diff -Nru botan1.10-1.10.5/botan_version.py botan1.10-1.10.8/botan_version.py --- botan1.10-1.10.5/botan_version.py 2013-03-02 21:19:38.000000000 +0000 +++ botan1.10-1.10.8/botan_version.py 2014-04-10 14:11:44.000000000 +0000 @@ -1,9 +1,11 @@ release_major = 1 release_minor = 10 -release_patch = 5 +release_patch = 8 -release_vc_rev = 'mtn:b20e0bf2e33c620314250dcb82eeb479219a0cfd' release_so_abi_rev = 0 -release_datestamp = 0 +# These are set by the distribution script +release_vc_rev = 'mtn:3e5da04321de05a3ae1f7177e0dd2191e598dca7' +release_datestamp = 20140410 +release_type = 'released' diff -Nru botan1.10-1.10.5/checks/bench.cpp botan1.10-1.10.8/checks/bench.cpp --- botan1.10-1.10.5/checks/bench.cpp 2013-03-02 21:19:35.000000000 +0000 +++ botan1.10-1.10.8/checks/bench.cpp 2014-04-10 14:11:43.000000000 +0000 @@ -150,8 +150,8 @@ std::cout << algo; -#if (defined(__GNUC__) && __GNUC__ <= 3) || defined(__SUNPRO_CC) - // Work around GCC 3.x bug, reverse iterators don't work +#if (defined(__GNUC__) && __GNUC__ <= 3) || defined(__SUNPRO_CC) || defined(__ANDROID__) + // Work around bug in various compilers where map rev iterators don't work for(std::map::const_iterator i = results.begin(); i != results.end(); ++i) #else for(std::map::const_reverse_iterator i = results.rbegin(); i != results.rend(); ++i) diff -Nru botan1.10-1.10.5/checks/check.cpp botan1.10-1.10.8/checks/check.cpp --- botan1.10-1.10.5/checks/check.cpp 2013-03-02 21:19:35.000000000 +0000 +++ botan1.10-1.10.8/checks/check.cpp 2014-04-10 14:11:43.000000000 +0000 @@ -138,6 +138,8 @@ #endif } + Botan::AutoSeeded_RNG rng; + if(opts.is_set("help") || argc <= 1) { std::cerr << "Test driver for " 
@@ -151,8 +153,6 @@ return 1; } - Botan::AutoSeeded_RNG rng; - if(opts.is_set("validate") || opts.is_set("test")) { return run_test_suite(rng); diff -Nru botan1.10-1.10.5/configure.py botan1.10-1.10.8/configure.py --- botan1.10-1.10.5/configure.py 2013-03-02 21:19:36.000000000 +0000 +++ botan1.10-1.10.8/configure.py 2014-04-10 14:11:44.000000000 +0000 @@ -544,7 +544,7 @@ lex_me_harder(infofile, self, ['source', 'header:internal', 'header:public', 'requires', 'os', 'arch', 'cc', 'libs', - 'comment'], + 'comment', 'warning'], { 'load_on': 'auto', 'define': [], @@ -604,6 +604,11 @@ else: self.comment = None + if self.warning != []: + self.warning = ' '.join(self.warning) + else: + self.warning = None + def sources(self): return self.source @@ -1321,6 +1326,8 @@ logging.info('Using SIMD module ' + mod) if modules[mod].comment: logging.info('%s: %s' % (mod, modules[mod].comment)) + if modules[mod].warning: + logging.warning('%s: %s' % (mod, modules[mod].warning)) logging.debug('Loading modules %s', ' '.join(sorted(to_load))) @@ -1780,7 +1787,7 @@ gcc_version = stdout.strip() logging.info('Detected gcc version %s' % (gcc_version)) - return map(int, gcc_version.split('.')[0:2]) + return [int(v) for v in gcc_version.split('.')] except OSError: logging.warning('Could not execute %s for version check' % (gcc_bin)) return None @@ -1880,7 +1887,7 @@ main() except Exception as e: logging.error(str(e)) - #import traceback - #traceback.print_exc(file=sys.stderr) + import traceback + logging.debug(traceback.format_exc()) sys.exit(1) sys.exit(0) diff -Nru botan1.10-1.10.5/debian/changelog botan1.10-1.10.8/debian/changelog --- botan1.10-1.10.5/debian/changelog 2014-03-15 16:55:06.000000000 +0000 +++ botan1.10-1.10.8/debian/changelog 2014-08-25 08:59:02.000000000 +0000 
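Review bot: In the gcc version hunk of configure.py, `[int(v) for v in gcc_version.split('.')]` now converts every dot-separated component, but the surrounding `try` only catches `OSError`. A version string with a non-numeric component would raise `ValueError` out of this function, and the old code limited that exposure to the first two components. The return value also changes from two elements to as many as the compiler prints, so any caller that unpacks exactly two values needs checking; callers are not visible in this hunk. A separate `except ValueError:` branch that logs the unparsable string and returns `None` would keep the failure mode consistent with the existing one.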
@@ -1,10 +1,25 @@ -botan1.10 (1.10.5-1ubuntu1) trusty; urgency=medium +botan1.10 (1.10.8-2) unstable; urgency=medium - * ppc64el-support.patch: Add powerpc64le support to the upstream build - system and update ppc64/altivec support for power7+ and power8 CPUs. - * arm64-support.patch: Add arm64 support to the upstream build system. + * Add ppc64el and arm64 support (Closes: #741691) + * Add support for or1k (Closes: #749267) + * Use correct Vcs-* links - -- Adam Conrad Sat, 15 Mar 2014 10:26:49 -0600 + -- Ondřej Surý Mon, 25 Aug 2014 10:49:33 +0200 + +botan1.10 (1.10.8-1) unstable; urgency=medium + + * New upstream version 1.10.8 + * Use debhelper 9 (dpkg-buildflags) instead of hardening-wrapper + * Update watch file to look for v.1.10.x + * Update patches for 1.10.8 release + + -- Ondřej Surý Mon, 30 Jun 2014 10:09:50 +0200 + +botan1.10 (1.10.5-2) unstable; urgency=low + + * Add support MIPS64(el) and MIPSN32(el) (Closes: #726128) + + -- Ondřej Surý Mon, 14 Oct 2013 11:34:13 +0200 botan1.10 (1.10.5-1) unstable; urgency=low diff -Nru botan1.10-1.10.5/debian/compat botan1.10-1.10.8/debian/compat --- botan1.10-1.10.5/debian/compat 2013-03-04 08:26:55.000000000 +0000 +++ botan1.10-1.10.8/debian/compat 2014-08-25 08:59:02.000000000 +0000 @@ -1 +1 @@ -7 +9 diff -Nru botan1.10-1.10.5/debian/control botan1.10-1.10.8/debian/control --- botan1.10-1.10.5/debian/control 2014-03-15 16:27:49.000000000 +0000 +++ botan1.10-1.10.8/debian/control 2014-08-25 08:59:02.000000000 +0000 
@@ -1,23 +1,25 @@ Source: botan1.10 Section: libs Priority: optional -Maintainer: Ubuntu Developers -XSBC-Original-Maintainer: Ondřej Surý -Build-Depends: - debhelper (>= 7.0.50~), libbz2-dev, libgmp3-dev, libssl-dev, python, - zlib1g-dev, hardening-wrapper -Standards-Version: 3.9.2 +Maintainer: Ondřej Surý +Build-Depends: debhelper (>= 9), + libbz2-dev, + libgmp3-dev, + libssl-dev, + python, + zlib1g-dev +Standards-Version: 3.9.5 Homepage: http://botan.randombit.net/ -Vcs-Browser: http://git.debian.org/?p=pkg-nlnetlabs/botan1.10.git -Vcs-Git: git://git.debian.org/pkg-nlnetlabs/botan1.10.git +Vcs-Browser: http://anonscm.debian.org/?p=pkg-nlnetlabs/botan1.10.git +Vcs-Git: git://anonscm.debian.org/pkg-nlnetlabs/botan1.10.git Package: botan1.10-dbg Section: debug Priority: extra Architecture: any -Depends: - ${misc:Depends}, libbotan-1.10-0 (= ${binary:Version}), - libbotan1.10-dev (= ${binary:Version}) +Depends: ${misc:Depends}, + libbotan-1.10-0 (= ${binary:Version}), + libbotan1.10-dev (= ${binary:Version}) Description: multiplatform crypto library (debug) Botan is a C++ library which provides support for many common cryptographic operations, including encryption, authentication, and X.509v3 certificates and @@ -29,7 +31,8 @@ Package: libbotan-1.10-0 Section: libs Architecture: any -Depends: ${misc:Depends}, ${shlibs:Depends} +Depends: ${misc:Depends}, + ${shlibs:Depends} Description: multiplatform crypto library Botan is a C++ library which provides support for many common cryptographic operations, including encryption, authentication, and X.509v3 certificates and 
@@ -39,7 +42,8 @@ Package: libbotan1.10-dev Section: libdevel Architecture: any -Depends: ${misc:Depends}, libbotan-1.10-0 (= ${binary:Version}) +Depends: ${misc:Depends}, + libbotan-1.10-0 (= ${binary:Version}) Conflicts: libbotan1.6-dev Replaces: libbotan1.6-dev Description: multiplatform crypto library (development) diff -Nru botan1.10-1.10.5/debian/patches/add-arm64-support.patch.diff botan1.10-1.10.8/debian/patches/add-arm64-support.patch.diff --- botan1.10-1.10.5/debian/patches/add-arm64-support.patch.diff 1970-01-01 00:00:00.000000000 +0000 +++ botan1.10-1.10.8/debian/patches/add-arm64-support.patch.diff 2014-08-25 08:59:02.000000000 +0000 @@ -0,0 +1,32 @@ +Description: Add support for arm64. +Author: Adam Conrad + +--- /dev/null ++++ botan1.10/src/build-data/arch/aarch64.txt +@@ -0,0 +1,6 @@ ++endian little ++ ++ ++arm64 # For Debian ++ ++ +--- botan1.10.orig/src/build-data/cc/gcc.txt ++++ botan1.10/src/build-data/cc/gcc.txt +@@ -75,6 +75,7 @@ sh4 -> "-m4 -mieee" + + alpha -> "-mcpu=SUBMODEL" alpha- + arm -> "-march=SUBMODEL" ++aarch64 -> "-mtune=generic" + superh -> "-mSUBMODEL" sh + hppa -> "-march=SUBMODEL" hppa + ia64 -> "-mtune=SUBMODEL" +--- botan1.10.orig/src/math/mp/mp_asm64/info.txt ++++ botan1.10/src/math/mp/mp_asm64/info.txt +@@ -8,6 +8,7 @@ mp_generic:mp_asmi.h + + + ++aarch64 + alpha + ia64 + mips64 diff -Nru botan1.10-1.10.5/debian/patches/add-mips64-mipsn32-support.diff botan1.10-1.10.8/debian/patches/add-mips64-mipsn32-support.diff --- botan1.10-1.10.5/debian/patches/add-mips64-mipsn32-support.diff 1970-01-01 00:00:00.000000000 +0000 +++ botan1.10-1.10.8/debian/patches/add-mips64-mipsn32-support.diff 2014-08-25 08:59:02.000000000 +0000 
@@ -0,0 +1,46 @@ +--- /dev/null ++++ botan1.10/src/build-data/arch/mipsn32.txt +@@ -0,0 +1,22 @@ ++ ++mipsn32el # For Debian ++ ++ ++ ++r4000 ++r4100 ++r4300 ++r4400 ++r4600 ++r4560 ++r5000 ++r8000 ++r10000 ++ ++ ++ ++r4k -> r4000 ++r5k -> r5000 ++r8k -> r8000 ++r10k -> r10000 ++ +--- botan1.10.orig/src/build-data/cc/clang.txt ++++ botan1.10/src/build-data/cc/clang.txt +@@ -39,6 +39,8 @@ westmere -> "-march=corei7 -maes" + + + x86_64 -> "-m64" ++mips32 -> "-mabi=32" ++mipsn32 -> "-mabi=n32" + mips64 -> "-mabi=64" + s390 -> "-m31" + s390x -> "-m64" +--- botan1.10.orig/src/build-data/cc/gcc.txt ++++ botan1.10/src/build-data/cc/gcc.txt +@@ -80,6 +80,7 @@ hppa -> "-march=SUBMODEL" hppa + ia64 -> "-mtune=SUBMODEL" + m68k -> "-mSUBMODEL" + mips32 -> "-mips1 -mcpu=SUBMODEL" mips32- ++mipsn32 -> "-mips3 -mcpu=SUBMODEL" mips64- + mips64 -> "-mips3 -mcpu=SUBMODEL" mips64- + ppc32 -> "-mcpu=SUBMODEL" ppc + ppc64 -> "-mcpu=SUBMODEL" ppc diff -Nru botan1.10-1.10.5/debian/patches/add-or1k-support.diff botan1.10-1.10.8/debian/patches/add-or1k-support.diff --- botan1.10-1.10.5/debian/patches/add-or1k-support.diff 1970-01-01 00:00:00.000000000 +0000 +++ botan1.10-1.10.8/debian/patches/add-or1k-support.diff 2014-08-25 08:59:02.000000000 +0000 @@ -0,0 +1,7 @@ +--- /dev/null ++++ botan1.10/src/build-data/arch/or1k.txt +@@ -0,0 +1,4 @@ ++endian big ++ ++or1k ++ diff -Nru botan1.10-1.10.5/debian/patches/add-powerpc64le-support.diff botan1.10-1.10.8/debian/patches/add-powerpc64le-support.diff --- botan1.10-1.10.5/debian/patches/add-powerpc64le-support.diff 1970-01-01 00:00:00.000000000 +0000 +++ botan1.10-1.10.8/debian/patches/add-powerpc64le-support.diff 2014-08-25 08:59:02.000000000 +0000 
@@ -0,0 +1,88 @@ +Description: Add support for ppc64el. +Author: Adam Conrad + +--- /dev/null ++++ botan1.10/src/build-data/arch/ppc64le.txt +@@ -0,0 +1,21 @@ ++endian little ++ ++family ppc ++ ++ ++powerpc64le ++ppc64el ++ ++ ++ ++power7 ++power7p ++power8 ++power8e ++ ++ ++# This should be enabled for all targets, but the Altivec code currently ++# makes lots of endian assumptions that I don't have the time to fix up: ++# ++#altivec:all ++# +--- botan1.10.orig/src/build-data/cc/gcc.txt ++++ botan1.10/src/build-data/cc/gcc.txt +@@ -84,6 +84,7 @@ mipsn32 -> "-mips3 -mcpu=SUBMODEL" mi + mips64 -> "-mips3 -mcpu=SUBMODEL" mips64- + ppc32 -> "-mcpu=SUBMODEL" ppc + ppc64 -> "-mcpu=SUBMODEL" ppc ++ppc64le -> "-mcpu=power7 -mtune=power8" ppc + sparc32 -> "-mcpu=SUBMODEL -Wa,-xarch=v8plus" sparc32- + sparc64 -> "-mcpu=v9 -mtune=SUBMODEL" + x86_32 -> "-march=SUBMODEL -momit-leaf-frame-pointer" +--- botan1.10.orig/src/math/mp/mp_asm64/info.txt ++++ botan1.10/src/math/mp/mp_asm64/info.txt +@@ -12,6 +12,7 @@ alpha + ia64 + mips64 + ppc64 ++ppc64le + sparc64 + + +--- botan1.10.orig/src/build-data/arch/ppc64.txt ++++ botan1.10/src/build-data/arch/ppc64.txt +@@ -17,6 +17,9 @@ power4 + power5 + power6 + power7 ++power7p ++power8 ++power8e + cellppu + + +@@ -25,5 +28,5 @@ cellbroadbandengine -> cellppu + + + +-altivec:cellppu,ppc970,power6,power7 ++altivec:cellppu,ppc970,power6,power7,power7p,power8,power8e + +--- botan1.10.orig/src/utils/cpuid.cpp ++++ botan1.10/src/utils/cpuid.cpp +@@ -157,6 +157,9 @@ bool altivec_check_pvr_emul() + const u16bit PVR_G5_970GX = 0x0045; + const u16bit PVR_POWER6 = 0x003E; + const u16bit PVR_POWER7 = 0x003F; ++ const u16bit PVR_POWER7p = 0x004A; ++ const u16bit PVR_POWER8 = 0x004D; ++ const u16bit PVR_POWER8E = 0x004B; + const u16bit PVR_CELL_PPU = 0x0070; + + // Motorola produced G4s with PVR 0x800[0123C] (at least) +@@ -177,6 +180,9 @@ bool altivec_check_pvr_emul() + altivec_capable |= (pvr == PVR_G5_970GX); + altivec_capable |= (pvr == 
PVR_POWER6); + altivec_capable |= (pvr == PVR_POWER7); ++ altivec_capable |= (pvr == PVR_POWER7p); ++ altivec_capable |= (pvr == PVR_POWER8); ++ altivec_capable |= (pvr == PVR_POWER8E); + altivec_capable |= (pvr == PVR_CELL_PPU); + #endif + diff -Nru botan1.10-1.10.5/debian/patches/arm64-support.patch botan1.10-1.10.8/debian/patches/arm64-support.patch --- botan1.10-1.10.5/debian/patches/arm64-support.patch 2014-03-15 16:52:46.000000000 +0000 +++ botan1.10-1.10.8/debian/patches/arm64-support.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,38 +0,0 @@ -Description: Add support for arm64. -Author: Adam Conrad - -Index: botan1.10-1.10.5/src/build-data/arch/aarch64.txt -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ botan1.10-1.10.5/src/build-data/arch/aarch64.txt 2014-03-15 10:52:05.448011048 -0600 -@@ -0,0 +1,6 @@ -+endian little -+ -+ -+arm64 # For Debian -+ -+ -Index: botan1.10-1.10.5/src/build-data/cc/gcc.txt -=================================================================== ---- botan1.10-1.10.5.orig/src/build-data/cc/gcc.txt 2014-03-15 10:52:05.452011048 -0600 -+++ botan1.10-1.10.5/src/build-data/cc/gcc.txt 2014-03-15 10:52:05.448011048 -0600 -@@ -74,6 +74,7 @@ - - alpha -> "-mcpu=SUBMODEL" alpha- - arm -> "-march=SUBMODEL" -+aarch64 -> "-mtune=generic" - superh -> "-mSUBMODEL" sh - hppa -> "-march=SUBMODEL" hppa - ia64 -> "-mtune=SUBMODEL" -Index: botan1.10-1.10.5/src/math/mp/mp_asm64/info.txt -=================================================================== ---- botan1.10-1.10.5.orig/src/math/mp/mp_asm64/info.txt 2014-03-15 10:52:05.452011048 -0600 -+++ botan1.10-1.10.5/src/math/mp/mp_asm64/info.txt 2014-03-15 10:52:05.448011048 -0600 -@@ -8,6 +8,7 @@ - - - -+aarch64 - alpha - ia64 - mips64 diff -Nru botan1.10-1.10.5/debian/patches/ppc64el-support.patch botan1.10-1.10.8/debian/patches/ppc64el-support.patch --- botan1.10-1.10.5/debian/patches/ppc64el-support.patch 2014-03-15 17:16:47.000000000 +0000 +++ botan1.10-1.10.8/debian/patches/ppc64el-support.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,98 +0,0 @@ -Description: Add support for ppc64el. -Author: Adam Conrad - -Index: botan1.10-1.10.5/src/build-data/arch/ppc64le.txt -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ botan1.10-1.10.5/src/build-data/arch/ppc64le.txt 2014-03-15 10:50:21.008012067 -0600 -@@ -0,0 +1,21 @@ -+endian little -+ -+family ppc -+ -+ -+powerpc64le -+ppc64el -+ -+ -+ -+power7 -+power7p -+power8 -+power8e -+ -+ -+# This should be enabled for all targets, but the Altivec code currently -+# makes lots of endian assumptions that I don't have the time to fix up: -+# -+#altivec:all -+# -Index: botan1.10-1.10.5/src/build-data/cc/gcc.txt -=================================================================== ---- botan1.10-1.10.5.orig/src/build-data/cc/gcc.txt 2014-03-15 10:50:21.016012067 -0600 -+++ botan1.10-1.10.5/src/build-data/cc/gcc.txt 2014-03-15 10:50:21.008012067 -0600 -@@ -82,6 +82,7 @@ - mips64 -> "-mips3 -mcpu=SUBMODEL" mips64- - ppc32 -> "-mcpu=SUBMODEL" ppc - ppc64 -> "-mcpu=SUBMODEL" ppc -+ppc64le -> "-mpcu=power7 -mtune=power8" ppc - sparc32 -> "-mcpu=SUBMODEL -Wa,-xarch=v8plus" sparc32- - sparc64 -> "-mcpu=v9 -mtune=SUBMODEL" - x86_32 -> "-march=SUBMODEL -momit-leaf-frame-pointer" -Index: botan1.10-1.10.5/src/math/mp/mp_asm64/info.txt -=================================================================== ---- botan1.10-1.10.5.orig/src/math/mp/mp_asm64/info.txt 2014-03-15 10:50:21.016012067 -0600 -+++ botan1.10-1.10.5/src/math/mp/mp_asm64/info.txt 2014-03-15 10:50:21.008012067 -0600 -@@ -12,6 +12,7 @@ - ia64 - mips64 - ppc64 -+ppc64le - sparc64 - - -Index: botan1.10-1.10.5/src/build-data/arch/ppc64.txt -=================================================================== ---- botan1.10-1.10.5.orig/src/build-data/arch/ppc64.txt 2014-03-15 10:50:21.016012067 -0600 -+++ botan1.10-1.10.5/src/build-data/arch/ppc64.txt 2014-03-15 10:50:21.008012067 -0600 -@@ -17,6 +17,9 @@ - power5 - power6 - power7 
-+power7p -+power8 -+power8e - cellppu - - -@@ -25,5 +28,5 @@ - - - --altivec:cellppu,ppc970,power6,power7 -+altivec:cellppu,ppc970,power6,power7,power7p,power8,power8e - -Index: botan1.10-1.10.5/src/utils/cpuid.cpp -=================================================================== ---- botan1.10-1.10.5.orig/src/utils/cpuid.cpp 2014-03-15 10:50:21.016012067 -0600 -+++ botan1.10-1.10.5/src/utils/cpuid.cpp 2014-03-15 10:50:21.012012067 -0600 -@@ -157,6 +157,9 @@ - const u16bit PVR_G5_970GX = 0x0045; - const u16bit PVR_POWER6 = 0x003E; - const u16bit PVR_POWER7 = 0x003F; -+ const u16bit PVR_POWER7p = 0x004A; -+ const u16bit PVR_POWER8 = 0x004D; -+ const u16bit PVR_POWER8E = 0x004B; - const u16bit PVR_CELL_PPU = 0x0070; - - // Motorola produced G4s with PVR 0x800[0123C] (at least) -@@ -177,6 +180,9 @@ - altivec_capable |= (pvr == PVR_G5_970GX); - altivec_capable |= (pvr == PVR_POWER6); - altivec_capable |= (pvr == PVR_POWER7); -+ altivec_capable |= (pvr == PVR_POWER7p); -+ altivec_capable |= (pvr == PVR_POWER8); -+ altivec_capable |= (pvr == PVR_POWER8E); - altivec_capable |= (pvr == PVR_CELL_PPU); - #endif - diff -Nru botan1.10-1.10.5/debian/patches/series botan1.10-1.10.8/debian/patches/series --- botan1.10-1.10.5/debian/patches/series 2014-03-15 16:52:00.000000000 +0000 +++ botan1.10-1.10.8/debian/patches/series 2014-08-25 08:59:02.000000000 +0000 @@ -1,2 +1,4 @@ -ppc64el-support.patch -arm64-support.patch +add-mips64-mipsn32-support.diff +add-powerpc64le-support.diff +add-arm64-support.patch.diff +add-or1k-support.diff diff -Nru botan1.10-1.10.5/debian/rules botan1.10-1.10.8/debian/rules --- botan1.10-1.10.5/debian/rules 2013-03-04 08:26:55.000000000 +0000 +++ botan1.10-1.10.8/debian/rules 2014-08-25 08:59:02.000000000 +0000 
@@ -9,8 +9,12 @@ # Using --cpu=$arch would enable it, and break ABI. # CONFIGURE_FLAGS += --disable-modules=mp_asm64,mp_amd64 +# Debian hardening +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + %: - DEB_BUILD_HARDENING=1 dh ${@} + dh ${@} override_dh_auto_clean: dh_auto_clean @@ -19,15 +23,13 @@ rm -rf build override_dh_auto_configure: - DEB_BUILD_HARDENING=1 ./configure.py --prefix=/usr --cc=gcc --os=linux --with-bzip2 --with-gnump --with-openssl --with-zlib $(CONFIGURE_FLAGS) + ./configure.py --prefix=/usr --cc=gcc --os=linux --with-bzip2 --with-gnump --with-openssl --with-zlib $(CONFIGURE_FLAGS) override_dh_auto_build: - DEB_BUILD_HARDENING=1 $(MAKE) all - + dh_auto_build -- all override_dh_auto_test: ifeq (,$(findstring $(DEB_HOST_GNU_CPU),$(SKIP_TESTS_ON_CPU))) - $(MAKE) check - + dh_auto_test -- check LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:$(CURDIR)" ./check --validate endif diff -Nru botan1.10-1.10.5/debian/watch botan1.10-1.10.8/debian/watch --- botan1.10-1.10.5/debian/watch 2013-03-04 08:26:55.000000000 +0000 +++ botan1.10-1.10.8/debian/watch 2014-08-25 08:59:02.000000000 +0000 @@ -1,2 +1,2 @@ version=3 -http://files.randombit.net/botan/v1.8/Botan-(.*)\.tgz +http://files.randombit.net/botan/v1.10/Botan-(.*)\.tbz diff -Nru botan1.10-1.10.5/doc/log.txt botan1.10-1.10.8/doc/log.txt --- botan1.10-1.10.5/doc/log.txt 2013-03-02 21:19:36.000000000 +0000 +++ botan1.10-1.10.8/doc/log.txt 2014-04-10 14:11:44.000000000 +0000 
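Review bot: Nothing on the `./configure.py` line in `override_dh_auto_configure` hands the exported build flags to Botan's own configure script. The move from hardening-wrapper to `DPKG_EXPORT_BUILDFLAGS = 1` therefore only hardens the library if configure.py and the Makefile it generates read CXXFLAGS and LDFLAGS from the environment, which cannot be confirmed from these hunks. hardening-wrapper intercepted the compiler regardless of the build system, so this is a possible silent regression in both hunks of this file. I would add a comment above the include, such as `# configure.py must pick up CXXFLAGS/LDFLAGS from the environment; verify the built .so with hardening-check`, and confirm the flags appear in the build log.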
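Review bot: The updated watch line still fetches the upstream tarball over plain `http://` and the file does not ask uscan to verify a signature. The release script in this same diff writes a detached `.asc` next to each tarball, so the packaging could check it. Adding uscan's `pgpsigurlmangle` option together with the upstream signing key in the package would let a tampered or substituted download be detected before it is imported.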
@@ -7,6 +7,74 @@ Series 1.10 ---------------------------------------- +Version 1.10.8, 2014-04-10 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix a bug in primality testing introduced in 1.8.3 which caused only + a single random base, rather than a sequence of random bases, to be + used in the Miller-Rabin test. This increased the probability that a + non-prime would be accepted, for instance a 1024 bit number would be + incorrectly classed as prime with probability around 2^-40. Reported + by Jeff Marrison. + +* The key length limit on HMAC has been raised to 512 bytes, allowing + the use of very long passphrases with PBKDF2. + +Version 1.10.7, 2013-12-29 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* OAEP had two bugs, one of which allowed it to be used even if the + key was too small, and the other of which would cause a crash during + decryption if the EME data was too large for the associated key. + +Version 1.10.6, 2013-11-10 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* The device reading entropy source now attempts to read from all + available devices. Previously it would break out early if a partial + read from a blocking source occured, not continuing to read from a + non-blocking device. This would cause the library to fall back on + slower and less reliable techniques for collecting PRNG seed + material. Reported by Rickard Bellgrim. + +* HMAC_RNG (the default PRNG implementation) now automatically reseeds + itself periodically. Previously reseeds only occured on explicit + application request. + +* Fix an encoding error in EC_Group when encoding using EC_DOMPAR_ENC_OID. + Reported by fxdupont on github. + +* In EMSA2 and Randpool, avoid calling name() on objects after deleting them if + the provided algorithm objects are not suitable for use. Found by Clang + analyzer, reported by Jeffrey Walton. 
+ +* If X509_Store was copied, the u32bit containing how long to cache validation + results was not initialized, potentially causing results to be cached for + significant amounts of time. This could allow a certificate to be considered + valid after its issuing CA's cert expired. Expiration of the end-entity cert + is always checked, and reading a CRL always causes the status to be reset, so + this issue does not affect revocation. Found by Coverity scanner. + +* Avoid off by one causing a potentially unterminated string to be passed to + the connect system call if the library was configured to use a very long path + name for the EGD socket. Found by Coverity Scanner. + +* In PK_Encryptor_EME, PK_Decryptor_EME, PK_Verifier, and PK_Key_Agreement, + avoid dereferencing an unitialized pointer if no engine supported operations + on the key object given. Found by Coverity scanner. + +* Avoid leaking a file descriptor in the /dev/random and EGD entropy sources if + stdin (file descriptor 0) was closed. Found by Coverity scanner. + +* Avoid a potentially undefined operation in the bit rotation operations. Not + known to have caused problems under any existing compiler, but might have + caused problems in the future. Caught by Clang sanitizer, reported by Jeffrey + Walton. + +* Increase default hash iterations from 10000 to 50000 in PBES1 and PBES2 + +* Add a fix for mips64el builds from Brad Smith. + Version 1.10.5, 2013-03-02 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff -Nru botan1.10-1.10.5/readme.txt botan1.10-1.10.8/readme.txt --- botan1.10-1.10.5/readme.txt 2013-03-02 21:19:36.000000000 +0000 +++ botan1.10-1.10.8/readme.txt 2014-04-10 14:11:44.000000000 +0000 
@@ -1,15 +1,11 @@ -Botan 1.10.5, 2013-03-02 -http://botan.randombit.net/ -Botan is a C++ class library for performing a wide variety of -cryptographic operations. It is released under the 2 clause BSD -license; see doc/license.txt for the specifics. You can file bugs in -Bugzilla (http://bugs.randombit.net/) or by sending a report to the -botan-devel mailing list. More information about the mailing list is -at http://lists.randombit.net/mailman/listinfo/botan-devel/ +Botan is a C++ library for performing a wide variety of cryptographic +operations. It is released under the 2 clause BSD license; see +doc/license.rst for the specifics. You can file bugs in Bugzilla +(http://bugs.randombit.net/) or by sending a report to the botan-devel +mailing list. More information about the mailing list is at +http://lists.randombit.net/mailman/listinfo/botan-devel/ You can find documentation online at http://botan.randombit.net/ as well as in the doc directory in the distribution. Several examples can be found in doc/examples as well. - -Jack Lloyd (lloyd@randombit.net) diff -Nru botan1.10-1.10.5/src/alloc/mem_pool/mem_pool.cpp botan1.10-1.10.8/src/alloc/mem_pool/mem_pool.cpp --- botan1.10-1.10.5/src/alloc/mem_pool/mem_pool.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/alloc/mem_pool/mem_pool.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -167,7 +167,7 @@ const size_t BITMAP_SIZE = Memory_Block::bitmap_size(); const size_t BLOCK_SIZE = Memory_Block::block_size(); - if(ptr == 0 && n == 0) + if(ptr == 0 || n == 0) return; Mutex_Holder lock(mutex); diff -Nru botan1.10-1.10.5/src/block/aes/aes.cpp botan1.10-1.10.8/src/block/aes/aes.cpp --- botan1.10-1.10.5/src/block/aes/aes.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/block/aes/aes.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -10,6 +10,7 @@ #include #include #include +#include namespace Botan { 
@@ -620,6 +621,9 @@ SecureVector XEK(length + 32), XDK(length + 32); const size_t X = length / 4; + + BOTAN_ASSERT(X == 4 || X == 6 || X == 8, "Known AES key size"); + for(size_t i = 0; i != X; ++i) XEK[i] = load_be(key, i); diff -Nru botan1.10-1.10.5/src/build-data/arch/mips64.txt botan1.10-1.10.8/src/build-data/arch/mips64.txt --- botan1.10-1.10.5/src/build-data/arch/mips64.txt 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/build-data/arch/mips64.txt 2014-04-10 14:11:44.000000000 +0000 @@ -1,3 +1,7 @@ + +mips64el + + r4000 r4100 diff -Nru botan1.10-1.10.5/src/build-data/buildh.in botan1.10-1.10.8/src/build-data/buildh.in --- botan1.10-1.10.5/src/build-data/buildh.in 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/build-data/buildh.in 2014-04-10 14:11:44.000000000 +0000 @@ -40,6 +40,13 @@ #define BOTAN_PRIVATE_KEY_STRONG_CHECKS_ON_LOAD 0 #define BOTAN_PRIVATE_KEY_STRONG_CHECKS_ON_GENERATE 1 +/* +* RNGs will automatically poll the system for additional +* seed material after producing this many bytes of output. +*/ +#define BOTAN_RNG_MAX_OUTPUT_BEFORE_RESEED 512 +#define BOTAN_RNG_RESEED_POLL_BITS 128 + /* Should we use GCC-style inline assembler? */ #if !defined(BOTAN_USE_GCC_INLINE_ASM) && defined(__GNUG__) #define BOTAN_USE_GCC_INLINE_ASM 1 diff -Nru botan1.10-1.10.5/src/build-data/cc/gcc.txt botan1.10-1.10.8/src/build-data/cc/gcc.txt --- botan1.10-1.10.5/src/build-data/cc/gcc.txt 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/build-data/cc/gcc.txt 2014-04-10 14:11:44.000000000 +0000 
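Review bot: The new assertion tests `X`, which is `length / 4` after integer truncation, so a `length` of 17, 18 or 19 still gives `X == 4` and passes. Checking the byte length directly, `BOTAN_ASSERT(length == 16 || length == 24 || length == 32, "Known AES key size");`, would reject those values as well. Whether an earlier length check in the caller already rules them out is not visible here, and the enclosing function starts and ends outside the hunk.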
@@ -47,16 +47,17 @@ i486 -> "-mtune=generic -momit-leaf-frame-pointer" i586 -> "-mtune=generic -momit-leaf-frame-pointer" -# Translate to GCC-speak +sandybridge -> "-march=corei7-avx -momit-leaf-frame-pointer" +atom32 -> "-march=atom -momit-leaf-frame-pointer" + +# For recent GCC nehalem -> "-march=corei7 -momit-leaf-frame-pointer" -#westmere -> "-march=corei7 -maes -momit-leaf-frame-pointer" +westmere -> "-march=corei7 -maes -momit-leaf-frame-pointer" +# For older GCC #nehalem -> "-march=core2 -msse4.1 -msse4.2 -momit-leaf-frame-pointer" #westmere -> "-march=core2 -msse4.1 -msse4.2 -maes -momit-leaf-frame-pointer" -sandybridge -> "-march=corei7-avx -momit-leaf-frame-pointer" -atom32 -> "-march=atom -momit-leaf-frame-pointer" - ppc601 -> "-mpowerpc -mcpu=601" cellppu -> "-mcpu=cell" e500v2 -> "-mcpu=8548" diff -Nru botan1.10-1.10.5/src/build-data/scripts/dist.py botan1.10-1.10.8/src/build-data/scripts/dist.py --- botan1.10-1.10.5/src/build-data/scripts/dist.py 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/build-data/scripts/dist.py 2014-04-10 14:11:44.000000000 +0000 @@ -1,13 +1,23 @@ #!/usr/bin/python -import optparse -import subprocess +""" +Release script for botan (http://botan.randombit.net/) + +(C) 2011, 2012 Jack Lloyd + +Distributed under the terms of the Botan license +""" + +import errno import logging +import optparse import os -import sys +import shlex +import StringIO import shutil +import subprocess +import sys import tarfile -import errno def check_subprocess_results(subproc, name): (stdout, stderr) = subproc.communicate() 
@@ -34,14 +44,55 @@ return check_subprocess_results(mtn, 'mtn') -def gpg_sign(file, keyid): - print file - gpg = subprocess.Popen(['gpg', '--armor', '--detach-sign', - '--local-user', keyid, file], - stdout=subprocess.PIPE, - stderr=subprocess.PIPE) +def get_certs(db, rev_id): + tokens = shlex.split(run_monotone(db, ['automate', 'certs', rev_id])) + + def usable_cert(cert): + if 'signature' not in cert or cert['signature'] != 'ok': + return False + if 'trust' not in cert or cert['trust'] != 'trusted': + return False + if 'name' not in cert or 'value' not in cert: + return False + return True + + def cert_builder(tokens): + pairs = zip(tokens[::2], tokens[1::2]) + current_cert = {} + for pair in pairs: + if pair[0] == 'key': + if usable_cert(current_cert): + name = current_cert['name'] + value = current_cert['value'] + current_cert = {} + + logging.debug('Cert %s "%s" for rev %s' % (name, value, rev_id)) + yield (name, value) + + current_cert[pair[0]] = pair[1] + + certs = dict(cert_builder(tokens)) + return certs + +def datestamp(db, rev_id): + certs = get_certs(db, rev_id) + + if 'date' in certs: + return int(certs['date'].replace('-','')[0:8]) + + logging.info('Could not retreive date for %s' % (rev_id)) + return 0 + +def gpg_sign(keyid, files): + for filename in files: + logging.info('Signing %s using PGP id %s' % (filename, keyid)) + + gpg = subprocess.Popen(['gpg', '--armor', '--detach-sign', + '--local-user', keyid, filename], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) - check_subprocess_results(gpg, 'gpg') + check_subprocess_results(gpg, 'gpg') def parse_args(args): parser = optparse.OptionParser() @@ -65,7 +116,7 @@ def remove_file_if_exists(fspath): try: os.unlink(fspath) - except OSError, e: + except OSError as e: if e.errno != errno.ENOENT: raise 
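Review bot: `cert_builder` only yields a cert when the next `key` token arrives, and nothing after the loop flushes `current_cert`, so the last cert in the `mtn automate certs` output is never returned. If that happens to be the `date` cert, `datestamp` logs and returns 0 and the release is stamped without a date. A final `if usable_cert(current_cert): yield (current_cert['name'], current_cert['value'])` after the loop would cover it. Indentation is lost in this rendering, but `current_cert = {}` appears to run only for usable certs; resetting it on every `key` token would stop fields of a rejected cert from carrying into a following cert that lacks one of them.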
@@ -96,73 +147,83 @@ logging.error('Usage: %s version' % (sys.argv[0])) return 1 - try: - version = args[0] + version = args[0] - rev_id = run_monotone(options.mtn_db, - ['automate', 'select', 't:' + version]) + rev_id = run_monotone(options.mtn_db, + ['automate', 'select', 't:' + version]) - if rev_id == '': - logging.error('No revision for %s found' % (version)) - return 2 + if rev_id == '': + logging.error('No revision for %s found' % (version)) + return 2 + + output_basename = os.path.join(options.output_dir, 'Botan-' + version) - output_basename = 'Botan-' + version - output_name = os.path.join(options.output_dir, output_basename) + output_tgz = output_basename + '.tgz' + output_tbz = output_basename + '.tbz' - output_tgz = output_name + '.tgz' - output_tbz = output_name + '.tbz' + logging.info('Found revision id %s' % (rev_id)) - logging.info('Found revision id %s' % (rev_id)) + if os.access(output_basename, os.X_OK): + shutil.rmtree(output_basename) - if os.access(output_name, os.X_OK): - shutil.rmtree(output_name) + run_monotone(options.mtn_db, + ['checkout', '-r', rev_id, output_basename]) - run_monotone(options.mtn_db, - ['checkout', '-r', rev_id, output_name]) + shutil.rmtree(os.path.join(output_basename, '_MTN')) + remove_file_if_exists(os.path.join(output_basename, '.mtn-ignore')) - shutil.rmtree(os.path.join(output_name, '_MTN')) - remove_file_if_exists(os.path.join(output_name, '.mtn-ignore')) + version_file = os.path.join(output_basename, 'botan_version.py') - version_file = os.path.join(output_name, 'botan_version.py') - if os.access(version_file, os.R_OK): - # rewrite botan_version.py + if os.access(version_file, os.R_OK): + # rewrite botan_version.py - contents = open(version_file).readlines() + contents = open(version_file).readlines() - def content_rewriter(): - for line in contents: - if line == 'release_vc_rev = None\n': - yield 'release_vc_rev = \'mtn:%s\'\n' % (rev_id) - else: - yield line + def content_rewriter(): + for line in contents: + 
if line == 'release_vc_rev = None\n': + yield 'release_vc_rev = \'mtn:%s\'\n' % (rev_id) + elif line == 'release_datestamp = 0\n': + yield 'release_datestamp = %d\n' % (datestamp(options.mtn_db, rev_id)) + else: + yield line - open(version_file, 'w').write(''.join(list(content_rewriter()))) + open(version_file, 'w').write(''.join(list(content_rewriter()))) + else: + logging.error('Cannot find %s' % (version_file)) + return 2 - os.chdir(options.output_dir) + try: + os.makedirs(options.output_dir) + except OSError as e: + if e.errno != errno.EEXIST: + logging.error('Creating dir %s failed %s' % (options.output_dir, e)) + return 2 - remove_file_if_exists(output_tgz) - remove_file_if_exists(output_tgz + '.asc') - archive = tarfile.open(output_tgz, 'w:gz') - archive.add(output_basename) - archive.close() - if options.pgp_key_id != '': - gpg_sign(output_tgz, options.pgp_key_id) + remove_file_if_exists(output_tgz) + remove_file_if_exists(output_tgz + '.asc') + archive = tarfile.open(output_tgz, 'w:gz') + archive.add(output_basename) + archive.close() + + remove_file_if_exists(output_tbz) + remove_file_if_exists(output_tbz + '.asc') + archive = tarfile.open(output_tbz, 'w:bz2') + archive.add(output_basename) + archive.close() - remove_file_if_exists(output_tbz) - remove_file_if_exists(output_tbz + '.asc') - archive = tarfile.open(output_tbz, 'w:bz2') - archive.add(output_basename) - archive.close() - if options.pgp_key_id != '': - gpg_sign(output_tbz, options.pgp_key_id) + if options.pgp_key_id != '': + gpg_sign(options.pgp_key_id, [output_tbz, output_tgz]) - shutil.rmtree(output_name) + shutil.rmtree(output_basename) - except Exception, e: - import traceback - traceback.print_exc(file=sys.stderr) - logging.error(str(e)) - return 1 + return 0 if __name__ == '__main__': - sys.exit(main()) + try: + sys.exit(main()) + except Exception as e: + logging.error(e) + import traceback + logging.info(traceback.format_exc()) + sys.exit(1) diff -Nru 
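Review bot: With `os.chdir(options.output_dir)` removed and `output_basename` now including the output directory, both `archive.add(output_basename)` calls store members under that directory prefix. The signed tarballs then no longer unpack to a plain `Botan-<version>/` tree unless the output directory is the current one; its default is not visible in this hunk. `archive.add(output_basename, arcname='Botan-' + version)` keeps the archive layout independent of where the script is run. Separately, `os.makedirs(options.output_dir)` runs only after the checkout and the `botan_version.py` rewrite have already written below that directory, so it should move ahead of the `run_monotone` checkout.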
botan1.10-1.10.5/src/cert/x509cert/x509_ext.cpp botan1.10-1.10.8/src/cert/x509cert/x509_ext.cpp --- botan1.10-1.10.5/src/cert/x509cert/x509_ext.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/cert/x509cert/x509_ext.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -61,6 +61,8 @@ std::make_pair(other.extensions[i].first->copy(), other.extensions[i].second)); + should_throw = other.should_throw; + return (*this); } diff -Nru botan1.10-1.10.5/src/cert/x509store/x509stor.cpp botan1.10-1.10.8/src/cert/x509store/x509stor.cpp --- botan1.10-1.10.5/src/cert/x509store/x509stor.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/cert/x509store/x509stor.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -187,6 +187,7 @@ for(size_t j = 0; j != other.stores.size(); ++j) stores[j] = other.stores[j]->clone(); time_slack = other.time_slack; + validation_cache_timeout = other.validation_cache_timeout; } /* diff -Nru botan1.10-1.10.5/src/entropy/dev_random/dev_random.cpp botan1.10-1.10.8/src/entropy/dev_random/dev_random.cpp --- botan1.10-1.10.5/src/entropy/dev_random/dev_random.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/entropy/dev_random/dev_random.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -1,6 +1,6 @@ /* -* /dev/random EntropySource -* (C) 1999-2009 Jack Lloyd +* Reader of /dev/random and company +* (C) 1999-2009,2013 Jack Lloyd * * Distributed under the terms of the Botan license */ 
@@ -16,53 +16,9 @@ namespace Botan { -/** -Close the device, if open -*/ -void Device_EntropySource::Device_Reader::close() - { - if(fd > 0) { ::close(fd); fd = -1; } - } - -/** -Read bytes from a device file -*/ -size_t Device_EntropySource::Device_Reader::get(byte out[], size_t length, - size_t ms_wait_time) - { - if(fd < 0) - return 0; - - if(fd >= FD_SETSIZE) - return 0; - - fd_set read_set; - FD_ZERO(&read_set); - FD_SET(fd, &read_set); - - struct ::timeval timeout; - - timeout.tv_sec = (ms_wait_time / 1000); - timeout.tv_usec = (ms_wait_time % 1000) * 1000; - - if(::select(fd + 1, &read_set, 0, 0, &timeout) < 0) - return 0; +namespace { - if(!(FD_ISSET(fd, &read_set))) - return 0; - - const ssize_t got = ::read(fd, out, length); - if(got <= 0) - return 0; - - return static_cast(got); - } - -/** -Attempt to open a device -*/ -Device_EntropySource::Device_Reader::fd_type -Device_EntropySource::Device_Reader::open(const std::string& pathname) +int open_nonblocking(const char* pathname) { #ifndef O_NONBLOCK #define O_NONBLOCK 0 @@ -73,21 +29,22 @@ #endif const int flags = O_RDONLY | O_NONBLOCK | O_NOCTTY; - return ::open(pathname.c_str(), flags); + return ::open(pathname, flags); } +} + /** Device_EntropySource constructor Open a file descriptor to each (available) device in fsnames */ -Device_EntropySource::Device_EntropySource( - const std::vector& fsnames) +Device_EntropySource::Device_EntropySource(const std::vector& fsnames) { for(size_t i = 0; i != fsnames.size(); ++i) { - Device_Reader::fd_type fd = Device_Reader::open(fsnames[i]); - if(fd > 0) - devices.push_back(Device_Reader(fd)); + fd_type fd = open_nonblocking(fsnames[i].c_str()); + if(fd >= 0 && fd < FD_SETSIZE) + devices.push_back(fd); } } @@ -97,7 +54,7 @@ Device_EntropySource::~Device_EntropySource() { for(size_t i = 0; i != devices.size(); ++i) - devices[i].close(); + ::close(devices[i]); } /** 
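Review bot: In the Device_EntropySource constructor (dev_random.cpp, @@ -73,21 +29,22 @@), a descriptor that opens successfully but is numbered at or above FD_SETSIZE is dropped without being closed. The new test `if(fd >= 0 && fd < FD_SETSIZE)` only decides whether to store it, and the destructor closes only the stored entries, so the rejected descriptor leaks for the life of the process. Adding `else if(fd >= 0) ::close(fd);` after the `push_back` branch releases it.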
@@ -105,23 +62,38 @@ */ void Device_EntropySource::poll(Entropy_Accumulator& accum) { - const size_t ENTROPY_BITS_PER_BYTE = 7; + if(devices.empty()) + return; - const size_t go_get = std::min( - accum.desired_remaining_bits() / ENTROPY_BITS_PER_BYTE, 32); + const size_t ENTROPY_BITS_PER_BYTE = 8; + const size_t MS_WAIT_TIME = 32; + const size_t READ_ATTEMPT = accum.desired_remaining_bits() / 4; - const size_t read_wait_ms = std::max(go_get, 100); - MemoryRegion& io_buffer = accum.get_io_buffer(go_get); + MemoryRegion& io_buffer = accum.get_io_buffer(READ_ATTEMPT); + int max_fd = devices[0]; + fd_set read_set; + FD_ZERO(&read_set); for(size_t i = 0; i != devices.size(); ++i) { - size_t got = devices[i].get(&io_buffer[0], io_buffer.size(), - read_wait_ms); + FD_SET(devices[i], &read_set); + max_fd = std::max(devices[i], max_fd); + } + + struct ::timeval timeout; - if(got) + timeout.tv_sec = (MS_WAIT_TIME / 1000); + timeout.tv_usec = (MS_WAIT_TIME % 1000) * 1000; + + if(::select(max_fd + 1, &read_set, 0, 0, &timeout) < 0) + return; + + for(size_t i = 0; i != devices.size(); ++i) + { + if(FD_ISSET(devices[i], &read_set)) { + const ssize_t got = ::read(devices[i], &io_buffer[0], io_buffer.size()); accum.add(&io_buffer[0], got, ENTROPY_BITS_PER_BYTE); - break; } } } diff -Nru botan1.10-1.10.5/src/entropy/dev_random/dev_random.h botan1.10-1.10.8/src/entropy/dev_random/dev_random.h --- botan1.10-1.10.5/src/entropy/dev_random/dev_random.h 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/entropy/dev_random/dev_random.h 2014-04-10 14:11:44.000000000 +0000 
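Review bot: In Device_EntropySource::poll (dev_random.cpp, @@ -105,23 +62,38 @@) the result of `::read` goes straight into `accum.add` with no check, whereas the removed Device_Reader::get returned early on `got <= 0`. The descriptors are opened with O_NONBLOCK, so read can still return -1 or 0 after select has reported the descriptor readable, and a negative `ssize_t` would then be used as the length of the data to add. The call should be guarded: `if(got > 0) accum.add(&io_buffer[0], got, ENTROPY_BITS_PER_BYTE);`. Since this hunk also raises the credited entropy from 7 to 8 bits per byte, counting only bytes actually read matters more than before.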
@@ -27,28 +27,9 @@ Device_EntropySource(const std::vector& fsnames); ~Device_EntropySource(); private: + typedef int fd_type; - /** - A class handling reading from a Unix character device - */ - class Device_Reader - { - public: - typedef int fd_type; - - // Does not own fd, a transient class - Device_Reader(fd_type device_fd) : fd(device_fd) {} - - void close(); - - size_t get(byte out[], size_t length, size_t ms_wait_time); - - static fd_type open(const std::string& pathname); - private: - fd_type fd; - }; - - std::vector devices; + std::vector devices; }; } diff -Nru botan1.10-1.10.5/src/entropy/egd/es_egd.cpp botan1.10-1.10.8/src/entropy/egd/es_egd.cpp --- botan1.10-1.10.5/src/entropy/egd/es_egd.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/entropy/egd/es_egd.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -43,7 +43,7 @@ std::memset(&addr, 0, sizeof(addr)); addr.sun_family = PF_LOCAL; - if(sizeof(addr.sun_path) < path.length() + 1) + if(path.length() >= sizeof(addr.sun_path)) throw std::invalid_argument("EGD socket path is too long"); std::strncpy(addr.sun_path, path.c_str(), sizeof(addr.sun_path)); diff -Nru botan1.10-1.10.5/src/entropy/proc_walk/es_ftw.cpp botan1.10-1.10.8/src/entropy/proc_walk/es_ftw.cpp --- botan1.10-1.10.5/src/entropy/proc_walk/es_ftw.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/entropy/proc_walk/es_ftw.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -120,7 +120,7 @@ { int fd = ::open(full_path.c_str(), O_RDONLY | O_NOCTTY); - if(fd > 0) + if(fd >= 0) return fd; } } diff -Nru botan1.10-1.10.5/src/entropy/rdrand/rdrand.cpp botan1.10-1.10.8/src/entropy/rdrand/rdrand.cpp --- botan1.10-1.10.5/src/entropy/rdrand/rdrand.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/entropy/rdrand/rdrand.cpp 2014-04-10 14:11:44.000000000 +0000 
@@ -40,7 +40,7 @@ for(size_t i = 0; i != RDRAND_POLLS; ++i) { - unsigned int r; + unsigned int r = 0; #if BOTAN_USE_GCC_INLINE_ASM int cf = 0; diff -Nru botan1.10-1.10.5/src/entropy/unix_procs/es_unix.cpp botan1.10-1.10.8/src/entropy/unix_procs/es_unix.cpp --- botan1.10-1.10.5/src/entropy/unix_procs/es_unix.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/entropy/unix_procs/es_unix.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -74,8 +74,8 @@ { struct stat statbuf; clear_mem(&statbuf, 1); - ::stat(stat_targets[i], &statbuf); - accum.add(&statbuf, sizeof(statbuf), .005); + if(::stat(stat_targets[i], &statbuf) == 0) + accum.add(&statbuf, sizeof(statbuf), .005); } accum.add(::getpid(), 0); diff -Nru botan1.10-1.10.5/src/filters/filter.cpp botan1.10-1.10.8/src/filters/filter.cpp --- botan1.10-1.10.5/src/filters/filter.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/filters/filter.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -104,17 +104,16 @@ */ void Filter::set_next(Filter* filters[], size_t size) { - while(size && filters && filters[size-1] == 0) - --size; - next.clear(); - next.resize(size); port_num = 0; filter_owns = 0; - for(size_t j = 0; j != size; ++j) - next[j] = filters[j]; + while(size && filters && filters[size-1] == 0) + --size; + + if(filters && size) + next.assign(filters, filters + size); } /* diff -Nru botan1.10-1.10.5/src/filters/pk_filts/pk_filts.h botan1.10-1.10.8/src/filters/pk_filts/pk_filts.h --- botan1.10-1.10.5/src/filters/pk_filts/pk_filts.h 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/filters/pk_filts/pk_filts.h 2014-04-10 14:11:44.000000000 +0000 @@ -19,6 +19,8 @@ class BOTAN_DLL PK_Encryptor_Filter : public Filter { public: + std::string name() const { return "PK Encryptor"; } + void write(const byte[], size_t); void end_msg(); PK_Encryptor_Filter(PK_Encryptor* c, 
@@ -37,6 +39,8 @@ class BOTAN_DLL PK_Decryptor_Filter : public Filter { public: + std::string name() const { return "PK Decryptor"; } + void write(const byte[], size_t); void end_msg(); PK_Decryptor_Filter(PK_Decryptor* c) : cipher(c) {} @@ -52,6 +56,8 @@ class BOTAN_DLL PK_Signer_Filter : public Filter { public: + std::string name() const { return "PK Signer"; } + void write(const byte[], size_t); void end_msg(); @@ -71,6 +77,8 @@ class BOTAN_DLL PK_Verifier_Filter : public Filter { public: + std::string name() const { return "PK Verifier"; } + void write(const byte[], size_t); void end_msg(); diff -Nru botan1.10-1.10.5/src/libstate/global_rng.cpp botan1.10-1.10.8/src/libstate/global_rng.cpp --- botan1.10-1.10.5/src/libstate/global_rng.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/libstate/global_rng.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -76,7 +76,7 @@ #if defined(BOTAN_HAS_ENTROPY_SRC_DEV_RANDOM) rng->add_entropy_source( new Device_EntropySource( - split_on("/dev/random:/dev/srandom:/dev/urandom", ':') + split_on("/dev/urandom:/dev/srandom:/dev/random", ':') ) ); #endif diff -Nru botan1.10-1.10.5/src/mac/hmac/hmac.h botan1.10-1.10.8/src/mac/hmac/hmac.h --- botan1.10-1.10.5/src/mac/hmac/hmac.h 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/mac/hmac/hmac.h 2014-04-10 14:11:44.000000000 +0000 @@ -27,7 +27,8 @@ Key_Length_Specification key_spec() const { - return Key_Length_Specification(0, 2*hash->hash_block_size()); + // Absurd max length here is to support PBKDF2 + return Key_Length_Specification(0, 512); } /** diff -Nru botan1.10-1.10.5/src/math/ec_gfp/curve_gfp.h botan1.10-1.10.8/src/math/ec_gfp/curve_gfp.h --- botan1.10-1.10.5/src/math/ec_gfp/curve_gfp.h 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/math/ec_gfp/curve_gfp.h 2014-04-10 14:11:44.000000000 +0000 
@@ -24,7 +24,7 @@ /** * Create an uninitialized CurveGFp */ - CurveGFp() {} + CurveGFp() : p_words(0), p_dash(0) {} /** * Construct the elliptic curve E: y^2 = x^3 + ax + b over GF(p) diff -Nru botan1.10-1.10.5/src/math/numbertheory/numthry.cpp botan1.10-1.10.8/src/math/numbertheory/numthry.cpp --- botan1.10-1.10.5/src/math/numbertheory/numthry.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/math/numbertheory/numthry.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -53,10 +53,8 @@ return false; } - if(y != n_minus_1) // fails Fermat test - return true; - - return false; + // If we reached here then n fails the Fermat test + return true; } /* @@ -265,7 +263,7 @@ RandomNumberGenerator& rng, size_t level) { - const size_t PREF_NONCE_BITS = 64; + const size_t PREF_NONCE_BITS = 128; if(n == 2) return true; @@ -295,17 +293,21 @@ MillerRabin_Test mr(n); + if(mr.is_witness(2)) + return false; + const size_t tests = miller_rabin_test_iterations(n.bits(), level); - BigInt nonce; for(size_t i = 0; i != tests; ++i) { + BigInt nonce; while(nonce < 2 || nonce >= (n-1)) nonce.randomize(rng, NONCE_BITS); if(mr.is_witness(nonce)) return false; } + return true; } diff -Nru botan1.10-1.10.5/src/math/numbertheory/powm_mnt.cpp botan1.10-1.10.8/src/math/numbertheory/powm_mnt.cpp --- botan1.10-1.10.5/src/math/numbertheory/powm_mnt.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/math/numbertheory/powm_mnt.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -134,6 +134,7 @@ window_bits = 0; this->hints = hints; modulus = mod; + exp_bits = 0; mod_words = modulus.sig_words(); diff -Nru botan1.10-1.10.5/src/math/numbertheory/pow_mod.cpp botan1.10-1.10.8/src/math/numbertheory/pow_mod.cpp --- botan1.10-1.10.5/src/math/numbertheory/pow_mod.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/math/numbertheory/pow_mod.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -18,6 +18,7 @@ { core = 0; set_modulus(n, hints); + hints = NO_HINTS; } /* 
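Review bot: In numthry.cpp (@@ -295,17 +293,21 @@) the declaration `BigInt nonce;` inside the loop needs a comment, because its position is what gives each Miller-Rabin round a new base. The condition `while(nonce < 2 || nonce >= (n-1))` is already false for a value left over from the previous round, so hoisting the declaration back out would quietly test one base `tests` times. I would add `// fresh base per round: a nonce kept across iterations is already in range and would be reused` above the declaration. The enclosing function starts and ends outside the hunk.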
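Review bot: In the Power_Mod constructor (pow_mod.cpp, @@ -18,6 +18,7 @@) the added `hints = NO_HINTS;` sits after `set_modulus(n, hints)` has already used `hints`. The signature is outside the hunk, but if `hints` is the constructor parameter, the new line only overwrites the parameter and the member that the copy constructor reads as `other.hints` stays uninitialised. If the goal is to initialise the member, qualify it and move it ahead of the call, e.g. `this->hints = hints;` (or `this->hints = NO_HINTS;` if a fixed default is intended).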
@@ -26,6 +27,7 @@ Power_Mod::Power_Mod(const Power_Mod& other) { core = 0; + hints = other.hints; if(other.core) core = other.core->copy(); } diff -Nru botan1.10-1.10.5/src/pbe/pbes1/pbes1.cpp botan1.10-1.10.8/src/pbe/pbes1/pbes1.cpp --- botan1.10-1.10.5/src/pbe/pbes1/pbes1.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/pbe/pbes1/pbes1.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -90,7 +90,7 @@ */ void PBE_PKCS5v15::new_params(RandomNumberGenerator& rng) { - iterations = 10000; + iterations = 50000; salt = rng.random_vec(8); } @@ -161,7 +161,7 @@ PBE_PKCS5v15::PBE_PKCS5v15(BlockCipher* cipher, HashFunction* hash, Cipher_Dir dir) : - direction(dir), block_cipher(cipher), hash_function(hash) + direction(dir), block_cipher(cipher), hash_function(hash), iterations(0) { if(cipher->name() != "DES" && cipher->name() != "RC2") { diff -Nru botan1.10-1.10.5/src/pbe/pbes2/pbes2.cpp botan1.10-1.10.8/src/pbe/pbes2/pbes2.cpp --- botan1.10-1.10.5/src/pbe/pbes2/pbes2.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/pbe/pbes2/pbes2.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -92,7 +92,7 @@ */ void PBE_PKCS5v20::new_params(RandomNumberGenerator& rng) { - iterations = 10000; + iterations = 50000; key_length = block_cipher->maximum_keylength(); salt = rng.random_vec(12); @@ -210,7 +210,11 @@ */ PBE_PKCS5v20::PBE_PKCS5v20(BlockCipher* cipher, HashFunction* digest) : - direction(ENCRYPTION), block_cipher(cipher), hash_function(digest) + direction(ENCRYPTION), + block_cipher(cipher), + hash_function(digest), + iterations(0), + key_length(0) { if(!known_cipher(block_cipher->name())) throw Invalid_Argument("PBE-PKCS5 v2.0: Invalid cipher " + cipher->name()); diff -Nru botan1.10-1.10.5/src/pk_pad/eme1/eme1.cpp botan1.10-1.10.8/src/pk_pad/eme1/eme1.cpp --- botan1.10-1.10.5/src/pk_pad/eme1/eme1.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/pk_pad/eme1/eme1.cpp 2014-04-10 14:11:44.000000000 +0000 
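Review bot: The default iteration count is now the bare literal `50000` in two places, PBE_PKCS5v15::new_params (pbes1.cpp, @@ -90,7 +90,7 @@) and PBE_PKCS5v20::new_params (pbes2.cpp, @@ -92,7 +92,7 @@), so the next increase has to be made twice and the two schemes can drift apart. A single shared constant, for example `const size_t PBE_DEFAULT_ITERATIONS = 50000;` (name is a suggestion), with a comment saying when the value was chosen, would keep them in step. The constructors in the same files now initialise `iterations` to 0; a short comment there that 0 means "not yet set by new_params or decoded parameters" would help readers.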
@@ -21,7 +21,7 @@ { key_length /= 8; - if(in_length > key_length - 2*Phash.size() - 1) + if(key_length < in_length + 2*Phash.size() + 1) throw Invalid_Argument("EME1: Input is too large"); SecureVector out(key_length); @@ -82,7 +82,7 @@ * to timing analysis. Other compilers, or GCC on other platforms, * may or may not. */ - for(size_t i = delim_idx; i != input.size(); ++i) + for(size_t i = delim_idx; i < input.size(); ++i) { const bool zero_p = !input[i]; const bool one_p = input[i] == 0x01; diff -Nru botan1.10-1.10.5/src/pk_pad/emsa2/emsa2.cpp botan1.10-1.10.8/src/pk_pad/emsa2/emsa2.cpp --- botan1.10-1.10.5/src/pk_pad/emsa2/emsa2.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/pk_pad/emsa2/emsa2.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -99,12 +99,13 @@ { empty_hash = hash->final(); - hash_id = ieee1363_hash_id(hash->name()); + const std::string hash_name = hash->name(); + hash_id = ieee1363_hash_id(hash_name); if(hash_id == 0) { delete hash; - throw Encoding_Error("EMSA2 cannot be used with " + hash->name()); + throw Encoding_Error("EMSA2 cannot be used with " + hash_name); } } diff -Nru botan1.10-1.10.5/src/pubkey/ec_group/ec_group.cpp botan1.10-1.10.8/src/pubkey/ec_group/ec_group.cpp --- botan1.10-1.10.5/src/pubkey/ec_group/ec_group.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/pubkey/ec_group/ec_group.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -121,7 +121,7 @@ .get_contents(); } else if(form == EC_DOMPAR_ENC_OID) - return DER_Encoder().encode(get_oid()).get_contents(); + return DER_Encoder().encode(OID(get_oid())).get_contents(); else if(form == EC_DOMPAR_ENC_IMPLICITCA) return DER_Encoder().encode_null().get_contents(); else diff -Nru botan1.10-1.10.5/src/pubkey/pubkey.cpp botan1.10-1.10.8/src/pubkey/pubkey.cpp --- botan1.10-1.10.5/src/pubkey/pubkey.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/pubkey/pubkey.cpp 2014-04-10 14:11:44.000000000 +0000 
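Review bot: The rewritten length check in eme1.cpp (@@ -21,7 +21,7 @@) has no comment explaining why it is written as an addition, and the reason is not obvious from the line itself. The old form `key_length - 2*Phash.size() - 1` presumably wraps around for keys smaller than the padding overhead (the variable's type is declared outside the hunk), which would let an oversized input through. I would add `// compare by addition: the subtraction wraps when key_length is below the padding overhead` above the `if` so that a later cleanup does not restore the subtraction.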
@@ -27,6 +27,8 @@ { Algorithm_Factory::Engine_Iterator i(global_state().algorithm_factory()); + op = 0; + while(const Engine* engine = i.next()) { op = engine->get_encryption_op(key); @@ -35,8 +37,7 @@ } if(!op) - throw Lookup_Error("PK_Encryptor_EME: No working engine for " + - key.algo_name()); + throw Lookup_Error("Encryption with " + key.algo_name() + " not supported"); eme = (eme_name == "Raw") ? 0 : get_eme(eme_name); } @@ -87,6 +88,8 @@ { Algorithm_Factory::Engine_Iterator i(global_state().algorithm_factory()); + op = 0; + while(const Engine* engine = i.next()) { op = engine->get_decryption_op(key); @@ -95,8 +98,7 @@ } if(!op) - throw Lookup_Error("PK_Decryptor_EME: No working engine for " + - key.algo_name()); + throw Lookup_Error("Decryption with " + key.algo_name() + " not supported"); eme = (eme_name == "Raw") ? 0 : get_eme(eme_name); } @@ -146,8 +148,7 @@ } if(!op || (!verify_op && prot == ENABLE_FAULT_PROTECTION)) - throw Lookup_Error("PK_Signer: No working engine for " + - key.algo_name()); + throw Lookup_Error("Signing with " + key.algo_name() + " not supported"); emsa = get_emsa(emsa_name); sig_format = format; @@ -250,6 +251,8 @@ { Algorithm_Factory::Engine_Iterator i(global_state().algorithm_factory()); + op = 0; + while(const Engine* engine = i.next()) { op = engine->get_verify_op(key); @@ -258,8 +261,7 @@ } if(!op) - throw Lookup_Error("PK_Verifier: No working engine for " + - key.algo_name()); + throw Lookup_Error("Verification with " + key.algo_name() + " not supported"); emsa = get_emsa(emsa_name); sig_format = format; @@ -359,6 +361,8 @@ { Algorithm_Factory::Engine_Iterator i(global_state().algorithm_factory()); + op = 0; + while(const Engine* engine = i.next()) { op = engine->get_key_agreement_op(key); 
@@ -367,8 +371,7 @@ } if(!op) - throw Lookup_Error("PK_Key_Agreement: No working engine for " + - key.algo_name()); + throw Lookup_Error("Key agreement with " + key.algo_name() + " not supported"); kdf = (kdf_name == "Raw") ? 0 : get_kdf(kdf_name); } diff -Nru botan1.10-1.10.5/src/rng/hmac_rng/hmac_rng.cpp botan1.10-1.10.8/src/rng/hmac_rng/hmac_rng.cpp --- botan1.10-1.10.5/src/rng/hmac_rng/hmac_rng.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/rng/hmac_rng/hmac_rng.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -7,6 +7,7 @@ #include #include +#include #include #include #include @@ -23,6 +24,7 @@ prf->update(K); prf->update(label); prf->update_be(counter); + prf->update_be(get_nanoseconds_clock()); prf->final(&K[0]); ++counter; @@ -50,6 +52,11 @@ copy_mem(out, &K[0], copied); out += copied; length -= copied; + + output_since_reseed += copied; + + if(output_since_reseed >= BOTAN_RNG_MAX_OUTPUT_BEFORE_RESEED) + reseed(BOTAN_RNG_RESEED_POLL_BITS); } } @@ -109,7 +116,7 @@ // Reset state zeroise(K); counter = 0; - user_input_len = 0; + output_since_reseed = 0; /* Consider ourselves seeded once we've collected an estimated 128 bits of @@ -119,24 +126,12 @@ seeded = true; } -/* -* Add user-supplied entropy to the extractor input -*/ void HMAC_RNG::add_entropy(const byte input[], size_t length) { - const size_t USER_ENTROPY_WATERSHED = 64; + // Add user-supplied whatever to the extractor input, and then reseed extractor->update(input, length); - user_input_len += length; - - /* - * After we've accumulated at least USER_ENTROPY_WATERSHED bytes of - * user input, reseed. This input will automatically have been - * included if reseed was called already, as it's just included in - * the extractor input. - */ - if(user_input_len >= USER_ENTROPY_WATERSHED) - reseed(0); + reseed(BOTAN_RNG_RESEED_POLL_BITS); } /* @@ -156,7 +151,7 @@ prf->clear(); zeroise(K); counter = 0; - user_input_len = 0; + output_since_reseed = 0; seeded = false; } 
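Review bot: HMAC_RNG::add_entropy (hmac_rng.cpp, @@ -119,24 +126,12 @@) now calls `reseed(BOTAN_RNG_RESEED_POLL_BITS)` on every invocation, and the replacement comment does not tell callers about the cost. The removed code reseeded only after 64 bytes of user input, and then with `reseed(0)`. The body of reseed is not in this hunk, but if a non-zero argument means the entropy sources are polled, a caller that feeds small inputs in a loop now pays for a poll each time. I would say so in the comment, e.g. `// Every call triggers a full reseed including an entropy poll; batch small inputs before calling`.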
@@ -185,7 +180,7 @@ K.resize(prf->output_length()); counter = 0; - user_input_len = 0; + output_since_reseed = 0; seeded = false; /* diff -Nru botan1.10-1.10.5/src/rng/hmac_rng/hmac_rng.h botan1.10-1.10.8/src/rng/hmac_rng/hmac_rng.h --- botan1.10-1.10.5/src/rng/hmac_rng/hmac_rng.h 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/rng/hmac_rng/hmac_rng.h 2014-04-10 14:11:44.000000000 +0000 @@ -52,7 +52,7 @@ bool seeded; SecureVector K, io_buffer; - size_t user_input_len; + size_t output_since_reseed; u32bit counter; }; diff -Nru botan1.10-1.10.5/src/rng/randpool/randpool.cpp botan1.10-1.10.8/src/rng/randpool/randpool.cpp --- botan1.10-1.10.5/src/rng/randpool/randpool.cpp 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/rng/randpool/randpool.cpp 2014-04-10 14:11:44.000000000 +0000 @@ -184,8 +184,7 @@ { delete cipher; delete mac; - throw Internal_Error("Randpool: Invalid algorithm combination " + - cipher->name() + "/" + mac->name()); + throw Internal_Error("Randpool: Invalid algorithm combination"); } buffer.resize(BLOCK_SIZE); diff -Nru botan1.10-1.10.5/src/ssl/info.txt botan1.10-1.10.8/src/ssl/info.txt --- botan1.10-1.10.5/src/ssl/info.txt 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/ssl/info.txt 2014-04-10 14:11:44.000000000 +0000 @@ -1,10 +1,10 @@ define SSL_TLS +load_on auto + -A new TLS API is being developed. This version has numerous -performance and usability issues and will not be supported in the -future. Only use it if you need it for compatability with code written -against previous versions. +If you are using TLS in your application definitely consider using the +version in 1.11 instead uses_tr1 yes diff -Nru botan1.10-1.10.5/src/utils/rotate.h botan1.10-1.10.8/src/utils/rotate.h --- botan1.10-1.10.5/src/utils/rotate.h 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/utils/rotate.h 2014-04-10 14:11:44.000000000 +0000 
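Review bot: The Randpool constructor fix (randpool.cpp, @@ -184,8 +184,7 @@) stops using `cipher` and `mac` after they are deleted, but it does so by dropping the algorithm names from the exception text, which makes a misconfiguration harder to diagnose. The emsa2.cpp change in this same diff keeps the detail by copying the name before the delete, and the same pattern works here: take `const std::string names = cipher->name() + "/" + mac->name();` ahead of the two `delete` statements and throw `Internal_Error("Randpool: Invalid algorithm combination " + names)`.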
@@ -20,6 +20,8 @@ */ template inline T rotate_left(T input, size_t rot) { + if(rot == 0) + return input; return static_cast((input << rot) | (input >> (8*sizeof(T)-rot)));; } @@ -31,6 +33,8 @@ */ template inline T rotate_right(T input, size_t rot) { + if(rot == 0) + return input; return static_cast((input >> rot) | (input << (8*sizeof(T)-rot))); } diff -Nru botan1.10-1.10.5/src/wrap/perl-xs/Makefile.PL botan1.10-1.10.8/src/wrap/perl-xs/Makefile.PL --- botan1.10-1.10.5/src/wrap/perl-xs/Makefile.PL 2013-03-02 21:19:37.000000000 +0000 +++ botan1.10-1.10.8/src/wrap/perl-xs/Makefile.PL 2014-04-10 14:11:44.000000000 +0000 @@ -9,8 +9,8 @@ else { $cc = 'g++'; - $cflags = '-Wno-write-strings -fexceptions ' . qx( botan-config --cflags ); - $libs = qx( botan-config --libs ); + $cflags = $Config::Config{ccflags} . ' -Wno-write-strings -fexceptions ' . qx( botan-config-1.10 --cflags ); + $libs = qx( botan-config-1.10 --libs ); } WriteMakefile(
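Review bot: The new `if(rot == 0)` guard in rotate_left and rotate_right (src/utils/rotate.h, both hunks) removes the full-width shift for a zero rotation, but a `rot` equal to or larger than `8*sizeof(T)` still yields an out-of-range shift count in both templates. If callers are not guaranteed to stay below the bit width, reduce the count first with `rot %= 8 * sizeof(T);` ahead of the zero check. If they are, a comment stating the precondition, such as `// requires rot < 8*sizeof(T)`, documents what the guard does not cover.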