Date: TBD.
Changelog:
- Bump copyright year to 2024.
- Bump MSRV to
1.74.0. - Update CI dependencies.
- SHA2: Switch from
checked_shl(3)tochecked_mul(8)duringincrement_mlen()(internal) (#376).
Date: September 19, 2023.
Changelog:
- Bump MSRV to
1.70.0. - Bump
fiat-cryptoto0.2.1.
Date: July 4, 2023.
Changelog:
- Add
experimentalcrate feature. - Add support for fully-committing AEAD variants based on CTX (#324).
- Add support for SHA3 (#327).
- Bump MSRV to
1.64. - Add support for DHKEM(X25519, HKDF-SHA256) from HPKE RFC 9180.
Date: March 4, 2023.
Changelog:
- Update Wycheproof test vectors (#320).
- Switch from
actions-rs/tarpaulintocargo-tarpaulin(#322) - Update documentation for PBKDF2 and Argon2i cost parameter selection (#316, #321).
- Remove
cargo-auditwhich was redundant tocargo-deny(#311). - Bump MSRV to
1.59.0. - Remove
html_root_url(#325).
Date: December 7, 2022.
Changelog:
- Fix misuse issue in (X)ChaCha20 and (X)ChaCha20-Poly1305 APIs (#308).
- Add benchmark check test without running any actual benchmarks (#307).
- Improve
Balek2b::new()docs (#303). - Migrated to Rust Edition 2021 (#237).
- MSRV bumped to
1.57.0andcriterionupdated (#299). - Added
serdedoc feature-tag toPasswordHashser/deser impls (#297).
Date: August 16, 2022.
Changelog:
- BLAKE2b
Hasherenum now implementsDebug + PartialEq(#278 (by @black-eagle17)). - Removed unmaintained
audit-checkand replaced withcargo-deny(#292). - Allow Unicode-DFS-2016 license in dev-dependency tree (#291).
Date: January 30, 2022.
Changelog:
- Use fiat-crypto from their provided crate on crates.io (#201) (by Vince Mutolo).
- Doc-tests no longer fail if run with
cargo test --no-default-features, as the erroneous usages have been feature-gated (#254). - Specify MSRV in
Cargo.tomlviarust-versionfield (#250). audit-checkGitHub Action added in addition tocargo-audit(#257).- Updated copyright year to 2022 (#267).
- Implement
std::io::Writefor BLAKE2 and SHA2, also addingorion::hash::digest_from_reader(#228) (by Vince Mutolo). - Implement Poly1305 using fiat-crypto (#198).
- Correct capitalization of crate name in docs, README and wiki (#259).
- Fix the benchmarking targets that failed to compile after
0.17.0(#270). - Various internal cleanups and improvements.
Date: November 24, 2021.
Changelog:
- [Breaking change] Keyed and non-keyed BLAKE2b have been split into two separate modules (
orion::hazardous::mac::blake2bandorion::hazardous::hash::blake2::blake2brespectively). The keyed now returns aTaginstead ofDigest(#208). - [Breaking change]
Tags (not only those used by BLAKE2b, but all) now implementDropbut no longer implementCopy(#208). - [Breaking change]
seal_chunk()used in streaming AEAD now takeStreamTagby reference (#212) (by 24seconds).
Date: November 3, 2021.
Changelog:
- Add support for X25519 using fiat-crypto Curve25519 field arithmetic (new modules
orion::hazardous::eccandorion::kex) (#197). - Implement serde
SerializeandDeserializefor relevant types (#192) (by Vince Mutolo). - Fix incorrect documentation of SHA256 streaming state (#196).
- Add
is_empty()to newtypes (#206). - Add documentation for correct use of streaming AEAD API with
StreamTag::Finish(#139). - Convert uses of
assert!(a == b)toassert_eq!(a, b)where possible (#210) (by Emmanuel Leblond). - Derive
Clone+CopyforStreamTag(#211) (by 24seconds). - Harden security of GitHub Actions CI/CD (#200) (by Vince Mutolo).
- Re-export HMAC
Tags used in their corresponding HKDF API (#224). - Fix warnings from CI jobs and bump MSRV to
1.52.0(#222) (#223). - Update benchmarks (#214).
- Render feature badges for API on docs.rs (#238).
- Add new Crate Features page to wiki (#215).
Date: March 29, 2021.
Changelog:
- [Breaking change] Moved all libraries to the https://github.com/orion-rs organization and added Vince Mutolo as a maintainer (#191).
- [Breaking change] Use Argon2i parameters from PasswordHash in
pwhash::hash_password_verify()(#138) (by Vince Mutolo). - [Breaking change] Limit high-level, variable-length newtype's input to
isize::MAX(#130). - [Breaking change] Add support for SHA256 and SHA384 (#152, #181, #162, #183).
- [Breaking change] Add support for HMAC-SHA(256/384), PBKDF2-HMAC-SHA(256/384) and HKDF-HMAC-SHA(256/384) (#171, #153, #154, #170).
- [Breaking change] Remove
orion::kdf::derive_key_verify()andorion::hazardous::kdf::hkdf::verify()(#179, #184). - [Breaking change] Convert
StreamTagused inorion::hazardous::aead::streamingandorion::aead::streamingto lower-case acronyms (i.eStreamTag::MESSAGE->StreamTag::Message) (#190). - Use new intra-doc links (#134, #185) along with other small improvements to documentation.
- Update fuzzing targets (#182).
- Add documentation for user-awareness of potential sensitive data in out-parameters during password-hash verification (#178, #187) (contrib. by Vince Mutolo).
- Replace
base64dependency withct-codecsto support constant-time encoding & decoding inorion::pwhash::PasswordHash(#188, #189). - Refactor property-based tests to use the
#[quickcheck]attribute, introducingquickcheck_macrosas a dev-dependency (#180). - Bump MSRV to
1.51.0.
Date: February 9, 2021.
Changelog:
- The entire CI infrastructure has been moved to GitHub Actions (removing AppVeyor and Travis CI).
- Add
cargo-denyto CI jobs (#174). - Refactoring of code related to testing and reading test vectors (#136, #143).
- Add new public Matrix room for discussion (#144).
- Internal documentation improvements and clippy improvements (by u5surf).
- Update and correct license years (#164).
- Update
quickcheck. - Fix documentation on the
generate()output-size for HMAC-based secret key newtypes which was incorrect (#169). - Improve the usage example in
orion::auth(Vince Mutolo). - Add GitHub issue templates for bugs and feature requests (#155).
- Add
SECURITY.md, specifying a disclosure policy, threat-model and information regarding yanking (#163).
Date: October 13, 2020.
Changelog:
- Documentation improvements.
- Update
base64to0.13.0.
Date: September 25, 2020.
Changelog:
- Empty plaintexts are now allowed for
hazardous::aead(#127). - Update
getrandomto0.2. - Bump MSRV to
1.41due to bump insubtle.
Date: August 8, 2020.
Changelog:
- Documentation improvements.
- Argon2i is now available in a
no_stdcontext, using the newallocfeature (#126). releaseandbenchprofiles now use the default LTO (thin local LTO) instead of fat LTO.
Date: June 7, 2020.
Changelog:
- Remove old
no_stdfeature from CONTRIBUTING guidelines. - Improve documentation and code around HKDFs maximum output length.
- Move clippy, rustfmt and basic tests to GitHub Actions (#122).
- Add random secret-key/nonce tests to AEADs and stream ciphers (#123).
- Address various clippy warnings.
Date: March 9, 2020.
Changelog:
- Update
base64dependency from0.11.0to0.12.0. - Documentation improvements.
Date: February 25, 2020.
Changelog:
- [Breaking change]
secure_cmpand all verification functions now returnResult<(), UnknownCryptoError>instead ofResult<bool, UnknownCryptoError>(#97). - [Breaking change] HChaCha20 is no longer public.
- [Breaking change] The default size of a randomly generated secret key in
hazardous::hash::blake2bis now 32 bytes instead of 64 bytes (#88). - [Breaking change]
orion::authnow uses BLAKE2b in keyed-mode as MAC (#88, by Vince Mutolo). - [Breaking change] The public API for structs used with incremental processing has been changed (#106 and #87).
- [Breaking change] Support for Argon2i(single-threaded) has been added. This is now used in the
orion::kdfandorion::pwhashmodules (#113). - [Breaking change]
chacha20::keystream_blockis no longer available. - [Breaking change] Uses of (X)ChaCha20Poly1305 will return an error if a
usizetou64conversion would be lossy. - [Breaking change] orion is now
no_std-compatible on stable Rust and theno_stdandnightlyfeatures have been removed (#111). - libsodium-compatible, streaming AEAD based on XChaCha20Poly1305 (libsodiums "secretstream") (#99 and #108, by snsmac).
- Switch to Criterion for benchmarks.
- Add contribution guidelines in
CONTRIBUTING.md. - Move the changelog to a
CHANGELOG.mdfile. - Add test vectors to XChaCha20.
- Improvements to
secure_cmp(#93, by snsmac) - Add explicit security warnings to
#[must_use]public APIs that return aResult(#95, by Cole Lawrence) - Cleanup in the orion-dudect tests and add tests for newtype
PartialEq<&[u8]>impl. - Remove hardcoded docs.rs links in the documentation (#100, by Kyle Schreiber).
- Previously, the documentation for
util::secure_rand_bytesstated that a panic would occur if the function failed to generate random bytes without throwing an error, which was not the case. This has been corrected. - Add
Blake2b::verifyto fuzzing targets. - orion-dudect now also tests for constant-time execution in CI on OSX and Windows platforms.
- Testing constant-time execution with WASM at orion-sidefuzz.
- New testing framework which has greatly reduced the amount of duplicate testing code (#96).
- Document and test MSRV (#104).
- orion is now listed as an alternative to the old
rust-cryptocrate on RustSec. UnknownCryptoErrornow implementsstd::error::Errorfor better interoperability with error-handling crates.- Added new test vectors from Wycheproof for ChaCha20Poly1305, XChaCha20Poly1305, HMAC-SHA512 and HKDF-HMAC-SHA512 (#116).
#![deny(warnings)]has been removed and replaced with flags in CI build jobs.- GitHub actions are used for daily security audit for the
crates-publishedbranch. Travis CI runs only weekly oncrates-publishedbranch now (daily before). - Removed inlining attributes that did not provide any performance improvements when tested with benchmarks (commit).
- Various performance improvements.
- Various improvements to fuzzing targets.
- Various improvements to tests.
Date: January 25, 2020.
Changelog:
- Fix
nightlybuild breakage.
Date: August 21, 2019.
Changelog:
- Reduce the amount of allocations throughout most of orion.
- Vectorize the ChaCha20 implementation providing ~6% performance improvement for (X)ChaCha20Poly1305 and ~11.5% for (X)ChaCha20.
- Documentation improvements.
Date: August 1, 2019.
Changelog:
- Improved performance for ChaCha20Poly1305/XChaCha20Poly1305 when AAD is empty.
- Refactoring of streaming contexts used by SHA512, BLAKE2b and Poly1305.
- Implement
PartialEq<&[u8]>for all newtypes and provide documentation for usage of such (by Vince Mutolo). - Switched to stable rustfmt.
- Fix use of now deprecated (since
v0.1.7)getrandomerrors. - Updated fuzzing targets in orion-fuzz.
Date: June 10, 2019.
Changelog:
- Improved performance on all implementations, most notably: ~30% in ChaCha20/XChaCha20 and ~20% in ChaCha20Poly1305/XChaCha20Poly1305.
- Updated
zeroizedependency. - Testing WebAssembly (
wasm32-unknown-unknown) support in CI. - Improved documentation.
Date: May 27, 2019.
Changelog:
- Update
zeroizedependency. - Improvements to documentation.
Date: May 4, 2019.
Changelog:
- [Breaking change] Function
as_bytes()for public newtypes are replaced withAsRef<>trait implementations. This means allas_bytes()calls need to be replaced withas_ref(). - [Breaking change] The
SecretKeyfor BLAKE2b is longer padded with zeroes to the length of the blocksize. Thus, theSecretKeyno longer has aget_original_length()function, but the same result will be represented by theget_length()function instead. - [Breaking change] All calls to
as_ref()andunprotected_as_bytes()return the newtypes data with what it was initialized, regardless of padding. (With the exception of HMAC) - [Breaking change] All calls to
get_length()return the length of the newtype with what is what initialized, regardless of padding. (With the exception of HMAC) - [Breaking change] All newtypes that offer
generate()now panic if the RNG fails to initialize of read from its source. This also means that newtypegenerate()functions, that do not take in a size parameter, no longer return aResult. - [Breaking change]
ValidationCryptoErrorandFinalizationCryptoErrorhave been removed. Though this doesn't mean that there is less information available, see issue here. - [Breaking change] Support for cSHAKE256 has been dropped, also meaning orion no longer depends on tiny-keccak. 8% decrease in
unsafecode in dependencies. - All fuzzing targets in
fuzzthat used libFuzzer have been deprecated in favor of those in orion-fuzz using honggfuzz-rs. - Improvements to fuzzing targets in orion-fuzz.
- Automated testing in CI, for constant-time execution.
- Added
From<[u8; C]>trait implementations for C-length fixed-sized newtypes, so that the caller may avoid usingResultwhen not working with slices. - [Breaking change] Module
hazardous::constantshas been removed and all types made private. Only a select number of constants have been re-exported in their respective modules. See here for more information. - It is now strictly advised against using orion in debug mode, for what is meant to be production use. Using
opt-level = 0with orion, is also advised against. See security section. rand_oshas been replaced withgetrandom.- Improvements to documentation examples as they no longer use
.unwrap()but?instead.
Date: April 1, 2019.
Changelog:
- Fix build for latest nightly.
Date: March 31, 2019.
Changelog:
- Updated
zeroizeto0.6.0. - Added a small number of tests.
- Improvement to constant-time interfaces (#66).
Date: March 13, 2019.
Changelog:
- PBKDF2 and BLAKE2b now panic on lengths exceeding (2^32-1) _ 64 and 2_(2^64-1), respectively.
- ChaCha20 length constrictions are now equivalent to those of the RFC and panics on trying to process more than 2^32-1 keystream blocks.
- Documentation improvements.
- OpenSSL test vectors for BLAKE2b.
Note: Strictly speaking, the first two changes are breaking, but because of the unlikeliness that this has an effect on anybody, they were not marked as such.
Date: February 16, 2019.
Changelog:
- Documentation improvements (#60).
Date: February 10, 2019.
Changelog:
- [Breaking change]:
orion::hazardous::hash::sha512previously used the sameDigestas BLAKE2b. This is no longer the case, making it impossible to specify a non fixed-length hash asDigestwith SHA512. - [Breaking change]:
HLENconstant renamed toSHA512_OUTSIZEandSHA2_BLOCKSIZEconstant renamed toSHA512_BLOCKSIZE. - Added
POLY1305_OUTSIZEconstant. - Improved documentation for high-level
Password,SecretKeyinhazardousshmacandblake2b, as well asPasswordinpbkdf2ofhazardous. - Added AppVeyor builds and testing for Windows MSVC with Visual Studio 2017.
Date: February 8, 2019.
Changelog:
- Switched to zeroize in favor of clear_on_drop, such that using orion on stable Rust no longer requires a C compiler.
- Fuzzing with honggfuzz-rs.
Date: February 4, 2019.
Changelog:
- Refactored HMAC and improved performance for PBKDF2 by ~50%.
- Removed
byteorderdependency using instead the endianness conversion functions that came with Rust 1.32.
Date: January 31, 2019.
Changelog:
- Fixes a bug where hashing, with BLAKE2b, over 2^64-1 bytes of data would cause an overflowing addition on debug builds.
- Fixes a bug where hashing, with SHA512, over 2^64-1 bytes of data would not result in the counter being correctly incremented.
- Added property-based testing, using QuickCheck, to most of the library and improved testing for the library in general.
PartialEqis now implemented fororion::kdf::SaltandNoncein bothchacha20andxchacha20.- Added
get_length()forblake2b::Digest. - Updated fuzzing dependencies.
Date: January 29, 2019.
Changelog:
- Improved compilation time.
- Bugfix #50.
- Update
byteorderandserde_jsondependencies (fixes build-failures related torand_core).
Date: January 26, 2019.
Changelog:
- Fix a bug that lead to panics when using
outparameters, withseal()/open()inhazardous, with a length above a given point.
Date: January 16, 2019.
Changelog:
- Switched
randdependency out withrand_os.
Date: December 29, 2018.
Changelog:
- [Breaking change]: All high-level functions now return a Result.
- [Breaking change]:
Passwordinpbkdf2,SecretKeyandhmac()ofhmacandextract()ofhkdfinhazardousnow return a Result. - [Breaking change]: Limit all
generate()taking alengthparameter, andorion::kdfcalls to a length of less thanu32::max_value()as maximum. - [Breaking change]:
orion::kdfandorion::pwhashtake a newPasswordparameter that is heap-allocated and returns a Result. - Removed
sha2dependency andringdev-dependency.sha2has been replaced with orion's own SHA512 implementation. - Added support for BLAKE2b and SHA512.
- Updated to Rust 2018 Edition.
- Better performance for HMAC, HKDF and PBKDF2.
Thanks to Gabe Langlais for valuable feedback, especially on the API design.
Date: December 22, 2018.
Changelog:
- Security fix: #46 (RUSTSEC-2018-0012, CVE-2018-20999).
- Updated subtle dependency.
Date: November 24, 2018.
Changelog:
- Fix missing error propagation in
v0.10.
Date: November 23, 2018.
Changelog:
- New types for secret keys, nonces, tags, etc. This greatly increases misuse-resistance, usability and safety. To read more about the types and how they are implemented, see the wiki section.
defaultAPI has been dropped. All high-level functionality is now accessible through these interfaces:orion::aead,orion::auth,orion::kdfandorion::pwhash.- AEAD interfaces in
hazardousand in the high-level API (previouslydefault::encrypt, etc.) have been renamed tosealandopento reflect the authentication and hopefully increase familiarity. finalize_to_dst()has been dropped for HMAC.- Adaption of the
#[must_use]attribute. - Documentation improvements.
- HKDF and cSHAKE dropped from high-level API.
- High-level PBKDF2 now uses 64 byte salts and 64 byte password hashes and the iteration count has been made available for users to control.
- Argument
infofor HKDF andadfor AEADs are nowOption. util::gen_rand_keyandutil::compare_ctare nowutil::secure_rand_bytesandutil::secure_cmp.- The password length enforcement in high-level PBKDF2 API has been removed.
- All other public types (eg.
CShake,HmacandPoly1305) now implementDebug. - Using
clear_on_dropto wipe memory in favor ofseckey. - New features
nightlyandno_std. To use orion in ano_stdcontext, some dependency specifications are needed. Refer to the README for these. - Major improvements to error propagation.
Date: November 11, 2018.
Changelog:
- Fix bug in double-HMAC verification in the default API
- Documentation improvements
Date: November 4, 2018.
Changelog:
- Added support for HChaCha20, XChaCha20 and AEAD XChaCha20Poly1305.
- The
defaultAPIs encryption/decryption interface has been reintroduced, now offering authenticated encryption through the AEAD XChaCha20Poly1305 implementation. - Most of the library's structure has been revamped.
- Major additions to the project wiki detailing testing and some information regarding dependencies and security.
- Improved fuzzing targets and overall test suite.
- Documentation improvements.
Date: October 7, 2018.
Changelog:
- Added AEAD ChaCha20Poly1305 from RFC 8439
- Added
keystream_block()public function to retrieve a keystream fromchacha20 - Added Poly1305 from RFC 8439
default::encryptanddefault::decryptremoved until orion offers XChaCha20 with Poly1305- Documentation improvement
- Updated
sha2dependency
Date: September 27, 2018.
Changelog:
- Fix bug in PBKDF2 (See issue)
Date: September 26, 2018.
Changelog:
- Update
subtledependency
Date: September 26, 2018.
Changelog:
- Fuzz test improvements
- Documentation improvements
Date: September 20, 2018.
Changelog:
default::chacha20_*initial counter set to 0
Date: September 17, 2018.
Changelog:
- Added
FinalizationCryptoErrorwhich meanscshakeandhmacnow return aResulton finalization and update function calls. - Added the ChaCha20 algorithm from the RCF 8439.
- Fix failed builds for
no_std. - Fix a bug where a user could call
update()after finalization on bothcshakeandhmac. cshake_verify()function dropped from default API.- Documentation improvement.
Date: September 5, 2018.
Changelog:
- Update
subtledependency
Date: August 31, 2018.
Changelog:
- Fix:
byteorderandrandimported correctly forno_std - Add default feature
safe_api, meaning that forno_std, import orion with default features disabled - Due to dependency fixing, Double HMAC Verification is now only done in the
safe_api gen_rand_keynow only available withsafe_api
Date: August 22, 2018.
Changelog:
- Replaced
byte-toolswithbyteordercrate asbyte-toolsno longer offers the required functionality
Date: August 20, 2018.
Changelog:
- Added
reset()function to cSHAKE - Added finalization check for HMAC and cSHAKE, making it impossible to call finalization functions twice without a reset in between. Preventing misuse.
Date: August 13, 2018.
Changelog:
- Support for SHA256, SHA384, SHA512/256 and cSHAKE128 dropped.
- Support for
#![no_std]added. - HMAC streaming API.
- HMAC now uses SHA512.
- Switched out
clear_on_dropwithseckey. - Switched out
constant_time_eqwithsubtle. - cSHAKE streaming API.
default::pbkdf2no longer appends salt to password before hashing due to some problems integrating this using#![no_std]. This might be re-introduced later on.orion::corerenamed toorion::utilities.- cSHAKE verification function removed from hazardous.
Performance improvements compared to v0.4.3:
- HMAC: ~10% performance improvement
- HKDF: ~5% performance improvement
- PBKDF2: ~15% performance improvement
- cSHAKE: ~11% performance improvement
This was benchmarked on a MacBook Air 1,6 GHz Intel Core i5, 4GB.
Date: August 8, 2018.
Changelog:
- Updated dependency
- Adopted faster HMAC key padding steps from
rigelcrate, avoiding allocation as before but without theCowborrow - Memory and performance improvement to the PBKDF2 implementation by avoiding many useless allocations