X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=CHANGES;h=b538085098fdb0e687e0550a77ea3c303f7d4ab3;hb=ce01482e0f3b64e88eaeb4c2c4357b42351a9efe;hp=98992f5a12d8b7909197f46e15895a07b56227fd;hpb=837e1b6812d53799cff304630bc3a1a9db86b696;p=openssl.git diff --git a/CHANGES b/CHANGES index 98992f5a12..b538085098 100644 --- a/CHANGES +++ b/CHANGES @@ -4,11 +4,34 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] + *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves. + [Steve Henson] + + *) Use separate DRBG fields for internal and external flags. New function + FIPS_drbg_health_check() to perform on demand health checking. Add + generation tests to fips_test_suite with reduced health check interval to + demonstrate periodic health checking. Add "nodh" option to + fips_test_suite to skip very slow DH test. + [Steve Henson] + + *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers + based on NID. + [Steve Henson] + + *) More extensive health check for DRBG checking many more failure modes. + New function FIPS_selftest_drbg_all() to handle every possible DRBG + combination: call this in fips_test_suite. + [Steve Henson] + + *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test + and POST to handle Dual EC cases. + [Steve Henson] + *) Add support for canonical generation of DSA parameter 'g'. See FIPS 186-3 A.2.3. - *) Add support for HMAC DRBG from SP800-90. Update algorithm and POST - to handle HMAC cases. + *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and + POST to handle HMAC cases. [Steve Henson] *) Add functions FIPS_module_version() and FIPS_module_version_text() 
@@ -233,8 +256,8 @@ multi-process servers. [Steve Henson] - *) Experiemental password based recipient info support for CMS library: - implementing RFC3211. + *) Password based recipient info support for CMS library: implementing + RFC3211. [Steve Henson] *) Split password based encryption into PBES2 and PBKDF2 functions. This @@ -258,6 +281,19 @@ Changes between 1.0.0e and 1.0.1 [xx XXX xxxx] + *) Session-handling fixes: + - Fix handling of connections that are resuming with a session ID, + but also support Session Tickets. + - Fix a bug that suppressed issuing of a new ticket if the client + presented a ticket with an expired session. + - Try to set the ticket lifetime hint to something reasonable. + - Make tickets shorter by excluding irrelevant information. + - On the client side, don't ignore renewed tickets. + [Adam Langley, Bodo Moeller (Google)] + + *) Fix PSK session representation. + [Bodo Moeller] + *) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations. This work was sponsored by Intel. @@ -418,6 +454,14 @@ Changes between 1.0.0d and 1.0.0e [xx XXX xxxx] + *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted + by initialising X509_STORE_CTX properly. (CVE-2011-3207) + [Kaspar Brand ] + + *) Fix SSL memory handling for (EC)DH ciphersuites, in particular + for multi-threaded use of ECDH. (CVE-2011-3210) + [Adam Langley (Google)] + *) Fix x509_name_ex_d2i memory leak on bad inputs. [Bodo Moeller] @@ -1315,6 +1359,10 @@ Changes between 0.9.8r and 0.9.8s [xx XXX xxxx] + *) Fix SSL memory handling for (EC)DH ciphersuites, in particular + for multi-threaded use of ECDH. + [Adam Langley (Google)] + *) Fix x509_name_ex_d2i memory leak on bad inputs. [Bodo Moeller]
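Review bot: the "nodh" entry in the first hunk (Changes between 1.0.1 and 1.1.0) should make clear that a fips_test_suite run with "nodh" skips a self-test and is therefore not a complete test run; a short clause such as "(a run with nodh is not a full self-test)" would keep readers from treating such a run as a pass. In the same hunk, the Dual EC DRBG entry could name which curve and hash combinations the updated algorithm test and POST cover, in the way the ECDH selftest entry does with P-224 and B-233.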
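Review bot: in the @@ -233,8 hunk, dropping "Experimental" from the CMS password based recipient info entry changes the status of the feature without saying what was done to make it non-experimental; either state what changed (for example added test coverage or interoperability testing) or keep the original wording.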
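Review bot: in the @@ -258,6 hunk, two of the session-handling sub-items are too vague for a changelog: "Try to set the ticket lifetime hint to something reasonable" should state the value or how it is derived, and "Make tickets shorter by excluding irrelevant information" should name what is excluded, since both change what a client sees on the wire and what operators can compare against previous behaviour. The "Fix PSK session representation" entry likewise gives no indication of what was wrong or whether sessions stored under the old representation remain usable.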
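Review bot: in the @@ -418,6 hunk, the CVE-2011-3207 entry reads as if CRLs are "accepted by initialising X509_STORE_CTX properly"; reorder it to "Fix bug where CRLs with nextUpdate in the past are sometimes accepted: initialise X509_STORE_CTX properly" so cause and fix are not conflated. The attribution "[Kaspar Brand ]" also carries a stray space before the closing bracket, presumably where an affiliation or address was removed; either restore the intended text or write "[Kaspar Brand]".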
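Review bot: in the @@ -1315,6 hunk, the 0.9.8s entry for the (EC)DH memory handling fix repeats the 1.0.0e entry word for word but omits the "(CVE-2011-3210)" reference; add it here as well so readers of the 0.9.8 branch changelog can tie the fix to the advisory.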