Date: September 10, 2024.
Changelog:
- Add support for SHAKE128 and SHAKE256 from FIPS 202 (#398).
- Bump copyright year to 2024.
- Bump MSRV to
1.80.0
. - Update CI dependencies.
- SHA2: Switch from
checked_shl(3)
tochecked_mul(8)
duringincrement_mlen()
(internal) (#376).
Date: September 19, 2023.
Changelog:
- Bump MSRV to
1.70.0
. - Bump
fiat-crypto
to0.2.1
.
Date: July 4, 2023.
Changelog:
- Add
experimental
crate feature. - Add support for fully-committing AEAD variants based on CTX (#324).
- Add support for SHA3 (#327).
- Bump MSRV to
1.64
. - Add support for DHKEM(X25519, HKDF-SHA256) from HPKE RFC 9180.
Date: March 4, 2023.
Changelog:
- Update Wycheproof test vectors (#320).
- Switch from
actions-rs/tarpaulin
tocargo-tarpaulin
(#322) - Update documentation for PBKDF2 and Argon2i cost parameter selection (#316, #321).
- Remove
cargo-audit
which was redundant tocargo-deny
(#311). - Bump MSRV to
1.59.0
. - Remove
html_root_url
(#325).
Date: December 7, 2022.
Changelog:
- Fix misuse issue in (X)ChaCha20 and (X)ChaCha20-Poly1305 APIs (#308).
- Add benchmark check test without running any actual benchmarks (#307).
- Improve
Balek2b::new()
docs (#303). - Migrated to Rust Edition 2021 (#237).
- MSRV bumped to
1.57.0
andcriterion
updated (#299). - Added
serde
doc feature-tag toPasswordHash
ser/deser impls (#297).
Date: August 16, 2022.
Changelog:
- BLAKE2b
Hasher
enum now implementsDebug + PartialEq
(#278 (by @black-eagle17)). - Removed unmaintained
audit-check
and replaced withcargo-deny
(#292). - Allow Unicode-DFS-2016 license in dev-dependency tree (#291).
Date: January 30, 2022.
Changelog:
- Use fiat-crypto from their provided crate on crates.io (#201) (by Vince Mutolo).
- Doc-tests no longer fail if run with
cargo test --no-default-features
, as the erroneous usages have been feature-gated (#254). - Specify MSRV in
Cargo.toml
viarust-version
field (#250). audit-check
GitHub Action added in addition tocargo-audit
(#257).- Updated copyright year to 2022 (#267).
- Implement
std::io::Write
for BLAKE2 and SHA2, also addingorion::hash::digest_from_reader
(#228) (by Vince Mutolo). - Implement Poly1305 using fiat-crypto (#198).
- Correct capitalization of crate name in docs, README and wiki (#259).
- Fix the benchmarking targets that failed to compile after
0.17.0
(#270). - Various internal cleanups and improvements.
Date: November 24, 2021.
Changelog:
- [Breaking change] Keyed and non-keyed BLAKE2b have been split into two separate modules (
orion::hazardous::mac::blake2b
andorion::hazardous::hash::blake2::blake2b
respectively). The keyed now returns aTag
instead ofDigest
(#208). - [Breaking change]
Tag
s (not only those used by BLAKE2b, but all) now implementDrop
but no longer implementCopy
(#208). - [Breaking change]
seal_chunk()
used in streaming AEAD now takeStreamTag
by reference (#212) (by 24seconds).
Date: November 3, 2021.
Changelog:
- Add support for X25519 using fiat-crypto Curve25519 field arithmetic (new modules
orion::hazardous::ecc
andorion::kex
) (#197). - Implement serde
Serialize
andDeserialize
for relevant types (#192) (by Vince Mutolo). - Fix incorrect documentation of SHA256 streaming state (#196).
- Add
is_empty()
to newtypes (#206). - Add documentation for correct use of streaming AEAD API with
StreamTag::Finish
(#139). - Convert uses of
assert!(a == b)
toassert_eq!(a, b)
where possible (#210) (by Emmanuel Leblond). - Derive
Clone
+Copy
forStreamTag
(#211) (by 24seconds). - Harden security of GitHub Actions CI/CD (#200) (by Vince Mutolo).
- Re-export HMAC
Tag
s used in their corresponding HKDF API (#224). - Fix warnings from CI jobs and bump MSRV to
1.52.0
(#222) (#223). - Update benchmarks (#214).
- Render feature badges for API on docs.rs (#238).
- Add new Crate Features page to wiki (#215).
Date: March 29, 2021.
Changelog:
- [Breaking change] Moved all libraries to the https://github.com/orion-rs organization and added Vince Mutolo as a maintainer (#191).
- [Breaking change] Use Argon2i parameters from PasswordHash in
pwhash::hash_password_verify()
(#138) (by Vince Mutolo). - [Breaking change] Limit high-level, variable-length newtype's input to
isize::MAX
(#130). - [Breaking change] Add support for SHA256 and SHA384 (#152, #181, #162, #183).
- [Breaking change] Add support for HMAC-SHA(256/384), PBKDF2-HMAC-SHA(256/384) and HKDF-HMAC-SHA(256/384) (#171, #153, #154, #170).
- [Breaking change] Remove
orion::kdf::derive_key_verify()
andorion::hazardous::kdf::hkdf::verify()
(#179, #184). - [Breaking change] Convert
StreamTag
used inorion::hazardous::aead::streaming
andorion::aead::streaming
to lower-case acronyms (i.eStreamTag::MESSAGE
->StreamTag::Message
) (#190). - Use new intra-doc links (#134, #185) along with other small improvements to documentation.
- Update fuzzing targets (#182).
- Add documentation for user-awareness of potential sensitive data in out-parameters during password-hash verification (#178, #187) (contrib. by Vince Mutolo).
- Replace
base64
dependency withct-codecs
to support constant-time encoding & decoding inorion::pwhash::PasswordHash
(#188, #189). - Refactor property-based tests to use the
#[quickcheck]
attribute, introducingquickcheck_macros
as a dev-dependency (#180). - Bump MSRV to
1.51.0
.
Date: February 9, 2021.
Changelog:
- The entire CI infrastructure has been moved to GitHub Actions (removing AppVeyor and Travis CI).
- Add
cargo-deny
to CI jobs (#174). - Refactoring of code related to testing and reading test vectors (#136, #143).
- Add new public Matrix room for discussion (#144).
- Internal documentation improvements and clippy improvements (by u5surf).
- Update and correct license years (#164).
- Update
quickcheck
. - Fix documentation on the
generate()
output-size for HMAC-based secret key newtypes which was incorrect (#169). - Improve the usage example in
orion::auth
(Vince Mutolo). - Add GitHub issue templates for bugs and feature requests (#155).
- Add
SECURITY.md
, specifying a disclosure policy, threat-model and information regarding yanking (#163).
Date: October 13, 2020.
Changelog:
- Documentation improvements.
- Update
base64
to0.13.0
.
Date: September 25, 2020.
Changelog:
- Empty plaintexts are now allowed for
hazardous::aead
(#127). - Update
getrandom
to0.2
. - Bump MSRV to
1.41
due to bump insubtle
.
Date: August 8, 2020.
Changelog:
- Documentation improvements.
- Argon2i is now available in a
no_std
context, using the newalloc
feature (#126). release
andbench
profiles now use the default LTO (thin local LTO) instead of fat LTO.
Date: June 7, 2020.
Changelog:
- Remove old
no_std
feature from CONTRIBUTING guidelines. - Improve documentation and code around HKDFs maximum output length.
- Move clippy, rustfmt and basic tests to GitHub Actions (#122).
- Add random secret-key/nonce tests to AEADs and stream ciphers (#123).
- Address various clippy warnings.
Date: March 9, 2020.
Changelog:
- Update
base64
dependency from0.11.0
to0.12.0
. - Documentation improvements.
Date: February 25, 2020.
Changelog:
- [Breaking change]
secure_cmp
and all verification functions now returnResult<(), UnknownCryptoError>
instead ofResult<bool, UnknownCryptoError>
(#97). - [Breaking change] HChaCha20 is no longer public.
- [Breaking change] The default size of a randomly generated secret key in
hazardous::hash::blake2b
is now 32 bytes instead of 64 bytes (#88). - [Breaking change]
orion::auth
now uses BLAKE2b in keyed-mode as MAC (#88, by Vince Mutolo). - [Breaking change] The public API for structs used with incremental processing has been changed (#106 and #87).
- [Breaking change] Support for Argon2i(single-threaded) has been added. This is now used in the
orion::kdf
andorion::pwhash
modules (#113). - [Breaking change]
chacha20::keystream_block
is no longer available. - [Breaking change] Uses of (X)ChaCha20Poly1305 will return an error if a
usize
tou64
conversion would be lossy. - [Breaking change] orion is now
no_std
-compatible on stable Rust and theno_std
andnightly
features have been removed (#111). - libsodium-compatible, streaming AEAD based on XChaCha20Poly1305 (libsodiums "secretstream") (#99 and #108, by snsmac).
- Switch to Criterion for benchmarks.
- Add contribution guidelines in
CONTRIBUTING.md
. - Move the changelog to a
CHANGELOG.md
file. - Add test vectors to XChaCha20.
- Improvements to
secure_cmp
(#93, by snsmac) - Add explicit security warnings to
#[must_use]
public APIs that return aResult
(#95, by Cole Lawrence) - Cleanup in the orion-dudect tests and add tests for newtype
PartialEq<&[u8]>
impl. - Remove hardcoded docs.rs links in the documentation (#100, by Kyle Schreiber).
- Previously, the documentation for
util::secure_rand_bytes
stated that a panic would occur if the function failed to generate random bytes without throwing an error, which was not the case. This has been corrected. - Add
Blake2b::verify
to fuzzing targets. - orion-dudect now also tests for constant-time execution in CI on OSX and Windows platforms.
- Testing constant-time execution with WASM at orion-sidefuzz.
- New testing framework which has greatly reduced the amount of duplicate testing code (#96).
- Document and test MSRV (#104).
- orion is now listed as an alternative to the old
rust-crypto
crate on RustSec. UnknownCryptoError
now implementsstd::error::Error
for better interoperability with error-handling crates.- Added new test vectors from Wycheproof for ChaCha20Poly1305, XChaCha20Poly1305, HMAC-SHA512 and HKDF-HMAC-SHA512 (#116).
#![deny(warnings)]
has been removed and replaced with flags in CI build jobs.- GitHub actions are used for daily security audit for the
crates-published
branch. Travis CI runs only weekly oncrates-published
branch now (daily before). - Removed inlining attributes that did not provide any performance improvements when tested with benchmarks (commit).
- Various performance improvements.
- Various improvements to fuzzing targets.
- Various improvements to tests.
Date: January 25, 2020.
Changelog:
- Fix
nightly
build breakage.
Date: August 21, 2019.
Changelog:
- Reduce the amount of allocations throughout most of orion.
- Vectorize the ChaCha20 implementation providing ~6% performance improvement for (X)ChaCha20Poly1305 and ~11.5% for (X)ChaCha20.
- Documentation improvements.
Date: August 1, 2019.
Changelog:
- Improved performance for ChaCha20Poly1305/XChaCha20Poly1305 when AAD is empty.
- Refactoring of streaming contexts used by SHA512, BLAKE2b and Poly1305.
- Implement
PartialEq<&[u8]>
for all newtypes and provide documentation for usage of such (by Vince Mutolo). - Switched to stable rustfmt.
- Fix use of now deprecated (since
v0.1.7
)getrandom
errors. - Updated fuzzing targets in orion-fuzz.
Date: June 10, 2019.
Changelog:
- Improved performance on all implementations, most notably: ~30% in ChaCha20/XChaCha20 and ~20% in ChaCha20Poly1305/XChaCha20Poly1305.
- Updated
zeroize
dependency. - Testing WebAssembly (
wasm32-unknown-unknown
) support in CI. - Improved documentation.
Date: May 27, 2019.
Changelog:
- Update
zeroize
dependency. - Improvements to documentation.
Date: May 4, 2019.
Changelog:
- [Breaking change] Function
as_bytes()
for public newtypes are replaced withAsRef<>
trait implementations. This means allas_bytes()
calls need to be replaced withas_ref()
. - [Breaking change] The
SecretKey
for BLAKE2b is longer padded with zeroes to the length of the blocksize. Thus, theSecretKey
no longer has aget_original_length()
function, but the same result will be represented by theget_length()
function instead. - [Breaking change] All calls to
as_ref()
andunprotected_as_bytes()
return the newtypes data with what it was initialized, regardless of padding. (With the exception of HMAC) - [Breaking change] All calls to
get_length()
return the length of the newtype with what is what initialized, regardless of padding. (With the exception of HMAC) - [Breaking change] All newtypes that offer
generate()
now panic if the RNG fails to initialize of read from its source. This also means that newtypegenerate()
functions, that do not take in a size parameter, no longer return aResult
. - [Breaking change]
ValidationCryptoError
andFinalizationCryptoError
have been removed. Though this doesn't mean that there is less information available, see issue here. - [Breaking change] Support for cSHAKE256 has been dropped, also meaning orion no longer depends on tiny-keccak. 8% decrease in
unsafe
code in dependencies. - All fuzzing targets in
fuzz
that used libFuzzer have been deprecated in favor of those in orion-fuzz using honggfuzz-rs. - Improvements to fuzzing targets in orion-fuzz.
- Automated testing in CI, for constant-time execution.
- Added
From<[u8; C]>
trait implementations for C-length fixed-sized newtypes, so that the caller may avoid usingResult
when not working with slices. - [Breaking change] Module
hazardous::constants
has been removed and all types made private. Only a select number of constants have been re-exported in their respective modules. See here for more information. - It is now strictly advised against using orion in debug mode, for what is meant to be production use. Using
opt-level = 0
with orion, is also advised against. See security section. rand_os
has been replaced withgetrandom
.- Improvements to documentation examples as they no longer use
.unwrap()
but?
instead.
Date: April 1, 2019.
Changelog:
- Fix build for latest nightly.
Date: March 31, 2019.
Changelog:
- Updated
zeroize
to0.6.0
. - Added a small number of tests.
- Improvement to constant-time interfaces (#66).
Date: March 13, 2019.
Changelog:
- PBKDF2 and BLAKE2b now panic on lengths exceeding (2^32-1) _ 64 and 2_(2^64-1), respectively.
- ChaCha20 length constrictions are now equivalent to those of the RFC and panics on trying to process more than 2^32-1 keystream blocks.
- Documentation improvements.
- OpenSSL test vectors for BLAKE2b.
Note: Strictly speaking, the first two changes are breaking, but because of the unlikeliness that this has an effect on anybody, they were not marked as such.
Date: February 16, 2019.
Changelog:
- Documentation improvements (#60).
Date: February 10, 2019.
Changelog:
- [Breaking change]:
orion::hazardous::hash::sha512
previously used the sameDigest
as BLAKE2b. This is no longer the case, making it impossible to specify a non fixed-length hash asDigest
with SHA512. - [Breaking change]:
HLEN
constant renamed toSHA512_OUTSIZE
andSHA2_BLOCKSIZE
constant renamed toSHA512_BLOCKSIZE
. - Added
POLY1305_OUTSIZE
constant. - Improved documentation for high-level
Password
,SecretKey
inhazardous
shmac
andblake2b
, as well asPassword
inpbkdf2
ofhazardous
. - Added AppVeyor builds and testing for Windows MSVC with Visual Studio 2017.
Date: February 8, 2019.
Changelog:
- Switched to zeroize in favor of clear_on_drop, such that using orion on stable Rust no longer requires a C compiler.
- Fuzzing with honggfuzz-rs.
Date: February 4, 2019.
Changelog:
- Refactored HMAC and improved performance for PBKDF2 by ~50%.
- Removed
byteorder
dependency using instead the endianness conversion functions that came with Rust 1.32.
Date: January 31, 2019.
Changelog:
- Fixes a bug where hashing, with BLAKE2b, over 2^64-1 bytes of data would cause an overflowing addition on debug builds.
- Fixes a bug where hashing, with SHA512, over 2^64-1 bytes of data would not result in the counter being correctly incremented.
- Added property-based testing, using QuickCheck, to most of the library and improved testing for the library in general.
PartialEq
is now implemented fororion::kdf::Salt
andNonce
in bothchacha20
andxchacha20
.- Added
get_length()
forblake2b::Digest
. - Updated fuzzing dependencies.
Date: January 29, 2019.
Changelog:
- Improved compilation time.
- Bugfix #50.
- Update
byteorder
andserde_json
dependencies (fixes build-failures related torand_core
).
Date: January 26, 2019.
Changelog:
- Fix a bug that lead to panics when using
out
parameters, withseal()
/open()
inhazardous
, with a length above a given point.
Date: January 16, 2019.
Changelog:
- Switched
rand
dependency out withrand_os
.
Date: December 29, 2018.
Changelog:
- [Breaking change]: All high-level functions now return a Result.
- [Breaking change]:
Password
inpbkdf2
,SecretKey
andhmac()
ofhmac
andextract()
ofhkdf
inhazardous
now return a Result. - [Breaking change]: Limit all
generate()
taking alength
parameter, andorion::kdf
calls to a length of less thanu32::max_value()
as maximum. - [Breaking change]:
orion::kdf
andorion::pwhash
take a newPassword
parameter that is heap-allocated and returns a Result. - Removed
sha2
dependency andring
dev-dependency.sha2
has been replaced with orion's own SHA512 implementation. - Added support for BLAKE2b and SHA512.
- Updated to Rust 2018 Edition.
- Better performance for HMAC, HKDF and PBKDF2.
Thanks to Gabe Langlais for valuable feedback, especially on the API design.
Date: December 22, 2018.
Changelog:
- Security fix: #46 (RUSTSEC-2018-0012, CVE-2018-20999).
- Updated subtle dependency.
Date: November 24, 2018.
Changelog:
- Fix missing error propagation in
v0.10
.
Date: November 23, 2018.
Changelog:
- New types for secret keys, nonces, tags, etc. This greatly increases misuse-resistance, usability and safety. To read more about the types and how they are implemented, see the wiki section.
default
API has been dropped. All high-level functionality is now accessible through these interfaces:orion::aead
,orion::auth
,orion::kdf
andorion::pwhash
.- AEAD interfaces in
hazardous
and in the high-level API (previouslydefault::encrypt
, etc.) have been renamed toseal
andopen
to reflect the authentication and hopefully increase familiarity. finalize_to_dst()
has been dropped for HMAC.- Adaption of the
#[must_use]
attribute. - Documentation improvements.
- HKDF and cSHAKE dropped from high-level API.
- High-level PBKDF2 now uses 64 byte salts and 64 byte password hashes and the iteration count has been made available for users to control.
- Argument
info
for HKDF andad
for AEADs are nowOption
. util::gen_rand_key
andutil::compare_ct
are nowutil::secure_rand_bytes
andutil::secure_cmp
.- The password length enforcement in high-level PBKDF2 API has been removed.
- All other public types (eg.
CShake
,Hmac
andPoly1305
) now implementDebug
. - Using
clear_on_drop
to wipe memory in favor ofseckey
. - New features
nightly
andno_std
. To use orion in ano_std
context, some dependency specifications are needed. Refer to the README for these. - Major improvements to error propagation.
Date: November 11, 2018.
Changelog:
- Fix bug in double-HMAC verification in the default API
- Documentation improvements
Date: November 4, 2018.
Changelog:
- Added support for HChaCha20, XChaCha20 and AEAD XChaCha20Poly1305.
- The
default
APIs encryption/decryption interface has been reintroduced, now offering authenticated encryption through the AEAD XChaCha20Poly1305 implementation. - Most of the library's structure has been revamped.
- Major additions to the project wiki detailing testing and some information regarding dependencies and security.
- Improved fuzzing targets and overall test suite.
- Documentation improvements.
Date: October 7, 2018.
Changelog:
- Added AEAD ChaCha20Poly1305 from RFC 8439
- Added
keystream_block()
public function to retrieve a keystream fromchacha20
- Added Poly1305 from RFC 8439
default::encrypt
anddefault::decrypt
removed until orion offers XChaCha20 with Poly1305- Documentation improvement
- Updated
sha2
dependency
Date: September 27, 2018.
Changelog:
- Fix bug in PBKDF2 (See issue)
Date: September 26, 2018.
Changelog:
- Update
subtle
dependency
Date: September 26, 2018.
Changelog:
- Fuzz test improvements
- Documentation improvements
Date: September 20, 2018.
Changelog:
default::chacha20_*
initial counter set to 0
Date: September 17, 2018.
Changelog:
- Added
FinalizationCryptoError
which meanscshake
andhmac
now return aResult
on finalization and update function calls. - Added the ChaCha20 algorithm from the RCF 8439.
- Fix failed builds for
no_std
. - Fix a bug where a user could call
update()
after finalization on bothcshake
andhmac
. cshake_verify()
function dropped from default API.- Documentation improvement.
Date: September 5, 2018.
Changelog:
- Update
subtle
dependency
Date: August 31, 2018.
Changelog:
- Fix:
byteorder
andrand
imported correctly forno_std
- Add default feature
safe_api
, meaning that forno_std
, import orion with default features disabled - Due to dependency fixing, Double HMAC Verification is now only done in the
safe_api
gen_rand_key
now only available withsafe_api
Date: August 22, 2018.
Changelog:
- Replaced
byte-tools
withbyteorder
crate asbyte-tools
no longer offers the required functionality
Date: August 20, 2018.
Changelog:
- Added
reset()
function to cSHAKE - Added finalization check for HMAC and cSHAKE, making it impossible to call finalization functions twice without a reset in between. Preventing misuse.
Date: August 13, 2018.
Changelog:
- Support for SHA256, SHA384, SHA512/256 and cSHAKE128 dropped.
- Support for
#![no_std]
added. - HMAC streaming API.
- HMAC now uses SHA512.
- Switched out
clear_on_drop
withseckey
. - Switched out
constant_time_eq
withsubtle
. - cSHAKE streaming API.
default::pbkdf2
no longer appends salt to password before hashing due to some problems integrating this using#![no_std]
. This might be re-introduced later on.orion::core
renamed toorion::utilities
.- cSHAKE verification function removed from hazardous.
Performance improvements compared to v0.4.3:
- HMAC: ~10% performance improvement
- HKDF: ~5% performance improvement
- PBKDF2: ~15% performance improvement
- cSHAKE: ~11% performance improvement
This was benchmarked on a MacBook Air 1,6 GHz Intel Core i5, 4GB.
Date: August 8, 2018.
Changelog:
- Updated dependency
- Adopted faster HMAC key padding steps from
rigel
crate, avoiding allocation as before but without theCow
borrow - Memory and performance improvement to the PBKDF2 implementation by avoiding many useless allocations