=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/72.html,v retrieving revision 1.52 retrieving revision 1.53 diff -c -r1.52 -r1.53 *** www/72.html 2022/10/03 21:30:58 1.52 --- www/72.html 2022/10/03 21:44:19 1.53 *************** *** 894,926 ****

Added ASN1_INTEGER_{get,set}_{u,}int64()

Move leaf certificate checks to the last thing after chain validation. !

Added -s option to openssl(1) ciphers that only shows the ciphers ! supported by the specified protocol. !

Use TLS_client_method() instead of TLSv1_client_method() in ! the openssl(1) ciphers command. !

Validate the protocols in SSL{_CTX,}_set_alpn_protos().

Made TS and PKCS12 opaque.

Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.

Align PKCS12_key_gen_uni() with OpenSSL

Various PKCS12 and TS accessors were added. In particular, the TS_RESP_CTX_set_time_cb() function was added back. !

Allow a NULL header in PEM_write{,_bio}()

Allow empty attribute sets in CSRs. !

Adjust signatures of BIO_ctrl functions.

Provide additional defines for EVP AEAD.

Provide OPENSSL_cleanup(). !

Make BIO_info_cb() identical to bio_info_cb().

Bug fixes

Avoid use of uninitialized in BN_mod_exp_recp(). !
Fix X509_get_extension_flags() by ensuring that EXFLAG_INVALID is set on X509_get_purpose() failure. !
Fix HMAC() with NULL key. !
Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings().
Avoid strict aliasing violations in BN_nist_mod_*(). !
Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca(). No return value of X509_check_ca() indicates failure. Application code should therefore issue a checked call to X509_check_purpose() before calling X509_check_ca(). --- 894,938 ----
Added ASN1_INTEGER_{get,set}_{u,}int64()
Move leaf certificate checks to the last thing after chain validation. !
Added -s option to openssl(1) ciphers ! that only shows the ciphers supported by the specified protocol. !
Use TLS_client_method(3) ! instead of TLSv1_client_method(3) in ! the openssl(1) ciphers command. !
Validate the protocols in SSL{_CTX,}_set_alpn_protos().
Made TS and PKCS12 opaque.
Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.
Align PKCS12_key_gen_uni() with OpenSSL
Various PKCS12 and TS accessors were added. In particular, the TS_RESP_CTX_set_time_cb() function was added back. !
Allow a NULL header in PEM_write{,_bio}()
Allow empty attribute sets in CSRs. !
Adjust signatures of BIO_ctrl functions.
Provide additional defines for EVP AEAD.
Provide OPENSSL_cleanup(). !
Make BIO_info_cb() identical to bio_info_cb().

Bug fixes

Avoid use of uninitialized in BN_mod_exp_recp(). !
Fix X509_get_extension_flags() ! by ensuring that EXFLAG_INVALID is set on X509_get_purpose() failure. !
Fix HMAC() with NULL key. !
Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings().
Avoid strict aliasing violations in BN_nist_mod_*(). !
Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca(). No return value of X509_check_ca() indicates failure. Application code should therefore issue a checked call to X509_check_purpose() before calling X509_check_ca(). *************** *** 928,936 **** valid input.
Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly. !
Avoid use of uninitialized in ASN1_STRING_to_UTF8(). !
Do not pass uninitialized pointer to ASN1_STRING_to_UTF8(). !
Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy.
Do not reject primes in trial divisions.
Error out on negative shifts in BN_{r,l}shift() instead of accessing arrays out of bounds. --- 940,951 ---- valid input.
Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly. !
Avoid use of uninitialized in ASN1_STRING_to_UTF8(). !
Do not pass uninitialized pointer to ASN1_STRING_to_UTF8(). !
Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy.
Do not reject primes in trial divisions.
Error out on negative shifts in BN_{r,l}shift() instead of accessing arrays out of bounds. *************** *** 938,950 ****
Fix the legacy verifier callback behaviour for untrusted certs.
Correct serfver-side handling of TLSv1.3 key updates.
Plug leak in PKCS12_setup_mac(). !
Plug leak in X509V3_add1_i2d().
Only print X.509 versions we know about.
Avoid signed integer overflow due to unary negation !
Initialize readbytes in BIO_gets().
Plug memory leak in CMS_add_simple_smimecap(). !
Plug memory leak in X509_REQ_print_ex(). !
Check HMAC() return value to avoid a later use of uninitialized.
Avoid potential NULL dereference in ssl_set_pkey().
Check return values in ssl_print_tmp_key().
Switch loop bounds from size_t to int in check_hosts(). --- 953,969 ----
Fix the legacy verifier callback behaviour for untrusted certs.
Correct serfver-side handling of TLSv1.3 key updates.
Plug leak in PKCS12_setup_mac(). !
Plug leak in X509V3_add1_i2d().
Only print X.509 versions we know about.
Avoid signed integer overflow due to unary negation !
Initialize readbytes in BIO_gets().
Plug memory leak in CMS_add_simple_smimecap(). !
Plug memory leak in X509_REQ_print_ex(). !
Check HMAC() return value to avoid a later use of uninitialized.
Avoid potential NULL dereference in ssl_set_pkey().
Check return values in ssl_print_tmp_key().
Switch loop bounds from size_t to int in check_hosts(). *************** *** 960,966 ****
The templated ASN.1 decoder has been cleaned up, refactored, modernized with parts rewritten using CBB and CBS.
The ASN.1 time parser has been rewritten. !
Rewrite and fix ASN1_STRING_to_UTF8().
Use asn1_abs_set_unused_bits() rather than inlining it.
Simplify ec_asn1_group2curve().
First pass at a clean up of ASN1_item_sign_ctx() --- 979,986 ----
The templated ASN.1 decoder has been cleaned up, refactored, modernized with parts rewritten using CBB and CBS.
The ASN.1 time parser has been rewritten. !
Rewrite and fix ASN1_STRING_to_UTF8().
Use asn1_abs_set_unused_bits() rather than inlining it.
Simplify ec_asn1_group2curve().
First pass at a clean up of ASN1_item_sign_ctx()