The annotated tag openssl-3.0.0-beta2 has been created
        at  9e34480b312df6080aeca3e71e3c9d6893e66beb (tag)
   tagging  9f551541e84eead1d42604b7d5e61885e8e34be0 (commit)
  replaces  openssl-3.0.0-beta1
 tagged by  Matt Caswell
        on  Thu Jul 29 15:50:30 2021 +0100

- Log -----------------------------------------------------------------
OpenSSL 3.0.0-beta2 release tag

Benjamin Kaduk (1):
      Fix comment for test_negotiated_group() test order

Christian Heimes (1):
      Fix segfault in openssl x509 -modulus

Daiki Ueno (2):
      BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given
      apps: Use the first detected address family if IPv6 is not available

David Benjamin (1):
      Fix use of uninitialized memory in test_rsa_oaep

David CARLIER (1):
      darwin platform replacing getentropy usage by platform api instead.

Dmitry Belyavskiy (2):
      Some clear guidelines for the legacy algs.
      Missing link to fips_config documentation

Dr. David von Oheimb (22):
      http_client.c: fix OSSL_HTTP_proxy_connect() for HTTPS proxy use
      http_client.c: fix error reporting (a char was missing; improve style)
      http_client.c: make prefix checking more readable and more efficient
      http_client.c: make HTTP_LINE1_MINLEN more efficient
      http_client.c: fix HTTP_VERSION_STR_LEN and make it more efficient
      cmp_mock_srv.c: Fix polling mode such that it can be done multiple times
      cmp_client.c: Print checkAfter value from pollRep before it may get modified
      cmp_server.c: Fix check: certConf not allowed after transaction is closed
      CMP: Clean up internal message creation API and its documentation
      ossl_sk_ASN1_UTF8STRING2text(): Minor generalization and refactoring for readability
      CMP: Improve reporting of error codes and related strings via 'error' msg
      Fix file_name_check() in storemgmt/file_store.c and e_loader_attic.c
      DOC: Clarify the role of EKUs including defaults for TLS client and server use
      ossl_cmp_error_new(): Fix Coverity issue 1486534, and consequently also issues 1486536 and 1486533
      CMP: Add missing getter functions to CRMF API and CMP API
      cmp_mock_srv.c: Add missing OldCertID check for 'kur' cert update requests
      OSSL_CRMF_{CERTTEMPLATE,CERTID}_get0_serialNumber(): Make result const for consistency
      Improve doc of OSSL_HTTP_REQ_CTX_set_expected() on timeout param < 0
      Fix legacy OCSP_REQ_CTX_http() function to expect ASN.1 formatted input
      SSL_CTX_set_cert_verify_callback.pod: various corrections and clarifications
      tls_process_{client,server}_certificate(): allow verify_callback return > 1
      OSSL_HTTP_open(): Fix memory leak on TLS connect failure via proxy

Hubert Kario (2):
      cross-reference the DH and RSA SECLEVEL to level of security mappings
      doc: make error checking in ticket handling code explicit

Ingo Schwarze (1):
      Fix a read buffer overrun in X509_aux_print().

John Baldwin (2):
      Refactor KTLS tests to better support TLS 1.3.
      Add tests for KTLS with Chacha20-Poly1035.

Juergen Christ (1):
      Fix compile warning with GCC 11.

Lőrinczy, Zsigmond (1):
      Update config.pm

Marek (1):
      Add demo for HKDF

Martin Schwenke (12):
      ec: Fail build on big-endian with enable-ec_nistp_64_gcc_128
      bn: Drop use of .p2align pseudo-op
      bn: Update .align pseudo-ops to match convention
      bn: Drop unnecessary use of r9
      bn: Switch $i to be unused r9
      bn: save/restore registers to/from stack
      ec: Drop uses of .cfi_startproc/.cfi_endproc pseudo-ops
      ec: Add alignment pseudo-op at beginning of function
      ec: Only build ecp_nistp521-ppc64.s if enable-ec_nistp_64_gcc_128
      bn: Use a basic branch-if-not-zero
      bn: Fix .size directive
      bn: Make fixed-length Montgomery Multiplication conditional on PPC64

Matt Caswell (45):
      Prepare for 3.0 beta 2
      Ensure we remove libctx DRBG state before removing the provider store
      Add a test for a custom rand provider
      Instantiate predefined providers just-in-time
      Instantiate user-added builtin providers when we need them
      Instantiate configuration supplied providers when we need them
      Add a new provider to the store only after we activate it
      Remove flag_couldbechild
      Set use_fallbacks to zero when we add a provider to the store
      Merge ossl_provider_activate() and ossl_provider_activate_child()
      Only associate a provider with a store once it has been added to it
      Don't hold any locks while calling the provider init function
      Add a test to check that RAND_bytes_ex() works with a child lib ctx
      Don't skip the current provider in ossl_provider_register_child_cb
      make struct provider_info_st a full type
      Update documentation following updates to the provider code
      Move OPENSSL_add_builtin back into provider.c
      Fix a race in ossl_provider_add_to_store()
      Add wrap.pl to .gitignore
      Ensure ordinals are created during release process
      Avoid some MinGW test failures
      Use TEST_time_t_* functions in cmp_hrd_test.c
      Work around a 32-bit mingw failure
      Avoid "excessive message size" for session tickets
      Don't add the first pkcs12 certificate multiple times
      Add a PKCS12 test to check with one input cert we get one output cert
      Fix s_server PSK handling
      Don't reset the packet pointer in ssl3_setup_read_buffer
      Disallow SSL_key_update() if there are writes pending
      Fix signed/unsigned comparison warnings in sslapitest
      Fix some minor record layer issues
      Update our EVP_PKEY_METHODs to get low level keys via public APIs
      Fix custom EVP_PKEY_METHOD implementations where no engine is present
      Add a test for custom EVP_PKEY_METHODs
      Mark the EVP_PKEY_METHOD arg as const on some EVP_PKEY_meth_get_*() funcs
      Fix EVP_MD_meth_dup and EVP_CIPHER_meth_dup
      Add a test case for EVP_MD_meth_dup() and EVP_CIPHER_meth_dup()
      Don't leak the OSSL_LIB_CTX in the event of a failure to load the FIPS module
      Ensure any default_properties still apply even in the event of a provider load failure
      Don't try and load the config file while already loading the config file
      Add some testing for the case where the FIPS provider fails to load
      Update fingerprints.txt
      Update copyright year
      make update
      Prepare for release of 3.0 beta 2

Oliver Mihatsch (1):
      Fix memory leak in i2d_ASN1_bio_stream

Paul Kehrer (1):
      update pyca-cryptography regression test suite

Pauli (85):
      params: avoid using intmax_t since it's not well supported
      params: fix range check when converting double to uint64_t.
      ssl: do not choose auto DH groups that are weaker than the security level
      test: add test for auto DH security level meets the minimum
      include: replace tabs with spaces in headers
      ssl: replace tabs with spaces
      test: replace tabs with spaces in test recipes
      crypto: replace tabs with spaces
      punycode: fix indentation
      ssl: fix indentation
      ssl: fix indentation
      asn1: fix indentation
      rsa: fix indentation
      test: fix indentation
      sm3: fix function names after the big ossl_ prefix addition.
      test: put the new DHE auto test in the correct place
      asn1: properly clean up on failed BIO creation
      testutil: preserve app_malloc()'s failure behaviour
      doc: Document that the OBJ creation functions don't lock.
      err: add unable to get lock errors
      property: add locking for the property string database
      property: remove spurious incorrect comments
      test: add EVP_Q_digest tests to evp_test
      test: add EVP_Q_mac tests to evp_test
      apps: properly initialise arguments to EVP_PKEY_get_bn_param()
      x509: address NULL dereference and memory leaks
      apps: address potential memory leaks
      ui: address potential memory leak
      evp_test: address NULL pointer dereference and return failure better
      test: avoid memory leaks on errors
      test: check for NULL returns better
      doc: update up call documentation
      evp_test: use correct size in memory clear
      x509: improve error reporting
      test: fix coverity 1469427 Improper use of negative value (NEGATIVE_RETURNS)
      bio: check for valid socket when closing
      s_time: avoid unlikely division by zero
      dh_test: fix coverity 1473239 Argument cannot be negative (NEGATIVE_RETURNS)
      evp: fix coverity 1473380 Copy into fixed size buffer (STRING_OVERFLOW)
      test: fix test ordering in threads test
      afalg: add some memory initialisation calls to pacify memory sanitisation.
      ci: add a memory sanitiser test run
      provider: use #define for PBKDF1 algorithm name
      doc: add PBKDF1 provider documentation
      doc: include PBKDF1 documentation in build.info
      util: add -fips option to wrap.pl to make using the FIPS provider easier
      test: add some integral type size sanity checks
      err: remove ERR_GET_FUNC()
      doc: update documentation to note removal of ERR_GET_FUNC()
      changes: add entry noting the removal of ERR_GET_FUNC()
      bn: produce correct sign for result of BN_mod()
      evp: detect and raise an error if no digest is found for a sign/verify operation
      apps: fix Coverity 1451531 Unchecked return value
      test: rename apps_mem.c to be apps_shims.c in anticipation of additional functions
      test: add a shim function for the apps's opt_legacy_okay() function
      test: make build descriptions more consistent
      apps: add query to allow a command to know of a provider command line option was processed
      apps: add a function opt_legacy_okay() that indicates if legacy paths are permitted or not
      app: add library context and propq arguments to opt_md() and opt_cipher()
      doc: document the new opt_legacy_okay() function's behaviour
      asn.1: fix Coverity 1487104 Logically dead code
      apps: avoid using POSIX IO macros and functions when built without them.
      Remove lower limit on GCM mode ciphers
      test: add single byte IV AES GCM tests
      evp: constify some OSSL_PARAM arguments
      doc: document the params arguments to the initialisation functions.
      config: enable ACVP test case if FIPS is enabled.
      test: fix use after scope problem in ACVP test
      demo: add pbkdf2 demonstration program
      demo: add scrypt demonstration program
      demos: add Makefile support for pbkdf2 and scrypt KDF demos
      demos: update readme file with pbkdf2 and scrypt examples.
      drbg: allow the ctr derivation function to be disabled in FIPS mode
      err: remove the derivation function is mandatory for FIPS error message since it's no longer used and newly introduced
      docs: update CTR DRBG documentation to not mention the lack of a derivation function in FIPS
      test: include all DRBG tests in FIPS mode
      ci: omit tests that consume too much memory
      ci: reinstate the passwd tests for the no-cached-fetch run.
      ci: QEMU based cross compiled testing
      test: handle not a number (NaN) values in the param conversion test.
      QEMU: include test runs for most cross compilation targets
      ci: add the param conversion tests to the cross compiles.
      ci: get rid of no-asm flag to m68k cross compiles
      ci: disable async for the SH4 build and reenable the associated test
      test: add a comment indication that a bad MAC is intentional

Petr Gotthard (2):
      BIO_new_from_core_bio: Fix heap-use-after-free after attach
      doc: fix OPENSSL_VERSION_NUMBER length in the synopsis

Randall S. Becker (4):
      Add assert.h to threads_pthread.c for NonStop thread compiles.
      Document cross-compile considerations for NonStop x86 builds.
      Defined out MUTEX attributes not available on NonStop SPT Threads.
      Made foreign bit field unsigned in evp.h

Rich Salz (1):
      Fix bug in X509_print_ex

Richard Levitte (45):
      OpenSSL::Test: Move the command line quotifier
      Make util/wrap.pl work better on VMS
      TESTS: drop explicit quotes from empty command line arguments
      STORE: Fix OSSL_STORE_open_ex() error reporting
      Fix definition of ossl_intmax_t and ossl_uintmax_t
      APPS: Make fallback opt_[u]intmax() implementations based on long
      APPS & TEST: Use ossl_[u]intmax_t rather than [u]intmax_t
      test/recipes/80-test_cmp_http.t: use app() rather than cmd()
      test/recipes/81-test_cmp_cli.t: use app() rather than cmd()
      TEST: check 'loadereng' to determine if loader_attic should be tested
      Configure: Reflect that We don't build loader_attic when dynamic-engine is disabled
      EVP: Change the output size type of EVP_Q_digest() and EVP_Q_mac()
      Adapt other parts of the source to the changed EVP_Q_digest() and EVP_Q_mac()
      test/recipes/90-test_shlibload.t: Modify to work with known file names
      TEST: Modify simpledynamic.[ch] to allow use on VMS as well
      OpenSSL::Util::fixup_cmd_elements(): Include '!' among the VMS chars to process
      Fix test_errstr for VMS
      UTF-8 not easily supported on VMS command line yet
      test/ossl_store_test.c: Adapt the use of datadir for VMS paths
      testutil: teach test_mk_file_path() how to merge VMS file specs
      test/recipes/66-test_ossl_store.t: ensure native paths
      test/recipes/80-test_ca.t: Don't force quotes around the config file in $cnf
      apps/CA.pl.in: restore the quotes around -CAfile, they were there for a reason
      test/recipes/90-test_includes_data/vms-includes.cnf: correct the directory
      ENCODER & DECODER: Allow en/decoders to have multiple names
      Fix 'openssl req' to correctly use the algorithm from '-newkey algo:nnnn'
      PROV: Have our PEM->DER decoder only recognise our PEM names
      ENCODER & DECODER: Make a tighter coupling between en/decoders and keymgmt
      OSSL_STORE: Fix crash when tracing STORE
      DECODER & ENCODER: Make sure to pass around the original selection bits
      EVP: Have EVP_PKCS82PKEY_ex() pass a correct selection to OSSL_DECODER
      DOC: clarify OPENSSL_API_COMPAT
      TEST: Add testing of PVK and MSBLOB files to test_store
      PROV & STORE: Don't decode keys in the 'file:' store loader
      PROV & STORE: Make the 'file:' store loader understand more binary formats
      CRYPTO: Remove the check for built-in methods in the export_to function
      platform->sharedlib_simple(): return undef when same as platform->sharedlib()
      Configurations/unix-Makefile.tmpl: use platform->sharedlib() as fallback
      TEST: Check that i2d refuses to encode non-optional items with no content
      ASN.1: Refuse to encode to DER if non-optional items are missing
      Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN
      Fix test/asn1_encode_test.c to handle encoding/decoding failure
      Avoid empty lines in nmake rule bodies
      EVP: Add EVP_PKEY_get0_provider() and EVP_PKEY_CTX_get0_provider()
      DOCS: Move the description of EVP_PKEY_get0_description()

Robbie Harwood (1):
      Update dependencies for krb5 external test

Shane Lontis (6):
      Fix aes_core to use U64() macro..
      Change self test for AES_CGM to perform both an encrypt and decrypt.
      Add table entries for fips 186-5 related to RSA auxiliary probable primes.
      Fix compile errors when building with --api=1.1.0 no-deprecated.
      Add test for provider gettables
      Add HKDF negative tests

Syrone Wong (1):
      Fix OSSL_TRACE9 missing arg9

Theo Buehler (1):
      Fix two typos in OSSL_trace_enabled.pod

Tianjia Zhang (1):
      Remove executable mode attributes of non-executable files

Todd Short (1):
      Add missing session timeout calc

Tomas Mraz (45):
      aix64-gcc target: Fix build breakage with enable-fips
      Replace non-ASCII character in source file
      evp_test: Support testing of stitched TLS ciphers
      simpledynamic: Add missing include for AIX builds
      Documentation: SM2 keys can use only the SM2 curve
      ossl_pw_get_passphrase: No ui method does not necessarily mean internal error
      epki2pki_decode: passphrase callback failure is fatal error
      OSSL_DECODER_from_bio: Avoid spurious decoder error
      trace: Do not produce dead code calling BIO_printf if disabled
      ppccap.c: Split out algorithm-specific functions
      Only the fips module dependencies are relevant for fips.module.sources
      Update fips sources and checksums
      coverity #1486531: return error properly from x509_pubkey_ex_new_ex()
      coverity #1486532: fix potential NULL dereference in test_mk_file_path()
      doc: Mention the update of der data pointers in d2i/i2d
      pem_read_bio_key_decoder: Avoid spurious error on unknown PEM data
      pem_read_bio_key: Add passphrase caching to avoid asking for password twice
      load_pkey_pem: Check for spurious errors when loading
      test_pem_reading: Test loading a key from a file with multiple PEM data
      load_key_certs_crls: Avoid reporting any spurious errors
      PEM_read_...: document that garbage and other PEM data is skipped
      Coverity #1486687: fix potential dereference of NULL keymgmt
      rsa_cms_verify: Avoid negative return with missing pss parameters
      fips module header inclusion fine-tuning
      update fips checksums
      test_cmp_ctx: Avoid using empty X509 with i2d
      doc: Document that incomplete certificates return error
      Make EVP_PKEY_check() be an alias for EVP_PKEY_pairwise_check()
      Split bignum code out of the sparcv9cap.c
      acvp_test: Fix incorrect parenthesis
      Signature algos: allow having identical digest in params
      CI: have enable-acvp-tests in some CI build
      Drop daily run-checker build with just enable-acvp-tests
      Allow RSA signature operations with RSA_NO_PADDING
      evp_test: Add tests for rsa_padding_mode:none
      RSA_public_decrypt is equivalent to a verify recover operation
      doc: It is not possible to use SSL_OP_* value in preprocessor conditions
      DSA/RSA_print(): Fix potential memory leak
      do_sigver_init: Add missing ERR_clear_last_mark()
      Fix potential problems with EVP_PKEY_CTX_new() with engine set
      ECDSA_SIG_set0: r and s parameters cannot be NULL
      ECDSA_SIG_set0(): Clarify documentation and fix formatting errors
      Drop no-ktls from runchecker daily build as it has no effect
      Test ktls in non-default options CI build
      KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it

jenda1 (1):
      Makefile: Avoid changing LIBDIR based on whether it already exists

yangyangtiantianlonglong (1):
      Add testcases for SSL_key_update() corner case calls

yunh (1):
      enable getauxval on android 10

杨明君 (1):
      test: add sm3 low level test case to test suite.

-----------------------------------------------------------------------