Add a NEWS entry covering the FIPS related changes.

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from #21386) (cherry picked from commit dfc4b6c)
openssl · Jul 13, 2023 · 7a3d32a · 7a3d32a
1 parent 15e041b
commit 7a3d32a
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -284,7 +284,16 @@ OpenSSL 3.2
 OpenSSL 3.1
 -----------
 
-### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx]
+### Changes between 3.1.1 and 3.1.2 [xx XXX xxxx]
+
+ * When building with the `enable-fips` option and using the resulting
+   FIPS provider, TLS 1.2 will, by default, mandate the use of an extended
+   master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will
+   not operate with truncated digests (FIPS 140-3 IG G.R).
+
+   *Paul Dale*
+
+### Changes between 3.1.0 and 3.1.1 [30 May 2023]
 
  * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
    OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.

diff --git a/NEWS.md b/NEWS.md
@@ -37,7 +37,14 @@ OpenSSL 3.2
 OpenSSL 3.1
 -----------
 
-### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [under development]
+### Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [under development]
+
+ * When building with the `enable-fips` option and using the resulting
+   FIPS provider, TLS 1.2 will, by default, mandate the use of an
+   extended master secret and the Hash and HMAC DRBGs will not operate
+   with truncated digests.
+
+### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [30 May 2023]
 
   * Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT
     IDENTIFIER sub-identities.  ([CVE-2023-2650])