[openssl] openssl-3.0.0-alpha11 create

Richard Levitte levitte at openssl.org
Thu Jan 28 13:18:09 UTC 2021

The annotated tag openssl-3.0.0-alpha11 has been created
        at  8ec1e7c79f7c0e2a6e1aebdff08584f9004a1100 (tag)
   tagging  31a89254d8225bab5c33be88e08296786da6af6a (commit)
  replaces  openssl-3.0.0-alpha10
 tagged by  Richard Levitte
        on  Thu Jan 28 14:08:09 2021 +0100

- Log -----------------------------------------------------------------
OpenSSL 3.0.0-alpha11 release tag


Agustin Gianni (1):
      Fix incorrect use of BN_CTX API

Billy Brumley (1):
      [crypto/dh] side channel hardening for computing DH shared keys

Daiki Ueno (1):
      params: OSSL_PARAM_utf8_ptr: don't automatically reference `address`

Daniel Bevenius (2):
      Correct typo in rsa_oaep.c
      Fix typo in thread_once comments

David Carlier (2):
      OPENSSL_cpuid_setup FreeBSD PowerPC update
      OPENSSL_cpuid_setup FreeBSD arm update.

Dmitry Belyavskiy (1):
      Skip BOM when reading the config file

Dr. David von Oheimb (58):
      apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL
      apps/pkey.c: Make clear that -passout is not supported for DER output
      apps/pkey.c: Re-order help output and option documentation
      apps/pkey.c: Further improve user guidance, also on non-sensical option combinations
      APPS: Fix confusion between program and app/command name used in diagnostic/help output
      APPS: Print help also on -h and --h; print high-level help when no cmd given
      Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1
      TEST: move cert, key, and CSR loading aux functions to new testutil/load.c
      Make PEM_X509_INFO_read_bio_ex() conservative on the error queue
      x509_vfy.c: Fix a regression in find_issuer()
      d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX()
      X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed due to invalid cert
      apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default
      APPS: Allow OPENSSL_CONF to be empty, not loading a config file
      apps/req.c: add -CA and -CAkey options; improve code and doc
      Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c
      apps/lib/opt.c: Fix error message on unknown option/digest
      X509_PUBKEY_set(): Fix error reporting
      apps/req.c: make -subj work with -x509; clean up related code
      Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert
      apps/req.c: Add -copy_extensions option for use with -x509; default: none
      crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c
      apps/req.c: Cosmetic improvements of code and documentation
      apps/req.c: Make sure -verify option takes effect also with -x509
      x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST
      find_issuer(): When returning an expired issuer, take the most recently expired one
      X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it
      bio_lib.c: Fix error queue entries and return codes on NULL args etc.
      util/check-format.pl: Minor improvements of whitespace checks
      x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF()
      make various test CA certs RFC 5280 compliant w.r.t. X509 extensions
      ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input
      X509: Enable printing cert even with invalid validity times, saying 'Bad time value'
      25-test_x509.t: Minor update: do not anymore unlink test output files
      25-test_x509.t: Minor update: factor out path for test input files
      25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled
      apps/x509.c: Take the -signkey arg as default pubkey with -new
      apps/x509.c: Major code, user guidance, and documentation cleanup
      constify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid()
      X509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)'
      X509_REQ_print_ex(): Correct indentation of extensions, which are attributes
      apps.c: Clean up copy_extensions()
      80-test_ssl_old.t: Minor corrections: update name of test dir etc.
      apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req
      apps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options
      X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc.
      apps/cmp.c: Improve diagnostics on loading private vs. public key for cert request
      apps/cmp.c: Check self-signature on CSR input and warn on failure
      X509_REQ_get_extensions(): Return empty stack if no extensions found
      CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages
      Util/Pod.pm: Fix uninitialized $podinfo{lastsecttext} on empty input
      Add check of HTTP method to OSSL_HTTP_REQ_CTX_content()
      rename OSSL_HTTP_REQ_CTX_header to OSSL_HTTP_REQ_CTX_set_request_line
      OSSL_HTTP_REQ_CTX_new(): replace method_GET parameter by method_POST
      OSSL_HTTP_REQ_CTX.pod: minor addition and remove redundant paragraph
      OCSP HTTP: Restore API of undocumented and recently deprecated functions
      TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY

Dr. Matthias St. Pierre (1):
      v3_ocsp.c: fix indentation of include directives

John Baldwin (1):
      Close /dev/crypto file descriptor after CRIOGET ioctl().

Jon Spillett (3):
      Allow EVP_PKEY private key objects to be created without a public component
      test-gendsa: Add test cases with FIPS provider
      apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters

Kurt Roeckx (1):
      Fix memory leak in mac_newctx() on error

Matt Caswell (18):
      Prepare for 3.0 alpha 11
      Ensure DTLS free functions can handle NULL
      Fix enable-weak-ssl-ciphers
      Fix a crash with multi-threaded applications using the FIPS module
      Add a test for performing work in multiple concurrent threads
      Document the core_thread_start upcall
      Lock the provider operation_bits
      Make sure we take the ctx->lock in ossl_lib_ctx_generic_new()
      Enable locking on the primary DRBG when we create it
      Extend the threads test to add simple fetch from multi threads
      Fix an issue in provider_activate_fallbacks()
      Fix a failure where fetches can return NULL in multi-threaded code
      Ensure SRP BN_mod_exp follows the constant time path
      Ensure legacy_asn1_ctrl_to_param can handle MDs not in the OBJ database
      Don't copy parameters on setting a key in libssl
      Fix no-dh and no-dsa
      Add EVP_PKEY functions to get EC conv form and field type
      Fix running mingw dhparam test under wine

Michael Baentsch (4):
      Adding TLS group name retrieval
      Enhance default provider documentation
      fall-back -> fallback find-doc-nit addition

Nicola Tuveri (5):
      [test] Add `pkey -check` validation tests
      [apps/pkey] Return error on failed `-[pub]check`
      [test][pkey_check] Add invalid SM2 key test
      Add SM2 private key range validation
      [test][pkey_check] Add more invalid SM2 key tests

Otto Hollmann (4):
      Fix set_ciphersuites ignore unknown ciphers.
      Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites.
      Fixed error and return code.
      Remove extra space.

Pauli (1):
      Remove unused DRBG tests.

Rich Salz (3):
      Document openssl thread-safety
      Deprecate OCSP_xxx API for OSSL_HTTP_xxx
      Deprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex

Richard Levitte (27):
      Configure: Check all SOURCE declarations, to ensure consistency
      Configure: clean away perl syntax faults
      Configure: warn about duplicate GENERATE declarations in build.info files
      Remove duplicate GENERATE declarations for .pod files
      Use centralized fetching errors
      Clean away extraneous library specific FETCH_FAILED reason codes
      Make the OSSL_PARAM manual conform with man-pages(7)
      Make the OSSL_SELF_TEST manual conform with man-pages(7)
      Make the OSSL_HTTP manual conform with man-pages(7)
      Make the OSSL_PROVIDER manual conform with man-pages(7)
      Make the OSSL_trace manual conform with man-pages(7)
      Make header references conform with man-pages(7) in all manuals
      Make the OSSL_CMP manual conform with man-pages(7)
      Fix crypto/des/build.info
      Fix incomplete deprecation guard in test/sslapitest.c
      DOCS: Fix the last few remaining pass phrase options references
      Unix Makefile generator: separate "simple" shared libraries from import libraries
      Unix Makefile generator: Fix empty basename calls
      Github CI: Add a job for out-of-source build + install
      Drop Travis
      Clean away unnecessary length related OSSL_PARAM key names
      DOC: Fix a few minor issues in OSSL_ENCODER / OSSL_DECODER docs
      Fix OSSL_PARAM_allocate_from_text() for EBCDIC
      APPS: Restore inclusions
      Update NEWS.md before alpha11 release
      Update copyright year
      Prepare for release of 3.0 alpha 11

Romain Geissler (1):
      Fix simpledynamic test compilation when configured without DSO support.

Sahana Prasad (1):
      doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code.

Shane Lontis (5):
      CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**.
      Fix PKCS7 potential segfault
      Remove pkey_downgrade from PKCS7 code
      Add functions to set values into an EVP_PKEY
      Deprecate EC_KEY + Update ec apps to use EVP_PKEY

Thomas De Schampheleire (1):
      replace 'unsigned const char' with 'const unsigned char'

Tim Hitchins (1):
      Fix typo in crl2pkcs documentation

Tomas Mraz (20):
      chacha20: Properly reinitialize the cipher context with NULL key
      Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity
      ec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys
      CI: Add some legacy stuff that we do not test in GitHub CI yet
      Pass correct maximum output length to provider derive operation
      Fixes related to broken DH support in CMS
      kdf_exch.c (kdf_derive): Proper handling of NULL secret
      Make the smdh.pem test certificate usable with fips provider
      dh_cms_set_peerkey: The peer key is encoded as an ASN.1 integer
      dh_cms_set_shared_info: Use explicit fetch to be able to provide libctx
      bn: Deprecate the X9.31 RSA key generation related functions
      krb5kdf: Do not dereference NULL ctx when allocation fails
      Disable the test-ec completely when building with no-ec
      Avoid using OSSL_PKEY_PARAM_GROUP_NAME when the key might be legacy
      Add manpage for EVP_PKEY_get_field_type and EVP_PKEY_get_point_conv_form
      EVP_PKEY_get_group_name works with public keys as well
      ssl_old_test.c: Replace use of deprecated EC functions
      ec: Document that -conv_form and -no_public are not supported with engine
      Add checks for NULL return from EC_KEY_get0_group()
      Check that the ecparam and pkeyparam do not mangle the parameters

Vadim Fedorenko (1):
      ktls: Initial support for ChaCha20-Poly1305

anupamam13 (1):
      Fix for negative return value from `SSL_CTX_sess_accept()`

zsugabubus (1):
      Check input size before NULL pointer test inside mem_write()

