A modern, portable, easy to use crypto library.

Related tags

c cryptography crypto

GitHub CI Windows build status Coverity Scan Build Status Azure build status CodeQL scan


Sodium is a new, easy-to-use software library for encryption, decryption, signatures, password hashing and more.

It is a portable, cross-compilable, installable, packageable fork of NaCl, with a compatible API, and an extended API to improve usability even further.

Its goal is to provide all of the core operations needed to build higher-level cryptographic tools.

Sodium supports a variety of compilers and operating systems, including Windows (with MingW or Visual Studio, x86 and x64), iOS, Android, as well as Javascript and Webassembly.


The documentation is available on Gitbook and built from the libsodium-doc repository:

Integrity Checking

The integrity checking instructions (including the signing key for libsodium) are available in the installation section of the documentation.


A mailing-list is available to discuss libsodium.

In order to join, just send a random mail to sodium-subscribe {at} pureftpd {dot} org.


Code Contributors

This project exists thanks to all the people who contribute. [Contribute].

Financial Contributors

Become a financial contributor and help us sustain our community. [Contribute]



Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]


ISC license.

  • Update packaging scripts to .NET Core 2.0

    Update packaging scripts to .NET Core 2.0

    This updates the packaging scripts to .NET Core 2.0 and fixes two issues:

    • When packing the libsodium package, dotnet pack using .NET Core 2.0 gives the following error:

      error MSB3644: The reference assemblies for framework ".NETFramework,Version=v4.6" were not found. To resolve this, install the SDK or Targeting Pack for this framework version or retarget your application to a version of the framework for which you have the SDK or Targeting Pack installed. Note that assemblies will be resolved from the Global Assembly Cache (GAC) and will be used in place of reference assemblies. Therefore your assembly may not be correctly targeted for the framework you intend.

      Of course, it's not possible to install .NET Framework 4.6 on Linux, where the libsodium package is packed.

      The fix is to remove net46 from <TargetFrameworks>. It doesn't seem to be strictly needed anyway.

    • When adding the libsodium package to a .NET Core 2.0 project, dotnet add package libsodium --version 1.0.12-preview-01 gives the following warning:

      warning NU1701: Package 'libsodium 1.0.12-preview-01' was restored using '.NETFramework,Version=v4.6.1' instead of the project target framework '.NETCoreApp,Version=v2.0'. This package may not be fully compatible with your project.

      I've tried a few things to get rid of the warning, but so far I haven't found anything working. @BurningEnlightenment - Do you have an idea?

      The fix is to remove support for .NET Framework for now.

    The libsodium NuGet package is now a dependency of the libsodium-core project.

    @tabrath @rwasef1830 - The libsodium NuGet package is intended for projects that wrap libsodium in a .NET library, like yours. The goal is to provide a stable, well-tested, high-quality NuGet package containing the native assets, primarily for .NET Core.

    The package is currently marked as "preview" because there are some issues that need to be addressed. This may require some changes to the package before it can be marked as stable.

    If you want, you can help speed up things by testing the package in as many configurations as possible. In particular, there hasn't been much testing related to ASP.NET yet (shadow copying, etc.).

    opened by ektrah 28
  • Fix for assertion failure in randombytes on Linux x86

    Fix for assertion failure in randombytes on Linux x86

    On Linux x86, I get the following assertion failure: randombytes/randombytes.c:63: randombytes: Assertionbuf_len <= (4294967295U)' failed.`

    On Linux x86, SIZE_MAX is 2^32, but an unsigned long long int is 2^64. In randombytes.h, the struct randombytes_implementation defines buf with the second parameter being a size_t (2^32), but the randombytes() function is defined using a long long unsigned int (2^64). This causes the library to only send 32 bits for the buf_len (size_t) but it tries to read 64 bits of data (long long unsigned int), which causes a failed assertion when memory following the 4 bytes is non-zero.

    All tests passed before and after this patch. I am using libsodium through Python with proprietary software, which worked on my co-workers' computers (Mac OSX 64-bit) but not on mine (Xubuntu 12.10 32-bit).

    opened by TehWan 23
  • Add functions exposing constants for all operation/primitive pairs

    Add functions exposing constants for all operation/primitive pairs

    Wrappers for other languages can't access constants defined by C preprocessor macros, so they must be exposed as functions. This was already done for the "default" implementation of each operation, but this commit adds functions for (almost) all of the underlying primitives.

    A few are currently excluded due to problems with the automated script used to generated this commit. They are:

    • crypto_onetimeauth_poly1305
    • crypto_generichash_blake2b
    • crypto_verify16
    • crypto_verify32
    opened by stouset 22
  • Fix x64 builds for MSVC < vc11

    Fix x64 builds for MSVC < vc11

    @jedisct1 x64 builds for VC9 and VC10 are broken now. I used this patch to create x64 builds for PHP 5.3 and PHP 5.4 (which some people are actually using): https://www.apachelounge.com/viewtopic.php?t=6359

    opened by Jan-E 16
  • Fixes VS 2008 build.

    Fixes VS 2008 build.

    The purpose of this change is to use ZeroMQ's curve security using PyZMQ in Python 2.7 on Windows.

    Since C extensions for Python 2.7 must be compiled with VS 2008, I need to be able to compile libsodium with Visual Studio 2008. I understand that this compiler is quite old, but the number of changes to fix the VS 2008 build is quite small. The changes are limited to:

    1. working around the absence of <stdint.h>; and
    2. VS 2008's confusion when both static and inline qualify a function.

    In the process, I've also realized that both libzmq and libsodium use the same DLL_EXPORT macro to control visibility of symbols. This makes it impossible to build libsodium as a dependency of libzmq on Windows when both are build as DLLs. Since the name of the macro is arbitrary, I added a library prefix to prevent this conflict.

    I also have a working VS 2008 solution to build libsodium on Windows. However, I can't get it to output the build products under the correct bin\ and obj\ folder with a structure that matches those of the other solutions. Since I couldn't get around this issue, I didn't include it in the pull request. If you're interested anyways, let me know and I can add it.


    opened by AndreLouisCaron 16
  • Stable branch for Android 64

    Stable branch for Android 64

    Simply changing the platform to 24 seems to do the job for all Android based architectures. Tested with Android devices and emulators down to Version 16

    opened by alexkeramidas 15
  • Ed25519: add EdDSA-Ed25519-Blake2b-512 signing variant

    Ed25519: add EdDSA-Ed25519-Blake2b-512 signing variant

    Copy of ref10 code, adding EdDSA-Ed25519-Blake2b-512 variant.

    Replaces internal use of Sha-512 with Blake2b-512, protects against Length Extension Attacks.

    opened by tini2p-project 14
  • Fix wrong statement about constant time sodium_memcmp()

    Fix wrong statement about constant time sodium_memcmp()

    The number of instructions depend on the parameter len.

    opened by ahamez 12
  • Add crypto_pwhash_MISMATCH errno

    Add crypto_pwhash_MISMATCH errno

    This will attempt at #533. I do not know however if setting errno is considered the best way, or returning another error code would be better. As I see it -1 is the expected "mismatch" error code and ENOMEM was an "unexpected" error cause from crypto_pwhash_str_verify, so if returning a error code is better we should decide on a error code for this.

    opened by emilbayes 12
  • 1.0.18-RELEASE(May 30, 2019)

    • Enterprise versions of Visual Studio are now supported.
    • Visual Studio 2019 is now supported.
    • 32-bit binaries for Visual Studio 2010 are now provided.
    • A test designed to trigger an OOM condition didn't work on Linux systems with memory overcommit turned on. It has been removed in order to fix Ansible builds.
    • Emscripten: print and printErr functions are overridden to send errors to the console, if there is one.
    • Emscripten: UTF8ToString() is now exported since Pointer_stringify() has been deprecated.
    • Libsodium version detection has been fixed in the CMake recipe.
    • Generic hashing got a 10% speedup on AVX2.
    • New target: WebAssembly/WASI (compile with dist-builds/wasm32-wasi.sh).
    • New functions to map a hash to an edwards25519 point or get a random point: core_ed25519_from_hash() and core_ed25519_random().
    • crypto_core_ed25519_scalar_mul() has been implemented for scalar*scalar (mod L) multiplication.
    • Support for the Ristretto group has been implemented for interoperability with wasm-crypto.
    • Improvements have been made to the test suite.
    • Portability improvements have been made.
    • getentropy() is now used on systems providing this system call.
    • randombytes_salsa20 has been renamed to randombytes_internal.
    • Support for NativeClient has been removed.
    • Most ((nonnull)) attributes have been relaxed to allow 0-length inputs to be NULL.
    • The -ftree-vectorize and -ftree-slp-vectorize compiler switches are now used, if available, for optimized builds.


    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.18-mingw.tar.gz(1013.87 KB)
    libsodium-1.0.18-mingw.tar.gz.minisig(317 bytes)
    libsodium-1.0.18-mingw.tar.gz.sig(566 bytes)
    libsodium-1.0.18-msvc.zip(41.20 MB)
    libsodium-1.0.18-msvc.zip.minisig(313 bytes)
    libsodium-1.0.18-msvc.zip.sig(566 bytes)
    libsodium-1.0.18.tar.gz(1.83 MB)
    libsodium-1.0.18.tar.gz.minisig(311 bytes)
    libsodium-1.0.18.tar.gz.sig(566 bytes)
  • 1.0.17(Jan 7, 2019)

    • Bug fix: sodium_pad() didn't properly support block sizes >= 256 bytes.
    • JS/WebAssembly: some old iOS versions can't instantiate the WebAssembly module; fall back to Javascript on these.
    • JS/WebAssembly: compatibility with newer Emscripten versions.
    • Bug fix: crypto_pwhash_scryptsalsa208sha256_str_verify() and crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()didn't returnEINVAL` on input strings with a short length, unlike their high-level counterpart.
    • Added a workaround for Visual Studio 2010 bug causing CPU features not to be detected.
    • Portability improvements.
    • Test vectors from Project Wycheproof have been added.
    • New low-level APIs for arithmetic mod the order of the prime order group: crypto_core_ed25519_scalar_random(), crypto_core_ed25519_scalar_reduce(), crypto_core_ed25519_scalar_invert(), crypto_core_ed25519_scalar_negate(), crypto_core_ed25519_scalar_complement(), crypto_core_ed25519_scalar_add() and crypto_core_ed25519_scalar_sub().
    • New low-level APIs for scalar multiplication without clamping: crypto_scalarmult_ed25519_base_noclamp() and crypto_scalarmult_ed25519_noclamp(). These new APIs are especially useful for blinding.
    • sodium_sub() has been implemented.
    • Support for WatchOS has been added.
    • getrandom(2) is now used on FreeBSD 12+.
    • The nonnull attribute has been added to all relevant prototypes.
    • More reliable AVX512 detection.
    • Javascript/Webassembly builds now use dynamic memory growth.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.17.tar.gz(1.82 MB)
    libsodium-1.0.17.tar.gz.minisig(311 bytes)
    libsodium-1.0.17.tar.gz.sig(566 bytes)
  • 1.0.16(Dec 13, 2017)

    • Signatures computations and verifications are now way faster on 64-bit platforms with compilers supporting 128-bit arithmetic (gcc, clang, icc). This includes the WebAssembly target.
    • New low-level APIs for computations over edwards25519: crypto_scalarmult_ed25519(), crypto_scalarmult_ed25519_base(), crypto_core_ed25519_is_valid_point(), crypto_core_ed25519_add(), crypto_core_ed25519_sub() and crypto_core_ed25519_from_uniform() (elligator representative to point).
    • crypto_sign_open(), crypto_sign_verify_detached() andcrypto_sign_edwards25519sha512batch_open` now reject public keys in non-canonical form in addition to low-order points.
    • The library can be built with ED25519_NONDETERMINISTIC defined in order to use synthetic nonces for EdDSA. This is disabled by default.
    • Webassembly: crypto_pwhash_*() functions are now included in non-sumo builds.
    • sodium_stackzero() was added to wipe content off the stack.
    • Android: support new SDKs where unified headers have become the default.
    • The Salsa20-based PRNG example is now thread-safe on platforms with support for thread-local storage, optionally mixes bits from RDRAND.
    • CMAKE: static library detection on Unix systems has been improved (thanks to @BurningEnlightenment, @nibua-r, @mellery451)
    • Argon2 and scrypt are slightly faster on Linux.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.16.tar.gz(1.82 MB)
    libsodium-1.0.16.tar.gz.minisig(311 bytes)
    libsodium-1.0.16.tar.gz.sig(566 bytes)
  • 1.0.15(Oct 1, 2017)

    • The default password hashing algorithm is now Argon2id. The pwhash_str_verify() function can still verify Argon2i hashes without any changes, and pwhash() can still compute Argon2i hashes as well.
    • The aes128ctr primitive was removed. It was slow, non-standard, not authenticated, and didn't seem to be used by any opensource project.
    • Argon2id required at least 3 passes like Argon2i, despite a minimum of 1 as defined by the OPSLIMIT_MIN constant. This has been fixed.
    • The secretstream construction was slightly changed to be consistent with forthcoming variants.
    • The Javascript and Webassembly versions have been merged, and the module now returns a .ready promise that will resolve after the Webassembly code is loaded and compiled.
    • Note that due to these incompatible changes, the library version major was bumped up.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.15.tar.gz(1.77 MB)
    libsodium-1.0.15.tar.gz.minisig(311 bytes)
    libsodium-1.0.15.tar.gz.sig(566 bytes)
  • 1.0.14(Sep 21, 2017)

    • iOS binaries should now be compatible with WatchOS and TVOS.
    • WebAssembly is now officially supported. Special thanks to @facekapow and @pepyakin who helped to make it happen.
    • Internal consistency checks failing and primitives used with dangerous/out-of-bounds/invalid parameters used to call abort(3). Now, a custom handler that doesn't return can be set with the set_sodium_misuse() function. It still aborts by default or if the handler ever returns. This is not a replacement for non-fatal, expected runtime errors. This handler will be only called in unexpected situations due to potential bugs in the library or in language bindings.
    • *_MESSAGEBYTES_MAX macros (and the corresponding _messagebytes_max() symbols) have been added to represent the maximum message size that can be safely handled by a primitive. Language bindings are encouraged to check user inputs against these maximum lengths.
    • The test suite has been extended to cover more edge cases.
    • crypto_sign_ed25519_pk_to_curve25519() now rejects points that are not on the curve, or not in the main subgroup.
    • Further changes have been made to ensure that smart compilers will not optimize out code that we don't want to be optimized.
    • Visual Studio solutions are now included in distribution tarballs.
    • The sodium_runtime_has_* symbols for CPU features detection are now defined as weak symbols, i.e. they can be replaced with an application-defined implementation. This can be useful to disable AVX* when temperature/power consumption is a concern.
    • crypto_kx_*() now aborts if called with no non-NULL pointers to store keys to.
    • SSE2 implementations of crypto_verify_*() have been added.
    • Passwords can be hashed using a specific algorithm with the new crypto_pwhash_str_alg() function.
    • Due to popular demand, base64 encoding (sodium_bin2base64()) and decoding (sodium_base642bin()) have been implemented.
    • A new crypto_secretstream_*() API was added to safely encrypt files and multi-part messages.
    • The sodium_pad() and sodium_unpad() helper functions have been added in order to add & remove padding.
    • An AVX512 optimized implementation of Argon2 has been added (written by Ondrej Mosnáček, thanks!)
    • The crypto_pwhash_str_needs_rehash() function was added to check if a password hash string matches the given parameters, or if it needs an update.
    • The library can now be compiled with recent versions of emscripten/binaryen that don't allow multiple variables declarations using a single var statement.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.14.tar.gz(1.78 MB)
    libsodium-1.0.14.tar.gz.minisig(311 bytes)
    libsodium-1.0.14.tar.gz.sig(566 bytes)
  • 1.0.13(Jul 15, 2017)

    • Javascript: the sumo builds now include all symbols. They were previously limited to symbols defined in minimal builds.
    • The public crypto_pwhash_argon2i_MEMLIMIT_MAX constant was incorrectly defined on 32-bit platforms. This has been fixed.
    • Version 1.0.12 didn't compile on OpenBSD/i386 using the base gcc compiler. This has been fixed.
    • The Android compilation scripts have been updated for NDK r14b.
    • armv7s-optimized code was re-added to iOS builds.
    • An AVX2 optimized implementation of the Argon2 round function was added.
    • The Argon2id variant of Argon2 has been implemented. The high-level crypto_pwhash_str_verify() function automatically detects the algorithm and can verify both Argon2i and Argon2id hashed passwords. The default algorithm for newly hashed passwords remains Argon2i in this version to avoid breaking compatibility with verifiers running libsodium <= 1.0.12.
    • A crypto_box_curve25519xchacha20poly1305_seal*() function set was implemented.
    • scrypt was removed from minimal builds.
    • libsodium is now available on NuGet.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.13.tar.gz(1.80 MB)
    libsodium-1.0.13.tar.gz.minisig(311 bytes)
  • 1.0.12(Mar 13, 2017)

    • Ed25519ph was implemented, adding a multi-part signature API (crypto_sign_init(), crypto_sign_update(), crypto_sign_final_*()).
    • New constants and related accessors have been added for Scrypt and Argon2.
    • XChaCha20 has been implemented. Like XSalsa20, this construction extends the ChaCha20 cipher to accept a 192-bit nonce. This makes it safe to use ChaCha20 with random nonces.
    • crypto_secretbox, crypto_box and crypto_aead now offer variants leveraging XChaCha20.
    • SHA-2 is about 20% faster, which also gives a speed boost to signature and signature verification.
    • AVX2 implementations of Salsa20 and ChaCha20 have been added. They are twice as fast as the SSE2 implementations. The speed gain is even more significant on Windows, that previously didn't use vectorized implementations.
    • New high-level API: crypto_kdf, to easily derive one or more subkeys from a master key.
    • Siphash with a 128-bit output has been implemented, and is available as crypto_shorthash_siphashx_*.
    • New *_keygen() helpers functions have been added to create secret keys for all constructions. This improves code clarity and can prevent keys from being partially initialized.
    • A new randombytes_buf_deterministic() function was added to deterministically fill a memory region with pseudorandom data. This function can especially be useful to write reproducible tests.
    • A crypto_kx_*() API was added to compute shared session keys.
    • AVX2 detection is more reliable.
    • The pthreads library is not required any more when using MingW.
    • contrib/Findsodium.cmake was added as an example to include libsodium in a project using cmake.
    • Compatibility with gcc 2.x has been restored.
    • Minimal builds can be checked using sodium_library_minimal().
    • The --enable-opt compilation switch has become compatible with more platforms.
    • Android builds are now using clang on platforms where it is available.

    Pie from PIE

    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.12.tar.gz(1.79 MB)
    libsodium-1.0.12.tar.gz.minisig(311 bytes)
  • 1.0.11(Jul 31, 2016)

    • sodium_init() is now thread-safe, and can be safely called multiple times.
    • Android binaries now properly support 64-bit Android, targeting platform 24, but without breaking compatibility with platforms 16 and 21.
    • Better support for old gcc versions.
    • On FreeBSD, core dumps are disabled on regions allocated with sodium allocation functions.
    • AVX2 detection was fixed, resulting in faster BLAKE2b hashing on platforms where it was not properly detected.
    • The Sandy2x Curve25519 implementation was not as fast as expected on some platforms. This has been fixed.
    • The NativeClient target was improved. Most notably, it now supports optimized implementations, and uses pepper_49 by default.
    • The library can be compiled with recent Emscripten versions. Changes have been made to produce smaller code, and the default heap size was reduced in the standard version.
    • The code can now be compiled on SLES11 service pack 4.
    • Decryption functions can now accept a NULL pointer for the output. This checks the MAC without writing the decrypted message.
    • crypto_generichash_final() now returns -1 if called twice.
    • Support for Visual Studio 2008 was improved.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.11.tar.gz(1.76 MB)
    libsodium-1.0.11.tar.gz.minisig(311 bytes)
  • 1.0.10(Apr 4, 2016)

  • 1.0.9(Apr 2, 2016)

    • The Javascript target now includes a --sumo option to include all the symbols of the original C library.
    • A detached API was added to the ChaCha20-Poly1305 and AES256-GCM implementations.
    • The Argon2i password hashing function was added, and is accessible directly and through a new, high-level crypto_pwhash API. The scrypt function remains available as well.
    • A speed-record AVX2 implementation of BLAKE2b was added (thanks to Samuel Neves).
    • The library can now be compiled using C++Builder (thanks to @jcolli44)
    • Countermeasures for Ed25519 signatures malleability have been added to match the irtf-cfrg-eddsa draft (note that malleability is irrelevant to the standard definition of signature security). Signatures with a small-order R point are now also rejected.
    • Some implementations are now slightly faster when using the Clang compiler.
    • The HChaCha20 core function was implemented (crypto_core_hchacha20()).
    • No-op stubs were added for all AES256-GCM public functions even when compiled on non-Intel platforms.
    • crypt_generichash_blake2b_statebytes() was added.
    • New macros were added for the IETF variant of the ChaCha20-Poly1305 construction.
    • The library can now be compiled on Minix.
    • HEASLR is now enabled on MinGW builds.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.9.tar.gz(1.74 MB)
    libsodium-1.0.9.tar.gz.minisig(310 bytes)
  • 1.0.8(Dec 25, 2015)

               *             ,
                          <     >
         *                 /.-.\         *
                  *        `/&\`                   *
                         /_o.I %_\    *
            *           (`'--:o([email protected];
                       /`;--.,__ `')             *
                      ;@`o % O,*`'`&\ 
                *    (`'--)[email protected] ;o %'()\      *
                    /&*,()~o`;-.,_ `""`)
         *          /`,@ ;+& () o*`;-';\
                   (`""--.,_0 +% @' &()\
                   /-.,_    ``''--....-'`)  *
              *    /@%;o`:;'--,.__   __.'\
                  ;*,&(); @ % &^;~`"`o;@();         *
                  /(); o^~; & ()[email protected]*&`;&%O\
             '`         \)_`"""""`
                     .--' ')
                   o(  )_-\
                     `"""` `
    • Handle the case where the CPU supports AVX, but we are running on an hypervisor with AVX disabled/not supported.
    • Faster (2x) scalarmult_base() when using the ref10 implementation.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.8.tar.gz(1.71 MB)
    libsodium-1.0.8.tar.gz.minisig(310 bytes)
  • 1.0.7(Dec 8, 2015)

    • More functions whose return value should be checked have been tagged with __attribute__ ((warn_unused_result)): crypto_box_easy(), crypto_box_detached(), crypto_box_beforenm(), crypto_box(), and crypto_scalarmult().
    • Sandy2x, the fastest Curve25519 implementation ever, has been merged in, and is automatically used on CPUs supporting the AVX instructions set.
    • An SSE2 optimized implementation of Poly1305 was added, and is twice as fast as the portable one.
    • An SSSE3 optimized implementation of ChaCha20 was added, and is twice as fast as the portable one.
    • Faster sodium_increment() for common nonce sizes.
    • New helper functions have been added: sodium_is_zero() and sodium_add().
    • sodium_runtime_has_aesni() now properly detects the CPU flag when compiled using Visual Studio.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.7.tar.gz(1.72 MB)
    libsodium-1.0.7.tar.gz.minisig(310 bytes)
  • 1.0.6(Nov 1, 2015)

    • Optimized implementations of Blake2 have been added for modern Intel platforms. crypto_generichash() is now faster than MD5 and SHA1 implementations while being far more secure.
    • Functions for which the return value should be checked have been tagged with __attribute__ ((warn_unused_result)). This will intentionally break code compiled with -Werror that didn't bother checking critical return values.
    • The crypto_sign_edwards25519sha512batch_*() functions have been tagged as deprecated.
    • Undocumented symbols that were exported, but were only useful for internal purposes have been removed or made private: sodium_runtime_get_cpu_features(), the implementation-specific crypto_onetimeauth_poly1305_donna() symbols, crypto_onetimeauth_poly1305_set_implementation(), crypto_onetimeauth_poly1305_implementation_name() and crypto_onetimeauth_pick_best_implementation().
    • sodium_compare() now works as documented, and compares numbers in little-endian format instead of behaving like memcmp().
    • The previous changes should not break actual applications, but to be safe, the library version major was incremented.
    • sodium_runtime_has_ssse3() and sodium_runtime_has_sse41() have been added.
    • The library can now be compiled with the CompCert compiler.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.6.tar.gz(1.70 MB)
  • 1.0.5(Oct 24, 2015)

    This release only fixes compilation issues on some platforms.

    If 1.0.4 compiled and installed fine on your system, upgrading to this version is not required. There are no functional changes.

    • Compilation issues on some platforms were fixed: missing alignment directives were added (required at least on RHEL-6/i386), a workaround for a VRP bug on gcc/armv7 was added, and the library can now be compiled with the SunPro compiler.
    • Javascript target: io.js is not supported any more. Use nodejs.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.5.tar.gz(1.70 MB)
  • 1.0.4(Oct 18, 2015)

    • Support for AES256-GCM has been added. This requires a CPU with the aesni and pclmul extensions, and is accessible via the crypto_aead_aes256gcm_*() functions.
    • The Javascript target doesn't use eval() any more, so that the library can be used in Chrome packaged applications.
    • QNX and CloudABI are now supported.
    • Support for NaCl has finally been added.
    • ChaCha20 with an extended (96 bit) nonce and a 32-bit counter has been implemented as crypto_stream_chacha20_ietf(), crypto_stream_chacha20_ietf_xor() and crypto_stream_chacha20_ietf_xor_ic(). An IETF-compatible version of ChaCha20Poly1305 is available as crypto_aead_chacha20poly1305_ietf_npubbytes(), crypto_aead_chacha20poly1305_ietf_encrypt() and crypto_aead_chacha20poly1305_ietf_decrypt().
    • The sodium_increment() helper function has been added, to increment an arbitrary large number (such as a nonce).
    • The sodium_compare() helper function has been added, to compare arbitrary large numbers (such as nonces, in order to prevent replay attacks).
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.4.tar.gz(1.70 MB)
  • 1.0.3(May 9, 2015)

    • In addition to sodium_bin2hex(), sodium_hex2bin() is now a constant-time function.
    • crypto_stream_xsalsa20_ic() has been added.
    • crypto_generichash_statebytes(), crypto_auth_*_statebytes() and crypto_hash_*_statebytes() have been added in order to retrieve the size of structures keeping states from foreign languages.
    • The JavaScript target doesn't require /dev/urandom or an external randombytes() implementation any more. Other minor Emscripten-related improvements have been made in order to support libsodium.js
    • Custom randombytes implementations do not need to provide their own implementation of randombytes_uniform() any more. randombytes_stir() and randombytes_close() can also be NULL pointers if they are not required.
    • On Linux, getrandom(2) is being used instead of directly accessing /dev/urandom, if the kernel supports this system call.
    • crypto_box_seal() and crypto_box_seal_open() have been added.
    • A solutions for Visual Studio 2015 was added.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.3.tar.gz(1.60 MB)
  • 1.0.1(Nov 20, 2014)

    • DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid collisions with similar macros defined by other libraries.
    • sodium_bin2hex() is now constant-time.
    • crypto_secretbox_detached() now supports overlapping input and output regions.
    • NaCl's donna_c64 implementation of curve25519 was reading an extra byte past the end of the buffer containing the base point. This has been fixed.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.1.tar.gz(1.57 MB)
  • 1.0.0(Sep 24, 2014)

    • The API and ABI are now stable. New features will be added, but backward-compatibility is guaranteed through all the 1.x.y releases.
    • crypto_sign() properly works with overlapping regions again. Thanks to @pysiak for reporting this regression introduced in version 0.6.1.
    • The test suite has been extended.
    Source code(tar.gz)
    Source code(zip)
    libsodium-1.0.0.tar.gz(1.46 MB)
  • 0.7.1(Sep 19, 2014)

  • 0.7.0(Aug 24, 2014)

    • Allocating memory to store sensitive data can now be done using sodium_malloc() and sodium_allocarray(). These functions add guard pages around the protected data to make it less likely to be accessible in a heartbleed-like scenario. In addition, the protection for memory regions allocated that way can be changed using sodium_mprotect_noaccess(), sodium_mprotect_readonly() and sodium_mprotect_readwrite().
    • ed25519 keys can be converted to curve25519 keys with crypto_sign_ed25519_pk_to_curve25519() and crypto_sign_ed25519_sk_to_curve25519(). This allows using the same keys for signature and encryption.
    • The seed and the public key can be extracted from an ed25519 key using crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk().
    • aes256 was removed. A timing-attack resistant implementation might be added later, but not before version 1.0 is tagged.
    • The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was removed. Use crypto_pwhash_scryptsalsa208sha256_*.
    • The compatibility layer for implementation-specific functions was removed.
    • Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed.
    • crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains the prefix produced by crypto_pwhash_scryptsalsa208sha256_str()
    Source code(tar.gz)
    Source code(zip)
    libsodium-0.7.0.tar.gz(1.46 MB)
  • 0.6.1(Jul 15, 2014)

    • Important bug fix: when crypto_sign_open() was given a signed message too short to even contain a signature, it was putting an unlimited amount of zeros into the target buffer instead of immediately returning -1. The bug was introduced in version 0.5.0.
    • New API: crypto_sign_detached() and crypto_sign_verify_detached() to produce and verify ed25519 signatures without having to duplicate the message.
    • New ./configure switch: --enable-minimal, to create a smaller library, with only the functions required for the high-level API. Mainly useful for the JavaScript target and embedded systems.
    • All the symbols are now exported by the Emscripten build script.
    • The pkg-config .pc file is now always installed even if the pkg-config tool is not available during the installation.
    Source code(tar.gz)
    Source code(zip)
    libsodium-0.6.1.tar.gz(1.47 MB)
  • 0.6.0(Jul 1, 2014)

    • The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_*
    • The ChaCha20Poly1305 AEAD construction has been implemented, as crypto_aead_chacha20poly1305_*
    • The _easy API does not require any heap allocations any more and does not have any overhead over the NaCl API. With the password hashing function being an obvious exception, the library doesn't allocate and will not allocate heap memory ever.
    • crypto_box and crypto_secretbox have a new _detached API to store the authentication tag and the encrypted message separately.
    • crypto_pwhash_scryptxsalsa208sha256_() functions have been renamed crypto_pwhash_scryptsalsa208sha256_().
    • The low-level crypto_pwhash_scryptsalsa208sha256_ll() function allows setting individual parameters of the scrypt function.
    • New macros and functions for recommended crypto_pwhash_* parameters have been added.
    • Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair() has been introduced to deterministically generate a key pair from a seed.
    • crypto_onetimeauth() now provides a streaming interface.
    • crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic() have been added to use a non-zero initial block counter.
    • On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which doesn't require the Crypt API.
    • The high bit in curve25519 is masked instead of processing the key as a 256-bit value.
    • The curve25519 ref implementation was replaced by the latest ref10 implementation from Supercop.
    • sodium_mlock() now prevents memory from being included in coredumps on Linux 3.4+
    Source code(tar.gz)
    Source code(zip)
    libsodium-0.6.0.tar.gz(1.47 MB)
  • 0.5.0(May 14, 2014)

    • sodium_mlock()/sodium_munlock() have been introduced to lock pages in memory before storing sensitive data, and to zero them before unlocking them.
    • High-level wrappers for crypto_box and crypto_secretbox (crypto_box_easy and crypto_secretbox_easy) can be used to avoid dealing with the specific memory layout regular functions depend on.
    • crypto_pwhash_scryptxsalsa208sha256* functions have been added to derive a key from a password, and for password storage.
    • Salsa20 and ed25519 implementations now support overlapping inputs/keys/outputs (changes imported from supercop-20140505).
    • New build scripts for Visual Studio, Emscripten, different Android architectures and msys2 are available.
    • The poly1305-53 implementation has been replaced with Floodyberry's poly1305-donna32 and poly1305-donna64 implementations.
    • sodium_hex2bin() has been added to complement sodium_bin2hex().
    • On OpenBSD and Bitrig, arc4random() is used instead of reading /dev/urandom.
    • crypto_auth_hmac_sha512() has been implemented.
    • sha256 and sha512 now have a streaming interface.
    • hmacsha256, hmacsha512 and hmacsha512256 now support keys of arbitrary length, and have a streaming interface.
    • crypto_verify_64() has been implemented.
    • first-class Visual Studio build system, thanks to @evoskuil
    • CPU features are now detected at runtime.
    Source code(tar.gz)
    Source code(zip)
    libsodium-0.5.0.tar.gz(1.45 MB)
  • 0.4.5(Oct 22, 2013)

  • 0.4.4(Oct 22, 2013)

    • Visual Studio is officially supported (VC 2010 & VC 2013)
    • mingw64 is now supported
    • big-endian architectures are now supported as well
    • The donna_c64 implementation of curve25519_donna_c64 now handles non-canonical points like the ref implementation
    • Missing scalarmult_curve25519 and stream_salsa20 constants are now exported
    • A crypto_onetimeauth_poly1305_ref() wrapper has been added
    Source code(tar.gz)
    Source code(zip)
    libsodium-0.4.4.tar.gz(527.74 KB)
  • 0.4.3(Sep 9, 2013)

    • crypto_sign_seedbytes() and crypto_sign_SEEDBYTES were added.
    • crypto_onetimeauth_poly1305_implementation_name() was added.
    • poly1305-ref has been replaced by a faster implementation, Floodyberry's poly1305-donna-unrolled.
    • Stackmarkings have been added to assembly code, for Hardened Gentoo.
    • pkg-config can now be used in order to retrieve compilations flags for using libsodium.
    • crypto_stream_aes256estream_*() can now deal with unaligned input on platforms that require word alignment.
    • portability improvements.
    Source code(tar.gz)
    Source code(zip)
    libsodium-0.4.3.tar.gz(510.90 KB)
  • 0.1(Jul 8, 2013)

  • 0.2(Jul 8, 2013)

  • 0.3(Jul 8, 2013)

  • 0.4(Jul 8, 2013)

    • Most constants and operations are now available as actual functions instead of macros, making it easier to use from other languages.
    • New operation: crypto_generichash, featuring a variable key size, a variable output size, and a streaming API. Currently implemented using Blake2b.
    • The package can be compiled in a separate directory.
    • aes128ctr functions are exported.
    • Optimized versions of curve25519 (curve25519_donna_c64), poly1305 (poly1305_53) and ed25519 (ed25519_ref10) are available. Optionally calling sodium_init() once before using the library makes it pick the fastest implementation.
    • New convenience function: sodium_memzero() in order to securely wipe a memory area.
    • A whole bunch of cleanups and portability enhancements.
    • On Windows, a .REF file is generated along with the shared library, for use with Visual Studio. The installation path for these has become $prefix/bin as expected by MingW.
    Source code(tar.gz)
    Source code(zip)
Frank Denis
Parisian fashion photographer with a knack for cryptography, computer vision, opensource software and infosec. Get my public keys here: https://sk.tl/7CPRo8kn
Frank Denis
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.

Themis provides strong, usable cryptography for busy people General purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), An

Cossack Labs 1.2k Feb 18, 2021
Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.

Tink A multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. Ubuntu

Google 11.1k Feb 19, 2021
An open source, portable, easy to use, readable and flexible SSL library

README for Mbed TLS Mbed TLS is a C library that implements cryptographic primitives, X.509 certificate manipulation and the SSL/TLS and DTLS protocol

Arm Mbed 2.8k Feb 19, 2021
DARKCAT Project - A Strong Prototype Crypto-Locker

Darkcat is an Open Source Crypto-locker directed at an audience with an interest in the field of Cyber Security. The locker is similar to how very obnoxious Ransomwares operate using 2-Layer Key Encryption with the intent of making it almost impossible to recover any key from memory even during the event of Encryption.

Alexander Töpfer 25 Feb 8, 2021
:lock: Don't use this repo, use the new monorepo instead:

trezor-crypto Heavily optimized cryptography algorithms for embedded devices. These include: AES/Rijndael encryption/decryption Big Number (256 bit) A

TREZOR 458 Feb 15, 2021
Monero: the secure, private, untraceable cryptocurrency

Monero: the secure, private, untraceable cryptocurrency

The Monero Project 5.6k Mar 28, 2021
MIRACL Cryptographic SDK: Multiprecision Integer and Rational Arithmetic Cryptographic Library is a C software library that is widely regarded by developers as the gold standard open source SDK for elliptic curve cryptography (ECC).

MIRACL What is MIRACL? Multiprecision Integer and Rational Arithmetic Cryptographic Library – the MIRACL Crypto SDK – is a C software library that is

MIRACL 388 Feb 13, 2021
Rubicon - a New Custom Encryption Algorithm/Tool

Rubicon - a New Custom Encryption Algorithm/Tool Disclaimer DO NOT use this project for purposes other than legitimate red teaming/pentesting jobs

null 12 Feb 7, 2021
A modern, portable, easy to use crypto library.

Sodium is a new, easy-to-use software library for encryption, decryption, signatures, password hashing and more. It is a portable, cross-compilable, i

Frank Denis 9.1k Feb 19, 2021
A lightweight, secure, easy-to-use crypto library suitable for constrained environments.

The Hydrogen library is a small, easy-to-use, hard-to-misuse cryptographic library. Features: Consistent high-level API, inspired by libsodium. Instea

Frank Denis 241 Feb 15, 2021
s2n : an implementation of the TLS/SSL protocols

s2n is a C99 implementation of the TLS/SSL protocols that is designed to be simple, small, fast, and with security as a priority. It is released and l

Amazon Web Services 3.9k Feb 19, 2021
LibSWIFFT - A fast C/C++ library for the SWIFFT secure homomorphic hash function

LibSWIFFT - A fast C/C++ library for the SWIFFT secure homomorphic hash function Official Repository LibSWIFFT is a production-ready C/C++ library pro

Gvili Tech Ltd 20 Feb 28, 2021
Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by Code Intelligence.

Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by Code Intelligence. It is based on libFuzzer and brings many of its instrumentation-powered mutation features to the JVM.

Code Intelligence 190 Mar 2, 2021
C++11 header-only message digest library

digestpp Experimental C++11 header-only message digest library. Derived from cppcrypto in an attempt to devise a more modern yet flexible and universa

null 115 Feb 16, 2021