Version 1.11.9, 2014-04-10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 * Fix a bug in primality testing introduced in 1.8.3 which caused
   only a single random base, rather than a sequence of random bases,
   to be used in the Miller-Rabin test. This increased the probability
   that a non-prime would be accepted, for instance a 1024 bit number
   would be incorrectly classed as prime with probability around
   2^-40. Reported by Jeff Marrison.

 * X.509 path validation now returns a set of all errors that occurred
   during validation, rather than immediately returning the first
   detected error. This prevents a seemingly innocuous error (such as
   an expired certificate) from hiding an obviously serious error
   (such as an invalid signature). The Certificate_Status_Code enum is
   now ordered by severity, and the most severe error is returned by
   Path_Validation_Result::result(). The entire set of status codes is
   available with the new all_statuses call.

 * Fixed a bug in OCSP response decoding which would cause an error
   when attempting to decode responses from some widely used
   responders.

 * An implementation of HMAC_DRBG RNG from NIST SP800-90A has been
   added. Like the X9.31 PRNG implementation, it uses another
   underlying RNG for seeding material.

 * An implementation of the RFC 6979 deterministic nonce generator has
   been added.

 * Fix a bug in certificate path validation which prevented successful
   validation if intermediate certificates were presented out of order.

 * Fix a bug introduced in 1.11.5 which could cause crashes or other
   incorrect behavior when a cipher mode filter was followed in the
   pipe by another filter, and that filter had a non-empty start_msg.

 * The types.h header now uses stdint.h rather than cstdint to avoid
   problems with Clang on OS X.