[openssl-commits] [openssl] OpenSSL_1_0_2b create

Matt Caswell matt at openssl.org
Thu Jun 11 14:44:40 UTC 2015

The annotated tag OpenSSL_1_0_2b has been created
        at  ca9e0fecf4f40d9c6933dcb934113aa93843a894 (tag)
   tagging  7b560c174dcd569795f5be66e0c091d1be440614 (commit)
  replaces  OpenSSL_1_0_2a
 tagged by  Matt Caswell
        on  Thu Jun 11 14:55:38 2015 +0100

- Log -----------------------------------------------------------------
OpenSSL 1.0.2b release tag

Andy Polyakov (18):
      sha/asm/sha256-armv4.pl: adapt for use in Linux kernel context.
      ec/asm/ecp_nistz256-x86_64.pl: update commentary with before-after performance data.
      aes/asm/aesv8-armx.pl: optimize for Cortex-A5x.
      sha/asm/sha*-armv8.pl: add Denver and X-Gene esults.
      modes/asm/ghashv8-armx.pl: up to 90% performance improvement.
      aes/asm/aesni-x86[_64].pl update.
      aes/asm/aesni-x86.pl: fix typo affecting Windows build.
      aes/asm/aesni-sha256-x86_64.pl: fix Windows compilation failure with old assembler.
      mk1mf.pl: replace chop for windows.
      bn/asm/vis3-mont.pl: fix intermittent EC failures on SPARC T3.
      bn/bn_gf2m.c: appease STACK, unstable code detector.
      bn/asm/x86_64-mont5.pl: fix valgrind error.
      bn/bn_lcl.h: fix MIPS-specific gcc version check.
      Configure: replace -mv8 with -mcpu=v8 in SPARC config lines.
      Housekeeping 'make TABLE' update.
      gcm.c: address linker warning about OPENSSL_ia32cap_P size mismatch.
      e_aes_cbc_hmac_sha*.c: address linker warning about OPENSSL_ia32cap_P size mismatch.
      bn/bn_gf2m.c: avoid infinite loop wich malformed ECParamters.

Annie Yousar (1):
      RT3230: Better test for C identifier

Ben Laurie (1):
      Use cc instead of gcc so either clang or gcc is used as appropriate. Add clang     flags needed to keep it happy.

Billy Brumley (1):
      fix copy paste error in ec_GF2m function prototypes

Bjoern D. Rasmussen (1):
      Fix for memcpy() and strcmp() being undefined.

David Woodhouse (2):
      Add DTLS to SSL_get_version
      Add DTLS support to ssltest

Douglas E Engert (1):
      Ensure EC private keys retain leading zeros

Dr. Stephen Henson (15):
      Make OCSP response verification more flexible.
      Configuration file examples.
      Fix OCSP tests.
      Fix ECDH detection, add ECDH keyid test.
      Fix ECDH key identifier support.
      Don't set *pval to NULL in ASN1_item_ex_new.
      Reject empty generation strings.
      Limit depth of nested sequences when generating ASN.1
      Fix encoding bug in i2c_ASN1_INTEGER
      Fix verify algorithm.
      PEM doc fixes
      check for error when creating PKCS#8 structure
      make update
      return correct NID for undefined object
      Fix infinite loop in CMS

Emilia Kasper (22):
      Harden SSLv2-supporting servers against Bleichenbacher's attack.
      Use -Wall -Wextra with clang
      Error out immediately on empty ciphers list.
      make update
      Initialize variable
      Repair EAP-FAST session resumption
      Correctly set Z_is_one on the return value in the NISTZ256 implementation.
      Fix error checking and memory leaks in NISTZ256 precomputation.
      Error checking and memory leak fixes in NISTZ256.
      NISTZ256: set Z_is_one to boolean 0/1 as is customary.
      NISTZ256: don't swallow malloc errors
      NISTZ256: use EC_POINT API and check errors.
      s_server: Use 2048-bit DH parameters by default.
      dhparam: fix documentation
      Update documentation with Diffie-Hellman best practices.     - Do not advise generation of DH parameters with dsaparam to save     computation time.     - Promote use of custom parameters more, and explicitly forbid use of     built-in parameters weaker than 2048 bits.     - Advise the callback to ignore <keylength> - it is currently called     with 1024 bits, but this value can and should be safely ignored by     servers.
      client: reject handshakes with DH parameters < 768 bits.
      Only support >= 256-bit elliptic curves with ecdh_auto (server) or by default (client).
      Fix ssltest to use 1024-bit DHE parameters
      Use CRYPTO_memcmp when comparing authenticators
      Use CRYPTO_memcmp in s3_cbc.c
      Fix length checks in X509_cmp_time to avoid out-of-bounds reads.
      PKCS#7: Fix NULL dereference with missing EncryptedContent.

Gilles Khouzam (1):
      RT3820: Don't call GetDesktopWindow()

Hanno Böck (2):
      Fix uninitialized variable.
      Call of memcmp with null pointers in obj_cmp()

Jeffrey Walton (1):
      Explicitly mention PKCS5_PBKDF2_HMAC in EVP doc.

Kurt Cancemi (1):
      Add missing NULL check in X509V3_parse_list()

Kurt Roeckx (7):
      Don't send a for ServerKeyExchange for kDHr and kDHd
      X509_VERIFY_PARAM_free: Check param for NULL
      do_dirname: Don't change gen on failures
      Correctly check for export size limit
      Allow all curves when the client doesn't send an supported elliptic curves extension
      Properly check certificate in case of export ciphers.
      Only allow a temporary rsa key exchange when they key is larger than 512.

Loganaden Velvindron (1):
      Fix CRYPTO_strdup

Lubom (1):
      Lost alert in DTLS

Matt Caswell (65):
      Prepare for 1.0.2b-dev
      Add DTLS tests to make test
      Fix no-ec with no-ec2m
      Don't check curves that haven't been sent
      Ensure last_write_sequence is saved in DTLS1.2
      Add ticket length before buffering DTLS message
      Fix RAND_(pseudo_)?_bytes returns
      Add more HMAC tests
      Ensure that both the MD and key have been initialised before attempting to     create an HMAC
      Add HMAC test for invalid key len
      Fix HMAC to pass invalid key len test
      Fix bug in s_client. Previously default verify locations would only be loaded     if CAfile or CApath were also supplied and successfully loaded first.
      Check for ClientHello message overruns
      Fix ssl_get_prev_session overrun
      In certain situations the server provided certificate chain may no longer be     valid. However the issuer of the leaf, or some intermediate cert is in fact     in the trust store.
      Add flag to inhibit checking for alternate certificate chains. Setting this     behaviour will force behaviour as per previous versions of OpenSSL
      Add -no_alt_chains option to apps to implement the new     X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building     certificate chains, the first chain found will be the one used. Without this     flag, if the first chain found is not trusted then we will keep looking to     see if we can build an alternative chain instead.
      Add documentation for the -no_alt_chains option for various apps, as well as     the X509_V_FLAG_NO_ALT_CHAINS flag.
      Fix misc NULL derefs in sureware engine
      Fix return checks in GOST engine
      Revert "Fix verify algorithm."
      Add length sanity check in SSLv2 n_do_ssl_write()
      Sanity check DES_enc_write buffer length
      Sanity check EVP_CTRL_AEAD_TLS_AAD
      Sanity check EVP_EncodeUpdate buffer len
      Clarify logic in BIO_*printf functions
      Add sanity check in ssl3_cbc_digest_record
      Sanity check the return from final_finish_mac
      Add sanity check to ssl_get_prev_session
      Add sanity check to print_bin function
      Fix buffer overrun in RSA signing
      Remove libcrypto to libssl dependency
      Add Error state
      Add more error state transitions
      Add more error state transitions (client)
      Add more error state transitions (DTLS)
      Check sk_SSL_CIPHER_new_null return value
      Don't allow a CCS when expecting a CertificateVerify
      Reject negative shifts for BN_rshift and BN_lshift
      Fix off-by-one in BN_rand
      Remove export static DH ciphersuites
      Fix typo setting up certificate masks
      Don't send an alert if we've just received one
      Handle unsigned struct timeval members
      Fix error check in GOST engine
      Don't check for a negative SRP extension size
      Check the message type requested is the type received in DTLS
      Fix race condition in NewSessionTicket
      Fix compilation failure for some tool chains
      Fix DTLS session resumption
      Fix off-by-one error in BN_bn2hex
      Clean Kerberos pre-master secret
      Clean premaster_secret for GOST
      Remove misleading comment
      Fix Kerberos issue in ssl_session_dup
      Replace memset with OPENSSL_cleanse()
      Fix memory leaks in BIO_dup_chain()
      Tighten extension handling
      EC_POINT_is_on_curve does not return a boolean
      Fix leak in HMAC error path
      DTLS handshake message fragments musn't span packets
      More ssl_session_dup fixes
      Update CHANGES and NEWS
      make update
      Prepare for 1.0.2b release

Mike Frysinger (1):
      Fix malloc define typo

Olaf Johansson (1):
      GH249: Fix bad regexp in arg parsing.

Per Allansson (1):
      Fix IP_MTU_DISCOVER typo

Rich Salz (4):
      RT3776: Wrong size for malloc
      Fix cut/paste error
      Add NULL checks from master
      RT1207: document SSL_COMP_free_compression_methods.

Richard Levitte (15):
      Appease clang -Wempty-translation-unit
      Appease clang -Wgnu-statement-expression
      Appease clang -Wshadow
      Ignore the non-dll windows specific build directories
      Have mkerr.pl treat already existing multiline string defs properly
      Initialised 'ok' and redo the logic.
      RT2943: Check sizes if -iv and -K arguments
      Fix the update target and remove duplicate file updates
      Missed a couple of spots in the update change
      Fix update and depend in engines/
      Add the macro OPENSSL_SYS_WIN64
      Add and rearrange building of libraries
      When making libcrypto from apps or test, make sure to include engines
      Correction of make depend merge error
      make update

Robert Swiecki (1):
      Don't add write errors into bytecounts

Sergey Agievich (1):
      Add funtions to set item_sign and item_verify

StudioEtrange (1):
      GitHub284: Fix typo in xx-32.pl scripts.

Viktor Dukhovni (2):
      Code style: space after 'if'
      Fix typo in valid_star


More information about the openssl-commits mailing list