[openssl] openssl-3.0.0-alpha14 create

Matt Caswell matt at openssl.org
Thu Apr 8 12:25:45 UTC 2021

The annotated tag openssl-3.0.0-alpha14 has been created
        at  448d9b589ad9a6dba838844dfcbd33efb7db2ac0 (tag)
   tagging  f510d614a7e981cbf69f11ae186c97d3fa00dda9 (commit)
  replaces  openssl-3.0.0-alpha13
 tagged by  Matt Caswell
        on  Thu Apr 8 13:15:49 2021 +0100

- Log -----------------------------------------------------------------
OpenSSL 3.0.0-alpha14 release tag


Alex Yursha (1):
      Print correct error message in utils/mkdir-p.pl

Alexander Traud (1):
      ssl/ssl_ciph.c: update format string, again

Amitay Isaacs (12):
      numbers: Define 128-bit integers if compiler supports
      Use numbers definition of int128_t and uint128_t
      curve448: Use relative includes to avoid explicit dependencies
      Partially Revert "Remove curve448 architecture specific files"
      curve448: Rename arch_ref64 to arch_64
      curve448: Modernise reference 64-bit code
      curve448: Use NLIMBS where appropriate to simplify the code
      curve448: Remove the unrolled loop version
      Add a constant time zero check function for 64-bit integers
      curve448: Use constant time zero check function
      Configure: Check if 128-bit integers are supported by compiler
      curve448: Integrate 64-bit reference implementation

Andrey Matyukov (4):
      Dual 1024-bit exponentiation optimization for Intel IceLake CPU with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key operations. It uses 256-bit registers to avoid CPU frequency scaling issues. The performance speedup for RSA2k signature on ICL is ~2x.
      Rearranged .pdata entries in rsaz-avx512.pl to make them properly ordered.
      Moved build instructions from the man page
      Increase minimum clang version requirement for rsaz-avx512.pl

Anthony Hu (1):
      Increase the upper limit on group name length

Arthur Gautier (1):
      EVP_KDF-KB man page: fixup ABI/API change

Beat Bolli (4):
      ASN1: add an internal header to validate Unicode ranges
      ASN1: limit the Unicode code point range in UTF8_getc() and UTF8_putc()
      ASN1: check the Unicode code point range in ASN1_mbstring_copy()
      Add tests for the limited Unicode code point range

Benjamin Kaduk (1):
      Increase HKDF_MAXBUF from 1024 to 2048

David Benjamin (1):
      Merge OFB encrypt and decrypt test vectors.

Dr. David von Oheimb (16):
      openssl-cmp.pod.in and apps/cmp.c: Various minor do improvements
      TS ESS: Let TS_RESP_verify_signature() make use of untrusted certs also from token response
      apps/ts.c: Allow -untrusted arg to refer to multiple sources
      apps.c: Fix missing newline in warn_cert_msg() output
      TS ESS: Invert the search logic of ts_check_signing_certs() to correctly cover cert ID list
      ts_check_signing_certs(): Make sure both ESSCertID and ESSCertIDv2 are checked
      TS and CMS CAdES-BES: Refactor check_signing_certs() funcs into common ESS func
      APPS: fix load_certs_multifile() interpreting backslashes
      HTTP: Rename OSSL_HTTP_REQ_CTX_i2d() to OSSL_HTTP_REQ_CTX_set1_req()
      HTTP: Fix mem leak of OSSL_HTTP_REQ_CTX_transfer(), rename to ossl_http_req_ctx_transfer()
      HTTP: Fix method_POST param by moving it to OSSL_HTTP_REQ_CTX_set_request_line()
      http_client.c: Prevent spurious error queue entry on NULL mem argument
      80-test_cmp_http.t: Add diagnostic info on starting/stopping mock server
      OSSL_parse_url(): Improve handling of IPv6 addresses
      OSSL_HTTP_REQ_CTX_transfer(): improve distinction of send error vs. receive error
      CHANGES.md: reflect OSSL_HTTP_REQ_CTX_i2d renamed to OSSL_HTTP_REQ_CTX_set1_req

Fangming.Fang (1):
      Fix AES-CBC perf test failure issue

FdaSilvaYY (1):
      Fix a windows build break

Jakub Zelenka (1):
      Update CHANGES with info about AuthEnvelopedData addition

Jon Spillett (4):
      Add testing for non-default library context into evp_extra_test
      Fix up issues found when running evp_extra_test with a non-default library context
      Remove TODO comment. Resolves #14396
      endecode_test: Add file and line arguments to test callbacks

Juergen Christ (1):
      Fix compilation under -Werror

Kevin Cadieux (1):
      Fixing stack buffer overflow error caused by incorrectly sized array.

Matt Caswell (25):
      Prepare for 3.0 alpha 14
      Don't crash if the pkeyopt doesn't have a value
      Remove a TODO from async_delete_thread_state()
      Convert a TODO(3.0) in OPENSSL_thread_stop_ex to a comment
      Add a CHANGES entry for the cosmetic differences in textual output
      Ensure that ECX keys pass EVP_PKEY_param_check()
      Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check()
      Fix a TODO(3.0) in the siphash code
      Remove a TODO(3.0) from EVP_PKEY_derive_set_peer()
      Convert some TODO(3.0) comments in init.c to normal comments
      Ensure we deregister thread handlers even after a failed init
      Update README-FIPS.md
      Be more selective about copying libcrypto symbols into legacy.so
      Teach TLSProxy how to encrypt <= TLSv1.2 ETM records
      Add a test for CVE-2021-3449
      Ensure buffer/length pairs are always in sync
      Update CHANGES.md and NEWS.md for new release
      Fix change in behaviour of EVP_PKEY_CTRL_RSA_KEYGEN_BITS
      Expand the libcrypto documentation
      Add additional glossary entries
      Update provider.pod
      Update the algorithm fetching documentation links
      Remove a TODO in EVP_set_default_properties
      Update copyright year
      Prepare for release of 3.0 alpha 14

Mohamed Akram (1):
      doc: fix enc -z option documentation

Nan Xiao (9):
      Fix typo in bio.h.in
      Fix BIO_new_ssl_connect() to not leak memory
      Fix typo in BIO_push.pod
      Fix typos in bio.pod
      Remove unnecessary BIO_do_handshake()s
      Fix typos in ssl_lib.c
      Fix potential double free in sslapitest.c
      Remove unnecessary setting SSL_MODE_AUTO_RETRY
      Fix typo in store_meth.c

Pauli (140):
      test: add params argument to key manager's gen_init call
      evp: add params argument to key manager's gen_init call
      provider: add params argument to key manager's gen_init call
      core: add params argument to key manager's gen_init call
      doc: add params argument to key manager's gen_init call
      prov: asym ciphers take an extra init() params argument
      core: add params arguments to init calls
      evp: add params arguments to init functions
      doc: update PKEY documentation to include the new init functions with params
      misc: other init function param additions
      prov: update exchange algorithms to support params on the init call
      prov: update KEM to support params on init()
      apps: support param argument to init functions
      ssl: support params arguments to init functions
      test: support params arguments to init functions
      doc: document param argument to cipher init calls
      doc: document param argument to RSA calls
      prov: support param argument to digest init calls
      doc: update digest documentation to include the new init functions with params
      prov: update digests to support modified ctx params
      prov: support params arguments to signature init calls
      prov: support params argument to RCx ciphers
      prov: support params argument to CHACHA20 ciphers
      prov: support param argument to null cipher init calls
      prov: support param argument to DES cipher init calls
      prov: support params argument to common cipher init calls
      doc: update cipher documentation to include the new init functions with params
      support params argument to AES cipher init calls
      doc: document the additional params argument to the various init() calls
      doc: note that get_params and set_params calls should return true if the param array is null
      prov: add extra params argument to KDF implementations
      update set_ctx_param MAC calls to return 1 for a NULL params
      update set_ctx_param DRBG calls to return 1 for a NULL params
      update set_ctx_param store management calls to return 1 for a NULL params
      core: modify ossl_provider_forall_loaded() to avoid locking for the callbacks
      doc: describe the return from ossl_provider_forall_loaded()
      rename ossl_provider_forall_loaded to ossl_provider_doall_activated
      ssl: fix format specifier for size_t argument to BIO_printf
      property: default queries create the property values.
      prov: remove TODO in der_rsa_key.c
      prov: remove todos in rsa_keymgmt.c
      doc: remove TODOs about redesigning the AEAD API
      params: clean up TODO
      Remove TODOs from digest.c
      ci: add a no-legacy build
      modes: fix coverity 1449851: overlapping memory copy
      modes: fix coverity 1449860: overlapping memory copy
      ssl: fix coverity 1451515: out of bounds memory access
      apps: fix coverity 966560: division by zero
      test: fix Coverity 1454818: use after free
      test: fix coverity 1451553: resource leak
      test: fix coverity 1451562: resource leak
      test: fix coverity 1454040: resource leak
      test: fix coverity 1414445: resource leak
      test: fix coverity 1414449 & 1414471: resource leak
      ssl: fix coverity 1451495: resource leak
      test: fix coverity 1455330, 1455332, 1455334, 1455342, 1455344 : resource leak
      test: fix coverity 1470559: resource leak
      evp: fix coverity 1470561: resource leak
      rsa: fix coverity 1472658: resource leak
      apps: fix Coverity 1472670 & 1472685: resource leaks
      decoder: fix Coverity 1473236 & 1473386: resource leaks
      evp: fix coverity 1445872 - dereference after null check
      async: coverity 1446224 - dereference after null check
      test: coverity 1455747 - dereference after null check
      test: coverity 1455749 - dereference after null check
      ssl: coverity 1465527 - dereference after null check
      test: coverity 1469426 - dereference after null check
      x509: coverity 1472673 & 1472693 - dereference after null checks
      evp: fix coverity 1473381 - dereference after null check
      sslapitest: fix problem in cleanup on failure path
      evp: fix coverity 1473380: copy into fixed size buffer
      pem: fix coverity 1474426: uninitialised scalar variable.
      err: fix coverity 1452768: dereference after null check
      apps: fix coverity 271258: improper use of negative value
      test: fix coverity 1371689 & 1371690: improper use of negative values
      enc: fix coverity 1451499, 1451501, 1451506, 1451507, 1351511, 1451514, 1451517, 1451523, 1451526, 1451528, 1451539, 1451441, 1451549, 1451568 & 1451572: improper use of negative value
      test: fix coverity 1451574: improper use of negative value
      test: fix coverity 1454812: improper use of negative value
      test: fix coverity 1469427: improper use of negative value
      test: fix coverity 1451534: improper use of negative value
      apps: fix coverity 1451544: improper use of negative value
      dh: fix coverity 1474423: resource leak
      ec_keymgmt: fix coverity 1474427: resource leak
      x509: fix coverity 1461225: data race condition
      x509: fix coverity 1474424: data race condition
      rand: fix coverity 1473636: data race condition
      rsa: fix coverity 1463571: explicit null dereference
      sm2: fix coverity 1467503: explicit null dereference
      apps: fix coverity 1470781: explicit null dereference
      encoder: fix coverity 1473235: null dereference
      test: fix coverity 1338157: unchecked return value
      apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values
      test: fix coverity 1414451: unchecked return value
      test: fix coverity 1416888: unchecked return value
      test: fix coverity 1429210: unchecked return value
      test: fix coverity 1451550: unchecked return value
      apps: fix coverity 1455340: unchecked return value
      evp: fix coverity 1467500 & 1467502: unchecked return values
      params: fix coverity 1473069: unchecked return values
      evp: fix coverity 1473378: unchecked return value
      test: fix coverity 1473609 & 1473610: unchecked return values
      doc: add life-cycle source files
      doc: note that KDF/PRF transitions will be enforced at some future point
      doc: life-cycle description for KDFs/PRFs
      doc: note that RAND lifecycle transitions will be enforced at some point
      doc: life-cycle description for RANDs
      doc: note that MAC lifecycle transitions will be enforced at some point
      doc: life-cycle description for MACs
      doc: add documentation for the X509_PUBKEY_dup() function
      test: add test case for X509_PUBKEY_dup() function
      Fix X509_PUBKEY_dup() to not leak memory
      doc: fix style problems with this man page
      x509: fix coverity 1474471: NULL pointer dereference
      x509: fix coverity 1474470: NULL pointer dereference
      evp: fix coverity 1474469: negative return
      test: fix coverity 1474468: resource leak
      apps: fix coverity 1474463, 1474465 & 1474467: resource leaks
      ssl: fix problem where MAC IDs were globally cached.
      Check for integer overflow in i2a_ASN1_OBJECT and error out if found.
      Ensure that the negative flag is correctly set for ASN1 integer types.
      Make the lock in CRYPTO_secure_allocated() a read lock
      Remove locking in CRYPTO_secure_allocated()
      Disallow ASN.1 enumerated types to be treated as strings.
      test: fix coverity 1475941: resource leak
      test: fix coverity 1475940: negative return
      test: fix coverity 1473234 & 1473239: argument cannot be negative
      evp: fix coverity 1472682: argument cannot be negative
      evp: fix coverity 1451510: argument cannot be negative
      evp: fix coverity 1451509: argument cannot be negative
      evp: fix coverity 1473631: argument cannot be negative
      dh: fix coverity 1473238: argument cannot be negative
      fix coverity 1466710: resource leak
      apps: fix AES CBC performance loop
      property: check return values from the property locking calls.
      test: fix problem with threads test using default library context.
      property: lock the lib ctx when updating the property definition cache
      Revert "Fix AES-CBC perf test failure issue"
      param_build: check for the usage of secure memory better.
      test: add extra secure memory test case.

Peter Kaestle (1):
      ssl sigalg extension: fix NULL pointer dereference

Randall S. Becker (6):
      Disable fips-securitychecks if no-fips is configured.
      Add $(PERL) to util/wrap.pl execution to avoid env incompatibilities
      Add explicit support in util/shlib_wrap.sh.in for NonStop DLL loading.
      Added guarding #ifndef/#define to avoid duplicate include of crypto/types.h
      Split Makefile clean recipe for document sets into individual lines.
      Corrected missing definitions from NonStop SPT build.

Rich Salz (4):
      Fix error-checking compiles for mutex
      Always check CRYPTO_LOCK_{read,write}_lock
      Make fipsinstall -out flag optional
      Add a local perl module to get year last changed

Richard Levitte (29):
      PROV: use EVP_CIPHER_CTX_set_params() rather than EVP_CIPHER_CTX_ctrl()
      TEST: Stop the cleanup in test/recipes/20-test_mac.t
      Fix a missing rand -> ossl_rand rename
      Configure: check all DEPEND values against GENERATE, not just .h files
      PROV: Refactor DER->key decoder
      PROV: Add type specific SubjectPublicKeyInfo decoding to the DER->key decoders
      PROV: Add RSA-PSS specific OSSL_FUNC_KEYMGMT_LOAD function
      PROV: Add type specific PKCS#8 decoding to the DER->key decoders
      PROV: Add type specific MSBLOB and PVK decoding for the MS->key decoders
      TEST: Modify test/endecode_test.c to give the decoder callback the structure
      STORE: Use the same error avoidance criteria as for the DER->key decoder
      TEST: Clarify and adjust test/recipes/30-test_evp.t
      Make evp_privatekey_from_binary() completely libcrypto internal
      Make ossl_d2i_PUBKEY_legacy() completely libcrypto internal
      ASN1: Reset the content dump flag after dumping
      RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value
      TEST: Cleanup test recipes
      Unix build file template: symlink "simple" to "full" shlib selectively
      Android config targets: don't include the SO version in the shlib file name
      Re-implement ANSI C building with a Github workflow
      EVP: One stray comma removed in crypto/evp/ctrl_params_translate.c
      CORE: Add an algorithm_description field to OSSL_ALGORITHM
      Add OSSL_DECODER_description() and OSSL_ENCODER_description()
      Add OSSL_STORE_LOADER_description()
      EVP: Add EVP_<TYPE>_description()
      APPS: Replace the use of OBJ_nid2ln() with name or description calls
      Refactor CPUID code
      Include BN assembler alongside CPUID code
      test/recipes/02-test_errstr.t: Do not test negative system error codes

Sahana Prasad (2):
      Allocates and initializes pubkey in X509_PUBKEY_dup()
      Adds a new lock to read default_path and uses a strdup() on default_path before using it
      Fixes #14483
      Signed-off-by: Sahana Prasad <sahana at redhat.com>

Shane Lontis (39):
      Remove TODO in test/acvp_test.c related to setting AES-GCM iv.
      Remove TODO in rsa_ameth.c
      Fix DSA EVP_PKEY_param_check() when defaults are used for param generation.
      Fix external symbols for crypto_*
      Fix misc external ossl_ symbols.
      Add ossl_rand symbols
      Add ossl_asn1 symbols
      Add ossl_encode symbols
      Add ossl_rsa symbols
      Add ossl_v3 symbols
      Add ossl_ ecx symbols
      Add ossl_ conf symbols
      Add ossl_aria symbols
      Add ossl_siv symbols
      Add ossl_ symbols for sm3 and sm4
      Add ossl_sa symbols
      Add ossl_bn_group symbols
      Add ossl_ symbol to x509 policy
      Add ossl_lhash symbols
      Add ossl_gost symbols
      Add ossl_ x509 symbols
      Add ossl_pem_check_suffix symbol
      Add ossl_pkcs5_pbkdf2_hmac_ex symbol
      Add ossl_is_partially_overlapping symbol
      rename err_get_state_int() to ossl_err_get_state_int()
      Rename CMS_si_check_attributes to ossl_cms_si_check_attributes
      Add ossl_provider symbols
      Fix windows build compiler issue.
      Fix DER reading from stdin for BIO_f_readbuffer
      Fix usages of const EVP_MD.
      Add coveralls to CI
      Disable cmp_http test on AIX
      Fix Build issue on Oracle Linux x64
      Update deprecated API's in the documentation.
      Fix DH gettable OSSL_PKEY_PARAM_DH_PRIV_LEN so that it has the correct type.
      Add a range check (from SP800-56Ar3) to DH key derivation.
      Test minimal windows build using Github actions
      Add macosx build
      Fix more certificate related lib_ctx settings.

Tobias Nießen (1):
      Fix option description for PKCS#12 export

Tomas Mraz (32):
      Use OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL) in libcrypto
      Remove the RAND_get0_public() from fips provider initialization
      acvp_test: Do not expect exact number of self tests
      keymgmt_meth: remove two TODO 3.0
      apps: Add maybe_stdin argument to load_certs and set it in pkcs12
      apps: Make load_key_certs_crls to read only what is expected
      Use --debug with no-caching build as sanitizers need it
      decoder_process: data_structure can be NULL
      provider_core: Remove two TODO 3.0
      core_get_libctx: use assert() instead of ossl_assert()
      property_test: use property values that are not used elsewhere
      p_lib.c: Remove TODO comments
      Add some encoder and decoder code examples
      apps/crl: Print just the hash value if printing just hash
      evp_keymgmt_util_copy: Fix possible leak on copy failure
      Make EVP_PKEY_missing_parameters work properly on provided RSA keys
      Added functions for printing EVP_PKEYs to FILE *
      ASYNC_start_job: Reset libctx when async_fibre_swapcontext fails
      EVP_PKEY_get_*_param should work with legacy
      EVP_PKCS82PKEY: Create provided keys if possible
      Remove the external BoringSSL test
      Make the SM2 group the default group for the SM2 algorithm
      Remove RSA bignum_data that is not used anywhere
      Implement EVP_PKEY_dup() function
      EVP_PKEY_CTRL_CIPHER can be used with encrypt/decrypt with GOST
      OBJ_nid2sn(NID_sha256) is completely equivalent to OSSL_DIGEST_NAME_SHA2_256
      Drop TODO 3.0 as we cannot get rid of legacy nids in 3.0
      EVP_CIPHER_type: fix misleading argument name
      Avoid going through NID when unnecessary
      Add "save-parameters" encoder parameter
      DSA_generate_parameters_ex: use the old method for all small keys
      Deprecate the EVP_PKEY controls for CMS and PKCS#7

div2016bit (1):
      Tiny clarification of comment for RSA_sign

luyahan (1):
      Add riscv64 target
