1 files changed, 1879 insertions, 0 deletions

diff --git a/comm/third_party/botan/news.rst b/comm/third_party/botan/news.rst
new file mode 100644
index 0000000000..7da4db1890
--- /dev/null
+++ b/comm/third_party/botan/news.rst
@@ -0,0 +1,1879 @@
+Release Notes
+========================================
+
+Version 2.18.2, 2021-10-25
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Avoid using short exponents when encrypting in ElGamal, as some PGP
+  implementations generate keys with parameters that are weak when
+  short exponents are used (GH #2794)
+
+* Fix a low risk OAEP decryption side channel (GH #2797)
+
+* Work around a miscompilation of SHA-3 caused by a bug in Clang 12
+  and XCode 13. (GH #2826)
+
+* Remove support in OpenSSL provider for algorithms which are
+  disabled by default in OpenSSL 3.0 (GH #2823, #2814)
+
+* Add CI based on GitHub actions to replace Travis CI (GH #2632)
+
+* Fix the online OCSP test, as the certificate involved had expired.
+  (GH #2799)
+
+* Fix some test failures induced by the expiration of the trust root
+  "DST Root CA X3" (GH #2820)
+
+Version 2.18.1, 2021-05-09
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a build regression in 2.18.0 which caused linker flags which
+  contain ``-l`` within them (such as ``-fuse-linker-plugin``) to
+  be misinterpreted. (GH #2715)
+
+* Fix a bug which caused decoding a certificate which contained
+  more than one name in a single RDN. (GH #2611 #2630 #2724)
+
+* Fix a bug which caused OID lookup failures when run in a locale
+  which uses thousands separators (pt_BR was reported as having
+  this issue). (GH #2732 #2730 #2237)
+
+* DNS names in name constraints were compared with case sensitivity, which
+  could cause valid certificates to be rejected. (GH #2739 #2735)
+
+* X.509 name constraint extensions were rejected if non-critical. RFC 5280
+  requires conforming CAs issue such extensions as critical, but not all
+  certificates are compliant, and all other known implementations do not
+  require this. (GH #2739 #2736)
+
+* X.509 name constraints were incorrectly applied to the certificate which
+  included the constraint. (GH #2739 #2737)
+
+Version 2.18.0, 2021-04-15
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add support for implementing custom RNG objects through the
+  FFI interface (GH #2627 #2600)
+
+* Improve safegcd bounds, improving runtime performance (GH #2628 #2619)
+
+* Fix a bug introduced in 2.9.0 where BigInt::operator< would return
+  an incorrect result if both operands were negative. (GH #2641 #2638)
+
+* Reject non-TLS messages as quickly as possible without waiting for
+  a full record. (GH #2676)
+
+* Add build support for RISC-V 32
+
+* Fixes for TLS::Stream::async_shutdown (GH #2673)
+
+* Fix a regression introduced in 2.17.0 where LDFLAGS which add an extra
+  library (such as ``-latomic`` needed on SPARC) were not always applied
+  effectively. (GH #2622 #2623 #2625)
+
+Version 2.17.3, 2020-12-21
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* CVE-2021-24115 Change base64, base58, base32, and hex encoding and
+  decoding operations to run in constant time (GH #2549)
+
+* Fix a build problem on PPC64 building with Clang (GH #2547)
+
+* Fix an install problem introduced in 2.17.2 affecting MSVC 2015
+
+* Fix use of -L flag in linking when configured using ``--with-external-libdir``
+  (GH #2496)
+
+* Fix a build problem on big-endian PowerPC related to VSX instructions
+  in the AES code. (GH #2515)
+
+Version 2.17.2, 2020-11-13
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix an build problem on ppc64 introduced with certain recent
+  versions of GCC or binutils where using the DARN instruction
+  requires using an appropriate -mcpu flag to enable the instruction
+  in the assembler. (GH #2481 2463)
+
+* Resolve an issue in the modular square root algorithm where a loop
+  to find a quadratic non-residue could, for a carefully chosen
+  composite modulus, not terminate in a timely manner. (GH #2482 #2476)
+
+* Fix a regression in MinGW builds introduced in 2.17.1
+
+Version 2.17.1, 2020-11-07
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a build problem that could occur if Python was not in the PATH.
+  This was known to occur on some installations of macOS.
+
+* Re-enable support for the x86 CLMUL instruction on Visual C++, which was
+  accidentally disabled starting in 2.12.0. (GH #2460)
+
+Version 2.17.0, 2020-11-05
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a bug in ECDSA which could occur when the group size and hash length
+  differ. In this case, on occasion the generated signature would not be
+  accepted by other ECDSA implementations. This was particularly likely to
+  affect users of 160-bit or 239-bit curves. (GH #2433 #2415)
+
+* Fix a bug in ECDSA verification when the public key was chosen to be
+  a small multiple of the group generator. In that case, verification
+  would fail even if the signature was actually valid. (GH #2425)
+
+* SIV's functionality of supporting multiple associated data inputs has been
+  generalized onto the AEAD_Mode interface. However at the moment SIV is the
+  only AEAD implemented which supports more than one AD. (GH #2440)
+
+* The contents of ASN.1 headers ``asn1_str.h``, ``asn1_time.h``, ``asn1_oid.h``
+  and ``alg_id.h`` have been moved to ``asn1_obj.h``. The header files remain
+  but simply forward the include to ``asn1_obj.h``. These now-empty header files
+  are deprecated, and will be removed in a future major release. (GH #2441)
+
+* The contents of X.509/PKIX headers ``asn1_attribute.h`` ``asn1_alt_name.h``
+  ``name_constraint.h`` ``x509_dn.h`` ``cert_status.h`` and ``key_constraint.h``
+  have been merged into ``pkix_enums.h`` (for enumerations) and ``pkix_types.h``
+  (for all other definitions). The previous header files remain but simply
+  forward the include to the new header containing the definition. These
+  now-empty header files are deprecated, and will be removed in a future major
+  release. (GH #2441)
+
+* A number of other headers including those related to HOTP/TOTP, XMSS,
+  PKCS11, PSK_DB have also been merged. Any now deprecated/empty headers
+  simply include the new header and issue a deprecation warning.
+  (GH #2443 #2446 #2447 2448 #2449)
+
+* Small optimizations in the non-hardware assisted AES key generation
+  code path (GH #2417 #2418)
+
+* Move the GHASH code to a new module in utils, making it possible
+  to build GMAC support without requiring GCM (GH #2416)
+
+* Add more detection logic for AVX-512 features (GH #2430)
+
+* Avoid std::is_pod which is deprecated in C++20 (GH #2429)
+
+* Fix a bug parsing deeply nested cipher names (GH #2426)
+
+* Add support for ``aarch64_be`` target CPU (GH #2422)
+
+* Fix order of linker flags so they are always applied effectively (GH #2420)
+
+* Prevent requesting DER encoding of signatures when the algorithm
+  did not support it (GH #2419)
+
+Version 2.16.0, 2020-10-06
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Now userspace PRNG objects (such as AutoSeeded_RNG and HMAC_DRBG)
+  use an internal lock, which allows safe concurrent use. This however
+  is purely a precaution in case of accidental sharing of such RNG
+  objects; for performance reasons it is always preferable to use
+  a RNG per thread if a userspace RNG is needed. (GH #2399)
+
+* DL_Group and EC_Group objects now track if they were created from a
+  known trusted group (such as P-256 or an IPsec DH parameter).  If
+  so, then verification tests can be relaxed, as compared to
+  parameters which may have been maliciously constructed in order to
+  pass primality checks. (GH #2409)
+
+* RandomNumberGenerator::add_entropy_T assumed its input was a POD
+  type but did not verify this. (GH #2403)
+
+* Support OCSP responders that live on a non-standard port (GH #2401)
+
+* Add support for Solaris sandbox (GH #2385)
+
+* Support suffixes on release numbers for alpha/beta releases (GH #2404)
+
+* Fix a bug in EAX which allowed requesting a 0 length tag, which had
+  the effect of using a full length tag. Instead omit the length field,
+  or request the full tag length explicitly. (GH #2392 #2390)
+
+* Fix a memory leak in GCM where if passed an unsuitable block cipher
+  (eg not 128 bit) it would throw an exception and leak the cipher
+  object. (GH #2392 #2388)
+
+Version 2.15.0, 2020-07-07
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a bug where the name constraint extension did not constrain the
+  alternative DN field which can be included in a subject alternative name. This
+  would allow a corrupted sub-CA which was otherwise constrained by a name
+  constraint to issue a certificate with a prohibited DN.
+
+* Fix a bug in the TLS server during client authentication where where
+  if a (disabled by default) static RSA ciphersuite was selected, then
+  no certificate request would be sent. This would have an equivalent
+  effect to a client which simply replied with an empty Certificate
+  message. (GH #2367)
+
+* Replace the T-Tables implementation of AES with a 32-bit bitsliced
+  version. As a result AES is now constant time on all processors.
+  (GH #2346 #2348 #2353 #2329 #2355)
+
+* In TLS, enforce that the key usage given in the server certificate
+  allows the operation being performed in the ciphersuite. (GH #2367)
+
+* In X.509 certificates, verify that the algorithm parameters are
+  the expected NULL or empty. (GH #2367)
+
+* Change the HMAC key schedule to attempt to reduce the information
+  leaked from the key schedule with regards to the length of the key,
+  as this is at times (as for example in PBKDF2) sensitive information.
+  (GH #2362)
+
+* Add Processor_RNG which wraps RDRAND or the POWER DARN RNG
+  instructions. The previous RDRAND_RNG interface is deprecated.
+  (GH #2352)
+
+* The documentation claimed that mlocked pages were created with a
+  guard page both before and after. However only a trailing guard page
+  was used. Add a leading guard page. (GH #2334)
+
+* Add support for generating and verifying DER-encoded ECDSA signatures
+  in the C and Python interfaces. (GH #2357 #2356)
+
+* Workaround a bug in GCC's UbSan which triggered on a code sequence
+  in XMSS (GH #2322)
+
+* When building documentation using Sphinx avoid parallel builds with
+  version 3.0 due to a bug in that version (GH #2326 #2324)
+
+* Fix a memory leak in the CommonCrypto block cipher calls (GH #2371)
+
+* Fix a flaky test that would occasionally fail when running the tests
+  with a large number of threads. (GH #2325 #2197)
+
+* Additional algorithms are now deprecated: XTEA, GOST, and Tiger.
+  They will be removed in a future major release.
+
+Version 2.14.0, 2020-04-06
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add support for using POWER8+ VPSUMD instruction to accelerate GCM
+  (GH #2247)
+
+* Optimize the vector permute AES implementation, especially improving
+  performance on ARMv7, Aarch64, and POWER. (GH #2243)
+
+* Use a new algorithm for modular inversions which is both faster and
+  more resistant to side channel attacks. (GH #2287 #2296 #2301)
+
+* Address an issue in CBC padding which would leak the length of the
+  plaintext which was being padded. Unpadding during decryption was
+  not affected. Thanks to Maximilian Blochberger for reporting this.
+  (GH #2312)
+
+* Optimize NIST prime field reductions, improving ECDSA by 3-9% (GH #2295)
+
+* Increase the size of the ECC blinding mask and scale it based on the
+  size of the group order. (GH #880 #893 #2308)
+
+* Add server side support for the TLS asio wrapper. (GH #2229)
+
+* Add support for using Windows certificate store on MinGW (GH #2280)
+
+* Use the library thread pool instead of a new thread for RSA computations,
+  improving signature performance by up to 20%. (GH #2257)
+
+* Precompute and cache additional fields in ``X509_Certificate`` (GH #2250)
+
+* Add a CLI utility ``cpu_clock`` which estimates the speed of the
+  processor cycle counter. (GH #2251)
+
+* Fix a bug which prevented using DER-encoded ECDSA signatures with a PKCS11
+  key (GH #2293)
+
+* Enable use of raw block ciphers from CommonCrypto (GH #2278)
+
+* Support for splitting up the amalgamation file by ABI extension has
+  been removed. Instead only ``botan_all.cpp`` and ``botan_all.h`` are
+  generated. (GH #2246)
+
+* Improve support for baremetal systems with no underlying OS, with
+  target OS ``none`` (GH #2303 #2304 #2305)
+
+* The build system now avoids using ``-rpath=$ORIGIN`` or (on macOS)
+  install_name which allowed running the tests from the build
+  directory without setting ``LD_LIBRARY_PATH``/``DYLD_LIBRARY_PATH``
+  environment variables. Instead set the dynamic linker variables
+  appropriately, or use ``make check``. (GH #2294 #2302)
+
+* Add new option ``--name-amalgamation`` which allows naming the
+  amalgamation output, instead of the default ``botan_all``. (GH #2246)
+
+* Avoid using symbolic links on Windows (GH #2288 #2286 #2285)
+
+* Fix a bug that prevented compilation of the amalgamation on ARM and
+  POWER processors (GH #2245 #2241)
+
+* Fix some build problems under Intel C++ (GH #2260)
+
+* Remove use of Toolhelp Windows library, which was known to trigger
+  false positives under some antivirus systems. (GH #2261)
+
+* Fix a compilation problem when building on Windows in Unicode mode.
+  Add Unicode build to CI to prevent regressions. (GH #2254 #2256)
+
+* Work around a GCC bug affecting old libc (GH #2235)
+
+* Workaround a bug in macOS 10.15 which caused a test to crash.
+  (GH #2279 #2268)
+
+* Avoid a crash in PKCS8::load_key due to a bug in Clang 8.
+  (GH #2277)
+
+Version 2.13.0, 2020-01-06
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add Roughtime client (GH #2143 #1842)
+
+* Add support for XMSS X.509 certificates (GH #2172)
+
+* Add support for X.509 CRLs in FFI layer and Python wrapper (GH #2213)
+
+* It is now possible to disable TLS v1.0/v1.1 and DTLS v1.0 at build time.
+  (GH #2188)
+
+* The format of encrypted TLS sessions has changed, which will invalidate all
+  existing session tickets. The new format will make it easier to support ticket
+  key rotation in the future. (GH #2225)
+
+* Improve RSA key generation performance (GH #2148)
+
+* Make gcd computation constant-time (GH #2147)
+
+* Add AVX2 implementation of SHACAL2 (GH #2196)
+
+* Update BSI policy to reflect 2019 update of TR 02102-2 (GH #2195)
+
+* Support more functionality for X.509 in the Python API (GH #2165)
+
+* Add ``generic`` CPU target useful when building for some new or unusual
+  platform.
+
+* Disable MD5 in BSI or NIST modes (GH #2188)
+
+* Disable stack protector on MinGW as it causes crashes with some recent
+  versions. (GH #2187)
+
+* On Windows the DLL is now installed into the binary directory (GH #2233)
+
+* Previously Windows required an explicit ``.lib`` suffix be added when
+  providing an explicit library name, as is used for example for Boost.
+  Now the ``.lib`` suffix is implicit, and should be omitted.
+
+* Remove the 32-bit x86 inline asm for Visual C++ as it seemed to not offer
+  much in the way of improved performance. (GH #2204 #256)
+
+* Resolve all compile time warnings generated by GCC, Clang and MSVC.
+  Modify CI to compile with warnings-as-errors. (GH #2170 #2206 #2211 #2212)
+
+* Fix bugs linking to 3rd party libraries on Windows due to invalid
+  link specifiers. (GH #2210 #2215)
+
+* Add long input and NIST Monte-Carlo hash function tests.
+
+* Fix a bug introduced in 2.12.0 where ``TLS::Channel::is_active`` and
+  ``TLS::Channel::is_closed`` could simultaneously return true.
+  (GH #2174 #2171)
+
+* Use ``std::shared_ptr`` instead of ``boost::shared_ptr`` in some examples.
+  (GH #2155)
+
+Version 2.12.1, 2019-10-14
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a bug that prevented building with nmake (GH #2142 #2141)
+
+* Fix an issue where make install would attempt to build targets which
+  were disabled. (GH #2140)
+
+* If the option ``--without-documentation`` is used, avoid invoking the
+  documentation build script. (GH #2138)
+
+* Fix a bug that prevented compilation on x86-32 using GCC 4.9 (GH #2139)
+
+* Fix a bug in CCM encryption, where it was possible to call ``finish`` without
+  ever setting a nonce (GH #2151 #2150)
+
+* Improve ECIES/DLIES interfaces. If no initialization vector was set, they
+  would typically produce hard to understand exceptions. (GH #2151 #2150)
+
+Version 2.12.0, 2019-10-07
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Many currently public headers are being deprecated. If any such header is
+  included by an application, a warning is issued at compile time. Headers
+  issuing this warning will be made internal in a future major release.
+  (GH #2061)
+
+* RSA signature performance improvements (GH #2068 #2070)
+
+* Performance improvements for GCM (GH #2024 #2099 #2119), OCB (#2122),
+  XTS (#2123) and ChaCha20Poly1305 (GH #2117), especially for small messages.
+
+* Add support for constant time AES using NEON and AltiVec (GH #2093 #2095 #2100)
+
+* Improve performance of POWER8 AES instructions (GH #2096)
+
+* Add support for the POWER9 hardware random number generator (GH #2026)
+
+* Add support for 64-bit version of RDRAND, doubling performance on x86-64 (GH #934 #2022)
+
+* In DTLS server, support a client crashing and then reconnecting from
+  the same source port, as described in RFC 6347 sec 4.2.8 (GH #2029)
+
+* Optimize DTLS MTU splitting to split precisely to the set MTU (GH #2042)
+
+* Add support for the TLS v1.3 downgrade indicator. (GH #2027)
+
+* Improve the error messages generated when an invalid TLS state transition occurs
+  (GH #2030)
+
+* Fix some edge cases around TLS close_notify support. (GH #2054)
+
+* Modifications to support GOST 34.10-2012 signatures (GH #2055 #2056 #1860 #1897)
+
+* Add some new APIs on ``OID`` objects (GH #2057)
+
+* Properly decode OCSP responses which indicate an error (GH #2110)
+
+* Add a function to remove an X.509 extension from an Extensions object.
+  (GH #2101 #2073 #2065)
+
+* Support Argon2 outputs longer than 64 bytes (GH #2079 #2078)
+
+* Correct a bug in CAST-128 which caused incorrect computation using
+  11, 13, 14, or 15 byte keys. (GH #2081)
+
+* Fix a bug which would cause Streebog to produce incorrect outputs for
+  certain messages (GH #2082 #2083)
+
+* Fix a bug that prevented loading EC points with an affine x or y
+  value of 0. For certain curves such points can exist. (GH #2102)
+
+* Fix a bug which would cause PBKDF2 to go into a very long loop if
+  it was requested to use an iteration count of 0. (GH #2090 #2088)
+
+* The BearSSL provider has been removed (GH #2020)
+
+* Add a new ``entropy`` cli which allows sampling the output of the entropy sources.
+
+* Add new ``base32_enc`` and ``base32_dec`` cli for base32 encoding operations. (GH #2111)
+
+* Support setting TLS policies in CLIs like ``tls_client`` and ``tls_proxy_server`` (GH #2047)
+
+* The tests now run in multithreaded mode by default. Provide option ``--test-threads=1`` to
+  return to previous single-threaded behavior. (GH #2071 #2075)
+
+* Cleanups in TLS record layer (GH #2021)
+
+* Fix typos in some OCSP enums which used "OSCP" instead. (GH #2048)
+
+* In the Python module, avoid trying to load DLLs for names that don't match the current
+  platform (GH #2062 #2059)
+
+* In the Python module, also look for ``botan.dll`` so Python wrapper can run on Windows.
+  (GH #2059 #2060)
+
+* Add support for TOTP algorithm to the Python module. (GH #2112)
+
+* Now the minimum Windows target is set to Windows 7 (GH #2036 #2028)
+
+* Add ``BOTAN_FORCE_INLINE`` macro to resolve a performance issue with BLAKE2b on MSVC
+  (GH #2092 #2089)
+
+* Avoid using ``__GNUG__`` in headers that may be consumed by a C compiler (GH #2013)
+
+* Improve the PKCS11 tests (GH #2115)
+
+* Fix a warning from Klocwork (GH #2128 #2129)
+
+* Fix a bug which caused amalgamation builds to fail on iOS (GH #2045)
+
+* Support disabling thread local storage, needed for building on old iOS (GH #2045)
+
+* Add a script to help with building for Android, using Docker (GH #2016 #2033 #513)
+
+* Add Android NDK build to Travis CI (GH #2017)
+
+Version 2.11.0, 2019-07-01
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add Argon2 PBKDF and password hash (GH #459 #1981 #1987)
+
+* Add Bcrypt-PBKDF (GH #1990)
+
+* Add a libsodium compat layer in sodium.h (GH #1996)
+
+* XMSS now follows RFC 8391 which is incompatible with previous versions, which
+  had followed draft 6. (GH #1858 #2003)
+
+* Add server side support for issuing DTLS HelloVerifyRequest messages
+  (GH #1999)
+
+* Add a shim allowing testing Botan against the BoringSSL test suite,
+  and fix a number of bugs in TLS found using it.
+  (GH #1954 #1955 #1956 #1959 #1966 #1970)
+
+* Add support for the TLS v1.3 supported_versions extension. (GH #1976)
+
+* Add Ed25519ph compatible with RFC 8032 (GH #1699 #2000)
+
+* Add support for OCSP stapling on server side. (GH #1703 #1967)
+
+* Add a ``boost::asio`` TLS stream compatible with ``boost::asio::ssl``.
+  (GH #1839 #1927 #1992)
+
+* Add a certificate store for Linux/Unix systems. (GH #1885 #1936)
+
+* Add a certificate store for Windows systems. (GH #1931)
+
+* Add a generic ``System_Certificate_Store`` which wraps Windows, macOS,
+  and Linux certificate stores. (GH #1893)
+
+* Fix verification rooted in a v1 certificate which previously would fail.
+  (GH #1890)
+
+* Add ability to specify the maximum age of an OCSP response which does not
+  have the nextUpdate field set. (GH #1974 #1995)
+
+* Fix X509_DN::operator< which could erroneously return true in both
+  directions (ie, DN1 < DN2 && DN2 < DN1). This would break STL
+  containers using a DN as the key. (GH #1938)
+
+* It is now possible to create intermediate CA certificates using the
+  command line interface. (GH #1879 #1889)
+
+* Add a new build time option to set where the system stores trusted
+  certificates. (GH #1888)
+
+* New ``trust_roots`` CLI that examines the system certificate store.
+  (GH #1893)
+
+* Fix bugs and add many new features in the Python wrapper.
+  (GH #1899 #1900 #1901 #1902 #1903 #1904 #1906 #1907 #1915)
+
+* Various FFI interfaces which are redundant with other APIs are now
+  deprecated. The deprecation message suggests the alternate API to use.
+  (GH #1915)
+
+* Fix decoding of RSA-OAEP certificates. (GH #1943 #1944)
+
+* Allow setting multiple organization unit fields in a certificate or
+  certificate request. (GH #1939)
+
+* Increase the maximum allowed year in ASN1_Time to 3100. This works
+  around a problem parsing certs in AppVeyor's trust store.
+
+* Add ``--format`` option to ``rng`` CLI command allowing to format
+  as base64, base58 or binary in addition to hex. (GH #1945)
+
+* Remove use of table lookups for IP/FP transforms in DES (GH #1928)
+
+* Improve the tests for SRP6 (GH #1917 #1923)
+
+* Document the build system
+
+* When available use POSIX ``sysconf`` to detect the number of CPUs (GH #1877)
+
+* Add functionality to handle Boost naming conventions on different platforms,
+  especially affecting Windows. Enable Boost in AppVeyor builds. (GH #1964)
+
+* Add alternate implementation of ``getauxval`` for older Android (GH #1962)
+
+* Add ``configure.py`` option allowing to set arbitrary macros during build.
+  (GH #1960)
+
+* Use FreeBSD's ``elf_aux_info`` to detect ARM and POWER CPU features
+  (GH #1895)
+
+* Use FreeBSD's ``PROT_MAX`` to prevent mmap regions from being made executable
+  later. (GH #2001)
+
+* Fix a memory leak in the tests (GH #1886)
+
+* Fix an issue building with the new Boost 1.70 (GH #1881 #1880)
+
+* Fix an issue with UbSan in the tests (GH #1892)
+
+* Remove use of ``-mabi`` flag when building on MIPS64 (GH #1918)
+
+* Make it possible to specify additional libraries in ``LDFLAGS`` (GH #1916)
+
+* Fix some warnings from Clang 8 (GH #1941)
+
+* Fix the makefile .PHONY syntax (GH #1874)
+
+* Fix build issue with SoftHSM 2.5.0 (GH #1986)
+
+Version 2.10.0, 2019-03-30
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Notice: the developers plan to switch from gzip to xz compression for
+  releases starting in 2.11. If this is a problem please comment at
+  https://github.com/randombit/botan/issues/1872
+
+* Warning: XMSS currently implements draft-06 which is not compatible with the
+  final RFC 8391 specification. A PR is open to fix this, however it will break
+  all current uses of XMSS. If you are currently using XMSS please comment at
+  https://github.com/randombit/botan/pull/1858. Otherwise the PR will be merged
+  and support for draft-06 will be removed starting in 2.11.
+
+* Added a new certificate store implementation that can access the
+  MacOS keychain certificate store. (GH #1830)
+
+* Redesigned ``Memory_Pool`` class, which services allocations out of a
+  set of pages locked into memory (using ``mlock``/``VirtualLock``). It is now
+  faster and with improved exploit mitigations. (GH #1800)
+
+* Add BMI2 implementations of SHA-512 and SHA-3 which improve performance by
+  25-35% on common CPUs. (GH #1815)
+
+* Unroll SHA-3 computation improving performance by 10-12% (GH #1838)
+
+* Add a ``Thread_Pool`` class. It is now possible to run the tests in multiple
+  threads with ``--test-threads=N`` flag to select the number of threads to use.
+  Use ``--test-threads=0`` to run with as many CPU cores as are available on the
+  current system. The default remains single threaded. (GH #1819)
+
+* XMSS signatures now uses a global thread pool instead of spawning new threads
+  for each usage. This improves signature generation performance by between 10%
+  and 60% depending on architecture and core count. (GH #1864)
+
+* Some functions related to encoding and decoding BigInts have been deprecated.
+  (GH #1817)
+
+* Binary encoding and decoding of BigInts has been optimized by performing
+  word-size operations when possible. (GH #1817)
+
+* Rename the exception ``Integrity_Failure`` to ``Invalid_Authentication_Tag`` to make
+  its meaning and usage more clear. The old name remains as a typedef. (GH #1816)
+
+* Support for using Boost ``filesystem`` and MSVC's ``std::filesystem`` have been
+  removed, since already POSIX and Win32 versions had to be maintained for
+  portability. (GH #1814)
+
+* Newly generated McEliece and XMSS keys now default to being encrypted using
+  SIV mode, support for which was added in 2.8.0. Previously GCM was used by
+  default for these algorithms.
+
+* Use ``arc4random`` on Android systems (GH #1851)
+
+* Fix the encoding of PGP-S2K iteration counts (GH #1853 #1854)
+
+* Add a facility for sandboxing the command line util. Currently FreeBSD
+  (Capsicum) and OpenBSD (``pledge``) sandboxes are supported. (GH #1808)
+
+* Use ``if constexpr`` when available.
+
+* Disable building shared libs on iOS as it was broken and it is not clear shared
+  libraries are ever useful on iOS (GH #1865)
+
+* Renamed the ``darwin`` build target to ``macos``. This should not cause any
+  user-visible change. (GH #1866)
+
+* Add support for using ``sccache`` to cache the Windows CI build (GH #1807)
+
+* Add ``--extra-cxxflags`` option which allows adding compilation flags without
+  overriding the default set. (GH #1826)
+
+* Add ``--format=`` option to the ``hash`` cli which allows formatting the output
+  as base64 or base58, default output remains hex.
+
+* Add ``base58_enc`` and ``base58_dec`` cli utils for base58 encoding/decoding.
+  (GH #1848)
+
+* Enable ``getentropy`` by default on macOS (GH #1862)
+
+* Avoid using ``-momit-leaf-frame-pointer`` flags, since ``-fomit-frame-pointer``
+  is already the default with recent versions of GCC.
+
+* Fix XLC sanitizer flags.
+
+* Rename ``Blake2b`` class to ``BLAKE2b`` to match the official name. There is
+  a typedef for compat.
+
+* Fix a bug where loading a raw ``Ed25519_PublicKey`` of incorrect length would
+  lead to a crash. (GH #1850)
+
+* Fix a bug that caused compilation problems using CryptoNG PRNG. (GH #1832)
+
+* Extended SHAKE-128 cipher to support any key between 1 and 160 bytes, instead
+  of only multiples of 8 bytes.
+
+* Minor HMAC optimizations.
+
+* Build fixes for GNU/Hurd.
+
+* Fix a bug that prevented generating or verifying Ed25519 signatures in the CLI
+  (GH #1828 #1829)
+
+* Fix a compilation error when building the amalgamation outside of the original
+  source directory when AVX2 was enabled. (GH #1812)
+
+* Fix a crash when creating the amalgamation if a header file was edited on
+  Windows but then the amalgamation was built on Linux (GH #1763)
+
+Version 2.9.0, 2019-01-04
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* CVE-2018-20187 Address a side channel during ECC key generation,
+  which used an unblinded Montgomery ladder. As a result, a timing
+  attack can reveal information about the high bits of the secret key.
+
+* Fix bugs in TLS which caused negotiation failures when the client
+  used an unknown signature algorithm or version (GH #1711 #1709 #1708)
+
+* Fix bug affecting GCM, EAX and ChaCha20Poly1305 where if the associated data
+  was set after starting a message, the new AD was not reflected in the produced
+  tag. Now with these modes setting an AD after beginning a message throws an
+  exception.
+
+* Use a smaller sieve which improves performance of prime generation.
+
+* Fixed a bug that caused ChaCha to produce incorrect output after encrypting
+  256 GB. (GH #1728)
+
+* Add NEON and AltiVec implementations of ChaCha (GH #1719 #1728 #1729)
+
+* Optimize AVX2 ChaCha (GH #1730)
+
+* Many more operations in BigInt, ECC and RSA code paths are either fully const time
+  or avoid problematic branches that could potentially be exploited in a side
+  channel attack. (GH #1738 #1750 #1754 #1755 #1757 #1758 #1759 #1762 #1765
+  #1770 #1773 #1774 #1779 #1780 #1794 #1795 #1796 #1797)
+
+* Several optimizations for BigInt and ECC, improving ECDSA performance by as
+  much as 30%. (GH #1734 #1737 #1777 #1750 #1737 #1788)
+
+* Support recovering an ECDSA public key from a message/signature pair (GH #664 #1784)
+
+* Add base58 encoding/decoding functions (GH #1783)
+
+* In the command line interface, add support for reading passphrases from the
+  terminal with echo disabled (GH #1756)
+
+* Add ``CT::Mask`` type to simplify const-time programming (GH #1751)
+
+* Add new configure options ``--disable-bmi2``, ``--disable-rdrand``,
+  and ``--disable-rdseed`` to prevent use of those instruction sets.
+
+* Add ``error_type`` and ``error_code`` functions to Exception type (GH #1744)
+
+* Now on POSIX systems ``posix_memalign`` is used instead of ``mmap`` for
+  allocating the page-locked memory pool. This avoids issues with ``fork``.
+  (GH #602 #1798)
+
+* When available, use RDRAND to generate the additional data in
+  ``Stateful_RNG::randomize_with_ts_input``
+
+* Use vzeroall/vzeroupper intrinsics to avoid AVX2/SSE transition penalties.
+
+* Support for Visual C++ 2013 has been removed (GH #1557 #1697)
+
+* Resolve a memory leak when verifying ECDSA signatures with versions
+  of OpenSSL before 1.1.0 (GH #1698)
+
+* Resolve a memory leak using ECDH via OpenSSL (GH #1767)
+
+* Fix an error in XTS which prohibited encrypting values which were
+  exactly the same length as the underlying block size. Messages of
+  this size are allowed by the standard and other XTS implementations.
+  (GH #1706)
+
+* Resolve a bug in TSS which resulted in it using an incorrect length
+  field in the shares. Now the correct length is encoded, but either
+  correct or buggy lengths are accepted when decoding. (GH #1722)
+
+* Correct a bug when reducing a negative ``BigInt`` modulo a small power of 2.
+  (GH #1755)
+
+* Add CLI utils for threshold secret splitting. (GH #1722)
+
+* Fix a bug introduced in 2.8.0 that caused compilation failure if using
+  a single amalgamation file with AVX2 enabled. (GH #1700)
+
+* Add an explicit OS target for Emscripten and improve support for it.
+  (GH #1702)
+
+* Fix small issues when building for QNX
+
+* Switch the Travis CI build to using Ubuntu 16.04 (GH #1767)
+
+* Add options to ``configure.py`` to disable generation of ``pkg-config``
+  file, and (for systems where ``pkg-config`` support defaults to off,
+  like Windows), to enable generating it. (GH #1268)
+
+* Modify ``configure.py`` to accept empty lists or trailing/extra commas.
+  (GH #1705)
+
+Version 2.8.0, 2018-10-01
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add support for using Apple CommonCrypto library for hashing (GH #1667),
+  cipher modes (GH #1674) and block ciphers (GH #1673).
+
+* Support for negotiating TLS versions 1.0 and 1.1 is disabled in the default
+  TLS policy. In addition, support for negotiating TLS ciphersuites using CBC or
+  CCM mode is disabled by default. Applications which need to interop with old
+  peers must enable these in their TLS policy object. (GH #1651)
+
+* During primality testing, use a Lucas test in addition to Miller-Rabin. It is
+  possible to construct a composite integer which passes n Miller-Rabin tests
+  with probability (1/4)^n. So for a incautious verifier using a small number
+  of tests (under 16 or so) it is possible if unlikely they would accept such a
+  composite as prime. Adding a Lucas test precludes such an attack. (GH #1636)
+
+* Add XChaCha and XChaCha20Poly1305 (GH #1640)
+
+* Add AVX2 implementations of ChaCha (GH #1662) and Serpent (GH #1660)
+
+* Add a new password hashing interface in pwdhash.h (GH #1670)
+
+* C binding improvements. Added functions to get name and supported
+  keylengths of cipher, hash and MAC objects, support for FE1 format
+  preserving encryption (GH #1625 #1646), functions to load and save
+  RSA keys in PKCS #1 format (GH #1621), HOTP and TOTP algorithms,
+  scrypt, certificate verification (GH #1647), functions to get the
+  output length of public key operations (GH #1642), and functions for
+  loading and serializing X25519 keys (GH #1681)
+
+* Support for building with BOTAN_MP_WORD_BITS set to 8 or 16 has been removed.
+
+* Previously SM2 had two distinct key types, one for signatures and another for
+  encryption. They have now been merged into a single key type since in practice
+  it seems the same key is at times used for both operations. (GH #1637)
+
+* The ``Cipher_Mode`` class now derives from ``SymmetricAlgorithm`` (GH #1639)
+
+* Add support for using the ARMv8 instructions for SM4 encryption (GH #1622)
+
+* The entropy source using ``SecRandomCopyBytes`` has been removed as it was
+  redundant with other entropy sources (GH #1668)
+
+* The Python module has much better error checking and reporting, and offers new
+  functionality such as scrypt, MPI and FPE. (GH #1643 #1646)
+
+* Fixed a bug that caused CCM to fail with an exception when used with L=8
+  (GH #1631 #1632)
+
+* The default bcrypt work factor has been increased from 10 to 12.
+
+* The default algorithm used in passhash9 has changed from SHA-256 to SHA-512,
+  and the default work factor increased from 10 to 15.
+
+* In ECC private keys, include the public key data for compatibility with
+  GnuTLS (GH #1634 #1635)
+
+* Add support for using Linux ``getrandom`` syscall to access the system PRNG.
+  This is disabled by default, use ``--with-os-feature=getrandom`` to enable.
+
+* It is now possible to encrypt private keys using SIV mode.
+
+* The FFI function botan_privkey_load now ignores its rng argument.
+
+* Resolve a problem when building under Visual C++ 15.8 (GH #1624)
+
+* Fix a bug in XSalsa20 (192-bit Salsa nonces) where if set_iv was called twice
+  without calling set_key, the resulting encryption was incorrect. (GH #1640)
+
+* Handle an error seen when verifying invalid ECDSA signatures using LibreSSL
+  on non x86-64 platforms (GH #1627 #1628)
+
+* Fix bugs in PKCS7 and X9.23 CBC padding schemes, which would ignore
+  the first byte in the event the padding took up the entire block. (GH #1690)
+
+* Correct bugs which would cause CFB, OCB, and GCM modes to crash when they
+  were used in an unkeyed state. (GH #1639)
+
+* Optimizations for SM4 and Poly1305
+
+* Avoid a cache side channel in the AES key schedule
+
+* Add ``pk_encrypt`` and ``pk_decrypt`` CLI operations
+
+* Now ``asn1print`` CLI defaults to printing context-specific fields.
+
+* Use codec_base for Base64, which matches how Base32 is implemented (GH #1597)
+
+* The ``cast`` module has been split up into ``cast128`` and ``cast256`` (GH #1685)
+
+* When building under Visual C++ 2013, the user must acknowledge the upcoming
+  removal of support using the configure.py flag ``--ack-vc2013-deprecated``
+  (GH #1557)
+
+Version 2.7.0, 2018-07-02
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* CVE-2018-12435 Avoid a side channel in ECDSA signature generation (GH #1604)
+
+* Avoid a side channel in RSA key generation due to use of a non-constant time
+  gcd algorithm. (GH #1542 #1556)
+
+* Optimize prime generation, especially improving RSA key generation. (GH #1542)
+
+* Make Karatsuba multiplication, Montgomery field operations, Barrett reduction
+  and Montgomery exponentiation const time (GH #1540 #1606 #1609 #1610)
+
+* Optimizations for elliptic curve operations especially improving reductions
+  and inversions modulo NIST primes (GH #1534 #1538 #1545 #1546 #1547 #1550)
+
+* Add 24 word wide Comba multiplication, improving 3072-bit RSA and DH by ~25%.
+  (GH #1564)
+
+* Unroll Montgomery reduction for specific sizes (GH #1603)
+
+* Improved performance of signature verification in ECGDSA, ECKCDSA,
+  SM2 and GOST by 10-15%.
+
+* XMSS optimizations (GH #1583 #1585)
+
+* Fix an error that meant XMSS would only sign half as many signatures as is
+  allowed (GH #1582)
+
+* Add support for base32 encoding/decoding (GH #1541)
+
+* Add BMI2 optimized version of SHA-256, 40% faster on Skylake (GH #1584)
+
+* Allow the year to be up to 2200 in ASN.1 time objects. Previously this
+  was limited to 2100. (GH #1536)
+
+* Add support for Scrypt password hashing (GH #1570)
+
+* Add support for using Scrypt for private key encryption (GH #1574)
+
+* Optimizations for DES/3DES, approx 50% faster when used in certain modes such
+  as CBC decrypt or CTR.
+
+* XMSS signature verification did not check that the signature was of
+  the expected length which could lead to a crash. (GH #1537)
+
+* The bcrypt variants 2b and 2y are now supported.
+
+* Support for 192-bit Suite B TLS profile is now implemented, as the 128-bit
+  Suite B is since 2015 not allowed anymore.
+
+* Previously botan allowed GCM to be used with an empty nonce, which is not
+  allowed by the specification. Now such nonces are rejected.
+
+* Avoid problems on Windows when compiling in Unicode mode (GH #1615 #1616)
+
+* Previously for ASN.1 encoded signatures (eg ECDSA) Botan would accept any
+  valid BER encoding. Now only the single valid DER encoding is accepted.
+
+* Correct an error that could in rare cases cause an internal error exception
+  when doing computations with the P-224 curve.
+
+* Optimizations to reduce allocations/copies during DER encoding and BER
+  decoding (GH #1571 #1572 #1600)
+
+* Botan generates X.509 subject key IDs by hashing the public key with whatever
+  hash function is being used to sign the certificate. However especially for
+  SHA-512 this caused SKIDs that were far longer than necessary. Now all SKIDs
+  are truncated to 192 bits.
+
+* In the test suite use ``mkstemp`` to create temporary files instead of
+  creating them in the current working directory. (GH #1533 #1530)
+
+* It is now possible to safely override ``CXX`` when invoking make in addition
+  to when ``configure.py`` is run. (GH #1579)
+
+* OIDs for Camellia and SM4 in CBC and GCM mode are now defined, making it
+  possible to use this algorithms for private key encryption.
+
+* Avoid creating symlinks to the shared object on OpenBSD (#1535)
+
+* The ``factor`` command runs much faster on larger inputs now.
+
+* Support for Windows Phone/UWP was deprecated starting in 2.5. This deprecation
+  has been reversed as it seems UWP is still actively used. (GH #1586 #1587)
+
+* Support for Visual C++ 2013 is deprecated, and will be removed in Jan 2019.
+
+* Added support for GCC's --sysroot option to configure.py for cross-compiling.
+
+Version 2.6.0, 2018-04-10
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* CVE-2018-9860 Fix a bug decrypting TLS CBC ciphertexts which could
+  for a malformed ciphertext cause the decryptor to read and HMAC an
+  additional 64K bytes of data which is not part of the record. This
+  could cause a crash if the read went into unmapped memory. No
+  information leak or out of bounds write occurs.
+
+* Add support for OAEP labels (GH #1508)
+
+* RSA signing is about 15% faster (GH #1523) and RSA verification is
+  about 50% faster.
+
+* Add exponent blinding to RSA (GH #1523)
+
+* Add ``Cipher_Mode::create`` and ``AEAD_Mode::create`` (GH #1527)
+
+* Fix bug in TLS server introduced in 2.5 which caused connection to
+  fail if the client offered any signature algorithm not known to the
+  server (for example RSA/SHA-224).
+
+* Fix a bug in inline asm that would with GCC 7.3 cause incorrect
+  computations and an infinite loop during the tests. (GH #1524 #1529)
+
+Version 2.5.0, 2018-04-02
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix error in certificate wildcard matching (CVE-2018-9127), where a
+  wildcard cert for ``b*.example.com`` would be accepted as a match for
+  any host with name ``*b*.example.com`` (GH #1519)
+
+* Add support for RSA-PSS signatures in TLS (GH #1285)
+
+* Ed25519 certificates are now supported (GH #1501)
+
+* Many optimizations in ECC operations. ECDSA signatures are 8-10 times faster.
+  ECDSA verification is about twice as fast. ECDH key agreement is 3-4 times
+  faster. (GH #1457 #1478)
+
+* Implement product scanning Montgomery reduction, which improves Diffie-Hellman
+  and RSA performance by 10 to 20% on most platforms. (GH #1472)
+
+* DSA signing and verification performance has improved by 30-50%.
+
+* Add a new Credentials_Manager callback that specifies which CAs the server
+  has indicated it trusts (GH #1395 fixing #1261)
+
+* Add new TLS::Callbacks methods that allow creating or removing extensions,
+  as well as examining extensions sent by the peer (GH #1394 #1186)
+
+* Add new TLS::Callbacks methods that allow an application to
+  negotiate use of custom elliptic curves. (GH #1448)
+
+* Add ability to create custom elliptic curves (GH #1441 #1444)
+
+* Add support for POWER8 AES instructions (GH #1459 #1393 #1206)
+
+* Fix DSA/ECDSA handling of hashes longer than the group order (GH #1502 #986)
+
+* The default encoding of ECC public keys has changed from compressed
+  to uncompressed point representation. This improves compatibility with
+  some common software packages including Golang's standard library.
+  (GH #1480 #1483)
+
+* It is now possible to create DNs with custom components. (GH #1490 #1492)
+
+* It is now possible to specify the serial number of created certificates,
+  instead of using the default 128-bit random integer. (GH #1489 #1491)
+
+* Change DL_Group and EC_Group to store their data as shared_ptr for
+  fast copying. Also both classes precompute additional useful values
+  (eg for modular reductions). (GH #1435 #1454)
+
+* On Windows platforms RtlGenRandom is now used in preference to CryptoAPI
+  or CryptoNG libraries. (GH #1494)
+
+* Make it possible for PKCS10 requests to include custom extensions. This also
+  makes it possible to use multiple SubjectAlternativeNames of a single type in
+  a request, which was previously not possible. (GH #1429 #1428)
+
+* Add new optimized interface for FE1 format preserving encryption. By caching a
+  number of values computed in the course of the FPE calculation, it provides a
+  6-7x speedup versus the old API. (GH #1469)
+
+* Add DSA and ElGamal keygen functions to FFI (#1426)
+
+* Add ``Pipe::prepend_filter`` to replace deprecated ``Pipe::prepend`` (GH #1402)
+
+* Fix a memory leak in the OpenSSL block cipher integration, introduced in 2.2.0
+
+* Use an improved algorithm for generating safe primes which is several tens of
+  times faster. Also, fix a bug in the prime sieving algorithm which caused
+  standard prime generation (like for RSA keys) to be slower than necessary.
+  (GH #1413 #1411)
+
+* Correct the return value of ``PK_Encryptor::maximum_input_size`` which
+  reported a much too small value (GH #1410)
+
+* Remove use of CPU specific optimization flags, instead the user should set
+  these via CXXFLAGS if desired. (GH #1392)
+
+* Resolve an issue that would cause a crash in the tests if they were run on
+  a machine without SSE2/NEON/VMX instructions. (GH #1495)
+
+* The Python module now tries to load DLLs from a list of names and
+  uses the first one which successfully loads and indicates it
+  supports the desired API level. (GH #1497)
+
+* Various minor optimizations for SHA-3 (GH #1433 #1434)
+
+* The output of ``botan --help`` has been improved (GH #1387)
+
+* Add ``--der-format`` flag to command line utils, making it possible verify
+  DSA/ECDSA signatures generated by OpenSSL command line (GH #1409)
+
+* Add support for ``--library-suffix`` option to ``configure.py`` (GH #1405 #1404)
+
+* Use feature flags to enable/disable system specific code (GH #1378)
+
+* Add ``--msvc-runtime`` option to allow using static runtime (GH #1499 #210)
+
+* Add ``--enable-sanitizers=`` option to allow specifying which sanitizers to
+  enable. The existing ``--with-sanitizers`` option just enables some default
+  set which is known to work with the minimum required compiler versions.
+
+* Use either ``rst2man`` or ``rst2man.py`` for generating man page as
+  distributions differ on where this program is installed (GH #1516)
+
+* The threefish module has been renamed threefish_512 since that is the
+  algorithm it provides. (GH #1477)
+
+* The Perl XS based wrapper has been removed, as it was unmaintained and
+  broken. (GH #1412)
+
+* The sqlite3 encryption patch under ``contrib`` has been removed. It
+  is still maintained by the original author at
+  https://github.com/OlivierJG/botansqlite3
+
+* Support for Windows Phone is deprecated.
+
+Version 2.4.0, 2018-01-08
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Several build improvements requested by downstream packagers, including the
+  ability to disable building the static library. All makefile constructs that
+  were specific to nmake or GNU make have been eliminated, thus the option
+  ``--makefile-style`` which was previously used to select the makefile type has
+  also been removed. (GH #1230 #1237 #1300 #1318 #1319 #1324 #1325 #1346)
+
+* Support for negotiating the DH group as specified in RFC 7919 is now available
+  in TLS (GH #1263)
+
+* Support for ARIA-GCM ciphersuites are now available in TLS. They are disabled
+  by default. (GH #1284)
+
+* Add support for generating and verifying X.509 objects (certificates, CRLs,
+  etc) using RSA-PSS signatures (GH #1270 and #1368)
+
+* Add support for AES key wrapping with padding, as specified in RFC 5649 and
+  NIST SP 800-38F (GH #1301)
+
+* OCSP requests made during certificate verification had the potential to hang
+  forever. Now the sockets are non-blocking and a timeout is enforced. (GH #1360
+  fixing GH #1326)
+
+* Add ``Public_Key::fingerprint_public`` which allows fingerprinting the public key.
+  The previously available ``Private_Key::fingerprint`` is deprecated, now
+  ``Private_Key::fingerprint_private`` should be used if this is required.
+  (GH #1357)
+
+* ECC certificates generated by Botan used an invalid encoding for the
+  parameters field, which was rejected by some certificate validation libraries
+  notably BouncyCastle. (GH #1367)
+
+* Loading an ECC key which used OID encoding for the domain parameters, then
+  saving it, would result in a key using the explicit parameters encoding.
+  Now the OID encoding is retained. (GH #1365)
+
+* Correct various problems in certificate path validation that arose when
+  multiple paths could be constructed leading to a trusted root but due to
+  other constraints only some of them validated. (GH #1363)
+
+* It is now possible for certificate validation to return warning indicators,
+  such as that the distinguished name is not within allowed limits or that a
+  certificate with a negative serial number was observed. (GH #1363 #1359)
+
+* XMSS signatures now are multi-threaded for improved performance (GH #1267)
+
+* Fix a bug that caused the TLS peer cert list to be empty on a resumed session.
+  (GH #1303 #1342)
+
+* Increase the maximum HMAC key length from 512 bytes to 4096 bytes. This allows
+  using a DH key exchange in TLS with a group greater than 4096 bits. (GH #1316)
+
+* Fix a bug in the TLS server where, on receiving an SSLv3 client hello, it
+  would attempt to negotiate TLS v1.2. Now a protocol_version alert is sent.
+  Found with tlsfuzzer. (GH #1316)
+
+* Fix several bugs related to sending the wrong TLS alert type in various error
+  scenarios, caught with tlsfuzzer.
+
+* Add support for a ``tls_http_server`` command line utility which responds to
+  simple GET requests. This is useful for testing against a browser, or various
+  TLS test tools which expect the underlying protocol to be HTTP. (GH #1315)
+
+* Add an interface for generic PSK data stores, as well as an implementation
+  which encrypts stored values with AES key wrapping. (GH #1302)
+
+* Optimize GCM mode on systems both with and without carryless multiply
+  support. This includes a new base case implementation (still constant time), a
+  new SSSE3 implementation for systems with SSSE3 but not clmul, and better
+  algorithms for systems with clmul and pmull. (GH #1253 #1263)
+
+* Various optimizations for OCB, CFB, CTR, SM3, SM4, GMAC, BLAKE2b, Blowfish,
+  Twofish, CAST-128, and CRC24 (GH #1281)
+
+* Salsa20 now supports the seek operation.
+
+* Add ``EC_Group::known_named_groups`` (GH #1339)
+
+* Symmetric algorithms (block ciphers, stream ciphers, MACs) now verify that a
+  key was set before accepting data. Previously attempting to use an unkeyed
+  object would instead result in either a crash or invalid outputs. (GH #1279)
+
+* The X509 certificate, CRL and PKCS10 types have been heavily refactored
+  internally. Previously all data of these types was serialized to strings, then
+  in the event a more complicated data structure (such as X509_DN) was needed,
+  it would be recreated from the string representation. However the round trip
+  process was not perfect and could cause fields to become lost. This approach
+  is no longer used, fixing several bugs (GH #1010 #1089 #1242 #1252). The
+  internal data is now stored in a ``shared_ptr``, so copying such objects is
+  now very cheap. (GH #884)
+
+* ASN.1 string objects previously held their contents as ISO 8859-1 codepoints.
+  However this led to certificates which contained strings outside of this
+  character set (eg in Cyrillic, Greek, or Chinese) being rejected. Now the
+  strings are always converted to UTF-8, which allows representing any
+  character. In addition, UCS-4 strings are now supported.
+  (GH #1113 #1250 #1287 #1289)
+
+* It is now possible to create an uninitialized X509_Certificate object. Such an
+  object will throw if any attempt to access its members is made. (GH #1335)
+
+* In BER decoder, avoid unbounded stack recursion when parsing nested indefinite
+  length values. Now at most 16 nested indefinite length values are accepted,
+  anything deeper resulting in a decoding error.  (GH #1304 OSS-Fuzz 4353).
+
+* A new ASN.1 printer API allows generating a string representation of arbitrary
+  BER data. This is used in the ``asn1print`` command line utility and may be
+  useful in other applications, for instance for debugging.
+
+* New functions for bit rotations that distinguish rotating by a compile-time
+  constant vs a runtime variable rotation. This allows better optimizations in
+  both cases. Notably performance of CAST-128 and CAST-256 are substantially
+  improved. (GH #1247)
+
+* TLS CBC ciphersuites now are implemented using the standard CBC code, instead
+  of reimplementing CBC inside the TLS stack. This allows for parallel
+  decryption of TLS CBC ciphertexts, and improves performance especially when
+  using AES hardware support. (GH #1269)
+
+* Add callbacks to make it possible for an application using TLS to provide
+  custom implementations of signature schemes, eg when offloading the
+  computations to another device. (GH #1332)
+
+* Use a direct calculation for calendar computations instead of relying on
+  non-portable operating system interfaces. (GH #1336)
+
+* Fix a bug in the amalgamation generation which could cause build failures on
+  some systems including macOS. (GH #1264 #1265)
+
+* A particular code sequence in TLS handshake would always (with an ECC
+  ciphersuite) result in an exception being thrown and then caught.  This has
+  changed so no exception is thrown. (GH #1275)
+
+* The code for byteswapping has been improved for ARMv7 and for Windows x86-64
+  systems using MSVC. (GH #1274)
+
+* The GMAC class no longer derives from GHASH. This should not cause any
+  noticeable change for applications. (GH #1253)
+
+* The base implementation of AES now uses a single 4K table, instead of 4 such
+  tables. This offers a significant improvement against cache-based side
+  channels without hurting performance too much. In addition the table is now
+  guaranteed to be aligned on a cache line, which ensures the additional
+  countermeasure of reading each cache line works as expected. (GH #1255)
+
+* In TLS client resumption, avoid sending a OCSP stapling request. This caused
+  resumption failures with some servers. (GH #1276)
+
+* The overhead of making a call through the FFI layer has been reduced.
+
+* The IDs for SHA-3 PKCSv1.5 signatures added in 2.3.0 were incorrect. They have
+  been changed to use the correct encoding, and a test added to ensure such
+  errors do not recur.
+
+* Counter mode allows setting a configurable width of the counter. Previously it
+  was allowed for a counter of even 8 bits wide, which would mean the keystream
+  would repeat after just 256 blocks. Now it requires the width be at least 32
+  bits. The only way this feature could be used was by manually constructing a
+  ``CTR_BE`` object and setting the second parameter to something in the range
+  of 1 to 3.
+
+* A new mechanism for formatting ASN.1 data is included in ``asn1_print.h``.
+  This is the same functionality used by the command line ``asn1print`` util,
+  now cleaned up and moved to the library.
+
+* Add ``Pipe::append_filter``. This is like the existing (deprecated)
+  ``Pipe::append``, the difference being that ``append_filter`` only
+  allows modification before the first call to ``start_msg``. (GH #1306 #1307)
+
+* The size of ASN1_Tag is increased to 32 bits. This avoids a problem
+  with UbSan (GH #751)
+
+* Fix a bug affecting bzip2 compression. In certain circumstances, compression
+  would fail with ``BZ_SEQUENCE_ERROR`` due to calling bzlib in an way it does
+  not support. (GH #1308 #1309)
+
+* In 2.3.0, final annotations were added to many classes including the TLS
+  policies (like ``Strict_Policy`` and ``BSI_TR_02102_2``). However it is
+  reasonable and useful for an application to derive from one of these policies, so
+  as to create an application specific policy that is based on a library-provided
+  policy, but with a few tweaks. So the final annotations have been removed on
+  these classes. (GH #1292)
+
+* A new option ``--with-pdf`` enables building a PDF copy of the handbook.
+  (GH #1337)
+
+* A new option ``--with-rst2man`` enables building a man page for the
+  command line util using Docutils rst2man. (GH #1349)
+
+* Support for NEON is now enabled under Clang.
+
+* Now the compiler version is detected using the preprocessor, instead of trying
+  to parse the output of the compiler's version string, which was subject to
+  problems with localization. (GH #1358)
+
+* By default the gzip compressor will not include a timestamp in the header.
+  The timestamp can be set by passing it to the ``Gzip_Compression``
+  constructor.
+
+* Resolve a performance regression on Windows involving the system stats
+  entropy source. (GH #1369)
+
+* Add an OID for RIPEMD-160
+
+* Fixes for CMake build (GH #1251)
+
+* Avoid some signed overflow warnings (GH #1220 #1245)
+
+* As upstream support for Native Client has been deprecated by Google, support
+  is now also deprecated in Botan and will be removed in a future release.
+
+* The Perl-XS wrapper has not been maintained in many years. It is now deprecated,
+  and if no attempts are made to revive it, it will be removed in a future release.
+
+* Support for building on IRIX has been removed.
+
+Version 2.3.0, 2017-10-02
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Address a side channel affecting modular exponentiation. An attacker
+  capable of a local or cross-VM cache analysis attack may be able
+  to recover bits of secret exponents as used in RSA, DH, etc.
+  CVE-2017-14737
+
+* Add the SHACAL2 block cipher, including optimizations using SIMD and SHA-NI
+  instructions. (GH #1151)
+
+* Add the ARIA block cipher (GH #1004 and #1157)
+
+* Add support for the ARMv8 AES instructions (GH #1182 and #1146)
+
+* Add support for the ARMv8 PMULL instruction (GH #1181 and #842)
+
+* On macOS and iOS the ``System_RNG`` class is now implemented using ``arc4random``.
+  Previously the system RNG class was not available on iOS. (GH #1219)
+
+* Optimized the CMAC polynomial doubling operation, and removed a small timing
+  channel due to a conditional operation.
+
+* Added support for the ECDHE_PSK AEAD TLS ciphersuites from
+  draft-ietf-tls-ecdhe-psk-aead-05.
+
+* SM2 encryption and signature schemes were previously hardcoded to use SM3
+  hash, now any hash is allowed. (GH #1188)
+
+* SM2 encryption in 2.2.0 followed an obsolete version of the standard. The
+  format of the ciphertext changed in a more recent revision of the standard,
+  and now uses an ASN.1 encoding. Botan has changed to reflect this format,
+  which is compatible with GmSSL (GH #1218)
+
+* OCB mode now supports 192, 256 and 512 bit block ciphers. (GH #1205)
+
+* XTS mode now supports 256-bit and 512-bit block ciphers.
+
+* Add ids to allow SHA-3 signatures with PKCSv1.5 (GH #1184)
+
+* Add support for ``PSSR_Raw`` signatures which PSS sign an externally derived
+  hash. (GH #1212 #1211)
+
+* GCM now supports truncated tags in the range 96...128 bits. GCM had
+  previously supported 64-bit truncated tags, but these are known to
+  be insecure and are now deprecated. (GH #1210 #1207)
+
+* Add a new TLS policy hook ``allow_client_initiated_renegotiation`` which is the
+  parallel of the existing ``allow_server_initiated_renegotiation``. If set to
+  false, servers will reject attempts by the client to renegotiation the
+  session, instead sending a ``no_renegotiation`` warning alert. Note that the
+  default is ``false``, ie that client renegotiation is now prohibited by default.
+  (GH #872)
+
+* Add HKDF-Expand-Label function which is used in TLS v1.3 and QUIC protocols.
+  (GH #1226)
+
+* Fix decoding of ECC keys that use extensions from RFC 5915 (GH #1208)
+
+* The entropy source that called CryptGenRandom has been removed, and
+  replaced by a version which invokes the system PRNG, which may
+  be CryptGenRandom or some other source. (GH #1180)
+
+* Add support for gathering entropy using the Crypt-NG BCryptGenRandom
+  API. This is necessary to build for Windows Phone/Windows Store. (GH #1180)
+
+* Extend "Raw" signature padding (which allows signing a hash computed
+  externally) to optionally take a hash function name. In this case, it will be
+  verified that the input matches the expected hash size.  This also will
+  control the hash algorithm used for RFC 6979 deterministic nonces; previously
+  SHA-512 was always used for RFC 6979 nonces with "Raw". (GH #1153)
+
+* The advertised FFI API version has increased. This should have happened
+  already in 2.2 but was neglected. The ``botan_ffi_supports_api`` call will
+  return true for either the current or older versions of the API version since
+  no backwards incompatible changes have occurred.
+
+* Add new C89 API functions ``botan_hex_decode``, ``botan_base64_encode``,
+  ``botan_base64_decode``, ``botan_constant_time_compare``.
+
+* Add new C89 API functions ``botan_privkey_load_dh``, ``botan_pubkey_load_dh``,
+  and ``botan_privkey_create_dh`` (GH #1155)
+
+* Add ``is_passhash9_alg_supported`` (GH #1154)
+
+* The ``power_mod`` function now supports negative bases (GH #1179 #1168)
+
+* Add a new command line utility for examining TLS client hellos.
+
+* Added a new target for LLVM bitcode (GH #1169)
+
+* Improve support for Windows Phone (GH #1180 #796 #794)
+
+* Correct return value of ``botan_pk_op_verify_finish``. In 2.2.0 this function
+  returned -1 on invalid signature, instead of 1 which was used in 2.0, 2.1, and
+  now again in 2.3. (GH #1189 #1187)
+
+* Allow loading unencrypted private keys via FFI API (GH #1197)
+
+* Add new command line options ``--rng-type=drbg`` and ``--drbg-seed`` which
+  allow running commands with a deterministic RNG. (GH #1169)
+
+* Fix a number of warnings seen under Visual C++ (GH #1171 #795)
+
+* Workaround a GCC 7 bug that caused miscompilation of the GOST-34.11 hash
+  function on x86-32. (GH #882 #1148)
+
+* Fix a bug in SIMD_4x32 which affected little-endian PowerPC processors.
+  This would cause test failures for Serpent, among other problems.
+
+* Fix Altivec runtime detection, which was broken starting in Botan 2.1.0
+
+* Optimized the verification of TLS CBC padding bytes. Previously the check
+  examined every byte of the record, even though at most 256 bytes of padding
+  may be appended. (GH #1227)
+
+* Simplified definition of ``Botan::secure_allocator``. In particular, not
+  defining the ``construct`` and ``destroy`` methods avoids a performance problem
+  under MSVC. (GH #1228 and #1229)
+
+* The ``secure_allocator`` class now uses ``calloc`` and ``free`` instead of
+  ``new`` and ``delete``. In addition the actual allocation operation is hidden
+  inside of compiled functions, which significantly reduces code size. (GH #1231)
+
+* The ``secure_scrub_memory`` function now uses ``explicit_bzero`` on OpenBSD.
+
+* Previously ARM feature detection (NEON, AES, ...) relied on getauxval, which
+  is only supported on Linux and Android. Now iOS is supported, by checking the
+  model name/version and matching it against known versions. Unfortunately this
+  is the best available technique on iOS. On Aarch64 systems that are not iOS or
+  Linux/Android, a technique based on trial execution while catching SIGILL is
+  used. (GH #1213)
+
+* The output of ``botan config libs`` was incorrect, it produced ``-lbotan-2.X``
+  where X is the minor version, instead of the actual lib name ``-lbotan-2``.
+
+* Add ``constant_time_compare`` as better named equivalent of ``same_mem``.
+
+* Silence a Clang warning in ``create_private_key`` (GH #1150)
+
+* The fuzzers have been better integrated with the main build. See the
+  handbook for details. (GH #1158)
+
+* The Travis CI and AppVeyor CI builds are now run via a Python script. This
+  makes it easier to replicate the behavior of the CI build locally. Also a
+  number of changes were made to improve the turnaround time of CI builds.
+  (GH #1162 #1199)
+
+* Add support for Win32 filesystem operation, so the tests pass completely
+  on MinGW now (GH #1203)
+
+* Added a script to automate running TLS-Attacker tests.
+
+* The distribution script now creates reproducible outputs, by
+  forcing all modification times, uids, etc to values fixed by the release date.
+  (GH #1217)
+
+* The ``BOTAN_DLL`` macro has been split up into ``BOTAN_PUBLIC_API``,
+  ``BOTAN_UNSTABLE_API`` and ``BOTAN_TEST_API`` which allows
+  indicating in the header the API stability of the export. All three
+  are defined as ``BOTAN_DLL`` so overriding just that macro continues
+  to work as before. (GH #1216)
+
+* Optimize ``bigint_divop`` when a double-word type is available. (GH #494)
+
+* Fix several memory leaks in the tests. Additionally a false positive
+  leak seen under ``valgrind`` in the ``fork`` tests for the RNG was resolved.
+
+* Export ``CurveGFp_Repr`` type (only used internally) to resolve a
+  long standing UBSan warning. (GH #453)
+
+* Now ``-fstack-protector`` and similar flags that affect linking are exported
+  in ``botan config ldflags`` as they already were in the ``pkg-config`` output.
+  (GH #863)
+
+* Remove double underscore in header guards to avoid using names
+  reserved by ISO C++. (GH #512)
+
+* Additions to the SRP documentation (GH #1029)
+
+* The package transform (in ``package.h``) is now deprecated, and will be
+  removed in a future release. (GH #1215)
+
+* Add more tests for the const-time utils (GH #1214)
+
+* Fix a bug in FFI tests that caused the test files not to be found when using
+  ``--data-dir`` option (GH #1149)
+
+* C++ ``final`` annotations have been added to classes which are not
+  intended for derivation. This keyword was already in use but was not
+  applied consistently.
+
+* A typedef ``SecureVector`` has been added for the ``secure_vector`` type.
+  This makes porting code from 1.10 to 2.x API slightly simpler.
+
+* Header files have been cleaned up to remove unnecessary inclusions. In some
+  cases it may be required to include additional botan headers to get all the
+  declarations that were previously visible. For example, ``bigint.h`` no longer
+  includes ``rng.h``, but just forward declares ``RandomNumberGenerator``.
+
+* Improved support for IBM xlc compiler.
+
+Version 2.2.0, 2017-08-07
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add the Ed25519 signature scheme (GH #1066)
+
+* The format of x25519 keys, which previously used a non-standard encoding,
+  has changed to match the upcoming IETF specification. (GH #1076)
+
+* Add the SM2 signature scheme (GH #1082)
+
+* Add the SM2 public key encryption scheme (GH #1142)
+
+* Add the SM3 hash function (GH #996)
+
+* Add the Streebog (GOST R 34.11-2012) hash function (GH #1114)
+
+* Add the SM4 block cipher (GH #1080)
+
+* Add the PGP S2K algorithm (GH #1060)
+
+* Add SP 800-56A KDF (GH #1040)
+
+* Add ChaCha_RNG which is a very fast and completely non-standard
+  random bit generator (GH #1137)
+
+* Add support for SHA-1 and SHA-2 instructions added in Intel Goldmont
+  (GH #826)
+
+* Add support for SHA-1 and SHA-2 instructions added in ARMv8 (GH #844)
+
+* Add support for HOTP (RFC 4226) and TOTP (RFC 6238)
+  one-time-password algorithms (GH #1054)
+
+* Fix a bug that caused secure_allocator to not fully zeroize blocks
+  when sizeof(T) was greater than 1.
+
+* Add HashFunction::copy_state which allows efficiently computing the
+  hash of several messages with a common prefix (GH #1056 #1037)
+
+* ECC keys now encode their parameters using an OID instead of a literal
+  encoding of the domain parameters. This will lead to smaller public and
+  private keys in most instances. (GH #1093)
+
+* The OpenSSL backend now supports the 1.1.0 API (GH #1056)
+
+* Add a preliminary provider using BearSSL, currently EC and hashes supported
+  (GH #1094)
+
+* Fix a bug in certificate path length checking that could cause valid
+  chains to be rejected. (GH #1053)
+
+* It is possible for CBC, CFB, and stream ciphers to carry over the
+  nonce from the previous message, which is needed by some applications.
+  This worked in 1.10 but broke in 2.0. (GH #1044 fixing GH #864)
+
+* Avoid recursion in BER_Decoder::get_next_object which could cause
+  stack exhaustion. (GH #989)
+
+* Fix missing flush in DataSink_Stream::end_msg. (GH #972 fixing GH #972)
+
+* Allow to seek in the big endian counter mode of operation (GH #999)
+
+* Support loading ElGamal keys through FFI interface (GH #1008)
+
+* Support Windows sockets in ``http_util`` (allowing OCSP checks on Windows),
+  as well as in the TLS command line utils (GH #1138).
+
+* The ``--destdir`` flag to ``configure.py`` has been removed. Instead use
+  the ``DESTDIR`` environment variable at install time. This change was
+  done to more closely match how autoconf handles this case.
+  (GH #1139 #1111 #997 #996).
+
+* Many changes to configure.py and botan2.py to make them pylint clean
+  (GH #1041 #1002 #984)
+
+* Add command line utils ``hmac`` (GH #1001), ``encryption`` (GH #359),
+  ``hex_enc``, and ``hex_dec``.
+
+* Fix an error in ``sign_cert`` command line util, which ignored the
+  ``--ca-key-pass`` option. (GH #1106)
+
+* The ``speed`` util can now benchmark multiple buffer sizes (GH #1084)
+
+* Fix return value of FFI botan_bcrypt_is_valid (GH #1033)
+
+* Support generating RSA keys using OpenSSL (GH #1035)
+
+* Add new FFI functions botan_hash_block_size (GH #1036),
+  botan_hash_copy_state (GH #1059), botan_scrub_mem
+
+* Add support for RFC 3394 keywrap through FFI (GH #1135)
+
+* Support AES-CBC ciphers via OpenSSL (GH #1022)
+
+* Add function to return certificates included in OCSP response (GH #1123)
+
+* Complete wildcard handling for X.509 certificates (GH #1017)
+
+* Add some missing functions to TLS::Text_Policy (GH #1023)
+
+* It was previously possible to use ``--single-amalgamation-file``
+  without ``--amalgamation``, though it did not do anything useful. Now
+  ``--single-amalgamation-file`` requires ``--amalgamation`` also be set
+  on the command line.
+
+Version 2.1.0, 2017-04-04
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix incorrect truncation in Bcrypt. Passwords in length between 56 and 72
+  characters were truncated at 56 characters. Found and reported by Solar Designer.
+  (CVE-2017-7252) (GH #938)
+
+* Fix a bug in X509 DN string comparisons that could result in out of bound
+  reads. This could result in information leakage, denial of service, or
+  potentially incorrect certificate validation results. Found independently
+  by Cisco Talos team and OSS-Fuzz. (CVE-2017-2801)
+
+* Correct minimum work factor for Bcrypt password hashes. All other
+  implementations require the work factor be at least 4. Previously Botan simply
+  required it be greater than zero. (GH #938)
+
+* Converge on a single side channel silent EC blinded multiply algorithm.
+  Uses Montgomery ladder with order/2 bits scalar blinding and point randomization
+  now by default. (GH #893)
+
+* Add ability to search for certificates using the SHA-256 of the distinguished name.
+  (GH #900)
+
+* Support a 0-length IV in ChaCha stream cipher. Such an IV is treated
+  identically to an 8-byte IV of all zeros.
+
+* Add new interfaces to the C API including multiple precision integers, key
+  validity tests, block ciphers, and extracting algorithm specific key parameters
+  (such as the modulus and public exponent from RSA public keys). GH #899 #944
+  #946 #961 #964
+
+* The PKCS11 module did not require any external dependencies, so it
+  has been enabled by default. The ``--with-pkcs11`` and ``--without-pkcs11``
+  flags to ``configure.py`` have been removed. PKCS11 can still be disabled
+  using ``--disable-modules=pkcs11`` (GH #837)
+
+* Add ``OS::run_cpu_instruction_probe`` for runtime probing of ISA extensions.
+  Supporting this requires system-specific techniques, currently Windows SEH and
+  Unix signal handling are supported.
+
+* Add support for ARM NEON in the SIMD_4x32 type
+
+* Add support for ARM CPU feature detection using getauxval (GH #843)
+
+* Previously Botan forbid any use of times past 2037 to avoid Y2038 issues.
+  Now this restriction is only in place on systems which have a 32-bit
+  ``time_t``. (GH #933 fixing #917)
+
+* Add generic type decoder function to BER decoder (GH #897)
+
+* Fix portability or build problems affecting Sun Studio compiler (GH #846),
+  Solaris, ppc64le, DragonflyBSD (GH #887)
+
+* Add ``--with-external-libdir`` to configure.py (GH #857 fixing #19 #767)
+
+* Add ``OS::get_high_resolution_clock`` which returns the best resolution
+  clock available on the system.
+
+* Change ``OS::get_processor_timestamp`` to return 0 if no hardware
+  cycle counter is available. Previously it silently fell back on some
+  other clock type.
+
+* Report cycles/byte in the output of ``botan speed``.
+
+* Add speed tests for modular exponentiations and ECC scalar multiplies.
+
+* Avoid using IP address for SNI in ``tls_client``. (GH #942)
+
+* Add command line util ``timing_test`` which enables running
+  timing-based side channel analysis of TLS CBC decryption, ECC scalar
+  multiplies, OAEP decoding, and other operations which are prone to
+  providing an oracle via side channel. This replaces the standalone
+  timing test suite added in 1.11.34, which has been removed.
+
+* Various cleanups and refactorings (GH #965)
+
+* Add wrapper of C++14 make_unique (GH #974)
+
+* Fix pkg-config output when --build-dir was used (GH #936)
+
+* Make it possible to disable `-fstack-protector` using a build-time flag.
+  GH #863
+
+* Add tests for TLS DSA ciphersuites, more Noekeon tests, others.
+
+* Avoid a GCC warning that triggered on the public key types (GH #849)
+
+* Fix various warnings flagged by pylint and pyflakes linters in
+  configure.py and botan.py (GH #832 #836 #839 #962 #975)
+
+* Improve support for OpenBSD including using getentropy (GH #954)
+  for PRNG seeding, and arc4random to access system RNG (GH #953)
+
+* Add ability to build through CMake. As of now this is only supported
+  for development rather than production builds. (GH #967)
+
+* Rename python wrapper to botan2.py (GH #847)
+
+* Change name constraint test to use a fixed reference time. Test certs have expired.
+
+* Increase Miller-Rabin iterations for DSA primes to match FIPS 186-4. (GH #881)
+
+* Fix possible ISO 9796-2 padding side channel, and add a missing length check (GH #891)
+
+* In command line utility, prefer the system RNG if it is available.
+
+Version 2.0.1, 2017-01-09
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Change an unintended behavior of 2.0.0, which named the include
+  directory ``botan-2.0``. Since future release of Botan-2 should be
+  compatible with code written against old versions, there does not
+  seem to be any reason to version the include directory with the
+  minor number. (GH #830 #833)
+
+* Fix a bug which caused an error when building on Cygwin or
+  other platforms where shared libraries are not supported.
+  (GH #821)
+
+* Enable use of readdir on Cygwin, which allows the tests to run (GH #824)
+
+* Switch to readthedocs Sphinx theme by default (GH #822 #823)
+
+Version 2.0.0, 2017-01-06
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* With this release the project adopts Semantic Versioning (GH #766)
+
+* Fix a longstanding bug in modular exponentiation which caused most
+  exponentiations modulo an even number to have an incorrect result; such moduli
+  occur only rarely in cryptographic contexts. (GH #754)
+
+* Fix a bug in BigInt multiply operation, introduced in 1.11.30, which could
+  cause incorrect results. Found by OSS-Fuzz fuzzing the ressol function, where
+  the bug manifested as an incorrect modular exponentiation. OSS-Fuzz bug #287
+
+* Fix a bug that meant the "ietf/modp/6144" and "ietf/modp/8192" discrete log
+  groups used an incorrect value for the generator, specifically the value
+  (p-1)/2 was used instead of the correct value of 2.
+
+* The DL_Group enum value X942_DH_PARAMETERS has been renamed
+  ANSI_X9_42_DH_PARAMETERS to avoid a conflict with Windows headers (GH #482)
+
+* Change default PEM header for X942 DH to match OpenSSL. Either version is
+  accepted on reading. (GH #818)
+
+* DL_Group strong generation previously set the generator to 2. However
+  sometimes 2 generates the entire group mod p, rather than the subgroup mod q.
+  This is invalid by X9.42 standard, and exposes incautious applications to
+  small subgroup attacks. Now DL_Group uses the smallest g which is a quadratic
+  residue. (GH #818)
+
+* Add iOS build target instead of piggybacking on OS X configuration. (GH #793)
+
+* Changes all Public_Key derived class ctors to take a std::vector instead of a
+  secure_vector for the DER encoded public key bits. (GH #768)
+
+* Allow use of custom extensions when creating X.509 certificates (GH #744)
+
+* The default TLS policy now requires 2048 or larger DH groups by default.
+
+* Add BSI_TR_02102_2 TLS::Policy subclass representing BSI TR-02102-2 recommendations.
+
+* The default Path_Validation_Restrictions constructor has changed to
+  require at least 110 bit signature strength. This means 1024 bit RSA
+  certificates and also SHA-1 certificates are rejected by default.
+  Both settings were already the default for certificate validation in
+  TLS handshake, but this changes it for applications also.
+
+* Add ISO 9796-2 signature padding schemes DS2 and DS3. These schemes provide
+  message recovery (part or all of the plaintext message can be recovered from
+  the signature alone) and are used by some industry protocols. (GH #759)
+
+* Rewrite all the code that handles parsing CBC padding bytes to run without
+  conditional jumps or loads. (GH #765 #728)
+
+* Fix deref of invalid memory location in TLS client when the server chooses a
+  ciphersuite value larger than the largest TLS ciphersuite ID compiled into the
+  table. This might conceivably cause a crash in rare circumstances, but does
+  not seem to be further exploitable. (GH #758)
+
+* Rename Public_Key::x509_subject_public_key, which does not return a
+  X.509 SubjectPublicKey, to public_key_bits. Add a new non-virtual function
+  Public_Key::subject_public_key which does exactly that. (GH #685 #757)
+
+* Rename Private_Key::pkcs8_private_key, which does not return a
+  PKCS#8 private key, to private_key_bits. Add a new non-virtual function
+  Private_Key::private_key_info which does exactly that. (GH #685 #757)
+
+* The deprecated ECB Cipher_Mode class has been removed (GH #756)
+
+* The class SRP6_Authenticator_File (in srp6_files.h) was meant to parse GnuTLS
+  SRP files. But it was completely untested, and it turns out due to several
+  problems it was completely unable to parse any SRP file correctly. It has
+  been removed, with a future replacement planned that can handle both
+  flat files (in the actual SRP format) or using a SQL database.
+
+* Fix tests errors when write access to /dev/urandom is prohibited (GH #748)
+
+* Add more Diffie-Hellman tests (GH #790), tests for RSA blinding, others.
+
+* Add `tls_ciphers` command which prints the ciphersuites a client
+  hello will contain, depending on the policy specified.
+
+* Prevent TLS from negotiating SHA-2 ciphersuites in TLS v1.0/v1.1. These
+  ciphersuites are technically not defined except for v1.2, so disable
+  them in older protocols. (GH #496)
+
+* Documentation: add project goals (GH #788) and side channel info (GH #787)
+
+Older Versions
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The release notes for versions 0.7.0 through 1.11.34 can be found in
+  ``doc/old_news.rst``