From: Pauli <pauli@openssl.org>
Date: Fri, 7 Jul 2023 08:37:08 +0000 (+1000)
Subject: Add a NEWS entry covering the FIPS related changes.
X-Git-Tag: openssl-3.1.2~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dfc4b6c93b99f6666cd958c5643a24bb6edff7b7;p=thirdparty%2Fopenssl.git

Add a NEWS entry covering the FIPS related changes.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/21386)
---

diff --git a/CHANGES.md b/CHANGES.md
index 2b405ede8d7..84f35c7dc4c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,7 +24,12 @@ OpenSSL 3.1
 
 ### Changes between 3.1.1 and 3.1.2 [xx XXX xxxx]
 
- * none yet
+ * When building with the `enable-fips` option and using the resulting
+   FIPS provider, TLS 1.2 will, by default, mandate the use of an extended
+   master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will
+   not operate with truncated digests (FIPS 140-3 IG G.R).
+
+   *Paul Dale*
 
 ### Changes between 3.1.0 and 3.1.1 [30 May 2023]
 
diff --git a/NEWS.md b/NEWS.md
index 708db5c5ef3..2ef478cc1ab 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -21,7 +21,10 @@ OpenSSL 3.1
 
 ### Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [under development]
 
-  * none
+ * When building with the `enable-fips` option and using the resulting
+   FIPS provider, TLS 1.2 will, by default, mandate the use of an
+   extended master secret and the Hash and HMAC DRBGs will not operate
+   with truncated digests.
 
 ### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [30 May 2023]