Diffstat (limited to 'vendor/doc/man')
-rw-r--r--vendor/doc/man/man3/crypto_argon2i.3monocypher297
l---------vendor/doc/man/man3/crypto_argon2i_general.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_blake2b.3monocypher312
l---------vendor/doc/man/man3/crypto_blake2b_final.3monocypher1
l---------vendor/doc/man/man3/crypto_blake2b_general.3monocypher1
l---------vendor/doc/man/man3/crypto_blake2b_general_init.3monocypher1
l---------vendor/doc/man/man3/crypto_blake2b_init.3monocypher1
l---------vendor/doc/man/man3/crypto_blake2b_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_chacha20.3monocypher391
l---------vendor/doc/man/man3/crypto_chacha20_H.3monocypher1
l---------vendor/doc/man/man3/crypto_chacha20_ctr.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_chacha20_encrypt.3monocypher150
l---------vendor/doc/man/man3/crypto_chacha20_init.3monocypher1
l---------vendor/doc/man/man3/crypto_chacha20_set_ctr.3monocypher1
l---------vendor/doc/man/man3/crypto_chacha20_stream.3monocypher1
l---------vendor/doc/man/man3/crypto_chacha20_x_init.3monocypher1
l---------vendor/doc/man/man3/crypto_check.3monocypher1
l---------vendor/doc/man/man3/crypto_check_final.3monocypher1
l---------vendor/doc/man/man3/crypto_check_init.3monocypher1
l---------vendor/doc/man/man3/crypto_check_init_custom_hash.3monocypher1
l---------vendor/doc/man/man3/crypto_check_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_curve_to_hidden.3monocypher284
-rw-r--r--vendor/doc/man/man3/crypto_from_eddsa_private.3monocypher132
l---------vendor/doc/man/man3/crypto_from_eddsa_public.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_hchacha20.3monocypher132
l---------vendor/doc/man/man3/crypto_hidden_key_pair.3monocypher1
l---------vendor/doc/man/man3/crypto_hidden_to_curve.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_ietf_chacha20.3monocypher132
l---------vendor/doc/man/man3/crypto_ietf_chacha20_ctr.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_key_exchange.3monocypher185
l---------vendor/doc/man/man3/crypto_key_exchange_public_key.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_lock.3monocypher340
l---------vendor/doc/man/man3/crypto_lock_aead.3monocypher1
l---------vendor/doc/man/man3/crypto_lock_auth_ad.3monocypher1
l---------vendor/doc/man/man3/crypto_lock_auth_message.3monocypher1
l---------vendor/doc/man/man3/crypto_lock_final.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_lock_init.3monocypher210
l---------vendor/doc/man/man3/crypto_lock_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_poly1305.3monocypher273
l---------vendor/doc/man/man3/crypto_poly1305_final.3monocypher1
l---------vendor/doc/man/man3/crypto_poly1305_init.3monocypher1
l---------vendor/doc/man/man3/crypto_poly1305_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_sign.3monocypher236
l---------vendor/doc/man/man3/crypto_sign_final.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_sign_init_first_pass.3monocypher302
-rw-r--r--vendor/doc/man/man3/crypto_sign_init_first_pass_custom_hash.3monocypher295
l---------vendor/doc/man/man3/crypto_sign_init_second_pass.3monocypher1
l---------vendor/doc/man/man3/crypto_sign_public_key.3monocypher1
l---------vendor/doc/man/man3/crypto_sign_public_key_custom_hash.3monocypher1
l---------vendor/doc/man/man3/crypto_sign_update.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock_aead.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock_auth_ad.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock_auth_message.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock_final.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock_init.3monocypher1
l---------vendor/doc/man/man3/crypto_unlock_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_verify16.3monocypher126
l---------vendor/doc/man/man3/crypto_verify32.3monocypher1
l---------vendor/doc/man/man3/crypto_verify64.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_wipe.3monocypher110
-rw-r--r--vendor/doc/man/man3/crypto_x25519.3monocypher197
-rw-r--r--vendor/doc/man/man3/crypto_x25519_dirty_fast.3monocypher131
l---------vendor/doc/man/man3/crypto_x25519_dirty_small.3monocypher1
-rw-r--r--vendor/doc/man/man3/crypto_x25519_inverse.3monocypher105
l---------vendor/doc/man/man3/crypto_x25519_public_key.3monocypher1
l---------vendor/doc/man/man3/crypto_xchacha20.3monocypher1
l---------vendor/doc/man/man3/crypto_xchacha20_ctr.3monocypher1
-rw-r--r--vendor/doc/man/man3/intro.3monocypher356
l---------vendor/doc/man/man3/optional/crypto_ed25519_check.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_ed25519_check_final.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_ed25519_check_init.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_ed25519_check_update.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_ed25519_public_key.3monocypher1
-rw-r--r--vendor/doc/man/man3/optional/crypto_ed25519_sign.3monocypher123
l---------vendor/doc/man/man3/optional/crypto_ed25519_sign_final.3monocypher1
-rw-r--r--vendor/doc/man/man3/optional/crypto_ed25519_sign_init_first_pass.3monocypher157
l---------vendor/doc/man/man3/optional/crypto_ed25519_sign_init_second_pass.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_ed25519_sign_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/optional/crypto_from_ed25519_private.3monocypher87
l---------vendor/doc/man/man3/optional/crypto_from_ed25519_public.3monocypher1
-rw-r--r--vendor/doc/man/man3/optional/crypto_hmac_sha512.3monocypher227
l---------vendor/doc/man/man3/optional/crypto_hmac_sha512_final.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_hmac_sha512_init.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_hmac_sha512_update.3monocypher1
-rw-r--r--vendor/doc/man/man3/optional/crypto_sha512.3monocypher213
l---------vendor/doc/man/man3/optional/crypto_sha512_final.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_sha512_init.3monocypher1
l---------vendor/doc/man/man3/optional/crypto_sha512_update.3monocypher1
89 files changed, 0 insertions, 5566 deletions
diff --git a/vendor/doc/man/man3/crypto_argon2i.3monocypher b/vendor/doc/man/man3/crypto_argon2i.3monocypher
deleted file mode 100644
index ac9d1c6..0000000
--- a/vendor/doc/man/man3/crypto_argon2i.3monocypher
+++ /dev/null
@@ -1,297 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2018 Michael Savage
-.\" Copyright (c) 2017, 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2020 by Loup Vaillant, Michael Savage and Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd April 8, 2020
-.Dt CRYPTO_ARGON2I 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_argon2i
-.Nd password key derivation
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_argon2i
-.Fa "uint8_t *hash"
-.Fa "uint32_t hash_size"
-.Fa "void *work_area"
-.Fa "uint32_t nb_blocks"
-.Fa "uint32_t nb_iterations"
-.Fa "const uint8_t *password"
-.Fa "uint32_t password_size"
-.Fa "const uint8_t *salt"
-.Fa "uint32_t salt_size"
-.Fc
-.Ft void
-.Fo crypto_argon2i_general
-.Fa "uint8_t *hash"
-.Fa "uint32_t hash_size"
-.Fa "void *work_area"
-.Fa "uint32_t nb_blocks"
-.Fa "uint32_t nb_iterations"
-.Fa "const uint8_t *password"
-.Fa "uint32_t password_size"
-.Fa "const uint8_t *salt"
-.Fa "uint32_t salt_size"
-.Fa "const uint8_t *key"
-.Fa "uint32_t key_size"
-.Fa "const uint8_t *ad"
-.Fa "uint32_t ad_size"
-.Fc
-.Sh DESCRIPTION
-Argon2i is a resource intensive password key derivation scheme
-optimised for the typical x86-like processor.
-It runs in constant time with respect to the contents of the password.
-.Pp
-Typical applications are password checking (for online services), and
-key derivation (for encryption).
-Derived keys can be used to encrypt, for example, private keys or
-password databases.
-.Pp
-The version provided by Monocypher has no threading support, so the
-degree of parallelism is limited to 1.
-This is considered good enough for most purposes.
-.Pp
-The arguments to
-.Fn crypto_argon2i
-are:
-.Bl -tag -width Ds
-.It Fa hash
-The output hash.
-.It Fa hash_size
-Length of
-.Fa hash ,
-in bytes.
-This argument should be set to 32 or 64 for compatibility with the
-.Fn crypto_verify*
-constant time comparison functions.
-.It Fa work_area
-Temporary buffer for the algorithm, allocated by the caller.
-It must be
-.Fa nb_blocks
-× 1024 bytes big, and suitably aligned for 64-bit integers.
-If you are not sure how to allocate that buffer, just use
-.Fn malloc .
-.Pp
-The work area is automatically wiped by
-.Fn crypto_argon2i .
-.It Fa nb_blocks
-The number of blocks for the work area.
-Must be at least 8.
-A value of 100000 (one hundred megabytes) is a good starting point.
-If the computation takes too long, reduce this number.
-If it is too fast, increase this number.
-If it is still too fast with all available memory, increase
-.Fa nb_iterations .
-.It Fa nb_iterations
-The number of iterations.
-It must be at least 1.
-A value of 3 is
-.Em strongly
-recommended;
-any value lower than 3 enables significantly more efficient attacks.
-.It Fa password
-The password to hash.
-It should be wiped with
-.Xr crypto_wipe 3monocypher
-after being hashed.
-.It Fa password_size
-Length of
-.Fa password ,
-in bytes.
-.It Fa salt
-A password salt.
-This should be filled with random bytes, generated separately for each
-password to be hashed.
-See
-.Xr intro 3monocypher
-for advice about generating random bytes (use the operating system's
-random number generator).
-.It Fa salt_size
-Length of
-.Fa salt ,
-in bytes.
-Must be at least 8.
-16 is recommended.
-.El
-.Pp
-The output hash must not overlap with the work area, or it will be
-wiped along with it.
-Any other overlap is permitted.
-.Pp
-Use
-.Xr crypto_verify16 3monocypher ,
-.Xr crypto_verify32 3monocypher
-or
-.Xr crypto_verify64 3monocypher
-to compare password hashes to prevent timing attacks.
-.Pp
-To select the
-.Fa nb_blocks
-and
-.Fa nb_iterations
-parameters, it should first be decided how long the computation should
-take.
-For user authentication, values somewhere between half a second
-(convenient) and several seconds (paranoid) are recommended.
-The computation should use as much memory as can be spared.
-.Pp
-Since parameter selection depends on your hardware, some trial and error
-will be required in order to determine the ideal settings.
-Three iterations and 100000 blocks (that is, one hundred megabytes of
-memory) is a good starting point.
-Adjust
-.Fa nb_blocks
-first.
-If using all available memory is not slow enough, increase
-.Fa nb_iterations .
-.Pp
-.Fn crypto_argon2i_general
-is a variant of
-.Fn crypto_argon2i
-that supports keyed hashing and hashing of additional data.
-The additional arguments are:
-.Bl -tag -width Ds
-.It Fa key
-A key to use in the hash.
-Can be
-.Dv NULL
-if
-.Fa key_size
-is zero.
-The key is generally not needed, but it does have some uses.
-In the context of password derivation, it would be stored separately
-from the password database, and would remain secret even if an
-attacker were to steal the database.
-Note that changing the key requires rehashing the user's password,
-which is only possible upon user login.
-.It Fa key_size
-Length of
-.Fa key ,
-in bytes.
-Must be zero if there is no key.
-.It Fa ad
-Additional data.
-This is additional data that goes into the hash, similar to the
-authenticated encryption with authenticated data (AEAD) construction in
-.Xr crypto_lock_aead 3monocypher .
-This most likely has no practical application but is exposed for the
-sake of completeness.
-This parameter may be
-.Dv NULL
-if
-.Fa ad_size
-is zero.
-.It Fa ad_size
-Length of
-.Fa ad ,
-in bytes.
-Must be zero if there is no additional data.
-.El
-.Sh RETURN VALUES
-These functions return nothing.
-.Sh EXAMPLES
-The following example assumes the existence of
-.Fn arc4random_buf ,
-which fills the given buffer with cryptographically secure random bytes.
-If
-.Fn arc4random_buf
-does not exist on your system, see
-.Xr intro 3monocypher
-for advice about how to generate cryptographically secure random bytes.
-.Pp
-This example shows how to hash a password with the recommended baseline
-parameters:
-.Bd -literal -offset indent
-uint8_t hash[32]; /* Output hash */
-char *password = "Okay Password!"; /* User's password */
-uint32_t password_size = 14; /* Password length */
-uint8_t salt[16]; /* Random salt */
-const uint32_t nb_blocks = 100000; /* 100 megabytes */
-const uint32_t nb_iterations = 3; /* 3 iterations */
-void *work_area = malloc(nb_blocks * 1024); /* Work area */
-if (work_area == NULL) {
- /* Handle malloc() failure */
- /* Wipe secrets if they are no longer needed */
- crypto_wipe(password, password_size);
-} else {
- arc4random_buf(salt, 16);
- crypto_argon2i(hash, 32,
- work_area, nb_blocks, nb_iterations,
- (uint8_t *)password, password_size,
- salt, 16);
- /* Wipe secrets if they are no longer needed */
- crypto_wipe(password, password_size);
- free(work_area);
-}
-.Ed
-.Sh SEE ALSO
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_verify16 3monocypher ,
-.Xr crypto_wipe 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement Argon2i.
-An RFC draft is being maintained.
-.Sh HISTORY
-The
-.Fn crypto_argon2i_general
-function first appeared in Monocypher 0.1 but was called
-.Fn crypto_argon2i ;
-it was renamed to its current name in Monocypher 1.1.0.
-The current
-.Fn crypto_argon2i
-first appeared in Monocypher 1.1.0.
-.Sh CAVEATS
-Any deviation from the specified input and output length ranges results
-in
-.Sy undefined behaviour .
-Make sure your inputs are correct.
diff --git a/vendor/doc/man/man3/crypto_argon2i_general.3monocypher b/vendor/doc/man/man3/crypto_argon2i_general.3monocypher
deleted file mode 120000
index 6aaa189..0000000
--- a/vendor/doc/man/man3/crypto_argon2i_general.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_argon2i.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_blake2b.3monocypher b/vendor/doc/man/man3/crypto_blake2b.3monocypher
deleted file mode 100644
index 67f59d1..0000000
--- a/vendor/doc/man/man3/crypto_blake2b.3monocypher
+++ /dev/null
@@ -1,312 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2018 Michael Savage
-.\" Copyright (c) 2017, 2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2020 by Loup Vaillant, Michael Savage and Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 31, 2020
-.Dt CRYPTO_BLAKE2B 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_blake2b ,
-.Nm crypto_blake2b_general ,
-.Nm crypto_blake2b_general_init ,
-.Nm crypto_blake2b_init ,
-.Nm crypto_blake2b_update ,
-.Nm crypto_blake2b_final
-.Nd cryptographic hashing
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_blake2b
-.Fa "uint8_t hash[64]"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft void
-.Fo crypto_blake2b_general
-.Fa "uint8_t *hash"
-.Fa "size_t hash_size"
-.Fa "const uint8_t *key"
-.Fa "size_t key_size"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft void
-.Fo crypto_blake2b_init
-.Fa "crypto_blake2b_ctx *ctx"
-.Fc
-.Ft void
-.Fo crypto_blake2b_general_init
-.Fa "crypto_blake2b_ctx *ctx"
-.Fa "size_t hash_size"
-.Fa "const uint8_t *key"
-.Fa "size_t key_size"
-.Fc
-.Ft void
-.Fo crypto_blake2b_update
-.Fa "crypto_blake2b_ctx *ctx"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft void
-.Fo crypto_blake2b_final
-.Fa "crypto_blake2b_ctx *ctx"
-.Fa "uint8_t *hash"
-.Fc
-.Sh DESCRIPTION
-BLAKE2b is a fast cryptographically secure hash, based on the ideas of
-Chacha20.
-It is faster than MD5, yet just as secure as SHA-3.
-.Pp
-Note that BLAKE2b itself is not suitable for hashing passwords and
-deriving keys from them;
-use the
-.Xr crypto_argon2i 3monocypher
-family of functions for that purpose instead.
-.Pp
-BLAKE2b is immune to length extension attacks, and as such does not
-require any specific precautions, such as using the HMAC algorithm.
-.Pp
-The arguments are:
-.Bl -tag -width Ds
-.It Fa hash
-The output hash.
-.It Fa hash_size
-Length of
-.Fa hash ,
-in bytes.
-Must be between 1 and 64.
-Anything below 32 is discouraged when using Blake2b as a general-purpose
-hash function;
-anything below 16 is discouraged when using Blake2b as a message
-authentication code.
-.It Fa key
-Some secret key.
-One cannot predict the final hash without it.
-May be
-.Dv NULL
-if
-.Fa key_size
-is 0, in which case no key is used.
-Keys can be used to create a message authentication code (MAC).
-Use
-.Xr crypto_verify16 3monocypher ,
-.Xr crypto_verify32 3monocypher ,
-or
-.Xr crypto_verify64 3monocypher
-to compare MACs created this way.
-Choose the size of the hash accordingly.
-Users may want to wipe the key with
-.Xr crypto_wipe 3monocypher
-once they are done with it.
-.It Fa key_size
-Length of
-.Fa key ,
-in bytes.
-Must be between 0 and 64.
-32 is a good default.
-.It Fa message
-The message to hash.
-May overlap with
-.Fa hash .
-May be
-.Dv NULL
-if
-.Fa message_size
-is 0.
-.It Fa message_size
-Length of
-.Fa message ,
-in bytes.
-.El
-.Ss Direct interface
-The direct interface has two functions,
-.Fn crypto_blake2b
-and
-.Fn crypto_blake2b_general .
-.Fn crypto_blake2b
-is provided for convenience, and is equivalent to calling
-.Fn crypto_blake2b_general
-with no key and a 64-byte hash.
-.Pp
-.Fn crypto_blake2b_general
-users can specify the size of the hash, and use a secret key to
-make the hash unpredictable \(en useful for message authentication
-codes.
-Even when using a key, you do not have to wipe the context struct with
-.Xr crypto_wipe 3monocypher .
-.Ss Incremental interface
-The incremental interface is useful for handling streams of data or
-large files without using too much memory.
-This interface uses three steps:
-.Bl -bullet
-.It
-initialisation with
-.Fn crypto_blake2b_general_init
-or
-.Fn crypto_blake2b_init ,
-which sets up a context with the hashing parameters;
-.It
-update with
-.Fn crypto_blake2b_update ,
-which hashes the message chunk by chunk, and keep the intermediary
-result in the context;
-.It
-and finalisation with
-.Fn crypto_blake2b_final ,
-which produces the final hash.
-The
-.Ft crypto_blake2b_ctx
-is automatically wiped upon finalisation.
-.El
-.Pp
-The invariants of the parameters are the same as for
-.Fn crypto_blake2b_general .
-.Fn crypto_blake2b_init
-is a convenience initialisation function that
-specifies a 64-byte hash and no key.
-This is considered a good default.
-.Sh RETURN VALUES
-These functions return nothing.
-.Sh EXAMPLES
-The following examples assume the existence of
-.Fn arc4random_buf ,
-which fills the given buffer with cryptographically secure random bytes.
-If
-.Fn arc4random_buf
-does not exist on your system, see
-.Xr intro 3monocypher
-for advice about how to generate cryptographically secure random bytes.
-.Pp
-Hashing a message all at once:
-.Bd -literal -offset indent
-uint8_t hash [64]; /* Output hash (64 bytes) */
-uint8_t message[12] = "Lorem ipsum"; /* Message to hash */
-crypto_blake2b(hash, message, 12);
-.Ed
-.Pp
-Computing a message authentication code all at once:
-.Bd -literal -offset indent
-uint8_t hash [16];
-uint8_t key [32];
-uint8_t message[11] = "Lorem ipsu"; /* Message to authenticate */
-arc4random_buf(key, 32);
-crypto_blake2b_general(hash, 16, key, 32, message, 11);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(message, 11);
-crypto_wipe(key, 32);
-.Ed
-.Pp
-Hashing a message incrementally (without a key):
-.Bd -literal -offset indent
-uint8_t hash [ 64]; /* Output hash (64 bytes) */
-uint8_t message[500] = {1}; /* Message to hash */
-crypto_blake2b_ctx ctx;
-crypto_blake2b_init(&ctx);
-for (size_t i = 0; i < 500; i += 100) {
- crypto_blake2b_update(&ctx, message + i, 100);
-}
-crypto_blake2b_final(&ctx, hash);
-.Ed
-.Pp
-Computing a message authentication code incrementally:
-.Bd -literal -offset indent
-uint8_t hash [ 16];
-uint8_t key [ 32];
-uint8_t message[500] = {1}; /* Message to authenticate */
-crypto_blake2b_ctx ctx;
-arc4random_buf(key, 32);
-crypto_blake2b_general_init(&ctx, 16, key, 32);
-/* Wipe the key */
-crypto_wipe(key, 32);
-for (size_t i = 0; i < 500; i += 100) {
- crypto_blake2b_update(&ctx, message + i, 100);
- /* Wipe secrets if they are no longer needed */
- crypto_wipe(message + i, 100);
-}
-crypto_blake2b_final(&ctx, hash);
-.Ed
-.Sh SEE ALSO
-.Xr crypto_key_exchange 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement BLAKE2b, described in RFC 7693.
-.Sh HISTORY
-The
-.Fn crypto_blake2b ,
-.Fn crypto_blake2b_general ,
-.Fn crypto_blake2b_general_init ,
-.Fn crypto_blake2b_init ,
-.Fn crypto_blake2b_update ,
-and
-.Fn crypto_blake2b_final
-functions first appeared in Monocypher 0.1.
-.Sh CAVEATS
-Monocypher does not perform any input validation.
-Any deviation from the specified input and output length ranges results
-in
-.Sy undefined behaviour .
-Make sure your inputs are correct.
-.Sh SECURITY CONSIDERATIONS
-BLAKE2b is a general-purpose cryptographic hash function;
-this means that it is not suited for hashing passwords and deriving
-cryptographic keys from passwords in particular.
-While cryptographic keys usually have hundreds of bits of entropy,
-passwords are often much less complex.
-When storing passwords as hashes or when deriving keys from them,
-the goal is normally to prevent attackers from quickly iterating all
-possible passwords.
-Because passwords tend to be simple,
-it is important to artificially slow down attackers by using especially
-computationally difficult hashing algorithms.
-Monocypher therefore provides
-.Xr crypto_argon2i 3monocypher
-for password hashing and deriving keys from passwords.
diff --git a/vendor/doc/man/man3/crypto_blake2b_final.3monocypher b/vendor/doc/man/man3/crypto_blake2b_final.3monocypher
deleted file mode 120000
index 63f57c0..0000000
--- a/vendor/doc/man/man3/crypto_blake2b_final.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_blake2b.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_blake2b_general.3monocypher b/vendor/doc/man/man3/crypto_blake2b_general.3monocypher
deleted file mode 120000
index 63f57c0..0000000
--- a/vendor/doc/man/man3/crypto_blake2b_general.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_blake2b.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_blake2b_general_init.3monocypher b/vendor/doc/man/man3/crypto_blake2b_general_init.3monocypher
deleted file mode 120000
index 63f57c0..0000000
--- a/vendor/doc/man/man3/crypto_blake2b_general_init.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_blake2b.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_blake2b_init.3monocypher b/vendor/doc/man/man3/crypto_blake2b_init.3monocypher
deleted file mode 120000
index 63f57c0..0000000
--- a/vendor/doc/man/man3/crypto_blake2b_init.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_blake2b.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_blake2b_update.3monocypher b/vendor/doc/man/man3/crypto_blake2b_update.3monocypher
deleted file mode 120000
index 63f57c0..0000000
--- a/vendor/doc/man/man3/crypto_blake2b_update.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_blake2b.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_chacha20.3monocypher b/vendor/doc/man/man3/crypto_chacha20.3monocypher
deleted file mode 100644
index a6e1c2b..0000000
--- a/vendor/doc/man/man3/crypto_chacha20.3monocypher
+++ /dev/null
@@ -1,391 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2018 Michael Savage
-.\" Copyright (c) 2017, 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2020 by Loup Vaillant, Michael Savage and Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 31, 2020
-.Dt CRYPTO_CHACHA20 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_chacha20 ,
-.Nm crypto_chacha20_ctr ,
-.Nm crypto_xchacha20 ,
-.Nm crypto_xchacha20_ctr
-.Nd Chacha20 and XChacha20 encryption functions
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_chacha20
-.Fa "uint8_t *cipher_text"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[8]"
-.Fc
-.Ft void
-.Fo crypto_xchacha20
-.Fa "uint8_t *cipher_text"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[24]"
-.Fc
-.Ft uint64_t
-.Fo crypto_chacha20_ctr
-.Fa "uint8_t *cipher_text"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[8]"
-.Fa "uint64_t ctr"
-.Fc
-.Ft uint64_t
-.Fo crypto_xchacha20_ctr
-.Fa "uint8_t *cipher_text"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[24]"
-.Fa "uint64_t ctr"
-.Fc
-.Sh DESCRIPTION
-These functions provide an interface for the Chacha20 encryption
-primitive.
-.Pp
-Chacha20 is a low-level primitive.
-Consider using authenticated encryption, implemented by
-.Xr crypto_lock 3monocypher .
-.Pp
-The arguments are:
-.Bl -tag -width Ds
-.It Fa key
-A 32-byte secret key.
-.It Fa nonce
-An 8-byte or 24-byte number, used only once with any given key.
-It does not need to be secret or random, but it does have to be unique.
-Repeating a nonce with the same key reveals the XOR of two different
-messages, which allows decryption.
-24-byte nonces can be selected at random.
-8-byte nonces
-.Em cannot .
-They are too small, and the same nonce may be selected twice by
-accident.
-See
-.Xr intro 3monocypher
-for advice about generating random numbers (use the operating system's
-random number generator).
-.It Fa plain_text
-The message to encrypt.
-It is allowed to be
-.Dv NULL ,
-in which case it will be interpreted as an all zero input.
-.Fa cipher_text
-will then contain the raw Chacha20 stream.
-.It Fa cipher_text
-The encrypted message.
-.It Fa text_size
-Length of both
-.Fa plain_text
-and
-.Fa cipher_text ,
-in bytes.
-.It Fa ctr
-The number of 64-byte blocks since the beginning of the stream.
-.El
-.Pp
-The
-.Fa key
-and
-.Fa nonce
-buffers may overlap.
-.Fa plain_text
-and
-.Fa cipher_text
-must either be the same buffer (for in-place encryption), or
-non-overlapping.
-.Pp
-.Fn crypto_chacha20
-performs a Chacha20 operation.
-It uses an 8-byte nonce, which is too small to be selected at random.
-Use a message counter as a nonce instead.
-.Pp
-.Fn crypto_xchacha20
-performs an XChacha20 operation.
-It uses a 24-byte nonce, which is large enough to be selected at random.
-.Pp
-.Fn crypto_xchacha20
-is recommended over
-.Fn crypto_chacha20 .
-The ability to use random nonces makes it easier to use securely, and
-the performance hit is often negligible in practice.
-.Pp
-The
-.Fn crypto_chacha20
-and
-.Fn crypto_xchacha20
-encrypt
-.Fa plain_text
-by XORing it with a pseudo-random stream of
-numbers, seeded by the provided
-.Fa key
-and
-.Fa nonce .
-.Pp
-Since XOR is its own inverse, decryption is the same operation as
-encryption.
-To decrypt the cipher text,
-.Dq encrypt
-it again with the same key and nonce.
-You will likely want to wipe the key when you are done with
-encryption or decryption.
-Use
-.Xr crypto_wipe 3monocypher
-to wipe them.
-.Pp
-The
-.Fa plain_text
-pointer is allowed to be
-.Dv NULL ,
-in which case it will be interpreted as an all zero input.
-This is useful as a user space random number generator.
-While
-.Sy this should not be used as a random number generator for secrets ,
-for which the operating system random number generator should be
-preferred,
-it can be handy outside of a security context.
-Deterministic procedural generation and reproducible property-based
-tests come to mind.
-Additionally, it
-.Em can
-be used to generate large amounts of random-looking data quickly,
-for example to generate padding.
-.Pp
-The
-.Fn crypto_chacha20_ctr
-and
-.Fn crypto_xchacha20_ctr
-perform a Chacha20 or XChacha20 encryption, respectively,
-starting the stream at the block
-.Fa ctr
-(which is the byte
-.Ql ctr \(mu 64 ) .
-This can be used to encrypt (or decrypt) part of a long message, or to
-implement some AEAD constructions such as the one described in RFC
-8439.
-Be careful when using this not to accidentally reuse parts of the
-random stream as that would destroy confidentiality.
-.Sh RETURN VALUES
-.Fn crypto_chacha20
-and
-.Fn crypto_xchacha20
-return nothing.
-.Fn crypto_chacha20_ctr
-and
-.Fn crypto_xchacha20_ctr
-functions return the next
-.Fa ctr
-to use with the same key and nonce values;
-this is always
-.Fa text_size
-divided by 64;
-plus one if there was a remainder.
-.Sh EXAMPLES
-The following examples assume the existence of
-.Fn arc4random_buf ,
-which fills the given buffer with cryptographically secure random bytes.
-If
-.Fn arc4random_buf
-does not exist on your system, see
-.Xr intro 3monocypher
-for advice about how to generate cryptographically secure random bytes.
-.Pp
-Simple encryption:
-.Bd -literal -offset indent
-uint8_t key [ 32]; /* Secret random key */
-uint8_t nonce [ 24]; /* Unique nonce (possibly random) */
-uint8_t plain_text [500] = {1}; /* Secret message */
-uint8_t cipher_text[500]; /* Encrypted message */
-arc4random_buf(key, 32);
-arc4random_buf(nonce, 24);
-crypto_xchacha20(cipher_text, plain_text, 500, key, nonce);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(key, 32);
-crypto_wipe(plain_text, 500);
-.Ed
-.Pp
-To decrypt the above:
-.Bd -literal -offset indent
-uint8_t key [ 32]; /* Same key as above */
-const uint8_t nonce [ 24]; /* Same nonce as above */
-uint8_t plain_text [500]; /* Message to decrypt */
-uint8_t cipher_text[500]; /* Secret message */
-crypto_xchacha20(cipher_text, plain_text, 500, key, nonce);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(key, 32);
-/* The plain text likely needs to be processed before you wipe it */
-crypto_wipe(plain_text, 12);
-.Ed
-.Pp
-Incremental encryption (in blocks of 64 bytes):
-.Bd -literal -offset indent
-uint8_t key [ 32]; /* Secret random key */
-uint8_t nonce [ 24]; /* Unique nonce (possibly random) */
-uint8_t plain_text [500]; /* Secret message */
-uint8_t cipher_text[500]; /* Encrypted message */
-uint64_t ctr = 0; /* Block counter */
-unsigned int i;
-arc4random_buf(key, 32);
-arc4random_buf(nonce, 24);
-for(i = 0; i < 500; i += 64) {
- ctr = crypto_xchacha20_ctr(cipher_text+i, plain_text+i, 64,
- key, nonce, ctr);
-}
-/* Process data that didn't fit into 64 byte pieces */
-crypto_xchacha20_ctr(cipher_text+500-(i-64),
- plain_text+500-(i-64),
- 500-(i-64),
- key, nonce, ctr);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(key, 32);
-crypto_wipe(plain_text, 500);
-.Ed
-.Pp
-Encryption by jumping around (do not do that, this is only meant to show
-how
-.Fn crypto_xchacha20_ctr
-works):
-.Bd -literal -offset indent
-uint8_t key [ 32]; /* Secret random key */
-uint8_t nonce [ 24]; /* Unique nonce (possibly random) */
-uint8_t plain_text [500] = {1}; /* Message to be encrypted */
-uint8_t cipher_text[500]; /* Will be the encrypted message */
-arc4random_buf(key, 32);
-arc4random_buf(nonce, 24);
-/* Encrypt the second part of the message first... */
-crypto_xchacha20_ctr(cipher_text + (3 * 64),
- plain_text + (3 * 64),
- 500 - (3 * 64),
- key, nonce, 3);
-/* ...then encrypt the first part */
-crypto_xchacha20_ctr(cipher_text, plain_text, 3 * 64, key, nonce, 0);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(key, 32);
-crypto_wipe(plain_text, 500);
-.Ed
-.Sh SEE ALSO
-.Xr crypto_ietf_chacha20 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_wipe 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement Chacha20 and XChacha20.
-Chacha20 is described in:
-.Rs
-.%A Daniel J. Bernstein
-.%J SASC 2008 \(en The State of the Art of Stream Ciphers
-.%P pp. 273\(en278
-.%T ChaCha, a variant of Salsa20
-.Re
-The nonce and counter sizes were modified in RFC 8439.
-XChacha20 derives from Chacha20 the same way XSalsa20 derives from
-Salsa20, and benefits from the same security reduction (proven secure
-as long as Chacha20 itself is secure).
-.Sh HISTORY
-.Fn crypto_chacha20 ,
-.Fn crypto_chacha20_ctr ,
-.Fn crypto_xchacha20 ,
-and
-.Fn crypto_xchacha20_ctr
-were added in Monocypher 3.0.0.
-They replace
-.Fn crypto_chacha20_encrypt ,
-.Fn crypto_chacha20_init ,
-.Fn crypto_chacha20_stream ,
-.Fn crypto_chacha20_x_init ,
-and
-.Fn crypto_chacha20_set_ctr
-that were deprecated in Monocypher 3.0.0.
-.Sh SECURITY CONSIDERATIONS
-.Ss Encrypted does not mean secure
-Chacha20 only protects against eavesdropping, not forgeries.
-Most applications need protection against forgeries to be properly
-secure.
-To ensure the integrity of a message, use Blake2b in keyed mode, or
-authenticated encryption; see
-.Xr crypto_blake2b 3monocypher
-and
-.Xr crypto_lock 3monocypher .
-.Ss Nonce reuse
-Repeating a nonce with the same key exposes the XOR of two or more
-plain text messages, effectively destroying confidentiality.
-.Pp
-For the same reason,
-.Sy do not select small nonces at random .
-The
-.Fn crypto_chacha20
-nonce spans only 64 bits, which is small enough to trigger accidental
-reuses.
-A message counter should be used instead.
-If multiple parties send out messages, Each can start with an initial
-nonce of 0, 1 .. n-1 respectively, and increment them by n for each
-new message.
-Make sure the counters never wrap around.
-.Ss Secure random number generation
-Do not use these functions as a cryptographic random number generator.
-Always use the operating system's random number generator for
-cryptographic purposes, see
-.Xr intro 3monocypher .
-.Ss Protection against side channels
-Secrets should not dwell in memory longer than needed.
-Use
-.Xr crypto_wipe 3monocypher
-to erase secrets you no longer need.
-For Chacha20, this means the key and in some cases the
-plain text itself.
diff --git a/vendor/doc/man/man3/crypto_chacha20_H.3monocypher b/vendor/doc/man/man3/crypto_chacha20_H.3monocypher
deleted file mode 120000
index 9e603a2..0000000
--- a/vendor/doc/man/man3/crypto_chacha20_H.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_hchacha20.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_chacha20_ctr.3monocypher b/vendor/doc/man/man3/crypto_chacha20_ctr.3monocypher
deleted file mode 120000
index 2dfb4d4..0000000
--- a/vendor/doc/man/man3/crypto_chacha20_ctr.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_chacha20.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_chacha20_encrypt.3monocypher b/vendor/doc/man/man3/crypto_chacha20_encrypt.3monocypher
deleted file mode 100644
index a987ed7..0000000
--- a/vendor/doc/man/man3/crypto_chacha20_encrypt.3monocypher
+++ /dev/null
@@ -1,150 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2019 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2019 by Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd December 2, 2019
-.Dt CRYPTO_CHACHA20_ENCRYPT 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_chacha20_encrypt ,
-.Nm crypto_chacha20_init ,
-.Nm crypto_chacha20_x_init ,
-.Nm crypto_chacha20_stream ,
-.Nm crypto_chacha20_set_ctr
-.Nd deprecated Chacha20 and XChacha20 encryption functions
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_chacha20_init
-.Fa "crypto_chacha_ctx *ctx"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[8]"
-.Fc
-.Ft void
-.Fo crypto_chacha20_x_init
-.Fa "crypto_chacha_ctx *ctx"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[24]"
-.Fc
-.Ft void
-.Fo crypto_chacha20_encrypt
-.Fa "crypto_chacha_ctx *ctx"
-.Fa "uint8_t *cipher_text"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fc
-.Ft void
-.Fo crypto_chacha20_stream
-.Fa "crypto_chacha_ctx *ctx"
-.Fa "uint8_t *stream"
-.Fa "size_t stream_size"
-.Fc
-.Ft void
-.Fo crypto_chacha20_set_ctr
-.Fa "crypto_chacha_ctx *ctx"
-.Fa "uint64_t ctr"
-.Fc
-.Sh DESCRIPTION
-These functions provided an incremental interface for the Chacha20
-cipher.
-They are deprecated in favor of
-.Xr crypto_chacha20 3monocypher ,
-.Xr crypto_chacha20_ctr 3monocypher ,
-.Xr crypto_xchacha20 3monocypher , and
-.Xr crypto_xchacha20_ctr 3monocypher .
-.Pp
-For encryption, you can achieve an identical effect
-as the deprecated functions by using
-.Xr crypto_chacha20_ctr 3monocypher
-or
-.Xr crypto_xchacha20_ctr 3monocypher .
-Care needs to be taken with regards to handling the counter value
-when migrating old code to use the new functions.
-The new functions
-.Em always return next counter value .
-This means that input ciphertexts or plaintexts
-whose lengths are not exactly multiples of 64 bytes
-advance the counter, even though there is theoretically some space left
-in a Chacha20 block.
-New applications should design their code so that either
-the protocl is not reliant on the counter covering the entire text
-(e.g. by cutting input into independent chunks) or
-inputs are always such that their lengths are multiples of 64 bytes
-(e.g. by buffering input until 64 bytes have been obtained).
-.Pp
-To obtain the raw Chacha20 stream previously provided by
-.Fn crypto_chacha20_stream ,
-pass
-.Dv NULL
-to
-.Xr crypto_chacha20
-as plaintext.
-.Sh RETURN VALUES
-These functions return nothing.
-.Sh SEE ALSO
-.Xr crypto_chacha20 3monocypher ,
-.Xr crypto_chacha20_ctr 3monocypher ,
-.Xr crypto_xchacha20 3monocypher ,
-.Xr crypto_xchacha20_ctr 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_wipe 3monocypher ,
-.Xr intro 3monocypher
-.Sh HISTORY
-The
-.Fn crypto_chacha20_encrypt ,
-.Fn crypto_chacha20_init ,
-functions first appeared in Monocypher 0.1.
-.Fn crypto_chacha20_stream
-was added in Monocypher 0.2.
-.Fn crypto_chacha20_x_init
-and
-.Fn crypto_chacha20_set_ctr
-were added in Monocypher 1.0.
-They were deprecated in Monocypher 3.0.0
-and will be removed in Monocypher 4.0.0.
diff --git a/vendor/doc/man/man3/crypto_chacha20_init.3monocypher b/vendor/doc/man/man3/crypto_chacha20_init.3monocypher
deleted file mode 120000
index 7edf6f3..0000000
--- a/vendor/doc/man/man3/crypto_chacha20_init.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_chacha20_encrypt.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_chacha20_set_ctr.3monocypher b/vendor/doc/man/man3/crypto_chacha20_set_ctr.3monocypher
deleted file mode 120000
index 7edf6f3..0000000
--- a/vendor/doc/man/man3/crypto_chacha20_set_ctr.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_chacha20_encrypt.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_chacha20_stream.3monocypher b/vendor/doc/man/man3/crypto_chacha20_stream.3monocypher
deleted file mode 120000
index 7edf6f3..0000000
--- a/vendor/doc/man/man3/crypto_chacha20_stream.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_chacha20_encrypt.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_chacha20_x_init.3monocypher b/vendor/doc/man/man3/crypto_chacha20_x_init.3monocypher
deleted file mode 120000
index 7edf6f3..0000000
--- a/vendor/doc/man/man3/crypto_chacha20_x_init.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_chacha20_encrypt.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_check.3monocypher b/vendor/doc/man/man3/crypto_check.3monocypher
deleted file mode 120000
index f359740..0000000
--- a/vendor/doc/man/man3/crypto_check.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_sign.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_check_final.3monocypher b/vendor/doc/man/man3/crypto_check_final.3monocypher
deleted file mode 120000
index 08c255b..0000000
--- a/vendor/doc/man/man3/crypto_check_final.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_sign_init_first_pass.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_check_init.3monocypher b/vendor/doc/man/man3/crypto_check_init.3monocypher
deleted file mode 120000
index 08c255b..0000000
--- a/vendor/doc/man/man3/crypto_check_init.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_sign_init_first_pass.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_check_init_custom_hash.3monocypher b/vendor/doc/man/man3/crypto_check_init_custom_hash.3monocypher
deleted file mode 120000
index a4b73ad..0000000
--- a/vendor/doc/man/man3/crypto_check_init_custom_hash.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_sign_init_first_pass_custom_hash.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_check_update.3monocypher b/vendor/doc/man/man3/crypto_check_update.3monocypher
deleted file mode 120000
index 08c255b..0000000
--- a/vendor/doc/man/man3/crypto_check_update.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_sign_init_first_pass.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_curve_to_hidden.3monocypher b/vendor/doc/man/man3/crypto_curve_to_hidden.3monocypher
deleted file mode 100644
index afa8f7b..0000000
--- a/vendor/doc/man/man3/crypto_curve_to_hidden.3monocypher
+++ /dev/null
@@ -1,284 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2020 by Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 31, 2020
-.Dt CRYPTO_CURVE_TO_HIDDEN 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_curve_to_hidden ,
-.Nm crypto_hidden_to_curve ,
-.Nm crypto_hidden_key_pair
-.Nd hiding of X25519 public keys
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft int
-.Fo crypto_curve_to_hidden
-.Fa "uint8_t hidden[32]"
-.Fa "const uint8_t curve[32]"
-.Fa "uint8_t tweak"
-.Fc
-.Ft void
-.Fo crypto_hidden_to_curve
-.Fa "uint8_t curve[32]"
-.Fa "const uint8_t hidden[32]"
-.Fc
-.Ft void
-.Fo crypto_hidden_key_pair
-.Fa "uint8_t hidden[32]"
-.Fa "uint8_t secret_key[32]"
-.Fa "uint8_t seed[32]"
-.Fc
-.Sh DESCRIPTION
-These functions allow obfuscating X25519 public keys by making
-them appear effectively indistinguishable from random noise.
-This is of interest for key exchange protocols that require
-indistinguishability from randomness, such as padded uniform random
-blobs (PURBs).
-They are intended for ephemeral (short-lived, possibly just one-time)
-X25519 keys, not for long-term public keys.
-After an initial key exchange involving hidden keys,
-subsequent key exchange messages should be encrypted instead;
-see, for example, the Noise protocol.
-This is an
-.Em advanced feature
-\(en unless you are implementing an protocol that requires
-indistinguishability of all communications from random noise,
-consider
-.Xr crypto_key_exchange_public_key 3monocypher
-instead.
-.Pp
-For understanding what these functions do, it is important to note that
-a
-.Dq public key
-in this context refers to a
-.Em point on Curve25519 .
-This also means that these functions are not compatible with
-.Xr crypto_sign 3monocypher
-and related functions.
-.Pp
-.Fn crypto_curve_to_hidden
-takes a public key
-.Fa curve
-and a
-.Fa tweak ,
-hiding the public key it so that it is effectively indistinguishable
-from random noise.
-Note that only
-.Xr crypto_x25519_dirty_fast 3monocypher
-or
-.Xr crypto_x25519_dirty_small 3monocypher
-can generate a suitable public key;
-the
-.Xr crypto_x25519 3monocypher
-function is insufficient.
-The
-.Fa tweak
-must be chosen at random.
-Even then, this operation
-.Em may
-fail:
-Not all curve points are capable of being hidden.
-In this case,
-.Fn crypto_curve_to_hidden
-must be tried again with a new key pair;
-the
-.Fa tweak
-does not need to be changed.
-On average, two attempts are needed.
-Once a suitable public key has been found,
-.Fn crypto_curve_to_hidden
-always succeeds for it.
-Given the same values for
-.Fa tweak
-and
-.Fa curve ,
-.Fn crypto_curve_to_hidden
-yields the same output value
-.Fa hidden .
-.Pp
-.Fn crypto_hidden_to_curve
-performs the inverse operation:
-It decodes a hidden point to a curve point on Curve25519.
-.Pp
-.Fn crypto_hidden_key_pair
-is a convenience function that generates a secret key and its
-corresponding public key, which is effectively indistinguishable from
-random noise, from a random seed.
-.Em The execution time of this function is unpredictable
-because it may take many failures until a key pair could be generated
-successfully.
-.Fn crypto_hidden_key_pair
-uses
-.Xr crypto_x25519_dirty_fast 3monocypher
-internally;
-if code size is an important concern,
-its functionality can be replicated with
-.Xr crypto_x25519_dirty_small 3monocypher
-instead.
-.Pp
-The arguments are:
-.Bl -tag -width Ds
-.It Fa curve
-A point on the curve, which is a Curve25519 public key generated with
-either
-.Xr crypto_x25519_dirty_fast 3monocypher
-or
-.Xr crypto_x25519_dirty_small 3monocypher .
-.It Fa hidden
-The hidden encoding of a point on the curve which is effectively
-indistinguishable from random.
-.It Fa secret_key
-The secret key that was generated from the given
-.Fa seed .
-.It Fa seed
-A 32-byte random number from which to derive a key pair.
-See
-.Xr intro 3monocypher
-for advice about generating random bytes (use the operating system's
-random number generator).
-The
-.Fa seed
-is wiped automatically.
-.It Fa tweak
-A 1-byte random number,
-which influences the final output of
-.Fn crypto_curve_to_hidden .
-.El
-.Pp
-The
-.Fa hidden
-and
-.Fa curve
-arguments may overlap or point at the same buffer.
-.Sh RETURN VALUES
-.Fn crypto_curve_to_hidden
-returns 0 on success, -1 if the given
-.Fa curve
-argument is unsuitable for hiding.
-.Pp
-.Fn crypto_hidden_to_curve
-and
-.Fn crypto_hidden_key_pair
-return nothing; they cannot fail.
-.Sh EXAMPLES
-Generate a key pair manually using
-.Xr crypto_x25519_dirty_small 3monocypher
-instead of its fast variant:
-.Bd -literal -offset indent
-uint8_t sk [32]; /* Secret key output */
-uint8_t pk [32]; /* Hidden public key output */
-uint8_t tweak; /* Random tweak input */
-arc4random_buf(&tweak, 1);
-for (;;) {
- arc4random_buf(sk, 32);
- crypto_x25519_dirty_small(pk, sk);
- if (crypto_curve_to_hidden(pk, pk, tweak) == 0)
- break;
-}
-/* Now save the secret key and send the hidden public key. */
-.Ed
-.Pp
-Performing a key exchange with the other party's public key having been
-hidden:
-.Bd -literal -offset indent
-uint8_t hidden_pk [32]; /* Their hidden public key */
-uint8_t their_pk [32]; /* Their unhidden public key */
-uint8_t your_sk [32]; /* Your secret key */
-uint8_t shared_key[32]; /* Shared session key */
-crypto_hidden_to_curve(their_pk, hidden_pk);
-crypto_key_exchange(shared_key, your_sk, their_pk);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(your_sk, 32);
-.Ed
-.Sh SEE ALSO
-.Xr crypto_key_exchange 3monocypher ,
-.Xr crypto_x25519 3monocypher ,
-.Xr crypto_x25519_dirty_small 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement the Elligator 2 mapping for Curve25519.
-This mapping is incompatible with both the hash-to-curve Internet draft
-and the implementation of Elligator 2 in libsodium.
-Elligator 2 was described in:
-.Rs
-.%A Daniel J. Bernstein
-.%A Mike Hamburg
-.%A Anna Krasnova
-.%A Tanja Lange
-.%T Elligator: Elliptic-curve points indistinguishable from uniform random strings
-.%J CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
-.%I Association for Computing Machinery
-.%D 2013
-.%P pp. 967\(en980
-.Re
-.Sh HISTORY
-The
-.Fn crypto_curve_to_hidden ,
-.Fn crypto_hidden_to_curve ,
-and
-.Fn crypto_hidden_key_pair
-functions first appeared in Monocypher 3.1.0.
-.Sh SECURITY CONSIDERATIONS
-The secret keys for the public keys fed into
-.Fn crypto_curve_to_hidden
-.Sy must be chosen randomly ,
-rather than deterministically.
-Otherwise, the timing information given by the required number of
-retries also leaks information on the secret keys.
-.Pp
-These functions
-.Em help
-build highly difficult-to-analyze protocols,
-but are insufficient by themselves:
-Other metadata, such as the amount of bytes sent in a packet or the size
-of the 32-byte random-looking string that represents the curve point
-itself, can be very strong indicators of the use of cryptography.
-Consider using appropriate padding algorithms, such as PADME,
-and obscure other metadata as much as possible.
diff --git a/vendor/doc/man/man3/crypto_from_eddsa_private.3monocypher b/vendor/doc/man/man3/crypto_from_eddsa_private.3monocypher
deleted file mode 100644
index 3c19ddc..0000000
--- a/vendor/doc/man/man3/crypto_from_eddsa_private.3monocypher
+++ /dev/null
@@ -1,132 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2020 by Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 25, 2020
-.Dt CRYPTO_FROM_EDDSA_PRIVATE 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_from_eddsa_private ,
-.Nm crypto_from_eddsa_public
-.Nd conversion of key pairs for EdDSA with BLAKE2b to X25519 key pairs
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_from_eddsa_private
-.Fa "uint8_t x25519[32]"
-.Fa "const uint8_t eddsa[32]"
-.Fc
-.Ft void
-.Fo crypto_from_eddsa_public
-.Fa "uint8_t x25519[32]"
-.Fa "const uint8_t eddsa[32]"
-.Fc
-.Sh DESCRIPTION
-These functions convert keys for use with
-.Xr crypto_sign 3monocypher
-(EdDSA with the BLAKE2b hash function)
-to keys for use with
-.Xr crypto_key_exchange 3monocypher
-and
-.Xr crypto_x25519 3monocypher .
-This may be useful in some resource-constrained contexts or when no
-other key is available (for example, when retrieving SSH public keys
-from GitHub and reusing the SSH public keys as X25519 public keys).
-.Pp
-The
-.Fn crypto_from_eddsa_private
-function converts an EdDSA (with BLAKE2b) private key to an X25519
-private key.
-The
-.Fn crypto_from_eddsa_public
-function converts an EdDSA public key to an X25519 public key.
-.Pp
-X25519 key pairs cannot be converted back to EdDSA key pairs.
-The conversion of private keys is specific to EdDSA with BLAKE2b because
-of the way EdDSA works.
-In particular, this means that the output of
-.Fn crypto_from_eddsa_private
-differs from
-.Xr crypto_from_ed25519_private 3monocypher
-in the optional code.
-However, the output of
-.Fn crypto_from_eddsa_public
-is identical to
-.Xr crypto_from_ed25519_public 3monocypher .
-.Pp
-The arguments are:
-.Bl -tag -width Ds
-.It Fa eddsa
-The signing public key or private key to convert to a X25519 public key
-or private key, respectively.
-.It Fa x25519
-The converted private key or public key.
-.El
-.Pp
-The arguments may overlap or point at the same buffer.
-.Sh RETURN VALUES
-These functions return nothing.
-They cannot fail.
-.Sh SEE ALSO
-.Xr crypto_key_exchange_public_key 3monocypher ,
-.Xr crypto_sign_public_key 3monocypher ,
-.Xr intro 3monocypher
-.Sh HISTORY
-The
-.Fn crypto_from_eddsa_private
-and
-.Fn crypto_from_eddsa_public
-functions first appeared in Monocypher 3.1.0.
-.Sh SECURITY CONSIDERATIONS
-It is generally considered poor form to reuse the same key for different
-purposes.
-While this conversion is technically safe,
-avoid these functions nonetheless unless you are particularly
-resource-constrained or have some other kind of hard requirement.
-It is otherwise an unnecessary risk factor.
diff --git a/vendor/doc/man/man3/crypto_from_eddsa_public.3monocypher b/vendor/doc/man/man3/crypto_from_eddsa_public.3monocypher
deleted file mode 120000
index 9766c25..0000000
--- a/vendor/doc/man/man3/crypto_from_eddsa_public.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_from_eddsa_private.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_hchacha20.3monocypher b/vendor/doc/man/man3/crypto_hchacha20.3monocypher
deleted file mode 100644
index f7fa0b3..0000000
--- a/vendor/doc/man/man3/crypto_hchacha20.3monocypher
+++ /dev/null
@@ -1,132 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2017-2018 Michael Savage
-.\" Copyright (c) 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2020 by Loup Vaillant, Michael Savage and Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 2, 2020
-.Dt CRYPTO_HCHACHA20 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_hchacha20
-.Nd HChacha20 special-purpose hashing
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_hchacha20
-.Fa "uint8_t out[32]"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t in[16]"
-.Fc
-.Sh DESCRIPTION
-.Fn crypto_hchacha20
-provides a not-so-cryptographic hash.
-It may be used for some specific purposes, such as X25519 key
-derivation, or XChacha20 initialisation.
-If in doubt, do not use directly.
-Use
-.Xr crypto_blake2b 3monocypher
-instead.
-.Pp
-The arguments are:
-.Bl -tag -width Ds
-.It Fa key
-A sufficiently random key, such as the output of
-.Xr crypto_x25519 3monocypher .
-.It Fa in
-The space reserved for the Chacha20 nonce and counter.
-It does not have to be random.
-.It Fa out
-A cryptographically secure random number
-.Em if
-there is enough entropy in
-.Fa key .
-X25519 shared secrets have enough entropy.
-.El
-.Sh RETURN VALUES
-This function returns nothing.
-.Sh EXAMPLES
-The following example assumes the existence of
-.Fn arc4random_buf ,
-which fills the given buffer with cryptographically secure random bytes.
-If
-.Fn arc4random_buf
-does not exist on your system, see
-.Xr intro 3monocypher
-for advice about how to generate cryptographically secure random bytes.
-.Pp
-Simple hash:
-.Bd -literal -offset indent
-uint8_t key[32]; /* Must have enough entropy */
-uint8_t in [16]; /* Does not have to be random */
-uint8_t out[32]; /* Will be random iff the above holds */
-arc4random_buf(key, 32);
-crypto_hchacha20(out, key, in);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(key, 32);
-crypto_wipe(in , 16);
-.Ed
-.Sh SEE ALSO
-.Xr crypto_chacha20_encrypt 3monocypher ,
-.Xr crypto_key_exchange 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-This function implements HChacha20.
-HChacha20 derives from Chacha20 the same way HSalsa20 derives from
-Salsa20.
-.Sh HISTORY
-The
-.Fn crypto_hchacha20
-function first appeared in Monocypher 0.1 as
-.Fn crypto_chacha20_H .
-It was renamed to
-.Fn crypto_hchacha20
-in Monocypher 3.0.0.
-.Sh CAVEATS
-.Sy This is not a general-purpose cryptographic hash function .
diff --git a/vendor/doc/man/man3/crypto_hidden_key_pair.3monocypher b/vendor/doc/man/man3/crypto_hidden_key_pair.3monocypher
deleted file mode 120000
index 3717a86..0000000
--- a/vendor/doc/man/man3/crypto_hidden_key_pair.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_curve_to_hidden.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_hidden_to_curve.3monocypher b/vendor/doc/man/man3/crypto_hidden_to_curve.3monocypher
deleted file mode 120000
index 3717a86..0000000
--- a/vendor/doc/man/man3/crypto_hidden_to_curve.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_curve_to_hidden.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_ietf_chacha20.3monocypher b/vendor/doc/man/man3/crypto_ietf_chacha20.3monocypher
deleted file mode 100644
index 4352016..0000000
--- a/vendor/doc/man/man3/crypto_ietf_chacha20.3monocypher
+++ /dev/null
@@ -1,132 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2019-2020 by Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 31, 2020
-.Dt CRYPTO_IETF_CHACHA20 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_ietf_chacha20 ,
-.Nm crypto_ietf_chacha20_ctr
-.Nd IETF Chacha20 encryption functions
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_ietf_chacha20
-.Fa "uint8_t *cipher_text"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[12]"
-.Fc
-.Ft void
-.Fo crypto_ietf_chacha20_ctr
-.Fa "uint8_t *cipher_text"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[12]"
-.Fa "const uint32_t ctr"
-.Fc
-.Sh DESCRIPTION
-These functions provide an interface for the Chacha20 encryption
-primitive as specified by the IETF in RFC 8439.
-They are provided strictly for compatibility with existing systems
-or strict standards compliance.
-New programs are strongly encouraged to use
-.Xr crypto_xchacha20 3monocypher
-instead.
-.Pp
-Chacha20 is a low-level primitive.
-Consider using authenticated encryption, implemented by
-.Xr crypto_lock 3monocypher .
-.Pp
-The
-.Fn crypto_ietf_chacha20
-and
-.Fn crypto_ietf_chacha20_ctr
-functions behave the same as
-.Xr crypto_chacha20
-and
-.Xr crypto_chacha20_ctr ,
-respectively,
-but use differently-sized nonce and counter values.
-The nonce encompasses 12 bytes and the counter is correspondingly
-reduced to 4 bytes.
-The short counter limits a single pair of key and nonce to 256 GiB of
-data.
-A nonce of 12 bytes is
-.Em just barely too short
-to be safely chosen at random;
-use a message counter instead.
-RFC 8439 also permits linear feedback shift registers to generate
-nonces.
-.Sh RETURN VALUES
-.Fn crypto_ietf_chacha20
-returns nothing.
-.Fn crypto_ietf_chacha20_ctr
-functions return the next
-.Fa ctr
-to use with the same key and nonce values;
-this is always
-.Fa text_size
-divided by 64;
-plus one if there was a remainder.
-.Sh SEE ALSO
-.Xr crypto_chacha20 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_wipe 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement Chacha20 as described in RFC 8439.
-.Sh HISTORY
-.Fn crypto_ietf_chacha20
-and
-.Fn crypto_ietf_chacha20_ctr
-were added in Monocypher 3.0.0.
diff --git a/vendor/doc/man/man3/crypto_ietf_chacha20_ctr.3monocypher b/vendor/doc/man/man3/crypto_ietf_chacha20_ctr.3monocypher
deleted file mode 120000
index b56752a..0000000
--- a/vendor/doc/man/man3/crypto_ietf_chacha20_ctr.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_ietf_chacha20.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_key_exchange.3monocypher b/vendor/doc/man/man3/crypto_key_exchange.3monocypher
deleted file mode 100644
index 96bdc8d..0000000
--- a/vendor/doc/man/man3/crypto_key_exchange.3monocypher
+++ /dev/null
@@ -1,185 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2017-2018 Michael Savage
-.\" Copyright (c) 2017, 2019-2020 Fabio Scotoni
-.\" Copyright (c) 2020 Richard Walmsley
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2020 by Loup Vaillant, Michael Savage, Fabio Scotoni and
-.\" Richard Walmsley
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 31, 2020
-.Dt CRYPTO_KEY_EXCHANGE 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_key_exchange ,
-.Nm crypto_key_exchange_public_key
-.Nd Elliptic Curve Diffie-Hellman key exchange
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_key_exchange
-.Fa "uint8_t shared_key[32]"
-.Fa "const uint8_t your_secret_key[32]"
-.Fa "const uint8_t their_public_key[32]"
-.Fc
-.Ft void
-.Fo crypto_key_exchange_public_key
-.Fa "uint8_t your_public_key[32]"
-.Fa "const uint8_t your_secret_key[32]"
-.Fc
-.Sh DESCRIPTION
-.Fn crypto_key_exchange
-computes a shared key with your secret key and their public key.
-.Pp
-.Fn crypto_key_exchange_public_key
-deterministically computes the public key from a random secret key.
-.Pp
-The arguments are:
-.Bl -tag -width Ds
-.It Fa shared_key
-The shared secret, known only to those who know a relevant secret key
-(yours or theirs).
-It is cryptographically random, and suitable for use with the
-.Xr crypto_lock 3monocypher
-family of functions.
-.It Fa your_secret_key
-A 32-byte random number, known only to you.
-See
-.Xr intro 3monocypher
-for advice about generating random bytes (use the operating system's
-random number generator).
-.It Fa their_public_key
-The public key of the other party.
-.It Fa your_public_key
-Your public key, generated from
-.Fa your_secret_key
-with
-.Fn crypto_key_exchange_public_key .
-.El
-.Pp
-.Fa shared_key
-and
-.Fa your_secret_key
-may overlap if the secret is no longer required.
-.Pp
-Some poorly designed protocols require to test for
-.Dq contributory
-behaviour, which ensures that no untrusted party forces the shared
-secret to a known constant.
-Protocols should instead be designed in such a way that no such check
-is necessary, namely by authenticating the other party or exchanging
-keys over a trusted channel.
-.Pp
-Do not use the same secret key for both key exchanges and signatures.
-The public keys are different, and revealing both may leak information.
-If there really is no room to store or derive two different secret keys,
-consider generating a key pair for signatures and then converting it
-with
-.Xr crypto_from_eddsa_private 3monocypher
-and
-.Xr crypto_from_eddsa_public 3monocypher .
-.Sh RETURN VALUES
-.Fn crypto_key_exchange
-and
-.Fn crypto_key_exchange_public_key
-return nothing.
-.Sh EXAMPLES
-The following examples assume the existence of
-.Fn arc4random_buf ,
-which fills the given buffer with cryptographically secure random bytes.
-If
-.Fn arc4random_buf
-does not exist on your system, see
-.Xr intro 3monocypher
-for advice about how to generate cryptographically secure random bytes.
-.Pp
-Generate a public key from a randomly generated secret key:
-.Bd -literal -offset indent
-uint8_t sk[32]; /* Random secret key */
-uint8_t pk[32]; /* Public key */
-arc4random_buf(sk, 32);
-crypto_key_exchange_public_key(pk, sk);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(sk, 32);
-.Ed
-.Pp
-Generate a shared, symmetric key with your secret key and their public
-key.
-(The other party will generate the same shared key with your public
-key and their secret key.)
-.Bd -literal -offset indent
-const uint8_t their_pk [32]; /* Their public key */
-uint8_t your_sk [32]; /* Your secret key */
-uint8_t shared_key[32]; /* Shared session key */
-crypto_key_exchange(shared_key, your_sk, their_pk);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(your_sk, 32);
-.Ed
-.Sh SEE ALSO
-.Xr crypto_lock 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement X25519, described in RFC 7748.
-.Fn crypto_key_exchange
-uses HChacha20 as well.
-.Sh HISTORY
-The
-.Fn crypto_key_exchange
-function first appeared in Monocypher 0.2.
-The
-.Fn crypto_key_exchange_public_key
-macro alias first appeared in Monocypher 1.1.0.
-.Sh SECURITY CONSIDERATIONS
-If either of the long term secret keys leaks, it may compromise
-.Em all past messages .
-This can be avoided by using protocols that provide forward secrecy,
-such as the X3DH key agreement protocol.
-.Sh IMPLEMENTATION DETAILS
-.Fn crypto_key_exchange_public_key
-is an alias to
-.Xr crypto_x25519_public_key 3monocypher .
diff --git a/vendor/doc/man/man3/crypto_key_exchange_public_key.3monocypher b/vendor/doc/man/man3/crypto_key_exchange_public_key.3monocypher
deleted file mode 120000
index ff1529a..0000000
--- a/vendor/doc/man/man3/crypto_key_exchange_public_key.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_key_exchange.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_lock.3monocypher b/vendor/doc/man/man3/crypto_lock.3monocypher
deleted file mode 100644
index 32af8c0..0000000
--- a/vendor/doc/man/man3/crypto_lock.3monocypher
+++ /dev/null
@@ -1,340 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2017-2018 Michael Savage
-.\" Copyright (c) 2017, 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2020 by Loup Vaillant, Michael Savage and Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd February 29, 2020
-.Dt CRYPTO_LOCK 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_lock_aead ,
-.Nm crypto_unlock_aead ,
-.Nm crypto_lock ,
-.Nm crypto_unlock
-.Nd authenticated encryption with additional data
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_lock
-.Fa "uint8_t mac[16]"
-.Fa "uint8_t *cipher_text"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[24]"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fc
-.Ft int
-.Fo crypto_unlock
-.Fa "uint8_t *plain_text"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[24]"
-.Fa "const uint8_t mac[16]"
-.Fa "const uint8_t *cipher_text"
-.Fa "size_t text_size"
-.Fc
-.Ft void
-.Fo crypto_lock_aead
-.Fa "uint8_t mac[16]"
-.Fa "uint8_t *cipher_text"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[24]"
-.Fa "const uint8_t *ad"
-.Fa "size_t ad_size"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fc
-.Ft int
-.Fo crypto_unlock_aead
-.Fa "uint8_t *plain_text"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[24]"
-.Fa "const uint8_t mac[16]"
-.Fa "const uint8_t *ad"
-.Fa "size_t ad_size"
-.Fa "const uint8_t *cipher_text"
-.Fa "size_t text_size"
-.Fc
-.Sh DESCRIPTION
-.Fn crypto_lock
-encrypts and authenticates a plaintext.
-It can be decrypted by
-.Fn crypto_unlock .
-The arguments are:
-.Bl -tag -width Ds
-.It Fa key
-A 32-byte session key, shared between the sender and the recipient.
-It must be secret and random.
-Different methods can be used to produce and exchange this key, such
-as Diffie-Hellman key exchange, password key derivation (the password
-must be communicated on a secure channel), or even meeting physically.
-See
-.Xr crypto_key_exchange 3monocypher
-for key exchange, and
-.Xr crypto_argon2i 3monocypher
-for password key derivation.
-.It Fa nonce
-A 24-byte number, used only once with any given session key.
-It does not need to be secret or random, but it does have to be
-unique.
-.Em Never
-use the same nonce twice with the same key.
-This would reveal the XOR of 2 different messages, which allows
-decryption and forgeries.
-The easiest (and recommended) way to generate this nonce is to
-select it at random.
-See
-.Xr intro 3monocypher
-about random number generation (use your operating system's random
-number generator).
-.It Fa mac
-A 16-byte
-.Em message authentication code
-(MAC), that can only be produced by someone who knows the session key.
-This guarantee cannot be upheld if a nonce has been reused with the
-session key, because doing so allows the attacker to learn the
-authentication key associated with that nonce.
-The MAC is intended to be sent along with the ciphertext.
-.It Fa plain_text
-The secret message.
-Its contents will be kept hidden from attackers.
-Its length however, will
-.Em not .
-Be careful when combining encryption with compression.
-See
-.Xr intro 3monocypher
-for details.
-.It Fa cipher_text
-The encrypted message.
-.It Fa text_size
-Length of both
-.Fa plain_text and
-.Fa cipher_text ,
-in bytes.
-.El
-.Pp
-The
-.Fa cipher_text
-and
-.Fa plain_text
-arguments may point to the same buffer for in-place encryption.
-Otherwise, the buffers they point to must not overlap.
-.Pp
-.Fn crypto_unlock
-first checks the integrity of an encrypted message.
-If it has been corrupted,
-.Fn crypto_unlock
-returns -1 immediately.
-Otherwise, it decrypts the message, then returns zero.
-.Em Always check the return value .
-.Pp
-.Fn crypto_lock_aead
-and
-.Fn crypto_unlock_aead
-are variants of
-.Fn crypto_lock
-and
-.Fn crypto_unlock ,
-permitting additional data.
-Additional data is authenticated, but
-.Em not
-encrypted.
-This is used to authenticate relevant data that cannot be encrypted.
-The arguments are:
-.Bl -tag -width Ds
-.It Fa ad
-Additional data to authenticate.
-It will not be encrypted.
-May be
-.Dv NULL
-if
-.Fa ad_size
-is zero.
-Setting
-.Fa ad_size
-to zero yields the same results as
-.Fn crypto_lock
-and
-.Fn crypto_unlock .
-.It Fa ad_size
-Length of the additional data, in bytes.
-.El
-.Sh RETURN VALUES
-.Fn crypto_lock
-and
-.Fn crypto_lock_aead
-return nothing.
-.Fn crypto_unlock
-and
-.Fn crypto_unlock_aead
-return 0 on success or -1 if the message was corrupted (i.e.
-.Fa mac
-mismatched the combination of
-.Fa key ,
-.Fa nonce ,
-.Fa ad
-and
-.Fa cipher_text ) .
-Corruption can be caused by transmission errors, programmer error, or an
-attacker's interference.
-.Fa plain_text
-does not need to be wiped if the decryption fails.
-.Sh EXAMPLES
-The following examples assume the existence of
-.Fn arc4random_buf ,
-which fills the given buffer with cryptographically secure random bytes.
-If
-.Fn arc4random_buf
-does not exist on your system, see
-.Xr intro 3monocypher
-for advice about how to generate cryptographically secure random bytes.
-.Pp
-Encryption:
-.Bd -literal -offset indent
-uint8_t key [32]; /* Random, secret session key */
-uint8_t nonce [24]; /* Use only once per key */
-uint8_t plain_text [12] = "Lorem ipsum"; /* Secret message */
-uint8_t mac [16]; /* Message authentication code */
-uint8_t cipher_text[12]; /* Encrypted message */
-arc4random_buf(key, 32);
-arc4random_buf(nonce, 24);
-crypto_lock(mac, cipher_text, key, nonce, plain_text,
- sizeof(plain_text));
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(plain_text, 12);
-crypto_wipe(key, 32);
-/* Transmit cipher_text, nonce, and mac over the network,
- * store them in a file, etc.
- */
-.Ed
-.Pp
-To decrypt the above:
-.Bd -literal -offset indent
-uint8_t key [32]; /* Same as the above */
-uint8_t nonce [24]; /* Same as the above */
-const uint8_t cipher_text[12]; /* Encrypted message */
-const uint8_t mac [16]; /* Received along with text */
-uint8_t plain_text [12]; /* Secret message */
-if (crypto_unlock(plain_text, key, nonce, mac, cipher_text, 12)) {
- /* The message is corrupted.
- * Wipe key if it is no longer needed,
- * and abort the decryption.
- */
- crypto_wipe(key, 32);
-} else {
- /* ...do something with the decrypted text here... */
- /* Finally, wipe secrets if they are no longer needed */
- crypto_wipe(plain_text, 12);
- crypto_wipe(key, 32);
-}
-.Ed
-.Pp
-In-place encryption:
-.Bd -literal -offset indent
-uint8_t key [32]; /* Random, secret session key */
-uint8_t nonce[24]; /* Use only once per key */
-uint8_t text [12] = "Lorem ipsum"; /* Secret message */
-uint8_t mac [16]; /* Message authentication code */
-arc4random_buf(key, 32);
-arc4random_buf(nonce, 24);
-crypto_lock(mac, text, key, nonce, text, 12);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(key, 32);
-/* Transmit cipher_text, nonce, and mac over the network,
- * store them in a file, etc.
- */
-.Ed
-.Pp
-In-place decryption:
-.Bd -literal -offset indent
-uint8_t key [32]; /* Same as the above */
-const uint8_t nonce[24]; /* Same as the above */
-const uint8_t mac [16]; /* Received from along with text */
-uint8_t text [12]; /* Message to decrypt */
-if (crypto_unlock(text, key, nonce, mac, text, 12)) {
- /* The message is corrupted.
- * Wipe key if it is no longer needed,
- * and abort the decryption.
- */
- crypto_wipe(key, 32);
-} else {
- /* ...do something with the decrypted text here... */
- /* Finally, wipe secrets if they are no longer needed */
- crypto_wipe(text, 12);
- crypto_wipe(key, 32);
-}
-.Ed
-.Sh SEE ALSO
-.Xr crypto_key_exchange 3monocypher ,
-.Xr crypto_wipe 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement RFC 8439, with XChacha20 instead of Chacha20.
-XChacha20 derives from Chacha20 the same way XSalsa20 derives from
-Salsa20, and benefits from the same security reduction (proven secure
-as long as Chacha20 itself is secure).
-.Sh HISTORY
-The
-.Fn crypto_lock
-and
-.Fn crypto_unlock
-functions first appeared in Monocypher 0.1.
-.Fn crypto_lock_aead
-and
-.Fn crypto_unlock_aead
-were introduced in Monocypher 1.1.0.
-In Monocypher 2.0.0, the underlying algorithms for these functions were
-changed from a custom XChacha20/Poly1305 construction to an
-implementation of RFC 7539 (now RFC 8439) with XChacha20 instead of
-Chacha20.
-The
-.Fn crypto_lock_encrypt
-and
-.Fn crypto_lock_auth
-functions were removed in Monocypher 2.0.0.
diff --git a/vendor/doc/man/man3/crypto_lock_aead.3monocypher b/vendor/doc/man/man3/crypto_lock_aead.3monocypher
deleted file mode 120000
index 126507a..0000000
--- a/vendor/doc/man/man3/crypto_lock_aead.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_lock.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_lock_auth_ad.3monocypher b/vendor/doc/man/man3/crypto_lock_auth_ad.3monocypher
deleted file mode 120000
index c5b4453..0000000
--- a/vendor/doc/man/man3/crypto_lock_auth_ad.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_lock_init.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_lock_auth_message.3monocypher b/vendor/doc/man/man3/crypto_lock_auth_message.3monocypher
deleted file mode 120000
index c5b4453..0000000
--- a/vendor/doc/man/man3/crypto_lock_auth_message.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_lock_init.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_lock_final.3monocypher b/vendor/doc/man/man3/crypto_lock_final.3monocypher
deleted file mode 120000
index c5b4453..0000000
--- a/vendor/doc/man/man3/crypto_lock_final.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_lock_init.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_lock_init.3monocypher b/vendor/doc/man/man3/crypto_lock_init.3monocypher
deleted file mode 100644
index 4eb1fe9..0000000
--- a/vendor/doc/man/man3/crypto_lock_init.3monocypher
+++ /dev/null
@@ -1,210 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2017 Michael Savage
-.\" Copyright (c) 2017, 2019 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2019 by Loup Vaillant, Michael Savage and Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd December 12, 2019
-.Dt CRYPTO_LOCK_INIT 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_lock_init ,
-.Nm crypto_lock_auth_ad ,
-.Nm crypto_lock_auth_message ,
-.Nm crypto_lock_update ,
-.Nm crypto_lock_final ,
-.Nm crypto_unlock_init ,
-.Nm crypto_unlock_auth_ad ,
-.Nm crypto_unlock_auth_message ,
-.Nm crypto_unlock_update ,
-.Nm crypto_unlock_final
-.Nd incremental authenticated encryption with additional data
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_lock_init
-.Fa "crypto_lock_ctx *ctx"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[24]"
-.Fc
-.Ft void
-.Fo crypto_lock_auth_ad
-.Fa "crypto_lock_ctx *ctx"
-.Fa "const uint8_t *ad"
-.Fa "size_t ad_size"
-.Fc
-.Ft void
-.Fo crypto_lock_auth_message
-.Fa "crypto_lock_ctx *ctx"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fc
-.Ft void
-.Fo crypto_lock_update
-.Fa "crypto_lock_ctx *ctx"
-.Fa "uint8_t *cipher_text"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fc
-.Ft void
-.Fo crypto_lock_final
-.Fa "crypto_lock_ctx *ctx"
-.Fa "uint8_t mac[16]"
-.Fc
-.Ft void
-.Fo crypto_unlock_init
-.Fa "crypto_unlock_ctx *ctx"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[24]"
-.Fc
-.Ft void
-.Fo crypto_unlock_auth_ad
-.Fa "crypto_unlock_ctx *ctx"
-.Fa "const uint8_t *ad"
-.Fa "size_t ad_size"
-.Fc
-.Ft void
-.Fo crypto_unlock_auth_message
-.Fa "crypto_unlock_ctx *ctx"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fc
-.Ft void
-.Fo crypto_unlock_update
-.Fa "crypto_unlock_ctx *ctx"
-.Fa "uint8_t *plain_text"
-.Fa "const uint8_t *cipher_text"
-.Fa "size_t text_size"
-.Fc
-.Ft int
-.Fo crypto_unlock_final
-.Fa "crypto_unlock_ctx *ctx"
-.Fa "const uint8_t mac[16]"
-.Fc
-.Sh DESCRIPTION
-These functions were variants of
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_unlock 3monocypher ,
-.Xr crypto_lock_aead 3monocypher
-and
-.Xr crypto_unlock_aead 3monocypher .
-They are deprecated in favor of
-those simpler functions.
-.Pp
-Change your protocol so that it does not rely on the removed functions,
-namely by splitting the data into chunks that you can individually use
-.Xr crypto_lock 3monocypher
-and
-.Xr crypto_unlock 3monocypher
-on.
-.Pp
-For files in particular,
-you may alternatively (and suboptimally)
-attempt to use
-.Fn mmap
-(on *NIX)
-or
-.Fn MapViewOfFile
-(on Windows)
-and pass the files as mapped memory into
-.Xr crypto_lock 3monocypher
-and
-.Xr crypto_unlock 3monocypher
-instead.
-.El
-.Sh RETURN VALUES
-.Fn crypto_lock_init ,
-.Fn crypto_unlock_init ,
-.Fn crypto_lock_auth_ad ,
-.Fn crypto_unlock_auth_ad ,
-.Fn crypto_lock_auth_message ,
-.Fn crypto_unlock_auth_message ,
-.Fn crypto_lock_update ,
-.Fn crypto_unlock_update ,
-and
-.Fn crypto_lock_final
-return nothing.
-.Pp
-.Fn crypto_unlock_final
-returns 0 on success or -1 if the message was corrupted.
-Corruption can be caused by transmission errors, programmer error, or an
-attacker's interference.
-.Em Always check the return value .
-.Sh SEE ALSO
-.Xr crypto_key_exchange 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_lock_aead 3monocypher ,
-.Xr crypto_unlock 3monocypher ,
-.Xr crypto_unlock_aead 3monocypher ,
-.Xr crypto_wipe 3monocypher ,
-.Xr intro 3monocypher
-.Sh HISTORY
-The
-.Fn crypto_lock_init ,
-.Fn crypto_lock_auth_ad ,
-.Fn crypto_lock_auth_message ,
-.Fn crypto_lock_update ,
-.Fn crypto_lock_final ,
-.Fn crypto_unlock_init ,
-.Fn crypto_unlock_auth_ad ,
-.Fn crypto_unlock_auth_message ,
-.Fn crypto_unlock_update ,
-and
-.Fn crypto_unlock_final
-functions first appeared in Monocypher 1.1.0.
-.Fn crypto_lock_aead_auth
-and
-.Fn crypto_unlock_aead_auth
-were renamed to
-.Fn crypto_lock_auth_ad
-and
-.Fn crypto_unlock_auth_ad
-respectively in Monocypher 2.0.0.
-They were deprecated in Monocypher 3.0.0
-and will be removed in Monocypher 4.0.0.
diff --git a/vendor/doc/man/man3/crypto_lock_update.3monocypher b/vendor/doc/man/man3/crypto_lock_update.3monocypher
deleted file mode 120000
index c5b4453..0000000
--- a/vendor/doc/man/man3/crypto_lock_update.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_lock_init.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_poly1305.3monocypher b/vendor/doc/man/man3/crypto_poly1305.3monocypher
deleted file mode 100644
index c0f25a1..0000000
--- a/vendor/doc/man/man3/crypto_poly1305.3monocypher
+++ /dev/null
@@ -1,273 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2017-2018 Michael Savage
-.\" Copyright (c) 2017-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2020 by Loup Vaillant, Michael Savage and Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 31, 2020
-.Dt CRYPTO_POLY1305 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_poly1305 ,
-.Nm crypto_poly1305_init ,
-.Nm crypto_poly1305_update ,
-.Nm crypto_poly1305_final
-.Nd Poly1305 one-time message authentication codes
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_poly1305
-.Fa "uint8_t mac[16]"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fa "const uint8_t key[32]"
-.Fc
-.Ft void
-.Fo crypto_poly1305_init
-.Fa "crypto_poly1305_ctx *ctx"
-.Fa "const uint8_t key[32]"
-.Fc
-.Ft void
-.Fo crypto_poly1305_update
-.Fa "crypto_poly1305_ctx *ctx"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft void
-.Fo crypto_poly1305_final
-.Fa "crypto_poly1305_ctx *ctx"
-.Fa "uint8_t mac[16]"
-.Fc
-.Sh DESCRIPTION
-Poly1305 is a one-time message authentication code.
-.Dq One-time
-means the authentication key can be used only once.
-.Sy This makes Poly1305 easy to misuse .
-On the other hand, Poly1305 is fast, and provably secure if used
-correctly.
-.Pp
-Poly1305 is a low-level primitive.
-Consider using authenticated encryption, implemented by
-.Xr crypto_lock 3monocypher .
-.Pp
-The arguments are:
-.Bl -tag -width Ds
-.It Fa mac
-The authentication code.
-.It Fa key
-The secret authentication key.
-Use only once per message.
-Do not use the session key to authenticate messages.
-It should be wiped with
-.Xr crypto_wipe 3monocypher
-after use.
-.It Fa message
-The message to authenticate.
-May overlap with the
-.Fa mac
-argument.
-.It Fa message_size
-Length of
-.Fa message ,
-in bytes.
-.El
-.Ss Direct interface
-.Fn crypto_poly1305
-produces a message authentication code for the given message and
-authentication key.
-To verify the integrity of a message, use
-.Xr crypto_verify16 3monocypher
-to compare the received MAC to the output
-.Fa mac .
-.Ss Incremental interface
-.Fn crypto_poly1305_init
-initialises a context.
-.Fa key
-should be wiped once the context is initialised.
-Then,
-.Fn crypto_poly1305_update
-authenticates the message chunk by chunk.
-Once the message is entirely processed,
-.Fn crypto_poly1305_final
-yields the message authentication code.
-.Sh RETURN VALUES
-These functions return nothing.
-.Sh EXAMPLES
-The following examples assume the existence of
-.Fn arc4random_buf ,
-which fills the given buffer with cryptographically secure random bytes.
-If
-.Fn arc4random_buf
-does not exist on your system, see
-.Xr intro 3monocypher
-for advice about how to generate cryptographically secure random bytes.
-.Pp
-To authenticate a message:
-.Bd -literal -offset indent
-const uint8_t msg[ 5] = "Lorem"; /* Message to authenticate */
-uint8_t key[32]; /* Random secret key (use only once) */
-uint8_t mac[16]; /* Message authentication code (MAC) */
-arc4random_buf(key, 32);
-crypto_poly1305(mac, msg, 5, key);
-/* Wipe the key */
-crypto_wipe(key, 32);
-.Ed
-.Pp
-To verify the above message:
-.Bd -literal -offset indent
-const uint8_t msg [ 5] = "Lorem"; /* Message to verify */
-uint8_t key [32]; /* The above key */
-const uint8_t mac [16]; /* The above MAC */
-uint8_t real_mac[16]; /* The actual MAC */
-crypto_poly1305(real_mac, msg, 5, key);
-/* Wipe the key */
-crypto_wipe(key, 32);
-if (crypto_verify16(mac, real_mac)) {
- /* Corrupted message, abort processing */
-} else {
- /* Genuine message */
-}
-/* The real mac is secret. Wipe it */
-crypto_wipe(real_mac, 16);
-.Ed
-.Pp
-Incremental authentication:
-.Bd -literal -offset indent
-const uint8_t msg[500]= {1}; /* Message to authenticate */
-uint8_t key[ 32]; /* Random secret key (use only once) */
-uint8_t mac[ 16]; /* Message authentication code (MAC) */
-crypto_poly1305_ctx ctx;
-arc4random_buf(key, 32);
-crypto_poly1305_init(&ctx, key);
-/* Wipe the key */
-crypto_wipe(key, 32);
-for (int i = 0; i < 500; i += 100) {
- crypto_poly1305_update(&ctx, msg, 100);
-}
-crypto_poly1305_final(&ctx, mac);
-.Ed
-.Sh SEE ALSO
-.Xr crypto_blake2b 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_verify16 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement Poly1305, described in RFC 8439.
-.Sh HISTORY
-The
-.Fn crypto_poly1305_init ,
-.Fn crypto_poly1305_update ,
-and
-.Fn crypto_poly1305_final
-functions first appeared in Monocypher 0.1.
-.Fn crypto_poly1305
-first appeared in Monocypher 1.1.0.
-.Sh SECURITY CONSIDERATIONS
-Poly1305 is difficult to use correctly.
-Do not use it unless you are absolutely sure what you are doing.
-Use authenticated encryption instead; see
-.Xr crypto_lock 3monocypher .
-If you are certain you do not want encryption, refer to
-.Xr crypto_blake2b 3monocypher
-on how to use Blake2b to generate message authentication codes.
-.Ss Authentication key requirements
-Poly1305 is a
-.Em one-time
-authenticator.
-This puts rather stringent constraints on the authentication key:
-.Bl -bullet
-.It
-Any given key must be used only once.
-Using the same key for two different messages reveals it to the
-attacker.
-Do not use the session key, or it will void all security.
-.It
-Authentication keys must be random, and independent from each other.
-Do not use non-random nonces.
-Do not use related keys.
-Use fresh, unpredictable, uniformly distributed random numbers.
-.It
-The key must be transmitted to the recipient without revealing it to the
-attacker.
-Somehow.
-.El
-.Pp
-The only practical source for the authentication key is a chunk of the
-encryption stream used to encrypt the message.
-That chunk must be
-.Em dedicated
-to the authentication key:
-if it is reused to encrypt the message itself, the attacker may recover
-that chunk by guessing the message, then forge arbitrary messages.
-.Pp
-To get this right, you need a session key, a
-.Em unique
-nonce, and a
-stream cipher.
-Generate a stream with the session key and nonce.
-Take the first 32 bytes of that stream as your authentication key, then
-use the
-.Em rest
-of the stream to encrypt your message.
-This is the approach used by
-.Xr crypto_lock_aead 3monocypher .
-.Ss Protection against side channels
-Use
-.Xr crypto_verify16 3monocypher
-to compare message authentication codes.
-Avoid standard buffer comparison functions.
-They may not run in constant time, enabling an attacker to exploit timing
-attacks to recover the MAC.
-.Pp
-The authentication key should be wiped with
-.Xr crypto_wipe 3monocypher
-after use.
-.Pp
-The incremental interface automatically wipes its context when finished
-so users do not need to do it themselves.
diff --git a/vendor/doc/man/man3/crypto_poly1305_final.3monocypher b/vendor/doc/man/man3/crypto_poly1305_final.3monocypher
deleted file mode 120000
index 861ea25..0000000
--- a/vendor/doc/man/man3/crypto_poly1305_final.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_poly1305.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_poly1305_init.3monocypher b/vendor/doc/man/man3/crypto_poly1305_init.3monocypher
deleted file mode 120000
index 861ea25..0000000
--- a/vendor/doc/man/man3/crypto_poly1305_init.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_poly1305.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_poly1305_update.3monocypher b/vendor/doc/man/man3/crypto_poly1305_update.3monocypher
deleted file mode 120000
index 861ea25..0000000
--- a/vendor/doc/man/man3/crypto_poly1305_update.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_poly1305.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_sign.3monocypher b/vendor/doc/man/man3/crypto_sign.3monocypher
deleted file mode 100644
index 44c08c8..0000000
--- a/vendor/doc/man/man3/crypto_sign.3monocypher
+++ /dev/null
@@ -1,236 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2017-2018 Michael Savage
-.\" Copyright (c) 2017, 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2020 by Loup Vaillant, Michael Savage and Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 31, 2020
-.Dt CRYPTO_SIGN 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_sign ,
-.Nm crypto_check ,
-.Nm crypto_sign_public_key
-.Nd public key signatures
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_sign_public_key
-.Fa "uint8_t public_key[32]"
-.Fa "const uint8_t secret_key[32]"
-.Fc
-.Ft void
-.Fo crypto_sign
-.Fa "uint8_t signature[64]"
-.Fa "const uint8_t secret_key[32]"
-.Fa "const uint8_t public_key[32]"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft int
-.Fo crypto_check
-.Fa "const uint8_t signature[64]"
-.Fa "const uint8_t public_key[32]"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Sh DESCRIPTION
-.Fn crypto_sign
-and
-.Fn crypto_check
-provide EdDSA public key signatures and verification.
-.Pp
-The arguments are:
-.Bl -tag -width Ds
-.It Fa signature
-The signature.
-.It Fa secret_key
-A 32-byte random number, known only to you.
-See
-.Xr intro 3monocypher
-about random number generation (use your operating system's random
-number generator).
-Do not use the same private key for both signatures and key exchanges.
-The public keys are different, and revealing both may leak information.
-.It Fa public_key
-The public key, generated from
-.Fa secret_key
-with
-.Fn crypto_sign_public_key .
-.It Fa message
-Message to sign.
-.It Fa message_size
-Length of
-.Fa message ,
-in bytes.
-.El
-.Pp
-.Fa signature
-and
-.Fa message
-may overlap.
-.Pp
-.Fn crypto_sign_public_key
-computes the public key of the specified secret key.
-.Pp
-.Fn crypto_sign
-signs a message with
-.Fa secret_key .
-The public key is optional, and will be recomputed if not provided.
-This recomputation doubles the execution time.
-.Pp
-.Fn crypto_check
-checks that a given signature is genuine.
-Meaning, only someone who had the private key could have signed the
-message.
-.Sy \&It does not run in constant time .
-It does not have to in most threat models, because nothing is secret:
-everyone knows the public key, and the signature and message are
-rarely secret.
-If the message needs to be secret, use
-.Xr crypto_key_exchange 3monocypher
-and
-.Xr crypto_lock_aead 3monocypher
-instead.
-.Pp
-An incremental interface is available; see
-.Xr crypto_sign_init_first_pass 3monocypher .
-.Sh RETURN VALUES
-.Fn crypto_sign_public_key
-and
-.Fn crypto_sign
-return nothing.
-.Pp
-.Fn crypto_check
-returns 0 for legitimate messages and -1 for forgeries.
-.Sh EXAMPLES
-The following examples assume the existence of
-.Fn arc4random_buf ,
-which fills the given buffer with cryptographically secure random bytes.
-If
-.Fn arc4random_buf
-does not exist on your system, see
-.Xr intro 3monocypher
-for advice about how to generate cryptographically secure random bytes.
-.Pp
-Generate a public key from a random secret key:
-.Bd -literal -offset indent
-uint8_t sk[32]; /* Random secret key */
-uint8_t pk[32]; /* Matching public key */
-arc4random_buf(sk, 32);
-crypto_sign_public_key(pk, sk);
-/* Wipe the secret key if it is no longer needed */
-crypto_wipe(sk, 32);
-.Ed
-.Pp
-Sign a message:
-.Bd -literal -offset indent
-uint8_t sk [32]; /* Secret key from above */
-const uint8_t pk [32]; /* Matching public key */
-const uint8_t message [11] = "Lorem ipsu"; /* Message to sign */
-uint8_t signature[64];
-crypto_sign(signature, sk, pk, message, 10);
-/* Wipe the secret key if it is no longer needed */
-crypto_wipe(sk, 32);
-.Ed
-.Pp
-Check the above:
-.Bd -literal -offset indent
-const uint8_t pk [32]; /* Their public key */
-const uint8_t message [11] = "Lorem ipsu"; /* Signed message */
-const uint8_t signature[64]; /* Signature to check */
-if (crypto_check(signature, pk, message, 10)) {
- /* Message is corrupted, abort processing */
-} else {
- /* Message is genuine */
-}
-.Ed
-.Sh SEE ALSO
-.Xr crypto_blake2b 3monocypher ,
-.Xr crypto_key_exchange 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement PureEdDSA with Curve25519 and Blake2b, as
-described in RFC 8032.
-This is the same as Ed25519, with Blake2b instead of SHA-512.
-.Sh HISTORY
-The
-.Fn crypto_sign ,
-.Fn crypto_check ,
-and
-.Fn crypto_sign_public_key
-functions appeared in Monocypher 0.2.
-.Pp
-.Sy A critical security vulnerability
-that caused all-zero signatures to be accepted was introduced in
-Monocypher 0.3;
-it was fixed in Monocypher 1.1.1 and 2.0.4.
-.Sh SECURITY CONSIDERATIONS
-.Ss Signature malleability
-EdDSA signatures are not unique like cryptographic hashes.
-For any given public key and message, there are many possible valid
-signatures.
-Some of them require knowledge of the private key.
-Others only require knowledge of an existing signature.
-Observing a valid signature only proves that someone with knowledge of
-the private key signed the message at some point.
-Do not rely on any other security property.
-.Ss Fault injection and power analysis
-Fault injection (also known as glitching) and power analysis may be used
-to manipulate the resulting signature and recover the secret key in
-some cases.
-This requires hardware access.
-If attackers are expected to have such access and have the relevant
-equipment, you may try use the incremental interface provided by
-.Xr crypto_sign_init_first_pass 3monocypher
-to mitigate the side channel attacks.
-Note that there may still be other power-related side channels (such as
-if the CPU leaks information when an operation overflows a register)
-that must be considered.
diff --git a/vendor/doc/man/man3/crypto_sign_final.3monocypher b/vendor/doc/man/man3/crypto_sign_final.3monocypher
deleted file mode 120000
index 08c255b..0000000
--- a/vendor/doc/man/man3/crypto_sign_final.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_sign_init_first_pass.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_sign_init_first_pass.3monocypher b/vendor/doc/man/man3/crypto_sign_init_first_pass.3monocypher
deleted file mode 100644
index de6310e..0000000
--- a/vendor/doc/man/man3/crypto_sign_init_first_pass.3monocypher
+++ /dev/null
@@ -1,302 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2017-2018 Michael Savage
-.\" Copyright (c) 2017, 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2020 by Loup Vaillant, Michael Savage and Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 31, 2020
-.Dt CRYPTO_SIGN_INIT_FIRST_PASS 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_sign_init_first_pass ,
-.Nm crypto_sign_update ,
-.Nm crypto_sign_final ,
-.Nm crypto_sign_init_second_pass ,
-.Nm crypto_check_init ,
-.Nm crypto_check_update ,
-.Nm crypto_check_final
-.Nd incremental public key signatures
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_sign_init_first_pass
-.Fa "crypto_sign_ctx *ctx"
-.Fa "const uint8_t secret_key[32]"
-.Fa "const uint8_t public_key[32]"
-.Fc
-.Ft void
-.Fo crypto_sign_update
-.Fa "crypto_sign_ctx *ctx"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft void
-.Fo crypto_sign_final
-.Fa "crypto_sign_ctx *ctx"
-.Fa "uint8_t signature[64]"
-.Fc
-.Ft void
-.Fo crypto_sign_init_second_pass
-.Fa "crypto_sign_ctx *ctx"
-.Fc
-.Ft void
-.Fo crypto_check_init
-.Fa "crypto_check_ctx *ctx"
-.Fa "const uint8_t signature[64]"
-.Fa "const uint8_t public_key[32]"
-.Fc
-.Ft void
-.Fo crypto_check_update
-.Fa "crypto_check_ctx *ctx"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft int
-.Fo crypto_check_final
-.Fa "crypto_check_ctx *ctx"
-.Fc
-.Sh DESCRIPTION
-These functions are variants of
-.Xr crypto_sign 3monocypher
-and
-.Xr crypto_check 3monocypher .
-Prefer those simpler functions if possible.
-.Pp
-The arguments are the same as those described in
-.Xr crypto_sign 3monocypher .
-.Pp
-This incremental interface can be used to sign or verify messages too
-large to fit in a single buffer.
-The arguments are the same as the direct interface described in
-.Xr crypto_sign 3monocypher .
-.Pp
-The direct and incremental interface produce and accept the same
-signatures.
-.Pp
-Signing is done in two passes.
-This requires five steps:
-.Bl -bullet
-.It
-Initialisation of the first pass with
-.Fn crypto_sign_init_first_pass .
-The public key is optional, and will be recomputed if not provided.
-This recomputation doubles the execution time for short messages.
-.It
-The first pass proper, with
-.Fn crypto_sign_update .
-.Sy Under no circumstances must you forget the first pass :
-Forgetting to call
-.Fn crypto_sign_update
-will appear to work in that it produces valid signatures,
-but also
-loses all security because attackers may now recover the secret key.
-.It
-Initialisation of the second pass with
-.Fn crypto_sign_init_second_pass .
-.It
-The second pass proper, with
-.Fn crypto_sign_update .
-The same update function is used for both passes.
-.It
-Signature generation with
-.Fn crypto_sign_final .
-This also wipes the context.
-.El
-.Pp
-Verification requires three steps:
-.Bl -bullet
-.It
-Initialisation with
-.Fn crypto_check_init .
-.It
-Update with
-.Fn crypto_check_update .
-.It
-Signature verification with
-.Fn crypto_check_final .
-.El
-.Sh RETURN VALUES
-.Fn crypto_sign_init_first_pass ,
-.Fn crypto_sign_init_second_pass ,
-.Fn crypto_sign_update ,
-.Fn crypto_sign_final ,
-.Fn crypto_check_init
-and
-.Fn crypto_check_update
-return nothing.
-.Pp
-.Fn crypto_check_final
-returns 0 for legitimate messages and -1 for forgeries.
-.Sh EXAMPLES
-Sign a message:
-.Bd -literal -offset indent
-uint8_t sk [ 32]; /* Secret key */
-const uint8_t pk [ 32]; /* Public key (optional) */
-const uint8_t message [500]; /* Message to sign */
-uint8_t signature[ 64]; /* Output signature */
-crypto_sign_ctx ctx;
-crypto_sign_init_first_pass((crypto_sign_ctx_abstract*)&ctx, sk, pk);
-/* Wipe the secret key if no longer needed */
-crypto_wipe(sk, 32);
-for (size_t i = 0; i < 500; i += 100) {
- crypto_sign_update((crypto_sign_ctx_abstract*)&ctx, message + i, 100);
-}
-crypto_sign_init_second_pass((crypto_sign_ctx_abstract*)&ctx);
-for (size_t i = 0; i < 500; i += 100) {
- crypto_sign_update((crypto_sign_ctx_abstract*)&ctx, message + i, 100);
-}
-crypto_sign_final((crypto_sign_ctx_abstract*)&ctx, signature);
-.Ed
-.Pp
-Check the above:
-.Bd -literal -offset indent
-const uint8_t pk [ 32]; /* Public key */
-const uint8_t message [500]; /* Message to sign */
-const uint8_t signature[ 64]; /* Signature to check */
-crypto_check_ctx ctx;
-crypto_check_init((crypto_sign_ctx_abstract*)&ctx, signature, pk);
-for (size_t i = 0; i < 500; i += 100) {
- crypto_check_update((crypto_sign_ctx_abstract*)&ctx, message + i, 100);
-}
-if (crypto_check_final((crypto_sign_ctx_abstract*)&ctx)) {
- /* Message is corrupted, abort processing */
-} else {
- /* Message is genuine */
-}
-.Ed
-.Pp
-This interface can be used to mitigate attacks that leverage power
-analysis and fault injection (glitching) \(en both of which require
-physical access and appropriate equipment \(en by injecting additional
-randomness (at least 32 bytes) and padding (to the hash function's block
-size, which is 128 bytes for all hash functions supported by
-Monocypher), of which 32 bytes are already inserted into the buffer by
-.Fn crypto_sign_init_first_pass .
-Access to a cryptographically secure pseudo-random generator is a
-requirement for effective side channel mitigation.
-Signing a message with increased power-related side channel mitigations:
-.Bd -literal -offset indent
-const uint8_t message [ 500]; /* Message to sign */
-uint8_t sk [ 32]; /* Secret key */
-const uint8_t pk [ 32]; /* Public key (optional) */
-uint8_t signature[ 64]; /* Output signature */
-uint8_t buf [128-32] = {0}; /* Mitigation buffer */
-crypto_sign_ctx ctx;
-crypto_sign_ctx_abstract *actx = (crypto_sign_ctx_abstract *)&ctx;
-
-arc4random_buf(buf, 32);
-/* The rest of buf MUST be zeroes. */
-
-crypto_sign_init_first_pass(actx, sk, pk);
-crypto_sign_update (actx, buf, sizeof(buf));
-crypto_sign_update (actx, message, 500);
-
-crypto_sign_init_second_pass(actx);
-crypto_sign_update (actx, message, 500);
-crypto_sign_final (actx, signature);
-
-crypto_wipe(buf, 32);
-/* Wipe the secret key if no longer needed */
-crypto_wipe(sk, 32);
-.Ed
-.Sh SEE ALSO
-.Xr crypto_blake2b 3monocypher ,
-.Xr crypto_key_exchange 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_sign 3monocypher ,
-.Xr crypto_wipe 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement PureEdDSA with Curve25519 and Blake2b, as
-described in RFC 8032.
-This is the same as Ed25519, with Blake2b instead of SHA-512.
-.Pp
-The example for side channel mitigation follows the methodology outlined
-in I-D.draft-mattsson-cfrg-det-sigs-with-noise-02.
-.Sh HISTORY
-The
-.Fn crypto_sign_init_first_pass ,
-.Fn crypto_sign_update ,
-.Fn crypto_sign_final ,
-.Fn crypto_sign_init_second_pass ,
-.Fn crypto_check_init ,
-.Fn crypto_check_update ,
-and
-.Fn crypto_check_final
-functions first appeared in Monocypher 1.1.0.
-.Pp
-.Sy A critical security vulnerability
-that caused all-zero signatures to be accepted was introduced in
-Monocypher 0.3;
-it was fixed in Monocypher 1.1.1 and 2.0.4.
-.Sh SECURITY CONSIDERATIONS
-Messages are not verified until the call to
-.Fn crypto_check_final .
-Messages may be stored before they are verified, but they cannot be
-.Em trusted .
-Processing untrusted messages increases the attack surface of the
-system.
-Doing so securely is hard.
-Do not process messages before calling
-.Fn crypto_check_final .
-.Pp
-When signing messages, the security considerations documented in
-.Xr crypto_sign 3monocypher
-also apply.
-In particular, if power-related side channels are part of your threat
-model,
-note that there may still be other power-related side channels (such as
-if the CPU leaks information when an operation overflows a register)
-that must be considered.
-.Sh IMPLEMENTATION DETAILS
-EdDSA signatures require two passes that cannot be performed in
-parallel.
-There are ways around this limitation, but they all lower security in
-some way.
-For this reason, Monocypher does not support them.
diff --git a/vendor/doc/man/man3/crypto_sign_init_first_pass_custom_hash.3monocypher b/vendor/doc/man/man3/crypto_sign_init_first_pass_custom_hash.3monocypher
deleted file mode 100644
index c1af870..0000000
--- a/vendor/doc/man/man3/crypto_sign_init_first_pass_custom_hash.3monocypher
+++ /dev/null
@@ -1,295 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2019-2020 by Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd December 28, 2019
-.Dt CRYPTO_SIGN_INIT_FIRST_PASS_CUSTOM_HASH 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_sign_init_first_pass_custom_hash ,
-.Nm crypto_sign_public_key_custom_hash ,
-.Nm crypto_check_init_custom_hash
-.Nd public key signatures with custom hash functions
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_sign_init_first_pass_custom_hash
-.Fa "crypto_sign_ctx_abstract *ctx"
-.Fa "const uint8_t secret_key[32]"
-.Fa "const uint8_t public_key[32]"
-.Fa "const crypto_sign_vtable *hash"
-.Fc
-.Ft void
-.Fo crypto_sign_public_key_custom_hash
-.Fa "uint8_t public_key[32]"
-.Fa "const uint8_t secret_key[32]"
-.Fa "const crypto_sign_vtable *hash"
-.Fc
-.Ft void
-.Fo crypto_check_init_custom_hash
-.Fa "crypto_sign_ctx_abstract *ctx"
-.Fa "const uint8_t signature[64]"
-.Fa "const uint8_t public_key[32]"
-.Fa "const crypto_sign_vtable *hash"
-.Fc
-.Sh DESCRIPTION
-These functions are variants of the
-.Xr crypto_sign_init_first_pass 3monocypher
-family of functions:
-They provide the ability to replace the EdDSA hash function with any
-user-provided hash function.
-.Pp
-.Sy This is a highly advanced feature .
-Interoperability of public key signatures
-with other cryptographic libraries can normally be achieved by using
-.Xr crypto_ed25519_sign 3monocypher
-or
-.Xr crypto_ed25519_sign_init_first_pass 3monocypher
-already.
-This interface is exposed only for completeness and to handle special
-situations
-(e.g. to use the hash function of the future winner of the NIST
-lightweight crypto competition on a device with highly constrained
-resources or taking advantage of hardware support for cryptographic
-hash functions).
-Whenever possible, these functions should be avoided.
-.Pp
-To make available a custom hash algorithm for use with these functions,
-a
-.Vt crypto_sign_vtable
-structure must be provided.
-It is defined as:
-.Bd -literal
-typedef struct {
- void (*hash)(uint8_t hash[64], const uint8_t *message,
- size_t message_size);
- void (*init )(void *ctx);
- void (*update)(void *ctx, const uint8_t *message,
- size_t message_size);
- void (*final )(void *ctx, uint8_t hash[64]);
- size_t ctx_size;
-} crypto_sign_vtable;
-.Ed
-.Pp
-The context argument to the functions shall be referred to as
-.Dq outer signing context .
-The outer signing context must contain a
-.Vt crypto_sign_ctx_abstract
-as
-.Em its first member .
-Other than that, the outer signing context may be defined freely.
-Logically, it is required to contain some kind of hash context as well,
-else it cannot work as a custom hash function.
-.Pp
-Because the calling code cannot know the real type of the outer signing
-context,
-it is cast to
-.Vt void *
-when calling the hash functions in the vtable,
-but the
-.Fa ctx
-argument to the functions in the vtable is always guaranteed to be the
-outer signing context.
-.Pp
-The hash functions must not fail.
-If they somehow can fail,
-they have no way to propagate its error status,
-and thus the only ways to handle errors
-are to either assume an error never occurs (if reasonable),
-or to induce a crash in the code when an error occurs.
-.Pp
-The fields of
-.Vt crypto_sign_vtable
-are:
-.Bl -tag -width Ds
-.It Fa hash
-Function that computes a 64-byte hash for a given message
-and writes the computed hash to
-.Fa hash .
-The output length
-.Em must
-be exactly 64 bytes.
-This will normally be constructed using the functions that provide the
-.Fa init ,
-.Fa update
-and
-.Fa final
-members.
-.It Fa init
-Function that initialises the hash context of an outer signing context.
-.It Fa update
-Function that updates the hash context of an outer signing context.
-It must be able to handle message sizes of at least 32 bytes.
-.It Fa final
-Function that finalises the hash context of an outer signing context
-and writes the computed hash to
-.Fa hash .
-The output length
-.Em must
-be exactly 64 bytes.
-This function should wipe the hash context with
-.Xr crypto_wipe 3monocypher
-if it contains pointers to objects outside the outer signing context.
-Monocypher takes care of wiping the outer signing context.
-.It Fa ctx_size
-The size of the outer signing context as determined by
-.Fn sizeof .
-.El
-.Pp
-The functions indicated in the
-.Vt crypto_sign_vtable
-must be thread-safe if any of Monocypher's signing functions are
-accessed from multiple threads.
-.Pp
-After calling
-.Fn crypto_sign_init_first_pass_custom_hash
-or
-.Fn crypto_check_init_custom_hash ,
-the
-.Xr crypto_sign_update 3monocypher ,
-.Xr crypto_sign_final 3monocypher ,
-.Xr crypto_sign_init_second_pass 3monocypher ,
-.Xr crypto_check_update 3monocypher ,
-and
-.Xr crypto_check_final 3monocypher
-functions can be used as usual.
-They will call into the hash vtable as required.
-The same security considerations and semantics apply.
-.Sh RETURN VALUES
-These functions return nothing.
-.Sh EXAMPLES
-Defining and using a custom implementation of SHA-512 and crudely
-checking its results against
-.Xr crypto_ed25519_sign 3monocypher :
-.Bd -literal -offset indent
-struct outer_ctx {
- crypto_sign_ctx_abstract sctx;
- SHA2_CTX hash_ctx;
-};
-
-static void
-my_hash(uint8_t hash[64], const uint8_t *msg, size_t len)
-{
- SHA2_CTX ctx;
- SHA512Init(&ctx);
- SHA512Update(&ctx, msg, len);
- SHA512Final(hash, &ctx);
-}
-
-static void
-my_init(void *ctx)
-{
- struct outer_ctx *octx = (struct outer_ctx *)ctx;
- SHA512Init(&octx->hash_ctx);
-}
-
-static void
-my_update(void *ctx, const uint8_t *msg, size_t len)
-{
- struct outer_ctx *octx = (struct outer_ctx *)ctx;
- SHA512Update(&octx->hash_ctx, msg, len);
-}
-
-static void
-my_final(void *ctx, uint8_t *hash)
-{
- struct outer_ctx *octx = (struct outer_ctx *)ctx;
- SHA512Final(hash, &octx->hash_ctx);
-}
-
-static const crypto_sign_vtable my_vtable = {
- my_hash,
- my_init,
- my_update,
- my_final,
- sizeof(struct outer_ctx)
-};
-
-int
-main(void)
-{
- uint8_t theirs[64], mine[64];
- uint8_t sk[32] = {0x01, 0x02, 0x03, 0x04};
- const uint8_t msg[] = {
- 0x00, 0x01, 0x02, 0x04
- };
-
- crypto_ed25519_sign(theirs, sk, NULL, msg, sizeof(msg));
-
- struct outer_ctx ctx;
- crypto_sign_ctx_abstract *actx = (crypto_sign_ctx_abstract*)&ctx;
- crypto_sign_init_first_pass_custom_hash(actx,
- sk, NULL, &my_vtable);
- crypto_wipe(sk, sizeof(sk));
- crypto_sign_update( actx, msg, sizeof(msg));
- crypto_sign_init_second_pass(actx);
- crypto_sign_update( actx, msg, sizeof(msg));
- crypto_sign_final( actx, mine);
-
- if (crypto_verify64(theirs, mine) != 0) {
- fprintf(stderr, "theirs != mine\en");
- return 1;
- }
- puts("ok");
- return 0;
-}
-.Ed
-.Sh SEE ALSO
-.Xr crypto_blake2b 3monocypher ,
-.Xr crypto_sha512 3monocypher ,
-.Xr crypto_sign 3monocypher ,
-.Xr crypto_sign_init_first_pass 3monocypher ,
-.Xr crypto_wipe 3monocypher ,
-.Xr intro 3monocypher
-.Sh HISTORY
-The
-.Fn crypto_sign_init_first_pass_custom_hash ,
-.Fn crypto_sign_public_key_custom_hash ,
-.Fn crypto_check_init_first_pass_custom_hash
-functions first appeared in Monocypher 3.0.0.
diff --git a/vendor/doc/man/man3/crypto_sign_init_second_pass.3monocypher b/vendor/doc/man/man3/crypto_sign_init_second_pass.3monocypher
deleted file mode 120000
index 08c255b..0000000
--- a/vendor/doc/man/man3/crypto_sign_init_second_pass.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_sign_init_first_pass.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_sign_public_key.3monocypher b/vendor/doc/man/man3/crypto_sign_public_key.3monocypher
deleted file mode 120000
index f359740..0000000
--- a/vendor/doc/man/man3/crypto_sign_public_key.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_sign.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_sign_public_key_custom_hash.3monocypher b/vendor/doc/man/man3/crypto_sign_public_key_custom_hash.3monocypher
deleted file mode 120000
index a4b73ad..0000000
--- a/vendor/doc/man/man3/crypto_sign_public_key_custom_hash.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_sign_init_first_pass_custom_hash.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_sign_update.3monocypher b/vendor/doc/man/man3/crypto_sign_update.3monocypher
deleted file mode 120000
index 08c255b..0000000
--- a/vendor/doc/man/man3/crypto_sign_update.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_sign_init_first_pass.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_unlock.3monocypher b/vendor/doc/man/man3/crypto_unlock.3monocypher
deleted file mode 120000
index 126507a..0000000
--- a/vendor/doc/man/man3/crypto_unlock.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_lock.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_unlock_aead.3monocypher b/vendor/doc/man/man3/crypto_unlock_aead.3monocypher
deleted file mode 120000
index 126507a..0000000
--- a/vendor/doc/man/man3/crypto_unlock_aead.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_lock.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_unlock_auth_ad.3monocypher b/vendor/doc/man/man3/crypto_unlock_auth_ad.3monocypher
deleted file mode 120000
index c5b4453..0000000
--- a/vendor/doc/man/man3/crypto_unlock_auth_ad.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_lock_init.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_unlock_auth_message.3monocypher b/vendor/doc/man/man3/crypto_unlock_auth_message.3monocypher
deleted file mode 120000
index c5b4453..0000000
--- a/vendor/doc/man/man3/crypto_unlock_auth_message.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_lock_init.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_unlock_final.3monocypher b/vendor/doc/man/man3/crypto_unlock_final.3monocypher
deleted file mode 120000
index c5b4453..0000000
--- a/vendor/doc/man/man3/crypto_unlock_final.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_lock_init.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_unlock_init.3monocypher b/vendor/doc/man/man3/crypto_unlock_init.3monocypher
deleted file mode 120000
index c5b4453..0000000
--- a/vendor/doc/man/man3/crypto_unlock_init.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_lock_init.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_unlock_update.3monocypher b/vendor/doc/man/man3/crypto_unlock_update.3monocypher
deleted file mode 120000
index c5b4453..0000000
--- a/vendor/doc/man/man3/crypto_unlock_update.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_lock_init.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_verify16.3monocypher b/vendor/doc/man/man3/crypto_verify16.3monocypher
deleted file mode 100644
index 9ff898b..0000000
--- a/vendor/doc/man/man3/crypto_verify16.3monocypher
+++ /dev/null
@@ -1,126 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2017-2018 Michael Savage
-.\" Copyright (c) 2017, 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2020 by Loup Vaillant, Michael Savage and Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 31, 2020
-.Dt CRYPTO_VERIFY16 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_verify16 ,
-.Nm crypto_verify32 ,
-.Nm crypto_verify64
-.Nd timing-safe data comparison
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft int
-.Fo crypto_verify16
-.Fa "const uint8_t a[16]"
-.Fa "const uint8_t b[16]"
-.Fc
-.Ft int
-.Fo crypto_verify32
-.Fa "const uint8_t a[32]"
-.Fa "const uint8_t b[32]"
-.Fc
-.Ft int
-.Fo crypto_verify64
-.Fa "const uint8_t a[64]"
-.Fa "const uint8_t b[64]"
-.Fc
-.Sh DESCRIPTION
-Cryptographic operations often require comparison of secrets or values
-derived from secrets.
-Standard comparison functions like
-.Fn memcmp
-tend to exit when they find the first difference, leaking information
-through timing differences.
-.Pp
-As an example, say a message authentication code (MAC) is sent over the
-network along with a message, but the correct MAC is secret.
-If the attacker attempts a forgery, one does not want to reveal
-.Dq your MAC is wrong, Em and it took 384 microseconds to tell .
-If the next attempt takes 462 microseconds instead, it tells the
-attacker they just guessed a byte correctly.
-That way, an attacker can derive the correct MAC byte by byte,
-and successfully forge a message.
-This has lead to practical attacks in the past.
-.Pp
-To avoid such catastrophic failure,
-.Fn crypto_verify16 ,
-.Fn crypto_verify32
-and
-.Fn crypto_verify64
-provide comparison functions whose timing is independent from
-the content of their input.
-They compare the first
-16, 32, or 64 bytes of the two byte arrays
-.Fa a
-and
-.Fa b .
-.Pp
-When in doubt, prefer these functions over
-.Fn memcmp .
-.Sh RETURN VALUES
-These functions return 0 if the two memory chunks are the same, -1
-otherwise.
-.Sh SEE ALSO
-.Xr intro 3monocypher
-.Sh HISTORY
-The
-.Fn crypto_verify16 ,
-.Fn crypto_verify32 ,
-.Fn crypto_verify64
-functions first appeared in Monocypher 1.1.0.
-They replaced the
-.Fn crypto_memcmp
-and
-.Fn crypto_zerocmp
-functions that were present until Monocypher 1.0.1.
diff --git a/vendor/doc/man/man3/crypto_verify32.3monocypher b/vendor/doc/man/man3/crypto_verify32.3monocypher
deleted file mode 120000
index 0d26e5d..0000000
--- a/vendor/doc/man/man3/crypto_verify32.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_verify16.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_verify64.3monocypher b/vendor/doc/man/man3/crypto_verify64.3monocypher
deleted file mode 120000
index 0d26e5d..0000000
--- a/vendor/doc/man/man3/crypto_verify64.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_verify16.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_wipe.3monocypher b/vendor/doc/man/man3/crypto_wipe.3monocypher
deleted file mode 100644
index 5cd7000..0000000
--- a/vendor/doc/man/man3/crypto_wipe.3monocypher
+++ /dev/null
@@ -1,110 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2017-2018 Michael Savage
-.\" Copyright (c) 2017, 2019 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2019 by Loup Vaillant, Michael Savage and Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd December 12, 2019
-.Dt CRYPTO_WIPE 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_wipe
-.Nd wipe data from memory
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_wipe
-.Fa "void *secret"
-.Fa "size_t secret_size"
-.Fc
-.Sh DESCRIPTION
-.Fn crypto_wipe
-securely erases sensitive data in memory.
-.Pp
-Sensitive data (such as cryptographic keys or secret plaintexts) should
-be erased from memory as early as possible, to minimise the window in
-which it can be leaked.
-Standard functions like memset and bzero are not safe to use, as the
-compiler may decide they have no effect and optimise them out.
-.Pp
-The arguments are:
-.Bl -tag -width Ds
-.It Fa secret
-The buffer to erase.
-.It Fa secret_size
-The number of bytes to erase from the buffer.
-Normally this is the size of the entire buffer.
-.El
-.Pp
-Monocypher will wipe its context structs when finalizing an operation
-such as signing or decrypting.
-When using direct interfaces like
-.Xr crypto_lock 3monocypher ,
-these context structs are invisible to you.
-They are exposed in incremental interfaces like
-.Xr crypto_blake2b_init 3monocypher .
-The original key buffer does not get automatically wiped.
-When using incremental interfaces, you may want to wipe the original key
-buffers immediately after calling the respective init function.
-.Pp
-Using
-.Fn crypto_wipe
-alone may not suffice for security.
-It is recommended to lock down relevant memory regions as well.
-Refer to
-.Xr intro 3monocypher
-for instructions on how to lock down memory on common operating systems.
-.Sh RETURN VALUES
-This function returns nothing.
-.Sh SEE ALSO
-.Xr intro 3monocypher
-.Sh HISTORY
-The
-.Fn crypto_wipe
-function first appeared in Monocypher 1.1.0.
diff --git a/vendor/doc/man/man3/crypto_x25519.3monocypher b/vendor/doc/man/man3/crypto_x25519.3monocypher
deleted file mode 100644
index e39c0d4..0000000
--- a/vendor/doc/man/man3/crypto_x25519.3monocypher
+++ /dev/null
@@ -1,197 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2017-2018 Michael Savage
-.\" Copyright (c) 2017, 2019-2020 Fabio Scotoni
-.\" Copyright (c) 2020 Richard Walmsley
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2020 by Loup Vaillant, Michael Savage, Fabio Scotoni and
-.\" Richard Walmsley
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 31, 2020
-.Dt CRYPTO_X25519 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_x25519 ,
-.Nm crypto_x25519_public_key
-.Nd X25519 key exchange
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_x25519
-.Fa "uint8_t raw_shared_secret[32]"
-.Fa "const uint8_t your_secret_key[32]"
-.Fa "const uint8_t their_public_key[32]"
-.Fc
-.Ft void
-.Fo crypto_x25519_public_key
-.Fa "uint8_t your_public_key[32]"
-.Fa "const uint8_t your_secret_key[32]"
-.Fc
-.Sh DESCRIPTION
-.Fn crypto_x25519
-computes a shared secret with
-.Fa your_secret_key
-and
-.Fa their_public_key .
-It is a low-level primitive.
-Use
-.Xr crypto_key_exchange 3monocypher
-unless you have a specific reason not to.
-.Pp
-.Fn crypto_x25519_public_key
-is the same as
-.Xr crypto_key_exchange_public_key 3monocypher .
-It deterministically computes the public key from a random secret key.
-.Pp
-The arguments are:
-.Bl -tag -width Ds
-.It Fa raw_shared_secret
-The shared secret, known only to those who know a relevant secret key
-(yours or theirs).
-It is not cryptographically random.
-Do not use it directly as a key.
-Hash it with
-.Xr crypto_chacha20_H 3monocypher
-or
-.Xr crypto_blake2b 3monocypher
-first.
-.It Fa your_secret_key
-A 32-byte secret random number.
-See
-.Xr intro 3monocypher
-for advice about generating random bytes (use the operating system's
-random number generator).
-.It Fa their_public_key
-The public key of the other party.
-.Pp
-.Fa raw_shared_secret
-and
-.Fa your_secret_key
-may overlap if your secret is no longer required.
-.El
-.Pp
-Some protocols,
-such as some password-authenticated key exchange (PAKE) protocols
-and oblivious pseudo-random functions (OPRF),
-may require
-.Dq contributory
-behaviour, which ensures that no untrusted party forces the shared
-secret to a known constant.
-If a protocol requires contributory behaviour,
-compare the output of
-.Fn crypto_x25519
-to an all-zero buffer using
-.Xr crypto_verify32 3monocypher ;
-abort the protocol if the output and the all-zero buffer are equal.
-.Pp
-Do not use the same secret key for both key exchanges and signatures.
-The public keys are different, and revealing both may leak information.
-If there really is no room to store or derive two different secret keys,
-consider generating a key pair for signatures and then converting it
-with
-.Xr crypto_from_eddsa_private 3monocypher
-and
-.Xr crypto_from_eddsa_public 3monocypher .
-.Sh RETURN VALUES
-.Fn crypto_x25519
-and
-.Fn crypto_x25519_public_key
-return nothing.
-.Sh EXAMPLES
-The following example assumes the existence of
-.Fn arc4random_buf ,
-which fills the given buffer with cryptographically secure random bytes.
-If
-.Fn arc4random_buf
-does not exist on your system, see
-.Xr intro 3monocypher
-for advice about how to generate cryptographically secure random bytes.
-.Pp
-Generate a pair of shared keys with your secret key and their public
-key.
-(This can help nonce management for full duplex communications.)
-.Bd -literal -offset indent
-const uint8_t their_pk [32]; /* Their public key */
-uint8_t your_sk [32]; /* Your secret key */
-uint8_t shared_secret[32]; /* Shared secret (NOT a key) */
-arc4random_buf(your_sk, 32);
-crypto_x25519(shared_secret, your_sk, their_pk);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(your_sk, 32);
-
-uint8_t shared_keys[64]; /* Two shared session keys */
-crypto_blake2b(shared_keys, shared_secret, 32);
-const uint8_t *key_1 = shared_keys; /* Shared key 1 */
-const uint8_t *key_2 = shared_keys + 32; /* Shared key 2 */
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(shared_secret, 32);
-.Ed
-.Sh SEE ALSO
-.Xr crypto_key_exchange 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-This function implements X25519, described in RFC 7748.
-.Sh HISTORY
-The
-.Fn crypto_x25519 ,
-and
-.Fn crypto_x25519_public_key
-functions first appeared in Monocypher 0.1.
-.Sh SECURITY CONSIDERATIONS
-If either of the long term secret keys leaks, it may compromise
-.Em all past messages .
-This can be avoided by using protocols that provide forward secrecy,
-such as the X3DH key agreement protocol.
-.Sh IMPLEMENTATION DETAILS
-The most significant bit of the public key is systematically ignored.
-It is not needed because every public key should be smaller than
-2^255-19, which fits in 255 bits.
-If another implementation of X25519 gives you a key that is not fully
-reduced and has its high bit set, the computation will fail.
-On the other hand, it also means you may use this bit for other purposes
-(such as parity flipping for Ed25519 compatibility).
diff --git a/vendor/doc/man/man3/crypto_x25519_dirty_fast.3monocypher b/vendor/doc/man/man3/crypto_x25519_dirty_fast.3monocypher
deleted file mode 100644
index 80fd8e0..0000000
--- a/vendor/doc/man/man3/crypto_x25519_dirty_fast.3monocypher
+++ /dev/null
@@ -1,131 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2020 by Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 24, 2020
-.Dt CRYPTO_X25519_DIRTY_FAST 3monocypher
-.Os
-.Sh NAME
-.Nm crypto_x25519_dirty_fast ,
-.Nm crypto_x25519_dirty_small
-.Nd generation of Curve25519 points with a low-order component
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_x25519_dirty_fast
-.Fa "uint8_t pk[32]"
-.Fa "const uint8_t sk[32]"
-.Fc
-.Ft void
-.Fo crypto_x25519_dirty_small
-.Fa "uint8_t pk[32]"
-.Fa "const uint8_t sk[32]"
-.Fc
-.Sh DESCRIPTION
-These functions are used in public key generation for
-.Xr crypto_curve_to_hidden 3monocypher .
-.Sy This is a highly advanced feature ;
-unless you are reading this because you were referred here from
-.Xr crypto_curve_to_hidden 3monocypher ,
-.Sy you likely have no reason to be using these functions
-and are probably looking for
-.Xr crypto_key_exchange 3monocypher
-or
-.Xr crypto_x25519 3monocypher
-instead.
-Expect elliptic curve jargon on this page.
-.Pp
-Both functions generate a Curve25519 public key
-.Fa pk
-from the given secret key
-.Fa sk ;
-the public keys are on the
-.Em whole
-curve, rather than just the main prime-order subgroup.
-Both do the same with different code size and memory characteristics:
-.Fn crypto_x25519_dirty_fast
-uses multiple large temporary variables and uses functions that are
-normally used internally for
-.Xr crypto_sign 3monocypher ;
-accordingly, it uses both more memory (for the temporary variables) and
-more code size (unless the signing code is already compiled in
-elsewhere).
-.Fn crypto_x25519_dirty_small
-yields the same result, but does so using less code and memory at a
-large performance penalty compared to
-.Fn crypto_x25519_dirty_fast .
-.Pp
-The resulting public keys are to be used with
-.Xr crypto_x25519 3monocypher
-or
-.Xr crypto_key_exchange 3monocypher ,
-which clear the cofactor.
-.Sh RETURN VALUES
-These functions have no return value.
-They cannot fail.
-.Sh SEE ALSO
-.Xr crypto_curve_to_hidden 3monocypher ,
-.Xr crypto_key_exchange_public_key 3monocypher ,
-.Xr crypto_x25519_public_key 3monocypher ,
-.Xr intro 3monocypher
-.Sh HISTORY
-The
-.Fn crypto_x25519_dirty_fast
-and
-.Fn crypto_x25519_dirty_small
-functions first appeared in Monocypher 3.1.0.
-.Sh IMPLEMENTATION DETAILS
-The slow variant is approximately an entire two times slower than the
-fast variant.
-When considering that, on average, two calls to this function will be
-required for obtaining a valid key pair for
-.Xr crypto_curve_to_hidden 3monocypher ,
-this adds up to an
-.Em average
-effective slowdown for key pair generation of a factor of four.
diff --git a/vendor/doc/man/man3/crypto_x25519_dirty_small.3monocypher b/vendor/doc/man/man3/crypto_x25519_dirty_small.3monocypher
deleted file mode 120000
index af980f3..0000000
--- a/vendor/doc/man/man3/crypto_x25519_dirty_small.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_x25519_dirty_fast.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_x25519_inverse.3monocypher b/vendor/doc/man/man3/crypto_x25519_inverse.3monocypher
deleted file mode 100644
index 30a2086..0000000
--- a/vendor/doc/man/man3/crypto_x25519_inverse.3monocypher
+++ /dev/null
@@ -1,105 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2020 by Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 24, 2020
-.Dt CRYPTO_X25519_INVERSE 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_x25519_inverse
-.Nd X25519 scalar multiplication with the multiplicative inverse of a scalar
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_x25519_inverse
-.Fa "uint8_t blind_salt[32]"
-.Fa "const uint8_t private_key[32]"
-.Fa "const uint8_t curve_point"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn crypto_x25519_inverse
-function performs scalar multiplication of the multiplicative inverse
-of a scalar for X25519.
-.Sy This is a highly advanced, specialized feature ;
-unless you are implementing a protocol that requires this specifically,
-.Sy you likely have no reason to be using these functions
-and are probably looking for
-.Xr crypto_key_exchange 3monocypher
-or
-.Xr crypto_x25519 3monocypher
-instead.
-Expect elliptic curve jargon on this page.
-.Pp
-This function is used, for example, with exponential blinding in
-oblivious pseudo-random functions (OPRFs).
-The arguments are:
-.Bl -tag -width Ds
-.It Fa blind_salt
-The output point.
-.It Fa private_key
-The private key (scalar) to use.
-First, the value is clamped;
-then the clamped value's multiplicative inverse (modulo the curve order)
-is determined;
-the clamped value's multiplicative inverse then has its cofactor
-cleared,
-and that final value is then used for scalar multiplication.
-.It Fa curve_point
-The curve point on X25519 to multiply with the multiplicative inverse
-(modulo the curve order) of
-.Fa private_key .
-.El
-.Sh SEE ALSO
-.Xr crypto_x25519 3monocypher ,
-.Xr intro 3monocypher
-.Sh HISTORY
-The
-.Fn crypto_x25519_inverse
-function first appeared in Monocypher 3.1.0.
diff --git a/vendor/doc/man/man3/crypto_x25519_public_key.3monocypher b/vendor/doc/man/man3/crypto_x25519_public_key.3monocypher
deleted file mode 120000
index cc26d9f..0000000
--- a/vendor/doc/man/man3/crypto_x25519_public_key.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_x25519.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_xchacha20.3monocypher b/vendor/doc/man/man3/crypto_xchacha20.3monocypher
deleted file mode 120000
index 2dfb4d4..0000000
--- a/vendor/doc/man/man3/crypto_xchacha20.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_chacha20.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/crypto_xchacha20_ctr.3monocypher b/vendor/doc/man/man3/crypto_xchacha20_ctr.3monocypher
deleted file mode 120000
index 2dfb4d4..0000000
--- a/vendor/doc/man/man3/crypto_xchacha20_ctr.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_chacha20.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/intro.3monocypher b/vendor/doc/man/man3/intro.3monocypher
deleted file mode 100644
index 4a5880c..0000000
--- a/vendor/doc/man/man3/intro.3monocypher
+++ /dev/null
@@ -1,356 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019 Loup Vaillant
-.\" Copyright (c) 2018 Michael Savage
-.\" Copyright (c) 2017, 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2020 by Loup Vaillant, Michael Savage and Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 31, 2020
-.Dt INTRO 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm intro
-.Nd introduction to Monocypher
-.Sh DESCRIPTION
-Monocypher is a cryptographic library.
-It provides functions for authenticated encryption, hashing, password
-hashing and key derivation, key exchange, and public key signatures.
-.Ss Authenticated encryption
-.Xr crypto_lock 3monocypher
-and
-.Xr crypto_unlock 3monocypher
-use the Chacha20 cipher and the Poly1305 one-time authenticator.
-.Pp
-Chacha20 is a stream cipher based on a cryptographic hash function.
-It runs efficiently on a wide variety of hardware, and unlike AES
-naturally runs in constant time on all hardware.
-.Pp
-Poly1305 is a one-time authenticator, derived from Carter & Wegman
-universal hashing.
-It is very fast and very simple.
-.Pp
-For specialised needs,
-.Xr crypto_chacha20 3monocypher
-and
-.Xr crypto_poly1305 3monocypher
-are available to implement constructions involving them.
-Whenever possible,
-.Xr crypto_lock 3monocypher
-should be preferred, however.
-.Ss Hashing
-.Xr crypto_blake2b 3monocypher
-implements the Blake2b hash.
-Blake2b combines the security of SHA-3 and the speed of MD5.
-It is immune to length extension attacks and provides a keyed mode
-that makes it a safe, easy to use authenticator.
-.Ss Password hashing and key derivation
-.Xr crypto_argon2i 3monocypher
-implements the Argon2i resource intensive hash algorithm,
-which can be used to hash passwords for storage and to derive keys
-from passwords.
-Argon2 won the password hashing competition in 2015.
-Unlike Scrypt, Argon2i is immune to timing attacks.
-.Ss Key exchange
-.Xr crypto_key_exchange 3monocypher
-implements X25519, an elliptic curve Diffie Hellman key exchange
-algorithm based on Curve25519.
-X25519 derives a shared secret from two private/public key pairs.
-It is fast, simple, and relatively easy to implement securely.
-.Pp
-For specialised protocols that require indistinguishability from random
-noise,
-.Xr crypto_curve_to_hidden 3monocypher
-gives the option to disguise ephemeral (one-time use) X25519 public keys
-as random noise.
-.Ss Public key signatures
-.Xr crypto_sign 3monocypher
-and
-.Xr crypto_check 3monocypher
-implement EdDSA, with Curve25519 and Blake2b.
-This is the same as the more famous Ed25519, with SHA-512 replaced by
-the faster and more secure Blake2b.
-.Pp
-For highly specialised needs,
-it is possible to use a custom hash function with EdDSA;
-see
-.Xr crypto_sign_init_first_pass_custom_hash 3monocypher .
-.Ss Constant time comparison
-.Xr crypto_verify16 3monocypher ,
-.Xr crypto_verify32 3monocypher ,
-and
-.Xr crypto_verify64 3monocypher
-compare buffers in constant time.
-They should be used to compare secrets to prevent timing attacks.
-.Ss Memory wipe
-.Xr crypto_wipe 3monocypher
-wipes a buffer.
-It is meant to erase secrets when they are no longer needed, to reduce
-the chances of leaks.
-.Ss Optional code
-If Monocypher was compiled and installed with
-.Dv USE_ED25519 ,
-SHA-512 functions become available as well.
-See
-.Xr crypto_ed25519_sign 3monocypher ,
-.Xr crypto_ed25519_sign_init_first_pass 3monocypher ,
-.Xr crypto_sha512 3monocypher ,
-and
-.Xr crypto_hmac_sha512 3monocypher .
-.Sh SEE ALSO
-.Xr crypto_argon2i 3monocypher ,
-.Xr crypto_argon2i_general 3monocypher ,
-.Xr crypto_blake2b 3monocypher ,
-.Xr crypto_blake2b_final 3monocypher ,
-.Xr crypto_blake2b_general 3monocypher ,
-.Xr crypto_blake2b_general_init 3monocypher ,
-.Xr crypto_blake2b_init 3monocypher ,
-.Xr crypto_blake2b_update 3monocypher ,
-.Xr crypto_chacha20 3monocypher ,
-.Xr crypto_chacha20_ctr 3monocypher ,
-.Xr crypto_check 3monocypher ,
-.Xr crypto_check_final 3monocypher ,
-.Xr crypto_check_init 3monocypher ,
-.Xr crypto_check_init_custom_hash 3monocypher ,
-.Xr crypto_check_update 3monocypher ,
-.Xr crypto_curve_to_hidden 3monocypher ,
-.Xr crypto_from_eddsa_private 3monocypher ,
-.Xr crypto_from_eddsa_public 3monocypher ,
-.Xr crypto_hchacha20 3monocypher ,
-.Xr crypto_hidden_key_pair 3monocypher ,
-.Xr crypto_hidden_to_curve 3monocypher ,
-.Xr crypto_ietf_chacha20 3monocypher ,
-.Xr crypto_ietf_chacha20_ctr 3monocypher ,
-.Xr crypto_key_exchange 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_lock_aead 3monocypher ,
-.Xr crypto_poly1305 3monocypher ,
-.Xr crypto_poly1305_final 3monocypher ,
-.Xr crypto_poly1305_init 3monocypher ,
-.Xr crypto_poly1305_update 3monocypher ,
-.Xr crypto_sign 3monocypher ,
-.Xr crypto_sign_final 3monocypher ,
-.Xr crypto_sign_init_first_pass 3monocypher ,
-.Xr crypto_sign_init_first_pass_custom_hash 3monocypher ,
-.Xr crypto_sign_init_second_pass 3monocypher ,
-.Xr crypto_sign_public_key 3monocypher ,
-.Xr crypto_sign_public_key_custom_hash 3monocypher ,
-.Xr crypto_sign_update 3monocypher ,
-.Xr crypto_unlock 3monocypher ,
-.Xr crypto_unlock_aead 3monocypher ,
-.Xr crypto_verify16 3monocypher ,
-.Xr crypto_verify32 3monocypher ,
-.Xr crypto_verify64 3monocypher ,
-.Xr crypto_wipe 3monocypher ,
-.Xr crypto_x25519 3monocypher ,
-.Xr crypto_x25519_dirty_fast 3monocypher ,
-.Xr crypto_x25519_dirty_small 3monocypher ,
-.Xr crypto_x25519_inverse 3monocypher ,
-.Xr crypto_x25519_public_key 3monocypher ,
-.Xr crypto_xchacha20 3monocypher ,
-.Xr crypto_xchacha20_ctr 3monocypher
-.Ss Optional code
-.Xr crypto_from_ed25519_private 3monocypher ,
-.Xr crypto_from_ed25519_public 3monocypher ,
-.Xr crypto_ed25519_check 3monocypher ,
-.Xr crypto_ed25519_check_init 3monocypher ,
-.Xr crypto_ed25519_check_update 3monocypher ,
-.Xr crypto_ed25519_check_final 3monocypher ,
-.Xr crypto_ed25519_public_key 3monocypher ,
-.Xr crypto_ed25519_sign 3monocypher ,
-.Xr crypto_ed25519_sign_init_first_pass 3monocypher ,
-.Xr crypto_ed25519_sign_init_second_pass 3monocypher ,
-.Xr crypto_ed25519_sign_final 3monocypher ,
-.Xr crypto_hmac_sha512 3monocypher ,
-.Xr crypto_hmac_sha512_init 3monocypher ,
-.Xr crypto_hmac_sha512_update 3monocypher ,
-.Xr crypto_hmac_sha512_final 3monocypher
-.Xr crypto_sha512 3monocypher ,
-.Xr crypto_sha512_init 3monocypher ,
-.Xr crypto_sha512_update 3monocypher ,
-.Xr crypto_sha512_final 3monocypher
-.Sh SECURITY CONSIDERATIONS
-Using cryptography securely is difficult.
-Flaws that never manifest under normal use might be exploited by a
-clever adversary.
-Cryptographic libraries are easy to misuse.
-Even Monocypher allows a number of fatal mistakes.
-.Pp
-Users should follow a formal introduction to cryptography.
-We currently recommend the
-.Lk https://www.crypto101.io/ "Crypto 101 online course" .
-.Ss Random number generation
-Use the facilities of your operating system.
-Avoid user space random number generators.
-They are easy to misuse, which has lead to countless vulnerabilities
-in the past.
-For instance, the random stream may be repeated if one is not careful
-with multi-threading, and forward secrecy is lost without proper key
-erasure.
-.Pp
-Different system calls are available on different systems:
-.Bl -bullet
-.It
-Recent versions of Linux (glibc >= 2.25, Linux >= 3.17), provide
-.Fn getrandom
-in
-.In linux/random.h .
-Do not set any flag.
-.It
-BSD provides
-.Fn arc4random_buf
-in
-.In stdlib.h
-or
-.In bsd/stdlib.h .
-This is easier to use than
-.Fn getrandom .
-.It
-Windows provides
-.Fn BCryptGenRandom .
-.El
-.Pp
-The
-.Pa /dev/urandom
-special file may be used on systems that do not provide an easy to use
-system call.
-Be careful though, being a file makes
-.Pa /dev/urandom
-hard to use correctly and securely.
-Reads may be interrupted, and more attacks are possible on a file than
-on a system call.
-.Ss Timing attacks
-Monocypher runs in
-.Dq constant time .
-There is no flow from secrets to timings.
-No secret dependent indices, no secret dependent branches.
-Nevertheless, there are a couple important caveats.
-.Pp
-Comparing secrets should be done with constant-time comparison
-functions, such as
-.Xr crypto_verify16 3monocypher ,
-.Xr crypto_verify32 3monocypher ,
-or
-.Xr crypto_verify64 3monocypher .
-Do not use standard comparison functions.
-They tend to stop as soon as a difference is spotted.
-In many cases, this enables attackers to recover the secrets and
-destroy all security.
-.Pp
-The Poly1305 authenticator, X25519, and EdDSA use multiplication.
-Some older processors do not multiply in constant time.
-If the target platform is something other than Intel or AMD x86_64,
-double check how it handles multiplication.
-In particular,
-.Em ARM Cortex-M CPUs may lack constant-time multiplication .
-Some VIA Nano x86 and x86_64 CPUs may lack constant-time multiplication
-as well.
-.Ss Data compression
-Encryption does not hide the length of the input plaintext.
-Most compression algorithms work by using fewer bytes to encode
-previously seen data or common characters.
-If an attacker can add data to the input before it is compressed and
-encrypted, they can observe changes to the ciphertext length to recover
-secrets from the input.
-Researchers have demonstrated an attack on HTTPS to steal session
-cookies when compression is enabled, dubbed
-.Dq CRIME .
-.Ss Forward secrecy
-Long term secrets cannot be expected to stay safe indefinitely.
-Users may reveal them by mistake, or the host computer might have a
-vulnerability and be compromised.
-To mitigate this problem, some protocols guarantee that past messages
-are not compromised even if the long term keys are.
-This is done by generating temporary keys, then encrypting messages
-using them.
-.Pp
-In general, secrets that went through a computer should not be
-compromised when this computer is stolen or infected at a later point.
-.Pp
-A first layer of defence is to explicitly wipe secrets as soon as
-they are no longer used.
-Monocypher already wipes its own temporary buffers, and contexts are
-erased with the
-.Fn crypto_*_final
-functions.
-The secret keys and messages however are the responsibility of the
-user.
-Use
-.Xr crypto_wipe 3monocypher
-to erase them.
-.Pp
-A second layer of defence is to ensure those secrets are not swapped
-to disk while they are used.
-There are several ways to do this.
-The most secure is to disable swapping entirely.
-Doing so is recommended on sensitive machines.
-Another way is to encrypt the swap partition (this is less safe).
-Finally, swap can be disabled locally \(en this is often the only
-way.
-.Pp
-UNIX systems can disable swap for specific buffers with
-.Fn mlock ,
-and disable swap for the whole process with
-.Fn mlockall .
-Windows can disable swap for specific buffers with
-.Fn VirtualLock .
-.Pp
-Core dumps cause similar problems.
-Disable them.
-Also beware of suspend to disk (deep sleep mode), which writes all RAM
-to disk regardless of swap policy, as well as virtual machine snapshots.
-Erasing secrets with
-.Xr crypto_wipe 3monocypher
-is often the only way to mitigate these dangers.
-.Ss Undefined behaviour
-Monocypher is a C library.
-C is notoriously unsafe.
-Using Monocypher incorrectly can trigger undefined behaviour.
-This can lead to data corruption, data theft, or even arbitrary code
-execution.
-.Pp
-Consider binding to a safe language if possible.
diff --git a/vendor/doc/man/man3/optional/crypto_ed25519_check.3monocypher b/vendor/doc/man/man3/optional/crypto_ed25519_check.3monocypher
deleted file mode 120000
index f6e345b..0000000
--- a/vendor/doc/man/man3/optional/crypto_ed25519_check.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_ed25519_sign.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_ed25519_check_final.3monocypher b/vendor/doc/man/man3/optional/crypto_ed25519_check_final.3monocypher
deleted file mode 120000
index a2ccd03..0000000
--- a/vendor/doc/man/man3/optional/crypto_ed25519_check_final.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_ed25519_sign_init_first_pass.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_ed25519_check_init.3monocypher b/vendor/doc/man/man3/optional/crypto_ed25519_check_init.3monocypher
deleted file mode 120000
index a2ccd03..0000000
--- a/vendor/doc/man/man3/optional/crypto_ed25519_check_init.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_ed25519_sign_init_first_pass.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_ed25519_check_update.3monocypher b/vendor/doc/man/man3/optional/crypto_ed25519_check_update.3monocypher
deleted file mode 120000
index a2ccd03..0000000
--- a/vendor/doc/man/man3/optional/crypto_ed25519_check_update.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_ed25519_sign_init_first_pass.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_ed25519_public_key.3monocypher b/vendor/doc/man/man3/optional/crypto_ed25519_public_key.3monocypher
deleted file mode 120000
index f6e345b..0000000
--- a/vendor/doc/man/man3/optional/crypto_ed25519_public_key.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_ed25519_sign.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_ed25519_sign.3monocypher b/vendor/doc/man/man3/optional/crypto_ed25519_sign.3monocypher
deleted file mode 100644
index ae46bf5..0000000
--- a/vendor/doc/man/man3/optional/crypto_ed25519_sign.3monocypher
+++ /dev/null
@@ -1,123 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2019-2020 by Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd May 24, 2020
-.Dt CRYPTO_ED25519_SIGN 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_ed25519_sign ,
-.Nm crypto_ed25519_check ,
-.Nm crypto_ed25519_public_key
-.Nd public key signatures
-.Sh SYNOPSIS
-.In monocypher-ed25519.h
-.Ft void
-.Fo crypto_ed25519_public_key
-.Fa "uint8_t public_key[32]"
-.Fa "const uint8_t secret_key[32]"
-.Fc
-.Ft void
-.Fo crypto_ed25519_sign
-.Fa "uint8_t signature[64]"
-.Fa "const uint8_t secret_key[32]"
-.Fa "const uint8_t public_key[32]"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft int
-.Fo crypto_ed25519_check
-.Fa "const uint8_t signature[64]"
-.Fa "const uint8_t public_key[32]"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn crypto_ed25519_sign
-and
-.Fn crypto_ed25519_check
-functions provide Ed25519 public key signatures and verification
-with SHA-512 as the underlying hash function;
-they are interoperable with other Ed25519 implementations.
-If you have no interoperability requirements, prefer
-.Xr crypto_sign 3monocypher .
-.Pp
-The arguments and security considerations are the same as those
-described in
-.Xr crypto_sign 3monocypher .
-.Pp
-An incremental interface is available; see
-.Xr crypto_ed25519_sign_init_first_pass 3monocypher .
-.Sh RETURN VALUES
-.Fn crypto_ed25519_public_key
-and
-.Fn crypto_ed25519_sign
-return nothing.
-.Pp
-.Fn crypto_ed25519_check
-returns 0 for legitimate messages and -1 for forgeries.
-.Sh SEE ALSO
-.Xr crypto_check 3monocypher ,
-.Xr crypto_key_exchange 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_sha512 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement Ed25519 as described in RFC 8032.
-.Sh HISTORY
-The
-.Fn crypto_ed25519_sign ,
-.Fn crypto_ed25519_check ,
-and
-.Fn crypto_ed25519_public_key
-functions appeared in Monocypher 3.0.0.
-They replace recompilation of Monocypher with the
-.Dv ED25519_SHA512
-preprocessor definition.
diff --git a/vendor/doc/man/man3/optional/crypto_ed25519_sign_final.3monocypher b/vendor/doc/man/man3/optional/crypto_ed25519_sign_final.3monocypher
deleted file mode 120000
index a2ccd03..0000000
--- a/vendor/doc/man/man3/optional/crypto_ed25519_sign_final.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_ed25519_sign_init_first_pass.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_ed25519_sign_init_first_pass.3monocypher b/vendor/doc/man/man3/optional/crypto_ed25519_sign_init_first_pass.3monocypher
deleted file mode 100644
index 9601054..0000000
--- a/vendor/doc/man/man3/optional/crypto_ed25519_sign_init_first_pass.3monocypher
+++ /dev/null
@@ -1,157 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2019-2020 by Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd May 24,2020
-.Dt CRYPTO_ED25519_SIGN_INIT_FIRST_PASS 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_ed25519_sign_init_first_pass ,
-.Nm crypto_ed25519_sign_update ,
-.Nm crypto_ed25519_sign_final ,
-.Nm crypto_ed25519_sign_init_second_pass ,
-.Nm crypto_ed25519_check_init ,
-.Nm crypto_ed25519_check_update ,
-.Nm crypto_ed25519_check_final
-.Nd incremental public key signatures
-.Sh SYNOPSIS
-.In monocypher-ed25519.h
-.Ft void
-.Fo crypto_ed25519_sign_init_first_pass
-.Fa "crypto_ed25519_sign_ctx *ctx"
-.Fa "const uint8_t secret_key[32]"
-.Fa "const uint8_t public_key[32]"
-.Fc
-.Ft void
-.Fo crypto_ed25519_sign_update
-.Fa "crypto_ed25519_sign_ctx *ctx"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft void
-.Fo crypto_ed25519_sign_final
-.Fa "crypto_ed25519_sign_ctx *ctx"
-.Fa "uint8_t signature[64]"
-.Fc
-.Ft void
-.Fo crypto_ed25519_sign_init_second_pass
-.Fa "crypto_ed25519_sign_ctx *ctx"
-.Fc
-.Ft void
-.Fo crypto_ed25519_check_init
-.Fa "crypto_ed25519_check_ctx *ctx"
-.Fa "const uint8_t signature[64]"
-.Fa "const uint8_t public_key[32]"
-.Fc
-.Ft void
-.Fo crypto_ed25519_check_update
-.Fa "crypto_ed25519_check_ctx *ctx"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft int
-.Fo crypto_ed25519_check_final
-.Fa "crypto_ed25519_check_ctx *ctx"
-.Fc
-.Sh DESCRIPTION
-These functions are variants of
-.Xr crypto_ed25519_sign 3monocypher
-and
-.Xr crypto_ed25519_check 3monocypher .
-Prefer those simpler functions if possible.
-.Pp
-These functions provide Ed25519 public key signatures and verification
-with SHA-512 as the underlying hash function;
-they are interoperable with other Ed25519 implementations.
-If you have no interoperability requirements, prefer
-.Xr crypto_sign 3monocypher .
-.Pp
-The arguments, security considerations and semantics are the same as
-those described in
-.Xr crypto_sign_init_first_pass 3monocypher
-and
-.Xr crypto_sign 3monocypher .
-.Sh RETURN VALUES
-.Fn crypto_ed25519_sign_init_first_pass ,
-.Fn crypto_ed25519_sign_init_second_pass ,
-.Fn crypto_ed25519_sign_update ,
-.Fn crypto_ed25519_sign_final ,
-.Fn crypto_ed25519_check_init
-and
-.Fn crypto_ed25519_check_update
-return nothing.
-.Pp
-.Fn crypto_ed25519_check_final
-returns 0 for legitimate messages and -1 for forgeries.
-.Sh SEE ALSO
-.Xr crypto_blake2b 3monocypher ,
-.Xr crypto_key_exchange 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_ed25519_sign 3monocypher ,
-.Xr crypto_sign 3monocypher ,
-.Xr crypto_sign_init_first_pass 3monocypher ,
-.Xr crypto_sha512 3monocypher ,
-.Xr crypto_wipe 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement Ed25519 as described in RFC 8032.
-.Sh HISTORY
-The
-.Fn crypto_ed25519_sign_init_first_pass ,
-.Fn crypto_ed25519_sign_update ,
-.Fn crypto_ed25519_sign_final ,
-.Fn crypto_ed25519_sign_init_second_pass ,
-.Fn crypto_ed25519_check_init ,
-.Fn crypto_ed25519_check_update ,
-and
-.Fn crypto_ed25519_check_final
-functions first appeared in Monocypher 3.0.0.
-They replace recompilation of Monocypher with the
-.Dv ED25519_SHA512
-preprocessor definition.
diff --git a/vendor/doc/man/man3/optional/crypto_ed25519_sign_init_second_pass.3monocypher b/vendor/doc/man/man3/optional/crypto_ed25519_sign_init_second_pass.3monocypher
deleted file mode 120000
index a2ccd03..0000000
--- a/vendor/doc/man/man3/optional/crypto_ed25519_sign_init_second_pass.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_ed25519_sign_init_first_pass.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_ed25519_sign_update.3monocypher b/vendor/doc/man/man3/optional/crypto_ed25519_sign_update.3monocypher
deleted file mode 120000
index a2ccd03..0000000
--- a/vendor/doc/man/man3/optional/crypto_ed25519_sign_update.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_ed25519_sign_init_first_pass.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_from_ed25519_private.3monocypher b/vendor/doc/man/man3/optional/crypto_from_ed25519_private.3monocypher
deleted file mode 100644
index 328eb82..0000000
--- a/vendor/doc/man/man3/optional/crypto_from_ed25519_private.3monocypher
+++ /dev/null
@@ -1,87 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2020 by Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd May 24, 2020
-.Dt CRYPTO_FROM_ED25519_PRIVATE 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_from_ed25519_private ,
-.Nm crypto_from_ed25519_public
-.Nd conversion of key pairs for EdDSA with BLAKE2b to X25519 key pairs
-.Sh SYNOPSIS
-.In monocypher-ed25519.h
-.Ft void
-.Fo crypto_from_ed25519_private
-.Fa "uint8_t x25519[32]"
-.Fa "const uint8_t eddsa[32]"
-.Fc
-.Ft void
-.Fo crypto_from_ed25519_public
-.Fa "uint8_t x25519[32]"
-.Fa "const uint8_t eddsa[32]"
-.Fc
-.Sh DESCRIPTION
-These functions work like
-.Xr crypto_from_eddsa_private 3monocypher
-and
-.Xr crypto_from_eddsa_public 3monocypher ,
-except that they operate on Ed25519 key pairs
-rather than key pairs for EdDSA with BLAKE2b.
-Please see the documentation for those functions for details.
-.Sh IMPLEMENTATION DETAILS
-.Fn crypto_from_ed25519_public
-is actually implemented as a macro that aliases to
-.Xr crypto_from_eddsa_public 3monocypher .
-.Sh HISTORY
-The
-.Fn crypto_from_ed25519_private
-and
-.Fn crypto_from_ed25519_public
-functions first appeared in Monocypher 3.1.0.
diff --git a/vendor/doc/man/man3/optional/crypto_from_ed25519_public.3monocypher b/vendor/doc/man/man3/optional/crypto_from_ed25519_public.3monocypher
deleted file mode 120000
index 8c31b15..0000000
--- a/vendor/doc/man/man3/optional/crypto_from_ed25519_public.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_from_ed25519_private.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_hmac_sha512.3monocypher b/vendor/doc/man/man3/optional/crypto_hmac_sha512.3monocypher
deleted file mode 100644
index 59b4e48..0000000
--- a/vendor/doc/man/man3/optional/crypto_hmac_sha512.3monocypher
+++ /dev/null
@@ -1,227 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2019-2020 by Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd March 2, 2020
-.Dt CRYPTO_HMAC_SHA512 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_hmac_sha512 ,
-.Nm crypto_hmac_sha512_init ,
-.Nm crypto_hmac_sha512_update ,
-.Nm crypto_hmac_sha512_final
-.Nd cryptographic hash-based message authentication code with SHA-512
-.Sh SYNOPSIS
-.In monocypher-ed25519.h
-.Ft void
-.Fo crypto_hmac_sha512
-.Fa "uint8_t hmac[64]"
-.Fa "const uint8_t *key"
-.Fa "size_t key_size"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft void
-.Fo crypto_hmac_sha512_init
-.Fa "crypto_hmac_sha512_ctx *ctx"
-.Fa "const uint8_t *key"
-.Fa "size_t key_size"
-.Fc
-.Ft void
-.Fo crypto_hmac_sha512_update
-.Fa "crypto_hmac_sha512_ctx *ctx"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft void
-.Fo crypto_hmac_sha512_final
-.Fa "crypto_hmac_sha512_ctx *ctx"
-.Fa "uint8_t hmac[64]"
-.Fc
-.Sh DESCRIPTION
-HMAC with SHA-512 is a cryptographically secure message authentication
-code (MAC),
-provided to enable compatibility with other cryptographic systems.
-It is generally recommended to use
-.Xr crypto_blake2b_general 3monocypher
-instead,
-as it performs faster on x86_64 CPUs.
-.Pp
-The arguments are:
-.Bl -tag -width Ds
-.It Fa hmac
-The output MAC,
-which is always 64 bytes long.
-.It Fa key
-Some secret key.
-One cannot predict the final hash without it.
-Users may want to wipe the key with
-.Xr crypto_wipe 3monocypher
-once they are done with it.
-.It Fa key_size
-Length of
-.Fa key ,
-in bytes.
-32 is a good default.
-Keys longer than 128 bytes will be reduced to 64 bytes by hashing
-the key with SHA-512.
-.It Fa message
-The message to compute the HMAC for.
-May overlap with
-.Fa hmac .
-May be
-.Dv NULL
-if
-.Fa message_size
-is 0.
-.It Fa message_size
-Length of
-.Fa message ,
-in bytes.
-.El
-.Pp
-An incremental interface is provided.
-It is useful for handling streams of data or
-large files without using too much memory.
-This interface uses three steps:
-.Bl -bullet
-.It
-initialisation with
-.Fn crypto_hmac_sha512_init ,
-which sets up a context with the hashing parameters;
-.It
-update with
-.Fn crypto_hmac_sha512_update ,
-which hashes the message chunk by chunk, and keep the intermediary
-result in the context;
-.It
-and finalisation with
-.Fn crypto_hmac_sha512_final ,
-which produces the final hash.
-The
-.Ft crypto_hmac_sha512_ctx
-is automatically wiped upon finalisation.
-.El
-.Pp
-.Fn crypto_hmac_sha512
-is a convenience function that
-performs
-.Fn crypto_hmac_sha512_init ,
-.Fn crypto_hmac_sha512_update ,
-and
-.Fn crypto_hmac_sha512_final .
-.Pp
-MACs may be truncated safely down to at most 16 bytes;
-the
-.Xr crypto_verify64 3monocypher ,
-.Xr crypto_verify32 3monocypher ,
-and
-.Xr crypto_verify16 3monocypher
-functions can be used to to compare (possibly truncated) MACs.
-.Sh RETURN VALUES
-These functions return nothing.
-.Sh EXAMPLES
-The following examples assume the existence of
-.Fn arc4random_buf ,
-which fills the given buffer with cryptographically secure random bytes.
-If
-.Fn arc4random_buf
-does not exist on your system, see
-.Xr intro 3monocypher
-for advice about how to generate cryptographically secure random bytes.
-.Pp
-Computing a message authentication code all at once:
-.Bd -literal -offset indent
-uint8_t hash [64]; /* Output hash (between 1 and 64 bytes) */
-uint8_t key [32]; /* Key (at least 1 byte) */
-uint8_t message[10] = "Lorem ipsu"; /* Message to authenticate */
-arc4random_buf(key, 32);
-crypto_hmac_sha512(hash, key, 32, message, 500);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(message, 500);
-crypto_wipe(key, 32);
-.Ed
-.Pp
-Computing a message authentication code incrementally:
-.Bd -literal -offset indent
-uint8_t hash [64]; /* Output hash (between 1 and 64 bytes) */
-uint8_t key [32]; /* Key (at least 1 byte) */
-uint8_t message[500] = {1}; /* Message to authenticate */
-crypto_hmac_sha512_ctx ctx;
-arc4random_buf(key, 32);
-crypto_hmac_sha512_init(&ctx, key, 32);
-/* Wipe the key */
-crypto_wipe(key, 32);
-for (size_t i = 0; i < 500; i += 100) {
- crypto_hmac_sha512_update(&ctx, message + i, 100);
- /* Wipe secrets if they are no longer needed */
- crypto_wipe(message + i, 100);
-}
-crypto_hmac_sha512_final(&ctx, hash);
-.Ed
-.Sh SEE ALSO
-.Xr crypto_blake2b 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_poly1305 3monocypher ,
-.Xr crypto_sha512 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement HMAC with SHA-512.
-HMAC and SHA-512 itself are described in RFC 6234;
-SHA-512 is also described in the Federal Information Processing Standard
-(FIPS) 180-4;
-HMAC is also described in FIPS 198-1.
-.Sh HISTORY
-The
-.Fn crypto_hmac_sha512 ,
-.Fn crypto_hmac_sha512_init ,
-.Fn crypto_hmac_sha512_update ,
-and
-.Fn crypto_hmac_sha512_final
-functions first appeared in Monocypher 3.0.0.
diff --git a/vendor/doc/man/man3/optional/crypto_hmac_sha512_final.3monocypher b/vendor/doc/man/man3/optional/crypto_hmac_sha512_final.3monocypher
deleted file mode 120000
index fee9097..0000000
--- a/vendor/doc/man/man3/optional/crypto_hmac_sha512_final.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_hmac_sha512.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_hmac_sha512_init.3monocypher b/vendor/doc/man/man3/optional/crypto_hmac_sha512_init.3monocypher
deleted file mode 120000
index fee9097..0000000
--- a/vendor/doc/man/man3/optional/crypto_hmac_sha512_init.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_hmac_sha512.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_hmac_sha512_update.3monocypher b/vendor/doc/man/man3/optional/crypto_hmac_sha512_update.3monocypher
deleted file mode 120000
index fee9097..0000000
--- a/vendor/doc/man/man3/optional/crypto_hmac_sha512_update.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_hmac_sha512.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_sha512.3monocypher b/vendor/doc/man/man3/optional/crypto_sha512.3monocypher
deleted file mode 100644
index 0fdb603..0000000
--- a/vendor/doc/man/man3/optional/crypto_sha512.3monocypher
+++ /dev/null
@@ -1,213 +0,0 @@
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2019-2020 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2019-2020 by Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd February 5, 2020
-.Dt CRYPTO_SHA512 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_sha512 ,
-.Nm crypto_sha512_init ,
-.Nm crypto_sha512_update ,
-.Nm crypto_sha512_final
-.Nd cryptographic hashing with the SHA-512 algorithm
-.Sh SYNOPSIS
-.In monocypher-ed25519.h
-.Ft void
-.Fo crypto_sha512
-.Fa "uint8_t hash[64]"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft void
-.Fo crypto_sha512_init
-.Fa "crypto_sha512_ctx *ctx"
-.Fc
-.Ft void
-.Fo crypto_sha512_update
-.Fa "crypto_sha512_ctx *ctx"
-.Fa "const uint8_t *message"
-.Fa "size_t message_size"
-.Fc
-.Ft void
-.Fo crypto_sha512_final
-.Fa "crypto_sha512_ctx *ctx"
-.Fa "uint8_t hash[64]"
-.Fc
-.Sh DESCRIPTION
-SHA-512 is a cryptographically secure hash,
-provided to enable compatibility with other cryptographic systems.
-It is generally recommended to use
-.Xr crypto_blake2b 3monocypher
-instead,
-as it both performs faster on x86_64 CPUs and
-lacks many of the pitfalls of SHA-512.
-.Pp
-Note that SHA-512 itself is not suitable for hashing passwords and
-deriving keys from them;
-use the
-.Xr crypto_argon2i 3monocypher
-family of functions for that purpose instead.
-.Pp
-SHA-512 is
-.Em vulnerable to length extension attacks ;
-using it as a message authentication code (MAC) algorithm or keyed hash
-requires precautions.
-The
-.Xr crypto_hmac_sha512 3monocypher
-family of functions provides HMAC with SHA-512.
-Use
-.Xr crypto_verify64 3monocypher
-to compare MACs created this way.
-.Pp
-The arguments are:
-.Bl -tag -width Ds
-.It Fa hash
-The output hash,
-which is always 64 bytes long.
-.It Fa message
-The message to hash.
-May overlap with
-.Fa hash .
-May be
-.Dv NULL
-if
-.Fa message_size
-is 0.
-.It Fa message_size
-Length of
-.Fa message ,
-in bytes.
-.El
-.Pp
-An incremental interface is provided.
-It is useful for handling streams of data or
-large files without using too much memory.
-This interface uses three steps:
-.Bl -bullet
-.It
-initialisation with
-.Fn crypto_sha512_init ,
-which sets up a context with the hashing parameters;
-.It
-update with
-.Fn crypto_sha512_update ,
-which hashes the message chunk by chunk, and keep the intermediary
-result in the context;
-.It
-and finalisation with
-.Fn crypto_sha512_final ,
-which produces the final hash.
-The
-.Ft crypto_sha512_ctx
-is automatically wiped upon finalisation.
-.El
-.Pp
-.Fn crypto_sha512
-is a convenience function that
-performs
-.Fn crypto_sha512_init ,
-.Fn crypto_sha512_update ,
-and
-.Fn crypto_sha512_final .
-.Sh RETURN VALUES
-These functions return nothing.
-.Sh EXAMPLES
-Hashing a message all at once:
-.Bd -literal -offset indent
-uint8_t hash [64]; /* Output hash (64 bytes) */
-uint8_t message[12] = "Lorem ipsum"; /* Message to hash */
-crypto_sha512(hash, message, 12);
-.Ed
-.Pp
-Hashing a message incrementally:
-.Bd -literal -offset indent
-uint8_t hash [ 64]; /* Output hash (64 bytes) */
-uint8_t message[500] = {1}; /* Message to hash */
-crypto_sha512_ctx ctx;
-crypto_sha512_init(&ctx);
-for (size_t i = 0; i < 500; i += 100) {
- crypto_sha512_update(&ctx, message + i, 100);
-}
-crypto_sha512_final(&ctx, hash);
-.Ed
-.Sh SEE ALSO
-.Xr crypto_blake2b 3monocypher ,
-.Xr crypto_hmac_sha512 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement SHA-512, described in RFC 6234 and
-the Federal Information Processing Standard (FIPS) 180-4.
-.Sh HISTORY
-The
-.Fn crypto_sha512 ,
-.Fn crypto_sha512_init ,
-.Fn crypto_sha512_update ,
-and
-.Fn crypto_sha512_final
-functions first appeared in Monocypher 0.3;
-they were not intended for use outside Monocypher itself and thus
-undocumented.
-They became part of the official API in Monocypher 3.0.0.
-.Sh SECURITY CONSIDERATIONS
-SHA-512 is a general-purpose cryptographic hash function;
-this means that it is not suited for hashing passwords and deriving
-cryptographic keys from passwords in particular.
-While cryptographic keys usually have hundreds of bits of entropy,
-passwords are often much less complex.
-When storing passwords as hashes or when deriving keys from them,
-the goal is normally to prevent attackers from quickly iterating all
-possible passwords.
-Because passwords tend to be simple,
-it is important to artificially slow down attackers by using especially
-computationally difficult hashing algorithms.
-Monocypher therefore provides
-.Xr crypto_argon2i 3monocypher
-for password hashing and deriving keys from passwords.
diff --git a/vendor/doc/man/man3/optional/crypto_sha512_final.3monocypher b/vendor/doc/man/man3/optional/crypto_sha512_final.3monocypher
deleted file mode 120000
index c7fecc6..0000000
--- a/vendor/doc/man/man3/optional/crypto_sha512_final.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_sha512.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_sha512_init.3monocypher b/vendor/doc/man/man3/optional/crypto_sha512_init.3monocypher
deleted file mode 120000
index c7fecc6..0000000
--- a/vendor/doc/man/man3/optional/crypto_sha512_init.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_sha512.3monocypher
\ No newline at end of file
diff --git a/vendor/doc/man/man3/optional/crypto_sha512_update.3monocypher b/vendor/doc/man/man3/optional/crypto_sha512_update.3monocypher
deleted file mode 120000
index c7fecc6..0000000
--- a/vendor/doc/man/man3/optional/crypto_sha512_update.3monocypher
+++ /dev/null
@@ -1 +0,0 @@
-crypto_sha512.3monocypher
\ No newline at end of file