2023-09-17 03:34:52 -04:00
|
|
|
* Version 1.0.19
|
|
|
|
This release includes all the changes from 1.0.18-stable, as well as two
|
|
|
|
additions:
|
|
|
|
|
|
|
|
- New AEADs: AEGIS-128L and AEGIS-256 are now available in the
|
|
|
|
`crypto_aead_aegis128l_*()` and `crypto_aead_aegis256_*()` namespaces.
|
|
|
|
AEGIS is a family of authenticated ciphers for high-performance applications,
|
|
|
|
leveraging hardware AES acceleration on `x86_64` and `aarch64`. In addition
|
|
|
|
to performance, AEGIS ciphers have unique properties making them easier and
|
|
|
|
safer to use than AES-GCM. They can also be used as high-performance MACs.
|
|
|
|
- The HKDF key derivation mechanism, required by many standard protocols, is
|
|
|
|
now available in the `crypto_kdf_hkdf_*()` namespace. It is implemented for
|
|
|
|
the SHA-256 and SHA-512 hash functions.
|
|
|
|
- The `osx.sh` build script was renamed to `macos.sh`.
|
|
|
|
- Support for android-mips was removed.
|
|
|
|
|
|
|
|
* Version 1.0.18-stable
|
|
|
|
- Visual Studio: support for Windows/ARM64 builds has been added.
|
|
|
|
- Visual Studio: AVX512 implementations are enabled on supported CPUs.
|
|
|
|
- Visual Studio: an MSVC 2022 solution was added.
|
|
|
|
- Apple XCFramework: support for VisionOS was added.
|
|
|
|
- Apple XCFranework: support for Catalyst was added.
|
|
|
|
- Apple XCFramework: building the simulators is now optional.
|
|
|
|
- iOS: bitcode is not generated any more, as it was deprecated by Apple.
|
|
|
|
- watchOS: support for arm64 was added.
|
|
|
|
- The Zig toolchain can now be used as a modern build system to replace
|
|
|
|
autoconf/automake/libtool/make/ccache and the compiler. This enables faster
|
|
|
|
compilation times, easier cross compilation, and static libraries optimized
|
|
|
|
for any CPU.
|
|
|
|
- The Zig toolchain is now the recommended way to compile `libsodium`
|
|
|
|
to WebAssembly/WASI(X).
|
|
|
|
- libsodium can now be added as a dependency to Zig projects.
|
|
|
|
- Memory fences were added to remove some gadgets that could be used
|
|
|
|
alongside speculative loads.
|
|
|
|
- The AES-GCM implementation was completely rewritten. It is now faster,
|
|
|
|
and also available on aarch64, including Windows/ARM64.
|
|
|
|
- Compatibility with CET instrumentation / IBT / Shadow Stack was added.
|
|
|
|
- Emscripten: the `crypto_pwhash_*()` functions have been removed from Sumo
|
|
|
|
builds, as they reserve a substantial amount of JavaScript memory, even when
|
|
|
|
not used.
|
|
|
|
- Benchmarks now use `CLOCK_MONOTONIC` if possible.
|
|
|
|
- WebAssembly: tests can now run using Bun, WasmEdge, Wazero, wasm3 and
|
|
|
|
wasmer-js. Support for WAVM and Lucet have been removed, as these projects
|
|
|
|
have reached EOL.
|
|
|
|
- .NET: the minimum supported macOS version is now 1.0.15; this matches
|
|
|
|
Microsoft guidelines.
|
|
|
|
- .NET: all the packages are now built using Zig, on all platforms. This
|
|
|
|
allows us to easily match Microsoft's requirements, including supported glibc
|
|
|
|
versions. However, on x86_64, targets are expected to support at least the
|
|
|
|
AVX instruction set.
|
|
|
|
- .NET: packages for ARM64 are now available.
|
|
|
|
- C23 `memset_explicit()` is now used, when available.
|
|
|
|
- Compilation now uses `-Ofast` or `-O3` instead of `-O2` by default.
|
|
|
|
- Portability improvements to help compile libsodium to modern game consoles.
|
|
|
|
- JavaScript: a default `unhandledRejection` handler is not set any more.
|
|
|
|
- Slightly faster 25519 operations.
|
|
|
|
- OpenBSD: leverage `MAP_CONCEAL`.
|
2013-08-05 14:19:13 -04:00
|
|
|
|
2019-05-30 10:04:55 -04:00
|
|
|
* Version 1.0.18
|
2019-05-30 18:44:08 -04:00
|
|
|
- Enterprise versions of Visual Studio are now supported.
|
2019-05-30 10:04:55 -04:00
|
|
|
- Visual Studio 2019 is now supported.
|
|
|
|
- 32-bit binaries for Visual Studio 2010 are now provided.
|
2019-05-30 18:44:08 -04:00
|
|
|
- A test designed to trigger an OOM condition didn't work on Linux systems
|
|
|
|
with memory overcommit turned on. It has been removed in order to fix
|
|
|
|
Ansible builds.
|
2019-05-30 10:04:55 -04:00
|
|
|
- Emscripten: `print` and `printErr` functions are overridden to send
|
|
|
|
errors to the console, if there is one.
|
|
|
|
- Emscripten: `UTF8ToString()` is now exported since `Pointer_stringify()`
|
|
|
|
has been deprecated.
|
|
|
|
- Libsodium version detection has been fixed in the CMake recipe.
|
|
|
|
- Generic hashing got a 10% speedup on AVX2.
|
|
|
|
- New target: WebAssembly/WASI (compile with `dist-builds/wasm32-wasi.sh`).
|
|
|
|
- New functions to map a hash to an edwards25519 point or get a random point:
|
|
|
|
`core_ed25519_from_hash()` and `core_ed25519_random()`.
|
2019-05-30 18:44:08 -04:00
|
|
|
- `crypto_core_ed25519_scalar_mul()` has been implemented for
|
|
|
|
`scalar*scalar (mod L)` multiplication.
|
|
|
|
- Support for the Ristretto group has been implemented for interoperability
|
2019-05-30 10:04:55 -04:00
|
|
|
with wasm-crypto.
|
|
|
|
- Improvements have been made to the test suite.
|
2019-05-30 18:44:08 -04:00
|
|
|
- Portability improvements have been made.
|
2019-05-30 10:04:55 -04:00
|
|
|
- `getentropy()` is now used on systems providing this system call.
|
2019-05-30 18:44:08 -04:00
|
|
|
- `randombytes_salsa20` has been renamed to `randombytes_internal`.
|
|
|
|
- Support for NativeClient has been removed.
|
2019-05-30 10:04:55 -04:00
|
|
|
- Most `((nonnull))` attributes have been relaxed to allow 0-length inputs
|
|
|
|
to be `NULL`.
|
|
|
|
- The `-ftree-vectorize` and `-ftree-slp-vectorize` compiler switches are
|
|
|
|
now used, if available, for optimized builds.
|
|
|
|
|
2023-09-17 03:34:52 -04:00
|
|
|
* Version 1.0.17-stable
|
|
|
|
- AVX512 detection has been improved.
|
|
|
|
- A compilation option was added to enable retpoline support.
|
|
|
|
- `-ftls-model=global-dynamic` is now set, if available.
|
|
|
|
- Portability and documentation improvements.
|
|
|
|
|
2018-08-29 08:27:17 -04:00
|
|
|
* Version 1.0.17
|
|
|
|
- Bug fix: `sodium_pad()` didn't properly support block sizes >= 256 bytes.
|
|
|
|
- JS/WebAssembly: some old iOS versions can't instantiate the WebAssembly
|
|
|
|
module; fall back to Javascript on these.
|
|
|
|
- JS/WebAssembly: compatibility with newer Emscripten versions.
|
|
|
|
- Bug fix: `crypto_pwhash_scryptsalsa208sha256_str_verify()` and
|
|
|
|
`crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()` didn't return
|
|
|
|
`EINVAL` on input strings with a short length, unlike their high-level
|
|
|
|
counterpart.
|
|
|
|
- Added a workaround for Visual Studio 2010 bug causing CPU features
|
|
|
|
not to be detected.
|
|
|
|
- Portability improvements.
|
2018-09-06 15:00:32 -04:00
|
|
|
- Test vectors from Project Wycheproof have been added.
|
2018-12-24 10:56:24 -05:00
|
|
|
- New low-level APIs for arithmetic mod the order of the prime order group:
|
|
|
|
`crypto_core_ed25519_scalar_random()`, `crypto_core_ed25519_scalar_reduce()`,
|
2018-12-29 14:20:07 -05:00
|
|
|
`crypto_core_ed25519_scalar_invert()`, `crypto_core_ed25519_scalar_negate()`,
|
|
|
|
`crypto_core_ed25519_scalar_complement()`, `crypto_core_ed25519_scalar_add()`
|
|
|
|
and `crypto_core_ed25519_scalar_sub()`.
|
2018-12-24 10:56:24 -05:00
|
|
|
- New low-level APIs for scalar multiplication without clamping:
|
2019-01-06 12:43:38 -05:00
|
|
|
`crypto_scalarmult_ed25519_base_noclamp()` and
|
|
|
|
`crypto_scalarmult_ed25519_noclamp()`. These new APIs are especially useful
|
|
|
|
for blinding.
|
2018-12-30 04:26:44 -05:00
|
|
|
- `sodium_sub()` has been implemented.
|
2018-12-24 10:56:24 -05:00
|
|
|
- Support for WatchOS has been added.
|
|
|
|
- getrandom(2) is now used on FreeBSD 12+.
|
2018-12-30 06:04:52 -05:00
|
|
|
- The `nonnull` attribute has been added to all relevant prototypes.
|
2019-01-04 06:52:59 -05:00
|
|
|
- More reliable AVX512 detection.
|
2019-01-06 12:43:38 -05:00
|
|
|
- Javascript/Webassembly builds now use dynamic memory growth.
|
2018-08-29 08:27:17 -04:00
|
|
|
|
2017-12-05 17:14:43 -05:00
|
|
|
* Version 1.0.16
|
|
|
|
- Signatures computations and verifications are now way faster on
|
|
|
|
64-bit platforms with compilers supporting 128-bit arithmetic (gcc,
|
2017-12-09 20:09:06 -05:00
|
|
|
clang, icc). This includes the WebAssembly target.
|
2017-12-05 17:14:43 -05:00
|
|
|
- New low-level APIs for computations over edwards25519:
|
|
|
|
`crypto_scalarmult_ed25519()`, `crypto_scalarmult_ed25519_base()`,
|
|
|
|
`crypto_core_ed25519_is_valid_point()`, `crypto_core_ed25519_add()`,
|
|
|
|
`crypto_core_ed25519_sub()` and `crypto_core_ed25519_from_uniform()`
|
|
|
|
(elligator representative to point).
|
2017-12-09 05:01:23 -05:00
|
|
|
- `crypto_sign_open()`, `crypto_sign_verify_detached() and
|
|
|
|
`crypto_sign_edwards25519sha512batch_open` now reject public keys in
|
|
|
|
non-canonical form in addition to low-order points.
|
2017-12-05 17:14:43 -05:00
|
|
|
- The library can be built with `ED25519_NONDETERMINISTIC` defined in
|
|
|
|
order to use synthetic nonces for EdDSA. This is disabled by default.
|
|
|
|
- Webassembly: `crypto_pwhash_*()` functions are now included in
|
|
|
|
non-sumo builds.
|
|
|
|
- `sodium_stackzero()` was added to wipe content off the stack.
|
|
|
|
- Android: support new SDKs where unified headers have become the
|
|
|
|
default.
|
|
|
|
- The Salsa20-based PRNG example is now thread-safe on platforms with
|
|
|
|
support for thread-local storage, optionally mixes bits from RDRAND.
|
|
|
|
- CMAKE: static library detection on Unix systems has been improved
|
|
|
|
(thanks to @BurningEnlightenment, @nibua-r, @mellery451)
|
2017-12-11 17:42:02 -05:00
|
|
|
- Argon2 and scrypt are slightly faster on Linux.
|
2017-12-05 17:14:43 -05:00
|
|
|
|
2017-10-01 07:12:33 -04:00
|
|
|
* Version 1.0.15
|
|
|
|
- The default password hashing algorithm is now Argon2id. The
|
|
|
|
`pwhash_str_verify()` function can still verify Argon2i hashes
|
|
|
|
without any changes, and `pwhash()` can still compute Argon2i hashes
|
|
|
|
as well.
|
|
|
|
- The aes128ctr primitive was removed. It was slow, non-standard, not
|
|
|
|
authenticated, and didn't seem to be used by any opensource project.
|
|
|
|
- Argon2id required at least 3 passes like Argon2i, despite a minimum
|
|
|
|
of `1` as defined by the `OPSLIMIT_MIN` constant. This has been fixed.
|
|
|
|
- The secretstream construction was slightly changed to be consistent
|
|
|
|
with forthcoming variants.
|
|
|
|
- The Javascript and Webassembly versions have been merged, and the
|
|
|
|
module now returns a `.ready` promise that will resolve after the
|
|
|
|
Webassembly code is loaded and compiled.
|
|
|
|
- Note that due to these incompatible changes, the library version
|
|
|
|
major was bumped up.
|
|
|
|
|
2017-08-04 11:42:29 -04:00
|
|
|
* Version 1.0.14
|
|
|
|
- iOS binaries should now be compatible with WatchOS and TVOS.
|
|
|
|
- WebAssembly is now officially supported. Special thanks to
|
|
|
|
@facekapow and @pepyakin who helped to make it happen.
|
|
|
|
- Internal consistency checks failing and primitives used with
|
|
|
|
dangerous/out-of-bounds/invalid parameters used to call abort(3).
|
|
|
|
Now, a custom handler *that doesn't return* can be set with the
|
2017-08-16 14:21:31 -04:00
|
|
|
`set_sodium_misuse()` function. It still aborts by default or if the
|
|
|
|
handler ever returns. This is not a replacement for non-fatal,
|
2017-08-16 14:16:19 -04:00
|
|
|
expected runtime errors. This handler will be only called in
|
|
|
|
unexpected situations due to potential bugs in the library or in
|
|
|
|
language bindings.
|
2017-08-04 11:42:29 -04:00
|
|
|
- `*_MESSAGEBYTES_MAX` macros (and the corresponding
|
|
|
|
`_messagebytes_max()` symbols) have been added to represent the
|
|
|
|
maximum message size that can be safely handled by a primitive.
|
2017-08-16 14:21:31 -04:00
|
|
|
Language bindings are encouraged to check user inputs against these
|
|
|
|
maximum lengths.
|
2017-08-04 11:42:29 -04:00
|
|
|
- The test suite has been extended to cover more edge cases.
|
|
|
|
- crypto_sign_ed25519_pk_to_curve25519() now rejects points that are
|
|
|
|
not on the curve, or not in the main subgroup.
|
2017-09-21 14:39:38 -04:00
|
|
|
- Further changes have been made to ensure that smart compilers will
|
|
|
|
not optimize out code that we don't want to be optimized.
|
2017-08-04 11:42:29 -04:00
|
|
|
- Visual Studio solutions are now included in distribution tarballs.
|
|
|
|
- The `sodium_runtime_has_*` symbols for CPU features detection are
|
|
|
|
now defined as weak symbols, i.e. they can be replaced with an
|
2017-09-21 14:39:38 -04:00
|
|
|
application-defined implementation. This can be useful to disable
|
2017-08-04 11:42:29 -04:00
|
|
|
AVX* when temperature/power consumption is a concern.
|
|
|
|
- `crypto_kx_*()` now aborts if called with no non-NULL pointers to
|
|
|
|
store keys to.
|
|
|
|
- SSE2 implementations of `crypto_verify_*()` have been added.
|
2017-08-05 14:58:11 -04:00
|
|
|
- Passwords can be hashed using a specific algorithm with the new
|
|
|
|
`crypto_pwhash_str_alg()` function.
|
2017-08-09 16:27:49 -04:00
|
|
|
- Due to popular demand, base64 encoding (`sodium_bin2base64()`) and
|
|
|
|
decoding (`sodium_base642bin()`) have been implemented.
|
2017-08-17 08:08:11 -04:00
|
|
|
- A new `crypto_secretstream_*()` API was added to safely encrypt files
|
2017-08-16 14:21:31 -04:00
|
|
|
and multi-part messages.
|
2017-08-17 08:08:11 -04:00
|
|
|
- The `sodium_pad()` and `sodium_unpad()` helper functions have been
|
|
|
|
added in order to add & remove padding.
|
2017-09-15 09:01:33 -04:00
|
|
|
- An AVX512 optimized implementation of Argon2 has been added (written
|
|
|
|
by Ondrej Mosnáček, thanks!)
|
|
|
|
- The `crypto_pwhash_str_needs_rehash()` function was added to check if
|
|
|
|
a password hash string matches the given parameters, or if it needs an
|
|
|
|
update.
|
2017-09-17 06:02:20 -04:00
|
|
|
- The library can now be compiled with recent versions of
|
|
|
|
emscripten/binaryen that don't allow multiple variables declarations
|
|
|
|
using a single `var` statement.
|
2017-08-04 11:42:29 -04:00
|
|
|
|
2017-03-28 06:46:51 -04:00
|
|
|
* Version 1.0.13
|
|
|
|
- Javascript: the sumo builds now include all symbols. They were
|
|
|
|
previously limited to symbols defined in minimal builds.
|
|
|
|
- The public `crypto_pwhash_argon2i_MEMLIMIT_MAX` constant was
|
|
|
|
incorrectly defined on 32-bit platforms. This has been fixed.
|
|
|
|
- Version 1.0.12 didn't compile on OpenBSD/i386 using the base gcc
|
|
|
|
compiler. This has been fixed.
|
|
|
|
- The Android compilation scripts have been updated for NDK r14b.
|
2017-04-07 10:44:12 -04:00
|
|
|
- armv7s-optimized code was re-added to iOS builds.
|
2017-07-11 10:32:12 -04:00
|
|
|
- An AVX2 optimized implementation of the Argon2 round function was
|
|
|
|
added.
|
2017-06-27 10:39:15 -04:00
|
|
|
- The Argon2id variant of Argon2 has been implemented. The
|
|
|
|
high-level `crypto_pwhash_str_verify()` function automatically detects
|
|
|
|
the algorithm and can verify both Argon2i and Argon2id hashed passwords.
|
|
|
|
The default algorithm for newly hashed passwords remains Argon2i in
|
|
|
|
this version to avoid breaking compatibility with verifiers running
|
|
|
|
libsodium <= 1.0.12.
|
2017-07-06 09:19:13 -04:00
|
|
|
- A `crypto_box_curve25519xchacha20poly1305_seal*()` function set was
|
|
|
|
implemented.
|
2017-07-11 16:08:42 -04:00
|
|
|
- scrypt was removed from minimal builds.
|
2017-07-13 18:23:18 -04:00
|
|
|
- libsodium is now available on NuGet.
|
2017-03-28 06:46:51 -04:00
|
|
|
|
2017-03-03 06:14:54 -05:00
|
|
|
* Version 1.0.12
|
2017-03-05 08:45:13 -05:00
|
|
|
- Ed25519ph was implemented, adding a multi-part signature API
|
2017-03-05 08:45:56 -05:00
|
|
|
(`crypto_sign_init()`, `crypto_sign_update()`, `crypto_sign_final_*()`).
|
2017-03-03 06:14:54 -05:00
|
|
|
- New constants and related accessors have been added for Scrypt and
|
|
|
|
Argon2.
|
|
|
|
- XChaCha20 has been implemented. Like XSalsa20, this construction
|
|
|
|
extends the ChaCha20 cipher to accept a 192-bit nonce. This makes it safe
|
|
|
|
to use ChaCha20 with random nonces.
|
|
|
|
- `crypto_secretbox`, `crypto_box` and `crypto_aead` now offer
|
|
|
|
variants leveraging XChaCha20.
|
|
|
|
- SHA-2 is about 20% faster, which also gives a speed boost to
|
|
|
|
signature and signature verification.
|
|
|
|
- AVX2 implementations of Salsa20 and ChaCha20 have been added. They
|
|
|
|
are twice as fast as the SSE2 implementations. The speed gain is
|
|
|
|
even more significant on Windows, that previously didn't use
|
|
|
|
vectorized implementations.
|
|
|
|
- New high-level API: `crypto_kdf`, to easily derive one or more
|
2017-03-04 03:29:12 -05:00
|
|
|
subkeys from a master key.
|
2017-03-03 06:14:54 -05:00
|
|
|
- Siphash with a 128-bit output has been implemented, and is
|
|
|
|
available as `crypto_shorthash_siphashx_*`.
|
|
|
|
- New `*_keygen()` helpers functions have been added to create secret
|
|
|
|
keys for all constructions. This improves code clarity and can prevent keys
|
|
|
|
from being partially initialized.
|
|
|
|
- A new `randombytes_buf_deterministic()` function was added to
|
|
|
|
deterministically fill a memory region with pseudorandom data. This
|
|
|
|
function can especially be useful to write reproducible tests.
|
2017-03-12 15:41:32 -04:00
|
|
|
- A preliminary `crypto_kx_*()` API was added to compute shared session
|
|
|
|
keys.
|
2017-03-03 06:14:54 -05:00
|
|
|
- AVX2 detection is more reliable.
|
|
|
|
- The pthreads library is not required any more when using MingW.
|
|
|
|
- `contrib/Findsodium.cmake` was added as an example to include
|
|
|
|
libsodium in a project using cmake.
|
|
|
|
- Compatibility with gcc 2.x has been restored.
|
2017-03-06 03:47:09 -05:00
|
|
|
- Minimal builds can be checked using `sodium_library_minimal()`.
|
2017-03-12 12:44:23 -04:00
|
|
|
- The `--enable-opt` compilation switch has become compatible with more
|
|
|
|
platforms.
|
2017-03-10 14:49:21 -05:00
|
|
|
- Android builds are now using clang on platforms where it is
|
|
|
|
available.
|
2017-03-03 06:14:54 -05:00
|
|
|
|
2016-06-29 11:13:11 -04:00
|
|
|
* Version 1.0.11
|
2017-03-03 06:14:54 -05:00
|
|
|
- `sodium_init()` is now thread-safe, and can be safely called multiple
|
2016-06-29 11:13:11 -04:00
|
|
|
times.
|
|
|
|
- Android binaries now properly support 64-bit Android, targeting
|
|
|
|
platform 24, but without breaking compatibility with platforms 16 and
|
|
|
|
21.
|
|
|
|
- Better support for old gcc versions.
|
|
|
|
- On FreeBSD, core dumps are disabled on regions allocated with
|
|
|
|
sodium allocation functions.
|
|
|
|
- AVX2 detection was fixed, resulting in faster Blake2b hashing on
|
|
|
|
platforms where it was not properly detected.
|
|
|
|
- The Sandy2x Curve25519 implementation was not as fast as expected
|
|
|
|
on some platforms. This has been fixed.
|
|
|
|
- The NativeClient target was improved. Most notably, it now supports
|
|
|
|
optimized implementations, and uses pepper_49 by default.
|
|
|
|
- The library can be compiled with recent Emscripten versions.
|
|
|
|
Changes have been made to produce smaller code, and the default heap
|
|
|
|
size was reduced in the standard version.
|
|
|
|
- The code can now be compiled on SLES11 service pack 4.
|
|
|
|
- Decryption functions can now accept a NULL pointer for the output.
|
|
|
|
This checks the MAC without writing the decrypted message.
|
|
|
|
- crypto_generichash_final() now returns -1 if called twice.
|
|
|
|
- Support for Visual Studio 2008 was improved.
|
|
|
|
|
2016-04-04 15:44:00 -04:00
|
|
|
* Version 1.0.10
|
|
|
|
- This release only fixes a compilation issue reported with some older
|
|
|
|
gcc versions. There are no functional changes over the previous release.
|
|
|
|
|
2016-03-23 07:20:40 -04:00
|
|
|
* Version 1.0.9
|
2016-04-02 07:30:22 -04:00
|
|
|
- The Javascript target now includes a `--sumo` option to include all
|
2016-03-23 07:20:40 -04:00
|
|
|
the symbols of the original C library.
|
|
|
|
- A detached API was added to the ChaCha20-Poly1305 and AES256-GCM
|
|
|
|
implementations.
|
|
|
|
- The Argon2i password hashing function was added, and is accessible
|
|
|
|
directly and through a new, high-level `crypto_pwhash` API. The scrypt
|
2016-04-02 07:30:22 -04:00
|
|
|
function remains available as well.
|
2016-03-25 11:32:05 -04:00
|
|
|
- A speed-record AVX2 implementation of BLAKE2b was added (thanks to
|
|
|
|
Samuel Neves).
|
|
|
|
- The library can now be compiled using C++Builder (thanks to @jcolli44)
|
2016-03-23 07:20:40 -04:00
|
|
|
- Countermeasures for Ed25519 signatures malleability have been added
|
|
|
|
to match the irtf-cfrg-eddsa draft (note that malleability is irrelevant to
|
|
|
|
the standard definition of signature security). Signatures with a small-order
|
|
|
|
`R` point are now also rejected.
|
|
|
|
- Some implementations are now slightly faster when using the Clang
|
|
|
|
compiler.
|
|
|
|
- The HChaCha20 core function was implemented (`crypto_core_hchacha20()`).
|
|
|
|
- No-op stubs were added for all AES256-GCM public functions even when
|
|
|
|
compiled on non-Intel platforms.
|
|
|
|
- `crypt_generichash_blake2b_statebytes()` was added.
|
|
|
|
- New macros were added for the IETF variant of the ChaCha20-Poly1305
|
|
|
|
construction.
|
|
|
|
- The library can now be compiled on Minix.
|
|
|
|
- HEASLR is now enabled on MinGW builds.
|
|
|
|
|
2015-12-25 06:23:31 -05:00
|
|
|
* Version 1.0.8
|
2015-12-19 15:26:08 -05:00
|
|
|
- Handle the case where the CPU supports AVX, but we are running
|
|
|
|
on an hypervisor with AVX disabled/not supported.
|
2015-12-25 09:58:54 -05:00
|
|
|
- Faster (2x) scalarmult_base() when using the ref10 implementation.
|
2015-12-19 15:26:08 -05:00
|
|
|
|
2015-12-08 10:58:21 -05:00
|
|
|
* Version 1.0.7
|
2015-11-16 19:19:00 -05:00
|
|
|
- More functions whose return value should be checked have been
|
|
|
|
tagged with `__attribute__ ((warn_unused_result))`: `crypto_box_easy()`,
|
|
|
|
`crypto_box_detached()`, `crypto_box_beforenm()`, `crypto_box()`, and
|
|
|
|
`crypto_scalarmult()`.
|
2015-11-04 17:54:15 -05:00
|
|
|
- Sandy2x, the fastest Curve25519 implementation ever, has been
|
|
|
|
merged in, and is automatically used on CPUs supporting the AVX
|
|
|
|
instructions set.
|
2015-11-15 12:15:05 -05:00
|
|
|
- An SSE2 optimized implementation of Poly1305 was added, and is
|
|
|
|
twice as fast as the portable one.
|
2015-11-25 10:07:36 -05:00
|
|
|
- An SSSE3 optimized implementation of ChaCha20 was added, and is
|
|
|
|
twice as fast as the portable one.
|
2015-12-06 13:55:47 -05:00
|
|
|
- Faster `sodium_increment()` for common nonce sizes.
|
2015-11-16 19:19:00 -05:00
|
|
|
- New helper functions have been added: `sodium_is_zero()` and
|
|
|
|
`sodium_add()`.
|
|
|
|
- `sodium_runtime_has_aesni()` now properly detects the CPU flag when
|
|
|
|
compiled using Visual Studio.
|
2015-11-04 17:54:15 -05:00
|
|
|
|
2015-11-01 16:36:10 -05:00
|
|
|
* Version 1.0.6
|
2015-11-01 12:57:55 -05:00
|
|
|
- Optimized implementations of Blake2 have been added for modern
|
2015-11-02 05:20:59 -05:00
|
|
|
Intel platforms. `crypto_generichash()` is now faster than MD5 and SHA1
|
2015-11-01 12:57:55 -05:00
|
|
|
implementations while being far more secure.
|
|
|
|
- Functions for which the return value should be checked have been
|
|
|
|
tagged with `__attribute__ ((warn_unused_result))`. This will
|
|
|
|
intentionally break code compiled with `-Werror` that didn't bother
|
|
|
|
checking critical return values.
|
|
|
|
- The `crypto_sign_edwards25519sha512batch_*()` functions have been
|
|
|
|
tagged as deprecated.
|
|
|
|
- Undocumented symbols that were exported, but were only useful for
|
|
|
|
internal purposes have been removed or made private:
|
|
|
|
`sodium_runtime_get_cpu_features()`, the implementation-specific
|
|
|
|
`crypto_onetimeauth_poly1305_donna()` symbols,
|
|
|
|
`crypto_onetimeauth_poly1305_set_implementation()`,
|
|
|
|
`crypto_onetimeauth_poly1305_implementation_name()` and
|
|
|
|
`crypto_onetimeauth_pick_best_implementation()`.
|
2015-11-01 16:35:26 -05:00
|
|
|
- `sodium_compare()` now works as documented, and compares numbers
|
2015-11-01 14:31:12 -05:00
|
|
|
in little-endian format instead of behaving like `memcmp()`.
|
2015-11-01 12:57:55 -05:00
|
|
|
- The previous changes should not break actual applications, but to be
|
|
|
|
safe, the library version major was incremented.
|
|
|
|
- `sodium_runtime_has_ssse3()` and `sodium_runtime_has_sse41()` have
|
|
|
|
been added.
|
|
|
|
- The library can now be compiled with the CompCert compiler.
|
|
|
|
|
2015-10-24 13:12:49 -04:00
|
|
|
* Version 1.0.5
|
2015-10-24 16:56:21 -04:00
|
|
|
- Compilation issues on some platforms were fixed: missing alignment
|
2015-10-22 12:37:21 -04:00
|
|
|
directives were added (required at least on RHEL-6/i386), a workaround
|
2015-10-24 10:54:30 -04:00
|
|
|
for a VRP bug on gcc/armv7 was added, and the library can now be compiled
|
|
|
|
with the SunPro compiler.
|
2015-10-20 12:09:00 -04:00
|
|
|
- Javascript target: io.js is not supported any more. Use nodejs.
|
|
|
|
|
2015-10-18 09:00:08 -04:00
|
|
|
* Version 1.0.4
|
2015-10-12 09:12:31 -04:00
|
|
|
- Support for AES256-GCM has been added. This requires
|
|
|
|
a CPU with the aesni and pclmul extensions, and is accessible via the
|
|
|
|
crypto_aead_aes256gcm_*() functions.
|
2015-10-12 08:51:37 -04:00
|
|
|
- The Javascript target doesn't use eval() any more, so that the
|
|
|
|
library can be used in Chrome packaged applications.
|
|
|
|
- QNX and CloudABI are now supported.
|
2015-09-22 16:51:31 -04:00
|
|
|
- Support for NaCl has finally been added.
|
2015-06-01 04:32:53 -04:00
|
|
|
- ChaCha20 with an extended (96 bit) nonce and a 32-bit counter has
|
|
|
|
been implemented as crypto_stream_chacha20_ietf(),
|
|
|
|
crypto_stream_chacha20_ietf_xor() and crypto_stream_chacha20_ietf_xor_ic().
|
|
|
|
An IETF-compatible version of ChaCha20Poly1305 is available as
|
|
|
|
crypto_aead_chacha20poly1305_ietf_npubbytes(),
|
|
|
|
crypto_aead_chacha20poly1305_ietf_encrypt() and
|
|
|
|
crypto_aead_chacha20poly1305_ietf_decrypt().
|
2015-06-22 07:53:35 -04:00
|
|
|
- The sodium_increment() helper function has been added, to increment
|
2015-10-17 15:34:45 -04:00
|
|
|
an arbitrary large number (such as a nonce).
|
|
|
|
- The sodium_compare() helper function has been added, to compare
|
|
|
|
arbitrary large numbers (such as nonces, in order to prevent replay
|
|
|
|
attacks).
|
2015-06-01 04:32:53 -04:00
|
|
|
|
2015-05-09 04:06:33 -04:00
|
|
|
* Version 1.0.3
|
2015-02-10 11:06:06 -05:00
|
|
|
- In addition to sodium_bin2hex(), sodium_hex2bin() is now a
|
|
|
|
constant-time function.
|
2015-02-03 11:26:16 -05:00
|
|
|
- crypto_stream_xsalsa20_ic() has been added.
|
2015-01-26 01:27:12 -05:00
|
|
|
- crypto_generichash_statebytes(), crypto_auth_*_statebytes() and
|
|
|
|
crypto_hash_*_statebytes() have been added in order to retrieve the
|
|
|
|
size of structures keeping states from foreign languages.
|
|
|
|
- The JavaScript target doesn't require /dev/urandom or an external
|
|
|
|
randombytes() implementation any more. Other minor Emscripten-related
|
|
|
|
improvements have been made in order to support libsodium.js
|
|
|
|
- Custom randombytes implementations do not need to provide their own
|
|
|
|
implementation of randombytes_uniform() any more. randombytes_stir()
|
|
|
|
and randombytes_close() can also be NULL pointers if they are not
|
|
|
|
required.
|
2015-03-11 13:24:18 -04:00
|
|
|
- On Linux, getrandom(2) is being used instead of directly accessing
|
|
|
|
/dev/urandom, if the kernel supports this system call.
|
2015-04-17 17:37:51 -04:00
|
|
|
- crypto_box_seal() and crypto_box_seal_open() have been added.
|
2017-03-11 13:52:55 -05:00
|
|
|
- Visual Studio 2015 is now supported.
|
2015-01-26 01:27:12 -05:00
|
|
|
|
2015-01-12 10:27:51 -05:00
|
|
|
* Version 1.0.2
|
|
|
|
- The _easy and _detached APIs now support precalculated keys;
|
|
|
|
crypto_box_easy_afternm(), crypto_box_open_easy_afternm(),
|
|
|
|
crypto_box_detached_afternm() and crypto_box_open_detached_afternm()
|
|
|
|
have been added as an alternative to the NaCl interface.
|
2015-01-15 16:31:50 -05:00
|
|
|
- Memory allocation functions can now be used on operating systems with
|
2015-01-12 10:27:51 -05:00
|
|
|
no memory protection.
|
|
|
|
- crypto_sign_open() and crypto_sign_edwards25519sha512batch_open()
|
|
|
|
now accept a NULL pointer instead of a pointer to the message size, if
|
|
|
|
storing this information is not required.
|
|
|
|
- The close-on-exec flag is now set on the descriptor returned when
|
|
|
|
opening /dev/urandom.
|
|
|
|
- A libsodium-uninstalled.pc file to use pkg-config even when
|
|
|
|
libsodium is not installed, has been added.
|
|
|
|
- The iOS target now includes armv7s and arm64 optimized code, as well
|
|
|
|
as i386 and x86_64 code for the iOS simulator.
|
|
|
|
- sodium_free() can now be called on regions with PROT_NONE protection.
|
|
|
|
- The Javascript tests can run on Ubuntu, where the node binary was
|
2015-01-14 02:20:17 -05:00
|
|
|
renamed nodejs. io.js can also be used instead of node.
|
2015-01-12 10:27:51 -05:00
|
|
|
|
2014-10-19 22:18:17 -04:00
|
|
|
* Version 1.0.1
|
|
|
|
- DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid
|
|
|
|
collisions with similar macros defined by other libraries.
|
|
|
|
- sodium_bin2hex() is now constant-time.
|
2014-11-20 15:21:39 -05:00
|
|
|
- crypto_secretbox_detached() now supports overlapping input and output
|
|
|
|
regions.
|
|
|
|
- NaCl's donna_c64 implementation of curve25519 was reading an extra byte
|
|
|
|
past the end of the buffer containing the base point. This has been
|
|
|
|
fixed.
|
2014-10-19 22:18:17 -04:00
|
|
|
|
2014-09-24 03:18:44 -04:00
|
|
|
* Version 1.0.0
|
|
|
|
- The API and ABI are now stable. New features will be added, but
|
|
|
|
backward-compatibility is guaranteed through all the 1.x.y releases.
|
|
|
|
- crypto_sign() properly works with overlapping regions again. Thanks
|
|
|
|
to @pysiak for reporting this regression introduced in version 0.6.1.
|
|
|
|
- The test suite has been extended.
|
|
|
|
|
2014-09-19 01:47:11 -04:00
|
|
|
* Version 0.7.1 (1.0 RC2)
|
|
|
|
- This is the second release candidate of Sodium 1.0. Minor
|
|
|
|
compilation, readability and portability changes have been made and the
|
|
|
|
test suite was improved, but the API is the same as the previous release
|
|
|
|
candidate.
|
|
|
|
|
2014-08-15 20:16:44 -04:00
|
|
|
* Version 0.7.0 (1.0 RC1)
|
|
|
|
- Allocating memory to store sensitive data can now be done using
|
|
|
|
sodium_malloc() and sodium_allocarray(). These functions add guard
|
|
|
|
pages around the protected data to make it less likely to be
|
|
|
|
accessible in a heartbleed-like scenario. In addition, the protection
|
|
|
|
for memory regions allocated that way can be changed using
|
|
|
|
sodium_mprotect_noaccess(), sodium_mprotect_readonly() and
|
|
|
|
sodium_mprotect_readwrite().
|
|
|
|
- ed25519 keys can be converted to curve25519 keys with
|
|
|
|
crypto_sign_ed25519_pk_to_curve25519() and
|
|
|
|
crypto_sign_ed25519_sk_to_curve25519(). This allows using the same
|
|
|
|
keys for signature and encryption.
|
|
|
|
- The seed and the public key can be extracted from an ed25519 key
|
|
|
|
using crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk().
|
|
|
|
- aes256 was removed. A timing-attack resistant implementation might
|
|
|
|
be added later, but not before version 1.0 is tagged.
|
|
|
|
- The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was
|
|
|
|
removed. Use crypto_pwhash_scryptsalsa208sha256_*.
|
|
|
|
- The compatibility layer for implementation-specific functions was
|
|
|
|
removed.
|
|
|
|
- Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed.
|
|
|
|
- crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains
|
|
|
|
the prefix produced by crypto_pwhash_scryptsalsa208sha256_str()
|
|
|
|
|
2014-07-15 16:59:42 -04:00
|
|
|
* Version 0.6.1
|
|
|
|
- Important bug fix: when crypto_sign_open() was given a signed
|
|
|
|
message too short to even contain a signature, it was putting an
|
|
|
|
unlimited amount of zeros into the target buffer instead of
|
|
|
|
immediately returning -1. The bug was introduced in version 0.5.0.
|
|
|
|
- New API: crypto_sign_detached() and crypto_sign_verify_detached()
|
|
|
|
to produce and verify ed25519 signatures without having to duplicate
|
|
|
|
the message.
|
|
|
|
- New ./configure switch: --enable-minimal, to create a smaller
|
|
|
|
library, with only the functions required for the high-level API.
|
|
|
|
Mainly useful for the JavaScript target and embedded systems.
|
2014-07-15 17:19:37 -04:00
|
|
|
- All the symbols are now exported by the Emscripten build script.
|
2014-07-15 16:59:42 -04:00
|
|
|
- The pkg-config .pc file is now always installed even if the
|
|
|
|
pkg-config tool is not available during the installation.
|
|
|
|
|
2014-06-30 21:34:50 -04:00
|
|
|
* Version 0.6.0
|
2014-07-01 19:35:34 -04:00
|
|
|
- The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_*
|
2014-06-30 21:34:50 -04:00
|
|
|
- The ChaCha20Poly1305 AEAD construction has been implemented, as
|
|
|
|
crypto_aead_chacha20poly1305_*
|
|
|
|
- The _easy API does not require any heap allocations any more and
|
|
|
|
does not have any overhead over the NaCl API. With the password
|
|
|
|
hashing function being an obvious exception, the library doesn't
|
|
|
|
allocate and will not allocate heap memory ever.
|
|
|
|
- crypto_box and crypto_secretbox have a new _detached API to store
|
|
|
|
the authentication tag and the encrypted message separately.
|
2014-05-15 03:13:30 -04:00
|
|
|
- crypto_pwhash_scryptxsalsa208sha256*() functions have been renamed
|
|
|
|
crypto_pwhash_scryptsalsa208sha256*().
|
2014-06-30 21:34:50 -04:00
|
|
|
- The low-level crypto_pwhash_scryptsalsa208sha256_ll() function
|
|
|
|
allows setting individual parameters of the scrypt function.
|
|
|
|
- New macros and functions for recommended crypto_pwhash_* parameters
|
|
|
|
have been added.
|
|
|
|
- Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair()
|
2014-07-01 19:35:34 -04:00
|
|
|
has been introduced to deterministically generate a key pair from a seed.
|
2014-06-30 21:34:50 -04:00
|
|
|
- crypto_onetimeauth() now provides a streaming interface.
|
|
|
|
- crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic()
|
|
|
|
have been added to use a non-zero initial block counter.
|
|
|
|
- On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which
|
|
|
|
doesn't require the Crypt API.
|
2014-07-01 19:35:34 -04:00
|
|
|
- The high bit in curve25519 is masked instead of processing the key as
|
|
|
|
a 256-bit value.
|
2014-06-30 21:34:50 -04:00
|
|
|
- The curve25519 ref implementation was replaced by the latest ref10
|
|
|
|
implementation from Supercop.
|
|
|
|
- sodium_mlock() now prevents memory from being included in coredumps
|
|
|
|
on Linux 3.4+
|
2014-05-15 03:13:30 -04:00
|
|
|
|
2014-05-09 01:36:28 -04:00
|
|
|
* Version 0.5.0
|
|
|
|
- sodium_mlock()/sodium_munlock() have been introduced to lock pages
|
|
|
|
in memory before storing sensitive data, and to zero them before
|
|
|
|
unlocking them.
|
|
|
|
- High-level wrappers for crypto_box and crypto_secretbox
|
|
|
|
(crypto_box_easy and crypto_secretbox_easy) can be used to avoid
|
|
|
|
dealing with the specific memory layout regular functions depend on.
|
2014-05-15 03:01:16 -04:00
|
|
|
- crypto_pwhash_scryptsalsa208sha256* functions have been added
|
2014-05-09 01:36:28 -04:00
|
|
|
to derive a key from a password, and for password storage.
|
|
|
|
- Salsa20 and ed25519 implementations now support overlapping
|
|
|
|
inputs/keys/outputs (changes imported from supercop-20140505).
|
|
|
|
- New build scripts for Visual Studio, Emscripten, different Android
|
|
|
|
architectures and msys2 are available.
|
|
|
|
- The poly1305-53 implementation has been replaced with Floodyberry's
|
|
|
|
poly1305-donna32 and poly1305-donna64 implementations.
|
|
|
|
- sodium_hex2bin() has been added to complement sodium_bin2hex().
|
|
|
|
- On OpenBSD and Bitrig, arc4random() is used instead of reading
|
|
|
|
/dev/urandom.
|
|
|
|
- crypto_auth_hmac_sha512() has been implemented.
|
|
|
|
- sha256 and sha512 now have a streaming interface.
|
|
|
|
- hmacsha256, hmacsha512 and hmacsha512256 now support keys of
|
|
|
|
arbitrary length, and have a streaming interface.
|
|
|
|
- crypto_verify_64() has been implemented.
|
2014-05-12 12:40:18 -04:00
|
|
|
- first-class Visual Studio build system, thanks to @evoskuil
|
2014-05-12 13:49:42 -04:00
|
|
|
- CPU features are now detected at runtime.
|
2014-05-09 01:36:28 -04:00
|
|
|
|
2013-10-22 05:57:27 -04:00
|
|
|
* Version 0.4.5
|
|
|
|
- Restore compatibility with OSX <= 10.6
|
|
|
|
|
2013-10-21 23:54:56 -04:00
|
|
|
* Version 0.4.4
|
|
|
|
- Visual Studio is officially supported (VC 2010 & VC 2013)
|
|
|
|
- mingw64 is now supported
|
|
|
|
- big-endian architectures are now supported as well
|
|
|
|
- The donna_c64 implementation of curve25519_donna_c64 now handles
|
|
|
|
non-canonical points like the ref implementation
|
2013-10-22 01:03:37 -04:00
|
|
|
- Missing scalarmult_curve25519 and stream_salsa20 constants are now exported
|
2013-10-21 23:54:56 -04:00
|
|
|
- A crypto_onetimeauth_poly1305_ref() wrapper has been added
|
|
|
|
|
2013-09-09 01:34:16 -04:00
|
|
|
* Version 0.4.3
|
|
|
|
- crypto_sign_seedbytes() and crypto_sign_SEEDBYTES were added.
|
|
|
|
- crypto_onetimeauth_poly1305_implementation_name() was added.
|
|
|
|
- poly1305-ref has been replaced by a faster implementation,
|
|
|
|
Floodyberry's poly1305-donna-unrolled.
|
|
|
|
- Stackmarkings have been added to assembly code, for Hardened Gentoo.
|
|
|
|
- pkg-config can now be used in order to retrieve compilations flags for
|
|
|
|
using libsodium.
|
|
|
|
- crypto_stream_aes256estream_*() can now deal with unaligned input
|
|
|
|
on platforms that require word alignment.
|
|
|
|
- portability improvements.
|
|
|
|
|
2013-08-05 14:19:13 -04:00
|
|
|
* Version 0.4.2
|
|
|
|
- All NaCl constants are now also exposed as functions.
|
|
|
|
- The Android and iOS cross-compilation script have been improved.
|
|
|
|
- libsodium can now be cross-compiled to Windows from Linux.
|
|
|
|
- libsodium can now be compiled with emscripten.
|
|
|
|
- New convenience function (prototyped in utils.h): sodium_bin2hex().
|
|
|
|
|
|
|
|
* Version 0.4.1
|
|
|
|
- sodium_version_*() functions were not exported in version 0.4. They
|
|
|
|
are now visible as intended.
|
|
|
|
- sodium_init() now calls randombytes_stir().
|
|
|
|
- optimized assembly version of salsa20 is now used on amd64.
|
|
|
|
- further cleanups and enhanced compatibility with non-C99 compilers.
|
|
|
|
|
|
|
|
* Version 0.4
|
|
|
|
- Most constants and operations are now available as actual functions
|
|
|
|
instead of macros, making it easier to use from other languages.
|
|
|
|
- New operation: crypto_generichash, featuring a variable key size, a
|
|
|
|
variable output size, and a streaming API. Currently implemented using
|
|
|
|
Blake2b.
|
|
|
|
- The package can be compiled in a separate directory.
|
|
|
|
- aes128ctr functions are exported.
|
|
|
|
- Optimized versions of curve25519 (curve25519_donna_c64), poly1305
|
|
|
|
(poly1305_53) and ed25519 (ed25519_ref10) are available. Optionally calling
|
|
|
|
sodium_init() once before using the library makes it pick the fastest
|
|
|
|
implementation.
|
|
|
|
- New convenience function: sodium_memzero() in order to securely
|
|
|
|
wipe a memory area.
|
|
|
|
- A whole bunch of cleanups and portability enhancements.
|
|
|
|
- On Windows, a .REF file is generated along with the shared library,
|
|
|
|
for use with Visual Studio. The installation path for these has become
|
|
|
|
$prefix/bin as expected by MingW.
|
|
|
|
|
|
|
|
* Version 0.3
|
|
|
|
- The crypto_shorthash operation has been added, implemented using
|
|
|
|
SipHash-2-4.
|
|
|
|
|
|
|
|
* Version 0.2
|
|
|
|
- crypto_sign_seed_keypair() has been added
|
|
|
|
|
|
|
|
* Version 0.1
|
|
|
|
- Initial release.
|
|
|
|
|