ChangeLog

1.3.4:
	NEW FEATURES:
	* Added CBOR tag support (RFC 8949 §3.4, major type 6).
	  - All CBOR decoders are now tag-transparent: any number of leading
	    tag headers are silently skipped before decoding the underlying
	    value.  Tagged data from external producers (self-described CBOR
	    tag 55799, epoch timestamps tag 1, URI hints tag 32, etc.) is
	    accepted without application-level changes.
	  - New cbor_skip_tags() helper in cbor_support.[ch] peels off
	    consecutive leading CBOR tag headers from a raw buffer.
	  - Added well-known CBOR tag constants to cbor_support.h:
	    CBOR_TAG_DATETIME_STRING (0), CBOR_TAG_EPOCH_DATETIME (1),
	    CBOR_TAG_DECIMAL_FRACTION (4), CBOR_TAG_BIGFLOAT (5),
	    CBOR_TAG_BASE64URL (21), CBOR_TAG_BASE64 (22), CBOR_TAG_BASE16 (23),
	    CBOR_TAG_ENCODED_CBOR (24), CBOR_TAG_URI (32), CBOR_TAG_REGEX (35),
	    CBOR_TAG_UUID (37), CBOR_TAG_NETWORK_ADDR (260),
	    CBOR_TAG_SELF_DESCRIBED (55799).
	  - Extended check-CBOR test suite with comprehensive tag tests:
	    cbor_encode_tag() output verification, cbor_skip_tags() unit tests,
	    tag-transparent decode tests for INTEGER, OCTET STRING, NativeInteger,
	    and BIT STRING types, and nested multi-tag decode tests.
	  - Updated asn1c-usage.tex: added "CBOR Tags" API section documenting
	    encoding with cbor_encode_tag(), tag-transparent decoding, and
	    bignum tags. Added IANA CBOR Tags Registry reference.
	    Updated CBOR references from RFC 7049 to RFC 8949 (successor).
	  - Updated asn1c.man.md: added CBOR TAGS section and updated RFC
	    reference from RFC 7049 to RFC 8949.
	FIXES:
	* Fixed generated filename collisions with system headers on
	  case-insensitive filesystems (notably macOS/Windows). ASN.1 types
	  whose generated filenames match common system headers are now
	  disambiguated automatically (e.g., Time.h -> asn1c_time.h),
	  preventing accidental inclusion of generated headers when source
	  files include <time.h>. Added smoke-test coverage for the Time case.

1.3.3:
	NEW FEATURES:
	* Added complete CBOR (Concise Binary Object Representation, RFC 7049)
	  codec support. CBOR generation is enabled by default; use -no-gen-CBOR
	  to disable. New skeleton files: cbor_encoder.[ch], cbor_decoder.[ch],
	  cbor_support.[ch], INTEGER_cbor.c, NativeInteger_cbor.c,
	  OCTET_STRING_cbor.c, BIT_STRING_cbor.c, BOOLEAN_cbor.c, NULL_cbor.c,
	  ENUMERATED_cbor.c, NativeEnumerated_cbor.c, REAL_cbor.c,
	  NativeReal_cbor.c, constr_SEQUENCE_cbor.c, constr_SEQUENCE_OF_cbor.c,
	  constr_SET_cbor.c, constr_SET_OF_cbor.c, constr_CHOICE_cbor.c,
	  asn_codecs_prim_cbor.c. The SEQUENCE encoder correctly skips absent
	  optional and default-valued members so the CBOR map header count always
	  matches the number of encoded key/value pairs. INTEGER decoding handles
	  CBOR bignum tags (2 and 3) for values exceeding the 64-bit signed range.
	  New test: tests/tests-skeletons/check-CBOR.c with edge-case coverage for
	  INTEGER, NativeInteger, BIT STRING, and OCTET STRING types.
	* Added ATS_CBOR to asn_transfer_syntax enum and wired CBOR encode/decode
	  into asn_encode()/asn_decode() dispatch in asn_application.c. Added
	  -icbor and -ocbor switches to converter-example.c so that generated
	  converter applications can read and write CBOR-encoded data.

1.3.2:
	FIXES:
	* Fixed incorrect type descriptor selection when the same member name appears
	  in different parent types with different type definitions. When embedded types
	  like ssb-PositionsInBurst appeared as CHOICE in one parent and SEQUENCE in 
	  another, the decoder would incorrectly use the wrong type descriptor due to
	  unsuffixed alias collisions at runtime. The fix ensures member table references
	  always use suffixed type descriptors for embedded constructed types, avoiding
	  ambiguity. Affects 3GPP RRC and similar specifications with duplicate member
	  names across different parent structures.
	  (Severity: high; Security impact: none)
	* Moved complex_threshold from global variable to arg_t structure field.
	  Applications linking to libasn1compiler no longer need to define their own
	  version of the global complex_threshold variable. The variable is now properly
	  encapsulated within the compiler's argument structure and passed through the
	  asn1_compile() function. Default threshold value remains 4. Added test case
	  for -fcomplex-threshold flag validation.
	  (Severity: low; Security impact: none)
	* Fixed JER OPEN TYPE decoder to comply with ITU-T X.697 Clause 41. The decoder
	  was incorrectly attempting to parse CHOICE-style key wrappers and consuming
	  parent SEQUENCE delimiters, causing "Unexpected JSON key" and "Out of defined
	  members" errors when decoding valid ITU-T X.697 compliant JSON. The decoder now
	  decodes OPEN TYPE values directly without wrapper parsing and returns immediately
	  without consuming trailing delimiters, letting parent decoders handle structural
	  elements. Added automated regression test to prevent future issues. Affects F1AP
	  and similar specifications with OPEN TYPE fields. (PR #456)
	  (Severity: high; Security impact: none)

1.3.1:
	FEATURES:
	* Enhanced -fprefix implementation with automatic PDU handling and system
	  header conflict warnings. (PR #427)
	* Added warning system to detect filename conflicts with system headers on
	  case-insensitive filesystems. (PR #425)

	NOTABLE:
	* Added S1AP missing ASN.1 file to examples. (PR #423)

	FIXES:
	* Improved JER OPEN_TYPE encoder validation and diagnostics. Added comprehensive
	  checks for type descriptor validity, NULL pointer detection, and type mismatch
	  warnings. Enhanced debug logging to help diagnose encoding issues in complex
	  IOC scenarios. (Severity: low; Security impact: none)
	* Fixed name collision for nested CHOICE/SET members with identical identifiers.
	  When the same identifier appears recursively in nested CHOICE or SET structures
	  (e.g., "criticalExtensions" used at multiple nesting levels in 3GPP RRC schemas),
	  the compiler now automatically applies compound naming to prevent collisions.
	  This fixes UPER decoding failures in 3GPP WCDMA RRC and similar schemas.
	  (Severity: high; Security impact: none)
	* Fixed JER Open Type encoding to comply with ITU-T X.697 Clause 41 - removed
	  incorrect type name wrapper. (PR #444) (Severity: medium; Security impact: none)
	* Fixed SEQUENCE OF with inline SEQUENCE inside CHOICE generating undefined
	  types. (PR #442) (Severity: high; Security impact: none)
	* Fixed linker errors from duplicate unsuffixed type descriptor symbols on
	  non-ELF platforms (CYGWIN, Windows). (PR #439) (Severity: high; Security impact: none)
	* Fixed duplicate validation function names for nested ENUMERATEDs with
	  identical identifiers. (PR #436) (Severity: high; Security impact: none)
	* Fixed parser memory leak on syntax error. (PR #434) (Severity: low; Security impact: low)
	* Fixed memory leak in parser when processing unused tokens. (PR #433)
	  (Severity: low; Security impact: low)
	* Fixed code generation for deeply nested SEQUENCE OF with compound names.
	  (PR #432) (Severity: medium; Security impact: none)
	* Fixed XER Base64 decoder state loss in chunked decoding. (PR #430)
	  (Severity: medium; Security impact: none)
	* Fixed time.h shadowing on case-insensitive filesystems (macOS, Windows) by
	  moving include to header files. (PR #425) (Severity: medium; Security impact: none)
	* Fixed XER encoder indentation and empty element spacing issues. (PR #420)
	  (Severity: low; Security impact: none)
	* Fixed unused variable 'er' in OPEN_TYPE_jer.c that caused compilation
	  failure with -Werror -Wall flags. (Severity: low; Security impact: none)

1.3.0:
	FEATURES:
	* Added compile-time flag XER_ALLOW_EMPTY_OPTIONALS for XER decoder support
	  of empty OPTIONAL fields. (PR #416)
	* Added -fcomplex-threshold CLI parameter to control XER encoding complexity
	  and fixed related XER encoding issues. (PR #399)
	* Added -fprefix option to prefix generated type names. (PR #170)
	* Completed ENCODING-CONTROL Phases 4-5: full parsing of ENCODING-CONTROL
	  directive bodies and linking encoding instructions to target type
	  definitions. (PR #389)
	* Added JER-specific constraints for BIT STRING variable size. (PR #192)
	* Added JER support for pure hexadecimal OCTET STRINGs. (PR #193)
	* Added class default syntax support. (PR #172)
	* Added copy operation support. (PR #174)

	NOTABLE:
	* Reverted circular dependency detection changes from PRs #409 and #411,
	  preserved F1AP regression test. (PR #414)
	* Updated asn1c-usage.tex documentation for PRs #399, #389, #353, #336, #334.
	  (PR #412)
	* Updated README with supported encoding rules. (PR #173)
	* Breaking change introduced by circular dependency handling refactor in
	  PR #409 (later reverted in PR #414): many generated structures were
	  temporarily represented as pointers, requiring updates to existing code
	  (for example, adding dereferences) to compile and link it with the
	  current asn1c. This entry documents the temporary impact for users who
	  upgraded during that period.

	FIXES:
	* Fixed IOC constraint resolution for SEQUENCE OF with parent field references.
	  (PR #415) (Severity: medium; Security impact: none)
	* Fixed Open Type code generation for SEQUENCE OF in IEEE 1609.2. (PR #408)
	  (Severity: medium; Security impact: none)
	* Fixed F1AP circular dependency using -findirect-choice flag for IOC OPEN_TYPE
	  pointer generation. (PR #353) (Severity: medium; Security impact: none)
	* Fixed -fgen-only-pdu-deps to mark IOC table types and parameterized type
	  dependencies. (PR #336) (Severity: low; Security impact: none)
	* Fixed XER parsing for OCTET STRING with H'...' prefix notation. (PR #334)
	  (Severity: low; Security impact: none)
	* Fixed -Wsign-compare compiler warning in BIT_STRING_jer. (PR #200)
	  (Severity: low; Security impact: none)
	* Fixed version brackets in CHOICE type. (PR #199)
	  (Severity: low; Security impact: none)
	* Fixed format specifiers for 64-bit integers. (PR #185)
	  (Severity: low; Security impact: none)
	* Fixed integer tests warnings. (PR #182)
	  (Severity: low; Security impact: none)
	* Fixed GCC warnings. (PR #181)
	  (Severity: low; Security impact: none)
	* Fixed JER OBJECT IDENTIFIER quotes handling. (PR #178)
	  (Severity: low; Security impact: none)
	* Fixed INTEGER to 64-bit native methods conversion. (PR #177)
	  (Severity: low; Security impact: none)
	* Fixed APER INTEGER longs to intmaxs conversion. (PR #176)
	  (Severity: low; Security impact: none)

1.2.0:
	FEATURES:
	* Added support for OPEN TYPE in IOC, now V2X and C2X should work.
	* Added support for JER encoding and decoding.
	* Added ability to generate only codecs relevant to selected PDU(s)
	
	NOTABLE:
	* OCTET STRING in XER now uses Base64 encoding, CXER-compliant.
	* Hexadecimal encoding for OCTET STRING in XER may or may not work.
	* Validation of constraints should now work for all types.
	
	FIXES:
	* Numeral - addressed bugs and compiler warnings.

0.9.40:
    FEATURES:
    * Added support for basic Information Object Sets driven code generation.
    * Added OER support.
    * Added LTE RRC example (Bi-Ruei, Chiu).
    * Added IEEE 1609.2 example.
    * Added SAE J2735 example.

    NOTABLE:
    * Converter example (included by default):
      * converter-sample.c renamed into converter-example.c
      * make converter-example.mk file for building that converter
      * asn1c -no-gen-example to stop generating converter-example.{c,mk}
    * asn1c -no-gen-example option to disable converter-example generation.
    * Added random value generation (-R option to converter-example).
    * Added LibFuzzer-based randomized tests for supported transfer syntaxes
      (DER, OER, UPER, XER) into tests/tests-randomized. See the following
      article to get the latest LibFuzzer-enabled clang on macOS:
        https://medium.com/@levwalkin/compile-llvm-clang-libfuzzer-b61e82718430
      then ensure the new clang is in the way:
        CC=clang CXX=clang++ ./configure --enable-Werror --enable-test-fuzzer
    * OBJECT IDENTIFIER and RELATIVE-OID API simplified.
    * uper_encode() API got new argument (breaks API compatibility).
    * asn1c -gen-XXX flags are deprecated. Use -no-gen-XXX to disable codecs.

    FIXES IN COMPILER-GENERATED OUTPUT:
      * Fix incomplete (failed) CHOICE XER decoding memory leak.
        (Severity: medium; Security impact: medium)
      * Fix REAL type overwrite conversion memory leak.
        (Severity: low; Security impact: medium)
      * Fix UPER string decoding constrained only by lower bound > 0
        (Severity: low; Security impact: none)
      * Fix UPER decoding of large [bit-]strings of size a multiple of 16K
        (Severity: low; Security impact: none)
      * Fix XER decoder crash on maliciously constructed ENUMERATED input.
        (Severity: medium; Security impact: medium)
      * Fix XER decoder of INTEGER, OBJECT IDENTIFIER, and RELATIVE-OID.
        In some cases an INTEGER overflow during parsing is not detected
        and incorrect value is returned to the decoder instead of an error.
        Reported by Nika Pona <npona@digamma.ai>.
        (Severity: low; Security impact: medium).

    FIXES IN TOOLING:
      * CVE-2017-12966 verified not present.
      * Fix `unber` buffer overrun. Reported by Eric Sesterhenn.
        (Severity: low; Security impact: high)

0.9.28: 2017-03-26
    * PER decoding: avoid memory leak on error. By github.com/simo5
    * Constness patch #46 by Wim L <wiml@omnigroup.com> (41bbf1c..78d604f).
    Build issues:
    * Fixed generated file permissions introduced by earlier pull (issue/32).
    * Win32/MinGW patch #31 by Frank Morgner (frankmorgner).
    * Autoreconf fix patch by Dave Cridland (github.com/dwd)
    * Fix autoreconf-2.69 failure by github.com/brchiu
    * Fix C99 warnings. Fix by Adrien Destugues (github.com/pulkomandy).
    * C89 compliance fix by Jaroslav Imrich (github.com/jariq).
    * C standard compliance fixes by Markus Elfring (github.com/elfring).

0.9.27: 2014-Sep-17
    * Build structure fixes for portability.
    * Disable long debug of ASN.1 operations during `make check` stage.
    * Introduce --enable-ASN_DEBUG configure flag to emit long debug output.

0.9.26: 2014-Sep-11
    * Updated asn1c-usage.pdf.
    * Made -fskeletons-copy a default option; removed cmdline option.
    * Made -fnative-types a default option; removed cmdline option.
      Added -fwide-types for backwards compatibility.
    * Add -fline-refs to avoid being unfriendly to version control systems.
    * Default constraint checking fix.
      Thanks to Bartosz Marcinkiewicz <bma@megawatt.com.pl>
    * Get rid of non-standard pointer arithmetic on void* pointer.
    * PER-encoding of integers wider than 32 bits.

0.9.24:    2013-Mar-16

    * GeneralizedTime fix for working with time offsets which are not
      representable in whole hours. (Severity: low; Security impact: low)
      Thanks to IP Fabrics, Inc.
    * Added -fincludes-quoted to asn1c to generate #includes in "double"
      instead of <angle> quotes.
    * PER encoding correctness fix. (Severity: high; Security impact: low)
      Reported by Grzegorz Aksamit.
    * ENUMERATED extension values check relaxed. Reported by Gabriel Burca.
    * Fixed decimal decoding of REAL values in -fnative-types mode
      (Severity: medium; Security impact: medium)
    * Removed webcgi subproject (introduced in 2004) as useless.

0.9.22:    2008-Nov-19

    * Added -pdu=all and -pdu=<type> switches to asn1c.
    * Added PER support for most known-multiplier string types:
      IA5String, VisibleString, PrintableString, BMPString, UniversalString;
      useful types: GeneralizedTime, UTCTime, ObjectDescriptor;
      as well as REAL and OBJECT IDENTIFIER.
      TODO: SET type.
    * Added PER support for extensions in SEQUENCE.
    * Multiple enhancements by Daniele Varrazzo <daniele.varrazzo@gmail.com>
    * Fixed explicit tagging of an in-lined constructed type.
      (Severity: low; Security impact: none).
    * Memory leak fixed in SET OF / SEQUENCE OF when wrong encoding
      is encountered. (Severity: medium; Security impact: low)
    * Fixed extensibility handling of second SEQUENCE production.
      (Severity: low; Security impact: none)
    * Added DEFAULT handling for known multiplier string.
    * Added a sample OMA ULP decoder (./examples/sample.source.ULP).
    * Added full-width 32-bit integer encoding support in PER.
    * Fixed 1-byte OOB write issue with non-standard and Windows
      memory allocators (Severity: low; Security impact: medium).
      Reported by Sheng Yu.

0.9.21:    2006-Sep-17

    * skeletons/standard-modules directory is now used for standard types.
    * Fixed class field access problem (Test case 98)
      (Severity: medium; Security impact: none)
    * Refactored Information Object Classes parsing.
    * Refactored Parameterization support.
    * [typedef enum foo {}] foo_e; is now e_foo, see #1287989
    * Refactored ValueSetTypeAssignment parsing.
    * asn-decoder-template.c renamed into converter-sample.c
    * MEGACO (Media Gateway Control Protocol) decoder sample added.
    * First release of PER encoder (does not encode SETs yet).
    * Added a sample LDAP decoder (./examples/sample.source.LDAP3).
    * Added a sample 3GPP RRC decoder (./examples/sample.source.RRC).
    * Added a sample MEGACO (H.248.1) decoder (sample.source.MEGACO).

0.9.20:    2006-Mar-06

    * SET OF CHOICE, SEQUENCE OF CHOICE and a certain named S/O types
      are represented differently in XER. THIS IS AN INCOMPATIBLE CHANGE.
      (Test case 70) (Severity: low; Security impact: low)
    * asn1c: Removed -ftypes88 command line option.
    * Started PER implementation. Somewhat experimental!

0.9.19:    2005-Oct-06

    * A proper solution to circular references. No kludge flags
      should be necessary anymore to produce reference-free code:
      recursive dependencies are resolved automatically.
    * Test cases 73 & 92 keep track of various circular references.
    * Introduced compiler directives to allow finer control over the
      generated code ("--<ASN1C...>--" in comments), (Test case 93).
    * New feature for unber(1): -s <skip> bytes.
    * Mandatory elements map for SET was not getting generated properly.
      (Test case 94) (Severity: high; Security impact: low)
    * asn1c: new command line option: -fskeletons-copy.

0.9.18:    2005-Aug-14

    * The obsolete X.208 syntax is handled gracefully now (compound types'
      member names are invented on the fly). (Test case 87).
    * Generating enumeration tables for INTEGER types (Test case 88).
    * Generating enumeration tables for BIT STRING types (Test case 89).
    * Conditional INTEGER/ENUMERATED representation: long vs. INTEGER_t
      type is chosen based on PER visible constraints (Test cases 90, 91).
    * Union structures for CHOICE type are not anonymous anymore.
    * Made unber(1) program more verbose: effective structure length is
      now displayed as L="<n>" at the closing tag. (Test check-xxber.sh).
    * Fixed unber(1)'s -1 switch for indefinite encoding length.
    * New command line option for unber(1): -m to enable minimalistic mode.

0.9.17:    2005-Aug-07

    * Tagging mode is implicitly IMPLICIT if AUTOMATIC TAGS is used, #30.6.
      (Test cases 55, 86).
    * Started to use extern "C" {} in skeleton headers.
    * Introduced -finline-choice command line option to fix
      yet another class of circular references.

0.9.16:    2005-July-04

    * GeneralizedTime API now supports fractions of seconds.
      Thanks to Bent Nicolaisen <BN@JAI.com> for support.
    * ASN.1 parser has been tweaked to allow parsing something like
      "SEQUENCE----comment----", which is ambiguous for many reasons.
    * XER decoder better handles not-yet-defined future extensions.

0.9.15: 2005-July-02

    * Compiler now checks 64-bit overflows in constraints range handling
      code. No effect on the code produced by the compiler.
    * Compiler support for tagged and marked parametrized members.
    * Empty tags to element map avoided.
    * Compiled code GCC 4.x compatibility.

0.9.14:    2005-Apr-29

    * Fixed check-70.-fnative-integers.c test (it was failing
      when no test directory was found).

0.9.13:    2005-Apr-24

    * Added extra const qualifiers into the support code.
    * More RFC variations supported in crfc2asn1.pl.
    * Refined string values compatibility. (Test cases 77, 78).
    * Support for ContainedSubtype constraints. (Test case 16).
    * Parsing support for CONSTRAINED BY. (Test case 79).
    * Support for CharsDefn (Quadruple and Tuple, most used in
      ASN1-CHARACTER-MODULE) (Test case 80).
    * Pretty-printing support for WITH COMPONENT[S]. (Test case 82).
    * Streamed OCTET STRING decoding of large values: fixed allocation
      problem introduced in 0.9.9. (Severity: high; Security impact: medium)
      Reported by Yann Grossel <olrick@users.sourceforge.net>.
    * Fixed BASIC-XER encoding of REAL numbers.

0.9.12:    2005-Mar-10

    * Fixed a name clash in produced constraint checking code.
    * #includes are now in single quotes (to solve a name
      clash with system's <time.h> on a Win32 system).
    * Small refinement of XML DTD generation (`asn1c -X`).
    * Relaxed XER processing rules to skip extra whitespace
      in some more places. It also skips XML comments (although
      XML comments in XER are prohibited by X.693, #8.2.1).
      (Test case 70) (Severity: medium; Security impact: none)
      Reported by <Dominique.Nerriec@alcatel.fr>.
    * Constraints on primitive types being defined are now supported.
      (Test case 74) (Severity: low; Security impact: none)
    * XMLValueList generation fixed for CHOICE type.
      (Severity: medium; Security impact: none)
    * Added the GSM TAP3 decoder into ./examples/sample.source.TAP3

0.9.11:    2005-Mar-04

    * Released -fcompound-names to fix the name clashes in the code
      produced by the asn1c.
    * Released -fno-include-deps to avoid #including non-critical
      external dependencies.
    * Compiler is taught to produce compilable code for yet another class
      of circular ASN.1 type references.
    * X.693:8.3.4 prohibits anything but SignedNumber; fixed XER codec.
    * Fixed ENUMERATED identifier to value conversion in XER.
      Reported by <jacque.celaire@caramail.com>.
    * If the compiled file contents are the same as in already existing
      file (left from previous compilation), the old file is retained.
      This prevents thrashing `make` dependencies if amount of changes in
      the original ASN.1 module(s) is small.

0.9.10:    2005-Feb-25

    * Completed the XER XMLValueList encoding and decoding.
    * Native integer type is now using "long".
    * Fixed #1150856. Reported by <vvvy@users.sourceforge.net>.
    * Some WIN32 portability fixes.

0.9.9:    2005-Feb-22

    * First release of XER (XML) decoding implementation (somewhat
      experimental).
    * ANY allocation routine fixed.
      Reported by <mikko.ahonen@elma.net>.
    * Fixed tag parsing (tags like "[ 0 ]" were not supported).
    * Compiler now checks for duplicate ASN.1 types across modules.

0.9.8:    2005-Jan-17

    * [NEW PLATFORM] Compiled and tested on Linux @ alpha64 (LP64).
      Some code needed to be fixed regarding int-long conversions
      (mostly inside the test suite), and floating point handling
      code needed to be restructured to handle signalling NAN and
      other floating point exceptions quietly. Smooth transition!
    * [NEW PLATFORM] Compiled and tested on Sun Solaris 9 @ sparc.
      Improved includes/defines of/for system headers.
    * -X command line option added to asn1c to generate XML DTD.
    * Empty SEQUENCE and SET clauses are now allowed.
    * Removed confusion between &xNN; and &#xNN; in enber and unber.
    * Removed order dependency in DEFAULT references to ENUMERATED
      identifiers (./tests/68-*-OK.asn1).
    * ber_dec_rval_t renamed into asn_dec_rval_t: more generality.
    * Extensions in CHOICE types are properly marked as non-pointers
      (Test case 59) (Severity: medium; Security impact: medium)
      Reported by <roman.pfender@sdm.de>.
    * Tagged CHOICE type is now supported again.
      (Test case 59) (Severity: low; Security impact: low)
      Reported by <orlinkata@dir.bg>.
    * Implemented der_encode_to_buffer() procedure.

0.9.7.1:    2004-Oct-12

    * Fixed automatic tagging for extensions of compound types.
    * Fixed ParametrizedReference parsing: {} are now recognized.

0.9.7:    2004-Oct-11

    * Finished CXER implementation by adding SET and SET OF canonical
      ordering support.
    * Fixed unber(1) limits controlling logic.
    * Removed C99'izm from the x509dump, now understood by older compilers.
    * Enhanced UTF8String constraint validation, now it checks
      for the minimal encoding length; API of UTF8String_length() changed.
    * Fixed SEQUENCE dealing with premature termination of the
      optionals-laden indefinite length structure. The code was previously
      refusing to parse such structures.
    * Fixed explicitly tagged ANY type encoding and decoding
      (Severity: medium; Security impact: low).
    * Fixed CHOICE code spin when indefinite length structures appear
      in the extensions (Severity: medium; Security impact: medium).
      Reported by <siden@ul-gsm.ru>.
    * BIT STRING now stores the number of unused octets in a separate field.

0.9.6:    2004-Sep-29

    * Added several security firewalls: decoder's stack usage control
      and the stricter checking of the TLV length.
    * Implemented BASIC-XER encoding support (X.693).
    * Implemented unber(1) and enber(1) for BER<->XML translation.
    * Implemented CGI for online ASN.1 compilation (asn1c/webcgi).
    * Implemented the sample X.509 decoder (./examples/sample.source.PKIX1).
    * NamedType is now supported for SET OF/SEQUENCE OF type.
    * Added -fno-constraints option to asn1c, which disabled generation of
      ASN.1 subtype constraints checking code.
    * Added ASN1C_ENVIRONMENT_VERSION and get_asn1c_environment_version().
    * Fixed ANY type decoding (Severity: high; Security impact: low).
    * Fixed BER decoder restartability problem with certain primitive
      types (BOOLEAN, INTEGER, and REAL). The problem occurred when the
      encoding of such type is split between several bytes.
      (Severity: high; Security impact: low)
    * Support for cross-referencing type definitions (updated ./tests/43-*).
    * Fixed pretty-printing of the REAL type. Added lots of test cases.
    * Renamed asn1_* into asn_* in function and type names.
    * Updated documentation.

0.9.5:    2004-Sep-17

    * Fixed CER (common BER) decoder code. See check-25.c/VisibleString
      case for details. X.690 specifies that inner structures in BER
      encoding must be tagged by stripping off the outer tag for each
      subsequent containment level. See also X.690: 8.21.5.4 and
      the "Spouse" case in A.3.
      (Severity: medium; Security impact: low)
    * Added converters between any generic type and the ANY type.
    * Parser fixed: Information Object Class fields may be tagged.
    * Parser fixed: tagged types inside SEQUENCE OF/SET OF support.
    * Improved DEFAULT Value parsing and pretty-printing.
    * Condition on distinct tags checker was incorrectly dealing with
      tagged CHOICE types. Fixed. Modified tests/37-indirect-choice-OK.asn1
    * Improved type name generation code ("struct foo" vs "foo_t").
    * Fixed constraint checking code incorrectly dealing with imported
      types with constraint values defined in other modules.
    * Real REAL support! (Haven't tested denormals support yet!)
      See skeletons/tests/check-REAL.c

0.9.4:    2004-Sep-10

    * More support for recursive type definitions.
    * Explicit support for ANY type decoding.
    * Refactored tags processing code.
    * Fixed constraints checking code: non-exploitable buffer overflow.
      (Severity: medium; Security impact: low)

0.9.3:    2004-Sep-07

    * Extended constraints support in parametrized types.
    * Better support for parametrization and constraints handling.
    * Better handling of recursive type definitions.
    * Added support for ANY type.

0.9.2:    2004-Aug-24

    * More flexible subtype constraints handling, with relaxed
      PER visibility rules for actual constraints checking code generator.
    * Indirect references in constraints resolver code fixed.
    * Avoided compilation warning on gcc 3.3.3 systems.
    * Better ValueSet printing.

0.9.1:    2004-Aug-23

    * Documentation updated: doc/asn1c-usage.pdf
    * Fixed OBJECT IDENTIFIER human-readable printing.
      Reported by <siden@ul-gsm.ru>.

0.9:    2004-Aug-23

    * Reworked subtype constraints handling, aiming at PER-applicability.
    * BOOLEAN and NULL are now implemented in terms of native int type.
    * Compiler now links in only necessary skeleton files.
    * -t option added to asn1c to ease manual BER/CER/DER decoding.
    * Added support COMPONENTS OF construct.
    * Numerous parser fixes and enhancements.
    * Better constraint failure reporting.

0.8.19:    2004-Aug-18

    * Fixed BER encoder (problem encoding large tag values)
      (Severity: medium; Security impact: low)

0.8.18:    2004-Aug-12

    * Parser: fixed multiple IMPORTS problem (incorrect assertion).
    * Parser: constraints extensibility parsing fix.

0.8.17:    2004-Aug-11

    * Improved compiler output: duplicate #includes eliminated.
    * Win32 portability fixes.
    * More compatibility with C++ or non-GCC compilers.

0.8.16:    2004-Jul-22

    * Fixed application-level problem in SET OF/SEQUENCE OF array cleanup.
      (Severity: medium; Security impact: low)
    * Improved asn_GT2time() and added asn_time2{GT,UT}() functions.
    * BIT STRING pretty-printing.

0.8.15:    2004-Jul-20

    * Fixed parser: memory leak in free_struct code for SET OF/SEQUENCE OF.
      (Severity: high; Security impact: medium)
    * Fixed parser: invalid memory reference in code constructing tags.
      (Test case 48) (Severity: high; Security impact: medium)
      When encoding data for certain ASN.1 specifications containing
      explicit tags, the tag is always written incorrectly due to
      incorrect memory reference. The encoding will almost always produce
      unparsable data and might well reference unmapped region so program
      would produce segmentation violation. Fortunately, memory is
      read, not written, so remote exploits cannot execute arbitrary
      code and triggering unmapped memory reference is highly unlikely
      even it attacker knows the code (basically, the compiler should place
      asn1_DEF_... right before the end of the mapped memory region, which
      is extremely rare).
    * Improved INTEGER type printing.

0.8.14:    2004-Jun-30

    * Fixed compiler: extensibility of CHOICE and SET type has not been
      taken into account during table construction.
      (Test case 47) (Severity: high; Security impact: low)

0.8.13:    2004-Jun-29

    * Fixed compiler: the skip values for IMPLICIT tagging were broken
      in some complex cases where one type is defined using another.
      (Test case 46) (Severity: medium; Security impact: low).
    * Added -fknown-extern-type command line parameter to asn1c.
    * Removed -N command line flag and underlying functionality
      to honor KISS principle.

0.8.12:    2004-Jun-17

    * RELATIVE-OID and OBJECT IDENTIFIER encoders/decoders are not bound
      anymore to an integer type of specific size (unsigned long). The
      size of an integer must be provided explicitly.
      See {OBJECT_IDENTIFIER|RELATIVE_OID}_{get|set}_arcs().
    * SEQUENCE BER decoder fixed again for complex CHOICE case
      (Test case 44) (Severity: medium; Security impact: low).

0.8.11:    2004-Jun-05

    * Enforced stricter conformance with C standards.
    * SEQUENCE BER decoder is now equipped with the sorted map
      in case of complex CHOICE descendants. Test case 44 created.

0.8.10:    2004-Jun-02

    * Added const qualifier where necessary.
    * Changed position of outmost_tag fetcher within asn1_TYPE_descriptor_t
      structure.

0.8.9:    2004-May-26

    * Added *_{get|set}_arcs_*() functions for OBJECT IDENTIFIER
      and RELATIVE-OID, together with test cases.

0.8.8:    2004-May-09

    * Introduced subtype constraints support (incomplete!).
    * Fixed compiler. If the last member of the SEQUENCE is OPTIONAL
      and absent in the encoding, and the type is extensible (...) or
      EXTENSIBILITY IMPLIED flag is set, then the structure could not
      be correctly decoded. (Severity: high; Security impact: low).
    * Compiler: fixed recursive ASN.1 types inclusion (Severity: low,
      Security impact: none).
    * Parser: IMPORTS/FROM fixes, now allowing multiple sections.
    * NEW PLATFORM: Compiled and tested on MacOS X (@ PowerPC).
      No major portability issues experienced.

0.8.7:    2004-Apr-11    T-version-0-8-7

    * Fixed SEQUENCE BER decoder: if the last member of the SEQUENCE is
      OPTIONAL and absent in the encoding, RC_FAIL was returned instead
      of RC_OK (Severity: high; Security impact: low).
    * Added test case to check the above problem.
    * Added test case to check -fnative-integers mode.

0.8.6:    2004-Apr-03    T-version-0-8-6

    * Fixed compiler output for embedded ASN.1 structures.

0.8.5:    2004-Mar-28    T-version-0-8-5

    * Fixed ber_tlv_length() computation problem (Severity: high,
      Security impact: none).
      Reported by <vss@high.net.ru>

0.8.4:    2004-Mar-22

    * Removed RC_ITAG enumeration element from BER decoder.
      This return code did not have much practical value.

0.8.3:    2004-Mar-14    T-version-0-8-3

    * Fixed SET::BER decoder: restart after reaching a buffer boundary
      was broken (Severity: high; Security impact: low).
    * Fixed OCTET STRING::BER decoder: restart after reaching a buffer
      boundary was broken (Severity: high; Security impact: low).
      Reported by <vss@high.net.ru>
    * Added test cases to check decoders restartability.
    * Slightly more general INTEGER2long decoder.
    * Allowed nested /* C-type */ comments, as per X.680:2002.

0.8.2:    2004-Mar-01    T-version-0-8-2

    * Fixed SEQUENCE BER decoder: an OPTIONAL element was required, where
      should not have been (Severity: major; Security impact: low).
    * Fixed print_struct pointer inheritance.
    * Added -fno-c99 and -funnamed-unions

0.8.1:    2004-Feb-22

    * -R switch to asn1c: Omit support code, compile only the tables.
    * Introduced NativeInteger pseudotype.
    * Corrected the informal print_struct()'s output format.

0.8.0:    2004-Feb-03    T-version-0-8-0

    * Some documentation is created (a .pdf and a short manual page).
    * Last touches to the code.

0.7.9:    2004-Feb-01    T-version-0-7-9

    * Human readable printing support.
    * Support for implicit (standard) constraints.

0.7.8:    2004-Jan-31

    * SET now rejects duplicate fields in the data stream.

0.7.7:    2004-Jan-25

    * Added types: GeneralizedTime and UTCTime.

0.7.6:    2004-Jan-24    T-version-0-7-6

    * DER encoding of a SET OF now involves dynamic sorting.

0.7.5:    2004-Jan-24    T-version-0-7-5

    * DER encoding of a SET with untagged CHOICE
      now involves dynamic sorting.

0.7.0:    2004-Jan-19    T-version-0-7-0

    * A bunch of DER encoders is implemented.

0.6.6:    2004-Jan-11

    * Implemented CHOICE decoder.
    * Implemented destructors support.

0.6.5:    2004-Jan-03

    * Implemented SET decoder.
    * Implemented SET OF and SEQUENCE OF decoders.

0.6.4:    2003-Dec-31

    * Implemented BOOLEAN, NULL, ENUMERATED decoders.
    * Implemented OCTET STRING decoder.
    * Implemented BIT STRING decoder.

0.6:    2003-Dec-30

    * First decoding of a BER-encoded structure!

0.5:    2003-Dec-28

    * Framework and most of the compiler backbone coding done.

0.1:    2003-Nov-28

    * Programming started.

=== Bug importance disclosure terms ===

SEVERITY.
    This term applies to the frequence the particular construct is used
    in the real world. The higher the frequency, the more chances of triggering
    this bug.
    low:    The ASN.1 specifications which could trigger
            this kind of bug are not widespread.
    medium: The particular ASN.1 construct is used quite often,
            so the chance of triggering an error is considerable.
    high:   This fix is considered urgent, or the particular ASN.1
            construct triggering this bug is in wide use.

SECURITY IMPACT.
    This term applies to the amount of potential damage a bug exploitation
    could cause.
    none:   No malicious exploitation is possible.
    low:    The local exploitation is unlikely; the remote exploitation
            is not possible.
    medium: The remote exploitation is possible when a particular ASN.1
            construct is being used. If possible, only hard failure, spin
            or memory leak are the possible outcome: no shellcode
            injection could possibly be carried by the attack.
    high:   The remote shellcode injection is possible, or the bug is
            otherwise remotely exploitable for most specifications.