fd057f54b8
- Update to 1.0.21 (bsc#1256070, CVE-2025-15444, bsc#1255764, CVE-2025-69277): small-order points that are not in the main subgroup - A test designed to trigger an OOM condition didn't work on Linux systems with memory overcommit turned on. It has been - Emscripten: UTF8ToString() is now exported since - New target: WebAssembly/WASI - New functions to map a hash to an edwards25519 point or get a random point: - crypto_core_ed25519_scalar_mul() has been implemented for - Support for the Ristretto group has been implemented for - Bug fix: sodium_pad() didn't properly support block sizes - JS/WebAssembly: some old iOS versions can't instantiate the crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()didn't returnEINVAL` on input strings with a short length, unlike - Added a workaround for Visual Studio 2010 bug causing CPU - New low-level APIs for arithmetic mod the order of the prime - crypto_core_ed25519_scalar_random(), - crypto_core_ed25519_scalar_invert(), - crypto_core_ed25519_scalar_complement(), crypto_core_ed25519_scalar_add() and crypto_scalarmult_ed25519_base_noclamp() and crypto_scalarmult_ed25519_noclamp(). - The nonnull attribute has been added to all relevant * AVX2 detection is more reliable. Intel platforms. crypto_generichash() is now faster than MD5 and - Now that gcc 5.2 is available on TW, remove the ARMv7 workaround. crypto_aead_chacha20poly1305_ietf_npubbytes(), * In addition to sodium_bin2hex(), sodium_hex2bin() is now a * crypto_generichash_statebytes(), crypto_auth_*_statebytes() and crypto_hash_*_statebytes() have been added in order to
Dirk Mueller2026-01-26 08:03:49 +00:00
1e84673dd2
Accepting request 1325971 from devel:libraries:c_c++
Ana Guerrero2026-01-09 16:02:49 +00:00
7359fdabda
- Update to 1.0.16 * Signatures computations and verifications are now way faster on 64-bit platforms with compilers supporting 128-bit arithmetic (gcc, clang, icc). This includes the WebAssembly target. * New low-level APIs for computations over edwards25519: crypto_scalarmult_ed25519(), crypto_scalarmult_ed25519_base(), crypto_core_ed25519_is_valid_point(), crypto_core_ed25519_add(), crypto_core_ed25519_sub() and crypto_core_ed25519_from_uniform() (elligator representative to point). * crypto_sign_open(), crypto_sign_verify_detached() and crypto_sign_edwards25519sha512batch_open` now reject public keys in non-canonical form in addition to low-order points. * The library can be built with ED25519_NONDETERMINISTIC defined in order to use synthetic nonces for EdDSA. This is disabled by default. * sodium_stackzero() was added to wipe content off the stack. * The Salsa20-based PRNG example is now thread-safe on platforms with support for thread-local storage, optionally mixes bits from RDRAND. * Argon2 and scrypt are slightly faster on Linux.
Ismail Dönmez
2017-12-13 16:14:24 +00:00
8318bdafcf
- Update to 1.0.16 * Signatures computations and verifications are now way faster on 64-bit platforms with compilers supporting 128-bit arithmetic (gcc, clang, icc). This includes the WebAssembly target. * New low-level APIs for computations over edwards25519: crypto_scalarmult_ed25519(), crypto_scalarmult_ed25519_base(), crypto_core_ed25519_is_valid_point(), crypto_core_ed25519_add(), crypto_core_ed25519_sub() and crypto_core_ed25519_from_uniform() (elligator representative to point). * crypto_sign_open(), crypto_sign_verify_detached() and crypto_sign_edwards25519sha512batch_open` now reject public keys in non-canonical form in addition to low-order points. * The library can be built with ED25519_NONDETERMINISTIC defined in order to use synthetic nonces for EdDSA. This is disabled by default. * sodium_stackzero() was added to wipe content off the stack. * The Salsa20-based PRNG example is now thread-safe on platforms with support for thread-local storage, optionally mixes bits from RDRAND. * Argon2 and scrypt are slightly faster on Linux.
Ismail Dönmez
2017-12-13 16:14:24 +00:00
42913c0779
- Update to version 1.0.14 * Internal consistency checks failing and primitives used with dangerous/out-of-bounds/invalid parameters used to call abort(3). Now, a custom handler that doesn't return can be set with the set_sodium_misuse() function. It still aborts by default or if the handler ever returns. This is not a replacement for non-fatal, expected runtime errors. This handler will be only called in unexpected situations due to potential bugs in the library or in language bindings. * *_MESSAGEBYTES_MAX macros (and the corresponding _messagebytes_max() symbols) have been added to represent the maximum message size that can be safely handled by a primitive. Language bindings are encouraged to check user inputs against these maximum lengths. * The test suite has been extended to cover more edge cases. * crypto_sign_ed25519_pk_to_curve25519() now rejects points that are not on the curve, or not in the main subgroup. * Further changes have been made to ensure that smart compilers will not optimize out code that we don't want to be optimized. * The sodium_runtime_has_* symbols for CPU features detection are now defined as weak symbols, i.e. they can be replaced with an application-defined implementation. This can be useful to disable AVX* when temperature/power consumption is a concern. * crypto_kx_*() now aborts if called with no non-NULL pointers to store keys to. * SSE2 implementations of crypto_verify_*() have been added. * Passwords can be hashed using a specific algorithm with the new crypto_pwhash_str_alg() function. * Due to popular demand, base64 encoding (sodium_bin2base64()) and decoding (sodium_base642bin()) have been implemented. * A new crypto_secretstream_*() API was added to safely encrypt
Ismail Dönmez
2017-09-28 20:06:20 +00:00
50350b1260
- Update to version 1.0.14 * Internal consistency checks failing and primitives used with dangerous/out-of-bounds/invalid parameters used to call abort(3). Now, a custom handler that doesn't return can be set with the set_sodium_misuse() function. It still aborts by default or if the handler ever returns. This is not a replacement for non-fatal, expected runtime errors. This handler will be only called in unexpected situations due to potential bugs in the library or in language bindings. * *_MESSAGEBYTES_MAX macros (and the corresponding _messagebytes_max() symbols) have been added to represent the maximum message size that can be safely handled by a primitive. Language bindings are encouraged to check user inputs against these maximum lengths. * The test suite has been extended to cover more edge cases. * crypto_sign_ed25519_pk_to_curve25519() now rejects points that are not on the curve, or not in the main subgroup. * Further changes have been made to ensure that smart compilers will not optimize out code that we don't want to be optimized. * The sodium_runtime_has_* symbols for CPU features detection are now defined as weak symbols, i.e. they can be replaced with an application-defined implementation. This can be useful to disable AVX* when temperature/power consumption is a concern. * crypto_kx_*() now aborts if called with no non-NULL pointers to store keys to. * SSE2 implementations of crypto_verify_*() have been added. * Passwords can be hashed using a specific algorithm with the new crypto_pwhash_str_alg() function. * Due to popular demand, base64 encoding (sodium_bin2base64()) and decoding (sodium_base642bin()) have been implemented. * A new crypto_secretstream_*() API was added to safely encrypt
Ismail Dönmez
2017-09-28 20:06:20 +00:00
b5939dfa8f
- Update to version 1.0.12 * Ed25519ph was implemented, adding a multi-part signature API (crypto_sign_init(), crypto_sign_update(), crypto_sign_final_*()). * New constants and related accessors have been added for Scrypt and Argon2. * XChaCha20 has been implemented. Like XSalsa20, this construction extends the ChaCha20 cipher to accept a 192-bit nonce. This makes it safe to use ChaCha20 with random nonces. * crypto_secretbox, crypto_box and crypto_aead now offer variants leveraging XChaCha20. * SHA-2 is about 20% faster, which also gives a speed boost to signature and signature verification. * AVX2 implementations of Salsa20 and ChaCha20 have been added. They are twice as fast as the SSE2 implementations. The speed gain is even more significant on Windows, that previously didn't use vectorized implementations. * New high-level API: crypto_kdf, to easily derive one or more subkeys from a master key. * Siphash with a 128-bit output has been implemented, and is available as crypto_shorthash_siphashx_*. * New *_keygen() helpers functions have been added to create secret keys for all constructions. This improves code clarity and can prevent keys from being partially initialized. * A new randombytes_buf_deterministic() function was added to deterministically fill a memory region with pseudorandom data. This function can especially be useful to write reproducible tests. * A preliminary crypto_kx_*() API was added to compute shared session keys. * AVX2 detection is more reliable.
Ismail Dönmez
2017-03-13 09:21:37 +00:00
c085c98d56
- Update to version 1.0.12 * Ed25519ph was implemented, adding a multi-part signature API (crypto_sign_init(), crypto_sign_update(), crypto_sign_final_*()). * New constants and related accessors have been added for Scrypt and Argon2. * XChaCha20 has been implemented. Like XSalsa20, this construction extends the ChaCha20 cipher to accept a 192-bit nonce. This makes it safe to use ChaCha20 with random nonces. * crypto_secretbox, crypto_box and crypto_aead now offer variants leveraging XChaCha20. * SHA-2 is about 20% faster, which also gives a speed boost to signature and signature verification. * AVX2 implementations of Salsa20 and ChaCha20 have been added. They are twice as fast as the SSE2 implementations. The speed gain is even more significant on Windows, that previously didn't use vectorized implementations. * New high-level API: crypto_kdf, to easily derive one or more subkeys from a master key. * Siphash with a 128-bit output has been implemented, and is available as crypto_shorthash_siphashx_*. * New *_keygen() helpers functions have been added to create secret keys for all constructions. This improves code clarity and can prevent keys from being partially initialized. * A new randombytes_buf_deterministic() function was added to deterministically fill a memory region with pseudorandom data. This function can especially be useful to write reproducible tests. * A preliminary crypto_kx_*() API was added to compute shared session keys. * AVX2 detection is more reliable.
Ismail Dönmez
2017-03-13 09:21:37 +00:00
a03e95d42e
- Update to version 1.0.9 * A detached API was added to the ChaCha20-Poly1305 and AES256-GCM implementations. * The Argon2i password hashing function was added, and is accessible directly and through a new, high-level crypto_pwhash API. The scrypt function remains available as well. * A speed-record AVX2 implementation of BLAKE2b was added. * Countermeasures for Ed25519 signatures malleability have been added to match the irtf-cfrg-eddsa draft. * The HChaCha20 core function was implemented (crypto_core_hchacha20()). * No-op stubs were added for all AES256-GCM public functions even when compiled on non-Intel platforms. * crypt_generichash_blake2b_statebytes() was added. * New macros were added for the IETF variant of the ChaCha20-Poly1305 construction.
Ismail Dönmez
2016-04-02 15:55:42 +00:00
cada03afe0
- Update to version 1.0.9 * A detached API was added to the ChaCha20-Poly1305 and AES256-GCM implementations. * The Argon2i password hashing function was added, and is accessible directly and through a new, high-level crypto_pwhash API. The scrypt function remains available as well. * A speed-record AVX2 implementation of BLAKE2b was added. * Countermeasures for Ed25519 signatures malleability have been added to match the irtf-cfrg-eddsa draft. * The HChaCha20 core function was implemented (crypto_core_hchacha20()). * No-op stubs were added for all AES256-GCM public functions even when compiled on non-Intel platforms. * crypt_generichash_blake2b_statebytes() was added. * New macros were added for the IETF variant of the ChaCha20-Poly1305 construction.
Ismail Dönmez
2016-04-02 15:55:42 +00:00
5f5272ff68
- Update to version 1.0.8 * Handle the case where the CPU supports AVX, but we are running on an hypervisor with AVX disabled/not supported. * Faster (2x) scalarmult_base() when using the ref10 implementation.
Ismail Dönmez
2015-12-25 17:11:04 +00:00
efc534b035
- Update to version 1.0.8 * Handle the case where the CPU supports AVX, but we are running on an hypervisor with AVX disabled/not supported. * Faster (2x) scalarmult_base() when using the ref10 implementation.
Ismail Dönmez
2015-12-25 17:11:04 +00:00
a8ae29ed4a
- Update to version 1.0.7 * Sandy2x, the fastest Curve25519 implementation ever, has been merged in, and is automatically used on CPUs supporting the AVX instructions set. * An SSE2 optimized implementation of Poly1305 was added, and is twice as fast as the portable one. * An SSSE3 optimized implementation of ChaCha20 was added, and is twice as fast as the portable one. * Faster sodium_increment() for common nonce sizes. * New helper functions have been added: sodium_is_zero() and sodium_add().
Ismail Dönmez
2015-12-08 16:31:21 +00:00
441d5d23c2
- Update to version 1.0.7 * Sandy2x, the fastest Curve25519 implementation ever, has been merged in, and is automatically used on CPUs supporting the AVX instructions set. * An SSE2 optimized implementation of Poly1305 was added, and is twice as fast as the portable one. * An SSSE3 optimized implementation of ChaCha20 was added, and is twice as fast as the portable one. * Faster sodium_increment() for common nonce sizes. * New helper functions have been added: sodium_is_zero() and sodium_add().
Ismail Dönmez
2015-12-08 16:31:21 +00:00
a2224068a1
- Follow upstream's lead and compile with -flto for > 13.2 on x86 and x86-64.
Ismail Dönmez
2015-12-02 07:57:45 +00:00
abcc3d3ee6
- Follow upstream's lead and compile with -flto for > 13.2 on x86 and x86-64.
Ismail Dönmez
2015-12-02 07:57:45 +00:00
bfe26a503d
- Update to 1.0.6 * Optimized implementations of Blake2 have been added for modern Intel platforms. crypto_generichash() is now faster than MD5 and SHA1 implementations while being far more secure. * The crypto_sign_edwards25519sha512batch_*() functions have been tagged as deprecated. * sodium_compare() now works as documented, and compares numbers in little-endian format instead of behaving like memcmp(). * sodium_runtime_has_ssse3() and sodium_runtime_has_sse41() have been added.
Ismail Dönmez
2015-11-02 10:58:18 +00:00
f56342fcf3
- Update to 1.0.6 * Optimized implementations of Blake2 have been added for modern Intel platforms. crypto_generichash() is now faster than MD5 and SHA1 implementations while being far more secure. * The crypto_sign_edwards25519sha512batch_*() functions have been tagged as deprecated. * sodium_compare() now works as documented, and compares numbers in little-endian format instead of behaving like memcmp(). * sodium_runtime_has_ssse3() and sodium_runtime_has_sse41() have been added.
Ismail Dönmez
2015-11-02 10:58:18 +00:00
16ec0d5fa4
Accepting request 340172 from devel:libraries:c_c++
Stephan Kulow
2015-10-25 18:12:56 +00:00
f56fc6e16a
Accepting request 340172 from devel:libraries:c_c++
Stephan Kulow
2015-10-25 18:12:56 +00:00
928a987294
- Now that gcc 5.2 is available on TW, remove the ARMv7 workaround.
Ismail Dönmez
2015-10-21 07:06:53 +00:00
b1c56a62cf
- Now that gcc 5.2 is available on TW, remove the ARMv7 workaround.
Ismail Dönmez
2015-10-21 07:06:53 +00:00
slfo-main
Lucas Mulling
Ana Guerrero
Dirk Mueller
Adrian Schröter
Jan Engelhardt
Dominique Leuenberger
Ismail Dönmez
Stephan Kulow
Adam Majer