pike.git / CHANGES

pike.git/CHANGES:1:   Pike 8: Changes since Pike 7.8 (scratch area for future release notes)   ----------------------------------------------------------------------    +    New language features   ---------------------      o Added a way to access the local, and not the overloaded,    implementation of a symbol.       As an example, given the classes:    | class Test    | {    | int a( ) { return 1; }
pike.git/CHANGES:172:      o Added a shorthand syntax for integer rages: xbit, where x is a    number between 1 and 31. This can be used as an example to indicate    that a string is 8 bits wide only: string(8bit)       This is equivalent to the range (0..255) but can be easier to parse.       Similarily int(1bit) is an alias for 'bool', and int(12bit) is    the same as int(0..4095).    +    New preprocessor features   -------------------------      o Support for the ", ##__VA_ARGS__" cpp feature.       This makes the ‘##’ token paste operator have a special meaning    when placed between a comma and a variable argument. If you write       | #define err(format, ...) f(debug)werror("ERROR: "+format, ##__VA_ARGS__)   
pike.git/CHANGES:361:       This makes things faster, it is often better to branch to a small    block of code than to have it inlined in a lot of different    locations on modern architectures.      o Faster hash-function for strings       + Also siphash24 was added and is used in case the string hash table    becomes inefficient    +    Deprecated features and modules   -------------------------------      o Tools.PEM and Tools.X409 deprecated       Use the corresponding modules in Standards.      o The built in sandbox is now deprecated       Unless somebody wants to take ownership of the feature and keep it
pike.git/CHANGES:911:    + Server:    - More forgiving MIME parsing for MSIE    - Fixed range header handling    - Fixed parsing of broken multipart/form-data data    - Added optional error_callback to attach_fd    - The response processor (response_and_finish) now treats the    reply mapping as read-only.    - Support if-none-match (etag:s)    - Ignore errors in close when destroying the object    + o Multiple threads can now call the Backend `() function (the function +  that waits for events). +  +  The first thread will be the controlling thread, and all callbacks +  will be called in it, the other threads will wake when the +  controlling thread is done. +    o dtrace support (on MacOSX)       Pike now supports dtrace events on function enter and leaving (and    when stack frames are notionally popped, for functions doing    tailrecursion).      o sizeof() now supports ADT.struct.      o Standards.JSON.encode can now get the initial indentation level    specified.
pike.git/CHANGES:951:    return significantly more random numbers, however, this means that    random_seed is a no-op on those machines.       A side-effect of this is that random_string is now actually    significantly faster on at least x86 cpu:s with rdrnd.       Note: If you want cryptographically random data please use    Crypto.Random.random_string unless you know for sure the random data    returned by the RDRND instruction is random enough.    - Crypto and SSL - -------------- +     - o Several identifiers have changed name + SSL + --- +  + o SSL now supports TLS 1.0 (SSL 3.1), TLS 1.1 and TLS 1.2. +  + o Several identifiers have changed names: +  +  SSL.alert -> SSL.Alert +  SSL.connection + SSL.handshake -> SSL.{Client,Server,}Connection +  SSL.context -> SSL.Context +  SSL.packet -> SSL.Packet +  SSL.session -> SSL.Session    SSL.sslfile -> SSL.File    SSL.sslport -> SSL.Port -  ... <add more, nilsson. :))> +  SSL.state -> SSL.State      o SSL.File: Changed client/server selection API.       Client and server operation is now selected by calling either    connect() (client-side) or accept() (server-side) after creating -  the SSL.sslfile object. +  the SSL.File object.       Blocking handshaking mode is selected by calling set_blocking()    before either of the above.    - o SNI client extension support for SSL (Server Name Indicator) + o SSL.File: Redesigned I/O state machine.    - o Standards.PEM +  This reduces the complexity and risk of bugs in the I/O handling.    -  + Added some support for encrypted PEM files + o SSL support for lots of new cipher suites added:    -  +  + AEADs and modes: +  +  - CCM and CCM-8 +  +  - CHACH20-POLY1305 +  +  - GCM +  +  + Certificates +  +  - ECDSA +  +  + Ciphers +  +  - AES and AES-256 +  +  - CAMELLIA and CAMELLIA-256 +  +  + Key exchange methods +  +  - DH and DHE +  +  - ECDH and ECDHE +  +  + All suites currently defined consisting of combinations of the above +  (and earlier existing) have been added (~190 suites in total). +  + o TLS Extensions added: +  +  + ALPN (Application Layer Protocol Negotiation) (RFC 7301). +  +  + EC Point Formats (RFC 4492). +  +  + Elliptic Curves (RFC 4492). +  +  + Encrypt then MAC. +  +  + Fallback SCSV. +  +  + Heartbeat (RFC 6520). +  +  + Max Fragment Length (RFC 6066). +  +  + Padding. +  +  + Renegotiation info (RFC 5746). +  +  + Signature Algorithms (RFC 5246). +  +  + SNI (Server Name Indicator) for both client and server (RFC 6066). +  +  + Truncated HMAC (RFC 6066). +  + o Improved protection against various SSL/TLS attacks: +  +  + BEAST protection (aka 1/(n-1)). +  +  Improve resilience against the BEAST client-side attack, +  by splitting the first data packet into two, where the +  first only contains a single byte of payload. +  +  + Heartbleed protection. +  +  The protocol code now probes the peer for the Heartbleed vulnerability, +  and aborts the connection with ALERT_insufficient_protection if so. +  +  + Lucky 13 protection. +  +  Attempts to have HMAC calculation take the same amount of time +  regardless of padding size. +  + o SSL.Context: Improved cipher suite selection: +  +  + Filtering of weak cipher suites. +  +  + Suite B (RFC 6460). +  + o SSL.Context: Support multiple concurrent certificates. +  +  This allows a server to eg have both an RSA and an ECDSA certificate. +  +  + Crypto and Nettle + ----------------- +    o Nettle refactored       CBC cipher mode is now twice as fast.    -  + o Nettle 3.0 supported. +  +  The new APIs in Nettle 3.0 are now detected and utilized. +    o Crypto.GCM       GCM (Galois Counter Mode) cipher mode added.    - o AES support added to the SSL module -  -  This adds support for the following cipher suites: -  TLS_rsa_with_aes_128_cbc_sha -  TLS_dhe_dss_with_aes_128_cbc_sha -  TLS_dhe_rsa_with_aes_128_cbc_sha -  TLS_rsa_with_aes_256_cbc_sha -  TLS_dhe_dss_with_aes_256_cbc_sha -  TLS_dhe_rsa_with_aes_256_cbc_sha -  - o SSL now supports TLS 1.0 (SSL 3.1) and TLS 1.1 -  +    o Blowfish and Serpent support fixed in Nettle      o Crypto.PGP       Added support for SHA256, SHA384 and SHA512 as hash functions.    Expose the used hash and key types in the out data      o Crypto.Arctwo       The 1-128 bit cipher Arctwo is now provided as a block cipher in    Crypto. This cipher is only intended for compatibility with OLD    third party code, and should NOT be used for new development.      o Crypto.Camellia       The 128/256 bit cipher Camellia is now available as block cipher in -  Crypto. In addition the following cipher suites have been added to -  SSL: +  Crypto.    -  TLS_rsa_with_camellia_{128,256}_cbc_{sha,sha256} -  TLS_dh_dss_with_camellia_{128,256}_cbc_{sha,sha256} -  TLS_dh_rsa_with_camellia_{128,256}_cbc_{sha,sha256} -  TLS_dhe_dss_with_camellia_{128,256}_cbc_{sha,sha256} -  TLS_dhe_rsa_with_camellia_{128,256}_cbc_{sha,sha256} -  TLS_dh_anon_with_camellia_{128,256}_cbc_{sha,sha256} + * Crypto.ECC    -  TLS_ecdhe_ecdsa_with_camellia_128_cbc_sha256 -  TLS_ecdhe_ecdsa_with_camellia_256_cbc_sha384 -  TLS_ecdh_ecdsa_with_camellia_128_cbc_sha256 -  TLS_ecdh_ecdsa_with_camellia_256_cbc_sha384 -  TLS_ecdhe_rsa_with_camellia_128_cbc_sha256 -  TLS_ecdhe_rsa_with_camellia_256_cbc_sha384 -  TLS_ecdh_rsa_with_camellia_128_cbc_sha256 -  TLS_ecdh_rsa_with_camellia_256_cbc_sha384 -  TLS_rsa_with_camellia_128_gcm_sha256 -  TLS_rsa_with_camellia_256_gcm_sha384 -  TLS_dhe_rsa_with_camellia_128_gcm_sha256 -  TLS_dhe_rsa_with_camellia_256_gcm_sha384 -  TLS_dh_rsa_with_camellia_128_gcm_sha256 -  TLS_dh_rsa_with_camellia_256_gcm_sha384 -  TLS_dhe_dss_with_camellia_128_gcm_sha256 -  TLS_dhe_dss_with_camellia_256_gcm_sha384 -  TLS_dh_dss_with_camellia_128_gcm_sha256 -  TLS_dh_dss_with_camellia_256_gcm_sha384 -  TLS_dh_anon_with_camellia_128_gcm_sha256 -  TLS_dh_anon_with_camellia_256_gcm_sha384 -  TLS_ecdhe_ecdsa_with_camellia_128_gcm_sha256 -  TLS_ecdhe_ecdsa_with_camellia_256_gcm_sha384 -  TLS_ecdh_ecdsa_with_camellia_128_gcm_sha256 -  TLS_ecdh_ecdsa_with_camellia_256_gcm_sha384 -  TLS_ecdhe_rsa_with_camellia_128_gcm_sha256 -  TLS_ecdhe_rsa_with_camellia_256_gcm_sha384 -  TLS_ecdh_rsa_with_camellia_128_gcm_sha256 -  TLS_ecdh_rsa_with_camellia_256_gcm_sha384 +  Elliptic Curve operations are now supported when compiled +  with Nettle 3.0 or later.      o Crypto.SALSA20 and Crypto.SALSA20R12       The 128/256 bit cipher SALSA20 is now available as a stream cipher    in Crypto. SALSA20R12 is SALSA20 reduced to just 12 rounds.      o Crypto.SHA3_224, Crypto.SHA3_256, Crypto.SHA3_384 and Crypto.SHA3_512       The SHA-3 secure hash algorithm has been added in multiple variants.   
pike.git/CHANGES:1073:   o Crypto.RSA and Crypto.DSA       The key generation for RSA and DSA are now done by Nettle. This    results in 90% faster key generation for RSA. Key generation for DSA    is 10 times slower, but produces better quality keys.      o Crypto.Hash       Added support for pbkdf1 from PKCS#5v1.5 and pbkdf2 from PKCS#5v2.0.    + o Standards.PEM +  +  + Added some support for encrypted PEM files +    o Standards.X509       X509 was moved from Tools to Standards and has been refactored and    bug fixed. It is now possible to extend both validation and creation    of certificates with new cipher and hash algorithms. A range of new    algorithms are supported for both RSA and DSA:       RSA MD2    RSA MD5    RSA SHA-1    RSA SHA-2-256    RSA SHA-2-384    RSA SHA-2-512    DSA SHA-1    DSA SHA-2-224    DSA SHA-2-256    -  Note that the API has changed compared with Tools.X509 and there is +  Note that the API has changed compared to Tools.X509 and there is    now a single make_selfsigned_certificate() method for both RSA and    DSA, though it takes the same arguments. In addition a hash function    and serial number can be supplied. The hash function defaults to    SHA-2-256.    - o Multiple threads can now call the Backend `() function (the function -  that waits for events). +     -  The first thread will be the controlling thread, and all callbacks -  will be called in it, the other threads will wake when the -  controlling thread is done. -  -  +    Incompatible C-level API changes   --------------------------------      o New svalue layout       The most obvious change is that the macros TYPEOF() and SUBTYPEOF()    are now actually needed to directly access the type and subtype of    an svalue, the svalues no have 'type' and 'subtype' members.       There are also a few additional macros used to set both the type and