* Version 1.0.16
 - Signature computations and verifications are now way faster on 64-bit platforms with compilers supporting 128-bit arithmetic (gcc, clang, icc). This includes the WebAssembly target.
 - New low-level APIs for computations over edwards25519: `crypto_scalarmult_ed25519()`, `crypto_scalarmult_ed25519_base()`, `crypto_core_ed25519_is_valid_point()`, `crypto_core_ed25519_add()`, `crypto_core_ed25519_sub()` and `crypto_core_ed25519_from_uniform()` (elligator representative to point).
 - `crypto_sign_open()`, `crypto_sign_verify_detached()` and `crypto_sign_edwards25519sha512batch_open()` now reject public keys in non-canonical form in addition to low-order points.
 - The library can be built with `ED25519_NONDETERMINISTIC` defined in order to use synthetic nonces for EdDSA. This is disabled by default.
 - Webassembly: `crypto_pwhash_*()` functions are now included in non-sumo builds.
 - `sodium_stackzero()` was added to wipe content off the stack.
 - Android: support new SDKs where unified headers have become the default.
 - The Salsa20-based PRNG example is now thread-safe on platforms with support for thread-local storage, and optionally mixes bits from RDRAND.
 - CMAKE: static library detection on Unix systems has been improved (thanks to @BurningEnlightenment, @nibua-r, @mellery451)
 - Argon2 and scrypt are slightly faster on Linux.

* Version 1.0.15
 - The default password hashing algorithm is now Argon2id. The `pwhash_str_verify()` function can still verify Argon2i hashes without any changes, and `pwhash()` can still compute Argon2i hashes as well.
 - The aes128ctr primitive was removed. It was slow, non-standard, not authenticated, and didn't seem to be used by any opensource project.
 - Argon2id required at least 3 passes like Argon2i, despite a minimum of `1` as defined by the `OPSLIMIT_MIN` constant. This has been fixed.
 - The secretstream construction was slightly changed to be consistent with forthcoming variants.
 - The Javascript and Webassembly versions have been merged, and the module now returns a `.ready` promise that will resolve after the Webassembly code is loaded and compiled.
 - Note that due to these incompatible changes, the library version major was bumped up.

* Version 1.0.14
 - iOS binaries should now be compatible with WatchOS and TVOS.
 - WebAssembly is now officially supported. Special thanks to @facekapow and @pepyakin who helped to make it happen.
 - Internal consistency checks failing and primitives used with dangerous/out-of-bounds/invalid parameters used to call abort(3). Now, a custom handler *that doesn't return* can be set with the `set_sodium_misuse()` function. It still aborts by default or if the handler ever returns. This is not a replacement for non-fatal, expected runtime errors. This handler will only be called in unexpected situations due to potential bugs in the library or in language bindings.
 - `*_MESSAGEBYTES_MAX` macros (and the corresponding `_messagebytes_max()` symbols) have been added to represent the maximum message size that can be safely handled by a primitive. Language bindings are encouraged to check user inputs against these maximum lengths.
 - The test suite has been extended to cover more edge cases.
 - crypto_sign_ed25519_pk_to_curve25519() now rejects points that are not on the curve, or not in the main subgroup.
 - Further changes have been made to ensure that smart compilers will not optimize out code that we don't want to be optimized.
 - Visual Studio solutions are now included in distribution tarballs.
 - The `sodium_runtime_has_*` symbols for CPU feature detection are now defined as weak symbols, i.e. they can be replaced with an application-defined implementation. This can be useful to disable AVX* when temperature/power consumption is a concern.
 - `crypto_kx_*()` now aborts if called with no non-NULL pointers to store keys to.
 - SSE2 implementations of `crypto_verify_*()` have been added.
 - Passwords can be hashed using a specific algorithm with the new `crypto_pwhash_str_alg()` function.
 - Due to popular demand, base64 encoding (`sodium_bin2base64()`) and decoding (`sodium_base642bin()`) have been implemented.
 - A new `crypto_secretstream_*()` API was added to safely encrypt files and multi-part messages.
 - The `sodium_pad()` and `sodium_unpad()` helper functions have been added in order to add & remove padding.
 - An AVX512 optimized implementation of Argon2 has been added (written by Ondrej Mosnáček, thanks!)
 - The `crypto_pwhash_str_needs_rehash()` function was added to check if a password hash string matches the given parameters, or if it needs an update.
 - The library can now be compiled with recent versions of emscripten/binaryen that don't allow multiple variable declarations using a single `var` statement.

* Version 1.0.13
 - Javascript: the sumo builds now include all symbols. They were previously limited to symbols defined in minimal builds.
 - The public `crypto_pwhash_argon2i_MEMLIMIT_MAX` constant was incorrectly defined on 32-bit platforms. This has been fixed.
 - Version 1.0.12 didn't compile on OpenBSD/i386 using the base gcc compiler. This has been fixed.
 - The Android compilation scripts have been updated for NDK r14b.
 - armv7s-optimized code was re-added to iOS builds.
 - An AVX2 optimized implementation of the Argon2 round function was added.
 - The Argon2id variant of Argon2 has been implemented. The high-level `crypto_pwhash_str_verify()` function automatically detects the algorithm and can verify both Argon2i and Argon2id hashed passwords. The default algorithm for newly hashed passwords remains Argon2i in this version to avoid breaking compatibility with verifiers running libsodium <= 1.0.12.
 - A `crypto_box_curve25519xchacha20poly1305_seal*()` function set was implemented.
 - scrypt was removed from minimal builds.
 - libsodium is now available on NuGet.

* Version 1.0.12
 - Ed25519ph was implemented, adding a multi-part signature API (`crypto_sign_init()`, `crypto_sign_update()`, `crypto_sign_final_*()`).
 - New constants and related accessors have been added for Scrypt and Argon2.
 - XChaCha20 has been implemented. Like XSalsa20, this construction extends the ChaCha20 cipher to accept a 192-bit nonce. This makes it safe to use ChaCha20 with random nonces.
 - `crypto_secretbox`, `crypto_box` and `crypto_aead` now offer variants leveraging XChaCha20.
 - SHA-2 is about 20% faster, which also gives a speed boost to signing and signature verification.
 - AVX2 implementations of Salsa20 and ChaCha20 have been added. They are twice as fast as the SSE2 implementations. The speed gain is even more significant on Windows, which previously didn't use vectorized implementations.
 - New high-level API: `crypto_kdf`, to easily derive one or more subkeys from a master key.
 - Siphash with a 128-bit output has been implemented, and is available as `crypto_shorthash_siphashx_*`.
 - New `*_keygen()` helper functions have been added to create secret keys for all constructions. This improves code clarity and can prevent keys from being partially initialized.
 - A new `randombytes_buf_deterministic()` function was added to deterministically fill a memory region with pseudorandom data. This function is especially useful to write reproducible tests.
 - A preliminary `crypto_kx_*()` API was added to compute shared session keys.
 - AVX2 detection is more reliable.
 - The pthreads library is not required any more when using MingW.
 - `contrib/Findsodium.cmake` was added as an example to include libsodium in a project using cmake.
 - Compatibility with gcc 2.x has been restored.
 - Minimal builds can be checked using `sodium_library_minimal()`.
 - The `--enable-opt` compilation switch has become compatible with more platforms.
 - Android builds are now using clang on platforms where it is available.

* Version 1.0.11
 - `sodium_init()` is now thread-safe, and can be safely called multiple times.
 - Android binaries now properly support 64-bit Android, targeting platform 24, but without breaking compatibility with platforms 16 and 21.
 - Better support for old gcc versions.
 - On FreeBSD, core dumps are disabled on regions allocated with sodium allocation functions.
 - AVX2 detection was fixed, resulting in faster Blake2b hashing on platforms where it was not properly detected.
 - The Sandy2x Curve25519 implementation was not as fast as expected on some platforms. This has been fixed.
 - The NativeClient target was improved. Most notably, it now supports optimized implementations, and uses pepper_49 by default.
 - The library can be compiled with recent Emscripten versions. Changes have been made to produce smaller code, and the default heap size was reduced in the standard version.
 - The code can now be compiled on SLES11 service pack 4.
 - Decryption functions can now accept a NULL pointer for the output. This checks the MAC without writing the decrypted message.
 - crypto_generichash_final() now returns -1 if called twice.
 - Support for Visual Studio 2008 was improved.

* Version 1.0.10
 - This release only fixes a compilation issue reported with some older gcc versions. There are no functional changes over the previous release.

* Version 1.0.9
 - The Javascript target now includes a `--sumo` option to include all the symbols of the original C library.
 - A detached API was added to the ChaCha20-Poly1305 and AES256-GCM implementations.
 - The Argon2i password hashing function was added, and is accessible directly and through a new, high-level `crypto_pwhash` API. The scrypt function remains available as well.
 - A speed-record AVX2 implementation of BLAKE2b was added (thanks to Samuel Neves).
 - The library can now be compiled using C++Builder (thanks to @jcolli44)
 - Countermeasures for Ed25519 signature malleability have been added to match the irtf-cfrg-eddsa draft (note that malleability is irrelevant to the standard definition of signature security). Signatures with a small-order `R` point are now also rejected.
 - Some implementations are now slightly faster when using the Clang compiler.
 - The HChaCha20 core function was implemented (`crypto_core_hchacha20()`).
 - No-op stubs were added for all AES256-GCM public functions even when compiled on non-Intel platforms.
 - `crypto_generichash_blake2b_statebytes()` was added.
 - New macros were added for the IETF variant of the ChaCha20-Poly1305 construction.
 - The library can now be compiled on Minix.
 - HEASLR is now enabled on MinGW builds.

* Version 1.0.8
 - Handle the case where the CPU supports AVX, but we are running on a hypervisor with AVX disabled/not supported.
 - Faster (2x) scalarmult_base() when using the ref10 implementation.

* Version 1.0.7
 - More functions whose return value should be checked have been tagged with `__attribute__ ((warn_unused_result))`: `crypto_box_easy()`, `crypto_box_detached()`, `crypto_box_beforenm()`, `crypto_box()`, and `crypto_scalarmult()`.
 - Sandy2x, the fastest Curve25519 implementation ever, has been merged in, and is automatically used on CPUs supporting the AVX instruction set.
 - An SSE2 optimized implementation of Poly1305 was added, and is twice as fast as the portable one.
 - An SSSE3 optimized implementation of ChaCha20 was added, and is twice as fast as the portable one.
 - Faster `sodium_increment()` for common nonce sizes.
 - New helper functions have been added: `sodium_is_zero()` and `sodium_add()`.
 - `sodium_runtime_has_aesni()` now properly detects the CPU flag when compiled using Visual Studio.

* Version 1.0.6
 - Optimized implementations of Blake2 have been added for modern Intel platforms. `crypto_generichash()` is now faster than MD5 and SHA1 implementations while being far more secure.
 - Functions for which the return value should be checked have been tagged with `__attribute__ ((warn_unused_result))`. This will intentionally break code compiled with `-Werror` that didn't bother checking critical return values.
 - The `crypto_sign_edwards25519sha512batch_*()` functions have been tagged as deprecated.
 - Undocumented symbols that were exported, but were only useful for internal purposes have been removed or made private: `sodium_runtime_get_cpu_features()`, the implementation-specific `crypto_onetimeauth_poly1305_donna()` symbols, `crypto_onetimeauth_poly1305_set_implementation()`, `crypto_onetimeauth_poly1305_implementation_name()` and `crypto_onetimeauth_pick_best_implementation()`.
 - `sodium_compare()` now works as documented, and compares numbers in little-endian format instead of behaving like `memcmp()`.
 - The previous changes should not break actual applications, but to be safe, the library version major was incremented.
 - `sodium_runtime_has_ssse3()` and `sodium_runtime_has_sse41()` have been added.
 - The library can now be compiled with the CompCert compiler.

* Version 1.0.5
 - Compilation issues on some platforms were fixed: missing alignment directives were added (required at least on RHEL-6/i386), a workaround for a VRP bug on gcc/armv7 was added, and the library can now be compiled with the SunPro compiler.
 - Javascript target: io.js is not supported any more. Use nodejs.

* Version 1.0.4
 - Support for AES256-GCM has been added. This requires a CPU with the aesni and pclmul extensions, and is accessible via the crypto_aead_aes256gcm_*() functions.
 - The Javascript target doesn't use eval() any more, so that the library can be used in Chrome packaged applications.
 - QNX and CloudABI are now supported.
 - Support for NaCl has finally been added.
 - ChaCha20 with an extended (96 bit) nonce and a 32-bit counter has been implemented as crypto_stream_chacha20_ietf(), crypto_stream_chacha20_ietf_xor() and crypto_stream_chacha20_ietf_xor_ic(). An IETF-compatible version of ChaCha20Poly1305 is available as crypto_aead_chacha20poly1305_ietf_npubbytes(), crypto_aead_chacha20poly1305_ietf_encrypt() and crypto_aead_chacha20poly1305_ietf_decrypt().
 - The sodium_increment() helper function has been added, to increment an arbitrarily large number (such as a nonce).
 - The sodium_compare() helper function has been added, to compare arbitrarily large numbers (such as nonces, in order to prevent replay attacks).

* Version 1.0.3
 - In addition to sodium_bin2hex(), sodium_hex2bin() is now a constant-time function.
 - crypto_stream_xsalsa20_ic() has been added.
 - crypto_generichash_statebytes(), crypto_auth_*_statebytes() and crypto_hash_*_statebytes() have been added in order to retrieve the size of structures keeping states from foreign languages.
 - The JavaScript target doesn't require /dev/urandom or an external randombytes() implementation any more. Other minor Emscripten-related improvements have been made in order to support libsodium.js
 - Custom randombytes implementations do not need to provide their own implementation of randombytes_uniform() any more. randombytes_stir() and randombytes_close() can also be NULL pointers if they are not required.
 - On Linux, getrandom(2) is being used instead of directly accessing /dev/urandom, if the kernel supports this system call.
 - crypto_box_seal() and crypto_box_seal_open() have been added.
 - Visual Studio 2015 is now supported.
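The sodium_increment() and sodium_compare() helpers introduced in 1.0.4, together with the 1.0.6 fix that made sodium_compare() order numbers as little-endian integers rather than like memcmp(), are easiest to understand from a standalone version of the same semantics. The following is an added example, not libsodium's own code: constant-time little-endian compare and increment, applied to the nonce replay check the 1.0.4 entry alludes to. The names le_compare, le_increment and accept_nonce are hypothetical, and the packet sequence is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Compare a and b as little-endian unsigned integers of len bytes, the
 * ordering documented for sodium_compare(): -1 if a < b, 0 if equal,
 * 1 if a > b. No early exit, so running time depends only on len and
 * never on the bytes themselves. */
static int le_compare(const unsigned char *a, const unsigned char *b, size_t len)
{
    uint32_t gt = 0, eq = 1;
    size_t i = len;

    /* The most significant byte is the last one, so walk backwards. */
    while (i != 0) {
        i--;
        uint32_t x = a[i], y = b[i];
        /* y - x wraps exactly when x > y, setting every bit above bit 7;
         * this only counts while all higher bytes matched (eq == 1). */
        gt |= ((y - x) >> 8) & eq & 1;
        /* (x ^ y) - 1 wraps only when x == y, so eq drops to 0 at the
         * first differing byte and stays there. */
        eq &= (((x ^ y) - 1) >> 8) & 1;
    }
    return (int)(gt + gt + eq) - 1;
}

/* Add one to the little-endian integer in n, wrapping modulo 2^(8*len),
 * like sodium_increment(). The carry is pushed through every byte. */
static void le_increment(unsigned char *n, size_t len)
{
    uint32_t carry = 1;

    for (size_t i = 0; i < len; i++) {
        carry += n[i];
        n[i] = (unsigned char)carry;
        carry >>= 8;
    }
}

/* Minimal anti-replay rule: accept a packet only if its nonce is strictly
 * greater than the highest nonce already seen, then record it. Returns 1
 * if accepted, 0 if replayed or out of order. Simplification: last_seen
 * starts at zero, so a sender's first nonce must be nonzero. */
static int accept_nonce(unsigned char *last_seen, const unsigned char *incoming, size_t len)
{
    if (le_compare(incoming, last_seen, len) <= 0) {
        return 0;
    }
    memcpy(last_seen, incoming, len);
    return 1;
}

/* Why memcmp()-style ordering was wrong: it compares the first byte, which
 * is the LEAST significant one here. Returns 1 when the orderings disagree. */
static int memcmp_disagrees(void)
{
    static const unsigned char one[2] = { 0x01, 0x00 };   /* value 1   */
    static const unsigned char big[2] = { 0x00, 0x01 };   /* value 256 */
    return memcmp(one, big, 2) > 0 && le_compare(one, big, 2) < 0;
}

/* Carry propagation and wrap-around of le_increment(). Returns 1 on success. */
static int increment_checks(void)
{
    unsigned char a[2] = { 0xff, 0x00 };   /* 255   */
    unsigned char b[2] = { 0xff, 0xff };   /* 65535 */

    le_increment(a, 2);                    /* -> 256 = { 0x00, 0x01 } */
    le_increment(b, 2);                    /* -> 0 (wrapped)          */
    return a[0] == 0x00 && a[1] == 0x01 && b[0] == 0x00 && b[1] == 0x00;
}

/* Constructed packet sequence: fresh, replayed, fresh, stale.
 * Returns how many of the four were accepted (expected: 2). */
static int replay_demo(void)
{
    unsigned char last_seen[8] = { 0 };
    unsigned char nonce[8] = { 0 };
    int accepted = 0;

    le_increment(nonce, 8);                          /* nonce = 1: fresh     */
    accepted += accept_nonce(last_seen, nonce, 8);
    accepted += accept_nonce(last_seen, nonce, 8);   /* nonce = 1: replayed  */
    le_increment(nonce, 8);
    le_increment(nonce, 8);                          /* nonce = 3: fresh     */
    accepted += accept_nonce(last_seen, nonce, 8);
    nonce[0] = 2;                                    /* nonce = 2 < 3: stale */
    accepted += accept_nonce(last_seen, nonce, 8);
    return accepted;
}

int main(void)
{
    printf("memcmp disagrees with numeric order: %d\n", memcmp_disagrees());
    printf("increment checks pass: %d\n", increment_checks());
    printf("packets accepted: %d of 4\n", replay_demo());
    return 0;
}
```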

* Version 1.0.2
 - The _easy and _detached APIs now support precalculated keys; crypto_box_easy_afternm(), crypto_box_open_easy_afternm(), crypto_box_detached_afternm() and crypto_box_open_detached_afternm() have been added as an alternative to the NaCl interface.
 - Memory allocation functions can now be used on operating systems with no memory protection.
 - crypto_sign_open() and crypto_sign_edwards25519sha512batch_open() now accept a NULL pointer instead of a pointer to the message size, if storing this information is not required.
 - The close-on-exec flag is now set on the descriptor returned when opening /dev/urandom.
 - A libsodium-uninstalled.pc file has been added, to use pkg-config even when libsodium is not installed.
 - The iOS target now includes armv7s and arm64 optimized code, as well as i386 and x86_64 code for the iOS simulator.
 - sodium_free() can now be called on regions with PROT_NONE protection.
 - The Javascript tests can run on Ubuntu, where the node binary was renamed nodejs. io.js can also be used instead of node.

* Version 1.0.1
 - DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid collisions with similar macros defined by other libraries.
 - sodium_bin2hex() is now constant-time.
 - crypto_secretbox_detached() now supports overlapping input and output regions.
 - NaCl's donna_c64 implementation of curve25519 was reading an extra byte past the end of the buffer containing the base point. This has been fixed.

* Version 1.0.0
 - The API and ABI are now stable. New features will be added, but backward-compatibility is guaranteed through all the 1.x.y releases.
 - crypto_sign() properly works with overlapping regions again. Thanks to @pysiak for reporting this regression introduced in version 0.6.1.
 - The test suite has been extended.

* Version 0.7.1 (1.0 RC2)
 - This is the second release candidate of Sodium 1.0. Minor compilation, readability and portability changes have been made and the test suite was improved, but the API is the same as the previous release candidate.

* Version 0.7.0 (1.0 RC1)
 - Allocating memory to store sensitive data can now be done using sodium_malloc() and sodium_allocarray(). These functions add guard pages around the protected data to make it less likely to be accessible in a heartbleed-like scenario. In addition, the protection for memory regions allocated that way can be changed using sodium_mprotect_noaccess(), sodium_mprotect_readonly() and sodium_mprotect_readwrite().
 - ed25519 keys can be converted to curve25519 keys with crypto_sign_ed25519_pk_to_curve25519() and crypto_sign_ed25519_sk_to_curve25519(). This allows using the same keys for signature and encryption.
 - The seed and the public key can be extracted from an ed25519 key using crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk().
 - aes256 was removed. A timing-attack resistant implementation might be added later, but not before version 1.0 is tagged.
 - The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was removed. Use crypto_pwhash_scryptsalsa208sha256_*.
 - The compatibility layer for implementation-specific functions was removed.
 - Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed.
 - crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains the prefix produced by crypto_pwhash_scryptsalsa208sha256_str().

* Version 0.6.1
 - Important bug fix: when crypto_sign_open() was given a signed message too short to even contain a signature, it was putting an unlimited amount of zeros into the target buffer instead of immediately returning -1. The bug was introduced in version 0.5.0.
 - New API: crypto_sign_detached() and crypto_sign_verify_detached() to produce and verify ed25519 signatures without having to duplicate the message.
 - New ./configure switch: --enable-minimal, to create a smaller library, with only the functions required for the high-level API. Mainly useful for the JavaScript target and embedded systems.
 - All the symbols are now exported by the Emscripten build script.
 - The pkg-config .pc file is now always installed even if the pkg-config tool is not available during the installation.

* Version 0.6.0
 - The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_*
 - The ChaCha20Poly1305 AEAD construction has been implemented, as crypto_aead_chacha20poly1305_*
 - The _easy API does not require any heap allocations any more and does not have any overhead over the NaCl API. With the password hashing function being an obvious exception, the library doesn't allocate and will not allocate heap memory ever.
 - crypto_box and crypto_secretbox have a new _detached API to store the authentication tag and the encrypted message separately.
 - crypto_pwhash_scryptxsalsa208sha256*() functions have been renamed crypto_pwhash_scryptsalsa208sha256*().
 - The low-level crypto_pwhash_scryptsalsa208sha256_ll() function allows setting individual parameters of the scrypt function.
 - New macros and functions for recommended crypto_pwhash_* parameters have been added.
 - Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair() has been introduced to deterministically generate a key pair from a seed.
 - crypto_onetimeauth() now provides a streaming interface.
 - crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic() have been added to use a non-zero initial block counter.
 - On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which doesn't require the Crypt API.
 - The high bit in curve25519 is masked instead of processing the key as a 256-bit value.
 - The curve25519 ref implementation was replaced by the latest ref10 implementation from Supercop.
 - sodium_mlock() now prevents memory from being included in coredumps on Linux 3.4+

* Version 0.5.0
 - sodium_mlock()/sodium_munlock() have been introduced to lock pages in memory before storing sensitive data, and to zero them before unlocking them.
 - High-level wrappers for crypto_box and crypto_secretbox (crypto_box_easy and crypto_secretbox_easy) can be used to avoid dealing with the specific memory layout regular functions depend on.
 - crypto_pwhash_scryptsalsa208sha256* functions have been added to derive a key from a password, and for password storage.
 - Salsa20 and ed25519 implementations now support overlapping inputs/keys/outputs (changes imported from supercop-20140505).
 - New build scripts for Visual Studio, Emscripten, different Android
architectures and msys2 are available.
 - The poly1305-53 implementation has been replaced with Floodyberry's
poly1305-donna32 and poly1305-donna64 implementations.
 - sodium_hex2bin() has been added to complement sodium_bin2hex().
 - On OpenBSD and Bitrig, arc4random() is used instead of reading
/dev/urandom.
 - crypto_auth_hmac_sha512() has been implemented.
 - sha256 and sha512 now have a streaming interface.
 - hmacsha256, hmacsha512 and hmacsha512256 now support keys of
arbitrary length, and have a streaming interface.
 - crypto_verify_64() has been implemented.
 - First-class Visual Studio build system, thanks to @evoskuil.
 - CPU features are now detected at runtime.
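
The crypto_verify_64() entry above adds a third fixed-size constant-time
comparison next to crypto_verify_16() and crypto_verify_32(). The point of
these functions is that authentication tags and hashes must never be compared
with memcmp(), which returns as soon as it finds the first differing byte and
thereby leaks, through timing, how many leading bytes of a forged tag were
correct. The block below is an added example written for this ChangeLog, not
libsodium's own source: it shows the technique those functions rely on, a
generic ct_verify() (a name assumed here) that ORs the XOR of every byte pair
into one accumulator and only then converts the accumulator into 0 (equal) or
-1 (different), plus fixed-size wrappers using the crypto_verify_* naming.

```c
/* Added example (not libsodium's own code): constant-time comparison in the
 * style of crypto_verify_16/32/64(). Returns 0 when the buffers are equal
 * and -1 otherwise; running time does not depend on where the first
 * differing byte is, so timing reveals nothing about the expected value. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compare n bytes with no early exit and no data-dependent branch. */
int ct_verify(const unsigned char *x, const unsigned char *y, size_t n)
{
    /* volatile keeps the compiler from turning the loop back into an
     * early-exit comparison once it can prove d is already non-zero. */
    const volatile unsigned char *vx = x;
    const volatile unsigned char *vy = y;
    volatile unsigned int d = 0U;
    size_t i;

    for (i = 0; i < n; i++) {
        d |= (unsigned int)(vx[i] ^ vy[i]);
    }
    /* d is in [0, 255]. (d - 1) >> 8 has its low bit set only when d == 0
     * (unsigned wrap-around), so the expression yields 0 for equal inputs
     * and -1 for any difference, without branching on d. */
    return (int)(1U & ((d - 1U) >> 8)) - 1;
}

/* Fixed-size wrappers mirroring the crypto_verify_* family. */
int ct_verify_16(const unsigned char *x, const unsigned char *y)
{
    return ct_verify(x, y, 16);
}

int ct_verify_32(const unsigned char *x, const unsigned char *y)
{
    return ct_verify(x, y, 32);
}

int ct_verify_64(const unsigned char *x, const unsigned char *y)
{
    return ct_verify(x, y, 64);
}

int main(void)
{
    /* Constructed sample: a 64-byte "expected" tag and a copy that differs
     * only in the final byte, the case where memcmp() would run longest. */
    unsigned char expected[64];
    unsigned char received[64];

    memset(expected, 0xA5, sizeof expected);
    memcpy(received, expected, sizeof received);
    printf("identical tags : %d\n", ct_verify_64(expected, received));
    received[63] ^= 0x01;
    printf("last byte flip : %d\n", ct_verify_64(expected, received));
    return 0;
}
```

In a real protocol the caller treats -1 as "reject" and never reports which
byte failed. The accumulator trick is the interesting part: every byte is
always visited, and the final 0/-1 conversion is arithmetic rather than an
`if`, so neither the loop count nor the branch pattern depends on the secret.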

* Version 0.4.5
 - Restore compatibility with OSX <= 10.6.

* Version 0.4.4
 - Visual Studio is officially supported (VC 2010 & VC 2013).
 - mingw64 is now supported.
 - Big-endian architectures are now supported as well.
 - The curve25519_donna_c64 implementation now handles non-canonical
points like the ref implementation.
 - Missing scalarmult_curve25519 and stream_salsa20 constants are now exported.
 - A crypto_onetimeauth_poly1305_ref() wrapper has been added.

* Version 0.4.3
 - crypto_sign_seedbytes() and crypto_sign_SEEDBYTES were added.
 - crypto_onetimeauth_poly1305_implementation_name() was added.
 - poly1305-ref has been replaced by a faster implementation,
Floodyberry's poly1305-donna-unrolled.
 - Stack markings have been added to assembly code, for Hardened Gentoo.
 - pkg-config can now be used in order to retrieve compilation flags for
using libsodium.
 - crypto_stream_aes256estream_*() can now deal with unaligned input
on platforms that require word alignment.
 - Portability improvements.

* Version 0.4.2
 - All NaCl constants are now also exposed as functions.
 - The Android and iOS cross-compilation scripts have been improved.
 - libsodium can now be cross-compiled to Windows from Linux.
 - libsodium can now be compiled with emscripten.
 - New convenience function (prototyped in utils.h): sodium_bin2hex().

* Version 0.4.1
 - sodium_version_*() functions were not exported in version 0.4. They
are now visible as intended.
 - sodium_init() now calls randombytes_stir().
 - The optimized assembly version of salsa20 is now used on amd64.
 - Further cleanups and enhanced compatibility with non-C99 compilers.

* Version 0.4
 - Most constants and operations are now available as actual functions
instead of macros, making it easier to use from other languages.
 - New operation: crypto_generichash, featuring a variable key size, a
variable output size, and a streaming API. Currently implemented using
Blake2b.
 - The package can be compiled in a separate directory.
 - aes128ctr functions are exported.
 - Optimized versions of curve25519 (curve25519_donna_c64), poly1305
(poly1305_53) and ed25519 (ed25519_ref10) are available. Optionally calling
sodium_init() once before using the library makes it pick the fastest
implementation.
 - New convenience function: sodium_memzero(), in order to securely
wipe a memory area.
 - A whole bunch of cleanups and portability enhancements.
 - On Windows, a .REF file is generated along with the shared library,
for use with Visual Studio. The installation path for these has become
$prefix/bin as expected by MingW.

* Version 0.3
 - The crypto_shorthash operation has been added, implemented using
SipHash-2-4.

* Version 0.2
 - crypto_sign_seed_keypair() has been added.

* Version 0.1
 - Initial release.