From e1d118f4973e2d5f58971acfb8aa28f4fc3085e2 Mon Sep 17 00:00:00 2001 From: lloyd Date: Thu, 8 Jan 2015 12:57:15 +0000 Subject: Change TLS session encryption to use AES-256/GCM instead of CBC+HMAC --- doc/manual/tls.rst | 8 +++++--- doc/relnotes/1_11_13.rst | 28 ++++++++++++++++++++++------ 2 files changed, 27 insertions(+), 9 deletions(-) (limited to 'doc') diff --git a/doc/manual/tls.rst b/doc/manual/tls.rst index 0faf9e4d4..b3ec1c0ea 100644 --- a/doc/manual/tls.rst +++ b/doc/manual/tls.rst @@ -81,6 +81,7 @@ available: .. cpp:class:: TLS::Channel .. cpp:function:: size_t received_data(const byte buf[], size_t buf_size) + .. cpp:function:: size_t received_data(const std::vector& buf) This function is used to provide data sent by the counterparty (eg data that you read off the socket layer). Depending on the @@ -94,6 +95,8 @@ available: will return 0 instead. .. cpp:function:: void send(const byte buf[], size_t buf_size) + .. cpp:function:: void send(const std::string& str) + .. cpp:function:: void send(const std::vector& vec) Create one or more new TLS application records containing the provided data and send them. This will eventually result in at @@ -173,7 +176,6 @@ available: Per :rfc:`5705`, *label* should begin with "EXPERIMENTAL" unless the label has been standardized in an RFC. - .. _tls_client: TLS Clients @@ -184,7 +186,7 @@ TLS Clients .. cpp:function:: TLS::Client( \ std::function output_fn, \ std::function data_cb, \ - std::function alert_cb, + std::function alert_cb, \ std::function handshake_cb, \ TLS::Session_Manager& session_manager, \ Credentials_Manager& credendials_manager, \ @@ -279,7 +281,7 @@ TLS Servers .. cpp:function:: TLS::Server( \ std::function output_fn, \ std::function data_cb, \ - std::function alert_cb, + std::function alert_cb, \ TLS::Session_Manager& session_manager, \ Credentials_Manager& creds, \ const TLS::Policy& policy, \ diff --git a/doc/relnotes/1_11_13.rst b/doc/relnotes/1_11_13.rst index f72c0f56b..b69073859 100644 
--- a/doc/relnotes/1_11_13.rst +++ b/doc/relnotes/1_11_13.rst @@ -1,16 +1,32 @@ Version 1.11.13, Not Yet Released ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* The format of TLS sessions has changed. The PEM formatted version - now uses "TLS SESSION" instead of "SSL SESSION" as the header, - and the version number of the binary format has also changed. +* Add DTLS-SRTP negotiation defined in RFC 5764 * Add SHA-512/256 -* Add DTLS-SRTP negotiation defined in RFC 5764 +* The format of serialized TLS sessions has changed. Additiionally, PEM + formatted sessions now use the label of "TLS SESSION" instead of "SSL SESSION". + +* Serialized TLS sessions are now encrypted using AES-256/GCM instead of a + CBC+HMAC construction. + +* The cryptobox_psk module added in 1.11.4 and previously used for TLS session + encryption has been removed. + +* When sending a TLS heartbeat message, the number of pad bytes to use can now + be specified, making it easier to use for PMTU discovery. + +* If available, zero_mem now uses RtlSecureZeroMemory or memset_s instead of a + byte-at-a-time loop. + +* The functions base64_encode and base64_decode would erroneously + throw an exception if passed a zero-length input. Github issue 37. -* The Python install script added in version 1.11.10 failed to place - the headers into a versioned subdirectory. +* The Python install script added in version 1.11.10 failed to place the + headers into a versioned subdirectory. * Fix the install script when running under Python3. +* Avoid code that triggers iterator debugging asserts under MSVC 2013. Github + pull 36 from Simon Warta. -- cgit v1.2.3
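Review bot: in the tls.rst hunk at `@@ -81,6 +81,7 @@`, the added line `.. cpp:function:: size_t received_data(const std::vector& buf)` shows `std::vector` with no element type; the overload it sits beside takes `const byte buf[]`, so the new one should read `std::vector<byte>` and the angle brackets need to survive in the rendered manual. Please check the source file and the Sphinx output rather than assuming the type is implied.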
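Review bot: in the tls.rst hunk at `@@ -94,6 +95,8 @@`, the two new overloads `send(const std::string& str)` and `send(const std::vector& vec)` are added above a description written for the byte-array form ("Create one or more new TLS application records containing the provided data and send them"), with nothing said about the string overload; state that the string is sent as its raw bytes (no terminating NUL, no encoding conversion) so callers do not read "string" as implying text handling. As in the previous hunk the vector's element type is missing from the rendered line.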
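Review bot: in the tls.rst hunk at `@@ -184,7 +186,7 @@`, restoring the trailing backslash on `std::function alert_cb, \` is the real fix, since without it the remaining parameter lines are parsed as directive content instead of as the rest of the `TLS::Client(` signature. The unchanged context line just below it, `Credentials_Manager& credendials_manager, \`, misspells the parameter name; correct it to `credentials_manager` in the same change rather than leaving a typo in the now-rendered signature.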
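Review bot: in the tls.rst hunk at `@@ -279,7 +281,7 @@`, the same missing-backslash fix is applied to the `TLS::Server(` constructor and looks correct. One style point: the server's credentials parameter is named `creds` while the client's is `credendials_manager`; aligning the two names in the documented signatures would make the two constructors easier to compare.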
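Review bot: in the relnotes hunk at `@@ -1,16 +1,32 @@`, "Additiionally" in the serialized-session entry is misspelled (Additionally). More substantively, the removed entry said "and the version number of the binary format has also changed", and the replacement "The format of serialized TLS sessions has changed" drops that detail; keep it, and since the same note says sessions are now encrypted with AES-256/GCM and that the `cryptobox_psk` module previously used for session encryption has been removed, state explicitly what happens to sessions serialized by earlier releases (whether they fail to load and must be discarded), because a reader of the release notes cannot tell whether an existing session store needs to be wiped on upgrade.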