[openssl] openssl-3.0.0-alpha9 create

Matt Caswell matt at openssl.org
Thu Nov 26 15:12:15 UTC 2020

The annotated tag openssl-3.0.0-alpha9 has been created
        at  74413e120fec693be1b394358bf1bbbb568344e6 (tag)
   tagging  68ec3d4730a52d32edb35cb602f6580f27d64e8b (commit)
  replaces  openssl-3.0.0-alpha8
 tagged by  Matt Caswell
        on  Thu Nov 26 14:53:15 2020 +0000

- Log -----------------------------------------------------------------
OpenSSL 3.0.0-alpha9 release tag


Ankita Shetty (1):
      x509_vfy.c: Remove superfluous assignment to 'ret' in check_chain()

Bernd Edlinger (1):
      This should fix a lock-order-inversion

Daniel Bevenius (2):
      Fix REF_PRINT_COUNT argument in ecx_key_free
      REF_PRINT: cast pointer to void to avoid warnings

David Carlier (3):
      DragonFlyBSD build fix and update.
      NetBSD build fix.
      Haiku system build fix.

David von Oheimb (7):
      Improve doc of X509_verify_cert(), also in openssl.pod
      CHANGES.md: Mention (strict) checks recently added to X509_verify_cert()
      x509_vfy.c: Introduce CHECK_CB macro simplifying use of cert verification cb function
      x509_vfy.c: Call verification callback individually per strict check in check_chain()
      apps/ca: Minor code and doc cleanup
      Minor cleanup of error output for various apps
      apps/pkcs12: Retain test output files

Dmitry Belyavskiy (1):
      Check the configuration file by default

Dr. David von Oheimb (23):
      apps/cmp.c: Improve order of -path option: just after -server
      openssl-cmp.pod.in: Align order of options with apps/cmp.c; improve structuring of SYNOPSIS
      openssl-*.pod.in: Prevent newlines on empty engine_synopsis causing layout errors
      openssl.pod: Improve doc of -verify_email, -verify_hostname, and -verify_ip
      openssl-cmp.pod.in: Clean up doc of -verify_email, -verify_hostname, and -verify_ip
      cmp_msg.c: Use issuer of reference cert as default issuer entry in certTemplate
      25-test_x509.t: Re-add and improve a test on non-existence of ASN.1 parse errors
      Minor improvements of doc for ca and x509 app
      apps/pkcs12: Do not prompt for password in case -nomac and -noenc/-nodes
      apps/pkcs12: Really do not perform MAC in case -nomac
      apps/storeutl: Add error output in case of parse/decryption/mac errors in input files
      e_loader_attic.c: Remove redundant 'pass phrase' sub-string from try_decode_PKCS12()
      Allow for PKCS#12 input without MAC in p12_kiss.c and e_loader_attic.c
      e_loader_attic.c: Improve result handling of file_load_try_decode()
      apps/pkcs12: Clean up the order in which many options are presented
      apps.c: re-enable loading single certs and CRLs over HTTP
      apps/cmp.c: Add diagnostics on config file section(s) used
      apps/cmp.c: Improve diagnostics on -server URL parse error
      CMP: prevent misleading PKIStatusInfo output if not response available
      ossl_cmp_certreq_new(): Fix POPO key mismatch in case newPkey is just public key
      re-encrypt 81-test_cmp_cli_data/Mock/signer.p12 with AES-256-CBC (avoiding DES)
      apps/cmp.c: Improve description of key loaded due to -newkew option
      apps/cmp.c: fix crash with -batch option on OPENSSL_NO_UI_CONSOLE

Fred Hornsey (1):
      Support for Android NDK r22-beta1

Matt Caswell (45):
      Prepare for 3.0 alpha 9
      Don't clear errors on failure in CONF_modules_load_file_ex()
      Don't clear the whole error stack when loading engines
      Don't complain about uninitialized values when running Configure
      Correct system guessing for solaris64-x86_64-* targets
      Fix the reading of DSA parameters files using the dsaparam app
      Remove some redundant error messages in the apps
      Convert TLS auto DH parameters to use EVP_PKEY
      Convert TLS ServerKeyExchange processing to use an EVP_PKEY
      Deprecate SSL_CTRL_SET_TMP_DH and other related ctrls
      Avoid the use of a DH object in tls_construct_cke_dhe()
      Remove DH usage in tls_construct_server_key_exchange()
      Remove DH usage from tls_process_cke_dhe
      Disable the DHParameters config option in a no-deprecated build
      Remove deprecated functionality from s_server
      Implement a replacement for SSL_set_tmp_dh()
      Only disabled what we need to in a no-dh build
      Return sensible values for some SSL ctrls
      Document some SSL DH related functions/macros
      Add a test for the various ways of setting temporary DH params
      Add a CHANGES.md entry for the "tmp_dh" functions/macros
      Add some additional test certificates/keys
      Extend the auto DH testing to check DH sizes
      Adapt ssltest_old to not use deprecated DH APIs
      Swap to DH_PARAMGEN_TYPE_GENERATOR as the default outside of the FIPS module
      Swap to FIPS186-2 DSA generation outside of the FIPS module
      Allow multiple nested marks
      Add a test for setting, popping and clearing error marks
      Convert dhparam to be fully based on EVP
      Add encoder support to dhparam
      Remove some unneeded variables from dhparam
      Add a test for the dhparam CLI application
      Move some libssl global variables into SSL_CTX
      Turn on Github CI
      Undeprecate the -dsaparam option in the dhparam app
      Don't forget the datatype when decoding a PEM file
      Test various deprecated PEM_read_bio_* APIs
      Test that OSSL_STORE can load various types of params
      Ensure Stream ciphers know how to remove a TLS MAC
      Fix RC4-MD5 based ciphersuites
      Re-enable testing of ciphersuites
      Remove deprecation warning suppression from genpkey
      Fix no-rc2
      Update copyright year
      Prepare for release of 3.0 alpha 9

Nicola Tuveri (1):
      [test/recipes] Split test_fuzz into separate recipes

Pali Rohár (1):
      Document pkcs12 alg NONE

Pauli (17):
      rsa_test: add return value check
      apps/passwd: remove the -crypt option.
      Document the provider KDF API.
      Rename md5_sha1_* ossl_md5_sha1_*
      rename md5_block_asm_data_order to ossl_md5_block_asm_data_order
      rename mac_key_* to ossl_mac_key_*
      Provide side RNG functions renamed to have an ossl_ prefix.
      rename sha1_ctrl to ossl_sha1_ctrl.
      Rename SHA3 internal functions so they have an ossl_ prefix
      Rename internal drbg_ functions so they have an ossl_ prefix.
      Fix some warnings from clang 10 in params.c
      doc: Documentation changes for moving the entropy source out of the fips provider
      rand: move the entropy source out of the FIPS provider
      test: changes resulting from moving the entropy source out of the FIPS provider
      prov: move the entropy source out of the FIPS provider
      disassociate test RNG from the DRBGs
      test RNG: set state to uninitialised as part of uninstantiate call.

Petr Gotthard (1):
      Fix double-free in decoder_pkey.c

Rich Salz (2):
      Remove -C from dhparam,dsaparam,ecparam
      Remove -C option from x509 command

Richard Levitte (57):
      Fix test/recipes/80-test_ca.t to skip_all properly in a subtest
      EVP: Have all EVP_PKEY check functions export to provider if possible
      test/evp_extra_test.c: Modify to reflect provider support in test_EVP_PKEY_check
      UI: Use OPENSSL_zalloc() in general_allocate_prompt()
      PEM: Always use PEM_def_callback() when cb == NULL in pem_read_bio_key()
      DECODER: Add support for specifying the outermost input structure
      DECODER: Add support for OSSL_FUNC_decoder_does_selection()
      DECODER: Add input structure support for EVP_PKEY decoding
      DECODER: Add tracing
      PROV: Re-implement all the keypair decoders
      Adapt libcrypto functionality to specify the desired input structure
      DH: Move the code to set the DH sub-type
      TEST: Adapt test/endecoder_test.c
      Restore the legacy implementation of PEM_read_bio_DHparams()
      PEM: Have pem_read_bio_key() set the OSSL_STORE expected type
      OSSL_STORE: Make sure the called OSSL_DECODER knows what to expect
      Convert all {NAME}err() in ssl/ to their corresponding ERR_raise() call
      SSL: refactor ossl_statem_fatal() and SSLfatal()
      SSL: refactor all SSLfatal() calls
      Convert all {NAME}err() in providers/ to their corresponding ERR_raise() call
      CORE: Add support for specifying the outermost object structure
      ENCODER: Add support for specifying the outermost output structure
      ENCODER: Add support for OSSL_FUNC_encoder_does_selection()
      ENCODER: Add output structure support for EVP_PKEY encoding
      ENCODER: Add tracing
      PROV: Re-implement all the keypair encoders
      Adapt libcrypto functionality to specify the desired output structure
      test/endecode_test.c: Update to specify output structures
      test/evp_libctx_test.c: use OSSL_ENCODER instead of i2d_PublicKey()
      test/recipes/30-test_evp_libctx.t: use fips-and-base.cnf
      EVP: Adapt EVP_PKEY2PKCS8() to better handle provider-native keys
      Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call
      CRYPTO: refactor ERR_raise()+ERR_add_error_data() to ERR_raise_data()
      crypto/provider_core.c: fix a couple of faulty ERR_raise_data() calls
      BIO: Undefine UNICODE in b_addr.c to get POSIX declaration of gai_strerror()
      Fix a few github file references
      Fix SUPPORT.md for better readability
      test/endecoder_legacy_test.c: new test for legacy comparison
      DOC: Fixup the description of the -x509_strict option
      util/mkrc.pl: Make sure FILEVERSION and PRODUCTVERSION have four numbers
      util/find-doc-nits: check podchecker() return value
      Really deprecate the old NAMEerr() macros
      Simplify util/err-to-raise
      CONF: Convert one last CONFerr() to ERR_raise()
      DOC: Rewrite the section on reporting errors in doc/man3/ERR_put_error.pod
      DOC: Fix example in OSSL_PARAM_int.pod
      Deprecate RSA harder
      SSL: Change SSLerr() to ERR_raise()
      util/fix-deprecation: DEPRECATEDIN conversion util for public headers
      RSA: Fix guard mixup
      TEST: Make our test data binary
      ERR: Modify util/mkerr.pl to produce internal err string loaders
      Modify the ERR init functions to use the internal ERR string loaders
      ERR: Rebuild all generated error headers and source files
      Add missing ERR_load_KDF_strings(3) to util/missingcrypto111.txt as well.
      APPS: Guard use of IPv6 functions and constants with a check of AF_INET6
      DOC: Add note on how to terminate an OSSL_PARAM array

Shane Lontis (7):
      Remove test that breaks on AIX.
      Add support for making all of KBKDF FixedInput fields optional.
      Remove unused helper functions EVP_str2ctrl() & EVP_hex2ctrl().
      Fixup EVP-MAC-KMAC documentation
      Add documentation for EVP_PKEY2PKCS8/EVP_PKCS82PKEY
      Fix dsa securitycheck for fips.
      Fix crash in genpkey app when -pkeyopt digest:name is used for DH or DSA.

Tomas Mraz (3):
      Avoid duplicate ends_with_dirsep functions
      Add ossl_is_absolute_path function to detect absolute paths
      Do not prepend $OPENSSL_CONF_INCLUDE to absolute include paths

XiaokangQian (1):
      Optimize AES-XTS mode in OpenSSL for aarch64


More information about the openssl-commits mailing list