[openssl] openssl-3.0.0-alpha10 create

Matt Caswell matt at openssl.org
Thu Jan 7 14:07:34 UTC 2021

The annotated tag openssl-3.0.0-alpha10 has been created
        at  45817feda8996f2e0812731b9b3e565d2682d694 (tag)
   tagging  cae118f9382c3790359b3ff050d6e01c11579a7f (commit)
  replaces  openssl-3.0.0-alpha9
 tagged by  Matt Caswell
        on  Thu Jan 7 13:48:21 2021 +0000

- Log -----------------------------------------------------------------
OpenSSL 3.0.0-alpha10 release tag


Ankita Shetty (4):
      cmp_client.c: Remove dead code of variable 'txt' in cert_response()
      cmp_client.c: Fix indentation and remove empty line
      openssl.pod: Carve out Trusted Certificate, Pass Phrase, Name Format, and Format Options
      openssl.pod: Fix openSSL options doc

Ard Biesheuvel (1):
      aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode

Benjamin Kaduk (1):
      Fix comment in do_dtls1_write()

Daiki Ueno (1):
      openssl dgst: add option to specify output length for XOF

Daniel Bevenius (2):
      EVP: don't touch the lock for evp_pkey_downgrade
      STORE: clear err after ossl_store_get0_loader_int

David CARLIER (1):
      Mac M1 setting change proposal.

David Carlier (2):
      CRYPTO_secure_malloc_init: Add FreeBSD support for secure-malloc dont-dump-region.
      Add MAP_CONCEAL from OpenBSD which has similar purpose but on mmap call level.

David von Oheimb (1):
      openssl.pod: Move verification doc to new doc/man1/openssl-verification-options.pod

Dmitry Belyavskiy (8):
      OPENSSL_NO_GOST has nothing to do with low-level algos
      Deprecate -cipher-commands and -digest-commands options
      Skip unavailable digests and ciphers in -*-commands
      Documenting the options deprecating
      Documenting the options deprecating in CHANGES.md
      Skip tests depending on deprecated list -*-commands options
      Fetch provided algorithm once per benchmark
      Fix doc-nits for list command

Dr. David von Oheimb (42):
      asn1t.h: Improve comments documenting ASN1_ITYPE_... and the 'funcs' field
      X509_dup: fix copying of libctx and propq using new ASN1_OP_DUP_POST cb operation
      endecode_test.c: Significant speedup in generating DH and DHX keys
      remove obsolete test/drbg_extra_test.h
      remove obsolete test/drbg_cavs_data.h
      test cleanup: move helper .c and .h files to test/helpers/
      endecode_test.c: Add warning that 512-bit DH key size is for testing only
      apps/pkcs12.c: Correct default legacy algs and make related doc consistent
      apps/pkcs12.c: Improve user guidance, re-ordering no-export vs. export options
      x509_vfy.c: Restore rejection of expired trusted (root) certificate
      appveyor.yml: Let 'nmake' run by defaut silently (/S), using MAKEVERBOSE like .travis.yml
      appveyor.yml: Let 'nmake' do builds in parallel on all CPU cores
      .travis.yml: Do some build (gcc) runs in parallel (-j4)
      ci.yml: Add 'perl configdata.pm --dump' to each config
      ci.yml: Let 'make' run silently (-s) with build (gcc) runs in parallel (-j4)
      appveyor.yml: Move printing of env variables such that locally defined ones are shown as well.
      encode_key2any.c: Fix build error on OPENSSL_NO_DH and OPENSSL_NO_EC
      encode_key2text.c: Fix build error on OPENSSL_NO_{DH,DSA,EC}
      fuzz/server.c: Fix build error on OPENSSL_NO_{DSA,EC,DEPECATED_3_0}
      apps/speed.c: Fix build errors on OPENSSL_NO_{RSA,DSA,EC,DEPECATED_3_0}
      endecode_test.c: Fix build errors on OPENSSL_NO_{DH,DSA,EC,EC2M}
      evp_pkey_dparams_test.c: Fix build error on OPENSSL_NO_{DH,DSA,EC}
      apps/speed.c: Rename misleading 'rsa_count' variable to 'op_count'
      {.travis,ci,appveyor}.yml: Make minimal config consistent, add no-deprecated no-ec no-ktls no-siv
      apps/verify:c: Enable output of multiple verification errors due to -x509_strict
      x509_vfy.c: Improve comments (correcting typos etc.)
      test/certs/setup.sh: Fix two glitches
      find-doc-nits: fix regexp and point out that CA.pl and tsget.pod are special
      Use adapted test_get_libctx() for simpler test setup and better error reporting
      apps/req.c: Improve diagnostics on multiple/overriding X.509 extensions defined via -reqext option
      x509v3_config.pod: Clarify semantics of subjectKeyIdentifier and authorityKeyIdentifier
      apps/{req,x509,ca}.c: Clean up code setting X.509 cert version v3
      apps/{req,x509,ca}.c: Cleanup: move shared X509{,_REQ,_CRL} code to apps/lib/apps.c
      apps/x509.c: Factor out common aspects of X509 signing
      openssl-ca.pod.in: Clarify the -extensions/-crlexts options vs. x509_extensions/crl_extensions
      X509V3_EXT_add_nconf_sk(): Improve description and use of 'sk' arg, which may be NULL
      v2i_AUTHORITY_KEYID(): Correct out-of-memory behavior and avoid mem leaks
      openssl_hexstr2buf_sep(): Prevent misleading 'malloc failure' errors on short input
      apps/{ca,req,x509}.c: Improve diag and doc mostly on X.509 extensions, fix multiple instances
      apps/cmp.c: Fix bug on -path option introduced in commit 3c9d6266ed85
      apps/cmp.c: Correct -keyform option range w.r.t engine
      Update copyright years of auto-generated headers (make update)

Etienne Millon (2):
      EVP_SIGNATURE-ED25519.pod: fix typo in algo name
      28-seclevel.cnf.in: fix typo in algo name

Fangming.Fang (1):
      Read MIDR_EL1 system register on aarch64

Ingo Schwarze (1):
      Fix NULL pointer access caused by X509_ATTRIBUTE_create()

J08nY (1):
      README: Move Travis link to .com from .org.

John Baldwin (4):
      Allow zero-byte writes to be reported as success.
      Collapse two identical if statements into a single body.
      Use CRIOGET to fetch a crypto descriptor when present.
      Support session information on FreeBSD.

Kelvin Lee (1):
      Fix simpledynamic.c - a typo and missed a header

Liang Liu (1):
      [DOC]Fix two broken links in INSTALL.md; Change name of zlib flag to the current one.

Matt Caswell (56):
      Prepare for 3.0 alpha 10
      Fix no-posix-io
      Deprecate DH_new as well as i2d_DHparams and d2i_DHparams
      Deprecate functions for getting and setting DH values in an EVP_PKEY
      Deprecate EVP_PKEY_assign_DH and other similar macros
      Deprecate the DHparams and DHxparams PEM routines
      Remove fuzzing of deprecated functions in a no-deprecated build
      Don't test a deprecated function in a no-deprecated build
      Deprecate more DH functions
      Convert DH deprecations to the new way of deprecating functions
      Updates the CHANGES.md entry regarding DH deprecation
      Remove d2i_DHparams.pod and move documentation to d2i_RSAPrivateKey.pod
      Fix no-engine
      Fix instances of pointer addition with the NULL pointer
      Fix TLS1.2 CHACHA20-POLY1305 ciphersuites with OPENSSL_SMALL_FOOTPRINT
      Fix builds that specify both no-dh and no-ec
      Don't Overflow when printing Thawte Strong Extranet Version
      Fix a compile error with the no-sock option
      Fix no-dtls
      Fix no-dsa
      DirectoryString is a CHOICE type and therefore uses explicit tagging
      Correctly compare EdiPartyName in GENERAL_NAME_cmp()
      Check that multi-strings/CHOICE types don't use implicit tagging
      Complain if we are attempting to encode with an invalid ASN.1 template
      Add a test for GENERAL_NAME_cmp
      Add a test for encoding/decoding using an invalid ASN.1 Template
      Update CHANGES and NEWS for new release
      Fix a test failure with no-tls1_3
      Fix a compilation failure with no-tls_1_2
      Fix no-err
      Modify is_tls13_capable() to take account of the servername cb
      Test that we can negotiate TLSv1.3 if we have an SNI callback
      Don't use no-asm in the Github CIs
      Skip evp_test cases where we need the legacy prov and its not available
      Fix sslapitest.c if built with no-legacy
      Don't use legacy provider if not available in test_ssl_old
      Don't load the legacy provider in endecoder_legacy_test
      Skip testing ciphers in the legacy provider if no legacy
      Don't load the legacy provider if not available in test_enc_more
      Don't load the legacy provider in test_evp_libctx unnecessarily
      Don't use the legacy provider in test_store if its not available
      Don't run a legacy specific PKCS12 test if no legacy provider
      Skip cms tests using RC2 if no legacy provider
      Fix some typos in EVP_PKEY-DH.pod
      Fix no-threads
      Move the caching of cipher constants into evp_cipher_from_dispatch
      Cache Digest constants
      Optimise OPENSSL_init_crypto to not need a lock when loading config
      Don't call EVP_CIPHER_CTX_block_size() to find the block size
      Add some more CRYPTO_atomic functions
      Optimise OPENSSL_init_crypto
      Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load
      Add a test for the new CRYPTO_atomic_* functions
      Only perform special TLS handling if TLS has been configured
      Update copyright year
      Prepare for release of 3.0 alpha 10

Nan Xiao (1):
      Fix typo in OPENSSL_malloc.pod

Nirbheek Chauhan (2):
      crypto/win: Don't use disallowed APIs on UWP
      win-onecore: Build with /APPCONTAINER for UWP compat

Pauli (19):
      Print random seed on test failure.
      remove unused return value assignments
      remove unused assignments
      remove unused initialisations
      tag unused function arguments as ossl_unused
      rand: add a provider side seed source.
      Fix error clash in build
      rand seed: include lock and unlock functions.
      rand: don't leak memory
      rand: allow seed-src to be missing
      params: allow more variations in integer conversions.
      params: add integer conversion test cases.
      test: print OPENSSL_TEST_RAND_ORDER=x when a randomised test fails.
      test: document the random test ordering env variable
      dsa: documentation deprecation changes
      dsa: fuzzer deprecation changes
      dsa: apps deprecation changes
      dsa: provider and library deprecation changes
      dsa: add additional deprecated functions to CHANGES entry.

Petr Gotthard (1):
      Fix OSSL_PARAM creation in OSSL_STORE_open_ex

Rich Salz (3):
      Deprecate OCSP_REQ_CTX_set1_req
      Document OCSP_REQ_CTX_i2d.
      Check non-option arguments

Richard Levitte (80):
      APPS: Make it possible for apps to set the base (fallback) UI_METHOD
      APPS: Modify apps/cmp.c to use set_base_ui_method() for its -batch option
      ERR: Restore the similarity of ERR_print_error_cb() and ERR_error_string_n()
      TEST: Adapt test/errtest for the 'no-err' configuration
      EVP_PKEY & DSA: Make DSA EVP_PKEY_CTX parameter ctrls / setters more available
      ERR: Drop or deprecate dangerous or overly confusing functions
      ERR: drop err_delete_thread_state() TODO marker
      TEST: Fix path length in test/ossl_store_test.c
      RSA: correct digestinfo_ripemd160_der[]
      TEST: Break out the local dynamic loading code from shlibloadtest.c
      TEST: Add a simple module loader, and test the FIPS module with it
      ENCODER: Don't pass libctx to OSSL_ENCODER_CTX_new_by_EVP_PKEY()
      Adapt everything else to the updated OSSL_ENCODER_CTX_new_by_EVP_PKEY()
      APPS: Add OSSL_STORE loader for engine keys
      APPS: Adapt load_key() and load_pubkey() for the engine: loader
      Add test to demonstrate the app's new engine key loading
      Switch deprecation method for AES
      Switch deprecation method for ASN.1
      Switch deprecation method for BIO
      Switch deprecation method for Blowfish
      Switch deprecation method for BIGNUM
      Switch deprecation method for Camellia
      Switch deprecation method for CAST
      Switch deprecation method for CMAC
      Switch deprecation method for CONF
      Switch deprecation method for CRYPTO
      Switch deprecation method for DES
      Switch deprecation method for ENGINE
      Switch deprecation method for ERR
      Switch deprecation method for EVP
      Switch deprecation method for HMAC
      Switch deprecation method for IDEA
      Switch deprecation method for MD2
      Switch deprecation method for MD4
      Switch deprecation method for MD5
      Switch deprecation method for MDC2
      Switch deprecation method for PKCS#12
      Switch deprecation method for RAND
      Switch deprecation method for RC2
      Switch deprecation method for RC4
      Switch deprecation method for RC5
      Switch deprecation method for RIPEMD
      Switch deprecation method for SEED
      Switch deprecation method for SHA
      Switch deprecation method for SRP
      Switch deprecation method for SSL
      Switch deprecation method for OSSL_STORE
      Switch deprecation method for Whirlpool
      Switch deprecation method for X.509
      DSA: Make DSA_bits() and DSA_size() check that there are key parameters
      EVP: Adjust EVP_PKEY_size(), EVP_PKEY_bits() and EVP_PKEY_security_bits()
      PEM: Add a more generic way to implement PEM _ex functions for libctx
      providers/common/der/build.info: Improve checks of disabled algos
      EVP: constify the EVP_PKEY_get_*_param() argument |pkey|
      EVP: Add EVP_PKEY_get_group_name() to extract the group name of a pkey
      TLS: Use EVP_PKEY_get_group_name() to get the group name
      DOCS: Update OSSL_DECODER_CTX_new_by_EVP_PKEY.pod to match declarations
      DOCS: Improve documentation of the EVP_PKEY type
      Building: Fix the library file names for MSVC builds to include multilib
      PEM: Unlock MSBLOB and PVK functions from 'no-dsa' and 'no-rc4'
      Remove unnecessary guards around MSBLOB and PVK readers and writers
      APPS: Correct the output structure for public keys in 'openssl rsa'
      TEST: Fix test/recipes/15-test_rsa.t
      PROV: Add MSBLOB and PVK encoders
      EVP_PKEY & DSA: move dsa_ctrl.c to be included only on libcrypto
      EVP_PKEY & DH: Make DH EVP_PKEY_CTX parameter ctrls / setters more available
      EVP_PKEY & EC_KEY: Make EC EVP_PKEY_CTX parameter ctrls / setters more available
      Drop unnecessary checks of OPENSSL_NO_DH, OPENSSL_NO_DSA and OPENSSL_NO_EC
      Add necessary checks of OPENSSL_NO_DH, OPENSSL_NO_DSA and OPENSSL_NO_EC
      DECODER EVP_PKEY: Don't store all the EVP_KEYMGMTs
      MSBLOB & PVK: Make it possible to write EVP_PKEYs with provided internal key
      DECODER: Adjust the library context of keys in our decoders
      CORE: Separate OSSL_PROVIDER activation from OSSL_PROVIDER reference
      EVP: Fix memory leak in EVP_PKEY_CTX_dup()
      GitHub CI: Add 'check-update' and 'check-docs'
      make update
      TEST: Fix test/endecode_test.c for 'no-legacy'
      Fix 'no-deprecated'
      GitHub CI: Separate no-deprecated job from minimal job
      Drop OPENSSL_NO_RSA everywhere

Sebastian Andrzej Siewior (1):
      Configurations: PowerPC is big endian

Shane Lontis (16):
      Fix EVP_CIPHER_CTX_set_padding for legacy path
      Fix no-deprecated configuration
      Fix s390 EDDSA HW support in providers.
      Add EVP_KDF-X942 to the fips module
      Fix X509 propq so it does not use references
      Fix x509_crl propq so that it uses a copy
      fix x509_PUBKEY propq so that it uses a copy
      Fix EVP_PKEY_CTX propq so that it uses a copy
      Fix ecdsa digest setting code to match dsa.
      Fix dsa & rsa signature dupctx() so that ctx->propq is strduped
      Change OPENSSL_hexstr2buf_ex() & OPENSSL_buf2hexstr_ex() to pass the separator
      Deprecate EC_POINT_bn2point and EC_POINT_point2bn.
      Add validate method to ECX keymanager
      Add fips self tests for all included kdf
      Fix Segfault in EVP_PKEY_CTX_dup when the ctx has an undefined operation.
      Change AES-CTS modes CS2 and CS3 to also be inside the fips module.

Tim Hudson (1):
      Correct system guessing for darwin64-arm64 target

Tomas Mraz (6):
      EVP_DigestFinalXOF must not reset the EVP_MD_CTX
      Add test for no reset after DigestFinal_ex and DigestFinalXOF
      Fix regression in EVP_DigestInit_ex: crash when called with NULL type
      Documentation improvements for EVP_DigestInit_ex and related functions
      v3nametest: Make the gennames structure static
      Github CI: run also on repository pushes

bazmoz (1):
      Updated SSL_CTX_new doc

ihsinme (1):
      Update bio_ok.c

jwalch (1):
      Restore v2i_AUTHORITY_INFO_ACCESS() behavior


More information about the openssl-commits mailing list