summaryrefslogtreecommitdiff
path: root/libs/libsodium/docs
diff options
context:
space:
mode:
authordartraiden <wowemuh@gmail.com>2023-09-14 22:53:45 +0300
committerdartraiden <wowemuh@gmail.com>2023-09-14 22:53:45 +0300
commitc400f5c17af4996eb2ecf0597e17eb25c17857d8 (patch)
treec895207a210e5538c491ba9fc15ee0f28780a7f6 /libs/libsodium/docs
parentcd3146d46f9b9e24065b9ec31d963d52da3cdcbe (diff)
libsodium: update to 1.0.19
Diffstat (limited to 'libs/libsodium/docs')
-rw-r--r--libs/libsodium/docs/AUTHORS270
-rw-r--r--libs/libsodium/docs/ChangeLog1054
-rw-r--r--libs/libsodium/docs/LICENSE36
-rw-r--r--libs/libsodium/docs/THANKS183
4 files changed, 779 insertions, 764 deletions
diff --git a/libs/libsodium/docs/AUTHORS b/libs/libsodium/docs/AUTHORS
index 39e55f6288..6240b1dc37 100644
--- a/libs/libsodium/docs/AUTHORS
+++ b/libs/libsodium/docs/AUTHORS
@@ -1,135 +1,135 @@
-
-Designers
-=========
-
-argon2 Alex Biryukov
- Daniel Dinu
- Dmitry Khovratovich
-
-blake2 Jean-Philippe Aumasson
- Christian Winnerlein
- Samuel Neves
- Zooko Wilcox-O'Hearn
-
-chacha20 Daniel J. Bernstein
-
-chacha20poly1305 Adam Langley
- Yoav Nir
-
-curve25519 Daniel J. Bernstein
-
-curve25519xsalsa20poly1305 Daniel J. Bernstein
-
-ed25519 Daniel J. Bernstein
- Bo-Yin Yang
- Niels Duif
- Peter Schwabe
- Tanja Lange
-
-poly1305 Daniel J. Bernstein
-
-salsa20 Daniel J. Bernstein
-
-scrypt Colin Percival
-
-siphash Jean-Philippe Aumasson
- Daniel J. Bernstein
-
-Implementors
-============
-
-crypto_aead/aes256gcm/aesni Romain Dolbeau
- Frank Denis
-
-crypto_aead/chacha20poly1305 Frank Denis
-
-crypto_aead/xchacha20poly1305 Frank Denis
- Jason A. Donenfeld
-
-crypto_auth/hmacsha256 Colin Percival
-crypto_auth/hmacsha512
-crypto_auth/hmacsha512256
-
-crypto_box/curve25519xsalsa20poly1305 Daniel J. Bernstein
-
-crypto_box/curve25519xchacha20poly1305 Frank Denis
-
-crypto_core/ed25519 Daniel J. Bernstein
- Adam Langley
-
-crypto_core/hchacha20 Frank Denis
-
-crypto_core/hsalsa20 Daniel J. Bernstein
-crypto_core/salsa
-
-crypto_generichash/blake2b Jean-Philippe Aumasson
- Christian Winnerlein
- Samuel Neves
- Zooko Wilcox-O'Hearn
-
-crypto_hash/sha256 Colin Percival
-crypto_hash/sha512
-crypto_hash/sha512256
-
-crypto_kdf Frank Denis
-
-crypto_kx Frank Denis
-
-crypto_onetimeauth/poly1305/donna Andrew "floodyberry" Moon
-crypto_onetimeauth/poly1305/sse2
-
-crypto_pwhash/argon2 Samuel Neves
- Dmitry Khovratovich
- Jean-Philippe Aumasson
- Daniel Dinu
- Thomas Pornin
-
-crypto_pwhash/scryptsalsa208sha256 Colin Percival
- Alexander Peslyak
-
-crypto_scalarmult/curve25519/ref10 Daniel J. Bernstein
-
-crypto_scalarmult/curve25519/sandy2x Tung Chou
-
-crypto_scalarmult/ed25519 Frank Denis
-
-crypto_secretbox/xsalsa20poly1305 Daniel J. Bernstein
-
-crypto_secretbox/xchacha20poly1305 Frank Denis
-
-crypto_secretstream/xchacha20poly1305 Frank Denis
-
-crypto_shorthash/siphash24 Jean-Philippe Aumasson
- Daniel J. Bernstein
-
-crypto_sign/ed25519 Peter Schwabe
- Daniel J. Bernstein
- Niels Duif
- Tanja Lange
- Bo-Yin Yang
-
-crypto_stream/chacha20/ref Daniel J. Bernstein
-
-crypto_stream/chacha20/dolbeau Romain Dolbeau
- Daniel J. Bernstein
-
-crypto_stream/salsa20/ref Daniel J. Bernstein
-crypto_stream/salsa20/xmm6
-
-crypto_stream/salsa20/xmm6int Romain Dolbeau
- Daniel J. Bernstein
-
-crypto_stream/salsa2012/ref Daniel J. Bernstein
-crypto_stream/salsa2008/ref
-
-crypto_stream/xchacha20 Frank Denis
-
-crypto_verify Frank Denis
-
-sodium/codecs.c Frank Denis
- Thomas Pornin
- Christian Winnerlein
-
-sodium/core.c Frank Denis
-sodium/runtime.h
-sodium/utils.c
+
+Designers
+=========
+
+argon2 Alex Biryukov
+ Daniel Dinu
+ Dmitry Khovratovich
+
+blake2 Jean-Philippe Aumasson
+ Christian Winnerlein
+ Samuel Neves
+ Zooko Wilcox-O'Hearn
+
+chacha20 Daniel J. Bernstein
+
+chacha20poly1305 Adam Langley
+ Yoav Nir
+
+curve25519 Daniel J. Bernstein
+
+curve25519xsalsa20poly1305 Daniel J. Bernstein
+
+ed25519 Daniel J. Bernstein
+ Bo-Yin Yang
+ Niels Duif
+ Peter Schwabe
+ Tanja Lange
+
+poly1305 Daniel J. Bernstein
+
+salsa20 Daniel J. Bernstein
+
+scrypt Colin Percival
+
+siphash Jean-Philippe Aumasson
+ Daniel J. Bernstein
+
+Implementors
+============
+
+crypto_aead/aes256gcm/aesni Romain Dolbeau
+ Frank Denis
+
+crypto_aead/chacha20poly1305 Frank Denis
+
+crypto_aead/xchacha20poly1305 Frank Denis
+ Jason A. Donenfeld
+
+crypto_auth/hmacsha256 Colin Percival
+crypto_auth/hmacsha512
+crypto_auth/hmacsha512256
+
+crypto_box/curve25519xsalsa20poly1305 Daniel J. Bernstein
+
+crypto_box/curve25519xchacha20poly1305 Frank Denis
+
+crypto_core/ed25519 Daniel J. Bernstein
+ Adam Langley
+
+crypto_core/hchacha20 Frank Denis
+
+crypto_core/hsalsa20 Daniel J. Bernstein
+crypto_core/salsa
+
+crypto_generichash/blake2b Jean-Philippe Aumasson
+ Christian Winnerlein
+ Samuel Neves
+ Zooko Wilcox-O'Hearn
+
+crypto_hash/sha256 Colin Percival
+crypto_hash/sha512
+crypto_hash/sha512256
+
+crypto_kdf Frank Denis
+
+crypto_kx Frank Denis
+
+crypto_onetimeauth/poly1305/donna Andrew "floodyberry" Moon
+crypto_onetimeauth/poly1305/sse2
+
+crypto_pwhash/argon2 Samuel Neves
+ Dmitry Khovratovich
+ Jean-Philippe Aumasson
+ Daniel Dinu
+ Thomas Pornin
+
+crypto_pwhash/scryptsalsa208sha256 Colin Percival
+ Alexander Peslyak
+
+crypto_scalarmult/curve25519/ref10 Daniel J. Bernstein
+
+crypto_scalarmult/curve25519/sandy2x Tung Chou
+
+crypto_scalarmult/ed25519 Frank Denis
+
+crypto_secretbox/xsalsa20poly1305 Daniel J. Bernstein
+
+crypto_secretbox/xchacha20poly1305 Frank Denis
+
+crypto_secretstream/xchacha20poly1305 Frank Denis
+
+crypto_shorthash/siphash24 Jean-Philippe Aumasson
+ Daniel J. Bernstein
+
+crypto_sign/ed25519 Peter Schwabe
+ Daniel J. Bernstein
+ Niels Duif
+ Tanja Lange
+ Bo-Yin Yang
+
+crypto_stream/chacha20/ref Daniel J. Bernstein
+
+crypto_stream/chacha20/dolbeau Romain Dolbeau
+ Daniel J. Bernstein
+
+crypto_stream/salsa20/ref Daniel J. Bernstein
+crypto_stream/salsa20/xmm6
+
+crypto_stream/salsa20/xmm6int Romain Dolbeau
+ Daniel J. Bernstein
+
+crypto_stream/salsa2012/ref Daniel J. Bernstein
+crypto_stream/salsa2008/ref
+
+crypto_stream/xchacha20 Frank Denis
+
+crypto_verify Frank Denis
+
+sodium/codecs.c Frank Denis
+ Thomas Pornin
+ Christian Winnerlein
+
+sodium/core.c Frank Denis
+sodium/runtime.h
+sodium/utils.c
diff --git a/libs/libsodium/docs/ChangeLog b/libs/libsodium/docs/ChangeLog
index 2504a9b64a..288f58ccab 100644
--- a/libs/libsodium/docs/ChangeLog
+++ b/libs/libsodium/docs/ChangeLog
@@ -1,520 +1,534 @@
-
-* Version 1.0.17
- - Bug fix: `sodium_pad()` didn't properly support block sizes >= 256 bytes.
- - JS/WebAssembly: some old iOS versions can't instantiate the WebAssembly
-module; fall back to Javascript on these.
- - JS/WebAssembly: compatibility with newer Emscripten versions.
- - Bug fix: `crypto_pwhash_scryptsalsa208sha256_str_verify()` and
-`crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()` didn't return
-`EINVAL` on input strings with a short length, unlike their high-level
-counterpart.
- - Added a workaround for Visual Studio 2010 bug causing CPU features
-not to be detected.
- - The library now enables compilation with retpoline by default.
- - Portability improvements.
- - Test vectors from Project Wycheproof have been added.
-
-* Version 1.0.16
- - Signatures computations and verifications are now way faster on
-64-bit platforms with compilers supporting 128-bit arithmetic (gcc,
-clang, icc). This includes the WebAssembly target.
- - New low-level APIs for computations over edwards25519:
-`crypto_scalarmult_ed25519()`, `crypto_scalarmult_ed25519_base()`,
-`crypto_core_ed25519_is_valid_point()`, `crypto_core_ed25519_add()`,
-`crypto_core_ed25519_sub()` and `crypto_core_ed25519_from_uniform()`
-(elligator representative to point).
- - `crypto_sign_open()`, `crypto_sign_verify_detached() and
-`crypto_sign_edwards25519sha512batch_open` now reject public keys in
-non-canonical form in addition to low-order points.
- - The library can be built with `ED25519_NONDETERMINISTIC` defined in
-order to use synthetic nonces for EdDSA. This is disabled by default.
- - Webassembly: `crypto_pwhash_*()` functions are now included in
-non-sumo builds.
- - `sodium_stackzero()` was added to wipe content off the stack.
- - Android: support new SDKs where unified headers have become the
-default.
- - The Salsa20-based PRNG example is now thread-safe on platforms with
-support for thread-local storage, optionally mixes bits from RDRAND.
- - CMAKE: static library detection on Unix systems has been improved
-(thanks to @BurningEnlightenment, @nibua-r, @mellery451)
- - Argon2 and scrypt are slightly faster on Linux.
-
-* Version 1.0.15
- - The default password hashing algorithm is now Argon2id. The
-`pwhash_str_verify()` function can still verify Argon2i hashes
-without any changes, and `pwhash()` can still compute Argon2i hashes
-as well.
- - The aes128ctr primitive was removed. It was slow, non-standard, not
-authenticated, and didn't seem to be used by any opensource project.
- - Argon2id required at least 3 passes like Argon2i, despite a minimum
-of `1` as defined by the `OPSLIMIT_MIN` constant. This has been fixed.
- - The secretstream construction was slightly changed to be consistent
-with forthcoming variants.
- - The Javascript and Webassembly versions have been merged, and the
-module now returns a `.ready` promise that will resolve after the
-Webassembly code is loaded and compiled.
- - Note that due to these incompatible changes, the library version
-major was bumped up.
-
-* Version 1.0.14
- - iOS binaries should now be compatible with WatchOS and TVOS.
- - WebAssembly is now officially supported. Special thanks to
-@facekapow and @pepyakin who helped to make it happen.
- - Internal consistency checks failing and primitives used with
-dangerous/out-of-bounds/invalid parameters used to call abort(3).
-Now, a custom handler *that doesn't return* can be set with the
-`set_sodium_misuse()` function. It still aborts by default or if the
-handler ever returns. This is not a replacement for non-fatal,
-expected runtime errors. This handler will be only called in
-unexpected situations due to potential bugs in the library or in
-language bindings.
- - `*_MESSAGEBYTES_MAX` macros (and the corresponding
-`_messagebytes_max()` symbols) have been added to represent the
-maximum message size that can be safely handled by a primitive.
-Language bindings are encouraged to check user inputs against these
-maximum lengths.
- - The test suite has been extended to cover more edge cases.
- - crypto_sign_ed25519_pk_to_curve25519() now rejects points that are
-not on the curve, or not in the main subgroup.
- - Further changes have been made to ensure that smart compilers will
-not optimize out code that we don't want to be optimized.
- - Visual Studio solutions are now included in distribution tarballs.
- - The `sodium_runtime_has_*` symbols for CPU features detection are
-now defined as weak symbols, i.e. they can be replaced with an
-application-defined implementation. This can be useful to disable
-AVX* when temperature/power consumption is a concern.
- - `crypto_kx_*()` now aborts if called with no non-NULL pointers to
-store keys to.
- - SSE2 implementations of `crypto_verify_*()` have been added.
- - Passwords can be hashed using a specific algorithm with the new
-`crypto_pwhash_str_alg()` function.
- - Due to popular demand, base64 encoding (`sodium_bin2base64()`) and
-decoding (`sodium_base642bin()`) have been implemented.
- - A new `crypto_secretstream_*()` API was added to safely encrypt files
-and multi-part messages.
- - The `sodium_pad()` and `sodium_unpad()` helper functions have been
-added in order to add & remove padding.
- - An AVX512 optimized implementation of Argon2 has been added (written
-by Ondrej Mosnáček, thanks!)
- - The `crypto_pwhash_str_needs_rehash()` function was added to check if
-a password hash string matches the given parameters, or if it needs an
-update.
- - The library can now be compiled with recent versions of
-emscripten/binaryen that don't allow multiple variables declarations
-using a single `var` statement.
-
-* Version 1.0.13
- - Javascript: the sumo builds now include all symbols. They were
-previously limited to symbols defined in minimal builds.
- - The public `crypto_pwhash_argon2i_MEMLIMIT_MAX` constant was
-incorrectly defined on 32-bit platforms. This has been fixed.
- - Version 1.0.12 didn't compile on OpenBSD/i386 using the base gcc
-compiler. This has been fixed.
- - The Android compilation scripts have been updated for NDK r14b.
- - armv7s-optimized code was re-added to iOS builds.
- - An AVX2 optimized implementation of the Argon2 round function was
-added.
- - The Argon2id variant of Argon2 has been implemented. The
-high-level `crypto_pwhash_str_verify()` function automatically detects
-the algorithm and can verify both Argon2i and Argon2id hashed passwords.
-The default algorithm for newly hashed passwords remains Argon2i in
-this version to avoid breaking compatibility with verifiers running
-libsodium <= 1.0.12.
- - A `crypto_box_curve25519xchacha20poly1305_seal*()` function set was
-implemented.
- - scrypt was removed from minimal builds.
- - libsodium is now available on NuGet.
-
-* Version 1.0.12
- - Ed25519ph was implemented, adding a multi-part signature API
-(`crypto_sign_init()`, `crypto_sign_update()`, `crypto_sign_final_*()`).
- - New constants and related accessors have been added for Scrypt and
-Argon2.
- - XChaCha20 has been implemented. Like XSalsa20, this construction
-extends the ChaCha20 cipher to accept a 192-bit nonce. This makes it safe
-to use ChaCha20 with random nonces.
- - `crypto_secretbox`, `crypto_box` and `crypto_aead` now offer
-variants leveraging XChaCha20.
- - SHA-2 is about 20% faster, which also gives a speed boost to
-signature and signature verification.
- - AVX2 implementations of Salsa20 and ChaCha20 have been added. They
-are twice as fast as the SSE2 implementations. The speed gain is
-even more significant on Windows, that previously didn't use
-vectorized implementations.
- - New high-level API: `crypto_kdf`, to easily derive one or more
-subkeys from a master key.
- - Siphash with a 128-bit output has been implemented, and is
-available as `crypto_shorthash_siphashx_*`.
- - New `*_keygen()` helpers functions have been added to create secret
-keys for all constructions. This improves code clarity and can prevent keys
-from being partially initialized.
- - A new `randombytes_buf_deterministic()` function was added to
-deterministically fill a memory region with pseudorandom data. This
-function can especially be useful to write reproducible tests.
- - A preliminary `crypto_kx_*()` API was added to compute shared session
-keys.
- - AVX2 detection is more reliable.
- - The pthreads library is not required any more when using MingW.
- - `contrib/Findsodium.cmake` was added as an example to include
-libsodium in a project using cmake.
- - Compatibility with gcc 2.x has been restored.
- - Minimal builds can be checked using `sodium_library_minimal()`.
- - The `--enable-opt` compilation switch has become compatible with more
-platforms.
- - Android builds are now using clang on platforms where it is
-available.
-
-* Version 1.0.11
- - `sodium_init()` is now thread-safe, and can be safely called multiple
-times.
- - Android binaries now properly support 64-bit Android, targeting
-platform 24, but without breaking compatibility with platforms 16 and
-21.
- - Better support for old gcc versions.
- - On FreeBSD, core dumps are disabled on regions allocated with
-sodium allocation functions.
- - AVX2 detection was fixed, resulting in faster Blake2b hashing on
-platforms where it was not properly detected.
- - The Sandy2x Curve25519 implementation was not as fast as expected
-on some platforms. This has been fixed.
- - The NativeClient target was improved. Most notably, it now supports
-optimized implementations, and uses pepper_49 by default.
- - The library can be compiled with recent Emscripten versions.
-Changes have been made to produce smaller code, and the default heap
-size was reduced in the standard version.
- - The code can now be compiled on SLES11 service pack 4.
- - Decryption functions can now accept a NULL pointer for the output.
-This checks the MAC without writing the decrypted message.
- - crypto_generichash_final() now returns -1 if called twice.
- - Support for Visual Studio 2008 was improved.
-
-* Version 1.0.10
- - This release only fixes a compilation issue reported with some older
-gcc versions. There are no functional changes over the previous release.
-
-* Version 1.0.9
- - The Javascript target now includes a `--sumo` option to include all
-the symbols of the original C library.
- - A detached API was added to the ChaCha20-Poly1305 and AES256-GCM
-implementations.
- - The Argon2i password hashing function was added, and is accessible
-directly and through a new, high-level `crypto_pwhash` API. The scrypt
-function remains available as well.
- - A speed-record AVX2 implementation of BLAKE2b was added (thanks to
-Samuel Neves).
- - The library can now be compiled using C++Builder (thanks to @jcolli44)
- - Countermeasures for Ed25519 signatures malleability have been added
-to match the irtf-cfrg-eddsa draft (note that malleability is irrelevant to
-the standard definition of signature security). Signatures with a small-order
-`R` point are now also rejected.
- - Some implementations are now slightly faster when using the Clang
-compiler.
- - The HChaCha20 core function was implemented (`crypto_core_hchacha20()`).
- - No-op stubs were added for all AES256-GCM public functions even when
-compiled on non-Intel platforms.
- - `crypt_generichash_blake2b_statebytes()` was added.
- - New macros were added for the IETF variant of the ChaCha20-Poly1305
-construction.
- - The library can now be compiled on Minix.
- - HEASLR is now enabled on MinGW builds.
-
-* Version 1.0.8
- - Handle the case where the CPU supports AVX, but we are running
-on an hypervisor with AVX disabled/not supported.
- - Faster (2x) scalarmult_base() when using the ref10 implementation.
-
-* Version 1.0.7
- - More functions whose return value should be checked have been
-tagged with `__attribute__ ((warn_unused_result))`: `crypto_box_easy()`,
-`crypto_box_detached()`, `crypto_box_beforenm()`, `crypto_box()`, and
-`crypto_scalarmult()`.
- - Sandy2x, the fastest Curve25519 implementation ever, has been
-merged in, and is automatically used on CPUs supporting the AVX
-instructions set.
- - An SSE2 optimized implementation of Poly1305 was added, and is
-twice as fast as the portable one.
- - An SSSE3 optimized implementation of ChaCha20 was added, and is
-twice as fast as the portable one.
- - Faster `sodium_increment()` for common nonce sizes.
- - New helper functions have been added: `sodium_is_zero()` and
- `sodium_add()`.
- - `sodium_runtime_has_aesni()` now properly detects the CPU flag when
- compiled using Visual Studio.
-
-* Version 1.0.6
- - Optimized implementations of Blake2 have been added for modern
-Intel platforms. `crypto_generichash()` is now faster than MD5 and SHA1
-implementations while being far more secure.
- - Functions for which the return value should be checked have been
-tagged with `__attribute__ ((warn_unused_result))`. This will
-intentionally break code compiled with `-Werror` that didn't bother
-checking critical return values.
- - The `crypto_sign_edwards25519sha512batch_*()` functions have been
-tagged as deprecated.
- - Undocumented symbols that were exported, but were only useful for
-internal purposes have been removed or made private:
-`sodium_runtime_get_cpu_features()`, the implementation-specific
-`crypto_onetimeauth_poly1305_donna()` symbols,
-`crypto_onetimeauth_poly1305_set_implementation()`,
-`crypto_onetimeauth_poly1305_implementation_name()` and
-`crypto_onetimeauth_pick_best_implementation()`.
- - `sodium_compare()` now works as documented, and compares numbers
-in little-endian format instead of behaving like `memcmp()`.
- - The previous changes should not break actual applications, but to be
-safe, the library version major was incremented.
- - `sodium_runtime_has_ssse3()` and `sodium_runtime_has_sse41()` have
-been added.
- - The library can now be compiled with the CompCert compiler.
-
-* Version 1.0.5
- - Compilation issues on some platforms were fixed: missing alignment
-directives were added (required at least on RHEL-6/i386), a workaround
-for a VRP bug on gcc/armv7 was added, and the library can now be compiled
-with the SunPro compiler.
- - Javascript target: io.js is not supported any more. Use nodejs.
-
-* Version 1.0.4
- - Support for AES256-GCM has been added. This requires
-a CPU with the aesni and pclmul extensions, and is accessible via the
-crypto_aead_aes256gcm_*() functions.
- - The Javascript target doesn't use eval() any more, so that the
-library can be used in Chrome packaged applications.
- - QNX and CloudABI are now supported.
- - Support for NaCl has finally been added.
- - ChaCha20 with an extended (96 bit) nonce and a 32-bit counter has
-been implemented as crypto_stream_chacha20_ietf(),
-crypto_stream_chacha20_ietf_xor() and crypto_stream_chacha20_ietf_xor_ic().
-An IETF-compatible version of ChaCha20Poly1305 is available as
-crypto_aead_chacha20poly1305_ietf_npubbytes(),
-crypto_aead_chacha20poly1305_ietf_encrypt() and
-crypto_aead_chacha20poly1305_ietf_decrypt().
- - The sodium_increment() helper function has been added, to increment
-an arbitrary large number (such as a nonce).
- - The sodium_compare() helper function has been added, to compare
-arbitrary large numbers (such as nonces, in order to prevent replay
-attacks).
-
-* Version 1.0.3
- - In addition to sodium_bin2hex(), sodium_hex2bin() is now a
-constant-time function.
- - crypto_stream_xsalsa20_ic() has been added.
- - crypto_generichash_statebytes(), crypto_auth_*_statebytes() and
-crypto_hash_*_statebytes() have been added in order to retrieve the
-size of structures keeping states from foreign languages.
- - The JavaScript target doesn't require /dev/urandom or an external
-randombytes() implementation any more. Other minor Emscripten-related
-improvements have been made in order to support libsodium.js
- - Custom randombytes implementations do not need to provide their own
-implementation of randombytes_uniform() any more. randombytes_stir()
-and randombytes_close() can also be NULL pointers if they are not
-required.
- - On Linux, getrandom(2) is being used instead of directly accessing
-/dev/urandom, if the kernel supports this system call.
- - crypto_box_seal() and crypto_box_seal_open() have been added.
- - Visual Studio 2015 is now supported.
-
-* Version 1.0.2
- - The _easy and _detached APIs now support precalculated keys;
-crypto_box_easy_afternm(), crypto_box_open_easy_afternm(),
-crypto_box_detached_afternm() and crypto_box_open_detached_afternm()
-have been added as an alternative to the NaCl interface.
- - Memory allocation functions can now be used on operating systems with
-no memory protection.
- - crypto_sign_open() and crypto_sign_edwards25519sha512batch_open()
-now accept a NULL pointer instead of a pointer to the message size, if
-storing this information is not required.
- - The close-on-exec flag is now set on the descriptor returned when
-opening /dev/urandom.
- - A libsodium-uninstalled.pc file to use pkg-config even when
-libsodium is not installed, has been added.
- - The iOS target now includes armv7s and arm64 optimized code, as well
-as i386 and x86_64 code for the iOS simulator.
- - sodium_free() can now be called on regions with PROT_NONE protection.
- - The Javascript tests can run on Ubuntu, where the node binary was
-renamed nodejs. io.js can also be used instead of node.
-
-* Version 1.0.1
- - DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid
-collisions with similar macros defined by other libraries.
- - sodium_bin2hex() is now constant-time.
- - crypto_secretbox_detached() now supports overlapping input and output
-regions.
- - NaCl's donna_c64 implementation of curve25519 was reading an extra byte
-past the end of the buffer containing the base point. This has been
-fixed.
-
-* Version 1.0.0
- - The API and ABI are now stable. New features will be added, but
-backward-compatibility is guaranteed through all the 1.x.y releases.
- - crypto_sign() properly works with overlapping regions again. Thanks
-to @pysiak for reporting this regression introduced in version 0.6.1.
- - The test suite has been extended.
-
-* Version 0.7.1 (1.0 RC2)
- - This is the second release candidate of Sodium 1.0. Minor
-compilation, readability and portability changes have been made and the
-test suite was improved, but the API is the same as the previous release
-candidate.
-
-* Version 0.7.0 (1.0 RC1)
- - Allocating memory to store sensitive data can now be done using
-sodium_malloc() and sodium_allocarray(). These functions add guard
-pages around the protected data to make it less likely to be
-accessible in a heartbleed-like scenario. In addition, the protection
-for memory regions allocated that way can be changed using
-sodium_mprotect_noaccess(), sodium_mprotect_readonly() and
-sodium_mprotect_readwrite().
- - ed25519 keys can be converted to curve25519 keys with
-crypto_sign_ed25519_pk_to_curve25519() and
-crypto_sign_ed25519_sk_to_curve25519(). This allows using the same
-keys for signature and encryption.
- - The seed and the public key can be extracted from an ed25519 key
-using crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk().
- - aes256 was removed. A timing-attack resistant implementation might
-be added later, but not before version 1.0 is tagged.
- - The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was
-removed. Use crypto_pwhash_scryptsalsa208sha256_*.
- - The compatibility layer for implementation-specific functions was
-removed.
- - Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed.
- - crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains
-the prefix produced by crypto_pwhash_scryptsalsa208sha256_str()
-
-* Version 0.6.1
- - Important bug fix: when crypto_sign_open() was given a signed
-message too short to even contain a signature, it was putting an
-unlimited amount of zeros into the target buffer instead of
-immediately returning -1. The bug was introduced in version 0.5.0.
- - New API: crypto_sign_detached() and crypto_sign_verify_detached()
-to produce and verify ed25519 signatures without having to duplicate
-the message.
- - New ./configure switch: --enable-minimal, to create a smaller
-library, with only the functions required for the high-level API.
-Mainly useful for the JavaScript target and embedded systems.
- - All the symbols are now exported by the Emscripten build script.
- - The pkg-config .pc file is now always installed even if the
-pkg-config tool is not available during the installation.
-
-* Version 0.6.0
- - The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_*
- - The ChaCha20Poly1305 AEAD construction has been implemented, as
-crypto_aead_chacha20poly1305_*
- - The _easy API does not require any heap allocations any more and
-does not have any overhead over the NaCl API. With the password
-hashing function being an obvious exception, the library doesn't
-allocate and will not allocate heap memory ever.
- - crypto_box and crypto_secretbox have a new _detached API to store
-the authentication tag and the encrypted message separately.
- - crypto_pwhash_scryptxsalsa208sha256*() functions have been renamed
-crypto_pwhash_scryptsalsa208sha256*().
- - The low-level crypto_pwhash_scryptsalsa208sha256_ll() function
-allows setting individual parameters of the scrypt function.
- - New macros and functions for recommended crypto_pwhash_* parameters
-have been added.
- - Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair()
-has been introduced to deterministically generate a key pair from a seed.
- - crypto_onetimeauth() now provides a streaming interface.
- - crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic()
-have been added to use a non-zero initial block counter.
- - On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which
-doesn't require the Crypt API.
- - The high bit in curve25519 is masked instead of processing the key as
-a 256-bit value.
- - The curve25519 ref implementation was replaced by the latest ref10
-implementation from Supercop.
- - sodium_mlock() now prevents memory from being included in coredumps
-on Linux 3.4+
-
-* Version 0.5.0
- - sodium_mlock()/sodium_munlock() have been introduced to lock pages
-in memory before storing sensitive data, and to zero them before
-unlocking them.
- - High-level wrappers for crypto_box and crypto_secretbox
-(crypto_box_easy and crypto_secretbox_easy) can be used to avoid
-dealing with the specific memory layout regular functions depend on.
- - crypto_pwhash_scryptsalsa208sha256* functions have been added
-to derive a key from a password, and for password storage.
- - Salsa20 and ed25519 implementations now support overlapping
-inputs/keys/outputs (changes imported from supercop-20140505).
- - New build scripts for Visual Studio, Emscripten, different Android
-architectures and msys2 are available.
- - The poly1305-53 implementation has been replaced with Floodyberry's
-poly1305-donna32 and poly1305-donna64 implementations.
- - sodium_hex2bin() has been added to complement sodium_bin2hex().
- - On OpenBSD and Bitrig, arc4random() is used instead of reading
-/dev/urandom.
- - crypto_auth_hmac_sha512() has been implemented.
- - sha256 and sha512 now have a streaming interface.
- - hmacsha256, hmacsha512 and hmacsha512256 now support keys of
-arbitrary length, and have a streaming interface.
- - crypto_verify_64() has been implemented.
- - first-class Visual Studio build system, thanks to @evoskuil
- - CPU features are now detected at runtime.
-
-* Version 0.4.5
- - Restore compatibility with OSX <= 10.6
-
-* Version 0.4.4
- - Visual Studio is officially supported (VC 2010 & VC 2013)
- - mingw64 is now supported
- - big-endian architectures are now supported as well
- - The donna_c64 implementation of curve25519_donna_c64 now handles
-non-canonical points like the ref implementation
- - Missing scalarmult_curve25519 and stream_salsa20 constants are now exported
- - A crypto_onetimeauth_poly1305_ref() wrapper has been added
-
-* Version 0.4.3
- - crypto_sign_seedbytes() and crypto_sign_SEEDBYTES were added.
- - crypto_onetimeauth_poly1305_implementation_name() was added.
- - poly1305-ref has been replaced by a faster implementation,
-Floodyberry's poly1305-donna-unrolled.
- - Stackmarkings have been added to assembly code, for Hardened Gentoo.
- - pkg-config can now be used in order to retrieve compilations flags for
-using libsodium.
- - crypto_stream_aes256estream_*() can now deal with unaligned input
-on platforms that require word alignment.
- - portability improvements.
-
-* Version 0.4.2
- - All NaCl constants are now also exposed as functions.
- - The Android and iOS cross-compilation script have been improved.
- - libsodium can now be cross-compiled to Windows from Linux.
- - libsodium can now be compiled with emscripten.
- - New convenience function (prototyped in utils.h): sodium_bin2hex().
-
-* Version 0.4.1
- - sodium_version_*() functions were not exported in version 0.4. They
-are now visible as intended.
- - sodium_init() now calls randombytes_stir().
- - optimized assembly version of salsa20 is now used on amd64.
- - further cleanups and enhanced compatibility with non-C99 compilers.
-
-* Version 0.4
- - Most constants and operations are now available as actual functions
-instead of macros, making it easier to use from other languages.
- - New operation: crypto_generichash, featuring a variable key size, a
-variable output size, and a streaming API. Currently implemented using
-Blake2b.
- - The package can be compiled in a separate directory.
- - aes128ctr functions are exported.
- - Optimized versions of curve25519 (curve25519_donna_c64), poly1305
-(poly1305_53) and ed25519 (ed25519_ref10) are available. Optionally calling
-sodium_init() once before using the library makes it pick the fastest
-implementation.
- - New convenience function: sodium_memzero() in order to securely
-wipe a memory area.
- - A whole bunch of cleanups and portability enhancements.
- - On Windows, a .REF file is generated along with the shared library,
-for use with Visual Studio. The installation path for these has become
-$prefix/bin as expected by MingW.
-
-* Version 0.3
- - The crypto_shorthash operation has been added, implemented using
-SipHash-2-4.
-
-* Version 0.2
- - crypto_sign_seed_keypair() has been added
-
-* Version 0.1
- - Initial release.
-
+
+* Version 1.0.17
+ - Bug fix: `sodium_pad()` didn't properly support block sizes >= 256 bytes.
+ - JS/WebAssembly: some old iOS versions can't instantiate the WebAssembly
+module; fall back to Javascript on these.
+ - JS/WebAssembly: compatibility with newer Emscripten versions.
+ - Bug fix: `crypto_pwhash_scryptsalsa208sha256_str_verify()` and
+`crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()` didn't return
+`EINVAL` on input strings with a short length, unlike their high-level
+counterpart.
+ - Added a workaround for Visual Studio 2010 bug causing CPU features
+not to be detected.
+ - Portability improvements.
+ - Test vectors from Project Wycheproof have been added.
+ - New low-level APIs for arithmetic mod the order of the prime order group:
+`crypto_core_ed25519_scalar_random()`, `crypto_core_ed25519_scalar_reduce()`,
+`crypto_core_ed25519_scalar_invert()`, `crypto_core_ed25519_scalar_negate()`,
+`crypto_core_ed25519_scalar_complement()`, `crypto_core_ed25519_scalar_add()`
+and `crypto_core_ed25519_scalar_sub()`.
+ - New low-level APIs for scalar multiplication without clamping:
+`crypto_scalarmult_ed25519_base_noclamp()` and
+`crypto_scalarmult_ed25519_noclamp()`. These new APIs are especially useful
+for blinding.
+ - `sodium_sub()` has been implemented.
+ - Support for WatchOS has been added.
+ - getrandom(2) is now used on FreeBSD 12+.
+ - The `nonnull` attribute has been added to all relevant prototypes.
+ - More reliable AVX512 detection.
+ - Javascript/Webassembly builds now use dynamic memory growth.
+
+* Version 1.0.16
+ - Signatures computations and verifications are now way faster on
+64-bit platforms with compilers supporting 128-bit arithmetic (gcc,
+clang, icc). This includes the WebAssembly target.
+ - New low-level APIs for computations over edwards25519:
+`crypto_scalarmult_ed25519()`, `crypto_scalarmult_ed25519_base()`,
+`crypto_core_ed25519_is_valid_point()`, `crypto_core_ed25519_add()`,
+`crypto_core_ed25519_sub()` and `crypto_core_ed25519_from_uniform()`
+(elligator representative to point).
+ - `crypto_sign_open()`, `crypto_sign_verify_detached() and
+`crypto_sign_edwards25519sha512batch_open` now reject public keys in
+non-canonical form in addition to low-order points.
+ - The library can be built with `ED25519_NONDETERMINISTIC` defined in
+order to use synthetic nonces for EdDSA. This is disabled by default.
+ - Webassembly: `crypto_pwhash_*()` functions are now included in
+non-sumo builds.
+ - `sodium_stackzero()` was added to wipe content off the stack.
+ - Android: support new SDKs where unified headers have become the
+default.
+ - The Salsa20-based PRNG example is now thread-safe on platforms with
+support for thread-local storage, optionally mixes bits from RDRAND.
+ - CMAKE: static library detection on Unix systems has been improved
+(thanks to @BurningEnlightenment, @nibua-r, @mellery451)
+ - Argon2 and scrypt are slightly faster on Linux.
+
+* Version 1.0.15
+ - The default password hashing algorithm is now Argon2id. The
+`pwhash_str_verify()` function can still verify Argon2i hashes
+without any changes, and `pwhash()` can still compute Argon2i hashes
+as well.
+ - The aes128ctr primitive was removed. It was slow, non-standard, not
+authenticated, and didn't seem to be used by any opensource project.
+ - Argon2id required at least 3 passes like Argon2i, despite a minimum
+of `1` as defined by the `OPSLIMIT_MIN` constant. This has been fixed.
+ - The secretstream construction was slightly changed to be consistent
+with forthcoming variants.
+ - The Javascript and Webassembly versions have been merged, and the
+module now returns a `.ready` promise that will resolve after the
+Webassembly code is loaded and compiled.
+ - Note that due to these incompatible changes, the library version
+major was bumped up.
+
+* Version 1.0.14
+ - iOS binaries should now be compatible with WatchOS and TVOS.
+ - WebAssembly is now officially supported. Special thanks to
+@facekapow and @pepyakin who helped to make it happen.
+ - Internal consistency checks failing and primitives used with
+dangerous/out-of-bounds/invalid parameters used to call abort(3).
+Now, a custom handler *that doesn't return* can be set with the
+`set_sodium_misuse()` function. It still aborts by default or if the
+handler ever returns. This is not a replacement for non-fatal,
+expected runtime errors. This handler will be only called in
+unexpected situations due to potential bugs in the library or in
+language bindings.
+ - `*_MESSAGEBYTES_MAX` macros (and the corresponding
+`_messagebytes_max()` symbols) have been added to represent the
+maximum message size that can be safely handled by a primitive.
+Language bindings are encouraged to check user inputs against these
+maximum lengths.
+ - The test suite has been extended to cover more edge cases.
+ - crypto_sign_ed25519_pk_to_curve25519() now rejects points that are
+not on the curve, or not in the main subgroup.
+ - Further changes have been made to ensure that smart compilers will
+not optimize out code that we don't want to be optimized.
+ - Visual Studio solutions are now included in distribution tarballs.
+ - The `sodium_runtime_has_*` symbols for CPU features detection are
+now defined as weak symbols, i.e. they can be replaced with an
+application-defined implementation. This can be useful to disable
+AVX* when temperature/power consumption is a concern.
+ - `crypto_kx_*()` now aborts if called with no non-NULL pointers to
+store keys to.
+ - SSE2 implementations of `crypto_verify_*()` have been added.
+ - Passwords can be hashed using a specific algorithm with the new
+`crypto_pwhash_str_alg()` function.
+ - Due to popular demand, base64 encoding (`sodium_bin2base64()`) and
+decoding (`sodium_base642bin()`) have been implemented.
+ - A new `crypto_secretstream_*()` API was added to safely encrypt files
+and multi-part messages.
+ - The `sodium_pad()` and `sodium_unpad()` helper functions have been
+added in order to add & remove padding.
+ - An AVX512 optimized implementation of Argon2 has been added (written
+by Ondrej Mosnáček, thanks!)
+ - The `crypto_pwhash_str_needs_rehash()` function was added to check if
+a password hash string matches the given parameters, or if it needs an
+update.
+ - The library can now be compiled with recent versions of
+emscripten/binaryen that don't allow multiple variables declarations
+using a single `var` statement.
+
+* Version 1.0.13
+ - Javascript: the sumo builds now include all symbols. They were
+previously limited to symbols defined in minimal builds.
+ - The public `crypto_pwhash_argon2i_MEMLIMIT_MAX` constant was
+incorrectly defined on 32-bit platforms. This has been fixed.
+ - Version 1.0.12 didn't compile on OpenBSD/i386 using the base gcc
+compiler. This has been fixed.
+ - The Android compilation scripts have been updated for NDK r14b.
+ - armv7s-optimized code was re-added to iOS builds.
+ - An AVX2 optimized implementation of the Argon2 round function was
+added.
+ - The Argon2id variant of Argon2 has been implemented. The
+high-level `crypto_pwhash_str_verify()` function automatically detects
+the algorithm and can verify both Argon2i and Argon2id hashed passwords.
+The default algorithm for newly hashed passwords remains Argon2i in
+this version to avoid breaking compatibility with verifiers running
+libsodium <= 1.0.12.
+ - A `crypto_box_curve25519xchacha20poly1305_seal*()` function set was
+implemented.
+ - scrypt was removed from minimal builds.
+ - libsodium is now available on NuGet.
+
+* Version 1.0.12
+ - Ed25519ph was implemented, adding a multi-part signature API
+(`crypto_sign_init()`, `crypto_sign_update()`, `crypto_sign_final_*()`).
+ - New constants and related accessors have been added for Scrypt and
+Argon2.
+ - XChaCha20 has been implemented. Like XSalsa20, this construction
+extends the ChaCha20 cipher to accept a 192-bit nonce. This makes it safe
+to use ChaCha20 with random nonces.
+ - `crypto_secretbox`, `crypto_box` and `crypto_aead` now offer
+variants leveraging XChaCha20.
+ - SHA-2 is about 20% faster, which also gives a speed boost to
+signature and signature verification.
+ - AVX2 implementations of Salsa20 and ChaCha20 have been added. They
+are twice as fast as the SSE2 implementations. The speed gain is
+even more significant on Windows, that previously didn't use
+vectorized implementations.
+ - New high-level API: `crypto_kdf`, to easily derive one or more
+subkeys from a master key.
+ - Siphash with a 128-bit output has been implemented, and is
+available as `crypto_shorthash_siphashx_*`.
+ - New `*_keygen()` helpers functions have been added to create secret
+keys for all constructions. This improves code clarity and can prevent keys
+from being partially initialized.
+ - A new `randombytes_buf_deterministic()` function was added to
+deterministically fill a memory region with pseudorandom data. This
+function can especially be useful to write reproducible tests.
+ - A preliminary `crypto_kx_*()` API was added to compute shared session
+keys.
+ - AVX2 detection is more reliable.
+ - The pthreads library is not required any more when using MingW.
+ - `contrib/Findsodium.cmake` was added as an example to include
+libsodium in a project using cmake.
+ - Compatibility with gcc 2.x has been restored.
+ - Minimal builds can be checked using `sodium_library_minimal()`.
+ - The `--enable-opt` compilation switch has become compatible with more
+platforms.
+ - Android builds are now using clang on platforms where it is
+available.
+
+* Version 1.0.11
+ - `sodium_init()` is now thread-safe, and can be safely called multiple
+times.
+ - Android binaries now properly support 64-bit Android, targeting
+platform 24, but without breaking compatibility with platforms 16 and
+21.
+ - Better support for old gcc versions.
+ - On FreeBSD, core dumps are disabled on regions allocated with
+sodium allocation functions.
+ - AVX2 detection was fixed, resulting in faster Blake2b hashing on
+platforms where it was not properly detected.
+ - The Sandy2x Curve25519 implementation was not as fast as expected
+on some platforms. This has been fixed.
+ - The NativeClient target was improved. Most notably, it now supports
+optimized implementations, and uses pepper_49 by default.
+ - The library can be compiled with recent Emscripten versions.
+Changes have been made to produce smaller code, and the default heap
+size was reduced in the standard version.
+ - The code can now be compiled on SLES11 service pack 4.
+ - Decryption functions can now accept a NULL pointer for the output.
+This checks the MAC without writing the decrypted message.
+ - crypto_generichash_final() now returns -1 if called twice.
+ - Support for Visual Studio 2008 was improved.
+
+* Version 1.0.10
+ - This release only fixes a compilation issue reported with some older
+gcc versions. There are no functional changes over the previous release.
+
+* Version 1.0.9
+ - The Javascript target now includes a `--sumo` option to include all
+the symbols of the original C library.
+ - A detached API was added to the ChaCha20-Poly1305 and AES256-GCM
+implementations.
+ - The Argon2i password hashing function was added, and is accessible
+directly and through a new, high-level `crypto_pwhash` API. The scrypt
+function remains available as well.
+ - A speed-record AVX2 implementation of BLAKE2b was added (thanks to
+Samuel Neves).
+ - The library can now be compiled using C++Builder (thanks to @jcolli44)
+ - Countermeasures for Ed25519 signatures malleability have been added
+to match the irtf-cfrg-eddsa draft (note that malleability is irrelevant to
+the standard definition of signature security). Signatures with a small-order
+`R` point are now also rejected.
+ - Some implementations are now slightly faster when using the Clang
+compiler.
+ - The HChaCha20 core function was implemented (`crypto_core_hchacha20()`).
+ - No-op stubs were added for all AES256-GCM public functions even when
+compiled on non-Intel platforms.
+ - `crypt_generichash_blake2b_statebytes()` was added.
+ - New macros were added for the IETF variant of the ChaCha20-Poly1305
+construction.
+ - The library can now be compiled on Minix.
+ - HEASLR is now enabled on MinGW builds.
+
+* Version 1.0.8
+ - Handle the case where the CPU supports AVX, but we are running
+on an hypervisor with AVX disabled/not supported.
+ - Faster (2x) scalarmult_base() when using the ref10 implementation.
+
+* Version 1.0.7
+ - More functions whose return value should be checked have been
+tagged with `__attribute__ ((warn_unused_result))`: `crypto_box_easy()`,
+`crypto_box_detached()`, `crypto_box_beforenm()`, `crypto_box()`, and
+`crypto_scalarmult()`.
+ - Sandy2x, the fastest Curve25519 implementation ever, has been
+merged in, and is automatically used on CPUs supporting the AVX
+instructions set.
+ - An SSE2 optimized implementation of Poly1305 was added, and is
+twice as fast as the portable one.
+ - An SSSE3 optimized implementation of ChaCha20 was added, and is
+twice as fast as the portable one.
+ - Faster `sodium_increment()` for common nonce sizes.
+ - New helper functions have been added: `sodium_is_zero()` and
+ `sodium_add()`.
+ - `sodium_runtime_has_aesni()` now properly detects the CPU flag when
+ compiled using Visual Studio.
+
+* Version 1.0.6
+ - Optimized implementations of Blake2 have been added for modern
+Intel platforms. `crypto_generichash()` is now faster than MD5 and SHA1
+implementations while being far more secure.
+ - Functions for which the return value should be checked have been
+tagged with `__attribute__ ((warn_unused_result))`. This will
+intentionally break code compiled with `-Werror` that didn't bother
+checking critical return values.
+ - The `crypto_sign_edwards25519sha512batch_*()` functions have been
+tagged as deprecated.
+ - Undocumented symbols that were exported, but were only useful for
+internal purposes have been removed or made private:
+`sodium_runtime_get_cpu_features()`, the implementation-specific
+`crypto_onetimeauth_poly1305_donna()` symbols,
+`crypto_onetimeauth_poly1305_set_implementation()`,
+`crypto_onetimeauth_poly1305_implementation_name()` and
+`crypto_onetimeauth_pick_best_implementation()`.
+ - `sodium_compare()` now works as documented, and compares numbers
+in little-endian format instead of behaving like `memcmp()`.
+ - The previous changes should not break actual applications, but to be
+safe, the library version major was incremented.
+ - `sodium_runtime_has_ssse3()` and `sodium_runtime_has_sse41()` have
+been added.
+ - The library can now be compiled with the CompCert compiler.
+
+* Version 1.0.5
+ - Compilation issues on some platforms were fixed: missing alignment
+directives were added (required at least on RHEL-6/i386), a workaround
+for a VRP bug on gcc/armv7 was added, and the library can now be compiled
+with the SunPro compiler.
+ - Javascript target: io.js is not supported any more. Use nodejs.
+
+* Version 1.0.4
+ - Support for AES256-GCM has been added. This requires
+a CPU with the aesni and pclmul extensions, and is accessible via the
+crypto_aead_aes256gcm_*() functions.
+ - The Javascript target doesn't use eval() any more, so that the
+library can be used in Chrome packaged applications.
+ - QNX and CloudABI are now supported.
+ - Support for NaCl has finally been added.
+ - ChaCha20 with an extended (96 bit) nonce and a 32-bit counter has
+been implemented as crypto_stream_chacha20_ietf(),
+crypto_stream_chacha20_ietf_xor() and crypto_stream_chacha20_ietf_xor_ic().
+An IETF-compatible version of ChaCha20Poly1305 is available as
+crypto_aead_chacha20poly1305_ietf_npubbytes(),
+crypto_aead_chacha20poly1305_ietf_encrypt() and
+crypto_aead_chacha20poly1305_ietf_decrypt().
+ - The sodium_increment() helper function has been added, to increment
+an arbitrary large number (such as a nonce).
+ - The sodium_compare() helper function has been added, to compare
+arbitrary large numbers (such as nonces, in order to prevent replay
+attacks).
+
+* Version 1.0.3
+ - In addition to sodium_bin2hex(), sodium_hex2bin() is now a
+constant-time function.
+ - crypto_stream_xsalsa20_ic() has been added.
+ - crypto_generichash_statebytes(), crypto_auth_*_statebytes() and
+crypto_hash_*_statebytes() have been added in order to retrieve the
+size of structures keeping states from foreign languages.
+ - The JavaScript target doesn't require /dev/urandom or an external
+randombytes() implementation any more. Other minor Emscripten-related
+improvements have been made in order to support libsodium.js
+ - Custom randombytes implementations do not need to provide their own
+implementation of randombytes_uniform() any more. randombytes_stir()
+and randombytes_close() can also be NULL pointers if they are not
+required.
+ - On Linux, getrandom(2) is being used instead of directly accessing
+/dev/urandom, if the kernel supports this system call.
+ - crypto_box_seal() and crypto_box_seal_open() have been added.
+ - Visual Studio 2015 is now supported.
+
+* Version 1.0.2
+ - The _easy and _detached APIs now support precalculated keys;
+crypto_box_easy_afternm(), crypto_box_open_easy_afternm(),
+crypto_box_detached_afternm() and crypto_box_open_detached_afternm()
+have been added as an alternative to the NaCl interface.
+ - Memory allocation functions can now be used on operating systems with
+no memory protection.
+ - crypto_sign_open() and crypto_sign_edwards25519sha512batch_open()
+now accept a NULL pointer instead of a pointer to the message size, if
+storing this information is not required.
+ - The close-on-exec flag is now set on the descriptor returned when
+opening /dev/urandom.
+ - A libsodium-uninstalled.pc file to use pkg-config even when
+libsodium is not installed, has been added.
+ - The iOS target now includes armv7s and arm64 optimized code, as well
+as i386 and x86_64 code for the iOS simulator.
+ - sodium_free() can now be called on regions with PROT_NONE protection.
+ - The Javascript tests can run on Ubuntu, where the node binary was
+renamed nodejs. io.js can also be used instead of node.
+
+* Version 1.0.1
+ - DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid
+collisions with similar macros defined by other libraries.
+ - sodium_bin2hex() is now constant-time.
+ - crypto_secretbox_detached() now supports overlapping input and output
+regions.
+ - NaCl's donna_c64 implementation of curve25519 was reading an extra byte
+past the end of the buffer containing the base point. This has been
+fixed.
+
+* Version 1.0.0
+ - The API and ABI are now stable. New features will be added, but
+backward-compatibility is guaranteed through all the 1.x.y releases.
+ - crypto_sign() properly works with overlapping regions again. Thanks
+to @pysiak for reporting this regression introduced in version 0.6.1.
+ - The test suite has been extended.
+
+* Version 0.7.1 (1.0 RC2)
+ - This is the second release candidate of Sodium 1.0. Minor
+compilation, readability and portability changes have been made and the
+test suite was improved, but the API is the same as the previous release
+candidate.
+
+* Version 0.7.0 (1.0 RC1)
+ - Allocating memory to store sensitive data can now be done using
+sodium_malloc() and sodium_allocarray(). These functions add guard
+pages around the protected data to make it less likely to be
+accessible in a heartbleed-like scenario. In addition, the protection
+for memory regions allocated that way can be changed using
+sodium_mprotect_noaccess(), sodium_mprotect_readonly() and
+sodium_mprotect_readwrite().
+ - ed25519 keys can be converted to curve25519 keys with
+crypto_sign_ed25519_pk_to_curve25519() and
+crypto_sign_ed25519_sk_to_curve25519(). This allows using the same
+keys for signature and encryption.
+ - The seed and the public key can be extracted from an ed25519 key
+using crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk().
+ - aes256 was removed. A timing-attack resistant implementation might
+be added later, but not before version 1.0 is tagged.
+ - The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was
+removed. Use crypto_pwhash_scryptsalsa208sha256_*.
+ - The compatibility layer for implementation-specific functions was
+removed.
+ - Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed.
+ - crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains
+the prefix produced by crypto_pwhash_scryptsalsa208sha256_str()
+
+* Version 0.6.1
+ - Important bug fix: when crypto_sign_open() was given a signed
+message too short to even contain a signature, it was putting an
+unlimited amount of zeros into the target buffer instead of
+immediately returning -1. The bug was introduced in version 0.5.0.
+ - New API: crypto_sign_detached() and crypto_sign_verify_detached()
+to produce and verify ed25519 signatures without having to duplicate
+the message.
+ - New ./configure switch: --enable-minimal, to create a smaller
+library, with only the functions required for the high-level API.
+Mainly useful for the JavaScript target and embedded systems.
+ - All the symbols are now exported by the Emscripten build script.
+ - The pkg-config .pc file is now always installed even if the
+pkg-config tool is not available during the installation.
+
+* Version 0.6.0
+ - The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_*
+ - The ChaCha20Poly1305 AEAD construction has been implemented, as
+crypto_aead_chacha20poly1305_*
+ - The _easy API does not require any heap allocations any more and
+does not have any overhead over the NaCl API. With the password
+hashing function being an obvious exception, the library doesn't
+allocate and will not allocate heap memory ever.
+ - crypto_box and crypto_secretbox have a new _detached API to store
+the authentication tag and the encrypted message separately.
+ - crypto_pwhash_scryptxsalsa208sha256*() functions have been renamed
+crypto_pwhash_scryptsalsa208sha256*().
+ - The low-level crypto_pwhash_scryptsalsa208sha256_ll() function
+allows setting individual parameters of the scrypt function.
+ - New macros and functions for recommended crypto_pwhash_* parameters
+have been added.
+ - Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair()
+has been introduced to deterministically generate a key pair from a seed.
+ - crypto_onetimeauth() now provides a streaming interface.
+ - crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic()
+have been added to use a non-zero initial block counter.
+ - On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which
+doesn't require the Crypt API.
+ - The high bit in curve25519 is masked instead of processing the key as
+a 256-bit value.
+ - The curve25519 ref implementation was replaced by the latest ref10
+implementation from Supercop.
+ - sodium_mlock() now prevents memory from being included in coredumps
+on Linux 3.4+
+
+* Version 0.5.0
+ - sodium_mlock()/sodium_munlock() have been introduced to lock pages
+in memory before storing sensitive data, and to zero them before
+unlocking them.
+ - High-level wrappers for crypto_box and crypto_secretbox
+(crypto_box_easy and crypto_secretbox_easy) can be used to avoid
+dealing with the specific memory layout regular functions depend on.
+ - crypto_pwhash_scryptsalsa208sha256* functions have been added
+to derive a key from a password, and for password storage.
+ - Salsa20 and ed25519 implementations now support overlapping
+inputs/keys/outputs (changes imported from supercop-20140505).
+ - New build scripts for Visual Studio, Emscripten, different Android
+architectures and msys2 are available.
+ - The poly1305-53 implementation has been replaced with Floodyberry's
+poly1305-donna32 and poly1305-donna64 implementations.
+ - sodium_hex2bin() has been added to complement sodium_bin2hex().
+ - On OpenBSD and Bitrig, arc4random() is used instead of reading
+/dev/urandom.
+ - crypto_auth_hmac_sha512() has been implemented.
+ - sha256 and sha512 now have a streaming interface.
+ - hmacsha256, hmacsha512 and hmacsha512256 now support keys of
+arbitrary length, and have a streaming interface.
+ - crypto_verify_64() has been implemented.
+ - first-class Visual Studio build system, thanks to @evoskuil
+ - CPU features are now detected at runtime.
+
+* Version 0.4.5
+ - Restore compatibility with OSX <= 10.6
+
+* Version 0.4.4
+ - Visual Studio is officially supported (VC 2010 & VC 2013)
+ - mingw64 is now supported
+ - big-endian architectures are now supported as well
+ - The donna_c64 implementation of curve25519_donna_c64 now handles
+non-canonical points like the ref implementation
+ - Missing scalarmult_curve25519 and stream_salsa20 constants are now exported
+ - A crypto_onetimeauth_poly1305_ref() wrapper has been added
+
+* Version 0.4.3
+ - crypto_sign_seedbytes() and crypto_sign_SEEDBYTES were added.
+ - crypto_onetimeauth_poly1305_implementation_name() was added.
+ - poly1305-ref has been replaced by a faster implementation,
+Floodyberry's poly1305-donna-unrolled.
+ - Stackmarkings have been added to assembly code, for Hardened Gentoo.
+ - pkg-config can now be used in order to retrieve compilations flags for
+using libsodium.
+ - crypto_stream_aes256estream_*() can now deal with unaligned input
+on platforms that require word alignment.
+ - portability improvements.
+
+* Version 0.4.2
+ - All NaCl constants are now also exposed as functions.
+ - The Android and iOS cross-compilation script have been improved.
+ - libsodium can now be cross-compiled to Windows from Linux.
+ - libsodium can now be compiled with emscripten.
+ - New convenience function (prototyped in utils.h): sodium_bin2hex().
+
+* Version 0.4.1
+ - sodium_version_*() functions were not exported in version 0.4. They
+are now visible as intended.
+ - sodium_init() now calls randombytes_stir().
+ - optimized assembly version of salsa20 is now used on amd64.
+ - further cleanups and enhanced compatibility with non-C99 compilers.
+
+* Version 0.4
+ - Most constants and operations are now available as actual functions
+instead of macros, making it easier to use from other languages.
+ - New operation: crypto_generichash, featuring a variable key size, a
+variable output size, and a streaming API. Currently implemented using
+Blake2b.
+ - The package can be compiled in a separate directory.
+ - aes128ctr functions are exported.
+ - Optimized versions of curve25519 (curve25519_donna_c64), poly1305
+(poly1305_53) and ed25519 (ed25519_ref10) are available. Optionally calling
+sodium_init() once before using the library makes it pick the fastest
+implementation.
+ - New convenience function: sodium_memzero() in order to securely
+wipe a memory area.
+ - A whole bunch of cleanups and portability enhancements.
+ - On Windows, a .REF file is generated along with the shared library,
+for use with Visual Studio. The installation path for these has become
+$prefix/bin as expected by MingW.
+
+* Version 0.3
+ - The crypto_shorthash operation has been added, implemented using
+SipHash-2-4.
+
+* Version 0.2
+ - crypto_sign_seed_keypair() has been added
+
+* Version 0.1
+ - Initial release.
+
diff --git a/libs/libsodium/docs/LICENSE b/libs/libsodium/docs/LICENSE
index 1553d6bb0f..365236e9b7 100644
--- a/libs/libsodium/docs/LICENSE
+++ b/libs/libsodium/docs/LICENSE
@@ -1,18 +1,18 @@
-/*
- * ISC License
- *
- * Copyright (c) 2013-2018
- * Frank Denis <j at pureftpd dot org>
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
+/*
+ * ISC License
+ *
+ * Copyright (c) 2013-2019
+ * Frank Denis <j at pureftpd dot org>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
diff --git a/libs/libsodium/docs/THANKS b/libs/libsodium/docs/THANKS
index 0d0da788f3..f17c882167 100644
--- a/libs/libsodium/docs/THANKS
+++ b/libs/libsodium/docs/THANKS
@@ -1,91 +1,92 @@
-Special thanks to people, companies and organizations having written
-libsodium bindings for their favorite programming languages:
-
-@alethia7
-@artemisc
-@carblue
-@dnaq
-@ektrah
-@graxrabble
-@harleqin
-@joshjdevl
-@jrmarino
-@jshahbazi
-@lvh
-@neheb
-
-Adam Caudill (@adamcaudill)
-Alexander Morris (@alexpmorris)
-Amit Murthy (@amitmurthy)
-Andrew Bennett (@potatosalad)
-Andrew Lambert (@charonn0)
-Bruce Mitchener (@waywardmonkeys)
-Bruno Oliveira (@abstractj)
-Caolan McMahon (@caolan)
-Chris Rebert (@cvrebert)
-Christian Hermann (@bitbeans)
-Christian Wiese (@morfoh)
-Christian Wiese (@morfoh)
-Colm MacCárthaigh (@colmmacc)
-David Parrish (@dmp1ce)
-Donald Stufft (@dstufft)
-Douglas Campos (@qmx)
-Drew Crawford (@drewcrawford)
-Emil Bay (@emilbayes)
-Eric Dong (@quantum1423)
-Eric Voskuil (@evoskuil)
-Farid Hajji (@fhajji)
-Frank Siebenlist (@franks42)
-Gabriel Handford (@gabriel)
-Geo Carncross (@geocar)
-Henrik Gassmann (BurningEnlightenment)
-Jachym Holecek (@freza)
-Jack Wink (@jackwink)
-James Ruan (@jamesruan)
-Jan de Muijnck-Hughes (@jfdm)
-Jason McCampbell (@jasonmccampbell)
-Jeroen Habraken (@VeXocide)
-Jeroen Ooms (@jeroen)
-Jesper Louis Andersen (@jlouis)
-Joe Eli McIlvain (@jemc)
-Jonathan Stowe (@jonathanstowe)
-Joseph Abrahamson (@tel)
-Julien Kauffmann (@ereOn)
-Kenneth Ballenegger (@kballenegger)
-Loic Maury (@loicmaury)
-Michael Gorlick (@mgorlick)
-Michael Gregorowicz (@mgregoro)
-Michał Zieliński (@zielmicha)
-Omar Ayub (@electricFeel)
-Pedro Paixao (@paixaop)
-Project ArteMisc (@artemisc)
-Rich FitzJohn (@richfitz)
-Ruben De Visscher (@rubendv)
-Rudolf Von Krugstein (@rudolfvonkrugstein)
-Samuel Neves (@sneves)
-Scott Arciszewski (@paragonie-scott)
-Stanislav Ovsiannikov (@naphaso)
-Stefan Marsiske (@stef)
-Stephan Touset (@stouset)
-Stephen Chavez (@redragonx)
-Steve Gibson (@sggrc)
-Tony Arcieri (@bascule)
-Tony Garnock-Jones (@tonyg)
-Y. T. Chung (@zonyitoo)
-
-Bytecurry Software
-Cryptotronix
-Facebook
-FSF France
-MaidSafe
-Paragonie Initiative Enterprises
-Python Cryptographic Authority
-
-(this list may not be complete, if you don't see your name, please
-submit a pull request!)
-
-Also thanks to:
-
-- Coverity, Inc. to provide static analysis.
-- FSF France for providing access to their compilation servers.
-- Private Internet Access for having sponsored a complete security audit.
+Special thanks to people, companies and organizations having written
+libsodium bindings for their favorite programming languages:
+
+@alethia7
+@artemisc
+@carblue
+@dnaq
+@ektrah
+@graxrabble
+@harleqin
+@joshjdevl
+@jrmarino
+@jshahbazi
+@lvh
+@neheb
+
+Adam Caudill (@adamcaudill)
+Alexander Ilin (@AlexIljin)
+Alexander Morris (@alexpmorris)
+Amit Murthy (@amitmurthy)
+Andrew Bennett (@potatosalad)
+Andrew Lambert (@charonn0)
+Bruce Mitchener (@waywardmonkeys)
+Bruno Oliveira (@abstractj)
+Caolan McMahon (@caolan)
+Chris Rebert (@cvrebert)
+Christian Hermann (@bitbeans)
+Christian Wiese (@morfoh)
+Christian Wiese (@morfoh)
+Colm MacCárthaigh (@colmmacc)
+David Parrish (@dmp1ce)
+Donald Stufft (@dstufft)
+Douglas Campos (@qmx)
+Drew Crawford (@drewcrawford)
+Emil Bay (@emilbayes)
+Eric Dong (@quantum1423)
+Eric Voskuil (@evoskuil)
+Farid Hajji (@fhajji)
+Frank Siebenlist (@franks42)
+Gabriel Handford (@gabriel)
+Geo Carncross (@geocar)
+Henrik Gassmann (BurningEnlightenment)
+Jachym Holecek (@freza)
+Jack Wink (@jackwink)
+James Ruan (@jamesruan)
+Jan de Muijnck-Hughes (@jfdm)
+Jason McCampbell (@jasonmccampbell)
+Jeroen Habraken (@VeXocide)
+Jeroen Ooms (@jeroen)
+Jesper Louis Andersen (@jlouis)
+Joe Eli McIlvain (@jemc)
+Jonathan Stowe (@jonathanstowe)
+Joseph Abrahamson (@tel)
+Julien Kauffmann (@ereOn)
+Kenneth Ballenegger (@kballenegger)
+Loic Maury (@loicmaury)
+Michael Gorlick (@mgorlick)
+Michael Gregorowicz (@mgregoro)
+Michał Zieliński (@zielmicha)
+Omar Ayub (@electricFeel)
+Pedro Paixao (@paixaop)
+Project ArteMisc (@artemisc)
+Rich FitzJohn (@richfitz)
+Ruben De Visscher (@rubendv)
+Rudolf Von Krugstein (@rudolfvonkrugstein)
+Samuel Neves (@sneves)
+Scott Arciszewski (@paragonie-scott)
+Stanislav Ovsiannikov (@naphaso)
+Stefan Marsiske (@stef)
+Stephan Touset (@stouset)
+Stephen Chavez (@redragonx)
+Steve Gibson (@sggrc)
+Tony Arcieri (@bascule)
+Tony Garnock-Jones (@tonyg)
+Y. T. Chung (@zonyitoo)
+
+Bytecurry Software
+Cryptotronix
+Facebook
+FSF France
+MaidSafe
+Paragonie Initiative Enterprises
+Python Cryptographic Authority
+
+(this list may not be complete, if you don't see your name, please
+submit a pull request!)
+
+Also thanks to:
+
+- Coverity, Inc. to provide static analysis.
+- FSF France for providing access to their compilation servers.
+- Private Internet Access for having sponsored a complete security audit.
generated by cgit v1.2.3 (git 2.25.1) at 2025-03-28 21:07:41 +0000