[openssl] openssl-3.0.1 create

Matt Caswell matt at openssl.org
Tue Dec 14 16:31:30 UTC 2021

The annotated tag openssl-3.0.1 has been created
        at  a50b847c27705d84f4c03828ebfbc1c1f0200f07 (tag)
   tagging  b4e83ed7cd99c12d27e0e220c3afa1745a68f921 (commit)
  replaces  openssl-3.0.0
 tagged by  Matt Caswell
        on  Tue Dec 14 16:16:26 2021 +0000

- Log -----------------------------------------------------------------
OpenSSL 3.0.1 release tag


Alex Pawelko (1):
      Fix Markdown links in SUPPORT.md

Allan Jude (1):
      Fix detection of ARMv7 and ARM64 CPU features on FreeBSD

Amit Kulkarni (1):
      doc: crypto(7) - fix typo

Arne Schwabe (2):
      Add missing mention of mandatory function OSSL_FUNC_keymgmt_has
      Note that SHA1 and MD5 x509 signatures are also forbidden at security level 1

Bernd Edlinger (10):
      Fix a memory leak in the afalg engine
      Replace the AES-128-CBC-HMAC-SHA1 cipher in e_ossltest.c
      Fix a memory leak reported in CIFuzz
      Fix another memory leak reported in CIFuzz
      Fix a memory leak in tls_parse_stoc_key_share
      Fix a memory leak in ssl_create_cipher_list
      Avoid loading of a dynamic engine twice
      Add a test case for duplicate engine loading
      Minor code cleanup in o_names_init
      Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit targets

Dmitry Belyavskiy (6):
      Avoid double-free on unsuccessful getting PRNG seeding
      FIPS and KTLS may interfere
      Fix for the dasync engine
      Bindhost/bindport should be freed
      No EtM for GOST ciphers in TLS 1.2
      More detailed explanation how do engines work in 3.0

Dominic Letz (1):
      Update 15-ios.conf

Dr. David von Oheimb (31):
      80-test_cmp_http.t: Fix handling of empty HTTP proxy string
      APPS/cmp.c: Move warning on overlong section name to make it effective again
      APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options
      openssl-x509.pod.in: Reflect better that -signkey is an alias for -key option
      Fix ssl_free() and thus BIO_free() to respect BIO_NOCLOSE
      BIO_f_ssl.pod: Make clear where an SSL BIOs are expected as an argument
      apps/x509: Fix self-signed check to happen before setting issuer name
      OSSL_HTTP_REQ_CTX.pod: clarify that resulting BIO must not be freed
      OSSL_HTTP_transfer.pod: clarify that resulting BIO must be freed
      APPS/x509: Fix generation of AKID via v2i_AUTHORITY_KEYID()
      Fix verbosity of CMP client diagnostics
      cmp_server.c: Log received request type before checking details
      80-test_cmp_http: Make server diagnostics more verbose to aid debugging
      HTTP client: workaround for #16028 (BIO_gets not supported by connect and SSL BIOs)
      Make ERR_str_reasons in err.c consistent again with err.h
      02-test_errstr.t: print errorcodes in hex (rather than decimal) format
      BIO_push.pod: fix confusing text and add details on corner cases
      OSSL_HTTP_transfer.pod: Fix omission documenting the 'ok' parameter of OSSL_HTTP_close()
      OSSL_HTTP_transfer.pod: Some clarifications on the BIO connect/disconnect callback function
      parse_http_line1(): Fix diagnostic output on error and return code
      OSSL_HTTP_REQ_CTX_nbio(): Fix parsing of responses with status code != 200
      OBJ_obj2txt(): fix off-by-one documentation of the result
      OSSL_HTTP_set1_request(): Fix check for presence of port option and its documentation
      OSSL_HTTP_open(): Complete documentation of checks for server and proxy args
      OSSL_HTTP_open(): clarify doc of 'server' arg and its use of BIO_new_connect()
      X509V3_set_ctx(): Clarify use of subject/req parameter for constructing SKID by hash of pubkey
      X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email addresses from subject DN
      OSSL_CMP_MSG_read(): Fix mem leak on file read error
      APPS/cmp: fix -rspin option such that it works again without -reqin
      OSSL_HTTP_get(): Fix timeout handling on redirection
      APPS/cmp: Fix use of OPENSSL_NO_SOCK: options like -server do not make sense with no-sock

Dr. Matthias St. Pierre (1):
      doc/man3/SSL_set_fd.pod: add note about Windows compiler warning

Gerd Hoffmann (1):
      rename MIN() macro

Jiasheng Jiang (1):
      test/ssl_old_test.c: Do NULL pointer check before its use

Kelvin Lee (1):
      Explicitly #include <synchapi.h> is unnecessary

Kinshuk Dua (2):
      Doc: be explicit about NUL in max_identity_len
      Doc: replace `NULL` terminated with `NUL`

Martin Schwenke (1):
      perlasm/ppc-xlate.pl: Fix build on OS X

Matt Caswell (54):
      Clarify what SSL_get_session() does on the server side in TLSv1.3
      Correct the documentation for SSL_set_num_tickets()
      New extensions can be sent in a certificate request
      Extend custom extension testing
      Fix the signature newctx documentation
      Make sure EVP_CIPHER_CTX_copy works with the dasync engine
      Ensure pkey_set_type handles ENGINE references correctly
      Update provider_util.c to correctly handle ENGINE references
      Add tests for ENGINE problems
      Prevent an overflow if an application supplies a buffer that is too small
      Enforce a size check in EVP_MAC_final()
      Fix SSKDF to not claim a buffer size that is too small for the MAC
      Test short buffers
      Add an additional note to EVP_DigestSign() documentation
      Fix a bug in signature self tests in the FIPS module
      Fix test_CMAC_keygen
      Fix acvp_test sig_gen
      Update pyca-cryptography sub-module
      Fix the s_server psk_server_cb for use in DTLS
      Fix no-cmac
      Don't crash encoding a public key with no public key value
      Test that a key is usable after an EVP_PKEY_fromdata call
      Clarify the documentation for the "byname" functions
      Fix a gcc 11.2.0 warning
      Fix errors in EVP_PKEY_fromdata examples
      Don't write to the globals ossl_property_true and ossl_property_false
      Don't attempt to deactive child providers if we don't need to
      Avoid a race in init_thread_stop()
      Remove the isinited variable from child_prov_globals
      Don't try and do ossl_provider_find in ossl_provider_new
      Don't bail out during provider deactivation if we don't have store
      Stop receiving child callbacks in a child libctx when appropriate
      Correctly activate the provider in OSSL_PROVIDER_try_load
      Use a write lock during ossl_provider_find()
      Hold the flag_lock when calling child callbacks
      Extend the test_multi_load() test
      Reset the rwstate before calling ASYNC_start_job()
      Clarify the PEM docs
      Don't create an ECX key with short keys
      Add a test for creating ECX private keys that are too short
      Clarify and correct the EVP_CTRL_AEAD_SET_TAG docs
      Don't delete the doc/html directories when cleaning
      Clarify the deprecation warnings in the docs
      Don't run the symbol presence test on windows
      Don't free the EVP_PKEY on error in set0_tmp_dh_pkey() functions
      Fix documentation for tlsext_ticket_key
      Update CHANGES and NEWS for new release
      Fix invalid handling of verify errors in libssl
      Add a new Name Constraints test cert
      Add a TLS test for name constraints with an EE cert without a SAN
      Add a test case for the name constraints bug
      Update copyright year
      make update
      Prepare for release of 3.0.1

Mattias Ellert (3):
      Remove extra comma in man page example code
      EVP_PKEY_keygen_init has no argument named pkey
      Fix variable name mis-match in example code

Mingjun.Yang (2):
      Add sm2 encryption test case from GM/T 0003.5-2012
      Add missing check according to SM2 Digital Signature generation algorithm

Nikita Ivanov (1):
      Fix nc_email to check ASN1 strings with NULL byte in the middle

PW Hu (18):
      Fix some documentation errors
      Fix unsafe BIO_get_md_ctx check
      Bugfix: unsafe return check of EVP_PKEY_fromdata_init
      Bugfix: unsafe return check of EVP_PKEY_fromdata
      Fix function signature error
      Fix some documentation errors related to return values
      Fix documentation errors, mainly caused by return values of BIO_ctrl
      doc: Fix some function signature errors
      doc: Fix some function signature errors
      Fix return value error in doc, and an error test
      Fix incorrect return check of BN_bn2nativepad
      update doc: BN_bn2lebinpad() and BN_bn2nativepad()
      Fix incorrect return check of BN_bn2binpad
      Fix: invoking x509_name_cannon improperly
      Fix: invoking X509_self_signed improperly
      Fix return value checking of BN_check_prime invocations
      Fix the return check of OBJ_obj2txt
      Return -1 properly from do_X509_REQ_verify and do_X509_verify

Pauli (25):
      Fix the example SSH KDF code.
      Remove end of line whitespace to appease CI checks
      ci: add copyright header to CI scripts
      doc: remove end of line whitespace
      rand: don't free an mis-set pointer on error
      doc: Fix include syntax
      property: produce error if a name is duplicated
      test: add failure testing for property parsing
      doc: document that property names are unique
      test-rand: return failure on not enough data, allow parent
      speed: range check the argument given to -multi
      Remove redundant RAND_get0_private() call
      Convert the weak key and key parity tests to be constant time.
      Add unit tests for weak key and key parity checks
      avoid a NULL dereference when getting digest
      Fix coverity 1493364 & 1493375: unchecked return value
      Address Coverity 1493387 Logically dead code
      Address coverity 1493382 argument cannot be negative
      Address Coverity 1493362 resource leak
      Fix data race setting `default_DSO_meth`
      Add return value NULL checks that were missing
      Add documentation for some of the missing environment variables.
      doc: fix macro name
      doc: remove non-existent callbacks
      Fix Coverity 1494385 logically dead code.

Peiwei Hu (19):
      Fix some documentation errors
      Fix return value of BIO_free
      test/ssl_old_test.c: Fix potential leak
      RAND_bytes_ex: fix return check
      EVP_Cipher: fix the incomplete return check
      EVP_DigestVerifyFinal: fix test function and invocation
      EVP_PKEY_paramgen_init: fix return check
      EVP_PKEY_keygen_init: fix return check
      BIO_read_filename: fix return check
      BIO_gets: fix the incomplete return check
      ossl_do_blob_header: fix return check
      Fix EVP_PKEY_decrypt return check
      TXT_DB_write: fix the return check
      asn1_item_embed_d2i: fix th return check
      EVP_RAND_generate: fix return check
      BIO_set_prefix: fix return check
      BIO_set_indent: fix return check
      SSL_export_keying_material: fix return check
      bio_enc.c: add memory allocation check

Phil Mesnier (1):
      Fix for a segv interrupt that occurs when fix_dh_rfc5114 is called with ctx->p2 being a null pointer.

Richard Levitte (46):
      Prepare for 3.0.1
      DOCS: Update the page for 'openssl passwd' to not duplicate some info
      Fix test/recipes/90-test_fipsload.t to use bldtop_file for the FIPS module
      OpenSSL::Ordinals::set_version() should only be given the short version
      VMS: Fix descrip.mms template
      Fix 'openssl speed' information printout
      Fix the build file templates where uplink matters
      Configurations/platform/Unix.pm: account for variants in sharedlib_simple()
      Fix util/mkpod2html.pl to call pod2html with absolute paths
      Fix test/recipes/01-test_symbol_presence.t to allow for stripped libraries
      Fix test/recipes/01-test_symbol_presence.t to disregard version info
      Fix lock leak in evp_keymgmt_util_export_to_provider()
      CORE: add a provider argument to ossl_method_construct()
      EVP: Add the internal function evp_generic_fetch_from_prov()
      EVP: Add evp_keymgmt_fetch_from_prov()
      EVP: Reverse the fetch logic in all pkey using functionality
      EVP: Add internal functions to fetch type specific EVP methods from provider
      EVP: Allow a fallback for operations that work with an EVP_PKEY
      EVP: For all operations that use an EVP_PKEY, check that there is one
      CORE: Encure that cached fetches can be done per provider
      Configurations/windows-makefile.tmpl: obj2bin(): use the resource file too
      Fix DER encoder implementations for output structures "EC" and "SM2"
      Make OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers
      DOC: OSSL_PARAM_{set,get,construct}_BN() currently only supports nonnegative numbers
      DOC: Add a few previously documented functions
      Test the performance of OSSL_PARAM_allocate_from_text with arbitrary size ints
      Have OSSL_PARAM_allocate_from_text() raise error on unexpected neg number
      Allow sign extension in OSSL_PARAM_allocate_from_text()
      TEST: Enable and fix test_bn2padded() in test/bntest.c
      Make OSSL_provider_init() OPENSSL_EXPORT, not just extern
      Teach OpenSSL::ParseC about OPENSSL_EXPORT and OPENSSL_EXTERN
      Fix faulty detail in BN_rand() manual
      Fix EVP_PKEY_eq() to be possible to use with strictly private keys
      Adapt our OSSL_FUNC_keymgmt_match() implementations to the EVP_PKEY_eq() fix
      Enhance the explanation of selector bits in provider-keymgmt(7)
      test/evp_extra_test.c: Refactor test_fromdata()
      test/evp_extra_test.c: Add EVP_PKEY comparisons in test_EC_priv_pub()
      Fix VMS installation - consistent program names with version info
      Fix VMS installation - $config{pointer_size} -> $target{pointer_size}
      Fix VMS installation - Define the logical name OSSL$MODULES
      Fix VMS installation - use platform->shlib_version_as_filename() consistently
      Fix VMS installation - deassign the same logical names that were defined
      Fix VMS installation - Check the presence of providers in the IVP script
      Fix VMS installation - Override the openssl logical name in descrip.mms.tmpl
      Fix VMS installation - Document in CHANGES.md
      Add some CHANGES entries for 3.0.1

Sam Eaton (1):
      changes opensssl typos to openssl

Tianjia Zhang (3):
      ssl: Correct filename in README
      ssl: Correct comment for ssl3_read_bytes()
      KTLS: use EVP_CIPHER_is_a instead of nid

Tobias Nießen (2):
      Fix heading in random generator man7 page
      Fix infinite verification loops due to has_san_id

Tom Cosgrove (2):
      Fix builds on Armv8 systems without AArch64
      Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value

Tomas Mraz (40):
      dh_ameth: Fix dh_cmp_parameters to really compare the params
      install_fips: Create the OPENSSLDIR as it might not exist
      linux-x86-clang target: Add -latomic
      providers: Do not use global EVP_CIPHERs and EVP_MDs
      BIO_ctrl: Avoid spurious error being raised on NULL bio parameter
      doc: OPENSSL_CORE_CTX should never be cast to OSSL_LIB_CTX
      ctrl_params_translate: Fix leak of BN_CTX
      cmp_vfy.c, encoder_lib.c: Fix potential leak of a BIO
      Raise error when invalid digest used with SM2
      Add missing define to enable AES-NI usage on x86 platform
      doc: Document the type of label EVP_PKEY_CTX_set0_rsa_oaep_label properly
      doc: EVP_PKEY_get_utf8/octet_string_param() clarify NULL buffer behavior
      OCSP_sendreq_bio: Avoid doublefree of mem BIO
      tests: Add test for X509_dup with ENGINE based key
      X509_dup: Avoid duplicating the embedded EVP_PKEY
      X509_PUBKEY_dup: Do not just up-ref the EVP_PKEY
      cmp.c: Avoid dereference with negative index and use memcpy
      migration_guide: Mention ERR_GET_FUNC() and function code removal
      test: fetching proper signature provider for non-exportable keys
      DES_set_key(): return values as DES_set_key_checked() but always set
      do_sigver_init: Allow reinitialization of an existing operation.
      test: Add testing of reinitialization via EVP_DigestSignInit()
      providers: Allow possible reinitialization in all signature algorithms
      evp_extra_test: Add SIPHASH MAC digestsign test with reinitialization
      doc: Document outcome of multiple digestsign/digestverify calls
      Add null digest implementation to the default provider
      d2i_PublicKey: Make it work with EC parameters in a provided key
      rsa_signverify_init: Set the PARAMS after key is set
      Add test for EVP_PKEY_sign_init_ex with RSA PSS padding
      EVP_MD_CTX_copy_ex: Allow copying uninitialized digest contexts
      Add test for copying uninitialized EVP_MD_CTX
      various kdfs: Always reset buflen after clearing the buffer
      CI: Replace windows-2016 with windows-2022
      Fix pvk encoder to properly query for the passphrase
      PVK decoder: prompt for PVK passphrase and not PEM
      key_to_type_specific_pem_bio_cb: Use passphrase callback from the arguments
      test_rsa: Test for PVK format conversion
      Windows CI: explicitly use windows-2019 instead of using windows-latest
      bn2binpad: Use memset as the buffer will be used later
      Add some CHANGES.md entries for the 3.0.1 release

Viktor Dukhovni (3):
      Fully initialise cipher/digest app handles
      Prioritise DANE TLSA issuer certs over peer certs
      Test for DANE cross cert fix

Viktor Szakats (1):
      convert tabs to spaces in two distributed Perl scripts

Xiaofei Bai (1):
      Fix sigsize usage in apps/speed.c

astraujums (1):
      Fixed state transitions for the HTML version of the life_cycle-kdf.pod. The MAN version was fine and so are kdf.dot and lifecycles.ods from doc/life-cycles

jwalch (1):
      Avoid NULL+X UB in bss_mem.c

lprimak (1):
      MacOS prior to 10.12 does not support random API correctly

olszomal (1):
      Don't include any TLSv1.3 ciphersuites that are disabled

slontis (2):
      Document that the openssl fipsinstall self test callback may not be used.
      Fix tests to check for negative results when calling EVP_PKEY_fromdata_init

x2018 (8):
      add checks for the return values of BN_new(), sk_RSA_PRIME_INFO_new_reserve(), EVP_PKEY_CTX_new_from_pkey() and EVP_CIPHER_CTX_new(). Otherwise may result in memory errors.
      free the Post-Handshake Auth digest when there is an error saving the digest
      check the return value of BN_new() and BN_dup()
      check the return value of OPENSSL_strdup to prevent potential memory access error
      check the return value of OPENSSL_strdup(CRYPTO_strdup) to prevent potential memory access error
      check the return value of OPENSSL_strdup(CRYPTO_strdup) in apps/lib/app_rand.c:32
      check the return value of BN_dup() in rsa_lib.c:1248
      s_cb.c: check the return value of X509_get0_pubkey()

yuanjungong (1):
      Clean up on failed BIO creation

