From 95a444c9adcad04035704ab3b5d749a185ef0960 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 7 Sep 2021 13:18:22 +0200 Subject: [PATCH] Last minute NEWS and CHANGES entries for the 3.0 release Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/16533) --- CHANGES.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++-- NEWS.md | 8 +++++--- 2 files changed, 51 insertions(+), 5 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 5ed84e657a..58dffb15ef 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -38,6 +38,37 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now + deprecated. + + *Matt Caswell* + + * The `OPENSSL_s390xcap` environment variable can be used to set bits in the + S390X capability vector to zero. This simplifies testing of different code + paths on S390X architecture. + + *Patrick Steuer* + + * Encrypting more than 2^64 TLS records with AES-GCM is disallowed + as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from + SP 800-38D". The communication will fail at this point. + + *Paul Dale* + + * The EC_GROUP_clear_free() function is deprecated as there is nothing + confidential in EC_GROUP data. + + *Nicola Tuveri* + + * The byte order mark (BOM) character is ignored if encountered at the + beginning of a PEM-formatted file. + + *Dmitry Belyavskiy* + + * Added CMS support for the Russian GOST algorithms. + + *Dmitry Belyavskiy* + * Due to move of the implementation of cryptographic operations to the providers, validation of various operation parameters can be postponed until the actual operation is executed where previously @@ -521,6 +552,11 @@ breaking changes, and mappings for the large list of deprecated functions. *Richard Levitte* + * Added various `_ex` functions to the OpenSSL API that support using + a non-default `OSSL_LIB_CTX`. + + *OpenSSL team* + * Handshake now fails if Extended Master Secret extension is dropped on renegotiation. @@ -1234,11 +1270,19 @@ breaking changes, and mappings for the large list of deprecated functions. *Richard Levitte* - * Add Single Step KDF (EVP_KDF_SS) to EVP_KDF. + * Added KB KDF (EVP_KDF_KB) to EVP_KDF. + + *Robbie Harwood* + + * Added SSH KDF (EVP_KDF_SSHKDF) and KRB5 KDF (EVP_KDF_KRB5KDF) to EVP_KDF. + + *Simo Sorce* + + * Added Single Step KDF (EVP_KDF_SS), X963 KDF, and X942 KDF to EVP_KDF. *Shane Lontis* - * Add KMAC to EVP_MAC. + * Added KMAC to EVP_MAC. *Shane Lontis* diff --git a/NEWS.md b/NEWS.md index 5d836031c4..7cf0d8a7b7 100644 --- a/NEWS.md +++ b/NEWS.md @@ -29,9 +29,9 @@ OpenSSL 3.0 ### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 [under development] * Enhanced 'openssl list' with many new options. - * Added migration guide to man7 - * Implemented support for fully "pluggable" TLSv1.3 groups - * Added suport for Kernel TLS (KTLS) + * Added migration guide to man7. + * Implemented support for fully "pluggable" TLSv1.3 groups. + * Added suport for Kernel TLS (KTLS). * Changed the license to the Apache License v2.0. * Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2, RC4, RC5, and DES to the legacy provider. @@ -47,6 +47,8 @@ OpenSSL 3.0 * Remove the `RAND_DRBG` API. * Deprecated the `ENGINE` API. * Added `OSSL_LIB_CTX`, a libcrypto library context. + * Added various `_ex` functions to the OpenSSL API that support using + a non-default `OSSL_LIB_CTX`. * Interactive mode is removed from the 'openssl' program. * The X25519, X448, Ed25519, Ed448, SHAKE128 and SHAKE256 algorithms are included in the FIPS provider.