Version 1.11.10, Not Yet Released ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * An implementation of McEliece code-based public key encryption based on INRIA's HyMES and secured against a variety of side-channels was contributed by cryptosource GmbH. The original version is LGPL but cryptosource has secured permission to release an adaptation under a BSD license. A CCA2-secure KEM scheme is also included. The implementation is further described in http://www.cryptosource.de/docs/mceliece_in_botan.pdf and http://cryptosource.de/news_mce_in_botan_en.html * Add support for TLS fallback signaling (draft-ietf-tls-downgrade-scsv-00). Clients will send a fallback SCSV if the version passed to the Client constructor is less than the latest version supported by local policy, so applications implementing fallback are protected. Servers always check the SCSV. * In previous versions a TLS::Server could service either TLS or DTLS connections depending on policy settings and what type of client hello it received. This has changed and now a Server object is initialized for either TLS or DTLS operation. The default policy previously prohibited DTLS, precisely to prevent a TCP server from being surprised by a DTLS connection. This has changed and the default policy now allows TLS v1.0 or higher or DTLS v1.2. * Fixed a bug in CCM mode which caused it to produce incorrect tags when used with a value of L other than 2. This affected CCM TLS ciphersuites, which use L=3. Thanks to Manuel Pégourié-Gonnard for the anaylsis and patch. Bugzilla 270. * DTLS now supports timeouts and handshake retransmits. * Add a TLS policy hook to disable putting the value of the local clock in hello random fields. * All compression operations previously available as Filters are now performed via the Transformation API, which minimizes memory copies. * The zlib module now also supports gzip compression and decompression. * Avoid a crash in low-entropy situations when reading from /dev/random, when select indicated the device was readable but by the time we start the read the entropy pool had been depleted. * The Miller-Rabin primality test function now takes a parameter allowing the user to directly specify the maximum false negative probability they are willing to accept. * PKCS #8 private keys can now be encrypted using GCM mode instead of unauthenticated CBC. The default remains CBC for compatability. * The default PKCS #8 encryption scheme has changed to use PBKDF2 with SHA-256 instead of SHA-1 * A specialized reducer for P-521 was added. * On Linux the mlock allocator will use MADV_DONTDUMP on the pool so that the contents are not included in coredumps. * A new interface for directly using a system-provided PRNG is available in system_rng.h. Currently only systems with /dev/urandom are supported. * Fix decoding indefinite length BER constructs that contain a context sensitive tag of zero. Github pull 26 from Janusz Chorko. * Added AltiVec detection for POWER8 processors. * Add a new install script written in Python which replaces shell hackery in the makefiles. * Various modifications to better support Visual C++ 2013 and 2015. Github issues 11, 17, 18, 21, 22.