Add CHANGES.md and NEWS.md updates for the 3.4 release

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25339)
Tomas Mraz 2024-08-30 17:06:12 +02:00
parent 01f4b44e07
commit 5650289743
2 changed files with 105 additions and 14 deletions


@ -29,7 +29,17 @@ OpenSSL 3.4
### Changes between 3.3 and 3.4 [xx XXX xxxx] ### Changes between 3.3 and 3.4 [xx XXX xxxx]
* XOF Digest API changes. * Improved base64 BIO correctness and error reporting.
*Viktor Dukhovni*
* Added support for directly fetched composite signature algorithms such as
RSA-SHA2-256 including new API functions in the EVP_PKEY_sign,
EVP_PKEY_verify and EVP_PKEY_verify_recover groups.
*Richard Levitte*
* XOF Digest API improvements
EVP_MD_CTX_get_size() and EVP_MD_CTX_size are macros that were aliased to EVP_MD_CTX_get_size() and EVP_MD_CTX_size are macros that were aliased to
EVP_MD_get_size which returns a constant value. XOF Digests such as SHAKE EVP_MD_get_size which returns a constant value. XOF Digests such as SHAKE
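Review bot: the new composite-signature entry says "including new API functions in the EVP_PKEY_sign, EVP_PKEY_verify and EVP_PKEY_verify_recover groups" but names none of them, so a reader cannot search the headers or manual pages for what was added; list the new function names or point to the manual page that documents them. Separately, the renamed heading "XOF Digest API improvements" lost the trailing period that "XOF Digest API changes." had and that the base64 BIO entry above it keeps.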
@ -44,7 +54,8 @@ OpenSSL 3.4
*Shane Lontis* *Shane Lontis*
* Add FIPS indicators to the FIPS provider. * Added FIPS indicators to the FIPS provider.
FIPS 140-3 requires indicators to be used if the FIPS provider allows FIPS 140-3 requires indicators to be used if the FIPS provider allows
non-approved algorithms. An algorithm is approved if it passes all non-approved algorithms. An algorithm is approved if it passes all
required checks such as minimum key size. By default an error will required checks such as minimum key size. By default an error will
@ -66,19 +77,42 @@ OpenSSL 3.4
*Shane Lontis, Paul Dale and Po-Hsing Wu* *Shane Lontis, Paul Dale and Po-Hsing Wu*
* Add debuginfo Makefile target for unix platforms to produce * Added support for hardware acceleration for HMAC on S390x architecture.
*Ingo Franzki*
* Added debuginfo Makefile target for unix platforms to produce
a separate DWARF info file from the corresponding shared libs. a separate DWARF info file from the corresponding shared libs.
*Neil Horman* *Neil Horman*
* Add feature to retrieve configured TLS signature algorithms, * Added support for encapsulation and decapsulation operations in the
pkeyutl command.
*Dmitry Belyavskiy*
* Added implementation of RFC 9579 (PBMAC1) in PKCS#12.
*Dmitry Belyavskiy*
* Add a new random seed source RNG `JITTER` using a statically linked
jitterentropy library.
*Dimitri John Ledkov*
* Added a feature to retrieve configured TLS signature algorithms,
e.g., via the openssl list command. e.g., via the openssl list command.
*Michael Baentsch* *Michael Baentsch*
* Deprecated TS_VERIFY_CTX_set_* functions and added replacement
TS_VERIFY_CTX_set0_* functions with improved semantics.
*Tobias Erbsland*
* Redesigned Windows use of OPENSSLDIR/ENGINESDIR/MODULESDIR such that * Redesigned Windows use of OPENSSLDIR/ENGINESDIR/MODULESDIR such that
what were formerly build time locations can now be defined at run time what were formerly build time locations can now be defined at run time
with registry keys. See NOTES-WINDOWS.md with registry keys. See NOTES-WINDOWS.md.
*Neil Horman* *Neil Horman*
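Review bot: the `JITTER` entry added in this hunk still begins "Add a new random seed source" while every other entry touched here was moved to the past tense ("Added support for hardware acceleration", "Added debuginfo Makefile target", "Added a feature to retrieve"); change it to "Added a new random seed source RNG `JITTER`" so the section reads consistently. The TS_VERIFY_CTX entry describes the replacements only as having "improved semantics"; one clause saying what differs for the caller would let users of the deprecated TS_VERIFY_CTX_set_* functions judge the migration without reading the source.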
@ -110,8 +144,8 @@ OpenSSL 3.4
*Tomáš Mráz* *Tomáš Mráz*
* Use an empty renegotiate extension in TLS client hellos instead of * An empty renegotiate extension will be used in TLS client hellos instead
the empty renegotiation SCSV, for all connections with a minimum TLS of the empty renegotiation SCSV, for all connections with a minimum TLS
version > 1.0. version > 1.0.
*Tim Perry* *Tim Perry*
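Review bot: "empty renegotiate extension" in the reworded entry is not the name a reader will find in RFC 5746 or in a packet capture, where the extension is called `renegotiation_info`; use that name next to "the empty renegotiation SCSV" so the wire-visible change can be matched against a client hello. The rewording to passive voice is otherwise fine and matches the NEWS.md text.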
@ -127,7 +161,14 @@ OpenSSL 3.4
This work was sponsored by Siemens AG. This work was sponsored by Siemens AG.
*Rajeev Ranjan* *Rajeev Ranjan*
* Added support for issuedOnBehalfOf, auditIdentity, basicAttConstraints,
userNotice, acceptablePrivilegePolicies, acceptableCertPolicies,
subjectDirectoryAttributes, associatedInformation, delegatedNameConstraints,
holderNameConstraints and targetingInformation X.509v3 extensions.
*Jonathan M. Wilbur*
* Added Attribute Certificate (RFC 5755) support. Attribute * Added Attribute Certificate (RFC 5755) support. Attribute
Certificates can be created, parsed, modified and printed via the Certificates can be created, parsed, modified and printed via the
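Review bot: "Added support for" in the new X.509v3 extensions entry does not say what kind of support is meant, and for names such as delegatedNameConstraints, holderNameConstraints and basicAttConstraints that matters: a reader may assume these constraints are enforced during verification when the change may only cover encoding, decoding and printing. State the scope explicitly, as the Attribute Certificate entry below it does with "created, parsed, modified and printed".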
@ -208,11 +249,6 @@ OpenSSL 3.3
### Changes between 3.2 and 3.3.0 [9 Apr 2024] ### Changes between 3.2 and 3.3.0 [9 Apr 2024]
* Add a new random seed source RNG `JITTER` using a statically linked
jitterentropy library.
*Dimitri John Ledkov*
* The `-verify` option to the `openssl crl` and `openssl req` will make * The `-verify` option to the `openssl crl` and `openssl req` will make
the program exit with 1 on failure. the program exit with 1 on failure.
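Review bot: removing the `JITTER` entry from "Changes between 3.2 and 3.3.0 [9 Apr 2024]" edits the change log of an already dated release, which the commit subject (updates for the 3.4 release) does not mention. Say in the commit message that the entry was misplaced and is being moved to the 3.4 section, so the history explains why a released section changed.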

57
NEWS.md

@ -28,7 +28,62 @@ OpenSSL.
This release is in development. This release is in development.
* Added initial Attribute Certificate (RFC 5755) support. This release incorporates the following potentially significant or incompatible
changes:
* Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement
TS_VERIFY_CTX_set0_* functions with improved semantics
* Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that
what were formerly build time locations can now be defined at run time
with registry keys
* The X25519 and X448 key exchange implementation in the FIPS provider
is unapproved and has `fips=no` property.
* SHAKE-128 and SHAKE-256 implementations have no default digest length
anymore. That means these algorithms cannot be used with
EVP_DigestFinal/_ex() unless the `xoflen` param is set before.
* Setting `config_diagnostics=1` in the config file will cause errors to
be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
in the ssl module configuration.
* An empty renegotiate extension will be used in TLS client hellos instead
of the empty renegotiation SCSV, for all connections with a minimum TLS
version > 1.0.
* Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and
SSL_CTX_flush_sessions() functions in favor of their respective `_ex`
functions which are Y2038-safe on platforms with Y2038-safe `time_t`
This release adds the following new features:
* Support for directly fetched composite signature algorithms such as
RSA-SHA2-256 including new API functions
* FIPS indicators support in the FIPS provider and various updates of the FIPS
provider required for future FIPS 140-3 validations
* Implementation of RFC 9579 (PBMAC1) in PKCS#12
* An optional additional random seed source RNG `JITTER` using a statically
linked jitterentropy library
* New options `-not_before` and `-not_after` for explicit setting start and
end dates of certificates created with the `req` and `x509` apps
* Support for integrity-only cipher suites TLS_SHA256_SHA256 and
TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150
* Support for requesting CRL in CMP
* Support for additional X.509v3 extensions related to Attribute Certificates
* Initial Attribute Certificate (RFC 5755) support
* Possibility to customize ECC groups initialization to use precomputed values
to save CPU time and use of this feature by the P-256 implementation
OpenSSL 3.3 OpenSSL 3.3
----------- -----------
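Review bot: the SHAKE-128 and SHAKE-256 item in the incompatible-changes list says the algorithms "cannot be used with EVP_DigestFinal/_ex() unless the `xoflen` param is set before" but not how the call fails, which is what an application maintainer needs in order to recognise the breakage; add whether the call returns an error and keep the wording aligned with the XOF entry in CHANGES.md. Two smaller points in the same hunk: "for explicit setting start and end dates" should read "for explicitly setting the start and end dates", and the X25519/X448 item ends with a period and lacks an article ("has `fips=no` property") while the other list items carry no terminal punctuation.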