aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorpukkamustard <pukkamustard@posteo.net>2021-02-05 21:02:47 +0100
committerpukkamustard <pukkamustard@posteo.net>2021-02-05 21:11:01 +0100
commit5628804d6884232fe28fb8d5ead74197b52cde6d (patch)
tree4724af0b0d39f07a724c55d28d925654a3290039
parent6cef88d8d028db077e1b4e48a390d4648966536d (diff)
initial working commit
-rw-r--r--README.md2
-rw-r--r--ffi/bindings/dune5
-rw-r--r--ffi/bindings/monocypher_bindings.ml13
-rw-r--r--ffi/lib/dune20
-rw-r--r--ffi/lib/m.ml15
-rw-r--r--ffi/stubgen/dune4
-rw-r--r--ffi/stubgen/ffi_stubgen.ml32
-rw-r--r--lib/dune8
-rw-r--r--lib/monocypher.ml9
-rw-r--r--test/dune2
-rw-r--r--vendor/AUTHORS.md58
-rw-r--r--vendor/CHANGELOG.md225
-rw-r--r--vendor/LICENCE.md173
-rw-r--r--vendor/README.md172
-rw-r--r--vendor/doc/html/crypto_aead_lock.html292
-rw-r--r--vendor/doc/html/crypto_aead_unlock.html292
-rw-r--r--vendor/doc/html/crypto_argon2i.html258
-rw-r--r--vendor/doc/html/crypto_argon2i_general.html258
-rw-r--r--vendor/doc/html/crypto_blake2b.html279
-rw-r--r--vendor/doc/html/crypto_blake2b_final.html279
-rw-r--r--vendor/doc/html/crypto_blake2b_general.html279
-rw-r--r--vendor/doc/html/crypto_blake2b_general_init.html279
-rw-r--r--vendor/doc/html/crypto_blake2b_init.html279
-rw-r--r--vendor/doc/html/crypto_blake2b_update.html279
-rw-r--r--vendor/doc/html/crypto_chacha20.html331
-rw-r--r--vendor/doc/html/crypto_chacha20_H.html110
-rw-r--r--vendor/doc/html/crypto_chacha20_ctr.html331
-rw-r--r--vendor/doc/html/crypto_chacha20_encrypt.html121
-rw-r--r--vendor/doc/html/crypto_chacha20_init.html121
-rw-r--r--vendor/doc/html/crypto_chacha20_set_ctr.html121
-rw-r--r--vendor/doc/html/crypto_chacha20_stream.html121
-rw-r--r--vendor/doc/html/crypto_chacha20_x_init.html121
-rw-r--r--vendor/doc/html/crypto_check.html215
-rw-r--r--vendor/doc/html/crypto_check_final.html269
-rw-r--r--vendor/doc/html/crypto_check_init.html269
-rw-r--r--vendor/doc/html/crypto_check_init_custom_hash.html267
-rw-r--r--vendor/doc/html/crypto_check_update.html269
-rw-r--r--vendor/doc/html/crypto_curve_to_hidden.html234
-rw-r--r--vendor/doc/html/crypto_ed25519_check.html95
-rw-r--r--vendor/doc/html/crypto_ed25519_check_final.html133
-rw-r--r--vendor/doc/html/crypto_ed25519_check_init.html133
-rw-r--r--vendor/doc/html/crypto_ed25519_check_update.html133
-rw-r--r--vendor/doc/html/crypto_ed25519_public_key.html95
-rw-r--r--vendor/doc/html/crypto_ed25519_sign.html95
-rw-r--r--vendor/doc/html/crypto_ed25519_sign_final.html133
-rw-r--r--vendor/doc/html/crypto_ed25519_sign_init_first_pass.html133
-rw-r--r--vendor/doc/html/crypto_ed25519_sign_init_second_pass.html133
-rw-r--r--vendor/doc/html/crypto_ed25519_sign_update.html133
-rw-r--r--vendor/doc/html/crypto_from_ed25519_private.html64
-rw-r--r--vendor/doc/html/crypto_from_ed25519_public.html64
-rw-r--r--vendor/doc/html/crypto_from_eddsa_private.html106
-rw-r--r--vendor/doc/html/crypto_from_eddsa_public.html106
-rw-r--r--vendor/doc/html/crypto_hchacha20.html110
-rw-r--r--vendor/doc/html/crypto_hidden_key_pair.html234
-rw-r--r--vendor/doc/html/crypto_hidden_to_curve.html234
-rw-r--r--vendor/doc/html/crypto_hmac_sha512.html196
-rw-r--r--vendor/doc/html/crypto_hmac_sha512_final.html196
-rw-r--r--vendor/doc/html/crypto_hmac_sha512_init.html196
-rw-r--r--vendor/doc/html/crypto_hmac_sha512_update.html196
-rw-r--r--vendor/doc/html/crypto_ietf_chacha20.html96
-rw-r--r--vendor/doc/html/crypto_ietf_chacha20_ctr.html96
-rw-r--r--vendor/doc/html/crypto_key_exchange.html164
-rw-r--r--vendor/doc/html/crypto_key_exchange_public_key.html164
-rw-r--r--vendor/doc/html/crypto_lock.html299
-rw-r--r--vendor/doc/html/crypto_lock_aead.html299
-rw-r--r--vendor/doc/html/crypto_lock_aead_auth.html307
-rw-r--r--vendor/doc/html/crypto_lock_auth.html307
-rw-r--r--vendor/doc/html/crypto_lock_auth_ad.html172
-rw-r--r--vendor/doc/html/crypto_lock_auth_message.html172
-rw-r--r--vendor/doc/html/crypto_lock_encrypt.html307
-rw-r--r--vendor/doc/html/crypto_lock_final.html172
-rw-r--r--vendor/doc/html/crypto_lock_init.html172
-rw-r--r--vendor/doc/html/crypto_lock_update.html172
-rw-r--r--vendor/doc/html/crypto_memcmp.html67
-rw-r--r--vendor/doc/html/crypto_poly1305.html241
-rw-r--r--vendor/doc/html/crypto_poly1305_final.html241
-rw-r--r--vendor/doc/html/crypto_poly1305_init.html241
-rw-r--r--vendor/doc/html/crypto_poly1305_update.html241
-rw-r--r--vendor/doc/html/crypto_sha512.html179
-rw-r--r--vendor/doc/html/crypto_sha512_final.html179
-rw-r--r--vendor/doc/html/crypto_sha512_init.html179
-rw-r--r--vendor/doc/html/crypto_sha512_update.html179
-rw-r--r--vendor/doc/html/crypto_sign.html215
-rw-r--r--vendor/doc/html/crypto_sign_final.html269
-rw-r--r--vendor/doc/html/crypto_sign_init_first_pass.html269
-rw-r--r--vendor/doc/html/crypto_sign_init_first_pass_custom_hash.html267
-rw-r--r--vendor/doc/html/crypto_sign_init_second_pass.html269
-rw-r--r--vendor/doc/html/crypto_sign_public_key.html215
-rw-r--r--vendor/doc/html/crypto_sign_public_key_custom_hash.html267
-rw-r--r--vendor/doc/html/crypto_sign_update.html269
-rw-r--r--vendor/doc/html/crypto_unlock.html299
-rw-r--r--vendor/doc/html/crypto_unlock_aead.html299
-rw-r--r--vendor/doc/html/crypto_unlock_aead_auth.html307
-rw-r--r--vendor/doc/html/crypto_unlock_auth_ad.html172
-rw-r--r--vendor/doc/html/crypto_unlock_auth_message.html172
-rw-r--r--vendor/doc/html/crypto_unlock_final.html172
-rw-r--r--vendor/doc/html/crypto_unlock_init.html172
-rw-r--r--vendor/doc/html/crypto_unlock_update.html172
-rw-r--r--vendor/doc/html/crypto_verify16.html92
-rw-r--r--vendor/doc/html/crypto_verify32.html92
-rw-r--r--vendor/doc/html/crypto_verify64.html92
-rw-r--r--vendor/doc/html/crypto_wipe.html86
-rw-r--r--vendor/doc/html/crypto_x25519.html164
-rw-r--r--vendor/doc/html/crypto_x25519_dirty_fast.html102
-rw-r--r--vendor/doc/html/crypto_x25519_dirty_small.html102
-rw-r--r--vendor/doc/html/crypto_x25519_inverse.html85
-rw-r--r--vendor/doc/html/crypto_x25519_public_key.html164
-rw-r--r--vendor/doc/html/crypto_xchacha20.html331
-rw-r--r--vendor/doc/html/crypto_xchacha20_ctr.html331
-rw-r--r--vendor/doc/html/crypto_zerocmp.html67
-rw-r--r--vendor/doc/html/intro.html299
-rw-r--r--vendor/doc/html/style.css292
-rw-r--r--vendor/doc/man/man3/crypto_argon2i.3monocypher297
l---------vendor/doc/man/man3/crypto_argon2i_general.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_blake2b.3monocypher312
l---------vendor/doc/man/man3/crypto_blake2b_final.3monocypher1
l---------vendor/doc/man/man3/crypto_blake2b_general.3monocypher1
l---------vendor/doc/man/man3/crypto_blake2b_general_init.3monocypher1
l---------vendor/doc/man/man3/crypto_blake2b_init.3monocypher1
l---------vendor/doc/man/man3/crypto_blake2b_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_chacha20.3monocypher391
l---------vendor/doc/man/man3/crypto_chacha20_H.3monocypher1
l---------vendor/doc/man/man3/crypto_chacha20_ctr.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_chacha20_encrypt.3monocypher150
l---------vendor/doc/man/man3/crypto_chacha20_init.3monocypher1
l---------vendor/doc/man/man3/crypto_chacha20_set_ctr.3monocypher1
l---------vendor/doc/man/man3/crypto_chacha20_stream.3monocypher1
l---------vendor/doc/man/man3/crypto_chacha20_x_init.3monocypher1
l---------vendor/doc/man/man3/crypto_check.3monocypher1
l---------vendor/doc/man/man3/crypto_check_final.3monocypher1
l---------vendor/doc/man/man3/crypto_check_init.3monocypher1
l---------vendor/doc/man/man3/crypto_check_init_custom_hash.3monocypher1
l---------vendor/doc/man/man3/crypto_check_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_curve_to_hidden.3monocypher284
-rw-r--r--vendor/doc/man/man3/crypto_from_eddsa_private.3monocypher132
l---------vendor/doc/man/man3/crypto_from_eddsa_public.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_hchacha20.3monocypher132
l---------vendor/doc/man/man3/crypto_hidden_key_pair.3monocypher1
l---------vendor/doc/man/man3/crypto_hidden_to_curve.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_ietf_chacha20.3monocypher132
l---------vendor/doc/man/man3/crypto_ietf_chacha20_ctr.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_key_exchange.3monocypher185
l---------vendor/doc/man/man3/crypto_key_exchange_public_key.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_lock.3monocypher340
l---------vendor/doc/man/man3/crypto_lock_aead.3monocypher1
l---------vendor/doc/man/man3/crypto_lock_auth_ad.3monocypher1
l---------vendor/doc/man/man3/crypto_lock_auth_message.3monocypher1
l---------vendor/doc/man/man3/crypto_lock_final.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_lock_init.3monocypher210
l---------vendor/doc/man/man3/crypto_lock_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_poly1305.3monocypher273
l---------vendor/doc/man/man3/crypto_poly1305_final.3monocypher1
l---------vendor/doc/man/man3/crypto_poly1305_init.3monocypher1
l---------vendor/doc/man/man3/crypto_poly1305_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_sign.3monocypher236
l---------vendor/doc/man/man3/crypto_sign_final.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_sign_init_first_pass.3monocypher302
-rw-r--r--vendor/doc/man/man3/crypto_sign_init_first_pass_custom_hash.3monocypher295
l---------vendor/doc/man/man3/crypto_sign_init_second_pass.3monocypher1
l---------vendor/doc/man/man3/crypto_sign_public_key.3monocypher1
l---------vendor/doc/man/man3/crypto_sign_public_key_custom_hash.3monocypher1
l---------vendor/doc/man/man3/crypto_sign_update.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock_aead.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock_auth_ad.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock_auth_message.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock_final.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock_init.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_verify16.3monocypher126
l---------vendor/doc/man/man3/crypto_verify32.3monocypher1
l---------vendor/doc/man/man3/crypto_verify64.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_wipe.3monocypher110
-rw-r--r--vendor/doc/man/man3/crypto_x25519.3monocypher197
-rw-r--r--vendor/doc/man/man3/crypto_x25519_dirty_fast.3monocypher131
l---------vendor/doc/man/man3/crypto_x25519_dirty_small.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_x25519_inverse.3monocypher105
l---------vendor/doc/man/man3/crypto_x25519_public_key.3monocypher1
l---------vendor/doc/man/man3/crypto_xchacha20.3monocypher1
l---------vendor/doc/man/man3/crypto_xchacha20_ctr.3monocypher1
-rw-r--r--vendor/doc/man/man3/intro.3monocypher356
l---------vendor/doc/man/man3/optional/crypto_ed25519_check.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_ed25519_check_final.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_ed25519_check_init.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_ed25519_check_update.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_ed25519_public_key.3monocypher1
-rw-r--r--vendor/doc/man/man3/optional/crypto_ed25519_sign.3monocypher123
l---------vendor/doc/man/man3/optional/crypto_ed25519_sign_final.3monocypher1
-rw-r--r--vendor/doc/man/man3/optional/crypto_ed25519_sign_init_first_pass.3monocypher157
l---------vendor/doc/man/man3/optional/crypto_ed25519_sign_init_second_pass.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_ed25519_sign_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/optional/crypto_from_ed25519_private.3monocypher87
l---------vendor/doc/man/man3/optional/crypto_from_ed25519_public.3monocypher1
-rw-r--r--vendor/doc/man/man3/optional/crypto_hmac_sha512.3monocypher227
l---------vendor/doc/man/man3/optional/crypto_hmac_sha512_final.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_hmac_sha512_init.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_hmac_sha512_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/optional/crypto_sha512.3monocypher213
l---------vendor/doc/man/man3/optional/crypto_sha512_final.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_sha512_init.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_sha512_update.3monocypher1
-rw-r--r--vendor/dune11
-rw-r--r--vendor/makefile235
-rw-r--r--vendor/monocypher.pc11
-rw-r--r--vendor/src/deprecated/aead-incr.c229
-rw-r--r--vendor/src/deprecated/aead-incr.h142
-rw-r--r--vendor/src/deprecated/chacha20.c148
-rw-r--r--vendor/src/deprecated/chacha20.h128
-rw-r--r--vendor/src/monocypher.c (renamed from lib/monocypher.c)0
-rw-r--r--vendor/src/monocypher.h (renamed from lib/monocypher.h)0
-rw-r--r--vendor/src/optional/monocypher-ed25519.c (renamed from lib/monocypher-ed25519.c)0
-rw-r--r--vendor/src/optional/monocypher-ed25519.h (renamed from lib/monocypher-ed25519.h)0
-rwxr-xr-xvendor/tests/coverage.sh59
-rw-r--r--vendor/tests/ctgrind.c309
-rw-r--r--vendor/tests/externals/c25519/AUTHORS.md5
-rw-r--r--vendor/tests/externals/c25519/c25519.c124
-rw-r--r--vendor/tests/externals/c25519/c25519.h48
-rw-r--r--vendor/tests/externals/c25519/ed25519.c320
-rw-r--r--vendor/tests/externals/c25519/ed25519.h82
-rw-r--r--vendor/tests/externals/c25519/edsign.c168
-rw-r--r--vendor/tests/externals/c25519/edsign.h51
-rw-r--r--vendor/tests/externals/c25519/f25519.c324
-rw-r--r--vendor/tests/externals/c25519/f25519.h92
-rw-r--r--vendor/tests/externals/c25519/fprime.c215
-rw-r--r--vendor/tests/externals/c25519/fprime.h70
-rw-r--r--vendor/tests/externals/c25519/morph25519.c87
-rw-r--r--vendor/tests/externals/c25519/morph25519.h29
-rw-r--r--vendor/tests/externals/c25519/sha512.c228
-rw-r--r--vendor/tests/externals/c25519/sha512.h52
-rw-r--r--vendor/tests/externals/tweetnacl/AUTHORS.md20
-rw-r--r--vendor/tests/externals/tweetnacl/tweetnacl.c809
-rw-r--r--vendor/tests/externals/tweetnacl/tweetnacl.h272
-rwxr-xr-xvendor/tests/formal-analysis.sh63
-rwxr-xr-xvendor/tests/frama-c.sh61
-rw-r--r--vendor/tests/speed/speed-c25519.c123
-rw-r--r--vendor/tests/speed/speed-hydrogen.c129
-rw-r--r--vendor/tests/speed/speed-sodium.c191
-rw-r--r--vendor/tests/speed/speed-tweetnacl.c169
-rw-r--r--vendor/tests/speed/speed.c221
-rw-r--r--vendor/tests/speed/speed.h105
-rw-r--r--vendor/tests/test-legacy.c347
-rw-r--r--vendor/tests/test.c1170
-rwxr-xr-xvendor/tests/test.sh65
-rw-r--r--vendor/tests/utils.c171
-rw-r--r--vendor/tests/utils.h95
-rw-r--r--vendor/tests/vectors.h12227
246 files changed, 45037 insertions, 14 deletions
diff --git a/README.md b/README.md
index c24b98f..0463485 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,8 @@
ocaml-monocypher provides OCaml bindings to the [Monocypher](https://monocypher.org/) cryptographic library.
+Bindings are created using the [Ctypes](https://github.com/ocamllabs/ocaml-ctypes) library. Using dune to build a Ctypes project requires a bit of ceremony (well actually quite a lot - see [this issue](https://github.com/ocaml/dune/issues/135)). The boilerplate to make Ctypes and dune play nice has been taken from [ocaml-yaml](https://github.com/avsm/ocaml-yaml).
+
# Why ocaml-monocypher?
Monocypher provides "Boring crypto that simply works". In particular it provides primitives required for [DROMEDAR](https://gitlab.com/public.dream/dromedar/dromedar):
diff --git a/ffi/bindings/dune b/ffi/bindings/dune
new file mode 100644
index 0000000..b8eb0f9
--- /dev/null
+++ b/ffi/bindings/dune
@@ -0,0 +1,5 @@
+(library
+ (name monocypher_bindings)
+ (synopsis "Ctypes bindings that describe the Monocypher FFI")
+ (public_name monocypher.bindings)
+ (libraries ctypes.stubs ctypes))
diff --git a/ffi/bindings/monocypher_bindings.ml b/ffi/bindings/monocypher_bindings.ml
new file mode 100644
index 0000000..e04b0af
--- /dev/null
+++ b/ffi/bindings/monocypher_bindings.ml
@@ -0,0 +1,13 @@
+module M(F: Ctypes.FOREIGN) = struct
+ let foreign = F.foreign
+
+ module C = struct
+ include Ctypes
+ let (@->) = F.(@->)
+ let returning = F.returning
+ end
+
+ let crypto_blake2b_general =
+ foreign "crypto_blake2b_general"
+ C.(ptr char @-> size_t @-> string_opt @-> size_t @-> string @-> size_t @-> returning void)
+end
diff --git a/ffi/lib/dune b/ffi/lib/dune
new file mode 100644
index 0000000..be7b1ea
--- /dev/null
+++ b/ffi/lib/dune
@@ -0,0 +1,20 @@
+(rule
+ (targets g.ml)
+ (deps ../stubgen/ffi_stubgen.exe)
+ (action (with-stdout-to %{targets} (run %{deps} -ml))))
+
+(rule
+ (targets monocypher_stubs.c)
+ (deps (:stubgen ../stubgen/ffi_stubgen.exe) ../../vendor/src/monocypher.h ../../vendor/src/optional/monocypher-ed25519.h)
+ (action (with-stdout-to %{targets} (run %{stubgen} -c))))
+
+(library
+ (name monocypher_ffi)
+ (public_name monocypher.ffi)
+ (modules g m)
+ (flags (:standard -w -9-27-32-34))
+ (foreign_stubs
+ (language c)
+ (names monocypher_stubs)
+ (include_dirs ../../vendor/src ../../vendor/src/optional/))
+ (libraries monocypher.bindings ctypes.stubs ctypes monocypher.c))
diff --git a/ffi/lib/m.ml b/ffi/lib/m.ml
new file mode 100644
index 0000000..d48f73d
--- /dev/null
+++ b/ffi/lib/m.ml
@@ -0,0 +1,15 @@
+(* Copyright (c) 2017 Anil Madhavapeddy <anil@recoil.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. *)
+
+include Monocypher_bindings.M(G)
diff --git a/ffi/stubgen/dune b/ffi/stubgen/dune
new file mode 100644
index 0000000..1200799
--- /dev/null
+++ b/ffi/stubgen/dune
@@ -0,0 +1,4 @@
+(executable
+ (name ffi_stubgen)
+ (modules ffi_stubgen)
+ (libraries monocypher_bindings ctypes.stubs ctypes))
diff --git a/ffi/stubgen/ffi_stubgen.ml b/ffi/stubgen/ffi_stubgen.ml
new file mode 100644
index 0000000..33691cf
--- /dev/null
+++ b/ffi/stubgen/ffi_stubgen.ml
@@ -0,0 +1,32 @@
+(* Copyright (c) 2017 Anil Madhavapeddy <anil@recoil.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. *)
+
+let prefix = "monocypher_stub"
+
+let () =
+ let generate_ml, generate_c = ref false, ref false in
+ let () =
+ Arg.(parse [ ("-ml", Set generate_ml, "Generate ML");
+ ("-c", Set generate_c, "Generate C") ])
+ (fun _ -> failwith "unexpected anonymous argument")
+ "stubgen [-ml|-c]"
+ in
+ match !generate_ml, !generate_c with
+ | false, false
+ | true, true ->
+ failwith "Exactly one of -ml and -c must be specified"
+ | true, false ->
+ Cstubs.write_ml Format.std_formatter ~prefix (module Monocypher_bindings.M)
+ | false, true ->
+ Cstubs.write_c Format.std_formatter ~prefix (module Monocypher_bindings.M)
diff --git a/lib/dune b/lib/dune
index 68b373d..89be42c 100644
--- a/lib/dune
+++ b/lib/dune
@@ -1,9 +1,3 @@
(library
(name monocypher)
- (foreign_archives monocypher_c)
- (libraries ctypes))
-
-(foreign_library
- (archive_name monocypher_c)
- (language c)
- (names monocypher monocypher-ed25519))
+ (libraries monocypher.ffi ctypes))
diff --git a/lib/monocypher.ml b/lib/monocypher.ml
index a128f2f..a62fb42 100644
--- a/lib/monocypher.ml
+++ b/lib/monocypher.ml
@@ -7,22 +7,19 @@
open Ctypes
-open Foreign
+
+module M = Monocypher_ffi.M
module Hashing = struct
module Blake2b = struct
- let crypto_blake2b_general =
- foreign "crypto_blake2b_general"
- (ptr char @-> size_t @-> string_opt @-> size_t @-> string @-> size_t @-> returning void)
-
let digest ?key ?(size=64) msg =
let hash_ptr = allocate_n char ~count:size in
let key_size = Option.(key
|> map String.length
|> value ~default:0) in
- let () = crypto_blake2b_general
+ let () = M.crypto_blake2b_general
hash_ptr (Unsigned.Size_t.of_int size)
key (Unsigned.Size_t.of_int key_size)
msg (Unsigned.Size_t.of_int (String.length msg))
diff --git a/test/dune b/test/dune
index 8c95275..3e1cddc 100644
--- a/test/dune
+++ b/test/dune
@@ -1,3 +1,3 @@
(test
(name monocypher)
- (libraries monocypher ctypes))
+ (libraries monocypher ctypes.foreign))
diff --git a/vendor/AUTHORS.md b/vendor/AUTHORS.md
new file mode 100644
index 0000000..22d30fa
--- /dev/null
+++ b/vendor/AUTHORS.md
@@ -0,0 +1,58 @@
+Designers
+---------
+
+- **Chacha20:** Daniel J. Bernstein.
+- **Poly1305:** Daniel J. Bernstein.
+- **Blake2:** Jean-Philippe Aumasson, Christian Winnerlein, Samuel Neves,
+ and Zooko Wilcox-O'Hearn
+- **Argon2:** Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich
+- **X25519:** Daniel J. Bernstein
+- **EdDSA:** Daniel J. Bernstein, Bo-Yin Yang, Niels Duif, Peter
+ Schwabe, and Tanja Lange
+
+Implementors
+------------
+
+- **Chacha20:** Loup Vaillant, implemented from spec.
+- **Poly1305:** Loup Vaillant, implemented from spec.
+- **Blake2b:** Loup Vaillant, implemented from spec.
+- **Argon2i:** Loup Vaillant, implemented from spec.
+- **X25519:** Daniel J. Bernstein, taken and packaged from SUPERCOP
+ ref10.
+- **EdDSA:** Loup Vaillant, with bits and pieces from SUPERCOP ref10
+ and TweetNaCl.
+
+Test suite
+----------
+
+Designed and implemented by Loup Vaillant, using _libsodium_ (by many
+authors), and _ed25519-donna_ (by Andrew Moon —floodyberry).
+
+Manual
+------
+
+Loup Vaillant, Fabio Scotoni, and Michael Savage.
+
+- Loup Vaillant did a first draft.
+- Fabio Scotoni rewrote the manual into proper man pages (and
+ substantially changed it in the process).
+- Michael Savage did extensive editing and proofreading.
+
+Thanks
+------
+
+Fabio Scotoni provided much needed advice about testing, interface,
+packaging, and the general direction of the whole project. He also
+redesigned monocypher.org style sheets.
+
+Mike Pechkin and André Maroneze found bugs in earlier versions of
+Monocypher.
+
+Andrew Moon clarified carry propagation in modular arithmetic, and
+provided advice and code that significantly simplified and improved
+Elligator2 mappings.
+
+Mike Hamburg explained comb algorithms, including the signed
+all-bits-set comb described in his 2012 paper, Fast and compact
+elliptic-curve cryptography. This made EdDSA signatures over twice as
+fast.
diff --git a/vendor/CHANGELOG.md b/vendor/CHANGELOG.md
new file mode 100644
index 0000000..7014723
--- /dev/null
+++ b/vendor/CHANGELOG.md
@@ -0,0 +1,225 @@
+3.1.1
+-----
+2020/06/15
+
+- Various documentation fixes.
+- Fixed various compiler warnings.
+- Fixed some integer overflows (16-bit platforms only).
+
+
+3.1.0
+-----
+2020/04/03
+
+- Added Elligator 2 mappings (hash to curve, curve to hash).
+- Added OPRF support (with scalar inversion).
+- Added Edwards25519 -> Curve25519 conversions
+
+
+3.0.0
+-----
+2020/01/19
+
+- Deprecated the incremental AEAD interface.
+- Deprecated the incremental Chacha20, added a direct interface.
+- Added IETF Chacha20 (96-bit nonce), as described in RFC 8439.
+- Moved deprecated interfaces to a separate `src/deprecated` folder.
+- Removed the `ED25519_SHA512` preprocessor flag.
+- `crypto_x25519()` and `crypto_key_exchange()` now return `void`.
+- Added a custom hash interface to EdDSA. Several instances of EdDSA
+ can share the same binary.
+- Added optional support for HMAC SHA-512
+- Moved all SHA-512 operations to `src/optional/monocypher-ed25519.(h|c)`
+- Optional support for Ed25519 no longer requires a preprocessor flag.
+ Add `src/optional/monocypher-ed25519.(h|c)` to your project instead.
+
+
+2.0.6
+-----
+2019/10/21
+
+- Added the `BLAKE2_NO_UNROLLING` preprocessor definition. Activating it
+ makes the binary about 5KB smaller, and speeds up processing times on
+ many embedded processors.
+- Reduced the stack usage of signature verification by about
+ 40%. Signature verification now fits in smaller machines.
+- Fixed many implicit casts warnings.
+- Fixed the manual here and there.
+- Lots of small nitpicks.
+
+
+2.0.5
+-----
+2018/08/23
+
+- Faster EdDSA signatures and verification. Like, 4 times as fast.
+
+
+2.0.4
+-----
+2018/06/24
+
+- Corrected a critical vulnerability in EdDSA, where crypto_check() was
+ accepting invalid signatures. (Found by Mike Pechkin.) The current
+ fix removes a buggy optimisation, effectively halving the performance
+ of EdDSA.
+- The test suite no longer tries to allocate zero bytes (some platforms
+ fail such an allocation).
+
+2.0.3
+-----
+2018/06/16
+
+- Corrected undefined behaviour in Blake2b
+- Improved the test suite (faster, better coverage)
+
+2.0.2
+-----
+2018/04/23
+
+- Corrected a couple failures to wipe secret buffers.
+- Corrected a bug that prevented compilation in Ed25519 mode.
+- Adjusted the number of test vectors in the test suite.
+- Improved tests for incremental interfaces.
+- Replaced the GNU all permissive licence by a public domain dedication
+ (Creative Commons CC-0). The BSD licence remains as a fallback.
+
+2.0.1
+-----
+2018/03/07
+
+- Followed a systematic pattern for the loading code of symmetric
+ crypto. It is now easier to review.
+- Tweaked Poly1305 code to make it easier to prove correct.
+
+2.0.0
+-----
+2018/02/14
+
+- Changed the authenticated encryption format. It now conforms to
+ RFC 7539, with one exception: it uses XChacha20 initialisation instead
+ of the IETF version of Chacha20. This new format conforms to
+ Libsodium's `crypto_aead_xchacha20poly1305_ietf_encrypt`.
+- Removed `crypto_lock_encrypt()` and `crypto_lock_auth()`.
+- Renamed `crypto_lock_aead_auth()` to `crypto_lock_auth_ad()`.
+- Renamed `crypto_unlock_aead_auth()` to `crypto_unlock_auth_ad()`.
+- Added `crypto_lock_auth_message()` and `crypto_unlock_auth_message()`
+- Renamed `crypto_aead_lock` to `crypto_lock_aead`;
+- Renamed `crypto_aead_unlock` to `crypto_unlock_aead`;
+
+The format change facilitates optimisation by aligning data to block
+boundaries. The API changes increase consistency.
+
+1.1.0
+-----
+2018/02/06
+
+- Rewrote the manual into proper man pages.
+- Added incremental interfaces for authenticated encryption and
+ signatures.
+- A couple breaking API changes, easily fixed by renaming the affected
+ functions.
+
+1.0.1
+-----
+2017/07/23
+
+- Optimised the loading and unloading code of the symmetric crypto
+ (Blake2b, sha512, Chacha20, and Poly1305).
+- Fused self contained tests together for easier analysis with Frama-C
+ and the TIS interpreter.
+
+1.0
+---
+2017/07/18
+
+- Renamed `crypto_chacha20_Xinit` to `crypto_chacha20_x_init`, for
+ consistency reasons (snake case everywhere).
+- Fixed signed integer overflow detected by UBSan.
+- Doubled the speed of EdDSA by performing the scalar product in
+ Montgomery space.
+
+0.8
+---
+2017/07/06
+
+- Added about a hundred lines of code to improve performance of public
+ key cryptography. Diffie-Hellman is now 20% faster than before.
+ (The effects are less pronounces for EdDSA).
+- Added random self-consistency tests.
+- Added a speed benchmark against libsodium.
+
+0.7
+---
+2017/06/07
+
+- Slightly changed the authenticated encryption API. Functions are
+ now all in "detached" mode. The reason is better support for
+ authenticated encryption _without_ additional data.
+- Rewrote Blake2b from spec, so it can use the same licence as
+ everything else.
+- Added random tests that compare Monocypher with libsodium and
+ ed25519-donna.
+- Added explicit support for Frama-C analysis (this doesn't affect the
+ source code)
+
+0.6
+---
+2017/03/17
+
+- Fixed incorrect poly1305 output on empty messages. (Found by Mike
+ Pechkin.)
+
+0.5
+---
+2017/03/10
+
+- Fixed many undefined behaviours in curve25519, that occur whenever
+ we perform a left shift on a signed negative integer. It doesn't
+ affect the generated code, but you never know. (Found with Frama-C
+ by André Maroneze.)
+
+Fun fact: TweetNaCl and ref10 have the same bug. Libsodium have
+corrected the issue, though.
+
+For those who don't comprehend the magnitude of this madness, the
+expression `-1 << 3` is undefined in C. This is explained in
+section 6.5.7(§4) of the C11 standard.
+
+0.4
+---
+2017/03/09
+
+- Fixed critical bug causing Argon2i to fail whenever it uses more
+ than 512 blocks. It was reading uninitialised memory, and the
+ results were incorrect. (Found by Mike Pechkin.)
+- Fixed an undefined behaviour in curve25519 (`fe_tobytes()`). It was
+ accessing uninitialised memory, before throwing it away. It didn't
+ affect the compiled code nor the results, but you never know.
+ (Found with [Frama-C](http://frama-c.com) by André Maroneze.)
+
+0.3
+---
+2017/02/27
+
+- Got the invariants of poly1305 right, put them in the comments.
+ There was no bug, but that was lucky (turned out the IETF test
+ vectors were designed to trigger the bugs I was afraid of).
+- Simplified poly1305 finalisation (replaced conditional subtraction
+ by a carry propagation).
+- Made a few cosmetic changes here and there.
+
+0.2
+---
+????/??/??
+
+- Public interface significantly reworked. Removed redundant, hard to
+ mess up constructions.
+- Added AEAD.
+- Sped up curve25519 by a factor of more than 6 (switched to ref10
+ arithmetic)
+- Added various test vectors, completed the consistency tests.
+
+0.1
+---
+2016/??/??
diff --git a/vendor/LICENCE.md b/vendor/LICENCE.md
new file mode 100644
index 0000000..01c8391
--- /dev/null
+++ b/vendor/LICENCE.md
@@ -0,0 +1,173 @@
+Monocypher as a whole is dual-licensed. Choose whichever licence you
+want from the two licences listed below.
+
+The first licence is a regular 2-clause BSD licence. The second licence
+is the CC-0 from Creative Commons. It is intended to release Monocypher
+to the public domain. The BSD licence serves as a fallback option.
+
+See the individual files for specific information about who contributed
+to what file during which years. See below for special notes.
+
+Licence 1 (2-clause BSD)
+------------------------
+
+Copyright (c) 2017-2020, Loup Vaillant
+Copyright (c) 2017-2019, Michael Savage
+Copyright (c) 2017-2020, Fabio Scotoni
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the
+ distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+Licence 2 (CC-0)
+----------------
+
+> CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+> LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+> ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+> INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+> REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+> PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+> THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+> HEREUNDER.
+
+### Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work
+of authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without
+fear of later claims of infringement build upon, modify, incorporate in
+other works, reuse and redistribute as freely as possible in any form
+whatsoever and for any purposes, including without limitation commercial
+purposes. These owners may contribute to the Commons to promote the
+ideal of a free culture and the further production of creative, cultural
+and scientific works, or to gain reputation or greater distribution for
+their Work in part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or
+she is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under
+its terms, with knowledge of his or her Copyright and Related Rights in
+the Work and the meaning and intended legal effect of CC0 on those
+rights.
+
+1. **Copyright and Related Rights.** A Work made available under CC0 may
+ be protected by copyright and related or neighboring rights
+ ("Copyright and Related Rights"). Copyright and Related Rights
+ include, but are not limited to, the following:
+
+ - the right to reproduce, adapt, distribute, perform, display,
+ communicate, and translate a Work;
+ - moral rights retained by the original author(s) and/or
+ performer(s); publicity and privacy rights pertaining to a person's
+ image or likeness depicted in a Work;
+ - rights protecting against unfair competition in regards to a Work,
+ subject to the limitations in paragraph 4(a), below;
+ - rights protecting the extraction, dissemination, use and reuse of
+ data in a Work;
+ - database rights (such as those arising under Directive 96/9/EC of
+ the European Parliament and of the Council of 11 March 1996 on the
+ legal protection of databases, and under any national
+ implementation thereof, including any amended or successor version
+ of such directive); and
+ - other similar, equivalent or corresponding rights throughout the
+ world based on applicable law or treaty, and any national
+ implementations thereof.
+
+2. **Waiver.** To the greatest extent permitted by, but not in
+ contravention of, applicable law, Affirmer hereby overtly, fully,
+ permanently, irrevocably and unconditionally waives, abandons, and
+ surrenders all of Affirmer's Copyright and Related Rights and
+ associated claims and causes of action, whether now known or unknown
+ (including existing as well as future claims and causes of action),
+ in the Work (i) in all territories worldwide, (ii) for the maximum
+ duration provided by applicable law or treaty (including future time
+ extensions), (iii) in any current or future medium and for any number
+ of copies, and (iv) for any purpose whatsoever, including without
+ limitation commercial, advertising or promotional purposes (the
+ "Waiver"). Affirmer makes the Waiver for the benefit of each member
+ of the public at large and to the detriment of Affirmer's heirs and
+ successors, fully intending that such Waiver shall not be subject to
+ revocation, rescission, cancellation, termination, or any other legal
+ or equitable action to disrupt the quiet enjoyment of the Work by the
+ public as contemplated by Affirmer's express Statement of Purpose.
+
+3. **Public License Fallback.** Should any part of the Waiver for any
+ reason be judged legally invalid or ineffective under applicable law,
+ then the Waiver shall be preserved to the maximum extent permitted
+ taking into account Affirmer's express Statement of Purpose. In
+ addition, to the extent the Waiver is so judged Affirmer hereby
+ grants to each affected person a royalty-free, non transferable, non
+ sublicensable, non exclusive, irrevocable and unconditional license
+ to exercise Affirmer's Copyright and Related Rights in the Work (i)
+ in all territories worldwide, (ii) for the maximum duration provided
+ by applicable law or treaty (including future time extensions), (iii)
+ in any current or future medium and for any number of copies, and
+ (iv) for any purpose whatsoever, including without limitation
+ commercial, advertising or promotional purposes (the "License"). The
+ License shall be deemed effective as of the date CC0 was applied by
+ Affirmer to the Work. Should any part of the License for any reason
+ be judged legally invalid or ineffective under applicable law, such
+ partial invalidity or ineffectiveness shall not invalidate the
+ remainder of the License, and in such case Affirmer hereby affirms
+ that he or she will not (i) exercise any of his or her remaining
+ Copyright and Related Rights in the Work or (ii) assert any
+ associated claims and causes of action with respect to the Work, in
+ either case contrary to Affirmer's express Statement of Purpose.
+
+4. **Limitations and Disclaimers.**
+
+ - No trademark or patent rights held by Affirmer are waived,
+ abandoned, surrendered, licensed or otherwise affected by this
+ document.
+ - Affirmer offers the Work as-is and makes no representations or
+ warranties of any kind concerning the Work, express, implied,
+ statutory or otherwise, including without limitation warranties of
+ title, merchantability, fitness for a particular purpose, non
+ infringement, or the absence of latent or other defects, accuracy,
+ or the present or absence of errors, whether or not discoverable,
+ all to the greatest extent permissible under applicable law.
+ - Affirmer disclaims responsibility for clearing rights of other
+ persons that may apply to the Work or any use thereof, including
+ without limitation any person's Copyright and Related Rights in the
+ Work. Further, Affirmer disclaims responsibility for obtaining any
+ necessary consents, permissions or other rights required for any
+ use of the Work.
+ - Affirmer understands and acknowledges that Creative Commons is not
+ a party to this document and has no duty or obligation with respect
+ to this CC0 or use of the Work.
+
+Special notes
+-------------
+
+The files in `tests/externals/` were placed in the public domain by
+their respective authors. See the `AUTHORS.md` files in each directory.
diff --git a/vendor/README.md b/vendor/README.md
new file mode 100644
index 0000000..2c68990
--- /dev/null
+++ b/vendor/README.md
@@ -0,0 +1,172 @@
+Monocypher
+----------
+
+Monocypher is an easy to use, easy to deploy, auditable crypto library
+written in portable C. It approaches the size of [TweetNaCl][] and the
+speed of [Libsodium][].
+
+[Official site.](https://monocypher.org/)
+[Official releases.](https://monocypher.org/download/)
+
+[Libsodium]: https://libsodium.org
+[TweetNaCl]: https://tweetnacl.cr.yp.to/
+
+Manual
+------
+
+The manual can be found at https://monocypher.org/manual/, and in the
+`doc/` folder.
+
+The `doc/man/` folder contains the man pages. You can install them in
+your system by running `make install-doc`. Official releases also have a
+`doc/html/` folder with an html version.
+
+
+Installation
+------------
+
+### Option 1: grab the sources
+
+The easiest way to use Monocypher is to include `src/monocypher.h` and
+`src/monocypher.c` directly into your project. They compile as C (since
+C99) and C++ (since C++98).
+
+
+### Option 2: grab the library
+
+Run `make`, then grab the `src/monocypher.h` header and either the
+`lib/libmonocypher.a` or `lib/libmonocypher.so` library. The default
+compiler is `gcc -std=gnu99`, and the default flags are `-pedantic -Wall
+-Wextra -O3 -march=native`. If they don't work on your platform, you
+can change them like this:
+
+ $ make CC="clang -std=c99" CFLAGS="-O2"
+
+### Option 3: install it on your system
+
+The following should work on most UNIX systems:
+
+ $ make install
+
+This will install Monocypher in `/usr/local/` by default. Libraries
+will go to `/usr/local/lib/`, the header in `/usr/local/include/`, and
+the man pages in `/usr/local/share/man/man3`. You can change those
+defaults with the `PREFIX` and `DESTDIR` variables thus:
+
+ $ make install PREFIX="/opt"
+
+Once installed, you can use `pkg-config` to compile and link your
+program. For instance, if you have a one file C project that uses
+Monocypher, you can compile it thus:
+
+ $ gcc -o myProgram myProgram.c \
+ $(pkg-config monocypher --cflags) \
+ $(pkg-config monocypher --libs)
+
+The `cflags` line gives the include path for monocypher.h, and the
+`libs` line provides the link path and option required to find
+`libmonocypher.a` (or `libmonocypher.so`).
+
+
+Test suite
+----------
+
+ $ make test
+
+It should display a nice printout of all the tests, all starting with
+"OK". If you see "FAILURE" anywhere, something has gone very wrong
+somewhere.
+
+*Do not* use Monocypher without running those tests at least once.
+
+The same test suite can be run under Clang sanitisers and Valgrind, and
+be checked for code coverage:
+
+ $ tests/test.sh
+ $ tests/coverage.sh
+
+
+### Serious auditing
+
+The code may be analysed more formally with [Frama-c][] and the
+[TIS interpreter][TIS]. To analyse the code with Frama-c, run:
+
+ $ tests/formal-analysis.sh
+ $ tests/frama-c.sh
+
+This will have Frama-c parse, and analyse the code, then launch a GUI.
+You must have Frama-c installed. See `frama-c.sh` for the recommended
+settings. To run the code under the TIS interpreter, run
+
+ $ tests/formal-analysis.sh
+ $ tis-interpreter.sh --cc -Dvolatile= tests/formal-analysis/*.c
+
+Notes:
+
+- `tis-interpreter.sh` is part of TIS. If it is not in your path,
+ adjust the command accordingly.
+
+- The TIS interpreter sometimes fails to evaluate correct programs when
+ they use the `volatile` keyword (which is only used as an attempt to
+ prevent dead store elimination for memory wipes). The `-cc
+ -Dvolatile=` option works around that bug by ignoring `volatile`
+ altogether.
+
+[Frama-c]:https://frama-c.com/
+[TIS]: https://trust-in-soft.com/tis-interpreter/
+
+
+Speed benchmark
+---------------
+
+ $ make speed
+
+This will give you an idea how fast Monocypher is on your machine. Make
+sure you run it on the target platform if performance is a concern. If
+Monocypher is too slow, try Libsodium. If you're not sure, you can
+always switch later.
+
+
+Note: the speed benchmark currently requires the POSIX
+`clock_gettime()` function.
+
+There are similar benchmarks for Libsodium, TweetNaCl, LibHydrogen, and
+c25519:
+
+ $ make speed-sodium
+ $ make speed-tweetnacl
+ $ make speed-hydrogen
+ $ make speed-c25519
+
+(The `speed-hydrogen` target assumes it has pkg-config installed. Try
+`make pkg-config-libhydrogen` as root if it is not.)
+
+You can also adjust the optimisation options for Monocypher, TweetNaCl,
+and c25519 (the default is `-O3 march=native`):
+
+ $ make speed CFLAGS="-O2"
+ $ make speed-tweetnacl CFLAGS="-O2"
+
+
+Customisation
+-------------
+
+Monocypher has optional compatibility with Ed25519. To have that, add
+`monocypher-ed25519.h` and `monocypher-ed25519.c` provided in
+`src/optional` to your project. If you're using the makefile, define
+the `USE_ED25519` variable to link it to monocypher.a and monocypher.so:
+
+ $ make USE_ED25519=true
+
+Monocypher also has the `BLAKE2_NO_UNROLLING` preprocessor flag, which
+is activated by compiling monocypher.c with the `-DBLAKE2_NO_UNROLLING`
+option.
+
+The `-DBLAKE2_NO_UNROLLING` option is a performance tweak. By default,
+Monocypher unrolls the Blake2b inner loop, because doing so is over 25%
+faster on modern processors. Some embedded processors however, run the
+unrolled loop _slower_ (possibly because of the cost of fetching 5KB of
+additional code). If you're using an embedded platform, try this
+option. The binary will be about 5KB smaller, and in some cases faster.
+
+
diff --git a/vendor/doc/html/crypto_aead_lock.html b/vendor/doc/html/crypto_aead_lock.html
new file mode 100644
index 0000000..ef9450b
--- /dev/null
+++ b/vendor/doc/html/crypto_aead_lock.html
@@ -0,0 +1,292 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_LOCK(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_LOCK(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_LOCK(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_aead_lock</b>,
+ <b class="Nm" title="Nm">crypto_aead_unlock</b>,
+ <b class="Nm" title="Nm">crypto_lock</b>,
+ <b class="Nm" title="Nm">crypto_unlock</b> &#x2014;
+ <span class="Nd" title="Nd">authenticated encryption with additional
+ data</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock</b>(<var class="Fa" title="Fa">uint8_t
+ mac[16]</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock</b>(<var class="Fa" title="Fa">uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t mac[16]</var>,
+ <var class="Fa" title="Fa">const uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_aead_lock</b>(<var class="Fa" title="Fa">uint8_t
+ mac[16]</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_aead_unlock</b>(<var class="Fa" title="Fa">uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t mac[16]</var>,
+ <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+<b class="Fn" title="Fn">crypto_lock</b>() encrypts and authenticates a
+ plaintext. It can be decrypted by
+ <b class="Fn" title="Fn">crypto_unlock</b>(). The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">A 32-byte session key, shared between the sender and the
+ recipient. It must be secret and random. Different methods can be used to
+ produce and exchange this key, such as Diffie-Hellman key exchange,
+ password key derivation (the password must be communicated on a secure
+ channel), or even meeting physically. See
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>
+ for key exchange, and
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ for password key derivation.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">nonce</var></dt>
+ <dd class="It-tag">A 24-byte number, used only once with any given session
+ key. It does not need to be secret or random, but it does have to be
+ unique. <i class="Em" title="Em">Never</i> use the same nonce twice with
+ the same key. This would reveal the XOR of 2 different messages, which
+ allows decryption and forgeries. The easiest (and recommended) way to
+ generate this nonce is to select it at random. See
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> about
+ random number generation (use your operating system's random number
+ generator).</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">mac</var></dt>
+ <dd class="It-tag">A 16-byte <i class="Em" title="Em">message authentication
+ code</i> (MAC), that can only be produced by someone who knows the session
+ key. This guarantee cannot be upheld if a nonce has been reused with the
+ session key, because doing so allows the attacker to learn the
+ authentication key associated with that nonce. The MAC is intended to be
+ sent along with the ciphertext.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">plain_text</var></dt>
+ <dd class="It-tag">The secret message. Its contents will be kept hidden from
+ attackers. Its length however, will <i class="Em" title="Em">not</i>. Be
+ careful when combining encryption with compression. See
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ details.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">cipher_text</var></dt>
+ <dd class="It-tag">The encrypted message.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">text_size</var></dt>
+ <dd class="It-tag">Length of both <var class="Fa" title="Fa">plain_text
+ and</var> <var class="Fa" title="Fa">cipher_text</var>, in bytes.</dd>
+</dl>
+<div class="Pp"></div>
+The <var class="Fa" title="Fa">cipher_text</var> and
+ <var class="Fa" title="Fa">plain_text</var> arguments may point to the same
+ buffer for in-place encryption. Otherwise, the buffers they point to must not
+ overlap.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_unlock</b>() first checks the integrity of an
+ encrypted message. If it has been corrupted,
+ <b class="Fn" title="Fn">crypto_unlock</b>() returns -1 immediately.
+ Otherwise, it decrypts the message, then returns zero.
+ <i class="Em" title="Em">Always check the return value</i>.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_aead_lock</b>() and
+ <b class="Fn" title="Fn">crypto_aead_unlock</b>() are variants of
+ <b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock</b>(), permitting additional data.
+ Additional data is authenticated, but <i class="Em" title="Em">not</i>
+ encrypted. This is used to authenticate relevant data that cannot be
+ encrypted. The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ad</var></dt>
+ <dd class="It-tag">Additional data to authenticate. It will not be encrypted.
+ May be <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">ad_size</var> is zero. Setting
+ <var class="Fa" title="Fa">ad_size</var> to zero yields the same results
+ as <b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock</b>().</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ad_size</var></dt>
+ <dd class="It-tag">Length of the additional data, in bytes.
+ <b class="Sy" title="Sy">That length is not authenticated.</b> If the
+ additional data is of variable length, the length should be appended to
+ <var class="Fa" title="Fa">ad</var> so it gets authenticated, and should
+ be extracted from the end of the message when decrypting. Otherwise an
+ attacker could provide a false length, effectively moving the boundary
+ between the additional data and the ciphertext. This may cause buffer
+ overflows in some programs.</dd>
+</dl>
+<div class="Pp"></div>
+An incremental interface is available; see
+ <a class="Xr" title="Xr" href="crypto_lock_init.html">crypto_lock_init(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_aead_lock</b>() return nothing. They cannot
+ fail. <b class="Fn" title="Fn">crypto_unlock</b>() and
+ <b class="Fn" title="Fn">crypto_aead_unlock</b>() return 0 on success or -1 if
+ the message was corrupted (i.e. <var class="Fa" title="Fa">mac</var>
+ mismatched the combination of <var class="Fa" title="Fa">key</var>,
+ <var class="Fa" title="Fa">nonce</var>, <var class="Fa" title="Fa">ad</var>
+ and <var class="Fa" title="Fa">cipher_text</var>). Corruption can be caused by
+ transmission errors, programmer error, or an attacker's interference.
+ <var class="Fa" title="Fa">plain_text</var> does not need to be wiped if the
+ decryption fails.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+Encryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [32]; /* Random, secret session key */
+const uint8_t nonce [24]; /* Use only once per key */
+const uint8_t plain_text [500]; /* Secret message */
+uint8_t mac [16]; /* Message authentication code */
+uint8_t cipher_text[500]; /* Encrypted message */
+crypto_lock(mac, cipher_text, key, nonce, plain_text, 500);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(plain_text, 500);
+crypto_wipe(key, 32);
+/* Transmit cipher_text, nonce, and mac over the network */
+</pre>
+</div>
+<div class="Pp"></div>
+To decrypt the above:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [32]; /* Same as the above */
+const uint8_t nonce [24]; /* Same as the above */
+const uint8_t cipher_text[500]; /* Encrypted message */
+const uint8_t mac [16]; /* Received from the network */
+uint8_t plain_text [500]; /* Secret message */
+if (crypto_unlock(plain_text, key, nonce, mac, cipher_text, 500)) {
+ /* The message is corrupted.
+ * Wipe key if it is no longer needed,
+ * and abort the decryption.
+ */
+ crypto_wipe(key, 32);
+}
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(plain_text, 500);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+In-place encryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [32]; /* Random, secret session key */
+const uint8_t nonce[24]; /* Use only once per key */
+uint8_t text [500]; /* Secret message */
+uint8_t mac [16]; /* Message authentication code */
+crypto_lock(mac, text, key, nonce, text, 500);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+/* Transmit text, nonce, and mac over the network */
+</pre>
+</div>
+<div class="Pp"></div>
+In-place decryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [32]; /* Same as the above */
+const uint8_t nonce[24]; /* Same as the above */
+const uint8_t mac [16]; /* Reived from the network */
+uint8_t text [500]; /* Message to decrypt */
+if (crypto_unlock(text, key, nonce, mac, text, 500)) {
+ /* The message is corrupted.
+ * Wipe key if it is no longer needed,
+ * and abort the decryption.
+ */
+ crypto_wipe(key, 32);
+}
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(text, 500);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock_init.html">crypto_lock_init(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement the XChacha20 (encryption) and Poly1305 (MAC)
+ primitives. Chacha20 and Poly1305 are described in RFC 7539. XChacha20 derives
+ from Chacha20 the same way XSalsa20 derives from Salsa20, and benefits from
+ the same security reduction (proven secure as long as Chacha20 itself is
+ secure).
+<h1 class="Sh" title="Sh" id="IMPLEMENTATION_DETAILS"><a class="selflink" href="#IMPLEMENTATION_DETAILS">IMPLEMENTATION
+ DETAILS</a></h1>
+<b class="Fn" title="Fn">crypto_aead_lock</b>() and
+ <b class="Fn" title="Fn">crypto_aead_unlock</b>() do not authenticate the
+ length themselves to make them compatible with
+ <b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock</b>() when the size of the additional
+ data is zero. This also simplifies the implementation.
+<div class="Pp"></div>
+This rarely causes problems in practice, because most of the time, the length of
+ the additional data is either fixed or self-contained, and thus outside of
+ attacker control.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">December 28, 2017</td>
+ <td class="foot-os">Linux 4.4.0-116-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_aead_unlock.html b/vendor/doc/html/crypto_aead_unlock.html
new file mode 100644
index 0000000..ef9450b
--- /dev/null
+++ b/vendor/doc/html/crypto_aead_unlock.html
@@ -0,0 +1,292 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_LOCK(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_LOCK(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_LOCK(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_aead_lock</b>,
+ <b class="Nm" title="Nm">crypto_aead_unlock</b>,
+ <b class="Nm" title="Nm">crypto_lock</b>,
+ <b class="Nm" title="Nm">crypto_unlock</b> &#x2014;
+ <span class="Nd" title="Nd">authenticated encryption with additional
+ data</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock</b>(<var class="Fa" title="Fa">uint8_t
+ mac[16]</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock</b>(<var class="Fa" title="Fa">uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t mac[16]</var>,
+ <var class="Fa" title="Fa">const uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_aead_lock</b>(<var class="Fa" title="Fa">uint8_t
+ mac[16]</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_aead_unlock</b>(<var class="Fa" title="Fa">uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t mac[16]</var>,
+ <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+<b class="Fn" title="Fn">crypto_lock</b>() encrypts and authenticates a
+ plaintext. It can be decrypted by
+ <b class="Fn" title="Fn">crypto_unlock</b>(). The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">A 32-byte session key, shared between the sender and the
+ recipient. It must be secret and random. Different methods can be used to
+ produce and exchange this key, such as Diffie-Hellman key exchange,
+ password key derivation (the password must be communicated on a secure
+ channel), or even meeting physically. See
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>
+ for key exchange, and
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ for password key derivation.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">nonce</var></dt>
+ <dd class="It-tag">A 24-byte number, used only once with any given session
+ key. It does not need to be secret or random, but it does have to be
+ unique. <i class="Em" title="Em">Never</i> use the same nonce twice with
+ the same key. This would reveal the XOR of 2 different messages, which
+ allows decryption and forgeries. The easiest (and recommended) way to
+ generate this nonce is to select it at random. See
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> about
+ random number generation (use your operating system's random number
+ generator).</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">mac</var></dt>
+ <dd class="It-tag">A 16-byte <i class="Em" title="Em">message authentication
+ code</i> (MAC), that can only be produced by someone who knows the session
+ key. This guarantee cannot be upheld if a nonce has been reused with the
+ session key, because doing so allows the attacker to learn the
+ authentication key associated with that nonce. The MAC is intended to be
+ sent along with the ciphertext.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">plain_text</var></dt>
+ <dd class="It-tag">The secret message. Its contents will be kept hidden from
+ attackers. Its length however, will <i class="Em" title="Em">not</i>. Be
+ careful when combining encryption with compression. See
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ details.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">cipher_text</var></dt>
+ <dd class="It-tag">The encrypted message.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">text_size</var></dt>
+ <dd class="It-tag">Length of both <var class="Fa" title="Fa">plain_text
+ and</var> <var class="Fa" title="Fa">cipher_text</var>, in bytes.</dd>
+</dl>
+<div class="Pp"></div>
+The <var class="Fa" title="Fa">cipher_text</var> and
+ <var class="Fa" title="Fa">plain_text</var> arguments may point to the same
+ buffer for in-place encryption. Otherwise, the buffers they point to must not
+ overlap.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_unlock</b>() first checks the integrity of an
+ encrypted message. If it has been corrupted,
+ <b class="Fn" title="Fn">crypto_unlock</b>() returns -1 immediately.
+ Otherwise, it decrypts the message, then returns zero.
+ <i class="Em" title="Em">Always check the return value</i>.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_aead_lock</b>() and
+ <b class="Fn" title="Fn">crypto_aead_unlock</b>() are variants of
+ <b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock</b>(), permitting additional data.
+ Additional data is authenticated, but <i class="Em" title="Em">not</i>
+ encrypted. This is used to authenticate relevant data that cannot be
+ encrypted. The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ad</var></dt>
+ <dd class="It-tag">Additional data to authenticate. It will not be encrypted.
+ May be <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">ad_size</var> is zero. Setting
+ <var class="Fa" title="Fa">ad_size</var> to zero yields the same results
+ as <b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock</b>().</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ad_size</var></dt>
+ <dd class="It-tag">Length of the additional data, in bytes.
+ <b class="Sy" title="Sy">That length is not authenticated.</b> If the
+ additional data is of variable length, the length should be appended to
+ <var class="Fa" title="Fa">ad</var> so it gets authenticated, and should
+ be extracted from the end of the message when decrypting. Otherwise an
+ attacker could provide a false length, effectively moving the boundary
+ between the additional data and the ciphertext. This may cause buffer
+ overflows in some programs.</dd>
+</dl>
+<div class="Pp"></div>
+An incremental interface is available; see
+ <a class="Xr" title="Xr" href="crypto_lock_init.html">crypto_lock_init(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_aead_lock</b>() return nothing. They cannot
+ fail. <b class="Fn" title="Fn">crypto_unlock</b>() and
+ <b class="Fn" title="Fn">crypto_aead_unlock</b>() return 0 on success or -1 if
+ the message was corrupted (i.e. <var class="Fa" title="Fa">mac</var>
+ mismatched the combination of <var class="Fa" title="Fa">key</var>,
+ <var class="Fa" title="Fa">nonce</var>, <var class="Fa" title="Fa">ad</var>
+ and <var class="Fa" title="Fa">cipher_text</var>). Corruption can be caused by
+ transmission errors, programmer error, or an attacker's interference.
+ <var class="Fa" title="Fa">plain_text</var> does not need to be wiped if the
+ decryption fails.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+Encryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [32]; /* Random, secret session key */
+const uint8_t nonce [24]; /* Use only once per key */
+const uint8_t plain_text [500]; /* Secret message */
+uint8_t mac [16]; /* Message authentication code */
+uint8_t cipher_text[500]; /* Encrypted message */
+crypto_lock(mac, cipher_text, key, nonce, plain_text, 500);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(plain_text, 500);
+crypto_wipe(key, 32);
+/* Transmit cipher_text, nonce, and mac over the network */
+</pre>
+</div>
+<div class="Pp"></div>
+To decrypt the above:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [32]; /* Same as the above */
+const uint8_t nonce [24]; /* Same as the above */
+const uint8_t cipher_text[500]; /* Encrypted message */
+const uint8_t mac [16]; /* Received from the network */
+uint8_t plain_text [500]; /* Secret message */
+if (crypto_unlock(plain_text, key, nonce, mac, cipher_text, 500)) {
+ /* The message is corrupted.
+ * Wipe key if it is no longer needed,
+ * and abort the decryption.
+ */
+ crypto_wipe(key, 32);
+}
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(plain_text, 500);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+In-place encryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [32]; /* Random, secret session key */
+const uint8_t nonce[24]; /* Use only once per key */
+uint8_t text [500]; /* Secret message */
+uint8_t mac [16]; /* Message authentication code */
+crypto_lock(mac, text, key, nonce, text, 500);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+/* Transmit text, nonce, and mac over the network */
+</pre>
+</div>
+<div class="Pp"></div>
+In-place decryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [32]; /* Same as the above */
+const uint8_t nonce[24]; /* Same as the above */
+const uint8_t mac [16]; /* Reived from the network */
+uint8_t text [500]; /* Message to decrypt */
+if (crypto_unlock(text, key, nonce, mac, text, 500)) {
+ /* The message is corrupted.
+ * Wipe key if it is no longer needed,
+ * and abort the decryption.
+ */
+ crypto_wipe(key, 32);
+}
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(text, 500);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock_init.html">crypto_lock_init(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement the XChacha20 (encryption) and Poly1305 (MAC)
+ primitives. Chacha20 and Poly1305 are described in RFC 7539. XChacha20 derives
+ from Chacha20 the same way XSalsa20 derives from Salsa20, and benefits from
+ the same security reduction (proven secure as long as Chacha20 itself is
+ secure).
+<h1 class="Sh" title="Sh" id="IMPLEMENTATION_DETAILS"><a class="selflink" href="#IMPLEMENTATION_DETAILS">IMPLEMENTATION
+ DETAILS</a></h1>
+<b class="Fn" title="Fn">crypto_aead_lock</b>() and
+ <b class="Fn" title="Fn">crypto_aead_unlock</b>() do not authenticate the
+ length themselves to make them compatible with
+ <b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock</b>() when the size of the additional
+ data is zero. This also simplifies the implementation.
+<div class="Pp"></div>
+This rarely causes problems in practice, because most of the time, the length of
+ the additional data is either fixed or self-contained, and thus outside of
+ attacker control.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">December 28, 2017</td>
+ <td class="foot-os">Linux 4.4.0-116-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_argon2i.html b/vendor/doc/html/crypto_argon2i.html
new file mode 100644
index 0000000..ea49288
--- /dev/null
+++ b/vendor/doc/html/crypto_argon2i.html
@@ -0,0 +1,258 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_ARGON2I(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_ARGON2I(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_ARGON2I(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_argon2i</b> &#x2014;
+ <span class="Nd" title="Nd">password key derivation</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_argon2i</b>(<var class="Fa" title="Fa">uint8_t
+ *hash</var>, <var class="Fa" title="Fa">uint32_t hash_size</var>,
+ <var class="Fa" title="Fa">void *work_area</var>,
+ <var class="Fa" title="Fa">uint32_t nb_blocks</var>,
+ <var class="Fa" title="Fa">uint32_t nb_iterations</var>,
+ <var class="Fa" title="Fa">const uint8_t *password</var>,
+ <var class="Fa" title="Fa">uint32_t password_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *salt</var>,
+ <var class="Fa" title="Fa">uint32_t salt_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_argon2i_general</b>(<var class="Fa" title="Fa">uint8_t
+ *hash</var>, <var class="Fa" title="Fa">uint32_t hash_size</var>,
+ <var class="Fa" title="Fa">void *work_area</var>,
+ <var class="Fa" title="Fa">uint32_t nb_blocks</var>,
+ <var class="Fa" title="Fa">uint32_t nb_iterations</var>,
+ <var class="Fa" title="Fa">const uint8_t *password</var>,
+ <var class="Fa" title="Fa">uint32_t password_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *salt</var>,
+ <var class="Fa" title="Fa">uint32_t salt_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">uint32_t key_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">uint32_t ad_size</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+Argon2i is a resource intensive password key derivation scheme optimised for the
+ typical x86-like processor. It runs in constant time with respect to the
+ contents of the password.
+<div class="Pp"></div>
+Typical applications are password checking (for online services), and key
+ derivation (for encryption). Derived keys can be used to encrypt, for example,
+ private keys or password databases.
+<div class="Pp"></div>
+The version provided by Monocypher has no threading support, so the degree of
+ parallelism is limited to 1. This is considered good enough for most purposes.
+<div class="Pp"></div>
+The arguments to <b class="Fn" title="Fn">crypto_argon2i</b>() are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash</var></dt>
+ <dd class="It-tag">The output hash.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">hash</var>, in bytes.
+ This argument should be set to 32 or 64 for compatibility with the
+ <b class="Fn" title="Fn">crypto_verify*</b>() constant time comparison
+ functions.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">work_area</var></dt>
+ <dd class="It-tag">Temporary buffer for the algorithm, allocated by the
+ caller. It must be <var class="Fa" title="Fa">nb_blocks</var> &#x00D7;
+ 1024 bytes big, and suitably aligned for 64-bit integers. If you are not
+ sure how to allocate that buffer, just use
+ <b class="Fn" title="Fn">malloc</b>().
+ <div class="Pp"></div>
+ The work area is automatically wiped by
+ <b class="Fn" title="Fn">crypto_argon2i</b>().</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">nb_blocks</var></dt>
+ <dd class="It-tag">The number of blocks for the work area. Must be at least 8.
+ A value of 100000 (one hundred megabytes) is a good starting point. If the
+ computation takes too long, reduce this number. If it is too fast,
+ increase this number. If it is still too fast with all available memory,
+ increase <var class="Fa" title="Fa">nb_iterations</var>.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">nb_iterations</var></dt>
+ <dd class="It-tag">The number of iterations. It must be at least 1. A value of
+ 3 is <i class="Em" title="Em">strongly</i> recommended; any value lower
+ than 3 enables significantly more efficient attacks.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">password</var></dt>
+ <dd class="It-tag">The password to hash. It should be wiped with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ after being hashed.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">password_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">password</var>, in
+ bytes.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">salt</var></dt>
+ <dd class="It-tag">A password salt. This should be filled with random bytes,
+ generated separately for each password to be hashed. See
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about generating random bytes (use the operating system's random
+ number generator).</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">salt_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">salt</var>, in bytes.
+ Must be at least 8. 16 is recommended.</dd>
+</dl>
+<div class="Pp"></div>
+The output hash must not overlap with the work area, or it will be wiped along
+ with it. Any other overlap is permitted.
+<div class="Pp"></div>
+Use
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify32.html">crypto_verify32(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_verify64.html">crypto_verify64(3monocypher)</a>
+ to compare password hashes to prevent timing attacks.
+<div class="Pp"></div>
+To select the <var class="Fa" title="Fa">nb_blocks</var> and
+ <var class="Fa" title="Fa">nb_iterations</var> parameters, it should first be
+ decided how long the computation should take. For user authentication, values
+ somewhere between half a second (convenient) and several seconds (paranoid)
+ are recommended. The computation should use as much memory as can be spared.
+<div class="Pp"></div>
+Since parameter selection depends on your hardware, some trial and error will be
+ required in order to determine the ideal settings. Three iterations and 100000
+ blocks (that is, one hundred megabytes of memory) is a good starting point.
+ Adjust <var class="Fa" title="Fa">nb_blocks</var> first. If using all
+ available memory is not slow enough, increase
+ <var class="Fa" title="Fa">nb_iterations</var>.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_argon2i_general</b>() is a variant of
+ <b class="Fn" title="Fn">crypto_argon2i</b>() that supports keyed hashing and
+ hashing of additional data. The additional arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">A key to use in the hash. Can be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">key_size</var> is zero. The key is generally
+ not needed, but it does have some uses. In the context of password
+ derivation, it would be stored separately from the password database, and
+ would remain secret even if an attacker were to steal the database. Note
+ that changing the key requires rehashing the user's password, which is
+ only possible upon user login.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">key</var>, in bytes.
+ Must be zero if there is no key.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ad</var></dt>
+ <dd class="It-tag">Additional data. This is additional data that goes into the
+ hash, similar to the authenticated encryption with authenticated data
+ (AEAD) construction in
+ <a class="Xr" title="Xr" href="crypto_lock_aead.html">crypto_lock_aead(3monocypher)</a>.
+ This most likely has no practical application but is exposed for the sake
+ of completeness. This parameter may be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">ad_size</var> is zero.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ad_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">ad</var>, in bytes.
+ Must be zero if there is no additional data.</dd>
+</dl>
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following example assumes the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+This example shows how to hash a password with the recommended baseline
+ parameters:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash[32]; /* Output hash */
+char *password = &quot;Okay Password!&quot;; /* User's password */
+uint32_t password_size = 14; /* Password length */
+uint8_t salt[16]; /* Random salt */
+const uint32_t nb_blocks = 100000; /* 100 megabytes */
+const uint32_t nb_iterations = 3; /* 3 iterations */
+void *work_area = malloc(nb_blocks * 1024); /* Work area */
+if (work_area == NULL) {
+ /* Handle malloc() failure */
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(password, password_size);
+} else {
+ arc4random_buf(salt, 16);
+ crypto_argon2i(hash, 32,
+ work_area, nb_blocks, nb_iterations,
+ (uint8_t *)password, password_size,
+ salt, 16);
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(password, password_size);
+ free(work_area);
+}
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Argon2i. An RFC draft is being maintained.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_argon2i_general</b>() function first
+ appeared in Monocypher 0.1 but was called
+ <b class="Fn" title="Fn">crypto_argon2i</b>(); it was renamed to its current
+ name in Monocypher 1.1.0. The current
+ <b class="Fn" title="Fn">crypto_argon2i</b>() first appeared in Monocypher
+ 1.1.0.
+<h1 class="Sh" title="Sh" id="CAVEATS"><a class="selflink" href="#CAVEATS">CAVEATS</a></h1>
+Any deviation from the specified input and output length ranges results in
+ <b class="Sy" title="Sy">undefined behaviour</b>. Make sure your inputs are
+ correct.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">April 8, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_argon2i_general.html b/vendor/doc/html/crypto_argon2i_general.html
new file mode 100644
index 0000000..ea49288
--- /dev/null
+++ b/vendor/doc/html/crypto_argon2i_general.html
@@ -0,0 +1,258 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_ARGON2I(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_ARGON2I(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_ARGON2I(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_argon2i</b> &#x2014;
+ <span class="Nd" title="Nd">password key derivation</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_argon2i</b>(<var class="Fa" title="Fa">uint8_t
+ *hash</var>, <var class="Fa" title="Fa">uint32_t hash_size</var>,
+ <var class="Fa" title="Fa">void *work_area</var>,
+ <var class="Fa" title="Fa">uint32_t nb_blocks</var>,
+ <var class="Fa" title="Fa">uint32_t nb_iterations</var>,
+ <var class="Fa" title="Fa">const uint8_t *password</var>,
+ <var class="Fa" title="Fa">uint32_t password_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *salt</var>,
+ <var class="Fa" title="Fa">uint32_t salt_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_argon2i_general</b>(<var class="Fa" title="Fa">uint8_t
+ *hash</var>, <var class="Fa" title="Fa">uint32_t hash_size</var>,
+ <var class="Fa" title="Fa">void *work_area</var>,
+ <var class="Fa" title="Fa">uint32_t nb_blocks</var>,
+ <var class="Fa" title="Fa">uint32_t nb_iterations</var>,
+ <var class="Fa" title="Fa">const uint8_t *password</var>,
+ <var class="Fa" title="Fa">uint32_t password_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *salt</var>,
+ <var class="Fa" title="Fa">uint32_t salt_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">uint32_t key_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">uint32_t ad_size</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+Argon2i is a resource intensive password key derivation scheme optimised for the
+ typical x86-like processor. It runs in constant time with respect to the
+ contents of the password.
+<div class="Pp"></div>
+Typical applications are password checking (for online services), and key
+ derivation (for encryption). Derived keys can be used to encrypt, for example,
+ private keys or password databases.
+<div class="Pp"></div>
+The version provided by Monocypher has no threading support, so the degree of
+ parallelism is limited to 1. This is considered good enough for most purposes.
+<div class="Pp"></div>
+The arguments to <b class="Fn" title="Fn">crypto_argon2i</b>() are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash</var></dt>
+ <dd class="It-tag">The output hash.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">hash</var>, in bytes.
+ This argument should be set to 32 or 64 for compatibility with the
+ <b class="Fn" title="Fn">crypto_verify*</b>() constant time comparison
+ functions.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">work_area</var></dt>
+ <dd class="It-tag">Temporary buffer for the algorithm, allocated by the
+ caller. It must be <var class="Fa" title="Fa">nb_blocks</var> &#x00D7;
+ 1024 bytes big, and suitably aligned for 64-bit integers. If you are not
+ sure how to allocate that buffer, just use
+ <b class="Fn" title="Fn">malloc</b>().
+ <div class="Pp"></div>
+ The work area is automatically wiped by
+ <b class="Fn" title="Fn">crypto_argon2i</b>().</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">nb_blocks</var></dt>
+ <dd class="It-tag">The number of blocks for the work area. Must be at least 8.
+ A value of 100000 (one hundred megabytes) is a good starting point. If the
+ computation takes too long, reduce this number. If it is too fast,
+ increase this number. If it is still too fast with all available memory,
+ increase <var class="Fa" title="Fa">nb_iterations</var>.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">nb_iterations</var></dt>
+ <dd class="It-tag">The number of iterations. It must be at least 1. A value of
+ 3 is <i class="Em" title="Em">strongly</i> recommended; any value lower
+ than 3 enables significantly more efficient attacks.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">password</var></dt>
+ <dd class="It-tag">The password to hash. It should be wiped with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ after being hashed.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">password_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">password</var>, in
+ bytes.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">salt</var></dt>
+ <dd class="It-tag">A password salt. This should be filled with random bytes,
+ generated separately for each password to be hashed. See
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about generating random bytes (use the operating system's random
+ number generator).</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">salt_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">salt</var>, in bytes.
+ Must be at least 8. 16 is recommended.</dd>
+</dl>
+<div class="Pp"></div>
+The output hash must not overlap with the work area, or it will be wiped along
+ with it. Any other overlap is permitted.
+<div class="Pp"></div>
+Use
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify32.html">crypto_verify32(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_verify64.html">crypto_verify64(3monocypher)</a>
+ to compare password hashes to prevent timing attacks.
+<div class="Pp"></div>
+To select the <var class="Fa" title="Fa">nb_blocks</var> and
+ <var class="Fa" title="Fa">nb_iterations</var> parameters, it should first be
+ decided how long the computation should take. For user authentication, values
+ somewhere between half a second (convenient) and several seconds (paranoid)
+ are recommended. The computation should use as much memory as can be spared.
+<div class="Pp"></div>
+Since parameter selection depends on your hardware, some trial and error will be
+ required in order to determine the ideal settings. Three iterations and 100000
+ blocks (that is, one hundred megabytes of memory) is a good starting point.
+ Adjust <var class="Fa" title="Fa">nb_blocks</var> first. If using all
+ available memory is not slow enough, increase
+ <var class="Fa" title="Fa">nb_iterations</var>.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_argon2i_general</b>() is a variant of
+ <b class="Fn" title="Fn">crypto_argon2i</b>() that supports keyed hashing and
+ hashing of additional data. The additional arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">A key to use in the hash. Can be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">key_size</var> is zero. The key is generally
+ not needed, but it does have some uses. In the context of password
+ derivation, it would be stored separately from the password database, and
+ would remain secret even if an attacker were to steal the database. Note
+ that changing the key requires rehashing the user's password, which is
+ only possible upon user login.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">key</var>, in bytes.
+ Must be zero if there is no key.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ad</var></dt>
+ <dd class="It-tag">Additional data. This is additional data that goes into the
+ hash, similar to the authenticated encryption with authenticated data
+ (AEAD) construction in
+ <a class="Xr" title="Xr" href="crypto_lock_aead.html">crypto_lock_aead(3monocypher)</a>.
+ This most likely has no practical application but is exposed for the sake
+ of completeness. This parameter may be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">ad_size</var> is zero.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ad_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">ad</var>, in bytes.
+ Must be zero if there is no additional data.</dd>
+</dl>
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following example assumes the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+This example shows how to hash a password with the recommended baseline
+ parameters:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash[32]; /* Output hash */
+char *password = &quot;Okay Password!&quot;; /* User's password */
+uint32_t password_size = 14; /* Password length */
+uint8_t salt[16]; /* Random salt */
+const uint32_t nb_blocks = 100000; /* 100 megabytes */
+const uint32_t nb_iterations = 3; /* 3 iterations */
+void *work_area = malloc(nb_blocks * 1024); /* Work area */
+if (work_area == NULL) {
+ /* Handle malloc() failure */
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(password, password_size);
+} else {
+ arc4random_buf(salt, 16);
+ crypto_argon2i(hash, 32,
+ work_area, nb_blocks, nb_iterations,
+ (uint8_t *)password, password_size,
+ salt, 16);
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(password, password_size);
+ free(work_area);
+}
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Argon2i. An RFC draft is being maintained.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_argon2i_general</b>() function first
+ appeared in Monocypher 0.1 but was called
+ <b class="Fn" title="Fn">crypto_argon2i</b>(); it was renamed to its current
+ name in Monocypher 1.1.0. The current
+ <b class="Fn" title="Fn">crypto_argon2i</b>() first appeared in Monocypher
+ 1.1.0.
+<h1 class="Sh" title="Sh" id="CAVEATS"><a class="selflink" href="#CAVEATS">CAVEATS</a></h1>
+Any deviation from the specified input and output length ranges results in
+ <b class="Sy" title="Sy">undefined behaviour</b>. Make sure your inputs are
+ correct.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">April 8, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_blake2b.html b/vendor/doc/html/crypto_blake2b.html
new file mode 100644
index 0000000..727a748
--- /dev/null
+++ b/vendor/doc/html/crypto_blake2b.html
@@ -0,0 +1,279 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_BLAKE2B(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_BLAKE2B(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_BLAKE2B(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_blake2b</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_general</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_general_init</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_init</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_update</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_final</b> &#x2014;
+ <span class="Nd" title="Nd">cryptographic hashing</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b</b>(<var class="Fa" title="Fa">uint8_t
+ hash[64]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_general</b>(<var class="Fa" title="Fa">uint8_t
+ *hash</var>, <var class="Fa" title="Fa">size_t hash_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_init</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_general_init</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">size_t hash_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_update</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_final</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *hash</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20.
+ It is faster than MD5, yet just as secure as SHA-3.
+<div class="Pp"></div>
+Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys
+ from them; use the
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ family of functions for that purpose instead.
+<div class="Pp"></div>
+BLAKE2b is immune to length extension attacks, and as such does not require any
+ specific precautions, such as using the HMAC algorithm.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash</var></dt>
+ <dd class="It-tag">The output hash.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">hash</var>, in bytes.
+ Must be between 1 and 64. Anything below 32 is discouraged when using
+ Blake2b as a general-purpose hash function; anything below 16 is
+ discouraged when using Blake2b as a message authentication code.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">Some secret key. One cannot predict the final hash without
+ it. May be <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">key_size</var> is 0, in which case no key is
+ used. Keys can be used to create a message authentication code (MAC). Use
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify32.html">crypto_verify32(3monocypher)</a>,
+ or
+ <a class="Xr" title="Xr" href="crypto_verify64.html">crypto_verify64(3monocypher)</a>
+ to compare MACs created this way. Choose the size of the hash accordingly.
+ Users may want to wipe the key with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ once they are done with it.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">key</var>, in bytes.
+ Must be between 0 and 64. 32 is a good default.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message</var></dt>
+ <dd class="It-tag">The message to hash. May overlap with
+ <var class="Fa" title="Fa">hash</var>. May be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">message_size</var> is 0.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">message</var>, in
+ bytes.</dd>
+</dl>
+<h2 class="Ss" title="Ss" id="Direct_interface"><a class="selflink" href="#Direct_interface">Direct
+ interface</a></h2>
+The direct interface has two functions,
+ <b class="Fn" title="Fn">crypto_blake2b</b>() and
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>().
+ <b class="Fn" title="Fn">crypto_blake2b</b>() is provided for convenience, and
+ is equivalent to calling <b class="Fn" title="Fn">crypto_blake2b_general</b>()
+ with no key and a 64-byte hash.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_blake2b_general</b>() users can specify the size
+ of the hash, and use a secret key to make the hash unpredictable &#x2013;
+ useful for message authentication codes. Even when using a key, you do not
+ have to wipe the context struct with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>.
+<h2 class="Ss" title="Ss" id="Incremental_interface"><a class="selflink" href="#Incremental_interface">Incremental
+ interface</a></h2>
+The incremental interface is useful for handling streams of data or large files
+ without using too much memory. This interface uses three steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">initialisation with
+ <b class="Fn" title="Fn">crypto_blake2b_general_init</b>() or
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>(), which sets up a
+ context with the hashing parameters;</li>
+ <li class="It-bullet">update with
+ <b class="Fn" title="Fn">crypto_blake2b_update</b>(), which hashes the
+ message chunk by chunk, and keep the intermediary result in the
+ context;</li>
+ <li class="It-bullet">and finalisation with
+ <b class="Fn" title="Fn">crypto_blake2b_final</b>(), which produces the
+ final hash. The <var class="Ft" title="Ft">crypto_blake2b_ctx</var> is
+ automatically wiped upon finalisation.</li>
+</ul>
+<div class="Pp"></div>
+The invariants of the parameters are the same as for
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>().
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>() is a convenience
+ initialisation function that specifies a 64-byte hash and no key. This is
+ considered a good default.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Hashing a message all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (64 bytes) */
+uint8_t message[12] = &quot;Lorem ipsum&quot;; /* Message to hash */
+crypto_blake2b(hash, message, 12);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [16];
+uint8_t key [32];
+uint8_t message[11] = &quot;Lorem ipsu&quot;; /* Message to authenticate */
+arc4random_buf(key, 32);
+crypto_blake2b_general(hash, 16, key, 32, message, 11);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(message, 11);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Hashing a message incrementally (without a key):
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [ 64]; /* Output hash (64 bytes) */
+uint8_t message[500] = {1}; /* Message to hash */
+crypto_blake2b_ctx ctx;
+crypto_blake2b_init(&amp;ctx);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_blake2b_update(&amp;ctx, message + i, 100);
+}
+crypto_blake2b_final(&amp;ctx, hash);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code incrementally:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [ 16];
+uint8_t key [ 32];
+uint8_t message[500] = {1}; /* Message to authenticate */
+crypto_blake2b_ctx ctx;
+arc4random_buf(key, 32);
+crypto_blake2b_general_init(&amp;ctx, 16, key, 32);
+/* Wipe the key */
+crypto_wipe(key, 32);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_blake2b_update(&amp;ctx, message + i, 100);
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(message + i, 100);
+}
+crypto_blake2b_final(&amp;ctx, hash);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement BLAKE2b, described in RFC 7693.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_blake2b</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_general_init</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_update</b>(), and
+ <b class="Fn" title="Fn">crypto_blake2b_final</b>() functions first appeared
+ in Monocypher 0.1.
+<h1 class="Sh" title="Sh" id="CAVEATS"><a class="selflink" href="#CAVEATS">CAVEATS</a></h1>
+Monocypher does not perform any input validation. Any deviation from the
+ specified input and output length ranges results in
+ <b class="Sy" title="Sy">undefined behaviour</b>. Make sure your inputs are
+ correct.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+BLAKE2b is a general-purpose cryptographic hash function; this means that it is
+ not suited for hashing passwords and deriving cryptographic keys from
+ passwords in particular. While cryptographic keys usually have hundreds of
+ bits of entropy, passwords are often much less complex. When storing passwords
+ as hashes or when deriving keys from them, the goal is normally to prevent
+ attackers from quickly iterating all possible passwords. Because passwords
+ tend to be simple, it is important to artificially slow down attackers by
+ using especially computationally difficult hashing algorithms. Monocypher
+ therefore provides
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ for password hashing and deriving keys from passwords.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_blake2b_final.html b/vendor/doc/html/crypto_blake2b_final.html
new file mode 100644
index 0000000..727a748
--- /dev/null
+++ b/vendor/doc/html/crypto_blake2b_final.html
@@ -0,0 +1,279 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_BLAKE2B(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_BLAKE2B(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_BLAKE2B(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_blake2b</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_general</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_general_init</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_init</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_update</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_final</b> &#x2014;
+ <span class="Nd" title="Nd">cryptographic hashing</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b</b>(<var class="Fa" title="Fa">uint8_t
+ hash[64]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_general</b>(<var class="Fa" title="Fa">uint8_t
+ *hash</var>, <var class="Fa" title="Fa">size_t hash_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_init</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_general_init</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">size_t hash_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_update</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_final</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *hash</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20.
+ It is faster than MD5, yet just as secure as SHA-3.
+<div class="Pp"></div>
+Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys
+ from them; use the
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ family of functions for that purpose instead.
+<div class="Pp"></div>
+BLAKE2b is immune to length extension attacks, and as such does not require any
+ specific precautions, such as using the HMAC algorithm.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash</var></dt>
+ <dd class="It-tag">The output hash.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">hash</var>, in bytes.
+ Must be between 1 and 64. Anything below 32 is discouraged when using
+ Blake2b as a general-purpose hash function; anything below 16 is
+ discouraged when using Blake2b as a message authentication code.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">Some secret key. One cannot predict the final hash without
+ it. May be <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">key_size</var> is 0, in which case no key is
+ used. Keys can be used to create a message authentication code (MAC). Use
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify32.html">crypto_verify32(3monocypher)</a>,
+ or
+ <a class="Xr" title="Xr" href="crypto_verify64.html">crypto_verify64(3monocypher)</a>
+ to compare MACs created this way. Choose the size of the hash accordingly.
+ Users may want to wipe the key with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ once they are done with it.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">key</var>, in bytes.
+ Must be between 0 and 64. 32 is a good default.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message</var></dt>
+ <dd class="It-tag">The message to hash. May overlap with
+ <var class="Fa" title="Fa">hash</var>. May be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">message_size</var> is 0.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">message</var>, in
+ bytes.</dd>
+</dl>
+<h2 class="Ss" title="Ss" id="Direct_interface"><a class="selflink" href="#Direct_interface">Direct
+ interface</a></h2>
+The direct interface has two functions,
+ <b class="Fn" title="Fn">crypto_blake2b</b>() and
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>().
+ <b class="Fn" title="Fn">crypto_blake2b</b>() is provided for convenience, and
+ is equivalent to calling <b class="Fn" title="Fn">crypto_blake2b_general</b>()
+ with no key and a 64-byte hash.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_blake2b_general</b>() users can specify the size
+ of the hash, and use a secret key to make the hash unpredictable &#x2013;
+ useful for message authentication codes. Even when using a key, you do not
+ have to wipe the context struct with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>.
+<h2 class="Ss" title="Ss" id="Incremental_interface"><a class="selflink" href="#Incremental_interface">Incremental
+ interface</a></h2>
+The incremental interface is useful for handling streams of data or large files
+ without using too much memory. This interface uses three steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">initialisation with
+ <b class="Fn" title="Fn">crypto_blake2b_general_init</b>() or
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>(), which sets up a
+ context with the hashing parameters;</li>
+ <li class="It-bullet">update with
+ <b class="Fn" title="Fn">crypto_blake2b_update</b>(), which hashes the
+ message chunk by chunk, and keep the intermediary result in the
+ context;</li>
+ <li class="It-bullet">and finalisation with
+ <b class="Fn" title="Fn">crypto_blake2b_final</b>(), which produces the
+ final hash. The <var class="Ft" title="Ft">crypto_blake2b_ctx</var> is
+ automatically wiped upon finalisation.</li>
+</ul>
+<div class="Pp"></div>
+The invariants of the parameters are the same as for
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>().
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>() is a convenience
+ initialisation function that specifies a 64-byte hash and no key. This is
+ considered a good default.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Hashing a message all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (64 bytes) */
+uint8_t message[12] = &quot;Lorem ipsum&quot;; /* Message to hash */
+crypto_blake2b(hash, message, 12);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [16];
+uint8_t key [32];
+uint8_t message[11] = &quot;Lorem ipsu&quot;; /* Message to authenticate */
+arc4random_buf(key, 32);
+crypto_blake2b_general(hash, 16, key, 32, message, 11);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(message, 11);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Hashing a message incrementally (without a key):
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [ 64]; /* Output hash (64 bytes) */
+uint8_t message[500] = {1}; /* Message to hash */
+crypto_blake2b_ctx ctx;
+crypto_blake2b_init(&amp;ctx);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_blake2b_update(&amp;ctx, message + i, 100);
+}
+crypto_blake2b_final(&amp;ctx, hash);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code incrementally:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [ 16];
+uint8_t key [ 32];
+uint8_t message[500] = {1}; /* Message to authenticate */
+crypto_blake2b_ctx ctx;
+arc4random_buf(key, 32);
+crypto_blake2b_general_init(&amp;ctx, 16, key, 32);
+/* Wipe the key */
+crypto_wipe(key, 32);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_blake2b_update(&amp;ctx, message + i, 100);
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(message + i, 100);
+}
+crypto_blake2b_final(&amp;ctx, hash);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement BLAKE2b, described in RFC 7693.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_blake2b</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_general_init</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_update</b>(), and
+ <b class="Fn" title="Fn">crypto_blake2b_final</b>() functions first appeared
+ in Monocypher 0.1.
+<h1 class="Sh" title="Sh" id="CAVEATS"><a class="selflink" href="#CAVEATS">CAVEATS</a></h1>
+Monocypher does not perform any input validation. Any deviation from the
+ specified input and output length ranges results in
+ <b class="Sy" title="Sy">undefined behaviour</b>. Make sure your inputs are
+ correct.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+BLAKE2b is a general-purpose cryptographic hash function; this means that it is
+ not suited for hashing passwords and deriving cryptographic keys from
+ passwords in particular. While cryptographic keys usually have hundreds of
+ bits of entropy, passwords are often much less complex. When storing passwords
+ as hashes or when deriving keys from them, the goal is normally to prevent
+ attackers from quickly iterating all possible passwords. Because passwords
+ tend to be simple, it is important to artificially slow down attackers by
+ using especially computationally difficult hashing algorithms. Monocypher
+ therefore provides
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ for password hashing and deriving keys from passwords.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_blake2b_general.html b/vendor/doc/html/crypto_blake2b_general.html
new file mode 100644
index 0000000..727a748
--- /dev/null
+++ b/vendor/doc/html/crypto_blake2b_general.html
@@ -0,0 +1,279 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_BLAKE2B(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_BLAKE2B(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_BLAKE2B(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_blake2b</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_general</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_general_init</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_init</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_update</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_final</b> &#x2014;
+ <span class="Nd" title="Nd">cryptographic hashing</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b</b>(<var class="Fa" title="Fa">uint8_t
+ hash[64]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_general</b>(<var class="Fa" title="Fa">uint8_t
+ *hash</var>, <var class="Fa" title="Fa">size_t hash_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_init</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_general_init</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">size_t hash_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_update</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_final</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *hash</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20.
+ It is faster than MD5, yet just as secure as SHA-3.
+<div class="Pp"></div>
+Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys
+ from them; use the
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ family of functions for that purpose instead.
+<div class="Pp"></div>
+BLAKE2b is immune to length extension attacks, and as such does not require any
+ specific precautions, such as using the HMAC algorithm.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash</var></dt>
+ <dd class="It-tag">The output hash.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">hash</var>, in bytes.
+ Must be between 1 and 64. Anything below 32 is discouraged when using
+ Blake2b as a general-purpose hash function; anything below 16 is
+ discouraged when using Blake2b as a message authentication code.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">Some secret key. One cannot predict the final hash without
+ it. May be <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">key_size</var> is 0, in which case no key is
+ used. Keys can be used to create a message authentication code (MAC). Use
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify32.html">crypto_verify32(3monocypher)</a>,
+ or
+ <a class="Xr" title="Xr" href="crypto_verify64.html">crypto_verify64(3monocypher)</a>
+ to compare MACs created this way. Choose the size of the hash accordingly.
+ Users may want to wipe the key with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ once they are done with it.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">key</var>, in bytes.
+ Must be between 0 and 64. 32 is a good default.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message</var></dt>
+ <dd class="It-tag">The message to hash. May overlap with
+ <var class="Fa" title="Fa">hash</var>. May be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">message_size</var> is 0.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">message</var>, in
+ bytes.</dd>
+</dl>
+<h2 class="Ss" title="Ss" id="Direct_interface"><a class="selflink" href="#Direct_interface">Direct
+ interface</a></h2>
+The direct interface has two functions,
+ <b class="Fn" title="Fn">crypto_blake2b</b>() and
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>().
+ <b class="Fn" title="Fn">crypto_blake2b</b>() is provided for convenience, and
+ is equivalent to calling <b class="Fn" title="Fn">crypto_blake2b_general</b>()
+ with no key and a 64-byte hash.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_blake2b_general</b>() users can specify the size
+ of the hash, and use a secret key to make the hash unpredictable &#x2013;
+ useful for message authentication codes. Even when using a key, you do not
+ have to wipe the context struct with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>.
+<h2 class="Ss" title="Ss" id="Incremental_interface"><a class="selflink" href="#Incremental_interface">Incremental
+ interface</a></h2>
+The incremental interface is useful for handling streams of data or large files
+ without using too much memory. This interface uses three steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">initialisation with
+ <b class="Fn" title="Fn">crypto_blake2b_general_init</b>() or
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>(), which sets up a
+ context with the hashing parameters;</li>
+ <li class="It-bullet">update with
+ <b class="Fn" title="Fn">crypto_blake2b_update</b>(), which hashes the
+ message chunk by chunk, and keep the intermediary result in the
+ context;</li>
+ <li class="It-bullet">and finalisation with
+ <b class="Fn" title="Fn">crypto_blake2b_final</b>(), which produces the
+ final hash. The <var class="Ft" title="Ft">crypto_blake2b_ctx</var> is
+ automatically wiped upon finalisation.</li>
+</ul>
+<div class="Pp"></div>
+The invariants of the parameters are the same as for
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>().
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>() is a convenience
+ initialisation function that specifies a 64-byte hash and no key. This is
+ considered a good default.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Hashing a message all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (64 bytes) */
+uint8_t message[12] = &quot;Lorem ipsum&quot;; /* Message to hash */
+crypto_blake2b(hash, message, 12);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [16];
+uint8_t key [32];
+uint8_t message[11] = &quot;Lorem ipsu&quot;; /* Message to authenticate */
+arc4random_buf(key, 32);
+crypto_blake2b_general(hash, 16, key, 32, message, 11);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(message, 11);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Hashing a message incrementally (without a key):
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [ 64]; /* Output hash (64 bytes) */
+uint8_t message[500] = {1}; /* Message to hash */
+crypto_blake2b_ctx ctx;
+crypto_blake2b_init(&amp;ctx);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_blake2b_update(&amp;ctx, message + i, 100);
+}
+crypto_blake2b_final(&amp;ctx, hash);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code incrementally:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [ 16];
+uint8_t key [ 32];
+uint8_t message[500] = {1}; /* Message to authenticate */
+crypto_blake2b_ctx ctx;
+arc4random_buf(key, 32);
+crypto_blake2b_general_init(&amp;ctx, 16, key, 32);
+/* Wipe the key */
+crypto_wipe(key, 32);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_blake2b_update(&amp;ctx, message + i, 100);
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(message + i, 100);
+}
+crypto_blake2b_final(&amp;ctx, hash);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement BLAKE2b, described in RFC 7693.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_blake2b</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_general_init</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_update</b>(), and
+ <b class="Fn" title="Fn">crypto_blake2b_final</b>() functions first appeared
+ in Monocypher 0.1.
+<h1 class="Sh" title="Sh" id="CAVEATS"><a class="selflink" href="#CAVEATS">CAVEATS</a></h1>
+Monocypher does not perform any input validation. Any deviation from the
+ specified input and output length ranges results in
+ <b class="Sy" title="Sy">undefined behaviour</b>. Make sure your inputs are
+ correct.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+BLAKE2b is a general-purpose cryptographic hash function; this means that it is
+ not suited for hashing passwords and deriving cryptographic keys from
+ passwords in particular. While cryptographic keys usually have hundreds of
+ bits of entropy, passwords are often much less complex. When storing passwords
+ as hashes or when deriving keys from them, the goal is normally to prevent
+ attackers from quickly iterating all possible passwords. Because passwords
+ tend to be simple, it is important to artificially slow down attackers by
+ using especially computationally difficult hashing algorithms. Monocypher
+ therefore provides
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ for password hashing and deriving keys from passwords.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_blake2b_general_init.html b/vendor/doc/html/crypto_blake2b_general_init.html
new file mode 100644
index 0000000..727a748
--- /dev/null
+++ b/vendor/doc/html/crypto_blake2b_general_init.html
@@ -0,0 +1,279 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_BLAKE2B(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_BLAKE2B(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_BLAKE2B(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_blake2b</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_general</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_general_init</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_init</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_update</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_final</b> &#x2014;
+ <span class="Nd" title="Nd">cryptographic hashing</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b</b>(<var class="Fa" title="Fa">uint8_t
+ hash[64]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_general</b>(<var class="Fa" title="Fa">uint8_t
+ *hash</var>, <var class="Fa" title="Fa">size_t hash_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_init</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_general_init</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">size_t hash_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_update</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_final</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *hash</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20.
+ It is faster than MD5, yet just as secure as SHA-3.
+<div class="Pp"></div>
+Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys
+ from them; use the
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ family of functions for that purpose instead.
+<div class="Pp"></div>
+BLAKE2b is immune to length extension attacks, and as such does not require any
+ specific precautions, such as using the HMAC algorithm.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash</var></dt>
+ <dd class="It-tag">The output hash.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">hash</var>, in bytes.
+ Must be between 1 and 64. Anything below 32 is discouraged when using
+ Blake2b as a general-purpose hash function; anything below 16 is
+ discouraged when using Blake2b as a message authentication code.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">Some secret key. One cannot predict the final hash without
+ it. May be <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">key_size</var> is 0, in which case no key is
+ used. Keys can be used to create a message authentication code (MAC). Use
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify32.html">crypto_verify32(3monocypher)</a>,
+ or
+ <a class="Xr" title="Xr" href="crypto_verify64.html">crypto_verify64(3monocypher)</a>
+ to compare MACs created this way. Choose the size of the hash accordingly.
+ Users may want to wipe the key with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ once they are done with it.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">key</var>, in bytes.
+ Must be between 0 and 64. 32 is a good default.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message</var></dt>
+ <dd class="It-tag">The message to hash. May overlap with
+ <var class="Fa" title="Fa">hash</var>. May be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">message_size</var> is 0.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">message</var>, in
+ bytes.</dd>
+</dl>
+<h2 class="Ss" title="Ss" id="Direct_interface"><a class="selflink" href="#Direct_interface">Direct
+ interface</a></h2>
+The direct interface has two functions,
+ <b class="Fn" title="Fn">crypto_blake2b</b>() and
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>().
+ <b class="Fn" title="Fn">crypto_blake2b</b>() is provided for convenience, and
+ is equivalent to calling <b class="Fn" title="Fn">crypto_blake2b_general</b>()
+ with no key and a 64-byte hash.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_blake2b_general</b>() users can specify the size
+ of the hash, and use a secret key to make the hash unpredictable &#x2013;
+ useful for message authentication codes. Even when using a key, you do not
+ have to wipe the context struct with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>.
+<h2 class="Ss" title="Ss" id="Incremental_interface"><a class="selflink" href="#Incremental_interface">Incremental
+ interface</a></h2>
+The incremental interface is useful for handling streams of data or large files
+ without using too much memory. This interface uses three steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">initialisation with
+ <b class="Fn" title="Fn">crypto_blake2b_general_init</b>() or
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>(), which sets up a
+ context with the hashing parameters;</li>
+ <li class="It-bullet">update with
+ <b class="Fn" title="Fn">crypto_blake2b_update</b>(), which hashes the
+ message chunk by chunk, and keep the intermediary result in the
+ context;</li>
+ <li class="It-bullet">and finalisation with
+ <b class="Fn" title="Fn">crypto_blake2b_final</b>(), which produces the
+ final hash. The <var class="Ft" title="Ft">crypto_blake2b_ctx</var> is
+ automatically wiped upon finalisation.</li>
+</ul>
+<div class="Pp"></div>
+The invariants of the parameters are the same as for
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>().
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>() is a convenience
+ initialisation function that specifies a 64-byte hash and no key. This is
+ considered a good default.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Hashing a message all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (64 bytes) */
+uint8_t message[12] = &quot;Lorem ipsum&quot;; /* Message to hash */
+crypto_blake2b(hash, message, 12);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [16];
+uint8_t key [32];
+uint8_t message[11] = &quot;Lorem ipsu&quot;; /* Message to authenticate */
+arc4random_buf(key, 32);
+crypto_blake2b_general(hash, 16, key, 32, message, 11);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(message, 11);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Hashing a message incrementally (without a key):
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [ 64]; /* Output hash (64 bytes) */
+uint8_t message[500] = {1}; /* Message to hash */
+crypto_blake2b_ctx ctx;
+crypto_blake2b_init(&amp;ctx);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_blake2b_update(&amp;ctx, message + i, 100);
+}
+crypto_blake2b_final(&amp;ctx, hash);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code incrementally:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [ 16];
+uint8_t key [ 32];
+uint8_t message[500] = {1}; /* Message to authenticate */
+crypto_blake2b_ctx ctx;
+arc4random_buf(key, 32);
+crypto_blake2b_general_init(&amp;ctx, 16, key, 32);
+/* Wipe the key */
+crypto_wipe(key, 32);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_blake2b_update(&amp;ctx, message + i, 100);
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(message + i, 100);
+}
+crypto_blake2b_final(&amp;ctx, hash);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement BLAKE2b, described in RFC 7693.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_blake2b</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_general_init</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_update</b>(), and
+ <b class="Fn" title="Fn">crypto_blake2b_final</b>() functions first appeared
+ in Monocypher 0.1.
+<h1 class="Sh" title="Sh" id="CAVEATS"><a class="selflink" href="#CAVEATS">CAVEATS</a></h1>
+Monocypher does not perform any input validation. Any deviation from the
+ specified input and output length ranges results in
+ <b class="Sy" title="Sy">undefined behaviour</b>. Make sure your inputs are
+ correct.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+BLAKE2b is a general-purpose cryptographic hash function; this means that it is
+ not suited for hashing passwords and deriving cryptographic keys from
+ passwords in particular. While cryptographic keys usually have hundreds of
+ bits of entropy, passwords are often much less complex. When storing passwords
+ as hashes or when deriving keys from them, the goal is normally to prevent
+ attackers from quickly iterating all possible passwords. Because passwords
+ tend to be simple, it is important to artificially slow down attackers by
+ using especially computationally difficult hashing algorithms. Monocypher
+ therefore provides
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ for password hashing and deriving keys from passwords.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_blake2b_init.html b/vendor/doc/html/crypto_blake2b_init.html
new file mode 100644
index 0000000..727a748
--- /dev/null
+++ b/vendor/doc/html/crypto_blake2b_init.html
@@ -0,0 +1,279 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_BLAKE2B(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_BLAKE2B(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_BLAKE2B(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_blake2b</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_general</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_general_init</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_init</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_update</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_final</b> &#x2014;
+ <span class="Nd" title="Nd">cryptographic hashing</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b</b>(<var class="Fa" title="Fa">uint8_t
+ hash[64]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_general</b>(<var class="Fa" title="Fa">uint8_t
+ *hash</var>, <var class="Fa" title="Fa">size_t hash_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_init</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_general_init</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">size_t hash_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_update</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_final</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *hash</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20.
+ It is faster than MD5, yet just as secure as SHA-3.
+<div class="Pp"></div>
+Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys
+ from them; use the
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ family of functions for that purpose instead.
+<div class="Pp"></div>
+BLAKE2b is immune to length extension attacks, and as such does not require any
+ specific precautions, such as using the HMAC algorithm.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash</var></dt>
+ <dd class="It-tag">The output hash.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">hash</var>, in bytes.
+ Must be between 1 and 64. Anything below 32 is discouraged when using
+ Blake2b as a general-purpose hash function; anything below 16 is
+ discouraged when using Blake2b as a message authentication code.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">Some secret key. One cannot predict the final hash without
+ it. May be <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">key_size</var> is 0, in which case no key is
+ used. Keys can be used to create a message authentication code (MAC). Use
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify32.html">crypto_verify32(3monocypher)</a>,
+ or
+ <a class="Xr" title="Xr" href="crypto_verify64.html">crypto_verify64(3monocypher)</a>
+ to compare MACs created this way. Choose the size of the hash accordingly.
+ Users may want to wipe the key with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ once they are done with it.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">key</var>, in bytes.
+ Must be between 0 and 64. 32 is a good default.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message</var></dt>
+ <dd class="It-tag">The message to hash. May overlap with
+ <var class="Fa" title="Fa">hash</var>. May be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">message_size</var> is 0.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">message</var>, in
+ bytes.</dd>
+</dl>
+<h2 class="Ss" title="Ss" id="Direct_interface"><a class="selflink" href="#Direct_interface">Direct
+ interface</a></h2>
+The direct interface has two functions,
+ <b class="Fn" title="Fn">crypto_blake2b</b>() and
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>().
+ <b class="Fn" title="Fn">crypto_blake2b</b>() is provided for convenience, and
+ is equivalent to calling <b class="Fn" title="Fn">crypto_blake2b_general</b>()
+ with no key and a 64-byte hash.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_blake2b_general</b>() users can specify the size
+ of the hash, and use a secret key to make the hash unpredictable &#x2013;
+ useful for message authentication codes. Even when using a key, you do not
+ have to wipe the context struct with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>.
+<h2 class="Ss" title="Ss" id="Incremental_interface"><a class="selflink" href="#Incremental_interface">Incremental
+ interface</a></h2>
+The incremental interface is useful for handling streams of data or large files
+ without using too much memory. This interface uses three steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">initialisation with
+ <b class="Fn" title="Fn">crypto_blake2b_general_init</b>() or
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>(), which sets up a
+ context with the hashing parameters;</li>
+ <li class="It-bullet">update with
+ <b class="Fn" title="Fn">crypto_blake2b_update</b>(), which hashes the
+ message chunk by chunk, and keep the intermediary result in the
+ context;</li>
+ <li class="It-bullet">and finalisation with
+ <b class="Fn" title="Fn">crypto_blake2b_final</b>(), which produces the
+ final hash. The <var class="Ft" title="Ft">crypto_blake2b_ctx</var> is
+ automatically wiped upon finalisation.</li>
+</ul>
+<div class="Pp"></div>
+The invariants of the parameters are the same as for
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>().
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>() is a convenience
+ initialisation function that specifies a 64-byte hash and no key. This is
+ considered a good default.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Hashing a message all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (64 bytes) */
+uint8_t message[12] = &quot;Lorem ipsum&quot;; /* Message to hash */
+crypto_blake2b(hash, message, 12);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [16];
+uint8_t key [32];
+uint8_t message[11] = &quot;Lorem ipsu&quot;; /* Message to authenticate */
+arc4random_buf(key, 32);
+crypto_blake2b_general(hash, 16, key, 32, message, 11);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(message, 11);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Hashing a message incrementally (without a key):
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [ 64]; /* Output hash (64 bytes) */
+uint8_t message[500] = {1}; /* Message to hash */
+crypto_blake2b_ctx ctx;
+crypto_blake2b_init(&amp;ctx);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_blake2b_update(&amp;ctx, message + i, 100);
+}
+crypto_blake2b_final(&amp;ctx, hash);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code incrementally:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [ 16];
+uint8_t key [ 32];
+uint8_t message[500] = {1}; /* Message to authenticate */
+crypto_blake2b_ctx ctx;
+arc4random_buf(key, 32);
+crypto_blake2b_general_init(&amp;ctx, 16, key, 32);
+/* Wipe the key */
+crypto_wipe(key, 32);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_blake2b_update(&amp;ctx, message + i, 100);
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(message + i, 100);
+}
+crypto_blake2b_final(&amp;ctx, hash);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement BLAKE2b, described in RFC 7693.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_blake2b</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_general_init</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_update</b>(), and
+ <b class="Fn" title="Fn">crypto_blake2b_final</b>() functions first appeared
+ in Monocypher 0.1.
+<h1 class="Sh" title="Sh" id="CAVEATS"><a class="selflink" href="#CAVEATS">CAVEATS</a></h1>
+Monocypher does not perform any input validation. Any deviation from the
+ specified input and output length ranges results in
+ <b class="Sy" title="Sy">undefined behaviour</b>. Make sure your inputs are
+ correct.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+BLAKE2b is a general-purpose cryptographic hash function; this means that it is
+ not suited for hashing passwords and deriving cryptographic keys from
+ passwords in particular. While cryptographic keys usually have hundreds of
+ bits of entropy, passwords are often much less complex. When storing passwords
+ as hashes or when deriving keys from them, the goal is normally to prevent
+ attackers from quickly iterating all possible passwords. Because passwords
+ tend to be simple, it is important to artificially slow down attackers by
+ using especially computationally difficult hashing algorithms. Monocypher
+ therefore provides
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ for password hashing and deriving keys from passwords.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_blake2b_update.html b/vendor/doc/html/crypto_blake2b_update.html
new file mode 100644
index 0000000..727a748
--- /dev/null
+++ b/vendor/doc/html/crypto_blake2b_update.html
@@ -0,0 +1,279 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_BLAKE2B(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_BLAKE2B(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_BLAKE2B(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_blake2b</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_general</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_general_init</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_init</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_update</b>,
+ <b class="Nm" title="Nm">crypto_blake2b_final</b> &#x2014;
+ <span class="Nd" title="Nd">cryptographic hashing</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b</b>(<var class="Fa" title="Fa">uint8_t
+ hash[64]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_general</b>(<var class="Fa" title="Fa">uint8_t
+ *hash</var>, <var class="Fa" title="Fa">size_t hash_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_init</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_general_init</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">size_t hash_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_update</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_blake2b_final</b>(<var class="Fa" title="Fa">crypto_blake2b_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *hash</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+BLAKE2b is a fast cryptographically secure hash, based on the ideas of Chacha20.
+ It is faster than MD5, yet just as secure as SHA-3.
+<div class="Pp"></div>
+Note that BLAKE2b itself is not suitable for hashing passwords and deriving keys
+ from them; use the
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ family of functions for that purpose instead.
+<div class="Pp"></div>
+BLAKE2b is immune to length extension attacks, and as such does not require any
+ specific precautions, such as using the HMAC algorithm.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash</var></dt>
+ <dd class="It-tag">The output hash.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">hash</var>, in bytes.
+ Must be between 1 and 64. Anything below 32 is discouraged when using
+ Blake2b as a general-purpose hash function; anything below 16 is
+ discouraged when using Blake2b as a message authentication code.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">Some secret key. One cannot predict the final hash without
+ it. May be <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">key_size</var> is 0, in which case no key is
+ used. Keys can be used to create a message authentication code (MAC). Use
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify32.html">crypto_verify32(3monocypher)</a>,
+ or
+ <a class="Xr" title="Xr" href="crypto_verify64.html">crypto_verify64(3monocypher)</a>
+ to compare MACs created this way. Choose the size of the hash accordingly.
+ Users may want to wipe the key with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ once they are done with it.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">key</var>, in bytes.
+ Must be between 0 and 64. 32 is a good default.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message</var></dt>
+ <dd class="It-tag">The message to hash. May overlap with
+ <var class="Fa" title="Fa">hash</var>. May be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">message_size</var> is 0.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">message</var>, in
+ bytes.</dd>
+</dl>
+<h2 class="Ss" title="Ss" id="Direct_interface"><a class="selflink" href="#Direct_interface">Direct
+ interface</a></h2>
+The direct interface has two functions,
+ <b class="Fn" title="Fn">crypto_blake2b</b>() and
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>().
+ <b class="Fn" title="Fn">crypto_blake2b</b>() is provided for convenience, and
+ is equivalent to calling <b class="Fn" title="Fn">crypto_blake2b_general</b>()
+ with no key and a 64-byte hash.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_blake2b_general</b>() users can specify the size
+ of the hash, and use a secret key to make the hash unpredictable &#x2013;
+ useful for message authentication codes. Even when using a key, you do not
+ have to wipe the context struct with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>.
+<h2 class="Ss" title="Ss" id="Incremental_interface"><a class="selflink" href="#Incremental_interface">Incremental
+ interface</a></h2>
+The incremental interface is useful for handling streams of data or large files
+ without using too much memory. This interface uses three steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">initialisation with
+ <b class="Fn" title="Fn">crypto_blake2b_general_init</b>() or
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>(), which sets up a
+ context with the hashing parameters;</li>
+ <li class="It-bullet">update with
+ <b class="Fn" title="Fn">crypto_blake2b_update</b>(), which hashes the
+ message chunk by chunk, and keep the intermediary result in the
+ context;</li>
+ <li class="It-bullet">and finalisation with
+ <b class="Fn" title="Fn">crypto_blake2b_final</b>(), which produces the
+ final hash. The <var class="Ft" title="Ft">crypto_blake2b_ctx</var> is
+ automatically wiped upon finalisation.</li>
+</ul>
+<div class="Pp"></div>
+The invariants of the parameters are the same as for
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>().
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>() is a convenience
+ initialisation function that specifies a 64-byte hash and no key. This is
+ considered a good default.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Hashing a message all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (64 bytes) */
+uint8_t message[12] = &quot;Lorem ipsum&quot;; /* Message to hash */
+crypto_blake2b(hash, message, 12);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [16];
+uint8_t key [32];
+uint8_t message[11] = &quot;Lorem ipsu&quot;; /* Message to authenticate */
+arc4random_buf(key, 32);
+crypto_blake2b_general(hash, 16, key, 32, message, 11);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(message, 11);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Hashing a message incrementally (without a key):
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [ 64]; /* Output hash (64 bytes) */
+uint8_t message[500] = {1}; /* Message to hash */
+crypto_blake2b_ctx ctx;
+crypto_blake2b_init(&amp;ctx);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_blake2b_update(&amp;ctx, message + i, 100);
+}
+crypto_blake2b_final(&amp;ctx, hash);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code incrementally:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [ 16];
+uint8_t key [ 32];
+uint8_t message[500] = {1}; /* Message to authenticate */
+crypto_blake2b_ctx ctx;
+arc4random_buf(key, 32);
+crypto_blake2b_general_init(&amp;ctx, 16, key, 32);
+/* Wipe the key */
+crypto_wipe(key, 32);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_blake2b_update(&amp;ctx, message + i, 100);
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(message + i, 100);
+}
+crypto_blake2b_final(&amp;ctx, hash);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement BLAKE2b, described in RFC 7693.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_blake2b</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_general</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_general_init</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_init</b>(),
+ <b class="Fn" title="Fn">crypto_blake2b_update</b>(), and
+ <b class="Fn" title="Fn">crypto_blake2b_final</b>() functions first appeared
+ in Monocypher 0.1.
+<h1 class="Sh" title="Sh" id="CAVEATS"><a class="selflink" href="#CAVEATS">CAVEATS</a></h1>
+Monocypher does not perform any input validation. Any deviation from the
+ specified input and output length ranges results in
+ <b class="Sy" title="Sy">undefined behaviour</b>. Make sure your inputs are
+ correct.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+BLAKE2b is a general-purpose cryptographic hash function; this means that it is
+ not suited for hashing passwords and deriving cryptographic keys from
+ passwords in particular. While cryptographic keys usually have hundreds of
+ bits of entropy, passwords are often much less complex. When storing passwords
+ as hashes or when deriving keys from them, the goal is normally to prevent
+ attackers from quickly iterating all possible passwords. Because passwords
+ tend to be simple, it is important to artificially slow down attackers by
+ using especially computationally difficult hashing algorithms. Monocypher
+ therefore provides
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ for password hashing and deriving keys from passwords.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_chacha20.html b/vendor/doc/html/crypto_chacha20.html
new file mode 100644
index 0000000..a3c0ec7
--- /dev/null
+++ b/vendor/doc/html/crypto_chacha20.html
@@ -0,0 +1,331 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_CHACHA20(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_CHACHA20(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_CHACHA20(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_chacha20</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_ctr</b>,
+ <b class="Nm" title="Nm">crypto_xchacha20</b>,
+ <b class="Nm" title="Nm">crypto_xchacha20_ctr</b> &#x2014;
+ <span class="Nd" title="Nd">Chacha20 and XChacha20 encryption functions</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20</b>(<var class="Fa" title="Fa">uint8_t
+ *cipher_text</var>, <var class="Fa" title="Fa">const uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">size_t text_size</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[8]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_xchacha20</b>(<var class="Fa" title="Fa">uint8_t
+ *cipher_text</var>, <var class="Fa" title="Fa">const uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">size_t text_size</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">uint64_t</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_ctr</b>(<var class="Fa" title="Fa">uint8_t
+ *cipher_text</var>, <var class="Fa" title="Fa">const uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">size_t text_size</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[8]</var>,
+ <var class="Fa" title="Fa">uint64_t ctr</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">uint64_t</var>
+<br/>
+<b class="Fn" title="Fn">crypto_xchacha20_ctr</b>(<var class="Fa" title="Fa">uint8_t
+ *cipher_text</var>, <var class="Fa" title="Fa">const uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">size_t text_size</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">uint64_t ctr</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions provide an interface for the Chacha20 encryption primitive.
+<div class="Pp"></div>
+Chacha20 is a low-level primitive. Consider using authenticated encryption,
+ implemented by
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">A 32-byte secret key.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">nonce</var></dt>
+ <dd class="It-tag">An 8-byte or 24-byte number, used only once with any given
+ key. It does not need to be secret or random, but it does have to be
+ unique. Repeating a nonce with the same key reveals the XOR of two
+ different messages, which allows decryption. 24-byte nonces can be
+ selected at random. 8-byte nonces <i class="Em" title="Em">cannot</i>.
+ They are too small, and the same nonce may be selected twice by accident.
+ See <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about generating random numbers (use the operating system's random
+ number generator).</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">plain_text</var></dt>
+ <dd class="It-tag">The message to encrypt. It is allowed to be
+ <code class="Dv" title="Dv">NULL</code>, in which case it will be
+ interpreted as an all zero input.
+ <var class="Fa" title="Fa">cipher_text</var> will then contain the raw
+ Chacha20 stream.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">cipher_text</var></dt>
+ <dd class="It-tag">The encrypted message.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">text_size</var></dt>
+ <dd class="It-tag">Length of both <var class="Fa" title="Fa">plain_text</var>
+ and <var class="Fa" title="Fa">cipher_text</var>, in bytes.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ctr</var></dt>
+ <dd class="It-tag">The number of 64-byte blocks since the beginning of the
+ stream.</dd>
+</dl>
+<div class="Pp"></div>
+The <var class="Fa" title="Fa">key</var> and
+ <var class="Fa" title="Fa">nonce</var> buffers may overlap.
+ <var class="Fa" title="Fa">plain_text</var> and
+ <var class="Fa" title="Fa">cipher_text</var> must either be the same buffer
+ (for in-place encryption), or non-overlapping.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_chacha20</b>() performs a Chacha20 operation. It
+ uses an 8-byte nonce, which is too small to be selected at random. Use a
+ message counter as a nonce instead.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_xchacha20</b>() performs an XChacha20 operation.
+ It uses a 24-byte nonce, which is large enough to be selected at random.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_xchacha20</b>() is recommended over
+ <b class="Fn" title="Fn">crypto_chacha20</b>(). The ability to use random
+ nonces makes it easier to use securely, and the performance hit is often
+ negligible in practice.
+<div class="Pp"></div>
+The <b class="Fn" title="Fn">crypto_chacha20</b>() and
+ <b class="Fn" title="Fn">crypto_xchacha20</b>() encrypt
+ <var class="Fa" title="Fa">plain_text</var> by XORing it with a pseudo-random
+ stream of numbers, seeded by the provided <var class="Fa" title="Fa">key</var>
+ and <var class="Fa" title="Fa">nonce</var>.
+<div class="Pp"></div>
+Since XOR is its own inverse, decryption is the same operation as encryption. To
+ decrypt the cipher text, &#x201C;encrypt&#x201D; it again with the same key
+ and nonce. You will likely want to wipe the key when you are done with
+ encryption or decryption. Use
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ to wipe them.
+<div class="Pp"></div>
+The <var class="Fa" title="Fa">plain_text</var> pointer is allowed to be
+ <code class="Dv" title="Dv">NULL</code>, in which case it will be interpreted
+ as an all zero input. This is useful as a user space random number generator.
+ While <b class="Sy" title="Sy">this should not be used as a random number
+ generator for secrets</b>, for which the operating system random number
+ generator should be preferred, it can be handy outside of a security context.
+ Deterministic procedural generation and reproducible property-based tests come
+ to mind. Additionally, it <i class="Em" title="Em">can</i> be used to generate
+ large amounts of random-looking data quickly, for example to generate padding.
+<div class="Pp"></div>
+The <b class="Fn" title="Fn">crypto_chacha20_ctr</b>() and
+ <b class="Fn" title="Fn">crypto_xchacha20_ctr</b>() perform a Chacha20 or
+ XChacha20 encryption, respectively, starting the stream at the block
+ <var class="Fa" title="Fa">ctr</var> (which is the byte
+ &#x2018;<code class="Li">ctr &#x00D7; 64</code>&#x2019;). This can be used to
+ encrypt (or decrypt) part of a long message, or to implement some AEAD
+ constructions such as the one described in RFC 8439. Be careful when using
+ this not to accidentally reuse parts of the random stream as that would
+ destroy confidentiality.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_chacha20</b>() and
+ <b class="Fn" title="Fn">crypto_xchacha20</b>() return nothing.
+ <b class="Fn" title="Fn">crypto_chacha20_ctr</b>() and
+ <b class="Fn" title="Fn">crypto_xchacha20_ctr</b>() functions return the next
+ <var class="Fa" title="Fa">ctr</var> to use with the same key and nonce
+ values; this is always <var class="Fa" title="Fa">text_size</var> divided by
+ 64; plus one if there was a remainder.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Simple encryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [ 32]; /* Secret random key */
+uint8_t nonce [ 24]; /* Unique nonce (possibly random) */
+uint8_t plain_text [500] = {1}; /* Secret message */
+uint8_t cipher_text[500]; /* Encrypted message */
+arc4random_buf(key, 32);
+arc4random_buf(nonce, 24);
+crypto_xchacha20(cipher_text, plain_text, 500, key, nonce);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+crypto_wipe(plain_text, 500);
+</pre>
+</div>
+<div class="Pp"></div>
+To decrypt the above:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [ 32]; /* Same key as above */
+const uint8_t nonce [ 24]; /* Same nonce as above */
+uint8_t plain_text [500]; /* Message to decrypt */
+uint8_t cipher_text[500]; /* Secret message */
+crypto_xchacha20(cipher_text, plain_text, 500, key, nonce);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+/* The plain text likely needs to be processed before you wipe it */
+crypto_wipe(plain_text, 12);
+</pre>
+</div>
+<div class="Pp"></div>
+Incremental encryption (in blocks of 64 bytes):
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [ 32]; /* Secret random key */
+uint8_t nonce [ 24]; /* Unique nonce (possibly random) */
+uint8_t plain_text [500]; /* Secret message */
+uint8_t cipher_text[500]; /* Encrypted message */
+uint64_t ctr = 0; /* Block counter */
+unsigned int i;
+arc4random_buf(key, 32);
+arc4random_buf(nonce, 24);
+for(i = 0; i &lt; 500; i += 64) {
+ ctr = crypto_xchacha20_ctr(cipher_text+i, plain_text+i, 64,
+ key, nonce, ctr);
+}
+/* Process data that didn't fit into 64 byte pieces */
+crypto_xchacha20_ctr(cipher_text+500-(i-64),
+ plain_text+500-(i-64),
+ 500-(i-64),
+ key, nonce, ctr);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+crypto_wipe(plain_text, 500);
+</pre>
+</div>
+<div class="Pp"></div>
+Encryption by jumping around (do not do that, this is only meant to show how
+ <b class="Fn" title="Fn">crypto_xchacha20_ctr</b>() works):
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [ 32]; /* Secret random key */
+uint8_t nonce [ 24]; /* Unique nonce (possibly random) */
+uint8_t plain_text [500] = {1}; /* Message to be encrypted */
+uint8_t cipher_text[500]; /* Will be the encrypted message */
+arc4random_buf(key, 32);
+arc4random_buf(nonce, 24);
+/* Encrypt the second part of the message first... */
+crypto_xchacha20_ctr(cipher_text + (3 * 64),
+ plain_text + (3 * 64),
+ 500 - (3 * 64),
+ key, nonce, 3);
+/* ...then encrypt the first part */
+crypto_xchacha20_ctr(cipher_text, plain_text, 3 * 64, key, nonce, 0);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+crypto_wipe(plain_text, 500);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_ietf_chacha20.html">crypto_ietf_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Chacha20 and XChacha20. Chacha20 is described in:
+ <cite class="Rs" title="Rs"><span class="RsA">Daniel J. Bernstein</span>,
+ <span class="RsT">ChaCha, a variant of Salsa20</span>, <i class="RsJ">SASC
+ 2008 &#x2013; The State of the Art of Stream Ciphers</i>,
+ <span class="RsP">pp. 273&#x2013;278</span>.</cite> The nonce and counter
+ sizes were modified in RFC 8439. XChacha20 derives from Chacha20 the same way
+ XSalsa20 derives from Salsa20, and benefits from the same security reduction
+ (proven secure as long as Chacha20 itself is secure).
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+<b class="Fn" title="Fn">crypto_chacha20</b>(),
+ <b class="Fn" title="Fn">crypto_chacha20_ctr</b>(),
+ <b class="Fn" title="Fn">crypto_xchacha20</b>(), and
+ <b class="Fn" title="Fn">crypto_xchacha20_ctr</b>() were added in Monocypher
+ 3.0.0. They replace <b class="Fn" title="Fn">crypto_chacha20_encrypt</b>(),
+ <b class="Fn" title="Fn">crypto_chacha20_init</b>(),
+ <b class="Fn" title="Fn">crypto_chacha20_stream</b>(),
+ <b class="Fn" title="Fn">crypto_chacha20_x_init</b>(), and
+ <b class="Fn" title="Fn">crypto_chacha20_set_ctr</b>() that were deprecated in
+ Monocypher 3.0.0.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+<h2 class="Ss" title="Ss" id="Encrypted_does_not_mean_secure"><a class="selflink" href="#Encrypted_does_not_mean_secure">Encrypted
+ does not mean secure</a></h2>
+Chacha20 only protects against eavesdropping, not forgeries. Most applications
+ need protection against forgeries to be properly secure. To ensure the
+ integrity of a message, use Blake2b in keyed mode, or authenticated
+ encryption; see
+ <a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>.
+<h2 class="Ss" title="Ss" id="Nonce_reuse"><a class="selflink" href="#Nonce_reuse">Nonce
+ reuse</a></h2>
+Repeating a nonce with the same key exposes the XOR of two or more plain text
+ messages, effectively destroying confidentiality.
+<div class="Pp"></div>
+For the same reason, <b class="Sy" title="Sy">do not select small nonces at
+ random</b>. The <b class="Fn" title="Fn">crypto_chacha20</b>() nonce spans
+ only 64 bits, which is small enough to trigger accidental reuses. A message
+ counter should be used instead. If multiple parties send out messages, Each
+ can start with an initial nonce of 0, 1 .. n-1 respectively, and increment
+ them by n for each new message. Make sure the counters never wrap around.
+<h2 class="Ss" title="Ss" id="Secure_random_number_generation"><a class="selflink" href="#Secure_random_number_generation">Secure
+ random number generation</a></h2>
+Do not use these functions as a cryptographic random number generator. Always
+ use the operating system's random number generator for cryptographic purposes,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>.
+<h2 class="Ss" title="Ss" id="Protection_against_side_channels"><a class="selflink" href="#Protection_against_side_channels">Protection
+ against side channels</a></h2>
+Secrets should not dwell in memory longer than needed. Use
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ to erase secrets you no longer need. For Chacha20, this means the key and in
+ some cases the plain text itself.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_chacha20_H.html b/vendor/doc/html/crypto_chacha20_H.html
new file mode 100644
index 0000000..04177b6
--- /dev/null
+++ b/vendor/doc/html/crypto_chacha20_H.html
@@ -0,0 +1,110 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_HCHACHA20(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_HCHACHA20(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_HCHACHA20(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_hchacha20</b> &#x2014;
+ <span class="Nd" title="Nd">HChacha20 special-purpose hashing</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hchacha20</b>(<var class="Fa" title="Fa">uint8_t
+ out[32]</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t in[16]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+<b class="Fn" title="Fn">crypto_hchacha20</b>() provides a not-so-cryptographic
+ hash. It may be used for some specific purposes, such as X25519 key
+ derivation, or XChacha20 initialisation. If in doubt, do not use directly. Use
+ <a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>
+ instead.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">A sufficiently random key, such as the output of
+ <a class="Xr" title="Xr" href="crypto_x25519.html">crypto_x25519(3monocypher)</a>.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">in</var></dt>
+ <dd class="It-tag">The space reserved for the Chacha20 nonce and counter. It
+ does not have to be random.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">out</var></dt>
+ <dd class="It-tag">A cryptographically secure random number
+ <i class="Em" title="Em">if</i> there is enough entropy in
+ <var class="Fa" title="Fa">key</var>. X25519 shared secrets have enough
+ entropy.</dd>
+</dl>
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+This function returns nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following example assumes the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Simple hash:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key[32]; /* Must have enough entropy */
+uint8_t in [16]; /* Does not have to be random */
+uint8_t out[32]; /* Will be random iff the above holds */
+arc4random_buf(key, 32);
+crypto_hchacha20(out, key, in);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+crypto_wipe(in , 16);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_chacha20_encrypt.html">crypto_chacha20_encrypt(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+This function implements HChacha20. HChacha20 derives from Chacha20 the same way
+ HSalsa20 derives from Salsa20.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_hchacha20</b>() function first appeared in
+ Monocypher 0.1 as <b class="Fn" title="Fn">crypto_chacha20_H</b>(). It was
+ renamed to <b class="Fn" title="Fn">crypto_hchacha20</b>() in Monocypher
+ 3.0.0.
+<h1 class="Sh" title="Sh" id="CAVEATS"><a class="selflink" href="#CAVEATS">CAVEATS</a></h1>
+<b class="Sy" title="Sy">This is not a general-purpose cryptographic hash
+ function</b>.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 2, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_chacha20_ctr.html b/vendor/doc/html/crypto_chacha20_ctr.html
new file mode 100644
index 0000000..a3c0ec7
--- /dev/null
+++ b/vendor/doc/html/crypto_chacha20_ctr.html
@@ -0,0 +1,331 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_CHACHA20(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_CHACHA20(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_CHACHA20(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_chacha20</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_ctr</b>,
+ <b class="Nm" title="Nm">crypto_xchacha20</b>,
+ <b class="Nm" title="Nm">crypto_xchacha20_ctr</b> &#x2014;
+ <span class="Nd" title="Nd">Chacha20 and XChacha20 encryption functions</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20</b>(<var class="Fa" title="Fa">uint8_t
+ *cipher_text</var>, <var class="Fa" title="Fa">const uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">size_t text_size</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[8]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_xchacha20</b>(<var class="Fa" title="Fa">uint8_t
+ *cipher_text</var>, <var class="Fa" title="Fa">const uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">size_t text_size</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">uint64_t</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_ctr</b>(<var class="Fa" title="Fa">uint8_t
+ *cipher_text</var>, <var class="Fa" title="Fa">const uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">size_t text_size</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[8]</var>,
+ <var class="Fa" title="Fa">uint64_t ctr</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">uint64_t</var>
+<br/>
+<b class="Fn" title="Fn">crypto_xchacha20_ctr</b>(<var class="Fa" title="Fa">uint8_t
+ *cipher_text</var>, <var class="Fa" title="Fa">const uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">size_t text_size</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">uint64_t ctr</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions provide an interface for the Chacha20 encryption primitive.
+<div class="Pp"></div>
+Chacha20 is a low-level primitive. Consider using authenticated encryption,
+ implemented by
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">A 32-byte secret key.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">nonce</var></dt>
+ <dd class="It-tag">An 8-byte or 24-byte number, used only once with any given
+ key. It does not need to be secret or random, but it does have to be
+ unique. Repeating a nonce with the same key reveals the XOR of two
+ different messages, which allows decryption. 24-byte nonces can be
+ selected at random. 8-byte nonces <i class="Em" title="Em">cannot</i>.
+ They are too small, and the same nonce may be selected twice by accident.
+ See <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about generating random numbers (use the operating system's random
+ number generator).</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">plain_text</var></dt>
+ <dd class="It-tag">The message to encrypt. It is allowed to be
+ <code class="Dv" title="Dv">NULL</code>, in which case it will be
+ interpreted as an all zero input.
+ <var class="Fa" title="Fa">cipher_text</var> will then contain the raw
+ Chacha20 stream.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">cipher_text</var></dt>
+ <dd class="It-tag">The encrypted message.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">text_size</var></dt>
+ <dd class="It-tag">Length of both <var class="Fa" title="Fa">plain_text</var>
+ and <var class="Fa" title="Fa">cipher_text</var>, in bytes.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ctr</var></dt>
+ <dd class="It-tag">The number of 64-byte blocks since the beginning of the
+ stream.</dd>
+</dl>
+<div class="Pp"></div>
+The <var class="Fa" title="Fa">key</var> and
+ <var class="Fa" title="Fa">nonce</var> buffers may overlap.
+ <var class="Fa" title="Fa">plain_text</var> and
+ <var class="Fa" title="Fa">cipher_text</var> must either be the same buffer
+ (for in-place encryption), or non-overlapping.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_chacha20</b>() performs a Chacha20 operation. It
+ uses an 8-byte nonce, which is too small to be selected at random. Use a
+ message counter as a nonce instead.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_xchacha20</b>() performs an XChacha20 operation.
+ It uses a 24-byte nonce, which is large enough to be selected at random.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_xchacha20</b>() is recommended over
+ <b class="Fn" title="Fn">crypto_chacha20</b>(). The ability to use random
+ nonces makes it easier to use securely, and the performance hit is often
+ negligible in practice.
+<div class="Pp"></div>
+The <b class="Fn" title="Fn">crypto_chacha20</b>() and
+ <b class="Fn" title="Fn">crypto_xchacha20</b>() encrypt
+ <var class="Fa" title="Fa">plain_text</var> by XORing it with a pseudo-random
+ stream of numbers, seeded by the provided <var class="Fa" title="Fa">key</var>
+ and <var class="Fa" title="Fa">nonce</var>.
+<div class="Pp"></div>
+Since XOR is its own inverse, decryption is the same operation as encryption. To
+ decrypt the cipher text, &#x201C;encrypt&#x201D; it again with the same key
+ and nonce. You will likely want to wipe the key when you are done with
+ encryption or decryption. Use
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ to wipe them.
+<div class="Pp"></div>
+The <var class="Fa" title="Fa">plain_text</var> pointer is allowed to be
+ <code class="Dv" title="Dv">NULL</code>, in which case it will be interpreted
+ as an all zero input. This is useful as a user space random number generator.
+ While <b class="Sy" title="Sy">this should not be used as a random number
+ generator for secrets</b>, for which the operating system random number
+ generator should be preferred, it can be handy outside of a security context.
+ Deterministic procedural generation and reproducible property-based tests come
+ to mind. Additionally, it <i class="Em" title="Em">can</i> be used to generate
+ large amounts of random-looking data quickly, for example to generate padding.
+<div class="Pp"></div>
+The <b class="Fn" title="Fn">crypto_chacha20_ctr</b>() and
+ <b class="Fn" title="Fn">crypto_xchacha20_ctr</b>() perform a Chacha20 or
+ XChacha20 encryption, respectively, starting the stream at the block
+ <var class="Fa" title="Fa">ctr</var> (which is the byte
+ &#x2018;<code class="Li">ctr &#x00D7; 64</code>&#x2019;). This can be used to
+ encrypt (or decrypt) part of a long message, or to implement some AEAD
+ constructions such as the one described in RFC 8439. Be careful when using
+ this not to accidentally reuse parts of the random stream as that would
+ destroy confidentiality.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_chacha20</b>() and
+ <b class="Fn" title="Fn">crypto_xchacha20</b>() return nothing.
+ <b class="Fn" title="Fn">crypto_chacha20_ctr</b>() and
+ <b class="Fn" title="Fn">crypto_xchacha20_ctr</b>() functions return the next
+ <var class="Fa" title="Fa">ctr</var> to use with the same key and nonce
+ values; this is always <var class="Fa" title="Fa">text_size</var> divided by
+ 64; plus one if there was a remainder.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Simple encryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [ 32]; /* Secret random key */
+uint8_t nonce [ 24]; /* Unique nonce (possibly random) */
+uint8_t plain_text [500] = {1}; /* Secret message */
+uint8_t cipher_text[500]; /* Encrypted message */
+arc4random_buf(key, 32);
+arc4random_buf(nonce, 24);
+crypto_xchacha20(cipher_text, plain_text, 500, key, nonce);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+crypto_wipe(plain_text, 500);
+</pre>
+</div>
+<div class="Pp"></div>
+To decrypt the above:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [ 32]; /* Same key as above */
+const uint8_t nonce [ 24]; /* Same nonce as above */
+uint8_t plain_text [500]; /* Message to decrypt */
+uint8_t cipher_text[500]; /* Secret message */
+crypto_xchacha20(cipher_text, plain_text, 500, key, nonce);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+/* The plain text likely needs to be processed before you wipe it */
+crypto_wipe(plain_text, 12);
+</pre>
+</div>
+<div class="Pp"></div>
+Incremental encryption (in blocks of 64 bytes):
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [ 32]; /* Secret random key */
+uint8_t nonce [ 24]; /* Unique nonce (possibly random) */
+uint8_t plain_text [500]; /* Secret message */
+uint8_t cipher_text[500]; /* Encrypted message */
+uint64_t ctr = 0; /* Block counter */
+unsigned int i;
+arc4random_buf(key, 32);
+arc4random_buf(nonce, 24);
+for(i = 0; i &lt; 500; i += 64) {
+ ctr = crypto_xchacha20_ctr(cipher_text+i, plain_text+i, 64,
+ key, nonce, ctr);
+}
+/* Process data that didn't fit into 64 byte pieces */
+crypto_xchacha20_ctr(cipher_text+500-(i-64),
+ plain_text+500-(i-64),
+ 500-(i-64),
+ key, nonce, ctr);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+crypto_wipe(plain_text, 500);
+</pre>
+</div>
+<div class="Pp"></div>
+Encryption by jumping around (do not do that, this is only meant to show how
+ <b class="Fn" title="Fn">crypto_xchacha20_ctr</b>() works):
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [ 32]; /* Secret random key */
+uint8_t nonce [ 24]; /* Unique nonce (possibly random) */
+uint8_t plain_text [500] = {1}; /* Message to be encrypted */
+uint8_t cipher_text[500]; /* Will be the encrypted message */
+arc4random_buf(key, 32);
+arc4random_buf(nonce, 24);
+/* Encrypt the second part of the message first... */
+crypto_xchacha20_ctr(cipher_text + (3 * 64),
+ plain_text + (3 * 64),
+ 500 - (3 * 64),
+ key, nonce, 3);
+/* ...then encrypt the first part */
+crypto_xchacha20_ctr(cipher_text, plain_text, 3 * 64, key, nonce, 0);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+crypto_wipe(plain_text, 500);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_ietf_chacha20.html">crypto_ietf_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Chacha20 and XChacha20. Chacha20 is described in:
+ <cite class="Rs" title="Rs"><span class="RsA">Daniel J. Bernstein</span>,
+ <span class="RsT">ChaCha, a variant of Salsa20</span>, <i class="RsJ">SASC
+ 2008 &#x2013; The State of the Art of Stream Ciphers</i>,
+ <span class="RsP">pp. 273&#x2013;278</span>.</cite> The nonce and counter
+ sizes were modified in RFC 8439. XChacha20 derives from Chacha20 the same way
+ XSalsa20 derives from Salsa20, and benefits from the same security reduction
+ (proven secure as long as Chacha20 itself is secure).
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+<b class="Fn" title="Fn">crypto_chacha20</b>(),
+ <b class="Fn" title="Fn">crypto_chacha20_ctr</b>(),
+ <b class="Fn" title="Fn">crypto_xchacha20</b>(), and
+ <b class="Fn" title="Fn">crypto_xchacha20_ctr</b>() were added in Monocypher
+ 3.0.0. They replace <b class="Fn" title="Fn">crypto_chacha20_encrypt</b>(),
+ <b class="Fn" title="Fn">crypto_chacha20_init</b>(),
+ <b class="Fn" title="Fn">crypto_chacha20_stream</b>(),
+ <b class="Fn" title="Fn">crypto_chacha20_x_init</b>(), and
+ <b class="Fn" title="Fn">crypto_chacha20_set_ctr</b>() that were deprecated in
+ Monocypher 3.0.0.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+<h2 class="Ss" title="Ss" id="Encrypted_does_not_mean_secure"><a class="selflink" href="#Encrypted_does_not_mean_secure">Encrypted
+ does not mean secure</a></h2>
+Chacha20 only protects against eavesdropping, not forgeries. Most applications
+ need protection against forgeries to be properly secure. To ensure the
+ integrity of a message, use Blake2b in keyed mode, or authenticated
+ encryption; see
+ <a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>.
+<h2 class="Ss" title="Ss" id="Nonce_reuse"><a class="selflink" href="#Nonce_reuse">Nonce
+ reuse</a></h2>
+Repeating a nonce with the same key exposes the XOR of two or more plain text
+ messages, effectively destroying confidentiality.
+<div class="Pp"></div>
+For the same reason, <b class="Sy" title="Sy">do not select small nonces at
+ random</b>. The <b class="Fn" title="Fn">crypto_chacha20</b>() nonce spans
+ only 64 bits, which is small enough to trigger accidental reuses. A message
+ counter should be used instead. If multiple parties send out messages, Each
+ can start with an initial nonce of 0, 1 .. n-1 respectively, and increment
+ them by n for each new message. Make sure the counters never wrap around.
+<h2 class="Ss" title="Ss" id="Secure_random_number_generation"><a class="selflink" href="#Secure_random_number_generation">Secure
+ random number generation</a></h2>
+Do not use these functions as a cryptographic random number generator. Always
+ use the operating system's random number generator for cryptographic purposes,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>.
+<h2 class="Ss" title="Ss" id="Protection_against_side_channels"><a class="selflink" href="#Protection_against_side_channels">Protection
+ against side channels</a></h2>
+Secrets should not dwell in memory longer than needed. Use
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ to erase secrets you no longer need. For Chacha20, this means the key and in
+ some cases the plain text itself.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_chacha20_encrypt.html b/vendor/doc/html/crypto_chacha20_encrypt.html
new file mode 100644
index 0000000..4b1409b
--- /dev/null
+++ b/vendor/doc/html/crypto_chacha20_encrypt.html
@@ -0,0 +1,121 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_chacha20_encrypt</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_init</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_x_init</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_stream</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_set_ctr</b> &#x2014;
+ <span class="Nd" title="Nd">deprecated Chacha20 and XChacha20 encryption
+ functions</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_init</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[8]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_x_init</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_encrypt</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_stream</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *stream</var>,
+ <var class="Fa" title="Fa">size_t stream_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_set_ctr</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint64_t ctr</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions provided an incremental interface for the Chacha20 cipher. They
+ are deprecated in favor of
+ <a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20.html">crypto_xchacha20(3monocypher)</a>,
+ and
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>.
+<div class="Pp"></div>
+For encryption, you can achieve an identical effect as the deprecated functions
+ by using
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>.
+ Care needs to be taken with regards to handling the counter value when
+ migrating old code to use the new functions. The new functions
+ <i class="Em" title="Em">always return next counter value</i>. This means that
+ input ciphertexts or plaintexts whose lengths are not exactly multiples of 64
+ bytes advance the counter, even though there is theoretically some space left
+ in a Chacha20 block. New applications should design their code so that either
+ the protocl is not reliant on the counter covering the entire text (e.g. by
+ cutting input into independent chunks) or inputs are always such that their
+ lengths are multiples of 64 bytes (e.g. by buffering input until 64 bytes have
+ been obtained).
+<div class="Pp"></div>
+To obtain the raw Chacha20 stream previously provided by
+ <b class="Fn" title="Fn">crypto_chacha20_stream</b>(), pass
+ <code class="Dv" title="Dv">NULL</code> to
+ <a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20</a> as
+ plaintext.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20.html">crypto_xchacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_chacha20_encrypt</b>(),
+ <b class="Fn" title="Fn">crypto_chacha20_init</b>(), functions first appeared
+ in Monocypher 0.1. <b class="Fn" title="Fn">crypto_chacha20_stream</b>() was
+ added in Monocypher 0.2. <b class="Fn" title="Fn">crypto_chacha20_x_init</b>()
+ and <b class="Fn" title="Fn">crypto_chacha20_set_ctr</b>() were added in
+ Monocypher 1.0. They were deprecated in Monocypher 3.0.0 and will be removed
+ in Monocypher 4.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">December 2, 2019</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_chacha20_init.html b/vendor/doc/html/crypto_chacha20_init.html
new file mode 100644
index 0000000..4b1409b
--- /dev/null
+++ b/vendor/doc/html/crypto_chacha20_init.html
@@ -0,0 +1,121 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_chacha20_encrypt</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_init</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_x_init</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_stream</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_set_ctr</b> &#x2014;
+ <span class="Nd" title="Nd">deprecated Chacha20 and XChacha20 encryption
+ functions</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_init</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[8]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_x_init</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_encrypt</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_stream</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *stream</var>,
+ <var class="Fa" title="Fa">size_t stream_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_set_ctr</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint64_t ctr</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions provided an incremental interface for the Chacha20 cipher. They
+ are deprecated in favor of
+ <a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20.html">crypto_xchacha20(3monocypher)</a>,
+ and
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>.
+<div class="Pp"></div>
+For encryption, you can achieve an identical effect as the deprecated functions
+ by using
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>.
+ Care needs to be taken with regards to handling the counter value when
+ migrating old code to use the new functions. The new functions
+ <i class="Em" title="Em">always return next counter value</i>. This means that
+ input ciphertexts or plaintexts whose lengths are not exactly multiples of 64
+ bytes advance the counter, even though there is theoretically some space left
+ in a Chacha20 block. New applications should design their code so that either
+ the protocl is not reliant on the counter covering the entire text (e.g. by
+ cutting input into independent chunks) or inputs are always such that their
+ lengths are multiples of 64 bytes (e.g. by buffering input until 64 bytes have
+ been obtained).
+<div class="Pp"></div>
+To obtain the raw Chacha20 stream previously provided by
+ <b class="Fn" title="Fn">crypto_chacha20_stream</b>(), pass
+ <code class="Dv" title="Dv">NULL</code> to
+ <a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20</a> as
+ plaintext.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20.html">crypto_xchacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_chacha20_encrypt</b>(),
+ <b class="Fn" title="Fn">crypto_chacha20_init</b>(), functions first appeared
+ in Monocypher 0.1. <b class="Fn" title="Fn">crypto_chacha20_stream</b>() was
+ added in Monocypher 0.2. <b class="Fn" title="Fn">crypto_chacha20_x_init</b>()
+ and <b class="Fn" title="Fn">crypto_chacha20_set_ctr</b>() were added in
+ Monocypher 1.0. They were deprecated in Monocypher 3.0.0 and will be removed
+ in Monocypher 4.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">December 2, 2019</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_chacha20_set_ctr.html b/vendor/doc/html/crypto_chacha20_set_ctr.html
new file mode 100644
index 0000000..4b1409b
--- /dev/null
+++ b/vendor/doc/html/crypto_chacha20_set_ctr.html
@@ -0,0 +1,121 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_chacha20_encrypt</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_init</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_x_init</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_stream</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_set_ctr</b> &#x2014;
+ <span class="Nd" title="Nd">deprecated Chacha20 and XChacha20 encryption
+ functions</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_init</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[8]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_x_init</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_encrypt</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_stream</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *stream</var>,
+ <var class="Fa" title="Fa">size_t stream_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_set_ctr</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint64_t ctr</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions provided an incremental interface for the Chacha20 cipher. They
+ are deprecated in favor of
+ <a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20.html">crypto_xchacha20(3monocypher)</a>,
+ and
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>.
+<div class="Pp"></div>
+For encryption, you can achieve an identical effect as the deprecated functions
+ by using
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>.
+ Care needs to be taken with regards to handling the counter value when
+ migrating old code to use the new functions. The new functions
+ <i class="Em" title="Em">always return next counter value</i>. This means that
+ input ciphertexts or plaintexts whose lengths are not exactly multiples of 64
+ bytes advance the counter, even though there is theoretically some space left
+ in a Chacha20 block. New applications should design their code so that either
+ the protocl is not reliant on the counter covering the entire text (e.g. by
+ cutting input into independent chunks) or inputs are always such that their
+ lengths are multiples of 64 bytes (e.g. by buffering input until 64 bytes have
+ been obtained).
+<div class="Pp"></div>
+To obtain the raw Chacha20 stream previously provided by
+ <b class="Fn" title="Fn">crypto_chacha20_stream</b>(), pass
+ <code class="Dv" title="Dv">NULL</code> to
+ <a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20</a> as
+ plaintext.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20.html">crypto_xchacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_chacha20_encrypt</b>(),
+ <b class="Fn" title="Fn">crypto_chacha20_init</b>(), functions first appeared
+ in Monocypher 0.1. <b class="Fn" title="Fn">crypto_chacha20_stream</b>() was
+ added in Monocypher 0.2. <b class="Fn" title="Fn">crypto_chacha20_x_init</b>()
+ and <b class="Fn" title="Fn">crypto_chacha20_set_ctr</b>() were added in
+ Monocypher 1.0. They were deprecated in Monocypher 3.0.0 and will be removed
+ in Monocypher 4.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">December 2, 2019</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_chacha20_stream.html b/vendor/doc/html/crypto_chacha20_stream.html
new file mode 100644
index 0000000..4b1409b
--- /dev/null
+++ b/vendor/doc/html/crypto_chacha20_stream.html
@@ -0,0 +1,121 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_chacha20_encrypt</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_init</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_x_init</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_stream</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_set_ctr</b> &#x2014;
+ <span class="Nd" title="Nd">deprecated Chacha20 and XChacha20 encryption
+ functions</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_init</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[8]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_x_init</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_encrypt</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_stream</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *stream</var>,
+ <var class="Fa" title="Fa">size_t stream_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_set_ctr</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint64_t ctr</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions provided an incremental interface for the Chacha20 cipher. They
+ are deprecated in favor of
+ <a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20.html">crypto_xchacha20(3monocypher)</a>,
+ and
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>.
+<div class="Pp"></div>
+For encryption, you can achieve an identical effect as the deprecated functions
+ by using
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>.
+ Care needs to be taken with regards to handling the counter value when
+ migrating old code to use the new functions. The new functions
+ <i class="Em" title="Em">always return next counter value</i>. This means that
+ input ciphertexts or plaintexts whose lengths are not exactly multiples of 64
+ bytes advance the counter, even though there is theoretically some space left
+ in a Chacha20 block. New applications should design their code so that either
+ the protocl is not reliant on the counter covering the entire text (e.g. by
+ cutting input into independent chunks) or inputs are always such that their
+ lengths are multiples of 64 bytes (e.g. by buffering input until 64 bytes have
+ been obtained).
+<div class="Pp"></div>
+To obtain the raw Chacha20 stream previously provided by
+ <b class="Fn" title="Fn">crypto_chacha20_stream</b>(), pass
+ <code class="Dv" title="Dv">NULL</code> to
+ <a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20</a> as
+ plaintext.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20.html">crypto_xchacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_chacha20_encrypt</b>(),
+ <b class="Fn" title="Fn">crypto_chacha20_init</b>(), functions first appeared
+ in Monocypher 0.1. <b class="Fn" title="Fn">crypto_chacha20_stream</b>() was
+ added in Monocypher 0.2. <b class="Fn" title="Fn">crypto_chacha20_x_init</b>()
+ and <b class="Fn" title="Fn">crypto_chacha20_set_ctr</b>() were added in
+ Monocypher 1.0. They were deprecated in Monocypher 3.0.0 and will be removed
+ in Monocypher 4.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">December 2, 2019</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_chacha20_x_init.html b/vendor/doc/html/crypto_chacha20_x_init.html
new file mode 100644
index 0000000..4b1409b
--- /dev/null
+++ b/vendor/doc/html/crypto_chacha20_x_init.html
@@ -0,0 +1,121 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_CHACHA20_ENCRYPT(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_chacha20_encrypt</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_init</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_x_init</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_stream</b>,
+ <b class="Nm" title="Nm">crypto_chacha20_set_ctr</b> &#x2014;
+ <span class="Nd" title="Nd">deprecated Chacha20 and XChacha20 encryption
+ functions</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_init</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[8]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_x_init</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_encrypt</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_stream</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *stream</var>,
+ <var class="Fa" title="Fa">size_t stream_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_chacha20_set_ctr</b>(<var class="Fa" title="Fa">crypto_chacha_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint64_t ctr</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions provided an incremental interface for the Chacha20 cipher. They
+ are deprecated in favor of
+ <a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20.html">crypto_xchacha20(3monocypher)</a>,
+ and
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>.
+<div class="Pp"></div>
+For encryption, you can achieve an identical effect as the deprecated functions
+ by using
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>.
+ Care needs to be taken with regards to handling the counter value when
+ migrating old code to use the new functions. The new functions
+ <i class="Em" title="Em">always return next counter value</i>. This means that
+ input ciphertexts or plaintexts whose lengths are not exactly multiples of 64
+ bytes advance the counter, even though there is theoretically some space left
+ in a Chacha20 block. New applications should design their code so that either
+ the protocl is not reliant on the counter covering the entire text (e.g. by
+ cutting input into independent chunks) or inputs are always such that their
+ lengths are multiples of 64 bytes (e.g. by buffering input until 64 bytes have
+ been obtained).
+<div class="Pp"></div>
+To obtain the raw Chacha20 stream previously provided by
+ <b class="Fn" title="Fn">crypto_chacha20_stream</b>(), pass
+ <code class="Dv" title="Dv">NULL</code> to
+ <a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20</a> as
+ plaintext.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20.html">crypto_xchacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_xchacha20_ctr.html">crypto_xchacha20_ctr(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_chacha20_encrypt</b>(),
+ <b class="Fn" title="Fn">crypto_chacha20_init</b>(), functions first appeared
+ in Monocypher 0.1. <b class="Fn" title="Fn">crypto_chacha20_stream</b>() was
+ added in Monocypher 0.2. <b class="Fn" title="Fn">crypto_chacha20_x_init</b>()
+ and <b class="Fn" title="Fn">crypto_chacha20_set_ctr</b>() were added in
+ Monocypher 1.0. They were deprecated in Monocypher 3.0.0 and will be removed
+ in Monocypher 4.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">December 2, 2019</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_check.html b/vendor/doc/html/crypto_check.html
new file mode 100644
index 0000000..85b8686
--- /dev/null
+++ b/vendor/doc/html/crypto_check.html
@@ -0,0 +1,215 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_SIGN(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_SIGN(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_SIGN(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_sign</b>,
+ <b class="Nm" title="Nm">crypto_check</b>,
+ <b class="Nm" title="Nm">crypto_sign_public_key</b> &#x2014;
+ <span class="Nd" title="Nd">public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_public_key</b>(<var class="Fa" title="Fa">uint8_t
+ public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ secret_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign</b>(<var class="Fa" title="Fa">uint8_t
+ signature[64]</var>, <var class="Fa" title="Fa">const uint8_t
+ secret_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_check</b>(<var class="Fa" title="Fa">const
+ uint8_t signature[64]</var>, <var class="Fa" title="Fa">const uint8_t
+ public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+<b class="Fn" title="Fn">crypto_sign</b>() and
+ <b class="Fn" title="Fn">crypto_check</b>() provide EdDSA public key
+ signatures and verification.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">signature</var></dt>
+ <dd class="It-tag">The signature.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">secret_key</var></dt>
+ <dd class="It-tag">A 32-byte random number, known only to you. See
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> about
+ random number generation (use your operating system's random number
+ generator). Do not use the same private key for both signatures and key
+ exchanges. The public keys are different, and revealing both may leak
+ information.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">public_key</var></dt>
+ <dd class="It-tag">The public key, generated from
+ <var class="Fa" title="Fa">secret_key</var> with
+ <b class="Fn" title="Fn">crypto_sign_public_key</b>().</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message</var></dt>
+ <dd class="It-tag">Message to sign.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">message</var>, in
+ bytes.</dd>
+</dl>
+<div class="Pp"></div>
+<var class="Fa" title="Fa">signature</var> and
+ <var class="Fa" title="Fa">message</var> may overlap.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_sign_public_key</b>() computes the public key of
+ the specified secret key.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_sign</b>() signs a message with
+ <var class="Fa" title="Fa">secret_key</var>. The public key is optional, and
+ will be recomputed if not provided. This recomputation doubles the execution
+ time.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_check</b>() checks that a given signature is
+ genuine. Meaning, only someone who had the private key could have signed the
+ message. <b class="Sy" title="Sy">It does not run in constant time</b>. It
+ does not have to in most threat models, because nothing is secret: everyone
+ knows the public key, and the signature and message are rarely secret. If the
+ message needs to be secret, use
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_lock_aead.html">crypto_lock_aead(3monocypher)</a>
+ instead.
+<div class="Pp"></div>
+An incremental interface is available; see
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_sign_public_key</b>() and
+ <b class="Fn" title="Fn">crypto_sign</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_check</b>() returns 0 for legitimate messages
+ and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Generate a public key from a random secret key:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t sk[32]; /* Random secret key */
+uint8_t pk[32]; /* Matching public key */
+arc4random_buf(sk, 32);
+crypto_sign_public_key(pk, sk);
+/* Wipe the secret key if it is no longer needed */
+crypto_wipe(sk, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Sign a message:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t sk [32]; /* Secret key from above */
+const uint8_t pk [32]; /* Matching public key */
+const uint8_t message [11] = &quot;Lorem ipsu&quot;; /* Message to sign */
+uint8_t signature[64];
+crypto_sign(signature, sk, pk, message, 10);
+/* Wipe the secret key if it is no longer needed */
+crypto_wipe(sk, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Check the above:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t pk [32]; /* Their public key */
+const uint8_t message [11] = &quot;Lorem ipsu&quot;; /* Signed message */
+const uint8_t signature[64]; /* Signature to check */
+if (crypto_check(signature, pk, message, 10)) {
+ /* Message is corrupted, abort processing */
+} else {
+ /* Message is genuine */
+}
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement PureEdDSA with Curve25519 and Blake2b, as described in
+ RFC 8032. This is the same as Ed25519, with Blake2b instead of SHA-512.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_sign</b>(),
+ <b class="Fn" title="Fn">crypto_check</b>(), and
+ <b class="Fn" title="Fn">crypto_sign_public_key</b>() functions appeared in
+ Monocypher 0.2.
+<div class="Pp"></div>
+<b class="Sy" title="Sy">A critical security vulnerability</b> that caused
+ all-zero signatures to be accepted was introduced in Monocypher 0.3; it was
+ fixed in Monocypher 1.1.1 and 2.0.4.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+<h2 class="Ss" title="Ss" id="Signature_malleability"><a class="selflink" href="#Signature_malleability">Signature
+ malleability</a></h2>
+EdDSA signatures are not unique like cryptographic hashes. For any given public
+ key and message, there are many possible valid signatures. Some of them
+ require knowledge of the private key. Others only require knowledge of an
+ existing signature. Observing a valid signature only proves that someone with
+ knowledge of the private key signed the message at some point. Do not rely on
+ any other security property.
+<h2 class="Ss" title="Ss" id="Fault_injection_and_power_analysis"><a class="selflink" href="#Fault_injection_and_power_analysis">Fault
+ injection and power analysis</a></h2>
+Fault injection (also known as glitching) and power analysis may be used to
+ manipulate the resulting signature and recover the secret key in some cases.
+ This requires hardware access. If attackers are expected to have such access
+ and have the relevant equipment, you may try use the incremental interface
+ provided by
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>
+ to mitigate the side channel attacks. Note that there may still be other
+ power-related side channels (such as if the CPU leaks information when an
+ operation overflows a register) that must be considered.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_check_final.html b/vendor/doc/html/crypto_check_final.html
new file mode 100644
index 0000000..23bf438
--- /dev/null
+++ b/vendor/doc/html/crypto_check_final.html
@@ -0,0 +1,269 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_sign_init_first_pass</b>,
+ <b class="Nm" title="Nm">crypto_sign_update</b>,
+ <b class="Nm" title="Nm">crypto_sign_final</b>,
+ <b class="Nm" title="Nm">crypto_sign_init_second_pass</b>,
+ <b class="Nm" title="Nm">crypto_check_init</b>,
+ <b class="Nm" title="Nm">crypto_check_update</b>,
+ <b class="Nm" title="Nm">crypto_check_final</b> &#x2014;
+ <span class="Nd" title="Nd">incremental public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(<var class="Fa" title="Fa">crypto_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_update</b>(<var class="Fa" title="Fa">crypto_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_final</b>(<var class="Fa" title="Fa">crypto_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t signature[64]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_init_second_pass</b>(<var class="Fa" title="Fa">crypto_sign_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_check_init</b>(<var class="Fa" title="Fa">crypto_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t signature[64]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_check_update</b>(<var class="Fa" title="Fa">crypto_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_check_final</b>(<var class="Fa" title="Fa">crypto_check_ctx
+ *ctx</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions are variants of
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_check.html">crypto_check(3monocypher)</a>.
+ Prefer those simpler functions if possible.
+<div class="Pp"></div>
+The arguments are the same as those described in
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+This incremental interface can be used to sign or verify messages too large to
+ fit in a single buffer. The arguments are the same as the direct interface
+ described in
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+The direct and incremental interface produce and accept the same signatures.
+<div class="Pp"></div>
+Signing is done in two passes. This requires five steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">Initialisation of the first pass with
+ <b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(). The public key
+ is optional, and will be recomputed if not provided. This recomputation
+ doubles the execution time for short messages.</li>
+ <li class="It-bullet">The first pass proper, with
+ <b class="Fn" title="Fn">crypto_sign_update</b>().
+ <b class="Sy" title="Sy">Under no circumstances must you forget the first
+ pass</b>: Forgetting to call
+ <b class="Fn" title="Fn">crypto_sign_update</b>() will appear to work in
+ that it produces valid signatures, but also loses all security because
+ attackers may now recover the secret key.</li>
+ <li class="It-bullet">Initialisation of the second pass with
+ <b class="Fn" title="Fn">crypto_sign_init_second_pass</b>().</li>
+ <li class="It-bullet">The second pass proper, with
+ <b class="Fn" title="Fn">crypto_sign_update</b>(). The same update
+ function is used for both passes.</li>
+ <li class="It-bullet">Signature generation with
+ <b class="Fn" title="Fn">crypto_sign_final</b>(). This also wipes the
+ context.</li>
+</ul>
+<div class="Pp"></div>
+Verification requires three steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">Initialisation with
+ <b class="Fn" title="Fn">crypto_check_init</b>().</li>
+ <li class="It-bullet">Update with
+ <b class="Fn" title="Fn">crypto_check_update</b>().</li>
+ <li class="It-bullet">Signature verification with
+ <b class="Fn" title="Fn">crypto_check_final</b>().</li>
+</ul>
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_check_init</b>() and
+ <b class="Fn" title="Fn">crypto_check_update</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_check_final</b>() returns 0 for legitimate
+ messages and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+Sign a message:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t sk [ 32]; /* Secret key */
+const uint8_t pk [ 32]; /* Public key (optional) */
+const uint8_t message [500]; /* Message to sign */
+uint8_t signature[ 64]; /* Output signature */
+crypto_sign_ctx ctx;
+crypto_sign_init_first_pass((crypto_sign_ctx_abstract*)&amp;ctx, sk, pk);
+/* Wipe the secret key if no longer needed */
+crypto_wipe(sk, 32);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_sign_update((crypto_sign_ctx_abstract*)&amp;ctx, message + i, 100);
+}
+crypto_sign_init_second_pass((crypto_sign_ctx_abstract*)&amp;ctx);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_sign_update((crypto_sign_ctx_abstract*)&amp;ctx, message + i, 100);
+}
+crypto_sign_final((crypto_sign_ctx_abstract*)&amp;ctx, signature);
+</pre>
+</div>
+<div class="Pp"></div>
+Check the above:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t pk [ 32]; /* Public key */
+const uint8_t message [500]; /* Message to sign */
+const uint8_t signature[ 64]; /* Signature to check */
+crypto_check_ctx ctx;
+crypto_check_init((crypto_sign_ctx_abstract*)&amp;ctx, signature, pk);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_check_update((crypto_sign_ctx_abstract*)&amp;ctx, message + i, 100);
+}
+if (crypto_check_final((crypto_sign_ctx_abstract*)&amp;ctx)) {
+ /* Message is corrupted, abort processing */
+} else {
+ /* Message is genuine */
+}
+</pre>
+</div>
+<div class="Pp"></div>
+This interface can be used to mitigate attacks that leverage power analysis and
+ fault injection (glitching) &#x2013; both of which require physical access and
+ appropriate equipment &#x2013; by injecting additional randomness (at least 32
+ bytes) and padding (to the hash function's block size, which is 128 bytes for
+ all hash functions supported by Monocypher), of which 32 bytes are already
+ inserted into the buffer by
+ <b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(). Access to a
+ cryptographically secure pseudo-random generator is a requirement for
+ effective side channel mitigation. Signing a message with increased
+ power-related side channel mitigations:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t message [ 500]; /* Message to sign */
+uint8_t sk [ 32]; /* Secret key */
+const uint8_t pk [ 32]; /* Public key (optional) */
+uint8_t signature[ 64]; /* Output signature */
+uint8_t buf [128-32] = {0}; /* Mitigation buffer */
+crypto_sign_ctx ctx;
+crypto_sign_ctx_abstract *actx = (crypto_sign_ctx_abstract *)&amp;ctx;
+
+arc4random_buf(buf, 32);
+/* The rest of buf MUST be zeroes. */
+
+crypto_sign_init_first_pass(actx, sk, pk);
+crypto_sign_update (actx, buf, sizeof(buf));
+crypto_sign_update (actx, message, 500);
+
+crypto_sign_init_second_pass(actx);
+crypto_sign_update (actx, message, 500);
+crypto_sign_final (actx, signature);
+
+crypto_wipe(buf, 32);
+/* Wipe the secret key if no longer needed */
+crypto_wipe(sk, 32);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement PureEdDSA with Curve25519 and Blake2b, as described in
+ RFC 8032. This is the same as Ed25519, with Blake2b instead of SHA-512.
+<div class="Pp"></div>
+The example for side channel mitigation follows the methodology outlined in
+ I-D.draft-mattsson-cfrg-det-sigs-with-noise-02.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_check_init</b>(),
+ <b class="Fn" title="Fn">crypto_check_update</b>(), and
+ <b class="Fn" title="Fn">crypto_check_final</b>() functions first appeared in
+ Monocypher 1.1.0.
+<div class="Pp"></div>
+<b class="Sy" title="Sy">A critical security vulnerability</b> that caused
+ all-zero signatures to be accepted was introduced in Monocypher 0.3; it was
+ fixed in Monocypher 1.1.1 and 2.0.4.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+Messages are not verified until the call to
+ <b class="Fn" title="Fn">crypto_check_final</b>(). Messages may be stored
+ before they are verified, but they cannot be
+ <i class="Em" title="Em">trusted</i>. Processing untrusted messages increases
+ the attack surface of the system. Doing so securely is hard. Do not process
+ messages before calling <b class="Fn" title="Fn">crypto_check_final</b>().
+<div class="Pp"></div>
+When signing messages, the security considerations documented in
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>
+ also apply. In particular, if power-related side channels are part of your
+ threat model, note that there may still be other power-related side channels
+ (such as if the CPU leaks information when an operation overflows a register)
+ that must be considered.
+<h1 class="Sh" title="Sh" id="IMPLEMENTATION_DETAILS"><a class="selflink" href="#IMPLEMENTATION_DETAILS">IMPLEMENTATION
+ DETAILS</a></h1>
+EdDSA signatures require two passes that cannot be performed in parallel. There
+ are ways around this limitation, but they all lower security in some way. For
+ this reason, Monocypher does not support them.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_check_init.html b/vendor/doc/html/crypto_check_init.html
new file mode 100644
index 0000000..23bf438
--- /dev/null
+++ b/vendor/doc/html/crypto_check_init.html
@@ -0,0 +1,269 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_sign_init_first_pass</b>,
+ <b class="Nm" title="Nm">crypto_sign_update</b>,
+ <b class="Nm" title="Nm">crypto_sign_final</b>,
+ <b class="Nm" title="Nm">crypto_sign_init_second_pass</b>,
+ <b class="Nm" title="Nm">crypto_check_init</b>,
+ <b class="Nm" title="Nm">crypto_check_update</b>,
+ <b class="Nm" title="Nm">crypto_check_final</b> &#x2014;
+ <span class="Nd" title="Nd">incremental public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(<var class="Fa" title="Fa">crypto_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_update</b>(<var class="Fa" title="Fa">crypto_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_final</b>(<var class="Fa" title="Fa">crypto_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t signature[64]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_init_second_pass</b>(<var class="Fa" title="Fa">crypto_sign_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_check_init</b>(<var class="Fa" title="Fa">crypto_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t signature[64]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_check_update</b>(<var class="Fa" title="Fa">crypto_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_check_final</b>(<var class="Fa" title="Fa">crypto_check_ctx
+ *ctx</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions are variants of
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_check.html">crypto_check(3monocypher)</a>.
+ Prefer those simpler functions if possible.
+<div class="Pp"></div>
+The arguments are the same as those described in
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+This incremental interface can be used to sign or verify messages too large to
+ fit in a single buffer. The arguments are the same as the direct interface
+ described in
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+The direct and incremental interface produce and accept the same signatures.
+<div class="Pp"></div>
+Signing is done in two passes. This requires five steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">Initialisation of the first pass with
+ <b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(). The public key
+ is optional, and will be recomputed if not provided. This recomputation
+ doubles the execution time for short messages.</li>
+ <li class="It-bullet">The first pass proper, with
+ <b class="Fn" title="Fn">crypto_sign_update</b>().
+ <b class="Sy" title="Sy">Under no circumstances must you forget the first
+ pass</b>: Forgetting to call
+ <b class="Fn" title="Fn">crypto_sign_update</b>() will appear to work in
+ that it produces valid signatures, but also loses all security because
+ attackers may now recover the secret key.</li>
+ <li class="It-bullet">Initialisation of the second pass with
+ <b class="Fn" title="Fn">crypto_sign_init_second_pass</b>().</li>
+ <li class="It-bullet">The second pass proper, with
+ <b class="Fn" title="Fn">crypto_sign_update</b>(). The same update
+ function is used for both passes.</li>
+ <li class="It-bullet">Signature generation with
+ <b class="Fn" title="Fn">crypto_sign_final</b>(). This also wipes the
+ context.</li>
+</ul>
+<div class="Pp"></div>
+Verification requires three steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">Initialisation with
+ <b class="Fn" title="Fn">crypto_check_init</b>().</li>
+ <li class="It-bullet">Update with
+ <b class="Fn" title="Fn">crypto_check_update</b>().</li>
+ <li class="It-bullet">Signature verification with
+ <b class="Fn" title="Fn">crypto_check_final</b>().</li>
+</ul>
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_check_init</b>() and
+ <b class="Fn" title="Fn">crypto_check_update</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_check_final</b>() returns 0 for legitimate
+ messages and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+Sign a message:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t sk [ 32]; /* Secret key */
+const uint8_t pk [ 32]; /* Public key (optional) */
+const uint8_t message [500]; /* Message to sign */
+uint8_t signature[ 64]; /* Output signature */
+crypto_sign_ctx ctx;
+crypto_sign_init_first_pass((crypto_sign_ctx_abstract*)&amp;ctx, sk, pk);
+/* Wipe the secret key if no longer needed */
+crypto_wipe(sk, 32);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_sign_update((crypto_sign_ctx_abstract*)&amp;ctx, message + i, 100);
+}
+crypto_sign_init_second_pass((crypto_sign_ctx_abstract*)&amp;ctx);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_sign_update((crypto_sign_ctx_abstract*)&amp;ctx, message + i, 100);
+}
+crypto_sign_final((crypto_sign_ctx_abstract*)&amp;ctx, signature);
+</pre>
+</div>
+<div class="Pp"></div>
+Check the above:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t pk [ 32]; /* Public key */
+const uint8_t message [500]; /* Message to sign */
+const uint8_t signature[ 64]; /* Signature to check */
+crypto_check_ctx ctx;
+crypto_check_init((crypto_sign_ctx_abstract*)&amp;ctx, signature, pk);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_check_update((crypto_sign_ctx_abstract*)&amp;ctx, message + i, 100);
+}
+if (crypto_check_final((crypto_sign_ctx_abstract*)&amp;ctx)) {
+ /* Message is corrupted, abort processing */
+} else {
+ /* Message is genuine */
+}
+</pre>
+</div>
+<div class="Pp"></div>
+This interface can be used to mitigate attacks that leverage power analysis and
+ fault injection (glitching) &#x2013; both of which require physical access and
+ appropriate equipment &#x2013; by injecting additional randomness (at least 32
+ bytes) and padding (to the hash function's block size, which is 128 bytes for
+ all hash functions supported by Monocypher), of which 32 bytes are already
+ inserted into the buffer by
+ <b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(). Access to a
+ cryptographically secure pseudo-random generator is a requirement for
+ effective side channel mitigation. Signing a message with increased
+ power-related side channel mitigations:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t message [ 500]; /* Message to sign */
+uint8_t sk [ 32]; /* Secret key */
+const uint8_t pk [ 32]; /* Public key (optional) */
+uint8_t signature[ 64]; /* Output signature */
+uint8_t buf [128-32] = {0}; /* Mitigation buffer */
+crypto_sign_ctx ctx;
+crypto_sign_ctx_abstract *actx = (crypto_sign_ctx_abstract *)&amp;ctx;
+
+arc4random_buf(buf, 32);
+/* The rest of buf MUST be zeroes. */
+
+crypto_sign_init_first_pass(actx, sk, pk);
+crypto_sign_update (actx, buf, sizeof(buf));
+crypto_sign_update (actx, message, 500);
+
+crypto_sign_init_second_pass(actx);
+crypto_sign_update (actx, message, 500);
+crypto_sign_final (actx, signature);
+
+crypto_wipe(buf, 32);
+/* Wipe the secret key if no longer needed */
+crypto_wipe(sk, 32);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement PureEdDSA with Curve25519 and Blake2b, as described in
+ RFC 8032. This is the same as Ed25519, with Blake2b instead of SHA-512.
+<div class="Pp"></div>
+The example for side channel mitigation follows the methodology outlined in
+ I-D.draft-mattsson-cfrg-det-sigs-with-noise-02.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_check_init</b>(),
+ <b class="Fn" title="Fn">crypto_check_update</b>(), and
+ <b class="Fn" title="Fn">crypto_check_final</b>() functions first appeared in
+ Monocypher 1.1.0.
+<div class="Pp"></div>
+<b class="Sy" title="Sy">A critical security vulnerability</b> that caused
+ all-zero signatures to be accepted was introduced in Monocypher 0.3; it was
+ fixed in Monocypher 1.1.1 and 2.0.4.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+Messages are not verified until the call to
+ <b class="Fn" title="Fn">crypto_check_final</b>(). Messages may be stored
+ before they are verified, but they cannot be
+ <i class="Em" title="Em">trusted</i>. Processing untrusted messages increases
+ the attack surface of the system. Doing so securely is hard. Do not process
+ messages before calling <b class="Fn" title="Fn">crypto_check_final</b>().
+<div class="Pp"></div>
+When signing messages, the security considerations documented in
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>
+ also apply. In particular, if power-related side channels are part of your
+ threat model, note that there may still be other power-related side channels
+ (such as if the CPU leaks information when an operation overflows a register)
+ that must be considered.
+<h1 class="Sh" title="Sh" id="IMPLEMENTATION_DETAILS"><a class="selflink" href="#IMPLEMENTATION_DETAILS">IMPLEMENTATION
+ DETAILS</a></h1>
+EdDSA signatures require two passes that cannot be performed in parallel. There
+ are ways around this limitation, but they all lower security in some way. For
+ this reason, Monocypher does not support them.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_check_init_custom_hash.html b/vendor/doc/html/crypto_check_init_custom_hash.html
new file mode 100644
index 0000000..9976495
--- /dev/null
+++ b/vendor/doc/html/crypto_check_init_custom_hash.html
@@ -0,0 +1,267 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_SIGN_INIT_FIRST_PASS_CUSTOM_HASH(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_SIGN_INIT_FIRST_PASS_CUSTOM_HASH(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_SIGN_INIT_FIRST_PASS_CUSTOM_HASH(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_sign_init_first_pass_custom_hash</b>,
+ <b class="Nm" title="Nm">crypto_sign_public_key_custom_hash</b>,
+ <b class="Nm" title="Nm">crypto_check_init_custom_hash</b> &#x2014;
+ <span class="Nd" title="Nd">public key signatures with custom hash
+ functions</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_init_first_pass_custom_hash</b>(<var class="Fa" title="Fa">crypto_sign_ctx_abstract
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>,
+ <var class="Fa" title="Fa">const crypto_sign_vtable *hash</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_public_key_custom_hash</b>(<var class="Fa" title="Fa">uint8_t
+ public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ secret_key[32]</var>, <var class="Fa" title="Fa">const crypto_sign_vtable
+ *hash</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_check_init_custom_hash</b>(<var class="Fa" title="Fa">crypto_sign_ctx_abstract
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t signature[64]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>,
+ <var class="Fa" title="Fa">const crypto_sign_vtable *hash</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions are variants of the
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>
+ family of functions: They provide the ability to replace the EdDSA hash
+ function with any user-provided hash function.
+<div class="Pp"></div>
+<b class="Sy" title="Sy">This is a highly advanced feature</b>. Interoperability
+ of public key signatures with other cryptographic libraries can normally be
+ achieved by using
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign_init_first_pass.html">crypto_ed25519_sign_init_first_pass(3monocypher)</a>
+ already. This interface is exposed only for completeness and to handle special
+ situations (e.g. to use the hash function of the future winner of the NIST
+ lightweight crypto competition on a device with highly constrained resources
+ or taking advantage of hardware support for cryptographic hash functions).
+ Whenever possible, these functions should be avoided.
+<div class="Pp"></div>
+To make available a custom hash algorithm for use with these functions, a
+ <var class="Vt" title="Vt">crypto_sign_vtable</var> structure must be
+ provided. It is defined as:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 0.00ex;">
+<pre class="Li">
+typedef struct {
+ void (*hash)(uint8_t hash[64], const uint8_t *message,
+ size_t message_size);
+ void (*init )(void *ctx);
+ void (*update)(void *ctx, const uint8_t *message,
+ size_t message_size);
+ void (*final )(void *ctx, uint8_t hash[64]);
+ size_t ctx_size;
+} crypto_sign_vtable;
+</pre>
+</div>
+<div class="Pp"></div>
+The context argument to the functions shall be referred to as &#x201C;outer
+ signing context&#x201D;. The outer signing context must contain a
+ <var class="Vt" title="Vt">crypto_sign_ctx_abstract</var> as
+ <i class="Em" title="Em">its first member</i>. Other than that, the outer
+ signing context may be defined freely. Logically, it is required to contain
+ some kind of hash context as well, else it cannot work as a custom hash
+ function.
+<div class="Pp"></div>
+Because the calling code cannot know the real type of the outer signing context,
+ it is cast to <var class="Vt" title="Vt">void *</var> when calling the hash
+ functions in the vtable, but the <var class="Fa" title="Fa">ctx</var> argument
+ to the functions in the vtable is always guaranteed to be the outer signing
+ context.
+<div class="Pp"></div>
+The hash functions must not fail. If they somehow can fail, they have no way to
+ propagate its error status, and thus the only ways to handle errors are to
+ either assume an error never occurs (if reasonable), or to induce a crash in
+ the code when an error occurs.
+<div class="Pp"></div>
+The fields of <var class="Vt" title="Vt">crypto_sign_vtable</var> are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hash</var></dt>
+ <dd class="It-tag">Function that computes a 64-byte hash for a given message
+ and writes the computed hash to <var class="Fa" title="Fa">hash</var>. The
+ output length <i class="Em" title="Em">must</i> be exactly 64 bytes. This
+ will normally be constructed using the functions that provide the
+ <var class="Fa" title="Fa">init</var>,
+ <var class="Fa" title="Fa">update</var> and
+ <var class="Fa" title="Fa">final</var> members.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">init</var></dt>
+ <dd class="It-tag">Function that initialises the hash context of an outer
+ signing context.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">update</var></dt>
+ <dd class="It-tag">Function that updates the hash context of an outer signing
+ context. It must be able to handle message sizes of at least 32
+ bytes.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">final</var></dt>
+ <dd class="It-tag">Function that finalises the hash context of an outer
+ signing context and writes the computed hash to
+ <var class="Fa" title="Fa">hash</var>. The output length
+ <i class="Em" title="Em">must</i> be exactly 64 bytes. This function
+ should wipe the hash context with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ if it contains pointers to objects outside the outer signing context.
+ Monocypher takes care of wiping the outer signing context.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ctx_size</var></dt>
+ <dd class="It-tag">The size of the outer signing context as determined by
+ <b class="Fn" title="Fn">sizeof</b>().</dd>
+</dl>
+<div class="Pp"></div>
+The functions indicated in the
+ <var class="Vt" title="Vt">crypto_sign_vtable</var> must be thread-safe if any
+ of Monocypher's signing functions are accessed from multiple threads.
+<div class="Pp"></div>
+After calling
+ <b class="Fn" title="Fn">crypto_sign_init_first_pass_custom_hash</b>() or
+ <b class="Fn" title="Fn">crypto_check_init_custom_hash</b>(), the
+ <a class="Xr" title="Xr" href="crypto_sign_update.html">crypto_sign_update(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign_final.html">crypto_sign_final(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign_init_second_pass.html">crypto_sign_init_second_pass(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_check_update.html">crypto_check_update(3monocypher)</a>,
+ and
+ <a class="Xr" title="Xr" href="crypto_check_final.html">crypto_check_final(3monocypher)</a>
+ functions can be used as usual. They will call into the hash vtable as
+ required. The same security considerations and semantics apply.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+Defining and using a custom implementation of SHA-512 and crudely checking its
+ results against
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+struct outer_ctx {
+ crypto_sign_ctx_abstract sctx;
+ SHA2_CTX hash_ctx;
+};
+
+static void
+my_hash(uint8_t hash[64], const uint8_t *msg, size_t len)
+{
+ SHA2_CTX ctx;
+ SHA512Init(&amp;ctx);
+ SHA512Update(&amp;ctx, msg, len);
+ SHA512Final(hash, &amp;ctx);
+}
+
+static void
+my_init(void *ctx)
+{
+ struct outer_ctx *octx = (struct outer_ctx *)ctx;
+ SHA512Init(&amp;octx-&gt;hash_ctx);
+}
+
+static void
+my_update(void *ctx, const uint8_t *msg, size_t len)
+{
+ struct outer_ctx *octx = (struct outer_ctx *)ctx;
+ SHA512Update(&amp;octx-&gt;hash_ctx, msg, len);
+}
+
+static void
+my_final(void *ctx, uint8_t *hash)
+{
+ struct outer_ctx *octx = (struct outer_ctx *)ctx;
+ SHA512Final(hash, &amp;octx-&gt;hash_ctx);
+}
+
+static const crypto_sign_vtable my_vtable = {
+ my_hash,
+ my_init,
+ my_update,
+ my_final,
+ sizeof(struct outer_ctx)
+};
+
+int
+main(void)
+{
+ uint8_t theirs[64], mine[64];
+ uint8_t sk[32] = {0x01, 0x02, 0x03, 0x04};
+ const uint8_t msg[] = {
+ 0x00, 0x01, 0x02, 0x04
+ };
+
+ crypto_ed25519_sign(theirs, sk, NULL, msg, sizeof(msg));
+
+ struct outer_ctx ctx;
+ crypto_sign_ctx_abstract *actx = (crypto_sign_ctx_abstract*)&amp;ctx;
+ crypto_sign_init_first_pass_custom_hash(actx,
+ sk, NULL, &amp;my_vtable);
+ crypto_wipe(sk, sizeof(sk));
+ crypto_sign_update( actx, msg, sizeof(msg));
+ crypto_sign_init_second_pass(actx);
+ crypto_sign_update( actx, msg, sizeof(msg));
+ crypto_sign_final( actx, mine);
+
+ if (crypto_verify64(theirs, mine) != 0) {
+ fprintf(stderr, &quot;theirs != mine\n&quot;);
+ return 1;
+ }
+ puts(&quot;ok&quot;);
+ return 0;
+}
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_sign_init_first_pass_custom_hash</b>(),
+ <b class="Fn" title="Fn">crypto_sign_public_key_custom_hash</b>(),
+ <b class="Fn" title="Fn">crypto_check_init_first_pass_custom_hash</b>()
+ functions first appeared in Monocypher 3.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">December 28, 2019</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_check_update.html b/vendor/doc/html/crypto_check_update.html
new file mode 100644
index 0000000..23bf438
--- /dev/null
+++ b/vendor/doc/html/crypto_check_update.html
@@ -0,0 +1,269 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_sign_init_first_pass</b>,
+ <b class="Nm" title="Nm">crypto_sign_update</b>,
+ <b class="Nm" title="Nm">crypto_sign_final</b>,
+ <b class="Nm" title="Nm">crypto_sign_init_second_pass</b>,
+ <b class="Nm" title="Nm">crypto_check_init</b>,
+ <b class="Nm" title="Nm">crypto_check_update</b>,
+ <b class="Nm" title="Nm">crypto_check_final</b> &#x2014;
+ <span class="Nd" title="Nd">incremental public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(<var class="Fa" title="Fa">crypto_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_update</b>(<var class="Fa" title="Fa">crypto_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_final</b>(<var class="Fa" title="Fa">crypto_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t signature[64]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_sign_init_second_pass</b>(<var class="Fa" title="Fa">crypto_sign_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_check_init</b>(<var class="Fa" title="Fa">crypto_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t signature[64]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_check_update</b>(<var class="Fa" title="Fa">crypto_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_check_final</b>(<var class="Fa" title="Fa">crypto_check_ctx
+ *ctx</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions are variants of
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_check.html">crypto_check(3monocypher)</a>.
+ Prefer those simpler functions if possible.
+<div class="Pp"></div>
+The arguments are the same as those described in
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+This incremental interface can be used to sign or verify messages too large to
+ fit in a single buffer. The arguments are the same as the direct interface
+ described in
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+The direct and incremental interface produce and accept the same signatures.
+<div class="Pp"></div>
+Signing is done in two passes. This requires five steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">Initialisation of the first pass with
+ <b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(). The public key
+ is optional, and will be recomputed if not provided. This recomputation
+ doubles the execution time for short messages.</li>
+ <li class="It-bullet">The first pass proper, with
+ <b class="Fn" title="Fn">crypto_sign_update</b>().
+ <b class="Sy" title="Sy">Under no circumstances must you forget the first
+ pass</b>: Forgetting to call
+ <b class="Fn" title="Fn">crypto_sign_update</b>() will appear to work in
+ that it produces valid signatures, but also loses all security because
+ attackers may now recover the secret key.</li>
+ <li class="It-bullet">Initialisation of the second pass with
+ <b class="Fn" title="Fn">crypto_sign_init_second_pass</b>().</li>
+ <li class="It-bullet">The second pass proper, with
+ <b class="Fn" title="Fn">crypto_sign_update</b>(). The same update
+ function is used for both passes.</li>
+ <li class="It-bullet">Signature generation with
+ <b class="Fn" title="Fn">crypto_sign_final</b>(). This also wipes the
+ context.</li>
+</ul>
+<div class="Pp"></div>
+Verification requires three steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">Initialisation with
+ <b class="Fn" title="Fn">crypto_check_init</b>().</li>
+ <li class="It-bullet">Update with
+ <b class="Fn" title="Fn">crypto_check_update</b>().</li>
+ <li class="It-bullet">Signature verification with
+ <b class="Fn" title="Fn">crypto_check_final</b>().</li>
+</ul>
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_check_init</b>() and
+ <b class="Fn" title="Fn">crypto_check_update</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_check_final</b>() returns 0 for legitimate
+ messages and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+Sign a message:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t sk [ 32]; /* Secret key */
+const uint8_t pk [ 32]; /* Public key (optional) */
+const uint8_t message [500]; /* Message to sign */
+uint8_t signature[ 64]; /* Output signature */
+crypto_sign_ctx ctx;
+crypto_sign_init_first_pass((crypto_sign_ctx_abstract*)&amp;ctx, sk, pk);
+/* Wipe the secret key if no longer needed */
+crypto_wipe(sk, 32);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_sign_update((crypto_sign_ctx_abstract*)&amp;ctx, message + i, 100);
+}
+crypto_sign_init_second_pass((crypto_sign_ctx_abstract*)&amp;ctx);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_sign_update((crypto_sign_ctx_abstract*)&amp;ctx, message + i, 100);
+}
+crypto_sign_final((crypto_sign_ctx_abstract*)&amp;ctx, signature);
+</pre>
+</div>
+<div class="Pp"></div>
+Check the above:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t pk [ 32]; /* Public key */
+const uint8_t message [500]; /* Message to sign */
+const uint8_t signature[ 64]; /* Signature to check */
+crypto_check_ctx ctx;
+crypto_check_init((crypto_sign_ctx_abstract*)&amp;ctx, signature, pk);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_check_update((crypto_sign_ctx_abstract*)&amp;ctx, message + i, 100);
+}
+if (crypto_check_final((crypto_sign_ctx_abstract*)&amp;ctx)) {
+ /* Message is corrupted, abort processing */
+} else {
+ /* Message is genuine */
+}
+</pre>
+</div>
+<div class="Pp"></div>
+This interface can be used to mitigate attacks that leverage power analysis and
+ fault injection (glitching) &#x2013; both of which require physical access and
+ appropriate equipment &#x2013; by injecting additional randomness (at least 32
+ bytes) and padding (to the hash function's block size, which is 128 bytes for
+ all hash functions supported by Monocypher), of which 32 bytes are already
+ inserted into the buffer by
+ <b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(). Access to a
+ cryptographically secure pseudo-random generator is a requirement for
+ effective side channel mitigation. Signing a message with increased
+ power-related side channel mitigations:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t message [ 500]; /* Message to sign */
+uint8_t sk [ 32]; /* Secret key */
+const uint8_t pk [ 32]; /* Public key (optional) */
+uint8_t signature[ 64]; /* Output signature */
+uint8_t buf [128-32] = {0}; /* Mitigation buffer */
+crypto_sign_ctx ctx;
+crypto_sign_ctx_abstract *actx = (crypto_sign_ctx_abstract *)&amp;ctx;
+
+arc4random_buf(buf, 32);
+/* The rest of buf MUST be zeroes. */
+
+crypto_sign_init_first_pass(actx, sk, pk);
+crypto_sign_update (actx, buf, sizeof(buf));
+crypto_sign_update (actx, message, 500);
+
+crypto_sign_init_second_pass(actx);
+crypto_sign_update (actx, message, 500);
+crypto_sign_final (actx, signature);
+
+crypto_wipe(buf, 32);
+/* Wipe the secret key if no longer needed */
+crypto_wipe(sk, 32);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement PureEdDSA with Curve25519 and Blake2b, as described in
+ RFC 8032. This is the same as Ed25519, with Blake2b instead of SHA-512.
+<div class="Pp"></div>
+The example for side channel mitigation follows the methodology outlined in
+ I-D.draft-mattsson-cfrg-det-sigs-with-noise-02.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_check_init</b>(),
+ <b class="Fn" title="Fn">crypto_check_update</b>(), and
+ <b class="Fn" title="Fn">crypto_check_final</b>() functions first appeared in
+ Monocypher 1.1.0.
+<div class="Pp"></div>
+<b class="Sy" title="Sy">A critical security vulnerability</b> that caused
+ all-zero signatures to be accepted was introduced in Monocypher 0.3; it was
+ fixed in Monocypher 1.1.1 and 2.0.4.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+Messages are not verified until the call to
+ <b class="Fn" title="Fn">crypto_check_final</b>(). Messages may be stored
+ before they are verified, but they cannot be
+ <i class="Em" title="Em">trusted</i>. Processing untrusted messages increases
+ the attack surface of the system. Doing so securely is hard. Do not process
+ messages before calling <b class="Fn" title="Fn">crypto_check_final</b>().
+<div class="Pp"></div>
+When signing messages, the security considerations documented in
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>
+ also apply. In particular, if power-related side channels are part of your
+ threat model, note that there may still be other power-related side channels
+ (such as if the CPU leaks information when an operation overflows a register)
+ that must be considered.
+<h1 class="Sh" title="Sh" id="IMPLEMENTATION_DETAILS"><a class="selflink" href="#IMPLEMENTATION_DETAILS">IMPLEMENTATION
+ DETAILS</a></h1>
+EdDSA signatures require two passes that cannot be performed in parallel. There
+ are ways around this limitation, but they all lower security in some way. For
+ this reason, Monocypher does not support them.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_curve_to_hidden.html b/vendor/doc/html/crypto_curve_to_hidden.html
new file mode 100644
index 0000000..bdbc6cb
--- /dev/null
+++ b/vendor/doc/html/crypto_curve_to_hidden.html
@@ -0,0 +1,234 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_CURVE_TO_HIDDEN(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_CURVE_TO_HIDDEN(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_CURVE_TO_HIDDEN(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_curve_to_hidden</b>,
+ <b class="Nm" title="Nm">crypto_hidden_to_curve</b>,
+ <b class="Nm" title="Nm">crypto_hidden_key_pair</b> &#x2014;
+ <span class="Nd" title="Nd">hiding of X25519 public keys</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_curve_to_hidden</b>(<var class="Fa" title="Fa">uint8_t
+ hidden[32]</var>, <var class="Fa" title="Fa">const uint8_t curve[32]</var>,
+ <var class="Fa" title="Fa">uint8_t tweak</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hidden_to_curve</b>(<var class="Fa" title="Fa">uint8_t
+ curve[32]</var>, <var class="Fa" title="Fa">const uint8_t hidden[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hidden_key_pair</b>(<var class="Fa" title="Fa">uint8_t
+ hidden[32]</var>, <var class="Fa" title="Fa">uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">uint8_t seed[32]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions allow obfuscating X25519 public keys by making them appear
+ effectively indistinguishable from random noise. This is of interest for key
+ exchange protocols that require indistinguishability from randomness, such as
+ padded uniform random blobs (PURBs). They are intended for ephemeral
+ (short-lived, possibly just one-time) X25519 keys, not for long-term public
+ keys. After an initial key exchange involving hidden keys, subsequent key
+ exchange messages should be encrypted instead; see, for example, the Noise
+ protocol. This is an <i class="Em" title="Em">advanced feature</i> &#x2013;
+ unless you are implementing an protocol that requires indistinguishability of
+ all communications from random noise, consider
+ <a class="Xr" title="Xr" href="crypto_key_exchange_public_key.html">crypto_key_exchange_public_key(3monocypher)</a>
+ instead.
+<div class="Pp"></div>
+For understanding what these functions do, it is important to note that a
+ &#x201C;public key&#x201D; in this context refers to a
+ <i class="Em" title="Em">point on Curve25519</i>. This also means that these
+ functions are not compatible with
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>
+ and related functions.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_curve_to_hidden</b>() takes a public key
+ <var class="Fa" title="Fa">curve</var> and a
+ <var class="Fa" title="Fa">tweak</var>, hiding the public key it so that it is
+ effectively indistinguishable from random noise. Note that only
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_fast.html">crypto_x25519_dirty_fast(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>
+ can generate a suitable public key; the
+ <a class="Xr" title="Xr" href="crypto_x25519.html">crypto_x25519(3monocypher)</a>
+ function is insufficient. The <var class="Fa" title="Fa">tweak</var> must be
+ chosen at random. Even then, this operation <i class="Em" title="Em">may</i>
+ fail: Not all curve points are capable of being hidden. In this case,
+ <b class="Fn" title="Fn">crypto_curve_to_hidden</b>() must be tried again with
+ a new key pair; the <var class="Fa" title="Fa">tweak</var> does not need to be
+ changed. On average, two attempts are needed. Once a suitable public key has
+ been found, <b class="Fn" title="Fn">crypto_curve_to_hidden</b>() always
+ succeeds for it. Given the same values for
+ <var class="Fa" title="Fa">tweak</var> and
+ <var class="Fa" title="Fa">curve</var>,
+ <b class="Fn" title="Fn">crypto_curve_to_hidden</b>() yields the same output
+ value <var class="Fa" title="Fa">hidden</var>.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_hidden_to_curve</b>() performs the inverse
+ operation: It decodes a hidden point to a curve point on Curve25519.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_hidden_key_pair</b>() is a convenience function
+ that generates a secret key and its corresponding public key, which is
+ effectively indistinguishable from random noise, from a random seed.
+ <i class="Em" title="Em">The execution time of this function is
+ unpredictable</i> because it may take many failures until a key pair could be
+ generated successfully. <b class="Fn" title="Fn">crypto_hidden_key_pair</b>()
+ uses
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_fast.html">crypto_x25519_dirty_fast(3monocypher)</a>
+ internally; if code size is an important concern, its functionality can be
+ replicated with
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>
+ instead.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">curve</var></dt>
+ <dd class="It-tag">A point on the curve, which is a Curve25519 public key
+ generated with either
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_fast.html">crypto_x25519_dirty_fast(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hidden</var></dt>
+ <dd class="It-tag">The hidden encoding of a point on the curve which is
+ effectively indistinguishable from random.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">secret_key</var></dt>
+ <dd class="It-tag">The secret key that was generated from the given
+ <var class="Fa" title="Fa">seed</var>.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">seed</var></dt>
+ <dd class="It-tag">A 32-byte random number from which to derive a key pair.
+ See <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about generating random bytes (use the operating system's random
+ number generator). The <var class="Fa" title="Fa">seed</var> is wiped
+ automatically.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">tweak</var></dt>
+ <dd class="It-tag">A 1-byte random number, which influences the final output
+ of <b class="Fn" title="Fn">crypto_curve_to_hidden</b>().</dd>
+</dl>
+<div class="Pp"></div>
+The <var class="Fa" title="Fa">hidden</var> and
+ <var class="Fa" title="Fa">curve</var> arguments may overlap or point at the
+ same buffer.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_curve_to_hidden</b>() returns 0 on success, -1
+ if the given <var class="Fa" title="Fa">curve</var> argument is unsuitable for
+ hiding.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_hidden_to_curve</b>() and
+ <b class="Fn" title="Fn">crypto_hidden_key_pair</b>() return nothing; they
+ cannot fail.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+Generate a key pair manually using
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>
+ instead of its fast variant:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t sk [32]; /* Secret key output */
+uint8_t pk [32]; /* Hidden public key output */
+uint8_t tweak; /* Random tweak input */
+arc4random_buf(&amp;tweak, 1);
+for (;;) {
+ arc4random_buf(sk, 32);
+ crypto_x25519_dirty_small(pk, sk);
+ if (crypto_curve_to_hidden(pk, pk, tweak) == 0)
+ break;
+}
+/* Now save the secret key and send the hidden public key. */
+</pre>
+</div>
+<div class="Pp"></div>
+Performing a key exchange with the other party's public key having been hidden:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hidden_pk [32]; /* Their hidden public key */
+uint8_t their_pk [32]; /* Their unhidden public key */
+uint8_t your_sk [32]; /* Your secret key */
+uint8_t shared_key[32]; /* Shared session key */
+crypto_hidden_to_curve(their_pk, hidden_pk);
+crypto_key_exchange(shared_key, your_sk, their_pk);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(your_sk, 32);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_x25519.html">crypto_x25519(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement the Elligator 2 mapping for Curve25519. This mapping
+ is incompatible with both the hash-to-curve Internet draft and the
+ implementation of Elligator 2 in libsodium. Elligator 2 was described in:
+ <cite class="Rs" title="Rs"><span class="RsA">Daniel J. Bernstein</span>,
+ <span class="RsA">Mike Hamburg</span>, <span class="RsA">Anna Krasnova</span>,
+ and <span class="RsA">Tanja Lange</span>, <span class="RsT">Elligator:
+ Elliptic-curve points indistinguishable from uniform random strings</span>,
+ <i class="RsI">Association for Computing Machinery</i>, <i class="RsJ">CCS
+ '13: Proceedings of the 2013 ACM SIGSAC conference on Computer &amp;
+ communications security</i>, <span class="RsP">pp. 967&#x2013;980</span>,
+ <span class="RsD">2013</span>.</cite>
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_curve_to_hidden</b>(),
+ <b class="Fn" title="Fn">crypto_hidden_to_curve</b>(), and
+ <b class="Fn" title="Fn">crypto_hidden_key_pair</b>() functions first appeared
+ in Monocypher 3.1.0.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+The secret keys for the public keys fed into
+ <b class="Fn" title="Fn">crypto_curve_to_hidden</b>()
+ <b class="Sy" title="Sy">must be chosen randomly</b>, rather than
+ deterministically. Otherwise, the timing information given by the required
+ number of retries also leaks information on the secret keys.
+<div class="Pp"></div>
+These functions <i class="Em" title="Em">help</i> build highly
+ difficult-to-analyze protocols, but are insufficient by themselves: Other
+ metadata, such as the amount of bytes sent in a packet or the size of the
+ 32-byte random-looking string that represents the curve point itself, can be
+ very strong indicators of the use of cryptography. Consider using appropriate
+ padding algorithms, such as PADME, and obscure other metadata as much as
+ possible.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_ed25519_check.html b/vendor/doc/html/crypto_ed25519_check.html
new file mode 100644
index 0000000..a31017a
--- /dev/null
+++ b/vendor/doc/html/crypto_ed25519_check.html
@@ -0,0 +1,95 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_ED25519_SIGN(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_ED25519_SIGN(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_ED25519_SIGN(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_ed25519_sign</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_public_key</b> &#x2014;
+ <span class="Nd" title="Nd">public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_public_key</b>(<var class="Fa" title="Fa">uint8_t
+ public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ secret_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign</b>(<var class="Fa" title="Fa">uint8_t
+ signature[64]</var>, <var class="Fa" title="Fa">const uint8_t
+ secret_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check</b>(<var class="Fa" title="Fa">const
+ uint8_t signature[64]</var>, <var class="Fa" title="Fa">const uint8_t
+ public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+The <b class="Fn" title="Fn">crypto_ed25519_sign</b>() and
+ <b class="Fn" title="Fn">crypto_ed25519_check</b>() functions provide Ed25519
+ public key signatures and verification with SHA-512 as the underlying hash
+ function; they are interoperable with other Ed25519 implementations. If you
+ have no interoperability requirements, prefer
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments and security considerations are the same as those described in
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+An incremental interface is available; see
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign_init_first_pass.html">crypto_ed25519_sign_init_first_pass(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_ed25519_public_key</b>() and
+ <b class="Fn" title="Fn">crypto_ed25519_sign</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_ed25519_check</b>() returns 0 for legitimate
+ messages and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_check.html">crypto_check(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Ed25519 as described in RFC 8032.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_ed25519_sign</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check</b>(), and
+ <b class="Fn" title="Fn">crypto_ed25519_public_key</b>() functions appeared in
+ Monocypher 3.0.0. They replace recompilation of Monocypher with the
+ <code class="Dv" title="Dv">ED25519_SHA512</code> preprocessor
+ definition.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">May 24, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_ed25519_check_final.html b/vendor/doc/html/crypto_ed25519_check_final.html
new file mode 100644
index 0000000..ed0a2a6
--- /dev/null
+++ b/vendor/doc/html/crypto_ed25519_check_final.html
@@ -0,0 +1,133 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_ed25519_sign_init_first_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_final</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_init_second_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_init</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_final</b> &#x2014;
+ <span class="Nd" title="Nd">incremental public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t signature[64]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_init</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t signature[64]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_update</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions are variants of
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_ed25519_check.html">crypto_ed25519_check(3monocypher)</a>.
+ Prefer those simpler functions if possible.
+<div class="Pp"></div>
+These functions provide Ed25519 public key signatures and verification with
+ SHA-512 as the underlying hash function; they are interoperable with other
+ Ed25519 implementations. If you have no interoperability requirements, prefer
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments, security considerations and semantics are the same as those
+ described in
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>() and
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>() returns 0 for
+ legitimate messages and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Ed25519 as described in RFC 8032.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>(), and
+ <b class="Fn" title="Fn">crypto_ed25519_check_final</b>() functions first
+ appeared in Monocypher 3.0.0. They replace recompilation of Monocypher with
+ the <code class="Dv" title="Dv">ED25519_SHA512</code> preprocessor
+ definition.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">May 24, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_ed25519_check_init.html b/vendor/doc/html/crypto_ed25519_check_init.html
new file mode 100644
index 0000000..ed0a2a6
--- /dev/null
+++ b/vendor/doc/html/crypto_ed25519_check_init.html
@@ -0,0 +1,133 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_ed25519_sign_init_first_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_final</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_init_second_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_init</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_final</b> &#x2014;
+ <span class="Nd" title="Nd">incremental public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t signature[64]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_init</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t signature[64]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_update</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions are variants of
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_ed25519_check.html">crypto_ed25519_check(3monocypher)</a>.
+ Prefer those simpler functions if possible.
+<div class="Pp"></div>
+These functions provide Ed25519 public key signatures and verification with
+ SHA-512 as the underlying hash function; they are interoperable with other
+ Ed25519 implementations. If you have no interoperability requirements, prefer
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments, security considerations and semantics are the same as those
+ described in
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>() and
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>() returns 0 for
+ legitimate messages and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Ed25519 as described in RFC 8032.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>(), and
+ <b class="Fn" title="Fn">crypto_ed25519_check_final</b>() functions first
+ appeared in Monocypher 3.0.0. They replace recompilation of Monocypher with
+ the <code class="Dv" title="Dv">ED25519_SHA512</code> preprocessor
+ definition.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">May 24, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_ed25519_check_update.html b/vendor/doc/html/crypto_ed25519_check_update.html
new file mode 100644
index 0000000..ed0a2a6
--- /dev/null
+++ b/vendor/doc/html/crypto_ed25519_check_update.html
@@ -0,0 +1,133 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_ed25519_sign_init_first_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_final</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_init_second_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_init</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_final</b> &#x2014;
+ <span class="Nd" title="Nd">incremental public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t signature[64]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_init</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t signature[64]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_update</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions are variants of
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_ed25519_check.html">crypto_ed25519_check(3monocypher)</a>.
+ Prefer those simpler functions if possible.
+<div class="Pp"></div>
+These functions provide Ed25519 public key signatures and verification with
+ SHA-512 as the underlying hash function; they are interoperable with other
+ Ed25519 implementations. If you have no interoperability requirements, prefer
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments, security considerations and semantics are the same as those
+ described in
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>() and
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>() returns 0 for
+ legitimate messages and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Ed25519 as described in RFC 8032.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>(), and
+ <b class="Fn" title="Fn">crypto_ed25519_check_final</b>() functions first
+ appeared in Monocypher 3.0.0. They replace recompilation of Monocypher with
+ the <code class="Dv" title="Dv">ED25519_SHA512</code> preprocessor
+ definition.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">May 24, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_ed25519_public_key.html b/vendor/doc/html/crypto_ed25519_public_key.html
new file mode 100644
index 0000000..a31017a
--- /dev/null
+++ b/vendor/doc/html/crypto_ed25519_public_key.html
@@ -0,0 +1,95 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_ED25519_SIGN(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_ED25519_SIGN(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_ED25519_SIGN(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_ed25519_sign</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_public_key</b> &#x2014;
+ <span class="Nd" title="Nd">public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_public_key</b>(<var class="Fa" title="Fa">uint8_t
+ public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ secret_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign</b>(<var class="Fa" title="Fa">uint8_t
+ signature[64]</var>, <var class="Fa" title="Fa">const uint8_t
+ secret_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check</b>(<var class="Fa" title="Fa">const
+ uint8_t signature[64]</var>, <var class="Fa" title="Fa">const uint8_t
+ public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+The <b class="Fn" title="Fn">crypto_ed25519_sign</b>() and
+ <b class="Fn" title="Fn">crypto_ed25519_check</b>() functions provide Ed25519
+ public key signatures and verification with SHA-512 as the underlying hash
+ function; they are interoperable with other Ed25519 implementations. If you
+ have no interoperability requirements, prefer
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments and security considerations are the same as those described in
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+An incremental interface is available; see
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign_init_first_pass.html">crypto_ed25519_sign_init_first_pass(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_ed25519_public_key</b>() and
+ <b class="Fn" title="Fn">crypto_ed25519_sign</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_ed25519_check</b>() returns 0 for legitimate
+ messages and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_check.html">crypto_check(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Ed25519 as described in RFC 8032.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_ed25519_sign</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check</b>(), and
+ <b class="Fn" title="Fn">crypto_ed25519_public_key</b>() functions appeared in
+ Monocypher 3.0.0. They replace recompilation of Monocypher with the
+ <code class="Dv" title="Dv">ED25519_SHA512</code> preprocessor
+ definition.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">May 24, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_ed25519_sign.html b/vendor/doc/html/crypto_ed25519_sign.html
new file mode 100644
index 0000000..a31017a
--- /dev/null
+++ b/vendor/doc/html/crypto_ed25519_sign.html
@@ -0,0 +1,95 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_ED25519_SIGN(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_ED25519_SIGN(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_ED25519_SIGN(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_ed25519_sign</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_public_key</b> &#x2014;
+ <span class="Nd" title="Nd">public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_public_key</b>(<var class="Fa" title="Fa">uint8_t
+ public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ secret_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign</b>(<var class="Fa" title="Fa">uint8_t
+ signature[64]</var>, <var class="Fa" title="Fa">const uint8_t
+ secret_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check</b>(<var class="Fa" title="Fa">const
+ uint8_t signature[64]</var>, <var class="Fa" title="Fa">const uint8_t
+ public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+The <b class="Fn" title="Fn">crypto_ed25519_sign</b>() and
+ <b class="Fn" title="Fn">crypto_ed25519_check</b>() functions provide Ed25519
+ public key signatures and verification with SHA-512 as the underlying hash
+ function; they are interoperable with other Ed25519 implementations. If you
+ have no interoperability requirements, prefer
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments and security considerations are the same as those described in
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+An incremental interface is available; see
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign_init_first_pass.html">crypto_ed25519_sign_init_first_pass(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_ed25519_public_key</b>() and
+ <b class="Fn" title="Fn">crypto_ed25519_sign</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_ed25519_check</b>() returns 0 for legitimate
+ messages and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_check.html">crypto_check(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Ed25519 as described in RFC 8032.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_ed25519_sign</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check</b>(), and
+ <b class="Fn" title="Fn">crypto_ed25519_public_key</b>() functions appeared in
+ Monocypher 3.0.0. They replace recompilation of Monocypher with the
+ <code class="Dv" title="Dv">ED25519_SHA512</code> preprocessor
+ definition.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">May 24, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_ed25519_sign_final.html b/vendor/doc/html/crypto_ed25519_sign_final.html
new file mode 100644
index 0000000..ed0a2a6
--- /dev/null
+++ b/vendor/doc/html/crypto_ed25519_sign_final.html
@@ -0,0 +1,133 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_ed25519_sign_init_first_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_final</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_init_second_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_init</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_final</b> &#x2014;
+ <span class="Nd" title="Nd">incremental public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t signature[64]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_init</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t signature[64]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_update</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions are variants of
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_ed25519_check.html">crypto_ed25519_check(3monocypher)</a>.
+ Prefer those simpler functions if possible.
+<div class="Pp"></div>
+These functions provide Ed25519 public key signatures and verification with
+ SHA-512 as the underlying hash function; they are interoperable with other
+ Ed25519 implementations. If you have no interoperability requirements, prefer
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments, security considerations and semantics are the same as those
+ described in
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>() and
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>() returns 0 for
+ legitimate messages and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Ed25519 as described in RFC 8032.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>(), and
+ <b class="Fn" title="Fn">crypto_ed25519_check_final</b>() functions first
+ appeared in Monocypher 3.0.0. They replace recompilation of Monocypher with
+ the <code class="Dv" title="Dv">ED25519_SHA512</code> preprocessor
+ definition.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">May 24, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_ed25519_sign_init_first_pass.html b/vendor/doc/html/crypto_ed25519_sign_init_first_pass.html
new file mode 100644
index 0000000..ed0a2a6
--- /dev/null
+++ b/vendor/doc/html/crypto_ed25519_sign_init_first_pass.html
@@ -0,0 +1,133 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_ed25519_sign_init_first_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_final</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_init_second_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_init</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_final</b> &#x2014;
+ <span class="Nd" title="Nd">incremental public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t signature[64]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_init</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t signature[64]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_update</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions are variants of
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_ed25519_check.html">crypto_ed25519_check(3monocypher)</a>.
+ Prefer those simpler functions if possible.
+<div class="Pp"></div>
+These functions provide Ed25519 public key signatures and verification with
+ SHA-512 as the underlying hash function; they are interoperable with other
+ Ed25519 implementations. If you have no interoperability requirements, prefer
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments, security considerations and semantics are the same as those
+ described in
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>() and
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>() returns 0 for
+ legitimate messages and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Ed25519 as described in RFC 8032.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>(), and
+ <b class="Fn" title="Fn">crypto_ed25519_check_final</b>() functions first
+ appeared in Monocypher 3.0.0. They replace recompilation of Monocypher with
+ the <code class="Dv" title="Dv">ED25519_SHA512</code> preprocessor
+ definition.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">May 24, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_ed25519_sign_init_second_pass.html b/vendor/doc/html/crypto_ed25519_sign_init_second_pass.html
new file mode 100644
index 0000000..ed0a2a6
--- /dev/null
+++ b/vendor/doc/html/crypto_ed25519_sign_init_second_pass.html
@@ -0,0 +1,133 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_ed25519_sign_init_first_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_final</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_init_second_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_init</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_final</b> &#x2014;
+ <span class="Nd" title="Nd">incremental public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t signature[64]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_init</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t signature[64]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_update</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions are variants of
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_ed25519_check.html">crypto_ed25519_check(3monocypher)</a>.
+ Prefer those simpler functions if possible.
+<div class="Pp"></div>
+These functions provide Ed25519 public key signatures and verification with
+ SHA-512 as the underlying hash function; they are interoperable with other
+ Ed25519 implementations. If you have no interoperability requirements, prefer
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments, security considerations and semantics are the same as those
+ described in
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>() and
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>() returns 0 for
+ legitimate messages and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Ed25519 as described in RFC 8032.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>(), and
+ <b class="Fn" title="Fn">crypto_ed25519_check_final</b>() functions first
+ appeared in Monocypher 3.0.0. They replace recompilation of Monocypher with
+ the <code class="Dv" title="Dv">ED25519_SHA512</code> preprocessor
+ definition.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">May 24, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_ed25519_sign_update.html b/vendor/doc/html/crypto_ed25519_sign_update.html
new file mode 100644
index 0000000..ed0a2a6
--- /dev/null
+++ b/vendor/doc/html/crypto_ed25519_sign_update.html
@@ -0,0 +1,133 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_ED25519_SIGN_INIT_FIRST_PASS(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_ed25519_sign_init_first_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_final</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_sign_init_second_pass</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_init</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_update</b>,
+ <b class="Nm" title="Nm">crypto_ed25519_check_final</b> &#x2014;
+ <span class="Nd" title="Nd">incremental public key signatures</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t signature[64]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(<var class="Fa" title="Fa">crypto_ed25519_sign_ctx
+ *ctx</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_init</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t signature[64]</var>,
+ <var class="Fa" title="Fa">const uint8_t public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_update</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>(<var class="Fa" title="Fa">crypto_ed25519_check_ctx
+ *ctx</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions are variants of
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_ed25519_check.html">crypto_ed25519_check(3monocypher)</a>.
+ Prefer those simpler functions if possible.
+<div class="Pp"></div>
+These functions provide Ed25519 public key signatures and verification with
+ SHA-512 as the underlying hash function; they are interoperable with other
+ Ed25519 implementations. If you have no interoperability requirements, prefer
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments, security considerations and semantics are the same as those
+ described in
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>() and
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_ed25519_check_final</b>() returns 0 for
+ legitimate messages and -1 for forgeries.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_ed25519_sign.html">crypto_ed25519_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Ed25519 as described in RFC 8032.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_ed25519_sign_init_first_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_update</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_final</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_sign_init_second_pass</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_init</b>(),
+ <b class="Fn" title="Fn">crypto_ed25519_check_update</b>(), and
+ <b class="Fn" title="Fn">crypto_ed25519_check_final</b>() functions first
+ appeared in Monocypher 3.0.0. They replace recompilation of Monocypher with
+ the <code class="Dv" title="Dv">ED25519_SHA512</code> preprocessor
+ definition.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">May 24, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_from_ed25519_private.html b/vendor/doc/html/crypto_from_ed25519_private.html
new file mode 100644
index 0000000..ca08f10
--- /dev/null
+++ b/vendor/doc/html/crypto_from_ed25519_private.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_FROM_ED25519_PRIVATE(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_FROM_ED25519_PRIVATE(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_FROM_ED25519_PRIVATE(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_from_ed25519_private</b>,
+ <b class="Nm" title="Nm">crypto_from_ed25519_public</b> &#x2014;
+ <span class="Nd" title="Nd">conversion of key pairs for EdDSA with BLAKE2b to
+ X25519 key pairs</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_from_ed25519_private</b>(<var class="Fa" title="Fa">uint8_t
+ x25519[32]</var>, <var class="Fa" title="Fa">const uint8_t eddsa[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_from_ed25519_public</b>(<var class="Fa" title="Fa">uint8_t
+ x25519[32]</var>, <var class="Fa" title="Fa">const uint8_t eddsa[32]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions work like
+ <a class="Xr" title="Xr" href="crypto_from_eddsa_private.html">crypto_from_eddsa_private(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_from_eddsa_public.html">crypto_from_eddsa_public(3monocypher)</a>,
+ except that they operate on Ed25519 key pairs rather than key pairs for EdDSA
+ with BLAKE2b. Please see the documentation for those functions for details.
+<h1 class="Sh" title="Sh" id="IMPLEMENTATION_DETAILS"><a class="selflink" href="#IMPLEMENTATION_DETAILS">IMPLEMENTATION
+ DETAILS</a></h1>
+<b class="Fn" title="Fn">crypto_from_ed25519_public</b>() is actually
+ implemented as a macro that aliases to
+ <a class="Xr" title="Xr" href="crypto_from_eddsa_public.html">crypto_from_eddsa_public(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_from_ed25519_private</b>() and
+ <b class="Fn" title="Fn">crypto_from_ed25519_public</b>() functions first
+ appeared in Monocypher 3.1.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">May 24, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_from_ed25519_public.html b/vendor/doc/html/crypto_from_ed25519_public.html
new file mode 100644
index 0000000..ca08f10
--- /dev/null
+++ b/vendor/doc/html/crypto_from_ed25519_public.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_FROM_ED25519_PRIVATE(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_FROM_ED25519_PRIVATE(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_FROM_ED25519_PRIVATE(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_from_ed25519_private</b>,
+ <b class="Nm" title="Nm">crypto_from_ed25519_public</b> &#x2014;
+ <span class="Nd" title="Nd">conversion of key pairs for EdDSA with BLAKE2b to
+ X25519 key pairs</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_from_ed25519_private</b>(<var class="Fa" title="Fa">uint8_t
+ x25519[32]</var>, <var class="Fa" title="Fa">const uint8_t eddsa[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_from_ed25519_public</b>(<var class="Fa" title="Fa">uint8_t
+ x25519[32]</var>, <var class="Fa" title="Fa">const uint8_t eddsa[32]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions work like
+ <a class="Xr" title="Xr" href="crypto_from_eddsa_private.html">crypto_from_eddsa_private(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_from_eddsa_public.html">crypto_from_eddsa_public(3monocypher)</a>,
+ except that they operate on Ed25519 key pairs rather than key pairs for EdDSA
+ with BLAKE2b. Please see the documentation for those functions for details.
+<h1 class="Sh" title="Sh" id="IMPLEMENTATION_DETAILS"><a class="selflink" href="#IMPLEMENTATION_DETAILS">IMPLEMENTATION
+ DETAILS</a></h1>
+<b class="Fn" title="Fn">crypto_from_ed25519_public</b>() is actually
+ implemented as a macro that aliases to
+ <a class="Xr" title="Xr" href="crypto_from_eddsa_public.html">crypto_from_eddsa_public(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_from_ed25519_private</b>() and
+ <b class="Fn" title="Fn">crypto_from_ed25519_public</b>() functions first
+ appeared in Monocypher 3.1.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">May 24, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_from_eddsa_private.html b/vendor/doc/html/crypto_from_eddsa_private.html
new file mode 100644
index 0000000..4b55a99
--- /dev/null
+++ b/vendor/doc/html/crypto_from_eddsa_private.html
@@ -0,0 +1,106 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_FROM_EDDSA_PRIVATE(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_FROM_EDDSA_PRIVATE(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_FROM_EDDSA_PRIVATE(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_from_eddsa_private</b>,
+ <b class="Nm" title="Nm">crypto_from_eddsa_public</b> &#x2014;
+ <span class="Nd" title="Nd">conversion of key pairs for EdDSA with BLAKE2b to
+ X25519 key pairs</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_from_eddsa_private</b>(<var class="Fa" title="Fa">uint8_t
+ x25519[32]</var>, <var class="Fa" title="Fa">const uint8_t eddsa[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_from_eddsa_public</b>(<var class="Fa" title="Fa">uint8_t
+ x25519[32]</var>, <var class="Fa" title="Fa">const uint8_t eddsa[32]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions convert keys for use with
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>
+ (EdDSA with the BLAKE2b hash function) to keys for use with
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_x25519.html">crypto_x25519(3monocypher)</a>.
+ This may be useful in some resource-constrained contexts or when no other key
+ is available (for example, when retrieving SSH public keys from GitHub and
+ reusing the SSH public keys as X25519 public keys).
+<div class="Pp"></div>
+The <b class="Fn" title="Fn">crypto_from_eddsa_private</b>() function converts
+ an EdDSA (with BLAKE2b) private key to an X25519 private key. The
+ <b class="Fn" title="Fn">crypto_from_eddsa_public</b>() function converts an
+ EdDSA public key to an X25519 public key.
+<div class="Pp"></div>
+X25519 key pairs cannot be converted back to EdDSA key pairs. The conversion of
+ private keys is specific to EdDSA with BLAKE2b because of the way EdDSA works.
+ In particular, this means that the output of
+ <b class="Fn" title="Fn">crypto_from_eddsa_private</b>() differs from
+ <a class="Xr" title="Xr" href="crypto_from_ed25519_private.html">crypto_from_ed25519_private(3monocypher)</a>
+ in the optional code. However, the output of
+ <b class="Fn" title="Fn">crypto_from_eddsa_public</b>() is identical to
+ <a class="Xr" title="Xr" href="crypto_from_ed25519_public.html">crypto_from_ed25519_public(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">eddsa</var></dt>
+ <dd class="It-tag">The signing public key or private key to convert to a
+ X25519 public key or private key, respectively.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">x25519</var></dt>
+ <dd class="It-tag">The converted private key or public key.</dd>
+</dl>
+<div class="Pp"></div>
+The arguments may overlap or point at the same buffer.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing. They cannot fail.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange_public_key.html">crypto_key_exchange_public_key(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign_public_key.html">crypto_sign_public_key(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_from_eddsa_private</b>() and
+ <b class="Fn" title="Fn">crypto_from_eddsa_public</b>() functions first
+ appeared in Monocypher 3.1.0.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+It is generally considered poor form to reuse the same key for different
+ purposes. While this conversion is technically safe, avoid these functions
+ nonetheless unless you are particularly resource-constrained or have some
+ other kind of hard requirement. It is otherwise an unnecessary risk
+ factor.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 25, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_from_eddsa_public.html b/vendor/doc/html/crypto_from_eddsa_public.html
new file mode 100644
index 0000000..4b55a99
--- /dev/null
+++ b/vendor/doc/html/crypto_from_eddsa_public.html
@@ -0,0 +1,106 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_FROM_EDDSA_PRIVATE(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_FROM_EDDSA_PRIVATE(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_FROM_EDDSA_PRIVATE(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_from_eddsa_private</b>,
+ <b class="Nm" title="Nm">crypto_from_eddsa_public</b> &#x2014;
+ <span class="Nd" title="Nd">conversion of key pairs for EdDSA with BLAKE2b to
+ X25519 key pairs</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_from_eddsa_private</b>(<var class="Fa" title="Fa">uint8_t
+ x25519[32]</var>, <var class="Fa" title="Fa">const uint8_t eddsa[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_from_eddsa_public</b>(<var class="Fa" title="Fa">uint8_t
+ x25519[32]</var>, <var class="Fa" title="Fa">const uint8_t eddsa[32]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions convert keys for use with
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>
+ (EdDSA with the BLAKE2b hash function) to keys for use with
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_x25519.html">crypto_x25519(3monocypher)</a>.
+ This may be useful in some resource-constrained contexts or when no other key
+ is available (for example, when retrieving SSH public keys from GitHub and
+ reusing the SSH public keys as X25519 public keys).
+<div class="Pp"></div>
+The <b class="Fn" title="Fn">crypto_from_eddsa_private</b>() function converts
+ an EdDSA (with BLAKE2b) private key to an X25519 private key. The
+ <b class="Fn" title="Fn">crypto_from_eddsa_public</b>() function converts an
+ EdDSA public key to an X25519 public key.
+<div class="Pp"></div>
+X25519 key pairs cannot be converted back to EdDSA key pairs. The conversion of
+ private keys is specific to EdDSA with BLAKE2b because of the way EdDSA works.
+ In particular, this means that the output of
+ <b class="Fn" title="Fn">crypto_from_eddsa_private</b>() differs from
+ <a class="Xr" title="Xr" href="crypto_from_ed25519_private.html">crypto_from_ed25519_private(3monocypher)</a>
+ in the optional code. However, the output of
+ <b class="Fn" title="Fn">crypto_from_eddsa_public</b>() is identical to
+ <a class="Xr" title="Xr" href="crypto_from_ed25519_public.html">crypto_from_ed25519_public(3monocypher)</a>.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">eddsa</var></dt>
+ <dd class="It-tag">The signing public key or private key to convert to a
+ X25519 public key or private key, respectively.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">x25519</var></dt>
+ <dd class="It-tag">The converted private key or public key.</dd>
+</dl>
+<div class="Pp"></div>
+The arguments may overlap or point at the same buffer.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing. They cannot fail.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange_public_key.html">crypto_key_exchange_public_key(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sign_public_key.html">crypto_sign_public_key(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_from_eddsa_private</b>() and
+ <b class="Fn" title="Fn">crypto_from_eddsa_public</b>() functions first
+ appeared in Monocypher 3.1.0.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+It is generally considered poor form to reuse the same key for different
+ purposes. While this conversion is technically safe, avoid these functions
+ nonetheless unless you are particularly resource-constrained or have some
+ other kind of hard requirement. It is otherwise an unnecessary risk
+ factor.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 25, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_hchacha20.html b/vendor/doc/html/crypto_hchacha20.html
new file mode 100644
index 0000000..04177b6
--- /dev/null
+++ b/vendor/doc/html/crypto_hchacha20.html
@@ -0,0 +1,110 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_HCHACHA20(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_HCHACHA20(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_HCHACHA20(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_hchacha20</b> &#x2014;
+ <span class="Nd" title="Nd">HChacha20 special-purpose hashing</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hchacha20</b>(<var class="Fa" title="Fa">uint8_t
+ out[32]</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t in[16]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+<b class="Fn" title="Fn">crypto_hchacha20</b>() provides a not-so-cryptographic
+ hash. It may be used for some specific purposes, such as X25519 key
+ derivation, or XChacha20 initialisation. If in doubt, do not use directly. Use
+ <a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>
+ instead.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">A sufficiently random key, such as the output of
+ <a class="Xr" title="Xr" href="crypto_x25519.html">crypto_x25519(3monocypher)</a>.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">in</var></dt>
+ <dd class="It-tag">The space reserved for the Chacha20 nonce and counter. It
+ does not have to be random.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">out</var></dt>
+ <dd class="It-tag">A cryptographically secure random number
+ <i class="Em" title="Em">if</i> there is enough entropy in
+ <var class="Fa" title="Fa">key</var>. X25519 shared secrets have enough
+ entropy.</dd>
+</dl>
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+This function returns nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following example assumes the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Simple hash:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key[32]; /* Must have enough entropy */
+uint8_t in [16]; /* Does not have to be random */
+uint8_t out[32]; /* Will be random iff the above holds */
+arc4random_buf(key, 32);
+crypto_hchacha20(out, key, in);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+crypto_wipe(in , 16);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_chacha20_encrypt.html">crypto_chacha20_encrypt(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+This function implements HChacha20. HChacha20 derives from Chacha20 the same way
+ HSalsa20 derives from Salsa20.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_hchacha20</b>() function first appeared in
+ Monocypher 0.1 as <b class="Fn" title="Fn">crypto_chacha20_H</b>(). It was
+ renamed to <b class="Fn" title="Fn">crypto_hchacha20</b>() in Monocypher
+ 3.0.0.
+<h1 class="Sh" title="Sh" id="CAVEATS"><a class="selflink" href="#CAVEATS">CAVEATS</a></h1>
+<b class="Sy" title="Sy">This is not a general-purpose cryptographic hash
+ function</b>.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 2, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_hidden_key_pair.html b/vendor/doc/html/crypto_hidden_key_pair.html
new file mode 100644
index 0000000..bdbc6cb
--- /dev/null
+++ b/vendor/doc/html/crypto_hidden_key_pair.html
@@ -0,0 +1,234 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_CURVE_TO_HIDDEN(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_CURVE_TO_HIDDEN(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_CURVE_TO_HIDDEN(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_curve_to_hidden</b>,
+ <b class="Nm" title="Nm">crypto_hidden_to_curve</b>,
+ <b class="Nm" title="Nm">crypto_hidden_key_pair</b> &#x2014;
+ <span class="Nd" title="Nd">hiding of X25519 public keys</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_curve_to_hidden</b>(<var class="Fa" title="Fa">uint8_t
+ hidden[32]</var>, <var class="Fa" title="Fa">const uint8_t curve[32]</var>,
+ <var class="Fa" title="Fa">uint8_t tweak</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hidden_to_curve</b>(<var class="Fa" title="Fa">uint8_t
+ curve[32]</var>, <var class="Fa" title="Fa">const uint8_t hidden[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hidden_key_pair</b>(<var class="Fa" title="Fa">uint8_t
+ hidden[32]</var>, <var class="Fa" title="Fa">uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">uint8_t seed[32]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions allow obfuscating X25519 public keys by making them appear
+ effectively indistinguishable from random noise. This is of interest for key
+ exchange protocols that require indistinguishability from randomness, such as
+ padded uniform random blobs (PURBs). They are intended for ephemeral
+ (short-lived, possibly just one-time) X25519 keys, not for long-term public
+ keys. After an initial key exchange involving hidden keys, subsequent key
+ exchange messages should be encrypted instead; see, for example, the Noise
+ protocol. This is an <i class="Em" title="Em">advanced feature</i> &#x2013;
+ unless you are implementing an protocol that requires indistinguishability of
+ all communications from random noise, consider
+ <a class="Xr" title="Xr" href="crypto_key_exchange_public_key.html">crypto_key_exchange_public_key(3monocypher)</a>
+ instead.
+<div class="Pp"></div>
+For understanding what these functions do, it is important to note that a
+ &#x201C;public key&#x201D; in this context refers to a
+ <i class="Em" title="Em">point on Curve25519</i>. This also means that these
+ functions are not compatible with
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>
+ and related functions.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_curve_to_hidden</b>() takes a public key
+ <var class="Fa" title="Fa">curve</var> and a
+ <var class="Fa" title="Fa">tweak</var>, hiding the public key it so that it is
+ effectively indistinguishable from random noise. Note that only
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_fast.html">crypto_x25519_dirty_fast(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>
+ can generate a suitable public key; the
+ <a class="Xr" title="Xr" href="crypto_x25519.html">crypto_x25519(3monocypher)</a>
+ function is insufficient. The <var class="Fa" title="Fa">tweak</var> must be
+ chosen at random. Even then, this operation <i class="Em" title="Em">may</i>
+ fail: Not all curve points are capable of being hidden. In this case,
+ <b class="Fn" title="Fn">crypto_curve_to_hidden</b>() must be tried again with
+ a new key pair; the <var class="Fa" title="Fa">tweak</var> does not need to be
+ changed. On average, two attempts are needed. Once a suitable public key has
+ been found, <b class="Fn" title="Fn">crypto_curve_to_hidden</b>() always
+ succeeds for it. Given the same values for
+ <var class="Fa" title="Fa">tweak</var> and
+ <var class="Fa" title="Fa">curve</var>,
+ <b class="Fn" title="Fn">crypto_curve_to_hidden</b>() yields the same output
+ value <var class="Fa" title="Fa">hidden</var>.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_hidden_to_curve</b>() performs the inverse
+ operation: It decodes a hidden point to a curve point on Curve25519.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_hidden_key_pair</b>() is a convenience function
+ that generates a secret key and its corresponding public key, which is
+ effectively indistinguishable from random noise, from a random seed.
+ <i class="Em" title="Em">The execution time of this function is
+ unpredictable</i> because it may take many failures until a key pair could be
+ generated successfully. <b class="Fn" title="Fn">crypto_hidden_key_pair</b>()
+ uses
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_fast.html">crypto_x25519_dirty_fast(3monocypher)</a>
+ internally; if code size is an important concern, its functionality can be
+ replicated with
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>
+ instead.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">curve</var></dt>
+ <dd class="It-tag">A point on the curve, which is a Curve25519 public key
+ generated with either
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_fast.html">crypto_x25519_dirty_fast(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hidden</var></dt>
+ <dd class="It-tag">The hidden encoding of a point on the curve which is
+ effectively indistinguishable from random.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">secret_key</var></dt>
+ <dd class="It-tag">The secret key that was generated from the given
+ <var class="Fa" title="Fa">seed</var>.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">seed</var></dt>
+ <dd class="It-tag">A 32-byte random number from which to derive a key pair.
+ See <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about generating random bytes (use the operating system's random
+ number generator). The <var class="Fa" title="Fa">seed</var> is wiped
+ automatically.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">tweak</var></dt>
+ <dd class="It-tag">A 1-byte random number, which influences the final output
+ of <b class="Fn" title="Fn">crypto_curve_to_hidden</b>().</dd>
+</dl>
+<div class="Pp"></div>
+The <var class="Fa" title="Fa">hidden</var> and
+ <var class="Fa" title="Fa">curve</var> arguments may overlap or point at the
+ same buffer.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_curve_to_hidden</b>() returns 0 on success, -1
+ if the given <var class="Fa" title="Fa">curve</var> argument is unsuitable for
+ hiding.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_hidden_to_curve</b>() and
+ <b class="Fn" title="Fn">crypto_hidden_key_pair</b>() return nothing; they
+ cannot fail.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+Generate a key pair manually using
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>
+ instead of its fast variant:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t sk [32]; /* Secret key output */
+uint8_t pk [32]; /* Hidden public key output */
+uint8_t tweak; /* Random tweak input */
+arc4random_buf(&amp;tweak, 1);
+for (;;) {
+ arc4random_buf(sk, 32);
+ crypto_x25519_dirty_small(pk, sk);
+ if (crypto_curve_to_hidden(pk, pk, tweak) == 0)
+ break;
+}
+/* Now save the secret key and send the hidden public key. */
+</pre>
+</div>
+<div class="Pp"></div>
+Performing a key exchange with the other party's public key having been hidden:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hidden_pk [32]; /* Their hidden public key */
+uint8_t their_pk [32]; /* Their unhidden public key */
+uint8_t your_sk [32]; /* Your secret key */
+uint8_t shared_key[32]; /* Shared session key */
+crypto_hidden_to_curve(their_pk, hidden_pk);
+crypto_key_exchange(shared_key, your_sk, their_pk);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(your_sk, 32);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_x25519.html">crypto_x25519(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement the Elligator 2 mapping for Curve25519. This mapping
+ is incompatible with both the hash-to-curve Internet draft and the
+ implementation of Elligator 2 in libsodium. Elligator 2 was described in:
+ <cite class="Rs" title="Rs"><span class="RsA">Daniel J. Bernstein</span>,
+ <span class="RsA">Mike Hamburg</span>, <span class="RsA">Anna Krasnova</span>,
+ and <span class="RsA">Tanja Lange</span>, <span class="RsT">Elligator:
+ Elliptic-curve points indistinguishable from uniform random strings</span>,
+ <i class="RsI">Association for Computing Machinery</i>, <i class="RsJ">CCS
+ '13: Proceedings of the 2013 ACM SIGSAC conference on Computer &amp;
+ communications security</i>, <span class="RsP">pp. 967&#x2013;980</span>,
+ <span class="RsD">2013</span>.</cite>
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_curve_to_hidden</b>(),
+ <b class="Fn" title="Fn">crypto_hidden_to_curve</b>(), and
+ <b class="Fn" title="Fn">crypto_hidden_key_pair</b>() functions first appeared
+ in Monocypher 3.1.0.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+The secret keys for the public keys fed into
+ <b class="Fn" title="Fn">crypto_curve_to_hidden</b>()
+ <b class="Sy" title="Sy">must be chosen randomly</b>, rather than
+ deterministically. Otherwise, the timing information given by the required
+ number of retries also leaks information on the secret keys.
+<div class="Pp"></div>
+These functions <i class="Em" title="Em">help</i> build highly
+ difficult-to-analyze protocols, but are insufficient by themselves: Other
+ metadata, such as the amount of bytes sent in a packet or the size of the
+ 32-byte random-looking string that represents the curve point itself, can be
+ very strong indicators of the use of cryptography. Consider using appropriate
+ padding algorithms, such as PADME, and obscure other metadata as much as
+ possible.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_hidden_to_curve.html b/vendor/doc/html/crypto_hidden_to_curve.html
new file mode 100644
index 0000000..bdbc6cb
--- /dev/null
+++ b/vendor/doc/html/crypto_hidden_to_curve.html
@@ -0,0 +1,234 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_CURVE_TO_HIDDEN(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_CURVE_TO_HIDDEN(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_CURVE_TO_HIDDEN(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_curve_to_hidden</b>,
+ <b class="Nm" title="Nm">crypto_hidden_to_curve</b>,
+ <b class="Nm" title="Nm">crypto_hidden_key_pair</b> &#x2014;
+ <span class="Nd" title="Nd">hiding of X25519 public keys</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_curve_to_hidden</b>(<var class="Fa" title="Fa">uint8_t
+ hidden[32]</var>, <var class="Fa" title="Fa">const uint8_t curve[32]</var>,
+ <var class="Fa" title="Fa">uint8_t tweak</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hidden_to_curve</b>(<var class="Fa" title="Fa">uint8_t
+ curve[32]</var>, <var class="Fa" title="Fa">const uint8_t hidden[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hidden_key_pair</b>(<var class="Fa" title="Fa">uint8_t
+ hidden[32]</var>, <var class="Fa" title="Fa">uint8_t secret_key[32]</var>,
+ <var class="Fa" title="Fa">uint8_t seed[32]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions allow obfuscating X25519 public keys by making them appear
+ effectively indistinguishable from random noise. This is of interest for key
+ exchange protocols that require indistinguishability from randomness, such as
+ padded uniform random blobs (PURBs). They are intended for ephemeral
+ (short-lived, possibly just one-time) X25519 keys, not for long-term public
+ keys. After an initial key exchange involving hidden keys, subsequent key
+ exchange messages should be encrypted instead; see, for example, the Noise
+ protocol. This is an <i class="Em" title="Em">advanced feature</i> &#x2013;
+ unless you are implementing an protocol that requires indistinguishability of
+ all communications from random noise, consider
+ <a class="Xr" title="Xr" href="crypto_key_exchange_public_key.html">crypto_key_exchange_public_key(3monocypher)</a>
+ instead.
+<div class="Pp"></div>
+For understanding what these functions do, it is important to note that a
+ &#x201C;public key&#x201D; in this context refers to a
+ <i class="Em" title="Em">point on Curve25519</i>. This also means that these
+ functions are not compatible with
+ <a class="Xr" title="Xr" href="crypto_sign.html">crypto_sign(3monocypher)</a>
+ and related functions.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_curve_to_hidden</b>() takes a public key
+ <var class="Fa" title="Fa">curve</var> and a
+ <var class="Fa" title="Fa">tweak</var>, hiding the public key it so that it is
+ effectively indistinguishable from random noise. Note that only
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_fast.html">crypto_x25519_dirty_fast(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>
+ can generate a suitable public key; the
+ <a class="Xr" title="Xr" href="crypto_x25519.html">crypto_x25519(3monocypher)</a>
+ function is insufficient. The <var class="Fa" title="Fa">tweak</var> must be
+ chosen at random. Even then, this operation <i class="Em" title="Em">may</i>
+ fail: Not all curve points are capable of being hidden. In this case,
+ <b class="Fn" title="Fn">crypto_curve_to_hidden</b>() must be tried again with
+ a new key pair; the <var class="Fa" title="Fa">tweak</var> does not need to be
+ changed. On average, two attempts are needed. Once a suitable public key has
+ been found, <b class="Fn" title="Fn">crypto_curve_to_hidden</b>() always
+ succeeds for it. Given the same values for
+ <var class="Fa" title="Fa">tweak</var> and
+ <var class="Fa" title="Fa">curve</var>,
+ <b class="Fn" title="Fn">crypto_curve_to_hidden</b>() yields the same output
+ value <var class="Fa" title="Fa">hidden</var>.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_hidden_to_curve</b>() performs the inverse
+ operation: It decodes a hidden point to a curve point on Curve25519.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_hidden_key_pair</b>() is a convenience function
+ that generates a secret key and its corresponding public key, which is
+ effectively indistinguishable from random noise, from a random seed.
+ <i class="Em" title="Em">The execution time of this function is
+ unpredictable</i> because it may take many failures until a key pair could be
+ generated successfully. <b class="Fn" title="Fn">crypto_hidden_key_pair</b>()
+ uses
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_fast.html">crypto_x25519_dirty_fast(3monocypher)</a>
+ internally; if code size is an important concern, its functionality can be
+ replicated with
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>
+ instead.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">curve</var></dt>
+ <dd class="It-tag">A point on the curve, which is a Curve25519 public key
+ generated with either
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_fast.html">crypto_x25519_dirty_fast(3monocypher)</a>
+ or
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hidden</var></dt>
+ <dd class="It-tag">The hidden encoding of a point on the curve which is
+ effectively indistinguishable from random.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">secret_key</var></dt>
+ <dd class="It-tag">The secret key that was generated from the given
+ <var class="Fa" title="Fa">seed</var>.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">seed</var></dt>
+ <dd class="It-tag">A 32-byte random number from which to derive a key pair.
+ See <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about generating random bytes (use the operating system's random
+ number generator). The <var class="Fa" title="Fa">seed</var> is wiped
+ automatically.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">tweak</var></dt>
+ <dd class="It-tag">A 1-byte random number, which influences the final output
+ of <b class="Fn" title="Fn">crypto_curve_to_hidden</b>().</dd>
+</dl>
+<div class="Pp"></div>
+The <var class="Fa" title="Fa">hidden</var> and
+ <var class="Fa" title="Fa">curve</var> arguments may overlap or point at the
+ same buffer.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_curve_to_hidden</b>() returns 0 on success, -1
+ if the given <var class="Fa" title="Fa">curve</var> argument is unsuitable for
+ hiding.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_hidden_to_curve</b>() and
+ <b class="Fn" title="Fn">crypto_hidden_key_pair</b>() return nothing; they
+ cannot fail.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+Generate a key pair manually using
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>
+ instead of its fast variant:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t sk [32]; /* Secret key output */
+uint8_t pk [32]; /* Hidden public key output */
+uint8_t tweak; /* Random tweak input */
+arc4random_buf(&amp;tweak, 1);
+for (;;) {
+ arc4random_buf(sk, 32);
+ crypto_x25519_dirty_small(pk, sk);
+ if (crypto_curve_to_hidden(pk, pk, tweak) == 0)
+ break;
+}
+/* Now save the secret key and send the hidden public key. */
+</pre>
+</div>
+<div class="Pp"></div>
+Performing a key exchange with the other party's public key having been hidden:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hidden_pk [32]; /* Their hidden public key */
+uint8_t their_pk [32]; /* Their unhidden public key */
+uint8_t your_sk [32]; /* Your secret key */
+uint8_t shared_key[32]; /* Shared session key */
+crypto_hidden_to_curve(their_pk, hidden_pk);
+crypto_key_exchange(shared_key, your_sk, their_pk);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(your_sk, 32);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_x25519.html">crypto_x25519(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_x25519_dirty_small.html">crypto_x25519_dirty_small(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement the Elligator 2 mapping for Curve25519. This mapping
+ is incompatible with both the hash-to-curve Internet draft and the
+ implementation of Elligator 2 in libsodium. Elligator 2 was described in:
+ <cite class="Rs" title="Rs"><span class="RsA">Daniel J. Bernstein</span>,
+ <span class="RsA">Mike Hamburg</span>, <span class="RsA">Anna Krasnova</span>,
+ and <span class="RsA">Tanja Lange</span>, <span class="RsT">Elligator:
+ Elliptic-curve points indistinguishable from uniform random strings</span>,
+ <i class="RsI">Association for Computing Machinery</i>, <i class="RsJ">CCS
+ '13: Proceedings of the 2013 ACM SIGSAC conference on Computer &amp;
+ communications security</i>, <span class="RsP">pp. 967&#x2013;980</span>,
+ <span class="RsD">2013</span>.</cite>
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_curve_to_hidden</b>(),
+ <b class="Fn" title="Fn">crypto_hidden_to_curve</b>(), and
+ <b class="Fn" title="Fn">crypto_hidden_key_pair</b>() functions first appeared
+ in Monocypher 3.1.0.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+The secret keys for the public keys fed into
+ <b class="Fn" title="Fn">crypto_curve_to_hidden</b>()
+ <b class="Sy" title="Sy">must be chosen randomly</b>, rather than
+ deterministically. Otherwise, the timing information given by the required
+ number of retries also leaks information on the secret keys.
+<div class="Pp"></div>
+These functions <i class="Em" title="Em">help</i> build highly
+ difficult-to-analyze protocols, but are insufficient by themselves: Other
+ metadata, such as the amount of bytes sent in a packet or the size of the
+ 32-byte random-looking string that represents the curve point itself, can be
+ very strong indicators of the use of cryptography. Consider using appropriate
+ padding algorithms, such as PADME, and obscure other metadata as much as
+ possible.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_hmac_sha512.html b/vendor/doc/html/crypto_hmac_sha512.html
new file mode 100644
index 0000000..3d92390
--- /dev/null
+++ b/vendor/doc/html/crypto_hmac_sha512.html
@@ -0,0 +1,196 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_HMAC_SHA512(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_HMAC_SHA512(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_HMAC_SHA512(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_hmac_sha512</b>,
+ <b class="Nm" title="Nm">crypto_hmac_sha512_init</b>,
+ <b class="Nm" title="Nm">crypto_hmac_sha512_update</b>,
+ <b class="Nm" title="Nm">crypto_hmac_sha512_final</b> &#x2014;
+ <span class="Nd" title="Nd">cryptographic hash-based message authentication
+ code with SHA-512</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512</b>(<var class="Fa" title="Fa">uint8_t
+ hmac[64]</var>, <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(<var class="Fa" title="Fa">crypto_hmac_sha512_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(<var class="Fa" title="Fa">crypto_hmac_sha512_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512_final</b>(<var class="Fa" title="Fa">crypto_hmac_sha512_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t hmac[64]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+HMAC with SHA-512 is a cryptographically secure message authentication code
+ (MAC), provided to enable compatibility with other cryptographic systems. It
+ is generally recommended to use
+ <a class="Xr" title="Xr" href="crypto_blake2b_general.html">crypto_blake2b_general(3monocypher)</a>
+ instead, as it performs faster on x86_64 CPUs.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hmac</var></dt>
+ <dd class="It-tag">The output MAC, which is always 64 bytes long.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">Some secret key. One cannot predict the final hash without
+ it. Users may want to wipe the key with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ once they are done with it.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">key</var>, in bytes.
+ 32 is a good default. Keys longer than 128 bytes will be reduced to 64
+ bytes by hashing the key with SHA-512.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message</var></dt>
+ <dd class="It-tag">The message to compute the HMAC for. May overlap with
+ <var class="Fa" title="Fa">hmac</var>. May be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">message_size</var> is 0.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">message</var>, in
+ bytes.</dd>
+</dl>
+<div class="Pp"></div>
+An incremental interface is provided. It is useful for handling streams of data
+ or large files without using too much memory. This interface uses three steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">initialisation with
+ <b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(), which sets up a
+ context with the hashing parameters;</li>
+ <li class="It-bullet">update with
+ <b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(), which hashes the
+ message chunk by chunk, and keep the intermediary result in the
+ context;</li>
+ <li class="It-bullet">and finalisation with
+ <b class="Fn" title="Fn">crypto_hmac_sha512_final</b>(), which produces
+ the final hash. The
+ <var class="Ft" title="Ft">crypto_hmac_sha512_ctx</var> is automatically
+ wiped upon finalisation.</li>
+</ul>
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_hmac_sha512</b>() is a convenience function that
+ performs <b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(),
+ <b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(), and
+ <b class="Fn" title="Fn">crypto_hmac_sha512_final</b>().
+<div class="Pp"></div>
+MACs may be truncated safely down to at most 16 bytes; the
+ <a class="Xr" title="Xr" href="crypto_verify64.html">crypto_verify64(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify32.html">crypto_verify32(3monocypher)</a>,
+ and
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>
+ functions can be used to to compare (possibly truncated) MACs.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Computing a message authentication code all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (between 1 and 64 bytes) */
+uint8_t key [32]; /* Key (at least 1 byte) */
+uint8_t message[10] = &quot;Lorem ipsu&quot;; /* Message to authenticate */
+arc4random_buf(key, 32);
+crypto_hmac_sha512(hash, key, 32, message, 500);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(message, 500);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code incrementally:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (between 1 and 64 bytes) */
+uint8_t key [32]; /* Key (at least 1 byte) */
+uint8_t message[500] = {1}; /* Message to authenticate */
+crypto_hmac_sha512_ctx ctx;
+arc4random_buf(key, 32);
+crypto_hmac_sha512_init(&amp;ctx, key, 32);
+/* Wipe the key */
+crypto_wipe(key, 32);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_hmac_sha512_update(&amp;ctx, message + i, 100);
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(message + i, 100);
+}
+crypto_hmac_sha512_final(&amp;ctx, hash);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_poly1305.html">crypto_poly1305(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement HMAC with SHA-512. HMAC and SHA-512 itself are
+ described in RFC 6234; SHA-512 is also described in the Federal Information
+ Processing Standard (FIPS) 180-4; HMAC is also described in FIPS 198-1.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_hmac_sha512</b>(),
+ <b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(),
+ <b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(), and
+ <b class="Fn" title="Fn">crypto_hmac_sha512_final</b>() functions first
+ appeared in Monocypher 3.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 2, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_hmac_sha512_final.html b/vendor/doc/html/crypto_hmac_sha512_final.html
new file mode 100644
index 0000000..3d92390
--- /dev/null
+++ b/vendor/doc/html/crypto_hmac_sha512_final.html
@@ -0,0 +1,196 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_HMAC_SHA512(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_HMAC_SHA512(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_HMAC_SHA512(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_hmac_sha512</b>,
+ <b class="Nm" title="Nm">crypto_hmac_sha512_init</b>,
+ <b class="Nm" title="Nm">crypto_hmac_sha512_update</b>,
+ <b class="Nm" title="Nm">crypto_hmac_sha512_final</b> &#x2014;
+ <span class="Nd" title="Nd">cryptographic hash-based message authentication
+ code with SHA-512</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512</b>(<var class="Fa" title="Fa">uint8_t
+ hmac[64]</var>, <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(<var class="Fa" title="Fa">crypto_hmac_sha512_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(<var class="Fa" title="Fa">crypto_hmac_sha512_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512_final</b>(<var class="Fa" title="Fa">crypto_hmac_sha512_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t hmac[64]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+HMAC with SHA-512 is a cryptographically secure message authentication code
+ (MAC), provided to enable compatibility with other cryptographic systems. It
+ is generally recommended to use
+ <a class="Xr" title="Xr" href="crypto_blake2b_general.html">crypto_blake2b_general(3monocypher)</a>
+ instead, as it performs faster on x86_64 CPUs.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hmac</var></dt>
+ <dd class="It-tag">The output MAC, which is always 64 bytes long.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">Some secret key. One cannot predict the final hash without
+ it. Users may want to wipe the key with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ once they are done with it.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">key</var>, in bytes.
+ 32 is a good default. Keys longer than 128 bytes will be reduced to 64
+ bytes by hashing the key with SHA-512.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message</var></dt>
+ <dd class="It-tag">The message to compute the HMAC for. May overlap with
+ <var class="Fa" title="Fa">hmac</var>. May be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">message_size</var> is 0.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">message</var>, in
+ bytes.</dd>
+</dl>
+<div class="Pp"></div>
+An incremental interface is provided. It is useful for handling streams of data
+ or large files without using too much memory. This interface uses three steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">initialisation with
+ <b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(), which sets up a
+ context with the hashing parameters;</li>
+ <li class="It-bullet">update with
+ <b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(), which hashes the
+ message chunk by chunk, and keep the intermediary result in the
+ context;</li>
+ <li class="It-bullet">and finalisation with
+ <b class="Fn" title="Fn">crypto_hmac_sha512_final</b>(), which produces
+ the final hash. The
+ <var class="Ft" title="Ft">crypto_hmac_sha512_ctx</var> is automatically
+ wiped upon finalisation.</li>
+</ul>
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_hmac_sha512</b>() is a convenience function that
+ performs <b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(),
+ <b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(), and
+ <b class="Fn" title="Fn">crypto_hmac_sha512_final</b>().
+<div class="Pp"></div>
+MACs may be truncated safely down to at most 16 bytes; the
+ <a class="Xr" title="Xr" href="crypto_verify64.html">crypto_verify64(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify32.html">crypto_verify32(3monocypher)</a>,
+ and
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>
+ functions can be used to to compare (possibly truncated) MACs.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Computing a message authentication code all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (between 1 and 64 bytes) */
+uint8_t key [32]; /* Key (at least 1 byte) */
+uint8_t message[10] = &quot;Lorem ipsu&quot;; /* Message to authenticate */
+arc4random_buf(key, 32);
+crypto_hmac_sha512(hash, key, 32, message, 500);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(message, 500);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code incrementally:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (between 1 and 64 bytes) */
+uint8_t key [32]; /* Key (at least 1 byte) */
+uint8_t message[500] = {1}; /* Message to authenticate */
+crypto_hmac_sha512_ctx ctx;
+arc4random_buf(key, 32);
+crypto_hmac_sha512_init(&amp;ctx, key, 32);
+/* Wipe the key */
+crypto_wipe(key, 32);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_hmac_sha512_update(&amp;ctx, message + i, 100);
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(message + i, 100);
+}
+crypto_hmac_sha512_final(&amp;ctx, hash);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_poly1305.html">crypto_poly1305(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement HMAC with SHA-512. HMAC and SHA-512 itself are
+ described in RFC 6234; SHA-512 is also described in the Federal Information
+ Processing Standard (FIPS) 180-4; HMAC is also described in FIPS 198-1.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_hmac_sha512</b>(),
+ <b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(),
+ <b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(), and
+ <b class="Fn" title="Fn">crypto_hmac_sha512_final</b>() functions first
+ appeared in Monocypher 3.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 2, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_hmac_sha512_init.html b/vendor/doc/html/crypto_hmac_sha512_init.html
new file mode 100644
index 0000000..3d92390
--- /dev/null
+++ b/vendor/doc/html/crypto_hmac_sha512_init.html
@@ -0,0 +1,196 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_HMAC_SHA512(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_HMAC_SHA512(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_HMAC_SHA512(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_hmac_sha512</b>,
+ <b class="Nm" title="Nm">crypto_hmac_sha512_init</b>,
+ <b class="Nm" title="Nm">crypto_hmac_sha512_update</b>,
+ <b class="Nm" title="Nm">crypto_hmac_sha512_final</b> &#x2014;
+ <span class="Nd" title="Nd">cryptographic hash-based message authentication
+ code with SHA-512</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512</b>(<var class="Fa" title="Fa">uint8_t
+ hmac[64]</var>, <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(<var class="Fa" title="Fa">crypto_hmac_sha512_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(<var class="Fa" title="Fa">crypto_hmac_sha512_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512_final</b>(<var class="Fa" title="Fa">crypto_hmac_sha512_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t hmac[64]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+HMAC with SHA-512 is a cryptographically secure message authentication code
+ (MAC), provided to enable compatibility with other cryptographic systems. It
+ is generally recommended to use
+ <a class="Xr" title="Xr" href="crypto_blake2b_general.html">crypto_blake2b_general(3monocypher)</a>
+ instead, as it performs faster on x86_64 CPUs.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hmac</var></dt>
+ <dd class="It-tag">The output MAC, which is always 64 bytes long.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">Some secret key. One cannot predict the final hash without
+ it. Users may want to wipe the key with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ once they are done with it.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">key</var>, in bytes.
+ 32 is a good default. Keys longer than 128 bytes will be reduced to 64
+ bytes by hashing the key with SHA-512.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message</var></dt>
+ <dd class="It-tag">The message to compute the HMAC for. May overlap with
+ <var class="Fa" title="Fa">hmac</var>. May be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">message_size</var> is 0.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">message</var>, in
+ bytes.</dd>
+</dl>
+<div class="Pp"></div>
+An incremental interface is provided. It is useful for handling streams of data
+ or large files without using too much memory. This interface uses three steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">initialisation with
+ <b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(), which sets up a
+ context with the hashing parameters;</li>
+ <li class="It-bullet">update with
+ <b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(), which hashes the
+ message chunk by chunk, and keep the intermediary result in the
+ context;</li>
+ <li class="It-bullet">and finalisation with
+ <b class="Fn" title="Fn">crypto_hmac_sha512_final</b>(), which produces
+ the final hash. The
+ <var class="Ft" title="Ft">crypto_hmac_sha512_ctx</var> is automatically
+ wiped upon finalisation.</li>
+</ul>
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_hmac_sha512</b>() is a convenience function that
+ performs <b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(),
+ <b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(), and
+ <b class="Fn" title="Fn">crypto_hmac_sha512_final</b>().
+<div class="Pp"></div>
+MACs may be truncated safely down to at most 16 bytes; the
+ <a class="Xr" title="Xr" href="crypto_verify64.html">crypto_verify64(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify32.html">crypto_verify32(3monocypher)</a>,
+ and
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>
+ functions can be used to to compare (possibly truncated) MACs.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Computing a message authentication code all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (between 1 and 64 bytes) */
+uint8_t key [32]; /* Key (at least 1 byte) */
+uint8_t message[10] = &quot;Lorem ipsu&quot;; /* Message to authenticate */
+arc4random_buf(key, 32);
+crypto_hmac_sha512(hash, key, 32, message, 500);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(message, 500);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code incrementally:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (between 1 and 64 bytes) */
+uint8_t key [32]; /* Key (at least 1 byte) */
+uint8_t message[500] = {1}; /* Message to authenticate */
+crypto_hmac_sha512_ctx ctx;
+arc4random_buf(key, 32);
+crypto_hmac_sha512_init(&amp;ctx, key, 32);
+/* Wipe the key */
+crypto_wipe(key, 32);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_hmac_sha512_update(&amp;ctx, message + i, 100);
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(message + i, 100);
+}
+crypto_hmac_sha512_final(&amp;ctx, hash);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_poly1305.html">crypto_poly1305(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement HMAC with SHA-512. HMAC and SHA-512 itself are
+ described in RFC 6234; SHA-512 is also described in the Federal Information
+ Processing Standard (FIPS) 180-4; HMAC is also described in FIPS 198-1.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_hmac_sha512</b>(),
+ <b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(),
+ <b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(), and
+ <b class="Fn" title="Fn">crypto_hmac_sha512_final</b>() functions first
+ appeared in Monocypher 3.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 2, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_hmac_sha512_update.html b/vendor/doc/html/crypto_hmac_sha512_update.html
new file mode 100644
index 0000000..3d92390
--- /dev/null
+++ b/vendor/doc/html/crypto_hmac_sha512_update.html
@@ -0,0 +1,196 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_HMAC_SHA512(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_HMAC_SHA512(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_HMAC_SHA512(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_hmac_sha512</b>,
+ <b class="Nm" title="Nm">crypto_hmac_sha512_init</b>,
+ <b class="Nm" title="Nm">crypto_hmac_sha512_update</b>,
+ <b class="Nm" title="Nm">crypto_hmac_sha512_final</b> &#x2014;
+ <span class="Nd" title="Nd">cryptographic hash-based message authentication
+ code with SHA-512</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher-ed25519.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512</b>(<var class="Fa" title="Fa">uint8_t
+ hmac[64]</var>, <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(<var class="Fa" title="Fa">crypto_hmac_sha512_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *key</var>,
+ <var class="Fa" title="Fa">size_t key_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(<var class="Fa" title="Fa">crypto_hmac_sha512_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
+ <var class="Fa" title="Fa">size_t message_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_hmac_sha512_final</b>(<var class="Fa" title="Fa">crypto_hmac_sha512_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t hmac[64]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+HMAC with SHA-512 is a cryptographically secure message authentication code
+ (MAC), provided to enable compatibility with other cryptographic systems. It
+ is generally recommended to use
+ <a class="Xr" title="Xr" href="crypto_blake2b_general.html">crypto_blake2b_general(3monocypher)</a>
+ instead, as it performs faster on x86_64 CPUs.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">hmac</var></dt>
+ <dd class="It-tag">The output MAC, which is always 64 bytes long.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">Some secret key. One cannot predict the final hash without
+ it. Users may want to wipe the key with
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>
+ once they are done with it.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">key</var>, in bytes.
+ 32 is a good default. Keys longer than 128 bytes will be reduced to 64
+ bytes by hashing the key with SHA-512.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message</var></dt>
+ <dd class="It-tag">The message to compute the HMAC for. May overlap with
+ <var class="Fa" title="Fa">hmac</var>. May be
+ <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">message_size</var> is 0.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">message_size</var></dt>
+ <dd class="It-tag">Length of <var class="Fa" title="Fa">message</var>, in
+ bytes.</dd>
+</dl>
+<div class="Pp"></div>
+An incremental interface is provided. It is useful for handling streams of data
+ or large files without using too much memory. This interface uses three steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">initialisation with
+ <b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(), which sets up a
+ context with the hashing parameters;</li>
+ <li class="It-bullet">update with
+ <b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(), which hashes the
+ message chunk by chunk, and keep the intermediary result in the
+ context;</li>
+ <li class="It-bullet">and finalisation with
+ <b class="Fn" title="Fn">crypto_hmac_sha512_final</b>(), which produces
+ the final hash. The
+ <var class="Ft" title="Ft">crypto_hmac_sha512_ctx</var> is automatically
+ wiped upon finalisation.</li>
+</ul>
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_hmac_sha512</b>() is a convenience function that
+ performs <b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(),
+ <b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(), and
+ <b class="Fn" title="Fn">crypto_hmac_sha512_final</b>().
+<div class="Pp"></div>
+MACs may be truncated safely down to at most 16 bytes; the
+ <a class="Xr" title="Xr" href="crypto_verify64.html">crypto_verify64(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_verify32.html">crypto_verify32(3monocypher)</a>,
+ and
+ <a class="Xr" title="Xr" href="crypto_verify16.html">crypto_verify16(3monocypher)</a>
+ functions can be used to to compare (possibly truncated) MACs.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+These functions return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Computing a message authentication code all at once:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (between 1 and 64 bytes) */
+uint8_t key [32]; /* Key (at least 1 byte) */
+uint8_t message[10] = &quot;Lorem ipsu&quot;; /* Message to authenticate */
+arc4random_buf(key, 32);
+crypto_hmac_sha512(hash, key, 32, message, 500);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(message, 500);
+crypto_wipe(key, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Computing a message authentication code incrementally:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t hash [64]; /* Output hash (between 1 and 64 bytes) */
+uint8_t key [32]; /* Key (at least 1 byte) */
+uint8_t message[500] = {1}; /* Message to authenticate */
+crypto_hmac_sha512_ctx ctx;
+arc4random_buf(key, 32);
+crypto_hmac_sha512_init(&amp;ctx, key, 32);
+/* Wipe the key */
+crypto_wipe(key, 32);
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_hmac_sha512_update(&amp;ctx, message + i, 100);
+ /* Wipe secrets if they are no longer needed */
+ crypto_wipe(message + i, 100);
+}
+crypto_hmac_sha512_final(&amp;ctx, hash);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_poly1305.html">crypto_poly1305(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_sha512.html">crypto_sha512(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement HMAC with SHA-512. HMAC and SHA-512 itself are
+ described in RFC 6234; SHA-512 is also described in the Federal Information
+ Processing Standard (FIPS) 180-4; HMAC is also described in FIPS 198-1.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_hmac_sha512</b>(),
+ <b class="Fn" title="Fn">crypto_hmac_sha512_init</b>(),
+ <b class="Fn" title="Fn">crypto_hmac_sha512_update</b>(), and
+ <b class="Fn" title="Fn">crypto_hmac_sha512_final</b>() functions first
+ appeared in Monocypher 3.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 2, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_ietf_chacha20.html b/vendor/doc/html/crypto_ietf_chacha20.html
new file mode 100644
index 0000000..0dfd1c9
--- /dev/null
+++ b/vendor/doc/html/crypto_ietf_chacha20.html
@@ -0,0 +1,96 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_IETF_CHACHA20(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_IETF_CHACHA20(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_IETF_CHACHA20(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_ietf_chacha20</b>,
+ <b class="Nm" title="Nm">crypto_ietf_chacha20_ctr</b> &#x2014;
+ <span class="Nd" title="Nd">IETF Chacha20 encryption functions</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ietf_chacha20</b>(<var class="Fa" title="Fa">uint8_t
+ *cipher_text</var>, <var class="Fa" title="Fa">const uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">size_t text_size</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[12]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ietf_chacha20_ctr</b>(<var class="Fa" title="Fa">uint8_t
+ *cipher_text</var>, <var class="Fa" title="Fa">const uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">size_t text_size</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[12]</var>,
+ <var class="Fa" title="Fa">const uint32_t ctr</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions provide an interface for the Chacha20 encryption primitive as
+ specified by the IETF in RFC 8439. They are provided strictly for
+ compatibility with existing systems or strict standards compliance. New
+ programs are strongly encouraged to use
+ <a class="Xr" title="Xr" href="crypto_xchacha20.html">crypto_xchacha20(3monocypher)</a>
+ instead.
+<div class="Pp"></div>
+Chacha20 is a low-level primitive. Consider using authenticated encryption,
+ implemented by
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>.
+<div class="Pp"></div>
+The <b class="Fn" title="Fn">crypto_ietf_chacha20</b>() and
+ <b class="Fn" title="Fn">crypto_ietf_chacha20_ctr</b>() functions behave the
+ same as
+ <a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20</a> and
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr</a>,
+ respectively, but use differently-sized nonce and counter values. The nonce
+ encompasses 12 bytes and the counter is correspondingly reduced to 4 bytes.
+ The short counter limits a single pair of key and nonce to 256 GiB of data. A
+ nonce of 12 bytes is <i class="Em" title="Em">just barely too short</i> to be
+ safely chosen at random; use a message counter instead. RFC 8439 also permits
+ linear feedback shift registers to generate nonces.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_ietf_chacha20</b>() returns nothing.
+ <b class="Fn" title="Fn">crypto_ietf_chacha20_ctr</b>() functions return the
+ next <var class="Fa" title="Fa">ctr</var> to use with the same key and nonce
+ values; this is always <var class="Fa" title="Fa">text_size</var> divided by
+ 64; plus one if there was a remainder.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Chacha20 as described in RFC 8439.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+<b class="Fn" title="Fn">crypto_ietf_chacha20</b>() and
+ <b class="Fn" title="Fn">crypto_ietf_chacha20_ctr</b>() were added in
+ Monocypher 3.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_ietf_chacha20_ctr.html b/vendor/doc/html/crypto_ietf_chacha20_ctr.html
new file mode 100644
index 0000000..0dfd1c9
--- /dev/null
+++ b/vendor/doc/html/crypto_ietf_chacha20_ctr.html
@@ -0,0 +1,96 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_IETF_CHACHA20(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_IETF_CHACHA20(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_IETF_CHACHA20(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_ietf_chacha20</b>,
+ <b class="Nm" title="Nm">crypto_ietf_chacha20_ctr</b> &#x2014;
+ <span class="Nd" title="Nd">IETF Chacha20 encryption functions</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ietf_chacha20</b>(<var class="Fa" title="Fa">uint8_t
+ *cipher_text</var>, <var class="Fa" title="Fa">const uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">size_t text_size</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[12]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_ietf_chacha20_ctr</b>(<var class="Fa" title="Fa">uint8_t
+ *cipher_text</var>, <var class="Fa" title="Fa">const uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">size_t text_size</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[12]</var>,
+ <var class="Fa" title="Fa">const uint32_t ctr</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions provide an interface for the Chacha20 encryption primitive as
+ specified by the IETF in RFC 8439. They are provided strictly for
+ compatibility with existing systems or strict standards compliance. New
+ programs are strongly encouraged to use
+ <a class="Xr" title="Xr" href="crypto_xchacha20.html">crypto_xchacha20(3monocypher)</a>
+ instead.
+<div class="Pp"></div>
+Chacha20 is a low-level primitive. Consider using authenticated encryption,
+ implemented by
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>.
+<div class="Pp"></div>
+The <b class="Fn" title="Fn">crypto_ietf_chacha20</b>() and
+ <b class="Fn" title="Fn">crypto_ietf_chacha20_ctr</b>() functions behave the
+ same as
+ <a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20</a> and
+ <a class="Xr" title="Xr" href="crypto_chacha20_ctr.html">crypto_chacha20_ctr</a>,
+ respectively, but use differently-sized nonce and counter values. The nonce
+ encompasses 12 bytes and the counter is correspondingly reduced to 4 bytes.
+ The short counter limits a single pair of key and nonce to 256 GiB of data. A
+ nonce of 12 bytes is <i class="Em" title="Em">just barely too short</i> to be
+ safely chosen at random; use a message counter instead. RFC 8439 also permits
+ linear feedback shift registers to generate nonces.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_ietf_chacha20</b>() returns nothing.
+ <b class="Fn" title="Fn">crypto_ietf_chacha20_ctr</b>() functions return the
+ next <var class="Fa" title="Fa">ctr</var> to use with the same key and nonce
+ values; this is always <var class="Fa" title="Fa">text_size</var> divided by
+ 64; plus one if there was a remainder.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_chacha20.html">crypto_chacha20(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement Chacha20 as described in RFC 8439.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+<b class="Fn" title="Fn">crypto_ietf_chacha20</b>() and
+ <b class="Fn" title="Fn">crypto_ietf_chacha20_ctr</b>() were added in
+ Monocypher 3.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_key_exchange.html b/vendor/doc/html/crypto_key_exchange.html
new file mode 100644
index 0000000..dd5a314
--- /dev/null
+++ b/vendor/doc/html/crypto_key_exchange.html
@@ -0,0 +1,164 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_KEY_EXCHANGE(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_KEY_EXCHANGE(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_KEY_EXCHANGE(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_key_exchange</b>,
+ <b class="Nm" title="Nm">crypto_key_exchange_public_key</b> &#x2014;
+ <span class="Nd" title="Nd">Elliptic Curve Diffie-Hellman key exchange</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_key_exchange</b>(<var class="Fa" title="Fa">uint8_t
+ shared_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ your_secret_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ their_public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_key_exchange_public_key</b>(<var class="Fa" title="Fa">uint8_t
+ your_public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ your_secret_key[32]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+<b class="Fn" title="Fn">crypto_key_exchange</b>() computes a shared key with
+ your secret key and their public key.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_key_exchange_public_key</b>() deterministically
+ computes the public key from a random secret key.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">shared_key</var></dt>
+ <dd class="It-tag">The shared secret, known only to those who know a relevant
+ secret key (yours or theirs). It is cryptographically random, and suitable
+ for use with the
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>
+ family of functions.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">your_secret_key</var></dt>
+ <dd class="It-tag">A 32-byte random number, known only to you. See
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about generating random bytes (use the operating system's random
+ number generator).</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">their_public_key</var></dt>
+ <dd class="It-tag">The public key of the other party.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">your_public_key</var></dt>
+ <dd class="It-tag">Your public key, generated from
+ <var class="Fa" title="Fa">your_secret_key</var> with
+ <b class="Fn" title="Fn">crypto_key_exchange_public_key</b>().</dd>
+</dl>
+<div class="Pp"></div>
+<var class="Fa" title="Fa">shared_key</var> and
+ <var class="Fa" title="Fa">your_secret_key</var> may overlap if the secret is
+ no longer required.
+<div class="Pp"></div>
+Some poorly designed protocols require to test for &#x201C;contributory&#x201D;
+ behaviour, which ensures that no untrusted party forces the shared secret to a
+ known constant. Protocols should instead be designed in such a way that no
+ such check is necessary, namely by authenticating the other party or
+ exchanging keys over a trusted channel.
+<div class="Pp"></div>
+Do not use the same secret key for both key exchanges and signatures. The public
+ keys are different, and revealing both may leak information. If there really
+ is no room to store or derive two different secret keys, consider generating a
+ key pair for signatures and then converting it with
+ <a class="Xr" title="Xr" href="crypto_from_eddsa_private.html">crypto_from_eddsa_private(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_from_eddsa_public.html">crypto_from_eddsa_public(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_key_exchange</b>() and
+ <b class="Fn" title="Fn">crypto_key_exchange_public_key</b>() return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Generate a public key from a randomly generated secret key:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t sk[32]; /* Random secret key */
+uint8_t pk[32]; /* Public key */
+arc4random_buf(sk, 32);
+crypto_key_exchange_public_key(pk, sk);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(sk, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Generate a shared, symmetric key with your secret key and their public key. (The
+ other party will generate the same shared key with your public key and their
+ secret key.)
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t their_pk [32]; /* Their public key */
+uint8_t your_sk [32]; /* Your secret key */
+uint8_t shared_key[32]; /* Shared session key */
+crypto_key_exchange(shared_key, your_sk, their_pk);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(your_sk, 32);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement X25519, described in RFC 7748.
+ <b class="Fn" title="Fn">crypto_key_exchange</b>() uses HChacha20 as well.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_key_exchange</b>() function first appeared
+ in Monocypher 0.2. The
+ <b class="Fn" title="Fn">crypto_key_exchange_public_key</b>() macro alias
+ first appeared in Monocypher 1.1.0.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+If either of the long term secret keys leaks, it may compromise
+ <i class="Em" title="Em">all past messages</i>. This can be avoided by using
+ protocols that provide forward secrecy, such as the X3DH key agreement
+ protocol.
+<h1 class="Sh" title="Sh" id="IMPLEMENTATION_DETAILS"><a class="selflink" href="#IMPLEMENTATION_DETAILS">IMPLEMENTATION
+ DETAILS</a></h1>
+<b class="Fn" title="Fn">crypto_key_exchange_public_key</b>() is an alias to
+ <a class="Xr" title="Xr" href="crypto_x25519_public_key.html">crypto_x25519_public_key(3monocypher)</a>.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_key_exchange_public_key.html b/vendor/doc/html/crypto_key_exchange_public_key.html
new file mode 100644
index 0000000..dd5a314
--- /dev/null
+++ b/vendor/doc/html/crypto_key_exchange_public_key.html
@@ -0,0 +1,164 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_KEY_EXCHANGE(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_KEY_EXCHANGE(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_KEY_EXCHANGE(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_key_exchange</b>,
+ <b class="Nm" title="Nm">crypto_key_exchange_public_key</b> &#x2014;
+ <span class="Nd" title="Nd">Elliptic Curve Diffie-Hellman key exchange</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_key_exchange</b>(<var class="Fa" title="Fa">uint8_t
+ shared_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ your_secret_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ their_public_key[32]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_key_exchange_public_key</b>(<var class="Fa" title="Fa">uint8_t
+ your_public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
+ your_secret_key[32]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+<b class="Fn" title="Fn">crypto_key_exchange</b>() computes a shared key with
+ your secret key and their public key.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_key_exchange_public_key</b>() deterministically
+ computes the public key from a random secret key.
+<div class="Pp"></div>
+The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">shared_key</var></dt>
+ <dd class="It-tag">The shared secret, known only to those who know a relevant
+ secret key (yours or theirs). It is cryptographically random, and suitable
+ for use with the
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>
+ family of functions.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">your_secret_key</var></dt>
+ <dd class="It-tag">A 32-byte random number, known only to you. See
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about generating random bytes (use the operating system's random
+ number generator).</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">their_public_key</var></dt>
+ <dd class="It-tag">The public key of the other party.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">your_public_key</var></dt>
+ <dd class="It-tag">Your public key, generated from
+ <var class="Fa" title="Fa">your_secret_key</var> with
+ <b class="Fn" title="Fn">crypto_key_exchange_public_key</b>().</dd>
+</dl>
+<div class="Pp"></div>
+<var class="Fa" title="Fa">shared_key</var> and
+ <var class="Fa" title="Fa">your_secret_key</var> may overlap if the secret is
+ no longer required.
+<div class="Pp"></div>
+Some poorly designed protocols require to test for &#x201C;contributory&#x201D;
+ behaviour, which ensures that no untrusted party forces the shared secret to a
+ known constant. Protocols should instead be designed in such a way that no
+ such check is necessary, namely by authenticating the other party or
+ exchanging keys over a trusted channel.
+<div class="Pp"></div>
+Do not use the same secret key for both key exchanges and signatures. The public
+ keys are different, and revealing both may leak information. If there really
+ is no room to store or derive two different secret keys, consider generating a
+ key pair for signatures and then converting it with
+ <a class="Xr" title="Xr" href="crypto_from_eddsa_private.html">crypto_from_eddsa_private(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_from_eddsa_public.html">crypto_from_eddsa_public(3monocypher)</a>.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_key_exchange</b>() and
+ <b class="Fn" title="Fn">crypto_key_exchange_public_key</b>() return nothing.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Generate a public key from a randomly generated secret key:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t sk[32]; /* Random secret key */
+uint8_t pk[32]; /* Public key */
+arc4random_buf(sk, 32);
+crypto_key_exchange_public_key(pk, sk);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(sk, 32);
+</pre>
+</div>
+<div class="Pp"></div>
+Generate a shared, symmetric key with your secret key and their public key. (The
+ other party will generate the same shared key with your public key and their
+ secret key.)
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t their_pk [32]; /* Their public key */
+uint8_t your_sk [32]; /* Your secret key */
+uint8_t shared_key[32]; /* Shared session key */
+crypto_key_exchange(shared_key, your_sk, their_pk);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(your_sk, 32);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement X25519, described in RFC 7748.
+ <b class="Fn" title="Fn">crypto_key_exchange</b>() uses HChacha20 as well.
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_key_exchange</b>() function first appeared
+ in Monocypher 0.2. The
+ <b class="Fn" title="Fn">crypto_key_exchange_public_key</b>() macro alias
+ first appeared in Monocypher 1.1.0.
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+If either of the long term secret keys leaks, it may compromise
+ <i class="Em" title="Em">all past messages</i>. This can be avoided by using
+ protocols that provide forward secrecy, such as the X3DH key agreement
+ protocol.
+<h1 class="Sh" title="Sh" id="IMPLEMENTATION_DETAILS"><a class="selflink" href="#IMPLEMENTATION_DETAILS">IMPLEMENTATION
+ DETAILS</a></h1>
+<b class="Fn" title="Fn">crypto_key_exchange_public_key</b>() is an alias to
+ <a class="Xr" title="Xr" href="crypto_x25519_public_key.html">crypto_x25519_public_key(3monocypher)</a>.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">March 31, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_lock.html b/vendor/doc/html/crypto_lock.html
new file mode 100644
index 0000000..921c60e
--- /dev/null
+++ b/vendor/doc/html/crypto_lock.html
@@ -0,0 +1,299 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_LOCK(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_LOCK(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_LOCK(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_lock_aead</b>,
+ <b class="Nm" title="Nm">crypto_unlock_aead</b>,
+ <b class="Nm" title="Nm">crypto_lock</b>,
+ <b class="Nm" title="Nm">crypto_unlock</b> &#x2014;
+ <span class="Nd" title="Nd">authenticated encryption with additional
+ data</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock</b>(<var class="Fa" title="Fa">uint8_t
+ mac[16]</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock</b>(<var class="Fa" title="Fa">uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t mac[16]</var>,
+ <var class="Fa" title="Fa">const uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_aead</b>(<var class="Fa" title="Fa">uint8_t
+ mac[16]</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_aead</b>(<var class="Fa" title="Fa">uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t mac[16]</var>,
+ <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+<b class="Fn" title="Fn">crypto_lock</b>() encrypts and authenticates a
+ plaintext. It can be decrypted by
+ <b class="Fn" title="Fn">crypto_unlock</b>(). The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">A 32-byte session key, shared between the sender and the
+ recipient. It must be secret and random. Different methods can be used to
+ produce and exchange this key, such as Diffie-Hellman key exchange,
+ password key derivation (the password must be communicated on a secure
+ channel), or even meeting physically. See
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>
+ for key exchange, and
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ for password key derivation.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">nonce</var></dt>
+ <dd class="It-tag">A 24-byte number, used only once with any given session
+ key. It does not need to be secret or random, but it does have to be
+ unique. <i class="Em" title="Em">Never</i> use the same nonce twice with
+ the same key. This would reveal the XOR of 2 different messages, which
+ allows decryption and forgeries. The easiest (and recommended) way to
+ generate this nonce is to select it at random. See
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> about
+ random number generation (use your operating system's random number
+ generator).</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">mac</var></dt>
+ <dd class="It-tag">A 16-byte <i class="Em" title="Em">message authentication
+ code</i> (MAC), that can only be produced by someone who knows the session
+ key. This guarantee cannot be upheld if a nonce has been reused with the
+ session key, because doing so allows the attacker to learn the
+ authentication key associated with that nonce. The MAC is intended to be
+ sent along with the ciphertext.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">plain_text</var></dt>
+ <dd class="It-tag">The secret message. Its contents will be kept hidden from
+ attackers. Its length however, will <i class="Em" title="Em">not</i>. Be
+ careful when combining encryption with compression. See
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ details.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">cipher_text</var></dt>
+ <dd class="It-tag">The encrypted message.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">text_size</var></dt>
+ <dd class="It-tag">Length of both <var class="Fa" title="Fa">plain_text
+ and</var> <var class="Fa" title="Fa">cipher_text</var>, in bytes.</dd>
+</dl>
+<div class="Pp"></div>
+The <var class="Fa" title="Fa">cipher_text</var> and
+ <var class="Fa" title="Fa">plain_text</var> arguments may point to the same
+ buffer for in-place encryption. Otherwise, the buffers they point to must not
+ overlap.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_unlock</b>() first checks the integrity of an
+ encrypted message. If it has been corrupted,
+ <b class="Fn" title="Fn">crypto_unlock</b>() returns -1 immediately.
+ Otherwise, it decrypts the message, then returns zero.
+ <i class="Em" title="Em">Always check the return value</i>.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_lock_aead</b>() and
+ <b class="Fn" title="Fn">crypto_unlock_aead</b>() are variants of
+ <b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock</b>(), permitting additional data.
+ Additional data is authenticated, but <i class="Em" title="Em">not</i>
+ encrypted. This is used to authenticate relevant data that cannot be
+ encrypted. The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ad</var></dt>
+ <dd class="It-tag">Additional data to authenticate. It will not be encrypted.
+ May be <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">ad_size</var> is zero. Setting
+ <var class="Fa" title="Fa">ad_size</var> to zero yields the same results
+ as <b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock</b>().</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ad_size</var></dt>
+ <dd class="It-tag">Length of the additional data, in bytes.</dd>
+</dl>
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_lock_aead</b>() return nothing.
+ <b class="Fn" title="Fn">crypto_unlock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock_aead</b>() return 0 on success or -1 if
+ the message was corrupted (i.e. <var class="Fa" title="Fa">mac</var>
+ mismatched the combination of <var class="Fa" title="Fa">key</var>,
+ <var class="Fa" title="Fa">nonce</var>, <var class="Fa" title="Fa">ad</var>
+ and <var class="Fa" title="Fa">cipher_text</var>). Corruption can be caused by
+ transmission errors, programmer error, or an attacker's interference.
+ <var class="Fa" title="Fa">plain_text</var> does not need to be wiped if the
+ decryption fails.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Encryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [32]; /* Random, secret session key */
+uint8_t nonce [24]; /* Use only once per key */
+uint8_t plain_text [12] = &quot;Lorem ipsum&quot;; /* Secret message */
+uint8_t mac [16]; /* Message authentication code */
+uint8_t cipher_text[12]; /* Encrypted message */
+arc4random_buf(key, 32);
+arc4random_buf(nonce, 24);
+crypto_lock(mac, cipher_text, key, nonce, plain_text,
+ sizeof(plain_text));
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(plain_text, 12);
+crypto_wipe(key, 32);
+/* Transmit cipher_text, nonce, and mac over the network,
+ * store them in a file, etc.
+ */
+</pre>
+</div>
+<div class="Pp"></div>
+To decrypt the above:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [32]; /* Same as the above */
+uint8_t nonce [24]; /* Same as the above */
+const uint8_t cipher_text[12]; /* Encrypted message */
+const uint8_t mac [16]; /* Received along with text */
+uint8_t plain_text [12]; /* Secret message */
+if (crypto_unlock(plain_text, key, nonce, mac, cipher_text, 12)) {
+ /* The message is corrupted.
+ * Wipe key if it is no longer needed,
+ * and abort the decryption.
+ */
+ crypto_wipe(key, 32);
+} else {
+ /* ...do something with the decrypted text here... */
+ /* Finally, wipe secrets if they are no longer needed */
+ crypto_wipe(plain_text, 12);
+ crypto_wipe(key, 32);
+}
+</pre>
+</div>
+<div class="Pp"></div>
+In-place encryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [32]; /* Random, secret session key */
+uint8_t nonce[24]; /* Use only once per key */
+uint8_t text [12] = &quot;Lorem ipsum&quot;; /* Secret message */
+uint8_t mac [16]; /* Message authentication code */
+arc4random_buf(key, 32);
+arc4random_buf(nonce, 24);
+crypto_lock(mac, text, key, nonce, text, 12);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+/* Transmit cipher_text, nonce, and mac over the network,
+ * store them in a file, etc.
+ */
+</pre>
+</div>
+<div class="Pp"></div>
+In-place decryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [32]; /* Same as the above */
+const uint8_t nonce[24]; /* Same as the above */
+const uint8_t mac [16]; /* Received from along with text */
+uint8_t text [12]; /* Message to decrypt */
+if (crypto_unlock(text, key, nonce, mac, text, 12)) {
+ /* The message is corrupted.
+ * Wipe key if it is no longer needed,
+ * and abort the decryption.
+ */
+ crypto_wipe(key, 32);
+} else {
+ /* ...do something with the decrypted text here... */
+ /* Finally, wipe secrets if they are no longer needed */
+ crypto_wipe(text, 12);
+ crypto_wipe(key, 32);
+}
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement RFC 8439, with XChacha20 instead of Chacha20.
+ XChacha20 derives from Chacha20 the same way XSalsa20 derives from Salsa20,
+ and benefits from the same security reduction (proven secure as long as
+ Chacha20 itself is secure).
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock</b>() functions first appeared in
+ Monocypher 0.1. <b class="Fn" title="Fn">crypto_lock_aead</b>() and
+ <b class="Fn" title="Fn">crypto_unlock_aead</b>() were introduced in
+ Monocypher 1.1.0. In Monocypher 2.0.0, the underlying algorithms for these
+ functions were changed from a custom XChacha20/Poly1305 construction to an
+ implementation of RFC 7539 (now RFC 8439) with XChacha20 instead of Chacha20.
+ The <b class="Fn" title="Fn">crypto_lock_encrypt</b>() and
+ <b class="Fn" title="Fn">crypto_lock_auth</b>() functions were removed in
+ Monocypher 2.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">February 29, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_lock_aead.html b/vendor/doc/html/crypto_lock_aead.html
new file mode 100644
index 0000000..921c60e
--- /dev/null
+++ b/vendor/doc/html/crypto_lock_aead.html
@@ -0,0 +1,299 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_LOCK(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_LOCK(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_LOCK(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_lock_aead</b>,
+ <b class="Nm" title="Nm">crypto_unlock_aead</b>,
+ <b class="Nm" title="Nm">crypto_lock</b>,
+ <b class="Nm" title="Nm">crypto_unlock</b> &#x2014;
+ <span class="Nd" title="Nd">authenticated encryption with additional
+ data</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock</b>(<var class="Fa" title="Fa">uint8_t
+ mac[16]</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock</b>(<var class="Fa" title="Fa">uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t mac[16]</var>,
+ <var class="Fa" title="Fa">const uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_aead</b>(<var class="Fa" title="Fa">uint8_t
+ mac[16]</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_aead</b>(<var class="Fa" title="Fa">uint8_t
+ *plain_text</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>,
+ <var class="Fa" title="Fa">const uint8_t mac[16]</var>,
+ <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>,
+ <var class="Fa" title="Fa">const uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+<b class="Fn" title="Fn">crypto_lock</b>() encrypts and authenticates a
+ plaintext. It can be decrypted by
+ <b class="Fn" title="Fn">crypto_unlock</b>(). The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">key</var></dt>
+ <dd class="It-tag">A 32-byte session key, shared between the sender and the
+ recipient. It must be secret and random. Different methods can be used to
+ produce and exchange this key, such as Diffie-Hellman key exchange,
+ password key derivation (the password must be communicated on a secure
+ channel), or even meeting physically. See
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>
+ for key exchange, and
+ <a class="Xr" title="Xr" href="crypto_argon2i.html">crypto_argon2i(3monocypher)</a>
+ for password key derivation.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">nonce</var></dt>
+ <dd class="It-tag">A 24-byte number, used only once with any given session
+ key. It does not need to be secret or random, but it does have to be
+ unique. <i class="Em" title="Em">Never</i> use the same nonce twice with
+ the same key. This would reveal the XOR of 2 different messages, which
+ allows decryption and forgeries. The easiest (and recommended) way to
+ generate this nonce is to select it at random. See
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> about
+ random number generation (use your operating system's random number
+ generator).</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">mac</var></dt>
+ <dd class="It-tag">A 16-byte <i class="Em" title="Em">message authentication
+ code</i> (MAC), that can only be produced by someone who knows the session
+ key. This guarantee cannot be upheld if a nonce has been reused with the
+ session key, because doing so allows the attacker to learn the
+ authentication key associated with that nonce. The MAC is intended to be
+ sent along with the ciphertext.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">plain_text</var></dt>
+ <dd class="It-tag">The secret message. Its contents will be kept hidden from
+ attackers. Its length however, will <i class="Em" title="Em">not</i>. Be
+ careful when combining encryption with compression. See
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ details.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">cipher_text</var></dt>
+ <dd class="It-tag">The encrypted message.</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">text_size</var></dt>
+ <dd class="It-tag">Length of both <var class="Fa" title="Fa">plain_text
+ and</var> <var class="Fa" title="Fa">cipher_text</var>, in bytes.</dd>
+</dl>
+<div class="Pp"></div>
+The <var class="Fa" title="Fa">cipher_text</var> and
+ <var class="Fa" title="Fa">plain_text</var> arguments may point to the same
+ buffer for in-place encryption. Otherwise, the buffers they point to must not
+ overlap.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_unlock</b>() first checks the integrity of an
+ encrypted message. If it has been corrupted,
+ <b class="Fn" title="Fn">crypto_unlock</b>() returns -1 immediately.
+ Otherwise, it decrypts the message, then returns zero.
+ <i class="Em" title="Em">Always check the return value</i>.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_lock_aead</b>() and
+ <b class="Fn" title="Fn">crypto_unlock_aead</b>() are variants of
+ <b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock</b>(), permitting additional data.
+ Additional data is authenticated, but <i class="Em" title="Em">not</i>
+ encrypted. This is used to authenticate relevant data that cannot be
+ encrypted. The arguments are:
+<dl class="Bl-tag">
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ad</var></dt>
+ <dd class="It-tag">Additional data to authenticate. It will not be encrypted.
+ May be <code class="Dv" title="Dv">NULL</code> if
+ <var class="Fa" title="Fa">ad_size</var> is zero. Setting
+ <var class="Fa" title="Fa">ad_size</var> to zero yields the same results
+ as <b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock</b>().</dd>
+ <dt class="It-tag">&#x00A0;</dt>
+ <dd class="It-tag">&#x00A0;</dd>
+ <dt class="It-tag"><var class="Fa" title="Fa">ad_size</var></dt>
+ <dd class="It-tag">Length of the additional data, in bytes.</dd>
+</dl>
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_lock_aead</b>() return nothing.
+ <b class="Fn" title="Fn">crypto_unlock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock_aead</b>() return 0 on success or -1 if
+ the message was corrupted (i.e. <var class="Fa" title="Fa">mac</var>
+ mismatched the combination of <var class="Fa" title="Fa">key</var>,
+ <var class="Fa" title="Fa">nonce</var>, <var class="Fa" title="Fa">ad</var>
+ and <var class="Fa" title="Fa">cipher_text</var>). Corruption can be caused by
+ transmission errors, programmer error, or an attacker's interference.
+ <var class="Fa" title="Fa">plain_text</var> does not need to be wiped if the
+ decryption fails.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+The following examples assume the existence of
+ <b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
+ with cryptographically secure random bytes. If
+ <b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
+ see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
+ advice about how to generate cryptographically secure random bytes.
+<div class="Pp"></div>
+Encryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [32]; /* Random, secret session key */
+uint8_t nonce [24]; /* Use only once per key */
+uint8_t plain_text [12] = &quot;Lorem ipsum&quot;; /* Secret message */
+uint8_t mac [16]; /* Message authentication code */
+uint8_t cipher_text[12]; /* Encrypted message */
+arc4random_buf(key, 32);
+arc4random_buf(nonce, 24);
+crypto_lock(mac, cipher_text, key, nonce, plain_text,
+ sizeof(plain_text));
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(plain_text, 12);
+crypto_wipe(key, 32);
+/* Transmit cipher_text, nonce, and mac over the network,
+ * store them in a file, etc.
+ */
+</pre>
+</div>
+<div class="Pp"></div>
+To decrypt the above:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [32]; /* Same as the above */
+uint8_t nonce [24]; /* Same as the above */
+const uint8_t cipher_text[12]; /* Encrypted message */
+const uint8_t mac [16]; /* Received along with text */
+uint8_t plain_text [12]; /* Secret message */
+if (crypto_unlock(plain_text, key, nonce, mac, cipher_text, 12)) {
+ /* The message is corrupted.
+ * Wipe key if it is no longer needed,
+ * and abort the decryption.
+ */
+ crypto_wipe(key, 32);
+} else {
+ /* ...do something with the decrypted text here... */
+ /* Finally, wipe secrets if they are no longer needed */
+ crypto_wipe(plain_text, 12);
+ crypto_wipe(key, 32);
+}
+</pre>
+</div>
+<div class="Pp"></div>
+In-place encryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [32]; /* Random, secret session key */
+uint8_t nonce[24]; /* Use only once per key */
+uint8_t text [12] = &quot;Lorem ipsum&quot;; /* Secret message */
+uint8_t mac [16]; /* Message authentication code */
+arc4random_buf(key, 32);
+arc4random_buf(nonce, 24);
+crypto_lock(mac, text, key, nonce, text, 12);
+/* Wipe secrets if they are no longer needed */
+crypto_wipe(key, 32);
+/* Transmit cipher_text, nonce, and mac over the network,
+ * store them in a file, etc.
+ */
+</pre>
+</div>
+<div class="Pp"></div>
+In-place decryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+uint8_t key [32]; /* Same as the above */
+const uint8_t nonce[24]; /* Same as the above */
+const uint8_t mac [16]; /* Received from along with text */
+uint8_t text [12]; /* Message to decrypt */
+if (crypto_unlock(text, key, nonce, mac, text, 12)) {
+ /* The message is corrupted.
+ * Wipe key if it is no longer needed,
+ * and abort the decryption.
+ */
+ crypto_wipe(key, 32);
+} else {
+ /* ...do something with the decrypted text here... */
+ /* Finally, wipe secrets if they are no longer needed */
+ crypto_wipe(text, 12);
+ crypto_wipe(key, 32);
+}
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement RFC 8439, with XChacha20 instead of Chacha20.
+ XChacha20 derives from Chacha20 the same way XSalsa20 derives from Salsa20,
+ and benefits from the same security reduction (proven secure as long as
+ Chacha20 itself is secure).
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_lock</b>() and
+ <b class="Fn" title="Fn">crypto_unlock</b>() functions first appeared in
+ Monocypher 0.1. <b class="Fn" title="Fn">crypto_lock_aead</b>() and
+ <b class="Fn" title="Fn">crypto_unlock_aead</b>() were introduced in
+ Monocypher 1.1.0. In Monocypher 2.0.0, the underlying algorithms for these
+ functions were changed from a custom XChacha20/Poly1305 construction to an
+ implementation of RFC 7539 (now RFC 8439) with XChacha20 instead of Chacha20.
+ The <b class="Fn" title="Fn">crypto_lock_encrypt</b>() and
+ <b class="Fn" title="Fn">crypto_lock_auth</b>() functions were removed in
+ Monocypher 2.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">February 29, 2020</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_lock_aead_auth.html b/vendor/doc/html/crypto_lock_aead_auth.html
new file mode 100644
index 0000000..fd6c688
--- /dev/null
+++ b/vendor/doc/html/crypto_lock_aead_auth.html
@@ -0,0 +1,307 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_LOCK_INIT(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_LOCK_INIT(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_LOCK_INIT(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_lock_init</b>,
+ <b class="Nm" title="Nm">crypto_lock_aead_auth</b>,
+ <b class="Nm" title="Nm">crypto_lock_update</b>,
+ <b class="Nm" title="Nm">crypto_lock_final</b>,
+ <b class="Nm" title="Nm">crypto_unlock_init</b>,
+ <b class="Nm" title="Nm">crypto_unlock_aead_auth</b>,
+ <b class="Nm" title="Nm">crypto_unlock_update</b>,
+ <b class="Nm" title="Nm">crypto_unlock_final</b>,
+ <b class="Nm" title="Nm">crypto_lock_auth</b>,
+ <b class="Nm" title="Nm">crypto_lock_encrypt</b> &#x2014;
+ <span class="Nd" title="Nd">incremental authenticated encryption with
+ additional data</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_init</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_aead_auth</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_update</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_final</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t mac[16]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_init</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_aead_auth</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_update</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_final</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t mac[16]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_auth</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_encrypt</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions are variants of
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_unlock.html">crypto_unlock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_aead_lock.html">crypto_aead_lock(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_aead_unlock.html">crypto_aead_unlock(3monocypher)</a>.
+ Prefer those simpler functions if possible.
+<div class="Pp"></div>
+This incremental interface can be used to encrypt and decrypt messages too large
+ to fit in a single buffer. The arguments are the same as described for the
+ direct interface described in
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>.
+<div class="Pp"></div>
+Encryption requires four steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">Initialise a context with
+ <b class="Fn" title="Fn">crypto_lock_init</b>().</li>
+ <li class="It-bullet">Authenticate additional data, if any, with
+ <b class="Fn" title="Fn">crypto_lock_aead_auth</b>().</li>
+ <li class="It-bullet">Encrypt and authenticate some data with
+ <b class="Fn" title="Fn">crypto_lock_update</b>().</li>
+ <li class="It-bullet">Generate the MAC with
+ <b class="Fn" title="Fn">crypto_lock_final</b>().</li>
+</ul>
+<div class="Pp"></div>
+Decryption also requires four steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">Initialise a context with
+ <b class="Fn" title="Fn">crypto_unlock_init</b>().</li>
+ <li class="It-bullet">Verify additional data, if any, with
+ <b class="Fn" title="Fn">crypto_unlock_aead_auth</b>().</li>
+ <li class="It-bullet">Decrypt and verify some data with
+ <b class="Fn" title="Fn">crypto_unlock_update</b>().</li>
+ <li class="It-bullet">Verify the MAC with
+ <b class="Fn" title="Fn">crypto_unlock_final</b>().</li>
+</ul>
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_lock_encrypt</b>() encrypts or decrypts data
+ <i class="Em" title="Em">without authenticating it</i>. It is meant as a
+ building block. Used with <b class="Fn" title="Fn">crypto_lock_auth</b>(), it
+ enables various AEAD constructions. Most users do not need either of them.
+ Prefer <b class="Fn" title="Fn">crypto_lock_update</b>() and
+ <b class="Fn" title="Fn">crypto_unlock_update</b>() instead.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_lock_init</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_init</b>(),
+ <b class="Fn" title="Fn">crypto_lock_auth</b>(),
+ <b class="Fn" title="Fn">crypto_lock_encrypt</b>(),
+ <b class="Fn" title="Fn">crypto_lock_aead_auth</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_aead_auth</b>(),
+ <b class="Fn" title="Fn">crypto_lock_update</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_update</b>(), and
+ <b class="Fn" title="Fn">crypto_lock_final</b>() return nothing. They cannot
+ fail.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_unlock_final</b>() returns 0 on success or -1 if
+ the message was corrupted. Corruption can be caused by transmission errors,
+ programmer error, or an attacker's interference.
+ <i class="Em" title="Em">Always check the return value</i>.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+Encryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [ 32]; /* Session key */
+const uint8_t nonce [ 32]; /* Unique per session key */
+const uint8_t ad [500]; /* Optional additional data */
+const uint8_t plain_text [500]; /* Secret message */
+uint8_t cipher_text[500]; /* Encrypted message */
+uint8_t mac [ 16]; /* Message authentication code */
+
+/* Set up initial context */
+crypto_lock_ctx ctx;
+crypto_lock_init(&amp;ctx, key, nonce);
+/* Wipe the key if it is no longer needed */
+crypto_wipe(key, 32);
+
+/* Authenticate additional data */
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_lock_aead_auth(&amp;ctx, ad + i, 100);
+}
+
+/* Encrypt message */
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_lock_update(&amp;ctx, cipher_text + i, plain_text + i, 100);
+ /* Wipe the secret message if it is no longer needed */
+ crypto_wipe(plain_text + i, 100);
+}
+
+/* Produce the MAC */
+crypto_lock_final(&amp;ctx, mac);
+</pre>
+</div>
+<div class="Pp"></div>
+To decrypt the above:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [ 32]; /* Session key */
+const uint8_t nonce [ 32]; /* Unique per session key */
+const uint8_t mac [ 16]; /* Transmitted MAC */
+const uint8_t ad [500]; /* Optional additional data */
+const uint8_t cipher_text[500]; /* Encrypted message */
+uint8_t plain_text [500]; /* Secret message */
+
+/* Set up initial context */
+crypto_unlock_ctx ctx;
+crypto_unlock_init(&amp;ctx, key, nonce);
+/* Wipe the key if it is no longer needed */
+crypto_wipe(key, 32);
+
+/* Verify additional data */
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_unlock_aead_auth(&amp;ctx, ad + i, 100);
+}
+
+/* Decrypt message */
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_unlock_update(&amp;ctx, plain_text + i, cipher_text + i, 100);
+}
+
+/* Check the MAC */
+if (crypto_unlock_final(&amp;ctx, mac)) {
+ /* Corrupted message, abort processing */
+} else {
+ /* Genuine message */
+}
+
+/* Wipe the secret message if it is no longer needed */
+crypto_wipe(plain_text, 500);
+</pre>
+</div>
+<div class="Pp"></div>
+In-place encryption without additional data:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [ 32]; /* Session key */
+const uint8_t nonce [ 32]; /* Unique per session key */
+uint8_t text [500]; /* Message */
+uint8_t mac [ 16]; /* Message authentication code */
+
+/* Set up initial context */
+crypto_lock_ctx ctx;
+crypto_lock_init(&amp;ctx, key, nonce);
+/* Wipe the key if it is no longer needed */
+crypto_wipe(key, 32);
+
+/* Encrypt message */
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_lock_update(&amp;ctx, text + i, text + i, 100);
+}
+
+/* Produce the MAC */
+crypto_lock_final(&amp;ctx, mac);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_aead_lock.html">crypto_aead_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_aead_unlock.html">crypto_aead_unlock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_unlock.html">crypto_unlock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement the XChacha20 (encryption) and Poly1305 (MAC)
+ primitives. Chacha20 and Poly1305 are described in RFC 7539. XChacha20 derives
+ from Chacha20 the same way XSalsa20 derives from Salsa20, and benefits from
+ the same security reduction (proven secure as long as Chacha20 itself is
+ secure).
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+Messages are not verified until the call to
+ <b class="Fn" title="Fn">crypto_unlock_final</b>(). Make sure to call it and
+ check the return value <i class="Em" title="Em">before</i> processing the
+ message. Messages may be stored before they are verified, but they cannot be
+ trusted. Processing untrusted messages increases the attack surface of the
+ system. Doing so securely is hard. Do not process messages before calling
+ <b class="Fn" title="Fn">crypto_unlock_final</b>().
+<h1 class="Sh" title="Sh" id="IMPLEMENTATION_DETAILS"><a class="selflink" href="#IMPLEMENTATION_DETAILS">IMPLEMENTATION
+ DETAILS</a></h1>
+<ul class="Bl-bullet">
+ <li class="It-bullet"><var class="Vt" title="Vt">crypto_unlock_ctx</var> is an
+ alias to <var class="Vt" title="Vt">crypto_lock_ctx</var>.</li>
+ <li class="It-bullet"><b class="Fn" title="Fn">crypto_unlock_init</b>() is an
+ alias to <b class="Fn" title="Fn">crypto_lock_init</b>().</li>
+ <li class="It-bullet"><b class="Fn" title="Fn">crypto_lock_aead_auth</b>() and
+ <b class="Fn" title="Fn">crypto_unlock_aead_auth</b>() are aliases to
+ <b class="Fn" title="Fn">crypto_lock_auth</b>().</li>
+</ul>
+<div class="Pp"></div>
+The incremental interface is roughly three times slower than the direct
+ interface at identifying corrupted messages. This is because the incremental
+ interface works in a single pass and has to interleave decryption and
+ verification. Users who expect a high corruption rate may want to avoid
+ it.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">December 28, 2017</td>
+ <td class="foot-os">Linux 4.4.0-116-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_lock_auth.html b/vendor/doc/html/crypto_lock_auth.html
new file mode 100644
index 0000000..fd6c688
--- /dev/null
+++ b/vendor/doc/html/crypto_lock_auth.html
@@ -0,0 +1,307 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_LOCK_INIT(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_LOCK_INIT(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_LOCK_INIT(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_lock_init</b>,
+ <b class="Nm" title="Nm">crypto_lock_aead_auth</b>,
+ <b class="Nm" title="Nm">crypto_lock_update</b>,
+ <b class="Nm" title="Nm">crypto_lock_final</b>,
+ <b class="Nm" title="Nm">crypto_unlock_init</b>,
+ <b class="Nm" title="Nm">crypto_unlock_aead_auth</b>,
+ <b class="Nm" title="Nm">crypto_unlock_update</b>,
+ <b class="Nm" title="Nm">crypto_unlock_final</b>,
+ <b class="Nm" title="Nm">crypto_lock_auth</b>,
+ <b class="Nm" title="Nm">crypto_lock_encrypt</b> &#x2014;
+ <span class="Nd" title="Nd">incremental authenticated encryption with
+ additional data</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_init</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_aead_auth</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_update</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_final</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t mac[16]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_init</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_aead_auth</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_update</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_final</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t mac[16]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_auth</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_encrypt</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions are variants of
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_unlock.html">crypto_unlock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_aead_lock.html">crypto_aead_lock(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_aead_unlock.html">crypto_aead_unlock(3monocypher)</a>.
+ Prefer those simpler functions if possible.
+<div class="Pp"></div>
+This incremental interface can be used to encrypt and decrypt messages too large
+ to fit in a single buffer. The arguments are the same as described for the
+ direct interface described in
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>.
+<div class="Pp"></div>
+Encryption requires four steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">Initialise a context with
+ <b class="Fn" title="Fn">crypto_lock_init</b>().</li>
+ <li class="It-bullet">Authenticate additional data, if any, with
+ <b class="Fn" title="Fn">crypto_lock_aead_auth</b>().</li>
+ <li class="It-bullet">Encrypt and authenticate some data with
+ <b class="Fn" title="Fn">crypto_lock_update</b>().</li>
+ <li class="It-bullet">Generate the MAC with
+ <b class="Fn" title="Fn">crypto_lock_final</b>().</li>
+</ul>
+<div class="Pp"></div>
+Decryption also requires four steps:
+<ul class="Bl-bullet">
+ <li class="It-bullet">Initialise a context with
+ <b class="Fn" title="Fn">crypto_unlock_init</b>().</li>
+ <li class="It-bullet">Verify additional data, if any, with
+ <b class="Fn" title="Fn">crypto_unlock_aead_auth</b>().</li>
+ <li class="It-bullet">Decrypt and verify some data with
+ <b class="Fn" title="Fn">crypto_unlock_update</b>().</li>
+ <li class="It-bullet">Verify the MAC with
+ <b class="Fn" title="Fn">crypto_unlock_final</b>().</li>
+</ul>
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_lock_encrypt</b>() encrypts or decrypts data
+ <i class="Em" title="Em">without authenticating it</i>. It is meant as a
+ building block. Used with <b class="Fn" title="Fn">crypto_lock_auth</b>(), it
+ enables various AEAD constructions. Most users do not need either of them.
+ Prefer <b class="Fn" title="Fn">crypto_lock_update</b>() and
+ <b class="Fn" title="Fn">crypto_unlock_update</b>() instead.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_lock_init</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_init</b>(),
+ <b class="Fn" title="Fn">crypto_lock_auth</b>(),
+ <b class="Fn" title="Fn">crypto_lock_encrypt</b>(),
+ <b class="Fn" title="Fn">crypto_lock_aead_auth</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_aead_auth</b>(),
+ <b class="Fn" title="Fn">crypto_lock_update</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_update</b>(), and
+ <b class="Fn" title="Fn">crypto_lock_final</b>() return nothing. They cannot
+ fail.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_unlock_final</b>() returns 0 on success or -1 if
+ the message was corrupted. Corruption can be caused by transmission errors,
+ programmer error, or an attacker's interference.
+ <i class="Em" title="Em">Always check the return value</i>.
+<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
+Encryption:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [ 32]; /* Session key */
+const uint8_t nonce [ 32]; /* Unique per session key */
+const uint8_t ad [500]; /* Optional additional data */
+const uint8_t plain_text [500]; /* Secret message */
+uint8_t cipher_text[500]; /* Encrypted message */
+uint8_t mac [ 16]; /* Message authentication code */
+
+/* Set up initial context */
+crypto_lock_ctx ctx;
+crypto_lock_init(&amp;ctx, key, nonce);
+/* Wipe the key if it is no longer needed */
+crypto_wipe(key, 32);
+
+/* Authenticate additional data */
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_lock_aead_auth(&amp;ctx, ad + i, 100);
+}
+
+/* Encrypt message */
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_lock_update(&amp;ctx, cipher_text + i, plain_text + i, 100);
+ /* Wipe the secret message if it is no longer needed */
+ crypto_wipe(plain_text + i, 100);
+}
+
+/* Produce the MAC */
+crypto_lock_final(&amp;ctx, mac);
+</pre>
+</div>
+<div class="Pp"></div>
+To decrypt the above:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [ 32]; /* Session key */
+const uint8_t nonce [ 32]; /* Unique per session key */
+const uint8_t mac [ 16]; /* Transmitted MAC */
+const uint8_t ad [500]; /* Optional additional data */
+const uint8_t cipher_text[500]; /* Encrypted message */
+uint8_t plain_text [500]; /* Secret message */
+
+/* Set up initial context */
+crypto_unlock_ctx ctx;
+crypto_unlock_init(&amp;ctx, key, nonce);
+/* Wipe the key if it is no longer needed */
+crypto_wipe(key, 32);
+
+/* Verify additional data */
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_unlock_aead_auth(&amp;ctx, ad + i, 100);
+}
+
+/* Decrypt message */
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_unlock_update(&amp;ctx, plain_text + i, cipher_text + i, 100);
+}
+
+/* Check the MAC */
+if (crypto_unlock_final(&amp;ctx, mac)) {
+ /* Corrupted message, abort processing */
+} else {
+ /* Genuine message */
+}
+
+/* Wipe the secret message if it is no longer needed */
+crypto_wipe(plain_text, 500);
+</pre>
+</div>
+<div class="Pp"></div>
+In-place encryption without additional data:
+<div class="Pp"></div>
+<div class="Bd" style="margin-left: 5.00ex;">
+<pre class="Li">
+const uint8_t key [ 32]; /* Session key */
+const uint8_t nonce [ 32]; /* Unique per session key */
+uint8_t text [500]; /* Message */
+uint8_t mac [ 16]; /* Message authentication code */
+
+/* Set up initial context */
+crypto_lock_ctx ctx;
+crypto_lock_init(&amp;ctx, key, nonce);
+/* Wipe the key if it is no longer needed */
+crypto_wipe(key, 32);
+
+/* Encrypt message */
+for (size_t i = 0; i &lt; 500; i += 100) {
+ crypto_lock_update(&amp;ctx, text + i, text + i, 100);
+}
+
+/* Produce the MAC */
+crypto_lock_final(&amp;ctx, mac);
+</pre>
+</div>
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_aead_lock.html">crypto_aead_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_aead_unlock.html">crypto_aead_unlock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_unlock.html">crypto_unlock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
+These functions implement the XChacha20 (encryption) and Poly1305 (MAC)
+ primitives. Chacha20 and Poly1305 are described in RFC 7539. XChacha20 derives
+ from Chacha20 the same way XSalsa20 derives from Salsa20, and benefits from
+ the same security reduction (proven secure as long as Chacha20 itself is
+ secure).
+<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
+ CONSIDERATIONS</a></h1>
+Messages are not verified until the call to
+ <b class="Fn" title="Fn">crypto_unlock_final</b>(). Make sure to call it and
+ check the return value <i class="Em" title="Em">before</i> processing the
+ message. Messages may be stored before they are verified, but they cannot be
+ trusted. Processing untrusted messages increases the attack surface of the
+ system. Doing so securely is hard. Do not process messages before calling
+ <b class="Fn" title="Fn">crypto_unlock_final</b>().
+<h1 class="Sh" title="Sh" id="IMPLEMENTATION_DETAILS"><a class="selflink" href="#IMPLEMENTATION_DETAILS">IMPLEMENTATION
+ DETAILS</a></h1>
+<ul class="Bl-bullet">
+ <li class="It-bullet"><var class="Vt" title="Vt">crypto_unlock_ctx</var> is an
+ alias to <var class="Vt" title="Vt">crypto_lock_ctx</var>.</li>
+ <li class="It-bullet"><b class="Fn" title="Fn">crypto_unlock_init</b>() is an
+ alias to <b class="Fn" title="Fn">crypto_lock_init</b>().</li>
+ <li class="It-bullet"><b class="Fn" title="Fn">crypto_lock_aead_auth</b>() and
+ <b class="Fn" title="Fn">crypto_unlock_aead_auth</b>() are aliases to
+ <b class="Fn" title="Fn">crypto_lock_auth</b>().</li>
+</ul>
+<div class="Pp"></div>
+The incremental interface is roughly three times slower than the direct
+ interface at identifying corrupted messages. This is because the incremental
+ interface works in a single pass and has to interleave decryption and
+ verification. Users who expect a high corruption rate may want to avoid
+ it.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">December 28, 2017</td>
+ <td class="foot-os">Linux 4.4.0-116-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_lock_auth_ad.html b/vendor/doc/html/crypto_lock_auth_ad.html
new file mode 100644
index 0000000..312c542
--- /dev/null
+++ b/vendor/doc/html/crypto_lock_auth_ad.html
@@ -0,0 +1,172 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_LOCK_INIT(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_LOCK_INIT(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_LOCK_INIT(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_lock_init</b>,
+ <b class="Nm" title="Nm">crypto_lock_auth_ad</b>,
+ <b class="Nm" title="Nm">crypto_lock_auth_message</b>,
+ <b class="Nm" title="Nm">crypto_lock_update</b>,
+ <b class="Nm" title="Nm">crypto_lock_final</b>,
+ <b class="Nm" title="Nm">crypto_unlock_init</b>,
+ <b class="Nm" title="Nm">crypto_unlock_auth_ad</b>,
+ <b class="Nm" title="Nm">crypto_unlock_auth_message</b>,
+ <b class="Nm" title="Nm">crypto_unlock_update</b>,
+ <b class="Nm" title="Nm">crypto_unlock_final</b> &#x2014;
+ <span class="Nd" title="Nd">incremental authenticated encryption with
+ additional data</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_init</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_auth_ad</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_auth_message</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_update</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_final</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t mac[16]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_init</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_auth_ad</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_auth_message</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_update</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_final</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t mac[16]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions were variants of
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_unlock.html">crypto_unlock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock_aead.html">crypto_lock_aead(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_unlock_aead.html">crypto_unlock_aead(3monocypher)</a>.
+ They are deprecated in favor of those simpler functions.
+<div class="Pp"></div>
+Change your protocol so that it does not rely on the removed functions, namely
+ by splitting the data into chunks that you can individually use
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_unlock.html">crypto_unlock(3monocypher)</a>
+ on.
+<div class="Pp"></div>
+For files in particular, you may alternatively (and suboptimally) attempt to use
+ <b class="Fn" title="Fn">mmap</b>() (on *NIX) or
+ <b class="Fn" title="Fn">MapViewOfFile</b>() (on Windows) and pass the files
+ as mapped memory into
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>
+ and
+ <a class="Xr" title="Xr" href="crypto_unlock.html">crypto_unlock(3monocypher)</a>
+ instead.
+<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
+ VALUES</a></h1>
+<b class="Fn" title="Fn">crypto_lock_init</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_init</b>(),
+ <b class="Fn" title="Fn">crypto_lock_auth_ad</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_auth_ad</b>(),
+ <b class="Fn" title="Fn">crypto_lock_auth_message</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_auth_message</b>(),
+ <b class="Fn" title="Fn">crypto_lock_update</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_update</b>(), and
+ <b class="Fn" title="Fn">crypto_lock_final</b>() return nothing.
+<div class="Pp"></div>
+<b class="Fn" title="Fn">crypto_unlock_final</b>() returns 0 on success or -1 if
+ the message was corrupted. Corruption can be caused by transmission errors,
+ programmer error, or an attacker's interference.
+ <i class="Em" title="Em">Always check the return value</i>.
+<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_lock_aead.html">crypto_lock_aead(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_unlock.html">crypto_unlock(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_unlock_aead.html">crypto_unlock_aead(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="crypto_wipe.html">crypto_wipe(3monocypher)</a>,
+ <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
+<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
+The <b class="Fn" title="Fn">crypto_lock_init</b>(),
+ <b class="Fn" title="Fn">crypto_lock_auth_ad</b>(),
+ <b class="Fn" title="Fn">crypto_lock_auth_message</b>(),
+ <b class="Fn" title="Fn">crypto_lock_update</b>(),
+ <b class="Fn" title="Fn">crypto_lock_final</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_init</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_auth_ad</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_auth_message</b>(),
+ <b class="Fn" title="Fn">crypto_unlock_update</b>(), and
+ <b class="Fn" title="Fn">crypto_unlock_final</b>() functions first appeared in
+ Monocypher 1.1.0. <b class="Fn" title="Fn">crypto_lock_aead_auth</b>() and
+ <b class="Fn" title="Fn">crypto_unlock_aead_auth</b>() were renamed to
+ <b class="Fn" title="Fn">crypto_lock_auth_ad</b>() and
+ <b class="Fn" title="Fn">crypto_unlock_auth_ad</b>() respectively in
+ Monocypher 2.0.0. They were deprecated in Monocypher 3.0.0 and will be removed
+ in Monocypher 4.0.0.</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">December 12, 2019</td>
+ <td class="foot-os">Linux 4.15.0-106-generic</td>
+ </tr>
+</table>
+</body>
+</html>
diff --git a/vendor/doc/html/crypto_lock_auth_message.html b/vendor/doc/html/crypto_lock_auth_message.html
new file mode 100644
index 0000000..312c542
--- /dev/null
+++ b/vendor/doc/html/crypto_lock_auth_message.html
@@ -0,0 +1,172 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8"/>
+ <style>
+ table.head, table.foot { width: 100%; }
+ td.head-rtitle, td.foot-os { text-align: right; }
+ td.head-vol { text-align: center; }
+ div.Pp { margin: 1ex 0ex; }
+ </style>
+ <link rel="stylesheet" href="style.css" type="text/css" media="all"/>
+ <title>CRYPTO_LOCK_INIT(3MONOCYPHER)</title>
+</head>
+<body>
+<table class="head">
+ <tr>
+ <td class="head-ltitle">CRYPTO_LOCK_INIT(3MONOCYPHER)</td>
+ <td class="head-vol">3MONOCYPHER</td>
+ <td class="head-rtitle">CRYPTO_LOCK_INIT(3MONOCYPHER)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
+<b class="Nm" title="Nm">crypto_lock_init</b>,
+ <b class="Nm" title="Nm">crypto_lock_auth_ad</b>,
+ <b class="Nm" title="Nm">crypto_lock_auth_message</b>,
+ <b class="Nm" title="Nm">crypto_lock_update</b>,
+ <b class="Nm" title="Nm">crypto_lock_final</b>,
+ <b class="Nm" title="Nm">crypto_unlock_init</b>,
+ <b class="Nm" title="Nm">crypto_unlock_auth_ad</b>,
+ <b class="Nm" title="Nm">crypto_unlock_auth_message</b>,
+ <b class="Nm" title="Nm">crypto_unlock_update</b>,
+ <b class="Nm" title="Nm">crypto_unlock_final</b> &#x2014;
+ <span class="Nd" title="Nd">incremental authenticated encryption with
+ additional data</span>
+<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<b class="In" title="In">#include
+ &lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_init</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_auth_ad</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_auth_message</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_update</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_lock_final</b>(<var class="Fa" title="Fa">crypto_lock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t mac[16]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_init</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t key[32]</var>,
+ <var class="Fa" title="Fa">const uint8_t nonce[24]</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_auth_ad</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *ad</var>,
+ <var class="Fa" title="Fa">size_t ad_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_auth_message</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">void</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_update</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">uint8_t *plain_text</var>,
+ <var class="Fa" title="Fa">const uint8_t *cipher_text</var>,
+ <var class="Fa" title="Fa">size_t text_size</var>);
+<div class="Pp"></div>
+<var class="Ft" title="Ft">int</var>
+<br/>
+<b class="Fn" title="Fn">crypto_unlock_final</b>(<var class="Fa" title="Fa">crypto_unlock_ctx
+ *ctx</var>, <var class="Fa" title="Fa">const uint8_t mac[16]</var>);
+<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+These functions were variants of
+ <a class="Xr" title="Xr" href="crypto_lock.html">