Skip to content

Releases: mcginty/snow

v0.10.0

19 Jul 17:00
@mcginty mcginty
v0.10.0
4bb43f5
Compare
Choose a tag to compare
v0.10.0 Latest
Latest

Quick Summary

snow is now no_std-friendly, with only one required dependency (subtle) now if you bring your own cryptographic provider, thank you @complexspaces!

This release also sees some breaking API changes in the builder to further prevent misuse/abuse - more builder functions now return Result<Self, Error> instead of Self.

The P-256 curve is now also available as a non-default feature for those of you needing more curves in your life.

Finally, this release transitioned the snow codebase to Rust 2024 and has a new MSRV of 1.85.

New

Improvements

Migrating from 0.9

The main change you'll likely notice is the need to add expect(...) or ? to a few builder functions that have been updated to further limit the chance of misuse.

Here are the semver-breaking changes:

  • Builder function fallibility: more functions in the builder now return a Result to more explicitly prohibit calling the same setter twice.
  • DHChoice::Ed448 has been renamed to DHChoice::Curve448
  • Multiple new error enum variants have been added.

PRs

Full Changelog: v0.9.6...v0.10.0

Contributors

tarcieri, dconnolly, and 9 other contributors
Assets 2
Loading

v0.10.0-beta.2

16 Jun 14:38
@mcginty mcginty
v0.10.0-beta.2
ee66c84
Compare
Choose a tag to compare
v0.10.0-beta.2 Pre-release
Pre-release

This latest beta cleans out the dependency graph, such that snow now only has one required dependency (on subtle)! Shoutout to @complexspaces for the work.

changes since v0.10.0-beta.1

  • Updated Rust edition to 2024
  • Remove dependency on rand, and feature-gated dependency on getrandom
  • Removed unused byteorder dependency

Quick Summary

snow is now no_std-friendly, with only one required dependency now if you bring your own cryptographic provider!

This release also sees some breaking API changes in the builder to further prevent misuse/abuse - more builder functions now return Result<Self, Error> instead of Self.

The P-256 curve is now also available as a non-default feature for those of you needing more curves in your life.

New

Improvements

Migrating from 0.9

The main change you'll likely notice is the need to add expect(...) or ? to a few builder functions that have been updated to further limit the chance of misuse.

Here are all the semver-breaking changes:

  • Builder function fallibility: more functions in the builder now return a Result to more explicitly prohibit calling the same setter twice.
  • DHChoice::Ed448 has been renamed to DHChoice::Curve448
  • Multiple new error enum variants have been added.

New Contributors

Full Changelog: v0.9.0...v0.10.0-beta.1

Contributors

dconnolly, AlfioEmanueleFresta, and 8 other contributors
Loading

v0.10.0-beta.1

06 Jun 14:11
@mcginty mcginty
v0.10.0-beta.1
659eeb7
Compare
Choose a tag to compare
v0.10.0-beta.1 Pre-release
Pre-release

v0.10.0-beta.1

This change brings in some very welcome additions: no_std support, finally, and unofficial support for the P-256 curve.

changes since v0.10.0-alpha.1

  • Updated rand_core to 0.9
  • Updated criterion to 0.6
  • Updated ring and curve25519-dalek versions to the latest version that doesn't have a RUSTSEC warning

New

Improvements

Migrating from 0.9

The main change you'll likely notice is the need to add expect(...) or ? to a few builder functions that have been updated to further limit the chance of misuse.

Here are all the semver-breaking changes:

  • Builder function fallibility: more functions in the builder now return a Result to more explicitly prohibit calling the same setter twice.
  • DHChoice::Ed448 has been renamed to DHChoice::Curve448
  • Multiple new error enum variants have been added.

New Contributors

Full Changelog: v0.9.0...v0.10.0-beta.1

Contributors

dconnolly, AlfioEmanueleFresta, and 8 other contributors
Loading

v0.10.0-alpha.1

18 Feb 21:50
@mcginty mcginty
v0.10.0-alpha.1
6c99643
Compare
Choose a tag to compare
v0.10.0-alpha.1 Pre-release
Pre-release

v0.10.0-alpha.1

This change brings in some very welcome additions: no_std support, finally, and unofficial support for the P-256 curve.

New

Improvements

Migrating from 0.9

This should be a zero-diff change for most users of Snow, but there are small semver incompatibilities.

  • DHChoice::Ed448 has been renamed to DHChoice::Curve448
  • Multiple new error enum variants have been added.

New Contributors

Full Changelog: v0.9.0...v0.10.0-alpha.1

Contributors

dconnolly, AlfioEmanueleFresta, and 8 other contributors
Loading

v0.9.6

26 Jan 03:44
@mcginty mcginty
v0.9.6
a4be73f
Compare
Choose a tag to compare
v0.9.6
  • Validate invalid PSK positions when building a Noise protocol.
  • Raise errors in various typos/mistakes in Noise patterns when parsing.
  • Deprecate the sodiumoxide backend, as that crate is no longer maintained. We may eventually migrate it to a maintaned version of the crate, but for now it's best to warn users.
  • Set a hard limit in read_message() in transport mode to 65535 to be fully compliant with the Noise specification.

Full Changelog: v0.9.5...v0.9.6

Loading

v0.9.5

24 Jan 07:54
@mcginty mcginty
v0.9.5
74e30cf
Compare
Choose a tag to compare
v0.9.5

This is a security release that fixes a logic flaw in decryption in TransportState (i.e. the stateful one), where the nonce could increase even when decryption failed, which can cause a desync between the sender and receiver, opening this up as a denial of service vector if the attacker has the ability to inject packets in the channel Noise is talking over.

More details can be found in the advisory: GHSA-7g9j-g5jg-3vv3

All users are encouraged to update.

Loading

v0.9.4

11 Nov 22:41
@mcginty mcginty
v0.9.4
4cd77c5
Compare
Choose a tag to compare
v0.9.4

This is a dependency version bump release because a couple of important dependencies released new versions that needed a Cargo.toml bump:

  • ring 0.17
  • pqcrypto-kyber 0.8
  • aes-gcm 0.10
  • chacha20poly1305 0.10
Loading

v0.9.3

16 Aug 21:13
@mcginty mcginty
v0.9.3
59804f8
Compare
Choose a tag to compare
v0.9.3

This is a quick patch release to use the stable 4.0 version of curve25519-dalek.

Loading

v0.9.2

13 Mar 00:25
@mcginty mcginty
v0.9.2
a11d0d9
Compare
Choose a tag to compare
v0.9.2

This is a patch release to address a correctness issue for compliance with the Noise specification: the nonce $2^{64} - 1$ is reserved for rekeying, and CipherState and StatelessCipherState did not check that, instead just making sure that there was no integer overflow.

Thanks to @kjvalencik for reporting the issue and @complexspaces for contributing the fix PR (#152).

Thanks to @robyoder as well for fixing broken links and making sure all links were HTTPS (#151).

Full Changelog: v0.9.1...v0.9.2

Contributors

robyoder, kjvalencik, and complexspaces
Loading

v0.9.1

31 Jan 23:09
@mcginty mcginty
v0.9.1
fd56e6c
Compare
Choose a tag to compare
v0.9.1

This is a patch release to fix build breakages due to not pinning curve25519-dalek to a specific pre-release version.

Thanks to @Kofituo and @thomaseizinger for bringing it to attention and @tarcieri for the fix PR (#148).

Contributors

tarcieri, thomaseizinger, and Kofituo
Loading