[openssl] openssl-3.0.0-alpha7 create

Matt Caswell matt at openssl.org
Thu Oct 15 13:34:49 UTC 2020

The annotated tag openssl-3.0.0-alpha7 has been created
        at  062506642b11e4231e78a80a7b030fed07127946 (tag)
   tagging  f9a5682e5c0fbf8b17319d71b0040dba9f8b46ee (commit)
  replaces  openssl-3.0.0-alpha6
 tagged by  Matt Caswell
        on  Thu Oct 15 14:16:06 2020 +0100

- Log -----------------------------------------------------------------
OpenSSL 3.0.0-alpha7 release tag


Akshit Akhoury (1):
      Changing X509at_get0_data_by_OBJ to expect const stack of X509_ATTRIBUTE

Alexander Borkowski (1):
      s_client.pod: Fix grammar in NOTES section.

André Klitzing (1):
      Allow to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE

Benjamin Kaduk (21):
      Support cipher provider "iv state"
      Deprecate and replace EVP_CIPHER_CTX_iv()/etc.
      Add tests for new EVP_CIPHER_CTX IV accessors
      Make GCM providers more generous about fetching IVs
      Document EVP_CIPHER_CTX IV accessors
      Retire EVP_CTRL_GET_IV
      Use local IV storage in e_aes.c
      Use local IV storage in e_aes_ebc_hmac_sha1.c
      Use local IV storage in e_aes_ebc_hmac_sha256.c
      Use local IV storage in e_aria.c
      Use local IV storage in e_camellia.c
      Use local IV storage in e_des.c
      Use local IV storage in e_des3.c
      Use local IV storage in e_sm4.c
      Use local IV storage in e_xcbc_d.c
      Use local IV storage in e_rc2.c
      Use local IV storage in EVP BLOCK_* macros
      Avoid deprecated function in evp_lib.c
      Avoid deprecated API in evp_test.c
      Expose S390x HW ciphers' IV state to provider layer
      Mark SSL_CTX_set_ssl_version() as deprecated in 3.0

Benny Baumann (2):
      Use size of target buffer for allocation
      Avoid memory leak of parent on allocation failure for child structure

Biswapriyo Nath (1):
      fuzz/test-corpus: check if PATH_MAX is already defined

C.W. Betts (1):
      Initial Apple Silicon support.

Chris Novakovic (1):
      apps/ca: allow CRL lastUpdate/nextUpdate fields to be specified

Daniel Bevenius (5):
      Fix typo in FIPS_MODULE endif macro comment
      Fix typo in bind_loader_attic comment
      DOC: remove OPENSSL_CTX from OSSL_DECODER_CTX_new
      ERR: fix comment typo in err.c
      Set mark and pop error in d2i_PrivateKey_ex

David Benjamin (1):
      Deprecate ASN1_STRING_length_set in OpenSSL 3.0.

Dmitry Belyavskiy (16):
      Update gost-engine to fix API rename
      Punycode decoding implementation
      RFC 8398: Name constraints validation
      RFC 8398: EAI comparison
      Add NID_id_on_SmtpUTF8Mailbox to table of X.509 attributes
      RFC 8398: documentation
      EAI test script and data
      Documentation for internal PUNYCODE-related functions
      Replace hieroglyphs with stub to pass tests
      Fix PKCS#7 so that it still works with non fetchable digest algorithms.
      Fix PKCS#7 so that it still works with non fetchable cipher algorithms.
      New GOST PKCS12 standard support
      HMAC should work with non-provided digests
      Some OIDs used in Russian X.509 certificates.
      Tests for processing zero-length content in SMIME format
      Fix zero-length content verification in S/MIME format

Dr. David von Oheimb (103):
      Introduce X509_add_cert[s] simplifying various additions to cert lists
      Remove needless #ifndef OPENSSL_NO_SOCK for X509_{CRL_}load_http
      OSSL_STORE file_load_try_decode(): Avoid flooding error queue by failed tries
      PKCS12_parse(): Fix reversed order of certs parsed and output via *ca
      PKCS12_parse(): Clean up code and correct documentation
      Fix mem leaks on PKCS#12 read error in PKCS12_key_gen_{asc,utf8}
      apps: make use of OSSL_STORE for generalized certs and CRLs loading
      Make better use of new load_cert_pass() variant of load_cert() in apps/
      Make sure x509v3_cache_extensions() does not modify the error queue
      Add prerequisite #include directives to include/crypto/x509.h
      Correct the #define's of EVP_PKEY_CTRL_SET1_ID and EVP_PKEY_CTRL_GET1_ID{,_LEN}
      testutil: Make SETUP_TEST_FIXTURE return 0 on fixture == NULL
      testutil: Add provider.c with test_get_libctx(), to use at least for SSL and CMP
      Re-word null->empty property; improve iteration.count example in property.pod
      x_x509.c: Simplify X509_new_with_libctx() using x509_set0_libctx()
      Add libctx and propq param to ASN.1 sign/verify/HMAC/decrypt
      Update CMP header file references in internal CMP documentation
      cmp_vfy.c: Fix bug: must verify msg signature also in 3GPP mode
      Add libctx and propq parameters to OSSL_CMP_{SRV_},CTX_new() and ossl_cmp_mock_srv_new()
      Add OPENSSL_CTX parameter to OSSL_CRMF_pbmp_new() and improve its doc
      crypto/cmp: Prevent misleading errors in case x509v3_cache_extensions() fails
      cmp_hdr.c: Adapt ossl_cmp_hdr_init() to use OPENSSL_CTX for random number generation
      cmp_util.c: Add OPENSSL_CTX parameter to ossl_cmp_build_cert_chain(), improve its doc
      cmp_msg.c: Copy libctx and propq of CMP_CTX to newly enrolled certificate
      Use in CMP+CRMF libctx and propq param added to sign/verify/HMAC/decrypt
      Add libctx/provider support to cmp_client_test
      Add libctx/provider support to cmp_vfy_test
      Add libctx/provider support to cmp_protect_test
      Add libctx/provider support to cmp_msg_test
      run_tests.pl: Add warning that HARNESS_JOBS > 1 overrides HARNESS_VERBOSE
      X509_add_certs(): Add to doc some warning notes on memory management
      apps/pkcs12.c: Add -untrusted option
      Add -verbosity option to apps/cmp.c and add log output also in crypto/cmp
      apps/cmp.c: Clean up loading of certificates and CRLs
      Add OSSL_CMP_CTX_get1_newChain() and related CLI option -chainout
      Strengthen chain building for CMP
      OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted
      X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs
      OSSL_HTTP_parse_url(): add optional port number return parameter and strengthen documentation
      apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing parse_addr() and atoint()
      apps/cmp.c: Allow default HTTP path (aka CMP alias) given with -server option
      Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
      Allow unauthenticated CMP server if missing -trusted, -srvcert, and -secret options
      Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs
      Replace all wrong usages of 'B<...>' (typically by 'I<...>') in OSSL_CMP_CTX_new.pod
      apps.c: Fix diagnostics and return value of load_key_certs_crls() on error
      apps/cmp.c: clear leftover errors on loading libengines.so etc.
      apps.c: Fix mem leaks on error in load_certs() and load_crls()
      81-test_cmp_cli.t: Stop unlinking test output files according to #11080
      81-test_cmp_cli: Make test output files all different according to #11080
      test/recipes/81-test_cmp_cli_data/Mock/server.cnf: minor cleanup
      test/cmp_{client,msg}_test.c: minor code cleanup
      bugfix in ossl_cmp_msg_add_extraCerts(): should include cert chain when using PBM
      bugfix in ossl_cmp_msg_protect(): set senderKID and extend extraCerts also for unprotected CMP requests
      bugfix in apps/cmp.c and cmp_client.c: inconsistencies on retrieving extraCerts in code and doc
      app_load_config_bio(): fix crash on error
      X509_NAME_print_ex.pod: re-format lines to fit within 80 chars limit
      X509_NAME_oneline(): Fix output of multi-valued RDNs, escaping '/' and '+' in values
      X509_NAME_cmp: restrict normal return values to {-1,0,1} to avoid confusion with -2 for error
      X509_NAME_add_entry_by_txt.pod: Improve documentation w.r.t. multi-valued RDNs (containing sets of AVAs)
      X509_NAME_cmp(): Clearly document its semantics, referencing relevant RFCs
      Add/harmonize multi-valued RDN support and doc of ca, cmp, req, storeutl, and x509 apps
      apps_ui.c: Improve error handling and return value of setup_ui_method()
      apps_ui.c: Correct handling of empty password from -passin
      apps_ui.c: Correct password prompt for ui_method
      apps/cmp.c: Improve safeguard assertion on consistency of cmp_options[] and cmp_vars[]
      Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c
      check_chain_extensions(): Add check that Basic Constraints of CA cert are marked critical
      check_chain_extensions(): Add check that AKID and SKID are not marked critical
      check_chain_extensions(): Add check that on empty Subject the SAN must be marked critical
      check_chain_extensions(): Add check that CA cert includes key usage extension
      x509_vfy.c: Make sure that strict checks are not done for self-issued EE certs
      check_chain_extensions(): Change exclusion condition w.r.t. RFC 6818 section 2
      check_chain_extensions(): Require X.509 v3 if extensions are present
      apps/cmp.c: Improve documentation of -secret, -cert, and -key options
      apps/cmp.c: Improve documentation of -extracerts, -untrusted, and -otherpass
      apps/cmp.c: Improve user guidance on missing -subject etc. options
      openssl-cmp.pod.in: Update Insta Demo CA port number in case needed
      OSSL_CMP_CTX_new.pod: improve doc of OSSL_CMP_CTX_get1_{extraCertsIn,caPubs}
      apps/cmp.c: Improve example given for -geninfo option (also in man page)
      Improve robustness and performance of building Unix static libraries
      Fix Coverity CID 1466708 - correct pointer calculation in one case
      ocsp_vfy.c: Clean up code w.r.t. coding guidelines and reduce redundancies
      load_key_certs_crls(): Restore output of fatal errors
      Prune low-level ASN.1 parse errors from error queue in decoder_process()
      apps/ca.c: Rename confusing variable 'req' to 'template_cert' in certify_cert()
      Test.pm: Some clarifications added to the documentation
      OCSP_resp_find_status.pod: Replace function arg references B<...> by I<...>
      OCSP_resp_find_status.pod: Slightly improve the documentation of various flags
      Implement treatment of id-pkix-ocsp-no-check extension for OCSP_basic_verify()
      appveyor.yml: Clean up minimal configuration, adding no-ec and pruning cascaded no-*
      30-test_evp.t: On no-dh, no-dsa, no-ec, no-sm2, and no-gost configurations disable respective tests
      25-test_x509.t: Add test for suitable error report loading unsupported sm2 cert
      Prune low-level ASN.1 parse errors from error queue in der2key_decode() etc.
      EC_GROUP_new_by_curve_name_with_libctx(): Add name of unknown group to error output
      check-format.pl: Document how to run positive and negative self-tests
      check-format.pl: Extend exceptions for no SPC after trailing ';' in 'for (...;)'
      check-format.pl: Allow nested indentation of labels (not only at line pos 1)
      Fix memory leak in req_cb() of x_req.c - handle distinguishing_id also with NO_SM2
      Test.pm: Add result_dir and export both result_dir and result_file
      Move CMP CLI test output files to BLDTOP/test-runs/test_cmp_cli/
      ocsp.h: Fix backward compatibility declaration of OCSP_parse_url()
      Correct and simplify use of ERR_clear_error() etc. for loading DSO libs

Dr. Matthias St. Pierre (11):
      rand: fix typo in parameter name
      README.md: replace incorrect access token for the AppVeyor badge
      README.md: remove incorrect link to openssl.github.io
      test/drbgtest: improve the reseed after fork test
      prov/drbg: fix misspelling of '#ifdef FIPS_MODULE'
      prov/drbg: cleanup some RAND_DRBG leftovers
      drbg: revert renamings of the generate and reseed counter
      Update CHANGES and NEWS for 1.1.1h release
      Change CVE link style in CHANGES and NEWS
      Rename OPENSSL_CTX prefix to OSSL_LIB_CTX
      Rename some occurrences of 'library_context' and 'lib_ctx' to 'libctx'

Eric Curtin (1):
      Increase PSK_MAX_IDENTITY_LEN from 128 to 256

Felix Monninger (1):
      also zero pad DHE public key in ClientKeyExchange message for interop

Henry N (1):
      Fix: ecp_nistz256-armv4.S bad arguments

Hu Keping (1):
      Simplify the tarball generating scripts

Ikko Ashimine (1):
      Fixed typo in ssl_lib.c

Jakub Zelenka (1):
      Add CMS AuthEnvelopedData with AES-GCM support

John Baldwin (13):
      Add a ktls_crypto_info_t typedef.
      Add helper functions for FreeBSD KTLS.
      Add support for KTLS receive for TLS 1.1-1.2 on FreeBSD.
      Don't check errno if ktls_read_record() returned 0.
      Support for KTLS TX on FreeBSD for TLS 1.3.
      Move KTLS inline functions only used by libssl into ssl/ktls.c.
      Refactor the KTLS tests to minimize code duplication.
      Skip tests using KTLS RX if KTLS RX is not supported.
      Skip tests using KTLS RX for TLS 1.3.
      Use global 'libctx' with RAND_bytes_ex to generate sendfile temp data.
      Fix the socket BIO control methods to use ktls_crypto_info_t.
      Remove unused dummy functions from ktls.h.
      Slightly abstract ktls_start() to reduce OS-specific #ifdefs.

Jon Spillett (9):
      Add new APIs to get PKCS12 secretBag OID and value
      Add the correct enum value for DSA public key serialization
      Update test data for DSA public key text
      Avoid uninitialised variable warning for jobs
      Avoid AIX compiler issue by making the macro argument names not match any substring
      Use return code for 'which command' checks
      Fix up issue on AIX caused by broken compiler handling of macro expansion
      Allow zero-length secret for EVP_KDF API
      Make KDFs fail if requesting a zero-length key.

Jordan Montgomery (1):
      Expose PKCS7_get_octet_string and PKCS7_type_is_other

Jung-uk Kim (1):
      Ignore vendor name in Clang version number.

Kelvin Lee (1):
      Use .cnf for config files, not .conf

Kurt Roeckx (2):
      Support writing RSA keys using the traditional format again
      Use __BYTE_ORDER__ to test the endianness when available

Marc (2):
      apps: -msg flag enhancement 1/2
      apps: -msg flag enhancement 2/2

Matt Caswell (97):
      Prepare for 3.0 alpha 7
      Implement a EVP_PKEY KDF to KDF provider bridge
      Extend the EVP_PKEY KDF to KDF provider bridge to also support HKDF
      Extend the EVP_PKEY KDF to KDF provider bridge to also support Scrypt
      Delete old KDF bridge EVP_PKEY_METHODS
      Update KDF documentation
      Minimise the size of the macros in kdf_exch.c
      Extend the EVP_PKEY KDF to KDF provider bridge to the FIPS provider
      Remove a TODO from evp_test
      Load the default config file before working with default properties
      Test that EVP_default_properties_is_fips_enabled() works early
      Fix stitched ciphersuites in TLS1.0
      Test mte with stitched ciphersuites in TLSv1.0
      Implement key management for the EVP_PKEY MAC to EVP_MAC provider bridge
      Implement signature functions for EVP_PKEY MAC to EVP_MAC provider bridge
      Make the provider side EVP PKEY MAC bridge available in default and fips
      Fix evp_extra_test to not assume that HMAC is legacy
      Convert EVP_PKEY_CTX_set_mac_key() into a function
      Fix some EVP_MD_CTX_* functions
      Ensure libssl creates libctx aware MAC keys
      Extend the provider MAC bridge for SIPHASH
      Don't require a default digest from signature algorithms
      Extend the provider MAC bridge for Poly1305
      Extend the provider MAC bridge for CMAC
      Delete unused PKEY MAC files
      Extend test_CMAC_keygen in evp_extra_test
      Document the EVP_PKEY_new_CMAC_key_with_libctx() function
      Improve code reuse in the provider MAC bridge
      Add some documentation about the EVP_PKEY MAC interface
      Include "legacy" in the name of the various MAC bridge functions
      Improve some error messages if a digest is not available
      Check whether we have MD5-SHA1 and whether we need it
      Add an HMAC implementation that is TLS aware
      Start using the provider side TLS HMAC implementation
      Make ssl3_cbc_digest_record() use the real data_size
      Enable PKEY MAC bridge signature algs to take ctx params
      Update the EVP_PKEY MAC documentation
      Convert ssl3_cbc_digest_record() to use EVP_MD_is_a()
      Ensure EVP_MAC_update() passes the length even if it is 0
      Fix an EVP_MD_CTX leak
      Fix safestack issues in ssl.h
      Fix safestack issues in x509.h
      Fix safestack issues in x509v3.h
      Fix safestack issues in asn1.h
      Fix safestack issues in cmp.h
      Fix safestack issues in cms.h
      Fix safestack issues in ocsp.h
      Fix safestack issues in pkcs7.h
      Fix safestack issues in srp.h
      Fix safestack issues in x509_vfy.h
      Fix safestack issues in crmf.h
      Fix safestack issues in ct.h
      Fix safestack issues in asn1t.h
      Fix safestack issues in ess.h
      Fix safestack issues in bio.h
      Fix safestack issues in conf.h
      Fix safestack issues in crypto.h
      Fix safestack issues in pkcs12.h
      Fix safestack issues in ui.h
      Remove some safestack things that are no longer needed
      Add a CHANGES entry for the safestack updates
      Streamline the safestack generated code
      Don't complain about stack related macros
      Ignore unused return values from some sk_*() macros
      Don't send -1 as the length of the hmac key
      Redirect EVP_DigestInit to EVP_DigestSignInit_ex if appropriate
      Correctly display the signing/hmac algorithm in the dgst app
      Test HMAC output from the dgst CLI
      Document 2 newly added functions
      Provide basis for fixing lhash code
      Update conf.h.in to use the new lhash generation code
      Update err.h to use the new lhash generation code
      Remove some unneeded code from lhash.h
      Fix some doc-nits and make update errors
      Teach EdDSA signature algorithms about AlgorithmIdentifiers
      Make sure we properly test for EdDSA with alg ids
      Update the EdDSA docs with information about Algorithm Identifiers
      Move SM2 asymmetric encryption to be available in the default provider
      Clean up some SM2 related TODOs in the tests
      Remove some dead SM2 code
      Extend the SM2 asym cipher test
      Document the provider side SM2 Asymmetric Cipher support
      Perl util to do with_libctx renaming
      Run the withlibctx.pl script
      Fix some things the rename script didn't quite get right
      Fix encoding of DHX parameters files
      Add a test for encoding and decoding of parameters files
      Fix the decoder start type handling
      Remove a CMS key downgrade
      Move CMS enveloping code out of the algorithms and into CMS
      Move CMS signing code out of the algorithms and into CMS
      Remove CMS recipient info information out of the algorithm implementations
      Remove some more CMS key downgrades
      Make evp_pkey_ctx_get0_libctx/propq public API
      Update copyright year
      Prepare for release of 3.0 alpha 7

Maxim Masiutin (1):
      TLS AEAD ciphers: more bytes for key_block than needed

Nicola Tuveri (9):
      Add CLI tests in FIPS configuration
      Fix segfault on missing provider_query_operation()
      [test][tls-provider] Group xor_group properties in a struct
      [test][sslapitest] Add test for pluggable KEM group
      [test][tls-provider] Add 2nd pluggable tls group for KEM
      [ssl] Support ssl_decapsulate on client side
      [ssl] Support ssl_encapsulate on server side
      [test][tls-provider] Implement KEM algorithm

Norman Ashley (1):
      Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP sign

Patrick Steuer (1):
      Appease -Werror=stringop-overflow=

Paul Yang (6):
      Add SM2 key management
      Add SM2 signature algorithm to default provider
      Address review comments
      support PARAM_SECURITY_BITS for SM2
      refactor get params functions
      Add auto-gen SM2 der files into .gitignore

Pauli (68):
      gettables: core changes to pass the provider context.
      gettables: provider changes to pass the provider context.
      gettables: test changes to pass the provider context.
      gettables: documentation changes to pass the provider context.
      mac: add some consistency to setting the XXX_final output length.
      rand_drbg: remove RAND_DRBG.
      drbgtest: avoid a memory leak
      conf: add an error if the openssl_conf section isn't found.
      provider: add the unused parameter tag to the gettable and settable functions
      Move PKCS#12 KDF to provider.
      PKCS#12 KDF: don't run tests with the FIPS provider.
      provider: disable fall-backs if OSSL_PROVIDER_load() fails.
      Apps: change provider_path option to provider-path.
      OCSP: Add return value checks.
      pkeyutil: check return value reading password
      cmp: handle error return from OBJ_obj2txt()
      EVP: NULL pctx pointer after free.
      rand: add a note about a potentially misleading code analyzer warning.
      rand: instantiate the DRBGs upon first use.
      provider_conf: report missing section on error
      conf: add diagnostic option
      Deprecate SHA and MD5 again.
      legacy: include MD5 code in legacy provider
      TLS: remove legacy code path supporting special CBC mode
      TLS fixes for CBC mode and no-deprecated
      In a non-shared build, don't include the md5 object files in legacy provider
      s_time: check return values better
      provider: add an 'is_running' call to all providers.
      FIPS: rename the status call to is_running.
      digests: add FIPS error state handling
      asymciphers: add FIPS error state handling
      rand: add FIPS error state handling
      mac: add FIPS error state handling
      kdf: add FIPS error state handling
      exchange: add FIPS error state handling
      signature: add FIPS error state handling
      keymgmt: add FIPS error state handling
      ciphers: add FIPS error state handling
      FIPS: error mode is set from failed self tests and produced a limited number of errors when algorithm accesses are attempted
      CRNGT: enter FIPS error state if the test fails
      DTLS: free allocated memory on error paths
      PKCS#8: free data on error path in newpass_bag
      PKCS5 PBE: free allocations on unlikely / impossible failure path
      generate_cookie_callback: free temporary memory on an error path
      free memory use on error in cert verify
      rand: reference count the EVP_RAND contexts.
      Add a "random" configuration section.
      evp_rand: fix bug in gettable_ctx/settable_ctx calls
      kdf/mac: add name query calls for KDFs and MACs
      drbg: gettable parameters for cipher/digest/mac type.
      list: add capability to print details about the current DRBGs
      rand: add a test case for configuration based random
      ACVP: add test case for DRBG
      todo: remove fork protection todo comment, it isn't relevant to the FIPS provider
      rand: declare get_hardware_random_value() before use.
      prov: prefix all OSSL_DISPATCH tables names with ossl_
      prov: prefix provider internal functions with ossl_
      prov: prefix aes-cbc-cts functions with ossl_
      prov: prefix all exposed 'cipher' symbols with ossl_
      der: _ossl prefix DER functions
      der: _ossl prefix der_oid_ and der_aid_ functions
      doc: remove duplicated code in example
      ffc: add _ossl to exported but internal functions
      rsa: add ossl_ prefix to internal rsa_ calls.
      apps: remove internal/cryptlib.h include that isn't used
      vms: move otherwise dead code into the VMS relevant path.
      coverity 1414446 out-of-bounds access: allocate \0 terminator byte to be safe
      coverity 1403324 negative array index: check for finding an unknown value and error if so (since it shouldn't happen).

Rainer Jung (1):
      Make TAP::Harness and TAP::Parser optional.

Randall S. Becker (5):
      NonStop port updates for 3.0.0.
      Added FIPS DEP initialization for the NonStop platform in fips/self_test.c.
      Modified rand_cpu_x86.c to support builtin hardware randomizer on HPE NonStop.
      Disabled symbol_presence test on NonStop due to different nm format.
      Reconciled c99 and loader arguments for float on NonStop TNS/E and TNS/X.

Rich Salz (2):
      Add OCSP_PARTIAL_CHAIN to OCSP_basic_verify()
      Fix markdown nits in NOTES-Windows.txt

Richard Levitte (124):
      RSA: Be less strict on PSS parameters when exporting to provider
      PEM: Make general MSBLOB reader functions exposed internally
      DESERIALIZER: Adjust to allow the use of several deserializers with same name
      PROV: Add MSBLOB and PVK to DSA and RSA deserializers
      PEM: Fix i2b_PvK to use EVP_Encrypt calls consistently
      TEST: Adjust the serdes test to include MSBLOB and PVK
      EVP: Fix the returned value for ASN1_PKEY_CTRL_DEFAULT_MD_NID
      PROV: Fix MSBLOB / PVK deserializer
      EVP: Have evp_pkey_cmp_any() detect if export wasn't possible
      TEST: separate out NIST ECC tests from non-NIST
      RSA: Fix rsa_todata() to only add params for existing data
      PROV: Fix EC OSSL_FUNC_keymgmt_match() to work in the FIPS provider
      X509: Add d2i_PUBKEY_ex(), which takes a libctx and propq
      PROV: Fix DSA and DH private key serializers
      STORE: Distinguish public keys from private keys
      PEM: Add more library context aware PEM readers
      TEST: Use PEM_read_bio_PUBKEY_ex() and PEM_read_bio_PrivateKey_ex()
      Remove the OSSL_SERIALIZER / OSSL_DESERIALIZER renaming scripts
      Clean away some declarations
      CORE: Define provider-native abstract objects
      CORE: Generalise internal pass phrase prompter
      STORE: Add missing function OSSL_STORE_LOADER_set_open_with_libctx()
      STORE for providers: define libcrypto <-> provider interface
      STORE: Add the base functions to support provider based loaders
      OSSL_PARAM: Add string pointer getters
      DECODER: Add function to set an OSSL_PASSPHRASE_CALLBACK type callback
      STORE: Modify to support loading with provider based loaders
      STORE: Change all error recording to use ERR_raise() / ERR_raise_data()
      TEST: Fix CMP tests so they load keys in the current library context
      crypto/x509/v3_utl.c: Fix IPv6 output in ipaddr_to_asc()
      Fix PEM_write_bio_PrivateKey_traditional() to not output PKCS#8
      TEST: Adapt some tests for a stricter PEM_write_bio_PrivateKey_traditional()
      ASN1: Fix d2i_KeyParams() to advance |pp| like all other d2i functions do
      OSSL_ENCODER / OSSL_DECODER post-rename cleanup
      STORE: Move the built-in 'file:' loader to become an engine module
      STORE: Add a built-in 'file:' storemgmt implementation (loader)
      STORE: Deprecate legacy / ENGINE functions
      TEST: Modify test/recipes/90-test_store.t for use with different 'file:' loaders
      EVP: Downgrade EVP_PKEYs in EVP_PKEY2PKCS8()
      "Downgrade" provider-native keys to legacy where needed
      STORE: Fix potential memory leak
      CORE: Fix small bug in passphrase caching
      STORE: Stop the flood of errors
      TEST: have key_unsupported() in evp_test.c look at the last error
      EVP: Don't report malloc failure in new_raw_key_int()
      Revert "TEST: separate out NIST ECC tests from non-NIST"
      TEST: Ensure that the base provider is activated when needed
      EC: Remove one error record that shadows another
      ASN1: Make ASN1_item_verify_ctx() work with provider-native keys
      DOC: Modify one example in EVP_PKEY_fromdata(3)
      DOC: Fix check of EVP_PKEY_fromdata{,_init} in examples
      Building: Build Unix static libraries one object file at a time
      EVP: Preserve the EVP_PKEY id in a few more spots
      EVP: Don't shadow EVP_PKEY_CTX_new* error records
      Fix test/evp_extra_test.c
      EVP: Add support for delayed EVP_PKEY operation parameters
      EVP: Expand the use of EVP_PKEY_CTX_md()
      EVP: Move the functions and controls for setting and getting distid
      PEM: Make PEM_write_bio_PrivateKey_traditional() handle provider-native keys
      TEST: modify test/endecode_test.c to not use legacy keys
      ENCODER: Refactor provider implementations, and some cleanup
      Diverse build.info: Adjust paths
      STORE: Fix OSSL_STORE_attach() to check |ui_method| before use
      TEST: skip POSIX errcode zero in tesst/recipes/02-test_errstr.t
      OSSL_DECODER 'decode' function must never be NULL.
      dev/release.sh: Rework to be smoother
      EC: Reimplement EVP_PKEY_CTX_set_ec_param_enc() to support providers
      EVP: Add the internal convenience function evp_keymgmt_util_export()
      TEST: Add a test of EC key generation with encoding spec
      util/mknum.pl: Fix file opening
      Make 'make ordinals' work again
      Make 'make errors' work again
      EVP: Centralise fetching error reporting
      OpenSSL::ParseC: recognise inline function bodies
      Configurations/unix-Makefile.tmpl: Don't specify headers twice
      util/mkerr.h: Restore header file rename
      ENCODER: Redefine the libcrypto <-> provider interface
      ENCODER: Refactor the OSSL_ENCODER API to be more like OSSL_DECODER
      ENCODER: Refactor our provider encoder implementations
      ENCODER: Adapt calls to the changed OSSL_ENCODER_CTX_new_by_EVP_PKEY()
      TEST: Adapt applicable tests to the changed OSSL_ENCODER_CTX_new_by_EVP_PKEY()
      DECODER: Some cleanups, and aligning with OSSL_ENCODER
      util/find-doc-nits: Add a regexp for C symbols and use it
      DOC: POD syntax fixes in doc/man1/openssl-cmp.pod.in
      Configurations/unix-Makefile.tmpl: make cleanup kinder
      Configuration: Streamline NonStop entries
      Configure: Show 'enable' and 'disable' config attributes
      Hide ECX_KEY again
      Configuration: Make it possible to have an argument file
      Configuration: Don't have shared libraries depend on themselves
      EVP: Enforce that EVP_PKEY_set_alias_type() only works with legacy keys
      TEST: Remove use of EVP_PKEY_set_alias_type() in test/evp_extra_test.c
      Build: Make NonStop shared libraries only export selected symbols
      STORE: Clear a couple of TODOs that were there for the sake of SM2
      Configure: handle undefined shared_target.
      EVP: use evp_pkey_ctx_is_legacy() to find what implementation to use
      Configuration: add initial NonStop values in OpenSSL::config
      DECODER: Handle abstract object data type
      DECODER: Allow precise result type for OSSL_DECODER_CTX_new_by_EVP_PKEY()
      APPS: Reduce deprecation warning suppression - ENGINE
      unix-Makefile.tmpl: Add a target to install the FIPS module config
      windows-makefile.tmpl: Add a target to install the FIPS module config
      descrip.mms.tmpl: Add a target to install the FIPS module config
      providers/build.info: Tag the FIPS module, for the build file
      Document install_fips in INSTALL.md
      OpenSSL::Ordinals: Add options for the writing functions
      Modify util/mknum.pl to drop new symbols that don't exist any more
      make ordinals
      Fix diverse ERR code conflicts
      ENCODER / DECODER: Add functions to encode/decode to/from a buffer
      Adapt some code to OSSL_ENCODER_to_data() / OSSL_DECODER_from_data()
      Add a macro OSSL_DEPRECATED for compiler dependent deprecation attributes
      Change OSSL_DEPRECATED to take a version argument
      Add definitions of OSSL_DEPRECATED[_FOR] for Microsoft VC
      Add convenience macros OSSL_DEPRECATEDIN_{major}_{minor}
      Make OpenSSL::ParseC and OpenSSL::Ordinals treat deprecation consistently
      Add ASN1 declaration macros that take attributes
      Add PEM declaration macros that take attributes
      OpenSSL::ParseC: handle OSSL_CORE_MAKE_FUNC
      Document how deprecation should be done
      EVP: Take care of locks when downgrading an EVP_PKEY

Robert Jędrzejczyk (1):
      Windows get ENV value as UTF-8 encoded string instead of a raw string

Rutger Hendriks (1):
      Increase PSK_MAX_PSK_LEN to 512

Sahana Prasad (1):
      apps/pkcs12: Change defaults from RC2 to PBES2 with PBKDF2

Shane Lontis (108):
      Add evp_test fixes.
      Add libctx support to CMS.
      Add internal method x509_set0_libctx().
      Add libctx to SMIME ASN1
      Add libctx support to PKCS7.
      Fix EVP_PKEY_CTX_get_rsa_oaep_md() & EVP_PKEY_CTX_get_rsa_mgf1_md() so they use a libctx to retrieve the digest
      Add libctx to ecdh_KDF_X9_63.
      Use libctx for EVP_CIPHER_CTX_rand_key() method.
      Add EVP signature with libctx methods.
      Change CMS tests to use a library context.
      Add some of the missing CMS API documentation
      Add 'on demand self test' and status test to providers
      Fix memory leak in drbgtest
      Add DHX support to keymanager
      Add dh_kdf support to provider
      Add DHX serialization
      Add fix for RSA keygen in FIPS using keysizes 2048 < bits < 3072
      Fix serializer_EVP_PKEY_to_bio so that the key is exported if the serializer provider does not match the key provider.
      Add public API for gettables and settables for keymanagement, signatures and key exchange.
      Fix broken windows builds.
      Fix DSA/DH so that legacy keys can still be generated by the default provider
      Fix no-cms build errors.
      Fix incorrect selection flags for ec serializer.
      Add libctx/provider support to cmp_server_test
      Add Explicit EC parameter support to providers.
      Fix CMS so that it still works with non fetchable algorithms.
      Fix coverity CID #1465594 - Null dereference in EVP_PKEY_get0()
      Fix coverity CID #1465797 - Negative loop bound in collect_deserializer
      Fix coverity CID #1465795 - Incorrect free deallocator used in SSL_add1_host()
      Fix coverity CID #1465794 - Uninitialized pointer read in x942_encode_otherinfo()
      Fix coverity CID #1465790 - Dereference after NULL check in evp_test.c
      Fix coverity CID #1465531 - Negative return passed to a function param using size_t in asn1_item_digest_with_libctx()
      Fix coverity CID #1465525 - NULL pointer dereference in OSSL_DECODER_CTX_new_by_EVP_PKEY()
      Fix coverity CID #1458648 - Wrong sizeof() arg in rsa_freectx()
      Fix coverity CID #1458647 - Use after free in clean_tbuf() which uses ctx->rsa
      Fix coverity CID #1458645 - Dereference before NULL check in rsa_digest_verify_final()
      Fix coverity CID #1458644 - Negative return passed to function taking size_t in ecdh_cms_set_shared_info()
      Fix coverity CID #1458641 - Dereference before NULL check when setting ctx->flag_allow_md in rsa.c
      Fix coverity CID #1455335 - Dereference after NULL check in fromdata_init()
      Fix coverity CID #1454638 - Dereference after NULL check in EVP_MD_CTX_gettable_params()
      Fix coverity CID #1452775 & #1452772 - Dereference before NULL check in evp_lib.c
      Fix coverity CID #1452773 - Dereference before NULL check in EVP_DigestFinal_ex()
      Fix coverity CID #1452770 - Dereference before NULL check in CRYPTO_siv128_init()
      Fix DH serializer import calls to use correct selection flags.
      Fix DSA serializer import calls to use correct selection flags.
      Fix RSA serializer import calls to use correct selection flags.
      Fix ECX serializer import calls to use correct selection flags.
      Fix coverity CID #1466378 - Incorrect expression in ec_backend.c
      Fix coverity CID #1466377 - resource leak due to early return in ec_get_params().
      Fix coverity CID #1466375 - Remove dead code.
      Fix coverity CID #1466371 - fix dereference before NULL check.
      Fix coverity CID #1465967 & #1465968 - fix NULL dereference in dh_ameth.c
      Fix coverity CID #1457935 - Check return value in ffc_params.c for BIO_indent/BIO_puts calls.
      Fix coverity CID #1452769 & #1452771 - Arg passed to function that cannot be negative in cms_ess.c
      Fix coverity CID #1454815 - NULL ptr dereference in initthread.c
      Fix fipsinstall module path
      Fix coverity issue: CID 1466486 - Resource leak in OSSL_STORE
      Fix coverity issue: CID 1466485 - Explicit NULL dereference in OSSL_STORE_find()
      Fix coverity issue: CID 1466484 - Remove dead code in PKCS7_dataInit()
      Fix coverity issue: CID 1466483 - Improper use of Negative value in dh_ctrl.c
      Fix coverity issue: CID 1466482 - Resource leak in OSSL_STORE_SEARCH_by_key_fingerprint()
      Fix coverity issue: CID 1466479 - Resource leak in apps/pkcs12.c
      keygen: add FIPS error state management to conditional self tests
      Update doc for EVP_PKEY_CTX_set_ec_param_enc()
      Fix EVP_PKEY_CTX_ctrl() documentation
      Add self tests for rsa encryption
      Update AES GCM IV max length to be 1024 bits (was 512)
      Fix AES_XTS on x86-64 platforms with BSAES and VPAES support.
      Add selftest callback to CRNG output test
      Add fips checks for rsa signatures.
      Add fips checks for dsa signatures
      Add fips checks for ecdsa signatures
      Add fips checks for dh key agreement
      Add fips checks for rsa encryption
      Add fips checks for ecdh key agreement
      Add error message to genpkey app for the '-genparam' option
      Add missing 'ossl_unused' tags to some gettable and settable methods.
      Separate fips and non fips code for key operations
      fix provider signatures
      fix provider exchange operations
      Add 'fips-securitychecks' option and plumb this into the actual fips checks
      Add option to fipsinstall to disable fips security checks at run time.
      Add KEM (Key encapsulation mechanism) support to providers
      Add a copy of OSSL_SELF_TEST_get_callback() to the fips module.
      Fix ec keygen so that it passes the library context to SSL_SELF_TEST_get_callback().
      Fix merge error with libcrypto.num
      Fix CID 1467068 : Null pointer dereference in self_test.c
      Fix CID 1466714 : Null pointer dereference in EVP_PKEY_CTX_ctrl() due to new call to evp_pkey_ctx_store_cached_data()
      Fix CID 1466713 : Dead code in encode_key2text.c
      Fix CID 1466712 : Resource leak in ec_kmgmt due to new call to ossl_prov_is_running()
      Fix CID 1466710 : Resource leak in ec_kmgmt due to new call to ossl_prov_is_running()
      Fix CID 1466709 : Negative value passed to a function that can't be negative in cms_sd.c
      Change rsa gen so it can use the propq from OSSL_PKEY_PARAM_RSA_DIGEST
      Fix EVP_KDF_scrypt so that it uses a propq for its fetch.
      Fix ssl_hmac_new() so that it uses the propq
      Fix ecx so that it uses a settable propertyquery
      Fix missing propq in ecdh_cms_set_shared_info()
      Fix missing propq in ffc_params_generate
      Fix missing propq in sm2
      Fix propq in x942kdf
      Add key length check to rsa_kem operation.
      Add EVP_KEM_gettable_ctx_params() and EVP_KEM_settable_ctx_params()
      Add EVP_ASYM_CIPHER_gettable_ctx_params() and EVP_ASYM_CIPHER_settable_ctx_params()
      Update openssl list to support new provider objects.
      Remove openssl provider app
      Fix bug in EDDSA speed test
      Remove TODO comment from sskdf.c
      rsa_mp_coeff_names should only have one entry in it for fips mode.

T.Yanagisawa (1):
      Correct description of BN_mask_bits

Tim Hudson (1):
      undeprecate EVP_PKEY_cmp and EVP_PKEY_cmp_parameters

Todd Short (2):
      Fix use of OPENSSL_realloc in provider
      Fix post-condition in algorithm_do_this

Tomas Mraz (9):
      Avoid segfault in SSL_export_keying_material if there is no session
      sslapitest: Add test for premature call of SSL_export_keying_material
      EC_KEY: add EC_KEY_decoded_from_explicit_params()
      Disallow certs with explicit curve in verification chain
      Rename check_chain_extensions to check_chain
      Correct certificate and key names for explicit ec param test
      apps/ocsp: Return non zero exit code with invalid certID
      Generate a certificate with critical id-pkix-ocsp-nocheck extension
      INSTALL.md: Drop trailing spaces on a line

Vadim Fedorenko (1):
      Fix two issues with AES-CCM KTLS tests.

Xiaofei Bai (1):
      FIX strncpy warning in apps/cmp.c.

Yury Is (1):
      syscall_random(): don't fail if the getentropy() function is a dummy

drgler (1):
      Ensure that _GNU_SOURCE is defined for NI_MAXHOST and NI_MAXSERV

hklaas (1):
      optimise ssl3_get_cipher_by_std_name()

jwalch (4):
      Cleanup deprecation of ENGINE_setup_bsd_cryptodev
      Add a NULL check to EVP_PKEY_assign
      Annotate potential -Wunused-function violations in err.h
      en EVP_PKEY_CTX_set_rsa_keygen_pubexp() BIGNUM management

luxinyou (1):
      Fix memory leaks in conf_def.c

olszomal (1):
      Add const to 'ppin' function parameter

ozppupbg (1):
      Fixed EVP_MAC_final argument count in example

