This repository was archived by the owner on Jul 3, 2020. It is now read-only.

Commit cd6dfb7

Squashed 'deps/libsodium/' changes from 2ec482a..f01d7c1
f01d7c1 Regen
03b5f7d Correct whitespace in path detection, and turn it into a fatal error
bfa162c Ignore more specific directories than libsodium-* Remove curvecp from .gitignore Sort .gitignore
145a662 Don't include <immintrin.h> if it is not needed
ea67c2d fix avx2 feature detection, fixes #395
bbbcbeb sandy2x: don't mix VEX and non-VEX instructions
1f1346f sandy2x: clean the upper halves of the AVX registers
ad3176b Align loops
ae4174a sandy2x: align branch targets
46c3d61 Fixing a small documentation typo
a47f8db Grammar
0fe8fc3 abort() if nacl_secure_random() ever returns 0 but the wrong size
22a854c Use pepper_49
baf0b15 Disable asm on native client
076ade5 Tabify
36e63c4 Use the same convention for include guards everywhere
b3e275a scrypt/sse - Note that B's layout is permuted compared to nosse
47aae46 Hand-roll zeroing instead of relying on memset()
b51c2d5 Remove README
4adf5c7 Larger logo, less prominent saltcellar
defa27e Do not use getrandom(2) on SLES11 service pack 4
06cb6d2 Run `make clean` after `./configure` instead of `distclean` before
fa2ec16 Check for MinGW presence
eaa9f23 Regen
5e350ec Not an ELF system, not an Apple system, weak symbols may not work
7b553ea Do not forget crypto_pwhash.c on Visual Studio
cb700e4 Replace two more memcpy() with a local loop
f7a5257 sha{512,256}: use a local loop instead of if + memcpy()
5b3c23d https
b0a06c2 Avoid bit shifting with signed values
4c8ae70 memcpy(): pointers must be valid even if the size is 0
f165fe7 Require Visual Studio 2010+ for AESNI
ef0bb1a Argon2: initialize ctx{.pwd,.pwdlen} in the verify function
8170c73 1.0.10
b33385e Merge branch 'master' into stable
fce6852 Update the changelog
cac1261 Update appveyor version
90d57d2 Move curve25519_ref10.h to include/sodium/private/
9a98ef4 Remove headers that are not required in MSVC solutions
349a733 Remove some unneeded dependencies from MSVC project filters
97b09ab Move curve25519_ref10.h to include/sodium/private/
8957364 Remove headers that are not required in MSVC solutions
70983a4 include/sodium/private.h -> include/sodium/private/common.h
8df895b include/sodium/private.h -> include/sodium/private/common.h
ffa4817 Relocate sodium/common.h
5cad35b Remove some unneeded dependencies from MSVC project filters
3927cad Relocate sodium/common.h
e639af0 Include generated files
703120c Version bump [only the package]
b09e197 Test that ciphertexts shorter than the MAC size aren't even read
d73124a Make the test of truncated chacha20poly1305 ciphers less deterministic
501ec7a Adjust another relative path for sodium/common.h
fdf945a Merge pull request #376 from dwrensha/relative-includes
c3b68c1 Fix up relative includes of sodium/common.h
55f4cac Increase TOTAL_MEMORY for the Javascript target
1550026 Explain why blake2b_param_set_digest_length() is not needed
abdc839 Workaround for old gcc versions missing _mm256_broadcastsi128_si256()
66045e6 Update Appveyor version
fc94d11 Nits
c2b8ffb NO_BROWSER is not required any more, even for tests
0716b77 Initialize constant
1853248 Consistency
e50f1e9 Reuse STORE64_LE whenever possible
6ee06a9 Include missing structures definitions
698efbd Consistency
531c51e Stronger types for >= 16 bits shifts
ca71815 ((unsigned long long) 1) -> 1ULL
42535e0 (1 << x) -> (1UL << x) for compilers where sizeof(int) == 2
95114d8 l -> L
d4fd35d Update the list of symbols exported to Javascript
cff964d Add symbols to include/ignore
5cdd950 Reformat
d7f5877 Add crypto_pwhash_argon2i_ALG_ARGON2I13
384e08b Require an algorithm identifier in crypto_pwhash()
5d8c878 Remove mlen_p from the AEAD detached interface
2b1d7cb Revisit the default set of compiler warnings
7afe93f Mark test functions as static and __attribute__ ((noreturn))
de22f38 Mark the _out_of_bounds() function as noreturn
25faa47 Include blake2b_long prototype
4008158 Thanks!
20bf121 1.0.9 is almost ready to be tagged
2aa703f Restore the previous sodium_malloc(0) behavior
811bdb2 Explicit cast; length is already checked by the caller
1f1d3f7 More Argon2 tests
fb865c9 More tests / lcov exclusions
58e4cdf Make Argon2 encode/decode return codes consistent with other functions
e9b7a71 Remove unused code
a255693 The version in Argon2i strings is separated from other parameters
d91adb2 Avoid implicit sodium_malloc(0) in tests
321e9ea Remove useless check
da448c3 Nits
eb13ec0 Make sodium_malloc(0) well-defined. It always returns NULL.
02e4b3b Check memory base instead of the aligned pointer No behavior change, but it is less confusing to static analyzers
346f8c1 More tests
71a548a Additional tests for BLAKE2b
7a08f64 Remove unused declaration
55c3eed Have the SSE2 test trigger a conversion with old gcc versions
3f765f1 Old gcc versions need -flax-vector-conversions to compile some intrinsics
a3a2b74 Use existing functions for unaligned access in hash_sha*
e07a452 Nits
f40e0ba Remove hidden symbols from emscripten-symbols.def
b31f59d -save-temps is messing with the detection of supported directives Remove it from --enable-opt, and don't use any directives to restrict symbol visibility if detection appears to be unreliable
f4cc8ae Force LITTLE_ENDIAN detection on x86 and x86_64 This is a sad workaround for CompCert 2.6
7bb9b7f Endianness
caae5e8 C++ compat
b483845 Tests must use sodium_malloc() as much as possible
cb150c2 sizeof() -> constants
2b79c12 Nits
f137857 Add tests for the detached chacha20poly1305 API
0df15c5 Update ChangeLog
3295752 Of course, GNU ld doesn't know about .private_extern
bafc9c7 Only use .private_extern if this is supported
26e4cf4 Reduce symbols visibility in curve25519_sandy2x
bdd5e07 Set JS_EXPORTS_FLAGS after EXPORTED_FUNCTIONS
054f563 Add the script to generate the emscripten symbols
3826588 Update emscripten symbols, add a "sumo" mode
3fb2ee0 Add crypto_pwhash_primitive()
1820a42 Add missing SODIUM_EXPORT statements
de451c2 Add detached versions of ChaCha20-Poly1305
89a6f58 Replace some constants
e34f351 clen -> clen_p
79935dc test/pwhash_argon2i -> test/pwhash
359553f Add support for optional parameters to future-proof crypto_pwhash()
33f4068 Rename CPUID bits constants for clarity
fd440e7 AVX2 bit is in %ebx, not %ecx
2b71f28 Double crypto_pwhash_argon2i_MEMLIMIT_INTERACTIVE
05d82ad Simplify quirks for C++Builder
a456244 Merge pull request #373 from jcolli44/master
f0e3cb0 Some platforms don't define ENOSYS - use ENXIO instead on these.
2085693 Introduce C++Builder compatibility
0c06979 Verify at compile time that blake2b_param is packed as expected
76e3e91 Remove unnecessary extern "C" and unused prototypes
6c94f96 Remove BLAKE2s-related declarations
0a18d18 Consistent comment style
9f09fa2 Link text = "installation" only
23aebf3 Mention which section + split line
5efdbe4 Merge pull request #372 from paragonie-scott/patch-1
d4e053b Make it easier to find the integrity checking instructions
a54e940 Avoid BLAKE2 AVX2 implementation on Win32
4b6667a Update Makefiles and MSVC solutions
64fe1b2 Indent
d37f588 Add blake2b-compress-avx2.c to the top-level Visual Studio solution
7583cb2 Merge branch 'blakeavx2'
0131a72 BLAKE2b AVX2 implementation By the marvellous Samuel Neves - https://github.com/sneves/blake2-avx2
300080a CRLF
39c8b94 Update description
8a24608 Luminous beings are we, not this crude matter
81f87df The Yoda style avoiding we can. In a similar test above, that style we didn't use.
6f2be36 Argon2: avoid initial zeroing by calling fill_block() on the first pass
7611ea6 Add AVX2 detection
42d906d Cacheline alignment
a4327a9 Spacing
7ee23f7 Add crypto_core/curve25519
cf4f0c4 Add tests for the detached aes256gcm API
e8dfc76 Add a detached API for aes256gcm
d8845c0 Update blake2b licensing
630ac09 We only support data independent addressing for Argon2 Let the compiler automatically remove unused code
5a00dff p -> R for clarity
676950d Remove superfluous constant type qualifiers
ab2f221 ed25519_verify: check for small-order R
7597b7c Check what the implications of versioned Argon2 strings will be
805fd35 The version number in Argon2 strings will require 5 extra bytes Round `crypto_pwhash_argon2i_STRBYTES` up to 128
7c5d30a Consistent indentation
62911ed Ed25519: verify 0<=s<2^252+27742317777372353535851937790883648493
845e3e7 Update test for short output
7d4cfbf pwhash_argon2i_str(): zero the output buffer even on error path
3853d5a Require at least 128 bits for an Argon2i digest
423702f Tab
ef843e0 Enable Valgrind for the unit tests only if --enable-valgrind is passed Also mention that the Valgrind checks currently require GNU make, unlike all other targets.
f92cfae Have --enable-opt use -O3, not -Ofast
7e4f83a Revisit Argon2i predefined parameters
0158b2b Argon2: use negative error codes
17b6717 Typo
4093e25 Remove the test dir from the VS solutions, except the top one
59f0300 Remove the test part from the vs2010 projects
81f3f64 Remove disabled files
ae6ecda Explicit downcast
dde91ba VS2015 update
dadf1b0 VS2013 update
ce5f82b Update the VS2012 project
bafee4d VS2010 update
a5ca5b1 Unused param
5353569 Remove obsolete and redundant globals
212841b int vs size_t
f4397f1 Remove unneeded prototypes
ddc1bba Remove unused variables
8035d6d Blame me for hchacha20
aafff07 Add support for running the test suite with Valgrind
2fb6917 scrypt: zeroize the temporary output buffer
edcd258 inttypes.h -> stdint.h
8b139cd Compile optimized Argon2i impl on 32-bit MSVC
db139ce MSVC analyzer FP
f4e5d6c Update root MSVC project
f3fc3e8 NO_BROWSER is not required any more with recent Emscripten versions
86cf171 Update the list of symbols exported to Javascript
b55feba Bump ARGON2_MIN_TIME to 3, adjust tests accordingly
0868222 Let core_salsa20* accept a default constant
9fbb822 Use stdint types a bit more
4e9b0b6 Let `crypto_core_hsalsa20()` accept `NULL` for the default constants
bb596e8 Trim/untab/indent
adfe6c9 scrypt/sysendian.h is gone
22eebd8 common_aes128ctr.c is gone
6dc466e Use a single way to do unaligned memory access/endianness conversion
d949383 Hide store32()/load32() in the header
49c57df Faster HChaCha20
1e2a9eb Faster with clang
4d5c397 Add HChaCha20
ecdcfba Argon2: issue different error codes for VERIFY_MISMATCH and DECODING_FAIL Only used internally, not exposed in the Sodium API
80d24c0 Use calloc() instead of malloc()+memset()
11caf90 Update Argon2 tests
4b6a909 Argon2: fill_block() now XORs blocks instead of overwriting them
e153deb Remove ...edwards25519sha512batch_*() wrappers for the constants
5491574 Define ZEROBYTES as BOXZEROBYTES + MACBYTES ZEROBYTES and BOXZEROBYTES are rarely used compared to MACBYTES, so it makes more sense to define MACBYTES and define the compat macros based on it than the other way round.
d7ffff1 Merge pull request #351 from gnieboer/master
b4af066 Added all argon2 files to other msvc project files and project filter files
36e60b2 Wipe secret keys before public keys and nonces
1b63773 Comments cleanup
8f050d1 added argon2-fill-block-ssse3.c to VS project
7035bbb Indent
aa2ae56 aes256gcm_encrypt_afternm() - abort() if mlen > 2^39-256 bits
113091b On non-ELF platforms, mark pointers as volatile, not just what they point to. See http://sk.tl/Wj3pmI vs http://sk.tl/VNsyd9
bd15b68 Argon2: explicitly initialize ctx.secret to NULL
367afac Sync argon2 implementation with upstream
31a153c argon2_core() -> argon2_ctx()
8bd6c9e Caps
dc4a979 Add comments to argon2-encoding.c Upstream `decode_string()` can return `ARGON2_INCORRECT_TYPE`. This change is not merged. Either have a function return an ARGON2 constant, have it return 0/1, or have it return 0/-1, but mixing different systems is confusing. (encode|decode)_string() should probably all return an ARGON2 code.
921507c Add extra sodium_memzero() in Argon2
a814810 Relax max sizes in argon2 decoding
1724854 Add aes256gcm stubs for platforms where it is not available
d1b028a Initialize ctx->pwdlen in argon2 string decoder
82c7c45 zero the context, in case we forget to initialize some members
ba415e1 Argon2: use existing constants more consistently By @technion via the reference implementation
53419d7 Merge pull request #348 from betafive/pbarker/blake2
e20291d Add crypt_generichash_blake2b_statebytes function
8c0b916 Add new macros for chacha20poly1305_ietf constants, for clarity
18cc1b5 The occasional absence of braces is disturbing.
08d3b8a Reuse validate_inputs() to validate parameters in argon2-encoding.c
fcf9441 Export crypto_pwhash*() to Javascript
846a84b Version bump (not released yet)
936667e Untab
20ccc09 Argon2: Let fill_{memory_blocks,segment} return an error code
bc98db0 Add AppVeyor configuration
fbeed0c Add Appveyor status
751f3b3 Visual Studio's preprocessor doesn't support #warning
1cce9b1 argon2i strings are variable length; check that they are zero-padded
f1ab1fd Add extra CRYPTO_ALIGN() required for Minix
cfd5972 Bring back tests vectors for argon2 strings
78d0770 2016
82ed216 Make argon2i blocks allocation functions static
74809e7 Update the top-level MSVC project
50002f7 Do not forget Daniel Dinu and Thomas Pornin in the list of contributors to the Argon2 code
29fb06c Check for crypto_pwhash_*limit_moderate() presence
ff32e8f argon2: memory usage is m_cost KiB, not 2^m_cost KiB
dfa0ee2 We don't need no external memory allocators
a781619 Check for _mm_set_epi64x() usability in the SSE2 test
1635f98 Add sodium/crypto_pwhash.h to the distribution
69cfab0 We don't need the ability to use a custom allocator
28ca446 argon2: don't dereference a pointer before testing it for NULL
77a61b8 Test the high-level crypto_pwhash() functions
b5ed4cc Add high-level crypto_pwhash() API
c7b9178 Consistent #include guards
654a2b3 Shorten a few test argon2i test vectors for V8 This is enough to reproduce a bug with Chrome
7a5668f Credit Argon2 authors
61c5b4a argon2i test: remove tv3 for now; it's too much for web browsers Proper test vectors will be reintroduced later
2bd822b Pasto
6d9f2ca argon2: ensure that memory is cacheline aligned; use mmap(2) if possible
9788147 Require less indentation
9ef45f8 argon2: make blocks allocation indirect, keep the base address
d39202c Put the browser-js.done marker at the right place
c48eaad Don't require too much memory for the pwhash_argon2i() test so that the Javascript version can run in web browsers
0ec2f46 Comment doesn't seem to be relevant any more
96c37fc Indent
bd44342 Remove unneeded extern "C"
71056e2 Add missing header
7a95e92 Add tests for pwhash_argon2i
14bf02a Rename the pwhash test as pwhash_scrypt
dfdf65c Add crypto_pwhash_argon2i_(memlimit|opslimit)_moderate() Import missing crypto_pwhash_argon2i.h by the way
d740901 Have --enable-opt imply -Ofast
387dd75 Require at least SSSE3 for optimized implementations
a916ec9 crypto_pwhash_argon2i_*()
da927a9 Argon2 bits - Not exposed in the API yet
9abc0fd Back go to dev mode
953e959 Try --high-entropy-va on MinGW
342f209 Reorder
4430d84 1.0.8
35b0264 Get ready for the xmas release
99666f5 pkg-config is not required
61fbc8e lcov exclusion
d839d74 lcov exclusion
2f4603f lcov exclusion
9784038 Check crypto_box_detached() with a small order pk
2f1cec7 Test crypto_box_beforenm() with a small order pk
cdd45e4 lcov exclusion
b80d037 Check that crypto_box[_beforenm] fails with a small order pk
60d0533 Constify
ee3a5d8 Update the Visual Studio solutions
60f0b87 Mention that the gitbook online documentation requires Javascript Add a link to the offline documentation
f254415 Update .gitignore
c08c218 Version bump
8ca2c79 Annotations
e936002 2x
386ce83 Test crypto_onetimeauth_update() with a null size
82831cb Document constants
b6fd83f Merge pull request #340 from neuhaus/patch-1
0900de8 wipe secret key as soon as it is no longer needed.
15285e4 Merge branch 'master' of https://github.com/jedisct1/libsodium
1434812 Update the top-level Visual Studio solution
7e1ea85 Remove dead code
6996c38 Add warning
764ceb7 Fix empty __attribute__ definition for !__GNUC__
7d819ca Update ChangeLog
c233490 Use memset() for fe_(0|1)() This produces faster code with gcc. constify precomputations by the way.
90c4918 --enable-opt now enables -save-temps; remove -flto
0091450 Use stdint types instead of crypto_*
2b21e18 Finish replacing shifts on integers with multiplications
09128b8 Remove redundant blank lines
29caedb Spacing
194ad15 Explicitly call abort() if gettimeofday() doesn't succeed.
c82925f Merge pull request #334 from bsilver8192/master
c84ba1d Aliasing
63b82c2 Use the right type for sizeof's result
18187ff Don't rely on assert evaluating its argument
efabf7f Don't call strlen on uninitialized memory if fgets fails
0397354 Faster scalarmult_base() when using the ref10 implementation.
f430f3a Reorder to improve inlining
6872237 Reorder functions to help with inlining
b81f9cd Let the x25519 ref10 implementation use the core/curve25519/ref code cswap can be a convenient operation to have in core later, but it is not required yet.
f9d9824 Move most of sign/ed25519/ref10 to core/curve25519/ref10
5f4763c Simplify AVX availability detection, add support for Visual Studio
2ee3db5 Use HAVE_AVX_ASM instead of HAVE_AMD64_ASM
ab4bade Check the extended control register to see if AVX is actually usable
5357030 Reduce diff between curve25519/ref10 and ed25519/ref10, add missing includes
76daa01 ref10: inline, constify
292b7bd Travis: Limit the double compilation to a single OS
885529c The output of "make distclean" is not worth logging in Travis
0c8834f Travis: Run the pre-C99 compilation test only once, with gcc Compile without optimizations (and symbols) as an opportunity to also check that it properly compiles under these conditions (re: force_inline issues)
6ab5957 Travis: check that we get the same code with&without named struct initializers
04c7c36 Don't refine SODIUM_C99 if it has already been defined
2d589f7 Reorder struct members to keep values of the same type together
bc37188 salsa20random stream struct members must match initializers for compatibility with old non-C99 compilers. Spotted and reported by @sneves
b977a53 printf("%llu") is not expected to work on mingw32/Windows XP.
e36400a __attribute__((...)) -> __attribute__ ((...))
e7d9129 Run make distclean, not just make clean in the msys2 build scripts for consistency with other build scripts
0879c0b Run "make clean" first in the build scripts
47d8513 Fix offset in obsolete crypto_sign_edwards25519sha512batch_open
9567be2 Revert "Use minimal builds on msys2"
054579d Remove dead globals, bump the number of rounds in the box{7,8} tests
d9e3800 Reduce the number of rounds in the box7 test, use guarded memory
fb09514 Shorten the verify1 test
a84ae01 1.0.7 is ready
731f2e1 Force alignment for _mm_loadl_epi64() in DEBUG mode Required to work around gcc sanitizer
ea43d1b Shorten auth7
26535c3 Remove browser-js.done or js.done, but not both
bfa206e Let emscripten.sh support a --browser-tests switch
4bf74c7 C++ compat
48b9c4e Ignore test/default/browser, import HTML template
43c25a3 Reduce box8 even more
8e54dd6 Use guarded memory for the box8 test
3e2bef9 Reduce a few expensive tests
7ada62b Reduce some test cases, generate html test files
e262425 Reduce even more, for Chrome
1600ccf On a web browser, reduce the number of vectors for the sign test
0eaa229 Revert "Output signatures prefix in the signature test"
31b75af Nits
c73cbc4 Output signatures prefix in the signature test
3d1e11f Support a BROWSER_TESTS env variable to build tests for browsers
7354964 Update the examples for libsodium 1.0.7
c7eec99 Update ChangeLog
ec6b866 More checks for sodium_add() (overlaps) and sodium_increment()
a65484a Don't define unused variables
3796145 autoconf: check that named registers work
b816a44 Assembly optimized _increment() and _add() for common nonce types
5b62287 Add a --enable-opt compile-time switch
cb1b6a4 Use -O2 & -flto for iOS targets
bc531c6 On OSX, compile with -flto for better performance
2424295 Reformat
13f8e1a +floodyberry for poly1305/sse2
f58b84d THANKS << Scott Arciszewski
27ce39e Add a test with a null message in box_easy()
b482401 Add tests with null message in secretbox_easy.c
ba6833c Use sodium_malloc() for the secretbox_easy2 test
2e5c94a Use guarded memory for the box_easy2() test + non-deterministic buffer sizes
d11819e Let blake2b abort on invalid parameters instead of returning -1
4ec7fb4 Remove generichash tests with invalid parameters They must be reintroduced at some point, probably by overriding the `abort` symbol.
0ec04ba Nit
e0b027f Constify & add a note on _mm_loadl_epi64()
38fd43d Use memcpy() instead of a cast
b40663a Don't assume that subtracting unrelated pointers is acceptable. Having to increment two pointers instead of one is the price to pay for portability, but it's not that big of a deal here.
ef3a073 Avoid unnecessary casts for the nonce/counter
d341893 format
c160dbc Use uint128_t consistently
85dbcd6 Replace some casts with memcpy()
457ff09 Revert
23b4e21 Directly use the internal state type when possible
9a2a278 Use memset() instead of a cast
04a59d0 Fix aliasing violations, even though we always disable strict aliasing
a2540cb Avoid pointer casting when using Emscripten
a5b4926 Keep it simple to avoid issues with the different heaps in Emscripten
20a13f6 Move Ted Krovetz to the implementors list
ff37903 Rephrase
2cbb5de Move size checks to the main chacha20 encryption function
1cd715e Remove unused code
cfdf256 Constify pointers & acknowledge that unaligned accesses are okay
ed64bfd C++ compat
1e71f84 1.0.7 (not released yet)
7f311aa Update ChangeLog
96d83ec Update ChangeLog
9a96bdc Don't use C99 when it's not required
8011838 Use more portable types
508a048 Remove blank line
714bf75 !__GNUC__ : not yet
8f9faa2 Use chacha20_vec if available
fce5502 + Ted Krovetz
fb42d08 Link chacha20_vec
31c4df3 x -> ctx
a27011c + missing stdint.h inclusion
a879c09 No need to zero the counter
1c8e345 Less deterministic crypto_verify_*() tests
65fbe15 Slightly faster verify_{16,32,64}
d5fd75d Make crypto_stream_chacha20 modular like the rest In preparation for optimized implementations
82b4183 Support the IBM compiler
d8b9b39 Mark everything as static in tests
cb9d527 Update the Visual Studio 2015 solution
4ea5380 Revert "Temporarily remove Coverity Scan button, as Coverity Scan is down"
65a91fd Remove api.h from the Visual Studio solutions
9bfa30a api.h -> stream_chacha20_ref.h
e60139c Add missing headers
2824490 Don't force inline
f95a790 api.h removal
3a4cdb9 More api.h removal
e33a505 api.h removal
16f12c1 More api.h removal
fd0c470 More api.h removal
e5a6057 Remove api.h reference
db5eda6 crypto_hash/sha{256,512}/cp/api.h removal
b7fdeb5 Stop hiding function names with macros in salsa20
68917b0 Limit safe_read() to SSIZE_MAX bytes
a39ab96 Use __uint128_t only if HAVE_TI_MODE is defined
b554ac4 Temporarily remove Coverity Scan button, as Coverity Scan is down
271f1fb Remove CVS $Id
0f03042 Update the Visual Studio 2013 solution
f40a432 More informative messages about missing package
d8eacd3 Mark randombytes_implementation functions static
5a90e15 Update the Visual Studio 2012 solution
37834da Merge pull request #322 from mc10/patch-1
2c58580 README: Use the svg Travis image
05ad4b6 Update the Visual Studio 2010 solution
b712542 Revert "Use SSSE3 instructions even on Visual Studio with a 32-bit target"
10151cd Remove extra comma
23a00c0 Do not export randombytes_set_implementation() in Javascript
5e17a7a Check that scalarmult() returns -1 with a point of small order
1e33a0b Update ChangeLog
2bc5874 Check that the output of X25519 is not the all-zero value Return -1 if this happens, and mark crypto_scalarmult() as warn_unused_result Mark dependent functions with warn_unused_result as well
bdd2cdb Consistency
55f6eb8 Keep it simple
9337ecf Add tests for sodium_add(), more tests for sodium_increment() and is_zero()
27466de Indent
07c4249 Repair sodium_is_zero()
397d506 Faster sodium_is_zero() and sodium_increment() helpers Also add sodium_add(), since people tend to reimplement this in order to add constants to nonces.
b74f644 Replace CPU_ALIGNED_ACCESS_REQUIRED with CPU_UNALIGNED_ACCESS
7371f0d Use SSSE3 instructions even on Visual Studio with a 32-bit target
0ad21a2 Return CPU features in Visual Studio builds
eb8119d Enable 128-bit arithmetic if __int128 is available
347464d Update ChangeLog
08a61e1 Update the top level VS solution
f9169ac Add a compile-time size check
707562c Update ChangeLog
cf3064b More explicit casts. Unaligned accesses are fine on these architectures.
27048b0 Clear the state after poly1305_finish()
e4167d6 Do not require assembly code to increment with carry
dd238f5 Bump major
0af177d Indent
096ea8a Handle partial blocks in poly1305_sse2
2742547 Link poly1305_sse2 Breakage is expected as partial blocks are not handled yet
a964055 Make the poly1305_sse2 code more consistent with the other implementation
6b78114 Import vanilla poly1305_sse2
121978e Different ways to avoid inlining
bd4c5c0 Remove crypto_onetimeauth_poly1305_donna_implementation_name() prototype
c179651 auth_poly1305_donna.c -> poly1305_donna.c for consistency
fb28119 Check inline assembly code using __asm__ __volatile__
985d389 Use poly1305_state_internal_t for the state of poly1305 internal functions
2550fd8 Indent
75cc712 ctx -> state for consistency with the high-level functions
580c22f Get rid of poly1305_state to reduce the number of indirections
8bced53 Add compilation-time poly1305 structure size checks
7561a25 Add a is_zero() helper
cc29da1 Use minimal builds on msys2
1f18cf3 Always include <stdint.h> and <limits.h> for SIZE_MAX
ceb9c56 Implement the old edwards25519sha512batch construction on top of ref10 Only for backward compatibility; not compiled in minimal mode.
2ff0ec3 Move the legacy edwards25519sha512batch code to the attic
7e99578 Remove useless sodium_memzero()
179587d Travis: sudo is not needed
49e160a In blake2b_final() the leftover shouldn't exceed two blocks
8986a95 Update the top Visual Studio solution
25d93a5 Travis: run the compile-everything task after having run ./configure
a46e3dc Travis: check that the project compiles by including everything and completely ignoring the normal autotools way.
8b94965 Check HAVE_AMD64_ASM to assemble x86_64 code (or not), not __x86_64__
5ea53c3 HMAC-SHA1 -> Blake2b in randombytes_salsa20 No functional changes but it's slightly faster and more readable.
77c25db Rename s to hsigma, use hex, clarify that this constant is not a PRNG "seed"
c574ad8 Remove unused base_curve25519_donna_c64.c file from the repository
03a67b6 noinst_HEADERS might be more correct than EXTRA_DIST
d3005a4 Update ChangeLog
18906a0 Unfortunately, some assemblers still don't know about AVX opcodes
3f3969f EMSCRIPTEN -> __EMSCRIPTEN__
91fc9e2 C++ compat
ae2bbc4 Drop extra backslash
0ca0ff8 Protect Sandy2x files against double compilation (Cocoapods...)
e5f768a Restore the initial file structure in sandy2x
c882546 Revert in order to keep the original files
c294dfa Allow compilation on Linux again
0cc725d Move the sandy2x implementation into a single file
5e054b8 Typo
999a1e9 Linux is not supported yet
18910cf Let sodium_init() pick the fastest curve25519 implementation
94437ae Enable the sandy2x implementation on CPUs with AVX support
16e5da8 Credit Tung Chou
8251519 Use the same ifndef convention as most other header files
26c7aa1 scalarmult: move the constants down
2bf84bb sandy2x: mask the top bit
ec72507 Link the sandy2x implementation Do not use it yet, because it doesn't ignore the top bit
f56647c Modularize scalarmult
950f382 Add stackmarkings. Required at least for Hardened Gentoo.
20eacd0 Properly tag function symbols
6774994 Don't mix .globl and .global - Pick one, stick to it
0c994ff Sandy2x: make all the references relative
7e00ec1 Import the raw Sandy2x curve25519 implementation
9623e58 Add missing include
049fd8f Add sodium_runtime_has_avx()
754b386 Quotes
1ec9de7 Update ChangeLog
e3f8046 Typo
437b201 Format
156006d Update ChangeLog
1bfdfd4 Update the Visual Studio 2015 solution
2a1bc66 Update the Visual Studio 2013 solution
27ecb1f Update the Visual Studio 2012 solution
d89b682 Merge branch 'master' of https://github.com/jedisct1/libsodium
36187f0 Update the Visual Studio 2010 solution
2840d72 Update ChangeLog
e58ea31 Retarget the top solution to Visual Studio 2015
2d3ed42 The SSE4.1 implementation is fine on MSVC/x86, reenable it
e471999 _mm_set_epi64x() is not required for Blake2b's SSE4.1 implementation
af532e5 Correct logic for compiling SSE4.1 code
f801afd Use the SSSE3 implementation only on x86_64
55a9a74 Enable optimized Blake2b implementations on MSVC
60bdcb1 Merge new files to the top MSVC solution
082b68b Remove references to orphan files in the top MSVC solution
2a77b18 Version bump (not released yet)
debed38 Check a return value in the secretbox_easy2 test
ec246de Remove warn_unused_result attribute where it is not critical
9a07e48 Add __attribute((malloc)) to sodium_{allocarray,malloc}()
094dac6 Don't export sodium_runtime_get_cpu_features()
17bcbbb Force functions whose result must be checked to be checked
2c9536d Merge branch 'master' of https://github.com/jedisct1/libsodium
99850ab Mark edwards25519sha512batch functions as deprecated
7d3ddda We already have a macro to force alignment, reuse it
1d4a2aa Reindent
95af650 Import onetimeauth_poly1305.h
f5caa45 Skip a useless test on non-emscripten platforms
2d04b79 Merge auth_poly1305_donna.c and verify_poly1305_donna.c
19308c5 Bump the library major version, since some functions have been removed
b3b8e97 Remove checksum files
68c52f2 Simplify crypto_onetimeauth_poly1305() internal implementation API
1d15772 Remove unused define
384dd99 Set the impl of the Blake2b compression function once, at init time.
d62451c Fix compilation on platforms without SSE
03546ef There's no such thing as SSSE2 :)
65ccbaa Passing unaligned pointers to _mm_{load|store}u_*() is fine
7dfed39 unconstify
b935486 Select the fastest Blake2b implementation at runtime
d7a0bdd Remove blake2b-opt from the tree
920c459 Link optimized compression functions for Blake2b
ca4361f Remove extra spaces
b9b722c Externalize the blake2b compression function
7f238f4 Assume that optimized Blake2b versions can use at least SSSE3
a3d3f35 Sync blake2-impl.h with ref
28fb7bd Reduce diffs between blake2b-ref and blake2b-opt
e59641c Remove traces of AVX & XOP specific optimizations
6881890 Import vanilla blake2b optimized implementation
aba184e THANKS << Project ArteMisc for Libstodium
e7bb1e2 Do not export crypto_onetimeauth_poly1305_set_implementation() This is a relic from very early versions of libsodium that should eventually just go away.
dd53b90 #if defined( ) -> #ifdef
c8ae529 Remove extra empty lines
3361e20 blake2b-ref micro-optimizations
26fdfec Add sodium_runtime_has_ssse3() and sodium_runtime_has_sse41()
84695c8 Make sodium_compare() work on little-endian numbers as expected
9a42ee1 UL => ULL
d47cb42 Replace some memcpy() with a local loop
8deb15b Refuse an output length > 256 Gb in crypto_stream_chacha20_ietf_ref()
aeb4ff9 Defer a memcpy()
a1e4d3d Add AES256-GCM tests for decryption of truncated ciphertext
a56274b Merge pull request #311 from angt/angt-patch-1
2042cb7 Fix crypto_aead_aes256gcm_decrypt_afternm() when clen < 16
688e1c4 C++ compat
437ce02 Exercise ChaCha20 with different output sizes
b341756 chacha_encrypt_bytes(): ensure that the padding bytes are initialized Reported by Pascal Cuoq
771e32b CompCert compatibility
4b1478c Extra sanity checks for blake2b_salt_personal()
7ab8dde Zero the stack in crypto_box_seed_keypair()
220e972 Typo
f11da70 Package version bump. No ABI version changes required.
94da855 Add explicit signed/unsigned conversion
1ec3d7f SUSE Tumbleweed updated their gcc to fix the VRP bug
58c211a Work around gcc 5.1.1/armv7l VRP bugs No binary changes on other platforms
6585edd Update ChangeLog
b81aa64 Add back final \n removed by PR #309
4b63489 Merge pull request #309 from dtorelliitrsgroup/master
0814537 Replace __sun and __GNU_C by __SUNPRO_C to simplify logic regarding @jedisct1 comments
4b63cd1 Libsodium does not compile for Solaris CC compiler #308
5d0236c C++ compat
61a4b75 Update ChangeLog
63b9c02 Alignment
52fe697 io.js has become node.js
45df38c Remove sodium_memcmp() from the list of functions exported to Javascript
9ca34ef Work around a GCC VRP bug.
e212499 doesn't -> does not
af9c77b Remove "not released yet"
c5d675e MSVC solutions: exclude test files from build
8b4be96 Make it explicit that aes256gcm_statebytes() returns a rounded value No actual changes to the returned value
143e1c1 Do not compile unused sections
1cfa5ec Add Blake2b test vectors from the reference code
f01c303 Blake2b: refuse a NULL key with a length > 0
eeb31af Let crypto_generichash_statebytes() return a size rounded to the alignment Add similar check in the aead_aes256gcm test.
1c98a61 Update ChangeLog
a2c8ff5 Visual Studio doesn't have %zu
d667efd Add sodium_compare()
2aef671 Indent
1647b30 Constify
beb826f S_IFNAM -> S_ISNAM (for QNX)
676d8a1 Merge branch 'master' of https://github.com/jedisct1/libsodium
046c1f0 Correct path in the main VS2010 solution
606ead7 Update MSVC2015 solution
684a7e3 Avoid variable shadowing
3f8d23f Rename acc to accv for consistency
e868211 Reuse previous declaration
9aec666 Name round counters "roundctr", not a generic "i"
bfed7b9 Explicit cast
ec7b8e5 Version bump [but still not released]
14cc1e4 Avoid variable shadowing
2ee2e86 Explicit cast
fa71e06 Update the MSVC2013 solution
6e24316 Don't build for WP8
a4a9f24 Update MSVS2012 solution
da35396 Don't mix code and declarations
ea5c989 Update MSVC2010 solution
8d35435 Add aes256gcm to the main Visual Studio solution
5d2692c Update ChangeLog
794b0e9 Update ChangeLog
cc56966 1.0.4 may still not work out of the box on Windows Phone due to no CSPRNG being available to C applications.
f169623 C++ compat
8462574 More test vectors
40ba7ea More test vectors from http://www.ieee802.org/1/files/public/docs2011/bn-randall-test-vectors-0511-v1.pdf
98550ac Add tests for the aes256gcm functions returning sizes Which spotted a typo by the way.
7082a3c Ignore the aes256gcm test if aes256gcm hasn't been compiled in
20e3849 Test for presence of new sodium_runtime_has_*() functions
c8be336 C++ compat
aa965a5 Expose only crypto_aead_aes256gcm_*() not crypto_aead_aes256gcm_aesni_*() libsodium typically doesn't expose specific implementations. It shouldn't be the case for that construction either, especially since an ARM8 implementation might be added later. We want a single interface for both.
dadc5d9 Add crypto_aead_aes256gcm_aesni_is_available()
76846bd Indent
9329585 Add aes256gcm test vectors
16beebb Don't use implementation-specific functions to expose sizes
1dddd63 Merge branch 'aes256gcm'
82e9c72 aes256gcm: we can expect the accumulator and the padding buffer to be aligned
66d55c1 aesgcm: don't expect input & output buffers to be aligned
b618248 Merge pull request #304 from Sc00bz/patch-1
e07599d Update hmac_hmacsha256.c
958323b Update hmac_hmacsha512.c
82b2f5a aes256gcm doesn't use SSE4.1 instructions any more
970058b Don't read past the AD buffer, even through an SIMD register
0b20d29 Convert more functions to macros
69aac7d Add do { ... } while(0) when relevant
7a67bb9 Turn reduce4 into a macro That's too many registers for a function call in 32-bit mode. And in MSVC, this is even the case if the function is marked inline.
d1d833a Enable aes256gcm on Visual Studio 30729b0 Don't declare new variables after a line of code 9055a14 Declare __m128 arrays used as parameters as pointers Required for MSVC 78002f8 Proper casts for aeskeygenassist() fad86b2 Let's hope that requiring ssse3 is not required any more 84d92fc Try to enable specific cflags before testing each intructions set c3195da ssse3 target is required in addition to sse4.1 f267352 Use SIMD-specific compiler flags only for files needing them d4ff80e Define __SSSE3__ if required 6ca0631 Do not try to compile aesni code if this is not going to compile e83e9b2 Check for AESNI & PCLMUL presence/usability ab2e867 Replace the aes256gcm implementation with Romain Dolbeau's implementation which is slightly faster than mine. Reimplement features from the previous implementation: add batch mode and use two passes in the decryption function in order to check the tag before decrypting. ef1417b Explicit cast 41c296f Make the state const in *_afternm() 96d4494 Add crypto_aead_aes256gcm_aesni_{beforenm|*_afternm} 396e168 Move CRYPTO_ALIGN to sodium/export.h 571bfc9 Check for ssse3 presence e8e5d2f Add crypto_aead_aes256gcm_aesni_* Requires a CPU with aesni and pclmulqdq This is a private branch for a reason. It is not going to be merged as-is. d8e870c /dev/urandom can be a name special file in addition to a character special file 4705c0a Yes, support for NativeClient was added. dca2131 C++ compat 6be1ce3 scalarmult: add the exact test from the irtf-cfrg-curves draft Use guarded memory by the way. fe27e6c randombytes: use arc4random(3) on OpenBSD and CloudABI 6757e33 Confusing indentation 46f71fb Check for getpid(2) presence instead of checking for Visual Studio 7fa840e C++ compat 8ee4950 Use sodium_malloc() for the secretbox_*() tests e424963 Call a weak function in sodium_memcmp() to prevent LTO. sodium_memcmp() can be used to compare user-provided secrets against constant, hardcoded secrets. 
We don't want the compiler to generate code that would be optimized for these hardcoded values. 0f1f8a6 Check that secretbox works as expected when m and c are overlapping f51fb6a Add a test for crypto_secretbox() with c == m c1f749e Keep shell variables names consistent with their related C macros. cccc29c Merge pull request #293 from mvduin/master cfa9e95 improve test for unaligned access 8fa4ef1 + Drew Crawford for NaOH git-subtree-dir: deps/libsodium git-subtree-split: f01d7c1
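As an added illustration (not libsodium's code) of two points in the squashed log above, the weak-function call in `sodium_memcmp()` that keeps link-time optimisation from specialising a comparison against a hardcoded secret, and `sodium_compare()` treating its operands as little-endian numbers rather than behaving like `memcmp()`, here is a small stand-alone C version of both ideas. The names `lto_barrier`, `ct_memcmp` and `ct_compare_le` are hypothetical and the sample inputs are constructed:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not libsodium's implementation. Names are hypothetical.
 *
 * lto_barrier: a weak, externally visible no-op. Because the symbol may be
 * overridden at link time, the optimiser cannot prove the call has no effect
 * on the bytes behind p, so it cannot treat a constant operand (a hardcoded
 * secret) as known data and rewrite the loop below into an early-exit compare.
 */
__attribute__((weak)) void lto_barrier(const void *p, size_t n)
{
    (void) p;
    (void) n;
}

/* Constant-time equality: 0 if the n bytes match, -1 otherwise.
 * Every byte is visited; there is no early exit on the first mismatch. */
int ct_memcmp(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = (const volatile unsigned char *) a;
    const volatile unsigned char *pb = (const volatile unsigned char *) b;
    unsigned int d = 0;
    size_t i;

    lto_barrier(a, n);
    lto_barrier(b, n);
    for (i = 0; i < n; i++) {
        d |= pa[i] ^ pb[i];
    }
    /* d == 0: (d - 1) wraps and bit 8 is set, giving 0; otherwise -1 */
    return (int) (1U & ((d - 1U) >> 8)) - 1;
}

/* Constant-time comparison of two len-byte little-endian integers
 * (byte 0 is least significant): -1 if b1 < b2, 0 if equal, 1 if b1 > b2.
 * Walks from the most significant byte down, as sodium_compare() does. */
int ct_compare_le(const unsigned char *b1, const unsigned char *b2, size_t len)
{
    unsigned int gt = 0;
    unsigned int eq = 1;
    size_t i = len;

    lto_barrier(b1, len);
    lto_barrier(b2, len);
    while (i != 0) {
        uint32_t x1, x2;
        i--;
        x1 = b1[i];
        x2 = b2[i];
        /* x2 - x1 wraps when x1 > x2, which sets bit 8; it only counts while
         * every more significant byte seen so far was equal */
        gt |= (((x2 - x1) >> 8) & 1U) & eq;
        /* (x2 ^ x1) - 1 wraps only when the two bytes are equal */
        eq &= (((x2 ^ x1) - 1U) >> 8) & 1U;
    }
    return (int) (gt + gt + eq) - 1;
}

int main(void)
{
    /* constructed sample inputs */
    static const unsigned char tag_ok[4]  = { 0xde, 0xad, 0xbe, 0xef };
    static const unsigned char tag_bad[4] = { 0xde, 0xad, 0xbe, 0xee };
    static const unsigned char n256[2]    = { 0x00, 0x01 }; /* 256, LE */
    static const unsigned char n1[2]      = { 0x01, 0x00 }; /* 1, LE */

    printf("ct_memcmp same:   %d\n", ct_memcmp(tag_ok, tag_ok, 4));  /* 0 */
    printf("ct_memcmp differ: %d\n", ct_memcmp(tag_ok, tag_bad, 4)); /* -1 */
    /* memcmp() would call n256 "smaller" because its first byte is 0x00;
     * as little-endian numbers 256 > 1 */
    printf("256 vs 1 (LE):    %d\n", ct_compare_le(n256, n1, 2));    /* 1 */
    printf("1 vs 256 (LE):    %d\n", ct_compare_le(n1, n256, 2));    /* -1 */
    return 0;
}
```

The `n256`/`n1` pair is the case where a `memcmp()`-style ordering and the numeric ordering disagree, which is exactly what matters when the bytes are a nonce or counter being checked for replay.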
1 parent f8c41cd commit cd6dfb7

456 files changed

Lines changed: 80908 additions & 14851 deletions


.gitignore

Lines changed: 31 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -1,16 +1,19 @@
1+
*.bc
12
*.cmake
23
*.dSYM
3-
*.exp
4+
*.done
45
*.final
56
*.gcda
67
*.gcno
8+
*.i
79
*.la
810
*.lo
911
*.log
1012
*.mem
1113
*.nexe
1214
*.o
1315
*.plist
16+
*.s
1417
*.scan
1518
*.sdf
1619
*.status
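Review bot: the new `*.s` pattern near the top of this hunk can swallow hand-written assembly on case-insensitive checkouts. This tree carries `.S` sources (the Travis smoke build further down globs `-name '*.S'`), and when `core.ignorecase` is true, which `git clone` sets by default on macOS and Windows filesystems, gitignore patterns match case-insensitively, so `*.s` also matches a newly added `foo.S` and `git add` will refuse it without `-f`. Either drop `*.s` or scope the compiler-output patterns to the build directories that produce them. The rest of the hunk (`*.done`, `*.i`, dropping `*.exp`) is fine.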
@@ -21,11 +24,16 @@
2124
.dirstamp
2225
.done
2326
.libs
27+
/bin/
28+
/obj/
2429
Build
2530
INSTALL
2631
Makefile
2732
Makefile.in
33+
Vagrantfile
2834
aclocal.m4
35+
android-toolchain
36+
android-toolchain-*
2937
autom4te.cache
3038
build
3139
compile
@@ -35,11 +43,25 @@ configure
3543
configure.lineno
3644
coverage.info
3745
depcomp
38-
android-toolchain
3946
install-sh
40-
libtool
47+
libsodium-*.tar.bz2
48+
libsodium-*.tar.gz
49+
libsodium-*.vcproj
50+
libsodium-*.vcproj.filters
51+
libsodium-*.vcxproj
52+
libsodium-*.vcxproj.filters
53+
libsodium-android-*
54+
libsodium-ios
55+
libsodium-js
56+
libsodium-js-*
57+
libsodium-nativeclient
58+
libsodium-nativeclient-*
59+
libsodium-osx
60+
libsodium-uninstalled.pc
61+
libsodium-win32
62+
libsodium-win64
4163
libsodium.pc
42-
libsodium-*
64+
libtool
4365
ltmain.sh
4466
m4/argz.m4
4567
m4/libtool.m4
@@ -50,17 +72,14 @@ m4/lt~obsolete.m4
5072
man/*.html
5173
man/Makefile.in
5274
missing
53-
src/curvecp/curvecpclient
54-
src/curvecp/curvecpmakekey
55-
src/curvecp/curvecpmessage
56-
src/curvecp/curvecpprintkey
57-
src/curvecp/curvecpserver
5875
src/libsodium/*.def
5976
src/libsodium/include/sodium/version.h
6077
stamp-*
61-
test/js.done
78+
test-driver
79+
test/default/browser
6280
test/default/*.res
6381
test/default/*.trs
82+
test/default/aead_aes256gcm
6483
test/default/aead_chacha20poly1305
6584
test/default/auth
6685
test/default/auth2
@@ -93,6 +112,7 @@ test/default/onetimeauth
93112
test/default/onetimeauth2
94113
test/default/onetimeauth7
95114
test/default/pwhash
115+
test/default/pwhash_scrypt
96116
test/default/pwhash_scrypt_ll
97117
test/default/randombytes
98118
test/default/scalarmult
@@ -118,10 +138,5 @@ test/default/stream2
118138
test/default/stream3
119139
test/default/stream4
120140
test/default/verify1
121-
test-driver
141+
test/js.done
122142
testing
123-
android-toolchain-*
124-
libsodium-android-*
125-
/bin/
126-
/obj/
127-
Vagrantfile

.travis.yml

Lines changed: 6 additions & 1 deletion
@@ -1,3 +1,5 @@
1+
sudo: false
2+
13
language: c
24

35
os:
@@ -14,10 +16,13 @@ before_script:
1416

1517
script:
1618
- ./configure --disable-dependency-tracking
19+
- >
20+
if [ "$TRAVIS_OS_NAME" = 'linux' -a "$CC" = 'gcc' ]; then make CFLAGS='-g0' > /dev/null && cp src/libsodium/.libs/libsodium.so lib.so && make clean > /dev/null && make CFLAGS='-g0' CPPFLAGS='-DSODIUM_C99\(X\)=' > /dev/null && cp src/libsodium/.libs/libsodium.so lib-oldc.so && cmp lib.so lib-oldc.so && echo No binary changes && make clean > /dev/null ; fi
1721
- make distcheck
18-
- make distclean
22+
- make distclean > /dev/null
1923
- ./configure --disable-dependency-tracking --enable-minimal
2024
- make distcheck
25+
- ( echo '#include <sodium.h>' ; echo 'int main(void) { return sodium_init(); }' ) > /tmp/main.c && gcc -Isrc/libsodium/include -Isrc/libsodium/include/sodium $(find src -name '*.c' -o -name '*.S') /tmp/main.c
2126

2227
env:
2328
global:
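Review bot: the `-a` inside `[ "$TRAVIS_OS_NAME" = 'linux' -a "$CC" = 'gcc' ]` in the long `- >` entry is the obsolescent XSI form of test(1); write it as `[ "$TRAVIS_OS_NAME" = 'linux' ] && [ "$CC" = 'gcc' ]` so the line also holds under a strict POSIX sh. Two smaller points in the same hunk: the `cmp lib.so lib-oldc.so` parity check between the C99 and `-DSODIUM_C99\(X\)=` builds only works because both pass `-g0` (debug info would otherwise carry differing paths and line tables), so keep that flag if the line is ever refactored; and the final added entry compiles every `src` `.c`/`.S` file together with `/tmp/main.c` without `-o` and never runs the result, so it is a compile-and-link smoke test only and leaves an `a.out` in the checkout.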

AUTHORS

Lines changed: 27 additions & 3 deletions
@@ -2,13 +2,18 @@
22
Designers
33
=========
44

5+
argon2 Alex Biryukov
6+
Daniel Dinu
7+
Dmitry Khovratovich
8+
59
blake2 Jean-Philippe Aumasson
610
Christian Winnerlein
711
Samuel Neves
812
Zooko Wilcox-O'Hearn
913

1014
chacha20 Daniel J. Bernstein
11-
salsa20
15+
16+
salsa20 Daniel J. Bernstein
1217

1318
chacha20poly1305 Adam Langley
1419

@@ -32,10 +37,17 @@ scrypt Colin Percival
3237
Implementors
3338
============
3439

40+
crypto_aead/aes256gcm/aesni Romain Dolbeau
41+
Frank Denis
42+
3543
crypto_aead/chacha20poly1305 Frank Denis
3644

45+
crypto_core/curve25519 Daniel J. Bernstein
46+
3747
crypto_box/curve25519xsalsa20poly1305 Daniel J. Bernstein
3848

49+
crypto_core/hchacha20 Frank Denis
50+
3951
crypto_core/hsalsa20 Daniel J. Bernstein
4052
crypto_core/salsa20
4153
crypto_core/salsa2012
@@ -53,6 +65,8 @@ crypto_scalarmult/curve25519/ref10 Daniel J. Bernstein
5365

5466
crypto_scalarmult/curve25519/donna_c64 Adam Langley
5567

68+
crypto_scalarmult/curve25519/sandy2x Tung Chou
69+
5670
crypto_secretbox/xsalsa20poly1305 Daniel J. Bernstein
5771

5872
crypto_sign/ed25519 Peter Schwabe
@@ -63,7 +77,9 @@ crypto_sign/ed25519 Peter Schwabe
6377

6478
crypto_stream/aes128ctr Peter Schwabe
6579

66-
crypto_stream/chacha20 Daniel J. Bernstein
80+
crypto_stream/chacha20/ref Daniel J. Bernstein
81+
82+
crypto_stream/chacha20/vec Ted Krovetz
6783

6884
crypto_stream/salsa20 Daniel J. Bernstein
6985
crypto_stream/salsa2012
@@ -78,7 +94,15 @@ crypto_generichash/blake2b Jean-Philippe Aumasson
7894
Samuel Neves
7995
Zooko Wilcox-O'Hearn
8096

81-
crypto_onetimeauth/poly1305/donna Andrew "floodyberry" Moon.
97+
crypto_onetimeauth/poly1305/donna Andrew "floodyberry" Moon
98+
99+
crypto_onetimeauth/poly1305/sse2 Andrew "floodyberry" Moon
100+
101+
crypto_pwhash/argon2 Samuel Neves
102+
Dmitry Khovratovich
103+
Jean-Philippe Aumasson
104+
Daniel Dinu
105+
Thomas Pornin
82106

83107
crypto_pwhash/scryptsalsa208sha256 Colin Percival
84108
Alexander Peslyak

ChangeLog

Lines changed: 97 additions & 3 deletions
@@ -1,15 +1,109 @@
11

2-
* Version 1.0.4 (not released yet)
2+
* Version 1.0.10
3+
- This release only fixes a compilation issue reported with some older
4+
gcc versions. There are no functional changes over the previous release.
5+
6+
* Version 1.0.9
7+
- The Javascript target now includes a `--sumo` option to include all
8+
the symbols of the original C library.
9+
- A detached API was added to the ChaCha20-Poly1305 and AES256-GCM
10+
implementations.
11+
- The Argon2i password hashing function was added, and is accessible
12+
directly and through a new, high-level `crypto_pwhash` API. The scrypt
13+
function remains available as well.
14+
- A speed-record AVX2 implementation of BLAKE2b was added (thanks to
15+
Samuel Neves).
16+
- The library can now be compiled using C++Builder (thanks to @jcolli44)
17+
- Countermeasures for Ed25519 signatures malleability have been added
18+
to match the irtf-cfrg-eddsa draft (note that malleability is irrelevant to
19+
the standard definition of signature security). Signatures with a small-order
20+
`R` point are now also rejected.
21+
- Some implementations are now slightly faster when using the Clang
22+
compiler.
23+
- The HChaCha20 core function was implemented (`crypto_core_hchacha20()`).
24+
- No-op stubs were added for all AES256-GCM public functions even when
25+
compiled on non-Intel platforms.
26+
- `crypt_generichash_blake2b_statebytes()` was added.
27+
- New macros were added for the IETF variant of the ChaCha20-Poly1305
28+
construction.
29+
- The library can now be compiled on Minix.
30+
- HEASLR is now enabled on MinGW builds.
31+
32+
* Version 1.0.8
33+
- Handle the case where the CPU supports AVX, but we are running
34+
on an hypervisor with AVX disabled/not supported.
35+
- Faster (2x) scalarmult_base() when using the ref10 implementation.
36+
37+
* Version 1.0.7
38+
- More functions whose return value should be checked have been
39+
tagged with `__attribute__ ((warn_unused_result))`: `crypto_box_easy()`,
40+
`crypto_box_detached()`, `crypto_box_beforenm()`, `crypto_box()`, and
41+
`crypto_scalarmult()`.
42+
- Sandy2x, the fastest Curve25519 implementation ever, has been
43+
merged in, and is automatically used on CPUs supporting the AVX
44+
instructions set.
45+
- An SSE2 optimized implementation of Poly1305 was added, and is
46+
twice as fast as the portable one.
47+
- An SSSE3 optimized implementation of ChaCha20 was added, and is
48+
twice as fast as the portable one.
49+
- Faster `sodium_increment()` for common nonce sizes.
50+
- New helper functions have been added: `sodium_is_zero()` and
51+
`sodium_add()`.
52+
- `sodium_runtime_has_aesni()` now properly detects the CPU flag when
53+
compiled using Visual Studio.
54+
55+
* Version 1.0.6
56+
- Optimized implementations of Blake2 have been added for modern
57+
Intel platforms. `crypto_generichash()` is now faster than MD5 and SHA1
58+
implementations while being far more secure.
59+
- Functions for which the return value should be checked have been
60+
tagged with `__attribute__ ((warn_unused_result))`. This will
61+
intentionally break code compiled with `-Werror` that didn't bother
62+
checking critical return values.
63+
- The `crypto_sign_edwards25519sha512batch_*()` functions have been
64+
tagged as deprecated.
65+
- Undocumented symbols that were exported, but were only useful for
66+
internal purposes have been removed or made private:
67+
`sodium_runtime_get_cpu_features()`, the implementation-specific
68+
`crypto_onetimeauth_poly1305_donna()` symbols,
69+
`crypto_onetimeauth_poly1305_set_implementation()`,
70+
`crypto_onetimeauth_poly1305_implementation_name()` and
71+
`crypto_onetimeauth_pick_best_implementation()`.
72+
- `sodium_compare()` now works as documented, and compares numbers
73+
in little-endian format instead of behaving like `memcmp()`.
74+
- The previous changes should not break actual applications, but to be
75+
safe, the library version major was incremented.
76+
- `sodium_runtime_has_ssse3()` and `sodium_runtime_has_sse41()` have
77+
been added.
78+
- The library can now be compiled with the CompCert compiler.
79+
80+
* Version 1.0.5
81+
- Compilation issues on some platforms were fixed: missing alignment
82+
directives were added (required at least on RHEL-6/i386), a workaround
83+
for a VRP bug on gcc/armv7 was added, and the library can now be compiled
84+
with the SunPro compiler.
85+
- Javascript target: io.js is not supported any more. Use nodejs.
86+
87+
* Version 1.0.4
88+
- Support for AES256-GCM has been added. This requires
89+
a CPU with the aesni and pclmul extensions, and is accessible via the
90+
crypto_aead_aes256gcm_*() functions.
91+
- The Javascript target doesn't use eval() any more, so that the
92+
library can be used in Chrome packaged applications.
93+
- QNX and CloudABI are now supported.
94+
- Support for NaCl has finally been added.
395
- ChaCha20 with an extended (96 bit) nonce and a 32-bit counter has
496
been implemented as crypto_stream_chacha20_ietf(),
597
crypto_stream_chacha20_ietf_xor() and crypto_stream_chacha20_ietf_xor_ic().
698
An IETF-compatible version of ChaCha20Poly1305 is available as
799
crypto_aead_chacha20poly1305_ietf_npubbytes(),
8100
crypto_aead_chacha20poly1305_ietf_encrypt() and
9101
crypto_aead_chacha20poly1305_ietf_decrypt().
10-
- Sodium can now be used in Windows Store apps.
11102
- The sodium_increment() helper function has been added, to increment
12-
an arbitrary long number (such as a nonce).
103+
an arbitrary large number (such as a nonce).
104+
- The sodium_compare() helper function has been added, to compare
105+
arbitrary large numbers (such as nonces, in order to prevent replay
106+
attacks).
13107

14108
* Version 1.0.3
15109
- In addition to sodium_bin2hex(), sodium_hex2bin() is now a
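Review bot: the 1.0.9 entry `crypt_generichash_blake2b_statebytes()` is missing the `o` in `crypto_`; every other symbol in this file carries the `crypto_` prefix, and a reader grepping the headers for the name as written will not find it. Further wording points in the same hunk: the 1.0.4 line `Support for NaCl has finally been added` should say Native Client, since NaCl is also the name of the library libsodium derives from and the squashed log itself reads `support for NativeClient was added`; `an arbitrary large number` and `arbitrary large numbers` in the `sodium_increment()` and `sodium_compare()` entries should be `arbitrarily large`; and `on an hypervisor` (1.0.8) and `the AVX instructions set` (1.0.7) read better as `a hypervisor` and `the AVX instruction set`.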

LICENSE

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
/*
2-
* Copyright (c) 2013-2015
2+
* Copyright (c) 2013-2016
33
* Frank Denis <j at pureftpd dot org>
44
*
55
* Permission to use, copy, modify, and/or distribute this software for any

Makefile.am

Lines changed: 1 addition & 0 deletions
@@ -17,5 +17,6 @@ SUBDIRS = \
1717

1818
pkgconfigdir = $(libdir)/pkgconfig
1919
pkgconfig_DATA = @PACKAGE_NAME@.pc
20+
2021
DISTCLEANFILES = $(pkgconfig_DATA)
2122
