Fix the ChangeLog for clarity, english and credit

ChangeLog

@@ -3,43 +3,46 @@ mbed TLS ChangeLog (Sorted per branch, date)
 = mbed TLS x.x.x branch released xxxx-xx-xx
 
 Security
-   * Fix a bug in the X.509 module potentially leading to a buffer overread
+   * Fix an issue in the X.509 module which could lead to a buffer overread
-     during CRT verification or to invalid or omitted checks for certificate
+     during certificate validation. Additionally, the issue could also lead to
-     validity. The former can be triggered remotely, while the latter requires
+     unnecessary callback checks being made or to some validation checks to be
-     a non DER-compliant certificate correctly signed by a trusted CA, or a
+     omitted. The overread could be triggered remotely, while the other issues
-     trusted CA with a non DER-compliant certificate. Found by luocm on GitHub.
+     would require a non DER-compliant certificate to be correctly signed by a
-     Fixes #825.
+     trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
-   * Fix buffer length assertion in the ssl_parse_certificate_request()
+     luocm. Fixes #825.
-     function which leads to an arbitrary overread of the message buffer. The
+   * Fix the buffer length assertion in the ssl_parse_certificate_request()
-     overreads could occur upon receiving a message malformed at the point
+     function which led to an arbitrary overread of the message buffer. The
-     where an optional signature algorithms list is expected in the cases of
+     overreads could be caused by receiving a malformed message at the point
-     the signature algorithms section being too short. In the debug builds
+     where an optional signature algorithms list is expected when the signature
-     the overread data is printed to the standard output.
+     algorithms section is too short. In builds with debug output, the overread
+     data is output with the debug data.
    * Fix a client-side bug in the validation of the server's ciphersuite choice
-     potentially leading to the client accepting a ciphersuite it didn't offer
+     which could potentially lead to the client accepting a ciphersuite it didn't
-     or one that cannot be used with the (D)TLS version chosen by the server.
+     offer or a ciphersuite that cannot be used with the TLS or DTLS version
-     This may lead to corruption of internal data structures for some
+     chosen by the server. This could lead to corruption of internal data
-     configurations.
+     structures for some configurations.
 
 Features
-   * Add option MBEDTLS_AES_FEWER_TABLES to dynamically compute 3/4 of the AES tables
+   * Add an option, MBEDTLS_AES_FEWER_TABLES, to dynamically compute smaller AES
-     during runtime, thereby reducing the RAM/ROM footprint by ~6kb. Suggested
+     tables during runtime, thereby reducing the RAM/ROM footprint by ~6KiB.
-     and contributed by jkivilin in #394.
+     Suggested and contributed by jkivilin in pull request #394.
    * Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and
      ECDH primitive functions (mbedtls_ecdh_gen_public(),
      mbedtls_ecdh_compute_shared()) are supported for now. Contributed by
      Nicholas Wilson (#348).
 
 API Changes
-   * Add function mbedtls_net_poll to public API allowing to wait for a
+   * Extend the public API with the function of mbedtls_net_poll() to allow user
-     network context to become ready for reading or writing.
+     applications to wait for a network context to become ready before reading
-   * Add function mbedtls_ssl_check_pending to public API allowing to check
+     or writing.
-     if more data is pending to be processed in the internal message buffers.
+   * Add function mbedtls_ssl_check_pending() to the public API to allow
+     a check for whether more more data is pending to be processed in the
+     internal message buffers.
      This function is necessary to determine when it is safe to idle on the
      underlying transport in case event-driven IO is used.
 
 Bugfix
-   * Fix spurious uninitialized variable warning in cmac.c. Fix independently
+   * Fix a spurious uninitialized variable warning in cmac.c. Fix independently
      contributed by Brian J Murray and David Brown.
    * Add missing dependencies in test suites that led to build failures
      in configurations that omit certain hashes or public-key algorithms.
@@ -47,15 +50,16 @@ Bugfix
    * Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks.
      #1353
    * Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
-     MBEDTLS_VERSION_FEATURES in test suites. Contributed by Deomid Ryabkov.
+     MBEDTLS_VERSION_FEATURES in some test suites. Contributed by
-     Fixes #1299, #1475.
+     Deomid Ryabkov. Fixes #1299, #1475.
-   * Fix dynamic library building process with Makefile on Mac OS X. Fixed by
+   * Fix the Makefile build process for building shared libraries on Mac OS X.
-     mnacamura.
+     Fixed by mnacamura.
    * Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was
-     unable to parse keys with only the optional parameters field of the
+     unable to parse keys which had only the optional parameters field of the
      ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
-   * Return plaintext data sooner on unpadded CBC decryption, as stated in
+   * Return the plaintext data more quickly on unpadded CBC decryption, as
-     the mbedtls_cipher_update() documentation. Contributed by Andy Leiserson.
+     stated in the mbedtls_cipher_update() documentation. Contributed by
+     Andy Leiserson.
    * Fix overriding and ignoring return values when parsing and writing to
      a file in pk_sign program. Found by kevlut in #1142.
    * Restrict usage of error code MBEDTLS_ERR_SSL_WANT_READ to situations
@@ -63,9 +67,8 @@ Bugfix
      to make progress. Previously, this error code was also occasionally
      returned when unexpected messages were being discarded, ignoring that
      further messages could potentially already be pending to be processed
-     in the internal buffers; these cases lead to deadlocks in case
+     in the internal buffers; these cases led to deadlocks when event-driven
-     event-driven I/O was used.
+     I/O was used. Found and reported by Hubert Mis in #772.
-     Found and reported by Hubert Mis in #772.
    * Fix buffer length assertions in the ssl_parse_certificate_request()
      function which leads to a potential one byte overread of the message
      buffer.
@@ -74,18 +77,18 @@ Bugfix
 
 Changes
    * Remove some redundant code in bignum.c. Contributed by Alexey Skalozub.
-   * Support cmake build where Mbed TLS is a subproject. Fix
+   * Support cmake builds where Mbed TLS is a subproject. Fix contributed
-     contributed independently by Matthieu Volat and Arne Schwabe.
+     independently by Matthieu Volat and Arne Schwabe.
    * Improve testing in configurations that omit certain hashes or
      public-key algorithms. Includes contributions by Gert van Dijk.
    * Improve negative testing of X.509 parsing.
    * Do not define global mutexes around readdir() and gmtime() in
      configurations where the feature is disabled. Found and fixed by Gergely
      Budai.
-   * Harden mbedtls_ssl_config_free() against misuse, so that it doesn't
+   * Harden the function mbedtls_ssl_config_free() against misuse, so that it
-     leak memory in case the user doesn't use mbedtls_ssl_conf_psk() and
+     doesn't leak memory if the user doesn't use mbedtls_ssl_conf_psk() and
-     instead incorrectly manipulates conf->psk and/or conf->psk_identity
+     instead incorrectly manipulates the configuration structure directly.
-     directly. Found and fix submitted by junyeonLEE in #1220.
+     Found and fix submitted by junyeonLEE in #1220.
    * Provide an empty implementation of mbedtls_pkcs5_pbes2() when
      MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
      without PBES2. Fixed by Marcos Del Sol Vives.
@@ -96,7 +99,7 @@ Changes
      Krylov.
    * Improve the documentation of mbedtls_ssl_write(). Suggested by
      Paul Sokolovsky in #1356.
-   * Add an option in the makefile to support ar utilities where the operation
+   * Add an option in the Makefile to support ar utilities where the operation
      letter must not be prefixed by '-', such as LLVM. Found and fixed by
      Alex Hixon.
    * Allow configuring the shared library extension by setting the DLEXT
@@ -109,8 +112,8 @@ Changes
    * Improve robustness of mbedtls_ssl_derive_keys against the use of
      HMAC functions with non-HMAC ciphersuites. Independently contributed
      by Jiayuan Chen in #1377. Fixes #1437.
-   * Improve security of RSA key generation by including criteria from FIPS
+   * Improve security of RSA key generation by including criteria from
-     186-4. Contributed by Jethro Beekman. #1380
+     FIPS 186-4. Contributed by Jethro Beekman. #1380
    * Declare functions in header files even when an alternative implementation
      of the corresponding module is activated by defining the corresponding
      MBEDTLS_XXX_ALT macro. This means that alternative implementations do
@@ -314,7 +317,7 @@ Bugfix
    * Fix ssl_parse_record_header() to silently discard invalid DTLS records
      as recommended in RFC 6347 Section 4.1.2.7.
    * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times.
-     Found by projectgus and jethrogb, #836.
+     Found by projectgus and Jethro Beekman, #836.
    * Fix usage help in ssl_server2 example. Found and fixed by Bei Lin.
    * Parse signature algorithm extension when renegotiating. Previously,
      renegotiated handshakes would only accept signatures using SHA-1
@@ -508,8 +511,7 @@ Bugfix
      Previous behaviour was to keep processing data even after the alert has
      been sent.
    * Accept empty trusted CA chain in authentication mode
-     MBEDTLS_SSL_VERIFY_OPTIONAL.
+     MBEDTLS_SSL_VERIFY_OPTIONAL. Found by Jethro Beekman. #864
-     Found by jethrogb. #864
    * Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
      fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
      reflect bad EC curves within verification result.