diff --git a/CHANGES.md b/CHANGES.md index c66ec92cd9..db01de1b35 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -29,7 +29,17 @@ OpenSSL 3.4 ### Changes between 3.3 and 3.4 [xx XXX xxxx] - * XOF Digest API changes. + * Improved base64 BIO correctness and error reporting. + + *Viktor Dukhovni* + + * Added support for directly fetched composite signature algorithms such as + RSA-SHA2-256 including new API functions in the EVP_PKEY_sign, + EVP_PKEY_verify and EVP_PKEY_verify_recover groups. + + *Richard Levitte* + + * XOF Digest API improvements EVP_MD_CTX_get_size() and EVP_MD_CTX_size are macros that were aliased to EVP_MD_get_size which returns a constant value. XOF Digests such as SHAKE @@ -44,7 +54,8 @@ OpenSSL 3.4 *Shane Lontis* - * Add FIPS indicators to the FIPS provider. + * Added FIPS indicators to the FIPS provider. + FIPS 140-3 requires indicators to be used if the FIPS provider allows non-approved algorithms. An algorithm is approved if it passes all required checks such as minimum key size. By default an error will 
@@ -66,19 +77,42 @@ OpenSSL 3.4 *Shane Lontis, Paul Dale and Po-Hsing Wu* - * Add debuginfo Makefile target for unix platforms to produce + * Added support for hardware acceleration for HMAC on S390x architecture. + + *Ingo Franzki* + + * Added debuginfo Makefile target for unix platforms to produce a separate DWARF info file from the corresponding shared libs. *Neil Horman* - * Add feature to retrieve configured TLS signature algorithms, + * Added support for encapsulation and decapsulation operations in the + pkeyutl command. + + *Dmitry Belyavskiy* + + * Added implementation of RFC 9579 (PBMAC1) in PKCS#12. + + *Dmitry Belyavskiy* + + * Add a new random seed source RNG `JITTER` using a statically linked + jitterentropy library. + + *Dimitri John Ledkov* + + * Added a feature to retrieve configured TLS signature algorithms, e.g., via the openssl list command. *Michael Baentsch* + * Deprecated TS_VERIFY_CTX_set_* functions and added replacement + TS_VERIFY_CTX_set0_* functions with improved semantics. + + *Tobias Erbsland* + * Redesigned Windows use of OPENSSLDIR/ENGINESDIR/MODULESDIR such that what were formerly build time locations can now be defined at run time - with registry keys. See NOTES-WINDOWS.md + with registry keys. See NOTES-WINDOWS.md. *Neil Horman* @@ -110,8 +144,8 @@ OpenSSL 3.4 *Tomáš Mráz* - * Use an empty renegotiate extension in TLS client hellos instead of - the empty renegotiation SCSV, for all connections with a minimum TLS + * An empty renegotiate extension will be used in TLS client hellos instead + of the empty renegotiation SCSV, for all connections with a minimum TLS version > 1.0. *Tim Perry* 
@@ -127,7 +161,14 @@ OpenSSL 3.4 This work was sponsored by Siemens AG. - *Rajeev Ranjan* + *Rajeev Ranjan* + + * Added support for issuedOnBehalfOf, auditIdentity, basicAttConstraints, + userNotice, acceptablePrivilegePolicies, acceptableCertPolicies, + subjectDirectoryAttributes, associatedInformation, delegatedNameConstraints, + holderNameConstraints and targetingInformation X.509v3 extensions. + + *Jonathan M. Wilbur* * Added Attribute Certificate (RFC 5755) support. Attribute Certificates can be created, parsed, modified and printed via the @@ -208,11 +249,6 @@ OpenSSL 3.3 ### Changes between 3.2 and 3.3.0 [9 Apr 2024] - * Add a new random seed source RNG `JITTER` using a statically linked - jitterentropy library. - - *Dimitri John Ledkov* - * The `-verify` option to the `openssl crl` and `openssl req` will make the program exit with 1 on failure. diff --git a/NEWS.md b/NEWS.md index 11e1057b87..d8ed71dbe5 100644 --- a/NEWS.md +++ b/NEWS.md 
@@ -28,7 +28,62 @@ OpenSSL. This release is in development. - * Added initial Attribute Certificate (RFC 5755) support. +This release incorporates the following potentially significant or incompatible +changes: + + * Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement + TS_VERIFY_CTX_set0_* functions with improved semantics + + * Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that + what were formerly build time locations can now be defined at run time + with registry keys + + * The X25519 and X448 key exchange implementation in the FIPS provider + is unapproved and has `fips=no` property. + + * SHAKE-128 and SHAKE-256 implementations have no default digest length + anymore. That means these algorithms cannot be used with + EVP_DigestFinal/_ex() unless the `xoflen` param is set before. + + * Setting `config_diagnostics=1` in the config file will cause errors to + be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error + in the ssl module configuration. + + * An empty renegotiate extension will be used in TLS client hellos instead + of the empty renegotiation SCSV, for all connections with a minimum TLS + version > 1.0. 
+ + * Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and + SSL_CTX_flush_sessions() functions in favor of their respective `_ex` + functions which are Y2038-safe on platforms with Y2038-safe `time_t` + +This release adds the following new features: + + * Support for directly fetched composite signature algorithms such as + RSA-SHA2-256 including new API functions + + * FIPS indicators support in the FIPS provider and various updates of the FIPS + provider required for future FIPS 140-3 validations + + * Implementation of RFC 9579 (PBMAC1) in PKCS#12 + + * An optional additional random seed source RNG `JITTER` using a statically + linked jitterentropy library + + * New options `-not_before` and `-not_after` for explicit setting start and + end dates of certificates created with the `req` and `x509` apps + + * Support for integrity-only cipher suites TLS_SHA256_SHA256 and + TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150 + + * Support for requesting CRL in CMP + + * Support for additional X.509v3 extensions related to Attribute Certificates + + * Initial Attribute Certificate (RFC 5755) support + + * Possibility to customize ECC groups initialization to use precomputed values + to save CPU time and use of this feature by the P-256 implementation OpenSSL 3.3 -----------
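Review bot: In the CHANGES.md hunk at @@ -29,7 +29,17 @@, the new entry "Improved base64 BIO correctness and error reporting." does not say whether callers will see a behaviour change. Since the entry itself mentions error reporting, add a sentence stating what is now reported or handled differently, so that readers can tell whether existing code paths are affected. The composite signature entry in the same hunk refers to "new API functions in the EVP_PKEY_sign, EVP_PKEY_verify and EVP_PKEY_verify_recover groups" without naming any of them; listing the function names would make the entry searchable.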
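Review bot: In the CHANGES.md hunk at @@ -66,19 +77,42 @@, the relocated JITTER entry still reads "Add a new random seed source RNG `JITTER`" while the other entries this hunk touches are converted to past tense ("Added support for ...", "Added debuginfo ...", "Added a feature ..."). Change it to "Added a new random seed source RNG `JITTER` ..." for consistency. The TS_VERIFY_CTX entry in the same hunk says the `set0` replacements have "improved semantics" without saying what differs; one clause on what changes for the caller would help anyone migrating off the deprecated functions.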
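Review bot: The CHANGES.md hunk at @@ -208,11 +249,6 @@ deletes the JITTER entry from "Changes between 3.2 and 3.3.0 [9 Apr 2024]", a section that carries a release date, while an earlier hunk re-adds the same text under 3.4. Please state in the commit message that the entry was misfiled and that the feature is not part of 3.3.0; without that, the edit reads as a silent change to the record of a dated release.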
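Review bot: In the NEWS.md hunk at @@ -28,7 +28,62 @@, the feature bullet "Support for integrity-only cipher suites TLS_SHA256_SHA256 and TLS_SHA384_SHA384 in TLS 1.3" does not say whether these suites are enabled by default. Because the bullet itself describes them as integrity-only, state explicitly whether they have to be opted into, so that readers do not have to guess whether an upgrade changes what a default configuration can negotiate. Minor: the bullets in this hunk mix terminal periods (the X25519, SHAKE, `config_diagnostics` and renegotiate items end with one, the rest do not), and "for explicit setting start and end dates" should read "for explicitly setting the start and end dates".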