The annotated tag openssl-3.0.0-alpha14 has been created
        at  448d9b589ad9a6dba838844dfcbd33efb7db2ac0 (tag)
   tagging  f510d614a7e981cbf69f11ae186c97d3fa00dda9 (commit)
  replaces  openssl-3.0.0-alpha13
 tagged by  Matt Caswell
        on  Thu Apr 8 13:15:49 2021 +0100

- Log -----------------------------------------------------------------
OpenSSL 3.0.0-alpha14 release tag

Alex Yursha (1):
      Print correct error message in utils/mkdir-p.pl

Alexander Traud (1):
      ssl/ssl_ciph.c: update format string, again

Amitay Isaacs (12):
      numbers: Define 128-bit integers if compiler supports
      Use numbers definition of int128_t and uint128_t
      curve448: Use relative includes to avoid explicit dependencies
      Partially Revert "Remove curve448 architecture specific files"
      curve448: Rename arch_ref64 to arch_64
      curve448: Modernise reference 64-bit code
      curve448: Use NLIMBS where appropriate to simplify the code
      curve448: Remove the unrolled loop version
      Add a constant time zero check function for 64-bit integers
      curve448: Use constant time zero check function
      Configure: Check if 128-bit integers are supported by compiler
      curve448: Integrate 64-bit reference implementation

Andrey Matyukov (4):
      Dual 1024-bit exponentiation optimization for Intel IceLake CPU with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key operations. It uses 256-bit registers to avoid CPU frequency scaling issues. The performance speedup for RSA2k signature on ICL is ~2x.
      Rearranged .pdata entries in rsaz-avx512.pl to make them properly ordered.
      Moved build instructions from the man page
      Increase minimum clang version requirement for rsaz-avx512.pl

Anthony Hu (1):
      Increase the upper limit on group name length

Arthur Gautier (1):
      EVP_KDF-KB man page: fixup ABI/API change

Beat Bolli (4):
      ASN1: add an internal header to validate Unicode ranges
      ASN1: limit the Unicode code point range in UTF8_getc() and UTF8_putc()
      ASN1: check the Unicode code point range in ASN1_mbstring_copy()
      Add tests for the limited Unicode code point range

Benjamin Kaduk (1):
      Increase HKDF_MAXBUF from 1024 to 2048

David Benjamin (1):
      Merge OFB encrypt and decrypt test vectors.

Dr. David von Oheimb (16):
      openssl-cmp.pod.in and apps/cmp.c: Various minor do improvements
      TS ESS: Let TS_RESP_verify_signature() make use of untrusted certs also from token response
      apps/ts.c: Allow -untrusted arg to refer to multiple sources
      apps.c: Fix missing newline in warn_cert_msg() output
      TS ESS: Invert the search logic of ts_check_signing_certs() to correctly cover cert ID list
      ts_check_signing_certs(): Make sure both ESSCertID and ESSCertIDv2 are checked
      TS and CMS CAdES-BES: Refactor check_signing_certs() funcs into common ESS func
      APPS: fix load_certs_multifile() interpreting backslashes
      HTTP: Rename OSSL_HTTP_REQ_CTX_i2d() to OSSL_HTTP_REQ_CTX_set1_req()
      HTTP: Fix mem leak of OSSL_HTTP_REQ_CTX_transfer(), rename to ossl_http_req_ctx_transfer()
      HTTP: Fix method_POST param by moving it to OSSL_HTTP_REQ_CTX_set_request_line()
      http_client.c: Prevent spurious error queue entry on NULL mem argument
      80-test_cmp_http.t: Add diagnostic info on starting/stopping mock server
      OSSL_parse_url(): Improve handling of IPv6 addresses
      OSSL_HTTP_REQ_CTX_transfer(): improve distinction of send error vs. receive error
      CHANGES.md: reflect OSSL_HTTP_REQ_CTX_i2d renamed to OSSL_HTTP_REQ_CTX_set1_req

Fangming.Fang (1):
      Fix AES-CBC perf test failure issue

FdaSilvaYY (1):
      Fix a windows build break

Jakub Zelenka (1):
      Update CHANGES with info about AuthEnvelopedData addition

Jon Spillett (4):
      Add testing for non-default library context into evp_extra_test
      Fix up issues found when running evp_extra_test with a non-default library context
      Remove TODO comment. Resolves #14396
      endecode_test: Add file and line arguments to test callbacks

Juergen Christ (1):
      Fix compilation under -Werror

Kevin Cadieux (1):
      Fixing stack buffer overflow error caused by incorrectly sized array.

Matt Caswell (25):
      Prepare for 3.0 alpha 14
      Don't crash if the pkeyopt doesn't have a value
      Remove a TODO from async_delete_thread_state()
      Convert a TODO(3.0) in OPENSSL_thread_stop_ex to a comment
      Add a CHANGES entry for the cosmetic differences in textual output
      Ensure that ECX keys pass EVP_PKEY_param_check()
      Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check()
      Fix a TODO(3.0) in the siphash code
      Remove a TODO(3.0) from EVP_PKEY_derive_set_peer()
      Convert some TODO(3.0) comments in init.c to normal comments
      Ensure we deregister thread handlers even after a failed init
      Update README-FIPS.md
      Be more selective about copying libcrypto symbols into legacy.so
      Teach TLSProxy how to encrypt <= TLSv1.2 ETM records
      Add a test for CVE-2021-3449
      Ensure buffer/length pairs are always in sync
      Update CHANGES.md and NEWS.md for new release
      Fix change in behaviour of EVP_PKEY_CTRL_RSA_KEYGEN_BITS
      Expand the libcrypto documentation
      Add additional glossary entries
      Update provider.pod
      Update the algorithm fetching documentation links
      Remove a TODO in EVP_set_default_properties
      Update copyright year
      Prepare for release of 3.0 alpha 14

Mohamed Akram (1):
      doc: fix enc -z option documentation

Nan Xiao (9):
      Fix typo in bio.h.in
      Fix BIO_new_ssl_connect() to not leak memory
      Fix typo in BIO_push.pod
      Fix typos in bio.pod
      Remove unnecessary BIO_do_handshake()s
      Fix typos in ssl_lib.c
      Fix potential double free in sslapitest.c
      Remove unnecessary setting SSL_MODE_AUTO_RETRY
      Fix typo in store_meth.c

Pauli (140):
      test: add params argument to key manager's gen_init call
      evp: add params argument to key manager's gen_init call
      provider: add params argument to key manager's gen_init call
      core: add params argument to key manager's gen_init call
      doc: add params argument to key manager's gen_init call
      prov: asym ciphers take an extra init() params argument
      core: add params arguments to init calls
      evp: add params arguments to init functions
      doc: update PKEY documentation to include the new init functions with params
      misc: other init function param additions
      prov: update exchange algorithms to support params on the init call
      prov: update KEM to support params on init()
      apps: support param argument to init functions
      ssl: support params arguments to init functions
      test: support params arguments to init functions
      doc: document param argument to cipher init calls
      doc: document param argument to RSA calls
      prov: support param argument to digest init calls
      doc: update digest documentation to include the new init functions with params
      prov: update digests to support modified ctx params
      prov: support params arguments to signature init calls
      prov: support params argument to RCx ciphers
      prov: support params argument to CHACHA20 ciphers
      prov: support param argument to null cipher init calls
      prov: support param argument to DES cipher init calls
      prov: support params argument to common cipher init calls
      doc: update cipher documentation to include the new init functions with params
      support params argument to AES cipher init calls
      doc: document the additional params argument to the various init() calls
      doc: note that get_params and set_params calls should return true if the param array is null
      prov: add extra params argument to KDF implementations
      update set_ctx_param MAC calls to return 1 for a NULL params
      update set_ctx_param DRBG calls to return 1 for a NULL params
      update set_ctx_param store management calls to return 1 for a NULL params
      core: modify ossl_provider_forall_loaded() to avoid locking for the callbacks
      doc: describe the return from ossl_provider_forall_loaded()
      rename ossl_provider_forall_loaded to ossl_provider_doall_activated
      ssl: fix format specifier for size_t argument to BIO_printf
      property: default queries create the property values.
      prov: remove TODO in der_rsa_key.c
      prov: remove todos in rsa_keymgmt.c
      doc: remove TODOs about redesigning the AEAD API
      params: clean up TODO
      Remove TODOs from digest.c
      ci: add a no-legacy build
      modes: fix coverity 1449851: overlapping memory copy
      modes: fix coverity 1449860: overlapping memory copy
      ssl: fix coverity 1451515: out of bounds memory access
      apps: fix coverity 966560: division by zero
      test: fix Coverity 1454818: use after free
      test: fix coverity 1451553: resource leak
      test: fix coverity 1451562: resource leak
      test: fix coverity 1454040: resource leak
      test: fix coverity 1414445: resource leak
      test: fix coverity 1414449 & 1414471: resource leak
      ssl: fix coverity 1451495: resource leak
      test: fix coverity 1455330, 1455332, 1455334, 1455342, 1455344 : resource leak
      test: fix coverity 1470559: resource leak
      evp: fix coverity 1470561: resource leak
      rsa: fix coverity 1472658: resource leak
      apps: fix Coverity 1472670 & 1472685: resource leaks
      decoder: fix Coverity 1473236 & 1473386: resource leaks
      evp: fix coverity 1445872 - dereference after null check
      async: coverity 1446224 - dereference after null check
      test: coverity 1455747 - dereference after null check
      test: coverity 1455749 - dereference after null check
      ssl: coverity 1465527 - dereference after null check
      test: coverity 1469426 - dereference after null check
      x509: coverity 1472673 & 1472693 - dereference after null checks
      evp: fix coverity 1473381 - dereference after null check
      sslapitest: fix problem in cleanup on failure path
      evp: fix coverity 1473380: copy into fixed size buffer
      pem: fix coverity 1474426: uninitialised scalar variable.
      err: fix coverity 1452768: dereference after null check
      apps: fix coverity 271258: improper use of negative value
      test: fix coverity 1371689 & 1371690: improper use of negative values
      enc: fix coverity 1451499, 1451501, 1451506, 1451507, 1351511, 1451514, 1451517, 1451523, 1451526m 1451528, 1451539, 1451441, 1451549, 1451568 & 1451572: improper use of negative value
      test: fix coverity 1451574: improper use of negative value
      test: fix coverity 1454812: improper use of negative value
      test: fix coverity 1469427: improper use of negative value
      test: fix coverity 1451534: improper use of negative value
      apps: fix coverity 1451544: improper use of negative value
      dh: fix coverity 1474423: resource leak
      ec_keymgmt: fix coverity 1474427: resource leak
      x509: fix coverity 1461225: data race condition
      x509: fix coverity 1474424: data race condition
      rand: fix coverity 1473636: data race condition
      rsa: fix coverity 1463571: explicit null dereference
      sm2: fix coverity 1467503: explicit null dereference
      apps: fix coverity 1470781: explicit null dereference
      encoder: fix coverity 1473235: null dereference
      test: fix coverity 1338157: unchecked return value
      apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values
      test: fix coverity 1414451: unchecked return value
      test: fix coverity 1416888: unchecked return value
      test: fix coverity 1429210: unchecked return value
      test: fix coverity 1451550: unchecked return value
      apps: fix coverity 1455340: unchecked return value
      evp: fix coverity 1467500 & 1467502: unchecked return values
      params: fix coverity 1473069: unchecked return values
      evp: fix coverity 1473378: unchecked return value
      test: fix coverity 1473609 & 1473610: unchecked return values
      doc: add life-cycle source files
      doc: note that KDF/PRF transitions will be enforced at some future point
      doc: life-cycle description for KDFs/PRFs
      doc: note that RAND lifecycle transitions will be enforced at some point
      doc: life-cycle description for RANDs
      doc: note that MAC lifecycle transitions will be enforced at some point
      doc: life-cycle description for MACs
      doc: add documentation for the X509_PUBKEY_dup() function
      test: add test case for X508_PUBKEY_dup() function
      Fix X509_PUBKEY_dup() to not leak memory
      doc: fix style problems with this man page
      x509: fix coverity 1474471: NULL pointer dereference
      x509: fix coverity 1474470: NULL pointer dereference
      evp: fix coverity 1474469: negative return
      test: fix coverity 1474468: resource leak
      apps: fix coverity 1474463, 1474465 & 1474467: resource leaks
      ssl: fix problem where MAC IDs were globally cached.
      Check for integer overflow in i2a_ASN1_OBJECT and error out if found.
      Ensure that the negative flag is correctly set for ASN1 integer types.
      Make the lock in CRYPTO_secure_allocated() a read lock
      Remove locking in CRYPTO_secure_allocated()
      Disallow ASN.1 enumerated types to be treated as strings.
      test: fix coverity 1475941: resource leak
      test: fix coverity 1475940: negative return
      test: fix coverity 1473234 & 1473239: argument cannot be negative
      evp: fix coverity 1472682: argument cannot be negative
      evp: fix coverity 1451510: argument cannot be negative
      evp: fix coverity 1451509: argument cannot be negative
      evp: fix coverity 1473631: argument cannot be negative
      dh: fix coverity 1473238: argument cannot be negative
      fix coverity 1466710: resource leak
      apps: fix AES CBC performance loop
      property: check return values from the property locking calls.
      test: fix problem with threads test using default library context.
      property: lock the lib ctx when updating the property definition cache
      Revert "Fix AES-CBC perf test failure issue"
      param_build: check for the usage of secure memory better.
      test: add extra secure memory test case.

Peter Kaestle (1):
      ssl sigalg extension: fix NULL pointer dereference

Randall S. Becker (6):
      Disable fips-securitychecks if no-fips is configured.
      Add $(PERL) to util/wrap.pl execution to avoid env incompatibilities
      Add explicit support in util/shlib_wrap.sh.in for NonStop DLL loading.
      Added guarding #ifndef/#define to avoid duplicate include of crypto/types.h
      Split Makefile clean recipe for document sets into individual lines.
      Corrected missing definitions from NonStop SPT build.

Rich Salz (4):
      Fix error-checking compiles for mutex
      Always check CRYPTO_LOCK_{read,write}_lock
      Make fipsinstall -out flag optional
      Add a local perl module to get year last changed

Richard Levitte (29):
      PROV: use EVP_CIPHER_CTX_set_params() rather than EVP_CIPHER_CTX_ctrl()
      TEST: Stop the cleanup in test/recipes/20-test_mac.t
      Fix a missing rand -> ossl_rand rename
      Configure: check all DEPEND values against GENERATE, not just .h files
      PROV: Refactor DER->key decoder
      PROV: Add type specific SubjectPublicKeyInfo decoding to the DER->key decoders
      PROV: Add RSA-PSS specific OSSL_FUNC_KEYMGMT_LOAD function
      PROV: Add type specific PKCS#8 decoding to the DER->key decoders
      PROV: Add type specific MSBLOB and PVK decoding for the MS->key decoders
      TEST: Modify test/endecode_test.c to give the decoder callback the structure
      STORE: Use the same error avoidance criteria as for the DER->key decoder
      TEST: Clarify and adjust test/recipes/30-test_evp.t
      Make evp_privatekey_from_binary() completely libcrypto internal
      Make ossl_d2i_PUBKEY_legacy() completely libcrypto internal
      ASN1: Reset the content dump flag after dumping
      RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value
      TEST: Cleanup test recipes
      Unix build file template: symlink "simple" to "full" shlib selectively
      Android config targets: don't include the SO version in the shlib file name
      Re-implement ANSI C building with a Github workflow
      EVP: One stray comma removed in crypto/evp/ctrl_params_translate.c
      CORE: Add an algorithm_description field to OSSL_ALGORITHM
      Add OSSL_DECODER_description() and OSSL_ENCODER_description()
      Add OSSL_STORE_LOADER_description()
      EVP: Add EVP_<TYPE>_description()
      APPS: Replace the use of OBJ_nid2ln() with name or description calls
      Refactor CPUID code
      Include BN assembler alongside CPUID code
      test/recipes/02-test_errstr.t: Do not test negative system error codes

Sahana Prasad (2):
      Allocates and initializes pubkey in X509_PUBKEY_dup()
      Adds a new lock to read default_path and uses a strdup() on default_path before using it Fixes #14483 Signed-off-by: Sahana Prasad <sah...@redhat.com>

Shane Lontis (39):
      Remove TODO in test/acvp_test.c related to setting AES-GCM iv.
      Remove TODO in rsa_ameth.c
      Fix DSA EVP_PKEY_param_check() when defaults are used for param generation.
      Fix external symbols for crypto_*
      Fix misc external ossl_ symbols.
      Add ossl_rand symbols
      Add ossl_asn1 symbols
      Add ossl_encode symbols
      Add ossl_rsa symbols
      Add ossl_v3 symbols
      Add ossl_ ecx symbols
      Add ossl_ conf symbols
      Add ossl_aria symbols
      Add ossl_siv symbols
      Add ossl_ symbols for sm3 and sm4
      Add ossl_sa symbols
      Add ossl_bn_group symbols
      Add ossl_ symbol to x509 policy
      Add ossl_lhash symbols
      Add ossl_gost symbols
      Add ossl_ x509 symbols
      Add ossl_pem_check_suffix symbol
      Add ossl_pkcs5_pbkdf2_hmac_ex symbol
      Add ossl_is_partially_overlapping symbol
      rename err_get_state_int() to ossl_err_get_state_int()
      Rename CMS_si_check_attributes to ossl_cms_si_check_attributes
      Add ossl_provider symbols
      Fix windows build compiler issue.
      Fix DER reading from stdin for BIO_f_readbuffer
      Fix usages of const EVP_MD.
      Add coveralls to CI
      Disable cmp_http test on AIX
      Fix Build issue on Oracle Linux x64
      Update deprecated API's in the documentation.
      Fix DH gettable OSSL_PKEY_PARAM_DH_PRIV_LEN so that it has the correct type.
      Add a range check (from SP800-56Ar3) to DH key derivation.
      Test minimal windows build using Github actions
      Add macosx build
      Fix more certificate related lib_ctx settings.

Tobias Nießen (1):
      Fix option description for PKCS#12 export

Tomas Mraz (32):
      Use OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL) in libcrypto
      Remove the RAND_get0_public() from fips provider initialization
      acvp_test: Do not expect exact number of self tests
      keymgmt_meth: remove two TODO 3.0
      apps: Add maybe_stdin argument to load_certs and set it in pkcs12
      apps: Make load_key_certs_crls to read only what is expected
      Use --debug with no-caching build as sanitizers need it
      decoder_process: data_structure can be NULL
      provider_core: Remove two TODO 3.0
      core_get_libctx: use assert() instead of ossl_assert()
      property_test: use property values that are not used elsewhere
      p_lib.c: Remove TODO comments
      Add some encoder and decoder code examples
      apps/crl: Print just the hash value if printing just hash
      evp_keymgmt_util_copy: Fix possible leak on copy failure
      Make EVP_PKEY_missing_parameters work properly on provided RSA keys
      Added functions for printing EVP_PKEYs to FILE *
      ASYNC_start_job: Reset libctx when async_fibre_swapcontext fails
      EVP_PKEY_get_*_param should work with legacy
      EVP_PKCS82PKEY: Create provided keys if possible
      Remove the external BoringSSL test
      Make the SM2 group the default group for the SM2 algorithm
      Remove RSA bignum_data that is not used anywhere
      Implement EVP_PKEY_dup() function
      EVP_PKEY_CTRL_CIPHER can be used with encrypt/decrypt with GOST
      OBJ_nid2sn(NID_sha256) is completely equivalent to OSSL_DIGEST_NAME_SHA2_256
      Drop TODO 3.0 as we cannot get rid of legacy nids in 3.0
      EVP_CIPHER_type: fix misleading argument name
      Avoid going through NID when unnecessary
      Add "save-parameters" encoder parameter
      DSA_generate_parameters_ex: use the old method for all small keys
      Deprecate the EVP_PKEY controls for CMS and PKCS#7

div2016bit (1):
      Tiny clarification of comment for RSA_sign

luyahan (1):
      Add riscv64 target

-----------------------------------------------------------------------