version 1.52, 2022/10/03 21:30:58 |
version 1.53, 2022/10/03 21:44:19 |
|
|
<li>Added ASN1_INTEGER_{get,set}_{u,}int64() |
<li>Added ASN1_INTEGER_{get,set}_{u,}int64() |
<li>Move leaf certificate checks to the last thing after chain |
<li>Move leaf certificate checks to the last thing after chain |
validation. |
validation. |
<li>Added -s option to openssl(1) ciphers that only shows the ciphers |
<li>Added -s option to <a |
supported by the specified protocol. |
href="https://man.openbsd.org/openssl.1">openssl(1)</a> ciphers |
<li>Use TLS_client_method() instead of TLSv1_client_method() in |
that only shows the ciphers supported by the specified protocol. |
the openssl(1) ciphers command. |
<li>Use <a href="https://man.openbsd.org/TLS_client_method.3">TLS_client_method(3)</a> |
<li>Validate the protocols in SSL{_CTX,}_set_alpn_protos(). |
instead of <a href="https://man.openbsd.org/TLSv1_client_method.3">TLSv1_client_method(3)</a> in |
|
the <a |
|
href="https://man.openbsd.org/openssl.1">openssl(1)</a> ciphers command. |
|
<li>Validate the protocols in <a |
|
href="https://man.openbsd.org/SSL_CTX_set_alpn_protos.3">SSL{_CTX,}_set_alpn_protos()</a>. |
<li>Made TS and PKCS12 opaque. |
<li>Made TS and PKCS12 opaque. |
<li>Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF. |
<li>Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF. |
<li>Align PKCS12_key_gen_uni() with OpenSSL |
<li>Align PKCS12_key_gen_uni() with OpenSSL |
<li>Various PKCS12 and TS accessors were added. In particular, the |
<li>Various PKCS12 and TS accessors were added. In particular, the |
TS_RESP_CTX_set_time_cb() function was added back. |
TS_RESP_CTX_set_time_cb() function was added back. |
<li>Allow a NULL header in PEM_write{,_bio}() |
<li>Allow a NULL header in <a |
|
href="https://man.openbsd.org/PEM_write.3">PEM_write{,_bio}()</a> |
<li>Allow empty attribute sets in CSRs. |
<li>Allow empty attribute sets in CSRs. |
<li>Adjust signatures of BIO_ctrl functions. |
<li>Adjust signatures of <a |
|
href="https://man.openbsd.org/BIO_ctrl.3">BIO_ctrl</a> functions. |
<li>Provide additional defines for EVP AEAD. |
<li>Provide additional defines for EVP AEAD. |
<li>Provide OPENSSL_cleanup(). |
<li>Provide OPENSSL_cleanup(). |
<li>Make BIO_info_cb() identical to bio_info_cb(). |
<li>Make <a |
|
href="https://man.openbsd.org/BIO_info_cb.3">BIO_info_cb()</a> identical to bio_info_cb(). |
</ul> |
</ul> |
|
|
<li>Bug fixes |
<li>Bug fixes |
<ul> |
<ul> |
<li>Avoid use of uninitialized in BN_mod_exp_recp(). |
<li>Avoid use of uninitialized in BN_mod_exp_recp(). |
<li>Fix X509_get_extension_flags() by ensuring that EXFLAG_INVALID is |
<li>Fix <a |
|
href="https://man.openbsd.org/X509_get_extension_flags.3">X509_get_extension_flags()</a> |
|
by ensuring that EXFLAG_INVALID is |
set on X509_get_purpose() failure. |
set on X509_get_purpose() failure. |
<li>Fix HMAC() with NULL key. |
<li>Fix <a |
<li>Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings(). |
href="https://man.openbsd.org/HMAC.3">HMAC()</a> with NULL key. |
|
<li>Add ERR_load_{COMP,CT,KDF}_strings() to <a |
|
href="https://man.openbsd.org/ERR_load_crypto_strings.3">ERR_load_crypto_strings()</a>. |
<li>Avoid strict aliasing violations in BN_nist_mod_*(). |
<li>Avoid strict aliasing violations in BN_nist_mod_*(). |
<li>Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca(). |
<li>Do not return X509_V_ERR_UNSPECIFIED from <a |
|
href="https://man.openbsd.org/X509_check_ca.3">X509_check_ca()</a>. |
No return value of X509_check_ca() indicates failure. Application |
No return value of X509_check_ca() indicates failure. Application |
code should therefore issue a checked call to X509_check_purpose() |
code should therefore issue a checked call to X509_check_purpose() |
before calling X509_check_ca(). |
before calling X509_check_ca(). |
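Review bot: the link text for TLS_client_method(3) and TLSv1_client_method(3) now carries the manual section number, while the other function links added in this list (SSL{_CTX,}_set_alpn_protos(), PEM_write{,_bio}(), BIO_info_cb(), X509_check_ca()) keep the "()" form the old text used. Pick one convention for function names and keep "(1)" only for commands such as openssl(1). In the X509_check_ca() item, only the first mention is linked, and X509_check_purpose(), which the item tells application code to call first, stays plain text; if it has a manual page, link it as well so the advice is easy to follow.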
|
|
valid input. |
valid input. |
<li>Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new(). |
<li>Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new(). |
<li>Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly. |
<li>Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly. |
<li>Avoid use of uninitialized in ASN1_STRING_to_UTF8(). |
<li>Avoid use of uninitialized in <a |
<li>Do not pass uninitialized pointer to ASN1_STRING_to_UTF8(). |
href="https://man.openbsd.org/ASN1_STRING_to_UTF8.3">ASN1_STRING_to_UTF8()</a>. |
<li>Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy. |
<li>Do not pass uninitialized pointer to <a |
|
href="https://man.openbsd.org/ASN1_STRING_to_UTF8.3">ASN1_STRING_to_UTF8()</a>. |
|
<li>Do not refuse valid IPv6 addresses in <a |
|
href="https://man.openbsd.org/nc.1">nc(1)</a>'s HTTP CONNECT proxy. |
<li>Do not reject primes in trial divisions. |
<li>Do not reject primes in trial divisions. |
<li>Error out on negative shifts in BN_{r,l}shift() instead of |
<li>Error out on negative shifts in BN_{r,l}shift() instead of |
accessing arrays out of bounds. |
accessing arrays out of bounds. |
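Review bot: d2i_ASN1_OBJECT in the "advance the *der_in pointer" item is the only function name in this hunk written without "()" and it gets no link, while both ASN1_STRING_to_UTF8() items next to it are linked. Write it as d2i_ASN1_OBJECT() for consistency, and link it and BN_{r,l}shift() if manual pages exist for them.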
|
|
<li>Fix the legacy verifier callback behaviour for untrusted certs. |
<li>Fix the legacy verifier callback behaviour for untrusted certs. |
<li>Correct serfver-side handling of TLSv1.3 key updates. |
<li>Correct serfver-side handling of TLSv1.3 key updates. |
<li>Plug leak in PKCS12_setup_mac(). |
<li>Plug leak in PKCS12_setup_mac(). |
<li>Plug leak in X509V3_add1_i2d(). |
<li>Plug leak in <a |
|
href="https://man.openbsd.org/X509V3_add1_i2d.3">X509V3_add1_i2d()</a>. |
<li>Only print X.509 versions we know about. |
<li>Only print X.509 versions we know about. |
<li>Avoid signed integer overflow due to unary negation |
<li>Avoid signed integer overflow due to unary negation |
<li>Initialize readbytes in BIO_gets(). |
<li>Initialize readbytes in <a |
|
href="https://man.openbsd.org/BIO_gets.3">BIO_gets()</a>. |
<li>Plug memory leak in CMS_add_simple_smimecap(). |
<li>Plug memory leak in CMS_add_simple_smimecap(). |
<li>Plug memory leak in X509_REQ_print_ex(). |
<li>Plug memory leak in <a |
<li>Check HMAC() return value to avoid a later use of uninitialized. |
href="https://man.openbsd.org/X509_REQ_print_ex.3">X509_REQ_print_ex()</a>. |
|
<li>Check <a |
|
href="https://man.openbsd.org/HMAC.3">HMAC()</a> return value to avoid a later use of uninitialized. |
<li>Avoid potential NULL dereference in ssl_set_pkey(). |
<li>Avoid potential NULL dereference in ssl_set_pkey(). |
<li>Check return values in ssl_print_tmp_key(). |
<li>Check return values in ssl_print_tmp_key(). |
<li>Switch loop bounds from size_t to int in check_hosts(). |
<li>Switch loop bounds from size_t to int in check_hosts(). |
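Review bot: the context line "Correct serfver-side handling of TLSv1.3 key updates." keeps the typo "serfver-side" on both sides of the diff; since this commit already edits the surrounding items, correct it to "server-side" here. The "Avoid signed integer overflow due to unary negation" item also ends without a period and, unlike its neighbours, does not say which function is affected.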
|
|
<li>The templated ASN.1 decoder has been cleaned up, refactored, |
<li>The templated ASN.1 decoder has been cleaned up, refactored, |
modernized with parts rewritten using CBB and CBS. |
modernized with parts rewritten using CBB and CBS. |
<li>The ASN.1 time parser has been rewritten. |
<li>The ASN.1 time parser has been rewritten. |
<li>Rewrite and fix ASN1_STRING_to_UTF8(). |
<li>Rewrite and fix <a |
|
href="https://man.openbsd.org/ASN1_STRING_to_UTF8.3">ASN1_STRING_to_UTF8()</a>. |
<li>Use asn1_abs_set_unused_bits() rather than inlining it. |
<li>Use asn1_abs_set_unused_bits() rather than inlining it. |
<li>Simplify ec_asn1_group2curve(). |
<li>Simplify ec_asn1_group2curve(). |
<li>First pass at a clean up of ASN1_item_sign_ctx() |
<li>First pass at a clean up of ASN1_item_sign_ctx() |