X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=b538085098fdb0e687e0550a77ea3c303f7d4ab3;hp=e68cc7b3c143d87f4852fa9f2240927d4aab22d5;hb=e15acd9d9efcfd537996a5910c9f32afc5b84d9e;hpb=e7928282d0148af5f28fa3437a625a2006af0214 diff --git a/CHANGES b/CHANGES index e68cc7b3c1..b538085098 100644 --- a/CHANGES +++ b/CHANGES @@ -4,11 +4,34 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] + *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves. + [Steve Henson] + + *) Use separate DRBG fields for internal and external flags. New function + FIPS_drbg_health_check() to perform on demand health checking. Add + generation tests to fips_test_suite with reduced health check interval to + demonstrate periodic health checking. Add "nodh" option to + fips_test_suite to skip very slow DH test. + [Steve Henson] + + *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers + based on NID. + [Steve Henson] + + *) More extensive health check for DRBG checking many more failure modes. + New function FIPS_selftest_drbg_all() to handle every possible DRBG + combination: call this in fips_test_suite. + [Steve Henson] + + *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test + and POST to handle Dual EC cases. + [Steve Henson] + *) Add support for canonical generation of DSA parameter 'g'. See FIPS 186-3 A.2.3. - *) Add support for HMAC DRBG from SP800-90. Update algorithm and POST - to handle HMAC cases. + *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and + POST to handle HMAC cases. [Steve Henson] *) Add functions FIPS_module_version() and FIPS_module_version_text() @@ -233,8 +256,8 @@ multi-process servers. [Steve Henson] - *) Experiemental password based recipient info support for CMS library: - implementing RFC3211. + *) Password based recipient info support for CMS library: implementing + RFC3211. [Steve Henson] *) Split password based encryption into PBES2 and PBKDF2 functions. This @@ -258,6 +281,19 @@ Changes between 1.0.0e and 1.0.1 [xx XXX xxxx] + *) Session-handling fixes: + - Fix handling of connections that are resuming with a session ID, + but also support Session Tickets. + - Fix a bug that suppressed issuing of a new ticket if the client + presented a ticket with an expired session. + - Try to set the ticket lifetime hint to something reasonable. + - Make tickets shorter by excluding irrelevant information. + - On the client side, don't ignore renewed tickets. + [Adam Langley, Bodo Moeller (Google)] + + *) Fix PSK session representation. + [Bodo Moeller] + *) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations. This work was sponsored by Intel. @@ -418,8 +454,12 @@ Changes between 1.0.0d and 1.0.0e [xx XXX xxxx] + *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted + by initialising X509_STORE_CTX properly. (CVE-2011-3207) + [Kaspar Brand ] + *) Fix SSL memory handling for (EC)DH ciphersuites, in particular - for multi-threaded use of ECDH. + for multi-threaded use of ECDH. (CVE-2011-3210) [Adam Langley (Google)] *) Fix x509_name_ex_d2i memory leak on bad inputs.