🤖 Audit: Auto-update with latest upstream patches

config/botan.env

@@ -28,7 +28,7 @@ BOTAN_VERSION=3.5.0
 # creation of source-code related document generation. Once a Botan release is
 # minted, this may be the git-tag of that release. During development of an
 # upcoming version it should be a concrete commit SHA on Botan's main branch.
-BOTAN_REF=5649a10ec3399d28c8b84ae18fd65fce57bd7bca
+BOTAN_REF=927aab815ff3ffec3ef011eaf4b35cc13c0ba295
 
 # The Botan repository reference that is currently seen as the "trusted source
 # revision". Typically this is the source reference that was audited by the

docs/audit_report/changes/topics/code_chore.yml

@@ -98,3 +98,23 @@ patches:
 - pr: 4006  # https://github.com/randombit/botan/pull/4006
   merge_commit: c479ebbc9eefdaa722cb36761703e0c234e35d8d
   classification: info
+
+# Ignore new warnings in clang-tidy from LLVM 17 [ci skip]  (Jack Lloyd)
+- commit: 2b7e2eea2d9ffb6437347cbbc7476609a9476380  # https://github.com/randombit/botan/commit/2b7e2eea2d9ffb6437347cbbc7476609a9476380
+  classification: info
+  auditer: reneme
+
+# Use clang-format 17  (@randombit)
+- pr: 4100  # https://github.com/randombit/botan/pull/4100
+  merge_commit: 19c62311243a6f66237bcc302a9c34bd8e5bef13
+  classification: info
+
+# Fix various issues flagged by clang-tidy 18  (@randombit)
+- pr: 4101  # https://github.com/randombit/botan/pull/4101
+  merge_commit: 1a5cf8729f42f55f5a9336a2fa389c4c0a2dfda3
+  classification: info
+
+# Extend KMAC maximal key length   (@FAlbertDev)
+- pr: 4109  # https://github.com/randombit/botan/pull/4109
+  merge_commit: 7be1498984319abd04d56081567a7dc132b01045
+  classification: info

docs/audit_report/changes/topics/continuous_integration.yml

@@ -41,3 +41,20 @@ patches:
 - pr: 4078  # https://github.com/randombit/botan/pull/4078
   merge_commit: 100a065bda4219d0cea220859681e65a2714019b
   classification: info
+
+# Convert most Linux CI builds to use Ubuntu 24.04  (@randombit)
+- pr: 4098  # https://github.com/randombit/botan/pull/4098
+  merge_commit: 117f3b351a294c9c29982b11e52822faae47386d
+  classification: info
+
+# Add a workaround for MSVC/GH fuckup  (@randombit)
+- pr: 4105  # https://github.com/randombit/botan/pull/4105
+  merge_commit: 1c3890144aa3d0734dfa51c887b3d5dff542d0af
+  classification: info
+  auditer: reneme
+
+# Use 24.04 image for valgrind CI job  (@randombit)
+- pr: 4106  # https://github.com/randombit/botan/pull/4106
+  merge_commit: 759f12590b4bc14a18f0dec284cb79a8d598264f
+  classification: info
+  auditer: reneme

docs/audit_report/changes/topics/ecc.yml

@@ -67,3 +67,38 @@ patches:
   classification: info
   comment: |
     This is a follow-up to PR #4056.
+
+# Make application provided EC_Group restrictions a bit stricter  (@randombit)
+- pr: 4089  # https://github.com/randombit/botan/pull/4089
+  merge_commit: d215d2574712e1f4e1597f72ed41b0b540f20a4e
+  classification: info
+  comment: |
+    This restricts application-defined elliptic curves:
+
+    * must be prime order.
+    * must have a cofactor of 1.
+    * prime bitlength must be between 128 and 512 bits
+      (with special allowance for 521-bit Mersenne prime)
+    * prime must be congruent to 3 mod 4.
+
+# Add some further test cases of hash2curve  (@randombit)
+- pr: 4092  # https://github.com/randombit/botan/pull/4092
+  merge_commit: 709e26b86a19235715403401dbb5d492d168cedf
+  classification: info
+
+# Add library for compile time instantiation of elliptic curves  (@randombit)
+- pr: 3979  # https://github.com/randombit/botan/pull/3979
+  merge_commit: 856174ef1ecbbfbd9c4853bb4974f04d82d7f952
+  classification: critical
+  comment: |
+    This is a re-implementation of prime-order elliptic using modern
+    C++ features to allow significantly better compiler optimizations
+    and have a much better side-channel profile.
+
+# Fix: EC private key encoding  (@FAlbertDev)
+- pr: 4110  # https://github.com/randombit/botan/pull/4110
+  merge_commit: 3a87193718db9da4b75cc4faa470d855011558e3
+  classification: info
+  comment: |
+    This fixes an issue that was introduced recently and was never
+    part of an official release.

docs/audit_report/changes/topics/side_channel_mitigation.yml

@@ -0,0 +1,29 @@
+title: Side Channel Mitigations
+
+patches:
+# Add CT::value_barrier  (@randombit)
+- pr: 4096  # https://github.com/randombit/botan/pull/4096
+  merge_commit: bf8bbee83f87b29592fce5c30bc96c90126ae35b
+  classification: critical
+  comment: |
+    This introduces a new helper function aiming to prevent the compiler from
+    reasoning about the value or the set of possible values of a variable.
+
+# Mitigate a potential side-channel in Kyber  (@reneme)
+- pr: 4107  # https://github.com/randombit/botan/pull/4107
+  merge_commit: 7ef549fe0394006f3a44616d67948db2f1db95b0
+  classification: critical
+  comment: |
+    This mitigates a potential side-channel in the Kyber implementation where
+    Clang could introduce a secret-dependant conditional branch. This was
+    `found by PQShield <https://pqshield.com/pqshield-plugs-timing-leaks-in-kyber-ml-kem-to-improve-pqc-implementation-maturity>`_.
+
+# Use CT::Mask instead of multiplication in polynomial doubling  (@randombit)
+- pr: 4108  # https://github.com/randombit/botan/pull/4108
+  merge_commit: 4ed0feec31f7c5a8851a5fd4347a38aa7cb3a1ac
+  classification: relevant
+
+# Add CT::Choice  (@randombit)
+- pr: 4115  # https://github.com/randombit/botan/pull/4115
+  merge_commit: 927aab815ff3ffec3ef011eaf4b35cc13c0ba295
+  classification: relevant