diff --git a/config/botan.env b/config/botan.env
index 61faa902..f71f6e3f 100644
--- a/config/botan.env
+++ b/config/botan.env
@@ -28,7 +28,7 @@ BOTAN_VERSION=3.5.0
# creation of source-code related document generation. Once a Botan release is
# minted, this may be the git-tag of that release. During development of an
# upcoming version it should be a concrete commit SHA on Botan's main branch.
-BOTAN_REF=540f716fc3ab65c9f7bee2a841f60619f8dc66b2
+BOTAN_REF=5649a10ec3399d28c8b84ae18fd65fce57bd7bca
# The Botan repository reference that is currently seen as the "trusted source
# revision". Typically this is the source reference that was audited by the
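Review bot: the new BOTAN_REF (5649a10ec3399d28c8b84ae18fd65fce57bd7bca) is the merge commit of PR #4085, the last entry recorded in ecc.yml, so the source reference and the audited patch range agree. The second reference, the "trusted source revision" whose comment is visible as context below, is left untouched by this change; since this patch adds the audit entries for the whole range, confirm that keeping the old trusted revision is intended (audit still in progress) rather than an omission.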
diff --git a/docs/audit_report/changes/topics/additions.yml b/docs/audit_report/changes/topics/additions.yml
new file mode 100644
index 00000000..71443559
--- /dev/null
+++ b/docs/audit_report/changes/topics/additions.yml
@@ -0,0 +1,39 @@
+title: Additions
+
+description: |
+ One notable addition is basic support for SSLKEYLOGFILE, which allows for
+ debugging of TLS connections by exporting the secrets used to encrypt and
+ decrypt traffic. See also `draft-ietf-tls-keylogfile `_.
+
+patches:
+# Introduce Public_Key::raw_public_key_bits() (@reneme)
+- pr: 3985 # https://github.com/randombit/botan/pull/3985
+ merge_commit: 2d52a434a97aff21e865bd7d4487800232d85827
+ classification: info
+
+# add callback to export secrets for SSLKEYLOGFILE (@volok-aleksej)
+- pr: 4043 # https://github.com/randombit/botan/pull/4043
+ merge_commit: 9a5a367c82b8daba4a59861d23517e3a537eeb65
+ classification: info
+
+# FIX: some code smells found by clang-tidy (@reneme)
+- pr: 4070 # https://github.com/randombit/botan/pull/4070
+ merge_commit: bccd67b986374ecb573c1c933b2cfa36a602166d
+ classification: info
+
+# Use sysctlbyname on iOS as well (@randombit)
+- pr: 4018 # https://github.com/randombit/botan/pull/4018
+ merge_commit: 19e9ada97714d9030941711976c2200948c5151d
+ classification: info
+
+# Add a os_utils helper for locatime->put_time (@randombit)
+- pr: 4011 # https://github.com/randombit/botan/pull/4011
+ merge_commit: 660dd6ed8945238dfae97ef5391217001a10204b
+ classification: info
+ auditer: reneme
+
+# Optimize XTS tweak computation (@randombit)
+- pr: 4057 # https://github.com/randombit/botan/pull/4057
+ merge_commit: 36bde7448b05dc555ef4bc0cb6adfbe697cb4870
+ classification: info
+ auditer: reneme
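Review bot: the reference in the description, `draft-ietf-tls-keylogfile `_, has no link target, so the rendered report will either fail to build or show a dead link; add the URL of the draft inside the reference. Two smaller points: PR #4043 adds a code path that exports TLS traffic secrets, yet it is classified "info" with no comment, while "relevant" entries elsewhere in this report carry a comment; consider "relevant" here, or at least a comment stating that the export only happens through the application-supplied callback. The title comment for PR #4011 reads "locatime->put_time"; if that is the verbatim upstream title it can stay, otherwise correct it to "localtime".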
diff --git a/docs/audit_report/changes/topics/build_system.yml b/docs/audit_report/changes/topics/build_system.yml
new file mode 100644
index 00000000..f860dc86
--- /dev/null
+++ b/docs/audit_report/changes/topics/build_system.yml
@@ -0,0 +1,27 @@
+title: Build System
+
+description: |
+ This section covers changes to the build system. Most notably, Botan now requires
+ at least XCode 15 to build on macOS.
+
+patches:
+# Add helper for defining binary option pairs (@randombit)
+- pr: 3997 # https://github.com/randombit/botan/pull/3997
+ merge_commit: d9edacb2655162dd3b59a5be6a0a5a51809fe0d3
+ classification: info
+
+# Distinguish between LLVM Clang and XCode Clang (@randombit)
+- pr: 4010 # https://github.com/randombit/botan/pull/4010
+ merge_commit: 3863af7ea0b7a74506979626abc876c4bd24122f
+ classification: info
+
+# Tweak XCode version detection, update CI to XCode 15.4 (@randombit)
+- pr: 4066 # https://github.com/randombit/botan/pull/4066
+ merge_commit: 8d0ab774b451e586da58111b6103e59134cc2bac
+ classification: info
+
+# Fix enabling stack protector (@Kentzo)
+- pr: 3996 # https://github.com/randombit/botan/pull/3996
+ merge_commit: 846a6aedc9bdfbf1cff043f1cd32c3c261407669
+ classification: info
+ auditer: reneme
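Review bot: PR #4066 ("Tweak XCode version detection, update CI to XCode 15.4", merge commit 8d0ab774b451e586da58111b6103e59134cc2bac) is listed both here and in continuous_integration.yml; unless the report tooling deduplicates, the patch will appear twice in the rendered report. Keep it in one topic (it fits here, since the version detection change is what affects builds) and mention it in a comment in the other. Also, PR #3996 "Fix enabling stack protector" has no comment; because the fix concerns a hardening flag that apparently was not being applied, one line on which build configurations were affected would help readers of the audit.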
diff --git a/docs/audit_report/changes/topics/code_chore.yml b/docs/audit_report/changes/topics/code_chore.yml
new file mode 100644
index 00000000..9a0b9dfc
--- /dev/null
+++ b/docs/audit_report/changes/topics/code_chore.yml
@@ -0,0 +1,100 @@
+title: Code Chores
+
+description: |
+ This section covers changes to the code that focus on general maintenance.
+ None of these changes should affect the functionality of the library. However,
+ note that a number of obsolete features have been deprecated in this release.
+
+patches:
+# Improve notification and documentation of deprecated features (@randombit)
+- pr: 4050 # https://github.com/randombit/botan/pull/4050
+ merge_commit: f7e4e9320a8d31e958f9c01c82ae884dec035e39
+ classification: info
+ comment: |
+ This deprecates a number of modules, namely:
+
+ * Symmetric ciphers
+
+ * GOST 28147
+ * Lion
+ * Noekeon
+ * SHAKE-based stream cipher
+
+ * Hash functions
+
+ * MD4
+ * Streebog
+
+ * Key derivation functions
+
+ * PRF X9.42
+
+ * Public key cryptography
+
+ * Dilithium in AES mode
+ * DLIES
+ * GOST 34.10
+ * Kyber in AES mode ("Kyber 90s")
+ * McEliece
+
+# [std::span] some pubkey things (@reneme)
+- pr: 3993 # https://github.com/randombit/botan/pull/3993
+ merge_commit: ad0aeedc33c74c81608adcbc751ad2c58503c007
+ classification: info
+
+# Remove some obsolete and/or rarely used STL utilities (@randombit)
+- pr: 3988 # https://github.com/randombit/botan/pull/3988
+ merge_commit: fea4cb983ff2e6acab6d9915b1f852a2662578a6
+ classification: info
+
+# Fix inclusion of bswap.h (@randombit)
+- pr: 4000 # https://github.com/randombit/botan/pull/4000
+ merge_commit: 4cfd407534a109767c15a0cf705689eb44379f5a
+ classification: info
+
+# Cleanup of rounding functionality (@randombit)
+- pr: 3998 # https://github.com/randombit/botan/pull/3998
+ merge_commit: 7987b8e006c52e671fb6dd0a08a10c65f2d25400
+ classification: info
+
+# Refactor: concat() is constexpr and can deal with std::array<> (@reneme)
+- pr: 3994 # https://github.com/randombit/botan/pull/3994
+ merge_commit: 06997284554155c8a051d05e68eebd28c84dfeb9
+ classification: info
+
+# Move checked integer arithmetic to int_utils.h (@randombit)
+- pr: 3999 # https://github.com/randombit/botan/pull/3999
+ merge_commit: 8d02e96ada344cb289dd060d76cc0c03240d2255
+ classification: info
+
+# Compute the Kuznyechik tables instead of hardcoding them (@randombit)
+- pr: 4017 # https://github.com/randombit/botan/pull/4017
+ merge_commit: 11b88e5899ca0a30036f35c57fa94b83d4de10cd
+ classification: out of scope
+
+# Rename Curve25519 to X25519 (@randombit)
+- pr: 4012 # https://github.com/randombit/botan/pull/4012
+ merge_commit: d1ba2fd6e25e0884ca6fd12281db498386560b42
+ classification: info
+
+# Use copy_mem in Sphincs+ (@FAlbertDev)
+- pr: 4028 # https://github.com/randombit/botan/pull/4028
+ merge_commit: e50f4f61b08115c4616136ec87df718b75284721
+ classification: info
+
+# Teach clang-format about our DEPRECATED macros (@randombit)
+- pr: 4055 # https://github.com/randombit/botan/pull/4055
+ merge_commit: 6bc081fb0d652c9c8fa5ec054c61745436be2f48
+ classification: info
+ auditer: reneme
+
+# Avoid various GCC 14 false positive issues (@randombit)
+- pr: 4046 # https://github.com/randombit/botan/pull/4046
+ merge_commit: 9ed7adbb599679c437f9bd8d7d4acf91471f78ef
+ classification: info
+ auditer: reneme
+
+# Small cleanup to the freestanding argon2 function (@randombit)
+- pr: 4006 # https://github.com/randombit/botan/pull/4006
+ merge_commit: c479ebbc9eefdaa722cb36761703e0c234e35d8d
+ classification: info
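Review bot: the description says none of the listed changes should affect functionality, but PR #4017 ("Compute the Kuznyechik tables instead of hardcoding them") changes how a cipher's tables are produced and is classified "out of scope" without a comment; add a comment giving the reason for that classification (for example, that the cipher is outside the audited module set) so the entry does not read as contradicting the description. Likewise PR #4012 renames Curve25519 to X25519, which touches public identifiers; a comment on whether the old names remain available is worth having under a heading that promises no functional change.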
diff --git a/docs/audit_report/changes/topics/continuous_integration.yml b/docs/audit_report/changes/topics/continuous_integration.yml
new file mode 100644
index 00000000..bc206eee
--- /dev/null
+++ b/docs/audit_report/changes/topics/continuous_integration.yml
@@ -0,0 +1,43 @@
+title: Continuous Integration
+
+description: |
+ This section covers changes to the continuous integration system.
+ The functionality of the library should not be affected by these changes.
+
+patches:
+# Update roughtime.cloudflare.com public key and port (@lukevalenta)
+- pr: 4002 # https://github.com/randombit/botan/pull/4002
+ merge_commit: 3801b0af5d4414cc4bded25b8d7a09b3d4a0854e
+ classification: info
+ auditer: reneme
+
+# Upgrade XCode in CI to 15.2 on MacOS 13 and 15.3 on MacOS 14 (@randombit)
+- pr: 4005 # https://github.com/randombit/botan/pull/4005
+ merge_commit: c428cbc070c0527fed6af196f19080b35a1470e2
+ classification: info
+
+# Tweak XCode version detection, update CI to XCode 15.4 (@randombit)
+- pr: 4066 # https://github.com/randombit/botan/pull/4066
+ merge_commit: 8d0ab774b451e586da58111b6103e59134cc2bac
+ classification: info
+
+# FIX: dynamically pull test.openquantumsafe.org root CA (@reneme)
+- pr: 4071 # https://github.com/randombit/botan/pull/4071
+ merge_commit: 8af866b4a30f671e3b62fe986cf973ec23ba1edc
+ classification: info
+
+# FIX: clang-tidy error in nightly build (@reneme)
+- pr: 4075 # https://github.com/randombit/botan/pull/4075
+ merge_commit: 00e234d884a31e37b291df531fc12f5f1313da2f
+ classification: info
+ comment: Also fixes a minor clang-tidy warning introduced in GH #4043.
+
+# Skip the Frodo KAT tests under valgrind and arm32-qemu (@randombit)
+- pr: 4081 # https://github.com/randombit/botan/pull/4081
+ merge_commit: 35c8bd170f246767ce29a830b20b99cf7eb03ce6
+ classification: info
+
+# Chore: Update BoGo test suite (@reneme)
+- pr: 4078 # https://github.com/randombit/botan/pull/4078
+ merge_commit: 100a065bda4219d0cea220859681e65a2714019b
+ classification: info
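Review bot: PR #4066 (merge commit 8d0ab774b451e586da58111b6103e59134cc2bac) is also listed in build_system.yml; list it under one topic only and reference it from the other, otherwise it is counted twice in the report. The comment on PR #4075 refers to "GH #4043", which is the SSLKEYLOGFILE callback PR recorded in additions.yml; writing "PR #4043 (SSLKEYLOGFILE)" saves readers a lookup.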
diff --git a/docs/audit_report/changes/topics/crystals.yml b/docs/audit_report/changes/topics/crystals.yml
new file mode 100644
index 00000000..f37f0d58
--- /dev/null
+++ b/docs/audit_report/changes/topics/crystals.yml
@@ -0,0 +1,10 @@
+title: Refactoring of CRYSTALS (Kyber and Dilithium)
+
+patches:
+# Refactor: Kyber internals (@reneme)
+- pr: 3887 # https://github.com/randombit/botan/pull/3887
+ merge_commit: b1a6d251bb361494bd6299d0601680b22a136183
+ classification: relevant
+ comment: |
+ This PR refactors the internals of the Kyber implementation.
+ The changes are internal and neither affect the public API nor the functionality.
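Review bot: the title names both Kyber and Dilithium, but the only patch listed is the Kyber refactoring (#3887); either narrow the title to Kyber or add the Dilithium entry if one is pending for this range. The comment states the refactoring affects neither the API nor functionality, yet the entry is classified "relevant" while similar internal cleanups in code_chore.yml are "info"; a sentence on why this one warranted close review (it rewrites the internals of a KEM implementation) would make the classification self-explaining.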
diff --git a/docs/audit_report/changes/topics/documentation.yml b/docs/audit_report/changes/topics/documentation.yml
new file mode 100644
index 00000000..b39fb2e3
--- /dev/null
+++ b/docs/audit_report/changes/topics/documentation.yml
@@ -0,0 +1,56 @@
+title: Documentation
+
+description: |
+ This section covers changes to the documentation and release notes. These
+ changes should not affect the functionality of the library.
+
+patches:
+# Update license year [ci skip] (Jack Lloyd)
+- commit: 0baf3cb7ff7cad2a8daaf3f74882003c2db88115 # https://github.com/randombit/botan/commit/0baf3cb7ff7cad2a8daaf3f74882003c2db88115
+ classification: info
+ auditer: reneme
+
+# Clarify SemVer guarantees (@randombit)
+- pr: 4015 # https://github.com/randombit/botan/pull/4015
+ merge_commit: ce348dba379aafa4783cecec05b0560607ddaa94
+ classification: info
+
+# Bump version and add initial news items for 3.5.0 [ci skip] (Jack Lloyd)
+- commit: 5e6f52cf3767d156dd8f323a8f74c29c6e166fb4 # https://github.com/randombit/botan/commit/5e6f52cf3767d156dd8f323a8f74c29c6e166fb4
+ classification: info
+ auditer: reneme
+
+# Minor update on roadmap and support lifetimes [ci skip] (Jack Lloyd)
+- commit: 9c05fbecf4250cdfe442378e958250fa0b1922d4 # https://github.com/randombit/botan/commit/9c05fbecf4250cdfe442378e958250fa0b1922d4
+ classification: info
+ auditer: reneme
+
+# Update info about OCSP responder vulnerability [ci skip] (Jack Lloyd)
+- commit: efc4d24ec614814b2666c6bf28a123fcaefff4cf # https://github.com/randombit/botan/commit/efc4d24ec614814b2666c6bf28a123fcaefff4cf
+ classification: info
+ auditer: reneme
+
+# Update news with recent changes [ci skip] (Jack Lloyd)
+- commit: dd24ef254b1a97da0ab6cdc4d3193f50fe992843 # https://github.com/randombit/botan/commit/dd24ef254b1a97da0ab6cdc4d3193f50fe992843
+ classification: info
+ auditer: reneme
+
+# Update note regarding minimum XCode version [ci skip] (Jack Lloyd)
+- commit: a265013b9e3e52e69a14cef4808bb74dfe6c0229 # https://github.com/randombit/botan/commit/a265013b9e3e52e69a14cef4808bb74dfe6c0229
+ classification: info
+ auditer: reneme
+
+# Update news [ci skip] (Jack Lloyd)
+- commit: d6b946da3160b07235fbd1a2044149daacb3b9e7 # https://github.com/randombit/botan/commit/d6b946da3160b07235fbd1a2044149daacb3b9e7
+ classification: info
+ auditer: reneme
+
+# Update todo list [ci skip] (Jack Lloyd)
+- commit: 36048811197c519cc66bbb245acf3b829dfe3107 # https://github.com/randombit/botan/commit/36048811197c519cc66bbb245acf3b829dfe3107
+ classification: info
+ auditer: reneme
+
+# Officially SemVer exclude functions starting with underscore [ci skip] (Jack Lloyd)
+- commit: ddfd07547244e315c762442ac771d64830927ee7 # https://github.com/randombit/botan/commit/ddfd07547244e315c762442ac771d64830927ee7
+ classification: info
+ auditer: reneme
diff --git a/docs/audit_report/changes/topics/ecc.yml b/docs/audit_report/changes/topics/ecc.yml
new file mode 100644
index 00000000..4fd640f1
--- /dev/null
+++ b/docs/audit_report/changes/topics/ecc.yml
@@ -0,0 +1,69 @@
+title: New implementation of Elliptic Curve Cryptography
+
+patches:
+# Add word3 type and take advantage of Clang's _BitInt extension (@randombit)
+- pr: 3989 # https://github.com/randombit/botan/pull/3989
+ merge_commit: 0d32f989991bbc4fd057968c52a253e1dc3566a2
+ classification: relevant
+ comment: |
+ Introduces a helper for a 3-word wide accumulator that is useful for
+ comba multiplication and big number montgomery reduction.
+
+# Remove all 32-bit x86 inline asm related to multiprecision math (@randombit)
+- pr: 3987 # https://github.com/randombit/botan/pull/3987
+ merge_commit: 1a814747a4637aadf0af45880ec98b80792339e1
+ classification: info
+
+# Add constexpr shift_right mp helper (@randombit)
+- pr: 4008 # https://github.com/randombit/botan/pull/4008
+ merge_commit: 7113fb440f176f985790f10fae3745b91a94c95d
+ classification: info
+
+# Redirect from the template Comba to the unrolled Combas where possible (@randombit)
+- pr: 4007 # https://github.com/randombit/botan/pull/4007
+ merge_commit: d184e7842fe7db26f8ab8368e92526574c8343fe
+ classification: info
+
+# Change ECC base multiply tests to consume fixed sized inputs (@randombit)
+- pr: 4016 # https://github.com/randombit/botan/pull/4016
+ merge_commit: 550f8e9ed40c388769d4a298dc23c96888638fc2
+ classification: info
+
+# Take advange of CT::Mask::select_n (@randombit)
+- pr: 3990 # https://github.com/randombit/botan/pull/3990
+ merge_commit: 8970266d1071a448f62b379d1ce65ac33539e78d
+ classification: info
+
+# Replace bogus custom curve in TLS example (@randombit)
+- pr: 4039 # https://github.com/randombit/botan/pull/4039
+ merge_commit: 7eb9dbbf56fc0fc8875be39e5cbae52766667555
+ classification: relevant
+ comment: |
+ Introduces a rough check for the Hasse bound to the curve verification.
+ The replaced bogus curve was just in some example code and not used in the library.
+
+# Account for the cofactor when checking Hasse bound (Jack Lloyd)
+- commit: 2b8cf53ae0e835c3223461ce68af2ff9a656d5f2 # https://github.com/randombit/botan/commit/2b8cf53ae0e835c3223461ce68af2ff9a656d5f2
+ classification: relevant
+ auditer: reneme
+ comment: |
+ Follow-up fix for GH #4039.
+
+# Some EC_Group usage cleanups (@randombit)
+- pr: 4038 # https://github.com/randombit/botan/pull/4038
+ merge_commit: 9bca3f772b4f834afe443235897635ba91f30989
+ classification: info
+
+# Clean out the BigInt interface (@randombit)
+- pr: 4056 # https://github.com/randombit/botan/pull/4056
+ merge_commit: e101afd63b121c43742d8340148f0c4c2c9f6ea9
+ classification: relevant
+ comment: |
+ Internal cleanups of Botan's big number implementation.
+
+# Follow-up: Use load_be more efficiently (@reneme)
+- pr: 4085 # https://github.com/randombit/botan/pull/4085
+ merge_commit: 5649a10ec3399d28c8b84ae18fd65fce57bd7bca
+ classification: info
+ comment: |
+ This is a follow-up to PR #4056.
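Review bot: this topic has no `description:` block, unlike the other topic files, and the title "New implementation of Elliptic Curve Cryptography" is broader than the entries, which are multiprecision and BigInt cleanups plus the Hasse-bound check; add a short description of what the new implementation work consists of in this range. For PR #4039 (classified "relevant") the comment says a rough Hasse-bound check was added to curve verification; state what happens when a custom curve fails the check (is the EC_Group rejected, or is it only reported?), since that is the behaviour an application author needs to know, and say in the same comment that commit 2b8cf53ae0e835c3223461ce68af2ff9a656d5f2 corrects the check to account for the cofactor, so the two entries read as one change.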
diff --git a/docs/audit_report/changes/topics/fixes.yml b/docs/audit_report/changes/topics/fixes.yml
new file mode 100644
index 00000000..c21c49ab
--- /dev/null
+++ b/docs/audit_report/changes/topics/fixes.yml
@@ -0,0 +1,48 @@
+title: Fixes
+
+description: |
+ This section lists fixes on various topics.
+ Note that there's a dedicated section for :ref:`fixes related to X.509 `.
+
+patches:
+# Fix test_cli_crypt.py with --threads=1 [ci skip] (Jack Lloyd)
+- commit: 187e3d8dc62e3d935cb480f8a6140abb9b3aaa7b # https://github.com/randombit/botan/commit/187e3d8dc62e3d935cb480f8a6140abb9b3aaa7b
+ classification: info
+ auditer: FAlbertDev
+
+# Fix curve448 compiler warning (@FAlbertDev)
+- pr: 4025 # https://github.com/randombit/botan/pull/4025
+ merge_commit: bf86f1a9f99aa1fc62f9884d0bda8193fb1d57b7
+ classification: info
+
+# Correct an error in RFC 6979 ECDSA (@randombit)
+- pr: 4040 # https://github.com/randombit/botan/pull/4040
+ merge_commit: adda2dd9f7799d2c64a5541c3733e47213b57bd1
+ classification: relevant
+ auditer: FAlbertDev
+ comment: |
+ Fixes a bug where the ECDSA message hash was not reduced modulo the EC group order
+ before being used in the signature computation. Due to the math involved, this
+ does not produce wrong results, but RFC 6979 asks for it. Also, this fix now
+ disallows ECDSA private keys that were not reduced beforehand. The tests were
+ adjusted accordingly.
+
+
+# fixed retransmission handled ClientHello with another protocol version. (@volok-aleksej)
+- pr: 4037 # https://github.com/randombit/botan/pull/4037
+ merge_commit: 8798305c102934c4c20d9e4f63b768ba7e74c6b9
+ classification: relevant
+ auditer: FAlbertDev
+ comment: |
+ Fixes a DTLS 1.2 bug that terminates a connection if ClientHello records
+ are retransmitted.
+
+# Improve FFI's botan_cipher_update() performance for stream ciphers (@reneme)
+- pr: 3951 # https://github.com/randombit/botan/pull/3951
+ merge_commit: 1644599e16f6b128c4caf32fb0eca6e67394bfe9
+ classification: relevant
+
+# Doc: botan_cipher_update() byte generation behavior (@reneme)
+- pr: 4088 # https://github.com/randombit/botan/pull/4088
+ merge_commit: 908dfde29b634a76119af43a08bb3c5354de6273
+ classification: info
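Review bot: the :ref: in the description (`fixes related to X.509 `) has no target label, so Sphinx will not resolve the cross-reference; add the label of the X.509 fixes section. On PR #4040, the comment says the unreduced hash "does not produce wrong results"; since the PR is about RFC 6979, name the computation the reduction feeds (the deterministic nonce derivation) so readers see why the signatures remained valid, and state what "disallows ECDSA private keys that were not reduced" means for existing keys (does loading such a key now fail?). PR #3951 is classified "relevant" but has no comment, unlike the other "relevant" entries in this file; add one. Minor: there is a double blank line before the PR #4037 entry.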
diff --git a/docs/audit_report/changes/topics/fixes_x509.yml b/docs/audit_report/changes/topics/fixes_x509.yml
new file mode 100644
index 00000000..c9b437b7
--- /dev/null
+++ b/docs/audit_report/changes/topics/fixes_x509.yml
@@ -0,0 +1,97 @@
+title: Fixes in X.509
+
+description: |
+ Due to some discovered issues with X.509 certificate handling, several fixes
+ and refactorings were applied to the X.509 module.
+
+patches:
+# Fix a bug in SAN handling when creating certs and PKCS 10 requests (@randombit)
+- pr: 4032 # https://github.com/randombit/botan/pull/4032
+ merge_commit: 4af65b1a4bf8ec1e366e90f95cc0b84fb9926ff4
+ classification: relevant
+
+# Refactor AlternativeName internals (@randombit)
+- pr: 4034 # https://github.com/randombit/botan/pull/4034
+ merge_commit: 7606d70d3a2ac7114476ec2651ca0243c4536fdf
+ classification: relevant
+ comment: |
+ Refactors the internal interface of AlternativeName. Also resolves a
+ performance issue in the name constraint matching code.
+
+# Fix X509_CRL::crl_issuing_distribution_point (@randombit)
+- pr: 4030 # https://github.com/randombit/botan/pull/4030
+ merge_commit: 44147d5f6d3cc8a56d040ad729fc7bf217a04019
+ classification: info
+ comment: |
+ Refactor the internal representation of issuing distribution points in
+ Certificate Revocation Lists (CRLs).
+
+# During X509 path validation, return immediately if a signature is invalid (@randombit)
+- pr: 4045 # https://github.com/randombit/botan/pull/4045
+ merge_commit: 39535f13c322f56aa3da2f44b2b6abb8619a82ac
+ classification: critical
+ comment: |
+ Changes the X509 path validation logic to return early if the certificate
+ chain cannot be trusted. Used to make denial-of-service-like attacks
+ more difficult.
+
+# Add a much faster IPv4 dotted quad parser (@randombit)
+- pr: 4058 # https://github.com/randombit/botan/pull/4058
+ merge_commit: 36eb2ee914ceb0a437e98b1cd43380e36c8b1f96
+ classification: info
+
+# Optimize name constraint matching (@randombit)
+- pr: 4047 # https://github.com/randombit/botan/pull/4047
+ merge_commit: c3264821b9f6286ee4e6e3e06826f6b7177e6d41
+ classification: relevant
+
+# In BER decoding do not allow leading 0s in multibyte tag encoding (@randombit)
+- pr: 4064 # https://github.com/randombit/botan/pull/4064
+ merge_commit: 59e17501abaa7b545cd7d41ed4eec1c9052a6aa4
+ classification: relevant
+
+# Fix various SNI related issues (@randombit)
+- pr: 4059 # https://github.com/randombit/botan/pull/4059
+ merge_commit: 8a77f7387e2717e43aa3d129afc6ddd5f6ac5a48
+ classification: relevant
+ comment: |
+ Hardens the checks on Server Name Indication (SNI) handling in TLS so that
+ IP addresses are prohibited.
+
+# Fix several bugs relating to OID encoding and decoding (@randombit)
+- pr: 4063 # https://github.com/randombit/botan/pull/4063
+ merge_commit: 9e6c6da8b4041c99882858405dcaec3bf82cfa94
+ classification: relevant
+
+# Fix Python wrapper when X509 cert or CRL parsing fails (@randombit)
+- pr: 4072 # https://github.com/randombit/botan/pull/4072
+ merge_commit: 4f6b4babaeb9b4c2c9be45956bf2ffdabc42a218
+ classification: info
+
+# Fix various name constraint and path building bugs (@randombit)
+- pr: 4074 # https://github.com/randombit/botan/pull/4074
+ merge_commit: 769983aad3966a250390827141d38b14f9f7e2a5
+ classification: relevant
+ comment: |
+ The following issues were addressed:
+
+ * X.509 Alternative Name addresses with not exactly 4 (IPv4) or 16 bytes \
+ (IPv6) were not rejected.
+
+ * Malformed key usage extensions were effectively ignored. Now, they \
+ result in an empty extension that prohibits all key usages.
+
+ * In addition to the key usage extension, the extended key usage extension \
+ is now also checked to see if a CA is allowed to sign.
+
+ * Permitted subtrees in X.509 name constraints were not handled correctly. \
+ Botan required a constraint for all names to match. Instead, every \
+ name must match any permitted subtree.
+
+ * Malformed server alternative names are now handled as empty ones to prevent \
+ a fallback to the common name when checking the domain name.
+
+ * Refactoring of name constraint logic.
+
+ * Various tests were updated and fixed. Support for an external X.509 \
+ test suite was included.
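Review bot: in the comment on PR #4045 (the only "critical" entry), "Used to make denial-of-service-like attacks more difficult" reads as past tense, i.e. "formerly"; rewrite as "This makes denial-of-service-style attacks more difficult" and name the work that is now skipped (further checks on a chain already known to be untrusted), which the title already implies. Three "relevant" entries (#4047 name-constraint matching, #4063 OID encoding and decoding, #4064 BER multibyte tags) have no comment while the others do; a line each on what was accepted or computed wrongly before would let the report stand on its own. In the PR #4074 comment, the bullet lines end in backslashes inside a `|` literal block; YAML keeps those backslashes verbatim, so this relies on the renderer treating them as line continuations. If the comments are rendered as reStructuredText, confirm the output shows no stray backslashes, or drop them and let the paragraph folding of list items join the lines.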
diff --git a/docs/audit_report/changes/topics/hss_lms.yml b/docs/audit_report/changes/topics/hss_lms.yml
new file mode 100644
index 00000000..d70df021
--- /dev/null
+++ b/docs/audit_report/changes/topics/hss_lms.yml
@@ -0,0 +1,23 @@
+title: HSS/LMS
+
+patches:
+# HSS-LMS Signature Algorithm Implementation (@FAlbertDev)
+- pr: 3716 # https://github.com/randombit/botan/pull/3716
+ merge_commit: 19567e328197294718f8393929a75387fbb159cb
+ classification: critical
+
+# Doc: Mention HSS/LMS in top-level docs (@reneme)
+- pr: 4069 # https://github.com/randombit/botan/pull/4069
+ merge_commit: 3922eebc65971db50cd3e9842de523d34d77e9c8
+ classification: info
+
+# HSS/LMS Verification Assert Regression Test (@FAlbertDev)
+- pr: 4084 # https://github.com/randombit/botan/pull/4084
+ merge_commit: 36e0acd6ebc15859f10d0735b14df1771a56edca
+ classification: info
+
+# Reject all HSS-LMS unknown parameter types (@randombit)
+- pr: 4083 # https://github.com/randombit/botan/pull/4083
+ merge_commit: df4c265ac2c729c597b6bce7c2a461ebb2f85a17
+ classification: info
+
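Review bot: PR #3716, the HSS-LMS implementation itself, is classified "critical" but has neither a comment nor an auditer, whereas "relevant" entries in other topics carry a comment; add a comment pointing to where the implementation was reviewed and who audited it. PR #4083 "Reject all HSS-LMS unknown parameter types" tightens input validation in a signature-scheme parser and is classified "info"; "relevant", with a short comment on which inputs were previously accepted, seems more appropriate. Also the file ends with an extra blank line.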
diff --git a/docs/cryptodoc/src/05_06_spx.rst b/docs/cryptodoc/src/05_06_spx.rst
index d00bdb92..2ab29c11 100644
--- a/docs/cryptodoc/src/05_06_spx.rst
+++ b/docs/cryptodoc/src/05_06_spx.rst
@@ -290,7 +290,7 @@ SPHINCS+ parameter sets `.
+----------------------------------+-------------+-------------+-----------+-----------------+-----------+-----------+
SPHINCS\ :sup:`+` key generation follows Section 6.2 of [SPX-R3]_ and is
-implemented in :srcref:`[src/lib/pubkey/sphincsplus/sphincsplus_common]/sphincsplus.cpp:248|SphincsPlus_PrivateKey`
+implemented in :srcref:`[src/lib/pubkey/sphincsplus/sphincsplus_common]/sphincsplus.cpp:254|SphincsPlus_PrivateKey`
within the ``SphincsPlus_PrivateKey`` constructor. It works as follows:
.. admonition:: SPHINCS+ Key Generation
@@ -320,7 +320,7 @@ Signature Creation
------------------
A SPHINCS\ :sup:`+` signature is created in the following manner, following
-Algorithm 20 of [SPX-R3]_ (see :srcref:`[src/lib/pubkey/sphincsplus/sphincsplus_common]/sphincsplus.cpp:289|sign`):
+Algorithm 20 of [SPX-R3]_ (see :srcref:`[src/lib/pubkey/sphincsplus/sphincsplus_common]/sphincsplus.cpp:295|sign`):
.. admonition:: SPHINCS+ Signature Creation
@@ -350,7 +350,7 @@ Signature Validation
--------------------
A SPHINCS\ :sup:`+` signature is verified in the following manner, following
-Algorithm 21 of [SPX-R3]_ (see :srcref:`[src/lib/pubkey/sphincsplus/sphincsplus_common]/sphincsplus.cpp:152|is_valid_signature`):
+Algorithm 21 of [SPX-R3]_ (see :srcref:`[src/lib/pubkey/sphincsplus/sphincsplus_common]/sphincsplus.cpp:158|is_valid_signature`):
.. admonition:: SPHINCS+ Signature Validation
diff --git a/docs/cryptodoc/src/05_07_dilithium.rst b/docs/cryptodoc/src/05_07_dilithium.rst
index d5f48033..13932e37 100644
--- a/docs/cryptodoc/src/05_07_dilithium.rst
+++ b/docs/cryptodoc/src/05_07_dilithium.rst
@@ -111,7 +111,7 @@ It also contains the seed ``key``, the vectors ``s1`` and ``s2``, and the value
The keys use a helper function ``calculate_t0_and_t1`` to compute :math:`(\mathbf{t_1},\mathbf{t_0})` based on the public key seed ``rho`` and private vectors ``s1, s2``, i.e., realizing L. 3, L.5, and L. 6, Fig. 4, [Dilithium-R3]_.
Furthermore, encoding and decoding of keys and signatures are provided via the key classes.
-The Dilithium key generation process follows :math:`\mathsf{Gen}` of Figure 4 of [Dilithium-R3]_ and works as follows (see :srcref:`[src/lib/pubkey/dilithium/dilithium_common]/dilithium.cpp:567|Dilithium_PrivateKey`):
+The Dilithium key generation process follows :math:`\mathsf{Gen}` of Figure 4 of [Dilithium-R3]_ and works as follows (see :srcref:`[src/lib/pubkey/dilithium/dilithium_common]/dilithium.cpp:573|Dilithium_PrivateKey`):
.. admonition:: Dilithium_PrivateKey::Dilithium_PrivateKey()
diff --git a/docs/cryptodoc/src/05_08_kyber.rst b/docs/cryptodoc/src/05_08_kyber.rst
index 91df6b0a..a1174f9a 100644
--- a/docs/cryptodoc/src/05_08_kyber.rst
+++ b/docs/cryptodoc/src/05_08_kyber.rst
@@ -3,6 +3,15 @@
Kyber
=====
+.. todo::
+
+ This documentation is outdated (and potentially too detailed).
+ It should be updated as soon as those pull requests are merged:
+
+ * https://github.com/randombit/botan/pull/4024
+
+ Until then, I've removed some of the source links to pass CI.
+
Botan implements the CRYSTALS-Kyber KEM in
:srcref:`src/lib/pubkey/kyber/`. The implementation is based on the NIST round 3 specification [Kyber-R3]_.
The list of supported algorithms and their parameters is depicted in
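Review bot: the todo says "those pull requests" but lists only https://github.com/randombit/botan/pull/4024; either list the others or make it singular. The removed `:srcref:` links are what lets an auditor jump from this description to the code, so record in the todo which links were dropped (key generation, indcpa_enc, raw_kem_encrypt, indcpa_decrypt, raw_kem_decrypt, as the later hunks of this file show) so they can be restored once #4024 is merged; and prefer "we" over "I" in a project document.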
@@ -11,7 +20,7 @@ Table :ref:`Supported Kyber parameter sets `).
+The abstract adapter class ``Kyber_Symmetric_Primitives`` is the interface for Kyber's five symmetric primitives, which are instantiated either as a ``Kyber_Modern_Symmetric_Primitives`` object (in :srcref:`[src/lib/pubkey/kyber]/kyber_round3/kyber`) for modern Kyber
+or as a ``Kyber_90s_Symmetric_Primitives`` one (in :srcref:`[src/lib/pubkey/kyber]/kyber_round3/kyber_90s`) for the 90s variant (see Table :ref:`Kyber's symmetric primitives `).
For each mode, the ``KyberConstants`` class contains the corresponding set of parameters and symmetric functions (``Kyber_Symmetric_Primitives``).
.. _pubkey_key_generation/kyber/table_params:
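Review bot: the new srcref for the 90s variant points to kyber_round3/kyber_90s, while code_chore.yml in this same patch records that "Kyber in AES mode ("Kyber 90s")" is deprecated by PR #4050; add a sentence here saying that the 90s variant is deprecated, so the cryptodoc does not describe a deprecated mode as a peer of the modern one without comment.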
@@ -109,7 +118,7 @@ Encoding/decoding of polynomials (**Algorithm 3** of [Kyber-R3]_) is realized vi
Key Generation
--------------
-Based on these functions the key generation process follows **Algorithms 4 and 7** of [Kyber-R3]_ (see :srcref:`[src/lib/pubkey/kyber]/kyber_common/kyber.cpp:1287|Kyber_PrivateKey`) and works as follows:
+Based on these functions the key generation process follows **Algorithms 4 and 7** of [Kyber-R3]_ and works as follows:
.. admonition:: Kyber_PrivateKey::Kyber_PrivateKey()
@@ -144,7 +153,7 @@ Key Encapsulation
Kyber.CPAPKE
^^^^^^^^^^^^
-Encryption works as follows, realizing **Algorithm 5** of [Kyber-R3]_ (see :srcref:`[src/lib/pubkey/kyber]/kyber_common/kyber.cpp:1061|indcpa_enc`):
+Encryption works as follows, realizing **Algorithm 5** of [Kyber-R3]_:
.. admonition:: Kyber_KEM_Cryptor::indcpa_enc()
@@ -178,7 +187,7 @@ Encryption works as follows, realizing **Algorithm 5** of [Kyber-R3]_ (see :srcr
Kyber.CCAKEM
^^^^^^^^^^^^
-Encapsulation works as follows, realizing **Algorithm 8** of [Kyber-R3]_ (see :srcref:`[src/lib/pubkey/kyber]/kyber_common/kyber.cpp:1123|raw_kem_encrypt`):
+Encapsulation works as follows, realizing **Algorithm 8** of [Kyber-R3]_:
.. admonition:: Kyber_KEM_Encryptor::raw_kem_encrypt()
@@ -212,7 +221,7 @@ Key Decapsulation
Kyber.CPAPKE
^^^^^^^^^^^^
-IND-CPA decryption works as follows, realizing **Algorithm 6** of [Kyber-R3]_ (see :srcref:`[src/lib/pubkey/kyber]/kyber_common/kyber.cpp:797|indcpa_decrypt`):
+IND-CPA decryption works as follows, realizing **Algorithm 6** of [Kyber-R3]_:
.. |step_3_formular| replace:: :math:`\mathbf{\hat{s}}^T \circ \mathsf{NTT}(\mathbf{u})`
.. |step_4_formular| replace:: :math:`\mathsf{NTT}^{-1}(\mathbf{\hat{s}}^T \circ \mathsf{NTT}(\mathbf{u}))`
@@ -244,7 +253,7 @@ IND-CPA decryption works as follows, realizing **Algorithm 6** of [Kyber-R3]_ (s
Kyber.CCAKEM
^^^^^^^^^^^^
-Decapsulation works as follows, realizing **Algorithm 9** of [Kyber-R3]_ (see :srcref:`[src/lib/pubkey/kyber]/kyber_common/kyber.cpp:1171|raw_kem_decrypt`):
+Decapsulation works as follows, realizing **Algorithm 9** of [Kyber-R3]_:
.. admonition:: Kyber_KEM_Decryptor::raw_kem_decrypt()
diff --git a/docs/cryptodoc/src/05_09_frodokem.rst b/docs/cryptodoc/src/05_09_frodokem.rst
index 51a41836..9052a5d8 100644
--- a/docs/cryptodoc/src/05_09_frodokem.rst
+++ b/docs/cryptodoc/src/05_09_frodokem.rst
@@ -164,7 +164,7 @@ Key Generation
--------------
FrodoKEM key generation follows Section 8.1 of [FrodoKEM-ISO]_ and is
-implemented within ``FrodoKEM_PrivateKey`` constructor (see: :srcref:`[src/lib/pubkey/frodokem/frodokem_common]/frodokem.cpp:303|FrodoKEM_PrivateKey`).
+implemented within ``FrodoKEM_PrivateKey`` constructor (see: :srcref:`[src/lib/pubkey/frodokem/frodokem_common]/frodokem.cpp:307|FrodoKEM_PrivateKey`).
It works as follows:
.. admonition:: FrodoKEM Key Generation
@@ -206,7 +206,7 @@ It works as follows:
Key Encapsulation
-----------------
-The FrodoKEM encapsulation procedure of Botan (see :srcref:`[src/lib/pubkey/frodokem/frodokem_common]/frodokem.cpp:89|raw_kem_encrypt`) follows Section 8.2 of [FrodoKEM-ISO]_ and
+The FrodoKEM encapsulation procedure of Botan (see :srcref:`[src/lib/pubkey/frodokem/frodokem_common]/frodokem.cpp:87|raw_kem_encrypt`) follows Section 8.2 of [FrodoKEM-ISO]_ and
works as follows:
.. admonition:: FrodoKEM Encapsulation
@@ -252,7 +252,7 @@ works as follows:
Key Decapsulation
-----------------
-The FrodoKEM decapsulation procedure of Botan (see :srcref:`[src/lib/pubkey/frodokem/frodokem_common]/frodokem.cpp:156|raw_kem_decrypt`) follows Section 8.3 of [FrodoKEM-ISO]_ and
+The FrodoKEM decapsulation procedure of Botan (see :srcref:`[src/lib/pubkey/frodokem/frodokem_common]/frodokem.cpp:154|raw_kem_decrypt`) follows Section 8.3 of [FrodoKEM-ISO]_ and
works as follows:
.. admonition:: FrodoKEM Decapsulation