aboutsummaryrefslogtreecommitdiffstats
path: root/news.rst
diff options
context:
space:
mode:
Diffstat (limited to 'news.rst')
-rw-r--r--news.rst4165
1 files changed, 4165 insertions, 0 deletions
diff --git a/news.rst b/news.rst
new file mode 100644
index 000000000..f88b480d0
--- /dev/null
+++ b/news.rst
@@ -0,0 +1,4165 @@
+Release Notes
+========================================
+
+Version 1.11.34, Not Yet Released
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix TLS session resumption bugs which caused resumption failures if an
+ application used a single session cache for both TLS and DTLS. (GH #688)
+
+* Add MessageAuthenticationCode::start_msg interface, for MACs which require or
+ can use a nonce (GH #691)
+
+* Add GMAC, a MAC based on GCM which requires a nonce (GH #488 / #691)
+
+* HMAC_DRBG allows configuring maximum number of bytes before a forced reseed
+ (GH #690)
+
+* The deprecated RNGs HMAC_RNG and X9.31 RNG have been removed. Now the only
+ userspace PRNG included in the library is HMAC_DRBG. (GH #692)
+
+* The entropy sources for EGD and BeOS, as well as the Unix entropy source which
+ executed processes to get statistical data have been removed. (GH #692)
+
+* The openpgp module (which just implemented OpenPGP compatible base64 encoding
+ and decoding, nothing else) has been removed.
+
+* Add more tests for Pipe/Filter (GH #689 #693)
+
+
+Version 1.11.33, 2016-10-26
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Avoid side channel during OAEP decryption. (CVE-2016-8871)
+
+* A countermeasure for the Lucky13 timing attack against CBC-based TLS
+ ciphersuites has been added. (GH #675)
+
+* Added X25519-based key exchange for TLS (GH #673)
+
+* Add Certificate_Store_In_SQL which supports storing certs, keys, and
+ revocation information in a SQL database. Subclass Certificate_Store_In_SQLite
+ specializes with support for SQLite3 databases. (GH #631)
+
+* The Certificate_Store interface has been changed to deal with
+ ``std::shared_ptrs`` instead of raw pointers (GH #471 #631)
+
+* Add support for official SHA-3. Keccak-1600 was already supported
+ but used different padding from FIPS 202. (GH #669)
+
+* Add SHAKE-128 based stream cipher. (GH #669)
+
+* NewHope key exchange now supports the SHA-256/AES-128-CTR scheme
+ used by BoringSSL in addition to the SHA-3/SHAKE-128 parameters used
+ by the reference implementation. (GH #669)
+
+* Add support for the TLS Supported Point Formats Extension from RFC 4492. Adds
+ ``TLS::Policy::use_ecc_point_compression`` policy option. If supported on both
+ sides, ECC points can be sent in compressed format which saves a few bytes
+ during the handshake. (GH #645)
+
+* Fix entropy source selection bug on Windows, which caused the CryptoAPI
+ entropy source to be not available under its normal name "win32_cryptoapi" but
+ instead "dev_random". GH #644
+
+* Accept read-only access to ``/dev/urandom``. System_RNG previously required
+ read-write access, to allow applications to provide inputs to the system
+ PRNG. But local security policies might only allow read-only access, as is the
+ case with Ubuntu's AppArmor profile for applications in the Snappy binary
+ format. If opening read/write fails, System_RNG silently backs down to
+ read-only, in which case calls to ``add_entropy`` on that object will fail.
+ (GH #647 #648)
+
+* Fix use of Win32 CryptoAPI RNG as an entropy source, which was accidentally
+ disabled due to empty list of acceptable providers being specified. Typically
+ the library would fall back to gathering entropy from OS functions returning
+ statistical information, but if this functionality was disabled in the build a
+ ``PRNG_Unseeded`` exception would result. (GH #655)
+
+* Add support for building the library as part of the IncludeOS unikernel.
+ This included making filesystem and threading support optional. (GH #665)
+
+* Added ISA annotations so that with GCC (all supported versions) and
+ Clang (since 3.7) it is no longer required to compile amalgamation
+ files with ABI specific flags such as ``-maes``. (GH #665)
+
+* Internal cleanups to TLS CBC record handling. TLS CBC ciphersuites
+ can now be disabled by disabling ``tls_cbc`` module. (GH #642 #659)
+
+* Internal cleanups to the object lookup code eliminates most global locks and
+ all use of static initializers (GH #668 #465)
+
+* Avoid ``static_assert`` triggering under MSVC debug builds (GH #646)
+
+* The antique PBKDF1 password hashing scheme is deprecated and will be
+ removed in a future release. It was only used to support the equally
+ ancient PBES1 private key encryption scheme, which was removed in 1.11.8.
+
+* Added MSVC debug/checked iterator builds (GH #666 #667)
+
+* Added Linux ppc64le cross compile target to Travis CI (GH #654)
+
+* If RC4 is disabled, also disable it coming from the OpenSSL provider (GH #641)
+
+* Add TLS message parsing tests (GH #640)
+
+* Updated BSI policy to prohibit DES, HKDF, HMAC_RNG (GH #649)
+
+* Documentation improvements (GH #660 #662 #663 #670)
+
+Version 1.11.32, 2016-09-28
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add support for the NewHope Ring-LWE key encapsulation algorithm. This scheme
+ provides an estimated ~200 bit security level against a quantum attacker while
+ also being very fast and requiring only modest message sizes of 1824 and 2048
+ bytes for initiator and responder, resp. This version is tested as having
+ bit-for-bit identical output as the reference implementation by the authors.
+
+ Be warned that NewHope is still a very new scheme and may yet fall to analysis.
+ For best assurance, NewHope should be used only in combination with another
+ key exchange mechanism, such as ECDH.
+
+* New TLS callbacks API. Instead of numerous std::function callbacks, the
+ application passes an object implementing the TLS::Callbacks interface, which
+ has virtual functions matching the previous callbacks (plus some extras).
+ Full source compatability with previous versions is maintained for now, but
+ the old interface is deprecated and will be removed in a future release. The
+ manual has been updated to reflect the changes. (GH #457 and #567)
+
+* Add support for TLS Encrypt-then-MAC extension (GH #492 and #578), which fixes
+ the known issues in the TLS CBC-HMAC construction.
+
+* The format of the TLS session struct has changed (to support EtM), so old
+ TLS session caches will be invalidated.
+
+* How the library presents optimized algorithm implementations has changed. For
+ example with the algorithm AES-128, previously there were three BlockCipher
+ classes AES_128, AES_128_SSSE3, and AES_128_NI which used (resp) a table-based
+ implementation vulnerable to side channels, a constant time version using
+ SSSE3 SIMD extensions on modern x86, and x86 AES-NI instructions. Using the
+ correct version at runtime required using ``BlockCipher::create``. Now, only
+ the class AES_128 is presented, and the best available version is always used
+ based on CPUID checks. The tests have been extended to selectively disable
+ CPUID bits to ensure all available versions are tested. (GH #477 #623)
+
+ Removes API classes AES_128_NI, AES_192_NI, AES_256_NI, AES_128_SSSE3,
+ AES_192_SSSE3 AES_256_SSSE3, IDEA_SSE2, Noekeon_SIMD, Serpent_SIMD,
+ Threefish_512_AVX2, SHA_160_SSE2
+
+* The deprecated algorithms Rabin-Williams, Nyberg-Rueppel, MARS, RC2, RC5, RC6,
+ SAFER-SK, TEA, MD2, HAS-160, and RIPEMD-128 have been removed. (GH #580)
+
+* A new Cipher_Mode interface ``process`` allows encryption/decryption of
+ buffers without requiring copying into ``secure_vector`` first. (GH #516)
+
+* Fix verification of self-issued certificates (GH #634)
+
+* SSE2 optimizations for ChaCha, 60% faster on both Westmere and Skylake (GH #616)
+
+* The HMAC_RNG constructor added in 1.11.31 that took both an RNG and an
+ entropy source list ignored the entropy sources.
+
+* The configure option ``--via-amalgamation`` was renamed to ``--amalgamation``.
+ The configure option ``--gen-amalgamation`` was removed. It did generate
+ amalgamations but build Botan without amalgamation. Users should migrate to
+ ``--amalgamation``. (GH #621)
+
+* DH keys did not automatically self-test after being generated, contrary to
+ the current behavior for other key types.
+
+* Add tests for TLS 1.2 PRF (GH #628)
+
+Version 1.11.31, 2016-08-30
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix undefined behavior in Curve25519 on platforms without a native 128-bit
+ integer type. This was known to produce incorrect results on 32-bit ARM
+ under Clang. GH #532 (CVE-2016-6878)
+
+* If X509_Certificate::allowed_usage was called with more than one Key_Usage
+ set in the enum value, the function would return true if *any* of the allowed
+ usages were set, instead of if *all* of the allowed usages are set.
+ GH #591 (CVE-2016-6879)
+
+* Incompatible changes in DLIES: Previously the input to the KDF was
+ the concatenation of the (ephemeral) public key and the secret value
+ derived by the key agreement operation. Now the input is only the
+ secret value obtained by the key agreement operation. That's how it
+ is specified in the original paper "DHIES: An encryption scheme
+ based on Diffie-Hellman Problem" or in BSI technical guideline
+ TR-02102-1 for example. In addition to the already present
+ XOR-encrypion/decryption mode it's now possible to use DLIES with a
+ block cipher. Furthermore the order of the output was changed from
+ {public key, tag, ciphertext} to {public key, ciphertext, tag}. Both
+ modes are compatible with BouncyCastle.
+
+* Add initial PKCS #11 support (GH #507). Currently includes a low level
+ wrapper to all of PKCS #11 (p11.h) and high level code for RSA and ECDSA
+ signatures and hardware RNG access.
+
+* Add ECIES encryption scheme, compatible with BouncyCastle (GH #483)
+
+* Add ECKCDSA signature algorithm (GH #504)
+
+* Add KDF1 from ISO 18033 (GH #483)
+
+* Add FRP256v1 curve (GH #551)
+
+* Changes for userspace PRNGs HMAC_DRBG and HMAC_RNG (GH #520 and #593)
+
+ These RNGs now derive from Stateful_RNG which handles issues like periodic
+ reseeding and (on Unix) detecting use of fork. Previously these measures were
+ included only in HMAC_RNG.
+
+ Stateful_RNG allows reseeding from another RNG and/or a specified set of
+ entropy sources. For example it is possible to configure a HMAC_DRBG to reseed
+ using a PKCS #11 token RNG, the CPU's RDSEED instruction, and the system RNG
+ but disabling all other entropy polls.
+
+* AutoSeeded_RNG now uses NIST SP800-90a HMAC_DRBG(SHA-384). (GH #520)
+
+* On Windows and Unix systems, the system PRNG is used as the sole reseeding
+ source for a default AutoSeeded_RNG, completely skipping the standard entropy
+ polling code. New constructors allow specifying the reseed RNG and/or entropy
+ sources. (GH #520)
+
+* The `hres_timer` entropy source module has been removed. Timestamp inputs to
+ the RNG are now handled as additional_data inputs to HMAC_DRBG.
+
+* Add RDRAND_RNG which directly exposes the CPU RNG (GH #543)
+
+* Add PKCS #1 v1.5 id for SHA-512/256 (GH #554)
+
+* Add X509_Time::to_std_timepoint (GH #560)
+
+* Fix a bug in ANSI X9.23 padding mode, which returned one byte more
+ than the given block size (GH #529).
+
+* Fix bug in SipHash::clear, which did not reset all state (GH #547)
+
+* Fixes for FreeBSD (GH #517) and OpenBSD (GH #523). The compiler defaults
+ to Clang on FreeBSD now.
+
+* SonarQube static analysis integration (GH #592)
+
+* Switched Travis CI to Ubuntu 14.04 LTS (GH #592)
+
+* Added ARM32, ARM64, PPC32, PPC64, and MinGW x86 cross compile targets to Travis CI (GH #608)
+
+* Clean up in TLS ciphersuite handling (GH #583)
+
+* Threefish-512 AVX2 optimization work (GH #581)
+
+* Remove build configuration host and timestamp from build.h
+ This makes this header reproducible and allows using ccache's direct mode
+ (GH #586 see also #587)
+
+* Prevent building for x86-64 with x86-32 compiler and the reverse (GH #585)
+
+* Avoid build problem on 32-bit userspace ARMv8 (GH #563)
+
+* Refactor of internal MP headers (GH #549)
+
+* Avoid MSVC C4100 warning (GH #525)
+
+* Change botan.exe to botan-cli.exe on Windows to workaround VC issue (GH #584)
+
+* More tests for RSA-KEM (GH #538), DH (GH #556), EME (GH #553),
+ cipher mode padding (GH #529), CTS mode (GH #531),
+ KDF1/ISO18033 (GH #537), OctetString (GH #545), OIDs (GH #546),
+ parallel hash (GH #548), charset handling (GH #555),
+ BigInt (GH #558), HMAC_DRBG (GH #598 #600)
+
+* New deprecations. See the full list in doc/deprecated.txt
+
+ The X9.31 and HMAC_RNG RNGs are deprecated.
+ If you need a userspace PRNG, use HMAC_DRBG (or AutoSeeded_RNG
+ which is HMAC_DRBG with defaults).
+
+ Support for getting entropy from EGD is deprecated, and will be
+ removed in a future release. The developers believe that it is
+ unlikely that any modern system requires EGD and so the code is now
+ dead weight. If you rely on EGD support, you should contact the
+ developers by email or GitHub ASAP.
+
+ The TLS ciphersuites using 3DES and SEED are deprecated and will be
+ removed in a future release.
+
+ ECB mode Cipher_Mode is deprecated and will be removed in a future
+ release.
+
+ Support for BeOS/Haiku has not been tested in 5+ years and is in an
+ unknown state. Unless reports are received of successful builds and
+ use on this platform, support for BeOS/Haiku will be removed in a
+ future release.
+
+Version 1.11.30, 2016-06-19
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* In 1.11.23 a bug was introduced such that CBC-encrypted TLS packets
+ containing no plaintext bytes at all were incorrectly rejected with
+ a MAC failure. Records like this are used by OpenSSL in TLS 1.0
+ connections in order to randomize the IV.
+
+* A bug in GCM caused incorrect results if the 32-bit counter field
+ overflowed. This bug has no implications on the security but affects
+ interoperability.
+
+ With a 96-bit nonce, this could only occur if at least 2**32 128-bit
+ blocks (64 GiB) were encrypted. This actually exceeds the maximum
+ allowable length of a GCM plaintext; when messages longer than
+ 2**32 - 2 blocks are encrypted, GCM loses its security properties.
+
+ In addition to 96-bit nonces, GCM also supports nonces of arbitrary
+ length using a different method which hashes the provided nonce
+ under the authentication key. When using such a nonce, the last 4
+ bytes of the resulting CTR input might be near the overflow
+ boundary, with the probability of incorrect overflow increasing with
+ longer messages. when encrypting 256 MiB of data under a random 128
+ bit nonce, an incorrect result would be produced about 1/256 of the
+ time. With 1 MiB texts, the probability of error is reduced to 1/65536.
+
+ Since TLS uses GCM with 96 bit nonces and limits the length of any
+ record to far less than 64 GiB, TLS GCM ciphersuites are not
+ affected by this bug.
+
+ Reported by Juraj Somorovsky, described also in "Nonce-Disrespecting
+ Adversaries: Practical Forgery Attacks on GCM in TLS"
+ (https://eprint.iacr.org/2016/475.pdf)
+
+* Previously when generating a new self-signed certificate or PKCS #10
+ request, the subject DN was required to contain both common name
+ (CN) and country (C) fields. These restrictions have been removed.
+ GH #496
+
+* The Transform and Keyed_Transform interfaces has been removed. The
+ two concrete implementations of these interfaces were Cipher_Mode
+ and Compressor_Transform. The Cipher_Mode interface remains unchanged
+ as the Transform and Keyed_Transform signatures have moved to it;
+ no changes to Cipher_Mode usage should be necessary. Any uses of
+ Transform& or Keyed_Transform& to refer to a cipher should be replaced
+ by Cipher_Mode&. The compression algorithm interface has changed; the start
+ function now takes the per-message compression ratio to use. Previously the
+ compression level to use had to be set once, at creation time, and
+ the required ``secure_vector`` argument to ``start`` was required to be empty.
+ The new API is documented in `compression.rst` in the manual.
+
+* Add IETF versions of the ChaCha20Poly1305 TLS ciphersuites from
+ draft-ietf-tls-chacha20-poly1305-04. The previously implemented
+ (non-standard) ChaCha20Poly1305 ciphersuites from
+ draft-agl-tls-chacha20poly1305 remain but are deprecated.
+
+* The OCB TLS ciphersuites have been updated to use the new nonce
+ scheme from draft-zauner-tls-aes-ocb-04. This is incompatible with
+ previous versions of the draft, and the ciphersuite numbers used for
+ the (still experimental) OCB ciphersuites have changed.
+
+* Previously an unknown critical extension caused X.509 certificate
+ parsing to fail; such a cert could not be created at all. Now
+ parsing succeeds and the certificate validation fails with
+ an error indicating an unknown critical extension. GH #469
+
+* X509_CRL previously had an option to cause it to ignore unknown
+ critical extensions. This has been removed.
+
+* Added StreamCipher::seek allowing seeking to arbitrary position
+ in the key stream. Currently only implemented for ChaCha. (GH #497)
+
+* Added support for ChaCha stream cipher with 8 or 12 rounds.
+
+* Add ECGDSA signature algorithm (GH #479)
+
+* Add support for label argument to KDFs (GH #495)
+
+* Add NIST SP800-108 and 56C KDFs (GH #481)
+
+* Support for Card Verifiable Certificates and the obsolete EMSA1_BSI
+ signature padding scheme have been removed. (GH #487)
+
+* A bug in the IETF version of ChaCha20Poly1305 (with 96 bit nonces)
+ caused incorrect computation when the plaintext or AAD was exactly
+ a multiple of 16 bytes.
+
+* Fix return type of TLS_Reader::get_u32bit, which was truncated to
+ 16 bits. This only affected decoding of session ticket lifetimes.
+ GH #478
+
+* Fix OS X dylib naming problem (GH #468 #467)
+
+* Fix bcrypt function under Python 3 (GH #461)
+
+* The ``unix_procs`` entropy source is deprecated and will be removed
+ in a future release. This entropy source attempts to get entropy by
+ running Unix programs like ``arp``, ``netstat``, and ``dmesg`` which
+ produce information which may be difficult for a remote attacker to
+ guess. This exists primarily as a last-ditch for Unix systems
+ without ``/dev/random``. But at this point such systems effectively
+ no longer exist, and the use of ``fork`` and ``exec`` by the library
+ complicates effective application sandboxing.
+
+* Changes to avoid implicit cast warnings in Visual C++ (GH #484)
+
+Version 1.10.13, 2016-04-23
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Use constant time modular inverse algorithm to avoid possible
+ side channel attack against ECDSA (CVE-2016-2849)
+
+* Use constant time PKCS #1 unpadding to avoid possible side channel
+ attack against RSA decryption (CVE-2015-7827)
+
+* Avoid a compilation problem in OpenSSL engine when ECDSA was
+ disabled. Gentoo bug 542010
+
+Version 1.11.29, 2016-03-20
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* CVE-2016-2849 DSA and ECDSA used a modular inverse function which
+ had input dependent loops. It is possible a side channel attack on
+ this function could be used to recover sufficient information about
+ the nonce k to mount a lattice attack and recover the private key.
+ Found by Sean Devlin.
+
+* CVE-2016-2850 The TLS client did not check that the signature
+ algorithm or ECC curve a v1.2 server used was actually acceptable by
+ the policy. This would allow a server who ignored the preferences
+ indicated in the client to use a weak algorithm, and may allow MITM
+ attacks by an attacker who can break MD5 signatures or 160 bit ECC
+ in real time. The server similarly failed to check on the hash a
+ client used during client certificate authentication.
+
+* Reject empty TLS records at the record processing layer since such a
+ record is not valid regardless of the record type. Later checks
+ already correctly rejected empty records, but during processing such
+ a record, a pointer to the end of the vector was created, causing a
+ assertion failure under checked iterators. Found by Juraj Somorovsky.
+
+* Add PK_Decryptor::decrypt_or_random which allows an application to
+ atomically (in constant time) check that a decrypted ciphertext has
+ the expected length and/or apply content checks on the result. This
+ is used by the TLS server for decrypting PKCS #1 v1.5 RSA ciphertexts.
+ Previously the server used a implementation which was potentially
+ vulnerable to side channels.
+
+* Add support for processing X.509 name constraint extension during
+ path validation. GH #454
+
+* Add X509_Certificate::v3_extensions which allows retreiving the
+ raw binary of all certificate extensions, including those which
+ are not known to the library. This allows processing of custom
+ extensions. GH #437
+
+* Add support for module policies which are a preconfigured set of
+ acceptable or prohibited modules. A policy based on BSI TR-02102-1
+ is included. GH #439 #446
+
+* Support for the deprecated TLS heartbeat extension has been removed.
+
+* Support for the deprecated TLS minimum fragment length extension has
+ been removed.
+
+* SRP6 support is now optional in TLS
+
+* Support for negotiating MD5 and SHA-224 signatures in TLS v1.2 has
+ been removed. MD5 signatures are demonstratably insecure in TLS,
+ SHA-224 is rarely used.
+
+* Support for negotiating ECC curves secp160r1, secp160r2, secp160k1,
+ secp192k1, secp192r1 (P-192), secp224k1, secp224r1 (P-224), and
+ secp256k1 have been removed from the TLS implementation. All were
+ already disabled in the default policy.
+
+* HMAC_RNG now has an explicit check for fork using pid comparisons.
+ It also includes the pid and system and CPU clocks into the PRF
+ computation to help reduce the risk of pid wraparound. Even so,
+ applications using fork and userspace RNGs should explicitly reseed
+ all such RNGs whenever possible.
+
+* Deprecation warning: support for DSA certificates in TLS is
+ deprecated and will be removed in a future release.
+
+* Deprecation warning: in addition to the algorithms deprecated in
+ 1.11.26, the following algorithms are now deprecated and will be
+ removed in a future release: Rabin-Williams signatures, TEA, XTEA.
+
+* Deprecation warning: the library has a number of compiled in MODP
+ and ECC DL parameters. All MODP parameter sets under 2048 bits and
+ all ECC parameters under 256 bits are deprecated and will be removed
+ in a future release. This includes the MODP groups "modp/ietf/1024",
+ "modp/srp/1024", "modp/ietf/1536", "modp/srp/1536" and the ECC
+ groups "secp160k1", "secp160r1", "secp160r2", "secp192k1",
+ "secp192r1", "secp224k1", "secp224r1", "brainpool160r1",
+ "brainpool192r1", "brainpool224r1", "x962_p192v2", "x962_p192v3",
+ "x962_p239v1", "x962_p239v2" and "x962_p239v3". Additionally all
+ compiled in DSA parameter sets ("dsa/jce/1024", "dsa/botan/2048",
+ and "dsa/botan/3072") are also deprecated.
+
+* RDSEED/RDRAND polling now retries if the operation fails. GH #373
+
+* Fix various minor bugs found by static analysis with PVS-Studio (GH#421),
+ Clang analyzer (GH #441), cppcheck (GH #444, #445), and Coverity.
+
+* Add --with-valgrind configure option to enable building against the
+ valgrind client API. This currently enables checking of const time
+ operations using memcheck.
+
+* Fix remaining Wshadow warnings. Enable Wshadow in build. GH #427
+
+* Use noexcept in VS 2015 GH #429
+
+* On Windows allow the user to explicitly request symlinks be used
+ as part of the build. Likely only useful for someone working on
+ the library itself. GH #430
+
+* Remove use of TickCount64 introduced in 1.11.27 which caused problem
+ with downstream distributors/users building XP compatiable binaries
+ which is still an option even in VS 2015
+
+* MCEIES requires KDF1 at runtime but did not require it be enabled
+ in the build. GH #369
+
+* Small optimizations to Keccak hash
+
+* Support for locking allocator on Windows using VirtualLock. GH #450
+
+Version 1.18.15, 2016-02-13
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* NOTE WELL: Botan 1.8 is not supported for security issues anymore.
+ Moving to 1.10 or 1.11 is certainly recommended.
+* Fix CVE-2014-9742: Insufficient randomness in Miller-Rabin primality check
+* Fix CVE-2016-2194: Infinite loop in modulur square root algorithm
+* Fix CVE-2015-5726: Crash in BER decoder
+* Fix CVE-2015-5727: Excess memory allocation in BER decoder
+ Note: Unlike the fix in 1.10 which checks that the source actually
+ contains enough data to satisfy the read before allocating the
+ memory, 1.8.15 simply rejects all ASN.1 blocks larger than 1 MiB.
+ This simpler check avoids the problem without breaking ABI.
+
+Version 1.10.12, 2016-02-03
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* In 1.10.11, the check in PointGFp intended to check the affine y
+ argument actually checked the affine x again. Reported by Remi Gacogne
+
+ The CVE-2016-2195 overflow is not exploitable in 1.10.11 due to an
+ additional check in the multiplication function itself which was
+ also added in that release, so there are no security implications
+ from the missed check. However to avoid confusion the change was
+ pushed in a new release immediately.
+
+ The 1.10.11 release notes incorrectly identified CVE-2016-2195 as CVE-2016-2915
+
+Version 1.10.11, 2016-02-01
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Resolve heap overflow in ECC point decoding. CVE-2016-2195
+
+* Resolve infinite loop in modular square root algorithm.
+ CVE-2016-2194
+
+* Correct BigInt::to_u32bit to not fail on integers of exactly 32 bits.
+ GH #239
+
+Version 1.11.28, 2016-02-01
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* One of the checks added while addressing CVE-2016-2195 was incorrect
+ and could cause needless assertion failures.
+
+Version 1.11.27, 2016-02-01
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* SECURITY: Avoid heap overflow in ECC point decoding. This could
+ likely result in remote code execution. CVE-2016-2195
+
+* SECURITY: Avoid one word heap overflow in P-521 reduction function.
+ This could potentially lead to remote code execution or other
+ attack. CVE-2016-2196.
+
+* SECURITY: Avoid infinite or near-infinite loop during modular square
+ root algorithm with invalid inputs. CVE-2016-2194
+
+* Add Blake2b hash function. GH #413
+
+* Use m_ prefix on all member variables. GH #398 and #407
+
+* Use final qualifier on many classes. GH #408
+
+* Use noreturn attribute on assertion failure function to assist
+ static analysis. GH #403
+
+* Use TickCount64 and MemoryStatusEx in the Windows entropy source.
+ Note these calls are only available in Vista/Server 2008. No
+ accomodations are made for XP or Server 2003, both of which are
+ no longer patched by the vendor. GH #365
+
+Version 1.11.26, 2016-01-04
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Deprecation warnings: Nyberg-Rueppel signatures, MARS, RC2, RC5,
+ RC6, SAFER, HAS-160, RIPEMD-128, MD2 and support for the TLS minimum
+ fragment length extensions are all being considered for removal in a
+ future release. If there is a compelling use case for keeping any of
+ them in the library, please open a discussion ticket on GitHub.
+
+* Support for the TLS extended master secret extension (RFC 7627) has
+ been added.
+
+* The format of serialized TLS sessions has changed to add a flag
+ indicating support for the extended master secret flag, which is
+ needed for proper handling of the extension.
+
+* Root all exceptions thrown by the library in the ``Botan::Exception`` class.
+ Previously the library would in many cases throw ``std::runtime_error``
+ or ``std::invalid_argument`` exceptions which would make it hard to
+ determine the source of the error in some cases.
+
+* The command line interface has been mostly rewritten. The syntax of
+ many of the sub-programs has changed, and a number have been
+ extended with new features and options.
+
+* Correct an error in PointGFp multiplication when multiplying a point
+ by the scalar value 3. PointGFp::operator* would instead erronously
+ compute it as if the scalar was 1 instead.
+
+* Enable RdRand entropy source on Windows/MSVC. GH #364
+
+* Add Intel's RdSeed as entropy source. GH #370
+
+* Add preliminary support for accessing TPM v1.2 devices. Currently
+ random number generation, RSA key generation, and signing are
+ supported. Tested using Trousers and an ST TPM
+
+* Add generalized interface for KEM (key encapsulation) techniques. Convert
+ McEliece KEM to use it. The previous interfaces McEliece_KEM_Encryptor and
+ McEliece_KEM_Decryptor have been removed. The new KEM interface now uses a KDF
+ to hash the resulting keys; to get the same output as previously provided by
+ McEliece_KEM_Encryptor, use "KDF1(SHA-512)" and request exactly 64 bytes.
+
+* Add support for RSA-KEM from ISO 18033-2
+
+* Add support for ECDH in the OpenSSL provider
+
+* Fix a bug in DataSource::discard_next() which could cause either an
+ infinite loop or the discarding of an incorrect number of bytes.
+ Reported on mailing list by Falko Strenzke.
+
+* Previously if BOTAN_TARGET_UNALIGNED_MEMORY_ACCESS_OK was defined,
+ the code doing low level loads/stores would use pointer casts to
+ access larger words out of a (potentially misaligned) byte array,
+ rather than using byte-at-a-time accesses. However even on platforms
+ such as x86 where this works, it triggers UBSan errors under Clang.
+ Instead use memcpy, which the C standard says is usable for such
+ purposes even with misaligned values. With recent GCC and Clang, the
+ same code seems to be emitted for either approach.
+
+* Avoid calling memcpy, memset, or memmove with a length of zero to
+ avoid undefined behavior, as calling these functions with an invalid
+ or null pointer, even with a length of zero, is invalid. Often there
+ are corner cases where this can occur, such as pointing to the very
+ end of a buffer.
+
+* The function ``RandomNumberGenerator::gen_mask`` (added in 1.11.20)
+ had undefined behavior when called with a bits value of 32 or
+ higher, and was tested to behave in unpleasant ways (such as
+ returning zero) when compiled by common compilers. This function was
+ not being used anywhere in the library and rather than support
+ something without a use case to justify it it seemed simpler to
+ remove it. Undefined behavior found by Daniel Neus.
+
+* Support for using ``ctgrind`` for checking const time blocks has
+ been replaced by calling the valgrind memcheck APIs directly. This
+ allows const-time behavior to be tested without requiring a modified
+ valgrind binary. Adding the appropriate calls requires defining
+ BOTAN_HAS_VALGRIND in build.h. A binary compiled with this flag set
+ can still run normally (though with some slight runtime overhead).
+
+* Export MGF1 function mgf1_mask GH #380
+
+* Work around a problem with some antivirus programs which causes the
+ ``shutil.rmtree`` and ``os.makedirs`` Python calls to occasionally
+ fail. The could prevent ``configure.py`` from running sucessfully
+ on such systems. GH #353
+
+* Let ``configure.py`` run under CPython 2.6. GH #362
+
+Version 1.11.25, 2015-12-07
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* In this release the test suite has been largely rewritten. Previously the
+ tests had internally used several different test helper frameworks created or
+ adopted over time, each of which was insufficient on its own for testing the
+ entire library. These have been fully converged on a new framework which
+ suffices for all of the tests. There should be no user-visible change as a
+ result of this, except that the output format of `botan-test` has changed.
+
+* Improved side channel countermeasures for the table based AES implementation.
+ The 4K T tables are computed (once) at runtime to avoid various cache based
+ attacks which are possible due to shared VMM mappings of read only tables.
+ Additionally every cache line of the table is read from prior to processing
+ the block(s).
+
+* Support for the insecure ECC groups secp112r1, secp112r2, secp128r1, and
+ secp128r2 has been removed.
+
+* The portable version of GCM has been changed to run using only
+ constant time operations.
+
+* Work around a bug in MSVC 2013 std::mutex which on some Windows
+ versions can result in a deadlock during static initialization. On
+ Windows a CriticalSection is used instead. Analysis and patch from
+ Matej Kenda (TopIT d.o.o.). GH #321
+
+* The OpenSSL implementation of RC4 would return the wrong value from `name` if
+ leading bytes of the keystream had been skipped in the output.
+
+* Fixed the signature of the FFI function botan_pubkey_destroy, which took the
+ wrong type and was not usable.
+
+* The TLS client would erronously reject any server key exchange packet smaller
+ than 6 bytes. This prevented negotiating a plain PSK TLS ciphersuite with an
+ empty identity hint. ECDHE_PSK and DHE_PSK suites were not affected.
+
+* Fixed a bug that would cause the TLS client to occasionally reject a valid
+ server key exchange message as having an invalid signature. This only affected
+ DHE and SRP ciphersuites.
+
+* Support for negotiating use of SHA-224 in TLS has been disabled in the
+ default policy.
+
+* Added `remove_all` function to the `TLS::Session_Manager` interface
+
+* Avoid GCC warning in pedantic mode when including bigint.h GH #330
+
+Version 1.11.24, 2015-11-04
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* When the bugs affecting X.509 path validation were fixed in 1.11.23, a check
+ in Credentials_Manager::verify_certificate_chain was accidentally removed
+ which caused path validation failures not to be signaled to the TLS layer.
+ Thus in 1.11.23 certificate authentication in TLS is bypassed.
+ Reported by Florent Le Coz in GH #324
+
+* Fixed an endian dependency in McEliece key generation which caused
+ keys to be generated differently on big and little endian systems,
+ even when using a deterministic PRNG with the same seed.
+
+* In `configure,py`, the flags for controlling use of debug, sanitizer, and
+ converage information have been split out into individual options
+ `--with-debug-info`, `--with-sanitizers`, and `--with-coverage`. These allow
+ enabling more than one in a build in a controlled way. The `--build-mode` flag
+ added in 1.11.17 has been removed.
+
+Version 1.11.23, 2015-10-26
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* CVE-2015-7824: An information leak allowed padding oracle attacks against
+ TLS CBC decryption. Found in a review by Sirrix AG and 3curity GmbH.
+
+* CVE-2015-7825: Validating a malformed certificate chain could cause an
+ infinite loop. Found in a review by Sirrix AG and 3curity GmbH.
+
+* CVE-2015-7826: X.509 path validation violated RFC 6125 and would accept
+ certificates which should not validate under those rules. In particular botan
+ would accept wildcard certificates as matching in situations where it should
+ not (for example it would erroneously accept '*.example.com' as a valid
+ wildcard for 'foo.bar.example.com')
+
+* CVE-2015-7827: The routines for decoding PKCS #1 encryption and OAEP blocks
+ have been rewritten to run without secret indexes or branches. These
+ cryptographic operations are vulnerable to oracle attacks, including via side
+ channels such as timing or cache-based analysis. In theory it would be
+ possible to attack the previous implementations using such a side channel,
+ which could allow an attacker to mount a plaintext recovery attack.
+
+ By writing the code such that it does not depend on secret inputs for branch
+ or memory indexes, such a side channel would be much less likely to exist.
+
+ The OAEP code has previously made an attempt at constant time operation, but
+ it used a construct which many compilers converted into a conditional jump.
+
+* Add support for using ctgrind (https://github.com/agl/ctgrind) to test that
+ sections of code do not use secret inputs to decide branches or memory indexes.
+ The testing relies on dynamic checking using valgrind.
+
+ So far PKCS #1 decoding, OAEP decoding, Montgomery reduction, IDEA, and
+ Curve25519 have been notated and confirmed to be constant time on Linux/x86-64
+ when compiled by gcc.
+
+* Public key operations can now be used with specified providers by passing an
+ additional parameter to the constructor of the PK operation.
+
+* OpenSSL RSA provider now supports signature creation and verification.
+
+* The blinding code used for RSA, Diffie-Hellman, ElGamal and Rabin-Williams now
+ periodically reinitializes the sequence of blinding values instead of always
+ deriving the next value by squaring the previous ones. The reinitializion
+ interval can be controlled by the build.h parameter BOTAN_BLINDING_REINIT_INTERVAL.
+
+* A bug decoding DTLS client hellos prevented session resumption for succeeding.
+
+* DL_Group now prohibits creating a group smaller than 1024 bits.
+
+* Add System_RNG type. Previously the global system RNG was only accessible via
+ `system_rng` which returned a reference to the object. However is at times
+ useful to have a unique_ptr<RandomNumberGenerator> which will be either the
+ system RNG or an AutoSeeded_RNG, depending on availability, which this
+ additional type allows.
+
+* New command line tools `dl_group` and `prime`
+
+* The `configure.py` option `--no-autoload` is now also available
+ under the more understandable name `--minimized-build`.
+
+* Note: 1.11.22 was briefly released on 2015-10-26. The only difference between
+ the two was a fix for a compilation problem in the OpenSSL RSA code. As the
+ 1.11.22 release had already been tagged it was simpler to immediately release
+ 1.11.23 rather than redo the release.
+
+Version 1.11.21, 2015-10-11
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add new methods for creating types such as BlockCiphers or HashFunctions,
+ T::providers() returning list of provider for a type, and T::create() creating
+ a new object of a specified provider. The functions in lookup.h forward to
+ these new APIs. A change to the lookup system in 1.11.14 had caused problems
+ with static libraries (GH #52). These problems have been fixed as part of these
+ changes. GH #279
+
+* Fix loading McEliece public or private keys with PKCS::load_key / X509::load_key
+
+* Add `mce` command line tool for McEliece key generation and file encryption
+
+* Add Darwin_SecRandom entropy source which uses `SecRandomCopyBytes`
+ API call for OS X and iOS, as this call is accessible even from a
+ sandboxed application. GH #288
+
+* Add new HMAC_DRBG constructor taking a name for the MAC to use, rather
+ than a pointer to an object.
+
+* The OCaml module is now a separate project at
+ https://github.com/randombit/botan-ocaml
+
+* The encrypted sqlite database support in contrib has moved to
+ https://github.com/randombit/botan-sqlite
+
+* The Perl XS module has been removed as it was no longer maintained.
+
+Version 1.11.20, 2015-09-07
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Additional countermeasures were added to ECC point multiplications
+ including exponent blinding and randomization of the point
+ representation to help protect against side channel attacks.
+
+* An ECDSA provider using OpenSSL has been added.
+
+* The ordering of algorithm priorities has been reversed. Previously
+ 255 was the lowest priority and 0 was the highest priority. Now it
+ is the reverse, with 0 being lowest priority and 255 being highest.
+ The default priority for the base algorithms is 100. This only
+ affects external providers or applications which directly set
+ provider preferences.
+
+* On OS X, rename libs to avoid trailing version numbers, e.g.
+ libbotan-1.11.dylib.19 -> libbotan-1.11.19.dylib. This was requested
+ by the Homebrew project package audit. GH #241, #260
+
+* Enable use of CPUID interface with clang. GH #232
+
+* Add support for MSVC 2015 debug builds by satisfying C++ allocator
+ requirements. SO 31802806, GH #236
+
+* Make `X509_Time` string parsing and `to_u32bit()` more strict to avoid
+ integer overflows and other potentially dangerous misinterpretations.
+ GH #240, #243
+
+* Remove all 'extern "C"' declarations from src/lib/math/mp/ because some
+ of those did throw exceptions and thus cannot be C methods. GH #249
+
+* Fix build configuration for clang debug on Linux. GH #250
+
+* Fix zlib error when compressing an empty buffer. GH #265
+
+* Fix iOS builds by allowing multiple compiler flags with the same name.
+ GH #266
+
+* Fix Solaris build issue caused by `RLIMIT_MEMLOCK`. GH #262
+
+Version 1.11.19, 2015-08-03
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* SECURITY: The BER decoder would crash due to reading from offset 0
+ of an empty vector if it encountered a BIT STRING which did not
+ contain any data at all. As the type requires a 1 byte field this is
+ not valid BER but could occur in malformed data. Found with afl.
+ CVE-2015-5726
+
+* SECURITY: The BER decoder would allocate a fairly arbitrary amount
+ of memory in a length field, even if there was no chance the read
+ request would succeed. This might cause the process to run out of
+ memory or invoke the OOM killer. Found with afl.
+ CVE-2015-5727
+
+* The TLS heartbeat extension is deprecated and unless strong arguments
+ are raised in its favor it will be removed in a future release.
+ Comment at https://github.com/randombit/botan/issues/187
+
+* The x86-32 assembly versions of MD4, MD5, SHA-1, and Serpent and the
+ x86-64 version of SHA-1 have been removed. With compilers from this
+ decade the C++ versions are significantly faster. The SSE2 versions
+ of SHA-1 and Serpent remain, as they are still the fastest version
+ for processors with SIMD extensions. GH #216
+
+* BigInt::to_u32bit would fail if the value was exactly 32 bits.
+ GH #220
+
+* Botan is now fully compaitible with _GLIBCXX_DEBUG. GH #73
+
+* BigInt::random_integer distribution was not uniform. GH #108
+
+* Added unit testing framework Catch. GH #169
+
+* Fix `make install`. GH #181, #186
+
+* Public header `fs.h` moved to `internal/filesystem.h`. Added filesystem
+ support for MSVC 2013 when boost is not available, allowing tests to run on
+ those systems. GH #198, #199
+
+* Added os "android" and fix Android compilation issues. GH #203
+
+* Drop support for Python 2.6 for all Botan Python scripts. GH #217
+
+Version 1.10.10, 2015-08-03
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* SECURITY: The BER decoder would crash due to reading from offset 0
+ of an empty vector if it encountered a BIT STRING which did not
+ contain any data at all. As the type requires a 1 byte field this is
+ not valid BER but could occur in malformed data. Found with afl.
+ CVE-2015-5726
+
+* SECURITY: The BER decoder would allocate a fairly arbitrary amount
+ of memory in a length field, even if there was no chance the read
+ request would succeed. This might cause the process to run out of
+ memory or invoke the OOM killer. Found with afl.
+ CVE-2015-5727
+
+* Due to an ABI incompatible (though not API incompatible) change in
+ this release, the version number of the shared object has been
+ increased.
+
+* The default TLS policy no longer allows RC4.
+
+* Fix a signed integer overflow in Blue Midnight Wish that may cause
+ incorrect computations or undefined behavior.
+
+Version 1.11.18, 2015-07-05
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* In this release Botan has switched VCS from ``monotone`` to ``git``,
+ and is now hosted on github at https://github.com/randombit/botan
+
+* The TLS client called ``std::set_difference`` on an invalid iterator
+ pair. This could potentially lead to a crash depending on the
+ compiler and STL implementation. It also would trigger assertion
+ failures when using checked iterators. GH #73
+
+* Remove code constructs which triggered errors under MSVC and GCC
+ debug iterators. The primary of these was an idiom of ``&vec[x]`` to
+ create a pointer offset of a ``std::vector``. This failed when x was
+ set equal to ``vec.size()`` to create the one-past-the-end address.
+ The pointer in question was never dereferenced, but it triggered
+ the iterator debugging checks which prevented using these valuble
+ analysis tools. From Simon Warta and Daniel Seither. GH #125
+
+* Several incorrect or missing module dependencies have been fixed. These
+ often prevented a successful build of a minimized amalgamation when
+ only a small set of algorithms were specified. GH #71
+ From Simon Warta.
+
+* Add an initial binding to OCaml. Currently only hashes, RNGs, and
+ bcrypt are supported.
+
+* The default key size generated by the ``keygen`` tool has increased
+ to 2048 bits. From Rene Korthaus.
+
+* The ``Botan_types`` namespace, which contained ``using`` declarations
+ for (just) ``Botan::byte`` and ``Botan::u32bit``, has been removed.
+ Any use should be replaced by ``using`` declarations for those types
+ directly.
+
+Version 1.11.17, 2015-06-18
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* All support for the insecure RC4 stream cipher has been removed
+ from the TLS implementation.
+
+* Fix decoding of TLS maximum fragment length. Regardless of what
+ value was actually negotiated, TLS would treat it as a negotiated
+ limit of 4096.
+
+* Fix the configure.py flag ``--disable-aes-ni`` which did nothing of
+ the sort.
+
+* Fixed nmake clean target. GitHub #104
+
+* Correct buffering logic in ``Compression_Filter``. GitHub #93 and #95
+
+Version 1.11.16, 2015-03-29
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* TLS has changed from using the non-standard NPN extension to the IETF
+ standardized ALPN extension for negotiating an application-level protocol.
+ Unfortunately the semantics of the exchange have changed with ALPN. Using
+ NPN, the server offered a list of protocols it advertised, and then the
+ client chose its favorite. With ALPN, the client offers a list of protocols
+ and the server chooses. The the signatures of both the TLS::Client and
+ TLS::Server constructors have changed to support this new flow.
+
+* Optimized ECDSA signature verification thanks to an observation by
+ Dr. Falko Strenzke. On some systems verifications are between 1.5
+ and 2 times faster than in 1.11.15.
+
+* RSA encrypt and decrypt operations using OpenSSL have been added.
+
+* Public key operation types now handle all aspects of the operation,
+ such as hashing and padding for signatures. This change allows
+ supporting specialized implementations which only support particular
+ padding types.
+
+* Added global timeout to HMAC_RNG entropy reseed. The defaults are
+ the values set in the build.h macros ``BOTAN_RNG_AUTO_RESEED_TIMEOUT``
+ and ``BOTAN_RNG_RESEED_DEFAULT_TIMEOUT``, but can be overriden
+ on a specific poll with the new API call reseed_with_timeout.
+
+* Fixed Python cipher update_granularity() and default_nonce_length()
+ functions
+
+* The library now builds on Visual C++ 2013
+
+* The GCM update granularity was reduced from 4096 to 16 bytes.
+
+* Fix a bug that prevented building the amalgamation until a non-amalgamation
+ configuration was performed first in the same directory.
+
+* Add Travis CI integration. Github pull 60.
+
+Version 1.11.15, 2015-03-08
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Support for RC4 in TLS, already disabled by default, is now deprecated.
+ The RC4 ciphersuites will be removed entirely in a future release.
+
+* A bug in ffi.cpp meant Python could only encrypt. Github issue 53.
+
+* When comparing two ASN.1 algorithm identifiers, consider empty and
+ NULL parameters the same.
+
+* Fixed memory leaks in TLS and cipher modes introduced in 1.11.14
+
+* MARK-4 failed when OpenSSL was enabled in the build in 1.11.14
+ because the OpenSSL version ignored the skip parameter.
+
+* Fix compilation problem on OS X/clang
+
+* Use BOTAN_NOEXCEPT macro to work around lack of noexcept in VS 2013
+
+Version 1.11.14, 2015-02-27
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The global state object previously used by the library has been removed.
+ This includes the global PRNG. The library can be safely initialized
+ multiple times without harm.
+
+ The engine code has also been removed, replaced by a much lighter-weight
+ object registry system which provides lookups in faster time and with less
+ memory overhead than the previous approach.
+
+ One caveat of the current system with regards to static linking: because only
+ symbols already mentioned elsewhere in the program are included in the final
+ link step, few algorithms will be available through the lookup system by
+ default, even though they were compiled into the library. Your application
+ must explicitly reference the types you require or they will not end up
+ being available in the final binary. See also Github issue #52
+
+ If you intend to build your application against a static library and don't
+ want to explicitly reference each algo object you might attempt to look up by
+ string, consider either building with ``--via-amalgamation``, or else (much
+ simpler) using the amalgamation directly.
+
+* The new ``ffi`` submodule provides a simple C API/ABI for a number of useful
+ operations (hashing, ciphers, public key operations, etc) which is easily
+ accessed using the FFI modules included in many languages.
+
+* A new Python wrapper (in ``src/lib/python/botan.py``) using ``ffi`` and the Python
+ ``ctypes`` module is available. The old Boost.Python wrapper has been removed.
+
+* Add specialized reducers for P-192, P-224, P-256, and P-384
+
+* OCB mode, which provides a fast and constant time AEAD mode without requiring
+ hardware support, is now supported in TLS, following
+ draft-zauner-tls-aes-ocb-01. Because this specification is not yet finalized
+ is not yet enabled by the default policy, and the ciphersuite numbers used are
+ in the experimental range and may conflict with other uses.
+
+* Add ability to read TLS policy from a text file using ``TLS::Text_Policy``.
+
+* The amalgamation now splits off any ISA specific code (for instance, that
+ requiring SSSE3 instruction sets) into a new file named (for instance)
+ ``botan_all_ssse3.cpp``. This allows the main amalgamation file to be compiled
+ without any special flags, so ``--via-amalgamation`` builds actually work now.
+ This is disabled with the build option ``--single-amalgamation-file``
+
+* PBKDF and KDF operations now provide a way to write the desired output
+ directly to an application-specified area rather than always allocating a new
+ heap buffer.
+
+* HKDF, previously provided using a non-standard interface, now uses the
+ standard KDF interface and is retrievable using get_kdf.
+
+* It is once again possible to build the complete test suite without requiring
+ any boost libraries. This is currently only supported on systems supporting
+ the readdir interface.
+
+* Remove use of memset_s which caused problems with amalgamation on OS X.
+ Github 42, 45
+
+* The memory usage of the counter mode implementation has been reduced.
+ Previously it encrypted 256 blocks in parallel as this leads to a slightly
+ faster counter increment operation. Instead CTR_BE simply encrypts a buffer
+ equal in size to the advertised parallelism of the cipher implementation.
+ This is not measurably slower, and dramatically reduces the memory use of
+ CTR mode.
+
+* The memory allocator available on Unix systems which uses mmap and mlock to
+ lock a pool of memory now checks environment variable BOTAN_MLOCK_POOL_SIZE
+ and interprets it as an integer. If the value set to a smaller value then the
+ library would originally have allocated (based on resource limits) the user
+ specified size is used instead. You can also set the variable to 0 to
+ disable the pool entirely. Previously the allocator would consume all
+ available mlocked memory, this allows botan to coexist with an application
+ which wants to mlock memory for its own uses.
+
+* The botan-config script previously installed on Unix systems has been
+ removed. Its functionality is replaced by the ``config`` command of the
+ ``botan`` tool executable, for example ``botan config cflags`` instead of
+ ``botan-config --cflags``.
+
+* Added a target for POWER8 processors
+
+Version 1.11.13, 2015-01-11
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* All support for the insecure SSLv3 protocol and the server support
+ for processing SSLv2 client hellos has been removed.
+
+* The command line tool now has ``tls_proxy`` which negotiates TLS with
+ clients and forwards the plaintext to a specified port.
+
+* Add MCEIES, a McEliece-based integrated encryption system using
+ AES-256 in OCB mode for message encryption/authentication.
+
+* Add DTLS-SRTP negotiation defined in RFC 5764
+
+* Add SipHash
+
+* Add SHA-512/256
+
+* The format of serialized TLS sessions has changed. Additiionally, PEM
+ formatted sessions now use the label of "TLS SESSION" instead of "SSL SESSION"
+
+* Serialized TLS sessions are now encrypted using AES-256/GCM instead of a
+ CBC+HMAC construction.
+
+* The cryptobox_psk module added in 1.11.4 and previously used for TLS session
+ encryption has been removed.
+
+* When sending a TLS heartbeat message, the number of pad bytes to use can now
+ be specified, making it easier to use for PMTU discovery.
+
+* If available, zero_mem now uses RtlSecureZeroMemory or memset_s instead of a
+ byte-at-a-time loop.
+
+* The functions base64_encode and base64_decode would erroneously
+ throw an exception if passed a zero-length input. Github issue 37.
+
+* The Python install script added in version 1.11.10 failed to place the
+ headers into a versioned subdirectory.
+
+* Fix the install script when running under Python3.
+
+* Avoid code that triggers iterator debugging asserts under MSVC 2013. Github
+ pull 36 from Simon Warta.
+
+Version 1.11.12, 2015-01-02
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add Curve25519. The implementation is based on curve25519-donna-c64.c
+ by Adam Langley. New (completely non-standard) OIDs and formats for
+ encrypting Curve25519 keys under PKCS #8 and including them in
+ certificates and CRLs have been defined.
+
+* Add Poly1305, based on the implementation poly1305-donna by Andrew Moon.
+
+* Add the ChaCha20Poly1305 AEADs defined in draft-irtf-cfrg-chacha20-poly1305-03
+ and draft-agl-tls-chacha20poly1305-04.
+
+* Add ChaCha20Poly1305 ciphersuites for TLS compatible with Google's servers
+ following draft-agl-tls-chacha20poly1305-04
+
+* When encrypted as PKCS #8 structures, Curve25519 and McEliece
+ private keys default to using AES-256/GCM instead of AES-256/CBC
+
+* Define OIDs for OCB mode with AES, Serpent and Twofish.
+
+Version 1.11.11, 2014-12-21
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The Sqlite3 wrapper has been abstracted to a simple interface for
+ SQL dbs in general, though Sqlite3 remains the only implementation.
+ The main logic of the TLS session manager which stored encrypted
+ sessions to a Sqlite3 database (``TLS::Session_Manager_SQLite``) has
+ been moved to the new ``TLS::Session_Manager_SQL``. The Sqlite3
+ manager API remains the same but now just subclasses
+ ``TLS::Session_Manager_SQL`` and has a constructor instantiate the
+ concrete database instance.
+
+ Applications which would like to use a different db can now do so
+ without having to reimplement the session cache logic simply by
+ implementing a database wrapper subtype.
+
+* The CryptGenRandom entropy source is now also used on MinGW.
+
+* The system_rng API is now also available on systems with CryptGenRandom
+
+* With GCC use -fstack-protector for linking as well as compiling,
+ as this is required on MinGW. Github issue 34.
+
+* Fix missing dependency in filters that caused compilation problem
+ in amalgamation builds. Github issue 33.
+
+* SSLv3 support is officially deprecated and will be removed in a
+ future release.
+
+Version 1.10.9, 2014-12-13
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed EAX tag verification to run in constant time
+
+* The default TLS policy now disables SSLv3.
+
+* A crash could occur when reading from a blocking random device if
+ the device initially indicated that entropy was available but
+ a concurrent process drained the entropy pool before the
+ read was initiated.
+
+* Fix decoding indefinite length BER constructs that contain a context
+ sensitive tag of zero. Github pull 26 from Janusz Chorko.
+
+* The ``botan-config`` script previously tried to guess its prefix from
+ the location of the binary. However this was error prone, and now
+ the script assumes the final installation prefix matches the value
+ set during the build. Github issue 29.
+
+Version 1.11.10, 2014-12-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* An implementation of McEliece code-based public key encryption based
+ on INRIA's HyMES and secured against a variety of side-channels was
+ contributed by cryptosource GmbH. The original version is LGPL but
+ cryptosource has secured permission to release an adaptation under a
+ BSD license. A CCA2-secure KEM scheme is also included.
+
+ The implementation is further described in
+ http://www.cryptosource.de/docs/mceliece_in_botan.pdf and
+ http://cryptosource.de/news_mce_in_botan_en.html
+
+* DSA and ECDSA now create RFC 6979 deterministic signatures.
+
+* Add support for TLS fallback signaling (draft-ietf-tls-downgrade-scsv-00).
+ Clients will send a fallback SCSV if the version passed to the Client
+ constructor is less than the latest version supported by local policy, so
+ applications implementing fallback are protected. Servers always check the
+ SCSV.
+
+* In previous versions a TLS::Server could service either TLS or DTLS
+ connections depending on policy settings and what type of client hello it
+ received. This has changed and now a Server object is initialized for
+ either TLS or DTLS operation. The default policy previously prohibited
+ DTLS, precisely to prevent a TCP server from being surprised by a DTLS
+ connection. The default policy now allows TLS v1.0 or higher or DTLS v1.2.
+
+* Fixed a bug in CCM mode which caused it to produce incorrect tags when used
+ with a value of L other than 2. This affected CCM TLS ciphersuites, which
+ use L=3. Thanks to Manuel Pégourié-Gonnard for the anaylsis and patch.
+ Bugzilla 270.
+
+* DTLS now supports timeouts and handshake retransmits. Timeout checking
+ is triggered by the application calling the new TLS::Channel::timeout_check.
+
+* Add a TLS policy hook to disable putting the value of the local clock in hello
+ random fields.
+
+* All compression operations previously available as Filters are now
+ performed via the Transformation API, which minimizes memory copies.
+ Compression operations are still available through the Filter API
+ using new general compression/decompression filters in comp_filter.h
+
+* The zlib module now also supports gzip compression and decompression.
+
+* Avoid a crash in low-entropy situations when reading from /dev/random, when
+ select indicated the device was readable but by the time we start the read the
+ entropy pool had been depleted.
+
+* The Miller-Rabin primality test function now takes a parameter allowing the
+ user to directly specify the maximum false negative probability they are
+ willing to accept.
+
+* PKCS #8 private keys can now be encrypted using GCM mode instead of
+ unauthenticated CBC. The default remains CBC for compatibility.
+
+* The default PKCS #8 encryption scheme has changed to use PBKDF2 with
+ SHA-256 instead of SHA-1
+
+* A specialized reducer for P-521 was added.
+
+* On Linux the mlock allocator will use MADV_DONTDUMP on the pool so
+ that the contents are not included in coredumps.
+
+* A new interface for directly using a system-provided PRNG is
+ available in system_rng.h. Currently only systems with /dev/urandom
+ are supported.
+
+* Fix decoding indefinite length BER constructs that contain a context sensitive
+ tag of zero. Github pull 26 from Janusz Chorko.
+
+* The GNU MP engine has been removed.
+
+* Added AltiVec detection for POWER8 processors.
+
+* Add a new install script written in Python which replaces shell hackery in the
+ makefiles.
+
+* Various modifications to better support Visual C++ 2013 and 2015. Github
+ issues 11, 17, 18, 21, 22.
+
+Version 1.10.8, 2014-04-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* SECURITY: Fix a bug in primality testing introduced in 1.8.3 which
+ caused only a single random base, rather than a sequence of random
+ bases, to be used in the Miller-Rabin test. This increased the
+ probability that a non-prime would be accepted, for instance a 1024
+ bit number would be incorrectly classed as prime with probability
+ around 2^-40. Reported by Jeff Marrison. CVE-2014-9742
+
+* The key length limit on HMAC has been raised to 512 bytes, allowing
+ the use of very long passphrases with PBKDF2.
+
+Version 1.11.9, 2014-04-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* SECURITY: Fix a bug in primality testing introduced in 1.8.3 which
+ caused only a single random base, rather than a sequence of random
+ bases, to be used in the Miller-Rabin test. This increased the
+ probability that a non-prime would be accepted, for instance a 1024
+ bit number would be incorrectly classed as prime with probability
+ around 2^-40. Reported by Jeff Marrison. CVE-2014-9742
+
+* X.509 path validation now returns a set of all errors that occurred
+ during validation, rather than immediately returning the first
+ detected error. This prevents a seemingly innocuous error (such as
+ an expired certificate) from hiding an obviously serious error
+ (such as an invalid signature). The Certificate_Status_Code enum is
+ now ordered by severity, and the most severe error is returned by
+ Path_Validation_Result::result(). The entire set of status codes is
+ available with the new all_statuses call.
+
+* Fixed a bug in OCSP response decoding which would cause an error
+ when attempting to decode responses from some widely used
+ responders.
+
+* An implementation of HMAC_DRBG RNG from NIST SP800-90A has been
+ added. Like the X9.31 PRNG implementation, it uses another
+ underlying RNG for seeding material.
+
+* An implementation of the RFC 6979 deterministic nonce generator has
+ been added.
+
+* Fix a bug in certificate path validation which prevented successful
+ validation if intermediate certificates were presented out of order.
+
+* Fix a bug introduced in 1.11.5 which could cause crashes or other
+ incorrect behavior when a cipher mode filter was followed in the
+ pipe by another filter, and that filter had a non-empty start_msg.
+
+* The types.h header now uses stdint.h rather than cstdint to avoid
+ problems with Clang on OS X.
+
+Version 1.11.8, 2014-02-13
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The ``botan`` command line application introduced in 1.11.7 is now
+ installed along with the library.
+
+* A bug in certificate path validation introduced in 1.11.6 which
+ caused all CRL signature checks to fail has been corrected.
+
+* The ChaCha20 stream cipher has been added.
+
+* The ``Transformation`` class no longer implements an interface for keying,
+ this has been moved to a new subclass ``Keyed_Transformation``.
+
+* The ``Algorithm`` class, which previously acted as a global base for
+ various types (ciphers, hashes, etc) has been removed.
+
+* CMAC now supports 256 and 512 bit block ciphers, which also allows
+ the use of larger block ciphers with EAX mode. In particular this
+ allows using Threefish in EAX mode.
+
+* The antique PBES1 private key encryption scheme (which only supports
+ DES or 64-bit RC2) has been removed.
+
+* The Square, Skipjack, and Luby-Rackoff block ciphers have been removed.
+
+* The Blue Midnight Wish hash function has been removed.
+
+* Skein-512 no longer supports output lengths greater than 512 bits.
+
+* Skein did not reset its internal state properly if clear() was
+ called, causing it to produce incorrect results for the following
+ message. It was reset correctly in final() so most usages should not
+ be affected.
+
+* A number of public key padding schemes have been renamed to match
+ the most common notation; for instance EME1 is now called OAEP and
+ EMSA4 is now called PSSR. Aliases are set which should allow all
+ current applications to continue to work unmodified.
+
+* A bug in CFB encryption caused a few bytes past the end of the final
+ block to be read. The actual output was not affected.
+
+* Fix compilation errors in the tests that occurred with minimized
+ builds. Contributed by Markus Wanner.
+
+* Add a new ``--destdir`` option to ``configure.py`` which controls
+ where the install target will place the output. The ``--prefix``
+ option continues to set the location where the library expects to be
+ eventually installed.
+
+* Many class destructors which previously deleted memory have been
+ removed in favor of using ``unique_ptr``.
+
+* Various portability fixes for Clang, Windows, Visual C++ 2013, OS X,
+ and x86-32.
+
+Version 1.11.7, 2014-01-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Botan's basic numeric types are now defined in terms of the
+ C99/C++11 standard integer types. For instance ``u32bit`` is now a
+ typedef for ``uint32_t``, and both names are included in the library
+ namespace. This should not result in any application-visible
+ changes.
+
+* There are now two executable outputs of the build, ``botan-test``,
+ which runs the tests, and ``botan`` which is used as a driver to call
+ into various subcommands which can also act as examples of library
+ use, much in the manner of the ``openssl`` command. It understands the
+ commands ``base64``, ``asn1``, ``x509``, ``tls_client``, ``tls_server``,
+ ``bcrypt``, ``keygen``, ``speed``, and various others. As part of this
+ change many obsolete, duplicated, or one-off examples were removed,
+ while others were extended with new functionality. Contributions of
+ new subcommands, new bling for exising ones, or documentation in any
+ form is welcome.
+
+* Fix a bug in Lion, which was broken by a change in 1.11.0. The
+ problem was not noticed before as Lion was also missing a test vector
+ in previous releases.
+
+Version 1.10.7, 2013-12-29
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* OAEP had two bugs, one of which allowed it to be used even if the
+ key was too small, and the other of which would cause a crash during
+ decryption if the EME data was too large for the associated key.
+
+Version 1.11.6, 2013-12-29
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The Boost filesystem and asio libraries are now being used by default.
+ Pass ``--without-boost`` to ``configure.py`` to disable.
+
+* The default TLS policy no longer allows SSLv3 or RC4.
+
+* OAEP had two bugs, one of which allowed it to be used even if the
+ key was too small, and the other of which would cause a crash during
+ decryption if the EME data was too large for the associated key.
+
+* GCM mode now uses the Intel clmul instruction when available
+
+* Add the Threefish-512 tweakable block cipher, including an AVX2 version
+
+* Add SIV (from :rfc:`5297`) as a nonce-based AEAD
+
+* Add HKDF (from :rfc:`5869`) using an experimental PRF interface
+
+* Add HTTP utility functions and OCSP online checking
+
+* Add TLS::Policy::acceptable_ciphersuite hook to disable ciphersuites
+ on an ad-hoc basis.
+
+* TLS::Session_Manager_In_Memory's constructor now requires a RNG
+
+Version 1.10.6, 2013-11-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The device reading entropy source now attempts to read from all
+ available devices. Previously it would break out early if a partial
+ read from a blocking source occurred, not continuing to read from a
+ non-blocking device. This would cause the library to fall back on
+ slower and less reliable techniques for collecting PRNG seed
+ material. Reported by Rickard Bellgrim.
+
+* HMAC_RNG (the default PRNG implementation) now automatically reseeds
+ itself periodically. Previously reseeds only occurred on explicit
+ application request.
+
+* Fix an encoding error in EC_Group when encoding using EC_DOMPAR_ENC_OID.
+ Reported by fxdupont on github.
+
+* In EMSA2 and Randpool, avoid calling name() on objects after deleting them if
+ the provided algorithm objects are not suitable for use. Found by Clang
+ analyzer, reported by Jeffrey Walton.
+
+* If X509_Store was copied, the u32bit containing how long to cache validation
+ results was not initialized, potentially causing results to be cached for
+ significant amounts of time. This could allow a certificate to be considered
+ valid after its issuing CA's cert expired. Expiration of the end-entity cert
+ is always checked, and reading a CRL always causes the status to be reset, so
+ this issue does not affect revocation. Found by Coverity scanner.
+
+* Avoid off by one causing a potentially unterminated string to be passed to
+ the connect system call if the library was configured to use a very long path
+ name for the EGD socket. Found by Coverity Scanner.
+
+* In PK_Encryptor_EME, PK_Decryptor_EME, PK_Verifier, and PK_Key_Agreement,
+ avoid dereferencing an unitialized pointer if no engine supported operations
+ on the key object given. Found by Coverity scanner.
+
+* Avoid leaking a file descriptor in the /dev/random and EGD entropy sources if
+ stdin (file descriptor 0) was closed. Found by Coverity scanner.
+
+* Avoid a potentially undefined operation in the bit rotation operations. Not
+ known to have caused problems under any existing compiler, but might have
+ caused problems in the future. Caught by Clang sanitizer, reported by Jeffrey
+ Walton.
+
+* Increase default hash iterations from 10000 to 50000 in PBES1 and PBES2
+
+* Add a fix for mips64el builds from Brad Smith.
+
+Version 1.11.5, 2013-11-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The TLS callback signatures have changed - there are now two distinct
+ callbacks for application data and alerts. TLS::Client and TLS::Server have
+ constructors which continue to accept the old callback and use it for both
+ operations.
+
+* The entropy collector that read from randomness devices had two bugs - it
+ would break out of the poll as soon as any read succeeded, and it selected on
+ each device individually. When a blocking source was first in the device list
+ and the entropy pool was running low, the reader might either block in select
+ until eventually timing out (continuing on to read from /dev/urandom instead),
+ or read just a few bytes, skip /dev/urandom, fail to satisfy the entropy
+ target, and the poll would continue using other (slower) sources. This caused
+ substantial performance/latency problems in RNG heavy applications. Now all
+ devices are selected over at once, with the effect that a full read from
+ urandom always occurs, along with however much (if any) output is available
+ from blocking sources.
+
+* Previously AutoSeeded_RNG referenced a globally shared PRNG instance.
+ Now each instance has distinct state.
+
+* The entropy collector that runs Unix programs to collect statistical
+ data now runs multiple processes in parallel, greatly reducing poll
+ times on some systems.
+
+* The Randpool RNG implementation was removed.
+
+* All existing cipher mode implementations (such as CBC and XTS) have been
+ converted from filters to using the interface previously provided by
+ AEAD modes which allows for in-place message
+ processing. Code which directly references the filter objects will break, but
+ an adaptor filter allows usage through get_cipher as usual.
+
+* An implementation of CCM mode from RFC 3601 has been added, as well as CCM
+ ciphersuites for TLS.
+
+* The implementation of OCB mode now supports 64 and 96 bit tags
+
+* Optimized computation of XTS tweaks, producing a substantial speedup
+
+* Add support for negotiating Brainpool ECC curves in TLS
+
+* TLS v1.2 will not negotiate plain SHA-1 signatures by default.
+
+* TLS channels now support sending a ``std::vector``
+
+* Add a generic 64x64->128 bit multiply instruction operation in mul128.h
+
+* Avoid potentially undefined operations in the bit rotation operations. Not
+ known to have caused problems under existing compilers but might break in the
+ future. Found by Clang sanitizer, reported by Jeffrey Walton.
+
+Version 1.11.4, 2013-07-25
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* CPU specific extensions are now always compiled if support for the
+ operations is available at build time, and flags enabling use of
+ extra operations (such as SSE2) are only included when compiling
+ files which specifically request support. This means, for instance,
+ that the SSSE3 and AES-NI implementations of AES are always included
+ in x86 builds, relying on runtime cpuid checking to prevent their
+ use on CPUs that do not support those operations.
+
+* The default TLS policy now only accepts TLS, to minimize surprise
+ for servers which might not expect to negotiate DTLS. Previously a
+ server would by default negotiate either protocol type (clients
+ would only accept the same protocol type as they
+ offered). Applications which use DTLS or combined TLS/DTLS need to
+ override ``Policy::acceptable_protocol_version``.
+
+* The TLS channels now accept a new parameter specifying how many
+ bytes to preallocate for the record handling buffers, which allows
+ an application some control over how much memory is used at runtime
+ for a particular connection.
+
+* Applications can now send arbitrary TLS alert messages using
+ ``TLS::Channel::send_alert``
+
+* A new TLS policy ``NSA_Suite_B_128`` is available, which
+ will negotiate only the 128-bit security NSA Suite B. See
+ :rfc:`6460` for more information about Suite B.
+
+* Adds a new interface for benchmarking, ``time_algorithm_ops``,
+ which returns a map of operations to operations per second. For
+ instance now both encrypt and decrypt speed of a block cipher can be
+ checked, as well as the key schedule of all keyed algorithms. It
+ additionally supports AEAD modes.
+
+* Rename ARC4 to RC4
+
+Version 1.11.3, 2013-04-11
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add a new interface for AEAD modes (``AEAD_Mode``).
+
+* Implementations of the OCB and GCM authenticated cipher modes are
+ now included.
+
+* Support for TLS GCM ciphersuites is now available.
+
+* A new TLS policy mechanism
+ ``TLS::Policy::server_uses_own_ciphersuite_preferences``
+ controls how a server chooses a ciphersuite. Previously it always
+ chose its most preferred cipher out of the client's list, but this
+ can allow configuring a server to choose by the client's preferences
+ instead.
+
+* ``Keyed_Filter`` now supports returning a
+ ``Key_Length_Specification`` so the full details of what
+ keylengths are supported is now available in keyed filters.
+
+* The experimental and rarely used Turing and WiderWAKE stream ciphers
+ have been removed
+
+* New functions for symmetric encryption are included in cryptobox.h
+ though interfaces and formats are subject to change.
+
+* A new function ``algorithm_kat_detailed`` returns a string
+ providing information about failures, instead of just a pass/fail
+ indicator as in ``algorithm_kat``.
+
+Version 1.10.5, 2013-03-02
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* A potential crash in the AES-NI implementation of the AES-192 key
+ schedule (caused by misaligned loads) has been fixed.
+
+* A previously conditional operation in Montgomery multiplication and
+ squaring is now always performed, removing a possible timing
+ channel.
+
+* Use correct flags for creating a shared library on OS X under Clang.
+
+* Fix a compile time incompatibility with Visual C++ 2012.
+
+Version 1.11.2, 2013-03-02
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* A bug in the release script caused the ``botan_version.py`` included
+ in 1.11.1`` to be invalid, which required a manual edit to fix
+ (Bugzilla 226)
+
+* Previously ``clear_mem`` was implemented by an inlined call to
+ ``std::memset``. However an optimizing compiler might notice cases
+ where the memset could be skipped in cases allowed by the standard.
+ Now ``clear_mem`` calls ``zero_mem`` which is compiled separately and
+ which zeros out the array through a volatile pointer. It is possible
+ some compiler with some optimization setting (especially with
+ something like LTO) might still skip the writes. It would be nice if
+ there was an automated way to test this.
+
+* The new filter ``Threaded_Fork`` acts like a normal
+ ``Fork``, sending its input to a number of different
+ filters, but each subchain of filters in the fork runs in its own
+ thread. Contributed by Joel Low.
+
+* The default TLS policy formerly preferred AES over RC4, and allowed
+ 3DES by default. Now the default policy is to negotiate only either
+ AES or RC4, and to prefer RC4.
+
+* New TLS ``Blocking_Client`` provides a thread per
+ connection style API similar to that provided in 1.10
+
+* The API of ``Credentials_Manager::trusted_certificate_authorities``
+ has changed to return a vector of ``Certificate_Store*`` instead of
+ ``X509_Certificate``. This allows the list of trusted CAs to be
+ more easily updated dynamically or loaded lazily.
+
+* The ``asn1_int.h`` header was split into ``asn1_alt_name.h``,
+ ``asn1_attribute.h`` and ``asn1_time.h``.
+
+Version 1.10.4, 2013-01-07
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Avoid a conditional operation in the power mod implementations on if
+ a nibble of the exponent was zero or not. This may help protect
+ against certain forms of side channel attacks.
+
+* The SRP6 code was checking for invalid values as specified in RFC
+ 5054, specifically values equal to zero mod p. However SRP would
+ accept negative A/B values, or ones larger than p, neither of which
+ should occur in a normal run of the protocol. These values are now
+ rejected. Credits to Timothy Prepscius for pointing out these values
+ are not normally used and probably signal something fishy.
+
+* The return value of version_string is now a compile time constant
+ string, so version information can be more easily extracted from
+ binaries.
+
+Version 1.11.1, 2012-10-30
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Initial support for DTLS (both v1.0 and v1.2) is available in this
+release, though it should be considered highly experimental. Currently
+timeouts and retransmissions are not handled.
+
+The ``TLS::Client`` constructor now takes the version to
+offer to the server. The policy hook ``TLS::Policy`` function
+`pref_version``, which previously controlled this, has been removed.
+
+`TLS::Session_Manager_In_Memory`` now chooses a random
+256-bit key at startup and encrypts all sessions (using the existing
+`TLS::Session::encrypt`` mechanism) while they are stored in
+memory. This is primarily to reduce pressure on locked memory, as each
+session normally requires 48 bytes of locked memory for the master
+secret, whereas now only 32 bytes are needed total. This change may
+also make it slightly harder for an attacker to extract session data
+from memory dumps (eg with a cold boot attack).
+
+The keys used in TLS session encryption were previously uniquely
+determined by the master key. Now the encrypted session blob includes
+two 80 bit salts which are used in the derivation of the cipher and
+MAC keys.
+
+The ``secure_renegotiation`` flag is now considered an aspect of the
+connection rather than the session, which matches the behavior of
+other implementations. As the format has changed, sessions saved to
+persistent storage by 1.11.0 will not load in this version and vice
+versa. In either case this will not cause any errors, the session will
+simply not resume and instead a full handshake will occur.
+
+New policy hooks ``TLS::Policy::acceptable_protocol_version``,
+`TLS::Policy::allow_server_initiated_renegotiation``, and
+`TLS::Policy::negotiate_heartbeat_support`` were added.
+
+TLS clients were not sending a next protocol message during a session
+resumption, which would cause resumption failures with servers that
+support NPN if NPN was being offered by the client.
+
+A bug caused heartbeat requests sent by the counterparty during a
+handshake to be passed to the application callback as if they were
+heartbeat responses.
+
+Support for TLS key material export as specified in :rfc:`5705` has
+been added, available via ``TLS::Channel::key_material_export``
+
+A new function ``Public_Key::estimated_strength`` returns
+an estimate for the upper bound of the strength of the key. For
+instance for an RSA key, it will return an estimate of how many
+operations GNFS would take to factor the key.
+
+A new ``Path_Validation_Result`` code has been added
+``SIGNATURE_METHOD_TOO_WEAK``. By default signatures created with keys
+below 80 bits of strength (as estimated by ``estimated_strength``) are
+rejected. This level can be modified using a parameter to the
+``Path_Validation_Restrictions`` constructor.
+
+The SRP6 code was checking for invalid values as specified in
+:rfc:`5054`, ones equal to zero mod p, however it would accept
+negative A/B values, or ones larger than p, neither of which should
+occur in a normal run of the protocol. These values are now
+rejected. Credits to Timothy Prepscius for pointing out these values
+are not normally used and probably signal something fishy.
+
+Several ``BigInt`` functions have been removed, including
+``operator[]``, ``assign``, ``get_reg``, and ``grow_reg``. The version
+of ``data`` that returns a mutable pointer has been renamed
+``mutable_data``. Support for octal conversions has been removed.
+
+The constructor ``BigInt(NumberType type, size_t n)`` has been
+removed, replaced by ``BigInt::power_of_2``.
+
+In 1.11.0, when compiled by GCC, the AES-NI implementation of AES-192
+would crash if the mlock-based allocator was used due to an alignment
+issue.
+
+Version 1.11.0, 2012-07-19
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. note::
+
+ In this release, many new features of C++11 are being used in the
+ library. Currently GCC 4.7 and Clang 3.1 are known to work well.
+ This version of the library cannot be compiled by or used with a
+ C++98 compiler.
+
+There have been many changes and improvements to TLS. The interface
+is now purely event driven and does not directly interact with
+sockets. New TLS features include TLS v1.2 support, client
+certificate authentication, renegotiation, session tickets, and
+session resumption. Session information can be saved in memory or to
+an encrypted SQLite3 database. Newly supported TLS ciphersuite
+algorithms include using SHA-2 for message authentication, pre shared
+keys and SRP for authentication and key exchange, ECC algorithms for
+key exchange and signatures, and anonymous DH/ECDH key exchange.
+
+Support for OCSP has been added. Currently only client-side support
+exists.
+
+The API for X.509 path validation has changed, with
+``x509_path_validate`` in x509path.h now handles path validation and
+``Certificate_Store`` handles storage of certificates and CRLs.
+
+The memory container types have changed substantially. The
+``MemoryVector`` and ``SecureVector`` container types have been
+removed, and an alias of ``std::vector`` using an allocator that
+clears memory named ``secure_vector`` is used for key material, with
+plain ``std::vector`` being used for everything else.
+
+The technique used for mlock'ing memory on Linux and BSD systems is
+much improved. Now a single page-aligned block of memory (the exact
+limit of what we can mlock) is mmap'ed, with allocations being done
+using a best-fit allocator and all metadata held outside the mmap'ed
+range, in an effort to make best use of the very limited amount of
+memory current Linux kernels allow unpriveledged users to lock.
+
+A filter using LZMA was contributed by Vojtech Kral. It is available
+if LZMA support was enabled at compilation time by passing
+``--with-lzma`` to ``configure.py``.
+
+:rfc:`5915` adds some extended information which can be included in
+ECC private keys which the ECC key decoder did not expect, causing an
+exception when such a key was loaded. In particular, recent versions
+of OpenSSL use these fields. Now these fields are decoded properly,
+and if the public key value is included it is used, as otherwise the
+public key needs to be rederived from the private key. However the
+library does not include these fields on encoding keys for
+compatibility with software that does not expect them (including older
+versions of botan).
+
+Version 1.8.14, 2012-07-18
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The malloc allocator would return null instead of throwing in the
+ event of an allocation failure, which could cause an application
+ crash due to null pointer dereference where normally an exception
+ would occur.
+
+* Recent versions of OpenSSL include extra information in ECC private
+ keys, the presence of which caused an exception when such a key was
+ loaded by botan. The decoding of ECC private keys has been changed to
+ ignore these fields if they are set.
+
+* AutoSeeded_RNG has been changed to prefer ``/dev/random`` over
+ ``/dev/urandom``
+
+* Fix detection of s390x (Debian bug 638347)
+
+Version 1.10.3, 2012-07-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+A change in 1.10.2 accidentally broke ABI compatibility with 1.10.1
+and earlier versions, causing programs compiled against 1.10.1 to
+crash if linked with 1.10.2 at runtime.
+
+Recent versions of OpenSSL include extra information in ECC private
+keys, the presence of which caused an exception when such a key was
+loaded by botan. The decoding of ECC private keys has been changed to
+ignore these fields if they are set.
+
+Version 1.10.2, 2012-06-17
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Several TLS bugs were fixed in this release, including a major
+omission that the renegotiation extension was not being used. As the
+1.10 implementation of TLS does not properly support renegotiation,
+the approach in this release is simply to send the renegotiation
+extension SCSV, which should protect the client against any handshake
+splicing. In addition renegotiation attempts are handled properly
+instead of causing handshake failures - all hello requests, and all
+client hellos after the initial negotiation, are ignored. Some
+bugs affecting DSA server authentication were also fixed.
+
+By popular request, ``Pipe::reset`` no longer requires that message
+processing be completed, a requirement that caused problems when a
+Filter's end_msg call threw an exception, after which point the Pipe
+object was no longer usable.
+
+Support for getting entropy using the rdrand instruction introduced in
+Intel's Ivy Bridge processors has been added. In previous releases,
+the ``CPUID::has_rdrand`` function was checking the wrong cpuid bit,
+and would false positive on AMD Bulldozer processors.
+
+An implementation of SRP-6a compatible with the specification in RFC
+5054 is now available in ``srp6.h``. In 1.11, this is being used for
+TLS-SRP, but may be useful in other environments as well.
+
+An implementation of the Camellia block cipher was added, again largely
+for use in TLS.
+
+If ``clock_gettime`` is available on the system, hres_timer will poll all
+the available clock types.
+
+AltiVec is now detected on IBM POWER7 processors and on OpenBSD systems.
+The OpenBSD support was contributed by Brad Smith.
+
+The Qt mutex wrapper was broken and would not compile with any recent
+version of Qt. Taking this as a clear indication that it is not in use,
+it has been removed.
+
+Avoid setting the soname on OpenBSD, as it doesn't support it (Bugzilla 158)
+
+A compilation problem in the dynamic loader that prevented using
+dyn_load under MinGW GCC has been fixed.
+
+A common error for people using MinGW is to target GCC on Windows,
+however the 'Windows' target assumes the existence of Visual C++
+runtime functions which do not exist in MinGW. Now, configuring for
+GCC on Windows will cause the configure.py to warn that likely you
+wanted to configure for either MinGW or Cygwin, not the generic
+Windows target.
+
+A bug in configure.py would cause it to interpret ``--cpu=s390x`` as
+``s390``. This may have affected other CPUs as well. Now configure.py
+searches for an exact match, and only if no exact match is found will
+it search for substring matches.
+
+An incompatibility in configure.py with the subprocess module included
+in Python 3.1 has been fixed (Bugzilla 157).
+
+The exception catching syntax of configure.py has been changed to the
+Python 3.x syntax. This syntax also works with Python 2.6 and 2.7, but
+not with any earlier Python 2 release. A simple search and replace
+will allow running it under Python 2.5::
+
+ perl -pi -e 's/except (.*) as (.*):/except $1, $2:/g' configure.py
+
+Note that Python 2.4 is not supported at all.
+
+Version 1.10.1, 2011-07-11
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* A race condition in ``Algorithm_Factory`` could cause crashes in
+ multithreaded code.
+
+* The return value of ``name`` has changed for GOST 28147-89 and
+ Skein-512. GOST's ``name`` now includes the name of the sbox, and
+ Skein's includes the personalization string (if nonempty). This
+ allows an object to be properly roundtripped, which is necessary to
+ fix the race condition described above.
+
+* A new distribution script is now included, as
+ ``src/build-data/scripts/dist.py``
+
+* The ``build.h`` header now includes, if available, an identifier of
+ the source revision that was used. This identifier is also included
+ in the result of ``version_string``.
+
+Version 1.8.13, 2011-07-02
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* A race condition in ``Algorithm_Factory`` could cause crashes in
+ multithreaded code.
+
+Version 1.10.0, 2011-06-20
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Detection for the rdrand instruction being added to upcoming Intel
+ Ivy Bridge processors has been added.
+
+* A template specialization of std::swap was added for the memory
+ container types.
+
+Version 1.8.12, 2011-06-20
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* If EMSA3(Raw) was used for more than one signature, it would produce
+ incorrect output.
+
+* Fix the --enable-debug option to configure.py
+
+* Improve OS detection on Cygwin
+
+* Fix compilation under Sun Studio 12 on Solaris
+
+* Fix a memory leak in the constructors of DataSource_Stream and
+ DataSink_Stream which would occur if opening the file failed (Bugzilla 144)
+
+Version 1.9.18, 2011-06-03
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fourth release candidate for 1.10.0
+
+* The GOST 34.10 verification operation was not ensuring that s and r
+ were both greater than zero. This could potentially have meant it
+ would have accepted an invalid all-zero signature as valid for any
+ message. Due to how ECC points are internally represented it instead
+ resulted in an exception being thrown.
+
+* A simple multiexponentation algorithm is now used in ECDSA and
+ GOST-34.10 signature verification, leading to 20 to 25% improvements
+ in ECDSA and 25% to 40% improvements in GOST-34.10 verification
+ performance.
+
+* The internal representation of elliptic curve points has been
+ modified to use Montgomery representation exclusively, resulting in
+ reduced memory usage and a 10 to 20% performance improvement for
+ ECDSA and ECDH.
+
+* In OAEP decoding, scan for the delimiter bytes using a loop that is
+ written without conditionals so as to help avoid timing analysis.
+ Unfortunately GCC at least is 'smart' enough to compile it to
+ jumps anyway.
+
+* The SSE2 implementation of IDEA did not work correctly when compiled
+ by Clang, because the trick it used to emulate a 16 bit unsigned
+ compare in SSE (which doesn't contain one natively) relied on signed
+ overflow working in the 'usual' way. A different method that doesn't
+ rely on signed overflow is now used.
+
+* Add support for compiling SSL using Visual C++ 2010's TR1
+ implementation.
+
+* Fix a bug under Visual C++ 2010 which would cause ``hex_encode`` to
+ crash if given a zero-sized input to encode.
+
+* A new build option ``--via-amalgamation`` will first generate the
+ single-file amalgamation, then build the library from that single
+ file. This option requires a lot of memory and does not parallelize,
+ but the resulting library is smaller and may be faster.
+
+* On Unix, the library and header paths have been changed to allow
+ parallel installation of different versions of the library. Headers
+ are installed into ``<prefix>/include/botan-1.9/botan``, libraries
+ are named ``libbotan-1.9``, and ``botan-config`` is now namespaced
+ (so in this release ``botan-config-1.9``). All of these embedded
+ versions will be 1.10 in the upcoming stable release.
+
+* The soname system has been modified. In this release the library
+ soname is ``libbotan-1.9.so.0``, with the full library being named
+ ``libbotan-1.9.so.0.18``. The ``0`` is the ABI version, and will be
+ incremented whenever a breaking ABI change is made.
+
+* TR1 support is not longer automatically assumed under older versions
+ of GCC
+
+* Functions for base64 decoding that work standalone (without needing
+ to use a pipe) have been added to ``base64.h``
+
+* The function ``BigInt::to_u32bit`` was inadvertently removed in 1.9.11
+ and has been added back.
+
+* The function ``BigInt::get_substring`` did not work correctly with a
+ *length* argument of 32.
+
+* The implementation of ``FD_ZERO`` on Solaris uses ``memset`` and
+ assumes the caller included ``string.h`` on its behalf. Do so to
+ fix compilation in the ``dev_random`` and ``unix_procs`` entropy
+ sources. Patch from Jeremy C. Reed.
+
+* Add two different configuration targets for Atom, since some are
+ 32-bit and some are 64-bit. The 'atom' target now refers to the
+ 64-bit implementations, use 'atom32' to target the 32-bit
+ processors.
+
+* The (incomplete) support for CMS and card verifiable certificates
+ are disabled by default; add ``--enable-modules=cms`` or
+ ``--enable-modules=cvc`` during configuration to turn them back on.
+
+Version 1.9.17, 2011-04-29
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Third release candidate for 1.10.0
+
+* The format preserving encryption method currently available was
+ presented in the header ``fpe.h`` and the functions ``fpe_encrypt``
+ and ``fpe_decrypt``. These were renamed as it is likely that other
+ FPE schemes will be included in the future. The header is now
+ ``fpe_fe1.h``, and the functions are named ``fe1_encrypt`` and
+ ``fe1_decrypt``.
+
+* New options to ``configure.py`` control what tools are used for
+ documentation generation. The ``--with-sphinx`` option enables using
+ Sphinx to convert ReST into HTML; otherwise the ReST sources are
+ installed directly. If ``--with-doxygen`` is used, Doxygen will run
+ as well. Documentation generation can be triggered via the ``docs``
+ target in the makefile; it will also be installed by the install
+ target on Unix.
+
+* A bug in 1.9.16 effectively disabled support for runtime CPU feature
+ detection on x86 under GCC in that release.
+
+* A mostly internal change, all references to "ia32" and "amd64" have
+ been changed to the vendor neutral and probably easier to understand
+ "x86-32" and "x86-64". For instance, the "mp_amd64" module has been
+ renamed "mp_x86_64", and the macro indicating x86-32 has changed
+ from ``BOTAN_TARGET_ARCH_IS_IA32`` to
+ ``BOTAN_TARGET_ARCH_IS_X86_32``. The classes calling assembly have
+ also been renamed.
+
+* Similiarly to the above change, the AES implemenations using the
+ AES-NI instruction set have been renamed from AES_XXX_Intel to
+ AES_XXX_NI.
+
+* Systems that are identified as ``sun4u`` will default to compiling for
+ 32-bit SPARCv9 code rather than 64-bit. This matches the still
+ common convention for 32-bit SPARC userspaces. If you want 64-bit
+ code on such as system, use ``--cpu=sparc64``.
+
+* Some minor fixes for compiling botan under the BeOS
+ clone/continuation `Haiku <http://haiku-os.org>`_.
+
+* Further updates to the documentation
+
+Version 1.9.16, 2011-04-11
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Second release candidate for 1.10.0
+
+* The documentation, previously written in LaTeX, is now in
+ reStructuredText suitable for processing by `Sphinx
+ <http://sphinx.pocoo.org>`_, which can generate nicely formatted
+ HTML and PDFs. The documentation has also been greatly updated and
+ expanded.
+
+* The class ``EC_Domain_Params`` has been renamed ``EC_Group``, with a
+ typedef for backwards compatibility.
+
+* The ``EC_Group`` string constructor didn't understand the standard
+ names like "secp160r1", forcing use of the OIDs.
+
+* Two constructors for ECDSA private keys, the one that creates a new
+ random key, and the one that provides a preset private key as a
+ ``BigInt``, have been merged. This matches the existing interface
+ for DSA and DH keys. If you previously used the version taking a
+ ``BigInt`` private key, you'll have to additionally pass in a
+ ``RandomNumberGenerator`` object starting in this release.
+
+* It is now possible to create ECDH keys with a preset ``BigInt``
+ private key; previously no method for this was available.
+
+* The overload of ``generate_passhash9`` that takes an explicit
+ algorithm identifier has been merged with the one that does not.
+ The algorithm identifier code has been moved from the second
+ parameter to the fourth.
+
+* Change shared library versioning to match the normal Unix
+ conventions. Instead of ``libbotan-X.Y.Z.so``, the shared lib is
+ named ``libbotan-X.Y.so.Z``; this allows the runtime linker to do
+ its runtime linky magic. It can be safely presumed that any change
+ in the major or minor version indicates ABI incompatibility.
+
+* Remove the socket wrapper code; it was not actually used by anything
+ in the library, only in the examples, and you can use whatever kind
+ of (blocking) socket interface you like with the SSL/TLS code. It's
+ available as socket.h in the examples directory if you want to use
+ it.
+
+* Disable the by-default 'strong' checking of private keys that are
+ loaded from storage. You can always request key material sanity
+ checking using Private_Key::check_key.
+
+* Bring back removed functions ``min_keylength_of``,
+ ``max_keylength_of``, ``keylength_multiple_of`` in ``lookup.h`` to
+ avoid breaking applications written against 1.8
+
+Version 1.9.15, 2011-03-21
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* First release candidate for 1.10.0
+
+* Modify how message expansion is done in SHA-256 and SHA-512.
+ Instead of expanding the entire message at the start, compute them
+ in the minimum number of registers. Values are computed 15 rounds
+ before they are needed. On a Core i7-860, GCC 4.5.2, went from 143
+ to 157 MiB/s in SHA-256, and 211 to 256 MiB/s in SHA-512.
+
+* Pipe will delete empty output queues as soon as they are no longer
+ needed, even if earlier messages still have data unread. However an
+ (empty) entry in a deque of pointers will remain until all prior
+ messages are completely emptied.
+
+* Avoid reading the SPARC ``%tick`` register on OpenBSD as unlike the
+ Linux and NetBSD kernels, it will not trap and emulate it for us,
+ causing a illegal instruction crash.
+
+* Improve detection and autoconfiguration for ARM processors. Thanks
+ go out to the the `Tahoe-LAFS Software Foundation
+ <http://tahoe-lafs.org>`_, who donated a Sheevaplug that I'll be
+ using to figure out how to make the cryptographic primitives
+ Tahoe-LAFS relies on faster, particularly targeting the ARMv5TE.
+
+Version 1.9.14, 2011-03-01
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add support for bcrypt, OpenBSD's password hashing scheme.
+
+* Add support for NIST's AES key wrapping algorithm, as described in
+ :rfc:`3394`. It is available by including ``rfc3394.h``.
+
+* Fix an infinite loop in zlib filters introduced in 1.9.11 (Bugzilla 142)
+
+Version 1.9.13, 2011-02-19
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+GOST 34.10 signatures were being formatted in a way that was not
+compatible with other implemenations, and specifically how GOST is
+used in DNSSEC.
+
+The Keccak hash function was updated to the tweaked variant proposed
+for round 3 of the NIST hash competition. This version is not
+compatible with the previous algorithm.
+
+A new option ``--distribution-info`` was added to the configure
+script. It allows the user building the library to set any
+distribution-specific notes on the build, which are available as a
+macro ``BOTAN_DISTRIBUTION_INFO``. The default value is
+'unspecified'. If you are building an unmodified version of botan
+(especially for distribution), and want to indicate to applications
+that this is the case, consider using
+``--distribution-info=pristine``. If you are making any patches or
+modifications, it is recommended to use
+``--distribution-info=[Distribution Name] [Version]``, for instance
+'FooNix 1.9.13-r3'.
+
+Some bugs preventing compilation under Clang 2.9 and Sun Studio 12
+were fixed.
+
+The DER/BER codecs use ``size_t`` instead of ``u32bit`` for small
+integers
+
+Version 1.9.12, 2010-12-13
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add the Keccak hash function
+* Fix compilation problems in Python wrappers
+* Fix compilation problem in OpenSSL engine
+* Update SQLite3 database encryption codec
+
+Version 1.9.11, 2010-11-29
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The TLS API has changed substantially and now relies heavily on
+ TR1's ``std::function`` is now required. Additionally, it is
+ required that all callers derive a subclass of TLS_Policy and pass
+ it to a client or server object. Please remember that the TLS
+ interface/API is currently unstable and will very likely change
+ further before TLS is included in a stable release. A handshake
+ failure that occurred when RC4 was negotiated has also been fixed.
+
+* Some possible timing channels in the implementations of Montgomery
+ reduction and the IDEA key schedule were removed. The table-based
+ AES implementation uses smaller tables in the first round to help
+ make some timing/cache attacks harder.
+
+* The library now uses size_t instead of u32bit to represent
+ lengths. Also the interfaces for the memory containers have changed
+ substantially to better match STL container interfaces;
+ MemoryRegion::append, MemoryRegion::destroy, and MemoryRegion::set
+ were all removed, and several other functions, like clear and
+ resize, have changed meaning.
+
+* Update Skein-512 to match the v1.3 specification
+* Fix a number of CRL encoding and decoding bugs
+* Counter mode now always encrypts 256 blocks in parallel
+* Use small tables in the first round of AES
+* Removed AES class: app must choose AES-128, AES-192, or AES-256
+* Add hex encoding/decoding functions that can be used without a Pipe
+* Add base64 encoding functions that can be used without a Pipe
+* Add to_string function to X509_Certificate
+* Add support for dynamic engine loading on Windows
+* Replace BlockCipher::BLOCK_SIZE attribute with function block_size()
+* Replace HashFunction::HASH_BLOCK_SIZE attribute with hash_block_size()
+* Move PBKDF lookup to engine system
+* The IDEA key schedule has been changed to run in constant time
+* Add Algorithm and Key_Length_Specification classes
+* Switch default PKCS #8 encryption algorithm from AES-128 to AES-256
+* Allow using PBKDF2 with empty passphrases
+* Add compile-time deprecation warnings for GCC, Clang, and MSVC
+* Support use of HMAC(SHA-256) and CMAC(Blowfish) in passhash9
+* Improve support for Intel Atom processors
+* Fix compilation problems under Sun Studio and Clang
+
+Version 1.8.11, 2010-11-02
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a number of CRL encoding and decoding bugs
+* When building a debug library under VC++, use the debug runtime
+* Fix compilation under Sun Studio on Linux and Solaris
+* Add several functions for compatibility with 1.9
+* In the examples, read most input files as binary
+* The Perl build script has been removed in this release
+
+Version 1.8.10, 2010-08-31
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Switch default PKCS #8 encryption algorithm from 3DES to AES-256
+* Increase default hash iterations from 2048 to 10000 in PBES1 and PBES2
+* Use small tables in the first round of AES
+* Add PBKDF typedef and get_pbkdf for better compatibility with 1.9
+* Add version of S2K::derive_key taking salt and iteration count
+* Enable the /proc-walking entropy source on NetBSD
+* Fix the doxygen makefile target
+
+Version 1.9.10, 2010-08-12
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add a constant-time AES implementation using SSSE3. This code is
+ based on public domain assembly written by `Mike Hamburg
+ <http://crypto.stanford.edu/vpaes/>`_, and described in his CHES
+ 2009 paper "Accelerating AES with Vector Permute Instructions". In
+ addition to being constant time, it is also significantly faster
+ than the table-based implementation on some processors. The current
+ code has been tested with GCC 4.5, Visual C++ 2008, and Clang 2.8.
+
+* Support for dynamically loading Engine objects at runtime was also
+ added. Currently only system that use ``dlopen``-style dynamic
+ linking are supported.
+
+* On GCC 4.3 and later, use the byteswap intrinsic functions.
+
+* Drop support for building with Python 2.4
+
+* Fix benchmarking of block ciphers in ECB mode
+
+* Consolidate the two x86 assembly engines
+
+* Rename S2K to PBKDF
+
+Version 1.9.9, 2010-06-28
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+A new pure virtual function has been added to ``Filter``, ``name``
+which simply returns some useful identifier for the object. Any
+out-of-tree ``Filter`` implementations will need to be updated.
+
+Add ``Keyed_Filter::valid_iv_length`` which makes it possible to query
+as to what IV length(s) a particular filter allows. Previously,
+partially because there was no such query mechanism, if a filter did
+not support IVs at all, then calls to ``set_iv`` would be silently
+ignored. Now an exception about the invalid IV length will be thrown.
+
+The default iteration count for the password based encryption schemes
+has been increased from 2048 to 10000. This should make
+password-guessing attacks against private keys encrypted with versions
+after this release somewhat harder.
+
+New functions for encoding public and private keys to binary,
+``X509::BER_encode`` and ``PKCS8::BER_encode`` have been added.
+
+Problems compiling under Apple's version of GCC 4.2.1 and on 64-bit
+MIPS systems using GCC 4.4 or later were fixed.
+
+The coverage of Doxygen documentation comments has significantly
+improved in this release.
+
+Version 1.8.9, 2010-06-16
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Use constant time multiplication in IDEA
+
+* Avoid possible timing attack against OAEP decoding
+
+* Add new X509::BER_encode and PKCS8::BER_encode
+
+* Enable DLL builds under Windows
+
+* Add Win32 installer support
+
+* Add support for the Clang compiler
+
+* Fix problem in semcem.h preventing build under Clang or GCC 3.4
+
+* Fix bug that prevented creation of DSA groups under 1024 bits
+
+* Fix crash in GMP_Engine if library is shutdown and reinitialized and
+ a PK algorithm was used after the second init
+
+* Work around problem with recent binutils in x86-64 SHA-1
+
+* The Perl build script is no longer supported and refuses to run by
+ default. If you really want to use it, pass
+ ``--i-know-this-is-broken`` to the script.
+
+Version 1.9.8, 2010-06-14
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add support for wide multiplications on 64-bit Windows
+* Use constant time multiplication in IDEA
+* Avoid possible timing attack against OAEP decoding
+* Removed FORK-256; rarely used and it has been broken
+* Rename ``--use-boost-python`` to ``--with-boost-python``
+* Skip building shared libraries on MinGW/Cygwin
+* Fix creation of 512 and 768 bit DL groups using the DSA kosherizer
+* Fix compilation on GCC versions before 4.3 (missing cpuid.h)
+* Fix compilation under the Clang compiler
+
+Version 1.9.7, 2010-04-27
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* TLS: Support reading SSLv2 client hellos
+* TLS: Add support for SEED ciphersuites (RFC 4162)
+* Add Comb4P hash combiner function
+
+* Fix checking of EMSA_Raw signatures with leading 0 bytes, valid
+ signatures could be rejected in certain scenarios.
+
+Version 1.9.6, 2010-04-09
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* TLS: Add support for TLS v1.1
+* TLS: Support server name indicator extension
+* TLS: Fix server handshake
+* TLS: Fix server using DSA certificates
+* TLS: Avoid timing channel between CBC padding check and MAC verification
+
+Version 1.9.5, 2010-03-29
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Numerous ECC optimizations
+* Fix GOST 34.10-2001 X.509 key loading
+* Allow PK_Signer's fault protection checks to be toggled off
+* Avoid using pool-based locking allocator if we can't mlock
+* Remove all runtime options
+* New BER_Decoder::{decode_and_check, decode_octet_string_bigint}
+* Remove SecureBuffer in favor of SecureVector length parameter
+* HMAC_RNG: Perform a poll along with user-supplied entropy
+* Fix crash in MemoryRegion if Allocator::get failed
+* Fix small compilation problem on FreeBSD
+
+Version 1.9.4, 2010-03-09
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add the Ajisai SSLv3/TLSv1.0 implementation
+
+* Add GOST 34.10-2001 public key signature scheme
+* Add SIMD implementation of Noekeon
+
+* Add SSE2 implementation of IDEA
+
+* Extend Salsa20 to support longer IVs (XSalsa20)
+
+* Perform XTS encryption and decryption in parallel where possible
+
+* Perform CBC decryption in parallel where possible
+
+* Add SQLite3 db encryption codec, contributed by Olivier de Gaalon
+
+* Add a block cipher cascade construction
+
+* Add support for password hashing for authentication (passhash9.h)
+
+* Add support for Win32 high resolution system timers
+
+* Major refactoring and API changes in the public key code
+
+* PK_Signer class now verifies all signatures before releasing them to
+ the caller; this should help prevent a wide variety of fault
+ attacks, though it does have the downside of hurting signature
+ performance, particularly for DSA/ECDSA.
+
+* Changed S2K interface: derive_key now takes salt, iteration count
+
+* Remove dependency on TR1 shared_ptr in ECC and CVC code
+
+* Renamed ECKAEG to its more usual name, ECDH
+
+* Fix crash in GMP_Engine if library is shutdown and reinitialized
+
+* Fix an invalid memory read in MD4
+
+* Fix Visual C++ static builds
+
+* Remove Timer class entirely
+
+* Switch default PKCS #8 encryption algorithm from 3DES to AES-128
+
+* New configuration option, ``--gen-amalgamation``, creates a pair of
+ files (``botan_all.cpp`` and ``botan_all.h``) which contain the
+ contents of the library as it would have normally been compiled
+ based on the set configuration.
+
+* Many headers are now explicitly internal-use-only and are not installed
+
+* Greatly improve the Win32 installer
+
+* Several fixes for Visual C++ debug builds
+
+Version 1.9.3, 2009-11-19
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add new AES implementation using Intel's AES instruction intrinsics
+* Add an implementation of format preserving encryption
+* Allow use of any hash function in X.509 certificate creation
+* Optimizations for MARS, Skipjack, and AES
+* Set macros for available SIMD instructions in build.h
+* Add support for using InnoSetup to package Windows builds
+* By default build a DLL on Windows
+
+Version 1.8.8, 2009-11-03
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Alter Skein-512 to match the tweaked 1.2 specification
+* Fix use of inline asm for access to x86 bswap function
+* Allow building the library without AES enabled
+* Add 'powerpc64' alias to ppc64 arch for Gentoo ebuild
+
+Version 1.9.2, 2009-11-03
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add SIMD version of XTEA
+* Support both SSE2 and AltiVec SIMD for Serpent and XTEA
+* Optimizations for SHA-1 and SHA-2
+* Add AltiVec runtime detection
+* Fix x86 CPU identification with Intel C++ and Visual C++
+
+Version 1.9.1, 2009-10-23
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Better support for Python and Perl wrappers
+* Add an implementation of Blue Midnight Wish (Round 2 tweak version)
+* Modify Skein-512 to match the tweaked 1.2 specification
+* Add threshold secret sharing (draft-mcgrew-tss-02)
+* Add runtime cpu feature detection for x86/x86-64
+* Add code for general runtime self testing for hashes, MACs, and ciphers
+* Optimize XTEA; twice as fast as before on Core2 and Opteron
+* Convert CTR_BE and OFB from filters to stream ciphers
+* New parsing code for SCAN algorithm names
+* Enable SSE2 optimizations under Visual C++
+* Remove all use of C++ exception specifications
+* Add support for GNU/Hurd and Clang/LLVM
+
+Version 1.8.7, 2009-09-09
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix processing multiple messages in XTS mode
+* Add --no-autoload option to configure.py, for minimized builds
+
+Version 1.9.0, 2009-09-09
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add support for parallel invocation of block ciphers where possible
+* Add SSE2 implementation of Serpent
+* Add Rivest's package transform (an all or nothing transform)
+* Minor speedups to the Turing key schedule
+* Fix processing multiple messages in XTS mode
+* Add --no-autoload option to configure.py, for minimized builds
+* The previously used configure.pl script is no longer supported
+
+Version 1.8.6, 2009-08-13
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add Cryptobox, a set of simple password-based encryption routines
+* Only read world-readable files when walking /proc for entropy
+* Fix building with TR1 disabled
+* Fix x86 bswap support for Visual C++
+* Fixes for compilation under Sun C++
+* Add support for Dragonfly BSD (contributed by Patrick Georgi)
+* Add support for the Open64 C++ compiler
+* Build fixes for MIPS systems running Linux
+* Minor changes to license, now equivalent to the FreeBSD/NetBSD license
+
+Version 1.8.5, 2009-07-23
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Change configure.py to work on stock Python 2.4
+* Avoid a crash in Skein_512::add_data processing a zero-length input
+* Small build fixes for SPARC, ARM, and HP-PA processors
+* The test suite now returns an error code from main() if any tests failed
+
+Version 1.8.4, 2009-07-12
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a bug in nonce generation in the Miller-Rabin test
+
+Version 1.8.3, 2009-07-11
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add a new Python configuration script
+* Add the Skein-512 SHA-3 candidate hash function
+* Add the XTS block cipher mode from IEEE P1619
+* Fix random_prime when generating a prime of less than 7 bits
+* Improve handling of low-entropy situations during PRNG seeding
+* Change random device polling to prefer /dev/urandom over /dev/random
+* Use an input insensitive implementation of same_mem instead of memcmp
+* Correct DataSource::discard_next to return the number of discarded bytes
+* Provide a default value for AutoSeeded_RNG::reseed
+* Fix Gentoo bug 272242
+
+Version 1.8.2, 2009-04-07
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Make entropy polling more flexible and in most cases faster
+* GOST 28147 now supports multiple sbox parameters
+* Added the GOST 34.11 hash function
+* Fix botan-config problems on MacOS X
+
+Version 1.8.1, 2009-01-20
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Avoid a valgrind warning in es_unix.cpp on 32-bit Linux
+* Fix memory leak in PKCS8 load_key and encrypt_key
+* Relicense api.tex from CC-By-SA 2.5 to BSD
+* Fix botan-config on MacOS X, Solaris
+
+Version 1.8.0, 2008-12-08
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix compilation on Solaris with GCC
+
+Version 1.7.24, 2008-12-01
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a compatibility problem with SHA-512/EMSA3 signature padding
+* Fix bug preventing EGD/PRNGD entropy poller from working
+* Fix integer overflow in Pooling_Allocator::get_more_core (bug id #27)
+* Add EMSA3_Raw, a variant of EMSA3 called CKM_RSA_PKCS in PKCS #11
+* Add support for SHA-224 in EMSA2 and EMSA3 PK signature padding schemes
+* Add many more test vectors for RSA with EMSA2, EMSA3, and EMSA4
+* Wrap private structs in SSE2 SHA-1 code in anonymous namespace
+* Change configure.pl's CPU autodetection output to be more consistent
+* Disable using OpenSSL's AES due to crashes of unknown cause
+* Fix warning in /proc walking entropy poller
+* Fix compilation with IBM XLC for Cell 0.9-200709
+
+Version 1.7.23, 2008-11-23
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Change to use TR1 (thus enabling ECDSA) with GCC and ICC
+* Optimize almost all hash functions, especially MD4 and Tiger
+* Add configure.pl options --{with,without}-{bzip2,zlib,openssl,gnump}
+* Change Timer to be pure virtual, and add ANSI_Clock_Timer
+* Cache socket descriptors in the EGD entropy source
+* Avoid bogging down startup in /proc walking entropy source
+* Remove Buffered_EntropySource helper class
+* Add a Default_Benchmark_Timer typedef in benchmark.h
+* Add examples using benchmark.h and Algorithm_Factory
+* Add ECC tests from InSiTo
+* Minor documentation updates
+
+Version 1.7.22, 2008-11-17
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add provider preferences to Algorithm_Factory
+* Fix memory leaks in PBE_PKCS5v20 and get_pbe introduced in 1.7.21
+* Optimize AES encryption and decryption (about 10% faster)
+* Enable SSE2 optimized SHA-1 implementation on Intel Prescott CPUs
+* Fix nanoseconds overflow in benchmark code
+* Remove Engine::add_engine
+
+Version 1.7.21, 2008-11-11
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Make algorithm lookup much more configuable
+* Add facilities for runtime performance testing of algorithms
+* Drop use of entropy estimation in the PRNGs
+* Increase intervals between HMAC_RNG automatic reseeding
+* Drop InitializerOptions class, all options but thread safety
+
+Version 1.7.20, 2008-11-09
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Namespace pkg-config file by major and minor versions
+* Cache device descriptors in Device_EntropySource
+* Split base.h into {block_cipher,stream_cipher,mac,hash}.h
+* Removed get_mgf function from lookup.h
+
+Version 1.7.19, 2008-11-06
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add HMAC_RNG, based on a design by Hugo Krawczyk
+* Optimized the Turing stream cipher (about 20% faster on x86-64)
+* Modify Randpool's reseeding algorithm to poll more sources
+* Add a new AutoSeeded_RNG in auto_rng.h
+* OpenPGP_S2K changed to take hash object instead of name
+* Add automatic identification for Intel's Prescott processors
+
+Version 1.7.18, 2008-10-22
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add Doxygen comments from InSiTo
+* Add ECDSA and ECKAEG benchmarks
+* Add configure.pl switch --with-tr1-implementation
+* Fix configure.pl's --with-endian and --with-unaligned-mem options
+* Added support for pkg-config
+* Optimize byteswap with x86 inline asm for Visual C++ by Yves Jerschow
+* Use const references to avoid copying overhead in CurveGFp, GFpModulus
+
+Version 1.7.17, 2008-10-12
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add missing ECDSA object identifiers
+* Fix error in x86 and x86-64 assembler affecting GF(p) math
+* Remove Boost dependency from GF(p) math
+* Modify botan-config to not print -L/usr/lib or -L/usr/local/lib
+* Add BOTAN_DLL macro to over 30 classes missing it
+* Rename the two SHA-2 base classes for consistency
+
+Version 1.7.16, 2008-10-09
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add several missing pieces needed for ECDSA and ECKAEG
+* Add Card Verifiable Certificates from InSiTo
+* Add SHA-224 from InSiTo
+* Add BSI variant of EMSA1 from InSiTo
+* Add GF(p) and ECDSA tests from InSiTo
+* Split ECDSA and ECKAEG into distinct modules
+* Allow OpenSSL and GNU MP engines to be built with public key algos disabled
+* Rename sha256.h to sha2_32.h and sha_64.h to sha2_64.h
+
+Version 1.7.15, 2008-10-07
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add GF(p) arithmetic from InSiTo
+* Add ECDSA and ECKAEG implementations from InSiTo
+* Minimize internal dependencies, allowing for smaller build configurations
+* Add new User Manual and Architecture Guide from FlexSecure GmbH
+* Alter configure.pl options for better autotools compatibility
+* Update build instructions for recent changes to configure.pl
+* Fix CPU detection using /proc/cpuinfo
+
+Version 1.7.14, 2008-09-30
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Split library into parts allowing modular builds
+* Add (very preliminary) CMS support to the main library
+* Some constructors now require object pointers instead of names
+* Support multiple implementations of the same algorithm
+* Build support for Pentium-M processors, from Derek Scherger
+* Build support for MinGW/MSYS, from Zbigniew Zagorski
+* Use inline assembly for bswap on 32-bit x86
+
+Version 1.7.13, 2008-09-27
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add SSLv3 MAC, SSLv3 PRF, and TLS v1.0 PRF from Ajisai
+* Allow all examples to compile even if compression not enabled
+* Make CMAC's polynomial doubling operation a public class method
+* Use the -m64 flag when compiling with Sun Forte on x86-64
+* Clean up and slightly optimize CMAC::final_result
+
+Version 1.7.12, 2008-09-18
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add x86 assembly for Visual Studio C++, by Luca Piccarreta
+* Add a Perl XS module, by Vaclav Ovsik
+* Add SWIG-based wrapper for Botan
+* Add SSE2 implementation of SHA-1, by Dean Gaudet
+* Remove the BigInt::sig_words cache due to bugs
+* Combined the 4 Blowfish sboxes, suggested by Yves Jerschow
+* Changed BigInt::grow_by and BigInt::grow_to to be non-const
+* Add private assignment operators to classes that don't support assignment
+* Benchmark RSA encryption and signatures
+* Added test programs for random_prime and ressol
+* Add high resolution timers for IA-64, HP-PA, S390x
+* Reduce use of the RNG during benchmarks
+* Fix builds on STI Cell PPU
+* Add support for IBM's XLC compiler
+* Add IETF 8192 bit MODP group
+
+Version 1.7.11, 2008-09-11
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added the Salsa20 stream cipher
+* Optimized Montgomery reduction, Karatsuba squaring
+* Added 16x16->32 word Comba multiplication and squaring
+* Use a much larger Karatsuba cutoff point
+* Remove bigint_mul_add_words
+* Inlined several BigInt functions
+* Add useful information to the generated build.h
+* Rename alg_{ia32,amd64} modules to asm_{ia32,amd64}
+* Fix the Windows build
+
+Version 1.7.10, 2008-09-05
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Public key benchmarks run using a selection of random keys
+* New benchmark timer options are clock_gettime, gettimeofday, times, clock
+* Including reinterpret_cast optimization for xor_buf in default header
+* Split byte swapping and word rotation functions into distinct headers
+* Add IETF modp 6144 group and 2048 and 3072 bit DSS groups
+* Optimizes BigInt right shift
+* Add aliases in DL_Group::Format enum
+* BigInt now caches the significant word count
+
+Version 1.6.5, 2008-08-27
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add noexec stack marker for GNU linker in assembly code
+* Fix autoconfiguration problem on x86 with GCC 4.2 and 4.3
+
+Version 1.7.9, 2008-08-27
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Make clear() in most algorithm base classes a pure virtual
+* Add noexec stack marker for GNU linker in assembly code
+* Avoid string operations in ressol
+* Compilation fixes for MinGW and Visual Studio C++ 2008
+* Some autoconfiguration fixes for Windows
+
+Version 1.7.8, 2008-07-15
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added the block cipher Noekeon
+* Remove global deref_alias function
+* X509_Store takes timeout options as constructor arguments
+* Add Shanks-Tonelli algorithm, contributed by FlexSecure GmbH
+* Extend random_prime() for generating primes of any bit length
+* Remove Config class
+* Allow adding new entropy via base RNG interface
+* Reseeding a X9.31 PRNG also reseeds the underlying PRNG
+
+Version 1.7.7, 2008-06-28
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Remove the global PRNG object
+* The PK filter objects were removed
+* Add a test suite for the ANSI X9.31 PRNG
+* Much cleaner and (mostly) thread-safe reimplementation of es_ftw
+* Remove both default arguments to ANSI_X931_RNG's constructor
+* Remove the randomizing version of OctetString::change
+* Make the cipher and MAC to use in Randpool configurable
+* Move RandomNumberGenerator declaration to rng.h
+* RSA_PrivateKey will not generate keys smaller than 1024 bits
+* Fix an error decoding BER UNIVERSAL types with special taggings
+
+Version 1.7.6, 2008-05-05
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Initial support for Windows DLLs, from Joel Low
+* Reset the position pointer when a new block is generated in X9.32 PRNG
+* Timer objects are now treated as entropy sources
+* Moved several ASN.1-related enums from enums.h to an appropriate header
+* Removed the AEP module, due to inability to test
+* Removed Global_RNG and rng.h
+* Removed system_clock
+* Removed Library_State::UI and the pulse callback logic
+
+Version 1.7.5, 2008-04-12
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The API of X509_CA::sign_request was altered to avoid race conditions
+* New type Pipe::message_id to represent the Pipe message number
+* Remove the Named_Mutex_Holder for a small performance gain
+* Removed several unused or rarely used functions from Config
+* Ignore spaces inside of a decimal string in BigInt::decode
+* Allow using a std::istream to initialize a DataSource_Stream object
+* Fix compilation problem in zlib compression module
+* The chunk sized used by Pooling_Allocator is now a compile time setting
+* The size of random blinding factors is now a compile time setting
+* The install target no longer tries to set a particular owner/group
+
+Version 1.7.4, 2008-03-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Use unaligned memory read/writes on systems that allow it, for performance
+* Assembly for x86-64 for accessing the bswap instruction
+* Use larger buffers in ARC4 and WiderWAKE for significant throughput increase
+* Unroll loops in SHA-160 for a few percent increase in performance
+* Fix compilation with GCC 3.2 in es_ftw and es_unix
+* Build fix for NetBSD systems
+* Prevent es_dev from being built except on Unix systems
+
+Version 1.6.4, 2008-03-08
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a compilation problem with Visual Studio C++ 2003
+
+Version 1.7.3, 2008-01-23
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* New invocation syntax for configure.pl with several new options
+* Support for IPv4 addresses in a subject alternative name
+* New fast poll for the generic Unix entropy source (es_unix)
+* The es_file entropy source has been replaced by the es_dev module
+* The malloc allocator does not inherit from Pooling_Allocator anymore
+* The path that es_unix will search in are now fully user-configurable
+* Truncate X9.42 PRF output rather than allow counter overflow
+* PowerPC is now assumed to be big-endian
+
+Version 1.7.2, 2007-10-13
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Initialize the global library state lazily
+* Add plain CBC-MAC for backwards compatibility with old systems
+* Clean up some of the self test code
+* Throw a sensible exception if a DL_Group is not found
+* Truncate KDF2 output rather than allowing counter overflow
+* Add newly assigned OIDs for SHA-2 and DSA with SHA-224/256
+* Fix a Visual Studio compilation problem in x509stat.cpp
+
+Version 1.6.3, 2007-07-23
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a race condition in the algorithm lookup cache
+* Fix problems building the memory pool on some versions of Visual C++
+
+Version 1.7.1, 2007-07-23
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a race condition in the algorithm object cache
+* HMAC key schedule optimization
+* The build header sets a macro defining endianness, if known
+* New word load/store abstraction allowing further optimization
+* Modify most of the library to avoid use the C-style casts
+* Use higher resolution timers in symmetric benchmarks
+
+Version 1.7.0, 2007-05-19
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* DSA parameter generation now follows FIPS 186-3
+* Added OIDs for Rabin-Williams and Nyberg-Rueppel
+* Somewhat better support for out of tree builds
+* Minor optimizations for RC2 and Tiger
+* Documentation updates
+* Update the todo list
+
+Version 1.6.2, 2007-03-24
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix autodection on Athlon64s running Linux
+* Fix builds on QNX and compilers using STLport
+* Remove a call to abort() that crept into production
+
+Version 1.6.1, 2007-01-20
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix some base64 decoder bugs
+* Add a new option to base64 encoding, to always append a newline
+* Fix some build problems under Visual Studio with debug enabled
+* Fix a bug in BER_Decoder that was triggered under some compilers
+
+Version 1.6.0, 2006-12-17
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Minor cleanups versus 1.5.13
+
+Version 1.5.13, 2006-12-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Compilation fixes for the bzip2, zlib, and GNU MP modules
+* Better support for Intel C++ and EKOpath C++ on x86-64
+
+Version 1.5.12, 2006-10-27
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Cleanups in the initialization routines
+* Add some x86-64 assembly for multiply-add
+* Fix problems generating very small (below 384 bit) RSA keys
+* Support out of tree builds
+* Bring some of the documentation up to date
+* More improvements to the Python bindings
+
+Version 1.5.11, 2006-09-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Removed the Algorithm base class
+* Various cleanups in the public key inheritance hierarchy
+* Major overhaul of the configure/build setup
+* Added x86 assembler implementations of Serpent and low-level MPI code
+* Optimizations for the SHA-1 x86 assembler
+* Various improvements to the Python wrappers
+* Work around a Visual Studio compiler bug
+
+Version 1.5.10, 2006-08-13
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add x86 assembler versions of MD4, MD5, and SHA-1
+* Expand InitializerOptions' language to support on/off switches
+* Fix definition of OID 2.5.4.8; was accidentally changed in 1.5.9
+* Fix possible resource leaks in the mmap allocator
+* Slightly optimized buffering in MDx_HashFunction
+* Initialization failures are dealt with somewhat better
+* Add an example implementing Pollard's Rho algorithm
+* Better option handling in the test/benchmark tool
+* Expand the xor_ciph example to support longer keys
+* Some updates to the documentation
+
+Version 1.5.9, 2006-07-12
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed bitrot in the AEP engine
+* Fix support for marking certificate/CRL extensions as critical
+* Significant cleanups in the library state / initialization code
+* LibraryInitializer takes an explicit InitializerOptions object
+* Make Mutex_Factory an abstract class, add Default_Mutex_Factory
+* Change configuration access to using global_state()
+* Add support for global named mutexes throughout the library
+* Add some STL wrappers for the delete operator
+* Change how certificates are created to be more flexible and general
+
+Version 1.5.8, 2006-06-23
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Many internal cleanups to the X.509 cert/CRL code
+* Allow for application code to support new X.509 extensions
+* Change the return type of X509_Certificate::{subject,issuer}_info
+* Allow for alternate character set handling mechanisms
+* Fix a bug that was slowing squaring performance somewhat
+* Fix a very hard to hit overflow bug in the C version of word3_muladd
+* Minor cleanups to the assembler modules
+* Disable es_unix module on FreeBSD due to build problem on FreeBSD 6.1
+* Support for GCC 2.95.x has been dropped in this release
+
+Version 1.5.7, 2006-05-28
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Further, major changes to the BER/DER coding system
+* Updated the Qt mutex module to use Mutex_Factory
+* Moved the library global state object into an anonymous namespace
+* Drop the Visual C++ x86 assembly module due to bugs
+
+Version 1.5.6, 2006-03-01
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The low-level DER/BER coding system was redesigned and rewritten
+* Portions of the certificate code were cleaned up internally
+* Use macros to substantially clean up the GCC assembly code
+* Added 32-bit x86 assembly for Visual C++ (by Luca Piccarreta)
+* Avoid a couple of spurious warnings under Visual C++
+* Some slight cleanups in X509_PublicKey::key_id
+
+Version 1.5.5, 2006-02-04
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed a potential infinite loop in the memory pool code (Matt Johnston)
+* Made Pooling_Allocator::Memory_Block an actual class of sorts
+* Some small optimizations to the division and modulo computations
+* Cleaned up the implementation of some of the BigInt operators
+* Reduced use of dynamic memory allocation in low-level BigInt functions
+* A few simplifications in the Randpool mixing function
+* Removed power(), as it was not particularly useful (or fast)
+* Fixed some annoying bugs in the benchmark code
+* Added a real credits file
+
+Version 1.5.4, 2006-01-29
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Integrated x86 and amd64 assembly code, contributed by Luca Piccarreta
+* Fixed a memory access off-by-one in the Karatsuba code
+* Changed Pooling_Allocator's free list search to a log(N) algorithm
+* Merged ModularReducer with its only subclass, Barrett_Reducer
+* Fixed sign-handling bugs in some of the division and modulo code
+* Renamed the module description files to modinfo.txt
+* Further cleanups in the initialization code
+* Removed BigInt::add and BigInt::sub
+* Merged all the division-related functions into just divide()
+* Modified the <mp_asmi.h> functions to allow for better optimizations
+* Made the number of bits polled from an EntropySource user configurable
+* Avoid including <algorithm> in <botan/secmem.h>
+* Fixed some build problems with Sun Forte
+* Removed some dead code from bigint_modop
+* Fix the definition of same_mem
+
+Version 1.5.3, 2006-01-24
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Many optimizations in the low-level multiple precision integer code
+* Added hooks for assembly implementations of the MPI code
+* Support for the X.509 issuer alternative name extension in new certs
+* Fixed a bug in the decompression modules; found and patched by Matt Johnston
+* New Windows mutex module (mux_win32), by Luca Piccarreta
+* Changed the Windows timer module to use QueryPerformanceCounter
+* mem_pool.cpp was using std::set iterators instead of std::multiset ones
+* Fixed a bug in X509_CA preventing users from disabling particular extensions
+* Fixed the mp_asm64 module, which was entirely broken in 1.5.2
+* Fixed some module build problems on FreeBSD and Tru64
+
+Version 1.4.12, 2006-01-15
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed an off-by-one memory read in MISTY1::key()
+* Fixed a nasty memory leak in Output_Buffers::retire()
+* Changed maximum HMAC keylength to 1024 bits
+* Fixed a build problem in the hardware timer module on 64-bit PowerPC
+
+Version 1.5.2, 2006-01-15
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed an off-by-one memory read in MISTY1::key()
+* Fixed a nasty memory leak in Output_Buffers::retire()
+* Reimplemented the memory allocator from scratch
+* Improved memory caching in Montgomery exponentiation
+* Optimizations for multiple precision addition and subtraction
+* Fixed a build problem in the hardware timer module on 64-bit PowerPC
+* Changed default Karatsuba cutoff to 12 words (was 14)
+* Removed MemoryRegion::bits(), which was unused and incorrect
+* Changed maximum HMAC keylength to 1024 bits
+* Various minor Makefile and build system changes
+* Avoid using std::min in <secmem.h> to bypass Windows libc macro pollution
+* Switched checks/clock.cpp back to using clock() by default
+* Enabled the symmetric algorithm tests, which were accidentally off in 1.5.1
+* Removed the Default_Mutex's unused clone() member function
+
+Version 1.5.1, 2006-01-08
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Implemented Montgomery exponentiation
+* Implemented generalized Karatsuba multiplication and squaring
+* Implemented Comba squaring for 4, 6, and 8 word inputs
+* Added new Modular_Exponentiator and Power_Mod classes
+* Removed FixedBase_Exp and FixedExponent_Exp
+* Fixed a performance regression in get_allocator introduced in 1.5.0
+* Engines can now offer S2K algorithms and block cipher padding methods
+* Merged the remaining global 'algolist' code into Default_Engine
+* The low-level MPI code is linked as C again
+* Replaced BigInt's get_nibble with the more general get_substring
+* Some documentation updates
+
+Version 1.5.0, 2006-01-01
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Moved all global/shared library state into a single object
+* Mutex objects are created through mutex factories instead of a global
+* Removed ::get_mutex(), ::initialize_mutex(), and Mutex::clone()
+* Removed the RNG_Quality enum entirely
+* There is now only a single global-use PRNG
+* Removed the no_aliases and no_oids options for LibraryInitializer
+* Removed the deprecated algorithms SEAL, ISAAC, and HAVAL
+* Change es_ftw to use unbuffered I/O
+
+Version 1.4.11, 2005-12-31
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Changed Whirlpool diffusion matrix to match updated algorithm spec
+* Fixed several engine module build errors introduced in 1.4.10
+* Fixed two build problems in es_capi; reported by Matthew Gregan
+* Added a constructor to DataSource_Memory taking a std::string
+* Placing the same Filter in multiple Pipes triggers an exception
+* The configure script accepts --docdir and --libdir
+* Merged doc/rngs.txt into the main API document
+* Thanks to Joel Low for several bug reports on early tarballs of 1.4.11
+
+Version 1.4.10, 2005-12-18
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added an implementation of KASUMI, the block cipher used in 3G phones
+* Refactored Pipe; output queues are now managed by a distinct class
+* Made certain Filter facilities only available to subclasses of Fanout_Filter
+* There is no longer any overhead in Pipe for a message that has been read out
+* It is now possible to generate RSA keys as small as 128 bits
+* Changed some of the core classes to derive from Algorithm as a virtual base
+* Changed Randpool to use HMAC instead of a plain hash as the mixing function
+* Fixed a bug in the allocators; found and fixed by Matthew Gregan
+* Enabled the use of binary file I/O, when requested by the application
+* The OpenSSL engine's block cipher code was missing some deallocation calls
+* Disabled the es_ftw module on NetBSD, due to header problems there
+* Fixed a problem preventing tm_hard from building on MacOS X on PowerPC
+* Some cleanups for the modules that use inline assembler
+* config.h is now stored in build/ instead of build/include/botan/
+* The header util.h was split into bit_ops.h, parsing.h, and util.h
+* Cleaned up some redundant include directives
+
+Version 1.4.9, 2005-11-06
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added the IBM-created AES candidate algorithm MARS
+* Added the South Korean block cipher SEED
+* Added the stream cipher Turing
+* Added the new hash function FORK-256
+* Deprecated the ISAAC stream cipher
+* Twofish and RC6 are significantly faster with GCC
+* Much better support for 64-bit PowerPC
+* Added support for high-resolution PowerPC timers
+* Fixed a bug in the configure script causing problems on FreeBSD
+* Changed ANSI X9.31 to support arbitrary block ciphers
+* Make the configure script a bit less noisy
+* Added more test vectors for some algorithms, including all the AES finalists
+* Various cosmetic source code cleanups
+
+Version 1.4.8, 2005-10-16
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Resolved a bad performance problem in the allocators; fix by Matt Johnston
+* Worked around a Visual Studio 2003 compilation problem introduced in 1.4.7
+* Renamed OMAC to CMAC to match the official NIST naming
+* Added single byte versions of update() to PK_Signer and PK_Verifier
+* Removed the unused reverse_bits and reverse_bytes functions
+
+Version 1.4.7, 2005-09-25
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed major performance problems with recent versions of GNU C++
+* Added an implementation of the X9.31 PRNG
+* Removed the X9.17 and FIPS 186-2 PRNG algorithms
+* Changed defaults to use X9.31 PRNGs as global PRNG objects
+* Documentation updates to reflect the PRNG changes
+* Some cleanups related to the engine code
+* Removed two useless headers, base_eng.h and secalloc.h
+* Removed PK_Verifier::valid_signature
+* Fixed configure/build system bugs affecting MacOS X builds
+* Added support for the EKOPath x86-64 compiler
+* Added missing destructor for BlockCipherModePaddingMethod
+* Fix some build problems with Visual C++ 2005 beta
+* Fix some build problems with Visual C++ 2003 Workshop
+
+Version 1.4.6, 2005-03-13
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix an error in the shutdown code introduced in 1.4.5
+* Setting base/pkcs8_tries to 0 disables the builtin fail-out
+* Support for XMPP identifiers in X.509 certificates
+* Duplicate entries in X.509 DNs are removed
+* More fixes for Borland C++, from Friedemann Kleint
+* Add a workaround for buggy iostreams
+
+Version 1.4.5, 2005-02-26
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add support for AES encryption of private keys
+* Minor fixes for PBES2 parameter decoding
+* Internal cleanups for global state variables
+* GCC 3.x version detection was broken in non-English locales
+* Work around a Sun Forte bug affecting mem_pool.h
+* Several fixes for Borland C++ 5.5, from Friedemann Kleint
+* Removed inclusion of init.h into base.h
+* Fixed a major bug in reading from certificate stores
+* Cleaned up a couple of mutex leaks
+* Removed some left-over debugging code
+* Removed SSL3_MAC, SSL3_PRF, and TLS_PRF
+
+Version 1.4.4, 2004-12-02
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Further tweaks to the pooling allocator
+* Modified EMSA3 to support SSL/TLS signatures
+* Changes to support Qt/QCA, from Justin Karneges
+* Moved mux_qt module code into mod_qt
+* Fixes for HP-UX from Mike Desjardins
+
+Version 1.4.3, 2004-11-06
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Split up SecureAllocator into Allocator and Pooling_Allocator
+* Memory locking allocators are more likely to be used
+* Fixed the placement of includes in some modules
+* Fixed broken installation procedure
+* Fixes in configure script to support alternate install programs
+* Modules can specify the minimum version they support
+
+Version 1.4.2, 2004-10-31
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed a major CRL handling bug
+* Cipher and hash operations can be offloaded to engines
+* Added support for cipher and hash offload in OpenSSL engine
+* Improvements for 64-bit CPUs without a widening multiply instruction
+* Support for SHA2-* and Whirlpool with EMSA2
+* Fixed a long-standing build problem with conflicting include files
+* Fixed some examples that hadn't been updated for 1.4.x
+* Portability fixes for Solaris, BSD, HP-UX, and others
+* Lots of fixes and cleanups in the configure script
+* Updated the Gentoo ebuild file
+
+Version 1.4.1, 2004-10-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed major errors in the X.509 and PKCS #8 copy_key functions
+* Added a LAST_MESSAGE meta-message number for Pipe
+* Added new aliases (3DES and DES-EDE) for Triple-DES
+* Added some new functions to PK_Verifier
+* Cleaned up the KDF interface
+* Disabled tm_posix on BSD due to header issues
+* Fixed a build problem on PowerPC with GNU C++ pre-3.4
+
+Version 1.4.0, 2004-06-26
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added the FIPS 186 RNG back
+* Added copy_key functions for X.509 public keys and PKCS #8 private keys
+* Fixed PKCS #1 signatures with RIPEMD-128
+* Moved some code around to avoid warnings with Sun ONE compiler
+* Fixed a bug in botan-config affecting OpenBSD
+* Fixed some build problems on Tru64, HP-UX
+* Fixed compile problems with Intel C++, Compaq C++
+
+Version 1.3.14, 2004-06-12
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added support for AEP's AEP1000/AEP2000 crypto cards
+* Added a Mutex module using Qt, from Justin Karneges
+* Added support for engine loading in LibraryInitializer
+* Tweaked SecureAllocator, giving 20% better performance under heavy load
+* Added timer and memory locking modules for Win32 (tm_win32, ml_win32)
+* Renamed PK_Engine to Engine_Core
+* Improved the Karatsuba cutoff points
+* Fixes for compiling with GCC 3.4 and Sun C++ 5.5
+* Fixes for Linux/s390, OpenBSD, and Solaris
+* Added support for Linux/s390x
+* The configure script was totally broken for 'generic' OS
+* Removed Montgomery reduction due to bugs
+* Removed an unused header, pkcs8alg.h
+* check --validate returns an error code if any tests failed
+* Removed duplicate entry in Unix command list for es_unix
+* Moved the Cert_Usage enumeration into X509_Store
+* Added new timing methods for PK benchmarks, clock_gettime and RDTSC
+* Fixed a few minor bugs in the configure script
+* Removed some deprecated functions from x509cert.h and pkcs10.h
+* Removed the 'minimal' module, has to be updated for Engine support
+* Changed MP_WORD_BITS macro to BOTAN_MP_WORD_BITS to clean up namespace
+* Documentation updates
+
+Version 1.3.13, 2004-05-15
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Major fixes for Cygwin builds
+* Minor MacOS X install fixes
+* The configure script is a little better at picking the right modules
+* Removed ml_unix from the 'unix' module set for Cygwin compatibility
+* Fixed a stupid compile problem in pkcs10.h
+
+Version 1.3.12, 2004-05-02
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added ability to remove old entries from CRLs
+* Swapped the first two arguments of X509_CA::update_crl()
+* Added an < operator for MemoryRegion, so it can be used as a std::map key
+* Changed X.509 searching by DNS name from substring to full string compares
+* Renamed a few X509_Certificate and PKCS10_Request member functions
+* Fixed a problem when decoding some PKCS #10 requests
+* Hex_Decoder would not check inputs, reported by Vaclav Ovsik
+* Changed default CRL expire time from 30 days to 7 days
+* X509_CRL's default PEM header is now "X509 CRL", for OpenSSL compatibility
+* Corrected errors in the API doc, fixes from Ken Perano
+* More documentation about the Pipe/Filter code
+
+Version 1.3.11, 2004-04-01
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed two show-stopping bugs in PKCS10_Request
+* Added some sanity checks in Pipe/Filter
+* The DNS and URI entries would get swapped in subjectAlternativeNames
+* MAC_Filter is now willing to not take a key at creation time
+* Setting the expiration times of certs and CRLs is more flexible
+* Fixed problems building on AIX with GCC
+* Fixed some problems in the tutorial pointed out by Dominik Vogt
+* Documentation updates
+
+Version 1.3.10, 2004-03-27
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added support for OpenPGP's ASCII armor format
+* Cleaned up the RNG system; seeding is much more flexible
+* Added simple autoconfiguration abilities to configure.pl
+* Fixed a GCC 2.95.x compile problem
+* Updated the example configuration file
+* Documentation updates
+
+Version 1.3.9, 2004-03-07
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added an engine using OpenSSL (requires 0.9.7 or later)
+* X509_Certificate would lose email addresses stored in the DN
+* Fixed a missing initialization in a BigInt constructor
+* Fixed several Visual C++ compile problems
+* Fixed some BeOS build problems
+* Fixed the WiderWake benchmark
+
+Version 1.3.8, 2003-12-30
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Initial introduction of engine support, which separates PK keys from
+ the underlying operations. An engine using GNU MP was added.
+
+* DSA, DH, NR, and ElGamal constructors accept taking just the private
+ key again since the public key is easily derived from it.
+
+* Montgomery reduction support was added.
+* ElGamal keys now support being imported/exported as ASN.1 objects
+* Added Montgomery reductions
+* Added an engine that uses GNU MP (requires 4.1 or later)
+* Removed the obsolete mp_gmp module
+* Moved several initialization/shutdown functions to init.h
+* Major refactoring of the memory containers
+* New non-locking container, MemoryVector
+* Fixed 64-bit problems in BigInt::set_bit/clear_bit
+* Renamed PK_Key::check_params() to check_key()
+* Some incompatible changes to OctetString
+* Added version checking macros in version.h
+* Removed the fips140 module pending rewrite
+* Added some functions and hooks to help GUIs
+* Moved more shared code into MDx_HashFunction
+* Added a policy hook for specifying the encoding of X.509 strings
+
+Version 1.3.7, 2003-12-12
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed a big security problem in es_unix (use of untrusted PATH)
+* Fixed several stability problems in es_unix
+* Expanded the list of programs es_unix will try to use
+* SecureAllocator now only preallocates blocks in special cases
+* Added a special case in Global_RNG::seed for forcing a full poll
+* Removed the FIPS 186 RNG added in 1.3.5 pending further testing
+* Configure updates for PowerPC CPUs
+* Removed the (never tested) VAX support
+* Added support for S/390 Linux
+
+Version 1.3.6, 2003-12-07
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added a new module 'minimal', which disables most algorithms
+* SecureAllocator allocates a few blocks at startup
+* A few minor MPI cleanups
+* RPM spec file cleanups and fixes
+
+Version 1.3.5, 2003-11-30
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Major improvements in ASN.1 string handling
+* Added partial support for ASN.1 UTF8 STRINGs and BMP STRINGs
+* Added partial support for the X.509v3 certificate policies extension
+* Centralized the handling of character set information
+* Added FIPS 140-2 startup self tests
+* Added a module (fips140) for doing extra FIPS 140-2 tests
+* Added FIPS 186-2 RNG
+* Improved ASN.1 BIT STRING handling
+* Removed a memory leak in PKCS10_Request
+* The encoding of DirectoryString now follows PKIX guidelines
+* Fixed some of the character set dependencies
+* Fixed a DER encoding error for tags greater than 30
+* The BER decoder can now handle tags larger than 30
+* Fixed tm_hard.cpp to recognize SPARC on more systems
+* Workarounds for a GCC 2.95.x bug in x509find.cpp
+* RPM changed to install into /usr instead of /usr/local
+* Added support for QNX
+
+Version 1.2.8, 2003-11-21
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Merged several important bug fixes from 1.3.x
+
+Version 1.3.4, 2003-11-21
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added a module that does certain MPI operations using GNU MP
+* Added the X9.42 Diffie-Hellman PRF
+* The Zlib and Bzip2 objects now use custom allocators
+* Added member functions for directly hashing/MACing SecureVectors
+* Minor optimizations to the MPI addition and subtraction algorithms
+* Some cleanups in the low-level MPI code
+* Created separate AES-{128,192,256} objects
+
+Version 1.3.3, 2003-11-17
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The library can now be repeatedly initialized and shutdown without crashing
+* Fixed an off-by-one error in the CTS code
+* Fixed an error in the EMSA4 verification code
+* Fixed a memory leak in mutex.cpp (pointed out by James Widener)
+* Fixed a memory leak in Pthread_Mutex
+* Fixed several memory leaks in the testing code
+* Bulletproofed the EMSA/EME/KDF/MGF retrieval functions
+* Minor cleanups in SecureAllocator
+* Removed a needless mutex guarding the (stateless) global timer
+* Fixed a piece of bash-specific code in botan-config
+* X.509 objects report more information about decoding errors
+* Cleaned up some of the exception handling
+* Updated the example config file with new OIDSs
+* Moved the build instructions into a separate document, building.tex
+
+Version 1.3.2, 2003-11-13
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed a bug preventing DSA signatures from verifying on X.509 objects
+* Made the X509_Store search routines more efficient and flexible
+* Added a function to X509_PublicKey to do easy public/private key matching
+* Added support for decoding indefinite length BER data
+* Changed Pipe's peek() to take an offset
+* Removed Filter::set_owns in favor of the new incr_owns function
+* Removed BigInt::zero() and BigInt::one()
+* Renamed the PEM related options from base/pem_* to pem/*
+* Added an option to specify the line width when encoding PEM
+* Removed the "rng/safe_longterm" option; it's always on now
+* Changed the cipher used for RNG super-encryption from ARC4 to WiderWake4+1
+* Cleaned up the base64/hex encoders and decoders
+* Added an ASN.1/BER decoder as an example
+* AES had its internals marked 'public' in previous versions
+* Changed the value of the ASN.1 NO_OBJECT enum
+* Various new hacks in the configure script
+* Removed the already nominal support for SunOS
+
+Version 1.3.1, 2003-11-04
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Generalized a few pieces of the DER encoder
+* PKCS8::load_key would fail if handed an unencrypted key
+* Added a failsafe so PKCS #8 key decoding can't go into an infinite loop
+
+Version 1.3.0, 2003-11-02
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Major redesign of the PKCS #8 private key import/export system
+* Added a small amount of UI interface code for getting passphrases
+* Added heuristics that tell if a key, cert, etc is stored as PEM or BER
+* Removed CS-Cipher, SHARK, ThreeWay, MD5-MAC, and EMAC
+* Removed certain deprecated constructors of RSA, DSA, DH, RW, NR
+* Made PEM decoding more forgiving of extra text before the header
+
+Version 1.2.7, 2003-10-31
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added support for reading configuration files
+* Added constructors so NR and RW keys can be imported easily
+* Fixed mp_asm64, which was completely broken in 1.2.6
+* Removed tm_hw_ia32 module; replaced by tm_hard
+* Added support for loading certain oddly formed RSA certificates
+* Fixed spelling of NON_REPUDIATION enum
+* Renamed the option default_to_ca to v1_assume_ca
+* Fixed a minor bug in X.509 certificate generation
+* Fixed a latent bug in the OID lookup code
+* Updated the RPM spec file
+* Added to the tutorial
+
+Version 1.2.6, 2003-07-04
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Major performance increase for PK algorithms on most 64-bit systems
+* Cleanups in the low-level MPI code to support asm implementations
+* Fixed build problems with some versions of Compaq's C++ compiler
+* Removed useless constructors for NR public and private keys
+* Removed support for the patch_file directive in module files
+* Removed several deprecated functions
+
+Version 1.2.5, 2003-06-22
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed a tricky and long-standing memory leak in Pipe
+* Major cleanups and fixes in the memory allocation system
+* Removed alloc_mlock, which has been superseded by the ml_unix module
+* Removed a denial of service vulnerability in X509_Store
+* Fixed compilation problems with VS .NET 2003 and Codewarrior 8
+* Added another variant of PKCS8::load_key, taking a memory buffer
+* Fixed various minor/obscure bugs which occurred when MP_WORD_BITS != 32
+* BigInt::operator%=(word) was a no-op if the input was a power of 2
+* Fixed portability problems in BigInt::to_u32bit
+* Fixed major bugs in SSL3-MAC
+* Cleaned up some messes in the PK algorithms
+* Cleanups and extensions for OMAC and EAX
+* Made changes to the entropy estimation function
+* Added a 'beos' module set for use on BeOS
+* Officially deprecated a few X509:: and PKCS8:: functions
+* Moved the contents of primes.h to numthry.h
+* Moved the contents of x509opt.h to x509self.h
+* Removed the (empty) desx.h header
+* Documentation updates
+
+Version 1.2.4, 2003-05-29
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed a bug in EMSA1 affecting NR signature verification
+* Fixed a few latent bugs in BigInt related to word size
+* Removed an unused function, mp_add2_nc, from the MPI implementation
+* Reorganized the core MPI files
+
+Version 1.2.3, 2003-05-20
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed a bug that prevented DSA/NR key generation
+* Fixed a bug that prevented importing some root CA certs
+* Fixed a bug in the BER decoder when handing optional bit or byte strings
+* Fixed the encoding of authorityKeyIdentifier in X509_CA
+* Added a sanity check in PBKDF2 for zero length passphrases
+* Added versions of X509::load_key and PKCS8::load_key that take a file name
+* X509_CA generates 128 bit serial numbers now
+* Added tests to check PK key generation
+* Added a simplistic X.509 CA example
+* Cleaned up some of the examples
+
+Version 1.2.2, 2003-05-13
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add checks to prevent any BigInt bugs from revealing an RSA or RW key
+* Changed the interface of Global_RNG::seed
+* Major improvements for the es_unix module
+* Added another Win32 entropy source, es_win32
+* The Win32 CryptoAPI entropy source can now poll multiple providers
+* Improved the BeOS entropy source
+* Renamed pipe_unixfd module to fd_unix
+* Fixed a file descriptor leak in the EGD module
+* Fixed a few locking bugs
+
+Version 1.2.1, 2003-05-06
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added ANSI X9.23 compatible CBC padding
+* Added an entropy source using Win32 CryptoAPI
+* Removed the Pipe I/O operators taking a FILE*
+* Moved the BigInt encoding/decoding functions into the BigInt class
+* Integrated several fixes for VC++ 7 (from Hany Greiss)
+* Fixed the configure.pl script for Windows builds
+
+Version 1.2.0, 2003-04-28
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Tweaked the Karatsuba cut-off points
+* Increased the allowed keylength of HMAC and Blowfish
+* Removed the 'mpi_ia32' module, pending rewrite
+* Workaround a GCC 2.95.x bug in eme1.cpp
+
+Version 1.1.13, 2003-04-22
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added OMAC
+* Added EAX authenticated cipher mode
+* Diffie-Hellman would not do blinding in some cases
+* Optimized the OFB and CTR modes
+* Corrected Skipjack's word ordering, as per NIST clarification
+* Support for all subject/issuer attribute types required by RFC 3280
+* The removeFromCRL CRL reason code is now handled correctly
+* Increased the flexibility of the allocators
+* Renamed Rijndael to AES, created aes.h, deleted rijndael.h
+* Removed support for the 'no_timer' LibraryInitializer option
+* Removed 'es_pthr' module, pending further testing
+* Cleaned up get_ciph.cpp
+
+Version 1.1.12, 2003-04-15
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed a ASN.1 string encoding bug
+* Fixed a pair of X509_DN encoding problems
+* Base64_Decoder and Hex_Decoder can now validate input
+* Removed support for the LibraryInitializer option 'egd_path'
+* Added tests for DSA X.509 and PKCS #8 key formats
+* Removed a long deprecated feature of DH_PrivateKey's constructor
+* Updated the RPM .spec file
+* Major documentation updates
+
+Version 1.1.11, 2003-04-07
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added PKCS #10 certificate requests
+* Changed X509_Store searching interface to be more flexible
+* Added a generic Certificate_Store interface
+* Added a function for generating self-signed X.509 certs
+* Cleanups and changes to X509_CA
+* New examples for PKCS #10 and self-signed certificates
+* Some documentation updates
+
+Version 1.1.10, 2003-04-03
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* X509_CA can now generate new X.509 CRLs
+* Added blinding for RSA, RW, DH, and ElGamal to prevent timing attacks
+* More certificate and CRL extensions/attributes are supported
+* Better DN handling in X.509 certificates/CRLs
+* Added a DataSink hierarchy (suggested by Jim Darby)
+* Consolidated SecureAllocator and ManagedAllocator
+* Many cleanups and generalizations
+* Added a (slow) pthreads based EntropySource
+* Fixed some threading bugs
+
+Version 1.1.9, 2003-02-25
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added support for using X.509v2 CRLs
+* Fixed several bugs in the path validation algorithm
+* Certificates can be verified for a particular usage
+* Algorithm for comparing distinguished names now follows X.509
+* Cleaned up the code for the es_beos, es_ftw, es_unix modules
+* Documentation updates
+
+Version 1.1.8, 2003-01-29
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixes for the certificate path validation algorithm in X509_Store
+* Fixed a bug affecting X509_Certificate::is_ca_cert()
+* Added a general configuration interface for policy issues
+* Cleanups and API changes in the X.509 CA, cert, and store code
+* Made various options available for X509_CA users
+* Changed X509_Time's interface to work around time_t problems
+* Fixed a theoretical weakness in Randpool's entropy mixing function
+* Fixed problems compiling with GCC 2.95.3 and GCC 2.96
+* Fixed a configure bug (reported by Jon Wilson) affecting MinGW
+
+Version 1.0.2, 2003-01-12
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed an obscure SEGFAULT causing bug in Pipe
+* Fixed an obscure but dangerous bug in SecureVector::swap
+
+Version 1.1.7, 2003-01-12
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed an obscure but dangerous bug in SecureVector::swap
+* Consolidated SHA-384 and SHA-512 to save code space
+* Added SSL3-MAC and SSL3-PRF
+* Documentation updates, including a new tutorial
+
+Version 1.1.6, 2002-12-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Initial support for X.509v3 certificates and CAs
+* Major redesign/rewrite of the ASN.1 encoding/decoding code
+* Added handling for DSA/NR signatures encoded as DER SEQUENCEs
+* Documented the generic cipher lookup interface
+* Added an (untested) entropy source for BeOS
+* Various cleanups and bug fixes
+
+Version 1.1.5, 2002-11-17
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added the discrete logarithm integrated encryption system (DLIES)
+* Various optimizations for BigInt
+* Added support for assembler optimizations in modules
+* Added BigInt x86 optimizations module (mpi_ia32)
+
+Version 1.1.4, 2002-11-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Speedup of 15-30% for PK algorithms
+* Implemented the PBES2 encryption scheme
+* Fixed a potential bug in decoding RSA and RW private keys
+* Changed the DL_Group class interface to handle different formats better
+* Added support for PKCS #3 encoded DH parameters
+* X9.42 DH parameters use a PEM label of 'X942 DH PARAMETERS'
+* Added key pair consistency checking
+* Fixed a compatibility problem with gcc 2.96 (pointed out by Hany Greiss)
+* A botan-config script is generated at configure time
+* Documentation updates
+
+Version 1.1.3, 2002-11-03
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added a generic public/private key loading interface
+* Fixed a small encoding bug in RSA, RW, and DH
+* Changed the PK encryption/decryption interface classes
+* ECB supports using padding methods
+* Added a function-based interface for library initialization
+* Added support for RIPEMD-128 and Tiger PKCS#1 v1.5 signatures
+* The cipher mode benchmarks now use 128-bit AES instead of DES
+* Removed some obsolete typedefs
+* Removed OpenCL support (opencl.h, the OPENCL_* macros, etc)
+* Added tests for PKCS #8 encoding/decoding
+* Added more tests for ECB and CBC
+
+Version 1.1.2, 2002-10-21
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Support for PKCS #8 encoded RSA, DSA, and DH private keys
+* Support for Diffie-Hellman X.509 public keys
+* Major reorganization of how X.509 keys are handled
+* Added PKCS #5 v2.0's PBES1 encryption scheme
+* Added a generic cipher lookup interface
+* Added the WiderWake4+1 stream cipher
+* Added support for sync-able stream ciphers
+* Added a 'paranoia level' option for the LibraryInitializer
+* More security for RNG output meant for long term keys
+* Added documentation for some of the new 1.1.x features
+* CFB's feedback argument is now specified in bits
+* Renamed CTR class to CTR_BE
+* Updated the RSA and DSA examples to use X.509 and PKCS #8 key formats
+
+Version 1.1.1, 2002-10-15
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added the Korean hash function HAS-160
+* Partial support for RSA and DSA X.509 public keys
+* Added a mostly functional BER encoder/decoder
+* Added support for non-deterministic MAC functions
+* Initial support for PEM encoding/decoding
+* Internal cleanups in the PK algorithms
+* Several new convenience functions in Pipe
+* Fixed two nasty bugs in Pipe
+* Messed with the entropy sources for es_unix
+* Discrete logarithm groups are checked for safety more closely now
+* For compatibility with GnuPG, ElGamal now supports DSA-style groups
+
+Version 1.0.1, 2002-09-14
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed a minor bug in Randpool::random()
+* Added some new aliases and typedefs for 1.1.x compatibility
+* The 4096-bit RSA benchmark key was decimal instead of hex
+* EMAC was returning an incorrect name
+
+Version 1.1.0, 2002-09-14
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added entropy estimation to the RNGs
+* Improved the overall design of both Randpool and ANSI_X917_RNG
+* Added a separate RNG for nonce generation
+* Added window exponentiation support in power_mod
+* Added a get_s2k function and the PKCS #5 S2K algorithms
+* Added the TLSv1 PRF
+* Replaced BlockCipherModeIV typedef with InitializationVector class
+* Renamed PK_Key_Agreement_Scheme to PK_Key_Agreement
+* Renamed SHA1 -> SHA_160 and SHA2_x -> SHA_x
+* Added support for RIPEMD-160 PKCS#1 v1.5 signatures
+* Changed the key agreement scheme interface
+* Changed the S2K and KDF interfaces
+* Better SCAN compatibility for HAVAL, Tiger, MISTY1, SEAL, RC5, SAFER-SK
+* Added support for variable-pass Tiger
+* Major speedup for Rabin-Williams key generation
+
+Version 1.0.0, 2002-08-26
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Octal I/O of BigInt is now supported
+* Fixed portability problems in the es_egd module
+* Generalized IV handling in the block cipher modes
+* Added Karatsuba multiplication and k-ary exponentiation
+* Fixed a problem in the multiplication routines
+
+Version 0.9.2, 2002-08-18
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* DH_PrivateKey::public_value() was returning the wrong value
+* Various BigInt optimizations
+* The filters.h header now includes hex.h and base64.h
+* Moved Counter mode to ctr.h
+* Fixed a couple minor problems with VC++ 7
+* Fixed problems with the RPM spec file
+
+Version 0.9.1, 2002-08-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Grand rename from OpenCL to Botan
+* Major optimizations for the PK algorithms
+* Added ElGamal encryption
+* Added Whirlpool
+* Tweaked memory allocation parameters
+* Improved the method of seeding the global RNG
+* Moved pkcs1.h to eme_pkcs.h
+* Added more test vectors for some algorithms
+* Fixed error reporting in the BigInt tests
+* Removed Default_Timer, it was pointless
+* Added some new example applications
+* Removed some old examples that weren't that interesting
+* Documented the compression modules
+
+Version 0.9.0, 2002-08-03
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* EMSA4 supports variable salt size
+* PK_* can take a string naming the encoding method to use
+* Started writing some internals documentation
+
+Version 0.8.7, 2002-07-30
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed bugs in EME1 and EMSA4
+* Fixed a potential crash at shutdown
+* Cipher modes returned an ill-formed name
+* Removed various deprecated types and headers
+* Cleaned up the Pipe interface a bit
+* Minor additions to the documentation
+* First stab at a Visual C++ makefile (doc/Makefile.vc7)
+
+Version 0.8.6, 2002-07-25
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added EMSA4 (aka PSS)
+* Brought the manual up to date; many corrections and additions
+* Added a parallel hash function construction
+* Lookup supports all available algorithms now
+* Lazy initialization of the lookup tables
+* Made more discrete logarithm groups available through get_dl_group()
+* StreamCipher_Filter supports seeking (if the underlying cipher does)
+* Minor optimization for GCD calculations
+* Renamed SAFER_SK128 to SAFER_SK
+* Removed many previously deprecated functions
+* Some now-obsolete functions, headers, and types have been deprecated
+* Fixed some bugs in DSA prime generation
+* DL_Group had a constructor for DSA-style prime gen but it wasn't defined
+* Reversed the ordering of the two arguments to SEAL's constructor
+* Fixed a threading problem in the PK algorithms
+* Fixed a minor memory leak in lookup.cpp
+* Fixed pk_types.h (it was broken in 0.8.5)
+* Made validation tests more verbose
+* Updated the check and example applications
+
+Version 0.8.5, 2002-07-21
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Major changes to constructors for DL-based cryptosystems (DSA, NR, DH)
+* Added a DL_Group class
+* Reworking of the pubkey internals
+* Support in lookup for aliases and PK algorithms
+* Renamed CAST5 to CAST_128 and CAST256 to CAST_256
+* Added EMSA1
+* Reorganization of header files
+* LibraryInitializer will install new allocator types if requested
+* Fixed a bug in Diffie-Hellman key generation
+* Did a workaround in pipe.cpp for GCC 2.95.x on Linux
+* Removed some debugging code from init.cpp that made FTW ES useless
+* Better checking for invalid arguments in the PK algorithms
+* Reduced Base64 and Hex default line length (if line breaking is used)
+* Fixes for HP's aCC compiler
+* Cleanups in BigInt
+
+Version 0.8.4, 2002-07-14
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added Nyberg-Rueppel signatures
+* Added Diffie-Hellman key exchange (kex interface is subject to change)
+* Added KDF2
+* Enhancements to the lookup API
+* Many things formerly taking pointers to algorithms now take names
+* Speedups for prime generation
+* LibraryInitializer has support for seeding the global RNG
+* Reduced SAFER-SK128 memory consumption
+* Reversed the ordering of public and private key values in DSA constructor
+* Fixed serious bugs in MemoryMapping_Allocator
+* Fixed memory leak in Lion
+* FTW_EntropySource was not closing the files it read
+* Fixed line breaking problem in Hex_Encoder
+
+Version 0.8.3, 2002-06-09
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added DSA and Rabin-Williams signature schemes
+* Added EMSA3
+* Added PKCS#1 v1.5 encryption padding
+* Added Filters for PK algorithms
+* Added a Keyed_Filter class
+* LibraryInitializer processes arguments now
+* Major revamp of the PK interface classes
+* Changed almost all of the Filters for non-template operation
+* Changed HMAC, Lion, Luby-Rackoff to non-template classes
+* Some fairly minor BigInt optimizations
+* Added simple benchmarking for PK algorithms
+* Added hooks for fixed base and fixed exponent modular exponentiation
+* Added some examples for using RSA
+* Numerous bugfixes and cleanups
+* Documentation updates
+
+Version 0.8.2, 2002-05-18
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added an (experimental) algorithm lookup interface
+* Added code for directly testing BigInt
+* Added SHA2-384
+* Optimized SHA2-512
+* Major optimization for Adler32 (thanks to Dan Nicolaescu)
+* Various minor optimizations in BigInt and related areas
+* Fixed two bugs in X9.19 MAC, both reported by Darren Starsmore
+* Fixed a bug in BufferingFilter
+* Made a few fixes for MacOS X
+* Added a workaround in configure.pl for GCC 2.95.x
+* Better support for PowerPC, ARM, and Alpha
+* Some more cleanups
+
+Version 0.8.1, 2002-05-06
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Major code cleanup (check doc/deprecated.txt)
+* Various bugs fixed, including several portability problems
+* Renamed MessageAuthCode to MessageAuthenticationCode
+* A replacement for X917 is in x917_rng.h
+* Changed EMAC to non-template class
+* Added ANSI X9.19 compatible CBC-MAC
+* TripleDES now supports 128 bit keys
+
+Version 0.8.0, 2002-04-24
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Merged BigInt: many bugfixes and optimizations since alpha2
+* Added RSA (rsa.h)
+* Added EMSA2 (emsa2.h)
+* Lots of new interface code for public key algorithms (pk_base.h, pubkey.h)
+* Changed some interfaces, including SymmetricKey, to support the global rng
+* Fixed a serious bug in ManagedAllocator
+* Renamed RIPEMD128 to RIPEMD_128 and RIPEMD160 to RIPEMD_160
+* Removed some deprecated stuff
+* Added a global random number generator (rng.h)
+* Added clone functions to most of the basic algorithms
+* Added a library initializer class (init.h)
+* Version macros in version.h
+* Moved the base classes from opencl.h to base.h
+* Renamed the bzip2 module to comp_bzip2 and zlib to comp_zlib
+* Documentation updates for the new stuff (still incomplete)
+* Many new deprecated things: check doc/deprecated.txt
+
+Version 0.7.10, 2002-04-07
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Added EGD_EntropySource module (es_egd)
+* Added a file tree walking EntropySource (es_ftw)
+* Added MemoryLocking_Allocator module (alloc_mlock)
+* Renamed the pthr_mux, unix_rnd, and mmap_mem modules
+* Changed timer mechanism; the clock method can be switched on the fly.
+* Renamed MmapDisk_Allocator to MemoryMapping_Allocator
+* Renamed ent_file.h to es_file.h (ent_file.h is around, but deprecated)
+* Fixed several bugs in MemoryMapping_Allocator
+* Added more default sources for Unix_EntropySource
+* Changed SecureBuffer to use same allocation methods as SecureVector
+* Added bigint_divcore into mp_core to support BigInt alpha2 release
+* Removed some Pipe functions deprecated since 0.7.8
+* Some fixes for the configure program
+
+Version 0.7.9, 2002-03-19
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Memory allocation substantially revamped
+* Added memory allocation method based on mmap(2) in the mmap_mem module
+* Added ECB and CTS block cipher modes (ecb.h, cts.h)
+* Added a Mutex interface (mutex.h)
+* Added module pthr_mux, implementing the Mutex interface
+* Added Threaded Filter interface (thr_filt.h)
+* All algorithms can now by keyed with SymmetricKey objects
+* More testing occurs with --validate (expected failures)
+* Fixed two bugs reported by Hany Greiss, in Luby-Rackoff and RC6
+* Fixed a buffering bug in Bzip_Decompress and Zlib_Decompress
+* Made X917 safer (and about 1/3 as fast)
+* Documentation updates
+
+Version 0.7.8, 2002-02-28
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* More capabilities for Pipe, inspired by SysV STREAMS, including peeking,
+ better buffering, and stack ops. NOT BACKWARDS COMPATIBLE: SEE DOCUMENTATION
+* Added a BufferingFilter class
+* Added popen() based EntropySource for generic Unix systems (unix_rnd)
+* Moved 'devrand' module into main distribution (ent_file.h), renamed to
+ File_EntropySource, and changed interface somewhat.
+* Made Randpool somewhat more conservative and also 25% faster
+* Minor fixes and updates for the configure script
+* Added some tweaks for memory allocation
+* Documentation updates for the new Pipe interface
+* Fixed various minor bugs
+* Added a couple of new example programs (stack and hasher2)
+
+Version 0.7.7, 2001-11-24
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Filter::send now works in the constructor of a Filter subclass
+* You may now have to include <opencl/pipe.h> explicitly in some code
+* Added preliminary PK infrastructure classes in pubkey.h and pkbase.h
+* Enhancements to SecureVector (append, destroy functions)
+* New infrastructure for secure memory allocation
+* Added IEEE P1363 primitives MGF1, EME1, KDF1
+* Rijndael optimizations and cleanups
+* Changed CipherMode<B> to BlockCipherMode(B*)
+* Fixed a nasty bug in pipe_unixfd
+* Added portions of the BigInt code into the main library
+* Support for VAX, SH, POWER, PowerPC-64, Intel C++
+
+Version 0.7.6, 2001-10-14
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fixed several serious bugs in SecureVector created in 0.7.5
+* Square optimizations
+* Fixed shared objects on MacOS X and HP-UX
+* Fixed static libs for KCC 4.0; works with KCC 3.4g as well
+* Full support for Athlon and K6 processors using GCC
+* Added a table of prime numbers < 2**16 (primes.h)
+* Some minor documentation updates
+
+Version 0.7.5, 2001-08-19
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Split checksum.h into adler32.h, crc24.h, and crc32.h
+* Split modes.h into cbc.h, cfb.h, and ofb.h
+* CBC_wPadding* has been replaced by CBC_Encryption and CBC_Decryption
+* Added OneAndZeros and NoPadding methods for CBC
+* Added Lion, a very fast block cipher construction
+* Added an S2K base class (s2k.h) and an OpenPGP_S2K class (pgp_s2k.h)
+* Basic types (ciphers, hashes, etc) know their names now (call name())
+* Changed the EntropySource type somewhat
+* Big speed-ups for ISAAC, Adler32, CRC24, and CRC32
+* Optimized CAST-256, DES, SAFER-SK, Serpent, SEAL, MD2, and RIPEMD-160
+* Some semantics of SecureVector have changed slightly
+* The mlock module has been removed for the time being
+* Added string handling functions for hashes and MACs
+* Various non-user-visible cleanups
+* Shared library soname is now set to the full version number
+
+Version 0.7.4, 2001-07-15
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* New modules: Zlib, gettimeofday and x86 RTC timers, Unix I/O for Pipe
+* Fixed a vast number of errors in the config script/makefile/specfile
+* Pipe now has a stdio(3) interface as well as C++ iostreams
+* ARC4 supports skipping the first N bytes of the cipher stream (ala MARK4)
+* Bzip2 supports decompressing multiple concatenated streams, and flushing
+* Added a simple 'overall average' score to the benchmarks
+* Fixed a small bug in the POSIX timer module
+* Removed a very-unlikely-to-occur bug in most of the hash functions
+* filtbase.h now includes <iosfwd>, not <iostream>
+* Minor documentation updates
+
+Version 0.7.3, 2001-06-08
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix build problems on Solaris/SPARC
+* Fix build problems with Perl versions < 5.6
+* Fixed some stupid code that broke on a few compilers
+* Added string handling functions to Pipe
+* MISTY1 optimizations
+
+Version 0.7.2, 2001-06-03
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Build system supports modules
+* Added modules for mlock, a /dev/random EntropySource, POSIX1.b timers
+* Added Bzip2 compression filter, contributed by Peter Jones
+* GNU make no longer required (tested with 4.4BSD pmake and Solaris make)
+* Fixed minor bug in several of the hash functions
+* Various other minor fixes and changes
+* Updates to the documentation
+
+Version 0.7.1, 2001-05-16
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Rewrote configure script: more consistent and complete
+* Made it easier to find out parameters of types at run time (opencl.h)
+* New functions for finding the version being used (version.h)
+* New SymmetricKey interface for Filters (symkey.h)
+* InvalidKeyLength now records what the invalid key length was
+* Optimized DES, CS-Cipher, MISTY1, Skipjack, XTEA
+* Changed GOST to use correct S-box ordering (incompatible change)
+* Benchmark code was almost totally rewritten
+* Many more entries in the test vector file
+* Fixed minor and idiotic bug in check.cpp
+
+Version 0.7.0, 2001-03-01
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* First public release
+
+