[openssl] openssl-3.0.0-beta2 create
Matt Caswell
matt at openssl.org
Thu Jul 29 15:15:19 UTC 2021
The annotated tag openssl-3.0.0-beta2 has been created
at 9e34480b312df6080aeca3e71e3c9d6893e66beb (tag)
tagging 9f551541e84eead1d42604b7d5e61885e8e34be0 (commit)
replaces openssl-3.0.0-beta1
tagged by Matt Caswell
on Thu Jul 29 15:50:30 2021 +0100
- Log -----------------------------------------------------------------
OpenSSL 3.0.0-beta2 release tag
-----BEGIN PGP SIGNATURE-----
iQFFBAABCAAvFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmECwDYRHG1hdHRAb3Bl
bnNzbC5vcmcACgkQ2cTSbQ5gRJFN4Qf/RtGlb8u3mITyqOs5uGBFcN6iP6YVUHvV
s3X8Hjgs8d+a0tbTp7SHSlWv30OgMdVH6WbKFOzdZ8bSBEheDEF0P8XGWU2/M9lF
GBTfFG+upruURSLL00kyKea0bVorbk2/j4+jamDY2E8TPIcJeXM3sPQsfFvjV504
if1mruIWjuTLDLCbyaBF6jPeWML1mqO59AKDAfEWln9p2+KOBRFdGvlwm6cv2UjE
61xLheCiwLfo4dbV+Zxu1lCa6m9d2dvkUp/6AHURZxr83LIIekdC9eog0if05Kah
LvXi/G3QrcdgDNHizbsaUrkbSl2DK2CTruzqKGf5fowoosPIQL7XUw==
=l8M6
-----END PGP SIGNATURE-----
Benjamin Kaduk (1):
Fix comment for test_negotiated_group() test order
Christian Heimes (1):
Fix segfault in openssl x509 -modulus
Daiki Ueno (2):
BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given
apps: Use the first detected address family if IPv6 is not available
David Benjamin (1):
Fix use of uninitialized memory in test_rsa_oaep
David CARLIER (1):
darwin platform replacing getentropy usage by platform api instead.
Dmitry Belyavskiy (2):
Some clear guidelines for the legacy algs.
Missing link to fips_config documentation
Dr. David von Oheimb (22):
http_client.c: fix OSSL_HTTP_proxy_connect() for HTTPS proxy use
http_client.c: fix error reporting (a char was missing; improve style)
http_client.c: make prefix checking more readable and more efficient
http_client.c: make HTTP_LINE1_MINLEN more efficient
http_client.c: fix HTTP_VERSION_STR_LEN and make it more efficient
cmp_mock_srv.c: Fix polling mode such that it can be done multiple times
cmp_client.c: Print checkAfter value from pollRep before it may get modified
cmp_server.c: Fix check: certConf not allowed after transaction is closed
CMP: Clean up internal message creation API and its documentation
ossl_sk_ASN1_UTF8STRING2text(): Minor generalization and refactoring for readability
CMP: Improve reporting of error codes and related strings via 'error' msg
Fix file_name_check() in storemgmt/file_store.c and e_loader_attic.c
DOC: Clarify the role of EKUs including defaults for TLS client and server use
ossl_cmp_error_new(): Fix Coverity issue 1486534, and consequently also issues 1486536 and 1486533
CMP: Add missing getter functions to CRMF API and CMP API
cmp_mock_srv.c: Add missing OldCertID check for 'kur' cert update requests
OSSL_CRMF_{CERTTEMPLATE,CERTID}_get0_serialNumber(): Make result const for consistency
Improve doc of OSSL_HTTP_REQ_CTX_set_expected() on timeout param < 0
Fix legacy OCSP_REQ_CTX_http() function to expect ASN.1 formatted input
SSL_CTX_set_cert_verify_callback.pod: various corrections and clarifications
tls_process_{client,server}_certificate(): allow verify_callback return > 1
OSSL_HTTP_open(): Fix memory leak on TLS connect failure via proxy
Hubert Kario (2):
cross-reference the DH and RSA SECLEVEL to level of security mappings
doc: make error checking in ticket handling code explicit
Ingo Schwarze (1):
Fix a read buffer overrun in X509_aux_print().
John Baldwin (2):
Refactor KTLS tests to better support TLS 1.3.
Add tests for KTLS with Chacha20-Poly1035.
Juergen Christ (1):
Fix compile warning with GCC 11.
Lőrinczy, Zsigmond (1):
Update config.pm
Marek (1):
Add demo for HKDF
Martin Schwenke (12):
ec: Fail build on big-endian with enable-ec_nistp_64_gcc_128
bn: Drop use of .p2align pseudo-op
bn: Update .align pseudo-ops to match convention
bn: Drop unnecessary use of r9
bn: Switch $i to be unused r9
bn: save/restore registers to/from stack
ec: Drop uses of .cfi_startproc/.cfi_endproc pseudo-ops
ec: Add alignment pseudo-op at beginning of function
ec: Only build ecp_nistp521-ppc64.s if enable-ec_nistp_64_gcc_128
bn: Use a basic branch-if-not-zero
bn: Fix .size directive
bn: Make fixed-length Montgomery Multiplication conditional on PPC64
Matt Caswell (45):
Prepare for 3.0 beta 2
Ensure we remove libctx DRBG state before removing the provider store
Add a test for a custom rand provider
Instantiate predefined providers just-in-time
Instantiate user-added builtin providers when we need them
Instantiate configuration supplied providers when we need them
Add a new provider to the store only after we activate it
Remove flag_couldbechild
Set use_fallbacks to zero when we add a provider to the store
Merge ossl_provider_activate() and ossl_provider_activate_child()
Only associate a provider with a store once it has been added to it
Don't hold any locks while calling the provider init function
Add a test to check that RAND_bytes_ex() works with a child lib ctx
Don't skip the current provider in ossl_provider_register_child_cb
make struct provider_info_st a full type
Update documentation following updates to the provider code
Move OPENSSL_add_builtin back into provider.c
Fix a race in ossl_provider_add_to_store()
Add wrap.pl to .gitignore
Ensure ordinals are created during release process
Avoid some MinGW test failures
Use TEST_time_t_* functions in cmp_hrd_test.c
Work around a 32-bit mingw failure
Avoid "excessive message size" for session tickets
Don't add the first pkcs12 certificate multiple times
Add a PKCS12 test to check with one input cert we get one output cert
Fix s_server PSK handling
Don't reset the packet pointer in ssl3_setup_read_buffer
Disallow SSL_key_update() if there are writes pending
Fix signed/unsigned comparison warnings in sslapitest
Fix some minor record layer issues
Update our EVP_PKEY_METHODs to get low level keys via public APIs
Fix custom EVP_PKEY_METHOD implementations where no engine is present
Add a test for custom EVP_PKEY_METHODs
Mark the EVP_PKEY_METHOD arg as const on some EVP_PKEY_meth_get_*() funcs
Fix EVP_MD_meth_dup and EVP_CIPHER_meth_dup
Add a test case for EVP_MD_meth_dup() and EVP_CIPHER_meth_dup()
Don't leak the OSSL_LIB_CTX in the event of a failure to load the FIPS module
Ensure any default_properties still apply even in the event of a provider load failure
Don't try and load the config file while already loading the config file
Add some testing for the case where the FIPS provider fails to load
Update fingerprints.txt
Update copyright year
make update
Prepare for release of 3.0 beta 2
Oliver Mihatsch (1):
Fix memory leak in i2d_ASN1_bio_stream
Paul Kehrer (1):
update pyca-cryptography regression test suite
Pauli (85):
params: avoid using intmax_t since it's not well supported
params: fix range check when converting double to uint64_t.
ssl: do not choose auto DH groups that are weaker than the security level
test: add test for auto DH security level meets the minimum
include: replace tabs with spaces in headers
ssl: replace tabs with spaces
test: replace tabs with spaces in test recipes
crypto: repalce tabs with spaces
punycode: fix indentation
ssl: fix indentation
ssl: fix indentation
asn1: fix indentation
rsa: fix indentation
test: fix indentation
sm3: fix function names after the big ossl_ prefix addition.
test: put the new DHE auto test in the correct place
asn1: properly clean up on failed BIO creation
testutil: preserve app_malloc()'s failure behaviour
doc: Document that the OBJ creation functions don't lock.
err: add unable to get lock errors
property: add locking for the property string database
property: remove spurious incorrect comments
test: add EVP_Q_digest tests to evp_test
test: add EVP_Q_mac tests to evp_test
apps: properly initialise arguments to EVP_PKEY_get_bn_param()
x509: address NULL dereference and memory leaks
apps: address potential memory leaks
ui: address potential memory leak
evp_test: address NULL pointer dereference and return failure better
test: avoid memory leaks on errors
test: check for NULL returns better
doc: update up call documentation
evp_test: use correct size in memory clear
x509: improve error reporting
test: fix coverity 1469427 Improper use of negative value (NEGATIVE_RETURNS)
bio: check for valid socket when closing
s_time: avoid unlikely division by zero
dh_test: fix coverity 1473239 Argument cannot be negative (NEGATIVE_RETURNS)
evp: fix coverity 1473380 Copy into fixed size buffer (STRING_OVERFLOW)
test: fix test ordering in threads test
afalg: add some memory initialisation calls to pacify memory sanitisation.
ci: add a memory sanitiser test run
provider: use #define for PBKDF1 algorithm name
doc: add PBKDF1 provider documentation
doc: include PBKDF1 documentation in build.info
util: add -fips option to wrap.pl to make using the FIPS provider easier
test: add some integral type size sanity checks
err: remove ERR_GET_FUNC()
doc: update documentation to note removal of ERR_GET_FUNC()
changes: add entry noting the removal of ERR_GET_FUNC()
bn: procduce correct sign for result of BN_mod()
evp: detect and raise an error if no digest is found for a sign/verify operation
apps: fix Coverity 1451531 Unchecked return value
test: rename apps_mem.c to be apps_shims.c in anticipation of additonal functions
test: add a shim function for the apps's opt_legacy_okay() function
test: make build descriptions more consistent
apps: add query to allow a command to know of a provider command line option was processed
apps: add a function opt_legacy_okay() that indicates if legacy paths are permitted or not
app: add library context and propq arguments to opt_md() and opt_cipher()
doc: document the new opt_legacy_okay() function's behaviour
asn.1: fix Coverity 1487104 Logically dead code
apps: avoid using POSIX IO macros and functions when built without them.
Remove lower limit on GCM mode ciphers
test: add single byte IV AES GCM tests
evp: constify some OSSL_PARAM arguments
doc: document the params arguments to the initialisation functions.
config: enable ACVP test case if FIPS is enabled.
test: fix use after scope problem in ACVP test
demo: add pbkdf2 demonstration program
demo: add scrypt demonstration program
demos: add Makefile support for pbkdf2 and scrypt KDF demos
demos: update readme file with pbkdf2 and scrypt examples.
drbg: allow the ctr derivation function to be disabled in FIPS mode
err: remove the derivation function is mandatory for FIPS error message since it's no longer used and newly introduced
docs: update CTR DRBG documentation to not mention the lack of a derivation function in FIPS
test: include all DRBG tests in FIPS mode
ci: omit tests that consume too much memory
ci: reinstate the passwd tests for the no-cached-fetch run.
ci: QEMU based cross compiled testing
test: handle not a number (NaN) values in the param conversion test.
QEMU: include test runs for most cross compilation targets
ci: add the param conversion tests to the cross compiles.
ci: get rid of no-asm flag to m68k cross compiles
ci: disable async for the SH4 build and reenable the associated test
test: add a comment indication that a bad MAC is intentional
Petr Gotthard (2):
BIO_new_from_core_bio: Fix heap-use-after-free after attach
doc: fix OPENSSL_VERSION_NUMBER length in the synopsis
Randall S. Becker (4):
Add assert.h to threads_pthread.c for NonStop thread compiles.
Document cross-compile considerations for NonStop x86 builds.
Defined out MUTEX attributes not available on NonStop SPT Threads.
Made foreign bit field unsigned in evp.h
Rich Salz (1):
Fix bug in X509_print_ex
Richard Levitte (45):
OpenSSL::Test: Move the command line quotifier
Make util/wrap.pl work better on VMS
TESTS: drop explicit quotes from empty command line arguments
STORE: Fix OSSL_STORE_open_ex() error reporting
Fix definition of ossl_intmax_t and ossl_uintmax_t
APPS: Make fallback opt_[u]intmax() implementations based on long
APPS & TEST: Use ossl_[u]intmax_t rather than [u]intmax_t
test/recipes/80-test_cmp_http.t: use app() rather than cmd()
test/recipes/81-test_cmp_cli.t: use app() rather than cmd()
TEST: check 'loadereng' to determine if loader_attic should be tested
Configure: Reflect that We don't build loader_attic when dynamic-engine is disabled
EVP: Change the output size type of EVP_Q_digest() and EVP_Q_mac()
Adapt other parts of the source to the changed EVP_Q_digest() and EVP_Q_mac()
test/recipes/90-test_shlibload.t: Modify to work with known file names
TEST: Modify simpledynamic.[ch] to allow use on VMS as well
OpenSSL::Util::fixup_cmd_elements(): Include '!' among the VMS chars to process
Fix test_errstr for VMS
UTF-8 not easily supported on VMS command line yet
test/ossl_store_test.c: Adapt the use of datadir for VMS paths
testutil: teach test_mk_file_path() how to merge VMS file specs
test/recipes/66-test_ossl_store.t: ensure native paths
test/recipes/80-test_ca.t: Don't force quotes around the config file in $cnf
apps/CA.pl.in: restore the quotes around -CAfile, they were there for a reason
test/recipes/90-test_includes_data/vms-includes.cnf: correct the directory
ENCODER & DECODER: Allow en/decoders to have multiple names
Fix 'openssl req' to correctly use the algorithm from '-newkey algo:nnnn'
PROV: Have our PEM->DER decoder only recognise our PEM names
ENCODER & DECODER: Make a tighter coupling between en/decoders and keymgmt
OSSL_STORE: Fix crash when tracing STORE
DECODER & ENCODER: Make sure to pass around the original selection bits
EVP: Have EVP_PKCS82PKEY_ex() pass a correct selection to OSSL_DECODER
DOC: clarify OPENSSL_API_COMPAT
TEST: Add testing of PVK and MSBLOB files to test_store
PROV & STORE: Don't decode keys in the 'file:' store loader
PROV & STORE: Make the 'file:' store loader understand more binary formats
CRYPTO: Remove the check for built-in methods in the export_to function
platform->sharedlib_simple(): return undef when same as platform->sharedlib()
Configurations/unix-Makefile.tmpl: use platform->sharedlib() as fallback
TEST: Check that i2d refuses to encode non-optional items with no content
ASN.1: Refuse to encode to DER if non-optional items are missing
Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN
Fix test/asn1_encode_test.c to handle encoding/decoding failure
Avoid empty lines in nmake rule bodies
EVP: Add EVP_PKEY_get0_provider() and EVP_PKEY_CTX_get0_provider()
DOCS: Move the description of EVP_PKEY_get0_description()
Robbie Harwood (1):
Update dependencies for krb5 external test
Shane Lontis (6):
Fix aes_core to use U64() macro..
Change self test for AES_CGM to perform both an encrypt and decrypt.
Add table entries for fips 186-5 related to RSA auxiliary probable primes.
Fix compile errors when building with --api=1.1.0 no-deprecated.
Add test for provider gettables
Add HKDF negative tests
Syrone Wong (1):
Fix OSSL_TRACE9 missing arg9
Theo Buehler (1):
Fix two typos in OSSL_trace_enabled.pod
Tianjia Zhang (1):
Remove executable mode attributes of non-executable files
Todd Short (1):
Add missing session timeout calc
Tomas Mraz (45):
aix64-gcc target: Fix build breakage with enable-fips
Replace non-ASCII character in source file
evp_test: Support testing of stitched TLS ciphers
simpledynamic: Add missing include for AIX builds
Documentation: SM2 keys can use only the SM2 curve
ossl_pw_get_passphrase: No ui method does not necessarily mean internal error
epki2pki_decode: passphrase callback failure is fatal error
OSSL_DECODER_from_bio: Avoid spurious decoder error
trace: Do not produce dead code calling BIO_printf if disabled
ppccap.c: Split out algorithm-specific functions
Only the fips module dependencies are relevant for fips.module.sources
Update fips sources and checksums
coverity #1486531: return error properly from x509_pubkey_ex_new_ex()
coverity #1486532: fix potential NULL dereference in test_mk_file_path()
doc: Mention the update of der data pointers in d2i/i2d
pem_read_bio_key_decoder: Avoid spurious error on unknown PEM data
pem_read_bio_key: Add passphrase caching to avoid asking for password twice
load_pkey_pem: Check for spurious errors when loading
test_pem_reading: Test loading a key from a file with multiple PEM data
load_key_certs_crls: Avoid reporting any spurious errors
PEM_read_...: document that garbage and other PEM data is skipped
Coverity #1486687: fix potential dereference of NULL keymgmt
rsa_cms_verify: Avoid negative return with missing pss parameters
fips module header inclusion fine-tunning
update fips checksums
test_cmp_ctx: Avoid using empty X509 with i2d
doc: Document that incomplete certificates return error
Make EVP_PKEY_check() be an alias for EVP_PKEY_pairwise_check()
Split bignum code out of the sparcv9cap.c
acvp_test: Fix incorrect parenthesis
Signature algos: allow having identical digest in params
CI: have enable-acvp-tests in some CI build
Drop daily run-checker build with just enable-acvp-tests
Allow RSA signature operations with RSA_NO_PADDING
evp_test: Add tests for rsa_padding_mode:none
RSA_public_decrypt is equivalent to a verify recover operation
doc: It is not possible to use SSL_OP_* value in preprocessor conditions
DSA/RSA_print(): Fix potential memory leak
do_sigver_init: Add missing ERR_clear_last_mark()
Fix potential problems with EVP_PKEY_CTX_new() with engine set
ECDSA_SIG_set0: r and s parameters cannot be NULL
ECDSA_SIG_set0(): Clarify documentation and fix formatting errors
Drop no-ktls from runchecker daily build as it has no effect
Test ktls in non-default options CI build
KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it
jenda1 (1):
Makefile: Avoid changing LIBDIR based on whether it already exists
yangyangtiantianlonglong (1):
Add testcases for SSL_key_update() corner case calls
yunh (1):
enable getauxval on android 10
杨明君 (1):
test: add sm3 low level test case to test suite.
-----------------------------------------------------------------------
More information about the openssl-commits
mailing list