A Rust implementation of the Noise Protocol Framework
sodiumoxide backend, as that crate is no longer maintained. We may eventually migrate it to a maintained version of the crate, but for now it's best to warn users.
read_message() in transport mode to 65535 to be fully compliant with the Noise specification.
Full Changelog: https://github.com/mcginty/snow/compare/v0.9.5...v0.9.6
This is a security release that fixes a logic flaw in decryption in TransportState (i.e. the stateful one), where the nonce could increase even when decryption failed. This can cause a desync between the sender and receiver, opening this up as a denial-of-service vector if the attacker has the ability to inject packets into the channel Noise is talking over.
More details can be found in the advisory: https://github.com/mcginty/snow/security/advisories/GHSA-7g9j-g5jg-3vv3
All users are encouraged to update.
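A minimal model of the flaw described above, as an added example rather than snow's own code: the `Receiver` type, the `advance_on_failure` switch and the toy checksum `tag` (a stand-in for a real AEAD, not secure) are all hypothetical. It shows one injected packet breaking every later message when the nonce advances on failure, and the stream surviving when it advances only on success.

```rust
// Added illustration, not snow's code. `tag` is a toy keyed checksum, NOT a secure AEAD.
const RESERVED_NONCE: u64 = u64::MAX; // 2^64 - 1, reserved for rekeying
#[derive(Debug, PartialEq)]
enum Error { Decrypt, Exhausted }

fn tag(key: u64, n: u64, data: &[u8]) -> u64 {
    let mut h = 0xcbf29ce484222325u64 ^ key;
    for b in n.to_le_bytes().iter().chain(data) {
        h = (h ^ *b as u64).wrapping_mul(0x100000001b3);
    }
    h
}
fn seal(key: u64, n: u64, pt: &[u8]) -> Vec<u8> {
    let mut out = pt.to_vec();
    out.extend_from_slice(&tag(key, n, pt).to_le_bytes());
    out
}
fn open(key: u64, n: u64, msg: &[u8]) -> Result<Vec<u8>, Error> {
    if msg.len() < 8 { return Err(Error::Decrypt); }
    let (pt, t) = msg.split_at(msg.len() - 8);
    if t == &tag(key, n, pt).to_le_bytes()[..] { Ok(pt.to_vec()) } else { Err(Error::Decrypt) }
}

// Hypothetical stateful receiver; `advance_on_failure` selects flawed vs fixed.
struct Receiver { key: u64, n: u64, advance_on_failure: bool }
impl Receiver {
    fn read_message(&mut self, msg: &[u8]) -> Result<Vec<u8>, Error> {
        if self.n == RESERVED_NONCE { return Err(Error::Exhausted); }
        let result = open(self.key, self.n, msg);
        // Flawed: the counter moves regardless. Fixed: only on successful decryption.
        if self.advance_on_failure || result.is_ok() { self.n += 1; }
        result
    }
}

// Two genuine messages with one unauthenticated packet injected between them.
fn second_message_survives(advance_on_failure: bool) -> bool {
    let key = 0x5eed; // constructed sample key
    let mut rx = Receiver { key, n: 0, advance_on_failure };
    let mut bad = seal(key, 1, b"world");
    *bad.last_mut().unwrap() ^= 1; // constructed: one tag bit flipped
    let first = rx.read_message(&seal(key, 0, b"hello")).is_ok();
    let rejected = rx.read_message(&bad) == Err(Error::Decrypt);
    first && rejected && rx.read_message(&seal(key, 1, b"world")) == Ok(b"world".to_vec())
}

fn main() {
    println!("flawed: {}, fixed: {}", second_message_survives(true), second_message_survives(false));
}
```

In both variants the injected packet is rejected; the difference is only whether the receiver's counter still matches the sender's afterwards.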
This is a dependency version bump release because a couple of important dependencies released new versions that needed a Cargo.toml bump:
ring 0.17
pqcrypto-kyber 0.8
aes-gcm 0.10
chacha20poly1305 0.10
This is a quick patch release to use the stable 4.0 version of curve25519-dalek.
This is a patch release to address a correctness issue for compliance with the Noise specification: the nonce $2^{64} - 1$ is reserved for rekeying, and CipherState and StatelessCipherState did not check that, instead just making sure that there was no integer overflow.
Thanks to @kjvalencik for reporting the issue and @complexspaces for contributing the fix PR (#152).
Thanks to @robyoder as well for fixing broken links and making sure all links were HTTPS (#151).
Full Changelog: https://github.com/mcginty/snow/compare/v0.9.1...v0.9.2
This is a patch release to fix build breakages due to not pinning curve25519-dalek to a specific pre-release version.
Thanks to @Kofituo and @thomaseizinger for bringing it to attention and @tarcieri for the fix PR (#148).
This is a maintenance release, with the exception of some minor function signature changes where snow::Error is now the error type instead of ().
curve25519-dalek directly and no longer depending on rand.
Full Changelog: https://github.com/mcginty/snow/compare/v0.8.1...v0.9.0
This change increases the minor version to avoid issues from updating underlying dependencies. It's otherwise quite a minor change.
HandshakeState::read_message which would allow panics to happen if the read wasn't called in the correct order.