X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=df15b538bae61cd98ace148ae36e596806c9b837;hp=b1bb98699443f4ec878e5370a0116d71d9d0be13;hb=1d7d74647ac9928e1097d27e3731d62c7fcc0c35;hpb=09483c58e3b21841d2761ce90b1f12b24f814881 diff --git a/CHANGES b/CHANGES index b1bb986994..df15b538ba 100644 --- a/CHANGES +++ b/CHANGES 
@@ -4,20 +4,47 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 1999] + *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes + used (char *) instead of (void *) and had casts all over the place. + [Steve Henson] + + *) Make BN_generate_prime() return NULL on error if ret!=NULL. + [Ulf Möller] + + *) Retain source code compatibility for BN_prime_checks macro. + [Ulf Möller] + + *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to + DH_CHECK_P_NOT_SAFE_PRIME. + (Check if this is true? OpenPGP calls them "strong".) + [Ulf Möller] + *) Merge the functionality of "dh" and "gendh" programs into a new program "dhparam". The old programs are retained for now but will handle DH keys (instead of parameters) in future. [Steve Henson] - *) Apply Lutz Jaenicke's 56bit cipher patch. This should fix the problems - with cipher ordering and the new EXPORT1024 ciphers. Only two minor - changes have been made, the error reason codes have been altered and the - @STRENGTH sorting behaviour changed so eNULL ciphers are also sorted - (if present). + *) Make the ciphers, s_server and s_client programs check the return values + when a new cipher list is set. + [Steve Henson] + + *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit + ciphers. Before when the 56bit ciphers were enabled the sorting was + wrong. + + The syntax for the cipher sorting has been extended to support sorting by + cipher-strength (using the strength_bits hard coded in the tables). + The new command is "@STRENGTH" (see also doc/apps/ciphers.pod). + + Fix a bug in the cipher-command parser: when supplying a cipher command + string with an "undefined" symbol (neither command nor alphanumeric + [A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now + an error is flagged. - One other addition: the "ciphers" program didn't check the return code - of SSL_CTX_set_cipher_list(). 
- [Lutz Jaenicke modified by Steve Henson] + Due to the strength-sorting extension, the code of the + ssl_create_cipher_list() function was completely rearranged. I hope that + the readability was also increased :-) + [Lutz Jaenicke ] *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1 for the first serial number and places 2 in the serial number file. This @@ -57,8 +84,8 @@ *) Do more iterations of Rabin-Miller probable prime test (specifically, 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes - instead of only 2 for all lengths; see BN_prime_checks definition - in crypto/bn/bn.h for the complete table). This guarantees a + instead of only 2 for all lengths; see BN_prime_checks_size definition + in crypto/bn/bn_prime.c for the complete table). This guarantees a false-positive rate of at most 2^-80 (actually less because we are additionally doing trial division) for random input. [Bodo Moeller]
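Review bot: the new DH_check() entry in the first hunk (@@ -4,20 +4,47 @@) still carries an open question, '(Check if this is true? OpenPGP calls them "strong".)', so the changelog announces a renamed return code while doubting its own terminology. Resolve the question before release and name the old return code next to DH_CHECK_P_NOT_SAFE_PRIME so callers can search their code for it. In the same hunk, the parenthesis opened at '(neither command nor alphanumeric [A-Za-z0-9],' is never closed, the BN_generate_prime() entry does not say what happens to the ret the caller passed in when NULL is returned, and the rewritten cipher entry drops the earlier statement that @STRENGTH also sorts eNULL ciphers without saying whether that still holds.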
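Review bot: in the second hunk (@@ -57,8 +84,8 @@) the Rabin-Miller entry now points at 'BN_prime_checks_size definition in crypto/bn/bn_prime.c', while the entry added in the first hunk says the BN_prime_checks macro is retained for source compatibility. Add a clause saying how the two names relate and which one application code should use, since the iteration table is now referenced in a .c file rather than in crypto/bn/bn.h.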