1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
Version 1.11.0, 2012-07-19
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. note::
In this release, many new features of C++11 are being used in the
library. Currently GCC 4.7 and Clang 3.1 are known to work well.
This version of the library cannot be compiled by or used with a
C++98 compiler.
TLS and PKI Changes
""""""""""""""""""""""""""""""""""""""""
There have been many changes and improvements to TLS. The interface
is now purely event driven and does not directly interact with
sockets. New TLS features include TLS v1.2 support, client
certificate authentication, renegotiation, session tickets, and
session resumption. Session information can be saved in memory or to
an encrypted SQLite3 database. Newly supported TLS ciphersuite
algorithms include using SHA-2 for message authentication, pre shared
keys and SRP for authentication and key exchange, ECC algorithms for
key exchange and signatures, and anonymous DH/ECDH key exchange.
Support for OCSP has been added. Currently only client-side support
exists.
The API for X.509 path validation has changed, with
``x509_path_validate`` in x509path.h now handles path validation and
``Certificate_Store`` handles storage of certificates and CRLs.
Memory Container Changes
""""""""""""""""""""""""""""""""""""""""
The memory container types have changed substantially. The
``MemoryVector`` and ``SecureVector`` container types have been
removed, and an alias of ``std::vector`` using an allocator that
clears memory named ``secure_vector`` is used for key material, with
plain ``std::vector`` being used for everything else.
The technique used for mlock'ing memory on Linux and BSD systems is
much improved. Now a single page-aligned block of memory (the exact
limit of what we can mlock) is mmap'ed, with allocations being done
using a best-fit allocator and all metadata held outside the mmap'ed
range, in an effort to make best use of the very limited amount of
memory current Linux kernels allow unpriveledged users to lock.
New LZMA Compression Filter
""""""""""""""""""""""""""""""""""""""""
A filter using LZMA was contributed by Vojtech Kral. It is available
if LZMA support was enabled at compilation time by passing
``--with-lzma`` to ``configure.py``.
ECC Key Decoding Problem Resolved
""""""""""""""""""""""""""""""""""""""""
:rfc:`5915` adds some extended information which can be included in
ECC private keys which the ECC key decoder did not expect, causing an
exception when such a key was loaded. In particular, recent versions
of OpenSSL use these fields. Now these fields are decoded properly,
and if the public key value is included it is used, as otherwise the
public key needs to be rederived from the private key. However the
library does not include these fields on encoding keys for
compatability with software that does not expect them (including older
versions of botan).
|