diff options
Diffstat (limited to 'doc/relnotes/1_11_1.rst')
| -rw-r--r-- | doc/relnotes/1_11_1.rst | 91 |
1 files changed, 0 insertions, 91 deletions
diff --git a/doc/relnotes/1_11_1.rst b/doc/relnotes/1_11_1.rst deleted file mode 100644 index 0e1fba4dc..000000000 --- a/doc/relnotes/1_11_1.rst +++ /dev/null @@ -1,91 +0,0 @@ -Version 1.11.1, 2012-10-30 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -TLS Enhancements and Bug Fixes -"""""""""""""""""""""""""""""""""""""""" - -Initial support for DTLS (both v1.0 and v1.2) is available in this -release, though it should be considered highly experimental. Currently -timeouts and retransmissions are not handled. - -The :cpp:class:`TLS::Client` constructor now takes the version to -offer to the server. The policy hook :cpp:class:`TLS::Policy` function -`pref_version`, which previously controlled this, has been removed. - -:cpp:class:`TLS::Session_Manager_In_Memory` now chooses a random -256-bit key at startup and encrypts all sessions (using the existing -:cpp:func:`TLS::Session::encrypt` mechanism) while they are stored in -memory. This is primarily to reduce pressure on locked memory, as each -session normally requires 48 bytes of locked memory for the master -secret, whereas now only 32 bytes are needed total. This change may -also make it slightly harder for an attacker to extract session data -from memory dumps (eg with a cold boot attack). - -The keys used in :cpp:func:`session encryption <TLS::Session::encrypt>` -were previously uniquely determined by the master key. Now the -encrypted session blob includes two 80 bit salts which are used in the -derivation of the cipher and MAC keys. - -The ``secure_renegotiation`` flag is now considered an aspect of the -connection rather than the session, which matches the behavior of -other implementations. As the format has changed, sessions saved to -persistent storage by 1.11.0 will not load in this version and vice -versa. In either case this will not cause any errors, the session will -simply not resume and instead a full handshake will occur. - -New policy hooks :cpp:func:`TLS::Policy::acceptable_protocol_version`, -:cpp:func:`TLS::Policy::allow_server_initiated_renegotiation`, and -:cpp:func:`TLS::Policy::negotiate_heartbeat_support` were added. - -TLS clients were not sending a next protocol message during a session -resumption, which would cause resumption failures with servers that -support NPN if NPN was being offered by the client. - -A bug caused heartbeat requests sent by the counterparty during a -handshake to be passed to the application callback as if they were -heartbeat responses. - -Support for TLS key material export as specified in :rfc:`5705` has -been added, available via :cpp:func:`TLS::Channel::key_material_export` - -New Feature: Public Key Strength Checking -"""""""""""""""""""""""""""""""""""""""""" - -A new function :cpp:func:`Public_Key::estimated_strength` returns -an estimate for the upper bound of the strength of the key. For -instance for an RSA key, it will return an estimate of how many -operations GNFS would take to factor the key. - -A new :cpp:class:`Path_Validation_Result` code has been added -``SIGNATURE_METHOD_TOO_WEAK``. By default signatures created with keys -below 80 bits of strength (as estimated by ``estimated_strength``) are -rejected. This level can be modified using a parameter to the -:cpp:class:`Path_Validation_Restrictions` constructor. - -SRP6 Is Picker About Values -"""""""""""""""""""""""""""""""""""""""" - -The SRP6 code was checking for invalid values as specified in -:rfc:`5054`, ones equal to zero mod p, however it would accept -negative A/B values, or ones larger than p, neither of which should -occur in a normal run of the protocol. These values are now -rejected. Credits to Timothy Prepscius for pointing out these values -are not normally used and probably signal something fishy. - -Removal of Various BigInt Functions -"""""""""""""""""""""""""""""""""""""""" - -Several :cpp:class:`BigInt` functions have been removed, including -``operator[]``, ``assign``, ``get_reg``, and ``grow_reg``. The version -of ``data`` that returns a mutable pointer has been renamed -``mutable_data``. Support for octal conversions has been removed. - -The constructor ``BigInt(NumberType type, size_t n)`` has been -removed, replaced by ``BigInt::power_of_2``. - -AES-NI Crash Fixed -"""""""""""""""""""""""""""""""""""""""" - -In 1.11.0, when compiled by GCC, the AES-NI implementation of AES-192 -would crash if the mlock-based allocator was used due to an alignment -issue. |