Be notified of new releases
Create your free GitHub account today to subscribe to this repository for new releases and build software alongside 28 million developers.Sign up
- Signatures computations and verifications are now way faster on 64-bit platforms with compilers supporting 128-bit arithmetic (gcc, clang, icc). This includes the WebAssembly target.
- New low-level APIs for computations over edwards25519:
crypto_core_ed25519_from_uniform()(elligator representative to point).
crypto_sign_verify_detached() andcrypto_sign_edwards25519sha512batch_open` now reject public keys in non-canonical form in addition to low-order points.
- The library can be built with
ED25519_NONDETERMINISTICdefined in order to use synthetic nonces for EdDSA. This is disabled by default.
crypto_pwhash_*()functions are now included in non-sumo builds.
sodium_stackzero()was added to wipe content off the stack.
- Android: support new SDKs where unified headers have become the default.
- The Salsa20-based PRNG example is now thread-safe on platforms with support for thread-local storage, optionally mixes bits from RDRAND.
- CMAKE: static library detection on Unix systems has been improved (thanks to @BurningEnlightenment, @nibua-r, @mellery451)
- Argon2 and scrypt are slightly faster on Linux.
- The default password hashing algorithm is now Argon2id. The
pwhash_str_verify()function can still verify Argon2i hashes without any changes, and
pwhash()can still compute Argon2i hashes as well.
- The aes128ctr primitive was removed. It was slow, non-standard, not authenticated, and didn't seem to be used by any opensource project.
- Argon2id required at least 3 passes like Argon2i, despite a minimum of
1as defined by the
OPSLIMIT_MINconstant. This has been fixed.
- The secretstream construction was slightly changed to be consistent with forthcoming variants.
.readypromise that will resolve after the Webassembly code is loaded and compiled.
- Note that due to these incompatible changes, the library version major was bumped up.
- iOS binaries should now be compatible with WatchOS and TVOS.
- WebAssembly is now officially supported. Special thanks to @facekapow and @pepyakin who helped to make it happen.
- Internal consistency checks failing and primitives used with dangerous/out-of-bounds/invalid parameters used to call abort(3). Now, a custom handler that doesn't return can be set with the
set_sodium_misuse()function. It still aborts by default or if the handler ever returns. This is not a replacement for non-fatal, expected runtime errors. This handler will be only called in unexpected situations due to potential bugs in the library or in language bindings.
*_MESSAGEBYTES_MAXmacros (and the corresponding
_messagebytes_max()symbols) have been added to represent the maximum message size that can be safely handled by a primitive. Language bindings are encouraged to check user inputs against these maximum lengths.
- The test suite has been extended to cover more edge cases.
crypto_sign_ed25519_pk_to_curve25519()now rejects points that are not on the curve, or not in the main subgroup.
- Further changes have been made to ensure that smart compilers will not optimize out code that we don't want to be optimized.
- Visual Studio solutions are now included in distribution tarballs.
sodium_runtime_has_*symbols for CPU features detection are now defined as weak symbols, i.e. they can be replaced with an application-defined implementation. This can be useful to disable AVX* when temperature/power consumption is a concern.
crypto_kx_*()now aborts if called with no non-NULL pointers to store keys to.
- SSE2 implementations of
crypto_verify_*()have been added.
- Passwords can be hashed using a specific algorithm with the new
- Due to popular demand, base64 encoding (
sodium_bin2base64()) and decoding (
sodium_base642bin()) have been implemented.
- A new
crypto_secretstream_*()API was added to safely encrypt files and multi-part messages.
sodium_unpad()helper functions have been added in order to add & remove padding.
- An AVX512 optimized implementation of Argon2 has been added (written by Ondrej Mosnáček, thanks!)
crypto_pwhash_str_needs_rehash()function was added to check if a password hash string matches the given parameters, or if it needs an update.
- The library can now be compiled with recent versions of emscripten/binaryen that don't allow multiple variables declarations using a single
- The public
crypto_pwhash_argon2i_MEMLIMIT_MAXconstant was incorrectly defined on 32-bit platforms. This has been fixed.
- Version 1.0.12 didn't compile on OpenBSD/i386 using the base gcc compiler. This has been fixed.
- The Android compilation scripts have been updated for NDK r14b.
- armv7s-optimized code was re-added to iOS builds.
- An AVX2 optimized implementation of the Argon2 round function was added.
- The Argon2id variant of Argon2 has been implemented. The high-level
crypto_pwhash_str_verify()function automatically detects the algorithm and can verify both Argon2i and Argon2id hashed passwords.
The default algorithm for newly hashed passwords remains Argon2i in this version to avoid breaking compatibility with verifiers running libsodium <= 1.0.12.
crypto_box_curve25519xchacha20poly1305_seal*()function set was implemented.
- scrypt was removed from minimal builds.
- libsodium is now available on NuGet.
- Ed25519ph was implemented, adding a multi-part signature API (
- New constants and related accessors have been added for Scrypt and Argon2.
- XChaCha20 has been implemented. Like XSalsa20, this construction extends the ChaCha20 cipher to accept a 192-bit nonce. This makes it safe to use ChaCha20 with random nonces.
crypto_aeadnow offer variants leveraging XChaCha20.
- SHA-2 is about 20% faster, which also gives a speed boost to signature and signature verification.
- AVX2 implementations of Salsa20 and ChaCha20 have been added. They are twice as fast as the SSE2 implementations. The speed gain is even more significant on Windows, that previously didn't use vectorized implementations.
- New high-level API:
crypto_kdf, to easily derive one or more subkeys from a master key.
- Siphash with a 128-bit output has been implemented, and is available as
*_keygen()helpers functions have been added to create secret keys for all constructions. This improves code clarity and can prevent keys from being partially initialized.
- A new
randombytes_buf_deterministic()function was added to deterministically fill a memory region with pseudorandom data. This function can especially be useful to write reproducible tests.
crypto_kx_*()API was added to compute shared session keys.
- AVX2 detection is more reliable.
- The pthreads library is not required any more when using MingW.
contrib/Findsodium.cmakewas added as an example to include libsodium in a project using cmake.
- Compatibility with gcc 2.x has been restored.
- Minimal builds can be checked using
--enable-optcompilation switch has become compatible with more platforms.
- Android builds are now using clang on platforms where it is available.
sodium_init()is now thread-safe, and can be safely called multiple times.
- Android binaries now properly support 64-bit Android, targeting platform 24, but without breaking compatibility with platforms 16 and 21.
- Better support for old gcc versions.
- On FreeBSD, core dumps are disabled on regions allocated with sodium allocation functions.
- AVX2 detection was fixed, resulting in faster BLAKE2b hashing on platforms where it was not properly detected.
- The Sandy2x Curve25519 implementation was not as fast as expected on some platforms. This has been fixed.
- The NativeClient target was improved. Most notably, it now supports optimized implementations, and uses
- The library can be compiled with recent Emscripten versions. Changes have been made to produce smaller code, and the default heap size was reduced in the standard version.
- The code can now be compiled on SLES11 service pack 4.
- Decryption functions can now accept a NULL pointer for the output. This checks the MAC without writing the decrypted message.
-1if called twice.
- Support for Visual Studio 2008 was improved.
- This release only fixes a compilation issue reported with some older gcc versions. There are no functional changes over the previous release.
--sumooption to include all the symbols of the original C library.
- A detached API was added to the ChaCha20-Poly1305 and AES256-GCM implementations.
- The Argon2i password hashing function was added, and is accessible directly and through a new, high-level
crypto_pwhashAPI. The scrypt function remains available as well.
- A speed-record AVX2 implementation of BLAKE2b was added (thanks to Samuel Neves).
- The library can now be compiled using C++Builder (thanks to @jcolli44)
- Countermeasures for Ed25519 signatures malleability have been added to match the irtf-cfrg-eddsa draft (note that malleability is irrelevant to the standard definition of signature security). Signatures with a small-order
Rpoint are now also rejected.
- Some implementations are now slightly faster when using the Clang compiler.
- The HChaCha20 core function was implemented (
- No-op stubs were added for all AES256-GCM public functions even when compiled on non-Intel platforms.
- New macros were added for the IETF variant of the ChaCha20-Poly1305 construction.
- The library can now be compiled on Minix.
- HEASLR is now enabled on MinGW builds.
* , _/^\_ < > * /.-.\ * * `/&\` * ,@.*;@, /_o.I %_\ * * (`'--:o(_@; /`;--.,__ `') * ;@`o % O,*`'`&\ * (`'--)_@ ;o %'()\ * /`;--._`''--._O'@; /&*,()~o`;-.,_ `""`) * /`,@ ;+& () o*`;-';\ (`""--.,_0 +% @' &()\ /-.,_ ``''--....-'`) * * /@%;o`:;'--,.__ __.'\ ;*,&(); @ % &^;~`"`o;@(); * /(); o^~; & ().o@*&`;&%O\ `"="==""==,,,.,="=="==="` __.----.(\-''#####---...___...-----._ '` \)_`"""""` .--' ') o( )_-\ `"""` `
- Handle the case where the CPU supports AVX, but we are running on an hypervisor with AVX disabled/not supported.
- Faster (2x)
scalarmult_base()when using the ref10 implementation.
- More functions whose return value should be checked have been tagged with
- Sandy2x, the fastest Curve25519 implementation ever, has been merged in, and is automatically used on CPUs supporting the AVX instructions set.
- An SSE2 optimized implementation of Poly1305 was added, and is twice as fast as the portable one.
- An SSSE3 optimized implementation of ChaCha20 was added, and is twice as fast as the portable one.
sodium_increment()for common nonce sizes.
- New helper functions have been added:
sodium_runtime_has_aesni()now properly detects the CPU flag when compiled using Visual Studio.