Add changes entry for opaquifying of libssl structures

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index 0252eb570671c68678128e4c231c651b4b16d093..4b7838704c3ca30bf7de221a00e7c178dd34a201 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,11 @@
  _______________
 
  Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]
+  *) All libssl internal structures have been removed from the public header
+     files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
+     now redundant). Users should not attempt to access internal structures
+     directly. Instead they should use the provided API functions.
+     [Matt Caswell]
 
   *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
      Access to deprecated functions can be re-enabled by running config with
@@ -34,6 +39,22 @@
        MPE/iX
        Sinix/ReliantUNIX RM400
        DGUX
+       NCR
+       Tandem
+       Cray
+       16-bit platforms such as WIN16
+     [Rich Salz]
+
+  *) Start cleaning up OPENSSL_NO_xxx #define's
+       OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
+       OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
+       Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
+        Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
+        Remove MS_STATIC; it's a relic from platforms <32 bits.
+     [Rich Salz]
+
+  *) Start cleaning up dead code
+        Remove all but one '#ifdef undef' which is to be looked at.
      [Rich Salz]
 
   *) Experimental support for a new, fast, unbiased prime candidate generator,
@@ -337,6 +358,14 @@
 
  Changes between 1.0.1k and 1.0.2 [xx XXX xxxx]
 
+  *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
+     ARMv5 through ARMv8, as opposite to "locking" it to single one.
+     So far those who have to target multiple plaforms would compromise
+     and argue that binary targeting say ARMv5 would still execute on
+     ARMv8. "Universal" build resolves this compromise by providing
+     near-optimal performance even on newer platforms.
+     [Andy Polyakov]
+
   *) Accelerated NIST P-256 elliptic curve implementation for x86_64
      (other platforms pending).
      [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
@@ -662,10 +691,20 @@
   *) Abort handshake if server key exchange message is omitted for ephemeral
      ECDH ciphersuites.
 
-     Thanks to Karthikeyan Bhargavan for reporting this issue.
+     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
+     reporting this issue.
      (CVE-2014-3572)
      [Steve Henson]
 
+  *) Remove non-export ephemeral RSA code on client and server. This code
+     violated the TLS standard by allowing the use of temporary RSA keys in
+     non-export ciphersuites and could be used by a server to effectively
+     downgrade the RSA key length used to a value smaller than the server
+     certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
+     INRIA or reporting this issue.
+     (CVE-2015-0204)
+     [Steve Henson]
+
   *) Ensure that the session ID context of an SSL is updated when its
      SSL_CTX is updated via SSL_set_SSL_CTX.