1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
Deprecated Features
========================
Certain functionality is deprecated and is likely to be removed in
a future major release.
To help warn users, macros are used to annotate deprecated functions
and headers. These warnings are enabled by default, but can be
disabled by defining the macro ``BOTAN_NO_DEPRECATED_WARNINGS`` prior
to including any Botan headers.
.. warning::
Not all of the functionality which is currently deprecated has an
associated warning.
If you are using something which is currently deprecated and there
doesn't seem to be an obvious alternative, contact the developers to
explain your use case if you want to make sure your code continues to
work.
TLS Protocol Deprecations
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The following TLS protocol features are deprecated and will be removed
in a future major release:
- Support for TLSv1.0/v1.1 and DTLS v1.0
- Support for point compression in TLS. This is supported in v1.2 but
removed in v1.3. For simplicity it will be removed in v1.2 also.
- Support for using SHA-1 to sign TLS v1.2 ServerKeyExchange.
- All CBC mode ciphersuites. This includes all available 3DES and SEED
ciphersuites. This implies also removing Encrypt-then-MAC extension.
- All ciphersuites using DH key exchange (DHE-RSA, DHE-PSK)
- Support for renegotiation in TLS v1.2
- All ciphersuites using static RSA key exchange
- OCB ciphersuites using 128-bit keys
Deprecated Functionality
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This section lists cryptographic functionality which will be removed
in a future major release.
- Block cipher GOST 28147
- Hash function GOST 34.11-94
- DLIES
- GCM support for 64-bit tags
- Weak or rarely used ECC builtin groups including "secp160k1", "secp160r1",
"secp160r2", "secp192k1", "secp224k1",
"brainpool160r1", "brainpool192r1", "brainpool224r1", "brainpool320r1",
"x962_p192v2", "x962_p192v3", "x962_p239v1", "x962_p239v2", "x962_p239v3".
- All built in MODP groups < 2048 bits
- Support for explicit ECC curve parameters and ImplicitCA encoded parameters in
EC_Group and all users (including X.509 certificates and PKCS#8 private keys).
- All pre-created DSA groups
- All support for loading, generating or using RSA keys with a public
exponent larger than 2**64-1
Deprecated Headers
^^^^^^^^^^^^^^^^^^^^^^
PBKDF headers:
``bcrypt_pbkdf.h``,
``pbkdf1.h``,
``pbkdf2.h``,
``pgp_s2k.h``,
``scrypt.h``,
Internal implementation headers - seemingly no reason for applications to use:
``curve_gfp.h``,
``mdx_hash.h``,
``reducer.h``,
``scan_name.h``,
``tls_algos.h``,
``tls_magic.h``,
``xmss_hash.h``,
Utility headers, nominally useful in applications but not a core part of
the library API and most are just sufficient for what the library needs
to implement other functionality.
``compiler.h``,
``cpuid.h``,
``http_util.h``,
``uuid.h``,
Other API deprecations
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Currently, for certain KDFs, if KDF interface is invoked with a
requested output length larger than supported by the KDF, it returns
instead a truncated key. In a future major release, instead if KDF
is called with a length larger than it supports an exception will be
thrown.
- The TLS constructors taking ``std::function`` for callbacks. Instead
use the ``TLS::Callbacks`` interface.
- The ``Buffered_Computation`` base class. In a future release the
class will be removed, and all of member functions instead declared
directly on ``MessageAuthenticationCode`` and ``HashFunction``. So
this only affects you if you are directly referencing
``Botan::Buffered_Computation`` in some way.
Deprecated Build Targets
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Configuring a build (with ``configure.py``) using Python2. In a future
major release, Python3 will be required.
|
