
* Version 1.0.16
 - Signature computations and verifications are now way faster on
64-bit platforms with compilers supporting 128-bit arithmetic (gcc,
clang, icc). This includes the WebAssembly target.
 - New low-level APIs for computations over edwards25519:
`crypto_scalarmult_ed25519()`, `crypto_scalarmult_ed25519_base()`,
`crypto_core_ed25519_is_valid_point()`, `crypto_core_ed25519_add()`,
`crypto_core_ed25519_sub()` and `crypto_core_ed25519_from_uniform()`
(Elligator representative to point).
 - `crypto_sign_open()`, `crypto_sign_verify_detached()` and
`crypto_sign_edwards25519sha512batch_open()` now reject public keys in
non-canonical form in addition to low-order points.
 - The library can be built with `ED25519_NONDETERMINISTIC` defined in
order to use synthetic nonces for EdDSA. This is disabled by default.
 - WebAssembly: `crypto_pwhash_*()` functions are now included in
non-sumo builds.
 - `sodium_stackzero()` was added to wipe content off the stack.
 - Android: support new SDKs where unified headers have become the
default.
 - The Salsa20-based PRNG example is now thread-safe on platforms with
support for thread-local storage, and optionally mixes bits from RDRAND.
 - CMake: static library detection on Unix systems has been improved
(thanks to @BurningEnlightenment, @nibua-r, @mellery451).
 - Argon2 and scrypt are slightly faster on Linux.

* Version 1.0.15
 - The default password hashing algorithm is now Argon2id. The
`crypto_pwhash_str_verify()` function can still verify Argon2i hashes
without any changes, and `crypto_pwhash()` can still compute Argon2i hashes
as well.
 - The aes128ctr primitive was removed. It was slow, non-standard, not
authenticated, and didn't seem to be used by any open source project.
 - Argon2id required at least 3 passes like Argon2i, despite a minimum
of `1` as defined by the `OPSLIMIT_MIN` constant. This has been fixed.
 - The secretstream construction was slightly changed to be consistent
with forthcoming variants.
 - The Javascript and WebAssembly versions have been merged, and the
module now returns a `.ready` promise that will resolve after the
WebAssembly code is loaded and compiled.
 - Note that due to these incompatible changes, the library version
major was bumped up.

* Version 1.0.14
 - iOS binaries should now be compatible with WatchOS and TVOS.
 - WebAssembly is now officially supported. Special thanks to
@facekapow and @pepyakin who helped to make it happen.
 - Internal consistency checks failing and primitives used with
dangerous/out-of-bounds/invalid parameters used to call abort(3).
Now, a custom handler *that doesn't return* can be set with the
`set_sodium_misuse()` function. It still aborts by default or if the
handler ever returns. This is not a replacement for non-fatal,
expected runtime errors. This handler will only be called in
unexpected situations due to potential bugs in the library or in
language bindings.
 - `*_MESSAGEBYTES_MAX` macros (and the corresponding
`_messagebytes_max()` symbols) have been added to represent the
maximum message size that can be safely handled by a primitive.
Language bindings are encouraged to check user inputs against these
maximum lengths.
 - The test suite has been extended to cover more edge cases.
 - crypto_sign_ed25519_pk_to_curve25519() now rejects points that are
not on the curve, or not in the main subgroup.
 - Further changes have been made to ensure that smart compilers will
not optimize out code that we don't want to be optimized.
 - Visual Studio solutions are now included in distribution tarballs.
 - The `sodium_runtime_has_*` symbols for CPU feature detection are
now defined as weak symbols, i.e. they can be replaced with an
application-defined implementation. This can be useful to disable
AVX* when temperature/power consumption is a concern.
 - `crypto_kx_*()` now aborts if called with no non-NULL pointers to
store keys to.
 - SSE2 implementations of `crypto_verify_*()` have been added.
 - Passwords can be hashed using a specific algorithm with the new
`crypto_pwhash_str_alg()` function.
 - Due to popular demand, base64 encoding (`sodium_bin2base64()`) and
decoding (`sodium_base642bin()`) have been implemented.
 - A new `crypto_secretstream_*()` API was added to safely encrypt files
and multi-part messages.
 - The `sodium_pad()` and `sodium_unpad()` helper functions have been
added in order to add & remove padding.
 - An AVX512 optimized implementation of Argon2 has been added (written
by Ondrej Mosnáček, thanks!)
 - The `crypto_pwhash_str_needs_rehash()` function was added to check if
a password hash string matches the given parameters, or if it needs an
update.
 - The library can now be compiled with recent versions of
emscripten/binaryen that don't allow multiple variable declarations
using a single `var` statement.

* Version 1.0.13
 - Javascript: the sumo builds now include all symbols. They were
previously limited to symbols defined in minimal builds.
 - The public `crypto_pwhash_argon2i_MEMLIMIT_MAX` constant was
incorrectly defined on 32-bit platforms. This has been fixed.
 - Version 1.0.12 didn't compile on OpenBSD/i386 using the base gcc
compiler. This has been fixed.
 - The Android compilation scripts have been updated for NDK r14b.
 - armv7s-optimized code was re-added to iOS builds.
 - An AVX2 optimized implementation of the Argon2 round function was
added.
 - The Argon2id variant of Argon2 has been implemented. The
high-level `crypto_pwhash_str_verify()` function automatically detects
the algorithm and can verify both Argon2i and Argon2id hashed passwords.
The default algorithm for newly hashed passwords remains Argon2i in
this version to avoid breaking compatibility with verifiers running
libsodium <= 1.0.12.
 - A `crypto_box_curve25519xchacha20poly1305_seal*()` function set was
implemented.
 - scrypt was removed from minimal builds.
 - libsodium is now available on NuGet.

* Version 1.0.12
 - Ed25519ph was implemented, adding a multi-part signature API
(`crypto_sign_init()`, `crypto_sign_update()`, `crypto_sign_final_*()`).
 - New constants and related accessors have been added for Scrypt and
Argon2.
 - XChaCha20 has been implemented. Like XSalsa20, this construction
extends the ChaCha20 cipher to accept a 192-bit nonce. This makes it safe
to use ChaCha20 with random nonces.
 - `crypto_secretbox`, `crypto_box` and `crypto_aead` now offer
variants leveraging XChaCha20.
 - SHA-2 is about 20% faster, which also gives a speed boost to
signing and signature verification.
 - AVX2 implementations of Salsa20 and ChaCha20 have been added. They
are twice as fast as the SSE2 implementations. The speed gain is
even more significant on Windows, which previously didn't use
vectorized implementations.
 - New high-level API: `crypto_kdf`, to easily derive one or more
subkeys from a master key.
 - SipHash with a 128-bit output has been implemented, and is
available as `crypto_shorthash_siphashx_*`.
 - New `*_keygen()` helper functions have been added to create secret
keys for all constructions. This improves code clarity and can prevent keys
from being partially initialized.
 - A new `randombytes_buf_deterministic()` function was added to
deterministically fill a memory region with pseudorandom data. This
function can especially be useful to write reproducible tests.
 - A preliminary `crypto_kx_*()` API was added to compute shared session
keys.
 - AVX2 detection is more reliable.
 - The pthreads library is not required any more when using MingW.
 - `contrib/Findsodium.cmake` was added as an example to include
libsodium in a project using cmake.
 - Compatibility with gcc 2.x has been restored.
 - Minimal builds can be checked using `sodium_library_minimal()`.
 - The `--enable-opt` compilation switch has become compatible with more
platforms.
 - Android builds are now using clang on platforms where it is
available.

* Version 1.0.11
 - `sodium_init()` is now thread-safe, and can be safely called multiple
times.
 - Android binaries now properly support 64-bit Android, targeting
platform 24, but without breaking compatibility with platforms 16 and
21.
 - Better support for old gcc versions.
 - On FreeBSD, core dumps are disabled on regions allocated with
sodium allocation functions.
 - AVX2 detection was fixed, resulting in faster Blake2b hashing on
platforms where it was not properly detected.
 - The Sandy2x Curve25519 implementation was not as fast as expected
on some platforms. This has been fixed.
 - The NativeClient target was improved. Most notably, it now supports
optimized implementations, and uses pepper_49 by default.
 - The library can be compiled with recent Emscripten versions.
Changes have been made to produce smaller code, and the default heap
size was reduced in the standard version.
 - The code can now be compiled on SLES11 service pack 4.
 - Decryption functions can now accept a NULL pointer for the output.
This checks the MAC without writing the decrypted message.
 - crypto_generichash_final() now returns -1 if called twice.
 - Support for Visual Studio 2008 was improved.

* Version 1.0.10
 - This release only fixes a compilation issue reported with some older
gcc versions. There are no functional changes over the previous release.
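The following is an added example, not libsodium code: a from-scratch implementation of the padding scheme that the 1.0.14 entry above introduces as `sodium_pad()`/`sodium_unpad()`. libsodium documents that scheme as ISO/IEC 7816-4 (one 0x80 byte, then 0x00 bytes up to the next multiple of the block size), which is what is implemented here under the names `pad_iso7816()`/`unpad_iso7816()`. The point a practitioner wants to see is the two edge cases: a message that already fills a block still receives a whole block of padding (otherwise the receiver could not tell padding from data), and unpadding scans the entire last block without an early exit, so that the time it takes does not reveal the plaintext length. The sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Branch-free byte equality: 1 if a == b, else 0. */
static unsigned char ct_eq8(unsigned char a, unsigned char b)
{
    return (unsigned char) (((((unsigned int) (a ^ b)) - 1U) >> 8) & 1U);
}

/* Append ISO/IEC 7816-4 padding in place: one 0x80 byte, then 0x00 bytes up
 * to the next multiple of blocksize. Always adds between 1 and blocksize
 * bytes. Returns 0 and stores the padded length, -1 if the result would not
 * fit in max_len (nothing is written in that case). */
int pad_iso7816(size_t *padded_len, unsigned char *buf, size_t unpadded_len,
                size_t blocksize, size_t max_len)
{
    size_t padlen, total;

    if (blocksize == 0U || unpadded_len > SIZE_MAX - blocksize) {
        return -1;
    }
    padlen = blocksize - (unpadded_len % blocksize);
    total  = unpadded_len + padlen;
    if (total > max_len) {
        return -1;
    }
    buf[unpadded_len] = 0x80;
    memset(buf + unpadded_len + 1U, 0, padlen - 1U);
    *padded_len = total;
    return 0;
}

/* Strip the padding. The whole final block is visited regardless of content,
 * so the running time does not depend on where the 0x80 marker sits.
 * Returns 0 and stores the unpadded length, or -1 if the padding is malformed
 * (length not a multiple of blocksize, no marker in the last block, or a
 * non-zero byte after the marker). */
int unpad_iso7816(size_t *unpadded_len, const unsigned char *buf,
                  size_t padded_len, size_t blocksize)
{
    unsigned char scanning = 1U, found = 0U, valid = 1U;
    size_t        pos = 0U, i;

    if (blocksize == 0U || padded_len < blocksize || padded_len % blocksize != 0U) {
        return -1;
    }
    for (i = 0U; i < blocksize; i++) {
        size_t        idx   = padded_len - 1U - i;
        unsigned char c     = buf[idx];
        unsigned char is_80 = ct_eq8(c, 0x80);
        unsigned char is_00 = ct_eq8(c, 0x00);
        unsigned char hit   = scanning & is_80;
        size_t        mask  = (size_t) 0U - (size_t) hit;

        /* while still scanning, anything other than 0x00 or 0x80 is an error */
        valid &= (unsigned char) ((is_00 | is_80 | (1U ^ scanning)) & 1U);
        found |= hit;
        pos ^= (pos ^ idx) & mask;   /* select idx exactly when hit == 1 */
        scanning &= is_00;           /* stop after the marker or an error */
    }
    if ((valid & found) != 1U) {
        return -1;
    }
    *unpadded_len = pos;
    return 0;
}

/* Pads a scratch buffer and returns the padded length, or 0 on failure. */
size_t padded_len_for(size_t unpadded_len, size_t blocksize)
{
    unsigned char buf[64];
    size_t        out;

    if (unpadded_len > sizeof buf) {
        return 0U;
    }
    memset(buf, 'x', unpadded_len);
    return pad_iso7816(&out, buf, unpadded_len, blocksize, sizeof buf) == 0 ? out : 0U;
}

/* Round trip a constructed message, then feed malformed paddings.
 * Returns 1 if pad/unpad agree and every malformed input is rejected. */
int pad_selftest(void)
{
    unsigned char buf[32];
    size_t        padded, unpadded;

    memcpy(buf, "hello", 5);
    if (pad_iso7816(&padded, buf, 5, 8, sizeof buf) != 0 || padded != 8) return 0;
    if (buf[5] != 0x80 || buf[6] != 0 || buf[7] != 0) return 0;
    if (unpad_iso7816(&unpadded, buf, padded, 8) != 0 || unpadded != 5) return 0;
    /* a full block of input still gets a whole extra block of padding */
    if (pad_iso7816(&padded, buf, 8, 8, sizeof buf) != 0 || padded != 16) return 0;
    if (unpad_iso7816(&unpadded, buf, padded, 8) != 0 || unpadded != 8) return 0;
    /* max_len too small: refuse instead of writing past the buffer */
    if (pad_iso7816(&padded, buf, 8, 8, 8) != -1) return 0;
    memset(buf, 0, 8);                                   /* no marker at all */
    if (unpad_iso7816(&unpadded, buf, 8, 8) != -1) return 0;
    memcpy(buf, "\x01\x02\x03\x04\x05\x80\x07\x00", 8);  /* junk after marker */
    if (unpad_iso7816(&unpadded, buf, 8, 8) != -1) return 0;
    if (unpad_iso7816(&unpadded, buf, 7, 8) != -1) return 0; /* not block aligned */
    return 1;
}

int main(void)
{
    printf("selftest: %d, 5 bytes -> %zu, 8 bytes -> %zu\n",
           pad_selftest(), padded_len_for(5, 8), padded_len_for(8, 8));
    return 0;
}
```

Padding is applied before encryption and removed after authenticated decryption; with an AEAD the unpad result can never be an oracle for an attacker because a forged ciphertext is rejected before unpadding runs, but keeping the scan constant-time still avoids leaking the real length of a legitimate message through timing.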

* Version 1.0.9
 - The Javascript target now includes a `--sumo` option to include all
the symbols of the original C library.
 - A detached API was added to the ChaCha20-Poly1305 and AES256-GCM
implementations.
 - The Argon2i password hashing function was added, and is accessible
directly and through a new, high-level `crypto_pwhash` API. The scrypt
function remains available as well.
 - A speed-record AVX2 implementation of BLAKE2b was added (thanks to
Samuel Neves).
 - The library can now be compiled using C++Builder (thanks to @jcolli44).
 - Countermeasures for Ed25519 signature malleability have been added
to match the irtf-cfrg-eddsa draft (note that malleability is irrelevant to
the standard definition of signature security). Signatures with a small-order
`R` point are now also rejected.
 - Some implementations are now slightly faster when using the Clang
compiler.
 - The HChaCha20 core function was implemented (`crypto_core_hchacha20()`).
 - No-op stubs were added for all AES256-GCM public functions even when
compiled on non-Intel platforms.
 - `crypto_generichash_blake2b_statebytes()` was added.
 - New macros were added for the IETF variant of the ChaCha20-Poly1305
construction.
 - The library can now be compiled on Minix.
 - HEASLR (high-entropy ASLR) is now enabled on MinGW builds.

* Version 1.0.8
 - Handle the case where the CPU supports AVX, but we are running
on a hypervisor with AVX disabled/not supported.
 - Faster (2x) scalarmult_base() when using the ref10 implementation.

* Version 1.0.7
 - More functions whose return value should be checked have been
tagged with `__attribute__ ((warn_unused_result))`: `crypto_box_easy()`,
`crypto_box_detached()`, `crypto_box_beforenm()`, `crypto_box()`, and
`crypto_scalarmult()`.
 - Sandy2x, the fastest Curve25519 implementation ever, has been
merged in, and is automatically used on CPUs supporting the AVX
instruction set.
 - An SSE2 optimized implementation of Poly1305 was added, and is
twice as fast as the portable one.
 - An SSSE3 optimized implementation of ChaCha20 was added, and is
twice as fast as the portable one.
 - Faster `sodium_increment()` for common nonce sizes.
 - New helper functions have been added: `sodium_is_zero()` and
`sodium_add()`.
 - `sodium_runtime_has_aesni()` now properly detects the CPU flag when
compiled using Visual Studio.

* Version 1.0.6
 - Optimized implementations of Blake2 have been added for modern
Intel platforms. `crypto_generichash()` is now faster than MD5 and SHA1
implementations while being far more secure.
 - Functions for which the return value should be checked have been
tagged with `__attribute__ ((warn_unused_result))`. This will
intentionally break code compiled with `-Werror` that didn't bother
checking critical return values.
 - The `crypto_sign_edwards25519sha512batch_*()` functions have been
tagged as deprecated.
 - Undocumented symbols that were exported, but were only useful for
internal purposes have been removed or made private:
`sodium_runtime_get_cpu_features()`, the implementation-specific
`crypto_onetimeauth_poly1305_donna()` symbols,
`crypto_onetimeauth_poly1305_set_implementation()`,
`crypto_onetimeauth_poly1305_implementation_name()` and
`crypto_onetimeauth_pick_best_implementation()`.
 - `sodium_compare()` now works as documented, and compares numbers
in little-endian format instead of behaving like `memcmp()`.
 - The previous changes should not break actual applications, but to be
safe, the library version major was incremented.
 - `sodium_runtime_has_ssse3()` and `sodium_runtime_has_sse41()` have
been added.
 - The library can now be compiled with the CompCert compiler.

* Version 1.0.5
 - Compilation issues on some platforms were fixed: missing alignment
directives were added (required at least on RHEL-6/i386), a workaround
for a VRP bug on gcc/armv7 was added, and the library can now be compiled
with the SunPro compiler.
 - Javascript target: io.js is not supported any more. Use nodejs.

* Version 1.0.4
 - Support for AES256-GCM has been added. This requires
a CPU with the aesni and pclmul extensions, and is accessible via the
crypto_aead_aes256gcm_*() functions.
 - The Javascript target doesn't use eval() any more, so that the
library can be used in Chrome packaged applications.
 - QNX and CloudABI are now supported.
 - Support for NaCl (Google Native Client) has finally been added.
 - ChaCha20 with an extended (96-bit) nonce and a 32-bit counter has
been implemented as crypto_stream_chacha20_ietf(),
crypto_stream_chacha20_ietf_xor() and crypto_stream_chacha20_ietf_xor_ic().
An IETF-compatible version of ChaCha20Poly1305 is available as
crypto_aead_chacha20poly1305_ietf_npubbytes(),
crypto_aead_chacha20poly1305_ietf_encrypt() and
crypto_aead_chacha20poly1305_ietf_decrypt().
 - The sodium_increment() helper function has been added, to increment
an arbitrarily large number (such as a nonce).
 - The sodium_compare() helper function has been added, to compare
arbitrarily large numbers (such as nonces, in order to prevent replay
attacks).

* Version 1.0.3
 - In addition to sodium_bin2hex(), sodium_hex2bin() is now a
constant-time function.
 - crypto_stream_xsalsa20_ic() has been added.
 - crypto_generichash_statebytes(), crypto_auth_*_statebytes() and
crypto_hash_*_statebytes() have been added in order to retrieve the
size of structures keeping states from foreign languages.
 - The JavaScript target doesn't require /dev/urandom or an external
randombytes() implementation any more. Other minor Emscripten-related
improvements have been made in order to support libsodium.js.
 - Custom randombytes implementations do not need to provide their own
implementation of randombytes_uniform() any more. randombytes_stir()
and randombytes_close() can also be NULL pointers if they are not
required.
 - On Linux, getrandom(2) is being used instead of directly accessing
/dev/urandom, if the kernel supports this system call.
 - crypto_box_seal() and crypto_box_seal_open() have been added.
 - Visual Studio 2015 is now supported.

* Version 1.0.2
 - The _easy and _detached APIs now support precalculated keys;
crypto_box_easy_afternm(), crypto_box_open_easy_afternm(),
crypto_box_detached_afternm() and crypto_box_open_detached_afternm()
have been added as an alternative to the NaCl interface.
 - Memory allocation functions can now be used on operating systems with
no memory protection.
 - crypto_sign_open() and crypto_sign_edwards25519sha512batch_open()
now accept a NULL pointer instead of a pointer to the message size, if
storing this information is not required.
 - The close-on-exec flag is now set on the descriptor returned when
opening /dev/urandom.
 - A libsodium-uninstalled.pc file, to use pkg-config even when
libsodium is not installed, has been added.
 - The iOS target now includes armv7s and arm64 optimized code, as well
as i386 and x86_64 code for the iOS simulator.
 - sodium_free() can now be called on regions with PROT_NONE protection.
 - The Javascript tests can run on Ubuntu, where the node binary was
renamed nodejs. io.js can also be used instead of node.

* Version 1.0.1
 - DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid
collisions with similar macros defined by other libraries.
 - sodium_bin2hex() is now constant-time.
 - crypto_secretbox_detached() now supports overlapping input and output
regions.
 - NaCl's donna_c64 implementation of curve25519 was reading an extra byte
past the end of the buffer containing the base point. This has been
fixed.

* Version 1.0.0
 - The API and ABI are now stable. New features will be added, but
backward-compatibility is guaranteed through all the 1.x.y releases.
 - crypto_sign() properly works with overlapping regions again. Thanks
to @pysiak for reporting this regression introduced in version 0.6.1.
 - The test suite has been extended.
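The following is an added example, not libsodium code, for the two nonce helpers described in the 1.0.4 entry (`sodium_increment()` and `sodium_compare()`) and the 1.0.6 fix that made `sodium_compare()` order numbers little-endian rather than like `memcmp()`. It reimplements both under the names `le_increment()`/`le_compare()` so that it runs without libsodium, then builds the replay check the 1.0.4 entry alludes to: a receiver that only accepts a message whose nonce is strictly greater than the last one it saw. Both helpers avoid value-dependent branches and memory accesses, which matters when the compared values are derived from secrets. The nonce sequence in `replay_selftest()` is constructed for the example; the filter assumes a sender that starts its counter at 1 and delivers in order (a reordering transport would need a sliding window, which this example does not implement).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 24 /* crypto_box / crypto_secretbox nonce size */

/* n += 1 as a little-endian number. The carry is propagated through every
 * byte on every call, so the running time does not depend on the value. */
void le_increment(unsigned char *n, size_t len)
{
    uint_fast16_t c = 1U;
    size_t        i;

    for (i = 0U; i < len; i++) {
        c += (uint_fast16_t) n[i];
        n[i] = (unsigned char) c;
        c >>= 8;
    }
}

/* Three-way compare of two little-endian numbers of equal length without
 * data-dependent branches: -1 if a < b, 0 if a == b, 1 if a > b.
 * memcmp() would instead decide on byte 0, the least significant end. */
int le_compare(const unsigned char *a, const unsigned char *b, size_t len)
{
    unsigned char gt = 0U, eq = 1U;
    size_t        i  = len;

    while (i != 0U) {
        i--;
        /* at the most significant byte that differs, remember which side is larger */
        gt |= (unsigned char) ((((unsigned) b[i] - (unsigned) a[i]) >> 8) & eq);
        eq &= (unsigned char) ((((unsigned) (b[i] ^ a[i])) - 1U) >> 8);
    }
    return (int) (gt + gt + eq) - 1;
}

/* Replay filter for a channel whose nonces form a strictly increasing counter. */
struct replay_filter {
    unsigned char last_seen[NONCE_LEN];
};

void replay_filter_init(struct replay_filter *f)
{
    memset(f->last_seen, 0, sizeof f->last_seen);
}

/* Returns 1 and advances the filter if nonce is fresh, 0 if it is a replay
 * or older than what has already been accepted. */
int replay_filter_accept(struct replay_filter *f, const unsigned char nonce[NONCE_LEN])
{
    if (le_compare(nonce, f->last_seen, NONCE_LEN) <= 0) {
        return 0;
    }
    memcpy(f->last_seen, nonce, NONCE_LEN);
    return 1;
}

/* Encode x little-endian into the low bytes of a zeroed len-byte buffer. */
static void put_u64_le(unsigned char *buf, size_t len, uint64_t x)
{
    size_t i;

    memset(buf, 0, len);
    for (i = 0U; i < 8U && i < len; i++) {
        buf[i] = (unsigned char) (x >> (8U * i));
    }
}

static uint64_t get_u64_le(const unsigned char *buf, size_t len)
{
    uint64_t x = 0U;
    size_t   i;

    for (i = 0U; i < 8U && i < len; i++) {
        x |= (uint64_t) buf[i] << (8U * i);
    }
    return x;
}

/* Compare x and y as len-byte little-endian numbers (len <= NONCE_LEN). */
int compare_u64_as_le(uint64_t x, uint64_t y, size_t len)
{
    unsigned char a[NONCE_LEN], b[NONCE_LEN];

    if (len == 0U || len > NONCE_LEN) return 2;
    put_u64_le(a, len, x);
    put_u64_le(b, len, y);
    return le_compare(a, b, len);
}

/* Increment x as a len-byte little-endian number and decode the low 64 bits;
 * with len == 8 the counter wraps to zero like any fixed-width integer. */
uint64_t increment_u64_via_le(uint64_t x, size_t len)
{
    unsigned char buf[NONCE_LEN];

    if (len == 0U || len > NONCE_LEN) return 0U;
    put_u64_le(buf, len, x);
    le_increment(buf, len);
    return get_u64_le(buf, len);
}

/* Constructed sequence: nonce 1, 1 again (replay), 2, then 1 (stale), then a
 * nonce with only its most significant byte set, which memcmp() would rank
 * below 2 but which is numerically 2^184 and must be accepted. */
int replay_selftest(void)
{
    struct replay_filter f;
    unsigned char        n[NONCE_LEN], big[NONCE_LEN];

    replay_filter_init(&f);
    memset(n, 0, sizeof n);
    le_increment(n, sizeof n);                               /* n = 1 */
    if (replay_filter_accept(&f, n) != 1) return 0;
    if (replay_filter_accept(&f, n) != 0) return 0;          /* replayed */
    le_increment(n, sizeof n);                               /* n = 2 */
    if (replay_filter_accept(&f, n) != 1) return 0;
    n[0] = 1;                                                /* back to 1: stale */
    if (replay_filter_accept(&f, n) != 0) return 0;
    memset(big, 0, sizeof big);
    big[NONCE_LEN - 1] = 1;
    if (memcmp(big, f.last_seen, NONCE_LEN) >= 0) return 0;  /* memcmp: "smaller" */
    return replay_filter_accept(&f, big) == 1;               /* numerically: larger */
}

int main(void)
{
    printf("replay selftest: %d\n", replay_selftest());
    printf("255 vs 256 (24-byte LE): %d\n", compare_u64_as_le(255, 256, 24));
    printf("UINT64_MAX + 1 in 8 bytes: %llu\n",
           (unsigned long long) increment_u64_via_le(UINT64_MAX, 8));
    return 0;
}
```

The memcmp()-versus-numeric distinction in `replay_selftest()` is the bug that 1.0.6 fixed: a filter that compares nonces with `memcmp()` would reject a legitimate message whose counter has carried into a higher byte, and accept a replay once the low byte happens to be larger.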
3370ac341f1SConrad Meyer 3380ac341f1SConrad Meyer* Version 0.7.1 (1.0 RC2) 3390ac341f1SConrad Meyer - This is the second release candidate of Sodium 1.0. Minor 3400ac341f1SConrad Meyercompilation, readability and portability changes have been made and the 3410ac341f1SConrad Meyertest suite was improved, but the API is the same as the previous release 3420ac341f1SConrad Meyercandidate. 3430ac341f1SConrad Meyer 3440ac341f1SConrad Meyer* Version 0.7.0 (1.0 RC1) 3450ac341f1SConrad Meyer - Allocating memory to store sensitive data can now be done using 3460ac341f1SConrad Meyersodium_malloc() and sodium_allocarray(). These functions add guard 3470ac341f1SConrad Meyerpages around the protected data to make it less likely to be 3480ac341f1SConrad Meyeraccessible in a heartbleed-like scenario. In addition, the protection 3490ac341f1SConrad Meyerfor memory regions allocated that way can be changed using 3500ac341f1SConrad Meyersodium_mprotect_noaccess(), sodium_mprotect_readonly() and 3510ac341f1SConrad Meyersodium_mprotect_readwrite(). 3520ac341f1SConrad Meyer - ed25519 keys can be converted to curve25519 keys with 3530ac341f1SConrad Meyercrypto_sign_ed25519_pk_to_curve25519() and 3540ac341f1SConrad Meyercrypto_sign_ed25519_sk_to_curve25519(). This allows using the same 3550ac341f1SConrad Meyerkeys for signature and encryption. 3560ac341f1SConrad Meyer - The seed and the public key can be extracted from an ed25519 key 3570ac341f1SConrad Meyerusing crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk(). 3580ac341f1SConrad Meyer - aes256 was removed. A timing-attack resistant implementation might 3590ac341f1SConrad Meyerbe added later, but not before version 1.0 is tagged. 3600ac341f1SConrad Meyer - The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was 3610ac341f1SConrad Meyerremoved. Use crypto_pwhash_scryptsalsa208sha256_*. 3620ac341f1SConrad Meyer - The compatibility layer for implementation-specific functions was 3630ac341f1SConrad Meyerremoved. 
3640ac341f1SConrad Meyer - Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed. 3650ac341f1SConrad Meyer - crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains 3660ac341f1SConrad Meyerthe prefix produced by crypto_pwhash_scryptsalsa208sha256_str() 3670ac341f1SConrad Meyer 3680ac341f1SConrad Meyer* Version 0.6.1 3690ac341f1SConrad Meyer - Important bug fix: when crypto_sign_open() was given a signed 3700ac341f1SConrad Meyermessage too short to even contain a signature, it was putting an 3710ac341f1SConrad Meyerunlimited amount of zeros into the target buffer instead of 3720ac341f1SConrad Meyerimmediately returning -1. The bug was introduced in version 0.5.0. 3730ac341f1SConrad Meyer - New API: crypto_sign_detached() and crypto_sign_verify_detached() 3740ac341f1SConrad Meyerto produce and verify ed25519 signatures without having to duplicate 3750ac341f1SConrad Meyerthe message. 3760ac341f1SConrad Meyer - New ./configure switch: --enable-minimal, to create a smaller 3770ac341f1SConrad Meyerlibrary, with only the functions required for the high-level API. 3780ac341f1SConrad MeyerMainly useful for the JavaScript target and embedded systems. 3790ac341f1SConrad Meyer - All the symbols are now exported by the Emscripten build script. 3800ac341f1SConrad Meyer - The pkg-config .pc file is now always installed even if the 3810ac341f1SConrad Meyerpkg-config tool is not available during the installation. 3820ac341f1SConrad Meyer 3830ac341f1SConrad Meyer* Version 0.6.0 3840ac341f1SConrad Meyer - The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_* 3850ac341f1SConrad Meyer - The ChaCha20Poly1305 AEAD construction has been implemented, as 3860ac341f1SConrad Meyercrypto_aead_chacha20poly1305_* 3870ac341f1SConrad Meyer - The _easy API does not require any heap allocations any more and 3880ac341f1SConrad Meyerdoes not have any overhead over the NaCl API. 
With the password 3890ac341f1SConrad Meyerhashing function being an obvious exception, the library doesn't 3900ac341f1SConrad Meyerallocate and will not allocate heap memory ever. 3910ac341f1SConrad Meyer - crypto_box and crypto_secretbox have a new _detached API to store 3920ac341f1SConrad Meyerthe authentication tag and the encrypted message separately. 3930ac341f1SConrad Meyer - crypto_pwhash_scryptxsalsa208sha256*() functions have been renamed 3940ac341f1SConrad Meyercrypto_pwhash_scryptsalsa208sha256*(). 3950ac341f1SConrad Meyer - The low-level crypto_pwhash_scryptsalsa208sha256_ll() function 3960ac341f1SConrad Meyerallows setting individual parameters of the scrypt function. 3970ac341f1SConrad Meyer - New macros and functions for recommended crypto_pwhash_* parameters 3980ac341f1SConrad Meyerhave been added. 3990ac341f1SConrad Meyer - Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair() 4000ac341f1SConrad Meyerhas been introduced to deterministically generate a key pair from a seed. 4010ac341f1SConrad Meyer - crypto_onetimeauth() now provides a streaming interface. 4020ac341f1SConrad Meyer - crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic() 4030ac341f1SConrad Meyerhave been added to use a non-zero initial block counter. 4040ac341f1SConrad Meyer - On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which 4050ac341f1SConrad Meyerdoesn't require the Crypt API. 4060ac341f1SConrad Meyer - The high bit in curve25519 is masked instead of processing the key as 4070ac341f1SConrad Meyera 256-bit value. 4080ac341f1SConrad Meyer - The curve25519 ref implementation was replaced by the latest ref10 4090ac341f1SConrad Meyerimplementation from Supercop. 
4100ac341f1SConrad Meyer - sodium_mlock() now prevents memory from being included in coredumps 4110ac341f1SConrad Meyeron Linux 3.4+ 4120ac341f1SConrad Meyer 4130ac341f1SConrad Meyer* Version 0.5.0 4140ac341f1SConrad Meyer - sodium_mlock()/sodium_munlock() have been introduced to lock pages 4150ac341f1SConrad Meyerin memory before storing sensitive data, and to zero them before 4160ac341f1SConrad Meyerunlocking them. 4170ac341f1SConrad Meyer - High-level wrappers for crypto_box and crypto_secretbox 4180ac341f1SConrad Meyer(crypto_box_easy and crypto_secretbox_easy) can be used to avoid 4190ac341f1SConrad Meyerdealing with the specific memory layout regular functions depend on. 4200ac341f1SConrad Meyer - crypto_pwhash_scryptsalsa208sha256* functions have been added 4210ac341f1SConrad Meyerto derive a key from a password, and for password storage. 4220ac341f1SConrad Meyer - Salsa20 and ed25519 implementations now support overlapping 4230ac341f1SConrad Meyerinputs/keys/outputs (changes imported from supercop-20140505). 4240ac341f1SConrad Meyer - New build scripts for Visual Studio, Emscripten, different Android 4250ac341f1SConrad Meyerarchitectures and msys2 are available. 4260ac341f1SConrad Meyer - The poly1305-53 implementation has been replaced with Floodyberry's 4270ac341f1SConrad Meyerpoly1305-donna32 and poly1305-donna64 implementations. 4280ac341f1SConrad Meyer - sodium_hex2bin() has been added to complement sodium_bin2hex(). 4290ac341f1SConrad Meyer - On OpenBSD and Bitrig, arc4random() is used instead of reading 4300ac341f1SConrad Meyer/dev/urandom. 4310ac341f1SConrad Meyer - crypto_auth_hmac_sha512() has been implemented. 4320ac341f1SConrad Meyer - sha256 and sha512 now have a streaming interface. 4330ac341f1SConrad Meyer - hmacsha256, hmacsha512 and hmacsha512256 now support keys of 4340ac341f1SConrad Meyerarbitrary length, and have a streaming interface. 4350ac341f1SConrad Meyer - crypto_verify_64() has been implemented. 
 - A first-class Visual Studio build system, thanks to @evoskuil.
 - CPU features are now detected at runtime.

* Version 0.4.5
 - Restore compatibility with OSX <= 10.6.

* Version 0.4.4
 - Visual Studio is officially supported (VC 2010 & VC 2013).
 - mingw64 is now supported.
 - big-endian architectures are now supported as well.
 - The curve25519_donna_c64 implementation now handles
non-canonical points like the ref implementation.
 - Missing scalarmult_curve25519 and stream_salsa20 constants are now exported.
 - A crypto_onetimeauth_poly1305_ref() wrapper has been added.

* Version 0.4.3
 - crypto_sign_seedbytes() and crypto_sign_SEEDBYTES were added.
 - crypto_onetimeauth_poly1305_implementation_name() was added.
 - poly1305-ref has been replaced by a faster implementation,
Floodyberry's poly1305-donna-unrolled.
 - Stack markings have been added to assembly code, for Hardened Gentoo.
 - pkg-config can now be used in order to retrieve compilation flags for
using libsodium.
 - crypto_stream_aes256estream_*() can now deal with unaligned input
on platforms that require word alignment.
 - Portability improvements.

* Version 0.4.2
 - All NaCl constants are now also exposed as functions.
 - The Android and iOS cross-compilation scripts have been improved.
 - libsodium can now be cross-compiled to Windows from Linux.
 - libsodium can now be compiled with emscripten.
 - New convenience function (prototyped in utils.h): sodium_bin2hex().

* Version 0.4.1
 - sodium_version_*() functions were not exported in version 0.4. They
are now visible as intended.
 - sodium_init() now calls randombytes_stir().
 - An optimized assembly version of salsa20 is now used on amd64.
 - Further cleanups and enhanced compatibility with non-C99 compilers.

* Version 0.4
 - Most constants and operations are now available as actual functions
instead of macros, making it easier to use from other languages.
 - New operation: crypto_generichash, featuring a variable key size, a
variable output size, and a streaming API. Currently implemented using
Blake2b.
 - The package can be compiled in a separate directory.
 - aes128ctr functions are exported.
 - Optimized versions of curve25519 (curve25519_donna_c64), poly1305
(poly1305_53) and ed25519 (ed25519_ref10) are available. Optionally calling
sodium_init() once before using the library makes it pick the fastest
implementation.
 - New convenience function: sodium_memzero() in order to securely
wipe a memory area.
 - A whole bunch of cleanups and portability enhancements.
 - On Windows, a .REF file is generated along with the shared library,
for use with Visual Studio. The installation path for these has become
$prefix/bin as expected by MingW.

* Version 0.3
 - The crypto_shorthash operation has been added, implemented using
SipHash-2-4.

* Version 0.2
 - crypto_sign_seed_keypair() has been added.

* Version 0.1
 - Initial release.
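As an added illustration of two entries above (crypto_verify_64() from 0.5.0 and sodium_memzero() from 0.4), the C below is an editor's re-implementation of the documented behaviour, not libsodium's own code. ct_verify_64() follows the crypto_verify_* contract (0 on a match, -1 otherwise) and examines every byte regardless of where the first difference is, which is what makes it usable for comparing authentication tags without leaking the mismatch position through timing; secure_wipe() shows the volatile-store technique that stops a compiler from discarding a wipe as a dead store. The function names and the sample tags are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constant-time comparison of two 64-byte buffers, written to match the
 * documented contract of libsodium's crypto_verify_64(): returns 0 when the
 * buffers are equal and -1 otherwise. Every byte is OR-ed into the
 * accumulator, so the running time does not depend on where (or whether) the
 * inputs differ, unlike memcmp(), which returns at the first mismatch. */
int ct_verify_64(const unsigned char *x, const unsigned char *y)
{
    uint_fast16_t d = 0U;
    size_t i;

    for (i = 0; i < 64; i++) {
        d |= (uint_fast16_t)(x[i] ^ y[i]);
    }
    /* d == 0: (d - 1) wraps around, bit 8 is set, result is 0.
     * 1 <= d <= 255: (d - 1) >> 8 is 0, result is -1. */
    return (int)(1 & ((d - 1) >> 8)) - 1;
}

/* Wipe a buffer through a volatile pointer so the compiler cannot treat the
 * stores as dead and drop them, which is the problem sodium_memzero() exists
 * to address (a portable approximation, not libsodium's implementation). */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;

    while (n--) {
        *vp++ = 0U;
    }
}

/* Constructed sample: a 64-byte authentication tag filled with a fixed
 * pattern, with the last byte chosen by the caller so two tags can be made
 * to differ by a single bit. */
static void sample_tag(unsigned char tag[64], unsigned char last)
{
    memset(tag, 0xA5, 64);
    tag[63] = last;
}

/* Verify result for two identical constructed tags (expected 0). */
int demo_verify_match(void)
{
    unsigned char a[64], b[64];

    sample_tag(a, 0x01);
    sample_tag(b, 0x01);
    return ct_verify_64(a, b);
}

/* Verify result for tags differing in one bit of the last byte
 * (expected -1): any difference, however small or late, is rejected. */
int demo_verify_mismatch(void)
{
    unsigned char a[64], b[64];

    sample_tag(a, 0x01);
    sample_tag(b, 0x00);
    return ct_verify_64(a, b);
}

/* Fills a constructed 32-byte key, wipes it, and returns 1 only if every
 * byte reads back as zero. */
int demo_wipe(void)
{
    unsigned char key[32];
    size_t i;

    memset(key, 0x42, sizeof key);
    secure_wipe(key, sizeof key);
    for (i = 0; i < sizeof key; i++) {
        if (key[i] != 0U) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    printf("verify(match)    = %d\n", demo_verify_match());
    printf("verify(mismatch) = %d\n", demo_verify_mismatch());
    printf("wipe ok          = %d\n", demo_wipe());
    return 0;
}
```

The return convention (0 for equal, -1 otherwise) is the same one libsodium documents for crypto_verify_16/32/64, so a caller checks `if (ct_verify_64(a, b) != 0) { /* reject */ }`; the wipe helper is what you call on a key or plaintext buffer before it goes out of scope, as sodium_memzero() is meant to be used.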