Version 1.11.5, 2013-11-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* The TLS callback signatures have changed - there are now two distinct
  callbacks for application data and alerts. TLS::Client and TLS::Server have
  constructors which continue to accept the old callback and use it for both
  operations.

* The entropy collector that read from randomness devices had two bugs - it
  would break out of the poll as soon as any read succeeded, and it selected on
  each device individually. When a blocking source was first in the device list
  and the entropy pool was running low, the reader might either block in select
  until eventually timing out (continuing on to read from /dev/urandom instead),
  or read just a few bytes, skip /dev/urandom, fail to satisfy the entropy
  target, and the poll would continue using other (slower) sources. This caused
  substantial performance/latency problems in RNG heavy applications. Now all
  devices are selected over at once, with the effect that a full read from
  urandom always occurs, along with however much (if any) output is available
  from blocking sources.

* Previously AutoSeeded_RNG referenced a globally shared PRNG instance.
  Now each instance has distinct state.

* The entropy collector that runs Unix programs to collect statistical
  data now runs multiple processes in parallel, greatly reducing poll
  times on some systems.

* The Randpool RNG implementation was removed.

* All existing cipher mode implementations (such as CBC and XTS) have been
  converted from filters to using the interface previously provided by
  AEAD modes which allows for in-place message
  processing. Code which directly references the filter objects will break, but
  an adaptor filter allows usage through get_cipher as usual.

* An implementation of CCM mode from RFC 3601 has been added, as well as CCM
  ciphersuites for TLS.

* The implementation of OCB mode now supports 64 and 96 bit tags

* Optimized computation of XTS tweaks, producing a substantial speedup

* Add support for negotiating Brainpool ECC curves in TLS

* TLS v1.2 will not negotiate plain SHA-1 signatures by default.

* TLS channels now support sending a ``std::vector``

* Add a generic 64x64->128 bit multiply instruction operation in mul128.h

* Avoid potentially undefined operations in the bit rotation operations. Not
  known to have caused problems under existing compilers but might break in the
  future. Found by Clang sanitizer, reported by Jeffrey Walton.