X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=NEWS.md;h=720cec7330d6af20df49c6ec0d6be5468ec7d185;hp=c1edd0c847baad654b22ce697c2d718bb68f50dd;hb=398ae8231650c4bd8ddff0e5efd38233c23b1ca0;hpb=cae118f9382c3790359b3ff050d6e01c11579a7f

diff --git a/NEWS.md b/NEWS.md
index c1edd0c847..720cec7330 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -7,6 +7,7 @@ release. For more details please read the CHANGES file.
 OpenSSL Releases
 ----------------
 
+ - [OpenSSL 3.1](#openssl-31)
  - [OpenSSL 3.0](#openssl-30)
  - [OpenSSL 1.1.1](#openssl-111)
  - [OpenSSL 1.1.0](#openssl-110)
@@ -15,23 +16,43 @@ OpenSSL Releases
  - [OpenSSL 1.0.0](#openssl-100)
  - [OpenSSL 0.9.x](#openssl-09x)
 
-OpenSSL 3.0
+OpenSSL 3.1
 -----------
 
-### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 alpha 10 [in pre-release]
+### Major changes between OpenSSL 3.0 and OpenSSL 3.1 [under development]
+
+ * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
+   by default.
+
+OpenSSL 3.0
+-----------
 
-  * Deprecated the `DSA_` functions.
+### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0
+
+  * Enhanced 'openssl list' with many new options.
+  * Added migration guide to man7.
+  * Implemented support for fully "pluggable" TLSv1.3 groups.
+  * Added suport for Kernel TLS (KTLS).
+  * Changed the license to the Apache License v2.0.
+  * Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2,
+    RC4, RC5, and DES to the legacy provider.
+  * Moved the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 to the legacy
+    provider.
+  * Added convenience functions for generating asymmetric key pairs.
+  * Deprecated the `OCSP_REQ_CTX` type and functions.
+  * Deprecated the `EC_KEY` and `EC_KEY_METHOD` types and functions.
+  * Deprecated the `RSA` and `RSA_METHOD` types and functions.
+  * Deprecated the `DSA` and `DSA_METHOD` types and functions.
+  * Deprecated the `DH` and `DH_METHOD` types and functions.
   * Deprecated the `ERR_load_` functions.
   * Remove the `RAND_DRBG` API.
   * Deprecated the `ENGINE` API.
   * Added `OSSL_LIB_CTX`, a libcrypto library context.
+  * Added various `_ex` functions to the OpenSSL API that support using
+    a non-default `OSSL_LIB_CTX`.
   * Interactive mode is removed from the 'openssl' program.
-  * The X25519, X448, Ed25519, Ed448 and SHAKE256 algorithms are included in
-    the FIPS provider.  None have the "fips=yes" property set and, as such,
-    will not be accidentially used.
-  * The algorithm specific public key command line applications have
-    been deprecated.  These include dhparam, gendsa and others.  The pkey
-    alternatives should be used instead: pkey, pkeyparam and genpkey.
+  * The X25519, X448, Ed25519, Ed448, SHAKE128 and SHAKE256 algorithms are
+    included in the FIPS provider.
   * X509 certificates signed using SHA1 are no longer allowed at security
     level 1 or higher. The default security level for TLS is 1, so
     certificates signed using SHA1 are by default no longer trusted to
@@ -42,10 +63,13 @@ OpenSSL 3.0
     also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712).
     It is part of the crypto lib and adds a 'cmp' app with a demo configuration.
     All widely used CMP features are supported for both clients and servers.
-  * Added a proper HTTP(S) client to libcrypto supporting GET and POST,
-    redirection, plain and ASN.1-encoded contents, proxies, and timeouts.
+  * Added a proper HTTP client supporting GET with optional redirection, POST,
+    arbitrary request and response content types, TLS, persistent connections,
+    connections via HTTP(s) proxies, connections and exchange via user-defined
+    BIOs (allowing implicit connections), and timeout checks.
   * Added util/check-format.pl for checking adherence to the coding guidelines.
   * Added OSSL_ENCODER, a generic encoder API.
+  * Added OSSL_DECODER, a generic decoder API.
   * Added OSSL_PARAM_BLD, an easier to use API to OSSL_PARAM.
   * Added error raising macros, ERR_raise() and ERR_raise_data().
   * Deprecated ERR_put_error(), ERR_get_error_line(), ERR_get_error_line_data(),
@@ -60,10 +84,12 @@ OpenSSL 3.0
   * Changed our version number scheme and set the next major release to
     3.0.0
   * Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC
-    bridge.
+    bridge.  Supported MACs are: BLAKE2, CMAC, GMAC, HMAC, KMAC, POLY1305
+    and SIPHASH.
   * Removed the heartbeat message in DTLS feature.
-  * Added EVP_KDF, an EVP layer KDF API, and a generic EVP_PKEY to EVP_KDF
-    bridge.
+  * Added EVP_KDF, an EVP layer KDF and PRF API, and a generic EVP_PKEY to
+    EVP_KDF bridge.  Supported KDFs are: HKDF, KBKDF, KRB5 KDF, PBKDF2,
+    PKCS12 KDF, SCRYPT, SSH KDF, SSKDF, TLS1 PRF, X9.42 KDF and X9.63 KDF.
   * All of the low-level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224,
     SHA256, SHA384, SHA512 and Whirlpool digest functions have been
     deprecated.
@@ -72,11 +98,35 @@ OpenSSL 3.0
   * All of the low-level DH, DSA, ECDH, ECDSA and RSA public key functions
     have been deprecated.
   * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
+  * Added providers, a new pluggability concept that will replace the
+    ENGINE API and ENGINE implementations.
 
 OpenSSL 1.1.1
 -------------
 
-### Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [under development]
+### Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]
+
+  * Fixed an SM2 Decryption Buffer Overflow ([CVE-2021-3711])
+  * Fixed various read buffer overruns processing ASN.1 strings ([CVE-2021-3712])
+
+### Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]
+
+  * Fixed a problem with verifying a certificate chain when using the
+    X509_V_FLAG_X509_STRICT flag ([CVE-2021-3450])
+  * Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
+    crafted renegotiation ClientHello message from a client ([CVE-2021-3449])
+
+### Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]
+
+  * Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
+    function ([CVE-2021-23841])
+  * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+    padding mode to correctly check for rollback attacks
+  * Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and
+    EVP_DecryptUpdate functions ([CVE-2021-23840])
+  * Fixed SRP_Calc_client_key so that it runs in constant time
+
+### Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
 
   * Fixed NULL pointer deref in GENERAL_NAME_cmp ([CVE-2020-1971])