1.0.9

• The Javascript target now includes a --sumo option to include all the symbols of the original C library.
• A detached API was added to the ChaCha20-Poly1305 and AES256-GCM implementations.
• The Argon2i password hashing function was added, and is accessible directly and through a new, high-level crypto_pwhash API. The scrypt function remains available as well.
• A speed-record AVX2 implementation of BLAKE2b was added (thanks to Samuel Neves).
• The library can now be compiled using C++Builder (thanks to @jcolli44)
• Countermeasures for Ed25519 signatures malleability have been added to match the irtf-cfrg-eddsa draft (note that malleability is irrelevant to the standard definition of signature security). Signatures with a small-order R point are now also rejected.
• Some implementations are now slightly faster when using the Clang compiler.
• The HChaCha20 core function was implemented (crypto_core_hchacha20()).
• No-op stubs were added for all AES256-GCM public functions even when compiled on non-Intel platforms.
• crypt_generichash_blake2b_statebytes() was added.
• New macros were added for the IETF variant of the ChaCha20-Poly1305 construction.
• The library can now be compiled on Minix.
• HEASLR is now enabled on MinGW builds.

1.0.8

           *             ,
                       _/^\_
                      <     >
     *                 /.-.\         *
              *        `/&\`                   *
                      ,@.*;@,
                     /_o.I %_\    *
        *           (`'--:o(_@;
                   /`;--.,__ `')             *
                  ;@`o % O,*`'`&\ 
            *    (`'--)_@ ;o %'()\      *
                 /`;--._`''--._O'@;
                /&*,()~o`;-.,_ `""`)
     *          /`,@ ;+& () o*`;-';\
               (`""--.,_0 +% @' &()\
               /-.,_    ``''--....-'`)  *
          *    /@%;o`:;'--,.__   __.'\
              ;*,&(); @ % &^;~`"`o;@();         *
              /(); o^~; & ().o@*&`;&%O\
              `"="==""==,,,.,="=="==="`
           __.----.(\-''#####---...___...-----._
         '`         \)_`"""""`
                 .--' ')
               o(  )_-\
                 `"""` `

• Handle the case where the CPU supports AVX, but we are running on an hypervisor with AVX disabled/not supported.
• Faster (2x) scalarmult_base() when using the ref10 implementation.

1.0.7

• More functions whose return value should be checked have been tagged with __attribute__ ((warn_unused_result)): crypto_box_easy(), crypto_box_detached(), crypto_box_beforenm(), crypto_box(), and crypto_scalarmult().
• Sandy2x, the fastest Curve25519 implementation ever, has been merged in, and is automatically used on CPUs supporting the AVX instructions set.
• An SSE2 optimized implementation of Poly1305 was added, and is twice as fast as the portable one.
• An SSSE3 optimized implementation of ChaCha20 was added, and is twice as fast as the portable one.
• Faster sodium_increment() for common nonce sizes.
• New helper functions have been added: sodium_is_zero() and sodium_add().
• sodium_runtime_has_aesni() now properly detects the CPU flag when compiled using Visual Studio.

1.0.6

• Optimized implementations of Blake2 have been added for modern Intel platforms. crypto_generichash() is now faster than MD5 and SHA1 implementations while being far more secure.
• Functions for which the return value should be checked have been tagged with __attribute__ ((warn_unused_result)). This will intentionally break code compiled with -Werror that didn't bother checking critical return values.
• The crypto_sign_edwards25519sha512batch_*() functions have been tagged as deprecated.
• Undocumented symbols that were exported, but were only useful for internal purposes have been removed or made private:
  sodium_runtime_get_cpu_features(), the implementation-specific crypto_onetimeauth_poly1305_donna() symbols, crypto_onetimeauth_poly1305_set_implementation(), crypto_onetimeauth_poly1305_implementation_name() and crypto_onetimeauth_pick_best_implementation().
• sodium_compare() now works as documented, and compares numbers in little-endian format instead of behaving like memcmp().
• The previous changes should not break actual applications, but to be safe, the library version major was incremented.
• sodium_runtime_has_ssse3() and sodium_runtime_has_sse41() have been added.
• The library can now be compiled with the CompCert compiler.

1.0.5

This release only fixes compilation issues on some platforms.

If 1.0.4 compiled and installed fine on your system, upgrading to this version is not required.
There are no functional changes.

• Compilation issues on some platforms were fixed: missing alignment directives were added (required at least on RHEL-6/i386), a workaround for a VRP bug on gcc/armv7 was added, and the library can now be compiled with the SunPro compiler.
• Javascript target: io.js is not supported any more. Use nodejs.

1.0.4

• Support for AES256-GCM has been added. This requires a CPU with the aesni and pclmul extensions, and is accessible via the crypto_aead_aes256gcm_*() functions.
• The Javascript target doesn't use eval() any more, so that the library can be used in Chrome packaged applications.
• QNX and CloudABI are now supported.
• Support for NaCl has finally been added.
• ChaCha20 with an extended (96 bit) nonce and a 32-bit counter has been implemented as crypto_stream_chacha20_ietf(), crypto_stream_chacha20_ietf_xor() and crypto_stream_chacha20_ietf_xor_ic(). An IETF-compatible version of ChaCha20Poly1305 is available as crypto_aead_chacha20poly1305_ietf_npubbytes(), crypto_aead_chacha20poly1305_ietf_encrypt() and crypto_aead_chacha20poly1305_ietf_decrypt().
• The sodium_increment() helper function has been added, to increment an arbitrary large number (such as a nonce).
• The sodium_compare() helper function has been added, to compare arbitrary large numbers (such as nonces, in order to prevent replay attacks).

1.0.3

• In addition to sodium_bin2hex(), sodium_hex2bin() is now a
  constant-time function.
• crypto_stream_xsalsa20_ic() has been added.
• crypto_generichash_statebytes(), crypto_auth_*_statebytes() and crypto_hash_*_statebytes() have been added in order to retrieve the size of structures keeping states from foreign languages.
• The JavaScript target doesn't require /dev/urandom or an external randombytes() implementation any more. Other minor Emscripten-related improvements have been made in order to support libsodium.js
• Custom randombytes implementations do not need to provide their own implementation of randombytes_uniform() any more. randombytes_stir() and randombytes_close() can also be NULL pointers if they are not required.
• On Linux, getrandom(2) is being used instead of directly accessing /dev/urandom, if the kernel supports this system call.
• crypto_box_seal() and crypto_box_seal_open() have been added.
• A solutions for Visual Studio 2015 was added.

1.0.1

• DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid
  collisions with similar macros defined by other libraries.
• sodium_bin2hex() is now constant-time.
• crypto_secretbox_detached() now supports overlapping input and output
  regions.
• NaCl's donna_c64 implementation of curve25519 was reading an extra byte
  past the end of the buffer containing the base point. This has been
  fixed.

1.0.0

• The API and ABI are now stable. New features will be added, but backward-compatibility is guaranteed through all the 1.x.y releases.
• crypto_sign() properly works with overlapping regions again. Thanks to @pysiak for reporting this regression introduced in version 0.6.1.
• The test suite has been extended.

0.7.1 (1.0 RC2)

This is the second release candidate of Sodium 1.0.

Minor compilation, readability and portability changes have been made and the test suite was improved, but the API is the same as the previous release candidate.