author Jack Lloyd <[email protected]> 2016-10-10 01:18:18 -0400
committer Jack Lloyd <[email protected]> 2016-10-10 01:18:18 -0400
commit 35657e0f76931f0d3a333610e7065c81c35e9f1e
tree 0523bc39da4fbc13029158e759bf3cc5bf8e7844
parent 0c09ae08b0d7d5b6ac30fdf3249527040bb668e5
Update relnotes
[ci skip]
-rw-r--r-- doc/news.rst 46
-rw-r--r-- doc/todo.rst 1
2 files changed, 42 insertions, 5 deletions
diff --git a/doc/news.rst b/doc/news.rst
index ebc44e87a..ad3015082 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -4,11 +4,47 @@ Release Notes
Version 1.11.33, Not Yet Released
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-* Add support for the TLS Supported Point Formats Extension (RFC 4492).
-
-* Fix entropy source selection bug on Windows, which caused the
- CryptoAPI entropy source to be not available under its normal name
- "win32_cryptoapi" but instead "dev_random". GH #644
+* Add Certificate_Store_In_SQL which supports storing certs, keys, and
+ revocation information in a SQL database. Subclass Certificate_Store_In_SQLite
+ specializes with support for SQLite3 databases. (GH #631)
+
+* The Certificate_Store interface has been changed to deal with std::shared_ptrs
+ instead of raw pointers (GH #471 #631)
+
+* Add support for the TLS Supported Point Formats Extension from RFC 4492. Adds
+ TLS::Policy::use_ecc_point_compression policy option. If supported on both
+ sides, ECC points can be sent in compressed format, which both saves a few
+ bytes on the wire and is an inexpensive way of avoiding invalid curve attacks.
+ For uncompressed points Botan already checks that the point is on the curve so
+ invalid curve attacks are not possible in either situation, but the point
+ decompression will typically be cheaper than verifying the point is on the
+ curve. (GH #645)
+
+* Fix entropy source selection bug on Windows, which caused the CryptoAPI
+ entropy source to be not available under its normal name "win32_cryptoapi" but
+ instead "dev_random". GH #644
+
+* Accept read-only access to /dev/urandom. System_RNG previously required
+ read-write access, to allow applications to provide inputs to the system
+ PRNG. But local security policies might only allow read-only access, as is the
+ case with Ubuntu's AppArmor profile for applications in the Snappy binary
+ format. If opening read/write fails, System_RNG silently backs down to
+ read-only, in which case calls to `add_entropy` on that object will fail.
+ (GH #647 #648)
+
+* Fix use of Win32 CryptoAPI RNG as an entropy source, which was accidentally
+ disabled due to empty list of acceptable providers being specified. Typically
+ the library would fall back to gathering entropy from OS functions returning
+ statistical information, but if this functionality was disabled in the build a
+ PRNG_Unseeded exception would result. (GH #655)
+
+* Added Linux ppc64le cross compile target to Travis CI (GH #654)
+
+* If RC4 is disabled, also disable it coming from the OpenSSL provider (GH #641)
+
+* Add TLS message parsing tests (GH #640)
+
+* Updated BSI policy to prohibit DES, HKDF, HMAC_RNG (GH #649)
Version 1.11.32, 2016-09-28
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
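Review bot: In the System_RNG entry, "calls to `add_entropy` on that object will fail" does not say how they fail. Because the fallback to read-only is silent, an application that feeds input to the system PRNG needs to know whether to expect an exception or an ignored write, so the entry should state the failure mode. Two style points in the same hunk: `add_entropy` in single backticks is RST interpreted text rather than an inline literal (use double backticks), and "GH #644" lacks the parentheses used by the other entries.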
diff --git a/doc/todo.rst b/doc/todo.rst
index 4e96bb147..0fde6807d 100644
--- a/doc/todo.rst
+++ b/doc/todo.rst
@@ -44,6 +44,7 @@ Public Key Crypto, Math
External Providers, Hardware Support
----------------------------------------
+* Access to system certificate stores (Windows, OS X)
* Extend OpenSSL provider (DH, HMAC, CMAC, GCM)
* /dev/crypto provider (ciphers, hashes)
* Windows CryptoAPI provider (ciphers, hashes, RSA)
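Review bot: The added item "Access to system certificate stores (Windows, OS X)" does not say how the stores would be exposed. The news.rst part of this commit introduces Certificate_Store_In_SQL and moves Certificate_Store to std::shared_ptr, so naming Certificate_Store as the intended interface would make the entry actionable. The subject "Update relnotes" also does not mention this todo.rst change.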