[openssl-commits] [openssl] OpenSSL_1_0_1n create

Matt Caswell matt at openssl.org
Thu Jun 11 14:44:39 UTC 2015

The annotated tag OpenSSL_1_0_1n has been created
        at  42c2a7f2c7173883f008a9678444cbafe2032cf8 (tag)
   tagging  517899e6c8af47d4972dcf9b375386631f6c93f1 (commit)
  replaces  OpenSSL_1_0_1m
 tagged by  Matt Caswell
        on  Thu Jun 11 15:05:11 2015 +0100

- Log -----------------------------------------------------------------
OpenSSL 1.0.1n release tag

Andy Polyakov (7):
      Please Clang's sanitizer, addendum.
      mk1mf.pl: replace chop for windows.
      md32_common.h: backport ICC fix.
      bn/bn_lcl.h: fix MIPS-specific gcc version check.
      Configure: replace -mv8 with -mcpu=v8 in SPARC config lines.
      Housekeeping 'make TABLE' update.
      bn/bn_gf2m.c: avoid infinite loop wich malformed ECParamters.

Annie Yousar (1):
      RT3230: Better test for C identifier

Billy Brumley (1):
      fix copy paste error in ec_GF2m function prototypes

Bjoern D. Rasmussen (1):
      Fix for memcpy() and strcmp() being undefined.

Douglas E Engert (1):
      Ensure EC private keys retain leading zeros

Dr. Stephen Henson (10):
      Make OCSP response verification more flexible.
      Configuration file examples.
      Don't set *pval to NULL in ASN1_item_ex_new.
      Reject empty generation strings.
      Limit depth of nested sequences when generating ASN.1
      Fix encoding bug in i2c_ASN1_INTEGER
      PEM doc fixes
      check for error when creating PKCS#8 structure
      return correct NID for undefined object
      Fix infinite loop in CMS

Emilia Kasper (16):
      Fix uninitialized variable warning
      Harden SSLv2-supporting servers against Bleichenbacher's attack.
      Error out immediately on empty ciphers list.
      make update
      Initialize variable
      Repair EAP-FAST session resumption
      s_server: Use 2048-bit DH parameters by default.
      dhparam: set the default to 2048 bits
      dhparam: fix documentation
      Update documentation with Diffie-Hellman best practices.     - Do not advise generation of DH parameters with dsaparam to save     computation time.     - Promote use of custom parameters more, and explicitly forbid use of     built-in parameters weaker than 2048 bits.     - Advise the callback to ignore <keylength> - it is currently called     with 1024 bits, but this value can and should be safely ignored by     servers.
      client: reject handshakes with DH parameters < 768 bits.
      Fix ssltest to use 1024-bit DHE parameters
      Use CRYPTO_memcmp when comparing authenticators
      Use CRYPTO_memcmp in s3_cbc.c
      Fix length checks in X509_cmp_time to avoid out-of-bounds reads.
      PKCS#7: Fix NULL dereference with missing EncryptedContent.

Gilles Khouzam (1):
      RT3820: Don't call GetDesktopWindow()

Hanno Böck (2):
      Fix uninitialized variable.
      Call of memcmp with null pointers in obj_cmp()

John Foley (1):
      Fix intermittent s_server issues with ECDHE

Kurt Cancemi (1):
      Add missing NULL check in X509V3_parse_list()

Kurt Roeckx (6):
      Don't send a for ServerKeyExchange for kDHr and kDHd
      X509_VERIFY_PARAM_free: Check param for NULL
      do_dirname: Don't change gen on failures
      Correctly check for export size limit
      Properly check certificate in case of export ciphers.
      Only allow a temporary rsa key exchange when they key is larger than 512.

Loganaden Velvindron (1):
      Fix CRYPTO_strdup

Lubom (1):
      Lost alert in DTLS

Matt Caswell (54):
      Prepare for 1.0.1n-dev
      Fix RAND_(pseudo_)?_bytes returns
      Add more HMAC tests
      Ensure that both the MD and key have been initialised before attempting to     create an HMAC
      Add HMAC test for invalid key len
      Fix HMAC to pass invalid key len test
      Fix bug in s_client. Previously default verify locations would only be loaded     if CAfile or CApath were also supplied and successfully loaded first.
      Check for ClientHello message overruns
      Fix ssl_get_prev_session overrun
      Fix misc NULL derefs in sureware engine
      Fix return checks in GOST engine
      Add length sanity check in SSLv2 n_do_ssl_write()
      Sanity check DES_enc_write buffer length
      Sanity check EVP_CTRL_AEAD_TLS_AAD
      Sanity check EVP_EncodeUpdate buffer len
      Clarify logic in BIO_*printf functions
      Add sanity check in ssl3_cbc_digest_record
      Sanity check the return from final_finish_mac
      Add sanity check to ssl_get_prev_session
      Add sanity check to print_bin function
      Fix buffer overrun in RSA signing
      Add Error state
      Add more error state transitions
      Add more error state transitions (client)
      Add more error state transitions (DTLS)
      Check sk_SSL_CIPHER_new_null return value
      Don't allow a CCS when expecting a CertificateVerify
      In certain situations the server provided certificate chain may no longer be valid. However the issuer of the leaf, or some intermediate cert is in fact in the trust store.
      Add flag to inhibit checking for alternate certificate chains. Setting this behaviour will force behaviour as per previous versions of OpenSSL
      Add -no_alt_chains option to apps to implement the new X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building certificate chains, the first chain found will be the one used. Without this flag, if the first chain found is not trusted then we will keep looking to see if we can build an alternative chain instead.
      Add documentation for the -no_alt_chains option for various apps, as well as the X509_V_FLAG_NO_ALT_CHAINS flag.
      Reject negative shifts for BN_rshift and BN_lshift
      Fix off-by-one in BN_rand
      Don't send an alert if we've just received one
      Handle unsigned struct timeval members
      Fix error check in GOST engine
      Don't check for a negative SRP extension size
      Check the message type requested is the type received in DTLS
      Clear state in DTLSv1_listen
      Fix race condition in NewSessionTicket
      Fix off-by-one error in BN_bn2hex
      Clean Kerberos pre-master secret
      Clean premaster_secret for GOST
      Remove misleading comment
      Fix Kerberos issue in ssl_session_dup
      Replace memset with OPENSSL_cleanse()
      Fix memory leaks in BIO_dup_chain()
      Tighten extension handling
      EC_POINT_is_on_curve does not return a boolean
      Fix leak in HMAC error path
      DTLS handshake message fragments musn't span packets
      More ssl_session_dup fixes
      Update CHANGES and NEWS
      Prepare for 1.0.1n release

Mike Frysinger (1):
      Fix malloc define typo

Rich Salz (1):
      Add NULL checks from master

Richard Levitte (11):
      Ignore the non-dll windows specific build directories
      Have mkerr.pl treat already existing multiline string defs properly
      Initialised 'ok' and redo the logic.
      RT2943: Check sizes if -iv and -K arguments
      Fix the update target and remove duplicate file updates
      Missed a couple of spots in the update change
      Fix update and depend in engines/
      Add the macro OPENSSL_SYS_WIN64
      Add and rearrange building of libraries
      When making libcrypto from apps or test, make sure to include engines
      Correction of make depend merge error

Robert Swiecki (1):
      Don't add write errors into bytecounts

StudioEtrange (1):
      GitHub284: Fix typo in xx-32.pl scripts.

Viktor Dukhovni (1):
      Code style: space after 'if'


More information about the openssl-commits mailing list