Botan 1.8.9: Timing attack fixes, Windows DLL, new encoder functions
Botan 1.8.9, the latest release in the stable branch, is now available.
The main driver for this release is a couple of security-related fixes: possible timing channels that could be used against OAEP decoding and the IDEA block cipher were removed. If you use either OAEP (EME1) or IDEA, you should upgrade as soon as possible.
Three new functions were added in this release: X509::BER_encode and two variants of PKCS8::BER_encode. Previously, the only way to BER encode a key as raw binary, without PEM encoding, was using X509::encode, PKCS8::encode, or PKCS8::encrypt_key, all of which required using a Pipe which would receive the key data. A number of uses I found of these functions simply started a Pipe with no filters and immediately read out the contents as a bitstring, so the new functions provide this functionality directly. The previous encode functions are reduced to just:
    if(encoding == PEM)
       pipe.write(PEM_encode(key));
    else
       pipe.write(BER_encode(key));
X509::encode, PKCS8::encode, and PKCS8::encrypt_key are now deprecated, and may be removed in a future release. Simply call PEM_encode or BER_encode instead, depending on whatever you were using for the encoding argument.
A bug in the FIPS 186-3 kosherizer prevented creating DSA groups that had 512 or 768 bit p values. Not that using a 512 or 768 bit (or 1024 bit, for that matter) DSA key is a particularly good idea anymore.
The GNU MP backend engine would crash if the library was initialized, shut down, and reinitialized, and a PK algorithm was then used after the second init.
This release has a number of build changes. Perhaps most noticeable for Windows users is that a DLL is now built by default; if you want a static library, use the option --disable-shared. A Windows installer script (for use with InnoSetup) is created during configuration on Windows. Prebuilt binaries for 1.8.9 for 32 and 64 bit Windows should be available soon.
Botan 1.8 currently has two scripts that can be used to configure the build - one in Perl that traces back to the first release, and a newer one written in Python. For the last year, the Perl version has warned that it was deprecated and recommended migration to the Python script. As of this release, the Perl script is no longer maintained, tested, or supported in any way. Additionally, it will not run at all by default; you must pass the option --i-know-this-is-broken first.
Some bugs that prevented compiling with the LLVM/Clang compiler, GCC 3.4, and with very recent versions of GNU binutils (x86-64 only) were also fixed.
Posted 2010/06/16 in releases