[openssl] openssl-3.0.0-alpha11 create
Richard Levitte
levitte at openssl.org
Thu Jan 28 13:18:09 UTC 2021
The annotated tag openssl-3.0.0-alpha11 has been created
at 8ec1e7c79f7c0e2a6e1aebdff08584f9004a1100 (tag)
tagging 31a89254d8225bab5c33be88e08296786da6af6a (commit)
replaces openssl-3.0.0-alpha10
tagged by Richard Levitte
on Thu Jan 28 14:08:09 2021 +0100
- Log -----------------------------------------------------------------
OpenSSL 3.0.0-alpha11 release tag
-----BEGIN PGP SIGNATURE-----
iF0EABECAB0WIQTEyrdJw09/TMBP2smnr5549wlFOwUCYBK3OgAKCRCnr5549wlF
O9SFAKCn1YMnaGH8wvIxZtTd4KXg9JNl5gCgoWt69D3J+AfqN1y8BiVpPQh4uOE=
=51Cm
-----END PGP SIGNATURE-----
Agustin Gianni (1):
Fix incorrect use of BN_CTX API
Billy Brumley (1):
[crypto/dh] side channel hardening for computing DH shared keys
Daiki Ueno (1):
params: OSSL_PARAM_utf8_ptr: don't automatically reference `address`
Daniel Bevenius (2):
Correct typo in rsa_oaep.c
Fix typo in thread_once comments
David Carlier (2):
OPENSSL_cpuid_setup FreeBSD PowerPC update
OPENSSL_cpuid_setup FreeBSD arm update.
Dmitry Belyavskiy (1):
Skip BOM when reading the config file
Dr. David von Oheimb (58):
apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL
apps/pkey.c: Make clear that -passout is not supported for DER output
apps/pkey.c: Re-order help output and option documentation
apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations
APPS: Fix confusion between program and app/command name used in diagnostic/help output
APPS: Print help also on -h and --h; print high-level help when no cmd given
Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1
TEST: move cert, key, and CSR loading aux functions to new testutil/load.c
Make PEM_X509_INFO_read_bio_ex() conservative on the error queue
x509_vfy.c: Fix a regression in find_issuer()
d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX()
X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert
apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default
APPS: Allow OPENSSL_CONF to be empty, not loading a config file
apps/req.c: add -CA and -CAkey options; improve code and doc
Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c
apps/lib/opt.c: Fix error message on unknown option/digest
X509_PUBKEY_set(): Fix error reporting
apps/req.c: make -subj work with -x509; clean up related code
Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert
apps/req.c: Add -copy_extensions option for use with -x509; default: none
crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c
apps/req.c: Cosmetic improvements of code and documentation
apps/req.c: Make sure -verify option takes effect also with -x509
x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST
find_issuer(): When returning an expired issuer, take the most recently expired one
X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it
bio_lib.c: Fix error queue entries and return codes on NULL args etc.
replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER
util/check-format.pl: Minor improvements of whitespace checks
x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF()
make various test CA certs RFC 5280 compliant w.r.t. X509 extensions
ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input
X509: Enable printing cert even with invalid validity times, saying 'Bad time value'
25-test_x509.t: Minor update: do not anymore unlink test output files
25-test_x509.t: Minor update: factor out path for test input files
25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled
apps/x509.c: Take the -signkey arg as default pubkey with -new
apps/x509.c: Major code, user guidance, and documentation cleanup
constify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid()
X509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)'
X509_REQ_print_ex(): Correct indentation of extensions, which are attributes
apps.c: Clean up copy_extensions()
80-test_ssl_old.t: Minor corrections: update name of test dir etc.
apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req
apps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options
X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc.
apps/cmp.c: Improve diagnostics on loading private vs. public key for cert request
apps/cmp.c: Check self-signature on CSR input and warn on failure
X509_REQ_get_extensions(): Return empty stack if no extensions found
CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages
Util/Pod.pm: Fix uninitialized $podinfo{lastsecttext} on empty input
Add check of HTTP method to OSSL_HTTP_REQ_CTX_content()
rename OSSL_HTTP_REQ_CTX_header to OSSL_HTTP_REQ_CTX_set_request_line
OSSL_HTTP_REQ_CTX_new(): replace method_GET parameter by method_POST
OSSL_HTTP_REQ_CTX.pod: minor addition and remove redundant paragraph
OCSP HTTP: Restore API of undocumented and recently deprecated functions
TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY
Dr. Matthias St. Pierre (1):
v3_ocsp.c: fix indentation of include directives
John Baldwin (1):
Close /dev/crypto file descriptor after CRIOGET ioctl().
Jon Spillett (3):
Allow EVP_PKEY private key objects to be created without a public component
test-gendsa: Add test cases with FIPS provider
apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters
Kurt Roeckx (1):
Fix memory leak in mac_newctx() on error
Matt Caswell (18):
Prepare for 3.0 alpha 11
Ensure DTLS free functions can handle NULL
Fix enable-weak-ssl-ciphers
Fix a crash with multi-threaded applications using the FIPS module
Add a test for performing work in multiple concurrent threads
Document the core_thread_start upcall
Lock the provider operation_bits
Make sure we take the ctx->lock in ossl_lib_ctx_generic_new()
Enable locking on the primary DRBG when we create it
Extend the threads test to add simple fetch from multi threads
Fix an issue in provider_activate_fallbacks()
Fix a failure where fetches can return NULL in multi-threaded code
Ensure SRP BN_mod_exp follows the constant time path
Ensure legacy_asn1_ctrl_to_param can handle MDs not in the OBJ database
Don't copy parameters on setting a key in libssl
Fix no-dh and no-dsa
Add EVP_PKEY functions to get EC conv form and field type
Fix running mingw dhparam test under wine
Michael Baentsch (4):
Adding TLS group name retrieval
Enhance default provider documentation
Update SERVER_HELLO_MAX_LENGTH
fall-back -> fallback find-doc-nit addition
Nicola Tuveri (5):
[test] Add `pkey -check` validation tests
[apps/pkey] Return error on failed `-[pub]check`
[test][pkey_check] Add invalid SM2 key test
Add SM2 private key range validation
[test][pkey_check] Add more invalid SM2 key tests
Otto Hollmann (4):
Fix set_ciphersuites ignore unknown ciphers.
Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites.
Fixed error and return code.
Remove extra space.
Pauli (1):
Remove unused DRBG tests.
Rich Salz (3):
Document openssl thread-safety
Deprecate OCSP_xxx API for OSSL_HTTP_xxx
Deprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex
Richard Levitte (27):
Configure: Check all SOURCE declarations, to ensure consistency
Configure: clean away perl syntax faults
Configure: warn about duplicate GENERATE declarations in build.info files
Remove duplicate GENERATE declarations for .pod files
Use centralized fetching errors
Clean away extraneous library specific FETCH_FAILED reason codes
Make the OSSL_PARAM manual conform with man-pages(7)
Make the OSSL_SELF_TEST manual conform with man-pages(7)
Make the OSSL_HTTP manual conform with man-pages(7)
Make the OSSL_PROVIDER manual conform with man-pages(7)
Make the OSSL_trace manual conform with man-pages(7)
Make header references conform with man-pages(7) in all manuals
Make the OSSL_CMP manual conform with man-pages(7)
Fix crypto/des/build.info
Fix incomplete deprecation guard in test/sslapitest.c
DOCS: Fix the last few remaining pass phrase options references
Unix Makefile generator: separate "simple" shared libraries from import libraries
Unix Makefile generator: Fix empty basename calls
Github CI: Add a job for out-of-source build + install
Drop Travis
Clean away unnecessary length related OSSL_PARAM key names
DOC: Fix a few minor issues in OSSL_ENCODER / OSSL_DECODER docs
Fix OSSL_PARAM_allocate_from_text() for EBCDIC
APPS: Restore inclusions
Update NEWS.md before alpha11 release
Update copyright year
Prepare for release of 3.0 alpha 11
Romain Geissler (1):
Fix simpledynamic test compilation when condigured without DSO support.
Sahana Prasad (1):
doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code.
Shane Lontis (5):
CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**.
Fix PKCS7 potential segfault
Remove pkey_downgrade from PKCS7 code
Add functions to set values into an EVP_PKEY
Deprecate EC_KEY + Update ec apps to use EVP_PKEY
Thomas De Schampheleire (1):
replace 'unsigned const char' with 'const unsigned char'
Tim Hitchins (1):
Fix typo in crl2pkcs documentation
Tomas Mraz (20):
chacha20: Properly reinitialize the cipher context with NULL key
Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity
ec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys
CI: Add some legacy stuff that we do not test in GitHub CI yet
Pass correct maximum output length to provider derive operation
Fixes related to broken DH support in CMS
kdf_exch.c (kdf_derive): Proper handling of NULL secret
Make the smdh.pem test certificate usable with fips provider
dh_cms_set_peerkey: The peer key is encoded as an ASN.1 integer
dh_cms_set_shared_info: Use explicit fetch to be able to provide libctx
bn: Deprecate the X9.31 RSA key generation related functions
krb5kdf: Do not dereference NULL ctx when allocation fails
Disable the test-ec completely when building with no-ec
Avoid using OSSL_PKEY_PARAM_GROUP_NAME when the key might be legacy
Add manpage for EVP_PKEY_get_field_type and EVP_PKEY_get_point_conv_form
EVP_PKEY_get_group_name works with public keys as well
ssl_old_test.c: Replace use of deprecated EC functions
ec: Document that -conv_form and -no_public are not supported with engine
Add checks for NULL return from EC_KEY_get0_group()
Check that the ecparam and pkeyparam do not mangle the parameters
Vadim Fedorenko (1):
ktls: Initial support for ChaCha20-Poly1305
anupamam13 (1):
Fix for negative return value from `SSL_CTX_sess_accept()`
zsugabubus (1):
Check input size before NULL pointer test inside mem_write()
-----------------------------------------------------------------------
More information about the openssl-commits
mailing list