xref: /freebsd/sys/contrib/libsodium/ChangeLog (revision 3611ec604864a7d4dcc9a3ea898c80eb35eef8a0)

* Version 1.0.16
 - Signature computations and verifications are now way faster on
64-bit platforms with compilers supporting 128-bit arithmetic (gcc,
clang, icc). This includes the WebAssembly target.
 - New low-level APIs for computations over edwards25519:
`crypto_scalarmult_ed25519()`, `crypto_scalarmult_ed25519_base()`,
`crypto_core_ed25519_is_valid_point()`, `crypto_core_ed25519_add()`,
`crypto_core_ed25519_sub()` and `crypto_core_ed25519_from_uniform()`
(elligator representative to point).
 - `crypto_sign_open()`, `crypto_sign_verify_detached()` and
`crypto_sign_edwards25519sha512batch_open()` now reject public keys in
non-canonical form in addition to low-order points.
 - The library can be built with `ED25519_NONDETERMINISTIC` defined in
order to use synthetic nonces for EdDSA. This is disabled by default.
 - WebAssembly: `crypto_pwhash_*()` functions are now included in
non-sumo builds.
 - `sodium_stackzero()` was added to wipe content off the stack.
 - Android: support new SDKs where unified headers have become the
default.
 - The Salsa20-based PRNG example is now thread-safe on platforms with
support for thread-local storage, and optionally mixes in bits from RDRAND.
 - CMake: static library detection on Unix systems has been improved
(thanks to @BurningEnlightenment, @nibua-r, @mellery451).
 - Argon2 and scrypt are slightly faster on Linux.

* Version 1.0.15
 - The default password hashing algorithm is now Argon2id. The
`pwhash_str_verify()` function can still verify Argon2i hashes
without any changes, and `pwhash()` can still compute Argon2i hashes
as well.
 - The aes128ctr primitive was removed. It was slow, non-standard, not
authenticated, and didn't seem to be used by any open-source project.
 - Argon2id required at least 3 passes like Argon2i, despite a minimum
of `1` as defined by the `OPSLIMIT_MIN` constant. This has been fixed.
 - The secretstream construction was slightly changed to be consistent
with forthcoming variants.
 - The Javascript and WebAssembly versions have been merged, and the
module now returns a `.ready` promise that will resolve after the
WebAssembly code is loaded and compiled.
 - Note that due to these incompatible changes, the library major
version was bumped.

* Version 1.0.14
 - iOS binaries should now be compatible with WatchOS and TVOS.
 - WebAssembly is now officially supported. Special thanks to
@facekapow and @pepyakin who helped to make it happen.
 - Failing internal consistency checks, and primitives called with
dangerous, out-of-bounds or invalid parameters, used to call abort(3).
Now, a custom handler *that doesn't return* can be set with the
`set_sodium_misuse()` function. It still aborts by default or if the
handler ever returns. This is not a replacement for non-fatal,
expected runtime errors. This handler will only be called in
unexpected situations due to potential bugs in the library or in
language bindings.
 - `*_MESSAGEBYTES_MAX` macros (and the corresponding
`_messagebytes_max()` symbols) have been added to represent the
maximum message size that can be safely handled by a primitive.
Language bindings are encouraged to check user inputs against these
maximum lengths.
 - The test suite has been extended to cover more edge cases.
 - crypto_sign_ed25519_pk_to_curve25519() now rejects points that are
not on the curve, or not in the main subgroup.
 - Further changes have been made to ensure that smart compilers will
not optimize out code that we don't want to be optimized.
 - Visual Studio solutions are now included in distribution tarballs.
 - The `sodium_runtime_has_*` symbols for CPU feature detection are
now defined as weak symbols, i.e. they can be replaced with an
application-defined implementation. This can be useful to disable
AVX* when temperature/power consumption is a concern.
 - `crypto_kx_*()` now aborts if called with no non-NULL pointers to
store keys to.
 - SSE2 implementations of `crypto_verify_*()` have been added.
 - Passwords can be hashed using a specific algorithm with the new
`crypto_pwhash_str_alg()` function.
 - Due to popular demand, base64 encoding (`sodium_bin2base64()`) and
decoding (`sodium_base642bin()`) have been implemented.
 - A new `crypto_secretstream_*()` API was added to safely encrypt files
and multi-part messages.
 - The `sodium_pad()` and `sodium_unpad()` helper functions have been
added in order to add and remove padding.
 - An AVX512 optimized implementation of Argon2 has been added (written
by Ondrej Mosnáček, thanks!).
 - The `crypto_pwhash_str_needs_rehash()` function was added to check if
a password hash string matches the given parameters, or if it needs an
update.
 - The library can now be compiled with recent versions of
emscripten/binaryen that don't allow multiple variable declarations
using a single `var` statement.

* Version 1.0.13
 - Javascript: the sumo builds now include all symbols. They were
previously limited to symbols defined in minimal builds.
 - The public `crypto_pwhash_argon2i_MEMLIMIT_MAX` constant was
incorrectly defined on 32-bit platforms. This has been fixed.
 - Version 1.0.12 didn't compile on OpenBSD/i386 using the base gcc
compiler. This has been fixed.
 - The Android compilation scripts have been updated for NDK r14b.
 - armv7s-optimized code was re-added to iOS builds.
 - An AVX2 optimized implementation of the Argon2 round function was
added.
 - The Argon2id variant of Argon2 has been implemented. The
high-level `crypto_pwhash_str_verify()` function automatically detects
the algorithm and can verify both Argon2i and Argon2id hashed passwords.
The default algorithm for newly hashed passwords remains Argon2i in
this version to avoid breaking compatibility with verifiers running
libsodium <= 1.0.12.
 - A `crypto_box_curve25519xchacha20poly1305_seal*()` function set was
implemented.
 - scrypt was removed from minimal builds.
 - libsodium is now available on NuGet.

* Version 1.0.12
 - Ed25519ph was implemented, adding a multi-part signature API
(`crypto_sign_init()`, `crypto_sign_update()`, `crypto_sign_final_*()`).
 - New constants and related accessors have been added for Scrypt and
Argon2.
 - XChaCha20 has been implemented. Like XSalsa20, this construction
extends the ChaCha20 cipher to accept a 192-bit nonce. This makes it safe
to use ChaCha20 with random nonces.
 - `crypto_secretbox`, `crypto_box` and `crypto_aead` now offer
variants leveraging XChaCha20.
 - SHA-2 is about 20% faster, which also gives a speed boost to
signature and signature verification.
 - AVX2 implementations of Salsa20 and ChaCha20 have been added. They
are twice as fast as the SSE2 implementations. The speed gain is
even more significant on Windows, which previously didn't use
vectorized implementations.
 - New high-level API: `crypto_kdf`, to easily derive one or more
subkeys from a master key.
 - Siphash with a 128-bit output has been implemented, and is
available as `crypto_shorthash_siphashx_*`.
 - New `*_keygen()` helper functions have been added to create secret
keys for all constructions. This improves code clarity and can prevent keys
from being partially initialized.
 - A new `randombytes_buf_deterministic()` function was added to
deterministically fill a memory region with pseudorandom data. This
function can especially be useful to write reproducible tests.
 - A preliminary `crypto_kx_*()` API was added to compute shared session
keys.
 - AVX2 detection is more reliable.
 - The pthreads library is not required any more when using MinGW.
 - `contrib/Findsodium.cmake` was added as an example to include
libsodium in a project using cmake.
 - Compatibility with gcc 2.x has been restored.
 - Minimal builds can be checked using `sodium_library_minimal()`.
 - The `--enable-opt` compilation switch has become compatible with more
platforms.
 - Android builds are now using clang on platforms where it is
available.

* Version 1.0.11
 - `sodium_init()` is now thread-safe, and can be safely called multiple
times.
 - Android binaries now properly support 64-bit Android, targeting
platform 24, but without breaking compatibility with platforms 16 and
21.
 - Better support for old gcc versions.
 - On FreeBSD, core dumps are disabled on regions allocated with
sodium allocation functions.
 - AVX2 detection was fixed, resulting in faster Blake2b hashing on
platforms where it was not properly detected.
 - The Sandy2x Curve25519 implementation was not as fast as expected
on some platforms. This has been fixed.
 - The NativeClient target was improved. Most notably, it now supports
optimized implementations, and uses pepper_49 by default.
 - The library can be compiled with recent Emscripten versions.
Changes have been made to produce smaller code, and the default heap
size was reduced in the standard version.
 - The code can now be compiled on SLES11 service pack 4.
 - Decryption functions can now accept a NULL pointer for the output.
This checks the MAC without writing the decrypted message.
 - crypto_generichash_final() now returns -1 if called twice.
 - Support for Visual Studio 2008 was improved.

* Version 1.0.10
 - This release only fixes a compilation issue reported with some older
gcc versions. There are no functional changes over the previous release.

* Version 1.0.9
 - The Javascript target now includes a `--sumo` option to include all
the symbols of the original C library.
 - A detached API was added to the ChaCha20-Poly1305 and AES256-GCM
implementations.
 - The Argon2i password hashing function was added, and is accessible
directly and through a new, high-level `crypto_pwhash` API. The scrypt
function remains available as well.
 - A speed-record AVX2 implementation of BLAKE2b was added (thanks to
Samuel Neves).
 - The library can now be compiled using C++Builder (thanks to @jcolli44).
 - Countermeasures for Ed25519 signature malleability have been added
to match the irtf-cfrg-eddsa draft (note that malleability is irrelevant to
the standard definition of signature security). Signatures with a small-order
`R` point are now also rejected.
 - Some implementations are now slightly faster when using the Clang
compiler.
 - The HChaCha20 core function was implemented (`crypto_core_hchacha20()`).
 - No-op stubs were added for all AES256-GCM public functions even when
compiled on non-Intel platforms.
 - `crypto_generichash_blake2b_statebytes()` was added.
 - New macros were added for the IETF variant of the ChaCha20-Poly1305
construction.
 - The library can now be compiled on Minix.
 - HEASLR is now enabled on MinGW builds.

* Version 1.0.8
 - Handle the case where the CPU supports AVX, but we are running
on a hypervisor with AVX disabled/not supported.
 - Faster (2x) scalarmult_base() when using the ref10 implementation.

* Version 1.0.7
 - More functions whose return value should be checked have been
tagged with `__attribute__ ((warn_unused_result))`: `crypto_box_easy()`,
`crypto_box_detached()`, `crypto_box_beforenm()`, `crypto_box()`, and
`crypto_scalarmult()`.
 - Sandy2x, the fastest Curve25519 implementation ever, has been
merged in, and is automatically used on CPUs supporting the AVX
instruction set.
 - An SSE2 optimized implementation of Poly1305 was added, and is
twice as fast as the portable one.
 - An SSSE3 optimized implementation of ChaCha20 was added, and is
twice as fast as the portable one.
 - Faster `sodium_increment()` for common nonce sizes.
 - New helper functions have been added: `sodium_is_zero()` and
`sodium_add()`.
 - `sodium_runtime_has_aesni()` now properly detects the CPU flag when
compiled using Visual Studio.

* Version 1.0.6
 - Optimized implementations of Blake2 have been added for modern
Intel platforms. `crypto_generichash()` is now faster than MD5 and SHA1
implementations while being far more secure.
 - Functions for which the return value should be checked have been
tagged with `__attribute__ ((warn_unused_result))`. This will
intentionally break code compiled with `-Werror` that didn't bother
checking critical return values.
 - The `crypto_sign_edwards25519sha512batch_*()` functions have been
tagged as deprecated.
 - Undocumented symbols that were exported, but were only useful for
internal purposes have been removed or made private:
`sodium_runtime_get_cpu_features()`, the implementation-specific
`crypto_onetimeauth_poly1305_donna()` symbols,
`crypto_onetimeauth_poly1305_set_implementation()`,
`crypto_onetimeauth_poly1305_implementation_name()` and
`crypto_onetimeauth_pick_best_implementation()`.
 - `sodium_compare()` now works as documented, and compares numbers
in little-endian format instead of behaving like `memcmp()`.
 - The previous changes should not break actual applications, but to be
safe, the library version major was incremented.
 - `sodium_runtime_has_ssse3()` and `sodium_runtime_has_sse41()` have
been added.
 - The library can now be compiled with the CompCert compiler.

* Version 1.0.5
 - Compilation issues on some platforms were fixed: missing alignment
directives were added (required at least on RHEL-6/i386), a workaround
for a VRP bug on gcc/armv7 was added, and the library can now be compiled
with the SunPro compiler.
 - Javascript target: io.js is not supported any more. Use nodejs.

* Version 1.0.4
 - Support for AES256-GCM has been added. This requires
a CPU with the aesni and pclmul extensions, and is accessible via the
crypto_aead_aes256gcm_*() functions.
 - The Javascript target doesn't use eval() any more, so that the
library can be used in Chrome packaged applications.
 - QNX and CloudABI are now supported.
 - Support for NaCl has finally been added.
 - ChaCha20 with an extended (96 bit) nonce and a 32-bit counter has
been implemented as crypto_stream_chacha20_ietf(),
crypto_stream_chacha20_ietf_xor() and crypto_stream_chacha20_ietf_xor_ic().
An IETF-compatible version of ChaCha20Poly1305 is available as
crypto_aead_chacha20poly1305_ietf_npubbytes(),
crypto_aead_chacha20poly1305_ietf_encrypt() and
crypto_aead_chacha20poly1305_ietf_decrypt().
 - The sodium_increment() helper function has been added, to increment
an arbitrarily large number (such as a nonce).
 - The sodium_compare() helper function has been added, to compare
arbitrarily large numbers (such as nonces, in order to prevent replay
attacks).
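The 1.0.4, 1.0.6 and 1.0.7 entries describe the semantics of `sodium_increment()`, `sodium_compare()` and `sodium_is_zero()`: arbitrarily long little-endian numbers, constant-time comparison in numeric rather than `memcmp()` byte order, and a nonce high-water mark as a replay check. The following is an added, self-contained reimplementation of those documented semantics for illustration; it is not libsodium's code, and the function names (`le_compare`, `le_increment`, `is_zero_ct`, `nonce_accept`) and the 4-byte sample nonces are constructed for the example.

```c
/* Added example, not libsodium's code: the little-endian, constant-time
 * number helpers the ChangeLog documents, plus the replay check they enable.
 * All names here are hypothetical; the nonces are constructed test data. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Numeric compare of two little-endian numbers: -1 if b1 < b2, 0 if equal,
 * 1 if b1 > b2. Scans from the most significant byte down and never
 * branches on the data, so timing does not reveal where they first differ. */
int le_compare(const unsigned char *b1, const unsigned char *b2, size_t len)
{
    unsigned char gt = 0U; /* set once a more-significant byte of b1 is larger */
    unsigned char eq = 1U; /* stays 1 while all bytes seen so far are equal   */
    unsigned int  d, x;
    size_t        i = len;

    while (i != 0U) {
        i--;
        /* d wraps past UINT_MAX exactly when b1[i] > b2[i], so d >> 8 is
         * all-ones then and 0 otherwise. Masking with eq means only the
         * first (most significant) differing byte decides the result. */
        d = (unsigned int) b2[i] - (unsigned int) b1[i];
        x = (unsigned int) (b2[i] ^ b1[i]);
        gt |= (unsigned char) ((d >> 8) & eq);
        eq &= (unsigned char) (((x - 1U) >> 8) & 1U);
    }
    return (int) (gt + gt + eq) - 1;
}

/* Add one to a little-endian number of len bytes, wrapping to zero if the
 * whole buffer overflows. The carry propagation has no data-dependent branch. */
void le_increment(unsigned char *n, size_t len)
{
    unsigned int carry = 1U;
    size_t       i;

    for (i = 0U; i < len; i++) {
        carry += (unsigned int) n[i];
        n[i]   = (unsigned char) carry;
        carry >>= 8;
    }
}

/* Constant-time test for an all-zero buffer: 1 if every byte is zero, else 0. */
int is_zero_ct(const unsigned char *n, size_t len)
{
    unsigned int acc = 0U;
    size_t       i;

    for (i = 0U; i < len; i++) {
        acc |= (unsigned int) n[i];
    }
    return (int) (((acc - 1U) >> 8) & 1U);
}

/* Replay check as the 1.0.4 entry describes: accept a message only if its
 * nonce is numerically greater than the highest nonce accepted so far, then
 * advance the high-water mark. Returns 1 on accept, 0 on reject. */
int nonce_accept(unsigned char *highest_seen, const unsigned char *incoming, size_t len)
{
    if (le_compare(incoming, highest_seen, len) != 1) {
        return 0;
    }
    memcpy(highest_seen, incoming, len);
    return 1;
}

/* Why memcmp() is the wrong tool: once 0xFF 0x00 .. increments to 0x00 0x01 ..,
 * memcmp() inspects byte 0 first and calls the newer nonce smaller.
 * Returns 1 when the two orderings disagree on this constructed pair. */
int memcmp_misorders_wrapped_nonce(void)
{
    unsigned char before[4] = { 0xFF, 0x00, 0x00, 0x00 }; /* constructed */
    unsigned char after[4];

    memcpy(after, before, sizeof after);
    le_increment(after, sizeof after); /* now 0x00 0x01 0x00 0x00 */
    return memcmp(after, before, sizeof after) < 0 &&
           le_compare(after, before, sizeof after) == 1;
}

/* Run a constructed nonce sequence (fresh, replayed, fresh, stale) through
 * the replay check and return how many messages were accepted. */
int replay_demo(void)
{
    unsigned char highest[4] = { 0x00, 0x00, 0x00, 0x00 };
    unsigned char n1[4] = { 0xFF, 0x00, 0x00, 0x00 }; /* constructed nonces */
    unsigned char n2[4] = { 0x00, 0x01, 0x00, 0x00 }; /* n1 + 1             */
    unsigned char n3[4] = { 0x10, 0x00, 0x00, 0x00 }; /* below n1: stale    */
    int accepted = 0;

    accepted += nonce_accept(highest, n1, 4); /* fresh:  accept           */
    accepted += nonce_accept(highest, n1, 4); /* replay: reject (equal)   */
    accepted += nonce_accept(highest, n2, 4); /* fresh:  accept           */
    accepted += nonce_accept(highest, n3, 4); /* stale:  reject (smaller) */
    return accepted;
}

int main(void)
{
    printf("memcmp misorders wrapped nonce: %d\n", memcmp_misorders_wrapped_nonce());
    printf("messages accepted: %d of 4\n", replay_demo());
    return 0;
}
```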

* Version 1.0.3
 - In addition to sodium_bin2hex(), sodium_hex2bin() is now a
constant-time function.
 - crypto_stream_xsalsa20_ic() has been added.
 - crypto_generichash_statebytes(), crypto_auth_*_statebytes() and
crypto_hash_*_statebytes() have been added in order to retrieve the
size of structures keeping states from foreign languages.
 - The JavaScript target doesn't require /dev/urandom or an external
randombytes() implementation any more. Other minor Emscripten-related
improvements have been made in order to support libsodium.js.
 - Custom randombytes implementations do not need to provide their own
implementation of randombytes_uniform() any more. randombytes_stir()
and randombytes_close() can also be NULL pointers if they are not
required.
 - On Linux, getrandom(2) is being used instead of directly accessing
/dev/urandom, if the kernel supports this system call.
 - crypto_box_seal() and crypto_box_seal_open() have been added.
 - Visual Studio 2015 is now supported.

* Version 1.0.2
 - The _easy and _detached APIs now support precalculated keys;
crypto_box_easy_afternm(), crypto_box_open_easy_afternm(),
crypto_box_detached_afternm() and crypto_box_open_detached_afternm()
have been added as an alternative to the NaCl interface.
 - Memory allocation functions can now be used on operating systems with
no memory protection.
 - crypto_sign_open() and crypto_sign_edwards25519sha512batch_open()
now accept a NULL pointer instead of a pointer to the message size, if
storing this information is not required.
 - The close-on-exec flag is now set on the descriptor returned when
opening /dev/urandom.
 - A libsodium-uninstalled.pc file has been added, to use pkg-config even
when libsodium is not installed.
 - The iOS target now includes armv7s and arm64 optimized code, as well
as i386 and x86_64 code for the iOS simulator.
 - sodium_free() can now be called on regions with PROT_NONE protection.
 - The Javascript tests can run on Ubuntu, where the node binary was
renamed nodejs. io.js can also be used instead of node.

* Version 1.0.1
 - DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid
collisions with similar macros defined by other libraries.
 - sodium_bin2hex() is now constant-time.
 - crypto_secretbox_detached() now supports overlapping input and output
regions.
 - NaCl's donna_c64 implementation of curve25519 was reading an extra byte
past the end of the buffer containing the base point. This has been
fixed.

* Version 1.0.0
 - The API and ABI are now stable. New features will be added, but
backward-compatibility is guaranteed through all the 1.x.y releases.
 - crypto_sign() properly works with overlapping regions again. Thanks
to @pysiak for reporting this regression introduced in version 0.6.1.
 - The test suite has been extended.

* Version 0.7.1 (1.0 RC2)
 - This is the second release candidate of Sodium 1.0. Minor
compilation, readability and portability changes have been made and the
test suite was improved, but the API is the same as the previous release
candidate.

* Version 0.7.0 (1.0 RC1)
 - Allocating memory to store sensitive data can now be done using
sodium_malloc() and sodium_allocarray(). These functions add guard
pages around the protected data to make it less likely to be
accessible in a heartbleed-like scenario. In addition, the protection
for memory regions allocated that way can be changed using
sodium_mprotect_noaccess(), sodium_mprotect_readonly() and
sodium_mprotect_readwrite().
 - ed25519 keys can be converted to curve25519 keys with
crypto_sign_ed25519_pk_to_curve25519() and
crypto_sign_ed25519_sk_to_curve25519(). This allows using the same
keys for signature and encryption.
 - The seed and the public key can be extracted from an ed25519 key
using crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk().
 - aes256 was removed. A timing-attack resistant implementation might
be added later, but not before version 1.0 is tagged.
 - The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was
removed. Use crypto_pwhash_scryptsalsa208sha256_*.
 - The compatibility layer for implementation-specific functions was
removed.
 - Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed.
 - crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains
the prefix produced by crypto_pwhash_scryptsalsa208sha256_str().

* Version 0.6.1
 - Important bug fix: when crypto_sign_open() was given a signed
message too short to even contain a signature, it was putting an
unlimited amount of zeros into the target buffer instead of
immediately returning -1. The bug was introduced in version 0.5.0.
 - New API: crypto_sign_detached() and crypto_sign_verify_detached()
to produce and verify ed25519 signatures without having to duplicate
the message.
 - New ./configure switch: --enable-minimal, to create a smaller
library, with only the functions required for the high-level API.
Mainly useful for the JavaScript target and embedded systems.
 - All the symbols are now exported by the Emscripten build script.
 - The pkg-config .pc file is now always installed even if the
pkg-config tool is not available during the installation.

383*0ac341f1SConrad Meyer* Version 0.6.0
384*0ac341f1SConrad Meyer - The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_*
385*0ac341f1SConrad Meyer - The ChaCha20Poly1305 AEAD construction has been implemented, as
386*0ac341f1SConrad Meyercrypto_aead_chacha20poly1305_*
387*0ac341f1SConrad Meyer - The _easy API does not require any heap allocations any more and
388*0ac341f1SConrad Meyerdoes not have any overhead over the NaCl API. With the password
389*0ac341f1SConrad Meyerhashing function being an obvious exception, the library doesn't
390*0ac341f1SConrad Meyerallocate and will not allocate heap memory ever.
391*0ac341f1SConrad Meyer - crypto_box and crypto_secretbox have a new _detached API to store
392*0ac341f1SConrad Meyerthe authentication tag and the encrypted message separately.
393*0ac341f1SConrad Meyer - crypto_pwhash_scryptxsalsa208sha256*() functions have been renamed
394*0ac341f1SConrad Meyercrypto_pwhash_scryptsalsa208sha256*().
395*0ac341f1SConrad Meyer - The low-level crypto_pwhash_scryptsalsa208sha256_ll() function
396*0ac341f1SConrad Meyerallows setting individual parameters of the scrypt function.
397*0ac341f1SConrad Meyer - New macros and functions for recommended crypto_pwhash_* parameters
398*0ac341f1SConrad Meyerhave been added.
399*0ac341f1SConrad Meyer - Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair()
400*0ac341f1SConrad Meyerhas been introduced to deterministically generate a key pair from a seed.
401*0ac341f1SConrad Meyer - crypto_onetimeauth() now provides a streaming interface.
402*0ac341f1SConrad Meyer - crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic()
403*0ac341f1SConrad Meyerhave been added to use a non-zero initial block counter.
404*0ac341f1SConrad Meyer - On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which
405*0ac341f1SConrad Meyerdoesn't require the Crypt API.
406*0ac341f1SConrad Meyer - The high bit in curve25519 is masked instead of processing the key as
407*0ac341f1SConrad Meyera 256-bit value.
408*0ac341f1SConrad Meyer - The curve25519 ref implementation was replaced by the latest ref10
409*0ac341f1SConrad Meyerimplementation from Supercop.
410*0ac341f1SConrad Meyer - sodium_mlock() now prevents memory from being included in coredumps
411*0ac341f1SConrad Meyeron Linux 3.4+
412*0ac341f1SConrad Meyer
* Version 0.5.0
 - sodium_mlock()/sodium_munlock() have been introduced to lock pages
in memory before storing sensitive data, and to zero them before
unlocking them.
 - High-level wrappers for crypto_box and crypto_secretbox
(crypto_box_easy and crypto_secretbox_easy) can be used to avoid
dealing with the zero-padded message layout (ZEROBYTES/BOXZEROBYTES)
that the NaCl-style functions depend on.
 - crypto_pwhash_scryptsalsa208sha256* functions have been added
to derive a key from a password, and for password storage.
 - Salsa20 and ed25519 implementations now support overlapping
inputs/keys/outputs (changes imported from supercop-20140505).
 - New build scripts for Visual Studio, Emscripten, different Android
architectures and msys2 are available.
 - The poly1305-53 implementation has been replaced with Floodyberry's
poly1305-donna32 and poly1305-donna64 implementations.
 - sodium_hex2bin() has been added to complement sodium_bin2hex().
 - On OpenBSD and Bitrig, arc4random() is used instead of reading
/dev/urandom.
 - crypto_auth_hmac_sha512() has been implemented.
 - sha256 and sha512 now have a streaming interface.
 - hmacsha256, hmacsha512 and hmacsha512256 now support keys of
arbitrary length, and have a streaming interface.
 - crypto_verify_64() has been implemented.
 - A first-class Visual Studio build system has been added, thanks to @evoskuil.
 - CPU features are now detected at runtime.

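Added example, not libsodium's own code: the lock / store / wipe / unlock sequence behind the sodium_mlock()/sodium_munlock() entry above and the core-dump exclusion noted under 0.6.0, written against POSIX mlock()/munlock() and the Linux madvise(MADV_DONTDUMP) advice. The names secure_mlock(), secure_munlock(), secure_memzero(), memzero_ok(), secret_lifecycle() and last_lock_rc are assumptions chosen for this example; the 32-byte key is constructed test data.

```c
/* Added example (not libsodium code): pin a page, store a secret in it,
 * wipe it, then unlock. Names are assumed for this example. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Wipe that survives optimization: every store goes through a volatile
 * pointer, so the compiler cannot drop it as a dead store. */
void secure_memzero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Pin the pages so they are never written to swap and, on Linux 3.4+,
 * exclude them from core dumps. Returns 0 on success, -1 on failure. */
int secure_mlock(void *p, size_t n) {
#ifdef MADV_DONTDUMP
    (void)madvise(p, n, MADV_DONTDUMP);  /* best effort; p must be page-aligned */
#endif
    return mlock(p, n) == 0 ? 0 : -1;
}

/* Zero first, then unlock: after munlock() the pages may be swapped out,
 * so the secret must already be gone. Returns 0 on success, -1 on failure. */
int secure_munlock(void *p, size_t n) {
    secure_memzero(p, n);
#ifdef MADV_DODUMP
    (void)madvise(p, n, MADV_DODUMP);    /* allow dumps again once the page is clean */
#endif
    return munlock(p, n) == 0 ? 0 : -1;
}

/* Self-check for the wipe: returns 1 if a 0xAA-filled buffer is all zero
 * after secure_memzero(). */
int memzero_ok(void) {
    uint8_t b[64];
    size_t i;
    memset(b, 0xAA, sizeof b);
    secure_memzero(b, sizeof b);
    for (i = 0; i < sizeof b; i++) {
        if (b[i] != 0) return 0;
    }
    return 1;
}

int last_lock_rc = -2;  /* result of the most recent secure_mlock() call */

/* Worked sequence on one page-aligned page: lock before the secret lands in
 * memory, use it, then wipe and unlock. Returns 1 if the page is all zero
 * after secure_munlock(), 0 on allocation failure or a failed wipe. */
int secret_lifecycle(void) {
    long page = sysconf(_SC_PAGESIZE);
    size_t n, i;
    void *buf = NULL;
    uint8_t *key;
    int wiped = 1;

    if (page <= 0) return 0;
    n = (size_t)page;
    if (posix_memalign(&buf, n, n) != 0) return 0;
    key = (uint8_t *)buf;

    last_lock_rc = secure_mlock(key, n);     /* -1 if RLIMIT_MEMLOCK forbids it */
    for (i = 0; i < 32; i++) {
        key[i] = (uint8_t)(0x41 + i);        /* constructed 32-byte secret */
    }
    /* ... the key would be used here ... */
    (void)secure_munlock(key, n);            /* wipes, then unlocks */

    for (i = 0; i < n; i++) {
        wiped &= (key[i] == 0);
    }
    free(buf);
    return wiped;
}
```

Two details matter in practice: the wipe goes through a volatile pointer so the compiler cannot delete it as a dead store ahead of free(), and it happens before munlock(), because once the pages are unlocked the kernel may swap them out. mlock() can fail under RLIMIT_MEMLOCK (common in containers); secret_lifecycle() records that outcome in last_lock_rc rather than skipping the wipe, which is the part that must never be conditional.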
* Version 0.4.5
 - Restore compatibility with OS X <= 10.6

* Version 0.4.4
 - Visual Studio is officially supported (VC 2010 & VC 2013)
 - mingw64 is now supported
 - big-endian architectures are now supported as well
 - The curve25519_donna_c64 implementation now handles non-canonical
points the same way as the ref implementation
 - Missing scalarmult_curve25519 and stream_salsa20 constants are now exported
 - A crypto_onetimeauth_poly1305_ref() wrapper has been added

* Version 0.4.3
 - crypto_sign_seedbytes() and crypto_sign_SEEDBYTES were added.
 - crypto_onetimeauth_poly1305_implementation_name() was added.
 - poly1305-ref has been replaced by a faster implementation,
Floodyberry's poly1305-donna-unrolled.
 - Non-executable stack markings have been added to the assembly code,
for Hardened Gentoo.
 - pkg-config can now be used in order to retrieve compilation flags for
using libsodium.
 - crypto_stream_aes256estream_*() can now deal with unaligned input
on platforms that require word alignment.
 - Portability improvements.

* Version 0.4.2
 - All NaCl constants are now also exposed as functions.
 - The Android and iOS cross-compilation scripts have been improved.
 - libsodium can now be cross-compiled to Windows from Linux.
 - libsodium can now be compiled with emscripten.
 - New convenience function (prototyped in utils.h): sodium_bin2hex().

* Version 0.4.1
 - sodium_version_*() functions were not exported in version 0.4. They
are now visible as intended.
 - sodium_init() now calls randombytes_stir().
 - The optimized assembly version of salsa20 is now used on amd64.
 - Further cleanups and enhanced compatibility with non-C99 compilers.

* Version 0.4
 - Most constants and operations are now available as actual functions
instead of macros, making it easier to use from other languages.
 - New operation: crypto_generichash, featuring a variable key size, a
variable output size, and a streaming API. Currently implemented using
BLAKE2b.
 - The package can be compiled in a separate directory.
 - aes128ctr functions are exported.
 - Optimized versions of curve25519 (curve25519_donna_c64), poly1305
(poly1305_53) and ed25519 (ed25519_ref10) are available. Optionally calling
sodium_init() once before using the library makes it pick the fastest
implementation.
 - New convenience function: sodium_memzero() in order to securely
wipe a memory area.
 - A whole bunch of cleanups and portability enhancements.
 - On Windows, a .REF file is generated along with the shared library,
for use with Visual Studio. The installation path for these has become
$prefix/bin as expected by MinGW.

* Version 0.3
 - The crypto_shorthash operation has been added, implemented using
SipHash-2-4.

* Version 0.2
 - crypto_sign_seed_keypair() has been added

* Version 0.1
 - Initial release.