Add description in X509_STORE manipulation

[oweals/openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index c5cd38b6fddd59f8b853e2732b70679d46dc0ab2..2cb84d4507cb0e4784f928d3542dc89b90bd8ad7 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,29 @@
 
  Changes between 1.1.1c and 1.1.1d [xx XXX xxxx]
 
 
  Changes between 1.1.1c and 1.1.1d [xx XXX xxxx]
 

+  *) Correct the extended master secret constant on EBCDIC systems. Without this
+     fix TLS connections between an EBCDIC system and a non-EBCDIC system that
+     negotiate EMS will fail. Unfortunately this also means that TLS connections
+     between EBCDIC systems with this fix, and EBCDIC systems without this
+     fix will fail if they negotiate EMS.
+     [Matt Caswell]
+
+  *) Use Windows installation paths in the mingw builds
+
+     Mingw isn't a POSIX environment per se, which means that Windows
+     paths should be used for installation.
+     (CVE-2019-1552)
+     [Richard Levitte]
+
+  *) Changed DH parameters to generate the order q subgroup instead of 2q.
+     Previously generated DH parameters are still accepted by DH_check
+     but DH_generate_key works around that by clearing bit 0 of the
+     private key for those. This avoids leaking bit 0 of the private key.
+     [Bernd Edlinger]
+
+  *) Significantly reduce secure memory usage by the randomness pools.
+     [Paul Dale]
+

   *) Revert the DEVRANDOM_WAIT feature for Linux systems
 
      The DEVRANDOM_WAIT feature added a select() call to wait for the
   *) Revert the DEVRANDOM_WAIT feature for Linux systems
 
      The DEVRANDOM_WAIT feature added a select() call to wait for the


@@ -346,7 +369,7 @@
         SSL_set_ciphersuites()
      [Matt Caswell]
 
         SSL_set_ciphersuites()
      [Matt Caswell]
 

-  *) Memory allocation failures consistenly add an error to the error
+  *) Memory allocation failures consistently add an error to the error

      stack.
      [Rich Salz]
 
      stack.
      [Rich Salz]
 


@@ -6884,7 +6907,7 @@
      reason texts, thereby removing some of the footprint that may not
      be interesting if those errors aren't displayed anyway.
 
      reason texts, thereby removing some of the footprint that may not
      be interesting if those errors aren't displayed anyway.
 

-     NOTE: it's still possible for any application or module to have it's
+     NOTE: it's still possible for any application or module to have its

      own set of error texts inserted.  The routines are there, just not
      used by default when no-err is given.
      [Richard Levitte]
      own set of error texts inserted.  The routines are there, just not
      used by default when no-err is given.
      [Richard Levitte]


@@ -8850,7 +8873,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]
 
   *) New function OPENSSL_cleanse(), which is used to cleanse a section of
  Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]
 
   *) New function OPENSSL_cleanse(), which is used to cleanse a section of

-     memory from it's contents.  This is done with a counter that will
+     memory from its contents.  This is done with a counter that will

      place alternating values in each byte.  This can be used to solve
      two issues: 1) the removal of calls to memset() by highly optimizing
      compilers, and 2) cleansing with other values than 0, since those can
      place alternating values in each byte.  This can be used to solve
      two issues: 1) the removal of calls to memset() by highly optimizing
      compilers, and 2) cleansing with other values than 0, since those can