[openssl] openssl-3.0.0-alpha12 create

Matt Caswell matt at openssl.org
Thu Feb 18 15:24:18 UTC 2021

The annotated tag openssl-3.0.0-alpha12 has been created
        at  ba908b36f412d1a4a26aefee3841e276c09b5413 (tag)
   tagging  b467d394eb11ac94500d9f003426f5fa75d60c3c (commit)
  replaces  openssl-3.0.0-alpha11
 tagged by  Matt Caswell
        on  Thu Feb 18 15:08:54 2021 +0000

- Log -----------------------------------------------------------------
OpenSSL 3.0.0-alpha12 release tag


Armin Fuerst (1):
      apps/ca: Properly handle certificate expiration times in do_updatedb

Beat Bolli (1):
      README-ENGINES: fix the link to the provider API README

Benjamin Kaduk (3):
      Remove unused 'peer_type' from SSL_SESSION
      x509_vfy: remove redundant stack allocation
      RSA: avoid dereferencing possibly-NULL parameter in initializers

Daniel Bevenius (1):
      EVP: fix keygen for EVP_PKEY_RSA_PSS

Disconnect3d (1):
      passwd.c: use the actual ROUNDS_DEFAULT macro

Dmitry Belyavskiy (2):
      DH/DHX parameter check using pkeyparam
      DSA parameter check using pkeyparam

Dr. David von Oheimb (28):
      obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption')
      Fix rsa_pss_asn1_meth to refer to rsa_sig_info_set
      check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS
      OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req len still to send
      Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio()
      HTTP: Fix mistakes and unclarities on maxline and max_resp_len params
      HTTP: add more error detection to low-level API
      Constify OSSL_HTTP_REQ_CTX_get0_mem_bio()
      OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various improvements
      openssl.pod: Add documentation for using the loader_attic engine
      apps/cmp.c: check and exit on engine load error
      test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic
      run_tests.pl: Improve diagnostics on the use of HARNESS_JOBS
      Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack
      x509_vfy.c: Improve coding style and comments all over the file
      Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target
      mknum.pl: Exclude duplicate entries and include source file name in diagnostics
      x509_vfy.c: Fix various coding style and documentation style nits
      x509_vfy: Clarify relevance of ctx->error also on successful verification
      X509_get_pubkey_parameters(): Correct failure behavior and its use
      x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error)
      x509_vfy.c: Make chain_build() error diagnostics to the point
      X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer()
      X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly
      apps/ca.c: Make sure ext_ctx structure gets initialized
      apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR
      x509_vfy: fix mem leaks in chain_build() on malloc error Coverity CID 1473068
      chain_build(): Call verify_cb_cert() if a preliminary error has become final

Dr. Matthias St. Pierre (6):
      Add some missing committers to the AUTHORS list
      Revise some renamings of NOTES and README files
      Reformat some NOTES and README files
      Unify the markdown links to the NOTES and README files
      Add deprecation note to the README-ENGINES file
      Add a skeleton README-PROVIDERS file

FdaSilvaYY (3):
      include/crypto: add a few missing #pragma once directives
      include/openssl: add a few missing #pragma once directives
      include/internal: add a few missing #pragma once directives

Jay Satiro (1):
      NOTES-WINDOWS: fix typo

Job Snijders (2):
      Add some PKIX-RPKI objects
      Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature

Jon Spillett (1):
      Switch to BIO_snprintf to avoid missing symbol problems on Windows

Juergen Christ (3):
      Fix cipher reinit on s390x if no key is specified
      Fix parameter types in sshkdf
      Remove superfluous EVP_KDF_CTRL_ defines.

KOBAYASHI Ittoku (1):
      Match description with actual output of dgst

Matt Caswell (38):
      Ensure EC keys with a private key but without a public key can be created
      Test that EC keys without a public key in them work as expected
      Add a multi-thread test for shared EVP_PKEYs
      Refactor RAND_get0_primary() locking
      Avoid races by caching exported ciphers in the init function
      Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data()
      Ensure access to FIPS_state and rate_limit is appropriately locked
      Ensure the EVP_PKEY operation_cache is appropriately locked
      Add a CI job to run the threads test with threads sanitizer on
      Remove some TODO(OpenSSL1.2) references
      Remove a DSA related TODO
      Remove OPENSSL_NO_DH guards from libssl
      Ensure default supported groups works even with no-ec and no-dh
      Make supported_groups code independent of EC and DH
      Stop disabling TLSv1.3 if ec and dh are disabled
      Check for availability of ciphersuites at run time
      Remove compile time guard checking from ssl3_get_req_cert_type
      Add the nist group names as aliases for the normal TLS group names
      Make sure we don't use sigalgs that are not available
      Remove OPENSSL_NO_EC guards from libssl
      Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg
      Fix the cipher_overhead_test
      Deprecate the low level SRP APIs
      Deprecate the libssl level SRP APIs
      Update documentation following deprecation of SRP
      Run DH_check_ex() not DH_check_params_ex() when checking params
      Implement EVP_PKEY_param_check_quick() and use it in libssl
      Fix the dhparam_check test
      Document the newly added function EVP_PKEY_param_check_quick()
      Fix Null pointer deref in X509_issuer_and_serial_hash()
      Test that X509_issuer_and_serial_hash doesn't crash
      Refactor rsa_test
      Fix the RSA_SSLV23_PADDING padding type
      Fix rsa_test to properly test RSA_SSLV23_PADDING
      Don't overflow the output length in EVP_CipherUpdate calls
      Update CHANGES and NEWS for new release
      Update copyright year
      Prepare for release of 3.0 alpha 12

Nicola Tuveri (2):
      [doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties
      [doc/man3][OSSL_ENCODER] Move NOTES to the bottom

Oleksandr Tymoshenko (1):
      Handle partial data re-sending on ktls/sendfile on FreeBSD

Pauli (21):
      Fix a use after free issue when a provider context is being used and isn't cached
      Fix race condition & allow operation cache to grow.
      test: turn off parallel tests in verbose mode.
      test: add an option to output timing information from tests.
      EVP: fix reference counting for digest operations.
      CI: add a non-caching CI loop
      Prov: add an option to force provider fetches to not be cached.
      EVP: fix reference counting for EVP_CIPHER.
      test: fix no-cache problem with the quality comparison for KDFs.
      changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option.
      test: filter provider honours the no_cache setting.
      test: add import and export key management hooks for the TLS provider.
      Add a configure time option to disable the fetch cache.
      Remove an unnecessary free call.
      test: DRBG test with long seed.
      err: generated error files
      RNG seed: add get_entropy hook for seeding.
      RNG test: add get_entropy hook for testing.
      core: add get_entropy and clear_entropy calls to RAND
      rand: update DRBGs to use the get_entropy call for seeding
      doc: document the two new RAND functions

Petr Gotthard (4):
      apps/openssl: add -propquery command line option
      Enhanced integer parsing in OSSL_PARAM_allocate_from_text
      Fix propquery handling in EVP_DigestSignInit_ex
      Replace SSL_CTX_new by SSL_CTX_new_ex in apps/s_server + s_client

Randall S. Becker (1):
      Enable fipsload test on NonStop x86.

Rich Salz (9):
      Deprecate X509_certificate_type
      Deprecate EVP_MD_CTX_{set_}update_fn()
      Don't make pthreads mutexes recursive.
      Fetch algorithm after loading providers
      Fetch alg, etc., after loading providers
      Load rand state after loading providers
      Process digest option after loading providers
      Fetch cipher after loading providers
      Allow -rand to be repeated

Richard Levitte (27):
      Prepare for 3.0 alpha 12
      Fix some odd names in our provider source code
      PROV: Add SM2 encoders and decoders, as well as support functionality
      CORE & PROV: clean away OSSL_FUNC_mac_size()
      EVP: Don't find standard EVP_PKEY_METHODs automatically
      EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed EVP_PKEY_CTX
      EC: Reverse the default asn1_flag in a new EC_GROUP
      EVP: Make EVP_PKEY_set_params() increment the dirty count
      EVP: Adapt the other EVP_PKEY_set_xxx_param() functions
      EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions
      EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key()
      ERR: clean away everything related to _F_ macros from util/mkerr.pl
      ERR: Rebuild all generated error headers and source files
      Remove the old DEPRECATEDIN macros
      dev/release.sh: Fix typo
      EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters()
      TEST: Add an algorithm ID tester for libcrypto vs provider
      DOCS: Remove the "global" dependency on writing .pod files from .pod.in
      Makefile template: Allow separate generation of .pod.in -> .pod
      PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID
      Configuration: ensure that 'no-tests' works correctly
      Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries
      DOCS: Update the internal documentation on EVP_PKEY.
      Configurations/descrip.mms.tmpl: avoid enormous PIPE commands
      VMS documentation fixes
      TEST: Add missing initialization
      Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i()

Sahana Prasad (1):
      DH: Make DH_bits(), DH_size(), and DH_security_bits() check that there are key parameters

Shane Lontis (10):
      Simplify the EVP_PKEY_XXX_fromdata_XX methods.
      Change the ASN1 variant of x942kdf so that it can test acvp data.
      Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields.
      Replace provider cipher flags with separate param fields
      Replace provider digest flags with separate param fields
      Remove dead code in rsa_pkey_ctrl.
      Add docs for ASN1_item_sign and ASN1_item_verify functions
      Fix external symbols in the provider cipher implementations.
      Fix external symbols in the provider digest implementations.
      Fix external symbols related to provider related security checks for keys and digests.

Tomas Mraz (16):
      rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys
      dh_cms_set_peerkey: Pad the public key to p size
      Add diacritics to my name in CHANGES.md
      apps/ecparam: Avoid crash when parameters fail to load
      provider-signature.pod: Fix formatting.
      RSA: properly generate algorithm identifier for RSA-PSS signatures
      Deprecate BN_pseudo_rand() and BN_pseudo_rand_range()
      CHANGES.md: Mention RSA key generation slowdown related changes
      Move the PROV_R reason codes to a public header
      Various cleanup of PROV_R_ reason codes
      Rename internal providercommonerr.h to less mouthful proverr.h
      tls_valid_group: Add missing dereference of okfortls13
      ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3
      Do not match RFC 5114 groups without q as it is significant
      dsa_check: Perform simple parameter check if seed is not available

zekeevans-mf (1):
      Add deep copy of propq field in mac_dupctx to avoid double free
