aboutsummaryrefslogtreecommitdiffstats
path: root/doc/relnotes/1_11_1.rst
blob: bfc513d045df85655fe5a00bbeda3f43dad33818 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
Version 1.11.1, Not Yet Released
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

TLS Enhancements and Bug Fixes
""""""""""""""""""""""""""""""""""""""""

Initial support for DTLS (both v1.0 and v1.2) is available in this
release, though it should be considered highly experimental. Currently
timeouts and retransmissions are not handled.

The :cpp:class:`TLS::Client` constructor now takes the version to
offer to the server. The policy hook :cpp:class:`TLS::Policy` function
`pref_version`, which previously controlled this, has been removed.

:cpp:class:`TLS::Session_Manager_In_Memory` now chooses a random
256-bit key at startup and encrypts all sessions (using the existing
:cpp:func:`TLS::Session::encrypt` mechanism) while they are stored in
memory. This is primarily to reduce pressure on locked memory, as each
session normally requires 48 bytes of locked memory for the master
secret, whereas now only 32 bytes are needed total. This change may
also make it slightly harder for an attacker to extract session data
from memory dumps (eg with a cold boot attack).

The keys used in :cpp:func:`session encryption <TLS::Session::encrypt>`
were previously uniquely determined by the master key. Now the
encrypted session blob includes two 80 bit salts which are used in the
derivation of the cipher and MAC keys.

The ``secure_renegotiation`` flag is now considered an aspect of the
connection rather than the session, which matches the behavior of
other implementations. As the format has changed, sessions saved to
persistent storage by 1.11.0 will not load in this version and vice
versa. In either case this will not cause any errors, the session will
simply not resume and instead a full handshake will occur.

New policy hooks :cpp:func:`TLS::Policy::acceptable_protocol_version`
and :cpp:func:`TLS::Policy::allow_server_initiated_renegotiation` were
added.

TLS clients were not sending a next protocol message during a session
resumption, which would cause resumption failures with servers that
support NPN if NPN was being offered by the client.

A bug caused heartbeat requests sent by the counterparty during a
handshake to be passed to the application callback as if they were
heartbeat responses.

Support for TLS key material export as specified in :rfc:`5057` has
been added, available via :cpp:func:`TLS::Channel::key_material_export`

New Feature: Public Key Strength Checking
""""""""""""""""""""""""""""""""""""""""""

A new function :cpp:func:`Public_Key::estimated_strength` returns
an estimate for the upper bound of the strength of the key. For
instance for an RSA key, it will return an estimate of how many
operations GNFS would take to factor the key.

A new :cpp:class:`Path_Validation_Result` code has been added
``SIGNATURE_METHOD_TOO_WEAK``. By default signatures created with keys
below 80 bits of strength (as estimated by ``estimated_strength``) are
rejected. This level can be modified using a parameter to the
:cpp:class:`Path_Validation_Restrictions` constructor.

SRP6 Is Picker About Values
""""""""""""""""""""""""""""""""""""""""

The SRP6 code was checking for invalid values as specified in RFC
5054, ones equal to zero mod p, however it would accept negative A/B
values, or ones larger than p, neither of which should occur in a
normal run of the protocol. These values are now rejected. Credits
to Timothy Prepscius for pointing out these values are not normally
used and probably signal something fishy.

Removal of Various BigInt Functions
""""""""""""""""""""""""""""""""""""""""

Several :cpp:class:`BigInt` functions have been removed, including
``operator[]``, ``assign``, ``get_reg``, and ``grow_reg``. The version
of ``data`` that returns a mutable pointer has been renamed
``mutable_data``.  Support for octal conversions has been removed.

The constructor ``BigInt(NumberType type, size_t n)`` has been
removed, replaced by ``BigInt::power_of_2``.

AES-NI Crash Fixed
""""""""""""""""""""""""""""""""""""""""

In 1.11.0, when compiled by GCC, the AES-NI implementation of AES-192
would crash if the mlock-based allocator was used due to an alignment
issue.