Package Release Info

Update Info: openSUSE-2022-10211
Available in Package Hub : 15 SP4 Update

Change Logs

Version: 2.10.0-bp151.1.5
* Tue Apr 02 2019 Daniel Molkentin <>
- Update to Botan 2.10
  * Bump SONAME
  * Warning: XMSS currently implements draft-06 which is not compatible with
    the final RFC 8391 specification. A PR is open to fix this, however it will
    break all current uses of XMSS. If you are currently using XMSS please
    comment at Otherwise the PR
    will be merged and support for draft-06 will be removed starting in 2.11.
  * Added a new certificate store implementation that can access the MacOS
    keychain certificate store. (GH #1830)
  * Redesigned Memory_Pool class, which services allocations out of a set of
    pages locked into memory (using mlock/VirtualLock). It is now faster and
    with improved exploit mitigations. (GH #1800)
  * Add BMI2 implementations of SHA-512 and SHA-3 which improve performance by
    25-35% on common CPUs. (GH #1815)
  * Unroll SHA-3 computation improving performance by 10-12% (GH #1838)
  * Add a Thread_Pool class. It is now possible to run the tests in multiple
    threads with --test-threads=N flag to select the number of threads to use.
    Use --test-threads=0 to run with as many CPU cores as are available on the
    current system. The default remains single threaded. (GH #1819)
  * XMSS signatures now uses a global thread pool instead of spawning new
    threads for each usage. This improves signature generation performance by
    between 10% and 60% depending on architecture and core count. (GH #1864)
  * Some functions related to encoding and decoding BigInts have been
    deprecated. (GH #1817)
  * Binary encoding and decoding of BigInts has been optimized by performing
    word-size operations when possible. (GH #1817)
  * Rename the exception Integrity_Failure to Invalid_Authentication_Tag to
    make its meaning and usage more clear. The old name remains as a typedef.
    (GH #1816)
  * Support for using Boost filesystem and MSVC's std::filesystem have been
    removed, since already POSIX and Win32 versions had to be maintained for
    portability. (GH #1814)
  * Newly generated McEliece and XMSS keys now default to being encrypted using
    SIV mode, support for which was added in 2.8.0. Previously GCM was used by
    default for these algorithms.
  * Use arc4random on Android systems (GH #1851)
  * Fix the encoding of PGP-S2K iteration counts (GH #1853 #1854)
  * Add a facility for sandboxing the command line util. Currently FreeBSD
    (Capsicum) and OpenBSD (pledge) sandboxes are supported. (GH #1808)
  * Use if constexpr when available.
  * Disable building shared libs on iOS as it was broken and it is not clear
    shared libraries are ever useful on iOS (GH #1865)
  * Renamed the darwin build target to macos. This should not cause any
    user-visible change. (GH #1866)
  * Add support for using sccache to cache the Windows CI build (GH #1807)
  * Add --extra-cxxflags option which allows adding compilation flags without
    overriding the default set. (GH #1826)
  * Add --format= option to the hash cli which allows formatting the output as
    base64 or base58, default output remains hex.
  * Add base58_enc and base58_dec cli utils for base58 encoding/decoding. (GH #1848)
  * Enable getentropy by default on macOS (GH #1862)
  * Avoid using -momit-leaf-frame-pointer flags, since -fomit-frame-pointer is
    already the default with recent versions of GCC.
  * Fix XLC sanitizer flags.
  * Rename Blake2b class to BLAKE2b to match the official name. There is a typedef for compat.
  * Fix a bug where loading a raw Ed25519_PublicKey of incorrect length would
    lead to a crash. (GH #1850)
  * Fix a bug that caused compilation problems using CryptoNG PRNG. (GH #1832)
  * Extended SHAKE-128 cipher to support any key between 1 and 160 bytes,
    instead of only multiples of 8 bytes.
  * Minor HMAC optimizations.
  * Build fixes for GNU/Hurd.
  * Fix a bug that prevented generating or verifying Ed25519 signatures in the
    CLI (GH #1828 #1829)
  * Fix a compilation error when building the amalgamation outside of the
    original source directory when AVX2 was enabled. (GH #1812)
  * Fix a crash when creating the amalgamation if a header file was edited on
    Windows but then the amalgamation was built on Linux (GH #1763)
* Thu Jan 10 2019 Daniel Molkentin <>
- Update to Botan 2.9
  * Bump SONAME
  * CVE-2018-20187 Address a side channel during ECC key generation, which used an
    unblinded Montgomery ladder. As a result, a timing attack can reveal
    information about the high bits of the secret key.
  * Fix bugs in TLS which caused negotiation failures when the client used an
    unknown signature algorithm or version (GH #1711 #1709 #1708)
  * Fix bug affecting GCM, EAX and ChaCha20Poly1305 where if the associated data
    was set after starting a message, the new AD was not reflected in the produced
    tag. Now with these modes setting an AD after beginning a message throws an
  * Use a smaller sieve which improves performance of prime generation.
  * Fixed a bug that caused ChaCha to produce incorrect output after encrypting 256
    GB. (GH #1728)
  * Add NEON and AltiVec implementations of ChaCha (GH #1719 #1728 #1729)
  * Optimize AVX2 ChaCha (GH #1730)
  * Many more operations in BigInt, ECC and RSA code paths are either fully const
    time or avoid problematic branches that could potentially be exploited in a
    side channel attack. (GH #1738 #1750 #1754 #1755 #1757 #1758 #1759 #1762 #1765
    [#1770] #1773 #1774 #1779 #1780 #1794 #1795 #1796 #1797)
  * Several optimizations for BigInt and ECC, improving ECDSA performance by as
    much as 30%. (GH #1734 #1737 #1777 #1750 #1737 #1788)
  * Support recovering an ECDSA public key from a message/signature pair (GH #664
  * Add base58 encoding/decoding functions (GH #1783)
  * In the command line interface, add support for reading passphrases from the
    terminal with echo disabled (GH #1756)
  * Add CT::Mask type to simplify const-time programming (GH #1751)
  * Add new configure options --disable-bmi2, --disable-rdrand, and
    --disable-rdseed to prevent use of those instruction sets.
  * Add error_type and error_code functions to Exception type (GH #1744)
  * Now on POSIX systems posix_memalign is used instead of mmap for allocating the
    page-locked memory pool. This avoids issues with fork. (GH #602 #1798)
  * When available, use RDRAND to generate the additional data in
  * Use vzeroall/vzeroupper intrinsics to avoid AVX2/SSE transition penalties.
  * Support for Visual C++ 2013 has been removed (GH #1557 #1697)
  * Resolve a memory leak when verifying ECDSA signatures with versions of OpenSSL
    before 1.1.0 (GH #1698)
  * Resolve a memory leak using ECDH via OpenSSL (GH #1767)
  * Fix an error in XTS which prohibited encrypting values which were exactly the
    same length as the underlying block size. Messages of this size are allowed by
    the standard and other XTS implementations. (GH #1706)
  * Resolve a bug in TSS which resulted in it using an incorrect length field in
    the shares. Now the correct length is encoded, but either correct or buggy
    lengths are accepted when decoding. (GH #1722)
  * Correct a bug when reducing a negative BigInt modulo a small power of 2. (GH
  * Add CLI utils for threshold secret splitting. (GH #1722)
  * Fix a bug introduced in 2.8.0 that caused compilation failure if using a single
    amalgamation file with AVX2 enabled. (GH #1700)
  * Add an explicit OS target for Emscripten and improve support for it. (GH #1702)
  * Fix small issues when building for QNX
  * Switch the Travis CI build to using Ubuntu 16.04 (GH #1767)
  * Add options to to disable generation of pkg-config file, and (for
    systems where pkg-config support defaults to off, like Windows), to enable
    generating it. (GH #1268)
  * Modify to accept empty lists or trailing/extra commas. (GH #1705)
- Update to Botan 2.8
  * Add support for using Apple CommonCrypto library for hashing (GH #1667),
    cipher modes (GH #1674) and block ciphers (GH #1673).
  * Support for negotiating TLS versions 1.0 and 1.1 is disabled in the default
    TLS policy. In addition, support for negotiating TLS ciphersuites using CBC
    or CCM mode is disabled by default. Applications which need to interop with
    old peers must enable these in their TLS policy object. (GH #1651)
  * During primality testing, use a Lucas test in addition to Miller-Rabin. It
    is possible to construct a composite integer which passes n Miller-Rabin
    tests with probability (1/4)^n. So for a incautious verifier using a small
    number of tests (under 16 or so) it is possible if unlikely they would
    accept such a composite as prime. Adding a Lucas test precludes such an
    attack. (GH #1636)
  * Add XChaCha and XChaCha20Poly1305 (GH #1640)
  * Add AVX2 implementations of ChaCha (GH #1662) and Serpent (GH #1660)
  * Add a new password hashing interface in pwdhash.h (GH #1670)
  * C binding improvements. Added functions to get name and supported
    keylengths of cipher, hash and MAC objects, support for FE1 format
    preserving encryption (GH #1625 #1646), functions to load and save RSA keys
    in PKCS #1 format (GH #1621), HOTP and TOTP algorithms, scrypt, certificate
    verification (GH #1647), functions to get the output length of public key
    operations (GH #1642), and functions for loading and serializing X25519
    keys (GH #1681)
  * Support for building with BOTAN_MP_WORD_BITS set to 8 or 16 has been removed.
  * Previously SM2 had two distinct key types, one for signatures and another
    for encryption. They have now been merged into a single key type since in
    practice it seems the same key is at times used for both operations. (GH
  * The Cipher_Mode class now derives from SymmetricAlgorithm (GH #1639)
  * Add support for using the ARMv8 instructions for SM4 encryption (GH #1622)
  * The entropy source using SecRandomCopyBytes has been removed as it was
    redundant with other entropy sources (GH #1668)
  * The Python module has much better error checking and reporting, and offers
    new functionality such as scrypt, MPI and FPE. (GH #1643 #1646)
  * Fixed a bug that caused CCM to fail with an exception when used with L=8 (GH #1631 #1632)
  * The default bcrypt work factor has been increased from 10 to 12.
  * The default algorithm used in passhash9 has changed from SHA-256 to
    SHA-512, and the default work factor increased from 10 to 15.
  * In ECC private keys, include the public key data for compatibility with GnuTLS (GH #1634 #1635)
  * Add support for using Linux getrandom syscall to access the system PRNG.
    This is disabled by default, use --with-os-feature=getrandom to enable.
  * It is now possible to encrypt private keys using SIV mode.
  * The FFI function botan_privkey_load now ignores its rng argument.
  * Resolve a problem when building under Visual C++ 15.8 (GH #1624)
  * Fix a bug in XSalsa20 (192-bit Salsa nonces) where if set_iv was called
    twice without calling set_key, the resulting encryption was incorrect. (GH
  * Handle an error seen when verifying invalid ECDSA signatures using LibreSSL
    on non x86-64 platforms (GH #1627 #1628)
  * Fix bugs in PKCS7 and X9.23 CBC padding schemes, which would ignore the
    first byte in the event the padding took up the entire block. (GH #1690)
  * Correct bugs which would cause CFB, OCB, and GCM modes to crash when they
    were used in an unkeyed state. (GH #1639)
  * Optimizations for SM4 and Poly1305
  * Avoid a cache side channel in the AES key schedule
  * Add pk_encrypt and pk_decrypt CLI operations
  * Now asn1print CLI defaults to printing context-specific fields.
  * Use codec_base for Base64, which matches how Base32 is implemented (GH #1597)
  * The cast module has been split up into cast128 and cast256 (GH #1685)
  * When building under Visual C++ 2013, the user must acknowledge the upcoming
    removal of support using the flag --ack-vc2013-deprecated (GH
* Tue Jul 31 2018
- Fix version in baselibs.conf
* Tue Jul 10 2018
- Update to Botan 2.7
  * CVE-2018-12435 Avoid a side channel in ECDSA signature generation (GH
  * Avoid a side channel in RSA key generation due to use of a non-constant
    time gcd algorithm. (GH #1542 #1556)
  * Optimize prime generation, especially improving RSA key generation. (GH
  * Make Karatsuba multiplication, Montgomery field operations, Barrett
    reduction and Montgomery exponentiation const time (GH #1540 #1606 #1609
  * Optimizations for elliptic curve operations especially improving reductions
    and inversions modulo NIST primes (GH #1534 #1538 #1545 #1546 #1547 #1550)
  * Add 24 word wide Comba multiplication, improving 3072-bit RSA and DH by
    ~25%. (GH #1564)
  * Unroll Montgomery reduction for specific sizes (GH #1603)
  * Improved performance of signature verification in ECGDSA, ECKCDSA, SM2 and
    GOST by 10-15%.
  * XMSS optimizations (GH #1583 #1585)
  * Fix an error that meant XMSS would only sign half as many signatures as is
    allowed (GH #1582)
  * Add support for base32 encoding/decoding (GH #1541)
  * Add BMI2 optimized version of SHA-256, 40% faster on Skylake (GH #1584)
  * Allow the year to be up to 2200 in ASN.1 time objects. Previously this was
    limited to 2100. (GH #1536)
  * Add support for Scrypt password hashing (GH #1570)
  * Add support for using Scrypt for private key encryption (GH #1574)
  * Optimizations for DES/3DES, approx 50% faster when used in certain modes
    such as CBC decrypt or CTR.
  * XMSS signature verification did not check that the signature was of the
    expected length which could lead to a crash. (GH #1537)
  * The bcrypt variants 2b and 2y are now supported.
  * Support for 192-bit Suite B TLS profile is now implemented, as the 128-bit
    Suite B is since 2015 not allowed anymore.
  * Previously botan allowed GCM to be used with an empty nonce, which is not
    allowed by the specification. Now such nonces are rejected.
  * Avoid problems on Windows when compiling in Unicode mode (GH #1615 #1616)
  * Previously for ASN.1 encoded signatures (eg ECDSA) Botan would accept any
    valid BER encoding. Now only the single valid DER encoding is accepted.
  * Correct an error that could in rare cases cause an internal error exception
    when doing computations with the P-224 curve.
  * Optimizations to reduce allocations/copies during DER encoding and BER
    decoding (GH #1571 #1572 #1600)
  * Botan generates X.509 subject key IDs by hashing the public key with
    whatever hash function is being used to sign the certificate. However
    especially for SHA-512 this caused SKIDs that were far longer than
    necessary. Now all SKIDs are truncated to 192 bits.
  * In the test suite use mkstemp to create temporary files instead of creating
    them in the current working directory. (GH #1533 #1530)
  * It is now possible to safely override CXX when invoking make in addition to
    when is run. (GH #1579)
  * OIDs for Camellia and SM4 in CBC and GCM mode are now defined, making it
    possible to use these algorithms for private key encryption.
  * Avoid creating symlinks to the shared object on OpenBSD (#1535)
  * The factor command runs much faster on larger inputs now.
  * Support for Windows Phone/UWP was deprecated starting in 2.5. This
    deprecation has been reversed as it seems UWP is still actively used. (GH
    [#1586] #1587)
  * Support for Visual C++ 2013 is deprecated, and will be removed in Jan 2019.
  * Added support for GCC's --sysroot option to for
Version: 2.10.0-bp151.3.3.1
* Fri Apr 16 2021 Ferdinand Thiessen <>
- Botan 2.18.0
  * Add support for implementing custom RNG objects through the FFI
  * Improve safegcd bounds, improving runtime performance
  * Reject non-TLS messages as quickly as possible without waiting
    for a full record.
  * Fixes for TLS::Stream::async_shutdown
- Removed unneeded GNU MP build requirement, support was dropped
  with version 1.11.10
- Enabled check target, verify integrity of build library
Version: 2.10.0-bp153.3.3.1
* Thu Nov 17 2022 Jason Sikes <>
- Fixed [CVE-2022-43705,bsc#1205509]
  * Added Botan-CVE-2022-43705.patch
  * Added Botan-CVE-2022-43705-certs.tgz
  * validate that an embedded certificate was issued by the end-entity
    issuing certificate authority when checking OCSP responses.
Version: 2.18.2-bp154.1.30
* Wed Nov 24 2021 Dirk Müller <>
- update to 2.18.2:
  * Avoid using short exponents when encrypting in ElGamal, as some PGP
    implementations generate keys with parameters that are weak when
    short exponents are used CVE-2021-40529 boo#1190244
  * Fix a low risk OAEP decryption side channel
  * Work around a miscompilation of SHA-3 caused by a bug in Clang 12
    and XCode 13
  * Remove support in OpenSSL provider for algorithms which are
    disabled by default in OpenSSL 3.0
  * Add CI based on GitHub actions to replace Travis CI
  * Fix the online OCSP test, as the certificate involved had expired.
  * Fix some test failures induced by the expiration of the trust root
    "DST Root CA X3"
* Mon May 10 2021 Andreas Stieger <>
- Botan 2.18.1:
  * Fix a build regression in 2.18.0 which caused linker flags
    which contain -l within them (such as -fuse-linker-plugin)
    to be misinterpreted
  * Fix a bug which caused decoding a certificate which contained
    more than one name in a single RDN
  * Fix a bug which caused OID lookup failures when run in a locale
    which uses thousands separators (pt_BR was reported as having
    this issue)
  * DNS names in name constraints were compared with case
    sensitivity, which could cause valid certificates to be
  * X.509 name constraint extensions were rejected if non-critical.
    RFC 5280 requires conforming CAs issue such extensions as
    critical, but not all certificates are compliant, and all other
    known implementations do not require this
  * X.509 name constraints were incorrectly applied to the
    certificate which included the constraint
- build with lzma compression support
- build with SQLite support
- build with TPM support
- fix SLE 12 build
* Wed Dec 23 2020 Andreas Stieger <>
- Botan 2.17.3:
  * Harden against side-channels from decoding secret values by
    changing the base64, base58, base32, and hex encoding and
    decoding operations to run in constant time
* Fri Nov 13 2020 Andreas Stieger <>
- Botan 2.17.2:
  * Fix build problem on ppc64
  * Resolve an issue in the modular square root algorithm
* Sat Nov 07 2020 Andreas Stieger <>
- Botan 2.17.1:
  * Fix bugs in ECDSA signature generation and verifications under
    specific circumstances
  * developer visible changes, including deprecation with warnings
  * optimization in the non-hardware assisted AES key generation
  * Add more detection logic for AVX-512 features
  * Fix a bug parsing deeply nested cipher names
  * Prevent requesting DER encoding of signatures when the
    algorithm did not support it
* Tue Oct 27 2020 Pedro Monreal <>
- Update to 2.16.0:
  * Now userspace PRNG objects (such as AutoSeeded_RNG and HMAC_DRBG)
    use an internal lock, which allows safe concurrent use. This
    however is purely a precaution in case of accidental sharing of
    such RNG objects; for performance reasons it is always preferable
    to use a RNG per thread if a userspace RNG is needed.
  * DL_Group and EC_Group objects now track if they were created
    from a known trusted group (such as P-256 or an IPsec DH
    parameter). If so, then verification tests can be relaxed, as
    compared to parameters which may have been maliciously
    constructed in order to pass primality checks.
  * RandomNumberGenerator::add_entropy_T assumed its input was a POD
    type but did not verify this.
  * Support OCSP responders that live on a non-standard port.
  * Add support for Solaris sandbox.
  * Support suffixes on release numbers for alpha/beta releases.
  * Fix a bug in EAX which allowed requesting a 0 length tag, which
    had the effect of using a full length tag. Instead omit the
    length field, or request the full tag length explicitly.
  * Fix a memory leak in GCM where if passed an unsuitable block
    cipher (eg not 128 bit) it would throw an exception and leak
    the cipher object.
* Sun Aug 16 2020 Dirk Mueller <>
- update to 2.15:
  * Fix a bug where the name constraint extension did not constrain the alternative
    DN field which can be included in a subject alternative name. This would allow
    a corrupted sub-CA which was otherwise constrained by a name constraint to
    issue a certificate with a prohibited DN.
  * Fix a bug in the TLS server during client authentication where if a
    (disabled by default) static RSA ciphersuite was selected, then no certificate
    request would be sent. This would have an equivalent effect to a client which
    simply replied with an empty Certificate message. (GH #2367)
  * Replace the T-Tables implementation of AES with a 32-bit bitsliced version. As
    a result AES is now constant time on all processors. (GH #2346 #2348 #2353
    [#2329] #2355)
  * In TLS, enforce that the key usage given in the server certificate allows the
    operation being performed in the ciphersuite. (GH #2367)
  * In X.509 certificates, verify that the algorithm parameters are the expected
    NULL or empty. (GH #2367)
  * Change the HMAC key schedule to attempt to reduce the information leaked from
    the key schedule with regards to the length of the key, as this is at times (as
    for example in PBKDF2) sensitive information. (GH #2362)
  * Add Processor_RNG which wraps RDRAND or the POWER DARN RNG instructions. The
    previous RDRAND_RNG interface is deprecated. (GH #2352)
  * The documentation claimed that mlocked pages were created with a guard page
    both before and after. However only a trailing guard page was used. Add a
    leading guard page. (GH #2334)
  * Add support for generating and verifying DER-encoded ECDSA signatures in the C
    and Python interfaces. (GH #2357 #2356)
  * Workaround a bug in GCC's UbSan which triggered on a code sequence in XMSS (GH
  * When building documentation using Sphinx avoid parallel builds with version 3.0
    due to a bug in that version (GH #2326 #2324)
  * Fix a memory leak in the CommonCrypto block cipher calls (GH #2371)
  * Fix a flaky test that would occasionally fail when running the tests with a
    large number of threads. (GH #2325 #2197)
  * Additional algorithms are now deprecated: XTEA, GOST, and Tiger. They will be
    removed in a future major release.
* Wed Apr 08 2020 Paolo Stivanin <>
- Update to Botan 2.14:
  * Add support for using POWER8+ VPSUMD instruction to accelerate GCM (GH #2247)
  * Optimize the vector permute AES implementation, especially improving
    performance on ARMv7, Aarch64, and POWER. (GH #2243)
  * Use a new algorithm for modular inversions which is both faster
    and more resistant to side channel attacks. (GH #2287 #2296 #2301)
  * Address an issue in CBC padding which would leak the length of the plaintext
    which was being padded. Unpadding during decryption was not affected.
  * Optimize NIST prime field reductions, improving ECDSA by 3-9% (GH #2295)
  * Increase the size of the ECC blinding mask and scale it based on the
    size of the group order. (GH #880 #893 #2308)
  * Add server side support for the TLS asio wrapper. (GH #2229)
  * Add support for using Windows certificate store on MinGW (GH #2280)
  * Add a CLI utility cpu_clock which estimates the speed of the processor cycle counter.
  * Add Roughtime client (GH #2143 #1842)
  * Add support for XMSS X.509 certificates (GH #2172)
  * Add support for X.509 CRLs in FFI layer and Python wrapper (GH #2213)
  * Add AVX2 implementation of SHACAL2 (GH #2196)
  * Support more functionality for X.509 in the Python API (GH #2165)
  * Add generic CPU target useful when building for some new or unusual platform.
  * Disable MD5 in BSI or NIST modes (GH #2188)
  * Many currently public headers are being deprecated. If any such header is included by
    an application, a warning is issued at compile time.
    Headers issuing this warning will be made internal in a future major release.
  * RSA signature performance improvements (GH #2068 #2070)
  * Performance improvements for GCM (GH #2024 #2099 #2119), OCB (#2122), XTS (#2123) and
    ChaCha20Poly1305 (GH #2117), especially for small messages.
  * Add support for constant time AES using NEON and AltiVec (GH #2093 #2095 #2100)
  * Improve performance of POWER8 AES instructions (GH #2096)
  * Add support for the POWER9 hardware random number generator (GH #2026)
  * Add support for 64-bit version of RDRAND, doubling performance on x86-64 (GH #934 #2022)
  * In DTLS server, support a client crashing and then reconnecting from the same
    source port, as described in RFC 6347 sec 4.2.8 (GH #2029)
  * Optimize DTLS MTU splitting to split precisely to the set MTU (GH #2042)
  * Add support for the TLS v1.3 downgrade indicator. (GH #2027)
  * Add Argon2 PBKDF and password hash (GH #459 #1981 #1987)
  * Add Bcrypt-PBKDF (GH #1990)
  * Add server side support for issuing DTLS HelloVerifyRequest messages (GH #1999)
  * Add support for the TLS v1.3 supported_versions extension. (GH #1976)
  * Add Ed25519ph compatible with RFC 8032 (GH #1699 #2000)
  * Add support for OCSP stapling on server side. (GH #1703 #1967)
  * Add a boost::asio TLS stream compatible with boost::asio::ssl. (GH #1839 #1927 #1992)
  * Add a certificate store for Linux/Unix systems. (GH #1885 #1936)
  * Various Fixes