[openssl] openssl-3.0.0-beta2 create

Matt Caswell matt at openssl.org
Thu Jul 29 15:15:19 UTC 2021

The annotated tag openssl-3.0.0-beta2 has been created
        at  9e34480b312df6080aeca3e71e3c9d6893e66beb (tag)
   tagging  9f551541e84eead1d42604b7d5e61885e8e34be0 (commit)
  replaces  openssl-3.0.0-beta1
 tagged by  Matt Caswell
        on  Thu Jul 29 15:50:30 2021 +0100

- Log -----------------------------------------------------------------
OpenSSL 3.0.0-beta2 release tag


Benjamin Kaduk (1):
      Fix comment for test_negotiated_group() test order

Christian Heimes (1):
      Fix segfault in openssl x509 -modulus

Daiki Ueno (2):
      BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given
      apps: Use the first detected address family if IPv6 is not available

David Benjamin (1):
      Fix use of uninitialized memory in test_rsa_oaep

David CARLIER (1):
      darwin platform replacing getentropy usage by platform api instead.

Dmitry Belyavskiy (2):
      Some clear guidelines for the legacy algs.
      Missing link to fips_config documentation

Dr. David von Oheimb (22):
      http_client.c: fix OSSL_HTTP_proxy_connect() for HTTPS proxy use
      http_client.c: fix error reporting (a char was missing; improve style)
      http_client.c: make prefix checking more readable and more efficient
      http_client.c: make HTTP_LINE1_MINLEN more efficient
      http_client.c: fix HTTP_VERSION_STR_LEN and make it more efficient
      cmp_mock_srv.c: Fix polling mode such that it can be done multiple times
      cmp_client.c: Print checkAfter value from pollRep before it may get modified
      cmp_server.c: Fix check: certConf not allowed after transaction is closed
      CMP: Clean up internal message creation API and its documentation
      ossl_sk_ASN1_UTF8STRING2text(): Minor generalization and refactoring for readability
      CMP: Improve reporting of error codes and related strings via 'error' msg
      Fix file_name_check() in storemgmt/file_store.c and e_loader_attic.c
      DOC: Clarify the role of EKUs including defaults for TLS client and server use
      ossl_cmp_error_new(): Fix Coverity issue 1486534, and consequently also issues 1486536 and 1486533
      CMP: Add missing getter functions to CRMF API and CMP API
      cmp_mock_srv.c: Add missing OldCertID check for 'kur' cert update requests
      OSSL_CRMF_{CERTTEMPLATE,CERTID}_get0_serialNumber(): Make result const for consistency
      Improve doc of OSSL_HTTP_REQ_CTX_set_expected() on timeout param < 0
      Fix legacy OCSP_REQ_CTX_http() function to expect ASN.1 formatted input
      SSL_CTX_set_cert_verify_callback.pod: various corrections and clarifications
      tls_process_{client,server}_certificate(): allow verify_callback return > 1
      OSSL_HTTP_open(): Fix memory leak on TLS connect failure via proxy

Hubert Kario (2):
      cross-reference the DH and RSA SECLEVEL to level of security mappings
      doc: make error checking in ticket handling code explicit

Ingo Schwarze (1):
      Fix a read buffer overrun in X509_aux_print().

John Baldwin (2):
      Refactor KTLS tests to better support TLS 1.3.
      Add tests for KTLS with Chacha20-Poly1035.

Juergen Christ (1):
      Fix compile warning with GCC 11.

Lőrinczy, Zsigmond (1):
      Update config.pm

Marek (1):
      Add demo for HKDF

Martin Schwenke (12):
      ec: Fail build on big-endian with enable-ec_nistp_64_gcc_128
      bn: Drop use of .p2align pseudo-op
      bn: Update .align pseudo-ops to match convention
      bn: Drop unnecessary use of r9
      bn: Switch $i to be unused r9
      bn: save/restore registers to/from stack
      ec: Drop uses of .cfi_startproc/.cfi_endproc pseudo-ops
      ec: Add alignment pseudo-op at beginning of function
      ec: Only build ecp_nistp521-ppc64.s if enable-ec_nistp_64_gcc_128
      bn: Use a basic branch-if-not-zero
      bn: Fix .size directive
      bn: Make fixed-length Montgomery Multiplication conditional on PPC64

Matt Caswell (45):
      Prepare for 3.0 beta 2
      Ensure we remove libctx DRBG state before removing the provider store
      Add a test for a custom rand provider
      Instantiate predefined providers just-in-time
      Instantiate user-added builtin providers when we need them
      Instantiate configuration supplied providers when we need them
      Add a new provider to the store only after we activate it
      Remove flag_couldbechild
      Set use_fallbacks to zero when we add a provider to the store
      Merge ossl_provider_activate() and ossl_provider_activate_child()
      Only associate a provider with a store once it has been added to it
      Don't hold any locks while calling the provider init function
      Add a test to check that RAND_bytes_ex() works with a child lib ctx
      Don't skip the current provider in ossl_provider_register_child_cb
      make struct provider_info_st a full type
      Update documentation following updates to the provider code
      Move OPENSSL_add_builtin back into provider.c
      Fix a race in ossl_provider_add_to_store()
      Add wrap.pl to .gitignore
      Ensure ordinals are created during release process
      Avoid some MinGW test failures
      Use TEST_time_t_* functions in cmp_hrd_test.c
      Work around a 32-bit mingw failure
      Avoid "excessive message size" for session tickets
      Don't add the first pkcs12 certificate multiple times
      Add a PKCS12 test to check with one input cert we get one output cert
      Fix s_server PSK handling
      Don't reset the packet pointer in ssl3_setup_read_buffer
      Disallow SSL_key_update() if there are writes pending
      Fix signed/unsigned comparison warnings in sslapitest
      Fix some minor record layer issues
      Update our EVP_PKEY_METHODs to get low level keys via public APIs
      Fix custom EVP_PKEY_METHOD implementations where no engine is present
      Add a test for custom EVP_PKEY_METHODs
      Mark the EVP_PKEY_METHOD arg as const on some EVP_PKEY_meth_get_*() funcs
      Fix EVP_MD_meth_dup and EVP_CIPHER_meth_dup
      Add a test case for EVP_MD_meth_dup() and EVP_CIPHER_meth_dup()
      Don't leak the OSSL_LIB_CTX in the event of a failure to load the FIPS module
      Ensure any default_properties still apply even in the event of a provider load failure
      Don't try and load the config file while already loading the config file
      Add some testing for the case where the FIPS provider fails to load
      Update fingerprints.txt
      Update copyright year
      make update
      Prepare for release of 3.0 beta 2

Oliver Mihatsch (1):
      Fix memory leak in i2d_ASN1_bio_stream

Paul Kehrer (1):
      update pyca-cryptography regression test suite

Pauli (85):
      params: avoid using intmax_t since it's not well supported
      params: fix range check when converting double to uint64_t.
      ssl: do not choose auto DH groups that are weaker than the security level
      test: add test for auto DH security level meets the minimum
      include: replace tabs with spaces in headers
      ssl: replace tabs with spaces
      test: replace tabs with spaces in test recipes
      crypto: replace tabs with spaces
      punycode: fix indentation
      ssl: fix indentation
      ssl: fix indentation
      asn1: fix indentation
      rsa:  fix indentation
      test: fix indentation
      sm3: fix function names after the big ossl_ prefix addition.
      test: put the new DHE auto test in the correct place
      asn1: properly clean up on failed BIO creation
      testutil: preserve app_malloc()'s failure behaviour
      doc: Document that the OBJ creation functions don't lock.
      err: add unable to get lock errors
      property: add locking for the property string database
      property: remove spurious incorrect comments
      test: add EVP_Q_digest tests to evp_test
      test: add EVP_Q_mac tests to evp_test
      apps: properly initialise arguments to EVP_PKEY_get_bn_param()
      x509: address NULL dereference and memory leaks
      apps: address potential memory leaks
      ui: address potential memory leak
      evp_test: address NULL pointer dereference and return failure better
      test: avoid memory leaks on errors
      test: check for NULL returns better
      doc: update up call documentation
      evp_test: use correct size in memory clear
      x509: improve error reporting
      test: fix coverity 1469427 Improper use of negative value (NEGATIVE_RETURNS)
      bio: check for valid socket when closing
      s_time: avoid unlikely division by zero
      dh_test: fix coverity 1473239 Argument cannot be negative (NEGATIVE_RETURNS)
      evp: fix coverity 1473380 Copy into fixed size buffer (STRING_OVERFLOW)
      test: fix test ordering in threads test
      afalg: add some memory initialisation calls to pacify memory sanitisation.
      ci: add a memory sanitiser test run
      provider: use #define for PBKDF1 algorithm name
      doc: add PBKDF1 provider documentation
      doc: include PBKDF1 documentation in build.info
      util: add -fips option to wrap.pl to make using the FIPS provider easier
      test: add some integral type size sanity checks
      err: remove ERR_GET_FUNC()
      doc: update documentation to note removal of ERR_GET_FUNC()
      changes: add entry noting the removal of ERR_GET_FUNC()
      bn: produce correct sign for result of BN_mod()
      evp: detect and raise an error if no digest is found for a sign/verify operation
      apps: fix Coverity 1451531 Unchecked return value
      test: rename apps_mem.c to be apps_shims.c in anticipation of additional functions
      test: add a shim function for the apps's opt_legacy_okay() function
      test: make build descriptions more consistent
      apps: add query to allow a command to know if a provider command line option was processed
      apps: add a function opt_legacy_okay() that indicates if legacy paths are permitted or not
      app: add library context and propq arguments to opt_md() and opt_cipher()
      doc: document the new opt_legacy_okay() function's behaviour
      asn.1: fix Coverity 1487104 Logically dead code
      apps: avoid using POSIX IO macros and functions when built without them.
      Remove lower limit on GCM mode ciphers
      test: add single byte IV AES GCM tests
      evp: constify some OSSL_PARAM arguments
      doc: document the params arguments to the initialisation functions.
      config: enable ACVP test case if FIPS is enabled.
      test: fix use after scope problem in ACVP test
      demo: add pbkdf2 demonstration program
      demo: add scrypt demonstration program
      demos: add Makefile support for pbkdf2 and scrypt KDF demos
      demos: update readme file with pbkdf2 and scrypt examples.
      drbg: allow the ctr derivation function to be disabled in FIPS mode
      err: remove the derivation function is mandatory for FIPS error message since it's no longer used and newly introduced
      docs: update CTR DRBG documentation to not mention the lack of a derivation function in FIPS
      test: include all DRBG tests in FIPS mode
      ci: omit tests that consume too much memory
      ci: reinstate the passwd tests for the no-cached-fetch run.
      ci: QEMU based cross compiled testing
      test: handle not a number (NaN) values in the param conversion test.
      QEMU: include test runs for most cross compilation targets
      ci: add the param conversion tests to the cross compiles.
      ci: get rid of no-asm flag to m68k cross compiles
      ci: disable async for the SH4 build and reenable the associated test
      test: add a comment indication that a bad MAC is intentional

Petr Gotthard (2):
      BIO_new_from_core_bio: Fix heap-use-after-free after attach
      doc: fix OPENSSL_VERSION_NUMBER length in the synopsis

Randall S. Becker (4):
      Add assert.h to threads_pthread.c for NonStop thread compiles.
      Document cross-compile considerations for NonStop x86 builds.
      Defined out MUTEX attributes not available on NonStop SPT Threads.
      Made foreign bit field unsigned in evp.h

Rich Salz (1):
      Fix bug in X509_print_ex

Richard Levitte (45):
      OpenSSL::Test: Move the command line quotifier
      Make util/wrap.pl work better on VMS
      TESTS: drop explicit quotes from empty command line arguments
      STORE: Fix OSSL_STORE_open_ex() error reporting
      Fix definition of ossl_intmax_t and ossl_uintmax_t
      APPS: Make fallback opt_[u]intmax() implementations based on long
      APPS & TEST: Use ossl_[u]intmax_t rather than [u]intmax_t
      test/recipes/80-test_cmp_http.t: use app() rather than cmd()
      test/recipes/81-test_cmp_cli.t: use app() rather than cmd()
      TEST: check 'loadereng' to determine if loader_attic should be tested
      Configure: Reflect that We don't build loader_attic when dynamic-engine is disabled
      EVP: Change the output size type of EVP_Q_digest() and EVP_Q_mac()
      Adapt other parts of the source to the changed EVP_Q_digest() and EVP_Q_mac()
      test/recipes/90-test_shlibload.t: Modify to work with known file names
      TEST: Modify simpledynamic.[ch] to allow use on VMS as well
      OpenSSL::Util::fixup_cmd_elements(): Include '!' among the VMS chars to process
      Fix test_errstr for VMS
      UTF-8 not easily supported on VMS command line yet
      test/ossl_store_test.c: Adapt the use of datadir for VMS paths
      testutil: teach test_mk_file_path() how to merge VMS file specs
      test/recipes/66-test_ossl_store.t: ensure native paths
      test/recipes/80-test_ca.t: Don't force quotes around the config file in $cnf
      apps/CA.pl.in: restore the quotes around -CAfile, they were there for a reason
      test/recipes/90-test_includes_data/vms-includes.cnf: correct the directory
      ENCODER & DECODER: Allow en/decoders to have multiple names
      Fix 'openssl req' to correctly use the algorithm from '-newkey algo:nnnn'
      PROV: Have our PEM->DER decoder only recognise our PEM names
      ENCODER & DECODER: Make a tighter coupling between en/decoders and keymgmt
      OSSL_STORE: Fix crash when tracing STORE
      DECODER & ENCODER: Make sure to pass around the original selection bits
      EVP: Have EVP_PKCS82PKEY_ex() pass a correct selection to OSSL_DECODER
      TEST: Add testing of PVK and MSBLOB files to test_store
      PROV & STORE: Don't decode keys in the 'file:' store loader
      PROV & STORE: Make the 'file:' store loader understand more binary formats
      CRYPTO: Remove the check for built-in methods in the export_to function
      platform->sharedlib_simple(): return undef when same as platform->sharedlib()
      Configurations/unix-Makefile.tmpl: use platform->sharedlib() as fallback
      TEST: Check that i2d refuses to encode non-optional items with no content
      ASN.1: Refuse to encode to DER if non-optional items are missing
      Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN
      Fix test/asn1_encode_test.c to handle encoding/decoding failure
      Avoid empty lines in nmake rule bodies
      EVP: Add EVP_PKEY_get0_provider() and EVP_PKEY_CTX_get0_provider()
      DOCS: Move the description of EVP_PKEY_get0_description()

Robbie Harwood (1):
      Update dependencies for krb5 external test

Shane Lontis (6):
      Fix aes_core to use U64() macro..
      Change self test for AES_CGM to perform both an encrypt and decrypt.
      Add table entries for fips 186-5 related to RSA auxiliary probable primes.
      Fix compile errors when building with --api=1.1.0 no-deprecated.
      Add test for provider gettables
      Add HKDF negative tests

Syrone Wong (1):
      Fix OSSL_TRACE9 missing arg9

Theo Buehler (1):
      Fix two typos in OSSL_trace_enabled.pod

Tianjia Zhang (1):
      Remove executable mode attributes of non-executable files

Todd Short (1):
      Add missing session timeout calc

Tomas Mraz (45):
      aix64-gcc target: Fix build breakage with enable-fips
      Replace non-ASCII character in source file
      evp_test: Support testing of stitched TLS ciphers
      simpledynamic: Add missing include for AIX builds
      Documentation: SM2 keys can use only the SM2 curve
      ossl_pw_get_passphrase: No ui method does not necessarily mean internal error
      epki2pki_decode: passphrase callback failure is fatal error
      OSSL_DECODER_from_bio: Avoid spurious decoder error
      trace: Do not produce dead code calling BIO_printf if disabled
      ppccap.c: Split out algorithm-specific functions
      Only the fips module dependencies are relevant for fips.module.sources
      Update fips sources and checksums
      coverity #1486531: return error properly from x509_pubkey_ex_new_ex()
      coverity #1486532: fix potential NULL dereference in test_mk_file_path()
      doc: Mention the update of der data pointers in d2i/i2d
      pem_read_bio_key_decoder: Avoid spurious error on unknown PEM data
      pem_read_bio_key: Add passphrase caching to avoid asking for password twice
      load_pkey_pem: Check for spurious errors when loading
      test_pem_reading: Test loading a key from a file with multiple PEM data
      load_key_certs_crls: Avoid reporting any spurious errors
      PEM_read_...: document that garbage and other PEM data is skipped
      Coverity #1486687: fix potential dereference of NULL keymgmt
      rsa_cms_verify: Avoid negative return with missing pss parameters
      fips module header inclusion fine-tuning
      update fips checksums
      test_cmp_ctx: Avoid using empty X509 with i2d
      doc: Document that incomplete certificates return error
      Make EVP_PKEY_check() be an alias for EVP_PKEY_pairwise_check()
      Split bignum code out of the sparcv9cap.c
      acvp_test: Fix incorrect parenthesis
      Signature algos: allow having identical digest in params
      CI: have enable-acvp-tests in some CI build
      Drop daily run-checker build with just enable-acvp-tests
      Allow RSA signature operations with RSA_NO_PADDING
      evp_test: Add tests for rsa_padding_mode:none
      RSA_public_decrypt is equivalent to a verify recover operation
      doc: It is not possible to use SSL_OP_* value in preprocessor conditions
      DSA/RSA_print(): Fix potential memory leak
      do_sigver_init: Add missing ERR_clear_last_mark()
      Fix potential problems with EVP_PKEY_CTX_new() with engine set
      ECDSA_SIG_set0: r and s parameters cannot be NULL
      ECDSA_SIG_set0(): Clarify documentation and fix formatting errors
      Drop no-ktls from runchecker daily build as it has no effect
      Test ktls in non-default options CI build
      KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it

jenda1 (1):
      Makefile: Avoid changing LIBDIR based on whether it already exists

yangyangtiantianlonglong (1):
      Add testcases for SSL_key_update() corner case calls

yunh (1):
      enable getauxval on android 10

杨明君 (1):
      test: add sm3 low level test case to test suite.

