/src/mesa/x86/

• ../
• 3dnow.c
• 3dnow.h
• 3dnow_xform1.S
• 3dnow_xform2.S
• 3dnow_xform3.S
• 3dnow_xform4.S
• assyntax.h
• clip_args.h
• common_x86.c
• common_x86_asm.S
• common_x86_asm.h
• common_x86_features.h
• gen_matypes.c
• mmx.h
• mmx_blend.S
• mmx_blendtmp.h
• norm_args.h
• read_rgba_span_x86.S
• rtasm
• sse.c
• sse.h
• sse_normal.S
• sse_xform1.S
• sse_xform2.S
• sse_xform3.S
• sse_xform4.S
• x86_cliptest.S
• x86_xform.c
• x86_xform.h
• x86_xform2.S
• x86_xform3.S
• x86_xform4.S
• xform_args.h

Release Notes
========================================

Version 1.11.25, Not Yet Released
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* In this release the test suite has been largely rewritten. Previously the
  tests had internally used several different test helper frameworks created or
  adopted over time, each of which was insufficient on its own for testing the
  entire library. These have been fully converged on a new framework which
  suffices for all of the tests. There should be no user-visible change as a
  result of this.

* The OpenSSL implementation of RC4 would return the wrong value from `name` if
  leading bytes of the keystream had been skipped in the output.

* Fixed the signature of botan_pubkey_destroy which took the wrong type and was
  not usable.

Version 1.11.24, 2015-11-04
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* When the bugs affecting X.509 path validation were fixed in 1.11.23, a check
  in Credentials_Manager::verify_certificate_chain was accidentally removed
  which caused path validation failures not to be signaled to the TLS layer.
  Thus in 1.11.23 certificate authentication in TLS is bypassed.
  Reported by Florent Le Coz in GH #324

* Fixed an endian dependency in McEliece key generation which caused
  keys to be generated differently on big and little endian systems,
  even when using a deterministic PRNG with the same seed.

* In `configure,py`, the flags for controlling use of debug, sanitizer, and
  converage information have been split out into individual options
  `--with-debug-info`, `--with-sanitizers`, and `--with-coverage`. These allow
  enabling more than one in a build in a controlled way. The `--build-mode` flag
  added in 1.11.17 has been removed.

Version 1.11.23, 2015-10-26
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* CVE-2015-7824: An information leak allowed padding oracle attacks against
  TLS CBC decryption. Found in a review by Sirrix AG and 3curity GmbH.

* CVE-2015-7825: Validating a malformed certificate chain could cause an
  infinite loop. Found in a review by Sirrix AG and 3curity GmbH.

* CVE-2015-7826: X.509 path validation violated RFC 6125 and would accept
  certificates which should not validate under those rules. In particular botan
  would accept wildcard certificates as matching in situations where it should
  not (for example it would erroneously accept '*.example.com' as a valid
  wildcard for 'foo.bar.example.com')

* CVE-2015-7827: The routines for decoding PKCS #1 encryption and OAEP blocks
  have been rewritten to run without secret indexes or branches. These
  cryptographic operations are vulnerable to oracle attacks, including via side
  channels such as timing or cache-based analysis. In theory it would be
  possible to attack the previous implementations using such a side channel,
  which could allow an attacker to mount a plaintext recovery attack.

  By writing the code such that it does not depend on secret inputs for branch
  or memory indexes, such a side channel would be much less likely to exist.

  The OAEP code has previously made an attempt at constant time operation, but
  it used a construct which many compilers converted into a conditional jump.

* Add support for using ctgrind (https://github.com/agl/ctgrind) to test that
  sections of code do not use secret inputs to decide branches or memory indexes.
  The testing relies on dynamic checking using valgrind.

  So far PKCS #1 decoding, OAEP decoding, Montgomery reduction, IDEA, and
  Curve25519 have been notated and confirmed to be constant time on Linux/x86-64
  when compiled by gcc.

* Public key operations can now be used with specified providers by passing an
  additional parameter to the constructor of the PK operation.

* OpenSSL RSA provider now supports signature creation and verification.

* The blinding code used for RSA, Diffie-Hellman, ElGamal and Rabin-Williams now
  periodically reinitializes the sequence of blinding values instead of always
  deriving the next value by squaring the previous ones. The reinitializion
  interval can be controlled by the build.h parameter BOTAN_BLINDING_REINIT_INTERVAL.

* A bug decoding DTLS client hellos prevented session resumption for succeeding.

* DL_Group now prohibits creating a group smaller than 1024 bits.

* Add System_RNG type. Previously the global system RNG was only accessible via
  `system_rng` which returned a reference to the object. However is at times
  useful to have a unique_ptr<RandomNumberGenerator> which will be either the
  system RNG or an AutoSeeded_RNG, depending on availability, which this
  additional type allows.

* New command line tools `dl_group` and `prime`

* The `configure.py` option `--no-autoload` is now also available
  under the more understandable name `--minimized-build`.

* Note: 1.11.22 was briefly released on 2015-10-26. The only difference between
  the two was a fix for a compilation problem in the OpenSSL RSA code.  As the
  1.11.22 release had already been tagged it was simpler to immediately release
  1.11.23 rather than redo the release.

Version 1.11.21, 2015-10-11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add new methods for creating types such as BlockCiphers or HashFunctions,
  T::providers() returning list of provider for a type, and T::create() creating
  a new object of a specified provider. The functions in lookup.h forward to
  these new APIs. A change to the lookup system in 1.11.14 had caused problems
  with static libraries (GH #52). These problems have been fixed as part of these
  changes. GH #279

* Fix loading McEliece public or private keys with PKCS::load_key / X509::load_key

* Add `mce` command line tool for McEliece key generation and file encryption

* Add Darwin_SecRandom entropy source which uses `SecRandomCopyBytes`
  API call for OS X and iOS, as this call is accessible even from a
  sandboxed application. GH #288

* Add new HMAC_DRBG constructor taking a name for the MAC to use, rather
  than a pointer to an object.

* The OCaml module is now a separate project at
  https://github.com/randombit/botan-ocaml

* The encrypted sqlite database support in contrib has moved to
  https://github.com/randombit/botan-sqlite

* The Perl XS module has been removed as it was no longer maintained.

Version 1.11.20, 2015-09-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Additional countermeasures were added to ECC point multiplications
  including exponent blinding and randomization of the point
  representation to help protect against side channel attacks.

* An ECDSA provider using OpenSSL has been added.

* The ordering of algorithm priorities has been reversed. Previously
  255 was the lowest priority and 0 was the highest priority. Now it
  is the reverse, with 0 being lowest priority and 255 being highest.
  The default priority for the base algorithms is 100. This only
  affects external providers or applications which directly set
  provider preferences.

* On OS X, rename libs to avoid trailing version numbers, e.g.
  libbotan-1.11.dylib.19 -> libbotan-1.11.19.dylib. This was requested
  by the Homebrew project package audit. GH #241, #260

* Enable use of CPUID interface with clang. GH #232

* Add support for MSVC 2015 debug builds by satisfying C++ allocator
  requirements. SO 31802806, GH #236

* Make `X509_Time` string parsing and `to_u32bit()` more strict to avoid
  integer overflows and other potentially dangerous misinterpretations.
  GH #240, #243

* Remove all 'extern "C"' declarations from src/lib/math/mp/ because some
  of those did throw exceptions and thus cannot be C methods. GH #249

* Fix build configuration for clang debug on Linux. GH #250

* Fix zlib error when compressing an empty buffer. GH #265

* Fix iOS builds by allowing multiple compiler flags with the same name.
  GH #266

* Fix Solaris build issue caused by `RLIMIT_MEMLOCK`. GH #262

Version 1.11.19, 2015-08-03
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* SECURITY: The BER decoder would crash due to reading from offset 0
  of an empty vector if it encountered a BIT STRING which did not
  contain any data at all. As the type requires a 1 byte field this is
  not valid BER but could occur in malformed data. Found with afl.
  CVE-2015-5726

* SECURITY: The BER decoder would allocate a fairly arbitrary amount
  of memory in a length field, even if there was no chance the read
  request would succeed. This might cause the process to run out of
  memory or invoke the OOM killer. Found with afl.
  CVE-2015-5727

* The TLS heartbeat extension is deprecated and unless strong arguments
  are raised in its favor it will be removed in a future release.
  Comment at https://github.com/randombit/botan/issues/187

* The x86-32 assembly versions of MD4, MD5, SHA-1, and Serpent and the
  x86-64 version of SHA-1 have been removed. With compilers from this
  decade the C++ versions are significantly faster. The SSE2 versions
  of SHA-1 and Serpent remain, as they are still the fastest version
  for processors with SIMD extensions. GH #216

* BigInt::to_u32bit would fail if the value was exactly 32 bits.
  GH #220

* Botan is now fully compaitible with _GLIBCXX_DEBUG. GH #73

* BigInt::random_integer distribution was not uniform. GH #108

* Added unit testing framework Catch. GH #169

* Fix `make install`. GH #181, #186

* Public header `fs.h` moved to `internal/filesystem.h`. Added filesystem
  support for MSVC 2013 when boost is not available, allowing tests to run on
  those systems. GH #198, #199

* Added os "android" and fix Android compilation issues. GH #203

* Drop support for Python 2.6 for all Botan Python scripts. GH #217

Version 1.10.10, 2015-08-03
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* SECURITY: The BER decoder would crash due to reading from offset 0
  of an empty vector if it encountered a BIT STRING which did not
  contain any data at all. As the type requires a 1 byte field this is
  not valid BER but could occur in malformed data. Found with afl.
  CVE-2015-5726

* SECURITY: The BER decoder would allocate a fairly arbitrary amount
  of memory in a length field, even if there was no chance the read
  request would succeed. This might cause the process to run out of
  memory or invoke the OOM killer. Found with afl.
  CVE-2015-5727

* Due to an ABI incompatible (though not API incompatible) change in
  this release, the version number of the shared object has been
  increased.

* The default TLS policy no longer allows RC4.

* Fix a signed integer overflow in Blue Midnight Wish that may cause
  incorrect computations or undefined behavior.

Version 1.11.18, 2015-07-05
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* In this release Botan has switched VCS from ``monotone`` to ``git``,
  and is now hosted on github at https://github.com/randombit/botan

* The TLS client called ``std::set_difference`` on an invalid iterator
  pair. This could potentially lead to a crash depending on the
  compiler and STL implementation. It also would trigger assertion
  failures when using checked iterators. GH #73

* Remove code constructs which triggered errors under MSVC and GCC
  debug iterators. The primary of these was an idiom of ``&vec[x]`` to
  create a pointer offset of a ``std::vector``. This failed when x was
  set equal to ``vec.size()`` to create the one-past-the-end address.
  The pointer in question was never dereferenced, but it triggered
  the iterator debugging checks which prevented using these valuble
  analysis tools. From Simon Warta and Daniel Seither. GH #125

* Several incorrect or missing module dependencies have been fixed. These
  often prevented a successful build of a minimized amalgamation when
  only a small set of algorithms were specified. GH #71
  From Simon Warta.

* Add an initial binding to OCaml. Currently only hashes, RNGs, and
  bcrypt are supported.

* The default key size generated by the ``keygen`` tool has increased
  to 2048 bits. From Rene Korthaus.

* The ``Botan_types`` namespace, which contained ``using`` declarations
  for (just) ``Botan::byte`` and ``Botan::u32bit``, has been removed.
  Any use should be replaced by ``using`` declarations for those types
  directly.

Version 1.11.17, 2015-06-18
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* All support for the insecure RC4 stream cipher has been removed
  from the TLS implementation.

* Fix decoding of TLS maximum fragment length. Regardless of what
  value was actually negotiated, TLS would treat it as a negotiated
  limit of 4096.

* Fix the configure.py flag ``--disable-aes-ni`` which did nothing of
  the sort.

* Fixed nmake clean target. GitHub #104

* Correct buffering logic in ``Compression_Filter``. GitHub #93 and #95

Version 1.11.16, 2015-03-29
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* TLS has changed from using the non-standard NPN extension to the IETF
  standardized ALPN extension for negotiating an application-level protocol.
  Unfortunately the semantics of the exchange have changed with ALPN. Using
  NPN, the server offered a list of protocols it advertised, and then the
  client chose its favorite. With ALPN, the client offers a list of protocols
  and the server chooses. The the signatures of both the TLS::Client and
  TLS::Server constructors have changed to support this new flow.

* Optimized ECDSA signature verification thanks to an observation by
  Dr. Falko Strenzke. On some systems verifications are between 1.5
  and 2 times faster than in 1.11.15.

* RSA encrypt and decrypt operations using OpenSSL have been added.

* Public key operation types now handle all aspects of the operation,
  such as hashing and padding for signatures. This change allows
  supporting specialized implementations which only support particular
  padding types.

* Added global timeout to HMAC_RNG entropy reseed. The defaults are
  the values set in the build.h macros ``BOTAN_RNG_AUTO_RESEED_TIMEOUT``
  and ``BOTAN_RNG_RESEED_DEFAULT_TIMEOUT``, but can be overriden
  on a specific poll with the new API call reseed_with_timeout.

* Fixed Python cipher update_granularity() and default_nonce_length()
  functions

* The library now builds on Visual C++ 2013

* The GCM update granularity was reduced from 4096 to 16 bytes.

* Fix a bug that prevented building the amalgamation until a non-amalgamation
  configuration was performed first in the same directory.

* Add Travis CI integration. Github pull 60.

Version 1.11.15, 2015-03-08
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Support for RC4 in TLS, already disabled by default, is now deprecated.
  The RC4 ciphersuites will be removed entirely in a future release.

* A bug in ffi.cpp meant Python could only encrypt. Github issue 53.

* When comparing two ASN.1 algorithm identifiers, consider empty and
  NULL parameters the same.

* Fixed memory leaks in TLS and cipher modes introduced in 1.11.14

* MARK-4 failed when OpenSSL was enabled in the build in 1.11.14
  because the OpenSSL version ignored the skip parameter.

* Fix compilation problem on OS X/clang

* Use BOTAN_NOEXCEPT macro to work around lack of noexcept in VS 2013

Version 1.11.14, 2015-02-27
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The global state object previously used by the library has been removed.
  This includes the global PRNG. The library can be safely initialized
  multiple times without harm.

  The engine code has also been removed, replaced by a much lighter-weight
  object registry system which provides lookups in faster time and with less
  memory overhead than the previous approach.

  One caveat of the current system with regards to static linking: because only
  symbols already mentioned elsewhere in the program are included in the final
  link step, few algorithms will be available through the lookup system by
  default, even though they were compiled into the library. Your application
  must explicitly reference the types you require or they will not end up
  being available in the final binary. See also Github issue #52

  If you intend to build your application against a static library and don't
  want to explicitly reference each algo object you might attempt to look up by
  string, consider either building with ``--via-amalgamation``, or else (much
  simpler) using the amalgamation directly.

* The new ``ffi`` submodule provides a simple C API/ABI for a number of useful
  operations (hashing, ciphers, public key operations, etc) which is easily
  accessed using the FFI modules included in many languages.

* A new Python wrapper (in ``src/lib/python/botan.py``) using ``ffi`` and the Python
  ``ctypes`` module is available. The old Boost.Python wrapper has been removed.

* Add specialized reducers for P-192, P-224, P-256, and P-384

* OCB mode, which provides a fast and constant time AEAD mode without requiring
  hardware support, is now supported in TLS, following
  draft-zauner-tls-aes-ocb-01. Because this specification is not yet finalized
  is not yet enabled by the default policy, and the ciphersuite numbers used are
  in the experimental range and may conflict with other uses.

* Add ability to read TLS policy from a text file using ``TLS::Text_Policy``.

* The amalgamation now splits off any ISA specific code (for instance, that
  requiring SSSE3 instruction sets) into a new file named (for instance)
  ``botan_all_ssse3.cpp``. This allows the main amalgamation file to be compiled
  without any special flags, so ``--via-amalgamation`` builds actually work now.
  This is disabled with the build option ``--single-amalgamation-file``

* PBKDF and KDF operations now provide a way to write the desired output
  directly to an application-specified area rather than always allocating a new
  heap buffer.

* HKDF, previously provided using a non-standard interface, now uses the
  standard KDF interface and is retrievable using get_kdf.

* It is once again possible to build the complete test suite without requiring
  any boost libraries. This is currently only supported on systems supporting
  the readdir interface.

* Remove use of memset_s which caused problems with amalgamation on OS X.
  Github 42, 45

* The memory usage of the counter mode implementation has been reduced.
  Previously it encrypted 256 blocks in parallel as this leads to a slightly
  faster counter increment operation. Instead CTR_BE simply encrypts a buffer
  equal in size to the advertised parallelism of the cipher implementation.
  This is not measurably slower, and dramatically reduces the memory use of
  CTR mode.

* The memory allocator available on Unix systems which uses mmap and mlock to
  lock a pool of memory now checks environment variable BOTAN_MLOCK_POOL_SIZE
  and interprets it as an integer. If the value set to a smaller value then the
  library would originally have allocated (based on resource limits) the user
  specified size is used instead. You can also set the variable to 0 to
  disable the pool entirely. Previously the allocator would consume all
  available mlocked memory, this allows botan to coexist with an application
  which wants to mlock memory for its own uses.

* The botan-config script previously installed on Unix systems has been
  removed.  Its functionality is replaced by the ``config`` command of the
  ``botan`` tool executable, for example ``botan config cflags`` instead of
  ``botan-config --cflags``.

* Added a target for POWER8 processors

Version 1.11.13, 2015-01-11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* All support for the insecure SSLv3 protocol and the server support
  for processing SSLv2 client hellos has been removed.

* The command line tool now has ``tls_proxy`` which negotiates TLS with
  clients and forwards the plaintext to a specified port.

* Add MCEIES, a McEliece-based integrated encryption system using
  AES-256 in OCB mode for message encryption/authentication.

* Add DTLS-SRTP negotiation defined in RFC 5764

* Add SipHash

* Add SHA-512/256

* The format of serialized TLS sessions has changed. Additiionally, PEM
  formatted sessions now use the label of "TLS SESSION" instead of "SSL SESSION"

* Serialized TLS sessions are now encrypted using AES-256/GCM instead of a
  CBC+HMAC construction.

* The cryptobox_psk module added in 1.11.4 and previously used for TLS session
  encryption has been removed.

* When sending a TLS heartbeat message, the number of pad bytes to use can now
  be specified, making it easier to use for PMTU discovery.

* If available, zero_mem now uses RtlSecureZeroMemory or memset_s instead of a
  byte-at-a-time loop.

* The functions base64_encode and base64_decode would erroneously
  throw an exception if passed a zero-length input. Github issue 37.

* The Python install script added in version 1.11.10 failed to place the
  headers into a versioned subdirectory.

* Fix the install script when running under Python3.

* Avoid code that triggers iterator debugging asserts under MSVC 2013. Github
  pull 36 from Simon Warta.

Version 1.11.12, 2015-01-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add Curve25519. The implementation is based on curve25519-donna-c64.c
  by Adam Langley. New (completely non-standard) OIDs and formats for
  encrypting Curve25519 keys under PKCS #8 and including them in
  certificates and CRLs have been defined.

* Add Poly1305, based on the implementation poly1305-donna by Andrew Moon.

* Add the ChaCha20Poly1305 AEADs defined in draft-irtf-cfrg-chacha20-poly1305-03
  and draft-agl-tls-chacha20poly1305-04.

* Add ChaCha20Poly1305 ciphersuites for TLS compatible with Google's servers
  following draft-agl-tls-chacha20poly1305-04

* When encrypted as PKCS #8 structures, Curve25519 and McEliece
  private keys default to using AES-256/GCM instead of AES-256/CBC

* Define OIDs for OCB mode with AES, Serpent and Twofish.

Version 1.11.11, 2014-12-21
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The Sqlite3 wrapper has been abstracted to a simple interface for
  SQL dbs in general, though Sqlite3 remains the only implementation.
  The main logic of the TLS session manager which stored encrypted
  sessions to a Sqlite3 database (``TLS::Session_Manager_SQLite``) has
  been moved to the new ``TLS::Session_Manager_SQL``. The Sqlite3
  manager API remains the same but now just subclasses
  ``TLS::Session_Manager_SQL`` and has a constructor instantiate the
  concrete database instance.

  Applications which would like to use a different db can now do so
  without having to reimplement the session cache logic simply by
  implementing a database wrapper subtype.

* The CryptGenRandom entropy source is now also used on MinGW.

* The system_rng API is now also available on systems with CryptGenRandom

* With GCC use -fstack-protector for linking as well as compiling,
  as this is required on MinGW. Github issue 34.

* Fix missing dependency in filters that caused compilation problem
  in amalgamation builds. Github issue 33.

* SSLv3 support is officially deprecated and will be removed in a
  future release.

Version 1.10.9, 2014-12-13
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fixed EAX tag verification to run in constant time

* The default TLS policy now disables SSLv3.

* A crash could occur when reading from a blocking random device if
  the device initially indicated that entropy was available but
  a concurrent process drained the entropy pool before the
  read was initiated.

* Fix decoding indefinite length BER constructs that contain a context
  sensitive tag of zero. Github pull 26 from Janusz Chorko.

* The ``botan-config`` script previously tried to guess its prefix from
  the location of the binary. However this was error prone, and now
  the script assumes the final installation prefix matches the value
  set during the build. Github issue 29.

Version 1.11.10, 2014-12-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* An implementation of McEliece code-based public key encryption based
  on INRIA's HyMES and secured against a variety of side-channels was
  contributed by cryptosource GmbH. The original version is LGPL but
  cryptosource has secured permission to release an adaptation under a
  BSD license. A CCA2-secure KEM scheme is also included.

  The implementation is further described in
  http://www.cryptosource.de/docs/mceliece_in_botan.pdf and
  http://cryptosource.de/news_mce_in_botan_en.html

* DSA and ECDSA now create RFC 6979 deterministic signatures.

* Add support for TLS fallback signaling (draft-ietf-tls-downgrade-scsv-00).
  Clients will send a fallback SCSV if the version passed to the Client
  constructor is less than the latest version supported by local policy, so
  applications implementing fallback are protected. Servers always check the
  SCSV.

* In previous versions a TLS::Server could service either TLS or DTLS
  connections depending on policy settings and what type of client hello it
  received. This has changed and now a Server object is initialized for
  either TLS or DTLS operation. The default policy previously prohibited
  DTLS, precisely to prevent a TCP server from being surprised by a DTLS
  connection.  The default policy now allows TLS v1.0 or higher or DTLS v1.2.

* Fixed a bug in CCM mode which caused it to produce incorrect tags when used
  with a value of L other than 2. This affected CCM TLS ciphersuites, which
  use L=3. Thanks to Manuel Pégourié-Gonnard for the anaylsis and patch.
  Bugzilla 270.

* DTLS now supports timeouts and handshake retransmits. Timeout checking
  is triggered by the application calling the new TLS::Channel::timeout_check.

* Add a TLS policy hook to disable putting the value of the local clock in hello
  random fields.

* All compression operations previously available as Filters are now
  performed via the Transformation API, which minimizes memory copies.
  Compression operations are still available through the Filter API
  using new general compression/decompression filters in comp_filter.h

* The zlib module now also supports gzip compression and decompression.

* Avoid a crash in low-entropy situations when reading from /dev/random, when
  select indicated the device was readable but by the time we start the read the
  entropy pool had been depleted.

* The Miller-Rabin primality test function now takes a parameter allowing the
  user to directly specify the maximum false negative probability they are
  willing to accept.

* PKCS #8 private keys can now be encrypted using GCM mode instead of
  unauthenticated CBC. The default remains CBC for compatibility.

* The default PKCS #8 encryption scheme has changed to use PBKDF2 with
  SHA-256 instead of SHA-1

* A specialized reducer for P-521 was added.

* On Linux the mlock allocator will use MADV_DONTDUMP on the pool so
  that the contents are not included in coredumps.

* A new interface for directly using a system-provided PRNG is
  available in system_rng.h. Currently only systems with /dev/urandom
  are supported.

* Fix decoding indefinite length BER constructs that contain a context sensitive
  tag of zero. Github pull 26 from Janusz Chorko.

* The GNU MP engine has been removed.

* Added AltiVec detection for POWER8 processors.

* Add a new install script written in Python which replaces shell hackery in the
  makefiles.

* Various modifications to better support Visual C++ 2013 and 2015. Github
  issues 11, 17, 18, 21, 22.

Version 1.10.8, 2014-04-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* SECURITY: Fix a bug in primality testing introduced in 1.8.3 which
  caused only a single random base, rather than a sequence of random
  bases, to be used in the Miller-Rabin test. This increased the
  probability that a non-prime would be accepted, for instance a 1024
  bit number would be incorrectly classed as prime with probability
  around 2^-40. Reported by Jeff Marrison. CVE-2014-9742

* The key length limit on HMAC has been raised to 512 bytes, allowing
  the use of very long passphrases with PBKDF2.

Version 1.11.9, 2014-04-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* SECURITY: Fix a bug in primality testing introduced in 1.8.3 which
  caused only a single random base, rather than a sequence of random
  bases, to be used in the Miller-Rabin test. This increased the
  probability that a non-prime would be accepted, for instance a 1024
  bit number would be incorrectly classed as prime with probability
  around 2^-40. Reported by Jeff Marrison. CVE-2014-9742

* X.509 path validation now returns a set of all errors that occurred
  during validation, rather than immediately returning the first
  detected error. This prevents a seemingly innocuous error (such as
  an expired certificate) from hiding an obviously serious error
  (such as an invalid signature). The Certificate_Status_Code enum is
  now ordered by severity, and the most severe error is returned by
  Path_Validation_Result::result(). The entire set of status codes is
  available with the new all_statuses call.

* Fixed a bug in OCSP response decoding which would cause an error
  when attempting to decode responses from some widely used
  responders.

* An implementation of HMAC_DRBG RNG from NIST SP800-90A has been
  added. Like the X9.31 PRNG implementation, it uses another
  underlying RNG for seeding material.

* An implementation of the RFC 6979 deterministic nonce generator has
  been added.

* Fix a bug in certificate path validation which prevented successful
  validation if intermediate certificates were presented out of order.

* Fix a bug introduced in 1.11.5 which could cause crashes or other
  incorrect behavior when a cipher mode filter was followed in the
  pipe by another filter, and that filter had a non-empty start_msg.

* The types.h header now uses stdint.h rather than cstdint to avoid
  problems with Clang on OS X.

Version 1.11.8, 2014-02-13
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The ``botan`` command line application introduced in 1.11.7 is now
  installed along with the library.

* A bug in certificate path validation introduced in 1.11.6 which
  caused all CRL signature checks to fail has been corrected.

* The ChaCha20 stream cipher has been added.

* The ``Transformation`` class no longer implements an interface for keying,
  this has been moved to a new subclass ``Keyed_Transformation``.

* The ``Algorithm`` class, which previously acted as a global base for
  various types (ciphers, hashes, etc) has been removed.

* CMAC now supports 256 and 512 bit block ciphers, which also allows
  the use of larger block ciphers with EAX mode. In particular this
  allows using Threefish in EAX mode.

* The antique PBES1 private key encryption scheme (which only supports
  DES or 64-bit RC2) has been removed.

* The Square, Skipjack, and Luby-Rackoff block ciphers have been removed.

* The Blue Midnight Wish hash function has been removed.

* Skein-512 no longer supports output lengths greater than 512 bits.

* Skein did not reset its internal state properly if clear() was
  called, causing it to produce incorrect results for the following
  message. It was reset correctly in final() so most usages should not
  be affected.

* A number of public key padding schemes have been renamed to match
  the most common notation; for instance EME1 is now called OAEP and
  EMSA4 is now called PSSR. Aliases are set which should allow all
  current applications to continue to work unmodified.

* A bug in CFB encryption caused a few bytes past the end of the final
  block to be read. The actual output was not affected.

* Fix compilation errors in the tests that occurred with minimized
  builds. Contributed by Markus Wanner.

* Add a new ``--destdir`` option to ``configure.py`` which controls
  where the install target will place the output. The ``--prefix``
  option continues to set the location where the library expects to be
  eventually installed.

* Many class destructors which previously deleted memory have been
  removed in favor of using ``unique_ptr``.

* Various portability fixes for Clang, Windows, Visual C++ 2013, OS X,
  and x86-32.

Version 1.11.7, 2014-01-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Botan's basic numeric types are now defined in terms of the
  C99/C++11 standard integer types. For instance ``u32bit`` is now a
  typedef for ``uint32_t``, and both names are included in the library
  namespace. This should not result in any application-visible
  changes.

* There are now two executable outputs of the build, ``botan-test``,
  which runs the tests, and ``botan`` which is used as a driver to call
  into various subcommands which can also act as examples of library
  use, much in the manner of the ``openssl`` command. It understands the
  commands ``base64``, ``asn1``, ``x509``, ``tls_client``, ``tls_server``,
  ``bcrypt``, ``keygen``, ``speed``, and various others. As part of this
  change many obsolete, duplicated, or one-off examples were removed,
  while others were extended with new functionality. Contributions of
  new subcommands, new bling for exising ones, or documentation in any
  form is welcome.

* Fix a bug in Lion, which was broken by a change in 1.11.0. The
  problem was not noticed before as Lion was also missing a test vector
  in previous releases.

Version 1.10.7, 2013-12-29
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* OAEP had two bugs, one of which allowed it to be used even if the
  key was too small, and the other of which would cause a crash during
  decryption if the EME data was too large for the associated key.

Version 1.11.6, 2013-12-29
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The Boost filesystem and asio libraries are now being used by default.
  Pass ``--without-boost`` to ``configure.py`` to disable.

* The default TLS policy no longer allows SSLv3 or RC4.

* OAEP had two bugs, one of which allowed it to be used even if the
  key was too small, and the other of which would cause a crash during
  decryption if the EME data was too large for the associated key.

* GCM mode now uses the Intel clmul instruction when available

* Add the Threefish-512 tweakable block cipher, including an AVX2 version

* Add SIV (from :rfc:`5297`) as a nonce-based AEAD

* Add HKDF (from :rfc:`5869`) using an experimental PRF interface

* Add HTTP utility functions and OCSP online checking

* Add TLS::Policy::acceptable_ciphersuite hook to disable ciphersuites
  on an ad-hoc basis.

* TLS::Session_Manager_In_Memory's constructor now requires a RNG

Version 1.10.6, 2013-11-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The device reading entropy source now attempts to read from all
  available devices. Previously it would break out early if a partial
  read from a blocking source occurred, not continuing to read from a
  non-blocking device. This would cause the library to fall back on
  slower and less reliable techniques for collecting PRNG seed
  material. Reported by Rickard Bellgrim.

* HMAC_RNG (the default PRNG implementation) now automatically reseeds
  itself periodically. Previously reseeds only occurred on explicit
  application request.

* Fix an encoding error in EC_Group when encoding using EC_DOMPAR_ENC_OID.
  Reported by fxdupont on github.

* In EMSA2 and Randpool, avoid calling name() on objects after deleting them if
  the provided algorithm objects are not suitable for use.  Found by Clang
  analyzer, reported by Jeffrey Walton.

* If X509_Store was copied, the u32bit containing how long to cache validation
  results was not initialized, potentially causing results to be cached for
  significant amounts of time. This could allow a certificate to be considered
  valid after its issuing CA's cert expired. Expiration of the end-entity cert
  is always checked, and reading a CRL always causes the status to be reset, so
  this issue does not affect revocation. Found by Coverity scanner.

* Avoid off by one causing a potentially unterminated string to be passed to
  the connect system call if the library was configured to use a very long path
  name for the EGD socket. Found by Coverity Scanner.

* In PK_Encryptor_EME, PK_Decryptor_EME, PK_Verifier, and PK_Key_Agreement,
  avoid dereferencing an unitialized pointer if no engine supported operations
  on the key object given. Found by Coverity scanner.

* Avoid leaking a file descriptor in the /dev/random and EGD entropy sources if
  stdin (file descriptor 0) was closed. Found by Coverity scanner.

* Avoid a potentially undefined operation in the bit rotation operations.  Not
  known to have caused problems under any existing compiler, but might have
  caused problems in the future. Caught by Clang sanitizer, reported by Jeffrey
  Walton.

* Increase default hash iterations from 10000 to 50000 in PBES1 and PBES2

* Add a fix for mips64el builds from Brad Smith.

Version 1.11.5, 2013-11-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The TLS callback signatures have changed - there are now two distinct
  callbacks for application data and alerts. TLS::Client and TLS::Server have
  constructors which continue to accept the old callback and use it for both
  operations.

* The entropy collector that read from randomness devices had two bugs - it
  would break out of the poll as soon as any read succeeded, and it selected on
  each device individually. When a blocking source was first in the device list
  and the entropy pool was running low, the reader might either block in select
  until eventually timing out (continuing on to read from /dev/urandom instead),
  or read just a few bytes, skip /dev/urandom, fail to satisfy the entropy
  target, and the poll would continue using other (slower) sources. This caused
  substantial performance/latency problems in RNG heavy applications. Now all
  devices are selected over at once, with the effect that a full read from
  urandom always occurs, along with however much (if any) output is available
  from blocking sources.

* Previously AutoSeeded_RNG referenced a globally shared PRNG instance.
  Now each instance has distinct state.

* The entropy collector that runs Unix programs to collect statistical
  data now runs multiple processes in parallel, greatly reducing poll
  times on some systems.

* The Randpool RNG implementation was removed.

* All existing cipher mode implementations (such as CBC and XTS) have been
  converted from filters to using the interface previously provided by
  AEAD modes which allows for in-place message
  processing. Code which directly references the filter objects will break, but
  an adaptor filter allows usage through get_cipher as usual.

* An implementation of CCM mode from RFC 3601 has been added, as well as CCM
  ciphersuites for TLS.

* The implementation of OCB mode now supports 64 and 96 bit tags

* Optimized computation of XTS tweaks, producing a substantial speedup

* Add support for negotiating Brainpool ECC curves in TLS

* TLS v1.2 will not negotiate plain SHA-1 signatures by default.

* TLS channels now support sending a ``std::vector``

* Add a generic 64x64->128 bit multiply instruction operation in mul128.h

* Avoid potentially undefined operations in the bit rotation operations. Not
  known to have caused problems under existing compilers but might break in the
  future. Found by Clang sanitizer, reported by Jeffrey Walton.

Version 1.11.4, 2013-07-25
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* CPU specific extensions are now always compiled if support for the
  operations is available at build time, and flags enabling use of
  extra operations (such as SSE2) are only included when compiling
  files which specifically request support. This means, for instance,
  that the SSSE3 and AES-NI implementations of AES are always included
  in x86 builds, relying on runtime cpuid checking to prevent their
  use on CPUs that do not support those operations.

* The default TLS policy now only accepts TLS, to minimize surprise
  for servers which might not expect to negotiate DTLS. Previously a
  server would by default negotiate either protocol type (clients
  would only accept the same protocol type as they
  offered). Applications which use DTLS or combined TLS/DTLS need to
  override ``Policy::acceptable_protocol_version``.

* The TLS channels now accept a new parameter specifying how many
  bytes to preallocate for the record handling buffers, which allows
  an application some control over how much memory is used at runtime
  for a particular connection.

* Applications can now send arbitrary TLS alert messages using
  ``TLS::Channel::send_alert``

* A new TLS policy ``NSA_Suite_B_128`` is available, which
  will negotiate only the 128-bit security NSA Suite B. See
  :rfc:`6460` for more information about Suite B.

* Adds a new interface for benchmarking, ``time_algorithm_ops``,
  which returns a map of operations to operations per second. For
  instance now both encrypt and decrypt speed of a block cipher can be
  checked, as well as the key schedule of all keyed algorithms. It
  additionally supports AEAD modes.

* Rename ARC4 to RC4

Version 1.11.3, 2013-04-11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add a new interface for AEAD modes (``AEAD_Mode``).

* Implementations of the OCB and GCM authenticated cipher modes are
  now included.

* Support for TLS GCM ciphersuites is now available.

* A new TLS policy mechanism
  ``TLS::Policy::server_uses_own_ciphersuite_preferences``
  controls how a server chooses a ciphersuite. Previously it always
  chose its most preferred cipher out of the client's list, but this
  can allow configuring a server to choose by the client's preferences
  instead.

* ``Keyed_Filter`` now supports returning a
  ``Key_Length_Specification`` so the full details of what
  keylengths are supported is now available in keyed filters.

* The experimental and rarely used Turing and WiderWAKE stream ciphers
  have been removed

* New functions for symmetric encryption are included in cryptobox.h
  though interfaces and formats are subject to change.

* A new function ``algorithm_kat_detailed`` returns a string
  providing information about failures, instead of just a pass/fail
  indicator as in ``algorithm_kat``.

Version 1.10.5, 2013-03-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* A potential crash in the AES-NI implementation of the AES-192 key
  schedule (caused by misaligned loads) has been fixed.

* A previously conditional operation in Montgomery multiplication and
  squaring is now always performed, removing a possible timing
  channel.

* Use correct flags for creating a shared library on OS X under Clang.

* Fix a compile time incompatibility with Visual C++ 2012.

Version 1.11.2, 2013-03-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* A bug in the release script caused the ``botan_version.py`` included
  in 1.11.1`` to be invalid, which required a manual edit to fix
  (Bugzilla 226)

* Previously ``clear_mem`` was implemented by an inlined call to
  ``std::memset``. However an optimizing compiler might notice cases
  where the memset could be skipped in cases allowed by the standard.
  Now ``clear_mem`` calls ``zero_mem`` which is compiled separately and
  which zeros out the array through a volatile pointer. It is possible
  some compiler with some optimization setting (especially with
  something like LTO) might still skip the writes. It would be nice if
  there was an automated way to test this.

* The new filter ``Threaded_Fork`` acts like a normal
  ``Fork``, sending its input to a number of different
  filters, but each subchain of filters in the fork runs in its own
  thread. Contributed by Joel Low.

* The default TLS policy formerly preferred AES over RC4, and allowed
  3DES by default. Now the default policy is to negotiate only either
  AES or RC4, and to prefer RC4.

* New TLS ``Blocking_Client`` provides a thread per
  connection style API similar to that provided in 1.10

* The API of ``Credentials_Manager::trusted_certificate_authorities``
  has changed to return a vector of ``Certificate_Store*`` instead of
  ``X509_Certificate``. This allows the list of trusted CAs to be
  more easily updated dynamically or loaded lazily.

* The ``asn1_int.h`` header was split into ``asn1_alt_name.h``,
  ``asn1_attribute.h`` and ``asn1_time.h``.

Version 1.10.4, 2013-01-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Avoid a conditional operation in the power mod implementations on if
  a nibble of the exponent was zero or not. This may help protect
  against certain forms of side channel attacks.

* The SRP6 code was checking for invalid values as specified in RFC
  5054, specifically values equal to zero mod p. However SRP would
  accept negative A/B values, or ones larger than p, neither of which
  should occur in a normal run of the protocol. These values are now
  rejected. Credits to Timothy Prepscius for pointing out these values
  are not normally used and probably signal something fishy.

* The return value of version_string is now a compile time constant
  string, so version information can be more easily extracted from
  binaries.

Version 1.11.1, 2012-10-30
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Initial support for DTLS (both v1.0 and v1.2) is available in this
release, though it should be considered highly experimental. Currently
timeouts and retransmissions are not handled.

The ``TLS::Client`` constructor now takes the version to
offer to the server. The policy hook ``TLS::Policy`` function
`pref_version``, which previously controlled this, has been removed.

`TLS::Session_Manager_In_Memory`` now chooses a random
256-bit key at startup and encrypts all sessions (using the existing
`TLS::Session::encrypt`` mechanism) while they are stored in
memory. This is primarily to reduce pressure on locked memory, as each
session normally requires 48 bytes of locked memory for the master
secret, whereas now only 32 bytes are needed total. This change may
also make it slightly harder for an attacker to extract session data
from memory dumps (eg with a cold boot attack).

The keys used in TLS session encryption were previously uniquely
determined by the master key. Now the encrypted session blob includes
two 80 bit salts which are used in the derivation of the cipher and
MAC keys.

The ``secure_renegotiation`` flag is now considered an aspect of the
connection rather than the session, which matches the behavior of
other implementations. As the format has changed, sessions saved to
persistent storage by 1.11.0 will not load in this version and vice
versa. In either case this will not cause any errors, the session will
simply not resume and instead a full handshake will occur.

New policy hooks ``TLS::Policy::acceptable_protocol_version``,
`TLS::Policy::allow_server_initiated_renegotiation``, and
`TLS::Policy::negotiate_heartbeat_support`` were added.

TLS clients were not sending a next protocol message during a session
resumption, which would cause resumption failures with servers that
support NPN if NPN was being offered by the client.

A bug caused heartbeat requests sent by the counterparty during a
handshake to be passed to the application callback as if they were
heartbeat responses.

Support for TLS key material export as specified in :rfc:`5705` has
been added, available via ``TLS::Channel::key_material_export``

A new function ``Public_Key::estimated_strength`` returns
an estimate for the upper bound of the strength of the key. For
instance for an RSA key, it will return an estimate of how many
operations GNFS would take to factor the key.

A new ``Path_Validation_Result`` code has been added
``SIGNATURE_METHOD_TOO_WEAK``. By default signatures created with keys
below 80 bits of strength (as estimated by ``estimated_strength``) are
rejected. This level can be modified using a parameter to the
``Path_Validation_Restrictions`` constructor.

The SRP6 code was checking for invalid values as specified in
:rfc:`5054`, ones equal to zero mod p, however it would accept
negative A/B values, or ones larger than p, neither of which should
occur in a normal run of the protocol. These values are now
rejected. Credits to Timothy Prepscius for pointing out these values
are not normally used and probably signal something fishy.

Several ``BigInt`` functions have been removed, including
``operator[]``, ``assign``, ``get_reg``, and ``grow_reg``. The version
of ``data`` that returns a mutable pointer has been renamed
``mutable_data``.  Support for octal conversions has been removed.

The constructor ``BigInt(NumberType type, size_t n)`` has been
removed, replaced by ``BigInt::power_of_2``.

In 1.11.0, when compiled by GCC, the AES-NI implementation of AES-192
would crash if the mlock-based allocator was used due to an alignment
issue.

Version 1.11.0, 2012-07-19
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. note::

  In this release, many new features of C++11 are being used in the
  library. Currently GCC 4.7 and Clang 3.1 are known to work well.
  This version of the library cannot be compiled by or used with a
  C++98 compiler.

There have been many changes and improvements to TLS.  The interface
is now purely event driven and does not directly interact with
sockets.  New TLS features include TLS v1.2 support, client
certificate authentication, renegotiation, session tickets, and
session resumption. Session information can be saved in memory or to
an encrypted SQLite3 database. Newly supported TLS ciphersuite
algorithms include using SHA-2 for message authentication, pre shared
keys and SRP for authentication and key exchange, ECC algorithms for
key exchange and signatures, and anonymous DH/ECDH key exchange.

Support for OCSP has been added. Currently only client-side support
exists.

The API for X.509 path validation has changed, with
``x509_path_validate`` in x509path.h now handles path validation and
``Certificate_Store`` handles storage of certificates and CRLs.

The memory container types have changed substantially.  The
``MemoryVector`` and ``SecureVector`` container types have been
removed, and an alias of ``std::vector`` using an allocator that
clears memory named ``secure_vector`` is used for key material, with
plain ``std::vector`` being used for everything else.

The technique used for mlock'ing memory on Linux and BSD systems is
much improved. Now a single page-aligned block of memory (the exact
limit of what we can mlock) is mmap'ed, with allocations being done
using a best-fit allocator and all metadata held outside the mmap'ed
range, in an effort to make best use of the very limited amount of
memory current Linux kernels allow unpriveledged users to lock.

A filter using LZMA was contributed by Vojtech Kral. It is available
if LZMA support was enabled at compilation time by passing
``--with-lzma`` to ``configure.py``.

:rfc:`5915` adds some extended information which can be included in
ECC private keys which the ECC key decoder did not expect, causing an
exception when such a key was loaded. In particular, recent versions
of OpenSSL use these fields. Now these fields are decoded properly,
and if the public key value is included it is used, as otherwise the
public key needs to be rederived from the private key. However the
library does not include these fields on encoding keys for
compatibility with software that does not expect them (including older
versions of botan).

Version 1.8.14, 2012-07-18
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The malloc allocator would return null instead of throwing in the
  event of an allocation failure, which could cause an application
  crash due to null pointer dereference where normally an exception
  would occur.

* Recent versions of OpenSSL include extra information in ECC private
  keys, the presence of which caused an exception when such a key was
  loaded by botan. The decoding of ECC private keys has been changed to
  ignore these fields if they are set.

* AutoSeeded_RNG has been changed to prefer ``/dev/random`` over
  ``/dev/urandom``

* Fix detection of s390x (Debian bug 638347)

Version 1.10.3, 2012-07-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

A change in 1.10.2 accidentally broke ABI compatibility with 1.10.1
and earlier versions, causing programs compiled against 1.10.1 to
crash if linked with 1.10.2 at runtime.

Recent versions of OpenSSL include extra information in ECC private
keys, the presence of which caused an exception when such a key was
loaded by botan. The decoding of ECC private keys has been changed to
ignore these fields if they are set.

Version 1.10.2, 2012-06-17
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Several TLS bugs were fixed in this release, including a major
omission that the renegotiation extension was not being used.  As the
1.10 implementation of TLS does not properly support renegotiation,
the approach in this release is simply to send the renegotiation
extension SCSV, which should protect the client against any handshake
splicing. In addition renegotiation attempts are handled properly
instead of causing handshake failures - all hello requests, and all
client hellos after the initial negotiation, are ignored. Some
bugs affecting DSA server authentication were also fixed.

By popular request, ``Pipe::reset`` no longer requires that message
processing be completed, a requirement that caused problems when a
Filter's end_msg call threw an exception, after which point the Pipe
object was no longer usable.

Support for getting entropy using the rdrand instruction introduced in
Intel's Ivy Bridge processors has been added. In previous releases,
the ``CPUID::has_rdrand`` function was checking the wrong cpuid bit,
and would false positive on AMD Bulldozer processors.

An implementation of SRP-6a compatible with the specification in RFC
5054 is now available in ``srp6.h``. In 1.11, this is being used for
TLS-SRP, but may be useful in other environments as well.

An implementation of the Camellia block cipher was added, again largely
for use in TLS.

If ``clock_gettime`` is available on the system, hres_timer will poll all
the available clock types.

AltiVec is now detected on IBM POWER7 processors and on OpenBSD systems.
The OpenBSD support was contributed by Brad Smith.

The Qt mutex wrapper was broken and would not compile with any recent
version of Qt. Taking this as a clear indication that it is not in use,
it has been removed.

Avoid setting the soname on OpenBSD, as it doesn't support it (Bugzilla 158)

A compilation problem in the dynamic loader that prevented using
dyn_load under MinGW GCC has been fixed.

A common error for people using MinGW is to target GCC on Windows,
however the 'Windows' target assumes the existence of Visual C++
runtime functions which do not exist in MinGW. Now, configuring for
GCC on Windows will cause the configure.py to warn that likely you
wanted to configure for either MinGW or Cygwin, not the generic
Windows target.

A bug in configure.py would cause it to interpret ``--cpu=s390x`` as
``s390``. This may have affected other CPUs as well. Now configure.py
searches for an exact match, and only if no exact match is found will
it search for substring matches.

An incompatibility in configure.py with the subprocess module included
in Python 3.1 has been fixed (Bugzilla 157).

The exception catching syntax of configure.py has been changed to the
Python 3.x syntax. This syntax also works with Python 2.6 and 2.7, but
not with any earlier Python 2 release. A simple search and replace
will allow running it under Python 2.5::

  perl -pi -e 's/except (.*) as (.*):/except $1, $2:/g' configure.py

Note that Python 2.4 is not supported at all.

Version 1.10.1, 2011-07-11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* A race condition in ``Algorithm_Factory`` could cause crashes in
  multithreaded code.

* The return value of ``name`` has changed for GOST 28147-89 and
  Skein-512.  GOST's ``name`` now includes the name of the sbox, and
  Skein's includes the personalization string (if nonempty). This
  allows an object to be properly roundtripped, which is necessary to
  fix the race condition described above.

* A new distribution script is now included, as
  ``src/build-data/scripts/dist.py``

* The ``build.h`` header now includes, if available, an identifier of
  the source revision that was used. This identifier is also included
  in the result of ``version_string``.

Version 1.8.13, 2011-07-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* A race condition in ``Algorithm_Factory`` could cause crashes in
  multithreaded code.

Version 1.10.0, 2011-06-20
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Detection for the rdrand instruction being added to upcoming Intel
  Ivy Bridge processors has been added.

* A template specialization of std::swap was added for the memory
  container types.

Version 1.8.12, 2011-06-20
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* If EMSA3(Raw) was used for more than one signature, it would produce
  incorrect output.

* Fix the --enable-debug option to configure.py

* Improve OS detection on Cygwin

* Fix compilation under Sun Studio 12 on Solaris

* Fix a memory leak in the constructors of DataSource_Stream and
  DataSink_Stream which would occur if opening the file failed (Bugzilla 144)

Version 1.9.18, 2011-06-03
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fourth release candidate for 1.10.0

* The GOST 34.10 verification operation was not ensuring that s and r
  were both greater than zero. This could potentially have meant it
  would have accepted an invalid all-zero signature as valid for any
  message. Due to how ECC points are internally represented it instead
  resulted in an exception being thrown.

* A simple multiexponentation algorithm is now used in ECDSA and
  GOST-34.10 signature verification, leading to 20 to 25% improvements
  in ECDSA and 25% to 40% improvements in GOST-34.10 verification
  performance.

* The internal representation of elliptic curve points has been
  modified to use Montgomery representation exclusively, resulting in
  reduced memory usage and a 10 to 20% performance improvement for
  ECDSA and ECDH.

* In OAEP decoding, scan for the delimiter bytes using a loop that is
  written without conditionals so as to help avoid timing analysis.
  Unfortunately GCC at least is 'smart' enough to compile it to
  jumps anyway.

* The SSE2 implementation of IDEA did not work correctly when compiled
  by Clang, because the trick it used to emulate a 16 bit unsigned
  compare in SSE (which doesn't contain one natively) relied on signed
  overflow working in the 'usual' way. A different method that doesn't
  rely on signed overflow is now used.

* Add support for compiling SSL using Visual C++ 2010's TR1
  implementation.

* Fix a bug under Visual C++ 2010 which would cause ``hex_encode`` to
  crash if given a zero-sized input to encode.

* A new build option ``--via-amalgamation`` will first generate the
  single-file amalgamation, then build the library from that single
  file. This option requires a lot of memory and does not parallelize,
  but the resulting library is smaller and may be faster.

* On Unix, the library and header paths have been changed to allow
  parallel installation of different versions of the library. Headers
  are installed into ``<prefix>/include/botan-1.9/botan``, libraries
  are named ``libbotan-1.9``, and ``botan-config`` is now namespaced
  (so in this release ``botan-config-1.9``). All of these embedded
  versions will be 1.10 in the upcoming stable release.

* The soname system has been modified. In this release the library
  soname is ``libbotan-1.9.so.0``, with the full library being named
  ``libbotan-1.9.so.0.18``. The ``0`` is the ABI version, and will be
  incremented whenever a breaking ABI change is made.

* TR1 support is not longer automatically assumed under older versions
  of GCC

* Functions for base64 decoding that work standalone (without needing
  to use a pipe) have been added to ``base64.h``

* The function ``BigInt::to_u32bit`` was inadvertently removed in 1.9.11
  and has been added back.

* The function ``BigInt::get_substring`` did not work correctly with a
  *length* argument of 32.

* The implementation of ``FD_ZERO`` on Solaris uses ``memset`` and
  assumes the caller included ``string.h`` on its behalf. Do so to
  fix compilation in the ``dev_random`` and ``unix_procs`` entropy
  sources. Patch from Jeremy C. Reed.

* Add two different configuration targets for Atom, since some are
  32-bit and some are 64-bit. The 'atom' target now refers to the
  64-bit implementations, use 'atom32' to target the 32-bit
  processors.

* The (incomplete) support for CMS and card verifiable certificates
  are disabled by default; add ``--enable-modules=cms`` or
  ``--enable-modules=cvc`` during configuration to turn them back on.

Version 1.9.17, 2011-04-29
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Third release candidate for 1.10.0

* The format preserving encryption method currently available was
  presented in the header ``fpe.h`` and the functions ``fpe_encrypt``
  and ``fpe_decrypt``. These were renamed as it is likely that other
  FPE schemes will be included in the future. The header is now
  ``fpe_fe1.h``, and the functions are named ``fe1_encrypt`` and
  ``fe1_decrypt``.

* New options to ``configure.py`` control what tools are used for
  documentation generation. The ``--with-sphinx`` option enables using
  Sphinx to convert ReST into HTML; otherwise the ReST sources are
  installed directly. If ``--with-doxygen`` is used, Doxygen will run
  as well. Documentation generation can be triggered via the ``docs``
  target in the makefile; it will also be installed by the install
  target on Unix.

* A bug in 1.9.16 effectively disabled support for runtime CPU feature
  detection on x86 under GCC in that release.

* A mostly internal change, all references to "ia32" and "amd64" have
  been changed to the vendor neutral and probably easier to understand
  "x86-32" and "x86-64". For instance, the "mp_amd64" module has been
  renamed "mp_x86_64", and the macro indicating x86-32 has changed
  from ``BOTAN_TARGET_ARCH_IS_IA32`` to
  ``BOTAN_TARGET_ARCH_IS_X86_32``. The classes calling assembly have
  also been renamed.

* Similiarly to the above change, the AES implemenations using the
  AES-NI instruction set have been renamed from AES_XXX_Intel to
  AES_XXX_NI.

* Systems that are identified as ``sun4u`` will default to compiling for
  32-bit SPARCv9 code rather than 64-bit. This matches the still
  common convention for 32-bit SPARC userspaces. If you want 64-bit
  code on such as system, use ``--cpu=sparc64``.

* Some minor fixes for compiling botan under the BeOS
  clone/continuation `Haiku <http://haiku-os.org>`_.

* Further updates to the documentation

Version 1.9.16, 2011-04-11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Second release candidate for 1.10.0

* The documentation, previously written in LaTeX, is now in
  reStructuredText suitable for processing by `Sphinx
  <http://sphinx.pocoo.org>`_, which can generate nicely formatted
  HTML and PDFs. The documentation has also been greatly updated and
  expanded.

* The class ``EC_Domain_Params`` has been renamed ``EC_Group``, with a
  typedef for backwards compatibility.

* The ``EC_Group`` string constructor didn't understand the standard
  names like "secp160r1", forcing use of the OIDs.

* Two constructors for ECDSA private keys, the one that creates a new
  random key, and the one that provides a preset private key as a
  ``BigInt``, have been merged. This matches the existing interface
  for DSA and DH keys. If you previously used the version taking a
  ``BigInt`` private key, you'll have to additionally pass in a
  ``RandomNumberGenerator`` object starting in this release.

* It is now possible to create ECDH keys with a preset ``BigInt``
  private key; previously no method for this was available.

* The overload of ``generate_passhash9`` that takes an explicit
  algorithm identifier has been merged with the one that does not.
  The algorithm identifier code has been moved from the second
  parameter to the fourth.

* Change shared library versioning to match the normal Unix
  conventions. Instead of ``libbotan-X.Y.Z.so``, the shared lib is
  named ``libbotan-X.Y.so.Z``; this allows the runtime linker to do
  its runtime linky magic. It can be safely presumed that any change
  in the major or minor version indicates ABI incompatibility.

* Remove the socket wrapper code; it was not actually used by anything
  in the library, only in the examples, and you can use whatever kind
  of (blocking) socket interface you like with the SSL/TLS code. It's
  available as socket.h in the examples directory if you want to use
  it.

* Disable the by-default 'strong' checking of private keys that are
  loaded from storage. You can always request key material sanity
  checking using Private_Key::check_key.

* Bring back removed functions ``min_keylength_of``,
  ``max_keylength_of``, ``keylength_multiple_of`` in ``lookup.h`` to
  avoid breaking applications written against 1.8

Version 1.9.15, 2011-03-21
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* First release candidate for 1.10.0

* Modify how message expansion is done in SHA-256 and SHA-512.
  Instead of expanding the entire message at the start, compute them
  in the minimum number of registers. Values are computed 15 rounds
  before they are needed. On a Core i7-860, GCC 4.5.2, went from 143
  to 157 MiB/s in SHA-256, and 211 to 256 MiB/s in SHA-512.

* Pipe will delete empty output queues as soon as they are no longer
  needed, even if earlier messages still have data unread. However an
  (empty) entry in a deque of pointers will remain until all prior
  messages are completely emptied.

* Avoid reading the SPARC ``%tick`` register on OpenBSD as unlike the
  Linux and NetBSD kernels, it will not trap and emulate it for us,
  causing a illegal instruction crash.

* Improve detection and autoconfiguration for ARM processors. Thanks
  go out to the the `Tahoe-LAFS Software Foundation
  <http://tahoe-lafs.org>`_, who donated a Sheevaplug that I'll be
  using to figure out how to make the cryptographic primitives
  Tahoe-LAFS relies on faster, particularly targeting the ARMv5TE.

Version 1.9.14, 2011-03-01
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add support for bcrypt, OpenBSD's password hashing scheme.

* Add support for NIST's AES key wrapping algorithm, as described in
  :rfc:`3394`. It is available by including ``rfc3394.h``.

* Fix an infinite loop in zlib filters introduced in 1.9.11 (Bugzilla 142)

Version 1.9.13, 2011-02-19
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

GOST 34.10 signatures were being formatted in a way that was not
compatible with other implemenations, and specifically how GOST is
used in DNSSEC.

The Keccak hash function was updated to the tweaked variant proposed
for round 3 of the NIST hash competition. This version is not
compatible with the previous algorithm.

A new option ``--distribution-info`` was added to the configure
script. It allows the user building the library to set any
distribution-specific notes on the build, which are available as a
macro ``BOTAN_DISTRIBUTION_INFO``. The default value is
'unspecified'. If you are building an unmodified version of botan
(especially for distribution), and want to indicate to applications
that this is the case, consider using
``--distribution-info=pristine``. If you are making any patches or
modifications, it is recommended to use
``--distribution-info=[Distribution Name] [Version]``, for instance
'FooNix 1.9.13-r3'.

Some bugs preventing compilation under Clang 2.9 and Sun Studio 12
were fixed.

The DER/BER codecs use ``size_t`` instead of ``u32bit`` for small
integers

Version 1.9.12, 2010-12-13
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add the Keccak hash function
* Fix compilation problems in Python wrappers
* Fix compilation problem in OpenSSL engine
* Update SQLite3 database encryption codec

Version 1.9.11, 2010-11-29
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The TLS API has changed substantially and now relies heavily on
  TR1's ``std::function`` is now required. Additionally, it is
  required that all callers derive a subclass of TLS_Policy and pass
  it to a client or server object. Please remember that the TLS
  interface/API is currently unstable and will very likely change
  further before TLS is included in a stable release. A handshake
  failure that occurred when RC4 was negotiated has also been fixed.

* Some possible timing channels in the implementations of Montgomery
  reduction and the IDEA key schedule were removed. The table-based
  AES implementation uses smaller tables in the first round to help
  make some timing/cache attacks harder.

* The library now uses size_t instead of u32bit to represent
  lengths. Also the interfaces for the memory containers have changed
  substantially to better match STL container interfaces;
  MemoryRegion::append, MemoryRegion::destroy, and MemoryRegion::set
  were all removed, and several other functions, like clear and
  resize, have changed meaning.

* Update Skein-512 to match the v1.3 specification
* Fix a number of CRL encoding and decoding bugs
* Counter mode now always encrypts 256 blocks in parallel
* Use small tables in the first round of AES
* Removed AES class: app must choose AES-128, AES-192, or AES-256
* Add hex encoding/decoding functions that can be used without a Pipe
* Add base64 encoding functions that can be used without a Pipe
* Add to_string function to X509_Certificate
* Add support for dynamic engine loading on Windows
* Replace BlockCipher::BLOCK_SIZE attribute with function block_size()
* Replace HashFunction::HASH_BLOCK_SIZE attribute with hash_block_size()
* Move PBKDF lookup to engine system
* The IDEA key schedule has been changed to run in constant time
* Add Algorithm and Key_Length_Specification classes
* Switch default PKCS #8 encryption algorithm from AES-128 to AES-256
* Allow using PBKDF2 with empty passphrases
* Add compile-time deprecation warnings for GCC, Clang, and MSVC
* Support use of HMAC(SHA-256) and CMAC(Blowfish) in passhash9
* Improve support for Intel Atom processors
* Fix compilation problems under Sun Studio and Clang

Version 1.8.11, 2010-11-02
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix a number of CRL encoding and decoding bugs
* When building a debug library under VC++, use the debug runtime
* Fix compilation under Sun Studio on Linux and Solaris
* Add several functions for compatibility with 1.9
* In the examples, read most input files as binary
* The Perl build script has been removed in this release

Version 1.8.10, 2010-08-31
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Switch default PKCS #8 encryption algorithm from 3DES to AES-256
* Increase default hash iterations from 2048 to 10000 in PBES1 and PBES2
* Use small tables in the first round of AES
* Add PBKDF typedef and get_pbkdf for better compatibility with 1.9
* Add version of S2K::derive_key taking salt and iteration count
* Enable the /proc-walking entropy source on NetBSD
* Fix the doxygen makefile target

Version 1.9.10, 2010-08-12
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add a constant-time AES implementation using SSSE3. This code is
  based on public domain assembly written by `Mike Hamburg
  <http://crypto.stanford.edu/vpaes/>`_, and described in his CHES
  2009 paper "Accelerating AES with Vector Permute Instructions". In
  addition to being constant time, it is also significantly faster
  than the table-based implementation on some processors. The current
  code has been tested with GCC 4.5, Visual C++ 2008, and Clang 2.8.

* Support for dynamically loading Engine objects at runtime was also
  added. Currently only system that use ``dlopen``-style dynamic
  linking are supported.

* On GCC 4.3 and later, use the byteswap intrinsic functions.

* Drop support for building with Python 2.4

* Fix benchmarking of block ciphers in ECB mode

* Consolidate the two x86 assembly engines

* Rename S2K to PBKDF

Version 1.9.9, 2010-06-28
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

A new pure virtual function has been added to ``Filter``, ``name``
which simply returns some useful identifier for the object. Any
out-of-tree ``Filter`` implementations will need to be updated.

Add ``Keyed_Filter::valid_iv_length`` which makes it possible to query
as to what IV length(s) a particular filter allows. Previously,
partially because there was no such query mechanism, if a filter did
not support IVs at all, then calls to ``set_iv`` would be silently
ignored. Now an exception about the invalid IV length will be thrown.

The default iteration count for the password based encryption schemes
has been increased from 2048 to 10000. This should make
password-guessing attacks against private keys encrypted with versions
after this release somewhat harder.

New functions for encoding public and private keys to binary,
``X509::BER_encode`` and ``PKCS8::BER_encode`` have been added.

Problems compiling under Apple's version of GCC 4.2.1 and on 64-bit
MIPS systems using GCC 4.4 or later were fixed.

The coverage of Doxygen documentation comments has significantly
improved in this release.

Version 1.8.9, 2010-06-16
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Use constant time multiplication in IDEA

* Avoid possible timing attack against OAEP decoding

* Add new X509::BER_encode and PKCS8::BER_encode

* Enable DLL builds under Windows

* Add Win32 installer support

* Add support for the Clang compiler

* Fix problem in semcem.h preventing build under Clang or GCC 3.4

* Fix bug that prevented creation of DSA groups under 1024 bits

* Fix crash in GMP_Engine if library is shutdown and reinitialized and
  a PK algorithm was used after the second init

* Work around problem with recent binutils in x86-64 SHA-1

* The Perl build script is no longer supported and refuses to run by
  default. If you really want to use it, pass
  ``--i-know-this-is-broken`` to the script.

Version 1.9.8, 2010-06-14
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add support for wide multiplications on 64-bit Windows
* Use constant time multiplication in IDEA
* Avoid possible timing attack against OAEP decoding
* Removed FORK-256; rarely used and it has been broken
* Rename ``--use-boost-python`` to ``--with-boost-python``
* Skip building shared libraries on MinGW/Cygwin
* Fix creation of 512 and 768 bit DL groups using the DSA kosherizer
* Fix compilation on GCC versions before 4.3 (missing cpuid.h)
* Fix compilation under the Clang compiler

Version 1.9.7, 2010-04-27
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* TLS: Support reading SSLv2 client hellos
* TLS: Add support for SEED ciphersuites (RFC 4162)
* Add Comb4P hash combiner function

* Fix checking of EMSA_Raw signatures with leading 0 bytes, valid
  signatures could be rejected in certain scenarios.

Version 1.9.6, 2010-04-09
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* TLS: Add support for TLS v1.1
* TLS: Support server name indicator extension
* TLS: Fix server handshake
* TLS: Fix server using DSA certificates
* TLS: Avoid timing channel between CBC padding check and MAC verification

Version 1.9.5, 2010-03-29
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Numerous ECC optimizations
* Fix GOST 34.10-2001 X.509 key loading
* Allow PK_Signer's fault protection checks to be toggled off
* Avoid using pool-based locking allocator if we can't mlock
* Remove all runtime options
* New BER_Decoder::{decode_and_check, decode_octet_string_bigint}
* Remove SecureBuffer in favor of SecureVector length parameter
* HMAC_RNG: Perform a poll along with user-supplied entropy
* Fix crash in MemoryRegion if Allocator::get failed
* Fix small compilation problem on FreeBSD

Version 1.9.4, 2010-03-09
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add the Ajisai SSLv3/TLSv1.0 implementation

* Add GOST 34.10-2001 public key signature scheme
* Add SIMD implementation of Noekeon

* Add SSE2 implementation of IDEA

* Extend Salsa20 to support longer IVs (XSalsa20)

* Perform XTS encryption and decryption in parallel where possible

* Perform CBC decryption in parallel where possible

* Add SQLite3 db encryption codec, contributed by Olivier de Gaalon

* Add a block cipher cascade construction

* Add support for password hashing for authentication (passhash9.h)

* Add support for Win32 high resolution system timers

* Major refactoring and API changes in the public key code

* PK_Signer class now verifies all signatures before releasing them to
  the caller; this should help prevent a wide variety of fault
  attacks, though it does have the downside of hurting signature
  performance, particularly for DSA/ECDSA.

* Changed S2K interface: derive_key now takes salt, iteration count

* Remove dependency on TR1 shared_ptr in ECC and CVC code

* Renamed ECKAEG to its more usual name, ECDH

* Fix crash in GMP_Engine if library is shutdown and reinitialized

* Fix an invalid memory read in MD4

* Fix Visual C++ static builds

* Remove Timer class entirely

* Switch default PKCS #8 encryption algorithm from 3DES to AES-128

* New configuration option, ``--gen-amalgamation``, creates a pair of
  files (``botan_all.cpp`` and ``botan_all.h``) which contain the
  contents of the library as it would have normally been compiled
  based on the set configuration.

* Many headers are now explicitly internal-use-only and are not installed

* Greatly improve the Win32 installer

* Several fixes for Visual C++ debug builds

Version 1.9.3, 2009-11-19
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add new AES implementation using Intel's AES instruction intrinsics
* Add an implementation of format preserving encryption
* Allow use of any hash function in X.509 certificate creation
* Optimizations for MARS, Skipjack, and AES
* Set macros for available SIMD instructions in build.h
* Add support for using InnoSetup to package Windows builds
* By default build a DLL on Windows

Version 1.8.8, 2009-11-03
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Alter Skein-512 to match the tweaked 1.2 specification
* Fix use of inline asm for access to x86 bswap function
* Allow building the library without AES enabled
* Add 'powerpc64' alias to ppc64 arch for Gentoo ebuild

Version 1.9.2, 2009-11-03
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^