Releases: cossacklabs/themis
0.13.6 - Hotfix for iOS and macOS
This is a hotfix for Apple platforms: ObjCThemis and SwiftThemis, running on iOS and macOS, when installed via Carthage or CocoaPods.
- `themis` pod is now restored to use dynamic linkage again
- Resolved errors related to `@rpath` when using CocoaPods
- Removed `arm64e` architecture slice from Carthage builds for iOS which prevented CocoaPods from functioning correctly
Code:
0.13.5 – Hotfix for macOS with Carthage
This is a hotfix for Apple platforms: ObjCThemis and SwiftThemis, running on macOS, when installed via Carthage.
The iOS platform is not affected. Installations via CocoaPods are not affected either. You can continue using Themis 0.13.4 there.
- Resolved issues with deploying macOS apps with Apple Silicon support when Themis is installed via Carthage
Code:
- Objective-C / Swift
  - Fixed code signing issues on macOS with Xcode 12 (#744).
0.13.4 – Hotfix for Xcode 12 and Apple Silicon
This is a hotfix for Apple platforms: ObjCThemis and SwiftThemis, running on iOS and macOS, installed via Carthage or CocoaPods.
- Resolved critical issues with App Store deployment (see #715)
- Resolved issues with stable Xcode 12 support (disabled arm64 builds for iOS Simulator)
- Improved Apple Silicon support (arm64 builds for macOS with Xcode 12.2 beta)
- Updated OpenSSL to the latest 1.1.1h
- CocoaPods is now using OpenSSL 1.1.1h by default (again)
Note that this hotfix is not compatible with Xcode 11. (Future releases of Themis will also require Xcode 12+.) If you are using Xcode 11, please use older versions of Themis:
- CocoaPods: `pod 'themis', '0.13.0'`
- Carthage: `github "cossacklabs/themis" "0.13.0"`
Code:
0.13.3 - hotfix CocoaPods for SwiftThemis and ObjCThemis [iOS, macOS] for Xcode12
Updated Themis podspec to be compatible with Xcode 12:
- exclude arm64 architecture (well, temporarily);
- updated iOS/macOS deployment target;
- updated bitcode settings.
CocoaPods:
iOS:
Xcode 12: use `pod 'themis', '0.13.3'`. It excludes the arm64-iphonesimulator architecture slice for now. The resulting app can be submitted to the App Store.
Xcode 11: use `pod 'themis', '0.13.0'`. It is compatible with Xcode 11, not with Xcode 12.
macOS:
If you use macOS, use 0.13.3, and please exclude mac-arm64 for now (set `Build Active Architecture Only = YES`). This will build a correct x86_64 application.
Carthage:
iOS:
Exclude the arm64-iphonesimulator architecture slice for now (see #713).
macOS:
If you use macOS, use 0.13.3, and please exclude mac-arm64 for now (set `Build Active Architecture Only = YES`). This will build a correct x86_64 application.
0.13.2 hotfix Carthage for SwiftThemis and ObjCThemis
Hotfix for Carthage, removing dysfunctional `ObjCThemis.xcodeproj`.
Breaking changes and deprecations:
- ObjCThemis framework built by Carthage is now called `themis.framework` once again.
Code:
- Objective-C
  - Breaking changes
    - ObjCThemis framework built by Carthage is now called `themis.framework` once again (#704).

      ObjCThemis 0.13.0 has initiated renaming of the framework produced by Carthage into `objcthemis.framework` from its historical name `themis.framework`. This decision has been a mistake. More information is available in the pull request linked above.

      `objcthemis.framework` is removed and should not be used.

      Please continue linking your applications to `themis.framework`. Note as well that starting with ObjCThemis 0.13.1, you do not have to embed `openssl.framework` anymore when ObjCThemis is installed via Carthage.
0.13.1 hotfix Swift, Objective-C, Go, Node.js, WebAssembly
TL;DR:
- AndroidThemis is now available on JCenter
- ObjCThemis and SwiftThemis get latest OpenSSL update
- ObjCThemis and SwiftThemis now require Xcode 11 (or later)
- Minor security fixes in GoThemis, JsThemis, WasmThemis
Code:
- Core
  - Improved compatibility with OpenSSL 1.1.1 (#684).
- Android
  - AndroidThemis is now available on JCenter (#679).
- Go
- Node.js
  - Minor dependency updates making the world a better place (#680).
- WebAssembly
  - Minor dependency updates making the world a better place (#680).
- Swift
  - Updated OpenSSL to the latest 1.1.1g (#692).
- Objective-C
  - Updated OpenSSL to the latest 1.1.1g (#692).
Infrastructure:
0.13.0
0.13.0, July 8th 2020
TL;DR:
- Added API for generating symmetric keys for use with Secure Cell.
- Added API for Secure Cell encryption with human-readable passphrases.
- New supported languages: Kotlin, Swift 5.
- Updated look-and-feel of the documentation.
- Squished many tricky bugs and added a whole lot of extra security checks.
Breaking changes and deprecations:
- Many languages received Secure Cell API overhaul with parts of the old API becoming deprecated. Refer to individual language sections for details.
- ObjCThemis installed via Carthage is now called `objcthemis` instead of just `themis` (read more).
- Themis 0.9.6 compatibility is now disabled by default (read more).
- Themis doesn't support big-endian architectures (read more).
- Java 7 is no longer supported, breaking Android and Java builds on outdated systems (read more).
- Python 2 is no longer supported (read more).
- Serialisation of Secure Session state in JavaThemis is now deprecated (read more).
Code:
- Core
  - Added support for building with sanitizers like ASan and UBSan, enabled by `WITH_ASAN=1` flags (#548, #556).
  - Fixed a number of possible use-after-free conditions (#546).
  - Themis Core is now compiled with `-O2` optimizations enabled by default (#543).
  - Themis Core is now compiled with even more paranoid compiler flags (#578).
  - Fixed various edge-case correctness issues pointed out by sanitizers, clang-tidy, and compiler warnings (#540, #545, #554, #570, #597, #613).
  - Improved memory wiping, making sure that sensitive data doesn't stay in memory longer than absolutely necessary (#584, #585, #586, #612).
  - Soter (low-level security core used by Themis)
    - New function `soter_pbkdf2_sha256()` can be used to derive encryption keys from passphrases with PBKDF2 algorithm (#574).
  - Key generation
    - New function `themis_gen_sym_key()` can be used to securely generate symmetric keys for Secure Cell (#560).
  - Secure Cell
  - Secure Session
    - Fixed serialization issue in `secure_session_save()` and `secure_session_load()` methods (#658).
  - Breaking changes
    - Secure Cell compatibility with Themis 0.9.6 is now disabled by default (#614).

      Old versions of Themis have been calculating encrypted data length incorrectly, which made Secure Cells encrypted on 64-bit machines impossible to decrypt on 32-bit machines (see #279 for details).

      Themis 0.10 and later versions include a fix for that issue and a compatibility workaround that makes it possible to decrypt data encrypted by Themis 0.9.6 on 64-bit platforms. This workaround was enabled by default and could be disabled by setting the `NO_SCELL_COMPAT` variable.

      Since Themis 0.13 the workaround for Themis 0.9.6 compatibility is disabled by default (as it has performance implications). It can be enabled if needed by compiling with `WITH_SCELL_COMPAT`.

      We are planning to remove the workaround completely after Themis 0.9.6 reaches end-of-life in December 2020. Please use this time to migrate existing data if you have been using Themis 0.9.6. To migrate the data, decrypt it and encrypt it back with the latest Themis version.
    - Themis is known to be broken on big-endian architectures (#623, #592).

      Themis has never committed to supporting machines with big-endian architectures. However, it was expected to accidentally work to some degree on such machines, with certain compatibility restrictions on interaction with little-endian machines.

      Recent changes in Themis Core are known to introduce compatibility issues on big-endian architectures. If you believe you are affected by this change, please reach out to us via dev@cossacklabs.com.
- Android

  See also: Java API updates.
  - Kotlin is now an officially supported language on Android (#637).
  - Fixed a crash when decrypting corrupted Secure Cell data (#639).
  - Updated embedded BoringSSL to the latest version (#643).
  - Fixed broken `SecureSession#save` and `SecureSession#restore` methods (#658).
  - Breaking changes
    - Android build now uses Gradle 5.6 and requires Java 8 (#633).

      It is no longer possible to build AndroidThemis with Java 7. Please upgrade to Java 8 or a later version.
  - Deprecations
    - Unqualified Gradle targets are now deprecated (#633).

      To build Themis for Android, run

      ```
      ./gradlew :android:assembleRelease
      ```

      instead of

      ```
      ./gradlew assembleRelease
      ```

      The unqualified form still works for now, but may break in future releases.
- C++
  - Secure Cell API updates (#588)
    - ThemisPP now supports passphrase API of Secure Cell in Seal mode:

      ```cpp
      #include <cstdint>
      #include <vector>
      #include <themispp/secure_cell.hpp>

      int main()
      {
          // Seal mode keyed by a human-readable passphrase.
          auto cell = themispp::secure_cell_seal_with_passphrase("string");

          uint8_t plaintext[] = "message";
          std::vector<uint8_t> encrypted = cell.encrypt(plaintext);
          std::vector<uint8_t> decrypted = cell.decrypt(encrypted);
      }
      ```

      You can safely and securely use short, human-readable passphrases as strings with this new API.

      Existing master key API (`themispp::secure_cell_seal` and other modes) should not be used with passphrases or passwords. Use master key API with symmetric encryption keys, such as generated by `themispp::gen_sym_key()` (#561). Use passphrase API with human-readable passphrases.
    - All modes of Secure Cell get a new initialisation API to avoid ambiguity over whether Secure Cell is secured with a passphrase or a master key (since both are effectively byte arrays in C++):
      - `themispp::secure_cell_seal_with_key(master_key)`
      - `themispp::secure_cell_token_protect_with_key(master_key)`
      - `themispp::secure_cell_context_imprint_with_key(master_key)`

      New API has additional benefits:
      - broader range of input types is accepted, including STL-compatible containers such as `std::vector`, `std::array`, `std::span`, C arrays, etc.
      - Token Protect API is much easier to use
      - Secure Cell is now thread-safe
    - Deprecated API

      The following classes are deprecated:
      - `themispp::secure_cell_seal_t`
      - `themispp::secure_cell_token_protect_t`
      - `themispp::secure_cell_context_imprint_t`

      They should be replaced with their `_with_key` counterparts. In most cases migration should be a trivial renaming but there are caveats with Token Protect mode and iterator usage. Please see #588 for details.
  - New function `themispp::gen_sym_key()` can be used to generate symmetric keys for Secure Cell (#561, #576).
  - Updated test suite to test C++14 and C++17 (in addition to C++11 and C++03) (#572).
  - Breaking changes
    - `get_pub_key_by_id()` method of `secure_session_callback_interface_t` now has to return non-const vector (#540).

      Change your implementation like this:
-const std::vector<uint8_t> get_pub_key_by_id(const std::vector<uint8_t>& id) override +std::vector<uint8_t> get_pub_key_by_id(const std::vector<uint8_t>& id) override { // ... }
- Go
  - New function `keys.NewSymmetricKey()` can be used to generate symmetric keys for Secure Cell (#561).
...
0.12.2 hotfix WasmThemis
Fixed an issue in WasmThemis which caused an error when packaging with webpack (#568).
0.12.1 hotfix iOS/macOS CocoaPods
This is a small change required only for Themis iOS/macOS to link `themis.podspec` to the correct tag.
0.12.0
0.12.0, September 27th 2019
TL;DR:
- Added WasmThemis to support WebAssembly (works with Electron and Node.js);
- added experimental support for Windows (using MSYS2 compiler and NSIS installer);
- added support of Go Modules;
- added package for ThemisPP;
- added support for Node.js v12 LTS (in addition to v10 and v8) in jsThemis;
- added extra safety checks and fixes for tricky bugs.
Breaking changes:
- Linux: when building from sources, the default installation path of Themis Core library has been changed from `/usr` to `/usr/local`. If you’re affected, read the instructions on how to make a clean upgrade below.
- Go: some GoThemis APIs have been renamed to comply with the Go naming convention (old APIs are marked as deprecated and will be removed in the next release). If you’re using Go – please switch to new functions.
- Ruby: deprecated `rubythemis` gem has been completely removed in favour of `rbthemis`.
Code:
- Core
  - Soter (low-level security core used by Themis)

    Improved security and code quality, implemented better handling of secrets and memory management. These changes decrease the chance of potential memory leaks.
    - Introduced new internal function: `soter_wipe()`.
      It can be used to securely wipe sensitive data from memory after it's no longer needed.
      All Themis cryptosystems now use this new API (#488).
    - Improved usage and error handling of OpenSSL/BoringSSL PRNGs.
      Thank you, @veorq for bringing up this issue (#485).
    - Improved memory safety and fixed potential corner-case issues in OpenSSL/BoringSSL usage.
      Thanks, @outspace for identifying these issues (#501, #524, #525, #535).
  - Key generation
    - Improved key validity checks across all Themis cryptosystems. Now it’s harder to use wrong keys or misuse them (#486).
    - Improved error handling for EC key generator that could produce an invalid public key without returning an error.
      Thanks, @vixentael for finding this issue (#500).
  - Secure Cell
  - Library ABI
    - Themis shared libraries now have a formal ABI version.
      This ensures that no compatibility issues arise if we ever need to introduce breaking changes in the ABI (#454).
    - Removed private symbols from public export lists.
      Themis has been accidentally exporting various private utility functions.
      Private functions not intended for public use are now hidden (#458, #472).
  - Themis now installs to `/usr/local` by default when building from source on Linux (#448).

    This may be a breaking change if your system has non-standard precedence rules.
    If you install Themis from source code directly, please do a clean upgrade the following way:

    ```
    make uninstall PREFIX=/usr
    make install PREFIX=/usr/local
    ```

    Please consider using binary repositories to install Themis.
    If your system or package manager is not supported yet, please let us know via dev@cossacklabs.com.
  - Themis packages now support multiarch installations (#512).
    Multiarch enables parallel installation of 32-bit and 64-bit versions of the library.
    This is particularly important on CentOS where some tools like pkg-config would fail to locate Themis due to non-standard installation path.
  - Updated Makefile to support a number of standard GNU variables like `libdir` (#453, #455).
  - Improved accuracy of package dependencies to make sure you don't have to install anything manually after installing Themis from package repositories (#446).
  - NSIS installer is now available for Windows. To build NSIS installer, use `make nsis_installer` command in MSYS2 environment.
    You can read more about MSYS2 target here (#474).
  - Dependency updates
  - Other changes
- Android
- C++
  - ThemisPP is now available as a system package through Cossack Labs repositories (#506).
    Use `libthemispp-dev` for Debian and Ubuntu, `libthemispp-devel` for CentOS.
- Go
  - Breaking changes
    - Some APIs have been renamed to conform with the Go naming conventions (#424).
      The old names are now deprecated and scheduled for removal in the next release.
      Please migrate to using the new names when you upgrade.

      | Old API | New API |
      | --- | --- |
      | `cell.CELL_MODE_SEAL` | `cell.ModeSeal` |
      | `compare.COMPARE_MATCH` | `compare.Match` |
      | `keys.KEYTYPE_EC` | `keys.TypeEC` |
      | `session.STATE_ESTABLISHED` | `session.StateEstablished` |
      | `(*session.SecureSession) GetRemoteId` | `GetRemoteID` |
  - GoThemis is now compatible with Go 1.11 modules starting with this release.
    For example, you are now able to pin a specific version of GoThemis in your projects (#505).
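Because the old GoThemis names listed above are scheduled for removal, it helps to locate every remaining use before upgrading. The following Go program is an added example (not part of GoThemis or of these release notes): it parses a source file and reports each use of the deprecated names from the table. The sample input is constructed, and the check assumes the GoThemis packages are imported without aliases.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Old -> new names, taken from the rename table in the 0.12.0 notes.
var renamed = map[string]string{
	"cell.CELL_MODE_SEAL":       "cell.ModeSeal",
	"compare.COMPARE_MATCH":     "compare.Match",
	"keys.KEYTYPE_EC":           "keys.TypeEC",
	"session.STATE_ESTABLISHED": "session.StateEstablished",
	"GetRemoteId":               "GetRemoteID", // method of *session.SecureSession
}
// Constructed sample input; assumes GoThemis packages are imported without aliases.
const sample = `package app
func f(s *session.SecureSession) {
	_ = cell.CELL_MODE_SEAL
	_ = cell.ModeSeal
	_ = s.GetRemoteId()
}
`

// FindDeprecated returns "line: old -> new" for every deprecated name used in src.
func FindDeprecated(src string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var hits []string
	ast.Inspect(file, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			old := sel.Sel.Name // the method rename is matched by bare name
			if pkg, isIdent := sel.X.(*ast.Ident); isIdent && old != "GetRemoteId" {
				old = pkg.Name + "." + old
			}
			if repl, found := renamed[old]; found {
				hits = append(hits, fmt.Sprintf("%d: %s -> %s", fset.Position(sel.Pos()).Line, old, repl))
			}
		}
		return true
	})
	return hits, nil
}
func main() { fmt.Println(FindDeprecated(sample)) }
```

Working on the parsed syntax tree rather than on raw text means names that only appear in comments or string literals are not reported.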
- iOS, macOS
- Java
  - JNI wrapper for desktop Java does not require a separate installation of Themis Core from now on (#450).
- Node.js
- PHP
  - Updated PHP installer to use the latest Composer version (#519).
- Ruby
  - Breaking changes
    - `rubythemis` gem has been completely removed after being deprecated in Themis 0.11.
      Please use `require 'rbthemis'` in your projects (#508).
- Rust
  - Minor internal code style modernizations (#466).
- WebAssembly
  - WasmThemis brings Themis to Web using [WebAssembly](https://web...