Releases: TankerHQ/sdk-rust
v3.0.2
- Introduce the without_vendored_libcxx feature for mobile targets. See the documentation for more information.
This release includes fixes for the HIGH-severity OpenSSL advisories from November 1st (CVE-2022-3786 and CVE-2022-3602).
v3.0.1
This release improves support for using the SDK in CI environments:
- When the
httpfeature is on (by default), sdk-rust has been taught to load self-signed TLS certificates from the system store for desktop operating systems (Linux, Windows, macOS). - When the
httpfeature is on, the SSL_CERT_FILE environment variable is now supported (all operating systems).
The native Tanker library used internally by sdk-rust now targets glibc versions >= 2.31-0.
This change is not expected to have a visible impact.
v3.0.0
Version v2.30.0 introduced forward compatibility for padded encryption scheme. Make sure your end users use at least v2.30.0 before upgrading to v3.0.0.
Padded Encryption
Tanker now uses a padded symmetric encryption scheme by default. Adding padding to encrypted data aims at hiding the length of the clear message, see the dedicated guide.
Remove UMD build
We no longer ship the fully bundled UMD build of the JS SDK for @tanker/client-browser.
Remove device APIs
- Remove the
device_id()function - Remove the
device_list()function - Remove DeviceRevoked error
v2.32.1
- Fix an issue where attempting to install the SDK while on macOS would result in an error while linking the underlying c++ library.
- Improve the bundle size for mobile versions.
v2.32.0
End-to-end passphrase verification
A new end-to-end passphrase verification method is now available for users who need strict end-to-end security guarantees.
See the guide for more information.
Performance improvements
Reduce the number of group and resource key lookups by sharing results from in-progress lookups between calls.
This makes concurrent operations involving groups or encrypted resources faster, as fewer round trips to the network and/or local storage are made.
For example, parallel decryption of multiple resources shared with the same group now requires only one lookup to recover the last group key instead of one lookup per resource.
Bug fix
-
Fix
encryptwhen called with more than ~4GB of clear data:- An overflow of an unsigned integer was causing a corruption of the encrypted data
- Data encrypted through encrypt_stream is not affected
-
Fix
decryptwhen called with more than ~4GB of encrypted data:- An overflow of an unsigned integer was causing incorrect parsing of encrypted data
- Data decrypted through decrypt_stream is not affected
v2.31.0
There is no new feature or externally visible change in this version of the SDK.
v2.30.0
- Add forward compatibility for the decryption of padded data.
- Phone number verification method can now be used with session token.
set_oidc_test_nonceis available to test the new verification flow without requiring any end-user action.
Offline mode
No connection to Tanker remote services is made if not necessary, this is true when:
- The user already exists
- The device is already registered
- The operation can be completed using the device's local cache
Any user registration, device verification, group operation, new encryption or decryption of resource not in cache will open a new connection.
v2.29.1
v2.29.0
OpenID Connect
The identity verification using the OIDC has been revamped to improve security and isolation between Tanker servers and an application server using Tanker:
- A new mandatory nonce, created through
create_oidc_nonce(), should be used in OIDC authorization code flow. It allows:- Application server to deny any request using an IdToken already seen. Preventing Tanker from impersonating end-users
- Tanker to perform an additional challenge with end-users before accepting an IdToken. Preventing an Application server from impersonating end-users
- OIDC for provisional identity verification is not available anymore
The OIDC verification guide has been updated accordingly.