The annotated tag openssl-3.0.0-alpha12 has been created
        at  ba908b36f412d1a4a26aefee3841e276c09b5413 (tag)
   tagging  b467d394eb11ac94500d9f003426f5fa75d60c3c (commit)
  replaces  openssl-3.0.0-alpha11
 tagged by  Matt Caswell
        on  Thu Feb 18 15:08:54 2021 +0000

- Log -----------------------------------------------------------------
OpenSSL 3.0.0-alpha12 release tag

Armin Fuerst (1):
      apps/ca: Properly handle certificate expiration times in do_updatedb

Beat Bolli (1):
      README-ENGINES: fix the link to the provider API README

Benjamin Kaduk (3):
      Remove unused 'peer_type' from SSL_SESSION
      x509_vfy: remove redundant stack allocation
      RSA: avoid dereferencing possibly-NULL parameter in initializers

Daniel Bevenius (1):
      EVP: fix keygen for EVP_PKEY_RSA_PSS

Disconnect3d (1):
      passwd.c: use the actual ROUNDS_DEFAULT macro

Dmitry Belyavskiy (2):
      DH/DHX parameter check using pkeyparam
      DSA parameter check using pkeyparam

Dr. David von Oheimb (28):
      obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption')
      Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set
      check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS
      OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req len still to send
      Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio()
      HTTP: Fix mistakes and unclarities on maxline and max_resp_len params
      HTTP: add more error detection to low-level API
      Constify OSSL_HTTP_REQ_CTX_get0_mem_bio()
      OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various improvements
      openssl.pod: Add documentation for using the loader_attic engine
      apps/cmp.c: check and exit on engine load error
      test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic
      run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS
      Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack
      x509_vfy.c: Improve coding style and comments all over the file
      Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target
      mknum.pl: Exclude duplicate entries and include source file name in diagnostics
      x509_vfy.c: Fix various coding style and documentation style nits
      x509_vfy: Clarify relevance of ctx->error also on successful verification
      X509_get_pubkey_parameters(): Correct failure behavior and its use
      x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error)
      x509_vfy.c: Make chain_build() error diagnostics to the point
      X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer()
      X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly
      apps/ca.c: Make sure ext_ctx structure gets initialized
      apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR
      x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068
      chain_build(): Call verify_cb_cert() if a preliminary error has become final

Dr. Matthias St. Pierre (6):
      Add some missing committers to the AUTHORS list
      Revise some renamings of NOTES and README files
      Reformat some NOTES and README files
      Unify the markdown links to the NOTES and README files
      Add deprecation note to the README-ENGINES file
      Add a skeleton README-PROVIDERS file

FdaSilvaYY (3):
      include/crypto: add a few missing #pragma once directives
      include/openssl: add a few missing #pragma once directives
      include/internal: add a few missing #pragma once directives

Jay Satiro (1):
      NOTES-WINDOWS: fix typo

Job Snijders (2):
      Add some PKIX-RPKI objects
      Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature

Jon Spillett (1):
      Switch to BIO_snprintf to avoid missing symbol problems on Windows

Juergen Christ (3):
      Fix cipher reinit on s390x if no key is specified
      Fix parameter types in sshkdf
      Remove superfluous EVP_KDF_CTRL_ defines.

KOBAYASHI Ittoku (1):
      Match description with actual output of dgst

Matt Caswell (38):
      Ensure EC keys with a private key but without a public key can be created
      Test that EC keys without a public key in them work as expected
      Add a multi-thread test for shared EVP_PKEYs
      Refactor RAND_get0_primary() locking
      Avoid races by caching exported ciphers in the init function
      Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data()
      Ensure access to FIPS_state and rate_limit is appropriately locked
      Ensure the EVP_PKEY operation_cache is appropriately locked
      Add a CI job to run the threads test with threads sanitizer on
      Remove some TODO(OpenSSL1.2) references
      Remove a DSA related TODO
      Remove OPENSSL_NO_DH guards from libssl
      Ensure default supported groups works even with no-ec and no-dh
      Make supported_groups code independent of EC and DH
      Stop disabling TLSv1.3 if ec and dh are disabled
      Check for availability of ciphersuites at run time
      Remove compile time guard checking from ssl3_get_req_cert_type
      Add the nist group names as aliases for the normal TLS group names
      Make sure we don't use sigalgs that are not available
      Remove OPENSSL_NO_EC guards from libssl
      Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg
      Fix the cipher_overhead_test
      Deprecate the low level SRP APIs
      Deprecate the libssl level SRP APIs
      Update documentation following deprecation of SRP
      Run DH_check_ex() not DH_check_params_ex() when checking params
      Implement EVP_PKEY_param_check_quick() and use it in libssl
      Fix the dhparam_check test
      Document the newly added function EVP_PKEY_param_check_quick()
      Fix Null pointer deref in X509_issuer_and_serial_hash()
      Test that X509_issuer_and_serial_hash doesn't crash
      Refactor rsa_test
      Fix the RSA_SSLV23_PADDING padding type
      Fix rsa_test to properly test RSA_SSLV23_PADDING
      Don't overflow the output length in EVP_CipherUpdate calls
      Update CHANGES and NEWS for new release
      Update copyright year
      Prepare for release of 3.0 alpha 12

Nicola Tuveri (2):
      [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties
      [doc/man3][OSSL_ENCODER] Move NOTES to the bottom

Oleksandr Tymoshenko (1):
      Handle partial data re-sending on ktls/sendfile on FreeBSD

Pauli (21):
      Fix a use after free issue when a provider context is being used and isn't cached
      Fix race condition & allow operation cache to grow.
      test: turn off parallel tests in verbose mode.
      test: add an option to output timing information from tests.
      EVP: fix reference counting for digest operations.
      CI: add a non-caching CI loop
      Prov: add an option to force provider fetches to not be cached.
      EVP: fix reference counting for EVP_CIPHER.
      test: fix no-cache problem with the quality comparison for KDFs.
      changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option.
      test: filter provider honours the no_cache setting.
      test: add import and export key management hooks for the TLS provider.
      Add a configure time option to disable the fetch cache.
      Remove an unnecessary free call.
      test: DRBG test with long seed.
      err: generated error files
      RNG seed: add get_entropy hook for seeding.
      RNG test: add get_entropy hook for testing.
      core: add get_entropy and clear_entropy calls to RAND
      rand: update DRBGs to use the get_entropy call for seeding
      doc: document the two new RAND functions

Petr Gotthard (4):
      apps/openssl: add -propquery command line option
      Enhanced integer parsing in OSSL_PARAM_allocate_from_text
      Fix propquery handling in EVP_DigestSignInit_ex
      Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client

Randall S. Becker (1):
      Enable fipsload test on NonStop x86.

Rich Salz (9):
      Deprecate X509_certificate_type
      Deprecate EVP_MD_CTX_{set_}update_fn()
      Don't make pthreads mutexes recursive.
      Fetch algorithm after loading providers
      Fetch alg, etc., after loading providers
      Load rand state after loading providers
      Process digest option after loading providers
      Fetch cipher after loading providers
      Allow -rand to be repeated

Richard Levitte (27):
      Prepare for 3.0 alpha 12
      Fix some odd names in our provider source code
      PROV: Add SM2 encoders and decoders, as well as support functionality
      CORE & PROV: clean away OSSL_FUNC_mac_size()
      EVP: Don't find standard EVP_PKEY_METHODs automatically
      EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed EVP_PKEY_CTX
      EC: Reverse the default asn1_flag in a new EC_GROUP
      EVP: Make EVP_PKEY_set_params() increment the dirty count
      EVP: Adapt the other EVP_PKEY_set_xxx_param() functions
      EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions
      EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key()
      ERR: clean away everything related to _F_ macros from util/mkerr.pl
      ERR: Rebuild all generated error headers and source files
      Remove the old DEPRECATEDIN macros
      dev/release.sh: Fix typo
      EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters()
      TEST: Add an algorithm ID tester for libcrypto vs provider
      DOCS: Remove the "global" dependency on writing .pod files from .pod.in
      Makefile template: Allow separate generation of .pod.in -> .pod
      PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID
      Configuration: ensure that 'no-tests' works correctly
      Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries
      DOCS: Update the internal documentation on EVP_PKEY.
      Configurations/descrip.mms.tmpl: avoid enormous PIPE commands
      VMS documentation fixes
      TEST: Add missing initialization
      Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i()

Sahana Prasad (1):
      DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters

Shane Lontis (10):
      Simplify the EVP_PKEY_XXX_fromdata_XX methods.
      Change the ASN1 variant of x942kdf so that it can test acvp data.
      Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields.
      Replace provider cipher flags with separate param fields
      Replace provider digest flags with separate param fields
      Remove dead code in rsa_pkey_ctrl.
      Add docs for ASN1_item_sign and ASN1_item_verify functions
      Fix external symbols in the provider cipher implementations.
      Fix external symbols in the provider digest implementations.
      Fix external symbols related to provider related security checks for keys and digests.

Tomas Mraz (16):
      rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys
      dh_cms_set_peerkey: Pad the public key to p size
      Add diacritics to my name in CHANGES.md
      apps/ecparam: Avoid crash when parameters fail to load
      provider-signature.pod: Fix formatting.
      RSA: properly generate algorithm identifier for RSA-PSS signatures
      Deprecate BN_pseudo_rand() and BN_pseudo_rand_range()
      CHANGES.md: Mention RSA key generation slowdown related changes
      Move the PROV_R reason codes to a public header
      Various cleanup of PROV_R_ reason codes
      Rename internal providercommonerr.h to less mouthful proverr.h
      tls_valid_group: Add missing dereference of okfortls13
      ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3
      Do not match RFC 5114 groups without q as it is significant
      Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY
      dsa_check: Perform simple parameter check if seed is not available

zekeevans-mf (1):
      Add deep copy of propq field in mac_dupctx to avoid double free

-----------------------------------------------------------------------