[openssl] openssl-3.0.0-beta1 create

Matt Caswell matt at openssl.org
Thu Jun 17 13:19:47 UTC 2021


The annotated tag openssl-3.0.0-beta1 has been created
        at  61b205da30e5ce7ff9a1c5de96d9056d91bf44a2 (tag)
   tagging  f9bfdc3aa979eb32d4b8341999473f2ad202d889 (commit)
  replaces  openssl-3.0.0-alpha17
 tagged by  Matt Caswell
        on  Thu Jun 17 14:03:43 2021 +0100

- Log -----------------------------------------------------------------
OpenSSL 3.0.0-beta1 release tag

Amitay Isaacs (1):
      ec: Add PPC64 vector assembly version of p521 field operations

Arran Cudbard-Bell (1):
      Enable ssl-trace by default

Benjamin Kaduk (1):
      Allow TLS13_AD_MISSING_EXTENSION for older versions

Bernd Edlinger (1):
      Add AES consttime code for no-asm configurations

Daniel Bevenius (1):
      Add aix64-gcc-as architecture and p2align callback

David Makepeace (1):
      Fix doc typos.

Dmitry Belyavskiy (4):
      HMAC doesn't work with a default digest
      Cleanup the peer point formats on renegotiation
      Disabling Encrypt-then-MAC extension in s_client/s_server
      Correct processing of AES-SHA stitched ciphers

Dr. David von Oheimb (62):
      apps/cmp.c: Move CMP server code portion to separate function
      CMP test server: move apps/{,lib/}cmp_mock_srv.c and apps/{,include/}cmp_mock_srv.h
      find-doc-nits: Minor improvements of help and diagnostic output
      find-doc-nits: Add -m option allowing to select on which of man1,man3,man5,man7 to focus on
      find-doc-nits: Check that man1 SYNOPSIS and OPTIONS contain same options
      DOC: Fix nits found by new check on SYNOPSIS and OPTIONS consistency
      util/find-doc-nits: Improve helpstr pattern matching
      check-format.pl: Add check for constant left of comparison operator
      check-format.pl: Report needless intermediate multiple SPC only on -e or --extra-spc
      check-format.pl: Fix false positive "no SPC before binary '*'" for '!*'
      check-format.pl: Fix false positive on struct/union/enum in func return type
      check-format.pl: Replace 'SPC' and 'spc' by 'space' in reports and option names
      check-format.pl: Allow extra space before end-of-line comments unless -e|--eol-cmt given
      check-format.pl: Rename 'one-letter' to 'single-letter', do not report 'l'
      check-format.pl: Rename '*-cmt' options '*-comment'
      APPS: Allow non-option parameters appear anywhere in list, marking them OPT_PARAM
      APPS: Allow duplicate entries in options list, marking them OPT_DUP
      apps/cms: Clean up order of options in help output and documentation
      EVP_DigestSignInit.pod: Clarification in EVP_DigestSignFinal() parameter 'sig'
      BIO_s_accept.pod: Document port auto-selection feature of BIO_set_accept_port()
      apps/cms: Simplify handling of encerts; add warning if they are ignored
      apps/cms.c: Correct -sign output and -verify input with -binary
      80-test_cmp_http: Invert and correct the logic of success vs. failure exit
      Add warning to key/param generating apps on potential delay due to missing entropy
      Remove tmp file smcont.signed_ that was used for debugging PR #15347
      DOC: Improve description of 'req' app: -new, -newkey, and -keyout options
      APPS req: Extend the -keyout option to be respected also with -key
      TEST: Prefer using precomputed RSA and DH keys for more efficient tests
      apps/lib/s_socket.c and 80-test_cmp_http.t: Make ACCEPT port reporting more robust
      DOC: Slightly improve the documentation of BIO_lookup() and related functions
      apps/ocsp: Allow -port 0
      BIO_s_accept.pod: Add missing documentation for BIO_{get,set}_accept_ip_family()
      BIO acpt_state(): Allow retrying addresses (e.g., using IPv6 vs. IPv4) on creating accept socket
      ee-self-signed.pem: Restore original version, adding -attime to 25-test_verify.t
      80-test_cms.t: Replace use of ee-self-signed.pem by more suitable smrsa1.pem
      CI windows.yml: Silence 'nmake' builds except 'minimal'; ci.yml: make 'minimal' build verbose
      80-test_cmp_http.t: Improve comparison on server_port variable
      80-test_http.t: Rename to 79-test_http.t, add basic HTTP server ACCEPT test
      BIO_write-ex(): Improve behavior in corner cases and documentation
      x509_trs.c: rename to x509_trust.c and correct comment in trust_compat()
      x509_vfy.c: Improve a couple of internally documenting comments
      X509_STORE_CTX_new.pod and x509_vfy.h.in: rename some params for clarity, improve their doc
      Improve the documentation of cert path building and validation
      x509.h.in: extended 'documenting' comment on X509_TRUST_OK_ANY_EKU
      Move trust-related decls from x509.h.in to x509_vfy.h.in
      80-test_cmp_http.t: Simplify and prevent hangs on server not launching/behaving correctly
      80-test_cmp_http.t: Improve the way the test server is launched and killed
      25-test_verify.t: Prevent expiration of test case 'Name constraints bad othername name constraint'
      test/certs/mkcert.sh: Correct description of geneealt parameters
      25-test_verify.t: Add test case: accept trusted self-signed EE cert with key usage keyCertSign also when strict
      HTTP client: Fix GET request handling when rctx is reused (keep-alive)
      Rename OSSL_HTTP_set_request() to OSSL_HTTP_set1_request() for clarity
      d2i_X509: revert calling X509v3_cache_extensions()
      ASN1: rename asn1_par.c to asn1_parse.c for clarity; simplify asn1_parse2()
      BIO: prevent crash on NULL BIO for prefix_ctrl() and thus for BIO_set_prefix(), BIO_set_indent(), etc.
      fuzz/asn1parse.c: Clean up non-portable code and catch malloc failure
      BIO_dum_indent_cb(): Fix handling of cb return value
      BIO: Make source file names in crypto/bio/ consistent
      BIO_write_ex(): Make handling of BIO b == NULL and dlen == 0 less redundant
      ASN1_parse_dump(): allow NULL BIO input, to simplify applications not needing output
      X509_digest_sig(): Improve default hash for EdDSA and allow to return the chosen default
      HTTP client: fix use of OSSL_HTTP_adapt_proxy(), which is needed also in cmp.c

FdaSilvaYY (1):
      Use rd instead rmdir

Florian Mickler (3):
      openssl ca: make index.txt parsing error more verbose
      openssl ocsp: make index.txt parsing error more verbose
      openssl srp: make index.txt parsing error more verbose

Hubert Kario (1):
      s_server: make -rev option easier to find (mention echo)

Jan Lana (2):
      fix Solaris OS detection in config.pm
      Update solaris64-sparcv9-cc build target cflags

Jean-Philippe Boivin (1):
      Properly restore XMM registers in ChaCha20's AVX-512(VL) assembly

Jon Spillett (13):
      Add PBKDF1 to the legacy provider
      Added PKCS5_PBE_keyivgen_ex() to allow PBKDF1 algorithms to be fetched for a specific library context
      Add a test for PKCS5_PBE_keyivgen()
      Add an evp_libctx_test test run for legacy provider
      Add special case to skip RC4 reinit
      Fixes #14103 & #14102. Update AES demos with error handling and EVP fetch
      Enhance the encoder/decoder tests to allow testing with a non-default library context and configurable providers
      Fix up encoder/decoder issues caused by not passing a library context to the PKCS8 encrypt/decrypt
      Pass library context and property query into private key decoders
      Fix up bad libcrypto.num
      Disable tracing within the FIPS module
      Add enable-fips to CI configuration
      80-test_cmp_http.t: Re-enable CMP tests for AIX, removing some inessential test cases

Juergen Christ (4):
      Fix warning in gf_serialize
      Fix compilation warning with GCC11.
      Fix CipherInit on s390x.
      Test EVP_CipherInit sequences and resets

Larkin Nickle (1):
      Fix compilation on systems with empty _POSIX_TIMERS

Lars Immisch (1):
      Use getauxval on Android with API level > 18

Martin Schwenke (3):
      perlasm/ppc-xlate.pl: Handle rewriting of vector registers
      ec: Rename reference p521 field operations and use them via macros
      ec: Add run time code selection for p521 field operations

Matt Caswell (48):
      Prepare for 3.0 beta 1
      Add ordinal numbers to the .num files
      Clean up the "fips" option to Configure
      Cleanup the missing*.txt files
      Fix a memleak in the FIPS provider
      Remove some perl 5.14 use from rsaz-avx512.pl
      Don't try the same decoder multiple times
      Ignore the threadstest_fips executable
      Special case SM2 when decoding
      Update check_sig_alg_match() to work with provided keys
      Teach EVP_PKEYs to say whether they were decoded from explicit params
      Fix cert creation in the store
      Teach ASN1_item_verify_ctx() how to handle provided keys
      Only call dtls1_start_timer() once
      Check that we got the expected name type when verifying name constraints
      Test a bad SmtpUTF8Mailbox name constraint
      Provide the ability to create an X509_PUBKEY with a libctx/propq
      Fix evp_extra_test to use libctx in an X509_PUBKEY
      Teach the ASN.1 code how to create embedded objects with libctx/propq
      Teach more of the ASN.1 code about libctx/propq
      Use the new ASN.1 libctx aware functions in CMS
      Use the new ASN.1 libctx aware capabilities in CMP
      Make sure X509_dup() also dup's any associated EVP_PKEY
      Give ASN.1 objects the ability to report their libctx/propq
      Ensure libctx/propq is propagated when handling X509_REQ
      Add documentation for newly added ASN1 functions
      Fix generate_ssl_tests.pl
      Fix the expected output of printing certificates
      Fix CTLOG_new_from_base64_ex()
      Use the right class/tag when decoding an embedded key
      Ensure that we consume all the data when decoding an SPKI
      Only use the legacy route to decode a public key if we have to
      Just look for "Unable to load Public Key" if no SM2
      Actually use a legacy route in pem_read_bio_key_legacy()
      Mark some priv/public key pairs as only available in the default provider
      Use the fips-and-base.cnf config file in CMP tests
      Simplify error reporting in X509_PUBKEY_get0()
      Correctly detect decode errors when checking if a key is supported
      Add a generic SubjectPublicKeyInfo decoder
      Avoid excessive OSSL_DECODER_do_all_provided calls
      Add various OBJ functions as callbacks
      Add a test for the newly added OBJ upcalls
      Add documentation for the newly added OBJ up calls
      Clean up the encoder/decoder/loader stores before providers
      Add a test for fetching various non-evp objects
      Update copyright year
      make update
      Prepare for release of 3.0 beta 1

Pauli (140):
      property: convert integers to strings properly.
      doc: move images into their own subdirectory
      doc: rereference img locations into subdirectory
      doc: process images when installing
      configure: build list of image files
      configurations: update template makefiles to install documentation images
      test: add test case to reliably reproduce RAND leak during POST
      core: condition out more in FIPS builds
      test: fix typo in comment in threadstest.c
      doc: update core_thread_start() documentation
      fips: default to running self tests when starting the fips provider
      doc: document the MAC block size getter
      test: add evp_tests for the MAC size and block size
      mac: add a getter for the MAC block size.
      checksum: include header files in the checksumming output
      regenerate FIPS checksums
      err: rename err_load_xxx_strings_int functions
      rsa: special case the strengths of RSA with 7680 and 15360 bits
      test: update RSA test with current bit strengths
      bn: rename bn_check_prime_int -> ossl_bn_check_primt
      bn: rename extract_multiplier_2x20_win5 -> ossl_extract_multiplier_2x20_win5
      aes: rename new bsaes_ symbols -> ossl_bsaes_ ones
      rsa: rename global rsaz_ symbols so they are in namespace
      rsa: remove the limit on the maximum key strength
      rsa: check that the RNG is capable of producing a key of the specified size
      errors: update error message (to be squashed)
      test: test genrsa in deprecated builds
      test: add test for key generation strength > RNG strength
      test: test MP genrsa in deprecated builds
      coverity 1484913: Null pointer dereferences (REVERSE_INULL)
      coverity 1484912: Null pointer dereferences (NULL_RETURNS)
      doc: document the strength arguments to the RNG functions
      rand: add a strength argument to the BN and RAND RNG calls
      test: add zero strength arguments to BN and RAND RNG calls
      ssl: add zero strength arguments to BN and RAND RNG calls
      prov: add zero strength arguments to BN and RAND RNG calls
      add zero strength arguments to BN and RAND RNG calls
      fips: set the library context and handle later
      ppc: fix ambiguous if if else statement
      sparc: fix cross compile build
      add some cross compilation builds
      rand: use size_t for size argument to RAND_bytes_ex()
      ssl: pass size_t to RAND_bytes_ex()
      crypto: updates to pass size_t to RAND_bytes_ex()
      req: fix Coverity 1485137 Explicit null dereference
      apps: remove TODOs
      fuzz: remove TODOs
      test: remove TODOs
      tls: remove TODOs
      providers: remove TODOs
      asn.1: remove TODOs
      bio: remove TODOs
      x509: remove TODOs
      cmp: remove TODOs
      cms: remove TODOs
      comp: remove TODOs
      crmf: remove TODOs
      ct: remove TODOs
      ocsp: remove TODOs
      pem: remove TODOs
      store: remove TODOs
      rsa: remove TODOs
      bn: remove TODOs
      dso: remove TODOs
      ec: remove TODOs
      err: remove TODOs
      evp: remove TODOs
      http: remove TODOs
      crypto: remove TODOs
      utils: remove TODO
      doc: move XXX_get_number() documentation to internal
      add internal get_number functions to crypto/evp.h
      Add internal get_number functions to internal headers
      doc: make XXX_get_number() internal
      libcrypto: make XXX_get_number() internal
      doc: fix OSSL_(EN|DE)CODER_get0_name function names
      store: include internal header
      list: update to not use XXX_get_number() calls
      util: update FIPS checksumming script to be more aggressive with whitespace
      update checksums
      rsa: make the maximum key strength check FIPS only.
      req: detect a bad choice of digest early
      Rename `n` field to `num_properties` in property definition structure.
      property: improve ossl_property_find_property() function
      property: move additional query functions to property_query.c
      doc: update Graphviz images to have a transparent background
      doc: update generated image files
      life-cycles: update digest state table
      doc: add digest lifecycle diagram
      doc: add digest life cycle documentation
      doc: add references to digest life cycle documentation
      doc: remove empty section
      doc-nits: support out of source execution
      doc: improve the cipher life cycle diagram
      doc: add cipher life cycle documentation
      doc: add references to cipher life cycle documentation
      doc: add build info for cipher life cycle documentation
      doc: build changes for PKEY life cycle documentation
      doc: add PKEY life cycle documentation
      bio: improve error checking fixing coverity 1485659 & 1485665
      fix coverity 1485660 improper use of negative value
      afalg: fix coverity 1485661 improper use of negative value
      evp: fix improper use of negative value issues
      evp: fix coverity 1485666 argument cannot be negative
      pkcs12: fix Coverity 1485667 logically dead code
      evp: fix Coverity 1485668 argument cannot be negative
      evp: fix Coverity 1485669 improper use of negative value
      evp: fix Coverity 1485670 argument cannot be negative
      evp: avoid some calls to EVP_CIPHER_CTX_get_iv_length() because it's been called already
      keymgmt: better detect when a key manager can be reused
      sha: convert SHA one shot macros back to being functions
      changes: fix wording that mentions SHA* one shot functions are deprecated
      util: convert SHA* one shots back to being functions
      err: clear flags better when clearing errors.
      ci: run the on pull request CIs on push to master
      spkac: allow digests other than MD5 to be used for signing
      spkac: document -digest option
      test: add SPKAC command test
      add libctx and property query to fetch functions
      fipsinstall: use the app's libctx and property query when searching for algorithms
      kdf: use the app's libctx and property query when searching for algorithms
      list: use the app's libctx and property query when searching for algorithms
      speed: use the app's libctx and property query when searching for algorithms
      pkcs12: use the app's libctx and property query when searching for algorithms
      speed: make sure to free any allocated EVP_MAC structures
      apps: move global libctx and property query into their own file
      cms: fix coverity 1485981: unchecked return value
      cms: free PKEY_CTX
      remove end of line whitespace
      new: update NEWS.md so it is correct.
      new: update NEWS.md so it is correct.
      doc: finish the provider child up call documentation
      Include a local static buffer for the SHA helper functions
      test: add test cases for SHAxxx helper functions
      doc: document the various get_cipher functions in the commands lib.
      apps: limit get_cipher() to not return AEAD or XTS ciphers
      apps: use get_cipher_any() instead of get_cipher() for commands that support these ciphers/modes
      apps: remove AEAD/mode checks that are now redundant
      prov: tag SM2 encoders and decoders as non-FIPS
      gost: remove the internal GOST test.

Petr Gotthard (3):
      Fix building of test/pbetest.c
      Fix memory leak in OSSL_CMP_CTX
      doc: fix OSSL_PARAM_BLD pointers in the example

Rich Salz (14):
      Remove engine_table_select_int
      Use <> for #include openssl/xxx
      Use "" for include internal/xxx
      Use "" for include crypto/xxx
      Rework and make DEBUG macros consistent.
      Fix issues found by md-nits
      Make undef'd counts zero by default.
      Make conf_method_st and conf_st deprecated
      Add NCONF_get0_libctx()
      Add md-nits task
      Remove I_CAN_LIVE_WITH_LNK4049
      Move AllowClientRenegotiation tests
      Remove "-immedate_renegotiation" option
      Always wait for both threads to finish

Richard Levitte (75):
      VMS: Copy __DECC_INCLUDE_{PROLOGUE,EPILOGUE}.H to more places
      PROV: Relegate most of the FIPS provider code to libfips.a
      DOCS: Fixups of the migration guide and the FIPS module manual
      VMS: don't use app_malloc() in apps/lib/vms_decc_argv.c
      Include "internal/numbers.h" in test programs using SIZE_MAX
      test/params_conversion_test.c: fix the use of strtoumax and strtoimax on VMS
      Configurations/descrip.mms.tmpl: rework the inclusion hacks
      VMS: Fix run of generic generator programs in descrip.mms.tmpl
      Make it possible to disable the loader_attic engine
      Disable loader_attic by default on VMS
      TEST: Avoid using just 'example.com'  - test_cmp_http
      DOCS: Don't mention internal functions in public documentation
      Fix 'openssl req' to be able to use provided keytypes
      Rework how providers/fipsmodule.cnf is produced
      Build file templates: rework how general dependencies are computed
      Build file templates: rework FIPS module installation
      TEST: Add test specific fipsmodule.cnf, and use it
      util/fix-doc-nits: Fix link detection in collectnames() to be kinder
      configdata.pm: Allow extra arguments when --query is given.
      Make providers/fips.module.sources.new depend on configdata.pm
      Rearrange the check of providers/fips.so dependencies
      make update-fips-checksums
      Add the usual autowarn perl snippet in providers/common/der/*.in
      Add .asn1 dependencies for files generated from providers/common/der/*.in
      Configure: variable expand GENERATE values too
      providers/common/der/build.info: make a variable for ../include/prov
      util/mknum.pl: Really allow unset ordinals in development
      Restore all the ? in util/libcrypto.num
      Deprecate EVP_CIPHER_impl_ctx_size and EVP_CIPHER_CTX_buf_noconst
      FIPS: don't include crypto/passphrase.c in libfips.a
      make update-fips-checksums
      property: Add functionality to query data from a property definition
      DECODER: use property definitions instead of getting implementation parameters
      PROV: drop get_params() and gettable_params() from all decoder implementations
      ENCODER: Drop OSSL_ENCODER_PARAM_INPUT_TYPE
      ENCODER: use property definitions instead of getting implementation parameters
      PROV: drop get_params() and gettable_params() from all encoder implementatio
      test/recipes/80-test_cmp_http.t: Simplify test_cmp_http()
      test/recipes/80-test_cmp_http.t: Don't trust $server_port in start_mock_server()
      OpenSSL::Test.pm: Replace all uses of rel2abs() with abs_path()
      Decoding PKCS#8: separate decoding of encrypted and unencrypted PKCS#8
      DECODER: Adapt addition of extra decoder implementations
      DECODER & ENCODER: Add better tracing
      APPS: Restore the possibility to combine -pubout with -text
      OpenSSL::Test: Treat SRCDATA directory specially, as it might not exist
      OpenSSL::Test: If __cwd() is to create the directory, do it early
      STORE: Make OSSL_STORE_LOADER_fetch() consistent with all other fetch functions
      apps/lib/s_socket.c: Alias getpid with _getpid for _WIN32
      Clean away remaining Travis related files
      Configure: Allow spaces around '=' in all build.info statements
      Building: Add necessary dependencies for linker scripts and .rc files
      Windows Github CI: test in Windows 2016 as well
      Windows GitHub CI: Introduce --strict-warnings
      APPS: Remove an unreachable statement in s_client.c
      CORE: Move away the allocation of the temporary no_cache method store
      Add the internal function ossl_method_store_do_all()
      Refactor OSSL_DECODER_do_all_provided() to behave like OSSL_DECODER_fetch()
      Refactor OSSL_ENCODER_do_all_provided() to behave like OSSL_ENCODER_fetch()
      Refactor evp_generic_do_all() to behave like evp_generic_fetch()
      Adapt all public EVP_XXX_do_all_provided() for the changed evp_generic_do_all()
      DECODER & ENCODER: Add better tracing
      test/evp_extra_test.c: Peek at the error instead of getting it.
      Refactor OSSL_STORE_LOADER_do_all_provided() to behave like OSSL_STORE_LOADER_fetch()
      TEST: Make test/recipes/01-test_symbol_presence.t more platform agnostic
      TEST: Display the correct shared library name
      TEST: Skip test/recipes/01-test_symbol_presence.t on MacOS
      CORE: Do a bit of cleanup of core fetching
      VMS build: drop a spurious debug print
      Configuration: Fix incorrect $unified_info{attributes} references
      Build file templates: Fix in2script dependencies
      TEST: Change 'catdir' to 'catfile' when dealing with files, in run_tests.pl
      DSO: Fix the VMS DSO name converter to actually do something
      Fix small typo in test/recipes/05-test_pbe.t
      Fix exit code for VMS in util/wrap.pl and test/run_tests.pl
      test/recipes/80-test_cmp_http.t: Kill the mock server brutally

Robbie Harwood (2):
      Fix upgrading docs for RSA_private_encrypt/RSA_public_decrypt
      Update krb5 module and re-enable pkinit tests

Shane Lontis (29):
      Rename the field 'provctx and data' to 'algctx' inside some objects containing pointers to provider size algorithm contexts.
      Add fipsinstall option to run self test KATS on module load
      Fix buffer overflow when generating large RSA keys in FIPS mode.
      Add demo for EC keygen
      Fix spelling mistake in d2i_PrivateKey.pod
      Fix PKCS12_create() so that a fetch error is not added to the error stack.
      EVP_CIPHER Documentation updates
      Add Docs for EVP_CIPHER-*
      Add missing EVP_CTRL_CCM_SET_L control
      Fix incorrect OSSL_CIPHER_PARAM_SPEED get_ctx_params
      Fix incorrect gettable OSSL_CIPHER_PARAM_TLS_MAC parameter
      Fix intermittent CI failure in evp_kdf_test for non_caching build.
      Fix PKCS7_verify to not have an error stack if it succeeds.
      Fix aes cfb1 so that it can operate in bit mode.
      Fix param indentation in ciphercommon_hw.c
      Document Settable EVP_CIPHER_CTX parameter "use-bits"
      Migration guide updates for flags and controls.
      Fix error stack for some fetch calls.
      Move provider der_XXX.h.in files to the include directory.
      Fix errors found by parfait static analyser.
      Document missing EC/SM2 params
      Add a gettable for provider ciphers to return the EVP_CIPH_RAND_KEY flag
      Fix AIX FIPS DEP.
      Fix s_server app to not report an error when using a non DH certificate.
      Fix DH/DHX named groups to not overwrite the private key length.
      Add missing NULL check in OSSL_DECODER_from_bio().
      Add missing migration_guide API mappings.
      Fix DH private key check.
      Add self test for ECDSA using curve with a binary field

Sven Schwermer (2):
      mkerr: Fix string literal conversion
      ERR: Rebuild generated engine error files

Tianjia Zhang (1):
      apps: Fix the mismatch of SM2 keys keymgmt

Todd Short (3):
      Call SSLfatal when the generate_ticket_cb returns 0
      Optimize session cache flushing
      Fix FIPS provider value in docs

Tom Cosgrove (2):
      Fix -static builds on master
      Initialise OPENSSL_armcap_P to 0 before setting it based on capabilities, not after

Tomas Mraz (47):
      pem_read_bio_key_legacy: Do not obscure real error if there is one
      Exchange no-siv and no-ec2m between daily and ci workflows
      FIPS label CI: Save PR number and use it
      apps: Cleanup useless bio_open_default() calls for key input
      Add some basic Windows builds to the Windows CI workflow
      Windows CI: use nasm on 32bit and 64bit shared builds
      Windows CI: Add make install step on the shared 64 bit build
      Windows CI: properly drop test_fuzz* tests to speed up things
      FIPS checksums CI: use merge checkout to compute the new checksums
      Do not try to install image directories with no images
      write-man-symlinks: Write relative symlinks not absolute
      Fix possible infinite loop in pem_read_bio_key_decoder()
      Add negative test cases for PEM_read_bio_PrivateKey
      OSSL_DECODER_from_bio: Report an unsupported error when there is none
      Deprecate old style BIO callback calls
      generate_fips_sources: properly include providers/common/der/*.in
      FIPS Checksums CI: use separate directories for the checkouts
      FIPS Checksums: checkout the head of the base repo as pristine
      Rename all getters to use get/get0 in name
      Rename also the OSSL_PROVIDER_name() function
      Add documentation of the old names kept as alias macros
      Fix enable-fips builds on Windows
      Windows CI: enable fips on shared 64 bit build
      Make the 00-prep_*.t recipe truly mandatory
      Add NCONF_get_section_names()
      ed25519 and ed448: fix incorrect OSSL_PKEY_PARAM_MAX_SIZE
      OPENSSL_init_crypto must return 0 when cleanup was done
      openssl spkac: Fix reading SPKAC data from stdin
      req: fix default bits handling for -newkey
      Move libssl related defines used by fips provider to prov_ssl.h
      Update fips checksums to drop the ssl headers
      Elimination of some sources not needed in the FIPS_MODULE
      X509_digest_sig: Handle RSA-PSS and EDDSA certificates
      EVP_PKEY_new_raw_private_key: Allow zero length keys
      Fix use after free in OSSL_HTTP_REQ_CTX_set1_req()
      store: Avoid spurious error from decoding at EOF
      ossl_provider_set_module_path: Prevent potential UAF
      dl_name_converter: Avoid unnecessary overallocation
      Document that provider name can be a full path
      Windows CI: Enable fuzz test in plain build
      BIO_write_ex: No error only on 0 bytes to write
      fuzz/asn1parse: Use BIO_s_mem() as fallback output
      Do not depend on the exact exit failure value of dgst app
      Avoid duplicating prov_running.o in libdefault and libcrypto
      Add -latomic only for architectures where needed
      Do not duplicate symbols between libcrypto and libssl in static builds
      When linking to static libssl always link to static libcrypto

Tommy Chiang (1):
      Fix typo about SSL_CONF_FLAG_CMDLINE

Trev Larock (1):
      Modify ssl_handshake_hash to call SSLfatal

William Edmisten (1):
      Add support for ISO 8601 datetime format

bonniegong (1):
      Check the return value of ASN1_STRING_length

jwalch (1):
      Fix OCSP_sendreq_nbio arg order

yuechen-chen (1):
      Add an EVP demo for signatures using EC

-----------------------------------------------------------------------

