Eugene Syromiatnikov
78f65b1e09
CHANGES.md, NEWS.md: updates for 4.0.0 final release
...
NEWS.md is amended to include the following PRs:
* https://github.com/openssl/openssl/pull/28305
"Replace homebrewed implementation of *printf*() functions with libc"
* https://github.com/openssl/openssl/pull/29299
"Remove support for custom EVP_CIPHERs"
* https://github.com/openssl/openssl/pull/29366
"Remove support for custom EVP_MDs"
* https://github.com/openssl/openssl/pull/29384
"Remove support for custom EVP_PKEY_METHODs"
* https://github.com/openssl/openssl/pull/30128
"Removes fixed version TLS methods."
* https://github.com/openssl/openssl/pull/29405
"Remove support EVP_PKEY_ASN1_METHODs from the public API"
Overall, CHANGES.md includes the following:
* https://github.com/openssl/openssl/pull/8136
"Remove spurious '00:' printing RSA/DSA/DH/EC key material with leading bit
set in unsigned BN"
* https://github.com/openssl/openssl/pull/17495
"4.0: `X509_ALGOR_set_md()`: Add return value to indicate success or failure"
* https://github.com/openssl/openssl/pull/18229
"public API: Remove needless `const` from scalar types"
* https://github.com/openssl/openssl/pull/22304
"4.0: crypto/{CMS,PKCS7,OCSP,TS,X509}: constify cert list parameters"
* https://github.com/openssl/openssl/pull/24551
"Enable RFC 7919 FFDHE groups for TLS 1.2 server"
* https://github.com/openssl/openssl/pull/24738
"add ech-api.md"
* https://github.com/openssl/openssl/pull/25193
"ECH build artefacts and a bit of code"
* https://github.com/openssl/openssl/pull/25420
"ECH CLI implementation"
* https://github.com/openssl/openssl/pull/25663
"ECH external APIs"
* https://github.com/openssl/openssl/pull/25991
"preserve data constness when getting issuer name's and subject's hash"
* https://github.com/openssl/openssl/pull/26011
"ECH client side"
* https://github.com/openssl/openssl/pull/27397
"create SSL_listen_ex api"
* https://github.com/openssl/openssl/pull/27431
"fips: Enforce lower bounds checks for password protected files when using
FIPS providers, by default"
* https://github.com/openssl/openssl/pull/27540
"ECH client sending mulitple key shares"
* https://github.com/openssl/openssl/pull/27561
"ECH both sides now"
* https://github.com/openssl/openssl/pull/27776
"Introduce the PACKET_msg_start() function"
* https://github.com/openssl/openssl/pull/28033
"Constify further X509 functions; remove OSSL_FUTURE_CONST"
* https://github.com/openssl/openssl/pull/28041
"Remove support for SSLv2 Client Hello"
* https://github.com/openssl/openssl/pull/28108
"Add a way to cleanse params arrays"
* https://github.com/openssl/openssl/pull/28160
"New options for reading MAC key from environment variable, file and standard
input were added."
* https://github.com/openssl/openssl/pull/28270
"s_client and s_server command line options for ECH (plus some wndows
CI fixes)"
* https://github.com/openssl/openssl/pull/28278
"Implementing store support for EVP_SKEY"
* https://github.com/openssl/openssl/pull/28305
"Replace homebrewed implementation of *printf*() functions with libc"
* https://github.com/openssl/openssl/pull/28432
"Add support for CSHAKE."
* https://github.com/openssl/openssl/pull/28445
"Updated s_server's verify_return_error option to enable peer verification"
* https://github.com/openssl/openssl/pull/28535
"Print PowerPC CPUINFO"
* https://github.com/openssl/openssl/pull/28623
"Combining time validation with comparison return values considered harmful"
* https://github.com/openssl/openssl/pull/28837
"Add support to serialize/deserialize digest state for export/import"
* https://github.com/openssl/openssl/pull/29018
"CRL: Validate Certificate Issuer extension with IDP Indirect=TRUE"
* https://github.com/openssl/openssl/pull/29057
"Avoid empty AKID/SKID extensions in CSRs and certs"
* https://github.com/openssl/openssl/pull/29107
"CRL: Enforce proper handling of ASN1_TIME validation results"
* https://github.com/openssl/openssl/pull/29116
"info: Print CPUINFO for SPARCv9 processors"
* https://github.com/openssl/openssl/pull/29152
"Add new public API for checking certificate times."
* https://github.com/openssl/openssl/pull/29187
"Remove the ASN1_STRING_FLAG_X509_TIME flag"
* https://github.com/openssl/openssl/pull/29195
"Add SNMPKDF implementation"
* https://github.com/openssl/openssl/pull/29200
"Add tests and documentation and fix some issues resulting"
* https://github.com/openssl/openssl/pull/29206
"Per-key encoding formats for ML-KEM and ML-DSA"
* https://github.com/openssl/openssl/pull/29222
"Implementation of Deferred FIPS Self-Tests"
* https://github.com/openssl/openssl/pull/29223
"ML-DSA: Add a digest that can calculate external mu."
* https://github.com/openssl/openssl/pull/29230
"doc/man3: Add OPENSSL_ppccap.pod"
* https://github.com/openssl/openssl/pull/29266
"make PEM hexdump width a multiple of 8 bytes"
* https://github.com/openssl/openssl/pull/29299
"Remove support for custom EVP_CIPHERs"
* https://github.com/openssl/openssl/pull/29305
"Feature/engineremoval"
* https://github.com/openssl/openssl/pull/29311
"Documentation for BIO flags and related functions"
* https://github.com/openssl/openssl/pull/29338
"merge feature/removesslv3"
* https://github.com/openssl/openssl/pull/29366
"Remove support for custom EVP_MDs"
* https://github.com/openssl/openssl/pull/29380
"Remove crypto-mdebug-backtrace option from config"
* https://github.com/openssl/openssl/pull/29381
" Added LMS support for OpenSSL commandline signature verification using
pkeyutl."
* https://github.com/openssl/openssl/pull/29384
"Remove support for custom EVP_PKEY_METHODs"
* https://github.com/openssl/openssl/pull/29385
"Atexit.final draft.cleanup"
* https://github.com/openssl/openssl/pull/29387
"Add ASN1_BIT_STRING_get_length()"
* https://github.com/openssl/openssl/pull/29405
"Remove support EVP_PKEY_ASN1_METHODs from the public API"
* https://github.com/openssl/openssl/pull/29427
"Remove the c_rehash script"
* https://github.com/openssl/openssl/pull/29428
"Constify return value of X509_get_X509_PUBKEY()"
* https://github.com/openssl/openssl/pull/29435
"Add SRTP KDF"
* https://github.com/openssl/openssl/pull/29445
"Remove BIO_f_reliable() as it is broken"
* https://github.com/openssl/openssl/pull/29465
"Constify X509_get_ext() and friends.."
* https://github.com/openssl/openssl/pull/29468
"constify X509_NAME."
* https://github.com/openssl/openssl/pull/29488
"Constify the X509_STORE_CTX argument to the lookup_certs functions."
* https://github.com/openssl/openssl/pull/29576
"KDF: Add configuration options to disable many of the KDF algorithms."
* https://github.com/openssl/openssl/pull/29612
"Support multiple names for certificate verification"
* https://github.com/openssl/openssl/pull/29635
"SSL_CTX_is_server() was added"
* https://github.com/openssl/openssl/pull/29639
"Disabling explicit EC curves encoding"
* https://github.com/openssl/openssl/pull/29640
"add thunking for compare function to OPENSSL_STACK"
* https://github.com/openssl/openssl/pull/29646
"Added SSL_CTX_get0_alpn_protos() and SSL_get0_alpn_protos()"
* https://github.com/openssl/openssl/pull/29653
"Drop darwin-i386(-cc) targets from Configurations"
* https://github.com/openssl/openssl/pull/29658
"Disable support of weak elliptic curves in TLS by default"
* https://github.com/openssl/openssl/pull/29672
"Drop darwin-ppc{,64} targets"
* https://github.com/openssl/openssl/pull/29721
"Make OPENSSL_cleanup() G A"
* https://github.com/openssl/openssl/pull/29813
"Make X509_ATTRIBUTE accessor functions const-correct"
* https://github.com/openssl/openssl/pull/29862
"Make ASN1_STRING opaque"
* https://github.com/openssl/openssl/pull/29874
"Take OPENSSL_atexit() for a walk behind the barn."
* https://github.com/openssl/openssl/pull/29926
"Provide ASN1_BIT_STRING_set1()"
* https://github.com/openssl/openssl/pull/29953
"Support for RFC8998 `sm2sig_sm3`, `curveSM2` and its ML-KEM-768 hybrid."
* https://github.com/openssl/openssl/pull/29971
"X509: apply AKID verification checks when X509_V_FLAG_X509_STRICT is set"
* https://github.com/openssl/openssl/pull/29982
"Improved reporting of shared and peer sigalgs"
* https://github.com/openssl/openssl/pull/29991
"Fix of SSL_get_error() so that it no longer depends on the state
of the error stack"
* https://github.com/openssl/openssl/pull/29995
"Add abilty to use static vcruntime"
* https://github.com/openssl/openssl/pull/30005
"Make ERR_STATE opaque and remove related deprecated functions"
* https://github.com/openssl/openssl/pull/30011
"Deprecate ASN1_OBJECT_new()."
* https://github.com/openssl/openssl/pull/30020
"Const correct time parameter for X509_cmp_time(), X509_time_adj()
and X509_time_adj_ex()."
* https://github.com/openssl/openssl/pull/30024
"CRL: reject malformed CRL Number and CRL Delta Indicator"
* https://github.com/openssl/openssl/pull/30028
"Add TLS 1.3 SM ciphersuites"
* https://github.com/openssl/openssl/pull/30031
"Mostly deprecated is slightly not deprecated...."
* https://github.com/openssl/openssl/pull/30033
"Remove the "msie-hack" option from openssl ca"
* https://github.com/openssl/openssl/pull/30034
"Use the appropriate libctx when executing CMS_SignerInfo_verify"
* https://github.com/openssl/openssl/pull/30035
"Constify X509_verify"
* https://github.com/openssl/openssl/pull/30036
"Constify more X509 arguments and return values"
* https://github.com/openssl/openssl/pull/30044
"Added BIO_set_send_flags() function to set flags passed to send(),
sendto(), and sendmsg()"
* https://github.com/openssl/openssl/pull/30048
"change from I-D to RFC 9849 and resolve TODO(ECH) cases"
* https://github.com/openssl/openssl/pull/30053
"Constify NAME_CONSTRAINTS_check and NAME_CONSTRAINTS_check_CN"
* https://github.com/openssl/openssl/pull/30054
"Consity X509_add_cert and X509_self_signed"
* https://github.com/openssl/openssl/pull/30055
"Constify various functions that were non const due to extension cache"
* https://github.com/openssl/openssl/pull/30056
"Constify X509_build_chain"
* https://github.com/openssl/openssl/pull/30058
"Constify X509_chain_check_suiteb"
* https://github.com/openssl/openssl/pull/30067
"Constify X509_check_issued and friends"
* https://github.com/openssl/openssl/pull/30071
"constify X509_check_trust, X509_TRUST_add"
* https://github.com/openssl/openssl/pull/30072
"Constify X509_to_X509_REQ and X509_REQ_to_X509"
* https://github.com/openssl/openssl/pull/30073
"Constify X509_print_fp and X509_print_ex_fp"
* https://github.com/openssl/openssl/pull/30074
"Constify X509_STORE_add_cert()"
* https://github.com/openssl/openssl/pull/30076
"Constify X509_STORE_CTX functions invoving X509 *"
* https://github.com/openssl/openssl/pull/30079
"Constify X509_CRL_get0_by_cert"
* https://github.com/openssl/openssl/pull/30080
"Constify X509v3_asid_validate_resource_set
and X509v3_addr_validate_resource_set"
* https://github.com/openssl/openssl/pull/30082
"Constify X509_REQ_get1_email, X509_get1_email and X509_get1_ocsp."
* https://github.com/openssl/openssl/pull/30084
"Constify X509_issuer_and_serial_hash"
* https://github.com/openssl/openssl/pull/30089
"Added -expected-rpks s_client/server option"
* https://github.com/openssl/openssl/pull/30090
"Constify X509_CRL_get0_by_cert"
* https://github.com/openssl/openssl/pull/30092
"constify X509_find_by_issuer_and_serial"
* https://github.com/openssl/openssl/pull/30096
"Constify X509_find_by_subject"
* https://github.com/openssl/openssl/pull/30098
"Add a changes entry for the x509 time function changes"
* https://github.com/openssl/openssl/pull/30113
"Add keyshare floating"
* https://github.com/openssl/openssl/pull/30117
"Constify X509_OBJECT_[get0|set1]_X509 and friends"
* https://github.com/openssl/openssl/pull/30127
"Constify a bunch of seldom used X509 functions. "
* https://github.com/openssl/openssl/pull/30128
"Removes fixed version TLS methods."
* https://github.com/openssl/openssl/pull/30140
"Ensure TLS 1.3 ciphersuites are actually for TLS 1.3"
* https://github.com/openssl/openssl/pull/30171
"CRL: Reject CRLs with malformed Issuing Distribution Point"
* https://github.com/openssl/openssl/pull/30200
"Remove remnant SSL_FIPS flag"
* https://github.com/openssl/openssl/pull/30229
"X509 returned by X509_REQ_to_X509() should not be (const ...)"
* https://github.com/openssl/openssl/pull/30235
"Make X509_up_ref and X509_free take const X509 *"
* https://github.com/openssl/openssl/pull/30249
"x509: remove erroneous critical extension enforcement"
* https://github.com/openssl/openssl/pull/30252
"Some more X509 extension add/del polish"
* https://github.com/openssl/openssl/pull/30263
"Restrict the number of keyshares/groups/sigalgs a server is willing
to accept"
* https://github.com/openssl/openssl/pull/30265
"Unconstify X509_find_by_issuer_and_serial() and X509_find_by_subject()"
* https://github.com/openssl/openssl/pull/30272
"Partially revert "Constify X509_STORE_CTX functions invoving X509
*""
* https://github.com/openssl/openssl/pull/30273
"Revert "Make X509_up_ref and X509_free take const X509 *""
* https://github.com/openssl/openssl/pull/30276
"Un-constify X509_OBJECT_get0_X509 and X509_OBJECT_set1_X509"
The changes associated with these PRs are already mentioned in 3.6.x changes:
* https://github.com/openssl/openssl/pull/28760
"Improve the CPUINFO display for RISC-V"
* https://github.com/openssl/openssl/pull/28797
"Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set"
* https://github.com/openssl/openssl/pull/28955
"Fix for TLS handshake issue with GnuTLS #28902 "
* https://github.com/openssl/openssl/pull/29155
"fix(x509.c): fixed -checkend return values"
* https://github.com/openssl/openssl/pull/29214
"s390x: Check and fail on invalid malformed ECDSA signatures"
* https://github.com/openssl/openssl/pull/29242
"Clang format head"
* https://github.com/openssl/openssl/pull/29251
"Fix change of behavior of the single stapled OCSP response API"
* https://github.com/openssl/openssl/pull/30204
"Fix detection of plaintext HTTP over TLS"
* https://github.com/openssl/openssl/pull/30384
"Fix #19891 CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect"
* https://github.com/openssl/openssl/pull/30557
"re-constructorize the cpuid stuff, but fix riscv to not depend
on BIO_snprintf."
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Original-PR: https://github.com/openssl/openssl/pull/30817
Original-Commit: 8fba5d0d9c "CHANGES.md, NEWS.md: updates for 4.0.0 final release"
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Sun Apr 26 13:17:07 2026
(Merged from https://github.com/openssl/openssl/pull/30847)
2026-04-26 15:16:53 +02:00
openssl-machine
fcc8edbd98
Forward port release update commit to master branch
...
Bring NEWS.md/CHANGES.md into line with updates on the 4.0 branch
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu Apr 16 16:27:47 2026
(Merged from https://github.com/openssl/openssl/pull/30830)
2026-04-16 18:27:35 +02:00
Neil Horman
bdfac7bb66
Add docs for new atomic apis
...
Documents CRYPTO_atomic_load_ptr(), CRYPTO_atomic_store_ptr() and
CRYPTO_atomic_cmp_exch_ptr()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Apr 14 08:29:33 2026
(Merged from https://github.com/openssl/openssl/pull/30670)
2026-04-14 10:29:28 +02:00
Eugene Syromiatnikov
43377bb06e
CHANGES.md, NEWS.md: update for 3.6.2
...
3.6.2 CHANGES.md includes the following:
* CVE-2026-2673, CVE-2026-28386, CVE-2026-28387, CVE-2026-28388,
CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790
* https://github.com/openssl/openssl/pull/30384
"Fix #19891 CONNECT request for IPv6 targets in OSSL_HTTP_proxy_connect"
* https://github.com/openssl/openssl/pull/30411
"Fix detection of plaintext HTTP over TLS (3.6/3.5 backport)"
* https://github.com/openssl/openssl/pull/30557
"re-constructorize the cpuid stuff, but fix riscv to not depend
on BIO_snprintf."
3.6.2 NEWS.md includes the following:
* CVE-2026-2673, CVE-2026-28386, CVE-2026-28387, CVE-2026-28388,
CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Sat Apr 11 18:51:42 2026
(Merged from https://github.com/openssl/openssl/pull/30720)
2026-04-11 20:51:23 +02:00
Eugene Syromiatnikov
5de59e4272
NEWS.md: Update 3.6.0 release date
...
Original-Commit: 7b371d80d9 "Prepare for release of 3.6.0"
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 8 10:00:08 2026
(Merged from https://github.com/openssl/openssl/pull/30686)
2026-04-08 11:59:56 +02:00
openssl-machine
d315ac4389
Prepare for 4.1
...
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue Mar 10 14:39:56 2026
Release: yes
2026-03-10 14:39:55 +00:00
Eugene Syromiatnikov
8f23518654
CHANGES.md, NEWS.md: picking up changes from 3.6.1
...
Since it has been released before 4.0.0-alpha1.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:37 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
2026-03-10 13:13:44 +01:00
Eugene Syromiatnikov
63b300a5b9
CHANGES.md, NEWS.md: update the URL format for CVE URLs
...
The URLs have changed from [1] to [2].
[1] https://www.openssl.org/news/vulnerabilities.html
[2] https://openssl-library.org/news/vulnerabilities/
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:35 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
2026-03-10 11:45:08 +01:00
Eugene Syromiatnikov
4e0961e223
NEWS.md: update
...
Include various items from CHANGES.md, remove items pertaining to
OPENSSL_sk_set_cmp_thunks() and crypto-mdebug-backtrace, split into new
features and significant/incompatible changes.
Also, while at it, added the leader to the 3.6.0 news entry.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:28 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
2026-03-10 11:36:24 +01:00
Eugene Syromiatnikov
35d09a5f94
Move the FIPS PKCS5_PBKDF2_HMAC limits description from NEWS.md to CHANGES.md
...
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:25 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
2026-03-10 11:20:13 +01:00
Eugene Syromiatnikov
7324a87796
CHANGES.md, NEWS.md: wfixes, tfixes, ffixes
...
An attempt has been made to harmonise the language and style
of the changelog and news records a bit.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:20 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
2026-03-10 11:20:13 +01:00
Eugene Syromiatnikov
fb3b82bd54
CHANGES.md, NEWS.md: sort links in lexicographical order
...
A specific order makes link addition more consistent moving forward.
The links were sorted with "LC_ALL=C sort -V" command, "sort"
is from GNU coreutils.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 10 13:39:11 2026
(Merged from https://github.com/openssl/openssl/pull/30338)
2026-03-10 11:19:27 +01:00
Dimitri John Ledkov
66ab2db185
fips: Align PKCS5_PBKDF2_HMAC defaults with EVP_KDF-PBKDF2
...
EVP_KDF-PBKDF2 has provider-dependent runtime behaviour w.r.t. lower
bounds checks. The default provider does not enforce them, but can opt
into them. The fips provider does enforce them, but can opt out.
The same is not true for the PKCS5_PBKDF2_HMAC, which always opts out
of the lower bound checks.
This leads to unexpected behaviour without user consent, they may
expect in error that when using FIPS provider the lower bound checks
will be enforced by default.
There are two popular tools for ACVP testing:
- https://github.com/cisco/libacvp/blob/9ee15db6e6c6f123f5fdd72e453eca261482ea94/app/app_kdf.c#L411
- https://github.com/smuellerDD/acvpparser/blob/e1c094ae3a708a9c45cb8b270e96c252365a5376/backends/backend_openssl_common.c#L1836
One of them creates params and then calls the one-shot EVP_KDF_derive
api, whilst the other calls the PKCS5_PBKDF2_HMAC convenience
wrapper. For the same ACVP test vectors the two produce different
results: with and without lower bounds checks.
But it seems like PKCS5_PBKDF2_HMAC is popular, as it outnumbers
EVP_KDF_derive 8x when doing a global code search on github
(anecdotal, as results are skewed by the number of forks). This thus
comes down to the expectations end users have. And it feels like, at
least for this API, the FIPS 140-3 users' expectation would be for the
lower bound checks to be enforced.
Modify the PKCS5_PBKDF2_HMAC wrapper around EVP_KDF_derive to not set
PKCS5 parameter, such that the provider implicit default is used
instead. Thus no change for default provider users, and FIPS
enforcement by default in the FIPS case like it always has done when
calling via EVP_KDF_derive.
Test fixes:
Tests with too short salt would fail with fips provider.
Add test that FIPS provider rejects invalid salt length.
test/certs: Re-encrypt leaf-encrypted.key with a longer salt.
This way test cases can work with a FIPS provider
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 17:25:55 2026
(Merged from https://github.com/openssl/openssl/pull/27431)
2026-03-04 18:24:45 +01:00
sftcd
2230c67f94
ECH: change from I-D to RFC 9849 and resolve TODO(ECH) cases
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Feb 19 09:22:37 2026
(Merged from https://github.com/openssl/openssl/pull/30048)
2026-02-20 16:40:25 +00:00
Neil Horman
9431cc20be
Add abilty to use static vcruntime
...
Add a config option to selectively enable or disable static vcruntime
linkage (default disabled, implying dynamic vcruntime linkage)
Fixes #12210
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Tue Feb 17 09:43:37 2026
(Merged from https://github.com/openssl/openssl/pull/29995)
2026-02-17 10:43:35 +01:00
Neil Horman
cfa5eb176b
Add NEWS/CHANGES for new OPENSSL_sk_set_cmp_thunks() api
...
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Sat Feb 7 18:11:19 2026
(Merged from https://github.com/openssl/openssl/pull/29640)
2026-02-07 13:11:08 -05:00
Tomas Mraz
24b51ab61c
Fix typo in CHANGES and NEWS entry for CVE-2019-1551
...
Fixes #12977
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Feb 3 08:56:59 2026
(Merged from https://github.com/openssl/openssl/pull/29740)
2026-02-03 09:56:50 +01:00
Kurt Roeckx
09c2bc5f6c
Remove support for SSLv2 Client Hello
...
Drop support for the SSLv2 Client Hello. We allowed that a client send
an SSLv2 compatible Client Hello.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Alicja Kario <hkario@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28041)
2026-01-16 15:52:49 +00:00
Sashan
994413f995
Update NEWS.md
...
Co-authored-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29385)
2025-12-19 12:06:38 -05:00
sashan
85773d519a
- update NEWS.md
...
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29385)
2025-12-19 12:02:25 -05:00
Norbert Pocs
43033e129b
Remove the c_rehash script
...
The `openssl rehash` should be used instead.
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29427)
2025-12-19 16:10:24 +01:00
Neil Horman
5ba513fadd
Remove crypto-mdebug-backtrace option from config
...
We still build with crypto-mdebug-backtrace enabled in a few ci jobs,
but it does nothing.
With the upcoming merge of feature/removesslv3, the code changes there
prevent the use of this option (i.e. enabling it results in
configuration failure).
It seems the most sensible thing to do here, given we have a major
release is to eliminate the option entirely, as it hasn't done anything
since 1.0.2.
Fixes openssl/project#1763
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29380)
2025-12-12 19:34:54 -05:00
Norbert Pocs
696913bdd2
Mention ENGINE removal in CHANGES and NEWS
...
Resolves: https://github.com/openssl/project/issues/1423
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29305)
2025-12-04 07:32:18 -05:00
Bernd Edlinger
134f17d526
Document CVE-2021-4160
...
This was fixed in openssl 3.0.1 by #17258 and assigned
CVE-2021-4160 but unfortunately forgotten to mention
in the CHANGES and/or NEWS.
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29051)
2025-11-26 18:44:10 +01:00
Eugene Syromiatnikov
552374022f
CHANGES.md, NEWS.md: update for 3.6.0
...
* Add the release date for 3.5.4
* Various touch-ups aimed at improving consistency of the news
* ffixes, wfixes
Release: Yes
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28734)
2025-10-17 18:52:09 +02:00
Eugene Syromiatnikov
481eb62f69
CHANGES.md, NEWS.md: update for 3.5.4
...
3.5.4 CHANGES.md includes the following:
* https://github.com/openssl/openssl/pull/28415
* https://github.com/openssl/openssl/pull/28573
* https://github.com/openssl/openssl/pull/28603
3.5.4 NEWS.md includes the following:
* https://github.com/openssl/openssl/pull/28603
Release: Yes
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28734)
2025-10-17 18:52:09 +02:00
Tomas Mraz
8886960842
Add CHANGES.md and NEWS.md updates
...
Including a few corrections of the previous entries.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2025-09-29 14:27:36 +02:00
Bob Beck
e70d3b1886
Add util/codespell-check.sh and run it
...
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28639)
2025-09-26 07:58:44 -04:00
Eugene Syromiatnikov
4732ce799c
CHANGES.md, NEWS.md: update for 3.6.0-beta1
...
CHANGES.md:
* https://github.com/openssl/openssl/pull/28398
* https://github.com/openssl/openssl/pull/28411
* https://github.com/openssl/openssl/pull/28447
* https://github.com/openssl/openssl/pull/28449
NEWS.md:
* https://github.com/openssl/openssl/pull/28447
Release: yes
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28547)
2025-09-16 12:07:53 -04:00
Eugene Syromiatnikov
d236a32da6
CHANGES.md, NEWS.md: ffix
...
Minor formatting cleanups.
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28547)
2025-09-16 12:07:53 -04:00
Matt Caswell
e26ae2754f
The next version to be released from master is 4.0
...
Now that the 3.6 branch has been created, correct the master branch so
that it is clear that the next release from that branch will be 4.0
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28423)
2025-09-04 10:40:04 +01:00
openssl-machine
cca9844f0c
Prepare for 3.7
...
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Release: yes
2025-09-02 13:07:27 +00:00
Norbert Pocs
145e909a69
Release news and changelog for version 3.6
...
Release: yes
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28403)
2025-09-02 09:03:23 -04:00
Dimitri John Ledkov
833a34dac3
fips: add news & changes entry for DetECDSA
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28213)
2025-08-21 09:59:55 +10:00
Neil Horman
f6c400f4cc
CHANGES.md / NEWS.md fixups ahead of release
...
Release: yes
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27927)
2025-07-01 12:28:00 +01:00
sashan
53e5071f34
Document transition from ANSI-C towards C-99
...
The existing NOTES-ANSI.md are renamed to NOTES-C99.md and updated
accordingly. INSTALL.md lists C-99 compiler instead of ANSI-C now.
Also moving from ANSI-C to C-99 warrants updates to NEWS.md and
CHANGES.md.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/27751)
2025-06-10 19:58:41 +02:00
Dmitry Belyavskiy
8109618a1c
CHANGES/NEWS entries for configutl
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27290)
2025-05-08 11:05:42 +10:00
20ioppolan
3f98e949d3
Removed references to vxworks because it is an unsupported platform
...
Fixes #26558
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26630)
2025-05-05 16:13:35 +02:00
Jon Ericson
f014892d9f
Point to new docs location
...
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27331)
2025-04-15 15:56:16 +01:00
Neil Horman
30adecd725
Add known issues to NEWS.md for 3.5.0
...
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27287)
2025-04-07 11:19:06 -04:00
Jon Ericson
da8de0e8dd
Change documentation to point to new wiki location
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27081)
2025-03-25 20:24:48 +01:00
Tomas Mraz
21f4bd986b
Update NEWS.md and CHANGES.md for the 3.5 release
...
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27152)
(cherry picked from commit d6ace599ed)
2025-03-25 15:30:24 +01:00
openssl-machine
b2762763e9
Prepare for 3.6
...
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes
2025-03-12 13:37:30 +00:00
Neil Horman
2df40ea6ff
Adding missed items to NEWS.md prior to release
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27026)
2025-03-11 09:21:45 -04:00
Andrew Dinh
b48145cd18
QUIC server post-rebase nits
...
- Apply doc nits suggested by Viktor from https://github.com/openssl/openssl/pull/26762
- Update CHANGES.md & NEWS.md saying there is now support for QUIC server
- Added copyright header in: test/radix/quic_ops.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26944)
2025-03-05 15:02:17 +01:00
Dr. David von Oheimb
253a380bdb
doc/, CHANGES, NEWS: add missing entries and fix existing ones when which CMP feature was added
...
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26908)
2025-02-27 16:58:47 +01:00
Neil Horman
cf9d6685fd
Update CHANGES and NEWS for security release
...
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2025-02-11 08:36:29 -05:00
Tomas Mraz
c3144e1025
Add CHANGES.md and NEWS.md updates for CVE-2024-13176
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26429)
2025-01-20 09:30:48 +01:00
Aditya
539b17b658
apps: Change default cipher to aes-256-cbc for req, cms and smime apps
...
Update `CHANGES.md` and `NEWS.md`; remove `no-des` guard from req, cms,
and smime apps
Update MAN pages for default cipher; fix styling by removing braces around single statements
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25839)
2024-11-04 09:56:55 +01:00
Tomas Mraz
36254fda37
Add CHANGES.md and NEWS.md entries for CVE-2024-9143
...
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/25734)
(cherry picked from commit 233034bc5a)
2024-10-22 10:45:14 +01:00