1Release Notes 2======================================== 3 4Version 2.18.1, 2021-05-09 5^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 6 7* Fix a build regression in 2.18.0 which caused linker flags which 8 contain ``-l`` within them (such as ``-fuse-linker-plugin``) to 9 be misinterpreted. (GH #2715) 10 11* Fix a bug which caused decoding a certificate which contained 12 more than one name in a single RDN. (GH #2611 #2630 #2724) 13 14* Fix a bug which caused OID lookup failures when run in a locale 15 which uses thousands separators (pt_BR was reported as having 16 this issue). (GH #2732 #2730 #2237) 17 18* DNS names in name constraints were compared with case sensitivity, which 19 could cause valid certificates to be rejected. (GH #2739 #2735) 20 21* X.509 name constraint extensions were rejected if non-critical. RFC 5280 22 requires conforming CAs issue such extensions as critical, but not all 23 certificates are compliant, and all other known implementations do not 24 require this. (GH #2739 #2736) 25 26* X.509 name constraints were incorrectly applied to the certificate which 27 included the constraint. (GH #2739 #2737) 28 29Version 2.18.0, 2021-04-15 30^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 31 32* Add support for implementing custom RNG objects through the 33 FFI interface (GH #2627 #2600) 34 35* Improve safegcd bounds, improving runtime performance (GH #2628 #2619) 36 37* Fix a bug introduced in 2.9.0 where BigInt::operator< would return 38 an incorrect result if both operands were negative. (GH #2641 #2638) 39 40* Reject non-TLS messages as quickly as possible without waiting for 41 a full record. (GH #2676) 42 43* Add build support for RISC-V 32 44 45* Fixes for TLS::Stream::async_shutdown (GH #2673) 46 47* Fix a regression introduced in 2.17.0 where LDFLAGS which add an extra 48 library (such as ``-latomic`` needed on SPARC) were not always applied 49 effectively. 
(GH #2622 #2623 #2625) 50 51Version 2.17.3, 2020-12-21 52^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 53 54* CVE-2021-24115 Change base64, base58, base32, and hex encoding and 55 decoding operations to run in constant time (GH #2549) 56 57* Fix a build problem on PPC64 building with Clang (GH #2547) 58 59* Fix an install problem introduced in 2.17.2 affecting MSVC 2015 60 61* Fix use of -L flag in linking when configured using ``--with-external-libdir`` 62 (GH #2496) 63 64* Fix a build problem on big-endian PowerPC related to VSX instructions 65 in the AES code. (GH #2515) 66 67Version 2.17.2, 2020-11-13 68^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 69 70* Fix an build problem on ppc64 introduced with certain recent 71 versions of GCC or binutils where using the DARN instruction 72 requires using an appropriate -mcpu flag to enable the instruction 73 in the assembler. (GH #2481 2463) 74 75* Resolve an issue in the modular square root algorithm where a loop 76 to find a quadratic non-residue could, for a carefully chosen 77 composite modulus, not terminate in a timely manner. (GH #2482 #2476) 78 79* Fix a regression in MinGW builds introduced in 2.17.1 80 81Version 2.17.1, 2020-11-07 82^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 83 84* Fix a build problem that could occur if Python was not in the PATH. 85 This was known to occur on some installations of macOS. 86 87* Re-enable support for the x86 CLMUL instruction on Visual C++, which was 88 accidentally disabled starting in 2.12.0. (GH #2460) 89 90Version 2.17.0, 2020-11-05 91^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 92 93* Fix a bug in ECDSA which could occur when the group size and hash length 94 differ. In this case, on occasion the generated signature would not be 95 accepted by other ECDSA implementations. This was particularly likely to 96 affect users of 160-bit or 239-bit curves. (GH #2433 #2415) 97 98* Fix a bug in ECDSA verification when the public key was chosen to be 99 a small multiple of the group generator. 
In that case, verification 100 would fail even if the signature was actually valid. (GH #2425) 101 102* SIV's functionality of supporting multiple associated data inputs has been 103 generalized onto the AEAD_Mode interface. However at the moment SIV is the 104 only AEAD implemented which supports more than one AD. (GH #2440) 105 106* The contents of ASN.1 headers ``asn1_str.h``, ``asn1_time.h``, ``asn1_oid.h`` 107 and ``alg_id.h`` have been moved to ``asn1_obj.h``. The header files remain 108 but simply forward the include to ``asn1_obj.h``. These now-empty header files 109 are deprecated, and will be removed in a future major release. (GH #2441) 110 111* The contents of X.509/PKIX headers ``asn1_attribute.h`` ``asn1_alt_name.h`` 112 ``name_constraint.h`` ``x509_dn.h`` ``cert_status.h`` and ``key_constraint.h`` 113 have been merged into ``pkix_enums.h`` (for enumerations) and ``pkix_types.h`` 114 (for all other definitions). The previous header files remain but simply 115 forward the include to the new header containing the definition. These 116 now-empty header files are deprecated, and will be removed in a future major 117 release. (GH #2441) 118 119* A number of other headers including those related to HOTP/TOTP, XMSS, 120 PKCS11, PSK_DB have also been merged. Any now deprecated/empty headers 121 simply include the new header and issue a deprecation warning. 
122 (GH #2443 #2446 #2447 2448 #2449) 123 124* Small optimizations in the non-hardware assisted AES key generation 125 code path (GH #2417 #2418) 126 127* Move the GHASH code to a new module in utils, making it possible 128 to build GMAC support without requiring GCM (GH #2416) 129 130* Add more detection logic for AVX-512 features (GH #2430) 131 132* Avoid std::is_pod which is deprecated in C++20 (GH #2429) 133 134* Fix a bug parsing deeply nested cipher names (GH #2426) 135 136* Add support for ``aarch64_be`` target CPU (GH #2422) 137 138* Fix order of linker flags so they are always applied effectively (GH #2420) 139 140* Prevent requesting DER encoding of signatures when the algorithm 141 did not support it (GH #2419) 142 143Version 2.16.0, 2020-10-06 144^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 145 146* Now userspace PRNG objects (such as AutoSeeded_RNG and HMAC_DRBG) 147 use an internal lock, which allows safe concurrent use. This however 148 is purely a precaution in case of accidental sharing of such RNG 149 objects; for performance reasons it is always preferable to use 150 a RNG per thread if a userspace RNG is needed. (GH #2399) 151 152* DL_Group and EC_Group objects now track if they were created from a 153 known trusted group (such as P-256 or an IPsec DH parameter). If 154 so, then verification tests can be relaxed, as compared to 155 parameters which may have been maliciously constructed in order to 156 pass primality checks. (GH #2409) 157 158* RandomNumberGenerator::add_entropy_T assumed its input was a POD 159 type but did not verify this. (GH #2403) 160 161* Support OCSP responders that live on a non-standard port (GH #2401) 162 163* Add support for Solaris sandbox (GH #2385) 164 165* Support suffixes on release numbers for alpha/beta releases (GH #2404) 166 167* Fix a bug in EAX which allowed requesting a 0 length tag, which had 168 the effect of using a full length tag. 
Instead omit the length field, 169 or request the full tag length explicitly. (GH #2392 #2390) 170 171* Fix a memory leak in GCM where if passed an unsuitable block cipher 172 (eg not 128 bit) it would throw an exception and leak the cipher 173 object. (GH #2392 #2388) 174 175Version 2.15.0, 2020-07-07 176^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 177 178* Fix a bug where the name constraint extension did not constrain the 179 alternative DN field which can be included in a subject alternative name. This 180 would allow a corrupted sub-CA which was otherwise constrained by a name 181 constraint to issue a certificate with a prohibited DN. 182 183* Fix a bug in the TLS server during client authentication where where 184 if a (disabled by default) static RSA ciphersuite was selected, then 185 no certificate request would be sent. This would have an equivalent 186 effect to a client which simply replied with an empty Certificate 187 message. (GH #2367) 188 189* Replace the T-Tables implementation of AES with a 32-bit bitsliced 190 version. As a result AES is now constant time on all processors. 191 (GH #2346 #2348 #2353 #2329 #2355) 192 193* In TLS, enforce that the key usage given in the server certificate 194 allows the operation being performed in the ciphersuite. (GH #2367) 195 196* In X.509 certificates, verify that the algorithm parameters are 197 the expected NULL or empty. (GH #2367) 198 199* Change the HMAC key schedule to attempt to reduce the information 200 leaked from the key schedule with regards to the length of the key, 201 as this is at times (as for example in PBKDF2) sensitive information. 202 (GH #2362) 203 204* Add Processor_RNG which wraps RDRAND or the POWER DARN RNG 205 instructions. The previous RDRAND_RNG interface is deprecated. 206 (GH #2352) 207 208* The documentation claimed that mlocked pages were created with a 209 guard page both before and after. However only a trailing guard page 210 was used. Add a leading guard page. 
(GH #2334) 211 212* Add support for generating and verifying DER-encoded ECDSA signatures 213 in the C and Python interfaces. (GH #2357 #2356) 214 215* Workaround a bug in GCC's UbSan which triggered on a code sequence 216 in XMSS (GH #2322) 217 218* When building documentation using Sphinx avoid parallel builds with 219 version 3.0 due to a bug in that version (GH #2326 #2324) 220 221* Fix a memory leak in the CommonCrypto block cipher calls (GH #2371) 222 223* Fix a flaky test that would occasionally fail when running the tests 224 with a large number of threads. (GH #2325 #2197) 225 226* Additional algorithms are now deprecated: XTEA, GOST, and Tiger. 227 They will be removed in a future major release. 228 229Version 2.14.0, 2020-04-06 230^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 231 232* Add support for using POWER8+ VPSUMD instruction to accelerate GCM 233 (GH #2247) 234 235* Optimize the vector permute AES implementation, especially improving 236 performance on ARMv7, Aarch64, and POWER. (GH #2243) 237 238* Use a new algorithm for modular inversions which is both faster and 239 more resistant to side channel attacks. (GH #2287 #2296 #2301) 240 241* Address an issue in CBC padding which would leak the length of the 242 plaintext which was being padded. Unpadding during decryption was 243 not affected. Thanks to Maximilian Blochberger for reporting this. 244 (GH #2312) 245 246* Optimize NIST prime field reductions, improving ECDSA by 3-9% (GH #2295) 247 248* Increase the size of the ECC blinding mask and scale it based on the 249 size of the group order. (GH #880 #893 #2308) 250 251* Add server side support for the TLS asio wrapper. (GH #2229) 252 253* Add support for using Windows certificate store on MinGW (GH #2280) 254 255* Use the library thread pool instead of a new thread for RSA computations, 256 improving signature performance by up to 20%. 
(GH #2257) 257 258* Precompute and cache additional fields in ``X509_Certificate`` (GH #2250) 259 260* Add a CLI utility ``cpu_clock`` which estimates the speed of the 261 processor cycle counter. (GH #2251) 262 263* Fix a bug which prevented using DER-encoded ECDSA signatures with a PKCS11 264 key (GH #2293) 265 266* Enable use of raw block ciphers from CommonCrypto (GH #2278) 267 268* Support for splitting up the amalgamation file by ABI extension has 269 been removed. Instead only ``botan_all.cpp`` and ``botan_all.h`` are 270 generated. (GH #2246) 271 272* Improve support for baremetal systems with no underlying OS, with 273 target OS ``none`` (GH #2303 #2304 #2305) 274 275* The build system now avoids using ``-rpath=$ORIGIN`` or (on macOS) 276 install_name which allowed running the tests from the build 277 directory without setting ``LD_LIBRARY_PATH``/``DYLD_LIBRARY_PATH`` 278 environment variables. Instead set the dynamic linker variables 279 appropriately, or use ``make check``. (GH #2294 #2302) 280 281* Add new option ``--name-amalgamation`` which allows naming the 282 amalgamation output, instead of the default ``botan_all``. (GH #2246) 283 284* Avoid using symbolic links on Windows (GH #2288 #2286 #2285) 285 286* Fix a bug that prevented compilation of the amalgamation on ARM and 287 POWER processors (GH #2245 #2241) 288 289* Fix some build problems under Intel C++ (GH #2260) 290 291* Remove use of Toolhelp Windows library, which was known to trigger 292 false positives under some antivirus systems. (GH #2261) 293 294* Fix a compilation problem when building on Windows in Unicode mode. 295 Add Unicode build to CI to prevent regressions. (GH #2254 #2256) 296 297* Work around a GCC bug affecting old libc (GH #2235) 298 299* Workaround a bug in macOS 10.15 which caused a test to crash. 300 (GH #2279 #2268) 301 302* Avoid a crash in PKCS8::load_key due to a bug in Clang 8. 
303 (GH #2277) 304 305Version 2.13.0, 2020-01-06 306^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 307 308* Add Roughtime client (GH #2143 #1842) 309 310* Add support for XMSS X.509 certificates (GH #2172) 311 312* Add support for X.509 CRLs in FFI layer and Python wrapper (GH #2213) 313 314* It is now possible to disable TLS v1.0/v1.1 and DTLS v1.0 at build time. 315 (GH #2188) 316 317* The format of encrypted TLS sessions has changed, which will invalidate all 318 existing session tickets. The new format will make it easier to support ticket 319 key rotation in the future. (GH #2225) 320 321* Improve RSA key generation performance (GH #2148) 322 323* Make gcd computation constant-time (GH #2147) 324 325* Add AVX2 implementation of SHACAL2 (GH #2196) 326 327* Update BSI policy to reflect 2019 update of TR 02102-2 (GH #2195) 328 329* Support more functionality for X.509 in the Python API (GH #2165) 330 331* Add ``generic`` CPU target useful when building for some new or unusual 332 platform. 333 334* Disable MD5 in BSI or NIST modes (GH #2188) 335 336* Disable stack protector on MinGW as it causes crashes with some recent 337 versions. (GH #2187) 338 339* On Windows the DLL is now installed into the binary directory (GH #2233) 340 341* Previously Windows required an explicit ``.lib`` suffix be added when 342 providing an explicit library name, as is used for example for Boost. 343 Now the ``.lib`` suffix is implicit, and should be omitted. 344 345* Remove the 32-bit x86 inline asm for Visual C++ as it seemed to not offer 346 much in the way of improved performance. (GH #2204 #256) 347 348* Resolve all compile time warnings generated by GCC, Clang and MSVC. 349 Modify CI to compile with warnings-as-errors. (GH #2170 #2206 #2211 #2212) 350 351* Fix bugs linking to 3rd party libraries on Windows due to invalid 352 link specifiers. (GH #2210 #2215) 353 354* Add long input and NIST Monte-Carlo hash function tests. 
355 356* Fix a bug introduced in 2.12.0 where ``TLS::Channel::is_active`` and 357 ``TLS::Channel::is_closed`` could simultaneously return true. 358 (GH #2174 #2171) 359 360* Use ``std::shared_ptr`` instead of ``boost::shared_ptr`` in some examples. 361 (GH #2155) 362 363Version 2.12.1, 2019-10-14 364^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 365 366* Fix a bug that prevented building with nmake (GH #2142 #2141) 367 368* Fix an issue where make install would attempt to build targets which 369 were disabled. (GH #2140) 370 371* If the option ``--without-documentation`` is used, avoid invoking the 372 documentation build script. (GH #2138) 373 374* Fix a bug that prevented compilation on x86-32 using GCC 4.9 (GH #2139) 375 376* Fix a bug in CCM encryption, where it was possible to call ``finish`` without 377 ever setting a nonce (GH #2151 #2150) 378 379* Improve ECIES/DLIES interfaces. If no initialization vector was set, they 380 would typically produce hard to understand exceptions. (GH #2151 #2150) 381 382Version 2.12.0, 2019-10-07 383^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 384 385* Many currently public headers are being deprecated. If any such header is 386 included by an application, a warning is issued at compile time. Headers 387 issuing this warning will be made internal in a future major release. 388 (GH #2061) 389 390* RSA signature performance improvements (GH #2068 #2070) 391 392* Performance improvements for GCM (GH #2024 #2099 #2119), OCB (#2122), 393 XTS (#2123) and ChaCha20Poly1305 (GH #2117), especially for small messages. 
394 395* Add support for constant time AES using NEON and AltiVec (GH #2093 #2095 #2100) 396 397* Improve performance of POWER8 AES instructions (GH #2096) 398 399* Add support for the POWER9 hardware random number generator (GH #2026) 400 401* Add support for 64-bit version of RDRAND, doubling performance on x86-64 (GH #934 #2022) 402 403* In DTLS server, support a client crashing and then reconnecting from 404 the same source port, as described in RFC 6347 sec 4.2.8 (GH #2029) 405 406* Optimize DTLS MTU splitting to split precisely to the set MTU (GH #2042) 407 408* Add support for the TLS v1.3 downgrade indicator. (GH #2027) 409 410* Improve the error messages generated when an invalid TLS state transition occurs 411 (GH #2030) 412 413* Fix some edge cases around TLS close_notify support. (GH #2054) 414 415* Modifications to support GOST 34.10-2012 signatures (GH #2055 #2056 #1860 #1897) 416 417* Add some new APIs on ``OID`` objects (GH #2057) 418 419* Properly decode OCSP responses which indicate an error (GH #2110) 420 421* Add a function to remove an X.509 extension from an Extensions object. 422 (GH #2101 #2073 #2065) 423 424* Support Argon2 outputs longer than 64 bytes (GH #2079 #2078) 425 426* Correct a bug in CAST-128 which caused incorrect computation using 427 11, 13, 14, or 15 byte keys. (GH #2081) 428 429* Fix a bug which would cause Streebog to produce incorrect outputs for 430 certain messages (GH #2082 #2083) 431 432* Fix a bug that prevented loading EC points with an affine x or y 433 value of 0. For certain curves such points can exist. (GH #2102) 434 435* Fix a bug which would cause PBKDF2 to go into a very long loop if 436 it was requested to use an iteration count of 0. (GH #2090 #2088) 437 438* The BearSSL provider has been removed (GH #2020) 439 440* Add a new ``entropy`` cli which allows sampling the output of the entropy sources. 441 442* Add new ``base32_enc`` and ``base32_dec`` cli for base32 encoding operations. 
(GH #2111) 443 444* Support setting TLS policies in CLIs like ``tls_client`` and ``tls_proxy_server`` (GH #2047) 445 446* The tests now run in multithreaded mode by default. Provide option ``--test-threads=1`` to 447 return to previous single-threaded behavior. (GH #2071 #2075) 448 449* Cleanups in TLS record layer (GH #2021) 450 451* Fix typos in some OCSP enums which used "OSCP" instead. (GH #2048) 452 453* In the Python module, avoid trying to load DLLs for names that don't match the current 454 platform (GH #2062 #2059) 455 456* In the Python module, also look for ``botan.dll`` so Python wrapper can run on Windows. 457 (GH #2059 #2060) 458 459* Add support for TOTP algorithm to the Python module. (GH #2112) 460 461* Now the minimum Windows target is set to Windows 7 (GH #2036 #2028) 462 463* Add ``BOTAN_FORCE_INLINE`` macro to resolve a performance issue with BLAKE2b on MSVC 464 (GH #2092 #2089) 465 466* Avoid using ``__GNUG__`` in headers that may be consumed by a C compiler (GH #2013) 467 468* Improve the PKCS11 tests (GH #2115) 469 470* Fix a warning from Klocwork (GH #2128 #2129) 471 472* Fix a bug which caused amalgamation builds to fail on iOS (GH #2045) 473 474* Support disabling thread local storage, needed for building on old iOS (GH #2045) 475 476* Add a script to help with building for Android, using Docker (GH #2016 #2033 #513) 477 478* Add Android NDK build to Travis CI (GH #2017) 479 480Version 2.11.0, 2019-07-01 481^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 482 483* Add Argon2 PBKDF and password hash (GH #459 #1981 #1987) 484 485* Add Bcrypt-PBKDF (GH #1990) 486 487* Add a libsodium compat layer in sodium.h (GH #1996) 488 489* XMSS now follows RFC 8391 which is incompatible with previous versions, which 490 had followed draft 6. 
(GH #1858 #2003) 491 492* Add server side support for issuing DTLS HelloVerifyRequest messages 493 (GH #1999) 494 495* Add a shim allowing testing Botan against the BoringSSL test suite, 496 and fix a number of bugs in TLS found using it. 497 (GH #1954 #1955 #1956 #1959 #1966 #1970) 498 499* Add support for the TLS v1.3 supported_versions extension. (GH #1976) 500 501* Add Ed25519ph compatible with RFC 8032 (GH #1699 #2000) 502 503* Add support for OCSP stapling on server side. (GH #1703 #1967) 504 505* Add a ``boost::asio`` TLS stream compatible with ``boost::asio::ssl``. 506 (GH #1839 #1927 #1992) 507 508* Add a certificate store for Linux/Unix systems. (GH #1885 #1936) 509 510* Add a certificate store for Windows systems. (GH #1931) 511 512* Add a generic ``System_Certificate_Store`` which wraps Windows, macOS, 513 and Linux certificate stores. (GH #1893) 514 515* Fix verification rooted in a v1 certificate which previously would fail. 516 (GH #1890) 517 518* Add ability to specify the maximum age of an OCSP response which does not 519 have the nextUpdate field set. (GH #1974 #1995) 520 521* Fix X509_DN::operator< which could erroneously return true in both 522 directions (ie, DN1 < DN2 && DN2 < DN1). This would break STL 523 containers using a DN as the key. (GH #1938) 524 525* It is now possible to create intermediate CA certificates using the 526 command line interface. (GH #1879 #1889) 527 528* Add a new build time option to set where the system stores trusted 529 certificates. (GH #1888) 530 531* New ``trust_roots`` CLI that examines the system certificate store. 532 (GH #1893) 533 534* Fix bugs and add many new features in the Python wrapper. 535 (GH #1899 #1900 #1901 #1902 #1903 #1904 #1906 #1907 #1915) 536 537* Various FFI interfaces which are redundant with other APIs are now 538 deprecated. The deprecation message suggests the alternate API to use. 539 (GH #1915) 540 541* Fix decoding of RSA-OAEP certificates. 
(GH #1943 #1944) 542 543* Allow setting multiple organization unit fields in a certificate or 544 certificate request. (GH #1939) 545 546* Increase the maximum allowed year in ASN1_Time to 3100. This works 547 around a problem parsing certs in AppVeyor's trust store. 548 549* Add ``--format`` option to ``rng`` CLI command allowing to format 550 as base64, base58 or binary in addition to hex. (GH #1945) 551 552* Remove use of table lookups for IP/FP transforms in DES (GH #1928) 553 554* Improve the tests for SRP6 (GH #1917 #1923) 555 556* Document the build system 557 558* When available use POSIX ``sysconf`` to detect the number of CPUs (GH #1877) 559 560* Add functionality to handle Boost naming conventions on different platforms, 561 especially affecting Windows. Enable Boost in AppVeyor builds. (GH #1964) 562 563* Add alternate implementation of ``getauxval`` for older Android (GH #1962) 564 565* Add ``configure.py`` option allowing to set arbitrary macros during build. 566 (GH #1960) 567 568* Use FreeBSD's ``elf_aux_info`` to detect ARM and POWER CPU features 569 (GH #1895) 570 571* Use FreeBSD's ``PROT_MAX`` to prevent mmap regions from being made executable 572 later. (GH #2001) 573 574* Fix a memory leak in the tests (GH #1886) 575 576* Fix an issue building with the new Boost 1.70 (GH #1881 #1880) 577 578* Fix an issue with UbSan in the tests (GH #1892) 579 580* Remove use of ``-mabi`` flag when building on MIPS64 (GH #1918) 581 582* Make it possible to specify additional libraries in ``LDFLAGS`` (GH #1916) 583 584* Fix some warnings from Clang 8 (GH #1941) 585 586* Fix the makefile .PHONY syntax (GH #1874) 587 588* Fix build issue with SoftHSM 2.5.0 (GH #1986) 589 590Version 2.10.0, 2019-03-30 591^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 592 593* Notice: the developers plan to switch from gzip to xz compression for 594 releases starting in 2.11. 
If this is a problem please comment at 595 https://github.com/randombit/botan/issues/1872 596 597* Warning: XMSS currently implements draft-06 which is not compatible with the 598 final RFC 8391 specification. A PR is open to fix this, however it will break 599 all current uses of XMSS. If you are currently using XMSS please comment at 600 https://github.com/randombit/botan/pull/1858. Otherwise the PR will be merged 601 and support for draft-06 will be removed starting in 2.11. 602 603* Added a new certificate store implementation that can access the 604 MacOS keychain certificate store. (GH #1830) 605 606* Redesigned ``Memory_Pool`` class, which services allocations out of a 607 set of pages locked into memory (using ``mlock``/``VirtualLock``). It is now 608 faster and with improved exploit mitigations. (GH #1800) 609 610* Add BMI2 implementations of SHA-512 and SHA-3 which improve performance by 611 25-35% on common CPUs. (GH #1815) 612 613* Unroll SHA-3 computation improving performance by 10-12% (GH #1838) 614 615* Add a ``Thread_Pool`` class. It is now possible to run the tests in multiple 616 threads with ``--test-threads=N`` flag to select the number of threads to use. 617 Use ``--test-threads=0`` to run with as many CPU cores as are available on the 618 current system. The default remains single threaded. (GH #1819) 619 620* XMSS signatures now uses a global thread pool instead of spawning new threads 621 for each usage. This improves signature generation performance by between 10% 622 and 60% depending on architecture and core count. (GH #1864) 623 624* Some functions related to encoding and decoding BigInts have been deprecated. 625 (GH #1817) 626 627* Binary encoding and decoding of BigInts has been optimized by performing 628 word-size operations when possible. (GH #1817) 629 630* Rename the exception ``Integrity_Failure`` to ``Invalid_Authentication_Tag`` to make 631 its meaning and usage more clear. The old name remains as a typedef. 
(GH #1816) 632 633* Support for using Boost ``filesystem`` and MSVC's ``std::filesystem`` have been 634 removed, since already POSIX and Win32 versions had to be maintained for 635 portability. (GH #1814) 636 637* Newly generated McEliece and XMSS keys now default to being encrypted using 638 SIV mode, support for which was added in 2.8.0. Previously GCM was used by 639 default for these algorithms. 640 641* Use ``arc4random`` on Android systems (GH #1851) 642 643* Fix the encoding of PGP-S2K iteration counts (GH #1853 #1854) 644 645* Add a facility for sandboxing the command line util. Currently FreeBSD 646 (Capsicum) and OpenBSD (``pledge``) sandboxes are supported. (GH #1808) 647 648* Use ``if constexpr`` when available. 649 650* Disable building shared libs on iOS as it was broken and it is not clear shared 651 libraries are ever useful on iOS (GH #1865) 652 653* Renamed the ``darwin`` build target to ``macos``. This should not cause any 654 user-visible change. (GH #1866) 655 656* Add support for using ``sccache`` to cache the Windows CI build (GH #1807) 657 658* Add ``--extra-cxxflags`` option which allows adding compilation flags without 659 overriding the default set. (GH #1826) 660 661* Add ``--format=`` option to the ``hash`` cli which allows formatting the output 662 as base64 or base58, default output remains hex. 663 664* Add ``base58_enc`` and ``base58_dec`` cli utils for base58 encoding/decoding. 665 (GH #1848) 666 667* Enable ``getentropy`` by default on macOS (GH #1862) 668 669* Avoid using ``-momit-leaf-frame-pointer`` flags, since ``-fomit-frame-pointer`` 670 is already the default with recent versions of GCC. 671 672* Fix XLC sanitizer flags. 673 674* Rename ``Blake2b`` class to ``BLAKE2b`` to match the official name. There is 675 a typedef for compat. 676 677* Fix a bug where loading a raw ``Ed25519_PublicKey`` of incorrect length would 678 lead to a crash. (GH #1850) 679 680* Fix a bug that caused compilation problems using CryptoNG PRNG. 
(GH #1832) 681 682* Extended SHAKE-128 cipher to support any key between 1 and 160 bytes, instead 683 of only multiples of 8 bytes. 684 685* Minor HMAC optimizations. 686 687* Build fixes for GNU/Hurd. 688 689* Fix a bug that prevented generating or verifying Ed25519 signatures in the CLI 690 (GH #1828 #1829) 691 692* Fix a compilation error when building the amalgamation outside of the original 693 source directory when AVX2 was enabled. (GH #1812) 694 695* Fix a crash when creating the amalgamation if a header file was edited on 696 Windows but then the amalgamation was built on Linux (GH #1763) 697 698Version 2.9.0, 2019-01-04 699^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 700 701* CVE-2018-20187 Address a side channel during ECC key generation, 702 which used an unblinded Montgomery ladder. As a result, a timing 703 attack can reveal information about the high bits of the secret key. 704 705* Fix bugs in TLS which caused negotiation failures when the client 706 used an unknown signature algorithm or version (GH #1711 #1709 #1708) 707 708* Fix bug affecting GCM, EAX and ChaCha20Poly1305 where if the associated data 709 was set after starting a message, the new AD was not reflected in the produced 710 tag. Now with these modes setting an AD after beginning a message throws an 711 exception. 712 713* Use a smaller sieve which improves performance of prime generation. 714 715* Fixed a bug that caused ChaCha to produce incorrect output after encrypting 716 256 GB. (GH #1728) 717 718* Add NEON and AltiVec implementations of ChaCha (GH #1719 #1728 #1729) 719 720* Optimize AVX2 ChaCha (GH #1730) 721 722* Many more operations in BigInt, ECC and RSA code paths are either fully const time 723 or avoid problematic branches that could potentially be exploited in a side 724 channel attack. 
(GH #1738 #1750 #1754 #1755 #1757 #1758 #1759 #1762 #1765 725 #1770 #1773 #1774 #1779 #1780 #1794 #1795 #1796 #1797) 726 727* Several optimizations for BigInt and ECC, improving ECDSA performance by as 728 much as 30%. (GH #1734 #1737 #1777 #1750 #1737 #1788) 729 730* Support recovering an ECDSA public key from a message/signature pair (GH #664 #1784) 731 732* Add base58 encoding/decoding functions (GH #1783) 733 734* In the command line interface, add support for reading passphrases from the 735 terminal with echo disabled (GH #1756) 736 737* Add ``CT::Mask`` type to simplify const-time programming (GH #1751) 738 739* Add new configure options ``--disable-bmi2``, ``--disable-rdrand``, 740 and ``--disable-rdseed`` to prevent use of those instruction sets. 741 742* Add ``error_type`` and ``error_code`` functions to Exception type (GH #1744) 743 744* Now on POSIX systems ``posix_memalign`` is used instead of ``mmap`` for 745 allocating the page-locked memory pool. This avoids issues with ``fork``. 746 (GH #602 #1798) 747 748* When available, use RDRAND to generate the additional data in 749 ``Stateful_RNG::randomize_with_ts_input`` 750 751* Use vzeroall/vzeroupper intrinsics to avoid AVX2/SSE transition penalties. 752 753* Support for Visual C++ 2013 has been removed (GH #1557 #1697) 754 755* Resolve a memory leak when verifying ECDSA signatures with versions 756 of OpenSSL before 1.1.0 (GH #1698) 757 758* Resolve a memory leak using ECDH via OpenSSL (GH #1767) 759 760* Fix an error in XTS which prohibited encrypting values which were 761 exactly the same length as the underlying block size. Messages of 762 this size are allowed by the standard and other XTS implementations. 763 (GH #1706) 764 765* Resolve a bug in TSS which resulted in it using an incorrect length 766 field in the shares. Now the correct length is encoded, but either 767 correct or buggy lengths are accepted when decoding. 
(GH #1722) 768 769* Correct a bug when reducing a negative ``BigInt`` modulo a small power of 2. 770 (GH #1755) 771 772* Add CLI utils for threshold secret splitting. (GH #1722) 773 774* Fix a bug introduced in 2.8.0 that caused compilation failure if using 775 a single amalgamation file with AVX2 enabled. (GH #1700) 776 777* Add an explicit OS target for Emscripten and improve support for it. 778 (GH #1702) 779 780* Fix small issues when building for QNX 781 782* Switch the Travis CI build to using Ubuntu 16.04 (GH #1767) 783 784* Add options to ``configure.py`` to disable generation of ``pkg-config`` 785 file, and (for systems where ``pkg-config`` support defaults to off, 786 like Windows), to enable generating it. (GH #1268) 787 788* Modify ``configure.py`` to accept empty lists or trailing/extra commas. 789 (GH #1705) 790 791Version 2.8.0, 2018-10-01 792^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 793 794* Add support for using Apple CommonCrypto library for hashing (GH #1667), 795 cipher modes (GH #1674) and block ciphers (GH #1673). 796 797* Support for negotiating TLS versions 1.0 and 1.1 is disabled in the default 798 TLS policy. In addition, support for negotiating TLS ciphersuites using CBC or 799 CCM mode is disabled by default. Applications which need to interop with old 800 peers must enable these in their TLS policy object. (GH #1651) 801 802* During primality testing, use a Lucas test in addition to Miller-Rabin. It is 803 possible to construct a composite integer which passes n Miller-Rabin tests 804 with probability (1/4)^n. So for a incautious verifier using a small number 805 of tests (under 16 or so) it is possible if unlikely they would accept such a 806 composite as prime. Adding a Lucas test precludes such an attack. 
  (GH #1636)

* Add XChaCha and XChaCha20Poly1305 (GH #1640)

* Add AVX2 implementations of ChaCha (GH #1662) and Serpent (GH #1660)

* Add a new password hashing interface in pwdhash.h (GH #1670)

* C binding improvements. Added functions to get name and supported
  keylengths of cipher, hash and MAC objects, support for FE1 format
  preserving encryption (GH #1625 #1646), functions to load and save
  RSA keys in PKCS #1 format (GH #1621), HOTP and TOTP algorithms,
  scrypt, certificate verification (GH #1647), functions to get the
  output length of public key operations (GH #1642), and functions for
  loading and serializing X25519 keys (GH #1681)

* Support for building with BOTAN_MP_WORD_BITS set to 8 or 16 has been removed.

* Previously SM2 had two distinct key types, one for signatures and another for
  encryption. They have now been merged into a single key type since in practice
  it seems the same key is at times used for both operations. (GH #1637)

* The ``Cipher_Mode`` class now derives from ``SymmetricAlgorithm`` (GH #1639)

* Add support for using the ARMv8 instructions for SM4 encryption (GH #1622)

* The entropy source using ``SecRandomCopyBytes`` has been removed as it was
  redundant with other entropy sources (GH #1668)

* The Python module has much better error checking and reporting, and offers new
  functionality such as scrypt, MPI and FPE. (GH #1643 #1646)

* Fixed a bug that caused CCM to fail with an exception when used with L=8
  (GH #1631 #1632)

* The default bcrypt work factor has been increased from 10 to 12.

* The default algorithm used in passhash9 has changed from SHA-256 to SHA-512,
  and the default work factor increased from 10 to 15.

* In ECC private keys, include the public key data for compatibility with
  GnuTLS (GH #1634 #1635)

* Add support for using Linux ``getrandom`` syscall to access the system PRNG.
  This is disabled by default; use ``--with-os-feature=getrandom`` to enable it.

* It is now possible to encrypt private keys using SIV mode.

* The FFI function botan_privkey_load now ignores its rng argument.

* Resolve a problem when building under Visual C++ 15.8 (GH #1624)

* Fix a bug in XSalsa20 (192-bit Salsa nonces) where if set_iv was called twice
  without calling set_key, the resulting encryption was incorrect. (GH #1640)

* Handle an error seen when verifying invalid ECDSA signatures using LibreSSL
  on non-x86-64 platforms (GH #1627 #1628)

* Fix bugs in PKCS7 and X9.23 CBC padding schemes, which would ignore
  the first byte in the event the padding took up the entire block. (GH #1690)

* Correct bugs which would cause CFB, OCB, and GCM modes to crash when they
  were used in an unkeyed state. (GH #1639)

* Optimizations for SM4 and Poly1305

* Avoid a cache side channel in the AES key schedule

* Add ``pk_encrypt`` and ``pk_decrypt`` CLI operations

* Now ``asn1print`` CLI defaults to printing context-specific fields.

* Use codec_base for Base64, which matches how Base32 is implemented (GH #1597)

* The ``cast`` module has been split up into ``cast128`` and ``cast256`` (GH #1685)

* When building under Visual C++ 2013, the user must acknowledge the upcoming
  removal of support using the configure.py flag ``--ack-vc2013-deprecated``
  (GH #1557)

Version 2.7.0, 2018-07-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* CVE-2018-12435 Avoid a side channel in ECDSA signature generation (GH #1604)

* Avoid a side channel in RSA key generation due to use of a non-constant time
  gcd algorithm. (GH #1542 #1556)

* Optimize prime generation, especially improving RSA key generation.
  (GH #1542)

* Make Karatsuba multiplication, Montgomery field operations, Barrett reduction
  and Montgomery exponentiation const time (GH #1540 #1606 #1609 #1610)

* Optimizations for elliptic curve operations especially improving reductions
  and inversions modulo NIST primes (GH #1534 #1538 #1545 #1546 #1547 #1550)

* Add 24 word wide Comba multiplication, improving 3072-bit RSA and DH by ~25%.
  (GH #1564)

* Unroll Montgomery reduction for specific sizes (GH #1603)

* Improved performance of signature verification in ECGDSA, ECKCDSA,
  SM2 and GOST by 10-15%.

* XMSS optimizations (GH #1583 #1585)

* Fix an error that meant XMSS would only sign half as many signatures as is
  allowed (GH #1582)

* Add support for base32 encoding/decoding (GH #1541)

* Add BMI2 optimized version of SHA-256, 40% faster on Skylake (GH #1584)

* Allow the year to be up to 2200 in ASN.1 time objects. Previously this
  was limited to 2100. (GH #1536)

* Add support for Scrypt password hashing (GH #1570)

* Add support for using Scrypt for private key encryption (GH #1574)

* Optimizations for DES/3DES, approx 50% faster when used in certain modes such
  as CBC decrypt or CTR.

* XMSS signature verification did not check that the signature was of
  the expected length which could lead to a crash. (GH #1537)

* The bcrypt variants 2b and 2y are now supported.

* Support for the 192-bit Suite B TLS profile is now implemented, as the 128-bit
  Suite B profile has not been allowed since 2015.

* Previously Botan allowed GCM to be used with an empty nonce, which is not
  allowed by the specification. Now such nonces are rejected.

* Avoid problems on Windows when compiling in Unicode mode (GH #1615 #1616)

* Previously for ASN.1 encoded signatures (eg ECDSA) Botan would accept any
  valid BER encoding. Now only the single valid DER encoding is accepted.

* Correct an error that could in rare cases cause an internal error exception
  when doing computations with the P-224 curve.

* Optimizations to reduce allocations/copies during DER encoding and BER
  decoding (GH #1571 #1572 #1600)

* Botan generates X.509 subject key IDs by hashing the public key with whatever
  hash function is being used to sign the certificate. However especially for
  SHA-512 this caused SKIDs that were far longer than necessary. Now all SKIDs
  are truncated to 192 bits.

* In the test suite use ``mkstemp`` to create temporary files instead of
  creating them in the current working directory. (GH #1533 #1530)

* It is now possible to safely override ``CXX`` when invoking make in addition
  to when ``configure.py`` is run. (GH #1579)

* OIDs for Camellia and SM4 in CBC and GCM mode are now defined, making it
  possible to use these algorithms for private key encryption.

* Avoid creating symlinks to the shared object on OpenBSD (#1535)

* The ``factor`` command runs much faster on larger inputs now.

* Support for Windows Phone/UWP was deprecated starting in 2.5. This deprecation
  has been reversed as it seems UWP is still actively used. (GH #1586 #1587)

* Support for Visual C++ 2013 is deprecated, and will be removed in Jan 2019.

* Added support for GCC's --sysroot option to configure.py for cross-compiling.

Version 2.6.0, 2018-04-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* CVE-2018-9860 Fix a bug decrypting TLS CBC ciphertexts which could
  for a malformed ciphertext cause the decryptor to read and HMAC an
  additional 64K bytes of data which is not part of the record. This
  could cause a crash if the read went into unmapped memory. No
  information leak or out of bounds write occurs.

* Add support for OAEP labels (GH #1508)

* RSA signing is about 15% faster (GH #1523) and RSA verification is
  about 50% faster.

* Add exponent blinding to RSA (GH #1523)

* Add ``Cipher_Mode::create`` and ``AEAD_Mode::create`` (GH #1527)

* Fix a bug in the TLS server, introduced in 2.5, which caused the connection
  to fail if the client offered any signature algorithm not known to the
  server (for example RSA/SHA-224).

* Fix a bug in inline asm that, with GCC 7.3, would cause incorrect
  computations and an infinite loop during the tests. (GH #1524 #1529)

Version 2.5.0, 2018-04-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix error in certificate wildcard matching (CVE-2018-9127), where a
  wildcard cert for ``b*.example.com`` would be accepted as a match for
  any host with name ``*b*.example.com`` (GH #1519)

* Add support for RSA-PSS signatures in TLS (GH #1285)

* Ed25519 certificates are now supported (GH #1501)

* Many optimizations in ECC operations. ECDSA signatures are 8-10 times faster.
  ECDSA verification is about twice as fast. ECDH key agreement is 3-4 times
  faster. (GH #1457 #1478)

* Implement product scanning Montgomery reduction, which improves Diffie-Hellman
  and RSA performance by 10 to 20% on most platforms. (GH #1472)

* DSA signing and verification performance has improved by 30-50%.

* Add a new Credentials_Manager callback that specifies which CAs the server
  has indicated it trusts (GH #1395 fixing #1261)

* Add new TLS::Callbacks methods that allow creating or removing extensions,
  as well as examining extensions sent by the peer (GH #1394 #1186)

* Add new TLS::Callbacks methods that allow an application to
  negotiate use of custom elliptic curves.
  (GH #1448)

* Add ability to create custom elliptic curves (GH #1441 #1444)

* Add support for POWER8 AES instructions (GH #1459 #1393 #1206)

* Fix DSA/ECDSA handling of hashes longer than the group order (GH #1502 #986)

* The default encoding of ECC public keys has changed from compressed
  to uncompressed point representation. This improves compatibility with
  some common software packages including Golang's standard library.
  (GH #1480 #1483)

* It is now possible to create DNs with custom components. (GH #1490 #1492)

* It is now possible to specify the serial number of created certificates,
  instead of using the default 128-bit random integer. (GH #1489 #1491)

* Change DL_Group and EC_Group to store their data as shared_ptr for
  fast copying. Also both classes precompute additional useful values
  (eg for modular reductions). (GH #1435 #1454)

* On Windows platforms RtlGenRandom is now used in preference to CryptoAPI
  or CryptoNG libraries. (GH #1494)

* Make it possible for PKCS10 requests to include custom extensions. This also
  makes it possible to use multiple SubjectAlternativeNames of a single type in
  a request, which was previously not possible. (GH #1429 #1428)

* Add new optimized interface for FE1 format preserving encryption. By caching a
  number of values computed in the course of the FPE calculation, it provides a
  6-7x speedup versus the old API. (GH #1469)

* Add DSA and ElGamal keygen functions to FFI (#1426)

* Add ``Pipe::prepend_filter`` to replace deprecated ``Pipe::prepend`` (GH #1402)

* Fix a memory leak in the OpenSSL block cipher integration, introduced in 2.2.0

* Use an improved algorithm for generating safe primes which is several tens of
  times faster.
  Also, fix a bug in the prime sieving algorithm which caused
  standard prime generation (like for RSA keys) to be slower than necessary.
  (GH #1413 #1411)

* Correct the return value of ``PK_Encryptor::maximum_input_size`` which
  reported a much too small value (GH #1410)

* Remove use of CPU specific optimization flags; instead the user should set
  these via CXXFLAGS if desired. (GH #1392)

* Resolve an issue that would cause a crash in the tests if they were run on
  a machine without SSE2/NEON/VMX instructions. (GH #1495)

* The Python module now tries to load DLLs from a list of names and
  uses the first one which successfully loads and indicates it
  supports the desired API level. (GH #1497)

* Various minor optimizations for SHA-3 (GH #1433 #1434)

* The output of ``botan --help`` has been improved (GH #1387)

* Add ``--der-format`` flag to command line utils, making it possible to verify
  DSA/ECDSA signatures generated by OpenSSL command line (GH #1409)

* Add support for ``--library-suffix`` option to ``configure.py`` (GH #1405 #1404)

* Use feature flags to enable/disable system specific code (GH #1378)

* Add ``--msvc-runtime`` option to allow using static runtime (GH #1499 #210)

* Add ``--enable-sanitizers=`` option to allow specifying which sanitizers to
  enable. The existing ``--with-sanitizers`` option just enables some default
  set which is known to work with the minimum required compiler versions.

* Use either ``rst2man`` or ``rst2man.py`` for generating man page as
  distributions differ on where this program is installed (GH #1516)

* The threefish module has been renamed threefish_512 since that is the
  algorithm it provides. (GH #1477)

* The Perl XS based wrapper has been removed, as it was unmaintained and
  broken.
  (GH #1412)

* The sqlite3 encryption patch under ``contrib`` has been removed. It
  is still maintained by the original author at
  https://github.com/OlivierJG/botansqlite3

* Support for Windows Phone is deprecated.

Version 2.4.0, 2018-01-08
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Several build improvements requested by downstream packagers, including the
  ability to disable building the static library. All makefile constructs that
  were specific to nmake or GNU make have been eliminated, thus the option
  ``--makefile-style`` which was previously used to select the makefile type has
  also been removed. (GH #1230 #1237 #1300 #1318 #1319 #1324 #1325 #1346)

* Support for negotiating the DH group as specified in RFC 7919 is now available
  in TLS (GH #1263)

* Support for ARIA-GCM ciphersuites is now available in TLS. They are disabled
  by default. (GH #1284)

* Add support for generating and verifying X.509 objects (certificates, CRLs,
  etc) using RSA-PSS signatures (GH #1270 and #1368)

* Add support for AES key wrapping with padding, as specified in RFC 5649 and
  NIST SP 800-38F (GH #1301)

* OCSP requests made during certificate verification had the potential to hang
  forever. Now the sockets are non-blocking and a timeout is enforced. (GH #1360
  fixing GH #1326)

* Add ``Public_Key::fingerprint_public`` which allows fingerprinting the public key.
  The previously available ``Private_Key::fingerprint`` is deprecated, now
  ``Private_Key::fingerprint_private`` should be used if this is required.
  (GH #1357)

* ECC certificates generated by Botan used an invalid encoding for the
  parameters field, which was rejected by some certificate validation libraries
  notably BouncyCastle.
  (GH #1367)

* Loading an ECC key which used OID encoding for the domain parameters, then
  saving it, would result in a key using the explicit parameters encoding.
  Now the OID encoding is retained. (GH #1365)

* Correct various problems in certificate path validation that arose when
  multiple paths could be constructed leading to a trusted root but due to
  other constraints only some of them validated. (GH #1363)

* It is now possible for certificate validation to return warning indicators,
  such as that the distinguished name is not within allowed limits or that a
  certificate with a negative serial number was observed. (GH #1363 #1359)

* XMSS signatures now are multi-threaded for improved performance (GH #1267)

* Fix a bug that caused the TLS peer cert list to be empty on a resumed session.
  (GH #1303 #1342)

* Increase the maximum HMAC key length from 512 bytes to 4096 bytes. This allows
  using a DH key exchange in TLS with a group greater than 4096 bits. (GH #1316)

* Fix a bug in the TLS server where, on receiving an SSLv3 client hello, it
  would attempt to negotiate TLS v1.2. Now a protocol_version alert is sent.
  Found with tlsfuzzer. (GH #1316)

* Fix several bugs related to sending the wrong TLS alert type in various error
  scenarios, caught with tlsfuzzer.

* Add support for a ``tls_http_server`` command line utility which responds to
  simple GET requests. This is useful for testing against a browser, or various
  TLS test tools which expect the underlying protocol to be HTTP. (GH #1315)

* Add an interface for generic PSK data stores, as well as an implementation
  which encrypts stored values with AES key wrapping. (GH #1302)

* Optimize GCM mode on systems both with and without carryless multiply
  support.
  This includes a new base case implementation (still constant time), a
  new SSSE3 implementation for systems with SSSE3 but not clmul, and better
  algorithms for systems with clmul and pmull. (GH #1253 #1263)

* Various optimizations for OCB, CFB, CTR, SM3, SM4, GMAC, BLAKE2b, Blowfish,
  Twofish, CAST-128, and CRC24 (GH #1281)

* Salsa20 now supports the seek operation.

* Add ``EC_Group::known_named_groups`` (GH #1339)

* Symmetric algorithms (block ciphers, stream ciphers, MACs) now verify that a
  key was set before accepting data. Previously attempting to use an unkeyed
  object would instead result in either a crash or invalid outputs. (GH #1279)

* The X509 certificate, CRL and PKCS10 types have been heavily refactored
  internally. Previously all data of these types was serialized to strings, then
  in the event a more complicated data structure (such as X509_DN) was needed,
  it would be recreated from the string representation. However the round trip
  process was not perfect and could cause fields to become lost. This approach
  is no longer used, fixing several bugs (GH #1010 #1089 #1242 #1252). The
  internal data is now stored in a ``shared_ptr``, so copying such objects is
  now very cheap. (GH #884)

* ASN.1 string objects previously held their contents as ISO 8859-1 codepoints.
  However this led to certificates which contained strings outside of this
  character set (eg in Cyrillic, Greek, or Chinese) being rejected. Now the
  strings are always converted to UTF-8, which allows representing any
  character. In addition, UCS-4 strings are now supported.
  (GH #1113 #1250 #1287 #1289)

* It is now possible to create an uninitialized X509_Certificate object. Such an
  object will throw if any attempt to access its members is made.
  (GH #1335)

* In the BER decoder, avoid unbounded stack recursion when parsing nested
  indefinite length values. Now at most 16 nested indefinite length values are
  accepted, anything deeper resulting in a decoding error. (GH #1304 OSS-Fuzz 4353).

* A new ASN.1 printer API allows generating a string representation of arbitrary
  BER data. This is used in the ``asn1print`` command line utility and may be
  useful in other applications, for instance for debugging.

* New functions for bit rotations that distinguish rotating by a compile-time
  constant vs a runtime variable rotation. This allows better optimizations in
  both cases. Notably the performance of CAST-128 and CAST-256 is substantially
  improved. (GH #1247)

* TLS CBC ciphersuites now are implemented using the standard CBC code, instead
  of reimplementing CBC inside the TLS stack. This allows for parallel
  decryption of TLS CBC ciphertexts, and improves performance especially when
  using AES hardware support. (GH #1269)

* Add callbacks to make it possible for an application using TLS to provide
  custom implementations of signature schemes, eg when offloading the
  computations to another device. (GH #1332)

* Use a direct calculation for calendar computations instead of relying on
  non-portable operating system interfaces. (GH #1336)

* Fix a bug in the amalgamation generation which could cause build failures on
  some systems including macOS. (GH #1264 #1265)

* A particular code sequence in TLS handshake would always (with an ECC
  ciphersuite) result in an exception being thrown and then caught. This has
  changed so no exception is thrown. (GH #1275)

* The code for byteswapping has been improved for ARMv7 and for Windows x86-64
  systems using MSVC. (GH #1274)

* The GMAC class no longer derives from GHASH.
  This should not cause any noticeable change for applications. (GH #1253)

* The base implementation of AES now uses a single 4K table, instead of 4 such
  tables. This offers a significant improvement against cache-based side
  channels without hurting performance too much. In addition the table is now
  guaranteed to be aligned on a cache line, which ensures the additional
  countermeasure of reading each cache line works as expected. (GH #1255)

* In TLS client resumption, avoid sending an OCSP stapling request. This caused
  resumption failures with some servers. (GH #1276)

* The overhead of making a call through the FFI layer has been reduced.

* The IDs for SHA-3 PKCSv1.5 signatures added in 2.3.0 were incorrect. They have
  been changed to use the correct encoding, and a test added to ensure such
  errors do not recur.

* Counter mode allows setting a configurable width of the counter. Previously a
  counter as narrow as 8 bits was allowed, which would mean the keystream
  would repeat after just 256 blocks. Now it requires the width be at least 32
  bits. The only way this feature could be used was by manually constructing a
  ``CTR_BE`` object and setting the second parameter to something in the range
  of 1 to 3.

* A new mechanism for formatting ASN.1 data is included in ``asn1_print.h``.
  This is the same functionality used by the command line ``asn1print`` util,
  now cleaned up and moved to the library.

* Add ``Pipe::append_filter``. This is like the existing (deprecated)
  ``Pipe::append``, the difference being that ``append_filter`` only
  allows modification before the first call to ``start_msg``. (GH #1306 #1307)

* The size of ASN1_Tag is increased to 32 bits. This avoids a problem
  with UbSan (GH #751)

* Fix a bug affecting bzip2 compression.
  In certain circumstances, compression would fail with ``BZ_SEQUENCE_ERROR``
  due to calling bzlib in a way it does not support. (GH #1308 #1309)

* In 2.3.0, final annotations were added to many classes including the TLS
  policies (like ``Strict_Policy`` and ``BSI_TR_02102_2``). However it is
  reasonable and useful for an application to derive from one of these policies, so
  as to create an application specific policy that is based on a library-provided
  policy, but with a few tweaks. So the final annotations have been removed on
  these classes. (GH #1292)

* A new option ``--with-pdf`` enables building a PDF copy of the handbook.
  (GH #1337)

* A new option ``--with-rst2man`` enables building a man page for the
  command line util using Docutils rst2man. (GH #1349)

* Support for NEON is now enabled under Clang.

* Now the compiler version is detected using the preprocessor, instead of trying
  to parse the output of the compiler's version string, which was subject to
  problems with localization. (GH #1358)

* By default the gzip compressor will not include a timestamp in the header.
  The timestamp can be set by passing it to the ``Gzip_Compression``
  constructor.

* Resolve a performance regression on Windows involving the system stats
  entropy source. (GH #1369)

* Add an OID for RIPEMD-160

* Fixes for CMake build (GH #1251)

* Avoid some signed overflow warnings (GH #1220 #1245)

* As upstream support for Native Client has been deprecated by Google, support
  is now also deprecated in Botan and will be removed in a future release.

* The Perl-XS wrapper has not been maintained in many years. It is now deprecated,
  and if no attempts are made to revive it, it will be removed in a future release.

* Support for building on IRIX has been removed.
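
The BER nesting limit from 2.4.0 (GH #1304) and the DER-only decoding of ECDSA signatures from 2.7.0 both come down to how an ASN.1 reader treats non-canonical input; the following added Python illustration (not Botan's code) shows both behaviours in one small reader. The 16-level limit is the one quoted in the note; the ``decode`` and ``parse_ecdsa_signature`` names and the strict-mode flag are this example's own.

```python
# Added illustration, not Botan's code: a small BER/DER reader showing the two
# defensive behaviours in the notes: nesting of indefinite-length values is
# capped at 16 (2.4.0, GH #1304), and a strict mode accepts only the single DER
# encoding of an ECDSA signature SEQUENCE { INTEGER r, INTEGER s } (2.7.0).

MAX_INDEF_DEPTH = 16  # the limit quoted in the 2.4.0 note


class DecodingError(ValueError):
    pass


def _read_length(buf, pos):
    """Return (length, new_pos, is_der_minimal); length is None for the
    indefinite form (0x80), which BER allows but DER never does."""
    if pos >= len(buf):
        raise DecodingError("truncated length")
    first = buf[pos]
    pos += 1
    if first == 0x80:
        return None, pos, False
    if first < 0x80:
        return first, pos, True  # short form is always minimal
    n = first & 0x7F
    if pos + n > len(buf):
        raise DecodingError("truncated long-form length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    # DER: long form only for lengths >= 128 and with no leading zero octet
    minimal = length >= 0x80 and buf[pos] != 0
    return length, pos + n, minimal


def decode(buf, pos=0, indef_depth=0, strict=False):
    """Decode one TLV at buf[pos] -> (tag, content, new_pos). Constructed
    values yield a list of (tag, content) children. Every nested
    indefinite-length value raises indef_depth, and exceeding
    MAX_INDEF_DEPTH is an error instead of unbounded recursion."""
    if pos >= len(buf):
        raise DecodingError("truncated tag")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DecodingError("multi-byte tags not handled in this example")
    pos += 1
    length, pos, minimal = _read_length(buf, pos)
    if strict and not minimal:
        raise DecodingError("non-DER length encoding")
    constructed = bool(tag & 0x20)
    if length is None:
        if not constructed:
            raise DecodingError("indefinite length on a primitive value")
        if indef_depth + 1 > MAX_INDEF_DEPTH:
            raise DecodingError("too many nested indefinite-length values")
        children = []
        while buf[pos:pos + 2] != b"\x00\x00":  # until end-of-contents
            ctag, ccontent, pos = decode(buf, pos, indef_depth + 1, strict)
            children.append((ctag, ccontent))
        return tag, children, pos + 2
    end = pos + length
    if end > len(buf):
        raise DecodingError("value runs past the end of the input")
    if not constructed:
        return tag, bytes(buf[pos:end]), end
    children = []
    while pos < end:
        ctag, ccontent, pos = decode(buf, pos, indef_depth, strict)
        children.append((ctag, ccontent))
    if pos != end:
        raise DecodingError("child value overruns its parent")
    return tag, children, end


def _integer_is_minimal(content):
    """DER INTEGER content: non-empty and without a redundant sign octet."""
    if not content:
        return False
    if len(content) > 1:
        if content[0] == 0x00 and not content[1] & 0x80:
            return False
        if content[0] == 0xFF and content[1] & 0x80:
            return False
    return True


def parse_ecdsa_signature(sig):
    """Return (r, s) only for the unique DER encoding. BER-only variants
    (indefinite length, long-form length under 128, padded INTEGERs) and
    non-positive values are rejected, so one signature has one encoding."""
    tag, children, end = decode(sig, strict=True)
    if tag != 0x30 or end != len(sig):
        raise DecodingError("expected exactly one SEQUENCE")
    if len(children) != 2 or any(t != 0x02 for t, _ in children):
        raise DecodingError("expected a SEQUENCE of two INTEGERs")
    values = []
    for _, content in children:
        if not _integer_is_minimal(content):
            raise DecodingError("non-minimal INTEGER encoding")
        value = int.from_bytes(content, "big", signed=True)
        if value <= 0:
            raise DecodingError("r and s must be positive")
        values.append(value)
    return values[0], values[1]
```

Rejecting every non-DER variant removes signature malleability at the encoding layer: an attacker cannot produce a second byte string that verifies for the same (r, s).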

Version 2.3.0, 2017-10-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Address a side channel affecting modular exponentiation. An attacker
  capable of a local or cross-VM cache analysis attack may be able
  to recover bits of secret exponents as used in RSA, DH, etc.
  CVE-2017-14737

* Add the SHACAL2 block cipher, including optimizations using SIMD and SHA-NI
  instructions. (GH #1151)

* Add the ARIA block cipher (GH #1004 and #1157)

* Add support for the ARMv8 AES instructions (GH #1182 and #1146)

* Add support for the ARMv8 PMULL instruction (GH #1181 and #842)

* On macOS and iOS the ``System_RNG`` class is now implemented using ``arc4random``.
  Previously the system RNG class was not available on iOS. (GH #1219)

* Optimized the CMAC polynomial doubling operation, and removed a small timing
  channel due to a conditional operation.

* Added support for the ECDHE_PSK AEAD TLS ciphersuites from
  draft-ietf-tls-ecdhe-psk-aead-05.

* SM2 encryption and signature schemes were previously hardcoded to use the SM3
  hash; now any hash is allowed. (GH #1188)

* SM2 encryption in 2.2.0 followed an obsolete version of the standard. The
  format of the ciphertext changed in a more recent revision of the standard,
  and now uses an ASN.1 encoding. Botan has changed to reflect this format,
  which is compatible with GmSSL (GH #1218)

* OCB mode now supports 192, 256 and 512 bit block ciphers. (GH #1205)

* XTS mode now supports 256-bit and 512-bit block ciphers.

* Add ids to allow SHA-3 signatures with PKCSv1.5 (GH #1184)

* Add support for ``PSSR_Raw`` signatures which PSS sign an externally derived
  hash. (GH #1212 #1211)

* GCM now supports truncated tags in the range 96...128 bits.
  GCM had previously supported 64-bit truncated tags, but these are known to
  be insecure and are now deprecated. (GH #1210 #1207)

* Add a new TLS policy hook ``allow_client_initiated_renegotiation`` which is the
  parallel of the existing ``allow_server_initiated_renegotiation``. If set to
  false, servers will reject attempts by the client to renegotiate the
  session, instead sending a ``no_renegotiation`` warning alert. Note that the
  default is ``false``, ie that client renegotiation is now prohibited by default.
  (GH #872)

* Add HKDF-Expand-Label function which is used in TLS v1.3 and QUIC protocols.
  (GH #1226)

* Fix decoding of ECC keys that use extensions from RFC 5915 (GH #1208)

* The entropy source that called CryptGenRandom has been removed, and
  replaced by a version which invokes the system PRNG, which may
  be CryptGenRandom or some other source. (GH #1180)

* Add support for gathering entropy using the Crypt-NG BCryptGenRandom
  API. This is necessary to build for Windows Phone/Windows Store. (GH #1180)

* Extend "Raw" signature padding (which allows signing a hash computed
  externally) to optionally take a hash function name. In this case, it will be
  verified that the input matches the expected hash size. This also will
  control the hash algorithm used for RFC 6979 deterministic nonces; previously
  SHA-512 was always used for RFC 6979 nonces with "Raw". (GH #1153)

* The advertised FFI API version has increased. This should have happened
  already in 2.2 but was neglected. The ``botan_ffi_supports_api`` call will
  return true for either the current or older versions of the API version since
  no backwards incompatible changes have occurred.

* Add new C89 API functions ``botan_hex_decode``, ``botan_base64_encode``,
  ``botan_base64_decode``, ``botan_constant_time_compare``.

* Add new C89 API functions ``botan_privkey_load_dh``, ``botan_pubkey_load_dh``,
  and ``botan_privkey_create_dh`` (GH #1155)

* Add ``is_passhash9_alg_supported`` (GH #1154)

* The ``power_mod`` function now supports negative bases (GH #1179 #1168)

* Add a new command line utility for examining TLS client hellos.

* Added a new target for LLVM bitcode (GH #1169)

* Improve support for Windows Phone (GH #1180 #796 #794)

* Correct return value of ``botan_pk_op_verify_finish``. In 2.2.0 this function
  returned -1 on invalid signature, instead of 1 which was used in 2.0, 2.1, and
  now again in 2.3. (GH #1189 #1187)

* Allow loading unencrypted private keys via FFI API (GH #1197)

* Add new command line options ``--rng-type=drbg`` and ``--drbg-seed`` which
  allow running commands with a deterministic RNG. (GH #1169)

* Fix a number of warnings seen under Visual C++ (GH #1171 #795)

* Work around a GCC 7 bug that caused miscompilation of the GOST-34.11 hash
  function on x86-32. (GH #882 #1148)

* Fix a bug in SIMD_4x32 which affected little-endian PowerPC processors.
  This would cause test failures for Serpent, among other problems.

* Fix Altivec runtime detection, which was broken starting in Botan 2.1.0

* Optimized the verification of TLS CBC padding bytes. Previously the check
  examined every byte of the record, even though at most 256 bytes of padding
  may be appended. (GH #1227)

* Simplified definition of ``Botan::secure_allocator``. In particular, not
  defining the ``construct`` and ``destroy`` methods avoids a performance problem
  under MSVC. (GH #1228 and #1229)

* The ``secure_allocator`` class now uses ``calloc`` and ``free`` instead of
  ``new`` and ``delete``. In addition the actual allocation operation is hidden
  inside of compiled functions, which significantly reduces code size.
  (GH #1231)

* The ``secure_scrub_memory`` function now uses ``explicit_bzero`` on OpenBSD.

* Previously ARM feature detection (NEON, AES, ...) relied on getauxval, which
  is only supported on Linux and Android. Now iOS is supported, by checking the
  model name/version and matching it against known versions. Unfortunately this
  is the best available technique on iOS. On Aarch64 systems that are not iOS or
  Linux/Android, a technique based on trial execution while catching SIGILL is
  used. (GH #1213)

* The output of ``botan config libs`` was incorrect: it produced ``-lbotan-2.X``
  where X is the minor version, instead of the actual lib name ``-lbotan-2``.

* Add ``constant_time_compare`` as better named equivalent of ``same_mem``.

* Silence a Clang warning in ``create_private_key`` (GH #1150)

* The fuzzers have been better integrated with the main build. See the
  handbook for details. (GH #1158)

* The Travis CI and AppVeyor CI builds are now run via a Python script. This
  makes it easier to replicate the behavior of the CI build locally. Also a
  number of changes were made to improve the turnaround time of CI builds.
  (GH #1162 #1199)

* Add support for Win32 filesystem operation, so the tests pass completely
  on MinGW now (GH #1203)

* Added a script to automate running TLS-Attacker tests.

* The distribution script now creates reproducible outputs, by
  forcing all modification times, uids, etc to values fixed by the release date.
  (GH #1217)

* The ``BOTAN_DLL`` macro has been split up into ``BOTAN_PUBLIC_API``,
  ``BOTAN_UNSTABLE_API`` and ``BOTAN_TEST_API`` which allows
  indicating in the header the API stability of the export. All three
  are defined as ``BOTAN_DLL`` so overriding just that macro continues
  to work as before.
(GH #1216) 1497 1498* Optimize ``bigint_divop`` when a double-word type is available. (GH #494) 1499 1500* Fix several memory leaks in the tests. Additionally a false positive 1501 leak seen under ``valgrind`` in the ``fork`` tests for the RNG was resolved. 1502 1503* Export ``CurveGFp_Repr`` type (only used internally) to resolve a 1504 long standing UBSan warning. (GH #453) 1505 1506* Now ``-fstack-protector`` and similar flags that affect linking are exported 1507 in ``botan config ldflags`` as they already were in the ``pkg-config`` output. 1508 (GH #863) 1509 1510* Remove double underscore in header guards to avoid using names 1511 reserved by ISO C++. (GH #512) 1512 1513* Additions to the SRP documentation (GH #1029) 1514 1515* The package transform (in ``package.h``) is now deprecated, and will be 1516 removed in a future release. (GH #1215) 1517 1518* Add more tests for the const-time utils (GH #1214) 1519 1520* Fix a bug in FFI tests that caused the test files not to be found when using 1521 ``--data-dir`` option (GH #1149) 1522 1523* C++ ``final`` annotations have been added to classes which are not 1524 intended for derivation. This keyword was already in use but was not 1525 applied consistently. 1526 1527* A typedef ``SecureVector`` has been added for the ``secure_vector`` type. 1528 This makes porting code from 1.10 to 2.x API slightly simpler. 1529 1530* Header files have been cleaned up to remove unnecessary inclusions. In some 1531 cases it may be required to include additional botan headers to get all the 1532 declarations that were previously visible. For example, ``bigint.h`` no longer 1533 includes ``rng.h``, but just forward declares ``RandomNumberGenerator``. 1534 1535* Improved support for IBM xlc compiler. 
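Two of the 2.3.0 entries above concern constant-time code: ``constant_time_compare``
(the renamed ``same_mem``) and the TLS CBC padding check that now inspects at most
256 trailing bytes, which refines the branch-free padding parser introduced in
2.0.0. The following is an added illustration written for this page, not Botan's
own implementation (Botan's lives in its ``ct_utils`` and TLS record code). The
helper names (``ct_nonzero_mask``, ``ct_le8``, ``ct_check_padding``,
``make_padded_record``, ``verdict``) are hypothetical, and the records are
constructed test data without a MAC.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Branch-free building blocks. Hypothetical helper names, not Botan's API.

// 0xFF if x != 0, else 0x00: (x | -x) has its top bit set exactly when x != 0.
static inline uint8_t ct_nonzero_mask(uint8_t x) {
    uint8_t t = static_cast<uint8_t>(x | (0u - x));
    return static_cast<uint8_t>(0u - (t >> 7));
}

// 0xFF if a <= b, else 0x00, from the sign bit of (a - b - 1) in 16-bit arithmetic.
static inline uint8_t ct_le8(uint8_t a, uint8_t b) {
    uint16_t d = static_cast<uint16_t>(static_cast<unsigned>(a) - b - 1u);
    return static_cast<uint8_t>(0u - (d >> 15));
}

// Constant-time buffer equality (the job of same_mem / constant_time_compare):
// every byte is visited and the verdict depends only on the OR of all differences.
bool constant_time_compare(const uint8_t* a, const uint8_t* b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; ++i) diff |= static_cast<uint8_t>(a[i] ^ b[i]);
    return ct_nonzero_mask(diff) == 0;
}

// Convenience wrapper; lengths are public, so comparing them early is fine.
bool ct_equal_str(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    return constant_time_compare(reinterpret_cast<const uint8_t*>(a.data()),
                                 reinterpret_cast<const uint8_t*>(b.data()), a.size());
}

// TLS 1.0-1.2 CBC padding: pad_len bytes equal to pad_len, then the pad_len byte,
// so at most 256 trailing bytes are ever part of the padding.

// Early-exit shape, for contrast: the loop stops at the first mismatch, so the
// running time reveals how many trailing bytes matched, i.e. a padding oracle.
bool naive_check_padding(const uint8_t* rec, size_t len) {
    if (len == 0) return false;
    const uint8_t pad_len = rec[len - 1];
    if (static_cast<size_t>(pad_len) + 1 > len) return false;
    for (size_t i = 0; i < pad_len; ++i)
        if (rec[len - 2 - i] != pad_len) return false;
    return true;
}

// Branch-free check: 0xFF if valid, 0x00 otherwise. Control flow and memory
// addresses depend only on len (public); pad_len and the padding bytes flow
// through arithmetic only. Exactly min(len, 256) trailing bytes are read.
uint8_t ct_check_padding(const uint8_t* rec, size_t len) {
    if (len == 0) return 0x00;
    const uint8_t pad_len = rec[len - 1];
    const size_t window = len < 256 ? len : 256;
    // pad_len + 1 <= len must hold; it always does once len >= 256.
    const uint8_t fits = (len >= 256) ? 0xFF
                                      : ct_le8(pad_len, static_cast<uint8_t>(len - 1));
    uint8_t bad = 0;
    for (size_t i = 0; i < window; ++i) {            // i == 0 is the pad_len byte
        const uint8_t byte = rec[len - 1 - i];
        const uint8_t in_pad = ct_le8(static_cast<uint8_t>(i), pad_len);
        bad |= static_cast<uint8_t>(in_pad & (byte ^ pad_len));
    }
    return static_cast<uint8_t>(fits & ~ct_nonzero_mask(bad));
}

// Constructed sample record: `payload` bytes of 0xAB plus pad_len + 1 padding
// bytes. No MAC: this demo covers only the padding step.
std::vector<uint8_t> make_padded_record(size_t payload, uint8_t pad_len) {
    std::vector<uint8_t> rec(payload, 0xAB);
    rec.resize(rec.size() + pad_len + 1, pad_len);
    return rec;
}

// 1 if both checks accept, 0 if both reject, 2 if they disagree (a bug).
int verdict_raw(const std::vector<uint8_t>& rec) {
    const bool naive = naive_check_padding(rec.data(), rec.size());
    const bool ct = ct_check_padding(rec.data(), rec.size()) == 0xFF;
    if (naive != ct) return 2;
    return ct ? 1 : 0;
}

// Same, on a constructed record; corrupt_from_end >= 0 flips one bit of the
// byte that many positions from the end (0 is the pad_len byte itself).
int verdict(size_t payload, uint8_t pad_len, int corrupt_from_end) {
    std::vector<uint8_t> rec = make_padded_record(payload, pad_len);
    if (corrupt_from_end >= 0)
        rec[rec.size() - 1 - static_cast<size_t>(corrupt_from_end)] ^= 0x01;
    return verdict_raw(rec);
}

int main() {
    std::printf("valid pad:          %d\n", verdict(40, 7, -1));              // 1
    std::printf("corrupted pad byte: %d\n", verdict(40, 7, 3));               // 0
    std::printf("corrupted payload:  %d\n", verdict(40, 3, 4));               // 1
    std::printf("1256-byte record:   %d\n", verdict(1000, 255, -1));          // 1
    std::printf("pad exceeds record: %d\n", verdict_raw({0, 0, 0, 0, 9}));    // 0
    return 0;
}
```

The ``min(len, 256)`` window is the point of the 2.3.0 entry: a 16 KiB record
no longer costs 16 KiB of padding inspection, and the loop bound is still a
function of the public length only. In a real record layer the MAC must then be
checked over a length that does not depend on the padding verdict either; a
correct padding check alone does not close the Lucky 13 class of timing leaks.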

Version 2.2.0, 2017-08-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add the Ed25519 signature scheme (GH #1066)

* The format of x25519 keys, which previously used a non-standard encoding,
  has changed to match the upcoming IETF specification. (GH #1076)

* Add the SM2 signature scheme (GH #1082)

* Add the SM2 public key encryption scheme (GH #1142)

* Add the SM3 hash function (GH #996)

* Add the Streebog (GOST R 34.11-2012) hash function (GH #1114)

* Add the SM4 block cipher (GH #1080)

* Add the PGP S2K algorithm (GH #1060)

* Add SP 800-56A KDF (GH #1040)

* Add ChaCha_RNG which is a very fast and completely non-standard
  random bit generator (GH #1137)

* Add support for SHA-1 and SHA-2 instructions added in Intel Goldmont
  (GH #826)

* Add support for SHA-1 and SHA-2 instructions added in ARMv8 (GH #844)

* Add support for HOTP (RFC 4226) and TOTP (RFC 6238)
  one-time-password algorithms (GH #1054)

* Fix a bug that caused secure_allocator to not fully zeroize blocks
  when sizeof(T) was greater than 1.

* Add HashFunction::copy_state which allows efficiently computing the
  hash of several messages with a common prefix (GH #1056 #1037)

* ECC keys now encode their parameters using an OID instead of a literal
  encoding of the domain parameters. This will lead to smaller public and
  private keys in most instances. (GH #1093)

* The OpenSSL backend now supports the 1.1.0 API (GH #1056)

* Add a preliminary provider using BearSSL, currently EC and hashes supported
  (GH #1094)

* Fix a bug in certificate path length checking that could cause valid
  chains to be rejected. (GH #1053)

* It is possible for CBC, CFB, and stream ciphers to carry over the
  nonce from the previous message, which is needed by some applications.
  This worked in 1.10 but broke in 2.0. (GH #1044 fixing GH #864)

* Avoid recursion in BER_Decoder::get_next_object which could cause
  stack exhaustion. (GH #989)

* Fix missing flush in DataSink_Stream::end_msg. (GH #972 fixing GH #972)

* Allow seeking in the big endian counter mode of operation (GH #999)

* Support loading ElGamal keys through FFI interface (GH #1008)

* Support Windows sockets in ``http_util`` (allowing OCSP checks on Windows),
  as well as in the TLS command line utils (GH #1138).

* The ``--destdir`` flag to ``configure.py`` has been removed. Instead use
  the ``DESTDIR`` environment variable at install time. This change was
  done to more closely match how autoconf handles this case.
  (GH #1139 #1111 #997 #996).

* Many changes to configure.py and botan2.py to make them pylint clean
  (GH #1041 #1002 #984)

* Add command line utils ``hmac`` (GH #1001), ``encryption`` (GH #359),
  ``hex_enc``, and ``hex_dec``.

* Fix an error in ``sign_cert`` command line util, which ignored the
  ``--ca-key-pass`` option. (GH #1106)

* The ``speed`` util can now benchmark multiple buffer sizes (GH #1084)

* Fix return value of FFI botan_bcrypt_is_valid (GH #1033)

* Support generating RSA keys using OpenSSL (GH #1035)

* Add new FFI functions botan_hash_block_size (GH #1036),
  botan_hash_copy_state (GH #1059), botan_scrub_mem

* Add support for RFC 3394 keywrap through FFI (GH #1135)

* Support AES-CBC ciphers via OpenSSL (GH #1022)

* Add function to return certificates included in OCSP response (GH #1123)

* Complete wildcard handling for X.509 certificates (GH #1017)

* Add some missing functions to TLS::Text_Policy (GH #1023)

* It was previously possible to use ``--single-amalgamation-file``
  without ``--amalgamation``, though it did not do anything useful.
  Now ``--single-amalgamation-file`` requires ``--amalgamation`` also be set
  on the command line.

Version 2.1.0, 2017-04-04
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix incorrect truncation in Bcrypt. Passwords between 56 and 72 characters
  in length were truncated at 56 characters. Found and reported by Solar Designer.
  (CVE-2017-7252) (GH #938)

* Fix a bug in X509 DN string comparisons that could result in out of bound
  reads. This could result in information leakage, denial of service, or
  potentially incorrect certificate validation results. Found independently
  by Cisco Talos team and OSS-Fuzz. (CVE-2017-2801)

* Correct minimum work factor for Bcrypt password hashes. All other
  implementations require the work factor be at least 4. Previously Botan simply
  required it be greater than zero. (GH #938)

* Converge on a single side channel silent EC blinded multiply algorithm.
  Uses Montgomery ladder with order/2 bits scalar blinding and point randomization
  now by default. (GH #893)

* Add ability to search for certificates using the SHA-256 of the distinguished name.
  (GH #900)

* Support a 0-length IV in ChaCha stream cipher. Such an IV is treated
  identically to an 8-byte IV of all zeros.

* Add new interfaces to the C API including multiple precision integers, key
  validity tests, block ciphers, and extracting algorithm specific key parameters
  (such as the modulus and public exponent from RSA public keys). GH #899 #944
  #946 #961 #964

* The PKCS11 module did not require any external dependencies, so it
  has been enabled by default. The ``--with-pkcs11`` and ``--without-pkcs11``
  flags to ``configure.py`` have been removed. PKCS11 can still be disabled
  using ``--disable-modules=pkcs11`` (GH #837)

* Add ``OS::run_cpu_instruction_probe`` for runtime probing of ISA extensions.
  Supporting this requires system-specific techniques; currently Windows SEH and
  Unix signal handling are supported.

* Add support for ARM NEON in the SIMD_4x32 type

* Add support for ARM CPU feature detection using getauxval (GH #843)

* Previously Botan forbade any use of times past 2037 to avoid Y2038 issues.
  Now this restriction is only in place on systems which have a 32-bit
  ``time_t``. (GH #933 fixing #917)

* Add generic type decoder function to BER decoder (GH #897)

* Fix portability or build problems affecting Sun Studio compiler (GH #846),
  Solaris, ppc64le, DragonflyBSD (GH #887)

* Add ``--with-external-libdir`` to configure.py (GH #857 fixing #19 #767)

* Add ``OS::get_high_resolution_clock`` which returns the best resolution
  clock available on the system.

* Change ``OS::get_processor_timestamp`` to return 0 if no hardware
  cycle counter is available. Previously it silently fell back on some
  other clock type.

* Report cycles/byte in the output of ``botan speed``.

* Add speed tests for modular exponentiations and ECC scalar multiplies.

* Avoid using IP address for SNI in ``tls_client``. (GH #942)

* Add command line util ``timing_test`` which enables running
  timing-based side channel analysis of TLS CBC decryption, ECC scalar
  multiplies, OAEP decoding, and other operations which are prone to
  providing an oracle via side channel. This replaces the standalone
  timing test suite added in 1.11.34, which has been removed.

* Various cleanups and refactorings (GH #965)

* Add wrapper of C++14 make_unique (GH #974)

* Fix pkg-config output when --build-dir was used (GH #936)

* Make it possible to disable ``-fstack-protector`` using a build-time flag.
  GH #863

* Add tests for TLS DSA ciphersuites, more Noekeon tests, others.

* Avoid a GCC warning that triggered on the public key types (GH #849)

* Fix various warnings flagged by pylint and pyflakes linters in
  configure.py and botan.py (GH #832 #836 #839 #962 #975)

* Improve support for OpenBSD including using getentropy (GH #954)
  for PRNG seeding, and arc4random to access system RNG (GH #953)

* Add ability to build through CMake. As of now this is only supported
  for development rather than production builds. (GH #967)

* Rename python wrapper to botan2.py (GH #847)

* Change name constraint test to use a fixed reference time. Test certs have expired.

* Increase Miller-Rabin iterations for DSA primes to match FIPS 186-4. (GH #881)

* Fix possible ISO 9796-2 padding side channel, and add a missing length check (GH #891)

* In command line utility, prefer the system RNG if it is available.

Version 2.0.1, 2017-01-09
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Change an unintended behavior of 2.0.0, which named the include
  directory ``botan-2.0``. Since future releases of Botan-2 should be
  compatible with code written against old versions, there does not
  seem to be any reason to version the include directory with the
  minor number. (GH #830 #833)

* Fix a bug which caused an error when building on Cygwin or
  other platforms where shared libraries are not supported.
  (GH #821)

* Enable use of readdir on Cygwin, which allows the tests to run (GH #824)

* Switch to readthedocs Sphinx theme by default (GH #822 #823)

Version 2.0.0, 2017-01-06
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* With this release the project adopts Semantic Versioning (GH #766)

* Fix a longstanding bug in modular exponentiation which caused most
  exponentiations modulo an even number to have an incorrect result; such moduli
  occur only rarely in cryptographic contexts.
  (GH #754)

* Fix a bug in BigInt multiply operation, introduced in 1.11.30, which could
  cause incorrect results. Found by OSS-Fuzz fuzzing the ressol function, where
  the bug manifested as an incorrect modular exponentiation. OSS-Fuzz bug #287

* Fix a bug that meant the "ietf/modp/6144" and "ietf/modp/8192" discrete log
  groups used an incorrect value for the generator, specifically the value
  (p-1)/2 was used instead of the correct value of 2.

* The DL_Group enum value X942_DH_PARAMETERS has been renamed
  ANSI_X9_42_DH_PARAMETERS to avoid a conflict with Windows headers (GH #482)

* Change default PEM header for X942 DH to match OpenSSL. Either version is
  accepted on reading. (GH #818)

* DL_Group strong generation previously set the generator to 2. However
  sometimes 2 generates the entire group mod p (order 2q) rather than the
  subgroup of order q. This is invalid by the X9.42 standard, and exposes
  incautious applications to small subgroup attacks. Now DL_Group uses the
  smallest g which is a quadratic residue. (GH #818)

* Add iOS build target instead of piggybacking on OS X configuration. (GH #793)

* Change all Public_Key derived class ctors to take a std::vector instead of a
  secure_vector for the DER encoded public key bits. (GH #768)

* Allow use of custom extensions when creating X.509 certificates (GH #744)

* The default TLS policy now requires 2048 bit or larger DH groups.

* Add BSI_TR_02102_2 TLS::Policy subclass representing BSI TR-02102-2 recommendations.

* The default Path_Validation_Restrictions constructor has changed to
  require at least 110 bit signature strength. This means 1024 bit RSA
  certificates and also SHA-1 certificates are rejected by default.
  Both settings were already the default for certificate validation in
  TLS handshake, but this changes it for applications also.
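Two of the 2.0.0 entries above, the even-modulus exponentiation fix and the change
of ``DL_Group`` strong generation to the smallest quadratic residue, rest on the
same arithmetic, and the small subgroup problem is easiest to see on a toy safe
prime. The following is an added example written for this page, not Botan code
(Botan works on ``BigInt``, this uses 32-bit words and is not constant time). The
function names ``mod_pow``, ``is_quadratic_residue``, ``order_in_safe_prime_group``,
``choose_generator`` and ``exponent_parity_from_public_value`` are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>

// Square-and-multiply a^e mod n on 32-bit operands with 64-bit intermediates.
// Plain reduction, so n may be even (the case the 2.0.0 fix repaired). Toy sizes
// only: not constant time and not a substitute for BigInt.
uint32_t mod_pow(uint32_t base, uint32_t exp, uint32_t mod) {
    if (mod == 1) return 0;
    uint64_t result = 1;
    uint64_t b = base % mod;
    while (exp != 0) {
        if (exp & 1u) result = (result * b) % mod;
        b = (b * b) % mod;
        exp >>= 1;
    }
    return static_cast<uint32_t>(result);
}

// Euler's criterion: g is a quadratic residue mod prime p iff g^((p-1)/2) == 1.
bool is_quadratic_residue(uint32_t g, uint32_t p) {
    return mod_pow(g, (p - 1) / 2, p) == 1;
}

// Multiplicative order of g mod a safe prime p = 2q + 1; possible orders are
// 1, 2, q and 2q. A DL group generator must have order exactly q.
uint32_t order_in_safe_prime_group(uint32_t g, uint32_t p, uint32_t q) {
    if (g % p == 1) return 1;
    if (mod_pow(g, 2, p) == 1) return 2;
    return mod_pow(g, q, p) == 1 ? q : 2 * q;
}

// The rule in the release note: smallest g >= 2 that is a quadratic residue,
// which for a safe prime is the same as the smallest element of order q.
uint32_t choose_generator(uint32_t p, uint32_t q) {
    for (uint32_t g = 2; g < p; ++g)
        if (order_in_safe_prime_group(g, p, q) == q) return g;
    return 0; // not reached when p = 2q + 1 is actually a safe prime
}

// Why order 2q is dangerous: if g is a non-residue, y = g^x mod p is a residue
// exactly when x is even, so the low bit of the secret exponent is public.
// With a residue g every y is a residue and this test reveals nothing.
int exponent_parity_from_public_value(uint32_t y, uint32_t p) {
    return is_quadratic_residue(y, p) ? 0 : 1;
}

int main() {
    const uint32_t p = 11, q = 5;                  // toy safe prime, p = 2q + 1
    std::printf("order of 2 mod 11: %u (want %u)\n",
                order_in_safe_prime_group(2, p, q), q);
    std::printf("chosen generator:  %u\n", choose_generator(p, q));
    for (uint32_t x = 1; x <= 4; ++x)               // secret exponents
        std::printf("g=2, x=%u: leaked parity %d\n", x,
                    exponent_parity_from_public_value(mod_pow(2, x, p), p));
    std::printf("3^5 mod 10 = %u\n", mod_pow(3, 5, 10));   // even modulus
    return 0;
}
```

For p = 11, g = 2 has order 10 and every public value g^x reveals whether x is
even; the residue g = 3 has order 5 and leaks nothing. For p = 23 the value 2
happens to be a residue already, which is why the old "always use 2" rule was
right often enough to go unnoticed. Whether 2 is a residue depends only on
p mod 8, so the search in ``choose_generator`` rarely goes beyond the first
few candidates.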

* Add ISO 9796-2 signature padding schemes DS2 and DS3. These schemes provide
  message recovery (part or all of the plaintext message can be recovered from
  the signature alone) and are used by some industry protocols. (GH #759)

* Rewrite all the code that handles parsing CBC padding bytes to run without
  conditional jumps or loads. (GH #765 #728)

* Fix deref of invalid memory location in TLS client when the server chooses a
  ciphersuite value larger than the largest TLS ciphersuite ID compiled into the
  table. This might conceivably cause a crash in rare circumstances, but does
  not seem to be further exploitable. (GH #758)

* Rename Public_Key::x509_subject_public_key, which does not return a
  X.509 SubjectPublicKey, to public_key_bits. Add a new non-virtual function
  Public_Key::subject_public_key which does exactly that. (GH #685 #757)

* Rename Private_Key::pkcs8_private_key, which does not return a
  PKCS#8 private key, to private_key_bits. Add a new non-virtual function
  Private_Key::private_key_info which does exactly that. (GH #685 #757)

* The deprecated ECB Cipher_Mode class has been removed (GH #756)

* The class SRP6_Authenticator_File (in srp6_files.h) was meant to parse GnuTLS
  SRP files. But it was completely untested, and it turns out due to several
  problems it was completely unable to parse any SRP file correctly. It has
  been removed, with a future replacement planned that can handle either
  flat files (in the actual SRP format) or a SQL database.

* Fix test errors when write access to /dev/urandom is prohibited (GH #748)

* Add more Diffie-Hellman tests (GH #790), tests for RSA blinding, others.

* Add ``tls_ciphers`` command which prints the ciphersuites a client
  hello will contain, depending on the policy specified.

* Prevent TLS from negotiating SHA-2 ciphersuites in TLS v1.0/v1.1.
  These ciphersuites are technically not defined except for v1.2, so disable
  them in older protocols. (GH #496)

* Documentation: add project goals (GH #788) and side channel info (GH #787)

Older Versions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The release notes for versions 0.7.0 through 1.11.34 can be found in
  ``doc/old_news.rst``