A modern, portable, easy to use crypto library.

This release includes all the changes from 1.0.18-stable, as well as two additions:

- AEGIS-128L and AEGIS-256, in the `crypto_aead_aegis128l_*()` and `crypto_aead_aegis256_*()` namespaces. AEGIS is a family of authenticated ciphers for high-performance applications, leveraging hardware AES acceleration on x86_64 and aarch64. In addition to performance, AEGIS ciphers have unique properties making them easier and safer to use than AES-GCM. They can also be used as high-performance MACs.
- HKDF, in the `crypto_kdf_hkdf_*()` namespace. It is implemented for the SHA-256 and SHA-512 hash functions.
- The `osx.sh` build script was renamed to `macos.sh`.

From 1.0.18-stable:

- `libsodium` to WebAssembly/WASI(X).
- The `crypto_pwhash_*()` functions have been removed from Sumo builds, as they reserve a substantial amount of JavaScript memory, even when not used.
- `CLOCK_MONOTONIC` if possible.
- `memset_explicit()` is now used, when available.
- `-Ofast` or `-O3` instead of `-O2` by default.
- The `unhandledRejection` handler is not set any more.
- `MAP_CONCEAL`.
- The `print` and `printErr` functions are overridden to send errors to the console, if there is one.
- `UTF8ToString()` is now exported since `Pointer_stringify()` has been deprecated.
- (`dist-builds/wasm32-wasi.sh`).
- `core_ed25519_from_hash()` and `core_ed25519_random()`.
- `crypto_core_ed25519_scalar_mul()` has been implemented for scalar*scalar (mod L) multiplication.
- `getentropy()` is now used on systems providing this system call.
- `randombytes_salsa20` has been renamed to `randombytes_internal`.
- `((nonnull))` attributes have been relaxed to allow 0-length inputs to be `NULL`.
- The `-ftree-vectorize` and `-ftree-slp-vectorize` compiler switches are now used, if available, for optimized builds.
- `sodium_pad()` didn't properly support block sizes >= 256 bytes.
- `crypto_pwhash_scryptsalsa208sha256_str_verify()` and `crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()` didn't return `EINVAL` on input strings with a short length, unlike their high-level counterparts.
- New low-level scalar-arithmetic functions (all mod L): `crypto_core_ed25519_scalar_random()`, `crypto_core_ed25519_scalar_reduce()`, `crypto_core_ed25519_scalar_invert()`, `crypto_core_ed25519_scalar_negate()`, `crypto_core_ed25519_scalar_complement()`, `crypto_core_ed25519_scalar_add()` and `crypto_core_ed25519_scalar_sub()`.
- New APIs: `crypto_scalarmult_ed25519_base_noclamp()` and `crypto_scalarmult_ed25519_noclamp()`. These new APIs are especially useful for blinding.
- `sodium_sub()` has been implemented.
- `getrandom(2)` is now used on FreeBSD 12+.
- The `nonnull` attribute has been added to all relevant prototypes.
- New low-level Ed25519 point operations: `crypto_scalarmult_ed25519()`, `crypto_scalarmult_ed25519_base()`, `crypto_core_ed25519_is_valid_point()`, `crypto_core_ed25519_add()`, `crypto_core_ed25519_sub()` and `crypto_core_ed25519_from_uniform()` (Elligator representative to point).
- `crypto_sign_open()`, `crypto_sign_verify_detached()` and `crypto_sign_edwards25519sha512batch_open()` now reject public keys in non-canonical form in addition to low-order points.
- The library can be built with `ED25519_NONDETERMINISTIC` defined in order to use synthetic nonces for EdDSA. This is disabled by default.
- The `crypto_pwhash_*()` functions are now included in non-sumo builds.
- `sodium_stackzero()` was added to wipe content off the stack.
- Argon2id is now the default password hashing algorithm. The `pwhash_str_verify()` function can still verify Argon2i hashes without any changes, and `pwhash()` can still compute Argon2i hashes as well.
- `1` as defined by the `OPSLIMIT_MIN` constant. This has been fixed.
- The JavaScript `sodium` object exposes a `.ready` promise that resolves after the WebAssembly code is loaded and compiled.
- A custom misuse handler can be installed with the `set_sodium_misuse()` function. The library still aborts by default, and also if the handler ever returns. This is not a replacement for non-fatal, expected runtime errors: the handler is only called in unexpected situations caused by potential bugs in the library or in language bindings.
- `*_MESSAGEBYTES_MAX` macros (and the corresponding `_messagebytes_max()` symbols) have been added to represent the maximum message size that can be safely handled by a primitive. Language bindings are encouraged to check user inputs against these maximum lengths.
- `crypto_sign_ed25519_pk_to_curve25519()` now rejects points that are not on the curve, or not in the main subgroup.
- The `sodium_runtime_has_*` symbols for CPU feature detection are now defined as weak symbols, i.e. they can be replaced with an application-defined implementation. This can be useful to disable AVX* when temperature or power consumption is a concern.
- `crypto_kx_*()` now aborts if called with no non-NULL pointers to store keys to.
- The `crypto_verify_*()` functions have been added.
- The `crypto_pwhash_str_alg()` function.
- Base64 encoding (`sodium_bin2base64()`) and decoding (`sodium_base642bin()`) have been implemented.
- The `crypto_secretstream_*()` API was added to safely encrypt files and multi-part messages.
- `sodium_pad()` and `sodium_unpad()` helper functions have been added in order to add and remove padding.
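The padding item above, together with the earlier note that `sodium_pad()` "didn't properly support block sizes >= 256 bytes", is easier to understand with the scheme written out. The following is an added example, not libsodium's code: a reference ISO/IEC 7816-4 pad/unpad pair (the scheme `sodium_pad()` documents) with the same argument shape as `sodium_pad()`/`sodium_unpad()`, under hypothetical names `iso7816_pad()`/`iso7816_unpad()`. It keeps all length arithmetic in `size_t`, so block sizes of 256 and above behave like any other, and the unpad scan covers the whole last block without early exits. The round-trip helper and its byte pattern are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Append one 0x80 byte, then 0x00 bytes up to the next multiple of `blocksize`.
   An already-aligned input gets a full extra block, so unpadding is unambiguous.
   `max_len` is the capacity of `buf`. Returns 0, or -1 if there is no room. */
int iso7816_pad(size_t *padded_len, unsigned char *buf, size_t unpadded_len,
                size_t blocksize, size_t max_len)
{
    size_t padded;

    if (blocksize == 0 || unpadded_len > max_len) return -1;
    padded = (unpadded_len / blocksize + 1) * blocksize;       /* size_t throughout */
    if (padded < unpadded_len || padded > max_len) return -1;  /* overflow or no room */
    buf[unpadded_len] = 0x80;
    memset(buf + unpadded_len + 1, 0x00, padded - unpadded_len - 1);
    *padded_len = padded;
    return 0;
}

/* Scan the last block from its end: 0x00 bytes are skipped, the first 0x80 is the
   marker, and any other byte before the marker (or no marker at all) is invalid.
   Masks instead of branches keep the scan's timing independent of the marker's
   position. Returns 0 and the unpadded length, or -1 if the padding is invalid. */
int iso7816_unpad(size_t *unpadded_len, const unsigned char *buf, size_t padded_len,
                  size_t blocksize)
{
    const unsigned char *tail;
    size_t i, marker = 0;
    unsigned found = 0, bad = 0;

    if (blocksize == 0 || padded_len < blocksize || padded_len % blocksize != 0) return -1;
    tail = buf + padded_len - blocksize;
    for (i = blocksize; i-- > 0; ) {
        unsigned c    = tail[i];
        unsigned is80 = (((c ^ 0x80u) - 1u) >> 8) & 1u;       /* 1 iff c == 0x80 */
        unsigned is00 = ((c - 1u) >> 8) & 1u;                  /* 1 iff c == 0x00 */
        unsigned take = is80 & (found ^ 1u);                   /* first 0x80 from the end */
        bad    |= (found ^ 1u) & (is80 ^ 1u) & (is00 ^ 1u);     /* stray byte before marker */
        marker |= i & ((size_t)0 - (size_t)take);
        found  |= take;
    }
    if (found == 0 || bad != 0) return -1;
    *unpadded_len = padded_len - blocksize + marker;
    return 0;
}

/* Round-trip `len` bytes of a constructed pattern. Returns the padded length, or -1
   if padding or unpadding fails or the data does not survive unchanged. */
long pad_roundtrip(size_t len, size_t blocksize)
{
    size_t cap = len + blocksize, padded = 0, recovered = 0, i;
    unsigned char *buf = malloc(cap);
    long result = -1;

    if (buf == NULL) return -1;
    for (i = 0; i < len; i++) buf[i] = (unsigned char)(i * 7 + 1);
    if (iso7816_pad(&padded, buf, len, blocksize, cap) == 0
        && iso7816_unpad(&recovered, buf, padded, blocksize) == 0
        && recovered == len) {
        result = (long)padded;
        for (i = 0; i < len; i++)
            if (buf[i] != (unsigned char)(i * 7 + 1)) result = -1;
    }
    free(buf);
    return result;
}

/* Unpad a caller-supplied buffer; returns the unpadded length or -1 if rejected. */
long unpad_check(const unsigned char *buf, size_t padded_len, size_t blocksize)
{
    size_t n;
    if (iso7816_unpad(&n, buf, padded_len, blocksize) != 0) return -1;
    return (long)n;
}

int main(void)
{
    printf("5 bytes, block 8     -> padded to %ld\n", pad_roundtrip(5, 8));
    printf("256 bytes, block 256 -> padded to %ld\n", pad_roundtrip(256, 256));
    printf("1000 bytes, block 512 -> padded to %ld\n", pad_roundtrip(1000, 512));
    return 0;
}
```

Two properties worth noting when using the real functions the same way: padding always grows the buffer (an aligned input gains a whole block, so the caller must reserve `len + blocksize`), and unpadding must reject both a missing marker and non-zero bytes after it, since accepting either would let an attacker shift the recovered length.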
- The `crypto_pwhash_str_needs_rehash()` function was added to check if a password hash string matches the given parameters, or if it needs an update.
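The rehash check above is a parser plus a comparison, and the "automatically detects the algorithm" behaviour of `crypto_pwhash_str_verify()` rests on the same parser. The following is an added example, not libsodium's code: it reads the prefix of the string format `crypto_pwhash_str()` writes (`$argon2id$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<hash>`), detects Argon2i versus Argon2id, and decides whether a stored hash still matches a target `opslimit`/`memlimit`. Argon2 stores memory in KiB while libsodium's `memlimit` is in bytes, so `memlimit / 1024` is what gets compared. All names (`parse_argon2_string`, `detect_alg`, `needs_rehash`, the `pw_alg` enum) are hypothetical, and the sample strings are constructed; unlike the real function, this version reports a different algorithm as "needs rehash" rather than as an error, so consult libsodium's documentation for the exact return values of its own function.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { PW_ALG_UNKNOWN = 0, PW_ALG_ARGON2I = 1, PW_ALG_ARGON2ID = 2 } pw_alg;

/* Parse "<key><decimal><terminator>" at *s and advance *s past the terminator. */
static int parse_field(const char **s, const char *key, char terminator, unsigned long *out)
{
    size_t klen = strlen(key);
    char *end;

    if (strncmp(*s, key, klen) != 0) return -1;
    *s += klen;
    if (!isdigit((unsigned char)**s)) return -1;   /* strtoul would accept "-1" or " 5" */
    *out = strtoul(*s, &end, 10);                  /* overflow saturates and then mismatches */
    if (*end != terminator) return -1;
    *s = end + 1;
    return 0;
}

/* Extract algorithm and cost parameters. Returns 0 on success, -1 if the string is
   not a well-formed Argon2i/Argon2id string. Only version 19 (0x13) is accepted,
   which is the version libsodium writes. */
int parse_argon2_string(const char *str, pw_alg *alg, unsigned long *m_kib,
                        unsigned long *t_cost, unsigned long *lanes)
{
    const char *s = str;

    if (strncmp(s, "$argon2id$", 10) == 0)     { *alg = PW_ALG_ARGON2ID; s += 10; }
    else if (strncmp(s, "$argon2i$", 9) == 0)  { *alg = PW_ALG_ARGON2I;  s += 9;  }
    else                                       { *alg = PW_ALG_UNKNOWN;  return -1; }
    if (strncmp(s, "v=19$", 5) != 0) return -1;
    s += 5;
    if (parse_field(&s, "m=", ',', m_kib) != 0) return -1;
    if (parse_field(&s, "t=", ',', t_cost) != 0) return -1;
    if (parse_field(&s, "p=", '$', lanes) != 0) return -1;
    return strchr(s, '$') != NULL ? 0 : -1;        /* "<salt>$<hash>" must follow */
}

/* The detection step behind verifying both Argon2i and Argon2id strings. */
pw_alg detect_alg(const char *str)
{
    pw_alg alg;
    unsigned long m, t, p;
    return parse_argon2_string(str, &alg, &m, &t, &p) == 0 ? alg : PW_ALG_UNKNOWN;
}

/* 0: `str` already uses `want_alg` with exactly `opslimit` passes and `memlimit`
   bytes; 1: it parses but should be rehashed; -1: not a usable Argon2 string. */
int needs_rehash(const char *str, pw_alg want_alg, unsigned long opslimit, size_t memlimit)
{
    pw_alg alg;
    unsigned long m_kib, t_cost, lanes;

    if (parse_argon2_string(str, &alg, &m_kib, &t_cost, &lanes) != 0) return -1;
    if (alg != want_alg) return 1;
    if (t_cost != opslimit) return 1;
    if (m_kib != memlimit / 1024) return 1;        /* Argon2 m= is in KiB, memlimit in bytes */
    return 0;
}

int main(void)
{
    /* constructed sample: interactive-strength Argon2id (t=2, 64 MiB) */
    const char *stored = "$argon2id$v=19$m=65536,t=2,p=1$c29tZXNhbHQ$aGFzaA";

    printf("same params      -> %d\n", needs_rehash(stored, PW_ALG_ARGON2ID, 2, 67108864));
    printf("raised to 256MiB -> %d\n", needs_rehash(stored, PW_ALG_ARGON2ID, 3, 268435456));
    printf("not argon2       -> %d\n", needs_rehash("$2b$10$abc", PW_ALG_ARGON2ID, 2, 67108864));
    return 0;
}
```

The typical deployment pattern is: after a successful `crypto_pwhash_str_verify()`, run the rehash check against the parameters the application currently wants; a result of 1 means the plaintext password is in hand right now, so it can be rehashed with the stronger settings and the stored string replaced, which is the only moment that upgrade is possible.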
- `var` statement.
- The `crypto_pwhash_argon2i_MEMLIMIT_MAX` constant was incorrectly defined on 32-bit platforms. This has been fixed.
- The `crypto_pwhash_str_verify()` function automatically detects the algorithm and can verify both Argon2i and Argon2id hashed passwords. The default algorithm for newly hashed passwords remains Argon2i in this version to avoid breaking compatibility with verifiers running libsodium <= 1.0.12.
- The `crypto_box_curve25519xchacha20poly1305_seal*()` function set was implemented.
- A multi-part signature API was added (`crypto_sign_init()`, `crypto_sign_update()`, `crypto_sign_final_*()`).
- `crypto_secretbox`, `crypto_box` and `crypto_aead` now offer variants leveraging XChaCha20.
- New API: `crypto_kdf`, to easily derive one or more subkeys from a master key.
- `crypto_shorthash_siphashx_*` (SipHash with a 128-bit output).
- `*_keygen()` helper functions have been added to create secret keys for all constructions. This improves code clarity and can prevent keys from being partially initialized.
- The `randombytes_buf_deterministic()` function was added to deterministically fill a memory region with pseudorandom data. This function can be especially useful for writing reproducible tests.
- The `crypto_kx_*()` API was added to compute shared session keys.
- `contrib/Findsodium.cmake` was added as an example of including libsodium in a project using CMake.
- `sodium_library_minimal()`.
- The `--enable-opt` compilation switch has become compatible with more platforms.
- `sodium_init()` is now thread-safe, and can be safely called multiple times.
- `pepper_49` by default.
- `crypto_generichash_final()` now returns `-1` if called twice.