[openssl] openssl-3.0.1 create
Matt Caswell
matt at openssl.org
Tue Dec 14 16:31:30 UTC 2021
The annotated tag openssl-3.0.1 has been created
at a50b847c27705d84f4c03828ebfbc1c1f0200f07 (tag)
tagging b4e83ed7cd99c12d27e0e220c3afa1745a68f921 (commit)
replaces openssl-3.0.0
tagged by Matt Caswell
on Tue Dec 14 16:16:26 2021 +0000
- Log -----------------------------------------------------------------
OpenSSL 3.0.1 release tag
-----BEGIN PGP SIGNATURE-----
iQFFBAABCAAvFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmG4w1oRHG1hdHRAb3Bl
bnNzbC5vcmcACgkQ2cTSbQ5gRJGMkQgAkOUgRYLG6QoyDmGvwxlEEozZqjW+r9BC
EG/hP//2R/qvw59MLn9FbXa/imdJF6WK4UzYGOkFXPrSWX9kBS4JvkdQZjLkPd15
F+EMBodtG+PE0eEOS0D6J5K3jWOH9dUvPvBQocE/6FZ9R6n8ahmaiiZds5jvjvVm
l6FieqwJ5eJYzgmwLaq+8pocYQX8K+Q1dDWp1CkdiLzPSUGpSquwOtVKGMVI7se4
iaH6t3joPhjKpj/+zKFSxJ9RPk+TCto1ly7K3leJ1N4bG9KFg1GJI0TDjZuioCy8
uyQxYoiMUU4MCZqSzB32B1K/bh4QJ74R2V0QSKqDDZqpt1yWYaef2A==
=OpTi
-----END PGP SIGNATURE-----
Alex Pawelko (1):
Fix Markdown links in SUPPORT.md
Allan Jude (1):
Fix detection of ARMv7 and ARM64 CPU features on FreeBSD
Amit Kulkarni (1):
doc: crypto(7) - fix typo
Arne Schwabe (2):
Add missing mention of mandatory function OSSL_FUNC_keymgmt_has
Note that SHA1 and MD5 x509 signatures are also forbidden at security level 1
Bernd Edlinger (10):
Fix a memory leak in the afalg engine
Replace the AES-128-CBC-HMAC-SHA1 cipher in e_ossltest.c
Fix a memory leak reported in CIFuzz
Fix another memory leak reported in CIFuzz
Fix a memory leak in tls_parse_stoc_key_share
Fix a memory leak in ssl_create_cipher_list
Avoid loading of a dynamic engine twice
Add a test case for duplicate engine loading
Minor code cleanup in o_names_init
Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit targets
Dmitry Belyavskiy (6):
Avoid double-free on unsuccessful getting PRNG seeding
FIPS and KTLS may interfere
Fix for the dasync engine
Bindhost/bindport should be freed
No EtM for GOST ciphers in TLS 1.2
More detailed explanation how do engines work in 3.0
Dominic Letz (1):
Update 15-ios.conf
Dr. David von Oheimb (31):
80-test_cmp_http.t: Fix handling of empty HTTP proxy string
APPS/cmp.c: Move warning on overlong section name to make it effective again
APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options
openssl-x509.pod.in: Reflect better that -signkey is an alias for -key option
Fix ssl_free() and thus BIO_free() to respect BIO_NOCLOSE
BIO_f_ssl.pod: Make clear where an SSL BIOs are expected as an argument
apps/x509: Fix self-signed check to happen before setting issuer name
OSSL_HTTP_REQ_CTX.pod: clarify that resulting BIO must not be freed
OSSL_HTTP_transfer.pod: clarify that resulting BIO must be freed
APPS/x509: Fix generation of AKID via v2i_AUTHORITY_KEYID()
Fix verbosity of CMP client diagnostics
cmp_server.c: Log received request type before checking details
80-test_cmp_http: Make server diagnostics more verbose to aid debugging
HTTP client: workaround for #16028 (BIO_gets not supported by connect and SSL BIOs)
Make ERR_str_reasons in err.c consistent again with err.h
02-test_errstr.t: print errorcodes in hex (rather than decimal) format
BIO_push.pod: fix confusing text and add details on corner cases
OSSL_HTTP_transfer.pod: Fix omission documenting the 'ok' parameter of OSSL_HTTP_close()
OSSL_HTTP_transfer.pod: Some clarifications on the BIO connect/disconnect callback function
parse_http_line1(): Fix diagnostic output on error and return code
OSSL_HTTP_REQ_CTX_nbio(): Fix parsing of responses with status code != 200
OBJ_obj2txt(): fix off-by-one documentation of the result
OSSL_HTTP_set1_request(): Fix check for presence of port option and its documentation
OSSL_HTTP_open(): Complete documentation of checks for server and proxy args
OSSL_HTTP_open(): clarify doc of 'server' arg and its use of BIO_new_connect()
X509V3_set_ctx(): Clarify use of subject/req parameter for constructing SKID by hash of pubkey
X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email addresses from subject DN
OSSL_CMP_MSG_read(): Fix mem leak on file read error
APPS/cmp: fix -rspin option such that it works again without -reqin
OSSL_HTTP_get(): Fix timeout handling on redirection
APPS/cmp: Fix use of OPENSSL_NO_SOCK: options like -server do not make sense with no-sock
Dr. Matthias St. Pierre (1):
doc/man3/SSL_set_fd.pod: add note about Windows compiler warning
Gerd Hoffmann (1):
rename MIN() macro
Jiasheng Jiang (1):
test/ssl_old_test.c: Do NULL pointer check before its use
Kelvin Lee (1):
Explicitly #include <synchapi.h> is unnecessary
Kinshuk Dua (2):
Doc: be explicit about NUL in max_identity_len
Doc: replace `NULL` terminated with `NUL`
Martin Schwenke (1):
perlasm/ppc-xlate.pl: Fix build on OS X
Matt Caswell (54):
Clarify what SSL_get_session() does on the server side in TLSv1.3
Correct the documentation for SSL_set_num_tickets()
New extensions can be sent in a certificate request
Extend custom extension testing
Fix the signature newctx documentation
Make sure EVP_CIPHER_CTX_copy works with the dasync engine
Ensure pkey_set_type handles ENGINE references correctly
Update provider_util.c to correctly handle ENGINE references
Add tests for ENGINE problems
Prevent an overflow if an application supplies a buffer that is too small
Enforce a size check in EVP_MAC_final()
Fix SSKDF to not claim a buffer size that is too small for the MAC
Test short buffers
Add an additional note to EVP_DigestSign() documentation
Fix a bug in signature self tests in the FIPS module
Fix test_CMAC_keygen
Fix acvp_test sig_gen
Update pyca-cryptography sub-module
Fix the s_server psk_server_cb for use in DTLS
Fix no-cmac
Don't crash encoding a public key with no public key value
Test that a key is usable after an EVP_PKEY_fromdata call
Clarify the documentation for the "byname" functions
Fix a gcc 11.2.0 warning
Fix errors in EVP_PKEY_fromdata examples
Don't write to the globals ossl_property_true and ossl_property_false
Don't attempt to deactive child providers if we don't need to
Avoid a race in init_thread_stop()
Remove the isinited variable from child_prov_globals
Don't try and do ossl_provider_find in ossl_provider_new
Don't bail out during provider deactivation if we don't have store
Stop receiving child callbacks in a child libctx when appropriate
Correctly activate the provider in OSSL_PROVIDER_try_load
Use a write lock during ossl_provider_find()
Hold the flag_lock when calling child callbacks
Extend the test_multi_load() test
Reset the rwstate before calling ASYNC_start_job()
Clarify the PEM docs
Don't create an ECX key with short keys
Add a test for creating ECX private keys that are too short
Clarify and correct the EVP_CTRL_AEAD_SET_TAG docs
Don't delete the doc/html directories when cleaning
Clarify the deprecation warnings in the docs
Don't run the symbol presence test on windows
Don't free the EVP_PKEY on error in set0_tmp_dh_pkey() functions
Fix documentation for tlsext_ticket_key
Update CHANGES and NEWS for new release
Fix invalid handling of verify errors in libssl
Add a new Name Constraints test cert
Add a TLS test for name constraints with an EE cert without a SAN
Add a test case for the name constraints bug
Update copyright year
make update
Prepare for release of 3.0.1
Mattias Ellert (3):
Remove extra comma in man page example code
EVP_PKEY_keygen_init has no argument named pkey
Fix variable name mis-match in example code
Mingjun.Yang (2):
Add sm2 encryption test case from GM/T 0003.5-2012
Add missing check according to SM2 Digital Signature generation algorithm
Nikita Ivanov (1):
Fix nc_email to check ASN1 strings with NULL byte in the middle
PW Hu (18):
Fix some documentation errors
Fix unsafe BIO_get_md_ctx check
Bugfix: unsafe return check of EVP_PKEY_fromdata_init
Bugfix: unsafe return check of EVP_PKEY_fromdata
Fix function signature error
Fix some documentation errors related to return values
Fix documentation errors, mainly caused by return values of BIO_ctrl
doc: Fix some function signature errors
doc: Fix some function signature errors
Fix return value error in doc, and an error test
Fix incorrect return check of BN_bn2nativepad
update doc: BN_bn2lebinpad() and BN_bn2nativepad()
Fix incorrect return check of BN_bn2binpad
Fix: invoking x509_name_cannon improperly
Fix: invoking X509_self_signed improperly
Fix return value checking of BN_check_prime invocations
Fix the return check of OBJ_obj2txt
Return -1 properly from do_X509_REQ_verify and do_X509_verify
Pauli (25):
Fix the example SSH KDF code.
Remove end of line whitespace to appease CI checks
ci: add copyright header to CI scripts
doc: remove end of line whitespace
rand: don't free an mis-set pointer on error
doc: Fix include syntax
property: produce error if a name is duplicated
test: add failure testing for property parsing
doc: document that property names are unique
test-rand: return failure on not enough data, allow parent
speed: range check the argument given to -multi
Remove redundant RAND_get0_private() call
Convert the weak key and key parity tests to be constant time.
Add unit tests for weak key and key parity checks
avoid a NULL dereference when getting digest
Fix coverity 1493364 & 1493375: unchecked return value
Address Coverity 1493387 Logically dead code
Address coverity 1493382 argument cannot be negative
Address Coverity 1493362 resource leak
Fix data race setting `default_DSO_meth`
Add return value NULL checks that were missing
Add documentation for some of the missing environment variables.
doc: fix macro name
doc: remove non-existent callbacks
Fix Coverity 1494385 logically dead code.
Peiwei Hu (19):
Fix some documentation errors
Fix return value of BIO_free
test/ssl_old_test.c: Fix potential leak
RAND_bytes_ex: fix return check
EVP_Cipher: fix the incomplete return check
EVP_DigestVerifyFinal: fix test function and invocation
EVP_PKEY_paramgen_init: fix return check
EVP_PKEY_keygen_init: fix return check
BIO_read_filename: fix return check
BIO_gets: fix the incomplete return check
ossl_do_blob_header: fix return check
Fix EVP_PKEY_decrypt return check
TXT_DB_write: fix the return check
asn1_item_embed_d2i: fix th return check
EVP_RAND_generate: fix return check
BIO_set_prefix: fix return check
BIO_set_indent: fix return check
SSL_export_keying_material: fix return check
bio_enc.c: add memory allocation check
Phil Mesnier (1):
Fix for a segv interrupt that occurs when fix_dh_rfc5114 is called with ctx->p2 being a null pointer.
Richard Levitte (46):
Prepare for 3.0.1
DOCS: Update the page for 'openssl passwd' to not duplicate some info
Fix test/recipes/90-test_fipsload.t to use bldtop_file for the FIPS module
OpenSSL::Ordinals::set_version() should only be given the short version
VMS: Fix descrip.mms template
Fix 'openssl speed' information printout
Fix the build file templates where uplink matters
Configurations/platform/Unix.pm: account for variants in sharedlib_simple()
Fix util/mkpod2html.pl to call pod2html with absolute paths
Fix test/recipes/01-test_symbol_presence.t to allow for stripped libraries
Fix test/recipes/01-test_symbol_presence.t to disregard version info
Fix lock leak in evp_keymgmt_util_export_to_provider()
CORE: add a provider argument to ossl_method_construct()
EVP: Add the internal function evp_generic_fetch_from_prov()
EVP: Add evp_keymgmt_fetch_from_prov()
EVP: Reverse the fetch logic in all pkey using functionality
EVP: Add internal functions to fetch type specific EVP methods from provider
EVP: Allow a fallback for operations that work with an EVP_PKEY
EVP: For all operations that use an EVP_PKEY, check that there is one
CORE: Encure that cached fetches can be done per provider
Configurations/windows-makefile.tmpl: obj2bin(): use the resource file too
Fix DER encoder implementations for output structures "EC" and "SM2"
Make OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers
DOC: OSSL_PARAM_{set,get,construct}_BN() currently only supports nonnegative numbers
DOC: Add a few previously documented functions
Test the performance of OSSL_PARAM_allocate_from_text with arbitrary size ints
Have OSSL_PARAM_allocate_from_text() raise error on unexpected neg number
Allow sign extension in OSSL_PARAM_allocate_from_text()
TEST: Enable and fix test_bn2padded() in test/bntest.c
Make OSSL_provider_init() OPENSSL_EXPORT, not just extern
Teach OpenSSL::ParseC about OPENSSL_EXPORT and OPENSSL_EXTERN
Fix faulty detail in BN_rand() manual
Fix EVP_PKEY_eq() to be possible to use with strictly private keys
Adapt our OSSL_FUNC_keymgmt_match() implementations to the EVP_PKEY_eq() fix
Enhance the explanation of selector bits in provider-keymgmt(7)
test/evp_extra_test.c: Refactor test_fromdata()
test/evp_extra_test.c: Add EVP_PKEY comparisons in test_EC_priv_pub()
Fix VMS installation - consistent program names with version info
Fix VMS installation - $config{pointer_size} -> $target{pointer_size}
Fix VMS installation - Define the logical name OSSL$MODULES
Fix VMS installation - use platform->shlib_version_as_filename() consistently
Fix VMS installation - deassign the same logical names that were defined
Fix VMS installation - Check the presence of providers in the IVP script
Fix VMS installation - Override the openssl logical name in descrip.mms.tmpl
Fix VMS installation - Document in CHANGES.md
Add some CHANGES entries for 3.0.1
Sam Eaton (1):
changes opensssl typos to openssl
Tianjia Zhang (3):
ssl: Correct filename in README
ssl: Correct comment for ssl3_read_bytes()
KTLS: use EVP_CIPHER_is_a instead of nid
Tobias Nießen (2):
Fix heading in random generator man7 page
Fix infinite verification loops due to has_san_id
Tom Cosgrove (2):
Fix builds on Armv8 systems without AArch64
Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
Tomas Mraz (40):
dh_ameth: Fix dh_cmp_parameters to really compare the params
install_fips: Create the OPENSSLDIR as it might not exist
linux-x86-clang target: Add -latomic
providers: Do not use global EVP_CIPHERs and EVP_MDs
BIO_ctrl: Avoid spurious error being raised on NULL bio parameter
doc: OPENSSL_CORE_CTX should never be cast to OSSL_LIB_CTX
ctrl_params_translate: Fix leak of BN_CTX
cmp_vfy.c, encoder_lib.c: Fix potential leak of a BIO
Raise error when invalid digest used with SM2
Add missing define to enable AES-NI usage on x86 platform
doc: Document the type of label EVP_PKEY_CTX_set0_rsa_oaep_label properly
doc: EVP_PKEY_get_utf8/octet_string_param() clarify NULL buffer behavior
OCSP_sendreq_bio: Avoid doublefree of mem BIO
tests: Add test for X509_dup with ENGINE based key
X509_dup: Avoid duplicating the embedded EVP_PKEY
X509_PUBKEY_dup: Do not just up-ref the EVP_PKEY
cmp.c: Avoid dereference with negative index and use memcpy
migration_guide: Mention ERR_GET_FUNC() and function code removal
test: fetching proper signature provider for non-exportable keys
DES_set_key(): return values as DES_set_key_checked() but always set
do_sigver_init: Allow reinitialization of an existing operation.
test: Add testing of reinitialization via EVP_DigestSignInit()
providers: Allow possible reinitialization in all signature algorithms
evp_extra_test: Add SIPHASH MAC digestsign test with reinitialization
doc: Document outcome of multiple digestsign/digestverify calls
Add null digest implementation to the default provider
d2i_PublicKey: Make it work with EC parameters in a provided key
rsa_signverify_init: Set the PARAMS after key is set
Add test for EVP_PKEY_sign_init_ex with RSA PSS padding
EVP_MD_CTX_copy_ex: Allow copying uninitialized digest contexts
Add test for copying uninitialized EVP_MD_CTX
various kdfs: Always reset buflen after clearing the buffer
CI: Replace windows-2016 with windows-2022
Fix pvk encoder to properly query for the passphrase
PVK decoder: prompt for PVK passphrase and not PEM
key_to_type_specific_pem_bio_cb: Use passphrase callback from the arguments
test_rsa: Test for PVK format conversion
Windows CI: explicitly use windows-2019 instead of using windows-latest
bn2binpad: Use memset as the buffer will be used later
Add some CHANGES.md entries for the 3.0.1 release
Viktor Dukhovni (3):
Fully initialise cipher/digest app handles
Prioritise DANE TLSA issuer certs over peer certs
Test for DANE cross cert fix
Viktor Szakats (1):
convert tabs to spaces in two distributed Perl scripts
Xiaofei Bai (1):
Fix sigsize usage in apps/speed.c
astraujums (1):
Fixed state transitions for the HTML version of the life_cycle-kdf.pod. The MAN version was fine and so are kdf.dot and lifecycles.ods from doc/life-cycles
jwalch (1):
Avoid NULL+X UB in bss_mem.c
lprimak (1):
MacOS prior to 10.12 does not support random API correctly
olszomal (1):
Don't include any TLSv1.3 ciphersuites that are disabled
slontis (2):
Document that the openssl fipsinstall self test callback may not be used.
Fix tests to check for negative results when calling EVP_PKEY_fromdata_init
x2018 (8):
add checks for the return values of BN_new(), sk_RSA_PRIME_INFO_new_reserve(), EVP_PKEY_CTX_new_from_pkey() and EVP_CIPHER_CTX_new(). Otherwise may result in memory errors.
free the Post-Handshake Auth digest when there is an error saving the digest
check the return value of BN_new() and BN_dup()
check the return value of OPENSSL_strdup to prevent potential memory access error
check the return value of OPENSSL_strdup(CRYPTO_strdup) to prevent potential memory access error
check the return value of OPENSSL_strdup(CRYPTO_strdup) in apps/lib/app_rand.c:32
check the return value of BN_dup() in rsa_lib.c:1248
s_cb.c: check the return value of X509_get0_pubkey()
yuanjungong (1):
Clean up on failed BIO creation
-----------------------------------------------------------------------
More information about the openssl-commits
mailing list