0.001001 Mar 7 2026
SECURITY UPDATE (CVE-2026-30910): Combined aead encryption, combined signature
creation, and bin2hex functions did not check that output size will be less
than SIZE_MAX, which could lead to integer wraparound causing an undersized
output buffer. This can cause a crash in bin2hex and encryption algorithms
other than aes256gcm. For aes256gcm encryption and signatures, an undersized
buffer could lead to buffer overflow.
Encountering this issue is unlikely as the message length would need to be very
large.
Additional changes:
- update README
0.001000 Jan 21 2026
- large re-factor (mostly just deduplication) of perl module code. one
user-facing change: packages in the Crypt::Sodium::XS::OO:: namespace can no
longer be imported directly. they really shouldn't have been previously, but
it will no longer work. if any code was doing so, remove the "::OO" from the
package name where it is imported (e.g., "use Crypt::Sodium::XS::OO::box"
becomes "use Crypt::Sodium::XS::box") and no further changes are necessary.
- bump libsodium to version 1.0.21-stable as of Jan 21
- implement new ipcrypt feature from 1.0.21
- add related sodium_bin2ip and sodium_ip2bin from 1.0.21
- minor bugfixes and improvements
0.000042 Jan 4 2026
IMPORTANT SECURITY UPDATE: bundled libsodium updated to 1.0.20-stable. fixes
CVE-2025-15444 (upstream CVE-2025-69277). libsodium version 1.0.20-stable is
both a vulnerable and not-vulnerable version for this CVE. the included copy of
this "stable release" (daily snapshot) is the version of 1.0.20-stable released
January 3, 2026 which includes a fix for the vulnerability.
vulnerability notes:
- C::S::XS::curve25519::core_ed25519_is_valid_point could have improperly
reported invalid curve points as valid. only users of this low-level function
(e.g., for implementing custom crypto) are affected.
- this update only affects users of the bundled version of libsodium. users
of an externally-provided libsodium (e.g., software packaged by operating
system distribution) must update that library to a not-vulnerable version.
for those external library users, this Crypt::Sodium::XS update is not
necessary and will not remediate the vulnerability.
0.000041 Dec 5 2025
- add fallback for older Fcntl
- fix termios flag setting
0.000040 Dec 4 2025
- re-factoring of MemVault file/tty io functions
- document MemVault new_from_tty constructor
- don't use hardcoded class name in MemVault constructors, allow for
subclassing
- minor code cleanup (sodium_bin2base64) and assorted doc updates
0.000039 Aug 21 2025
- fix new_from_fd and new_from_file. test added.
0.000038 Aug 9 2025
- Makefile.PL: remove use of -C option with tar for portability (solaris)
0.000037 Aug 5 2025
- fix a potential under-allocation in generichash multipart state sizes
- fix missing export of mv_from_hex in MemVault
- minor bugfixes and improvements
0.000036 Aug 3 2025
- important update: return protected memory from pwhash function. the output is
intended to be used as a secret, and this was an oversight in the original
implementation.
- add new importable shortcut functions to memvault constructors
- replace undocumented memvault new_from_ttyno constructor with new_from_tty.
this remains undocumented and not recommended for use pending further review.
0.000035 Aug 1 2025
- BUGFIX: fix overread on new length parameter for memvault new_from_fd|file
- a couple documentation changes are included
0.000034 Aug 1 2025
- protected memory functions were renamed to be more sensible.
backwards-compatability aliases are there so code won't break. new protected
memory flag functions added. see Crypt::Sodium::XS::ProtMem.
- minor change to arguments in MemVault new_from_fd|new_from_file. now takes an
optional size argument before flags. pretty unlikely anyone was calling these
with flags before, but if so it needs updating.
- update csxs-ppcrypt demo program. NOTE: arguments to this program have
changed. encryption format has been extended, but is backwards compatible.
- fixes for pminisign demo program.
- test cleanup, and always disable strict mlock in tests.
- minor bugfixes and improvements
0.000033 Jul 24 2025
- kdf derive: use NV for id on platforms with less than 64-bit integers,
allowing for 2 ** 53 - 1 ids.
- kdf derive: restrict id on all platforms to 2 ** 53 - 1 to prevent accidental
derivation of duplicate keys. see docs for details.
0.000032 Jul 23 2025
- BUGFIX: fix kdf derive output length. found during manual review. test cases
added.
- BUGFIX: fix concat method to return new memvault. test cases added.
- require memvault unlock for compare method (and all new overloads that use
it)
- add '!=' and '==' overloads for MemVault (equivalent to eq and ne)
- add '<' 'lt' '<=' 'le' '>' 'gt' '>=' and 'ge' overloads for MemVault (derived
from compare method)
- add to_bytes as explicit method for stringification
- doc updates
0.000031 Jul 21 2025
- fix a handful of missing memory allocation failure checks. found in manual
review.
- no functional changes
0.000030 Jul 19 2025
- BUGFIX: fix missing null check in curve25519
- stream: support returning memvault from xor and xor_ic
- many documentation updates
- minor bugfixes and improvements
0.000029 Jul 16 2025
- BUGFIX: fix a regression in build failures when hkdf is not available.
author's testing against older versions has been improved to prevent future
regressions.
- added pad and unpad methods to MemVault and functions in Util package
- improved/added bitwise methods and overloads for MemVault
- Makefile.PL: allow SODIUM_BUNDLED env var to specify a libsodium tarball.
this allows bundling a specific version of libsodium, older or newer than
bundled with the dist.
- fix missing magic fetching in many places
0.000028 Jul 15 2025
- add curve25519 packages implementing finite field functions
crypto_core_ed25519|ristretto255_*
- add ed25519 and ristretto255 primitives to scalarmult
- update bundled libsodium to 1.0.20
- minor bugfixes and improvements
0.000027 Jul 12 2025
- fix a memory freeing bug
0.000026 Jul 9 2025
- fix MANIFEST missing test files
0.000025 Jul 9 2025
- BUGFIX: fix mlock flag mask and _NONE
- check for mlock working at all in tests (best guess), and disable if not
- revert a makefile change that inadvertently required newer EUMM
- fix a function argument type bug in kdf
- fix pgp key in markdown
0.000024 Jul 8 2025
- BUGFIX: fix another bug on threaded build
- add RT link to pod
0.000023 Jul 8 2025
- updates for better kwalitee
0.000022 Jul 8 2025
- BUGFIX: fix compile failure on threaded builds
- fix some compatability issues found by cpantesters smokes
0.000021 Jul 8 2025
- BUGFIX: fix a comment that breaks parsexs.
0.000020 Jul 7 2025
- BUGFIX: fixed memvault xor method with memvault arg
- add csxs-ppcrypt program to dist
- doc updates
0.000019 Jul 7 2025
- fix parallel make
- minor bugfixes and improvements
- doc updates
0.000018 Jul 6 2025
- BREAKING CHANGES - but not published yet. change constant and function names
to match new internal protected memory naming ("protmem" vs. "safemem").
- add environment variables for flag defaults
- use a single protected memory api the hood for all protected memory
- doc updates
0.000017 Jul 5 2025
- add a test for pminisign, just compiles
- doc updates
0.000016 Jul 4 2025
- add demo program for passphrase encryption/decryption
- minor bugfixes and improvements
- doc updates
0.000015 Jul 4 2025
- add flag to munlock sodium allocated memory
- minor bugfixes and improvements
- doc updates
0.000014 Jul 2 2025
- minor bugfixes and improvements
- doc updates
0.000013 Jul 2 2025
- minor bugfixes and improvements
- doc updates
0.000012 Jun 26 2025
- doc updates
0.000011 Jun 27 2025
- minor bugfixes and improvements
- doc updates
0.000010 Jun 26 2025
- no functional change
0.000009 Jun 25 2025
- OO interface added
- minor bugfixes and improvements
- doc updates
0.000008 Apr 12 2024
- C style improvements
- fix mpstate and memvault grant and release
- bugfix makefile for current libsodium
0.000007 Feb 16 2024
- move hkdf to own package
0.000006 Feb 15 2024
- bump libsodium to 1.0.19
- add hkdf
- add feature guards for hkdf and aegis
- makefile improvements
- bugfix aes256gcm decrypt
0.000005 Feb 12 2024
- makefile improvements
0.000004 Aug 30 2023
- fix undocumented memvault new_from_ttyno
0.000003 Aug 23 2023
- minor bugfixes
0.000002 Sun Jul 9 2023
- First release