[openssl] openssl-3.0.0-alpha7 create
Matt Caswell
matt at openssl.org
Thu Oct 15 13:34:49 UTC 2020
The annotated tag openssl-3.0.0-alpha7 has been created
at 062506642b11e4231e78a80a7b030fed07127946 (tag)
tagging f9a5682e5c0fbf8b17319d71b0040dba9f8b46ee (commit)
replaces openssl-3.0.0-alpha6
tagged by Matt Caswell
on Thu Oct 15 14:16:06 2020 +0100
- Log -----------------------------------------------------------------
OpenSSL 3.0.0-alpha7 release tag
Akshit Akhoury (1):
Changing X509at_get0_data_by_OBJ to expect const stack of X509_ATTRIBUTE
Alexander Borkowski (1):
s_client.pod: Fix grammar in NOTES section.
André Klitzing (1):
Allow to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE
Benjamin Kaduk (21):
Support cipher provider "iv state"
Deprecate and replace EVP_CIPHER_CTX_iv()/etc.
Add tests for new EVP_CIPHER_CTX IV accessors
Make GCM providers more generous about fetching IVs
Document EVP_CIPHER_CTX IV accessors
Retire EVP_CTRL_GET_IV
Use local IV storage in e_aes.c
Use local IV storage in e_aes_ebc_hmac_sha1.c
Use local IV storage in e_aes_ebc_hmac_sha256.c
Use local IV storage in e_aria.c
Use local IV storage in e_camellia.c
Use local IV storage in e_des.c
Use local IV storage in e_des3.c
Use local IV storage in e_sm4.c
Use local IV storage in e_xcbc_d.c
Use local IV storage in e_rc2.c
Use local IV storage in EVP BLOCK_* macros
Avoid deprecated function in evp_lib.c
Avoid deprecated API in evp_test.c
Expose S390x HW ciphers' IV state to provider layer
Mark SSL_CTX_set_ssl_version() as deprecated in 3.0
Benny Baumann (2):
Use size of target buffer for allocation
Avoid memory leak of parent on allocation failure for child structure
Biswapriyo Nath (1):
fuzz/test-corpus: check if PATH_MAX is already defined
C.W. Betts (1):
Initial Apple Silicon support.
Chris Novakovic (1):
apps/ca: allow CRL lastUpdate/nextUpdate fields to be specified
Daniel Bevenius (5):
Fix typo in FIPS_MODULE endif macro comment
Fix typo in bind_loader_attic comment
DOC: remove OPENSSL_CTX from OSSL_DECODER_CTX_new
ERR: fix comment typo in err.c
Set mark and pop error in d2i_PrivateKey_ex
David Benjamin (1):
Deprecate ASN1_STRING_length_set in OpenSSL 3.0.
Dmitry Belyavskiy (16):
Update gost-engine to fix API rename
Punycode decoding implementation
RFC 8398: Name constraints validation
RFC 8398: EAI comparison
Add NID_id_on_SmtpUTF8Mailbox to table of X.509 attributes
RFC 8398: documentation
EAI test script and data
Documentation for internal PUNYCODE-related functions
Replace hieroglyphs with stub to pass tests
Fix PKCS#7 so that it still works with non fetchable digest algorithms.
Fix PKCS#7 so that it still works with non fetchable cipher algorithms.
New GOST PKCS12 standard support
HMAC should work with non-provided digests
Some OIDs used in Russian X.509 certificates.
Tests for processing zero-length content in SMIME format
Fix zero-length content verification in S/MIME format
Dr. David von Oheimb (103):
Introduce X509_add_cert[s] simplifying various additions to cert lists
Remove needless #ifndef OPENSSL_NO_SOCK for X509_{CRL_}load_http
OSSL_STORE file_load_try_decode(): Avoid flooding error queue by failed tries
PKCS12_parse(): Fix reversed order of certs parsed and output via *ca
PKCS12_parse(): Clean up code and correct documentation
Fix mem leaks on PKCS#12 read error in PKCS12_key_gen_{asc,utf8}
apps: make use of OSSL_STORE for generalized certs and CRLs loading
Make better use of new load_cert_pass() variant of load_cert() in apps/
Make sure x509v3_cache_extensions() does not modify the error queue
Add prerequisite #include directives to include/crypto/x509.h
Correct the #define's of EVP_PKEY_CTRL_SET1_ID and EVP_PKEY_CTRL_GET1_ID{,_LEN}
testutil: Make SETUP_TEST_FIXTURE return 0 on fixture == NULL
testutil: Add provider.c with test_get_libctx(), to use at least for SSL and CMP
Re-word null->empty property; improve iteration.count example in property.pod
x_x509.c: Simplify X509_new_with_libctx() using x509_set0_libctx()
Add libctx and propq param to ASN.1 sign/verify/HMAC/decrypt
Update CMP header file references in internal CMP documentation
cmp_vfy.c: Fix bug: must verify msg signature also in 3GPP mode
Add libctx and propq parameters to OSSL_CMP_{SRV_},CTX_new() and ossl_cmp_mock_srv_new()
Add OPENSSL_CTX parameter to OSSL_CRMF_pbmp_new() and improve its doc
crypto/cmp: Prevent misleading errors in case x509v3_cache_extensions() fails
cmp_hdr.c: Adapt ossl_cmp_hdr_init() to use OPENSSL_CTX for random number generation
cmp_util.c: Add OPENSSL_CTX parameter to ossl_cmp_build_cert_chain(), improve its doc
cmp_msg.c: Copy libctx and propq of CMP_CTX to newly enrolled certificate
Use in CMP+CRMF libctx and propq param added to sign/verify/HMAC/decrypt
Add libctx/provider support to cmp_client_test
Add libctx/provider support to cmp_vfy_test
Add libctx/provider support to cmp_protect_test
Add libctx/provider support to cmp_msg_test
run_tests.pl: Add warning that HARNESS_JOBS > 1 overrides HARNESS_VERBOSE
X509_add_certs(): Add to doc some warning notes on memory management
apps/pkcs12.c: Add -untrusted option
Add -verbosity option to apps/cmp.c and add log output also in crypto/cmp
apps/cmp.c: Clean up loading of certificates and CRLs
Add OSSL_CMP_CTX_get1_newChain() and related CLI option -chainout
Strengthen chain building for CMP
OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted
X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs
OSSL_HTTP_parse_url(): add optional port number return parameter and strengthen documentation
apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing parse_addr() and atoint()
apps/cmp.c: Allow default HTTP path (aka CMP alias) given with -server option
Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
Allow unauthenticated CMP server if missing -trusted, -srvcert, and -secret options
Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs
Replace all wrong usages of 'B<...>' (typically by 'I<...>') in OSSL_CMP_CTX_new.pod
apps.c: Fix diagnostics and return value of load_key_certs_crls() on error
apps/cmp.c: clear leftover errors on loading libengines.so etc.
apps.c: Fix mem leaks on error in load_certs() and load_crls()
81-test_cmp_cli.t: Stop unlinking test output files according to #11080
81-test_cmp_cli: Make test output files all different according to #11080
test/recipes/81-test_cmp_cli_data/Mock/server.cnf: minor cleanup
test/cmp_{client,msg}_test.c: minor code cleanup
bugfix in ossl_cmp_msg_add_extraCerts(): should include cert chain when using PBM
bugfix in ossl_cmp_msg_protect(): set senderKID and extend extraCerts also for unprotected CMP requests
bugfix in apps/cmp.c and cmp_client.c: inconsistencies on retrieving extraCerts in code and doc
app_load_config_bio(): fix crash on error
X509_NAME_print_ex.pod: re-format lines to fit within 80 chars limit
X509_NAME_oneline(): Fix output of multi-valued RDNs, escaping '/' and '+' in values
X509_NAME_cmp: restrict normal return values to {-1,0,1} to avoid confusion with -2 for error
X509_NAME_add_entry_by_txt.pod: Improve documentation w.r.t. multi-valued RDNs (containing sets of AVAs)
X509_NAME_cmp(): Clearly document its semantics, referencing relevant RFCs
Add/harmonize multi-valued RDN support and doc of ca, cmp, req, storeutl, and x509 apps
apps_ui.c: Improve error handling and return value of setup_ui_method()
apps_ui.c: Correct handling of empty password from -passin
apps_ui.c: Correct password prompt for ui_method
apps/cmp.c: Improve safeguard assertion on consistency of cmp_options[] and cmp_vars[]
Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c
check_chain_extensions(): Add check that Basic Constraints of CA cert are marked critical
check_chain_extensions(): Add check that AKID and SKID are not marked critical
check_chain_extensions(): Add check that on empty Subject the SAN must be marked critical
check_chain_extensions(): Add check that CA cert includes key usage extension
x509_vfy.c: Make sure that strict checks are not done for self-issued EE certs
check_chain_extensions(): Change exclusion condition w.r.t. RFC 6818 section 2
check_chain_extensions(): Require X.509 v3 if extensions are present
apps/cmp.c: Improve documentation of -secret, -cert, and -key options
apps/cmp.c: Improve documentation of -extracerts, -untrusted, and -otherpass
apps/cmp.c: Improve user guidance on missing -subject etc. options
openssl-cmp.pod.in: Update Insta Demo CA port number in case needed
OSSL_CMP_CTX_new.pod: improve doc of OSSL_CMP_CTX_get1_{extraCertsIn,caPubs}
apps/cmp.c: Improve example given for -geninfo option (also in man page)
Improve robustness and performance of building Unix static libraries
Fix Coverity CID 1466708 - correct pointer calculation in one case
ocsp_vfy.c: Clean up code w.r.t. coding guidelines and reduce redundancies
load_key_certs_crls(): Restore output of fatal errors
Prune low-level ASN.1 parse errors from error queue in decoder_process()
apps/ca.c: Rename confusing variable 'req' to 'template_cert' in certify_cert()
Test.pm: Some clarifications added to the documentation
OCSP_resp_find_status.pod: Replace function arg references B<...> by I<...>
OCSP_resp_find_status.pod: Slightly improve the documentation of various flags
Implement treatment of id-pkix-ocsp-no-check extension for OCSP_basic_verify()
appveyor.yml: Clean up minimal configuration, adding no-ec and pruning cascaded no-*
30-test_evp.t: On no-dh, no-dsa, no-ec, no-sm2, and no-gost configurations disable respective tests
25-test_x509.t: Add test for suitable error report loading unsupported sm2 cert
Prune low-level ASN.1 parse errors from error queue in der2key_decode() etc.
EC_GROUP_new_by_curve_name_with_libctx(): Add name of unknown group to error output
check-format.pl: Document how to run positive and negative self-tests
check-format.pl: Extend exceptions for no SPC after trailing ';' in 'for (...;)'
check-format.pl: Allow nested indentation of labels (not only at line pos 1)
Fix memory leak in req_cb() of x_req.c - handle distinguishing_id also with NO_SM2
Test.pm: Add result_dir and export both result_dir and result_file
Move CMP CLI test output files to BLDTOP/test-runs/test_cmp_cli/
ocsp.h: Fix backward compatibility declaration of OCSP_parse_url()
Correct and simplify use of ERR_clear_error() etc. for loading DSO libs
Dr. Matthias St. Pierre (11):
rand: fix typo in parameter name
README.md: replace incorrect access token for the AppVeyor badge
README.md: remove incorrect link to openssl.github.io
test/drbgtest: improve the reseed after fork test
prov/drbg: fix misspelling of '#ifdef FIPS_MODULE'
prov/drbg: cleanup some RAND_DRBG leftovers
drbg: revert renamings of the generate and reseed counter
Update CHANGES and NEWS for 1.1.1h release
Change CVE link style in CHANGES and NEWS
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX
Rename some occurrences of 'library_context' and 'lib_ctx' to 'libctx'
Eric Curtin (1):
Increase PSK_MAX_IDENTITY_LEN from 128 to 256
Felix Monninger (1):
also zero pad DHE public key in ClientKeyExchange message for interop
Henry N (1):
Fix: ecp_nistz256-armv4.S bad arguments
Hu Keping (1):
Simplify the tarball generating scripts
Ikko Ashimine (1):
Fixed typo in ssl_lib.c
Jakub Zelenka (1):
Add CMS AuthEnvelopedData with AES-GCM support
John Baldwin (13):
Add a ktls_crypto_info_t typedef.
Add helper functions for FreeBSD KTLS.
Add support for KTLS receive for TLS 1.1-1.2 on FreeBSD.
Don't check errno if ktls_read_record() returned 0.
Support for KTLS TX on FreeBSD for TLS 1.3.
Move KTLS inline functions only used by libssl into ssl/ktls.c.
Refactor the KTLS tests to minimize code duplication.
Skip tests using KTLS RX if KTLS RX is not supported.
Skip tests using KTLS RX for TLS 1.3.
Use global 'libctx' with RAND_bytes_ex to generate sendfile temp data.
Fix the socket BIO control methods to use ktls_crypto_info_t.
Remove unused dummy functions from ktls.h.
Slightly abstract ktls_start() to reduce OS-specific #ifdefs.
Jon Spillett (9):
Add new APIs to get PKCS12 secretBag OID and value
Add the correct enum value for DSA public key serialization
Update test data for DSA public key text
Avoid uninitialised variable warning for jobs
Avoid AIX compiler issue by making the macro argument names not match any substring
Use return code for 'which command' checks
Fix up issue on AIX caused by broken compiler handling of macro expansion
Allow zero-length secret for EVP_KDF API
Make KDFs fail if requesting a zero-length key.
Jordan Montgomery (1):
Expose PKCS7_get_octet_string and PKCS7_type_is_other
Jung-uk Kim (1):
Ignore vendor name in Clang version number.
Kelvin Lee (1):
Use .cnf for config files, not .conf
Kurt Roeckx (2):
Support writing RSA keys using the traditional format again
Use __BYTE_ORDER__ to test the endianness when available
Marc (2):
apps: -msg flag enhancement 1/2
apps: -msg flag enhancement 2/2
Matt Caswell (97):
Prepare for 3.0 alpha 7
Implement a EVP_PKEY KDF to KDF provider bridge
Extend the EVP_PKEY KDF to KDF provider bridge to also support HKDF
Extend the EVP_PKEY KDF to KDF provider bridge to also support Scrypt
Delete old KDF bridge EVP_PKEY_METHODS
Update KDF documentation
Minimise the size of the macros in kdf_exch.c
Extend the EVP_PKEY KDF to KDF provider bridge to the FIPS provider
Remove a TODO from evp_test
Load the default config file before working with default properties
Test that EVP_default_properties_is_fips_enabled() works early
Fix stitched ciphersuites in TLS1.0
Test mte with stitched ciphersuites in TLSv1.0
Implement key management for the EVP_PKEY MAC to EVP_MAC provider bridge
Implement signature functions for EVP_PKEY MAC to EVP_MAC provider bridge
Make the provider side EVP PKEY MAC bridge available in default and fips
Fix evp_extra_test to not assume that HMAC is legacy
Convert EVP_PKEY_CTX_set_mac_key() into a function
Fix some EVP_MD_CTX_* functions
Ensure libssl creates libctx aware MAC keys
Extend the provider MAC bridge for SIPHASH
Don't require a default digest from signature algorithms
Extend the provider MAC bridge for Poly1305
Extend the provider MAC bridge for CMAC
Delete unused PKEY MAC files
Extend test_CMAC_keygen in evp_extra_test
Document the EVP_PKEY_new_CMAC_key_with_libctx() function
Improve code reuse in the provider MAC bridge
Add some documentation about the EVP_PKEY MAC interface
Include "legacy" in the name of the various MAC bridge functions
Improve some error messages if a digest is not available
Check whether we have MD5-SHA1 and whether we need it
Add an HMAC implementation that is TLS aware
Start using the provider side TLS HMAC implementation
Make ssl3_cbc_digest_record() use the real data_size
Enable PKEY MAC bridge signature algs to take ctx params
Update the EVP_PKEY MAC documentation
Convert ssl3_cbc_digest_record() to use EVP_MD_is_a()
Ensure EVP_MAC_update() passes the length even if it is 0
Fix an EVP_MD_CTX leak
Fix safestack issues in ssl.h
Fix safestack issues in x509.h
Fix safestack issues in x509v3.h
Fix stacks of OPENSSL_STRING, OPENSSL_CSTRING and OPENSSL_BLOCK
Fix safestack issues in asn1.h
Fix safestack issues in cmp.h
Fix safestack issues in cms.h
Fix safestack issues in ocsp.h
Fix safestack issues in pkcs7.h
Fix safestack issues in srp.h
Fix safestack issues in x509_vfy.h
Fix safestack issues in crmf.h
Fix safestack issues in ct.h
Fix safestack issues in asn1t.h
Fix safestack issues in ess.h
Fix safestack issues in bio.h
Fix safestack issues in conf.h
Fix safestack issues in crypto.h
Fix safestack issues in pkcs12.h
Fix safestack issues in ui.h
Remove some safestack things that are no longer needed
Add a CHANGES entry for the safestack updates
Streamline the safestack generated code
Don't complain about stack related macros
Ignore unused return values from some sk_*() macros
Don't send -1 as the length of the hmac key
Redirect EVP_DigestInit to EVP_DigestSignInit_ex if appropriate
Correctly display the signing/hmac algorithm in the dgst app
Test HMAC output from the dgst CLI
Document 2 newly added functions
Provide basis for fixing lhash code
Update conf.h.in to use the new lhash generation code
Update err.h to use the new lhash generation code
Remove some unneeded code from lhash.h
Fix some doc-nits and make update errors
Teach EdDSA signature algorithms about AlgorithmIdentifiers
Make sure we properly test for EdDSA with alg ids
Update the EdDSA docs with information about Algorithm Identifiers
Move SM2 asymmetric encryption to be available in the default provider
Clean up some SM2 related TODOs in the tests
Remove some dead SM2 code
Extend the SM2 asym cipher test
Document the provider side SM2 Asymmetric Cipher support
Perl util to do with_libctx renaming
Run the withlibctx.pl script
Fix some things the rename script didn't quite get right
Fix encoding of DHX parameters files
Add a test for encoding and decoding of parameters files
Fix the decoder start type handling
Remove a CMS key downgrade
Move CMS enveloping code out of the algorithms and into CMS
Move CMS signing code out of the algorithms and into CMS
Remove CMS recipient info information out of the algorithm implementations
Remove some more CMS key downgrades
Make evp_pkey_ctx_get0_libctx/propq public API
Update copyright year
Prepare for release of 3.0 alpha 7
Maxim Masiutin (1):
TLS AEAD ciphers: more bytes for key_block than needed
Nicola Tuveri (9):
Add CLI tests in FIPS configuration
Fix segfault on missing provider_query_operation()
[test][tls-provider] Group xor_group properties in a struct
[test][sslapitest] Add test for pluggable KEM group
[test][tls-provider] Add 2nd pluggable tls group for KEM
Define OSSL_CAPABILITY_TLS_GROUP_IS_KEM
[ssl] Support ssl_decapsulate on client side
[ssl] Support ssl_encapsulate on server side
[test][tls-provider] Implement KEM algorithm
Norman Ashley (1):
Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP sign
Patrick Steuer (1):
Appease -Werror=stringop-overflow=
Paul Yang (6):
Add SM2 key management
Add SM2 signature algorithm to default provider
Address review comments
support PARAM_SECURITY_BITS for SM2
refactor get params functions
Add auto-gen SM2 der files into .gitignore
Pauli (68):
gettables: core changes to pass the provider context.
gettables: provider changes to pass the provider context.
gettables: test changes to pass the provider context.
gettables: documentation changes to pass the provider context.
mac: add some consistency to setting the XXX_final output length.
rand_drbg: remove RAND_DRBG.
drbgtest: avoid a memory leak
conf: add an error if the openssl_conf section isn't found.
provider: add the unused parameter tag to the gettable and settable functions
Move PKCS#12 KDF to provider.
PKCS#12 KDF: don't run tests with the FIPS provider.
provider: disable fall-backs if OSSL_PROVIDER_load() fails.
Apps: change provider_path option to provider-path.
OCSP: Add return value checks.
pkeyutil: check return value reading password
cmp: handle error return from OBJ_obj2txt()
EVP: NULL pctx pointer after free.
rand: add a note about a potentially misleading code analyzer warning.
rand: instantiate the DRBGs upon first use.
provider_conf: report missing section on error
conf: add diagnostic option
Deprecate SHA and MD5 again.
legacy: include MD5 code in legacy provider
TLS: remove legacy code path supporting special CBC mode
TLS fixes for CBC mode and no-deprecated
In a non-shared build, don't include the md5 object files in legacy provider
s_time: check return values better
provider: add an 'is_running' call to all providers.
FIPS: rename the status call to is_running.
digests: add FIPS error state handling
asymciphers: add FIPS error state handling
rand: add FIPS error state handling
mac: add FIPS error state handling
kdf: add FIPS error state handling
exchange: add FIPS error state handling
signature: add FIPS error state handling
keymgmt: add FIPS error state handling
ciphers: add FIPS error state handling
FIPS: error mode is set from failed self tests and produced a limited number of errors when algorithm accesses are attempted
CRNGT: enter FIPS error state if the test fails
DTLS: free allocated memory on error paths
PKCS#8: free data on error path in newpass_bag
PKCS5 PBE: free allocations on unlikely / impossible failure path
generate_cookie_callback: free temporary memory on an error path
free memory use on error in cert verify
rand: reference count the EVP_RAND contexts.
Add a "random" configuration section.
evp_rand: fix bug in gettable_ctx/settable_ctx calls
kdf/mac: add name query calls for KDFs and MACs
drbg: gettable parameters for cipher/digest/mac type.
list: add capability to print details about the current DRBGs
rand: add a test case for configuration based random
ACVP: add test case for DRBG
todo: remove fork protection todo comment, it isn't relevant to the FIPS provider
rand: declare get_hardware_random_value() before use.
prov: prefix all OSSL_DISPATCH tables names with ossl_
prov: prefix provider internal functions with ossl_
prov: prefix aes-cbc-cts functions with ossl_
prov: prefix all exposed 'cipher' symbols with ossl_
der: _ossl prefix DER functions
der: _ossl prefix der_oid_ and der_aid_ functions
doc: remove duplicated code in example
ffc: add _ossl to exported but internal functions
rsa: add ossl_ prefix to internal rsa_ calls.
apps: remove internal/cryptlib.h include that isn't used
vms: move otherwise dead code into the VMS relevant path.
coverity 1414446 out-of-bounds access: allocate \0 terminator byte to be safe
coverity 1403324 negative array index: check for finding an unknown value and error if so (since it shouldn't happen).
Rainer Jung (1):
Make TAP::Harness and TAP::Parser optional.
Randall S. Becker (5):
NonStop port updates for 3.0.0.
Added FIPS DEP initialization for the NonStop platform in fips/self_test.c.
Modified rand_cpu_x86.c to support builtin hardware randomizer on HPE NonStop.
Disabled symbol_presence test on NonStop due to different nm format.
Reconciled c99 and loader arguments for float on NonStop TNS/E and TNS/X.
Rich Salz (2):
Add OCSP_PARTIAL_CHAIN to OCSP_basic_verify()
Fix markdown nits in NOTES-Windows.txt
Richard Levitte (124):
RSA: Be less strict on PSS parameters when exporting to provider
PEM: Make general MSBLOB reader functions exposed internally
DESERIALIZER: Adjust to allow the use several deserializers with same name
PROV: Add MSBLOB and PVK to DSA and RSA deserializers
PEM: Fix i2b_PvK to use EVP_Encrypt calls consistently
TEST: Adjust the serdes test to include MSBLOB and PVK
EVP: Fix the returned value for ASN1_PKEY_CTRL_DEFAULT_MD_NID
PROV: Fix MSBLOB / PVK deserializer
EVP: Have evp_pkey_cmp_any() detect if export wasn't possible
TEST: separate out NIST ECC tests from non-NIST
RSA: Fix rsa_todata() to only add params for existing data
PROV: Fix EC OSSL_FUNC_keymgmt_match() to work in the FIPS provider
X509: Add d2i_PUBKEY_ex(), which take a libctx and propq
PROV: Fix DSA and DH private key serializers
STORE: Distinguish public keys from private keys
PEM: Add more library context aware PEM readers
TEST: Use PEM_read_bio_PUBKEY_ex() and PEM_read_bio_PrivateKey_ex()
Rename OSSL_SERIALIZER / OSSL_DESERIALIZER to OSSL_ENCODE / OSSL_DECODE
Rename OSSL_SERIALIZER / OSSL_DESERIALIZER to OSSL_ENCODE / OSSL_DECODE
Remove the OSSL_SERIALIZER / OSSL_DESERIALIZER renaming scripts
Clean away some declarations
CORE: Define provider-native abstract objects
CORE: Generalise internal pass phrase prompter
STORE: Add missing function OSSL_STORE_LOADER_set_open_with_libctx()
STORE for providers: define libcrypto <-> provider interface
STORE: Add the base functions to support provider based loaders
OSSL_PARAM: Add string pointer getters
DECODER: Add function to set an OSSL_PASSPHRASE_CALLBACK type callback
STORE: Modify to support loading with provider based loaders
STORE: Change all error recording to use ERR_raise() / ERR_raise_data()
TEST: Fix CMP tests so they load keys in the current library context
crypto/x509/v3_utl.c: Fix IPv6 output in ipaddr_to_asc()
Fix PEM_write_bio_PrivateKey_traditional() to not output PKCS#8
TEST: Adapt some tests for a stricter PEM_write_bio_PrivateKey_traditional()
ASN1: Fix d2i_KeyParams() to advance |pp| like all other d2i functions do
OSSL_ENCODER / OSSL_DECODER post-rename cleanup
STORE: Move the built-in 'file:' loader to become an engine module
STORE: Add a built-in 'file:' storemgmt implementation (loader)
STORE: Deprecate legacy / ENGINE functions
TEST: Modify test/recipes/90-test_store.t for use with different 'file:' loaders
EVP: Downgrade EVP_PKEYs in EVP_PKEY2PKCS8()
"Downgrade" provider-native keys to legacy where needed
STORE: Fix potential memory leak
CORE: Fix small bug in passphrase caching
STORE: Stop the flood of errors
TEST: have key_unsupported() in evp_test.c look at the last error
EVP: Don't report malloc failure in new_raw_key_int()
Revert "TEST: separate out NIST ECC tests from non-NIST"
TEST: Ensure that the base provider is activated when needed
EC: Remove one error record that shadows another
ASN1: Make ASN1_item_verify_ctx() work with provider-native keys
DOC: Modify one example in EVP_PKEY_fromdata(3)
DOC: Fix check of EVP_PKEY_fromdata{,_init} in examples
Building: Build Unix static libraries one object file at a time
EVP: Preserve the EVP_PKEY id in a few more spots
EVP: Don't shadow EVP_PKEY_CTX_new* error records
Fix test/evp_extra_test.c
EVP: Add support for delayed EVP_PKEY operation parameters
EVP: Expand the use of EVP_PKEY_CTX_md()
EVP: Move the functions and controls for setting and getting distid
PEM: Make PEM_write_bio_PrivateKey_traditional() handle provider-native keys
TEST: modify test/endecode_test.c to not use legacy keys
ENCODER: Refactor provider implementations, and some cleanup
Diverse build.info: Adjust paths
STORE: Fix OSSL_STORE_attach() to check |ui_method| before use
TEST: skip POSIX errcode zero in tesst/recipes/02-test_errstr.t
OSSL_DECODER 'decode' function must never be NULL.
dev/release.sh: Rework to be smoother
EC: Reimplement EVP_PKEY_CTX_set_ec_param_enc() to support providers
EVP: Add the internal convenience function evp_keymgmt_util_export()
TEST: Add a test of EC key generation with encoding spec
util/mknum.pl: Fix file opening
Make 'make ordinals' work again
Make 'make errors' work again
EVP: Centralise fetching error reporting
OpenSSL::ParseC: recognise inline function bodies
Configurations/unix-Makefile.tmpl: Don't specify headers twice
util/mkerr.h: Restore header file rename
ENCODER: Redefine the libcrypto <-> provider interface
ENCODER: Refactor the OSSL_ENCODER API to be more like OSSL_DECODER
ENCODER: Refactor our provider encoder implementations
ENCODER: Adapt calls to the changed OSSL_ENCODER_CTX_new_by_EVP_PKEY()
TEST: Adapt applicable tests to the changed OSSL_ENCODER_CTX_new_by_EVP_PKEY()
DECODER: Some cleanups, and aligning with OSSL_ENCODER
util/find-doc-nits: Add a regexp for C symbols and use it
DOC: POD syntax fixes in doc/man1/openssl-cmp.pod.in
Configurations/unix-Makefile.tmpl: make cleanup kinder
Configuration: Streamline NonStop entries
Configure: Show 'enable' and 'disable' config attributes
Use OPENSSL_SYS_TANDEM instead of OPENSSL_SYSNAME_TANDEM
Hide ECX_KEY again
Configuration: Make it possible to have an argument file
Configuration: Don't have shared libraries depend on themselves
EVP: Enforce that EVP_PKEY_set_alias_type() only works with legacy keys
TEST: Remove use of EVP_PKEY_set_alias_type() in test/evp_extra_test.c
Build: Make NonStop shared libraries only export selected symbols
STORE: Clear a couple of TODOs that were there for the sake of SM2
Configure: handle undefined shared_target.
EVP: use evp_pkey_ctx_is_legacy() to find what implementation to use
Configuration: add initial NonStop values in OpenSSL::config
DECODER: Handle abstract object data type
DECODER: Allow precise result type for OSSL_DECODER_CTX_new_by_EVP_PKEY()
APPS: Reduce deprecation warning suppression - ENGINE
unix-Makefile.tmpl: Add a target to install the FIPS module config
windows-makefile.tmpl: Add a target to install the FIPS module config
descrip.mms.tmpl: Add a target to install the FIPS module config
providers/build.info: Tag the FIPS module, for the build file
Document install_fips in INSTALL.md
OpenSSL::Ordinals: Add options for the writing functions
Modify util/mknum.pl to drop new symbols that don't exist any more
make ordinals
Fix diverse ERR code conflicts
ENCODER / DECODER: Add functions to encode/decode to/from a buffer
Adapt some code to OSSL_ENCODER_to_data() / OSSL_DECODER_from_data()
Add a macro OSSL_DEPRECATED for compiler dependent deprecation attributes
Change OSSL_DEPRECATED to take a version argument
Add definitions of OSSL_DEPRECATED[_FOR] for Microsoft VC
Add convenience macros OSSL_DEPRECATEDIN_{major}_{minor}
Make OpenSSL::ParseC and OpenSSL::Ordinals treat deprecation consistently
Add ASN1 declaration macros that take attributes
Add PEM declaration macros that take attributes
OpenSSL::ParseC: handle OSSL_CORE_MAKE_FUNC
Document how deprecation should be done
EVP: Take care of locks when downgrading an EVP_PKEY
Robert Jędrzejczyk (1):
Windows get ENV value as UTF-8 encoded string instead of a raw string
Rutger Hendriks (1):
Increase PSK_MAX_PSK_LEN to 512
Sahana Prasad (1):
apps/pkcs12: Change defaults from RC2 to PBES2 with PBKDF2
Shane Lontis (108):
Add evp_test fixes.
Add libctx support to CMS.
Add internal method x509_set0_libctx().
Add libctx to SMIME ASN1
Add libctx support to PKCS7.
Fix EVP_PKEY_CTX_get_rsa_oaep_md() & EVP_PKEY_CTX_get_rsa_mgf1_md() so they use a libctx to retrieve the digest
Add libctx to ecdh_KDF_X9_63.
Use libctx for EVP_CIPHER_CTX_rand_key() method.
Add EVP signature with libctx methods.
Change CMS tests to use a library context.
Add some of the missing CMS API documentation
Add 'on demand self test' and status test to providers
Fix memory leak in drbgtest
Add DHX support to keymanager
Add dh_kdf support to provider
Add DHX serialization
Add fix for RSA keygen in FIPS using keysizes 2048 < bits < 3072
Fix serializer_EVP_PKEY_to_bio so that the key is exported if the serializer provider does not match the key provider.
Add public API for gettables and settables for keymanagement, signatures and key exchange.
Fix broken windows builds.
Fix DSA/DH so that legacy keys can still be generated by the default provider
Fix no-cms build errors.
Fix incorrect selection flags for ec serializer.
Add libctx/provider support to cmp_server_test
Add Explicit EC parameter support to providers.
Fix CMS so that it still works with non fetchable algorithms.
Fix coverity CID #1465594 - Null dereference in EVP_PKEY_get0()
Fix coverity CID #1465797 - Negative loop bound in collect_deserializer
Fix coverity CID #1465795 - Incorrect free deallocator used in SSL_add1_host()
Fix coverity CID #1465794 - Uninitialized pointer read in x942_encode_otherinfo()
Fix coverity CID #1465790 - Dereference after NULL check in evp_test.c
Fix coverity CID #1465531 - Negative return passed to a function param using size_t in asn1_item_digest_with_libctx()
Fix coverity CID #1465525 - NULL pointer dereference in OSSL_DECODER_CTX_new_by_EVP_PKEY()
Fix coverity CID #1458648 - Wrong sizeof() arg in rsa_freectx()
Fix coverity CID #1458647 - Use after free in clean_tbuf() which uses ctx->rsa
Fix coverity CID #1458645 - Dereference before NULL check in rsa_digest_verify_final()
Fix coverity CID #1458644 - Negative return passed to function taking size_t in ecdh_cms_set_shared_info()
Fix coverity CID #1458641 - Dereference before NULL check when setting ctx->flag_allow_md in rsa.c
Fix coverity CID #1455335 - Dereference after NULL check in fromdata_init()
Fix coverity CID #1454638 - Dereference after NULL check in EVP_MD_CTX_gettable_params()
Fix coverity CID #1452775 & #1452772 - Dereference before NULL check in evp_lib.c
Fix coverity CID #1452773 - Dereference before NULL check in EVP_DigestFinal_ex()
Fix coverity CID #1452770 - Dereference before NULL check in CRYPTO_siv128_init()
Fix DH serializer import calls to use correct selection flags.
Fix DSA serializer import calls to use correct selection flags.
Fix RSA serializer import calls to use correct selection flags.
Fix ECX serializer import calls to use correct selection flags.
Fix coverity CID #1466378 - Incorrect expression in ec_backend.c
Fix coverity CID #1466377 - resource leak due to early return in ec_get_params().
Fix coverity CID #1466375 - Remove dead code.
Fix coverity CID #1466371 - fix dereference before NULL check.
Fix coverity CID #1465967 & #1465968 - fix NULL dereference in dh_ameth.c
Fix coverity CID #1457935 - Check return value in ffc_params.c for BIO_indent/BIO_puts calls.
Fix coverity CID #1452769 & #1452771 - Arg passed to function that cannot be negative in cms_ess.c
Fix coverity CID #1454815 - NULL ptr dereference in initthread.c
Fix fipsinstall module path
Fix coverity issue: CID 1466486 - Resource leak in OSSL_STORE
Fix coverity issue: CID 1466485 - Explicit NULL dereference in OSSL_STORE_find()
Fix coverity issue: CID 1466484 - Remove dead code in PKCS7_dataInit()
Fix coverity issue: CID 1466483 - Improper use of Negative value in dh_ctrl.c
Fix coverity issue: CID 1466482 - Resource leak in OSSL_STORE_SEARCH_by_key_fingerprint()
Fix coverity issue: CID 1466479 - Resource leak in apps/pkcs12.c
keygen: add FIPS error state management to conditional self tests
Update doc for EVP_PKEY_CTX_set_ec_param_enc()
Fix EVP_PKEY_CTX_ctrl() documentation
Add self tests for rsa encryption
Update AES GCM IV max length to be 1024 bits (was 512)
Fix AES_XTS on x86-64 platforms with BSAES and VPAES support.
Add selftest callback to CRNG output test
Add fips checks for rsa signatures.
Add fips checks for dsa signatures
Add fips checks for ecdsa signatures
Add fips checks for dh key agreement
Add fips checks for rsa encryption
Add fips checks for ecdh key agreement
Add error message to genpkey app for the '-genparam' option
Add missing 'ossl_unused' tags to some gettable and settable methods.
Separate fips and non fips code for key operations
fix provider signatures
fix provider exchange operations
Add 'fips-securitychecks' option and plumb this into the actual fips checks
Add option to fipsinstall to disable fips security checks at run time.
Add KEM (Key encapsulation mechanism) support to providers
Add a copy of OSSL_SELF_TEST_get_callback() to the fips module.
Fix ec keygen so that it passes the library context to SSL_SELF_TEST_get_callback().
Fix merge error with libcrypto.num
Fix CID 1467068 : Null pointer dereference in self_test.c
Fix CID 1466714 : Null pointer dereference in EVP_PKEY_CTX_ctrl() due to new call to evp_pkey_ctx_store_cached_data()
Fix CID 1466713 : Dead code in encode_key2text.c
Fix CID 1466712 : Resource leak in ec_kmgmt due to new call to ossl_prov_is_running()
Fix CID 1466710 : Resource leak in ec_kmgmt due to new call to ossl_prov_is_running()
Fix CID 1466709 : Negative value passed to a function that can't be negative in cms_sd.c
Change rsa gen so it can use the propq from OSSL_PKEY_PARAM_RSA_DIGEST
Fix EVP_KDF_scrypt so that it uses a propq for its fetch.
Fix ssl_hmac_new() so that it uses the propq
Fix ecx so that it uses a settable propertyquery
Fix missing propq in ecdh_cms_set_shared_info()
Fix missing propq in ffc_params_generate
Fix missing propq in sm2
Fix propq in x942kdf
Add key length check to rsa_kem operation.
Add EVP_KEM_gettable_ctx_params() and EVP_KEM_settable_ctx_params()
Add EVP_ASYM_CIPHER_gettable_ctx_params() and EVP_ASYM_CIPHER_settable_ctx_params()
Update openssl list to support new provider objects.
Remove openssl provider app
Fix bug in EDDSA speed test
Remove TODO comment from sskdf.c
rsa_mp_coeff_names should only have one entry in it for fips mode.
T.Yanagisawa (1):
Correct description of BN_mask_bits
Tim Hudson (1):
undeprecate EVP_PKEY_cmp and EVP_PKEY_cmp_parameters
Todd Short (2):
Fix use of OPENSSL_realloc in provider
Fix post-condition in algorithm_do_this
Tomas Mraz (9):
Avoid segfault in SSL_export_keying_material if there is no session
sslapitest: Add test for premature call of SSL_export_keying_material
EC_KEY: add EC_KEY_decoded_from_explicit_params()
Disallow certs with explicit curve in verification chain
Rename check_chain_extensions to check_chain
Correct certificate and key names for explicit ec param test
apps/ocsp: Return non zero exit code with invalid certID
Generate a certificate with critical id-pkix-ocsp-nocheck extension
INSTALL.md: Drop trailing spaces on a line
Vadim Fedorenko (1):
Fix two issues with AES-CCM KTLS tests.
Xiaofei Bai (1):
FIX strncpy warning in apps/cmp.c.
Yury Is (1):
syscall_random(): don't fail if the getentropy() function is a dummy
drgler (1):
Ensure that _GNU_SOURCE is defined for NI_MAXHOST and NI_MAXSERV
hklaas (1):
optimise ssl3_get_cipher_by_std_name()
jwalch (4):
Cleanup deprecation of ENGINE_setup_bsd_cryptodev
Add a NULL check to EVP_PKEY_assign
Annotate potential -Wunused-function violations in err.h
en EVP_PKEY_CTX_set_rsa_keygen_pubexp() BIGNUM management
luxinyou (1):
Fix memory leaks in conf_def.c
olszomal (1):
Add const to 'ppin' function parameter
ozppupbg (1):
Fixed EVP_MAC_final argument count in example
-----------------------------------------------------------------------