[openssl] openssl-3.0 update

Richard Levitte levitte at openssl.org
Tue Sep 7 11:24:37 UTC 2021 

The branch openssl-3.0 has been updated
       via  00dbc7cc77d702c59a776b7726e54f3d29059f05 (commit)
      from  4c4ab4d7efdf8c9b49c9838742a0fcd7321d88ff (commit)


- Log -----------------------------------------------------------------
commit 00dbc7cc77d702c59a776b7726e54f3d29059f05
Author: Tomas Mraz <tomas at openssl.org>
Date:   Tue Sep 7 13:18:22 2021 +0200

    Last minute NEWS and CHANGES entries for the 3.0 release
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16533)
    
    (cherry picked from commit 95a444c9adcad04035704ab3b5d749a185ef0960)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++--
 NEWS.md    |  8 +++++---
 2 files changed, 51 insertions(+), 5 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 5578b0e7e5..00d9246274 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -30,6 +30,37 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
 
+ * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now
+   deprecated.
+
+   *Matt Caswell*
+
+ * The `OPENSSL_s390xcap` environment variable can be used to set bits in the
+   S390X capability vector to zero. This simplifies testing of different code
+   paths on S390X architecture.
+
+   *Patrick Steuer*
+
+ * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
+   as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
+   SP 800-38D". The communication will fail at this point.
+
+   *Paul Dale*
+
+ * The EC_GROUP_clear_free() function is deprecated as there is nothing
+   confidential in EC_GROUP data.
+
+   *Nicola Tuveri*
+
+ * The byte order mark (BOM) character is ignored if encountered at the
+   beginning of a PEM-formatted file.
+
+   *Dmitry Belyavskiy*
+
+ * Added CMS support for the Russian GOST algorithms.
+
+   *Dmitry Belyavskiy*
+
  * Due to move of the implementation of cryptographic operations
    to the providers, validation of various operation parameters can
    be postponed until the actual operation is executed where previously
@@ -513,6 +544,11 @@ breaking changes, and mappings for the large list of deprecated functions.
 
    *Richard Levitte*
 
+ * Added various `_ex` functions to the OpenSSL API that support using
+   a non-default `OSSL_LIB_CTX`.
+
+   *OpenSSL team*
+
  * Handshake now fails if Extended Master Secret extension is dropped
    on renegotiation.
 
@@ -1226,11 +1262,19 @@ breaking changes, and mappings for the large list of deprecated functions.
 
    *Richard Levitte*
 
- * Add Single Step KDF (EVP_KDF_SS) to EVP_KDF.
+ * Added KB KDF (EVP_KDF_KB) to EVP_KDF.
+
+   *Robbie Harwood*
+
+ * Added SSH KDF (EVP_KDF_SSHKDF) and KRB5 KDF (EVP_KDF_KRB5KDF) to EVP_KDF.
+
+   *Simo Sorce*
+
+ * Added Single Step KDF (EVP_KDF_SS), X963 KDF, and X942 KDF to EVP_KDF.
 
    *Shane Lontis*
 
- * Add KMAC to EVP_MAC.
+ * Added KMAC to EVP_MAC.
 
    *Shane Lontis*
 
diff --git a/NEWS.md b/NEWS.md
index f2097f1dd4..cec9cd48e0 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -21,9 +21,9 @@ OpenSSL 3.0
 ### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 [under development]
 
   * Enhanced 'openssl list' with many new options.
-  * Added migration guide to man7
-  * Implemented support for fully "pluggable" TLSv1.3 groups
-  * Added suport for Kernel TLS (KTLS)
+  * Added migration guide to man7.
+  * Implemented support for fully "pluggable" TLSv1.3 groups.
+  * Added suport for Kernel TLS (KTLS).
   * Changed the license to the Apache License v2.0.
   * Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2,
     RC4, RC5, and DES to the legacy provider.
@@ -39,6 +39,8 @@ OpenSSL 3.0
   * Remove the `RAND_DRBG` API.
   * Deprecated the `ENGINE` API.
   * Added `OSSL_LIB_CTX`, a libcrypto library context.
+  * Added various `_ex` functions to the OpenSSL API that support using
+    a non-default `OSSL_LIB_CTX`.
   * Interactive mode is removed from the 'openssl' program.
   * The X25519, X448, Ed25519, Ed448, SHAKE128 and SHAKE256 algorithms are
     included in the FIPS provider.

More information about the openssl-commits mailing list