Fix the ChangeLog for clarity, english and credit
diff --git a/ChangeLog b/ChangeLog
index 0af942b..24020fb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,38 +3,40 @@
= mbed TLS 2.1.x branch released xxxx-xx-xx
Security
- * Fix a bug in the X.509 module potentially leading to a buffer overread
- during CRT verification or to invalid or omitted checks for certificate
- validity. The former can be triggered remotely, while the latter requires
- a non DER-compliant certificate correctly signed by a trusted CA, or a
- trusted CA with a non DER-compliant certificate. Found by luocm on GitHub.
- Fixes #825.
- * Fix buffer length assertion in the ssl_parse_certificate_request()
- function which leads to an arbitrary overread of the message buffer. The
- overreads could occur upon receiving a message malformed at the point
- where an optional signature algorithms list is expected in the cases of
- the signature algorithms section being too short. In the debug builds
- the overread data is printed to the standard output.
+ * Fix an issue in the X.509 module which could lead to a buffer overread
+ during certificate validation. Additionally, the issue could also lead to
+ unnecessary callback checks being made or to some validation checks to be
+ omitted. The overread could be triggered remotely, while the other issues
+ would require a non DER-compliant certificate to be correctly signed by a
+ trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
+ luocm. Fixes #825.
+ * Fix the buffer length assertion in the ssl_parse_certificate_request()
+ function which led to an arbitrary overread of the message buffer. The
+ overreads could be caused by receiving a malformed message at the point
+ where an optional signature algorithms list is expected when the signature
+ algorithms section is too short. In builds with debug output, the overread
+ data is output with the debug data.
* Fix a client-side bug in the validation of the server's ciphersuite choice
- potentially leading to the client accepting a ciphersuite it didn't offer
- or one that cannot be used with the (D)TLS version chosen by the server.
- This may lead to corruption of internal data structures for some
- configurations.
+ which could potentially lead to the client accepting a ciphersuite it didn't
+ offer or a ciphersuite that cannot be used with the TLS or DTLS version
+ chosen by the server. This could lead to corruption of internal data
+ structures for some configurations.
Bugfix
* Add missing dependencies in test suites that led to build failures
in configurations that omit certain hashes or public-key algorithms.
Fixes #1040.
* Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
- MBEDTLS_VERSION_FEATURES in test suites. Contributed by Deomid Ryabkov.
- Fixes #1299, #1475.
- * Fix dynamic library building process with Makefile on Mac OS X. Fixed by
- mnacamura.
+ MBEDTLS_VERSION_FEATURES in some test suites. Contributed by
+ Deomid Ryabkov. Fixes #1299, #1475.
+ * Fix the Makefile build process for building shared libraries on Mac OS X.
+ Fixed by mnacamura.
* Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was
- unable to parse keys with only the optional parameters field of the
- ECPrivateKey structure. Found by jethrogb, fixed in #1379.
- * Return plaintext data sooner on unpadded CBC decryption, as stated in
- the mbedtls_cipher_update() documentation. Contributed by Andy Leiserson.
+ unable to parse keys which had only the optional parameters field of the
+ ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
+ * Return the plaintext data more quickly on unpadded CBC decryption, as
+ stated in the mbedtls_cipher_update() documentation. Contributed by
+ Andy Leiserson.
* Fix overriding and ignoring return values when parsing and writing to
a file in pk_sign program. Found by kevlut in #1142.
* Fix buffer length assertions in the ssl_parse_certificate_request()
@@ -53,10 +55,11 @@
* Provide an empty implementation of mbedtls_pkcs5_pbes2() when
MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
without PBES2. Fixed by Marcos Del Sol Vives.
- * Improve the documentation of mbedtls_net_accept(). Contributed by Ivan Krylov.
+ * Improve the documentation of mbedtls_net_accept(). Contributed by Ivan
+ Krylov.
* Improve the documentation of mbedtls_ssl_write(). Suggested by
Paul Sokolovsky in #1356.
- * Add an option in the makefile to support ar utilities where the operation
+ * Add an option in the Makefile to support ar utilities where the operation
letter must not be prefixed by '-', such as LLVM. Found and fixed by
Alex Hixon.
* Allow configuring the shared library extension by setting the DLEXT