Merge branch 'master' of github.com:jedisct1/libsodium

* 'master' of github.com:jedisct1/libsodium:
  + Firefox
  Some notes about RtlGenRandom
  Format paragraphs
  Explain that sodium_misuse() still aborts by default
  + crypto_secretstream_*()
  THANKS += PIA
Frank Denis 2017-08-16 22:06:59 +02:00
commit 55a578d625
3 changed files with 21 additions and 8 deletions


@ -6,20 +6,21 @@
- Internal consistency checks failing and primitives used with
dangerous/out-of-bounds/invalid parameters used to call abort(3).
Now, a custom handler *that doesn't return* can be set with the
`set_sodium_misuse()` function. This is not a replacement for
non-fatal, expected runtime errors. This handler will be only
called in unexpected situations due to potential bugs in the
library or in language bindings.
`set_sodium_misuse()` function. It still aborts by default or if the
handler ever returns. This is not a replacement for non-fatal,
expected runtime errors. This handler will be only called in
unexpected situations due to potential bugs in the library or in
language bindings.
- `*_MESSAGEBYTES_MAX` macros (and the corresponding
`_messagebytes_max()` symbols) have been added to represent the
maximum message size that can be safely handled by a primitive.
Language bindings are encouraged to check user inputs against
these maximum lengths.
Language bindings are encouraged to check user inputs against these
maximum lengths.
- The test suite has been extended to cover more edge cases.
- crypto_sign_ed25519_pk_to_curve25519() now rejects points that are
not on the curve, or not in the main subgroup.
- Further changes to ensure that smart compilers will not optimize
out code that we don't want to be optimized.
- Further changes to ensure that smart compilers will not optimize out
code that we don't want to be optimized.
- Visual Studio solutions are now included in distribution tarballs.
- The `sodium_runtime_has_*` symbols for CPU features detection are
now defined as weak symbols, i.e. they can be replaced with an
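Review bot: The function name in the reworded first entry, `set_sodium_misuse()`, does not match the commit subject listed above, which refers to `sodium_misuse()`. Binding authors will search the headers for whichever name the changelog prints, so check it against the exported symbol and use that exact spelling. The added sentence "It still aborts by default or if the handler ever returns" is the guarantee that matters for callers; it would be worth saying in the same entry that a custom handler is therefore expected to terminate the process itself rather than attempt recovery.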
@ -32,6 +33,8 @@ store keys to.
`crypto_pwhash_str_alg()` function.
- Due to popular demand, base64 encoding (`sodium_bin2base64()`) and
decoding (`sodium_base642bin()`) have been implemented.
- A new crypto_secretstream_*() API was added to safely encrypt files
and multi-part messages.
* Version 1.0.13
- Javascript: the sumo builds now include all symbols. They were
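Review bot: The new entry writes crypto_secretstream_*() without backticks, while the neighbouring entries quote their symbols (`crypto_pwhash_str_alg()`, `sodium_bin2base64()`, `sodium_base642bin()`); quote it the same way for consistency. The word "safely" is also doing a lot of work in "to safely encrypt files and multi-part messages": one clause on what the API protects against that a hand-rolled chunked scheme does not would make the entry more useful to readers deciding whether to migrate.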

THANKS

@ -87,3 +87,4 @@ Also thanks to:
- Coverity, Inc. to provide static analysis.
- FSF France for providing access to their compilation servers.
- Private Internet Access for having sponsored a complete security audit.


@ -36,6 +36,15 @@
* memory overhead if this API is not being used for other purposes
* - `RtlGenRandom` is thus called directly instead. A detailed explanation
* can be found here: https://blogs.msdn.microsoft.com/michael_howard/2005/01/14/cryptographically-secure-random-number-on-windows-without-using-cryptoapi/
*
* In spite of the disclaimer on the `RtlGenRandom` documentation page that was
* written back in the Windows XP days, this function is here to stay. The CRT
* function `rand_s()` directly depends on it, so touching it would break many
* applications released since Windows XP.
*
* Also note that Rust, Firefox and BoringSSL (thus, Google Chrome and everything
* based on Chromium) also depend on it, and that libsodium allows the RNG to be
* replaced without patching nor recompiling the library.
*/
# include <windows.h>
# define RtlGenRandom SystemFunction036
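Review bot: The added comment cites "the disclaimer on the `RtlGenRandom` documentation page" without linking or quoting it, whereas the preceding paragraph gives a URL for its source; add the reference so a later maintainer can re-check whether the disclaimer still reads the same. The closing claim that "libsodium allows the RNG to be replaced without patching nor recompiling the library" should name the API that does this, since that is the fallback a reader concerned about the dependency would look for. Minor wording: "without patching nor recompiling" should be "without patching or recompiling".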