Date: September 10, 2024.

Changelog:

• Add support for SHAKE128 and SHAKE256 from FIPS 202 (#398).
• Bump copyright year to 2024.
• Bump MSRV to 1.80.0.
• Update CI dependencies.
• SHA2: Switch from checked_shl(3) to checked_mul(8) during increment_mlen() (internal) (#376).

Date: September 19, 2023.

Changelog:

• Bump MSRV to 1.70.0.
• Bump fiat-crypto to 0.2.1.

Date: July 4, 2023.

Changelog:

• Add experimental crate feature.
• Add support for fully-committing AEAD variants based on CTX (#324).
• Add support for SHA3 (#327).
• Bump MSRV to 1.64.
• Add support for DHKEM(X25519, HKDF-SHA256) from HPKE RFC 9180.

Date: March 4, 2023.

Changelog:

• Update Wycheproof test vectors (#320).
• Switch from actions-rs/tarpaulin to cargo-tarpaulin (#322)
• Update documentation for PBKDF2 and Argon2i cost parameter selection (#316, #321).
• Remove cargo-audit which was redundant to cargo-deny (#311).
• Bump MSRV to 1.59.0.
• Remove html_root_url (#325).

Date: December 7, 2022.

Changelog:

• Fix misuse issue in (X)ChaCha20 and (X)ChaCha20-Poly1305 APIs (#308).
• Add benchmark check test without running any actual benchmarks (#307).
• Improve Balek2b::new() docs (#303).
• Migrated to Rust Edition 2021 (#237).
• MSRV bumped to 1.57.0 and criterion updated (#299).
• Added serde doc feature-tag to PasswordHash ser/deser impls (#297).

Date: August 16, 2022.

Changelog:

• BLAKE2b Hasher enum now implements Debug + PartialEq (#278 (by @black-eagle17)).
• Removed unmaintained audit-check and replaced with cargo-deny (#292).
• Allow Unicode-DFS-2016 license in dev-dependency tree (#291).

Date: January 30, 2022.

Changelog:

• Use fiat-crypto from their provided crate on crates.io (#201) (by Vince Mutolo).
• Doc-tests no longer fail if run with cargo test --no-default-features, as the erroneous usages have been feature-gated (#254).
• Specify MSRV in Cargo.toml via rust-version field (#250).
• audit-check GitHub Action added in addition to cargo-audit (#257).
• Updated copyright year to 2022 (#267).
• Implement std::io::Write for BLAKE2 and SHA2, also adding orion::hash::digest_from_reader (#228) (by Vince Mutolo).
• Implement Poly1305 using fiat-crypto (#198).
• Correct capitalization of crate name in docs, README and wiki (#259).
• Fix the benchmarking targets that failed to compile after 0.17.0 (#270).
• Various internal cleanups and improvements.

Date: November 24, 2021.

Changelog:

• [Breaking change] Keyed and non-keyed BLAKE2b have been split into two separate modules (orion::hazardous::mac::blake2b and orion::hazardous::hash::blake2::blake2b respectively). The keyed now returns a Tag instead of Digest (#208).
• [Breaking change] Tags (not only those used by BLAKE2b, but all) now implement Drop but no longer implement Copy (#208).
• [Breaking change] seal_chunk() used in streaming AEAD now take StreamTag by reference (#212) (by 24seconds).

Date: November 3, 2021.

Changelog:

• Add support for X25519 using fiat-crypto Curve25519 field arithmetic (new modules orion::hazardous::ecc and orion::kex) (#197).
• Implement serde Serialize and Deserialize for relevant types (#192) (by Vince Mutolo).
• Fix incorrect documentation of SHA256 streaming state (#196).
• Add is_empty() to newtypes (#206).
• Add documentation for correct use of streaming AEAD API with StreamTag::Finish (#139).
• Convert uses of assert!(a == b) to assert_eq!(a, b) where possible (#210) (by Emmanuel Leblond).
• Derive Clone + Copy for StreamTag (#211) (by 24seconds).
• Harden security of GitHub Actions CI/CD (#200) (by Vince Mutolo).
• Re-export HMAC Tags used in their corresponding HKDF API (#224).
• Fix warnings from CI jobs and bump MSRV to 1.52.0 (#222) (#223).
• Update benchmarks (#214).
• Render feature badges for API on docs.rs (#238).
• Add new Crate Features page to wiki (#215).

Date: March 29, 2021.

Changelog:

• [Breaking change] Moved all libraries to the https://github.com/orion-rs organization and added Vince Mutolo as a maintainer (#191).
• [Breaking change] Use Argon2i parameters from PasswordHash in pwhash::hash_password_verify() (#138) (by Vince Mutolo).
• [Breaking change] Limit high-level, variable-length newtype's input to isize::MAX (#130).
• [Breaking change] Add support for SHA256 and SHA384 (#152, #181, #162, #183).
• [Breaking change] Add support for HMAC-SHA(256/384), PBKDF2-HMAC-SHA(256/384) and HKDF-HMAC-SHA(256/384) (#171, #153, #154, #170).
• [Breaking change] Remove orion::kdf::derive_key_verify() and orion::hazardous::kdf::hkdf::verify() (#179, #184).
• [Breaking change] Convert StreamTag used in orion::hazardous::aead::streaming and orion::aead::streaming to lower-case acronyms (i.e StreamTag::MESSAGE -> StreamTag::Message) (#190).
• Use new intra-doc links (#134, #185) along with other small improvements to documentation.
• Update fuzzing targets (#182).
• Add documentation for user-awareness of potential sensitive data in out-parameters during password-hash verification (#178, #187) (contrib. by Vince Mutolo).
• Replace base64 dependency with ct-codecs to support constant-time encoding & decoding in orion::pwhash::PasswordHash (#188, #189).
• Refactor property-based tests to use the #[quickcheck] attribute, introducing quickcheck_macros as a dev-dependency (#180).
• Bump MSRV to 1.51.0.

Date: February 9, 2021.

Changelog:

• The entire CI infrastructure has been moved to GitHub Actions (removing AppVeyor and Travis CI).
• Add cargo-deny to CI jobs (#174).
• Refactoring of code related to testing and reading test vectors (#136, #143).
• Add new public Matrix room for discussion (#144).
• Internal documentation improvements and clippy improvements (by u5surf).
• Update and correct license years (#164).
• Update quickcheck.
• Fix documentation on the generate() output-size for HMAC-based secret key newtypes which was incorrect (#169).
• Improve the usage example in orion::auth (Vince Mutolo).
• Add GitHub issue templates for bugs and feature requests (#155).
• Add SECURITY.md, specifying a disclosure policy, threat-model and information regarding yanking (#163).

Date: October 13, 2020.

Changelog:

• Documentation improvements.
• Update base64 to 0.13.0.

Date: September 25, 2020.

Changelog:

• Empty plaintexts are now allowed for hazardous::aead (#127).
• Update getrandom to 0.2.
• Bump MSRV to 1.41 due to bump in subtle.

Date: August 8, 2020.

Changelog:

• Documentation improvements.
• Argon2i is now available in a no_std context, using the new alloc feature (#126).
• release and bench profiles now use the default LTO (thin local LTO) instead of fat LTO.

Date: June 7, 2020.

Changelog:

• Remove old no_std feature from CONTRIBUTING guidelines.
• Improve documentation and code around HKDFs maximum output length.
• Move clippy, rustfmt and basic tests to GitHub Actions (#122).
• Add random secret-key/nonce tests to AEADs and stream ciphers (#123).
• Address various clippy warnings.

Date: March 9, 2020.

Changelog:

• Update base64 dependency from 0.11.0 to 0.12.0.
• Documentation improvements.

Date: February 25, 2020.

Changelog:

• [Breaking change] secure_cmp and all verification functions now return Result<(), UnknownCryptoError> instead of Result<bool, UnknownCryptoError> (#97).
• [Breaking change] HChaCha20 is no longer public.
• [Breaking change] The default size of a randomly generated secret key in hazardous::hash::blake2b is now 32 bytes instead of 64 bytes (#88).
• [Breaking change] orion::auth now uses BLAKE2b in keyed-mode as MAC (#88, by Vince Mutolo).
• [Breaking change] The public API for structs used with incremental processing has been changed (#106 and #87).
• [Breaking change] Support for Argon2i(single-threaded) has been added. This is now used in the orion::kdf and orion::pwhash modules (#113).
• [Breaking change] chacha20::keystream_block is no longer available.
• [Breaking change] Uses of (X)ChaCha20Poly1305 will return an error if a usize to u64 conversion would be lossy.
• [Breaking change] orion is now no_std-compatible on stable Rust and the no_std and nightly features have been removed (#111).
• libsodium-compatible, streaming AEAD based on XChaCha20Poly1305 (libsodiums "secretstream") (#99 and #108, by snsmac).
• Switch to Criterion for benchmarks.
• Add contribution guidelines in CONTRIBUTING.md.
• Move the changelog to a CHANGELOG.md file.
• Add test vectors to XChaCha20.
• Improvements to secure_cmp (#93, by snsmac)
• Add explicit security warnings to #[must_use] public APIs that return a Result (#95, by Cole Lawrence)
• Cleanup in the orion-dudect tests and add tests for newtype PartialEq<&[u8]> impl.
• Remove hardcoded docs.rs links in the documentation (#100, by Kyle Schreiber).
• Previously, the documentation for util::secure_rand_bytes stated that a panic would occur if the function failed to generate random bytes without throwing an error, which was not the case. This has been corrected.
• Add Blake2b::verify to fuzzing targets.
• orion-dudect now also tests for constant-time execution in CI on OSX and Windows platforms.
• Testing constant-time execution with WASM at orion-sidefuzz.
• New testing framework which has greatly reduced the amount of duplicate testing code (#96).
• Document and test MSRV (#104).
• orion is now listed as an alternative to the old rust-crypto crate on RustSec.
• UnknownCryptoError now implements std::error::Error for better interoperability with error-handling crates.
• Added new test vectors from Wycheproof for ChaCha20Poly1305, XChaCha20Poly1305, HMAC-SHA512 and HKDF-HMAC-SHA512 (#116).
• #![deny(warnings)] has been removed and replaced with flags in CI build jobs.
• GitHub actions are used for daily security audit for the crates-published branch. Travis CI runs only weekly on crates-published branch now (daily before).
• Removed inlining attributes that did not provide any performance improvements when tested with benchmarks (commit).
• Various performance improvements.
• Various improvements to fuzzing targets.
• Various improvements to tests.

Date: January 25, 2020.

Changelog:

• Fix nightly build breakage.

Date: August 21, 2019.

Changelog:

• Reduce the amount of allocations throughout most of orion.
• Vectorize the ChaCha20 implementation providing ~6% performance improvement for (X)ChaCha20Poly1305 and ~11.5% for (X)ChaCha20.
• Documentation improvements.

Date: August 1, 2019.

Changelog:

• Improved performance for ChaCha20Poly1305/XChaCha20Poly1305 when AAD is empty.
• Refactoring of streaming contexts used by SHA512, BLAKE2b and Poly1305.
• Implement PartialEq<&[u8]> for all newtypes and provide documentation for usage of such (by Vince Mutolo).
• Switched to stable rustfmt.
• Fix use of now deprecated (since v0.1.7) getrandom errors.
• Updated fuzzing targets in orion-fuzz.

Date: June 10, 2019.

Changelog:

• Improved performance on all implementations, most notably: ~30% in ChaCha20/XChaCha20 and ~20% in ChaCha20Poly1305/XChaCha20Poly1305.
• Updated zeroize dependency.
• Testing WebAssembly (wasm32-unknown-unknown) support in CI.
• Improved documentation.

Date: May 27, 2019.

Changelog:

• Update zeroize dependency.
• Improvements to documentation.

Date: May 4, 2019.

Changelog:

• [Breaking change] Function as_bytes() for public newtypes are replaced with AsRef<> trait implementations. This means all as_bytes() calls need to be replaced with as_ref().
• [Breaking change] The SecretKey for BLAKE2b is longer padded with zeroes to the length of the blocksize. Thus, the SecretKey no longer has a get_original_length() function, but the same result will be represented by the get_length() function instead.
• [Breaking change] All calls to as_ref() and unprotected_as_bytes() return the newtypes data with what it was initialized, regardless of padding. (With the exception of HMAC)
• [Breaking change] All calls to get_length() return the length of the newtype with what is what initialized, regardless of padding. (With the exception of HMAC)
• [Breaking change] All newtypes that offer generate() now panic if the RNG fails to initialize of read from its source. This also means that newtype generate() functions, that do not take in a size parameter, no longer return a Result.
• [Breaking change] ValidationCryptoError and FinalizationCryptoError have been removed. Though this doesn't mean that there is less information available, see issue here.
• [Breaking change] Support for cSHAKE256 has been dropped, also meaning orion no longer depends on tiny-keccak. 8% decrease in unsafe code in dependencies.
• All fuzzing targets in fuzz that used libFuzzer have been deprecated in favor of those in orion-fuzz using honggfuzz-rs.
• Improvements to fuzzing targets in orion-fuzz.
• Automated testing in CI, for constant-time execution.
• Added From<[u8; C]> trait implementations for C-length fixed-sized newtypes, so that the caller may avoid using Result when not working with slices.
• [Breaking change] Module hazardous::constants has been removed and all types made private. Only a select number of constants have been re-exported in their respective modules. See here for more information.
• It is now strictly advised against using orion in debug mode, for what is meant to be production use. Using opt-level = 0 with orion, is also advised against. See security section.
• rand_os has been replaced with getrandom.
• Improvements to documentation examples as they no longer use .unwrap() but ? instead.

Date: April 1, 2019.

Changelog:

• Fix build for latest nightly.

Date: March 31, 2019.

Changelog:

• Updated zeroize to 0.6.0.
• Added a small number of tests.
• Improvement to constant-time interfaces (#66).

Date: March 13, 2019.

Changelog:

• PBKDF2 and BLAKE2b now panic on lengths exceeding (2^32-1) _ 64 and 2_(2^64-1), respectively.
• ChaCha20 length constrictions are now equivalent to those of the RFC and panics on trying to process more than 2^32-1 keystream blocks.
• Documentation improvements.
• OpenSSL test vectors for BLAKE2b.

Note: Strictly speaking, the first two changes are breaking, but because of the unlikeliness that this has an effect on anybody, they were not marked as such.

Date: February 16, 2019.

Changelog:

• Documentation improvements (#60).

Date: February 10, 2019.

Changelog:

• [Breaking change]: orion::hazardous::hash::sha512 previously used the same Digest as BLAKE2b. This is no longer the case, making it impossible to specify a non fixed-length hash as Digest with SHA512.
• [Breaking change]: HLEN constant renamed to SHA512_OUTSIZE and SHA2_BLOCKSIZE constant renamed to SHA512_BLOCKSIZE.
• Added POLY1305_OUTSIZE constant.
• Improved documentation for high-level Password, SecretKey in hazardouss hmac and blake2b, as well as Password in pbkdf2 of hazardous.
• Added AppVeyor builds and testing for Windows MSVC with Visual Studio 2017.

Date: February 8, 2019.

Changelog:

• Switched to zeroize in favor of clear_on_drop, such that using orion on stable Rust no longer requires a C compiler.
• Fuzzing with honggfuzz-rs.

Date: February 4, 2019.

Changelog:

• Refactored HMAC and improved performance for PBKDF2 by ~50%.
• Removed byteorder dependency using instead the endianness conversion functions that came with Rust 1.32.

Date: January 31, 2019.

Changelog:

• Fixes a bug where hashing, with BLAKE2b, over 2^64-1 bytes of data would cause an overflowing addition on debug builds.
• Fixes a bug where hashing, with SHA512, over 2^64-1 bytes of data would not result in the counter being correctly incremented.
• Added property-based testing, using QuickCheck, to most of the library and improved testing for the library in general.
• PartialEq is now implemented for orion::kdf::Salt and Nonce in both chacha20 and xchacha20.
• Added get_length() for blake2b::Digest.
• Updated fuzzing dependencies.

Date: January 29, 2019.

Changelog:

• Improved compilation time.
• Bugfix #50.
• Update byteorder and serde_json dependencies (fixes build-failures related to rand_core).

Date: January 26, 2019.

Changelog:

• Fix a bug that lead to panics when using out parameters, with seal()/open() in hazardous, with a length above a given point.

Date: January 16, 2019.

Changelog:

• Switched rand dependency out with rand_os.

Date: December 29, 2018.

Changelog:

• [Breaking change]: All high-level functions now return a Result.
• [Breaking change]: Password in pbkdf2, SecretKey and hmac() of hmac and extract() of hkdf in hazardous now return a Result.
• [Breaking change]: Limit all generate() taking a length parameter, and orion::kdf calls to a length of less than u32::max_value() as maximum.
• [Breaking change]: orion::kdf and orion::pwhash take a new Password parameter that is heap-allocated and returns a Result.
• Removed sha2 dependency and ring dev-dependency. sha2 has been replaced with orion's own SHA512 implementation.
• Added support for BLAKE2b and SHA512.
• Updated to Rust 2018 Edition.
• Better performance for HMAC, HKDF and PBKDF2.

Thanks to Gabe Langlais for valuable feedback, especially on the API design.

Date: December 22, 2018.

Changelog:

• Security fix: #46 (RUSTSEC-2018-0012, CVE-2018-20999).
• Updated subtle dependency.

Date: November 24, 2018.

Changelog:

• Fix missing error propagation in v0.10.

Date: November 23, 2018.

Changelog:

• New types for secret keys, nonces, tags, etc. This greatly increases misuse-resistance, usability and safety. To read more about the types and how they are implemented, see the wiki section.
• default API has been dropped. All high-level functionality is now accessible through these interfaces: orion::aead, orion::auth, orion::kdf and orion::pwhash.
• AEAD interfaces in hazardous and in the high-level API (previously default::encrypt, etc.) have been renamed to seal and open to reflect the authentication and hopefully increase familiarity.
• finalize_to_dst() has been dropped for HMAC.
• Adaption of the #[must_use] attribute.
• Documentation improvements.
• HKDF and cSHAKE dropped from high-level API.
• High-level PBKDF2 now uses 64 byte salts and 64 byte password hashes and the iteration count has been made available for users to control.
• Argument info for HKDF and ad for AEADs are now Option.
• util::gen_rand_key and util::compare_ct are now util::secure_rand_bytes and util::secure_cmp.
• The password length enforcement in high-level PBKDF2 API has been removed.
• All other public types (eg. CShake, Hmac and Poly1305) now implement Debug.
• Using clear_on_drop to wipe memory in favor of seckey.
• New features nightly and no_std. To use orion in a no_std context, some dependency specifications are needed. Refer to the README for these.
• Major improvements to error propagation.

Date: November 11, 2018.

Changelog:

• Fix bug in double-HMAC verification in the default API
• Documentation improvements

Date: November 4, 2018.

Changelog:

• Added support for HChaCha20, XChaCha20 and AEAD XChaCha20Poly1305.
• The default APIs encryption/decryption interface has been reintroduced, now offering authenticated encryption through the AEAD XChaCha20Poly1305 implementation.
• Most of the library's structure has been revamped.
• Major additions to the project wiki detailing testing and some information regarding dependencies and security.
• Improved fuzzing targets and overall test suite.
• Documentation improvements.

Date: October 7, 2018.

Changelog:

• Added AEAD ChaCha20Poly1305 from RFC 8439
• Added keystream_block() public function to retrieve a keystream from chacha20
• Added Poly1305 from RFC 8439
• default::encrypt and default::decrypt removed until orion offers XChaCha20 with Poly1305
• Documentation improvement
• Updated sha2 dependency

Date: September 27, 2018.

Changelog:

• Fix bug in PBKDF2 (See issue)

Date: September 26, 2018.

Changelog:

• Update subtle dependency

Date: September 26, 2018.

Changelog:

• Fuzz test improvements
• Documentation improvements

Date: September 20, 2018.

Changelog:

• default::chacha20_* initial counter set to 0

Date: September 17, 2018.

Changelog:

• Added FinalizationCryptoError which means cshake and hmac now return a Result on finalization and update function calls.
• Added the ChaCha20 algorithm from the RCF 8439.
• Fix failed builds for no_std.
• Fix a bug where a user could call update() after finalization on both cshake and hmac.
• cshake_verify() function dropped from default API.
• Documentation improvement.

Date: September 5, 2018.

Changelog:

• Update subtle dependency

Date: August 31, 2018.

Changelog:

• Fix: byteorder and rand imported correctly for no_std
• Add default feature safe_api, meaning that for no_std, import orion with default features disabled
• Due to dependency fixing, Double HMAC Verification is now only done in the safe_api
• gen_rand_key now only available with safe_api

Date: August 22, 2018.

Changelog:

• Replaced byte-tools with byteorder crate as byte-tools no longer offers the required functionality

Date: August 20, 2018.

Changelog:

• Added reset() function to cSHAKE
• Added finalization check for HMAC and cSHAKE, making it impossible to call finalization functions twice without a reset in between. Preventing misuse.

Date: August 13, 2018.

Changelog:

• Support for SHA256, SHA384, SHA512/256 and cSHAKE128 dropped.
• Support for #![no_std] added.
• HMAC streaming API.
• HMAC now uses SHA512.
• Switched out clear_on_drop with seckey.
• Switched out constant_time_eq with subtle.
• cSHAKE streaming API.
• default::pbkdf2 no longer appends salt to password before hashing due to some problems integrating this using #![no_std]. This might be re-introduced later on.
• orion::core renamed to orion::utilities.
• cSHAKE verification function removed from hazardous.

Performance improvements compared to v0.4.3:

• HMAC: ~10% performance improvement
• HKDF: ~5% performance improvement
• PBKDF2: ~15% performance improvement
• cSHAKE: ~11% performance improvement

This was benchmarked on a MacBook Air 1,6 GHz Intel Core i5, 4GB.

Date: August 8, 2018.

Changelog:

• Updated dependency
• Adopted faster HMAC key padding steps from rigel crate, avoiding allocation as before but without the Cow borrow
• Memory and performance improvement to the PBKDF2 implementation by avoiding many useless allocations