- Update to 1.0.21 (bsc#1256070, CVE-2025-15444, bsc#1255764, CVE-2025-69277):
small-order points that are not in the main subgroup
- A test designed to trigger an OOM condition didn't work on
Linux systems with memory overcommit turned on. It has been
- Emscripten: UTF8ToString() is now exported since
- New target: WebAssembly/WASI
- New functions to map a hash to an edwards25519 point
or get a random point:
- crypto_core_ed25519_scalar_mul() has been implemented for
- Support for the Ristretto group has been implemented for
- Bug fix: sodium_pad() didn't properly support block sizes
- JS/WebAssembly: some old iOS versions can't instantiate the
crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()didn't
returnEINVAL` on input strings with a short length, unlike
- Added a workaround for Visual Studio 2010 bug causing CPU
- New low-level APIs for arithmetic mod the order of the prime
- crypto_core_ed25519_scalar_random(),
- crypto_core_ed25519_scalar_invert(),
- crypto_core_ed25519_scalar_complement(),
crypto_core_ed25519_scalar_add() and
crypto_scalarmult_ed25519_base_noclamp() and
crypto_scalarmult_ed25519_noclamp().
- The nonnull attribute has been added to all relevant
* AVX2 detection is more reliable.
Intel platforms. crypto_generichash() is now faster than MD5 and
- Now that gcc 5.2 is available on TW, remove the ARMv7 workaround.
crypto_aead_chacha20poly1305_ietf_npubbytes(),
* In addition to sodium_bin2hex(), sodium_hex2bin() is now a
* crypto_generichash_statebytes(), crypto_auth_*_statebytes()
and crypto_hash_*_statebytes() have been added in order to
OBS-URL: https://build.opensuse.org/request/show/1329146
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsodium?expand=0&rev=30
small-order points that are not in the main subgroup
- A test designed to trigger an OOM condition didn't work on
Linux systems with memory overcommit turned on. It has been
- Emscripten: UTF8ToString() is now exported since
- New target: WebAssembly/WASI
- New functions to map a hash to an edwards25519 point
or get a random point:
- crypto_core_ed25519_scalar_mul() has been implemented for
- Support for the Ristretto group has been implemented for
- Bug fix: sodium_pad() didn't properly support block sizes
- JS/WebAssembly: some old iOS versions can't instantiate the
crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()didn't
returnEINVAL` on input strings with a short length, unlike
- Added a workaround for Visual Studio 2010 bug causing CPU
- New low-level APIs for arithmetic mod the order of the prime
- crypto_core_ed25519_scalar_random(),
- crypto_core_ed25519_scalar_invert(),
- crypto_core_ed25519_scalar_complement(),
crypto_core_ed25519_scalar_add() and
crypto_scalarmult_ed25519_base_noclamp() and
crypto_scalarmult_ed25519_noclamp().
- The nonnull attribute has been added to all relevant
* AVX2 detection is more reliable.
Intel platforms. crypto_generichash() is now faster than MD5 and
- Now that gcc 5.2 is available on TW, remove the ARMv7 workaround.
crypto_aead_chacha20poly1305_ietf_npubbytes(),
* In addition to sodium_bin2hex(), sodium_hex2bin() is now a
* crypto_generichash_statebytes(), crypto_auth_*_statebytes()
and crypto_hash_*_statebytes() have been added in order to
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libsodium?expand=0&rev=81
- Update to 1.0.21:
* The new crypto_ipcrypt_* functions implement mechanisms for securely
encrypting and anonymizing IP addresses.
* The sodium_bin2ip and sodium_ip2bin helper functions have been added to
complement the crypto_ipcrypt_* functions and easily convert addresses
between bytes and strings.
* XOF: the crypto_xof_shake* and crypto_xof_turboshake* functions are
* standard
extendable output functions. From input of any length, they can derive
output of any length with the same properties as hash functions. These
primitives are required by many post-quantum mechanisms, but can also be
used for a wide range of applications, including key derivation, session
encryption and more.
* Performance of AES256-GCM and AEGIS on ARM has been improved with some
compilers
* Security: optblockers have been introduced in critical code paths to prevent
compilers from introducing unwanted side channels via conditional jumps. This
was observed on RISC-V targets with specific compilers and options.
* Security: crypto_core_ed25519_is_valid_point() now properly rejects
small-order points that are not in the main subgroup [bsc#1256070, CVE-2025-15444]
* ((nonnull)) attributes have been relaxed on some crypto_stream* functions to
allow NULL output buffers when the output length is zero
* A cross-compilation issue with old clang versions has been fixed
* crypto_aead_aes256gcm_is_available is exported to JavaScript
* Security: memory fences have been added after MAC verification in AEAD to
prevent speculative access to plaintext before authentication is complete
* Assembly files now include .gnu.property notes for proper IBT and Shadow
Stack support when building with CET instrumentation.
- Add patch libsodium-Fix-compilation-with-GCC-on-aarch64.patch (forwarded request 1325970 from lmulling)
OBS-URL: https://build.opensuse.org/request/show/1325971
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsodium?expand=0&rev=29
- Update to 1.0.21:
* The new crypto_ipcrypt_* functions implement mechanisms for securely
encrypting and anonymizing IP addresses.
* The sodium_bin2ip and sodium_ip2bin helper functions have been added to
complement the crypto_ipcrypt_* functions and easily convert addresses
between bytes and strings.
* XOF: the crypto_xof_shake* and crypto_xof_turboshake* functions are
* standard
extendable output functions. From input of any length, they can derive
output of any length with the same properties as hash functions. These
primitives are required by many post-quantum mechanisms, but can also be
used for a wide range of applications, including key derivation, session
encryption and more.
* Performance of AES256-GCM and AEGIS on ARM has been improved with some
compilers
* Security: optblockers have been introduced in critical code paths to prevent
compilers from introducing unwanted side channels via conditional jumps. This
was observed on RISC-V targets with specific compilers and options.
* Security: crypto_core_ed25519_is_valid_point() now properly rejects
small-order points that are not in the main subgroup [bsc#1256070, CVE-2025-15444]
* ((nonnull)) attributes have been relaxed on some crypto_stream* functions to
allow NULL output buffers when the output length is zero
* A cross-compilation issue with old clang versions has been fixed
* crypto_aead_aes256gcm_is_available is exported to JavaScript
* Security: memory fences have been added after MAC verification in AEAD to
prevent speculative access to plaintext before authentication is complete
* Assembly files now include .gnu.property notes for proper IBT and Shadow
Stack support when building with CET instrumentation.
- Add patch libsodium-Fix-compilation-with-GCC-on-aarch64.patch
OBS-URL: https://build.opensuse.org/request/show/1325970
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libsodium?expand=0&rev=79
- Update to 1.0.18
- Enterprise versions of Visual Studio are now supported.
- Visual Studio 2019 is now supported.
- 32-bit binaries for Visual Studio 2010 are now provided.
- A test designed to trigger an OOM condition didn't work on
Linux systems with memory overcommit turned on. It has been
removed in order to fix Ansible builds.
- Emscripten: print and printErr functions are overridden to send
errors to the console, if there is one.
- Emscripten: UTF8ToString() is now exported since
Pointer_stringify() has been deprecated.
- Libsodium version detection has been fixed in the CMake recipe.
- Generic hashing got a 10% speedup on AVX2.
- New target: WebAssembly/WASI
(compile with dist-builds/wasm32-wasi.sh).
- New functions to map a hash to an edwards25519 point
or get a random point:
core_ed25519_from_hash() and core_ed25519_random().
- crypto_core_ed25519_scalar_mul() has been implemented for
scalar*scalar (mod L) multiplication.
- Support for the Ristretto group has been implemented for
interoperability with wasm-crypto.
- Improvements have been made to the test suite.
- Portability improvements have been made.
- getentropy() is now used on systems providing this system call.
- randombytes_salsa20 has been renamed to randombytes_internal.
- Support for NativeClient has been removed.
- Most ((nonnull)) attributes have been relaxed to allow 0-length
inputs to be NULL.
- The -ftree-vectorize and -ftree-slp-vectorize compiler switches
are now used, if available, for optimized builds.
OBS-URL: https://build.opensuse.org/request/show/710186
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libsodium?expand=0&rev=72
- Update to 1.0.17
- Bug fix: sodium_pad() didn't properly support block sizes
>= 256 bytes.
- JS/WebAssembly: some old iOS versions can't instantiate the
WebAssembly module; fall back to Javascript on these.
- JS/WebAssembly: compatibility with newer Emscripten versions.
- Bug fix: crypto_pwhash_scryptsalsa208sha256_str_verify() and
crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()didn't
returnEINVAL` on input strings with a short length, unlike
their high-level counterpart.
- Added a workaround for Visual Studio 2010 bug causing CPU
features not to be detected.
- Portability improvements.
- Test vectors from Project Wycheproof have been added.
- New low-level APIs for arithmetic mod the order of the prime
order group:
- crypto_core_ed25519_scalar_random(),
crypto_core_ed25519_scalar_reduce(),
- crypto_core_ed25519_scalar_invert(),
crypto_core_ed25519_scalar_negate(),
- crypto_core_ed25519_scalar_complement(),
crypto_core_ed25519_scalar_add() and
crypto_core_ed25519_scalar_sub().
- New low-level APIs for scalar multiplication without clamping:
crypto_scalarmult_ed25519_base_noclamp() and
crypto_scalarmult_ed25519_noclamp().
These new APIs are especially useful for blinding.
- sodium_sub() has been implemented.
- Support for WatchOS has been added.
- getrandom(2) is now used on FreeBSD 12+.
- The nonnull attribute has been added to all relevant
prototypes.
- More reliable AVX512 detection.
- Javascript/Webassembly builds now use dynamic memory growth.
OBS-URL: https://build.opensuse.org/request/show/670712
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libsodium?expand=0&rev=70
- Update to 1.0.16
* Signatures computations and verifications are now way faster
on 64-bit platforms with compilers supporting 128-bit
arithmetic (gcc, clang, icc). This includes the WebAssembly
target.
* New low-level APIs for computations over edwards25519:
crypto_scalarmult_ed25519(), crypto_scalarmult_ed25519_base(),
crypto_core_ed25519_is_valid_point(), crypto_core_ed25519_add(),
crypto_core_ed25519_sub() and crypto_core_ed25519_from_uniform()
(elligator representative to point).
* crypto_sign_open(), crypto_sign_verify_detached() and
crypto_sign_edwards25519sha512batch_open` now reject public
keys in non-canonical form in addition to low-order points.
* The library can be built with ED25519_NONDETERMINISTIC defined
in order to use synthetic nonces for EdDSA. This is disabled
by default.
* sodium_stackzero() was added to wipe content off the stack.
* The Salsa20-based PRNG example is now thread-safe on platforms
with support for thread-local storage, optionally mixes bits
from RDRAND.
* Argon2 and scrypt are slightly faster on Linux.
OBS-URL: https://build.opensuse.org/request/show/556722
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsodium?expand=0&rev=22
* Signatures computations and verifications are now way faster
on 64-bit platforms with compilers supporting 128-bit
arithmetic (gcc, clang, icc). This includes the WebAssembly
target.
* New low-level APIs for computations over edwards25519:
crypto_scalarmult_ed25519(), crypto_scalarmult_ed25519_base(),
crypto_core_ed25519_is_valid_point(), crypto_core_ed25519_add(),
crypto_core_ed25519_sub() and crypto_core_ed25519_from_uniform()
(elligator representative to point).
* crypto_sign_open(), crypto_sign_verify_detached() and
crypto_sign_edwards25519sha512batch_open` now reject public
keys in non-canonical form in addition to low-order points.
* The library can be built with ED25519_NONDETERMINISTIC defined
in order to use synthetic nonces for EdDSA. This is disabled
by default.
* sodium_stackzero() was added to wipe content off the stack.
* The Salsa20-based PRNG example is now thread-safe on platforms
with support for thread-local storage, optionally mixes bits
from RDRAND.
* Argon2 and scrypt are slightly faster on Linux.
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libsodium?expand=0&rev=63
- Refresh spec-file.
- Update to 1.0.15.
* Release notes: https://github.com/jedisct1/libsodium/releases/tag/1.0.15
* The default password hashing algorithm is now Argon2id.
* The pwhash_str_verify() function can still verify Argon2i hashes without any changes,
and pwhash() can still compute Argon2i hashes as well.
* The aes128ctr primitive was removed. It was slow, non-standard, not authenticated,
and didn't seem to be used by any opensource project.
* Argon2id required at least 3 passes like Argon2i, despite a minimum of 1
as defined by the OPSLIMIT_MIN constant. This has been fixed.
* The secretstream construction was slightly changed to be consistent with forthcoming variants.
* The Javascript and Webassembly versions have been merged, and the module now returns
a .ready promise that will resolve after the Webassembly code is loaded and compiled.
* Note that due to these incompatible changes, the library version major was bumped up.
OBS-URL: https://build.opensuse.org/request/show/532593
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libsodium?expand=0&rev=60
- Update to version 1.0.14
* Internal consistency checks failing and primitives used with
dangerous/out-of-bounds/invalid parameters used to call abort(3).
Now, a custom handler that doesn't return can be set with the
set_sodium_misuse() function. It still aborts by default or if
the handler ever returns. This is not a replacement for non-fatal,
expected runtime errors. This handler will be only called in
unexpected situations due to potential bugs in the library or in
language bindings.
* *_MESSAGEBYTES_MAX macros (and the corresponding _messagebytes_max()
symbols) have been added to represent the maximum message size that
can be safely handled by a primitive. Language bindings are
encouraged to check user inputs against these maximum lengths.
* The test suite has been extended to cover more edge cases.
* crypto_sign_ed25519_pk_to_curve25519() now rejects points that
are not on the curve, or not in the main subgroup.
* Further changes have been made to ensure that smart compilers
will not optimize out code that we don't want to be optimized.
* The sodium_runtime_has_* symbols for CPU features detection are
now defined as weak symbols, i.e. they can be replaced with an
application-defined implementation. This can be useful to
disable AVX* when temperature/power consumption is a concern.
* crypto_kx_*() now aborts if called with no non-NULL pointers
to store keys to.
* SSE2 implementations of crypto_verify_*() have been added.
* Passwords can be hashed using a specific algorithm with the new
crypto_pwhash_str_alg() function.
* Due to popular demand, base64 encoding (sodium_bin2base64())
and decoding (sodium_base642bin()) have been implemented.
* A new crypto_secretstream_*() API was added to safely encrypt
OBS-URL: https://build.opensuse.org/request/show/529173
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsodium?expand=0&rev=20
* Internal consistency checks failing and primitives used with
dangerous/out-of-bounds/invalid parameters used to call abort(3).
Now, a custom handler that doesn't return can be set with the
set_sodium_misuse() function. It still aborts by default or if
the handler ever returns. This is not a replacement for non-fatal,
expected runtime errors. This handler will be only called in
unexpected situations due to potential bugs in the library or in
language bindings.
* *_MESSAGEBYTES_MAX macros (and the corresponding _messagebytes_max()
symbols) have been added to represent the maximum message size that
can be safely handled by a primitive. Language bindings are
encouraged to check user inputs against these maximum lengths.
* The test suite has been extended to cover more edge cases.
* crypto_sign_ed25519_pk_to_curve25519() now rejects points that
are not on the curve, or not in the main subgroup.
* Further changes have been made to ensure that smart compilers
will not optimize out code that we don't want to be optimized.
* The sodium_runtime_has_* symbols for CPU features detection are
now defined as weak symbols, i.e. they can be replaced with an
application-defined implementation. This can be useful to
disable AVX* when temperature/power consumption is a concern.
* crypto_kx_*() now aborts if called with no non-NULL pointers
to store keys to.
* SSE2 implementations of crypto_verify_*() have been added.
* Passwords can be hashed using a specific algorithm with the new
crypto_pwhash_str_alg() function.
* Due to popular demand, base64 encoding (sodium_bin2base64())
and decoding (sodium_base642bin()) have been implemented.
* A new crypto_secretstream_*() API was added to safely encrypt
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libsodium?expand=0&rev=57
* Ed25519ph was implemented, adding a multi-part signature API
(crypto_sign_init(), crypto_sign_update(), crypto_sign_final_*()).
* New constants and related accessors have been added for Scrypt
and Argon2.
* XChaCha20 has been implemented. Like XSalsa20, this construction
extends the ChaCha20 cipher to accept a 192-bit nonce. This
makes it safe to use ChaCha20 with random nonces.
* crypto_secretbox, crypto_box and crypto_aead now offer variants
leveraging XChaCha20.
* SHA-2 is about 20% faster, which also gives a speed boost to
signature and signature verification.
* AVX2 implementations of Salsa20 and ChaCha20 have been added.
They are twice as fast as the SSE2 implementations. The speed
gain is even more significant on Windows, that previously
didn't use vectorized implementations.
* New high-level API: crypto_kdf, to easily derive one or more
subkeys from a master key.
* Siphash with a 128-bit output has been implemented, and is
available as crypto_shorthash_siphashx_*.
* New *_keygen() helpers functions have been added to create
secret keys for all constructions. This improves code clarity
and can prevent keys from being partially initialized.
* A new randombytes_buf_deterministic() function was added to
deterministically fill a memory region with pseudorandom data.
This function can especially be useful to write reproducible tests.
* A preliminary crypto_kx_*() API was added to compute shared
session keys.
* AVX2 detection is more reliable.
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libsodium?expand=0&rev=55
- Update to version 1.0.9
* A detached API was added to the ChaCha20-Poly1305 and AES256-GCM
implementations.
* The Argon2i password hashing function was added, and is accessible
directly and through a new, high-level crypto_pwhash API.
The scrypt function remains available as well.
* A speed-record AVX2 implementation of BLAKE2b was added.
* Countermeasures for Ed25519 signatures malleability have been
added to match the irtf-cfrg-eddsa draft.
* The HChaCha20 core function was implemented (crypto_core_hchacha20()).
* No-op stubs were added for all AES256-GCM public functions even
when compiled on non-Intel platforms.
* crypt_generichash_blake2b_statebytes() was added.
* New macros were added for the IETF variant of the ChaCha20-Poly1305
construction.
OBS-URL: https://build.opensuse.org/request/show/383238
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsodium?expand=0&rev=16
* A detached API was added to the ChaCha20-Poly1305 and AES256-GCM
implementations.
* The Argon2i password hashing function was added, and is accessible
directly and through a new, high-level crypto_pwhash API.
The scrypt function remains available as well.
* A speed-record AVX2 implementation of BLAKE2b was added.
* Countermeasures for Ed25519 signatures malleability have been
added to match the irtf-cfrg-eddsa draft.
* The HChaCha20 core function was implemented (crypto_core_hchacha20()).
* No-op stubs were added for all AES256-GCM public functions even
when compiled on non-Intel platforms.
* crypt_generichash_blake2b_statebytes() was added.
* New macros were added for the IETF variant of the ChaCha20-Poly1305
construction.
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libsodium?expand=0&rev=49
- Update to version 1.0.7
* Sandy2x, the fastest Curve25519 implementation ever,
has been merged in, and is automatically used on CPUs
supporting the AVX instructions set.
* An SSE2 optimized implementation of Poly1305 was added,
and is twice as fast as the portable one.
* An SSSE3 optimized implementation of ChaCha20 was added,
and is twice as fast as the portable one.
* Faster sodium_increment() for common nonce sizes.
* New helper functions have been added: sodium_is_zero()
and sodium_add().
- Follow upstream's lead and compile with -flto for > 13.2 on x86
and x86-64.
OBS-URL: https://build.opensuse.org/request/show/347947
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsodium?expand=0&rev=14
* Sandy2x, the fastest Curve25519 implementation ever,
has been merged in, and is automatically used on CPUs
supporting the AVX instructions set.
* An SSE2 optimized implementation of Poly1305 was added,
and is twice as fast as the portable one.
* An SSSE3 optimized implementation of ChaCha20 was added,
and is twice as fast as the portable one.
* Faster sodium_increment() for common nonce sizes.
* New helper functions have been added: sodium_is_zero()
and sodium_add().
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libsodium?expand=0&rev=45
- Update to 1.0.6
* Optimized implementations of Blake2 have been added for modern
Intel platforms. crypto_generichash() is now faster than MD5 and
SHA1 implementations while being far more secure.
* The crypto_sign_edwards25519sha512batch_*() functions have been
tagged as deprecated.
* sodium_compare() now works as documented, and compares numbers
in little-endian format instead of behaving like memcmp().
* sodium_runtime_has_ssse3() and sodium_runtime_has_sse41() have
been added.
OBS-URL: https://build.opensuse.org/request/show/342056
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsodium?expand=0&rev=13
* Optimized implementations of Blake2 have been added for modern
Intel platforms. crypto_generichash() is now faster than MD5 and
SHA1 implementations while being far more secure.
* The crypto_sign_edwards25519sha512batch_*() functions have been
tagged as deprecated.
* sodium_compare() now works as documented, and compares numbers
in little-endian format instead of behaving like memcmp().
* sodium_runtime_has_ssse3() and sodium_runtime_has_sse41() have
been added.
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libsodium?expand=0&rev=35
