Releases: ongres/scram
Releases · ongres/scram
Release list
SCRAM Java 3.4
🐛 Bug Fixes
- Resolve regression when passing pre-computed keys
.clientAndServerKey(clientKey, serverKey).
🚀 New features
- Introduces a static OID-to-Digest mapping table for
TlsServerEndpointto guarantee resolution when friendly algorithm names are unavailable or provider-specific.
SCRAM Java 3.3
🔒 Security
- Prevent silent downgrade attacks during channel binding negotiation via unsupported certificate algorithms. GHSA-p9jg-fcr6-3mhf
- Harden memory security by explicitly zeroing out highly sensitive cryptographic keys (
saltedPassword,clientKey, andserverKey) immediately following the client final message exchange to prevent lingering material in heap memory.
🚀 New features
- Implement an interrupt-aware implementation of the PBKDF2 'hi' function introducing
ScramInterruptedException, utilizing a stride-based check to allow long-running cryptographic operations to safely abort without blocking thread shutdown. - Introduce
.channelBindingPolicy()to the client builder to explicitly configureDISABLE,ALLOW(default), andREQUIREenforcement modes. - Introduce
MechanismNegotiationExceptionandChannelBindingExceptionruntime exception hierarchy to provide granular, precise failure types for driver integration loops instead of relying on genericIllegalArgumentExceptionthrows. - Add support for
RSASSA-PSSserver certificate signature extraction to ensure modern cryptographic algorithms are supported duringtls-server-end-pointchannel binding computations. - Add support for
SCRAM-SHA3-512andSCRAM-SHA3-512-PLUSSASL mechanisms to provide modern NIST SHA-3 hashing standards with higher cryptographic resilience against length-extension attacks (supported on modern JVMs only).
🏗️ Improvements
- Update the
saslprepdependency to 2.4. - Updated internal Maven plugins and project dependencies to their latest stable versions.
SCRAM Java 3.2
🔒 Security
- Fix Timing Attack Vulnerability in SCRAM Authentication
👻 Maintenance
- Updated dependencies and maven plugins.
- Use
central-publishing-maven-pluginto deploy to Maven Central.
SCRAM Java 3.1
🏗️ Improvements
- Ensure the
LICENSEfile is included in the Jar file. - Update of the
saslprepdependency to 2.2.
👻 Maintenance
- Added coverage report module.
- Updated dependencies and maven plugins.
- Remove
nexus-staging-maven-plugin.
Full Changelog: 3.0...3.1
SCRAM Java 3.0
💥 Breaking changes
⚠️ Full refactor of thescramjava implementation, this release is compatible with Java 8+, but it's incompatible with previous releases⚠️
🚀 New features
- Fully rewrite the
ScramClientallowing negotiation of channel-binding properly. - Create Multi-release Modular JARs, the modules names are:
com.ongres.scram.commonfor the common scram messages.com.ongres.scram.clientfor the scram client implementation.
- Add
StringPreparation.POSTGRESQL_PREPARATION, for any error in SASL preparation, it falls back to return the raw string. - Now the released jars are reproducible.
- Publish CycloneDX SBOM.
- Implementation of
tls-server-end-pointchannel binding data extraction.
🏗️ Improvements
- Update of the
saslprepdependency to 2.1. - Now the password is passed as a
char[]. - Improve Javadoc documentation.
👻 Maintenance
- Migrate the main repo back to GitHub.
- Remove the shaded Bouncy Castle pbkdf2 and base64 implementation used for Java 7 support.