From c400f5c17af4996eb2ecf0597e17eb25c17857d8 Mon Sep 17 00:00:00 2001 From: dartraiden Date: Thu, 14 Sep 2023 22:53:45 +0300 Subject: libsodium: update to 1.0.19 --- libs/libsodium/docs/AUTHORS | 270 +++++------ libs/libsodium/docs/ChangeLog | 1054 +++++++++++++++++++++-------------------- libs/libsodium/docs/LICENSE | 36 +- libs/libsodium/docs/THANKS | 183 +++---- 4 files changed, 779 insertions(+), 764 deletions(-) (limited to 'libs/libsodium/docs') diff --git a/libs/libsodium/docs/AUTHORS b/libs/libsodium/docs/AUTHORS index 39e55f6288..6240b1dc37 100644 --- a/libs/libsodium/docs/AUTHORS +++ b/libs/libsodium/docs/AUTHORS 
@@ -1,135 +1,135 @@ - -Designers -========= - -argon2 Alex Biryukov - Daniel Dinu - Dmitry Khovratovich - -blake2 Jean-Philippe Aumasson - Christian Winnerlein - Samuel Neves - Zooko Wilcox-O'Hearn - -chacha20 Daniel J. Bernstein - -chacha20poly1305 Adam Langley - Yoav Nir - -curve25519 Daniel J. Bernstein - -curve25519xsalsa20poly1305 Daniel J. Bernstein - -ed25519 Daniel J. Bernstein - Bo-Yin Yang - Niels Duif - Peter Schwabe - Tanja Lange - -poly1305 Daniel J. Bernstein - -salsa20 Daniel J. Bernstein - -scrypt Colin Percival - -siphash Jean-Philippe Aumasson - Daniel J. Bernstein - -Implementors -============ - -crypto_aead/aes256gcm/aesni Romain Dolbeau - Frank Denis - -crypto_aead/chacha20poly1305 Frank Denis - -crypto_aead/xchacha20poly1305 Frank Denis - Jason A. Donenfeld - -crypto_auth/hmacsha256 Colin Percival -crypto_auth/hmacsha512 -crypto_auth/hmacsha512256 - -crypto_box/curve25519xsalsa20poly1305 Daniel J. Bernstein - -crypto_box/curve25519xchacha20poly1305 Frank Denis - -crypto_core/ed25519 Daniel J. Bernstein - Adam Langley - -crypto_core/hchacha20 Frank Denis - -crypto_core/hsalsa20 Daniel J. Bernstein -crypto_core/salsa - -crypto_generichash/blake2b Jean-Philippe Aumasson - Christian Winnerlein - Samuel Neves - Zooko Wilcox-O'Hearn - -crypto_hash/sha256 Colin Percival -crypto_hash/sha512 -crypto_hash/sha512256 - -crypto_kdf Frank Denis - -crypto_kx Frank Denis - -crypto_onetimeauth/poly1305/donna Andrew "floodyberry" Moon -crypto_onetimeauth/poly1305/sse2 - -crypto_pwhash/argon2 Samuel Neves - Dmitry Khovratovich - Jean-Philippe Aumasson - Daniel Dinu - Thomas Pornin - -crypto_pwhash/scryptsalsa208sha256 Colin Percival - Alexander Peslyak - -crypto_scalarmult/curve25519/ref10 Daniel J. Bernstein - -crypto_scalarmult/curve25519/sandy2x Tung Chou - -crypto_scalarmult/ed25519 Frank Denis - -crypto_secretbox/xsalsa20poly1305 Daniel J. 
Bernstein - -crypto_secretbox/xchacha20poly1305 Frank Denis - -crypto_secretstream/xchacha20poly1305 Frank Denis - -crypto_shorthash/siphash24 Jean-Philippe Aumasson - Daniel J. Bernstein - -crypto_sign/ed25519 Peter Schwabe - Daniel J. Bernstein - Niels Duif - Tanja Lange - Bo-Yin Yang - -crypto_stream/chacha20/ref Daniel J. Bernstein - -crypto_stream/chacha20/dolbeau Romain Dolbeau - Daniel J. Bernstein - -crypto_stream/salsa20/ref Daniel J. Bernstein -crypto_stream/salsa20/xmm6 - -crypto_stream/salsa20/xmm6int Romain Dolbeau - Daniel J. Bernstein - -crypto_stream/salsa2012/ref Daniel J. Bernstein -crypto_stream/salsa2008/ref - -crypto_stream/xchacha20 Frank Denis - -crypto_verify Frank Denis - -sodium/codecs.c Frank Denis - Thomas Pornin - Christian Winnerlein - -sodium/core.c Frank Denis -sodium/runtime.h -sodium/utils.c + +Designers +========= + +argon2 Alex Biryukov + Daniel Dinu + Dmitry Khovratovich + +blake2 Jean-Philippe Aumasson + Christian Winnerlein + Samuel Neves + Zooko Wilcox-O'Hearn + +chacha20 Daniel J. Bernstein + +chacha20poly1305 Adam Langley + Yoav Nir + +curve25519 Daniel J. Bernstein + +curve25519xsalsa20poly1305 Daniel J. Bernstein + +ed25519 Daniel J. Bernstein + Bo-Yin Yang + Niels Duif + Peter Schwabe + Tanja Lange + +poly1305 Daniel J. Bernstein + +salsa20 Daniel J. Bernstein + +scrypt Colin Percival + +siphash Jean-Philippe Aumasson + Daniel J. Bernstein + +Implementors +============ + +crypto_aead/aes256gcm/aesni Romain Dolbeau + Frank Denis + +crypto_aead/chacha20poly1305 Frank Denis + +crypto_aead/xchacha20poly1305 Frank Denis + Jason A. Donenfeld + +crypto_auth/hmacsha256 Colin Percival +crypto_auth/hmacsha512 +crypto_auth/hmacsha512256 + +crypto_box/curve25519xsalsa20poly1305 Daniel J. Bernstein + +crypto_box/curve25519xchacha20poly1305 Frank Denis + +crypto_core/ed25519 Daniel J. Bernstein + Adam Langley + +crypto_core/hchacha20 Frank Denis + +crypto_core/hsalsa20 Daniel J. 
Bernstein +crypto_core/salsa + +crypto_generichash/blake2b Jean-Philippe Aumasson + Christian Winnerlein + Samuel Neves + Zooko Wilcox-O'Hearn + +crypto_hash/sha256 Colin Percival +crypto_hash/sha512 +crypto_hash/sha512256 + +crypto_kdf Frank Denis + +crypto_kx Frank Denis + +crypto_onetimeauth/poly1305/donna Andrew "floodyberry" Moon +crypto_onetimeauth/poly1305/sse2 + +crypto_pwhash/argon2 Samuel Neves + Dmitry Khovratovich + Jean-Philippe Aumasson + Daniel Dinu + Thomas Pornin + +crypto_pwhash/scryptsalsa208sha256 Colin Percival + Alexander Peslyak + +crypto_scalarmult/curve25519/ref10 Daniel J. Bernstein + +crypto_scalarmult/curve25519/sandy2x Tung Chou + +crypto_scalarmult/ed25519 Frank Denis + +crypto_secretbox/xsalsa20poly1305 Daniel J. Bernstein + +crypto_secretbox/xchacha20poly1305 Frank Denis + +crypto_secretstream/xchacha20poly1305 Frank Denis + +crypto_shorthash/siphash24 Jean-Philippe Aumasson + Daniel J. Bernstein + +crypto_sign/ed25519 Peter Schwabe + Daniel J. Bernstein + Niels Duif + Tanja Lange + Bo-Yin Yang + +crypto_stream/chacha20/ref Daniel J. Bernstein + +crypto_stream/chacha20/dolbeau Romain Dolbeau + Daniel J. Bernstein + +crypto_stream/salsa20/ref Daniel J. Bernstein +crypto_stream/salsa20/xmm6 + +crypto_stream/salsa20/xmm6int Romain Dolbeau + Daniel J. Bernstein + +crypto_stream/salsa2012/ref Daniel J. Bernstein +crypto_stream/salsa2008/ref + +crypto_stream/xchacha20 Frank Denis + +crypto_verify Frank Denis + +sodium/codecs.c Frank Denis + Thomas Pornin + Christian Winnerlein + +sodium/core.c Frank Denis +sodium/runtime.h +sodium/utils.c diff --git a/libs/libsodium/docs/ChangeLog b/libs/libsodium/docs/ChangeLog index 2504a9b64a..288f58ccab 100644 --- a/libs/libsodium/docs/ChangeLog +++ b/libs/libsodium/docs/ChangeLog 
@@ -1,520 +1,534 @@ - -* Version 1.0.17 - - Bug fix: `sodium_pad()` didn't properly support block sizes >= 256 bytes. - - JS/WebAssembly: some old iOS versions can't instantiate the WebAssembly -module; fall back to Javascript on these. - - JS/WebAssembly: compatibility with newer Emscripten versions. - - Bug fix: `crypto_pwhash_scryptsalsa208sha256_str_verify()` and -`crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()` didn't return -`EINVAL` on input strings with a short length, unlike their high-level -counterpart. - - Added a workaround for Visual Studio 2010 bug causing CPU features -not to be detected. - - The library now enables compilation with retpoline by default. - - Portability improvements. - - Test vectors from Project Wycheproof have been added. - -* Version 1.0.16 - - Signatures computations and verifications are now way faster on -64-bit platforms with compilers supporting 128-bit arithmetic (gcc, -clang, icc). This includes the WebAssembly target. - - New low-level APIs for computations over edwards25519: -`crypto_scalarmult_ed25519()`, `crypto_scalarmult_ed25519_base()`, -`crypto_core_ed25519_is_valid_point()`, `crypto_core_ed25519_add()`, -`crypto_core_ed25519_sub()` and `crypto_core_ed25519_from_uniform()` -(elligator representative to point). - - `crypto_sign_open()`, `crypto_sign_verify_detached() and -`crypto_sign_edwards25519sha512batch_open` now reject public keys in -non-canonical form in addition to low-order points. - - The library can be built with `ED25519_NONDETERMINISTIC` defined in -order to use synthetic nonces for EdDSA. This is disabled by default. - - Webassembly: `crypto_pwhash_*()` functions are now included in -non-sumo builds. - - `sodium_stackzero()` was added to wipe content off the stack. - - Android: support new SDKs where unified headers have become the -default. - - The Salsa20-based PRNG example is now thread-safe on platforms with -support for thread-local storage, optionally mixes bits from RDRAND. 
- - CMAKE: static library detection on Unix systems has been improved -(thanks to @BurningEnlightenment, @nibua-r, @mellery451) - - Argon2 and scrypt are slightly faster on Linux. - -* Version 1.0.15 - - The default password hashing algorithm is now Argon2id. The -`pwhash_str_verify()` function can still verify Argon2i hashes -without any changes, and `pwhash()` can still compute Argon2i hashes -as well. - - The aes128ctr primitive was removed. It was slow, non-standard, not -authenticated, and didn't seem to be used by any opensource project. - - Argon2id required at least 3 passes like Argon2i, despite a minimum -of `1` as defined by the `OPSLIMIT_MIN` constant. This has been fixed. - - The secretstream construction was slightly changed to be consistent -with forthcoming variants. - - The Javascript and Webassembly versions have been merged, and the -module now returns a `.ready` promise that will resolve after the -Webassembly code is loaded and compiled. - - Note that due to these incompatible changes, the library version -major was bumped up. - -* Version 1.0.14 - - iOS binaries should now be compatible with WatchOS and TVOS. - - WebAssembly is now officially supported. Special thanks to -@facekapow and @pepyakin who helped to make it happen. - - Internal consistency checks failing and primitives used with -dangerous/out-of-bounds/invalid parameters used to call abort(3). -Now, a custom handler *that doesn't return* can be set with the -`set_sodium_misuse()` function. It still aborts by default or if the -handler ever returns. This is not a replacement for non-fatal, -expected runtime errors. This handler will be only called in -unexpected situations due to potential bugs in the library or in -language bindings. - - `*_MESSAGEBYTES_MAX` macros (and the corresponding -`_messagebytes_max()` symbols) have been added to represent the -maximum message size that can be safely handled by a primitive. 
-Language bindings are encouraged to check user inputs against these -maximum lengths. - - The test suite has been extended to cover more edge cases. - - crypto_sign_ed25519_pk_to_curve25519() now rejects points that are -not on the curve, or not in the main subgroup. - - Further changes have been made to ensure that smart compilers will -not optimize out code that we don't want to be optimized. - - Visual Studio solutions are now included in distribution tarballs. - - The `sodium_runtime_has_*` symbols for CPU features detection are -now defined as weak symbols, i.e. they can be replaced with an -application-defined implementation. This can be useful to disable -AVX* when temperature/power consumption is a concern. - - `crypto_kx_*()` now aborts if called with no non-NULL pointers to -store keys to. - - SSE2 implementations of `crypto_verify_*()` have been added. - - Passwords can be hashed using a specific algorithm with the new -`crypto_pwhash_str_alg()` function. - - Due to popular demand, base64 encoding (`sodium_bin2base64()`) and -decoding (`sodium_base642bin()`) have been implemented. - - A new `crypto_secretstream_*()` API was added to safely encrypt files -and multi-part messages. - - The `sodium_pad()` and `sodium_unpad()` helper functions have been -added in order to add & remove padding. - - An AVX512 optimized implementation of Argon2 has been added (written -by Ondrej Mosnáček, thanks!) - - The `crypto_pwhash_str_needs_rehash()` function was added to check if -a password hash string matches the given parameters, or if it needs an -update. - - The library can now be compiled with recent versions of -emscripten/binaryen that don't allow multiple variables declarations -using a single `var` statement. - -* Version 1.0.13 - - Javascript: the sumo builds now include all symbols. They were -previously limited to symbols defined in minimal builds. - - The public `crypto_pwhash_argon2i_MEMLIMIT_MAX` constant was -incorrectly defined on 32-bit platforms. 
This has been fixed. - - Version 1.0.12 didn't compile on OpenBSD/i386 using the base gcc -compiler. This has been fixed. - - The Android compilation scripts have been updated for NDK r14b. - - armv7s-optimized code was re-added to iOS builds. - - An AVX2 optimized implementation of the Argon2 round function was -added. - - The Argon2id variant of Argon2 has been implemented. The -high-level `crypto_pwhash_str_verify()` function automatically detects -the algorithm and can verify both Argon2i and Argon2id hashed passwords. -The default algorithm for newly hashed passwords remains Argon2i in -this version to avoid breaking compatibility with verifiers running -libsodium <= 1.0.12. - - A `crypto_box_curve25519xchacha20poly1305_seal*()` function set was -implemented. - - scrypt was removed from minimal builds. - - libsodium is now available on NuGet. - -* Version 1.0.12 - - Ed25519ph was implemented, adding a multi-part signature API -(`crypto_sign_init()`, `crypto_sign_update()`, `crypto_sign_final_*()`). - - New constants and related accessors have been added for Scrypt and -Argon2. - - XChaCha20 has been implemented. Like XSalsa20, this construction -extends the ChaCha20 cipher to accept a 192-bit nonce. This makes it safe -to use ChaCha20 with random nonces. - - `crypto_secretbox`, `crypto_box` and `crypto_aead` now offer -variants leveraging XChaCha20. - - SHA-2 is about 20% faster, which also gives a speed boost to -signature and signature verification. - - AVX2 implementations of Salsa20 and ChaCha20 have been added. They -are twice as fast as the SSE2 implementations. The speed gain is -even more significant on Windows, that previously didn't use -vectorized implementations. - - New high-level API: `crypto_kdf`, to easily derive one or more -subkeys from a master key. - - Siphash with a 128-bit output has been implemented, and is -available as `crypto_shorthash_siphashx_*`. 
- - New `*_keygen()` helpers functions have been added to create secret -keys for all constructions. This improves code clarity and can prevent keys -from being partially initialized. - - A new `randombytes_buf_deterministic()` function was added to -deterministically fill a memory region with pseudorandom data. This -function can especially be useful to write reproducible tests. - - A preliminary `crypto_kx_*()` API was added to compute shared session -keys. - - AVX2 detection is more reliable. - - The pthreads library is not required any more when using MingW. - - `contrib/Findsodium.cmake` was added as an example to include -libsodium in a project using cmake. - - Compatibility with gcc 2.x has been restored. - - Minimal builds can be checked using `sodium_library_minimal()`. - - The `--enable-opt` compilation switch has become compatible with more -platforms. - - Android builds are now using clang on platforms where it is -available. - -* Version 1.0.11 - - `sodium_init()` is now thread-safe, and can be safely called multiple -times. - - Android binaries now properly support 64-bit Android, targeting -platform 24, but without breaking compatibility with platforms 16 and -21. - - Better support for old gcc versions. - - On FreeBSD, core dumps are disabled on regions allocated with -sodium allocation functions. - - AVX2 detection was fixed, resulting in faster Blake2b hashing on -platforms where it was not properly detected. - - The Sandy2x Curve25519 implementation was not as fast as expected -on some platforms. This has been fixed. - - The NativeClient target was improved. Most notably, it now supports -optimized implementations, and uses pepper_49 by default. - - The library can be compiled with recent Emscripten versions. -Changes have been made to produce smaller code, and the default heap -size was reduced in the standard version. - - The code can now be compiled on SLES11 service pack 4. 
- - Decryption functions can now accept a NULL pointer for the output. -This checks the MAC without writing the decrypted message. - - crypto_generichash_final() now returns -1 if called twice. - - Support for Visual Studio 2008 was improved. - -* Version 1.0.10 - - This release only fixes a compilation issue reported with some older -gcc versions. There are no functional changes over the previous release. - -* Version 1.0.9 - - The Javascript target now includes a `--sumo` option to include all -the symbols of the original C library. - - A detached API was added to the ChaCha20-Poly1305 and AES256-GCM -implementations. - - The Argon2i password hashing function was added, and is accessible -directly and through a new, high-level `crypto_pwhash` API. The scrypt -function remains available as well. - - A speed-record AVX2 implementation of BLAKE2b was added (thanks to -Samuel Neves). - - The library can now be compiled using C++Builder (thanks to @jcolli44) - - Countermeasures for Ed25519 signatures malleability have been added -to match the irtf-cfrg-eddsa draft (note that malleability is irrelevant to -the standard definition of signature security). Signatures with a small-order -`R` point are now also rejected. - - Some implementations are now slightly faster when using the Clang -compiler. - - The HChaCha20 core function was implemented (`crypto_core_hchacha20()`). - - No-op stubs were added for all AES256-GCM public functions even when -compiled on non-Intel platforms. - - `crypt_generichash_blake2b_statebytes()` was added. - - New macros were added for the IETF variant of the ChaCha20-Poly1305 -construction. - - The library can now be compiled on Minix. - - HEASLR is now enabled on MinGW builds. - -* Version 1.0.8 - - Handle the case where the CPU supports AVX, but we are running -on an hypervisor with AVX disabled/not supported. - - Faster (2x) scalarmult_base() when using the ref10 implementation. 
- -* Version 1.0.7 - - More functions whose return value should be checked have been -tagged with `__attribute__ ((warn_unused_result))`: `crypto_box_easy()`, -`crypto_box_detached()`, `crypto_box_beforenm()`, `crypto_box()`, and -`crypto_scalarmult()`. - - Sandy2x, the fastest Curve25519 implementation ever, has been -merged in, and is automatically used on CPUs supporting the AVX -instructions set. - - An SSE2 optimized implementation of Poly1305 was added, and is -twice as fast as the portable one. - - An SSSE3 optimized implementation of ChaCha20 was added, and is -twice as fast as the portable one. - - Faster `sodium_increment()` for common nonce sizes. - - New helper functions have been added: `sodium_is_zero()` and - `sodium_add()`. - - `sodium_runtime_has_aesni()` now properly detects the CPU flag when - compiled using Visual Studio. - -* Version 1.0.6 - - Optimized implementations of Blake2 have been added for modern -Intel platforms. `crypto_generichash()` is now faster than MD5 and SHA1 -implementations while being far more secure. - - Functions for which the return value should be checked have been -tagged with `__attribute__ ((warn_unused_result))`. This will -intentionally break code compiled with `-Werror` that didn't bother -checking critical return values. - - The `crypto_sign_edwards25519sha512batch_*()` functions have been -tagged as deprecated. - - Undocumented symbols that were exported, but were only useful for -internal purposes have been removed or made private: -`sodium_runtime_get_cpu_features()`, the implementation-specific -`crypto_onetimeauth_poly1305_donna()` symbols, -`crypto_onetimeauth_poly1305_set_implementation()`, -`crypto_onetimeauth_poly1305_implementation_name()` and -`crypto_onetimeauth_pick_best_implementation()`. - - `sodium_compare()` now works as documented, and compares numbers -in little-endian format instead of behaving like `memcmp()`. 
- - The previous changes should not break actual applications, but to be -safe, the library version major was incremented. - - `sodium_runtime_has_ssse3()` and `sodium_runtime_has_sse41()` have -been added. - - The library can now be compiled with the CompCert compiler. - -* Version 1.0.5 - - Compilation issues on some platforms were fixed: missing alignment -directives were added (required at least on RHEL-6/i386), a workaround -for a VRP bug on gcc/armv7 was added, and the library can now be compiled -with the SunPro compiler. - - Javascript target: io.js is not supported any more. Use nodejs. - -* Version 1.0.4 - - Support for AES256-GCM has been added. This requires -a CPU with the aesni and pclmul extensions, and is accessible via the -crypto_aead_aes256gcm_*() functions. - - The Javascript target doesn't use eval() any more, so that the -library can be used in Chrome packaged applications. - - QNX and CloudABI are now supported. - - Support for NaCl has finally been added. - - ChaCha20 with an extended (96 bit) nonce and a 32-bit counter has -been implemented as crypto_stream_chacha20_ietf(), -crypto_stream_chacha20_ietf_xor() and crypto_stream_chacha20_ietf_xor_ic(). -An IETF-compatible version of ChaCha20Poly1305 is available as -crypto_aead_chacha20poly1305_ietf_npubbytes(), -crypto_aead_chacha20poly1305_ietf_encrypt() and -crypto_aead_chacha20poly1305_ietf_decrypt(). - - The sodium_increment() helper function has been added, to increment -an arbitrary large number (such as a nonce). - - The sodium_compare() helper function has been added, to compare -arbitrary large numbers (such as nonces, in order to prevent replay -attacks). - -* Version 1.0.3 - - In addition to sodium_bin2hex(), sodium_hex2bin() is now a -constant-time function. - - crypto_stream_xsalsa20_ic() has been added. 
- - crypto_generichash_statebytes(), crypto_auth_*_statebytes() and -crypto_hash_*_statebytes() have been added in order to retrieve the -size of structures keeping states from foreign languages. - - The JavaScript target doesn't require /dev/urandom or an external -randombytes() implementation any more. Other minor Emscripten-related -improvements have been made in order to support libsodium.js - - Custom randombytes implementations do not need to provide their own -implementation of randombytes_uniform() any more. randombytes_stir() -and randombytes_close() can also be NULL pointers if they are not -required. - - On Linux, getrandom(2) is being used instead of directly accessing -/dev/urandom, if the kernel supports this system call. - - crypto_box_seal() and crypto_box_seal_open() have been added. - - Visual Studio 2015 is now supported. - -* Version 1.0.2 - - The _easy and _detached APIs now support precalculated keys; -crypto_box_easy_afternm(), crypto_box_open_easy_afternm(), -crypto_box_detached_afternm() and crypto_box_open_detached_afternm() -have been added as an alternative to the NaCl interface. - - Memory allocation functions can now be used on operating systems with -no memory protection. - - crypto_sign_open() and crypto_sign_edwards25519sha512batch_open() -now accept a NULL pointer instead of a pointer to the message size, if -storing this information is not required. - - The close-on-exec flag is now set on the descriptor returned when -opening /dev/urandom. - - A libsodium-uninstalled.pc file to use pkg-config even when -libsodium is not installed, has been added. - - The iOS target now includes armv7s and arm64 optimized code, as well -as i386 and x86_64 code for the iOS simulator. - - sodium_free() can now be called on regions with PROT_NONE protection. - - The Javascript tests can run on Ubuntu, where the node binary was -renamed nodejs. io.js can also be used instead of node. 
- -* Version 1.0.1 - - DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid -collisions with similar macros defined by other libraries. - - sodium_bin2hex() is now constant-time. - - crypto_secretbox_detached() now supports overlapping input and output -regions. - - NaCl's donna_c64 implementation of curve25519 was reading an extra byte -past the end of the buffer containing the base point. This has been -fixed. - -* Version 1.0.0 - - The API and ABI are now stable. New features will be added, but -backward-compatibility is guaranteed through all the 1.x.y releases. - - crypto_sign() properly works with overlapping regions again. Thanks -to @pysiak for reporting this regression introduced in version 0.6.1. - - The test suite has been extended. - -* Version 0.7.1 (1.0 RC2) - - This is the second release candidate of Sodium 1.0. Minor -compilation, readability and portability changes have been made and the -test suite was improved, but the API is the same as the previous release -candidate. - -* Version 0.7.0 (1.0 RC1) - - Allocating memory to store sensitive data can now be done using -sodium_malloc() and sodium_allocarray(). These functions add guard -pages around the protected data to make it less likely to be -accessible in a heartbleed-like scenario. In addition, the protection -for memory regions allocated that way can be changed using -sodium_mprotect_noaccess(), sodium_mprotect_readonly() and -sodium_mprotect_readwrite(). - - ed25519 keys can be converted to curve25519 keys with -crypto_sign_ed25519_pk_to_curve25519() and -crypto_sign_ed25519_sk_to_curve25519(). This allows using the same -keys for signature and encryption. - - The seed and the public key can be extracted from an ed25519 key -using crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk(). - - aes256 was removed. A timing-attack resistant implementation might -be added later, but not before version 1.0 is tagged. 
- - The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was -removed. Use crypto_pwhash_scryptsalsa208sha256_*. - - The compatibility layer for implementation-specific functions was -removed. - - Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed. - - crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains -the prefix produced by crypto_pwhash_scryptsalsa208sha256_str() - -* Version 0.6.1 - - Important bug fix: when crypto_sign_open() was given a signed -message too short to even contain a signature, it was putting an -unlimited amount of zeros into the target buffer instead of -immediately returning -1. The bug was introduced in version 0.5.0. - - New API: crypto_sign_detached() and crypto_sign_verify_detached() -to produce and verify ed25519 signatures without having to duplicate -the message. - - New ./configure switch: --enable-minimal, to create a smaller -library, with only the functions required for the high-level API. -Mainly useful for the JavaScript target and embedded systems. - - All the symbols are now exported by the Emscripten build script. - - The pkg-config .pc file is now always installed even if the -pkg-config tool is not available during the installation. - -* Version 0.6.0 - - The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_* - - The ChaCha20Poly1305 AEAD construction has been implemented, as -crypto_aead_chacha20poly1305_* - - The _easy API does not require any heap allocations any more and -does not have any overhead over the NaCl API. With the password -hashing function being an obvious exception, the library doesn't -allocate and will not allocate heap memory ever. - - crypto_box and crypto_secretbox have a new _detached API to store -the authentication tag and the encrypted message separately. - - crypto_pwhash_scryptxsalsa208sha256*() functions have been renamed -crypto_pwhash_scryptsalsa208sha256*(). 
- - The low-level crypto_pwhash_scryptsalsa208sha256_ll() function -allows setting individual parameters of the scrypt function. - - New macros and functions for recommended crypto_pwhash_* parameters -have been added. - - Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair() -has been introduced to deterministically generate a key pair from a seed. - - crypto_onetimeauth() now provides a streaming interface. - - crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic() -have been added to use a non-zero initial block counter. - - On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which -doesn't require the Crypt API. - - The high bit in curve25519 is masked instead of processing the key as -a 256-bit value. - - The curve25519 ref implementation was replaced by the latest ref10 -implementation from Supercop. - - sodium_mlock() now prevents memory from being included in coredumps -on Linux 3.4+ - -* Version 0.5.0 - - sodium_mlock()/sodium_munlock() have been introduced to lock pages -in memory before storing sensitive data, and to zero them before -unlocking them. - - High-level wrappers for crypto_box and crypto_secretbox -(crypto_box_easy and crypto_secretbox_easy) can be used to avoid -dealing with the specific memory layout regular functions depend on. - - crypto_pwhash_scryptsalsa208sha256* functions have been added -to derive a key from a password, and for password storage. - - Salsa20 and ed25519 implementations now support overlapping -inputs/keys/outputs (changes imported from supercop-20140505). - - New build scripts for Visual Studio, Emscripten, different Android -architectures and msys2 are available. - - The poly1305-53 implementation has been replaced with Floodyberry's -poly1305-donna32 and poly1305-donna64 implementations. - - sodium_hex2bin() has been added to complement sodium_bin2hex(). - - On OpenBSD and Bitrig, arc4random() is used instead of reading -/dev/urandom. 
- - crypto_auth_hmac_sha512() has been implemented. - - sha256 and sha512 now have a streaming interface. - - hmacsha256, hmacsha512 and hmacsha512256 now support keys of -arbitrary length, and have a streaming interface. - - crypto_verify_64() has been implemented. - - first-class Visual Studio build system, thanks to @evoskuil - - CPU features are now detected at runtime. - -* Version 0.4.5 - - Restore compatibility with OSX <= 10.6 - -* Version 0.4.4 - - Visual Studio is officially supported (VC 2010 & VC 2013) - - mingw64 is now supported - - big-endian architectures are now supported as well - - The donna_c64 implementation of curve25519_donna_c64 now handles -non-canonical points like the ref implementation - - Missing scalarmult_curve25519 and stream_salsa20 constants are now exported - - A crypto_onetimeauth_poly1305_ref() wrapper has been added - -* Version 0.4.3 - - crypto_sign_seedbytes() and crypto_sign_SEEDBYTES were added. - - crypto_onetimeauth_poly1305_implementation_name() was added. - - poly1305-ref has been replaced by a faster implementation, -Floodyberry's poly1305-donna-unrolled. - - Stackmarkings have been added to assembly code, for Hardened Gentoo. - - pkg-config can now be used in order to retrieve compilations flags for -using libsodium. - - crypto_stream_aes256estream_*() can now deal with unaligned input -on platforms that require word alignment. - - portability improvements. - -* Version 0.4.2 - - All NaCl constants are now also exposed as functions. - - The Android and iOS cross-compilation script have been improved. - - libsodium can now be cross-compiled to Windows from Linux. - - libsodium can now be compiled with emscripten. - - New convenience function (prototyped in utils.h): sodium_bin2hex(). - -* Version 0.4.1 - - sodium_version_*() functions were not exported in version 0.4. They -are now visible as intended. - - sodium_init() now calls randombytes_stir(). - - optimized assembly version of salsa20 is now used on amd64. 
- - further cleanups and enhanced compatibility with non-C99 compilers. - -* Version 0.4 - - Most constants and operations are now available as actual functions -instead of macros, making it easier to use from other languages. - - New operation: crypto_generichash, featuring a variable key size, a -variable output size, and a streaming API. Currently implemented using -Blake2b. - - The package can be compiled in a separate directory. - - aes128ctr functions are exported. - - Optimized versions of curve25519 (curve25519_donna_c64), poly1305 -(poly1305_53) and ed25519 (ed25519_ref10) are available. Optionally calling -sodium_init() once before using the library makes it pick the fastest -implementation. - - New convenience function: sodium_memzero() in order to securely -wipe a memory area. - - A whole bunch of cleanups and portability enhancements. - - On Windows, a .REF file is generated along with the shared library, -for use with Visual Studio. The installation path for these has become -$prefix/bin as expected by MingW. - -* Version 0.3 - - The crypto_shorthash operation has been added, implemented using -SipHash-2-4. - -* Version 0.2 - - crypto_sign_seed_keypair() has been added - -* Version 0.1 - - Initial release. - + +* Version 1.0.17 + - Bug fix: `sodium_pad()` didn't properly support block sizes >= 256 bytes. + - JS/WebAssembly: some old iOS versions can't instantiate the WebAssembly +module; fall back to Javascript on these. + - JS/WebAssembly: compatibility with newer Emscripten versions. + - Bug fix: `crypto_pwhash_scryptsalsa208sha256_str_verify()` and +`crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()` didn't return +`EINVAL` on input strings with a short length, unlike their high-level +counterpart. + - Added a workaround for Visual Studio 2010 bug causing CPU features +not to be detected. + - Portability improvements. + - Test vectors from Project Wycheproof have been added. 
+ - New low-level APIs for arithmetic mod the order of the prime order group:
+`crypto_core_ed25519_scalar_random()`, `crypto_core_ed25519_scalar_reduce()`,
+`crypto_core_ed25519_scalar_invert()`, `crypto_core_ed25519_scalar_negate()`,
+`crypto_core_ed25519_scalar_complement()`, `crypto_core_ed25519_scalar_add()`
+and `crypto_core_ed25519_scalar_sub()`.
+ - New low-level APIs for scalar multiplication without clamping:
+`crypto_scalarmult_ed25519_base_noclamp()` and
+`crypto_scalarmult_ed25519_noclamp()`. These new APIs are especially useful
+for blinding.
+ - `sodium_sub()` has been implemented.
+ - Support for WatchOS has been added.
+ - getrandom(2) is now used on FreeBSD 12+.
+ - The `nonnull` attribute has been added to all relevant prototypes.
+ - More reliable AVX512 detection.
+ - Javascript/Webassembly builds now use dynamic memory growth.
+
+* Version 1.0.16
+ - Signatures computations and verifications are now way faster on
+64-bit platforms with compilers supporting 128-bit arithmetic (gcc,
+clang, icc). This includes the WebAssembly target.
+ - New low-level APIs for computations over edwards25519:
+`crypto_scalarmult_ed25519()`, `crypto_scalarmult_ed25519_base()`,
+`crypto_core_ed25519_is_valid_point()`, `crypto_core_ed25519_add()`,
+`crypto_core_ed25519_sub()` and `crypto_core_ed25519_from_uniform()`
+(elligator representative to point).
+ - `crypto_sign_open()`, `crypto_sign_verify_detached() and
+`crypto_sign_edwards25519sha512batch_open` now reject public keys in
+non-canonical form in addition to low-order points.
+ - The library can be built with `ED25519_NONDETERMINISTIC` defined in
+order to use synthetic nonces for EdDSA. This is disabled by default.
+ - Webassembly: `crypto_pwhash_*()` functions are now included in
+non-sumo builds.
+ - `sodium_stackzero()` was added to wipe content off the stack.
+ - Android: support new SDKs where unified headers have become the
+default.
+ - The Salsa20-based PRNG example is now thread-safe on platforms with
+support for thread-local storage, optionally mixes bits from RDRAND.
+ - CMAKE: static library detection on Unix systems has been improved
+(thanks to @BurningEnlightenment, @nibua-r, @mellery451)
+ - Argon2 and scrypt are slightly faster on Linux.
+
+* Version 1.0.15
+ - The default password hashing algorithm is now Argon2id. The
+`pwhash_str_verify()` function can still verify Argon2i hashes
+without any changes, and `pwhash()` can still compute Argon2i hashes
+as well.
+ - The aes128ctr primitive was removed. It was slow, non-standard, not
+authenticated, and didn't seem to be used by any opensource project.
+ - Argon2id required at least 3 passes like Argon2i, despite a minimum
+of `1` as defined by the `OPSLIMIT_MIN` constant. This has been fixed.
+ - The secretstream construction was slightly changed to be consistent
+with forthcoming variants.
+ - The Javascript and Webassembly versions have been merged, and the
+module now returns a `.ready` promise that will resolve after the
+Webassembly code is loaded and compiled.
+ - Note that due to these incompatible changes, the library version
+major was bumped up.
+
+* Version 1.0.14
+ - iOS binaries should now be compatible with WatchOS and TVOS.
+ - WebAssembly is now officially supported. Special thanks to
+@facekapow and @pepyakin who helped to make it happen.
+ - Internal consistency checks failing and primitives used with
+dangerous/out-of-bounds/invalid parameters used to call abort(3).
+Now, a custom handler *that doesn't return* can be set with the
+`set_sodium_misuse()` function. It still aborts by default or if the
+handler ever returns. This is not a replacement for non-fatal,
+expected runtime errors. This handler will be only called in
+unexpected situations due to potential bugs in the library or in
+language bindings.
+ - `*_MESSAGEBYTES_MAX` macros (and the corresponding
+`_messagebytes_max()` symbols) have been added to represent the
+maximum message size that can be safely handled by a primitive.
+Language bindings are encouraged to check user inputs against these
+maximum lengths.
+ - The test suite has been extended to cover more edge cases.
+ - crypto_sign_ed25519_pk_to_curve25519() now rejects points that are
+not on the curve, or not in the main subgroup.
+ - Further changes have been made to ensure that smart compilers will
+not optimize out code that we don't want to be optimized.
+ - Visual Studio solutions are now included in distribution tarballs.
+ - The `sodium_runtime_has_*` symbols for CPU features detection are
+now defined as weak symbols, i.e. they can be replaced with an
+application-defined implementation. This can be useful to disable
+AVX* when temperature/power consumption is a concern.
+ - `crypto_kx_*()` now aborts if called with no non-NULL pointers to
+store keys to.
+ - SSE2 implementations of `crypto_verify_*()` have been added.
+ - Passwords can be hashed using a specific algorithm with the new
+`crypto_pwhash_str_alg()` function.
+ - Due to popular demand, base64 encoding (`sodium_bin2base64()`) and
+decoding (`sodium_base642bin()`) have been implemented.
+ - A new `crypto_secretstream_*()` API was added to safely encrypt files
+and multi-part messages.
+ - The `sodium_pad()` and `sodium_unpad()` helper functions have been
+added in order to add & remove padding.
+ - An AVX512 optimized implementation of Argon2 has been added (written
+by Ondrej Mosnáček, thanks!)
+ - The `crypto_pwhash_str_needs_rehash()` function was added to check if
+a password hash string matches the given parameters, or if it needs an
+update.
+ - The library can now be compiled with recent versions of
+emscripten/binaryen that don't allow multiple variables declarations
+using a single `var` statement.
+
+* Version 1.0.13
+ - Javascript: the sumo builds now include all symbols. They were
+previously limited to symbols defined in minimal builds.
+ - The public `crypto_pwhash_argon2i_MEMLIMIT_MAX` constant was
+incorrectly defined on 32-bit platforms. This has been fixed.
+ - Version 1.0.12 didn't compile on OpenBSD/i386 using the base gcc
+compiler. This has been fixed.
+ - The Android compilation scripts have been updated for NDK r14b.
+ - armv7s-optimized code was re-added to iOS builds.
+ - An AVX2 optimized implementation of the Argon2 round function was
+added.
+ - The Argon2id variant of Argon2 has been implemented. The
+high-level `crypto_pwhash_str_verify()` function automatically detects
+the algorithm and can verify both Argon2i and Argon2id hashed passwords.
+The default algorithm for newly hashed passwords remains Argon2i in
+this version to avoid breaking compatibility with verifiers running
+libsodium <= 1.0.12.
+ - A `crypto_box_curve25519xchacha20poly1305_seal*()` function set was
+implemented.
+ - scrypt was removed from minimal builds.
+ - libsodium is now available on NuGet.
+
+* Version 1.0.12
+ - Ed25519ph was implemented, adding a multi-part signature API
+(`crypto_sign_init()`, `crypto_sign_update()`, `crypto_sign_final_*()`).
+ - New constants and related accessors have been added for Scrypt and
+Argon2.
+ - XChaCha20 has been implemented. Like XSalsa20, this construction
+extends the ChaCha20 cipher to accept a 192-bit nonce. This makes it safe
+to use ChaCha20 with random nonces.
+ - `crypto_secretbox`, `crypto_box` and `crypto_aead` now offer
+variants leveraging XChaCha20.
+ - SHA-2 is about 20% faster, which also gives a speed boost to
+signature and signature verification.
+ - AVX2 implementations of Salsa20 and ChaCha20 have been added. They
+are twice as fast as the SSE2 implementations. The speed gain is
+even more significant on Windows, that previously didn't use
+vectorized implementations.
+ - New high-level API: `crypto_kdf`, to easily derive one or more
+subkeys from a master key.
+ - Siphash with a 128-bit output has been implemented, and is
+available as `crypto_shorthash_siphashx_*`.
+ - New `*_keygen()` helpers functions have been added to create secret
+keys for all constructions. This improves code clarity and can prevent keys
+from being partially initialized.
+ - A new `randombytes_buf_deterministic()` function was added to
+deterministically fill a memory region with pseudorandom data. This
+function can especially be useful to write reproducible tests.
+ - A preliminary `crypto_kx_*()` API was added to compute shared session
+keys.
+ - AVX2 detection is more reliable.
+ - The pthreads library is not required any more when using MingW.
+ - `contrib/Findsodium.cmake` was added as an example to include
+libsodium in a project using cmake.
+ - Compatibility with gcc 2.x has been restored.
+ - Minimal builds can be checked using `sodium_library_minimal()`.
+ - The `--enable-opt` compilation switch has become compatible with more
+platforms.
+ - Android builds are now using clang on platforms where it is
+available.
+
+* Version 1.0.11
+ - `sodium_init()` is now thread-safe, and can be safely called multiple
+times.
+ - Android binaries now properly support 64-bit Android, targeting
+platform 24, but without breaking compatibility with platforms 16 and
+21.
+ - Better support for old gcc versions.
+ - On FreeBSD, core dumps are disabled on regions allocated with
+sodium allocation functions.
+ - AVX2 detection was fixed, resulting in faster Blake2b hashing on
+platforms where it was not properly detected.
+ - The Sandy2x Curve25519 implementation was not as fast as expected
+on some platforms. This has been fixed.
+ - The NativeClient target was improved. Most notably, it now supports
+optimized implementations, and uses pepper_49 by default.
+ - The library can be compiled with recent Emscripten versions.
+Changes have been made to produce smaller code, and the default heap
+size was reduced in the standard version.
+ - The code can now be compiled on SLES11 service pack 4.
+ - Decryption functions can now accept a NULL pointer for the output.
+This checks the MAC without writing the decrypted message.
+ - crypto_generichash_final() now returns -1 if called twice.
+ - Support for Visual Studio 2008 was improved.
+
+* Version 1.0.10
+ - This release only fixes a compilation issue reported with some older
+gcc versions. There are no functional changes over the previous release.
+
+* Version 1.0.9
+ - The Javascript target now includes a `--sumo` option to include all
+the symbols of the original C library.
+ - A detached API was added to the ChaCha20-Poly1305 and AES256-GCM
+implementations.
+ - The Argon2i password hashing function was added, and is accessible
+directly and through a new, high-level `crypto_pwhash` API. The scrypt
+function remains available as well.
+ - A speed-record AVX2 implementation of BLAKE2b was added (thanks to
+Samuel Neves).
+ - The library can now be compiled using C++Builder (thanks to @jcolli44)
+ - Countermeasures for Ed25519 signatures malleability have been added
+to match the irtf-cfrg-eddsa draft (note that malleability is irrelevant to
+the standard definition of signature security). Signatures with a small-order
+`R` point are now also rejected.
+ - Some implementations are now slightly faster when using the Clang
+compiler.
+ - The HChaCha20 core function was implemented (`crypto_core_hchacha20()`).
+ - No-op stubs were added for all AES256-GCM public functions even when
+compiled on non-Intel platforms.
+ - `crypt_generichash_blake2b_statebytes()` was added.
+ - New macros were added for the IETF variant of the ChaCha20-Poly1305
+construction.
+ - The library can now be compiled on Minix.
+ - HEASLR is now enabled on MinGW builds.
+
+* Version 1.0.8
+ - Handle the case where the CPU supports AVX, but we are running
+on an hypervisor with AVX disabled/not supported.
+ - Faster (2x) scalarmult_base() when using the ref10 implementation.
+
+* Version 1.0.7
+ - More functions whose return value should be checked have been
+tagged with `__attribute__ ((warn_unused_result))`: `crypto_box_easy()`,
+`crypto_box_detached()`, `crypto_box_beforenm()`, `crypto_box()`, and
+`crypto_scalarmult()`.
+ - Sandy2x, the fastest Curve25519 implementation ever, has been
+merged in, and is automatically used on CPUs supporting the AVX
+instructions set.
+ - An SSE2 optimized implementation of Poly1305 was added, and is
+twice as fast as the portable one.
+ - An SSSE3 optimized implementation of ChaCha20 was added, and is
+twice as fast as the portable one.
+ - Faster `sodium_increment()` for common nonce sizes.
+ - New helper functions have been added: `sodium_is_zero()` and
+ `sodium_add()`.
+ - `sodium_runtime_has_aesni()` now properly detects the CPU flag when
+ compiled using Visual Studio.
+
+* Version 1.0.6
+ - Optimized implementations of Blake2 have been added for modern
+Intel platforms. `crypto_generichash()` is now faster than MD5 and SHA1
+implementations while being far more secure.
+ - Functions for which the return value should be checked have been
+tagged with `__attribute__ ((warn_unused_result))`. This will
+intentionally break code compiled with `-Werror` that didn't bother
+checking critical return values.
+ - The `crypto_sign_edwards25519sha512batch_*()` functions have been
+tagged as deprecated.
+ - Undocumented symbols that were exported, but were only useful for
+internal purposes have been removed or made private:
+`sodium_runtime_get_cpu_features()`, the implementation-specific
+`crypto_onetimeauth_poly1305_donna()` symbols,
+`crypto_onetimeauth_poly1305_set_implementation()`,
+`crypto_onetimeauth_poly1305_implementation_name()` and
+`crypto_onetimeauth_pick_best_implementation()`.
+ - `sodium_compare()` now works as documented, and compares numbers
+in little-endian format instead of behaving like `memcmp()`.
+ - The previous changes should not break actual applications, but to be
+safe, the library version major was incremented.
+ - `sodium_runtime_has_ssse3()` and `sodium_runtime_has_sse41()` have
+been added.
+ - The library can now be compiled with the CompCert compiler.
+
+* Version 1.0.5
+ - Compilation issues on some platforms were fixed: missing alignment
+directives were added (required at least on RHEL-6/i386), a workaround
+for a VRP bug on gcc/armv7 was added, and the library can now be compiled
+with the SunPro compiler.
+ - Javascript target: io.js is not supported any more. Use nodejs.
+
+* Version 1.0.4
+ - Support for AES256-GCM has been added. This requires
+a CPU with the aesni and pclmul extensions, and is accessible via the
+crypto_aead_aes256gcm_*() functions.
+ - The Javascript target doesn't use eval() any more, so that the
+library can be used in Chrome packaged applications.
+ - QNX and CloudABI are now supported.
+ - Support for NaCl has finally been added.
+ - ChaCha20 with an extended (96 bit) nonce and a 32-bit counter has
+been implemented as crypto_stream_chacha20_ietf(),
+crypto_stream_chacha20_ietf_xor() and crypto_stream_chacha20_ietf_xor_ic().
+An IETF-compatible version of ChaCha20Poly1305 is available as
+crypto_aead_chacha20poly1305_ietf_npubbytes(),
+crypto_aead_chacha20poly1305_ietf_encrypt() and
+crypto_aead_chacha20poly1305_ietf_decrypt().
+ - The sodium_increment() helper function has been added, to increment
+an arbitrary large number (such as a nonce).
+ - The sodium_compare() helper function has been added, to compare
+arbitrary large numbers (such as nonces, in order to prevent replay
+attacks).
+
+* Version 1.0.3
+ - In addition to sodium_bin2hex(), sodium_hex2bin() is now a
+constant-time function.
+ - crypto_stream_xsalsa20_ic() has been added.
+ - crypto_generichash_statebytes(), crypto_auth_*_statebytes() and
+crypto_hash_*_statebytes() have been added in order to retrieve the
+size of structures keeping states from foreign languages.
+ - The JavaScript target doesn't require /dev/urandom or an external
+randombytes() implementation any more. Other minor Emscripten-related
+improvements have been made in order to support libsodium.js
+ - Custom randombytes implementations do not need to provide their own
+implementation of randombytes_uniform() any more. randombytes_stir()
+and randombytes_close() can also be NULL pointers if they are not
+required.
+ - On Linux, getrandom(2) is being used instead of directly accessing
+/dev/urandom, if the kernel supports this system call.
+ - crypto_box_seal() and crypto_box_seal_open() have been added.
+ - Visual Studio 2015 is now supported.
+
+* Version 1.0.2
+ - The _easy and _detached APIs now support precalculated keys;
+crypto_box_easy_afternm(), crypto_box_open_easy_afternm(),
+crypto_box_detached_afternm() and crypto_box_open_detached_afternm()
+have been added as an alternative to the NaCl interface.
+ - Memory allocation functions can now be used on operating systems with
+no memory protection.
+ - crypto_sign_open() and crypto_sign_edwards25519sha512batch_open()
+now accept a NULL pointer instead of a pointer to the message size, if
+storing this information is not required.
+ - The close-on-exec flag is now set on the descriptor returned when
+opening /dev/urandom.
+ - A libsodium-uninstalled.pc file to use pkg-config even when
+libsodium is not installed, has been added.
+ - The iOS target now includes armv7s and arm64 optimized code, as well
+as i386 and x86_64 code for the iOS simulator.
+ - sodium_free() can now be called on regions with PROT_NONE protection.
+ - The Javascript tests can run on Ubuntu, where the node binary was
+renamed nodejs. io.js can also be used instead of node.
+
+* Version 1.0.1
+ - DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid
+collisions with similar macros defined by other libraries.
+ - sodium_bin2hex() is now constant-time.
+ - crypto_secretbox_detached() now supports overlapping input and output
+regions.
+ - NaCl's donna_c64 implementation of curve25519 was reading an extra byte
+past the end of the buffer containing the base point. This has been
+fixed.
+
+* Version 1.0.0
+ - The API and ABI are now stable. New features will be added, but
+backward-compatibility is guaranteed through all the 1.x.y releases.
+ - crypto_sign() properly works with overlapping regions again. Thanks
+to @pysiak for reporting this regression introduced in version 0.6.1.
+ - The test suite has been extended.
+
+* Version 0.7.1 (1.0 RC2)
+ - This is the second release candidate of Sodium 1.0. Minor
+compilation, readability and portability changes have been made and the
+test suite was improved, but the API is the same as the previous release
+candidate.
+
+* Version 0.7.0 (1.0 RC1)
+ - Allocating memory to store sensitive data can now be done using
+sodium_malloc() and sodium_allocarray(). These functions add guard
+pages around the protected data to make it less likely to be
+accessible in a heartbleed-like scenario. In addition, the protection
+for memory regions allocated that way can be changed using
+sodium_mprotect_noaccess(), sodium_mprotect_readonly() and
+sodium_mprotect_readwrite().
+ - ed25519 keys can be converted to curve25519 keys with
+crypto_sign_ed25519_pk_to_curve25519() and
+crypto_sign_ed25519_sk_to_curve25519(). This allows using the same
+keys for signature and encryption.
+ - The seed and the public key can be extracted from an ed25519 key
+using crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk().
+ - aes256 was removed. A timing-attack resistant implementation might
+be added later, but not before version 1.0 is tagged.
+ - The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was
+removed. Use crypto_pwhash_scryptsalsa208sha256_*.
+ - The compatibility layer for implementation-specific functions was
+removed.
+ - Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed.
+ - crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains
+the prefix produced by crypto_pwhash_scryptsalsa208sha256_str()
+
+* Version 0.6.1
+ - Important bug fix: when crypto_sign_open() was given a signed
+message too short to even contain a signature, it was putting an
+unlimited amount of zeros into the target buffer instead of
+immediately returning -1. The bug was introduced in version 0.5.0.
+ - New API: crypto_sign_detached() and crypto_sign_verify_detached()
+to produce and verify ed25519 signatures without having to duplicate
+the message.
+ - New ./configure switch: --enable-minimal, to create a smaller
+library, with only the functions required for the high-level API.
+Mainly useful for the JavaScript target and embedded systems.
+ - All the symbols are now exported by the Emscripten build script.
+ - The pkg-config .pc file is now always installed even if the
+pkg-config tool is not available during the installation.
+
+* Version 0.6.0
+ - The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_*
+ - The ChaCha20Poly1305 AEAD construction has been implemented, as
+crypto_aead_chacha20poly1305_*
+ - The _easy API does not require any heap allocations any more and
+does not have any overhead over the NaCl API. With the password
+hashing function being an obvious exception, the library doesn't
+allocate and will not allocate heap memory ever.
+ - crypto_box and crypto_secretbox have a new _detached API to store
+the authentication tag and the encrypted message separately.
+ - crypto_pwhash_scryptxsalsa208sha256*() functions have been renamed
+crypto_pwhash_scryptsalsa208sha256*().
+ - The low-level crypto_pwhash_scryptsalsa208sha256_ll() function
+allows setting individual parameters of the scrypt function.
+ - New macros and functions for recommended crypto_pwhash_* parameters
+have been added.
+ - Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair()
+has been introduced to deterministically generate a key pair from a seed.
+ - crypto_onetimeauth() now provides a streaming interface.
+ - crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic()
+have been added to use a non-zero initial block counter.
+ - On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which
+doesn't require the Crypt API.
+ - The high bit in curve25519 is masked instead of processing the key as
+a 256-bit value.
+ - The curve25519 ref implementation was replaced by the latest ref10
+implementation from Supercop.
+ - sodium_mlock() now prevents memory from being included in coredumps
+on Linux 3.4+
+
+* Version 0.5.0
+ - sodium_mlock()/sodium_munlock() have been introduced to lock pages
+in memory before storing sensitive data, and to zero them before
+unlocking them.
+ - High-level wrappers for crypto_box and crypto_secretbox
+(crypto_box_easy and crypto_secretbox_easy) can be used to avoid
+dealing with the specific memory layout regular functions depend on.
+ - crypto_pwhash_scryptsalsa208sha256* functions have been added
+to derive a key from a password, and for password storage.
+ - Salsa20 and ed25519 implementations now support overlapping
+inputs/keys/outputs (changes imported from supercop-20140505).
+ - New build scripts for Visual Studio, Emscripten, different Android
+architectures and msys2 are available.
+ - The poly1305-53 implementation has been replaced with Floodyberry's
+poly1305-donna32 and poly1305-donna64 implementations.
+ - sodium_hex2bin() has been added to complement sodium_bin2hex().
+ - On OpenBSD and Bitrig, arc4random() is used instead of reading
+/dev/urandom.
+ - crypto_auth_hmac_sha512() has been implemented.
+ - sha256 and sha512 now have a streaming interface.
+ - hmacsha256, hmacsha512 and hmacsha512256 now support keys of
+arbitrary length, and have a streaming interface.
+ - crypto_verify_64() has been implemented.
+ - first-class Visual Studio build system, thanks to @evoskuil
+ - CPU features are now detected at runtime.
+
+* Version 0.4.5
+ - Restore compatibility with OSX <= 10.6
+
+* Version 0.4.4
+ - Visual Studio is officially supported (VC 2010 & VC 2013)
+ - mingw64 is now supported
+ - big-endian architectures are now supported as well
+ - The donna_c64 implementation of curve25519_donna_c64 now handles
+non-canonical points like the ref implementation
+ - Missing scalarmult_curve25519 and stream_salsa20 constants are now exported
+ - A crypto_onetimeauth_poly1305_ref() wrapper has been added
+
+* Version 0.4.3
+ - crypto_sign_seedbytes() and crypto_sign_SEEDBYTES were added.
+ - crypto_onetimeauth_poly1305_implementation_name() was added.
+ - poly1305-ref has been replaced by a faster implementation,
+Floodyberry's poly1305-donna-unrolled.
+ - Stackmarkings have been added to assembly code, for Hardened Gentoo.
+ - pkg-config can now be used in order to retrieve compilations flags for
+using libsodium.
+ - crypto_stream_aes256estream_*() can now deal with unaligned input
+on platforms that require word alignment.
+ - portability improvements.
+
+* Version 0.4.2
+ - All NaCl constants are now also exposed as functions.
+ - The Android and iOS cross-compilation script have been improved.
+ - libsodium can now be cross-compiled to Windows from Linux.
+ - libsodium can now be compiled with emscripten.
+ - New convenience function (prototyped in utils.h): sodium_bin2hex().
+
+* Version 0.4.1
+ - sodium_version_*() functions were not exported in version 0.4. They
+are now visible as intended.
+ - sodium_init() now calls randombytes_stir().
+ - optimized assembly version of salsa20 is now used on amd64.
+ - further cleanups and enhanced compatibility with non-C99 compilers.
+
+* Version 0.4
+ - Most constants and operations are now available as actual functions
+instead of macros, making it easier to use from other languages.
+ - New operation: crypto_generichash, featuring a variable key size, a
+variable output size, and a streaming API. Currently implemented using
+Blake2b.
+ - The package can be compiled in a separate directory.
+ - aes128ctr functions are exported.
+ - Optimized versions of curve25519 (curve25519_donna_c64), poly1305
+(poly1305_53) and ed25519 (ed25519_ref10) are available. Optionally calling
+sodium_init() once before using the library makes it pick the fastest
+implementation.
+ - New convenience function: sodium_memzero() in order to securely
+wipe a memory area.
+ - A whole bunch of cleanups and portability enhancements.
+ - On Windows, a .REF file is generated along with the shared library,
+for use with Visual Studio. The installation path for these has become
+$prefix/bin as expected by MingW.
+
+* Version 0.3
+ - The crypto_shorthash operation has been added, implemented using
+SipHash-2-4.
+
+* Version 0.2
+ - crypto_sign_seed_keypair() has been added
+
+* Version 0.1
+ - Initial release.
+
diff --git a/libs/libsodium/docs/LICENSE b/libs/libsodium/docs/LICENSE
index 1553d6bb0f..365236e9b7 100644
--- a/libs/libsodium/docs/LICENSE
+++ b/libs/libsodium/docs/LICENSE
@@ -1,18 +1,18 @@
-/*
- * ISC License
- *
- * Copyright (c) 2013-2018
- * Frank Denis
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
+/*
+ * ISC License
+ *
+ * Copyright (c) 2013-2019
+ * Frank Denis
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
diff --git a/libs/libsodium/docs/THANKS b/libs/libsodium/docs/THANKS
index 0d0da788f3..f17c882167 100644
--- a/libs/libsodium/docs/THANKS
+++ b/libs/libsodium/docs/THANKS
@@ -1,91 +1,92 @@
-Special thanks to people, companies and organizations having written
-libsodium bindings for their favorite programming languages:
-
-@alethia7
-@artemisc
-@carblue
-@dnaq
-@ektrah
-@graxrabble
-@harleqin
-@joshjdevl
-@jrmarino
-@jshahbazi
-@lvh
-@neheb
-
-Adam Caudill (@adamcaudill)
-Alexander Morris (@alexpmorris)
-Amit Murthy (@amitmurthy)
-Andrew Bennett (@potatosalad)
-Andrew Lambert (@charonn0)
-Bruce Mitchener (@waywardmonkeys)
-Bruno Oliveira (@abstractj)
-Caolan McMahon (@caolan)
-Chris Rebert (@cvrebert)
-Christian Hermann (@bitbeans)
-Christian Wiese (@morfoh)
-Christian Wiese (@morfoh)
-Colm MacCárthaigh (@colmmacc)
-David Parrish (@dmp1ce)
-Donald Stufft (@dstufft)
-Douglas Campos (@qmx)
-Drew Crawford (@drewcrawford)
-Emil Bay (@emilbayes)
-Eric Dong (@quantum1423)
-Eric Voskuil (@evoskuil)
-Farid Hajji (@fhajji)
-Frank Siebenlist (@franks42)
-Gabriel Handford (@gabriel)
-Geo Carncross (@geocar)
-Henrik Gassmann (BurningEnlightenment)
-Jachym Holecek (@freza)
-Jack Wink (@jackwink)
-James Ruan (@jamesruan)
-Jan de Muijnck-Hughes (@jfdm)
-Jason McCampbell (@jasonmccampbell)
-Jeroen Habraken (@VeXocide)
-Jeroen Ooms (@jeroen)
-Jesper Louis Andersen (@jlouis)
-Joe Eli McIlvain (@jemc)
-Jonathan Stowe (@jonathanstowe)
-Joseph Abrahamson (@tel)
-Julien Kauffmann (@ereOn)
-Kenneth Ballenegger (@kballenegger)
-Loic Maury (@loicmaury)
-Michael Gorlick (@mgorlick)
-Michael Gregorowicz (@mgregoro)
-Michał Zieliński (@zielmicha)
-Omar Ayub (@electricFeel)
-Pedro Paixao (@paixaop)
-Project ArteMisc (@artemisc)
-Rich FitzJohn (@richfitz)
-Ruben De Visscher (@rubendv)
-Rudolf Von Krugstein (@rudolfvonkrugstein)
-Samuel Neves (@sneves)
-Scott Arciszewski (@paragonie-scott)
-Stanislav Ovsiannikov (@naphaso)
-Stefan Marsiske (@stef)
-Stephan Touset (@stouset)
-Stephen Chavez (@redragonx)
-Steve Gibson (@sggrc)
-Tony Arcieri (@bascule)
-Tony Garnock-Jones (@tonyg)
-Y. T. Chung (@zonyitoo)
-
-Bytecurry Software
-Cryptotronix
-Facebook
-FSF France
-MaidSafe
-Paragonie Initiative Enterprises
-Python Cryptographic Authority
-
-(this list may not be complete, if you don't see your name, please
-submit a pull request!)
-
-Also thanks to:
-
-- Coverity, Inc. to provide static analysis.
-- FSF France for providing access to their compilation servers.
-- Private Internet Access for having sponsored a complete security audit.
+Special thanks to people, companies and organizations having written
+libsodium bindings for their favorite programming languages:
+
+@alethia7
+@artemisc
+@carblue
+@dnaq
+@ektrah
+@graxrabble
+@harleqin
+@joshjdevl
+@jrmarino
+@jshahbazi
+@lvh
+@neheb
+
+Adam Caudill (@adamcaudill)
+Alexander Ilin (@AlexIljin)
+Alexander Morris (@alexpmorris)
+Amit Murthy (@amitmurthy)
+Andrew Bennett (@potatosalad)
+Andrew Lambert (@charonn0)
+Bruce Mitchener (@waywardmonkeys)
+Bruno Oliveira (@abstractj)
+Caolan McMahon (@caolan)
+Chris Rebert (@cvrebert)
+Christian Hermann (@bitbeans)
+Christian Wiese (@morfoh)
+Christian Wiese (@morfoh)
+Colm MacCárthaigh (@colmmacc)
+David Parrish (@dmp1ce)
+Donald Stufft (@dstufft)
+Douglas Campos (@qmx)
+Drew Crawford (@drewcrawford)
+Emil Bay (@emilbayes)
+Eric Dong (@quantum1423)
+Eric Voskuil (@evoskuil)
+Farid Hajji (@fhajji)
+Frank Siebenlist (@franks42)
+Gabriel Handford (@gabriel)
+Geo Carncross (@geocar)
+Henrik Gassmann (BurningEnlightenment)
+Jachym Holecek (@freza)
+Jack Wink (@jackwink)
+James Ruan (@jamesruan)
+Jan de Muijnck-Hughes (@jfdm)
+Jason McCampbell (@jasonmccampbell)
+Jeroen Habraken (@VeXocide)
+Jeroen Ooms (@jeroen)
+Jesper Louis Andersen (@jlouis)
+Joe Eli McIlvain (@jemc)
+Jonathan Stowe (@jonathanstowe)
+Joseph Abrahamson (@tel)
+Julien Kauffmann (@ereOn)
+Kenneth Ballenegger (@kballenegger)
+Loic Maury (@loicmaury)
+Michael Gorlick (@mgorlick)
+Michael Gregorowicz (@mgregoro)
+Michał Zieliński (@zielmicha)
+Omar Ayub (@electricFeel)
+Pedro Paixao (@paixaop)
+Project ArteMisc (@artemisc)
+Rich FitzJohn (@richfitz)
+Ruben De Visscher (@rubendv)
+Rudolf Von Krugstein (@rudolfvonkrugstein)
+Samuel Neves (@sneves)
+Scott Arciszewski (@paragonie-scott)
+Stanislav Ovsiannikov (@naphaso)
+Stefan Marsiske (@stef)
+Stephan Touset (@stouset)
+Stephen Chavez (@redragonx)
+Steve Gibson (@sggrc)
+Tony Arcieri (@bascule)
+Tony Garnock-Jones (@tonyg)
+Y. T. Chung (@zonyitoo)
+
+Bytecurry Software
+Cryptotronix
+Facebook
+FSF France
+MaidSafe
+Paragonie Initiative Enterprises
+Python Cryptographic Authority
+
+(this list may not be complete, if you don't see your name, please
+submit a pull request!)
+
+Also thanks to:
+
+- Coverity, Inc. to provide static analysis.
+- FSF France for providing access to their compilation servers.
+- Private Internet Access for having sponsored a complete security audit.
-- cgit v1.2.3