===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/71.html,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- www/71.html 2022/04/16 21:45:53 1.56
+++ www/71.html 2022/04/17 17:02:12 1.57
@@ -972,6 +972,7 @@
Various interoperability problems with stacks that validate
certificates more strictly than OpenSSL can be avoided this way.
Attempt to opportunistically use the host name for SNI in s_client
+ Allow non-standard name constraints of the form @domain.com.
Bug fixes
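Review bot: The added line "Allow non-standard name constraints of the form @domain.com." does not say which name type the relaxation applies to or why it is accepted. Since this loosens certificate validation, name the constraint type (the @ form suggests e-mail address constraints) and give the reason for accepting it, so readers can tell what a verifier now treats as valid.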
@@ -989,6 +990,16 @@
Handle zero byte reads/writes that trigger handshakes in the
TLSv1.3 stack
A long standing memleak in libtls CRL handling was fixed
+ Avoid single byte overread in asn1_parse2().
+ Allow name constraints with a leading dot.
+ Relax a check in x509_constraints_dirname() to allow prefixes.
+ Fix NULL dereferences in openssl(1) cms option parsing.
+ Do not zero the computed cofactor on ec_guess_cofactor() success.
+ Bound cofactor in EC_GROUP_set_generator() to reduce the number of
+ bogus groups that can be described with nonsensical parameters.
+ Avoid various potential segfaults in EVP_PKEY_CTX_free() in low
+ memory conditions.
+ Plug leak in ASN1_TIME_adj_internal().
Internal Improvements
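Review bot: "Allow name constraints with a leading dot." and "Relax a check in x509_constraints_dirname() to allow prefixes." are listed as bug fixes, but both loosen name constraint validation and neither says what is now accepted. State which name types may carry a leading dot and what "prefixes" refers to, and consider placing them next to the @domain.com entry added in the earlier hunk so all name constraint changes can be read together. The added entries also end with a period while the surrounding context lines do not.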
@@ -1004,7 +1015,8 @@
Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
ASN1
Convert ASN1_OBJECT_new(), ASN1_STRING_type_new(), ASN1_PCTX_new(),
- and X509_CRL_METHOD_new() to using calloc() instead of malloc()
+ X509_CRL_METHOD_new(), and pkey_hmac_init() to using calloc() instead
+ of malloc()
Rewrite ASN1_STRING_cmp()
Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a function
Consolidate {d2i,i2d}_{pr,pu}.c
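Review bot: The reworded entry keeps the phrasing "to using calloc() instead of malloc()", which reads awkwardly; "to use calloc() instead of malloc()" is cleaner. pkey_hmac_init() is also the only function in the list that is not a _new() allocator, so a short word on what it allocates would help readers.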
@@ -1063,6 +1075,31 @@
The S3I macro was removed
The openssl(1) cms, smime and ts subcommands option handling was
converted and the C source was cleaned up.
+ Limit OID text conversion to 64 bits per arc.
+ Clean up and simplify memory BIO code.
+ Reduce number of memmove() calls in memory BIOs.
+ Factor out alert handling code in the legacy stack.
+ Add sanity checks on p and q in old_dsa_priv_decode()
+ Cache the SHA-512 hash instead of the SHA-1 for CRLs.
+ Suppress various compiler warnings for old gcc versions.
+ Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i().
+ Rework ownership handling in x509_constraints_validate().
+ Rework ASN1_STRING_set().
+ Remove const from tls1_transcript_hash_value().
+ Clean up and simplify ssl3_renegotiate{,_check}().
+ Rewrite legacy TLS and DTLS unexpected handshake message handling.
+ Simplify SSL_do_handshake().
+ Rewrite ASCII/text to ASN.1 object conversion.
+ Provide t2i_ASN1_OBJECT_internal() and use it for OBJ_txt2obj().
+ Split armv7 and aarch64 code into separate locations.
+ Provide asn1_get_primitive().
+ Convert {c2i,d2i}_ASN1_OBJECT() to CBS.
+ Remove the minimum record length checks from dtls1_read_bytes().
+ Clean up {dtls1,ssl3}_read_bytes().
+ Be more careful with embedded and terminating NULs in the new
+ name constraints code.
+ Various minor code cleanup in openssl(1) pkcs12.
+ Simplify priv_key handling in d2i_ECPrivateKey().
Documentation improvements
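Review bot: "Remove the minimum record length checks from dtls1_read_bytes()." drops a validation step without saying why that is safe; add a clause naming where the length is now checked or why the check was unnecessary. "Limit OID text conversion to 64 bits per arc." and "Add sanity checks on p and q in old_dsa_priv_decode()" change what input is accepted, so they fit the bug fix list better than the cleanup and refactoring entries around them, and the second is missing the trailing period that the other added lines in this hunk have.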
@@ -1070,6 +1107,10 @@
45 new manual pages, most of which were written from scratch.
Documentation coverage of ASN.1 and X.509 code has been
significantly improved.
+ Update d2i_ASN1_OBJECT(3) documentation to reflect reality after
+ refactoring and bug fixes.
+ Fixed numerous minor grammar, spelling, wording, and punctuation
+ issues.
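Review bot: The two added entries mix tenses: the one beginning "Update d2i_ASN1_OBJECT(3) documentation" is imperative while the one beginning "Fixed numerous minor grammar" is past tense. Pick one form, and replace "to reflect reality" with what actually changed in the documented behaviour.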