CHANGES.md, NEWS.md: updates for 4.0.0 final release
NEWS.md is amended to include the following PRs:
* https://github.com/openssl/openssl/pull/28305
"Replace homebrewed implementation of *printf*() functions with libc"
* https://github.com/openssl/openssl/pull/29299
"Remove support for custom EVP_CIPHERs"
* https://github.com/openssl/openssl/pull/29366
"Remove support for custom EVP_MDs"
* https://github.com/openssl/openssl/pull/29384
"Remove support for custom EVP_PKEY_METHODs"
* https://github.com/openssl/openssl/pull/30128
"Removes fixed version TLS methods."
* https://github.com/openssl/openssl/pull/29405
"Remove support EVP_PKEY_ASN1_METHODs from the public API"
Overall, CHANGES.md includes the following:
* https://github.com/openssl/openssl/pull/8136
"Remove spurious '00:' printing RSA/DSA/DH/EC key material with leading bit
set in unsigned BN"
* https://github.com/openssl/openssl/pull/17495
"4.0: `X509_ALGOR_set_md()`: Add return value to indicate success or failure"
* https://github.com/openssl/openssl/pull/18229
"public API: Remove needless `const` from scalar types"
* https://github.com/openssl/openssl/pull/22304
"4.0: crypto/{CMS,PKCS7,OCSP,TS,X509}: constify cert list parameters"
* https://github.com/openssl/openssl/pull/24551
"Enable RFC 7919 FFDHE groups for TLS 1.2 server"
* https://github.com/openssl/openssl/pull/24738
"add ech-api.md"
* https://github.com/openssl/openssl/pull/25193
"ECH build artefacts and a bit of code"
* https://github.com/openssl/openssl/pull/25420
"ECH CLI implementation"
* https://github.com/openssl/openssl/pull/25663
"ECH external APIs"
* https://github.com/openssl/openssl/pull/25991
"preserve data constness when getting issuer name's and subject's hash"
* https://github.com/openssl/openssl/pull/26011
"ECH client side"
* https://github.com/openssl/openssl/pull/27397
"create SSL_listen_ex api"
* https://github.com/openssl/openssl/pull/27431
"fips: Enforce lower bounds checks for password protected files when using
FIPS providers, by default"
* https://github.com/openssl/openssl/pull/27540
"ECH client sending mulitple key shares"
* https://github.com/openssl/openssl/pull/27561
"ECH both sides now"
* https://github.com/openssl/openssl/pull/27776
"Introduce the PACKET_msg_start() function"
* https://github.com/openssl/openssl/pull/28033
"Constify further X509 functions; remove OSSL_FUTURE_CONST"
* https://github.com/openssl/openssl/pull/28041
"Remove support for SSLv2 Client Hello"
* https://github.com/openssl/openssl/pull/28108
"Add a way to cleanse params arrays"
* https://github.com/openssl/openssl/pull/28160
"New options for reading MAC key from environment variable, file and standard
input were added."
* https://github.com/openssl/openssl/pull/28270
"s_client and s_server command line options for ECH (plus some wndows
CI fixes)"
* https://github.com/openssl/openssl/pull/28278
"Implementing store support for EVP_SKEY"
* https://github.com/openssl/openssl/pull/28305
"Replace homebrewed implementation of *printf*() functions with libc"
* https://github.com/openssl/openssl/pull/28432
"Add support for CSHAKE."
* https://github.com/openssl/openssl/pull/28445
"Updated s_server's verify_return_error option to enable peer verification"
* https://github.com/openssl/openssl/pull/28535
"Print PowerPC CPUINFO"
* https://github.com/openssl/openssl/pull/28623
"Combining time validation with comparison return values considered harmful"
* https://github.com/openssl/openssl/pull/28837
"Add support to serialize/deserialize digest state for export/import"
* https://github.com/openssl/openssl/pull/29018
"CRL: Validate Certificate Issuer extension with IDP Indirect=TRUE"
* https://github.com/openssl/openssl/pull/29057
"Avoid empty AKID/SKID extensions in CSRs and certs"
* https://github.com/openssl/openssl/pull/29107
"CRL: Enforce proper handling of ASN1_TIME validation results"
* https://github.com/openssl/openssl/pull/29116
"info: Print CPUINFO for SPARCv9 processors"
* https://github.com/openssl/openssl/pull/29152
"Add new public API for checking certificate times."
* https://github.com/openssl/openssl/pull/29187
"Remove the ASN1_STRING_FLAG_X509_TIME flag"
* https://github.com/openssl/openssl/pull/29195
"Add SNMPKDF implementation"
* https://github.com/openssl/openssl/pull/29200
"Add tests and documentation and fix some issues resulting"
* https://github.com/openssl/openssl/pull/29206
"Per-key encoding formats for ML-KEM and ML-DSA"
* https://github.com/openssl/openssl/pull/29222
"Implementation of Deferred FIPS Self-Tests"
* https://github.com/openssl/openssl/pull/29223
"ML-DSA: Add a digest that can calculate external mu."
* https://github.com/openssl/openssl/pull/29230
"doc/man3: Add OPENSSL_ppccap.pod
* https://github.com/openssl/openssl/pull/29266
"make PEM hexdump width a multiple of 8 bytes"
* https://github.com/openssl/openssl/pull/29299
"Remove support for custom EVP_CIPHERs"
* https://github.com/openssl/openssl/pull/29305
"Feature/engineremoval"
* https://github.com/openssl/openssl/pull/29311
"Documentation for BIO flags and related functions"
* https://github.com/openssl/openssl/pull/29338
"merge feature/removesslv3"
* https://github.com/openssl/openssl/pull/29366
"Remove support for custom EVP_MDs"
* https://github.com/openssl/openssl/pull/29380
"Remove crypto-mdebug-backtrace option from config"
* https://github.com/openssl/openssl/pull/29381
" Added LMS support for OpenSSL commandline signature verification using
pkeyutl."
* https://github.com/openssl/openssl/pull/29384
"Remove support for custom EVP_PKEY_METHODs"
* https://github.com/openssl/openssl/pull/29385
"Atexit.final draft.cleanup"
* https://github.com/openssl/openssl/pull/29387
"Add ASN1_BIT_STRING_get_length()"
* https://github.com/openssl/openssl/pull/29405
"Remove support EVP_PKEY_ASN1_METHODs from the public API"
* https://github.com/openssl/openssl/pull/29427
"Remove the c_rehash script"
* https://github.com/openssl/openssl/pull/29428
"Constify return value of X509_get_X509_PUBKEY()"
* https://github.com/openssl/openssl/pull/29435
"Add SRTP KDF"
* https://github.com/openssl/openssl/pull/29445
"Remove BIO_f_reliable() as it is broken"
* https://github.com/openssl/openssl/pull/29465
"Constify X509_get_ext() and friends.."
* https://github.com/openssl/openssl/pull/29468
"constify X509_NAME."
* https://github.com/openssl/openssl/pull/29488
"Constify the X509_STORE_CTX argument to the lookup_certs functions."
* https://github.com/openssl/openssl/pull/29576
"KDF: Add configuration options to disable many of the KDF algorithms."
* https://github.com/openssl/openssl/pull/29612
"Support multiple names for certificate verification"
* https://github.com/openssl/openssl/pull/29635
"SSL_CTX_is_server() was added"
* https://github.com/openssl/openssl/pull/29639
"Disabling explicit EC curves encoding"
* https://github.com/openssl/openssl/pull/29640
"add thunking for compare function to OPENSSL_STACK"
* https://github.com/openssl/openssl/pull/29646
"Added SSL_CTX_get0_alpn_protos() and SSL_get0_alpn_protos()"
* https://github.com/openssl/openssl/pull/29653
"Drop darwin-i386(-cc) targets from Configurations"
* https://github.com/openssl/openssl/pull/29658
"Disable support of weak elliptic curves in TLS by default"
* https://github.com/openssl/openssl/pull/29672
"Drop darwin-ppc{,64} targets"
* https://github.com/openssl/openssl/pull/29721
"Make OPENSSL_cleanup() G A"
* https://github.com/openssl/openssl/pull/29813
"Make X509_ATTRIBUTE accessor functions const-correct"
* https://github.com/openssl/openssl/pull/29862
"Make ASN1_STRING opaque"
* https://github.com/openssl/openssl/pull/29874
"Take OPENSSL_atexit() for a walk behind the barn."
* https://github.com/openssl/openssl/pull/29926
"Provide ASN1_BIT_STRING_set1()"
* https://github.com/openssl/openssl/pull/29953
"Support for RFC8998 `sm2sig_sm3`, `curveSM2` and its ML-KEM-768 hybrid."
* https://github.com/openssl/openssl/pull/29971
"X509: apply AKID verification checks when X509_V_FLAG_X509_STRICT is set"
* https://github.com/openssl/openssl/pull/29982
"Improved reporting of shared and peer sigalgs"
* https://github.com/openssl/openssl/pull/29991
"Fix of SSL_get_error() so that it no longer depends on the state
of the error stack"
* https://github.com/openssl/openssl/pull/29995
"Add abilty to use static vcruntime"
* https://github.com/openssl/openssl/pull/30005
"Make ERR_STATE opaque and remove related deprecated functions"
* https://github.com/openssl/openssl/pull/30011
"Deprecate ASN1_OBJECT_new()."
* https://github.com/openssl/openssl/pull/30020
"Const correct time parameter for X509_cmp_time(), X509_time_adj()
and X509_time_adj_ex()."
* https://github.com/openssl/openssl/pull/30024
"CRL: reject malformed CRL Number and CRL Delta Indicator"
* https://github.com/openssl/openssl/pull/30028
"Add TLS 1.3 SM ciphersuites"
* https://github.com/openssl/openssl/pull/30031
"Mostly deprecated is slightly not deprecated...."
* https://github.com/openssl/openssl/pull/30033
"Remove the "msie-hack" option from openssl ca"
* https://github.com/openssl/openssl/pull/30034
"Use the appropriate libctx when executing CMS_SignerInfo_verify"
* https://github.com/openssl/openssl/pull/30035
"Constify X509_verify"
* https://github.com/openssl/openssl/pull/30036
"Constify more X509 arguments and return values"
* https://github.com/openssl/openssl/pull/30044
"Added BIO_set_send_flags() function to set flags passed to send(),
sendto(), and sendmsg()"
* https://github.com/openssl/openssl/pull/30048
"change from I-D to RFC 9849 and resolve TODO(ECH) cases"
* https://github.com/openssl/openssl/pull/30053
"Constify NAME_CONSTRAINTS_check and NAME_CONSTRAINTS_check_CN"
* https://github.com/openssl/openssl/pull/30054
"Consity X509_add_cert and X509_self_signed"
* https://github.com/openssl/openssl/pull/30055
"Constify various functions that were non const due to extension cache"
* https://github.com/openssl/openssl/pull/30056
"Constify X509_build_chain"
* https://github.com/openssl/openssl/pull/30058
"Constify X509_chain_check_suiteb"
* https://github.com/openssl/openssl/pull/30067
"Constify X509_check_issued and friends"
* https://github.com/openssl/openssl/pull/30071
"constify X509_check_trust, X509_TRUST_add"
* https://github.com/openssl/openssl/pull/30072
"Constify X509_to_X509_REQ and X509_REQ_to_X509"
* https://github.com/openssl/openssl/pull/30073
"Constify X509_print_fp and X509_print_ex_fp"
* https://github.com/openssl/openssl/pull/30074
"Constify X509_STORE_add_cert()"
* https://github.com/openssl/openssl/pull/30076
"Constify X509_STORE_CTX functions invoving X509 *"
* https://github.com/openssl/openssl/pull/30079
"Constify X509_CRL_get0_by_cert"
* https://github.com/openssl/openssl/pull/30080
"Constify X509v3_asid_validate_resource_set
and X509v3_addr_validate_resource_set"
* https://github.com/openssl/openssl/pull/30082
"Constify X509_REQ_get1_email, X509_get1_email and X509_get1_ocsp."
* https://github.com/openssl/openssl/pull/30084
"Constify X509_issuer_and_serial_hash"
* https://github.com/openssl/openssl/pull/30089
"Added -expected-rpks s_client/server option"
* https://github.com/openssl/openssl/pull/30090
"Constify X509_CRL_get0_by_cert"
* https://github.com/openssl/openssl/pull/30092
"constify X509_find_by_issuer_and_serial"
* https://github.com/openssl/openssl/pull/30096
"Constify X509_find_by_subject"
* https://github.com/openssl/openssl/pull/30098
"Add a changes entry for the x509 time function changes"
* https://github.com/openssl/openssl/pull/30113
"Add keyshare floating"
* https://github.com/openssl/openssl/pull/30117
"Constify X509_OBJECT_[get0|set1]_X509 and friends"
* https://github.com/openssl/openssl/pull/30127
"Constify a bunch of seldom used X509 functions. "
* https://github.com/openssl/openssl/pull/30128
"Removes fixed version TLS methods."
* https://github.com/openssl/openssl/pull/30140
"Ensure TLS 1.3 ciphersuites are actually for TLS 1.3"
* https://github.com/openssl/openssl/pull/30171
"CRL: Reject CRLs with malformed Issuing Distribution Point"
* https://github.com/openssl/openssl/pull/30200
"Remove remnant SSL_FIPS flag"
* https://github.com/openssl/openssl/pull/30229
"X509 returned by X509_REQ_to_X509() should not be (const ...)"
* https://github.com/openssl/openssl/pull/30235
"Make X509_up_ref and X509_free take const X509 *"
* https://github.com/openssl/openssl/pull/30249
"x509: remove erroneous critical extension enforcement"
* https://github.com/openssl/openssl/pull/30252
"Some more X509 extension add/del polish"
* https://github.com/openssl/openssl/pull/30263
"Restrict the number of keyshares/groups/sigalgs a server is willing
to accept"
* https://github.com/openssl/openssl/pull/30265
"Unconstify X509_find_by_issuer_and_serial() and X509_find_by_subject()"
* https://github.com/openssl/openssl/pull/30272
"Partially revert "Constify X509_STORE_CTX functions invoving X509
*""
* https://github.com/openssl/openssl/pull/30273
"Revert "Make X509_up_ref and X509_free take const X509 *""
* https://github.com/openssl/openssl/pull/30276
"Un-constify X509_OBJECT_get0_X509 and X509_OBJECT_set1_X509"
The changes associated with these PRs are already mentioned in 3.6.x changes:
* https://github.com/openssl/openssl/pull/28760
"Improve the CPUINFO display for RISC-V"
* https://github.com/openssl/openssl/pull/28797
"Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set"
* https://github.com/openssl/openssl/pull/28955
"Fix for TLS handshake issue with GnuTLS #28902"
* https://github.com/openssl/openssl/pull/29155
"fix(x509.c): fixed -checkend return values"
* https://github.com/openssl/openssl/pull/29214
"s390x: Check and fail on invalid malformed ECDSA signatures"
* https://github.com/openssl/openssl/pull/29242
"Clang format head"
* https://github.com/openssl/openssl/pull/29251
"Fix change of behavior of the single stapled OCSP response API"
* https://github.com/openssl/openssl/pull/30204
"Fix detection of plaintext HTTP over TLS"
* https://github.com/openssl/openssl/pull/30384
"Fix #19891 CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect"
* https://github.com/openssl/openssl/pull/30557
"re-constructorize the cpuid stuff, but fix riscv to not depend
on BIO_snprintf."
projects / thirdparty / openssl.git / commit
