X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=ChangeLog;h=4743a480b7d1fbee307f36398b6264187567a427;hb=HEAD;hp=79e91274398d50ccd7b718b54a8b9078d32c4ac1;hpb=8e408fcd0e346ae33624a7d515fc9a6efbaa059d;p=platform%2Fupstream%2Fgnutls.git diff --git a/ChangeLog b/ChangeLog index 79e9127..4743a48 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,5652 @@ +2017-03-06 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2017-03-05 Nikos Mavrogiannopoulos + + * NEWS: doc update Signed-off-by: Nikos Mavrogiannopoulos + +2017-03-05 Alex Gaynor + + * lib/opencdk/read-packet.c: Enforce the max packet length for + OpenPGP subpackets as well This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 Signed-off-by: Alex Gaynor + +2017-03-01 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2017-03-01 Nikos Mavrogiannopoulos + + * lib/opencdk/kbnode.c, lib/opencdk/keydb.c, lib/opencdk/literal.c, + lib/opencdk/opencdk.h, lib/opencdk/read-packet.c, + lib/openpgp/gnutls_openpgp.c, lib/openpgp/pgp.c, + lib/openpgp/privkey.c: opencdk: do not parse any secret keys in + packet when reading a certificate This reduces the attack surface on the parsers, and prevents any + bugs in the secret key parser to be exploitable by inserting secret + key sub-packets into an openpgp certificate. This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-28 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/crt_apis.c: tests: backported crt_apis + from master branch In addition to other APIs, this explicitly tests + gnutls_x509_crt_set_subject_unique_id() and + gnutls_x509_crt_set_issuer_unique_id(). 
Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-28 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c: certtool: increased buffer for reading from + user This allows reading longer than 128-byte fields interactively. The + new limit is 512-bytes. Relates #179 Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-22 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/pkcs11/pkcs11-import-with-pin.c: tests: + added PKCS#11 test for pin input This introduces a test on PIN input to retrieve an object using + pin-value and pin-source (file). Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-22 Nikos Mavrogiannopoulos + + * tests/utils.c, tests/utils.h: tests: utils: added ability to use + tmpfiles Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-22 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/pkcs11/pkcs11-pubkey-import-rsa.c, + tests/pkcs11/pkcs11-pubkey-import.c: tests: backported PKCS#11 test In addition to public key import checks, this test ensures that the + pin-value attribute is functional. Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-22 Nikos Mavrogiannopoulos + + * NEWS: doc update Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-22 Nikos Mavrogiannopoulos + + * configure.ac, lib/pkcs11.c: Use p11_kit_uri_get_pin_value() if + available in p11-kit This allows parsing the pin-value attribute of the PKCS#11 URI. Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-22 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: nettle/pk: added error checking in + _rsa_params_to_pubkey Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-21 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: nettle/pk: corrected memcpy of Q in DSA params Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2017-02-20 Nikos Mavrogiannopoulos + + * lib/opencdk/read-packet.c: opencdk/read-packet.c: corrected typo + in type cast 
Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-20 Nikos Mavrogiannopoulos + + * lib/opencdk/read-packet.c: cdk_pkt_read: enforce packet limits That ensures that there are no overflows in the subsequent + calculations. Resolves the oss-fuzz found bug: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 Relates: #159 Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-03 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: gnutls_pkcs11_obj_list_import_url2: Always return an + initialized pointer When returning success, but no elements, + gnutls_pkcs11_obj_list_import_url4, could have returned zero number + of elements with a pointer that was uninitialized. Ensure that an + initialized (i.e., null in that case), pointer is always returned. + Reported by Jeremy Harris. Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-17 Nikos Mavrogiannopoulos + + * lib/opencdk/read-packet.c: opencdk: improved error code checking + in the stream reading functions This ammends 49be4f7b82eba2363bb8d4090950dad976a77a3a Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-09 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, tests/key-tests/Makefile.am: tests: + do not run key-tests and cert-tests under leak sanitizer The reason is that we cannot distinguish between a memory leak on + application failure (which is followed by exit- thus should be + ignored) and an address sanitizer issue (which should never be + ignored). As such we disable leak detection with asan and rely on + valgrind. Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-09 Nikos Mavrogiannopoulos + + * tests/key-tests/Makefile.am: tests: added missing file + +2017-01-09 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: Build and Check - separate build + dir (x86): force build in gitlab shared runners In the Centos7 based runners there is an issue running autogen. 
Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-09 Nikos Mavrogiannopoulos + + * .gitignore, src/Makefile.am: tools: use stamp files to allow + parallel build of autogen files Autogen seems to output on the creates files gradually, something + that makes 'make' believe that the command is complete prior to the + output file being fully populated. The current approach uses stamp + files to ensure that no incomplete files are used for compilation. + +2017-01-09 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2017-01-09 Nikos Mavrogiannopoulos + + * NEWS, doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: + updated auto-generated files + +2017-01-09 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2017-01-09 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2017-01-04 Nikos Mavrogiannopoulos + + * lib/opencdk/read-packet.c: opencdk: added error checking in the + stream reading functions This addresses an out of memory error. Issue found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337 Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-04 Nikos Mavrogiannopoulos + + * lib/opencdk/pubkey.c: opencdk: cdk_pk_get_keyid: fix stack + overflow Issue found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340 Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-04 Nikos Mavrogiannopoulos + + * lib/opencdk/read-packet.c: opencdk: read_attribute: added more + precise checks when reading stream That addresses heap read overflows found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346 Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-01 Alex Gaynor + + * lib/opencdk/read-packet.c: Corrected a leak in OpenPGP sub-packet + parsing. 
Signed-off-by: Alex Gaynor + +2016-12-30 Alex Gaynor + + * lib/opencdk/read-packet.c: Attempt to fix a leak in OpenPGP cert + parsing. + +2016-12-26 Alex Gaynor + + * lib/opencdk/read-packet.c: Do not infinite loop if an EOF occurs + while skipping a PGP packet Signed-off-by: Alex Gaynor + +2016-02-29 Nikos Mavrogiannopoulos + + * lib/opencdk/misc.c: opencdk: Fixes to prevent undefined behavior + (found with libubsan) + +2017-01-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2017-01-04 Nikos Mavrogiannopoulos + + * lib/auth/rsa.c: auth rsa: eliminated memory leak on pkcs-1 + formatting attack path 
Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-02 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-12-09 Nikos Mavrogiannopoulos + + * lib/x509/verify.c: pkcs11 verification: ensure that an issuer we + retrieve is not blacklist It may happen in p11-kit trust module that a trusted certificate is + both in the trusted set, and the blacklisted set. To avoid accepting + a certificate when in both sets, we always check whether a trusted + issuer certificate is in the blacklisted set. + +2016-12-31 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: improved error reporting on file error + +2016-12-20 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-12-15 Nikos Mavrogiannopoulos + + * lib/x509/x509_ext.c: gnutls_x509_ext_import_proxy: fix issue + reading the policy language If the language was set but the policy wasn't, that could lead to a + double free, as the value returned to the user was freed. + +2016-12-16 Nikos Mavrogiannopoulos + + * : commit 5ca126e1a5daf071ce690f28823fa97de6a7ae68 Author: Nikos + Mavrogiannopoulos Date: Thu Dec 15 17:05:59 2016 + +0100 + +2016-12-14 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-12-13 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/pkcs8-key-decode-encrypted.c, + tests/pkcs8-key-decode.c: tests: added test for PKCS#8 encrypted key + decoding This also verifies that the return value when attempting to decrypt + without a password is GNUTLS_E_DECRYPTION_FAILED. 
+ +2016-11-14 Nikos Mavrogiannopoulos + + * tests/key-tests/Makefile.am, tests/key-tests/pkcs8-invalid: tests: + added test suite with PKCS#8 files that have invalid encryption + +2016-12-14 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c: PKCS#7 decrypt_data: merge all errors + during decryption to GNUTLS_E_DECRYPTION_FAILED + +2016-12-13 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c: pkcs8: ensure that the correct error + code is returned on decryption failure + +2016-12-14 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: added sanity check + on padding size Relates #148 + +2016-12-14 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: fail without leak + on unknown MAC + +2016-12-14 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: fail early on + invalid block sizes + +2016-12-14 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: PKCS#5,7 + decryption: enforce limits in the support parameter sizes This allows to detect invalid parameters early rather than later. 
+ Relates #148 + +2016-12-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-07-14 Nikos Mavrogiannopoulos + + * src/tpmtool-args.def, src/tpmtool.c: tpmtool: Added --test-sign + parameter + +2016-12-09 Nikos Mavrogiannopoulos + + * src/tpmtool.c: compiler warnings elimination and other bug fixes + +2015-06-05 Nikos Mavrogiannopoulos + + * src/tpmtool.c: tpmtool: added newline in error messages + +2016-12-09 Nikos Mavrogiannopoulos + + * configure.ac, lib/Makefile.am, lib/abstract_int.h, + lib/gnutls_errors.c, lib/gnutls_global.c, lib/gnutls_global.h, + lib/gnutls_privkey.c, lib/includes/gnutls/gnutls.h.in, lib/tpm.c: + tpm: backported improvements from master branch * Load libtspi dynamically using dlopen - prevents direct linking + with openssl * Fix handling of keys requiring authorization * In import_tpm_key_cb() fix the wrong password loop + +2016-12-09 Nikos Mavrogiannopoulos + + * src/certtool-args.def: doc: updated to documentation of certtool + [ci skip] This corrects options which incorrectly mentioned they support URLs. + +2016-12-07 Nikos Mavrogiannopoulos + + * src/certtool.c: Don't trash DER CRQ output with text data Backported patch from master. + +2016-11-29 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-11-29 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: tests: backported test suite for p11tool + --set-id and --set-label options + +2015-03-11 Nikos Mavrogiannopoulos + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + p11tool: added --set-id and --set-label options + +2015-03-11 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c, + lib/pkcs11_int.c, lib/pkcs11_int.h: added + gnutls_pkcs11_obj_set_info() This function allows setting information such as the CKA_ID and the + CKA_LABEL of an object. 
+ +2016-11-29 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: tests: check whether PKCS #11 ID set on + copy/generation is correct + +2016-11-29 Nikos Mavrogiannopoulos + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + p11tool: allow setting the CKA_ID on object + initialization/generation + +2016-11-29 Nikos Mavrogiannopoulos + + * lib/libgnutls.map: exported new functions + +2015-03-31 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11: + enhanced key generation functions to allow specifying a CKA_ID + +2015-03-30 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_write.c: enhanced copy + functions to allow specifying a CKA_ID + +2016-11-29 Nikos Mavrogiannopoulos + + * lib/x509/pkcs12_encr.c: pkcs12: fixed the calculation of p_size Include the trailing zero into the size calculation. + +2016-11-28 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-11-28 Nikos Mavrogiannopoulos + + * tests/pkcs12-decode/Makefile.am, tests/pkcs12-decode/pkcs12: + tests: added pkcs12 check with openssl generated structure and long + password + +2016-11-28 Nikos Mavrogiannopoulos + + * lib/x509/pkcs12_encr.c: pkcs12: fixed the calculation of p_size That affects passwords which exceed 32 characters. + +2016-11-07 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: _wrap_nettle_pk_verify: use FAIL_IF_LIB_ERROR + prior to returning success This will prevent verification to succeed if the system is in error + state. + +2016-11-02 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-10-21 Nikos Mavrogiannopoulos + + * lib/ext/signature.c, lib/gnutls_alert.c: Terminate handshake if + only unknown or disabled signatures are advertized by the peer That is, do not attempt to proceed assuming that the peer supports + SHA-1. 
+ +2016-10-26 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-13 Nikos Mavrogiannopoulos + + * lib/ext/status_request.c: certificate status requestion response + is optional according to RFC6066 + +2016-10-18 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: allow setting key purposes for non-CA + certificates That is, allow setting code signing, or time stamping key purpose in + certificates that are not marked as CA. The previous restriction + served no purpose. + +2016-10-14 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/multi-alerts.c: tests: added check to + verify that the server will bail out after many alerts + +2016-10-14 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/naked-alerts.c: tests: added check to + verify that the server will bail out after receiving only alerts + +2016-10-14 Nikos Mavrogiannopoulos + + * tests/cert-common.h: tests: backported the common certs from + master + +2016-10-14 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: + handshake: set a maximum number of warning messages that can be + received per handshake That is to avoid DoS due to the assymetry of cost of sending an + alert vs the cost of processing. 
+ +2016-10-14 Nikos Mavrogiannopoulos + + * lib/gnutls_record.c: record: disallow parsing of alert messages + prior to session start + +2016-10-14 Nikos Mavrogiannopoulos + + * src/certtool-common.c: certtool: improve text on missing options + for cert generation + +2016-10-13 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: avoid asking the security officer PIN twice + on initialization + +2016-10-13 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: improved messages on token initialization + +2016-10-13 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: corrected check of PIN existance in token + initialization + +2016-10-09 Nikos Mavrogiannopoulos + + * tests/Makefile.am: tests: link tests which utilize nettle with + nettle + +2016-10-09 Nikos Mavrogiannopoulos + + * doc/Makefile.am, doc/manpages/Makefile.am: updated auto-generated + files + +2016-10-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-10-09 Nikos Mavrogiannopoulos + + * lib/gnutls_extensions.c: TLS extensions: only cache the extension + IDs from exts that the server supports That avoids imposing any artificial limits on the number of + extensions that a server can handle. Resolves #136 + +2016-10-07 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: added safety net when generating a + certificate request That is, do not allow specifying --generate-request --load-pubkey + without specifying --load-privkey. Previously if --load-pubkey would + have been used, it would have been ignored, causing confusion to the + users. + +2016-09-19 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-09-16 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_int.h: Increased the maximum + size allowed for handshake messages to 128kb This would allow the library to cope with larger packets, as well as + TLS 1.3 hellos. Suggested by Hubert Kario. 
+ +2016-09-12 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-09-12 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: gnutls_certificate_set_*key: ensure proper + cleanup on key mismatch failures That is, ensure that we keep no local references that are shared + with the caller, and that we properly free all initialized values. + +2016-09-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-09-07 Nikos Mavrogiannopoulos + + * lib/system.c: _gnutls_ucs2_to_utf8: fixed use of + WideCharToMultiByte in windows + +2016-09-06 Nikos Mavrogiannopoulos + + * src/ocsptool.c: ocsptool: do not enter a spurious newline to + responses. + +2015-11-12 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, tests/cert-tests/template-test, + tests/cert-tests/template-unique.pem, + tests/cert-tests/template-unique.tmpl: tests: verify that unique IDs + are generated as expected + +2015-11-12 Nikos Mavrogiannopoulos + + * src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h, + src/certtool.c: certtool: Allow writing unique IDs in generated + certificates + +2016-09-05 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-09-05 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2015-11-12 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/x509.h, lib/libgnutls.map, + lib/x509/x509_write.c: Added gnutls_x509_crt_set_issuer_unique_id() + and gnutls_x509_crt_set_subject_unique_id() + +2016-09-05 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-09-03 Nikos Mavrogiannopoulos + + * lib/gnutls_pk.c: _gnutls_encode_ber_rs_raw: zero-pad values when + necessary This addresses issue when encoding values obtained via PKCS#11 which + may not be necessarily padded. Resolves #122 + +2016-09-03 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-test: tests: don't run overflow tests on + archs which fail This addresses a CI failure on x86. 
+ +2016-09-03 Nikos Mavrogiannopoulos + + * tests/slow/hash-large.c: tests: backported hash-large from master + +2016-09-03 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: use the gitlab.com shared runners Backported from master branch + +2016-08-28 David Woodhouse + + * lib/x509/pkcs12.c: gnutls_pkcs12_simple_parse: set the key value + to null on failure + +2016-08-27 Nikos Mavrogiannopoulos + + * lib/x509/ocsp.c: ocsp: corrected the comparison of the serial size + in OCSP response Previously the OCSP certificate check wouldn't verify the serial + length and could succeed in cases it shouldn't. Reported by Stefan Buehler. + +2016-08-24 Nikos Mavrogiannopoulos + + * tests/pkcs8-decode/Makefile.am, tests/pkcs8-decode/pkcs8, + tests/pkcs8-decode/pkcs8-pbes2-sha256.pem: tests: added decoding of + key with pbes2 and SHA256 PRF + +2016-08-24 Nikos Mavrogiannopoulos + + * NEWS, lib/algorithms.h, lib/algorithms/mac.c, lib/gnutls_int.h, + lib/includes/gnutls/x509.h, lib/pkix.asn, lib/pkix_asn1_tab.c, + lib/x509/Makefile.am, lib/x509/pbkdf2-sha1.c, + lib/x509/pbkdf2-sha1.h, lib/x509/pkcs12.c, + lib/x509/privkey_openssl.c, lib/x509/privkey_pkcs8.c, + lib/x509/x509_int.h, tests/gc.c: Added support for decrypting PKCS#8 + files which use HMAC-SHA256 as PRF This backports nettle pbkdf2 support, and improves compatibility + with new openssl versions. + +2014-08-04 Nikos Mavrogiannopoulos + + * lib/x509/pkcs12.c: pkcs12: increased the number of iterations for + MAC + +2016-08-10 Nikos Mavrogiannopoulos + + * lib/crypto-api.c: gnutls_key_generate: fail if the state of the + library is invalid Suggested by Stephan Mueller. + +2016-08-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-08-08 Stefan Sørensen + + * lib/x509/pkcs12.c: Fix gnutls_pkcs12_simple_parse to always + extract the complete chain gnutls_pkcs12_simple_parse was only collecting extra certificates + that was possible elements of the certificate chain when the + extra_certs argument was not NULL. 
Fix by allways collecting all the + certificates, any unneeded certificates are released before + returning if extra_certs is NULL anyway. 
Signed-off-by: Stefan Sørensen + +2016-08-07 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: nettle: use rsa_*_key_prepare on key import Previously we calculated the size of the key directly, but by using + the rsa_*_key_prepare we benefit from any checks that may be + introduced in the future. Specifically any checks for invalid public + keys (e.g., keys that may crash the underlying gmp functions). This patch avoids calling rsa_private_key_prepare every time we + construct a nettle private key struct, because this function + requires a bigint multiplication. We call that function once on + private key import. + +2016-08-08 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: Revert "nettle: use rsa_*_key_prepare" This reverts commit a2c3ee54ea8080eeb59fcfeec88a842324982c90. + +2016-08-01 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: nettle: use rsa_*_key_prepare Previously we calculated the size of the key directly, but by using + the rsa_*_key_prepare we benefit from any checks that may be + introduced in the future. Specifically any checks for invalid public + keys (e.g., keys that may crash the underlying gmp functions). + +2016-07-28 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-07-09 Tim Kosse + + * lib/x509/x509.c: gnutls_x509_crt_list_import2 was ignoring the + passed flags if all certificates in the list fit within the + initially allocated memory. + +2016-07-09 Tim Kosse + + * lib/x509/crl.c: gnutls_x509_crl_list_import2 was ignoring the + passed flags if all CTLs in the list fit within the initially + allocated memory. 
+ +2016-07-25 Nikos Mavrogiannopoulos + + * lib/minitasn1/coding.c, lib/minitasn1/decoding.c, + lib/minitasn1/element.c, lib/minitasn1/element.h, + lib/minitasn1/int.h, lib/minitasn1/libtasn1.h, + lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h, + lib/minitasn1/structure.c: minitasn1: updated to libtasn1 4.9 + +2016-07-08 Nikos Mavrogiannopoulos + + * NEWS: NEWS: corrected release date [ci skip] + +2016-07-06 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.24 + +2016-06-30 Nikos Mavrogiannopoulos + + * configure.ac: configure: check for libdl irrespective of FIPS140 + configuration This allows to link to libdl for the tests that require it. + +2016-07-05 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2016-07-05 Nikos Mavrogiannopoulos + + * libdane/errors.c, libdane/includes/gnutls/dane.h: dane: corrected + the license of libdane files The license was always LGPL version 2.1, and these files mentioned + LGPL version 3. Reported by Thomas Petazzoni. + +2016-06-30 Nikos Mavrogiannopoulos + + * tests/Makefile.am: tests: account pkcs11/pkcs11-mock-ext.h in + Makefile + +2016-06-30 Nikos Mavrogiannopoulos + + * tests/Makefile.am: tests: link pkcs11-import-url-privkey with + libdl That is because it uses dlopen(). + +2016-06-30 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-06-30 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/pkcs11/pkcs11-import-url-privkey.c, + tests/pkcs11/pkcs11-mock-ext.h, tests/pkcs11/pkcs11-mock.c: tests: + added check to verify the tolerance of broken C_GetAttributes That is, test gnutls_pkcs11_obj_list_import_url4() when importing + private keys from tokens that return CKR_OK on sensitive objects, + and tokens that return CKR_ATTRIBUTE_SENSTIVE. Relates #108 + +2016-06-30 Nikos Mavrogiannopoulos + + * lib/pkcs11_int.c: pkcs11_get_attribute_avalue: correctly handle a + -1 value length from C_GetAttributeValue That is, work-around modules which do not return an error on + sensitive objects. 
Relates #108 + +2016-06-29 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-06-29 Nikos Mavrogiannopoulos + + * lib/pkcs11_int.c: pkcs11_get_attribute_avalue: do not assign + values on failure When C_GetAttributeValue() returns size but does not return data + then pkcs11_get_attribute_avalue() would set the return data pointer + to a free'd value. This is against the convention expected by + callers, i.e, set data to NULL. Reported by Anthony Alba in #108. + +2016-06-29 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11, tests/suite/testpkcs11.softhsm: tests: + updated testpkcs11 to support softhsmv2 + +2016-06-29 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/{suite => pkcs11}/pkcs11-chainverify.c, + tests/{suite => pkcs11}/pkcs11-combo.c, tests/{suite => + pkcs11}/pkcs11-get-issuer.c, tests/{suite => + pkcs11}/pkcs11-is-known.c, tests/{suite => pkcs11}/softhsm.h, + tests/suite/Makefile.am: tests: moved pkcs11 tests to main test + suite + +2016-06-28 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-is-known.c: tests: backported pkcs11-is-known + from master + +2016-06-23 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: gnutls_pkcs11_crt_is_known: always assume + GNUTLS_PKCS11_OBJ_FLAG_COMPARE unless + GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is given + +2016-06-28 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: find_cert_cb: minor cleanups in find_cert_cb + +2016-06-22 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-06-22 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c, + tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c, + tests/suite/softhsm.h: tests: backported the softhsmv2 pkcs11 checks + from 3.4.0 + +2016-06-22 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: correctly encode the serial number when + searching for certificate In gnutls_pkcs11_crt_is_known() corrected the encoding of the serial + number to TLV DER from LV DER. This is the encoding we use when + storing that number. 
+ +2016-06-22 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: correctly account check_found_cert() + +2016-06-22 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: Amended "Corrected the writing of serial + number in PKCS#11 modules" This corrects the writing of the serial number. + +2016-06-16 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-06-16 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: dtls: corrected reconstruction of handshake + packets received out of order That is, when the handshake packet is split into multiple different + chunks and received out of order, make sure that reconstruction + occurs properly. Reported by Guillaume Roguez. + +2016-06-16 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: Corrected the writing of serial number in + PKCS#11 modules That is previously the serial number was written in raw format, but + in PKCS#11 the serial number must be set encoded as integer. Report + and fix by Stanislav Zidek. + +2016-05-31 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-05-31 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: when generating a private key ensure + the public key is not private This is a backport from the 3.4.x branch. + +2016-05-28 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: x86-common: use secure_getenv() + +2016-05-27 Nikos Mavrogiannopoulos + + * configure.ac: configure.ac: check for secure_getenv where + available and always enable system extensions + +2016-05-27 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-05-27 Nikos Mavrogiannopoulos + + * lib/fips.c, lib/gnutls_global.c, lib/gnutls_mem.h, lib/system.c: + env: use secure_getenv when reading environment variables + +2016-05-23 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: added sanity check to find_obj_url_cb() for + object validity Also avoid unnecessary recursion. 
+ +2016-05-20 Nikos Mavrogiannopoulos + + * tests/suite/eagain, tests/suite/testsrn: tests: use /bin/bash in + tests which require common.sh + +2016-05-21 Nikos Mavrogiannopoulos + + * tests/suite/Makefile.am, tests/suite/testcompat, + tests/suite/testcompat-common, tests/suite/testcompat-main: tests: + backported full openssl suite from master Removed the priority strings not applicable in 3.3.x. + +2016-05-13 Nikos Mavrogiannopoulos + + * tests/dsa/testdsa, tests/openpgp-certs/testcerts, + tests/scripts/common.sh, tests/suite/eagain, + tests/suite/mini-eagain2.c, tests/suite/testcompat-main, + tests/suite/testsrn: tests: simplified server launching process Also attempt to use a new port on every started server and added a + waiting period for the port to become re-usable. + +2016-05-21 Nikos Mavrogiannopoulos + + * tests/version-checks.c: added check for the VERS-ALL priority + keyword + +2016-05-21 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: gnutls_priority_init: recognize the + VERS-ALL keyword This keyword is identical to VERS-TLS-ALL, but it will allow to + re-use priority strings from 3.4.x+ to this branch of gnutls. + +2016-05-20 Nikos Mavrogiannopoulos + + * tests/Makefile.am: tests: do not use pkglib to generate + libpkcs11mock1.so This resulted in the test library being installed. Install we use + noinst for the library, but pass -rpath to LDFLAGS as a hack to for + libtool to generate the shared version. + +2016-05-20 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: released 3.3.23 + +2016-05-19 Nikos Mavrogiannopoulos + + * src/cli.c, src/socket.c, src/socket.h: gnutls-cli: allow operation + with stdin input That is once commands from stdin are given, they are not only sent + to server, but we also wait for a response prior to exiting. 
Resolves #96 + +2016-05-17 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-05-17 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-05-17 Nikos Mavrogiannopoulos + + * src/cli.c: gnutls-cli: corrected check for OCSP verification + success + +2016-01-18 Nikos Mavrogiannopoulos + + * lib/gnutls_global.c: gnutls_global_init: log gnutls' version on + initialization + +2016-05-12 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-05-12 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/mini-server-name.c: tests: backported + server name checks + +2016-05-12 Nikos Mavrogiannopoulos + + * lib/ext/server_name.c: server_name: only save the supported server + names in the session Invalid server names with embedded nulls and unsupported types are + not saved. + +2016-05-10 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-05-10 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: cert cred: add the CN to the list of known + hostnames only if no dns_names That is, follow rfc6125 and support CN as a fallback only. + +2016-05-10 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: gnutls_certificate_set_key: import the DNS + names of the certificates That is, only when no (NULL) names are provided. + +2016-05-03 Nikos Mavrogiannopoulos + + * tests/pkcs11/pkcs11-cert-import-url-exts.c, + tests/pkcs11/pkcs11-get-exts.c, + tests/pkcs11/pkcs11-get-raw-issuer-exts.c: Revert "tests: ignore + failure to load pkcs11 mock provider" This reverts commit ae40598e5597b1b1f01a7e55d35b5f476d7d19d7. 
+ +2016-05-03 Nikos Mavrogiannopoulos + + * configure.ac, tests/Makefile.am: tests: don't run pkcs11 mock + module tests under buggy p11-kit + +2016-05-03 Nikos Mavrogiannopoulos + + * tests/pkcs11/pkcs11-cert-import-url-exts.c, + tests/pkcs11/pkcs11-get-exts.c, + tests/pkcs11/pkcs11-get-raw-issuer-exts.c: tests: ignore failure to + load pkcs11 mock provider GnuTLS 3.3.x can work with old versions of p11-kit which do not have + the necessary fixes to load absolute paths. + +2016-05-03 Nikos Mavrogiannopoulos + + * lib/nettle/gnettle.h: Fixed _NETTLE_UPDATE macro The macro was not using the input parameters but rather the actual + variable name from the function (which was identical to input). + Patch by Stanislav Zidek. + +2016-05-03 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: gnutls_certificate_set_key: duplicate the + provided memory That is, do not assume that a heap allocated value is provided. + +2016-05-03 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-05-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-05-02 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/pkcs11/pkcs11-cert-import-url-exts.c, + tests/pkcs11/pkcs11-get-exts.c, + tests/pkcs11/pkcs11-get-raw-issuer-exts.c, + tests/pkcs11/pkcs11-mock.c, tests/pkcs11/pkcs11-mock.h: tests: added + a basic PKCS#11 mock module This is used to test gnutls_pkcs11_obj_get_exts(), + gnutls_x509_crt_import_url(), and gnutls_pkcs11_get_raw_issuer() + with the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag. + +2016-05-03 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: find_cert_cb: do not use C_FindObjectsInit() + when another is already running While some modules implicitly terminated the previous run, this is + not something that PKCS#11 modules are expected to typically do. 
+ +2016-05-03 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: the flag + GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be respected by + imported certificates That is, certificates imported with gnutls_pkcs11_obj_import_url() + or gnutls_x509_crt_import_url() will be able to be extracted with + their extensions overriden. Previously that was available only on + gnutls_pkcs11_get_raw_issuer() and friends. + +2016-05-03 Nikos Mavrogiannopoulos + + * lib/pkcs11x.c: pkcs11: find_ext_cb: eliminated memory leak + +2016-05-02 Nikos Mavrogiannopoulos + + * lib/pkcs11x.c: gnutls_pkcs11_obj_get_exts: updated documentation + [ci skip] + +2016-04-29 Nikos Mavrogiannopoulos + + * lib/gnutls_privkey_raw.c: corrected import issue in + gnutls_privkey_import_ecc_raw + +2016-04-29 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: x509/privkey: in raw import functions set the + parameter's algorithm type + +2016-04-26 Nikos Mavrogiannopoulos + + * tests/dane.c: tests: enhanced dane testing with offline + verification checks + +2016-04-26 Nikos Mavrogiannopoulos + + * libdane/dane.c: dane: verification will not fail if a CA entry is + encountered but cannot be verified That addresses the issue of verifying a single certificate against a + list of TLSA entries that contain an entry with CA usage (cert usage + 0). With the previous behavior verification would have failed, while + now this entry will be skipped. + +2016-04-26 Nikos Mavrogiannopoulos + + * lib/gnutls_cert.c, libdane/dane.c: doc: improved documentation on + certificate and DANE verification functions + +2016-04-18 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: _wrap_nettle_pk_derive: reject values of public + key that are over the prime That is do not canonicalise the value we get from the network, but + rather check it for validity. This saves a modular reduction on + handshake and performs a sanity check on the peer's (client) + parameters. Reported by Hubert Kario. 
Resolves #84 + +2016-04-13 Nikos Mavrogiannopoulos + + * lib/gnutls_sig.c: handshake: do not overwrite the server's + signature algorithm That is, correct a bug under which a client sending a certificate + would overwrite the server's idea about the used signature + algorithm. Reported by Hubert Kario. + +2016-04-12 Nikos Mavrogiannopoulos + + * lib/x509/ocsp.c: gnutls_ocsp_resp_get_single: fail if thisUpdate + is not available or unparsable That is because this field is not optional, and a failure on its + parsing is always fatal. Reported by Yuan Jochen Kang. + +2016-04-09 Nikos Mavrogiannopoulos + + * lib/x509/ocsp_output.c, lib/x509/output.c: x509 output: don't warn + about insecure algorithm when unknown + +2016-04-08 Nikos Mavrogiannopoulos + + * lib/pkix.asn, lib/pkix_asn1_tab.c: pkix.asn: corrected byKey + definition OCSP is defined in an EXPLICIT tags module, and as such we must tag + explicitly all of its tags. + +2016-04-05 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c: name constraints: enforce the rules + for IP constraints when adding This will prevent gnutls from generating badly formed certificates. + +2016-04-02 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-04-02 Nikos Mavrogiannopoulos + + * src/ocsptool-common.c: ocsptool: use HTTP/1.0 for requests This avoids issue with servers serving chunk encoding which ocsptool + doesn't support. Reported by Thomas Klute. 
+ +2016-03-30 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-03-30 Nikos Mavrogiannopoulos + + * lib/x509/output.c: x509/output: simplified cidr_to_string() + +2016-03-29 Nikos Mavrogiannopoulos + + * lib/x509/output.c: x509/output: print RFC5280 CIDRs in name + constraints + +2016-03-30 Nikos Mavrogiannopoulos + + * lib/system.c: system_recv_timeout(): verify that the file + descriptor is acceptable for select() + +2016-03-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-03-15 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-nc.pem: tests: template-test was updated + for OCSP key purpose reordering + +2016-03-15 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: do not require a CA for OCSP signing This follows the recommendations in RFC6960 in 4.2.2.2 which allow a + CA to delegate OCSP signing to another certificate without requiring + it to be a CA. Reported by Thomas Klute. + +2016-03-16 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: x86-common: CPUID override will + only work if CPU has already the capability present This resolves test suite failure on CPUs with limited capabilities. + Reported by Andreas Metzler. + +2016-03-18 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-03-18 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c: handshake: parse the mandatory to parse + extension prior to any callback call This relates to the change of ALPN extension to mandatory to parse, + and allows applications to get ALPN data prior to handshake + completion. + +2016-03-18 Nikos Mavrogiannopoulos + + * tests/mini-x509-callbacks.c: tests: verify that the + post-client-hello callback has access to ALPN data + +2016-03-18 Nikos Mavrogiannopoulos + + * tests/resume.c: tests: added checks for session resumption and + ALPN This checks whether the ALPN extension is re-read on resumption and + is negotiated. 
+ +2016-02-11 Nikos Mavrogiannopoulos + + * tests/resume.c: tests: resume: simplified structure assignment + using C99 syntax + +2016-03-15 Yuriy M. Kaminskiy + + * lib/ext/alpn.c: alpn: ALPN state is per-connection, it should not + be saved with session data In addition the extension was moved to the mandatory to parse to + ensure it is always parsed when sessions are resumed. rfc7301: Unlike many other TLS extensions, this extension does not + establish properties of the session, only of the connection. + When session resumption or session tickets [RFC5077] are used, the + previous contents of this extension are irrelevant, and only the + values in the new handshake messages are considered. Signed-off-by: Yuriy M. Kaminskiy 
Signed-off-by: + Nikos Mavrogiannopoulos + +2016-03-11 Nikos Mavrogiannopoulos + + * src/cli.c: gnutls-cli: fix invalid initialization in + cert_verify_ocsp() + +2016-03-10 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-03-08 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-03-08 Nikos Mavrogiannopoulos + + * tests/mini-loss-time.c: tests: backported mini-loss-time fixes + +2016-03-08 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-03-04 Nikos Mavrogiannopoulos + + * tests/slow/Makefile.am: tests: do not run hash-large twice + +2016-03-03 Nikos Mavrogiannopoulos + + * tests/version-checks.c: tests: corrected typo in version-checks + +2016-03-03 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: added check on build with SSL 3.0 + +2016-03-03 Nikos Mavrogiannopoulos + + * tests/suite/testsrn: tests: backported testsrn from 3.4 branch + +2016-03-03 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/cert-common.h, tests/version-checks.c: + tests: added check for version negotiation default prio string That verifies whether the support versions are negotiated. + +2016-03-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-03-03 Nikos Mavrogiannopoulos + + * configure.ac, lib/gnutls_priority.c: Remove SSL 3.0 from the + default priority strings That can be reverted by using the --with-ssl3 configure option. 
+ +2016-03-03 Nikos Mavrogiannopoulos + + * tests/slow/Makefile.am: tests: include test-hash-large into dist + +2016-03-01 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: separate builds with asan + +2016-03-01 Nikos Mavrogiannopoulos + + * lib/openpgp/extras.c: gnutls_openpgp_keyring_import: backported + mem leak fix + +2016-03-01 Nikos Mavrogiannopoulos + + * src/p11tool.c: p11tool: avoid warning with cast + +2016-03-01 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: eliminated memory leaks on cert + verification + +2016-03-01 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: backported memory leak fixes in PKCS#12 + handling + +2015-11-09 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: eliminate leaks in _verify_x509_mem() + +2015-11-09 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: eliminate memory leaks in certificate + generation + +2016-02-29 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version [ci skip] + +2016-02-29 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: avoid warning with cast + +2016-02-29 Nikos Mavrogiannopoulos + + * lib/ext/ecc.c: ecc: optimized extension parsing + +2016-02-29 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: fixed asan build for nettle3 + +2016-02-29 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-02-29 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c: timespec_sub_ms: fixed operation in 32-bit + systems + +2016-02-29 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: Fixes to prevent undefined behavior (found + with libubsan) + +2016-02-29 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/gnutls.h.in: gnutls.h: Fixes to prevent + undefined behavior (found with libubsan) + +2016-02-29 Nikos Mavrogiannopoulos + + * lib/gnutls_mem.h, lib/x509/x509.c: x509: Fixes to prevent + undefined behavior (found with libubsan) + +2016-02-26 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: added libasan build with nettle3 + 
+2016-02-25 Jan Vcelak + + * lib/x509/privkey_pkcs8.c: gnutls_x509_privkey_import: add missing + algorithm setting for DSA keys The algorithm number was set only in the private key structure, not + in the nested structure with parameters. This made certain + operations to fail (e.g., copying the key into a PKCS #11 token). 
Signed-off-by: Jan Vcelak + +2015-06-17 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-date.pem, + tests/cert-tests/template-dn.pem, + tests/cert-tests/template-generalized.pem, + tests/cert-tests/template-nc.pem, + tests/cert-tests/template-overflow.pem, + tests/cert-tests/template-overflow2.pem, + tests/cert-tests/template-test, tests/cert-tests/template-test.pem, + tests/cert-tests/template-utf8.pem: tests: regenerate the results in + template-test using UTC times + +2016-02-25 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-02-25 Nikos Mavrogiannopoulos + + * lib/x509/common.c, lib/x509/common.h: When writing the Time ASN.1 + structure follow the RFC5280 recommendations That is make sure we generate dates with UTCTime prior to 2050 and + GeneralizedTime format after 2050. + +2015-06-17 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, tests/cert-tests/template-date.pem, + tests/cert-tests/template-dn.pem, + tests/cert-tests/template-generalized.pem, + tests/cert-tests/template-generalized.tmpl, + tests/cert-tests/template-nc.pem, + tests/cert-tests/template-overflow.pem, + tests/cert-tests/template-overflow2.pem, + tests/cert-tests/template-test, tests/cert-tests/template-test.pem, + tests/cert-tests/template-utf8.pem: tests: verify that we generate + dates with UTCTime prior to 2050 Also that we generate dates with GeneralizedTime format after 2050. + +2016-02-19 Nikos Mavrogiannopoulos + + * lib/nettle/cipher.c: Prevent the encryption or decryption of more + than 2^32 bytes with nettle2 That is because of nettle2 API limitations. Unlike the hash + functions there is no real need for a wrapper as encrypting or + decrypting that amount of data is unlikely. 
+ +2016-02-13 Nikos Mavrogiannopoulos + + * tests/dsa/testdsa, tests/scripts/common.sh: tests: backported + testdsa to prevent random failures in test suite + +2016-02-13 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-02-13 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/hmac-padlock.c, + lib/accelerated/x86/hmac-x86-ssse3.c, + lib/accelerated/x86/sha-padlock.c, + lib/accelerated/x86/sha-padlock.h, + lib/accelerated/x86/sha-x86-ssse3.c, lib/accelerated/x86/sha-x86.h, + lib/accelerated/x86/x86-common.h, lib/nettle/gnettle.h, + lib/nettle/mac.c: nettle: use the correct type for hash and MAC + functions In addition allow for hashing of more than UINT_MAX data bytes with + nettle 2.x in 64-bit systems. + +2016-02-12 Nikos Mavrogiannopoulos + + * tests/slow/Makefile.am, tests/slow/hash-large.c, + tests/slow/test-hash-large: tests: check whether large buffer hashes + and MAC work as expected + +2016-02-10 Nikos Mavrogiannopoulos + + * tests/set_pkcs12_cred.c: tests: set_pkcs12_cred: existing tests + are disabled when in FIPS140-2 mode The tests require access to the RC4 cipher which is not available. + +2016-02-03 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2016-01-31 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-01-30 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-date.pem, + tests/cert-tests/template-dn.pem, tests/cert-tests/template-nc.pem, + tests/cert-tests/template-overflow.pem, + tests/cert-tests/template-overflow2.pem, + tests/cert-tests/template-test.pem: Revert "tests: updated to + account for cert generation after + c1405c6e08ef55421108bd4395588368f4122dda fix" This reverts commit 09dcbe564a85c021ebcbf7a3f28075d19c399ce4. + +2016-01-30 Nikos Mavrogiannopoulos + + * lib/x509/x509_ext.c: Revert "Fix out-of-bounds read in + gnutls_x509_ext_export_key_usage" This was a false negative and not a real out-of-bounds read. This + reverts commit c1405c6e08ef55421108bd4395588368f4122dda. 
+ +2016-01-21 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: Added build with ARCFOUR + +2016-01-21 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, lib/gnutls_priority.c, tests/priorities.c: + Added configure flag --with-arcfour128 This flag will re-enable ARCFOUR in the priority strings by default. + +2016-01-20 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-01-20 Nikos Mavrogiannopoulos + + * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c, + tests/record-sizes.c: Revert "Revert "tests: updated to account for + ARCFOUR being disabled"" This reverts commit a2f907d0d4e52eb4dd24cc1f5d7d892b21abfd83. + +2016-01-20 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: Revert "Revert "ARCFOUR is disabled from + the default priority strings"" This reverts commit b3b5db319d4246e4735017cc423b92175f713a89. + +2016-01-13 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c: gnutls_pubkey_import_x509_raw: fixed memory + leak + +2016-01-11 Nikos Mavrogiannopoulos + + * lib/x509/output.c: x509: place newline when printing unsupported + othernames + +2016-01-10 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-01-10 Nikos Mavrogiannopoulos + + * lib/ext/alpn.c: alpn: when parsing the list of protocols return at + the first mutually common That resolves an issue where the server wouldn't select the first + mutually supported. 
Resolves #63 + +2016-01-10 Nikos Mavrogiannopoulos + + * tests/mini-alpn.c: tests: mini-alpn: corrected protocol selection + order + +2016-01-10 Nikos Mavrogiannopoulos + + * tests/mini-alpn.c: tests: alpn: enhance the testing of ALPN + negotiation + +2016-01-09 Nikos Mavrogiannopoulos + + * lib/ext/alpn.c: alpn: document how the selected protocol is + selected [ci skip] + +2016-01-09 Nikos Mavrogiannopoulos + + * tests/mini-alpn.c: tests: verify that the selected ALPN protocol + is the first advertised + +2016-01-08 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.20 + +2016-01-08 Nikos Mavrogiannopoulos + + * NEWS: reverted ARCFOUR removal change + +2016-01-08 Nikos Mavrogiannopoulos + + * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c, + tests/record-sizes.c: Revert "tests: updated to account for ARCFOUR + being disabled" This reverts commit 45926d9561b2e888c505524663b7c7ad87c263bc. + +2016-01-08 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: Revert "ARCFOUR is disabled from the + default priority strings" This reverts commit 76be7bda79d6785eeab3ef8e96db026ad7aac9c3. 
+ +2016-01-07 Nikos Mavrogiannopoulos + + * configure.ac: configure: no longer distribute lzip tarballs + +2015-11-25 Nikos Mavrogiannopoulos + + * src/libopts/text_mmap.c: libopts: use the O_BINARY flag in windows + for files + +2015-11-25 Nikos Mavrogiannopoulos + + * src/libopts/COPYING.gplv3, src/libopts/COPYING.lgplv3, + src/libopts/COPYING.mbsd, src/libopts/Makefile.am, + src/libopts/README, src/libopts/ag-char-map.h, src/libopts/alias.c, + src/libopts/ao-strs.c, src/libopts/ao-strs.h, + src/libopts/autoopts.c, src/libopts/autoopts.h, + src/libopts/autoopts/options.h, src/libopts/autoopts/project.h, + src/libopts/autoopts/usage-txt.h, src/libopts/boolean.c, + src/libopts/check.c, src/libopts/compat/compat.h, + src/libopts/compat/pathfind.c, src/libopts/compat/windows-config.h, + src/libopts/configfile.c, src/libopts/cook.c, src/libopts/enum.c, + src/libopts/env.c, src/libopts/file.c, src/libopts/find.c, + src/libopts/genshell.c, src/libopts/genshell.h, + src/libopts/gettext.h, src/libopts/init.c, src/libopts/intprops.h, + src/libopts/libopts.c, src/libopts/load.c, + src/libopts/m4/libopts.m4, src/libopts/m4/liboptschk.m4, + src/libopts/m4/stdnoreturn.m4, src/libopts/makeshell.c, + src/libopts/nested.c, src/libopts/numeric.c, + src/libopts/option-value-type.c, + src/libopts/option-xat-attribute.c, src/libopts/parse-duration.c, + src/libopts/parse-duration.h, src/libopts/pgusage.c, + src/libopts/proto.h, src/libopts/putshell.c, src/libopts/reset.c, + src/libopts/restore.c, src/libopts/save.c, src/libopts/sort.c, + src/libopts/stack.c, src/libopts/stdnoreturn.in.h, + src/libopts/streqvcmp.c, src/libopts/text_mmap.c, + src/libopts/time.c, src/libopts/tokenize.c, src/libopts/usage.c, + src/libopts/version.c: libopts: updated to 5.18.6 + +2016-01-07 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2016-01-07 Nikos Mavrogiannopoulos + + * Makefile.am, symbols.last: symbols.last: don't include internal + symbols into exported list + 
+2016-01-07 Nikos Mavrogiannopoulos + + * NEWS: NEWS: doc update + +2016-01-05 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-date.pem, + tests/cert-tests/template-dn.pem, tests/cert-tests/template-nc.pem, + tests/cert-tests/template-overflow.pem, + tests/cert-tests/template-overflow2.pem, + tests/cert-tests/template-test.pem: tests: updated to account for + cert generation after c1405c6e08ef55421108bd4395588368f4122dda fix + +2016-01-05 Nikos Mavrogiannopoulos + + * tests/Makefile.am: tests: Makefile.am: removed invalid program ld + flags + +2016-01-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-01-04 Tim Kosse + + * lib/x509/x509_ext.c: Fix out-of-bounds read in + gnutls_x509_ext_export_key_usage + +2016-01-01 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: optimized build process That is, in slow asan and valgrind builds don't check the full test + suite. + +2015-12-31 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: fixes to store the imported URL This ammends 603d0db776537c19bdfd907e0fc77c7321874bf0 with changes + for the 3.3.x branch. + +2015-12-31 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2015-12-31 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-12-31 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: import public keys from any + available object That is, load public keys from the public key object, or the + certificate object if they are present. That affects non-RSA public + keys which do not contain all required fields on the private key + object. + +2015-12-31 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected + the writing of ECC private key + +2015-12-31 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected + the type of the written object Previously only RSA objects were correctly written. 
+ +2015-12-24 Nikos Mavrogiannopoulos + + * NEWS: NEWS: doc update [ci skip] + +2015-12-23 Nikos Mavrogiannopoulos + + * lib/ext/max_record.c: max_record: don't consider this extension on + DTLS That is because it doesn't work as expected, and does not fragment + handshake messages. Relates with #61 + +2015-12-20 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-04-28 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c, tests/name-constraints.c: Handle DNS + name constraints with leading dot Patch by Fotis Loukos. Resolves 3 
Signed-off-by: Nikos Mavrogiannopoulos + +2015-12-15 Nikos Mavrogiannopoulos + + * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c, + tests/record-sizes.c: tests: updated to account for ARCFOUR being + disabled + +2015-12-15 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-12-15 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: ARCFOUR is disabled from the default + priority strings ARCFOUR is a cipher known to be broken theoretically and + practically. Configurations that depend on that cipher being on + should explicitly enable it. Resolves #23 + +2015-12-08 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: Do not allow importing public keys from PKCS + #11 private keys for DSA and ECDSA This prevents the reading of the public key when non-RSA keys are + available. This is a much cleaner approach than + 5a4e692511dc3a829eda0d7c5a87e56cbc2055f0. + +2015-12-08 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h, + lib/pkcs11_privkey.c: Revert "Do not allow importing public keys + from PKCS #11 private keys for DSA and ECDSA" This reverts commit 0e79aabab519a6b568cf8c31b38523cce7416bd8. + +2015-12-06 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-12-06 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h, + lib/pkcs11_privkey.c: Do not allow importing public keys from PKCS + #11 private keys for DSA and ECDSA That is, because they do not contain all the required parameters for + a direct import. Reported by Jan Vcelak. 
+ +2015-12-06 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: avoid setting a variable which isn't + used + +2015-12-06 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: pkcs11: + deinitialize gnutls_pkcs11_obj_t's pubkey on deinit + +2015-12-06 Jan Vcelak + + * lib/pkcs11_privkey.c: pkcs11: fix passing of incorrect variable in + privkey_get_pubkey The code worked for RSA because the content of the variables + matched. But it doesn't match for ECC. CKM_RSA_PKCS_KEY_PAIR_GEN (0x0) == CKK_RSA (0x0) + CKM_ECDSA_KEY_PAIR_GEN (0x1040) != CKK_ECDSA (0x3) 
Signed-off-by: Jan Vcelak + +2015-11-30 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: allow specifying NULL buffer in + gnutls_x509_crt_get_*_unique_id() + +2015-11-22 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.19 + +2015-11-21 Nikos Mavrogiannopoulos + + * symbols.last: updated auto-generated files + +2015-11-21 Nikos Mavrogiannopoulos + + * doc/scripts/getfuncs.pl: getfuncs.pl: don't consider functions + with _gnutls prefix + +2015-11-21 Nikos Mavrogiannopoulos + + * lib/gnutls_global.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: gnutls_global_init_skip: prefixed with an + underscore + +2015-11-21 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2015-11-19 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-11-16 Nikos Mavrogiannopoulos + + * tests/global-init-override.c, tests/global-init.c: tests: + corrected copyright info + +2015-11-16 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/global-init-override.c: tests: added + check for overriding global initialization + +2015-11-16 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: documented GNUTLS_SKIP_GLOBAL_INIT macro + +2015-11-16 Nikos Mavrogiannopoulos + + * lib/gnutls_global.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: Added GNUTLS_SKIP_GLOBAL_INIT macro to allow + programs skip implicit global initialization + +2015-11-16 Nikos Mavrogiannopoulos + + * tests/utils.c, tests/utils.h: utils: backported sec_sleep() + +2015-11-16 Nikos Mavrogiannopoulos + + * tests/mini-handshake-timeout.c: tests: backported + mini-handshake-timeout + +2015-11-16 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: added build and check in FIPS140-2 + mode + +2015-11-16 Nikos Mavrogiannopoulos + + * tests/mini-dtls-record.c, tests/resume-dtls.c: tests: backported + mini-dtls-record.c and resume-dtls.c + +2015-11-16 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: remove the minimal library from + targets + +2015-11-15 Nikos 
Mavrogiannopoulos + + * lib/x509/x509_write.c: disable_optional_stuff: don't disable + unique IDs if set There are sideways set these values even if they are not in the + public API, and we shouldn't disable them unconditionally. + +2015-11-15 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: Added CI build rules + +2015-11-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-11-09 Nikos Mavrogiannopoulos + + * lib/algorithms/ciphersuites.c, tests/mini-record.c: Require TLS + 1.2 for all the ciphersuites which are defined for it only This solves an interoperability issue with openssl. Reported by + Viktor Dukhovni. + +2015-11-11 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-11-11 Nikos Mavrogiannopoulos + + * lib/auth/dhe.c, lib/auth/ecdhe.c: Allow switching a ciphersuite to + DHE and ECDHE on a rehandshake + +2015-11-08 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-11-03 Nikos Mavrogiannopoulos + + * lib/gnutls.pc.in: gnutls.pc: don't use the libtool version of the + link options Reported by Dan Kegel. Resolves #49 + +2015-10-23 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-10-15 Nikos Mavrogiannopoulos + + * lib/algorithms/ciphers.c, lib/gnutls_cipher_int.c, + lib/gnutls_priority.c: Disable the NULL cipher on runtime when + FIPS140 mode is enabled instead of statically That way the NULL cipher can be used when not in FIPS140 mode. + +2015-10-15 Nikos Mavrogiannopoulos + + * lib/algorithms.h, lib/algorithms/ciphers.c, lib/algorithms/kx.c, + lib/gnutls_int.h, lib/gnutls_priority.c: backport: Tolerate priority + strings with names of legacy ciphers and key exchanges That enables better backwards compatibility with old applications + which disable or enable algorithms which no longer are supported. 
+ Relates #44 + +2015-10-15 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-10-15 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: pkcs11: write CKA_ISSUER and CKA_SERIAL_NUMBER + when writing on a certificate That allows NSS to read and use the written certificate. Resolves + #43 + +2015-10-12 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-10-12 Lennert Buytenhek + + * lib/nettle/pk.c: Fix memory leak in wrap_nettle_hash_algorithm(). wrap_nettle_hash_algorithm() leaks an mpz_t if it is called with pk + == GNUTLS_PK_RSA and sig == NULL, in which case it will return + without going through the regular exit path that clears the mpz_t it + allocated at the beginning of the function. Use the regular exit + path instead to fix this. This leak can be triggered via calls to + gnutls_pubkey_get_preferred_hash_algorithm(). 
Signed-off-by: Lennert Buytenhek + +2015-09-14 Nikos Mavrogiannopoulos + + * lib/gnutls_str.c: _gnutls_hex2bin: avoid overrun in the provided + buffer + +2015-09-12 Nikos Mavrogiannopoulos + + * doc/manpages/tpmtool.1: tpmtool.1: updated + +2015-09-12 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2015-09-11 Nikos Mavrogiannopoulos + + * lib/x509/output.c: Don't use formatted output for fixed strings Resolves #35 + +2015-08-21 Nikos Mavrogiannopoulos + + * lib/gnutls_session_pack.c: session packing: corrected issue in PSK + session unpack + +2015-08-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-08-21 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c, lib/x509/verify-high2.c: x509: when + appending CRLs to a trust list ensure that we don't have duplicates That is, overwrite CRLs if they have been obsoleted. + +2015-08-21 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: allow exporting very long CRLs + +2015-08-19 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-08-12 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, tests/cert-tests/crl: tests: check + whether the CRL generation code works as expected + +2015-08-12 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: removed limit on maximum imported + certificates in the -i option + +2015-08-12 Nikos Mavrogiannopoulos + + * src/certtool-common.c, src/certtool.c: certtool: eliminated memory + leaks due to new cert loading code + +2015-08-12 Nikos Mavrogiannopoulos + + * src/certtool-common.c, src/certtool-common.h: certtool: lifted + limits on file size to load + +2015-08-10 Nikos Mavrogiannopoulos + + * Makefile.am: before dist ensure that included libopts matches + autogen + +2015-08-09 Nikos Mavrogiannopoulos + + * tests/suite/mini-eagain2.c: tests: backported fix in mini-eagain2 + +2015-08-09 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: pkcs11: increase attributes size in + gnutls_pkcs11_copy_x509_privkey + +2015-08-09 Nikos 
Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2015-08-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-08-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-08-03 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11: set + the CKA_TOKEN attribute on generated public keys That also introduces the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY + flag, to simulate the previous behavior. + +2015-07-31 Nikos Mavrogiannopoulos + + * lib/ext/safe_renegotiation.c: safe renegotiation: simulate + receiving the extension on receival of SCSV + +2015-07-31 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-07-31 Nikos Mavrogiannopoulos + + * lib/ext/safe_renegotiation.c: safe renegotiation: handle case + where client didn't send any extension That was affected by the "don't try to send extensions we didn't + receive". + +2015-07-31 Nikos Mavrogiannopoulos + + * lib/gnutls_extensions.c, lib/gnutls_handshake.c, lib/gnutls_int.h: + As server don't try to send extensions we didn't receive. + +2015-07-20 Nikos Mavrogiannopoulos + + * lib/x509/common.c: Reset the output value on error in + _gnutls_x509_dn_to_string() Reported by Kurt Roeckx. + +2015-07-20 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c: gnutls_prf: document that this is not + identical to RFC5705 + +2015-07-20 Nikos Mavrogiannopoulos + + * src/p11tool-args.def: p11tool: fix documentation for + --generate-ecc and generate-dsa + +2015-07-12 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2015-07-10 Nikos Mavrogiannopoulos + + * lib/ext/dumbfw.c: corrected function name + +2015-07-10 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-07-10 Nikos Mavrogiannopoulos + + * lib/auth/dhe_psk.c: PSK: set the hint in DHE-PSK and ECDHE-PSK + ciphersuites + +2015-07-09 Nikos Mavrogiannopoulos + + * lib/ext/dumbfw.c: dumbfw: don't append a size prefix in the pad Reported by Hannes Mehnert. 
+ +2015-07-02 Daniel Kahn Gillmor + + * src/certtool.c: certtool --outder should not emit signature + verification status When emitting binary-formatted output, send signature verification + status to stderr, since it is not binary-formatted output. A simpler version of this patch would be to always send signature + verification to stderr, but that would change the text-formatted + output. + +2015-07-01 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-07-01 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c: DSA: the numeric number of bits returned from + public key should depend on P not Y That allows to do the proper evaluation to check certificate + strength. Reported by Hubert Kario. + +2015-07-01 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-07-01 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c: name constraints: don't reject + certificates if a CA has the URI or IPADDRESS constraints Don't reject certificates if a CA has the URI or IPADDRESS + constraints, and the end certificate doesn't have an IPaddress name + or a URI set. + +2015-06-26 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: enhanced header matching code for private keys + to skip unrelated data + +2015-06-25 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-06-25 Nikos Mavrogiannopoulos + + * tests/suite/Makefile.am, tests/suite/ciphersuite/scan-gnutls.sh, + tests/suite/ciphersuite/test-ciphers.js, + tests/suite/ciphersuite/test-ciphersuites.sh, + tests/suite/test-ciphersuite-names: tests: backported + test-ciphersuite-names from master + +2015-06-25 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: gnutls_x509_privkey_import2: better behavior + when provided with an unencrypted file That is, it will attempt to decode it first as plain file prior to + trying all encrypted options. 
+ +2015-06-25 Nikos Mavrogiannopoulos + + * lib/x509/key_decode.c, lib/x509/mpi.c: _gnutls_get_asn_mpis() will + release any data on failure Resolves #15 + +2015-06-11 Nikos Mavrogiannopoulos + + * tests/suite/testcompat-main: tests: backported test-compat-main + from master + +2015-06-10 Nikos Mavrogiannopoulos + + * lib/nettle/cipher.c: Corrected camellia256 set key in nettle3 + compat mode + +2015-06-04 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes.c: drbg-aes: include gnutls_errors.h + +2015-06-03 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes-self-test.c: fips140: added check for + reseed detection + +2015-06-03 Nikos Mavrogiannopoulos + + * tests/rng-fork.c: tests: check random generator for long outputs + as well + +2015-06-03 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes.c: fips140: reset the reseed counter only + on reseed + +2015-06-03 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes-self-test.c: fips140: added more checks on + the reseed and generate function + +2015-06-03 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes.c, lib/nettle/int/drbg-aes.h: fips140: + enforce the max_number_of_bits_per_request + +2015-05-26 Nikos Mavrogiannopoulos + + * lib/x509/ocsp_output.c: Check the OID size for match when + comparing for the OCSP nonce extension Reported by Hanno Böck. + +2015-05-23 Armin Burgmeier + + * lib/gnutls_ui.c: gnutls_dh_get_prime_bits: return 0 if DH is not + used Before, the number of bits of a zero-length number was attempted to + be extracted, resulting in an error. The changed behaviour is + consistent with the documentation which explicitly states that 0 + should be returned if no DH key exchange was performed. 
+ +2015-05-22 Nikos Mavrogiannopoulos + + * lib/gnutls_ui.c: gnutls_dh_get_group: mention that the values may + include a leading zero + +2015-05-21 Nikos Mavrogiannopoulos + + * lib/gnutls_ui.c: gnutls_dh_set_prime_bits: warn when overriding + the DH max prime size with 1007 bits or less + +2015-05-14 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-05-13 Nikos Mavrogiannopoulos + + * configure.ac, lib/accelerated/x86/aes-gcm-padlock.c, + lib/accelerated/x86/aes-gcm-x86-aesni.c, + lib/accelerated/x86/aes-gcm-x86-ssse3.c, + lib/accelerated/x86/aes-padlock.c, + lib/accelerated/x86/sha-padlock.c, + lib/accelerated/x86/sha-x86-ssse3.c, lib/nettle/Makefile.am, + lib/nettle/cipher.c, lib/nettle/int/dsa-fips.h, + lib/nettle/int/dsa-keygen-fips186.c, lib/nettle/int/dsa-validate.c, + lib/nettle/pk.c, m4/hooks.m4, tests/dsa/testdsa: Allow using nettle3 + with gnutls3.3 + +2015-05-06 Nikos Mavrogiannopoulos + + * tests/sign-md5-rep.c: tests: updated sign-md5-rep to reduce false + failures + +2015-05-05 Nikos Mavrogiannopoulos + + * tests/mini-loss-time.c: tests: eliminate mem leaks in + mini-loss-time + +2015-05-05 Nikos Mavrogiannopoulos + + * tests/mini-loss-time.c: tests: backported mini-loss-time from + master + +2015-04-28 Jan Vcelak + + * lib/nettle/pk.c: fix memory leak in ECDSA key parameters + verification 
Signed-off-by: Jan Vcelak + +2015-05-03 Nikos Mavrogiannopoulos + + * NEWS: updated NEWS + +2015-05-03 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: released 3.3.15 + +2015-04-30 Nikos Mavrogiannopoulos + + * lib/gnutls_dtls.c: doc: updated gnutls_dtls_set_timeouts + +2015-04-30 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c: gnutls_handshake_set_timeout will properly + work with DTLS + +2015-04-30 Nikos Mavrogiannopoulos + + * doc/examples/ex-client-dtls.c: doc: fixed example with DTLS + timeouts + +2015-04-28 Nikos Mavrogiannopoulos + + * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h: updated + minitasn1 + +2015-04-25 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-04-25 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/sign-md5-rep.c: tests: added reproducer + for the MD5 acceptance issue Reported by Karthikeyan Bhargavan. + + http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.htmlConflicts: tests/Makefile.am + +2015-04-25 Nikos Mavrogiannopoulos + + * lib/ext/signature.c: before falling back to SHA1 as signature + algorithm in TLS 1.2 check if it is enabled + +2015-04-25 Nikos Mavrogiannopoulos + + * lib/ext/signature.c: _gnutls_session_sign_algo_enabled: do not + consider any values from the extension data to decide acceptable + algorithms + +2015-04-25 Nikos Mavrogiannopoulos + + * lib/auth/cert.c: set the value used by + gnutls_certificate_client_get_request_status prior to selecting + certificate That allows gnutls_certificate_client_get_request_status() to be + properly operating from the callback. Reported by Anton Lavrentiev. 
+ +2015-04-22 Nikos Mavrogiannopoulos + + * lib/gnutls_cert.c: fixed doc: reported by Anton Lavrentiev + +2015-04-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-04-20 Nikos Mavrogiannopoulos + + * lib/gnutls_ui.c: gnutls_certificate_get_ours: will return the + certificate even if a callback was used This corrects a bug where this function would not work, when + gnutls_certificate_set_retrieve_function2() was used. + +2015-04-20 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: ensure that the X.509 version number is one byte + only + +2015-04-20 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: Check for invalid length in the X.509 version + field If such an invalid length is detected, reject the certificate. + Reported by Hanno Böck. + +2015-03-30 Nikos Mavrogiannopoulos + + * tests/mini-loss-time.c: tests: mini-loss-time: ignore sigpipe + +2015-03-30 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.14 + +2015-03-30 Nikos Mavrogiannopoulos + + * tests/suite/testcompat-main: tests: change the default port in + testcompat to avoid clash with testsrn + +2015-03-30 Nikos Mavrogiannopoulos + + * doc/texinfo.css: doc: increase border spacing in HTML tables + +2015-03-29 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2015-03-29 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-03-28 Nikos Mavrogiannopoulos + + * lib/gnutls_int.h: do not penalize CBC ciphers with the maximum + send data size That reduced the maximum send size for CBC ciphers from 16384 to + 16384-(block size), which was unnecessary and was causing issues: + https://bugs.winehq.org/show_bug.cgi?id=37500 + +2015-03-29 Nikos Mavrogiannopoulos + + * lib/algorithms/ciphersuites.c, + tests/suite/ciphersuite/scan-gnutls.sh: made ciphersuites.c more + self-contained to be handled by test-ciphersuites.sh + +2015-03-28 Nikos Mavrogiannopoulos + + * lib/x509/x509_ext.c: Better fix for the double free in dist point + parsing + +2015-03-28 Nikos Mavrogiannopoulos + + * 
lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h: updated + libtasn1 + +2015-03-28 Nikos Mavrogiannopoulos + + * lib/gnutls_datum.c, lib/gnutls_datum.h, lib/x509/gnutls-idna.c, + lib/x509/x509_ext.c: gnutls_subject_alt_names_set and + gnutls_x509_aki_set_cert_issuer will set null-terminated strings + +2015-03-23 Nikos Mavrogiannopoulos + + * lib/x509/x509_ext.c: eliminated double-free in the parsing of dist + points Reported by Robert Święcki. + +2015-03-27 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-03-27 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: increased + the size of ck_attributes + +2015-03-27 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: check gnutls_rnd() for error + condition + +2015-03-27 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: set a + CKA_ID on key generation + +2015-03-26 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: pkcs11: set the CKA_SIGN and CKA_DECRYPT flags + when writing a private key + +2015-03-26 Nikos Mavrogiannopoulos + + * lib/ext/server_name.c: When an application calls + gnutls_server_name_set() with a name of zero size disable the + extension Resolves #2 + +2015-03-25 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-03-25 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c: name constraints: when no name of the + type is found, accept the certificate This follows RFC5280 advice closely. Reported by Fotis Loukos. + +2015-03-20 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c: avoid overflow when receiving DTLS 0.9 CCS + +2015-03-13 Nikos Mavrogiannopoulos + + * lib/gnutls_supplemental.c: Fixed handling of supplemental data + with types > 255. Patch by Thierry Quemerais. 
+ +2015-03-13 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: doc update + +2015-03-13 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: gnutls_priority_init: document that + priorities can be NULL + +2015-03-13 Nikos Mavrogiannopoulos + + * lib/crypto-selftests.c: corrected self test for 3DES + +2015-03-11 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: only set ID and label when both size and + data are set + +2015-03-05 Nikos Mavrogiannopoulos + + * configure.ac: configure: check for /usr/share/dns/root.key as well + for dns root key + +2015-03-09 Nikos Mavrogiannopoulos + + * m4/hooks.m4: corrected macro which checks libtasn1 for + asn1_decode_simple_ber + +2015-03-09 Nikos Mavrogiannopoulos + + * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h, + lib/minitasn1/parser_aux.c: minitasn1: updated to libtasn1 4.3 + +2015-03-09 Nikos Mavrogiannopoulos + + * doc/cha-internals.texi: rearranged internal documentation + +2015-03-09 Nikos Mavrogiannopoulos + + * src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def, + src/socket.c: tools: added ftp as a starttls protocol + +2015-03-09 Nikos Mavrogiannopoulos + + * src/cli-args.def: gnutls-cli: starttls and starttls-proto can't + mix + +2015-03-07 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: expand on SECURE256 being an alias to + SECURE192 + +2015-03-06 Nikos Mavrogiannopoulos + + * src/tests.c: gnutls-cli-debug: corrected check of certificate + chain order + +2015-03-06 Nikos Mavrogiannopoulos + + * tests/x509cert.c: tests: added small test to verify that + GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED succeeds with a single cert + +2015-03-06 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/tests.c: gnutls-cli-debug: disable + unsupported TLS protocols as soon + +2015-03-06 Nikos Mavrogiannopoulos + + * src/socket.c: cli sockets: check for a digit prior using atoi + +2015-03-06 Nikos Mavrogiannopoulos + + * src/tests.c: gnutls-cli-debug: a cert list of size 1 is always + sorted + +2015-03-06 
Nikos Mavrogiannopoulos + + * src/socket.c: gnutls-cli-debug: do not warn multiple times about + unknown protocols + +2015-03-06 Nikos Mavrogiannopoulos + + * doc/cha-support.texi: updated documentation on FIPS140-2 + +2015-03-05 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, + tests/cert-tests/template-basic.pem, + tests/cert-tests/template-basic.tmpl, + tests/cert-tests/template-test: Revert "tests: template-test: added + a baseline check to detect slow systems" This reverts commit 2ee2a78178a842c9b0ef2ca3e12909ca3bb9fe79. + +2015-03-05 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-test: tests: don't perform the overflow + check in 32-bit systems + +2015-03-05 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-date.pem, + tests/cert-tests/template-date.tmpl: tests: date parsing test was + modified to work in 32-bit systems + +2015-03-05 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, + tests/cert-tests/template-basic.pem, + tests/cert-tests/template-basic.tmpl, + tests/cert-tests/template-test: tests: template-test: added a + baseline check to detect slow systems + +2015-03-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-12 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: testpkcs11: do not ignore the failure to + write a trusted CA + +2015-01-05 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: testpkcs11: detect softhsm2 + +2015-03-04 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c, lib/tpm.c, lib/x509/common.c, + lib/x509/common.h, lib/x509/dn.c, lib/x509/ocsp.c, + lib/x509/pkcs12.c, lib/x509/pkcs12_bag.c, lib/x509/x509_ext.c, + m4/hooks.m4: use asn1_decode_simple_ber if available + +2015-02-27 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/abstract.h: list + gnutls_pubkey_get_verify_algorithm as deprected + +2015-02-26 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c: corrected typo in gnutls_handshake(), + spotted by Andris Mednis + +2015-02-25 Nikos Mavrogiannopoulos + + * NEWS, 
configure.ac, m4/hooks.m4: released 3.3.13 + +2015-02-20 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, tests/cert-tests/invalid-sig, + tests/cert-tests/invalid-sig2.pem, + tests/cert-tests/invalid-sig3.pem: tests: added checks for invalid + X.509 certificate signatures + +2015-02-24 Nikos Mavrogiannopoulos + + * lib/gnutls_session.c: doc update: document that session_get_data() + must be used in non-resumed sessions + +2015-02-21 Nikos Mavrogiannopoulos + + * tests/suite/testcompat-main: tests: testcompat: disable tests with + NULL ciphersuites; debian doesn't support them + +2015-02-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-02-21 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: fixed handling of GNUTLS_E_INT_CHECK_AGAIN + +2015-02-21 Nikos Mavrogiannopoulos + + * tests/mini-overhead.c, tests/mini-record.c: tests: require DTLS + 1.2 when using GCM + +2015-02-21 Nikos Mavrogiannopoulos + + * lib/algorithms/ciphersuites.c: corrected check which prevented + client to sent an unacceptable for the version ciphersuite + +2015-02-20 Nikos Mavrogiannopoulos + + * lib/gnutls_record.c: fixed sequence number copy + +2015-02-17 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-02-17 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: when importing a certificate ensure that the + signature parameters match + +2015-02-14 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-02-14 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: Allow AESNI GCM accelaration in + x86 + +2015-02-04 Nikos Mavrogiannopoulos + + * src/cli.c: handle differently OCSP responses that are revoked and + of unknown status + +2015-02-01 Nikos Mavrogiannopoulos + + * src/common.c: compilation fix with return on void function; + reported by David Marx + +2015-01-29 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c: doc update + +2015-01-29 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: set the appropriate direction when + _gnutls_io_write_flush() is called + 
+2015-01-28 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: documented using a session with fork or + multiple threads + +2015-01-25 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: print errno in a more uniform way + +2015-01-19 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: on certificate import check whether the two + signature algorithms match + +2015-01-25 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: simplified _gnutls_writev() by requiring the + total length + +2015-01-19 Nikos Mavrogiannopoulos + + * src/cli.c, src/ocsptool-common.c, src/ocsptool-common.h: don't be + so verbose about the OCSP nonce; it is universally unsupported + +2015-01-17 Tim Ruehsen + + * src/cli.c, src/ocsptool-common.c: OCSP check the whole cert chain 
Signed-off-by: Nikos Mavrogiannopoulos + +2015-01-17 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.12 + +2015-01-16 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-16 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped versions + +2015-01-16 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-16 Nikos Mavrogiannopoulos + + * libdane/errors.c: corrected typos Reported by Guido Kroon. + +2015-01-16 Nikos Mavrogiannopoulos + + * lib/algorithms/protocols.c, lib/gnutls_int.h: Added the notion of + obsolete versions That prevents using these versions as record version numbers, unless + they are the only protocol supported. This avoids the issues with + servers that have banned SSL 3.0 record versions. + +2015-01-16 Nikos Mavrogiannopoulos + + * src/ocsptool-common.c: ocsptool: follow the documented process for + gnutls_x509_crt_get_authority_info_access + +2015-01-16 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: gnutls_x509_crt_get_authority_info_access: doc + update + +2015-01-15 Nikos Mavrogiannopoulos + + * src/ocsptool-common.c: ocsptool-common: iterate through all AIA + items prior to decidig the OCSP server + +2015-01-13 Nikos Mavrogiannopoulos + + * src/cli-args.def: simplified text for inline-commands-prefix + +2015-01-12 Nikos Mavrogiannopoulos + + * NEWS: doc update: added urls of savannah reports + +2015-01-12 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-12 Nikos Mavrogiannopoulos + + * src/cli-args.def, src/cli.c, src/socket.c: gnutls-cli: added + --starttls-proto option + +2015-01-12 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: cleanup the name of types Conflicts: lib/pkcs11.c + +2015-01-12 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: when importing a public key, import it's + data as well (version 2 fix) + +2015-01-12 Nikos Mavrogiannopoulos + + * lib/x509/verify.c: doc update + +2015-01-11 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: when importing a public key, import it's + data as well + 
+2015-01-11 Nikos Mavrogiannopoulos + + * lib/gnutls_cert.c: doc update + +2015-01-10 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-10 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c: When setting up TLS with cert-type OpenPGP + from a client, the server verifies if it supports the extension’s + contents in _gnutls_session_cert_type_supported(). This function + checks for cred->get_cert_callback but not cred->get_cert_callback2. + As a result, servers setup for OpenPGP certificate credential + callback with gnutls_certificate_set_retrieve_function2() are unable + to use the OpenPGP certificate type. The solution is to consider cred->get_cert_callback2 alongside + cred->get_cert_callback in _gnutls_session_cert_type_supported(). Patch by Rick van Rein. + +2015-01-10 Nikos Mavrogiannopoulos + + * lib/gnutls_privkey.c: gnutls_privkey_import_openpgp_raw: do not + release the cached value + +2015-01-08 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-08 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c, lib/gnutls_errors.h: When receiving a TLS + record with multiple handshake packets, parse them in one go That resolves: https://savannah.gnu.org/support/?108712 + +2015-01-08 Ludovic Courtès + + * NEWS, guile/modules/gnutls.in: guile: Call 'load-extension' both + during expansion and at run time. Fixes . * guile/modules/gnutls.in: Wrap '%libdir' definition and 'load-extension' call in 'eval-when'. * NEWS: Update. 
+ +2015-01-06 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-06 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: in DTLS don't combine multiple packets which + exceed MTU Resolves: https://savannah.gnu.org/support/?108715 + +2015-01-06 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: Added more precise check of push functions + availability + +2015-01-06 Nikos Mavrogiannopoulos + + * src/Makefile.am: danetool: only compile when dane is enabled + +2014-12-11 Nikos Mavrogiannopoulos + + * lib/crypto-backend.c: Allow a random generator with the same + priority to re-register That corrects an issue where the library is deinitialized, and + reinitialization wouldn't register the same rnd module. Reported by + Stanislav Zidek. + +2015-01-04 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c: certtool: modified check for READ_NUMERIC + +2015-01-04 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c: certtool: use 64-bit type for CRL serial + number + +2015-01-04 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c: certtool: check for overflows when reading + serial numbers + +2015-01-04 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c, src/certtool-cfg.h: certtool: use int64_t as + type for integers read + +2015-01-04 Nikos Mavrogiannopoulos + + * src/socket.c: gnutls-cli-debug: more precise handling of SMTP + protocol Patch by Andreas Metzler. 
+ +2015-01-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-04 Nikos Mavrogiannopoulos + + * gl/Makefile.am, gl/alloca.in.h, gl/asnprintf.c, gl/asprintf.c, + gl/base64.c, gl/base64.h, gl/byteswap.in.h, gl/c-ctype.c, + gl/c-ctype.h, gl/errno.in.h, gl/float+.h, gl/float.c, + gl/float.in.h, gl/fstat.c, gl/ftell.c, gl/ftello.c, gl/getdelim.c, + gl/getline.c, gl/gettext.h, gl/gettimeofday.c, gl/hash-pjw-bare.c, + gl/hash-pjw-bare.h, gl/intprops.h, gl/itold.c, gl/lseek.c, + gl/m4/00gnulib.m4, gl/m4/absolute-header.m4, gl/m4/alloca.m4, + gl/m4/base64.m4, gl/m4/byteswap.m4, gl/m4/codeset.m4, + gl/m4/errno_h.m4, gl/m4/exponentd.m4, gl/m4/extensions.m4, + gl/m4/extern-inline.m4, gl/m4/fcntl-o.m4, gl/m4/fcntl_h.m4, + gl/m4/fdopen.m4, gl/m4/float_h.m4, gl/m4/fpieee.m4, + gl/m4/fseeko.m4, gl/m4/fstat.m4, gl/m4/ftell.m4, gl/m4/ftello.m4, + gl/m4/func.m4, gl/m4/getdelim.m4, gl/m4/getline.m4, + gl/m4/getpagesize.m4, gl/m4/gettext.m4, gl/m4/gettimeofday.m4, + gl/m4/glibc2.m4, gl/m4/glibc21.m4, gl/m4/gnulib-cache.m4, + gl/m4/gnulib-common.m4, gl/m4/gnulib-comp.m4, gl/m4/gnulib-tool.m4, + gl/m4/iconv.m4, gl/m4/include_next.m4, gl/m4/intdiv0.m4, + gl/m4/intl.m4, gl/m4/intldir.m4, gl/m4/intlmacosx.m4, + gl/m4/intmax.m4, gl/m4/intmax_t.m4, gl/m4/inttypes-pri.m4, + gl/m4/inttypes.m4, gl/m4/inttypes_h.m4, gl/m4/largefile.m4, + gl/m4/lcmessage.m4, gl/m4/ld-output-def.m4, + gl/m4/ld-version-script.m4, gl/m4/lib-ld.m4, gl/m4/lib-link.m4, + gl/m4/lib-prefix.m4, gl/m4/lock.m4, gl/m4/longlong.m4, + gl/m4/lseek.m4, gl/m4/malloc.m4, gl/m4/manywarnings.m4, + gl/m4/math_h.m4, gl/m4/memchr.m4, gl/m4/memmem.m4, gl/m4/minmax.m4, + gl/m4/mmap-anon.m4, gl/m4/msvc-inval.m4, gl/m4/msvc-nothrow.m4, + gl/m4/multiarch.m4, gl/m4/netdb_h.m4, gl/m4/netinet_in_h.m4, + gl/m4/nls.m4, gl/m4/off_t.m4, gl/m4/po.m4, gl/m4/printf-posix.m4, + gl/m4/printf.m4, gl/m4/progtest.m4, gl/m4/read-file.m4, + gl/m4/realloc.m4, gl/m4/size_max.m4, gl/m4/snprintf.m4, + gl/m4/socklen.m4, gl/m4/sockpfaf.m4, 
gl/m4/ssize_t.m4, + gl/m4/stdalign.m4, gl/m4/stdbool.m4, gl/m4/stddef_h.m4, + gl/m4/stdint.m4, gl/m4/stdint_h.m4, gl/m4/stdio_h.m4, + gl/m4/stdlib_h.m4, gl/m4/strcase.m4, gl/m4/string_h.m4, + gl/m4/strings_h.m4, gl/m4/strndup.m4, gl/m4/strnlen.m4, + gl/m4/strtok_r.m4, gl/m4/strverscmp.m4, gl/m4/sys_socket_h.m4, + gl/m4/sys_stat_h.m4, gl/m4/sys_time_h.m4, gl/m4/sys_types_h.m4, + gl/m4/sys_uio_h.m4, gl/m4/threadlib.m4, gl/m4/time_h.m4, + gl/m4/time_r.m4, gl/m4/uintmax_t.m4, gl/m4/ungetc.m4, + gl/m4/unistd_h.m4, gl/m4/valgrind-tests.m4, gl/m4/vasnprintf.m4, + gl/m4/vasprintf.m4, gl/m4/visibility.m4, gl/m4/vsnprintf.m4, + gl/m4/warn-on-use.m4, gl/m4/warnings.m4, gl/m4/wchar_h.m4, + gl/m4/wchar_t.m4, gl/m4/wint_t.m4, gl/m4/xsize.m4, gl/malloc.c, + gl/memchr.c, gl/memmem.c, gl/minmax.h, gl/msvc-inval.c, + gl/msvc-inval.h, gl/msvc-nothrow.c, gl/msvc-nothrow.h, + gl/netdb.in.h, gl/netinet_in.in.h, gl/printf-args.c, + gl/printf-args.h, gl/printf-parse.c, gl/printf-parse.h, + gl/read-file.c, gl/read-file.h, gl/realloc.c, gl/size_max.h, + gl/snprintf.c, gl/stdalign.in.h, gl/stdbool.in.h, gl/stddef.in.h, + gl/stdint.in.h, gl/stdio-impl.h, gl/stdio.in.h, gl/stdlib.in.h, + gl/str-two-way.h, gl/strcasecmp.c, gl/string.in.h, gl/strings.in.h, + gl/strncasecmp.c, gl/strndup.c, gl/strnlen.c, gl/strtok_r.c, + gl/strverscmp.c, gl/sys_socket.in.h, gl/sys_stat.in.h, + gl/sys_time.in.h, gl/sys_types.in.h, gl/sys_uio.in.h, + gl/tests/Makefile.am, gl/tests/binary-io.h, gl/tests/fcntl.in.h, + gl/tests/fdopen.c, gl/tests/fpucw.h, gl/tests/getpagesize.c, + gl/tests/init.sh, gl/tests/inttypes.in.h, gl/tests/macros.h, + gl/tests/signature.h, gl/tests/test-alloca-opt.c, + gl/tests/test-base64.c, gl/tests/test-binary-io.c, + gl/tests/test-byteswap.c, gl/tests/test-c-ctype.c, + gl/tests/test-errno.c, gl/tests/test-fcntl-h.c, + gl/tests/test-fdopen.c, gl/tests/test-fgetc.c, + gl/tests/test-float.c, gl/tests/test-fputc.c, + gl/tests/test-fread.c, gl/tests/test-fstat.c, + gl/tests/test-ftell.c, 
gl/tests/test-ftell3.c, + gl/tests/test-ftello.c, gl/tests/test-ftello3.c, + gl/tests/test-ftello4.c, gl/tests/test-func.c, + gl/tests/test-fwrite.c, gl/tests/test-getdelim.c, + gl/tests/test-getline.c, gl/tests/test-gettimeofday.c, + gl/tests/test-iconv.c, gl/tests/test-init.sh, + gl/tests/test-intprops.c, gl/tests/test-inttypes.c, + gl/tests/test-memchr.c, gl/tests/test-netdb.c, + gl/tests/test-netinet_in.c, gl/tests/test-read-file.c, + gl/tests/test-snprintf.c, gl/tests/test-stdalign.c, + gl/tests/test-stdbool.c, gl/tests/test-stddef.c, + gl/tests/test-stdint.c, gl/tests/test-stdio.c, + gl/tests/test-stdlib.c, gl/tests/test-string.c, + gl/tests/test-strings.c, gl/tests/test-strnlen.c, + gl/tests/test-strverscmp.c, gl/tests/test-sys_socket.c, + gl/tests/test-sys_stat.c, gl/tests/test-sys_time.c, + gl/tests/test-sys_types.c, gl/tests/test-sys_uio.c, + gl/tests/test-sys_wait.h, gl/tests/test-time.c, + gl/tests/test-u64.c, gl/tests/test-unistd.c, + gl/tests/test-vasnprintf.c, gl/tests/test-vasprintf.c, + gl/tests/test-vc-list-files-cvs.sh, + gl/tests/test-vc-list-files-git.sh, gl/tests/test-verify.c, + gl/tests/test-vsnprintf.c, gl/tests/test-wchar.c, + gl/tests/zerosize-ptr.h, gl/time.in.h, gl/time_r.c, gl/u64.h, + gl/unistd.in.h, gl/vasnprintf.c, gl/vasnprintf.h, gl/vasprintf.c, + gl/verify.h, gl/vsnprintf.c, gl/wchar.in.h, gl/xsize.h, + src/gl/Makefile.am, src/gl/accept.c, src/gl/alloca.in.h, + src/gl/arpa_inet.in.h, src/gl/asnprintf.c, src/gl/bind.c, + src/gl/c-ctype.c, src/gl/c-ctype.h, src/gl/close.c, + src/gl/connect.c, src/gl/dup2.c, src/gl/errno.in.h, src/gl/error.c, + src/gl/error.h, src/gl/exitfail.c, src/gl/exitfail.h, + src/gl/fd-hook.c, src/gl/fd-hook.h, src/gl/float+.h, + src/gl/float.c, src/gl/float.in.h, src/gl/fseek.c, src/gl/fseeko.c, + src/gl/fstat.c, src/gl/ftell.c, src/gl/ftello.c, + src/gl/gai_strerror.c, src/gl/getaddrinfo.c, src/gl/getdelim.c, + src/gl/getline.c, src/gl/getpass.c, src/gl/getpass.h, + src/gl/getpeername.c, src/gl/gettext.h, 
src/gl/gettime.c, + src/gl/gettimeofday.c, src/gl/inet_ntop.c, src/gl/inet_pton.c, + src/gl/intprops.h, src/gl/itold.c, src/gl/listen.c, src/gl/lseek.c, + src/gl/m4/00gnulib.m4, src/gl/m4/absolute-header.m4, + src/gl/m4/alloca.m4, src/gl/m4/arpa_inet_h.m4, src/gl/m4/bison.m4, + src/gl/m4/clock_time.m4, src/gl/m4/close.m4, src/gl/m4/dup2.m4, + src/gl/m4/eealloc.m4, src/gl/m4/environ.m4, src/gl/m4/errno_h.m4, + src/gl/m4/error.m4, src/gl/m4/exponentd.m4, + src/gl/m4/extensions.m4, src/gl/m4/extern-inline.m4, + src/gl/m4/float_h.m4, src/gl/m4/fseek.m4, src/gl/m4/fseeko.m4, + src/gl/m4/fstat.m4, src/gl/m4/ftell.m4, src/gl/m4/ftello.m4, + src/gl/m4/getaddrinfo.m4, src/gl/m4/getdelim.m4, + src/gl/m4/getline.m4, src/gl/m4/getpass.m4, src/gl/m4/gettime.m4, + src/gl/m4/gettimeofday.m4, src/gl/m4/gnulib-cache.m4, + src/gl/m4/gnulib-common.m4, src/gl/m4/gnulib-comp.m4, + src/gl/m4/gnulib-tool.m4, src/gl/m4/hostent.m4, + src/gl/m4/include_next.m4, src/gl/m4/inet_ntop.m4, + src/gl/m4/inet_pton.m4, src/gl/m4/intmax_t.m4, + src/gl/m4/inttypes_h.m4, src/gl/m4/largefile.m4, + src/gl/m4/longlong.m4, src/gl/m4/lseek.m4, src/gl/m4/malloc.m4, + src/gl/m4/malloca.m4, src/gl/m4/math_h.m4, src/gl/m4/memchr.m4, + src/gl/m4/minmax.m4, src/gl/m4/mktime.m4, src/gl/m4/mmap-anon.m4, + src/gl/m4/msvc-inval.m4, src/gl/m4/msvc-nothrow.m4, + src/gl/m4/multiarch.m4, src/gl/m4/netdb_h.m4, + src/gl/m4/netinet_in_h.m4, src/gl/m4/off_t.m4, + src/gl/m4/parse-datetime.m4, src/gl/m4/printf.m4, + src/gl/m4/read-file.m4, src/gl/m4/realloc.m4, src/gl/m4/select.m4, + src/gl/m4/servent.m4, src/gl/m4/setenv.m4, src/gl/m4/signal_h.m4, + src/gl/m4/size_max.m4, src/gl/m4/snprintf.m4, + src/gl/m4/socketlib.m4, src/gl/m4/sockets.m4, src/gl/m4/socklen.m4, + src/gl/m4/sockpfaf.m4, src/gl/m4/ssize_t.m4, src/gl/m4/stdalign.m4, + src/gl/m4/stdbool.m4, src/gl/m4/stddef_h.m4, src/gl/m4/stdint.m4, + src/gl/m4/stdint_h.m4, src/gl/m4/stdio_h.m4, src/gl/m4/stdlib_h.m4, + src/gl/m4/strdup.m4, src/gl/m4/strerror.m4, 
src/gl/m4/string_h.m4, + src/gl/m4/sys_select_h.m4, src/gl/m4/sys_socket_h.m4, + src/gl/m4/sys_stat_h.m4, src/gl/m4/sys_time_h.m4, + src/gl/m4/sys_types_h.m4, src/gl/m4/sys_uio_h.m4, + src/gl/m4/time_h.m4, src/gl/m4/time_r.m4, src/gl/m4/timespec.m4, + src/gl/m4/tm_gmtoff.m4, src/gl/m4/unistd_h.m4, + src/gl/m4/vasnprintf.m4, src/gl/m4/warn-on-use.m4, + src/gl/m4/wchar_h.m4, src/gl/m4/wchar_t.m4, src/gl/m4/wint_t.m4, + src/gl/m4/xalloc.m4, src/gl/m4/xsize.m4, src/gl/malloc.c, + src/gl/malloca.c, src/gl/malloca.h, src/gl/memchr.c, + src/gl/minmax.h, src/gl/mktime.c, src/gl/msvc-inval.c, + src/gl/msvc-inval.h, src/gl/msvc-nothrow.c, src/gl/msvc-nothrow.h, + src/gl/netdb.in.h, src/gl/netinet_in.in.h, src/gl/parse-datetime.h, + src/gl/parse-datetime.y, src/gl/printf-args.c, + src/gl/printf-args.h, src/gl/printf-parse.c, src/gl/printf-parse.h, + src/gl/progname.c, src/gl/progname.h, src/gl/read-file.c, + src/gl/read-file.h, src/gl/realloc.c, src/gl/recv.c, + src/gl/recvfrom.c, src/gl/select.c, src/gl/send.c, src/gl/sendto.c, + src/gl/setenv.c, src/gl/setsockopt.c, src/gl/shutdown.c, + src/gl/signal.in.h, src/gl/size_max.h, src/gl/snprintf.c, + src/gl/socket.c, src/gl/sockets.c, src/gl/sockets.h, + src/gl/stdalign.in.h, src/gl/stdbool.in.h, src/gl/stddef.in.h, + src/gl/stdint.in.h, src/gl/stdio-impl.h, src/gl/stdio.in.h, + src/gl/stdlib.in.h, src/gl/strdup.c, src/gl/strerror-override.c, + src/gl/strerror-override.h, src/gl/strerror.c, src/gl/string.in.h, + src/gl/sys_select.in.h, src/gl/sys_socket.in.h, + src/gl/sys_stat.in.h, src/gl/sys_time.in.h, src/gl/sys_types.in.h, + src/gl/sys_uio.in.h, src/gl/time.in.h, src/gl/time_r.c, + src/gl/timespec.h, src/gl/unistd.in.h, src/gl/unsetenv.c, + src/gl/vasnprintf.c, src/gl/vasnprintf.h, src/gl/verify.h, + src/gl/w32sock.h, src/gl/wchar.in.h, src/gl/xalloc-die.c, + src/gl/xalloc-oversized.h, src/gl/xalloc.h, src/gl/xmalloc.c, + src/gl/xsize.h: updated gnulib + +2015-01-02 Nikos Mavrogiannopoulos + + * src/cli-debug.c: 
gnutls-cli-debug: corrected the skip of ignored + checks + +2014-12-31 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-12-31 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-12-31 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: --pubkey-info will load a public key + from stdin + +2014-12-31 Nikos Mavrogiannopoulos + + * lib/system.h: include netinet/in.h if present to access ipv6 + related structures Based on patch by Rumko. https://savannah.gnu.org/support/?108713 + +2014-12-30 Matthias-Christian Ott + + * lib/gnutls_cipher_int.c: Don't call _gnutls_cipher_encrypt2 with + textlen = 0 in _gnutls_auth_cipher_encrypt2_tag If the plaintext is shorter than the block size of the used cipher, + _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with + textlen = 0. By definition _gnutls_cipher_encrypt2 does nothing in + this case and thus does not need to be called. + +2014-12-30 Matthias-Christian Ott + + * lib/accelerated/x86/aes-gcm-padlock.c, + lib/accelerated/x86/aes-padlock.c: Handle zero length plaintext for + VIA PadLock functions If the plaintext is shorter than the block size of the used cipher, + _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with + textlen = 0. padlock_ecb_encrypt and padlock_cbc_encrypt assume that + the plaintext length (last parameter) is greater than zero and + segfault otherwise. The assembler code for both functions is + automatically generated and imported from OpenSSL, so to ease + maintenance the length should be validated in the functions that + call padlock_ecb_encrypt or padlock_cbc_encrypt. 
+ +2014-12-28 Nikos Mavrogiannopoulos + + * tests/openpgp-keyring.c: tests: enhanced openpgp-keyring test + +2014-12-28 Nikos Mavrogiannopoulos + + * lib/openpgp/output.c: openpgp: properly print names in oneline + output as well + +2014-12-28 Nikos Mavrogiannopoulos + + * lib/openpgp/output.c: updates in openpgp DSA key printing + +2014-12-28 Nikos Mavrogiannopoulos + + * lib/openpgp/output.c: properly print openpgp names + +2014-12-25 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/common.c, src/tests.c: tools: use OCSP + functions only when OCSP is enabled + +2014-12-24 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c: Corrected encoding and decoding of ANSI X9.62 That affects gnutls_pubkey_export_ecc_x962() and + gnutls_pubkey_import_ecc_x962(). + +2014-12-24 Nikos Mavrogiannopoulos + + * src/certtool-args.def, src/p11tool-args.def: tools: document the + available curves + +2014-12-23 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-12-23 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_int.h, + lib/pkcs11_privkey.c, lib/pkcs11_secret.c, lib/pkcs11_write.c: Use + hints to support incomplete PKCS#11 URIs + +2014-12-23 Nikos Mavrogiannopoulos + + * doc/examples/Makefile.am, src/Makefile.am, src/gl/Makefile.am, + src/gl/m4/gnulib-cache.m4, src/gl/m4/gnulib-comp.m4: completely + separated the two gnulibs to avoid conflicts + +2014-12-23 Nikos Mavrogiannopoulos + + * gl/Makefile.am, gl/m4/extensions.m4, gl/m4/extern-inline.m4, + gl/m4/gnulib-comp.m4, gl/m4/iconv.m4, gl/m4/printf.m4, + gl/m4/stdalign.m4, gl/m4/stddef_h.m4, gl/m4/stdio_h.m4, + gl/stdalign.in.h, gl/stddef.in.h, gl/tests/test-fcntl-h.c, + gl/tests/test-stddef.c, gl/unistd.in.h, gl/vasnprintf.c, + src/gl/Makefile.am, src/gl/m4/extensions.m4, + src/gl/m4/extern-inline.m4, src/gl/m4/gnulib-comp.m4, + src/gl/m4/printf.m4, src/gl/m4/stdalign.m4, src/gl/m4/stddef_h.m4, + src/gl/m4/stdio_h.m4, src/gl/parse-datetime.y, + src/gl/stdalign.in.h, src/gl/stddef.in.h, 
src/gl/timespec.h, + src/gl/unistd.in.h, src/gl/vasnprintf.c: updated gnulib + +2014-12-22 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-12-22 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: when importing object CAs from PKCS#11 + URL, import the marked as trusted only + +2014-12-22 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: when matching objects, also match the label + +2014-12-21 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-chainverify.c: added missing variable + +2014-12-21 Nikos Mavrogiannopoulos + + * lib/x509/Makefile.am: Added p11-kit cflags in x509/ + +2014-12-21 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c, + tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c, + tests/suite/softhsm.h, tests/suite/testpkcs11.softhsm: Added + softhsm.h to share code in softhsm detection Conflicts: tests/suite/pkcs11-chainverify.c tests/suite/pkcs11-privkey.c + +2014-12-21 Nikos Mavrogiannopoulos + + * lib/pkcs11_int.h, lib/x509/verify-high2.c: Directly import PKCS + #11 object URLs as trusted certificates That is, don't treat them as trusted modules, because they aren't a + token URL, but rather a direct reference to specific objects. + +2014-12-19 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c, lib/gnutls_record.c: corrected documentation + for the cork/uncork functions Reported by Jaak Ristioja. 
+ +2014-12-19 Nikos Mavrogiannopoulos + + * lib/gnutls_record.c: doc update + +2014-12-19 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-12-19 Nikos Mavrogiannopoulos + + * lib/algorithms/protocols.c: Added more precise version check in + _gnutls_version_lowest + +2014-11-21 Nikos Mavrogiannopoulos + + * lib/algorithms.h, lib/algorithms/protocols.c, + lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_priority.c: The + record version in the client Hello will be set to the lowest + supported protocol There should have been no harm in keeping it SSL 3.0 but + unfortunately in draft-thomson-sslv3-diediedie-00 it has been marked + as MUST NOT do that. That will be fixed in a later revision but + since then there are servers not accepting SSL 3.0 as a valid record + version (note that this is about the record version, which describes + the format of the packet, nothing to do with the negotiated + version). + +2014-12-19 Nikos Mavrogiannopoulos + + * lib/gnutls_record.c: corrected documentation of gnutls_cork() + +2014-12-12 Ludovic Courtès + + * NEWS, doc/gnutls-guile.texi, guile/modules/gnutls.in, + guile/modules/gnutls/build/smobs.scm, guile/src/core.c, + guile/tests/openpgp-auth.scm, guile/tests/x509-auth.scm: Revert + "guile: Remove RSA parameters and related procedures." This reverts commit 9f5788469f6f3f3fdd4cf064621a903607f10f2f; this + will be done in the 3.4 branch, as for the C library. Update NEWS + accordingly. + +2014-12-12 Ludovic Courtès + + * NEWS: Update 'NEWS'. + +2014-12-11 Ludovic Courtès + + * guile/tests/openpgp-keyring.scm: guile: Open binary file in binary + mode, for the sake of MinGW. Reported by Eli Zaretskii . * guile/tests/openpgp-keyring.scm: Use 'open-file' with "rb" instead + of 'open-input-file'. + +2014-12-11 Ludovic Courtès + + * guile/src/Makefile.am: guile: Link with '-no-undefined'. Fixes builds on MinGW. Reported by Eli Zaretskii . * guile/src/Makefile.am (guile_gnutls_v_2_la_LDFLAGS): Add -no-undefined. 
+ +2014-12-04 Ludovic Courtès + + * guile/src/Makefile.am: guile: Build with warnings. * guile/src/Makefile.am (AM_CFLAGS) [HAVE_GCC]: Add -Wall -Wextra -Wno-unused-parameter. + +2014-12-04 Ludovic Courtès + + * guile/modules/Makefile.am, guile/modules/gnutls.in, + guile/modules/gnutls/build/priorities.scm, guile/src/Makefile.am, + guile/src/core.c, guile/src/make-session-priorities.scm, + guile/tests/session-record-port.scm, guile/tests/x509-auth.scm: + guile: Remove the deprecated priority API. * guile/modules/gnutls/build/priorities.scm: Remove. * guile/src/make-session-priorities.scm: Remove. * guile/modules/Makefile.am (EXTRA_DIST): Adjust accordingly. * guile/src/Makefile.am (EXTRA_DIST): Likewise. (GENERATED_BINDINGS): Remove 'priorities.i.c'. (priorities.i.c): Remove target. * guile/src/core.c: Don't include it. (scm_gnutls_set_default_priority_x): Remove. * guile/modules/gnutls.in (gnutls): Adjust export list. * guile/tests/session-record-port.scm: Use + 'set-session-priorities!'. * guile/tests/x509-auth.scm: Likewise. + +2014-12-04 Ludovic Courtès + + * doc/gnutls-guile.texi, guile/modules/gnutls.in, + guile/modules/gnutls/build/smobs.scm, guile/src/core.c, + guile/tests/openpgp-auth.scm, guile/tests/x509-auth.scm: guile: + Remove RSA parameters and related procedures. * guile/modules/gnutls/build/smobs.scm (%rsa-parameters-smob): + Remove. (%gnutls-smobs): Remove it. * guile/src/core.c (scm_gnutls_make_rsa_parameters, scm_gnutls_pkcs1_import_rsa_parameters, scm_gnutls_pkcs1_export_rsa_parameters, scm_gnutls_set_certificate_credentials_rsa_export_params_x): + Remove. * guile/modules/gnutls.in: Adjust export list. * guile/tests/openpgp-auth.scm (import-rsa-params): Remove. Remove references to it and to 'set-certificate-credentials-rsa-export-parameters!'. * guile/tests/x509-auth.scm: Likewise. * doc/gnutls-guile.texi (Representation of Binary Data): Remove references to RSA parameters. Adjust example accordingly. 
(OpenPGP Authentication Guile Example): Likewise. + +2014-12-12 Nikos Mavrogiannopoulos + + * lib/random.c: gnutls_rnd: doc update + +2014-12-12 Nikos Mavrogiannopoulos + + * lib/x509/pkcs12.c: gnutls_pkcs12_simple_parse: doc update + +2014-12-12 Nikos Mavrogiannopoulos + + * libdane/dane.c: improved documentation on dane + +2014-12-11 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: use Sleep() in windows + +2014-12-11 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c: certtool: ensure that default_serial_int is + 64-bits or more + +2014-12-11 Nikos Mavrogiannopoulos + + * src/socket.c: use select() instead of alarm for better portability Based on patch by Eli Zaretskii. + +2014-12-11 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.11 + +2014-12-11 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2014-12-11 Nikos Mavrogiannopoulos + + * tests/suite/testcompat-main: testcompat: corrected usage of null + cipher + +2014-12-10 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-fips.c: added the .check function in FIPS140-2 code + +2014-12-05 Nikos Mavrogiannopoulos + + * lib/x509/dn.c: _gnutls_x509_get_dn() always return a null + terminated string + +2014-12-02 Nikos Mavrogiannopoulos + + * lib/random.h: if the rnd structure doesn't provide check, + _gnutls_rnd_check() will succeed + +2014-11-30 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: Reorganized, and eliminated memory leak in + _gnutls_x509_crt_check_revocation() Reported by Tim Rühsen. 
+ +2014-11-28 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/gnutls.h.in, lib/includes/gnutls/pkcs11.h: doc + update + +2014-11-25 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added + check for whether %NO_EXTENSIONS is required + +2014-11-28 Nikos Mavrogiannopoulos + + * lib/gnutls_ui.c: gnutls_session_get_desc: allow proper printing of + the NULL KX + +2014-11-25 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: gnutls_certificate_set_x509_key_*: eliminated + memory leak when certificate could not be parsed Reported by Georg Richter. + +2014-11-24 Nikos Mavrogiannopoulos + + * src/socket.c: gnutls-cli-debug: do not print error on unknown + protocols + +2014-11-24 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: documented the limitations of the loading + functions + +2014-11-24 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: corrected memleak in read_key_mem() Patch by Georg Richter. + +2014-11-24 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added + check for sorted certificate chain + +2014-11-22 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_record.c, + tests/mini-rehandshake-2.c: restore only the documented behavior + +2014-11-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-21 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/mini-rehandshake-2.c: tests: added test + for GNUTLS_E_GOT_APPLICATION_DATA on rehandshake Conflicts: tests/Makefile.am + +2014-11-21 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_record.c: treat + GNUTLS_E_GOT_APPLICATION_DATA as non-fatal if initial negotiation is + complete This corrects a regression introduced in + b5a0de2e6da98866cafb770c3141b7353d030ab2 Reported by Dan Winship. 
+ https://savannah.gnu.org/support/?108690 + +2014-11-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-21 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: Revert "The priority modifier + %LATEST_RECORD_VERSION is now the default" This reverts commit 96b408b20fe8707306f38cba6f652556b99a47e4. + +2014-11-13 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-common.c: _rnd_get_event: use memset to avoid + valgrind complaints + +2014-11-21 Nikos Mavrogiannopoulos + + * lib/fips.c: compilation fix for FIPS140-2 mode + +2014-11-21 Nikos Mavrogiannopoulos + + * lib/x509/ocsp.c: deinitialize the OCSP response der data That also makes sure that reinitialization of ASN1 structures are + done when it is required only. + +2014-11-17 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: NORMAL priority: prioritize the less than + 256-bits curves at the lowest level + +2014-11-16 Nikos Mavrogiannopoulos + + * lib/fips.c, lib/fips.h, lib/gnutls_global.c: properly reset the + zombie mode in FIPS mode This amends 9158f590f4a18c84fc9eb41877b29d73b30af879 + +2014-11-15 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-14 David Weber + + * src/cli.c, src/serv.c: Fixed SRTP profile configuration in cli.c + and serv.c. I have tested the fix in 3.3.10. This commit is UNTESTED as i am + unable to compile gnutls (./configure complains about gl_INIT and + ggl_INIT). 
Signed-off-by: Nikos Mavrogiannopoulos + +2014-11-14 Nikos Mavrogiannopoulos + + * src/common.c: gnutls-cli: print info on the OCSP status request + +2014-11-14 Nikos Mavrogiannopoulos + + * lib/x509/ocsp.c: use the original DER/BER data when verifying an + OCSP response Conflicts: lib/x509/ocsp.c + +2014-11-14 Nikos Mavrogiannopoulos + + * lib/system.c: windows: updated _gnutls_ucs2_to_utf8() + +2014-11-14 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: check + for OCSP status response Conflicts: src/tests.c + +2014-11-13 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/tests.c, src/tests.h: added check for servers + that disallow the SSL 3.0 record version + +2014-11-14 Nikos Mavrogiannopoulos + + * tests/cert-tests/crq: corrected crq test case; reported by Andreas + Metzler + +2014-11-13 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: set the GNUTLS_PIN_CONTEXT_SPECIFIC flag on PIN + callback + +2014-11-13 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-common.h: rnd: removed the packed attribute from + event_st That prevents a SIGBUS on solaris sparc systems. Reported by Thomas + Thorberger. + +2014-11-13 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-13 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: The priority modifier + %LATEST_RECORD_VERSION is now the default This works-around issue with servers that forbit the SSL 3.0 version + number from the first packet of the record protocol. 
+ +2014-11-10 Nikos Mavrogiannopoulos + + * tests/suite/testcompat-common, tests/suite/testcompat-main: + testcompat: updated + +2014-11-10 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2014-11-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-31 Nikos Mavrogiannopoulos + + * configure.ac, tests/cert-tests/Makefile.am, tests/cert-tests/crq: + Added check with the invalid crq sent by Sean Burford + +2014-10-31 Nikos Mavrogiannopoulos + + * lib/gnutls_ecc.c: when exporting curve coordinates to X9.63 + format, perform additional sanity checks on input Reported by Sean Burford. + +2014-11-08 Nikos Mavrogiannopoulos + + * doc/cha-intro-tls.texi: doc update + +2014-11-08 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi, doc/cha-intro-tls.texi: doc: updated text + on session tickets + +2014-11-07 Nikos Mavrogiannopoulos + + * src/socket.c: tools: include arpa/inet.h in socket.c + +2014-11-07 Nikos Mavrogiannopoulos + + * doc/examples/ex-serv-dtls.c: doc: use the same port for DTLS + client and server + +2014-11-07 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: pass the correct user type to protected + authentication login + +2014-11-07 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: doc: corrected values for INSECURE level + +2014-11-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-07 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_int.h: pkcs11_login: set the correct user + type on reauthentication + +2014-11-06 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: pkcs11: + force login on tokens that require it + +2014-11-06 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: added + support for PKCS #11 keys that require reauthentication and + simplified pkcs11_login + +2014-11-06 Nikos Mavrogiannopoulos + + * gl/unistd.in.h, src/gl/unistd.in.h: applied patch by A. Klitzing + to improve compatibile with some apple systems 
Signed-off-by: Nikos Mavrogiannopoulos + +2014-11-05 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/common.c, src/common.h, src/tests.c: + gnutls-cli-debug: backported changes from 3.4.0 branch + +2014-11-05 Chen Hongzhi + + * lib/x509/pkcs12.c: Fix double-free in gnutls_pkcs12_simple_parse() Signed-off-by: Nikos Mavrogiannopoulos + +2014-11-04 Nikos Mavrogiannopoulos + + * doc/scripts/mytexi2latex: mytexi2latex: handle na@"ive + +2014-11-04 Chris Barry + + * doc/cha-auth.texi, doc/cha-cert-auth.texi, + doc/cha-cert-auth2.texi, doc/cha-errors.texi, doc/sec-tls-app.texi: + Cleaning up some awkward phrasings. Signed-off-by: Nikos Mavrogiannopoulos + +2014-11-04 Nikos Mavrogiannopoulos + + * lib/ext/alpn.c: updated text + +2014-11-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-03 Jaak Ristioja + + * lib/system_override.c: doc: Added missing reference for EMSGSIZE + to inline documentation of gnutls_transport_set_errno(). Signed-off-by: Nikos Mavrogiannopoulos + +2014-11-03 Jaak Ristioja + + * lib/system_override.c: doc: Fixed typo in inline comment of + gnutls_transport_set_errno(). 
Signed-off-by: Nikos Mavrogiannopoulos + +2014-11-02 Nikos Mavrogiannopoulos + + * lib/gnutls_errors.c: updated the text for + GNUTLS_E_UNSUPPORTED_VERSION_PACKET + +2014-11-01 Nikos Mavrogiannopoulos + + * lib/x509/common.c: when calling gnutls_x509_crt_get_subject_key_id + set the id_size + +2014-11-01 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: deinitialize the temporary spki data + +2014-10-31 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/init_fds.c: tests: added test for + gnutls_global_init after all descriptors are closed Conflicts: tests/Makefile.am + +2014-10-31 Nikos Mavrogiannopoulos + + * lib/gnutls_global.c, lib/nettle/rnd-common.c, lib/random.h: + corrected check for urandom fd + +2014-10-31 Nikos Mavrogiannopoulos + + * lib/gnutls_global.c: corrected exit state from gnutls_global_init + +2014-10-31 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-31 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: updated text for gnutls_fd_in_use() to + account the new behavior + +2014-10-31 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map, lib/nettle/rnd-common.c: dropped + gnutls_fd_in_use, it is no longer necessary Conflicts: lib/libgnutls.map + +2014-10-31 Nikos Mavrogiannopoulos + + * lib/crypto-backend.h, lib/gnutls_global.c, + lib/nettle/rnd-common.c, lib/nettle/rnd-common.h, lib/nettle/rnd.c, + lib/random.h: When gnutls_global_init() is called manually from the + application check the urandom fd for validity That addresses the issue where a server closes all open file + descriptors and then calls gnutls_global_init(). 
Conflicts: lib/nettle/rnd-common.c + +2014-10-29 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: _gnutls_dh_generate_key() will account the q_bits + +2014-10-29 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-28 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-28 Nikos Mavrogiannopoulos + + * lib/nettle/rnd.c: doc update + +2014-10-28 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c: do not explicitly refresh rnd state on session + deinit It is already being refreshed during the session lifetime. + +2014-10-26 Nikos Mavrogiannopoulos + + * configure.ac: disable hardware acceleration by default in solaris + +2014-10-25 Nikos Mavrogiannopoulos + + * tests/dtls/dtls: tests: dtls-stress -r disabled as it causes + issues when used with freebsd kernel + +2014-10-25 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/elf/aes-ssse3-x86.s, + lib/accelerated/x86/elf/aes-ssse3-x86_64.s, + lib/accelerated/x86/elf/aesni-x86.s, + lib/accelerated/x86/elf/aesni-x86_64.s, + lib/accelerated/x86/elf/cpuid-x86.s, + lib/accelerated/x86/elf/cpuid-x86_64.s, + lib/accelerated/x86/elf/e_padlock-x86.s, + lib/accelerated/x86/elf/e_padlock-x86_64.s, + lib/accelerated/x86/elf/ghash-x86_64.s, + lib/accelerated/x86/elf/sha1-ssse3-x86.s, + lib/accelerated/x86/elf/sha1-ssse3-x86_64.s, + lib/accelerated/x86/elf/sha256-avx-x86_64.s, + lib/accelerated/x86/elf/sha256-ssse3-x86.s, + lib/accelerated/x86/elf/sha512-ssse3-x86.s, + lib/accelerated/x86/elf/sha512-ssse3-x86_64.s: do not use the ifdef + directive in assembly files, as it isn't portable + +2014-10-23 Nikos Mavrogiannopoulos + + * configure.ac, lib/Makefile.am: check and use libnsl (used in + solaris) + +2014-10-23 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/elf/aes-ssse3-x86.s, + lib/accelerated/x86/elf/aes-ssse3-x86_64.s, + lib/accelerated/x86/elf/aesni-x86.s, + lib/accelerated/x86/elf/aesni-x86_64.s, + lib/accelerated/x86/elf/cpuid-x86.s, + lib/accelerated/x86/elf/cpuid-x86_64.s, + 
lib/accelerated/x86/elf/e_padlock-x86.s, + lib/accelerated/x86/elf/e_padlock-x86_64.s, + lib/accelerated/x86/elf/ghash-x86_64.s, + lib/accelerated/x86/elf/sha1-ssse3-x86.s, + lib/accelerated/x86/elf/sha1-ssse3-x86_64.s, + lib/accelerated/x86/elf/sha256-avx-x86_64.s, + lib/accelerated/x86/elf/sha256-ssse3-x86.s, + lib/accelerated/x86/elf/sha512-ssse3-x86.s, + lib/accelerated/x86/elf/sha512-ssse3-x86_64.s: use the + .note.GNU-stack in linux systems only + +2014-10-23 Nikos Mavrogiannopoulos + + * gl/Makefile.am, gl/m4/extern-inline.m4, gl/m4/gnulib-common.m4, + gl/m4/manywarnings.m4, gl/m4/stdlib_h.m4, gl/m4/threadlib.m4, + gl/m4/unistd_h.m4, gl/stdlib.in.h, gl/tests/fcntl.in.h, + gl/unistd.in.h, gl/vasnprintf.c, maint.mk, src/gl/Makefile.am, + src/gl/error.c, src/gl/getpass.c, src/gl/m4/extern-inline.m4, + src/gl/m4/gnulib-common.m4, src/gl/m4/stdlib_h.m4, + src/gl/m4/unistd_h.m4, src/gl/parse-datetime.y, src/gl/stdlib.in.h, + src/gl/sys_select.in.h, src/gl/unistd.in.h, src/gl/vasnprintf.c: + updated gnulib + +2014-10-23 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-23 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-get-issuer.c: tests: check the issuer value + validity of gnutls_x509_trust_list_get_issuer + +2014-10-23 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: corrected bug in + gnutls_x509_trust_list_get_issuer() when used without the + GNUTLS_TL_GET_COPY flag + +2014-10-22 Nikos Mavrogiannopoulos + + * tests/slow/Makefile.am: tests: include minitasn1 when needed + +2014-10-22 Nikos Mavrogiannopoulos + + * src/danetool.c: use HAVE_DANE ifdef for unused functions + +2014-10-22 Nikos Mavrogiannopoulos + + * lib/libgnutls.map: exported gnutls_fd_in_use + +2014-10-22 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-22 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: document gnutls_fd_in_use() + +2014-10-22 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: corrected FIND_OBJECT loop when the token + func is used + +2014-10-22 
Nikos Mavrogiannopoulos + + * lib/gnutls_state.c: gnutls_fd_in_use: mention version + +2014-10-22 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in, + lib/nettle/rnd-common.c, lib/random.h: added gnutls_fd_in_use() to + check whether a file descriptor is in use + +2014-10-21 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: fips140-2: limit the FIPS code in fips mode + +2014-10-21 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: fips140-2: use the FIPS algorithms only when in + FIPS140-2 mode + +2014-10-20 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-05 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: default pkcs-cipher is now 3des as in + PKCS #12 + +2014-10-17 Nikos Mavrogiannopoulos + + * src/cli-args.def: gnutls-cli: prevent the combination of the -p + and --list options As -p may be mistaken for --priority that would prevent wrong + outputs. + +2014-10-17 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: avoid d from getting out of scope + +2014-10-17 Nikos Mavrogiannopoulos + + * src/udp-serv.c: gnutls-serv: avoid possible buffer overrun + +2014-10-17 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: avoid memory leak on + gnutls_x509_privkey_generate() failure + +2014-10-15 Nikos Mavrogiannopoulos + + * lib/nettle/int/dsa-fips.h, lib/nettle/int/dsa-keygen-fips186.c, + lib/nettle/int/dsa-validate.c: in FIPS140-2 mode only disable + 1024-bit DSA parameters when generating + +2014-10-14 Ludovic Courtès + + * guile/src/core.c: guile: Remove trailing zero in + 'gnutls_server_name_set' call. In GnuTLS 3.2.19 (and possibly 3.3.9 and 3.1.17), + 'set-session-server-name!' would pass a trailing nul character on + the wire after the server name, which would thus be rejected by + servers. 
+ +2014-10-14 Nikos Mavrogiannopoulos + + * lib/nettle/int/dsa-fips.h, lib/nettle/int/provable-prime.c, + lib/nettle/int/rsa-keygen-fips186.c: FIPS140-2 RSA key generation + changes to account for seed starting with null byte + +2014-10-14 Nikos Mavrogiannopoulos + + * src/libopts/Makefile.am: corrected libopt's Makefile.am reported by Marius Schamschula. + +2014-10-10 Nikos Mavrogiannopoulos + + * lib/nettle/int/rsa-keygen-fips186.c: use lcm(p-1,q-1) instead of + phi(n) for RSA key generation in FIPS-140-2 mode + +2014-10-14 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/sha-x86-ssse3.c: corrected the SSSE3 optimized + SHA224 + +2014-10-14 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-common.c: simplified getrusage code; the failure + check code wasn't needed + +2014-10-13 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-13 Nikos Mavrogiannopoulos + + * tests/x509-extensions.c: tests: added check for import failure of + v1 certificate with extensions + +2014-10-13 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: do not allow importing X.509 certificates with + version < 3 and extensions present + +2014-10-13 Nikos Mavrogiannopoulos + + * cfg.mk: update the guile manual along the C one + +2014-10-13 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2014-10-13 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-11 Nikos Mavrogiannopoulos + + * src/libopts/Makefile.am, src/libopts/ag-char-map.h, + src/libopts/ao-strs.c, src/libopts/ao-strs.h, + src/libopts/autoopts.h, src/libopts/autoopts/options.h, + src/libopts/autoopts/usage-txt.h, src/libopts/compat/_Noreturn.h, + src/libopts/genshell.c, src/libopts/genshell.h, + src/libopts/intprops.h, src/libopts/m4/libopts.m4, + src/libopts/m4/stdnoreturn.m4, src/libopts/option-value-type.c, + src/libopts/option-value-type.h, + src/libopts/option-xat-attribute.c, + src/libopts/option-xat-attribute.h, src/libopts/parse-duration.c, + src/libopts/proto.h, src/libopts/stdnoreturn.in.h, 
+ src/libopts/version.c: updated to libopts 5.18.4 + +2014-10-11 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-common.c: place all rusage variables into + HAVE_GETRUSAGE block + +2014-10-11 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-11 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-common.c: rnd: if RUSAGE_THREAD fails try + RUSAGE_SELF + +2014-10-10 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-combo.c: tests: pkcs11-combo: use unique db + file + +2014-10-10 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-02 Nikos Mavrogiannopoulos + + * lib/ext/session_ticket.c: use wait and retransmit when receiving + session tickets + +2014-10-02 Nikos Mavrogiannopoulos + + * tests/dtls/dtls, tests/dtls/dtls-stress.c: tests: added -r option + to dtls-stress That allows it to replay messages in a kind of arbitrary way. + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/ext/heartbeat.c: forbid heartbeat messages during a handshake + +2014-10-09 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: + added internal variable to track handshake status Conflicts: lib/gnutls_handshake.c + +2014-10-09 Nikos Mavrogiannopoulos + + * .gitignore: more files to ignore + +2014-10-09 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-is-known.c: tests: updated time in + pkcs11-is-known + +2014-10-09 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: handle errors from override_cert_exts as + fatal + +2014-10-09 Nikos Mavrogiannopoulos + + * tests/chainverify.c, tests/suite/pkcs11-chainverify.c, + tests/test-chains.h: tests: allow running specific chainverify tests + on fixed dates Conflicts: tests/chainverify.c tests/suite/pkcs11-chainverify.c tests/test-chains.h + +2014-10-09 Nikos Mavrogiannopoulos + + * lib/x509/common.c: _gnutls_check_valid_key_id: corrected + activation/expiration check + +2014-10-09 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/x509/common.c, lib/x509/common.h: pkcs11: + simplified and optimized loop + 
+2014-10-09 Nikos Mavrogiannopoulos + + * doc/cha-crypto.texi: mention nettle as the recommended crypto + backend + +2014-10-09 Nikos Mavrogiannopoulos + + * tests/suite/Makefile.am, tests/suite/pkcs11-combo.c: tests: Added + check to ensure that trust list combination with extra certificates + works + +2014-10-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-09 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: when both a trust module and additional + CAs are present account the latter as well That solves an issue in openconnect which used the system trust + module, plus additional certificates. Conflicts: lib/x509/verify-high.c + +2014-10-09 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c, lib/x509/verify-high.h: simplify the + handling of trust_list_get_issuer() when GNUTLS_TL_GET_COPY is not + given + +2014-10-08 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: corrected assignment + +2014-10-08 Nikos Mavrogiannopoulos + + * lib/libgnutls.map: corrected the name of exported function + +2014-10-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-07 Nikos Mavrogiannopoulos + + * tests/test-chains.h: tests: corrected test for v1 cert signing + (removed bogus authorityIdentifier) + +2014-10-07 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: only set the authority key identifier, + if there is a corresponding subject key identifier + +2014-10-07 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: do not shortcut checks when + GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY is specified + +2014-10-07 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/x509/common.c, lib/x509/common.h: pkcs11: always + check for a valid subjectKeyIdentifier match That way, expired certificates can co-exist with their replacements. + +2014-10-06 Armin Burgmeier + + * lib/x509/verify-high2.c: Return an error if multiple PKCS11 URLs + are added to a trust list Before, the new URL would overwrite the old URL, and the memory of + theold URL would be leaked. 
It is documented that only one URL can + be used, so it should be safe to reject any attempt to add another + one. 
Signed-off-by: Armin Burgmeier + +2014-10-07 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/x509/common.c, lib/x509/common.h: pkcs11: when + no CKA_ID can be relied on fallback on checking the + SubjectKeyIdentifier Patch by David Woodhouse. + +2014-10-02 Nikos Mavrogiannopoulos + + * lib/gnutls_global.c: report the FIPS140-2 mode + +2014-10-07 Nikos Mavrogiannopoulos + + * lib/libgnutls.map, lib/nettle/pk.c: added FIPS140-2 ECDH + verification functions + +2014-10-07 Nikos Mavrogiannopoulos + + * lib/libgnutls.map, lib/nettle/pk.c: added FIPS140-2 DH + verification functions + +2014-10-07 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-is-known.c: tests: corrected check with + gnutls_x509_trust_list_get_issuer + +2014-10-06 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: corrected remove_pkcs11_url() + +2014-10-06 Nikos Mavrogiannopoulos + + * tests/suite/Makefile.am, tests/suite/pkcs11-is-known.c: tests: + check gnutls_pkcs11_crt_is_known() when multiple same DNs are + present + +2014-10-06 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: when checking for presence do not give up on + the first mismatch + +2014-10-06 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: address memory leak in gnutls_pkcs11_crt_is_known() + +2014-10-05 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: doc update: clarifications in + gnutls_x509_trust_list_add_trust_file + +2014-10-02 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: corrected compilation for non-pkcs11; + reported by David Woodhouse. 
+ +2014-09-29 Nikos Mavrogiannopoulos + + * NEWS: corrected typo + +2014-10-01 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-01 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-get-issuer.c, tests/x509cert.c: tests: added + check for GNUTLS_TL_GET_COPY + +2014-10-01 Nikos Mavrogiannopoulos + + * lib/gnutls_cert.c, lib/gnutls_x509.c, lib/includes/gnutls/x509.h, + lib/x509/ocsp.c, lib/x509/verify-high.c: Added GNUTLS_TL_GET_COPY + flag and documented the limitations of + gnutls_x509_trust_list_get_issuer() + +2014-09-30 Nikos Mavrogiannopoulos + + * lib/opencdk/stream.h: opencdk: changed filter_fnct_t to match the + actual function prototypes + +2014-09-30 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-26 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c, lib/gnutls_handshake.c: do not allow + GNUTLS_E_LARGE_PACKET to be returned from non-DTLS sessions + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/system.c: gnutls_x509_trust_list_add_system_trust() will not + allow duplicate entries + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: use _DIRENT_HAVE_D_TYPE to detect + d->d_type + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: corrected type + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: + protect DTLS clients that don't handle GNUTLS_E_LARGE_PACKET from an + infinite loop on handshake + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/gnutls_errors.c: removed unused error values + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_record.c, lib/gnutls_record.h: + restrict the number of non-fatal errors gnutls_handshake() can + return + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/gnutls_errors.c: optimized gnutls_error_is_fatal() by + splitting the errors to two tables + +2014-09-22 Ludovic Courtès + + * guile/src/core.c: guile: Restore cross-reference in + 'set-session-priorities!' docstring. This had been destroyed in 32d90395. 
+ +2014-09-22 Ludovic Courtès + + * guile/modules/gnutls.in, guile/modules/gnutls/build/enums.scm, + guile/src/core.c, guile/tests/anonymous-auth.scm: guile: Add + bindings for 'gnutls_server_name_set'. This adds the 'set-session-server-name!' procedure and the + 'server-name-type' enum type. + +2014-09-18 Armin Burgmeier + + * lib/x509/verify-high.c: Memory leak fix on certificate copy + failure Signed-off-by: Armin Burgmeier + +2014-09-17 Armin Burgmeier + + * lib/gnutls_ui.c: Fix a documentation typo 
Signed-off-by: Armin Burgmeier + +2014-09-19 Nikos Mavrogiannopoulos + + * cfg.mk, lib/accelerated/x86/files.mk: regenerated files.mk + +2014-09-19 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-19 Nikos Mavrogiannopoulos + + * libdane/dane.c: libdane: do not require the CA to be a direct CA + +2014-09-19 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-19 Nikos Mavrogiannopoulos + + * tests/scripts/common.sh, tests/suite/testpkcs11: tests: enhanced + test suite to pass more of the PKCS #11 API under valgrind + +2014-09-19 Nikos Mavrogiannopoulos + + * src/serv-args.def, src/serv.c: gnutls-serv: added the --provider + option + +2014-09-19 Nikos Mavrogiannopoulos + + * src/common.c: tools: corrected pin entry + +2014-09-19 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: cleaned up memory deallocation in + read_cert_url() That caused unexpected results when loading PKCS #11 URLs. Reported + by Joseph Peruski. + +2014-09-18 Nikos Mavrogiannopoulos + + * doc/certtool.cfg: updated certtool.cfg + +2014-09-18 Nikos Mavrogiannopoulos + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated + auto-generated files + +2014-09-15 Nikos Mavrogiannopoulos + + * tests/test-chains.h: tests: added checks with modified certificate This tests whether a modified of a DER certificate, that is + cancelled out while we parse it, would result to a good signature. + +2014-09-18 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-18 Nikos Mavrogiannopoulos + + * configure.ac: depend on p11-kit 0.20.7 + +2014-09-17 Nikos Mavrogiannopoulos + + * configure.ac, lib/pkcs11x.h: depend on p11-kit 0.20.6 + +2014-09-04 Nikos Mavrogiannopoulos + + * m4/hooks.m4: require libtasn1 3.9 or later That is because of the ocsp fix. 
+ +2014-09-17 Nikos Mavrogiannopoulos + + * lib/verify-tofu.c: removed unused variable + +2014-09-17 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: added sanity check on cleanup + +2014-09-17 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: corrected typo in printing error + +2014-09-17 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: correctly reallocate the read buffer Report and patch by David Woodhouse. + +2014-09-16 Nikos Mavrogiannopoulos + + * doc/cha-cert-auth.texi: updated documentation on PKCS #11 trust + module verification + +2014-09-16 Nikos Mavrogiannopoulos + + * lib/x509/common.h, lib/x509/verify-high.c, lib/x509/verify.c: + unified the key purpose checks functions + +2014-09-16 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/x509.h, lib/x509/common.h, + lib/x509/verify-high.c, lib/x509/verify.c: check for CAs with the + same key in gnutls_x509_trust_list_add_cas That way when GNUTLS_TL_NO_DUPLICATE_KEY is specified the added CA + will overwrite any previous one with the same name and key. 
+ +2014-09-16 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: hostname and key purpose checks were moved + above CRL checks + +2014-09-16 Nikos Mavrogiannopoulos + + * lib/x509/output.c, lib/x509/x509_ext.c: doc update + +2014-09-16 Nikos Mavrogiannopoulos + + * m4/hooks.m4: bumped library version + +2014-09-16 Nikos Mavrogiannopoulos + + * lib/x509/crl.c: corrected gnutls_x509_crl_get_raw_issuer_dn() + +2014-09-16 Nikos Mavrogiannopoulos + + * lib/x509/common.c: only deallocate data when allocation succeeds + +2014-09-16 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-15 Nikos Mavrogiannopoulos + + * lib/minitasn1/decoding.c: updated libtasn1 + +2014-09-15 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: documented the environment variables + +2014-09-15 Nikos Mavrogiannopoulos + + * lib/verify-tofu.c, lib/x509/common.c, lib/x509/common.h: + Backported x509_raw_crt_to_raw_pubkey and x509_crt_to_raw_pubkey + +2014-09-12 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-12 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: print Attached Extensions, instead of + extensions + +2014-09-12 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: when adding a duplicate certificate, keep + the last entry + +2014-09-12 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-get-issuer.c: pkcs11-get-issuer: do not + hardcode the chain number, use its name + +2014-09-11 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/x509-ext.h, lib/libgnutls.map, + lib/x509/output.c, lib/x509/x509.c, lib/x509/x509_ext.c, + src/pkcs11.c: fixes in the extension handling + +2014-09-11 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: will print trust module extensions if + present + +2014-09-10 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c, lib/x509/verify.c, lib/x509/x509_int.h: + check the key purpose of the CA certificate when in pkcs11 cert + validation + +2014-09-10 Nikos Mavrogiannopoulos + + * lib/Makefile.am, lib/includes/gnutls/pkcs11.h, + 
lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/pkcs11.c, + lib/pkcs11_int.c, lib/pkcs11_int.h, lib/x509/common.h, + lib/x509/output.c, lib/x509/x509_ext.c: allow retrieving extensions + in a trust module using + GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT Conflicts: lib/pkcs11.c + +2014-09-10 Nikos Mavrogiannopoulos + + * lib/verify-tofu.c, lib/x509/common.h, lib/x509/extensions.c, + lib/x509/ocsp.c: export x509_crt_to_raw_pubkey() in x509/common.h + and prefixed s/get_extension with _gnutls + +2014-09-10 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: doc update + +2014-09-09 Nikos Mavrogiannopoulos + + * lib/gnutls_cert.c, lib/gnutls_x509.c, lib/gnutls_x509.h, + lib/includes/gnutls/x509.h, lib/libgnutls.map, + lib/x509/verify-high.c: gnutls_x509_trust_list_verify_crt2 is in par + with gnutls_certificate_verify_peers That is, it accepts a list of gnutls_typed_vdata_st and allows for + flexibility. Conflicts: lib/libgnutls.map + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/x509/x509_ext.c: doc update + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/crq.c, + lib/x509/x509.c: Added gnutls_x509_crt_get_extension_by_oid2() and + gnutls_x509_crq_get_extension_by_oid2() + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c, lib/includes/gnutls/x509.h, lib/libgnutls.map, + lib/x509/verify-high.c: Added + gnutls_x509_trust_list_verify_purpose_crt() Conflicts: lib/libgnutls.map + +2014-09-13 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-13 Nikos Mavrogiannopoulos + + * configure.ac, lib/pkcs11.c, lib/pkcs11x.c, lib/pkcs11x.h: simulate + pkcs11x.h when it doesn't exist + +2014-09-13 Nikos Mavrogiannopoulos + + * lib/Makefile.am, lib/pkcs11.c, lib/pkcs11x.h: added pkcs11x.h + +2014-09-13 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/crlverify.c: tests: Added crlverify to + check gnutls_x509_crl_verify and gnutls_x509_trust_list_add_crls Conflicts: tests/Makefile.am + +2014-09-13 Nikos 
Mavrogiannopoulos + + * lib/x509/verify.c: gnutls_x509_crl_verify: do not always set the + invalid status Reported by Armin Burgmeier. + +2014-09-13 Nikos Mavrogiannopoulos + + * lib/gnutls_ui.c: doc update + +2014-09-12 Nikos Mavrogiannopoulos + + * lib/pkcs11x.c: added missing file + +2014-09-13 Nikos Mavrogiannopoulos + + * lib/x509/verify.c: Revert "gnutls_x509_crl_verify: do not always + set the invalid status" This reverts commit 950b62da58542938adec366620948c85b78607dd. + +2014-09-13 Nikos Mavrogiannopoulos + + * lib/x509/verify.c: gnutls_x509_crl_verify: do not always set the + invalid status Reported by Armin Burgmeier. + +2014-09-05 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-08 Nikos Mavrogiannopoulos + + * src/tpmtool.c: tpmtool: corrected key password read + +2014-09-08 Nikos Mavrogiannopoulos + + * src/danetool.c: set umask prior to calling mkstemp + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: initialize verification output to zero + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: dtls: when discarding packet, discard the + correct number of bytes + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: check_ip: initialize ret + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/tpm.c: gnutls_tpm_privkey_generate: initialize input values to + null to prevent any issue + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: do not dereference find_data->p_list in pkcs11 + callback + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-fips.c: corrected issue in fips RNG + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: added comment to clarify check + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/opencdk/literal.c: opencdk: corrected unsigned comparison + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/tpm.c: fixes in loop for SRK password input + +2014-09-08 Nikos Mavrogiannopoulos + + * src/common.c: apps: corrected GNUTLS_PIN reading + +2014-09-08 Nikos Mavrogiannopoulos 
+ + * lib/x509/verify-high2.c: gnutls_x509_trust_list_add_trust_dir: + corrected CRL loading error + +2014-09-08 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c: certtool: corrected copy+paste error + +2014-09-05 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-05 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: corrected usage of readdir_r() + +2014-09-05 Nikos Mavrogiannopoulos + + * src/ocsptool-common.c: ocsptool: better error message + +2014-09-05 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: reentrant fixes for + gnutls_x509_trust_list_add_trust_dir() handle unknown file types + +2014-09-05 Nikos Mavrogiannopoulos + + * tests/ocsp.c: doc update + +2014-09-05 Nikos Mavrogiannopoulos + + * m4/hooks.m4, tests/ocsp.c: Revert "require libtasn0 3.9 or later" This reverts commit 07a906b4e5c9d1446aee1bf4e091fefa1f1eb1da. + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/x509/x509_dn.c: optimized escaped comma handling + +2014-09-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-04 Nikos Mavrogiannopoulos + + * m4/hooks.m4, tests/ocsp.c: require libtasn1 3.9 or later That is because of the ocsp fix. + +2014-09-04 Nikos Mavrogiannopoulos + + * tests/crq_apis.c: tests: extended crq API checks + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/x509/x509_write.c: doc update + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/x509/x509_dn.c: when setting a DN properly handle spaces and + escaped commas + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/x509/common.c, lib/x509/common.h, lib/x509/crl.c, + lib/x509/x509.c: The get_raw_dn() functions were modified to work + even if the certificate is generated (not imported) + +2014-09-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/gnutls_dtls.c: Disallow zero fragments in DTLS for packets + which have data. Reported by Manuel Pégourié-Gonnard. 
+ +2014-09-04 Nikos Mavrogiannopoulos + + * configure.ac, lib/vasprintf.c: steal openconnect's vasprintf() + implementation + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/vasprintf.c: corrected bundled vasprintf(); reported by Jeff + Lee + +2014-09-04 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h: updated + included libtasn1 + +2014-09-04 Nikos Mavrogiannopoulos + + * tests/ocsp.c: tests: Added tests on the invalid OCSP response + +2014-09-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-03 Nikos Mavrogiannopoulos + + * lib/x509/common.h, lib/x509/verify.c: when comparing an + end-certificate with the trusted list compare the entire certificate + +2014-09-02 Nikos Mavrogiannopoulos + + * tests/test-chains.h: tests: Added test for amazon.com chain with + new verisign CA. + +2014-09-02 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/x509/common.c, + lib/x509/common.h, lib/x509/crl.c, lib/x509/verify.c, + lib/x509/x509.c, lib/x509/x509_int.h: when comparing a CA + certificate with the trusted list compare the name and key That is to handle cases where a CA certificate was superceded by a + different one with the same name and the same key. That can happen + when an intermediate CA certificate is replaced by a self-signed + one. 
+ +2014-08-29 Nikos Mavrogiannopoulos + + * lib/x509/common.c, lib/x509/crl.c, lib/x509/x509.c: avoid new + allocations and keep a pointer to the DER data for DN + +2014-08-29 Nikos Mavrogiannopoulos + + * lib/x509/crl.c, lib/x509/verify.c, lib/x509/x509_int.h: when + importing a CRL keep the DER data + +2014-08-29 Nikos Mavrogiannopoulos + + * lib/x509/common.c, lib/x509/common.h, lib/x509/crq.c, + lib/x509/verify.c, lib/x509/x509.c, lib/x509/x509_int.h: when + importing a certificate, keep the DER data + +2014-09-03 Nikos Mavrogiannopoulos + + * lib/fips.c: fips140: check the integrity of GMP + +2014-09-02 Nikos Mavrogiannopoulos + + * lib/fips.c, lib/fips.h, lib/gnutls_global.c, + lib/nettle/int/dsa-fips.h: perform the FIPS140-2 self tests in two + rounds One round is before the AES acceleration is registered, and the + second is after. That is to allow testing of the AES implementation + used in the DRBG. That is a hack until nettle handles all cipher + acceleration. Conflicts: lib/gnutls_global.c + +2014-09-01 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-01 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c: name constraints: do not check CN + when a DNSname is available + +2014-09-01 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes-self-test.c, lib/nettle/int/drbg-aes.h: + drbg-aes: added checks in the error handling of the functions That coverts the instantiate and generation functions. 
+ +2014-09-01 Nikos Mavrogiannopoulos + + * lib/crypto-selftests.c: fips140: fail on encryption test failure + +2014-09-01 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes.c: drbg-aes: if the continuous test fails, + put the library into error state + +2014-08-31 Nikos Mavrogiannopoulos + + * doc/cha-tokens.texi, doc/cha-upgrade.texi, doc/latex/cover.tex: + small doc updates + +2014-08-31 Nikos Mavrogiannopoulos + + * doc/Makefile.am, doc/cha-tokens.texi, doc/latex/cover.tex: doc: + fixes in sectioning for p11tool and tpmtool invocation + +2014-08-29 Tristan Matthews + + * lib/ext/alpn.c: alpn: fix version documentation 
Signed-off-by: Nikos Mavrogiannopoulos + +2014-08-29 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: allow printing multiple types of tokens + +2014-08-29 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: refer to rfc6125 + +2014-08-29 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: additional sanity check in RSA key generation + testing in FIPS-140-2 mode The encrypted data are checked to differ from the plaintext, to + prevent any issues with an accidental null encryption. + +2014-08-29 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: when in FIPS140-2 mode switch the library to + error state if key generation fails + +2014-08-29 Nikos Mavrogiannopoulos + + * cfg.mk, configure.ac, devel/openssl, + lib/accelerated/x86/Makefile.am, lib/accelerated/x86/x86-common.c: + added configuration option --disable-padlock That allows keeping hardware acceleration in x86 but without support + for padlock. + +2014-08-28 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-28 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: when listing tokens, list their type as + well + +2014-08-27 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: hide _gnutls_x86_cpuid_s + +2014-08-27 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: gnutls_pkcs11_obj_list_import_url2() will import + data in a single pass + +2014-08-26 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-26 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: when reading PKCS #11 objects, read multiple + objects at a time That improves the performance significantly when reading from tokens + with a significant number of objects. Reported by David Woodhouse. 
+ +2014-08-26 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: do not fail the entire operation if a single + object cannot be imported + +2014-08-26 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: allow objects without label or without ID + +2014-08-26 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-26 Nikos Mavrogiannopoulos + + * tests/test-chains.h: tests: updated name constraints checks to not + include a CN + +2014-08-26 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c, lib/x509/x509.c: doc update + +2014-08-26 Nikos Mavrogiannopoulos + + * lib/x509/verify.c: only check name constraints in non-CA + certificates + +2014-08-26 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c: ignore constraints for different type + than the checked + +2014-08-26 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c: when verifying name constrains + enforce the single CN rule + +2014-08-25 Nikos Mavrogiannopoulos + + * src/libopts/autoopts.h: check for stdnoreturn.h presence + +2014-08-24 Alon Bar-Lev + + * tests/Makefile.am, tests/x509cert-tl.c: build: tests: x509cert-tl: + support separate builddir Signed-off-by: Alon Bar-Lev + +2014-08-24 Alon Bar-Lev + + * lib/gnutls_privkey.c: build: condition pkcs11 block 
Signed-off-by: Alon Bar-Lev + +2014-08-24 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.7 + +2014-08-23 Nikos Mavrogiannopoulos + + * lib/gnutls_record.c: record: tolerate a finished packet with + errors in DTLS + +2014-08-23 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-23 Nikos Mavrogiannopoulos + + * lib/gnutls_record.c: record: in DTLS discard only messages that + cause unexpected packet errors + +2014-08-23 Nikos Mavrogiannopoulos + + * src/socket.c: tools: use the AI_IDN flag in getaddrinfo if it + exists + +2014-08-23 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-23 Nikos Mavrogiannopoulos + + * src/certtool-common.c, src/certtool-extras.c, src/common.c, + src/danetool.c, src/socket.c: danetool: added openssl-linking + exception That allows linking against unbound. + +2014-08-23 Nikos Mavrogiannopoulos + + * src/danetool.c: danetool: ensure the temporary file is always + removed + +2014-08-22 Nikos Mavrogiannopoulos + + * lib/gnutls_errors.c: doc update + +2014-08-22 Nikos Mavrogiannopoulos + + * lib/nettle/int/dsa-keygen-fips186.c: prevent 1024-bit DSA + parameter generation only when FIPS-mode is enabled. + +2014-08-22 Nikos Mavrogiannopoulos + + * lib/nettle/int/dsa-keygen-fips186.c: Revert "removed pbits=1024, + qbits=160 from the acceptable bit sizes in FIPS140-2 DSA parameter + generation." This reverts commit 110527d9bb9ca70a66ae8173769067f133fd3cf7. 
+ +2014-08-21 Nikos Mavrogiannopoulos + + * lib/system.c: use the windows API in windows even if iconv is + available + +2014-08-20 Nikos Mavrogiannopoulos + + * lib/minitasn1/decoding.c: updated libtasn1 + +2014-08-20 Nikos Mavrogiannopoulos + + * lib/minitasn1/decoding.c: updated minitasn1 + +2014-08-20 Nikos Mavrogiannopoulos + + * m4/hooks.m4: configure: print error message when nettle is 3.0 or + later + +2014-08-18 Nikos Mavrogiannopoulos + + * lib/x509/crl.c, lib/x509/pkcs7.c, lib/x509/privkey.c, + lib/x509/x509.c, lib/x509/x509_int.h: Safer reinitialization of + structures on re-import to avoid memory leaks. That also adds the gnutls_pkcs7_t structure into the list of allowed + to re-import. + +2014-08-17 Nikos Mavrogiannopoulos + + * lib/verify-tofu.c: doc update + +2014-08-17 Nikos Mavrogiannopoulos + + * lib/verify-tofu.c: doc update + +2014-08-16 Nikos Mavrogiannopoulos + + * lib/x509/crl.c, lib/x509/pkcs12.c, lib/x509/privkey.c, + lib/x509/privkey_pkcs8.c, lib/x509/x509.c, lib/x509/x509_int.h: + Re-initialize the ASN.1 structures on every import That allows to import a key/certificate on a structure even if the + previous import failed. + +2014-08-14 Nikos Mavrogiannopoulos + + * symbols.last: symbols.last: added private entry + +2014-08-14 Nikos Mavrogiannopoulos + + * src/cli-args.def, src/cli.c: gnutls-cli: added --fips140-mode + command line option That option will report the status of the FIPS140-2 mode in the + library. 
+ +2014-08-14 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-14 Nikos Mavrogiannopoulos + + * lib/fips.c: The environment variable GNUTLS_FORCE_FIPS_MODE can be + used to force the FIPS-140-2 mode + +2014-08-13 Nikos Mavrogiannopoulos + + * src/common.h: gnutls-cli/danetool: corrected check on ipv6 IPs + +2014-08-13 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-13 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/cli.c, src/common.h, src/danetool.c: + gnutls-cli/danetool: added a common check for hostname being an IP + +2014-08-13 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: Follow the rfc6125 requirement that a + single CN must be present for hostname verification. Follow up on the original commit that simplifies checking for more + than a single hostname. + +2014-08-13 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c, tests/hostname-check.c: Follow the + rfc6125 requirement that a single CN must be present for hostname + verification. + +2014-08-12 Nikos Mavrogiannopoulos + + * tests/hostname-check.c: tests: check that + gnutls_x509_crt_check_hostname() will correctly use the last CN when + multiple + +2014-08-12 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: when checking the hostname of a + certificate with multiple CNs use the "most specific" CN In our case we use the last CN present in the DN. Reported by David + Woodhouse. 
https://bugzilla.mozilla.org/show_bug.cgi?id=307234#c2 + +2014-08-11 Nikos Mavrogiannopoulos + + * src/benchmark-cipher.c: gnutls-cli: more organized printing of + cipher benchmark output + +2014-08-11 Nikos Mavrogiannopoulos + + * src/benchmark-tls.c: gnutls-cli: removed salsa20 from the + benchmarked ciphers + +2014-08-11 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-11 Nikos Mavrogiannopoulos + + * lib/algorithms.h, lib/algorithms/mac.c, lib/libgnutls.map: + mac_to_entry -> _gnutls_mac_to_entry + +2014-08-10 Nikos Mavrogiannopoulos + + * lib/libgnutls.map, tests/pkcs12_s2k.c: tests: updated string to + keys tests for new internal API + +2014-08-10 Nikos Mavrogiannopoulos + + * tests/pkcs12-decode/Makefile.am, tests/pkcs12-decode/pkcs12: + tests: test the decoding of a PKCS #12 structure with SHA256 MAC + +2014-08-10 Nikos Mavrogiannopoulos + + * lib/algorithms.h, lib/x509/pkcs12.c, lib/x509/pkcs12_encr.c, + lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: pkcs12: Allow + verification with structures that support other than HMAC-SHA1 MACs. 
+ +2014-08-11 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: gnutls_pkcs11_obj_flags_get_str: mention UNWRAP + +2014-08-10 Nikos Mavrogiannopoulos + + * lib/x509/pkcs12.c: updated doc for gnutls_pkcs12_simple_parse() + +2014-08-09 Nikos Mavrogiannopoulos + + * src/danetool.c: danetool: obtain certificate only once + +2014-08-09 Nikos Mavrogiannopoulos + + * m4/hooks.m4: bumped version + +2014-08-09 Nikos Mavrogiannopoulos + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: added new + functions + +2014-08-09 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11: + modified prototype and doc to be recognized by doc parser + +2014-08-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-09 Nikos Mavrogiannopoulos + + * src/cli-debug-args.def, src/danetool-args.def, src/socket.c: + danetool/gnutls-cli-debug: added support for imap starttls + +2014-08-09 Nikos Mavrogiannopoulos + + * doc/manpages/tpmtool.1: auto-generated files update + +2014-08-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-09 Nikos Mavrogiannopoulos + + * src/cli-debug-args.def, src/cli-debug.c: gnutls-cli-debug: + supports SMTP starttls + +2014-08-09 Nikos Mavrogiannopoulos + + * src/danetool-args.def, src/danetool.c, src/socket.c, src/socket.h: + danetool: supports SMTP starttls + +2014-08-09 Nikos Mavrogiannopoulos + + * src/danetool-args.def, src/danetool.c, src/socket.c: danetool: + improvements in information presentation + +2014-08-09 Nikos Mavrogiannopoulos + + * libdane/dane.c: libdane: disable debugging mode + +2014-08-08 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-08 Nikos Mavrogiannopoulos + + * src/Makefile.am, src/cli.c, src/danetool.c, + src/ocsptool-common.c, src/socket.c, src/socket.h, + tests/suite/testdane: danetool: if the certificate to verify against + is not provide it try to obtain it + +2014-08-08 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c: updated documentation for + gnutls_handshake() + 
+2014-08-08 Nikos Mavrogiannopoulos + + * lib/gnutls_pk.c: protect _gnutls_params_get_rsa_raw() from + crashing when exporting an RSA public key That could happen in case of PKCS #11 abstract keys. + +2014-08-08 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: corrected typo + +2014-08-08 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-08 Nikos Mavrogiannopoulos + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + p11tool: added --info parameter That allows obtaining information on a specific object. + +2014-08-08 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c: pkcs11: added + GNUTLS_PKCS11_OBJ_ATTR_MATCH flag This flag allows listing only the tokens that match the URL. That + is, this performs an object URL comparison, rather than a token URL + usage. + +2014-08-08 Nikos Mavrogiannopoulos + + * src/p11tool.c: p11tool: only print the debugging message in + debuglevel > 4 + +2014-08-08 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: check CKA_UNWRAP as well for enabling + GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP + +2014-08-07 Nikos Mavrogiannopoulos + + * doc/cha-intro-tls.texi: removed reference to UMAC + +2014-08-07 Nikos Mavrogiannopoulos + + * doc/cha-intro-tls.texi: removed references to SALSA20 + +2014-08-07 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: doc update + +2014-08-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-07 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: simplified pkcs11_privkey handling A PKCS #11 always holds an open session to the key. 
+ +2014-08-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-07 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c, + src/pkcs11.c: gnutls_pkcs11_flags_get_str -> + gnutls_pkcs11_obj_flags_get_str + +2014-08-07 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-get-issuer.c: + tests: ensure that no environment variables confuse softhsm + +2014-08-07 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: testpkcs11: exit if + export_pubkey_of_privkey fails + +2014-08-07 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c, + lib/pkcs11_int.h, lib/pkcs11_privkey.c, src/p11tool.c, src/pkcs11.c: + pkcs11: added new functions to query the object's flags gnutls_pkcs11_obj_get_flags() allows obtaining an object's flags, + and gnutls_pkcs11_flags_get_str() allows printing them. + +2014-08-07 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h: pkcs11.h: introduced + gnutls_pkcs11_obj_flags + +2014-08-06 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-06 Nikos Mavrogiannopoulos + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + p11tool: simplify the passing of flags and pass the key wrapping + flag + +2014-08-06 Nikos Mavrogiannopoulos + + * src/benchmark-tls.c: gnutls-cli: TLS benchmark parameters were + updated + +2014-08-06 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-06 Nikos Mavrogiannopoulos + + * lib/gnutls_privkey.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: + _gnutls_privkey_get_mpis: extended to work for PKCS #11 keys + +2014-08-06 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_privkey.c: doc update + +2014-08-06 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, + lib/pkcs11_privkey.c, src/pkcs11.c: changed semantics of + gnutls_pkcs11_privkey_get_pubkey; named + gnutls_pkcs11_privkey_export_pubkey Conflicts: lib/libgnutls.map + +2014-08-06 Nikos 
Mavrogiannopoulos + + * NEWS: doc update + +2014-08-06 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_get_pubkey: return + GNUTLS_E_INVALID_REQUEST on invalid params + +2014-08-06 Nikos Mavrogiannopoulos + + * src/p11tool.c: p11tool: activate the --batch option + +2014-08-06 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: testpkcs11: Test the export of public key + +2014-08-06 Wolfgang Meyer zu Bergsten + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + add public key export to p11tool Signed-off-by: Wolfgang Meyer zu Bergsten + +2014-08-04 Wolfgang Meyer zu Bergsten + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, + lib/pkcs11_privkey.c: add pubkey export from private key in pkcs11 + subsystem There are cases where we need to export the public key of private + key at a later time. Previously, the public key was only available + immediately after creation of a key pair. This patch allows to + retrieve the public key of a private key at any time after creation. Signed-off-by: Wolfgang Meyer zu Bergsten + +2014-08-06 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: documented flags format + +2014-08-04 Wolfgang Meyer zu Bergsten + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: improve + compatibility in pkcs11 key generation * add key wrap/unwrap key usage * explicitly set public exponent in template 
Signed-off-by: Wolfgang Meyer zu Bergsten + +2014-08-06 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/tests.c: gnutls-cli-debug: added AES and + CAMELLIA to the list of default ciphers + +2014-08-05 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c, lib/x509/x509.c: doc: replaced non-0 with + non-zero + +2014-08-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-04 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c: pkcs8: initialize parameters on + decryption + +2014-07-31 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-common.c, lib/system.h, lib/x509/verify-high2.c: + several windows compilation fixes Conflicts: lib/atfork.h + +2014-07-29 Nikos Mavrogiannopoulos + + * src/libopts/COPYING.gplv3, src/libopts/COPYING.lgplv3, + src/libopts/README, src/libopts/ag-char-map.h, src/libopts/alias.c, + src/libopts/ao-strs.c, src/libopts/ao-strs.h, + src/libopts/autoopts.c, src/libopts/autoopts.h, + src/libopts/autoopts/options.h, src/libopts/autoopts/project.h, + src/libopts/autoopts/usage-txt.h, src/libopts/boolean.c, + src/libopts/check.c, src/libopts/compat/compat.h, + src/libopts/compat/windows-config.h, src/libopts/configfile.c, + src/libopts/cook.c, src/libopts/enum.c, src/libopts/env.c, + src/libopts/file.c, src/libopts/find.c, src/libopts/genshell.c, + src/libopts/genshell.h, src/libopts/gettext.h, src/libopts/init.c, + src/libopts/load.c, src/libopts/m4/libopts.m4, + src/libopts/m4/liboptschk.m4, src/libopts/makeshell.c, + src/libopts/nested.c, src/libopts/numeric.c, + src/libopts/option-value-type.c, src/libopts/option-value-type.h, + src/libopts/option-xat-attribute.c, + src/libopts/option-xat-attribute.h, src/libopts/parse-duration.c, + src/libopts/parse-duration.h, src/libopts/pgusage.c, + src/libopts/proto.h, src/libopts/putshell.c, src/libopts/reset.c, + src/libopts/restore.c, src/libopts/save.c, src/libopts/sort.c, + src/libopts/stack.c, src/libopts/streqvcmp.c, + src/libopts/text_mmap.c, src/libopts/time.c, + src/libopts/tokenize.c, 
src/libopts/usage.c, src/libopts/version.c: + updated to libopts 5.18.3 + +2014-07-29 Nikos Mavrogiannopoulos + + * build-aux/config.rpath, build-aux/gendocs.sh, + doc/gendocs_template, gl/m4/gnulib-common.m4, gl/m4/intl.m4, + gl/m4/po.m4, gl/m4/printf.m4, gl/m4/valgrind-tests.m4, + gl/tests/fcntl.in.h, maint.mk, src/gl/error.c, src/gl/m4/dup2.m4, + src/gl/m4/gnulib-common.m4, src/gl/m4/printf.m4, src/gl/mktime.c, + src/gl/select.c, src/gl/xalloc.h: updated gnulib + +2014-07-29 Nikos Mavrogiannopoulos + + * lib/x509/pkcs12.c: updated documentation for + gnutls_pkcs12_simple_parse + +2014-07-29 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: bumped versions + +2014-07-28 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-28 Nikos Mavrogiannopoulos + + * lib/Makefile.am, lib/inet_pton.c, lib/system.h, + lib/x509/rfc2818_hostname.c: Added replacements of inet_aton and + inet_pton on systems they are not present gnulib is avoided due to keep the gnulib network replacements out of + the library. + +2014-07-28 Nikos Mavrogiannopoulos + + * doc/cha-cert-auth.texi: Added text on PKCS #11 verification + +2014-07-27 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/abstract.h, lib/includes/gnutls/gnutls.h.in, + lib/includes/gnutls/ocsp.h, lib/includes/gnutls/pkcs11.h, + lib/includes/gnutls/x509.h: removed comma at the end of enumerations That patch allows compilers that don't support C99 syntax to compile + applications that use a header of gnutls. Report and patch Ryan + Schmidt. + +2014-07-27 Nikos Mavrogiannopoulos + + * Makefile.am, configure.ac, doc/Makefile.am: check for sed in + configure.ac and use the output variable in Makefiles + +2014-07-24 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c: doc update + +2014-07-23 Nikos Mavrogiannopoulos + + * tests/dane.c: tests: dane: add flag DANE_F_IGNORE_LOCAL_RESOLVER + to dane_state_init That prevents unbound from complaining in systems where no DNSSEC + functionality is present. 
+ +2014-07-23 Nikos Mavrogiannopoulos + + * libdane/dane.c: doc update + +2014-07-23 Nikos Mavrogiannopoulos + + * tests/Makefile.am: tests: added libdane/includes to includes dir + +2014-07-23 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.6 + +2014-07-23 Nikos Mavrogiannopoulos + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: Added + missing functions + +2014-07-22 Nikos Mavrogiannopoulos + + * m4/hooks.m4: bumped library version + +2014-07-22 Nikos Mavrogiannopoulos + + * libdane/dane.c: libdane: simplified initialization of variables. + +2014-07-22 Nikos Mavrogiannopoulos + + * libdane/dane.c: libdane: bogus and secure values are always + initialized in dane_query_to_raw_tlsa + +2014-07-22 Nikos Mavrogiannopoulos + + * tests/dane.c: tests: eliminated leak from dane check + +2014-07-22 Nikos Mavrogiannopoulos + + * libdane/dane.c: libdane: use gnutls_malloc() and doc update + +2014-07-22 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/dane.c: Added self test for DANE raw + functions + +2014-07-22 Nikos Mavrogiannopoulos + + * src/danetool-args.def, src/danetool.c: danetool: added option to + print the raw entries. + +2014-07-22 Nikos Mavrogiannopoulos + + * libdane/dane.c: doc update + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/libgnutls.map: moved _gnutls_prf_raw to FIPS140 symbols + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/aes-gcm-x86-pclmul.c, + lib/accelerated/x86/aes-padlock.c: Added sanity check on padlock AES + IV set. + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c, lib/libgnutls.map: fips140-2: Added + _gnutls_prf_raw() which can calculate the TLS PRF without depending + on a session structure. + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/fips.c: fips140-2: do not check the libtasn1's integrity + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/algorithms/ciphersuites.c: RSA-PSK ciphersuites are only + allowed in TLS 1.0. 
That is because they implement the EncryptedPreMasterSecret encoding + according to RFC 4279, which uses the TLS 1.0 (RFC 2246) encoding, + and there can be ambiguities when using that over SSL 3.0. See: + http://lists.gnupg.org/pipermail/gnutls-help/2014-July/003546.html + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: gnutls_priority_init: set err_pos prior to + any action That allows a valid err_pos, even on a memory allocation error. + Reported by Dan Fandrich. + +2014-07-22 Nikos Mavrogiannopoulos + + * doc/TODO: updated TODO + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/algorithms/ciphersuites.c: minimum version was changed to TLS + 1.0 for ciphersuites with SHA2 These ciphersuites could not be used with SSL 3.0 that only defines + usage of MD5 or SHA1 MACs. Reported by Manuel Pegourie-Gonnard. + +2014-07-21 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: ignore CKR_CRYPTOKI_ALREADY_INITIALIZED when + returned on reinitialization + +2014-07-21 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/x509cert-dir/ca.pem, tests/x509cert-tl.c: + tests: x509cert-tl checks gnutls_x509_trust_list_add_trust_dir() + +2014-07-21 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: doc update + +2014-07-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-21 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: Added gnutls_certificate_set_x509_trust_dir() + +2014-07-21 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/system.c, + lib/x509/verify-high2.c: Added + gnutls_x509_trust_list_add_trust_dir() This essentially exports the functionality to read from a directory + with trusted certificates. 
+ +2014-07-21 Nikos Mavrogiannopoulos + + * configure.ac, lib/system.c: Allow specifying a directory as trust + store + +2014-07-11 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-10 Simon Arlott + + * libdane/dane.c, libdane/includes/gnutls/dane.h, + libdane/libdane.map: libdane: add function dane_query_to_raw_tlsa This function converts a dane_query_t into the parameters needed for + dane_raw_tlsa() to make it easy to copy the results of the + (synchronous) lookup query from one process to another. This code allocates an unnecessary extra NULL entry for + dane_data_len to avoid trying to malloc 0 bytes if q->data_entries + is 0 (it is possible for malloc/calloc to return NULL when requested + to allocate 0 bytes). 
Signed-off-by: Simon Arlott + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/fips.c: FIPS140-2 tests: no need for MD5 check + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/fips.c: FIPS140-2 tests: removed redundant checks We keep on check per cipher which is required, and avoid multiple + (and time-consuming) tests. + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: Allow specifying + GNUTLS_CPUID_OVERRIDE in either hex or decimal. + +2014-07-08 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: Added option to disable any cpu + optimizations + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c, + lib/accelerated/x86/x86-common.h: simplified housekeeping of CPUID + registers + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: Allow overriding the detected + CPUID using the GNUTLS_CPUID_OVERRIDE environment variable + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: FIPS140-2 tests: Added pairwise consistency + check for RSA encryption + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/crypto-selftests-pk.c: FIPS140-2 tests: check with DSA-2048 + and DSA-3072 bit keys, as well as SHA256. 
+ +2014-07-08 Nikos Mavrogiannopoulos + + * lib/crypto-selftests-pk.c: FIPS140-2 tests: check with RSA-2048 + and RSA-3072 bit keys + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/crypto-selftests-pk.c: tests: check RSA with SHA256 + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/crypto-selftests-pk.c: FIPS140-2 mode: test whether RSA + encrypted data differ from plaintext + +2014-07-07 Nikos Mavrogiannopoulos + + * lib/nettle/cipher.c: FIPS140-2 mode: enforce the minimum GCM IV + size required by SP800-38D (section 8.2) + +2014-07-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-07 Nikos Mavrogiannopoulos + + * src/certtool-args.def, src/certtool-common.c, + src/certtool-common.h, src/certtool.c, src/p11tool-args.def, + src/p11tool.c: p11tool/certtool: Added --curve parameter. The curve parameter allows to explicitly specify the curve to use + when generating a key. + +2014-07-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-07 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_privkey.c, + lib/pkcs11_write.c, lib/x509/key_encode.c, lib/x509/x509_int.h: set + CKA_EC_PARAMS when generating an ECDSA key + +2014-07-07 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: only print warning about key sizes in RSA + keys + +2014-07-07 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: make brief output more brief + +2014-07-07 Nikos Mavrogiannopoulos + + * lib/nettle/mpi.c, lib/nettle/pk.c: mpi: use zeroize_key() instead + of memset() + +2014-07-06 Nikos Mavrogiannopoulos + + * libdane/dane.c: dane: Skip DANE entries that may contain unknown + info That would allow skipping any future entries without failing. + Reported by Simon Arlott. + +2014-07-06 Nikos Mavrogiannopoulos + + * libdane/dane.c: dane: Added sanity check in dane_verify_crt_raw() That allows calling the function will an empty chain. Reported by + Simon Arlott. 
+ +2014-07-06 Nikos Mavrogiannopoulos + + * doc/examples/ex-cert-select-pkcs11.c, + doc/examples/ex-cert-select.c, doc/examples/ex-client-dtls.c, + doc/examples/ex-client-srp.c, doc/examples/ex-client-x509.c, + doc/examples/ex-serv-anon.c, doc/examples/ex-serv-pgp.c, + doc/examples/ex-serv-psk.c, doc/examples/ex-serv-srp.c, + doc/examples/ex-serv-x509.c: examples: mention that + gnutls_global_init() is optional + +2014-07-06 Nikos Mavrogiannopoulos + + * doc/cha-tokens.texi: doc: mention and link to trust storage module + +2014-07-06 Nikos Mavrogiannopoulos + + * doc/cha-bib.texi, doc/cha-tokens.texi: doc update + +2014-07-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-04 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: Removed length check of attribute as + a sanity check for valid keys. There can be keys where the id or label is empty and thus with zero + length. + +2014-07-04 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: Increased number of attributes + +2014-07-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-03 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: try to restart on session errors, to avoid + having a failed call. + +2014-07-03 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: corrected pkcs11 reinitialization + +2014-07-03 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: If we get a PKCS #11 session error, + invalidate the cached session. + +2014-07-03 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: set the maximum value when printing + library_description + +2014-07-03 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_privkey.c: On fork invalidate the PKCS + #11 privkey cached session + +2014-07-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-03 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: don't outsmart user and override login type Unfortunately tokens vary on their requirements for writing trusted + and private objects, and there is no one-size fits all policy. 
Thus + allow a proper failure and warn the user that so-login may be + required. + +2014-07-03 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: testpkcs11: Try to write the trusted + object both by so-pin and normal pin + +2014-07-02 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: tests: testpkcs11: temp parameters are + deleted after generation + +2014-07-02 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2014-07-02 Nikos Mavrogiannopoulos + + * tests/suite/Makefile.am: tests: added testpkcs11.sc-hsm + +2014-07-02 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-02 Nikos Mavrogiannopoulos + + * src/p11tool-args.def, src/pkcs11.c: p11tool: use GNUTLS_PIN and + GNUTLS_SO_PIN when setting the PINs of an initialized token. + +2014-07-02 Nikos Mavrogiannopoulos + + * tests/slow/gendh.c: tests: gendh: increased the DH prime size to + allow usage under FIPS140-2 mode + +2014-07-02 Nikos Mavrogiannopoulos + + * src/common.c: tools: when in batch mode and no PIN, print a note + about using the environment variables + +2014-07-02 Nikos Mavrogiannopoulos + + * tests/crq_key_id.c: tests: crq_key_id: increased generated DSA key + size and changed hash to SHA256 That allows the test to operate under the FIPS140-2 mode. + +2014-07-02 Nikos Mavrogiannopoulos + + * tests/crq_key_id.c: tests: improved error reporting in crq_key_id + +2014-07-02 Nikos Mavrogiannopoulos + + * doc/cha-upgrade.texi: doc: properly terminate table + +2014-07-02 Nikos Mavrogiannopoulos + + * lib/nettle/int/dsa-keygen-fips186.c: removed pbits=1024, qbits=160 + from the acceptable bit sizes in FIPS140-2 DSA parameter generation. + +2014-07-02 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-02 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-02 Nikos Mavrogiannopoulos + + * src/certtool.c, src/common.c, src/common.h, src/danetool.c, + src/pkcs11.c, src/serv.c: tools: PIN callback will respect batch + mode and will not ask for PIN. 
+ +2014-07-02 Nikos Mavrogiannopoulos + + * src/certtool-common.h, src/p11tool-args.def, src/p11tool.c, + src/p11tool.h, src/pkcs11.c: p11tool: Ask for label if not + specified. Added --batch parameter to disable interaction. + +2014-07-02 Nikos Mavrogiannopoulos + + * src/p11tool.c, src/p11tool.h, src/pkcs11.c: p11tool: If there is + only a single token available, don't bother complaining about + specifying the correct URL + +2014-07-02 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes.h: updated comment + +2014-07-01 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-01 Nikos Mavrogiannopoulos + + * src/certtool-args.def: certtool: document that URLs are supported + +2014-07-01 Nikos Mavrogiannopoulos + + * src/p11tool-args.def: p11tool: document GNUTLS_SO_PIN env variable + +2014-07-01 Nikos Mavrogiannopoulos + + * tests/suite/Makefile.am, tests/suite/testpkcs11, + tests/suite/testpkcs11.pkcs15, tests/suite/testpkcs11.sc-hsm, + tests/suite/testpkcs11.softhsm: tests: improved testpkcs11 suite + +2014-07-01 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: + gnutls_pkcs11_privkey_generate2(): corrected public key extraction + (for ECDSA keys) + +2014-07-01 Nikos Mavrogiannopoulos + + * src/common.c: p11tool/certtool: use GNUTLS_SO_PIN for reading + security officer's PIN + +2014-07-01 Nikos Mavrogiannopoulos + + * src/certtool-common.h, src/p11tool-args.def, src/p11tool.c, + src/pkcs11.c: p11tool: added options --set-pin and --set-so-pin These allow for an non-interactive --initialize process. + +2014-06-30 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: Added explicit documentation on IPv4 + and IPv6 address matching. 
+ +2014-06-29 Nikos Mavrogiannopoulos + + * tests/long-session-id.c: tests: long-session-id: ignore SIGPIPE + +2014-06-29 Nikos Mavrogiannopoulos + + * doc/cha-upgrade.texi: doc: Added text on upgrading to 3.3.x from + 3.2.x + +2014-06-27 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: do not exit the loop in case a name + doesn't fit into our buffer. + +2014-06-27 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: when verifying an IP, also verify it + as a hostname There are several misconfigured servers that placed their IP as a + DNS name. Pointed out by David Woodhouse. + +2014-06-27 Nikos Mavrogiannopoulos + + * lib/x509/output.c: supress warnings + +2014-06-27 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-06-27 Nikos Mavrogiannopoulos + + * configure.ac, lib/x509/rfc2818_hostname.c: check of inet_pton + instead for AF_INET6 + +2014-06-27 Nikos Mavrogiannopoulos + + * configure.ac, lib/x509/output.c: Use inet_ntop() for printing IP + addresses. The old dumb code is used in systems that don't have that function. + +2014-06-27 Nikos Mavrogiannopoulos + + * tests/hostname-check.c: tests: Added test cases for IPv4/6 + matching. + +2014-06-27 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: gnutls_x509_crt_check_hostname() + checks text ip addresses as well. That aligns the documentation with the implementation. Reported by + David Woodhouse. + +2014-06-27 Nikos Mavrogiannopoulos + + * lib/gnutls_str.c: initialize str to NULL + +2014-06-26 Nikos Mavrogiannopoulos + + * lib/x509/crl.c: fixed documentation + 2014-06-26 Nikos Mavrogiannopoulos * tests/cert-tests/aki, tests/cert-tests/pathlen, 
@@ -1083,9 +6732,9 @@ lib/accelerated/x86/aes-padlock.c, lib/accelerated/x86/sha-padlock.c, lib/accelerated/x86/sha-x86-ssse3.c, - lib/accelerated/x86/x86-common.c, lib/accelerated/x86/x86-common.h, - lib/accelerated/x86/x86.h: x86.h was renamed to x86-common.h to - avoid clashes with system headers. + lib/accelerated/x86/x86-common.c, lib/accelerated/x86/{x86.h => + x86-common.h}: x86.h was renamed to x86-common.h to avoid clashes + with system headers. 2014-04-27 Nikos Mavrogiannopoulos @@ -1723,18 +7372,16 @@ 2014-04-03 Nikos Mavrogiannopoulos - * configure.ac, tests/Makefile.am, tests/key-id/Makefile.am, - tests/key-id/README, tests/key-id/ca-gnutls-keyid.pem, - tests/key-id/ca-no-keyid.pem, tests/key-id/ca-weird-keyid.pem, - tests/key-id/key-ca.pem, tests/key-id/key-id, - tests/key-id/key-user.pem, tests/key-tests/Makefile.am, - tests/key-tests/README, tests/key-tests/ca-gnutls-keyid.pem, - tests/key-tests/ca-no-keyid.pem, - tests/key-tests/ca-weird-keyid.pem, tests/key-tests/key-ca-1234.p8, + * configure.ac, tests/Makefile.am, tests/{key-id => + key-tests}/Makefile.am, tests/{key-id => key-tests}/README, + tests/{key-id => key-tests}/ca-gnutls-keyid.pem, tests/{key-id => + key-tests}/ca-no-keyid.pem, tests/{key-id => + key-tests}/ca-weird-keyid.pem, tests/key-tests/key-ca-1234.p8, tests/key-tests/key-ca-empty.p8, tests/key-tests/key-ca-null.p8, - tests/key-tests/key-ca.pem, tests/key-tests/key-id, - tests/key-tests/key-user.pem, tests/key-tests/pkcs8: Added self-test - for PKCS #8 key conversion and reading + tests/{key-id => key-tests}/key-ca.pem, tests/{key-id => + key-tests}/key-id, tests/{key-id => key-tests}/key-user.pem, + tests/key-tests/pkcs8: Added self-test for PKCS #8 key conversion + and reading 2014-04-03 Nikos Mavrogiannopoulos 
@@ -2243,9 +7890,9 @@ 2014-03-06 Kevin Cernekee - * .gitignore, doc/manpages/Makefile.am, src/Makefile.am, - src/psk-args.def, src/psk.c, src/psktool-args.def: Rename - psk-args.def to psktool-args.def Other utilities generate invoke-%.texi from %-args.def, but + * .gitignore, doc/manpages/Makefile.am, src/Makefile.am, src/psk.c, + src/{psk-args.def => psktool-args.def}: Rename psk-args.def to + psktool-args.def Other utilities generate invoke-%.texi from %-args.def, but currently invoke-psktool.texi is generated from psk-args.def. If we make psktool conform to the same convention as the other utilities, we can use a generic pattern to handle all of them the same way. Signed-off-by: Kevin Cernekee @@ -3494,7 +9141,7 @@ 2014-01-26 Nikos Mavrogiannopoulos * doc/scripts/getfuncs-map.pl, lib/libgnutls.map: added - gnutls_realloc_fast to false positives Conflicts: lib/libgnutls.map + gnutls_realloc_fast to false positives Conflicts: lib/libgnutls.map 2014-01-26 Nikos Mavrogiannopoulos @@ -4400,7 +10047,7 @@ 2013-12-20 Nikos Mavrogiannopoulos - * lib/Makefile.am: libtasn1 generated files are set in BUILT_SOURCES Conflicts: lib/Makefile.am + * lib/Makefile.am: libtasn1 generated files are set in BUILT_SOURCES Conflicts: lib/Makefile.am 2013-12-18 Nikos Mavrogiannopoulos @@ -4581,11 +10228,9 @@ 2013-12-14 Nikos Mavrogiannopoulos - * lib/accelerated/x86/Makefile.am, - lib/accelerated/x86/hmac-x86-ssse3.c, - lib/accelerated/x86/hmac-x86.c, - lib/accelerated/x86/sha-x86-ssse3.c, lib/accelerated/x86/sha-x86.c: - use better names for files + * lib/accelerated/x86/Makefile.am, lib/accelerated/x86/{hmac-x86.c + => hmac-x86-ssse3.c}, lib/accelerated/x86/{sha-x86.c => + sha-x86-ssse3.c}: use better names for files 2013-12-14 Nikos Mavrogiannopoulos 
@@ -4598,13 +10243,12 @@ 2013-12-14 Nikos Mavrogiannopoulos * lib/accelerated/x86/Makefile.am, - lib/accelerated/x86/aes-gcm-x86-pclmul.c, + lib/accelerated/x86/{aes-gcm-x86.c => aes-gcm-x86-pclmul.c}, lib/accelerated/x86/aes-gcm-x86-ssse3.c, - lib/accelerated/x86/aes-gcm-x86.c, lib/accelerated/x86/aes-x86.c, - lib/accelerated/x86/aes-x86.h, lib/accelerated/x86/hmac-x86.c, - lib/accelerated/x86/sha-x86.c, lib/accelerated/x86/sha-x86.h: When - PCLMUL isn't available use the SSSE3 implementation of AES to - optimize GCM. + lib/accelerated/x86/aes-x86.c, lib/accelerated/x86/aes-x86.h, + lib/accelerated/x86/hmac-x86.c, lib/accelerated/x86/sha-x86.c, + lib/accelerated/x86/sha-x86.h: When PCLMUL isn't available use the + SSSE3 implementation of AES to optimize GCM. 2013-12-14 Nikos Mavrogiannopoulos 
@@ -4698,40 +10342,28 @@ devel/perlasm/sha512-ssse3-x86_64.pl, lib/accelerated/x86/Makefile.am, lib/accelerated/x86/aes-padlock.h, lib/accelerated/x86/aes-x86.c, - lib/accelerated/x86/coff/aesni-x86.s, - lib/accelerated/x86/coff/aesni-x86_64.s, - lib/accelerated/x86/coff/appro-aes-gcm-x86-64-coff.s, - lib/accelerated/x86/coff/appro-aes-x86-64-coff.s, - lib/accelerated/x86/coff/appro-aes-x86-coff.s, - lib/accelerated/x86/coff/cpuid-x86-64-coff.s, - lib/accelerated/x86/coff/cpuid-x86-coff.s, - lib/accelerated/x86/coff/cpuid-x86.s, - lib/accelerated/x86/coff/cpuid-x86_64.s, - lib/accelerated/x86/coff/e_padlock-x86.s, - lib/accelerated/x86/coff/e_padlock-x86_64.s, - lib/accelerated/x86/coff/ghash-x86_64.s, - lib/accelerated/x86/coff/openssl-cpuid-x86.s, + lib/accelerated/x86/coff/{appro-aes-x86-coff.s => aesni-x86.s}, + lib/accelerated/x86/coff/{appro-aes-x86-64-coff.s => + aesni-x86_64.s}, lib/accelerated/x86/coff/{cpuid-x86-coff.s => + cpuid-x86.s}, lib/accelerated/x86/coff/{cpuid-x86-64-coff.s => + cpuid-x86_64.s}, lib/accelerated/x86/coff/{padlock-x86-coff.s => + e_padlock-x86.s}, lib/accelerated/x86/coff/{padlock-x86-64-coff.s + => e_padlock-x86_64.s}, + lib/accelerated/x86/coff/{appro-aes-gcm-x86-64-coff.s => + ghash-x86_64.s}, lib/accelerated/x86/coff/openssl-cpuid-x86.s, lib/accelerated/x86/coff/openssl-cpuid-x86_64.s, - lib/accelerated/x86/coff/padlock-x86-64-coff.s, - lib/accelerated/x86/coff/padlock-x86-coff.s, lib/accelerated/x86/coff/sha1-ssse3-x86.s, lib/accelerated/x86/coff/sha1-ssse3-x86_64.s, lib/accelerated/x86/coff/sha256-avx-x86_64.s, lib/accelerated/x86/coff/sha256-ssse3-x86.s, lib/accelerated/x86/coff/sha512-ssse3-x86.s, lib/accelerated/x86/coff/sha512-ssse3-x86_64.s, - lib/accelerated/x86/elf/aesni-x86.s, - lib/accelerated/x86/elf/aesni-x86_64.s, - lib/accelerated/x86/elf/appro-aes-gcm-x86-64.s, - lib/accelerated/x86/elf/appro-aes-x86-64.s, - lib/accelerated/x86/elf/appro-aes-x86.s, - lib/accelerated/x86/elf/cpuid-x86-64.s, - 
lib/accelerated/x86/elf/cpuid-x86_64.s, - lib/accelerated/x86/elf/e_padlock-x86.s, - lib/accelerated/x86/elf/e_padlock-x86_64.s, - lib/accelerated/x86/elf/ghash-x86_64.s, - lib/accelerated/x86/elf/padlock-x86-64.s, - lib/accelerated/x86/elf/padlock-x86.s, + lib/accelerated/x86/elf/{appro-aes-x86.s => aesni-x86.s}, + lib/accelerated/x86/elf/{appro-aes-x86-64.s => aesni-x86_64.s}, + lib/accelerated/x86/elf/{cpuid-x86-64.s => cpuid-x86_64.s}, + lib/accelerated/x86/elf/{padlock-x86.s => e_padlock-x86.s}, + lib/accelerated/x86/elf/{padlock-x86-64.s => e_padlock-x86_64.s}, + lib/accelerated/x86/elf/{appro-aes-gcm-x86-64.s => ghash-x86_64.s}, lib/accelerated/x86/elf/sha1-ssse3-x86.s, lib/accelerated/x86/elf/sha1-ssse3-x86_64.s, lib/accelerated/x86/elf/sha256-avx-x86_64.s, 
@@ -4739,22 +10371,19 @@ lib/accelerated/x86/elf/sha512-ssse3-x86.s, lib/accelerated/x86/elf/sha512-ssse3-x86_64.s, lib/accelerated/x86/files.mk, lib/accelerated/x86/hmac-x86.c, - lib/accelerated/x86/macosx/aesni-x86.s, - lib/accelerated/x86/macosx/aesni-x86_64.s, - lib/accelerated/x86/macosx/appro-aes-gcm-x86-64-macosx.s, - lib/accelerated/x86/macosx/appro-aes-x86-64-macosx.s, - lib/accelerated/x86/macosx/appro-aes-x86-macosx.s, - lib/accelerated/x86/macosx/cpuid-x86-64-macosx.s, + lib/accelerated/x86/macosx/{appro-aes-x86-macosx.s => aesni-x86.s}, + lib/accelerated/x86/macosx/{appro-aes-x86-64-macosx.s => + aesni-x86_64.s}, lib/accelerated/x86/macosx/cpuid-x86-64-macosx.s, lib/accelerated/x86/macosx/cpuid-x86-macosx.s, lib/accelerated/x86/macosx/cpuid-x86.s, lib/accelerated/x86/macosx/cpuid-x86_64.s, - lib/accelerated/x86/macosx/e_padlock-x86.s, - lib/accelerated/x86/macosx/e_padlock-x86_64.s, - lib/accelerated/x86/macosx/ghash-x86_64.s, - lib/accelerated/x86/macosx/openssl-cpuid-x86.s, + lib/accelerated/x86/macosx/{padlock-x86-macosx.s => + e_padlock-x86.s}, + lib/accelerated/x86/macosx/{padlock-x86-64-macosx.s => + e_padlock-x86_64.s}, + lib/accelerated/x86/macosx/{appro-aes-gcm-x86-64-macosx.s => + ghash-x86_64.s}, lib/accelerated/x86/macosx/openssl-cpuid-x86.s, lib/accelerated/x86/macosx/openssl-cpuid-x86_64.s, - lib/accelerated/x86/macosx/padlock-x86-64-macosx.s, - lib/accelerated/x86/macosx/padlock-x86-macosx.s, lib/accelerated/x86/macosx/sha1-ssse3-x86.s, lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s, lib/accelerated/x86/macosx/sha256-avx-x86_64.s, @@ -5040,7 +10669,7 @@ 2013-11-30 Nikos Mavrogiannopoulos - * : Merged the FIPS140-2 support code. Conflicts: lib/gnutls_global.c tests/mini-overhead.c + * : Merged the FIPS140-2 support code. Conflicts: lib/gnutls_global.c tests/mini-overhead.c 2013-11-30 Nikos Mavrogiannopoulos 
@@ -5272,11 +10901,11 @@ 2013-11-25 Nikos Mavrogiannopoulos - * configure.ac, lib/nettle/Makefile.am, lib/nettle/gcm-camellia.c, - lib/nettle/gcm-camellia.h, lib/nettle/int/drbg-aes-self-test.c, - lib/nettle/int/drbg-aes.c, lib/nettle/int/drbg-aes.h, - lib/nettle/int/gcm-camellia.c, lib/nettle/int/gcm-camellia.h, - lib/nettle/rnd-fips.c: Added DRBG submitted to nettle in gnutls. + * configure.ac, lib/nettle/Makefile.am, + lib/nettle/int/drbg-aes-self-test.c, lib/nettle/int/drbg-aes.c, + lib/nettle/int/drbg-aes.h, lib/nettle/{ => int}/gcm-camellia.c, + lib/nettle/{ => int}/gcm-camellia.h, lib/nettle/rnd-fips.c: Added + DRBG submitted to nettle in gnutls. 2013-11-25 Nikos Mavrogiannopoulos @@ -5576,7 +11205,7 @@ lib/x509/verify-high.c, lib/x509/x509.c, lib/xssl.c: Added support for fips states. This implies that when in FIPS mode and the library is not in operational state (i.e., all self checks succeeded), crypto - functionality of the library will fail. This includes: * API functions of gnutls/crypto.h * API functions of gnutls/abstract.h * API functions of gnutls/x509.h * gnutls_init() * API functions of gnutls/xssl.h + functionality of the library will fail. This includes: * API functions of gnutls/crypto.h * API functions of gnutls/abstract.h * API functions of gnutls/x509.h * gnutls_init() * API functions of gnutls/xssl.h 2013-11-11 Nikos Mavrogiannopoulos @@ -5670,7 +11299,7 @@ 2013-11-26 Nikos Mavrogiannopoulos * configure.ac, lib/Makefile.am: Do not link gnutls against librt - unlress it is really necessary. Conflicts: configure.ac lib/Makefile.am + unlress it is really necessary. Conflicts: configure.ac lib/Makefile.am 2013-11-24 Nikos Mavrogiannopoulos 
@@ -5731,10 +11360,9 @@ 2013-11-23 Nikos Mavrogiannopoulos * gl/Makefile.am, gl/m4/gnulib-cache.m4, gl/m4/gnulib-comp.m4, - gl/strerror-override.c, gl/strerror-override.h, gl/strerror.c, - gl/tests/Makefile.am, gl/tests/strerror-override.c, - gl/tests/strerror-override.h, gl/tests/strerror.c: Added strerror - module. + gl/{tests => }/strerror-override.c, gl/{tests => + }/strerror-override.h, gl/{tests => }/strerror.c, + gl/tests/Makefile.am: Added strerror module. 2013-11-23 Nikos Mavrogiannopoulos @@ -6039,11 +11667,10 @@ 2013-11-13 Nikos Mavrogiannopoulos - * gl/Makefile.am, gl/base64.c, gl/intprops.h, + * gl/Makefile.am, gl/base64.c, gl/{tests => }/intprops.h, gl/m4/extern-inline.m4, gl/m4/gnulib-cache.m4, - gl/m4/gnulib-comp.m4, gl/tests/Makefile.am, gl/tests/intprops.h, - maint.mk: Added intprops module (which is needed by newer libtasn1 - versions) + gl/m4/gnulib-comp.m4, gl/tests/Makefile.am, maint.mk: Added intprops + module (which is needed by newer libtasn1 versions) 2013-11-12 Nikos Mavrogiannopoulos 
@@ -7559,19 +13186,18 @@ gl/basename-lgpl.c, gl/bind.c, gl/byteswap.in.h, gl/c-ctype.c, gl/c-ctype.h, gl/close.c, gl/closedir.c, gl/connect.c, gl/dirent-private.h, gl/dirent.in.h, gl/dirname-lgpl.c, - gl/dirname.h, gl/dosname.h, gl/dup2.c, gl/errno.in.h, gl/error.c, - gl/error.h, gl/fd-hook.c, gl/fd-hook.h, gl/filename.h, gl/float+.h, - gl/float.c, gl/float.in.h, gl/fpucw.h, gl/frexp.c, gl/frexpl.c, - gl/fseek.c, gl/fseeko.c, gl/fseterr.c, gl/fseterr.h, gl/fstat.c, - gl/ftell.c, gl/ftello.c, gl/gai_strerror.c, gl/getaddrinfo.c, - gl/getdelim.c, gl/getline.c, gl/getopt.c, gl/getopt.in.h, - gl/getopt1.c, gl/getopt_int.h, gl/getpass.c, gl/getpass.h, - gl/getpeername.c, gl/getsubopt.c, gl/gettext.h, gl/gettimeofday.c, - gl/hash-pjw-bare.c, gl/hash-pjw-bare.h, gl/inet_ntop.c, - gl/inet_pton.c, gl/intprops.h, gl/isnan.c, gl/isnand-nolibm.h, - gl/isnand.c, gl/isnanf-nolibm.h, gl/isnanf.c, gl/isnanl-nolibm.h, - gl/isnanl.c, gl/itold.c, gl/listen.c, gl/lseek.c, - gl/m4/alphasort.m4, gl/m4/argp.m4, gl/m4/closedir.m4, + gl/dirname.h, gl/dup2.c, gl/errno.in.h, gl/error.c, gl/error.h, + gl/fd-hook.c, gl/fd-hook.h, gl/filename.h, gl/float+.h, gl/float.c, + gl/float.in.h, gl/frexp.c, gl/frexpl.c, gl/fseek.c, gl/fseeko.c, + gl/fseterr.c, gl/fseterr.h, gl/fstat.c, gl/ftell.c, gl/ftello.c, + gl/gai_strerror.c, gl/getaddrinfo.c, gl/getdelim.c, gl/getline.c, + gl/getopt.c, gl/getopt.in.h, gl/getopt1.c, gl/getopt_int.h, + gl/getpass.c, gl/getpass.h, gl/getpeername.c, gl/getsubopt.c, + gl/gettext.h, gl/gettimeofday.c, gl/hash-pjw-bare.c, + gl/hash-pjw-bare.h, gl/inet_ntop.c, gl/inet_pton.c, gl/isnan.c, + gl/isnand-nolibm.h, gl/isnand.c, gl/isnanf-nolibm.h, gl/isnanf.c, + gl/isnanl-nolibm.h, gl/isnanl.c, gl/itold.c, gl/listen.c, + gl/lseek.c, gl/m4/alphasort.m4, gl/m4/argp.m4, gl/m4/closedir.m4, gl/m4/dirent_h.m4, gl/m4/dirname.m4, gl/m4/double-slash-root.m4, gl/m4/eealloc.m4, gl/m4/environ.m4, gl/m4/error.m4, gl/m4/exponentf.m4, gl/m4/exponentl.m4, gl/m4/frexp.m4, 
@@ -7600,45 +13226,45 @@ gl/stdalign.in.h, gl/stdarg.in.h, gl/stdbool.in.h, gl/stddef.in.h, gl/stdint.in.h, gl/stdio-impl.h, gl/stdio.in.h, gl/stdlib.in.h, gl/str-two-way.h, gl/strcasecmp.c, gl/strchrnul.c, - gl/strchrnul.valgrind, gl/strdup.c, gl/strerror-override.c, - gl/strerror-override.h, gl/strerror.c, gl/string.in.h, + gl/strchrnul.valgrind, gl/strdup.c, gl/string.in.h, gl/strings.in.h, gl/stripslash.c, gl/strncasecmp.c, gl/strndup.c, gl/strnlen.c, gl/strtok_r.c, gl/strverscmp.c, gl/sys_select.in.h, gl/sys_socket.in.h, gl/sys_stat.in.h, gl/sys_time.in.h, gl/sys_types.in.h, gl/sys_uio.in.h, gl/sysexits.in.h, - gl/tests/Makefile.am, gl/tests/dosname.h, gl/tests/fpucw.h, - gl/tests/infinity.h, gl/tests/intprops.h, gl/tests/malloca.c, - gl/tests/malloca.h, gl/tests/malloca.valgrind, + gl/tests/Makefile.am, gl/{ => tests}/dosname.h, gl/{ => + tests}/fpucw.h, gl/tests/infinity.h, gl/{ => tests}/intprops.h, + gl/tests/malloca.c, gl/tests/malloca.h, gl/tests/malloca.valgrind, gl/tests/minus-zero.h, gl/tests/nan.h, gl/tests/putenv.c, - gl/tests/randomd.c, gl/tests/randoml.c, gl/tests/setenv.c, - gl/tests/strerror-override.c, gl/tests/strerror-override.h, - gl/tests/strerror.c, gl/tests/test-argp-2.sh, gl/tests/test-argp.c, - gl/tests/test-dirent.c, gl/tests/test-environ.c, - gl/tests/test-fprintf-posix.h, gl/tests/test-frexp.c, - gl/tests/test-frexp.h, gl/tests/test-frexpl.c, - gl/tests/test-fseterr.c, gl/tests/test-getopt.c, - gl/tests/test-getopt.h, gl/tests/test-getopt_long.h, - gl/tests/test-isnand-nolibm.c, gl/tests/test-isnand.h, - gl/tests/test-isnanf-nolibm.c, gl/tests/test-isnanf.h, - gl/tests/test-isnanl-nolibm.c, gl/tests/test-isnanl.h, - gl/tests/test-malloc-gnu.c, gl/tests/test-malloca.c, - gl/tests/test-math.c, gl/tests/test-printf-frexp.c, - gl/tests/test-printf-frexpl.c, gl/tests/test-printf-posix.h, - gl/tests/test-printf-posix.output, gl/tests/test-rawmemchr.c, - gl/tests/test-setenv.c, gl/tests/test-signbit.c, - gl/tests/test-sleep.c, 
gl/tests/test-strchrnul.c, - gl/tests/test-sysexits.c, gl/tests/test-unsetenv.c, - gl/tests/test-version-etc.c, gl/tests/test-version-etc.sh, - gl/tests/test-vfprintf-posix.c, gl/tests/test-vfprintf-posix.sh, - gl/tests/test-vprintf-posix.c, gl/tests/test-vprintf-posix.sh, - gl/tests/unsetenv.c, gl/time.in.h, gl/time_r.c, gl/u64.h, - gl/unistd.in.h, gl/vasnprintf.c, gl/vasnprintf.h, gl/vasprintf.c, - gl/verify.h, gl/version-etc-fsf.c, gl/version-etc.c, - gl/version-etc.h, gl/vfprintf.c, gl/vprintf.c, gl/vsnprintf.c, - gl/w32sock.h, gl/wchar.in.h, gl/xsize.h, src/certtool.c, - src/cli-debug.c, src/cli.c, src/danetool.c, src/ocsptool-common.c, - src/ocsptool.c, src/p11tool.c, src/psk.c, src/serv.c, - src/srptool.c, src/tpmtool.c: gnulib only contains lgplv2 modules + gl/tests/randomd.c, gl/tests/randoml.c, gl/tests/setenv.c, gl/{ => + tests}/strerror-override.c, gl/{ => tests}/strerror-override.h, + gl/{ => tests}/strerror.c, gl/tests/test-argp-2.sh, + gl/tests/test-argp.c, gl/tests/test-dirent.c, + gl/tests/test-environ.c, gl/tests/test-fprintf-posix.h, + gl/tests/test-frexp.c, gl/tests/test-frexp.h, + gl/tests/test-frexpl.c, gl/tests/test-fseterr.c, + gl/tests/test-getopt.c, gl/tests/test-getopt.h, + gl/tests/test-getopt_long.h, gl/tests/test-isnand-nolibm.c, + gl/tests/test-isnand.h, gl/tests/test-isnanf-nolibm.c, + gl/tests/test-isnanf.h, gl/tests/test-isnanl-nolibm.c, + gl/tests/test-isnanl.h, gl/tests/test-malloc-gnu.c, + gl/tests/test-malloca.c, gl/tests/test-math.c, + gl/tests/test-printf-frexp.c, gl/tests/test-printf-frexpl.c, + gl/tests/test-printf-posix.h, gl/tests/test-printf-posix.output, + gl/tests/test-rawmemchr.c, gl/tests/test-setenv.c, + gl/tests/test-signbit.c, gl/tests/test-sleep.c, + gl/tests/test-strchrnul.c, gl/tests/test-sysexits.c, + gl/tests/test-unsetenv.c, gl/tests/test-version-etc.c, + gl/tests/test-version-etc.sh, gl/tests/test-vfprintf-posix.c, + gl/tests/test-vfprintf-posix.sh, gl/tests/test-vprintf-posix.c, + 
gl/tests/test-vprintf-posix.sh, gl/tests/unsetenv.c, gl/time.in.h, + gl/time_r.c, gl/u64.h, gl/unistd.in.h, gl/vasnprintf.c, + gl/vasnprintf.h, gl/vasprintf.c, gl/verify.h, gl/version-etc-fsf.c, + gl/version-etc.c, gl/version-etc.h, gl/vfprintf.c, gl/vprintf.c, + gl/vsnprintf.c, gl/w32sock.h, gl/wchar.in.h, gl/xsize.h, + src/certtool.c, src/cli-debug.c, src/cli.c, src/danetool.c, + src/ocsptool-common.c, src/ocsptool.c, src/p11tool.c, src/psk.c, + src/serv.c, src/srptool.c, src/tpmtool.c: gnulib only contains + lgplv2 modules 2013-08-05 Nikos Mavrogiannopoulos @@ -7818,8 +13444,8 @@ 2013-07-26 Nikos Mavrogiannopoulos - * tests/Makefile.am, tests/mini.c, tests/record-sizes.c: Updated - mini test. + * tests/Makefile.am, tests/{mini.c => record-sizes.c}: Updated mini + test. 2013-07-25 Nikos Mavrogiannopoulos @@ -9553,8 +15179,8 @@ * configure.ac, lib/algorithms/ciphersuites.c, lib/algorithms/kx.c, lib/auth/Makefile.am, lib/auth/anon_ecdh.c, lib/auth/cert.c, lib/auth/cert.h, lib/auth/dh_common.c, lib/auth/dhe.c, - lib/auth/dhe_psk.c, lib/auth/ecdh_common.c, lib/auth/ecdh_common.h, - lib/auth/ecdhe.c, lib/auth/ecdhe.h, lib/auth/rsa_export.c, + lib/auth/dhe_psk.c, lib/auth/{ecdh_common.c => ecdhe.c}, + lib/auth/{ecdh_common.h => ecdhe.h}, lib/auth/rsa_export.c, lib/gnutls_handshake.c, lib/gnutls_kx.c, lib/gnutls_priority.c, lib/gnutls_rsa_export.c, lib/gnutls_state.c, lib/gnutls_ui.c, m4/hooks.m4: Added options to disable more key exchange mechanisms. In that DHE was separated from ECDHE. 
@@ -10654,10 +16280,10 @@ * NEWS, lib/Makefile.am, lib/gnutls_cert.c, lib/gnutls_errors.c, lib/includes/Makefile.am, lib/includes/gnutls/gnutls.h.in, - lib/includes/gnutls/sbuf.h, lib/includes/gnutls/xssl.h, - lib/libgnutls.map, lib/sbuf.c, lib/sbuf.h, lib/sbuf_getline.c, - lib/xssl.c, lib/xssl.h, lib/xssl_getline.c, tests/Makefile.am, - tests/mini-sbuf.c, tests/mini-xssl.c: Added new interface. + lib/includes/gnutls/{sbuf.h => xssl.h}, lib/libgnutls.map, + lib/{sbuf.c => xssl.c}, lib/{sbuf.h => xssl.h}, lib/{sbuf_getline.c + => xssl_getline.c}, tests/Makefile.am, tests/mini-sbuf.c, + tests/mini-xssl.c: Added new interface. 2013-01-27 Nikos Mavrogiannopoulos @@ -11697,14 +17323,14 @@ 2012-11-20 Nikos Mavrogiannopoulos - * build-aux/gendocs.sh, configure.ac, gl/Makefile.am, gl/dup2.c, - gl/errno.in.h, gl/m4/errno_h.m4, gl/m4/gnulib-cache.m4, + * build-aux/gendocs.sh, configure.ac, gl/Makefile.am, gl/{tests => + }/dup2.c, gl/errno.in.h, gl/m4/errno_h.m4, gl/m4/gnulib-cache.m4, gl/m4/gnulib-comp.m4, gl/m4/select.m4, gl/m4/stdlib_h.m4, gl/select.c, gl/stdlib.in.h, gl/strerror-override.c, - gl/strerror-override.h, gl/tests/Makefile.am, gl/tests/dup2.c, - gl/tests/fcntl.in.h, gl/tests/test-fcntl-h.c, - gl/tests/test-iconv.c, gl/tests/test-select.h, lib/system.c, - m4/hooks.m4, maint.mk: use gnulib to detect iconv. + gl/strerror-override.h, gl/tests/Makefile.am, gl/tests/fcntl.in.h, + gl/tests/test-fcntl-h.c, gl/tests/test-iconv.c, + gl/tests/test-select.h, lib/system.c, m4/hooks.m4, maint.mk: use + gnulib to detect iconv. 2012-11-20 Nikos Mavrogiannopoulos 
@@ -11994,8 +17620,18 @@ 2012-11-07 Nikos Mavrogiannopoulos - * Removed GNUTLS_CERT_REVOCATION_DATA_INVALID and no longer fail on - OCSP parsing errors. + * NEWS, lib/gnutls_cert.c, lib/gnutls_x509.c, + lib/includes/gnutls/gnutls.h.in: Removed + GNUTLS_CERT_REVOCATION_DATA_INVALID and no longer fail on OCSP + parsing errors. + +2012-11-07 Nikos Mavrogiannopoulos + + * doc/cha-cert-auth.texi, doc/cha-tokens.texi: doc update + +2012-11-07 Nikos Mavrogiannopoulos + + * gnutls-cli-debug uses server name indication. -----
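Review bot: in the first hunk (`@@ -7600,45 +13226,45 @@`) the regenerated file list splits git's rename braces across the wrapped line, e.g. `gl/{ =>` on one line and `tests}/fpucw.h` on the next, and again `gl/{ =>` / `tests}/strerror-override.c`, so neither the old nor the new path survives as a single greppable token, whereas the removed lines listed plain paths (`gl/tests/fpucw.h`, `gl/strerror-override.c`). The notation also changes what the entry says: the removed lines recorded `gl/strerror-override.c` and `gl/tests/strerror-override.c` as two files touched, while `gl/{ => tests}/strerror-override.c` asserts a move, which the message "gnulib only contains lgplv2 modules" does not confirm. Suggest either keeping each `{old => new}` group on one line when wrapping, or expanding renames back to the two plain paths so the ChangeLog stays consistent with its older entries.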
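Review bot: in the `@@ -7818,8 +13444,8 @@` hunk, `tests/{mini.c => record-sizes.c}` records a rename, but the entry's own message "Updated mini test" describes a modification of mini.c, and the removed lines listed `tests/mini.c` and `tests/record-sizes.c` as two separate files. A rename inferred from content similarity that contradicts the commit message misleads anyone tracing the history of record-sizes.c; suggest listing both plain paths as before, or adjusting the message if the rename is what actually happened.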
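Review bot: in the `@@ -9553,8 +15179,8 @@` hunk, `lib/auth/{ecdh_common.c => ecdhe.c}` and `lib/auth/{ecdh_common.h => ecdhe.h}` collapse four paths the removed lines listed separately (`ecdh_common.c`, `ecdh_common.h`, `ecdhe.c`, `ecdhe.h`) into two renames, while the message says "DHE was separated from ECDHE", i.e. a split rather than a move. Suggest keeping the four plain paths so the entry matches its message.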
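Review bot: the `@@ -10654,10 +16280,10 @@` hunk is inconsistent within a single entry: the library files become renames (`lib/{sbuf.c => xssl.c}`, `lib/{sbuf.h => xssl.h}`, `lib/{sbuf_getline.c => xssl_getline.c}`), yet `tests/mini-sbuf.c, tests/mini-xssl.c` are still listed as two distinct files, and `lib/{sbuf_getline.c` is again broken across the line wrap from `=> xssl_getline.c}`. Pick one representation for the whole entry; the plain two-path form of the removed lines is the one the rest of the file uses.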
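Review bot: in the `@@ -11697,14 +17323,14 @@` hunk, `gl/{tests =>` followed on the next line by `}/dup2.c` is hard to read because the empty right-hand side means the destination is the bare `gl/dup2.c`, which the removed lines already listed alongside `gl/tests/dup2.c` as two files. For a commit described as "use gnulib to detect iconv", a move of dup2.c out of gl/tests is a surprising side claim; suggest listing `gl/dup2.c` and `gl/tests/dup2.c` plainly as before, and in any case not wrapping inside the braces.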
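Review bot: in the `@@ -11994,8 +17620,18 @@` hunk, the first 2012-11-07 entry gains its file list (`NEWS, lib/gnutls_cert.c, lib/gnutls_x509.c, lib/includes/gnutls/gnutls.h.in:`), but the last added entry, `* gnutls-cli-debug uses server name indication.`, has no file list at all, so the text after `*` reads as a description where every other entry puts paths followed by a colon. Suggest regenerating that entry with its touched files (the preceding `doc update` entry shows the expected `* path, path: message` shape).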