Add CHANGES.md and NEWS.md updates for the 3.4 release

Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tom Cosgrove <[email protected]> (Merged from openssl#25339)
quictls · Sep 3, 2024 · 5650289 · 5650289
1 parent 01f4b44
commit 5650289
Show file tree

Hide file tree

Showing 2 changed files with 105 additions and 14 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -29,7 +29,17 @@ OpenSSL 3.4
 
 ### Changes between 3.3 and 3.4 [xx XXX xxxx]
 
- * XOF Digest API changes.
+ * Improved base64 BIO correctness and error reporting.
+
+   *Viktor Dukhovni*
+
+ * Added support for directly fetched composite signature algorithms such as
+   RSA-SHA2-256 including new API functions in the EVP_PKEY_sign,
+   EVP_PKEY_verify and EVP_PKEY_verify_recover groups.
+
+   *Richard Levitte*
+
+ * XOF Digest API improvements
 
    EVP_MD_CTX_get_size() and EVP_MD_CTX_size are macros that were aliased to
    EVP_MD_get_size which returns a constant value. XOF Digests such as SHAKE
@@ -44,7 +54,8 @@ OpenSSL 3.4
 
    *Shane Lontis*
 
- * Add FIPS indicators to the FIPS provider.
+ * Added FIPS indicators to the FIPS provider.
+
    FIPS 140-3 requires indicators to be used if the FIPS provider allows
    non-approved algorithms. An algorithm is approved if it passes all
    required checks such as minimum key size. By default an error will
@@ -66,19 +77,42 @@ OpenSSL 3.4
 
    *Shane Lontis, Paul Dale and Po-Hsing Wu*
 
- * Add debuginfo Makefile target for unix platforms to produce
+ * Added support for hardware acceleration for HMAC on S390x architecture.
+
+   *Ingo Franzki*
+
+ * Added debuginfo Makefile target for unix platforms to produce
    a separate DWARF info file from the corresponding shared libs.
 
    *Neil Horman*
 
- * Add feature to retrieve configured TLS signature algorithms,
+ * Added support for encapsulation and decapsulation operations in the
+   pkeyutl command.
+
+   *Dmitry Belyavskiy*
+
+ * Added implementation of RFC 9579 (PBMAC1) in PKCS#12.
+
+   *Dmitry Belyavskiy*
+
+ * Add a new random seed source RNG `JITTER` using a statically linked
+   jitterentropy library.
+
+   *Dimitri John Ledkov*
+
+ * Added a feature to retrieve configured TLS signature algorithms,
    e.g., via the openssl list command.
 
    *Michael Baentsch*
 
+ * Deprecated TS_VERIFY_CTX_set_* functions and added replacement
+   TS_VERIFY_CTX_set0_* functions with improved semantics.
+
+   *Tobias Erbsland*
+
  * Redesigned Windows use of OPENSSLDIR/ENGINESDIR/MODULESDIR such that
    what were formerly build time locations can now be defined at run time
-   with registry keys. See NOTES-WINDOWS.md
+   with registry keys. See NOTES-WINDOWS.md.
 
    *Neil Horman*
 
@@ -110,8 +144,8 @@ OpenSSL 3.4
 
    *Tomáš Mráz*
 
- * Use an empty renegotiate extension in TLS client hellos instead of
-   the empty renegotiation SCSV, for all connections with a minimum TLS
+ * An empty renegotiate extension will be used in TLS client hellos instead
+   of the empty renegotiation SCSV, for all connections with a minimum TLS
    version > 1.0.
 
    *Tim Perry*
@@ -127,7 +161,14 @@ OpenSSL 3.4
 
    This work was sponsored by Siemens AG.
 
-    *Rajeev Ranjan*
+   *Rajeev Ranjan*
+
+ * Added support for issuedOnBehalfOf, auditIdentity, basicAttConstraints,
+   userNotice, acceptablePrivilegePolicies, acceptableCertPolicies,
+   subjectDirectoryAttributes, associatedInformation, delegatedNameConstraints,
+   holderNameConstraints and targetingInformation X.509v3 extensions.
+
+   *Jonathan M. Wilbur*
 
  * Added Attribute Certificate (RFC 5755) support. Attribute
    Certificates can be created, parsed, modified and printed via the
@@ -208,11 +249,6 @@ OpenSSL 3.3
 
 ### Changes between 3.2 and 3.3.0 [9 Apr 2024]
 
- * Add a new random seed source RNG `JITTER` using a statically linked
-   jitterentropy library.
-
-   *Dimitri John Ledkov*
-
  * The `-verify` option to the `openssl crl` and `openssl req` will make
    the program exit with 1 on failure.
 

diff --git a/NEWS.md b/NEWS.md
@@ -28,7 +28,62 @@ OpenSSL.
 
 This release is in development.
 
-  * Added initial Attribute Certificate (RFC 5755) support.
+This release incorporates the following potentially significant or incompatible
+changes:
+
+  * Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement
+    TS_VERIFY_CTX_set0_* functions with improved semantics
+
+  * Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that
+    what were formerly build time locations can now be defined at run time
+    with registry keys
+
+  * The X25519 and X448 key exchange implementation in the FIPS provider
+    is unapproved and has `fips=no` property.
+
+  * SHAKE-128 and SHAKE-256 implementations have no default digest length
+    anymore. That means these algorithms cannot be used with
+    EVP_DigestFinal/_ex() unless the `xoflen` param is set before.
+
+  * Setting `config_diagnostics=1` in the config file will cause errors to
+    be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
+    in the ssl module configuration.
+
+  * An empty renegotiate extension will be used in TLS client hellos instead
+    of the empty renegotiation SCSV, for all connections with a minimum TLS
+    version > 1.0.
+
+  * Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and
+    SSL_CTX_flush_sessions() functions in favor of their respective `_ex`
+    functions which are Y2038-safe on platforms with Y2038-safe `time_t`
+
+This release adds the following new features:
+
+  * Support for directly fetched composite signature algorithms such as
+    RSA-SHA2-256 including new API functions
+
+  * FIPS indicators support in the FIPS provider and various updates of the FIPS
+    provider required for future FIPS 140-3 validations
+
+  * Implementation of RFC 9579 (PBMAC1) in PKCS#12
+
+  * An optional additional random seed source RNG `JITTER` using a statically
+    linked jitterentropy library
+
+  * New options `-not_before` and `-not_after` for explicit setting start and
+    end dates of certificates created with the `req` and `x509` apps
+
+  * Support for integrity-only cipher suites TLS_SHA256_SHA256 and
+    TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150
+
+  * Support for requesting CRL in CMP
+
+  * Support for additional X.509v3 extensions related to Attribute Certificates
+
+  * Initial Attribute Certificate (RFC 5755) support
+
+  * Possibility to customize ECC groups initialization to use precomputed values
+    to save CPU time and use of this feature by the P-256 implementation
 
 OpenSSL 3.3
 -----------