[openssl-commits] [openssl] OpenSSL_1_0_1n create
matt at openssl.org
Thu Jun 11 14:44:39 UTC 2015
The annotated tag OpenSSL_1_0_1n has been created
at 42c2a7f2c7173883f008a9678444cbafe2032cf8 (tag)
tagging 517899e6c8af47d4972dcf9b375386631f6c93f1 (commit)
tagged by Matt Caswell
on Thu Jun 11 15:05:11 2015 +0100
- Log -----------------------------------------------------------------
OpenSSL 1.0.1n release tag
Andy Polyakov (7):
Please Clang's sanitizer, addendum.
mk1mf.pl: replace chop for windows.
md32_common.h: backport ICC fix.
bn/bn_lcl.h: fix MIPS-specific gcc version check.
Configure: replace -mv8 with -mcpu=v8 in SPARC config lines.
Housekeeping 'make TABLE' update.
bn/bn_gf2m.c: avoid infinite loop wich malformed ECParamters.
Annie Yousar (1):
RT3230: Better test for C identifier
Billy Brumley (1):
fix copy paste error in ec_GF2m function prototypes
Bjoern D. Rasmussen (1):
Fix for memcpy() and strcmp() being undefined.
Douglas E Engert (1):
Ensure EC private keys retain leading zeros
Dr. Stephen Henson (10):
Make OCSP response verification more flexible.
Configuration file examples.
Don't set *pval to NULL in ASN1_item_ex_new.
Reject empty generation strings.
Limit depth of nested sequences when generating ASN.1
Fix encoding bug in i2c_ASN1_INTEGER
PEM doc fixes
check for error when creating PKCS#8 structure
return correct NID for undefined object
Fix infinite loop in CMS
Emilia Kasper (16):
Fix uninitialized variable warning
Harden SSLv2-supporting servers against Bleichenbacher's attack.
Error out immediately on empty ciphers list.
Repair EAP-FAST session resumption
s_server: Use 2048-bit DH parameters by default.
dhparam: set the default to 2048 bits
dhparam: fix documentation
Update documentation with Diffie-Hellman best practices. - Do not advise generation of DH parameters with dsaparam to save computation time. - Promote use of custom parameters more, and explicitly forbid use of built-in parameters weaker than 2048 bits. - Advise the callback to ignore <keylength> - it is currently called with 1024 bits, but this value can and should be safely ignored by servers.
client: reject handshakes with DH parameters < 768 bits.
Fix ssltest to use 1024-bit DHE parameters
Use CRYPTO_memcmp when comparing authenticators
Use CRYPTO_memcmp in s3_cbc.c
Fix length checks in X509_cmp_time to avoid out-of-bounds reads.
PKCS#7: Fix NULL dereference with missing EncryptedContent.
Gilles Khouzam (1):
RT3820: Don't call GetDesktopWindow()
Hanno Böck (2):
Fix uninitialized variable.
Call of memcmp with null pointers in obj_cmp()
John Foley (1):
Fix intermittent s_server issues with ECDHE
Kurt Cancemi (1):
Add missing NULL check in X509V3_parse_list()
Kurt Roeckx (6):
Don't send a for ServerKeyExchange for kDHr and kDHd
X509_VERIFY_PARAM_free: Check param for NULL
do_dirname: Don't change gen on failures
Correctly check for export size limit
Properly check certificate in case of export ciphers.
Only allow a temporary rsa key exchange when they key is larger than 512.
Loganaden Velvindron (1):
Lost alert in DTLS
Matt Caswell (54):
Prepare for 1.0.1n-dev
Fix RAND_(pseudo_)?_bytes returns
Add more HMAC tests
Ensure that both the MD and key have been initialised before attempting to create an HMAC
Add HMAC test for invalid key len
Fix HMAC to pass invalid key len test
Fix bug in s_client. Previously default verify locations would only be loaded if CAfile or CApath were also supplied and successfully loaded first.
Check for ClientHello message overruns
Fix ssl_get_prev_session overrun
Fix misc NULL derefs in sureware engine
Fix return checks in GOST engine
Add length sanity check in SSLv2 n_do_ssl_write()
Sanity check DES_enc_write buffer length
Sanity check EVP_CTRL_AEAD_TLS_AAD
Sanity check EVP_EncodeUpdate buffer len
Clarify logic in BIO_*printf functions
Add sanity check in ssl3_cbc_digest_record
Sanity check the return from final_finish_mac
Add sanity check to ssl_get_prev_session
Add sanity check to print_bin function
Fix buffer overrun in RSA signing
Add Error state
Add more error state transitions
Add more error state transitions (client)
Add more error state transitions (DTLS)
Check sk_SSL_CIPHER_new_null return value
Don't allow a CCS when expecting a CertificateVerify
In certain situations the server provided certificate chain may no longer be valid. However the issuer of the leaf, or some intermediate cert is in fact in the trust store.
Add flag to inhibit checking for alternate certificate chains. Setting this behaviour will force behaviour as per previous versions of OpenSSL
Add -no_alt_chains option to apps to implement the new X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building certificate chains, the first chain found will be the one used. Without this flag, if the first chain found is not trusted then we will keep looking to see if we can build an alternative chain instead.
Add documentation for the -no_alt_chains option for various apps, as well as the X509_V_FLAG_NO_ALT_CHAINS flag.
Reject negative shifts for BN_rshift and BN_lshift
Fix off-by-one in BN_rand
Don't send an alert if we've just received one
Handle unsigned struct timeval members
Fix error check in GOST engine
Don't check for a negative SRP extension size
Check the message type requested is the type received in DTLS
Clear state in DTLSv1_listen
Fix race condition in NewSessionTicket
Fix off-by-one error in BN_bn2hex
Clean Kerberos pre-master secret
Clean premaster_secret for GOST
Remove misleading comment
Fix Kerberos issue in ssl_session_dup
Replace memset with OPENSSL_cleanse()
Fix memory leaks in BIO_dup_chain()
Tighten extension handling
EC_POINT_is_on_curve does not return a boolean
Fix leak in HMAC error path
DTLS handshake message fragments musn't span packets
More ssl_session_dup fixes
Update CHANGES and NEWS
Prepare for 1.0.1n release
Mike Frysinger (1):
Fix malloc define typo
Rich Salz (1):
Add NULL checks from master
Richard Levitte (11):
Ignore the non-dll windows specific build directories
Have mkerr.pl treat already existing multiline string defs properly
Initialised 'ok' and redo the logic.
RT2943: Check sizes if -iv and -K arguments
Fix the update target and remove duplicate file updates
Missed a couple of spots in the update change
Fix update and depend in engines/
Add the macro OPENSSL_SYS_WIN64
Add and rearrange building of libraries
When making libcrypto from apps or test, make sure to include engines
Correction of make depend merge error
Robert Swiecki (1):
Don't add write errors into bytecounts
GitHub284: Fix typo in xx-32.pl scripts.
Viktor Dukhovni (1):
Code style: space after 'if'
More information about the openssl-commits