More extensive DRBG health check. New function to call health check

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index b3d4c06c00ce7821857b422ef2f80b26ea61efc2..8fa3e5436625695cc87d0350c6f6f6b48abb84b2 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,11 +4,20 @@
 
  Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]
 
+  *) More extensive health check for DRBG checking many more failure modes.
+     New function FIPS_selftest_drbg_all() to handle every possible DRBG
+     combination: call this in fips_test_suite.
+     [Steve Henson]
+
+  *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
+     and POST to handle Dual EC cases.
+     [Steve Henson]
+
   *) Add support for canonical generation of DSA parameter 'g'. See 
      FIPS 186-3 A.2.3.
 
-  *) Add support for HMAC DRBG from SP800-90. Update algorithm and POST
-     to handle HMAC cases.
+  *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
+     POST to handle HMAC cases.
      [Steve Henson]
 
   *) Add functions FIPS_module_version() and FIPS_module_version_text()
@@ -431,8 +440,12 @@
 
  Changes between 1.0.0d and 1.0.0e [xx XXX xxxx]
 
+  *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
+     by initialising X509_STORE_CTX properly. (CVE-2011-3207)
+     [Kaspar Brand <ossl@velox.ch>]
+
   *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
-     for multi-threaded use of ECDH.
+     for multi-threaded use of ECDH. (CVE-2011-3210)
      [Adam Langley (Google)]
 
   *) Fix x509_name_ex_d2i memory leak on bad inputs.