From: Norbert Pocs Date: Mon, 1 Sep 2025 12:38:51 +0000 (+0200) Subject: Release news and changelog for version 3.6 X-Git-Tag: openssl-3.6.0-alpha1~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=145e909a69821b96115b657cf0d9fa374bf8c695;p=thirdparty%2Fopenssl.git Release news and changelog for version 3.6 Release: yes Signed-off-by: Norbert Pocs Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/28403) --- diff --git a/CHANGES.md b/CHANGES.md index 70a682cf453..2edfb577262 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -31,6 +31,87 @@ OpenSSL 3.6 ### Changes between 3.5 and 3.6 [xx XXX xxxx] + * Added support for EVP_SKEY opaque symmetric key objects to the key + derivation and key exchange provider methods. Added `EVP_KDF_CTX_set_SKEY()`, + `EVP_KDF_derive_SKEY()`, and `EVP_PKEY_derive_SKEY()` functions. + + *Dmitry Belyavskiy and Simo Sorce* + + * Added PCT for key import for SLH-DSA when in FIPS mode. + + *Dr Paul Dale* + + * Added FIPS 140-3 PCT on DH key generation. + + *Nikola Pajkovsky* + + * Added i2d_PKCS8PrivateKey(3) API to complement i2d_PrivateKey(3), the former + always outputs PKCS#8. + + *Viktor Dukhovni* + + * Implemented interleaved AES-CBC+HMAC-SHA algorithm on aarch64. + + *Fangming Fang* + + * Added NIST security categories for PKEY objects. + + *Dr Paul Dale* + + * Added notification when all stream FINs are acknowledged in QUIC. Introduced + `ossl_quic_channel_notify_flush_done()` so that once final FINs are ACKed, + the channel transitions to terminating and SSL_poll() signals completion. + This allows applications to progress shutdown reliably. + + *Alexandr Nedvedicky* + + * Fixed the synthesised `OPENSSL_VERSION_NUMBER`. + + *Richard Levitte* + + * Added array memory allocation routines and converted suitable memory + allocation calls in the library to them. + + *Eugene Syromiatnikov* + + * Fixed behavior change of EC keygen by adding the generic error entry if the + provider did not itself add an error entry onto the queue. That way, there + always is an error on the error queue in case of a failure, but no behavior + change in case the provider emitted the error entry itself. + + *Ingo Franzki* + + * Documented all the environment variables used across the project in + `openssl-env(7)` and in specific man pages. + + *Eugene Syromiatnikov* + + * Added SHA-2 assembly implementation enhancing performance for LoongArch. + Added optimized SM3, MD5, SHA-256, SHA-512 implementation using Zbb extension + for RISC-V. + + *Julian Zhu* + + * Added options `CRYPTO_MEM_SEC` and `CRYPTO_MEM_SEC_MINSIZE` to openssl app to + initialize secure memory at the beginning of openssl app. + + *Norbert Pocs* + + * Resolved compiler warnings on Win64 builds. + + *Tomas Mraz* + + * Extended new `CRYPTO_THREAD_[get|set]_local` api to reduce our reliance + on OS thread-local variables. + + *Neil Horman* + + * Added make targets `build_inst_sw` and `build_inst_programs` which have the + functionality to split the build into two parts, e.g.: when tests should be + built with different compiler flags than installed software. + + *Pavol Zacik* + * Refactored OSSL_PARAM name parsing so that automatically generated parsers are used instead of OSSL_PARAM_locate calls. This should also ensure that the list of acceptable parameters better matches @@ -172,7 +253,14 @@ OpenSSL 3.6 OpenSSL 3.5 ----------- -### Changes between 3.5.0 and 3.5.1 [xx XXX xxxx] +### Changes between 3.5.1 and 3.5.2 [5 Aug 2025] + + * The FIPS provider now performs a PCT on key import for RSA, EC and ECX. + This is mandated by FIPS 140-3 IG 10.3.A additional comment 1. + + *Dr Paul Dale* + +### Changes between 3.5.0 and 3.5.1 [1 Jul 2025] * Fix x509 application adds trusted use instead of rejected use. diff --git a/NEWS.md b/NEWS.md index cbdb54e7ef4..4d76005b5aa 100644 --- a/NEWS.md +++ b/NEWS.md @@ -7,6 +7,7 @@ release. For more details please read the CHANGES file. OpenSSL Releases ---------------- + - [OpenSSL 3.6](#openssl-36) - [OpenSSL 3.5](#openssl-35) - [OpenSSL 3.4](#openssl-34) - [OpenSSL 3.3](#openssl-33) @@ -20,7 +21,7 @@ OpenSSL Releases - [OpenSSL 1.0.0](#openssl-100) - [OpenSSL 0.9.x](#openssl-09x) -OpenSSL 3.5 +OpenSSL 3.6 ----------- ### Major changes between OpenSSL 3.5 and OpenSSL 3.6 [under development] @@ -28,6 +29,22 @@ OpenSSL 3.5 This release incorporates the following potentially significant or incompatible changes: + * Added PCT for key import for SLH-DSA when in FIPS mode + + * Added FIPS 140-3 PCT on DH key generation + + * Added NIST security categories for PKEY objects. + + * Added support for EVP_SKEY opaque symmetric key objects to the key + derivation and key exchange provider methods. Added `EVP_KDF_CTX_set_SKEY()`, + `EVP_KDF_derive_SKEY()`, and `EVP_PKEY_derive_SKEY()` functions. + + * The FIPS provider now performs a PCT on key import for RSA, EC and ECX. + This is mandated by FIPS 140-3 IG 10.3.A additional comment 1. + + * Added LMS signature verification support as per [SP 800-208]. This + support is present in both the FIPS and default providers. + * An ANSI-C toolchain is no longer sufficient for building OpenSSL. The code should build on compilers supporting C-99 features. @@ -39,7 +56,19 @@ changes: * Added support for FIPS 186-5 deterministic ECDSA signature generation to the FIPS provider. -### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [under development] + * Deprecated `EVP_PKEY_ASN1_METHOD` related functions. + +OpenSSL 3.5 +----------- + +### Changes between 3.5.1 and 3.5.2 [5 Aug 2025] + + * The FIPS provider now performs a PCT on key import for RSA, EC and ECX. + This is mandated by FIPS 140-3 IG 10.3.A additional comment 1. + + *Dr Paul Dale* + +### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [1 Jul 2025] OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this release is Low. @@ -49,7 +78,7 @@ This release incorporates the following bug fixes and mitigations: * Fix x509 application adds trusted use instead of rejected use. ([CVE-2025-4575]) -### Major changes between OpenSSL 3.4 and OpenSSL 3.5 [under development] +### Major changes between OpenSSL 3.4 and OpenSSL 3.5 [8 Apr 2025] OpenSSL 3.5.0 is a feature release adding significant new functionality to OpenSSL.