From 808b30f6b60da3e92283e315f2e6f0e574a62080 Mon Sep 17 00:00:00 2001 From: Pauli Date: Fri, 17 Mar 2023 11:23:49 +1100 Subject: [PATCH] changes: note the banning of truncated hashes with DRBGs Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/20521) --- CHANGES.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 452e5d0e74..9fa63ea7f0 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -250,6 +250,13 @@ OpenSSL 3.1 ### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx] + * Add FIPS provider configuration option to disallow the use of + truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). + The option '-no_drbg_truncated_digests' can optionally be + supplied to 'openssl fipsinstall'. + + *Paul Dale* + * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue.