Update CHANGES.md and NEWS.md for the upcoming 3.2 release

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21802)

CHANGES.md

@@ -27,17 +27,69 @@ OpenSSL 3.2
 
  * Added client side support for QUIC
 
-   *Hugo Landau*
+   *Hugo Landau, Matt Caswell, Paul Dale, Tomáš Mráz, Richard Levitte*
+
+ * Added multiple tutorials on the OpenSSL library and in particular
+   on writing various clients (using TLS and QUIC protocols) with libssl.
+
+   *Matt Caswell*
+
+ * Added secp384r1 implementation using Solinas' reduction to improve
+   speed of the NIST P-384 elliptic curve. To enable the implementation
+   the build option `enable-ec_nistp_64_gcc_128` must be used.
+
+   *Rohan McLure*
+
+ * Improved RFC7468 compliance of the asn1parse command.
+
+   *Matthias St. Pierre*
 
  * Added SHA256/192 algorithm support.
 
    *Fergus Dall*
 
- * Provide a new configure option `no-http` that can be used to disable HTTP
-   support.
+ * Added support for securely getting root CA certificate update in
+   CMP.
+
+   *David von Oheimb*
+
+ * Improved contention on global write locks by using more read locks where
+   appropriate.
+
+   *Matt Caswell*
+
+ * Improved performance of OSSL_PARAM lookups in performance critical
+   provider functions.
+
+   *Paul Dale*
+
+ * Added the SSL_get0_group_name() function to provide access to the
+   name of the group used for the TLS key exchange.
+
+   *Alex Bozarth*
+
+ * Provide a new configure option `no-http` that can be used to disable the
+   HTTP support. Provide new configure options `no-apps` and `no-docs` to
+   disable building the openssl command line application and the documentation.
 
    *Vladimír Kotal*
 
+ * Provide a new configure option `no-ecx` that can be used to disable the
+   X25519, X448, and EdDSA support.
+
+   *Yi Li*
+
+ * When multiple OSSL_KDF_PARAM_INFO parameters are passed to
+   the EVP_KDF_CTX_set_params() function they are now concatenated not just
+   for the HKDF algorithm but also for SSKDF and X9.63 KDF algorithms.
+
+   *Paul Dale*
+
+ * Added OSSL_FUNC_keymgmt_im/export_types_ex() provider functions that get
+   the provider context as a parameter.
+
+   *Ingo Franzki*
+
  * TLS round-trip time calculation was added by a Brigham Young University
    Capstone team partnering with Sandia National Laboratories. A new function
    in ssl_lib titled SSL_get_handshake_rtt will calculate and retrieve this
@@ -52,17 +104,6 @@ OpenSSL 3.2
 
    *Matt Caswell*
 
- * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
-   The previous fix for this timing side channel turned out to cause
-   a severe 2-3x performance regression in the typical use case
-   compared to 3.0.7. The new fix uses existing constant time
-   code paths, and restores the previous performance level while
-   fully eliminating all existing timing side channels.
-   The fix was developed by Bernd Edlinger with testing support
-   by Hubert Kario.
-
-   *Bernd Edlinger*
-
  * Added an "advanced" command mode to s_client. Use this with the "-adv"
    option. The old "basic" command mode recognises certain letters that must
    always appear at the start of a line and cannot be escaped. The advanced
@@ -80,11 +121,53 @@ OpenSSL 3.2
 
    *Todd Short*
 
- * Added EC_GROUP_to_params which creates an OSSL_PARAM array
+ * Added support for modular exponentiation and CRT offloading for the
+   S390x architecture.
+
+   *Juergen Christ*
+
+ * Added further assembler code for the RISC-V architecture.
+
+   *Christoph Müllner*
+
+ * Added EC_GROUP_to_params() which creates an OSSL_PARAM array
    from a given EC_GROUP.
 
    *Oliver Mihatsch*
 
+ * Improved support for non-default library contexts and property queries
+   when parsing PKCS#12 files.
+
+   *Shane Lontis*
+
+ * Implemented support for all five instances of EdDSA from RFC8032:
+   Ed25519, Ed25519ctx, Ed25519ph, Ed448, and Ed448ph.
+   The streaming is not yet supported for the HashEdDSA variants
+   (Ed25519ph and Ed448ph).
+
+   *James Muir*
+
+ * Added SM4 optimization for ARM processors using ASIMD and AES HW
+   instructions.
+
+   *Xu Yizhou*
+
+ * Implemented SM4-XTS support.
+
+   *Xu Yizhou*
+
+ * Added platform-agnostic OSSL_sleep() function.
+
+   *Richard Levitte*
+
+ * Implemented deterministic ECDSA signatures (RFC6979) support.
+
+   *Shane Lontis*
+
+ * Implemented AES-GCM-SIV (RFC8452) support.
+
+   *Todd Short*
+
  * Added support for pluggable (provider-based) TLS signature algorithms.
    This enables TLS 1.3 authentication operations with algorithms embedded
    in providers not included by default in OpenSSL. In combination with
@@ -94,6 +177,12 @@ OpenSSL 3.2
 
    *Michael Baentsch*
 
+ * Added support for pluggable (provider-based) CMS signature algorithms.
+   This enables CMS sign and verify operations with algorithms embedded
+   in providers not included by default in OpenSSL.
+
+   *Michael Baentsch*
+
  * Added support for Hybrid Public Key Encryption (HPKE) as defined
    in RFC9180. HPKE is required for TLS Encrypted ClientHello (ECH),
    Message Layer Security (MLS) and other IETF specifications.
@@ -103,6 +192,11 @@ OpenSSL 3.2
 
    *Stephen Farrell*
 
+ * Implemented HPKE DHKEM support in providers used by HPKE (RFC9180)
+   API.
+
+   *Shane Lontis*
+
  * Add support for certificate compression (RFC8879), including
    library support for Brotli and Zstandard compression.
 
@@ -116,11 +210,7 @@ OpenSSL 3.2
 
    *Graham Woodward*
 
- * Major refactor of the libssl record layer
-
-   *Matt Caswell*
-
- * Added a new BIO_s_dgram_mem() to read/write datagrams to memory
+ * Major refactor of the libssl record layer.
 
    *Matt Caswell*
 
@@ -162,6 +252,24 @@ OpenSSL 3.2
 
    *Darshan Sen*
 
+ * The PKCS12_parse() function now supports MAC-less PKCS12 files.
+
+   *Daniel Fiala*
+
+ * Added ASYNC_set_mem_functions() and ASYNC_get_mem_functions() calls to be able
+   to change functions used for allocating the memory of asynchronous call stack.
+
+   *Arran Cudbard-Bell*
+
+ * Added support for signed BIGNUMs in the OSSL_PARAM APIs.
+
+   *Richard Levitte*
+
+ * A failure exit code is returned when using the openssl x509 command to check
+   certificate attributes and the checks fail.
+
+   *Rami Khaldi*
+
  * The default SSL/TLS security level has been changed from 1 to 2. RSA,
    DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
    of 160 bits and above and less than 224 bits were previously accepted by
@@ -181,6 +289,7 @@ OpenSSL 3.2
    will need to load the legacy crypto provider.
 
    *Paul Dale*
+
  * CCM8 cipher suites in TLS have been downgraded to security level zero
    because they use a short authentication tag which lowers their strength.
 
@@ -223,10 +332,10 @@ OpenSSL 3.2
 
    *David von Oheimb*
 
- * `CMS_add0_cert()` and `CMS_add1_cert()` no more throw an error
-   if a certificate to be added is already present.
- * `CMS_sign_ex()` and `CMS_sign()` now ignore any duplicate certificates
-   in their `certs` argument and no longer throw an error for them.
+ * `CMS_add0_cert()` and `CMS_add1_cert()` no longer throw an error if
+   a certificate to be added is already present. `CMS_sign_ex()` and
+   `CMS_sign()` now ignore any duplicate certificates in their `certs` argument
+   and no longer throw an error for them.
 
    *David von Oheimb*
 
@@ -236,6 +345,12 @@ OpenSSL 3.2
 
    *David von Oheimb*
 
+ * Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based
+   BIOs with datagram semantics and support for BIO_sendmmsg() and BIO_recvmmsg()
+   calls. They can be used as the transport BIOs for QUIC.
+
+   *Hugo Landau, Matt Caswell and Tomáš Mráz*
+
  * Add new BIO_sendmmsg() and BIO_recvmmsg() BIO methods which allow
    sending and receiving multiple messages in a single call. An implementation
    is provided for BIO_dgram. For further details, see BIO_sendmmsg(3).
@@ -260,10 +375,31 @@ OpenSSL 3.2
 
    *Tianjia Zhang*
 
+ * Added `-ktls` option to `s_server` and `s_client` commands to enable the
+   KTLS support.
+
+   *Tianjia Zhang*
+
  * Zerocopy KTLS sendfile() support on Linux.
 
    *Maxim Mikityanskiy*
 
+ * The OBJ_ calls are now thread safe using a global lock.
+
+   *Paul Dale*
+
+ * New parameter `-digest` for openssl cms command allowing signing
+   pre-computed digests and new CMS API functions supporting that
+   functionality.
+
+   *Viktor Söderqvist*
+
+ * OPENSSL_malloc() and other allocation functions now raise errors on
+   allocation failures. The callers do not need to explicitly raise errors
+   unless they want to for tracing purposes.
+
+   *David von Oheimb*
+
  * Added and enabled by default implicit rejection in RSA PKCS#1 v1.5
    decryption as a protection against Bleichenbacher-like attacks.
    The RSA decryption API will now return a randomly generated deterministic
@@ -276,15 +412,23 @@ OpenSSL 3.2
 
    *Hubert Kario*
 
+ * Added support for Brainpool curves in TLS-1.3.
+
+   *Bernd Edlinger and Matt Caswell*
+
+ * Added OpenBSD specific build targets.
+
+   *David Carlier*
+
  * Support for Argon2d, Argon2i, Argon2id KDFs has been added along with
-   basic thread pool implementation for select platforms.
+   a basic thread pool implementation for select platforms.
 
    *Čestmír Kalina*
 
 OpenSSL 3.1
 -----------
 
-### Changes between 3.1.1 and 3.1.2 [xx XXX xxxx]
+### Changes between 3.1.1 and 3.1.2 [1 Aug 2023]
 
  * Fix excessive time spent checking DH q parameter value.
 
@@ -394,6 +538,17 @@ OpenSSL 3.1
 
    *Nevine Ebeid*
 
+ * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
+   The previous fix for this timing side channel turned out to cause
+   a severe 2-3x performance regression in the typical use case
+   compared to 3.0.7. The new fix uses existing constant time
+   code paths, and restores the previous performance level while
+   fully eliminating all existing timing side channels.
+   The fix was developed by Bernd Edlinger with testing support
+   by Hubert Kario.
+
+   *Bernd Edlinger*
+
  * Add FIPS provider configuration option to disallow the use of
    truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.).
    The option '-no_drbg_truncated_digests' can optionally be

NEWS.md

@@ -23,16 +23,31 @@ OpenSSL 3.2
 ### Major changes between OpenSSL 3.1 and OpenSSL 3.2 [under development]
 
   * Added client side support for QUIC.
-  * Add Raw Public Key (RFC7250) support.
+  * Added multiple tutorials on the OpenSSL library and in particular
+    on writing various clients (using TLS and QUIC protocols) with libssl.
+  * Added support for Brainpool curves in TLS-1.3.
+  * Added Raw Public Key (RFC7250) support.
   * Added support for certificate compression (RFC8879), including
     library support for Brotli and Zstandard compression.
+  * Implemented support for all five instances of EdDSA from RFC8032.
+  * Implemented SM4-XTS support.
+  * Implemented deterministic ECDSA signatures (RFC6979) support.
+  * Implemented AES-GCM-SIV (RFC8452) support.
+  * Implemented Hybrid Public Key Encryption (HPKE) as defined in RFC9180.
+  * Multiple new features and improvements of the CMP protocol support.
   * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
     by default.
   * TCP Fast Open (RFC7413) support is available on Linux, macOS, and FreeBSD
     where enabled and supported.
+  * The default SSL/TLS security level has been changed from 1 to 2.
   * Full support for provider-based/pluggable signature algorithms in TLS 1.3
-    operations as well as X.509 data structure support. With a suitable provider
-    this fully enables use of post-quantum/quantum-safe cryptography.
+    operations as well as CMS and X.509 data structure support. With a suitable
+    provider this fully enables use of post-quantum/quantum-safe cryptography.
+  * It is now possible to use the IANA standard names in TLS cipher
+    configuration.
+  * The `x509`, `ca`, and `req` apps now always produce X.509v3 certificates.
+  * Support for Argon2d, Argon2i, Argon2id KDFs has been added along with
+    a basic thread pool implementation for select platforms.
 
 OpenSSL 3.1
 -----------