Themis 0.11.1 release

New Themis is greatly improved and sparkly with additions. We are proud to introduce Rust-Themis – full support of Themis for Rust. Rust-Themis works with all four crypto-systems: Secure Cell for storing data securely, Secure Message for encrypting and signing envelopes, Secure Session for encrypting session communications and Secure Comparator for zero-knowledge authentication. All Rust-Themis components can be installed from crates.io. Jump to the Rust How-To guide to learn more.

In addition to Rust-Themis, in the new version of Themis we’ve made installing easier than ever: macOS users can install Themis from Homebrew, iOS users can use Carthage (in addition to CocoaPods) and Android users can get Themis directly from Maven repositories

More goodies for developers! Better error logs – now it’s easier to understand what’s wrong: maybe you took wrong keys or maybe the data is null? Next, we extended Secure Message API – it has more intuitive naming and should be harder to misuse, with encrypt/decrypt and sign/verify API clearly named and separated.

We also found out that Themis is now recommended by OWASP as data encryption library for mobile platforms.

Read the rest of the update details below, or:

Core

  • Fixes in Soter (low-level security core used by Themis):
    • Fixed possible null pointer dereference caused by the misuse of short-circuit evaluation. Huge thanks to @movie-travel-code for pointing out (#315, #314).
    • Fixed crash in Secure Message when RSA keys are used incorrectly (swapped or empty) – a shoutout to @ilammy and @secumod for fixing this (#334).
    • Fixed issue with RSA key generator silently truncating private keys – our gratitude going out to @ilammy and @secumod again (#335).
    • Fixed crash that occurred on re-using Secure Comparator with BoringSSL – thanks @ilammyand @secumod for this fix (#347).
    • Fixed overflow during Secure Cell decryption in Seal mode – thanks to @ilammy and his skills in fuzz testing (#367).
    • Improved the test suite to catch more corner cases, including with OpenSSL-specific issues (#323, #319).
  • Secure Session
    • Added additional safety tests for Secure Session: return error if clientID is empty (thanks @deszip for asking tough questions and misusing clientID) (#386).
    • Described thread safety code practices when using Secure Session.
  • Secure Message
    • Updated Secure Message API: divided the wrap function into encrypt and sign, and the unwrap function into decrypt and verify. The new API has more intuitive naming and should be harder to misuse, with encrypt/decrypt and sign/verify API clearly named and separated.
    • A common mistake with the old API was that users could accidentally use sign/verify API instead of encryption because they didn't provide a private key. The new API features more strict checks and prevents this kind of mistake.
    • This change doesn't affect the language wrappers you are using, so no code changes are required from you.
    • Documentation for the new API calls is available in the Wiki documentation and for each language separately (in their Howtos) (#389).
    • Fixed a potential memory leak in Secure Message encryption and decryption (#398).
  • Code quality
    • Cleaned up circular dependencies in header files. This change has made the code cleaner and the compilation time faster (#392).
    • Improved code quality by fixing warnings from various compiler flags (-Wall -Wextra -Wformat-security -Wnull-dereference -Wshift-overflow and so on) (#377).
    • Formatted the code using clang-format and clang-tidy, added automated formatting for core and tests (#418, #399, #397, #396, #395).
  • Other changes
    • Improved and refactored our Great Makefile to be more stable, more user-friendly, and to support OS-specific issues (#417, #413, #348, #346, #345, #343, #321).
    • Removed themis_version() function and all related API for querying Themis and Soter versions at run-time. There is no replacement for it and this is obviously a breaking change (#388).

    Rust

    iOS and macOS

    • Added Carthage support. Now users can add Themis to their Cartfile using github "cossacklabs/themis".

    • More details available in Objective-C Howto and Swift Howto on wiki. Example projects available in docs/examples/objc and docs/examples/swift/ folders (#432, #430, #428, #427).

    • Added BoringSSL support, now users can select which crypto-engine they want to include. This change affects only Themis CocoaPod: users can add Themis based on BoringSSL to their Podfile using pod 'themis/themis-boringssl' (#351, #331, #330, #329).

    • Added bitcode support. This affects only Themis CocoaPod that uses OpenSSL – thanks @deszip and @popaaaandrei (#407, #355, #354).

    • Added compatibility for Swift frameworks. Now Themis can be used directly from Swift without Bridging header file, kudos to @popaaaandrei for pointing on this out (#416, #415).

    • Updated code to use the latest Secure Message API (see description of core changes above). This change doesn't affect user-facing code so no code changes are required from users (#393).

    • Updated error codes and error messages for all crypto systems, now errors and logs are more user-friendly and understandable (#394, #393).

    • Improved code quality here and there (#317).

    • Dropped feature flag SECURE_COMPARATOR_ENABLED because it's redundant: Secure Comparator is enabled by default (#429).

    macOS-specific

    • Added Homebrew support for Themis Core. Now users can install Themis Core library using brew tap cossacklabs/tap && brew update && brew install libthemis. This is useful when you're developing on macOS. More details can be found in the Installation guide.

    C++

    • Improved Secure Session memory behaviour (now users can move and copy Secure Session objects and callbacks) (#370, #369).

    • Allowed to link ThemisPP as a header-only library by adding "inline" functions – thanks @deszip for pushing us. Check for detailed instructions in C++ wiki (#371).

    • Added support of smart pointer constructors for Secure Session, now users should use std::shared_ptr<secure_session_callback_interface_t> constructor (#378).

    • Added functions for key validation: now you can check if keypairs are valid before using it for encryption/decryption (#389).

    • Updated test suite to test C++03 and C++11 (#379).

    • Updated error codes and error messages for all cryptosystems, now errors and logs are more user-friendly and understandable (#385).

    • Formatted code using clang-format rules and implemented some clang-tidy recommendations (#410, #404).

    Java

    • Updated Secure Message API: separated function wrap into encrypt and sign, and function unwrap into decrypt and verify. Old functions are still available, but will be deprecated eventually (#389).

    • Significantly improved Themis usage examples for Desktop Java - thanks to @Dimdron #3.

    • Formatted JNI code using clang-format rules and implemented some clang-tidy recommendations (#420).

    Android

    Go

    • Updated code to use the latest Secure Message API (see the description of core changes above). This change doesn't affect user-facing code so no code changes are required from users (#400).

    • Formatted code and fixed gofmt and golint warnings (#426, #424, #432, #422).

    Node.js

    • Fixed jsthemis to be compatible with Node 10, huge thanks to @deszip (#327, #326).

    • Updated error codes and error messages for all crypto systems, now errors and logs are more user-friendly and understandable (#384).

    • Fixed memory corruption tests on i386 systems (#408).

    • Formatted native extension code using clang-format rules and implemented some clang-tidy recommendations (#412).

    PHP

    • Updated PHP installer to use the latest Composer installer (#360, #328).

    Python

    • Updated code to use the latest Secure Message API (see the description of core changes above). This change doesn't affect user-facing code so no code changes are required from users (#401).

    • Updated error codes and error messages for all cryptosystems, now errors and logs are more user-friendly and understandable (#401).

    Ruby

    • Updated code to use the latest Secure Message API (see the description of core changes above). This change doesn't affect user-facing code so no code changes are required from users (#402).

    • Updated error codes and error messages for all cryptosystems, now errors and logs are more user-friendly and understandable (#402).

    • Deprecated rubythemis in favour of rbthemis. Users should use require 'rbthemis' in their projects (#434).

    Tests and other things

    • Added tools for fuzzing testing and tests on Themis Core (#421, #368, #366, #364).

    • Updated BoringSSL submodule configuration to use Clang while building (#352).

    • Updated NIST test suite: improved readability, maintainability, and output of NIST STS makefile, added build files to gitignore (#414).

    Docs

    • Described the new Secure Message API: how we divided the wrap function into encrypt and sign, and the unwrap function — into decrypt and verify to make it more obvious for the users.

    Important! This is the last time when the latest documentation version is available in the Cossack Labs GitHub Wiki. Starting with the next release, GitHub Wiki documentation for Themis will be deprecated in favour of the Documentation server. You can already find a lot of useful info there, i.e. the Interactive Themis Server Simulator — remote debugging server for Themis.

    • Added Homebrew support for Themis Core. Now users can install Themis Core library using brew tap cossacklabs/tap && brew update && brew install libthemis. This is useful when you're developing on macOS. More details can be found in the Installation guide.

    • Added installation guide on using Docker container as a building environment for Themis: if you can't download Themis Core from packages, feel free to use Docker container for this.

    See the changelog for the full list of changes and other information about the new Themis versions (0.11.0 and 0.11.1).

    Need cryptographic help? Consult with our engineers.

Copyright © 2014-2019 Cossack Labs Limited
Cossack Labs is a privately-held British company with a team of data security experts based in Kyiv, Ukraine.