The annotated tag openssl-3.0.1 has been created
        at  a50b847c27705d84f4c03828ebfbc1c1f0200f07 (tag)
   tagging  b4e83ed7cd99c12d27e0e220c3afa1745a68f921 (commit)
  replaces  openssl-3.0.0
 tagged by  Matt Caswell
        on  Tue Dec 14 16:16:26 2021 +0000

- Log -----------------------------------------------------------------
OpenSSL 3.0.1 release tag

Alex Pawelko (1):
      Fix Markdown links in SUPPORT.md

Allan Jude (1):
      Fix detection of ARMv7 and ARM64 CPU features on FreeBSD

Amit Kulkarni (1):
      doc: crypto(7) - fix typo

Arne Schwabe (2):
      Add missing mention of mandatory function OSSL_FUNC_keymgmt_has
      Note that SHA1 and MD5 x509 signatures are also forbidden at security level 1

Bernd Edlinger (10):
      Fix a memory leak in the afalg engine
      Replace the AES-128-CBC-HMAC-SHA1 cipher in e_ossltest.c
      Fix a memory leak reported in CIFuzz
      Fix another memory leak reported in CIFuzz
      Fix a memory leak in tls_parse_stoc_key_share
      Fix a memory leak in ssl_create_cipher_list
      Avoid loading of a dynamic engine twice
      Add a test case for duplicate engine loading
      Minor code cleanup in o_names_init
      Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit targets

Dmitry Belyavskiy (6):
      Avoid double-free on unsuccessful getting PRNG seeding
      FIPS and KTLS may interfere
      Fix for the dasync engine
      Bindhost/bindport should be freed
      No EtM for GOST ciphers in TLS 1.2
      More detailed explanation how do engines work in 3.0

Dominic Letz (1):
      Update 15-ios.conf

Dr. David von Oheimb (31):
      80-test_cmp_http.t: Fix handling of empty HTTP proxy string
      APPS/cmp.c: Move warning on overlong section name to make it effective again
      APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options
      openssl-x509.pod.in: Reflect better that -signkey is an alias for -key option
      Fix ssl_free() and thus BIO_free() to respect BIO_NOCLOSE
      BIO_f_ssl.pod: Make clear where an SSL BIOs are expected as an argument
      apps/x509: Fix self-signed check to happen before setting issuer name
      OSSL_HTTP_REQ_CTX.pod: clarify that resulting BIO must not be freed
      OSSL_HTTP_transfer.pod: clarify that resulting BIO must be freed
      APPS/x509: Fix generation of AKID via v2i_AUTHORITY_KEYID()
      Fix verbosity of CMP client diagnostics
      cmp_server.c: Log received request type before checking details
      80-test_cmp_http: Make server diagnostics more verbose to aid debugging
      HTTP client: workaround for #16028 (BIO_gets not supported by connect and SSL BIOs)
      Make ERR_str_reasons in err.c consistent again with err.h
      02-test_errstr.t: print errorcodes in hex (rather than decimal) format
      BIO_push.pod: fix confusing text and add details on corner cases
      OSSL_HTTP_transfer.pod: Fix omission documenting the 'ok' parameter of OSSL_HTTP_close()
      OSSL_HTTP_transfer.pod: Some clarifications on the BIO connect/disconnect callback function
      parse_http_line1(): Fix diagnostic output on error and return code
      OSSL_HTTP_REQ_CTX_nbio(): Fix parsing of responses with status code != 200
      OBJ_obj2txt(): fix off-by-one documentation of the result
      OSSL_HTTP_set1_request(): Fix check for presence of port option and its documentation
      OSSL_HTTP_open(): Complete documentation of checks for server and proxy args
      OSSL_HTTP_open(): clarify doc of 'server' arg and its use of BIO_new_connect()
      X509V3_set_ctx(): Clarify use of subject/req parameter for constructing SKID by hash of pubkey
      X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email addresses from subject DN
      OSSL_CMP_MSG_read(): Fix mem leak on file read error
      APPS/cmp: fix -rspin option such that it works again without -reqin
      OSSL_HTTP_get(): Fix timeout handling on redirection
      APPS/cmp: Fix use of OPENSSL_NO_SOCK: options like -server do not make sense with no-sock

Dr. Matthias St. Pierre (1):
      doc/man3/SSL_set_fd.pod: add note about Windows compiler warning

Gerd Hoffmann (1):
      rename MIN() macro

Jiasheng Jiang (1):
      test/ssl_old_test.c: Do NULL pointer check before its use

Kelvin Lee (1):
      Explicitly #include <synchapi.h> is unnecessary

Kinshuk Dua (2):
      Doc: be explicit about NUL in max_identity_len
      Doc: replace `NULL` terminated with `NUL`

Martin Schwenke (1):
      perlasm/ppc-xlate.pl: Fix build on OS X

Matt Caswell (54):
      Clarify what SSL_get_session() does on the server side in TLSv1.3
      Correct the documentation for SSL_set_num_tickets()
      New extensions can be sent in a certificate request
      Extend custom extension testing
      Fix the signature newctx documentation
      Make sure EVP_CIPHER_CTX_copy works with the dasync engine
      Ensure pkey_set_type handles ENGINE references correctly
      Update provider_util.c to correctly handle ENGINE references
      Add tests for ENGINE problems
      Prevent an overflow if an application supplies a buffer that is too small
      Enforce a size check in EVP_MAC_final()
      Fix SSKDF to not claim a buffer size that is too small for the MAC
      Test short buffers
      Add an additional note to EVP_DigestSign() documentation
      Fix a bug in signature self tests in the FIPS module
      Fix test_CMAC_keygen
      Fix acvp_test sig_gen
      Update pyca-cryptography sub-module
      Fix the s_server psk_server_cb for use in DTLS
      Fix no-cmac
      Don't crash encoding a public key with no public key value
      Test that a key is usable after an EVP_PKEY_fromdata call
      Clarify the documentation for the "byname" functions
      Fix a gcc 11.2.0 warning
      Fix errors in EVP_PKEY_fromdata examples
      Don't write to the globals ossl_property_true and ossl_property_false
      Don't attempt to deactive child providers if we don't need to
      Avoid a race in init_thread_stop()
      Remove the isinited variable from child_prov_globals
      Don't try and do ossl_provider_find in ossl_provider_new
      Don't bail out during provider deactivation if we don't have store
      Stop receiving child callbacks in a child libctx when appropriate
      Correctly activate the provider in OSSL_PROVIDER_try_load
      Use a write lock during ossl_provider_find()
      Hold the flag_lock when calling child callbacks
      Extend the test_multi_load() test
      Reset the rwstate before calling ASYNC_start_job()
      Clarify the PEM docs
      Don't create an ECX key with short keys
      Add a test for creating ECX private keys that are too short
      Clarify and correct the EVP_CTRL_AEAD_SET_TAG docs
      Don't delete the doc/html directories when cleaning
      Clarify the deprecation warnings in the docs
      Don't run the symbol presence test on windows
      Don't free the EVP_PKEY on error in set0_tmp_dh_pkey() functions
      Fix documentation for tlsext_ticket_key
      Update CHANGES and NEWS for new release
      Fix invalid handling of verify errors in libssl
      Add a new Name Constraints test cert
      Add a TLS test for name constraints with an EE cert without a SAN
      Add a test case for the name constraints bug
      Update copyright year
      make update
      Prepare for release of 3.0.1

Mattias Ellert (3):
      Remove extra comma in man page example code
      EVP_PKEY_keygen_init has no argument named pkey
      Fix variable name mis-match in example code

Mingjun.Yang (2):
      Add sm2 encryption test case from GM/T 0003.5-2012
      Add missing check according to SM2 Digital Signature generation algorithm

Nikita Ivanov (1):
      Fix nc_email to check ASN1 strings with NULL byte in the middle

PW Hu (18):
      Fix some documentation errors
      Fix unsafe BIO_get_md_ctx check
      Bugfix: unsafe return check of EVP_PKEY_fromdata_init
      Bugfix: unsafe return check of EVP_PKEY_fromdata
      Fix function signature error
      Fix some documentation errors related to return values
      Fix documentation errors, mainly caused by return values of BIO_ctrl
      doc: Fix some function signature errors
      doc: Fix some function signature errors
      Fix return value error in doc, and an error test
      Fix incorrect return check of BN_bn2nativepad
      update doc: BN_bn2lebinpad() and BN_bn2nativepad()
      Fix incorrect return check of BN_bn2binpad
      Fix: invoking x509_name_cannon improperly
      Fix: invoking X509_self_signed improperly
      Fix return value checking of BN_check_prime invocations
      Fix the return check of OBJ_obj2txt
      Return -1 properly from do_X509_REQ_verify and do_X509_verify

Pauli (25):
      Fix the example SSH KDF code.
      Remove end of line whitespace to appease CI checks
      ci: add copyright header to CI scripts
      doc: remove end of line whitespace
      rand: don't free an mis-set pointer on error
      doc: Fix include syntax
      property: produce error if a name is duplicated
      test: add failure testing for property parsing
      doc: document that property names are unique
      test-rand: return failure on not enough data, allow parent
      speed: range check the argument given to -multi
      Remove redundant RAND_get0_private() call
      Convert the weak key and key parity tests to be constant time.
      Add unit tests for weak key and key parity checks
      avoid a NULL dereference when getting digest
      Fix coverity 1493364 & 1493375: unchecked return value
      Address Coverity 1493387 Logically dead code
      Address coverity 1493382 argument cannot be negative
      Address Coverity 1493362 resource leak
      Fix data race setting `default_DSO_meth`
      Add return value NULL checks that were missing
      Add documentation for some of the missing environment variables.
      doc: fix macro name
      doc: remove non-existent callbacks
      Fix Coverity 1494385 logically dead code.

Peiwei Hu (19):
      Fix some documentation errors
      Fix return value of BIO_free
      test/ssl_old_test.c: Fix potential leak
      RAND_bytes_ex: fix return check
      EVP_Cipher: fix the incomplete return check
      EVP_DigestVerifyFinal: fix test function and invocation
      EVP_PKEY_paramgen_init: fix return check
      EVP_PKEY_keygen_init: fix return check
      BIO_read_filename: fix return check
      BIO_gets: fix the incomplete return check
      ossl_do_blob_header: fix return check
      Fix EVP_PKEY_decrypt return check
      TXT_DB_write: fix the return check
      asn1_item_embed_d2i: fix th return check
      EVP_RAND_generate: fix return check
      BIO_set_prefix: fix return check
      BIO_set_indent: fix return check
      SSL_export_keying_material: fix return check
      bio_enc.c: add memory allocation check

Phil Mesnier (1):
      Fix for a segv interrupt that occurs when fix_dh_rfc5114 is called with ctx->p2 being a null pointer.

Richard Levitte (46):
      Prepare for 3.0.1
      DOCS: Update the page for 'openssl passwd' to not duplicate some info
      Fix test/recipes/90-test_fipsload.t to use bldtop_file for the FIPS module
      OpenSSL::Ordinals::set_version() should only be given the short version
      VMS: Fix descrip.mms template
      Fix 'openssl speed' information printout
      Fix the build file templates where uplink matters
      Configurations/platform/Unix.pm: account for variants in sharedlib_simple()
      Fix util/mkpod2html.pl to call pod2html with absolute paths
      Fix test/recipes/01-test_symbol_presence.t to allow for stripped libraries
      Fix test/recipes/01-test_symbol_presence.t to disregard version info
      Fix lock leak in evp_keymgmt_util_export_to_provider()
      CORE: add a provider argument to ossl_method_construct()
      EVP: Add the internal function evp_generic_fetch_from_prov()
      EVP: Add evp_keymgmt_fetch_from_prov()
      EVP: Reverse the fetch logic in all pkey using functionality
      EVP: Add internal functions to fetch type specific EVP methods from provider
      EVP: Allow a fallback for operations that work with an EVP_PKEY
      EVP: For all operations that use an EVP_PKEY, check that there is one
      CORE: Encure that cached fetches can be done per provider
      Configurations/windows-makefile.tmpl: obj2bin(): use the resource file too
      Fix DER encoder implementations for output structures "EC" and "SM2"
      Make OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers
      DOC: OSSL_PARAM_{set,get,construct}_BN() currently only supports nonnegative numbers
      DOC: Add a few previously documented functions
      Test the performance of OSSL_PARAM_allocate_from_text with arbitrary size ints
      Have OSSL_PARAM_allocate_from_text() raise error on unexpected neg number
      Allow sign extension in OSSL_PARAM_allocate_from_text()
      TEST: Enable and fix test_bn2padded() in test/bntest.c
      Make OSSL_provider_init() OPENSSL_EXPORT, not just extern
      Teach OpenSSL::ParseC about OPENSSL_EXPORT and OPENSSL_EXTERN
      Fix faulty detail in BN_rand() manual
      Fix EVP_PKEY_eq() to be possible to use with strictly private keys
      Adapt our OSSL_FUNC_keymgmt_match() implementations to the EVP_PKEY_eq() fix
      Enhance the explanation of selector bits in provider-keymgmt(7)
      test/evp_extra_test.c: Refactor test_fromdata()
      test/evp_extra_test.c: Add EVP_PKEY comparisons in test_EC_priv_pub()
      Fix VMS installation - consistent program names with version info
      Fix VMS installation - $config{pointer_size} -> $target{pointer_size}
      Fix VMS installation - Define the logical name OSSL$MODULES
      Fix VMS installation - use platform->shlib_version_as_filename() consistently
      Fix VMS installation - deassign the same logical names that were defined
      Fix VMS installation - Check the presence of providers in the IVP script
      Fix VMS installation - Override the openssl logical name in descrip.mms.tmpl
      Fix VMS installation - Document in CHANGES.md
      Add some CHANGES entries for 3.0.1

Sam Eaton (1):
      changes opensssl typos to openssl

Tianjia Zhang (3):
      ssl: Correct filename in README
      ssl: Correct comment for ssl3_read_bytes()
      KTLS: use EVP_CIPHER_is_a instead of nid

Tobias Nießen (2):
      Fix heading in random generator man7 page
      Fix infinite verification loops due to has_san_id

Tom Cosgrove (2):
      Fix builds on Armv8 systems without AArch64
      Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value

Tomas Mraz (40):
      dh_ameth: Fix dh_cmp_parameters to really compare the params
      install_fips: Create the OPENSSLDIR as it might not exist
      linux-x86-clang target: Add -latomic
      providers: Do not use global EVP_CIPHERs and EVP_MDs
      BIO_ctrl: Avoid spurious error being raised on NULL bio parameter
      doc: OPENSSL_CORE_CTX should never be cast to OSSL_LIB_CTX
      ctrl_params_translate: Fix leak of BN_CTX
      cmp_vfy.c, encoder_lib.c: Fix potential leak of a BIO
      Raise error when invalid digest used with SM2
      Add missing define to enable AES-NI usage on x86 platform
      doc: Document the type of label EVP_PKEY_CTX_set0_rsa_oaep_label properly
      doc: EVP_PKEY_get_utf8/octet_string_param() clarify NULL buffer behavior
      OCSP_sendreq_bio: Avoid doublefree of mem BIO
      tests: Add test for X509_dup with ENGINE based key
      X509_dup: Avoid duplicating the embedded EVP_PKEY
      X509_PUBKEY_dup: Do not just up-ref the EVP_PKEY
      cmp.c: Avoid dereference with negative index and use memcpy
      migration_guide: Mention ERR_GET_FUNC() and function code removal
      test: fetching proper signature provider for non-exportable keys
      DES_set_key(): return values as DES_set_key_checked() but always set
      do_sigver_init: Allow reinitialization of an existing operation.
      test: Add testing of reinitialization via EVP_DigestSignInit()
      providers: Allow possible reinitialization in all signature algorithms
      evp_extra_test: Add SIPHASH MAC digestsign test with reinitialization
      doc: Document outcome of multiple digestsign/digestverify calls
      Add null digest implementation to the default provider
      d2i_PublicKey: Make it work with EC parameters in a provided key
      rsa_signverify_init: Set the PARAMS after key is set
      Add test for EVP_PKEY_sign_init_ex with RSA PSS padding
      EVP_MD_CTX_copy_ex: Allow copying uninitialized digest contexts
      Add test for copying uninitialized EVP_MD_CTX
      various kdfs: Always reset buflen after clearing the buffer
      CI: Replace windows-2016 with windows-2022
      Fix pvk encoder to properly query for the passphrase
      PVK decoder: prompt for PVK passphrase and not PEM
      key_to_type_specific_pem_bio_cb: Use passphrase callback from the arguments
      test_rsa: Test for PVK format conversion
      Windows CI: explicitly use windows-2019 instead of using windows-latest
      bn2binpad: Use memset as the buffer will be used later
      Add some CHANGES.md entries for the 3.0.1 release

Viktor Dukhovni (3):
      Fully initialise cipher/digest app handles
      Prioritise DANE TLSA issuer certs over peer certs
      Test for DANE cross cert fix

Viktor Szakats (1):
      convert tabs to spaces in two distributed Perl scripts

Xiaofei Bai (1):
      Fix sigsize usage in apps/speed.c

astraujums (1):
      Fixed state transitions for the HTML version of the life_cycle-kdf.pod. The MAN version was fine and so are kdf.dot and lifecycles.ods from doc/life-cycles

jwalch (1):
      Avoid NULL+X UB in bss_mem.c

lprimak (1):
      MacOS prior to 10.12 does not support random API correctly

olszomal (1):
      Don't include any TLSv1.3 ciphersuites that are disabled

slontis (2):
      Document that the openssl fipsinstall self test callback may not be used.
      Fix tests to check for negative results when calling EVP_PKEY_fromdata_init

x2018 (8):
      add checks for the return values of BN_new(), sk_RSA_PRIME_INFO_new_reserve(), EVP_PKEY_CTX_new_from_pkey() and EVP_CIPHER_CTX_new(). Otherwise may result in memory errors.
      free the Post-Handshake Auth digest when there is an error saving the digest
      check the return value of BN_new() and BN_dup()
      check the return value of OPENSSL_strdup to prevent potential memory access error
      check the return value of OPENSSL_strdup(CRYPTO_strdup) to prevent potential memory access error
      check the return value of OPENSSL_strdup(CRYPTO_strdup) in apps/lib/app_rand.c:32
      check the return value of BN_dup() in rsa_lib.c:1248
      s_cb.c: check the return value of X509_get0_pubkey()

yuanjungong (1):
      Clean up on failed BIO creation

-----------------------------------------------------------------------