aboutsummaryrefslogtreecommitdiffstats
path: root/doc
Commit message (Collapse)AuthorAgeFilesLines
* Update OCSP manual, and inline to main X.509 docJack Lloyd2016-12-173-48/+116
| | | | [ci skip]
* Update the X.509 manual and add more informationRené Korthaus2016-12-171-58/+243
|
* Update todo [ci skip]Jack Lloyd2016-12-081-2/+1
|
* Update pubkey docsDaniel Neus2016-12-082-41/+71
|
* resolved invalid links to build with sphinx 1.5Never2016-12-072-2/+2
|
* Merge GH #756 Remove ECB Cipher_Mode classJack Lloyd2016-12-051-2/+0
|\
| * Remove ECB modeJack Lloyd2016-12-041-2/+0
| | | | | | | | | | | | | | Not a good thing to offer at this level. If you know what you are doing for the strange special case where it is necessary, the raw BlockCipher interface is available and probably more convenient.
* | Merge GH #745 Make --via-amalgamation an error. Improve quoting in Travis ↵Jack Lloyd2016-12-041-4/+7
|\ \ | |/ |/| | | build script
| * Adapt docs to --amalgamation changeSimon Warta2016-12-021-4/+7
| |
* | Update tls_verify_cert_chain docs to reflect OCSP stapling changesJack Lloyd2016-12-041-5/+19
|/ | | | | | GH #755 [ci skip]
* Update roadmap with plans for 2017 [ci skip]Jack Lloyd2016-11-281-0/+66
|
* Add note on rfc6979 signatures to manual [ci skip]René Korthaus2016-11-282-2/+14
|
* Note range of versions affected by CVE-2016-9132Jack Lloyd2016-11-281-0/+2
| | | | [ci skip]
* Update newsJack Lloyd2016-11-281-1/+1
|
* Fix BER decoder integer overflowJack Lloyd2016-11-281-1/+10
|\
| * Check for overflow in BER decoder EOC scanningJack Lloyd2016-11-271-1/+10
| |
* | Document TLS::Policy::require_cert_revocation_infoJack Lloyd2016-11-281-0/+20
|/
* Merge GH #739 Update docs and BSI policyJack Lloyd2016-11-261-1/+8
|\
| * Updates docs & module policyMatthias Gierlings2016-11-261-1/+8
| | | | | | | | | | | | - Added GMAC to list of supported MAC algorithms in readme.rst - Updated module policy to prevent CI crash - Added myself to credits.rst
* | Probably easy todo [ci skip]Jack Lloyd2016-11-261-0/+1
| |
* | Shuffle sections of contributing.rst [ci skip]Jack Lloyd2016-11-261-88/+78
|/
* Address review comments from @cordneyJack Lloyd2016-11-251-2/+2
| | | | | | | | | | | | Primarily doc updates but also expose some more logic in PKIX namespace, overall_status and merge_revocation_status. This allows calling more or less all of the logic used by the monolitic x509_path_validate in any way needed by an application. Add Certificate_Store_In_Memory::add_crl variant taking shared_ptr Add optional Certificate_Store_In_Memory* pointer to check_crl_online, valid CRLs are saved there.
* Move TLS cert verification callback from Credentials_Manager to TLS::CallbacksJack Lloyd2016-11-232-27/+37
| | | | | | It is the only function in C_M which is called on to process session-specific (and adversarially provided) inputs, rather than passively returning some credential which is typically not session specific.
* Merge GH #731 Add CLI docsJack Lloyd2016-11-193-12/+165
|\ | | | | | | [ci skip]
| * Minor changes and fixesJuraj Somorovsky2016-11-191-19/+23
| |
| * added CLI sectionNever2016-11-173-12/+161
| |
* | Order default TLS ECC curve preferences by performanceJack Lloyd2016-11-191-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | Moves x25519 to the front for best by-default side channel resistance, and orders remaining NIST/BP curves by performance rather than size. That means putting P-521 before P-384, since P-521 is much faster at least in Botan (due to much simpler modular reduction for P-521 prime), and Brainpools to the end due to being quite slow (no fast reductions). All of the supported curves seem strong enough, and if someone can break P-256 they can probably break P-384 as well so there doesn't seem much advantage in preferring slower curves by default.
* | Add CECPQ1 TLS ciphersuitesJack Lloyd2016-11-171-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Tested against BoringSSL (as client + server) and google.com (as client). Fix a stupid crashing bug in NewHope's BoringSSL mode. Remove unneeded error return from curve25519_donna - always returned 0. Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which means the default no-extra-configuration ciphersuite (for Botan client speaking to Botan server) is a ciphersuite which is both implemented in constant time on all platforms and (hopefully) provides post quantum security. Good Things.
* | Merge GH #721 Documentation reorg and expansionJack Lloyd2016-11-166-272/+943
|\|
| * added manual code examples and removed Nyberg-Rueppel, Rabin-Williams from docNever2016-11-161-37/+101
| |
| * Doc changes/additions: hash,symmetric crypto and pubkeyNever2016-11-116-272/+879
| |
* | Todo updates [ci skip]Jack Lloyd2016-11-161-1/+2
| |
* | Add PKCS#11 documentationDaniel Neus2016-11-142-0/+1245
|/
* Update todoJack Lloyd2016-11-071-2/+12
|
* Remove mention of GNU MP engine optionJack Lloyd2016-11-071-6/+1
| | | | | | | | Was removed in 1.11.10, but reference here remained. GH #719 Update OpenSSL requirements - 1.0.0 and all older versions are EOL [ci skip]
* Fix Sphinx formatting errorsJack Lloyd2016-11-061-3/+5
| | | | [ci skip]
* Tweak readme textsJack Lloyd2016-11-051-2/+2
| | | | [ci skip]
* Revert "Remove the Perl XS module"Jack Lloyd2016-11-051-0/+38
| | | | | | | This reverts commit 2ec08fa6b5fd270e50f8526c1c6dfaabfda66e02. The Perl wrapper was removed as unmaintained, but nobody is likely to maintain it if they don't know it exists.
* Update roadmap re 2.0Jack Lloyd2016-11-031-34/+42
| | | | [ci skip]
* Update todo [ci skip]Jack Lloyd2016-11-031-2/+3
|
* Update deprecated listJack Lloyd2016-11-031-2/+14
| | | | | | | None of these are queued for removal before 2.0, but all probably should have been removed already so get out in front of things for 2.2 [ci skip]
* Change TLS default policy to disable DSA, CCM-8, and static RSAJack Lloyd2016-11-021-18/+60
| | | | | | | | | | | | | | | Disables static RSA by default. The advantage here is twofold: enforcing forward security and protecting TLS servers from oracle attacks since by default they will never negotiate a suite which forces them to act as a decryption oracle. Some applications/users may be forced to enable RSA in order to speak with old or misconfigured peers, but these can be the exception not the default. Disable DSA and CCM-8 by default: if you need to enable these things, you know it. Adds TLS policy hooks to enforce DSA key sizes, default 2048 bits. Remove an incorrect warning about DTLS in the manual; the sequence number window check prevents this scenario from occuring.
* Fix path to news fileJack Lloyd2016-10-311-1/+1
|
* Move license and news to top level directoryJack Lloyd2016-10-313-4224/+1
| | | | | These files are important so make them easy to find for someone unpacking the tarball for the first time.
* Update 1.11.34 release notesJack Lloyd2016-10-301-7/+19
|
* Merge GH #692 Remove deprecated RNGs and entropy sourcesJack Lloyd2016-10-301-10/+0
|\
| * Remove HMAC_RNG, X9.31-RNG, BeOS stats, EGD reader, Unix process runnerJack Lloyd2016-10-281-10/+0
| | | | | | | | | | Change AutoSeeded_RNG to use SHA-384, SHA-256, SHA-3(256), or SHA-1, whichever is available (in that order).
* | Add note on status of Pipe/Filter APIJack Lloyd2016-10-291-0/+15
|/ | | | [ci skip]
* Update release notes with 1.11.34 so farJack Lloyd2016-10-281-0/+10
| | | | [ci skip]
* Fix ReST formatting [ci skip]Jack Lloyd2016-10-262-2/+2
|