diff --git a/.gitignore b/.gitignore
index 8f21d48f..ab2bf5ab 100644
--- a/.gitignore
+++ b/.gitignore
@@ -81,7 +81,9 @@ test/default/*.asm.js
test/default/*.res
test/default/*.trs
test/default/aead_aes256gcm
+test/default/aead_aes256gcm2
test/default/aead_chacha20poly1305
+test/default/aead_chacha20poly13052
test/default/aead_xchacha20poly1305
test/default/auth
test/default/auth2
@@ -131,6 +133,7 @@ test/default/scalarmult2
test/default/scalarmult5
test/default/scalarmult6
test/default/scalarmult7
+test/default/scalarmult8
test/default/secretbox
test/default/secretbox2
test/default/secretbox7
diff --git a/ChangeLog b/ChangeLog
index 2c6f7f17..ece44d44 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,33 @@
+* Version 1.0.17
+ - Bug fix: `sodium_pad()` didn't properly support block sizes >= 256 bytes.
+ - JS/WebAssembly: some old iOS versions can't instantiate the WebAssembly
+module; fall back to Javascript on these.
+ - JS/WebAssembly: compatibility with newer Emscripten versions.
+ - Bug fix: `crypto_pwhash_scryptsalsa208sha256_str_verify()` and
+`crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()` didn't return
+`EINVAL` on input strings with a short length, unlike their high-level
+counterpart.
+ - Added a workaround for Visual Studio 2010 bug causing CPU features
+not to be detected.
+ - Portability improvements.
+ - Test vectors from Project Wycheproof have been added.
+ - New low-level APIs for arithmetic mod the order of the prime order group:
+`crypto_core_ed25519_scalar_random()`, `crypto_core_ed25519_scalar_reduce()`,
+`crypto_core_ed25519_scalar_invert()`, `crypto_core_ed25519_scalar_negate()`,
+`crypto_core_ed25519_scalar_complement()`, `crypto_core_ed25519_scalar_add()`
+and `crypto_core_ed25519_scalar_sub()`.
+ - New low-level APIs for scalar multiplication without clamping:
+`crypto_scalarmult_ed25519_base_noclamp()`,
+and `crypto_scalarmult_ed25519_noclamp()`. These new APIs are
+especially useful for blinding.
+ - `sodium_sub()` has been implemented.
+ - Support for WatchOS has been added.
+ - getrandom(2) is now used on FreeBSD 12+.
+ - The `nonnull` attribute has been added to all relevant prototypes.
+ - More reliable AVX512 detection.
+ - Javascript/Webassembly builds now use dynamic memory growth
+
* Version 1.0.16
- Signatures computations and verifications are now way faster on
64-bit platforms with compilers supporting 128-bit arithmetic (gcc,
diff --git a/Makefile.in b/Makefile.in
index 7b78b894..9d48fe27 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -207,9 +207,7 @@ am__DIST_COMMON = $(srcdir)/Makefile.in \
$(top_srcdir)/src/libsodium/include/sodium/version.h.in \
AUTHORS ChangeLog THANKS build-aux/compile \
build-aux/config.guess build-aux/config.sub \
- build-aux/install-sh build-aux/ltmain.sh build-aux/missing \
- compile config.guess config.sub depcomp install-sh ltmain.sh \
- missing
+ build-aux/install-sh build-aux/ltmain.sh build-aux/missing
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
@@ -309,7 +307,6 @@ INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-ISODATE = @ISODATE@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
diff --git a/README.markdown b/README.markdown
index 815240ab..b986ca1c 100644
--- a/README.markdown
+++ b/README.markdown
@@ -21,7 +21,7 @@ as well as Javascript and Webassembly.
## Documentation
-The documentation is available on Gitbook:
+The documentation is available on Gitbook and built from the [libsodium-doc](https://github.com/jedisct1/libsodium-doc) repository:
* [libsodium documentation](https://download.libsodium.org/doc/) -
online, requires Javascript.
@@ -31,7 +31,7 @@ in PDF, MOBI and ePUB formats.
## Integrity Checking
The integrity checking instructions (including the signing key for libsodium)
-are available in the [installation](https://download.libsodium.org/doc/installation/index.html#integrity-checking)
+are available in the [installation](https://download.libsodium.org/doc/installation#integrity-checking)
section of the documentation.
## Community
diff --git a/THANKS b/THANKS
index 0d0da788..a4b6e70f 100644
--- a/THANKS
+++ b/THANKS
@@ -15,6 +15,7 @@ libsodium bindings for their favorite programming languages:
@neheb
Adam Caudill (@adamcaudill)
+Alexander Ilin (@AlexIljin)
Alexander Morris (@alexpmorris)
Amit Murthy (@amitmurthy)
Andrew Bennett (@potatosalad)
diff --git a/builds/Makefile.in b/builds/Makefile.in
index afe42501..a140757b 100644
--- a/builds/Makefile.in
+++ b/builds/Makefile.in
@@ -185,7 +185,6 @@ INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-ISODATE = @ISODATE@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
diff --git a/builds/msvc/resource.rc b/builds/msvc/resource.rc
index cb30e7b1..db9c5226 100644
--- a/builds/msvc/resource.rc
+++ b/builds/msvc/resource.rc
@@ -4,8 +4,8 @@
#include "windows.h"
//specify the version numbers for the dll's
-#define LIBSODIUM_VERSION_STRING "1.0.16.0"
-#define LIBSODIUM_VERSION_BIN 1,0,16,0
+#define LIBSODIUM_VERSION_STRING "1.0.17.0"
+#define LIBSODIUM_VERSION_BIN 1,0,17,0
//specify the product name for the dlls based on the platform we are compiling for
#if defined(x64)
@@ -47,7 +47,7 @@ BEGIN
VALUE "FileDescription", "The Sodium crypto library (libsodium) "
VALUE "FileVersion", LIBSODIUM_VERSION_STRING
VALUE "InternalName", "libsodium"
- VALUE "LegalCopyright", "Copyright (c) 2017 The libsodium authors."
+ VALUE "LegalCopyright", "Copyright (c) 2013-2019 The libsodium authors."
VALUE "OriginalFilename", "libsodium.dll"
VALUE "ProductName", LIBSODIUM_PRODUCT_NAME
VALUE "ProductVersion", LIBSODIUM_VERSION_STRING
diff --git a/builds/msvc/version.h b/builds/msvc/version.h
index 56ec2b95..031d298f 100644
--- a/builds/msvc/version.h
+++ b/builds/msvc/version.h
@@ -4,10 +4,10 @@
#include "export.h"
-#define SODIUM_VERSION_STRING "1.0.16"
+#define SODIUM_VERSION_STRING "1.0.17"
#define SODIUM_LIBRARY_VERSION_MAJOR 10
-#define SODIUM_LIBRARY_VERSION_MINOR 1
+#define SODIUM_LIBRARY_VERSION_MINOR 2
#ifdef __cplusplus
extern "C" {
diff --git a/builds/msvc/vs2010/libsodium/libsodium.vcxproj b/builds/msvc/vs2010/libsodium/libsodium.vcxproj
index c5848161..ec340a17 100644
--- a/builds/msvc/vs2010/libsodium/libsodium.vcxproj
+++ b/builds/msvc/vs2010/libsodium/libsodium.vcxproj
@@ -259,6 +259,7 @@
+
diff --git a/builds/msvc/vs2010/libsodium/libsodium.vcxproj.filters b/builds/msvc/vs2010/libsodium/libsodium.vcxproj.filters
index 80701640..079094b9 100644
--- a/builds/msvc/vs2010/libsodium/libsodium.vcxproj.filters
+++ b/builds/msvc/vs2010/libsodium/libsodium.vcxproj.filters
@@ -566,6 +566,9 @@
include\sodium\private
+
+ include\sodium\private
+
include\sodium\private
diff --git a/builds/msvc/vs2012/libsodium/libsodium.vcxproj b/builds/msvc/vs2012/libsodium/libsodium.vcxproj
index 72040cbf..f140d161 100644
--- a/builds/msvc/vs2012/libsodium/libsodium.vcxproj
+++ b/builds/msvc/vs2012/libsodium/libsodium.vcxproj
@@ -259,6 +259,7 @@
+
diff --git a/builds/msvc/vs2012/libsodium/libsodium.vcxproj.filters b/builds/msvc/vs2012/libsodium/libsodium.vcxproj.filters
index 80701640..079094b9 100644
--- a/builds/msvc/vs2012/libsodium/libsodium.vcxproj.filters
+++ b/builds/msvc/vs2012/libsodium/libsodium.vcxproj.filters
@@ -566,6 +566,9 @@
include\sodium\private
+
+ include\sodium\private
+
include\sodium\private
diff --git a/builds/msvc/vs2013/libsodium/libsodium.vcxproj b/builds/msvc/vs2013/libsodium/libsodium.vcxproj
index b60bc018..cddd4ad6 100644
--- a/builds/msvc/vs2013/libsodium/libsodium.vcxproj
+++ b/builds/msvc/vs2013/libsodium/libsodium.vcxproj
@@ -259,6 +259,7 @@
+
diff --git a/builds/msvc/vs2013/libsodium/libsodium.vcxproj.filters b/builds/msvc/vs2013/libsodium/libsodium.vcxproj.filters
index 80701640..079094b9 100644
--- a/builds/msvc/vs2013/libsodium/libsodium.vcxproj.filters
+++ b/builds/msvc/vs2013/libsodium/libsodium.vcxproj.filters
@@ -566,6 +566,9 @@
include\sodium\private
+
+ include\sodium\private
+
include\sodium\private
diff --git a/builds/msvc/vs2015/libsodium/libsodium.vcxproj b/builds/msvc/vs2015/libsodium/libsodium.vcxproj
index 00d5bfb3..230086a9 100644
--- a/builds/msvc/vs2015/libsodium/libsodium.vcxproj
+++ b/builds/msvc/vs2015/libsodium/libsodium.vcxproj
@@ -259,6 +259,7 @@
+
diff --git a/builds/msvc/vs2015/libsodium/libsodium.vcxproj.filters b/builds/msvc/vs2015/libsodium/libsodium.vcxproj.filters
index 80701640..079094b9 100644
--- a/builds/msvc/vs2015/libsodium/libsodium.vcxproj.filters
+++ b/builds/msvc/vs2015/libsodium/libsodium.vcxproj.filters
@@ -566,6 +566,9 @@
include\sodium\private
+
+ include\sodium\private
+
include\sodium\private
diff --git a/builds/msvc/vs2017/libsodium/libsodium.vcxproj b/builds/msvc/vs2017/libsodium/libsodium.vcxproj
index ed26b978..8a175e0b 100644
--- a/builds/msvc/vs2017/libsodium/libsodium.vcxproj
+++ b/builds/msvc/vs2017/libsodium/libsodium.vcxproj
@@ -259,6 +259,7 @@
+
diff --git a/builds/msvc/vs2017/libsodium/libsodium.vcxproj.filters b/builds/msvc/vs2017/libsodium/libsodium.vcxproj.filters
index 80701640..079094b9 100644
--- a/builds/msvc/vs2017/libsodium/libsodium.vcxproj.filters
+++ b/builds/msvc/vs2017/libsodium/libsodium.vcxproj.filters
@@ -566,6 +566,9 @@
include\sodium\private
+
+ include\sodium\private
+
include\sodium\private
diff --git a/configure b/configure
index a757e6ee..0d59f16b 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libsodium 1.0.16.
+# Generated by GNU Autoconf 2.69 for libsodium 1.0.17.
#
# Report bugs to .
#
@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='libsodium'
PACKAGE_TARNAME='libsodium'
-PACKAGE_VERSION='1.0.16'
-PACKAGE_STRING='libsodium 1.0.16'
+PACKAGE_VERSION='1.0.17'
+PACKAGE_STRING='libsodium 1.0.17'
PACKAGE_BUGREPORT='https://github.com/jedisct1/libsodium/issues'
PACKAGE_URL='https://github.com/jedisct1/libsodium'
@@ -732,7 +732,6 @@ DLL_VERSION
SODIUM_LIBRARY_VERSION
SODIUM_LIBRARY_VERSION_MINOR
SODIUM_LIBRARY_VERSION_MAJOR
-ISODATE
am__nodep
AMDEPBACKSLASH
AMDEP_FALSE
@@ -828,6 +827,7 @@ enable_minimal
with_pthreads
with_safecode
with_ctgrind
+enable_retpoline
enable_debug
enable_opt
enable_valgrind
@@ -1400,7 +1400,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures libsodium 1.0.16 to adapt to many kinds of systems.
+\`configure' configures libsodium 1.0.17 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1470,7 +1470,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of libsodium 1.0.16:";;
+ short | recursive ) echo "Configuration of libsodium 1.0.17:";;
esac
cat <<\_ACEOF
@@ -1498,6 +1498,7 @@ Optional Features:
broken on the target platform
--enable-minimal Only compile the minimum set of functions required
for the high-level API
+ --enable-retpoline Use return trampolines for indirect calls
--enable-debug For maintainers only - please do not use
--enable-opt Optimize for the native CPU - The resulting library
will be faster but not portable
@@ -1620,7 +1621,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-libsodium configure 1.0.16
+libsodium configure 1.0.17
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2043,7 +2044,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by libsodium $as_me 1.0.16, which was
+It was created by libsodium $as_me 1.0.17, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2979,7 +2980,7 @@ fi
# Define the identity of the package.
PACKAGE='libsodium'
- VERSION='1.0.16'
+ VERSION='1.0.17'
cat >>confdefs.h <<_ACEOF
@@ -3271,13 +3272,11 @@ fi
-ISODATE=`date +%Y-%m-%d`
-
SODIUM_LIBRARY_VERSION_MAJOR=10
-SODIUM_LIBRARY_VERSION_MINOR=1
+SODIUM_LIBRARY_VERSION_MINOR=2
DLL_VERSION=8
-SODIUM_LIBRARY_VERSION=24:0:1
+SODIUM_LIBRARY_VERSION=25:0:2
# | | |
# +------+ | +---+
# | | |
@@ -5555,6 +5554,124 @@ fi
fi
+# Check whether --enable-retpoline was given.
+if test "${enable_retpoline+set}" = set; then :
+ enableval=$enable_retpoline; if test "x$enableval" = "xyes"; then :
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mindirect-branch=thunk-inline" >&5
+$as_echo_n "checking whether C compiler accepts -mindirect-branch=thunk-inline... " >&6; }
+if ${ax_cv_check_cflags___mindirect_branch_thunk_inline+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -mindirect-branch=thunk-inline"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include
+int
+main ()
+{
+time_t x; int fodder = 0; if (fodder > -1000 && time(&x)) return (int) x
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ax_cv_check_cflags___mindirect_branch_thunk_inline=yes
+else
+ ax_cv_check_cflags___mindirect_branch_thunk_inline=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mindirect_branch_thunk_inline" >&5
+$as_echo "$ax_cv_check_cflags___mindirect_branch_thunk_inline" >&6; }
+if test "x$ax_cv_check_cflags___mindirect_branch_thunk_inline" = xyes; then :
+ CFLAGS="$CFLAGS -mindirect-branch=thunk-inline"
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mretpoline" >&5
+$as_echo_n "checking whether C compiler accepts -mretpoline... " >&6; }
+if ${ax_cv_check_cflags___mretpoline+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -mretpoline"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include
+int
+main ()
+{
+time_t x; int fodder = 0; if (fodder > -1000 && time(&x)) return (int) x
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ax_cv_check_cflags___mretpoline=yes
+else
+ ax_cv_check_cflags___mretpoline=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5
+$as_echo "$ax_cv_check_cflags___mretpoline" >&6; }
+if test "x$ax_cv_check_cflags___mretpoline" = xyes; then :
+ CFLAGS="$CFLAGS -mretpoline"
+else
+ :
+fi
+
+
+fi
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mindirect-branch-register" >&5
+$as_echo_n "checking whether C compiler accepts -mindirect-branch-register... " >&6; }
+if ${ax_cv_check_cflags___mindirect_branch_register+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -mindirect-branch-register"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include
+int
+main ()
+{
+time_t x; int fodder = 0; if (fodder > -1000 && time(&x)) return (int) x
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ax_cv_check_cflags___mindirect_branch_register=yes
+else
+ ax_cv_check_cflags___mindirect_branch_register=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mindirect_branch_register" >&5
+$as_echo "$ax_cv_check_cflags___mindirect_branch_register" >&6; }
+if test "x$ax_cv_check_cflags___mindirect_branch_register" = xyes; then :
+ :
+else
+ :
+fi
+
+
+fi
+
+fi
+
+
ENABLE_CWFLAGS=no
# Check whether --enable-debug was given.
if test "${enable_debug+set}" = set; then :
@@ -8838,6 +8955,42 @@ _ACEOF
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: thread local storage is supported" >&5
$as_echo "thread local storage is supported" >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -ftls-model=local-dynamic" >&5
+$as_echo_n "checking whether C compiler accepts -ftls-model=local-dynamic... " >&6; }
+if ${ax_cv_check_cflags___ftls_model_local_dynamic+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -ftls-model=local-dynamic"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include
+int
+main ()
+{
+time_t x; int fodder = 0; if (fodder > -1000 && time(&x)) return (int) x
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ax_cv_check_cflags___ftls_model_local_dynamic=yes
+else
+ ax_cv_check_cflags___ftls_model_local_dynamic=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___ftls_model_local_dynamic" >&5
+$as_echo "$ax_cv_check_cflags___ftls_model_local_dynamic" >&6; }
+if test "x$ax_cv_check_cflags___ftls_model_local_dynamic" = xyes; then :
+ CFLAGS="$CFLAGS -ftls-model=local-dynamic"
+else
+ :
+fi
+
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: thread local storage is not supported" >&5
$as_echo "thread local storage is not supported" >&6; }
@@ -18267,8 +18420,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
# error libsodium currently expects a little endian CPU for the 128-bit type
#endif
#ifdef __EMSCRIPTEN__
-# error emscripten currently supports only shift operations on integers \
-# larger than 64 bits
+# error emscripten currently doesn't support some operations on integers larger than 64 bits
#endif
#include
#include
@@ -18279,6 +18431,8 @@ typedef unsigned uint128_t __attribute__((mode(TI)));
#endif
void fcontract(uint128_t *t) {
*t += 0x8000000000000 - 1;
+ *t *= *t;
+ *t >>= 84;
}
int
@@ -18756,7 +18910,7 @@ _ACEOF
fi
done
- for ac_func in mmap mlock madvise mprotect memset_s explicit_bzero nanosleep
+ for ac_func in mmap mlock madvise mprotect memset_s explicit_bzero explicit_memset nanosleep
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -19776,7 +19930,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by libsodium $as_me 1.0.16, which was
+This file was extended by libsodium $as_me 1.0.17, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -19834,7 +19988,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-libsodium config.status 1.0.16
+libsodium config.status 1.0.17
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index 124085c6..6d7c6ea4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
AC_PREREQ([2.65])
-AC_INIT([libsodium],[1.0.16],
+AC_INIT([libsodium],[1.0.17],
[https://github.com/jedisct1/libsodium/issues],
[libsodium],
[https://github.com/jedisct1/libsodium])
@@ -13,13 +13,11 @@ AM_MAINTAINER_MODE
AM_DEP_TRACK
AC_SUBST(VERSION)
-ISODATE=`date +%Y-%m-%d`
-AC_SUBST(ISODATE)
SODIUM_LIBRARY_VERSION_MAJOR=10
-SODIUM_LIBRARY_VERSION_MINOR=1
+SODIUM_LIBRARY_VERSION_MINOR=2
DLL_VERSION=8
-SODIUM_LIBRARY_VERSION=24:0:1
+SODIUM_LIBRARY_VERSION=25:0:2
# | | |
# +------+ | +---+
# | | |
@@ -151,6 +149,17 @@ AC_ARG_WITH(ctgrind,
])
])
+AC_ARG_ENABLE(retpoline,
+[AS_HELP_STRING(--enable-retpoline,Use return trampolines for indirect calls)],
+[AS_IF([test "x$enableval" = "xyes"], [
+ AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk-inline],
+ [CFLAGS="$CFLAGS -mindirect-branch=thunk-inline"],
+ [AX_CHECK_COMPILE_FLAG([-mretpoline], [CFLAGS="$CFLAGS -mretpoline"])]
+ )
+ AX_CHECK_COMPILE_FLAG([-mindirect-branch-register])
+ ])
+])
+
ENABLE_CWFLAGS=no
AC_ARG_ENABLE(debug,
[AS_HELP_STRING(--enable-debug,For maintainers only - please do not use)],
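Review bot: `AX_CHECK_COMPILE_FLAG([-mindirect-branch-register])` in the new `--enable-retpoline` block is called without an action, so the flag is probed but never appended to `CFLAGS`; the generated `configure` in this same diff shows both branches of that check expanding to `:`. If the intent is to keep indirect-branch targets in registers alongside the thunks, pass the action: `AX_CHECK_COMPILE_FLAG([-mindirect-branch-register], [CFLAGS="$CFLAGS -mindirect-branch-register"])`. Separately, when neither `-mindirect-branch=thunk-inline` nor `-mretpoline` is accepted, the option silently does nothing. An `AC_MSG_WARN` in the inner not-found branch would tell a builder who asked for this hardening that it was not applied.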
@@ -328,7 +337,9 @@ AX_CHECK_CATCHABLE_SEGV
AX_CHECK_CATCHABLE_ABRT
AS_IF([test "x$with_threads" = "xyes"], [
- AX_TLS([AC_MSG_RESULT(thread local storage is supported)],
+ AX_TLS([AC_MSG_RESULT(thread local storage is supported)
+ AX_CHECK_COMPILE_FLAG([-ftls-model=local-dynamic],
+ [CFLAGS="$CFLAGS -ftls-model=local-dynamic"])],
[AC_MSG_RESULT(thread local storage is not supported)]) ])
LT_INIT
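Review bot: `-ftls-model=local-dynamic` is appended to the global `CFLAGS` with no comment on why this model was chosen or what it assumes. The local-dynamic model is only valid for thread-local variables that are defined in the same module that references them, so a later thread-local that crosses the library boundary would break that assumption without any build-time signal. A short `dnl` note above the check would record the constraint, for example `dnl local-dynamic: every thread-local variable must be defined and used inside libsodium itself`. Whether the current thread-local variables satisfy this cannot be confirmed from the hunk.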
@@ -660,8 +671,7 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
# error libsodium currently expects a little endian CPU for the 128-bit type
#endif
#ifdef __EMSCRIPTEN__
-# error emscripten currently supports only shift operations on integers \
-# larger than 64 bits
+# error emscripten currently doesn't support some operations on integers larger than 64 bits
#endif
#include
#include
@@ -672,6 +682,8 @@ typedef unsigned uint128_t __attribute__((mode(TI)));
#endif
void fcontract(uint128_t *t) {
*t += 0x8000000000000 - 1;
+ *t *= *t;
+ *t >>= 84;
}
]], [[
(void) fcontract;
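Review bot: The added `*t *= *t;` and `*t >>= 84;` extend the probe to 128-bit multiplication and a wide shift, but the test still appears to be compile-only (the preceding hunk's header shows it inside `AC_COMPILE_IFELSE`). A target where the multiply is lowered to a runtime helper that is missing at link time would therefore still pass; if that case matters, `AC_LINK_IFELSE` would catch it. At minimum, a `dnl` comment naming the compiler failure these two lines are meant to provoke would help, since the `#error` text only says "some operations". The test program starts and ends outside this hunk.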
@@ -787,7 +799,7 @@ dnl Checks for functions and headers
AC_FUNC_ALLOCA
AS_IF([test "x$EMSCRIPTEN" = "x"],[
AC_CHECK_FUNCS([arc4random arc4random_buf])
- AC_CHECK_FUNCS([mmap mlock madvise mprotect memset_s explicit_bzero nanosleep])
+ AC_CHECK_FUNCS([mmap mlock madvise mprotect memset_s explicit_bzero explicit_memset nanosleep])
])
AC_CHECK_FUNCS([posix_memalign getpid])
diff --git a/contrib/Makefile.in b/contrib/Makefile.in
index 2761514e..0ee01446 100644
--- a/contrib/Makefile.in
+++ b/contrib/Makefile.in
@@ -185,7 +185,6 @@ INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-ISODATE = @ISODATE@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
diff --git a/dist-build/Makefile.am b/dist-build/Makefile.am
index 3d0a0e63..63a8298f 100644
--- a/dist-build/Makefile.am
+++ b/dist-build/Makefile.am
@@ -14,4 +14,5 @@ EXTRA_DIST = \
msys2-win64.sh \
nativeclient-pnacl.sh \
nativeclient-x86.sh \
- nativeclient-x86_64.sh
+ nativeclient-x86_64.sh \
+ watchos.sh
diff --git a/dist-build/Makefile.in b/dist-build/Makefile.in
index 8cd09d76..881c44fa 100644
--- a/dist-build/Makefile.in
+++ b/dist-build/Makefile.in
@@ -185,7 +185,6 @@ INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-ISODATE = @ISODATE@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
@@ -302,7 +301,8 @@ EXTRA_DIST = \
msys2-win64.sh \
nativeclient-pnacl.sh \
nativeclient-x86.sh \
- nativeclient-x86_64.sh
+ nativeclient-x86_64.sh \
+ watchos.sh
all: all-am
diff --git a/dist-build/emscripten-symbols.def b/dist-build/emscripten-symbols.def
index 9e6abed1..a9e54229 100644
--- a/dist-build/emscripten-symbols.def
+++ b/dist-build/emscripten-symbols.def
@@ -27,12 +27,12 @@ _crypto_aead_chacha20poly1305_ietf_encrypt 1 1
_crypto_aead_chacha20poly1305_ietf_encrypt_detached 1 1
_crypto_aead_chacha20poly1305_ietf_keybytes 1 1
_crypto_aead_chacha20poly1305_ietf_keygen 1 1
-_crypto_aead_chacha20poly1305_ietf_messagebytes_max 0 0
+_crypto_aead_chacha20poly1305_ietf_messagebytes_max 1 1
_crypto_aead_chacha20poly1305_ietf_npubbytes 1 1
_crypto_aead_chacha20poly1305_ietf_nsecbytes 1 1
_crypto_aead_chacha20poly1305_keybytes 1 1
_crypto_aead_chacha20poly1305_keygen 1 1
-_crypto_aead_chacha20poly1305_messagebytes_max 0 0
+_crypto_aead_chacha20poly1305_messagebytes_max 1 1
_crypto_aead_chacha20poly1305_npubbytes 1 1
_crypto_aead_chacha20poly1305_nsecbytes 1 1
_crypto_aead_xchacha20poly1305_ietf_abytes 1 1
@@ -42,7 +42,7 @@ _crypto_aead_xchacha20poly1305_ietf_encrypt 1 1
_crypto_aead_xchacha20poly1305_ietf_encrypt_detached 1 1
_crypto_aead_xchacha20poly1305_ietf_keybytes 1 1
_crypto_aead_xchacha20poly1305_ietf_keygen 1 1
-_crypto_aead_xchacha20poly1305_ietf_messagebytes_max 0 0
+_crypto_aead_xchacha20poly1305_ietf_messagebytes_max 1 1
_crypto_aead_xchacha20poly1305_ietf_npubbytes 1 1
_crypto_aead_xchacha20poly1305_ietf_nsecbytes 1 1
_crypto_auth 1 1
@@ -91,7 +91,7 @@ _crypto_box_curve25519xchacha20poly1305_easy 0 1
_crypto_box_curve25519xchacha20poly1305_easy_afternm 0 1
_crypto_box_curve25519xchacha20poly1305_keypair 0 1
_crypto_box_curve25519xchacha20poly1305_macbytes 0 1
-_crypto_box_curve25519xchacha20poly1305_messagebytes_max 0 0
+_crypto_box_curve25519xchacha20poly1305_messagebytes_max 1 1
_crypto_box_curve25519xchacha20poly1305_noncebytes 0 1
_crypto_box_curve25519xchacha20poly1305_open_detached 0 1
_crypto_box_curve25519xchacha20poly1305_open_detached_afternm 0 1
@@ -111,7 +111,7 @@ _crypto_box_curve25519xsalsa20poly1305_beforenmbytes 0 1
_crypto_box_curve25519xsalsa20poly1305_boxzerobytes 0 1
_crypto_box_curve25519xsalsa20poly1305_keypair 0 1
_crypto_box_curve25519xsalsa20poly1305_macbytes 0 1
-_crypto_box_curve25519xsalsa20poly1305_messagebytes_max 0 0
+_crypto_box_curve25519xsalsa20poly1305_messagebytes_max 0 1
_crypto_box_curve25519xsalsa20poly1305_noncebytes 0 1
_crypto_box_curve25519xsalsa20poly1305_open 0 1
_crypto_box_curve25519xsalsa20poly1305_open_afternm 0 1
@@ -126,7 +126,7 @@ _crypto_box_easy 1 1
_crypto_box_easy_afternm 1 1
_crypto_box_keypair 1 1
_crypto_box_macbytes 1 1
-_crypto_box_messagebytes_max 0 0
+_crypto_box_messagebytes_max 1 1
_crypto_box_noncebytes 1 1
_crypto_box_open 0 1
_crypto_box_open_afternm 0 1
@@ -147,13 +147,22 @@ _crypto_core_ed25519_add 0 1
_crypto_core_ed25519_bytes 0 1
_crypto_core_ed25519_from_uniform 0 1
_crypto_core_ed25519_is_valid_point 0 1
+_crypto_core_ed25519_nonreducedscalarbytes 0 1
+_crypto_core_ed25519_scalar_add 0 1
+_crypto_core_ed25519_scalar_complement 0 1
+_crypto_core_ed25519_scalar_invert 0 1
+_crypto_core_ed25519_scalar_negate 0 1
+_crypto_core_ed25519_scalar_random 0 1
+_crypto_core_ed25519_scalar_reduce 0 1
+_crypto_core_ed25519_scalar_sub 0 1
+_crypto_core_ed25519_scalarbytes 0 1
_crypto_core_ed25519_sub 0 1
_crypto_core_ed25519_uniformbytes 0 1
-_crypto_core_hchacha20 1 1
-_crypto_core_hchacha20_constbytes 1 1
-_crypto_core_hchacha20_inputbytes 1 1
-_crypto_core_hchacha20_keybytes 1 1
-_crypto_core_hchacha20_outputbytes 1 1
+_crypto_core_hchacha20 0 1
+_crypto_core_hchacha20_constbytes 0 1
+_crypto_core_hchacha20_inputbytes 0 1
+_crypto_core_hchacha20_keybytes 0 1
+_crypto_core_hchacha20_outputbytes 0 1
_crypto_core_hsalsa20 0 1
_crypto_core_hsalsa20_constbytes 0 1
_crypto_core_hsalsa20_inputbytes 0 1
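Review bot: The five `_crypto_core_hchacha20*` entries change from `1 1` to `0 1` here, and `_crypto_pwhash_primitive` and `_crypto_stream_keygen` get the same change in later hunks of this file. If the first column marks the standard (non-sumo) export set, as the old `EXPORTED_FUNCTIONS_STANDARD` list in `dist-build/emscripten.sh` suggests, these symbols disappear from standard JavaScript/WebAssembly builds. The 1.0.17 ChangeLog entry in this diff does not mention the removal, so consumers of the standard build would only find out when a call fails at runtime. A ChangeLog line listing the symbols moved to the sumo-only build would cover it.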
@@ -320,7 +329,7 @@ _crypto_pwhash_opslimit_moderate 1 1
_crypto_pwhash_opslimit_sensitive 1 1
_crypto_pwhash_passwd_max 1 1
_crypto_pwhash_passwd_min 1 1
-_crypto_pwhash_primitive 1 1
+_crypto_pwhash_primitive 0 1
_crypto_pwhash_saltbytes 1 1
_crypto_pwhash_scryptsalsa208sha256 0 1
_crypto_pwhash_scryptsalsa208sha256_bytes_max 0 1
@@ -357,7 +366,9 @@ _crypto_scalarmult_curve25519_bytes 0 1
_crypto_scalarmult_curve25519_scalarbytes 0 1
_crypto_scalarmult_ed25519 0 1
_crypto_scalarmult_ed25519_base 0 1
+_crypto_scalarmult_ed25519_base_noclamp 0 1
_crypto_scalarmult_ed25519_bytes 0 1
+_crypto_scalarmult_ed25519_noclamp 0 1
_crypto_scalarmult_ed25519_scalarbytes 0 1
_crypto_scalarmult_primitive 0 1
_crypto_scalarmult_scalarbytes 1 1
@@ -368,7 +379,7 @@ _crypto_secretbox_easy 1 1
_crypto_secretbox_keybytes 1 1
_crypto_secretbox_keygen 1 1
_crypto_secretbox_macbytes 1 1
-_crypto_secretbox_messagebytes_max 0 0
+_crypto_secretbox_messagebytes_max 1 1
_crypto_secretbox_noncebytes 1 1
_crypto_secretbox_open 0 1
_crypto_secretbox_open_detached 1 1
@@ -378,7 +389,7 @@ _crypto_secretbox_xchacha20poly1305_detached 0 1
_crypto_secretbox_xchacha20poly1305_easy 0 1
_crypto_secretbox_xchacha20poly1305_keybytes 0 1
_crypto_secretbox_xchacha20poly1305_macbytes 0 1
-_crypto_secretbox_xchacha20poly1305_messagebytes_max 0 0
+_crypto_secretbox_xchacha20poly1305_messagebytes_max 0 1
_crypto_secretbox_xchacha20poly1305_noncebytes 0 1
_crypto_secretbox_xchacha20poly1305_open_detached 0 1
_crypto_secretbox_xchacha20poly1305_open_easy 0 1
@@ -387,15 +398,15 @@ _crypto_secretbox_xsalsa20poly1305_boxzerobytes 0 1
_crypto_secretbox_xsalsa20poly1305_keybytes 0 1
_crypto_secretbox_xsalsa20poly1305_keygen 0 1
_crypto_secretbox_xsalsa20poly1305_macbytes 0 1
-_crypto_secretbox_xsalsa20poly1305_messagebytes_max 0 0
+_crypto_secretbox_xsalsa20poly1305_messagebytes_max 0 1
_crypto_secretbox_xsalsa20poly1305_noncebytes 0 1
_crypto_secretbox_xsalsa20poly1305_open 0 1
_crypto_secretbox_xsalsa20poly1305_zerobytes 0 1
_crypto_secretbox_zerobytes 0 1
_crypto_secretstream_xchacha20poly1305_abytes 1 1
+_crypto_secretstream_xchacha20poly1305_headerbytes 1 1
_crypto_secretstream_xchacha20poly1305_init_pull 1 1
_crypto_secretstream_xchacha20poly1305_init_push 1 1
-_crypto_secretstream_xchacha20poly1305_headerbytes 1 1
_crypto_secretstream_xchacha20poly1305_keybytes 1 1
_crypto_secretstream_xchacha20poly1305_keygen 1 1
_crypto_secretstream_xchacha20poly1305_messagebytes_max 1 1
@@ -425,7 +436,7 @@ _crypto_sign_ed25519 0 1
_crypto_sign_ed25519_bytes 0 1
_crypto_sign_ed25519_detached 0 1
_crypto_sign_ed25519_keypair 0 1
-_crypto_sign_ed25519_messagebytes_max 0 0
+_crypto_sign_ed25519_messagebytes_max 0 1
_crypto_sign_ed25519_open 0 1
_crypto_sign_ed25519_pk_to_curve25519 1 1
_crypto_sign_ed25519_publickeybytes 0 1
@@ -448,7 +459,7 @@ _crypto_sign_final_create 1 1
_crypto_sign_final_verify 1 1
_crypto_sign_init 1 1
_crypto_sign_keypair 1 1
-_crypto_sign_messagebytes_max 0 0
+_crypto_sign_messagebytes_max 1 1
_crypto_sign_open 1 1
_crypto_sign_primitive 0 1
_crypto_sign_publickeybytes 1 1
@@ -463,26 +474,26 @@ _crypto_stream_chacha20 0 1
_crypto_stream_chacha20_ietf 0 1
_crypto_stream_chacha20_ietf_keybytes 0 1
_crypto_stream_chacha20_ietf_keygen 0 1
-_crypto_stream_chacha20_ietf_messagebytes_max 0 0
+_crypto_stream_chacha20_ietf_messagebytes_max 0 1
_crypto_stream_chacha20_ietf_noncebytes 0 1
_crypto_stream_chacha20_ietf_xor 0 1
_crypto_stream_chacha20_ietf_xor_ic 0 1
_crypto_stream_chacha20_keybytes 0 1
_crypto_stream_chacha20_keygen 0 1
-_crypto_stream_chacha20_messagebytes_max 0 0
+_crypto_stream_chacha20_messagebytes_max 0 1
_crypto_stream_chacha20_noncebytes 0 1
_crypto_stream_chacha20_xor 0 1
_crypto_stream_chacha20_xor_ic 0 1
_crypto_stream_keybytes 0 1
-_crypto_stream_keygen 1 1
-_crypto_stream_messagebytes_max 0 0
+_crypto_stream_keygen 0 1
+_crypto_stream_messagebytes_max 0 1
_crypto_stream_noncebytes 0 1
_crypto_stream_primitive 0 1
_crypto_stream_salsa20 0 1
_crypto_stream_salsa2012 0 1
_crypto_stream_salsa2012_keybytes 0 1
_crypto_stream_salsa2012_keygen 0 1
-_crypto_stream_salsa2012_messagebytes_max 0 0
+_crypto_stream_salsa2012_messagebytes_max 0 1
_crypto_stream_salsa2012_noncebytes 0 1
_crypto_stream_salsa2012_xor 0 1
_crypto_stream_salsa208 0 1
@@ -493,14 +504,14 @@ _crypto_stream_salsa208_noncebytes 0 1
_crypto_stream_salsa208_xor 0 1
_crypto_stream_salsa20_keybytes 0 1
_crypto_stream_salsa20_keygen 0 1
-_crypto_stream_salsa20_messagebytes_max 0 0
+_crypto_stream_salsa20_messagebytes_max 0 1
_crypto_stream_salsa20_noncebytes 0 1
_crypto_stream_salsa20_xor 0 1
_crypto_stream_salsa20_xor_ic 0 1
_crypto_stream_xchacha20 0 1
_crypto_stream_xchacha20_keybytes 0 1
_crypto_stream_xchacha20_keygen 0 1
-_crypto_stream_xchacha20_messagebytes_max 0 0
+_crypto_stream_xchacha20_messagebytes_max 0 1
_crypto_stream_xchacha20_noncebytes 0 1
_crypto_stream_xchacha20_xor 0 1
_crypto_stream_xchacha20_xor_ic 0 1
@@ -508,7 +519,7 @@ _crypto_stream_xor 0 1
_crypto_stream_xsalsa20 0 1
_crypto_stream_xsalsa20_keybytes 0 1
_crypto_stream_xsalsa20_keygen 0 1
-_crypto_stream_xsalsa20_messagebytes_max 0 0
+_crypto_stream_xsalsa20_messagebytes_max 0 1
_crypto_stream_xsalsa20_noncebytes 0 1
_crypto_stream_xsalsa20_xor 0 1
_crypto_stream_xsalsa20_xor_ic 0 1
@@ -530,8 +541,8 @@ _randombytes_stir 1 1
_randombytes_uniform 1 1
_sodium_add 0 0
_sodium_allocarray 0 0
-_sodium_base64_encoded_len 1 1
_sodium_base642bin 1 1
+_sodium_base64_encoded_len 1 1
_sodium_bin2base64 1 1
_sodium_bin2hex 1 1
_sodium_compare 0 0
@@ -566,5 +577,6 @@ _sodium_runtime_has_sse41 0 0
_sodium_runtime_has_ssse3 0 0
_sodium_set_misuse_handler 0 0
_sodium_stackzero 0 0
+_sodium_sub 0 0
_sodium_unpad 1 1
_sodium_version_string 1 1
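Review bot: The added `_sodium_sub 0 0` clears both export flags, so the `sodium_sub()` announced in the ChangeLog is not callable from either JavaScript/WebAssembly build. The reading of the columns as standard and sumo is inferred from the regenerated `EXPORTED_FUNCTIONS_STANDARD` list in dist-build/emscripten.sh, which drops `_crypto_stream_keygen` when its flags go from `1 1` to `0 1`. Leaving it unexported matches `_sodium_add 0 0` and `_sodium_compare 0 0` in the previous hunk and keeps the exported surface small, so it is probably deliberate. The commit does not say so, though; a short remark in the ChangeLog entry, such as `sodium_sub()` has been implemented (native builds only), would record the intent. If JavaScript callers are meant to have it, the line would instead be `_sodium_sub 0 1` with the export lists regenerated.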
diff --git a/dist-build/emscripten.sh b/dist-build/emscripten.sh
index 778f3e74..b5fba8db 100755
--- a/dist-build/emscripten.sh
+++ b/dist-build/emscripten.sh
@@ -1,13 +1,14 @@
#! /bin/sh
export MAKE_FLAGS='-j4'
-export EXPORTED_FUNCTIONS_STANDARD='["_malloc","_free","_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_keygen","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_keygen","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_aead_xchacha20poly1305_ietf_abytes","_crypto_aead_xchacha20poly1305_ietf_decrypt","_crypto_aead_xchacha20poly1305_ietf_decrypt_detached","_crypto_aead_xchacha20poly1305_ietf_encrypt","_crypto_aead_xchacha20poly1305_ietf_encrypt_detached","_crypto_aead_xchacha20poly1305_ietf_keybytes","_crypto_aead_xchacha20poly1305_ietf_keygen","_crypto_aead_xchacha20poly1305_ietf_npubbytes","_crypto_aead_xchacha20poly1305_ietf_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_keybytes","_crypto_auth_keygen","_crypto_auth_verify","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_noncebytes","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_core_hchacha20","_crypto_core_hchacha20_constbytes","_crypto_core_hchach
a20_inputbytes","_crypto_core_hchacha20_keybytes","_crypto_core_hchacha20_outputbytes","_crypto_generichash","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_keygen","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_kdf_bytes_max","_crypto_kdf_bytes_min","_crypto_kdf_contextbytes","_crypto_kdf_derive_from_key","_crypto_kdf_keybytes","_crypto_kdf_keygen","_crypto_kx_client_session_keys","_crypto_kx_keypair","_crypto_kx_publickeybytes","_crypto_kx_secretkeybytes","_crypto_kx_seed_keypair","_crypto_kx_seedbytes","_crypto_kx_server_session_keys","_crypto_kx_sessionkeybytes","_crypto_pwhash","_crypto_pwhash_alg_argon2i13","_crypto_pwhash_alg_argon2id13","_crypto_pwhash_alg_default","_crypto_pwhash_bytes_max","_crypto_pwhash_bytes_min","_crypto_pwhash_memlimit_interactive","_crypto_pwhash_memlimit_max","_crypto_pwhash_memlimit_min","_crypto_pwhash_memlimit_moderate","_crypto_pwhash_memlimit_sensitive","_crypto_pwhash_opslimit_interactive","_crypto_pwhash_opslimit_max","_crypto_pwhash_opslimit_min","_crypto_pwhash_opslimit_moderate","_crypto_pwhash_opslimit_sensitive","_crypto_pwhash_passwd_max","_crypto_pwhash_passwd_min","_crypto_pwhash_primitive","_crypto_pwhash_saltbytes","_crypto_pwhash_str","_crypto_pwhash_str_alg","_crypto_pwhash_str_needs_rehash","_crypto_pwhash_str_verify","_crypto_pwhash_strbytes","_crypto_pwhash_strprefix","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_crypto_scalarmult_scalarbytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_keygen","_crypto_secretbox_macbytes","_crypto_secretbox_noncebytes","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_secretstream_xchacha20po
ly1305_abytes","_crypto_secretstream_xchacha20poly1305_headerbytes","_crypto_secretstream_xchacha20poly1305_init_pull","_crypto_secretstream_xchacha20poly1305_init_push","_crypto_secretstream_xchacha20poly1305_keybytes","_crypto_secretstream_xchacha20poly1305_keygen","_crypto_secretstream_xchacha20poly1305_messagebytes_max","_crypto_secretstream_xchacha20poly1305_pull","_crypto_secretstream_xchacha20poly1305_push","_crypto_secretstream_xchacha20poly1305_rekey","_crypto_secretstream_xchacha20poly1305_statebytes","_crypto_secretstream_xchacha20poly1305_tag_final","_crypto_secretstream_xchacha20poly1305_tag_message","_crypto_secretstream_xchacha20poly1305_tag_push","_crypto_secretstream_xchacha20poly1305_tag_rekey","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_shorthash_keygen","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_final_create","_crypto_sign_final_verify","_crypto_sign_init","_crypto_sign_keypair","_crypto_sign_open","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_statebytes","_crypto_sign_update","_crypto_sign_verify_detached","_crypto_stream_keygen","_randombytes","_randombytes_buf","_randombytes_buf_deterministic","_randombytes_close","_randombytes_random","_randombytes_seedbytes","_randombytes_stir","_randombytes_uniform","_sodium_base642bin","_sodium_base64_encoded_len","_sodium_bin2base64","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_minimal","_sodium_library_version_major","_sodium_library_version_minor","_sodium_pad","_sodium_unpad","_sodium_version_string"]'
-export EXPORTED_FUNCTIONS_SUMO='["_malloc","_free","_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_keygen","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_keygen","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_aead_xchacha20poly1305_ietf_abytes","_crypto_aead_xchacha20poly1305_ietf_decrypt","_crypto_aead_xchacha20poly1305_ietf_decrypt_detached","_crypto_aead_xchacha20poly1305_ietf_encrypt","_crypto_aead_xchacha20poly1305_ietf_encrypt_detached","_crypto_aead_xchacha20poly1305_ietf_keybytes","_crypto_aead_xchacha20poly1305_ietf_keygen","_crypto_aead_xchacha20poly1305_ietf_npubbytes","_crypto_aead_xchacha20poly1305_ietf_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_hmacsha256","_crypto_auth_hmacsha256_bytes","_crypto_auth_hmacsha256_final","_crypto_auth_hmacsha256_init","_crypto_auth_hmacsha256_keybytes","_crypto_auth_hmacsha256_keygen","_crypto_auth_hmacsha256_statebytes","_crypto_auth_hmacsha256_update","_crypto_auth_hmacsha256_verify","_crypto_auth_hmacsha512","_crypto_auth_hmacsha512256","_crypto_auth_hmacsha512256_bytes","_crypto_auth_hmacsha512256_final","_crypto_auth_hmacsha512256_init","_crypto_auth_hmacsha512256_keybytes","_crypto_auth_hmacsha512256_keygen","_crypto_auth_hmacsha512256_statebytes","_crypto_auth_hmacsha512256_update","_crypto_auth_hmacsha512256_verify","_crypto_auth_hmacsha512_bytes","
_crypto_auth_hmacsha512_final","_crypto_auth_hmacsha512_init","_crypto_auth_hmacsha512_keybytes","_crypto_auth_hmacsha512_keygen","_crypto_auth_hmacsha512_statebytes","_crypto_auth_hmacsha512_update","_crypto_auth_hmacsha512_verify","_crypto_auth_keybytes","_crypto_auth_keygen","_crypto_auth_primitive","_crypto_auth_verify","_crypto_box","_crypto_box_afternm","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_boxzerobytes","_crypto_box_curve25519xchacha20poly1305_beforenm","_crypto_box_curve25519xchacha20poly1305_beforenmbytes","_crypto_box_curve25519xchacha20poly1305_detached","_crypto_box_curve25519xchacha20poly1305_detached_afternm","_crypto_box_curve25519xchacha20poly1305_easy","_crypto_box_curve25519xchacha20poly1305_easy_afternm","_crypto_box_curve25519xchacha20poly1305_keypair","_crypto_box_curve25519xchacha20poly1305_macbytes","_crypto_box_curve25519xchacha20poly1305_noncebytes","_crypto_box_curve25519xchacha20poly1305_open_detached","_crypto_box_curve25519xchacha20poly1305_open_detached_afternm","_crypto_box_curve25519xchacha20poly1305_open_easy","_crypto_box_curve25519xchacha20poly1305_open_easy_afternm","_crypto_box_curve25519xchacha20poly1305_publickeybytes","_crypto_box_curve25519xchacha20poly1305_seal","_crypto_box_curve25519xchacha20poly1305_seal_open","_crypto_box_curve25519xchacha20poly1305_sealbytes","_crypto_box_curve25519xchacha20poly1305_secretkeybytes","_crypto_box_curve25519xchacha20poly1305_seed_keypair","_crypto_box_curve25519xchacha20poly1305_seedbytes","_crypto_box_curve25519xsalsa20poly1305","_crypto_box_curve25519xsalsa20poly1305_afternm","_crypto_box_curve25519xsalsa20poly1305_beforenm","_crypto_box_curve25519xsalsa20poly1305_beforenmbytes","_crypto_box_curve25519xsalsa20poly1305_boxzerobytes","_crypto_box_curve25519xsalsa20poly1305_keypair","_crypto_box_curve25519xsalsa20poly1305_macbytes","_crypto_box_curve25519xsalsa20poly1305_noncebytes","_crypto_box_curve25519xsalsa20poly1305_open","_crypto_box_curve25519xsalsa20poly13
05_open_afternm","_crypto_box_curve25519xsalsa20poly1305_publickeybytes","_crypto_box_curve25519xsalsa20poly1305_secretkeybytes","_crypto_box_curve25519xsalsa20poly1305_seed_keypair","_crypto_box_curve25519xsalsa20poly1305_seedbytes","_crypto_box_curve25519xsalsa20poly1305_zerobytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_noncebytes","_crypto_box_open","_crypto_box_open_afternm","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_box_primitive","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_box_zerobytes","_crypto_core_ed25519_add","_crypto_core_ed25519_bytes","_crypto_core_ed25519_from_uniform","_crypto_core_ed25519_is_valid_point","_crypto_core_ed25519_sub","_crypto_core_ed25519_uniformbytes","_crypto_core_hchacha20","_crypto_core_hchacha20_constbytes","_crypto_core_hchacha20_inputbytes","_crypto_core_hchacha20_keybytes","_crypto_core_hchacha20_outputbytes","_crypto_core_hsalsa20","_crypto_core_hsalsa20_constbytes","_crypto_core_hsalsa20_inputbytes","_crypto_core_hsalsa20_keybytes","_crypto_core_hsalsa20_outputbytes","_crypto_core_salsa20","_crypto_core_salsa2012","_crypto_core_salsa2012_constbytes","_crypto_core_salsa2012_inputbytes","_crypto_core_salsa2012_keybytes","_crypto_core_salsa2012_outputbytes","_crypto_core_salsa208","_crypto_core_salsa208_constbytes","_crypto_core_salsa208_inputbytes","_crypto_core_salsa208_keybytes","_crypto_core_salsa208_outputbytes","_crypto_core_salsa20_constbytes","_crypto_core_salsa20_inputbytes","_crypto_core_salsa20_keybytes","_crypto_core_salsa20_outputbytes","_crypto_generichash","_crypto_generichash_blake2b","_crypto_generichash_blake2b_bytes","_crypto_generichash_blake2b_bytes_max","_crypto_gener
ichash_blake2b_bytes_min","_crypto_generichash_blake2b_final","_crypto_generichash_blake2b_init","_crypto_generichash_blake2b_init_salt_personal","_crypto_generichash_blake2b_keybytes","_crypto_generichash_blake2b_keybytes_max","_crypto_generichash_blake2b_keybytes_min","_crypto_generichash_blake2b_keygen","_crypto_generichash_blake2b_personalbytes","_crypto_generichash_blake2b_salt_personal","_crypto_generichash_blake2b_saltbytes","_crypto_generichash_blake2b_statebytes","_crypto_generichash_blake2b_update","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_keygen","_crypto_generichash_primitive","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_hash_primitive","_crypto_hash_sha256","_crypto_hash_sha256_bytes","_crypto_hash_sha256_final","_crypto_hash_sha256_init","_crypto_hash_sha256_statebytes","_crypto_hash_sha256_update","_crypto_hash_sha512","_crypto_hash_sha512_bytes","_crypto_hash_sha512_final","_crypto_hash_sha512_init","_crypto_hash_sha512_statebytes","_crypto_hash_sha512_update","_crypto_kdf_blake2b_bytes_max","_crypto_kdf_blake2b_bytes_min","_crypto_kdf_blake2b_contextbytes","_crypto_kdf_blake2b_derive_from_key","_crypto_kdf_blake2b_keybytes","_crypto_kdf_bytes_max","_crypto_kdf_bytes_min","_crypto_kdf_contextbytes","_crypto_kdf_derive_from_key","_crypto_kdf_keybytes","_crypto_kdf_keygen","_crypto_kdf_primitive","_crypto_kx_client_session_keys","_crypto_kx_keypair","_crypto_kx_primitive","_crypto_kx_publickeybytes","_crypto_kx_secretkeybytes","_crypto_kx_seed_keypair","_crypto_kx_seedbytes","_crypto_kx_server_session_keys","_crypto_kx_sessionkeybytes","_crypto_onetimeauth","_crypto_onetimeauth_bytes","_crypto_onetimeauth_final","_crypto_onetimeauth_init","_crypto_onetimeauth_keybytes"
,"_crypto_onetimeauth_keygen","_crypto_onetimeauth_poly1305","_crypto_onetimeauth_poly1305_bytes","_crypto_onetimeauth_poly1305_final","_crypto_onetimeauth_poly1305_init","_crypto_onetimeauth_poly1305_keybytes","_crypto_onetimeauth_poly1305_keygen","_crypto_onetimeauth_poly1305_statebytes","_crypto_onetimeauth_poly1305_update","_crypto_onetimeauth_poly1305_verify","_crypto_onetimeauth_primitive","_crypto_onetimeauth_statebytes","_crypto_onetimeauth_update","_crypto_onetimeauth_verify","_crypto_pwhash","_crypto_pwhash_alg_argon2i13","_crypto_pwhash_alg_argon2id13","_crypto_pwhash_alg_default","_crypto_pwhash_argon2i","_crypto_pwhash_argon2i_alg_argon2i13","_crypto_pwhash_argon2i_bytes_max","_crypto_pwhash_argon2i_bytes_min","_crypto_pwhash_argon2i_memlimit_interactive","_crypto_pwhash_argon2i_memlimit_max","_crypto_pwhash_argon2i_memlimit_min","_crypto_pwhash_argon2i_memlimit_moderate","_crypto_pwhash_argon2i_memlimit_sensitive","_crypto_pwhash_argon2i_opslimit_interactive","_crypto_pwhash_argon2i_opslimit_max","_crypto_pwhash_argon2i_opslimit_min","_crypto_pwhash_argon2i_opslimit_moderate","_crypto_pwhash_argon2i_opslimit_sensitive","_crypto_pwhash_argon2i_passwd_max","_crypto_pwhash_argon2i_passwd_min","_crypto_pwhash_argon2i_saltbytes","_crypto_pwhash_argon2i_str","_crypto_pwhash_argon2i_str_needs_rehash","_crypto_pwhash_argon2i_str_verify","_crypto_pwhash_argon2i_strbytes","_crypto_pwhash_argon2i_strprefix","_crypto_pwhash_argon2id","_crypto_pwhash_argon2id_alg_argon2id13","_crypto_pwhash_argon2id_bytes_max","_crypto_pwhash_argon2id_bytes_min","_crypto_pwhash_argon2id_memlimit_interactive","_crypto_pwhash_argon2id_memlimit_max","_crypto_pwhash_argon2id_memlimit_min","_crypto_pwhash_argon2id_memlimit_moderate","_crypto_pwhash_argon2id_memlimit_sensitive","_crypto_pwhash_argon2id_opslimit_interactive","_crypto_pwhash_argon2id_opslimit_max","_crypto_pwhash_argon2id_opslimit_min","_crypto_pwhash_argon2id_opslimit_moderate","_crypto_pwhash_argon2id_opslimit_sensitive"
,"_crypto_pwhash_argon2id_passwd_max","_crypto_pwhash_argon2id_passwd_min","_crypto_pwhash_argon2id_saltbytes","_crypto_pwhash_argon2id_str","_crypto_pwhash_argon2id_str_needs_rehash","_crypto_pwhash_argon2id_str_verify","_crypto_pwhash_argon2id_strbytes","_crypto_pwhash_argon2id_strprefix","_crypto_pwhash_bytes_max","_crypto_pwhash_bytes_min","_crypto_pwhash_memlimit_interactive","_crypto_pwhash_memlimit_max","_crypto_pwhash_memlimit_min","_crypto_pwhash_memlimit_moderate","_crypto_pwhash_memlimit_sensitive","_crypto_pwhash_opslimit_interactive","_crypto_pwhash_opslimit_max","_crypto_pwhash_opslimit_min","_crypto_pwhash_opslimit_moderate","_crypto_pwhash_opslimit_sensitive","_crypto_pwhash_passwd_max","_crypto_pwhash_passwd_min","_crypto_pwhash_primitive","_crypto_pwhash_saltbytes","_crypto_pwhash_scryptsalsa208sha256","_crypto_pwhash_scryptsalsa208sha256_bytes_max","_crypto_pwhash_scryptsalsa208sha256_bytes_min","_crypto_pwhash_scryptsalsa208sha256_ll","_crypto_pwhash_scryptsalsa208sha256_memlimit_interactive","_crypto_pwhash_scryptsalsa208sha256_memlimit_max","_crypto_pwhash_scryptsalsa208sha256_memlimit_min","_crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_opslimit_interactive","_crypto_pwhash_scryptsalsa208sha256_opslimit_max","_crypto_pwhash_scryptsalsa208sha256_opslimit_min","_crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_passwd_max","_crypto_pwhash_scryptsalsa208sha256_passwd_min","_crypto_pwhash_scryptsalsa208sha256_saltbytes","_crypto_pwhash_scryptsalsa208sha256_str","_crypto_pwhash_scryptsalsa208sha256_str_needs_rehash","_crypto_pwhash_scryptsalsa208sha256_str_verify","_crypto_pwhash_scryptsalsa208sha256_strbytes","_crypto_pwhash_scryptsalsa208sha256_strprefix","_crypto_pwhash_str","_crypto_pwhash_str_alg","_crypto_pwhash_str_needs_rehash","_crypto_pwhash_str_verify","_crypto_pwhash_strbytes","_crypto_pwhash_strprefix","_crypto_scalarmult","_crypto_scalarmult_base",
"_crypto_scalarmult_bytes","_crypto_scalarmult_curve25519","_crypto_scalarmult_curve25519_base","_crypto_scalarmult_curve25519_bytes","_crypto_scalarmult_curve25519_scalarbytes","_crypto_scalarmult_ed25519","_crypto_scalarmult_ed25519_base","_crypto_scalarmult_ed25519_bytes","_crypto_scalarmult_ed25519_scalarbytes","_crypto_scalarmult_primitive","_crypto_scalarmult_scalarbytes","_crypto_secretbox","_crypto_secretbox_boxzerobytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_keygen","_crypto_secretbox_macbytes","_crypto_secretbox_noncebytes","_crypto_secretbox_open","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_secretbox_primitive","_crypto_secretbox_xchacha20poly1305_detached","_crypto_secretbox_xchacha20poly1305_easy","_crypto_secretbox_xchacha20poly1305_keybytes","_crypto_secretbox_xchacha20poly1305_macbytes","_crypto_secretbox_xchacha20poly1305_noncebytes","_crypto_secretbox_xchacha20poly1305_open_detached","_crypto_secretbox_xchacha20poly1305_open_easy","_crypto_secretbox_xsalsa20poly1305","_crypto_secretbox_xsalsa20poly1305_boxzerobytes","_crypto_secretbox_xsalsa20poly1305_keybytes","_crypto_secretbox_xsalsa20poly1305_keygen","_crypto_secretbox_xsalsa20poly1305_macbytes","_crypto_secretbox_xsalsa20poly1305_noncebytes","_crypto_secretbox_xsalsa20poly1305_open","_crypto_secretbox_xsalsa20poly1305_zerobytes","_crypto_secretbox_zerobytes","_crypto_secretstream_xchacha20poly1305_abytes","_crypto_secretstream_xchacha20poly1305_headerbytes","_crypto_secretstream_xchacha20poly1305_init_pull","_crypto_secretstream_xchacha20poly1305_init_push","_crypto_secretstream_xchacha20poly1305_keybytes","_crypto_secretstream_xchacha20poly1305_keygen","_crypto_secretstream_xchacha20poly1305_messagebytes_max","_crypto_secretstream_xchacha20poly1305_pull","_crypto_secretstream_xchacha20poly1305_push","_crypto_secretstream_xchacha20poly1305_rekey","_crypto_secretstream_xchacha20poly1305_statebytes","_cr
ypto_secretstream_xchacha20poly1305_tag_final","_crypto_secretstream_xchacha20poly1305_tag_message","_crypto_secretstream_xchacha20poly1305_tag_push","_crypto_secretstream_xchacha20poly1305_tag_rekey","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_shorthash_keygen","_crypto_shorthash_primitive","_crypto_shorthash_siphash24","_crypto_shorthash_siphash24_bytes","_crypto_shorthash_siphash24_keybytes","_crypto_shorthash_siphashx24","_crypto_shorthash_siphashx24_bytes","_crypto_shorthash_siphashx24_keybytes","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519","_crypto_sign_ed25519_bytes","_crypto_sign_ed25519_detached","_crypto_sign_ed25519_keypair","_crypto_sign_ed25519_open","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_publickeybytes","_crypto_sign_ed25519_secretkeybytes","_crypto_sign_ed25519_seed_keypair","_crypto_sign_ed25519_seedbytes","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_ed25519_sk_to_pk","_crypto_sign_ed25519_sk_to_seed","_crypto_sign_ed25519_verify_detached","_crypto_sign_ed25519ph_final_create","_crypto_sign_ed25519ph_final_verify","_crypto_sign_ed25519ph_init","_crypto_sign_ed25519ph_statebytes","_crypto_sign_ed25519ph_update","_crypto_sign_final_create","_crypto_sign_final_verify","_crypto_sign_init","_crypto_sign_keypair","_crypto_sign_open","_crypto_sign_primitive","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_statebytes","_crypto_sign_update","_crypto_sign_verify_detached","_crypto_stream","_crypto_stream_chacha20","_crypto_stream_chacha20_ietf","_crypto_stream_chacha20_ietf_keybytes","_crypto_stream_chacha20_ietf_keygen","_crypto_stream_chacha20_ietf_noncebytes","_crypto_stream_chacha20_ietf_xor","_crypto_stream_chacha20_ietf_xor_ic","_crypto_stream_chacha20_keybytes","_crypto_stream_chacha20_keygen","_crypto_stream_chacha20_noncebytes","_crypto_stream_chacha20_xor","_crypto_
stream_chacha20_xor_ic","_crypto_stream_keybytes","_crypto_stream_keygen","_crypto_stream_noncebytes","_crypto_stream_primitive","_crypto_stream_salsa20","_crypto_stream_salsa2012","_crypto_stream_salsa2012_keybytes","_crypto_stream_salsa2012_keygen","_crypto_stream_salsa2012_noncebytes","_crypto_stream_salsa2012_xor","_crypto_stream_salsa208","_crypto_stream_salsa208_keybytes","_crypto_stream_salsa208_keygen","_crypto_stream_salsa208_messagebytes_max","_crypto_stream_salsa208_noncebytes","_crypto_stream_salsa208_xor","_crypto_stream_salsa20_keybytes","_crypto_stream_salsa20_keygen","_crypto_stream_salsa20_noncebytes","_crypto_stream_salsa20_xor","_crypto_stream_salsa20_xor_ic","_crypto_stream_xchacha20","_crypto_stream_xchacha20_keybytes","_crypto_stream_xchacha20_keygen","_crypto_stream_xchacha20_noncebytes","_crypto_stream_xchacha20_xor","_crypto_stream_xchacha20_xor_ic","_crypto_stream_xor","_crypto_stream_xsalsa20","_crypto_stream_xsalsa20_keybytes","_crypto_stream_xsalsa20_keygen","_crypto_stream_xsalsa20_noncebytes","_crypto_stream_xsalsa20_xor","_crypto_stream_xsalsa20_xor_ic","_crypto_verify_16","_crypto_verify_16_bytes","_crypto_verify_32","_crypto_verify_32_bytes","_crypto_verify_64","_crypto_verify_64_bytes","_randombytes","_randombytes_buf","_randombytes_buf_deterministic","_randombytes_close","_randombytes_implementation_name","_randombytes_random","_randombytes_seedbytes","_randombytes_stir","_randombytes_uniform","_sodium_base642bin","_sodium_base64_encoded_len","_sodium_bin2base64","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_minimal","_sodium_library_version_major","_sodium_library_version_minor","_sodium_pad","_sodium_unpad","_sodium_version_string"]'
+export EXPORTED_FUNCTIONS_STANDARD='["_malloc","_free","_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_keygen","_crypto_aead_chacha20poly1305_ietf_messagebytes_max","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_keygen","_crypto_aead_chacha20poly1305_messagebytes_max","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_aead_xchacha20poly1305_ietf_abytes","_crypto_aead_xchacha20poly1305_ietf_decrypt","_crypto_aead_xchacha20poly1305_ietf_decrypt_detached","_crypto_aead_xchacha20poly1305_ietf_encrypt","_crypto_aead_xchacha20poly1305_ietf_encrypt_detached","_crypto_aead_xchacha20poly1305_ietf_keybytes","_crypto_aead_xchacha20poly1305_ietf_keygen","_crypto_aead_xchacha20poly1305_ietf_messagebytes_max","_crypto_aead_xchacha20poly1305_ietf_npubbytes","_crypto_aead_xchacha20poly1305_ietf_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_keybytes","_crypto_auth_keygen","_crypto_auth_verify","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_curve25519xchacha20poly1305_messagebytes_max","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_messagebytes_max","_crypto_box_noncebytes","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_
box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_generichash","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_keygen","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_kdf_bytes_max","_crypto_kdf_bytes_min","_crypto_kdf_contextbytes","_crypto_kdf_derive_from_key","_crypto_kdf_keybytes","_crypto_kdf_keygen","_crypto_kx_client_session_keys","_crypto_kx_keypair","_crypto_kx_publickeybytes","_crypto_kx_secretkeybytes","_crypto_kx_seed_keypair","_crypto_kx_seedbytes","_crypto_kx_server_session_keys","_crypto_kx_sessionkeybytes","_crypto_pwhash","_crypto_pwhash_alg_argon2i13","_crypto_pwhash_alg_argon2id13","_crypto_pwhash_alg_default","_crypto_pwhash_bytes_max","_crypto_pwhash_bytes_min","_crypto_pwhash_memlimit_interactive","_crypto_pwhash_memlimit_max","_crypto_pwhash_memlimit_min","_crypto_pwhash_memlimit_moderate","_crypto_pwhash_memlimit_sensitive","_crypto_pwhash_opslimit_interactive","_crypto_pwhash_opslimit_max","_crypto_pwhash_opslimit_min","_crypto_pwhash_opslimit_moderate","_crypto_pwhash_opslimit_sensitive","_crypto_pwhash_passwd_max","_crypto_pwhash_passwd_min","_crypto_pwhash_saltbytes","_crypto_pwhash_str","_crypto_pwhash_str_alg","_crypto_pwhash_str_needs_rehash","_crypto_pwhash_str_verify","_crypto_pwhash_strbytes","_crypto_pwhash_strprefix","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_crypto_scalarmult_scalarbytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_keygen","_crypto_secretbox_macbytes","_crypto_secretbox_messagebytes_max","_crypto_secretbox_noncebytes","_crypt
o_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_secretstream_xchacha20poly1305_abytes","_crypto_secretstream_xchacha20poly1305_headerbytes","_crypto_secretstream_xchacha20poly1305_init_pull","_crypto_secretstream_xchacha20poly1305_init_push","_crypto_secretstream_xchacha20poly1305_keybytes","_crypto_secretstream_xchacha20poly1305_keygen","_crypto_secretstream_xchacha20poly1305_messagebytes_max","_crypto_secretstream_xchacha20poly1305_pull","_crypto_secretstream_xchacha20poly1305_push","_crypto_secretstream_xchacha20poly1305_rekey","_crypto_secretstream_xchacha20poly1305_statebytes","_crypto_secretstream_xchacha20poly1305_tag_final","_crypto_secretstream_xchacha20poly1305_tag_message","_crypto_secretstream_xchacha20poly1305_tag_push","_crypto_secretstream_xchacha20poly1305_tag_rekey","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_shorthash_keygen","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_final_create","_crypto_sign_final_verify","_crypto_sign_init","_crypto_sign_keypair","_crypto_sign_messagebytes_max","_crypto_sign_open","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_statebytes","_crypto_sign_update","_crypto_sign_verify_detached","_randombytes","_randombytes_buf","_randombytes_buf_deterministic","_randombytes_close","_randombytes_random","_randombytes_seedbytes","_randombytes_stir","_randombytes_uniform","_sodium_base642bin","_sodium_base64_encoded_len","_sodium_bin2base64","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_minimal","_sodium_library_version_major","_sodium_library_version_minor","_sodium_pad","_sodium_unpad","_sodium_version_string"]'
+export EXPORTED_FUNCTIONS_SUMO='["_malloc","_free","_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_keygen","_crypto_aead_chacha20poly1305_ietf_messagebytes_max","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_keygen","_crypto_aead_chacha20poly1305_messagebytes_max","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_aead_xchacha20poly1305_ietf_abytes","_crypto_aead_xchacha20poly1305_ietf_decrypt","_crypto_aead_xchacha20poly1305_ietf_decrypt_detached","_crypto_aead_xchacha20poly1305_ietf_encrypt","_crypto_aead_xchacha20poly1305_ietf_encrypt_detached","_crypto_aead_xchacha20poly1305_ietf_keybytes","_crypto_aead_xchacha20poly1305_ietf_keygen","_crypto_aead_xchacha20poly1305_ietf_messagebytes_max","_crypto_aead_xchacha20poly1305_ietf_npubbytes","_crypto_aead_xchacha20poly1305_ietf_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_hmacsha256","_crypto_auth_hmacsha256_bytes","_crypto_auth_hmacsha256_final","_crypto_auth_hmacsha256_init","_crypto_auth_hmacsha256_keybytes","_crypto_auth_hmacsha256_keygen","_crypto_auth_hmacsha256_statebytes","_crypto_auth_hmacsha256_update","_crypto_auth_hmacsha256_verify","_crypto_auth_hmacsha512","_crypto_auth_hmacsha512256","_crypto_auth_hmacsha512256_bytes","_crypto_auth_hmacsha512256_final","_crypto_auth_hmacsha512256_init","_crypto_auth_hmacsha512256_keybytes","_crypto_auth_hmacsha51
2256_keygen","_crypto_auth_hmacsha512256_statebytes","_crypto_auth_hmacsha512256_update","_crypto_auth_hmacsha512256_verify","_crypto_auth_hmacsha512_bytes","_crypto_auth_hmacsha512_final","_crypto_auth_hmacsha512_init","_crypto_auth_hmacsha512_keybytes","_crypto_auth_hmacsha512_keygen","_crypto_auth_hmacsha512_statebytes","_crypto_auth_hmacsha512_update","_crypto_auth_hmacsha512_verify","_crypto_auth_keybytes","_crypto_auth_keygen","_crypto_auth_primitive","_crypto_auth_verify","_crypto_box","_crypto_box_afternm","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_boxzerobytes","_crypto_box_curve25519xchacha20poly1305_beforenm","_crypto_box_curve25519xchacha20poly1305_beforenmbytes","_crypto_box_curve25519xchacha20poly1305_detached","_crypto_box_curve25519xchacha20poly1305_detached_afternm","_crypto_box_curve25519xchacha20poly1305_easy","_crypto_box_curve25519xchacha20poly1305_easy_afternm","_crypto_box_curve25519xchacha20poly1305_keypair","_crypto_box_curve25519xchacha20poly1305_macbytes","_crypto_box_curve25519xchacha20poly1305_messagebytes_max","_crypto_box_curve25519xchacha20poly1305_noncebytes","_crypto_box_curve25519xchacha20poly1305_open_detached","_crypto_box_curve25519xchacha20poly1305_open_detached_afternm","_crypto_box_curve25519xchacha20poly1305_open_easy","_crypto_box_curve25519xchacha20poly1305_open_easy_afternm","_crypto_box_curve25519xchacha20poly1305_publickeybytes","_crypto_box_curve25519xchacha20poly1305_seal","_crypto_box_curve25519xchacha20poly1305_seal_open","_crypto_box_curve25519xchacha20poly1305_sealbytes","_crypto_box_curve25519xchacha20poly1305_secretkeybytes","_crypto_box_curve25519xchacha20poly1305_seed_keypair","_crypto_box_curve25519xchacha20poly1305_seedbytes","_crypto_box_curve25519xsalsa20poly1305","_crypto_box_curve25519xsalsa20poly1305_afternm","_crypto_box_curve25519xsalsa20poly1305_beforenm","_crypto_box_curve25519xsalsa20poly1305_beforenmbytes","_crypto_box_curve25519xsalsa20poly1305_boxzerobytes","_crypto_box_curv
e25519xsalsa20poly1305_keypair","_crypto_box_curve25519xsalsa20poly1305_macbytes","_crypto_box_curve25519xsalsa20poly1305_messagebytes_max","_crypto_box_curve25519xsalsa20poly1305_noncebytes","_crypto_box_curve25519xsalsa20poly1305_open","_crypto_box_curve25519xsalsa20poly1305_open_afternm","_crypto_box_curve25519xsalsa20poly1305_publickeybytes","_crypto_box_curve25519xsalsa20poly1305_secretkeybytes","_crypto_box_curve25519xsalsa20poly1305_seed_keypair","_crypto_box_curve25519xsalsa20poly1305_seedbytes","_crypto_box_curve25519xsalsa20poly1305_zerobytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_messagebytes_max","_crypto_box_noncebytes","_crypto_box_open","_crypto_box_open_afternm","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_box_primitive","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_box_zerobytes","_crypto_core_ed25519_add","_crypto_core_ed25519_bytes","_crypto_core_ed25519_from_uniform","_crypto_core_ed25519_is_valid_point","_crypto_core_ed25519_nonreducedscalarbytes","_crypto_core_ed25519_scalar_add","_crypto_core_ed25519_scalar_complement","_crypto_core_ed25519_scalar_invert","_crypto_core_ed25519_scalar_negate","_crypto_core_ed25519_scalar_random","_crypto_core_ed25519_scalar_reduce","_crypto_core_ed25519_scalar_sub","_crypto_core_ed25519_scalarbytes","_crypto_core_ed25519_sub","_crypto_core_ed25519_uniformbytes","_crypto_core_hchacha20","_crypto_core_hchacha20_constbytes","_crypto_core_hchacha20_inputbytes","_crypto_core_hchacha20_keybytes","_crypto_core_hchacha20_outputbytes","_crypto_core_hsalsa20","_crypto_core_hsalsa20_constbytes","_crypto_core_hsalsa20_inputbytes","_crypto_core_hsalsa20_keybytes","_crypto_core_hsalsa20_o
utputbytes","_crypto_core_salsa20","_crypto_core_salsa2012","_crypto_core_salsa2012_constbytes","_crypto_core_salsa2012_inputbytes","_crypto_core_salsa2012_keybytes","_crypto_core_salsa2012_outputbytes","_crypto_core_salsa208","_crypto_core_salsa208_constbytes","_crypto_core_salsa208_inputbytes","_crypto_core_salsa208_keybytes","_crypto_core_salsa208_outputbytes","_crypto_core_salsa20_constbytes","_crypto_core_salsa20_inputbytes","_crypto_core_salsa20_keybytes","_crypto_core_salsa20_outputbytes","_crypto_generichash","_crypto_generichash_blake2b","_crypto_generichash_blake2b_bytes","_crypto_generichash_blake2b_bytes_max","_crypto_generichash_blake2b_bytes_min","_crypto_generichash_blake2b_final","_crypto_generichash_blake2b_init","_crypto_generichash_blake2b_init_salt_personal","_crypto_generichash_blake2b_keybytes","_crypto_generichash_blake2b_keybytes_max","_crypto_generichash_blake2b_keybytes_min","_crypto_generichash_blake2b_keygen","_crypto_generichash_blake2b_personalbytes","_crypto_generichash_blake2b_salt_personal","_crypto_generichash_blake2b_saltbytes","_crypto_generichash_blake2b_statebytes","_crypto_generichash_blake2b_update","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_keygen","_crypto_generichash_primitive","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_hash_primitive","_crypto_hash_sha256","_crypto_hash_sha256_bytes","_crypto_hash_sha256_final","_crypto_hash_sha256_init","_crypto_hash_sha256_statebytes","_crypto_hash_sha256_update","_crypto_hash_sha512","_crypto_hash_sha512_bytes","_crypto_hash_sha512_final","_crypto_hash_sha512_init","_crypto_hash_sha512_statebytes","_crypto_hash_sha512_update","_crypto_kdf_blake2b_bytes_max","_crypto_kdf_blake2b_bytes_min","_crypto_kdf_
blake2b_contextbytes","_crypto_kdf_blake2b_derive_from_key","_crypto_kdf_blake2b_keybytes","_crypto_kdf_bytes_max","_crypto_kdf_bytes_min","_crypto_kdf_contextbytes","_crypto_kdf_derive_from_key","_crypto_kdf_keybytes","_crypto_kdf_keygen","_crypto_kdf_primitive","_crypto_kx_client_session_keys","_crypto_kx_keypair","_crypto_kx_primitive","_crypto_kx_publickeybytes","_crypto_kx_secretkeybytes","_crypto_kx_seed_keypair","_crypto_kx_seedbytes","_crypto_kx_server_session_keys","_crypto_kx_sessionkeybytes","_crypto_onetimeauth","_crypto_onetimeauth_bytes","_crypto_onetimeauth_final","_crypto_onetimeauth_init","_crypto_onetimeauth_keybytes","_crypto_onetimeauth_keygen","_crypto_onetimeauth_poly1305","_crypto_onetimeauth_poly1305_bytes","_crypto_onetimeauth_poly1305_final","_crypto_onetimeauth_poly1305_init","_crypto_onetimeauth_poly1305_keybytes","_crypto_onetimeauth_poly1305_keygen","_crypto_onetimeauth_poly1305_statebytes","_crypto_onetimeauth_poly1305_update","_crypto_onetimeauth_poly1305_verify","_crypto_onetimeauth_primitive","_crypto_onetimeauth_statebytes","_crypto_onetimeauth_update","_crypto_onetimeauth_verify","_crypto_pwhash","_crypto_pwhash_alg_argon2i13","_crypto_pwhash_alg_argon2id13","_crypto_pwhash_alg_default","_crypto_pwhash_argon2i","_crypto_pwhash_argon2i_alg_argon2i13","_crypto_pwhash_argon2i_bytes_max","_crypto_pwhash_argon2i_bytes_min","_crypto_pwhash_argon2i_memlimit_interactive","_crypto_pwhash_argon2i_memlimit_max","_crypto_pwhash_argon2i_memlimit_min","_crypto_pwhash_argon2i_memlimit_moderate","_crypto_pwhash_argon2i_memlimit_sensitive","_crypto_pwhash_argon2i_opslimit_interactive","_crypto_pwhash_argon2i_opslimit_max","_crypto_pwhash_argon2i_opslimit_min","_crypto_pwhash_argon2i_opslimit_moderate","_crypto_pwhash_argon2i_opslimit_sensitive","_crypto_pwhash_argon2i_passwd_max","_crypto_pwhash_argon2i_passwd_min","_crypto_pwhash_argon2i_saltbytes","_crypto_pwhash_argon2i_str","_crypto_pwhash_argon2i_str_needs_rehash","_crypto_pwhash_argon2i_str_
verify","_crypto_pwhash_argon2i_strbytes","_crypto_pwhash_argon2i_strprefix","_crypto_pwhash_argon2id","_crypto_pwhash_argon2id_alg_argon2id13","_crypto_pwhash_argon2id_bytes_max","_crypto_pwhash_argon2id_bytes_min","_crypto_pwhash_argon2id_memlimit_interactive","_crypto_pwhash_argon2id_memlimit_max","_crypto_pwhash_argon2id_memlimit_min","_crypto_pwhash_argon2id_memlimit_moderate","_crypto_pwhash_argon2id_memlimit_sensitive","_crypto_pwhash_argon2id_opslimit_interactive","_crypto_pwhash_argon2id_opslimit_max","_crypto_pwhash_argon2id_opslimit_min","_crypto_pwhash_argon2id_opslimit_moderate","_crypto_pwhash_argon2id_opslimit_sensitive","_crypto_pwhash_argon2id_passwd_max","_crypto_pwhash_argon2id_passwd_min","_crypto_pwhash_argon2id_saltbytes","_crypto_pwhash_argon2id_str","_crypto_pwhash_argon2id_str_needs_rehash","_crypto_pwhash_argon2id_str_verify","_crypto_pwhash_argon2id_strbytes","_crypto_pwhash_argon2id_strprefix","_crypto_pwhash_bytes_max","_crypto_pwhash_bytes_min","_crypto_pwhash_memlimit_interactive","_crypto_pwhash_memlimit_max","_crypto_pwhash_memlimit_min","_crypto_pwhash_memlimit_moderate","_crypto_pwhash_memlimit_sensitive","_crypto_pwhash_opslimit_interactive","_crypto_pwhash_opslimit_max","_crypto_pwhash_opslimit_min","_crypto_pwhash_opslimit_moderate","_crypto_pwhash_opslimit_sensitive","_crypto_pwhash_passwd_max","_crypto_pwhash_passwd_min","_crypto_pwhash_primitive","_crypto_pwhash_saltbytes","_crypto_pwhash_scryptsalsa208sha256","_crypto_pwhash_scryptsalsa208sha256_bytes_max","_crypto_pwhash_scryptsalsa208sha256_bytes_min","_crypto_pwhash_scryptsalsa208sha256_ll","_crypto_pwhash_scryptsalsa208sha256_memlimit_interactive","_crypto_pwhash_scryptsalsa208sha256_memlimit_max","_crypto_pwhash_scryptsalsa208sha256_memlimit_min","_crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_opslimit_interactive","_crypto_pwhash_scryptsalsa208sha256_opslimit_max","_crypto_pwhash_scryptsalsa208sha256_opslimit_min","_crypto_
pwhash_scryptsalsa208sha256_opslimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_passwd_max","_crypto_pwhash_scryptsalsa208sha256_passwd_min","_crypto_pwhash_scryptsalsa208sha256_saltbytes","_crypto_pwhash_scryptsalsa208sha256_str","_crypto_pwhash_scryptsalsa208sha256_str_needs_rehash","_crypto_pwhash_scryptsalsa208sha256_str_verify","_crypto_pwhash_scryptsalsa208sha256_strbytes","_crypto_pwhash_scryptsalsa208sha256_strprefix","_crypto_pwhash_str","_crypto_pwhash_str_alg","_crypto_pwhash_str_needs_rehash","_crypto_pwhash_str_verify","_crypto_pwhash_strbytes","_crypto_pwhash_strprefix","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_crypto_scalarmult_curve25519","_crypto_scalarmult_curve25519_base","_crypto_scalarmult_curve25519_bytes","_crypto_scalarmult_curve25519_scalarbytes","_crypto_scalarmult_ed25519","_crypto_scalarmult_ed25519_base","_crypto_scalarmult_ed25519_base_noclamp","_crypto_scalarmult_ed25519_bytes","_crypto_scalarmult_ed25519_noclamp","_crypto_scalarmult_ed25519_scalarbytes","_crypto_scalarmult_primitive","_crypto_scalarmult_scalarbytes","_crypto_secretbox","_crypto_secretbox_boxzerobytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_keygen","_crypto_secretbox_macbytes","_crypto_secretbox_messagebytes_max","_crypto_secretbox_noncebytes","_crypto_secretbox_open","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_secretbox_primitive","_crypto_secretbox_xchacha20poly1305_detached","_crypto_secretbox_xchacha20poly1305_easy","_crypto_secretbox_xchacha20poly1305_keybytes","_crypto_secretbox_xchacha20poly1305_macbytes","_crypto_secretbox_xchacha20poly1305_messagebytes_max","_crypto_secretbox_xchacha20poly1305_noncebytes","_crypto_secretbox_xchacha20poly1305_open_detached","_crypto_secretbox_xchacha20poly1305_open_easy","_crypto_secretbox_xsalsa20poly1305","_crypto_secretbox_xsalsa20poly1305_boxzerobytes","_crypto_secretbox_xsalsa20poly1305_keybyte
s","_crypto_secretbox_xsalsa20poly1305_keygen","_crypto_secretbox_xsalsa20poly1305_macbytes","_crypto_secretbox_xsalsa20poly1305_messagebytes_max","_crypto_secretbox_xsalsa20poly1305_noncebytes","_crypto_secretbox_xsalsa20poly1305_open","_crypto_secretbox_xsalsa20poly1305_zerobytes","_crypto_secretbox_zerobytes","_crypto_secretstream_xchacha20poly1305_abytes","_crypto_secretstream_xchacha20poly1305_headerbytes","_crypto_secretstream_xchacha20poly1305_init_pull","_crypto_secretstream_xchacha20poly1305_init_push","_crypto_secretstream_xchacha20poly1305_keybytes","_crypto_secretstream_xchacha20poly1305_keygen","_crypto_secretstream_xchacha20poly1305_messagebytes_max","_crypto_secretstream_xchacha20poly1305_pull","_crypto_secretstream_xchacha20poly1305_push","_crypto_secretstream_xchacha20poly1305_rekey","_crypto_secretstream_xchacha20poly1305_statebytes","_crypto_secretstream_xchacha20poly1305_tag_final","_crypto_secretstream_xchacha20poly1305_tag_message","_crypto_secretstream_xchacha20poly1305_tag_push","_crypto_secretstream_xchacha20poly1305_tag_rekey","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_shorthash_keygen","_crypto_shorthash_primitive","_crypto_shorthash_siphash24","_crypto_shorthash_siphash24_bytes","_crypto_shorthash_siphash24_keybytes","_crypto_shorthash_siphashx24","_crypto_shorthash_siphashx24_bytes","_crypto_shorthash_siphashx24_keybytes","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519","_crypto_sign_ed25519_bytes","_crypto_sign_ed25519_detached","_crypto_sign_ed25519_keypair","_crypto_sign_ed25519_messagebytes_max","_crypto_sign_ed25519_open","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_publickeybytes","_crypto_sign_ed25519_secretkeybytes","_crypto_sign_ed25519_seed_keypair","_crypto_sign_ed25519_seedbytes","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_ed25519_sk_to_pk","_crypto_sign_ed25519_sk_to_seed","_crypto_sign_ed25519_verify_detached","_crypto_sign
_ed25519ph_final_create","_crypto_sign_ed25519ph_final_verify","_crypto_sign_ed25519ph_init","_crypto_sign_ed25519ph_statebytes","_crypto_sign_ed25519ph_update","_crypto_sign_final_create","_crypto_sign_final_verify","_crypto_sign_init","_crypto_sign_keypair","_crypto_sign_messagebytes_max","_crypto_sign_open","_crypto_sign_primitive","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_statebytes","_crypto_sign_update","_crypto_sign_verify_detached","_crypto_stream","_crypto_stream_chacha20","_crypto_stream_chacha20_ietf","_crypto_stream_chacha20_ietf_keybytes","_crypto_stream_chacha20_ietf_keygen","_crypto_stream_chacha20_ietf_messagebytes_max","_crypto_stream_chacha20_ietf_noncebytes","_crypto_stream_chacha20_ietf_xor","_crypto_stream_chacha20_ietf_xor_ic","_crypto_stream_chacha20_keybytes","_crypto_stream_chacha20_keygen","_crypto_stream_chacha20_messagebytes_max","_crypto_stream_chacha20_noncebytes","_crypto_stream_chacha20_xor","_crypto_stream_chacha20_xor_ic","_crypto_stream_keybytes","_crypto_stream_keygen","_crypto_stream_messagebytes_max","_crypto_stream_noncebytes","_crypto_stream_primitive","_crypto_stream_salsa20","_crypto_stream_salsa2012","_crypto_stream_salsa2012_keybytes","_crypto_stream_salsa2012_keygen","_crypto_stream_salsa2012_messagebytes_max","_crypto_stream_salsa2012_noncebytes","_crypto_stream_salsa2012_xor","_crypto_stream_salsa208","_crypto_stream_salsa208_keybytes","_crypto_stream_salsa208_keygen","_crypto_stream_salsa208_messagebytes_max","_crypto_stream_salsa208_noncebytes","_crypto_stream_salsa208_xor","_crypto_stream_salsa20_keybytes","_crypto_stream_salsa20_keygen","_crypto_stream_salsa20_messagebytes_max","_crypto_stream_salsa20_noncebytes","_crypto_stream_salsa20_xor","_crypto_stream_salsa20_xor_ic","_crypto_stream_xchacha20","_crypto_stream_xchacha20_keybytes","_crypto_stream_xchacha20_keygen","_crypto_stream_xchacha20_messagebytes_max","_crypto_stream_xchac
ha20_noncebytes","_crypto_stream_xchacha20_xor","_crypto_stream_xchacha20_xor_ic","_crypto_stream_xor","_crypto_stream_xsalsa20","_crypto_stream_xsalsa20_keybytes","_crypto_stream_xsalsa20_keygen","_crypto_stream_xsalsa20_messagebytes_max","_crypto_stream_xsalsa20_noncebytes","_crypto_stream_xsalsa20_xor","_crypto_stream_xsalsa20_xor_ic","_crypto_verify_16","_crypto_verify_16_bytes","_crypto_verify_32","_crypto_verify_32_bytes","_crypto_verify_64","_crypto_verify_64_bytes","_randombytes","_randombytes_buf","_randombytes_buf_deterministic","_randombytes_close","_randombytes_implementation_name","_randombytes_random","_randombytes_seedbytes","_randombytes_stir","_randombytes_uniform","_sodium_base642bin","_sodium_base64_encoded_len","_sodium_bin2base64","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_minimal","_sodium_library_version_major","_sodium_library_version_minor","_sodium_pad","_sodium_unpad","_sodium_version_string"]'
export EXPORTED_RUNTIME_METHODS='["Pointer_stringify","getValue","setValue"]'
export TOTAL_MEMORY=16777216
-export TOTAL_MEMORY_SUMO=83886080
-export TOTAL_MEMORY_TESTS=167772160
+export TOTAL_MEMORY_SUMO=16777216
+export TOTAL_MEMORY_TESTS=16777216
export LDFLAGS="-s RESERVED_FUNCTION_POINTERS=8"
+export LDFLAGS="${LDFLAGS} -s ALLOW_MEMORY_GROWTH=1"
export LDFLAGS="${LDFLAGS} -s SINGLE_FILE=1"
export LDFLAGS="${LDFLAGS} -s ASSERTIONS=0"
export LDFLAGS="${LDFLAGS} -s AGGRESSIVE_VARIABLE_ELIMINATION=1 -s ALIASING_FUNCTION_POINTERS=1"
@@ -95,10 +96,10 @@ if [ "$DIST" = yes ]; then
Module['TOTAL_MEMORY'] = root['sodium']['totalMemory'];
}
var _Module = Module;
- Module.ready = new Promise(function (resolve, reject) {
+ Module.ready = new Promise(function(resolve, reject) {
var Module = _Module;
Module.onAbort = reject;
- Module.onRuntimeInitialized = function () {
+ Module.onRuntimeInitialized = function() {
try {
/* Test arbitrary wasm function */
Module._crypto_secretbox_keybytes();
@@ -107,7 +108,7 @@ if [ "$DIST" = yes ]; then
reject(err);
}
};
- Module.useBackupModule = function () {
+ Module.useBackupModule = function() {
var Module = _Module;
Object.keys(Module).forEach(function(k) {
if (k !== 'getRandomValue') {
@@ -117,7 +118,7 @@ if [ "$DIST" = yes ]; then
$(cat "${PREFIX}/lib/libsodium.asm.tmp.js" | sed 's|use asm||g')
};
$(cat "${PREFIX}/lib/libsodium.wasm.tmp.js")
- }).catch(function () {
+ }).catch(function() {
_Module.useBackupModule();
});
EOM
diff --git a/dist-build/generate-emscripten-symbols.sh b/dist-build/generate-emscripten-symbols.sh
index 78cbffd4..873307d2 100755
--- a/dist-build/generate-emscripten-symbols.sh
+++ b/dist-build/generate-emscripten-symbols.sh
@@ -17,7 +17,7 @@ symbols() {
fi
done < emscripten-symbols.def
- nm /usr/local/lib/libsodium.23.dylib | \
+ /usr/bin/nm /usr/local/lib/libsodium.23.dylib | \
fgrep ' T _' | \
cut -d' ' -f3 | {
while read symbol; do
diff --git a/dist-build/ios.sh b/dist-build/ios.sh
index b51eaf29..0575b090 100755
--- a/dist-build/ios.sh
+++ b/dist-build/ios.sh
@@ -17,14 +17,8 @@ export SIMULATOR32_PREFIX="$PREFIX/tmp/simulator32"
export SIMULATOR64_PREFIX="$PREFIX/tmp/simulator64"
export XCODEDIR=$(xcode-select -p)
-xcode_major=$(xcodebuild -version|egrep '^Xcode '|cut -d' ' -f2|cut -d. -f1)
-if [ $xcode_major -ge 8 ]; then
- export IOS_SIMULATOR_VERSION_MIN=${IOS_SIMULATOR_VERSION_MIN-"6.0.0"}
- export IOS_VERSION_MIN=${IOS_VERSION_MIN-"6.0.0"}
-else
- export IOS_SIMULATOR_VERSION_MIN=${IOS_SIMULATOR_VERSION_MIN-"5.1.1"}
- export IOS_VERSION_MIN=${IOS_VERSION_MIN-"5.1.1"}
-fi
+export IOS_SIMULATOR_VERSION_MIN=${IOS_SIMULATOR_VERSION_MIN-"6.0.0"}
+export IOS_VERSION_MIN=${IOS_VERSION_MIN-"6.0.0"}
mkdir -p $SIMULATOR32_PREFIX $SIMULATOR64_PREFIX $IOS32_PREFIX $IOS32s_PREFIX $IOS64_PREFIX || exit 1
diff --git a/dist-build/watchos.sh b/dist-build/watchos.sh
new file mode 100755
index 00000000..60ab4b4e
--- /dev/null
+++ b/dist-build/watchos.sh
@@ -0,0 +1,114 @@
+#! /bin/sh
+#
+# Step 1.
+# Configure for base system so simulator is covered
+#
+# Step 2.
+# Make for watchOS and watchOS simulator
+#
+# Step 3.
+# Merge libs into final version for xcode import
+
+export PREFIX="$(pwd)/libsodium-watchos"
+export WATCHOS32_PREFIX="$PREFIX/tmp/watchos32"
+export WATCHOS64_32_PREFIX="$PREFIX/tmp/watchos64_32"
+export SIMULATOR32_PREFIX="$PREFIX/tmp/simulator32"
+export SIMULATOR64_PREFIX="$PREFIX/tmp/simulator64"
+export XCODEDIR=$(xcode-select -p)
+
+export WATCHOS_SIMULATOR_VERSION_MIN=${WATCHOS_SIMULATOR_VERSION_MIN-"4.0.0"}
+export WATCHOS_VERSION_MIN=${WATCHOS_VERSION_MIN-"4.0.0"}
+
+mkdir -p $SIMULATOR32_PREFIX $SIMULATOR64_PREFIX $WATCHOS32_PREFIX $WATCHOS64_32_PREFIX || exit 1
+
+# Build for the simulator
+export BASEDIR="${XCODEDIR}/Platforms/WatchSimulator.platform/Developer"
+export PATH="${BASEDIR}/usr/bin:$BASEDIR/usr/sbin:$PATH"
+export SDK="${BASEDIR}/SDKs/WatchSimulator.sdk"
+
+## i386 simulator
+export CFLAGS="-O2 -arch i386 -isysroot ${SDK} -mwatchos-simulator-version-min=${WATCHOS_SIMULATOR_VERSION_MIN}"
+export LDFLAGS="-arch i386 -isysroot ${SDK} -mwatchos-simulator-version-min=${WATCHOS_SIMULATOR_VERSION_MIN}"
+
+make distclean > /dev/null
+
+if [ -z "$LIBSODIUM_FULL_BUILD" ]; then
+ export LIBSODIUM_ENABLE_MINIMAL_FLAG="--enable-minimal"
+else
+ export LIBSODIUM_ENABLE_MINIMAL_FLAG=""
+fi
+
+./configure --host=i686-apple-darwin10 \
+ --disable-shared \
+ ${LIBSODIUM_ENABLE_MINIMAL_FLAG} \
+ --prefix="$SIMULATOR32_PREFIX" || exit 1
+
+
+NPROCESSORS=$(getconf NPROCESSORS_ONLN 2>/dev/null || getconf _NPROCESSORS_ONLN 2>/dev/null)
+PROCESSORS=${NPROCESSORS:-3}
+
+make -j${PROCESSORS} install || exit 1
+
+## x86_64 simulator
+export CFLAGS="-O2 -arch x86_64 -isysroot ${SDK} -mwatchos-simulator-version-min=${WATCHOS_SIMULATOR_VERSION_MIN}"
+export LDFLAGS="-arch x86_64 -isysroot ${SDK} -mwatchos-simulator-version-min=${WATCHOS_SIMULATOR_VERSION_MIN}"
+
+make distclean > /dev/null
+
+./configure --host=x86_64-apple-darwin10 \
+ --disable-shared \
+ ${LIBSODIUM_ENABLE_MINIMAL_FLAG} \
+ --prefix="$SIMULATOR64_PREFIX"
+
+make -j${PROCESSORS} install || exit 1
+
+# Build for watchOS
+export BASEDIR="${XCODEDIR}/Platforms/WatchOS.platform/Developer"
+export PATH="${BASEDIR}/usr/bin:$BASEDIR/usr/sbin:$PATH"
+export SDK="${BASEDIR}/SDKs/WatchOS.sdk"
+
+## 32-bit watchOS
+export CFLAGS="-fembed-bitcode -O2 -mthumb -arch armv7k -isysroot ${SDK} -mwatchos-version-min=${WATCHOS_VERSION_MIN}"
+export LDFLAGS="-fembed-bitcode -mthumb -arch armv7k -isysroot ${SDK} -mwatchos-version-min=${WATCHOS_VERSION_MIN}"
+
+make distclean > /dev/null
+
+./configure --host=arm-apple-darwin10 \
+ --disable-shared \
+ ${LIBSODIUM_ENABLE_MINIMAL_FLAG} \
+ --prefix="$WATCHOS32_PREFIX" || exit 1
+
+make -j${PROCESSORS} install || exit 1
+
+## 64-bit arm64_32 watchOS
+export CFLAGS="-fembed-bitcode -O2 -mthumb -arch arm64_32 -isysroot ${SDK} -mwatchos-version-min=${WATCHOS_VERSION_MIN}"
+export LDFLAGS="-fembed-bitcode -mthumb -arch arm64_32 -isysroot ${SDK} -mwatchos-version-min=${WATCHOS_VERSION_MIN}"
+
+make distclean > /dev/null
+
+./configure --host=arm-apple-darwin10 \
+ --disable-shared \
+ ${LIBSODIUM_ENABLE_MINIMAL_FLAG} \
+ --prefix="$WATCHOS64_32_PREFIX" || exit 1
+
+make -j${PROCESSORS} install || exit 1
+
+# Create universal binary and include folder
+rm -fr -- "$PREFIX/include" "$PREFIX/libsodium.a" 2> /dev/null
+mkdir -p -- "$PREFIX/lib"
+lipo -create \
+ "$SIMULATOR32_PREFIX/lib/libsodium.a" \
+ "$SIMULATOR64_PREFIX/lib/libsodium.a" \
+ "$WATCHOS32_PREFIX/lib/libsodium.a" \
+ "$WATCHOS64_32_PREFIX/lib/libsodium.a" \
+ -output "$PREFIX/lib/libsodium.a"
+mv -f -- "$WATCHOS32_PREFIX/include" "$PREFIX/"
+
+echo
+echo "libsodium has been installed into $PREFIX"
+echo
+file -- "$PREFIX/lib/libsodium.a"
+
+# Cleanup
+rm -rf -- "$PREFIX/tmp"
+make distclean > /dev/null
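Review bot: The `lipo -create` step has no `|| exit 1`, and the `rm -fr` just before it removes `$PREFIX/libsodium.a` rather than the `$PREFIX/lib/libsodium.a` that lipo writes. A failed merge can therefore leave an archive from an earlier run in place while the script still prints "libsodium has been installed" and deletes `$PREFIX/tmp`. Ending the lipo command with `-output "$PREFIX/lib/libsodium.a" || exit 1` and changing the cleanup to `rm -fr -- "$PREFIX/include" "$PREFIX/lib/libsodium.a"` would close that gap. The x86_64 simulator `./configure` is also the only one of the four without a failure check; `--prefix="$SIMULATOR64_PREFIX" || exit 1` would match the others.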
diff --git a/lgtm.yml b/lgtm.yml
new file mode 100644
index 00000000..f012f94d
--- /dev/null
+++ b/lgtm.yml
@@ -0,0 +1,6 @@
+extraction:
+ cpp:
+ configure:
+ command:
+ - ./autogen.sh
+ - ./configure
\ No newline at end of file
diff --git a/libsodium.vcxproj b/libsodium.vcxproj
index eec2a525..63d5f956 100644
--- a/libsodium.vcxproj
+++ b/libsodium.vcxproj
@@ -497,6 +497,7 @@
+
diff --git a/libsodium.vcxproj.filters b/libsodium.vcxproj.filters
index 8325e43c..b4a4ea96 100644
--- a/libsodium.vcxproj.filters
+++ b/libsodium.vcxproj.filters
@@ -557,6 +557,9 @@
Header Files
+
+ Header Files
+
Header Files
diff --git a/msvc-scripts/Makefile.in b/msvc-scripts/Makefile.in
index 950e6579..f1f08897 100644
--- a/msvc-scripts/Makefile.in
+++ b/msvc-scripts/Makefile.in
@@ -185,7 +185,6 @@ INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-ISODATE = @ISODATE@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
diff --git a/msvc-scripts/process.bat b/msvc-scripts/process.bat
index 84c44786..fdaeaecf 100755
--- a/msvc-scripts/process.bat
+++ b/msvc-scripts/process.bat
@@ -1,5 +1,5 @@
-cscript msvc-scripts/rep.vbs //Nologo s/@VERSION@/1.0.16/ < src\libsodium\include\sodium\version.h.in > tmp
+cscript msvc-scripts/rep.vbs //Nologo s/@VERSION@/1.0.17/ < src\libsodium\include\sodium\version.h.in > tmp
cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_VERSION_MAJOR@/10/ < tmp > tmp2
-cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_VERSION_MINOR@/1/ < tmp2 > tmp3
+cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_VERSION_MINOR@/2/ < tmp2 > tmp3
cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_MINIMAL_DEF@// < tmp3 > src\libsodium\include\sodium\version.h
del tmp tmp2 tmp3
diff --git a/packaging/dotnet-core/README.md b/packaging/dotnet-core/README.md
index 0521ce3c..462ec29f 100644
--- a/packaging/dotnet-core/README.md
+++ b/packaging/dotnet-core/README.md
@@ -31,15 +31,15 @@ Version numbers for the packages for .NET Core consist of three components:
It may be necessary to release more than one package for a libsodium version,
e.g., when adding support for a new platform or if a release contains a broken
binary. In this case, a package revision number is added as a fourth part to
- the libsodium version, starting at `1`. For example, `1.0.16` is the initial
- release of the package for libsodium 1.0.16 and `1.0.16.5` is the fifth
+ the libsodium version, starting at `1`. For example, `1.0.17` is the initial
+ release of the package for libsodium 1.0.17 and `1.0.17.5` is the fifth
revision (sixth release) of that package.
* *pre-release label*
If a package is a pre-release, a label is appended to the version number in
`-preview-##` format where `##` is the number of the pre-release, starting at
- `01`. For example, `1.0.16-preview-01` is the first pre-release of the package
- for libsodium 1.0.16 and `1.0.16.5-preview-02` the second pre-release of the
- fifth revision of the package for libsodium 1.0.16.
+ `01`. For example, `1.0.17-preview-01` is the first pre-release of the package
+ for libsodium 1.0.17 and `1.0.17.5-preview-02` the second pre-release of the
+ fifth revision of the package for libsodium 1.0.17.
**Making a release**
diff --git a/packaging/dotnet-core/libsodium.props b/packaging/dotnet-core/libsodium.props
index b72266ef..32a1c0f5 100644
--- a/packaging/dotnet-core/libsodium.props
+++ b/packaging/dotnet-core/libsodium.props
@@ -15,7 +15,7 @@
Frank Denis
Internal implementation package not meant for direct consumption. Please do not reference directly.
- © 2013-2017 Frank Denis
+ © 2013-2019 Frank Denis
true
https://raw.githubusercontent.com/jedisct1/libsodium/master/LICENSE
https://libsodium.org/
diff --git a/packaging/dotnet-core/prepare.py b/packaging/dotnet-core/prepare.py
index 50e6e7fa..29710d75 100755
--- a/packaging/dotnet-core/prepare.py
+++ b/packaging/dotnet-core/prepare.py
@@ -170,13 +170,13 @@ def main(args):
print(' python3 prepare.py ')
print()
print('Examples:')
- print(' python3 prepare.py 1.0.16-preview-01')
- print(' python3 prepare.py 1.0.16-preview-02')
- print(' python3 prepare.py 1.0.16-preview-03')
- print(' python3 prepare.py 1.0.16')
- print(' python3 prepare.py 1.0.16.1-preview-01')
- print(' python3 prepare.py 1.0.16.1')
- print(' python3 prepare.py 1.0.16.2')
+ print(' python3 prepare.py 1.0.17-preview-01')
+ print(' python3 prepare.py 1.0.17-preview-02')
+ print(' python3 prepare.py 1.0.17-preview-03')
+ print(' python3 prepare.py 1.0.17')
+ print(' python3 prepare.py 1.0.17.1-preview-01')
+ print(' python3 prepare.py 1.0.17.1')
+ print(' python3 prepare.py 1.0.17.2')
return 1
version = Version(m.group(2), m.group(0))
diff --git a/packaging/nuget/package.config b/packaging/nuget/package.config
index ffac6538..3e678873 100644
--- a/packaging/nuget/package.config
+++ b/packaging/nuget/package.config
@@ -1,4 +1,4 @@
-
+
diff --git a/packaging/nuget/package.gsl b/packaging/nuget/package.gsl
index b1b0aa24..5b255e5e 100644
--- a/packaging/nuget/package.gsl
+++ b/packaging/nuget/package.gsl
@@ -27,7 +27,7 @@
Sodium is a portable, cross-compilable, installable, packageable fork of NaCl, with a compatible API.
Portable fork of NaCl, packaged for Visual Studio 2013 (v120) and CTP_Nov2013 compilers.
https://raw.github.com/jedisct1/libsodium/master/ChangeLog
- (c) 2013-2017, Frank Denis (attribution required)
+ (c) 2013-2019, Frank Denis (attribution required)
native, NaCl, salt, sodium, libsodium, C++
.for dependency
@@ -257,4 +257,4 @@
-
\ No newline at end of file
+
diff --git a/regen-msvc/regen-msvc.py b/regen-msvc/regen-msvc.py
index 726eed70..d32fbe04 100755
--- a/regen-msvc/regen-msvc.py
+++ b/regen-msvc/regen-msvc.py
@@ -1,6 +1,5 @@
#! /usr/bin/env python3
-import fileinput
import glob
import os
import uuid
diff --git a/src/Makefile.in b/src/Makefile.in
index 0cb84d69..a4d6091e 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -245,7 +245,6 @@ INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-ISODATE = @ISODATE@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am
index cbac4d19..2c3d210f 100644
--- a/src/libsodium/Makefile.am
+++ b/src/libsodium/Makefile.am
@@ -82,6 +82,7 @@ libsodium_la_SOURCES = \
crypto_stream/salsa20/stream_salsa20.h \
crypto_stream/xsalsa20/stream_xsalsa20.c \
crypto_verify/sodium/verify.c \
+ include/sodium/private/chacha20_ietf_ext.h \
include/sodium/private/common.h \
include/sodium/private/ed25519_ref10.h \
include/sodium/private/implementations.h \
diff --git a/src/libsodium/Makefile.in b/src/libsodium/Makefile.in
index de7d7d80..c4884aa6 100644
--- a/src/libsodium/Makefile.in
+++ b/src/libsodium/Makefile.in
@@ -327,7 +327,9 @@ am__libsodium_la_SOURCES_DIST = \
crypto_stream/salsa20/stream_salsa20.c \
crypto_stream/salsa20/stream_salsa20.h \
crypto_stream/xsalsa20/stream_xsalsa20.c \
- crypto_verify/sodium/verify.c include/sodium/private/common.h \
+ crypto_verify/sodium/verify.c \
+ include/sodium/private/chacha20_ietf_ext.h \
+ include/sodium/private/common.h \
include/sodium/private/ed25519_ref10.h \
include/sodium/private/implementations.h \
include/sodium/private/mutex.h \
@@ -803,7 +805,6 @@ INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-ISODATE = @ISODATE@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
@@ -982,7 +983,9 @@ libsodium_la_SOURCES = \
crypto_stream/salsa20/stream_salsa20.c \
crypto_stream/salsa20/stream_salsa20.h \
crypto_stream/xsalsa20/stream_xsalsa20.c \
- crypto_verify/sodium/verify.c include/sodium/private/common.h \
+ crypto_verify/sodium/verify.c \
+ include/sodium/private/chacha20_ietf_ext.h \
+ include/sodium/private/common.h \
include/sodium/private/ed25519_ref10.h \
include/sodium/private/implementations.h \
include/sodium/private/mutex.h \
diff --git a/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c b/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c
index dc54bca7..69707a68 100644
--- a/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c
+++ b/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c
@@ -51,10 +51,10 @@ _bswap64(const uint64_t x)
}
#endif
-typedef struct context {
- CRYPTO_ALIGN(16) unsigned char H[16];
- __m128i rkeys[16];
-} context;
+typedef struct aes256gcm_state {
+ __m128i rkeys[16];
+ unsigned char H[16];
+} aes256gcm_state;
static inline void
aesni_key256_expand(const unsigned char *key, __m128i * const rkeys)
@@ -488,10 +488,10 @@ int
crypto_aead_aes256gcm_beforenm(crypto_aead_aes256gcm_state *ctx_,
const unsigned char *k)
{
- context *ctx = (context *) ctx_;
- __m128i *rkeys = ctx->rkeys;
- __m128i zero = _mm_setzero_si128();
- unsigned char *H = ctx->H;
+ aes256gcm_state *ctx = (aes256gcm_state *) (void *) ctx_;
+ unsigned char *H = ctx->H;
+ __m128i *rkeys = ctx->rkeys;
+ __m128i zero = _mm_setzero_si128();
COMPILER_ASSERT((sizeof *ctx_) >= (sizeof *ctx));
aesni_key256_expand(k, rkeys);
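Review bot: The new cast `(aes256gcm_state *) (void *) ctx_` goes through `void *`, which presumably silences cast-alignment diagnostics, while the only compile-time check kept here is the size comparison in `COMPILER_ASSERT((sizeof *ctx_) >= (sizeof *ctx))`. Because `rkeys` is an array of `__m128i` and `H` no longer carries `CRYPTO_ALIGN(16)`, the code relies on `crypto_aead_aes256gcm_state` itself being at least 16-byte aligned; its declaration is not in this diff, so that should be confirmed. I would state the requirement next to the cast, e.g. `/* ctx_ must be 16-byte aligned: rkeys is accessed as __m128i */`. The same applies to the two `(const void *)` casts in the encrypt_detached_afternm and decrypt_detached_afternm hunks. The body of crypto_aead_aes256gcm_beforenm continues outside this hunk.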
@@ -509,13 +509,13 @@ crypto_aead_aes256gcm_encrypt_detached_afternm(unsigned char *c,
const unsigned char *npub,
const crypto_aead_aes256gcm_state *ctx_)
{
- const __m128i rev = _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15);
- const context *ctx = (const context *) ctx_;
- const __m128i *rkeys = ctx->rkeys;
- __m128i Hv, H2v, H3v, H4v, accv;
- unsigned long long i, j;
- unsigned long long adlen_rnd64 = adlen & ~63ULL;
- unsigned long long mlen_rnd128 = mlen & ~127ULL;
+ const __m128i rev = _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15);
+ const aes256gcm_state *ctx = (const aes256gcm_state *) (const void *) ctx_;
+ const __m128i *rkeys = ctx->rkeys;
+ __m128i Hv, H2v, H3v, H4v, accv;
+ unsigned long long i, j;
+ unsigned long long adlen_rnd64 = adlen & ~63ULL;
+ unsigned long long mlen_rnd128 = mlen & ~127ULL;
CRYPTO_ALIGN(16) uint32_t n2[4];
CRYPTO_ALIGN(16) unsigned char H[16];
CRYPTO_ALIGN(16) unsigned char T[16];
@@ -647,14 +647,14 @@ crypto_aead_aes256gcm_decrypt_detached_afternm(unsigned char *m, unsigned char *
const unsigned char *npub,
const crypto_aead_aes256gcm_state *ctx_)
{
- const __m128i rev = _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15);
- const context *ctx = (const context *) ctx_;
- const __m128i *rkeys = ctx->rkeys;
- __m128i Hv, H2v, H3v, H4v, accv;
- unsigned long long i, j;
- unsigned long long adlen_rnd64 = adlen & ~63ULL;
- unsigned long long mlen;
- unsigned long long mlen_rnd128;
+ const __m128i rev = _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15);
+ const aes256gcm_state *ctx = (const aes256gcm_state *) (const void *) ctx_;
+ const __m128i *rkeys = ctx->rkeys;
+ __m128i Hv, H2v, H3v, H4v, accv;
+ unsigned long long i, j;
+ unsigned long long adlen_rnd64 = adlen & ~63ULL;
+ unsigned long long mlen;
+ unsigned long long mlen_rnd128;
CRYPTO_ALIGN(16) uint32_t n2[4];
CRYPTO_ALIGN(16) unsigned char H[16];
CRYPTO_ALIGN(16) unsigned char T[16];
@@ -862,7 +862,7 @@ crypto_aead_aes256gcm_encrypt(unsigned char *c,
ret = crypto_aead_aes256gcm_encrypt_afternm
(c, clen_p, m, mlen, ad, adlen, nsec, npub,
(const crypto_aead_aes256gcm_state *) &ctx);
- sodium_memzero(ctx, sizeof ctx);
+ sodium_memzero(&ctx, sizeof ctx);
return ret;
}
@@ -906,7 +906,7 @@ crypto_aead_aes256gcm_decrypt(unsigned char *m,
ret = crypto_aead_aes256gcm_decrypt_afternm
(m, mlen_p, nsec, c, clen, ad, adlen, npub,
(const crypto_aead_aes256gcm_state *) &ctx);
- sodium_memzero(ctx, sizeof ctx);
+ sodium_memzero(&ctx, sizeof ctx);
return ret;
}
diff --git a/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c b/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c
index c79407a1..c3540879 100644
--- a/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c
+++ b/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c
@@ -12,6 +12,7 @@
#include "randombytes.h"
#include "utils.h"
+#include "private/chacha20_ietf_ext.h"
#include "private/common.h"
static const unsigned char _pad0[16] = { 0 };
diff --git a/src/libsodium/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c b/src/libsodium/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c
index 04971a82..07e36557 100644
--- a/src/libsodium/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c
+++ b/src/libsodium/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c
@@ -5,14 +5,118 @@
#include
#include "core.h"
-#include "crypto_aead_xchacha20poly1305.h"
#include "crypto_aead_chacha20poly1305.h"
+#include "crypto_aead_xchacha20poly1305.h"
#include "crypto_core_hchacha20.h"
+#include "crypto_onetimeauth_poly1305.h"
+#include "crypto_stream_chacha20.h"
+#include "crypto_verify_16.h"
#include "randombytes.h"
#include "utils.h"
+#include "private/chacha20_ietf_ext.h"
#include "private/common.h"
+static const unsigned char _pad0[16] = { 0 };
+
+static int
+_encrypt_detached(unsigned char *c,
+ unsigned char *mac,
+ unsigned long long *maclen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ crypto_onetimeauth_poly1305_state state;
+ unsigned char block0[64U];
+ unsigned char slen[8U];
+
+ (void) nsec;
+ crypto_stream_chacha20_ietf_ext(block0, sizeof block0, npub, k);
+ crypto_onetimeauth_poly1305_init(&state, block0);
+ sodium_memzero(block0, sizeof block0);
+
+ crypto_onetimeauth_poly1305_update(&state, ad, adlen);
+ crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - adlen) & 0xf);
+
+ crypto_stream_chacha20_ietf_ext_xor_ic(c, m, mlen, npub, 1U, k);
+
+ crypto_onetimeauth_poly1305_update(&state, c, mlen);
+ crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf);
+
+ STORE64_LE(slen, (uint64_t) adlen);
+ crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
+
+ STORE64_LE(slen, (uint64_t) mlen);
+ crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
+
+ crypto_onetimeauth_poly1305_final(&state, mac);
+ sodium_memzero(&state, sizeof state);
+
+ if (maclen_p != NULL) {
+ *maclen_p = crypto_aead_chacha20poly1305_ietf_ABYTES;
+ }
+ return 0;
+}
+
+static int
+_decrypt_detached(unsigned char *m,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *mac,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ crypto_onetimeauth_poly1305_state state;
+ unsigned char block0[64U];
+ unsigned char slen[8U];
+ unsigned char computed_mac[crypto_aead_chacha20poly1305_ietf_ABYTES];
+ unsigned long long mlen;
+ int ret;
+
+ (void) nsec;
+ crypto_stream_chacha20_ietf_ext(block0, sizeof block0, npub, k);
+ crypto_onetimeauth_poly1305_init(&state, block0);
+ sodium_memzero(block0, sizeof block0);
+
+ crypto_onetimeauth_poly1305_update(&state, ad, adlen);
+ crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - adlen) & 0xf);
+
+ mlen = clen;
+ crypto_onetimeauth_poly1305_update(&state, c, mlen);
+ crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf);
+
+ STORE64_LE(slen, (uint64_t) adlen);
+ crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
+
+ STORE64_LE(slen, (uint64_t) mlen);
+ crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
+
+ crypto_onetimeauth_poly1305_final(&state, computed_mac);
+ sodium_memzero(&state, sizeof state);
+
+ COMPILER_ASSERT(sizeof computed_mac == 16U);
+ ret = crypto_verify_16(computed_mac, mac);
+ sodium_memzero(computed_mac, sizeof computed_mac);
+ if (m == NULL) {
+ return ret;
+ }
+ if (ret != 0) {
+ memset(m, 0, mlen);
+ return -1;
+ }
+ crypto_stream_chacha20_ietf_ext_xor_ic(m, c, mlen, npub, 1U, k);
+
+ return 0;
+}
+
int
crypto_aead_xchacha20poly1305_ietf_encrypt_detached(unsigned char *c,
unsigned char *mac,
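Review bot: `_encrypt_detached` and `_decrypt_detached` are added without a header comment, and the decrypt helper's order of operations is security-relevant enough to state: it checks the tag with `crypto_verify_16` before producing any plaintext, returns only the verification result when `m == NULL`, and zero-fills `m` on a bad tag. A short comment on each helper should say that, and also why this file carries its own copy built on the `crypto_stream_chacha20_ietf_ext*` calls instead of the `crypto_aead_chacha20poly1305_ietf_*_detached` functions it replaces in the later hunks; the reason is not visible here. Both helpers size the tag with `crypto_aead_chacha20poly1305_ietf_ABYTES`, whereas `crypto_aead_xchacha20poly1305_ietf_decrypt` further down uses `crypto_aead_xchacha20poly1305_ietf_ABYTES`, and using the latter throughout would keep the file self-consistent. File-scope names that begin with an underscore (`_pad0`, `_encrypt_detached`, `_decrypt_detached`) are reserved identifiers in C, so a plain prefix would be safer.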
@@ -32,8 +136,8 @@ crypto_aead_xchacha20poly1305_ietf_encrypt_detached(unsigned char *c,
crypto_core_hchacha20(k2, npub, k, NULL);
memcpy(npub2 + 4, npub + crypto_core_hchacha20_INPUTBYTES,
crypto_aead_chacha20poly1305_ietf_NPUBBYTES - 4);
- ret = crypto_aead_chacha20poly1305_ietf_encrypt_detached
- (c, mac, maclen_p, m, mlen, ad, adlen, nsec, npub2, k2);
+ ret = _encrypt_detached(c, mac, maclen_p, m, mlen, ad, adlen,
+ nsec, npub2, k2);
sodium_memzero(k2, crypto_core_hchacha20_OUTPUTBYTES);
return ret;
@@ -85,12 +189,10 @@ crypto_aead_xchacha20poly1305_ietf_decrypt_detached(unsigned char *m,
crypto_core_hchacha20(k2, npub, k, NULL);
memcpy(npub2 + 4, npub + crypto_core_hchacha20_INPUTBYTES,
crypto_aead_chacha20poly1305_ietf_NPUBBYTES - 4);
- ret = crypto_aead_chacha20poly1305_ietf_decrypt_detached
- (m, nsec, c, clen, mac, ad, adlen, npub2, k2);
+ ret = _decrypt_detached(m, nsec, c, clen, mac, ad, adlen, npub2, k2);
sodium_memzero(k2, crypto_core_hchacha20_OUTPUTBYTES);
return ret;
-
}
int
@@ -105,7 +207,7 @@ crypto_aead_xchacha20poly1305_ietf_decrypt(unsigned char *m,
const unsigned char *k)
{
unsigned long long mlen = 0ULL;
- int ret = -1;
+ int ret = -1;
if (clen >= crypto_aead_xchacha20poly1305_ietf_ABYTES) {
ret = crypto_aead_xchacha20poly1305_ietf_decrypt_detached
diff --git a/src/libsodium/crypto_core/ed25519/core_ed25519.c b/src/libsodium/crypto_core/ed25519/core_ed25519.c
index 1bcf5022..15c004b9 100644
--- a/src/libsodium/crypto_core/ed25519/core_ed25519.c
+++ b/src/libsodium/crypto_core/ed25519/core_ed25519.c
@@ -1,7 +1,11 @@
+#include
+
#include "crypto_core_ed25519.h"
#include "private/common.h"
#include "private/ed25519_ref10.h"
+#include "randombytes.h"
+#include "utils.h"
int
crypto_core_ed25519_is_valid_point(const unsigned char *p)
@@ -66,14 +70,126 @@ crypto_core_ed25519_from_uniform(unsigned char *p, const unsigned char *r)
return - ge25519_has_small_order(p);
}
+void
+crypto_core_ed25519_scalar_random(unsigned char *r)
+{
+ do {
+ randombytes_buf(r, crypto_core_ed25519_SCALARBYTES);
+ r[crypto_core_ed25519_SCALARBYTES - 1] &= 0x1f;
+ } while (sc25519_is_canonical(r) == 0 ||
+ sodium_is_zero(r, crypto_core_ed25519_SCALARBYTES));
+}
+
+int
+crypto_core_ed25519_scalar_invert(unsigned char *recip, const unsigned char *s)
+{
+ sc25519_invert(recip, s);
+
+ return - sodium_is_zero(s, crypto_core_ed25519_SCALARBYTES);
+}
+
+/* 2^252+27742317777372353535851937790883648493 */
+static const unsigned char L[] = {
+ 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7,
+ 0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
+};
+
+void
+crypto_core_ed25519_scalar_negate(unsigned char *neg, const unsigned char *s)
+{
+ unsigned char t_[crypto_core_ed25519_NONREDUCEDSCALARBYTES];
+ unsigned char s_[crypto_core_ed25519_NONREDUCEDSCALARBYTES];
+
+ COMPILER_ASSERT(crypto_core_ed25519_NONREDUCEDSCALARBYTES >=
+ 2 * crypto_core_ed25519_SCALARBYTES);
+ memset(t_, 0, sizeof t_);
+ memset(s_, 0, sizeof s_);
+ memcpy(t_ + crypto_core_ed25519_SCALARBYTES, L,
+ crypto_core_ed25519_SCALARBYTES);
+ memcpy(s_, s, crypto_core_ed25519_SCALARBYTES);
+ sodium_sub(t_, s_, sizeof t_);
+ sc25519_reduce(t_);
+ memcpy(neg, t_, crypto_core_ed25519_SCALARBYTES);
+}
+
+void
+crypto_core_ed25519_scalar_complement(unsigned char *comp,
+ const unsigned char *s)
+{
+ unsigned char t_[crypto_core_ed25519_NONREDUCEDSCALARBYTES];
+ unsigned char s_[crypto_core_ed25519_NONREDUCEDSCALARBYTES];
+
+ COMPILER_ASSERT(crypto_core_ed25519_NONREDUCEDSCALARBYTES >=
+ 2 * crypto_core_ed25519_SCALARBYTES);
+ memset(t_, 0, sizeof t_);
+ memset(s_, 0, sizeof s_);
+ t_[0]++;
+ memcpy(t_ + crypto_core_ed25519_SCALARBYTES, L,
+ crypto_core_ed25519_SCALARBYTES);
+ memcpy(s_, s, crypto_core_ed25519_SCALARBYTES);
+ sodium_sub(t_, s_, sizeof t_);
+ sc25519_reduce(t_);
+ memcpy(comp, t_, crypto_core_ed25519_SCALARBYTES);
+}
+
+void
+crypto_core_ed25519_scalar_add(unsigned char *z, const unsigned char *x,
+ const unsigned char *y)
+{
+ unsigned char x_[crypto_core_ed25519_NONREDUCEDSCALARBYTES];
+ unsigned char y_[crypto_core_ed25519_NONREDUCEDSCALARBYTES];
+
+ memset(x_, 0, sizeof x_);
+ memset(y_, 0, sizeof y_);
+ memcpy(x_, x, crypto_core_ed25519_SCALARBYTES);
+ memcpy(y_, y, crypto_core_ed25519_SCALARBYTES);
+ sodium_add(x_, y_, crypto_core_ed25519_SCALARBYTES);
+ crypto_core_ed25519_scalar_reduce(z, x_);
+}
+
+void
+crypto_core_ed25519_scalar_sub(unsigned char *z, const unsigned char *x,
+ const unsigned char *y)
+{
+ unsigned char yn[crypto_core_ed25519_SCALARBYTES];
+
+ crypto_core_ed25519_scalar_negate(yn, y);
+ crypto_core_ed25519_scalar_add(z, x, yn);
+}
+
+void
+crypto_core_ed25519_scalar_reduce(unsigned char *r,
+ const unsigned char *s)
+{
+ unsigned char t[crypto_core_ed25519_NONREDUCEDSCALARBYTES];
+
+ memcpy(t, s, sizeof t);
+ sc25519_reduce(t);
+ memcpy(r, t, crypto_core_ed25519_SCALARBYTES);
+ sodium_memzero(t, sizeof t);
+}
+
size_t
crypto_core_ed25519_bytes(void)
{
return crypto_core_ed25519_BYTES;
}
+size_t
+crypto_core_ed25519_nonreducedscalarbytes(void)
+{
+ return crypto_core_ed25519_NONREDUCEDSCALARBYTES;
+}
+
size_t
crypto_core_ed25519_uniformbytes(void)
{
return crypto_core_ed25519_UNIFORMBYTES;
}
+
+size_t
+crypto_core_ed25519_scalarbytes(void)
+{
+ return crypto_core_ed25519_SCALARBYTES;
+}
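Review bot: `crypto_core_ed25519_scalar_negate`, `_complement`, `_add` and `_sub` leave copies of their scalar inputs in the stack buffers `t_`, `s_`, `x_`, `y_` and `yn`, while `crypto_core_ed25519_scalar_reduce` in the same hunk wipes its temporary with `sodium_memzero(t, sizeof t)`. Callers may pass secret scalars to these functions, so each one should end with the matching wipe, e.g. `sodium_memzero(t_, sizeof t_);` and `sodium_memzero(s_, sizeof s_);` after the final `memcpy`. Separately, `scalar_add` calls `sodium_add(x_, y_, crypto_core_ed25519_SCALARBYTES)`, so a carry out of byte 31 is dropped even though `x_` is 64 bytes wide. If non-reduced 32-byte inputs are meant to be accepted, `sodium_add(x_, y_, sizeof x_);` keeps that carry for the reduction that follows; otherwise the requirement that inputs be reduced deserves a comment.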
diff --git a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
index f7b82806..fb0d15fd 100644
--- a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
+++ b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
@@ -1055,6 +1055,478 @@ ge25519_has_small_order(const unsigned char s[32])
return (int) ((k >> 8) & 1);
}
+/*
+ Input:
+ a[0]+256*a[1]+...+256^31*a[31] = a
+ b[0]+256*b[1]+...+256^31*b[31] = b
+ *
+ Output:
+ s[0]+256*s[1]+...+256^31*s[31] = (ab) mod l
+ where l = 2^252 + 27742317777372353535851937790883648493.
+ */
+
+static void
+sc25519_mul(unsigned char s[32], const unsigned char a[32], const unsigned char b[32])
+{
+ int64_t a0 = 2097151 & load_3(a);
+ int64_t a1 = 2097151 & (load_4(a + 2) >> 5);
+ int64_t a2 = 2097151 & (load_3(a + 5) >> 2);
+ int64_t a3 = 2097151 & (load_4(a + 7) >> 7);
+ int64_t a4 = 2097151 & (load_4(a + 10) >> 4);
+ int64_t a5 = 2097151 & (load_3(a + 13) >> 1);
+ int64_t a6 = 2097151 & (load_4(a + 15) >> 6);
+ int64_t a7 = 2097151 & (load_3(a + 18) >> 3);
+ int64_t a8 = 2097151 & load_3(a + 21);
+ int64_t a9 = 2097151 & (load_4(a + 23) >> 5);
+ int64_t a10 = 2097151 & (load_3(a + 26) >> 2);
+ int64_t a11 = (load_4(a + 28) >> 7);
+
+ int64_t b0 = 2097151 & load_3(b);
+ int64_t b1 = 2097151 & (load_4(b + 2) >> 5);
+ int64_t b2 = 2097151 & (load_3(b + 5) >> 2);
+ int64_t b3 = 2097151 & (load_4(b + 7) >> 7);
+ int64_t b4 = 2097151 & (load_4(b + 10) >> 4);
+ int64_t b5 = 2097151 & (load_3(b + 13) >> 1);
+ int64_t b6 = 2097151 & (load_4(b + 15) >> 6);
+ int64_t b7 = 2097151 & (load_3(b + 18) >> 3);
+ int64_t b8 = 2097151 & load_3(b + 21);
+ int64_t b9 = 2097151 & (load_4(b + 23) >> 5);
+ int64_t b10 = 2097151 & (load_3(b + 26) >> 2);
+ int64_t b11 = (load_4(b + 28) >> 7);
+
+ int64_t s0;
+ int64_t s1;
+ int64_t s2;
+ int64_t s3;
+ int64_t s4;
+ int64_t s5;
+ int64_t s6;
+ int64_t s7;
+ int64_t s8;
+ int64_t s9;
+ int64_t s10;
+ int64_t s11;
+ int64_t s12;
+ int64_t s13;
+ int64_t s14;
+ int64_t s15;
+ int64_t s16;
+ int64_t s17;
+ int64_t s18;
+ int64_t s19;
+ int64_t s20;
+ int64_t s21;
+ int64_t s22;
+ int64_t s23;
+
+ int64_t carry0;
+ int64_t carry1;
+ int64_t carry2;
+ int64_t carry3;
+ int64_t carry4;
+ int64_t carry5;
+ int64_t carry6;
+ int64_t carry7;
+ int64_t carry8;
+ int64_t carry9;
+ int64_t carry10;
+ int64_t carry11;
+ int64_t carry12;
+ int64_t carry13;
+ int64_t carry14;
+ int64_t carry15;
+ int64_t carry16;
+ int64_t carry17;
+ int64_t carry18;
+ int64_t carry19;
+ int64_t carry20;
+ int64_t carry21;
+ int64_t carry22;
+
+ s0 = a0 * b0;
+ s1 = a0 * b1 + a1 * b0;
+ s2 = a0 * b2 + a1 * b1 + a2 * b0;
+ s3 = a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
+ s4 = a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
+ s5 = a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
+ s6 = a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
+ s7 = a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 +
+ a6 * b1 + a7 * b0;
+ s8 = a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 +
+ a6 * b2 + a7 * b1 + a8 * b0;
+ s9 = a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 +
+ a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
+ s10 = a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 +
+ a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;
+ s11 = a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 +
+ a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;
+ s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 +
+ a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
+ s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 +
+ a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
+ s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 +
+ a9 * b5 + a10 * b4 + a11 * b3;
+ s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 +
+ a10 * b5 + a11 * b4;
+ s16 =
+ a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
+ s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
+ s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
+ s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
+ s20 = a9 * b11 + a10 * b10 + a11 * b9;
+ s21 = a10 * b11 + a11 * b10;
+ s22 = a11 * b11;
+ s23 = 0;
+
+ carry0 = (s0 + (int64_t) (1L << 20)) >> 21;
+ s1 += carry0;
+ s0 -= carry0 * ((uint64_t) 1L << 21);
+ carry2 = (s2 + (int64_t) (1L << 20)) >> 21;
+ s3 += carry2;
+ s2 -= carry2 * ((uint64_t) 1L << 21);
+ carry4 = (s4 + (int64_t) (1L << 20)) >> 21;
+ s5 += carry4;
+ s4 -= carry4 * ((uint64_t) 1L << 21);
+ carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
+ s7 += carry6;
+ s6 -= carry6 * ((uint64_t) 1L << 21);
+ carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
+ s9 += carry8;
+ s8 -= carry8 * ((uint64_t) 1L << 21);
+ carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
+ s11 += carry10;
+ s10 -= carry10 * ((uint64_t) 1L << 21);
+ carry12 = (s12 + (int64_t) (1L << 20)) >> 21;
+ s13 += carry12;
+ s12 -= carry12 * ((uint64_t) 1L << 21);
+ carry14 = (s14 + (int64_t) (1L << 20)) >> 21;
+ s15 += carry14;
+ s14 -= carry14 * ((uint64_t) 1L << 21);
+ carry16 = (s16 + (int64_t) (1L << 20)) >> 21;
+ s17 += carry16;
+ s16 -= carry16 * ((uint64_t) 1L << 21);
+ carry18 = (s18 + (int64_t) (1L << 20)) >> 21;
+ s19 += carry18;
+ s18 -= carry18 * ((uint64_t) 1L << 21);
+ carry20 = (s20 + (int64_t) (1L << 20)) >> 21;
+ s21 += carry20;
+ s20 -= carry20 * ((uint64_t) 1L << 21);
+ carry22 = (s22 + (int64_t) (1L << 20)) >> 21;
+ s23 += carry22;
+ s22 -= carry22 * ((uint64_t) 1L << 21);
+
+ carry1 = (s1 + (int64_t) (1L << 20)) >> 21;
+ s2 += carry1;
+ s1 -= carry1 * ((uint64_t) 1L << 21);
+ carry3 = (s3 + (int64_t) (1L << 20)) >> 21;
+ s4 += carry3;
+ s3 -= carry3 * ((uint64_t) 1L << 21);
+ carry5 = (s5 + (int64_t) (1L << 20)) >> 21;
+ s6 += carry5;
+ s5 -= carry5 * ((uint64_t) 1L << 21);
+ carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
+ s8 += carry7;
+ s7 -= carry7 * ((uint64_t) 1L << 21);
+ carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
+ s10 += carry9;
+ s9 -= carry9 * ((uint64_t) 1L << 21);
+ carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
+ s12 += carry11;
+ s11 -= carry11 * ((uint64_t) 1L << 21);
+ carry13 = (s13 + (int64_t) (1L << 20)) >> 21;
+ s14 += carry13;
+ s13 -= carry13 * ((uint64_t) 1L << 21);
+ carry15 = (s15 + (int64_t) (1L << 20)) >> 21;
+ s16 += carry15;
+ s15 -= carry15 * ((uint64_t) 1L << 21);
+ carry17 = (s17 + (int64_t) (1L << 20)) >> 21;
+ s18 += carry17;
+ s17 -= carry17 * ((uint64_t) 1L << 21);
+ carry19 = (s19 + (int64_t) (1L << 20)) >> 21;
+ s20 += carry19;
+ s19 -= carry19 * ((uint64_t) 1L << 21);
+ carry21 = (s21 + (int64_t) (1L << 20)) >> 21;
+ s22 += carry21;
+ s21 -= carry21 * ((uint64_t) 1L << 21);
+
+ s11 += s23 * 666643;
+ s12 += s23 * 470296;
+ s13 += s23 * 654183;
+ s14 -= s23 * 997805;
+ s15 += s23 * 136657;
+ s16 -= s23 * 683901;
+
+ s10 += s22 * 666643;
+ s11 += s22 * 470296;
+ s12 += s22 * 654183;
+ s13 -= s22 * 997805;
+ s14 += s22 * 136657;
+ s15 -= s22 * 683901;
+
+ s9 += s21 * 666643;
+ s10 += s21 * 470296;
+ s11 += s21 * 654183;
+ s12 -= s21 * 997805;
+ s13 += s21 * 136657;
+ s14 -= s21 * 683901;
+
+ s8 += s20 * 666643;
+ s9 += s20 * 470296;
+ s10 += s20 * 654183;
+ s11 -= s20 * 997805;
+ s12 += s20 * 136657;
+ s13 -= s20 * 683901;
+
+ s7 += s19 * 666643;
+ s8 += s19 * 470296;
+ s9 += s19 * 654183;
+ s10 -= s19 * 997805;
+ s11 += s19 * 136657;
+ s12 -= s19 * 683901;
+
+ s6 += s18 * 666643;
+ s7 += s18 * 470296;
+ s8 += s18 * 654183;
+ s9 -= s18 * 997805;
+ s10 += s18 * 136657;
+ s11 -= s18 * 683901;
+
+ carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
+ s7 += carry6;
+ s6 -= carry6 * ((uint64_t) 1L << 21);
+ carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
+ s9 += carry8;
+ s8 -= carry8 * ((uint64_t) 1L << 21);
+ carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
+ s11 += carry10;
+ s10 -= carry10 * ((uint64_t) 1L << 21);
+ carry12 = (s12 + (int64_t) (1L << 20)) >> 21;
+ s13 += carry12;
+ s12 -= carry12 * ((uint64_t) 1L << 21);
+ carry14 = (s14 + (int64_t) (1L << 20)) >> 21;
+ s15 += carry14;
+ s14 -= carry14 * ((uint64_t) 1L << 21);
+ carry16 = (s16 + (int64_t) (1L << 20)) >> 21;
+ s17 += carry16;
+ s16 -= carry16 * ((uint64_t) 1L << 21);
+
+ carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
+ s8 += carry7;
+ s7 -= carry7 * ((uint64_t) 1L << 21);
+ carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
+ s10 += carry9;
+ s9 -= carry9 * ((uint64_t) 1L << 21);
+ carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
+ s12 += carry11;
+ s11 -= carry11 * ((uint64_t) 1L << 21);
+ carry13 = (s13 + (int64_t) (1L << 20)) >> 21;
+ s14 += carry13;
+ s13 -= carry13 * ((uint64_t) 1L << 21);
+ carry15 = (s15 + (int64_t) (1L << 20)) >> 21;
+ s16 += carry15;
+ s15 -= carry15 * ((uint64_t) 1L << 21);
+
+ s5 += s17 * 666643;
+ s6 += s17 * 470296;
+ s7 += s17 * 654183;
+ s8 -= s17 * 997805;
+ s9 += s17 * 136657;
+ s10 -= s17 * 683901;
+
+ s4 += s16 * 666643;
+ s5 += s16 * 470296;
+ s6 += s16 * 654183;
+ s7 -= s16 * 997805;
+ s8 += s16 * 136657;
+ s9 -= s16 * 683901;
+
+ s3 += s15 * 666643;
+ s4 += s15 * 470296;
+ s5 += s15 * 654183;
+ s6 -= s15 * 997805;
+ s7 += s15 * 136657;
+ s8 -= s15 * 683901;
+
+ s2 += s14 * 666643;
+ s3 += s14 * 470296;
+ s4 += s14 * 654183;
+ s5 -= s14 * 997805;
+ s6 += s14 * 136657;
+ s7 -= s14 * 683901;
+
+ s1 += s13 * 666643;
+ s2 += s13 * 470296;
+ s3 += s13 * 654183;
+ s4 -= s13 * 997805;
+ s5 += s13 * 136657;
+ s6 -= s13 * 683901;
+
+ s0 += s12 * 666643;
+ s1 += s12 * 470296;
+ s2 += s12 * 654183;
+ s3 -= s12 * 997805;
+ s4 += s12 * 136657;
+ s5 -= s12 * 683901;
+ s12 = 0;
+
+ carry0 = (s0 + (int64_t) (1L << 20)) >> 21;
+ s1 += carry0;
+ s0 -= carry0 * ((uint64_t) 1L << 21);
+ carry2 = (s2 + (int64_t) (1L << 20)) >> 21;
+ s3 += carry2;
+ s2 -= carry2 * ((uint64_t) 1L << 21);
+ carry4 = (s4 + (int64_t) (1L << 20)) >> 21;
+ s5 += carry4;
+ s4 -= carry4 * ((uint64_t) 1L << 21);
+ carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
+ s7 += carry6;
+ s6 -= carry6 * ((uint64_t) 1L << 21);
+ carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
+ s9 += carry8;
+ s8 -= carry8 * ((uint64_t) 1L << 21);
+ carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
+ s11 += carry10;
+ s10 -= carry10 * ((uint64_t) 1L << 21);
+
+ carry1 = (s1 + (int64_t) (1L << 20)) >> 21;
+ s2 += carry1;
+ s1 -= carry1 * ((uint64_t) 1L << 21);
+ carry3 = (s3 + (int64_t) (1L << 20)) >> 21;
+ s4 += carry3;
+ s3 -= carry3 * ((uint64_t) 1L << 21);
+ carry5 = (s5 + (int64_t) (1L << 20)) >> 21;
+ s6 += carry5;
+ s5 -= carry5 * ((uint64_t) 1L << 21);
+ carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
+ s8 += carry7;
+ s7 -= carry7 * ((uint64_t) 1L << 21);
+ carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
+ s10 += carry9;
+ s9 -= carry9 * ((uint64_t) 1L << 21);
+ carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
+ s12 += carry11;
+ s11 -= carry11 * ((uint64_t) 1L << 21);
+
+ s0 += s12 * 666643;
+ s1 += s12 * 470296;
+ s2 += s12 * 654183;
+ s3 -= s12 * 997805;
+ s4 += s12 * 136657;
+ s5 -= s12 * 683901;
+ s12 = 0;
+
+ carry0 = s0 >> 21;
+ s1 += carry0;
+ s0 -= carry0 * ((uint64_t) 1L << 21);
+ carry1 = s1 >> 21;
+ s2 += carry1;
+ s1 -= carry1 * ((uint64_t) 1L << 21);
+ carry2 = s2 >> 21;
+ s3 += carry2;
+ s2 -= carry2 * ((uint64_t) 1L << 21);
+ carry3 = s3 >> 21;
+ s4 += carry3;
+ s3 -= carry3 * ((uint64_t) 1L << 21);
+ carry4 = s4 >> 21;
+ s5 += carry4;
+ s4 -= carry4 * ((uint64_t) 1L << 21);
+ carry5 = s5 >> 21;
+ s6 += carry5;
+ s5 -= carry5 * ((uint64_t) 1L << 21);
+ carry6 = s6 >> 21;
+ s7 += carry6;
+ s6 -= carry6 * ((uint64_t) 1L << 21);
+ carry7 = s7 >> 21;
+ s8 += carry7;
+ s7 -= carry7 * ((uint64_t) 1L << 21);
+ carry8 = s8 >> 21;
+ s9 += carry8;
+ s8 -= carry8 * ((uint64_t) 1L << 21);
+ carry9 = s9 >> 21;
+ s10 += carry9;
+ s9 -= carry9 * ((uint64_t) 1L << 21);
+ carry10 = s10 >> 21;
+ s11 += carry10;
+ s10 -= carry10 * ((uint64_t) 1L << 21);
+ carry11 = s11 >> 21;
+ s12 += carry11;
+ s11 -= carry11 * ((uint64_t) 1L << 21);
+
+ s0 += s12 * 666643;
+ s1 += s12 * 470296;
+ s2 += s12 * 654183;
+ s3 -= s12 * 997805;
+ s4 += s12 * 136657;
+ s5 -= s12 * 683901;
+
+ carry0 = s0 >> 21;
+ s1 += carry0;
+ s0 -= carry0 * ((uint64_t) 1L << 21);
+ carry1 = s1 >> 21;
+ s2 += carry1;
+ s1 -= carry1 * ((uint64_t) 1L << 21);
+ carry2 = s2 >> 21;
+ s3 += carry2;
+ s2 -= carry2 * ((uint64_t) 1L << 21);
+ carry3 = s3 >> 21;
+ s4 += carry3;
+ s3 -= carry3 * ((uint64_t) 1L << 21);
+ carry4 = s4 >> 21;
+ s5 += carry4;
+ s4 -= carry4 * ((uint64_t) 1L << 21);
+ carry5 = s5 >> 21;
+ s6 += carry5;
+ s5 -= carry5 * ((uint64_t) 1L << 21);
+ carry6 = s6 >> 21;
+ s7 += carry6;
+ s6 -= carry6 * ((uint64_t) 1L << 21);
+ carry7 = s7 >> 21;
+ s8 += carry7;
+ s7 -= carry7 * ((uint64_t) 1L << 21);
+ carry8 = s8 >> 21;
+ s9 += carry8;
+ s8 -= carry8 * ((uint64_t) 1L << 21);
+ carry9 = s9 >> 21;
+ s10 += carry9;
+ s9 -= carry9 * ((uint64_t) 1L << 21);
+ carry10 = s10 >> 21;
+ s11 += carry10;
+ s10 -= carry10 * ((uint64_t) 1L << 21);
+
+ s[0] = s0 >> 0;
+ s[1] = s0 >> 8;
+ s[2] = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5));
+ s[3] = s1 >> 3;
+ s[4] = s1 >> 11;
+ s[5] = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2));
+ s[6] = s2 >> 6;
+ s[7] = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7));
+ s[8] = s3 >> 1;
+ s[9] = s3 >> 9;
+ s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4));
+ s[11] = s4 >> 4;
+ s[12] = s4 >> 12;
+ s[13] = (s4 >> 20) | (s5 * ((uint64_t) 1 << 1));
+ s[14] = s5 >> 7;
+ s[15] = (s5 >> 15) | (s6 * ((uint64_t) 1 << 6));
+ s[16] = s6 >> 2;
+ s[17] = s6 >> 10;
+ s[18] = (s6 >> 18) | (s7 * ((uint64_t) 1 << 3));
+ s[19] = s7 >> 5;
+ s[20] = s7 >> 13;
+ s[21] = s8 >> 0;
+ s[22] = s8 >> 8;
+ s[23] = (s8 >> 16) | (s9 * ((uint64_t) 1 << 5));
+ s[24] = s9 >> 3;
+ s[25] = s9 >> 11;
+ s[26] = (s9 >> 19) | (s10 * ((uint64_t) 1 << 2));
+ s[27] = s10 >> 6;
+ s[28] = (s10 >> 14) | (s11 * ((uint64_t) 1 << 7));
+ s[29] = s11 >> 1;
+ s[30] = s11 >> 9;
+ s[31] = s11 >> 17;
+}
+
/*
Input:
a[0]+256*a[1]+...+256^31*a[31] = a
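Review bot: The carry steps in `sc25519_mul`, e.g. `carry0 = (s0 + (int64_t) (1L << 20)) >> 21;`, right-shift `int64_t` limbs that can be negative after reductions such as `s14 -= s23 * 997805`, which C leaves implementation-defined, and the following `s0 -= carry0 * ((uint64_t) 1L << 21);` multiplies in unsigned arithmetic, presumably to avoid undefined behaviour on negative carries. Neither convention is explained in the new function. I would add a comment ahead of the first carry block, for example `/* limbs are signed: >> is assumed to be arithmetic, and the uint64_t factor avoids shifting or overflowing a negative value */`. The header comment could also say whether `a` and `b` must already be reduced mod l, since `a11` and `b11` are loaded without the 21-bit mask.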
@@ -1067,8 +1539,8 @@ ge25519_has_small_order(const unsigned char s[32])
*/
void
-sc25519_muladd(unsigned char *s, const unsigned char *a,
- const unsigned char *b, const unsigned char *c)
+sc25519_muladd(unsigned char s[32], const unsigned char a[32],
+ const unsigned char b[32], const unsigned char c[32])
{
int64_t a0 = 2097151 & load_3(a);
int64_t a1 = 2097151 & (load_4(a + 2) >> 5);
@@ -1543,6 +2015,88 @@ sc25519_muladd(unsigned char *s, const unsigned char *a,
s[31] = s11 >> 17;
}
+/*
+ Input:
+ a[0]+256*a[1]+...+256^31*a[31] = a
+ *
+ Output:
+ s[0]+256*s[1]+...+256^31*s[31] = a^2 mod l
+ where l = 2^252 + 27742317777372353535851937790883648493.
+ */
+
+static inline void
+sc25519_sq(unsigned char *s, const unsigned char *a)
+{
+ sc25519_mul(s, a, a);
+}
+
+/*
+ Input:
+ s[0]+256*a[1]+...+256^31*a[31] = a
+ n
+ *
+ Output:
+ s[0]+256*s[1]+...+256^31*s[31] = x * s^(s^n) mod l
+ where l = 2^252 + 27742317777372353535851937790883648493.
+ Overwrites s in place.
+ */
+
+static inline void
+sc25519_sqmul(unsigned char s[32], const int n, const unsigned char a[32])
+{
+ int i;
+
+ for (i = 0; i < n; i++) {
+ sc25519_sq(s, s);
+ }
+ sc25519_mul(s, s, a);
+}
+
+void
+sc25519_invert(unsigned char recip[32], const unsigned char s[32])
+{
+ unsigned char _10[32], _100[32], _11[32], _101[32], _111[32],
+ _1001[32], _1011[32], _1111[32];
+
+ sc25519_sq(_10, s);
+ sc25519_sq(_100, _10);
+ sc25519_mul(_11, _10, s);
+ sc25519_mul(_101, _10, _11);
+ sc25519_mul(_111, _10, _101);
+ sc25519_mul(_1001, _10, _111);
+ sc25519_mul(_1011, _10, _1001);
+ sc25519_mul(_1111, _100, _1011);
+ sc25519_mul(recip, _1111, s);
+
+ sc25519_sqmul(recip, 123 + 3, _101);
+ sc25519_sqmul(recip, 2 + 2, _11);
+ sc25519_sqmul(recip, 1 + 4, _1111);
+ sc25519_sqmul(recip, 1 + 4, _1111);
+ sc25519_sqmul(recip, 4, _1001);
+ sc25519_sqmul(recip, 2, _11);
+ sc25519_sqmul(recip, 1 + 4, _1111);
+ sc25519_sqmul(recip, 1 + 3, _101);
+ sc25519_sqmul(recip, 3 + 3, _101);
+ sc25519_sqmul(recip, 3, _111);
+ sc25519_sqmul(recip, 1 + 4, _1111);
+ sc25519_sqmul(recip, 2 + 3, _111);
+ sc25519_sqmul(recip, 2 + 2, _11);
+ sc25519_sqmul(recip, 1 + 4, _1011);
+ sc25519_sqmul(recip, 2 + 4, _1011);
+ sc25519_sqmul(recip, 6 + 4, _1001);
+ sc25519_sqmul(recip, 2 + 2, _11);
+ sc25519_sqmul(recip, 3 + 2, _11);
+ sc25519_sqmul(recip, 3 + 2, _11);
+ sc25519_sqmul(recip, 1 + 4, _1001);
+ sc25519_sqmul(recip, 1 + 3, _111);
+ sc25519_sqmul(recip, 2 + 4, _1111);
+ sc25519_sqmul(recip, 1 + 4, _1011);
+ sc25519_sqmul(recip, 3, _101);
+ sc25519_sqmul(recip, 2 + 4, _1111);
+ sc25519_sqmul(recip, 3, _101);
+ sc25519_sqmul(recip, 1 + 2, _11);
+}
+
/*
Input:
s[0]+256*s[1]+...+256^63*s[63] = s
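Review bot: The header comment added for `sc25519_sqmul` does not match the code: it gives the input as `s[0]+256*a[1]+... = a` and the output as `x * s^(s^n) mod l`, while the body squares `s` n times and then multiplies by `a`. The output line should read `s[0]+256*s[1]+...+256^31*s[31] = a * s^(2^n) mod l`, with `s`, `n` and `a` all listed as inputs. `sc25519_invert` has no comment at all; one sentence stating that it raises `s` to a fixed exponent through the hard-coded sequence of `sc25519_sqmul` calls (presumably l-2, to be confirmed) would help the next reader check the chain. Its temporaries `_10` through `_1111` hold powers of the input scalar and stay on the stack on return, so wiping them would be consistent with how `crypto_core_ed25519_scalar_reduce` treats its buffer, provided a zeroing helper is in scope in this file.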
@@ -1554,7 +2108,7 @@ sc25519_muladd(unsigned char *s, const unsigned char *a,
*/
void
-sc25519_reduce(unsigned char *s)
+sc25519_reduce(unsigned char s[64])
{
int64_t s0 = 2097151 & load_3(s);
int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
@@ -1878,7 +2432,7 @@ sc25519_reduce(unsigned char *s)
}
int
-sc25519_is_canonical(const unsigned char *s)
+sc25519_is_canonical(const unsigned char s[32])
{
/* 2^252+27742317777372353535851937790883648493 */
static const unsigned char L[32] = {
diff --git a/src/libsodium/crypto_generichash/blake2b/ref/blake2.h b/src/libsodium/crypto_generichash/blake2b/ref/blake2.h
index c6c4fccb..6ea2832e 100644
--- a/src/libsodium/crypto_generichash/blake2b/ref/blake2.h
+++ b/src/libsodium/crypto_generichash/blake2b/ref/blake2.h
@@ -65,7 +65,14 @@ typedef struct blake2b_param_ {
uint8_t personal[BLAKE2B_PERSONALBYTES]; /* 64 */
} blake2b_param;
-typedef crypto_generichash_blake2b_state blake2b_state;
+typedef struct blake2b_state {
+ uint64_t h[8];
+ uint64_t t[2];
+ uint64_t f[2];
+ uint8_t buf[2 * 128];
+ size_t buflen;
+ uint8_t last_node;
+} blake2b_state;
#if defined(__IBMC__) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
#pragma pack()
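Review bot: With `blake2b_state` now a separate struct instead of a typedef of `crypto_generichash_blake2b_state`, any place that casts the public state to `blake2b_state *` depends on the public type being at least as large and as strictly aligned, and nothing in this hunk enforces that. If it is not already asserted where the cast happens (outside this diff view), I would add `COMPILER_ASSERT(sizeof(blake2b_state) <= sizeof(crypto_generichash_blake2b_state));` next to it. A comment on the struct should also say that the field order matters, because `blake2b_init0` zeroes the range from `t` through `last_node` with a single `memset`.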
diff --git a/src/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-avx2.h b/src/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-avx2.h
index bc7e42d2..d08603a8 100644
--- a/src/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-avx2.h
+++ b/src/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-avx2.h
@@ -2,15 +2,20 @@
#ifndef blake2b_compress_avx2_H
#define blake2b_compress_avx2_H
-#define LOADU128(p) _mm_loadu_si128((__m128i *) (p))
+#define LOADU128(p) _mm_loadu_si128((const __m128i *) (p))
#define STOREU128(p, r) _mm_storeu_si128((__m128i *) (p), r)
-#define LOAD(p) _mm256_load_si256((__m256i *) (p))
-#define STORE(p, r) _mm256_store_si256((__m256i *) (p), r)
-
-#define LOADU(p) _mm256_loadu_si256((__m256i *) (p))
+#define LOADU(p) _mm256_loadu_si256((const __m256i *) (p))
#define STOREU(p, r) _mm256_storeu_si256((__m256i *) (p), r)
+#if defined(__INTEL_COMPILER) || defined(_MSC_VER) || defined(__GNUC__)
+# define LOAD(p) _mm256_load_si256((const __m256i *) (p))
+# define STORE(p, r) _mm256_store_si256((__m256i *) (p), r)
+#else
+# define LOAD(p) LOADU(p)
+# define STORE(p, r) STOREU(p, r)
+#endif
+
static inline uint64_t
LOADU64(const void *p)
{
diff --git a/src/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-ssse3.c b/src/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-ssse3.c
index a207a64d..5684bc88 100644
--- a/src/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-ssse3.c
+++ b/src/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-ssse3.c
@@ -39,22 +39,22 @@ blake2b_compress_ssse3(blake2b_state *S,
_mm_setr_epi8(2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9);
const __m128i r24 =
_mm_setr_epi8(3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10);
- const uint64_t m0 = ((uint64_t *) block)[0];
- const uint64_t m1 = ((uint64_t *) block)[1];
- const uint64_t m2 = ((uint64_t *) block)[2];
- const uint64_t m3 = ((uint64_t *) block)[3];
- const uint64_t m4 = ((uint64_t *) block)[4];
- const uint64_t m5 = ((uint64_t *) block)[5];
- const uint64_t m6 = ((uint64_t *) block)[6];
- const uint64_t m7 = ((uint64_t *) block)[7];
- const uint64_t m8 = ((uint64_t *) block)[8];
- const uint64_t m9 = ((uint64_t *) block)[9];
- const uint64_t m10 = ((uint64_t *) block)[10];
- const uint64_t m11 = ((uint64_t *) block)[11];
- const uint64_t m12 = ((uint64_t *) block)[12];
- const uint64_t m13 = ((uint64_t *) block)[13];
- const uint64_t m14 = ((uint64_t *) block)[14];
- const uint64_t m15 = ((uint64_t *) block)[15];
+ const uint64_t m0 = ((const uint64_t *) block)[0];
+ const uint64_t m1 = ((const uint64_t *) block)[1];
+ const uint64_t m2 = ((const uint64_t *) block)[2];
+ const uint64_t m3 = ((const uint64_t *) block)[3];
+ const uint64_t m4 = ((const uint64_t *) block)[4];
+ const uint64_t m5 = ((const uint64_t *) block)[5];
+ const uint64_t m6 = ((const uint64_t *) block)[6];
+ const uint64_t m7 = ((const uint64_t *) block)[7];
+ const uint64_t m8 = ((const uint64_t *) block)[8];
+ const uint64_t m9 = ((const uint64_t *) block)[9];
+ const uint64_t m10 = ((const uint64_t *) block)[10];
+ const uint64_t m11 = ((const uint64_t *) block)[11];
+ const uint64_t m12 = ((const uint64_t *) block)[12];
+ const uint64_t m13 = ((const uint64_t *) block)[13];
+ const uint64_t m14 = ((const uint64_t *) block)[14];
+ const uint64_t m15 = ((const uint64_t *) block)[15];
row1l = LOADU(&S->h[0]);
row1h = LOADU(&S->h[2]);
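Review bot: The loads `((const uint64_t *) block)[i]` gain a `const` here but still dereference `block` through a `uint64_t` pointer, which assumes 8-byte alignment and, if `block` is a byte pointer (its declaration is outside the hunk), breaks the strict-aliasing rule. A `memcpy`-based load such as `uint64_t m0; memcpy(&m0, block, sizeof m0);`, with the source offset advanced by 8 for each word, removes both assumptions and typically compiles to the same move on x86. blake2b-compress-avx2.h declares a `LOADU64(const void *p)` helper that could be shared for this, if its body is implemented that way. `blake2b_compress_ssse3` starts before and continues after this hunk.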
diff --git a/src/libsodium/crypto_generichash/blake2b/ref/blake2b-ref.c b/src/libsodium/crypto_generichash/blake2b/ref/blake2b-ref.c
index f5e07626..a1beacf3 100644
--- a/src/libsodium/crypto_generichash/blake2b/ref/blake2b-ref.c
+++ b/src/libsodium/crypto_generichash/blake2b/ref/blake2b-ref.c
@@ -97,7 +97,9 @@ blake2b_init0(blake2b_state *S)
for (i = 0; i < 8; i++) {
S->h[i] = blake2b_IV[i];
}
- memset(S->t, 0, offsetof(blake2b_state, last_node) + sizeof(S->last_node)
+ /* zero everything between .t and .last_node */
+ memset((void *) &S->t, 0,
+ offsetof(blake2b_state, last_node) + sizeof(S->last_node)
- offsetof(blake2b_state, t));
return 0;
}
@@ -183,7 +185,7 @@ blake2b_init_key(blake2b_state *S, const uint8_t outlen, const void *key,
sodium_misuse();
}
if (!key || !keylen || keylen > BLAKE2B_KEYBYTES) {
- sodium_misuse();
+ sodium_misuse(); /* does not return */
}
P->digest_length = outlen;
P->key_length = keylen;
@@ -203,7 +205,7 @@ blake2b_init_key(blake2b_state *S, const uint8_t outlen, const void *key,
{
uint8_t block[BLAKE2B_BLOCKBYTES];
memset(block, 0, BLAKE2B_BLOCKBYTES);
- memcpy(block, key, keylen); /* keylen cannot be 0 */
+ memcpy(block, key, keylen); /* key and keylen cannot be 0 */
blake2b_update(S, block, BLAKE2B_BLOCKBYTES);
sodium_memzero(block, BLAKE2B_BLOCKBYTES); /* Burn the key from stack */
}
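Review bot: The reworded comment on `memcpy(block, key, keylen);` records that `key` and `keylen` are non-zero, but not the upper bound that keeps the copy inside `block`. That bound comes from the `keylen > BLAKE2B_KEYBYTES` test in the preceding hunk, and it holds only because `sodium_misuse()` does not return, as the comment added there says. I would spell out the whole precondition: `/* key != NULL and 0 < keylen <= BLAKE2B_KEYBYTES, enforced by the sodium_misuse() check above */`. This assumes BLAKE2B_KEYBYTES does not exceed BLAKE2B_BLOCKBYTES, which is not visible in the hunk. The same comment appears in the matching hunk of blake2b_init_key_salt_personal.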
@@ -221,7 +223,7 @@ blake2b_init_key_salt_personal(blake2b_state *S, const uint8_t outlen,
sodium_misuse();
}
if (!key || !keylen || keylen > BLAKE2B_KEYBYTES) {
- sodium_misuse();
+ sodium_misuse(); /* does not return */
}
P->digest_length = outlen;
P->key_length = keylen;
@@ -249,7 +251,7 @@ blake2b_init_key_salt_personal(blake2b_state *S, const uint8_t outlen,
{
uint8_t block[BLAKE2B_BLOCKBYTES];
memset(block, 0, BLAKE2B_BLOCKBYTES);
- memcpy(block, key, keylen); /* keylen cannot be 0 */
+ memcpy(block, key, keylen); /* key and keylen cannot be 0 */
blake2b_update(S, block, BLAKE2B_BLOCKBYTES);
sodium_memzero(block, BLAKE2B_BLOCKBYTES); /* Burn the key from stack */
}
@@ -333,7 +335,7 @@ int
blake2b(uint8_t *out, const void *in, const void *key, const uint8_t outlen,
const uint64_t inlen, uint8_t keylen)
{
- blake2b_state S[1];
+ CRYPTO_ALIGN(64) blake2b_state S[1];
/* Verify parameters */
if (NULL == in && inlen > 0) {
@@ -371,7 +373,7 @@ blake2b_salt_personal(uint8_t *out, const void *in, const void *key,
const uint8_t outlen, const uint64_t inlen,
uint8_t keylen, const void *salt, const void *personal)
{
- blake2b_state S[1];
+ CRYPTO_ALIGN(64) blake2b_state S[1];
/* Verify parameters */
if (NULL == in && inlen > 0) {
diff --git a/src/libsodium/crypto_generichash/blake2b/ref/generichash_blake2b.c b/src/libsodium/crypto_generichash/blake2b/ref/generichash_blake2b.c
index 4bd08550..7a8598c7 100644
--- a/src/libsodium/crypto_generichash/blake2b/ref/generichash_blake2b.c
+++ b/src/libsodium/crypto_generichash/blake2b/ref/generichash_blake2b.c
@@ -5,6 +5,7 @@
#include "blake2.h"
#include "crypto_generichash_blake2b.h"
+#include "private/common.h"
#include "private/implementations.h"
int
@@ -52,11 +53,12 @@ crypto_generichash_blake2b_init(crypto_generichash_blake2b_state *state,
}
assert(outlen <= UINT8_MAX);
assert(keylen <= UINT8_MAX);
+ COMPILER_ASSERT(sizeof(blake2b_state) <= sizeof *state);
if (key == NULL || keylen <= 0U) {
- if (blake2b_init(state, (uint8_t) outlen) != 0) {
+ if (blake2b_init((blake2b_state *) (void *) state, (uint8_t) outlen) != 0) {
return -1; /* LCOV_EXCL_LINE */
}
- } else if (blake2b_init_key(state, (uint8_t) outlen, key,
+ } else if (blake2b_init_key((blake2b_state *) (void *) state, (uint8_t) outlen, key,
(uint8_t) keylen) != 0) {
return -1; /* LCOV_EXCL_LINE */
}
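Review bot: The new `(blake2b_state *) (void *) state` casts go through `void *`, which silences cast-alignment diagnostics, while the added `COMPILER_ASSERT(sizeof(blake2b_state) <= sizeof *state)` checks size only. The same commit declares `CRYPTO_ALIGN(64) blake2b_state S[1]` in blake2b() and blake2b_salt_personal(), so if the implementation depends on that alignment the public state type has to guarantee it as well; its declaration is not visible here. I would record the assumption next to the assert, `/* state must be at least as large and as aligned as blake2b_state */`. The cast is repeated in the init_salt_personal, update and final hunks, so a single static helper performing it would keep the assumption in one place.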
@@ -76,11 +78,12 @@ crypto_generichash_blake2b_init_salt_personal(
assert(outlen <= UINT8_MAX);
assert(keylen <= UINT8_MAX);
if (key == NULL || keylen <= 0U) {
- if (blake2b_init_salt_personal(state, (uint8_t) outlen, salt,
- personal) != 0) {
+ if (blake2b_init_salt_personal((blake2b_state *) (void *) state,
+ (uint8_t) outlen, salt, personal) != 0) {
return -1; /* LCOV_EXCL_LINE */
}
- } else if (blake2b_init_key_salt_personal(state, (uint8_t) outlen, key,
+ } else if (blake2b_init_key_salt_personal((blake2b_state *) (void *) state,
+ (uint8_t) outlen, key,
(uint8_t) keylen, salt,
personal) != 0) {
return -1; /* LCOV_EXCL_LINE */
@@ -93,7 +96,8 @@ crypto_generichash_blake2b_update(crypto_generichash_blake2b_state *state,
const unsigned char *in,
unsigned long long inlen)
{
- return blake2b_update(state, (const uint8_t *) in, (uint64_t) inlen);
+ return blake2b_update((blake2b_state *) (void *) state,
+ (const uint8_t *) in, (uint64_t) inlen);
}
int
@@ -101,7 +105,8 @@ crypto_generichash_blake2b_final(crypto_generichash_blake2b_state *state,
unsigned char *out, const size_t outlen)
{
assert(outlen <= UINT8_MAX);
- return blake2b_final(state, (uint8_t *) out, (uint8_t) outlen);
+ return blake2b_final((blake2b_state *) (void *) state,
+ (uint8_t *) out, (uint8_t) outlen);
}
int
diff --git a/src/libsodium/crypto_kx/crypto_kx.c b/src/libsodium/crypto_kx/crypto_kx.c
index 877ab7ff..9f0c3aef 100644
--- a/src/libsodium/crypto_kx/crypto_kx.c
+++ b/src/libsodium/crypto_kx/crypto_kx.c
@@ -63,8 +63,8 @@ crypto_kx_client_session_keys(unsigned char rx[crypto_kx_SESSIONKEYBYTES],
crypto_generichash_final(&h, keys, sizeof keys);
sodium_memzero(&h, sizeof h);
for (i = 0; i < crypto_kx_SESSIONKEYBYTES; i++) {
- rx[i] = keys[i];
- tx[i] = keys[i + crypto_kx_SESSIONKEYBYTES];
+ rx[i] = keys[i]; /* rx cannot be NULL */
+ tx[i] = keys[i + crypto_kx_SESSIONKEYBYTES]; /* tx cannot be NULL */
}
sodium_memzero(keys, sizeof keys);
diff --git a/src/libsodium/crypto_pwhash/argon2/argon2-core.c b/src/libsodium/crypto_pwhash/argon2/argon2-core.c
index 530778e4..bfe3fbbf 100644
--- a/src/libsodium/crypto_pwhash/argon2/argon2-core.c
+++ b/src/libsodium/crypto_pwhash/argon2/argon2-core.c
@@ -80,14 +80,11 @@ allocate_memory(block_region **region, uint32_t m_cost)
return ARGON2_MEMORY_ALLOCATION_ERROR; /* LCOV_EXCL_LINE */
}
memory_size = sizeof(block) * m_cost;
- if (m_cost == 0 ||
- memory_size / m_cost !=
- sizeof(block)) { /*1. Check for multiplication overflow*/
+ if (m_cost == 0 || memory_size / m_cost != sizeof(block)) {
return ARGON2_MEMORY_ALLOCATION_ERROR; /* LCOV_EXCL_LINE */
}
- *region = (block_region *) malloc(
- sizeof(block_region)); /*2. Try to allocate region*/
- if (!*region) {
+ *region = (block_region *) malloc(sizeof(block_region));
+ if (*region == NULL) {
return ARGON2_MEMORY_ALLOCATION_ERROR; /* LCOV_EXCL_LINE */
}
(*region)->base = (*region)->memory = NULL;
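Review bot: The guard `memory_size / m_cost != sizeof(block)` lost its explanatory comment when it was joined onto one line, and it is the check that stops a wrapped `sizeof(block) * m_cost` from being used as an allocation size. I would keep a one-line comment above it, `/* reject m_cost == 0 and a wrapped sizeof(block) * m_cost */`. The division test is only sound if `memory_size` has an unsigned type; its declaration is outside the hunk, so that is worth confirming. allocate_memory continues past the end of this hunk.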
@@ -116,6 +113,8 @@ allocate_memory(block_region **region, uint32_t m_cost)
}
#endif
if (base == NULL) {
+ free(*region);
+ *region = NULL;
return ARGON2_MEMORY_ALLOCATION_ERROR; /* LCOV_EXCL_LINE */
}
(*region)->base = base;
diff --git a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c
index e15e12b2..c4dd46a2 100644
--- a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c
+++ b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c
@@ -158,11 +158,11 @@ escrypt_r(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen,
prefixlen = src - setting;
salt = src;
- src = (uint8_t *) strrchr((char *) salt, '$');
+ src = (const uint8_t *) strrchr((const char *) salt, '$');
if (src) {
saltlen = src - salt;
} else {
- saltlen = strlen((char *) salt);
+ saltlen = strlen((const char *) salt);
}
need = prefixlen + saltlen + 1 +
crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES_ENCODED + 1;
diff --git a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c
index 40288590..b1c1bd84 100644
--- a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c
+++ b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c
@@ -181,20 +181,23 @@ blockmix_salsa8(const uint32_t *Bin, uint32_t *Bout, uint32_t *X, size_t r)
/* 1: X <-- B_{2r - 1} */
blkcpy_64((escrypt_block_t *) X,
- (escrypt_block_t *) &Bin[(2 * r - 1) * 16]);
+ (const escrypt_block_t *) &Bin[(2 * r - 1) * 16]);
/* 2: for i = 0 to 2r - 1 do */
for (i = 0; i < 2 * r; i += 2) {
/* 3: X <-- H(X \xor B_i) */
- blkxor_64((escrypt_block_t *) X, (escrypt_block_t *) &Bin[i * 16]);
+ blkxor_64((escrypt_block_t *) X,
+ (const escrypt_block_t *) &Bin[i * 16]);
salsa20_8(X);
/* 4: Y_i <-- X */
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
- blkcpy_64((escrypt_block_t *) &Bout[i * 8], (escrypt_block_t *) X);
+ blkcpy_64((escrypt_block_t *) &Bout[i * 8],
+ (const escrypt_block_t *) X);
/* 3: X <-- H(X \xor B_i) */
- blkxor_64((escrypt_block_t *) X, (escrypt_block_t *) &Bin[i * 16 + 16]);
+ blkxor_64((escrypt_block_t *) X,
+ (const escrypt_block_t *) &Bin[i * 16 + 16]);
salsa20_8(X);
/* 4: Y_i <-- X */
diff --git a/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c b/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c
index 7b93a724..4272ae24 100644
--- a/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c
+++ b/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c
@@ -18,29 +18,50 @@ has_small_order(const unsigned char s[32])
{
CRYPTO_ALIGN(16)
static const unsigned char blacklist[][32] = {
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
- { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
- { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 },
- { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 },
- { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
- { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
- { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
- { 0xcd, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x80 },
- { 0x4c, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7 },
- { 0xd9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
- { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
- { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }
+ /* 0 (order 4) */
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ /* 1 (order 1) */
+ { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ /* 325606250916557431795983626356110631294008115727848805560023387167927233504
+ (order 8) */
+ { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3,
+ 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32,
+ 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 },
+ /* 39382357235489614581723060781553021112529911719440698176882885853963445705823
+ (order 8) */
+ { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1,
+ 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c,
+ 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 },
+ /* p-1 (order 2) */
+ { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
+ /* p (=0, order 4) */
+ { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
+ /* p+1 (=1, order 1) */
+ { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }
};
- unsigned char c[12] = { 0 };
+ unsigned char c[7] = { 0 };
unsigned int k;
size_t i, j;
- COMPILER_ASSERT(12 == sizeof blacklist / sizeof blacklist[0]);
- for (j = 0; j < 32; j++) {
+ COMPILER_ASSERT(7 == sizeof blacklist / sizeof blacklist[0]);
+ for (j = 0; j < 31; j++) {
for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
c[i] |= s[j] ^ blacklist[i][j];
}
}
+ for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
+ c[i] |= (s[j] & 0x7f) ^ blacklist[i][j];
+ }
k = 0;
for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
k |= (c[i] - 1);
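Review bot: The added loop `c[i] |= (s[j] & 0x7f) ^ blacklist[i][j];` only works because `j` is still 31 after `for (j = 0; j < 31; j++)` exits, and nothing in the code says so. Writing the index out, `c[i] |= (s[31] & 0x7f) ^ blacklist[i][31];`, or adding `/* j == 31: last byte is compared with its top bit cleared */`, would stop a later change to the loop bound from silently changing which byte is masked. The table also shrinks from 12 to 7 entries without explanation; presumably the top bit is now masked because the scalar multiplication ignores it, and a sentence above `blacklist` should say so. Any rewrite should keep the branch-free OR-accumulation into `c[]`, since the comparison is written to avoid data-dependent branches. The function continues after the hunk.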
diff --git a/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c b/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c
index 0e317cf7..800ff00e 100644
--- a/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c
+++ b/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c
@@ -28,9 +28,9 @@ _crypto_scalarmult_ed25519_clamp(unsigned char k[32])
k[31] |= 64;
}
-int
-crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
- const unsigned char *p)
+static int
+_crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
+ const unsigned char *p, const int clamp)
{
unsigned char *t = q;
ge25519_p3 Q;
@@ -44,7 +44,9 @@ crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
for (i = 0; i < 32; ++i) {
t[i] = n[i];
}
- _crypto_scalarmult_ed25519_clamp(t);
+ if (clamp != 0) {
+ _crypto_scalarmult_ed25519_clamp(t);
+ }
ge25519_scalarmult(&Q, t, &P);
ge25519_p3_tobytes(q, &Q);
if (_crypto_scalarmult_ed25519_is_inf(q) != 0 || sodium_is_zero(n, 32)) {
@@ -53,24 +55,54 @@ crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
return 0;
}
+int
+crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
+ const unsigned char *p)
+{
+ return _crypto_scalarmult_ed25519(q, n, p, 1);
+}
+
+int
+crypto_scalarmult_ed25519_noclamp(unsigned char *q, const unsigned char *n,
+ const unsigned char *p)
+{
+ return _crypto_scalarmult_ed25519(q, n, p, 0);
+}
+
+static int
+_crypto_scalarmult_ed25519_base(unsigned char *q,
+ const unsigned char *n, const int clamp)
+{
+ unsigned char *t = q;
+ ge25519_p3 Q;
+ unsigned int i;
+
+ for (i = 0; i < 32; ++i) {
+ t[i] = n[i];
+ }
+ if (clamp != 0) {
+ _crypto_scalarmult_ed25519_clamp(t);
+ }
+ ge25519_scalarmult_base(&Q, t);
+ ge25519_p3_tobytes(q, &Q);
+ if (_crypto_scalarmult_ed25519_is_inf(q) != 0 || sodium_is_zero(n, 32)) {
+ return -1;
+ }
+ return 0;
+}
+
int
crypto_scalarmult_ed25519_base(unsigned char *q,
const unsigned char *n)
{
- unsigned char *t = q;
- ge25519_p3 Q;
- unsigned int i;
+ return _crypto_scalarmult_ed25519_base(q, n, 1);
+}
- for (i = 0; i < 32; ++i) {
- t[i] = n[i];
- }
- _crypto_scalarmult_ed25519_clamp(t);
- ge25519_scalarmult_base(&Q, t);
- ge25519_p3_tobytes(q, &Q);
- if (sodium_is_zero(n, 32) != 0) {
- return -1;
- }
- return 0;
+int
+crypto_scalarmult_ed25519_base_noclamp(unsigned char *q,
+ const unsigned char *n)
+{
+ return _crypto_scalarmult_ed25519_base(q, n, 0);
}
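Review bot: The new public functions `crypto_scalarmult_ed25519_noclamp` and `crypto_scalarmult_ed25519_base_noclamp` have no comment stating what skipping `_crypto_scalarmult_ed25519_clamp` means for callers. With `clamp == 0` the 32 bytes of `n` are copied into `t` and used as supplied, so a comment such as `/* n is used as-is (no clamping): the caller must supply a valid scalar */` above each would make the contract explicit. Separately, `_crypto_scalarmult_ed25519_base` now also returns -1 when `_crypto_scalarmult_ed25519_is_inf(q) != 0`, whereas the removed body of `crypto_scalarmult_ed25519_base` failed only on `sodium_is_zero(n, 32)`. That change affects the existing clamped function too and deserves a line in its documentation. The helper that takes `p` begins in an earlier hunk.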
size_t
diff --git a/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c b/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c
index ef000d16..2754a91c 100644
--- a/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c
+++ b/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c
@@ -123,6 +123,8 @@ crypto_secretstream_xchacha20poly1305_push
if (outlen_p != NULL) {
*outlen_p = 0U;
}
+ COMPILER_ASSERT(crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX
+ <= crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX);
if (mlen > crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX) {
sodium_misuse();
}
diff --git a/src/libsodium/crypto_sign/crypto_sign.c b/src/libsodium/crypto_sign/crypto_sign.c
index 127072f7..d723ff8c 100644
--- a/src/libsodium/crypto_sign/crypto_sign.c
+++ b/src/libsodium/crypto_sign/crypto_sign.c
@@ -108,7 +108,7 @@ crypto_sign_final_create(crypto_sign_state *state, unsigned char *sig,
}
int
-crypto_sign_final_verify(crypto_sign_state *state, unsigned char *sig,
+crypto_sign_final_verify(crypto_sign_state *state, const unsigned char *sig,
const unsigned char *pk)
{
return crypto_sign_ed25519ph_final_verify(state, sig, pk);
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
index 8bf3cec8..e8e40150 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
@@ -15,11 +15,7 @@ crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
{
ge25519_p3 A;
-#ifdef ED25519_NONDETERMINISTIC
- memmove(sk, seed, 32);
-#else
crypto_hash_sha512(sk, seed, 32);
-#endif
sk[0] &= 248;
sk[31] &= 127;
sk[31] |= 64;
@@ -61,9 +57,9 @@ crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
}
fe25519_1(one_minus_y);
fe25519_sub(one_minus_y, one_minus_y, A.Y);
- fe25519_invert(one_minus_y, one_minus_y);
fe25519_1(x);
fe25519_add(x, x, A.Y);
+ fe25519_invert(one_minus_y, one_minus_y);
fe25519_mul(x, x, one_minus_y);
fe25519_tobytes(curve25519_pk, x);
@@ -76,11 +72,7 @@ crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
{
unsigned char h[crypto_hash_sha512_BYTES];
-#ifdef ED25519_NONDETERMINISTIC
- memcpy(h, ed25519_sk, 32);
-#else
crypto_hash_sha512(h, ed25519_sk, 32);
-#endif
h[0] &= 248;
h[31] &= 127;
h[31] |= 64;
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/open.c b/src/libsodium/crypto_sign/ed25519/ref10/open.c
index ba833a61..26476b32 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/open.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/open.c
@@ -23,21 +23,21 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
ge25519_p3 A;
ge25519_p2 R;
-#ifndef ED25519_COMPAT
+#ifdef ED25519_COMPAT
+ if (sig[63] & 224) {
+ return -1;
+ }
+#else
if (sc25519_is_canonical(sig + 32) == 0 ||
ge25519_has_small_order(sig) != 0) {
return -1;
}
- if (ge25519_is_canonical(pk) == 0) {
- return -1;
- }
-#else
- if (sig[63] & 224) {
+ if (ge25519_is_canonical(pk) == 0 ||
+ ge25519_has_small_order(pk) != 0) {
return -1;
}
#endif
- if (ge25519_has_small_order(pk) != 0 ||
- ge25519_frombytes_negate_vartime(&A, pk) != 0) {
+ if (ge25519_frombytes_negate_vartime(&A, pk) != 0) {
return -1;
}
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
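Review bot: With `ED25519_COMPAT` defined, the new layout no longer calls `ge25519_has_small_order(pk)`. The check moved from the unconditional `if` before `ge25519_frombytes_negate_vartime(&A, pk)` into the `#else` branch, so a compat build now tests only `sig[63] & 224` before decoding the key. If that relaxation is intended, say so at the `#ifdef`, for example `/* compat mode: only the top 3 bits of S are checked; small-order R and pk are not rejected */`. If it is not intended, keep `ge25519_has_small_order(pk) != 0 ||` in the shared condition. A test built with `ED25519_COMPAT` that verifies against a small-order public key would pin whichever behaviour is chosen; the function starts and ends outside the hunk.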
diff --git a/src/libsodium/crypto_sign/ed25519/sign_ed25519.c b/src/libsodium/crypto_sign/ed25519/sign_ed25519.c
index 8a69513e..9b902497 100644
--- a/src/libsodium/crypto_sign/ed25519/sign_ed25519.c
+++ b/src/libsodium/crypto_sign/ed25519/sign_ed25519.c
@@ -86,7 +86,7 @@ crypto_sign_ed25519ph_final_create(crypto_sign_ed25519ph_state *state,
int
crypto_sign_ed25519ph_final_verify(crypto_sign_ed25519ph_state *state,
- unsigned char *sig,
+ const unsigned char *sig,
const unsigned char *pk)
{
unsigned char ph[crypto_hash_sha512_BYTES];
diff --git a/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c b/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c
index 6149af39..f63e0552 100644
--- a/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c
+++ b/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c
@@ -77,9 +77,6 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c,
if (!bytes) {
return; /* LCOV_EXCL_LINE */
}
- if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
- sodium_misuse();
- }
# include "u8.h"
# include "u4.h"
# include "u1.h"
@@ -106,8 +103,8 @@ stream_ref(unsigned char *c, unsigned long long clen, const unsigned char *n,
}
static int
-stream_ietf_ref(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k)
+stream_ietf_ext_ref(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
{
struct chacha_ctx ctx;
@@ -150,9 +147,9 @@ stream_ref_xor_ic(unsigned char *c, const unsigned char *m,
}
static int
-stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m,
- unsigned long long mlen, const unsigned char *n,
- uint32_t ic, const unsigned char *k)
+stream_ietf_ext_ref_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ uint32_t ic, const unsigned char *k)
{
struct chacha_ctx ctx;
uint8_t ic_bytes[4];
@@ -172,9 +169,9 @@ stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m,
struct crypto_stream_chacha20_implementation
crypto_stream_chacha20_dolbeau_avx2_implementation = {
SODIUM_C99(.stream =) stream_ref,
- SODIUM_C99(.stream_ietf =) stream_ietf_ref,
+ SODIUM_C99(.stream_ietf_ext =) stream_ietf_ext_ref,
SODIUM_C99(.stream_xor_ic =) stream_ref_xor_ic,
- SODIUM_C99(.stream_ietf_xor_ic =) stream_ietf_ref_xor_ic
+ SODIUM_C99(.stream_ietf_ext_xor_ic =) stream_ietf_ext_ref_xor_ic
};
#endif
diff --git a/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c b/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c
index b7b9aa4a..6f5d3851 100644
--- a/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c
+++ b/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c
@@ -72,9 +72,6 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c,
if (!bytes) {
return; /* LCOV_EXCL_LINE */
}
- if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
- sodium_misuse();
- }
# include "u4.h"
# include "u1.h"
# include "u0.h"
@@ -100,8 +97,8 @@ stream_ref(unsigned char *c, unsigned long long clen, const unsigned char *n,
}
static int
-stream_ietf_ref(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k)
+stream_ietf_ext_ref(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
{
struct chacha_ctx ctx;
@@ -144,9 +141,9 @@ stream_ref_xor_ic(unsigned char *c, const unsigned char *m,
}
static int
-stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m,
- unsigned long long mlen, const unsigned char *n,
- uint32_t ic, const unsigned char *k)
+stream_ietf_ext_ref_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ uint32_t ic, const unsigned char *k)
{
struct chacha_ctx ctx;
uint8_t ic_bytes[4];
@@ -166,9 +163,9 @@ stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m,
struct crypto_stream_chacha20_implementation
crypto_stream_chacha20_dolbeau_ssse3_implementation = {
SODIUM_C99(.stream =) stream_ref,
- SODIUM_C99(.stream_ietf =) stream_ietf_ref,
+ SODIUM_C99(.stream_ietf_ext =) stream_ietf_ext_ref,
SODIUM_C99(.stream_xor_ic =) stream_ref_xor_ic,
- SODIUM_C99(.stream_ietf_xor_ic =) stream_ietf_ref_xor_ic
+ SODIUM_C99(.stream_ietf_ext_xor_ic =) stream_ietf_ext_ref_xor_ic
};
#endif
diff --git a/src/libsodium/crypto_stream/chacha20/dolbeau/u0.h b/src/libsodium/crypto_stream/chacha20/dolbeau/u0.h
index 17c3ff8e..c05dfd72 100644
--- a/src/libsodium/crypto_stream/chacha20/dolbeau/u0.h
+++ b/src/libsodium/crypto_stream/chacha20/dolbeau/u0.h
@@ -9,10 +9,10 @@ if (bytes > 0) {
unsigned int i;
- x_0 = _mm_loadu_si128((__m128i*) (x + 0));
- x_1 = _mm_loadu_si128((__m128i*) (x + 4));
- x_2 = _mm_loadu_si128((__m128i*) (x + 8));
- x_3 = _mm_loadu_si128((__m128i*) (x + 12));
+ x_0 = _mm_loadu_si128((const __m128i*) (x + 0));
+ x_1 = _mm_loadu_si128((const __m128i*) (x + 4));
+ x_2 = _mm_loadu_si128((const __m128i*) (x + 8));
+ x_3 = _mm_loadu_si128((const __m128i*) (x + 12));
for (i = 0; i < ROUNDS; i += 2) {
x_0 = _mm_add_epi32(x_0, x_1);
@@ -69,10 +69,10 @@ if (bytes > 0) {
t_1 = _mm_srli_epi32(t_1, 25);
x_1 = _mm_xor_si128(x_1, t_1);
}
- x_0 = _mm_add_epi32(x_0, _mm_loadu_si128((__m128i*) (x + 0)));
- x_1 = _mm_add_epi32(x_1, _mm_loadu_si128((__m128i*) (x + 4)));
- x_2 = _mm_add_epi32(x_2, _mm_loadu_si128((__m128i*) (x + 8)));
- x_3 = _mm_add_epi32(x_3, _mm_loadu_si128((__m128i*) (x + 12)));
+ x_0 = _mm_add_epi32(x_0, _mm_loadu_si128((const __m128i*) (x + 0)));
+ x_1 = _mm_add_epi32(x_1, _mm_loadu_si128((const __m128i*) (x + 4)));
+ x_2 = _mm_add_epi32(x_2, _mm_loadu_si128((const __m128i*) (x + 8)));
+ x_3 = _mm_add_epi32(x_3, _mm_loadu_si128((const __m128i*) (x + 12)));
_mm_storeu_si128((__m128i*) (partialblock + 0), x_0);
_mm_storeu_si128((__m128i*) (partialblock + 16), x_1);
_mm_storeu_si128((__m128i*) (partialblock + 32), x_2);
diff --git a/src/libsodium/crypto_stream/chacha20/dolbeau/u1.h b/src/libsodium/crypto_stream/chacha20/dolbeau/u1.h
index 867b44bc..f93fffea 100644
--- a/src/libsodium/crypto_stream/chacha20/dolbeau/u1.h
+++ b/src/libsodium/crypto_stream/chacha20/dolbeau/u1.h
@@ -10,10 +10,10 @@ while (bytes >= 64) {
uint32_t in13;
int i;
- x_0 = _mm_loadu_si128((__m128i*) (x + 0));
- x_1 = _mm_loadu_si128((__m128i*) (x + 4));
- x_2 = _mm_loadu_si128((__m128i*) (x + 8));
- x_3 = _mm_loadu_si128((__m128i*) (x + 12));
+ x_0 = _mm_loadu_si128((const __m128i*) (x + 0));
+ x_1 = _mm_loadu_si128((const __m128i*) (x + 4));
+ x_2 = _mm_loadu_si128((const __m128i*) (x + 8));
+ x_3 = _mm_loadu_si128((const __m128i*) (x + 12));
for (i = 0; i < ROUNDS; i += 2) {
x_0 = _mm_add_epi32(x_0, x_1);
@@ -70,14 +70,14 @@ while (bytes >= 64) {
t_1 = _mm_srli_epi32(t_1, 25);
x_1 = _mm_xor_si128(x_1, t_1);
}
- x_0 = _mm_add_epi32(x_0, _mm_loadu_si128((__m128i*) (x + 0)));
- x_1 = _mm_add_epi32(x_1, _mm_loadu_si128((__m128i*) (x + 4)));
- x_2 = _mm_add_epi32(x_2, _mm_loadu_si128((__m128i*) (x + 8)));
- x_3 = _mm_add_epi32(x_3, _mm_loadu_si128((__m128i*) (x + 12)));
- x_0 = _mm_xor_si128(x_0, _mm_loadu_si128((__m128i*) (m + 0)));
- x_1 = _mm_xor_si128(x_1, _mm_loadu_si128((__m128i*) (m + 16)));
- x_2 = _mm_xor_si128(x_2, _mm_loadu_si128((__m128i*) (m + 32)));
- x_3 = _mm_xor_si128(x_3, _mm_loadu_si128((__m128i*) (m + 48)));
+ x_0 = _mm_add_epi32(x_0, _mm_loadu_si128((const __m128i*) (x + 0)));
+ x_1 = _mm_add_epi32(x_1, _mm_loadu_si128((const __m128i*) (x + 4)));
+ x_2 = _mm_add_epi32(x_2, _mm_loadu_si128((const __m128i*) (x + 8)));
+ x_3 = _mm_add_epi32(x_3, _mm_loadu_si128((const __m128i*) (x + 12)));
+ x_0 = _mm_xor_si128(x_0, _mm_loadu_si128((const __m128i*) (m + 0)));
+ x_1 = _mm_xor_si128(x_1, _mm_loadu_si128((const __m128i*) (m + 16)));
+ x_2 = _mm_xor_si128(x_2, _mm_loadu_si128((const __m128i*) (m + 32)));
+ x_3 = _mm_xor_si128(x_3, _mm_loadu_si128((const __m128i*) (m + 48)));
_mm_storeu_si128((__m128i*) (c + 0), x_0);
_mm_storeu_si128((__m128i*) (c + 16), x_1);
_mm_storeu_si128((__m128i*) (c + 32), x_2);
diff --git a/src/libsodium/crypto_stream/chacha20/dolbeau/u4.h b/src/libsodium/crypto_stream/chacha20/dolbeau/u4.h
index 3ff83426..4ab295d7 100644
--- a/src/libsodium/crypto_stream/chacha20/dolbeau/u4.h
+++ b/src/libsodium/crypto_stream/chacha20/dolbeau/u4.h
@@ -120,31 +120,33 @@ if (bytes >= 256) {
VEC4_QUARTERROUND(3, 4, 9, 14);
}
-#define ONEQUAD_TRANSPOSE(A, B, C, D) \
- { \
- __m128i t0, t1, t2, t3; \
- \
- x_##A = _mm_add_epi32(x_##A, orig##A); \
- x_##B = _mm_add_epi32(x_##B, orig##B); \
- x_##C = _mm_add_epi32(x_##C, orig##C); \
- x_##D = _mm_add_epi32(x_##D, orig##D); \
- t_##A = _mm_unpacklo_epi32(x_##A, x_##B); \
- t_##B = _mm_unpacklo_epi32(x_##C, x_##D); \
- t_##C = _mm_unpackhi_epi32(x_##A, x_##B); \
- t_##D = _mm_unpackhi_epi32(x_##C, x_##D); \
- x_##A = _mm_unpacklo_epi64(t_##A, t_##B); \
- x_##B = _mm_unpackhi_epi64(t_##A, t_##B); \
- x_##C = _mm_unpacklo_epi64(t_##C, t_##D); \
- x_##D = _mm_unpackhi_epi64(t_##C, t_##D); \
- \
- t0 = _mm_xor_si128(x_##A, _mm_loadu_si128((__m128i*) (m + 0))); \
- _mm_storeu_si128((__m128i*) (c + 0), t0); \
- t1 = _mm_xor_si128(x_##B, _mm_loadu_si128((__m128i*) (m + 64))); \
- _mm_storeu_si128((__m128i*) (c + 64), t1); \
- t2 = _mm_xor_si128(x_##C, _mm_loadu_si128((__m128i*) (m + 128))); \
- _mm_storeu_si128((__m128i*) (c + 128), t2); \
- t3 = _mm_xor_si128(x_##D, _mm_loadu_si128((__m128i*) (m + 192))); \
- _mm_storeu_si128((__m128i*) (c + 192), t3); \
+#define ONEQUAD_TRANSPOSE(A, B, C, D) \
+ { \
+ __m128i t0, t1, t2, t3; \
+ \
+ x_##A = _mm_add_epi32(x_##A, orig##A); \
+ x_##B = _mm_add_epi32(x_##B, orig##B); \
+ x_##C = _mm_add_epi32(x_##C, orig##C); \
+ x_##D = _mm_add_epi32(x_##D, orig##D); \
+ t_##A = _mm_unpacklo_epi32(x_##A, x_##B); \
+ t_##B = _mm_unpacklo_epi32(x_##C, x_##D); \
+ t_##C = _mm_unpackhi_epi32(x_##A, x_##B); \
+ t_##D = _mm_unpackhi_epi32(x_##C, x_##D); \
+ x_##A = _mm_unpacklo_epi64(t_##A, t_##B); \
+ x_##B = _mm_unpackhi_epi64(t_##A, t_##B); \
+ x_##C = _mm_unpacklo_epi64(t_##C, t_##D); \
+ x_##D = _mm_unpackhi_epi64(t_##C, t_##D); \
+ \
+ t0 = _mm_xor_si128(x_##A, _mm_loadu_si128((const __m128i*) (m + 0))); \
+ _mm_storeu_si128((__m128i*) (c + 0), t0); \
+ t1 = _mm_xor_si128(x_##B, _mm_loadu_si128((const __m128i*) (m + 64))); \
+ _mm_storeu_si128((__m128i*) (c + 64), t1); \
+ t2 = \
+ _mm_xor_si128(x_##C, _mm_loadu_si128((const __m128i*) (m + 128))); \
+ _mm_storeu_si128((__m128i*) (c + 128), t2); \
+ t3 = \
+ _mm_xor_si128(x_##D, _mm_loadu_si128((const __m128i*) (m + 192))); \
+ _mm_storeu_si128((__m128i*) (c + 192), t3); \
}
#define ONEQUAD(A, B, C, D) ONEQUAD_TRANSPOSE(A, B, C, D)
diff --git a/src/libsodium/crypto_stream/chacha20/dolbeau/u8.h b/src/libsodium/crypto_stream/chacha20/dolbeau/u8.h
index 22bf9fcf..2f6c5f1e 100644
--- a/src/libsodium/crypto_stream/chacha20/dolbeau/u8.h
+++ b/src/libsodium/crypto_stream/chacha20/dolbeau/u8.h
@@ -200,7 +200,7 @@ if (bytes >= 512) {
in12 = x[12];
in13 = x[13];
in1213 = ((uint64_t) in12) | (((uint64_t) in13) << 32);
- x_12 = x_13 = _mm256_broadcastq_epi64(_mm_cvtsi64_si128(in1213));
+ x_12 = x_13 = _mm256_broadcastq_epi64(_mm_cvtsi64_si128(in1213));
t12 = _mm256_add_epi64(addv12, x_12);
t13 = _mm256_add_epi64(addv13, x_13);
@@ -228,45 +228,45 @@ if (bytes >= 512) {
VEC8_ROUND(0, 5, 10, 15, 1, 6, 11, 12, 2, 7, 8, 13, 3, 4, 9, 14);
}
-#define ONEQUAD_TRANSPOSE(A, B, C, D) \
- { \
- __m128i t0, t1, t2, t3; \
- x_##A = _mm256_add_epi32(x_##A, orig##A); \
- x_##B = _mm256_add_epi32(x_##B, orig##B); \
- x_##C = _mm256_add_epi32(x_##C, orig##C); \
- x_##D = _mm256_add_epi32(x_##D, orig##D); \
- t_##A = _mm256_unpacklo_epi32(x_##A, x_##B); \
- t_##B = _mm256_unpacklo_epi32(x_##C, x_##D); \
- t_##C = _mm256_unpackhi_epi32(x_##A, x_##B); \
- t_##D = _mm256_unpackhi_epi32(x_##C, x_##D); \
- x_##A = _mm256_unpacklo_epi64(t_##A, t_##B); \
- x_##B = _mm256_unpackhi_epi64(t_##A, t_##B); \
- x_##C = _mm256_unpacklo_epi64(t_##C, t_##D); \
- x_##D = _mm256_unpackhi_epi64(t_##C, t_##D); \
- t0 = _mm_xor_si128(_mm256_extracti128_si256(x_##A, 0), \
- _mm_loadu_si128((__m128i*) (m + 0))); \
- _mm_storeu_si128((__m128i*) (c + 0), t0); \
- t1 = _mm_xor_si128(_mm256_extracti128_si256(x_##B, 0), \
- _mm_loadu_si128((__m128i*) (m + 64))); \
- _mm_storeu_si128((__m128i*) (c + 64), t1); \
- t2 = _mm_xor_si128(_mm256_extracti128_si256(x_##C, 0), \
- _mm_loadu_si128((__m128i*) (m + 128))); \
- _mm_storeu_si128((__m128i*) (c + 128), t2); \
- t3 = _mm_xor_si128(_mm256_extracti128_si256(x_##D, 0), \
- _mm_loadu_si128((__m128i*) (m + 192))); \
- _mm_storeu_si128((__m128i*) (c + 192), t3); \
- t0 = _mm_xor_si128(_mm256_extracti128_si256(x_##A, 1), \
- _mm_loadu_si128((__m128i*) (m + 256))); \
- _mm_storeu_si128((__m128i*) (c + 256), t0); \
- t1 = _mm_xor_si128(_mm256_extracti128_si256(x_##B, 1), \
- _mm_loadu_si128((__m128i*) (m + 320))); \
- _mm_storeu_si128((__m128i*) (c + 320), t1); \
- t2 = _mm_xor_si128(_mm256_extracti128_si256(x_##C, 1), \
- _mm_loadu_si128((__m128i*) (m + 384))); \
- _mm_storeu_si128((__m128i*) (c + 384), t2); \
- t3 = _mm_xor_si128(_mm256_extracti128_si256(x_##D, 1), \
- _mm_loadu_si128((__m128i*) (m + 448))); \
- _mm_storeu_si128((__m128i*) (c + 448), t3); \
+#define ONEQUAD_TRANSPOSE(A, B, C, D) \
+ { \
+ __m128i t0, t1, t2, t3; \
+ x_##A = _mm256_add_epi32(x_##A, orig##A); \
+ x_##B = _mm256_add_epi32(x_##B, orig##B); \
+ x_##C = _mm256_add_epi32(x_##C, orig##C); \
+ x_##D = _mm256_add_epi32(x_##D, orig##D); \
+ t_##A = _mm256_unpacklo_epi32(x_##A, x_##B); \
+ t_##B = _mm256_unpacklo_epi32(x_##C, x_##D); \
+ t_##C = _mm256_unpackhi_epi32(x_##A, x_##B); \
+ t_##D = _mm256_unpackhi_epi32(x_##C, x_##D); \
+ x_##A = _mm256_unpacklo_epi64(t_##A, t_##B); \
+ x_##B = _mm256_unpackhi_epi64(t_##A, t_##B); \
+ x_##C = _mm256_unpacklo_epi64(t_##C, t_##D); \
+ x_##D = _mm256_unpackhi_epi64(t_##C, t_##D); \
+ t0 = _mm_xor_si128(_mm256_extracti128_si256(x_##A, 0), \
+ _mm_loadu_si128((const __m128i*) (m + 0))); \
+ _mm_storeu_si128((__m128i*) (c + 0), t0); \
+ t1 = _mm_xor_si128(_mm256_extracti128_si256(x_##B, 0), \
+ _mm_loadu_si128((const __m128i*) (m + 64))); \
+ _mm_storeu_si128((__m128i*) (c + 64), t1); \
+ t2 = _mm_xor_si128(_mm256_extracti128_si256(x_##C, 0), \
+ _mm_loadu_si128((const __m128i*) (m + 128))); \
+ _mm_storeu_si128((__m128i*) (c + 128), t2); \
+ t3 = _mm_xor_si128(_mm256_extracti128_si256(x_##D, 0), \
+ _mm_loadu_si128((const __m128i*) (m + 192))); \
+ _mm_storeu_si128((__m128i*) (c + 192), t3); \
+ t0 = _mm_xor_si128(_mm256_extracti128_si256(x_##A, 1), \
+ _mm_loadu_si128((const __m128i*) (m + 256))); \
+ _mm_storeu_si128((__m128i*) (c + 256), t0); \
+ t1 = _mm_xor_si128(_mm256_extracti128_si256(x_##B, 1), \
+ _mm_loadu_si128((const __m128i*) (m + 320))); \
+ _mm_storeu_si128((__m128i*) (c + 320), t1); \
+ t2 = _mm_xor_si128(_mm256_extracti128_si256(x_##C, 1), \
+ _mm_loadu_si128((const __m128i*) (m + 384))); \
+ _mm_storeu_si128((__m128i*) (c + 384), t2); \
+ t3 = _mm_xor_si128(_mm256_extracti128_si256(x_##D, 1), \
+ _mm_loadu_si128((const __m128i*) (m + 448))); \
+ _mm_storeu_si128((__m128i*) (c + 448), t3); \
}
#define ONEQUAD(A, B, C, D) ONEQUAD_TRANSPOSE(A, B, C, D)
@@ -287,42 +287,42 @@ if (bytes >= 512) {
x_##D = _mm256_unpackhi_epi64(t_##C, t_##D); \
}
-#define ONEOCTO(A, B, C, D, A2, B2, C2, D2) \
- { \
- ONEQUAD_UNPCK(A, B, C, D); \
- ONEQUAD_UNPCK(A2, B2, C2, D2); \
- t_##A = _mm256_permute2x128_si256(x_##A, x_##A2, 0x20); \
- t_##A2 = _mm256_permute2x128_si256(x_##A, x_##A2, 0x31); \
- t_##B = _mm256_permute2x128_si256(x_##B, x_##B2, 0x20); \
- t_##B2 = _mm256_permute2x128_si256(x_##B, x_##B2, 0x31); \
- t_##C = _mm256_permute2x128_si256(x_##C, x_##C2, 0x20); \
- t_##C2 = _mm256_permute2x128_si256(x_##C, x_##C2, 0x31); \
- t_##D = _mm256_permute2x128_si256(x_##D, x_##D2, 0x20); \
- t_##D2 = _mm256_permute2x128_si256(x_##D, x_##D2, 0x31); \
- t_##A = \
- _mm256_xor_si256(t_##A, _mm256_loadu_si256((__m256i*) (m + 0))); \
- t_##B = \
- _mm256_xor_si256(t_##B, _mm256_loadu_si256((__m256i*) (m + 64))); \
- t_##C = \
- _mm256_xor_si256(t_##C, _mm256_loadu_si256((__m256i*) (m + 128))); \
- t_##D = \
- _mm256_xor_si256(t_##D, _mm256_loadu_si256((__m256i*) (m + 192))); \
- t_##A2 = _mm256_xor_si256(t_##A2, \
- _mm256_loadu_si256((__m256i*) (m + 256))); \
- t_##B2 = _mm256_xor_si256(t_##B2, \
- _mm256_loadu_si256((__m256i*) (m + 320))); \
- t_##C2 = _mm256_xor_si256(t_##C2, \
- _mm256_loadu_si256((__m256i*) (m + 384))); \
- t_##D2 = _mm256_xor_si256(t_##D2, \
- _mm256_loadu_si256((__m256i*) (m + 448))); \
- _mm256_storeu_si256((__m256i*) (c + 0), t_##A); \
- _mm256_storeu_si256((__m256i*) (c + 64), t_##B); \
- _mm256_storeu_si256((__m256i*) (c + 128), t_##C); \
- _mm256_storeu_si256((__m256i*) (c + 192), t_##D); \
- _mm256_storeu_si256((__m256i*) (c + 256), t_##A2); \
- _mm256_storeu_si256((__m256i*) (c + 320), t_##B2); \
- _mm256_storeu_si256((__m256i*) (c + 384), t_##C2); \
- _mm256_storeu_si256((__m256i*) (c + 448), t_##D2); \
+#define ONEOCTO(A, B, C, D, A2, B2, C2, D2) \
+ { \
+ ONEQUAD_UNPCK(A, B, C, D); \
+ ONEQUAD_UNPCK(A2, B2, C2, D2); \
+ t_##A = _mm256_permute2x128_si256(x_##A, x_##A2, 0x20); \
+ t_##A2 = _mm256_permute2x128_si256(x_##A, x_##A2, 0x31); \
+ t_##B = _mm256_permute2x128_si256(x_##B, x_##B2, 0x20); \
+ t_##B2 = _mm256_permute2x128_si256(x_##B, x_##B2, 0x31); \
+ t_##C = _mm256_permute2x128_si256(x_##C, x_##C2, 0x20); \
+ t_##C2 = _mm256_permute2x128_si256(x_##C, x_##C2, 0x31); \
+ t_##D = _mm256_permute2x128_si256(x_##D, x_##D2, 0x20); \
+ t_##D2 = _mm256_permute2x128_si256(x_##D, x_##D2, 0x31); \
+ t_##A = _mm256_xor_si256( \
+ t_##A, _mm256_loadu_si256((const __m256i*) (m + 0))); \
+ t_##B = _mm256_xor_si256( \
+ t_##B, _mm256_loadu_si256((const __m256i*) (m + 64))); \
+ t_##C = _mm256_xor_si256( \
+ t_##C, _mm256_loadu_si256((const __m256i*) (m + 128))); \
+ t_##D = _mm256_xor_si256( \
+ t_##D, _mm256_loadu_si256((const __m256i*) (m + 192))); \
+ t_##A2 = _mm256_xor_si256( \
+ t_##A2, _mm256_loadu_si256((const __m256i*) (m + 256))); \
+ t_##B2 = _mm256_xor_si256( \
+ t_##B2, _mm256_loadu_si256((const __m256i*) (m + 320))); \
+ t_##C2 = _mm256_xor_si256( \
+ t_##C2, _mm256_loadu_si256((const __m256i*) (m + 384))); \
+ t_##D2 = _mm256_xor_si256( \
+ t_##D2, _mm256_loadu_si256((const __m256i*) (m + 448))); \
+ _mm256_storeu_si256((__m256i*) (c + 0), t_##A); \
+ _mm256_storeu_si256((__m256i*) (c + 64), t_##B); \
+ _mm256_storeu_si256((__m256i*) (c + 128), t_##C); \
+ _mm256_storeu_si256((__m256i*) (c + 192), t_##D); \
+ _mm256_storeu_si256((__m256i*) (c + 256), t_##A2); \
+ _mm256_storeu_si256((__m256i*) (c + 320), t_##B2); \
+ _mm256_storeu_si256((__m256i*) (c + 384), t_##C2); \
+ _mm256_storeu_si256((__m256i*) (c + 448), t_##D2); \
}
ONEOCTO(0, 1, 2, 3, 4, 5, 6, 7);
diff --git a/src/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c b/src/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c
index f88a99db..40cccbf8 100644
--- a/src/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c
+++ b/src/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c
@@ -92,9 +92,6 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c,
if (!bytes) {
return; /* LCOV_EXCL_LINE */
}
- if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
- sodium_misuse();
- }
j0 = ctx->input[0];
j1 = ctx->input[1];
j2 = ctx->input[2];
@@ -243,8 +240,8 @@ stream_ref(unsigned char *c, unsigned long long clen, const unsigned char *n,
}
static int
-stream_ietf_ref(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k)
+stream_ietf_ext_ref(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
{
struct chacha_ctx ctx;
@@ -287,9 +284,9 @@ stream_ref_xor_ic(unsigned char *c, const unsigned char *m,
}
static int
-stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m,
- unsigned long long mlen, const unsigned char *n,
- uint32_t ic, const unsigned char *k)
+stream_ietf_ext_ref_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ uint32_t ic, const unsigned char *k)
{
struct chacha_ctx ctx;
uint8_t ic_bytes[4];
@@ -309,7 +306,7 @@ stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m,
struct crypto_stream_chacha20_implementation
crypto_stream_chacha20_ref_implementation = {
SODIUM_C99(.stream =) stream_ref,
- SODIUM_C99(.stream_ietf =) stream_ietf_ref,
+ SODIUM_C99(.stream_ietf_ext =) stream_ietf_ext_ref,
SODIUM_C99(.stream_xor_ic =) stream_ref_xor_ic,
- SODIUM_C99(.stream_ietf_xor_ic =) stream_ietf_ref_xor_ic
+ SODIUM_C99(.stream_ietf_ext_xor_ic =) stream_ietf_ext_ref_xor_ic
};
diff --git a/src/libsodium/crypto_stream/chacha20/stream_chacha20.c b/src/libsodium/crypto_stream/chacha20/stream_chacha20.c
index 3b089511..427c3fb0 100644
--- a/src/libsodium/crypto_stream/chacha20/stream_chacha20.c
+++ b/src/libsodium/crypto_stream/chacha20/stream_chacha20.c
@@ -1,4 +1,6 @@
#include "crypto_stream_chacha20.h"
+#include "core.h"
+#include "private/chacha20_ietf_ext.h"
#include "private/common.h"
#include "private/implementations.h"
#include "randombytes.h"
@@ -53,40 +55,89 @@ int
crypto_stream_chacha20(unsigned char *c, unsigned long long clen,
const unsigned char *n, const unsigned char *k)
{
+ if (clen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
return implementation->stream(c, clen, n, k);
}
-int
-crypto_stream_chacha20_ietf(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k)
-{
- return implementation->stream_ietf(c, clen, n, k);
-}
-
int
crypto_stream_chacha20_xor_ic(unsigned char *c, const unsigned char *m,
unsigned long long mlen,
const unsigned char *n, uint64_t ic,
const unsigned char *k)
{
+ if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
return implementation->stream_xor_ic(c, m, mlen, n, ic, k);
}
+int
+crypto_stream_chacha20_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+{
+ if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return implementation->stream_xor_ic(c, m, mlen, n, 0U, k);
+}
+
+int
+crypto_stream_chacha20_ietf_ext(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+{
+ if (clen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return implementation->stream_ietf_ext(c, clen, n, k);
+}
+
+int
+crypto_stream_chacha20_ietf_ext_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint32_t ic,
+ const unsigned char *k)
+{
+ if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return implementation->stream_ietf_ext_xor_ic(c, m, mlen, n, ic, k);
+}
+
+static int
+crypto_stream_chacha20_ietf_ext_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+{
+ if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return implementation->stream_ietf_ext_xor_ic(c, m, mlen, n, 0U, k);
+}
+
+int
+crypto_stream_chacha20_ietf(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+{
+ if (clen > crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return crypto_stream_chacha20_ietf_ext(c, clen, n, k);
+}
+
int
crypto_stream_chacha20_ietf_xor_ic(unsigned char *c, const unsigned char *m,
unsigned long long mlen,
const unsigned char *n, uint32_t ic,
const unsigned char *k)
{
- return implementation->stream_ietf_xor_ic(c, m, mlen, n, ic, k);
-}
-
-int
-crypto_stream_chacha20_xor(unsigned char *c, const unsigned char *m,
- unsigned long long mlen, const unsigned char *n,
- const unsigned char *k)
-{
- return implementation->stream_xor_ic(c, m, mlen, n, 0U, k);
+ if ((unsigned long long) ic >
+ (64ULL * (1ULL << 32)) / 64ULL - (mlen + 63ULL) / 64ULL) {
+ sodium_misuse();
+ }
+ return crypto_stream_chacha20_ietf_ext_xor_ic(c, m, mlen, n, ic, k);
}
int
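Review bot: In `crypto_stream_chacha20_ietf_xor_ic` the counter check subtracts `(mlen + 63ULL) / 64ULL` from 2^32 in unsigned arithmetic, so once `mlen` needs more than 2^32 blocks the right-hand side wraps to a very large value and no `ic` can exceed it. `sodium_misuse()` is then skipped and the call reaches `crypto_stream_chacha20_ietf_ext_xor_ic`, which checks only `crypto_stream_chacha20_MESSAGEBYTES_MAX`; `mlen + 63ULL` can also wrap on its own for lengths near the top of the range. Bounding the length first, as `crypto_stream_chacha20_ietf` does in this same hunk, closes both cases: `if (mlen > crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX) { sodium_misuse(); }` ahead of the existing test. This assumes that constant is no larger than 2^32 blocks of 64 bytes; its definition is not in the hunk.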
@@ -94,7 +145,10 @@ crypto_stream_chacha20_ietf_xor(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
const unsigned char *k)
{
- return implementation->stream_ietf_xor_ic(c, m, mlen, n, 0U, k);
+ if (mlen > crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return crypto_stream_chacha20_ietf_ext_xor(c, m, mlen, n, k);
}
void
diff --git a/src/libsodium/crypto_stream/chacha20/stream_chacha20.h b/src/libsodium/crypto_stream/chacha20/stream_chacha20.h
index d6b71c5e..40f782f4 100644
--- a/src/libsodium/crypto_stream/chacha20/stream_chacha20.h
+++ b/src/libsodium/crypto_stream/chacha20/stream_chacha20.h
@@ -7,16 +7,16 @@
typedef struct crypto_stream_chacha20_implementation {
int (*stream)(unsigned char *c, unsigned long long clen,
const unsigned char *n, const unsigned char *k);
- int (*stream_ietf)(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k);
+ int (*stream_ietf_ext)(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k);
int (*stream_xor_ic)(unsigned char *c, const unsigned char *m,
unsigned long long mlen,
const unsigned char *n, uint64_t ic,
const unsigned char *k);
- int (*stream_ietf_xor_ic)(unsigned char *c, const unsigned char *m,
- unsigned long long mlen,
- const unsigned char *n, uint32_t ic,
- const unsigned char *k);
+ int (*stream_ietf_ext_xor_ic)(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint32_t ic,
+ const unsigned char *k);
} crypto_stream_chacha20_implementation;
#endif
diff --git a/src/libsodium/crypto_stream/salsa20/xmm6int/u0.h b/src/libsodium/crypto_stream/salsa20/xmm6int/u0.h
index b2d41680..830f70e8 100644
--- a/src/libsodium/crypto_stream/salsa20/xmm6int/u0.h
+++ b/src/libsodium/crypto_stream/salsa20/xmm6int/u0.h
@@ -1,8 +1,8 @@
if (bytes > 0) {
- __m128i diag0 = _mm_loadu_si128((__m128i *) (x + 0));
- __m128i diag1 = _mm_loadu_si128((__m128i *) (x + 4));
- __m128i diag2 = _mm_loadu_si128((__m128i *) (x + 8));
- __m128i diag3 = _mm_loadu_si128((__m128i *) (x + 12));
+ __m128i diag0 = _mm_loadu_si128((const __m128i *) (x + 0));
+ __m128i diag1 = _mm_loadu_si128((const __m128i *) (x + 4));
+ __m128i diag2 = _mm_loadu_si128((const __m128i *) (x + 8));
+ __m128i diag3 = _mm_loadu_si128((const __m128i *) (x + 12));
__m128i a0, a1, a2, a3, a4, a5, a6, a7;
__m128i b0, b1, b2, b3, b4, b5, b6, b7;
uint8_t partialblock[64];
@@ -156,25 +156,25 @@ if (bytes > 0) {
diag0 = _mm_xor_si128(diag0, b7);
}
- diag0 = _mm_add_epi32(diag0, _mm_loadu_si128((__m128i *) (x + 0)));
- diag1 = _mm_add_epi32(diag1, _mm_loadu_si128((__m128i *) (x + 4)));
- diag2 = _mm_add_epi32(diag2, _mm_loadu_si128((__m128i *) (x + 8)));
- diag3 = _mm_add_epi32(diag3, _mm_loadu_si128((__m128i *) (x + 12)));
+ diag0 = _mm_add_epi32(diag0, _mm_loadu_si128((const __m128i *) (x + 0)));
+ diag1 = _mm_add_epi32(diag1, _mm_loadu_si128((const __m128i *) (x + 4)));
+ diag2 = _mm_add_epi32(diag2, _mm_loadu_si128((const __m128i *) (x + 8)));
+ diag3 = _mm_add_epi32(diag3, _mm_loadu_si128((const __m128i *) (x + 12)));
-#define ONEQUAD_SHUFFLE(A, B, C, D) \
- do { \
- uint32_t in##A = _mm_cvtsi128_si32(diag0); \
- uint32_t in##B = _mm_cvtsi128_si32(diag1); \
- uint32_t in##C = _mm_cvtsi128_si32(diag2); \
- uint32_t in##D = _mm_cvtsi128_si32(diag3); \
- diag0 = _mm_shuffle_epi32(diag0, 0x39); \
- diag1 = _mm_shuffle_epi32(diag1, 0x39); \
- diag2 = _mm_shuffle_epi32(diag2, 0x39); \
- diag3 = _mm_shuffle_epi32(diag3, 0x39); \
- *(uint32_t *) (partialblock + (A * 4)) = in##A; \
- *(uint32_t *) (partialblock + (B * 4)) = in##B; \
- *(uint32_t *) (partialblock + (C * 4)) = in##C; \
- *(uint32_t *) (partialblock + (D * 4)) = in##D; \
+#define ONEQUAD_SHUFFLE(A, B, C, D) \
+ do { \
+ uint32_t in##A = _mm_cvtsi128_si32(diag0); \
+ uint32_t in##B = _mm_cvtsi128_si32(diag1); \
+ uint32_t in##C = _mm_cvtsi128_si32(diag2); \
+ uint32_t in##D = _mm_cvtsi128_si32(diag3); \
+ diag0 = _mm_shuffle_epi32(diag0, 0x39); \
+ diag1 = _mm_shuffle_epi32(diag1, 0x39); \
+ diag2 = _mm_shuffle_epi32(diag2, 0x39); \
+ diag3 = _mm_shuffle_epi32(diag3, 0x39); \
+ *(uint32_t *) (partialblock + (A * 4)) = in##A; \
+ *(uint32_t *) (partialblock + (B * 4)) = in##B; \
+ *(uint32_t *) (partialblock + (C * 4)) = in##C; \
+ *(uint32_t *) (partialblock + (D * 4)) = in##D; \
} while (0)
#define ONEQUAD(A, B, C, D) ONEQUAD_SHUFFLE(A, B, C, D)
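Review bot: The `ONEQUAD_SHUFFLE` stores `*(uint32_t *) (partialblock + (A * 4)) = in##A;` write 32-bit values through a cast pointer into `partialblock`, which the previous hunk shows is declared `uint8_t partialblock[64]`. That access falls outside C's aliasing rules, and nothing visible guarantees 4-byte alignment of the array. The same pattern is in u1.h's `ONEQUAD_SHUFFLE`, where `*(const uint32_t *) (m + (A * 4))` and `*(uint32_t *) (c + (A * 4))` dereference the caller's message and output pointers, whose alignment the macro cannot know. A byte copy makes the same store without either assumption, for example `memcpy(partialblock + (A * 4), &in##A, sizeof in##A);`, and compilers typically lower it to a single move. It would need `<string.h>` in the including file, which these hunks do not show.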
diff --git a/src/libsodium/crypto_stream/salsa20/xmm6int/u1.h b/src/libsodium/crypto_stream/salsa20/xmm6int/u1.h
index c245d956..e82521cd 100644
--- a/src/libsodium/crypto_stream/salsa20/xmm6int/u1.h
+++ b/src/libsodium/crypto_stream/salsa20/xmm6int/u1.h
@@ -1,8 +1,8 @@
while (bytes >= 64) {
- __m128i diag0 = _mm_loadu_si128((__m128i *) (x + 0));
- __m128i diag1 = _mm_loadu_si128((__m128i *) (x + 4));
- __m128i diag2 = _mm_loadu_si128((__m128i *) (x + 8));
- __m128i diag3 = _mm_loadu_si128((__m128i *) (x + 12));
+ __m128i diag0 = _mm_loadu_si128((const __m128i *) (x + 0));
+ __m128i diag1 = _mm_loadu_si128((const __m128i *) (x + 4));
+ __m128i diag2 = _mm_loadu_si128((const __m128i *) (x + 8));
+ __m128i diag3 = _mm_loadu_si128((const __m128i *) (x + 12));
__m128i a0, a1, a2, a3, a4, a5, a6, a7;
__m128i b0, b1, b2, b3, b4, b5, b6, b7;
@@ -157,10 +157,10 @@ while (bytes >= 64) {
diag0 = _mm_xor_si128(diag0, b7);
}
- diag0 = _mm_add_epi32(diag0, _mm_loadu_si128((__m128i *) (x + 0)));
- diag1 = _mm_add_epi32(diag1, _mm_loadu_si128((__m128i *) (x + 4)));
- diag2 = _mm_add_epi32(diag2, _mm_loadu_si128((__m128i *) (x + 8)));
- diag3 = _mm_add_epi32(diag3, _mm_loadu_si128((__m128i *) (x + 12)));
+ diag0 = _mm_add_epi32(diag0, _mm_loadu_si128((const __m128i *) (x + 0)));
+ diag1 = _mm_add_epi32(diag1, _mm_loadu_si128((const __m128i *) (x + 4)));
+ diag2 = _mm_add_epi32(diag2, _mm_loadu_si128((const __m128i *) (x + 8)));
+ diag3 = _mm_add_epi32(diag3, _mm_loadu_si128((const __m128i *) (x + 12)));
#define ONEQUAD_SHUFFLE(A, B, C, D) \
do { \
@@ -172,10 +172,10 @@ while (bytes >= 64) {
diag1 = _mm_shuffle_epi32(diag1, 0x39); \
diag2 = _mm_shuffle_epi32(diag2, 0x39); \
diag3 = _mm_shuffle_epi32(diag3, 0x39); \
- in##A ^= *(uint32_t *) (m + (A * 4)); \
- in##B ^= *(uint32_t *) (m + (B * 4)); \
- in##C ^= *(uint32_t *) (m + (C * 4)); \
- in##D ^= *(uint32_t *) (m + (D * 4)); \
+ in##A ^= *(const uint32_t *) (m + (A * 4)); \
+ in##B ^= *(const uint32_t *) (m + (B * 4)); \
+ in##C ^= *(const uint32_t *) (m + (C * 4)); \
+ in##D ^= *(const uint32_t *) (m + (D * 4)); \
*(uint32_t *) (c + (A * 4)) = in##A; \
*(uint32_t *) (c + (B * 4)) = in##B; \
*(uint32_t *) (c + (C * 4)) = in##C; \
diff --git a/src/libsodium/crypto_stream/salsa20/xmm6int/u4.h b/src/libsodium/crypto_stream/salsa20/xmm6int/u4.h
index 61d935fc..474f4860 100644
--- a/src/libsodium/crypto_stream/salsa20/xmm6int/u4.h
+++ b/src/libsodium/crypto_stream/salsa20/xmm6int/u4.h
@@ -12,22 +12,22 @@ if (bytes >= 256) {
/* element broadcast immediate for _mm_shuffle_epi32 are in order:
0x00, 0x55, 0xaa, 0xff */
- z0 = _mm_loadu_si128((__m128i *) (x + 0));
+ z0 = _mm_loadu_si128((const __m128i *) (x + 0));
z5 = _mm_shuffle_epi32(z0, 0x55);
z10 = _mm_shuffle_epi32(z0, 0xaa);
z15 = _mm_shuffle_epi32(z0, 0xff);
z0 = _mm_shuffle_epi32(z0, 0x00);
- z1 = _mm_loadu_si128((__m128i *) (x + 4));
+ z1 = _mm_loadu_si128((const __m128i *) (x + 4));
z6 = _mm_shuffle_epi32(z1, 0xaa);
z11 = _mm_shuffle_epi32(z1, 0xff);
z12 = _mm_shuffle_epi32(z1, 0x00);
z1 = _mm_shuffle_epi32(z1, 0x55);
- z2 = _mm_loadu_si128((__m128i *) (x + 8));
+ z2 = _mm_loadu_si128((const __m128i *) (x + 8));
z7 = _mm_shuffle_epi32(z2, 0xff);
z13 = _mm_shuffle_epi32(z2, 0x55);
z2 = _mm_shuffle_epi32(z2, 0xaa);
/* no z8 -> first half of the nonce, will fill later */
- z3 = _mm_loadu_si128((__m128i *) (x + 12));
+ z3 = _mm_loadu_si128((const __m128i *) (x + 12));
z4 = _mm_shuffle_epi32(z3, 0x00);
z14 = _mm_shuffle_epi32(z3, 0xaa);
z3 = _mm_shuffle_epi32(z3, 0xff);
@@ -498,26 +498,26 @@ if (bytes >= 256) {
/* store data ; this macro first transpose data in-registers, and then store
* them in memory. much faster with icc. */
-#define ONEQUAD_TRANSPOSE(A, B, C, D) \
- z##A = _mm_add_epi32(z##A, orig##A); \
- z##B = _mm_add_epi32(z##B, orig##B); \
- z##C = _mm_add_epi32(z##C, orig##C); \
- z##D = _mm_add_epi32(z##D, orig##D); \
- y##A = _mm_unpacklo_epi32(z##A, z##B); \
- y##B = _mm_unpacklo_epi32(z##C, z##D); \
- y##C = _mm_unpackhi_epi32(z##A, z##B); \
- y##D = _mm_unpackhi_epi32(z##C, z##D); \
- z##A = _mm_unpacklo_epi64(y##A, y##B); \
- z##B = _mm_unpackhi_epi64(y##A, y##B); \
- z##C = _mm_unpacklo_epi64(y##C, y##D); \
- z##D = _mm_unpackhi_epi64(y##C, y##D); \
- y##A = _mm_xor_si128(z##A, _mm_loadu_si128((__m128i *) (m + 0))); \
- _mm_storeu_si128((__m128i *) (c + 0), y##A); \
- y##B = _mm_xor_si128(z##B, _mm_loadu_si128((__m128i *) (m + 64))); \
- _mm_storeu_si128((__m128i *) (c + 64), y##B); \
- y##C = _mm_xor_si128(z##C, _mm_loadu_si128((__m128i *) (m + 128))); \
- _mm_storeu_si128((__m128i *) (c + 128), y##C); \
- y##D = _mm_xor_si128(z##D, _mm_loadu_si128((__m128i *) (m + 192))); \
+#define ONEQUAD_TRANSPOSE(A, B, C, D) \
+ z##A = _mm_add_epi32(z##A, orig##A); \
+ z##B = _mm_add_epi32(z##B, orig##B); \
+ z##C = _mm_add_epi32(z##C, orig##C); \
+ z##D = _mm_add_epi32(z##D, orig##D); \
+ y##A = _mm_unpacklo_epi32(z##A, z##B); \
+ y##B = _mm_unpacklo_epi32(z##C, z##D); \
+ y##C = _mm_unpackhi_epi32(z##A, z##B); \
+ y##D = _mm_unpackhi_epi32(z##C, z##D); \
+ z##A = _mm_unpacklo_epi64(y##A, y##B); \
+ z##B = _mm_unpackhi_epi64(y##A, y##B); \
+ z##C = _mm_unpacklo_epi64(y##C, y##D); \
+ z##D = _mm_unpackhi_epi64(y##C, y##D); \
+ y##A = _mm_xor_si128(z##A, _mm_loadu_si128((const __m128i *) (m + 0))); \
+ _mm_storeu_si128((__m128i *) (c + 0), y##A); \
+ y##B = _mm_xor_si128(z##B, _mm_loadu_si128((const __m128i *) (m + 64))); \
+ _mm_storeu_si128((__m128i *) (c + 64), y##B); \
+ y##C = _mm_xor_si128(z##C, _mm_loadu_si128((const __m128i *) (m + 128))); \
+ _mm_storeu_si128((__m128i *) (c + 128), y##C); \
+ y##D = _mm_xor_si128(z##D, _mm_loadu_si128((const __m128i *) (m + 192))); \
_mm_storeu_si128((__m128i *) (c + 192), y##D)
#define ONEQUAD(A, B, C, D) ONEQUAD_TRANSPOSE(A, B, C, D)
diff --git a/src/libsodium/crypto_stream/salsa20/xmm6int/u8.h b/src/libsodium/crypto_stream/salsa20/xmm6int/u8.h
index 467a9612..581b22c2 100644
--- a/src/libsodium/crypto_stream/salsa20/xmm6int/u8.h
+++ b/src/libsodium/crypto_stream/salsa20/xmm6int/u8.h
@@ -361,45 +361,45 @@ if (bytes >= 512) {
/* store data ; this macro first transpose data in-registers, and then store
* them in memory. much faster with icc. */
-#define ONEQUAD_TRANSPOSE(A, B, C, D) \
- { \
- __m128i t0, t1, t2, t3; \
- z##A = _mm256_add_epi32(z##A, orig##A); \
- z##B = _mm256_add_epi32(z##B, orig##B); \
- z##C = _mm256_add_epi32(z##C, orig##C); \
- z##D = _mm256_add_epi32(z##D, orig##D); \
- y##A = _mm256_unpacklo_epi32(z##A, z##B); \
- y##B = _mm256_unpacklo_epi32(z##C, z##D); \
- y##C = _mm256_unpackhi_epi32(z##A, z##B); \
- y##D = _mm256_unpackhi_epi32(z##C, z##D); \
- z##A = _mm256_unpacklo_epi64(y##A, y##B); \
- z##B = _mm256_unpackhi_epi64(y##A, y##B); \
- z##C = _mm256_unpacklo_epi64(y##C, y##D); \
- z##D = _mm256_unpackhi_epi64(y##C, y##D); \
- t0 = _mm_xor_si128(_mm256_extracti128_si256(z##A, 0), \
- _mm_loadu_si128((__m128i*) (m + 0))); \
- _mm_storeu_si128((__m128i*) (c + 0), t0); \
- t1 = _mm_xor_si128(_mm256_extracti128_si256(z##B, 0), \
- _mm_loadu_si128((__m128i*) (m + 64))); \
- _mm_storeu_si128((__m128i*) (c + 64), t1); \
- t2 = _mm_xor_si128(_mm256_extracti128_si256(z##C, 0), \
- _mm_loadu_si128((__m128i*) (m + 128))); \
- _mm_storeu_si128((__m128i*) (c + 128), t2); \
- t3 = _mm_xor_si128(_mm256_extracti128_si256(z##D, 0), \
- _mm_loadu_si128((__m128i*) (m + 192))); \
- _mm_storeu_si128((__m128i*) (c + 192), t3); \
- t0 = _mm_xor_si128(_mm256_extracti128_si256(z##A, 1), \
- _mm_loadu_si128((__m128i*) (m + 256))); \
- _mm_storeu_si128((__m128i*) (c + 256), t0); \
- t1 = _mm_xor_si128(_mm256_extracti128_si256(z##B, 1), \
- _mm_loadu_si128((__m128i*) (m + 320))); \
- _mm_storeu_si128((__m128i*) (c + 320), t1); \
- t2 = _mm_xor_si128(_mm256_extracti128_si256(z##C, 1), \
- _mm_loadu_si128((__m128i*) (m + 384))); \
- _mm_storeu_si128((__m128i*) (c + 384), t2); \
- t3 = _mm_xor_si128(_mm256_extracti128_si256(z##D, 1), \
- _mm_loadu_si128((__m128i*) (m + 448))); \
- _mm_storeu_si128((__m128i*) (c + 448), t3); \
+#define ONEQUAD_TRANSPOSE(A, B, C, D) \
+ { \
+ __m128i t0, t1, t2, t3; \
+ z##A = _mm256_add_epi32(z##A, orig##A); \
+ z##B = _mm256_add_epi32(z##B, orig##B); \
+ z##C = _mm256_add_epi32(z##C, orig##C); \
+ z##D = _mm256_add_epi32(z##D, orig##D); \
+ y##A = _mm256_unpacklo_epi32(z##A, z##B); \
+ y##B = _mm256_unpacklo_epi32(z##C, z##D); \
+ y##C = _mm256_unpackhi_epi32(z##A, z##B); \
+ y##D = _mm256_unpackhi_epi32(z##C, z##D); \
+ z##A = _mm256_unpacklo_epi64(y##A, y##B); \
+ z##B = _mm256_unpackhi_epi64(y##A, y##B); \
+ z##C = _mm256_unpacklo_epi64(y##C, y##D); \
+ z##D = _mm256_unpackhi_epi64(y##C, y##D); \
+ t0 = _mm_xor_si128(_mm256_extracti128_si256(z##A, 0), \
+ _mm_loadu_si128((const __m128i*) (m + 0))); \
+ _mm_storeu_si128((__m128i*) (c + 0), t0); \
+ t1 = _mm_xor_si128(_mm256_extracti128_si256(z##B, 0), \
+ _mm_loadu_si128((const __m128i*) (m + 64))); \
+ _mm_storeu_si128((__m128i*) (c + 64), t1); \
+ t2 = _mm_xor_si128(_mm256_extracti128_si256(z##C, 0), \
+ _mm_loadu_si128((const __m128i*) (m + 128))); \
+ _mm_storeu_si128((__m128i*) (c + 128), t2); \
+ t3 = _mm_xor_si128(_mm256_extracti128_si256(z##D, 0), \
+ _mm_loadu_si128((const __m128i*) (m + 192))); \
+ _mm_storeu_si128((__m128i*) (c + 192), t3); \
+ t0 = _mm_xor_si128(_mm256_extracti128_si256(z##A, 1), \
+ _mm_loadu_si128((const __m128i*) (m + 256))); \
+ _mm_storeu_si128((__m128i*) (c + 256), t0); \
+ t1 = _mm_xor_si128(_mm256_extracti128_si256(z##B, 1), \
+ _mm_loadu_si128((const __m128i*) (m + 320))); \
+ _mm_storeu_si128((__m128i*) (c + 320), t1); \
+ t2 = _mm_xor_si128(_mm256_extracti128_si256(z##C, 1), \
+ _mm_loadu_si128((const __m128i*) (m + 384))); \
+ _mm_storeu_si128((__m128i*) (c + 384), t2); \
+ t3 = _mm_xor_si128(_mm256_extracti128_si256(z##D, 1), \
+ _mm_loadu_si128((const __m128i*) (m + 448))); \
+ _mm_storeu_si128((__m128i*) (c + 448), t3); \
}
#define ONEQUAD(A, B, C, D) ONEQUAD_TRANSPOSE(A, B, C, D)
@@ -420,41 +420,42 @@ if (bytes >= 512) {
z##D = _mm256_unpackhi_epi64(y##C, y##D); \
}
-#define ONEOCTO(A, B, C, D, A2, B2, C2, D2) \
- { \
- ONEQUAD_UNPCK(A, B, C, D); \
- ONEQUAD_UNPCK(A2, B2, C2, D2); \
- y##A = _mm256_permute2x128_si256(z##A, z##A2, 0x20); \
- y##A2 = _mm256_permute2x128_si256(z##A, z##A2, 0x31); \
- y##B = _mm256_permute2x128_si256(z##B, z##B2, 0x20); \
- y##B2 = _mm256_permute2x128_si256(z##B, z##B2, 0x31); \
- y##C = _mm256_permute2x128_si256(z##C, z##C2, 0x20); \
- y##C2 = _mm256_permute2x128_si256(z##C, z##C2, 0x31); \
- y##D = _mm256_permute2x128_si256(z##D, z##D2, 0x20); \
- y##D2 = _mm256_permute2x128_si256(z##D, z##D2, 0x31); \
- y##A = _mm256_xor_si256(y##A, _mm256_loadu_si256((__m256i*) (m + 0))); \
- y##B = \
- _mm256_xor_si256(y##B, _mm256_loadu_si256((__m256i*) (m + 64))); \
- y##C = \
- _mm256_xor_si256(y##C, _mm256_loadu_si256((__m256i*) (m + 128))); \
- y##D = \
- _mm256_xor_si256(y##D, _mm256_loadu_si256((__m256i*) (m + 192))); \
- y##A2 = \
- _mm256_xor_si256(y##A2, _mm256_loadu_si256((__m256i*) (m + 256))); \
- y##B2 = \
- _mm256_xor_si256(y##B2, _mm256_loadu_si256((__m256i*) (m + 320))); \
- y##C2 = \
- _mm256_xor_si256(y##C2, _mm256_loadu_si256((__m256i*) (m + 384))); \
- y##D2 = \
- _mm256_xor_si256(y##D2, _mm256_loadu_si256((__m256i*) (m + 448))); \
- _mm256_storeu_si256((__m256i*) (c + 0), y##A); \
- _mm256_storeu_si256((__m256i*) (c + 64), y##B); \
- _mm256_storeu_si256((__m256i*) (c + 128), y##C); \
- _mm256_storeu_si256((__m256i*) (c + 192), y##D); \
- _mm256_storeu_si256((__m256i*) (c + 256), y##A2); \
- _mm256_storeu_si256((__m256i*) (c + 320), y##B2); \
- _mm256_storeu_si256((__m256i*) (c + 384), y##C2); \
- _mm256_storeu_si256((__m256i*) (c + 448), y##D2); \
+#define ONEOCTO(A, B, C, D, A2, B2, C2, D2) \
+ { \
+ ONEQUAD_UNPCK(A, B, C, D); \
+ ONEQUAD_UNPCK(A2, B2, C2, D2); \
+ y##A = _mm256_permute2x128_si256(z##A, z##A2, 0x20); \
+ y##A2 = _mm256_permute2x128_si256(z##A, z##A2, 0x31); \
+ y##B = _mm256_permute2x128_si256(z##B, z##B2, 0x20); \
+ y##B2 = _mm256_permute2x128_si256(z##B, z##B2, 0x31); \
+ y##C = _mm256_permute2x128_si256(z##C, z##C2, 0x20); \
+ y##C2 = _mm256_permute2x128_si256(z##C, z##C2, 0x31); \
+ y##D = _mm256_permute2x128_si256(z##D, z##D2, 0x20); \
+ y##D2 = _mm256_permute2x128_si256(z##D, z##D2, 0x31); \
+ y##A = _mm256_xor_si256(y##A, \
+ _mm256_loadu_si256((const __m256i*) (m + 0))); \
+ y##B = _mm256_xor_si256( \
+ y##B, _mm256_loadu_si256((const __m256i*) (m + 64))); \
+ y##C = _mm256_xor_si256( \
+ y##C, _mm256_loadu_si256((const __m256i*) (m + 128))); \
+ y##D = _mm256_xor_si256( \
+ y##D, _mm256_loadu_si256((const __m256i*) (m + 192))); \
+ y##A2 = _mm256_xor_si256( \
+ y##A2, _mm256_loadu_si256((const __m256i*) (m + 256))); \
+ y##B2 = _mm256_xor_si256( \
+ y##B2, _mm256_loadu_si256((const __m256i*) (m + 320))); \
+ y##C2 = _mm256_xor_si256( \
+ y##C2, _mm256_loadu_si256((const __m256i*) (m + 384))); \
+ y##D2 = _mm256_xor_si256( \
+ y##D2, _mm256_loadu_si256((const __m256i*) (m + 448))); \
+ _mm256_storeu_si256((__m256i*) (c + 0), y##A); \
+ _mm256_storeu_si256((__m256i*) (c + 64), y##B); \
+ _mm256_storeu_si256((__m256i*) (c + 128), y##C); \
+ _mm256_storeu_si256((__m256i*) (c + 192), y##D); \
+ _mm256_storeu_si256((__m256i*) (c + 256), y##A2); \
+ _mm256_storeu_si256((__m256i*) (c + 320), y##B2); \
+ _mm256_storeu_si256((__m256i*) (c + 384), y##C2); \
+ _mm256_storeu_si256((__m256i*) (c + 448), y##D2); \
}
ONEOCTO(0, 1, 2, 3, 4, 5, 6, 7);
diff --git a/src/libsodium/include/Makefile.in b/src/libsodium/include/Makefile.in
index 2c64341d..e7a87234 100644
--- a/src/libsodium/include/Makefile.in
+++ b/src/libsodium/include/Makefile.in
@@ -277,7 +277,6 @@ INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-ISODATE = @ISODATE@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
diff --git a/src/libsodium/include/sodium/crypto_aead_aes256gcm.h b/src/libsodium/include/sodium/crypto_aead_aes256gcm.h
index 5e67aa99..2d31a975 100644
--- a/src/libsodium/include/sodium/crypto_aead_aes256gcm.h
+++ b/src/libsodium/include/sodium/crypto_aead_aes256gcm.h
@@ -56,7 +56,9 @@ size_t crypto_aead_aes256gcm_abytes(void);
SODIUM_EXPORT
size_t crypto_aead_aes256gcm_messagebytes_max(void);
-typedef CRYPTO_ALIGN(16) unsigned char crypto_aead_aes256gcm_state[512];
+typedef CRYPTO_ALIGN(16) struct crypto_aead_aes256gcm_state_ {
+ unsigned char opaque[512];
+} crypto_aead_aes256gcm_state;
SODIUM_EXPORT
size_t crypto_aead_aes256gcm_statebytes(void);
@@ -70,7 +72,8 @@ int crypto_aead_aes256gcm_encrypt(unsigned char *c,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 8, 9)));
SODIUM_EXPORT
int crypto_aead_aes256gcm_decrypt(unsigned char *m,
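Review bot: `nonnull(1, 8, 9)` names its arguments by position only, and the header never states which pointers a caller may leave NULL. From the hunk header and the visible tail of the prototype these appear to be `c`, `npub` and `k`, but the full parameter list starts outside the hunk. A one-line comment above the declaration, such as `/* c, npub and k must not be NULL */`, would make the contract readable without counting parameters. The attribute also lets the compiler assume these pointers are non-NULL wherever the declaration is visible, so any NULL checks on them inside the definition may be optimized away and should not be relied on as a runtime guard. The same applies to the other prototypes annotated in this file.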
@@ -82,7 +85,7 @@ int crypto_aead_aes256gcm_decrypt(unsigned char *m,
unsigned long long adlen,
const unsigned char *npub,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(4, 8, 9)));
SODIUM_EXPORT
int crypto_aead_aes256gcm_encrypt_detached(unsigned char *c,
@@ -94,7 +97,8 @@ int crypto_aead_aes256gcm_encrypt_detached(unsigned char *c,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 2, 9, 10)));
SODIUM_EXPORT
int crypto_aead_aes256gcm_decrypt_detached(unsigned char *m,
@@ -106,13 +110,14 @@ int crypto_aead_aes256gcm_decrypt_detached(unsigned char *m,
unsigned long long adlen,
const unsigned char *npub,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5, 8, 9)));
/* -- Precomputation interface -- */
SODIUM_EXPORT
int crypto_aead_aes256gcm_beforenm(crypto_aead_aes256gcm_state *ctx_,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_aead_aes256gcm_encrypt_afternm(unsigned char *c,
@@ -123,7 +128,8 @@ int crypto_aead_aes256gcm_encrypt_afternm(unsigned char *c,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
- const crypto_aead_aes256gcm_state *ctx_);
+ const crypto_aead_aes256gcm_state *ctx_)
+ __attribute__ ((nonnull(1, 8, 9)));
SODIUM_EXPORT
int crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m,
@@ -135,7 +141,7 @@ int crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m,
unsigned long long adlen,
const unsigned char *npub,
const crypto_aead_aes256gcm_state *ctx_)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(4, 8, 9)));
SODIUM_EXPORT
int crypto_aead_aes256gcm_encrypt_detached_afternm(unsigned char *c,
@@ -147,7 +153,8 @@ int crypto_aead_aes256gcm_encrypt_detached_afternm(unsigned char *c,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
- const crypto_aead_aes256gcm_state *ctx_);
+ const crypto_aead_aes256gcm_state *ctx_)
+ __attribute__ ((nonnull(1, 2, 9, 10)));
SODIUM_EXPORT
int crypto_aead_aes256gcm_decrypt_detached_afternm(unsigned char *m,
@@ -159,10 +166,11 @@ int crypto_aead_aes256gcm_decrypt_detached_afternm(unsigned char *m,
unsigned long long adlen,
const unsigned char *npub,
const crypto_aead_aes256gcm_state *ctx_)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5, 8, 9)));
SODIUM_EXPORT
-void crypto_aead_aes256gcm_keygen(unsigned char k[crypto_aead_aes256gcm_KEYBYTES]);
+void crypto_aead_aes256gcm_keygen(unsigned char k[crypto_aead_aes256gcm_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_aead_chacha20poly1305.h b/src/libsodium/include/sodium/crypto_aead_chacha20poly1305.h
index 8ab31243..5d671df1 100644
--- a/src/libsodium/include/sodium/crypto_aead_chacha20poly1305.h
+++ b/src/libsodium/include/sodium/crypto_aead_chacha20poly1305.h
@@ -45,7 +45,8 @@ int crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 8, 9)));
SODIUM_EXPORT
int crypto_aead_chacha20poly1305_ietf_decrypt(unsigned char *m,
@@ -57,7 +58,7 @@ int crypto_aead_chacha20poly1305_ietf_decrypt(unsigned char *m,
unsigned long long adlen,
const unsigned char *npub,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(4, 8, 9)));
SODIUM_EXPORT
int crypto_aead_chacha20poly1305_ietf_encrypt_detached(unsigned char *c,
@@ -69,7 +70,8 @@ int crypto_aead_chacha20poly1305_ietf_encrypt_detached(unsigned char *c,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 2, 9, 10)));
SODIUM_EXPORT
int crypto_aead_chacha20poly1305_ietf_decrypt_detached(unsigned char *m,
@@ -81,10 +83,11 @@ int crypto_aead_chacha20poly1305_ietf_decrypt_detached(unsigned char *m,
unsigned long long adlen,
const unsigned char *npub,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5, 8, 9)));
SODIUM_EXPORT
-void crypto_aead_chacha20poly1305_ietf_keygen(unsigned char k[crypto_aead_chacha20poly1305_ietf_KEYBYTES]);
+void crypto_aead_chacha20poly1305_ietf_keygen(unsigned char k[crypto_aead_chacha20poly1305_ietf_KEYBYTES])
+ __attribute__ ((nonnull));
/* -- Original ChaCha20-Poly1305 construction with a 64-bit nonce and a 64-bit internal counter -- */
@@ -118,7 +121,8 @@ int crypto_aead_chacha20poly1305_encrypt(unsigned char *c,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 8, 9)));
SODIUM_EXPORT
int crypto_aead_chacha20poly1305_decrypt(unsigned char *m,
@@ -130,7 +134,7 @@ int crypto_aead_chacha20poly1305_decrypt(unsigned char *m,
unsigned long long adlen,
const unsigned char *npub,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(4, 8, 9)));
SODIUM_EXPORT
int crypto_aead_chacha20poly1305_encrypt_detached(unsigned char *c,
@@ -142,7 +146,8 @@ int crypto_aead_chacha20poly1305_encrypt_detached(unsigned char *c,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 2, 9, 10)));
SODIUM_EXPORT
int crypto_aead_chacha20poly1305_decrypt_detached(unsigned char *m,
@@ -154,10 +159,11 @@ int crypto_aead_chacha20poly1305_decrypt_detached(unsigned char *m,
unsigned long long adlen,
const unsigned char *npub,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5, 8, 9)));
SODIUM_EXPORT
-void crypto_aead_chacha20poly1305_keygen(unsigned char k[crypto_aead_chacha20poly1305_KEYBYTES]);
+void crypto_aead_chacha20poly1305_keygen(unsigned char k[crypto_aead_chacha20poly1305_KEYBYTES])
+ __attribute__ ((nonnull));
/* Aliases */
diff --git a/src/libsodium/include/sodium/crypto_aead_xchacha20poly1305.h b/src/libsodium/include/sodium/crypto_aead_xchacha20poly1305.h
index 99692aae..a13b2247 100644
--- a/src/libsodium/include/sodium/crypto_aead_xchacha20poly1305.h
+++ b/src/libsodium/include/sodium/crypto_aead_xchacha20poly1305.h
@@ -41,7 +41,8 @@ int crypto_aead_xchacha20poly1305_ietf_encrypt(unsigned char *c,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 8, 9)));
SODIUM_EXPORT
int crypto_aead_xchacha20poly1305_ietf_decrypt(unsigned char *m,
@@ -53,7 +54,7 @@ int crypto_aead_xchacha20poly1305_ietf_decrypt(unsigned char *m,
unsigned long long adlen,
const unsigned char *npub,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(4, 8, 9)));
SODIUM_EXPORT
int crypto_aead_xchacha20poly1305_ietf_encrypt_detached(unsigned char *c,
@@ -65,7 +66,8 @@ int crypto_aead_xchacha20poly1305_ietf_encrypt_detached(unsigned char *c,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 2, 9, 10)));
SODIUM_EXPORT
int crypto_aead_xchacha20poly1305_ietf_decrypt_detached(unsigned char *m,
@@ -77,10 +79,11 @@ int crypto_aead_xchacha20poly1305_ietf_decrypt_detached(unsigned char *m,
unsigned long long adlen,
const unsigned char *npub,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5, 9, 9)));
SODIUM_EXPORT
-void crypto_aead_xchacha20poly1305_ietf_keygen(unsigned char k[crypto_aead_xchacha20poly1305_ietf_KEYBYTES]);
+void crypto_aead_xchacha20poly1305_ietf_keygen(unsigned char k[crypto_aead_xchacha20poly1305_ietf_KEYBYTES])
+ __attribute__ ((nonnull));
/* Aliases */
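Review bot: The attribute on `crypto_aead_xchacha20poly1305_ietf_decrypt_detached` reads `nonnull(3, 5, 9, 9)`, repeating index 9 and skipping 8. Every other `*_decrypt_detached` declaration in this commit uses `nonnull(3, 5, 8, 9)`, so this looks like a typo that leaves `npub` without the null-argument diagnostic. The line should read `__attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5, 8, 9)));`. The parameter list starts outside the hunk, so the positions are inferred from the sibling declarations.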
diff --git a/src/libsodium/include/sodium/crypto_auth.h b/src/libsodium/include/sodium/crypto_auth.h
index 7174e7bc..d0fc8ee2 100644
--- a/src/libsodium/include/sodium/crypto_auth.h
+++ b/src/libsodium/include/sodium/crypto_auth.h
@@ -27,15 +27,17 @@ const char *crypto_auth_primitive(void);
SODIUM_EXPORT
int crypto_auth(unsigned char *out, const unsigned char *in,
- unsigned long long inlen, const unsigned char *k);
+ unsigned long long inlen, const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_auth_verify(const unsigned char *h, const unsigned char *in,
unsigned long long inlen, const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_auth_keygen(unsigned char k[crypto_auth_KEYBYTES]);
+void crypto_auth_keygen(unsigned char k[crypto_auth_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
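Review bot: The bare `__attribute__ ((nonnull))` on `crypto_auth()` and `crypto_auth_verify()` also covers `in`, so authenticating an empty message with `in == NULL, inlen == 0` now violates the declared contract. GCC and Clang may warn at the call site and may optimise the implementation on the assumption that the pointer is never NULL. The AEAD and `crypto_generichash()` declarations in this same commit list indices so that length-qualified buffers stay optional; `__attribute__ ((nonnull(1, 4)))` would match that here. The same question applies to the `_update(state, in, inlen)` and `_init(state, key, keylen)` declarations in the crypto_auth_hmacsha256/512/512256 hunks, to `crypto_generichash_update()`, and to the `m` argument of the crypto_box encrypt-side declarations.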
diff --git a/src/libsodium/include/sodium/crypto_auth_hmacsha256.h b/src/libsodium/include/sodium/crypto_auth_hmacsha256.h
index deec5266..aa4ecfd8 100644
--- a/src/libsodium/include/sodium/crypto_auth_hmacsha256.h
+++ b/src/libsodium/include/sodium/crypto_auth_hmacsha256.h
@@ -24,14 +24,14 @@ SODIUM_EXPORT
int crypto_auth_hmacsha256(unsigned char *out,
const unsigned char *in,
unsigned long long inlen,
- const unsigned char *k);
+ const unsigned char *k) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_auth_hmacsha256_verify(const unsigned char *h,
const unsigned char *in,
unsigned long long inlen,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
/* ------------------------------------------------------------------------- */
@@ -46,20 +46,22 @@ size_t crypto_auth_hmacsha256_statebytes(void);
SODIUM_EXPORT
int crypto_auth_hmacsha256_init(crypto_auth_hmacsha256_state *state,
const unsigned char *key,
- size_t keylen);
+ size_t keylen) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_auth_hmacsha256_update(crypto_auth_hmacsha256_state *state,
const unsigned char *in,
- unsigned long long inlen);
+ unsigned long long inlen)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_auth_hmacsha256_final(crypto_auth_hmacsha256_state *state,
- unsigned char *out);
+ unsigned char *out) __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_auth_hmacsha256_keygen(unsigned char k[crypto_auth_hmacsha256_KEYBYTES]);
+void crypto_auth_hmacsha256_keygen(unsigned char k[crypto_auth_hmacsha256_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_auth_hmacsha512.h b/src/libsodium/include/sodium/crypto_auth_hmacsha512.h
index 77a55fbc..c5012583 100644
--- a/src/libsodium/include/sodium/crypto_auth_hmacsha512.h
+++ b/src/libsodium/include/sodium/crypto_auth_hmacsha512.h
@@ -24,14 +24,14 @@ SODIUM_EXPORT
int crypto_auth_hmacsha512(unsigned char *out,
const unsigned char *in,
unsigned long long inlen,
- const unsigned char *k);
+ const unsigned char *k) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_auth_hmacsha512_verify(const unsigned char *h,
const unsigned char *in,
unsigned long long inlen,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
/* ------------------------------------------------------------------------- */
@@ -46,19 +46,20 @@ size_t crypto_auth_hmacsha512_statebytes(void);
SODIUM_EXPORT
int crypto_auth_hmacsha512_init(crypto_auth_hmacsha512_state *state,
const unsigned char *key,
- size_t keylen);
+ size_t keylen) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_auth_hmacsha512_update(crypto_auth_hmacsha512_state *state,
const unsigned char *in,
- unsigned long long inlen);
+ unsigned long long inlen) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_auth_hmacsha512_final(crypto_auth_hmacsha512_state *state,
- unsigned char *out);
+ unsigned char *out) __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_auth_hmacsha512_keygen(unsigned char k[crypto_auth_hmacsha512_KEYBYTES]);
+void crypto_auth_hmacsha512_keygen(unsigned char k[crypto_auth_hmacsha512_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h b/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h
index 4842f3de..0f266104 100644
--- a/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h
+++ b/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h
@@ -29,7 +29,7 @@ int crypto_auth_hmacsha512256_verify(const unsigned char *h,
const unsigned char *in,
unsigned long long inlen,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
/* ------------------------------------------------------------------------- */
@@ -41,19 +41,20 @@ size_t crypto_auth_hmacsha512256_statebytes(void);
SODIUM_EXPORT
int crypto_auth_hmacsha512256_init(crypto_auth_hmacsha512256_state *state,
const unsigned char *key,
- size_t keylen);
+ size_t keylen) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_auth_hmacsha512256_update(crypto_auth_hmacsha512256_state *state,
const unsigned char *in,
- unsigned long long inlen);
+ unsigned long long inlen) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_auth_hmacsha512256_final(crypto_auth_hmacsha512256_state *state,
- unsigned char *out);
+ unsigned char *out) __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_auth_hmacsha512256_keygen(unsigned char k[crypto_auth_hmacsha512256_KEYBYTES]);
+void crypto_auth_hmacsha512256_keygen(unsigned char k[crypto_auth_hmacsha512256_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_box.h b/src/libsodium/include/sodium/crypto_box.h
index 99ee19a8..f6fe3ccb 100644
--- a/src/libsodium/include/sodium/crypto_box.h
+++ b/src/libsodium/include/sodium/crypto_box.h
@@ -50,29 +50,31 @@ const char *crypto_box_primitive(void);
SODIUM_EXPORT
int crypto_box_seed_keypair(unsigned char *pk, unsigned char *sk,
- const unsigned char *seed);
+ const unsigned char *seed)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-int crypto_box_keypair(unsigned char *pk, unsigned char *sk);
+int crypto_box_keypair(unsigned char *pk, unsigned char *sk)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_easy(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
const unsigned char *pk, const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_open_easy(unsigned char *m, const unsigned char *c,
unsigned long long clen, const unsigned char *n,
const unsigned char *pk, const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5, 6)));
SODIUM_EXPORT
int crypto_box_detached(unsigned char *c, unsigned char *mac,
const unsigned char *m, unsigned long long mlen,
const unsigned char *n, const unsigned char *pk,
const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_open_detached(unsigned char *m, const unsigned char *c,
@@ -81,7 +83,7 @@ int crypto_box_open_detached(unsigned char *m, const unsigned char *c,
const unsigned char *n,
const unsigned char *pk,
const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 3, 5, 6, 7)));
/* -- Precomputation interface -- */
@@ -92,30 +94,31 @@ size_t crypto_box_beforenmbytes(void);
SODIUM_EXPORT
int crypto_box_beforenm(unsigned char *k, const unsigned char *pk,
const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_easy_afternm(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_open_easy_afternm(unsigned char *m, const unsigned char *c,
unsigned long long clen, const unsigned char *n,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
SODIUM_EXPORT
int crypto_box_detached_afternm(unsigned char *c, unsigned char *mac,
const unsigned char *m, unsigned long long mlen,
- const unsigned char *n, const unsigned char *k);
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_open_detached_afternm(unsigned char *m, const unsigned char *c,
const unsigned char *mac,
unsigned long long clen, const unsigned char *n,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 3, 5, 6)));
/* -- Ephemeral SK interface -- */
@@ -125,13 +128,14 @@ size_t crypto_box_sealbytes(void);
SODIUM_EXPORT
int crypto_box_seal(unsigned char *c, const unsigned char *m,
- unsigned long long mlen, const unsigned char *pk);
+ unsigned long long mlen, const unsigned char *pk)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_seal_open(unsigned char *m, const unsigned char *c,
unsigned long long clen,
const unsigned char *pk, const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
/* -- NaCl compatibility interface ; Requires padding -- */
@@ -147,24 +151,24 @@ SODIUM_EXPORT
int crypto_box(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
const unsigned char *pk, const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_open(unsigned char *m, const unsigned char *c,
unsigned long long clen, const unsigned char *n,
const unsigned char *pk, const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5, 6)));
SODIUM_EXPORT
int crypto_box_afternm(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_open_afternm(unsigned char *m, const unsigned char *c,
unsigned long long clen, const unsigned char *n,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h b/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h
index c1cf7566..0d3937a7 100644
--- a/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h
+++ b/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h
@@ -45,11 +45,13 @@ size_t crypto_box_curve25519xchacha20poly1305_messagebytes_max(void);
SODIUM_EXPORT
int crypto_box_curve25519xchacha20poly1305_seed_keypair(unsigned char *pk,
unsigned char *sk,
- const unsigned char *seed);
+ const unsigned char *seed)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_curve25519xchacha20poly1305_keypair(unsigned char *pk,
- unsigned char *sk);
+ unsigned char *sk)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_curve25519xchacha20poly1305_easy(unsigned char *c,
@@ -58,7 +60,7 @@ int crypto_box_curve25519xchacha20poly1305_easy(unsigned char *c,
const unsigned char *n,
const unsigned char *pk,
const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_curve25519xchacha20poly1305_open_easy(unsigned char *m,
@@ -67,7 +69,7 @@ int crypto_box_curve25519xchacha20poly1305_open_easy(unsigned char *m,
const unsigned char *n,
const unsigned char *pk,
const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5, 6)));
SODIUM_EXPORT
int crypto_box_curve25519xchacha20poly1305_detached(unsigned char *c,
@@ -77,7 +79,7 @@ int crypto_box_curve25519xchacha20poly1305_detached(unsigned char *c,
const unsigned char *n,
const unsigned char *pk,
const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_curve25519xchacha20poly1305_open_detached(unsigned char *m,
@@ -87,7 +89,7 @@ int crypto_box_curve25519xchacha20poly1305_open_detached(unsigned char *m,
const unsigned char *n,
const unsigned char *pk,
const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 3, 5, 6, 7)));
/* -- Precomputation interface -- */
@@ -95,14 +97,15 @@ SODIUM_EXPORT
int crypto_box_curve25519xchacha20poly1305_beforenm(unsigned char *k,
const unsigned char *pk,
const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_curve25519xchacha20poly1305_easy_afternm(unsigned char *c,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_curve25519xchacha20poly1305_open_easy_afternm(unsigned char *m,
@@ -110,7 +113,7 @@ int crypto_box_curve25519xchacha20poly1305_open_easy_afternm(unsigned char *m,
unsigned long long clen,
const unsigned char *n,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
SODIUM_EXPORT
int crypto_box_curve25519xchacha20poly1305_detached_afternm(unsigned char *c,
@@ -118,7 +121,8 @@ int crypto_box_curve25519xchacha20poly1305_detached_afternm(unsigned char *c,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_curve25519xchacha20poly1305_open_detached_afternm(unsigned char *m,
@@ -127,7 +131,7 @@ int crypto_box_curve25519xchacha20poly1305_open_detached_afternm(unsigned char *
unsigned long long clen,
const unsigned char *n,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 3, 5, 6)));
/* -- Ephemeral SK interface -- */
@@ -142,7 +146,8 @@ SODIUM_EXPORT
int crypto_box_curve25519xchacha20poly1305_seal(unsigned char *c,
const unsigned char *m,
unsigned long long mlen,
- const unsigned char *pk);
+ const unsigned char *pk)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_curve25519xchacha20poly1305_seal_open(unsigned char *m,
@@ -150,7 +155,7 @@ int crypto_box_curve25519xchacha20poly1305_seal_open(unsigned char *m,
unsigned long long clen,
const unsigned char *pk,
const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h b/src/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h
index c5b15f42..f889430c 100644
--- a/src/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h
+++ b/src/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h
@@ -45,17 +45,19 @@ size_t crypto_box_curve25519xsalsa20poly1305_messagebytes_max(void);
SODIUM_EXPORT
int crypto_box_curve25519xsalsa20poly1305_seed_keypair(unsigned char *pk,
unsigned char *sk,
- const unsigned char *seed);
+ const unsigned char *seed)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_curve25519xsalsa20poly1305_keypair(unsigned char *pk,
- unsigned char *sk);
+ unsigned char *sk)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_curve25519xsalsa20poly1305_beforenm(unsigned char *k,
const unsigned char *pk,
const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
/* -- NaCl compatibility interface ; Requires padding -- */
@@ -76,7 +78,7 @@ int crypto_box_curve25519xsalsa20poly1305(unsigned char *c,
const unsigned char *n,
const unsigned char *pk,
const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_curve25519xsalsa20poly1305_open(unsigned char *m,
@@ -85,14 +87,15 @@ int crypto_box_curve25519xsalsa20poly1305_open(unsigned char *m,
const unsigned char *n,
const unsigned char *pk,
const unsigned char *sk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5, 6)));
SODIUM_EXPORT
int crypto_box_curve25519xsalsa20poly1305_afternm(unsigned char *c,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_box_curve25519xsalsa20poly1305_open_afternm(unsigned char *m,
@@ -100,7 +103,7 @@ int crypto_box_curve25519xsalsa20poly1305_open_afternm(unsigned char *m,
unsigned long long clen,
const unsigned char *n,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_core_ed25519.h b/src/libsodium/include/sodium/crypto_core_ed25519.h
index 1536294b..eb736ffb 100644
--- a/src/libsodium/include/sodium/crypto_core_ed25519.h
+++ b/src/libsodium/include/sodium/crypto_core_ed25519.h
@@ -16,19 +16,65 @@ size_t crypto_core_ed25519_bytes(void);
SODIUM_EXPORT
size_t crypto_core_ed25519_uniformbytes(void);
+#define crypto_core_ed25519_SCALARBYTES 32
SODIUM_EXPORT
-int crypto_core_ed25519_is_valid_point(const unsigned char *p);
+size_t crypto_core_ed25519_scalarbytes(void);
+
+#define crypto_core_ed25519_NONREDUCEDSCALARBYTES 64
+SODIUM_EXPORT
+size_t crypto_core_ed25519_nonreducedscalarbytes(void);
+
+SODIUM_EXPORT
+int crypto_core_ed25519_is_valid_point(const unsigned char *p)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_core_ed25519_add(unsigned char *r,
- const unsigned char *p, const unsigned char *q);
+ const unsigned char *p, const unsigned char *q)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_core_ed25519_sub(unsigned char *r,
- const unsigned char *p, const unsigned char *q);
+ const unsigned char *p, const unsigned char *q)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-int crypto_core_ed25519_from_uniform(unsigned char *p, const unsigned char *r);
+int crypto_core_ed25519_from_uniform(unsigned char *p, const unsigned char *r)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ed25519_scalar_random(unsigned char *r)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_core_ed25519_scalar_invert(unsigned char *recip, const unsigned char *s)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ed25519_scalar_negate(unsigned char *neg, const unsigned char *s)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ed25519_scalar_complement(unsigned char *comp, const unsigned char *s)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ed25519_scalar_add(unsigned char *z, const unsigned char *x,
+ const unsigned char *y)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ed25519_scalar_sub(unsigned char *z, const unsigned char *x,
+ const unsigned char *y)
+ __attribute__ ((nonnull));
+
+/*
+ * The interval `s` is sampled from should be at least 317 bits to ensure almost
+ * uniformity of `r` over `L`.
+ */
+SODIUM_EXPORT
+void crypto_core_ed25519_scalar_reduce(unsigned char *r, const unsigned char *s)
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
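Review bot: The new scalar prototypes take bare `unsigned char *` arguments and nothing in the header states the buffer lengths. Judging by the two constants added at the top of the hunk, `crypto_core_ed25519_scalar_reduce()` presumably reads 64 bytes (`crypto_core_ed25519_NONREDUCEDSCALARBYTES`) from `s` while the other functions use 32-byte scalars. A caller who passes a 32-byte scalar to `scalar_reduce` would then cause an out-of-bounds read. I would either spell the sizes out in the declarations, as the keygen prototypes in this commit do, e.g. `const unsigned char s[crypto_core_ed25519_NONREDUCEDSCALARBYTES]`, or add a one-line comment per function giving the sizes. `crypto_core_ed25519_scalar_invert()` is the only scalar function that returns `int`, so its failure condition deserves a comment as well.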
diff --git a/src/libsodium/include/sodium/crypto_core_hchacha20.h b/src/libsodium/include/sodium/crypto_core_hchacha20.h
index 05e5670c..ece141b0 100644
--- a/src/libsodium/include/sodium/crypto_core_hchacha20.h
+++ b/src/libsodium/include/sodium/crypto_core_hchacha20.h
@@ -26,7 +26,8 @@ size_t crypto_core_hchacha20_constbytes(void);
SODIUM_EXPORT
int crypto_core_hchacha20(unsigned char *out, const unsigned char *in,
- const unsigned char *k, const unsigned char *c);
+ const unsigned char *k, const unsigned char *c)
+ __attribute__ ((nonnull(1, 2, 3)));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_core_hsalsa20.h b/src/libsodium/include/sodium/crypto_core_hsalsa20.h
index 82e475b8..4bf7a487 100644
--- a/src/libsodium/include/sodium/crypto_core_hsalsa20.h
+++ b/src/libsodium/include/sodium/crypto_core_hsalsa20.h
@@ -26,7 +26,8 @@ size_t crypto_core_hsalsa20_constbytes(void);
SODIUM_EXPORT
int crypto_core_hsalsa20(unsigned char *out, const unsigned char *in,
- const unsigned char *k, const unsigned char *c);
+ const unsigned char *k, const unsigned char *c)
+ __attribute__ ((nonnull(1, 2, 3)));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_core_salsa20.h b/src/libsodium/include/sodium/crypto_core_salsa20.h
index 160cc56d..bd79fd9f 100644
--- a/src/libsodium/include/sodium/crypto_core_salsa20.h
+++ b/src/libsodium/include/sodium/crypto_core_salsa20.h
@@ -26,7 +26,8 @@ size_t crypto_core_salsa20_constbytes(void);
SODIUM_EXPORT
int crypto_core_salsa20(unsigned char *out, const unsigned char *in,
- const unsigned char *k, const unsigned char *c);
+ const unsigned char *k, const unsigned char *c)
+ __attribute__ ((nonnull(1, 2, 3)));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_core_salsa2012.h b/src/libsodium/include/sodium/crypto_core_salsa2012.h
index bdd5f9fd..05957591 100644
--- a/src/libsodium/include/sodium/crypto_core_salsa2012.h
+++ b/src/libsodium/include/sodium/crypto_core_salsa2012.h
@@ -26,7 +26,8 @@ size_t crypto_core_salsa2012_constbytes(void);
SODIUM_EXPORT
int crypto_core_salsa2012(unsigned char *out, const unsigned char *in,
- const unsigned char *k, const unsigned char *c);
+ const unsigned char *k, const unsigned char *c)
+ __attribute__ ((nonnull(1, 2, 3)));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_core_salsa208.h b/src/libsodium/include/sodium/crypto_core_salsa208.h
index 876bda89..d2f216af 100644
--- a/src/libsodium/include/sodium/crypto_core_salsa208.h
+++ b/src/libsodium/include/sodium/crypto_core_salsa208.h
@@ -30,7 +30,8 @@ size_t crypto_core_salsa208_constbytes(void)
SODIUM_EXPORT
int crypto_core_salsa208(unsigned char *out, const unsigned char *in,
- const unsigned char *k, const unsigned char *c);
+ const unsigned char *k, const unsigned char *c)
+ __attribute__ ((nonnull(1, 2, 3)));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_generichash.h b/src/libsodium/include/sodium/crypto_generichash.h
index 2398fb9d..a5f313d7 100644
--- a/src/libsodium/include/sodium/crypto_generichash.h
+++ b/src/libsodium/include/sodium/crypto_generichash.h
@@ -41,6 +41,10 @@ size_t crypto_generichash_keybytes(void);
SODIUM_EXPORT
const char *crypto_generichash_primitive(void);
+/*
+ * Important when writing bindings for other programming languages:
+ * the state address should be 64-bytes aligned.
+ */
typedef crypto_generichash_blake2b_state crypto_generichash_state;
SODIUM_EXPORT
@@ -49,24 +53,29 @@ size_t crypto_generichash_statebytes(void);
SODIUM_EXPORT
int crypto_generichash(unsigned char *out, size_t outlen,
const unsigned char *in, unsigned long long inlen,
- const unsigned char *key, size_t keylen);
+ const unsigned char *key, size_t keylen)
+ __attribute__ ((nonnull(1)));
SODIUM_EXPORT
int crypto_generichash_init(crypto_generichash_state *state,
const unsigned char *key,
- const size_t keylen, const size_t outlen);
+ const size_t keylen, const size_t outlen)
+ __attribute__ ((nonnull(1)));
SODIUM_EXPORT
int crypto_generichash_update(crypto_generichash_state *state,
const unsigned char *in,
- unsigned long long inlen);
+ unsigned long long inlen)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_generichash_final(crypto_generichash_state *state,
- unsigned char *out, const size_t outlen);
+ unsigned char *out, const size_t outlen)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_generichash_keygen(unsigned char k[crypto_generichash_KEYBYTES]);
+void crypto_generichash_keygen(unsigned char k[crypto_generichash_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
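Review bot: The bare `nonnull` on `crypto_generichash_update()` also covers `in`, whereas the one-shot `crypto_generichash()` just above uses `nonnull(1)` and leaves `in` unconstrained, so the two disagree on whether a NULL pointer with `inlen == 0` is allowed. With the attribute in place such a call is undefined behaviour, and a compiler that sees this prototype while building the implementation may drop NULL checks on the annotated parameters. If empty updates through a NULL pointer are meant to stay valid, restrict the attribute to the state: `unsigned long long inlen) __attribute__ ((nonnull(1)));`. The same blanket attribute is on `crypto_generichash_blake2b_update()` and on the sha256, sha512 and onetimeauth `_update` declarations in the hunks that follow.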
diff --git a/src/libsodium/include/sodium/crypto_generichash_blake2b.h b/src/libsodium/include/sodium/crypto_generichash_blake2b.h
index 9326a04a..ecda3625 100644
--- a/src/libsodium/include/sodium/crypto_generichash_blake2b.h
+++ b/src/libsodium/include/sodium/crypto_generichash_blake2b.h
@@ -21,12 +21,7 @@ extern "C" {
#endif
typedef struct CRYPTO_ALIGN(64) crypto_generichash_blake2b_state {
- uint64_t h[8];
- uint64_t t[2];
- uint64_t f[2];
- uint8_t buf[2 * 128];
- size_t buflen;
- uint8_t last_node;
+ unsigned char opaque[384];
} crypto_generichash_blake2b_state;
#if defined(__IBMC__) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
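Review bot: The new `opaque[384]` is a bare constant, and nothing in this header ties it to the size of the internal BLAKE2b state it has to hold. The removed fields add up to 361 bytes when `size_t` is 8 bytes, which 64-byte alignment rounds up to 384, so the number appears to be derived from the old layout. I would add a comment such as `/* opaque: holds the internal BLAKE2b state; 384 = previous layout rounded up to the 64-byte alignment */`. If the implementation does not already have one, it also needs a compile-time assertion that its internal state type is no larger than `sizeof(crypto_generichash_blake2b_state)`, because an undersized buffer would turn init/update/final into out-of-bounds writes. The implementation is outside this hunk.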
@@ -74,7 +69,8 @@ SODIUM_EXPORT
int crypto_generichash_blake2b(unsigned char *out, size_t outlen,
const unsigned char *in,
unsigned long long inlen,
- const unsigned char *key, size_t keylen);
+ const unsigned char *key, size_t keylen)
+ __attribute__ ((nonnull(1)));
SODIUM_EXPORT
int crypto_generichash_blake2b_salt_personal(unsigned char *out, size_t outlen,
@@ -83,32 +79,37 @@ int crypto_generichash_blake2b_salt_personal(unsigned char *out, size_t outlen,
const unsigned char *key,
size_t keylen,
const unsigned char *salt,
- const unsigned char *personal);
+ const unsigned char *personal)
+ __attribute__ ((nonnull(1)));
SODIUM_EXPORT
int crypto_generichash_blake2b_init(crypto_generichash_blake2b_state *state,
const unsigned char *key,
- const size_t keylen, const size_t outlen);
+ const size_t keylen, const size_t outlen)
+ __attribute__ ((nonnull(1)));
SODIUM_EXPORT
int crypto_generichash_blake2b_init_salt_personal(crypto_generichash_blake2b_state *state,
const unsigned char *key,
const size_t keylen, const size_t outlen,
const unsigned char *salt,
- const unsigned char *personal);
+ const unsigned char *personal)
+ __attribute__ ((nonnull(1)));
SODIUM_EXPORT
int crypto_generichash_blake2b_update(crypto_generichash_blake2b_state *state,
const unsigned char *in,
- unsigned long long inlen);
+ unsigned long long inlen)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_generichash_blake2b_final(crypto_generichash_blake2b_state *state,
unsigned char *out,
- const size_t outlen);
+ const size_t outlen) __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_generichash_blake2b_keygen(unsigned char k[crypto_generichash_blake2b_KEYBYTES]);
+void crypto_generichash_blake2b_keygen(unsigned char k[crypto_generichash_blake2b_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_hash.h b/src/libsodium/include/sodium/crypto_hash.h
index 302ed5c5..4b16c477 100644
--- a/src/libsodium/include/sodium/crypto_hash.h
+++ b/src/libsodium/include/sodium/crypto_hash.h
@@ -26,7 +26,7 @@ size_t crypto_hash_bytes(void);
SODIUM_EXPORT
int crypto_hash(unsigned char *out, const unsigned char *in,
- unsigned long long inlen);
+ unsigned long long inlen) __attribute__ ((nonnull));
#define crypto_hash_PRIMITIVE "sha512"
SODIUM_EXPORT
diff --git a/src/libsodium/include/sodium/crypto_hash_sha256.h b/src/libsodium/include/sodium/crypto_hash_sha256.h
index f64d16e0..306f1e93 100644
--- a/src/libsodium/include/sodium/crypto_hash_sha256.h
+++ b/src/libsodium/include/sodium/crypto_hash_sha256.h
@@ -36,19 +36,22 @@ size_t crypto_hash_sha256_bytes(void);
SODIUM_EXPORT
int crypto_hash_sha256(unsigned char *out, const unsigned char *in,
- unsigned long long inlen);
+ unsigned long long inlen) __attribute__ ((nonnull));
SODIUM_EXPORT
-int crypto_hash_sha256_init(crypto_hash_sha256_state *state);
+int crypto_hash_sha256_init(crypto_hash_sha256_state *state)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_hash_sha256_update(crypto_hash_sha256_state *state,
const unsigned char *in,
- unsigned long long inlen);
+ unsigned long long inlen)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_hash_sha256_final(crypto_hash_sha256_state *state,
- unsigned char *out);
+ unsigned char *out)
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_hash_sha512.h b/src/libsodium/include/sodium/crypto_hash_sha512.h
index 6b0330f1..7fb830c6 100644
--- a/src/libsodium/include/sodium/crypto_hash_sha512.h
+++ b/src/libsodium/include/sodium/crypto_hash_sha512.h
@@ -36,19 +36,22 @@ size_t crypto_hash_sha512_bytes(void);
SODIUM_EXPORT
int crypto_hash_sha512(unsigned char *out, const unsigned char *in,
- unsigned long long inlen);
+ unsigned long long inlen) __attribute__ ((nonnull));
SODIUM_EXPORT
-int crypto_hash_sha512_init(crypto_hash_sha512_state *state);
+int crypto_hash_sha512_init(crypto_hash_sha512_state *state)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_hash_sha512_update(crypto_hash_sha512_state *state,
const unsigned char *in,
- unsigned long long inlen);
+ unsigned long long inlen)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_hash_sha512_final(crypto_hash_sha512_state *state,
- unsigned char *out);
+ unsigned char *out)
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_kdf.h b/src/libsodium/include/sodium/crypto_kdf.h
index 52e496a7..ac2fc618 100644
--- a/src/libsodium/include/sodium/crypto_kdf.h
+++ b/src/libsodium/include/sodium/crypto_kdf.h
@@ -39,10 +39,12 @@ SODIUM_EXPORT
int crypto_kdf_derive_from_key(unsigned char *subkey, size_t subkey_len,
uint64_t subkey_id,
const char ctx[crypto_kdf_CONTEXTBYTES],
- const unsigned char key[crypto_kdf_KEYBYTES]);
+ const unsigned char key[crypto_kdf_KEYBYTES])
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_kdf_keygen(unsigned char k[crypto_kdf_KEYBYTES]);
+void crypto_kdf_keygen(unsigned char k[crypto_kdf_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_kdf_blake2b.h b/src/libsodium/include/sodium/crypto_kdf_blake2b.h
index 5480ebe8..3ae47dd3 100644
--- a/src/libsodium/include/sodium/crypto_kdf_blake2b.h
+++ b/src/libsodium/include/sodium/crypto_kdf_blake2b.h
@@ -34,7 +34,9 @@ SODIUM_EXPORT
int crypto_kdf_blake2b_derive_from_key(unsigned char *subkey, size_t subkey_len,
uint64_t subkey_id,
const char ctx[crypto_kdf_blake2b_CONTEXTBYTES],
- const unsigned char key[crypto_kdf_blake2b_KEYBYTES]);
+ const unsigned char key[crypto_kdf_blake2b_KEYBYTES])
+ __attribute__ ((nonnull));
+
#ifdef __cplusplus
}
#endif
diff --git a/src/libsodium/include/sodium/crypto_kx.h b/src/libsodium/include/sodium/crypto_kx.h
index d1fce90d..347132c3 100644
--- a/src/libsodium/include/sodium/crypto_kx.h
+++ b/src/libsodium/include/sodium/crypto_kx.h
@@ -35,11 +35,13 @@ const char *crypto_kx_primitive(void);
SODIUM_EXPORT
int crypto_kx_seed_keypair(unsigned char pk[crypto_kx_PUBLICKEYBYTES],
unsigned char sk[crypto_kx_SECRETKEYBYTES],
- const unsigned char seed[crypto_kx_SEEDBYTES]);
+ const unsigned char seed[crypto_kx_SEEDBYTES])
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_kx_keypair(unsigned char pk[crypto_kx_PUBLICKEYBYTES],
- unsigned char sk[crypto_kx_SECRETKEYBYTES]);
+ unsigned char sk[crypto_kx_SECRETKEYBYTES])
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_kx_client_session_keys(unsigned char rx[crypto_kx_SESSIONKEYBYTES],
@@ -47,7 +49,7 @@ int crypto_kx_client_session_keys(unsigned char rx[crypto_kx_SESSIONKEYBYTES],
const unsigned char client_pk[crypto_kx_PUBLICKEYBYTES],
const unsigned char client_sk[crypto_kx_SECRETKEYBYTES],
const unsigned char server_pk[crypto_kx_PUBLICKEYBYTES])
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 4, 5)));
SODIUM_EXPORT
int crypto_kx_server_session_keys(unsigned char rx[crypto_kx_SESSIONKEYBYTES],
@@ -55,7 +57,7 @@ int crypto_kx_server_session_keys(unsigned char rx[crypto_kx_SESSIONKEYBYTES],
const unsigned char server_pk[crypto_kx_PUBLICKEYBYTES],
const unsigned char server_sk[crypto_kx_SECRETKEYBYTES],
const unsigned char client_pk[crypto_kx_PUBLICKEYBYTES])
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 4, 5)));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_onetimeauth.h b/src/libsodium/include/sodium/crypto_onetimeauth.h
index 5951c5b8..803dbac8 100644
--- a/src/libsodium/include/sodium/crypto_onetimeauth.h
+++ b/src/libsodium/include/sodium/crypto_onetimeauth.h
@@ -32,28 +32,31 @@ const char *crypto_onetimeauth_primitive(void);
SODIUM_EXPORT
int crypto_onetimeauth(unsigned char *out, const unsigned char *in,
- unsigned long long inlen, const unsigned char *k);
+ unsigned long long inlen, const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_onetimeauth_verify(const unsigned char *h, const unsigned char *in,
unsigned long long inlen, const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_onetimeauth_init(crypto_onetimeauth_state *state,
- const unsigned char *key);
+ const unsigned char *key) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_onetimeauth_update(crypto_onetimeauth_state *state,
const unsigned char *in,
- unsigned long long inlen);
+ unsigned long long inlen)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_onetimeauth_final(crypto_onetimeauth_state *state,
- unsigned char *out);
+ unsigned char *out) __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_onetimeauth_keygen(unsigned char k[crypto_onetimeauth_KEYBYTES]);
+void crypto_onetimeauth_keygen(unsigned char k[crypto_onetimeauth_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_onetimeauth_poly1305.h b/src/libsodium/include/sodium/crypto_onetimeauth_poly1305.h
index 4b89c4f0..516f7db3 100644
--- a/src/libsodium/include/sodium/crypto_onetimeauth_poly1305.h
+++ b/src/libsodium/include/sodium/crypto_onetimeauth_poly1305.h
@@ -35,30 +35,35 @@ SODIUM_EXPORT
int crypto_onetimeauth_poly1305(unsigned char *out,
const unsigned char *in,
unsigned long long inlen,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_onetimeauth_poly1305_verify(const unsigned char *h,
const unsigned char *in,
unsigned long long inlen,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_onetimeauth_poly1305_init(crypto_onetimeauth_poly1305_state *state,
- const unsigned char *key);
+ const unsigned char *key)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_onetimeauth_poly1305_update(crypto_onetimeauth_poly1305_state *state,
const unsigned char *in,
- unsigned long long inlen);
+ unsigned long long inlen)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_onetimeauth_poly1305_final(crypto_onetimeauth_poly1305_state *state,
- unsigned char *out);
+ unsigned char *out)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_onetimeauth_poly1305_keygen(unsigned char k[crypto_onetimeauth_poly1305_KEYBYTES]);
+void crypto_onetimeauth_poly1305_keygen(unsigned char k[crypto_onetimeauth_poly1305_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_pwhash.h b/src/libsodium/include/sodium/crypto_pwhash.h
index 2c76461f..585a993e 100644
--- a/src/libsodium/include/sodium/crypto_pwhash.h
+++ b/src/libsodium/include/sodium/crypto_pwhash.h
@@ -105,7 +105,7 @@ int crypto_pwhash(unsigned char * const out, unsigned long long outlen,
const char * const passwd, unsigned long long passwdlen,
const unsigned char * const salt,
unsigned long long opslimit, size_t memlimit, int alg)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
/*
* The output string already includes all the required parameters, including
@@ -116,24 +116,24 @@ SODIUM_EXPORT
int crypto_pwhash_str(char out[crypto_pwhash_STRBYTES],
const char * const passwd, unsigned long long passwdlen,
unsigned long long opslimit, size_t memlimit)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_pwhash_str_alg(char out[crypto_pwhash_STRBYTES],
const char * const passwd, unsigned long long passwdlen,
unsigned long long opslimit, size_t memlimit, int alg)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_pwhash_str_verify(const char str[crypto_pwhash_STRBYTES],
const char * const passwd,
unsigned long long passwdlen)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_pwhash_str_needs_rehash(const char str[crypto_pwhash_STRBYTES],
unsigned long long opslimit, size_t memlimit)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
#define crypto_pwhash_PRIMITIVE "argon2i"
SODIUM_EXPORT
diff --git a/src/libsodium/include/sodium/crypto_pwhash_argon2i.h b/src/libsodium/include/sodium/crypto_pwhash_argon2i.h
index 8e4c1c35..88ff6221 100644
--- a/src/libsodium/include/sodium/crypto_pwhash_argon2i.h
+++ b/src/libsodium/include/sodium/crypto_pwhash_argon2i.h
@@ -95,25 +95,25 @@ int crypto_pwhash_argon2i(unsigned char * const out,
const unsigned char * const salt,
unsigned long long opslimit, size_t memlimit,
int alg)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_pwhash_argon2i_str(char out[crypto_pwhash_argon2i_STRBYTES],
const char * const passwd,
unsigned long long passwdlen,
unsigned long long opslimit, size_t memlimit)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_pwhash_argon2i_str_verify(const char str[crypto_pwhash_argon2i_STRBYTES],
const char * const passwd,
unsigned long long passwdlen)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_pwhash_argon2i_str_needs_rehash(const char str[crypto_pwhash_argon2i_STRBYTES],
unsigned long long opslimit, size_t memlimit)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_pwhash_argon2id.h b/src/libsodium/include/sodium/crypto_pwhash_argon2id.h
index 51b17aa8..7183abd1 100644
--- a/src/libsodium/include/sodium/crypto_pwhash_argon2id.h
+++ b/src/libsodium/include/sodium/crypto_pwhash_argon2id.h
@@ -95,25 +95,25 @@ int crypto_pwhash_argon2id(unsigned char * const out,
const unsigned char * const salt,
unsigned long long opslimit, size_t memlimit,
int alg)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_pwhash_argon2id_str(char out[crypto_pwhash_argon2id_STRBYTES],
const char * const passwd,
unsigned long long passwdlen,
unsigned long long opslimit, size_t memlimit)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_pwhash_argon2id_str_verify(const char str[crypto_pwhash_argon2id_STRBYTES],
const char * const passwd,
unsigned long long passwdlen)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_pwhash_argon2id_str_needs_rehash(const char str[crypto_pwhash_argon2id_STRBYTES],
unsigned long long opslimit, size_t memlimit)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h b/src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h
index 951b87b9..5c0bf7d3 100644
--- a/src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h
+++ b/src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h
@@ -84,7 +84,7 @@ int crypto_pwhash_scryptsalsa208sha256(unsigned char * const out,
const unsigned char * const salt,
unsigned long long opslimit,
size_t memlimit)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_pwhash_scryptsalsa208sha256_str(char out[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
@@ -92,26 +92,26 @@ int crypto_pwhash_scryptsalsa208sha256_str(char out[crypto_pwhash_scryptsalsa208
unsigned long long passwdlen,
unsigned long long opslimit,
size_t memlimit)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_pwhash_scryptsalsa208sha256_str_verify(const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
const char * const passwd,
unsigned long long passwdlen)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_pwhash_scryptsalsa208sha256_ll(const uint8_t * passwd, size_t passwdlen,
const uint8_t * salt, size_t saltlen,
uint64_t N, uint32_t r, uint32_t p,
uint8_t * buf, size_t buflen)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_pwhash_scryptsalsa208sha256_str_needs_rehash(const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
unsigned long long opslimit,
size_t memlimit)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_scalarmult.h b/src/libsodium/include/sodium/crypto_scalarmult.h
index f7fa6f8f..01a8e3ea 100644
--- a/src/libsodium/include/sodium/crypto_scalarmult.h
+++ b/src/libsodium/include/sodium/crypto_scalarmult.h
@@ -23,7 +23,8 @@ SODIUM_EXPORT
const char *crypto_scalarmult_primitive(void);
SODIUM_EXPORT
-int crypto_scalarmult_base(unsigned char *q, const unsigned char *n);
+int crypto_scalarmult_base(unsigned char *q, const unsigned char *n)
+ __attribute__ ((nonnull));
/*
* NOTE: Do not use the result of this function directly.
@@ -36,7 +37,7 @@ int crypto_scalarmult_base(unsigned char *q, const unsigned char *n);
SODIUM_EXPORT
int crypto_scalarmult(unsigned char *q, const unsigned char *n,
const unsigned char *p)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_scalarmult_curve25519.h b/src/libsodium/include/sodium/crypto_scalarmult_curve25519.h
index ae85eadc..e5605cb2 100644
--- a/src/libsodium/include/sodium/crypto_scalarmult_curve25519.h
+++ b/src/libsodium/include/sodium/crypto_scalarmult_curve25519.h
@@ -28,10 +28,12 @@ size_t crypto_scalarmult_curve25519_scalarbytes(void);
SODIUM_EXPORT
int crypto_scalarmult_curve25519(unsigned char *q, const unsigned char *n,
const unsigned char *p)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
-int crypto_scalarmult_curve25519_base(unsigned char *q, const unsigned char *n);
+int crypto_scalarmult_curve25519_base(unsigned char *q,
+ const unsigned char *n)
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_scalarmult_ed25519.h b/src/libsodium/include/sodium/crypto_scalarmult_ed25519.h
index 3d512351..1958643c 100644
--- a/src/libsodium/include/sodium/crypto_scalarmult_ed25519.h
+++ b/src/libsodium/include/sodium/crypto_scalarmult_ed25519.h
@@ -29,10 +29,20 @@ size_t crypto_scalarmult_ed25519_scalarbytes(void);
SODIUM_EXPORT
int crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
const unsigned char *p)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
-int crypto_scalarmult_ed25519_base(unsigned char *q, const unsigned char *n);
+int crypto_scalarmult_ed25519_noclamp(unsigned char *q, const unsigned char *n,
+ const unsigned char *p)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_scalarmult_ed25519_base(unsigned char *q, const unsigned char *n)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_scalarmult_ed25519_base_noclamp(unsigned char *q, const unsigned char *n)
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
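Review bot: The two new `_noclamp` declarations are added to a public header without any comment, so nothing here tells a caller how they differ from `crypto_scalarmult_ed25519()` and `crypto_scalarmult_ed25519_base()`. The ChangeLog describes them as scalar multiplication without clamping, useful for blinding, and that property is easy to misuse if it is only discoverable from release notes. I would put a short comment above them, e.g. `/* _noclamp variants: the scalar n is not clamped; meant for low-level constructions such as blinding. */`. Whether `crypto_scalarmult_ed25519_base_noclamp()` can return failure is not visible here; if it can, it should carry `warn_unused_result` like `crypto_scalarmult_ed25519_noclamp()` does.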
diff --git a/src/libsodium/include/sodium/crypto_secretbox.h b/src/libsodium/include/sodium/crypto_secretbox.h
index 55e94a02..eae44877 100644
--- a/src/libsodium/include/sodium/crypto_secretbox.h
+++ b/src/libsodium/include/sodium/crypto_secretbox.h
@@ -36,20 +36,21 @@ size_t crypto_secretbox_messagebytes_max(void);
SODIUM_EXPORT
int crypto_secretbox_easy(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_secretbox_open_easy(unsigned char *m, const unsigned char *c,
unsigned long long clen, const unsigned char *n,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
SODIUM_EXPORT
int crypto_secretbox_detached(unsigned char *c, unsigned char *mac,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_secretbox_open_detached(unsigned char *m,
@@ -58,10 +59,11 @@ int crypto_secretbox_open_detached(unsigned char *m,
unsigned long long clen,
const unsigned char *n,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 3, 5, 6)));
SODIUM_EXPORT
-void crypto_secretbox_keygen(unsigned char k[crypto_secretbox_KEYBYTES]);
+void crypto_secretbox_keygen(unsigned char k[crypto_secretbox_KEYBYTES])
+ __attribute__ ((nonnull));
/* -- NaCl compatibility interface ; Requires padding -- */
@@ -76,13 +78,13 @@ size_t crypto_secretbox_boxzerobytes(void);
SODIUM_EXPORT
int crypto_secretbox(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_secretbox_open(unsigned char *m, const unsigned char *c,
unsigned long long clen, const unsigned char *n,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_secretbox_xchacha20poly1305.h b/src/libsodium/include/sodium/crypto_secretbox_xchacha20poly1305.h
index 2919da16..e7948f2c 100644
--- a/src/libsodium/include/sodium/crypto_secretbox_xchacha20poly1305.h
+++ b/src/libsodium/include/sodium/crypto_secretbox_xchacha20poly1305.h
@@ -34,7 +34,8 @@ int crypto_secretbox_xchacha20poly1305_easy(unsigned char *c,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_secretbox_xchacha20poly1305_open_easy(unsigned char *m,
@@ -42,7 +43,7 @@ int crypto_secretbox_xchacha20poly1305_open_easy(unsigned char *m,
unsigned long long clen,
const unsigned char *n,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
SODIUM_EXPORT
int crypto_secretbox_xchacha20poly1305_detached(unsigned char *c,
@@ -50,7 +51,8 @@ int crypto_secretbox_xchacha20poly1305_detached(unsigned char *c,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_secretbox_xchacha20poly1305_open_detached(unsigned char *m,
@@ -59,7 +61,7 @@ int crypto_secretbox_xchacha20poly1305_open_detached(unsigned char *m,
unsigned long long clen,
const unsigned char *n,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 3, 5, 6)));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h b/src/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h
index 4b8c7c8e..1c72d6c0 100644
--- a/src/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h
+++ b/src/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h
@@ -35,7 +35,8 @@ int crypto_secretbox_xsalsa20poly1305(unsigned char *c,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_secretbox_xsalsa20poly1305_open(unsigned char *m,
@@ -43,10 +44,11 @@ int crypto_secretbox_xsalsa20poly1305_open(unsigned char *m,
unsigned long long clen,
const unsigned char *n,
const unsigned char *k)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
SODIUM_EXPORT
-void crypto_secretbox_xsalsa20poly1305_keygen(unsigned char k[crypto_secretbox_xsalsa20poly1305_KEYBYTES]);
+void crypto_secretbox_xsalsa20poly1305_keygen(unsigned char k[crypto_secretbox_xsalsa20poly1305_KEYBYTES])
+ __attribute__ ((nonnull));
/* -- NaCl compatibility interface ; Requires padding -- */
diff --git a/src/libsodium/include/sodium/crypto_secretstream_xchacha20poly1305.h b/src/libsodium/include/sodium/crypto_secretstream_xchacha20poly1305.h
index dac273b5..b22e4e93 100644
--- a/src/libsodium/include/sodium/crypto_secretstream_xchacha20poly1305.h
+++ b/src/libsodium/include/sodium/crypto_secretstream_xchacha20poly1305.h
@@ -64,33 +64,38 @@ size_t crypto_secretstream_xchacha20poly1305_statebytes(void);
SODIUM_EXPORT
void crypto_secretstream_xchacha20poly1305_keygen
- (unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES]);
+ (unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES])
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_secretstream_xchacha20poly1305_init_push
(crypto_secretstream_xchacha20poly1305_state *state,
unsigned char header[crypto_secretstream_xchacha20poly1305_HEADERBYTES],
- const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES]);
+ const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES])
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_secretstream_xchacha20poly1305_push
(crypto_secretstream_xchacha20poly1305_state *state,
unsigned char *c, unsigned long long *clen_p,
const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen, unsigned char tag);
+ const unsigned char *ad, unsigned long long adlen, unsigned char tag)
+ __attribute__ ((nonnull(1)));
SODIUM_EXPORT
int crypto_secretstream_xchacha20poly1305_init_pull
(crypto_secretstream_xchacha20poly1305_state *state,
const unsigned char header[crypto_secretstream_xchacha20poly1305_HEADERBYTES],
- const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES]);
+ const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES])
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_secretstream_xchacha20poly1305_pull
(crypto_secretstream_xchacha20poly1305_state *state,
unsigned char *m, unsigned long long *mlen_p, unsigned char *tag_p,
const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen);
+ const unsigned char *ad, unsigned long long adlen)
+ __attribute__ ((nonnull(1)));
SODIUM_EXPORT
void crypto_secretstream_xchacha20poly1305_rekey
diff --git a/src/libsodium/include/sodium/crypto_shorthash.h b/src/libsodium/include/sodium/crypto_shorthash.h
index a4988082..dc8b2480 100644
--- a/src/libsodium/include/sodium/crypto_shorthash.h
+++ b/src/libsodium/include/sodium/crypto_shorthash.h
@@ -27,10 +27,12 @@ const char *crypto_shorthash_primitive(void);
SODIUM_EXPORT
int crypto_shorthash(unsigned char *out, const unsigned char *in,
- unsigned long long inlen, const unsigned char *k);
+ unsigned long long inlen, const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_shorthash_keygen(unsigned char k[crypto_shorthash_KEYBYTES]);
+void crypto_shorthash_keygen(unsigned char k[crypto_shorthash_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_shorthash_siphash24.h b/src/libsodium/include/sodium/crypto_shorthash_siphash24.h
index 745ed48f..912e9d8c 100644
--- a/src/libsodium/include/sodium/crypto_shorthash_siphash24.h
+++ b/src/libsodium/include/sodium/crypto_shorthash_siphash24.h
@@ -23,7 +23,8 @@ size_t crypto_shorthash_siphash24_keybytes(void);
SODIUM_EXPORT
int crypto_shorthash_siphash24(unsigned char *out, const unsigned char *in,
- unsigned long long inlen, const unsigned char *k);
+ unsigned long long inlen, const unsigned char *k)
+ __attribute__ ((nonnull));
#ifndef SODIUM_LIBRARY_MINIMAL
/* -- 128-bit output -- */
@@ -38,7 +39,8 @@ size_t crypto_shorthash_siphashx24_keybytes(void);
SODIUM_EXPORT
int crypto_shorthash_siphashx24(unsigned char *out, const unsigned char *in,
- unsigned long long inlen, const unsigned char *k);
+ unsigned long long inlen, const unsigned char *k)
+ __attribute__ ((nonnull));
#endif
#ifdef __cplusplus
diff --git a/src/libsodium/include/sodium/crypto_sign.h b/src/libsodium/include/sodium/crypto_sign.h
index 85aff0c9..3d31ab24 100644
--- a/src/libsodium/include/sodium/crypto_sign.h
+++ b/src/libsodium/include/sodium/crypto_sign.h
@@ -51,50 +51,54 @@ const char *crypto_sign_primitive(void);
SODIUM_EXPORT
int crypto_sign_seed_keypair(unsigned char *pk, unsigned char *sk,
- const unsigned char *seed);
+ const unsigned char *seed)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-int crypto_sign_keypair(unsigned char *pk, unsigned char *sk);
+int crypto_sign_keypair(unsigned char *pk, unsigned char *sk)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_sign(unsigned char *sm, unsigned long long *smlen_p,
const unsigned char *m, unsigned long long mlen,
- const unsigned char *sk);
+ const unsigned char *sk) __attribute__ ((nonnull(1, 3, 5)));
SODIUM_EXPORT
int crypto_sign_open(unsigned char *m, unsigned long long *mlen_p,
const unsigned char *sm, unsigned long long smlen,
const unsigned char *pk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5)));
SODIUM_EXPORT
int crypto_sign_detached(unsigned char *sig, unsigned long long *siglen_p,
const unsigned char *m, unsigned long long mlen,
- const unsigned char *sk);
+ const unsigned char *sk) __attribute__ ((nonnull(1, 3, 5)));
SODIUM_EXPORT
int crypto_sign_verify_detached(const unsigned char *sig,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *pk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_sign_init(crypto_sign_state *state);
SODIUM_EXPORT
int crypto_sign_update(crypto_sign_state *state,
- const unsigned char *m, unsigned long long mlen);
+ const unsigned char *m, unsigned long long mlen)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_sign_final_create(crypto_sign_state *state, unsigned char *sig,
unsigned long long *siglen_p,
- const unsigned char *sk);
+ const unsigned char *sk)
+ __attribute__ ((nonnull(1, 2, 4)));
SODIUM_EXPORT
-int crypto_sign_final_verify(crypto_sign_state *state, unsigned char *sig,
+int crypto_sign_final_verify(crypto_sign_state *state, const unsigned char *sig,
const unsigned char *pk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_sign_ed25519.h b/src/libsodium/include/sodium/crypto_sign_ed25519.h
index 38d2b9dd..db978ea2 100644
--- a/src/libsodium/include/sodium/crypto_sign_ed25519.h
+++ b/src/libsodium/include/sodium/crypto_sign_ed25519.h
@@ -42,20 +42,22 @@ size_t crypto_sign_ed25519_messagebytes_max(void);
SODIUM_EXPORT
int crypto_sign_ed25519(unsigned char *sm, unsigned long long *smlen_p,
const unsigned char *m, unsigned long long mlen,
- const unsigned char *sk);
+ const unsigned char *sk)
+ __attribute__ ((nonnull(1, 3, 5)));
SODIUM_EXPORT
int crypto_sign_ed25519_open(unsigned char *m, unsigned long long *mlen_p,
const unsigned char *sm, unsigned long long smlen,
const unsigned char *pk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5)));
SODIUM_EXPORT
int crypto_sign_ed25519_detached(unsigned char *sig,
unsigned long long *siglen_p,
const unsigned char *m,
unsigned long long mlen,
- const unsigned char *sk);
+ const unsigned char *sk)
+ __attribute__ ((nonnull(1, 3)));
SODIUM_EXPORT
int crypto_sign_ed25519_verify_detached(const unsigned char *sig,
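Review bot: crypto_sign_ed25519_detached is annotated `nonnull(1, 3)`, which leaves out the secret key (argument 5). crypto_sign_ed25519 in this hunk and crypto_sign_detached in crypto_sign.h both list 5. As written, a NULL `sk` gets no compile-time diagnostic on this one entry point although the key is required. The index list should include `5` to match the siblings.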
@@ -65,47 +67,55 @@ int crypto_sign_ed25519_verify_detached(const unsigned char *sig,
__attribute__ ((warn_unused_result));
SODIUM_EXPORT
-int crypto_sign_ed25519_keypair(unsigned char *pk, unsigned char *sk);
+int crypto_sign_ed25519_keypair(unsigned char *pk, unsigned char *sk)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
- const unsigned char *seed);
+ const unsigned char *seed)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
const unsigned char *ed25519_pk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
- const unsigned char *ed25519_sk);
+ const unsigned char *ed25519_sk)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_sign_ed25519_sk_to_seed(unsigned char *seed,
- const unsigned char *sk);
+ const unsigned char *sk)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-int crypto_sign_ed25519_sk_to_pk(unsigned char *pk, const unsigned char *sk);
+int crypto_sign_ed25519_sk_to_pk(unsigned char *pk, const unsigned char *sk)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-int crypto_sign_ed25519ph_init(crypto_sign_ed25519ph_state *state);
+int crypto_sign_ed25519ph_init(crypto_sign_ed25519ph_state *state)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_sign_ed25519ph_update(crypto_sign_ed25519ph_state *state,
const unsigned char *m,
- unsigned long long mlen);
+ unsigned long long mlen)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_sign_ed25519ph_final_create(crypto_sign_ed25519ph_state *state,
unsigned char *sig,
unsigned long long *siglen_p,
- const unsigned char *sk);
+ const unsigned char *sk)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_sign_ed25519ph_final_verify(crypto_sign_ed25519ph_state *state,
- unsigned char *sig,
+ const unsigned char *sig,
const unsigned char *pk)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
#ifdef __cplusplus
}
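Review bot: crypto_sign_ed25519ph_final_create gets a bare `__attribute__ ((nonnull))`, which makes `siglen_p` mandatory. The generic crypto_sign_final_create in crypto_sign.h uses `nonnull(1, 2, 4)` and so keeps `siglen_p` optional. If the generic function forwards its arguments to this one (not visible here), a caller's NULL `siglen_p` breaks the contract, and the compiler may drop a NULL check in the implementation. Suggested: `__attribute__ ((nonnull(1, 2, 4)));` on the ed25519ph prototype.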
diff --git a/src/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h b/src/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h
index 4bb91924..e69339a4 100644
--- a/src/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h
+++ b/src/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h
@@ -33,7 +33,7 @@ int crypto_sign_edwards25519sha512batch(unsigned char *sm,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *sk)
- __attribute__ ((deprecated));
+ __attribute__ ((deprecated)) __attribute__ ((nonnull(1, 3, 5)));
SODIUM_EXPORT
int crypto_sign_edwards25519sha512batch_open(unsigned char *m,
@@ -41,12 +41,12 @@ int crypto_sign_edwards25519sha512batch_open(unsigned char *m,
const unsigned char *sm,
unsigned long long smlen,
const unsigned char *pk)
- __attribute__ ((deprecated));
+ __attribute__ ((deprecated)) __attribute__ ((nonnull(3, 5)));
SODIUM_EXPORT
int crypto_sign_edwards25519sha512batch_keypair(unsigned char *pk,
unsigned char *sk)
- __attribute__ ((deprecated));
+ __attribute__ ((deprecated)) __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_stream.h b/src/libsodium/include/sodium/crypto_stream.h
index d288f0b6..88dab5f6 100644
--- a/src/libsodium/include/sodium/crypto_stream.h
+++ b/src/libsodium/include/sodium/crypto_stream.h
@@ -39,15 +39,18 @@ const char *crypto_stream_primitive(void);
SODIUM_EXPORT
int crypto_stream(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k);
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_stream_xor(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_stream_keygen(unsigned char k[crypto_stream_KEYBYTES]);
+void crypto_stream_keygen(unsigned char k[crypto_stream_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_stream_chacha20.h b/src/libsodium/include/sodium/crypto_stream_chacha20.h
index d3e2b234..40889755 100644
--- a/src/libsodium/include/sodium/crypto_stream_chacha20.h
+++ b/src/libsodium/include/sodium/crypto_stream_chacha20.h
@@ -36,21 +36,25 @@ size_t crypto_stream_chacha20_messagebytes_max(void);
SODIUM_EXPORT
int crypto_stream_chacha20(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k);
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_stream_chacha20_xor(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_stream_chacha20_xor_ic(unsigned char *c, const unsigned char *m,
unsigned long long mlen,
const unsigned char *n, uint64_t ic,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_stream_chacha20_keygen(unsigned char k[crypto_stream_chacha20_KEYBYTES]);
+void crypto_stream_chacha20_keygen(unsigned char k[crypto_stream_chacha20_KEYBYTES])
+ __attribute__ ((nonnull));
/* ChaCha20 with a 96-bit nonce and a 32-bit counter (IETF) */
@@ -69,21 +73,25 @@ size_t crypto_stream_chacha20_ietf_messagebytes_max(void);
SODIUM_EXPORT
int crypto_stream_chacha20_ietf(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k);
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_stream_chacha20_ietf_xor(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_stream_chacha20_ietf_xor_ic(unsigned char *c, const unsigned char *m,
unsigned long long mlen,
const unsigned char *n, uint32_t ic,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_stream_chacha20_ietf_keygen(unsigned char k[crypto_stream_chacha20_ietf_KEYBYTES]);
+void crypto_stream_chacha20_ietf_keygen(unsigned char k[crypto_stream_chacha20_ietf_KEYBYTES])
+ __attribute__ ((nonnull));
/* Aliases */
diff --git a/src/libsodium/include/sodium/crypto_stream_salsa20.h b/src/libsodium/include/sodium/crypto_stream_salsa20.h
index 0c7688c7..45b3b3e3 100644
--- a/src/libsodium/include/sodium/crypto_stream_salsa20.h
+++ b/src/libsodium/include/sodium/crypto_stream_salsa20.h
@@ -34,21 +34,25 @@ size_t crypto_stream_salsa20_messagebytes_max(void);
SODIUM_EXPORT
int crypto_stream_salsa20(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k);
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_stream_salsa20_xor(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_stream_salsa20_xor_ic(unsigned char *c, const unsigned char *m,
unsigned long long mlen,
const unsigned char *n, uint64_t ic,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_stream_salsa20_keygen(unsigned char k[crypto_stream_salsa20_KEYBYTES]);
+void crypto_stream_salsa20_keygen(unsigned char k[crypto_stream_salsa20_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_stream_salsa2012.h b/src/libsodium/include/sodium/crypto_stream_salsa2012.h
index c93d1c81..6c5d303c 100644
--- a/src/libsodium/include/sodium/crypto_stream_salsa2012.h
+++ b/src/libsodium/include/sodium/crypto_stream_salsa2012.h
@@ -33,15 +33,18 @@ size_t crypto_stream_salsa2012_messagebytes_max(void);
SODIUM_EXPORT
int crypto_stream_salsa2012(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k);
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_stream_salsa2012_xor(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_stream_salsa2012_keygen(unsigned char k[crypto_stream_salsa2012_KEYBYTES]);
+void crypto_stream_salsa2012_keygen(unsigned char k[crypto_stream_salsa2012_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_stream_salsa208.h b/src/libsodium/include/sodium/crypto_stream_salsa208.h
index 653f6504..d574f304 100644
--- a/src/libsodium/include/sodium/crypto_stream_salsa208.h
+++ b/src/libsodium/include/sodium/crypto_stream_salsa208.h
@@ -37,17 +37,17 @@ size_t crypto_stream_salsa208_messagebytes_max(void)
SODIUM_EXPORT
int crypto_stream_salsa208(unsigned char *c, unsigned long long clen,
const unsigned char *n, const unsigned char *k)
- __attribute__ ((deprecated));
+ __attribute__ ((deprecated)) __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_stream_salsa208_xor(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
const unsigned char *k)
- __attribute__ ((deprecated));
+ __attribute__ ((deprecated)) __attribute__ ((nonnull));
SODIUM_EXPORT
void crypto_stream_salsa208_keygen(unsigned char k[crypto_stream_salsa208_KEYBYTES])
- __attribute__ ((deprecated));
+ __attribute__ ((deprecated)) __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_stream_xchacha20.h b/src/libsodium/include/sodium/crypto_stream_xchacha20.h
index cf0407ff..c4002db0 100644
--- a/src/libsodium/include/sodium/crypto_stream_xchacha20.h
+++ b/src/libsodium/include/sodium/crypto_stream_xchacha20.h
@@ -34,21 +34,25 @@ size_t crypto_stream_xchacha20_messagebytes_max(void);
SODIUM_EXPORT
int crypto_stream_xchacha20(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k);
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_stream_xchacha20_xor(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_stream_xchacha20_xor_ic(unsigned char *c, const unsigned char *m,
unsigned long long mlen,
const unsigned char *n, uint64_t ic,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_stream_xchacha20_keygen(unsigned char k[crypto_stream_xchacha20_KEYBYTES]);
+void crypto_stream_xchacha20_keygen(unsigned char k[crypto_stream_xchacha20_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_stream_xsalsa20.h b/src/libsodium/include/sodium/crypto_stream_xsalsa20.h
index cb4c44a8..20034e34 100644
--- a/src/libsodium/include/sodium/crypto_stream_xsalsa20.h
+++ b/src/libsodium/include/sodium/crypto_stream_xsalsa20.h
@@ -34,21 +34,25 @@ size_t crypto_stream_xsalsa20_messagebytes_max(void);
SODIUM_EXPORT
int crypto_stream_xsalsa20(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k);
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_stream_xsalsa20_xor(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int crypto_stream_xsalsa20_xor_ic(unsigned char *c, const unsigned char *m,
unsigned long long mlen,
const unsigned char *n, uint64_t ic,
- const unsigned char *k);
+ const unsigned char *k)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-void crypto_stream_xsalsa20_keygen(unsigned char k[crypto_stream_xsalsa20_KEYBYTES]);
+void crypto_stream_xsalsa20_keygen(unsigned char k[crypto_stream_xsalsa20_KEYBYTES])
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_verify_16.h b/src/libsodium/include/sodium/crypto_verify_16.h
index 5e9eeabe..7b9c8077 100644
--- a/src/libsodium/include/sodium/crypto_verify_16.h
+++ b/src/libsodium/include/sodium/crypto_verify_16.h
@@ -14,7 +14,7 @@ size_t crypto_verify_16_bytes(void);
SODIUM_EXPORT
int crypto_verify_16(const unsigned char *x, const unsigned char *y)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_verify_32.h b/src/libsodium/include/sodium/crypto_verify_32.h
index 281b5a1b..9b0f4529 100644
--- a/src/libsodium/include/sodium/crypto_verify_32.h
+++ b/src/libsodium/include/sodium/crypto_verify_32.h
@@ -14,7 +14,7 @@ size_t crypto_verify_32_bytes(void);
SODIUM_EXPORT
int crypto_verify_32(const unsigned char *x, const unsigned char *y)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/crypto_verify_64.h b/src/libsodium/include/sodium/crypto_verify_64.h
index 0dc7c304..c83b7302 100644
--- a/src/libsodium/include/sodium/crypto_verify_64.h
+++ b/src/libsodium/include/sodium/crypto_verify_64.h
@@ -14,7 +14,7 @@ size_t crypto_verify_64_bytes(void);
SODIUM_EXPORT
int crypto_verify_64(const unsigned char *x, const unsigned char *y)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/private/chacha20_ietf_ext.h b/src/libsodium/include/sodium/private/chacha20_ietf_ext.h
new file mode 100644
index 00000000..2c80b96a
--- /dev/null
+++ b/src/libsodium/include/sodium/private/chacha20_ietf_ext.h
@@ -0,0 +1,16 @@
+#ifndef chacha20_ietf_ext_H
+#define chacha20_ietf_ext_H
+
+#include
+
+/* The ietf_ext variant allows the internal counter to overflow into the IV */
+
+int crypto_stream_chacha20_ietf_ext(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k);
+
+int crypto_stream_chacha20_ietf_ext_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint32_t ic,
+ const unsigned char *k);
+#endif
+
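Review bot: The one-line comment says the counter may overflow into the IV but not what a caller must guarantee in return, which is the security-relevant part of this private API. If the 32-bit `ic` carries into the nonce words, a long stream under one nonce would presumably run into the keystream of an adjacent nonce. The comment should therefore state that nonces used with one key must be chosen so those ranges cannot overlap, and that the function is not meant for caller-chosen sequential nonces. The `#include` line has lost its header name in this rendering, so whether `uint32_t` is declared cannot be confirmed from the hunk.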
diff --git a/src/libsodium/include/sodium/private/common.h b/src/libsodium/include/sodium/private/common.h
index 632fc8a7..9a2f7fab 100644
--- a/src/libsodium/include/sodium/private/common.h
+++ b/src/libsodium/include/sodium/private/common.h
@@ -1,6 +1,21 @@
#ifndef common_H
#define common_H 1
+#if !defined(_MSC_VER) && 0
+# warning *** This is unstable, untested, development code.
+# warning It might not compile. It might not work as expected.
+# warning It might be totally insecure.
+# warning Do not use this except if you are planning to contribute code.
+# warning Use releases available at https://download.libsodium.org/libsodium/releases/ instead.
+# warning Alternatively, use the "stable" branch in the git repository.
+#endif
+
+#if !defined(_MSC_VER) && (!defined(CONFIGURED) || CONFIGURED != 1)
+# warning *** The library is being compiled using an undocumented method.
+# warning This is not supported. It has not been tested, it might not
+# warning work as expected, and performance is likely to be suboptimal.
+#endif
+
#include
#include
#include
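Review bot: `#warning` is a compiler extension before C23 and the guard only excludes `_MSC_VER`, so another compiler that lacks the directive will presumably fail on the `CONFIGURED` block rather than warn. Builds that treat warnings as errors and do not define `CONFIGURED` will stop on these three lines. If a soft notice is intended, the `#if` needs a documented opt-out. The first block is disabled with `&& 0` and nothing says who is expected to flip it; a comment such as `/* enabled on development branches only */` (inferred intent) would record that.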
diff --git a/src/libsodium/include/sodium/private/ed25519_ref10.h b/src/libsodium/include/sodium/private/ed25519_ref10.h
index 42fcd981..5af41591 100644
--- a/src/libsodium/include/sodium/private/ed25519_ref10.h
+++ b/src/libsodium/include/sodium/private/ed25519_ref10.h
@@ -115,11 +115,13 @@ void ge25519_from_uniform(unsigned char s[32], const unsigned char r[32]);
where l = 2^252 + 27742317777372353535851937790883648493.
*/
-void sc25519_reduce(unsigned char *s);
+void sc25519_invert(unsigned char recip[32], const unsigned char s[32]);
-void sc25519_muladd(unsigned char *s, const unsigned char *a,
- const unsigned char *b, const unsigned char *c);
+void sc25519_reduce(unsigned char s[64]);
-int sc25519_is_canonical(const unsigned char *s);
+void sc25519_muladd(unsigned char s[32], const unsigned char a[32],
+ const unsigned char b[32], const unsigned char c[32]);
+
+int sc25519_is_canonical(const unsigned char s[32]);
#endif
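Review bot: `sc25519_invert` is declared without saying what it returns for `s = 0`, which has no inverse mod l. It is also inserted directly under the comment block that previously introduced `sc25519_reduce`. I would add a comment on the new prototype, e.g. `/* recip = s^-1 mod l; s must be non-zero */`, after confirming the behaviour against the implementation, which is not part of this hunk. The `[32]` and `[64]` bounds now written in the prototypes are documentation only; C does not check them at call sites.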
diff --git a/src/libsodium/include/sodium/randombytes.h b/src/libsodium/include/sodium/randombytes.h
index d19f684e..a03cc657 100644
--- a/src/libsodium/include/sodium/randombytes.h
+++ b/src/libsodium/include/sodium/randombytes.h
@@ -32,11 +32,13 @@ SODIUM_EXPORT
size_t randombytes_seedbytes(void);
SODIUM_EXPORT
-void randombytes_buf(void * const buf, const size_t size);
+void randombytes_buf(void * const buf, const size_t size)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
void randombytes_buf_deterministic(void * const buf, const size_t size,
- const unsigned char seed[randombytes_SEEDBYTES]);
+ const unsigned char seed[randombytes_SEEDBYTES])
+ __attribute__ ((nonnull));
SODIUM_EXPORT
uint32_t randombytes_random(void);
@@ -51,7 +53,8 @@ SODIUM_EXPORT
int randombytes_close(void);
SODIUM_EXPORT
-int randombytes_set_implementation(randombytes_implementation *impl);
+int randombytes_set_implementation(randombytes_implementation *impl)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
const char *randombytes_implementation_name(void);
@@ -59,7 +62,8 @@ const char *randombytes_implementation_name(void);
/* -- NaCl compatibility interface -- */
SODIUM_EXPORT
-void randombytes(unsigned char * const buf, const unsigned long long buf_len);
+void randombytes(unsigned char * const buf, const unsigned long long buf_len)
+ __attribute__ ((nonnull));
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/utils.h b/src/libsodium/include/sodium/utils.h
index 46eb331c..84feeea6 100644
--- a/src/libsodium/include/sodium/utils.h
+++ b/src/libsodium/include/sodium/utils.h
@@ -19,7 +19,7 @@ extern "C" {
#endif
SODIUM_EXPORT
-void sodium_memzero(void * const pnt, const size_t len);
+void sodium_memzero(void * const pnt, const size_t len) __attribute__ ((nonnull));
SODIUM_EXPORT
void sodium_stackzero(const size_t len);
@@ -32,7 +32,7 @@ void sodium_stackzero(const size_t len);
*/
SODIUM_EXPORT
int sodium_memcmp(const void * const b1_, const void * const b2_, size_t len)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
/*
* sodium_compare() returns -1 if b1_ < b2_, 1 if b1_ > b2_ and 0 if b1_ == b2_
@@ -43,7 +43,7 @@ int sodium_memcmp(const void * const b1_, const void * const b2_, size_t len)
SODIUM_EXPORT
int sodium_compare(const unsigned char *b1_, const unsigned char *b2_,
size_t len)
- __attribute__ ((warn_unused_result));
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
SODIUM_EXPORT
int sodium_is_zero(const unsigned char *n, const size_t nlen);
@@ -52,17 +52,24 @@ SODIUM_EXPORT
void sodium_increment(unsigned char *n, const size_t nlen);
SODIUM_EXPORT
-void sodium_add(unsigned char *a, const unsigned char *b, const size_t len);
+void sodium_add(unsigned char *a, const unsigned char *b, const size_t len)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void sodium_sub(unsigned char *a, const unsigned char *b, const size_t len)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
char *sodium_bin2hex(char * const hex, const size_t hex_maxlen,
- const unsigned char * const bin, const size_t bin_len);
+ const unsigned char * const bin, const size_t bin_len)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
int sodium_hex2bin(unsigned char * const bin, const size_t bin_maxlen,
const char * const hex, const size_t hex_len,
const char * const ignore, size_t * const bin_len,
- const char ** const hex_end);
+ const char ** const hex_end)
+ __attribute__ ((nonnull(1, 3)));
#define sodium_base64_VARIANT_ORIGINAL 1
#define sodium_base64_VARIANT_ORIGINAL_NO_PADDING 3
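Review bot: `sodium_sub` enters the public header with no comment describing its contract. Proposed: `/* a = (a - b) mod 2^(8*len); a and b are len-byte little-endian numbers */`, to be confirmed against the implementation, which this hunk does not show. `sodium_is_zero` and `sodium_increment` at the top of the hunk stay without `nonnull` while `sodium_add` and `sodium_sub` gain it; if that difference is deliberate it deserves a word in the header.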
@@ -84,19 +91,22 @@ size_t sodium_base64_encoded_len(const size_t bin_len, const int variant);
SODIUM_EXPORT
char *sodium_bin2base64(char * const b64, const size_t b64_maxlen,
const unsigned char * const bin, const size_t bin_len,
- const int variant);
+ const int variant) __attribute__ ((nonnull));
SODIUM_EXPORT
int sodium_base642bin(unsigned char * const bin, const size_t bin_maxlen,
const char * const b64, const size_t b64_len,
const char * const ignore, size_t * const bin_len,
- const char ** const b64_end, const int variant);
+ const char ** const b64_end, const int variant)
+ __attribute__ ((nonnull(1, 3)));
SODIUM_EXPORT
-int sodium_mlock(void * const addr, const size_t len);
+int sodium_mlock(void * const addr, const size_t len)
+ __attribute__ ((nonnull));
SODIUM_EXPORT
-int sodium_munlock(void * const addr, const size_t len);
+int sodium_munlock(void * const addr, const size_t len)
+ __attribute__ ((nonnull));
/* WARNING: sodium_malloc() and sodium_allocarray() are not general-purpose
* allocation functions.
@@ -143,21 +153,23 @@ SODIUM_EXPORT
void sodium_free(void *ptr);
SODIUM_EXPORT
-int sodium_mprotect_noaccess(void *ptr);
+int sodium_mprotect_noaccess(void *ptr) __attribute__ ((nonnull));
SODIUM_EXPORT
-int sodium_mprotect_readonly(void *ptr);
+int sodium_mprotect_readonly(void *ptr) __attribute__ ((nonnull));
SODIUM_EXPORT
-int sodium_mprotect_readwrite(void *ptr);
+int sodium_mprotect_readwrite(void *ptr) __attribute__ ((nonnull));
SODIUM_EXPORT
int sodium_pad(size_t *padded_buflen_p, unsigned char *buf,
- size_t unpadded_buflen, size_t blocksize, size_t max_buflen);
+ size_t unpadded_buflen, size_t blocksize, size_t max_buflen)
+ __attribute__ ((nonnull(2)));
SODIUM_EXPORT
int sodium_unpad(size_t *unpadded_buflen_p, const unsigned char *buf,
- size_t padded_buflen, size_t blocksize);
+ size_t padded_buflen, size_t blocksize)
+ __attribute__ ((nonnull(2)));
/* -------- */
diff --git a/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c b/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c
index 79916eab..64c4cec5 100644
--- a/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c
+++ b/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c
@@ -19,9 +19,26 @@
#ifdef __linux__
# ifdef __dietlibc__
# define _LINUX_SOURCE
-# else
+# include
+# define HAVE_LINUX_COMPATIBLE_GETRANDOM
+# else /* __dietlibc__ */
# include
+# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# define getrandom(B, S, F) syscall(SYS_getrandom, (B), (int) (S), (F))
+# define HAVE_LINUX_COMPATIBLE_GETRANDOM
+# endif
+# endif /* __dietlibc__ */
+#elif defined(__FreeBSD__)
+# include
+# if defined(__FreeBSD_version) && __FreeBSD_version >= 1200000
+# include
+# define HAVE_LINUX_COMPATIBLE_GETRANDOM
# endif
+#endif
+#if !defined(NO_BLOCKING_RANDOM_POLL) && defined(__linux__)
+# define BLOCK_ON_DEV_RANDOM
+#endif
+#ifdef BLOCK_ON_DEV_RANDOM
# include
#endif
#ifdef HAVE_RDRAND
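Review bot: `BLOCK_ON_DEV_RANDOM` is defined from `!defined(NO_BLOCKING_RANDOM_POLL) && defined(__linux__)`, which drops the `!defined(USE_BLOCKING_RANDOM)` term of the guards it replaces further down, so USE_BLOCKING_RANDOM builds now also compile the /dev/random poll. If that is intended, a comment at the define should say so, and say that defining NO_BLOCKING_RANDOM_POLL removes what is presumably the wait for the kernel pool to be seeded. Separately, the function-like macro `getrandom(B, S, F)` reuses the libc name and casts the size to `int`. A private name would avoid a clash if a libc prototype ever comes into scope after it, and the cast is only safe because the caller asserts `size <= 256U`. The same preamble is added to randombytes_sysrandom.c.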
@@ -146,8 +163,6 @@ sodium_hrtime(void)
static void
randombytes_salsa20_random_init(void)
{
- stream.nonce = sodium_hrtime();
- assert(stream.nonce != (uint64_t) 0U);
global.rdrand_available = sodium_runtime_has_rdrand();
}
@@ -177,7 +192,7 @@ safe_read(const int fd, void * const buf_, size_t size)
return (ssize_t) (buf - (unsigned char *) buf_);
}
-# if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL)
+# ifdef BLOCK_ON_DEV_RANDOM
static int
randombytes_block_on_dev_random(void)
{
@@ -219,11 +234,11 @@ randombytes_salsa20_random_random_dev_open(void)
const char **device = devices;
int fd;
-# if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL)
+# ifdef BLOCK_ON_DEV_RANDOM
if (randombytes_block_on_dev_random() != 0) {
return -1;
}
-# endif
+# endif
do {
fd = open(*device, O_RDONLY);
if (fd != -1) {
@@ -246,7 +261,7 @@ randombytes_salsa20_random_random_dev_open(void)
}
# endif
-# if defined(__dietlibc__) || (defined(SYS_getrandom) && defined(__NR_getrandom))
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
static int
_randombytes_linux_getrandom(void * const buf, const size_t size)
{
@@ -254,11 +269,7 @@ _randombytes_linux_getrandom(void * const buf, const size_t size)
assert(size <= 256U);
do {
-# ifdef __dietlibc__
readnb = getrandom(buf, size, 0);
-# else
- readnb = syscall(SYS_getrandom, buf, (int) size, 0);
-# endif
} while (readnb < 0 && (errno == EINTR || errno == EAGAIN));
return (readnb == (int) size) - 1;
@@ -291,15 +302,13 @@ randombytes_salsa20_random_init(void)
{
const int errno_save = errno;
- stream.nonce = sodium_hrtime();
global.rdrand_available = sodium_runtime_has_rdrand();
- assert(stream.nonce != (uint64_t) 0U);
# ifdef HAVE_SAFE_ARC4RANDOM
errno = errno_save;
# else
-# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
{
unsigned char fodder[16];
@@ -310,7 +319,7 @@ randombytes_salsa20_random_init(void)
}
global.getrandom_available = 0;
}
-# endif /* SYS_getrandom */
+# endif /* HAVE_LINUX_COMPATIBLE_GETRANDOM */
if ((global.random_data_source_fd =
randombytes_salsa20_random_random_dev_open()) == -1) {
@@ -329,9 +338,8 @@ randombytes_salsa20_random_init(void)
static void
randombytes_salsa20_random_stir(void)
{
- unsigned char m0[crypto_stream_salsa20_KEYBYTES +
- crypto_stream_salsa20_NONCEBYTES];
-
+ stream.nonce = sodium_hrtime();
+ assert(stream.nonce != (uint64_t) 0U);
memset(stream.rnd32, 0, sizeof stream.rnd32);
stream.rnd32_outleft = (size_t) 0U;
if (global.initialized == 0) {
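Review bot: `assert(stream.nonce != (uint64_t) 0U);` is the only guard on the timer-derived nonce and it disappears if this file is ever compiled with NDEBUG, while the failure paths further down randombytes_salsa20_random_stir go through `sodium_misuse()`. If a zero value really must be fatal, `if (stream.nonce == (uint64_t) 0U) { sodium_misuse(); }` keeps the check in every build. If it need not be fatal, the assert can go and a comment can say the nonce is only a starting value. The function body continues outside this hunk.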
@@ -345,34 +353,31 @@ randombytes_salsa20_random_stir(void)
#ifndef _WIN32
# ifdef HAVE_SAFE_ARC4RANDOM
- arc4random_buf(m0, sizeof m0);
-# elif defined(SYS_getrandom) && defined(__NR_getrandom)
+ arc4random_buf(stream.key, sizeof stream.key);
+# elif defined(HAVE_LINUX_COMPATIBLE_GETRANDOM)
if (global.getrandom_available != 0) {
- if (randombytes_linux_getrandom(m0, sizeof m0) != 0) {
+ if (randombytes_linux_getrandom(stream.key, sizeof stream.key) != 0) {
sodium_misuse(); /* LCOV_EXCL_LINE */
}
} else if (global.random_data_source_fd == -1 ||
- safe_read(global.random_data_source_fd, m0,
- sizeof m0) != (ssize_t) sizeof m0) {
+ safe_read(global.random_data_source_fd, stream.key,
+ sizeof stream.key) != (ssize_t) sizeof stream.key) {
sodium_misuse(); /* LCOV_EXCL_LINE */
}
# else
if (global.random_data_source_fd == -1 ||
- safe_read(global.random_data_source_fd, m0,
- sizeof m0) != (ssize_t) sizeof m0) {
+ safe_read(global.random_data_source_fd, stream.key,
+ sizeof stream.key) != (ssize_t) sizeof stream.key) {
sodium_misuse(); /* LCOV_EXCL_LINE */
}
# endif
#else /* _WIN32 */
- if (! RtlGenRandom((PVOID) m0, (ULONG) sizeof m0)) {
+ if (! RtlGenRandom((PVOID) stream.key, (ULONG) sizeof stream.key)) {
sodium_misuse(); /* LCOV_EXCL_LINE */
}
#endif
- crypto_stream_salsa20(stream.key, sizeof stream.key,
- m0 + crypto_stream_salsa20_KEYBYTES, m0);
- sodium_memzero(m0, sizeof m0);
stream.initialized = 1;
}
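Review bot: Nothing in the rewritten seeding path records that `stream.key` is now raw OS output. The removed `crypto_stream_salsa20(stream.key, ...)` call derived the key from `m0`, and the new code writes the bytes from arc4random_buf, getrandom, the device fd or RtlGenRandom straight into the key. A comment above the `#ifndef _WIN32` block, e.g. `/* stream.key is filled directly from the OS CSPRNG; stream.nonce is time-derived and not secret */`, would make clear that the generator's strength now rests entirely on that source. The `safe_read(global.random_data_source_fd, stream.key, ...)` fallback also appears twice with identical text, in the `#elif` and `#else` arms, and could share one helper. The function starts before this hunk.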
@@ -434,7 +439,7 @@ randombytes_salsa20_random_close(void)
ret = 0;
# endif
-# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
if (global.getrandom_available != 0) {
ret = 0;
}
@@ -494,10 +499,10 @@ randombytes_salsa20_random_buf(void * const buf, const size_t size)
randombytes_salsa20_random_stir_if_needed();
COMPILER_ASSERT(sizeof stream.nonce == crypto_stream_salsa20_NONCEBYTES);
-#if defined(ULONG_LONG_MAX) && defined(SIZE_MAX)
-# if SIZE_MAX > ULONG_LONG_MAX
+#if defined(ULLONG_MAX) && defined(SIZE_MAX)
+# if SIZE_MAX > ULLONG_MAX
/* coverity[result_independent_of_operands] */
- assert(size <= ULONG_LONG_MAX);
+ assert(size <= ULLONG_MAX);
# endif
#endif
ret = crypto_stream_salsa20((unsigned char *) buf, (unsigned long long) size,
diff --git a/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c b/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c
index f4dec08f..99018f35 100644
--- a/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c
+++ b/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c
@@ -18,9 +18,26 @@
#ifdef __linux__
# ifdef __dietlibc__
# define _LINUX_SOURCE
-# else
+# include
+# define HAVE_LINUX_COMPATIBLE_GETRANDOM
+# else /* __dietlibc__ */
# include
+# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# define getrandom(B, S, F) syscall(SYS_getrandom, (B), (int) (S), (F))
+# define HAVE_LINUX_COMPATIBLE_GETRANDOM
+# endif
+# endif /* __dietlibc */
+#elif defined(__FreeBSD__)
+# include
+# if defined(__FreeBSD_version) && __FreeBSD_version >= 1200000
+# include
+# define HAVE_LINUX_COMPATIBLE_GETRANDOM
# endif
+#endif
+#if !defined(NO_BLOCKING_RANDOM_POLL) && defined(__linux__)
+# define BLOCK_ON_DEV_RANDOM
+#endif
+#ifdef BLOCK_ON_DEV_RANDOM
# include
#endif
@@ -102,7 +119,7 @@ static SysRandom stream = {
SODIUM_C99(.getrandom_available =) 0
};
-#ifndef _WIN32
+# ifndef _WIN32
static ssize_t
safe_read(const int fd, void * const buf_, size_t size)
{
@@ -126,10 +143,8 @@ safe_read(const int fd, void * const buf_, size_t size)
return (ssize_t) (buf - (unsigned char *) buf_);
}
-#endif
-#ifndef _WIN32
-# if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL)
+# ifdef BLOCK_ON_DEV_RANDOM
static int
randombytes_block_on_dev_random(void)
{
@@ -154,7 +169,7 @@ randombytes_block_on_dev_random(void)
}
return close(fd);
}
-# endif
+# endif /* BLOCK_ON_DEV_RANDOM */
static int
randombytes_sysrandom_random_dev_open(void)
@@ -162,34 +177,34 @@ randombytes_sysrandom_random_dev_open(void)
/* LCOV_EXCL_START */
struct stat st;
static const char *devices[] = {
-# ifndef USE_BLOCKING_RANDOM
+# ifndef USE_BLOCKING_RANDOM
"/dev/urandom",
-# endif
+# endif
"/dev/random", NULL
};
const char **device = devices;
int fd;
-# if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL)
+# ifdef BLOCK_ON_DEV_RANDOM
if (randombytes_block_on_dev_random() != 0) {
return -1;
}
-# endif
+# endif
do {
fd = open(*device, O_RDONLY);
if (fd != -1) {
if (fstat(fd, &st) == 0 &&
-# ifdef __COMPCERT__
+# ifdef __COMPCERT__
1
-# elif defined(S_ISNAM)
+# elif defined(S_ISNAM)
(S_ISNAM(st.st_mode) || S_ISCHR(st.st_mode))
-# else
+# else
S_ISCHR(st.st_mode)
-# endif
+# endif
) {
-# if defined(F_SETFD) && defined(FD_CLOEXEC)
+# if defined(F_SETFD) && defined(FD_CLOEXEC)
(void) fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
-# endif
+# endif
return fd;
}
(void) close(fd);
@@ -204,7 +219,7 @@ randombytes_sysrandom_random_dev_open(void)
/* LCOV_EXCL_STOP */
}
-# if defined(__dietlibc__) || (defined(SYS_getrandom) && defined(__NR_getrandom))
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
static int
_randombytes_linux_getrandom(void * const buf, const size_t size)
{
@@ -212,11 +227,7 @@ _randombytes_linux_getrandom(void * const buf, const size_t size)
assert(size <= 256U);
do {
-# ifdef __dietlibc__
readnb = getrandom(buf, size, 0);
-# else
- readnb = syscall(SYS_getrandom, buf, (int) size, 0);
-# endif
} while (readnb < 0 && (errno == EINTR || errno == EAGAIN));
return (readnb == (int) size) - 1;
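Review bot: The unified `readnb = getrandom(buf, size, 0);` no longer shows that on non-dietlibc Linux `getrandom` is the function-like macro from the first hunk, which wraps `syscall(SYS_getrandom, ...)` and narrows the length with `(int) (S)`. That narrowing is safe only because of `assert(size <= 256U)` just above, which disappears under `NDEBUG`, so the limit then rests on the caller, which is not visible here. I would add a comment at the call, `/* getrandom may be a macro over syscall(SYS_getrandom); its (int) cast relies on size <= 256 */`. Naming the macro after a libc symbol also breaks the build if a header declaring `getrandom()` is ever included after it; the include targets are not legible on this page, so I cannot tell whether that can happen today. The function body starts outside this hunk.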
@@ -242,14 +253,14 @@ randombytes_linux_getrandom(void * const buf_, size_t size)
return 0;
}
-# endif
+# endif /* HAVE_LINUX_COMPATIBLE_GETRANDOM */
static void
randombytes_sysrandom_init(void)
{
const int errno_save = errno;
-# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
{
unsigned char fodder[16];
@@ -260,7 +271,7 @@ randombytes_sysrandom_init(void)
}
stream.getrandom_available = 0;
}
-# endif
+# endif
if ((stream.random_data_source_fd =
randombytes_sysrandom_random_dev_open()) == -1) {
@@ -269,13 +280,13 @@ randombytes_sysrandom_init(void)
errno = errno_save;
}
-#else /* _WIN32 */
+# else /* _WIN32 */
static void
randombytes_sysrandom_init(void)
{
}
-#endif
+# endif /* _WIN32 */
static void
randombytes_sysrandom_stir(void)
@@ -299,24 +310,24 @@ randombytes_sysrandom_close(void)
{
int ret = -1;
-#ifndef _WIN32
+# ifndef _WIN32
if (stream.random_data_source_fd != -1 &&
close(stream.random_data_source_fd) == 0) {
stream.random_data_source_fd = -1;
stream.initialized = 0;
ret = 0;
}
-# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
if (stream.getrandom_available != 0) {
ret = 0;
}
-# endif
-#else /* _WIN32 */
+# endif
+# else /* _WIN32 */
if (stream.initialized != 0) {
stream.initialized = 0;
ret = 0;
}
-#endif
+# endif /* _WIN32 */
return ret;
}
@@ -324,26 +335,26 @@ static void
randombytes_sysrandom_buf(void * const buf, const size_t size)
{
randombytes_sysrandom_stir_if_needed();
-#if defined(ULONG_LONG_MAX) && defined(SIZE_MAX)
-# if SIZE_MAX > ULONG_LONG_MAX
+# if defined(ULLONG_MAX) && defined(SIZE_MAX)
+# if SIZE_MAX > ULLONG_MAX
/* coverity[result_independent_of_operands] */
- assert(size <= ULONG_LONG_MAX);
+ assert(size <= ULLONG_MAX);
+# endif
# endif
-#endif
-#ifndef _WIN32
-# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# ifndef _WIN32
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
if (stream.getrandom_available != 0) {
if (randombytes_linux_getrandom(buf, size) != 0) {
sodium_misuse(); /* LCOV_EXCL_LINE */
}
return;
}
-# endif
+# endif
if (stream.random_data_source_fd == -1 ||
safe_read(stream.random_data_source_fd, buf, size) != (ssize_t) size) {
sodium_misuse(); /* LCOV_EXCL_LINE */
}
-#else
+# else /* _WIN32 */
COMPILER_ASSERT(randombytes_BYTES_MAX <= 0xffffffffUL);
if (size > (size_t) 0xffffffffUL) {
sodium_misuse(); /* LCOV_EXCL_LINE */
@@ -351,7 +362,7 @@ randombytes_sysrandom_buf(void * const buf, const size_t size)
if (! RtlGenRandom((PVOID) buf, (ULONG) size)) {
sodium_misuse(); /* LCOV_EXCL_LINE */
}
-#endif
+# endif /* _WIN32 */
}
static uint32_t
diff --git a/src/libsodium/sodium/core.c b/src/libsodium/sodium/core.c
index 1ac29d09..f2456fe1 100644
--- a/src/libsodium/sodium/core.c
+++ b/src/libsodium/sodium/core.c
@@ -21,21 +21,6 @@
#include "private/implementations.h"
#include "private/mutex.h"
-#if !defined(_MSC_VER) && 0
-# warning *** This is unstable, untested, development code.
-# warning It might not compile. It might not work as expected.
-# warning It might be totally insecure.
-# warning Do not use this in production.
-# warning Use releases available at https://download.libsodium.org/libsodium/releases/ instead.
-# warning Alternatively, use the "stable" branch in the git repository.
-#endif
-
-#if !defined(_MSC_VER) && (!defined(CONFIGURED) || CONFIGURED != 1)
-# warning *** The library is being compiled using an undocumented method.
-# warning This is not supported. It has not been tested, it might not
-# warning work as expected, and performance is likely to be suboptimal.
-#endif
-
static volatile int initialized;
static volatile int locked;
@@ -140,8 +125,6 @@ sodium_crit_enter(void)
int
sodium_crit_leave(void)
{
- int ret;
-
if (locked == 0) {
# ifdef EPERM
errno = EPERM;
diff --git a/src/libsodium/sodium/utils.c b/src/libsodium/sodium/utils.c
index 83bc04d3..d865eb90 100644
--- a/src/libsodium/sodium/utils.c
+++ b/src/libsodium/sodium/utils.c
@@ -110,6 +110,8 @@ sodium_memzero(void *const pnt, const size_t len)
}
#elif defined(HAVE_EXPLICIT_BZERO)
explicit_bzero(pnt, len);
+#elif defined(HAVE_EXPLICIT_MEMSET)
+ explicit_memset(pnt, 0, len);
#elif HAVE_WEAK_SYMBOLS
memset(pnt, 0, len);
_sodium_dummy_symbol_to_prevent_memzero_lto(pnt, len);
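Review bot: The new `explicit_memset` branch is only reached when the build defines `HAVE_EXPLICIT_MEMSET`, and the configure check that sets it is not in this part of the diff. Please confirm it exists and that the header declaring `explicit_memset` is included, since a missing define silently falls through to the weaker fallbacks below and this chain decides whether secrets are actually wiped. A short trailing comment naming the platform, e.g. `/* NetBSD */`, would help the next person auditing the order of the branches. The body of `sodium_memzero` starts and ends outside this hunk.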
@@ -287,7 +289,7 @@ sodium_increment(unsigned char *n, const size_t nlen)
void
sodium_add(unsigned char *a, const unsigned char *b, const size_t len)
{
- size_t i = 0U;
+ size_t i;
uint_fast16_t c = 0U;
#ifdef HAVE_AMD64_ASM
@@ -326,13 +328,56 @@ sodium_add(unsigned char *a, const unsigned char *b, const size_t len)
return;
}
#endif
- for (; i < len; i++) {
+ for (i = 0U; i < len; i++) {
c += (uint_fast16_t) a[i] + (uint_fast16_t) b[i];
a[i] = (unsigned char) c;
c >>= 8;
}
}
+void
+sodium_sub(unsigned char *a, const unsigned char *b, const size_t len)
+{
+ uint_fast16_t c = 0U;
+ size_t i;
+
+#ifdef HAVE_AMD64_ASM
+ uint64_t t64_1, t64_2, t64_3, t64_4;
+ uint64_t t64_5, t64_6, t64_7, t64_8;
+ uint32_t t32;
+
+ if (len == 64U) {
+ __asm__ __volatile__(
+ "movq (%[in]), %[t64_1] \n"
+ "movq 8(%[in]), %[t64_2] \n"
+ "movq 16(%[in]), %[t64_3] \n"
+ "movq 24(%[in]), %[t64_4] \n"
+ "movq 32(%[in]), %[t64_5] \n"
+ "movq 40(%[in]), %[t64_6] \n"
+ "movq 48(%[in]), %[t64_7] \n"
+ "movq 56(%[in]), %[t64_8] \n"
+ "subq %[t64_1], (%[out]) \n"
+ "sbbq %[t64_2], 8(%[out]) \n"
+ "sbbq %[t64_3], 16(%[out]) \n"
+ "sbbq %[t64_4], 24(%[out]) \n"
+ "sbbq %[t64_5], 32(%[out]) \n"
+ "sbbq %[t64_6], 40(%[out]) \n"
+ "sbbq %[t64_7], 48(%[out]) \n"
+ "sbbq %[t64_8], 56(%[out]) \n"
+ : [t64_1] "=&r"(t64_1), [t64_2] "=&r"(t64_2), [t64_3] "=&r"(t64_3), [t64_4] "=&r"(t64_4),
+ [t64_5] "=&r"(t64_5), [t64_6] "=&r"(t64_6), [t64_7] "=&r"(t64_7), [t64_8] "=&r"(t64_8)
+ : [in] "S"(b), [out] "D"(a)
+ : "memory", "flags", "cc");
+ return;
+ }
+#endif
+ for (i = 0U; i < len; i++) {
+ c = (uint_fast16_t) a[i] - (uint_fast16_t) b[i] - c;
+ a[i] = (unsigned char) c;
+ c = (c >> 8) & 1U;
+ }
+}
+
int
_sodium_alloc_init(void)
{
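Review bot: In the new `sodium_sub()`, `uint32_t t32;` is declared under `HAVE_AMD64_ASM` but never used by the single `len == 64U` assembly path, so that line can be removed. The function also has no comment stating its contract. I would add a header comment saying that it computes `a -= b` in place over `len` bytes, least significant byte first, wrapping modulo 2^(8*len), and that the portable loop has no data-dependent branches. The same comment should say that `a` and `b` must not partially overlap, because the assembly path loads all of `b` before writing `a` while the loop interleaves reads and writes. This hunk begins inside `sodium_add()`.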
@@ -697,7 +742,7 @@ sodium_pad(size_t *padded_buflen_p, unsigned char *buf,
for (i = 0; i < blocksize; i++) {
barrier_mask = (unsigned char) (((i ^ xpadlen) - 1U)
>> ((sizeof(size_t) - 1) * CHAR_BIT));
- tail[-i] = (tail[-i] & mask) | (0x80 & barrier_mask);
+ *(tail - i) = ((*(tail - i)) & mask) | (0x80 & barrier_mask);
mask |= barrier_mask;
}
return 0;
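Review bot: The switch from `tail[-i]` to `*(tail - i)` has no comment explaining it, so a later cleanup could easily revert it to the shorter form. Assuming `i` is a `size_t`, as the shift by `(sizeof(size_t) - 1) * CHAR_BIT` suggests, `-i` wraps to a large unsigned value before it is used as a subscript, while `tail - i` is ordinary pointer arithmetic. I would add `/* not tail[-i]: i is unsigned, so -i wraps before indexing */` above the assignment here and above `c = *(tail - i);` in the `sodium_unpad()` hunk that follows. Both function bodies start outside their hunks.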
@@ -721,7 +766,7 @@ sodium_unpad(size_t *unpadded_buflen_p, const unsigned char *buf,
tail = &buf[padded_buflen - 1U];
for (i = 0U; i < blocksize; i++) {
- c = tail[-i];
+ c = *(tail - i);
is_barrier =
(( (acc - 1U) & (pad_len - 1U) & ((c ^ 0x80) - 1U) ) >> 8) & 1U;
acc |= c;
diff --git a/test/Makefile.in b/test/Makefile.in
index 4c8fb0bb..4fcf9de3 100644
--- a/test/Makefile.in
+++ b/test/Makefile.in
@@ -245,7 +245,6 @@ INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-ISODATE = @ISODATE@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
diff --git a/test/default/Makefile.am b/test/default/Makefile.am
index 88d6e2aa..12869590 100644
--- a/test/default/Makefile.am
+++ b/test/default/Makefile.am
@@ -4,7 +4,9 @@ EXTRA_DIST = \
wintest.bat \
pre.js.inc \
aead_aes256gcm.exp \
+ aead_aes256gcm2.exp \
aead_chacha20poly1305.exp \
+ aead_chacha20poly13052.exp \
aead_xchacha20poly1305.exp \
auth.exp \
auth2.exp \
@@ -55,6 +57,7 @@ EXTRA_DIST = \
scalarmult5.exp \
scalarmult6.exp \
scalarmult7.exp \
+ scalarmult8.exp \
secretbox.exp \
secretbox2.exp \
secretbox7.exp \
@@ -79,7 +82,9 @@ EXTRA_DIST = \
DISTCLEANFILES = \
aead_aes256gcm.res \
+ aead_aes256gcm2.res \
aead_chacha20poly1305.res \
+ aead_chacha20poly13052.res \
aead_xchacha20poly1305.res \
auth.res \
auth2.res \
@@ -130,6 +135,7 @@ DISTCLEANFILES = \
scalarmult5.res \
scalarmult6.res \
scalarmult7.res \
+ scalarmult8.res \
secretbox.res \
secretbox2.res \
secretbox7.res \
@@ -155,7 +161,9 @@ DISTCLEANFILES = \
if NATIVECLIENT
CLEANFILES = \
aead_aes256gcm.final \
+ aead_aes256gcm2.final \
aead_chacha20poly1305.final \
+ aead_chacha20poly13052.final \
aead_xchacha20poly1305.final \
auth.final \
auth2.final \
@@ -206,6 +214,7 @@ CLEANFILES = \
scalarmult5.final \
scalarmult6.final \
scalarmult7.final \
+ scalarmult8.final \
secretbox.final \
secretbox2.final \
secretbox7.final \
@@ -226,7 +235,9 @@ CLEANFILES = \
verify1.final \
xchacha20.final \
aead_aes256gcm.nexe \
+ aead_aes256gcm2.nexe \
aead_chacha20poly1305.nexe \
+ aead_chacha20poly13052.nexe \
aead_xchacha20poly1305.nexe \
auth.nexe \
auth2.nexe \
@@ -277,6 +288,7 @@ CLEANFILES = \
scalarmult5.nexe \
scalarmult6.nexe \
scalarmult7.nexe \
+ scalarmult8.nexe \
secretbox.nexe \
secretbox2.nexe \
secretbox7.nexe \
@@ -310,7 +322,9 @@ AM_LDFLAGS = @TEST_LDFLAGS@
TESTS_TARGETS = \
aead_aes256gcm \
+ aead_aes256gcm2 \
aead_chacha20poly1305 \
+ aead_chacha20poly13052 \
aead_xchacha20poly1305 \
auth \
auth2 \
@@ -356,6 +370,7 @@ TESTS_TARGETS = \
scalarmult5 \
scalarmult6 \
scalarmult7 \
+ scalarmult8 \
secretbox \
secretbox2 \
secretbox7 \
@@ -392,9 +407,15 @@ TESTS_LDADD = \
aead_aes256gcm_SOURCE = cmptest.h aead_aes256gcm.c
aead_aes256gcm_LDADD = $(TESTS_LDADD)
+aead_aes256gcm2_SOURCE = cmptest.h aead_aes256gcm2.c
+aead_aes256gcm2_LDADD = $(TESTS_LDADD)
+
aead_chacha20poly1305_SOURCE = cmptest.h aead_chacha20poly1305.c
aead_chacha20poly1305_LDADD = $(TESTS_LDADD)
+aead_chacha20poly13052_SOURCE = cmptest.h aead_chacha20poly13052.c
+aead_chacha20poly13052_LDADD = $(TESTS_LDADD)
+
aead_xchacha20poly1305_SOURCE = cmptest.h aead_xchacha20poly1305.c
aead_xchacha20poly1305_LDADD = $(TESTS_LDADD)
@@ -542,6 +563,9 @@ scalarmult6_LDADD = $(TESTS_LDADD)
scalarmult7_SOURCE = cmptest.h scalarmult7.c
scalarmult7_LDADD = $(TESTS_LDADD)
+scalarmult8_SOURCE = cmptest.h scalarmult8.c
+scalarmult8_LDADD = $(TESTS_LDADD)
+
secretbox_SOURCE = cmptest.h secretbox.c
secretbox_LDADD = $(TESTS_LDADD)
diff --git a/test/default/Makefile.in b/test/default/Makefile.in
index 1e94a0c0..4b4f3628 100644
--- a/test/default/Makefile.in
+++ b/test/default/Makefile.in
@@ -128,7 +128,8 @@ CONFIG_CLEAN_VPATH_FILES =
@MINIMAL_FALSE@ pwhash_scrypt_ll$(EXEEXT) \
@MINIMAL_FALSE@ scalarmult_ed25519$(EXEEXT) siphashx24$(EXEEXT) \
@MINIMAL_FALSE@ xchacha20$(EXEEXT)
-am__EXEEXT_3 = aead_aes256gcm$(EXEEXT) aead_chacha20poly1305$(EXEEXT) \
+am__EXEEXT_3 = aead_aes256gcm$(EXEEXT) aead_aes256gcm2$(EXEEXT) \
+ aead_chacha20poly1305$(EXEEXT) aead_chacha20poly13052$(EXEEXT) \
aead_xchacha20poly1305$(EXEEXT) auth$(EXEEXT) auth2$(EXEEXT) \
auth3$(EXEEXT) auth5$(EXEEXT) auth6$(EXEEXT) auth7$(EXEEXT) \
box$(EXEEXT) box2$(EXEEXT) box7$(EXEEXT) box8$(EXEEXT) \
@@ -143,14 +144,14 @@ am__EXEEXT_3 = aead_aes256gcm$(EXEEXT) aead_chacha20poly1305$(EXEEXT) \
onetimeauth7$(EXEEXT) pwhash_argon2i$(EXEEXT) \
pwhash_argon2id$(EXEEXT) randombytes$(EXEEXT) \
scalarmult$(EXEEXT) scalarmult2$(EXEEXT) scalarmult5$(EXEEXT) \
- scalarmult6$(EXEEXT) scalarmult7$(EXEEXT) secretbox$(EXEEXT) \
- secretbox2$(EXEEXT) secretbox7$(EXEEXT) secretbox8$(EXEEXT) \
- secretbox_easy$(EXEEXT) secretbox_easy2$(EXEEXT) \
- secretstream$(EXEEXT) shorthash$(EXEEXT) sign$(EXEEXT) \
- sodium_core$(EXEEXT) sodium_utils$(EXEEXT) \
- sodium_version$(EXEEXT) stream$(EXEEXT) stream2$(EXEEXT) \
- stream3$(EXEEXT) stream4$(EXEEXT) verify1$(EXEEXT) \
- $(am__EXEEXT_1) $(am__EXEEXT_2)
+ scalarmult6$(EXEEXT) scalarmult7$(EXEEXT) scalarmult8$(EXEEXT) \
+ secretbox$(EXEEXT) secretbox2$(EXEEXT) secretbox7$(EXEEXT) \
+ secretbox8$(EXEEXT) secretbox_easy$(EXEEXT) \
+ secretbox_easy2$(EXEEXT) secretstream$(EXEEXT) \
+ shorthash$(EXEEXT) sign$(EXEEXT) sodium_core$(EXEEXT) \
+ sodium_utils$(EXEEXT) sodium_version$(EXEEXT) stream$(EXEEXT) \
+ stream2$(EXEEXT) stream3$(EXEEXT) stream4$(EXEEXT) \
+ verify1$(EXEEXT) $(am__EXEEXT_1) $(am__EXEEXT_2)
aead_aes256gcm_SOURCES = aead_aes256gcm.c
aead_aes256gcm_OBJECTS = aead_aes256gcm.$(OBJEXT)
aead_aes256gcm_DEPENDENCIES = $(TESTS_LDADD)
@@ -158,9 +159,15 @@ AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 =
+aead_aes256gcm2_SOURCES = aead_aes256gcm2.c
+aead_aes256gcm2_OBJECTS = aead_aes256gcm2.$(OBJEXT)
+aead_aes256gcm2_DEPENDENCIES = $(TESTS_LDADD)
aead_chacha20poly1305_SOURCES = aead_chacha20poly1305.c
aead_chacha20poly1305_OBJECTS = aead_chacha20poly1305.$(OBJEXT)
aead_chacha20poly1305_DEPENDENCIES = $(TESTS_LDADD)
+aead_chacha20poly13052_SOURCES = aead_chacha20poly13052.c
+aead_chacha20poly13052_OBJECTS = aead_chacha20poly13052.$(OBJEXT)
+aead_chacha20poly13052_DEPENDENCIES = $(TESTS_LDADD)
aead_xchacha20poly1305_SOURCES = aead_xchacha20poly1305.c
aead_xchacha20poly1305_OBJECTS = aead_xchacha20poly1305.$(OBJEXT)
aead_xchacha20poly1305_DEPENDENCIES = $(TESTS_LDADD)
@@ -305,6 +312,9 @@ scalarmult6_DEPENDENCIES = $(TESTS_LDADD)
scalarmult7_SOURCES = scalarmult7.c
scalarmult7_OBJECTS = scalarmult7.$(OBJEXT)
scalarmult7_DEPENDENCIES = $(TESTS_LDADD)
+scalarmult8_SOURCES = scalarmult8.c
+scalarmult8_OBJECTS = scalarmult8.$(OBJEXT)
+scalarmult8_DEPENDENCIES = $(TESTS_LDADD)
scalarmult_ed25519_SOURCES = scalarmult_ed25519.c
scalarmult_ed25519_OBJECTS = scalarmult_ed25519.$(OBJEXT)
scalarmult_ed25519_DEPENDENCIES = $(TESTS_LDADD)
@@ -387,7 +397,9 @@ DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
am__maybe_remake_depfiles = depfiles
am__depfiles_remade = ./$(DEPDIR)/aead_aes256gcm.Po \
+ ./$(DEPDIR)/aead_aes256gcm2.Po \
./$(DEPDIR)/aead_chacha20poly1305.Po \
+ ./$(DEPDIR)/aead_chacha20poly13052.Po \
./$(DEPDIR)/aead_xchacha20poly1305.Po ./$(DEPDIR)/auth.Po \
./$(DEPDIR)/auth2.Po ./$(DEPDIR)/auth3.Po ./$(DEPDIR)/auth5.Po \
./$(DEPDIR)/auth6.Po ./$(DEPDIR)/auth7.Po ./$(DEPDIR)/box.Po \
@@ -409,17 +421,18 @@ am__depfiles_remade = ./$(DEPDIR)/aead_aes256gcm.Po \
./$(DEPDIR)/randombytes.Po ./$(DEPDIR)/scalarmult.Po \
./$(DEPDIR)/scalarmult2.Po ./$(DEPDIR)/scalarmult5.Po \
./$(DEPDIR)/scalarmult6.Po ./$(DEPDIR)/scalarmult7.Po \
- ./$(DEPDIR)/scalarmult_ed25519.Po ./$(DEPDIR)/secretbox.Po \
- ./$(DEPDIR)/secretbox2.Po ./$(DEPDIR)/secretbox7.Po \
- ./$(DEPDIR)/secretbox8.Po ./$(DEPDIR)/secretbox_easy.Po \
- ./$(DEPDIR)/secretbox_easy2.Po ./$(DEPDIR)/secretstream.Po \
- ./$(DEPDIR)/shorthash.Po ./$(DEPDIR)/sign.Po \
- ./$(DEPDIR)/siphashx24.Po ./$(DEPDIR)/sodium_core.Po \
- ./$(DEPDIR)/sodium_utils.Po ./$(DEPDIR)/sodium_utils2.Po \
- ./$(DEPDIR)/sodium_utils3.Po ./$(DEPDIR)/sodium_version.Po \
- ./$(DEPDIR)/stream.Po ./$(DEPDIR)/stream2.Po \
- ./$(DEPDIR)/stream3.Po ./$(DEPDIR)/stream4.Po \
- ./$(DEPDIR)/verify1.Po ./$(DEPDIR)/xchacha20.Po
+ ./$(DEPDIR)/scalarmult8.Po ./$(DEPDIR)/scalarmult_ed25519.Po \
+ ./$(DEPDIR)/secretbox.Po ./$(DEPDIR)/secretbox2.Po \
+ ./$(DEPDIR)/secretbox7.Po ./$(DEPDIR)/secretbox8.Po \
+ ./$(DEPDIR)/secretbox_easy.Po ./$(DEPDIR)/secretbox_easy2.Po \
+ ./$(DEPDIR)/secretstream.Po ./$(DEPDIR)/shorthash.Po \
+ ./$(DEPDIR)/sign.Po ./$(DEPDIR)/siphashx24.Po \
+ ./$(DEPDIR)/sodium_core.Po ./$(DEPDIR)/sodium_utils.Po \
+ ./$(DEPDIR)/sodium_utils2.Po ./$(DEPDIR)/sodium_utils3.Po \
+ ./$(DEPDIR)/sodium_version.Po ./$(DEPDIR)/stream.Po \
+ ./$(DEPDIR)/stream2.Po ./$(DEPDIR)/stream3.Po \
+ ./$(DEPDIR)/stream4.Po ./$(DEPDIR)/verify1.Po \
+ ./$(DEPDIR)/xchacha20.Po
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -439,7 +452,25 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
-SOURCES = aead_aes256gcm.c aead_chacha20poly1305.c \
+SOURCES = aead_aes256gcm.c aead_aes256gcm2.c aead_chacha20poly1305.c \
+ aead_chacha20poly13052.c aead_xchacha20poly1305.c auth.c \
+ auth2.c auth3.c auth5.c auth6.c auth7.c box.c box2.c box7.c \
+ box8.c box_easy.c box_easy2.c box_seal.c box_seed.c chacha20.c \
+ codecs.c core1.c core2.c core3.c core4.c core5.c core6.c \
+ core_ed25519.c ed25519_convert.c generichash.c generichash2.c \
+ generichash3.c hash.c hash3.c kdf.c keygen.c kx.c \
+ metamorphic.c misuse.c onetimeauth.c onetimeauth2.c \
+ onetimeauth7.c pwhash_argon2i.c pwhash_argon2id.c \
+ pwhash_scrypt.c pwhash_scrypt_ll.c randombytes.c scalarmult.c \
+ scalarmult2.c scalarmult5.c scalarmult6.c scalarmult7.c \
+ scalarmult8.c scalarmult_ed25519.c secretbox.c secretbox2.c \
+ secretbox7.c secretbox8.c secretbox_easy.c secretbox_easy2.c \
+ secretstream.c shorthash.c sign.c siphashx24.c sodium_core.c \
+ sodium_utils.c sodium_utils2.c sodium_utils3.c \
+ sodium_version.c stream.c stream2.c stream3.c stream4.c \
+ verify1.c xchacha20.c
+DIST_SOURCES = aead_aes256gcm.c aead_aes256gcm2.c \
+ aead_chacha20poly1305.c aead_chacha20poly13052.c \
aead_xchacha20poly1305.c auth.c auth2.c auth3.c auth5.c \
auth6.c auth7.c box.c box2.c box7.c box8.c box_easy.c \
box_easy2.c box_seal.c box_seed.c chacha20.c codecs.c core1.c \
@@ -449,28 +480,12 @@ SOURCES = aead_aes256gcm.c aead_chacha20poly1305.c \
onetimeauth.c onetimeauth2.c onetimeauth7.c pwhash_argon2i.c \
pwhash_argon2id.c pwhash_scrypt.c pwhash_scrypt_ll.c \
randombytes.c scalarmult.c scalarmult2.c scalarmult5.c \
- scalarmult6.c scalarmult7.c scalarmult_ed25519.c secretbox.c \
- secretbox2.c secretbox7.c secretbox8.c secretbox_easy.c \
- secretbox_easy2.c secretstream.c shorthash.c sign.c \
- siphashx24.c sodium_core.c sodium_utils.c sodium_utils2.c \
- sodium_utils3.c sodium_version.c stream.c stream2.c stream3.c \
- stream4.c verify1.c xchacha20.c
-DIST_SOURCES = aead_aes256gcm.c aead_chacha20poly1305.c \
- aead_xchacha20poly1305.c auth.c auth2.c auth3.c auth5.c \
- auth6.c auth7.c box.c box2.c box7.c box8.c box_easy.c \
- box_easy2.c box_seal.c box_seed.c chacha20.c codecs.c core1.c \
- core2.c core3.c core4.c core5.c core6.c core_ed25519.c \
- ed25519_convert.c generichash.c generichash2.c generichash3.c \
- hash.c hash3.c kdf.c keygen.c kx.c metamorphic.c misuse.c \
- onetimeauth.c onetimeauth2.c onetimeauth7.c pwhash_argon2i.c \
- pwhash_argon2id.c pwhash_scrypt.c pwhash_scrypt_ll.c \
- randombytes.c scalarmult.c scalarmult2.c scalarmult5.c \
- scalarmult6.c scalarmult7.c scalarmult_ed25519.c secretbox.c \
- secretbox2.c secretbox7.c secretbox8.c secretbox_easy.c \
- secretbox_easy2.c secretstream.c shorthash.c sign.c \
- siphashx24.c sodium_core.c sodium_utils.c sodium_utils2.c \
- sodium_utils3.c sodium_version.c stream.c stream2.c stream3.c \
- stream4.c verify1.c xchacha20.c
+ scalarmult6.c scalarmult7.c scalarmult8.c scalarmult_ed25519.c \
+ secretbox.c secretbox2.c secretbox7.c secretbox8.c \
+ secretbox_easy.c secretbox_easy2.c secretstream.c shorthash.c \
+ sign.c siphashx24.c sodium_core.c sodium_utils.c \
+ sodium_utils2.c sodium_utils3.c sodium_version.c stream.c \
+ stream2.c stream3.c stream4.c verify1.c xchacha20.c
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
@@ -760,7 +775,6 @@ INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-ISODATE = @ISODATE@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
@@ -867,7 +881,9 @@ EXTRA_DIST = \
wintest.bat \
pre.js.inc \
aead_aes256gcm.exp \
+ aead_aes256gcm2.exp \
aead_chacha20poly1305.exp \
+ aead_chacha20poly13052.exp \
aead_xchacha20poly1305.exp \
auth.exp \
auth2.exp \
@@ -918,6 +934,7 @@ EXTRA_DIST = \
scalarmult5.exp \
scalarmult6.exp \
scalarmult7.exp \
+ scalarmult8.exp \
secretbox.exp \
secretbox2.exp \
secretbox7.exp \
@@ -942,7 +959,9 @@ EXTRA_DIST = \
DISTCLEANFILES = \
aead_aes256gcm.res \
+ aead_aes256gcm2.res \
aead_chacha20poly1305.res \
+ aead_chacha20poly13052.res \
aead_xchacha20poly1305.res \
auth.res \
auth2.res \
@@ -993,6 +1012,7 @@ DISTCLEANFILES = \
scalarmult5.res \
scalarmult6.res \
scalarmult7.res \
+ scalarmult8.res \
secretbox.res \
secretbox2.res \
secretbox7.res \
@@ -1017,7 +1037,9 @@ DISTCLEANFILES = \
@NATIVECLIENT_TRUE@CLEANFILES = \
@NATIVECLIENT_TRUE@ aead_aes256gcm.final \
+@NATIVECLIENT_TRUE@ aead_aes256gcm2.final \
@NATIVECLIENT_TRUE@ aead_chacha20poly1305.final \
+@NATIVECLIENT_TRUE@ aead_chacha20poly13052.final \
@NATIVECLIENT_TRUE@ aead_xchacha20poly1305.final \
@NATIVECLIENT_TRUE@ auth.final \
@NATIVECLIENT_TRUE@ auth2.final \
@@ -1068,6 +1090,7 @@ DISTCLEANFILES = \
@NATIVECLIENT_TRUE@ scalarmult5.final \
@NATIVECLIENT_TRUE@ scalarmult6.final \
@NATIVECLIENT_TRUE@ scalarmult7.final \
+@NATIVECLIENT_TRUE@ scalarmult8.final \
@NATIVECLIENT_TRUE@ secretbox.final \
@NATIVECLIENT_TRUE@ secretbox2.final \
@NATIVECLIENT_TRUE@ secretbox7.final \
@@ -1088,7 +1111,9 @@ DISTCLEANFILES = \
@NATIVECLIENT_TRUE@ verify1.final \
@NATIVECLIENT_TRUE@ xchacha20.final \
@NATIVECLIENT_TRUE@ aead_aes256gcm.nexe \
+@NATIVECLIENT_TRUE@ aead_aes256gcm2.nexe \
@NATIVECLIENT_TRUE@ aead_chacha20poly1305.nexe \
+@NATIVECLIENT_TRUE@ aead_chacha20poly13052.nexe \
@NATIVECLIENT_TRUE@ aead_xchacha20poly1305.nexe \
@NATIVECLIENT_TRUE@ auth.nexe \
@NATIVECLIENT_TRUE@ auth2.nexe \
@@ -1139,6 +1164,7 @@ DISTCLEANFILES = \
@NATIVECLIENT_TRUE@ scalarmult5.nexe \
@NATIVECLIENT_TRUE@ scalarmult6.nexe \
@NATIVECLIENT_TRUE@ scalarmult7.nexe \
+@NATIVECLIENT_TRUE@ scalarmult8.nexe \
@NATIVECLIENT_TRUE@ secretbox.nexe \
@NATIVECLIENT_TRUE@ secretbox2.nexe \
@NATIVECLIENT_TRUE@ secretbox7.nexe \
@@ -1168,25 +1194,30 @@ AM_CPPFLAGS = \
-I$(top_srcdir)/test/quirks
AM_LDFLAGS = @TEST_LDFLAGS@
-TESTS_TARGETS = aead_aes256gcm aead_chacha20poly1305 \
- aead_xchacha20poly1305 auth auth2 auth3 auth5 auth6 auth7 box \
- box2 box7 box8 box_easy box_easy2 box_seal box_seed chacha20 \
- codecs core1 core2 core3 core4 core5 core6 ed25519_convert \
- generichash generichash2 generichash3 hash hash3 kdf keygen kx \
- metamorphic misuse onetimeauth onetimeauth2 onetimeauth7 \
- pwhash_argon2i pwhash_argon2id randombytes scalarmult \
- scalarmult2 scalarmult5 scalarmult6 scalarmult7 secretbox \
- secretbox2 secretbox7 secretbox8 secretbox_easy \
- secretbox_easy2 secretstream shorthash sign sodium_core \
- sodium_utils sodium_version stream stream2 stream3 stream4 \
- verify1 $(am__append_1) $(am__append_2)
+TESTS_TARGETS = aead_aes256gcm aead_aes256gcm2 aead_chacha20poly1305 \
+ aead_chacha20poly13052 aead_xchacha20poly1305 auth auth2 auth3 \
+ auth5 auth6 auth7 box box2 box7 box8 box_easy box_easy2 \
+ box_seal box_seed chacha20 codecs core1 core2 core3 core4 \
+ core5 core6 ed25519_convert generichash generichash2 \
+ generichash3 hash hash3 kdf keygen kx metamorphic misuse \
+ onetimeauth onetimeauth2 onetimeauth7 pwhash_argon2i \
+ pwhash_argon2id randombytes scalarmult scalarmult2 scalarmult5 \
+ scalarmult6 scalarmult7 scalarmult8 secretbox secretbox2 \
+ secretbox7 secretbox8 secretbox_easy secretbox_easy2 \
+ secretstream shorthash sign sodium_core sodium_utils \
+ sodium_version stream stream2 stream3 stream4 verify1 \
+ $(am__append_1) $(am__append_2)
TESTS_LDADD = \
${top_builddir}/src/libsodium/libsodium.la
aead_aes256gcm_SOURCE = cmptest.h aead_aes256gcm.c
aead_aes256gcm_LDADD = $(TESTS_LDADD)
+aead_aes256gcm2_SOURCE = cmptest.h aead_aes256gcm2.c
+aead_aes256gcm2_LDADD = $(TESTS_LDADD)
aead_chacha20poly1305_SOURCE = cmptest.h aead_chacha20poly1305.c
aead_chacha20poly1305_LDADD = $(TESTS_LDADD)
+aead_chacha20poly13052_SOURCE = cmptest.h aead_chacha20poly13052.c
+aead_chacha20poly13052_LDADD = $(TESTS_LDADD)
aead_xchacha20poly1305_SOURCE = cmptest.h aead_xchacha20poly1305.c
aead_xchacha20poly1305_LDADD = $(TESTS_LDADD)
auth_SOURCE = cmptest.h auth.c
@@ -1285,6 +1316,8 @@ scalarmult6_SOURCE = cmptest.h scalarmult6.c
scalarmult6_LDADD = $(TESTS_LDADD)
scalarmult7_SOURCE = cmptest.h scalarmult7.c
scalarmult7_LDADD = $(TESTS_LDADD)
+scalarmult8_SOURCE = cmptest.h scalarmult8.c
+scalarmult8_LDADD = $(TESTS_LDADD)
secretbox_SOURCE = cmptest.h secretbox.c
secretbox_LDADD = $(TESTS_LDADD)
secretbox2_SOURCE = cmptest.h secretbox2.c
@@ -1375,10 +1408,18 @@ aead_aes256gcm$(EXEEXT): $(aead_aes256gcm_OBJECTS) $(aead_aes256gcm_DEPENDENCIES
@rm -f aead_aes256gcm$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(aead_aes256gcm_OBJECTS) $(aead_aes256gcm_LDADD) $(LIBS)
+aead_aes256gcm2$(EXEEXT): $(aead_aes256gcm2_OBJECTS) $(aead_aes256gcm2_DEPENDENCIES) $(EXTRA_aead_aes256gcm2_DEPENDENCIES)
+ @rm -f aead_aes256gcm2$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(aead_aes256gcm2_OBJECTS) $(aead_aes256gcm2_LDADD) $(LIBS)
+
aead_chacha20poly1305$(EXEEXT): $(aead_chacha20poly1305_OBJECTS) $(aead_chacha20poly1305_DEPENDENCIES) $(EXTRA_aead_chacha20poly1305_DEPENDENCIES)
@rm -f aead_chacha20poly1305$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(aead_chacha20poly1305_OBJECTS) $(aead_chacha20poly1305_LDADD) $(LIBS)
+aead_chacha20poly13052$(EXEEXT): $(aead_chacha20poly13052_OBJECTS) $(aead_chacha20poly13052_DEPENDENCIES) $(EXTRA_aead_chacha20poly13052_DEPENDENCIES)
+ @rm -f aead_chacha20poly13052$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(aead_chacha20poly13052_OBJECTS) $(aead_chacha20poly13052_LDADD) $(LIBS)
+
aead_xchacha20poly1305$(EXEEXT): $(aead_xchacha20poly1305_OBJECTS) $(aead_xchacha20poly1305_DEPENDENCIES) $(EXTRA_aead_xchacha20poly1305_DEPENDENCIES)
@rm -f aead_xchacha20poly1305$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(aead_xchacha20poly1305_OBJECTS) $(aead_xchacha20poly1305_LDADD) $(LIBS)
@@ -1571,6 +1612,10 @@ scalarmult7$(EXEEXT): $(scalarmult7_OBJECTS) $(scalarmult7_DEPENDENCIES) $(EXTRA
@rm -f scalarmult7$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(scalarmult7_OBJECTS) $(scalarmult7_LDADD) $(LIBS)
+scalarmult8$(EXEEXT): $(scalarmult8_OBJECTS) $(scalarmult8_DEPENDENCIES) $(EXTRA_scalarmult8_DEPENDENCIES)
+ @rm -f scalarmult8$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(scalarmult8_OBJECTS) $(scalarmult8_LDADD) $(LIBS)
+
scalarmult_ed25519$(EXEEXT): $(scalarmult_ed25519_OBJECTS) $(scalarmult_ed25519_DEPENDENCIES) $(EXTRA_scalarmult_ed25519_DEPENDENCIES)
@rm -f scalarmult_ed25519$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(scalarmult_ed25519_OBJECTS) $(scalarmult_ed25519_LDADD) $(LIBS)
@@ -1666,7 +1711,9 @@ distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aead_aes256gcm.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aead_aes256gcm2.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aead_chacha20poly1305.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aead_chacha20poly13052.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aead_xchacha20poly1305.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth2.Po@am__quote@ # am--include-marker
@@ -1715,6 +1762,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scalarmult5.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scalarmult6.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scalarmult7.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scalarmult8.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scalarmult_ed25519.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/secretbox.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/secretbox2.Po@am__quote@ # am--include-marker
@@ -1974,6 +2022,13 @@ aead_aes256gcm.log: aead_aes256gcm$(EXEEXT)
--log-file $$b.log --trs-file $$b.trs \
$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
"$$tst" $(AM_TESTS_FD_REDIRECT)
+aead_aes256gcm2.log: aead_aes256gcm2$(EXEEXT)
+ @p='aead_aes256gcm2$(EXEEXT)'; \
+ b='aead_aes256gcm2'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
aead_chacha20poly1305.log: aead_chacha20poly1305$(EXEEXT)
@p='aead_chacha20poly1305$(EXEEXT)'; \
b='aead_chacha20poly1305'; \
@@ -1981,6 +2036,13 @@ aead_chacha20poly1305.log: aead_chacha20poly1305$(EXEEXT)
--log-file $$b.log --trs-file $$b.trs \
$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
"$$tst" $(AM_TESTS_FD_REDIRECT)
+aead_chacha20poly13052.log: aead_chacha20poly13052$(EXEEXT)
+ @p='aead_chacha20poly13052$(EXEEXT)'; \
+ b='aead_chacha20poly13052'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
aead_xchacha20poly1305.log: aead_xchacha20poly1305$(EXEEXT)
@p='aead_xchacha20poly1305$(EXEEXT)'; \
b='aead_xchacha20poly1305'; \
@@ -2296,6 +2358,13 @@ scalarmult7.log: scalarmult7$(EXEEXT)
--log-file $$b.log --trs-file $$b.trs \
$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
"$$tst" $(AM_TESTS_FD_REDIRECT)
+scalarmult8.log: scalarmult8$(EXEEXT)
+ @p='scalarmult8$(EXEEXT)'; \
+ b='scalarmult8'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
secretbox.log: secretbox$(EXEEXT)
@p='secretbox$(EXEEXT)'; \
b='secretbox'; \
@@ -2567,7 +2636,9 @@ clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
distclean: distclean-am
-rm -f ./$(DEPDIR)/aead_aes256gcm.Po
+ -rm -f ./$(DEPDIR)/aead_aes256gcm2.Po
-rm -f ./$(DEPDIR)/aead_chacha20poly1305.Po
+ -rm -f ./$(DEPDIR)/aead_chacha20poly13052.Po
-rm -f ./$(DEPDIR)/aead_xchacha20poly1305.Po
-rm -f ./$(DEPDIR)/auth.Po
-rm -f ./$(DEPDIR)/auth2.Po
@@ -2616,6 +2687,7 @@ distclean: distclean-am
-rm -f ./$(DEPDIR)/scalarmult5.Po
-rm -f ./$(DEPDIR)/scalarmult6.Po
-rm -f ./$(DEPDIR)/scalarmult7.Po
+ -rm -f ./$(DEPDIR)/scalarmult8.Po
-rm -f ./$(DEPDIR)/scalarmult_ed25519.Po
-rm -f ./$(DEPDIR)/secretbox.Po
-rm -f ./$(DEPDIR)/secretbox2.Po
@@ -2684,7 +2756,9 @@ installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f ./$(DEPDIR)/aead_aes256gcm.Po
+ -rm -f ./$(DEPDIR)/aead_aes256gcm2.Po
-rm -f ./$(DEPDIR)/aead_chacha20poly1305.Po
+ -rm -f ./$(DEPDIR)/aead_chacha20poly13052.Po
-rm -f ./$(DEPDIR)/aead_xchacha20poly1305.Po
-rm -f ./$(DEPDIR)/auth.Po
-rm -f ./$(DEPDIR)/auth2.Po
@@ -2733,6 +2807,7 @@ maintainer-clean: maintainer-clean-am
-rm -f ./$(DEPDIR)/scalarmult5.Po
-rm -f ./$(DEPDIR)/scalarmult6.Po
-rm -f ./$(DEPDIR)/scalarmult7.Po
+ -rm -f ./$(DEPDIR)/scalarmult8.Po
-rm -f ./$(DEPDIR)/scalarmult_ed25519.Po
-rm -f ./$(DEPDIR)/secretbox.Po
-rm -f ./$(DEPDIR)/secretbox2.Po
diff --git a/test/default/aead_aes256gcm.c b/test/default/aead_aes256gcm.c
index 8f4fcb3e..1f83fdc0 100644
--- a/test/default/aead_aes256gcm.c
+++ b/test/default/aead_aes256gcm.c
@@ -3179,7 +3179,7 @@ tv(void)
printf("Message length should have been set to zero after a failure\n");
}
if (crypto_aead_aes256gcm_decrypt(decrypted, &found_message_len,
- NULL, NULL,
+ NULL, guard_page,
randombytes_uniform(crypto_aead_aes256gcm_ABYTES),
ad, ad_len, nonce, key) != -1) {
printf("Verification of test vector #%u with a truncated tag failed\n",
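Review bot: The new `guard_page` argument in the truncated-tag call has no comment, and the reason for preferring it over `NULL` is not obvious at the call site. Presumably it points at an inaccessible page set up by the test harness (its definition is not in this hunk), so that any read of a ciphertext shorter than the tag faults instead of going unnoticed. A line such as `/* shorter than the tag: must be rejected without reading the ciphertext */` above the call would record that intent. The same applies to the two `guard_page` hunks in test/default/aead_chacha20poly1305.c (`tv` and `tv_ietf`); `tv`'s body here starts and ends outside the hunk.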
diff --git a/test/default/aead_aes256gcm2.c b/test/default/aead_aes256gcm2.c
new file mode 100644
index 00000000..43170b5d
--- /dev/null
+++ b/test/default/aead_aes256gcm2.c
@@ -0,0 +1,276 @@
+
+#define TEST_NAME "aead_aes256gcm2"
+#include "cmptest.h"
+
+static struct {
+ const char *key_hex;
+ const char nonce_hex[crypto_aead_aes256gcm_NPUBBYTES * 2 + 1];
+ const char *ad_hex;
+ const char *message_hex;
+ const char *detached_ciphertext_hex;
+ const char mac_hex[crypto_aead_aes256gcm_ABYTES * 2 + 1];
+ const char *outcome;
+} tests[] = {
+ { "92ace3e348cd821092cd921aa3546374299ab46209691bc28b8752d17f123c20",
+ "00112233445566778899aabb", "00000000ffffffff", "00010203040506070809",
+ "e27abdd2d2a53d2f136b", "9a4a2579529301bcfb71c78d4060f52c", "valid" },
+ { "29d3a44f8723dc640239100c365423a312934ac80239212ac3df3421a2098123",
+ "00112233445566778899aabb", "aabbccddeeff", "", "",
+ "2a7d77fa526b8250cb296078926b5020", "valid" },
+ { "cc56b680552eb75008f5484b4cb803fa5063ebd6eab91f6ab6aef4916a766273",
+ "99e23ec48985bccdeeab60f1", "", "2a", "06",
+ "633c1e9703ef744ffffb40edf9d14355", "valid" },
+ { "51e4bf2bad92b7aff1a4bc05550ba81df4b96fabf41c12c7b00e60e48db7e152",
+ "4f07afedfdc3b6c2361823d3", "", "be3308f72a2c6aed", "cf332a12fdee800b",
+ "602e8d7c4799d62c140c9bb834876b09", "valid" },
+ { "67119627bd988eda906219e08c0d0d779a07d208ce8a4fe0709af755eeec6dcb",
+ "68ab7fdbf61901dad461d23c", "", "51f8c1f731ea14acdb210a6d973e07",
+ "43fc101bff4b32bfadd3daf57a590e", "ec04aacb7148a8b8be44cb7eaf4efa69",
+ "valid" },
+ { "59d4eafb4de0cfc7d3db99a8f54b15d7b39f0acc8da69763b019c1699f87674a",
+ "2fcb1b38a99e71b84740ad9b", "", "549b365af913f3b081131ccb6b825588",
+ "f58c16690122d75356907fd96b570fca", "28752c20153092818faba2a334640d6e",
+ "valid" },
+ { "3b2458d8176e1621c0cc24c0c0e24c1e80d72f7ee9149a4b166176629616d011",
+ "45aaa3e5d16d2d42dc03445d", "", "3ff1514b1c503915918f0c0c31094a6e1f",
+ "73a6b6f45f6ccc5131e07f2caa1f2e2f56", "2d7379ec1db5952d4e95d30c340b1b1d",
+ "valid" },
+ { "0212a8de5007ed87b33f1a7090b6114f9e08cefd9607f2c276bdcfdbc5ce9cd7",
+ "e6b1adf2fd58a8762c65f31b", "",
+ "10f1ecf9c60584665d9ae5efe279e7f7377eea6916d2b111",
+ "0843fff52d934fc7a071ea62c0bd351ce85678cde3ea2c9e",
+ "7355fde599006715053813ce696237a8", "valid" },
+ { "b279f57e19c8f53f2f963f5f2519fdb7c1779be2ca2b3ae8e1128b7d6c627fc4",
+ "98bc2c7438d5cd7665d76f6e", "c0",
+ "fcc515b294408c8645c9183e3f4ecee5127846d1",
+ "eb5500e3825952866d911253f8de860c00831c81",
+ "ecb660e1fb0541ec41e8d68a64141b3a", "valid" },
+ { "cdccfe3f46d782ef47df4e72f0c02d9c7f774def970d23486f11a57f54247f17",
+ "376187894605a8d45e30de51", "956846a209e087ed",
+ "e28e0e9f9d22463ac0e42639b530f42102fded75",
+ "feca44952447015b5df1f456df8ca4bb4eee2ce2",
+ "082e91924deeb77880e1b1c84f9b8d30", "valid" },
+ { "f32364b1d339d82e4f132d8f4a0ec1ff7e746517fa07ef1a7f422f4e25a48194",
+ "5a86a50a0e8a179c734b996d", "ab2ac7c44c60bdf8228c7884adb20184",
+ "43891bccb522b1e72a6b53cf31c074e9d6c2df8e",
+ "43dda832e942e286da314daa99bef5071d9d2c78",
+ "c3922583476ced575404ddb85dd8cd44", "valid" },
+ { "ff0089ee870a4a39f645b0a5da774f7a5911e9696fc9cad646452c2aa8595a12",
+ "bc2a7757d0ce2d8b1f14ccd9",
+ "972ab4e06390caae8f99dd6e2187be6c7ff2c08a24be16ef",
+ "748b28031621d95ee61812b4b4f47d04c6fc2ff3",
+ "a929ee7e67c7a2f91bbcec6389a3caf43ab49305",
+ "ebec6774b955e789591c822dab739e12", "valid" },
+ { "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f",
+ "000000000000000000000000", "", "561008fa07a68f5c61285cd013464eaf",
+ "23293e9b07ca7d1b0cae7cc489a973b3", "ffffffffffffffffffffffffffffffff",
+ "valid" },
+ { "00112233445566778899aabbccddeeff102132435465768798a9bacbdcedfe0f",
+ "ffffffffffffffffffffffff", "", "c6152244cea1978d3e0bc274cf8c0b3b",
+ "7cb6fc7c6abc009efe9551a99f36a421", "00000000000000000000000000000000",
+ "valid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9de8fef6d8ab1bf1bf887232eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ee8fef6d8ab1bf1bf887232eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "1ce8fef6d8ab1bf1bf887232eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce9fef6d8ab1bf1bf887232eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fe76d8ab1bf1bf887232eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d9ab1bf1bf887232eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6daab1bf1bf887232eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d8ab1b71bf887232eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d8ab1bf1be887232eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d8ab1bf13f887232eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d8ab1bf1bfa87232eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d8ab1bf1bf887332eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d8ab1bf1bf887232ebb590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d8ab1bf1bf887232e8b590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d8ab1bf1bf8872326ab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d8ab1bf1bf887232eab590dc",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d8ab1bf1bf887232eab590df",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d8ab1bf1bf887232eab5909d",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d8ab1bf1bf887232eab5905d",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9de8fef6d8ab1bf1be887232eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fe76d8ab1b71bf887232eab590dd",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9ce8fef6d8ab1b71bf887232eab5905d",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "631701092754e40e40778dcd154a6f22",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "00000000000000000000000000000000",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "ffffffffffffffffffffffffffffffff",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "1c687e76582b9b713f08f2b26a35105d",
+ "invalid" },
+ { "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+ "505152535455565758595a5b", "", "202122232425262728292a2b2c2d2e2f",
+ "b2061457c0759fc1749f174ee1ccadfa", "9de9fff7d9aa1af0be897333ebb491dc",
+ "invalid" }
+};
+
+static int
+tv(void)
+{
+ unsigned char *ad;
+ unsigned char *decrypted;
+ unsigned char *detached_ciphertext;
+ unsigned char *key;
+ unsigned char *message;
+ unsigned char *mac;
+ unsigned char *nonce;
+ size_t ad_len;
+ size_t detached_ciphertext_len;
+ size_t message_len;
+ unsigned int i;
+
+ key = (unsigned char *) sodium_malloc(crypto_aead_aes256gcm_KEYBYTES);
+ nonce = (unsigned char *) sodium_malloc(crypto_aead_aes256gcm_NPUBBYTES);
+ mac = (unsigned char *) sodium_malloc(crypto_aead_aes256gcm_ABYTES);
+
+ for (i = 0U; i < (sizeof tests) / (sizeof tests[0]); i++) {
+ assert(strlen(tests[i].key_hex) == 2 * crypto_aead_aes256gcm_KEYBYTES);
+ sodium_hex2bin(key, crypto_aead_aes256gcm_KEYBYTES, tests[i].key_hex,
+ strlen(tests[i].key_hex), NULL, NULL, NULL);
+
+ assert(strlen(tests[i].nonce_hex) ==
+ 2 * crypto_aead_aes256gcm_NPUBBYTES);
+ sodium_hex2bin(nonce, crypto_aead_aes256gcm_NPUBBYTES,
+ tests[i].nonce_hex, strlen(tests[i].nonce_hex), NULL,
+ NULL, NULL);
+
+ message_len = strlen(tests[i].message_hex) / 2;
+ message = (unsigned char *) sodium_malloc(message_len);
+ sodium_hex2bin(message, message_len, tests[i].message_hex,
+ strlen(tests[i].message_hex), NULL, NULL, NULL);
+
+ ad_len = strlen(tests[i].ad_hex) / 2;
+ ad = (unsigned char *) sodium_malloc(ad_len);
+ sodium_hex2bin(ad, ad_len, tests[i].ad_hex, strlen(tests[i].ad_hex),
+ NULL, NULL, NULL);
+
+ detached_ciphertext_len = message_len;
+ assert(strlen(tests[i].detached_ciphertext_hex) == 2 * message_len);
+ assert(strlen(tests[i].mac_hex) == 2 * crypto_aead_aes256gcm_ABYTES);
+ sodium_hex2bin(mac, crypto_aead_aes256gcm_ABYTES, tests[i].mac_hex,
+ strlen(tests[i].mac_hex), NULL, NULL, NULL);
+
+ detached_ciphertext =
+ (unsigned char *) sodium_malloc(detached_ciphertext_len);
+ sodium_hex2bin(detached_ciphertext, detached_ciphertext_len,
+ tests[i].detached_ciphertext_hex,
+ strlen(tests[i].detached_ciphertext_hex), NULL, NULL,
+ NULL);
+
+ decrypted = (unsigned char *) sodium_malloc(message_len);
+ if (crypto_aead_aes256gcm_decrypt_detached(
+ decrypted, NULL, detached_ciphertext, detached_ciphertext_len,
+ mac, ad, ad_len, nonce, key) == 0) {
+ if (strcmp(tests[i].outcome, "valid") != 0) {
+ printf("*** test case %u succeeded, was supposed to be %s\n", i,
+ tests[i].outcome);
+ }
+ if (memcmp(decrypted, message, message_len) != 0) {
+ printf("Incorrect decryption of test vector #%u\n",
+ (unsigned int) i);
+ }
+ } else {
+ if (strcmp(tests[i].outcome, "invalid") != 0) {
+ printf("*** test case %u failed, was supposed to be %s\n", i,
+ tests[i].outcome);
+ }
+ }
+
+ sodium_free(message);
+ sodium_free(ad);
+ sodium_free(decrypted);
+ sodium_free(detached_ciphertext);
+ }
+
+ sodium_free(key);
+ sodium_free(mac);
+ sodium_free(nonce);
+
+ return 0;
+}
+
+int
+main(void)
+{
+ if (crypto_aead_aes256gcm_is_available()) {
+ tv();
+ }
+ printf("OK\n");
+
+ return 0;
+}
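Review bot: None of the six `sodium_hex2bin()` calls in `tv()` has its return value checked, and only the key, nonce, tag and ciphertext lengths are asserted. A vector with a typo, or an odd-length `message_hex` or `ad_hex`, would not be decoded as written. For the entries marked "invalid", decryption would then most likely still fail and the test would print OK for the wrong reason. Checking each call, e.g. `if (sodium_hex2bin(mac, crypto_aead_aes256gcm_ABYTES, tests[i].mac_hex, strlen(tests[i].mac_hex), NULL, NULL, NULL) != 0) { printf("Bad hex in test vector #%u\n", i); }`, keeps a corrupted table from passing silently. A short header comment naming the origin of the vectors would also help; the ChangeLog entry suggests Project Wycheproof, but the file itself does not say so.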
diff --git a/test/default/aead_aes256gcm2.exp b/test/default/aead_aes256gcm2.exp
new file mode 100644
index 00000000..d86bac9d
--- /dev/null
+++ b/test/default/aead_aes256gcm2.exp
@@ -0,0 +1 @@
+OK
diff --git a/test/default/aead_chacha20poly1305.c b/test/default/aead_chacha20poly1305.c
index 30b9e66a..0a01afe1 100644
--- a/test/default/aead_chacha20poly1305.c
+++ b/test/default/aead_chacha20poly1305.c
@@ -115,7 +115,7 @@ tv(void)
}
m2len = 1;
if (crypto_aead_chacha20poly1305_decrypt(
- m2, &m2len, NULL, NULL,
+ m2, &m2len, NULL, guard_page,
randombytes_uniform(crypto_aead_chacha20poly1305_ABYTES),
NULL, 0U, nonce, firstkey) != -1) {
printf("crypto_aead_chacha20poly1305_decrypt() worked with a short "
@@ -296,7 +296,7 @@ tv_ietf(void)
}
m2len = 1;
if (crypto_aead_chacha20poly1305_ietf_decrypt(
- m2, &m2len, NULL, NULL,
+ m2, &m2len, NULL, guard_page,
randombytes_uniform(crypto_aead_chacha20poly1305_ietf_ABYTES),
NULL, 0U, nonce, firstkey) != -1) {
printf("crypto_aead_chacha20poly1305_ietf_decrypt() worked with a short "
diff --git a/test/default/aead_chacha20poly13052.c b/test/default/aead_chacha20poly13052.c
new file mode 100644
index 00000000..8c59ecaf
--- /dev/null
+++ b/test/default/aead_chacha20poly13052.c
@@ -0,0 +1,1046 @@
+
+#define TEST_NAME "aead_chacha20poly13052"
+#include "cmptest.h"
+
+static struct {
+ const char *key_hex;
+ const char nonce_hex[crypto_aead_chacha20poly1305_ietf_NPUBBYTES * 2 + 1];
+ const char *ad_hex;
+ const char *message_hex;
+ const char *detached_ciphertext_hex;
+ const char mac_hex[crypto_aead_chacha20poly1305_ietf_ABYTES * 2 + 1];
+ const char *outcome;
+} tests[] = {
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "070000004041424344454647", "50515253c0c1c2c3c4c5c6c7",
+ "4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66"
+ "202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e6520"
+ "74697020666f7220746865206675747572652c2073756e73637265656e20776f756c6420"
+ "62652069742e",
+ "d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e"
+ "8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c"
+ "9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d265"
+ "86cec64b6116",
+ "1ae10b594f09e26a7e902ecbd0600691", "valid" },
+ { "80ba3192c803ce965ea371d5ff073cf0f43b6a2ab576b208426e11409c09b9b0",
+ "4da5bf8dfd5852c1ea12379d", "", "", "",
+ "76acb342cf3166a5b63c0c0ea1383c8d", "valid" },
+ { "7a4cd759172e02eb204db2c3f5c746227df584fc1345196391dbb9577a250742",
+ "a92ef0ac991dd516a3c6f689", "bd506764f2d2c410", "", "",
+ "906fa6284b52f87b7359cbaa7563c709", "valid" },
+ { "cc56b680552eb75008f5484b4cb803fa5063ebd6eab91f6ab6aef4916a766273",
+ "99e23ec48985bccdeeab60f1", "", "2a", "3a",
+ "cac27dec0968801e9f6eded69d807522", "valid" },
+ { "46f0254965f769d52bdb4a70b443199f8ef207520d1220c55e4b70f0fda620ee",
+ "ab0dca716ee051d2782f4403", "91ca6c592cbcca53", "51", "c4",
+ "168310ca45b1f7c66cad4e99e43f72b9", "valid" },
+ { "2f7f7e4f592bb389194989743507bf3ee9cbde1786b6695fe6c025fd9ba4c100",
+ "461af122e9f2e0347e03f2db", "", "5c60", "4d13",
+ "91e8b61efb39c122195453077b22e5e2", "valid" },
+ { "c8833dce5ea9f248aa2030eacfe72bffe69a620caf793344e5718fe0d7ab1a58",
+ "61546ba5f1720590b6040ac6", "88364fc8060518bf", "ddf2", "b60d",
+ "ead0fd4697ec2e5558237719d02437a2", "valid" },
+ { "55568158d3a6483f1f7021eab69b703f614251cadc1af5d34a374fdbfc5adac7",
+ "3c4e654d663fa4596dc55bb7", "", "ab85e9c1571731", "5dfe3440dbb3c3",
+ "ed7a434e2602d394281e0afa9fb7aa42", "valid" },
+ { "e3c09e7fab1aefb516da6a33022a1dd4eb272c80d540c5da52a730f34d840d7f",
+ "58389375c69ee398de948396", "84e46be8c0919053", "4ee5cda20d4290",
+ "4bd47212941ce3", "185f1408ee7fbf18f5abad6e2253a1ba", "valid" },
+ { "51e4bf2bad92b7aff1a4bc05550ba81df4b96fabf41c12c7b00e60e48db7e152",
+ "4f07afedfdc3b6c2361823d3", "", "be3308f72a2c6aed", "8e9439a56eeec817",
+ "fbe8a6ed8fabb1937539dd6c00e90021", "valid" },
+ { "1131c1418577a054de7a4ac551950f1a053f9ae46e5b75fe4abd5608d7cddadd",
+ "b4ea666ee119563366484a78", "66c0ae70076cb14d", "a4c9c2801b71f7df",
+ "b9b910433af052b0", "4530f51aeee024e0a445a6328fa67a18", "valid" },
+ { "99b62bd5afbe3fb015bde93f0abf483957a1c3eb3ca59cb50b39f7f8a9cc51be",
+ "9a59fce26df0005e07538656", "", "42baae5978feaf5c368d14e0",
+ "ff7dc203b26c467a6b50db33", "578c0f2758c2e14e36d4fc106dcb29b4", "valid" },
+ { "85f35b6282cff440bc1020c8136ff27031110fa63ec16f1e825118b006b91257",
+ "58dbd4ad2c4ad35dd906e9ce", "a506e1a5c69093f9",
+ "fdc85b94a4b2a6b759b1a0da", "9f8816de0994e938d9e53f95",
+ "d086fc6c9d8fa915fd8423a7cf05072f", "valid" },
+ { "67119627bd988eda906219e08c0d0d779a07d208ce8a4fe0709af755eeec6dcb",
+ "68ab7fdbf61901dad461d23c", "", "51f8c1f731ea14acdb210a6d973e07",
+ "0b29638e1fbdd6df53970be2210042", "2a9134087d67a46e79178d0a93f5e1d2",
+ "valid" },
+ { "e6f1118d41e4b43fb58221b7ed79673834e0d8ac5c4fa60bbc8bc4893a58894d",
+ "d95b3243afaef714c5035b6a", "6453a53384632212",
+ "97469da667d6110f9cbda1d1a20673", "32db66c4a3819d81557455e5980fed",
+ "feae30dec94e6ad3a9eea06a0d703917", "valid" },
+ { "59d4eafb4de0cfc7d3db99a8f54b15d7b39f0acc8da69763b019c1699f87674a",
+ "2fcb1b38a99e71b84740ad9b", "", "549b365af913f3b081131ccb6b825588",
+ "e9110e9f56ab3ca483500ceabab67a13", "836ccabf15a6a22a51c1071cfa68fa0c",
+ "valid" },
+ { "b907a45075513fe8a8019edee3f2591487b2a030b03c6e1d771c862571d2ea1e",
+ "118a6964c2d3e380071f5266", "034585621af8d7ff",
+ "55a465644f5b650928cbee7c063214d6", "e4b113cb775945f3d3a8ae9ec141c00c",
+ "7c43f16ce096d0dc27c95849dc383b7d", "valid" },
+ { "3b2458d8176e1621c0cc24c0c0e24c1e80d72f7ee9149a4b166176629616d011",
+ "45aaa3e5d16d2d42dc03445d", "", "3ff1514b1c503915918f0c0c31094a6e1f",
+ "02cc3acb5ee1fcdd12a03bb857976474d3", "d83b7463a2c3800fe958c28eaa290813",
+ "valid" },
+ { "f60c6a1b625725f76c7037b48fe3577fa7f7b87b1bd5a982176d182306ffb870",
+ "f0384fb876121410633d993d", "9aaf299eeea78f79",
+ "63858ca3e2ce69887b578a3c167b421c9c",
+ "35766488d2bc7c2b8d17cbbb9abfad9e6d", "1f391e657b2738dda08448cba2811ceb",
+ "valid" },
+ { "0212a8de5007ed87b33f1a7090b6114f9e08cefd9607f2c276bdcfdbc5ce9cd7",
+ "e6b1adf2fd58a8762c65f31b", "",
+ "10f1ecf9c60584665d9ae5efe279e7f7377eea6916d2b111",
+ "42f26c56cb4be21d9d8d0c80fc99dde00d75f38074bfe764",
+ "54aa7e13d48fff7d7557039457040a3a", "valid" },
+ { "c5bc09565646e7edda954f1f739223dada20b95c44ab033d0fae4b0283d18be3",
+ "6b282ebecc541bcd7834ed55", "3e8bc5ade182ff08",
+ "9222f9018e54fd6de1200806a9ee8e4cc904d29f25cba193",
+ "123032437b4bfd6920e8f7e7e0087ae4889ebe7a0ad0e900",
+ "3cf68f179550da63d3b96c2d55411865", "valid" },
+ { "2eb51c469aa8eb9e6c54a8349bae50a20f0e382711bba1152c424f03b6671d71",
+ "04a9be03508a5f31371a6fd2", "",
+ "b053999286a2824f42cc8c203ab24e2c97a685adcc2ad32662558e55a5c729",
+ "45c7d6b53acad4abb68876a6e96a48fb59524d2c92c9d8a189c9fd2db91746",
+ "566d3ca10e311b695f3eae1551652493", "valid" },
+ { "7f5b74c07ed1b40fd14358fe2ff2a740c116c7706510e6a437f19ea49911cec4",
+ "470a339ecb3219b8b81a1f8b", "374618a06ea98a48",
+ "f45206abc25552b2abc9ab7fa243035fedaaddc3b2293956f1ea6e7156e7eb",
+ "46a80c4187024720084627580080dde5a3f4a11093a7076ed6f3d326bc7b70",
+ "534d4aa2835a52e72d14df0e4f47f25f", "valid" },
+ { "e1731d5854e1b70cb3ffe8b786a2b3ebf0994370954757b9dc8c7bc5354634a3",
+ "72cfd90ef3026ca22b7e6e6a", "",
+ "b9c554cbc36ac18ae897df7beecac1dbeb4eafa156bb60ce2e5d48f05715e678",
+ "ea29afa49d36e8760f5fe19723b9811ed5d519934a440f5081ac430b953b0e21",
+ "222541af46b86533c6b68d2ff108a7ea", "valid" },
+ { "27d860631b0485a410702fea61bc873f3442260caded4abde25b786a2d97f145",
+ "262880d475f3dac5340dd1b8", "2333e5ce0f93b059",
+ "6b2604996cd30c14a13a5257ed6cffd3bc5e29d6b97eb1799eb335e281ea451e",
+ "6dad637897544d8bf6be9507ed4d1bb2e954bc427e5de729daf50762846ff2f4",
+ "7b997d93c982189d7095dc794c746232", "valid" },
+ { "cf0d40a4644e5f51815165d5301b22631f4544c49a1878e3a0a5e8e1aae0f264",
+ "e74a515e7e2102b90bef55d2", "",
+ "973d0c753826bae466cf9abb3493152e9de7819e2bd0c71171346b4d2cebf8041aa3cedc"
+ "0dfd7b467e26228bc86c9a",
+ "fba78ae4f9d808a62e3da40be2cb7700c3613d9eb2c529c652e76a432c658d27095f0eb8"
+ "f940c324981ea935e507f9",
+ "8f046956db3a512908bd7afc8f2ab0a9", "valid" },
+ { "6cbfd71c645d184cf5d23c402bdb0d25ec54898c8a0273d42eb5be109fdcb2ac",
+ "d4d807341683825b31cd4d95", "b3e4064683b02d84",
+ "a98995504df16f748bfb7785ff91eeb3b660ea9ed3450c3d5e7b0e79ef653659a9978d75"
+ "542ef91c456762215640b9",
+ "a1ffed80761829ecce242e0e88b138049016bca018da2b6e19986b3e318cae8d806198fb"
+ "4c527cc39350ebddeac573",
+ "c4cbf0befda0b70242c640d7cd02d7a3", "valid" },
+ { "5b1d1035c0b17ee0b0444767f80a25b8c1b741f4b50a4d3052226baa1c6fb701",
+ "d61040a313ed492823cc065b", "",
+ "d096803181beef9e008ff85d5ddc38ddacf0f09ee5f7e07f1e4079cb64d0dc8f5e6711cd"
+ "4921a7887de76e2678fdc67618f1185586bfea9d4c685d50e4bb9a82",
+ "9a4ef22b181677b5755c08f747c0f8d8e8d4c18a9cc2405c12bb51bb1872c8e8b877678b"
+ "ec442cfcbb0ff464a64b74332cf072898c7e0eddf6232ea6e27efe50",
+ "9ff3427a0f32fa566d9ca0a78aefc013", "valid" },
+ { "97d635c4f47574d9998a90875da1d3a284b755b2d39297a5725235190e10a97e",
+ "d31c21aba175b70de4ebb19c", "7193f623663321a2",
+ "94ee166d6d6ecf8832437136b4ae805d428864359586d9193a25016293edba443c58e07e"
+ "7b7195ec5bd84582a9d56c8d4a108c7d7ce34e6c6f8ea1bec0567317",
+ "5fbbdecc34be201614f636031eeb42f1cace3c79a12cffd871ee8e73820c829749f1abb4"
+ "294367849fb6c2aa56bda8a3078f723d7c1c852024b017b58973fb1e",
+ "09263da7b4cb921452f97dca40f580ec", "valid" },
+ { "fe6e55bdaed1f7284ca5fc0f8c5f2b8df56dc0f49e8ca66a41995e783351f901",
+ "17c86a8abbb7e003acde2799", "",
+ "b429eb80fb8fe8baeda0c85b9c333458e7c2992e558475069d12d45c2221756412158803"
+ "2297eff56783742a5fc22d7410ffb29d66098661d76f126c3c27689e43b37267cac5a3a6"
+ "d3ab49e391da29cd3054a5692e2807e4c3ea46c8761d50f592",
+ "d0102f6c258bf49742cec34cf2d0fedf23d105fb4c84cf98515e1bc9a64f8ad5be8f0721"
+ "bde50645d00083c3a263a31053b760245f52ae2866a5ec83b19f61be1d30d5c5d9fecc4c"
+ "bbe08fd385813a2aa39a00ff9c10f7f23702add1e4b2ffa31c",
+ "41865fc71de12b19612127ce49993bb0", "valid" },
+ { "aabc063474e65c4c3e9bdc480dea97b45110c8618846ff6b15bdd2a4a5682c4e",
+ "46362f45d6379e63e5229460", "a11c40b603767330",
+ "ceb534ce50dc23ff638ace3ef63ab2cc2973eeada80785fc165d06c2f5100ff5e8ab2882"
+ "c475afcd05ccd49f2e7d8f55ef3a72e3dc51d6852b8e6b9e7aece57be6556b0b6d9413e3"
+ "3fc5fc24a9a205ad59574bb39d944a92dc47970d84a6ad3176",
+ "7545391b51de01d5c53dfaca777909063e58edee4bb1227e7110ac4d2620c2aec2f848f5"
+ "6deeb037a8dced75afa8a6c890e2dee42f950bb33d9e2424d08a505d899563973ed38870"
+ "f3de6ee2adc7fe072c366c14e2cf7ca62fb3d36bee11685461",
+ "b70d44ef8c66c5c7bbf10dcadd7facf6", "valid" },
+ { "7d00b48095adfa3272050607b264185002ba99957c498be022770f2ce2f3143c",
+ "87345f1055fd9e2102d50656", "02", "e5ccaa441bc814688f8f6e8f28b500b2",
+ "7e72f5a185af16a611921b438f749f0b", "1242c670732334029adfe1c5001651e4",
+ "valid" },
+ { "6432717f1db85e41ac7836bce25185a080d5762b9e2b18444b6ec72c3bd8e4dc",
+ "87a3163ec0598ad95b3aa713", "b648", "02cde168fba3f544bbd0332f7adeada8",
+ "85f29a719557cdd14d1f8fffab6d9e60", "732ca32becd515a1ed353f542e999858",
+ "valid" },
+ { "8e34cf73d245a1082a920b86364eb896c4946467bcb3d58929fcb36690e6394f",
+ "6f573aa86baa492ba46596df", "bd4cd02fc7502bbdbdf6c9a3cbe8f0",
+ "16ddd23ff53f3d23c06334487040eb47", "c1b295936d56fadac03e5f742bff73a1",
+ "39c457dbab66382babb3b55800cda5b8", "valid" },
+ { "cb5575f5c7c45c91cf320b139fb594237560d0a3e6f865a67d4f633f2c08f016",
+ "1a6518f02ede1da6809266d9", "89cce9fb47441d07e0245a66fe8b778b",
+ "623b7850c321e2cf0c6fbcc8dfd1aff2", "c84c9bb7c61c1bcb17772a1c500c5095",
+ "dbadf7a5138ca03459a2cd65831e092f", "valid" },
+ { "a5569e729a69b24ba6e0ff15c4627897436824c941e9d00b2e93fddc4ba77657",
+ "564dee49ab00d240fc1068c3", "d19f2d989095f7ab03a5fde84416e00c0e",
+ "87b3a4d7b26d8d3203a0de1d64ef82e3", "94bc80621ed1e71b1fd2b5c3a15e3568",
+ "333511861796978401598b963722f5b3", "valid" },
+ { "56207465b4e48e6d04630f4a42f35cfc163ab289c22a2b4784f6f9290330bee0",
+ "df8713e87ec3dbcfad14d53e",
+ "5e6470facd99c1d81e37cd44015fe19480a2a4d3352a4ff560c0640fdbda",
+ "e601b38557797da2f8a4106a089d1da6", "299b5d3f3d03c087209a16e285143111",
+ "4b454ed198de117e83ec49fa8d8508d6", "valid" },
+ { "3937986af86dafc1ba0c4672d8abc46c207062682d9c264ab06d6c5807205130",
+ "8df4b15a888c33286a7b7651",
+ "ba446f6f9a0ced22450feb10737d9007fd69abc19b1d4d9049a5551e86ec2b37",
+ "dc9e9eaf11e314182df6a4eba17aec9c", "605bbf90aeb974f6602bc778056f0dca",
+ "38ea23d99054b46b42ffe004129d2204", "valid" },
+ { "36372abcdb78e0279646ac3d176b9674e9154eecf0d5469c651ec7e16b4c1199",
+ "be40e5f1a11817a0a8fa8949",
+ "d41a828d5e71829247021905402ea257dccbc3b80fcd5675056b68bb59e62e8873",
+ "81ce84ede9b35859cc8c49a8f6be7dc6", "7b7ce0d824809a70de32562ccf2c2bbd",
+ "15d44a00ce0d19b4231f921e22bc0a43", "valid" },
+ { "9f1479ed097d7fe529c11f2f5add9aaff4a1ca0b68997a2cb7f79749bd90aaf4",
+ "84c87dae4eee27730ec35d12",
+ "3f2dd49bbf09d69a78a3d80ea2566614fc379474196c1aae84583da73d7ff85c6f42ca42"
+ "056a9792cc1b9fb3c7d261",
+ "a66747c89e857af3a18e2c79500087ed", "ca82bff3e2f310ccc976672c4415e69b",
+ "57638c62a5d85ded774f913c813ea032", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "00000000000000000000000000000000",
+ "256d40888094178355d304846443fee8df99470303fb3b7b80e030beebd329be",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "e6d3d7324a1cbba777bbb0ecdda37807", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "00000000000000000000000000000000",
+ "256d40888094178355d304846443fee8df99470303fb3b7b80e030beebd329bee3bcdb5b"
+ "1edefcfe8bcda1b6a15c8c2b0869ffd2ec5e26e553b7b227fe87fdbd",
+ "000000000000000000000000000000000000000000000000000000000000000000000000"
+ "00000000000000000000000000000000000000000000000000000000",
+ "062de6795f274fd2a305d76980bc9cce", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "00000000000000000000000000000000",
+ "256d40888094178355d304846443fee8df99470303fb3b7b80e030beebd329bee3bcdb5b"
+ "1edefcfe8bcda1b6a15c8c2b0869ffd2ec5e26e553b7b227fe87fdbd7ada44424269bffa"
+ "5527f270acf68502b74c5ae2e60c0580981a4938459392c49bb2f284b646efc7f3f0b136"
+ "1dc348ed77d30bc57692ed38fbac0188380488c7",
+ "000000000000000000000000000000000000000000000000000000000000000000000000"
+ "000000000000000000000000000000000000000000000000000000000000000000000000"
+ "000000000000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000",
+ "d8b47902baaeafb34203051529af282e", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "ffffffffffffffffffffffffffffffff",
+ "da92bf777f6be87caa2cfb7b9bbc01172066b8fcfc04c4847f1fcf41142cd641",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "b3891c849cb52c27747edfcf31213bb6", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "ffffffffffffffffffffffffffffffff",
+ "da92bf777f6be87caa2cfb7b9bbc01172066b8fcfc04c4847f1fcf41142cd6411c4324a4"
+ "e121030174325e495ea373d4f796002d13a1d91aac484dd801780242",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "f0c12d26ef03029b62c008da27c5dc68", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "ffffffffffffffffffffffffffffffff",
+ "da92bf777f6be87caa2cfb7b9bbc01172066b8fcfc04c4847f1fcf41142cd6411c4324a4"
+ "e121030174325e495ea373d4f796002d13a1d91aac484dd8017802428525bbbdbd964005"
+ "aad80d8f53097afd48b3a51d19f3fa7f67e5b6c7ba6c6d3b644d0d7b49b910380c0f4ec9"
+ "e23cb712882cf43a896d12c70453fe77c7fb7738",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffff",
+ "ee65783001c25691fa28d0f5f1c1d762", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "00000080000000800000008000000080",
+ "256d40088094170355d304046443fe68df99478303fb3bfb80e0303eebd3293e",
+ "0000008000000080000000800000008000000080000000800000008000000080",
+ "79ba7a29f5a7bb75797af87a610129a4", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "00000080000000800000008000000080",
+ "256d40088094170355d304046443fe68df99478303fb3bfb80e0303eebd3293ee3bcdbdb"
+ "1edefc7e8bcda136a15c8cab0869ff52ec5e266553b7b2a7fe87fd3d",
+ "000000800000008000000080000000800000008000000080000000800000008000000080"
+ "00000080000000800000008000000080000000800000008000000080",
+ "36b1743819e1b9ba1551e8ed922a959a", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "00000080000000800000008000000080",
+ "256d40088094170355d304046443fe68df99478303fb3bfb80e0303eebd3293ee3bcdbdb"
+ "1edefc7e8bcda136a15c8cab0869ff52ec5e266553b7b2a7fe87fd3d7ada44c24269bf7a"
+ "5527f2f0acf68582b74c5a62e60c0500981a49b8459392449bb2f204b646ef47f3f0b1b6"
+ "1dc3486d77d30b457692edb8fbac010838048847",
+ "000000800000008000000080000000800000008000000080000000800000008000000080"
+ "000000800000008000000080000000800000008000000080000000800000008000000080"
+ "000000800000008000000080000000800000008000000080000000800000008000000080"
+ "0000008000000080000000800000008000000080",
+ "feac4955554e806f3a1902e24432c08a", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "ffffff7fffffff7fffffff7fffffff7f",
+ "da92bff77f6be8fcaa2cfbfb9bbc01972066b87cfc04c4047f1fcfc1142cd6c1",
+ "ffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7f",
+ "20a3798df1292c5972bf9741aec38a19", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "ffffff7fffffff7fffffff7fffffff7f",
+ "da92bff77f6be8fcaa2cfbfb9bbc01972066b87cfc04c4047f1fcfc1142cd6c11c432424"
+ "e121038174325ec95ea37354f79600ad13a1d99aac484d58017802c2",
+ "ffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7f"
+ "ffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7f",
+ "c03d9f67354a97b2f074f7551557e49c", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "ffffff7fffffff7fffffff7fffffff7f",
+ "da92bff77f6be8fcaa2cfbfb9bbc01972066b87cfc04c4047f1fcfc1142cd6c11c432424"
+ "e121038174325ec95ea37354f79600ad13a1d99aac484d58017802c28525bb3dbd964085"
+ "aad80d0f53097a7d48b3a59d19f3faff67e5b647ba6c6dbb644d0dfb49b910b80c0f4e49"
+ "e23cb792882cf4ba896d12470453fef7c7fb77b8",
+ "ffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7f"
+ "ffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7f"
+ "ffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7f"
+ "ffffff7fffffff7fffffff7fffffff7fffffff7f",
+ "c86da8dd652286d50213d328d63e4006", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "7fffffff7fffffff7fffffff7fffffff",
+ "5a92bf77ff6be87c2a2cfb7b1bbc0117a066b8fc7c04c484ff1fcf41942cd641",
+ "7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff",
+ "bede9083ceb36ddfe5fa811f95471c67", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "7fffffff7fffffff7fffffff7fffffff",
+ "5a92bf77ff6be87c2a2cfb7b1bbc0117a066b8fc7c04c484ff1fcf41942cd6419c4324a4"
+ "61210301f4325e49dea373d47796002d93a1d91a2c484dd881780242",
+ "7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff"
+ "7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff",
+ "300874bb0692b689dead9ae15b067390", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "7fffffff7fffffff7fffffff7fffffff",
+ "5a92bf77ff6be87c2a2cfb7b1bbc0117a066b8fc7c04c484ff1fcf41942cd6419c4324a4"
+ "61210301f4325e49dea373d47796002d93a1d91a2c484dd8817802420525bbbd3d964005"
+ "2ad80d8fd3097afdc8b3a51d99f3fa7fe7e5b6c73a6c6d3be44d0d7bc9b910388c0f4ec9"
+ "623cb712082cf43a096d12c78453fe7747fb7738",
+ "7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff"
+ "7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff"
+ "7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff"
+ "7fffffff7fffffff7fffffff7fffffff7fffffff",
+ "99cad85f45ca40942d0d4d5e950ade22", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "00000000ffffffff00000000ffffffff",
+ "256d40887f6be87c55d304849bbc0117df994703fc04c48480e030be142cd641",
+ "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff",
+ "8bbe145272e7c2d9a1891a3ab0983d9d", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "00000000ffffffff00000000ffffffff",
+ "256d40887f6be87c55d304849bbc0117df994703fc04c48480e030be142cd641e3bcdb5b"
+ "e12103018bcda1b65ea373d40869ffd213a1d91a53b7b22701780242",
+ "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000"
+ "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff",
+ "3b41861913a8f6de7f61e225631bc382", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "00000000ffffffff00000000ffffffff",
+ "256d40887f6be87c55d304849bbc0117df994703fc04c48480e030be142cd641e3bcdb5b"
+ "e12103018bcda1b65ea373d40869ffd213a1d91a53b7b227017802427ada4442bd964005"
+ "5527f27053097afdb74c5ae219f3fa7f981a4938ba6c6d3b9bb2f28449b91038f3f0b136"
+ "e23cb71277d30bc5896d12c7fbac0188c7fb7738",
+ "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000"
+ "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff"
+ "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000"
+ "ffffffff00000000ffffffff00000000ffffffff",
+ "8428bcf023ec6bf31fd9efb203ff0871", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "ffffffff00000000ffffffff00000000",
+ "da92bf7780941783aa2cfb7b6443fee82066b8fc03fb3b7b7f1fcf41ebd329be",
+ "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000",
+ "139fdf6474ea24f549b075825f2c7620", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "ffffffff00000000ffffffff00000000",
+ "da92bf7780941783aa2cfb7b6443fee82066b8fc03fb3b7b7f1fcf41ebd329be1c4324a4"
+ "1edefcfe74325e49a15c8c2bf796002dec5e26e5ac484dd8fe87fdbd",
+ "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff"
+ "00000000ffffffff00000000ffffffff00000000ffffffff00000000",
+ "bbad8d863b835a8e8664fd1d4566b6b4", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000000000000000001ee3200", "ffffffff00000000ffffffff00000000",
+ "da92bf7780941783aa2cfb7b6443fee82066b8fc03fb3b7b7f1fcf41ebd329be1c4324a4"
+ "1edefcfe74325e49a15c8c2bf796002dec5e26e5ac484dd8fe87fdbd8525bbbd4269bffa"
+ "aad80d8facf6850248b3a51de60c058067e5b6c7459392c4644d0d7bb646efc70c0f4ec9"
+ "1dc348ed882cf43a7692ed380453fe77380488c7",
+ "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff"
+ "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000"
+ "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffffff"
+ "00000000ffffffff00000000ffffffff00000000",
+ "42f2354297849a511d53e5571772f71f", "valid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a2e3fdf9fba6861b5ad2607f40b7f447", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a1e3fdf9fba6861b5ad2607f40b7f447", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "23e3fdf9fba6861b5ad2607f40b7f447", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e2fdf9fba6861b5ad2607f40b7f447", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fd79fba6861b5ad2607f40b7f447", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fdf9faa6861b5ad2607f40b7f447", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fdf9f9a6861b5ad2607f40b7f447", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fdf9fba6869b5ad2607f40b7f447", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fdf9fba6861b5bd2607f40b7f447", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fdf9fba6861b5af2607f40b7f447", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fdf9fba6861b5ad2617f40b7f447", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fdf9fba6861b5ad2607f41b7f447", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fdf9fba6861b5ad2607f42b7f447", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fdf9fba6861b5ad2607f40b7f446", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fdf9fba6861b5ad2607f40b7f445", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fdf9fba6861b5ad2607f40b7f407", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fdf9fba6861b5ad2607f40b7f4c7", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "a3e3fdf9fba6869b5ad2607f40b7f4c7", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "00000000000000000000000000000000", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "", "",
+ "ffffffffffffffffffffffffffffffff", "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "26da374f17b7f1b23844a5490bfc4001",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "25da374f17b7f1b23844a5490bfc4001",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "a7da374f17b7f1b23844a5490bfc4001",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27db374f17b7f1b23844a5490bfc4001",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da37cf17b7f1b23844a5490bfc4001",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da374f16b7f1b23844a5490bfc4001",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da374f15b7f1b23844a5490bfc4001",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da374f17b7f1323844a5490bfc4001",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da374f17b7f1b23944a5490bfc4001",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da374f17b7f1b23864a5490bfc4001",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da374f17b7f1b23844a4490bfc4001",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da374f17b7f1b23844a5490afc4001",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da374f17b7f1b23844a54909fc4001",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da374f17b7f1b23844a5490bfc4000",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da374f17b7f1b23844a5490bfc4003",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da374f17b7f1b23844a5490bfc4041",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da374f17b7f1b23844a5490bfc4081",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "27da374f17b7f1323844a5490bfc4081",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "00000000000000000000000000000000",
+ "invalid" },
+ { "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
+ "000102030405060708090a0b", "616164", "00000000000000000000000000000000",
+ "2cf8ae525fc86025268a4e1d88bead19", "ffffffffffffffffffffffffffffffff",
+ "invalid" },
+ { "3030303030303030303030303030303030303030303030303030303030303030",
+ "30303030303030300002506e",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "d4500bf009493551c380adf52c573a69df7e8b762463330facc16a5726be7190c63c5a1c"
+ "926584a096756828dcdc64acdf963d931bf1dae238f3f157224ac4b542d785b0dd84db6b"
+ "e3bc5a3663e84149ffbed09e54f78f16a8223b24cb019f58b21b0e551e7aa07327629551"
+ "376ccbc3937671a0629bd95c9915c78555771e7a",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffff",
+ "0b300d8da56c2185755279553c4c82ca", "valid" },
+ { "3030303030303030303030303030303030303030303030303030303030303030",
+ "3030303030303030000318a5",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "7de87f6729945275d0655da4c7fde4569e16f111b5eb26c22d859e3ff822eced3a6dd9a6"
+ "0f22957f7b7c857e8822eb9fe0b8d7022141f2d0b48f4b5612d322a88dd0fe0b4d917932"
+ "4f7c6c9e990efbd80e5ed6775826498b1efe0f71a0f3ec5b29cb28c2540a7dcd51b7daae"
+ "e0ff4a7f3ac1ee54c29ee4c170de408f66692194",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffff",
+ "c578e2aa44d309b7b6a5193bdc6118f5", "valid" },
+ { "3030303030303030303030303030303030303030303030303030303030303030",
+ "00000000000000000007b4f0",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "1b996f9a3ccc6785de22ff5b8add9502ce03a0faf5992a09522cdd1206d220b8f8bd07d1"
+ "f1f5a1bd9a71d11c7f579b855818c08d4de036393183b7f590b335aed8de5b57b13c5fed"
+ "e2441c3e184aa9d46e61598506b3e11c43c62cbcaceced33190875b012218b1930fb7c38"
+ "ec45ac11c353d0cf938dccb9efad8fedbe46daa5",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffff",
+ "4b0bda8ad043830d8319ab82c50c7663", "valid" },
+ { "3030303030303030303030303030303030303030303030303030303030303030",
+ "00000000000000000020fb66",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "86cbacae4d3f74ae01213e0551cc15160ea1be8408e3d5d74f01464995a69e6176cb9e02"
+ "b2247ed299892f9182a45caf4c69405611766edfafdc285519ea30480c44f05e781eacf8"
+ "fcecc7090abb28fa5fd585ac8cda7e8772e594e4ce6c883281932e0f89f877a1f04d9c32"
+ "b06cf90b0e762b430c4d517c97107068f498ef7f",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffff",
+ "4bc98f72c494c2a43c2b15a1043f1cfa", "valid" },
+ { "3030303030303030303030303030303030303030303030303030303030303030",
+ "00000000000000000038bb90",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "fab1cddf4fe198ef63add881d6ead6c57637bbe92018ca7c0b96fba0871e932db1fbf907"
+ "61be25df8dfaf931ce5757e617b3d7a9f0bf0ffe5d591a33c143b8f53fd0b5a19609fd62"
+ "e5c251a4281a200cfdc34f281710406f4e37625446ff6ef224913deb0d89af337128e3d1"
+ "55d16d3ec3246041432143e9ab3a6d2ccc2f4d62",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffff",
+ "f7e9e151b02533c74658bfc7737c680d", "valid" },
+ { "3030303030303030303030303030303030303030303030303030303030303030",
+ "00000000000000000070484a",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "227202be7f3515e9d1c02eea2f1950b6481b048a4c91506cb40d504e6c949f82d197c25a"
+ "d17dc721651125782ac7a71247feaef32f1f250ce4bb8f79acaa179d45a7b0545f092432"
+ "5efa87d5e441d28478c61f2223ee67c3b41f4394535e2a24369a2e16613c459490c14fb1"
+ "d755fe53fbe1ee45b1b21f7162e2fcaa742abefd",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffff",
+ "795bcff647c553c2e4eb6e0eafd9e04e", "valid" },
+ { "3030303030303030303030303030303030303030303030303030303030303030",
+ "000000000000000000932f40",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "fae58345c16cb0f5cc537f2b1b3469c969463b3ea71bcf6b98d669a8e60e04fc08d5fd06"
+ "9c362638e3400ef4cb242e27e2245e68cb9ec583da5340b12edf423b7326ad20feeb57da"
+ "ca2e0467a32899b42df8e56d84e006bc8a7acc731e7c1f6becb5719f7077f0d4f4c61ab1"
+ "1ebac1001801ce33c4e4a77d831d3ce34e8410e1",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffff",
+ "1946d653960f947a74d3e8093cf48502", "valid" },
+ { "3030303030303030303030303030303030303030303030303030303030303030",
+ "000000000000000000e29335",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "ebb216ddd7ca709215f503df9ce63c5cd2194e7d9099e8a90b2afaad5eba35069925a603"
+ "fdbc341aaed41505b10941fa3856a7e247b1040709746cfc2096caa631b2fff41c250506"
+ "d889c1c90671ade853ee6394c19192a5cf3710d1073099e5bc946582fc0fab9f543c716a"
+ "e2486a8683fdca39d2e14f23d00a582664f4ecb1",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffff",
+ "36c3002985dd21baf895d633573f12c0", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000000ef7d5",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "408ae6ef1c7ef0fb2c2d610816fc7849efa58f78273f5f166ea65f81b575747d035b3040"
+ "fede1eb9459788669788408e00413b3e376d152d204aa2b7a83558fcd48a0ef7a26b1cd6"
+ "d35d23b3f5dfe0ca77a4ce32b94abf83da2aefcaf068380879e89fb0a3829595cf44c385"
+ "2ae2cc662b689f9355d9c183801f6acc313f8907",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffff",
+ "6514518e0a264142e0b7351f967fc2ae", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000003dfce4",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "0a0a24499bcade58cf1576c312aca984718cb4cc7e0153f5a9015810859644dfc021174e"
+ "0b060a397448de8b484a8603be680a6934c0906f30dd17eae2d4c5faa777f8ca53370e08"
+ "331b88c342bac959787bbb33930e3b56be86da7f2a6eb1f94089d1d181074d4302f8e055"
+ "2d0de1fab306a21b42d4c3ba6e6f0cbcc81e877a",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffff",
+ "4c194da6a99fd65b40e9cad798f44b19", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000018486a8",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "4a0aaff8494729188691701340f3ce2b8a78eed3a0f065994b72484e7991d25c29aa075e"
+ "b1fc16de93fe069058112ab284a3ed18780326d1258a47222fa633d8b29f3bd9150b239b"
+ "1546c2bb9b9f410febead396000ee477701532c3d0f5fbf895d280196d2f737c5e9fec50"
+ "d92bb0df5d7e513be5b8ea971310d5bf16ba7aee",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffff",
+ "c8ae7788cd2874abc138541e11fd0587", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "ff9428d079351f665cd001354319875c783d35f613e6d9093d38e975c38fe3b89f7aed35"
+ "cb5a2fcaa0346efb936554649cf6378171eae4396ea15dc240d1abf4472d9096524fa1b2"
+ "b023b8b288222773d4d206616f9293f65b45dbbc74e7c2edfbcbbf1cfb679bb739a5862d"
+ "e2bcb937f74d5bf8671c5a8a5092f61d54c9aa5b",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffff",
+ "933a5163c7f62368327b3fbc1036c943", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000102030405060708090a0b",
+ "85ffffffffffffffffffffffffffffffa6902fcbc883bbc180b256ae34ad7f00",
+ "9a49c40f8b48d7c66d1db4e53f20f2dd4aaa241ddab26b5bc0e218b72c3390f2df3ebd01"
+ "76704419972bcdbc6bbcb3e4e74a71528ef51263ce24e0d575e0e44d",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "000102030405060708090a0b0c0d0e0f", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000102030405060708090a0b",
+ "ffffffffffffffffffffffffffffffff247e50642a1c0a2f8f77219609dba958",
+ "9a49c40f8b48d7c66d1db4e53f20f2dd4aaa241ddab26b5bc0e218b72c3390f2df3ebd01"
+ "76704419972bcdbc6bbcb3e4e74a71528ef51263ce24e0d575e0e44d",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "00000000000000000000000000000000", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000102030405060708090a0b",
+ "7cffffffffffffffffffffffffffffffd9e72c064ac8961f3fa585e0e2abd600",
+ "9a49c40f8b48d7c66d1db4e53f20f2dd4aaa241ddab26b5bc0e218b72c3390f2df3ebd01"
+ "76704419972bcdbc6bbcb3e4e74a71528ef51263ce24e0d575e0e44d",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "ffffffffffffffffffffffffffffffff", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000102030405060708090a0b",
+ "65ffffffffffffffffffffffffffffff95af0f4d0b686eaeccca4307d596f502",
+ "9a49c40f8b48d7c66d1db4e53f20f2dd4aaa241ddab26b5bc0e218b72c3390f2df3ebd01"
+ "76704419972bcdbc6bbcb3e4e74a71528ef51263ce24e0d575e0e44d",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "00000080000000800000008000000080", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000102030405060708090a0b",
+ "ffffffffffffffffffffffffffffffff8540b464357707be3a39d55c34f8bcb3",
+ "9a49c40f8b48d7c66d1db4e53f20f2dd4aaa241ddab26b5bc0e218b72c3390f2df3ebd01"
+ "76704419972bcdbc6bbcb3e4e74a71528ef51263ce24e0d575e0e44d",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "ffffff7fffffff7fffffff7fffffff7f", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000102030405060708090a0b",
+ "4fffffffffffffffffffffffffffffff6623d990b898d830d212af2383330701",
+ "9a49c40f8b48d7c66d1db4e53f20f2dd4aaa241ddab26b5bc0e218b72c3390f2df3ebd01"
+ "76704419972bcdbc6bbcb3e4e74a71528ef51263ce24e0d575e0e44d",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "01000000010000000100000001000000", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "000102030405060708090a0b",
+ "83ffffffffffffffffffffffffffffff5f16d09f17787211b7d484e024f89701",
+ "9a49c40f8b48d7c66d1db4e53f20f2dd4aaa241ddab26b5bc0e218b72c3390f2df3ebd01"
+ "76704419972bcdbc6bbcb3e4e74a71528ef51263ce24e0d575e0e44d",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "ffffffff000000000000000000000000", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "005235d2a919f28d3db7664a34ae6b444d3d35f613e6d9093d38e975c38fe3b85b8b9450"
+ "9e2b74a36d346e33d572659ba9f6378171eae4396ea15dc240d1abf483dce9f3073efadb"
+ "7d23b87ace35168c",
+ "0039e2fd2fd312149e989880884813e7caffffffffffffffffffffffffffffff3b0e869a"
+ "aa8ea49632ffff37b9e8ce00caffffffffffffffffffffffffffffff3b0e869aaa8ea496"
+ "32ffff37b9e8ce00",
+ "a519ac1a35b4a57787510af78d8d200a", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "d39428d079351f665cd001354319875ce5da78766fa19290c031f75208506745ae7aed35"
+ "cb5a2fcaa0346efb93655464496ddeb05509c6efffab75eb2df4ab09762d9096524fa1b2"
+ "b023b8b2882227730149ef504b71b120ca4ff39519c2c210",
+ "d3ffffffffffffffffffffffffffffff6218b27f83b8b46602f6e1d834207b02ceffffff"
+ "ffffffffffffffffffffffff2a6416cedb1cdd296ef5d7d692daff02ceffffffffffffff"
+ "ffffffffffffffff2a6416cedb1cdd296ef5d7d692daff02",
+ "302fe82ab0a09af64400d015ae83d9cc", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "e99428d079351f665cd001354319875c6df1394edc539b5b3a0957be0fb85946807aed35"
+ "cb5a2fcaa0346efb93655464d1769fe806bbfeb6f590950f2eac9e0a582d9096524fa1b2"
+ "b023b8b2882227739952ae0818c38979c07413711a9af713",
+ "e9ffffffffffffffffffffffffffffffea33f347304abdadf8ce413433c84501e0ffffff"
+ "ffffffffffffffffffffffffb27f579688aee57064ce37329182ca01e0ffffffffffffff"
+ "ffffffffffffffffb27f579688aee57064ce37329182ca01",
+ "98a7e836e0ee4d023500d0557ec2cbe0", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "ff9428d079351f665cd001354319875c64f90f5b2692b860d4596ff4b3402c5c00b9bb53"
+ "707aa667d356fe50c7199694033561e7caca6d941dc3cd6914ad6904",
+ "ffffffffffffffffffffffffffffffffe33bc552ca8b9e96169e797e8f30301b603ca999"
+ "44df76528c9d6f54ab833d0f603ca99944df76528c9d6f54ab833d0f",
+ "6ab8dce2c59da4737130b0252f68a8d8", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "689428d079351f665cd001354319875cb08f25675b9bcbf6e38407de2ec75a479f7aed35"
+ "cb5a2fcaa0346efb936554642d2af7cd6b080501d31ba54fb2eb7596472d9096524fa1b2"
+ "b023b8b288222773650ec62d757072cee6ff233186dd1c8f",
+ "68ffffffffffffffffffffffffffffff374def6eb782ed002143115412b74600ffffffff"
+ "ffffffffffffffffffffffff4e233fb3e51d1ec7424507720dc5219dffffffffffffffff"
+ "ffffffffffffffff4e233fb3e51d1ec7424507720dc5219d",
+ "044dea608880412bfdffcf35579e9b26", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "6d9428d079351f665cd001354319875ca161b5ab040900629efeff78d7d86b459f7aed35"
+ "cb5a2fcaa0346efb93655464c6f8078cc8ef12a0ff657d6d08db10b8472d9096524fa1b2"
+ "b023b8b2882227738edc366cd697656fca81fb133ced79a1",
+ "6dffffffffffffffffffffffffffffff26a37fa2e81026945c39e9f2eba87702ffffffff"
+ "ffffffffffffffffffffffffa5f1cff246fa09666e3bdf50b7f544b3ffffffffffffffff"
+ "ffffffffffffffffa5f1cff246fa09666e3bdf50b7f544b3",
+ "1e6bea6314542e2ef9ffcf450b2e982b", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "ff9428d079351f665cd001354319875cfc01b891e5f0f9128d7d1c579192b69863414415"
+ "b69968959a7291b7a5af134860cd9ea10c29a36654e7a28e761becd8",
+ "ffffffffffffffffffffffffffffffff7bc3729809e9dfe44fba0addade2aadf03c456df"
+ "823cb8a0c5b900b3c935b8d303c456df823cb8a0c5b900b3c935b8d3",
+ "ed2017c8dba4775629049d786e3bceb1", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "ff9428d079351f665cd001354319875c6b6dc9d21a819e70b577f44137d3d6bd1335f5eb"
+ "44494077b26449a54b6c7c7510b92f5ffef98b847cf17a9c98d883e5",
+ "ffffffffffffffffffffffffffffffffecaf03dbf698b88677b0e2cb0ba3cafa73b0e721"
+ "70ec9042edafd8a127f6d7ee73b0e72170ec9042edafd8a127f6d7ee",
+ "073f17cb6778645925049d8822cbcab6", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "ffcb2b1106f8234c5e99d4db4c7048de323d35f613e6d9093d38e975c38fe3b816e9884a"
+ "114f0e9266cea3885fe36b9fd6f6378171eae4396ea15dc240d1abf4cebef5e9885a80ea"
+ "76d975c144a41888",
+ "ffa0fc3e8032c3d5fdb62a11f096307db5ffffffffffffffffffffffffffffff766c9a80"
+ "25eadea73905328c3379c004b5ffffffffffffffffffffffffffffff766c9a8025eadea7"
+ "3905328c3379c004",
+ "8b9bb4b4861289658c696a8340150405", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "6f9e70ed3b8baca026e46a5a0943158d213d35f613e6d9093d38e975c38fe3b80c612c5e"
+ "8d89a873dbcaad5b7346429bc5f6378171eae4396ea15dc240d1abf4d43651fd149c260b"
+ "cbdd7b126801318c",
+ "6ff5a7c2bd414c3985cb9490b5a56d2ea6ffffffffffffffffffffffffffffff6ce43e94"
+ "b92c784684013c5f1fdce900a6ffffffffffffffffffffffffffffff6ce43e94b92c7846"
+ "84013c5f1fdce900",
+ "8b3bbd51644459568d81ca1fa72ce404", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "412b080a3e19c10d44a1af1eabdeb4ce353d35f613e6d9093d38e975c38fe3b86b839433"
+ "0921486ca11d291c3e97ee9ad1f6378171eae4396ea15dc240d1abf4b3d4e9909034c614"
+ "b10aff5525d09d8d",
+ "4140df25b8d32194e78e51d41738cc6db2ffffffffffffffffffffffffffffff0b0686f9"
+ "3d849859fed6b818520d4501b2ffffffffffffffffffffffffffffff0b0686f93d849859"
+ "fed6b818520d4501",
+ "86fbab2b4a94f47aa56f0aea65d11008", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "b247a74723491aacacaad709c91e932b313d35f613e6d9093d38e975c38fe3b89ade04e7"
+ "5bb701d9660601b34765de98d5f6378171eae4396ea15dc240d1abf442897944c2a28fa1"
+ "7611d7fa5c22ad8f",
+ "b22c7068a583fa350f8529c375f8eb88b6fffffffffffffffffffffffffffffffa5b162d"
+ "6f12d1ec39cd90b72bff7503b6fffffffffffffffffffffffffffffffa5b162d6f12d1ec"
+ "39cd90b72bff7503",
+ "a019ac2ed667e17da16f0afa19610d0d", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "740f9e49f610efa585b659ca6ed8b4992d3d35f613e6d9093d38e975c38fe3b8412d96af"
+ "be80ec3e79d451b00a2db29ac9f6378171eae4396ea15dc240d1abf4997aeb0c27956246"
+ "69c387f9116ac18d",
+ "7464496670da0f3c2699a700d23ecc3aaaffffffffffffffffffffffffffffff21a88465"
+ "8a253c0b261fc0b466b71901aaffffffffffffffffffffffffffffff21a884658a253c0b"
+ "261fc0b466b71901",
+ "736e18181696a5889c3159faabab20fd", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "adba5d105bc8aa062c2336cb889ddbd5373d35f613e6d9093d38e975c38fe3b8177c5ffe"
+ "2875f468f6c2965748f3599ad3f6378171eae4396ea15dc240d1abf4cf2b225db1607a10"
+ "e6d5401e53b42a8d",
+ "add18a3fdd024a9f8f0cc801347ba376b0ffffffffffffffffffffffffffffff77f94d34"
+ "1cd0245da90907532469f201b0ffffffffffffffffffffffffffffff77f94d341cd0245d"
+ "a90907532469f201",
+ "bad58f10a91e6a889aba32fd17d8331a", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "fe9428d079351f665cd001354319875cc001edc5da442e719bce9abe273af144b47aed35"
+ "cb5a2fcaa0346efb9365546448025f41fa4e336c786957a2a7c4930a6c2d9096524fa1b2"
+ "b023b8b28822277300266ea1e43644a34d8dd1dc93f2fa13",
+ "feffffffffffffffffffffffffffffff47c327cc365d088759098c341b4aed03d4ffffff"
+ "ffffffffffffffffffffffff2b0b973f745b28aae937f59f18eac701d4ffffffffffffff"
+ "ffffffffffffffff2b0b973f745b28aae937f59f18eac701",
+ "d68ce174079add028dd05cf814630488", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "b513b06ab9ac14435acb8aa3a37afdb6543d35f613e6d9093d38e975c38fe3b861950193"
+ "b1bf0311ff117989aed9a999b0f6378171eae4396ea15dc240d1abf4b9c27c3028aa8d69"
+ "ef06afc0b59eda8e",
+ "b57867453f66f4daf9e474691f9c8515d3ffffffffffffffffffffffffffffff01101359"
+ "851ad324a0dae88dc2430202d3ffffffffffffffffffffffffffffff01101359851ad324"
+ "a0dae88dc2430202",
+ "aa48a3887d4b059699c2fdf9c6787e0a", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "ff9428d079351f665cd001354319875cd4f109e814cea85a08c011d850dd1dcbcf7aed35"
+ "cb5a2fcaa0346efb936554645340b85a9aa08296b77a5fc3961f660f172d9096524fa1b2"
+ "b023b8b2882227731b6489ba84d8f559829ed9bda2290f16",
+ "ffffffffffffffffffffffffffffffff5333c3e1f8d78eacca0707526cad018cafffffff"
+ "ffffffffffffffffffffffff3049702414b599502624fdfe29313204afffffffffffffff"
+ "ffffffffffffffff3049702414b599502624fdfe29313204",
+ "b936a817f2211af129e2cf160fd42bcb", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "ff9428d079351f665cd001354319875cdf4c62032d4119b588477e99925a56d9d67aed35"
+ "cb5a2fcaa0346efb93655464fa84f0645536421b2bb9246ec219ed0b0e2d9096524fa1b2"
+ "b023b8b288222773b2a0c1844b4e35d41e5da210f62f8412",
+ "ffffffffffffffffffffffffffffffff588ea80ac1583f434a806813ae2a4a9eb6ffffff"
+ "ffffffffffffffffffffffff998d381adb2359ddbae786537d37b900b6ffffffffffffff"
+ "ffffffffffffffff998d381adb2359ddbae786537d37b900",
+ "9f7ac4351f6b91e63097a713115d05be", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "ff9428d079351f665cd001354319875c13f80a006dc1bbdad639a92fc7eca655f77aed35"
+ "cb5a2fcaa0346efb936554646348b8fd29bf96d563a517e27d7bfc0f2f2d9096524fa1b2"
+ "b023b8b2882227732b6c891d37c7e11a5641919c494d9516",
+ "ffffffffffffffffffffffffffffffff943ac00981d89d2c14febfa5fb9cba1297ffffff"
+ "ffffffffffffffffffffffff00417083a7aa8d13f2fbb5dfc255a80497ffffffffffffff"
+ "ffffffffffffffff00417083a7aa8d13f2fbb5dfc255a804",
+ "9a18a828070269f44700d009e7171cc9", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "ff9428d079351f665cd001354319875c82e59b4582915038f933811e652dc66afc7aed35"
+ "cb5a2fcaa0346efb93655464b671c8cac270c265a0ac2f535799880a242d9096524fa1b2"
+ "b023b8b288222773fe55f92adc08b5aa9548a92d63afe113",
+ "ffffffffffffffffffffffffffffffff0527514c6e8876ce3bf49794595dda2d9cffffff"
+ "ffffffffffffffffffffffffd57800b44c65d9a331f28d6ee8b7dc019cffffffffffffff"
+ "ffffffffffffffffd57800b44c65d9a331f28d6ee8b7dc01",
+ "b436a82b93d555f74300d0199ba718ce", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "ff9428d079351f665cd001354319875cf1d12887b7216986a12d79098b6de60fc07aed35"
+ "cb5a2fcaa0346efb93655464a7c75899f3e60af1fcb6c7307d87590f182d9096524fa1b2"
+ "b023b8b288222773efe36979ed9e7d3ec952414e49b13016",
+ "ffffffffffffffffffffffffffffffff7613e28e5b384f7063ea6f83b71dfa48a0ffffff"
+ "ffffffffffffffffffffffffc4ce90e77df311376de8650dc2a90d04a0ffffffffffffff"
+ "ffffffffffffffffc4ce90e77df311376de8650dc2a90d04",
+ "ce54a82e1fa942fa3f00d0294f3715d3", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "cbf1da9e0ba9377374e69e1c0e600cfc343d35f613e6d9093d38e975c38fe3b8be3fa66b"
+ "6ce7808aa3e45949f944649fd0f6378171eae4396ea15dc240d1abf46668dbc8f5f20ef2"
+ "b3f38f00e2031788",
+ "cb9a0db18d63d7ead7c960d6b286745fb3ffffffffffffffffffffffffffffffdebab4a1"
+ "584250bffc2fc84d95decf04b3ffffffffffffffffffffffffffffffdebab4a1584250bf"
+ "fc2fc84d95decf04",
+ "2383ab0b799205699b510aa709bf31f1", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "8f278694c4e9daebd58d3e5b966e8b68423d35f613e6d9093d38e975c38fe3b80653e7a3"
+ "31718833acc3b9adff1c3198a6f6378171eae4396ea15dc240d1abf4de049a00a864064b"
+ "bcd46fe4e45b428f",
+ "8f4c51bb42233a7276a2c0912a88f3cbc5ffffffffffffffffffffffffffffff66d6f569"
+ "05d45806f30828a993869a03c5ffffffffffffffffffffffffffffff66d6f56905d45806"
+ "f30828a993869a03",
+ "8bfbab17a9e0b8748b510ae7d9fd2305", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "d59428d079351f665cd001354319875c9a22d70a48e24fddcdd4419de64c8f44fc7aed35"
+ "cb5a2fcaa0346efb9365546477b5c907d9c9e1ea51851a204aad9f0a242d9096524fa1b2"
+ "b023b8b2882227733f91f8e7c7b1962564619c5e7e9bf613",
+ "d5ffffffffffffffffffffffffffffff1de01d03a4fb692b0f135717da3c93039cffffff"
+ "ffffffffffffffffffffffff14bc017957dcfa2cc0dbb81df583cb019cffffffffffffff"
+ "ffffffffffffffff14bc017957dcfa2cc0dbb81df583cb01",
+ "49bc6e9fc51c4d503036644d842773d2", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "db9428d079351f665cd001354319875c75d5643aa5af934d8cce392cc3eedb47c07aed35"
+ "cb5a2fcaa0346efb93655464601b5ad2067f28066a8f3281715ba808182d9096524fa1b2"
+ "b023b8b288222773283f6b3218075fc95f6bb4ff456dc111",
+ "dbfffffffffffffffffffffffffffffff217ae3349b6b5bb4e092fa6ff9ec700a0ffffff"
+ "ffffffffffffffffffffffff031292ac886a33c0fbd190bcce75fc03a0ffffffffffffff"
+ "ffffffffffffffff031292ac886a33c0fbd190bcce75fc03",
+ "63da6ea251f039532c36645d38b76fd7", "valid" },
+ { "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+ "0000000000000000064c2d52", "ffffffff",
+ "939428d079351f665cd001354319875c624839604216e403ebcc6af559ec8b43977aed35"
+ "cb5a2fcaa0346efb93655464d8c8c3fa1a9e474abe52d02c8187e90f4f2d9096524fa1b2"
+ "b023b8b28822277390ecf21a04e630858bb65652b5b18016",
+ "93ffffffffffffffffffffffffffffffe58af369ae0fc2f5290b7c7f659c9704f7ffffff"
+ "ffffffffffffffffffffffffbbc10b84948b5c8c2f0c72113ea9bd04f7ffffffffffffff"
+ "ffffffffffffffffbbc10b84948b5c8c2f0c72113ea9bd04",
+ "73eb2724b5c405f04d00d0f15840a1c1", "valid" }
+};
+
+static int
+tv(void)
+{
+ unsigned char *ad;
+ unsigned char *decrypted;
+ unsigned char *detached_ciphertext;
+ unsigned char *key;
+ unsigned char *message;
+ unsigned char *mac;
+ unsigned char *nonce;
+ size_t ad_len;
+ size_t detached_ciphertext_len;
+ size_t message_len;
+ unsigned int i;
+
+ key = (unsigned char *) sodium_malloc(
+ crypto_aead_chacha20poly1305_ietf_KEYBYTES);
+ nonce = (unsigned char *) sodium_malloc(
+ crypto_aead_chacha20poly1305_ietf_NPUBBYTES);
+ mac = (unsigned char *) sodium_malloc(
+ crypto_aead_chacha20poly1305_ietf_ABYTES);
+
+ for (i = 0U; i < (sizeof tests) / (sizeof tests[0]); i++) {
+ assert(strlen(tests[i].key_hex) ==
+ 2 * crypto_aead_chacha20poly1305_ietf_KEYBYTES);
+ sodium_hex2bin(key, crypto_aead_chacha20poly1305_ietf_KEYBYTES,
+ tests[i].key_hex, strlen(tests[i].key_hex), NULL, NULL,
+ NULL);
+
+ assert(strlen(tests[i].nonce_hex) ==
+ 2 * crypto_aead_chacha20poly1305_ietf_NPUBBYTES);
+ sodium_hex2bin(nonce, crypto_aead_chacha20poly1305_ietf_NPUBBYTES,
+ tests[i].nonce_hex, strlen(tests[i].nonce_hex), NULL,
+ NULL, NULL);
+
+ message_len = strlen(tests[i].message_hex) / 2;
+ message = (unsigned char *) sodium_malloc(message_len);
+ sodium_hex2bin(message, message_len, tests[i].message_hex,
+ strlen(tests[i].message_hex), NULL, NULL, NULL);
+
+ ad_len = strlen(tests[i].ad_hex) / 2;
+ ad = (unsigned char *) sodium_malloc(ad_len);
+ sodium_hex2bin(ad, ad_len, tests[i].ad_hex, strlen(tests[i].ad_hex),
+ NULL, NULL, NULL);
+
+ detached_ciphertext_len = message_len;
+ assert(strlen(tests[i].detached_ciphertext_hex) == 2 * message_len);
+ assert(strlen(tests[i].mac_hex) ==
+ 2 * crypto_aead_chacha20poly1305_ietf_ABYTES);
+ sodium_hex2bin(mac, crypto_aead_chacha20poly1305_ietf_ABYTES,
+ tests[i].mac_hex, strlen(tests[i].mac_hex), NULL, NULL,
+ NULL);
+
+ detached_ciphertext =
+ (unsigned char *) sodium_malloc(detached_ciphertext_len);
+ sodium_hex2bin(detached_ciphertext, detached_ciphertext_len,
+ tests[i].detached_ciphertext_hex,
+ strlen(tests[i].detached_ciphertext_hex), NULL, NULL,
+ NULL);
+
+ decrypted = (unsigned char *) sodium_malloc(message_len);
+ if (crypto_aead_chacha20poly1305_ietf_decrypt_detached(
+ decrypted, NULL, detached_ciphertext, detached_ciphertext_len,
+ mac, ad, ad_len, nonce, key) == 0) {
+ if (strcmp(tests[i].outcome, "valid") != 0) {
+ printf("*** test case %u succeeded, was supposed to be %s\n", i,
+ tests[i].outcome);
+ }
+ if (memcmp(decrypted, message, message_len) != 0) {
+ printf("Incorrect decryption of test vector #%u\n",
+ (unsigned int) i);
+ }
+ } else {
+ if (strcmp(tests[i].outcome, "invalid") != 0) {
+ printf("*** test case %u failed, was supposed to be %s\n", i,
+ tests[i].outcome);
+ }
+ }
+
+ sodium_free(message);
+ sodium_free(ad);
+ sodium_free(decrypted);
+ sodium_free(detached_ciphertext);
+ }
+
+ sodium_free(key);
+ sodium_free(mac);
+ sodium_free(nonce);
+
+ return 0;
+}
+
+int
+main(void)
+{
+ tv();
+ printf("OK\n");
+
+ return 0;
+}
diff --git a/test/default/aead_chacha20poly13052.exp b/test/default/aead_chacha20poly13052.exp
new file mode 100644
index 00000000..d86bac9d
--- /dev/null
+++ b/test/default/aead_chacha20poly13052.exp
@@ -0,0 +1 @@
+OK
diff --git a/test/default/aead_xchacha20poly1305.c b/test/default/aead_xchacha20poly1305.c
index 3ff62bef..9c51623a 100644
--- a/test/default/aead_xchacha20poly1305.c
+++ b/test/default/aead_xchacha20poly1305.c
@@ -118,7 +118,7 @@ tv(void)
}
m2len = 1;
if (crypto_aead_xchacha20poly1305_ietf_decrypt(
- m2, &m2len, NULL, NULL,
+ m2, &m2len, NULL, guard_page,
randombytes_uniform(crypto_aead_xchacha20poly1305_ietf_ABYTES),
NULL, 0U, nonce, firstkey) != -1) {
printf("crypto_aead_xchacha20poly1305_ietf_decrypt() worked with a short "
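Review bot: `guard_page` replaces `NULL` as the ciphertext pointer in this call, but nothing at the call site or at its declaration says what it has to point to. The same substitution is made in the `crypto_auth_hmacsha256_update(&st256, guard_page, 0U)` call in test/default/auth.c. In cmptest.h it is declared as `static unsigned char *guard_page;` with no initializer, so it is NULL until something assigns it, and that assignment is not in the part of the diff shown here; if it is ever skipped, these calls silently test the old NULL case again. Presumably the intent is a non-NULL pointer that faults on any access, so the callee is proven to reject the short length before reading. I would document that on the declaration, e.g. `/* guard_page: non-NULL, not dereferenceable; callees given a zero or too-short length must return before touching it */`. tv() starts and ends outside this hunk.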
diff --git a/test/default/auth.c b/test/default/auth.c
index 60d26587..19af20d7 100644
--- a/test/default/auth.c
+++ b/test/default/auth.c
@@ -55,7 +55,7 @@ main(void)
memset(a2, 0, sizeof a2);
crypto_auth_hmacsha256_init(&st256, key2, sizeof key2);
- crypto_auth_hmacsha256_update(&st256, NULL, 0U);
+ crypto_auth_hmacsha256_update(&st256, guard_page, 0U);
crypto_auth_hmacsha256_update(&st256, c, 1U);
crypto_auth_hmacsha256_update(&st256, c, sizeof c - 2U);
crypto_auth_hmacsha256_final(&st256, a2);
diff --git a/test/default/chacha20.c b/test/default/chacha20.c
index 5bf2a2a6..d92b11e8 100644
--- a/test/default/chacha20.c
+++ b/test/default/chacha20.c
@@ -105,7 +105,7 @@ void tv_ietf(void)
1U },
{ "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
"000000090000004a00000000",
- 0xffffffff }};
+ 0xfeffffff }};
unsigned char key[crypto_stream_chacha20_KEYBYTES];
unsigned char nonce[crypto_stream_chacha20_IETF_NONCEBYTES];
unsigned char *part;
@@ -137,7 +137,7 @@ void tv_ietf(void)
assert(66 <= sizeof out);
for (plen = 1U; plen < 66; plen += 3) {
memset(out, (int) (plen & 0xff), sizeof out);
- crypto_stream_chacha20_ietf(out, plen, nonce, key);
+ crypto_stream_chacha20(out, plen, nonce, key);
sodium_bin2hex(out_hex, sizeof out_hex, out, sizeof out);
printf("[%s]\n", out_hex);
}
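Review bot: Going by the hunk header, this partial-length loop sits in tv_ietf(), yet it now calls `crypto_stream_chacha20()` instead of the IETF variant, so output lengths 1 to 64 are no longer exercised for `crypto_stream_chacha20_ietf()` here. `nonce` is still declared with `crypto_stream_chacha20_IETF_NONCEBYTES`, and the original construction takes a shorter nonce, so the call stays in bounds but reads only a prefix of the buffer. If the switch is deliberate, a comment such as `/* original 64-bit-nonce variant on purpose; only the first crypto_stream_chacha20_NONCEBYTES bytes of nonce are read */` would stop the next reader from "fixing" it. Otherwise keep the `_ietf` call here and put the non-IETF loop in the non-IETF test function. tv_ietf() begins and ends outside this hunk.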
diff --git a/test/default/chacha20.exp b/test/default/chacha20.exp
index 0d2416bc..1b2017c7 100644
--- a/test/default/chacha20.exp
+++ b/test/default/chacha20.exp
@@ -35,29 +35,29 @@
[72d54dfbf12ec44b362692df94137f328fea8da73990265ec1bbbea1ae9af0ca13b25aa26cb4a648cb9b9d1be65b2c0924a66c54d545ec1b7374f4872e99f096bf74dbd52cc4fc95ceb6097fe5e65358c9dbc0a5ecbf7894a132a9a54ae3e951f2e9f209aa9c3d9a877ac9dab62433d2961a17d103e455dfb7337c90f6857aad233065955a212b5c7a8eab4dc8a629e5b6b8ba914afd06de7177054b33d21c96]
[c2c64d378cd536374ae204b9ef933fcd1a8b2288b3dfa49672ab765b54ee27c78a970e0e955c14f3a88e741b97c286f75f8fc299e8148362fa198a39531bed6d1a91288c874ec254f322c2a197340c55bb3e9b3998f7de2309486a0bb494abd20c9c5ef99c1370d61e77f408ac5514f49202bcc6828d45409d2d1416f8ae106b06ebd2541256264fa415bd54cb12e1d4449ed85299a1b7a249b75ff6c89b2e3f]
[10f1e7e4d13b5915500fdd1fa32071c4c7d1f4c733c068030422aa9ac3d46c4ed2826446079faa0914c2d705d98b02a2b5129cd1de164eb9cbd083e8a2503c4e0a88837739d7bf4ef8ccacb0ea2bb9d69d56c394aa351dfda5bf459f0a2e9fe8e721f89255f9c486bf21679c683d4f9c5cf2fa27865526005b06ca374c86af3bdcbfbdcb83be65862ed5c20eae5a43241d6a92da6dca9a156be25297f51c2718]
-[ff2941b8d740f6cbb50936bf997ebd5218cb108dc53f41c64841d0218167430ca03b770ca74ccb642a28194d1dedd2ed13151e25ec5d7faeb6d060bfb7e6b146880b67b55162bca26abe045fad14b0f492a3f369dcd52f98bc1513eaf238a3f434c7527121b4b756613e270395358d831d4950b6c7812fb724dc7c9be5e5c62ec8796d6690205061108b113f695582e4cf5d8b51112a51d157ef15e2cb95e4d5]
-[8a010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101]
-[8adc91fd040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404]
-[8adc91fd9ff4f0070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707]
-[8adc91fd9ff4f0f51b0f0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a]
-[8adc91fd9ff4f0f51b0fad50ff0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d]
-[8adc91fd9ff4f0f51b0fad50ff15d637101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efd131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a742001c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a74200503c151f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a74200503c1582cd98222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a74200503c1582cd9833367d252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a74200503c1582cd9833367d0a54d5282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a74200503c1582cd9833367d0a54d57d3c9e2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a74200503c1582cd9833367d0a54d57d3c9e998f492e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a74200503c1582cd9833367d0a54d57d3c9e998f490ee69c313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a74200503c1582cd9833367d0a54d57d3c9e998f490ee69ca34c1f343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a74200503c1582cd9833367d0a54d57d3c9e998f490ee69ca34c1ff9e939373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a74200503c1582cd9833367d0a54d57d3c9e998f490ee69ca34c1ff9e939a755843a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a74200503c1582cd9833367d0a54d57d3c9e998f490ee69ca34c1ff9e939a75584c52d693d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d]
-[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a74200503c1582cd9833367d0a54d57d3c9e998f490ee69ca34c1ff9e939a75584c52d690a35d4404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040]
+[75924bad7831b25662dbac54b46827990b6168ae990e7bd7e1fd2ad282bf23ef052c7d1a0a6c1ef862070943a0d4da24705fbc006dfb85e2af18c0a264d772a44c70fbedac9d6a6867ff6be0a32826507f2c784101583211c9e2453d4cc8b283d5e86682bd4bf511271b91dbd351415f5a009d1f78b64085a9a4341be7d42e2679d57e2747097f0129950e2c9e9ca1356022d45da252af71ac37f351a2e77911]
+[61010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101]
+[6146f256040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404]
+[6146f2564fe1bd070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707070707]
+[6146f2564fe1bdf9bccd0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a]
+[6146f2564fe1bdf9bccd0fe1ed0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d]
+[6146f2564fe1bdf9bccd0fe1edf0da5d101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb00161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba9af1021c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba9af10230a7081f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba9af10230a7085f55f6222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba9af10230a7085f55f67bf6ab252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba9af10230a7085f55f67bf6ab410fba282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba9af10230a7085f55f67bf6ab410fba060c2c2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba9af10230a7085f55f67bf6ab410fba060c2c2973032e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba9af10230a7085f55f67bf6ab410fba060c2c297303ace1e2313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba9af10230a7085f55f67bf6ab410fba060c2c297303ace1e2e34130343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba9af10230a7085f55f67bf6ab410fba060c2c297303ace1e2e3413018ff7e373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737373737]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba9af10230a7085f55f67bf6ab410fba060c2c297303ace1e2e3413018ff7ed87cfa3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba9af10230a7085f55f67bf6ab410fba060c2c297303ace1e2e3413018ff7ed87cfa95b60f3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d]
+[6146f2564fe1bdf9bccd0fe1edf0da5d92f1fa76cb002937ba9af10230a7085f55f67bf6ab410fba060c2c297303ace1e2e3413018ff7ed87cfa95b60f094ee5404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040]
[8adc91fd9ff4f0f51b0fad50ff15d637e40efda206cc52c783a74200503c1582cd9833367d0a54d57d3c9e998f490ee69ca34c1ff9e939a75584c52d690a35d410f1e7e4d13b5915500fdd1fa32071c4c7d1f4c733c068030422aa9ac3d46c4ed2826446079faa0914c2d705d98b02a2b5129cd1de164eb9cbd083e8a2503c4e0a88837739d7bf4ef8ccacb0ea2bb9d69d56c394aa351dfda5bf459f0a2e9fe8]
[c89ed3bfddb6b2b7594def12bd579475a64cbfe0448e1085c1e50042127e57c08fda71743f4816973f7edcdbcd0b4ca4dee10e5dbbab7be517c6876f2b48779652b3a5a693791b57124d9f5de16233868593b68571822a414660e8d881962e0c90c0260445dde84b568095479bc940e0f750de939c540cfb8992c1aae0127e0c48cac1357b95fd0cba8eeef2a869fb94df1481d6e8775fbfe7fd07dd486cddaa]
[42424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242]
diff --git a/test/default/cmptest.h b/test/default/cmptest.h
index fcd5d3f3..4625d551 100644
--- a/test/default/cmptest.h
+++ b/test/default/cmptest.h
@@ -35,6 +35,8 @@
int xmain(void);
+static unsigned char *guard_page;
+
#ifdef BENCHMARKS
# include
@@ -43,6 +45,77 @@ int xmain(void);
# define ITERATIONS 128
# endif
+struct {
+ void *pnt;
+ size_t size;
+} mempool[1024];
+
+static size_t mempool_idx;
+
+static __attribute__((malloc)) void *mempool_alloc(size_t size)
+{
+ size_t i;
+ if (size >= (size_t) 0x80000000 - (size_t) 0x00000fff) {
+ return NULL;
+ }
+ size = (size + (size_t) 0x00000fff) & ~ (size_t) 0x00000fff;
+ for (i = 0U; i < mempool_idx; i++) {
+ if (mempool[i].size >= (size | (size_t) 0x80000000)) {
+ mempool[i].size &= ~ (size_t) 0x80000000;
+ return mempool[i].pnt;
+ }
+ }
+ if (mempool_idx >= sizeof mempool / sizeof mempool[0]) {
+ return NULL;
+ }
+ mempool[mempool_idx].size = size;
+ return (mempool[mempool_idx++].pnt = (void *) malloc(size));
+}
+
+static void mempool_free(void *pnt)
+{
+ size_t i;
+ for (i = 0U; i < mempool_idx; i++) {
+ if (mempool[i].pnt == pnt) {
+ if ((mempool[i].size & (size_t) 0x80000000) != (size_t) 0x0) {
+ break;
+ }
+ mempool[i].size |= (size_t) 0x80000000;
+ return;
+ }
+ }
+ abort();
+}
+
+static __attribute__((malloc)) void *mempool_allocarray(size_t count, size_t size)
+{
+ if (count > (size_t) 0U && size >= (size_t) SIZE_MAX / count) {
+ return NULL;
+ }
+ return mempool_alloc(count * size);
+}
+
+static int mempool_free_all(void)
+{
+ size_t i;
+ int ret = 0;
+
+ for (i = 0U; i < mempool_idx; i++) {
+ if ((mempool[i].size & (size_t) 0x80000000) == (size_t) 0x0) {
+ ret = -1;
+ }
+ free(mempool[i].pnt);
+ mempool[i].pnt = NULL;
+ }
+ mempool_idx = (size_t) 0U;
+
+ return ret;
+}
+
+#define sodium_malloc(X) mempool_alloc(X)
+#define sodium_free(X) mempool_free(X)
+#define sodium_allocarray(X, Y) mempool_allocarray((X), (Y))
+
static unsigned long long now(void)
{
struct timeval tp;
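Review bot: `mempool_alloc()` records the slot before it knows whether `malloc()` succeeded, in `return (mempool[mempool_idx++].pnt = (void *) malloc(size));`. On failure the slot is consumed with a `NULL` pointer and no free flag, so `mempool_free_all()` later reports a leak that never happened. A zero-byte request has the same problem, because `size` stays 0 after rounding and `malloc(0)` may legitimately return `NULL`. Allocate first, `void *pnt = malloc(size); if (pnt == NULL) { return NULL; }`, and only then store `pnt` and `size` and advance `mempool_idx`. Separately, the `0x80000000` bit marks a free slot in `size` and appears in four functions; a named constant such as `#define MEMPOOL_FREE_FLAG ((size_t) 0x80000000)` plus a one-line comment would make the size guard at the top of `mempool_alloc()` readable.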
@@ -78,7 +151,10 @@ int main(void)
}
ts_end = now();
printf("%llu\n", 1000000ULL * (ts_end - ts_start) / ITERATIONS);
-
+ if (mempool_free_all() != 0) {
+ fprintf(stderr, "** memory leaks detected **\n");
+ return 99;
+ }
return 0;
}
@@ -91,8 +167,9 @@ static FILE *fp_res;
int main(void)
{
- FILE *fp_out;
- int c;
+ FILE *fp_out;
+ unsigned char *_guard_page;
+ int c;
if ((fp_res = fopen(TEST_NAME_RES, "w+")) == NULL) {
perror("fopen(" TEST_NAME_RES ")");
@@ -101,6 +178,11 @@ int main(void)
if (sodium_init() != 0) {
return 99;
}
+ if ((_guard_page = (unsigned char *) sodium_malloc(0)) == NULL) {
+ perror("sodium_malloc()");
+ return 99;
+ }
+ guard_page = _guard_page + 1;
if (xmain() != 0) {
return 99;
}
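Review bot: `guard_page = _guard_page + 1;` steps past the end of a zero-length allocation, which is outside what C pointer arithmetic guarantees. It only yields a faulting address if `sodium_malloc(0)` returns a pointer that sits directly before an inaccessible page. Nothing in this hunk states or checks that, and on a build where the allocator has no guard pages the tests that pass `guard_page` would silently touch ordinary memory instead of faulting. Add a comment such as `/* sodium_malloc(0) returns the end of its region; one byte further is expected to be unmapped, so any access via guard_page faults */`, and consider skipping the guard-page checks where that assumption does not hold. The local name `_guard_page` would also read better without the leading underscore, e.g. `guard_page_base`. `main()` begins outside this hunk.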
@@ -114,6 +196,7 @@ int main(void)
return 99;
}
} while (c != EOF);
+ sodium_free(_guard_page);
return 0;
}
diff --git a/test/default/codecs.c b/test/default/codecs.c
index a2bf55d7..711b4217 100644
--- a/test/default/codecs.c
+++ b/test/default/codecs.c
@@ -11,11 +11,10 @@ main(void)
char *b64_;
const char *b64_end;
unsigned char *bin;
- unsigned char *bin_padded;
const char *hex;
const char *hex_end;
size_t b64_len;
- size_t bin_len, bin_len2;
+ size_t bin_len;
unsigned int i;
printf("%s\n",
@@ -93,7 +92,7 @@ main(void)
sodium_bin2base64(buf3, 33U, (const unsigned char *) "\xfb\xf0\xf1" "0123456789ABCDEFabc",
22U, sodium_base64_VARIANT_URLSAFE_NO_PADDING));
printf("%s\n",
- sodium_bin2base64(buf3, 1U, NULL,
+ sodium_bin2base64(buf3, 1U, guard_page,
0U, sodium_base64_VARIANT_ORIGINAL));
printf("%s\n",
sodium_bin2base64(buf3, 5U, (const unsigned char *) "a",
@@ -105,7 +104,7 @@ main(void)
sodium_bin2base64(buf3, 5U, (const unsigned char *) "abc",
3U, sodium_base64_VARIANT_ORIGINAL));
printf("%s\n",
- sodium_bin2base64(buf3, 1U, NULL,
+ sodium_bin2base64(buf3, 1U, guard_page,
0U, sodium_base64_VARIANT_ORIGINAL_NO_PADDING));
printf("%s\n",
sodium_bin2base64(buf3, 3U, (const unsigned char *) "a",
@@ -161,21 +160,21 @@ main(void)
assert(sodium_base642bin(buf1, sizeof buf1, b64, strlen(b64), " \r\n", NULL,
NULL, sodium_base64_VARIANT_URLSAFE_NO_PADDING) == -1);
- assert(sodium_base642bin(NULL, (size_t) 10U, "a=", (size_t) 2U, NULL, NULL, NULL,
+ assert(sodium_base642bin(guard_page, (size_t) 10U, "a=", (size_t) 2U, NULL, NULL, NULL,
sodium_base64_VARIANT_URLSAFE) == -1);
- assert(sodium_base642bin(NULL, (size_t) 10U, "a*", (size_t) 2U, NULL, NULL, NULL,
+ assert(sodium_base642bin(guard_page, (size_t) 10U, "a*", (size_t) 2U, NULL, NULL, NULL,
sodium_base64_VARIANT_URLSAFE) == -1);
- assert(sodium_base642bin(NULL, (size_t) 10U, "a*", (size_t) 2U, "~", NULL, NULL,
+ assert(sodium_base642bin(guard_page, (size_t) 10U, "a*", (size_t) 2U, "~", NULL, NULL,
sodium_base64_VARIANT_URLSAFE) == -1);
- assert(sodium_base642bin(NULL, (size_t) 10U, "a*", (size_t) 2U, "*", NULL, NULL,
+ assert(sodium_base642bin(guard_page, (size_t) 10U, "a*", (size_t) 2U, "*", NULL, NULL,
sodium_base64_VARIANT_URLSAFE) == -1);
- assert(sodium_base642bin(NULL, (size_t) 10U, "a==", (size_t) 3U, NULL, NULL, NULL,
+ assert(sodium_base642bin(guard_page, (size_t) 10U, "a==", (size_t) 3U, NULL, NULL, NULL,
sodium_base64_VARIANT_URLSAFE) == -1);
- assert(sodium_base642bin(NULL, (size_t) 10U, "a=*", (size_t) 3U, NULL, NULL, NULL,
+ assert(sodium_base642bin(guard_page, (size_t) 10U, "a=*", (size_t) 3U, NULL, NULL, NULL,
sodium_base64_VARIANT_URLSAFE) == -1);
- assert(sodium_base642bin(NULL, (size_t) 10U, "a=*", (size_t) 3U, "~", NULL, NULL,
+ assert(sodium_base642bin(guard_page, (size_t) 10U, "a=*", (size_t) 3U, "~", NULL, NULL,
sodium_base64_VARIANT_URLSAFE) == -1);
- assert(sodium_base642bin(NULL, (size_t) 10U, "a=*", (size_t) 3U, "*", NULL, NULL,
+ assert(sodium_base642bin(guard_page, (size_t) 10U, "a=*", (size_t) 3U, "*", NULL, NULL,
sodium_base64_VARIANT_URLSAFE) == -1);
assert(sodium_base642bin(buf1, sizeof buf1, "O1R", (size_t) 3U, NULL, NULL, NULL,
diff --git a/test/default/core_ed25519.c b/test/default/core_ed25519.c
index e8a0f00d..b6bdfab9 100644
--- a/test/default/core_ed25519.c
+++ b/test/default/core_ed25519.c
@@ -23,15 +23,22 @@ add_P(unsigned char * const S)
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
};
- unsigned char c = 0U;
- unsigned int i;
- unsigned int s;
- for (i = 0U; i < 32U; i++) {
- s = S[i] + P[i] + c;
- S[i] = (unsigned char) s;
- c = (s >> 8) & 1;
- }
+ sodium_add(S, P, sizeof P);
+}
+
+static void
+add_l64(unsigned char * const S)
+{
+ static const unsigned char l[crypto_core_ed25519_NONREDUCEDSCALARBYTES] =
+ { 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
+ 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+
+ sodium_add(S, l, sizeof l);
}
int
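Review bot: The new `add_l64()` helper has no comment saying what `l` holds, and its size is expressed in two different ways. The array is sized with `crypto_core_ed25519_NONREDUCEDSCALARBYTES` while its initializer spells out 64 bytes, and a later hunk allocates the matching buffer with the literal `sodium_malloc(64)`. The bytes appear to be the group order in little-endian, zero-extended to the non-reduced width, which a header comment like `/* S += L, with L zero-extended to NONREDUCEDSCALARBYTES */` would record. Using the constant in both places keeps the buffer and the `sizeof l` passed to `sodium_add()` in step. `add_P()` starts outside this hunk.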
@@ -39,8 +46,10 @@ main(void)
{
unsigned char *h;
unsigned char *p, *p2, *p3;
- unsigned char *sc;
- int i, j;
+ unsigned char *sc, *sc2, *sc3;
+ unsigned char *sc64;
+ char *hex;
+ unsigned int i, j;
h = (unsigned char *) sodium_malloc(crypto_core_ed25519_UNIFORMBYTES);
p = (unsigned char *) sodium_malloc(crypto_core_ed25519_BYTES);
@@ -59,7 +68,7 @@ main(void)
randombytes_buf(h, crypto_core_ed25519_UNIFORMBYTES);
crypto_core_ed25519_from_uniform(p2, h);
- j = 1 + (int) randombytes_uniform(100);
+ j = 1 + (unsigned int) randombytes_uniform(100);
memcpy(p3, p, crypto_core_ed25519_BYTES);
for (i = 0; i < j; i++) {
crypto_core_ed25519_add(p, p, p2);
@@ -135,6 +144,200 @@ main(void)
assert(crypto_core_ed25519_sub(p3, non_canonical_p, p3) == 0);
assert(crypto_core_ed25519_sub(p3, non_canonical_invalid_p, p3) == -1);
+ for (i = 0; i < 1000; i++) {
+ randombytes_buf(h, crypto_core_ed25519_UNIFORMBYTES);
+ crypto_core_ed25519_from_uniform(p, h);
+ crypto_core_ed25519_scalar_random(sc);
+ if (crypto_scalarmult_ed25519_noclamp(p2, sc, p) != 0) {
+ printf("crypto_scalarmult_ed25519_noclamp() failed\n");
+ }
+ assert(crypto_core_ed25519_is_valid_point(p2));
+ if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) {
+ printf("crypto_core_ed25519_scalar_invert() failed\n");
+ }
+ if (crypto_scalarmult_ed25519_noclamp(p3, sc, p2) != 0) {
+ printf("crypto_scalarmult_ed25519_noclamp() failed\n");
+ }
+ assert(memcmp(p3, p, crypto_core_ed25519_BYTES) == 0);
+ }
+
+ sc64 = (unsigned char *) sodium_malloc(64);
+ crypto_core_ed25519_scalar_random(sc);
+ memcpy(sc64, sc, crypto_core_ed25519_BYTES);
+ memset(sc64 + crypto_core_ed25519_BYTES, 0,
+ 64 - crypto_core_ed25519_BYTES);
+ i = (unsigned int) randombytes_uniform(100);
+ do {
+ add_l64(sc64);
+ } while (i-- > 0);
+ crypto_core_ed25519_scalar_reduce(sc64, sc64);
+ if (memcmp(sc64, sc, crypto_core_ed25519_BYTES) != 0) {
+ printf("crypto_core_ed25519_scalar_reduce() failed\n");
+ }
+
+ randombytes_buf(h, crypto_core_ed25519_UNIFORMBYTES);
+ crypto_core_ed25519_from_uniform(p, h);
+ memcpy(p2, p, crypto_core_ed25519_BYTES);
+ crypto_core_ed25519_scalar_random(sc);
+ if (crypto_scalarmult_ed25519_noclamp(p, sc, p) != 0) {
+ printf("crypto_scalarmult_ed25519_noclamp() failed (1)\n");
+ }
+ crypto_core_ed25519_scalar_complement(sc, sc);
+ if (crypto_scalarmult_ed25519_noclamp(p2, sc, p2) != 0) {
+ printf("crypto_scalarmult_ed25519_noclamp() failed (2)\n");
+ }
+ crypto_core_ed25519_add(p3, p, p2);
+ crypto_core_ed25519_from_uniform(p, h);
+ crypto_core_ed25519_sub(p, p, p3);
+ assert(p[0] == 0x01);
+ for (i = 1; i < crypto_core_ed25519_BYTES; i++) {
+ assert(p[i] == 0);
+ }
+
+ randombytes_buf(h, crypto_core_ed25519_UNIFORMBYTES);
+ crypto_core_ed25519_from_uniform(p, h);
+ memcpy(p2, p, crypto_core_ed25519_BYTES);
+ crypto_core_ed25519_scalar_random(sc);
+ if (crypto_scalarmult_ed25519_noclamp(p, sc, p) != 0) {
+ printf("crypto_scalarmult_ed25519_noclamp() failed (3)\n");
+ }
+ crypto_core_ed25519_scalar_negate(sc, sc);
+ if (crypto_scalarmult_ed25519_noclamp(p2, sc, p2) != 0) {
+ printf("crypto_scalarmult_ed25519_noclamp() failed (4)\n");
+ }
+ crypto_core_ed25519_add(p, p, p2);
+ assert(p[0] == 0x01);
+ for (i = 1; i < crypto_core_ed25519_BYTES; i++) {
+ assert(p[i] == 0);
+ }
+
+ hex = (char *) sodium_malloc(crypto_core_ed25519_SCALARBYTES * 2 + 1);
+
+ for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) {
+ sc[i] = 255 - i;
+ }
+ if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) {
+ printf("crypto_core_ed25519_scalar_invert() failed\n");
+ }
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("inv1: %s\n", hex);
+ if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) {
+ printf("crypto_core_ed25519_scalar_invert() failed\n");
+ }
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("inv2: %s\n", hex);
+ for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) {
+ sc[i] = 32 - i;
+ }
+ if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) {
+ printf("crypto_core_ed25519_scalar_invert() failed\n");
+ }
+
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("inv3: %s\n", hex);
+ if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) {
+ printf("crypto_core_ed25519_scalar_invert() failed\n");
+ }
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("inv4: %s\n", hex);
+
+ for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) {
+ sc[i] = 255 - i;
+ }
+ crypto_core_ed25519_scalar_negate(sc, sc);
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("neg1: %s\n", hex);
+ crypto_core_ed25519_scalar_negate(sc, sc);
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("neg2: %s\n", hex);
+ for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) {
+ sc[i] = 32 - i;
+ }
+ crypto_core_ed25519_scalar_negate(sc, sc);
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("neg3: %s\n", hex);
+ crypto_core_ed25519_scalar_negate(sc, sc);
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("neg4: %s\n", hex);
+
+ for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) {
+ sc[i] = 255 - i;
+ }
+ crypto_core_ed25519_scalar_complement(sc, sc);
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("comp1: %s\n", hex);
+ crypto_core_ed25519_scalar_complement(sc, sc);
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("comp2: %s\n", hex);
+ for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) {
+ sc[i] = 32 - i;
+ }
+ crypto_core_ed25519_scalar_complement(sc, sc);
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("comp3: %s\n", hex);
+ crypto_core_ed25519_scalar_complement(sc, sc);
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("comp4: %s\n", hex);
+
+ sc2 = (unsigned char *) sodium_malloc(crypto_core_ed25519_SCALARBYTES);
+ sc3 = (unsigned char *) sodium_malloc(crypto_core_ed25519_SCALARBYTES);
+ for (i = 0; i < 1000; i++) {
+ randombytes_buf(sc, crypto_core_ed25519_SCALARBYTES);
+ randombytes_buf(sc2, crypto_core_ed25519_SCALARBYTES);
+ sc[crypto_core_ed25519_SCALARBYTES - 1] &= 0x7f;
+ sc2[crypto_core_ed25519_SCALARBYTES - 1] &= 0x7f;
+ crypto_core_ed25519_scalar_add(sc3, sc, sc2);
+ assert(!sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES));
+ crypto_core_ed25519_scalar_sub(sc3, sc3, sc2);
+ assert(!sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES));
+ crypto_core_ed25519_scalar_sub(sc3, sc3, sc);
+ assert(sodium_is_zero(sc3, crypto_core_ed25519_SCALARBYTES));
+ }
+
+ memset(sc, 0x69, crypto_core_ed25519_UNIFORMBYTES);
+ memset(sc2, 0x42, crypto_core_ed25519_UNIFORMBYTES);
+ crypto_core_ed25519_scalar_add(sc, sc, sc2);
+ crypto_core_ed25519_scalar_add(sc, sc2, sc);
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("add1: %s\n", hex);
+
+ crypto_core_ed25519_scalar_sub(sc, sc2, sc);
+ crypto_core_ed25519_scalar_sub(sc, sc, sc2);
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("sub1: %s\n", hex);
+
+ memset(sc, 0xcd, crypto_core_ed25519_UNIFORMBYTES);
+ memset(sc2, 0x42, crypto_core_ed25519_UNIFORMBYTES);
+ crypto_core_ed25519_scalar_add(sc, sc, sc2);
+ crypto_core_ed25519_scalar_add(sc, sc2, sc);
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("add2: %s\n", hex);
+
+ crypto_core_ed25519_scalar_sub(sc, sc2, sc);
+ crypto_core_ed25519_scalar_sub(sc, sc, sc2);
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc, crypto_core_ed25519_SCALARBYTES);
+ printf("sub2: %s\n", hex);
+
+ sodium_free(hex);
+ sodium_free(sc64);
+ sodium_free(sc3);
+ sodium_free(sc2);
sodium_free(sc);
sodium_free(p3);
sodium_free(p2);
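Review bot: In the add/sub round-trip loop, both `assert(!sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES));` lines inspect `sc`, a random input that `crypto_core_ed25519_scalar_add()` and `crypto_core_ed25519_scalar_sub()` never write, so they check nothing about the results. They presumably were meant to read `assert(!sodium_is_zero(sc3, crypto_core_ed25519_SCALARBYTES));`. Further down, the four `memset(sc, ..., crypto_core_ed25519_UNIFORMBYTES)` and `memset(sc2, ..., crypto_core_ed25519_UNIFORMBYTES)` calls fill buffers that hold scalars. `sc2` is allocated in this hunk with `crypto_core_ed25519_SCALARBYTES`, so the fill length should be that same constant, `memset(sc2, 0x42, crypto_core_ed25519_SCALARBYTES);`, rather than one that only happens to match. The same applies to `memcpy(sc64, sc, crypto_core_ed25519_BYTES)`, which copies a scalar using the point-size constant. `main()` continues outside this hunk and `sc` is allocated there.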
@@ -142,6 +345,9 @@ main(void)
sodium_free(h);
assert(crypto_core_ed25519_BYTES == crypto_core_ed25519_bytes());
+ assert(crypto_core_ed25519_SCALARBYTES == crypto_core_ed25519_scalarbytes());
+ assert(crypto_core_ed25519_NONREDUCEDSCALARBYTES == crypto_core_ed25519_nonreducedscalarbytes());
+ assert(crypto_core_ed25519_NONREDUCEDSCALARBYTES >= crypto_core_ed25519_SCALARBYTES);
assert(crypto_core_ed25519_UNIFORMBYTES == crypto_core_ed25519_uniformbytes());
assert(crypto_core_ed25519_UNIFORMBYTES >= crypto_core_ed25519_BYTES);
diff --git a/test/default/core_ed25519.exp b/test/default/core_ed25519.exp
index d86bac9d..89fbaa33 100644
--- a/test/default/core_ed25519.exp
+++ b/test/default/core_ed25519.exp
@@ -1 +1,17 @@
+inv1: 5858cdec40a044b1548b3bb08f8ce0d71103d1f887df84ebc502643dac4df40b
+inv2: 09688ce78a8ff8273f636b0bc748c0cceeeeedecebeae9e8e7e6e5e4e3e2e100
+inv3: f70b4f272b47bd6a1015a511fb3c9fc1b9c21ca4ca2e17d5a225b4c410b9b60d
+inv4: 201f1e1d1c1b1a191817161514131211100f0e0d0c0b0a090807060504030201
+neg1: e46b69758fd3193097398c9717b11e48111112131415161718191a1b1c1d1e0f
+neg2: 09688ce78a8ff8273f636b0bc748c0cceeeeedecebeae9e8e7e6e5e4e3e2e100
+neg3: cdb4d73ffe47f83ebe85e18dcae6cc03f0f0f1f2f3f4f5f6f7f8f9fafbfcfd0e
+neg4: 201f1e1d1c1b1a191817161514131211100f0e0d0c0b0a090807060504030201
+comp1: e56b69758fd3193097398c9717b11e48111112131415161718191a1b1c1d1e0f
+comp2: 09688ce78a8ff8273f636b0bc748c0cceeeeedecebeae9e8e7e6e5e4e3e2e100
+comp3: ceb4d73ffe47f83ebe85e18dcae6cc03f0f0f1f2f3f4f5f6f7f8f9fafbfcfd0e
+comp4: 201f1e1d1c1b1a191817161514131211100f0e0d0c0b0a090807060504030201
+add1: f7567cd87c82ec1c355a6304c143bcc9ecedededededededededededededed0d
+sub1: f67c79849de0253ba142949e1db6224b13121212121212121212121212121202
+add2: b02e8581ce62f69922427c23f970f7e951525252525252525252525252525202
+sub2: 3da570db4b001cbeb35a7b7fe588e72aaeadadadadadadadadadadadadadad0d
OK
diff --git a/test/default/ed25519_convert.c b/test/default/ed25519_convert.c
index a384c31e..d067547e 100644
--- a/test/default/ed25519_convert.c
+++ b/test/default/ed25519_convert.c
@@ -18,16 +18,10 @@ main(void)
unsigned char curve25519_sk[crypto_scalarmult_curve25519_BYTES];
char curve25519_pk_hex[crypto_scalarmult_curve25519_BYTES * 2 + 1];
char curve25519_sk_hex[crypto_scalarmult_curve25519_BYTES * 2 + 1];
- unsigned char hseed[crypto_hash_sha512_BYTES];
unsigned int i;
assert(crypto_sign_ed25519_SEEDBYTES <= crypto_hash_sha512_BYTES);
-#ifdef ED25519_NONDETERMINISTIC
- crypto_hash_sha512(hseed, keypair_seed, crypto_sign_ed25519_SEEDBYTES);
-#else
- memcpy(hseed, keypair_seed, crypto_sign_ed25519_SEEDBYTES);
-#endif
- crypto_sign_ed25519_seed_keypair(ed25519_pk, ed25519_skpk, hseed);
+ crypto_sign_ed25519_seed_keypair(ed25519_pk, ed25519_skpk, keypair_seed);
if (crypto_sign_ed25519_pk_to_curve25519(curve25519_pk, ed25519_pk) != 0) {
printf("conversion failed\n");
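Review bot: With `hseed` and its `memcpy`/`crypto_hash_sha512` paths removed, the remaining `assert(crypto_sign_ed25519_SEEDBYTES <= crypto_hash_sha512_BYTES);` no longer protects anything visible in this hunk. It looks like it existed only to bound the copy into the `hseed` buffer. Drop it along with the buffer, or add a comment saying what it still guards. `main()` continues outside the hunk, so check for other users of that relation first.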
diff --git a/test/default/generichash.c b/test/default/generichash.c
index 507d4e0c..2da877d2 100644
--- a/test/default/generichash.c
+++ b/test/default/generichash.c
@@ -1367,13 +1367,13 @@ main(void)
}
printf("\n");
- assert(crypto_generichash(NULL, 0,
+ assert(crypto_generichash(guard_page, 0,
in, (unsigned long long) sizeof in,
k, sizeof k) == -1);
- assert(crypto_generichash(NULL, crypto_generichash_BYTES_MAX + 1,
+ assert(crypto_generichash(guard_page, crypto_generichash_BYTES_MAX + 1,
in, (unsigned long long) sizeof in,
k, sizeof k) == -1);
- assert(crypto_generichash(NULL, (unsigned long long) sizeof in,
+ assert(crypto_generichash(guard_page, (unsigned long long) sizeof in,
in, (unsigned long long) sizeof in,
k, crypto_generichash_KEYBYTES_MAX + 1) == -1);
diff --git a/test/default/generichash2.c b/test/default/generichash2.c
index c0048828..b7e33e69 100644
--- a/test/default/generichash2.c
+++ b/test/default/generichash2.c
@@ -6,51 +6,57 @@ int
main(void)
{
#define MAXLEN 64
- crypto_generichash_state st;
- unsigned char in[MAXLEN], out[crypto_generichash_BYTES_MAX],
- k[crypto_generichash_KEYBYTES_MAX];
- size_t h, i, j;
+ crypto_generichash_state *st;
+ unsigned char in[MAXLEN];
+ unsigned char out[crypto_generichash_BYTES_MAX];
+ unsigned char k[crypto_generichash_KEYBYTES_MAX];
+ size_t h, i, j;
- assert(crypto_generichash_statebytes() >= sizeof st);
- for (h = 0; h < crypto_generichash_KEYBYTES_MAX; ++h)
+ assert(crypto_generichash_statebytes() >= sizeof *st);
+ st = (crypto_generichash_state *)
+ sodium_malloc(crypto_generichash_statebytes());
+ for (h = 0; h < crypto_generichash_KEYBYTES_MAX; ++h) {
k[h] = (unsigned char) h;
-
+ }
for (i = 0; i < MAXLEN; ++i) {
in[i] = (unsigned char) i;
- if (crypto_generichash_init(&st, k,
+ if (crypto_generichash_init(st, k,
1 + i % crypto_generichash_KEYBYTES_MAX,
1 + i % crypto_generichash_BYTES_MAX) != 0) {
printf("crypto_generichash_init()\n");
return 1;
}
- crypto_generichash_update(&st, in, i);
- crypto_generichash_update(&st, in, i);
- crypto_generichash_update(&st, in, i);
- if (crypto_generichash_final(&st, out,
+ crypto_generichash_update(st, in, i);
+ crypto_generichash_update(st, in, i);
+ crypto_generichash_update(st, in, i);
+ if (crypto_generichash_final(st, out,
1 + i % crypto_generichash_BYTES_MAX) != 0) {
printf("crypto_generichash_final() should have returned 0\n");
}
for (j = 0; j < 1 + i % crypto_generichash_BYTES_MAX; ++j) {
- printf("%02x", (unsigned int)out[j]);
+ printf("%02x", (unsigned int) out[j]);
}
printf("\n");
- if (crypto_generichash_final(&st, out,
+ if (crypto_generichash_final(st, out,
1 + i % crypto_generichash_BYTES_MAX) != -1) {
printf("crypto_generichash_final() should have returned -1\n");
}
}
- assert(crypto_generichash_init(&st, k, sizeof k, 0U) == -1);
- assert(crypto_generichash_init(&st, k, sizeof k,
+ assert(crypto_generichash_init(st, k, sizeof k, 0U) == -1);
+ assert(crypto_generichash_init(st, k, sizeof k,
crypto_generichash_BYTES_MAX + 1U) == -1);
- assert(crypto_generichash_init(&st, k, crypto_generichash_KEYBYTES_MAX + 1U,
+ assert(crypto_generichash_init(st, k, crypto_generichash_KEYBYTES_MAX + 1U,
sizeof out) == -1);
- assert(crypto_generichash_init(&st, k, 0U, sizeof out) == 0);
- assert(crypto_generichash_init(&st, k, 1U, sizeof out) == 0);
- assert(crypto_generichash_init(&st, NULL, 1U, 0U) == -1);
- assert(crypto_generichash_init(&st, NULL, crypto_generichash_KEYBYTES,
+ assert(crypto_generichash_init(st, k, 0U, sizeof out) == 0);
+ assert(crypto_generichash_init(st, k, 1U, sizeof out) == 0);
+ assert(crypto_generichash_init(st, NULL, 1U, 0U) == -1);
+ assert(crypto_generichash_init(st, NULL, crypto_generichash_KEYBYTES,
1U) == 0);
- assert(crypto_generichash_init(&st, NULL, crypto_generichash_KEYBYTES,
+ assert(crypto_generichash_init(st, NULL, crypto_generichash_KEYBYTES,
0U) == -1);
+
+ sodium_free(st);
+
return 0;
}
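Review bot: The state now comes from `sodium_malloc(crypto_generichash_statebytes())`, but the result is passed straight to `crypto_generichash_init(st, ...)` without a `NULL` check, so an allocation failure becomes a null dereference instead of a test failure. Add `if (st == NULL) { return 1; }` right after the allocation, in line with how cmptest.h checks its own `sodium_malloc()` call. The early `return 1;` inside the loop also leaves without `sodium_free(st)`, which the benchmark build's leak accounting would count if that path were ever taken. Freeing before that return keeps the exit paths consistent.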
diff --git a/test/default/generichash3.c b/test/default/generichash3.c
index d9646343..ec86b35f 100644
--- a/test/default/generichash3.c
+++ b/test/default/generichash3.c
@@ -131,15 +131,15 @@ main(void)
printf("\n");
assert(crypto_generichash_blake2b_salt_personal
- (NULL, 0,
+ (guard_page, 0,
in, (unsigned long long) sizeof in,
k, sizeof k, NULL, NULL) == -1);
assert(crypto_generichash_blake2b_salt_personal
- (NULL, crypto_generichash_BYTES_MAX + 1,
+ (guard_page, crypto_generichash_BYTES_MAX + 1,
in, (unsigned long long) sizeof in,
k, sizeof k, NULL, NULL) == -1);
assert(crypto_generichash_blake2b_salt_personal
- (NULL, (unsigned long long) sizeof in,
+ (guard_page, (unsigned long long) sizeof in,
in, (unsigned long long) sizeof in,
k, crypto_generichash_KEYBYTES_MAX + 1, NULL, NULL) == -1);
diff --git a/test/default/misuse.c b/test/default/misuse.c
index f2798bc6..407d526f 100644
--- a/test/default/misuse.c
+++ b/test/default/misuse.c
@@ -19,8 +19,8 @@ sigabrt_handler_14(int sig)
(void) sig;
signal(SIGABRT, sigabrt_handler_15);
assert(crypto_box_curve25519xchacha20poly1305_easy
- (NULL, NULL, crypto_stream_xchacha20_MESSAGEBYTES_MAX - 1,
- NULL, NULL, NULL) == -1);
+ (guard_page, guard_page, crypto_stream_xchacha20_MESSAGEBYTES_MAX - 1,
+ guard_page, guard_page, guard_page) == -1);
exit(1);
}
@@ -30,8 +30,8 @@ sigabrt_handler_13(int sig)
(void) sig;
signal(SIGABRT, sigabrt_handler_14);
assert(crypto_box_curve25519xchacha20poly1305_easy_afternm
- (NULL, NULL, crypto_stream_xchacha20_MESSAGEBYTES_MAX - 1,
- NULL, NULL) == -1);
+ (guard_page, guard_page, crypto_stream_xchacha20_MESSAGEBYTES_MAX - 1,
+ guard_page, guard_page) == -1);
exit(1);
}
# endif
@@ -45,7 +45,8 @@ sigabrt_handler_12(int sig)
# else
signal(SIGABRT, sigabrt_handler_13);
# endif
- assert(crypto_pwhash_str_alg(NULL, "", 0U, 1U, 1U, -1) == -1);
+ assert(crypto_pwhash_str_alg((char *) guard_page,
+ "", 0U, 1U, 1U, -1) == -1);
exit(1);
}
@@ -54,8 +55,9 @@ sigabrt_handler_11(int sig)
{
(void) sig;
signal(SIGABRT, sigabrt_handler_12);
- assert(crypto_box_easy(NULL, NULL, crypto_stream_xsalsa20_MESSAGEBYTES_MAX,
- NULL, NULL, NULL) == -1);
+ assert(crypto_box_easy(guard_page, guard_page,
+ crypto_stream_xsalsa20_MESSAGEBYTES_MAX,
+ guard_page, guard_page, guard_page) == -1);
exit(1);
}
@@ -64,8 +66,9 @@ sigabrt_handler_10(int sig)
{
(void) sig;
signal(SIGABRT, sigabrt_handler_11);
- assert(crypto_box_easy_afternm(NULL, NULL, crypto_stream_xsalsa20_MESSAGEBYTES_MAX,
- NULL, NULL) == -1);
+ assert(crypto_box_easy_afternm(guard_page, guard_page,
+ crypto_stream_xsalsa20_MESSAGEBYTES_MAX,
+ guard_page, guard_page) == -1);
exit(1);
}
@@ -74,7 +77,8 @@ sigabrt_handler_9(int sig)
{
(void) sig;
signal(SIGABRT, sigabrt_handler_10);
- assert(sodium_base642bin(NULL, 1, NULL, 1, NULL, NULL, NULL, -1) == -1);
+ assert(sodium_base642bin(guard_page, 1, (const char *) guard_page, 1,
+ NULL, NULL, NULL, -1) == -1);
exit(1);
}
@@ -83,7 +87,8 @@ sigabrt_handler_8(int sig)
{
(void) sig;
signal(SIGABRT, sigabrt_handler_9);
- assert(sodium_bin2base64(NULL, 1, NULL, 1, sodium_base64_VARIANT_ORIGINAL) == NULL);
+ assert(sodium_bin2base64((char *) guard_page, 1, guard_page, 1,
+ sodium_base64_VARIANT_ORIGINAL) == NULL);
exit(1);
}
@@ -92,7 +97,8 @@ sigabrt_handler_7(int sig)
{
(void) sig;
signal(SIGABRT, sigabrt_handler_8);
- assert(sodium_bin2base64(NULL, 1, NULL, 1, -1) == NULL);
+ assert(sodium_bin2base64((char *) guard_page, 1,
+ guard_page, 1, -1) == NULL);
exit(1);
}
@@ -101,7 +107,7 @@ sigabrt_handler_6(int sig)
{
(void) sig;
signal(SIGABRT, sigabrt_handler_7);
- assert(sodium_pad(NULL, NULL, SIZE_MAX, 16, 1) == -1);
+ assert(sodium_pad(NULL, guard_page, SIZE_MAX, 16, 1) == -1);
exit(1);
}
@@ -110,8 +116,9 @@ sigabrt_handler_5(int sig)
{
(void) sig;
signal(SIGABRT, sigabrt_handler_6);
- assert(crypto_aead_xchacha20poly1305_ietf_encrypt(NULL, NULL, NULL, UINT64_MAX,
- NULL, 0, NULL, NULL, NULL) == -1);
+ assert(crypto_aead_xchacha20poly1305_ietf_encrypt(guard_page, NULL, NULL, UINT64_MAX,
+ NULL, 0, NULL,
+ guard_page, guard_page) == -1);
exit(1);
}
@@ -120,8 +127,9 @@ sigabrt_handler_4(int sig)
{
(void) sig;
signal(SIGABRT, sigabrt_handler_5);
- assert(crypto_aead_chacha20poly1305_ietf_encrypt(NULL, NULL, NULL, UINT64_MAX,
- NULL, 0, NULL, NULL, NULL) == -1);
+ assert(crypto_aead_chacha20poly1305_ietf_encrypt(guard_page, NULL, NULL, UINT64_MAX,
+ NULL, 0, NULL,
+ guard_page, guard_page) == -1);
exit(1);
}
@@ -130,8 +138,9 @@ sigabrt_handler_3(int sig)
{
(void) sig;
signal(SIGABRT, sigabrt_handler_4);
- assert(crypto_aead_chacha20poly1305_encrypt(NULL, NULL, NULL, UINT64_MAX,
- NULL, 0, NULL, NULL, NULL) == -1);
+ assert(crypto_aead_chacha20poly1305_encrypt(guard_page, NULL, NULL, UINT64_MAX,
+ NULL, 0, NULL,
+ guard_page, guard_page) == -1);
exit(1);
}
@@ -141,7 +150,7 @@ sigabrt_handler_2(int sig)
(void) sig;
signal(SIGABRT, sigabrt_handler_3);
#if SIZE_MAX > 0x4000000000ULL
- randombytes_buf_deterministic(NULL, 0x4000000001ULL, NULL);
+ randombytes_buf_deterministic(guard_page, 0x4000000001ULL, guard_page);
#else
abort();
#endif
@@ -153,7 +162,8 @@ sigabrt_handler_1(int sig)
{
(void) sig;
signal(SIGABRT, sigabrt_handler_2);
- assert(crypto_kx_server_session_keys(NULL, NULL, NULL, NULL, NULL) == -1);
+ assert(crypto_kx_server_session_keys(NULL, NULL, guard_page, guard_page,
+ guard_page) == -1);
exit(1);
}
@@ -161,7 +171,8 @@ int
main(void)
{
signal(SIGABRT, sigabrt_handler_1);
- assert(crypto_kx_client_session_keys(NULL, NULL, NULL, NULL, NULL) == -1);
+ assert(crypto_kx_client_session_keys(NULL, NULL, guard_page, guard_page,
+ guard_page) == -1);
return 1;
}
#else
diff --git a/test/default/pwhash_argon2id.c b/test/default/pwhash_argon2id.c
index 5940c9ca..95463492 100644
--- a/test/default/pwhash_argon2id.c
+++ b/test/default/pwhash_argon2id.c
@@ -480,19 +480,19 @@ main(void)
assert(crypto_pwhash_alg_argon2id13() != crypto_pwhash_alg_argon2i13());
assert(crypto_pwhash_alg_argon2id13() == crypto_pwhash_alg_default());
- assert(crypto_pwhash_argon2id(NULL, 0, NULL, 0, NULL,
+ assert(crypto_pwhash_argon2id(guard_page, 0, (const char *) guard_page, 0, guard_page,
crypto_pwhash_argon2id_OPSLIMIT_INTERACTIVE,
crypto_pwhash_argon2id_MEMLIMIT_INTERACTIVE,
0) == -1);
- assert(crypto_pwhash_argon2id(NULL, 0, NULL, 0, NULL,
+ assert(crypto_pwhash_argon2id(guard_page, 0, (const char *) guard_page, 0, guard_page,
crypto_pwhash_argon2id_OPSLIMIT_INTERACTIVE,
crypto_pwhash_argon2id_MEMLIMIT_INTERACTIVE,
crypto_pwhash_ALG_ARGON2I13) == -1);
- assert(crypto_pwhash_argon2i(NULL, 0, NULL, 0, NULL,
+ assert(crypto_pwhash_argon2i(guard_page, 0, (const char *) guard_page, 0, guard_page,
crypto_pwhash_argon2id_OPSLIMIT_INTERACTIVE,
crypto_pwhash_argon2id_MEMLIMIT_INTERACTIVE,
0) == -1);
- assert(crypto_pwhash_argon2i(NULL, 0, NULL, 0, NULL,
+ assert(crypto_pwhash_argon2i(guard_page, 0, (const char *) guard_page, 0, guard_page,
crypto_pwhash_argon2id_OPSLIMIT_INTERACTIVE,
crypto_pwhash_argon2id_MEMLIMIT_INTERACTIVE,
crypto_pwhash_ALG_ARGON2ID13) == -1);
diff --git a/test/default/scalarmult8.c b/test/default/scalarmult8.c
new file mode 100644
index 00000000..25a541dd
--- /dev/null
+++ b/test/default/scalarmult8.c
@@ -0,0 +1,580 @@
+
+#define TEST_NAME "scalarmult8"
+#include "cmptest.h"
+
+typedef struct TestData_ {
+ const char pk_hex[crypto_scalarmult_BYTES * 2 + 1];
+ const char sk_hex[crypto_scalarmult_SCALARBYTES * 2 + 1];
+ const char shared_hex[crypto_scalarmult_BYTES * 2 + 1];
+ const char *outcome;
+} TestData;
+
+static TestData test_data[] = {
+ {
+ "9c647d9ae589b9f58fdc3ca4947efbc915c4b2e08e744a0edf469dac59c8f85a",
+ "4852834d9d6b77dadeabaaf2e11dca66d19fe74993a7bec36c6e16a0983feaba",
+ "87b7f212b627f7a54ca5e0bcdaddd5389d9de6156cdbcf8ebe14ffbcfb436551",
+ "valid"
+ },
+ {
+ "9c647d9ae589b9f58fdc3ca4947efbc915c4b2e08e744a0edf469dac59c8f85a",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "4b82bd8650ea9b81a42181840926a4ffa16434d1bf298de1db87efb5b0a9e34e",
+ "valid"
+ },
+ {
+ "63aa40c6e38346c5caf23a6df0a5e6c80889a08647e551b3563449befcfc9733",
+ "588c061a50804ac488ad774ac716c3f5ba714b2712e048491379a500211998a8",
+ "b1a707519495ffffb298ff941716b06dfab87cf8d91123fe2be9a233dda22212",
+ "acceptable"
+ },
+ {
+ "0f83c36fded9d32fadf4efa3ae93a90bb5cfa66893bc412c43fa7287dbb99779",
+ "b05bfd32e55325d9fd648cb302848039000b390e44d521e58aab3b29a6960ba8",
+ "67dd4a6e165533534c0e3f172e4ab8576bca923a5f07b2c069b4c310ff2e935b",
+ "acceptable"
+ },
+ {
+ "0b8211a2b6049097f6871c6c052d3c5fc1ba17da9e32ae458403b05bb283092a",
+ "70e34bcbe1f47fbc0fddfd7c1e1aa53d57bfe0f66d243067b424bb6210bed19c",
+ "4a0638cfaa9ef1933b47f8939296a6b25be541ef7f70e844c0bcc00b134de64a",
+ "acceptable"
+ },
+ {
+ "343ac20a3b9c6a27b1008176509ad30735856ec1c8d8fcae13912d08d152f46c",
+ "68c1f3a653a4cdb1d37bba94738f8b957a57beb24d646e994dc29a276aad458d",
+ "399491fce8dfab73b4f9f611de8ea0b27b28f85994250b0f475d585d042ac207",
+ "acceptable"
+ },
+ {
+ "fa695fc7be8d1be5bf704898f388c452bafdd3b8eae805f8681a8d15c2d4e142",
+ "d877b26d06dff9d9f7fd4c5b3769f8cdd5b30516a5ab806be324ff3eb69ea0b2",
+ "2c4fe11d490a53861776b13b4354abd4cf5a97699db6e6c68c1626d07662f758",
+ "acceptable"
+ },
+ {
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "207494038f2bb811d47805bcdf04a2ac585ada7f2f23389bfd4658f9ddd4debc",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "0100000000000000000000000000000000000000000000000000000000000000",
+ "202e8972b61c7e61930eb9450b5070eae1c670475685541f0476217e4818cfab",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "0200000000000000000000000000000000000000000000000000000000000000",
+ "38dde9f3e7b799045f9ac3793d4a9277dadeadc41bec0290f81f744f73775f84",
+ "9a2cfe84ff9c4a9739625cae4a3b82a906877a441946f8d7b3d795fe8f5d1639",
+ "acceptable"
+ },
+ {
+ "0300000000000000000000000000000000000000000000000000000000000000",
+ "9857a914e3c29036fd9a442ba526b5cdcdf28216153e636c10677acab6bd6aa5",
+ "4da4e0aa072c232ee2f0fa4e519ae50b52c1edd08a534d4ef346c2e106d21d60",
+ "acceptable"
+ },
+ {
+ "ffffff030000f8ffff1f0000c0ffffff000000feffff070000f0ffff3f000000",
+ "48e2130d723305ed05e6e5894d398a5e33367a8c6aac8fcdf0a88e4b42820db7",
+ "9ed10c53747f647f82f45125d3de15a1e6b824496ab40410ffcc3cfe95760f3b",
+ "acceptable"
+ },
+ {
+ "000000fcffff070000e0ffff3f000000ffffff010000f8ffff0f0000c0ffff7f",
+ "28f41011691851b3a62b641553b30d0dfddcb8fffcf53700a7be2f6a872e9fb0",
+ "cf72b4aa6aa1c9f894f4165b86109aa468517648e1f0cc70e1ab08460176506b",
+ "acceptable"
+ },
+ {
+ "00000000ffffffff00000000ffffffff00000000ffffffff00000000ffffff7f",
+ "18a93b6499b9f6b3225ca02fef410e0adec23532321d2d8ef1a6d602a8c65b83",
+ "5d50b62836bb69579410386cf7bb811c14bf85b1c7b17e5924c7ffea91ef9e12",
+ "acceptable"
+ },
+ {
+ "eaffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "c01d1305a1338a1fcac2ba7e2e032b427e0b04903165aca957d8d0553d8717b0",
+ "19230eb148d5d67c3c22ab1daeff80a57eae4265ce2872657b2c8099fc698e50",
+ "acceptable"
+ },
+ {
+ "0400000000000000000000000000000000000000000000000000000000000000",
+ "386f7f16c50731d64f82e6a170b142a4e34f31fd7768fcb8902925e7d1e21abe",
+ "0fcab5d842a078d7a71fc59b57bfb4ca0be6873b49dcdb9f44e14ae8fbdfa542",
+ "valid"
+ },
+ {
+ "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff00000000",
+ "e023a289bd5e90fa2804ddc019a05ef3e79d434bb6ea2f522ecb643a75296e95",
+ "54ce8f2275c077e3b1306a3939c5e03eef6bbb88060544758d9fef59b0bc3e4f",
+ "valid"
+ },
+ {
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff03",
+ "68f010d62ee8d926053a361c3a75c6ea4ebdc8606ab285003a6f8f4076b01e83",
+ "f136775c5beb0af8110af10b20372332043cab752419678775a223df57c9d30d",
+ "valid"
+ },
+ {
+ "fffffffbfffffbffffdfffffdffffffffefffffefffff7fffff7ffffbfffff3f",
+ "58ebcb35b0f8845caf1ec630f96576b62c4b7b6c36b29deb2cb0084651755c96",
+ "bf9affd06b844085586460962ef2146ff3d4533d9444aab006eb88cc3054407d",
+ "valid"
+ },
+ {
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f",
+ "188c4bc5b9c44b38bb658b9b2ae82d5b01015e093184b17cb7863503a783e1bb",
+ "d480de04f699cb3be0684a9cc2e31281ea0bc5a9dcc157d3d20158d46ca5246d",
+ "valid"
+ },
+ {
+ "fffffffffeffff7ffffffffffeffff7ffffffffffeffff7ffffffffffeffff7f",
+ "e06c11bb2e13ce3dc7673f67f5482242909423a9ae95ee986a988d98faee23a2",
+ "4c4401cce6b51e4cb18f2790246c9bf914db667750a1cb89069092af07292276",
+ "valid"
+ },
+ {
+ "ebffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "c0658c46dde18129293877535b1162b6f9f5414a23cf4d2cbc140a4d99da2b8f",
+ "578ba8cc2dbdc575afcf9df2b3ee6189f5337d6854c79b4ce165ea12293b3a0f",
+ "valid"
+ },
+ {
+ "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800",
+ "10255c9230a97a30a458ca284a629669293a31890cda9d147febc7d1e22d6bb1",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157",
+ "78f1e8edf14481b389448dac8f59c70b038e7cf92ef2c7eff57a72466e115296",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "a0a05a3e8f9f44204d5f8059a94ac7dfc39a49ac016dd743dbfa43c5d671fd88",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "d0dbb3ed1906663f15420af31f4eaf6509d9a9949723500605ad7c1c6e7450a9",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "c0b1d0eb22b244fe3291140072cdd9d989b5f0ecd96c100feb5bca241c1d9f8f",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "0000000000000000000000000000000000000000000000000000000000000080",
+ "480bf45f594942a8bc0f3353c6e8b8853d77f351f1c2ca6c2d1abf8a00b4229c",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "0100000000000000000000000000000000000000000000000000000000000080",
+ "30f993fcf8514fc89bd8db14cd43ba0d4b2530e73c4276a05e1b145d420cedb4",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b880",
+ "c04974b758380e2a5b5df6eb09bb2f6b3434f982722a8e676d3da251d1b3de83",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f11d7",
+ "502a31373db32446842fe5add3e024022ea54f274182afc3d9f1bb3d39534eb5",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "90fa6417b0e37030fd6e43eff2abaef14c6793117a039cf621318ba90f4e98be",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "78ad3f26027f1c9fdd975a1613b947779bad2cf2b741ade01840885a30bb979c",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "98e23de7b1e0926ed9c87e7b14baf55f497a1d7096f93977680e44dc1c7b7b8b",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "0100000000000000000000000000000000000000000000000000000000000000",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "0000000000000000000000000000000000000000000000000000000000000080",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "0100000000000000000000000000000000000000000000000000000000000080",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f11d7",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b880",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "1064a67da639a8f6df4fbea2d63358b65bca80a770712e14ea8a72df5a3313ae",
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "efffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "f01e48dafac9d7bcf589cbc382c878d18bda3550589ffb5d50b523bebe329dae",
+ "bd36a0790eb883098c988b21786773de0b3a4df162282cf110de18dd484ce74b",
+ "acceptable"
+ },
+ {
+ "f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "288796bc5aff4b81a37501757bc0753a3c21964790d38699308debc17a6eaf8d",
+ "b4e0dd76da7b071728b61f856771aa356e57eda78a5b1655cc3820fb5f854c5c",
+ "acceptable"
+ },
+ {
+ "f1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "98df845f6651bf1138221f119041f72b6dbc3c4ace7143d99fd55ad867480da8",
+ "6fdf6c37611dbd5304dc0f2eb7c9517eb3c50e12fd050ac6dec27071d4bfc034",
+ "acceptable"
+ },
+ {
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "f09498e46f02f878829e78b803d316a2ed695d0498a08abdf8276930e24edcb0",
+ "4c8fc4b1c6ab88fb21f18f6d4c810240d4e94651ba44f7a2c863cec7dc56602d",
+ "acceptable"
+ },
+ {
+ "0200000000000000000000000000000000000000000000000000000000000080",
+ "1813c10a5c7f21f96e17f288c0cc37607c04c5f5aea2db134f9e2ffc66bd9db8",
+ "1cd0b28267dc541c642d6d7dca44a8b38a63736eef5c4e6501ffbbb1780c033c",
+ "acceptable"
+ },
+ {
+ "0300000000000000000000000000000000000000000000000000000000000080",
+ "7857fb808653645a0beb138a64f5f4d733a45ea84c3cda11a9c06f7e7139149e",
+ "8755be01c60a7e825cff3e0e78cb3aa4333861516aa59b1c51a8b2a543dfa822",
+ "acceptable"
+ },
+ {
+ "0400000000000000000000000000000000000000000000000000000000000080",
+ "e03aa842e2abc56e81e87b8b9f417b2a1e5913c723eed28d752f8d47a59f498f",
+ "54c9a1ed95e546d27822a360931dda60a1df049da6f904253c0612bbdc087476",
+ "acceptable"
+ },
+ {
+ "daffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "f8f707b7999b18cb0d6b96124f2045972ca274bfc154ad0c87038c24c6d0d4b2",
+ "cc1f40d743cdc2230e1043daba8b75e810f1fbab7f255269bd9ebb29e6bf494f",
+ "acceptable"
+ },
+ {
+ "dbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "a034f684fa631e1a348118c1ce4c98231f2d9eec9ba5365b4a05d69a785b0796",
+ "54998ee43a5b007bf499f078e736524400a8b5c7e9b9b43771748c7cdf880412",
+ "acceptable"
+ },
+ {
+ "dcffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "30b6c6a0f2ffa680768f992ba89e152d5bc9893d38c9119be4f767bfab6e0ca5",
+ "ead9b38efdd723637934e55ab717a7ae09eb86a21dc36a3feeb88b759e391e09",
+ "acceptable"
+ },
+ {
+ "eaffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "901b9dcf881e01e027575035d40b43bdc1c5242e030847495b0c7286469b6591",
+ "602ff40789b54b41805915fe2a6221f07a50ffc2c3fc94cf61f13d7904e88e0e",
+ "acceptable"
+ },
+ {
+ "ebffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "8046677c28fd82c9a1bdb71a1a1a34faba1225e2507fe3f54d10bd5b0d865f8e",
+ "e00ae8b143471247ba24f12c885536c3cb981b58e1e56b2baf35c12ae1f79c26",
+ "acceptable"
+ },
+ {
+ "efffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "602f7e2f68a846b82cc269b1d48e939886ae54fd636c1fe074d710127d472491",
+ "98cb9b50dd3fc2b0d4f2d2bf7c5cfdd10c8fcd31fc40af1ad44f47c131376362",
+ "acceptable"
+ },
+ {
+ "f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "60887b3dc72443026ebedbbbb70665f42b87add1440e7768fbd7e8e2ce5f639d",
+ "38d6304c4a7e6d9f7959334fb5245bd2c754525d4c91db950206926234c1f633",
+ "acceptable"
+ },
+ {
+ "f1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "78d31dfa854497d72d8def8a1b7fb006cec2d8c4924647c93814ae56faeda495",
+ "786cd54996f014a5a031ec14db812ed08355061fdb5de680a800ac521f318e23",
+ "acceptable"
+ },
+ {
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+ "c04c5baefa8302ddded6a4bb957761b4eb97aefa4fc3b8043085f96a5659b3a5",
+ "29ae8bc73e9b10a08b4f681c43c3e0ac1a171d31b38f1a48efba29ae639ea134",
+ "acceptable"
+ },
+ {
+ "e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c",
+ "a046e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449a44",
+ "c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552",
+ "valid"
+ },
+ {
+ "e5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a413",
+ "4866e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba4d",
+ "95cbde9476e8907d7aade45cb4b873f88b595a68799fa152e6f8f7647aac7957",
+ "valid"
+ },
+ {
+ "0ab4e76380d84dde4f6833c58f2a9fb8f83bb0169b172be4b6e0592887741a36",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "0200000000000000000000000000000000000000000000000000000000000000",
+ "acceptable"
+ },
+ {
+ "89e10d5701b4337d2d032181538b1064bd4084401ceca1fd12663a1959388000",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "0900000000000000000000000000000000000000000000000000000000000000",
+ "valid"
+ },
+ {
+ "2b55d3aa4a8f80c8c0b2ae5f933e85af49beac36c2fa7394bab76c8933f8f81d",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "1000000000000000000000000000000000000000000000000000000000000000",
+ "valid"
+ },
+ {
+ "63e5b1fe9601fe84385d8866b0421262f78fbfa5aff9585e626679b18547d959",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f",
+ "acceptable"
+ },
+ {
+ "e428f3dac17809f827a522ce32355058d07369364aa78902ee10139b9f9dd653",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "fcffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f",
+ "valid"
+ },
+ {
+ "b3b50e3ed3a407b95de942ef74575b5ab8a10c09ee103544d60bdfed8138ab2b",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "f9ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f",
+ "acceptable"
+ },
+ {
+ "213fffe93d5ea8cd242e462844029922c43c77c9e3e42f562f485d24c501a20b",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "f3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f",
+ "valid"
+ },
+ {
+ "91b232a178b3cd530932441e6139418f72172292f1da4c1834fc5ebfefb51e3f",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff03",
+ "valid"
+ },
+ {
+ "045c6e11c5d332556c7822fe94ebf89b56a3878dc27ca079103058849fabcb4f",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "e5ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "acceptable"
+ },
+ {
+ "1ca2190b71163539063c35773bda0c9c928e9136f0620aeb093f099197b7f74e",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "e3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "acceptable"
+ },
+ {
+ "f76e9010ac33c5043b2d3b76a842171000c4916222e9e85897a0aec7f6350b3c",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "ddffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "valid"
+ },
+ {
+ "bb72688d8f8aa7a39cd6060cd5c8093cdec6fe341937c3886a99346cd07faa55",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "dbffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "acceptable"
+ },
+ {
+ "88fddea193391c6a5933ef9b71901549447205aae9da928a6b91a352ba10f41f",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "0000000000000000000000000000000000000000000000000000000000000002",
+ "acceptable"
+ },
+ {
+ "303b392f153116cad9cc682a00ccc44c95ff0d3bbe568beb6c4e739bafdc2c68",
+ "a0a4f130b98a5be4b1cedb7cb85584a3520e142d474dc9ccb909a073a976bf63",
+ "0000000000000000000000000000000000000000000000000000000000008000",
+ "acceptable"
+ },
+ {
+ "fd300aeb40e1fa582518412b49b208a7842b1e1f056a040178ea4141534f652d",
+ "c81724704000b26d31703cc97e3a378d56fad8219361c88cca8bd7c5719b12b2",
+ "b734105dc257585d73b566ccb76f062795ccbec89128e52b02f3e59639f13c46",
+ "valid"
+ },
+ {
+ "c8ef79b514d7682677bc7931e06ee5c27c9b392b4ae9484473f554e6678ecc2e",
+ "c81724704000b26d31703cc97e3a378d56fad8219361c88cca8bd7c5719b12b2",
+ "647a46b6fc3f40d62141ee3cee706b4d7a9271593a7b143e8e2e2279883e4550",
+ "valid"
+ },
+ {
+ "64aeac2504144861532b7bbcb6c87d67dd4c1f07ebc2e06effb95aecc6170b2c",
+ "c81724704000b26d31703cc97e3a378d56fad8219361c88cca8bd7c5719b12b2",
+ "4ff03d5fb43cd8657a3cf37c138cadcecce509e4eba089d0ef40b4e4fb946155",
+ "valid"
+ },
+ {
+ "bf68e35e9bdb7eee1b50570221860f5dcdad8acbab031b14974cc49013c49831",
+ "c81724704000b26d31703cc97e3a378d56fad8219361c88cca8bd7c5719b12b2",
+ "21cee52efdbc812e1d021a4af1e1d8bc4db3c400e4d2a2c56a3926db4d99c65b",
+ "valid"
+ },
+ {
+ "5347c491331a64b43ddc683034e677f53dc32b52a52a577c15a83bf298e99f19",
+ "c81724704000b26d31703cc97e3a378d56fad8219361c88cca8bd7c5719b12b2",
+ "18cb89e4e20c0c2bd324305245266c9327690bbe79acb88f5b8fb3f74eca3e52",
+ "valid"
+ },
+ {
+ "258e04523b8d253ee65719fc6906c657192d80717edc828fa0af21686e2faa75",
+ "a023cdd083ef5bb82f10d62e59e15a6800000000000000000000000000000050",
+ "258e04523b8d253ee65719fc6906c657192d80717edc828fa0af21686e2faa75",
+ "valid"
+ },
+ {
+ "2eae5ec3dd494e9f2d37d258f873a8e6e9d0dbd1e383ef64d98bb91b3e0be035",
+ "58083dd261ad91eff952322ec824c682ffffffffffffffffffffffffffffff5f",
+ "2eae5ec3dd494e9f2d37d258f873a8e6e9d0dbd1e383ef64d98bb91b3e0be035",
+ "acceptable"
+ }
+};
+
+int
+main(void)
+{
+ unsigned char sk[crypto_scalarmult_SCALARBYTES];
+ unsigned char pk[crypto_scalarmult_BYTES];
+ unsigned char shared[crypto_scalarmult_BYTES];
+ unsigned char shared2[crypto_scalarmult_BYTES];
+ unsigned int i;
+ int res;
+
+ for (i = 0U; i < (sizeof test_data) / (sizeof test_data[0]); i++) {
+ sodium_hex2bin(sk, crypto_scalarmult_SCALARBYTES, test_data[i].sk_hex,
+ crypto_scalarmult_SCALARBYTES * 2, NULL, NULL, NULL);
+ sodium_hex2bin(pk, crypto_scalarmult_BYTES, test_data[i].pk_hex,
+ crypto_scalarmult_BYTES * 2, NULL, NULL, NULL);
+ sodium_hex2bin(shared, crypto_scalarmult_BYTES, test_data[i].shared_hex,
+ crypto_scalarmult_BYTES * 2, NULL, NULL, NULL);
+ randombytes_buf(shared2, crypto_scalarmult_BYTES);
+ res = crypto_scalarmult(shared2, sk, pk);
+ if (res == 0) {
+ if (strcmp(test_data[i].outcome, "acceptable") == 0) {
+ printf("test case %u succeeded (%s)\n", i,
+ test_data[i].outcome);
+ } else if (strcmp(test_data[i].outcome, "valid") != 0) {
+ printf("*** test case %u succeeded, was supposed to be %s\n", i,
+ test_data[i].outcome);
+ }
+ if (memcmp(shared, shared2, crypto_scalarmult_BYTES) != 0) {
+ printf("*** test case %u succeeded, but shared key is not %s\n",
+ i, test_data[i].outcome);
+ }
+ } else {
+ if (strcmp(test_data[i].outcome, "acceptable") == 0) {
+ printf("test case %u failed (%s)\n", i, test_data[i].outcome);
+ } else if (strcmp(test_data[i].outcome, "valid") == 0) {
+ printf("*** test case %u failed, was supposed to be %s\n", i,
+ test_data[i].outcome);
+ }
+ }
+ }
+ printf("OK\n");
+
+ return 0;
+}
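Review bot: The three `sodium_hex2bin()` calls in the loop in `main` ignore their return value, so a malformed or truncated vector would leave `sk`, `pk` or `shared` partly uninitialised and the comparison would run against stack garbage. Check each call and skip the case on failure, e.g. `if (sodium_hex2bin(sk, sizeof sk, test_data[i].sk_hex, crypto_scalarmult_SCALARBYTES * 2, NULL, NULL, NULL) != 0) { printf("*** test case %u: invalid hex\n", i); continue; }`, and likewise for `pk` and `shared`. `test_data` is never written and could be declared `static const`.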
diff --git a/test/default/scalarmult8.exp b/test/default/scalarmult8.exp
new file mode 100644
index 00000000..320ff64f
--- /dev/null
+++ b/test/default/scalarmult8.exp
@@ -0,0 +1,65 @@
+test case 2 succeeded (acceptable)
+test case 3 succeeded (acceptable)
+test case 4 succeeded (acceptable)
+test case 5 succeeded (acceptable)
+test case 6 succeeded (acceptable)
+test case 7 failed (acceptable)
+test case 8 failed (acceptable)
+test case 9 succeeded (acceptable)
+test case 10 succeeded (acceptable)
+test case 11 succeeded (acceptable)
+test case 12 succeeded (acceptable)
+test case 13 succeeded (acceptable)
+test case 14 succeeded (acceptable)
+test case 22 failed (acceptable)
+test case 23 failed (acceptable)
+test case 24 failed (acceptable)
+test case 25 failed (acceptable)
+test case 26 failed (acceptable)
+test case 27 failed (acceptable)
+test case 28 failed (acceptable)
+test case 29 failed (acceptable)
+test case 30 failed (acceptable)
+test case 31 failed (acceptable)
+test case 32 failed (acceptable)
+test case 33 failed (acceptable)
+test case 34 failed (acceptable)
+test case 35 failed (acceptable)
+test case 36 failed (acceptable)
+test case 37 failed (acceptable)
+test case 38 failed (acceptable)
+test case 39 failed (acceptable)
+test case 40 failed (acceptable)
+test case 41 failed (acceptable)
+test case 42 failed (acceptable)
+test case 43 failed (acceptable)
+test case 44 failed (acceptable)
+test case 45 failed (acceptable)
+test case 46 failed (acceptable)
+test case 47 failed (acceptable)
+test case 48 succeeded (acceptable)
+test case 49 succeeded (acceptable)
+test case 50 succeeded (acceptable)
+test case 51 succeeded (acceptable)
+test case 52 succeeded (acceptable)
+test case 53 succeeded (acceptable)
+test case 54 succeeded (acceptable)
+test case 55 succeeded (acceptable)
+test case 56 succeeded (acceptable)
+test case 57 succeeded (acceptable)
+test case 58 succeeded (acceptable)
+test case 59 succeeded (acceptable)
+test case 60 succeeded (acceptable)
+test case 61 succeeded (acceptable)
+test case 62 succeeded (acceptable)
+test case 63 succeeded (acceptable)
+test case 66 succeeded (acceptable)
+test case 69 succeeded (acceptable)
+test case 71 succeeded (acceptable)
+test case 74 succeeded (acceptable)
+test case 75 succeeded (acceptable)
+test case 77 succeeded (acceptable)
+test case 78 succeeded (acceptable)
+test case 79 succeeded (acceptable)
+test case 86 succeeded (acceptable)
+OK
diff --git a/test/default/scalarmult_ed25519.c b/test/default/scalarmult_ed25519.c
index 3ad4bd09..26d431ae 100644
--- a/test/default/scalarmult_ed25519.c
+++ b/test/default/scalarmult_ed25519.c
@@ -43,18 +43,24 @@ main(void)
memset(n, 0, crypto_scalarmult_ed25519_SCALARBYTES);
if (crypto_scalarmult_ed25519_base(q, n) != -1) {
- printf("crypto_scalarmult_ed25519_base(0) failed\n");
+ printf("crypto_scalarmult_ed25519_base(0) passed\n");
}
if (crypto_scalarmult_ed25519(q2, n, p) != -1) {
printf("crypto_scalarmult_ed25519(0) passed\n");
}
+ if (crypto_scalarmult_ed25519_noclamp(q2, n, p) != -1) {
+ printf("crypto_scalarmult_ed25519_noclamp(0) passed\n");
+ }
n[0] = 1;
if (crypto_scalarmult_ed25519_base(q, n) != 0) {
printf("crypto_scalarmult_ed25519_base() failed\n");
}
if (crypto_scalarmult_ed25519(q2, n, p) != 0) {
- printf("crypto_scalarmult_ed25519() passed\n");
+ printf("crypto_scalarmult_ed25519() failed\n");
+ }
+ if (crypto_scalarmult_ed25519_noclamp(q2, n, p) != 0) {
+ printf("crypto_scalarmult_ed25519_noclamp() failed\n");
}
if (crypto_scalarmult_ed25519(q, n, non_canonical_p) != -1) {
@@ -67,14 +73,40 @@ main(void)
printf("crypto_scalarmult_ed25519() failed\n");
}
+ n[0] = 9;
+ if (crypto_scalarmult_ed25519(q, n, p) != 0) {
+ printf("crypto_scalarmult_ed25519() failed\n");
+ }
+ if (crypto_scalarmult_ed25519_noclamp(q2, n, p) != 0) {
+ printf("crypto_scalarmult_ed25519_noclamp() failed\n");
+ }
+ if (memcmp(q, q2, crypto_scalarmult_ed25519_BYTES) == 0) {
+ printf("clamping not applied\n");
+ }
+ n[0] = 8;
+ n[31] = 64;
+ if (crypto_scalarmult_ed25519_noclamp(q2, n, p) != 0) {
+ printf("crypto_scalarmult_ed25519_noclamp() failed\n");
+ }
+ if (memcmp(q, q2, crypto_scalarmult_ed25519_BYTES) != 0) {
+ printf("inconsistent clamping\n");
+ }
+
memset(p, 0, crypto_scalarmult_ed25519_BYTES);
if (crypto_scalarmult_ed25519(q, n, p) != -1) {
printf("crypto_scalarmult_ed25519() didn't fail\n");
}
+ if (crypto_scalarmult_ed25519_noclamp(q, n, p) != -1) {
+ printf("crypto_scalarmult_ed25519_noclamp() didn't fail\n");
+ }
+
n[0] = 8;
if (crypto_scalarmult_ed25519(q, n, p) != -1) {
printf("crypto_scalarmult_ed25519() didn't fail\n");
}
+ if (crypto_scalarmult_ed25519_noclamp(q, n, p) != -1) {
+ printf("crypto_scalarmult_ed25519_noclamp() didn't fail\n");
+ }
sodium_free(q2);
sodium_free(q);
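Review bot: After the added clamping block, `n` still holds `n[0] = 8` and `n[31] = 64` when execution reaches `memset(p, 0, crypto_scalarmult_ed25519_BYTES)`. The existing `n[0] = 8;` further down therefore no longer changes the scalar, and both groups of all-zero-point checks (including the new `_noclamp` ones) run on the same input. If the two groups were meant to cover different scalars, reset the scalar before the `memset`, for example `n[0] = 1; n[31] = 0;`. The last visible earlier assignment is `n[0] = 1;`, but the lines between the two hunks are not shown, so this should be confirmed. main's body starts and ends outside the hunk.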
diff --git a/test/default/sign.c b/test/default/sign.c
index 88b03529..30a2882b 100644
--- a/test/default/sign.c
+++ b/test/default/sign.c
@@ -1053,15 +1053,8 @@ static void add_l(unsigned char * const S)
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 };
- unsigned char c = 0U;
- unsigned int i;
- unsigned int s;
- for (i = 0U; i < 32U; i++) {
- s = S[i] + l[i] + c;
- S[i] = (unsigned char) s;
- c = (s >> 8) & 1;
- }
+ sodium_add(S, l, sizeof l);
}
int main(void)
diff --git a/test/default/sodium_utils.c b/test/default/sodium_utils.c
index 24073f7a..379518fc 100644
--- a/test/default/sodium_utils.c
+++ b/test/default/sodium_utils.c
@@ -60,8 +60,7 @@ main(void)
buf2_rev[bin_len - 1 - j] = buf2[j];
}
if (memcmp(buf1_rev, buf2_rev, bin_len) *
- sodium_compare(buf1, buf2, bin_len) <
- 0) {
+ sodium_compare(buf1, buf2, bin_len) < 0) {
printf("sodium_compare() failure with length=%u\n",
(unsigned int) bin_len);
}
@@ -106,7 +105,21 @@ main(void)
if (sodium_compare(buf1, buf2, bin_len) != 0) {
printf("sodium_add() failed\n");
}
-
+ for (i = 0U; i < 1000U; i++) {
+ randombytes_buf(buf1, bin_len);
+ randombytes_buf(buf2, bin_len);
+ sodium_add(buf1, buf2, bin_len);
+ sodium_sub(buf1, buf2, bin_len);
+ sodium_sub(buf1, buf2, 0U);
+ if (sodium_is_zero(buf1, bin_len) &&
+ !sodium_is_zero(buf1, bin_len)) {
+ printf("sodium_sub() failed\n");
+ }
+ sodium_sub(buf1, buf1, bin_len);
+ if (!sodium_is_zero(buf1, bin_len)) {
+ printf("sodium_sub() failed\n");
+ }
+ }
assert(sizeof nonce >= 24U);
memset(nonce, 0xfe, 24U);
memset(nonce, 0xff, 6U);
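Review bot: The first check in the added loop can never fire, because `sodium_is_zero(buf1, bin_len) && !sodium_is_zero(buf1, bin_len)` is a contradiction. The `sodium_add()`/`sodium_sub()` round trip is therefore not verified; only the `buf1 - buf1` case is. Keeping a copy of the operand would make it a real check: `memcpy(buf1_rev, buf1, bin_len);` before `sodium_add()`, then `if (memcmp(buf1, buf1_rev, bin_len) != 0) {` in place of the current condition. `buf1_rev` is indexed up to `bin_len - 1` earlier in this file, but its size at this point is outside the hunk and should be confirmed. main's body starts and ends outside the hunk.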
@@ -142,6 +155,18 @@ main(void)
printf("%s\n",
sodium_bin2hex(nonce_hex, sizeof nonce_hex, nonce, sizeof nonce));
+ randombytes_buf(buf1, 64U);
+ randombytes_buf(buf2, 64U);
+ memset(buf_add, 0, 64U);
+ sodium_add(buf_add, buf1, 64U);
+ assert(!sodium_is_zero(buf_add, 64U));
+ sodium_add(buf_add, buf2, 64U);
+ assert(!sodium_is_zero(buf_add, 64U));
+ sodium_sub(buf_add, buf1, 64U);
+ assert(!sodium_is_zero(buf_add, 64U));
+ sodium_sub(buf_add, buf2, 64U);
+ assert(sodium_is_zero(buf_add, 64U));
+
for (i = 0; i < 2000U; i++) {
bin_len = randombytes_uniform(200U);
blocksize = 1U + randombytes_uniform(500U);
diff --git a/test/default/sodium_utils2.c b/test/default/sodium_utils2.c
index da8bbf2d..844f5866 100644
--- a/test/default/sodium_utils2.c
+++ b/test/default/sodium_utils2.c
@@ -12,6 +12,10 @@
# warning The sodium_utils2 test is expected to fail with address sanitizer
#endif
+#undef sodium_malloc
+#undef sodium_free
+#undef sodium_allocarray
+
__attribute__((noreturn)) static void
segv_handler(int sig)
{