Release 1.11.291.11.29

3 files changed, 115 insertions, 36 deletions

diff --git a/doc/news.rst b/doc/news.rst
index b2bfd4d67..9a7e7fe05 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -1,25 +1,94 @@
 Release Notes
 ========================================
 
-Version 1.11.29, Not Yet Released
+Version 1.11.29, 2016-03-20
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-* Deprecation warning: Rabin-Williams is deprecated and will likely be
-  removed in a future release unless some good reason to keep it
-  (current application use or real protocols using it) is found.
+* CVE-2016-2849 DSA and ECDSA used a modular inverse function which
+  had input dependent loops. It is possible a side channel attack on
+  this function could be used to recover sufficient information about
+  the nonce k to mount a lattice attack and recover the private key.
+  Found by Sean Devlin.
+
+* CVE-2016-2850 The TLS client did not check that the signature
+  algorithm or ECC curve a v1.2 server used was actually acceptable by
+  the policy. This would allow a server who ignored the preferences
+  indicated in the client to use a weak algorithm, and may allow MITM
+  attacks by an attacker who can break MD5 signatures or 160 bit ECC
+  in real time. The server similarly failed to check on the hash a
+  client used during client certificate authentication.
 
 * Reject empty TLS records at the record processing layer since such a
   record is not valid regardless of the record type. Later checks
   already correctly rejected empty records, but during processing such
-  a record a pointer to the end of the vector was created, causing a
-  assertion when using checked iterators. Found by Juraj Somorovsky.
+  a record, a pointer to the end of the vector was created, causing a
+  assertion failure under checked iterators. Found by Juraj Somorovsky.
+
+* Add PK_Decryptor::decrypt_or_random which allows an application to
+  atomically (in constant time) check that a decrypted ciphertext has
+  the expected length and/or apply content checks on the result. This
+  is used by the TLS server for decrypting PKCS #1 v1.5 RSA ciphertexts.
+  Previously the server used a implementation which was potentially
+  vulnerable to side channels.
+
+* Add support for processing X.509 name constraint extension during
+  path validation. GH #454
 
-* Support for the TLS heartbeat extension has been removed.
+* Add X509_Certificate::v3_extensions which allows retreiving the
+  raw binary of all certificate extensions, including those which
+  are not unknown to the library. This allows processing of custom
+  extensions. GH #437
 
-* Support for the TLS minimum fragment length extension has been removed.
+* Add support for module policies which are a preconfigured set of
+  acceptable or prohibited modules. A policy based on BSI TR-02102-1
+  is included. GH #439 #446
+
+* Support for the deprecated TLS heartbeat extension has been removed.
+
+* Support for the deprecated TLS minimum fragment length extension has
+  been removed.
 
 * SRP6 support is now optional in TLS
 
+* Support for negotiating MD5 and SHA-224 signatures in TLS v1.2 has
+  been removed. MD5 signatures are demonstratably insecure in TLS,
+  SHA-224 is rarely used.
+
+* Support for negotiating ECC curves secp160r1, secp160r2, secp160k1,
+  secp192k1, secp192r1 (P-192), secp224k1, secp224r1 (P-224), and
+  secp256k1 have been removed from the TLS implementation. All were
+  already disabled in the default policy.
+
+* HMAC_RNG now has an explicit check for fork using pid comparisons.
+  It also includes the pid and system and CPU clocks into the PRF
+  computation to help reduce the risk of pid wraparound. Even so,
+  applications using fork and userspace RNGs should explicitly reseed
+  all such RNGs whenever possible.
+
+* Deprecation warning: support for DSA certificates in TLS is
+  deprecated and will be removed in a future release.
+
+* Deprecation warning: in addition to the algorithms deprecated in
+  1.11.26, the following algorithms are now deprecated and will be
+  removed in a future release: Rabin-Williams signatures, TEA, XTEA.
+
+* Deprecation warning: the library has a number of compiled in MODP
+  and ECC DL parameters. All MODP parameter sets under 2048 bits and
+  all ECC parameters under 256 bits are deprecated and will be removed
+  in a future release. This includes the MODP groups "modp/ietf/1024",
+  "modp/srp/1024", "modp/ietf/1536", "modp/srp/1536" and the ECC
+  groups "secp160k1", "secp160r1", "secp160r2", "secp192k1",
+  "secp192r1", "secp224k1", "secp224r1", "brainpool160r1",
+  "brainpool192r1", "brainpool224r1", "x962_p192v2", "x962_p192v3",
+  "x962_p239v1", "x962_p239v2" and "x962_p239v3". Additionally all
+  compiled in DSA parameter sets ("dsa/jce/1024", "dsa/botan/2048",
+  and "dsa/botan/3072") are also deprecated.
+
+* RDSEED/RDRAND polling now retries if the operation fails. GH #373
+
+* Fix various minor bugs found by static analysis with PVS-Studio (GH#421),
+  Clang analyzer (GH #441), cppcheck (GH #444, #445), and Coverity.
+
 * Add --with-valgrind configure option to enable building against the
   valgrind client API. This currently enables checking of const time
   operations using memcheck.
@@ -41,7 +110,7 @@ Version 1.11.29, Not Yet Released
 
 * Small optimizations to Keccak hash
 
-* Support for locking allocator on Windows using VirtualLock/VirtualUnlock
+* Support for locking allocator on Windows using VirtualLock. GH #450
 
 Version 1.10.12, 2016-02-03
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/doc/security.rst b/doc/security.rst
index 4f18381d6..c2858cb0a 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -19,6 +19,29 @@ Advisories
 2016
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
+* 2016-03-17 (CVE-2016-2849): ECDSA side channel
+
+  ECDSA (and DSA) signature algorithms perform a modular inverse on the
+  signature nonce `k`.  The modular inverse algorithm used had input dependent
+  loops, and it is possible a side channel attack could recover sufficient
+  information about the nonce to eventually recover the ECDSA secret key. Found
+  by Sean Devlin.
+
+  Introduced in 1.7.15, fixed in 1.11.29
+
+* 2016-03-17 (CVE-2016-2850): Failure to enforce TLS policy
+
+  TLS v1.2 allows negotiating which signature algorithms and hash functions each
+  side is willing to accept. However received signatures were not actually
+  checked against the specified policy.  This had the effect of allowing a
+  server to use an MD5 or SHA-1 signature, even though the default policy
+  prohibits it. The same issue affected client cert authentication.
+
+  The TLS client also failed to verify that the ECC curve the server chose to
+  use was one which was acceptable by the client policy.
+
+  Introduced in 1.11.0, fixed in 1.11.29
+
 * 2016-02-01 (CVE-2016-2196): Overwrite in P-521 reduction
 
   The P-521 reduction function would overwrite zero to one word
@@ -53,7 +76,7 @@ Advisories
 
   Introduced in 1.9.18, fixed in 1.11.27 and 1.10.11
 
-* 2016-02-01 (CVE-2016-2194): Infinite loop in modulur square root algorithm
+* 2016-02-01 (CVE-2016-2194): Infinite loop in modular square root algorithm
 
   The ressol function implements the Tonelli-Shanks algorithm for
   finding square roots could be sent into a nearly infinite loop due
@@ -141,7 +164,7 @@ Advisories
 
   The BER decoder would crash due to reading from offset 0 of an empty vector if
   it encountered a BIT STRING which did not contain any data at all. This can be
-  used to easily crash applicatons reading untrusted ASN.1 data, but does not
+  used to easily crash applications reading untrusted ASN.1 data, but does not
   seem exploitable for code execution. Found with afl.
 
   Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
diff --git a/readme.rst b/readme.rst
index b4d277421..f8df887ef 100644
--- a/readme.rst
+++ b/readme.rst
@@ -84,16 +84,9 @@ All releases are signed with a
         Key fingerprint = 621D AF64 11E1 851C 4CF9  A2E1 6211 EBF1 EFBA DFBC
   uid                  Botan Distribution Key
 
-Botan may already be included in your favorite distribution, such as
-`Fedora <https://admin.fedoraproject.org/pkgdb/packages/botan>`_,
-`EPEL <http://dl.fedoraproject.org/pub/epel/7/SRPMS/repoview/botan.html>`_ (for RHEL/CentOS),
-`Debian <http://packages.debian.org/search?keywords=libbotan>`_,
-`Ubuntu <http://packages.ubuntu.com/search?keywords=botan>`_,
-`Gentoo <https://packages.gentoo.org/packages/dev-libs/botan>`_,
-`Arch <http://www.archlinux.org/packages/community/x86_64/botan/>`_,
-`Slackbuild <http://slackbuilds.org/result/?search=Botan>`_,
-`FreeBSD ports <http://www.freshports.org/security/botan110>`_, or
-`MacPorts <http://www.macports.org/ports.php?by=name&substr=botan>`_.
+Some distributions such as Arch, Fedora and Debian include packages
+for Botan. However these are often out of date; using the latest
+source release is recommended.
 
 Current Development Work (1.11)
 ----------------------------------------
@@ -102,12 +95,10 @@ The 1.11 branch is highly recommended, especially for new projects.
 Versions 1.11 and later require a working C++11 compiler; GCC 4.8 and
 later, Clang 3.4 and later, and MSVC 2013 are regularly tested.
 
-A new development release is made on the first Monday of every month.
-
 The latest development release is
-`1.11.28 <http://botan.randombit.net/releases/Botan-1.11.28.tgz>`_
-`(sig) <http://botan.randombit.net/releases/Botan-1.11.28.tgz.asc>`_
-released on 2016-02-01
+`1.11.29 <http://botan.randombit.net/releases/Botan-1.11.29.tgz>`_
+`(sig) <http://botan.randombit.net/releases/Botan-1.11.29.tgz.asc>`_
+released on 2016-03-20
 
 Old Stable Series (1.10)
 ----------------------------------------
@@ -174,8 +165,8 @@ Public Key Cryptography
 * Quantum computer resistant McEliece KEM scheme
 * GOST-34.10-2001
 * ElGamal encryption
-* Rabin-Williams signatures
-* Nyberg-Rueppel signatures
+* Rabin-Williams signatures (deprecated)
+* Nyberg-Rueppel signatures (deprecated)
 * Padding schemes OAEP, PSS, PKCS #1 v1.5, X9.31
 
 Ciphers and cipher modes
@@ -187,10 +178,10 @@ Ciphers and cipher modes
 * AES candidates Serpent, Twofish, MARS, CAST-256, RC6
 * Stream ciphers Salsa20/XSalsa20, ChaCha20, and RC4
 * DES, 3DES and DESX
+* Threefish-512, Noekeon, Blowfish, CAST-128, IDEA
 * National/telecom block ciphers SEED, KASUMI, MISTY1, GOST 28147
-* Other block ciphers including Threefish-512, Blowfish, CAST-128, IDEA,
-  Noekeon, TEA, XTEA, RC2, RC5, SAFER-SK
 * Large block cipher construction Lion
+* Deprecated ciphers TEA, XTEA, RC2, RC5, SAFER-SK
 
 Hash functions and MACs
 ----------------------------------------
@@ -219,13 +210,9 @@ Other Useful Things
 Recommended Algorithms
 ----------------------------------------
 
-If your application is protecting network traffic, seriously consider
-using TLS v1.2 as a pre built, standard and well studied protocol.
-
-Otherwise, if you simply *must* do something custom, the developers
-currently recommend using:
+* For encryption of network traffic use TLS v1.2
 
-* Message encryption: AES or Serpent in GCM mode, or ChaCha20Poly1305
+* Packet encryption: AES-128/GCM, AES-128/OCB, ChaCha20Poly1305
 
 * General hash functions: SHA-256 or SHA-384