summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorMaciej Cencora <[email protected]>2010-02-06 18:38:01 +0100
committerMaciej Cencora <[email protected]>2010-03-07 12:21:29 +0100
commit8014b5f06853a5926ee772af232abdc9cd4e90c4 (patch)
tree4af213c01037846ab355c3a2845d6bcf91761d43 /src
parent5fefca5dbae9a5b00a3d624da0b5e582c00ad280 (diff)
radeon: add some debugging info to sw tiling/untiling functions
Diffstat (limited to 'src')
-rw-r--r--src/mesa/drivers/dri/radeon/radeon_tile.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/mesa/drivers/dri/radeon/radeon_tile.c b/src/mesa/drivers/dri/radeon/radeon_tile.c
index 1e4729a0b5d..935fa45e041 100644
--- a/src/mesa/drivers/dri/radeon/radeon_tile.c
+++ b/src/mesa/drivers/dri/radeon/radeon_tile.c
@@ -30,7 +30,8 @@
#include <stdint.h>
#include <string.h>
-#include <main/macros.h>
+#include "main/macros.h"
+#include "radeon_debug.h"
#define MICRO_TILE_SIZE 32
@@ -215,6 +216,10 @@ void tile_image(const void * src, unsigned src_pitch,
assert(dst_pitch >= width);
assert(dst_pitch * _mesa_get_format_bytes(format) % MICRO_TILE_SIZE == 0);
+ radeon_print(RADEON_TEXTURE, RADEON_TRACE,
+ "Software tiling: src_pitch %d, dst_pitch %d, width %d, height %d, bpp %d\n",
+ src_pitch, dst_pitch, width, height, _mesa_get_format_bytes(format));
+
switch (_mesa_get_format_bytes(format))
{
case 16:
@@ -436,6 +441,10 @@ void untile_image(const void * src, unsigned src_pitch,
assert(dst_pitch >= width);
assert(src_pitch * _mesa_get_format_bytes(format) % MICRO_TILE_SIZE == 0);
+ radeon_print(RADEON_TEXTURE, RADEON_TRACE,
+ "Software untiling: src_pitch %d, dst_pitch %d, width %d, height %d, bpp %d\n",
+ src_pitch, dst_pitch, width, height, _mesa_get_format_bytes(format));
+
switch (_mesa_get_format_bytes(format))
{
case 16:
#n193'>193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949 1950 1951 1952 1953 1954 1955 1956 1957 1958 1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046 2047 2048 2049 2050 2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128 2129 2130 2131 2132 2133 2134 2135 2136 2137 2138 2139 2140 2141 2142 2143 2144 2145 2146 2147 2148 2149 2150 2151 2152 2153 2154 2155 2156 2157 2158 2159 2160 2161 2162 2163 2164 2165 2166 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249 2250 2251 2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 2262 2263 2264 2265 2266 2267 2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293 2294 2295 2296 2297 2298 2299 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338 2339 2340 2341 2342 2343 2344 2345 2346 2347 2348 2349 2350 2351 2352 2353 2354 2355 2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 2390 2391 2392 2393 2394 2395 2396 2397 2398 2399 2400 2401 2402 2403 2404 2405 2406 2407 2408 2409 2410 2411 2412 2413 2414 2415 2416 2417 2418 2419 2420 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432 2433 2434 2435 2436 2437 2438 2439 2440 2441 2442 2443 2444 2445 2446 2447 2448 2449 2450 2451 2452 2453 2454 2455 2456 2457 2458 2459 2460 2461 2462 2463 2464 2465 2466 2467 2468 2469 2470 2471 2472 2473 2474 2475 2476 2477 2478 2479 2480 2481 2482 2483 2484 2485 2486 2487 2488 2489 2490 2491 2492 2493 2494 2495 2496 2497 2498 2499 2500 2501 2502 2503 2504 2505 2506 2507 2508 2509 2510 2511 2512 2513 2514 2515 2516 2517 2518 2519 2520 2521 2522 2523 2524 2525 2526 2527 2528 2529 2530 2531 2532 2533 2534 2535 2536 2537 2538 2539 2540 2541 2542 2543 2544 2545 2546 2547 2548 2549 2550 2551 2552 2553 2554 2555 2556 2557 2558 2559 2560 2561 2562 2563 2564 2565 2566 2567 2568 2569 2570 2571 2572 2573 2574 2575 2576 2577 2578 2579 2580 2581 2582 2583 2584 2585 2586 2587 2588 2589 2590 2591 2592 2593 2594 2595 2596 2597 2598 2599 2600 2601 2602 2603 2604 2605 2606 2607 2608 2609 2610 2611 2612 2613 2614 2615 2616 2617 2618 2619 2620 2621 2622 2623 2624 2625 2626 2627 2628 2629 2630 2631 2632 2633 2634 2635 2636 2637 2638 2639 2640 2641 2642 2643 2644 2645 2646 2647 2648 2649 2650 2651 2652 2653 2654 2655 2656 2657 2658 2659 2660 2661 2662 2663 2664 2665 2666 2667 2668 2669 2670 2671 2672 2673 2674 2675 2676 2677 2678 2679 2680 2681 2682 2683 2684 2685 2686 2687 2688 2689 2690 2691 2692 2693 2694 2695 2696 2697 2698 2699 2700 2701 2702 2703 2704 2705 2706 2707 2708 2709 2710 2711 2712 2713 2714 2715 2716 2717 2718 2719 2720 2721 2722 2723 2724 2725 2726 2727 2728 2729 2730 2731 2732 2733 2734 2735 2736 2737 2738 2739 2740 2741 2742 2743 2744 2745 2746 2747 2748 2749 2750 2751 2752 2753 2754 2755 2756 2757 2758 2759 2760 2761 2762 2763 2764 2765 2766 2767 2768 2769 2770 2771 2772 2773 2774 2775 2776 2777 2778 2779 2780 2781 2782 2783 2784 2785 2786 2787 2788 2789 2790 2791 2792 2793 2794 2795 2796 2797 2798 2799 2800 2801 2802 2803 2804 2805 2806 2807 2808 2809 2810 2811 2812 2813 2814 2815 2816 2817 2818 2819 2820 2821 2822 2823 2824 2825 2826 2827 2828 2829 2830 2831 2832 2833 2834 2835 2836 2837 2838 2839 2840 2841 2842 2843 2844 2845 2846 2847 2848 2849 2850 2851 2852 2853 2854 2855 2856 2857 2858 2859 2860 2861 2862 2863 2864 2865 2866 2867 2868 2869 2870 2871 2872 2873 2874 2875 2876 2877 2878 2879 2880 2881 2882 2883 2884 2885 2886 2887 2888 2889 2890 2891 2892 2893 2894 2895 2896 2897 2898 2899 2900 2901 2902 2903 2904 2905 2906 2907 2908 2909 2910 2911 2912 2913 2914 2915 2916 2917 2918 2919 2920 2921 2922 2923 2924 2925 2926 2927 2928 2929 2930 2931 2932 2933 2934 2935 2936 2937 2938 2939 2940 2941 2942 2943 2944 2945 2946 2947 2948 2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 2964 2965 2966 2967 2968 2969 2970 2971 2972 2973 2974 2975 2976 2977 2978 2979 2980 2981 2982 2983 2984 2985 2986 2987 2988 2989 2990 2991 2992 2993 2994 2995 2996 2997 2998 2999 3000 3001 3002 3003 3004 3005 3006 3007 3008 3009 3010 3011 3012 3013 3014 3015 3016 3017 3018 3019 3020 3021 3022 3023 3024 3025 3026 3027 3028 3029 3030 3031 3032 3033 3034 3035 3036 3037 3038 3039 3040 3041 3042 3043 3044 3045 3046 3047 3048 3049 3050 3051 3052 3053 3054 3055 3056 3057 3058 3059 3060 3061 3062 3063 3064 3065 3066 3067 3068 3069 3070 3071 3072 3073 3074 3075 3076 3077 3078 3079 3080 3081 3082 3083 3084 3085 3086 3087 3088 3089 3090 3091 3092 3093 3094 3095 3096 3097 3098 3099 3100 3101 3102 3103 3104 3105 3106 3107 3108 3109 3110 3111 3112 3113 3114 3115 3116 3117 3118 3119 3120 3121 3122 3123 3124 3125 3126 3127 3128 3129 3130 3131 3132 3133 3134 3135 3136 3137 3138 3139 3140 3141 3142 3143 3144 3145 3146 3147 3148 3149 3150 3151 3152 3153 3154 3155 3156 3157 3158 3159 3160 3161 3162 3163 3164 3165 3166 3167 3168 3169 3170 3171 3172 3173 3174 3175 3176 3177 3178 3179 3180 3181 3182 3183 3184 3185 3186 3187 3188 3189 3190 3191 3192 3193 3194 3195 3196 3197 3198 3199 3200 3201 3202 3203 3204 3205 3206 3207 3208 3209 3210 3211 3212 3213 3214 3215 3216 3217 3218 3219 3220 3221 3222 3223 3224 3225 3226 3227 3228 3229 3230 3231 3232 3233 3234 3235 3236 3237 3238 3239 3240 3241 3242 3243 3244 3245 3246 3247 3248 3249 3250 3251 3252 3253 3254 3255 3256 3257 3258 3259 3260 3261 3262 3263 3264 3265 3266 3267 3268 3269 3270 3271 3272 3273 3274 3275 3276 3277 3278 3279 3280 3281 3282 3283 3284 3285 3286 3287 3288 3289 3290 3291 3292 3293 3294 3295 3296 3297 3298 3299 3300 3301 3302 3303 3304 3305 3306 3307 3308 3309 3310 3311 3312 3313 3314 3315 3316 3317 3318 3319 3320 3321 3322 3323 3324 3325 3326 3327 3328 3329 3330 3331 3332 3333 3334 3335 3336 3337 3338 3339 3340 3341 3342 3343 3344 3345 3346 3347 3348 3349 3350 3351 3352 3353 3354 3355 3356 3357 3358 3359 3360 3361 3362 3363 3364 3365 3366 3367 3368 3369 3370 3371 3372 3373 3374 3375 3376 3377 3378 3379 3380 3381 3382 3383 3384 3385 3386 3387 3388 3389 3390 3391 3392 3393 3394 3395 3396 3397 3398 3399 3400 3401 3402 3403 3404 3405 3406 3407 3408 3409 3410 3411 3412 3413 3414 3415 3416 3417 3418 3419 3420 3421 3422 3423 3424 3425 3426 3427 3428 3429 3430 3431 3432 3433 3434 3435 3436 3437 3438 3439 3440 3441 3442 3443 3444 3445 3446 3447 3448 3449 3450 3451 3452 3453 3454 3455 3456 3457 3458 3459 3460 3461 3462 3463 3464 3465 3466 3467 3468 3469 3470 3471 3472 3473 3474 3475 3476 3477 3478 3479 3480 3481 3482 3483 3484 3485 3486 3487 3488 3489 3490 3491 3492 3493 3494 3495 3496 3497 3498 3499 3500 3501 3502 3503 3504 3505 3506 3507 3508 3509 3510 3511 3512 3513 3514 3515 3516 3517 3518 3519 3520 3521 3522 3523 3524 3525 3526 3527 3528 3529 3530 3531 3532 3533 3534 3535 3536 3537 3538 3539 3540 3541 3542 3543 3544 3545 3546 3547 3548 3549 3550 3551 3552 3553 3554 3555 3556 3557 3558 3559 3560 3561 3562 3563 3564 3565 3566 3567 3568 3569 3570 3571 3572 3573 3574 3575 3576 3577 3578 3579 3580 3581 3582 3583 3584 3585 3586 3587 3588 3589 3590 3591 3592 3593 3594 3595 3596 3597 3598 3599 3600 3601 3602 3603 3604 3605 3606 3607 3608 3609 3610 3611 3612 3613 3614 3615 3616 3617 3618 3619 3620 3621 3622 3623 3624 3625 3626 3627 3628 3629 3630 3631 3632 3633 3634 3635 3636 3637 3638 3639 3640 3641 3642 3643 3644 3645 3646 3647 3648 3649 3650 3651 3652 3653 3654 3655 3656 3657 3658 3659 3660 3661 3662 3663 3664 3665 3666 3667 3668 3669 3670 3671 3672 3673 3674 3675 3676 3677 3678 3679 3680 3681 3682 3683 3684 3685 3686 3687 3688 3689 3690 3691 3692 3693 3694 3695 3696 3697 3698 3699 3700 3701 3702 3703 3704 3705 3706 3707 3708 3709 3710 3711 3712 3713 3714 3715 3716 3717 3718 3719 3720 3721 3722 3723 3724 3725 3726 3727 3728 3729 3730 3731 3732 3733 3734 3735 3736 3737 3738 3739 3740 3741 3742 3743 3744 3745 3746 3747 3748 3749 3750 3751 3752 3753 3754 3755 3756 3757 3758 3759 3760 3761 3762 3763 3764 3765 3766 3767 3768 3769 3770 3771 3772 3773 3774 3775 3776 3777 3778 3779 3780 3781 3782 3783 3784 3785 3786 3787 3788 3789 3790 3791 3792 3793 3794 3795 3796 3797 3798 3799 3800 3801 3802 3803 3804 3805 3806 3807 3808 3809 3810 3811 3812 3813 3814 3815 3816 3817 3818 3819 3820 3821 3822 3823 3824 3825 3826 3827 3828 3829 3830 3831 3832 3833 3834 3835 3836 3837 3838 3839 3840 3841 3842 3843 3844 3845 3846 3847 3848 3849 3850 3851 3852 3853 3854 3855 3856 3857 3858 3859 3860 3861 3862 3863 3864 3865 3866 3867 3868 3869 3870 3871 3872 3873 3874 3875 3876 3877 3878 3879 3880 3881 3882 3883 3884 3885 3886 3887 3888 3889 3890 3891 3892 3893 3894 3895 3896 3897 3898 3899 3900 3901 3902 3903 3904 3905 3906 3907 3908 3909 3910 3911 3912 3913 3914 3915 3916 3917 3918 3919 3920 3921 3922 3923 3924 3925 3926 3927 3928 3929 3930 3931 3932 3933 3934 3935 3936 3937 3938 3939 3940 3941 3942 3943 3944 3945 3946 3947 3948 3949 3950 3951 3952 3953 3954 3955 3956 3957 3958 3959 3960 3961 3962 3963 3964 3965 3966 3967 3968 3969 3970 3971 3972 3973 3974 3975 3976 3977 3978 3979 3980 3981 3982 3983 3984 3985 3986 3987 3988 3989 3990 3991 3992 3993 3994 3995 3996 3997 3998 3999 4000 4001 4002 4003 4004 4005 4006 4007 4008 4009 4010 4011 4012 4013 4014 4015 4016 4017 4018 4019 4020 4021 4022 4023 4024 4025 4026 4027 4028 4029 4030 4031 4032 4033 4034 4035 4036 4037 4038 4039 4040 4041 4042 4043 4044 4045 4046 4047 4048 4049 4050 4051 4052 4053 4054 4055 4056 4057 4058 4059 4060 4061 4062 4063 4064 4065 4066 4067 4068 4069 4070 4071 4072 4073 4074 4075 4076 4077 4078 4079 4080 4081 4082 4083 4084 4085 4086 4087 4088 4089 4090 4091 4092 4093 4094 4095 4096 4097 4098 4099 4100 4101 4102 4103 4104 4105 4106 4107 4108 4109 4110 4111 4112 4113 4114 4115 4116 4117 4118 4119 4120 4121 4122 4123 4124 4125 4126 4127 4128 4129 4130 4131 4132 4133 4134 4135 4136 4137 4138 4139 4140 4141 4142 4143 4144 4145 4146 4147 4148 4149 4150 4151 4152 4153 4154 4155 4156 4157 4158 4159 4160 4161 4162 4163 4164 4165 4166 4167 4168 4169 4170 4171 4172 4173 4174 4175 4176 4177 4178 4179 4180 4181 4182 4183 4184 4185 4186 4187 4188 4189 4190 4191 4192 4193 4194 4195 4196 4197 4198 4199 4200 4201 4202 4203 4204 4205 4206 4207 4208 4209 4210 4211 4212 4213 4214 4215 4216 4217 4218 4219 4220 4221 4222 4223 4224 4225 4226 4227 4228 4229 4230 4231 4232 4233 4234 4235 4236 4237 4238 4239 4240 4241 4242 4243 4244 4245 4246 4247 4248 4249 4250 4251 4252 4253 4254 4255 4256 4257 4258 4259 4260 4261 4262 4263 4264 4265 4266 4267 4268 4269 4270 4271 4272 4273 4274 4275 4276 4277 4278 4279 4280 4281 4282 4283 4284 4285 4286 4287 4288 4289 4290 4291 4292 4293 4294 4295 4296 4297 4298 4299 4300 4301 4302 4303 4304 4305 4306 4307 4308 4309 4310 4311 4312 4313 4314 4315 4316 4317 4318 4319 4320 4321 4322 4323 4324 4325 4326 4327 4328 4329 4330 4331 4332 4333 4334 4335 4336 4337 4338 4339 4340 4341 4342 4343 4344 4345 4346 4347 4348 4349 4350 4351 4352 4353 4354 4355 4356 4357 4358 4359 4360 4361 4362 4363 4364 4365 4366 4367 4368 4369 4370 4371 4372 4373 4374 4375 4376 4377 4378 4379 4380 4381 4382 4383 4384 4385 4386 4387 4388 4389 4390 4391 4392 4393 4394 4395 4396 4397 4398 4399 4400 4401 4402 4403 4404 4405 4406 4407 4408 4409 4410 4411 4412 4413 4414 4415 4416 4417 4418 4419 4420 4421 4422 4423 4424 4425 4426 4427 4428 4429 4430 4431 4432 4433 4434 4435 4436 4437 4438 4439 4440 4441 4442 4443 4444 4445 4446 4447 4448 4449 4450 4451 4452 4453 4454 4455 4456 4457 4458 4459 4460 4461 4462 4463 4464 4465 4466 4467 4468 4469 4470 4471 4472 4473 4474 4475 4476 4477 4478 4479 4480 4481 4482 4483 4484 4485 4486 4487 4488 4489 4490 4491 4492 4493 4494 4495 4496 4497 4498 4499 4500 4501 4502 4503 4504 4505 4506 4507 4508 4509 4510 4511 4512 4513 4514 4515 4516 4517 4518 4519 4520 4521 4522 4523 4524 4525 4526 4527 4528 4529 4530 4531 4532 4533 4534 4535 4536 4537 4538 4539 4540 4541 4542 4543 4544 4545 4546 4547 4548 4549 4550 4551 4552 4553 4554 4555 4556 4557 4558 4559 4560 4561 4562 4563 4564 4565 4566 4567 4568 4569 4570 4571 4572 4573 4574 4575 4576 4577 4578 4579 4580 4581 4582 4583 4584 4585 4586 4587 4588 4589 4590 4591 4592 4593 4594 4595 4596 4597 4598 4599 4600 4601 4602 4603 4604 4605 4606 4607 4608 4609 4610 4611 4612 4613 4614 4615 4616 4617 4618 4619 4620 4621 4622 4623 4624 4625 4626 4627 4628 4629 4630 4631 4632 4633 4634 4635 4636 4637 4638 4639 4640 4641 4642 4643 4644 4645 4646 4647 4648 4649 4650 4651 4652 4653 4654 4655 4656 4657 4658 4659 4660 4661 4662 4663 4664 4665 4666 4667 4668 4669 4670 4671 4672 4673 4674 4675 4676 4677 4678 4679 4680 4681 4682 4683 4684 4685 4686 4687 4688 4689 4690 4691 4692 4693 4694 4695 4696 4697 4698 4699 4700 4701 4702 4703 4704 4705 4706 4707 4708 4709 4710 4711 4712 4713 4714 4715 4716 4717 4718 4719 4720 4721 4722 4723 4724 4725 4726 4727 4728 4729 4730 4731 4732 4733 4734 4735 4736 4737 4738 4739 4740 4741 4742 4743 4744 4745 4746 4747 4748 4749 4750 4751 4752 4753 4754 4755 4756 4757 4758 4759 4760 4761 4762 4763 4764 4765 4766 4767 4768 4769 4770 4771 4772 4773 4774 4775 4776 4777 4778 4779 4780 4781 4782 4783 4784 4785 4786 4787 4788 4789 4790 4791 4792 4793 4794 4795 4796 4797 4798 4799 4800 4801 4802 4803 4804 4805 4806 4807 4808 4809 4810 4811 4812 4813 4814 4815 4816 4817 4818 4819 4820 4821 4822 4823 4824 4825 4826 4827 4828 4829 4830 4831 4832 4833 4834 4835 4836 4837 4838 4839 4840 4841 4842 4843 4844 4845 4846 4847 4848 4849 4850 4851 4852 4853 4854 4855 4856 4857 4858 4859 4860 4861 4862 4863 4864 4865 4866 4867 4868 4869 4870 4871 4872 4873 4874 4875 4876 4877 4878 4879 4880 4881 4882 4883 4884 4885 4886 4887 4888 4889 4890 4891 4892 4893 4894 4895 4896 4897 4898 4899 4900 4901 4902 4903 4904 4905 4906 4907 4908 4909 4910 4911 4912 4913 4914 4915 4916 4917 4918 4919 4920 4921 4922 4923 4924 4925 4926 4927 4928 4929 4930 4931 4932 4933 4934 4935 4936 4937 4938 4939 4940 4941 4942 4943 4944 4945 4946 4947 4948 4949 4950 4951 4952 4953 4954 4955 4956 4957 4958 4959 4960 4961 4962 4963 4964 4965 4966 4967 4968 4969 4970 4971 4972 4973 4974 4975 4976 4977 4978 4979 4980 4981 4982 4983 4984 4985 4986 4987 4988 4989 4990 4991 4992 4993 4994 4995 4996 4997 4998 4999 5000 5001 5002 5003 5004 5005 5006 5007 5008 5009 5010 5011 5012 5013 5014 5015 5016 5017 5018 5019 5020 5021 5022 5023 5024 5025 5026 5027 5028 5029 5030 5031 5032 5033 5034 5035 5036 5037 5038 5039 5040 5041 5042 5043 5044 5045 5046 5047 5048 5049 5050 5051 5052 5053 5054 5055 5056 5057 5058 5059 5060 5061 5062 5063 5064 5065 5066 5067 5068 5069 5070 5071 5072 5073 5074 5075 5076 5077 5078 5079 5080 5081 5082 5083 5084 5085 5086 5087 5088 5089 5090 5091 5092 5093 5094 5095 5096 5097 5098 5099 5100 5101 5102 5103 5104 5105 5106 5107 5108 5109 5110 5111 5112 5113 5114 5115 5116 5117 5118 5119 5120 5121 5122 5123 5124 5125 5126 5127 5128 5129 5130 5131 5132 5133 5134 5135 5136 5137 5138 5139 5140 5141 5142 5143 5144 5145 5146 5147 5148 5149 5150 5151 5152 5153 5154 5155 5156 5157 5158 5159 5160 5161 5162 5163 5164 5165 5166 5167 5168 5169 5170 5171 5172 5173 5174 5175 5176 5177 5178 5179 5180 5181 5182 5183 5184 5185 5186 5187 5188 5189 5190 5191 5192 5193 5194 5195 5196 5197 5198 5199 5200 5201 5202 5203 5204 5205 5206 5207 5208 5209 5210 5211 5212 5213 5214 5215 5216 5217 5218 5219 5220 5221 5222 5223 5224 5225 5226 5227 5228 5229 5230 5231 5232 5233 5234 5235 5236 5237 5238 5239 5240 5241 5242 5243 5244 5245 5246 5247 5248 5249 5250 5251 5252 5253 5254 5255 5256 5257 5258 5259 5260 5261 5262 5263 5264 5265 5266 5267 5268 5269 5270 5271 5272 5273 5274 5275 5276 5277 5278 5279 5280 5281 5282 5283 5284 5285 5286 5287 5288 5289 5290 5291 5292 5293 5294 5295 5296 5297 5298 5299 5300 5301 5302 5303 5304 5305 5306 5307 5308 5309 5310 5311 5312 5313 5314 5315 5316 5317 5318 5319 5320 5321 5322 5323 5324 5325 5326 5327 5328 5329 5330 5331 5332 5333 5334 5335 5336 5337 5338 5339 5340 5341 5342 5343 5344 5345 5346 5347 5348 5349 5350 5351 5352 5353 5354 5355 5356 5357 5358 5359 5360 5361 5362 5363 5364 5365 5366 5367 5368 5369 5370 5371 5372 5373 5374 5375 5376 5377 5378 5379 5380 5381 5382 5383 5384 5385 5386 5387 5388 5389 5390 5391 5392 5393 5394 5395 5396 5397 5398 5399 5400 5401 5402 5403 5404 5405 5406 5407 5408 5409 5410 5411 5412 5413 5414 5415 5416 5417 5418 5419 5420 5421 5422 5423 5424 5425 5426 5427 5428 5429 5430 5431 5432 5433 5434 5435 5436 5437 5438 5439 5440 5441 5442 5443 5444 5445 5446 5447 5448 5449 5450 5451 5452 5453 5454 5455 5456 5457 5458 5459 5460 5461 5462 5463 5464 5465 5466 5467 5468 5469 5470 5471 5472 5473 5474 5475 5476 5477 5478 5479 5480 5481 5482 5483 5484 5485 5486 5487 5488 5489 5490 5491 5492 5493 5494 5495 5496 5497 5498 5499 5500 5501 5502 5503 5504 5505 5506 5507 5508 5509 5510 5511 5512 5513 5514 5515 5516 5517 5518 5519 5520 5521 5522 5523 5524 5525 5526 5527 5528 5529 5530 5531 5532 5533 5534 5535 5536 5537 5538 5539 5540 5541 5542 5543 5544 5545 5546 5547 5548 5549 5550 5551 5552 5553 5554 5555 5556 5557 5558 5559 5560 5561 5562 5563 5564 5565 5566 5567 5568 5569 5570 5571 5572 5573 5574 5575 5576 5577 5578 5579 5580 5581 5582 5583 5584 5585 5586 5587 5588 5589 5590 5591 5592 5593 5594 5595 5596 5597 5598 5599 5600 5601 5602 5603 5604 5605 5606 5607 5608 5609 5610 5611 5612 5613 5614 5615 5616 5617 5618 5619 5620 5621 5622 5623 5624 5625 5626 5627 5628 5629 5630 5631 5632 5633 5634 5635 5636 5637 5638 5639 5640 5641 5642 5643 5644 5645 5646 5647 5648 5649 5650 5651 5652 5653 5654 5655 5656 5657 5658 5659 5660 5661 5662 5663 5664 5665 5666 5667 5668 5669 5670 5671 5672 5673 5674 5675 5676 5677 5678 5679 5680 5681 5682 5683 5684 5685 5686 5687 5688 5689 5690 5691 5692 5693 5694 5695 5696 5697 5698 5699 5700 5701 5702 5703 5704 5705 5706 5707 5708 5709 5710 5711 5712 5713 5714 5715 5716 5717 5718 5719 5720 5721 5722 5723 5724 5725 5726 5727 5728 5729 5730 5731 5732 5733 5734 5735 5736 5737 5738 5739 5740 5741 5742 5743 5744 5745 5746 5747 5748 5749 5750 5751 5752 5753 5754 5755 5756 5757 5758 5759 5760 5761 5762 5763 5764 5765 5766 5767 5768 5769 5770 5771 5772 5773 5774 5775 5776 5777 5778 5779 5780
Release Notes
========================================

Version 2.12.0, Not Yet Released
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* GCM performance improvements (GH #2024)

* RSA signature performance improvements (GH #2068 #2070)

* Support Argon2 outputs longer than 64 bytes (GH #2079 #2078)

* Correct a bug in CAST-128 which caused incorrect computation using
  11, 13, 14, or 15 byte keys. (GH #2081)

* Fix a bug which would cause Streebog to produce incorrect outputs for
  certain messages (GH #2082 #2083)

* Fix a bug which would cause PBKDF2 to go into a very long loop if
  it was requested to use an iteration count of 0. (GH #2090 #2088)

* In DTLS server, support a client crashing and then reconnecting from
  the same source port, as described in RFC 6347 sec 4.2.8 (GH #2029)

* Optimize DTLS MTU splitting to split precisely to the set MTU (GH #2042)

* Improve the error messages generated when an invalid TLS state transition occurs
  (GH #2030)

* Add some new APIs on ``OID`` objects (GH #2057)

* Fix some edge cases around TLS close_notify support. (GH #2054)

* Add support for the TLS v1.3 downgrade indicator. (GH #2027)

* Modifications to support GOST 34.10-2012 signatures (GH #2055 #2056 #1860 #1897)

* The BearSSL provider has been removed (GH #2020)

* Add support for 64-bit version of RDRAND, doubling performance on x86-64 (GH #934 #2022)

* Add support for the POWER9 hardware random number generator (GH #2026)

* Add a new ``entropy`` cli which allows sampling the output of the entropy sources.

* Cleanups in TLS record layer (GH #2021)

* Support setting TLS policies in CLIs like ``tls_client`` and ``tls_proxy_server`` (GH #2047)

* Fix typos in some OCSP enums which used "OSCP" instead. (GH #2048)

* The tests now run in multithreaded mode by default. Provde option ``--test-threads=1`` to
  return to previous single-threaded behavior. (GH #2071 #2075)

* In the Python module, avoid trying to load DLLs for names that don't match the current
  platform (GH #2062 #2059)

* In the Python module, also look for ``botan.dll`` so Python wrapper can run on Windows.
  (GH #2059 #2060)

* Now the minimum Windows target is set to Windows 7 (GH #2036 #2028)

* Add ``BOTAN_FORCE_INLINE`` macro to resolve a performance issue with BLAKE2b on MSVC
  (GH #2092 #2089)

* Avoid using ``__GNUG__`` in headers that may be consumed by a C compiler (GH #2013)

* Fix a bug which caused amalgamation builds to fail on iOS (GH #2045)

* Support disabling thread local storage, needed for building on old iOS (GH #2045)p

* Add a script to help with building for Android, using Docker (GH #2016 #2033 #513)

* Add Android NDK build to Travis CI (GH #2017)

Version 2.11.0, 2019-07-01
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add Argon2 PBKDF and password hash (GH #459 #1981 #1987)

* Add Bcrypt-PBKDF (GH #1990)

* Add a libsodium compat layer in sodium.h (GH #1996)

* XMSS now follows RFC 8391 which is incompatible with previous versions, which
  had followed draft 6. (GH #1858 #2003)

* Add server side support for issuing DTLS HelloVerifyRequest messages
  (GH #1999)

* Add a shim allowing testing Botan against the BoringSSL test suite,
  and fix a number of bugs in TLS found using it.
  (GH #1954 #1955 #1956 #1959 #1966 #1970)

* Add support for the TLS v1.3 supported_versions extension. (GH #1976)

* Add Ed25519ph compatible with RFC 8032 (GH #1699 #2000)

* Add support for OCSP stapling on server side. (GH #1703 #1967)

* Add a ``boost::asio`` TLS stream compatible with ``boost::asio::ssl``.
  (GH #1839 #1927 #1992)

* Add a certificate store for Linux/Unix systems. (GH #1885 #1936)

* Add a certificate store for Windows systems. (GH #1931)

* Add a generic ``System_Certificate_Store`` which wraps Windows, macOS,
  and Linux certificate stores. (GH #1893)

* Fix verification rooted in a v1 certificate which previously would fail.
  (GH #1890)

* Add ability to specify the maximum age of an OCSP response which does not
  have the nextUpdate field set. (GH #1974 #1995)

* Fix X509_DN::operator< which could erroneously return true in both
  directions (ie, DN1 < DN2 && DN2 < DN1). This would break STL
  containers using a DN as the key. (GH #1938)

* It is now possible to create intermediate CA certificates using the
  command line interface. (GH #1879 #1889)

* Add a new build time option to set where the system stores trusted
  certificates. (GH #1888)

* New ``trust_roots`` CLI that examines the system certificate store.
  (GH #1893)

* Fix bugs and add many new features in the Python wrapper.
  (GH #1899 #1900 #1901 #1902 #1903 #1904 #1906 #1907 #1915)

* Various FFI interfaces which are redundant with other APIs are now
  deprecated. The deprecation message suggests the alternate API to use.
  (GH #1915)

* Fix decoding of RSA-OAEP certificates. (GH #1943 #1944)

* Allow setting multiple organization unit fields in a certificate or
  certificate request. (GH #1939)

* Increase the maximum allowed year in ASN1_Time to 3100. This works
  around a problem parsing certs in AppVeyor's trust store.

* Add ``--format`` option to ``rng`` CLI command allowing to format
  as base64, base58 or binary in addition to hex. (GH #1945)

* Remove use of table lookups for IP/FP transforms in DES (GH #1928)

* Improve the tests for SRP6 (GH #1917 #1923)

* Document the build system

* When available use POSIX ``sysconf`` to detect the number of CPUs (GH #1877)

* Add functionality to handle Boost naming conventions on different platforms,
  especially affecting Windows. Enable Boost in AppVeyor builds. (GH #1964)

* Add alternate implementation of ``getauxval`` for older Android (GH #1962)

* Add ``configure.py`` option allowing to set arbitrary macros during build.
  (GH #1960)

* Use FreeBSD's ``elf_aux_info`` to detect ARM and POWER CPU features
  (GH #1895)

* Use FreeBSD's ``PROT_MAX`` to prevent mmap regions from being made executable
  later. (GH #2001)

* Fix a memory leak in the tests (GH #1886)

* Fix an issue building with the new Boost 1.70 (GH #1881 #1880)

* Fix an issue with UbSan in the tests (GH #1892)

* Remove use of ``-mabi`` flag when building on MIPS64 (GH #1918)

* Make it possible to specify additional libraries in ``LDFLAGS`` (GH #1916)

* Fix some warnings from Clang 8 (GH #1941)

* Fix the makefile .PHONY syntax (GH #1874)

* Fix build issue with SoftHSM 2.5.0 (GH #1986)

Version 2.10.0, 2019-03-30
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Notice: the developers plan to switch from gzip to xz compression for
  releases starting in 2.11. If this is a problem please comment at
  https://github.com/randombit/botan/issues/1872

* Warning: XMSS currently implements draft-06 which is not compatible with the
  final RFC 8391 specification. A PR is open to fix this, however it will break
  all current uses of XMSS. If you are currently using XMSS please comment at
  https://github.com/randombit/botan/pull/1858. Otherwise the PR will be merged
  and support for draft-06 will be removed starting in 2.11.

* Added a new certificate store implementation that can access the
  MacOS keychain certificate store. (GH #1830)

* Redesigned ``Memory_Pool`` class, which services allocations out of a
  set of pages locked into memory (using ``mlock``/``VirtualLock``). It is now
  faster and with improved exploit mitigations. (GH #1800)

* Add BMI2 implementations of SHA-512 and SHA-3 which improve performance by
  25-35% on common CPUs. (GH #1815)

* Unroll SHA-3 computation improving performance by 10-12% (GH #1838)

* Add a ``Thread_Pool`` class. It is now possible to run the tests in multiple
  threads with ``--test-threads=N`` flag to select the number of threads to use.
  Use ``--test-threads=0`` to run with as many CPU cores as are available on the
  current system. The default remains single threaded. (GH #1819)

* XMSS signatures now uses a global thread pool instead of spawning new threads
  for each usage. This improves signature generation performance by between 10%
  and 60% depending on architecture and core count. (GH #1864)

* Some functions related to encoding and decoding BigInts have been deprecated.
  (GH #1817)

* Binary encoding and decoding of BigInts has been optimized by performing
  word-size operations when possible. (GH #1817)

* Rename the exception ``Integrity_Failure`` to ``Invalid_Authentication_Tag`` to make
  its meaning and usage more clear. The old name remains as a typedef. (GH #1816)

* Support for using Boost ``filesystem`` and MSVC's ``std::filesystem`` have been
  removed, since already POSIX and Win32 versions had to be maintained for
  portability. (GH #1814)

* Newly generated McEliece and XMSS keys now default to being encrypted using
  SIV mode, support for which was added in 2.8.0. Previously GCM was used by
  default for these algorithms.

* Use ``arc4random`` on Android systems (GH #1851)

* Fix the encoding of PGP-S2K iteration counts (GH #1853 #1854)

* Add a facility for sandboxing the command line util. Currently FreeBSD
  (Capsicum) and OpenBSD (``pledge``) sandboxes are supported. (GH #1808)

* Use ``if constexpr`` when available.

* Disable building shared libs on iOS as it was broken and it is not clear shared
  libraries are ever useful on iOS (GH #1865)

* Renamed the ``darwin`` build target to ``macos``. This should not cause any
  user-visible change. (GH #1866)

* Add support for using ``sccache`` to cache the Windows CI build (GH #1807)

* Add ``--extra-cxxflags`` option which allows adding compilation flags without
  overriding the default set. (GH #1826)

* Add ``--format=`` option to the ``hash`` cli which allows formatting the output
  as base64 or base58, default output remains hex.

* Add ``base58_enc`` and ``base58_dec`` cli utils for base58 encoding/decoding.
  (GH #1848)

* Enable ``getentropy`` by default on macOS (GH #1862)

* Avoid using ``-momit-leaf-frame-pointer`` flags, since ``-fomit-frame-pointer``
  is already the default with recent versions of GCC.

* Fix XLC sanitizer flags.

* Rename ``Blake2b`` class to ``BLAKE2b`` to match the official name. There is
  a typedef for compat.

* Fix a bug where loading a raw ``Ed25519_PublicKey`` of incorrect length would
  lead to a crash. (GH #1850)

* Fix a bug that caused compilation problems using CryptoNG PRNG. (GH #1832)

* Extended SHAKE-128 cipher to support any key between 1 and 160 bytes, instead
  of only multiples of 8 bytes.

* Minor HMAC optimizations.

* Build fixes for GNU/Hurd.

* Fix a bug that prevented generating or verifying Ed25519 signatures in the CLI
  (GH #1828 #1829)

* Fix a compilation error when building the amalgamation outside of the original
  source directory when AVX2 was enabled. (GH #1812)

* Fix a crash when creating the amalgamation if a header file was edited on
  Windows but then the amalgamation was built on Linux (GH #1763)

Version 2.9.0, 2019-01-04
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* CVE-2018-20187 Address a side channel during ECC key generation,
  which used an unblinded Montgomery ladder. As a result, a timing
  attack can reveal information about the high bits of the secret key.

* Fix bugs in TLS which caused negotiation failures when the client
  used an unknown signature algorithm or version (GH #1711 #1709 #1708)

* Fix bug affecting GCM, EAX and ChaCha20Poly1305 where if the associated data
  was set after starting a message, the new AD was not reflected in the produced
  tag. Now with these modes setting an AD after beginning a message throws an
  exception.

* Use a smaller sieve which improves performance of prime generation.

* Fixed a bug that caused ChaCha to produce incorrect output after encrypting
  256 GB. (GH #1728)

* Add NEON and AltiVec implementations of ChaCha (GH #1719 #1728 #1729)

* Optimize AVX2 ChaCha (GH #1730)

* Many more operations in BigInt, ECC and RSA code paths are either fully const time
  or avoid problematic branches that could potentially be exploited in a side
  channel attack. (GH #1738 #1750 #1754 #1755 #1757 #1758 #1759 #1762 #1765
  #1770 #1773 #1774 #1779 #1780 #1794 #1795 #1796 #1797)

* Several optimizations for BigInt and ECC, improving ECDSA performance by as
  much as 30%. (GH #1734 #1737 #1777 #1750 #1737 #1788)

* Support recovering an ECDSA public key from a message/signature pair (GH #664 #1784)

* Add base58 encoding/decoding functions (GH #1783)

* In the command line interface, add support for reading passphrases from the
  terminal with echo disabled (GH #1756)

* Add ``CT::Mask`` type to simplify const-time programming (GH #1751)

* Add new configure options ``--disable-bmi2``, ``--disable-rdrand``,
  and ``--disable-rdseed`` to prevent use of those instruction sets.

* Add ``error_type`` and ``error_code`` functions to Exception type (GH #1744)

* Now on POSIX systems ``posix_memalign`` is used instead of ``mmap`` for
  allocating the page-locked memory pool. This avoids issues with ``fork``.
  (GH #602 #1798)

* When available, use RDRAND to generate the additional data in
  ``Stateful_RNG::randomize_with_ts_input``

* Use vzeroall/vzeroupper intrinsics to avoid AVX2/SSE transition penalties.

* Support for Visual C++ 2013 has been removed (GH #1557 #1697)

* Resolve a memory leak when verifying ECDSA signatures with versions
  of OpenSSL before 1.1.0 (GH #1698)

* Resolve a memory leak using ECDH via OpenSSL (GH #1767)

* Fix an error in XTS which prohibited encrypting values which were
  exactly the same length as the underlying block size. Messages of
  this size are allowed by the standard and other XTS implementations.
  (GH #1706)

* Resolve a bug in TSS which resulted in it using an incorrect length
  field in the shares. Now the correct length is encoded, but either
  correct or buggy lengths are accepted when decoding. (GH #1722)

* Correct a bug when reducing a negative ``BigInt`` modulo a small power of 2.
  (GH #1755)

* Add CLI utils for threshold secret splitting. (GH #1722)

* Fix a bug introduced in 2.8.0 that caused compilation failure if using
  a single amalgamation file with AVX2 enabled. (GH #1700)

* Add an explicit OS target for Emscripten and improve support for it.
  (GH #1702)

* Fix small issues when building for QNX

* Switch the Travis CI build to using Ubuntu 16.04 (GH #1767)

* Add options to ``configure.py`` to disable generation of ``pkg-config``
  file, and (for systems where ``pkg-config`` support defaults to off,
  like Windows), to enable generating it. (GH #1268)

* Modify ``configure.py`` to accept empty lists or trailing/extra commas.
  (GH #1705)

Version 2.8.0, 2018-10-01
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add support for using Apple CommonCrypto library for hashing (GH #1667),
  cipher modes (GH #1674) and block ciphers (GH #1673).

* Support for negotiating TLS versions 1.0 and 1.1 is disabled in the default
  TLS policy. In addition, support for negotiating TLS ciphersuites using CBC or
  CCM mode is disabled by default. Applications which need to interop with old
  peers must enable these in their TLS policy object. (GH #1651)

* During primality testing, use a Lucas test in addition to Miller-Rabin. It is
  possible to construct a composite integer which passes n Miller-Rabin tests
  with probability (1/4)^n. So for a incautious verifier using a small number
  of tests (under 16 or so) it is possible if unlikely they would accept such a
  composite as prime. Adding a Lucas test precludes such an attack. (GH #1636)

* Add XChaCha and XChaCha20Poly1305 (GH #1640)

* Add AVX2 implementations of ChaCha (GH #1662) and Serpent (GH #1660)

* Add a new password hashing interface in pwdhash.h (GH #1670)

* C binding improvements. Added functions to get name and supported
  keylengths of cipher, hash and MAC objects, support for FE1 format
  preserving encryption (GH #1625 #1646), functions to load and save
  RSA keys in PKCS #1 format (GH #1621), HOTP and TOTP algorithms,
  scrypt, certificate verification (GH #1647), functions to get the
  output length of public key operations (GH #1642), and functions for
  loading and serializing X25519 keys (GH #1681)

* Support for building with BOTAN_MP_WORD_BITS set to 8 or 16 has been removed.

* Previously SM2 had two distinct key types, one for signatures and another for
  encryption. They have now been merged into a single key type since in practice
  it seems the same key is at times used for both operations. (GH #1637)

* The ``Cipher_Mode`` class now derives from ``SymmetricAlgorithm`` (GH #1639)

* Add support for using the ARMv8 instructions for SM4 encryption (GH #1622)

* The entropy source using ``SecRandomCopyBytes`` has been removed as it was
  redundant with other entropy sources (GH #1668)

* The Python module has much better error checking and reporting, and offers new
  functionality such as scrypt, MPI and FPE. (GH #1643 #1646)

* Fixed a bug that caused CCM to fail with an exception when used with L=8
  (GH #1631 #1632)

* The default bcrypt work factor has been increased from 10 to 12.

* The default algorithm used in passhash9 has changed from SHA-256 to SHA-512,
  and the default work factor increased from 10 to 15.

* In ECC private keys, include the public key data for compatibility with
  GnuTLS (GH #1634 #1635)

* Add support for using Linux ``getrandom`` syscall to access the system PRNG.
  This is disabled by default, use ``--with-os-feature=getrandom`` to enable.

* It is now possible to encrypt private keys using SIV mode.

* The FFI function botan_privkey_load now ignores its rng argument.

* Resolve a problem when building under Visual C++ 15.8 (GH #1624)

* Fix a bug in XSalsa20 (192-bit Salsa nonces) where if set_iv was called twice
  without calling set_key, the resulting encryption was incorrect. (GH #1640)

* Handle an error seen when verifying invalid ECDSA signatures using LibreSSL
  on non x86-64 platforms (GH #1627 #1628)

* Fix bugs in PKCS7 and X9.23 CBC padding schemes, which would ignore
  the first byte in the event the padding took up the entire block. (GH #1690)

* Correct bugs which would cause CFB, OCB, and GCM modes to crash when they
  were used in an unkeyed state. (GH #1639)

* Optimizations for SM4 and Poly1305

* Avoid a cache side channel in the AES key schedule

* Add ``pk_encrypt`` and ``pk_decrypt`` CLI operations

* Now ``asn1print`` CLI defaults to printing context-specific fields.

* Use codec_base for Base64, which matches how Base32 is implemented (GH #1597)

* The ``cast`` module has been split up into ``cast128`` and ``cast256`` (GH #1685)

* When building under Visual C++ 2013, the user must acknowledge the upcoming
  removal of support using the configure.py flag ``--ack-vc2013-deprecated``
  (GH #1557)

Version 2.7.0, 2018-07-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* CVE-2018-12435 Avoid a side channel in ECDSA signature generation (GH #1604)

* Avoid a side channel in RSA key generation due to use of a non-constant time
  gcd algorithm. (GH #1542 #1556)

* Optimize prime generation, especially improving RSA key generation. (GH #1542)

* Make Karatsuba multiplication, Montgomery field operations, Barrett reduction
  and Montgomery exponentiation const time (GH #1540 #1606 #1609 #1610)

* Optimizations for elliptic curve operations especially improving reductions
  and inversions modulo NIST primes (GH #1534 #1538 #1545 #1546 #1547 #1550)

* Add 24 word wide Comba multiplication, improving 3072-bit RSA and DH by ~25%.
  (GH #1564)

* Unroll Montgomery reduction for specific sizes (GH #1603)

* Improved performance of signature verification in ECGDSA, ECKCDSA,
  SM2 and GOST by 10-15%.

* XMSS optimizations (GH #1583 #1585)

* Fix an error that meant XMSS would only sign half as many signatures as is
  allowed (GH #1582)

* Add support for base32 encoding/decoding (GH #1541)

* Add BMI2 optimized version of SHA-256, 40% faster on Skylake (GH #1584)

* Allow the year to be up to 2200 in ASN.1 time objects. Previously this
  was limited to 2100. (GH #1536)

* Add support for Scrypt password hashing (GH #1570)

* Add support for using Scrypt for private key encryption (GH #1574)

* Optimizations for DES/3DES, approx 50% faster when used in certain modes such
  as CBC decrypt or CTR.

* XMSS signature verification did not check that the signature was of
  the expected length which could lead to a crash. (GH #1537)

* The bcrypt variants 2b and 2y are now supported.

* Support for 192-bit Suite B TLS profile is now implemented, as the 128-bit
  Suite B is since 2015 not allowed anymore.

* Previously botan allowed GCM to be used with an empty nonce, which is not
  allowed by the specification. Now such nonces are rejected.

* Avoid problems on Windows when compiling in Unicode mode (GH #1615 #1616)

* Previously for ASN.1 encoded signatures (eg ECDSA) Botan would accept any
  valid BER encoding. Now only the single valid DER encoding is accepted.

* Correct an error that could in rare cases cause an internal error exception
  when doing computations with the P-224 curve.

* Optimizations to reduce allocations/copies during DER encoding and BER
  decoding (GH #1571 #1572 #1600)

* Botan generates X.509 subject key IDs by hashing the public key with whatever
  hash function is being used to sign the certificate. However especially for
  SHA-512 this caused SKIDs that were far longer than necessary. Now all SKIDs
  are truncated to 192 bits.

* In the test suite use ``mkstemp`` to create temporary files instead of
  creating them in the current working directory. (GH #1533 #1530)

* It is now possible to safely override ``CXX`` when invoking make in addition
  to when ``configure.py`` is run. (GH #1579)

* OIDs for Camellia and SM4 in CBC and GCM mode are now defined, making it
  possible to use this algorithms for private key encryption.

* Avoid creating symlinks to the shared object on OpenBSD (#1535)

* The ``factor`` command runs much faster on larger inputs now.

* Support for Windows Phone/UWP was deprecated starting in 2.5. This deprecation
  has been reversed as it seems UWP is still actively used. (GH #1586 #1587)

* Support for Visual C++ 2013 is deprecated, and will be removed in Jan 2019.

* Added support for GCC's --sysroot option to configure.py for cross-compiling.

Version 2.6.0, 2018-04-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* CVE-2018-9860 Fix a bug decrypting TLS CBC ciphertexts which could
  for a malformed ciphertext cause the decryptor to read and HMAC an
  additional 64K bytes of data which is not part of the record. This
  could cause a crash if the read went into unmapped memory. No
  information leak or out of bounds write occurs.

* Add support for OAEP labels (GH #1508)

* RSA signing is about 15% faster (GH #1523) and RSA verification is
  about 50% faster.

* Add exponent blinding to RSA (GH #1523)

* Add ``Cipher_Mode::create`` and ``AEAD_Mode::create`` (GH #1527)

* Fix bug in TLS server introduced in 2.5 which caused connection to
  fail if the client offered any signature algorithm not known to the
  server (for example RSA/SHA-224).

* Fix a bug in inline asm that would with GCC 7.3 cause incorrect
  computations and an infinite loop during the tests. (GH #1524 #1529)

Version 2.5.0, 2018-04-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix error in certificate wildcard matching (CVE-2018-9127), where a
  wildcard cert for ``b*.example.com`` would be accepted as a match for
  any host with name ``*b*.example.com`` (GH #1519)

* Add support for RSA-PSS signatures in TLS (GH #1285)

* Ed25519 certificates are now supported (GH #1501)

* Many optimizations in ECC operations. ECDSA signatures are 8-10 times faster.
  ECDSA verification is about twice as fast. ECDH key agreement is 3-4 times
  faster. (GH #1457 #1478)

* Implement product scanning Montgomery reduction, which improves Diffie-Hellman
  and RSA performance by 10 to 20% on most platforms. (GH #1472)

* DSA signing and verification performance has improved by 30-50%.

* Add a new Credentials_Manager callback that specifies which CAs the server
  has indicated it trusts (GH #1395 fixing #1261)

* Add new TLS::Callbacks methods that allow creating or removing extensions,
  as well as examining extensions sent by the peer (GH #1394 #1186)

* Add new TLS::Callbacks methods that allow an application to
  negotiate use of custom elliptic curves. (GH #1448)

* Add ability to create custom elliptic curves (GH #1441 #1444)

* Add support for POWER8 AES instructions (GH #1459 #1393 #1206)

* Fix DSA/ECDSA handling of hashes longer than the group order (GH #1502 #986)

* The default encoding of ECC public keys has changed from compressed
  to uncompressed point representation. This improves compatibility with
  some common software packages including Golang's standard library.
  (GH #1480 #1483)

* It is now possible to create DNs with custom components. (GH #1490 #1492)

* It is now possible to specify the serial number of created certificates,
  instead of using the default 128-bit random integer. (GH #1489 #1491)

* Change DL_Group and EC_Group to store their data as shared_ptr for
  fast copying. Also both classes precompute additional useful values
  (eg for modular reductions). (GH #1435 #1454)

* On Windows platforms RtlGenRandom is now used in preference to CryptoAPI
  or CryptoNG libraries. (GH #1494)

* Make it possible for PKCS10 requests to include custom extensions. This also
  makes it possible to use multiple SubjectAlternativeNames of a single type in
  a request, which was previously not possible. (GH #1429 #1428)

* Add new optimized interface for FE1 format preserving encryption. By caching a
  number of values computed in the course of the FPE calculation, it provides a
  6-7x speedup versus the old API. (GH #1469)

* Add DSA and ElGamal keygen functions to FFI (#1426)

* Add ``Pipe::prepend_filter`` to replace deprecated ``Pipe::prepend`` (GH #1402)

* Fix a memory leak in the OpenSSL block cipher integration, introduced in 2.2.0

* Use an improved algorithm for generating safe primes which is several tens of
  times faster. Also, fix a bug in the prime sieving algorithm which caused
  standard prime generation (like for RSA keys) to be slower than necessary.
  (GH #1413 #1411)

* Correct the return value of ``PK_Encryptor::maximum_input_size`` which
  reported a much too small value (GH #1410)

* Remove use of CPU specific optimization flags, instead the user should set
  these via CXXFLAGS if desired. (GH #1392)

* Resolve an issue that would cause a crash in the tests if they were run on
  a machine without SSE2/NEON/VMX instructions. (GH #1495)

* The Python module now tries to load DLLs from a list of names and
  uses the first one which successfully loads and indicates it
  supports the desired API level. (GH #1497)

* Various minor optimizations for SHA-3 (GH #1433 #1434)

* The output of ``botan --help`` has been improved (GH #1387)

* Add ``--der-format`` flag to command line utils, making it possible verify
  DSA/ECDSA signatures generated by OpenSSL command line (GH #1409)

* Add support for ``--library-suffix`` option to ``configure.py`` (GH #1405 #1404)

* Use feature flags to enable/disable system specific code (GH #1378)

* Add ``--msvc-runtime`` option to allow using static runtime (GH #1499 #210)

* Add ``--enable-sanitizers=`` option to allow specifying which sanitizers to
  enable. The existing ``--with-sanitizers`` option just enables some default
  set which is known to work with the minimum required compiler versions.

* Use either ``rst2man`` or ``rst2man.py`` for generating man page as
  distributions differ on where this program is installed (GH #1516)

* The threefish module has been renamed threefish_512 since that is the
  algorithm it provides. (GH #1477)

* The Perl XS based wrapper has been removed, as it was unmaintained and
  broken. (GH #1412)

* The sqlite3 encryption patch under ``contrib`` has been removed. It
  is still maintained by the original author at
  https://github.com/OlivierJG/botansqlite3

* Support for Windows Phone is deprecated.

Version 2.4.0, 2018-01-08
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Several build improvements requested by downstream packagers, including the
  ability to disable building the static library. All makefile constructs that
  were specific to nmake or GNU make have been eliminated, thus the option
  ``--makefile-style`` which was previously used to select the makefile type has
  also been removed. (GH #1230 #1237 #1300 #1318 #1319 #1324 #1325 #1346)

* Support for negotiating the DH group as specified in RFC 7919 is now available
  in TLS (GH #1263)

* Support for ARIA-GCM ciphersuites are now available in TLS. They are disabled
  by default. (GH #1284)

* Add support for generating and verifying X.509 objects (certificates, CRLs,
  etc) using RSA-PSS signatures (GH #1270 and #1368)

* Add support for AES key wrapping with padding, as specified in RFC 5649 and
  NIST SP 800-38F (GH #1301)

* OCSP requests made during certificate verification had the potential to hang
  forever. Now the sockets are non-blocking and a timeout is enforced. (GH #1360
  fixing GH #1326)

* Add ``Public_Key::fingerprint_public`` which allows fingerprinting the public key.
  The previously available ``Private_Key::fingerprint`` is deprecated, now
  ``Private_Key::fingerprint_private`` should be used if this is required.
  (GH #1357)

* ECC certificates generated by Botan used an invalid encoding for the
  parameters field, which was rejected by some certificate validation libraries
  notably BouncyCastle. (GH #1367)

* Loading an ECC key which used OID encoding for the domain parameters, then
  saving it, would result in a key using the explicit parameters encoding.
  Now the OID encoding is retained. (GH #1365)

* Correct various problems in certificate path validation that arose when
  multiple paths could be constructed leading to a trusted root but due to
  other constraints only some of them validated. (GH #1363)

* It is now possible for certificate validation to return warning indicators,
  such as that the distinguished name is not within allowed limits or that a
  certificate with a negative serial number was observed. (GH #1363 #1359)

* XMSS signatures now are multi-threaded for improved performance (GH #1267)

* Fix a bug that caused the TLS peer cert list to be empty on a resumed session.
  (GH #1303 #1342)

* Increase the maximum HMAC key length from 512 bytes to 4096 bytes. This allows
  using a DH key exchange in TLS with a group greater than 4096 bits. (GH #1316)

* Fix a bug in the TLS server where, on receiving an SSLv3 client hello, it
  would attempt to negotiate TLS v1.2. Now a protocol_version alert is sent.
  Found with tlsfuzzer. (GH #1316)

* Fix several bugs related to sending the wrong TLS alert type in various error
  scenarios, caught with tlsfuzzer.

* Add support for a ``tls_http_server`` command line utility which responds to
  simple GET requests. This is useful for testing against a browser, or various
  TLS test tools which expect the underlying protocol to be HTTP. (GH #1315)

* Add an interface for generic PSK data stores, as well as an implementation
  which encrypts stored values with AES key wrapping. (GH #1302)

* Optimize GCM mode on systems both with and without carryless multiply
  support. This includes a new base case implementation (still constant time), a
  new SSSE3 implementation for systems with SSSE3 but not clmul, and better
  algorithms for systems with clmul and pmull. (GH #1253 #1263)

* Various optimizations for OCB, CFB, CTR, SM3, SM4, GMAC, BLAKE2b, Blowfish,
  Twofish, CAST-128, and CRC24 (GH #1281)

* Salsa20 now supports the seek operation.

* Add ``EC_Group::known_named_groups`` (GH #1339)

* Symmetric algorithms (block ciphers, stream ciphers, MACs) now verify that a
  key was set before accepting data. Previously attempting to use an unkeyed
  object would instead result in either a crash or invalid outputs. (GH #1279)

* The X509 certificate, CRL and PKCS10 types have been heavily refactored
  internally. Previously all data of these types was serialized to strings, then
  in the event a more complicated data structure (such as X509_DN) was needed,
  it would be recreated from the string representation. However the round trip
  process was not perfect and could cause fields to become lost. This approach
  is no longer used, fixing several bugs (GH #1010 #1089 #1242 #1252). The
  internal data is now stored in a ``shared_ptr``, so copying such objects is
  now very cheap. (GH #884)

* ASN.1 string objects previously held their contents as ISO 8859-1 codepoints.
  However this led to certificates which contained strings outside of this
  character set (eg in Cyrillic, Greek, or Chinese) being rejected. Now the
  strings are always converted to UTF-8, which allows representing any
  character. In addition, UCS-4 strings are now supported.
  (GH #1113 #1250 #1287 #1289)

* It is now possible to create an uninitialized X509_Certificate object. Such an
  object will throw if any attempt to access its members is made. (GH #1335)

* In BER decoder, avoid unbounded stack recursion when parsing nested indefinite
  length values. Now at most 16 nested indefinite length values are accepted,
  anything deeper resulting in a decoding error.  (GH #1304 OSS-Fuzz 4353).

* A new ASN.1 printer API allows generating a string representation of arbitrary
  BER data. This is used in the ``asn1print`` command line utility and may be
  useful in other applications, for instance for debugging.

* New functions for bit rotations that distinguish rotating by a compile-time
  constant vs a runtime variable rotation. This allows better optimizations in
  both cases. Notably performance of CAST-128 and CAST-256 are substantially
  improved. (GH #1247)

* TLS CBC ciphersuites now are implemented using the standard CBC code, instead
  of reimplementing CBC inside the TLS stack. This allows for parallel
  decryption of TLS CBC ciphertexts, and improves performance especially when
  using AES hardware support. (GH #1269)

* Add callbacks to make it possible for an application using TLS to provide
  custom implementations of signature schemes, eg when offloading the
  computations to another device. (GH #1332)

* Use a direct calculation for calendar computations instead of relying on
  non-portable operating system interfaces. (GH #1336)

* Fix a bug in the amalgamation generation which could cause build failures on
  some systems including macOS. (GH #1264 #1265)

* A particular code sequence in TLS handshake would always (with an ECC
  ciphersuite) result in an exception being thrown and then caught.  This has
  changed so no exception is thrown. (GH #1275)

* The code for byteswapping has been improved for ARMv7 and for Windows x86-64
  systems using MSVC. (GH #1274)

* The GMAC class no longer derives from GHASH. This should not cause any
  noticeable change for applications. (GH #1253)

* The base implementation of AES now uses a single 4K table, instead of 4 such
  tables. This offers a significant improvement against cache-based side
  channels without hurting performance too much. In addition the table is now
  guaranteed to be aligned on a cache line, which ensures the additional
  countermeasure of reading each cache line works as expected. (GH #1255)

* In TLS client resumption, avoid sending a OCSP stapling request. This caused
  resumption failures with some servers. (GH #1276)

* The overhead of making a call through the FFI layer has been reduced.

* The IDs for SHA-3 PKCSv1.5 signatures added in 2.3.0 were incorrect. They have
  been changed to use the correct encoding, and a test added to ensure such
  errors do not recur.

* Counter mode allows setting a configurable width of the counter. Previously it
  was allowed for a counter of even 8 bits wide, which would mean the keystream
  would repeat after just 256 blocks. Now it requires the width be at least 32
  bits. The only way this feature could be used was by manually constructing a
  ``CTR_BE`` object and setting the second parameter to something in the range
  of 1 to 3.

* A new mechanism for formatting ASN.1 data is included in ``asn1_print.h``.
  This is the same functionality used by the command line ``asn1print`` util,
  now cleaned up and moved to the library.

* Add ``Pipe::append_filter``. This is like the existing (deprecated)
  ``Pipe::append``, the difference being that ``append_filter`` only
  allows modification before the first call to ``start_msg``. (GH #1306 #1307)

* The size of ASN1_Tag is increased to 32 bits. This avoids a problem
  with UbSan (GH #751)

* Fix a bug affecting bzip2 compression. In certain circumstances, compression
  would fail with ``BZ_SEQUENCE_ERROR`` due to calling bzlib in an way it does
  not support. (GH #1308 #1309)

* In 2.3.0, final annotations were added to many classes including the TLS
  policies (like ``Strict_Policy`` and ``BSI_TR_02102_2``). However it is
  reasonable and useful for an application to derive from one of these policies, so
  as to create an application specific policy that is based on a library-provided
  policy, but with a few tweaks. So the final annotations have been removed on
  these classes. (GH #1292)

* A new option ``--with-pdf`` enables building a PDF copy of the handbook.
  (GH #1337)

* A new option ``--with-rst2man`` enables building a man page for the
  command line util using Docutils rst2man. (GH #1349)

* Support for NEON is now enabled under Clang.

* Now the compiler version is detected using the preprocessor, instead of trying
  to parse the output of the compiler's version string, which was subject to
  problems with localization. (GH #1358)

* By default the gzip compressor will not include a timestamp in the header.
  The timestamp can be set by passing it to the ``Gzip_Compression``
  constructor.

* Resolve a performance regression on Windows involving the system stats
  entropy source. (GH #1369)

* Add an OID for RIPEMD-160

* Fixes for CMake build (GH #1251)

* Avoid some signed overflow warnings (GH #1220 #1245)

* As upstream support for Native Client has been deprecated by Google, support
  is now also deprecated in Botan and will be removed in a future release.

* The Perl-XS wrapper has not been maintained in many years. It is now deprecated,
  and if no attempts are made to revive it, it will be removed in a future release.

* Support for building on IRIX has been removed.

Version 2.3.0, 2017-10-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Address a side channel affecting modular exponentiation. An attacker
  capable of a local or cross-VM cache analysis attack may be able
  to recover bits of secret exponents as used in RSA, DH, etc.
  CVE-2017-14737

* Add the SHACAL2 block cipher, including optimizations using SIMD and SHA-NI
  instructions. (GH #1151)

* Add the ARIA block cipher (GH #1004 and #1157)

* Add support for the ARMv8 AES instructions (GH #1182 and #1146)

* Add support for the ARMv8 PMULL instruction (GH #1181 and #842)

* On macOS and iOS the ``System_RNG`` class is now implemented using ``arc4random``.
  Previously the system RNG class was not available on iOS. (GH #1219)

* Optimized the CMAC polynomial doubling operation, and removed a small timing
  channel due to a conditional operation.

* Added support for the ECDHE_PSK AEAD TLS ciphersuites from
  draft-ietf-tls-ecdhe-psk-aead-05.

* SM2 encryption and signature schemes were previously hardcoded to use SM3
  hash, now any hash is allowed. (GH #1188)

* SM2 encryption in 2.2.0 followed an obsolete version of the standard. The
  format of the ciphertext changed in a more recent revision of the standard,
  and now uses an ASN.1 encoding. Botan has changed to reflect this format,
  which is compatible with GmSSL (GH #1218)

* OCB mode now supports 192, 256 and 512 bit block ciphers. (GH #1205)

* XTS mode now supports 256-bit and 512-bit block ciphers.

* Add ids to allow SHA-3 signatures with PKCSv1.5 (GH #1184)

* Add support for ``PSSR_Raw`` signatures which PSS sign an externally derived
  hash. (GH #1212 #1211)

* GCM now supports truncated tags in the range 96...128 bits. GCM had
  previously supported 64-bit truncated tags, but these are known to
  be insecure and are now deprecated. (GH #1210 #1207)

* Add a new TLS policy hook ``allow_client_initiated_renegotiation`` which is the
  parallel of the existing ``allow_server_initiated_renegotiation``. If set to
  false, servers will reject attempts by the client to renegotiation the
  session, instead sending a ``no_renegotiation`` warning alert. Note that the
  default is ``false``, ie that client renegotiation is now prohibited by default.
  (GH #872)

* Add HKDF-Expand-Label function which is used in TLS v1.3 and QUIC protocols.
  (GH #1226)

* Fix decoding of ECC keys that use extensions from RFC 5915 (GH #1208)

* The entropy source that called CryptGenRandom has been removed, and
  replaced by a version which invokes the system PRNG, which may
  be CryptGenRandom or some other source. (GH #1180)

* Add support for gathering entropy using the Crypt-NG BCryptGenRandom
  API. This is necessary to build for Windows Phone/Windows Store. (GH #1180)

* Extend "Raw" signature padding (which allows signing a hash computed
  externally) to optionally take a hash function name. In this case, it will be
  verified that the input matches the expected hash size.  This also will
  control the hash algorithm used for RFC 6979 deterministic nonces; previously
  SHA-512 was always used for RFC 6979 nonces with "Raw". (GH #1153)

* The advertised FFI API version has increased. This should have happened
  already in 2.2 but was neglected. The ``botan_ffi_supports_api`` call will
  return true for either the current or older versions of the API version since
  no backwards incompatible changes have occurred.

* Add new C89 API functions ``botan_hex_decode``, ``botan_base64_encode``,
  ``botan_base64_decode``, ``botan_constant_time_compare``.

* Add new C89 API functions ``botan_privkey_load_dh``, ``botan_pubkey_load_dh``,
  and ``botan_privkey_create_dh`` (GH #1155)

* Add ``is_passhash9_alg_supported`` (GH #1154)

* The ``power_mod`` function now supports negative bases (GH #1179 #1168)

* Add a new command line utility for examining TLS client hellos.

* Added a new target for LLVM bitcode (GH #1169)

* Improve support for Windows Phone (GH #1180 #796 #794)

* Correct return value of ``botan_pk_op_verify_finish``. In 2.2.0 this function
  returned -1 on invalid signature, instead of 1 which was used in 2.0, 2.1, and
  now again in 2.3. (GH #1189 #1187)

* Allow loading unencrypted private keys via FFI API (GH #1197)

* Add new command line options ``--rng-type=drbg`` and ``--drbg-seed`` which
  allow running commands with a deterministic RNG. (GH #1169)

* Fix a number of warnings seen under Visual C++ (GH #1171 #795)

* Workaround a GCC 7 bug that caused miscompilation of the GOST-34.11 hash
  function on x86-32. (GH #882 #1148)

* Fix a bug in SIMD_4x32 which affected little-endian PowerPC processors.
  This would cause test failures for Serpent, among other problems.

* Fix Altivec runtime detection, which was broken starting in Botan 2.1.0

* Optimized the verification of TLS CBC padding bytes. Previously the check
  examined every byte of the record, even though at most 256 bytes of padding
  may be appended. (GH #1227)

* Simplified definition of ``Botan::secure_allocator``. In particular, not
  defining the ``construct`` and ``destroy`` methods avoids a performance problem
  under MSVC. (GH #1228 and #1229)

* The ``secure_allocator`` class now uses ``calloc`` and ``free`` instead of
  ``new`` and ``delete``. In addition the actual allocation operation is hidden
  inside of compiled functions, which significantly reduces code size. (GH #1231)

* The ``secure_scrub_memory`` function now uses ``explicit_bzero`` on OpenBSD.

* Previously ARM feature detection (NEON, AES, ...) relied on getauxval, which
  is only supported on Linux and Android. Now iOS is supported, by checking the
  model name/version and matching it against known versions. Unfortunately this
  is the best available technique on iOS. On Aarch64 systems that are not iOS or
  Linux/Android, a technique based on trial execution while catching SIGILL is
  used. (GH #1213)

* The output of ``botan config libs`` was incorrect, it produced ``-lbotan-2.X``
  where X is the minor version, instead of the actual lib name ``-lbotan-2``.

* Add ``constant_time_compare`` as better named equivalent of ``same_mem``.

* Silence a Clang warning in ``create_private_key`` (GH #1150)

* The fuzzers have been better integrated with the main build. See the
  handbook for details. (GH #1158)

* The Travis CI and AppVeyor CI builds are now run via a Python script. This
  makes it easier to replicate the behavior of the CI build locally. Also a
  number of changes were made to improve the turnaround time of CI builds.
  (GH #1162 #1199)

* Add support for Win32 filesystem operation, so the tests pass completely
  on MinGW now (GH #1203)

* Added a script to automate running TLS-Attacker tests.

* The distribution script now creates reproducible outputs, by
  forcing all modification times, uids, etc to values fixed by the release date.
  (GH #1217)

* The ``BOTAN_DLL`` macro has been split up into ``BOTAN_PUBLIC_API``,
  ``BOTAN_UNSTABLE_API`` and ``BOTAN_TEST_API`` which allows
  indicating in the header the API stability of the export. All three
  are defined as ``BOTAN_DLL`` so overriding just that macro continues
  to work as before. (GH #1216)

* Optimize ``bigint_divop`` when a double-word type is available. (GH #494)

* Fix several memory leaks in the tests. Additionally a false positive
  leak seen under ``valgrind`` in the ``fork`` tests for the RNG was resolved.

* Export ``CurveGFp_Repr`` type (only used internally) to resolve a
  long standing UBSan warning. (GH #453)

* Now ``-fstack-protector`` and similar flags that affect linking are exported
  in ``botan config ldflags`` as they already were in the ``pkg-config`` output.
  (GH #863)

* Remove double underscore in header guards to avoid using names
  reserved by ISO C++. (GH #512)

* Additions to the SRP documentation (GH #1029)

* The package transform (in ``package.h``) is now deprecated, and will be
  removed in a future release. (GH #1215)

* Add more tests for the const-time utils (GH #1214)

* Fix a bug in FFI tests that caused the test files not to be found when using
  ``--data-dir`` option (GH #1149)

* C++ ``final`` annotations have been added to classes which are not
  intended for derivation. This keyword was already in use but was not
  applied consistently.

* A typedef ``SecureVector`` has been added for the ``secure_vector`` type.
  This makes porting code from 1.10 to 2.x API slightly simpler.

* Header files have been cleaned up to remove unnecessary inclusions. In some
  cases it may be required to include additional botan headers to get all the
  declarations that were previously visible. For example, ``bigint.h`` no longer
  includes ``rng.h``, but just forward declares ``RandomNumberGenerator``.

* Improved support for IBM xlc compiler.

Version 1.10.17, 2017-10-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Address a side channel affecting modular exponentiation. An attacker
  capable of a local or cross-VM cache analysis attack may be able
  to recover bits of secret exponents as used in RSA, DH, etc.
  CVE-2017-14737

* Workaround a miscompilation bug in GCC 7 on x86-32 affecting GOST-34.11
  hash function. (GH #1192 #1148 #882)

* Add SecureVector::data() function which returns the start of the
  buffer. This makes it slightly simpler to support both 1.10 and 2.x
  APIs in the same codebase.

* When compiled by a C++11 (or later) compiler, a template typedef of
  SecureVector, secure_vector, is added. In 2.x this class is a
  std::vector with a custom allocator, so has a somewhat different
  interface than SecureVector in 1.10. But this makes it slightly
  simpler to support both 1.10 and 2.x APIs in the same codebase.

* Fix a bug that prevented `configure.py` from running under Python3

* Botan 1.10.x does not support the OpenSSL 1.1 API. Now the build
  will `#error` if OpenSSL 1.1 is detected. Avoid `--with-openssl`
  if compiling against 1.1 or later. (GH #753)

* Import patches from Debian adding basic support for building on
  aarch64, ppc64le, or1k, and mipsn32 platforms.

Version 2.2.0, 2017-08-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add the Ed25519 signature scheme (GH #1066)

* The format of x25519 keys, which previously used a non-standard encoding,
  has changed to match the upcoming IETF specification. (GH #1076)

* Add the SM2 signature scheme (GH #1082)

* Add the SM2 public key encryption scheme (GH #1142)

* Add the SM3 hash function (GH #996)

* Add the Streebog (GOST R 34.11-2012) hash function (GH #1114)

* Add the SM4 block cipher (GH #1080)

* Add the PGP S2K algorithm (GH #1060)

* Add SP 800-56A KDF (GH #1040)

* Add ChaCha_RNG which is a very fast and completely non-standard
  random bit generator (GH #1137)

* Add support for SHA-1 and SHA-2 instructions added in Intel Goldmont
  (GH #826)

* Add support for SHA-1 and SHA-2 instructions added in ARMv8 (GH #844)

* Add support for HOTP (RFC 4226) and TOTP (RFC 6238)
  one-time-password algorithms (GH #1054)

* Fix a bug that caused secure_allocator to not fully zeroize blocks
  when sizeof(T) was greater than 1.

* Add HashFunction::copy_state which allows efficiently computing the
  hash of several messages with a common prefix (GH #1056 #1037)

* ECC keys now encode their parameters using an OID instead of a literal
  encoding of the domain parameters. This will lead to smaller public and
  private keys in most instances. (GH #1093)

* The OpenSSL backend now supports the 1.1.0 API (GH #1056)

* Add a preliminary provider using BearSSL, currently EC and hashes supported
  (GH #1094)

* Fix a bug in certificate path length checking that could cause valid
  chains to be rejected. (GH #1053)

* It is possible for CBC, CFB, and stream ciphers to carry over the
  nonce from the previous message, which is needed by some applications.
  This worked in 1.10 but broke in 2.0. (GH #1044 fixing GH #864)

* Avoid recursion in BER_Decoder::get_next_object which could cause
  stack exhaustion. (GH #989)

* Fix missing flush in DataSink_Stream::end_msg. (GH #972 fixing GH #972)

* Allow to seek in the big endian counter mode of operation (GH #999)

* Support loading ElGamal keys through FFI interface (GH #1008)

* Support Windows sockets in ``http_util`` (allowing OCSP checks on Windows),
  as well as in the TLS command line utils (GH #1138).

* The ``--destdir`` flag to ``configure.py`` has been removed. Instead use
  the ``DESTDIR`` environment variable at install time. This change was
  done to more closely match how autoconf handles this case.
  (GH #1139 #1111 #997 #996).

* Many changes to configure.py and botan2.py to make them pylint clean
  (GH #1041 #1002 #984)

* Add command line utils ``hmac`` (GH #1001), ``encryption`` (GH #359),
  ``hex_enc``, and ``hex_dec``.

* Fix an error in ``sign_cert`` command line util, which ignored the
  ``--ca-key-pass`` option. (GH #1106)

* The ``speed`` util can now benchmark multiple buffer sizes (GH #1084)

* Fix return value of FFI botan_bcrypt_is_valid (GH #1033)

* Support generating RSA keys using OpenSSL (GH #1035)

* Add new FFI functions botan_hash_block_size (GH #1036),
  botan_hash_copy_state (GH #1059), botan_scrub_mem

* Add support for RFC 3394 keywrap through FFI (GH #1135)

* Support AES-CBC ciphers via OpenSSL (GH #1022)

* Add function to return certificates included in OCSP response (GH #1123)

* Complete wildcard handling for X.509 certificates (GH #1017)

* Add some missing functions to TLS::Text_Policy (GH #1023)

* It was previously possible to use ``--single-amalgamation-file``
  without ``--amalgamation``, though it did not do anything useful. Now
  ``--single-amalgamation-file`` requires ``--amalgamation`` also be set
  on the command line.

Version 2.1.0, 2017-04-04
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix incorrect truncation in Bcrypt. Passwords in length between 56 and 72
  characters were truncated at 56 characters. Found and reported by Solar Designer.
  (CVE-2017-7252) (GH #938)

* Fix a bug in X509 DN string comparisons that could result in out of bound
  reads. This could result in information leakage, denial of service, or
  potentially incorrect certificate validation results. Found independently
  by Cisco Talos team and OSS-Fuzz. (CVE-2017-2801)

* Correct minimum work factor for Bcrypt password hashes. All other
  implementations require the work factor be at least 4. Previously Botan simply
  required it be greater than zero. (GH #938)

* Converge on a single side channel silent EC blinded multiply algorithm.
  Uses Montgomery ladder with order/2 bits scalar blinding and point randomization
  now by default. (GH #893)

* Add ability to search for certificates using the SHA-256 of the distinguished name.
  (GH #900)

* Support a 0-length IV in ChaCha stream cipher. Such an IV is treated
  identically to an 8-byte IV of all zeros.

* Add new interfaces to the C API including multiple precision integers, key
  validity tests, block ciphers, and extracting algorithm specific key parameters
  (such as the modulus and public exponent from RSA public keys). GH #899 #944
  #946 #961 #964

* The PKCS11 module did not require any external dependencies, so it
  has been enabled by default. The ``--with-pkcs11`` and ``--without-pkcs11``
  flags to ``configure.py`` have been removed. PKCS11 can still be disabled
  using ``--disable-modules=pkcs11`` (GH #837)

* Add ``OS::run_cpu_instruction_probe`` for runtime probing of ISA extensions.
  Supporting this requires system-specific techniques, currently Windows SEH and
  Unix signal handling are supported.

* Add support for ARM NEON in the SIMD_4x32 type

* Add support for ARM CPU feature detection using getauxval (GH #843)

* Previously Botan forbid any use of times past 2037 to avoid Y2038 issues.
  Now this restriction is only in place on systems which have a 32-bit
  ``time_t``. (GH #933 fixing #917)

* Add generic type decoder function to BER decoder (GH #897)

* Fix portability or build problems affecting Sun Studio compiler (GH #846),
  Solaris, ppc64le, DragonflyBSD (GH #887)

* Add ``--with-external-libdir`` to configure.py (GH #857 fixing #19 #767)

* Add ``OS::get_high_resolution_clock`` which returns the best resolution
  clock available on the system.

* Change ``OS::get_processor_timestamp`` to return 0 if no hardware
  cycle counter is available. Previously it silently fell back on some
  other clock type.

* Report cycles/byte in the output of ``botan speed``.

* Add speed tests for modular exponentiations and ECC scalar multiplies.

* Avoid using IP address for SNI in ``tls_client``. (GH #942)

* Add command line util ``timing_test`` which enables running
  timing-based side channel analysis of TLS CBC decryption, ECC scalar
  multiplies, OAEP decoding, and other operations which are prone to
  providing an oracle via side channel. This replaces the standalone
  timing test suite added in 1.11.34, which has been removed.

* Various cleanups and refactorings (GH #965)

* Add wrapper of C++14 make_unique (GH #974)

* Fix pkg-config output when --build-dir was used (GH #936)

* Make it possible to disable `-fstack-protector` using a build-time flag.
  GH #863

* Add tests for TLS DSA ciphersuites, more Noekeon tests, others.

* Avoid a GCC warning that triggered on the public key types (GH #849)

* Fix various warnings flagged by pylint and pyflakes linters in
  configure.py and botan.py (GH #832 #836 #839 #962 #975)

* Improve support for OpenBSD including using getentropy (GH #954)
  for PRNG seeding, and arc4random to access system RNG (GH #953)

* Add ability to build through CMake. As of now this is only supported
  for development rather than production builds. (GH #967)

* Rename python wrapper to botan2.py (GH #847)

* Change name constraint test to use a fixed reference time. Test certs have expired.

* Increase Miller-Rabin iterations for DSA primes to match FIPS 186-4. (GH #881)

* Fix possible ISO 9796-2 padding side channel, and add a missing length check (GH #891)

* In command line utility, prefer the system RNG if it is available.

Version 1.10.16, 2017-04-04
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix a bug in X509 DN string comparisons that could result in out of bound
  reads. This could result in information leakage, denial of service, or
  potentially incorrect certificate validation results. (CVE-2017-2801)

* Avoid throwing during a destructor since this is undefined in C++11
  and rarely a good idea. (GH #930)

Version 1.10.15, 2017-01-12
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix a bug causing modular exponentiations done modulo even numbers
  to almost always be incorrect, unless the values were small. This
  bug is not known to affect any cryptographic operation in Botan. (GH #754)

* Avoid use of C++11 std::to_string in some code added in 1.10.14 (GH #747 #834)

Version 2.0.1, 2017-01-09
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Change an unintended behavior of 2.0.0, which named the include
  directory ``botan-2.0``. Since future release of Botan-2 should be
  compatible with code written against old versions, there does not
  seem to be any reason to version the include directory with the
  minor number. (GH #830 #833)

* Fix a bug which caused an error when building on Cygwin or
  other platforms where shared libraries are not supported.
  (GH #821)

* Enable use of readdir on Cygwin, which allows the tests to run (GH #824)

* Switch to readthedocs Sphinx theme by default (GH #822 #823)

Version 2.0.0, 2017-01-06
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* With this release the project adopts Semantic Versioning (GH #766)

* Fix a longstanding bug in modular exponentiation which caused most
  exponentiations modulo an even number to have an incorrect result; such moduli
  occur only rarely in cryptographic contexts. (GH #754)

* Fix a bug in BigInt multiply operation, introduced in 1.11.30, which could
  cause incorrect results. Found by OSS-Fuzz fuzzing the ressol function, where
  the bug manifested as an incorrect modular exponentiation. OSS-Fuzz bug #287

* Fix a bug that meant the "ietf/modp/6144" and "ietf/modp/8192" discrete log
  groups used an incorrect value for the generator, specifically the value
  (p-1)/2 was used instead of the correct value of 2.

* The DL_Group enum value X942_DH_PARAMETERS has been renamed
  ANSI_X9_42_DH_PARAMETERS to avoid a conflict with Windows headers (GH #482)

* Change default PEM header for X942 DH to match OpenSSL. Either version is
  accepted on reading. (GH #818)

* DL_Group strong generation previously set the generator to 2. However
  sometimes 2 generates the entire group mod p, rather than the subgroup mod q.
  This is invalid by X9.42 standard, and exposes incautious applications to
  small subgroup attacks. Now DL_Group uses the smallest g which is a quadratic
  residue. (GH #818)

* Add iOS build target instead of piggybacking on OS X configuration. (GH #793)

* Changes all Public_Key derived class ctors to take a std::vector instead of a
  secure_vector for the DER encoded public key bits. (GH #768)

* Allow use of custom extensions when creating X.509 certificates (GH #744)

* The default TLS policy now requires 2048 or larger DH groups by default.

* Add BSI_TR_02102_2 TLS::Policy subclass representing BSI TR-02102-2 recommendations.

* The default Path_Validation_Restrictions constructor has changed to
  require at least 110 bit signature strength. This means 1024 bit RSA
  certificates and also SHA-1 certificates are rejected by default.
  Both settings were already the default for certificate validation in
  TLS handshake, but this changes it for applications also.

* Add ISO 9796-2 signature padding schemes DS2 and DS3. These schemes provide
  message recovery (part or all of the plaintext message can be recovered from
  the signature alone) and are used by some industry protocols. (GH #759)

* Rewrite all the code that handles parsing CBC padding bytes to run without
  conditional jumps or loads. (GH #765 #728)

* Fix deref of invalid memory location in TLS client when the server chooses a
  ciphersuite value larger than the largest TLS ciphersuite ID compiled into the
  table. This might conceivably cause a crash in rare circumstances, but does
  not seem to be further exploitable. (GH #758)

* Rename Public_Key::x509_subject_public_key, which does not return a
  X.509 SubjectPublicKey, to public_key_bits. Add a new non-virtual function
  Public_Key::subject_public_key which does exactly that. (GH #685 #757)

* Rename Private_Key::pkcs8_private_key, which does not return a
  PKCS#8 private key, to private_key_bits. Add a new non-virtual function
  Private_Key::private_key_info which does exactly that. (GH #685 #757)

* The deprecated ECB Cipher_Mode class has been removed (GH #756)

* The class SRP6_Authenticator_File (in srp6_files.h) was meant to parse GnuTLS
  SRP files. But it was completely untested, and it turns out due to several
  problems it was completely unable to parse any SRP file correctly. It has
  been removed, with a future replacement planned that can handle both
  flat files (in the actual SRP format) or using a SQL database.

* Fix tests errors when write access to /dev/urandom is prohibited (GH #748)

* Add more Diffie-Hellman tests (GH #790), tests for RSA blinding, others.

* Add `tls_ciphers` command which prints the ciphersuites a client
  hello will contain, depending on the policy specified.

* Prevent TLS from negotiating SHA-2 ciphersuites in TLS v1.0/v1.1. These
  ciphersuites are technically not defined except for v1.2, so disable
  them in older protocols. (GH #496)

* Documentation: add project goals (GH #788) and side channel info (GH #787)

Version 1.11.34, 2016-11-28
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix integer overflow during BER decoding, found by Falko Strenzke.
  This bug is not thought to be directly exploitable but upgrading ASAP
  is advised. (CVE-2016-9132)

* Add post-quantum signature scheme XMSS. Provides either 128 or 256 bit
  (post-quantum) security, with small public and private keys, fast
  verification, and reasonably small signatures (2500 bytes for 128-bit
  security). Signature generation is very slow, on the order of seconds. And
  very importantly the signature scheme is stateful: each leaf index must only
  be used once, or all security is lost. In the appropriate system where
  signatures are rarely generated (such as code signing) XMSS makes an excellent
  choice. (GH #717 #736)

* Add support for CECPQ1 TLS ciphersuites. These use a combination of x25519
  ECDH and NewHope to provide post-quantum security. The ciphersuites are not
  IETF standard, but is compatible with BoringSSL. (GH #729)

* Add support for client-side OCSP stapling to TLS. (GH #738)

* Previously both public and private keys performed automatic self testing after
  generation or loading. However this often caused unexpected application
  performance problems, and so has been removed. Instead applications must call
  check_key explicitly. (GH #704)

* Fix TLS session resumption bugs which caused resumption failures if an
  application used a single session cache for both TLS and DTLS. (GH #688)

* Add SHAKE-128 and SHAKE-256 XOFs as hash functions supporting paramaterized
  output lengths.

* Add MessageAuthenticationCode::start_msg interface, for MACs which require or
  can use a nonce (GH #691)

* Add GMAC, a MAC based on GCM (GH #488 / #691)

* Add ESP block cipher padding from RFC 4304. GH #724

* Incompatible change to HKDF: previously the HKDF type in Botan was only the
  Expand half of HKDF. Now HKDF is the full Extract-then-Expand KDF, and
  HKDF_Extract and HKDF_Expand are available. If you previously used HKDF, you
  must switch to using HKDF_Expand. (GH #723)

* Add Cipher_Mode::reset which resets message-specific state, allowing
  discarding state but allowing continued processing under the same key. (GH #552)

* The ability to add OIDs at runtime has been removed. This additionally removes
  a global lock which was acquired on each OID lookup. (GH #706)

* The default TLS policy now disables static RSA ciphersuites, all DSA
  ciphersuites, and the AES CCM-8 ciphersuites. Disabling static RSA by default
  protects servers from oracle attacks, as well as enforcing a forward secure
  ciphersuite. Some applications may be forced to re-enable RSA for interop
  reasons. DSA and CCM-8 are rarely used, and likely should not be negotiated
  outside of special circumstances.

* The default TLS policy now prefers ChaCha20Poly1305 cipher over any AES mode.

* The default TLS policy now orders ECC curve preferences in order by performance,
  with x25519 first, then P-256, then P-521, then the rest.

* Add a BSD sockets version of the HTTP client code used for OCSP. GH #699

* Export the public key workfactor functions (GH #734) and add tests for them.

* HMAC_DRBG allows configuring maximum number of bytes before reseed check (GH #690)

* Salsa20 now accepts a null IV as equivalent to an all-zero one (GH #697)

* Optimize ECKCDSA verification (GH #700 #701 #702)

* The deprecated RNGs HMAC_RNG and X9.31 RNG have been removed. Now the only
  userspace PRNG included in the library is HMAC_DRBG. (GH #692)

* The entropy sources for EGD and BeOS, as well as the Unix entropy source which
  executed processes to get statistical data have been removed. (GH #692)

* The openpgp module (which just implemented OpenPGP compatible base64 encoding
  and decoding, nothing else) has been removed.

* Added new configure.py argument `--optimize-for-size`. Currently just sets
  the flag for code size optimizations with the compiler, but may have other
  effects in the future.

* Fixed bug in Threaded_Fork causing incorrect computations (GH #695 #716)

* Add DSA deterministic parameter generation test from FIPS 186-3.

* Fix PKCS11_ECDSA_PrivateKey::check_key (GH #712)

* Fixed problems running configure.py outside of the base directory

* The BOTAN_ENTROPY_PROC_FS_PATH value in build.h was being ignored (GH #708)

* Add speed tests for ECGDSA and ECKCDSA (GH #696)

* Fix a crash in speed command for Salsa20 (GH #697)

* Allow a custom ECC curve to be specified at build time, for application or
  system specific curves. (GH #636 #710)

* Use NOMINMAX on Windows to avoid problems in amalgamation build. (GH #740)

* Add support to output bakefiles with new `configure.py` option `--with-bakefile`.
  (GH #360 #720)

* The function `zero_mem` has been renamed `secure_scrub_memory`

* More tests for pipe/filter (GH #689 #693), AEADs (GH #552), KDF::name (GH #727),

* Add a test suite for timing analysis for TLS CBC decryption, OAEP decryption,
  and PKCS #1 v1.5 decryption. These operations all have the feature that if an
  attacker can distinguish internal operations, such as through a variance in
  timing, they can use this oracle to decrypt arbitrary ciphertexts. GH #733

* Add a test suite for testing and fuzzing with TLS-Attacker, a tool for
  analyzing TLS libraries. (https://github.com/RUB-NDS/TLS-Attacker)

* Add a fuzzing framework. Supports fuzzing some APIs using AFL and libFuzzer.

* Added documentation for PKCS #11 (GH #725)

* The LibraryInitializer type is no longer needed and is now deprecated.

* The license and news files were moved from doc to the top level directory.
  There should not be any other visible change (eg, to the installed version)
  as a result of this move.

* Fixed some problems when running configure.py outside of the base directory,
  especially when using relative paths.

* Add (back) the Perl XS wrapper and sqlite encryption code.

Version 1.10.14, 2016-11-28
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* NOTE WELL: Botan 1.10.x is supported for security patches only until
  2017-12-31

* Fix integer overflow during BER decoding, found by Falko Strenzke.
  This bug is not thought to be directly exploitable but upgrading ASAP
  is advised. (CVE-2016-9132)

* Fix two cases where (in error situations) an exception would be
  thrown from a destructor, causing a call to std::terminate.

* When RC4 is disabled in the build, also prevent it from being
  included in the OpenSSL provider. (GH #638)

Version 1.11.33, 2016-10-26
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Avoid side channel during OAEP decryption. (CVE-2016-8871)

* A countermeasure for the Lucky13 timing attack against CBC-based TLS
  ciphersuites has been added. (GH #675)

* Added X25519-based key exchange for TLS (GH #673)

* Add Certificate_Store_In_SQL which supports storing certs, keys, and
  revocation information in a SQL database. Subclass Certificate_Store_In_SQLite
  specializes with support for SQLite3 databases. (GH #631)

* The Certificate_Store interface has been changed to deal with
  ``std::shared_ptrs`` instead of raw pointers (GH #471 #631)

* Add support for official SHA-3. Keccak-1600 was already supported
  but used different padding from FIPS 202. (GH #669)

* Add SHAKE-128 based stream cipher. (GH #669)

* NewHope key exchange now supports the SHA-256/AES-128-CTR scheme
  used by BoringSSL in addition to the SHA-3/SHAKE-128 parameters used
  by the reference implementation. (GH #669)

* Add support for the TLS Supported Point Formats Extension from RFC 4492. Adds
  ``TLS::Policy::use_ecc_point_compression`` policy option. If supported on both
  sides, ECC points can be sent in compressed format which saves a few bytes
  during the handshake. (GH #645)

* Fix entropy source selection bug on Windows, which caused the CryptoAPI
  entropy source to be not available under its normal name "win32_cryptoapi" but
  instead "dev_random". GH #644

* Accept read-only access to ``/dev/urandom``. System_RNG previously required
  read-write access, to allow applications to provide inputs to the system
  PRNG. But local security policies might only allow read-only access, as is the
  case with Ubuntu's AppArmor profile for applications in the Snappy binary
  format. If opening read/write fails, System_RNG silently backs down to
  read-only, in which case calls to ``add_entropy`` on that object will fail.
  (GH #647 #648)

* Fix use of Win32 CryptoAPI RNG as an entropy source, which was accidentally
  disabled due to empty list of acceptable providers being specified. Typically
  the library would fall back to gathering entropy from OS functions returning
  statistical information, but if this functionality was disabled in the build a
  ``PRNG_Unseeded`` exception would result. (GH #655)

* Add support for building the library as part of the IncludeOS unikernel.
  This included making filesystem and threading support optional. (GH #665)

* Added ISA annotations so that with GCC (all supported versions) and
  Clang (since 3.7) it is no longer required to compile amalgamation
  files with ABI specific flags such as ``-maes``. (GH #665)

* Internal cleanups to TLS CBC record handling. TLS CBC ciphersuites
  can now be disabled by disabling ``tls_cbc`` module. (GH #642 #659)

* Internal cleanups to the object lookup code eliminates most global locks and
  all use of static initializers (GH #668 #465)

* Avoid ``static_assert`` triggering under MSVC debug builds (GH #646)

* The antique PBKDF1 password hashing scheme is deprecated and will be
  removed in a future release. It was only used to support the equally
  ancient PBES1 private key encryption scheme, which was removed in 1.11.8.

* Added MSVC debug/checked iterator builds (GH #666 #667)

* Added Linux ppc64le cross compile target to Travis CI (GH #654)

* If RC4 is disabled, also disable it coming from the OpenSSL provider (GH #641)

* Add TLS message parsing tests (GH #640)

* Updated BSI policy to prohibit DES, HKDF, HMAC_RNG (GH #649)

* Documentation improvements (GH #660 #662 #663 #670)

Version 1.11.32, 2016-09-28
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add support for the NewHope Ring-LWE key encapsulation algorithm. This scheme
  provides an estimated ~200 bit security level against a quantum attacker while
  also being very fast and requiring only modest message sizes of 1824 and 2048
  bytes for initiator and responder, resp. This version is tested as having
  bit-for-bit identical output as the reference implementation by the authors.

  Be warned that NewHope is still a very new scheme and may yet fall to analysis.
  For best assurance, NewHope should be used only in combination with another
  key exchange mechanism, such as ECDH.

* New TLS callbacks API. Instead of numerous std::function callbacks, the
  application passes an object implementing the TLS::Callbacks interface, which
  has virtual functions matching the previous callbacks (plus some extras).
  Full source compatability with previous versions is maintained for now, but
  the old interface is deprecated and will be removed in a future release.  The
  manual has been updated to reflect the changes. (GH #457 and #567)

* Add support for TLS Encrypt-then-MAC extension (GH #492 and #578), which fixes
  the known issues in the TLS CBC-HMAC construction.

* The format of the TLS session struct has changed (to support EtM), so old
  TLS session caches will be invalidated.

* How the library presents optimized algorithm implementations has changed.  For
  example with the algorithm AES-128, previously there were three BlockCipher
  classes AES_128, AES_128_SSSE3, and AES_128_NI which used (resp) a table-based
  implementation vulnerable to side channels, a constant time version using
  SSSE3 SIMD extensions on modern x86, and x86 AES-NI instructions. Using the
  correct version at runtime required using ``BlockCipher::create``. Now, only
  the class AES_128 is presented, and the best available version is always used
  based on CPUID checks. The tests have been extended to selectively disable
  CPUID bits to ensure all available versions are tested. (GH #477 #623)

  Removes API classes AES_128_NI, AES_192_NI, AES_256_NI, AES_128_SSSE3,
  AES_192_SSSE3 AES_256_SSSE3, IDEA_SSE2, Noekeon_SIMD, Serpent_SIMD,
  Threefish_512_AVX2, SHA_160_SSE2

* The deprecated algorithms Rabin-Williams, Nyberg-Rueppel, MARS, RC2, RC5, RC6,
  SAFER-SK, TEA, MD2, HAS-160, and RIPEMD-128 have been removed. (GH #580)

* A new Cipher_Mode interface ``process`` allows encryption/decryption of
  buffers without requiring copying into ``secure_vector`` first. (GH #516)

* Fix verification of self-issued certificates (GH #634)

* SSE2 optimizations for ChaCha, 60% faster on both Westmere and Skylake (GH #616)

* The HMAC_RNG constructor added in 1.11.31 that took both an RNG and an
  entropy source list ignored the entropy sources.

* The configure option ``--via-amalgamation`` was renamed to ``--amalgamation``.
  The configure option ``--gen-amalgamation`` was removed. It did generate
  amalgamations but build Botan without amalgamation. Users should migrate to
  ``--amalgamation``. (GH #621)

* DH keys did not automatically self-test after being generated, contrary to
  the current behavior for other key types.

* Add tests for TLS 1.2 PRF (GH #628)

Version 1.11.31, 2016-08-30
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix undefined behavior in Curve25519 on platforms without a native 128-bit
  integer type. This was known to produce incorrect results on 32-bit ARM
  under Clang. GH #532 (CVE-2016-6878)

* If X509_Certificate::allowed_usage was called with more than one Key_Usage
  set in the enum value, the function would return true if *any* of the allowed
  usages were set, instead of if *all* of the allowed usages are set.
  GH #591 (CVE-2016-6879)

* Incompatible changes in DLIES: Previously the input to the KDF was
  the concatenation of the (ephemeral) public key and the secret value
  derived by the key agreement operation. Now the input is only the
  secret value obtained by the key agreement operation. That's how it
  is specified in the original paper "DHIES: An encryption scheme
  based on Diffie-Hellman Problem" or in BSI technical guideline
  TR-02102-1 for example. In addition to the already present
  XOR-encrypion/decryption mode it's now possible to use DLIES with a
  block cipher.  Furthermore the order of the output was changed from
  {public key, tag, ciphertext} to {public key, ciphertext, tag}. Both
  modes are compatible with BouncyCastle.

* Add initial PKCS #11 support (GH #507). Currently includes a low level
  wrapper to all of PKCS #11 (p11.h) and high level code for RSA and ECDSA
  signatures and hardware RNG access.

* Add ECIES encryption scheme, compatible with BouncyCastle (GH #483)

* Add ECKCDSA signature algorithm (GH #504)

* Add KDF1 from ISO 18033 (GH #483)

* Add FRP256v1 curve (GH #551)

* Changes for userspace PRNGs HMAC_DRBG and HMAC_RNG (GH #520 and #593)

  These RNGs now derive from Stateful_RNG which handles issues like periodic
  reseeding and (on Unix) detecting use of fork. Previously these measures were
  included only in HMAC_RNG.

  Stateful_RNG allows reseeding from another RNG and/or a specified set of
  entropy sources. For example it is possible to configure a HMAC_DRBG to reseed
  using a PKCS #11 token RNG, the CPU's RDSEED instruction, and the system RNG
  but disabling all other entropy polls.

* AutoSeeded_RNG now uses NIST SP800-90a HMAC_DRBG(SHA-384). (GH #520)

* On Windows and Unix systems, the system PRNG is used as the sole reseeding
  source for a default AutoSeeded_RNG, completely skipping the standard entropy
  polling code. New constructors allow specifying the reseed RNG and/or entropy
  sources. (GH #520)

* The `hres_timer` entropy source module has been removed. Timestamp inputs to
  the RNG are now handled as additional_data inputs to HMAC_DRBG.

* Add RDRAND_RNG which directly exposes the CPU RNG (GH #543)

* Add PKCS #1 v1.5 id for SHA-512/256 (GH #554)

* Add X509_Time::to_std_timepoint (GH #560)

* Fix a bug in ANSI X9.23 padding mode, which returned one byte more
  than the given block size (GH #529).

* Fix bug in SipHash::clear, which did not reset all state (GH #547)

* Fixes for FreeBSD (GH #517) and OpenBSD (GH #523). The compiler defaults
  to Clang on FreeBSD now.

* SonarQube static analysis integration (GH #592)

* Switched Travis CI to Ubuntu 14.04 LTS (GH #592)

* Added ARM32, ARM64, PPC32, PPC64, and MinGW x86 cross compile targets to Travis CI (GH #608)

* Clean up in TLS ciphersuite handling (GH #583)

* Threefish-512 AVX2 optimization work (GH #581)

* Remove build configuration host and timestamp from build.h
  This makes this header reproducible and allows using ccache's direct mode
  (GH #586 see also #587)

* Prevent building for x86-64 with x86-32 compiler and the reverse (GH #585)

* Avoid build problem on 32-bit userspace ARMv8 (GH #563)

* Refactor of internal MP headers (GH #549)

* Avoid MSVC C4100 warning (GH #525)

* Change botan.exe to botan-cli.exe on Windows to workaround VC issue (GH #584)

* More tests for RSA-KEM (GH #538), DH (GH #556), EME (GH #553),
  cipher mode padding (GH #529), CTS mode (GH #531),
  KDF1/ISO18033 (GH #537), OctetString (GH #545), OIDs (GH #546),
  parallel hash (GH #548), charset handling (GH #555),
  BigInt (GH #558), HMAC_DRBG (GH #598 #600)

* New deprecations. See the full list in doc/deprecated.txt

  The X9.31 and HMAC_RNG RNGs are deprecated.
  If you need a userspace PRNG, use HMAC_DRBG (or AutoSeeded_RNG
  which is HMAC_DRBG with defaults).

  Support for getting entropy from EGD is deprecated, and will be
  removed in a future release. The developers believe that it is
  unlikely that any modern system requires EGD and so the code is now
  dead weight. If you rely on EGD support, you should contact the
  developers by email or GitHub ASAP.

  The TLS ciphersuites using 3DES and SEED are deprecated and will be
  removed in a future release.

  ECB mode Cipher_Mode is deprecated and will be removed in a future
  release.

  Support for BeOS/Haiku has not been tested in 5+ years and is in an
  unknown state.  Unless reports are received of successful builds and
  use on this platform, support for BeOS/Haiku will be removed in a
  future release.

Version 1.11.30, 2016-06-19
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* In 1.11.23 a bug was introduced such that CBC-encrypted TLS packets
  containing no plaintext bytes at all were incorrectly rejected with
  a MAC failure. Records like this are used by OpenSSL in TLS 1.0
  connections in order to randomize the IV.

* A bug in GCM caused incorrect results if the 32-bit counter field
  overflowed. This bug has no implications on the security but affects
  interoperability.

  With a 96-bit nonce, this could only occur if at least 2**32 128-bit
  blocks (64 GiB) were encrypted. This actually exceeds the maximum
  allowable length of a GCM plaintext; when messages longer than
  2**32 - 2 blocks are encrypted, GCM loses its security properties.

  In addition to 96-bit nonces, GCM also supports nonces of arbitrary
  length using a different method which hashes the provided nonce
  under the authentication key. When using such a nonce, the last 4
  bytes of the resulting CTR input might be near the overflow
  boundary, with the probability of incorrect overflow increasing with
  longer messages. when encrypting 256 MiB of data under a random 128
  bit nonce, an incorrect result would be produced about 1/256 of the
  time. With 1 MiB texts, the probability of error is reduced to 1/65536.

  Since TLS uses GCM with 96 bit nonces and limits the length of any
  record to far less than 64 GiB, TLS GCM ciphersuites are not
  affected by this bug.

  Reported by Juraj Somorovsky, described also in "Nonce-Disrespecting
  Adversaries: Practical Forgery Attacks on GCM in TLS"
  (https://eprint.iacr.org/2016/475.pdf)

* Previously when generating a new self-signed certificate or PKCS #10
  request, the subject DN was required to contain both common name
  (CN) and country (C) fields. These restrictions have been removed.
  GH #496

* The Transform and Keyed_Transform interfaces has been removed. The
  two concrete implementations of these interfaces were Cipher_Mode
  and Compressor_Transform. The Cipher_Mode interface remains unchanged
  as the Transform and Keyed_Transform signatures have moved to it;
  no changes to Cipher_Mode usage should be necessary. Any uses of
  Transform& or Keyed_Transform& to refer to a cipher should be replaced
  by Cipher_Mode&. The compression algorithm interface has changed; the start
  function now takes the per-message compression ratio to use. Previously the
  compression level to use had to be set once, at creation time, and
  the required ``secure_vector`` argument to ``start`` was required to be empty.
  The new API is documented in `compression.rst` in the manual.

* Add IETF versions of the ChaCha20Poly1305 TLS ciphersuites from
  draft-ietf-tls-chacha20-poly1305-04. The previously implemented
  (non-standard) ChaCha20Poly1305 ciphersuites from
  draft-agl-tls-chacha20poly1305 remain but are deprecated.

* The OCB TLS ciphersuites have been updated to use the new nonce
  scheme from draft-zauner-tls-aes-ocb-04. This is incompatible with
  previous versions of the draft, and the ciphersuite numbers used for
  the (still experimental) OCB ciphersuites have changed.

* Previously an unknown critical extension caused X.509 certificate
  parsing to fail; such a cert could not be created at all. Now
  parsing succeeds and the certificate validation fails with
  an error indicating an unknown critical extension. GH #469

* X509_CRL previously had an option to cause it to ignore unknown
  critical extensions. This has been removed.

* Added StreamCipher::seek allowing seeking to arbitrary position
  in the key stream. Currently only implemented for ChaCha. (GH #497)

* Added support for ChaCha stream cipher with 8 or 12 rounds.

* Add ECGDSA signature algorithm (GH #479)

* Add support for label argument to KDFs (GH #495)

* Add NIST SP800-108 and 56C KDFs (GH #481)

* Support for Card Verifiable Certificates and the obsolete EMSA1_BSI
  signature padding scheme have been removed. (GH #487)

* A bug in the IETF version of ChaCha20Poly1305 (with 96 bit nonces)
  caused incorrect computation when the plaintext or AAD was exactly
  a multiple of 16 bytes.

* Fix return type of TLS_Reader::get_u32bit, which was truncated to
  16 bits. This only affected decoding of session ticket lifetimes.
  GH #478

* Fix OS X dylib naming problem (GH #468 #467)

* Fix bcrypt function under Python 3 (GH #461)

* The ``unix_procs`` entropy source is deprecated and will be removed
  in a future release. This entropy source attempts to get entropy by
  running Unix programs like ``arp``, ``netstat``, and ``dmesg`` which
  produce information which may be difficult for a remote attacker to
  guess. This exists primarily as a last-ditch for Unix systems
  without ``/dev/random``. But at this point such systems effectively
  no longer exist, and the use of ``fork`` and ``exec`` by the library
  complicates effective application sandboxing.

* Changes to avoid implicit cast warnings in Visual C++ (GH #484)

Version 1.10.13, 2016-04-23
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Use constant time modular inverse algorithm to avoid possible
  side channel attack against ECDSA (CVE-2016-2849)

* Use constant time PKCS #1 unpadding to avoid possible side channel
  attack against RSA decryption (CVE-2015-7827)

* Avoid a compilation problem in OpenSSL engine when ECDSA was
  disabled. Gentoo bug 542010

Version 1.11.29, 2016-03-20
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* CVE-2016-2849 DSA and ECDSA used a modular inverse function which
  had input dependent loops. It is possible a side channel attack on
  this function could be used to recover sufficient information about
  the nonce k to mount a lattice attack and recover the private key.
  Found by Sean Devlin.

* CVE-2016-2850 The TLS client did not check that the signature
  algorithm or ECC curve a v1.2 server used was actually acceptable by
  the policy. This would allow a server who ignored the preferences
  indicated in the client to use a weak algorithm, and may allow MITM
  attacks by an attacker who can break MD5 signatures or 160 bit ECC
  in real time. The server similarly failed to check on the hash a
  client used during client certificate authentication.

* Reject empty TLS records at the record processing layer since such a
  record is not valid regardless of the record type. Later checks
  already correctly rejected empty records, but during processing such
  a record, a pointer to the end of the vector was created, causing a
  assertion failure under checked iterators. Found by Juraj Somorovsky.

* Add PK_Decryptor::decrypt_or_random which allows an application to
  atomically (in constant time) check that a decrypted ciphertext has
  the expected length and/or apply content checks on the result. This
  is used by the TLS server for decrypting PKCS #1 v1.5 RSA ciphertexts.
  Previously the server used a implementation which was potentially
  vulnerable to side channels.

* Add support for processing X.509 name constraint extension during
  path validation. GH #454

* Add X509_Certificate::v3_extensions which allows retreiving the
  raw binary of all certificate extensions, including those which
  are not known to the library. This allows processing of custom
  extensions. GH #437

* Add support for module policies which are a preconfigured set of
  acceptable or prohibited modules. A policy based on BSI TR-02102-1
  is included. GH #439 #446

* Support for the deprecated TLS heartbeat extension has been removed.

* Support for the deprecated TLS minimum fragment length extension has
  been removed.

* SRP6 support is now optional in TLS

* Support for negotiating MD5 and SHA-224 signatures in TLS v1.2 has
  been removed. MD5 signatures are demonstratably insecure in TLS,
  SHA-224 is rarely used.

* Support for negotiating ECC curves secp160r1, secp160r2, secp160k1,
  secp192k1, secp192r1 (P-192), secp224k1, secp224r1 (P-224), and
  secp256k1 have been removed from the TLS implementation. All were
  already disabled in the default policy.

* HMAC_RNG now has an explicit check for fork using pid comparisons.
  It also includes the pid and system and CPU clocks into the PRF
  computation to help reduce the risk of pid wraparound. Even so,
  applications using fork and userspace RNGs should explicitly reseed
  all such RNGs whenever possible.

* Deprecation warning: support for DSA certificates in TLS is
  deprecated and will be removed in a future release.

* Deprecation warning: in addition to the algorithms deprecated in
  1.11.26, the following algorithms are now deprecated and will be
  removed in a future release: Rabin-Williams signatures, TEA, XTEA.

* Deprecation warning: the library has a number of compiled in MODP
  and ECC DL parameters. All MODP parameter sets under 2048 bits and
  all ECC parameters under 256 bits are deprecated and will be removed
  in a future release. This includes the MODP groups "modp/ietf/1024",
  "modp/srp/1024", "modp/ietf/1536", "modp/srp/1536" and the ECC
  groups "secp160k1", "secp160r1", "secp160r2", "secp192k1",
  "secp192r1", "secp224k1", "secp224r1", "brainpool160r1",
  "brainpool192r1", "brainpool224r1", "x962_p192v2", "x962_p192v3",
  "x962_p239v1", "x962_p239v2" and "x962_p239v3". Additionally all
  compiled in DSA parameter sets ("dsa/jce/1024", "dsa/botan/2048",
  and "dsa/botan/3072") are also deprecated.

* RDSEED/RDRAND polling now retries if the operation fails. GH #373

* Fix various minor bugs found by static analysis with PVS-Studio (GH#421),
  Clang analyzer (GH #441), cppcheck (GH #444, #445), and Coverity.

* Add --with-valgrind configure option to enable building against the
  valgrind client API. This currently enables checking of const time
  operations using memcheck.

* Fix remaining Wshadow warnings. Enable Wshadow in build. GH #427

* Use noexcept in VS 2015 GH #429

* On Windows allow the user to explicitly request symlinks be used
  as part of the build. Likely only useful for someone working on
  the library itself. GH #430

* Remove use of TickCount64 introduced in 1.11.27 which caused problem
  with downstream distributors/users building XP compatiable binaries
  which is still an option even in VS 2015

* MCEIES requires KDF1 at runtime but did not require it be enabled
  in the build. GH #369

* Small optimizations to Keccak hash

* Support for locking allocator on Windows using VirtualLock. GH #450

Version 1.8.15, 2016-02-13
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* NOTE WELL: Botan 1.8 is not supported for security issues anymore.
  Moving to 1.10 or 1.11 is certainly recommended.
* Fix CVE-2014-9742: Insufficient randomness in Miller-Rabin primality check
* Fix CVE-2016-2194: Infinite loop in modulur square root algorithm
* Fix CVE-2015-5726: Crash in BER decoder
* Fix CVE-2015-5727: Excess memory allocation in BER decoder
  Note: Unlike the fix in 1.10 which checks that the source actually
  contains enough data to satisfy the read before allocating the
  memory, 1.8.15 simply rejects all ASN.1 blocks larger than 1 MiB.
  This simpler check avoids the problem without breaking ABI.

Version 1.10.12, 2016-02-03
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* In 1.10.11, the check in PointGFp intended to check the affine y
  argument actually checked the affine x again. Reported by Remi Gacogne

  The CVE-2016-2195 overflow is not exploitable in 1.10.11 due to an
  additional check in the multiplication function itself which was
  also added in that release, so there are no security implications
  from the missed check. However to avoid confusion the change was
  pushed in a new release immediately.

  The 1.10.11 release notes incorrectly identified CVE-2016-2195 as CVE-2016-2915

Version 1.10.11, 2016-02-01
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Resolve heap overflow in ECC point decoding. CVE-2016-2195

* Resolve infinite loop in modular square root algorithm.
  CVE-2016-2194

* Correct BigInt::to_u32bit to not fail on integers of exactly 32 bits.
  GH #239

Version 1.11.28, 2016-02-01
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* One of the checks added while addressing CVE-2016-2195 was incorrect
  and could cause needless assertion failures.

Version 1.11.27, 2016-02-01
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* SECURITY: Avoid heap overflow in ECC point decoding. This could
  likely result in remote code execution. CVE-2016-2195

* SECURITY: Avoid one word heap overflow in P-521 reduction function.
  This could potentially lead to remote code execution or other
  attack. CVE-2016-2196.

* SECURITY: Avoid infinite or near-infinite loop during modular square
  root algorithm with invalid inputs. CVE-2016-2194

* Add Blake2b hash function. GH #413

* Use ``m_`` prefix on all member variables. GH #398 and #407

* Use final qualifier on many classes. GH #408

* Use noreturn attribute on assertion failure function to assist
  static analysis. GH #403

* Use TickCount64 and MemoryStatusEx in the Windows entropy source.
  Note these calls are only available in Vista/Server 2008. No
  accomodations are made for XP or Server 2003, both of which are
  no longer patched by the vendor. GH #365

Version 1.11.26, 2016-01-04
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Deprecation warnings: Nyberg-Rueppel signatures, MARS, RC2, RC5,
  RC6, SAFER, HAS-160, RIPEMD-128, MD2 and support for the TLS minimum
  fragment length extensions are all being considered for removal in a
  future release. If there is a compelling use case for keeping any of
  them in the library, please open a discussion ticket on GitHub.

* Support for the TLS extended master secret extension (RFC 7627) has
  been added.

* The format of serialized TLS sessions has changed to add a flag
  indicating support for the extended master secret flag, which is
  needed for proper handling of the extension.

* Root all exceptions thrown by the library in the ``Botan::Exception`` class.
  Previously the library would in many cases throw ``std::runtime_error``
  or ``std::invalid_argument`` exceptions which would make it hard to
  determine the source of the error in some cases.

* The command line interface has been mostly rewritten. The syntax of
  many of the sub-programs has changed, and a number have been
  extended with new features and options.

* Correct an error in PointGFp multiplication when multiplying a point
  by the scalar value 3. PointGFp::operator* would instead erronously
  compute it as if the scalar was 1 instead.

* Enable RdRand entropy source on Windows/MSVC. GH #364

* Add Intel's RdSeed as entropy source. GH #370

* Add preliminary support for accessing TPM v1.2 devices. Currently
  random number generation, RSA key generation, and signing are
  supported. Tested using Trousers and an ST TPM

* Add generalized interface for KEM (key encapsulation) techniques. Convert
  McEliece KEM to use it. The previous interfaces McEliece_KEM_Encryptor and
  McEliece_KEM_Decryptor have been removed. The new KEM interface now uses a KDF
  to hash the resulting keys; to get the same output as previously provided by
  McEliece_KEM_Encryptor, use "KDF1(SHA-512)" and request exactly 64 bytes.

* Add support for RSA-KEM from ISO 18033-2

* Add support for ECDH in the OpenSSL provider

* Fix a bug in DataSource::discard_next() which could cause either an
  infinite loop or the discarding of an incorrect number of bytes.
  Reported on mailing list by Falko Strenzke.

* Previously if BOTAN_TARGET_UNALIGNED_MEMORY_ACCESS_OK was defined,
  the code doing low level loads/stores would use pointer casts to
  access larger words out of a (potentially misaligned) byte array,
  rather than using byte-at-a-time accesses. However even on platforms
  such as x86 where this works, it triggers UBSan errors under Clang.
  Instead use memcpy, which the C standard says is usable for such
  purposes even with misaligned values. With recent GCC and Clang, the
  same code seems to be emitted for either approach.

* Avoid calling memcpy, memset, or memmove with a length of zero to
  avoid undefined behavior, as calling these functions with an invalid
  or null pointer, even with a length of zero, is invalid. Often there
  are corner cases where this can occur, such as pointing to the very
  end of a buffer.

* The function ``RandomNumberGenerator::gen_mask`` (added in 1.11.20)
  had undefined behavior when called with a bits value of 32 or
  higher, and was tested to behave in unpleasant ways (such as
  returning zero) when compiled by common compilers. This function was
  not being used anywhere in the library and rather than support
  something without a use case to justify it it seemed simpler to
  remove it. Undefined behavior found by Daniel Neus.

* Support for using ``ctgrind`` for checking const time blocks has
  been replaced by calling the valgrind memcheck APIs directly. This
  allows const-time behavior to be tested without requiring a modified
  valgrind binary. Adding the appropriate calls requires defining
  BOTAN_HAS_VALGRIND in build.h. A binary compiled with this flag set
  can still run normally (though with some slight runtime overhead).

* Export MGF1 function mgf1_mask GH #380

* Work around a problem with some antivirus programs which causes the
  ``shutil.rmtree`` and ``os.makedirs`` Python calls to occasionally
  fail. The could prevent ``configure.py`` from running sucessfully
  on such systems. GH #353

* Let ``configure.py`` run under CPython 2.6. GH #362

Version 1.11.25, 2015-12-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* In this release the test suite has been largely rewritten. Previously the
  tests had internally used several different test helper frameworks created or
  adopted over time, each of which was insufficient on its own for testing the
  entire library. These have been fully converged on a new framework which
  suffices for all of the tests. There should be no user-visible change as a
  result of this, except that the output format of `botan-test` has changed.

* Improved side channel countermeasures for the table based AES implementation.
  The 4K T tables are computed (once) at runtime to avoid various cache based
  attacks which are possible due to shared VMM mappings of read only tables.
  Additionally every cache line of the table is read from prior to processing
  the block(s).

* Support for the insecure ECC groups secp112r1, secp112r2, secp128r1, and
  secp128r2 has been removed.

* The portable version of GCM has been changed to run using only
  constant time operations.

* Work around a bug in MSVC 2013 std::mutex which on some Windows
  versions can result in a deadlock during static initialization. On
  Windows a CriticalSection is used instead. Analysis and patch from
  Matej Kenda (TopIT d.o.o.). GH #321

* The OpenSSL implementation of RC4 would return the wrong value from `name` if
  leading bytes of the keystream had been skipped in the output.

* Fixed the signature of the FFI function botan_pubkey_destroy, which took the
  wrong type and was not usable.

* The TLS client would erronously reject any server key exchange packet smaller
  than 6 bytes. This prevented negotiating a plain PSK TLS ciphersuite with an
  empty identity hint. ECDHE_PSK and DHE_PSK suites were not affected.

* Fixed a bug that would cause the TLS client to occasionally reject a valid
  server key exchange message as having an invalid signature. This only affected
  DHE and SRP ciphersuites.

* Support for negotiating use of SHA-224 in TLS has been disabled in the
  default policy.

* Added `remove_all` function to the `TLS::Session_Manager` interface

* Avoid GCC warning in pedantic mode when including bigint.h GH #330

Version 1.11.24, 2015-11-04
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* When the bugs affecting X.509 path validation were fixed in 1.11.23, a check
  in Credentials_Manager::verify_certificate_chain was accidentally removed
  which caused path validation failures not to be signaled to the TLS layer.
  Thus in 1.11.23 certificate authentication in TLS is bypassed.
  Reported by Florent Le Coz in GH #324

* Fixed an endian dependency in McEliece key generation which caused
  keys to be generated differently on big and little endian systems,
  even when using a deterministic PRNG with the same seed.

* In `configure,py`, the flags for controlling use of debug, sanitizer, and
  converage information have been split out into individual options
  `--with-debug-info`, `--with-sanitizers`, and `--with-coverage`. These allow
  enabling more than one in a build in a controlled way. The `--build-mode` flag
  added in 1.11.17 has been removed.

Version 1.11.23, 2015-10-26
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* CVE-2015-7824: An information leak allowed padding oracle attacks against
  TLS CBC decryption. Found in a review by Sirrix AG and 3curity GmbH.

* CVE-2015-7825: Validating a malformed certificate chain could cause an
  infinite loop. Found in a review by Sirrix AG and 3curity GmbH.

* CVE-2015-7826: X.509 path validation violated RFC 6125 and would accept
  certificates which should not validate under those rules. In particular botan
  would accept wildcard certificates as matching in situations where it should
  not (for example it would erroneously accept ``*.example.com`` as a valid
  wildcard for ``foo.bar.example.com``)

* CVE-2015-7827: The routines for decoding PKCS #1 encryption and OAEP blocks
  have been rewritten to run without secret indexes or branches. These
  cryptographic operations are vulnerable to oracle attacks, including via side
  channels such as timing or cache-based analysis. In theory it would be
  possible to attack the previous implementations using such a side channel,
  which could allow an attacker to mount a plaintext recovery attack.

  By writing the code such that it does not depend on secret inputs for branch
  or memory indexes, such a side channel would be much less likely to exist.

  The OAEP code has previously made an attempt at constant time operation, but
  it used a construct which many compilers converted into a conditional jump.

* Add support for using ctgrind (https://github.com/agl/ctgrind) to test that
  sections of code do not use secret inputs to decide branches or memory indexes.
  The testing relies on dynamic checking using valgrind.

  So far PKCS #1 decoding, OAEP decoding, Montgomery reduction, IDEA, and
  Curve25519 have been notated and confirmed to be constant time on Linux/x86-64
  when compiled by gcc.

* Public key operations can now be used with specified providers by passing an
  additional parameter to the constructor of the PK operation.

* OpenSSL RSA provider now supports signature creation and verification.

* The blinding code used for RSA, Diffie-Hellman, ElGamal and Rabin-Williams now
  periodically reinitializes the sequence of blinding values instead of always
  deriving the next value by squaring the previous ones. The reinitializion
  interval can be controlled by the build.h parameter BOTAN_BLINDING_REINIT_INTERVAL.

* A bug decoding DTLS client hellos prevented session resumption for succeeding.

* DL_Group now prohibits creating a group smaller than 1024 bits.

* Add System_RNG type. Previously the global system RNG was only accessible via
  `system_rng` which returned a reference to the object. However is at times
  useful to have a unique_ptr<RandomNumberGenerator> which will be either the
  system RNG or an AutoSeeded_RNG, depending on availability, which this
  additional type allows.

* New command line tools `dl_group` and `prime`

* The `configure.py` option `--no-autoload` is now also available
  under the more understandable name `--minimized-build`.

* Note: 1.11.22 was briefly released on 2015-10-26. The only difference between
  the two was a fix for a compilation problem in the OpenSSL RSA code.  As the
  1.11.22 release had already been tagged it was simpler to immediately release
  1.11.23 rather than redo the release.

Version 1.11.21, 2015-10-11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add new methods for creating types such as BlockCiphers or HashFunctions,
  T::providers() returning list of provider for a type, and T::create() creating
  a new object of a specified provider. The functions in lookup.h forward to
  these new APIs. A change to the lookup system in 1.11.14 had caused problems
  with static libraries (GH #52). These problems have been fixed as part of these
  changes. GH #279

* Fix loading McEliece public or private keys with PKCS::load_key / X509::load_key

* Add `mce` command line tool for McEliece key generation and file encryption

* Add Darwin_SecRandom entropy source which uses `SecRandomCopyBytes`
  API call for OS X and iOS, as this call is accessible even from a
  sandboxed application. GH #288

* Add new HMAC_DRBG constructor taking a name for the MAC to use, rather
  than a pointer to an object.

* The OCaml module is now a separate project at
  https://github.com/randombit/botan-ocaml

* The encrypted sqlite database support in contrib has moved to
  https://github.com/randombit/botan-sqlite

* The Perl XS module has been removed as it was no longer maintained.

Version 1.11.20, 2015-09-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Additional countermeasures were added to ECC point multiplications
  including exponent blinding and randomization of the point
  representation to help protect against side channel attacks.

* An ECDSA provider using OpenSSL has been added.

* The ordering of algorithm priorities has been reversed. Previously
  255 was the lowest priority and 0 was the highest priority. Now it
  is the reverse, with 0 being lowest priority and 255 being highest.
  The default priority for the base algorithms is 100. This only
  affects external providers or applications which directly set
  provider preferences.

* On OS X, rename libs to avoid trailing version numbers, e.g.
  libbotan-1.11.dylib.19 -> libbotan-1.11.19.dylib. This was requested
  by the Homebrew project package audit. GH #241, #260

* Enable use of CPUID interface with clang. GH #232

* Add support for MSVC 2015 debug builds by satisfying C++ allocator
  requirements. SO 31802806, GH #236

* Make `X509_Time` string parsing and `to_u32bit()` more strict to avoid
  integer overflows and other potentially dangerous misinterpretations.
  GH #240, #243

* Remove all 'extern "C"' declarations from src/lib/math/mp/ because some
  of those did throw exceptions and thus cannot be C methods. GH #249

* Fix build configuration for clang debug on Linux. GH #250

* Fix zlib error when compressing an empty buffer. GH #265

* Fix iOS builds by allowing multiple compiler flags with the same name.
  GH #266

* Fix Solaris build issue caused by `RLIMIT_MEMLOCK`. GH #262

Version 1.11.19, 2015-08-03
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* SECURITY: The BER decoder would crash due to reading from offset 0
  of an empty vector if it encountered a BIT STRING which did not
  contain any data at all. As the type requires a 1 byte field this is
  not valid BER but could occur in malformed data. Found with afl.
  CVE-2015-5726

* SECURITY: The BER decoder would allocate a fairly arbitrary amount
  of memory in a length field, even if there was no chance the read
  request would succeed. This might cause the process to run out of
  memory or invoke the OOM killer. Found with afl.
  CVE-2015-5727

* The TLS heartbeat extension is deprecated and unless strong arguments
  are raised in its favor it will be removed in a future release.
  Comment at https://github.com/randombit/botan/issues/187

* The x86-32 assembly versions of MD4, MD5, SHA-1, and Serpent and the
  x86-64 version of SHA-1 have been removed. With compilers from this
  decade the C++ versions are significantly faster. The SSE2 versions
  of SHA-1 and Serpent remain, as they are still the fastest version
  for processors with SIMD extensions. GH #216

* BigInt::to_u32bit would fail if the value was exactly 32 bits.
  GH #220

* Botan is now fully compaitible with _GLIBCXX_DEBUG. GH #73

* BigInt::random_integer distribution was not uniform. GH #108

* Added unit testing framework Catch. GH #169

* Fix `make install`. GH #181, #186

* Public header `fs.h` moved to `internal/filesystem.h`. Added filesystem
  support for MSVC 2013 when boost is not available, allowing tests to run on
  those systems. GH #198, #199

* Added os "android" and fix Android compilation issues. GH #203

* Drop support for Python 2.6 for all Botan Python scripts. GH #217

Version 1.10.10, 2015-08-03
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* SECURITY: The BER decoder would crash due to reading from offset 0
  of an empty vector if it encountered a BIT STRING which did not
  contain any data at all. As the type requires a 1 byte field this is
  not valid BER but could occur in malformed data. Found with afl.
  CVE-2015-5726

* SECURITY: The BER decoder would allocate a fairly arbitrary amount
  of memory in a length field, even if there was no chance the read
  request would succeed. This might cause the process to run out of
  memory or invoke the OOM killer. Found with afl.
  CVE-2015-5727

* Due to an ABI incompatible (though not API incompatible) change in
  this release, the version number of the shared object has been
  increased.

* The default TLS policy no longer allows RC4.

* Fix a signed integer overflow in Blue Midnight Wish that may cause
  incorrect computations or undefined behavior.

Version 1.11.18, 2015-07-05
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* In this release Botan has switched VCS from ``monotone`` to ``git``,
  and is now hosted on github at https://github.com/randombit/botan

* The TLS client called ``std::set_difference`` on an invalid iterator
  pair. This could potentially lead to a crash depending on the
  compiler and STL implementation. It also would trigger assertion
  failures when using checked iterators. GH #73

* Remove code constructs which triggered errors under MSVC and GCC
  debug iterators. The primary of these was an idiom of ``&vec[x]`` to
  create a pointer offset of a ``std::vector``. This failed when x was
  set equal to ``vec.size()`` to create the one-past-the-end address.
  The pointer in question was never dereferenced, but it triggered
  the iterator debugging checks which prevented using these valuble
  analysis tools. From Simon Warta and Daniel Seither. GH #125

* Several incorrect or missing module dependencies have been fixed. These
  often prevented a successful build of a minimized amalgamation when
  only a small set of algorithms were specified. GH #71
  From Simon Warta.

* Add an initial binding to OCaml. Currently only hashes, RNGs, and
  bcrypt are supported.

* The default key size generated by the ``keygen`` tool has increased
  to 2048 bits. From Rene Korthaus.

* The ``Botan_types`` namespace, which contained ``using`` declarations
  for (just) ``Botan::byte`` and ``Botan::u32bit``, has been removed.
  Any use should be replaced by ``using`` declarations for those types
  directly.

Version 1.11.17, 2015-06-18
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* All support for the insecure RC4 stream cipher has been removed
  from the TLS implementation.

* Fix decoding of TLS maximum fragment length. Regardless of what
  value was actually negotiated, TLS would treat it as a negotiated
  limit of 4096.

* Fix the configure.py flag ``--disable-aes-ni`` which did nothing of
  the sort.

* Fixed nmake clean target. GitHub #104

* Correct buffering logic in ``Compression_Filter``. GitHub #93 and #95

Version 1.11.16, 2015-03-29
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* TLS has changed from using the non-standard NPN extension to the IETF
  standardized ALPN extension for negotiating an application-level protocol.
  Unfortunately the semantics of the exchange have changed with ALPN. Using
  NPN, the server offered a list of protocols it advertised, and then the
  client chose its favorite. With ALPN, the client offers a list of protocols
  and the server chooses. The the signatures of both the TLS::Client and
  TLS::Server constructors have changed to support this new flow.

* Optimized ECDSA signature verification thanks to an observation by
  Dr. Falko Strenzke. On some systems verifications are between 1.5
  and 2 times faster than in 1.11.15.

* RSA encrypt and decrypt operations using OpenSSL have been added.

* Public key operation types now handle all aspects of the operation,
  such as hashing and padding for signatures. This change allows
  supporting specialized implementations which only support particular
  padding types.

* Added global timeout to HMAC_RNG entropy reseed. The defaults are
  the values set in the build.h macros ``BOTAN_RNG_AUTO_RESEED_TIMEOUT``
  and ``BOTAN_RNG_RESEED_DEFAULT_TIMEOUT``, but can be overriden
  on a specific poll with the new API call reseed_with_timeout.

* Fixed Python cipher update_granularity() and default_nonce_length()
  functions

* The library now builds on Visual C++ 2013

* The GCM update granularity was reduced from 4096 to 16 bytes.

* Fix a bug that prevented building the amalgamation until a non-amalgamation
  configuration was performed first in the same directory.

* Add Travis CI integration. Github pull 60.

Version 1.11.15, 2015-03-08
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Support for RC4 in TLS, already disabled by default, is now deprecated.
  The RC4 ciphersuites will be removed entirely in a future release.

* A bug in ffi.cpp meant Python could only encrypt. Github issue 53.

* When comparing two ASN.1 algorithm identifiers, consider empty and
  NULL parameters the same.

* Fixed memory leaks in TLS and cipher modes introduced in 1.11.14

* MARK-4 failed when OpenSSL was enabled in the build in 1.11.14
  because the OpenSSL version ignored the skip parameter.

* Fix compilation problem on OS X/clang

* Use BOTAN_NOEXCEPT macro to work around lack of noexcept in VS 2013

Version 1.11.14, 2015-02-27
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The global state object previously used by the library has been removed.
  This includes the global PRNG. The library can be safely initialized
  multiple times without harm.

  The engine code has also been removed, replaced by a much lighter-weight
  object registry system which provides lookups in faster time and with less
  memory overhead than the previous approach.

  One caveat of the current system with regards to static linking: because only
  symbols already mentioned elsewhere in the program are included in the final
  link step, few algorithms will be available through the lookup system by
  default, even though they were compiled into the library. Your application
  must explicitly reference the types you require or they will not end up
  being available in the final binary. See also Github issue #52

  If you intend to build your application against a static library and don't
  want to explicitly reference each algo object you might attempt to look up by
  string, consider either building with ``--via-amalgamation``, or else (much
  simpler) using the amalgamation directly.

* The new ``ffi`` submodule provides a simple C API/ABI for a number of useful
  operations (hashing, ciphers, public key operations, etc) which is easily
  accessed using the FFI modules included in many languages.

* A new Python wrapper (in ``src/lib/python/botan.py``) using ``ffi`` and the Python
  ``ctypes`` module is available. The old Boost.Python wrapper has been removed.

* Add specialized reducers for P-192, P-224, P-256, and P-384

* OCB mode, which provides a fast and constant time AEAD mode without requiring
  hardware support, is now supported in TLS, following
  draft-zauner-tls-aes-ocb-01. Because this specification is not yet finalized
  is not yet enabled by the default policy, and the ciphersuite numbers used are
  in the experimental range and may conflict with other uses.

* Add ability to read TLS policy from a text file using ``TLS::Text_Policy``.

* The amalgamation now splits off any ISA specific code (for instance, that
  requiring SSSE3 instruction sets) into a new file named (for instance)
  ``botan_all_ssse3.cpp``. This allows the main amalgamation file to be compiled
  without any special flags, so ``--via-amalgamation`` builds actually work now.
  This is disabled with the build option ``--single-amalgamation-file``

* PBKDF and KDF operations now provide a way to write the desired output
  directly to an application-specified area rather than always allocating a new
  heap buffer.

* HKDF, previously provided using a non-standard interface, now uses the
  standard KDF interface and is retrievable using get_kdf.

* It is once again possible to build the complete test suite without requiring
  any boost libraries. This is currently only supported on systems supporting
  the readdir interface.

* Remove use of memset_s which caused problems with amalgamation on OS X.
  Github 42, 45

* The memory usage of the counter mode implementation has been reduced.
  Previously it encrypted 256 blocks in parallel as this leads to a slightly
  faster counter increment operation. Instead CTR_BE simply encrypts a buffer
  equal in size to the advertised parallelism of the cipher implementation.
  This is not measurably slower, and dramatically reduces the memory use of
  CTR mode.

* The memory allocator available on Unix systems which uses mmap and mlock to
  lock a pool of memory now checks environment variable BOTAN_MLOCK_POOL_SIZE
  and interprets it as an integer. If the value set to a smaller value then the
  library would originally have allocated (based on resource limits) the user
  specified size is used instead. You can also set the variable to 0 to
  disable the pool entirely. Previously the allocator would consume all
  available mlocked memory, this allows botan to coexist with an application
  which wants to mlock memory for its own uses.

* The botan-config script previously installed on Unix systems has been
  removed.  Its functionality is replaced by the ``config`` command of the
  ``botan`` tool executable, for example ``botan config cflags`` instead of
  ``botan-config --cflags``.

* Added a target for POWER8 processors

Version 1.11.13, 2015-01-11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* All support for the insecure SSLv3 protocol and the server support
  for processing SSLv2 client hellos has been removed.

* The command line tool now has ``tls_proxy`` which negotiates TLS with
  clients and forwards the plaintext to a specified port.

* Add MCEIES, a McEliece-based integrated encryption system using
  AES-256 in OCB mode for message encryption/authentication.

* Add DTLS-SRTP negotiation defined in RFC 5764

* Add SipHash

* Add SHA-512/256

* The format of serialized TLS sessions has changed. Additiionally, PEM
  formatted sessions now use the label of "TLS SESSION" instead of "SSL SESSION"

* Serialized TLS sessions are now encrypted using AES-256/GCM instead of a
  CBC+HMAC construction.

* The cryptobox_psk module added in 1.11.4 and previously used for TLS session
  encryption has been removed.

* When sending a TLS heartbeat message, the number of pad bytes to use can now
  be specified, making it easier to use for PMTU discovery.

* If available, zero_mem now uses RtlSecureZeroMemory or memset_s instead of a
  byte-at-a-time loop.

* The functions base64_encode and base64_decode would erroneously
  throw an exception if passed a zero-length input. Github issue 37.

* The Python install script added in version 1.11.10 failed to place the
  headers into a versioned subdirectory.

* Fix the install script when running under Python3.

* Avoid code that triggers iterator debugging asserts under MSVC 2013. Github
  pull 36 from Simon Warta.

Version 1.11.12, 2015-01-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add Curve25519. The implementation is based on curve25519-donna-c64.c
  by Adam Langley. New (completely non-standard) OIDs and formats for
  encrypting Curve25519 keys under PKCS #8 and including them in
  certificates and CRLs have been defined.

* Add Poly1305, based on the implementation poly1305-donna by Andrew Moon.

* Add the ChaCha20Poly1305 AEADs defined in draft-irtf-cfrg-chacha20-poly1305-03
  and draft-agl-tls-chacha20poly1305-04.

* Add ChaCha20Poly1305 ciphersuites for TLS compatible with Google's servers
  following draft-agl-tls-chacha20poly1305-04

* When encrypted as PKCS #8 structures, Curve25519 and McEliece
  private keys default to using AES-256/GCM instead of AES-256/CBC

* Define OIDs for OCB mode with AES, Serpent and Twofish.

Version 1.11.11, 2014-12-21
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The Sqlite3 wrapper has been abstracted to a simple interface for
  SQL dbs in general, though Sqlite3 remains the only implementation.
  The main logic of the TLS session manager which stored encrypted
  sessions to a Sqlite3 database (``TLS::Session_Manager_SQLite``) has
  been moved to the new ``TLS::Session_Manager_SQL``. The Sqlite3
  manager API remains the same but now just subclasses
  ``TLS::Session_Manager_SQL`` and has a constructor instantiate the
  concrete database instance.

  Applications which would like to use a different db can now do so
  without having to reimplement the session cache logic simply by
  implementing a database wrapper subtype.

* The CryptGenRandom entropy source is now also used on MinGW.

* The system_rng API is now also available on systems with CryptGenRandom

* With GCC use -fstack-protector for linking as well as compiling,
  as this is required on MinGW. Github issue 34.

* Fix missing dependency in filters that caused compilation problem
  in amalgamation builds. Github issue 33.

* SSLv3 support is officially deprecated and will be removed in a
  future release.

Version 1.10.9, 2014-12-13
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fixed EAX tag verification to run in constant time

* The default TLS policy now disables SSLv3.

* A crash could occur when reading from a blocking random device if
  the device initially indicated that entropy was available but
  a concurrent process drained the entropy pool before the
  read was initiated.

* Fix decoding indefinite length BER constructs that contain a context
  sensitive tag of zero. Github pull 26 from Janusz Chorko.

* The ``botan-config`` script previously tried to guess its prefix from
  the location of the binary. However this was error prone, and now
  the script assumes the final installation prefix matches the value
  set during the build. Github issue 29.

Version 1.11.10, 2014-12-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* An implementation of McEliece code-based public key encryption based
  on INRIA's HyMES and secured against a variety of side-channels was
  contributed by cryptosource GmbH. The original version is LGPL but
  cryptosource has secured permission to release an adaptation under a
  BSD license. A CCA2-secure KEM scheme is also included.

  The implementation is further described in
  http://www.cryptosource.de/docs/mceliece_in_botan.pdf and
  http://cryptosource.de/news_mce_in_botan_en.html

* DSA and ECDSA now create RFC 6979 deterministic signatures.

* Add support for TLS fallback signaling (draft-ietf-tls-downgrade-scsv-00).
  Clients will send a fallback SCSV if the version passed to the Client
  constructor is less than the latest version supported by local policy, so
  applications implementing fallback are protected. Servers always check the
  SCSV.

* In previous versions a TLS::Server could service either TLS or DTLS
  connections depending on policy settings and what type of client hello it
  received. This has changed and now a Server object is initialized for
  either TLS or DTLS operation. The default policy previously prohibited
  DTLS, precisely to prevent a TCP server from being surprised by a DTLS
  connection.  The default policy now allows TLS v1.0 or higher or DTLS v1.2.

* Fixed a bug in CCM mode which caused it to produce incorrect tags when used
  with a value of L other than 2. This affected CCM TLS ciphersuites, which
  use L=3. Thanks to Manuel Pégourié-Gonnard for the anaylsis and patch.
  Bugzilla 270.

* DTLS now supports timeouts and handshake retransmits. Timeout checking
  is triggered by the application calling the new TLS::Channel::timeout_check.

* Add a TLS policy hook to disable putting the value of the local clock in hello
  random fields.

* All compression operations previously available as Filters are now
  performed via the Transformation API, which minimizes memory copies.
  Compression operations are still available through the Filter API
  using new general compression/decompression filters in comp_filter.h

* The zlib module now also supports gzip compression and decompression.

* Avoid a crash in low-entropy situations when reading from /dev/random, when
  select indicated the device was readable but by the time we start the read the
  entropy pool had been depleted.

* The Miller-Rabin primality test function now takes a parameter allowing the
  user to directly specify the maximum false negative probability they are
  willing to accept.

* PKCS #8 private keys can now be encrypted using GCM mode instead of
  unauthenticated CBC. The default remains CBC for compatibility.

* The default PKCS #8 encryption scheme has changed to use PBKDF2 with
  SHA-256 instead of SHA-1

* A specialized reducer for P-521 was added.

* On Linux the mlock allocator will use MADV_DONTDUMP on the pool so
  that the contents are not included in coredumps.

* A new interface for directly using a system-provided PRNG is
  available in system_rng.h. Currently only systems with /dev/urandom
  are supported.

* Fix decoding indefinite length BER constructs that contain a context sensitive
  tag of zero. Github pull 26 from Janusz Chorko.

* The GNU MP engine has been removed.

* Added AltiVec detection for POWER8 processors.

* Add a new install script written in Python which replaces shell hackery in the
  makefiles.

* Various modifications to better support Visual C++ 2013 and 2015. Github
  issues 11, 17, 18, 21, 22.

Version 1.10.8, 2014-04-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* SECURITY: Fix a bug in primality testing introduced in 1.8.3 which
  caused only a single random base, rather than a sequence of random
  bases, to be used in the Miller-Rabin test. This increased the
  probability that a non-prime would be accepted, for instance a 1024
  bit number would be incorrectly classed as prime with probability
  around 2^-40. Reported by Jeff Marrison. CVE-2014-9742

* The key length limit on HMAC has been raised to 512 bytes, allowing
  the use of very long passphrases with PBKDF2.

Version 1.11.9, 2014-04-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* SECURITY: Fix a bug in primality testing introduced in 1.8.3 which
  caused only a single random base, rather than a sequence of random
  bases, to be used in the Miller-Rabin test. This increased the
  probability that a non-prime would be accepted, for instance a 1024
  bit number would be incorrectly classed as prime with probability
  around 2^-40. Reported by Jeff Marrison. CVE-2014-9742

* X.509 path validation now returns a set of all errors that occurred
  during validation, rather than immediately returning the first
  detected error. This prevents a seemingly innocuous error (such as
  an expired certificate) from hiding an obviously serious error
  (such as an invalid signature). The Certificate_Status_Code enum is
  now ordered by severity, and the most severe error is returned by
  Path_Validation_Result::result(). The entire set of status codes is
  available with the new all_statuses call.

* Fixed a bug in OCSP response decoding which would cause an error
  when attempting to decode responses from some widely used
  responders.

* An implementation of HMAC_DRBG RNG from NIST SP800-90A has been
  added. Like the X9.31 PRNG implementation, it uses another
  underlying RNG for seeding material.

* An implementation of the RFC 6979 deterministic nonce generator has
  been added.

* Fix a bug in certificate path validation which prevented successful
  validation if intermediate certificates were presented out of order.

* Fix a bug introduced in 1.11.5 which could cause crashes or other
  incorrect behavior when a cipher mode filter was followed in the
  pipe by another filter, and that filter had a non-empty start_msg.

* The types.h header now uses stdint.h rather than cstdint to avoid
  problems with Clang on OS X.

Version 1.11.8, 2014-02-13
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The ``botan`` command line application introduced in 1.11.7 is now
  installed along with the library.

* A bug in certificate path validation introduced in 1.11.6 which
  caused all CRL signature checks to fail has been corrected.

* The ChaCha20 stream cipher has been added.

* The ``Transformation`` class no longer implements an interface for keying,
  this has been moved to a new subclass ``Keyed_Transformation``.

* The ``Algorithm`` class, which previously acted as a global base for
  various types (ciphers, hashes, etc) has been removed.

* CMAC now supports 256 and 512 bit block ciphers, which also allows
  the use of larger block ciphers with EAX mode. In particular this
  allows using Threefish in EAX mode.

* The antique PBES1 private key encryption scheme (which only supports
  DES or 64-bit RC2) has been removed.

* The Square, Skipjack, and Luby-Rackoff block ciphers have been removed.

* The Blue Midnight Wish hash function has been removed.

* Skein-512 no longer supports output lengths greater than 512 bits.

* Skein did not reset its internal state properly if clear() was
  called, causing it to produce incorrect results for the following
  message. It was reset correctly in final() so most usages should not
  be affected.

* A number of public key padding schemes have been renamed to match
  the most common notation; for instance EME1 is now called OAEP and
  EMSA4 is now called PSSR. Aliases are set which should allow all
  current applications to continue to work unmodified.

* A bug in CFB encryption caused a few bytes past the end of the final
  block to be read. The actual output was not affected.

* Fix compilation errors in the tests that occurred with minimized
  builds. Contributed by Markus Wanner.

* Add a new ``--destdir`` option to ``configure.py`` which controls
  where the install target will place the output. The ``--prefix``
  option continues to set the location where the library expects to be
  eventually installed.

* Many class destructors which previously deleted memory have been
  removed in favor of using ``unique_ptr``.

* Various portability fixes for Clang, Windows, Visual C++ 2013, OS X,
  and x86-32.

Version 1.11.7, 2014-01-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Botan's basic numeric types are now defined in terms of the
  C99/C++11 standard integer types. For instance ``u32bit`` is now a
  typedef for ``uint32_t``, and both names are included in the library
  namespace. This should not result in any application-visible
  changes.

* There are now two executable outputs of the build, ``botan-test``,
  which runs the tests, and ``botan`` which is used as a driver to call
  into various subcommands which can also act as examples of library
  use, much in the manner of the ``openssl`` command. It understands the
  commands ``base64``, ``asn1``, ``x509``, ``tls_client``, ``tls_server``,
  ``bcrypt``, ``keygen``, ``speed``, and various others. As part of this
  change many obsolete, duplicated, or one-off examples were removed,
  while others were extended with new functionality. Contributions of
  new subcommands, new bling for exising ones, or documentation in any
  form is welcome.

* Fix a bug in Lion, which was broken by a change in 1.11.0. The
  problem was not noticed before as Lion was also missing a test vector
  in previous releases.

Version 1.10.7, 2013-12-29
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* OAEP had two bugs, one of which allowed it to be used even if the
  key was too small, and the other of which would cause a crash during
  decryption if the EME data was too large for the associated key.

Version 1.11.6, 2013-12-29
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The Boost filesystem and asio libraries are now being used by default.
  Pass ``--without-boost`` to ``configure.py`` to disable.

* The default TLS policy no longer allows SSLv3 or RC4.

* OAEP had two bugs, one of which allowed it to be used even if the
  key was too small, and the other of which would cause a crash during
  decryption if the EME data was too large for the associated key.

* GCM mode now uses the Intel clmul instruction when available

* Add the Threefish-512 tweakable block cipher, including an AVX2 version

* Add SIV (from :rfc:`5297`) as a nonce-based AEAD

* Add HKDF (from :rfc:`5869`) using an experimental PRF interface

* Add HTTP utility functions and OCSP online checking

* Add TLS::Policy::acceptable_ciphersuite hook to disable ciphersuites
  on an ad-hoc basis.

* TLS::Session_Manager_In_Memory's constructor now requires a RNG

Version 1.10.6, 2013-11-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The device reading entropy source now attempts to read from all
  available devices. Previously it would break out early if a partial
  read from a blocking source occurred, not continuing to read from a
  non-blocking device. This would cause the library to fall back on
  slower and less reliable techniques for collecting PRNG seed
  material. Reported by Rickard Bellgrim.

* HMAC_RNG (the default PRNG implementation) now automatically reseeds
  itself periodically. Previously reseeds only occurred on explicit
  application request.

* Fix an encoding error in EC_Group when encoding using EC_DOMPAR_ENC_OID.
  Reported by fxdupont on github.

* In EMSA2 and Randpool, avoid calling name() on objects after deleting them if
  the provided algorithm objects are not suitable for use.  Found by Clang
  analyzer, reported by Jeffrey Walton.

* If X509_Store was copied, the u32bit containing how long to cache validation
  results was not initialized, potentially causing results to be cached for
  significant amounts of time. This could allow a certificate to be considered
  valid after its issuing CA's cert expired. Expiration of the end-entity cert
  is always checked, and reading a CRL always causes the status to be reset, so
  this issue does not affect revocation. Found by Coverity scanner.

* Avoid off by one causing a potentially unterminated string to be passed to
  the connect system call if the library was configured to use a very long path
  name for the EGD socket. Found by Coverity Scanner.

* In PK_Encryptor_EME, PK_Decryptor_EME, PK_Verifier, and PK_Key_Agreement,
  avoid dereferencing an unitialized pointer if no engine supported operations
  on the key object given. Found by Coverity scanner.

* Avoid leaking a file descriptor in the /dev/random and EGD entropy sources if
  stdin (file descriptor 0) was closed. Found by Coverity scanner.

* Avoid a potentially undefined operation in the bit rotation operations.  Not
  known to have caused problems under any existing compiler, but might have
  caused problems in the future. Caught by Clang sanitizer, reported by Jeffrey
  Walton.

* Increase default hash iterations from 10000 to 50000 in PBES1 and PBES2

* Add a fix for mips64el builds from Brad Smith.

Version 1.11.5, 2013-11-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The TLS callback signatures have changed - there are now two distinct
  callbacks for application data and alerts. TLS::Client and TLS::Server have
  constructors which continue to accept the old callback and use it for both
  operations.

* The entropy collector that read from randomness devices had two bugs - it
  would break out of the poll as soon as any read succeeded, and it selected on
  each device individually. When a blocking source was first in the device list
  and the entropy pool was running low, the reader might either block in select
  until eventually timing out (continuing on to read from /dev/urandom instead),
  or read just a few bytes, skip /dev/urandom, fail to satisfy the entropy
  target, and the poll would continue using other (slower) sources. This caused
  substantial performance/latency problems in RNG heavy applications. Now all
  devices are selected over at once, with the effect that a full read from
  urandom always occurs, along with however much (if any) output is available
  from blocking sources.

* Previously AutoSeeded_RNG referenced a globally shared PRNG instance.
  Now each instance has distinct state.

* The entropy collector that runs Unix programs to collect statistical
  data now runs multiple processes in parallel, greatly reducing poll
  times on some systems.

* The Randpool RNG implementation was removed.

* All existing cipher mode implementations (such as CBC and XTS) have been
  converted from filters to using the interface previously provided by
  AEAD modes which allows for in-place message
  processing. Code which directly references the filter objects will break, but
  an adaptor filter allows usage through get_cipher as usual.

* An implementation of CCM mode from RFC 3601 has been added, as well as CCM
  ciphersuites for TLS.

* The implementation of OCB mode now supports 64 and 96 bit tags

* Optimized computation of XTS tweaks, producing a substantial speedup

* Add support for negotiating Brainpool ECC curves in TLS

* TLS v1.2 will not negotiate plain SHA-1 signatures by default.

* TLS channels now support sending a ``std::vector``

* Add a generic 64x64->128 bit multiply instruction operation in mul128.h

* Avoid potentially undefined operations in the bit rotation operations. Not
  known to have caused problems under existing compilers but might break in the
  future. Found by Clang sanitizer, reported by Jeffrey Walton.

Version 1.11.4, 2013-07-25
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* CPU specific extensions are now always compiled if support for the
  operations is available at build time, and flags enabling use of
  extra operations (such as SSE2) are only included when compiling
  files which specifically request support. This means, for instance,
  that the SSSE3 and AES-NI implementations of AES are always included
  in x86 builds, relying on runtime cpuid checking to prevent their
  use on CPUs that do not support those operations.

* The default TLS policy now only accepts TLS, to minimize surprise
  for servers which might not expect to negotiate DTLS. Previously a
  server would by default negotiate either protocol type (clients
  would only accept the same protocol type as they
  offered). Applications which use DTLS or combined TLS/DTLS need to
  override ``Policy::acceptable_protocol_version``.

* The TLS channels now accept a new parameter specifying how many
  bytes to preallocate for the record handling buffers, which allows
  an application some control over how much memory is used at runtime
  for a particular connection.

* Applications can now send arbitrary TLS alert messages using
  ``TLS::Channel::send_alert``

* A new TLS policy ``NSA_Suite_B_128`` is available, which
  will negotiate only the 128-bit security NSA Suite B. See
  :rfc:`6460` for more information about Suite B.

* Adds a new interface for benchmarking, ``time_algorithm_ops``,
  which returns a map of operations to operations per second. For
  instance now both encrypt and decrypt speed of a block cipher can be
  checked, as well as the key schedule of all keyed algorithms. It
  additionally supports AEAD modes.

* Rename ARC4 to RC4

Version 1.11.3, 2013-04-11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add a new interface for AEAD modes (``AEAD_Mode``).

* Implementations of the OCB and GCM authenticated cipher modes are
  now included.

* Support for TLS GCM ciphersuites is now available.

* A new TLS policy mechanism
  ``TLS::Policy::server_uses_own_ciphersuite_preferences``
  controls how a server chooses a ciphersuite. Previously it always
  chose its most preferred cipher out of the client's list, but this
  can allow configuring a server to choose by the client's preferences
  instead.

* ``Keyed_Filter`` now supports returning a
  ``Key_Length_Specification`` so the full details of what
  keylengths are supported is now available in keyed filters.

* The experimental and rarely used Turing and WiderWAKE stream ciphers
  have been removed

* New functions for symmetric encryption are included in cryptobox.h
  though interfaces and formats are subject to change.

* A new function ``algorithm_kat_detailed`` returns a string
  providing information about failures, instead of just a pass/fail
  indicator as in ``algorithm_kat``.

Version 1.10.5, 2013-03-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* A potential crash in the AES-NI implementation of the AES-192 key
  schedule (caused by misaligned loads) has been fixed.

* A previously conditional operation in Montgomery multiplication and
  squaring is now always performed, removing a possible timing
  channel.

* Use correct flags for creating a shared library on OS X under Clang.

* Fix a compile time incompatibility with Visual C++ 2012.

Version 1.11.2, 2013-03-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* A bug in the release script caused the ``botan_version.py`` included
  in 1.11.1`` to be invalid, which required a manual edit to fix
  (Bugzilla 226)

* Previously ``clear_mem`` was implemented by an inlined call to
  ``std::memset``. However an optimizing compiler might notice cases
  where the memset could be skipped in cases allowed by the standard.
  Now ``clear_mem`` calls ``zero_mem`` which is compiled separately and
  which zeros out the array through a volatile pointer. It is possible
  some compiler with some optimization setting (especially with
  something like LTO) might still skip the writes. It would be nice if
  there was an automated way to test this.

* The new filter ``Threaded_Fork`` acts like a normal
  ``Fork``, sending its input to a number of different
  filters, but each subchain of filters in the fork runs in its own
  thread. Contributed by Joel Low.

* The default TLS policy formerly preferred AES over RC4, and allowed
  3DES by default. Now the default policy is to negotiate only either
  AES or RC4, and to prefer RC4.

* New TLS ``Blocking_Client`` provides a thread per
  connection style API similar to that provided in 1.10

* The API of ``Credentials_Manager::trusted_certificate_authorities``
  has changed to return a vector of ``Certificate_Store*`` instead of
  ``X509_Certificate``. This allows the list of trusted CAs to be
  more easily updated dynamically or loaded lazily.

* The ``asn1_int.h`` header was split into ``asn1_alt_name.h``,
  ``asn1_attribute.h`` and ``asn1_time.h``.

Version 1.10.4, 2013-01-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Avoid a conditional operation in the power mod implementations on if
  a nibble of the exponent was zero or not. This may help protect
  against certain forms of side channel attacks.

* The SRP6 code was checking for invalid values as specified in RFC
  5054, specifically values equal to zero mod p. However SRP would
  accept negative A/B values, or ones larger than p, neither of which
  should occur in a normal run of the protocol. These values are now
  rejected. Credits to Timothy Prepscius for pointing out these values
  are not normally used and probably signal something fishy.

* The return value of version_string is now a compile time constant
  string, so version information can be more easily extracted from
  binaries.

Version 1.11.1, 2012-10-30
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Initial support for DTLS (both v1.0 and v1.2) is available in this
release, though it should be considered highly experimental. Currently
timeouts and retransmissions are not handled.

The ``TLS::Client`` constructor now takes the version to
offer to the server. The policy hook ``TLS::Policy`` function
`pref_version``, which previously controlled this, has been removed.

`TLS::Session_Manager_In_Memory`` now chooses a random
256-bit key at startup and encrypts all sessions (using the existing
`TLS::Session::encrypt`` mechanism) while they are stored in
memory. This is primarily to reduce pressure on locked memory, as each
session normally requires 48 bytes of locked memory for the master
secret, whereas now only 32 bytes are needed total. This change may
also make it slightly harder for an attacker to extract session data
from memory dumps (eg with a cold boot attack).

The keys used in TLS session encryption were previously uniquely
determined by the master key. Now the encrypted session blob includes
two 80 bit salts which are used in the derivation of the cipher and
MAC keys.

The ``secure_renegotiation`` flag is now considered an aspect of the
connection rather than the session, which matches the behavior of
other implementations. As the format has changed, sessions saved to
persistent storage by 1.11.0 will not load in this version and vice
versa. In either case this will not cause any errors, the session will
simply not resume and instead a full handshake will occur.

New policy hooks ``TLS::Policy::acceptable_protocol_version``,
`TLS::Policy::allow_server_initiated_renegotiation``, and
`TLS::Policy::negotiate_heartbeat_support`` were added.

TLS clients were not sending a next protocol message during a session
resumption, which would cause resumption failures with servers that
support NPN if NPN was being offered by the client.

A bug caused heartbeat requests sent by the counterparty during a
handshake to be passed to the application callback as if they were
heartbeat responses.

Support for TLS key material export as specified in :rfc:`5705` has
been added, available via ``TLS::Channel::key_material_export``

A new function ``Public_Key::estimated_strength`` returns
an estimate for the upper bound of the strength of the key. For
instance for an RSA key, it will return an estimate of how many
operations GNFS would take to factor the key.

A new ``Path_Validation_Result`` code has been added
``SIGNATURE_METHOD_TOO_WEAK``. By default signatures created with keys
below 80 bits of strength (as estimated by ``estimated_strength``) are
rejected. This level can be modified using a parameter to the
``Path_Validation_Restrictions`` constructor.

The SRP6 code was checking for invalid values as specified in
:rfc:`5054`, ones equal to zero mod p, however it would accept
negative A/B values, or ones larger than p, neither of which should
occur in a normal run of the protocol. These values are now
rejected. Credits to Timothy Prepscius for pointing out these values
are not normally used and probably signal something fishy.

Several ``BigInt`` functions have been removed, including
``operator[]``, ``assign``, ``get_reg``, and ``grow_reg``. The version
of ``data`` that returns a mutable pointer has been renamed
``mutable_data``.  Support for octal conversions has been removed.

The constructor ``BigInt(NumberType type, size_t n)`` has been
removed, replaced by ``BigInt::power_of_2``.

In 1.11.0, when compiled by GCC, the AES-NI implementation of AES-192
would crash if the mlock-based allocator was used due to an alignment
issue.

Version 1.11.0, 2012-07-19
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. note::

  In this release, many new features of C++11 are being used in the
  library. Currently GCC 4.7 and Clang 3.1 are known to work well.
  This version of the library cannot be compiled by or used with a
  C++98 compiler.

There have been many changes and improvements to TLS.  The interface
is now purely event driven and does not directly interact with
sockets.  New TLS features include TLS v1.2 support, client
certificate authentication, renegotiation, session tickets, and
session resumption. Session information can be saved in memory or to
an encrypted SQLite3 database. Newly supported TLS ciphersuite
algorithms include using SHA-2 for message authentication, pre shared
keys and SRP for authentication and key exchange, ECC algorithms for
key exchange and signatures, and anonymous DH/ECDH key exchange.

Support for OCSP has been added. Currently only client-side support
exists.

The API for X.509 path validation has changed, with
``x509_path_validate`` in x509path.h now handles path validation and
``Certificate_Store`` handles storage of certificates and CRLs.

The memory container types have changed substantially.  The
``MemoryVector`` and ``SecureVector`` container types have been
removed, and an alias of ``std::vector`` using an allocator that
clears memory named ``secure_vector`` is used for key material, with
plain ``std::vector`` being used for everything else.

The technique used for mlock'ing memory on Linux and BSD systems is
much improved. Now a single page-aligned block of memory (the exact
limit of what we can mlock) is mmap'ed, with allocations being done
using a best-fit allocator and all metadata held outside the mmap'ed
range, in an effort to make best use of the very limited amount of
memory current Linux kernels allow unpriveledged users to lock.

A filter using LZMA was contributed by Vojtech Kral. It is available
if LZMA support was enabled at compilation time by passing
``--with-lzma`` to ``configure.py``.

:rfc:`5915` adds some extended information which can be included in
ECC private keys which the ECC key decoder did not expect, causing an
exception when such a key was loaded. In particular, recent versions
of OpenSSL use these fields. Now these fields are decoded properly,
and if the public key value is included it is used, as otherwise the
public key needs to be rederived from the private key. However the
library does not include these fields on encoding keys for
compatibility with software that does not expect them (including older
versions of botan).

Version 1.8.14, 2012-07-18
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The malloc allocator would return null instead of throwing in the
  event of an allocation failure, which could cause an application
  crash due to null pointer dereference where normally an exception
  would occur.

* Recent versions of OpenSSL include extra information in ECC private
  keys, the presence of which caused an exception when such a key was
  loaded by botan. The decoding of ECC private keys has been changed to
  ignore these fields if they are set.

* AutoSeeded_RNG has been changed to prefer ``/dev/random`` over
  ``/dev/urandom``

* Fix detection of s390x (Debian bug 638347)

Version 1.10.3, 2012-07-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

A change in 1.10.2 accidentally broke ABI compatibility with 1.10.1
and earlier versions, causing programs compiled against 1.10.1 to
crash if linked with 1.10.2 at runtime.

Recent versions of OpenSSL include extra information in ECC private
keys, the presence of which caused an exception when such a key was
loaded by botan. The decoding of ECC private keys has been changed to
ignore these fields if they are set.

Version 1.10.2, 2012-06-17
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Several TLS bugs were fixed in this release, including a major
omission that the renegotiation extension was not being used.  As the
1.10 implementation of TLS does not properly support renegotiation,
the approach in this release is simply to send the renegotiation
extension SCSV, which should protect the client against any handshake
splicing. In addition renegotiation attempts are handled properly
instead of causing handshake failures - all hello requests, and all
client hellos after the initial negotiation, are ignored. Some
bugs affecting DSA server authentication were also fixed.

By popular request, ``Pipe::reset`` no longer requires that message
processing be completed, a requirement that caused problems when a
Filter's end_msg call threw an exception, after which point the Pipe
object was no longer usable.

Support for getting entropy using the rdrand instruction introduced in
Intel's Ivy Bridge processors has been added. In previous releases,
the ``CPUID::has_rdrand`` function was checking the wrong cpuid bit,
and would false positive on AMD Bulldozer processors.

An implementation of SRP-6a compatible with the specification in RFC
5054 is now available in ``srp6.h``. In 1.11, this is being used for
TLS-SRP, but may be useful in other environments as well.

An implementation of the Camellia block cipher was added, again largely
for use in TLS.

If ``clock_gettime`` is available on the system, hres_timer will poll all
the available clock types.

AltiVec is now detected on IBM POWER7 processors and on OpenBSD systems.
The OpenBSD support was contributed by Brad Smith.

The Qt mutex wrapper was broken and would not compile with any recent
version of Qt. Taking this as a clear indication that it is not in use,
it has been removed.

Avoid setting the soname on OpenBSD, as it doesn't support it (Bugzilla 158)

A compilation problem in the dynamic loader that prevented using
dyn_load under MinGW GCC has been fixed.

A common error for people using MinGW is to target GCC on Windows,
however the 'Windows' target assumes the existence of Visual C++
runtime functions which do not exist in MinGW. Now, configuring for
GCC on Windows will cause the configure.py to warn that likely you
wanted to configure for either MinGW or Cygwin, not the generic
Windows target.

A bug in configure.py would cause it to interpret ``--cpu=s390x`` as
``s390``. This may have affected other CPUs as well. Now configure.py
searches for an exact match, and only if no exact match is found will
it search for substring matches.

An incompatibility in configure.py with the subprocess module included
in Python 3.1 has been fixed (Bugzilla 157).

The exception catching syntax of configure.py has been changed to the
Python 3.x syntax. This syntax also works with Python 2.6 and 2.7, but
not with any earlier Python 2 release. A simple search and replace
will allow running it under Python 2.5:
``perl -pi -e 's/except (.*) as (.*):/except $1, $2:/g' configure.py``

Note that Python 2.4 is not supported at all.

Version 1.10.1, 2011-07-11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* A race condition in ``Algorithm_Factory`` could cause crashes in
  multithreaded code.

* The return value of ``name`` has changed for GOST 28147-89 and
  Skein-512.  GOST's ``name`` now includes the name of the sbox, and
  Skein's includes the personalization string (if nonempty). This
  allows an object to be properly roundtripped, which is necessary to
  fix the race condition described above.

* A new distribution script is now included, as
  ``src/build-data/scripts/dist.py``

* The ``build.h`` header now includes, if available, an identifier of
  the source revision that was used. This identifier is also included
  in the result of ``version_string``.

Version 1.8.13, 2011-07-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* A race condition in ``Algorithm_Factory`` could cause crashes in
  multithreaded code.

Version 1.10.0, 2011-06-20
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Detection for the rdrand instruction being added to upcoming Intel
  Ivy Bridge processors has been added.

* A template specialization of std::swap was added for the memory
  container types.

Version 1.8.12, 2011-06-20
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* If EMSA3(Raw) was used for more than one signature, it would produce
  incorrect output.

* Fix the --enable-debug option to configure.py

* Improve OS detection on Cygwin

* Fix compilation under Sun Studio 12 on Solaris

* Fix a memory leak in the constructors of DataSource_Stream and
  DataSink_Stream which would occur if opening the file failed (Bugzilla 144)

Version 1.9.18, 2011-06-03
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fourth release candidate for 1.10.0

* The GOST 34.10 verification operation was not ensuring that s and r
  were both greater than zero. This could potentially have meant it
  would have accepted an invalid all-zero signature as valid for any
  message. Due to how ECC points are internally represented it instead
  resulted in an exception being thrown.

* A simple multiexponentation algorithm is now used in ECDSA and
  GOST-34.10 signature verification, leading to 20 to 25% improvements
  in ECDSA and 25% to 40% improvements in GOST-34.10 verification
  performance.

* The internal representation of elliptic curve points has been
  modified to use Montgomery representation exclusively, resulting in
  reduced memory usage and a 10 to 20% performance improvement for
  ECDSA and ECDH.

* In OAEP decoding, scan for the delimiter bytes using a loop that is
  written without conditionals so as to help avoid timing analysis.
  Unfortunately GCC at least is 'smart' enough to compile it to
  jumps anyway.

* The SSE2 implementation of IDEA did not work correctly when compiled
  by Clang, because the trick it used to emulate a 16 bit unsigned
  compare in SSE (which doesn't contain one natively) relied on signed
  overflow working in the 'usual' way. A different method that doesn't
  rely on signed overflow is now used.

* Add support for compiling SSL using Visual C++ 2010's TR1
  implementation.

* Fix a bug under Visual C++ 2010 which would cause ``hex_encode`` to
  crash if given a zero-sized input to encode.

* A new build option ``--via-amalgamation`` will first generate the
  single-file amalgamation, then build the library from that single
  file. This option requires a lot of memory and does not parallelize,
  but the resulting library is smaller and may be faster.

* On Unix, the library and header paths have been changed to allow
  parallel installation of different versions of the library. Headers
  are installed into ``<prefix>/include/botan-1.9/botan``, libraries
  are named ``libbotan-1.9``, and ``botan-config`` is now namespaced
  (so in this release ``botan-config-1.9``). All of these embedded
  versions will be 1.10 in the upcoming stable release.

* The soname system has been modified. In this release the library
  soname is ``libbotan-1.9.so.0``, with the full library being named
  ``libbotan-1.9.so.0.18``. The ``0`` is the ABI version, and will be
  incremented whenever a breaking ABI change is made.

* TR1 support is not longer automatically assumed under older versions
  of GCC

* Functions for base64 decoding that work standalone (without needing
  to use a pipe) have been added to ``base64.h``

* The function ``BigInt::to_u32bit`` was inadvertently removed in 1.9.11
  and has been added back.

* The function ``BigInt::get_substring`` did not work correctly with a
  *length* argument of 32.

* The implementation of ``FD_ZERO`` on Solaris uses ``memset`` and
  assumes the caller included ``string.h`` on its behalf. Do so to
  fix compilation in the ``dev_random`` and ``unix_procs`` entropy
  sources. Patch from Jeremy C. Reed.

* Add two different configuration targets for Atom, since some are
  32-bit and some are 64-bit. The 'atom' target now refers to the
  64-bit implementations, use 'atom32' to target the 32-bit
  processors.

* The (incomplete) support for CMS and card verifiable certificates
  are disabled by default; add ``--enable-modules=cms`` or
  ``--enable-modules=cvc`` during configuration to turn them back on.

Version 1.9.17, 2011-04-29
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Third release candidate for 1.10.0

* The format preserving encryption method currently available was
  presented in the header ``fpe.h`` and the functions ``fpe_encrypt``
  and ``fpe_decrypt``. These were renamed as it is likely that other
  FPE schemes will be included in the future. The header is now
  ``fpe_fe1.h``, and the functions are named ``fe1_encrypt`` and
  ``fe1_decrypt``.

* New options to ``configure.py`` control what tools are used for
  documentation generation. The ``--with-sphinx`` option enables using
  Sphinx to convert ReST into HTML; otherwise the ReST sources are
  installed directly. If ``--with-doxygen`` is used, Doxygen will run
  as well. Documentation generation can be triggered via the ``docs``
  target in the makefile; it will also be installed by the install
  target on Unix.

* A bug in 1.9.16 effectively disabled support for runtime CPU feature
  detection on x86 under GCC in that release.

* A mostly internal change, all references to "ia32" and "amd64" have
  been changed to the vendor neutral and probably easier to understand
  "x86-32" and "x86-64". For instance, the "mp_amd64" module has been
  renamed "mp_x86_64", and the macro indicating x86-32 has changed
  from ``BOTAN_TARGET_ARCH_IS_IA32`` to
  ``BOTAN_TARGET_ARCH_IS_X86_32``. The classes calling assembly have
  also been renamed.

* Similiarly to the above change, the AES implemenations using the
  AES-NI instruction set have been renamed from AES_XXX_Intel to
  AES_XXX_NI.

* Systems that are identified as ``sun4u`` will default to compiling for
  32-bit SPARCv9 code rather than 64-bit. This matches the still
  common convention for 32-bit SPARC userspaces. If you want 64-bit
  code on such as system, use ``--cpu=sparc64``.

* Some minor fixes for compiling botan under the BeOS
  clone/continuation `Haiku <http://haiku-os.org>`_.

* Further updates to the documentation

Version 1.9.16, 2011-04-11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Second release candidate for 1.10.0

* The documentation, previously written in LaTeX, is now in
  reStructuredText suitable for processing by `Sphinx
  <http://sphinx.pocoo.org>`_, which can generate nicely formatted
  HTML and PDFs. The documentation has also been greatly updated and
  expanded.

* The class ``EC_Domain_Params`` has been renamed ``EC_Group``, with a
  typedef for backwards compatibility.

* The ``EC_Group`` string constructor didn't understand the standard
  names like "secp160r1", forcing use of the OIDs.

* Two constructors for ECDSA private keys, the one that creates a new
  random key, and the one that provides a preset private key as a
  ``BigInt``, have been merged. This matches the existing interface
  for DSA and DH keys. If you previously used the version taking a
  ``BigInt`` private key, you'll have to additionally pass in a
  ``RandomNumberGenerator`` object starting in this release.

* It is now possible to create ECDH keys with a preset ``BigInt``
  private key; previously no method for this was available.

* The overload of ``generate_passhash9`` that takes an explicit
  algorithm identifier has been merged with the one that does not.
  The algorithm identifier code has been moved from the second
  parameter to the fourth.

* Change shared library versioning to match the normal Unix
  conventions. Instead of ``libbotan-X.Y.Z.so``, the shared lib is
  named ``libbotan-X.Y.so.Z``; this allows the runtime linker to do
  its runtime linky magic. It can be safely presumed that any change
  in the major or minor version indicates ABI incompatibility.

* Remove the socket wrapper code; it was not actually used by anything
  in the library, only in the examples, and you can use whatever kind
  of (blocking) socket interface you like with the SSL/TLS code. It's
  available as socket.h in the examples directory if you want to use
  it.

* Disable the by-default 'strong' checking of private keys that are
  loaded from storage. You can always request key material sanity
  checking using Private_Key::check_key.

* Bring back removed functions ``min_keylength_of``,
  ``max_keylength_of``, ``keylength_multiple_of`` in ``lookup.h`` to
  avoid breaking applications written against 1.8

Version 1.9.15, 2011-03-21
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* First release candidate for 1.10.0

* Modify how message expansion is done in SHA-256 and SHA-512.
  Instead of expanding the entire message at the start, compute them
  in the minimum number of registers. Values are computed 15 rounds
  before they are needed. On a Core i7-860, GCC 4.5.2, went from 143
  to 157 MiB/s in SHA-256, and 211 to 256 MiB/s in SHA-512.

* Pipe will delete empty output queues as soon as they are no longer
  needed, even if earlier messages still have data unread. However an
  (empty) entry in a deque of pointers will remain until all prior
  messages are completely emptied.

* Avoid reading the SPARC ``%tick`` register on OpenBSD as unlike the
  Linux and NetBSD kernels, it will not trap and emulate it for us,
  causing a illegal instruction crash.

* Improve detection and autoconfiguration for ARM processors. Thanks
  go out to the the `Tahoe-LAFS Software Foundation
  <http://tahoe-lafs.org>`_, who donated a Sheevaplug that I'll be
  using to figure out how to make the cryptographic primitives
  Tahoe-LAFS relies on faster, particularly targeting the ARMv5TE.

Version 1.9.14, 2011-03-01
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add support for bcrypt, OpenBSD's password hashing scheme.

* Add support for NIST's AES key wrapping algorithm, as described in
  :rfc:`3394`. It is available by including ``rfc3394.h``.

* Fix an infinite loop in zlib filters introduced in 1.9.11 (Bugzilla 142)

Version 1.9.13, 2011-02-19
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

GOST 34.10 signatures were being formatted in a way that was not
compatible with other implemenations, and specifically how GOST is
used in DNSSEC.

The Keccak hash function was updated to the tweaked variant proposed
for round 3 of the NIST hash competition. This version is not
compatible with the previous algorithm.

A new option ``--distribution-info`` was added to the configure
script. It allows the user building the library to set any
distribution-specific notes on the build, which are available as a
macro ``BOTAN_DISTRIBUTION_INFO``. The default value is
'unspecified'. If you are building an unmodified version of botan
(especially for distribution), and want to indicate to applications
that this is the case, consider using
``--distribution-info=pristine``. If you are making any patches or
modifications, it is recommended to use
``--distribution-info=[Distribution Name] [Version]``, for instance
'FooNix 1.9.13-r3'.

Some bugs preventing compilation under Clang 2.9 and Sun Studio 12
were fixed.

The DER/BER codecs use ``size_t`` instead of ``u32bit`` for small
integers

Version 1.9.12, 2010-12-13
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add the Keccak hash function
* Fix compilation problems in Python wrappers
* Fix compilation problem in OpenSSL engine
* Update SQLite3 database encryption codec

Version 1.9.11, 2010-11-29
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The TLS API has changed substantially and now relies heavily on
  TR1's ``std::function`` is now required. Additionally, it is
  required that all callers derive a subclass of TLS_Policy and pass
  it to a client or server object. Please remember that the TLS
  interface/API is currently unstable and will very likely change
  further before TLS is included in a stable release. A handshake
  failure that occurred when RC4 was negotiated has also been fixed.

* Some possible timing channels in the implementations of Montgomery
  reduction and the IDEA key schedule were removed. The table-based
  AES implementation uses smaller tables in the first round to help
  make some timing/cache attacks harder.

* The library now uses size_t instead of u32bit to represent
  lengths. Also the interfaces for the memory containers have changed
  substantially to better match STL container interfaces;
  MemoryRegion::append, MemoryRegion::destroy, and MemoryRegion::set
  were all removed, and several other functions, like clear and
  resize, have changed meaning.

* Update Skein-512 to match the v1.3 specification
* Fix a number of CRL encoding and decoding bugs
* Counter mode now always encrypts 256 blocks in parallel
* Use small tables in the first round of AES
* Removed AES class: app must choose AES-128, AES-192, or AES-256
* Add hex encoding/decoding functions that can be used without a Pipe
* Add base64 encoding functions that can be used without a Pipe
* Add to_string function to X509_Certificate
* Add support for dynamic engine loading on Windows
* Replace BlockCipher::BLOCK_SIZE attribute with function block_size()
* Replace HashFunction::HASH_BLOCK_SIZE attribute with hash_block_size()
* Move PBKDF lookup to engine system
* The IDEA key schedule has been changed to run in constant time
* Add Algorithm and Key_Length_Specification classes
* Switch default PKCS #8 encryption algorithm from AES-128 to AES-256
* Allow using PBKDF2 with empty passphrases
* Add compile-time deprecation warnings for GCC, Clang, and MSVC
* Support use of HMAC(SHA-256) and CMAC(Blowfish) in passhash9
* Improve support for Intel Atom processors
* Fix compilation problems under Sun Studio and Clang

Version 1.8.11, 2010-11-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix a number of CRL encoding and decoding bugs
* When building a debug library under VC++, use the debug runtime
* Fix compilation under Sun Studio on Linux and Solaris
* Add several functions for compatibility with 1.9
* In the examples, read most input files as binary
* The Perl build script has been removed in this release

Version 1.8.10, 2010-08-31
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Switch default PKCS #8 encryption algorithm from 3DES to AES-256
* Increase default hash iterations from 2048 to 10000 in PBES1 and PBES2
* Use small tables in the first round of AES
* Add PBKDF typedef and get_pbkdf for better compatibility with 1.9
* Add version of S2K::derive_key taking salt and iteration count
* Enable the /proc-walking entropy source on NetBSD
* Fix the doxygen makefile target

Version 1.9.10, 2010-08-12
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add a constant-time AES implementation using SSSE3. This code is
  based on public domain assembly written by `Mike Hamburg
  <http://crypto.stanford.edu/vpaes/>`_, and described in his CHES
  2009 paper "Accelerating AES with Vector Permute Instructions". In
  addition to being constant time, it is also significantly faster
  than the table-based implementation on some processors. The current
  code has been tested with GCC 4.5, Visual C++ 2008, and Clang 2.8.

* Support for dynamically loading Engine objects at runtime was also
  added. Currently only system that use ``dlopen``-style dynamic
  linking are supported.

* On GCC 4.3 and later, use the byteswap intrinsic functions.

* Drop support for building with Python 2.4

* Fix benchmarking of block ciphers in ECB mode

* Consolidate the two x86 assembly engines

* Rename S2K to PBKDF

Version 1.9.9, 2010-06-28
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

A new pure virtual function has been added to ``Filter``, ``name``
which simply returns some useful identifier for the object. Any
out-of-tree ``Filter`` implementations will need to be updated.

Add ``Keyed_Filter::valid_iv_length`` which makes it possible to query
as to what IV length(s) a particular filter allows. Previously,
partially because there was no such query mechanism, if a filter did
not support IVs at all, then calls to ``set_iv`` would be silently
ignored. Now an exception about the invalid IV length will be thrown.

The default iteration count for the password based encryption schemes
has been increased from 2048 to 10000. This should make
password-guessing attacks against private keys encrypted with versions
after this release somewhat harder.

New functions for encoding public and private keys to binary,
``X509::BER_encode`` and ``PKCS8::BER_encode`` have been added.

Problems compiling under Apple's version of GCC 4.2.1 and on 64-bit
MIPS systems using GCC 4.4 or later were fixed.

The coverage of Doxygen documentation comments has significantly
improved in this release.

Version 1.8.9, 2010-06-16
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Use constant time multiplication in IDEA

* Avoid possible timing attack against OAEP decoding

* Add new X509::BER_encode and PKCS8::BER_encode

* Enable DLL builds under Windows

* Add Win32 installer support

* Add support for the Clang compiler

* Fix problem in semcem.h preventing build under Clang or GCC 3.4

* Fix bug that prevented creation of DSA groups under 1024 bits

* Fix crash in GMP_Engine if library is shutdown and reinitialized and
  a PK algorithm was used after the second init

* Work around problem with recent binutils in x86-64 SHA-1

* The Perl build script is no longer supported and refuses to run by
  default. If you really want to use it, pass
  ``--i-know-this-is-broken`` to the script.

Version 1.9.8, 2010-06-14
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add support for wide multiplications on 64-bit Windows
* Use constant time multiplication in IDEA
* Avoid possible timing attack against OAEP decoding
* Removed FORK-256; rarely used and it has been broken
* Rename ``--use-boost-python`` to ``--with-boost-python``
* Skip building shared libraries on MinGW/Cygwin
* Fix creation of 512 and 768 bit DL groups using the DSA kosherizer
* Fix compilation on GCC versions before 4.3 (missing cpuid.h)
* Fix compilation under the Clang compiler

Version 1.9.7, 2010-04-27
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* TLS: Support reading SSLv2 client hellos
* TLS: Add support for SEED ciphersuites (RFC 4162)
* Add Comb4P hash combiner function

* Fix checking of EMSA_Raw signatures with leading 0 bytes, valid
  signatures could be rejected in certain scenarios.

Version 1.9.6, 2010-04-09
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* TLS: Add support for TLS v1.1
* TLS: Support server name indicator extension
* TLS: Fix server handshake
* TLS: Fix server using DSA certificates
* TLS: Avoid timing channel between CBC padding check and MAC verification

Version 1.9.5, 2010-03-29
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Numerous ECC optimizations
* Fix GOST 34.10-2001 X.509 key loading
* Allow PK_Signer's fault protection checks to be toggled off
* Avoid using pool-based locking allocator if we can't mlock
* Remove all runtime options
* New BER_Decoder::{decode_and_check, decode_octet_string_bigint}
* Remove SecureBuffer in favor of SecureVector length parameter
* HMAC_RNG: Perform a poll along with user-supplied entropy
* Fix crash in MemoryRegion if Allocator::get failed
* Fix small compilation problem on FreeBSD

Version 1.9.4, 2010-03-09
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add the Ajisai SSLv3/TLSv1.0 implementation

* Add GOST 34.10-2001 public key signature scheme
* Add SIMD implementation of Noekeon

* Add SSE2 implementation of IDEA

* Extend Salsa20 to support longer IVs (XSalsa20)

* Perform XTS encryption and decryption in parallel where possible

* Perform CBC decryption in parallel where possible

* Add SQLite3 db encryption codec, contributed by Olivier de Gaalon

* Add a block cipher cascade construction

* Add support for password hashing for authentication (passhash9.h)

* Add support for Win32 high resolution system timers

* Major refactoring and API changes in the public key code

* PK_Signer class now verifies all signatures before releasing them to
  the caller; this should help prevent a wide variety of fault
  attacks, though it does have the downside of hurting signature
  performance, particularly for DSA/ECDSA.

* Changed S2K interface: derive_key now takes salt, iteration count

* Remove dependency on TR1 shared_ptr in ECC and CVC code

* Renamed ECKAEG to its more usual name, ECDH

* Fix crash in GMP_Engine if library is shutdown and reinitialized

* Fix an invalid memory read in MD4

* Fix Visual C++ static builds

* Remove Timer class entirely

* Switch default PKCS #8 encryption algorithm from 3DES to AES-128

* New configuration option, ``--gen-amalgamation``, creates a pair of
  files (``botan_all.cpp`` and ``botan_all.h``) which contain the
  contents of the library as it would have normally been compiled
  based on the set configuration.

* Many headers are now explicitly internal-use-only and are not installed

* Greatly improve the Win32 installer

* Several fixes for Visual C++ debug builds

Version 1.9.3, 2009-11-19
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add new AES implementation using Intel's AES instruction intrinsics
* Add an implementation of format preserving encryption
* Allow use of any hash function in X.509 certificate creation
* Optimizations for MARS, Skipjack, and AES
* Set macros for available SIMD instructions in build.h
* Add support for using InnoSetup to package Windows builds
* By default build a DLL on Windows

Version 1.8.8, 2009-11-03
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Alter Skein-512 to match the tweaked 1.2 specification
* Fix use of inline asm for access to x86 bswap function
* Allow building the library without AES enabled
* Add 'powerpc64' alias to ppc64 arch for Gentoo ebuild

Version 1.9.2, 2009-11-03
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add SIMD version of XTEA
* Support both SSE2 and AltiVec SIMD for Serpent and XTEA
* Optimizations for SHA-1 and SHA-2
* Add AltiVec runtime detection
* Fix x86 CPU identification with Intel C++ and Visual C++

Version 1.9.1, 2009-10-23
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Better support for Python and Perl wrappers
* Add an implementation of Blue Midnight Wish (Round 2 tweak version)
* Modify Skein-512 to match the tweaked 1.2 specification
* Add threshold secret sharing (draft-mcgrew-tss-02)
* Add runtime cpu feature detection for x86/x86-64
* Add code for general runtime self testing for hashes, MACs, and ciphers
* Optimize XTEA; twice as fast as before on Core2 and Opteron
* Convert CTR_BE and OFB from filters to stream ciphers
* New parsing code for SCAN algorithm names
* Enable SSE2 optimizations under Visual C++
* Remove all use of C++ exception specifications
* Add support for GNU/Hurd and Clang/LLVM

Version 1.8.7, 2009-09-09
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix processing multiple messages in XTS mode
* Add --no-autoload option to configure.py, for minimized builds

Version 1.9.0, 2009-09-09
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add support for parallel invocation of block ciphers where possible
* Add SSE2 implementation of Serpent
* Add Rivest's package transform (an all or nothing transform)
* Minor speedups to the Turing key schedule
* Fix processing multiple messages in XTS mode
* Add --no-autoload option to configure.py, for minimized builds
* The previously used configure.pl script is no longer supported

Version 1.8.6, 2009-08-13
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add Cryptobox, a set of simple password-based encryption routines
* Only read world-readable files when walking /proc for entropy
* Fix building with TR1 disabled
* Fix x86 bswap support for Visual C++
* Fixes for compilation under Sun C++
* Add support for Dragonfly BSD (contributed by Patrick Georgi)
* Add support for the Open64 C++ compiler
* Build fixes for MIPS systems running Linux
* Minor changes to license, now equivalent to the FreeBSD/NetBSD license

Version 1.8.5, 2009-07-23
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Change configure.py to work on stock Python 2.4
* Avoid a crash in Skein_512::add_data processing a zero-length input
* Small build fixes for SPARC, ARM, and HP-PA processors
* The test suite now returns an error code from main() if any tests failed

Version 1.8.4, 2009-07-12
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix a bug in nonce generation in the Miller-Rabin test

Version 1.8.3, 2009-07-11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add a new Python configuration script
* Add the Skein-512 SHA-3 candidate hash function
* Add the XTS block cipher mode from IEEE P1619
* Fix random_prime when generating a prime of less than 7 bits
* Improve handling of low-entropy situations during PRNG seeding
* Change random device polling to prefer /dev/urandom over /dev/random
* Use an input insensitive implementation of same_mem instead of memcmp
* Correct DataSource::discard_next to return the number of discarded bytes
* Provide a default value for AutoSeeded_RNG::reseed
* Fix Gentoo bug 272242

Version 1.8.2, 2009-04-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Make entropy polling more flexible and in most cases faster
* GOST 28147 now supports multiple sbox parameters
* Added the GOST 34.11 hash function
* Fix botan-config problems on MacOS X

Version 1.8.1, 2009-01-20
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Avoid a valgrind warning in es_unix.cpp on 32-bit Linux
* Fix memory leak in PKCS8 load_key and encrypt_key
* Relicense api.tex from CC-By-SA 2.5 to BSD
* Fix botan-config on MacOS X, Solaris

Version 1.8.0, 2008-12-08
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix compilation on Solaris with GCC

Version 1.7.24, 2008-12-01
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix a compatibility problem with SHA-512/EMSA3 signature padding
* Fix bug preventing EGD/PRNGD entropy poller from working
* Fix integer overflow in Pooling_Allocator::get_more_core (bug id #27)
* Add EMSA3_Raw, a variant of EMSA3 called CKM_RSA_PKCS in PKCS #11
* Add support for SHA-224 in EMSA2 and EMSA3 PK signature padding schemes
* Add many more test vectors for RSA with EMSA2, EMSA3, and EMSA4
* Wrap private structs in SSE2 SHA-1 code in anonymous namespace
* Change configure.pl's CPU autodetection output to be more consistent
* Disable using OpenSSL's AES due to crashes of unknown cause
* Fix warning in /proc walking entropy poller
* Fix compilation with IBM XLC for Cell 0.9-200709

Version 1.7.23, 2008-11-23
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Change to use TR1 (thus enabling ECDSA) with GCC and ICC
* Optimize almost all hash functions, especially MD4 and Tiger
* Add configure.pl options --{with,without}-{bzip2,zlib,openssl,gnump}
* Change Timer to be pure virtual, and add ANSI_Clock_Timer
* Cache socket descriptors in the EGD entropy source
* Avoid bogging down startup in /proc walking entropy source
* Remove Buffered_EntropySource helper class
* Add a Default_Benchmark_Timer typedef in benchmark.h
* Add examples using benchmark.h and Algorithm_Factory
* Add ECC tests from InSiTo
* Minor documentation updates

Version 1.7.22, 2008-11-17
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add provider preferences to Algorithm_Factory
* Fix memory leaks in PBE_PKCS5v20 and get_pbe introduced in 1.7.21
* Optimize AES encryption and decryption (about 10% faster)
* Enable SSE2 optimized SHA-1 implementation on Intel Prescott CPUs
* Fix nanoseconds overflow in benchmark code
* Remove Engine::add_engine

Version 1.7.21, 2008-11-11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Make algorithm lookup much more configuable
* Add facilities for runtime performance testing of algorithms
* Drop use of entropy estimation in the PRNGs
* Increase intervals between HMAC_RNG automatic reseeding
* Drop InitializerOptions class, all options but thread safety

Version 1.7.20, 2008-11-09
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Namespace pkg-config file by major and minor versions
* Cache device descriptors in Device_EntropySource
* Split base.h into {block_cipher,stream_cipher,mac,hash}.h
* Removed get_mgf function from lookup.h

Version 1.7.19, 2008-11-06
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add HMAC_RNG, based on a design by Hugo Krawczyk
* Optimized the Turing stream cipher (about 20% faster on x86-64)
* Modify Randpool's reseeding algorithm to poll more sources
* Add a new AutoSeeded_RNG in auto_rng.h
* OpenPGP_S2K changed to take hash object instead of name
* Add automatic identification for Intel's Prescott processors

Version 1.7.18, 2008-10-22
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add Doxygen comments from InSiTo
* Add ECDSA and ECKAEG benchmarks
* Add configure.pl switch --with-tr1-implementation
* Fix configure.pl's --with-endian and --with-unaligned-mem options
* Added support for pkg-config
* Optimize byteswap with x86 inline asm for Visual C++ by Yves Jerschow
* Use const references to avoid copying overhead in CurveGFp, GFpModulus

Version 1.7.17, 2008-10-12
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add missing ECDSA object identifiers
* Fix error in x86 and x86-64 assembler affecting GF(p) math
* Remove Boost dependency from GF(p) math
* Modify botan-config to not print -L/usr/lib or -L/usr/local/lib
* Add BOTAN_DLL macro to over 30 classes missing it
* Rename the two SHA-2 base classes for consistency

Version 1.7.16, 2008-10-09
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add several missing pieces needed for ECDSA and ECKAEG
* Add Card Verifiable Certificates from InSiTo
* Add SHA-224 from InSiTo
* Add BSI variant of EMSA1 from InSiTo
* Add GF(p) and ECDSA tests from InSiTo
* Split ECDSA and ECKAEG into distinct modules
* Allow OpenSSL and GNU MP engines to be built with public key algos disabled
* Rename sha256.h to sha2_32.h and sha_64.h to sha2_64.h

Version 1.7.15, 2008-10-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add GF(p) arithmetic from InSiTo
* Add ECDSA and ECKAEG implementations from InSiTo
* Minimize internal dependencies, allowing for smaller build configurations
* Add new User Manual and Architecture Guide from FlexSecure GmbH
* Alter configure.pl options for better autotools compatibility
* Update build instructions for recent changes to configure.pl
* Fix CPU detection using /proc/cpuinfo

Version 1.7.14, 2008-09-30
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Split library into parts allowing modular builds
* Add (very preliminary) CMS support to the main library
* Some constructors now require object pointers instead of names
* Support multiple implementations of the same algorithm
* Build support for Pentium-M processors, from Derek Scherger
* Build support for MinGW/MSYS, from Zbigniew Zagorski
* Use inline assembly for bswap on 32-bit x86

Version 1.7.13, 2008-09-27
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add SSLv3 MAC, SSLv3 PRF, and TLS v1.0 PRF from Ajisai
* Allow all examples to compile even if compression not enabled
* Make CMAC's polynomial doubling operation a public class method
* Use the -m64 flag when compiling with Sun Forte on x86-64
* Clean up and slightly optimize CMAC::final_result

Version 1.7.12, 2008-09-18
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add x86 assembly for Visual Studio C++, by Luca Piccarreta
* Add a Perl XS module, by Vaclav Ovsik
* Add SWIG-based wrapper for Botan
* Add SSE2 implementation of SHA-1, by Dean Gaudet
* Remove the BigInt::sig_words cache due to bugs
* Combined the 4 Blowfish sboxes, suggested by Yves Jerschow
* Changed BigInt::grow_by and BigInt::grow_to to be non-const
* Add private assignment operators to classes that don't support assignment
* Benchmark RSA encryption and signatures
* Added test programs for random_prime and ressol
* Add high resolution timers for IA-64, HP-PA, S390x
* Reduce use of the RNG during benchmarks
* Fix builds on STI Cell PPU
* Add support for IBM's XLC compiler
* Add IETF 8192 bit MODP group

Version 1.7.11, 2008-09-11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Added the Salsa20 stream cipher
* Optimized Montgomery reduction, Karatsuba squaring
* Added 16x16->32 word Comba multiplication and squaring
* Use a much larger Karatsuba cutoff point
* Remove bigint_mul_add_words
* Inlined several BigInt functions
* Add useful information to the generated build.h
* Rename alg_{ia32,amd64} modules to asm_{ia32,amd64}
* Fix the Windows build

Version 1.7.10, 2008-09-05
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Public key benchmarks run using a selection of random keys
* New benchmark timer options are clock_gettime, gettimeofday, times, clock
* Including reinterpret_cast optimization for xor_buf in default header
* Split byte swapping and word rotation functions into distinct headers
* Add IETF modp 6144 group and 2048 and 3072 bit DSS groups
* Optimizes BigInt right shift
* Add aliases in DL_Group::Format enum
* BigInt now caches the significant word count

Version 1.6.5, 2008-08-27
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add noexec stack marker for GNU linker in assembly code
* Fix autoconfiguration problem on x86 with GCC 4.2 and 4.3

Version 1.7.9, 2008-08-27
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Make clear() in most algorithm base classes a pure virtual
* Add noexec stack marker for GNU linker in assembly code
* Avoid string operations in ressol
* Compilation fixes for MinGW and Visual Studio C++ 2008
* Some autoconfiguration fixes for Windows

Version 1.7.8, 2008-07-15
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Added the block cipher Noekeon
* Remove global deref_alias function
* X509_Store takes timeout options as constructor arguments
* Add Shanks-Tonelli algorithm, contributed by FlexSecure GmbH
* Extend random_prime() for generating primes of any bit length
* Remove Config class
* Allow adding new entropy via base RNG interface
* Reseeding a X9.31 PRNG also reseeds the underlying PRNG

Version 1.7.7, 2008-06-28
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Remove the global PRNG object
* The PK filter objects were removed
* Add a test suite for the ANSI X9.31 PRNG
* Much cleaner and (mostly) thread-safe reimplementation of es_ftw
* Remove both default arguments to ANSI_X931_RNG's constructor
* Remove the randomizing version of OctetString::change
* Make the cipher and MAC to use in Randpool configurable
* Move RandomNumberGenerator declaration to rng.h
* RSA_PrivateKey will not generate keys smaller than 1024 bits
* Fix an error decoding BER UNIVERSAL types with special taggings

Version 1.7.6, 2008-05-05
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Initial support for Windows DLLs, from Joel Low
* Reset the position pointer when a new block is generated in X9.32 PRNG
* Timer objects are now treated as entropy sources
* Moved several ASN.1-related enums from enums.h to an appropriate header
* Removed the AEP module, due to inability to test
* Removed Global_RNG and rng.h
* Removed system_clock
* Removed Library_State::UI and the pulse callback logic

Version 1.7.5, 2008-04-12
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The API of X509_CA::sign_request was altered to avoid race conditions
* New type Pipe::message_id to represent the Pipe message number
* Remove the Named_Mutex_Holder for a small performance gain
* Removed several unused or rarely used functions from Config
* Ignore spaces inside of a decimal string in BigInt::decode
* Allow using a std::istream to initialize a DataSource_Stream object
* Fix compilation problem in zlib compression module
* The chunk sized used by Pooling_Allocator is now a compile time setting
* The size of random blinding factors is now a compile time setting
* The install target no longer tries to set a particular owner/group

Version 1.7.4, 2008-03-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Use unaligned memory read/writes on systems that allow it, for performance
* Assembly for x86-64 for accessing the bswap instruction
* Use larger buffers in ARC4 and WiderWAKE for significant throughput increase
* Unroll loops in SHA-160 for a few percent increase in performance
* Fix compilation with GCC 3.2 in es_ftw and es_unix
* Build fix for NetBSD systems
* Prevent es_dev from being built except on Unix systems

Version 1.6.4, 2008-03-08
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix a compilation problem with Visual Studio C++ 2003

Version 1.7.3, 2008-01-23
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* New invocation syntax for configure.pl with several new options
* Support for IPv4 addresses in a subject alternative name
* New fast poll for the generic Unix entropy source (es_unix)
* The es_file entropy source has been replaced by the es_dev module
* The malloc allocator does not inherit from Pooling_Allocator anymore
* The path that es_unix will search in are now fully user-configurable
* Truncate X9.42 PRF output rather than allow counter overflow
* PowerPC is now assumed to be big-endian

Version 1.7.2, 2007-10-13
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Initialize the global library state lazily
* Add plain CBC-MAC for backwards compatibility with old systems
* Clean up some of the self test code
* Throw a sensible exception if a DL_Group is not found
* Truncate KDF2 output rather than allowing counter overflow
* Add newly assigned OIDs for SHA-2 and DSA with SHA-224/256
* Fix a Visual Studio compilation problem in x509stat.cpp

Version 1.6.3, 2007-07-23
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix a race condition in the algorithm lookup cache
* Fix problems building the memory pool on some versions of Visual C++

Version 1.7.1, 2007-07-23
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix a race condition in the algorithm object cache
* HMAC key schedule optimization
* The build header sets a macro defining endianness, if known
* New word load/store abstraction allowing further optimization
* Modify most of the library to avoid use the C-style casts
* Use higher resolution timers in symmetric benchmarks

Version 1.7.0, 2007-05-19
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* DSA parameter generation now follows FIPS 186-3
* Added OIDs for Rabin-Williams and Nyberg-Rueppel
* Somewhat better support for out of tree builds
* Minor optimizations for RC2 and Tiger
* Documentation updates
* Update the todo list

Version 1.6.2, 2007-03-24
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix autodection on Athlon64s running Linux
* Fix builds on QNX and compilers using STLport
* Remove a call to abort() that crept into production

Version 1.6.1, 2007-01-20
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix some base64 decoder bugs
* Add a new option to base64 encoding, to always append a newline
* Fix some build problems under Visual Studio with debug enabled
* Fix a bug in BER_Decoder that was triggered under some compilers

Version 1.6.0, 2006-12-17
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Minor cleanups versus 1.5.13

Version 1.5.13, 2006-12-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Compilation fixes for the bzip2, zlib, and GNU MP modules
* Better support for Intel C++ and EKOpath C++ on x86-64

Version 1.5.12, 2006-10-27
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Cleanups in the initialization routines
* Add some x86-64 assembly for multiply-add
* Fix problems generating very small (below 384 bit) RSA keys
* Support out of tree builds
* Bring some of the documentation up to date
* More improvements to the Python bindings

Version 1.5.11, 2006-09-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Removed the Algorithm base class
* Various cleanups in the public key inheritance hierarchy
* Major overhaul of the configure/build setup
* Added x86 assembler implementations of Serpent and low-level MPI code
* Optimizations for the SHA-1 x86 assembler
* Various improvements to the Python wrappers
* Work around a Visual Studio compiler bug

Version 1.5.10, 2006-08-13
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add x86 assembler versions of MD4, MD5, and SHA-1
* Expand InitializerOptions' language to support on/off switches
* Fix definition of OID 2.5.4.8; was accidentally changed in 1.5.9
* Fix possible resource leaks in the mmap allocator
* Slightly optimized buffering in MDx_HashFunction
* Initialization failures are dealt with somewhat better
* Add an example implementing Pollard's Rho algorithm
* Better option handling in the test/benchmark tool
* Expand the xor_ciph example to support longer keys
* Some updates to the documentation

Version 1.5.9, 2006-07-12
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fixed bitrot in the AEP engine
* Fix support for marking certificate/CRL extensions as critical
* Significant cleanups in the library state / initialization code
* LibraryInitializer takes an explicit InitializerOptions object
* Make Mutex_Factory an abstract class, add Default_Mutex_Factory
* Change configuration access to using global_state()
* Add support for global named mutexes throughout the library
* Add some STL wrappers for the delete operator
* Change how certificates are created to be more flexible and general

Version 1.5.8, 2006-06-23
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Many internal cleanups to the X.509 cert/CRL code
* Allow for application code to support new X.509 extensions
* Change the return type of X509_Certificate::{subject,issuer}_info
* Allow for alternate character set handling mechanisms
* Fix a bug that was slowing squaring performance somewhat
* Fix a very hard to hit overflow bug in the C version of word3_muladd
* Minor cleanups to the assembler modules
* Disable es_unix module on FreeBSD due to build problem on FreeBSD 6.1
* Support for GCC 2.95.x has been dropped in this release

Version 1.5.7, 2006-05-28
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Further, major changes to the BER/DER coding system
* Updated the Qt mutex module to use Mutex_Factory
* Moved the library global state object into an anonymous namespace
* Drop the Visual C++ x86 assembly module due to bugs

Version 1.5.6, 2006-03-01
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The low-level DER/BER coding system was redesigned and rewritten
* Portions of the certificate code were cleaned up internally
* Use macros to substantially clean up the GCC assembly code
* Added 32-bit x86 assembly for Visual C++ (by Luca Piccarreta)
* Avoid a couple of spurious warnings under Visual C++
* Some slight cleanups in X509_PublicKey::key_id

Version 1.5.5, 2006-02-04
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fixed a potential infinite loop in the memory pool code (Matt Johnston)
* Made Pooling_Allocator::Memory_Block an actual class of sorts
* Some small optimizations to the division and modulo computations
* Cleaned up the implementation of some of the BigInt operators
* Reduced use of dynamic memory allocation in low-level BigInt functions
* A few simplifications in the Randpool mixing function
* Removed power(), as it was not particularly useful (or fast)
* Fixed some annoying bugs in the benchmark code
* Added a real credits file

Version 1.5.4, 2006-01-29
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Integrated x86 and amd64 assembly code, contributed by Luca Piccarreta
* Fixed a memory access off-by-one in the Karatsuba code
* Changed Pooling_Allocator's free list search to a log(N) algorithm
* Merged ModularReducer with its only subclass, Barrett_Reducer
* Fixed sign-handling bugs in some of the division and modulo code
* Renamed the module description files to modinfo.txt
* Further cleanups in the initialization code
* Removed BigInt::add and BigInt::sub
* Merged all the division-related functions into just divide()
* Modified the <mp_asmi.h> functions to allow for better optimizations
* Made the number of bits polled from an EntropySource user configurable
* Avoid including <algorithm> in <botan/secmem.h>
* Fixed some build problems with Sun Forte
* Removed some dead code from bigint_modop
* Fix the definition of same_mem

Version 1.5.3, 2006-01-24
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Many optimizations in the low-level multiple precision integer code
* Added hooks for assembly implementations of the MPI code
* Support for the X.509 issuer alternative name extension in new certs
* Fixed a bug in the decompression modules; found and patched by Matt Johnston
* New Windows mutex module (mux_win32), by Luca Piccarreta
* Changed the Windows timer module to use QueryPerformanceCounter
* mem_pool.cpp was using std::set iterators instead of std::multiset ones
* Fixed a bug in X509_CA preventing users from disabling particular extensions
* Fixed the mp_asm64 module, which was entirely broken in 1.5.2
* Fixed some module build problems on FreeBSD and Tru64

Version 1.4.12, 2006-01-15
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fixed an off-by-one memory read in MISTY1::key()
* Fixed a nasty memory leak in Output_Buffers::retire()
* Changed maximum HMAC keylength to 1024 bits
* Fixed a build problem in the hardware timer module on 64-bit PowerPC

Version 1.5.2, 2006-01-15
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fixed an off-by-one memory read in MISTY1::key()
* Fixed a nasty memory leak in Output_Buffers::retire()
* Reimplemented the memory allocator from scratch
* Improved memory caching in Montgomery exponentiation
* Optimizations for multiple precision addition and subtraction
* Fixed a build problem in the hardware timer module on 64-bit PowerPC
* Changed default Karatsuba cutoff to 12 words (was 14)
* Removed MemoryRegion::bits(), which was unused and incorrect
* Changed maximum HMAC keylength to 1024 bits
* Various minor Makefile and build system changes
* Avoid using std::min in <secmem.h> to bypass Windows libc macro pollution
* Switched checks/clock.cpp back to using clock() by default
* Enabled the symmetric algorithm tests, which were accidentally off in 1.5.1
* Removed the Default_Mutex's unused clone() member function

Version 1.5.1, 2006-01-08
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Implemented Montgomery exponentiation
* Implemented generalized Karatsuba multiplication and squaring
* Implemented Comba squaring for 4, 6, and 8 word inputs
* Added new Modular_Exponentiator and Power_Mod classes
* Removed FixedBase_Exp and FixedExponent_Exp
* Fixed a performance regression in get_allocator introduced in 1.5.0
* Engines can now offer S2K algorithms and block cipher padding methods
* Merged the remaining global 'algolist' code into Default_Engine
* The low-level MPI code is linked as C again
* Replaced BigInt's get_nibble with the more general get_substring
* Some documentation updates

Version 1.5.0, 2006-01-01
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Moved all global/shared library state into a single object
* Mutex objects are created through mutex factories instead of a global
* Removed ::get_mutex(), ::initialize_mutex(), and Mutex::clone()
* Removed the RNG_Quality enum entirely
* There is now only a single global-use PRNG
* Removed the no_aliases and no_oids options for LibraryInitializer
* Removed the deprecated algorithms SEAL, ISAAC, and HAVAL
* Change es_ftw to use unbuffered I/O

Version 1.4.11, 2005-12-31
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Changed Whirlpool diffusion matrix to match updated algorithm spec
* Fixed several engine module build errors introduced in 1.4.10
* Fixed two build problems in es_capi; reported by Matthew Gregan
* Added a constructor to DataSource_Memory taking a std::string
* Placing the same Filter in multiple Pipes triggers an exception
* The configure script accepts --docdir and --libdir
* Merged doc/rngs.txt into the main API document
* Thanks to Joel Low for several bug reports on early tarballs of 1.4.11

Version 1.4.10, 2005-12-18
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Added an implementation of KASUMI, the block cipher used in 3G phones
* Refactored Pipe; output queues are now managed by a distinct class
* Made certain Filter facilities only available to subclasses of Fanout_Filter
* There is no longer any overhead in Pipe for a message that has been read out
* It is now possible to generate RSA keys as small as 128 bits
* Changed some of the core classes to derive from Algorithm as a virtual base
* Changed Randpool to use HMAC instead of a plain hash as the mixing function
* Fixed a bug in the allocators; found and fixed by Matthew Gregan
* Enabled the use of binary file I/O, when requested by the application
* The OpenSSL engine's block cipher code was missing some deallocation calls
* Disabled the es_ftw module on NetBSD, due to header problems there
* Fixed a problem preventing tm_hard from building on MacOS X on PowerPC
* Some cleanups for the modules that use inline assembler
* config.h is now stored in build/ instead of build/include/botan/
* The header util.h was split into bit_ops.h, parsing.h, and util.h
* Cleaned up some redundant include directives

Version 1.4.9, 2005-11-06
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Added the IBM-created AES candidate algorithm MARS
* Added the South Korean block cipher SEED
* Added the stream cipher Turing
* Added the new hash function FORK-256
* Deprecated the ISAAC stream cipher
* Twofish and RC6 are significantly faster with GCC
* Much better support for 64-bit PowerPC
* Added support for high-resolution PowerPC timers
* Fixed a bug in the configure script causing problems on FreeBSD
* Changed ANSI X9.31 to support arbitrary block ciphers
* Make the configure script a bit less noisy
* Added more test vectors for some algorithms, including all the AES finalists
* Various cosmetic source code cleanups

Version 1.4.8, 2005-10-16
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Resolved a bad performance problem in the allocators; fix by Matt Johnston
* Worked around a Visual Studio 2003 compilation problem introduced in 1.4.7
* Renamed OMAC to CMAC to match the official NIST naming
* Added single byte versions of update() to PK_Signer and PK_Verifier
* Removed the unused reverse_bits and reverse_bytes functions

Version 1.4.7, 2005-09-25
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fixed major performance problems with recent versions of GNU C++
* Added an implementation of the X9.31 PRNG
* Removed the X9.17 and FIPS 186-2 PRNG algorithms
* Changed defaults to use X9.31 PRNGs as global PRNG objects
* Documentation updates to reflect the PRNG changes
* Some cleanups related to the engine code
* Removed two useless headers, base_eng.h and secalloc.h
* Removed PK_Verifier::valid_signature
* Fixed configure/build system bugs affecting MacOS X builds
* Added support for the EKOPath x86-64 compiler
* Added missing destructor for BlockCipherModePaddingMethod
* Fix some build problems with Visual C++ 2005 beta
* Fix some build problems with Visual C++ 2003 Workshop

Version 1.4.6, 2005-03-13
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix an error in the shutdown code introduced in 1.4.5
* Setting base/pkcs8_tries to 0 disables the builtin fail-out
* Support for XMPP identifiers in X.509 certificates
* Duplicate entries in X.509 DNs are removed
* More fixes for Borland C++, from Friedemann Kleint
* Add a workaround for buggy iostreams

Version 1.4.5, 2005-02-26
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add support for AES encryption of private keys
* Minor fixes for PBES2 parameter decoding
* Internal cleanups for global state variables
* GCC 3.x version detection was broken in non-English locales
* Work around a Sun Forte bug affecting mem_pool.h
* Several fixes for Borland C++ 5.5, from Friedemann Kleint
* Removed inclusion of init.h into base.h
* Fixed a major bug in reading from certificate stores
* Cleaned up a couple of mutex leaks
* Removed some left-over debugging code
* Removed SSL3_MAC, SSL3_PRF, and TLS_PRF

Version 1.4.4, 2004-12-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Further tweaks to the pooling allocator
* Modified EMSA3 to support SSL/TLS signatures
* Changes to support Qt/QCA, from Justin Karneges
* Moved mux_qt module code into mod_qt
* Fixes for HP-UX from Mike Desjardins

Version 1.4.3, 2004-11-06
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Split up SecureAllocator into Allocator and Pooling_Allocator
* Memory locking allocators are more likely to be used
* Fixed the placement of includes in some modules
* Fixed broken installation procedure
* Fixes in configure script to support alternate install programs
* Modules can specify the minimum version they support

Version 1.4.2, 2004-10-31
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fixed a major CRL handling bug
* Cipher and hash operations can be offloaded to engines
* Added support for cipher and hash offload in OpenSSL engine
* Improvements for 64-bit CPUs without a widening multiply instruction
* Support for SHA2-* and Whirlpool with EMSA2
* Fixed a long-standing build problem with conflicting include files
* Fixed some examples that hadn't been updated for 1.4.x
* Portability fixes for Solaris, BSD, HP-UX, and others
* Lots of fixes and cleanups in the configure script
* Updated the Gentoo ebuild file

Version 1.4.1, 2004-10-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fixed major errors in the X.509 and PKCS #8 copy_key functions
* Added a LAST_MESSAGE meta-message number for Pipe
* Added new aliases (3DES and DES-EDE) for Triple-DES
* Added some new functions to PK_Verifier
* Cleaned up the KDF interface
* Disabled tm_posix on BSD due to header issues
* Fixed a build problem on PowerPC with GNU C++ pre-3.4

Version 1.4.0, 2004-06-26
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Added the FIPS 186 RNG back
* Added copy_key functions for X.509 public keys and PKCS #8 private keys
* Fixed PKCS #1 signatures with RIPEMD-128
* Moved some code around to avoid warnings with Sun ONE compiler
* Fixed a bug in botan-config affecting OpenBSD
* Fixed some build problems on Tru64, HP-UX
* Fixed compile problems with Intel C++, Compaq C++

Version 1.3.14, 2004-06-12
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Added support for AEP's AEP1000/AEP2000 crypto cards
* Added a Mutex module using Qt, from Justin Karneges
* Added support for engine loading in LibraryInitializer
* Tweaked SecureAllocator, giving 20% better performance under heavy load
* Added timer and memory locking modules for Win32 (tm_win32, ml_win32)
* Renamed PK_Engine to Engine_Core
* Improved the Karatsuba cutoff points
* Fixes for compiling with GCC 3.4 and Sun C++ 5.5
* Fixes for Linux/s390, OpenBSD, and Solaris
* Added support for Linux/s390x
* The configure script was totally broken for 'generic' OS
* Removed Montgomery reduction due to bugs
* Removed an unused header, pkcs8alg.h
* check --validate returns an error code if any tests failed
* Removed duplicate entry in Unix command list for es_unix
* Moved the Cert_Usage enumeration into X509_Store
* Added new timing methods for PK benchmarks, clock_gettime and RDTSC
* Fixed a few minor bugs in the configure script
* Removed some deprecated functions from x509cert.h and pkcs10.h
* Removed the 'minimal' module, has to be updated for Engine support
* Changed MP_WORD_BITS macro to BOTAN_MP_WORD_BITS to clean up namespace
* Documentation updates

Version 1.3.13, 2004-05-15
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Major fixes for Cygwin builds
* Minor MacOS X install fixes
* The configure script is a little better at picking the right modules
* Removed ml_unix from the 'unix' module set for Cygwin compatibility
* Fixed a stupid compile problem in pkcs10.h

Version 1.3.12, 2004-05-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Added ability to remove old entries from CRLs
* Swapped the first two arguments of X509_CA::update_crl()
* Added an < operator for MemoryRegion, so it can be used as a std::map key
* Changed X.509 searching by DNS name from substring to full string compares
* Renamed a few X509_Certificate and PKCS10_Request member functions
* Fixed a problem when decoding some PKCS #10 requests
* Hex_Decoder would not check inputs, reported by Vaclav Ovsik
* Changed default CRL expire time from 30 days to 7 days
* X509_CRL's default PEM header is now "X509 CRL", for OpenSSL compatibility
* Corrected errors in the API doc, fixes from Ken Perano
* More documentation about the Pipe/Filter code

Version 1.3.11, 2004-04-01
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fixed two show-stopping bugs in PKCS10_Request
* Added some sanity checks in Pipe/Filter
* The DNS and URI entries would get swapped in subjectAlternativeNames
* MAC_Filter is now willing to not take a key at creation time
* Setting the expiration times of certs and CRLs is more flexible
* Fixed problems building on AIX with GCC
* Fixed some problems in the tutorial pointed out by Dominik Vogt
* Documentation updates

Version 1.3.10, 2004-03-27
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Added support for OpenPGP's ASCII armor format
* Cleaned up the RNG system; seeding is much more flexible
* Added simple autoconfiguration abilities to configure.pl
* Fixed a GCC 2.95.x compile problem
* Updated the example configuration file
* Documentation updates

Version 1.3.9, 2004-03-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Added an engine using OpenSSL (requires 0.9.7 or later)
* X509_Certificate would lose email addresses stored in the DN
* Fixed a missing initialization in a BigInt constructor
* Fixed several Visual C++ compile problems
* Fixed some BeOS build problems
* Fixed the WiderWake benchmark

Version 1.3.8, 2003-12-30
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Initial introduction of engine support, which separates PK keys from
  the underlying operations. An engine using GNU MP was added.

* DSA, DH, NR, and ElGamal constructors accept taking just the private
  key again since the public key is easily derived from it.

* Montgomery reduction support was added.
* ElGamal keys now support being imported/exported as ASN.1 objects
* Added Montgomery reductions
* Added an engine that uses GNU MP (requires 4.1 or later)
* Removed the obsolete mp_gmp module
* Moved several initialization/shutdown functions to init.h
* Major refactoring of the memory containers
* New non-locking container, MemoryVector
* Fixed 64-bit problems in BigInt::set_bit/clear_bit
* Renamed PK_Key::check_params() to check_key()
* Some incompatible changes to OctetString
* Added version checking macros in version.h
* Removed the fips140 module pending rewrite
* Added some functions and hooks to help GUIs
* Moved more shared code into MDx_HashFunction
* Added a policy hook for specifying the encoding of X.509 strings

Version 1.3.7, 2003-12-12
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fixed a big security problem in es_unix (use of untrusted PATH)
* Fixed several stability problems in es_unix
* Expanded the list of programs es_unix will try to use
* SecureAllocator now only preallocates blocks in special cases
* Added a special case in Global_RNG::seed for forcing a full poll
* Removed the FIPS 186 RNG added in 1.3.5 pending further testing
* Configure updates for PowerPC CPUs
* Removed the (never tested) VAX support
* Added support for S/390 Linux

Version 1.3.6, 2003-12-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Added a new module 'minimal', which disables most algorithms
* SecureAllocator allocates a few blocks at startup
* A few minor MPI cleanups
* RPM spec file cleanups and fixes

Version 1.3.5, 2003-11-30
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Major improvements in ASN.1 string handling
* Added partial support for ASN.1 UTF8 STRINGs and BMP STRINGs
* Added partial support for the X.509v3 certificate policies extension
* Centralized the handling of character set information
* Added FIPS 140-2 startup self tests
* Added a module (fips140) for doing extra FIPS 140-2 tests
* Added FIPS 186-2 RNG
* Improved ASN.1 BIT STRING handling
* Removed a memory leak in PKCS10_Request
* The encoding of DirectoryString now follows PKIX guidelines
* Fixed some of the character set dependencies
* Fixed a DER encoding error for tags greater than 30
* The BER decoder can now handle tags larger than 30
* Fixed tm_hard.cpp to recognize SPARC on more systems
* Workarounds for a GCC 2.95.x bug in x509find.cpp
* RPM changed to install into /usr instead of /usr/local
* Added support for QNX

Version 1.2.8, 2003-11-21
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Merged several important bug fixes from 1.3.x

Version 1.3.4, 2003-11-21
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Added a module that does certain MPI operations using GNU MP
* Added the X9.42 Diffie-Hellman PRF
* The Zlib and Bzip2 objects now use custom allocators
* Added member functions for directly hashing/MACing SecureVectors
* Minor optimizations to the MPI addition and subtraction algorithms
* Some cleanups in the low-level MPI code
* Created separate AES-{128,192,256} objects

Version 1.3.3, 2003-11-17
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The library can now be repeatedly initialized and shutdown without crashing
* Fixed an off-by-one error in the CTS code
* Fixed an error in the EMSA4 verification code
* Fixed a memory leak in mutex.cpp (pointed out by James Widener)
* Fixed a memory leak in Pthread_Mutex
* Fixed several memory leaks in the testing code
* Bulletproofed the EMSA/EME/KDF/MGF retrieval functions
* Minor cleanups in SecureAllocator
* Removed a needless mutex guarding the (stateless) global timer
* Fixed a piece of bash-specific code in botan-config
* X.509 objects report more information about decoding errors
* Cleaned up some of the exception handling
* Updated the example config file with new OIDSs
* Moved the build instructions into a separate document, building.tex

Version 1.3.2, 2003-11-13
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fixed a bug preventing DSA signatures from verifying on X.509 objects
* Made the X509_Store search routines more efficient and flexible
* Added a function to X509_PublicKey to do easy public/private key matching
* Added support for decoding indefinite length BER data
* Changed Pipe's peek() to take an offset
* Removed Filter::set_owns in favor of the new incr_owns function
* Removed BigInt::zero() and BigInt::one()
* Renamed the PEM related options from base/pem_* to pem/*
* Added an option to specify the line width when encoding PEM
* Removed the "rng/safe_longterm" option; it's always on now
* Changed the cipher used for RNG super-encryption from ARC4 to WiderWake4+1
* Cleaned up the base64/hex encoders and decoders
* Added an ASN.1/BER decoder as an example
* AES had its internals marked 'public' in previous versions
* Changed the value of the ASN.1 NO_OBJECT enum
* Various new hacks in the configure script
* Removed the already nominal support for SunOS

Version 1.3.1, 2003-11-04
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Generalized a few pieces of the DER encoder
* PKCS8::load_key would fail if handed an unencrypted key
* Added a failsafe so PKCS #8 key decoding can't go into an infinite loop

Version 1.3.0, 2003-11-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Major redesign of the PKCS #8 private key import/export system
* Added a small amount of UI interface code for getting passphrases
* Added heuristics that tell if a key, cert, etc is stored as PEM or BER
* Removed CS-Cipher, SHARK, ThreeWay, MD5-MAC, and EMAC
* Removed certain deprecated constructors of RSA, DSA, DH, RW, NR
* Made PEM decoding more forgiving of extra text before the header

Version 1.2.7, 2003-10-31
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Added support for reading configuration files
* Added constructors so NR and RW keys can be imported easily
* Fixed mp_asm64, which was completely broken in 1.2.6
* Removed tm_hw_ia32 module; replaced by tm_hard
* Added support for loading certain oddly formed RSA certificates
* Fixed spelling of NON_REPUDIATION enum
* Renamed the option default_to_ca to v1_assume_ca
* Fixed a minor bug in X.509 certificate generation
* Fixed a latent bug in the OID lookup code
* Updated the RPM spec file
* Added to the tutorial

Version 1.2.6, 2003-07-04
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Major performance increase for PK algorithms on most 64-bit systems
* Cleanups in the low-level MPI code to support asm implementations
* Fixed build problems with some versions of Compaq's C++ compiler
* Removed useless constructors for NR public and private keys
* Removed support for the patch_file directive in module files
* Removed several deprecated functions

Version 1.2.5, 2003-06-22
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fixed a tricky and long-standing memory leak in Pipe
* Major cleanups and fixes in the memory allocation system
* Removed alloc_mlock, which has been superseded by the ml_unix module
* Removed a denial of service vulnerability in X509_Store
* Fixed compilation problems with VS .NET 2003 and Codewarrior 8
* Added another variant of PKCS8::load_key, taking a memory buffer
* Fixed various minor/obscure bugs which occurred when MP_WORD_BITS != 32
* BigInt::operator%=(word) was a no-op if the input was a power of 2
* Fixed portability problems in BigInt::to_u32bit
* Fixed major bugs in SSL3-MAC
* Cleaned up some messes in the PK algorithms
* Cleanups and extensions for OMAC and EAX
* Made changes to the entropy estimation function
* Added a 'beos' module set for use on BeOS
* Officially deprecated a few X509:: and PKCS8:: functions