Skip to content

Releases: jedisct1/libsodium

1.0.19

13 Sep 13:53
1.0.19-RELEASE
Compare
Choose a tag to compare

1.0.19

This release includes all the changes from 1.0.18-stable, as well as two additions:

  • New AEADs: AEGIS-128L and AEGIS-256 are now available in the crypto_aead_aegis128l_*() and crypto_aead_aegis256_*() namespaces. AEGIS is a family of authenticated ciphers for high-performance applications, leveraging hardware AES acceleration on x86_64 and aarch64. In addition to performance, AEGIS ciphers have unique properties making them easier and safer to use than AES-GCM. They can also be used as high-performance MACs.
  • The HKDF key derivation mechanism, required by many standard protocols, is now available in the crypto_kdf_hkdf_*() namespace. It is implemented for the SHA-256 and SHA-512 hash functions.
  • The osx.sh build script was renamed to macos.sh.
  • Support for android-mips was removed.

From 1.0.18-stable:

  • Visual Studio: support for Windows/ARM64 builds has been added.
  • Visual Studio: AVX512 implementations are enabled on supported CPUs.
  • Visual Studio: an MSVC 2022 solution was added.
  • Apple XCFramework: support for VisionOS was added.
  • Apple XCFranework: support for Catalyst was added.
  • Apple XCFramework: building the simulators is now optional.
  • iOS: bitcode is not generated any more, as it was deprecated by Apple.
  • watchOS: support for arm64 was added.
  • The Zig toolchain can now be used as a modern build system to replace autoconf/automake/libtool/make/ccache and the compiler. This enables faster compilation times, easier cross compilation, and static libraries optimized for any CPU.
  • The Zig toolchain is now the recommended way to compile libsodium to WebAssembly/WASI(X).
  • libsodium can now be added as a dependency to Zig projects.
  • Memory fences were added to remove some gadgets that could be used alongside speculative loads.
  • The AES-GCM implementation was completely rewritten. It is now faster, and also available on aarch64, including Windows/ARM64.
  • Compatibility with CET instrumentation / IBT / Shadow Stack was added.
  • Emscripten: the crypto_pwhash_*() functions have been removed from Sumo builds, as they reserve a substantial amount of JavaScript memory, even when not used.
  • Benchmarks now use CLOCK_MONOTONIC if possible.
  • WebAssembly: tests can now run using Bun, WasmEdge, Wazero, wasm3 and wasmer-js. Support for WAVM and Lucet have been removed, as these projects have reached EOL.
  • .NET: the minimum supported macOS version is now 1.0.15; this matches Microsoft guidelines.
  • .NET: all the packages are now built using Zig, on all platforms. This allows us to easily match Microsoft's requirements, including supported glibc versions. However, on x86_64, targets are expected to support at least the AVX instruction set.
  • .NET: packages for ARM64 are now available.
  • C23 memset_explicit() is now used, when available.
  • Compilation now uses -Ofast or -O3 instead of -O2 by default.
  • Portability improvements to help compile libsodium to modern game consoles.
  • JavaScript: a default unhandledRejection handler is not set any more.
  • Slightly faster 25519 operations.
  • OpenBSD: leverage MAP_CONCEAL.

1.0.18

30 May 21:02
1.0.18-RELEASE
Compare
Choose a tag to compare
  • Enterprise versions of Visual Studio are now supported.
  • Visual Studio 2019 is now supported.
  • 32-bit binaries for Visual Studio 2010 are now provided.
  • A test designed to trigger an OOM condition didn't work on Linux systems with memory overcommit turned on. It has been removed in order to fix Ansible builds.
  • Emscripten: print and printErr functions are overridden to send
    errors to the console, if there is one.
  • Emscripten: UTF8ToString() is now exported since Pointer_stringify()
    has been deprecated.
  • Libsodium version detection has been fixed in the CMake recipe.
  • Generic hashing got a 10% speedup on AVX2.
  • New target: WebAssembly/WASI (compile with dist-builds/wasm32-wasi.sh).
  • New functions to map a hash to an edwards25519 point or get a random point:
    core_ed25519_from_hash() and core_ed25519_random().
  • crypto_core_ed25519_scalar_mul() has been implemented for scalar*scalar (mod L) multiplication.
  • Support for the Ristretto group has been implemented for interoperability with wasm-crypto.
  • Improvements have been made to the test suite.
  • Portability improvements have been made.
  • getentropy() is now used on systems providing this system call.
  • randombytes_salsa20 has been renamed to randombytes_internal.
  • Support for NativeClient has been removed.
  • Most ((nonnull)) attributes have been relaxed to allow 0-length inputs
    to be NULL.
  • The -ftree-vectorize and -ftree-slp-vectorize compiler switches are
    now used, if available, for optimized builds.

IMG_1495

1.0.17

07 Jan 10:40
1.0.17
Compare
Choose a tag to compare
  • Bug fix: sodium_pad() didn't properly support block sizes >= 256 bytes.
  • JS/WebAssembly: some old iOS versions can't instantiate the WebAssembly module; fall back to Javascript on these.
  • JS/WebAssembly: compatibility with newer Emscripten versions.
  • Bug fix: crypto_pwhash_scryptsalsa208sha256_str_verify() and crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()didn't returnEINVAL` on input strings with a short length, unlike their high-level counterpart.
  • Added a workaround for Visual Studio 2010 bug causing CPU features not to be detected.
  • Portability improvements.
  • Test vectors from Project Wycheproof have been added.
  • New low-level APIs for arithmetic mod the order of the prime order group:
    crypto_core_ed25519_scalar_random(), crypto_core_ed25519_scalar_reduce(),
    crypto_core_ed25519_scalar_invert(), crypto_core_ed25519_scalar_negate(),
    crypto_core_ed25519_scalar_complement(), crypto_core_ed25519_scalar_add() and crypto_core_ed25519_scalar_sub().
  • New low-level APIs for scalar multiplication without clamping: crypto_scalarmult_ed25519_base_noclamp() and crypto_scalarmult_ed25519_noclamp(). These new APIs are especially useful for blinding.
  • sodium_sub() has been implemented.
  • Support for WatchOS has been added.
  • getrandom(2) is now used on FreeBSD 12+.
  • The nonnull attribute has been added to all relevant prototypes.
  • More reliable AVX512 detection.
  • Javascript/Webassembly builds now use dynamic memory growth.

1.0.16

13 Dec 14:59
1.0.16
Compare
Choose a tag to compare
  • Signatures computations and verifications are now way faster on 64-bit platforms with compilers supporting 128-bit arithmetic (gcc, clang, icc). This includes the WebAssembly target.
  • New low-level APIs for computations over edwards25519: crypto_scalarmult_ed25519(), crypto_scalarmult_ed25519_base(), crypto_core_ed25519_is_valid_point(), crypto_core_ed25519_add(),
    crypto_core_ed25519_sub() and crypto_core_ed25519_from_uniform() (elligator representative to point).
  • crypto_sign_open(), crypto_sign_verify_detached() and crypto_sign_edwards25519sha512batch_open` now reject public keys in non-canonical form in addition to low-order points.
  • The library can be built with ED25519_NONDETERMINISTIC defined in order to use synthetic nonces for EdDSA. This is disabled by default.
  • Webassembly: crypto_pwhash_*() functions are now included in non-sumo builds.
  • sodium_stackzero() was added to wipe content off the stack.
  • Android: support new SDKs where unified headers have become the default.
  • The Salsa20-based PRNG example is now thread-safe on platforms with support for thread-local storage, optionally mixes bits from RDRAND.
  • CMAKE: static library detection on Unix systems has been improved (thanks to @BurningEnlightenment, @nibua-r, @mellery451)
  • Argon2 and scrypt are slightly faster on Linux.

1.0.15

01 Oct 15:30
1.0.15
Compare
Choose a tag to compare
  • The default password hashing algorithm is now Argon2id. The pwhash_str_verify() function can still verify Argon2i hashes without any changes, and pwhash() can still compute Argon2i hashes as well.
  • The aes128ctr primitive was removed. It was slow, non-standard, not authenticated, and didn't seem to be used by any opensource project.
  • Argon2id required at least 3 passes like Argon2i, despite a minimum of 1 as defined by the OPSLIMIT_MIN constant. This has been fixed.
  • The secretstream construction was slightly changed to be consistent with forthcoming variants.
  • The Javascript and Webassembly versions have been merged, and the module now returns a .ready promise that will resolve after the Webassembly code is loaded and compiled.
  • Note that due to these incompatible changes, the library version major was bumped up.

1.0.14

21 Sep 23:21
1.0.14
Compare
Choose a tag to compare
  • iOS binaries should now be compatible with WatchOS and TVOS.
  • WebAssembly is now officially supported. Special thanks to @facekapow and @pepyakin who helped to make it happen.
  • Internal consistency checks failing and primitives used with dangerous/out-of-bounds/invalid parameters used to call abort(3). Now, a custom handler that doesn't return can be set with the set_sodium_misuse() function. It still aborts by default or if the handler ever returns. This is not a replacement for non-fatal, expected runtime errors. This handler will be only called in unexpected situations due to potential bugs in the library or in language bindings.
  • *_MESSAGEBYTES_MAX macros (and the corresponding _messagebytes_max() symbols) have been added to represent the maximum message size that can be safely handled by a primitive. Language bindings are encouraged to check user inputs against these maximum lengths.
  • The test suite has been extended to cover more edge cases.
  • crypto_sign_ed25519_pk_to_curve25519() now rejects points that are not on the curve, or not in the main subgroup.
  • Further changes have been made to ensure that smart compilers will not optimize out code that we don't want to be optimized.
  • Visual Studio solutions are now included in distribution tarballs.
  • The sodium_runtime_has_* symbols for CPU features detection are now defined as weak symbols, i.e. they can be replaced with an application-defined implementation. This can be useful to disable AVX* when temperature/power consumption is a concern.
  • crypto_kx_*() now aborts if called with no non-NULL pointers to store keys to.
  • SSE2 implementations of crypto_verify_*() have been added.
  • Passwords can be hashed using a specific algorithm with the new crypto_pwhash_str_alg() function.
  • Due to popular demand, base64 encoding (sodium_bin2base64()) and decoding (sodium_base642bin()) have been implemented.
  • A new crypto_secretstream_*() API was added to safely encrypt files and multi-part messages.
  • The sodium_pad() and sodium_unpad() helper functions have been added in order to add & remove padding.
  • An AVX512 optimized implementation of Argon2 has been added (written by Ondrej Mosnáček, thanks!)
  • The crypto_pwhash_str_needs_rehash() function was added to check if a password hash string matches the given parameters, or if it needs an update.
  • The library can now be compiled with recent versions of emscripten/binaryen that don't allow multiple variables declarations using a single var statement.

1.0.13

15 Jul 18:26
1.0.13
Compare
Choose a tag to compare
  • Javascript: the sumo builds now include all symbols. They were previously limited to symbols defined in minimal builds.
  • The public crypto_pwhash_argon2i_MEMLIMIT_MAX constant was incorrectly defined on 32-bit platforms. This has been fixed.
  • Version 1.0.12 didn't compile on OpenBSD/i386 using the base gcc compiler. This has been fixed.
  • The Android compilation scripts have been updated for NDK r14b.
  • armv7s-optimized code was re-added to iOS builds.
  • An AVX2 optimized implementation of the Argon2 round function was added.
  • The Argon2id variant of Argon2 has been implemented. The high-level crypto_pwhash_str_verify() function automatically detects the algorithm and can verify both Argon2i and Argon2id hashed passwords.
    The default algorithm for newly hashed passwords remains Argon2i in this version to avoid breaking compatibility with verifiers running libsodium <= 1.0.12.
  • A crypto_box_curve25519xchacha20poly1305_seal*() function set was implemented.
  • scrypt was removed from minimal builds.
  • libsodium is now available on NuGet.

1.0.12

13 Mar 08:27
1.0.12
Compare
Choose a tag to compare
  • Ed25519ph was implemented, adding a multi-part signature API (crypto_sign_init(), crypto_sign_update(), crypto_sign_final_*()).
  • New constants and related accessors have been added for Scrypt and Argon2.
  • XChaCha20 has been implemented. Like XSalsa20, this construction extends the ChaCha20 cipher to accept a 192-bit nonce. This makes it safe to use ChaCha20 with random nonces.
  • crypto_secretbox, crypto_box and crypto_aead now offer variants leveraging XChaCha20.
  • SHA-2 is about 20% faster, which also gives a speed boost to signature and signature verification.
  • AVX2 implementations of Salsa20 and ChaCha20 have been added. They are twice as fast as the SSE2 implementations. The speed gain is even more significant on Windows, that previously didn't use vectorized implementations.
  • New high-level API: crypto_kdf, to easily derive one or more subkeys from a master key.
  • Siphash with a 128-bit output has been implemented, and is available as crypto_shorthash_siphashx_*.
  • New *_keygen() helpers functions have been added to create secret keys for all constructions. This improves code clarity and can prevent keys from being partially initialized.
  • A new randombytes_buf_deterministic() function was added to deterministically fill a memory region with pseudorandom data. This function can especially be useful to write reproducible tests.
  • A crypto_kx_*() API was added to compute shared session keys.
  • AVX2 detection is more reliable.
  • The pthreads library is not required any more when using MingW.
  • contrib/Findsodium.cmake was added as an example to include libsodium in a project using cmake.
  • Compatibility with gcc 2.x has been restored.
  • Minimal builds can be checked using sodium_library_minimal().
  • The --enable-opt compilation switch has become compatible with more platforms.
  • Android builds are now using clang on platforms where it is available.

Pie from PIE

1.0.11

31 Jul 16:13
1.0.11
Compare
Choose a tag to compare
  • sodium_init() is now thread-safe, and can be safely called multiple times.
  • Android binaries now properly support 64-bit Android, targeting platform 24, but without breaking compatibility with platforms 16 and 21.
  • Better support for old gcc versions.
  • On FreeBSD, core dumps are disabled on regions allocated with sodium allocation functions.
  • AVX2 detection was fixed, resulting in faster BLAKE2b hashing on platforms where it was not properly detected.
  • The Sandy2x Curve25519 implementation was not as fast as expected on some platforms. This has been fixed.
  • The NativeClient target was improved. Most notably, it now supports optimized implementations, and uses pepper_49 by default.
  • The library can be compiled with recent Emscripten versions. Changes have been made to produce smaller code, and the default heap size was reduced in the standard version.
  • The code can now be compiled on SLES11 service pack 4.
  • Decryption functions can now accept a NULL pointer for the output. This checks the MAC without writing the decrypted message.
  • crypto_generichash_final() now returns -1 if called twice.
  • Support for Visual Studio 2008 was improved.

1.0.10

04 Apr 20:01
1.0.10
Compare
Choose a tag to compare
  • This release only fixes a compilation issue reported with some older gcc versions. There are no functional changes over the previous release.