-rw-r--r--news.rst22
-rw-r--r--src/extra_tests/fuzzers/jigs/pow_mod.cpp19
-rw-r--r--src/extra_tests/fuzzers/jigs/ressol.cpp47
-rw-r--r--src/lib/prov/pkcs11/p11_module.cpp9
-rw-r--r--src/lib/prov/pkcs11/p11_object.cpp11
-rw-r--r--src/lib/prov/pkcs11/p11_session.cpp17
-rwxr-xr-xsrc/scripts/ci/travis/after_success.sh6
-rw-r--r--src/tests/test_pkcs11_low_level.cpp21
8 files changed, 96 insertions, 56 deletions
diff --git a/news.rst b/news.rst
index a94e3e204..4d9e85924 100644
--- a/news.rst
+++ b/news.rst
@@ -19,6 +19,17 @@ Version 2.0.0, Not Yet Released
* The DL_Group enum value X942_DH_PARAMETERS has been renamed
ANSI_X9_42_DH_PARAMETERS to avoid a conflict with Windows headers (GH #482)
+* Change default PEM header for X942 DH to match OpenSSL. Either version is
+ accepted on reading. (GH #818)
+
+* DL_Group strong generation previously set the generator to 2. However
+ sometimes 2 generates the entire group mod p, rather than the subgroup mod q.
+ This is invalid by X9.42 standard, and exposes incautious applications to
+ small subgroup attacks. Now DL_Group uses the smallest g which is a quadratic
+ residue. (GH #818)
+
+* Add iOS build target instead of piggybacking on OS X configuration. (GH #793)
+
* Changes all Public_Key derived class ctors to take a std::vector instead of a
secure_vector for the DER encoded public key bits. (GH #768)
@@ -64,6 +75,17 @@ Version 2.0.0, Not Yet Released
* Fix tests errors when write access to /dev/urandom is prohibited (GH #748)
+* Add more Diffie-Hellman tests (GH #790), tests for RSA blinding, others.
+
+* Add `tls_ciphers` command which prints the ciphersuites a client
+ hello will contain, depending on the policy specified.
+
+* Prevent TLS from negotiating SHA-2 ciphersuites in TLS v1.0/v1.1. These
+ ciphersuites are technically not defined except for v1.2, so disable
+ them in older protocols. (GH #496)
+
+* Documentation: add project goals (GH #788) and side channel info (GH #787)
+
Version 1.11.34, 2016-11-28
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/src/extra_tests/fuzzers/jigs/pow_mod.cpp b/src/extra_tests/fuzzers/jigs/pow_mod.cpp
index 65181ac93..c97dd78cd 100644
--- a/src/extra_tests/fuzzers/jigs/pow_mod.cpp
+++ b/src/extra_tests/fuzzers/jigs/pow_mod.cpp
@@ -9,7 +9,7 @@
#include <botan/reducer.h>
#include <botan/pow_mod.h>
-BigInt simple_power_mod(BigInt x, BigInt n, const BigInt& p)
+BigInt simple_power_mod(BigInt x, BigInt n, const BigInt& p, const Modular_Reducer& mod_p)
{
if(n == 0)
{
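Review bot: simple_power_mod now takes both `p` and `mod_p` with nothing tying them together, so a caller that hands in a reducer built for a different modulus gets a silently wrong reference value, which would surface as a spurious mismatch against power_mod rather than as an error. Since this is the test oracle, the contract deserves a one-line precondition on the signature: `// mod_p must be the Modular_Reducer constructed from this same p`. The same coupling is what the second hunk of this file relies on after it removes the local `Modular_Reducer mod_p(p);`. Whether `p` itself is still read in the rest of the body is outside these hunks; if it is not, the parameter could be dropped in favour of `mod_p` alone.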
@@ -18,7 +18,6 @@ BigInt simple_power_mod(BigInt x, BigInt n, const BigInt& p)
return 1;
}
- Modular_Reducer mod_p(p);
BigInt y = 1;
while(n > 1)
@@ -35,17 +34,19 @@ BigInt simple_power_mod(BigInt x, BigInt n, const BigInt& p)
void fuzz(const uint8_t in[], size_t len)
{
- if(len % 3 != 0 || len > 3 * (2048/8))
- return;
+ static const size_t p_bits = 1024;
+ static const BigInt p = random_prime(fuzzer_rng(), p_bits);
+ static Modular_Reducer mod_p(p);
- const size_t part_size = len / 3;
+ if(len == 0 || len > p_bits/8)
+ return;
try
{
- const BigInt g = BigInt::decode(in, part_size);
- const BigInt x = BigInt::decode(in + part_size, part_size);
- const BigInt p = BigInt::decode(in + 2 * (part_size), part_size);
- const BigInt ref = simple_power_mod(g, x, p);
+ const BigInt g = BigInt::decode(in, len / 2);
+ const BigInt x = BigInt::decode(in + len / 2, len / 2);
+
+ const BigInt ref = simple_power_mod(g, x, p, mod_p);
const BigInt z = Botan::power_mod(g, x, p);
if(ref != z)
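Review bot: When `len` is odd the last input byte is never decoded, because both halves use `len / 2` on the lines that build `g` and `x`, so every odd-length input merely repeats its even-length prefix and adds no coverage. Giving the second half the remainder keeps the whole input in play: `const BigInt x = BigInt::decode(in + len / 2, len - len / 2);`. The new `len == 0` guard is fine; `len == 1` still decodes two empty values and checks 0^0 mod p, which is harmless. fuzz's body continues past the hunk after `if(ref != z)`.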
diff --git a/src/extra_tests/fuzzers/jigs/ressol.cpp b/src/extra_tests/fuzzers/jigs/ressol.cpp
index 97130255c..6fbb85690 100644
--- a/src/extra_tests/fuzzers/jigs/ressol.cpp
+++ b/src/extra_tests/fuzzers/jigs/ressol.cpp
@@ -6,44 +6,35 @@
#include "driver.h"
#include <botan/numthry.h>
+#include <botan/reducer.h>
void fuzz(const uint8_t in[], size_t len)
{
- /*
- * This allows two values (a,p) up to 768 bits in length, which is
- * sufficient to test ressol (modular square root) for since it is
- * mostly used for ECC.
- */
- if(len % 2 != 0 || len > 2 * (768 / 8))
- return;
+ // Ressol is mostly used for ECC point decompression so best to test smaller sizes
+ static const size_t p_bits = 256;
+ static const BigInt p = random_prime(fuzzer_rng(), p_bits);
+ static const Modular_Reducer mod_p(p);
- const BigInt a = BigInt::decode(in, len / 2);
- const BigInt n = BigInt::decode(in + len / 2, len / 2);
+ if(len > p_bits / 8)
+ return;
- try {
- BigInt a_sqrt = ressol(a, n);
+ try
+ {
+ const BigInt a = BigInt::decode(in, len);
+ BigInt a_sqrt = Botan::ressol(a, p);
if(a_sqrt > 0)
{
- /*
- * If n is not prime then the result of ressol will be bogus. But
- * this function is exposed to untrusted inputs (via OS2ECP) so
- * should not hang or crash even with composite modulus.
- * If the result is incorrect, check if n is a prime: if it is
- * then z != a is a bug.
- */
- BigInt z = (a_sqrt * a_sqrt) % n;
- BigInt a_redc = a % n;
+ const BigInt a_redc = mod_p.reduce(a);
+ const BigInt z = mod_p.square(a_sqrt);
+
if(z != a_redc)
{
- if(is_prime(n, fuzzer_rng(), 64))
- {
- std::cout << "A = " << a << "\n";
- std::cout << "N = " << n << "\n";
- std::cout << "Ressol = " << a_sqrt << "\n";
- std::cout << "recomputed = " << z << "\n";
- abort();
- }
+ std::cout << "A = " << a << "\n";
+ std::cout << "P = " << p << "\n";
+ std::cout << "R = " << a_sqrt << "\n";
+ std::cout << "Z = " << z << "\n";
+ abort();
}
}
}
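Review bot: The robustness property the removed comment described — ressol must not hang or crash on a composite modulus because OS2ECP exposes it to untrusted input — is no longer exercised, since `p` is now always a freshly generated prime and `a` is the only fuzzer-controlled value. That is a reasonable trade for a faster oracle (no per-input is_prime), but it should be stated so the lost coverage is not forgotten: `// NOTE: p is always prime here; ressol's behaviour on a composite modulus (reachable via OS2ECP) is not covered by this jig`. Crash reproducibility also now depends on `fuzzer_rng()` being deterministic, since `p` is generated once per process; if that RNG is seeded from entropy, a failing input will not replay on its own.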
diff --git a/src/lib/prov/pkcs11/p11_module.cpp b/src/lib/prov/pkcs11/p11_module.cpp
index 4ea3dc56d..ba8b659b9 100644
--- a/src/lib/prov/pkcs11/p11_module.cpp
+++ b/src/lib/prov/pkcs11/p11_module.cpp
@@ -20,7 +20,14 @@ Module::Module(const std::string& file_path, C_InitializeArgs init_args)
Module::~Module() BOTAN_NOEXCEPT
{
- m_low_level->C_Finalize(nullptr, nullptr);
+ try
+ {
+ m_low_level->C_Finalize(nullptr, nullptr);
+ }
+ catch(...)
+ {
+ // we are noexcept and must swallow any exception here
+ }
}
void Module::reload(C_InitializeArgs init_args)
diff --git a/src/lib/prov/pkcs11/p11_object.cpp b/src/lib/prov/pkcs11/p11_object.cpp
index 872fdf8b7..5f078fd31 100644
--- a/src/lib/prov/pkcs11/p11_object.cpp
+++ b/src/lib/prov/pkcs11/p11_object.cpp
@@ -92,9 +92,16 @@ ObjectFinder::ObjectFinder(Session& session, const std::vector<Attribute>& searc
ObjectFinder::~ObjectFinder() BOTAN_NOEXCEPT
{
- if(m_search_terminated == false)
+ try
{
- module()->C_FindObjectsFinal(m_session.get().handle(), nullptr);
+ if(m_search_terminated == false)
+ {
+ module()->C_FindObjectsFinal(m_session.get().handle(), nullptr);
+ }
+ }
+ catch(...)
+ {
+ // ignore error during noexcept function
}
}
diff --git a/src/lib/prov/pkcs11/p11_session.cpp b/src/lib/prov/pkcs11/p11_session.cpp
index ceb316169..71397eea5 100644
--- a/src/lib/prov/pkcs11/p11_session.cpp
+++ b/src/lib/prov/pkcs11/p11_session.cpp
@@ -38,14 +38,21 @@ Session::Session(Slot& slot, SessionHandle handle)
Session::~Session() BOTAN_NOEXCEPT
{
- if(m_handle)
+ try
{
- if(m_logged_in)
+ if(m_handle)
{
- module()->C_Logout(m_handle, nullptr);
+ if(m_logged_in)
+ {
+ module()->C_Logout(m_handle, nullptr);
+ }
+ module()->C_CloseSession(m_handle, nullptr);
+ m_handle = 0;
}
- module()->C_CloseSession(m_handle, nullptr);
- m_handle = 0;
+ }
+ catch(...)
+ {
+ // exception during noexcept destructor is ignored
}
}
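Review bot: A single try block around both PKCS#11 calls means that if `C_Logout` throws, `C_CloseSession` is skipped and `m_handle` stays non-zero, so the session is leaked on the token even though the destructor now returns cleanly; the same shape in the test_pkcs11_low_level.cpp hunk skips `C_CloseSession` and `C_Finalize` when an earlier call throws. Each call should be guarded on its own so a failed logout still closes the session (and, in the test helper, still finalizes the module). The ~Module and ~ObjectFinder hunks make only one call each and are not affected.
```cpp
Session::~Session() BOTAN_NOEXCEPT
   {
   if(m_handle)
      {
      if(m_logged_in)
         {
         try { module()->C_Logout(m_handle, nullptr); }
         catch(...) { /* logout failure must not prevent closing the session */ }
         }
      try { module()->C_CloseSession(m_handle, nullptr); }
      catch(...) { /* noexcept destructor: nothing more can be done */ }
      m_handle = 0;
      }
   }
```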
diff --git a/src/scripts/ci/travis/after_success.sh b/src/scripts/ci/travis/after_success.sh
index 0bc723b7f..769a8fac4 100755
--- a/src/scripts/ci/travis/after_success.sh
+++ b/src/scripts/ci/travis/after_success.sh
@@ -4,9 +4,9 @@ which shellcheck > /dev/null && shellcheck "$0" # Run shellcheck on this if avai
if [ "$BUILD_MODE" = "coverage" ]; then
GCOV="/usr/bin/gcov-4.8"
- /tmp/usr/bin/lcov --gcov-tool "$GCOV" --directory . --capture --output-file $(pwd)/coverage.info.in
- /tmp/usr/bin/lcov --gcov-tool "$GCOV" --remove $(pwd)/coverage.info.in 'tests/*' '/usr/*' --output-file $(pwd)/coverage.info
- /tmp/usr/bin/lcov --gcov-tool "$GCOV" --list $(pwd)/coverage.info
+ /tmp/bin/lcov --gcov-tool "$GCOV" --directory . --capture --output-file $(pwd)/coverage.info.in
+ /tmp/bin/lcov --gcov-tool "$GCOV" --remove $(pwd)/coverage.info.in 'tests/*' '/usr/*' --output-file $(pwd)/coverage.info
+ /tmp/bin/lcov --gcov-tool "$GCOV" --list $(pwd)/coverage.info
LD_LIBRARY_PATH=. coverage run --branch src/python/botan.py
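Review bot: The three rewritten lcov invocations leave `$(pwd)` unquoted, so the coverage paths break if the checkout directory ever contains whitespace or glob characters; shellcheck, which the script runs on itself per the context line at the top of the hunk, reports this as SC2046. Quoting is enough: `--output-file "$(pwd)/coverage.info.in"`, and likewise for the `--remove` and `--list` arguments. The move from `/tmp/usr/bin` to `/tmp/bin` presumably tracks where an earlier CI step installs lcov; a short comment naming that step would make the hard-coded path less surprising to the next reader.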
diff --git a/src/tests/test_pkcs11_low_level.cpp b/src/tests/test_pkcs11_low_level.cpp
index feb490cd4..289ff5995 100644
--- a/src/tests/test_pkcs11_low_level.cpp
+++ b/src/tests/test_pkcs11_low_level.cpp
@@ -49,18 +49,23 @@ class RAII_LowLevel
}
~RAII_LowLevel() BOTAN_NOEXCEPT
{
-
- if(m_is_session_open)
+ try
{
- if(m_is_logged_in)
+ if(m_is_session_open)
{
- m_low_level.get()->C_Logout(m_session_handle, nullptr);
- }
+ if(m_is_logged_in)
+ {
+ m_low_level.get()->C_Logout(m_session_handle, nullptr);
+ }
- m_low_level.get()->C_CloseSession(m_session_handle, nullptr);
+ m_low_level.get()->C_CloseSession(m_session_handle, nullptr);
+ }
+ m_low_level.get()->C_Finalize(nullptr, nullptr);
+ }
+ catch(...)
+ {
+ // ignore errors here
}
-
- m_low_level.get()->C_Finalize(nullptr, nullptr);
}
std::vector<SlotId> get_slots(bool token_present) const