Test and deprecate Themis 0.9.6 compatibility path

.circleci/config.yml

@@ -285,20 +285,23 @@ jobs:
       - checkout
       - run: git reset HEAD && git submodule sync && git submodule update --init
       - run: make
+      - run: make BUILD_PATH=build_compat WITH_SCELL_COMPAT=yes
       - run: make JAVA_HOME=/usr/lib/jvm/default-java themis_jni
       - run: sudo make install
       - run: sudo make themispp_install
       - run: sudo make pythemis_install
       - run: sudo make rbthemis_install
       - run: make ENGINE=boringssl BUILD_PATH=build_with_boringssl prepare_tests_basic
       - run: make BUILD_PATH=cover_build COVERAGE=y prepare_tests_basic
+      - run: make prepare_tests_basic BUILD_PATH=build_compat WITH_SCELL_COMPAT=yes
       - run: make prepare_tests_all
       - run: lcov --directory . --zerocounters
       # run only if CIRCLE_PR_NUMBER variable is not set (it's not pull request and COVERALLS_TOKEN will be set via circleCI for non-PR build) and COVERALLS_TOKEN is set
       # we should calculate coverage for gothemis and send report before sending coverage of main C part
       - run: '[ -z "$CIRCLE_PR_NUMBER" ] && ! [ -z "$COVERALLS_TOKEN" ] && cd $HOME/go/src/$GOTHEMIS_IMPORT && $HOME/go/bin/goveralls -v -service=circle-ci -repotoken=$COVERALLS_TOKEN || true'
       - run: sudo /sbin/ldconfig
       - run: make test
+      - run: make test BUILD_PATH=build_compat
       - run: make clean_themispp_test && CXX="g++"     CFLAGS="-std=c++03" make themispp_test && make test_cpp
       - run: make clean_themispp_test && CXX="g++"     CFLAGS="-std=c++11" make themispp_test && make test_cpp
       - run: make clean_themispp_test && CXX="g++"     CFLAGS="-std=c++14" make themispp_test && make test_cpp

.github/workflows/test-core.yaml

@@ -58,12 +58,18 @@ jobs:
       - name: Build Themis Core (BoringSSL)
         if: always()
         run: make prepare_tests_basic ENGINE=boringssl BUILD_PATH=build-boringssl
+      - name: Build Themis Core (WITH_SCELL_COMPAT)
+        if: always()
+        run: make prepare_tests_basic WITH_SCELL_COMPAT=yes BUILD_PATH=build-compat
       - name: Run test suite (OpenSSL)
         if: always()
         run: make test BUILD_PATH=build-openssl
       - name: Run test suite (BoringSSL)
         if: always()
         run: make test BUILD_PATH=build-boringssl
+      - name: Run test suite (WITH_SCELL_COMPAT)
+        if: always()
+        run: make test BUILD_PATH=build-compat
 
   examples:
     name: Code examples

CHANGELOG.md

@@ -12,6 +12,7 @@ Changes that are currently in development and have not been released yet.
 
 - Many languages received Secure Cell API overhaul with parts of the old API becoming deprecated. Refer to individual language sections for details.
 - ObjCThemis installed via Carthage is now called `objcthemis` instead of just `themis` ([read more](#0.13.0-objcthemis-rename)).
+- Themis 0.9.6 compatibility is now disabled by default ([#614](https://github.com/cossacklabs/themis/pull/614)).
 
 _Code:_
 
@@ -34,6 +35,18 @@ _Code:_
 
       provide Seal mode API that is safe to use with passphrases ([#577](https://github.com/cossacklabs/themis/pull/577)).
 
+  - **Breaking changes**
+
+    - Secure Cell compatibility with Themis 0.9.6 is now disabled by default ([#614](https://github.com/cossacklabs/themis/pull/614)).
+
+      Old versions of Themis on 64-bit platforms have been using incorrect encryption algorithm with resulted in Secure Cells that cannot be decrypted on 32-bit machines (see [#279](https://github.com/cossacklabs/themis/pull/279) for details).
+
+      Themis 0.10 and later versions include a fix for that issue and compatiblity workaround that allows to decrypt data encrypted by Themis 0.9.6 on 64-bit platforms. This workaround was enabled by default and could be disabled by setting the `NO_SCELL_COMPAT` varible.
+
+      Since Themis 0.13 the workaround for Themis 0.9.6 compatibility is *disabled* by default (since it has performance implications). It can be enabled if needed by compling with `WITH_SCELL_COMPAT`.
+
+      We are planning to **remove** the workaround completely after Themis 0.9.6 reaches end-of-life in December 2020. Please use this time to migrate existing data if you have been using Themis 0.9.6. To migrate the data, decrypt it and encrypt it back with the latest Themis version.
+
 - **C++**
 
   - Secure Cell API updates ([#588](https://github.com/cossacklabs/themis/pull/588))

Makefile

@@ -348,7 +348,8 @@ LDFLAGS += $(SANITIZERS)
 
 # Binary format compatibility with Themis 0.9.6 on x86_64 architecture.
 # https://github.com/cossacklabs/themis/pull/279
-ifeq ($(NO_SCELL_COMPAT),)
+# Themis 0.9.6 is going EOL on 2020-12-13 so it can be removed after that.
+ifneq ($(WITH_SCELL_COMPAT),)
 	CFLAGS += -DSCELL_COMPAT
 endif