Release Notes: 0.7.0 to 1.11.34

Version 1.10.17, 2017-10-02

  • Address a side channel affecting modular exponentiation. An attacker capable of a local or cross-VM cache analysis attack may be able to recover bits of secret exponents as used in RSA, DH, etc. CVE-2017-14737

  • Workaround a miscompilation bug in GCC 7 on x86-32 affecting GOST-34.11 hash function. (GH #1192 #1148 #882)

  • Add SecureVector::data() function which returns the start of the buffer. This makes it slightly simpler to support both 1.10 and 2.x APIs in the same codebase.

  • When compiled by a C++11 (or later) compiler, a template typedef of SecureVector, secure_vector, is added. In 2.x this class is a std::vector with a custom allocator, so has a somewhat different interface than SecureVector in 1.10. But this makes it slightly simpler to support both 1.10 and 2.x APIs in the same codebase.

  • Fix a bug that prevented configure.py from running under Python3

  • Botan 1.10.x does not support the OpenSSL 1.1 API. Now the build will #error if OpenSSL 1.1 is detected. Avoid --with-openssl if compiling against 1.1 or later. (GH #753)

  • Import patches from Debian adding basic support for building on aarch64, ppc64le, or1k, and mipsn32 platforms.

Version 1.10.16, 2017-04-04

  • Fix a bug in X509 DN string comparisons that could result in out of bound reads. This could result in information leakage, denial of service, or potentially incorrect certificate validation results. (CVE-2017-2801)

  • Avoid throwing during a destructor since this is undefined in C++11 and rarely a good idea. (GH #930)

Version 1.10.15, 2017-01-12

  • Fix a bug causing modular exponentiations done modulo even numbers to almost always be incorrect, unless the values were small. This bug is not known to affect any cryptographic operation in Botan. (GH #754)

  • Avoid use of C++11 std::to_string in some code added in 1.10.14 (GH #747 #834)

Version 1.11.34, 2016-11-28

  • Fix integer overflow during BER decoding, found by Falko Strenzke. This bug is not thought to be directly exploitable but upgrading ASAP is advised. (CVE-2016-9132)

  • Add post-quantum signature scheme XMSS. Provides either 128 or 256 bit (post-quantum) security, with small public and private keys, fast verification, and reasonably small signatures (2500 bytes for 128-bit security). Signature generation is very slow, on the order of seconds. And very importantly the signature scheme is stateful: each leaf index must only be used once, or all security is lost. In the appropriate system where signatures are rarely generated (such as code signing) XMSS makes an excellent choice. (GH #717 #736)

  • Add support for CECPQ1 TLS ciphersuites. These use a combination of x25519 ECDH and NewHope to provide post-quantum security. The ciphersuites are not an IETF standard, but are compatible with BoringSSL. (GH #729)

  • Add support for client-side OCSP stapling to TLS. (GH #738)

  • Previously both public and private keys performed automatic self testing after generation or loading. However this often caused unexpected application performance problems, and so has been removed. Instead applications must call check_key explicitly. (GH #704)

  • Fix TLS session resumption bugs which caused resumption failures if an application used a single session cache for both TLS and DTLS. (GH #688)

  • Add SHAKE-128 and SHAKE-256 XOFs as hash functions supporting parameterized output lengths.

  • Add MessageAuthenticationCode::start_msg interface, for MACs which require or can use a nonce (GH #691)

  • Add GMAC, a MAC based on GCM (GH #488 / #691)

  • Add ESP block cipher padding from RFC 4304. GH #724

  • Incompatible change to HKDF: previously the HKDF type in Botan was only the Expand half of HKDF. Now HKDF is the full Extract-then-Expand KDF, and HKDF_Extract and HKDF_Expand are available. If you previously used HKDF, you must switch to using HKDF_Expand. (GH #723)
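The following is an added illustration of the HKDF change above, not Botan's own code: the pre-1.11.34 HKDF type was only RFC 5869's Expand step, while the new HKDF is Extract-then-Expand. HMAC-SHA-256 is assumed as the underlying PRF.

```python
import hashlib
import hmac

# Added example (not Botan's code): the old Botan "HKDF" type performed only the
# Expand step; from 1.11.34 the HKDF name means Extract-then-Expand per RFC 5869,
# and HKDF_Expand is the replacement for the old behaviour. HMAC-SHA-256 assumed.

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract: PRK = HMAC(salt, IKM). An empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand: what Botan's pre-1.11.34 HKDF did, and what HKDF_Expand now does."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        # T(i) = HMAC(PRK, T(i-1) || info || i), with T(0) empty
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Full Extract-then-Expand: what the HKDF name means from 1.11.34 on."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def legacy_hkdf(secret: bytes, info: bytes, length: int) -> bytes:
    """Old behaviour: the caller's secret is fed straight into Expand as the PRK.
    Code relying on this must call HKDF_Expand in 1.11.34+ to get the same bytes;
    calling the new HKDF with the same inputs derives different key material."""
    return hkdf_expand(secret, info, length)
```

The RFC 5869 test vectors distinguish the two: only the full Extract-then-Expand output matches them, so a mismatch after upgrading is the symptom described in the note.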

  • Add Cipher_Mode::reset, which discards message-specific state while allowing continued processing under the same key. (GH #552)

  • The ability to add OIDs at runtime has been removed. This additionally removes a global lock which was acquired on each OID lookup. (GH #706)

  • The default TLS policy now disables static RSA ciphersuites, all DSA ciphersuites, and the AES CCM-8 ciphersuites. Disabling static RSA by default protects servers from oracle attacks, as well as enforcing a forward secure ciphersuite. Some applications may be forced to re-enable RSA for interop reasons. DSA and CCM-8 are rarely used, and likely should not be negotiated outside of special circumstances.

  • The default TLS policy now prefers ChaCha20Poly1305 cipher over any AES mode.

  • The default TLS policy now orders ECC curve preferences by performance, with x25519 first, then P-256, then P-521, then the rest.

  • Add a BSD sockets version of the HTTP client code used for OCSP. GH #699

  • Export the public key workfactor functions (GH #734) and add tests for them.

  • HMAC_DRBG allows configuring maximum number of bytes before reseed check (GH #690)

  • Salsa20 now accepts a null IV as equivalent to an all-zero one (GH #697)

  • Optimize ECKCDSA verification (GH #700 #701 #702)

  • The deprecated RNGs HMAC_RNG and X9.31 RNG have been removed. Now the only userspace PRNG included in the library is HMAC_DRBG. (GH #692)

  • The entropy sources for EGD and BeOS, as well as the Unix entropy source which executed processes to get statistical data have been removed. (GH #692)

  • The openpgp module (which just implemented OpenPGP compatible base64 encoding and decoding, nothing else) has been removed.

  • Added new configure.py argument --optimize-for-size. Currently just sets the flag for code size optimizations with the compiler, but may have other effects in the future.

  • Fixed bug in Threaded_Fork causing incorrect computations (GH #695 #716)

  • Add DSA deterministic parameter generation test from FIPS 186-3.

  • Fix PKCS11_ECDSA_PrivateKey::check_key (GH #712)

  • Fixed problems running configure.py outside of the base directory

  • The BOTAN_ENTROPY_PROC_FS_PATH value in build.h was being ignored (GH #708)

  • Add speed tests for ECGDSA and ECKCDSA (GH #696)

  • Fix a crash in speed command for Salsa20 (GH #697)

  • Allow a custom ECC curve to be specified at build time, for application or system specific curves. (GH #636 #710)

  • Use NOMINMAX on Windows to avoid problems in amalgamation build. (GH #740)

  • Add support to output bakefiles with new configure.py option --with-bakefile. (GH #360 #720)

  • The function zero_mem has been renamed secure_scrub_memory

  • More tests for pipe/filter (GH #689 #693), AEADs (GH #552), KDF::name (GH #727),

  • Add a test suite for timing analysis for TLS CBC decryption, OAEP decryption, and PKCS #1 v1.5 decryption. These operations all have the feature that if an attacker can distinguish internal operations, such as through a variance in timing, they can use this oracle to decrypt arbitrary ciphertexts. GH #733

  • Add a test suite for testing and fuzzing with TLS-Attacker, a tool for analyzing TLS libraries. (https://github.com/RUB-NDS/TLS-Attacker)

  • Add a fuzzing framework. Supports fuzzing some APIs using AFL and libFuzzer.

  • Added documentation for PKCS #11 (GH #725)

  • The LibraryInitializer type is no longer needed and is now deprecated.

  • The license and news files were moved from doc to the top level directory. There should not be any other visible change (eg, to the installed version) as a result of this move.

  • Fixed some problems when running configure.py outside of the base directory, especially when using relative paths.

  • Add (back) the Perl XS wrapper and sqlite encryption code.

Version 1.10.14, 2016-11-28

  • NOTE WELL: Botan 1.10.x is supported for security patches only until 2017-12-31

  • Fix integer overflow during BER decoding, found by Falko Strenzke. This bug is not thought to be directly exploitable but upgrading ASAP is advised. (CVE-2016-9132)

  • Fix two cases where (in error situations) an exception would be thrown from a destructor, causing a call to std::terminate.

  • When RC4 is disabled in the build, also prevent it from being included in the OpenSSL provider. (GH #638)

Version 1.11.33, 2016-10-26

  • Avoid side channel during OAEP decryption. (CVE-2016-8871)

  • A countermeasure for the Lucky13 timing attack against CBC-based TLS ciphersuites has been added. (GH #675)

  • Added X25519-based key exchange for TLS (GH #673)

  • Add Certificate_Store_In_SQL which supports storing certs, keys, and revocation information in a SQL database. Subclass Certificate_Store_In_SQLite specializes with support for SQLite3 databases. (GH #631)

  • The Certificate_Store interface has been changed to deal with std::shared_ptrs instead of raw pointers (GH #471 #631)

  • Add support for official SHA-3. Keccak-1600 was already supported but used different padding from FIPS 202. (GH #669)

  • Add SHAKE-128 based stream cipher. (GH #669)

  • NewHope key exchange now supports the SHA-256/AES-128-CTR scheme used by BoringSSL in addition to the SHA-3/SHAKE-128 parameters used by the reference implementation. (GH #669)

  • Add support for the TLS Supported Point Formats Extension from RFC 4492. Adds TLS::Policy::use_ecc_point_compression policy option. If supported on both sides, ECC points can be sent in compressed format which saves a few bytes during the handshake. (GH #645)

  • Fix entropy source selection bug on Windows, which caused the CryptoAPI entropy source to be not available under its normal name “win32_cryptoapi” but instead “dev_random”. GH #644

  • Accept read-only access to /dev/urandom. System_RNG previously required read-write access, to allow applications to provide inputs to the system PRNG. But local security policies might only allow read-only access, as is the case with Ubuntu’s AppArmor profile for applications in the Snappy binary format. If opening read/write fails, System_RNG silently backs down to read-only, in which case calls to add_entropy on that object will fail. (GH #647 #648)

  • Fix use of Win32 CryptoAPI RNG as an entropy source, which was accidentally disabled due to an empty list of acceptable providers being specified. Typically the library would fall back to gathering entropy from OS functions returning statistical information, but if this functionality was disabled in the build a PRNG_Unseeded exception would result. (GH #655)

  • Add support for building the library as part of the IncludeOS unikernel. This included making filesystem and threading support optional. (GH #665)

  • Added ISA annotations so that with GCC (all supported versions) and Clang (since 3.7) it is no longer required to compile amalgamation files with ABI specific flags such as -maes. (GH #665)

  • Internal cleanups to TLS CBC record handling. TLS CBC ciphersuites can now be disabled by disabling tls_cbc module. (GH #642 #659)

  • Internal cleanups to the object lookup code eliminate most global locks and all use of static initializers (GH #668 #465)

  • Avoid static_assert triggering under MSVC debug builds (GH #646)

  • The antique PBKDF1 password hashing scheme is deprecated and will be removed in a future release. It was only used to support the equally ancient PBES1 private key encryption scheme, which was removed in 1.11.8.

  • Added MSVC debug/checked iterator builds (GH #666 #667)

  • Added Linux ppc64le cross compile target to Travis CI (GH #654)

  • If RC4 is disabled, also disable it coming from the OpenSSL provider (GH #641)

  • Add TLS message parsing tests (GH #640)

  • Updated BSI policy to prohibit DES, HKDF, HMAC_RNG (GH #649)

  • Documentation improvements (GH #660 #662 #663 #670)

Version 1.11.32, 2016-09-28

  • Add support for the NewHope Ring-LWE key encapsulation algorithm. This scheme provides an estimated ~200 bit security level against a quantum attacker while also being very fast and requiring only modest message sizes of 1824 and 2048 bytes for initiator and responder, resp. This version is tested as having bit-for-bit identical output as the reference implementation by the authors.

    Be warned that NewHope is still a very new scheme and may yet fall to analysis. For best assurance, NewHope should be used only in combination with another key exchange mechanism, such as ECDH.

  • New TLS callbacks API. Instead of numerous std::function callbacks, the application passes an object implementing the TLS::Callbacks interface, which has virtual functions matching the previous callbacks (plus some extras). Full source compatibility with previous versions is maintained for now, but the old interface is deprecated and will be removed in a future release. The manual has been updated to reflect the changes. (GH #457 and #567)

  • Add support for TLS Encrypt-then-MAC extension (GH #492 and #578), which fixes the known issues in the TLS CBC-HMAC construction.

  • The format of the TLS session struct has changed (to support EtM), so old TLS session caches will be invalidated.

  • How the library presents optimized algorithm implementations has changed. For example with the algorithm AES-128, previously there were three BlockCipher classes AES_128, AES_128_SSSE3, and AES_128_NI which used (resp) a table-based implementation vulnerable to side channels, a constant time version using SSSE3 SIMD extensions on modern x86, and x86 AES-NI instructions. Using the correct version at runtime required using BlockCipher::create. Now, only the class AES_128 is presented, and the best available version is always used based on CPUID checks. The tests have been extended to selectively disable CPUID bits to ensure all available versions are tested. (GH #477 #623)

    Removes API classes AES_128_NI, AES_192_NI, AES_256_NI, AES_128_SSSE3, AES_192_SSSE3, AES_256_SSSE3, IDEA_SSE2, Noekeon_SIMD, Serpent_SIMD, Threefish_512_AVX2, SHA_160_SSE2

  • The deprecated algorithms Rabin-Williams, Nyberg-Rueppel, MARS, RC2, RC5, RC6, SAFER-SK, TEA, MD2, HAS-160, and RIPEMD-128 have been removed. (GH #580)

  • A new Cipher_Mode interface process allows encryption/decryption of buffers without requiring copying into secure_vector first. (GH #516)

  • Fix verification of self-issued certificates (GH #634)

  • SSE2 optimizations for ChaCha, 60% faster on both Westmere and Skylake (GH #616)

  • The HMAC_RNG constructor added in 1.11.31 that took both an RNG and an entropy source list ignored the entropy sources.

  • The configure option --via-amalgamation was renamed to --amalgamation. The configure option --gen-amalgamation was removed. It generated amalgamation files but built Botan without using them. Users should migrate to --amalgamation. (GH #621)

  • DH keys did not automatically self-test after being generated, contrary to the current behavior for other key types.

  • Add tests for TLS 1.2 PRF (GH #628)

Version 1.11.31, 2016-08-30

  • Fix undefined behavior in Curve25519 on platforms without a native 128-bit integer type. This was known to produce incorrect results on 32-bit ARM under Clang. GH #532 (CVE-2016-6878)

  • If X509_Certificate::allowed_usage was called with more than one Key_Usage set in the enum value, the function would return true if any of the allowed usages were set, instead of if all of the allowed usages are set. GH #591 (CVE-2016-6879)
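    The following is an added illustration of the CVE-2016-6879 check, not Botan's code: the buggy version tests whether any required Key_Usage bit is present, the fixed version whether all of them are. The bit values and the treatment of a missing extension as unconstrained are assumptions of the example.

```python
from enum import IntFlag

# Added example (not Botan's code) of the CVE-2016-6879 logic error: an "any bit"
# mask test where an "all bits" test was required. The bit assignments below are
# constructed for the example; only the masking logic matters.


class KeyUsage(IntFlag):
    NO_CONSTRAINTS = 0          # assumption: no extension present => unconstrained
    DIGITAL_SIGNATURE = 1 << 0
    NON_REPUDIATION = 1 << 1
    KEY_ENCIPHERMENT = 1 << 2
    DATA_ENCIPHERMENT = 1 << 3
    KEY_AGREEMENT = 1 << 4
    KEY_CERT_SIGN = 1 << 5
    CRL_SIGN = 1 << 6


def allowed_usage_buggy(cert_usage: KeyUsage, required: KeyUsage) -> bool:
    """Pre-1.11.31 behaviour: accepts if ANY of the required bits is set.

    A certificate issued for signing only would pass a check requiring
    signing AND key encipherment, so the caller proceeds with a usage the
    CA never authorised."""
    if cert_usage == KeyUsage.NO_CONSTRAINTS:
        return True
    return (cert_usage & required) != 0


def allowed_usage_fixed(cert_usage: KeyUsage, required: KeyUsage) -> bool:
    """1.11.31 behaviour: accepts only if ALL of the required bits are set."""
    if cert_usage == KeyUsage.NO_CONSTRAINTS:
        return True
    return (cert_usage & required) == required


def compare(cert_usage: KeyUsage, required: KeyUsage) -> tuple:
    """Return (buggy_result, fixed_result) so the divergence is easy to inspect."""
    return (allowed_usage_buggy(cert_usage, required),
            allowed_usage_fixed(cert_usage, required))
```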

  • Incompatible changes in DLIES: Previously the input to the KDF was the concatenation of the (ephemeral) public key and the secret value derived by the key agreement operation. Now the input is only the secret value obtained by the key agreement operati