author: Pauli <pauli@openssl.org> 2023-03-17 11:23:49 +1100
committer: Pauli <pauli@openssl.org> 2023-03-29 09:25:57 +1100
commit: 808b30f6b60da3e92283e315f2e6f0e574a62080 (patch)
tree: 5215212c2113e9f30faeaf5dbddab1757a31616d
parent: e14fc22c90ce5a9e6d66d8658fc6bb37f95019da (diff)

changes: note the banning of truncated hashes with DRBGs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20521)

-rw-r--r-- CHANGES.md 7
1 files changed, 7 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 452e5d0e74..9fa63ea7f0 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -250,6 +250,13 @@ OpenSSL 3.1
### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx]
+ * Add FIPS provider configuration option to disallow the use of
+ truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.).
+ The option '-no_drbg_truncated_digests' can optionally be
+ supplied to 'openssl fipsinstall'.
+
+ *Paul Dale*
+
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
that it does not enable policy checking. Thanks to David Benjamin for
discovering this issue.
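
Review bot: The added entry for '-no_drbg_truncated_digests' does not state the default behaviour when the option is omitted, nor which digests count as truncated, so an operator reading CHANGES.md cannot tell whether an existing Hash or HMAC DRBG configuration is affected after upgrading. The commit subject speaks of "banning" truncated digests while the entry describes an optional setting; one added sentence stating the default and what happens when a truncated digest is requested with the option set would close that gap. Minor wording: "can optionally be supplied" is redundant ("can be supplied" is enough), and "q.v." would read more clearly as "see".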