- Bump OPENSSL_VERSION default from 3.0.8 to 3.1.2
- Update SHA256 hash for openssl-3.1.2.tar.gz
- Update all compliance checks to validate OpenSSL 3.1.x series
- Update docs: README, install.md, CLAUDE.md, test READMEs
- Previous 3.0.8 had only FIPS 140-2 (Cert #4282); 3.1.2 is the
first OpenSSL with full FIPS 140-3 validation (Cert #4985,
valid through March 2030)
- Add fips_configure_cipher() to pin FIPS-approved SQLCipher PRAGMAs
(HMAC-SHA512, PBKDF2-HMAC-SHA512, 256k iterations, 4096-byte pages)
- Call fips_configure_cipher() after sqlite3_key() in JNI and sample app
- Copy key material to OPENSSL_malloc buffer and zeroize with
OPENSSL_cleanse after use (SP 800-132 §5.3)
- Fix provider leak: unload FIPS provider on EVP_set_default_properties
failure to prevent silent FIPS bypass
- Delete stale DB before round-trip compliance test
- Add .codegraph/ and .grepai/ to .gitignore
- Document fips_configure_cipher API and key handling in CLAUDE.md
Christopher Fahlin