===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/72.html,v
retrieving revision 1.52
retrieving revision 1.53
diff -c -r1.52 -r1.53
*** www/72.html 2022/10/03 21:30:58 1.52
--- www/72.html 2022/10/03 21:44:19 1.53
***************
*** 894,926 ****
Added ASN1_INTEGER_{get,set}_{u,}int64()
Move leaf certificate checks to the last thing after chain
validation.
! Added -s option to openssl(1) ciphers that only shows the ciphers
! supported by the specified protocol.
! Use TLS_client_method() instead of TLSv1_client_method() in
! the openssl(1) ciphers command.
! Validate the protocols in SSL{_CTX,}_set_alpn_protos().
Made TS and PKCS12 opaque.
Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.
Align PKCS12_key_gen_uni() with OpenSSL
Various PKCS12 and TS accessors were added. In particular, the
TS_RESP_CTX_set_time_cb() function was added back.
! Allow a NULL header in PEM_write{,_bio}()
Allow empty attribute sets in CSRs.
! Adjust signatures of BIO_ctrl functions.
Provide additional defines for EVP AEAD.
Provide OPENSSL_cleanup().
! Make BIO_info_cb() identical to bio_info_cb().
Bug fixes
- Avoid use of uninitialized in BN_mod_exp_recp().
!
- Fix X509_get_extension_flags() by ensuring that EXFLAG_INVALID is
set on X509_get_purpose() failure.
!
- Fix HMAC() with NULL key.
!
- Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings().
- Avoid strict aliasing violations in BN_nist_mod_*().
!
- Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca().
No return value of X509_check_ca() indicates failure. Application
code should therefore issue a checked call to X509_check_purpose()
before calling X509_check_ca().
--- 894,938 ----
- Added ASN1_INTEGER_{get,set}_{u,}int64()
- Move leaf certificate checks to the last thing after chain
validation.
!
- Added -s option to openssl(1) ciphers
! that only shows the ciphers supported by the specified protocol.
!
- Use TLS_client_method(3)
! instead of TLSv1_client_method(3) in
! the openssl(1) ciphers command.
!
- Validate the protocols in SSL{_CTX,}_set_alpn_protos().
- Made TS and PKCS12 opaque.
- Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.
- Align PKCS12_key_gen_uni() with OpenSSL
- Various PKCS12 and TS accessors were added. In particular, the
TS_RESP_CTX_set_time_cb() function was added back.
!
- Allow a NULL header in PEM_write{,_bio}()
- Allow empty attribute sets in CSRs.
!
- Adjust signatures of BIO_ctrl functions.
- Provide additional defines for EVP AEAD.
- Provide OPENSSL_cleanup().
!
- Make BIO_info_cb() identical to bio_info_cb().
Bug fixes
- Avoid use of uninitialized in BN_mod_exp_recp().
!
- Fix X509_get_extension_flags()
! by ensuring that EXFLAG_INVALID is
set on X509_get_purpose() failure.
!
- Fix HMAC() with NULL key.
!
- Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings().
- Avoid strict aliasing violations in BN_nist_mod_*().
!
- Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca().
No return value of X509_check_ca() indicates failure. Application
code should therefore issue a checked call to X509_check_purpose()
before calling X509_check_ca().
***************
*** 928,936 ****
valid input.
- Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
- Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly.
!
- Avoid use of uninitialized in ASN1_STRING_to_UTF8().
!
- Do not pass uninitialized pointer to ASN1_STRING_to_UTF8().
!
- Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy.
- Do not reject primes in trial divisions.
- Error out on negative shifts in BN_{r,l}shift() instead of
accessing arrays out of bounds.
--- 940,951 ----
valid input.
- Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
- Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly.
!
- Avoid use of uninitialized in ASN1_STRING_to_UTF8().
!
- Do not pass uninitialized pointer to ASN1_STRING_to_UTF8().
!
- Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy.
- Do not reject primes in trial divisions.
- Error out on negative shifts in BN_{r,l}shift() instead of
accessing arrays out of bounds.
***************
*** 938,950 ****
- Fix the legacy verifier callback behaviour for untrusted certs.
- Correct serfver-side handling of TLSv1.3 key updates.
- Plug leak in PKCS12_setup_mac().
!
- Plug leak in X509V3_add1_i2d().
- Only print X.509 versions we know about.
- Avoid signed integer overflow due to unary negation
!
- Initialize readbytes in BIO_gets().
- Plug memory leak in CMS_add_simple_smimecap().
!
- Plug memory leak in X509_REQ_print_ex().
!
- Check HMAC() return value to avoid a later use of uninitialized.
- Avoid potential NULL dereference in ssl_set_pkey().
- Check return values in ssl_print_tmp_key().
- Switch loop bounds from size_t to int in check_hosts().
--- 953,969 ----
- Fix the legacy verifier callback behaviour for untrusted certs.
- Correct serfver-side handling of TLSv1.3 key updates.
- Plug leak in PKCS12_setup_mac().
!
- Plug leak in X509V3_add1_i2d().
- Only print X.509 versions we know about.
- Avoid signed integer overflow due to unary negation
!
- Initialize readbytes in BIO_gets().
- Plug memory leak in CMS_add_simple_smimecap().
!
- Plug memory leak in X509_REQ_print_ex().
!
- Check HMAC() return value to avoid a later use of uninitialized.
- Avoid potential NULL dereference in ssl_set_pkey().
- Check return values in ssl_print_tmp_key().
- Switch loop bounds from size_t to int in check_hosts().
***************
*** 960,966 ****
- The templated ASN.1 decoder has been cleaned up, refactored,
modernized with parts rewritten using CBB and CBS.
- The ASN.1 time parser has been rewritten.
!
- Rewrite and fix ASN1_STRING_to_UTF8().
- Use asn1_abs_set_unused_bits() rather than inlining it.
- Simplify ec_asn1_group2curve().
- First pass at a clean up of ASN1_item_sign_ctx()
--- 979,986 ----
- The templated ASN.1 decoder has been cleaned up, refactored,
modernized with parts rewritten using CBB and CBS.
- The ASN.1 time parser has been rewritten.
!
- Rewrite and fix ASN1_STRING_to_UTF8().
- Use asn1_abs_set_unused_bits() rather than inlining it.
- Simplify ec_asn1_group2curve().
- First pass at a clean up of ASN1_item_sign_ctx()