Changes that are currently in development and have not been released yet.
0.15.1, September 13 2023
- Updated OpenSSL to 1.1.1v
- Removed support of 32-bit platforms
- Minimum iOS: 11, macOS: 10.13, Catalyst: 14
0.15.0, June 21st 2023
TL;DR:
- Uncompressed EC public keys are now supported.
- Increased PBKDF2 iteration count from 200000 to 314110 for Secure Cell passphrase mode.
- OpenSSL 3.0 is now supported.
- Pythemis now uses `pyproject.toml`.
- And as usual: enhanced security measures and fixed bugs.
Breaking changes and deprecations:
- AndroidThemis build requires Gradle 7.3, Android SDK 11, Android NDK 25.
- Some Soter functions are deprecated.
- Node.js 8 is no longer supported.
- Rust `SecureSessionTransport` implementations are now `Send`.
- Rust 1.58 is now the minimum supported version.
Code:
- Core
  - Themis will generate uncompressed EC public keys when `THEMIS_GEN_EC_KEY_PAIR_UNCOMPRESSED=1` environment variable is set (#959).
  - Increased PBKDF2 iteration count to maintain security of Secure Cell passphrase mode (#976).
  - Bumped embedded BoringSSL to the latest version (#1004).
  - Soter (low-level security core used by Themis)
    - `soter_sign_export_key()` is now deprecated, superseded by `soter_sign_export_private_key()` and `soter_sign_export_public_key()` (#959)
    - better OpenSSL 3 support, with many EC- and RSA-related deprecated functions being replaced with newer alternatives, and OpenSSL 1.X is still supported
    - removed build option `THEMIS_EXPERIMENTAL_OPENSSL_3_SUPPORT` since building/linking with OpenSSL 3 now works out of the box
- Android
  - AndroidThemis build from source now requires Gradle 7.3, Android SDK 11, Android NDK 25 (#942).
- Node.js
- Python
  - `pythemis.scomparator` and `pythemis.skeygen` are now imported with `from pythemis import *` (#914).
  - Pythemis supports `pyproject.toml` as a main way of building packages. The old `setup.py` is preserved for backwards compatibility (#1006).
  - New installation methods, accessible with make (#1023, #1042).
    - install package into virtualenv
    - create/install `.deb` or `.rpm` package for system-wide installation
- Ruby
  - Improved compatibility with non-standard installations on Apple M1 (#917).
- Rust
- WasmThemis
- WebAssembly
  - Node.js v8 is no longer supported (#901).
0.14.10, Nov 3rd 2022
- Redesigned the framework to make it less vulnerable to native exceptions (#955).
- Updates for react native examples. (#956).
- Improved compatibility with non-Homebrew Python installations on Apple M1 (#915).
0.14.9, Sep 12th 2022
- Fixing the code signing issue for macOS Themis installation via SPM (#944).
0.14.8, Aug 22th 2022
- Rebuild wasm-themis with optimization flag to make package smaller again. (938).
0.14.7, Aug 12th 2022
Upgrade packages versions for security reasons in React Native Themis package.json (934).
Resolve the issue in React Native Themis to support Javascript exceptions (930)
- Define additional checks to generate Javascript exceptions in case of empty required parameters.
Fix the bug with encryption of large files (933).
- Added option to build WASM file.
0.14.6, May 24th 2022
Reduce WasmThemis binary size x3, by increasing the compiler optimization level for WasmThemis build (919).
0.14.5, April 14th 2022
Typescript compatibility issues in WasmThemis
- Improved SecureCell Seal in WasmThemis. Added optional context parameters to SecureCell Seal mode instead of using arguments in methods `encrypt()` and `decrypt()` to make compilers happy (#909).
0.14.4, March 15th 2022 / April 05th 2022
React Native Support
- Added React Native Themis with Typescript support (#902, #903, #905, #906).

  `react-native-themis` is now available on npm! 🎉 `npm install react-native-themis`
0.14.0, December 24th 2021
TL;DR:
- JavaThemis for Android has moved to Maven Central (read more).
- JavaThemis for Java is available on Maven Central (read more).
- Themis is now available via Swift Package Manager (read more)
- Themis for iOS and macOS is also available as XCFramework, attached to the release.
- TypeScript definitions and ES6 module are now available for WasmThemis (read more).
- Node.js v16 is now supported.
- Overhaul of documentation once again.
- New Themis Core packages with BoringSSL – `libthemis-boringssl`.
- OpenSSL 3.0 support is work-in-progress, but not ready yet (read more).
- And as usual: more security hardening, fewer known bugs.
Breaking changes and deprecations:
- Themis Core: private C header files are no longer installed.
- GoThemis: `ErrOverflow` is now deprecated.
- Rust: `themis` now requires Rust 1.47 or newer.
- Rust: `libthemis-src` is no longer supported.
- Installing Themis via Carthage now requires Carthage 0.38 or newer (read more).
- Deprecated CocoaPods subspecs `themis/themis-openssl` and `themis/themis-boringssl` have been removed (read more).
- Themis Server (Themis Interactive Simulator) is no longer supported (read more).
Code:
- Core
  - Include embedded BoringSSL into Soter for convenience (#681, #702).
  - `make deb` and `make rpm` with `ENGINE=boringssl` will now produce `libthemis-boringssl` packages with embedded BoringSSL (#683, #686).
  - `secure_session_create()` now allows only EC keys, returning an error for RSA (#693).
  - Cleaned up unused private API. Thanks to @luismerino for pointing this out (#714).
  - Cleaned up public header files and API of Themis and Soter (#759).

    Private header files are no longer installed. Private APIs which have been unintentionally exported are no longer available. This might be a breaking change for those who have used them. Please refrain from using private API and include only public API:

    ```c
    #include <themis/themis.h>
    ```

    Users of official high-level wrappers are not affected. However, this might affect developers of third-party wrappers. Refer to the detailed description below for a list of removed headers.

    The following Soter headers are no longer available:
    - `<soter/soter_container.h>`
    - `<soter/soter_crc32.h>`
    - `<soter/soter_ec_key.h>`
    - `<soter/soter_portable_endian.h>`
    - `<soter/soter_rsa_key.h>`
    - `<soter/soter_sign_ecdsa.h>`
    - `<soter/soter_sign_rsa.h>`
    - `<soter/soter_t.h>`

    All APIs previously exported by them are no longer available as well.

    The following Themis headers are no longer available:
    - `<themis/secure_cell_alg.h>`
    - `<themis/secure_cell_seal_passphrase.h>`
    - `<themis/secure_comparator_t.h>`
    - `<themis/secure_message_wrapper.h>`
    - `<themis/secure_session_peer.h>`
    - `<themis/secure_session_t.h>`
    - `<themis/secure_session_utils.h>`
    - `<themis/sym_enc_message.h>`
    - `<themis/themis_portable_endian.h>`

    All APIs previously exported by them are no longer available as well.

    In addition to that, the following private symbols and definitions previously exported by `<themis/secure_session.h>` have been hidden:
    - `THEMIS_SESSION_ID_TAG`
    - `THEMIS_SESSION_PROTO_TAG`
    - `SESSION_MASTER_KEY_LENGTH`
    - `SESSION_MESSAGE_KEY_LENGTH`
    - `struct secure_session_peer_type`
    - `typedef secure_session_peer_t`
    - `typedef secure_session_handler`
    - `secure_session_peer_init()`
    - `secure_session_peer_cleanup()`
  - Fixed multiple buffer overflows in Secure Message (#763).
  - Fixed cross-compilation on macOS by setting `ARCH` and `SDK` variables (#849).
  - Updated embedded BoringSSL to the latest version (#812).
  - Builds with OpenSSL 3.0 will result in a compilation error for the time being (#872).
  - Hardened EC/RSA key generation and handling in Secure Message and Secure Session (#875, #876)
- Android
  - Example project moved to the main repository – `docs/examples/android` (#813).
  - Example project is now written in Kotlin (#813).
  - Updated embedded BoringSSL to the latest version (#812).
- C++
  - `themispp::secure_message_t::sign()` output is a bit smaller now (#775).
- Go
- Java / Kotlin
  - `SecureMessage#sign()` output is a bit smaller now (#777).
  - JavaThemis for Android and desktop Java is now published in the Maven Central repository (#786, #788).

    Add the Maven Central repository to your `build.gradle`:

    ```groovy
    repositories {
        mavenCentral()
    }
    ```

    For Android, use this dependency:

    ```groovy
    dependencies {
        implementation 'com.cossacklabs.com:themis:0.14.0'
    }
    ```

    For desktop systems use this one:

    ```groovy
    dependencies {
        implementation 'com.cossacklabs.com:java-themis:0.14.0'
    }
    ```
  - Example project for desktop Java moved to the main repository – `docs/examples/java` (#816).
- Objective-C
  - Updated Objective-C examples (iOS and macOS, Carthage and CocoaPods) to showcase usage of the newest Secure Cell API: generating symmetric keys and using Secure Cell with Passphrase (#688) and to use latest Themis 0.13.4 (#701, #703, #706, #723, #724, #726, #740).
  - `TSSession` initializer now returns an error (`nil`) when given incorrect key type (#710).
  - Improved compatibility with Xcode 12 (#742).
  - Updated CocoaPods examples to the latest Themis version 0.13.10 (#834).
  - Removed deprecated CocoaPods subspecs: `themis/themis-openssl` and `themis/themis-boringssl` (#884, #885).
- PHP
- Node.js
- Python
  - `SSession` constructor now throws an exception when given incorrect key type (#710).
- Ruby
  - `Ssession` constructor now throws an exception when given incorrect key type (#710).
- Rust
- Swift
  - Updated Swift examples (iOS and macOS, Carthage and CocoaPods) to showcase usage of the newest Secure Cell API: generating symmetric keys and using Secure Cell with Passphrase (#688) and to use latest Themis 0.13.4 (#701, #703, #706, #740).
  - `TSSession` initializer now returns an error (`nil`) when given incorrect key type (#710).
  - Improved compatibility with Xcode 12 (#742).
  - Updated CocoaPods examples to the latest Themis version 0.13.10 (#834).
  - Removed deprecated CocoaPods subspecs: `themis/themis-openssl` and `themis/themis-boringssl` (#884, #885).
- WebAssembly
  - Updated Emscripten toolchain to the latest version (#760, #880).
  - Node.js v16 is now supported (#801).
  - TypeScript type definitions and ES6 module are now available, thanks to @maxammann (#792).

    ```js
    import {SecureCell, SecureMessage, SecureSession, SecureComparator} from 'wasm-themis';
    ```
  - New initialization API: `initialize()`, allowing to specify custom URL for `libthemis.wasm` (#792, #854, #857).
  - Updated embedded BoringSSL to the latest version (#812).
  - `make wasmthemis` now fails with unsupported Emscripten toolchains (#879).
Infrastructure:
- Improved package split making `libthemis` thinner (#678).
- Optimized dependencies of `libthemis` DEB and RPM packages (#682, #686).
- `make deb` and `make rpm` with `ENGINE=boringssl` will now produce `libthemis-boringssl` packages with embedded BoringSSL (#683, #686).
- Build system and tests now respect the `PATH` settings (#685).
- Rename embedded BoringSSL symbols by default to avoid conflicts with system OpenSSL (#702).
- Started phasing out CircleCI in favour of GitHub Actions (#709, #755).
- Themis is now fuzzed with `afl++` (#766).
- Secure Message is now covered with fuzz testing (#762).
- JavaThemis for Android and desktop Java is now published in the Maven Central repository (#786, #788).
- MSYS2 builds for Windows are now checked by CI (#791).
- Added automated tests for Android example project (#813).
- Added automated tests for desktop Java example project (#816).
- Embedded BoringSSL now builds faster if Ninja is available (#837).
- Embedded BoringSSL can now be cross-compiled on macOS by setting `ARCH` and `SDK` variables (#849).
- Builds on macOS use OpenSSL 1.1 from Homebrew by default (#871).
- Builds with OpenSSL 3.0 are currently not supported (#872).
0.13.12, July 26th 2021
Hotfix for Apple arm64 simulators for M1
Code:
- Fixed `Themis.xcodeproj` build settings: removed arm64 from excluded architectures (865).
0.13.11, July 6th 2021
Hotfix for WasmThemis:
- Fixed issue when bundling WasmThemis with webpack (#779).
Code:
- WebAssembly
  - Fixed issue with `TypeError: TextEncoder is not a constructor` when bundling WasmThemis with webpack (#779).
0.13.10, May 26th 2021
Deprecation Notice for CocoaPods users:
- `themis/themis-openssl` subspec based on GRKOpenSSLFramework is deprecated and will be removed in Themis version 0.14.
- `themis/themis-boringssl` subspec based on BoringSSL is deprecated and will be removed in Themis version 0.14.

Please, switch to the default option in your Podfile: `pod 'themis'`
Hotfix for Apple platforms:
- `themis` for CocoaPods now uses XCFrameworks, supports Apple Silicon, and OpenSSL 1.1.1k (#828).
- Updated Carthage examples to use Themis XCFramework (#823).
Code:
- Objective-C / Swift
  - `themis` for CocoaPods now uses XCFrameworks, supports Apple Silicon, and OpenSSL 1.1.1k (#828).
0.13.9, May 14th 2021
Hotfix for Apple platforms:
- `themis` for Carthage switched to using XCFrameworks (#817). So, the minimum required Carthage version is now 0.38.0. You can continue using previous Themis version with previous Carthage versions.
- Updated OpenSSL to the latest 1.1.1k for Carthage (#817).
Code:
- Objective-C / Swift
  - `themis` for Carthage now pulls OpenSSL dependency as XCFramework, and Carthage builds `themis` as XCFramework as well. `Themis.xcodeproj` now uses `openssl.xcframework` and `themis.xcframework`. Carthage dependencies should be built with `--use-xcframeworks` flag (#817).
  - Updated OpenSSL to the latest 1.1.1k for Carthage (#817).
  - Tests (GitHub Actions) are updated to use the latest Carthage version (0.38.0 and up) and `--use-xcframeworks` flag (#817).
0.13.8, April 30th 2021
Hotfix for Apple platforms:
- Updated OpenSSL to the latest 1.1.1k for SPM and attached `themis.xcframework` (iOS and macOS) (#808).
- New Swift and Objective-C example projects: SPM for iOS and macOS (#808).
Code:
- Objective-C / Swift
0.13.7, April 28th 2021
Hotfix for Apple platforms:
- `themis` is now packaged as XCFramework (#789). It is available in the release attached files section.
- `themis` now supports SPM (#789), its installation and usage are very straightforward, just add `themis` as SPM dependency.
Code:
- Objective-C / Swift
0.13.6, November 23rd 2020
Hotfix for Apple platforms:
- `themis` pod is now restored to use dynamic linkage again
- Resolved errors related to `@rpath` when using CocoaPods
- Removed `arm64e` architecture slice from Carthage builds for iOS which prevented CocoaPods from functioning correctly
Code:
- Objective-C / Swift
0.13.5, November 12th 2020
Hotfix for Apple platforms:
- Resolved issues with deploying macOS apps with Apple Silicon support when Themis is installed via Carthage
Code:
- Objective-C / Swift
  - Fixed code signing issues on macOS with Xcode 12 (#744).
0.13.4, October 29th 2020
Hotfix for Apple platforms:
- Improved Apple Silicon support (arm64 builds for macOS with Xcode 12.2 beta)
- Resolved issues with stable Xcode 12 support (disabled arm64 builds for iOS Simulator)
- Updated OpenSSL to the latest 1.1.1h
- CocoaPods is now using OpenSSL 1.1.1h by default (again)
- CocoaPods and Carthage now both produce full-static builds of Themis, resolving critical issues with App Store deployment (see #715)
Code:
- Objective-C / Swift
0.13.3, October 12th 2020
Hotfix for Themis CocoaPods and Xcode12:
- Default Themis podspec is using OpenSSL 1.0.2u again ("themis/themis-openssl"). OpenSSL 1.1.1g podspec ("themis/openssl") might be broken for Xcode12, fixing is in progress. BoringSSL podspec ("themis/themis-boringssl") is available too.
Code:
- Objective-C / Swift
  - Themis CocoaPods podspec is updated with bitcode fixes and disabling arm64 simulator in order to support Xcode12 builds. This is a podspec change only, no changes in code, headers or whatsoever. Default podspec is set as "themis/themis-openssl", which uses OpenSSL 1.0.2u. Fixes for "themis/openssl" podspec (OpenSSL 1.1.1g) might arrive soon.
0.13.2, August 14th 2020
Breaking changes and deprecations:
- ObjCThemis framework built by Carthage is now called `themis.framework` once again (read more).
Code:
- Objective-C
  - Breaking changes
    - ObjCThemis framework built by Carthage is now called `themis.framework` once again (#704).

      ObjCThemis 0.13.0 has initiated renaming of the framework produced by Carthage into `objcthemis.framework` from its historical name `themis.framework`. This decision has been a mistake. More information is available in the pull request linked above.

      `objcthemis.framework` is removed and should not be used.

      Please continue linking your applications to `themis.framework`. Note as well that starting with ObjCThemis 0.13.1, you do not have to embed `openssl.framework` anymore when ObjCThemis is installed via Carthage.
0.13.1, August 13th 2020
TL;DR:
- AndroidThemis is now available on JCenter
- ObjCThemis and SwiftThemis get latest OpenSSL update
- ObjCThemis and SwiftThemis now require Xcode 11 (or later)
- Minor security fixes in GoThemis, JsThemis, WasmThemis
Code:
- Core
  - Improved compatibility with OpenSSL 1.1.1 (#684).
- Android
  - AndroidThemis is now available on JCenter (#679).
- Go
- Node.js
  - Minor dependency updates making the world a better place (#680).
- WebAssembly
  - Minor dependency updates making the world a better place (#680).
- Swift
  - Updated OpenSSL to the latest 1.1.1g (#692).
- Objective-C
  - Updated OpenSSL to the latest 1.1.1g (#692).
Infrastructure:
- AndroidThemis is now available on JCenter (#679).
- ObjCThemis and SwiftThemis now require Xcode 11 (#692).
0.13.0, July 8th 2020
TL;DR:
- Added API for generating symmetric keys for use with Secure Cell.
- Added API for Secure Cell encryption with human-readable passphrases.
- New supported platforms: Kotlin, Swift 5, iPadOS.
- Updated look-and-feel of the documentation.
- Squished many tricky bugs and added a whole lot of extra security checks.
Breaking changes and deprecations:
- Many languages received Secure Cell API overhaul with parts of the old API becoming deprecated. Refer to individual language sections for details.
- ObjCThemis installed via Carthage is now called `objcthemis` instead of just `themis` (read more).
- Themis 0.9.6 compatibility is now disabled by default (read more).
- Themis is known to be broken on big-endian architectures (read more).
- Java 7 is no longer supported, breaking Android and Java builds on outdated systems (read more).
- Python 2 is no longer supported (read more).
- Serialisation of Secure Session state in JavaThemis is now deprecated (read more).
Code:
- Core
  - Added support for building with sanitizers like ASan and UBSan, enabled by `WITH_ASAN=1` flags (#548, #556).
  - Fixed a number of possible use-after-free conditions (#546).
  - Themis Core is now compiled with `-O2` optimizations enabled by default (#543).
  - Themis Core is now compiled with even more paranoid compiler flags (#578).
  - Fixed various edge-case correctness issues pointed out by sanitizers, clang-tidy, and compiler warnings (#540, #545, #554, #570, #597, #613).
  - Improved memory wiping, making sure that sensitive data doesn't stay in memory longer than absolutely necessary (#584, #585, #586, #612).
  - Soter (low-level security core used by Themis)
    - New function `soter_pbkdf2_sha256()` can be used to derive encryption keys from passphrases with PBKDF2 algorithm (#574).
  - Key generation
    - New function `themis_gen_sym_key()` can be used to securely generate symmetric keys for Secure Cell (#560).
  - Secure Cell
  - Secure Session
    - Fixed serialization issue in `secure_session_save()` and `secure_session_load()` methods (#658).
  - Breaking changes
    - Secure Cell compatibility with Themis 0.9.6 is now disabled by default (#614).

      Old versions of Themis have been calculating encrypted data length incorrectly, which made Secure Cells encrypted on 64-bit machines impossible to decrypt on 32-bit machines (see #279 for details).

      Themis 0.10 and later versions include a fix for that issue and a compatibility workaround that allows to decrypt data encrypted by Themis 0.9.6 on 64-bit platforms. This workaround was enabled by default and could be disabled by setting the `NO_SCELL_COMPAT` variable.

      Since Themis 0.13 the workaround for Themis 0.9.6 compatibility is disabled by default (as it has performance implications). It can be enabled if needed by compiling with `WITH_SCELL_COMPAT`.

      We are planning to remove the workaround completely after Themis 0.9.6 reaches end-of-life in December 2020. Please use this time to migrate existing data if you have been using Themis 0.9.6. To migrate the data, decrypt it and encrypt it back with the latest Themis version.
    - Themis is known to be broken on big-endian architectures (#623, #592).

      Themis has never committed to supporting machines with big-endian architectures. However, it was expected to accidentally work to some degree on such machines, with certain compatibility restrictions on interaction with little-endian machines.

      Recent changes in Themis Core are known to introduce compatibility issues on big-endian architectures. If you believe you are affected by this change, please reach out to us via [email protected].
- Android

  See also: Java API updates.
  - Kotlin is now officially supported language on Android (#637).
  - Fixed a crash when decrypting corrupted Secure Cell data (#639).
  - Updated embedded BoringSSL to the latest version (#643).
  - Fixed broken `SecureSession#save` and `SecureSession#restore` methods (#658).
  - Breaking changes
    - Android build now uses Gradle 5.6 and requires Java 8 (#633).

      It is no longer possible to build AndroidThemis with Java 7. Please upgrade to Java 8 or later version.
  - Deprecations
    - Unqualified Gradle targets are now deprecated (#633).

      To build Themis for Android, run

      ```
      ./gradlew :android:assembleRelease
      ```

      instead of

      ```
      ./gradlew assembleRelease
      ```

      The unqualified form still works for now, but may break in future releases.
- C++
  - Secure Cell API updates (#588)
    - ThemisPP now supports passphrase API of Secure Cell in Seal mode:

      ```cpp
      #include <themispp/secure_cell.hpp>

      // Passphrase API: the encryption key is derived from the passphrase.
      auto cell = themispp::secure_cell_seal_with_passphrase("string");

      uint8_t plaintext[] = "message";
      std::vector<uint8_t> encrypted = cell.encrypt(plaintext);
      std::vector<uint8_t> decrypted = cell.decrypt(encrypted);
      ```

      You can safely and securely use short, human-readable passphrases as strings with this new API.

      Existing master key API (`themispp::secure_cell_seal` and other modes) should not be used with passphrases or passwords. Use master key API with symmetric encryption keys, such as generated by `themispp::gen_sym_key()` (#561). Use passphrase API with human-readable passphrases.
    - All modes of Secure Cell get a new initialisation API to avoid ambiguity over whether Secure Cell is secured with a passphrase or a master key (since both are effectively byte arrays in C++):
      - `themispp::secure_cell_seal_with_key(master_key)`
      - `themispp::secure_cell_token_protect_with_key(master_key)`
      - `themispp::secure_cell_context_imprint_with_key(master_key)`

      New API has additional benefits:
      - broader range of input types is accepted, including STL-compatible containers such as `std::vector`, `std::array`, `std::span`, C arrays, etc.
      - Token Protect API is much easier to use
      - Secure Cell is now thread-safe
    - Deprecated API

      The following classes are deprecated:
      - `themispp::secure_cell_seal_t`
      - `themispp::secure_cell_token_protect_t`
      - `themispp::secure_cell_context_imprint_t`

      They should be replaced with their `_with_key` counterparts. In most cases migration should be a trivial renaming but there are caveats with Token Protect mode and iterator usage. Please see #588 for details.
  - New function `themispp::gen_sym_key()` can be used to generate symmetric keys for Secure Cell (#561, #576).
  - Updated test suite to test C++14 and C++17 (in addition to C++11 and C++03) (#572).
  - Breaking changes
    - `get_pub_key_by_id()` method of `secure_session_callback_interface_t` now has to return non-const vector (#540).

      Change your implementation like this:

      ```diff
      -const std::vector<uint8_t> get_pub_key_by_id(const std::vector<uint8_t>& id) override
      +std::vector<uint8_t> get_pub_key_by_id(const std::vector<uint8_t>& id) override
       {
           // ...
       }
      ```
- Go
  - New function `keys.NewSymmetricKey()` can be used to generate symmetric keys for Secure Cell (#561).
  - Improved `ThemisError` introspection: added error constants, numeric error codes (#622).
  - Secure Cell API updates:
    - New API with improved usability and consistent naming (#624).

      ```go
      func SealWithKey(key *keys.SymmetricKey) (*SecureCellSeal, error)
      func (sc *SecureCellSeal) Encrypt(plaintext, context []byte) ([]byte, error)
      func (sc *SecureCellSeal) Decrypt(encrypted, context []byte) ([]byte, error)

      func TokenProtectWithKey(key *keys.SymmetricKey) (*SecureCellTokenProtect, error)
      func (sc *SecureCellTokenProtect) Encrypt(plaintext, context []byte) (encrypted, token []byte, err error)
      func (sc *SecureCellTokenProtect) Decrypt(encrypted, token, context []byte) ([]byte, error)

      func ContextImprintWithKey(key *keys.SymmetricKey) (*SecureCellContextImprint, error)
      func (sc *SecureCellContextImprint) Encrypt(plaintext, context []byte) ([]byte, error)
      func (sc *SecureCellContextImprint) Decrypt(encrypted, context []byte) ([]byte, error)
      ```

      This API is less ambiguous and more convenient to use.
    - GoThemis now supports passphrase API in Seal mode (#625).

      ```go
      scell, err := cell.SealWithPassphrase("secret")
      if err != nil {
              return err
      }

      encrypted, err := scell.Encrypt([]byte("message"), nil)
      if err != nil {
              return err
      }

      decrypted, err := scell.Decrypt(encrypted, nil)
      if err != nil {
              return err
      }
      ```

      You can safely and securely use short, human-readable passphrases as strings with this new API.

      Existing master key API (`cell.SealWithKey()` or `cell.New()`) should not be used with passphrases or passwords. Use master key API with symmetric encryption keys, such as generated by `keys.NewSymmetricKey()` (#561). Use passphrase API with human-readable passphrases.
  - Deprecated API
    - Run-time mode-setting for Secure Cell is deprecated (#624).

      Please use new constructors `cell.SealWithKey()` instead of `cell.New()` and `cell.ModeSeal...` constants. Encryption is now performed with `Encrypt()` method instead of `Protect()`. For decryption use `Decrypt()` instead of `Unprotect()`.

      Old API is retained for compatibility.
- iOS and macOS
  - New function `TSGenerateSymmetricKey()` (available in Objective-C and Swift) can be used to generate symmetric keys for Secure Cell (#561).
  - Mac Catalyst is explicitly disabled (#598).
  - Improved test coverage of platforms (#599, #607, #610, #642).
  - SwiftThemis is now tested with Swift 5 (#605).
  - iPadOS is now officially supported target for ObjCThemis (#641).
  - Secure Cell API updates:
    - New encryption/decryption API with consistent naming: `encrypt` and `decrypt` (#606).
    - Improved Token Protect API (#606):
      - Encryption results use `NSData` now which bridges with Swift `Data` directly.
      - Decryption no longer requires an intermediate `TSCellTokenEncryptedData` object.
    - ObjCThemis now supports passphrase API in Seal mode (#609).

      In Swift:

      ```swift
      let cell = TSCellSeal(passphrase: "secret")

      let encrypted = try cell.encrypt("message".data(using: .utf8)!)
      let decrypted = try cell.decrypt(encrypted)
      ```

      In Objective-C:

      ```objc
      TSCellSeal *cell = [[TSCellSeal alloc] initWithPassphrase:@"secret"];

      NSData *encrypted = [cell encrypt:[@"message" dataUsingEncoding:NSUTF8StringEncoding]];
      NSData *decrypted = [cell decrypt:encrypted];
      ```

      You can safely and securely use short, human-readable passphrases as strings with this new API.

      Existing master key API (`TSCellSeal(key: ...)` or `initWithKey:...`) should not be used with passphrases or passwords. Use master key API with symmetric encryption keys, such as generated by `TSGenerateSymmetricKey()` (#561). Use passphrase API with human-readable passphrases.
  - Deprecated API
    - Secure Cell wrapData/unwrapData renamed into encrypt/decrypt (#606).

      As a result, the following methods are deprecated. There are no plans for their removal.

      Swift

      | Mode | Deprecation | Replacement |
      |------|-------------|-------------|
      | `TSCellSeal` | `wrap(_:, context:)`, `wrap` | `encrypt(_:, context:)`, `encrypt` |
      | | `unwrapData(_:, context:)`, `unwrapData` | `decrypt(_:, context:)`, `decrypt` |
      | `TSCellToken` | `wrap(_:, context:)`, `wrap` | `encrypt(_:, context:)`, `encrypt` |
      | | `unwrapData(_:, context:)`, `unwrapData` | `decrypt(_:, token:, context:)`, `decrypt(_:, token:)` |
      | `TSCellContextImprint` | `wrap(_:, context:)`, `wrap` | `encrypt(_:, context:)`, `encrypt` |
      | | `unwrapData(_:, context:)`, `unwrapData` | `decrypt(_:, context:)`, `decrypt` |

      Objective-C

      | Mode | Deprecation | Replacement |
      |------|-------------|-------------|
      | `TSCellSeal` | `wrapData:context:error:`, `wrapData:error:` | `encrypt:context:error:`, `encrypt:error:` |
      | | `unwrapData:context:error:`, `unwrapData:error:` | `decrypt:context:error:`, `decrypt:error:` |
      | `TSCellToken` | `wrapData:context:error:`, `wrapData:error:` | `encrypt:context:error:`, `encrypt:error:` |
      | | `unwrapData:context:error:`, `unwrapData:error:` | `decrypt:token:context:error:`, `decrypt:token:error:` |
      | `TSCellContextImprint` | `wrapData:context:error:`, `wrapData:error:` | `encrypt:context:error:`, `encrypt:error:` |
      | | `unwrapData:context:error:`, `unwrapData:error:` | `decrypt:context:error:`, `decrypt:error:` |
  - Breaking changes
    - ObjCThemis framework built by Carthage is now called `objcthemis.framework` (#604).

      We have renamed the Carthage framework from `themis.framework` to `objcthemis.framework` in order to improve compatibility with CocoaPods and avoid possible import conflicts with Themis Core.

      ⚠️ Please migrate to `objcthemis.framework` in a timely manner. `themis.framework` is deprecated since Themis 0.13 and will be removed in the next release due to maintainability issues.

      ℹ️ Installations via CocoaPods are not affected. If you get Themis via CocoaPods then no action is necessary.

      Migration instructions

      After upgrading to Themis 0.13 and running `carthage update` you will notice that two Themis projects have been built:

      ```
      *** Building scheme "OpenSSL (iOS)" in OpenSSL.xcodeproj
      *** Building scheme "ObjCThemis (iOS)" in ObjCThemis.xcodeproj
      *** Building scheme "Themis (iOS)" in Themis.xcodeproj
      ```

      Your project is currently using “Themis”. In order to migrate to “ObjCThemis” you need to do the following:
      - update `#import` statements in code (for Objective-C only)
      - link against `objcthemis.framework` in Xcode project
      - remove link to `themis.framework` in Xcode project

      Use the new syntax to import ObjCThemis in Objective-C projects:

      ```objc
      // NEW:
      #import <objcthemis/objcthemis.h>

      // old and deprecated:
      #import <themis/themis.h>
      ```

      The new syntax is now the same as used by CocoaPods.

      If you are using Swift, the import syntax is unchanged:

      ```swift
      import themis
      ```

      After updating imports you also need to link against the new framework (regardless of the language).
      - Add `objcthemis.framework` to your project (can be found in `Carthage/Build/iOS` or `Mac`).
      - For each Xcode target:
        - Open General tab, Frameworks and Libraries section
        - Drag `objcthemis.framework` there. Select Embed & Sign if necessary.
        - Remove `themis.framework` from dependencies.
      - Finally, remove `themis.framework` reference from the project.

      Migration is complete, your project should build successfully now.

      We are sorry for the inconvenience.
- Java
  - JDK location is now detected automatically in most cases, you should not need to set JAVA_HOME or JDK_INCLUDE_PATH manually (#551).
  - JNI libraries are now available as `libthemis-jni` packages for supported Linux systems (#552, #553).
  - Fixed a NullPointerException bug in `SecureSocket` initialisation (#557).
  - Some Themis exceptions have been converted from checked `Exception` to unchecked `RuntimeException`, relaxing requirements for `throws` specifiers (#563).
  - Introduced `IKey` interface with accessors to raw key data (#564).
  - New class `SymmetricKey` can be used to generate symmetric keys for Secure Cell (#565).
  - It is now possible to build desktop Java with Gradle. Run `./gradlew :desktop:tasks` to learn more (#633).
  - Kotlin is now officially supported language for JavaThemis (#637).
  - Fixed broken `SecureSession#save` and `SecureSession#restore` methods (#658).
  - Java source code is now ASCII-only for improved compatibility (#655).
- Secure Cell API updates:
  - New encryption/decryption API with consistent naming: `encrypt` and `decrypt` (#634).
  - Improved Token Protect API (#634).
    - Decryption no longer requires an intermediate `SecureCellData` object.
    - `SecureCellData` can now be destructured in Kotlin (#638).

      ```kotlin
      // You can now write like this:
      val (encrypted, authToken) = cellTP.encrypt(message, context)

      // Instead of having to spell it out like this:
      val result = cellTP.protect(context, message)
      val encrypted = result.protectedData
      val authToken = result.additionalData
      ```
  - Secure Cell mode can now be selected by instantiating an appropriate interface:

    | New API | Old API |
    | --- | --- |
    | `SecureCell.SealWithKey(key)` | `new SecureCell(key, SecureCell.MODE_SEAL)` |
    | `SecureCell.SealWithPassphrase(passphrase)` | not available |
    | `SecureCell.TokenProtectWithKey(key)` | `new SecureCell(key, SecureCell.MODE_TOKEN_PROTECT)` |
    | `SecureCell.ContextImprintWithKey(key)` | `new SecureCell(key, SecureCell.MODE_CONTEXT_IMPRINT)` |
  - JavaThemis now supports passphrase API of Secure Cell in Seal mode (#635).

    In Kotlin:

    ```kotlin
    import com.cossacklabs.themis.SecureCell
    import org.junit.Assert.assertArrayEquals

    val cell = SecureCell.SealWithPassphrase("secret")

    val message = "message".toByteArray()

    val encrypted = cell.encrypt(message)
    val decrypted = cell.decrypt(encrypted)

    assertArrayEquals(decrypted, message)
    ```

    In Java:

    ```java
    import static org.junit.Assert.assertArrayEquals;

    import java.nio.charset.StandardCharsets;

    import com.cossacklabs.themis.SecureCell;

    SecureCell.Seal cell = SecureCell.SealWithPassphrase("secret");

    byte[] message = "message".getBytes(StandardCharsets.UTF_8);

    byte[] encrypted = cell.encrypt(message);
    byte[] decrypted = cell.decrypt(encrypted);

    assertArrayEquals(decrypted, message);
    ```

    You can safely and securely use short, human-readable passphrases as strings with this new API.

    Existing symmetric key API (`SecureCell.SealWithKey(...)` or `new SecureCell(...)`) should not be used with passphrases or passwords. Use symmetric key API with symmetric encryption keys, such as generated by `SymmetricKey` (#565). Use passphrase API with human-readable passphrases.
- Deprecated API
  - Secure Cell has received an API overhaul which deprecates the old API (#636).

    The following items are deprecated:

    - Constructors:
      - `new SecureCell(int mode)`
      - `new SecureCell(byte[] key)`
      - `new SecureCell(byte[] key, int mode)`
      - `new SecureCell(String password)` ⚠️ not recommended, insecure
      - `new SecureCell(String password, int mode)` ⚠️ not recommended, insecure
    - Methods:
      - `protect(byte[] key, byte[] context, byte[] data)`
      - `protect(byte[] context, byte[] data)`
      - `protect(String password, String context, byte[] data)` ⚠️ not recommended, insecure
      - `protect(String context, byte[] data)`
      - `unprotect(byte[] key, byte[] context, SecureCellData protected)`
      - `unprotect(byte[] context, SecureCellData protected)`
      - `unprotect(String password, String context, SecureCellData protected)` ⚠️ not recommended, insecure
      - `unprotect(String context, SecureCellData protected)`
    - Constants:
      - `SecureCell.MODE_SEAL`
      - `SecureCell.MODE_TOKEN_PROTECT`
      - `SecureCell.MODE_CONTEXT_IMPRINT`

    Some methods are not secure when used with short passphrases, consider using new passphrase API instead. Other methods have easier to use replacements in the new API, consider using them instead.

    Deprecated API is still supported, there are no plans for its removal.
  - `SecureSession` methods `save` and `restore` are now deprecated (#659).

    An improved API for serialisation might appear in some next version of JavaThemis. For now, please refrain from using `SecureSession#save` and `SecureSession#restore` which may be removed in the future.
- Node.js
  - New class `SymmetricKey` can be used to generate symmetric keys for Secure Cell (#562).
  - New makefile target `make jsthemis` can be used to build JsThemis from source (#618).
  - `SecureCell` now allows `null` to explicitly specify omitted encryption context (#620).
  - `SecureMessage` now allows `null` for omitted keys in sign/verify mode (#620).
  - Fixed a crash when an exception is thrown from `SecureSession` callback (#620).
  - Node.js v14 is now supported (#654).
  - Passphrase API support in Secure Cell (#621).

    JsThemis now supports passphrase API of Secure Cell in Seal mode:

    ```javascript
    const themis = require('jsthemis')

    let cell = themis.SecureCellSeal.withPassphrase('secret')

    let encrypted = cell.encrypt(Buffer.from('message data'))
    let decrypted = cell.decrypt(encrypted)
    ```

    You can safely and securely use short, human-readable passphrases as strings with this new API.

    Existing master key API (available as `themis.SecureCellSeal.withKey(...)`) should not be used with passphrases or passwords. Use master key API with symmetric encryption keys, such as generated by `SymmetricKey` (#562). Use passphrase API with human-readable passphrases.
  - Deprecated API
    - Secure Cell construction with `new` is deprecated (#621).

      Passphrase API makes it ambiguous whether a Secure Cell is initialised with a master key or a passphrase. All Secure Cell classes – `SecureCellSeal`, `SecureCellTokenProtect`, `SecureCellContextImprint` – get a static factory method `withKey` to reduce the ambiguity. Please use it instead:

      ```javascript
      // NEW, write like this:
      let cell = themis.SecureCellSeal.withKey(secret)

      // old, avoid this:
      let cell = new themis.SecureCellSeal(secret)
      ```

      `new` constructors are not recommended for use but they are still supported and will always work with master keys, as they did before.
- PHP
  - New function `phpthemis_gen_sym_key()` can be used to generate symmetric keys for Secure Cell (#561).
  - Resolved PHP Composer checksum issues once and for all (#566, #567).
  - PHPThemis now supports passphrase API of Secure Cell in Seal mode (#594, #601).

    ```php
    $encrypted = phpthemis_scell_seal_encrypt_with_passphrase('passphrase', 'message');
    $decrypted = phpthemis_scell_seal_decrypt_with_passphrase('passphrase', $encrypted);
    ```

    You can safely and securely use short, human-readable passphrases as strings with this new API.

    Existing master key API (`phpthemis_scell_seal_{encrypt,decrypt}` and other modes) should not be used with passphrases or passwords. Use master key API with symmetric encryption keys, such as generated by `phpthemis_gen_sym_key()` (#561). Use passphrase API with human-readable passphrases.
- Python
  - Fixed compatibility issues on 32-bit platforms (#555).
  - New function `skeygen.GenerateSymmetricKey()` can be used to generate symmetric keys for Secure Cell (#561).
  - PyThemis now supports passphrase API of Secure Cell in Seal mode (#596).

    ```python
    from pythemis.scell import SCellSeal

    cell = SCellSeal(passphrase='my passphrase')

    encrypted = cell.encrypt(b'message data')
    decrypted = cell.decrypt(encrypted)
    ```

    You can safely and securely use short, human-readable passphrases as strings with this new API.

    Existing master key API (`SCellSeal(key=...)`) should not be used with passphrases or passwords. Use master key API with symmetric encryption keys, such as generated by `GenerateSymmetricKey()` (#561). Use passphrase API with human-readable passphrases.
  - Python 2 is no longer supported (#648).

    Python 2 had reached EOL on 2020-01-01.

    In fact, we are not making any changes in this release that break compatibility, but we no longer officially support it. This means that we do not run any CI tests for Python 2, and in the future we will develop code compatible only with Python 3+.
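The key-versus-passphrase distinction drawn in the entries above, as an added example that is not PyThemis code and does not reproduce Themis's data format: a generated key is used as-is, while a passphrase is first stretched with PBKDF2 and the KDF parameters travel with the data. The function names, header layout, check label, `MAX_ITERATIONS` bound and the 28-bit passphrase strength are assumptions of this example; 200000 and 314110 are the PBKDF2 iteration counts this changelog quotes for passphrase mode.

```python
"""Added illustration, not Themis code: generated key vs. passphrase-derived key."""
import hashlib
import hmac
import os
import struct
import time

KEY_LEN = 32                # bytes of key material
SALT_LEN = 16               # bytes of per-blob random salt
MAX_ITERATIONS = 5_000_000  # refuse absurd stored counts (CPU exhaustion)
TAG_LEN = hashlib.sha256().digest_size
# Constructed layout for this example only: big-endian iteration count, then salt.
HEADER = struct.Struct(f">I{SALT_LEN}s")
CHECK_LABEL = b"example key check"


def generate_symmetric_key() -> bytes:
    """What belongs in a key API: 256 bits straight from the OS CSPRNG."""
    return os.urandom(KEY_LEN)


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """What a passphrase needs first: stretching with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def make_verifier(passphrase: str, iterations: int) -> bytes:
    """Return header || tag; the header keeps the KDF parameters with the data,
    so blobs written with an older iteration count stay readable."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(passphrase, salt, iterations)
    tag = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return HEADER.pack(iterations, salt) + tag


def check_passphrase(passphrase: str, blob: bytes) -> bool:
    """Re-derive the key from the stored parameters; compare in constant time."""
    if len(blob) != HEADER.size + TAG_LEN:
        return False
    iterations, salt = HEADER.unpack_from(blob)
    if not 1 <= iterations <= MAX_ITERATIONS:
        return False
    key = derive_key(passphrase, salt, iterations)
    expected = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob[HEADER.size:])


def seconds_per_guess(iterations: int, rounds: int = 3) -> float:
    """Best-of-N wall time to test one candidate passphrase on this machine."""
    salt = os.urandom(SALT_LEN)
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive_key("candidate", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def search_years(entropy_bits: float, per_guess_seconds: float) -> float:
    """Expected single-core time to cover half of a 2**entropy_bits space."""
    return 2.0 ** (entropy_bits - 1) * per_guess_seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    old_blob = make_verifier("correct horse", 200_000)
    new_blob = make_verifier("correct horse", 314_110)
    print("old blob still opens:", check_passphrase("correct horse", old_blob))
    print("new blob opens:      ", check_passphrase("correct horse", new_blob))
    print("wrong passphrase:    ", check_passphrase("correct h0rse", new_blob))

    # 28 bits is an assumed strength for a short human-chosen passphrase;
    # one PBKDF2 iteration stands in for the cost of an unstretched guess.
    raw_cost = seconds_per_guess(1)
    for label, bits, cost in [
        ("passphrase used directly as key", 28, raw_cost),
        ("passphrase + PBKDF2 x 314110", 28, seconds_per_guess(314_110)),
        ("generated 256-bit key", 256, raw_cost),
    ]:
        print(f"{label:34s} ~{search_years(bits, cost):.3g} years to search")
```

The timings it prints are machine-dependent; the ratio between the first two rows is the work factor the KDF adds per guess.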
- Ruby
  - New function `Themis::gen_sym_key()` can be used to generate symmetric keys for Secure Cell (#561).
  - Secure Cell API updates (#603).
    - RbThemis now supports passphrase API of Secure Cell in Seal mode:

      ```ruby
      require 'rbthemis'

      cell = Themis::ScellSealPassphrase.new('secret string')

      encrypted = cell.encrypt('message data')
      decrypted = cell.decrypt(encrypted)
      ```

      You can safely and securely use short, human-readable passphrases as strings with this new API.

      Existing master key API (`Themis::Scell...`) should not be used with passphrases or passwords. Use master key API with symmetric encryption keys, such as generated by `Themis::gen_sym_key` (#561). Use passphrase API with human-readable passphrases.
    - Secure Cell mode can now be selected by instantiating an appropriate subclass:

      | New API | Old API |
      | --- | --- |
      | `Themis::ScellSeal.new(key)` | `Themis::Scell.new(key, Themis::Scell::SEAL_MODE)` |
      | `Themis::ScellSealPassphrase.new(passphrase)` | not available |
      | `Themis::ScellTokenProtect.new(key)` | `Themis::Scell.new(key, Themis::Scell::TOKEN_PROTECT_MODE)` |
      | `Themis::ScellContextImprint.new(key)` | `Themis::Scell.new(key, Themis::Scell::CONTEXT_IMPRINT_MODE)` |

      `Themis::Scell` class is deprecated and should be replaced with new API.
    - Token Protect mode now accepts encrypted data and token as separate arguments instead of requiring an array:

      ```ruby
      decrypted = cell.decrypt([encrypted, token], context) # old
      decrypted = cell.decrypt(encrypted, token, context)   # new
      ```

      (Arrays are still accepted for compatibility but this API is deprecated.)
- Rust
  - New object `themis::keys::SymmetricKey` can be used to generate symmetric keys for Secure Cell (#561, #631).
  - Significantly reduced compilation time by removing `bindgen` crate from dependencies (#626).
  - Bindgen 0.54.1 or later is now required for RustThemis development (#664).
  - Passphrase API support in Secure Cell (#630).

    RustThemis now supports passphrase API of Secure Cell in Seal mode:

    ```rust
    use themis::secure_cell::SecureCell;

    let cell = SecureCell::with_passphrase("secret")?.seal();

    let encrypted = cell.encrypt(b"message data")?;
    let decrypted = cell.decrypt(&encrypted)?;
    ```

    You can safely and securely use short, human-readable passphrases as strings with this new API.

    Existing master key API (available as `SecureCell::with_key(...)`) should not be used with passphrases or passwords. Use master key API with symmetric encryption keys, such as generated by `themis::keys::SymmetricKey` (#561). Use passphrase API with human-readable passphrases.
  - Miscellaneous minor improvements in code quality (#571, #591).
- WebAssembly
  - New class `SymmetricKey` can be used to generate symmetric keys for Secure Cell (#561).
  - Fixed an issue with webpack Terser plugin (#568).
  - Updated Emscripten toolchain to the latest version (#550, #569, #602, #653).
  - Updated embedded BoringSSL and other dependencies to the latest versions (#608, #643).
  - Node.js v14 is now supported (#654).
  - Passphrase API support in Secure Cell (#616).

    WasmThemis now supports passphrase API of Secure Cell in Seal mode:

    ```javascript
    const themis = require('wasm-themis')

    let cell = themis.SecureCellSeal.withPassphrase('secret')

    let encrypted = cell.encrypt(Buffer.from('message data'))
    let decrypted = cell.decrypt(encrypted)
    ```

    You can safely and securely use short, human-readable passphrases as strings with this new API.

    Existing master key API (available as `themis.SecureCellSeal.withKey(...)`) should not be used with passphrases or passwords. Use master key API with symmetric encryption keys, such as generated by `SymmetricKey` (#561). Use passphrase API with human-readable passphrases.
  - Deprecated API
    - Secure Cell construction with `new` is deprecated (#616).

      Passphrase API makes it ambiguous whether a Secure Cell is initialised with a master key or a passphrase. All Secure Cell classes – `SecureCellSeal`, `SecureCellTokenProtect`, `SecureCellContextImprint` – get a static factory method `withKey` to reduce the ambiguity. Please use it instead:

      ```javascript
      // NEW, write like this:
      let cell = themis.SecureCellSeal.withKey(secret)

      // old, avoid this:
      let cell = new themis.SecureCellSeal(secret)
      ```

      `new` constructors are not recommended for use but they are still supported and will always work with master keys, as they did before.
Docs:
- New improved design and structure of Themis documentation.
- Updated templates for GitHub issues and pull requests (#549).
- Miscellaneous quality improvements in various pieces of documentation (#558, #575, #581, #587, #590).
- Clarified information on data privacy regulations (#593).
- Removed last surviving links to deprecated GitHub Wiki (#589).
Infrastructure:
- Changed name of the tarball produced by `make dist` to `themis_X.Y.Z.tar.gz` (#544).
- Fixed Doxygen support (#559).
- Automated benchmarking harness is now tracking Themis performance. See `benches` (#580, #582).
- Automated regular fuzzing of the code with AFL (#579, #583).
- Added automated tests for all code samples in documentation, ensuring they are always up-to-date (#600).
- All 13 supported platforms are verified on GitHub Actions, along with existing CircleCI and Bitrise tests (#600).
- New Makefile targets:
  - `make jsthemis` builds JsThemis from source (#618).
- Resolved issues with library search paths on CentOS when Themis Core is built from source and installed with `make install` (#645).
- Resolved issues with library search paths on Debian when Themis Core is installed from packages (#651).
- Introduced `./configure` script to significantly improve rebuild performance (#611, #628).
- Improved package installation testing and platform coverage (#595, #650).
- Miscellaneous minor improvements and updates in the build system (#542, #573, #615, #617, #629, #627, #632, #644, #646, #649, #656).
- CentOS 8 is now fully supported.
- Ubuntu 20.04 “Focal Fossa” is now fully supported.
- GoThemis is now tested with Go 1.14 (#595).
- SwiftThemis is now tested with Swift 5 (#605).
- Kotlin API of JavaThemis is now verified by all CI platforms (#637).
- iPadOS is now an officially supported target for ObjCThemis (#641).
- Node.js v14 is now supported for JsThemis and WasmThemis (#654).
- Breaking changes
  - Java 7 is no longer supported (#633).

    Updates in Gradle build infrastructure require Java 8.
  - Debian 8 “Jessie” is no longer supported (#633).

    This version is no longer maintained by the Debian team and it lacks Java 8. We no longer provide binary packages for this distribution.
  - Python 2 is no longer supported (#648).

    Python 2 had finally reached EOL on 2020-01-01. PyThemis 0.13 is the last version guaranteed to be compatible with Python 2.
0.12.0, September 27th 2019
TL;DR:
- Added WasmThemis to support WebAssembly (works with Electron and Node.js);
- added experimental support for Windows (using MSYS2 compiler and NSIS installer);
- added support of Go Modules;
- added package for ThemisPP;
- added support for Node.js v12 LTS (in addition to v10 and v8) in jsThemis;
- added extra safety checks and fixes for tricky bugs.
Breaking changes:
- Linux: when building from sources, the default installation path of Themis Core library has been changed from `/usr` to `/usr/local`. If you’re affected, read the instructions on how to make a clean upgrade below.
- Go: some of GoThemis APIs have been renamed to comply with Go naming convention (old APIs are marked as deprecated and will be removed in the next release). If you’re using Go – please switch to new functions.
- Ruby: deprecated `rubythemis` gem has been completely removed in favour of `rbthemis`.
Code:
- Core
  - Soter (low-level security core used by Themis)

    Improved security and code quality, implemented better handling of secrets and memory management. These changes decrease the chance of potential memory leaks.

    - Introduced new internal function: `soter_wipe()`. It can be used to securely wipe sensitive data from memory after it's no longer needed. All Themis cryptosystems now use this new API (#488).
    - Improved usage and error handling of OpenSSL/BoringSSL PRNGs. Thank you, @veorq for bringing up this issue (#485).
    - Improved memory safety and fixed potential corner-case issues in OpenSSL/BoringSSL usage. Thanks, @outspace for identifying these issues (#501, #524, #525, #535).
  - Key generation
    - Improved key validity checks across all Themis cryptosystems. Now it’s harder to use wrong keys or misuse them (#486).
    - Improved error handling for EC key generator that could produce an invalid public key without returning an error. Thanks, @vixentael for finding this issue (#500).
  - Secure Cell
  - Library ABI
    - Themis shared libraries now have a formal ABI version. This ensures that no compatibility issues arise if we ever need to introduce breaking changes in the ABI (#454).
    - Removed private symbols from public export lists. Themis has been accidentally exporting various private utility functions. Private functions not intended for public use are now hidden (#458, #472).
  - Themis now installs to `/usr/local` by default when building from source on Linux (#448).

    This may be a breaking change if your system has non-standard precedence rules. If you install Themis from source code directly, please do a clean upgrade the following way:

    ```shell
    make uninstall PREFIX=/usr
    make install PREFIX=/usr/local
    ```

    Please consider using binary repositories to install Themis. If your system or package manager is not supported yet, please let us know via [email protected].
  - Themis packages now support multiarch installations (#512).

    Multiarch enables parallel installation of 32-bit and 64-bit versions of the library. This is particularly important on CentOS where some tools like pkg-config would fail to locate Themis due to non-standard installation path.
  - Updated Makefile to support a number of standard GNU variables like `libdir` (#453, #455).
  - Improved accuracy of package dependencies to make sure you don't have to install anything manually after installing Themis from package repositories (#446).
  - NSIS installer is now available for Windows. To build NSIS installer, use `make nsis_installer` command in MSYS2 environment. You can read more about MSYS2 target here (#474).
  - Dependency updates
  - Other changes
- Android
- C++
  - ThemisPP is now available as a system package through Cossack Labs repositories (#506).

    Use `libthemispp-dev` for Debian and Ubuntu, `libthemispp-devel` for CentOS.
- Go
  - Breaking changes
    - Some APIs have been renamed to conform with the Go naming conventions (#424).

      The old names are now deprecated and scheduled for removal in the next release. Please migrate to using the new names when you upgrade.

      | Old API | New API |
      | --- | --- |
      | `cell.CELL_MODE_SEAL` | `cell.ModeSeal` |
      | `compare.COMPARE_MATCH` | `compare.Match` |
      | `keys.KEYTYPE_EC` | `keys.TypeEC` |
      | `session.STATE_ESTABLISHED` | `session.StateEstablished` |
      | `(*session.SecureSession) GetRemoteId` | `GetRemoteID` |
  - GoThemis is now compatible with Go 1.11 modules starting with this release. For example, you are now able to pin a specific version of GoThemis in your projects (#505).
- iOS, macOS
- Java
  - JNI wrapper for desktop Java does not require a separate installation of Themis Core from now on (#450).
- Node.js
- PHP
  - Updated PHP installer to use the latest Composer version (#519).
- Ruby
  - Breaking changes
    - `rubythemis` gem has been completely removed after being deprecated in Themis 0.11. Please use `require 'rbthemis'` in your projects (#508).
- Rust
  - Minor internal code style modernizations (#466).
- WebAssembly
  - WasmThemis brings Themis to Web using WebAssembly. Thank you to @ilammy for adding it.

    WasmThemis supports the full functionality of other Themis wrappers: Secure Cell, Secure Message, Secure Session, and Secure Comparator. WasmThemis package is available via npm as `wasm-themis`, sample code can be found in docs/examples/js, and the HowTo guide is available on the documentation server (#457, #461, #462, #473, #482, #489, #490, #491, #492, #494, #495, #498, #507, #513).
  - WasmThemis is tested with current Node.js LTS versions, popular Web browsers, and Electron framework. It is also tested for compatibility with other Themis wrappers (#509, #510, #511).
- Windows
  - It is now possible to compile Themis Core for Windows using MSYS2 environment. See the instructions here (#469).
  - NSIS installer is now provided for the distribution of Themis on Windows. It's compatible with the new MSYS2 builds (#474).
  - It is now possible to compile JsThemis on Windows, given that Themis Core is installed (#475).
  - Miscellaneous compatibility fixes should make it possible to compile Themis Core with Microsoft Visual Studio. This platform does not have full official support yet, though (#470, #471).
Docs:
- Themis GitHub Wiki is being deprecated. Please find the latest documentation for Themis on Cossack Labs Documentation Server. If you're used to using the Themis Wiki or have bookmarked a few pages for further use, don't worry - its pages and table of contents stay where they were, but each will now link to its corresponding Cossack Labs Documentation Server counterpart.
- Code of Conduct has been introduced to make sure that Themis project has a welcoming environment (#518).
- Improved and updated installation guides for numerous languages and platforms.
Infrastructure:
- New Makefile targets and use cases:
  - `emmake make all` builds WasmThemis in Emscripten environment (#475);
  - `make all` can be run in MSYS2 environment on Windows now (#469);
  - `make nsis_installer` builds NSIS installer for Windows binaries (#474);
  - `make deb` and `make rpm` now build ThemisPP packages, too (#506);
  - `NO_NIST_STS` environment variable can be used to disable the long-running NIST statistical test suite when doing `make test` (#456).
- Removed Makefile targets:
  - Deprecated `rubythemis` targets have been completely removed. Use `make rbthemis_install` to install RubyThemis instead (#508).
- Multiple updates in the way Themis is installed and packaged. The most significant are switch to `/usr/local` for installation from source code and added support for multiarch installation packages (Read more).
- JsThemis and WasmThemis are now tested on all current LTS versions of Node.js (#502, #510).
- Integration tests are getting stronger with WebAssembly platform being added to the suite (#511).
- CI servers are now using the latest RVM for testing RubyThemis (#503, #504).
0.11.1, April 1st 2019
TL;DR: Rust-Themis can now be installed entirely from packages (repositories and crates.io), without building anything from source.
Code:
Infrastructure:
- Minor fixes in the packaging process (#442).
0.11.0, March 28th 2019
TL;DR: Added Rust Themis, added Carthage distribution for iOS and Maven distribution for Android. Improved Secure Message API and propagated it to all our language wrappers.
We found that Themis is now recommended by OWASP as data encryption library for mobile platforms.
Breaking changes: We renamed `rubythemis` to `rbthemis` as a beginning of a tradition of gentle deprecations, with timely warning of all the users that can potentially be affected. We removed `themis_version()` function that allowed checking Themis' version at run-time (with no replacement function).
Code:
- Core
  - Fixes in Soter (low-level security core used by Themis):
    - Fixed possible null pointer dereference caused by the misuse of short-circuit evaluation. Huge thanks to @movie-travel-code for pointing out (#315, #314).
    - Fixed crash in Secure Message when RSA keys are used incorrectly (swapped or empty) – a shoutout for @ilammy and @secumod for fixing this (#334).
    - Fixed issue with RSA key generator silently truncating private keys – our gratitude going out to @ilammy and @secumod again (#335).
    - Fixed crash that occurred on re-using Secure Comparator with BoringSSL – thanks to @ilammy and @secumod for this fix (#347).
    - Fixed overflow during Secure Cell decryption in Seal mode - thanks to @ilammy and his skills in fuzz testing (#367).
    - Improved the test suite to catch more corner cases, including with OpenSSL-specific issues (#323, #319).
  - Secure Session
    - Added additional safety tests for Secure Session: return error if clientID is empty (thanks @deszip for asking tough questions and mis-using clientID) (#386).
    - Described thread safety code practices when using Secure Session.
  - Secure Message
    - Updated Secure Message API: divided the `wrap` function into `encrypt` and `sign`, and the `unwrap` function into `decrypt` and `verify`. The new API has more intuitive naming and should be harder to misuse, with encrypt/decrypt and sign/verify API clearly named and separated.

      A common mistake with the old API was that users could accidentally use sign/verify API instead of encryption because they didn't provide a private key. The new API features more strict checks and prevents this kind of mistake.

      This change doesn't affect the language wrappers you are using, so no code changes are required from you.

      Documentation for the new API calls is available in the Wiki documentation and for each language separately (in their HowTos) (#389).
    - Fixed a potential memory leak in Secure Message encryption and decryption (#398).
  - Code quality
    - Cleaned up circular dependencies in header files. This change has made the code cleaner and the compilation time faster (#392).
    - Improved code quality by fixing warnings from various compiler flags (`-Wall -Wextra -Wformat-security -Wnull-dereference -Wshift-overflow` and so on) (#377).
    - Formatted the code using `clang-format` and `clang-tidy`, added automated formatting for core and tests (#418, #399, #397, #396, #395).
  - Other changes
    - Improved and refactored our Great Makefile to be more stable, more user-friendly, and to support OS-specific issues (#417, #413, #348, #346, #345, #343, #321).
    - Removed `themis_version()` function and all related API for querying Themis and Soter versions at run-time. There is no replacement for it and this is obviously a breaking change (#388).
- Rust
  - Introduced Rust Themis wrapper, all work done by brilliant @ilammy!

    Rust Themis supports the same functionality as other Themis wrappers: Secure Cell, Secure Message, Secure Session, and Secure Comparator. Rust Themis package is available through crates.io, examples are stored in docs/examples/rust, the HowTo guide is available in Wiki (#419, #405, #403, #390, #383, #382, #381, #380, #376, #375, #374, #373, #372, #365, #363, #362, #358, #357, #356, #353, #349, #340).
- iOS and macOS
  - Added Carthage support. Now users can add Themis to their Cartfile using `github "cossacklabs/themis"`.

    More details available in Objective-C HowTo and Swift HowTo. Example projects available in docs/examples/objc and docs/examples/swift/ folders (#432, #430, #428, #427).
  - Added BoringSSL support, now users can select which crypto-engine they want to include. This change affects only Themis CocoaPod: users can add Themis based on BoringSSL to their Podfile using `pod 'themis/themis-boringssl'` (#351, #331, #330, #329).
  - Added bitcode support. This affects only Themis CocoaPod that uses OpenSSL – thanks @deszip and @popaaaandrei (#407, #355, #354).
  - Added compatibility for Swift frameworks. Now Themis can be used directly from Swift without Bridging header file, kudos to @popaaaandrei for pointing this out (#416, #415).
  - Updated code to use the latest Secure Message API (see description of core changes above). This change doesn't affect user-facing code so no code changes are required from users (#393).
  - Updated error codes and error messages for all crypto systems, now errors and logs are more user-friendly and understandable (#394, #393).
  - Improved code quality here and there (#317).
  - Dropped feature flag `SECURE_COMPARATOR_ENABLED` because it's redundant: Secure Comparator is enabled by default (#429).
- macOS specific
  - Added Homebrew support for Themis Core. Now users can install Themis Core library using `brew tap cossacklabs/tap && brew update && brew install libthemis`. This is useful when you're developing on macOS.

    More details can be found in the Installation guide.
- C++
  - Improved Secure Session memory behavior (now users can move and copy Secure Session objects and callbacks) (#370, #369).
  - Allowed to link ThemisPP as header-only library by adding "inline" functions – thanks @deszip for pushing us. Check for detailed instructions in C++ HowTo (#371).
  - Added support of smart pointer constructors for Secure Session, now users should use `std::shared_ptr<secure_session_callback_interface_t>` constructor (#378).
  - Added functions for key validation: now you can check if keypairs are valid before using them for encryption/decryption (#389).
  - Updated test suite to test C++03 and C++11 (#379).
  - Updated error codes and error messages for all crypto systems, now errors and logs are more user-friendly and understandable (#385).
  - Formatted code using `clang-format` rules and implemented some `clang-tidy` recommendations (#410, #404).
- Java
  - Updated Secure Message API: separated function `wrap` into `encrypt` and `sign`, and function `unwrap` into `decrypt` and `verify`. Old functions are still available, but will be deprecated eventually (#389).
  - Significantly improved Themis usage examples for Desktop Java - thanks to @Dimdron #3.
  - Formatted JNI code using `clang-format` rules and implemented some `clang-tidy` recommendations (#420).
- Android
  - Added Maven distribution (#361).

    The new installation process requires adding only two lines to the Maven app configuration (instead of manually re-compiling the whole Themis library)! See the updated HowTo guide in Wiki.
  - Significantly improved Themis usage examples for Android - thanks to @Dimdron #3.
  - Significantly improved Secure mobile websocket example - thanks to @sergeyzenchenko #4.
  - Formatted JNI code using `clang-format` rules and implemented some `clang-tidy` recommendations (#420).
- Go
- Node.js
  - Fixed jsthemis to be compatible with Node 10, huge thanks to @deszip (#327, #326).
  - Updated error codes and error messages for all crypto systems, now errors and logs are more user-friendly and understandable (#384).
  - Fixed memory corruption tests on i386 systems (#408).
  - Formatted native extension code using `clang-format` rules and implemented some `clang-tidy` recommendations (#412).
- PHP
- Python
  - Updated code to use the latest Secure Message API (see description of core changes above). This change doesn't affect user-facing code so no code changes are required from users (#401).
  - Updated error codes and error messages for all crypto systems, now errors and logs are more user-friendly and understandable (#401).
- Ruby
  - Updated code to use latest Secure Message API (see description of core changes above). This change doesn't affect user-facing code so no code changes are required from users (#402).
  - Updated error codes and error messages for all crypto systems, now errors and logs are more user-friendly and understandable (#402).
  - Deprecated `rubythemis` in favor of `rbthemis`. Users should use `require 'rbthemis'` in their projects (#434).
- Tests and other things
Docs:
- Described the new Secure Message API: how we divided the `wrap` function into `encrypt` and `sign`, and the `unwrap` function into `decrypt` and `verify` to make it more obvious for the users.
- Described thread safety code practices when using Secure Session.
- Improved installation guides for numerous languages.
Infrastructure:
- Added Homebrew support for Themis Core. Now users can install Themis Core library using `brew tap cossacklabs/tap && brew update && brew install libthemis`. This is useful when you're developing on macOS. More details can be found in the Installation guide.
- Added installation guide on using Docker container as a building environment for Themis: if you can't download Themis Core from packages, feel free to use Docker container for this.
0.10.0, February 6th 2018
TL;DR: Multi-platform, multi-language compatibility improved.
- If you are using Themis on x64 systems, consider upgrading every Themis library/wrapper you were using to `0.10.0`. Incompatibility issues may arise between previous Themis versions and `0.10.0` on x64 machines (#279).
- Rubythemis has breaking changes for Secure Cell Token Protect mode (#281). We added checks for other language wrappers to make sure this won't happen again (#282, #283).

Check the Migration Guide for more details.
Docs:
- Updated the descriptions of Crypto systems, added more usage examples and code samples.
- Refreshed code samples in language tutorials, made them more readable.
  Obj-C | Swift | Java and Android | Python | PHP | Ruby | C++ | Go | Node.js.
- Added human-friendly description of Secure Comparator and supplied usage examples for all languages with the exception of PHP.
Infrastructure:
- Added support of Ubuntu 17.10.
- Removed support of Ubuntu 16.10 and Ubuntu 17.04 (no more compiled binaries for these OSs now).
- Added CLI utils for easy testing of Secure Cell, Secure Message, and Key generation on local machine. Available for Python, Ruby, Go, NodeJS, and PHP. Check the Console Utils guide for more details and usage description/guide.
- Added integration test suite for the majority of the available language wrappers, which was the catalyst for many fixes in this release.
- Added support of CircleCI 2.0 with multiple workflows. This allows testing each language wrapper and integrations between them easily and quickly (#295, #299).
Code:
- Core:
- C++ wrapper:
- Added a set of unit tests (#292).
- Android wrapper:
- iOS wrapper:
- GoThemis:
- JSThemis:
- RubyThemis:
- Fixed arguments' order for Secure Cell in the Token Protect mode, which caused incompatibility with older versions of rubythemis (#281). Please check the migration guide for the details;
- Added CLI utils and integration tests that allow you to test Secure Cell, Secure Message, and Key generation on your local machine (#277, #293, #305, #306)
- PyThemis:
- PHPThemis:
- Added support of PHP 7.0, 7.1, 7.2 (#278, #280);
- Added a package for phpthemis. Now you don't need to compile it from sources. See the PHP installation guide for more details;
- Improved unit tests. Now it's easy to run tests because all the dependencies are handled by a php-composer (#284, #285, #303);
- Added a memory test suite, which allows us to keep a closer eye on PHPThemis' memory usage (#298);
- Added CLI utils and integration tests that allow you to test Secure Cell, Secure Message, and Key generation on your local machine (#277, #293, #305, #306).
0.9.6, December 14th 2017
TL;DR: OpenSSL 1.1 support.
Docs:
- Significant update of the Contributing section.
Infrastructure:
- Removed support for Ubuntu Precise.
- Fixed .rpm package versioning (#240).
- Added a handy command for preparing and running all the tests: make test (#243).
- Added small changes and updates to the Makefile to make it even better and fixed the installation of dependencies (#236, #239, #250).
Code:
- Core:
- added OpenSSL 1.1 support (#208).
- Android wrapper:
- iOS wrapper:
- GoThemis:
- JSThemis:
- PyThemis:
0.9.5, September 13th 2017
TL;DR: Mostly usability fixes for wrappers.
Infrastructure:
- You can now download pre-built Themis packages from our package server.
- Enhanced building process for MacOS (working now!) (#215).
- Enhanced building process for Debian 9.x (working even better now!).
- Updated documentation and examples to make it easier to understand.
- Now we use Bitrise as a separate CI for iOS wrapper.
- Test and code coverage are automagically measured now!
Code:
- Core: disabled SHA1 support.
- Secure Comparator: magically improved code readability (#196, #195).
- iOS wrapper: added support of dynamic frameworks and bitcode (#222, #219, #205).
- GoThemis: refactored custom error (themisError) type.
- PHP wrapper: updated tests.
- PyThemis: considerably improved example projects.
0.9.4, November 22nd 2016
This is a tiny intermediary release to lock ongoing changes in stable form for all languages:
- BoringSSL support on Android and Linux
- Fixed some leaks and code styling problems (thanks to @bryongloden)
- Memory management updates for stability in languages, which rely on sloppy GC
- Fix Themis build errors under certain conditions
- Secure Comparator examples for many languages
- Swift3 support + numerous enhancements from @valeriyvan, thanks a lot!
- GoThemis: fixed rare behavior in Secure Session wrapper
- GoThemis examples
- JsThemis syntax corrections and style fixes
- JsThemis Nan usage to enhance compatibility
- More and better Themis Server examples
- Enhanced error messages (now with proper spelling!)
- Corrections for RD_Themis
0.9.3.1, August 24th 2016
Updating podspec to be compatible with CocoaPods 1.0
0.9.3, May 24th 2016
Infrastructure:
- Lots of new high-level language wrappers
- Enhanced documentation
- Lots of various demo projects
- Updated Themis Server
- Better make system verbosity (now you can actually see what succeeded and what didn't)
- Infrastructure to build Java on all platforms
Code:
- iOS wrapper now has umbrella header.
- We added Swift language examples and howto.
- Themis wrapper for Go language: howto (examples coming soon).
- Themis wrapper for NodeJS: examples and howto.
- Google Chrome-friendly spin-off called WebThemis was released.
- Themis wrapper for C++: examples and HowTo.
- Secure Comparator got serious updates to eliminate possible security drawbacks pointed out by cryptographic community.
0.9.2, November 4th 2015
Infrastructure:
- Much better documentation
- We've introduced Themis Server, interactive environment to debug your apps and learn how Themis works.
- Tests for all platforms and languages.
- Themis is now integrated with Circle CI, which controls every repository change and tests it
- Added conditional compilation for advanced features (see 4.5 and our blog for more information)
- Doxygen-friendly comments in code
Code:
- Python Themis wrapper is now Python 3 / PEP friendly.
- Android Themis wrapper for Secure Message now works in Sign/Verify mode, too.
- PHP Themis wrapper now supports Secure Session (although with some advice on use cases, see docs).
- iOS wrapper supports iOS 9, lots of minor fixes.
- Better exceptions and verbose errors in some wrappers.
- Longer RSA keys support
- Better abstractions for cryptosystem parameters like key lengths.
- Zero Knowledge Proof-based authentication called Secure Comparator. Advanced experimental feature.