Skip to content

Releases: mcginty/snow

v0.9.6

26 Jan 03:44
Compare
Choose a tag to compare
  • Validate invalid PSK positions when building a Noise protocol.
  • Raise errors in various typos/mistakes in Noise patterns when parsing.
  • Deprecate the sodiumoxide backend, as that crate is no longer maintained. We may eventually migrate it to a maintaned version of the crate, but for now it's best to warn users.
  • Set a hard limit in read_message() in transport mode to 65535 to be fully compliant with the Noise specification.

Full Changelog: v0.9.5...v0.9.6

v0.9.5

24 Jan 07:54
Compare
Choose a tag to compare

This is a security release that fixes a logic flaw in decryption in TransportState (i.e. the stateful one), where the nonce could increase even when decryption failed, which can cause a desync between the sender and receiver, opening this up as a denial of service vector if the attacker has the ability to inject packets in the channel Noise is talking over.

More details can be found in the advisory: GHSA-7g9j-g5jg-3vv3

All users are encouraged to update.

v0.9.4

11 Nov 22:41
Compare
Choose a tag to compare

This is a dependency version bump release because a couple of important dependencies released new versions that needed a Cargo.toml bump:

  • ring 0.17
  • pqcrypto-kyber 0.8
  • aes-gcm 0.10
  • chacha20poly1305 0.10

v0.9.3

16 Aug 21:13
Compare
Choose a tag to compare

This is a quick patch release to use the stable 4.0 version of curve25519-dalek.

v0.9.2

13 Mar 00:25
Compare
Choose a tag to compare

This is a patch release to address a correctness issue for compliance with the Noise specification: the nonce $2^{64} - 1$ is reserved for rekeying, and CipherState and StatelessCipherState did not check that, instead just making sure that there was no integer overflow.

Thanks to @kjvalencik for reporting the issue and @complexspaces for contributing the fix PR (#152).

Thanks to @robyoder as well for fixing broken links and making sure all links were HTTPS (#151).

Full Changelog: v0.9.1...v0.9.2

v0.9.1

31 Jan 23:09
Compare
Choose a tag to compare

This is a patch release to fix build breakages due to not pinning curve25519-dalek to a specific pre-release version.

Thanks to @Kofituo and @thomaseizinger for bringing it to attention and @tarcieri for the fix PR (#148).

v0.9.0

03 Feb 07:59
Compare
Choose a tag to compare

This is a maintenance release, with the exception of some minor function signature changes where snow::Error is now the error type instead of ().

Changes

  • Updated all dependencies to latest
  • Cleaner error handling with fewer unwraps, thanks to @BlackHoleFox
  • Reduced number of dependencies for the crate by using curve25519-dalek directly and no longer depending on rand.

Full Changelog: v0.8.1...v0.9.0

v0.8.0

11 May 17:23
Compare
Choose a tag to compare

This change increases the minor version to avoid issues from updating underlying dependencies. It's otherwise quite minor of a change.

v0.7.2

14 Feb 11:47
Compare
Choose a tag to compare
v0.7.2

v0.7.1

06 Jul 13:57
Compare
Choose a tag to compare
  • Add missing checks to HandshakeState::read_message which would allow panics to happen if the read wasn't called in the correct order.
  • Updated RustCrypto crates.