Diffstat (limited to 'doc/news.rst')
-rw-r--r--  doc/news.rst  13
1 files changed, 12 insertions, 1 deletions
diff --git a/doc/news.rst b/doc/news.rst
index 2a9fe53a6..0087782d3 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -9,6 +9,17 @@ Version 1.11.30, Not Yet Released
a MAC failure. Records like this are used by OpenSSL in TLS 1.0
connections in order to randomize the IV.
+* A bug in GCM caused incorrect results if the 32-bit counter field
+ overflowed. With a 96-bit nonce, this could only occur if 2**32
+ 128-bit blocks were encrypted. This actually exceeds the maximum
+ allowable length of a GCM plaintext.
+
+ However if a GCM nonce of any other size is used, the bug triggers
+ randomly, with increasing probability on longer messages. For
+ instance when encrypting 256 MiB of data under a random 128 bit
+ nonce, an incorrect result would be produced about 1/256 of the
+ time. With 1 MiB texts, the probability of error reduced to 1/65536.
+
* The Transform and Keyed_Transform interfaces has been removed. The
two concrete implementations of these interfaces were Cipher_Mode
and the Compressor_tkk. The Cipher_Mode interface remains unchanged
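Review bot: the new GCM entry quantifies how often the counter overflow produces a wrong result (1/256 for 256 MiB, 1/65536 for 1 MiB under a random 128-bit nonce) but says nothing about the practical consequence for users: ciphertext produced by the buggy code with a non-96-bit nonce will not decrypt correctly with the fixed code (and vice versa), and the entry should say whether that is the case and which earlier releases are affected, so readers can decide whether stored data or peers need attention. The probabilities themselves check out (256 MiB is 2**24 blocks and 1 MiB is 2**16 blocks, divided by the 2**32 counter space). Minor wording: "the probability of error reduced to 1/65536" reads as past tense next to "would be produced"; "reduces to" or "is about 1/65536" is consistent, and "128 bit nonce" should be hyphenated like "128-bit blocks" two lines above.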
@@ -37,7 +48,7 @@ Version 1.11.30, Not Yet Released
* X509_CRL previously had an option to cause it to ignore unknown
critical extensions. This has been removed.
-
+
* Added support for ChaCha stream cipher with 12 rounds.
* Add ECGDSA signature algorithm (GH #479)
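Review bot: this hunk only rewrites the blank line between the X509_CRL entry and the ChaCha entry (the removed and added lines differ solely in whitespace, presumably trailing whitespace being stripped). It is harmless, but it inflates the diffstat of a changelog commit with an unrelated cleanup; either drop it from this commit or mention the whitespace fix in the commit message so the change is self-explanatory in the history.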