Botan (Japanese for peony flower) is a cryptography library released under the permissive Simplified BSD license.
Botan’s goal is to be the best option for production cryptography by offering the tools necessary to implement a range of practical systems, such as TLSv1.3, X.509 PKI, modern AEAD ciphers, support for PKCS#11 and TPM hardware, memory-hard password hashing, and post quantum cryptography. All of this is covered by an extensive test suite, including an automated system for detecting side channels. The modular build system allows enabling or disabling features in a fine-grained way, and amalgamation builds are also supported.
It comes out of the box with C++, C, and Python APIs, and several other language bindings are available. The library is accompanied by a featureful command line interface. Consult the documentation for more information.
Recent Releases
3.8.0 27 Aug 2025 22:05
major feature:
Discussion has started regarding plans for Botan4, current ETA 2027. Check the
tracking in https://github.com/randombit/botan//4666 for the
current plans.
Ongoing elliptic curve optimizations and cleanups.
Add support for extended private keys in ML-KEM to handle certain implementations
which do not use the seed encoding.
Add support for SHA-512 instructions added in upcoming Intel processors.
Add support for SM4 instructions added in upcoming Intel processors.
The SHA-1 implementation using SSE2 has been extended to support NEON and LoongArch LSX.
Add SHA-256 and SHA-512 implementations using AVX2/BMI2.
Add SHA-512 implementation using AVX-512/BMI2.
Add SHA-256 implementation using SSSE3 or NEON for message expansion.
The default TLS policy now prefers AES/GCM over ChaCha20Poly1305.
Add support for TLS 1.3 post-quantum KEM secp384r1/ML-KEM-1024.
in the server-side implementation of TLS 1.3 post-quantum hybrid
encryption which affected ciphersuites using NIST curves.
Previously `build.h` included various parameters which could be modified by
end users prior to compilation. These have been removed.
Previously `build.h` had macros reflecting various information about the
target system, such as `BOTAN_TARGET_OS_IS_LINUX`. Now all such macros have
been moved to a new internal header. This allows sharing all installed
headers, including `build.h`, across multiple different builds of the
library, as long as they all have the same version and module selection. This
simplifies vendoring the library.
Various headers have been modified to minimize the number of inclusions they
make. You may need to modify your application to directly include any headers
which up until now had been implicitly pulled in.
Add an FFI example which also works as a test in CI that prevents accidentally
making changes to `ffi.h` or `build.h` that make them incompatible with C.
Add new FFI functions regarding stateful private keys, OIDS,
and EC_Group.
Ad
3.9.0 08 Aug 2025 03:15
major feature:
Add SHA-1 implementation using AVX2/BMI2.
Add Camellia implementation using GFNI/AVX2.
Add SHACAL2 implementation using AVX512.
The eFrodoKEM TLS 1.3 ciphersuites have changed the suite code to match changes
in OQS.
Add support for TLS 1.2 NULL cipher suites. These suites are disabled in the
build by default, enable `tls_null` module to use.
Add support for X.509 extensions from RFC 3779.
Elliptic curve improvements.
Add `EC_Scalar::hash` following RFC 9380's hash_to_field.
Modify the OID lookup system to use a static switch for builtin OIDs.
Optimizations for X448 and Ed448.
Modify `BOTAN_CLEAR_CPUID` so that clearing `ssse3` also disables AVX2/AVX512.
Remove various internal references to "EMSA", an obsolete term used for RSA
signature padding that originates from IEEE 1363.
Enable support for GCC's "strub" stack clearing. This is disabled by default, use
the `--enable-stack-scrubbing` option to turn on.
Use `std::span` in the internal block cipher padding mode interfaces.
Properly check DNS label length restrictions when checking wildcards.
Work around a GCC 13/14 miscompilation when LTO is used.
a preventing building `System_RNG` with only `getrandom` enabled.
Document the specific threat model the library uses.
Remove `configure.py` options to disable specific CPU instructions.
Remove `configure.py` option `--with-local-config`.
Add a better interface for encoding optional ASN.1 elements using `std::optional`.
Internal cleanups relating to multiprecision integers.
Resolve many warnings from `clang-tidy`.
CMake improvements.
CI improvements.
3.8.1 05 Jul 2025 03:15
minor bugfix:
a that prevented building using the `fips140` or `modern` module.
Policies.
a missing include that caused compilation failures with libc++20.
3.7.1 09 Feb 2025 03:15
minor feature:
Revert a change that prevented `build.h` from being usable from
C applications.
3.7.0 05 Feb 2025 12:05
minor feature:
* Add post-quantum scheme Classic McEliece (GH #3883 #4448 #4458 #4508 #4605)
* In TLS enable the hybrid x25519/ML-KEM-768 post quantum secure key
exchange by default for clients and servers. (GH #4305)
* Support for the pre-standard Kyber-r3 key exchange has been removed from TLS
(GH #4507 #4403)
* In TLS add support for "pure" ML-KEM key exchange, in addition
to the existing hybrid ML-KEM + EC suites. (GH #4393)
* Add new EC key constructors (GH #4437 #4563)
* Internal EC optimizations and improvements (GH #4385 #4432 #4436
#4492 #4479 #4510 #4511 #4512 #4517 #4518 #4532 #4533 #4549 #4550
#4552 #4556 #4557 #4564 #4566 #4570 #4601 #4604 #4608 #4619 #4624 #4626)
* An important note relating to EC groups, especially for users who do not build
the library using the default module settings (i.e. using ``--minimized-build``
or ``--disable-deprecated-features``). Until 3.7.0, including support for an
elliptic curve algorithm such as ECDSA also implicitly pulled in support for
all elliptic curves. This is no longer the case. You can re-enable support for
specific named curves by adding a ``pcurves`` module, for example
``pcurves_secp256r1`` or ``pcurves_brainpool384r1``. Also in 3.7.0, the old
BigInt based EC arithmetic implementation was moved to ``legacy_ec_point``,
which is marked as deprecated. Disabling this module will disable support for
certain (also deprecated) elliptic curves such as "x962_p239v1" and
"secp224k1". It will also disable support for application specific
curves. Depending on your usage you may need to enable the ``legacy_ec_point``
module. (GH #4027)
* Change OID formatting and PK signature padding naming to avoid
obsolete IEEE 1363 naming (GH #4600)
* Improve performance of RSA private key parsing (GH #4588)
* Fix a regression introduced in 3.6.0 which would cause many P-521
secret keys to be rejected as invalid due to not having the expected
length. (GH #4541 #4539)
* Add new operations to EC_AffineP