diff options
Diffstat (limited to 'doc')
-rw-r--r-- | doc/contributing.rst | 1 | ||||
-rw-r--r-- | doc/deprecated.txt | 5 | ||||
-rw-r--r-- | doc/news.rst | 72 | ||||
-rw-r--r-- | doc/todo.rst | 8 |
4 files changed, 57 insertions, 29 deletions
diff --git a/doc/contributing.rst b/doc/contributing.rst index a0b8daec1..0d160c680 100644 --- a/doc/contributing.rst +++ b/doc/contributing.rst @@ -38,7 +38,6 @@ Library Layout * ``entropy`` has various entropy sources * ``asn1`` is the DER encoder/decoder * ``cert/x509`` is X.509 certificates, PKCS #10 requests, OCSP -* ``cert/cvc`` is Card Verifiable Certificates (ePassport credentials) * ``tls`` contains the TLS implementation * ``filters`` is a filter/pipe API for data transforms * ``compression`` has the compression wrappers (zlib, bzip2, lzma) diff --git a/doc/deprecated.txt b/doc/deprecated.txt index bb7bb28ef..456a7e6b7 100644 --- a/doc/deprecated.txt +++ b/doc/deprecated.txt @@ -6,9 +6,11 @@ Currently deprecated: - MARS, RC2, RC5, RC6, SAFER, TEA +- ECB Cipher_Mode + - MD2, HAS-160, RIPEMD-128 -- TLS 3DES and SEED ciphersuites in TLS +- 3DES and SEED ciphersuites in TLS - DSA auth in TLS (not ECDSA) @@ -25,4 +27,3 @@ Currently deprecated: - EGD entropy source - Unix process exec entropy source - diff --git a/doc/news.rst b/doc/news.rst index 0c9018be0..6e9b88479 100644 --- a/doc/news.rst +++ b/doc/news.rst @@ -4,48 +4,68 @@ Release Notes Version 1.11.31, Not Yet Released ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* Add PKCS #11 support (GH #507) - -* Add ECIES encryption system (GH #483) +* Fix undefined behavior in Curve25519 on platforms without a native 128-bit + integer type. This was known to produce incorrect results on 32-bit ARM + under Clang. GH #532 (CVE-2016-6878) + +* If X509_Certificate::allowed_usage was called with more than one Key_Usage + set in the enum value, the function would return true if *any* of the allowed + usages were set, instead of if *all* of the allowed usages are set. + GH #591 (CVE-2016-6879) + +* Incompatible changes in DLIES: Previously the input to the KDF was + the concatenation of the (ephemeral) public key and the secret value + derived by the key agreement operation. Now the input is only the + secret value obtained by the key agreement operation. That's how it + is specified in the original paper "DHIES: An encryption scheme + based on Diffie-Hellman Problem" or in BSI technical guideline + TR-02102-1 for example. In addition to the already present + XOR-encrypion/decryption mode it's now possible to use DLIES with a + block cipher. Furthermore the order of the output was changed from + {public key, tag, ciphertext} to {public key, ciphertext, tag}. Both + modes are compatible with bouncycastle. + +* Add initial PKCS #11 support (GH #507). Currently includes a low level + wrapper to all of PKCS #11 (p11.h) and high level code for RSA and ECDSA + signatures and hardware RNG access. * Add ECKCDSA signature algorithm (#504) * Add KDF1 from ISO 18033 (GH #483) +* Add FRP256v1 curve (GH #551) + * RNG changes: NIST SP900-80's HMAC_DRBG is now the default generator for userspace RNG (AutoSeeded_RNG). HMAC_DRBG now attempts to detect use of fork (via pid checks) -* Fix undefined behavior in Curve25519 on platforms without a native 128-bit - integer type. This was known to produce incorrect results on 32-bit ARM - under Clang. GH #532 +* The X9.31 and HMAC_RNG RNGs are deprecated and will be removed in a + future release. If you need a userspace PRNG switch to HMAC_DRBG + (or AutoSeeded_RNG which is HMAC_DRBG with useful defaults). + +* Fix a bug in ANSI X9.23 padding mode, which returned one byte more + than the given block size (GH #529). * Fixes for FreeBSD (GH #517) and OpenBSD (GH #523) -* Support for getting entropy from EGD is deprecated, and will be removed in - a future release. The developers believe that it is unlikely that any modern - system requires EGD and so the code is now dead weight. If you rely on EGD - support, you should contact the developers by email or GitHub ASAP. +* New deprecations. See the full list in doc/deprecated.txt -* The TLS ciphersuites using 3DES and SEED are deprecated and will be removed in - a future release. + Support for getting entropy from EGD is deprecated, and will be + removed in a future release. The developers believe that it is + unlikely that any modern system requires EGD and so the code is now + dead weight. If you rely on EGD support, you should contact the + developers by email or GitHub ASAP. -* Support for BeOS/Haiku has not been tested in 5 years and is in an unknown state. - Unless reports are received of successful builds and use on this platform, support - for BeOS/Haiku will be removed in a future release. + The TLS ciphersuites using 3DES and SEED are deprecated and will be + removed in a future release. -* Changes in DLIES: Previously the input to the KDF was the concatenation - of the (ephemeral) public key and the secret value derived by the key - agreement operation. Now the input is only the secret value obtained - by the key agreement operation. That's how it is specified in the original - paper "DHIES: An encryption scheme based on Diffie-Hellman Problem" or in BSI - technical guideline TR-02102-1 for example. In addition to the already present - XOR-encrypion/decryption mode it's now possible to use DLIES with a block cipher. - Furthermore the order of the output was changed from {public key, tag, ciphertext} - to {public key, ciphertext, tag}. Both modes are compatible with bouncycastle. + ECB mode Cipher_Mode is deprecated and will be removed in a future + release. -* Fix a bug in ANSI X9.23 padding mode, which returned one byte more - than the given block size (GH #529). + Support for BeOS/Haiku has not been tested in 5+ years and is in an + unknown state. Unless reports are received of successful builds and + use on this platform, support for BeOS/Haiku will be removed in a + future release. Version 1.11.30, 2016-06-19 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/doc/todo.rst b/doc/todo.rst index a66c97f4f..b6c55a898 100644 --- a/doc/todo.rst +++ b/doc/todo.rst @@ -7,6 +7,14 @@ ticket on GitHub to make sure you're on the right track. Request a new feature by opening a pull request to update this file. +Documentation +---------------------------------------- + +* TPM (no docs) +* PKCS #11 (no docs) +* X.509 certs, path validation +* Specific docs covering one major topic (RSA, ECDSA, AES/GCM, ...) + CLI ---------------------------------------- |