Prohibit use of low level digest APIs in FIPS mode.

[oweals/openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index 9f37b80aa5f37553c7ea0542625b59282d8e55ce..4702d74f102cd1a200754efe6ea8176d45274141 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,36 @@
 
  Changes between 1.0.0d and 1.0.1  [xx XXX xxxx]
 
+  *) Low level digest APIs are not approved in FIPS mode: any attempt
+     to use these will cause a fatal error. Applications that *really* want
+     to use them can use the private_* version instead.
+     [Steve Henson]
+
+  *) Redirect cipher operations to FIPS module for FIPS builds. 
+     [Steve Henson]
+
+  *) Redirect digest operations to FIPS module for FIPS builds. 
+     [Steve Henson]
+
+  *) Update build system to add "fips" flag which will link in fipscanister.o
+     for static and shared library builds embedding a signature if needed.
+     [Steve Henson]
+
+  *) Output TLS supported curves in preference order instead of numerical
+     order. This is currently hardcoded for the highest order curves first.
+     This should be configurable so applications can judge speed vs strength.
+     [Steve Henson]
+
+  *) Add protection against ECDSA timing attacks as mentioned in the paper
+     by Billy Bob Brumley and Nicola Tuveri, see:
+
+       http://eprint.iacr.org/2011/232.pdf
+
+     [Billy Bob Brumley and Nicola Tuveri]
+
+  *) Add TLS v1.2 server support for client authentication. 
+     [Steve Henson]
+
   *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
      and enable MD5.
      [Steve Henson]