### Changes between 3.5 and 3.6 [xx XXX xxxx]
+ * Added support for EVP_SKEY opaque symmetric key objects to the key
+ derivation and key exchange provider methods. Added `EVP_KDF_CTX_set_SKEY()`,
+ `EVP_KDF_derive_SKEY()`, and `EVP_PKEY_derive_SKEY()` functions.
+
+ *Dmitry Belyavskiy and Simo Sorce*
+
+ * Added PCT for key import for SLH-DSA when in FIPS mode.
+
+ *Dr Paul Dale*
+
+ * Added FIPS 140-3 PCT on DH key generation.
+
+ *Nikola Pajkovsky*
+
+ * Added i2d_PKCS8PrivateKey(3) API to complement i2d_PrivateKey(3), the former
+ always outputs PKCS#8.
+
+ *Viktor Dukhovni*
+
+ * Implemented interleaved AES-CBC+HMAC-SHA algorithm on aarch64.
+
+ *Fangming Fang*
+
+ * Added NIST security categories for PKEY objects.
+
+ *Dr Paul Dale*
+
+ * Added notification when all stream FINs are acknowledged in QUIC. Introduced
+ `ossl_quic_channel_notify_flush_done()` so that once final FINs are ACKed,
+ the channel transitions to terminating and SSL_poll() signals completion.
+ This allows applications to progress shutdown reliably.
+
+ *Alexandr Nedvedicky*
+
+ * Fixed the synthesised `OPENSSL_VERSION_NUMBER`.
+
+ *Richard Levitte*
+
+ * Added array memory allocation routines and converted suitable memory
+ allocation calls in the library to them.
+
+ *Eugene Syromiatnikov*
+
+ * Fixed behavior change of EC keygen by adding the generic error entry if the
+ provider did not itself add an error entry onto the queue. That way, there
+ always is an error on the error queue in case of a failure, but no behavior
+ change in case the provider emitted the error entry itself.
+
+ *Ingo Franzki*
+
+ * Documented all the environment variables used across the project in
+ `openssl-env(7)` and in specific man pages.
+
+ *Eugene Syromiatnikov*
+
+ * Added SHA-2 assembly implementation enhancing performance for LoongArch.
+ Added optimized SM3, MD5, SHA-256, SHA-512 implementation using Zbb extension
+ for RISC-V.
+
+ *Julian Zhu*
+
+ * Added options `CRYPTO_MEM_SEC` and `CRYPTO_MEM_SEC_MINSIZE` to openssl app to
+ initialize secure memory at the beginning of openssl app.
+
+ *Norbert Pocs*
+
+ * Resolved compiler warnings on Win64 builds.
+
+ *Tomas Mraz*
+
+ * Extended new `CRYPTO_THREAD_[get|set]_local` api to reduce our reliance
+ on OS thread-local variables.
+
+ *Neil Horman*
+
+ * Added make targets `build_inst_sw` and `build_inst_programs` which have the
+ functionality to split the build into two parts, e.g.: when tests should be
+ built with different compiler flags than installed software.
+
+ *Pavol Zacik*
+
* Refactored OSSL_PARAM name parsing so that automatically generated
parsers are used instead of OSSL_PARAM_locate calls. This should
also ensure that the list of acceptable parameters better matches
OpenSSL 3.5
-----------
-### Changes between 3.5.0 and 3.5.1 [xx XXX xxxx]
+### Changes between 3.5.1 and 3.5.2 [5 Aug 2025]
+
+ * The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
+ This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
+
+ *Dr Paul Dale*
+
+### Changes between 3.5.0 and 3.5.1 [1 Jul 2025]
* Fix x509 application adds trusted use instead of rejected use.
OpenSSL Releases
----------------
+ - [OpenSSL 3.6](#openssl-36)
- [OpenSSL 3.5](#openssl-35)
- [OpenSSL 3.4](#openssl-34)
- [OpenSSL 3.3](#openssl-33)
- [OpenSSL 1.0.0](#openssl-100)
- [OpenSSL 0.9.x](#openssl-09x)
-OpenSSL 3.5
+OpenSSL 3.6
-----------
### Major changes between OpenSSL 3.5 and OpenSSL 3.6 [under development]
This release incorporates the following potentially significant or incompatible
changes:
+ * Added PCT for key import for SLH-DSA when in FIPS mode
+
+ * Added FIPS 140-3 PCT on DH key generation
+
+ * Added NIST security categories for PKEY objects.
+
+ * Added support for EVP_SKEY opaque symmetric key objects to the key
+ derivation and key exchange provider methods. Added `EVP_KDF_CTX_set_SKEY()`,
+ `EVP_KDF_derive_SKEY()`, and `EVP_PKEY_derive_SKEY()` functions.
+
+ * The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
+ This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
+
+ * Added LMS signature verification support as per [SP 800-208]. This
+ support is present in both the FIPS and default providers.
+
* An ANSI-C toolchain is no longer sufficient for building OpenSSL. The code
should build on compilers supporting C-99 features.
* Added support for FIPS 186-5 deterministic ECDSA signature
generation to the FIPS provider.
-### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [under development]
+ * Deprecated `EVP_PKEY_ASN1_METHOD` related functions.
+
+OpenSSL 3.5
+-----------
+
+### Changes between 3.5.1 and 3.5.2 [5 Aug 2025]
+
+ * The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
+ This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
+
+ *Dr Paul Dale*
+
+### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [1 Jul 2025]
OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this
release is Low.
* Fix x509 application adds trusted use instead of rejected use.
([CVE-2025-4575])
-### Major changes between OpenSSL 3.4 and OpenSSL 3.5 [under development]
+### Major changes between OpenSSL 3.4 and OpenSSL 3.5 [8 Apr 2025]
OpenSSL 3.5.0 is a feature release adding significant new functionality to
OpenSSL.
projects / thirdparty / openssl.git / commitdiff
