[openssl-commits] [openssl] OpenSSL_1_0_2i create

Matt Caswell matt at openssl.org
Thu Sep 22 10:38:12 UTC 2016

The annotated tag OpenSSL_1_0_2i has been created
        at  c3b111de3699ae812738e61c6b01101ea6a12b74 (tag)
   tagging  32c130160f7dac2cef5d0e30d94b335e4a87104d (commit)
  replaces  OpenSSL_1_0_2h
 tagged by  Matt Caswell
        on  Thu Sep 22 11:24:53 2016 +0100

- Log -----------------------------------------------------------------
OpenSSL 1.0.2i release tag

Alessandro Ghedini (1):
      Avoid double declaration of COMP_METHOD
          Reviewed-by: Matt Caswell <matt at openssl.org>
          Reviewed-by: Kurt Roeckx <kurt at openssl.org>
          Reviewed-by: Rich Salz <rsalz at openssl.org>
          (Merged from https://github.com/openssl/openssl/pull/1083)

Andy Polyakov (16):
      rand/randfile.c: remove _XOPEN_SOURCE definition.
      hmac/hmac.c: switch to OPENSSL_cleanse.
      crypto/mem_clr.c: switch to OPENSSL_cleanse implementation from master.
      crypto/mem.c: drop reference to cleanse_ctr and fix no-asm builds.
      crypto/sparccpuid.S: limit symbol visibility.
      aes/asm/bsaes-armv7.pl: fix XTS decrypt test failure.
      aes/asm/bsaes-armv7.pl: omit redundant stores in XTS subroutines.
      doc/crypto/OPENSSL_ia32cap.pod: harmonize with actual declaration.
      SPARC assembly pack: enforce V8+ ABI constraints.
      sha/asm/sha1-x86_64.pl: fix crash in SHAEXT code on Windows.
      ec/ecp_nistz256.c: get is_one on 32-bit platforms right.
      bn/asm/x86[_64]-mont*.pl: implement slightly alternative page-walking.
      ec/asm/ecp_nistz256-x86_64.pl: addition to perform stricter reduction.
      ec/ecp_nistz256: harmonize is_infinity with ec_GFp_simple_is_at_infinity.
      ec/asm/ecp_nistz256-x86_64.pl: /cmovb/cmovc/ as nasm doesn't recognize cmovb.
      crypto/bn/*: x86[_64] division instruction doesn't handle constants, change constraint from 'g' to 'r'.

Cesar Pereida (1):
      Fix DSA, preserve BN_FLG_CONSTTIME

Cristian Stoica (1):
      remove double initialization of cryptodev engine

Cynh (1):
      Fix SRP client key computation

David Benjamin (2):
      Don't send signature algorithms when client_version is below TLS 1.2.
      Don't check for malloc failure twice.

David Woodhouse (4):
      Fix SSL_export_keying_material() for DTLS1_BAD_VER
      Fix ubsan 'left shift of negative value -1' error in satsub64be()
      Add basic test for Cisco DTLS1_BAD_VER and record replay handling
      Avoid EVP_PKEY_cmp() crash on EC keys without public component

Dirk Feytons (1):
      Fix build with no-cmac

Dmitry Belyavsky (1):
      Avoid KCI attack for GOST

Dr. Matthias St. Pierre (1):
      RT3925: Remove trailing semi from #define's.

Dr. Stephen Henson (50):
      add documentation
      Fix double free in d2i_PrivateKey().
      Fix name length limit check.
      Always try to set ASN.1 parameters for CMS.
      Use default ASN.1 for SEED.
      Only set CMS parameter when encrypting
      Tidy up PKCS12_newpass() fix memory leaks.
      Constify PKCS12_newpass()
      Only call FIPS_update, FIPS_final in FIPS mode.
      Add -signcert to CA.pl usage message.
      Parameter copy sanity checks.
      Don't skip leading zeroes in PSK keys.
      Fix link error.
      Fix omitted selector handling.
      Don't indicate errors during initial adb decode.
      Fix print of ASN.1 BIGNUM type.
      Check and print out boolean type properly.
      Support PKCS v2.0 print in pkcs12 utility.
      Send alert on CKE error.
      Sanity check in ssl_get_algorithm2().
      Clarify digest change in HMAC_Init_ex()
      Fix OOB read in TS_OBJ_print_bio().
      Send alert for bad DH CKE
      Use newest CRL.
      Set error if EVP_CipherUpdate fails.
      Note cipher BIO write errors too.
      Fix CRL time comparison.
      Check for overflows and error return from ASN1_object_size()
      Check for overflows in ASN1_object_size().
      include <limits.h>
      Calculate sequence length properly.
      Limit status message size in ts_get_status_check
      Check for overflows in i2d_ASN1_SET()
      Limit recursion depth in old d2i_ASN1_bytes function
      Leak fixes.
      Sanity check input length in OPENSSL_uni2asc().
      Check for errors in a2d_ASN1_OBJECT()
      Check for errors in BN_bn2dec()
      Limit reads in do_b2i_bio()
      Sanity check ticket length.
      Avoid overflow in MDC2_Update()
      Fix memory leak on error.
      Fix memory leak on error.
      Fix memory leak on realloc error.
      update default dependencies
      Fix small OOB reads.
      Remove unnecessary check.
      Use SSL3_HM_HEADER_LENGTH instead of 4.
      Make message buffer slightly larger than message.

FdaSilvaYY (2):
      Fix some missing inits
      Fix a few leaks in X509_REQ_to_X509.
          Fix a possible leak on NETSCAPE_SPKI_verify failure.

John Foley (1):
      RT3752: Add FIPS callback for thread id

Jonas Maebe (1):
      cryptodev_asym, zapparams: use OPENSSL_* allocation routines, handle errors

Kazuki Yamaguchi (1):
      Fix overflow check in BN_bn2dec()

Kurt Roeckx (2):
      Return error when trying to print invalid ASN1 integer
      Fix off by 1 in ASN1_STRING_set()

Marcus Meissner (1):
      initialize the RSA struct to 0.

Matt Caswell (49):
      Prepare for 1.0.2i-dev
      Fix BIO_eof() for BIO pairs
      Fix SSL compression symbol exporting
      Remove repeated condition from if in X509_NAME_oneline
      Fix a double free in tls1_setup_key_block
      Check that the obtained public key is valid
      Fix error return value in SRP functions
      Fix a mem leak on an error path in OBJ_NAME_add()
      The ssl3_digest_cached_records() function does not handle errors properly
      Check for malloc failure in EVP_PKEY_keygen()
      Avoid some undefined pointer arithmetic
      BIO_printf() can fail to print the last character
      Fix documentation error in x509 app certopt flag
      More fix DSA, preserve BN_FLG_CONSTTIME
      Fix BN_mod_word bug
      Add a BN_mod_word test()
      Fix seg fault in TS_RESP_verify_response()
      Fix an error path leak in do_ext_nconf()
      Fix an error path leak in int X509_ATTRIBUTE_set1_data()
      Revert "RT4526: Call TerminateProcess, not ExitProcess"
      Fix ASN1_STRING_to_UTF8 could not convert NumericString
      Ensure HMAC key gets cleansed after use
      Change usage of RAND_pseudo_bytes to RAND_bytes
      Convert memset calls to OPENSSL_cleanse
      Avoid an overflow in constructing the ServerKeyExchange message
      Disallow multiple protocol flags to s_server and s_client
      Back port ssltestlib code to 1.0.2
      Add a DTLS unprocessed records test
      Fix DTLS unprocessed records bug
      Add DTLS replay protection test
      Fix DTLS replay protection
      Update function error code
      Silence some "maybe used uninitialised" warnings
      Fix DTLS buffered message DoS attack
      Prevent DTLS Finished message injection
      Fix no-ec
      Fix the no-tls1 option
      SRP_create_verifier does not check for NULL before OPENSSL_cleanse
      Ensure the CertStatus message adds a DTLS message header where needed
      Abort on unrecognised warning alerts
      Add some sanity checks around usage of t_fromb64()
      Revert "Abort on unrecognised warning alerts"
      Fix a missing NULL check in dsa_builtin_paramgen
      Don't allow too many consecutive warning alerts
      Fix OCSP Status Request extension unbounded memory growth
      Fix a mem leak in NPN handling
      Updates CHANGES and NEWS for new release
      Prepare for 1.0.2i release

Orgad Shaneh (1):
      Fix compilation with CMS disabled

Pauli (1):
      RT4573: Synopsis for RAND_add is wrong

Phillip Hellewell (1):
      RT3053: Check for NULL before dereferencing

Rich Salz (21):
      GH837: Avoid double-free in OCSP parse.
      Recommend GH over RT, per team vote.
      RT4560: Initialize variable to NULL
      RT4562: Backport doc fix.
      RT4546: Backport doc fix
      RT4526: Call TerminateProcess, not ExitProcess
      RT4545: Backport 2877 to 1.0.2
      RT2964: Fix it via doc
      Revert "RT2964: Fix it via doc"
      RT2964: Fix it via doc
      Add missing casts.
      Fix NULL-return checks in 1.0.2
      RT3940: For now, just document the issue.
      Fix incorrect return argument.
      Fix pointer/alloc prob from previous commit
      RT2676: Reject RSA exponent if even or 1
      SWEET32 (CVE-2016-2183): Move DES from HIGH to MEDIUM
      Misc BN fixes
      Make update
      GH1555: Don't bump size on realloc failure
      Document -alpn flag

Richard Levitte (54):
      Check return of PEM_write_* functions and report possible errors
      Add NULL check in i2d_PrivateKey()
      Use RPMBUILD macros rather than hard coded paths in openssl.spec
      Windows: Add CRYPT32.LIB to the libraries to link your app with
      Documentation: Clarify sizes for UI_add_input_string()
      Add support for RC / WINDRES env variables
      Add missing initialiser in e_chil.c
      Don't require any length of password when decrypting
      Make it possible to have RFC2254 escapes with ASN1_STRING_print_ex()
      make update
      Document the esc_2254 command line name option
      Refresh seldom used C generating scripts to current C standard
      Run the refreshed scripts
      Fix util/mkerr.pl
      Cleanup openssl.ec
      Revert "Make it possible to have RFC2254 escapes with ASN1_STRING_print_ex()"
      Revert "make update"
      Revert "Document the esc_2254 command line name option"
      openssl verify: only display the command usage on usage errors
      Always check that the value returned by asn1_do_adb() is non-NULL
      Change (!seqtt) to (seqtt == NULL)
      apps/req.c: Increment the right variable when parsing '+'
      Fix missing opening braces
      Check that the subject name in a proxy cert complies to RFC 3820
      Fix proxy certificate pathlength verification
      Allow proxy certs to be present when verifying a chain
      Fix ASN.1 private encode of EC_KEY to not change the input key
      Remove the silly CVS markers from LPdir_*.c
      Don't check any revocation info on proxy certificates
      make update to have PEM_R_HEADER_TOO_LONG defined
      VMS: synchronise tests with Unix
      evp_test.c: avoid warning from having a pointer difference returned as int
      VSI submission: avoid pointer size warnings in mem.c
      VSI submission: make better use of item lists in o_time.c
      VSI submission: RAND fixups
      Have dtlstest run on VMS as well
      ssltestlib: Tell compiler we don't care about the value when we don't
      Make 'openssl req -x509' more equivalent to 'openssl req -new'
      GOST: rearrange code so it's more like C rather than C++
      VMS: Use strict refdef extern model when building library object files
      mk1mf: dtlstest needs ssltestlib, include it with a hack
      Improve the definition of STITCHED_CALL in e_rc4_hmac_md5.c
      If errno is ENXIO in BSS_new_file(), set BIO_R_NO_SUCH_FILE
      Add enginesdir to libcrypto.pc pkg-config file
      VMS: only use _realloc32 with /POINTER_SIZE=32
      VSI submission: redirect terminal input through socket
      Add copyright and license on apps/vms_term_sock.[ch]
      Remove entirely unnecessary pointer size guards
      Reformat to fit OpenSSL source code standards
      Refactor to avoid unnecessary preprocessor logic
      Finally, make sure vms_term_sock.c is built
      RT4669: dgst can only sign/verify one file
      apps/apps.c: include sys/socket.h to declare recv()
      mk1mf.pl: check for no-tls1 here as well

Steven Valdez (1):
      Adding missing BN_CTX_(start/end) in crypto/ec/ec_key.c

Todd Short (2):
      OCSP_request_add0_id() inconsistent error return
      Always use session_ctx when removing a session

Viktor Dukhovni (3):
      Fix i2d_X509_AUX and update docs
      Clarify negative return from X509_verify_cert()
      Ensure verify error is set when X509_verify_cert() fails

isnotnick (1):
      RT3513: req doesn't display attributes using utf8string

