[openssl-commits] [openssl] OpenSSL_1_1_0i create

Matt Caswell matt at openssl.org
Tue Aug 14 13:13:19 UTC 2018

The annotated tag OpenSSL_1_1_0i has been created
        at  9ab02f49e781c0dc39bf34be721ef2f228ce5a03 (tag)
   tagging  97c0959f27b294fe1eb10b547145ebef2524b896 (commit)
  replaces  OpenSSL_1_1_0h
 tagged by  Matt Caswell
        on  Tue Aug 14 13:45:05 2018 +0100

- Log -----------------------------------------------------------------
OpenSSL 1.1.0i release tag


Alexandre Perrin (1):
      Documentation typo fix in BN_bn2bin.pod

Andy Polyakov (41):
      Configurations/10-main.conf: add magic macros to hpux targets.
      Configurations/10-main.conf: further HP-UX cleanups/unifications.
      bio/b_addr.c: resolve HP-UX compiler warnings.
      ARM assembly pack: make it work with older assembler.
      bn/asm/*-mont.pl: harmonize with BN_from_montgomery_word.
      bn/asm/sparcv9-mont.pl: iron another glitch in squaring code path.
      bn/asm/rsaz-avx2.pl: harmonize clang version detection.
      sha/asm/sha{1|256}-586.pl: harmonize clang version detection.
      {chacha|poly1305}/asm/*-x64.pl: harmonize clang version detection.
      ec/asm/ecp_nistz256-avx2.pl: harmonize clang version detection.
      ec/ec_mult.c: get BN_CTX_start,end sequence right.
      sha/asm/sha{256|512}-armv4.pl: harmonize thumb2 support with the rest.
      modes/asm/ghash-armv4.pl: address "infixes are deprecated" warnings.
      test/evp_test.c: address sanitizer errors in pderive_test_run.
      bn/bn_lib.c: remove bn_check_top from bn_expand2.
      bn/bn_mont.c: move boundary condition check closer to caller.
      bn/bn_mont.c: improve readability of post-condition code.
      bn/bn_lib.c: make BN_bn2binpad computationally constant-time.
      rsa/*: switch to BN_bn2binpad.
      bn/bn_lib.c address Coverity nit in bn2binpad.
      apps/dsaparam.c: fix -C output.
      bn/bn_intern.c: const-ify bn_set_{static}_words.
      ec/asm/ecp_nistz256-{!x86_64}.pl: fix scatter_w7 function.
      ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine.
      apps/dsaparam.c: make dsaparam -C output strict-warnings-friendly.
      crypto/cryptlib.c: resolve possible race in OPENSSL_isservice.
      bn/bn_lib.c: add BN_FLG_FIXED_TOP flag.
      bn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors.
      ec/ecdsa_ossl.c: revert blinding in ECDSA signature.
      ec/ecdsa_ossl.c: formatting and readability fixes.
      ec/ecdsa_ossl.c: switch to fixed-length Montgomery multiplication.
      bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.
      CHANGES: mention blinding reverting in ECDSA.
      crypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor.
      crypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop.
      asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock.
      Revert "asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock."
      asn1/tasn_utl.c: fix logical error in asn1_do_lock.
      x509v3/v3_purp.c: resolve Thread Sanitizer nit.
      x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.
      crypto/o_fopen.c: alias fopen to fopen64.

Benjamin Kaduk (1):
      Fix regression with session cache use by clients

Bernd Edlinger (17):
      Fix a crash in the asn1parse command
      Improve diagnostics for invalid arguments in asn1parse -strparse
      Use strtol instead of atoi in asn1parse
      Fix range checks with -offset and -length in asn1parse
      Remove an unnecessary cast in the param to BUF_MEM_grow
      Change the "offset too large" message to more generic wording
      Fix building linux-armv4 with --strict-warnings
      Fix a gcc-8 warning -Wcast-function-type
      Fix a warning about missing prototype on arm
      Ensure the thread keys are always allocated in the same order
      Fix memleaks in async api
      Fix a possible crash in BN_from_montgomery_word
      Try to work around ubuntu gcc-5 ubsan build failure
      Backport of commit 6b49b30811f4afa0340342af9400b8d0357b5291
      Fix a new gcc-9 warning [-Wstringop-truncation]
      Fix minor windows build issues
      Fix uninitialized value $s warning in windows static builds

Billy Brumley (6):
      RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.
      Elliptic curve scalar multiplication with timing attack defenses
      ladder description: why it works
      Remove superfluous NULL checks. Add Andy's BN_FLG comment.
      fix: BN_swap mishandles flags (1.1.0)
      [crypto/ec] don't assume points are of order group->order

Bryan Donlan (1):
      Remove DSA digest length checks when no digest is passed

Daniel Bevenius (2):
      Remove import/use of File::Spec::Function
      Clarify default section in config.pod

David Benjamin (1):
      Save and restore the Windows error around TlsGetValue.

David von Oheimb (1):
      add documentation for OCSP_basic_verify()

Dr. Matthias St. Pierre (5):
      p5_scrypt.c: fix error check of RAND_bytes() call
      a_strex.c: prevent out of bound read in do_buf()
      v3_purp.c: add locking to x509v3_cache_extensions()
      Fix typo 'is an error occurred' in documentation

Emilia Kasper (2):
      X509_cmp_time: only return 1, 0, -1.
      X509 time: tighten validation per RFC 5280

FdaSilvaYY (2):
      EVP,KDF: Add more error code along some return 0
      apps/speed: fix possible OOB access in some EC arrays

Guido Vranken (1):
      Reject excessively large primes in DH key generation.

Jack Bates (1):
      Convert _meth_get_ functions to const getters

Ken Goldman (1):
      Document failure return for ECDSA_SIG_new

Kurt Roeckx (4):
      Fix prototype of ASN1_INTEGER_get and ASN1_INTEGER_set
      Change the number of Miller-Rabin test for DSA generation to 64
      Make number of Miller-Rabin tests for a prime tests depend on the security level of the prime
      Fix inconsistent use of bit vs bits

Marcus Huewe (1):
      Do not free a session before calling the remove_session_cb

Matt Caswell (56):
      Prepare for 1.1.0i-dev
      Don't write out a bad OID
      Tolerate a Certificate using a non-supported group on server side
      Fix a text canonicalisation bug in CMS
      Fix some errors in the mem leaks docs
      Move the loading of the ssl_conf module to libcrypto
      Don't crash if an unrecognised digest is used with dsa_paramgen_md
      Pick a q size consistent with the digest for DSA param generation
      Update the genpkey documentation
      Add test/versions to gitignore
      Fix an error code to be consistent with master
      Ignore the status_request extension in a resumption handshake
      Update fingerprints.txt
      Fix assertion failure in SSL_set_bio()
      Check the return from EVP_PKEY_get0_DH()
      Update EVP_DigestSignInit() docs
      Fix ocsp app exit code
      Don't crash if there are no trusted certs
      Add a test for a NULL X509_STORE in X509_STORE_CTX_init
      Fix the alert sent if no shared sig algs
      Fix SSL_pending() for DTLS
      Add a test for SSL_pending()
      Improve backwards compat with 1.0.2 for ECDHParameters
      Allow intermediate CAs to use RSA PSS in 1.1.0
      Document when a session gets removed from cache
      In a reneg use the same client_version we used last time
      Fix the MAX_CURVELIST definition
      Fix documentation for the -showcerts s_client option
      Update the *use_certificate* docs
      Update version docs
      Fix some errors and missing info in the CMS docs
      Clarify BN_mod_exp docs
      Add getter for X509_VERIFY_PARAM_get_hostflags
      Fix SSL_get_shared_ciphers()
      Fix comment in ssl_locl.h
      Add some documentation for SSL_get_shared_ciphers()
      Make X509_VERIFY_PARAM_get_hostflags() take a const arg
      Return an error from BN_mod_inverse if n is 1 (or -1)
      Fix a mem leak in CMS
      Don't fail on an out-of-order CCS in DTLS
      Fix s_client and s_server so that they correctly handle the DTLS timer
      Only auto-retry for DTLS if configured to do so
      Keep the DTLS timer running after the end of the handshake if appropriate
      Don't memcpy the contents of an empty fragment
      Mark DTLS records as read when we have finished with them
      Make BN_GF2m_mod_arr more constant time
      Fix undefined behaviour in X509_NAME_cmp()
      Improve compatibility of point and curve checks
      The result of a ^ 0 mod -1 is 0 not 1
      Add blinding to an ECDSA signature
      Add blinding to a DSA signature
      Fix a NULL ptr deref in error path in tls_process_cke_dhe()
      Don't create an invalid CertificateRequest
      Updates to CHANGES and NEWS for the new release
      Update copyright year
      Prepare for 1.1.0i release

Matthias Kraft (1):
      Custome built dladdr() for AIX.

Mingtao Yang (2):
      Add APIs for custom X509_LOOKUP_METHOD creation
      modes/ocb128.c: Reset nonce-dependent variables on setiv

Miroslav Suk (1):
      o_time.c: use gmtime_s with MSVC     ts/ts_rsp_sign.c: change to OPENSSL_gmtime.

Neel Goyal (1):
      Set biom->type in BIO_METH_new

Nick Mathewson (2):
      Update documentation for PEM callback: error is now -1.
      Improve the example getpass() implementation to show an error return

Nicola Tuveri (4):
      Address code style comments
      Pass through
      Move up check for EC_R_INCOMPATIBLE_OBJECTS and for the point at infinity case
      Deprecate DSA_sign_setup() in the documentation

Pauli (4):
      Check return from BN_set_word.     In ssl/t1_lib.c.
      Check conversion return in ASN1_INTEGER_print_bio.
      Check return from BN_sub
      Avoid errors when loading a cert multiple times.     Manual backport of #2830 to 1.1.0

Pavel Kopyl (1):
      Fix memory leaks in CA related functions.

Philippe Antoine (1):
      Adds multiple checks to avoid buffer over reads

Rahul Chaudhry (1):
      poly1305/asm/poly1305-armv4.pl: remove unintentional relocation.

Rich Salz (10):
      Fix typo in OPENSSL_LH_new compat API
      Updated to CONTRIBUTING to reflect GitHub, etc.
      Fix bugs in X509_NAME_ENTRY_set
      Make OS/X more explicit, to avoid questions
      Improve wording
      Zero-fill IV by default.
      Check for failures, to avoid memory leak
      Use auto-null-initializer
      Fix setting of ssl_strings_inited.
      Increase CT_NUMBER values

Richard Levitte (53):
      Revert "util/dofile.pl: only quote stuff that actually needs quoting"
      Faster fuzz test: teach the fuzz test programs to handle directories
      .travis.yml: with fast fuzz testing, there is no point avoiding it
      Refuse to run test_cipherlist unless shared library matches build
      VMS: Copy DECC inclusion epi- and prologues to internals
      Don't use CPP in Configurations/unix-Makefile.tmpl
      openssl rehash: document -compat
      openssl rehash: use libcrypto variables for default dir
      Docs for OpenSSL_init_crypto: there is no way to specify another file
      test/recipes/test_genrsa.t : don't fail because of size limit changes
      Don't distribute team internal config targets
      Fix late opening of output file
      Fix openssl ca, to correctly make output file binary when using -spkac
      ms/uplink-x86.pl: close the file handle that was opened
      openssl rehash: exit 0 on warnings, same as c_rehash
      PEM_def_callback(): don't loop because of too short password given
      PEM_def_callback(): use same parameter names as for pem_password_cb
      Use  get_last_sys_error() instead of get_last_rtl_error()
      Fix no-ui
      apps/s_server.c: Avoid unused variable due to 'no-dtls'
      docs: Fix typo EVP_PKEY_new_id -> EVP_PKEY_CTX_new_id
      BIO_s_mem() write: Skip early when input length is zero
      In cases where we ask PEM_def_callback for minimum 0 length, accept 0 length
      UI console: Restore tty settings, do not force ECHO after prompt
      CI config: no need to make both install and install_docs
      When producing man-pages, ensure NAME section is one line only
      Add a note on CHANGES and NEWS in CONTRIBUTING
      Restore check of |*xn| against |name| in X509_NAME_set
      Quiet pod2html warnings
      Windows: don't install __DECC_*.H
      apps: when the 'compat' nameopt has been set, leave it be
      ENGINE_pkey_asn1_find_str(): don't assume an engine implements ASN1 method
      VMS: have mkdef.pl parse lettered versions properly
      openssl ca: open the output file as late as possible
      OpenSSL-II style for emacs: don't indent because of extern block
      OpenSSL_add_ssl_algorithm-is-deprecated() is deprecated, make it so
      Move documentation to its correct location for this branch
      Document more EVP_MD_CTX functions
      Make 'with_fallback' use 'use' instead of 'require'
      Existing transfer modules must have a package and a $VERSION
      util/dofile.pl: require Text::Template 1.46 or newer
      Windows: fix echo for nmake
      Windows: avoid using 'rem' in the nmake makefile
      Avoid __GNUC__ warnings when defining DECLARE_DEPRECATED
      PKCS12: change safeContentsBag from a SET OF to a SEQUENCE OF
      Configure: Display error/warning on deprecated/unsupported options after loop
      Configure: print generic advice when dying
      Configure death handler: bail out early when run in eval block
      Configure death handler: remember to call original death handler
      Configure death handler: instead of printing directly, amend the message
      Make EVP_PKEY_asn1_new() stricter with its input
      Check early that the config target exists and isn't a template
      i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer

Tilman Keskinöz (1):
      ssl/ssl_txt: fix NULL-check

Todd Short (1):
      Configure: fix Mac OS X builds that still require makedepend

Viktor Dukhovni (2):
      Limit scope of CN name constraints
      Skip CN DNS name constraint checks when not needed

cedral (1):
      fix build error in 32 bit debug build

