From: Rafal Krypa Date: Fri, 9 Jun 2017 18:25:57 +0000 (+0200) Subject: Imported Upstream version 3.3.27 X-Git-Tag: upstream/3.3.27 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ba32c8624c2a69a7a6b747c09d5c9b79324382b7;p=platform%2Fupstream%2Fgnutls.git Imported Upstream version 3.3.27 Change-Id: I798ef6aba691d3e449e9bb69810792a02e0179b3 --- diff --git a/ChangeLog b/ChangeLog index 79e9127..4743a48 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,5652 @@ +2017-03-06 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2017-03-05 Nikos Mavrogiannopoulos + + * NEWS: doc update Signed-off-by: Nikos Mavrogiannopoulos + +2017-03-05 Alex Gaynor + + * lib/opencdk/read-packet.c: Enforce the max packet length for + OpenPGP subpackets as well This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 Signed-off-by: Alex Gaynor + +2017-03-01 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2017-03-01 Nikos Mavrogiannopoulos + + * lib/opencdk/kbnode.c, lib/opencdk/keydb.c, lib/opencdk/literal.c, + lib/opencdk/opencdk.h, lib/opencdk/read-packet.c, + lib/openpgp/gnutls_openpgp.c, lib/openpgp/pgp.c, + lib/openpgp/privkey.c: opencdk: do not parse any secret keys in + packet when reading a certificate This reduces the attack surface on the parsers, and prevents any + bugs in the secret key parser to be exploitable by inserting secret + key sub-packets into an openpgp certificate. This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-28 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/crt_apis.c: tests: backported crt_apis + from master branch In addition to other APIs, this explicitly tests + gnutls_x509_crt_set_subject_unique_id() and + gnutls_x509_crt_set_issuer_unique_id(). 
Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-28 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c: certtool: increased buffer for reading from + user This allows reading longer than 128-byte fields interactively. The + new limit is 512-bytes. Relates #179 Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-22 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/pkcs11/pkcs11-import-with-pin.c: tests: + added PKCS#11 test for pin input This introduces a test on PIN input to retrieve an object using + pin-value and pin-source (file). Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-22 Nikos Mavrogiannopoulos + + * tests/utils.c, tests/utils.h: tests: utils: added ability to use + tmpfiles Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-22 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/pkcs11/pkcs11-pubkey-import-rsa.c, + tests/pkcs11/pkcs11-pubkey-import.c: tests: backported PKCS#11 test In addition to public key import checks, this test ensures that the + pin-value attribute is functional. Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-22 Nikos Mavrogiannopoulos + + * NEWS: doc update Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-22 Nikos Mavrogiannopoulos + + * configure.ac, lib/pkcs11.c: Use p11_kit_uri_get_pin_value() if + available in p11-kit This allows parsing the pin-value attribute of the PKCS#11 URI. Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-22 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: nettle/pk: added error checking in + _rsa_params_to_pubkey Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-21 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: nettle/pk: corrected memcpy of Q in DSA params Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2017-02-20 Nikos Mavrogiannopoulos + + * lib/opencdk/read-packet.c: opencdk/read-packet.c: corrected typo + in type cast 
Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-20 Nikos Mavrogiannopoulos + + * lib/opencdk/read-packet.c: cdk_pkt_read: enforce packet limits That ensures that there are no overflows in the subsequent + calculations. Resolves the oss-fuzz found bug: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 Relates: #159 Signed-off-by: Nikos Mavrogiannopoulos + +2017-02-03 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: gnutls_pkcs11_obj_list_import_url2: Always return an + initialized pointer When returning success, but no elements, + gnutls_pkcs11_obj_list_import_url4, could have returned zero number + of elements with a pointer that was uninitialized. Ensure that an + initialized (i.e., null in that case), pointer is always returned. + Reported by Jeremy Harris. Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-17 Nikos Mavrogiannopoulos + + * lib/opencdk/read-packet.c: opencdk: improved error code checking + in the stream reading functions This ammends 49be4f7b82eba2363bb8d4090950dad976a77a3a Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-09 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, tests/key-tests/Makefile.am: tests: + do not run key-tests and cert-tests under leak sanitizer The reason is that we cannot distinguish between a memory leak on + application failure (which is followed by exit- thus should be + ignored) and an address sanitizer issue (which should never be + ignored). As such we disable leak detection with asan and rely on + valgrind. Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-09 Nikos Mavrogiannopoulos + + * tests/key-tests/Makefile.am: tests: added missing file + +2017-01-09 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: Build and Check - separate build + dir (x86): force build in gitlab shared runners In the Centos7 based runners there is an issue running autogen. 
Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-09 Nikos Mavrogiannopoulos + + * .gitignore, src/Makefile.am: tools: use stamp files to allow + parallel build of autogen files Autogen seems to output on the creates files gradually, something + that makes 'make' believe that the command is complete prior to the + output file being fully populated. The current approach uses stamp + files to ensure that no incomplete files are used for compilation. + +2017-01-09 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2017-01-09 Nikos Mavrogiannopoulos + + * NEWS, doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: + updated auto-generated files + +2017-01-09 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2017-01-09 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2017-01-04 Nikos Mavrogiannopoulos + + * lib/opencdk/read-packet.c: opencdk: added error checking in the + stream reading functions This addresses an out of memory error. Issue found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337 Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-04 Nikos Mavrogiannopoulos + + * lib/opencdk/pubkey.c: opencdk: cdk_pk_get_keyid: fix stack + overflow Issue found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340 Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-04 Nikos Mavrogiannopoulos + + * lib/opencdk/read-packet.c: opencdk: read_attribute: added more + precise checks when reading stream That addresses heap read overflows found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346 Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-01 Alex Gaynor + + * lib/opencdk/read-packet.c: Corrected a leak in OpenPGP sub-packet + parsing. 
Signed-off-by: Alex Gaynor + +2016-12-30 Alex Gaynor + + * lib/opencdk/read-packet.c: Attempt to fix a leak in OpenPGP cert + parsing. + +2016-12-26 Alex Gaynor + + * lib/opencdk/read-packet.c: Do not infinite loop if an EOF occurs + while skipping a PGP packet Signed-off-by: Alex Gaynor + +2016-02-29 Nikos Mavrogiannopoulos + + * lib/opencdk/misc.c: opencdk: Fixes to prevent undefined behavior + (found with libubsan) + +2017-01-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2017-01-04 Nikos Mavrogiannopoulos + + * lib/auth/rsa.c: auth rsa: eliminated memory leak on pkcs-1 + formatting attack path 
Signed-off-by: Nikos Mavrogiannopoulos + +2017-01-02 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-12-09 Nikos Mavrogiannopoulos + + * lib/x509/verify.c: pkcs11 verification: ensure that an issuer we + retrieve is not blacklist It may happen in p11-kit trust module that a trusted certificate is + both in the trusted set, and the blacklisted set. To avoid accepting + a certificate when in both sets, we always check whether a trusted + issuer certificate is in the blacklisted set. + +2016-12-31 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: improved error reporting on file error + +2016-12-20 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-12-15 Nikos Mavrogiannopoulos + + * lib/x509/x509_ext.c: gnutls_x509_ext_import_proxy: fix issue + reading the policy language If the language was set but the policy wasn't, that could lead to a + double free, as the value returned to the user was freed. + +2016-12-16 Nikos Mavrogiannopoulos + + * : commit 5ca126e1a5daf071ce690f28823fa97de6a7ae68 Author: Nikos + Mavrogiannopoulos Date: Thu Dec 15 17:05:59 2016 + +0100 + +2016-12-14 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-12-13 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/pkcs8-key-decode-encrypted.c, + tests/pkcs8-key-decode.c: tests: added test for PKCS#8 encrypted key + decoding This also verifies that the return value when attempting to decrypt + without a password is GNUTLS_E_DECRYPTION_FAILED. 
+ +2016-11-14 Nikos Mavrogiannopoulos + + * tests/key-tests/Makefile.am, tests/key-tests/pkcs8-invalid: tests: + added test suite with PKCS#8 files that have invalid encryption + +2016-12-14 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c: PKCS#7 decrypt_data: merge all errors + during decryption to GNUTLS_E_DECRYPTION_FAILED + +2016-12-13 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c: pkcs8: ensure that the correct error + code is returned on decryption failure + +2016-12-14 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: added sanity check + on padding size Relates #148 + +2016-12-14 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: fail without leak + on unknown MAC + +2016-12-14 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: fail early on + invalid block sizes + +2016-12-14 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: PKCS#5,7 + decryption: enforce limits in the support parameter sizes This allows to detect invalid parameters early rather than later. 
+ Relates #148 + +2016-12-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-07-14 Nikos Mavrogiannopoulos + + * src/tpmtool-args.def, src/tpmtool.c: tpmtool: Added --test-sign + parameter + +2016-12-09 Nikos Mavrogiannopoulos + + * src/tpmtool.c: compiler warnings elimination and other bug fixes + +2015-06-05 Nikos Mavrogiannopoulos + + * src/tpmtool.c: tpmtool: added newline in error messages + +2016-12-09 Nikos Mavrogiannopoulos + + * configure.ac, lib/Makefile.am, lib/abstract_int.h, + lib/gnutls_errors.c, lib/gnutls_global.c, lib/gnutls_global.h, + lib/gnutls_privkey.c, lib/includes/gnutls/gnutls.h.in, lib/tpm.c: + tpm: backported improvements from master branch * Load libtspi dynamically using dlopen - prevents direct linking + with openssl * Fix handling of keys requiring authorization * In import_tpm_key_cb() fix the wrong password loop + +2016-12-09 Nikos Mavrogiannopoulos + + * src/certtool-args.def: doc: updated to documentation of certtool + [ci skip] This corrects options which incorrectly mentioned they support URLs. + +2016-12-07 Nikos Mavrogiannopoulos + + * src/certtool.c: Don't trash DER CRQ output with text data Backported patch from master. + +2016-11-29 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-11-29 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: tests: backported test suite for p11tool + --set-id and --set-label options + +2015-03-11 Nikos Mavrogiannopoulos + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + p11tool: added --set-id and --set-label options + +2015-03-11 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c, + lib/pkcs11_int.c, lib/pkcs11_int.h: added + gnutls_pkcs11_obj_set_info() This function allows setting information such as the CKA_ID and the + CKA_LABEL of an object. 
+ +2016-11-29 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: tests: check whether PKCS #11 ID set on + copy/generation is correct + +2016-11-29 Nikos Mavrogiannopoulos + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + p11tool: allow setting the CKA_ID on object + initialization/generation + +2016-11-29 Nikos Mavrogiannopoulos + + * lib/libgnutls.map: exported new functions + +2015-03-31 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11: + enhanced key generation functions to allow specifying a CKA_ID + +2015-03-30 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_write.c: enhanced copy + functions to allow specifying a CKA_ID + +2016-11-29 Nikos Mavrogiannopoulos + + * lib/x509/pkcs12_encr.c: pkcs12: fixed the calculation of p_size Include the trailing zero into the size calculation. + +2016-11-28 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-11-28 Nikos Mavrogiannopoulos + + * tests/pkcs12-decode/Makefile.am, tests/pkcs12-decode/pkcs12: + tests: added pkcs12 check with openssl generated structure and long + password + +2016-11-28 Nikos Mavrogiannopoulos + + * lib/x509/pkcs12_encr.c: pkcs12: fixed the calculation of p_size That affects passwords which exceed 32 characters. + +2016-11-07 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: _wrap_nettle_pk_verify: use FAIL_IF_LIB_ERROR + prior to returning success This will prevent verification to succeed if the system is in error + state. + +2016-11-02 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-10-21 Nikos Mavrogiannopoulos + + * lib/ext/signature.c, lib/gnutls_alert.c: Terminate handshake if + only unknown or disabled signatures are advertized by the peer That is, do not attempt to proceed assuming that the peer supports + SHA-1. 
+ +2016-10-26 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-13 Nikos Mavrogiannopoulos + + * lib/ext/status_request.c: certificate status requestion response + is optional according to RFC6066 + +2016-10-18 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: allow setting key purposes for non-CA + certificates That is, allow setting code signing, or time stamping key purpose in + certificates that are not marked as CA. The previous restriction + served no purpose. + +2016-10-14 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/multi-alerts.c: tests: added check to + verify that the server will bail out after many alerts + +2016-10-14 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/naked-alerts.c: tests: added check to + verify that the server will bail out after receiving only alerts + +2016-10-14 Nikos Mavrogiannopoulos + + * tests/cert-common.h: tests: backported the common certs from + master + +2016-10-14 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: + handshake: set a maximum number of warning messages that can be + received per handshake That is to avoid DoS due to the assymetry of cost of sending an + alert vs the cost of processing. 
+ +2016-10-14 Nikos Mavrogiannopoulos + + * lib/gnutls_record.c: record: disallow parsing of alert messages + prior to session start + +2016-10-14 Nikos Mavrogiannopoulos + + * src/certtool-common.c: certtool: improve text on missing options + for cert generation + +2016-10-13 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: avoid asking the security officer PIN twice + on initialization + +2016-10-13 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: improved messages on token initialization + +2016-10-13 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: corrected check of PIN existance in token + initialization + +2016-10-09 Nikos Mavrogiannopoulos + + * tests/Makefile.am: tests: link tests which utilize nettle with + nettle + +2016-10-09 Nikos Mavrogiannopoulos + + * doc/Makefile.am, doc/manpages/Makefile.am: updated auto-generated + files + +2016-10-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-10-09 Nikos Mavrogiannopoulos + + * lib/gnutls_extensions.c: TLS extensions: only cache the extension + IDs from exts that the server supports That avoids imposing any artificial limits on the number of + extensions that a server can handle. Resolves #136 + +2016-10-07 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: added safety net when generating a + certificate request That is, do not allow specifying --generate-request --load-pubkey + without specifying --load-privkey. Previously if --load-pubkey would + have been used, it would have been ignored, causing confusion to the + users. + +2016-09-19 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-09-16 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_int.h: Increased the maximum + size allowed for handshake messages to 128kb This would allow the library to cope with larger packets, as well as + TLS 1.3 hellos. Suggested by Hubert Kario. 
+ +2016-09-12 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-09-12 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: gnutls_certificate_set_*key: ensure proper + cleanup on key mismatch failures That is, ensure that we keep no local references that are shared + with the caller, and that we properly free all initialized values. + +2016-09-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-09-07 Nikos Mavrogiannopoulos + + * lib/system.c: _gnutls_ucs2_to_utf8: fixed use of + WideCharToMultiByte in windows + +2016-09-06 Nikos Mavrogiannopoulos + + * src/ocsptool.c: ocsptool: do not enter a spurious newline to + responses. + +2015-11-12 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, tests/cert-tests/template-test, + tests/cert-tests/template-unique.pem, + tests/cert-tests/template-unique.tmpl: tests: verify that unique IDs + are generated as expected + +2015-11-12 Nikos Mavrogiannopoulos + + * src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h, + src/certtool.c: certtool: Allow writing unique IDs in generated + certificates + +2016-09-05 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-09-05 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2015-11-12 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/x509.h, lib/libgnutls.map, + lib/x509/x509_write.c: Added gnutls_x509_crt_set_issuer_unique_id() + and gnutls_x509_crt_set_subject_unique_id() + +2016-09-05 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-09-03 Nikos Mavrogiannopoulos + + * lib/gnutls_pk.c: _gnutls_encode_ber_rs_raw: zero-pad values when + necessary This addresses issue when encoding values obtained via PKCS#11 which + may not be necessarily padded. Resolves #122 + +2016-09-03 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-test: tests: don't run overflow tests on + archs which fail This addresses a CI failure on x86. 
+ +2016-09-03 Nikos Mavrogiannopoulos + + * tests/slow/hash-large.c: tests: backported hash-large from master + +2016-09-03 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: use the gitlab.com shared runners Backported from master branch + +2016-08-28 David Woodhouse + + * lib/x509/pkcs12.c: gnutls_pkcs12_simple_parse: set the key value + to null on failure + +2016-08-27 Nikos Mavrogiannopoulos + + * lib/x509/ocsp.c: ocsp: corrected the comparison of the serial size + in OCSP response Previously the OCSP certificate check wouldn't verify the serial + length and could succeed in cases it shouldn't. Reported by Stefan Buehler. + +2016-08-24 Nikos Mavrogiannopoulos + + * tests/pkcs8-decode/Makefile.am, tests/pkcs8-decode/pkcs8, + tests/pkcs8-decode/pkcs8-pbes2-sha256.pem: tests: added decoding of + key with pbes2 and SHA256 PRF + +2016-08-24 Nikos Mavrogiannopoulos + + * NEWS, lib/algorithms.h, lib/algorithms/mac.c, lib/gnutls_int.h, + lib/includes/gnutls/x509.h, lib/pkix.asn, lib/pkix_asn1_tab.c, + lib/x509/Makefile.am, lib/x509/pbkdf2-sha1.c, + lib/x509/pbkdf2-sha1.h, lib/x509/pkcs12.c, + lib/x509/privkey_openssl.c, lib/x509/privkey_pkcs8.c, + lib/x509/x509_int.h, tests/gc.c: Added support for decrypting PKCS#8 + files which use HMAC-SHA256 as PRF This backports nettle pbkdf2 support, and improves compatibility + with new openssl versions. + +2014-08-04 Nikos Mavrogiannopoulos + + * lib/x509/pkcs12.c: pkcs12: increased the number of iterations for + MAC + +2016-08-10 Nikos Mavrogiannopoulos + + * lib/crypto-api.c: gnutls_key_generate: fail if the state of the + library is invalid Suggested by Stephan Mueller. + +2016-08-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-08-08 Stefan Sørensen + + * lib/x509/pkcs12.c: Fix gnutls_pkcs12_simple_parse to always + extract the complete chain gnutls_pkcs12_simple_parse was only collecting extra certificates + that was possible elements of the certificate chain when the + extra_certs argument was not NULL. 
Fix by allways collecting all the + certificates, any unneeded certificates are released before + returning if extra_certs is NULL anyway. 
Signed-off-by: Stefan Sørensen + +2016-08-07 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: nettle: use rsa_*_key_prepare on key import Previously we calculated the size of the key directly, but by using + the rsa_*_key_prepare we benefit from any checks that may be + introduced in the future. Specifically any checks for invalid public + keys (e.g., keys that may crash the underlying gmp functions). This patch avoids calling rsa_private_key_prepare every time we + construct a nettle private key struct, because this function + requires a bigint multiplication. We call that function once on + private key import. + +2016-08-08 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: Revert "nettle: use rsa_*_key_prepare" This reverts commit a2c3ee54ea8080eeb59fcfeec88a842324982c90. + +2016-08-01 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: nettle: use rsa_*_key_prepare Previously we calculated the size of the key directly, but by using + the rsa_*_key_prepare we benefit from any checks that may be + introduced in the future. Specifically any checks for invalid public + keys (e.g., keys that may crash the underlying gmp functions). + +2016-07-28 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-07-09 Tim Kosse + + * lib/x509/x509.c: gnutls_x509_crt_list_import2 was ignoring the + passed flags if all certificates in the list fit within the + initially allocated memory. + +2016-07-09 Tim Kosse + + * lib/x509/crl.c: gnutls_x509_crl_list_import2 was ignoring the + passed flags if all CTLs in the list fit within the initially + allocated memory. 
+ +2016-07-25 Nikos Mavrogiannopoulos + + * lib/minitasn1/coding.c, lib/minitasn1/decoding.c, + lib/minitasn1/element.c, lib/minitasn1/element.h, + lib/minitasn1/int.h, lib/minitasn1/libtasn1.h, + lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h, + lib/minitasn1/structure.c: minitasn1: updated to libtasn1 4.9 + +2016-07-08 Nikos Mavrogiannopoulos + + * NEWS: NEWS: corrected release date [ci skip] + +2016-07-06 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.24 + +2016-06-30 Nikos Mavrogiannopoulos + + * configure.ac: configure: check for libdl irrespective of FIPS140 + configuration This allows to link to libdl for the tests that require it. + +2016-07-05 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2016-07-05 Nikos Mavrogiannopoulos + + * libdane/errors.c, libdane/includes/gnutls/dane.h: dane: corrected + the license of libdane files The license was always LGPL version 2.1, and these files mentioned + LGPL version 3. Reported by Thomas Petazzoni. + +2016-06-30 Nikos Mavrogiannopoulos + + * tests/Makefile.am: tests: account pkcs11/pkcs11-mock-ext.h in + Makefile + +2016-06-30 Nikos Mavrogiannopoulos + + * tests/Makefile.am: tests: link pkcs11-import-url-privkey with + libdl That is because it uses dlopen(). + +2016-06-30 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-06-30 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/pkcs11/pkcs11-import-url-privkey.c, + tests/pkcs11/pkcs11-mock-ext.h, tests/pkcs11/pkcs11-mock.c: tests: + added check to verify the tolerance of broken C_GetAttributes That is, test gnutls_pkcs11_obj_list_import_url4() when importing + private keys from tokens that return CKR_OK on sensitive objects, + and tokens that return CKR_ATTRIBUTE_SENSTIVE. Relates #108 + +2016-06-30 Nikos Mavrogiannopoulos + + * lib/pkcs11_int.c: pkcs11_get_attribute_avalue: correctly handle a + -1 value length from C_GetAttributeValue That is, work-around modules which do not return an error on + sensitive objects. 
Relates #108 + +2016-06-29 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-06-29 Nikos Mavrogiannopoulos + + * lib/pkcs11_int.c: pkcs11_get_attribute_avalue: do not assign + values on failure When C_GetAttributeValue() returns size but does not return data + then pkcs11_get_attribute_avalue() would set the return data pointer + to a free'd value. This is against the convention expected by + callers, i.e, set data to NULL. Reported by Anthony Alba in #108. + +2016-06-29 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11, tests/suite/testpkcs11.softhsm: tests: + updated testpkcs11 to support softhsmv2 + +2016-06-29 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/{suite => pkcs11}/pkcs11-chainverify.c, + tests/{suite => pkcs11}/pkcs11-combo.c, tests/{suite => + pkcs11}/pkcs11-get-issuer.c, tests/{suite => + pkcs11}/pkcs11-is-known.c, tests/{suite => pkcs11}/softhsm.h, + tests/suite/Makefile.am: tests: moved pkcs11 tests to main test + suite + +2016-06-28 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-is-known.c: tests: backported pkcs11-is-known + from master + +2016-06-23 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: gnutls_pkcs11_crt_is_known: always assume + GNUTLS_PKCS11_OBJ_FLAG_COMPARE unless + GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is given + +2016-06-28 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: find_cert_cb: minor cleanups in find_cert_cb + +2016-06-22 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-06-22 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c, + tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c, + tests/suite/softhsm.h: tests: backported the softhsmv2 pkcs11 checks + from 3.4.0 + +2016-06-22 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: correctly encode the serial number when + searching for certificate In gnutls_pkcs11_crt_is_known() corrected the encoding of the serial + number to TLV DER from LV DER. This is the encoding we use when + storing that number. 
+ +2016-06-22 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: correctly account check_found_cert() + +2016-06-22 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: Amended "Corrected the writing of serial + number in PKCS#11 modules" This corrects the writing of the serial number. + +2016-06-16 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-06-16 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: dtls: corrected reconstruction of handshake + packets received out of order That is, when the handshake packet is split into multiple different + chunks and received out of order, make sure that reconstruction + occurs properly. Reported by Guillaume Roguez. + +2016-06-16 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: Corrected the writing of serial number in + PKCS#11 modules That is previously the serial number was written in raw format, but + in PKCS#11 the serial number must be set encoded as integer. Report + and fix by Stanislav Zidek. + +2016-05-31 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-05-31 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: when generating a private key ensure + the public key is not private This is a backport from the 3.4.x branch. + +2016-05-28 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: x86-common: use secure_getenv() + +2016-05-27 Nikos Mavrogiannopoulos + + * configure.ac: configure.ac: check for secure_getenv where + available and always enable system extensions + +2016-05-27 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-05-27 Nikos Mavrogiannopoulos + + * lib/fips.c, lib/gnutls_global.c, lib/gnutls_mem.h, lib/system.c: + env: use secure_getenv when reading environment variables + +2016-05-23 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: added sanity check to find_obj_url_cb() for + object validity Also avoid unnecessary recursion. 
+ +2016-05-20 Nikos Mavrogiannopoulos + + * tests/suite/eagain, tests/suite/testsrn: tests: use /bin/bash in + tests which require common.sh + +2016-05-21 Nikos Mavrogiannopoulos + + * tests/suite/Makefile.am, tests/suite/testcompat, + tests/suite/testcompat-common, tests/suite/testcompat-main: tests: + backported full openssl suite from master Removed the priority strings not applicable in 3.3.x. + +2016-05-13 Nikos Mavrogiannopoulos + + * tests/dsa/testdsa, tests/openpgp-certs/testcerts, + tests/scripts/common.sh, tests/suite/eagain, + tests/suite/mini-eagain2.c, tests/suite/testcompat-main, + tests/suite/testsrn: tests: simplified server launching process Also attempt to use a new port on every started server and added a + waiting period for the port to become re-usable. + +2016-05-21 Nikos Mavrogiannopoulos + + * tests/version-checks.c: added check for the VERS-ALL priority + keyword + +2016-05-21 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: gnutls_priority_init: recognize the + VERS-ALL keyword This keyword is identical to VERS-TLS-ALL, but it will allow to + re-use priority strings from 3.4.x+ to this branch of gnutls. + +2016-05-20 Nikos Mavrogiannopoulos + + * tests/Makefile.am: tests: do not use pkglib to generate + libpkcs11mock1.so This resulted in the test library being installed. Install we use + noinst for the library, but pass -rpath to LDFLAGS as a hack to for + libtool to generate the shared version. + +2016-05-20 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: released 3.3.23 + +2016-05-19 Nikos Mavrogiannopoulos + + * src/cli.c, src/socket.c, src/socket.h: gnutls-cli: allow operation + with stdin input That is once commands from stdin are given, they are not only sent + to server, but we also wait for a response prior to exiting. 
Resolves #96 + +2016-05-17 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-05-17 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-05-17 Nikos Mavrogiannopoulos + + * src/cli.c: gnutls-cli: corrected check for OCSP verification + success + +2016-01-18 Nikos Mavrogiannopoulos + + * lib/gnutls_global.c: gnutls_global_init: log gnutls' version on + initialization + +2016-05-12 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-05-12 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/mini-server-name.c: tests: backported + server name checks + +2016-05-12 Nikos Mavrogiannopoulos + + * lib/ext/server_name.c: server_name: only save the supported server + names in the session Invalid server names with embedded nulls and unsupported types are + not saved. + +2016-05-10 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-05-10 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: cert cred: add the CN to the list of known + hostnames only if no dns_names That is, follow rfc6125 and support CN as a fallback only. + +2016-05-10 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: gnutls_certificate_set_key: import the DNS + names of the certificates That is, only when no (NULL) names are provided. + +2016-05-03 Nikos Mavrogiannopoulos + + * tests/pkcs11/pkcs11-cert-import-url-exts.c, + tests/pkcs11/pkcs11-get-exts.c, + tests/pkcs11/pkcs11-get-raw-issuer-exts.c: Revert "tests: ignore + failure to load pkcs11 mock provider" This reverts commit ae40598e5597b1b1f01a7e55d35b5f476d7d19d7. 
+ +2016-05-03 Nikos Mavrogiannopoulos + + * configure.ac, tests/Makefile.am: tests: don't run pkcs11 mock + module tests under buggy p11-kit + +2016-05-03 Nikos Mavrogiannopoulos + + * tests/pkcs11/pkcs11-cert-import-url-exts.c, + tests/pkcs11/pkcs11-get-exts.c, + tests/pkcs11/pkcs11-get-raw-issuer-exts.c: tests: ignore failure to + load pkcs11 mock provider GnuTLS 3.3.x can work with old versions of p11-kit which do not have + the necessary fixes to load absolute paths. + +2016-05-03 Nikos Mavrogiannopoulos + + * lib/nettle/gnettle.h: Fixed _NETTLE_UPDATE macro The macro was not using the input parameters but rather the actual + variable name from the function (which was identical to input). + Patch by Stanislav Zidek. + +2016-05-03 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: gnutls_certificate_set_key: duplicate the + provided memory That is, do not assume that a heap allocated value is provided. + +2016-05-03 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-05-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-05-02 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/pkcs11/pkcs11-cert-import-url-exts.c, + tests/pkcs11/pkcs11-get-exts.c, + tests/pkcs11/pkcs11-get-raw-issuer-exts.c, + tests/pkcs11/pkcs11-mock.c, tests/pkcs11/pkcs11-mock.h: tests: added + a basic PKCS#11 mock module This is used to test gnutls_pkcs11_obj_get_exts(), + gnutls_x509_crt_import_url(), and gnutls_pkcs11_get_raw_issuer() + with the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag. + +2016-05-03 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: find_cert_cb: do not use C_FindObjectsInit() + when another is already running While some modules implicitly terminated the previous run, this is + not something that PKCS#11 modules are expected to typically do. 
+ +2016-05-03 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: the flag + GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be respected by + imported certificates That is, certificates imported with gnutls_pkcs11_obj_import_url() + or gnutls_x509_crt_import_url() will be able to be extracted with + their extensions overriden. Previously that was available only on + gnutls_pkcs11_get_raw_issuer() and friends. + +2016-05-03 Nikos Mavrogiannopoulos + + * lib/pkcs11x.c: pkcs11: find_ext_cb: eliminated memory leak + +2016-05-02 Nikos Mavrogiannopoulos + + * lib/pkcs11x.c: gnutls_pkcs11_obj_get_exts: updated documentation + [ci skip] + +2016-04-29 Nikos Mavrogiannopoulos + + * lib/gnutls_privkey_raw.c: corrected import issue in + gnutls_privkey_import_ecc_raw + +2016-04-29 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: x509/privkey: in raw import functions set the + parameter's algorithm type + +2016-04-26 Nikos Mavrogiannopoulos + + * tests/dane.c: tests: enhanced dane testing with offline + verification checks + +2016-04-26 Nikos Mavrogiannopoulos + + * libdane/dane.c: dane: verification will not fail if a CA entry is + encountered but cannot be verified That addresses the issue of verifying a single certificate against a + list of TLSA entries that contain an entry with CA usage (cert usage + 0). With the previous behavior verification would have failed, while + now this entry will be skipped. + +2016-04-26 Nikos Mavrogiannopoulos + + * lib/gnutls_cert.c, libdane/dane.c: doc: improved documentation on + certificate and DANE verification functions + +2016-04-18 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: _wrap_nettle_pk_derive: reject values of public + key that are over the prime That is do not canonicalise the value we get from the network, but + rather check it for validity. This saves a modular reduction on + handshake and performs a sanity check on the peer's (client) + parameters. Reported by Hubert Kario. 
Resolves #84 + +2016-04-13 Nikos Mavrogiannopoulos + + * lib/gnutls_sig.c: handshake: do not overwrite the server's + signature algorithm That is, correct a bug under which a client sending a certificate + would overwrite the server's idea about the used signature + algorithm. Reported by Hubert Kario. + +2016-04-12 Nikos Mavrogiannopoulos + + * lib/x509/ocsp.c: gnutls_ocsp_resp_get_single: fail if thisUpdate + is not available or unparsable That is because this field is not optional, and a failure on its + parsing is always fatal. Reported by Yuan Jochen Kang. + +2016-04-09 Nikos Mavrogiannopoulos + + * lib/x509/ocsp_output.c, lib/x509/output.c: x509 output: don't warn + about insecure algorithm when unknown + +2016-04-08 Nikos Mavrogiannopoulos + + * lib/pkix.asn, lib/pkix_asn1_tab.c: pkix.asn: corrected byKey + definition OCSP is defined in an EXPLICIT tags module, and as such we must tag + explicitly all of its tags. + +2016-04-05 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c: name constraints: enforce the rules + for IP constraints when adding This will prevent gnutls from generating badly formed certificates. + +2016-04-02 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-04-02 Nikos Mavrogiannopoulos + + * src/ocsptool-common.c: ocsptool: use HTTP/1.0 for requests This avoids issue with servers serving chunk encoding which ocsptool + doesn't support. Reported by Thomas Klute. 
+ +2016-03-30 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-03-30 Nikos Mavrogiannopoulos + + * lib/x509/output.c: x509/output: simplified cidr_to_string() + +2016-03-29 Nikos Mavrogiannopoulos + + * lib/x509/output.c: x509/output: print RFC5280 CIDRs in name + constraints + +2016-03-30 Nikos Mavrogiannopoulos + + * lib/system.c: system_recv_timeout(): verify that the file + descriptor is acceptable for select() + +2016-03-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-03-15 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-nc.pem: tests: template-test was updated + for OCSP key purpose reordering + +2016-03-15 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: do not require a CA for OCSP signing This follows the recommendations in RFC6960 in 4.2.2.2 which allow a + CA to delegate OCSP signing to another certificate without requiring + it to be a CA. Reported by Thomas Klute. + +2016-03-16 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: x86-common: CPUID override will + only work if CPU has already the capability present This resolves test suite failure on CPUs with limited capabilities. + Reported by Andreas Metzler. + +2016-03-18 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-03-18 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c: handshake: parse the mandatory to parse + extension prior to any callback call This relates to the change of ALPN extension to mandatory to parse, + and allows applications to get ALPN data prior to handshake + completion. + +2016-03-18 Nikos Mavrogiannopoulos + + * tests/mini-x509-callbacks.c: tests: verify that the + post-client-hello callback has access to ALPN data + +2016-03-18 Nikos Mavrogiannopoulos + + * tests/resume.c: tests: added checks for session resumption and + ALPN This checks whether the ALPN extension is re-read on resumption and + is negotiated. 
+ +2016-02-11 Nikos Mavrogiannopoulos + + * tests/resume.c: tests: resume: simplified structure assignment + using C99 syntax + +2016-03-15 Yuriy M. Kaminskiy + + * lib/ext/alpn.c: alpn: ALPN state is per-connection, it should not + be saved with session data In addition the extension was moved to the mandatory to parse to + ensure it is always parsed when sessions are resumed. rfc7301: Unlike many other TLS extensions, this extension does not + establish properties of the session, only of the connection. + When session resumption or session tickets [RFC5077] are used, the + previous contents of this extension are irrelevant, and only the + values in the new handshake messages are considered. Signed-off-by: Yuriy M. Kaminskiy 
Signed-off-by: + Nikos Mavrogiannopoulos + +2016-03-11 Nikos Mavrogiannopoulos + + * src/cli.c: gnutls-cli: fix invalid initialization in + cert_verify_ocsp() + +2016-03-10 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-03-08 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-03-08 Nikos Mavrogiannopoulos + + * tests/mini-loss-time.c: tests: backported mini-loss-time fixes + +2016-03-08 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-03-04 Nikos Mavrogiannopoulos + + * tests/slow/Makefile.am: tests: do not run hash-large twice + +2016-03-03 Nikos Mavrogiannopoulos + + * tests/version-checks.c: tests: corrected typo in version-checks + +2016-03-03 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: added check on build with SSL 3.0 + +2016-03-03 Nikos Mavrogiannopoulos + + * tests/suite/testsrn: tests: backported testsrn from 3.4 branch + +2016-03-03 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/cert-common.h, tests/version-checks.c: + tests: added check for version negotiation default prio string That verifies whether the support versions are negotiated. + +2016-03-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-03-03 Nikos Mavrogiannopoulos + + * configure.ac, lib/gnutls_priority.c: Remove SSL 3.0 from the + default priority strings That can be reverted by using the --with-ssl3 configure option. 
+ +2016-03-03 Nikos Mavrogiannopoulos + + * tests/slow/Makefile.am: tests: include test-hash-large into dist + +2016-03-01 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: separate builds with asan + +2016-03-01 Nikos Mavrogiannopoulos + + * lib/openpgp/extras.c: gnutls_openpgp_keyring_import: backported + mem leak fix + +2016-03-01 Nikos Mavrogiannopoulos + + * src/p11tool.c: p11tool: avoid warning with cast + +2016-03-01 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: eliminated memory leaks on cert + verification + +2016-03-01 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: backported memory leak fixes in PKCS#12 + handling + +2015-11-09 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: eliminate leaks in _verify_x509_mem() + +2015-11-09 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: eliminate memory leaks in certificate + generation + +2016-02-29 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version [ci skip] + +2016-02-29 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: avoid warning with cast + +2016-02-29 Nikos Mavrogiannopoulos + + * lib/ext/ecc.c: ecc: optimized extension parsing + +2016-02-29 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: fixed asan build for nettle3 + +2016-02-29 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-02-29 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c: timespec_sub_ms: fixed operation in 32-bit + systems + +2016-02-29 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: Fixes to prevent undefined behavior (found + with libubsan) + +2016-02-29 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/gnutls.h.in: gnutls.h: Fixes to prevent + undefined behavior (found with libubsan) + +2016-02-29 Nikos Mavrogiannopoulos + + * lib/gnutls_mem.h, lib/x509/x509.c: x509: Fixes to prevent + undefined behavior (found with libubsan) + +2016-02-26 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: added libasan build with nettle3 + 
+2016-02-25 Jan Vcelak + + * lib/x509/privkey_pkcs8.c: gnutls_x509_privkey_import: add missing + algorithm setting for DSA keys The algorithm number was set only in the private key structure, not + in the nested structure with parameters. This made certain + operations to fail (e.g., copying the key into a PKCS #11 token). 
Signed-off-by: Jan Vcelak + +2015-06-17 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-date.pem, + tests/cert-tests/template-dn.pem, + tests/cert-tests/template-generalized.pem, + tests/cert-tests/template-nc.pem, + tests/cert-tests/template-overflow.pem, + tests/cert-tests/template-overflow2.pem, + tests/cert-tests/template-test, tests/cert-tests/template-test.pem, + tests/cert-tests/template-utf8.pem: tests: regenerate the results in + template-test using UTC times + +2016-02-25 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-02-25 Nikos Mavrogiannopoulos + + * lib/x509/common.c, lib/x509/common.h: When writing the Time ASN.1 + structure follow the RFC5280 recommendations That is make sure we generate dates with UTCTime prior to 2050 and + GeneralizedTime format after 2050. + +2015-06-17 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, tests/cert-tests/template-date.pem, + tests/cert-tests/template-dn.pem, + tests/cert-tests/template-generalized.pem, + tests/cert-tests/template-generalized.tmpl, + tests/cert-tests/template-nc.pem, + tests/cert-tests/template-overflow.pem, + tests/cert-tests/template-overflow2.pem, + tests/cert-tests/template-test, tests/cert-tests/template-test.pem, + tests/cert-tests/template-utf8.pem: tests: verify that we generate + dates with UTCTime prior to 2050 Also that we generate dates with GeneralizedTime format after 2050. + +2016-02-19 Nikos Mavrogiannopoulos + + * lib/nettle/cipher.c: Prevent the encryption or decryption of more + than 2^32 bytes with nettle2 That is because of nettle2 API limitations. Unlike the hash + functions there is no real need for a wrapper as encrypting or + decrypting that amount of data is unlikely. 
+ +2016-02-13 Nikos Mavrogiannopoulos + + * tests/dsa/testdsa, tests/scripts/common.sh: tests: backported + testdsa to prevent random failures in test suite + +2016-02-13 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-02-13 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/hmac-padlock.c, + lib/accelerated/x86/hmac-x86-ssse3.c, + lib/accelerated/x86/sha-padlock.c, + lib/accelerated/x86/sha-padlock.h, + lib/accelerated/x86/sha-x86-ssse3.c, lib/accelerated/x86/sha-x86.h, + lib/accelerated/x86/x86-common.h, lib/nettle/gnettle.h, + lib/nettle/mac.c: nettle: use the correct type for hash and MAC + functions In addition allow for hashing of more than UINT_MAX data bytes with + nettle 2.x in 64-bit systems. + +2016-02-12 Nikos Mavrogiannopoulos + + * tests/slow/Makefile.am, tests/slow/hash-large.c, + tests/slow/test-hash-large: tests: check whether large buffer hashes + and MAC work as expected + +2016-02-10 Nikos Mavrogiannopoulos + + * tests/set_pkcs12_cred.c: tests: set_pkcs12_cred: existing tests + are disabled when in FIPS140-2 mode The tests require access to the RC4 cipher which is not available. + +2016-02-03 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2016-01-31 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2016-01-30 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-date.pem, + tests/cert-tests/template-dn.pem, tests/cert-tests/template-nc.pem, + tests/cert-tests/template-overflow.pem, + tests/cert-tests/template-overflow2.pem, + tests/cert-tests/template-test.pem: Revert "tests: updated to + account for cert generation after + c1405c6e08ef55421108bd4395588368f4122dda fix" This reverts commit 09dcbe564a85c021ebcbf7a3f28075d19c399ce4. + +2016-01-30 Nikos Mavrogiannopoulos + + * lib/x509/x509_ext.c: Revert "Fix out-of-bounds read in + gnutls_x509_ext_export_key_usage" This was a false negative and not a real out-of-bounds read. This + reverts commit c1405c6e08ef55421108bd4395588368f4122dda. 
+ +2016-01-21 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: Added build with ARCFOUR + +2016-01-21 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, lib/gnutls_priority.c, tests/priorities.c: + Added configure flag --with-arcfour128 This flag will re-enable ARCFOUR in the priority strings by default. + +2016-01-20 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-01-20 Nikos Mavrogiannopoulos + + * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c, + tests/record-sizes.c: Revert "Revert "tests: updated to account for + ARCFOUR being disabled"" This reverts commit a2f907d0d4e52eb4dd24cc1f5d7d892b21abfd83. + +2016-01-20 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: Revert "Revert "ARCFOUR is disabled from + the default priority strings"" This reverts commit b3b5db319d4246e4735017cc423b92175f713a89. + +2016-01-13 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c: gnutls_pubkey_import_x509_raw: fixed memory + leak + +2016-01-11 Nikos Mavrogiannopoulos + + * lib/x509/output.c: x509: place newline when printing unsupported + othernames + +2016-01-10 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-01-10 Nikos Mavrogiannopoulos + + * lib/ext/alpn.c: alpn: when parsing the list of protocols return at + the first mutually common That resolves an issue where the server wouldn't select the first + mutually supported. 
Resolves #63 + +2016-01-10 Nikos Mavrogiannopoulos + + * tests/mini-alpn.c: tests: mini-alpn: corrected protocol selection + order + +2016-01-10 Nikos Mavrogiannopoulos + + * tests/mini-alpn.c: tests: alpn: enhance the testing of ALPN + negotiation + +2016-01-09 Nikos Mavrogiannopoulos + + * lib/ext/alpn.c: alpn: document how the selected protocol is + selected [ci skip] + +2016-01-09 Nikos Mavrogiannopoulos + + * tests/mini-alpn.c: tests: verify that the selected ALPN protocol + is the first advertised + +2016-01-08 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.20 + +2016-01-08 Nikos Mavrogiannopoulos + + * NEWS: reverted ARCFOUR removal change + +2016-01-08 Nikos Mavrogiannopoulos + + * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c, + tests/record-sizes.c: Revert "tests: updated to account for ARCFOUR + being disabled" This reverts commit 45926d9561b2e888c505524663b7c7ad87c263bc. + +2016-01-08 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: Revert "ARCFOUR is disabled from the + default priority strings" This reverts commit 76be7bda79d6785eeab3ef8e96db026ad7aac9c3. 
+ +2016-01-07 Nikos Mavrogiannopoulos + + * configure.ac: configure: no longer distribute lzip tarballs + +2015-11-25 Nikos Mavrogiannopoulos + + * src/libopts/text_mmap.c: libopts: use the O_BINARY flag in windows + for files + +2015-11-25 Nikos Mavrogiannopoulos + + * src/libopts/COPYING.gplv3, src/libopts/COPYING.lgplv3, + src/libopts/COPYING.mbsd, src/libopts/Makefile.am, + src/libopts/README, src/libopts/ag-char-map.h, src/libopts/alias.c, + src/libopts/ao-strs.c, src/libopts/ao-strs.h, + src/libopts/autoopts.c, src/libopts/autoopts.h, + src/libopts/autoopts/options.h, src/libopts/autoopts/project.h, + src/libopts/autoopts/usage-txt.h, src/libopts/boolean.c, + src/libopts/check.c, src/libopts/compat/compat.h, + src/libopts/compat/pathfind.c, src/libopts/compat/windows-config.h, + src/libopts/configfile.c, src/libopts/cook.c, src/libopts/enum.c, + src/libopts/env.c, src/libopts/file.c, src/libopts/find.c, + src/libopts/genshell.c, src/libopts/genshell.h, + src/libopts/gettext.h, src/libopts/init.c, src/libopts/intprops.h, + src/libopts/libopts.c, src/libopts/load.c, + src/libopts/m4/libopts.m4, src/libopts/m4/liboptschk.m4, + src/libopts/m4/stdnoreturn.m4, src/libopts/makeshell.c, + src/libopts/nested.c, src/libopts/numeric.c, + src/libopts/option-value-type.c, + src/libopts/option-xat-attribute.c, src/libopts/parse-duration.c, + src/libopts/parse-duration.h, src/libopts/pgusage.c, + src/libopts/proto.h, src/libopts/putshell.c, src/libopts/reset.c, + src/libopts/restore.c, src/libopts/save.c, src/libopts/sort.c, + src/libopts/stack.c, src/libopts/stdnoreturn.in.h, + src/libopts/streqvcmp.c, src/libopts/text_mmap.c, + src/libopts/time.c, src/libopts/tokenize.c, src/libopts/usage.c, + src/libopts/version.c: libopts: updated to 5.18.6 + +2016-01-07 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2016-01-07 Nikos Mavrogiannopoulos + + * Makefile.am, symbols.last: symbols.last: don't include internal + symbols into exported list + 
+2016-01-07 Nikos Mavrogiannopoulos + + * NEWS: NEWS: doc update + +2016-01-05 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-date.pem, + tests/cert-tests/template-dn.pem, tests/cert-tests/template-nc.pem, + tests/cert-tests/template-overflow.pem, + tests/cert-tests/template-overflow2.pem, + tests/cert-tests/template-test.pem: tests: updated to account for + cert generation after c1405c6e08ef55421108bd4395588368f4122dda fix + +2016-01-05 Nikos Mavrogiannopoulos + + * tests/Makefile.am: tests: Makefile.am: removed invalid program ld + flags + +2016-01-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2016-01-04 Tim Kosse + + * lib/x509/x509_ext.c: Fix out-of-bounds read in + gnutls_x509_ext_export_key_usage + +2016-01-01 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: optimized build process That is, in slow asan and valgrind builds don't check the full test + suite. + +2015-12-31 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: fixes to store the imported URL This ammends 603d0db776537c19bdfd907e0fc77c7321874bf0 with changes + for the 3.3.x branch. + +2015-12-31 Nikos Mavrogiannopoulos + + * NEWS: doc update [ci skip] + +2015-12-31 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-12-31 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: import public keys from any + available object That is, load public keys from the public key object, or the + certificate object if they are present. That affects non-RSA public + keys which do not contain all required fields on the private key + object. + +2015-12-31 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected + the writing of ECC private key + +2015-12-31 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected + the type of the written object Previously only RSA objects were correctly written. 
+ +2015-12-24 Nikos Mavrogiannopoulos + + * NEWS: NEWS: doc update [ci skip] + +2015-12-23 Nikos Mavrogiannopoulos + + * lib/ext/max_record.c: max_record: don't consider this extension on + DTLS That is because it doesn't work as expected, and does not fragment + handshake messages. Relates with #61 + +2015-12-20 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-04-28 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c, tests/name-constraints.c: Handle DNS + name constraints with leading dot Patch by Fotis Loukos. Resolves 3 
Signed-off-by: Nikos Mavrogiannopoulos + +2015-12-15 Nikos Mavrogiannopoulos + + * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c, + tests/record-sizes.c: tests: updated to account for ARCFOUR being + disabled + +2015-12-15 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-12-15 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: ARCFOUR is disabled from the default + priority strings ARCFOUR is a cipher known to be broken theoretically and + practically. Configurations that depend on that cipher being on + should explicitly enable it. Resolves #23 + +2015-12-08 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: Do not allow importing public keys from PKCS + #11 private keys for DSA and ECDSA This prevents the reading of the public key when non-RSA keys are + available. This is a much cleaner approach than + 5a4e692511dc3a829eda0d7c5a87e56cbc2055f0. + +2015-12-08 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h, + lib/pkcs11_privkey.c: Revert "Do not allow importing public keys + from PKCS #11 private keys for DSA and ECDSA" This reverts commit 0e79aabab519a6b568cf8c31b38523cce7416bd8. + +2015-12-06 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-12-06 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h, + lib/pkcs11_privkey.c: Do not allow importing public keys from PKCS + #11 private keys for DSA and ECDSA That is, because they do not contain all the required parameters for + a direct import. Reported by Jan Vcelak. 
+ +2015-12-06 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: avoid setting a variable which isn't + used + +2015-12-06 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: pkcs11: + deinitialize gnutls_pkcs11_obj_t's pubkey on deinit + +2015-12-06 Jan Vcelak + + * lib/pkcs11_privkey.c: pkcs11: fix passing of incorrect variable in + privkey_get_pubkey The code worked for RSA because the content of the variables + matched. But it doesn't match for ECC. CKM_RSA_PKCS_KEY_PAIR_GEN (0x0) == CKK_RSA (0x0) + CKM_ECDSA_KEY_PAIR_GEN (0x1040) != CKK_ECDSA (0x3) 
Signed-off-by: Jan Vcelak + +2015-11-30 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: allow specifying NULL buffer in + gnutls_x509_crt_get_*_unique_id() + +2015-11-22 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.19 + +2015-11-21 Nikos Mavrogiannopoulos + + * symbols.last: updated auto-generated files + +2015-11-21 Nikos Mavrogiannopoulos + + * doc/scripts/getfuncs.pl: getfuncs.pl: don't consider functions + with _gnutls prefix + +2015-11-21 Nikos Mavrogiannopoulos + + * lib/gnutls_global.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: gnutls_global_init_skip: prefixed with an + underscore + +2015-11-21 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2015-11-19 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-11-16 Nikos Mavrogiannopoulos + + * tests/global-init-override.c, tests/global-init.c: tests: + corrected copyright info + +2015-11-16 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/global-init-override.c: tests: added + check for overriding global initialization + +2015-11-16 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: documented GNUTLS_SKIP_GLOBAL_INIT macro + +2015-11-16 Nikos Mavrogiannopoulos + + * lib/gnutls_global.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: Added GNUTLS_SKIP_GLOBAL_INIT macro to allow + programs skip implicit global initialization + +2015-11-16 Nikos Mavrogiannopoulos + + * tests/utils.c, tests/utils.h: utils: backported sec_sleep() + +2015-11-16 Nikos Mavrogiannopoulos + + * tests/mini-handshake-timeout.c: tests: backported + mini-handshake-timeout + +2015-11-16 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: added build and check in FIPS140-2 + mode + +2015-11-16 Nikos Mavrogiannopoulos + + * tests/mini-dtls-record.c, tests/resume-dtls.c: tests: backported + mini-dtls-record.c and resume-dtls.c + +2015-11-16 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: .gitlab-ci.yml: remove the minimal library from + targets + +2015-11-15 Nikos 
Mavrogiannopoulos + + * lib/x509/x509_write.c: disable_optional_stuff: don't disable + unique IDs if set There are sideways set these values even if they are not in the + public API, and we shouldn't disable them unconditionally. + +2015-11-15 Nikos Mavrogiannopoulos + + * .gitlab-ci.yml: Added CI build rules + +2015-11-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-11-09 Nikos Mavrogiannopoulos + + * lib/algorithms/ciphersuites.c, tests/mini-record.c: Require TLS + 1.2 for all the ciphersuites which are defined for it only This solves an interoperability issue with openssl. Reported by + Viktor Dukhovni. + +2015-11-11 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-11-11 Nikos Mavrogiannopoulos + + * lib/auth/dhe.c, lib/auth/ecdhe.c: Allow switching a ciphersuite to + DHE and ECDHE on a rehandshake + +2015-11-08 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-11-03 Nikos Mavrogiannopoulos + + * lib/gnutls.pc.in: gnutls.pc: don't use the libtool version of the + link options Reported by Dan Kegel. Resolves #49 + +2015-10-23 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-10-15 Nikos Mavrogiannopoulos + + * lib/algorithms/ciphers.c, lib/gnutls_cipher_int.c, + lib/gnutls_priority.c: Disable the NULL cipher on runtime when + FIPS140 mode is enabled instead of statically That way the NULL cipher can be used when not in FIPS140 mode. + +2015-10-15 Nikos Mavrogiannopoulos + + * lib/algorithms.h, lib/algorithms/ciphers.c, lib/algorithms/kx.c, + lib/gnutls_int.h, lib/gnutls_priority.c: backport: Tolerate priority + strings with names of legacy ciphers and key exchanges That enables better backwards compatibility with old applications + which disable or enable algorithms which no longer are supported. 
+ Relates #44 + +2015-10-15 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-10-15 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: pkcs11: write CKA_ISSUER and CKA_SERIAL_NUMBER + when writing on a certificate That allows NSS to read and use the written certificate. Resolves + #43 + +2015-10-12 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-10-12 Lennert Buytenhek + + * lib/nettle/pk.c: Fix memory leak in wrap_nettle_hash_algorithm(). wrap_nettle_hash_algorithm() leaks an mpz_t if it is called with pk + == GNUTLS_PK_RSA and sig == NULL, in which case it will return + without going through the regular exit path that clears the mpz_t it + allocated at the beginning of the function. Use the regular exit + path instead to fix this. This leak can be triggered via calls to + gnutls_pubkey_get_preferred_hash_algorithm(). 
Signed-off-by: Lennert Buytenhek + +2015-09-14 Nikos Mavrogiannopoulos + + * lib/gnutls_str.c: _gnutls_hex2bin: avoid overrun in the provided + buffer + +2015-09-12 Nikos Mavrogiannopoulos + + * doc/manpages/tpmtool.1: tpmtool.1: updated + +2015-09-12 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2015-09-11 Nikos Mavrogiannopoulos + + * lib/x509/output.c: Don't use formatted output for fixed strings Resolves #35 + +2015-08-21 Nikos Mavrogiannopoulos + + * lib/gnutls_session_pack.c: session packing: corrected issue in PSK + session unpack + +2015-08-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-08-21 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c, lib/x509/verify-high2.c: x509: when + appending CRLs to a trust list ensure that we don't have duplicates That is, overwrite CRLs if they have been obsoleted. + +2015-08-21 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: allow exporting very long CRLs + +2015-08-19 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-08-12 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, tests/cert-tests/crl: tests: check + whether the CRL generation code works as expected + +2015-08-12 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: removed limit on maximum imported + certificates in the -i option + +2015-08-12 Nikos Mavrogiannopoulos + + * src/certtool-common.c, src/certtool.c: certtool: eliminated memory + leaks due to new cert loading code + +2015-08-12 Nikos Mavrogiannopoulos + + * src/certtool-common.c, src/certtool-common.h: certtool: lifted + limits on file size to load + +2015-08-10 Nikos Mavrogiannopoulos + + * Makefile.am: before dist ensure that included libopts matches + autogen + +2015-08-09 Nikos Mavrogiannopoulos + + * tests/suite/mini-eagain2.c: tests: backported fix in mini-eagain2 + +2015-08-09 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: pkcs11: increase attributes size in + gnutls_pkcs11_copy_x509_privkey + +2015-08-09 Nikos 
Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2015-08-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-08-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-08-03 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11: set + the CKA_TOKEN attribute on generated public keys That also introduces the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY + flag, to simulate the previous behavior. + +2015-07-31 Nikos Mavrogiannopoulos + + * lib/ext/safe_renegotiation.c: safe renegotiation: simulate + receiving the extension on receival of SCSV + +2015-07-31 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-07-31 Nikos Mavrogiannopoulos + + * lib/ext/safe_renegotiation.c: safe renegotiation: handle case + where client didn't send any extension That was affected by the "don't try to send extensions we didn't + receive". + +2015-07-31 Nikos Mavrogiannopoulos + + * lib/gnutls_extensions.c, lib/gnutls_handshake.c, lib/gnutls_int.h: + As server don't try to send extensions we didn't receive. + +2015-07-20 Nikos Mavrogiannopoulos + + * lib/x509/common.c: Reset the output value on error in + _gnutls_x509_dn_to_string() Reported by Kurt Roeckx. + +2015-07-20 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c: gnutls_prf: document that this is not + identical to RFC5705 + +2015-07-20 Nikos Mavrogiannopoulos + + * src/p11tool-args.def: p11tool: fix documentation for + --generate-ecc and generate-dsa + +2015-07-12 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2015-07-10 Nikos Mavrogiannopoulos + + * lib/ext/dumbfw.c: corrected function name + +2015-07-10 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-07-10 Nikos Mavrogiannopoulos + + * lib/auth/dhe_psk.c: PSK: set the hint in DHE-PSK and ECDHE-PSK + ciphersuites + +2015-07-09 Nikos Mavrogiannopoulos + + * lib/ext/dumbfw.c: dumbfw: don't append a size prefix in the pad Reported by Hannes Mehnert. 
+ +2015-07-02 Daniel Kahn Gillmor + + * src/certtool.c: certtool --outder should not emit signature + verification status When emitting binary-formatted output, send signature verification + status to stderr, since it is not binary-formatted output. A simpler version of this patch would be to always send signature + verification to stderr, but that would change the text-formatted + output. + +2015-07-01 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-07-01 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c: DSA: the numeric number of bits returned from + public key should depend on P not Y That allows to do the proper evaluation to check certificate + strength. Reported by Hubert Kario. + +2015-07-01 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-07-01 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c: name constraints: don't reject + certificates if a CA has the URI or IPADDRESS constraints Don't reject certificates if a CA has the URI or IPADDRESS + constraints, and the end certificate doesn't have an IPaddress name + or a URI set. + +2015-06-26 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: enhanced header matching code for private keys + to skip unrelated data + +2015-06-25 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-06-25 Nikos Mavrogiannopoulos + + * tests/suite/Makefile.am, tests/suite/ciphersuite/scan-gnutls.sh, + tests/suite/ciphersuite/test-ciphers.js, + tests/suite/ciphersuite/test-ciphersuites.sh, + tests/suite/test-ciphersuite-names: tests: backported + test-ciphersuite-names from master + +2015-06-25 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: gnutls_x509_privkey_import2: better behavior + when provided with an unencrypted file That is, it will attempt to decode it first as plain file prior to + trying all encrypted options. 
+ +2015-06-25 Nikos Mavrogiannopoulos + + * lib/x509/key_decode.c, lib/x509/mpi.c: _gnutls_get_asn_mpis() will + release any data on failure Resolves #15 + +2015-06-11 Nikos Mavrogiannopoulos + + * tests/suite/testcompat-main: tests: backported test-compat-main + from master + +2015-06-10 Nikos Mavrogiannopoulos + + * lib/nettle/cipher.c: Corrected camellia256 set key in nettle3 + compat mode + +2015-06-04 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes.c: drbg-aes: include gnutls_errors.h + +2015-06-03 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes-self-test.c: fips140: added check for + reseed detection + +2015-06-03 Nikos Mavrogiannopoulos + + * tests/rng-fork.c: tests: check random generator for long outputs + as well + +2015-06-03 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes.c: fips140: reset the reseed counter only + on reseed + +2015-06-03 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes-self-test.c: fips140: added more checks on + the reseed and generate function + +2015-06-03 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes.c, lib/nettle/int/drbg-aes.h: fips140: + enforce the max_number_of_bits_per_request + +2015-05-26 Nikos Mavrogiannopoulos + + * lib/x509/ocsp_output.c: Check the OID size for match when + comparing for the OCSP nonce extension Reported by Hanno Böck. + +2015-05-23 Armin Burgmeier + + * lib/gnutls_ui.c: gnutls_dh_get_prime_bits: return 0 if DH is not + used Before, the number of bits of a zero-length number was attempted to + be extracted, resulting in an error. The changed behaviour is + consistent with the documentation which explicitly states that 0 + should be returned if no DH key exchange was performed. 
+ +2015-05-22 Nikos Mavrogiannopoulos + + * lib/gnutls_ui.c: gnutls_dh_get_group: mention that the values may + include a leading zero + +2015-05-21 Nikos Mavrogiannopoulos + + * lib/gnutls_ui.c: gnutls_dh_set_prime_bits: warn when overriding + the DH max prime size with 1007 bits or less + +2015-05-14 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-05-13 Nikos Mavrogiannopoulos + + * configure.ac, lib/accelerated/x86/aes-gcm-padlock.c, + lib/accelerated/x86/aes-gcm-x86-aesni.c, + lib/accelerated/x86/aes-gcm-x86-ssse3.c, + lib/accelerated/x86/aes-padlock.c, + lib/accelerated/x86/sha-padlock.c, + lib/accelerated/x86/sha-x86-ssse3.c, lib/nettle/Makefile.am, + lib/nettle/cipher.c, lib/nettle/int/dsa-fips.h, + lib/nettle/int/dsa-keygen-fips186.c, lib/nettle/int/dsa-validate.c, + lib/nettle/pk.c, m4/hooks.m4, tests/dsa/testdsa: Allow using nettle3 + with gnutls3.3 + +2015-05-06 Nikos Mavrogiannopoulos + + * tests/sign-md5-rep.c: tests: updated sign-md5-rep to reduce false + failures + +2015-05-05 Nikos Mavrogiannopoulos + + * tests/mini-loss-time.c: tests: eliminate mem leaks in + mini-loss-time + +2015-05-05 Nikos Mavrogiannopoulos + + * tests/mini-loss-time.c: tests: backported mini-loss-time from + master + +2015-04-28 Jan Vcelak + + * lib/nettle/pk.c: fix memory leak in ECDSA key parameters + verification 
Signed-off-by: Jan Vcelak + +2015-05-03 Nikos Mavrogiannopoulos + + * NEWS: updated NEWS + +2015-05-03 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: released 3.3.15 + +2015-04-30 Nikos Mavrogiannopoulos + + * lib/gnutls_dtls.c: doc: updated gnutls_dtls_set_timeouts + +2015-04-30 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c: gnutls_handshake_set_timeout will properly + work with DTLS + +2015-04-30 Nikos Mavrogiannopoulos + + * doc/examples/ex-client-dtls.c: doc: fixed example with DTLS + timeouts + +2015-04-28 Nikos Mavrogiannopoulos + + * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h: updated + minitasn1 + +2015-04-25 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-04-25 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/sign-md5-rep.c: tests: added reproducer + for the MD5 acceptance issue Reported by Karthikeyan Bhargavan. + + http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.htmlConflicts: tests/Makefile.am + +2015-04-25 Nikos Mavrogiannopoulos + + * lib/ext/signature.c: before falling back to SHA1 as signature + algorithm in TLS 1.2 check if it is enabled + +2015-04-25 Nikos Mavrogiannopoulos + + * lib/ext/signature.c: _gnutls_session_sign_algo_enabled: do not + consider any values from the extension data to decide acceptable + algorithms + +2015-04-25 Nikos Mavrogiannopoulos + + * lib/auth/cert.c: set the value used by + gnutls_certificate_client_get_request_status prior to selecting + certificate That allows gnutls_certificate_client_get_request_status() to be + properly operating from the callback. Reported by Anton Lavrentiev. 
+ +2015-04-22 Nikos Mavrogiannopoulos + + * lib/gnutls_cert.c: fixed doc: reported by Anton Lavrentiev + +2015-04-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-04-20 Nikos Mavrogiannopoulos + + * lib/gnutls_ui.c: gnutls_certificate_get_ours: will return the + certificate even if a callback was used This corrects a bug where this function would not work, when + gnutls_certificate_set_retrieve_function2() was used. + +2015-04-20 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: ensure that the X.509 version number is one byte + only + +2015-04-20 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: Check for invalid length in the X.509 version + field If such an invalid length is detected, reject the certificate. + Reported by Hanno Böck. + +2015-03-30 Nikos Mavrogiannopoulos + + * tests/mini-loss-time.c: tests: mini-loss-time: ignore sigpipe + +2015-03-30 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.14 + +2015-03-30 Nikos Mavrogiannopoulos + + * tests/suite/testcompat-main: tests: change the default port in + testcompat to avoid clash with testsrn + +2015-03-30 Nikos Mavrogiannopoulos + + * doc/texinfo.css: doc: increase border spacing in HTML tables + +2015-03-29 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2015-03-29 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-03-28 Nikos Mavrogiannopoulos + + * lib/gnutls_int.h: do not penalize CBC ciphers with the maximum + send data size That reduced the maximum send size for CBC ciphers from 16384 to + 16384-(block size), which was unnecessary and was causing issues: + https://bugs.winehq.org/show_bug.cgi?id=37500 + +2015-03-29 Nikos Mavrogiannopoulos + + * lib/algorithms/ciphersuites.c, + tests/suite/ciphersuite/scan-gnutls.sh: made ciphersuites.c more + self-contained to be handled by test-ciphersuites.sh + +2015-03-28 Nikos Mavrogiannopoulos + + * lib/x509/x509_ext.c: Better fix for the double free in dist point + parsing + +2015-03-28 Nikos Mavrogiannopoulos + + * 
lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h: updated + libtasn1 + +2015-03-28 Nikos Mavrogiannopoulos + + * lib/gnutls_datum.c, lib/gnutls_datum.h, lib/x509/gnutls-idna.c, + lib/x509/x509_ext.c: gnutls_subject_alt_names_set and + gnutls_x509_aki_set_cert_issuer will set null-terminated strings + +2015-03-23 Nikos Mavrogiannopoulos + + * lib/x509/x509_ext.c: eliminated double-free in the parsing of dist + points Reported by Robert Święcki. + +2015-03-27 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-03-27 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: increased + the size of ck_attributes + +2015-03-27 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: check gnutls_rnd() for error + condition + +2015-03-27 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: set a + CKA_ID on key generation + +2015-03-26 Nikos Mavrogiannopoulos + + * lib/pkcs11_write.c: pkcs11: set the CKA_SIGN and CKA_DECRYPT flags + when writing a private key + +2015-03-26 Nikos Mavrogiannopoulos + + * lib/ext/server_name.c: When an application calls + gnutls_server_name_set() with a name of zero size disable the + extension Resolves #2 + +2015-03-25 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-03-25 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c: name constraints: when no name of the + type is found, accept the certificate This follows RFC5280 advice closely. Reported by Fotis Loukos. + +2015-03-20 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c: avoid overflow when receiving DTLS 0.9 CCS + +2015-03-13 Nikos Mavrogiannopoulos + + * lib/gnutls_supplemental.c: Fixed handling of supplemental data + with types > 255. Patch by Thierry Quemerais. 
+ +2015-03-13 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: doc update + +2015-03-13 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: gnutls_priority_init: document that + priorities can be NULL + +2015-03-13 Nikos Mavrogiannopoulos + + * lib/crypto-selftests.c: corrected self test for 3DES + +2015-03-11 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: only set ID and label when both size and + data are set + +2015-03-05 Nikos Mavrogiannopoulos + + * configure.ac: configure: check for /usr/share/dns/root.key as well + for dns root key + +2015-03-09 Nikos Mavrogiannopoulos + + * m4/hooks.m4: corrected macro which checks libtasn1 for + asn1_decode_simple_ber + +2015-03-09 Nikos Mavrogiannopoulos + + * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h, + lib/minitasn1/parser_aux.c: minitasn1: updated to libtasn1 4.3 + +2015-03-09 Nikos Mavrogiannopoulos + + * doc/cha-internals.texi: rearranged internal documentation + +2015-03-09 Nikos Mavrogiannopoulos + + * src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def, + src/socket.c: tools: added ftp as a starttls protocol + +2015-03-09 Nikos Mavrogiannopoulos + + * src/cli-args.def: gnutls-cli: starttls and starttls-proto can't + mix + +2015-03-07 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: expand on SECURE256 being an alias to + SECURE192 + +2015-03-06 Nikos Mavrogiannopoulos + + * src/tests.c: gnutls-cli-debug: corrected check of certificate + chain order + +2015-03-06 Nikos Mavrogiannopoulos + + * tests/x509cert.c: tests: added small test to verify that + GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED succeeds with a single cert + +2015-03-06 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/tests.c: gnutls-cli-debug: disable + unsupported TLS protocols as soon + +2015-03-06 Nikos Mavrogiannopoulos + + * src/socket.c: cli sockets: check for a digit prior using atoi + +2015-03-06 Nikos Mavrogiannopoulos + + * src/tests.c: gnutls-cli-debug: a cert list of size 1 is always + sorted + +2015-03-06 
Nikos Mavrogiannopoulos + + * src/socket.c: gnutls-cli-debug: do not warn multiple times about + unknown protocols + +2015-03-06 Nikos Mavrogiannopoulos + + * doc/cha-support.texi: updated documentation on FIPS140-2 + +2015-03-05 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, + tests/cert-tests/template-basic.pem, + tests/cert-tests/template-basic.tmpl, + tests/cert-tests/template-test: Revert "tests: template-test: added + a baseline check to detect slow systems" This reverts commit 2ee2a78178a842c9b0ef2ca3e12909ca3bb9fe79. + +2015-03-05 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-test: tests: don't perform the overflow + check in 32-bit systems + +2015-03-05 Nikos Mavrogiannopoulos + + * tests/cert-tests/template-date.pem, + tests/cert-tests/template-date.tmpl: tests: date parsing test was + modified to work in 32-bit systems + +2015-03-05 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, + tests/cert-tests/template-basic.pem, + tests/cert-tests/template-basic.tmpl, + tests/cert-tests/template-test: tests: template-test: added a + baseline check to detect slow systems + +2015-03-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-12 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: testpkcs11: do not ignore the failure to + write a trusted CA + +2015-01-05 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: testpkcs11: detect softhsm2 + +2015-03-04 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c, lib/tpm.c, lib/x509/common.c, + lib/x509/common.h, lib/x509/dn.c, lib/x509/ocsp.c, + lib/x509/pkcs12.c, lib/x509/pkcs12_bag.c, lib/x509/x509_ext.c, + m4/hooks.m4: use asn1_decode_simple_ber if available + +2015-02-27 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/abstract.h: list + gnutls_pubkey_get_verify_algorithm as deprected + +2015-02-26 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c: corrected typo in gnutls_handshake(), + spotted by Andris Mednis + +2015-02-25 Nikos Mavrogiannopoulos + + * NEWS, 
configure.ac, m4/hooks.m4: released 3.3.13 + +2015-02-20 Nikos Mavrogiannopoulos + + * tests/cert-tests/Makefile.am, tests/cert-tests/invalid-sig, + tests/cert-tests/invalid-sig2.pem, + tests/cert-tests/invalid-sig3.pem: tests: added checks for invalid + X.509 certificate signatures + +2015-02-24 Nikos Mavrogiannopoulos + + * lib/gnutls_session.c: doc update: document that session_get_data() + must be used in non-resumed sessions + +2015-02-21 Nikos Mavrogiannopoulos + + * tests/suite/testcompat-main: tests: testcompat: disable tests with + NULL ciphersuites; debian doesn't support them + +2015-02-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-02-21 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: fixed handling of GNUTLS_E_INT_CHECK_AGAIN + +2015-02-21 Nikos Mavrogiannopoulos + + * tests/mini-overhead.c, tests/mini-record.c: tests: require DTLS + 1.2 when using GCM + +2015-02-21 Nikos Mavrogiannopoulos + + * lib/algorithms/ciphersuites.c: corrected check which prevented + client to sent an unacceptable for the version ciphersuite + +2015-02-20 Nikos Mavrogiannopoulos + + * lib/gnutls_record.c: fixed sequence number copy + +2015-02-17 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-02-17 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: when importing a certificate ensure that the + signature parameters match + +2015-02-14 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-02-14 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: Allow AESNI GCM accelaration in + x86 + +2015-02-04 Nikos Mavrogiannopoulos + + * src/cli.c: handle differently OCSP responses that are revoked and + of unknown status + +2015-02-01 Nikos Mavrogiannopoulos + + * src/common.c: compilation fix with return on void function; + reported by David Marx + +2015-01-29 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c: doc update + +2015-01-29 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: set the appropriate direction when + _gnutls_io_write_flush() is called + 
+2015-01-28 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: documented using a session with fork or + multiple threads + +2015-01-25 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: print errno in a more uniform way + +2015-01-19 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: on certificate import check whether the two + signature algorithms match + +2015-01-25 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: simplified _gnutls_writev() by requiring the + total length + +2015-01-19 Nikos Mavrogiannopoulos + + * src/cli.c, src/ocsptool-common.c, src/ocsptool-common.h: don't be + so verbose about the OCSP nonce; it is universally unsupported + +2015-01-17 Tim Ruehsen + + * src/cli.c, src/ocsptool-common.c: OCSP check the whole cert chain 
Signed-off-by: Nikos Mavrogiannopoulos + +2015-01-17 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.12 + +2015-01-16 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-16 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped versions + +2015-01-16 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-16 Nikos Mavrogiannopoulos + + * libdane/errors.c: corrected typos Reported by Guido Kroon. + +2015-01-16 Nikos Mavrogiannopoulos + + * lib/algorithms/protocols.c, lib/gnutls_int.h: Added the notion of + obsolete versions That prevents using these versions as record version numbers, unless + they are the only protocol supported. This avoids the issues with + servers that have banned SSL 3.0 record versions. + +2015-01-16 Nikos Mavrogiannopoulos + + * src/ocsptool-common.c: ocsptool: follow the documented process for + gnutls_x509_crt_get_authority_info_access + +2015-01-16 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: gnutls_x509_crt_get_authority_info_access: doc + update + +2015-01-15 Nikos Mavrogiannopoulos + + * src/ocsptool-common.c: ocsptool-common: iterate through all AIA + items prior to decidig the OCSP server + +2015-01-13 Nikos Mavrogiannopoulos + + * src/cli-args.def: simplified text for inline-commands-prefix + +2015-01-12 Nikos Mavrogiannopoulos + + * NEWS: doc update: added urls of savannah reports + +2015-01-12 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-12 Nikos Mavrogiannopoulos + + * src/cli-args.def, src/cli.c, src/socket.c: gnutls-cli: added + --starttls-proto option + +2015-01-12 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: cleanup the name of types Conflicts: lib/pkcs11.c + +2015-01-12 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: when importing a public key, import it's + data as well (version 2 fix) + +2015-01-12 Nikos Mavrogiannopoulos + + * lib/x509/verify.c: doc update + +2015-01-11 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: when importing a public key, import it's + data as well + 
+2015-01-11 Nikos Mavrogiannopoulos + + * lib/gnutls_cert.c: doc update + +2015-01-10 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-10 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c: When setting up TLS with cert-type OpenPGP + from a client, the server verifies if it supports the extension’s + contents in _gnutls_session_cert_type_supported(). This function + checks for cred->get_cert_callback but not cred->get_cert_callback2. + As a result, servers setup for OpenPGP certificate credential + callback with gnutls_certificate_set_retrieve_function2() are unable + to use the OpenPGP certificate type. The solution is to consider cred->get_cert_callback2 alongside + cred->get_cert_callback in _gnutls_session_cert_type_supported(). Patch by Rick van Rein. + +2015-01-10 Nikos Mavrogiannopoulos + + * lib/gnutls_privkey.c: gnutls_privkey_import_openpgp_raw: do not + release the cached value + +2015-01-08 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-08 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c, lib/gnutls_errors.h: When receiving a TLS + record with multiple handshake packets, parse them in one go That resolves: https://savannah.gnu.org/support/?108712 + +2015-01-08 Ludovic Courtès + + * NEWS, guile/modules/gnutls.in: guile: Call 'load-extension' both + during expansion and at run time. Fixes . * guile/modules/gnutls.in: Wrap '%libdir' definition and 'load-extension' call in 'eval-when'. * NEWS: Update. 
+ +2015-01-06 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-06 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: in DTLS don't combine multiple packets which + exceed MTU Resolves: https://savannah.gnu.org/support/?108715 + +2015-01-06 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: Added more precise check of push functions + availability + +2015-01-06 Nikos Mavrogiannopoulos + + * src/Makefile.am: danetool: only compile when dane is enabled + +2014-12-11 Nikos Mavrogiannopoulos + + * lib/crypto-backend.c: Allow a random generator with the same + priority to re-register That corrects an issue where the library is deinitialized, and + reinitialization wouldn't register the same rnd module. Reported by + Stanislav Zidek. + +2015-01-04 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c: certtool: modified check for READ_NUMERIC + +2015-01-04 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c: certtool: use 64-bit type for CRL serial + number + +2015-01-04 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c: certtool: check for overflows when reading + serial numbers + +2015-01-04 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c, src/certtool-cfg.h: certtool: use int64_t as + type for integers read + +2015-01-04 Nikos Mavrogiannopoulos + + * src/socket.c: gnutls-cli-debug: more precise handling of SMTP + protocol Patch by Andreas Metzler. 
+ +2015-01-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2015-01-04 Nikos Mavrogiannopoulos + + * gl/Makefile.am, gl/alloca.in.h, gl/asnprintf.c, gl/asprintf.c, + gl/base64.c, gl/base64.h, gl/byteswap.in.h, gl/c-ctype.c, + gl/c-ctype.h, gl/errno.in.h, gl/float+.h, gl/float.c, + gl/float.in.h, gl/fstat.c, gl/ftell.c, gl/ftello.c, gl/getdelim.c, + gl/getline.c, gl/gettext.h, gl/gettimeofday.c, gl/hash-pjw-bare.c, + gl/hash-pjw-bare.h, gl/intprops.h, gl/itold.c, gl/lseek.c, + gl/m4/00gnulib.m4, gl/m4/absolute-header.m4, gl/m4/alloca.m4, + gl/m4/base64.m4, gl/m4/byteswap.m4, gl/m4/codeset.m4, + gl/m4/errno_h.m4, gl/m4/exponentd.m4, gl/m4/extensions.m4, + gl/m4/extern-inline.m4, gl/m4/fcntl-o.m4, gl/m4/fcntl_h.m4, + gl/m4/fdopen.m4, gl/m4/float_h.m4, gl/m4/fpieee.m4, + gl/m4/fseeko.m4, gl/m4/fstat.m4, gl/m4/ftell.m4, gl/m4/ftello.m4, + gl/m4/func.m4, gl/m4/getdelim.m4, gl/m4/getline.m4, + gl/m4/getpagesize.m4, gl/m4/gettext.m4, gl/m4/gettimeofday.m4, + gl/m4/glibc2.m4, gl/m4/glibc21.m4, gl/m4/gnulib-cache.m4, + gl/m4/gnulib-common.m4, gl/m4/gnulib-comp.m4, gl/m4/gnulib-tool.m4, + gl/m4/iconv.m4, gl/m4/include_next.m4, gl/m4/intdiv0.m4, + gl/m4/intl.m4, gl/m4/intldir.m4, gl/m4/intlmacosx.m4, + gl/m4/intmax.m4, gl/m4/intmax_t.m4, gl/m4/inttypes-pri.m4, + gl/m4/inttypes.m4, gl/m4/inttypes_h.m4, gl/m4/largefile.m4, + gl/m4/lcmessage.m4, gl/m4/ld-output-def.m4, + gl/m4/ld-version-script.m4, gl/m4/lib-ld.m4, gl/m4/lib-link.m4, + gl/m4/lib-prefix.m4, gl/m4/lock.m4, gl/m4/longlong.m4, + gl/m4/lseek.m4, gl/m4/malloc.m4, gl/m4/manywarnings.m4, + gl/m4/math_h.m4, gl/m4/memchr.m4, gl/m4/memmem.m4, gl/m4/minmax.m4, + gl/m4/mmap-anon.m4, gl/m4/msvc-inval.m4, gl/m4/msvc-nothrow.m4, + gl/m4/multiarch.m4, gl/m4/netdb_h.m4, gl/m4/netinet_in_h.m4, + gl/m4/nls.m4, gl/m4/off_t.m4, gl/m4/po.m4, gl/m4/printf-posix.m4, + gl/m4/printf.m4, gl/m4/progtest.m4, gl/m4/read-file.m4, + gl/m4/realloc.m4, gl/m4/size_max.m4, gl/m4/snprintf.m4, + gl/m4/socklen.m4, gl/m4/sockpfaf.m4, 
gl/m4/ssize_t.m4, + gl/m4/stdalign.m4, gl/m4/stdbool.m4, gl/m4/stddef_h.m4, + gl/m4/stdint.m4, gl/m4/stdint_h.m4, gl/m4/stdio_h.m4, + gl/m4/stdlib_h.m4, gl/m4/strcase.m4, gl/m4/string_h.m4, + gl/m4/strings_h.m4, gl/m4/strndup.m4, gl/m4/strnlen.m4, + gl/m4/strtok_r.m4, gl/m4/strverscmp.m4, gl/m4/sys_socket_h.m4, + gl/m4/sys_stat_h.m4, gl/m4/sys_time_h.m4, gl/m4/sys_types_h.m4, + gl/m4/sys_uio_h.m4, gl/m4/threadlib.m4, gl/m4/time_h.m4, + gl/m4/time_r.m4, gl/m4/uintmax_t.m4, gl/m4/ungetc.m4, + gl/m4/unistd_h.m4, gl/m4/valgrind-tests.m4, gl/m4/vasnprintf.m4, + gl/m4/vasprintf.m4, gl/m4/visibility.m4, gl/m4/vsnprintf.m4, + gl/m4/warn-on-use.m4, gl/m4/warnings.m4, gl/m4/wchar_h.m4, + gl/m4/wchar_t.m4, gl/m4/wint_t.m4, gl/m4/xsize.m4, gl/malloc.c, + gl/memchr.c, gl/memmem.c, gl/minmax.h, gl/msvc-inval.c, + gl/msvc-inval.h, gl/msvc-nothrow.c, gl/msvc-nothrow.h, + gl/netdb.in.h, gl/netinet_in.in.h, gl/printf-args.c, + gl/printf-args.h, gl/printf-parse.c, gl/printf-parse.h, + gl/read-file.c, gl/read-file.h, gl/realloc.c, gl/size_max.h, + gl/snprintf.c, gl/stdalign.in.h, gl/stdbool.in.h, gl/stddef.in.h, + gl/stdint.in.h, gl/stdio-impl.h, gl/stdio.in.h, gl/stdlib.in.h, + gl/str-two-way.h, gl/strcasecmp.c, gl/string.in.h, gl/strings.in.h, + gl/strncasecmp.c, gl/strndup.c, gl/strnlen.c, gl/strtok_r.c, + gl/strverscmp.c, gl/sys_socket.in.h, gl/sys_stat.in.h, + gl/sys_time.in.h, gl/sys_types.in.h, gl/sys_uio.in.h, + gl/tests/Makefile.am, gl/tests/binary-io.h, gl/tests/fcntl.in.h, + gl/tests/fdopen.c, gl/tests/fpucw.h, gl/tests/getpagesize.c, + gl/tests/init.sh, gl/tests/inttypes.in.h, gl/tests/macros.h, + gl/tests/signature.h, gl/tests/test-alloca-opt.c, + gl/tests/test-base64.c, gl/tests/test-binary-io.c, + gl/tests/test-byteswap.c, gl/tests/test-c-ctype.c, + gl/tests/test-errno.c, gl/tests/test-fcntl-h.c, + gl/tests/test-fdopen.c, gl/tests/test-fgetc.c, + gl/tests/test-float.c, gl/tests/test-fputc.c, + gl/tests/test-fread.c, gl/tests/test-fstat.c, + gl/tests/test-ftell.c, 
gl/tests/test-ftell3.c, + gl/tests/test-ftello.c, gl/tests/test-ftello3.c, + gl/tests/test-ftello4.c, gl/tests/test-func.c, + gl/tests/test-fwrite.c, gl/tests/test-getdelim.c, + gl/tests/test-getline.c, gl/tests/test-gettimeofday.c, + gl/tests/test-iconv.c, gl/tests/test-init.sh, + gl/tests/test-intprops.c, gl/tests/test-inttypes.c, + gl/tests/test-memchr.c, gl/tests/test-netdb.c, + gl/tests/test-netinet_in.c, gl/tests/test-read-file.c, + gl/tests/test-snprintf.c, gl/tests/test-stdalign.c, + gl/tests/test-stdbool.c, gl/tests/test-stddef.c, + gl/tests/test-stdint.c, gl/tests/test-stdio.c, + gl/tests/test-stdlib.c, gl/tests/test-string.c, + gl/tests/test-strings.c, gl/tests/test-strnlen.c, + gl/tests/test-strverscmp.c, gl/tests/test-sys_socket.c, + gl/tests/test-sys_stat.c, gl/tests/test-sys_time.c, + gl/tests/test-sys_types.c, gl/tests/test-sys_uio.c, + gl/tests/test-sys_wait.h, gl/tests/test-time.c, + gl/tests/test-u64.c, gl/tests/test-unistd.c, + gl/tests/test-vasnprintf.c, gl/tests/test-vasprintf.c, + gl/tests/test-vc-list-files-cvs.sh, + gl/tests/test-vc-list-files-git.sh, gl/tests/test-verify.c, + gl/tests/test-vsnprintf.c, gl/tests/test-wchar.c, + gl/tests/zerosize-ptr.h, gl/time.in.h, gl/time_r.c, gl/u64.h, + gl/unistd.in.h, gl/vasnprintf.c, gl/vasnprintf.h, gl/vasprintf.c, + gl/verify.h, gl/vsnprintf.c, gl/wchar.in.h, gl/xsize.h, + src/gl/Makefile.am, src/gl/accept.c, src/gl/alloca.in.h, + src/gl/arpa_inet.in.h, src/gl/asnprintf.c, src/gl/bind.c, + src/gl/c-ctype.c, src/gl/c-ctype.h, src/gl/close.c, + src/gl/connect.c, src/gl/dup2.c, src/gl/errno.in.h, src/gl/error.c, + src/gl/error.h, src/gl/exitfail.c, src/gl/exitfail.h, + src/gl/fd-hook.c, src/gl/fd-hook.h, src/gl/float+.h, + src/gl/float.c, src/gl/float.in.h, src/gl/fseek.c, src/gl/fseeko.c, + src/gl/fstat.c, src/gl/ftell.c, src/gl/ftello.c, + src/gl/gai_strerror.c, src/gl/getaddrinfo.c, src/gl/getdelim.c, + src/gl/getline.c, src/gl/getpass.c, src/gl/getpass.h, + src/gl/getpeername.c, src/gl/gettext.h, 
src/gl/gettime.c, + src/gl/gettimeofday.c, src/gl/inet_ntop.c, src/gl/inet_pton.c, + src/gl/intprops.h, src/gl/itold.c, src/gl/listen.c, src/gl/lseek.c, + src/gl/m4/00gnulib.m4, src/gl/m4/absolute-header.m4, + src/gl/m4/alloca.m4, src/gl/m4/arpa_inet_h.m4, src/gl/m4/bison.m4, + src/gl/m4/clock_time.m4, src/gl/m4/close.m4, src/gl/m4/dup2.m4, + src/gl/m4/eealloc.m4, src/gl/m4/environ.m4, src/gl/m4/errno_h.m4, + src/gl/m4/error.m4, src/gl/m4/exponentd.m4, + src/gl/m4/extensions.m4, src/gl/m4/extern-inline.m4, + src/gl/m4/float_h.m4, src/gl/m4/fseek.m4, src/gl/m4/fseeko.m4, + src/gl/m4/fstat.m4, src/gl/m4/ftell.m4, src/gl/m4/ftello.m4, + src/gl/m4/getaddrinfo.m4, src/gl/m4/getdelim.m4, + src/gl/m4/getline.m4, src/gl/m4/getpass.m4, src/gl/m4/gettime.m4, + src/gl/m4/gettimeofday.m4, src/gl/m4/gnulib-cache.m4, + src/gl/m4/gnulib-common.m4, src/gl/m4/gnulib-comp.m4, + src/gl/m4/gnulib-tool.m4, src/gl/m4/hostent.m4, + src/gl/m4/include_next.m4, src/gl/m4/inet_ntop.m4, + src/gl/m4/inet_pton.m4, src/gl/m4/intmax_t.m4, + src/gl/m4/inttypes_h.m4, src/gl/m4/largefile.m4, + src/gl/m4/longlong.m4, src/gl/m4/lseek.m4, src/gl/m4/malloc.m4, + src/gl/m4/malloca.m4, src/gl/m4/math_h.m4, src/gl/m4/memchr.m4, + src/gl/m4/minmax.m4, src/gl/m4/mktime.m4, src/gl/m4/mmap-anon.m4, + src/gl/m4/msvc-inval.m4, src/gl/m4/msvc-nothrow.m4, + src/gl/m4/multiarch.m4, src/gl/m4/netdb_h.m4, + src/gl/m4/netinet_in_h.m4, src/gl/m4/off_t.m4, + src/gl/m4/parse-datetime.m4, src/gl/m4/printf.m4, + src/gl/m4/read-file.m4, src/gl/m4/realloc.m4, src/gl/m4/select.m4, + src/gl/m4/servent.m4, src/gl/m4/setenv.m4, src/gl/m4/signal_h.m4, + src/gl/m4/size_max.m4, src/gl/m4/snprintf.m4, + src/gl/m4/socketlib.m4, src/gl/m4/sockets.m4, src/gl/m4/socklen.m4, + src/gl/m4/sockpfaf.m4, src/gl/m4/ssize_t.m4, src/gl/m4/stdalign.m4, + src/gl/m4/stdbool.m4, src/gl/m4/stddef_h.m4, src/gl/m4/stdint.m4, + src/gl/m4/stdint_h.m4, src/gl/m4/stdio_h.m4, src/gl/m4/stdlib_h.m4, + src/gl/m4/strdup.m4, src/gl/m4/strerror.m4, 
src/gl/m4/string_h.m4, + src/gl/m4/sys_select_h.m4, src/gl/m4/sys_socket_h.m4, + src/gl/m4/sys_stat_h.m4, src/gl/m4/sys_time_h.m4, + src/gl/m4/sys_types_h.m4, src/gl/m4/sys_uio_h.m4, + src/gl/m4/time_h.m4, src/gl/m4/time_r.m4, src/gl/m4/timespec.m4, + src/gl/m4/tm_gmtoff.m4, src/gl/m4/unistd_h.m4, + src/gl/m4/vasnprintf.m4, src/gl/m4/warn-on-use.m4, + src/gl/m4/wchar_h.m4, src/gl/m4/wchar_t.m4, src/gl/m4/wint_t.m4, + src/gl/m4/xalloc.m4, src/gl/m4/xsize.m4, src/gl/malloc.c, + src/gl/malloca.c, src/gl/malloca.h, src/gl/memchr.c, + src/gl/minmax.h, src/gl/mktime.c, src/gl/msvc-inval.c, + src/gl/msvc-inval.h, src/gl/msvc-nothrow.c, src/gl/msvc-nothrow.h, + src/gl/netdb.in.h, src/gl/netinet_in.in.h, src/gl/parse-datetime.h, + src/gl/parse-datetime.y, src/gl/printf-args.c, + src/gl/printf-args.h, src/gl/printf-parse.c, src/gl/printf-parse.h, + src/gl/progname.c, src/gl/progname.h, src/gl/read-file.c, + src/gl/read-file.h, src/gl/realloc.c, src/gl/recv.c, + src/gl/recvfrom.c, src/gl/select.c, src/gl/send.c, src/gl/sendto.c, + src/gl/setenv.c, src/gl/setsockopt.c, src/gl/shutdown.c, + src/gl/signal.in.h, src/gl/size_max.h, src/gl/snprintf.c, + src/gl/socket.c, src/gl/sockets.c, src/gl/sockets.h, + src/gl/stdalign.in.h, src/gl/stdbool.in.h, src/gl/stddef.in.h, + src/gl/stdint.in.h, src/gl/stdio-impl.h, src/gl/stdio.in.h, + src/gl/stdlib.in.h, src/gl/strdup.c, src/gl/strerror-override.c, + src/gl/strerror-override.h, src/gl/strerror.c, src/gl/string.in.h, + src/gl/sys_select.in.h, src/gl/sys_socket.in.h, + src/gl/sys_stat.in.h, src/gl/sys_time.in.h, src/gl/sys_types.in.h, + src/gl/sys_uio.in.h, src/gl/time.in.h, src/gl/time_r.c, + src/gl/timespec.h, src/gl/unistd.in.h, src/gl/unsetenv.c, + src/gl/vasnprintf.c, src/gl/vasnprintf.h, src/gl/verify.h, + src/gl/w32sock.h, src/gl/wchar.in.h, src/gl/xalloc-die.c, + src/gl/xalloc-oversized.h, src/gl/xalloc.h, src/gl/xmalloc.c, + src/gl/xsize.h: updated gnulib + +2015-01-02 Nikos Mavrogiannopoulos + + * src/cli-debug.c: 
gnutls-cli-debug: corrected the skip of ignored + checks + +2014-12-31 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-12-31 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-12-31 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: --pubkey-info will load a public key + from stdin + +2014-12-31 Nikos Mavrogiannopoulos + + * lib/system.h: include netinet/in.h if present to access ipv6 + related structures Based on patch by Rumko. https://savannah.gnu.org/support/?108713 + +2014-12-30 Matthias-Christian Ott + + * lib/gnutls_cipher_int.c: Don't call _gnutls_cipher_encrypt2 with + textlen = 0 in _gnutls_auth_cipher_encrypt2_tag If the plaintext is shorter than the block size of the used cipher, + _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with + textlen = 0. By definition _gnutls_cipher_encrypt2 does nothing in + this case and thus does not need to be called. + +2014-12-30 Matthias-Christian Ott + + * lib/accelerated/x86/aes-gcm-padlock.c, + lib/accelerated/x86/aes-padlock.c: Handle zero length plaintext for + VIA PadLock functions If the plaintext is shorter than the block size of the used cipher, + _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with + textlen = 0. padlock_ecb_encrypt and padlock_cbc_encrypt assume that + the plaintext length (last parameter) is greater than zero and + segfault otherwise. The assembler code for both functions is + automatically generated and imported from OpenSSL, so to ease + maintenance the length should be validated in the functions that + call padlock_ecb_encrypt or padlock_cbc_encrypt. 
+ +2014-12-28 Nikos Mavrogiannopoulos + + * tests/openpgp-keyring.c: tests: enhanced openpgp-keyring test + +2014-12-28 Nikos Mavrogiannopoulos + + * lib/openpgp/output.c: openpgp: properly print names in oneline + output as well + +2014-12-28 Nikos Mavrogiannopoulos + + * lib/openpgp/output.c: updates in openpgp DSA key printing + +2014-12-28 Nikos Mavrogiannopoulos + + * lib/openpgp/output.c: properly print openpgp names + +2014-12-25 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/common.c, src/tests.c: tools: use OCSP + functions only when OCSP is enabled + +2014-12-24 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c: Corrected encoding and decoding of ANSI X9.62 That affects gnutls_pubkey_export_ecc_x962() and + gnutls_pubkey_import_ecc_x962(). + +2014-12-24 Nikos Mavrogiannopoulos + + * src/certtool-args.def, src/p11tool-args.def: tools: document the + available curves + +2014-12-23 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-12-23 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_int.h, + lib/pkcs11_privkey.c, lib/pkcs11_secret.c, lib/pkcs11_write.c: Use + hints to support incomplete PKCS#11 URIs + +2014-12-23 Nikos Mavrogiannopoulos + + * doc/examples/Makefile.am, src/Makefile.am, src/gl/Makefile.am, + src/gl/m4/gnulib-cache.m4, src/gl/m4/gnulib-comp.m4: completely + separated the two gnulibs to avoid conflicts + +2014-12-23 Nikos Mavrogiannopoulos + + * gl/Makefile.am, gl/m4/extensions.m4, gl/m4/extern-inline.m4, + gl/m4/gnulib-comp.m4, gl/m4/iconv.m4, gl/m4/printf.m4, + gl/m4/stdalign.m4, gl/m4/stddef_h.m4, gl/m4/stdio_h.m4, + gl/stdalign.in.h, gl/stddef.in.h, gl/tests/test-fcntl-h.c, + gl/tests/test-stddef.c, gl/unistd.in.h, gl/vasnprintf.c, + src/gl/Makefile.am, src/gl/m4/extensions.m4, + src/gl/m4/extern-inline.m4, src/gl/m4/gnulib-comp.m4, + src/gl/m4/printf.m4, src/gl/m4/stdalign.m4, src/gl/m4/stddef_h.m4, + src/gl/m4/stdio_h.m4, src/gl/parse-datetime.y, + src/gl/stdalign.in.h, src/gl/stddef.in.h, 
src/gl/timespec.h, + src/gl/unistd.in.h, src/gl/vasnprintf.c: updated gnulib + +2014-12-22 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-12-22 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: when importing object CAs from PKCS#11 + URL, import the marked as trusted only + +2014-12-22 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: when matching objects, also match the label + +2014-12-21 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-chainverify.c: added missing variable + +2014-12-21 Nikos Mavrogiannopoulos + + * lib/x509/Makefile.am: Added p11-kit cflags in x509/ + +2014-12-21 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c, + tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c, + tests/suite/softhsm.h, tests/suite/testpkcs11.softhsm: Added + softhsm.h to share code in softhsm detection Conflicts: tests/suite/pkcs11-chainverify.c tests/suite/pkcs11-privkey.c + +2014-12-21 Nikos Mavrogiannopoulos + + * lib/pkcs11_int.h, lib/x509/verify-high2.c: Directly import PKCS + #11 object URLs as trusted certificates That is, don't treat them as trusted modules, because they aren't a + token URL, but rather a direct reference to specific objects. + +2014-12-19 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c, lib/gnutls_record.c: corrected documentation + for the cork/uncork functions Reported by Jaak Ristioja. 
+ +2014-12-19 Nikos Mavrogiannopoulos + + * lib/gnutls_record.c: doc update + +2014-12-19 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-12-19 Nikos Mavrogiannopoulos + + * lib/algorithms/protocols.c: Added more precise version check in + _gnutls_version_lowest + +2014-11-21 Nikos Mavrogiannopoulos + + * lib/algorithms.h, lib/algorithms/protocols.c, + lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_priority.c: The + record version in the client Hello will be set to the lowest + supported protocol There should have been no harm in keeping it SSL 3.0 but + unfortunately in draft-thomson-sslv3-diediedie-00 it has been marked + as MUST NOT do that. That will be fixed in a later revision but + since then there are servers not accepting SSL 3.0 as a valid record + version (note that this is about the record version, which describes + the format of the packet, nothing to do with the negotiated + version). + +2014-12-19 Nikos Mavrogiannopoulos + + * lib/gnutls_record.c: corrected documentation of gnutls_cork() + +2014-12-12 Ludovic Courtès + + * NEWS, doc/gnutls-guile.texi, guile/modules/gnutls.in, + guile/modules/gnutls/build/smobs.scm, guile/src/core.c, + guile/tests/openpgp-auth.scm, guile/tests/x509-auth.scm: Revert + "guile: Remove RSA parameters and related procedures." This reverts commit 9f5788469f6f3f3fdd4cf064621a903607f10f2f; this + will be done in the 3.4 branch, as for the C library. Update NEWS + accordingly. + +2014-12-12 Ludovic Courtès + + * NEWS: Update 'NEWS'. + +2014-12-11 Ludovic Courtès + + * guile/tests/openpgp-keyring.scm: guile: Open binary file in binary + mode, for the sake of MinGW. Reported by Eli Zaretskii . * guile/tests/openpgp-keyring.scm: Use 'open-file' with "rb" instead + of 'open-input-file'. + +2014-12-11 Ludovic Courtès + + * guile/src/Makefile.am: guile: Link with '-no-undefined'. Fixes builds on MinGW. Reported by Eli Zaretskii . * guile/src/Makefile.am (guile_gnutls_v_2_la_LDFLAGS): Add -no-undefined. 
+ +2014-12-04 Ludovic Courtès + + * guile/src/Makefile.am: guile: Build with warnings. * guile/src/Makefile.am (AM_CFLAGS) [HAVE_GCC]: Add -Wall -Wextra -Wno-unused-parameter. + +2014-12-04 Ludovic Courtès + + * guile/modules/Makefile.am, guile/modules/gnutls.in, + guile/modules/gnutls/build/priorities.scm, guile/src/Makefile.am, + guile/src/core.c, guile/src/make-session-priorities.scm, + guile/tests/session-record-port.scm, guile/tests/x509-auth.scm: + guile: Remove the deprecated priority API. * guile/modules/gnutls/build/priorities.scm: Remove. * guile/src/make-session-priorities.scm: Remove. * guile/modules/Makefile.am (EXTRA_DIST): Adjust accordingly. * guile/src/Makefile.am (EXTRA_DIST): Likewise. (GENERATED_BINDINGS): Remove 'priorities.i.c'. (priorities.i.c): Remove target. * guile/src/core.c: Don't include it. (scm_gnutls_set_default_priority_x): Remove. * guile/modules/gnutls.in (gnutls): Adjust export list. * guile/tests/session-record-port.scm: Use + 'set-session-priorities!'. * guile/tests/x509-auth.scm: Likewise. + +2014-12-04 Ludovic Courtès + + * doc/gnutls-guile.texi, guile/modules/gnutls.in, + guile/modules/gnutls/build/smobs.scm, guile/src/core.c, + guile/tests/openpgp-auth.scm, guile/tests/x509-auth.scm: guile: + Remove RSA parameters and related procedures. * guile/modules/gnutls/build/smobs.scm (%rsa-parameters-smob): + Remove. (%gnutls-smobs): Remove it. * guile/src/core.c (scm_gnutls_make_rsa_parameters, scm_gnutls_pkcs1_import_rsa_parameters, scm_gnutls_pkcs1_export_rsa_parameters, scm_gnutls_set_certificate_credentials_rsa_export_params_x): + Remove. * guile/modules/gnutls.in: Adjust export list. * guile/tests/openpgp-auth.scm (import-rsa-params): Remove. Remove references to it and to 'set-certificate-credentials-rsa-export-parameters!'. * guile/tests/x509-auth.scm: Likewise. * doc/gnutls-guile.texi (Representation of Binary Data): Remove references to RSA parameters. Adjust example accordingly. 
(OpenPGP Authentication Guile Example): Likewise. + +2014-12-12 Nikos Mavrogiannopoulos + + * lib/random.c: gnutls_rnd: doc update + +2014-12-12 Nikos Mavrogiannopoulos + + * lib/x509/pkcs12.c: gnutls_pkcs12_simple_parse: doc update + +2014-12-12 Nikos Mavrogiannopoulos + + * libdane/dane.c: improved documentation on dane + +2014-12-11 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: use Sleep() in windows + +2014-12-11 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c: certtool: ensure that default_serial_int is + 64-bits or more + +2014-12-11 Nikos Mavrogiannopoulos + + * src/socket.c: use select() instead of alarm for better portability Based on patch by Eli Zaretskii. + +2014-12-11 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.11 + +2014-12-11 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2014-12-11 Nikos Mavrogiannopoulos + + * tests/suite/testcompat-main: testcompat: corrected usage of null + cipher + +2014-12-10 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-fips.c: added the .check function in FIPS140-2 code + +2014-12-05 Nikos Mavrogiannopoulos + + * lib/x509/dn.c: _gnutls_x509_get_dn() always return a null + terminated string + +2014-12-02 Nikos Mavrogiannopoulos + + * lib/random.h: if the rnd structure doesn't provide check, + _gnutls_rnd_check() will succeed + +2014-11-30 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: Reorganized, and eliminated memory leak in + _gnutls_x509_crt_check_revocation() Reported by Tim Rühsen. 
+ +2014-11-28 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/gnutls.h.in, lib/includes/gnutls/pkcs11.h: doc + update + +2014-11-25 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added + check for whether %NO_EXTENSIONS is required + +2014-11-28 Nikos Mavrogiannopoulos + + * lib/gnutls_ui.c: gnutls_session_get_desc: allow proper printing of + the NULL KX + +2014-11-25 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: gnutls_certificate_set_x509_key_*: eliminated + memory leak when certificate could not be parsed Reported by Georg Richter. + +2014-11-24 Nikos Mavrogiannopoulos + + * src/socket.c: gnutls-cli-debug: do not print error on unknown + protocols + +2014-11-24 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: documented the limitations of the loading + functions + +2014-11-24 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: corrected memleak in read_key_mem() Patch by Georg Richter. + +2014-11-24 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added + check for sorted certificate chain + +2014-11-22 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_record.c, + tests/mini-rehandshake-2.c: restore only the documented behavior + +2014-11-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-21 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/mini-rehandshake-2.c: tests: added test + for GNUTLS_E_GOT_APPLICATION_DATA on rehandshake Conflicts: tests/Makefile.am + +2014-11-21 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_record.c: treat + GNUTLS_E_GOT_APPLICATION_DATA as non-fatal if initial negotiation is + complete This corrects a regression introduced in + b5a0de2e6da98866cafb770c3141b7353d030ab2 Reported by Dan Winship. 
+ https://savannah.gnu.org/support/?108690 + +2014-11-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-21 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: Revert "The priority modifier + %LATEST_RECORD_VERSION is now the default" This reverts commit 96b408b20fe8707306f38cba6f652556b99a47e4. + +2014-11-13 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-common.c: _rnd_get_event: use memset to avoid + valgrind complaints + +2014-11-21 Nikos Mavrogiannopoulos + + * lib/fips.c: compilation fix for FIPS140-2 mode + +2014-11-21 Nikos Mavrogiannopoulos + + * lib/x509/ocsp.c: deinitialize the OCSP response der data That also makes sure that reinitialization of ASN1 structures are + done when it is required only. + +2014-11-17 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: NORMAL priority: prioritize the less than + 256-bits curves at the lowest level + +2014-11-16 Nikos Mavrogiannopoulos + + * lib/fips.c, lib/fips.h, lib/gnutls_global.c: properly reset the + zombie mode in FIPS mode This amends 9158f590f4a18c84fc9eb41877b29d73b30af879 + +2014-11-15 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-14 David Weber + + * src/cli.c, src/serv.c: Fixed SRTP profile configuration in cli.c + and serv.c. I have tested the fix in 3.3.10. This commit is UNTESTED as i am + unable to compile gnutls (./configure complains about gl_INIT and + ggl_INIT). 
Signed-off-by: Nikos Mavrogiannopoulos + +2014-11-14 Nikos Mavrogiannopoulos + + * src/common.c: gnutls-cli: print info on the OCSP status request + +2014-11-14 Nikos Mavrogiannopoulos + + * lib/x509/ocsp.c: use the original DER/BER data when verifying an + OCSP response Conflicts: lib/x509/ocsp.c + +2014-11-14 Nikos Mavrogiannopoulos + + * lib/system.c: windows: updated _gnutls_ucs2_to_utf8() + +2014-11-14 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: check + for OCSP status response Conflicts: src/tests.c + +2014-11-13 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/tests.c, src/tests.h: added check for servers + that disallow the SSL 3.0 record version + +2014-11-14 Nikos Mavrogiannopoulos + + * tests/cert-tests/crq: corrected crq test case; reported by Andreas + Metzler + +2014-11-13 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: set the GNUTLS_PIN_CONTEXT_SPECIFIC flag on PIN + callback + +2014-11-13 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-common.h: rnd: removed the packed attribute from + event_st That prevents a SIGBUS on solaris sparc systems. Reported by Thomas + Thorberger. + +2014-11-13 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-13 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: The priority modifier + %LATEST_RECORD_VERSION is now the default This works-around issue with servers that forbit the SSL 3.0 version + number from the first packet of the record protocol. 
+ +2014-11-10 Nikos Mavrogiannopoulos + + * tests/suite/testcompat-common, tests/suite/testcompat-main: + testcompat: updated + +2014-11-10 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2014-11-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-31 Nikos Mavrogiannopoulos + + * configure.ac, tests/cert-tests/Makefile.am, tests/cert-tests/crq: + Added check with the invalid crq sent by Sean Burford + +2014-10-31 Nikos Mavrogiannopoulos + + * lib/gnutls_ecc.c: when exporting curve coordinates to X9.63 + format, perform additional sanity checks on input Reported by Sean Burford. + +2014-11-08 Nikos Mavrogiannopoulos + + * doc/cha-intro-tls.texi: doc update + +2014-11-08 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi, doc/cha-intro-tls.texi: doc: updated text + on session tickets + +2014-11-07 Nikos Mavrogiannopoulos + + * src/socket.c: tools: include arpa/inet.h in socket.c + +2014-11-07 Nikos Mavrogiannopoulos + + * doc/examples/ex-serv-dtls.c: doc: use the same port for DTLS + client and server + +2014-11-07 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: pass the correct user type to protected + authentication login + +2014-11-07 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: doc: corrected values for INSECURE level + +2014-11-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-07 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_int.h: pkcs11_login: set the correct user + type on reauthentication + +2014-11-06 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: pkcs11: + force login on tokens that require it + +2014-11-06 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: added + support for PKCS #11 keys that require reauthentication and + simplified pkcs11_login + +2014-11-06 Nikos Mavrogiannopoulos + + * gl/unistd.in.h, src/gl/unistd.in.h: applied patch by A. Klitzing + to improve compatibile with some apple systems 
Signed-off-by: Nikos Mavrogiannopoulos + +2014-11-05 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/common.c, src/common.h, src/tests.c: + gnutls-cli-debug: backported changes from 3.4.0 branch + +2014-11-05 Chen Hongzhi + + * lib/x509/pkcs12.c: Fix double-free in gnutls_pkcs12_simple_parse() Signed-off-by: Nikos Mavrogiannopoulos + +2014-11-04 Nikos Mavrogiannopoulos + + * doc/scripts/mytexi2latex: mytexi2latex: handle na@"ive + +2014-11-04 Chris Barry + + * doc/cha-auth.texi, doc/cha-cert-auth.texi, + doc/cha-cert-auth2.texi, doc/cha-errors.texi, doc/sec-tls-app.texi: + Cleaning up some awkward phrasings. Signed-off-by: Nikos Mavrogiannopoulos + +2014-11-04 Nikos Mavrogiannopoulos + + * lib/ext/alpn.c: updated text + +2014-11-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-11-03 Jaak Ristioja + + * lib/system_override.c: doc: Added missing reference for EMSGSIZE + to inline documentation of gnutls_transport_set_errno(). Signed-off-by: Nikos Mavrogiannopoulos + +2014-11-03 Jaak Ristioja + + * lib/system_override.c: doc: Fixed typo in inline comment of + gnutls_transport_set_errno(). 
Signed-off-by: Nikos Mavrogiannopoulos + +2014-11-02 Nikos Mavrogiannopoulos + + * lib/gnutls_errors.c: updated the text for + GNUTLS_E_UNSUPPORTED_VERSION_PACKET + +2014-11-01 Nikos Mavrogiannopoulos + + * lib/x509/common.c: when calling gnutls_x509_crt_get_subject_key_id + set the id_size + +2014-11-01 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: deinitialize the temporary spki data + +2014-10-31 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/init_fds.c: tests: added test for + gnutls_global_init after all descriptors are closed Conflicts: tests/Makefile.am + +2014-10-31 Nikos Mavrogiannopoulos + + * lib/gnutls_global.c, lib/nettle/rnd-common.c, lib/random.h: + corrected check for urandom fd + +2014-10-31 Nikos Mavrogiannopoulos + + * lib/gnutls_global.c: corrected exit state from gnutls_global_init + +2014-10-31 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-31 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: updated text for gnutls_fd_in_use() to + account the new behavior + +2014-10-31 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map, lib/nettle/rnd-common.c: dropped + gnutls_fd_in_use, it is no longer necessary Conflicts: lib/libgnutls.map + +2014-10-31 Nikos Mavrogiannopoulos + + * lib/crypto-backend.h, lib/gnutls_global.c, + lib/nettle/rnd-common.c, lib/nettle/rnd-common.h, lib/nettle/rnd.c, + lib/random.h: When gnutls_global_init() is called manually from the + application check the urandom fd for validity That addresses the issue where a server closes all open file + descriptors and then calls gnutls_global_init(). 
Conflicts: lib/nettle/rnd-common.c + +2014-10-29 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: _gnutls_dh_generate_key() will account the q_bits + +2014-10-29 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-28 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-28 Nikos Mavrogiannopoulos + + * lib/nettle/rnd.c: doc update + +2014-10-28 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c: do not explicitly refresh rnd state on session + deinit It is already being refreshed during the session lifetime. + +2014-10-26 Nikos Mavrogiannopoulos + + * configure.ac: disable hardware acceleration by default in solaris + +2014-10-25 Nikos Mavrogiannopoulos + + * tests/dtls/dtls: tests: dtls-stress -r disabled as it causes + issues when used with freebsd kernel + +2014-10-25 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/elf/aes-ssse3-x86.s, + lib/accelerated/x86/elf/aes-ssse3-x86_64.s, + lib/accelerated/x86/elf/aesni-x86.s, + lib/accelerated/x86/elf/aesni-x86_64.s, + lib/accelerated/x86/elf/cpuid-x86.s, + lib/accelerated/x86/elf/cpuid-x86_64.s, + lib/accelerated/x86/elf/e_padlock-x86.s, + lib/accelerated/x86/elf/e_padlock-x86_64.s, + lib/accelerated/x86/elf/ghash-x86_64.s, + lib/accelerated/x86/elf/sha1-ssse3-x86.s, + lib/accelerated/x86/elf/sha1-ssse3-x86_64.s, + lib/accelerated/x86/elf/sha256-avx-x86_64.s, + lib/accelerated/x86/elf/sha256-ssse3-x86.s, + lib/accelerated/x86/elf/sha512-ssse3-x86.s, + lib/accelerated/x86/elf/sha512-ssse3-x86_64.s: do not use the ifdef + directive in assembly files, as it isn't portable + +2014-10-23 Nikos Mavrogiannopoulos + + * configure.ac, lib/Makefile.am: check and use libnsl (used in + solaris) + +2014-10-23 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/elf/aes-ssse3-x86.s, + lib/accelerated/x86/elf/aes-ssse3-x86_64.s, + lib/accelerated/x86/elf/aesni-x86.s, + lib/accelerated/x86/elf/aesni-x86_64.s, + lib/accelerated/x86/elf/cpuid-x86.s, + lib/accelerated/x86/elf/cpuid-x86_64.s, + 
lib/accelerated/x86/elf/e_padlock-x86.s, + lib/accelerated/x86/elf/e_padlock-x86_64.s, + lib/accelerated/x86/elf/ghash-x86_64.s, + lib/accelerated/x86/elf/sha1-ssse3-x86.s, + lib/accelerated/x86/elf/sha1-ssse3-x86_64.s, + lib/accelerated/x86/elf/sha256-avx-x86_64.s, + lib/accelerated/x86/elf/sha256-ssse3-x86.s, + lib/accelerated/x86/elf/sha512-ssse3-x86.s, + lib/accelerated/x86/elf/sha512-ssse3-x86_64.s: use the + .note.GNU-stack in linux systems only + +2014-10-23 Nikos Mavrogiannopoulos + + * gl/Makefile.am, gl/m4/extern-inline.m4, gl/m4/gnulib-common.m4, + gl/m4/manywarnings.m4, gl/m4/stdlib_h.m4, gl/m4/threadlib.m4, + gl/m4/unistd_h.m4, gl/stdlib.in.h, gl/tests/fcntl.in.h, + gl/unistd.in.h, gl/vasnprintf.c, maint.mk, src/gl/Makefile.am, + src/gl/error.c, src/gl/getpass.c, src/gl/m4/extern-inline.m4, + src/gl/m4/gnulib-common.m4, src/gl/m4/stdlib_h.m4, + src/gl/m4/unistd_h.m4, src/gl/parse-datetime.y, src/gl/stdlib.in.h, + src/gl/sys_select.in.h, src/gl/unistd.in.h, src/gl/vasnprintf.c: + updated gnulib + +2014-10-23 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-23 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-get-issuer.c: tests: check the issuer value + validity of gnutls_x509_trust_list_get_issuer + +2014-10-23 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: corrected bug in + gnutls_x509_trust_list_get_issuer() when used without the + GNUTLS_TL_GET_COPY flag + +2014-10-22 Nikos Mavrogiannopoulos + + * tests/slow/Makefile.am: tests: include minitasn1 when needed + +2014-10-22 Nikos Mavrogiannopoulos + + * src/danetool.c: use HAVE_DANE ifdef for unused functions + +2014-10-22 Nikos Mavrogiannopoulos + + * lib/libgnutls.map: exported gnutls_fd_in_use + +2014-10-22 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-22 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: document gnutls_fd_in_use() + +2014-10-22 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: corrected FIND_OBJECT loop when the token + func is used + +2014-10-22 
Nikos Mavrogiannopoulos + + * lib/gnutls_state.c: gnutls_fd_in_use: mention version + +2014-10-22 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in, + lib/nettle/rnd-common.c, lib/random.h: added gnutls_fd_in_use() to + check whether a file descriptor is in use + +2014-10-21 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: fips140-2: limit the FIPS code in fips mode + +2014-10-21 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: fips140-2: use the FIPS algorithms only when in + FIPS140-2 mode + +2014-10-20 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-05 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: default pkcs-cipher is now 3des as in + PKCS #12 + +2014-10-17 Nikos Mavrogiannopoulos + + * src/cli-args.def: gnutls-cli: prevent the combination of the -p + and --list options As -p may be mistaken for --priority that would prevent wrong + outputs. + +2014-10-17 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: avoid d from getting out of scope + +2014-10-17 Nikos Mavrogiannopoulos + + * src/udp-serv.c: gnutls-serv: avoid possible buffer overrun + +2014-10-17 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: avoid memory leak on + gnutls_x509_privkey_generate() failure + +2014-10-15 Nikos Mavrogiannopoulos + + * lib/nettle/int/dsa-fips.h, lib/nettle/int/dsa-keygen-fips186.c, + lib/nettle/int/dsa-validate.c: in FIPS140-2 mode only disable + 1024-bit DSA parameters when generating + +2014-10-14 Ludovic Courtès + + * guile/src/core.c: guile: Remove trailing zero in + 'gnutls_server_name_set' call. In GnuTLS 3.2.19 (and possibly 3.3.9 and 3.1.17), + 'set-session-server-name!' would pass a trailing nul character on + the wire after the server name, which would thus be rejected by + servers. 
+ +2014-10-14 Nikos Mavrogiannopoulos + + * lib/nettle/int/dsa-fips.h, lib/nettle/int/provable-prime.c, + lib/nettle/int/rsa-keygen-fips186.c: FIPS140-2 RSA key generation + changes to account for seed starting with null byte + +2014-10-14 Nikos Mavrogiannopoulos + + * src/libopts/Makefile.am: corrected libopt's Makefile.am reported by Marius Schamschula. + +2014-10-10 Nikos Mavrogiannopoulos + + * lib/nettle/int/rsa-keygen-fips186.c: use lcm(p-1,q-1) instead of + phi(n) for RSA key generation in FIPS-140-2 mode + +2014-10-14 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/sha-x86-ssse3.c: corrected the SSSE3 optimized + SHA224 + +2014-10-14 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-common.c: simplified getrusage code; the failure + check code wasn't needed + +2014-10-13 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-13 Nikos Mavrogiannopoulos + + * tests/x509-extensions.c: tests: added check for import failure of + v1 certificate with extensions + +2014-10-13 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: do not allow importing X.509 certificates with + version < 3 and extensions present + +2014-10-13 Nikos Mavrogiannopoulos + + * cfg.mk: update the guile manual along the C one + +2014-10-13 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2014-10-13 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-11 Nikos Mavrogiannopoulos + + * src/libopts/Makefile.am, src/libopts/ag-char-map.h, + src/libopts/ao-strs.c, src/libopts/ao-strs.h, + src/libopts/autoopts.h, src/libopts/autoopts/options.h, + src/libopts/autoopts/usage-txt.h, src/libopts/compat/_Noreturn.h, + src/libopts/genshell.c, src/libopts/genshell.h, + src/libopts/intprops.h, src/libopts/m4/libopts.m4, + src/libopts/m4/stdnoreturn.m4, src/libopts/option-value-type.c, + src/libopts/option-value-type.h, + src/libopts/option-xat-attribute.c, + src/libopts/option-xat-attribute.h, src/libopts/parse-duration.c, + src/libopts/proto.h, src/libopts/stdnoreturn.in.h, 
+ src/libopts/version.c: updated to libopts 5.18.4 + +2014-10-11 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-common.c: place all rusage variables into + HAVE_GETRUSAGE block + +2014-10-11 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-11 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-common.c: rnd: if RUSAGE_THREAD fails try + RUSAGE_SELF + +2014-10-10 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-combo.c: tests: pkcs11-combo: use unique db + file + +2014-10-10 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-02 Nikos Mavrogiannopoulos + + * lib/ext/session_ticket.c: use wait and retransmit when receiving + session tickets + +2014-10-02 Nikos Mavrogiannopoulos + + * tests/dtls/dtls, tests/dtls/dtls-stress.c: tests: added -r option + to dtls-stress That allows it to replay messages in a kind of arbitrary way. + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/ext/heartbeat.c: forbid heartbeat messages during a handshake + +2014-10-09 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: + added internal variable to track handshake status Conflicts: lib/gnutls_handshake.c + +2014-10-09 Nikos Mavrogiannopoulos + + * .gitignore: more files to ignore + +2014-10-09 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-is-known.c: tests: updated time in + pkcs11-is-known + +2014-10-09 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: handle errors from override_cert_exts as + fatal + +2014-10-09 Nikos Mavrogiannopoulos + + * tests/chainverify.c, tests/suite/pkcs11-chainverify.c, + tests/test-chains.h: tests: allow running specific chainverify tests + on fixed dates Conflicts: tests/chainverify.c tests/suite/pkcs11-chainverify.c tests/test-chains.h + +2014-10-09 Nikos Mavrogiannopoulos + + * lib/x509/common.c: _gnutls_check_valid_key_id: corrected + activation/expiration check + +2014-10-09 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/x509/common.c, lib/x509/common.h: pkcs11: + simplified and optimized loop + 
+2014-10-09 Nikos Mavrogiannopoulos + + * doc/cha-crypto.texi: mention nettle as the recommended crypto + backend + +2014-10-09 Nikos Mavrogiannopoulos + + * tests/suite/Makefile.am, tests/suite/pkcs11-combo.c: tests: Added + check to ensure that trust list combination with extra certificates + works + +2014-10-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-09 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: when both a trust module and additional + CAs are present account the latter as well That solves an issue in openconnect which used the system trust + module, plus additional certificates. Conflicts: lib/x509/verify-high.c + +2014-10-09 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c, lib/x509/verify-high.h: simplify the + handling of trust_list_get_issuer() when GNUTLS_TL_GET_COPY is not + given + +2014-10-08 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: corrected assignment + +2014-10-08 Nikos Mavrogiannopoulos + + * lib/libgnutls.map: corrected the name of exported function + +2014-10-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-07 Nikos Mavrogiannopoulos + + * tests/test-chains.h: tests: corrected test for v1 cert signing + (removed bogus authorityIdentifier) + +2014-10-07 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: only set the authority key identifier, + if there is a corresponding subject key identifier + +2014-10-07 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: do not shortcut checks when + GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY is specified + +2014-10-07 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/x509/common.c, lib/x509/common.h: pkcs11: always + check for a valid subjectKeyIdentifier match That way, expired certificates can co-exist with their replacements. + +2014-10-06 Armin Burgmeier + + * lib/x509/verify-high2.c: Return an error if multiple PKCS11 URLs + are added to a trust list Before, the new URL would overwrite the old URL, and the memory of + theold URL would be leaked. 
It is documented that only one URL can + be used, so it should be safe to reject any attempt to add another + one. 
Signed-off-by: Armin Burgmeier + +2014-10-07 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/x509/common.c, lib/x509/common.h: pkcs11: when + no CKA_ID can be relied on fallback on checking the + SubjectKeyIdentifier Patch by David Woodhouse. + +2014-10-02 Nikos Mavrogiannopoulos + + * lib/gnutls_global.c: report the FIPS140-2 mode + +2014-10-07 Nikos Mavrogiannopoulos + + * lib/libgnutls.map, lib/nettle/pk.c: added FIPS140-2 ECDH + verification functions + +2014-10-07 Nikos Mavrogiannopoulos + + * lib/libgnutls.map, lib/nettle/pk.c: added FIPS140-2 DH + verification functions + +2014-10-07 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-is-known.c: tests: corrected check with + gnutls_x509_trust_list_get_issuer + +2014-10-06 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: corrected remove_pkcs11_url() + +2014-10-06 Nikos Mavrogiannopoulos + + * tests/suite/Makefile.am, tests/suite/pkcs11-is-known.c: tests: + check gnutls_pkcs11_crt_is_known() when multiple same DNs are + present + +2014-10-06 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: when checking for presence do not give up on + the first mismatch + +2014-10-06 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: address memory leak in gnutls_pkcs11_crt_is_known() + +2014-10-05 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: doc update: clarifications in + gnutls_x509_trust_list_add_trust_file + +2014-10-02 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: corrected compilation for non-pkcs11; + reported by David Woodhouse. 
+ +2014-09-29 Nikos Mavrogiannopoulos + + * NEWS: corrected typo + +2014-10-01 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-10-01 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-get-issuer.c, tests/x509cert.c: tests: added + check for GNUTLS_TL_GET_COPY + +2014-10-01 Nikos Mavrogiannopoulos + + * lib/gnutls_cert.c, lib/gnutls_x509.c, lib/includes/gnutls/x509.h, + lib/x509/ocsp.c, lib/x509/verify-high.c: Added GNUTLS_TL_GET_COPY + flag and documented the limitations of + gnutls_x509_trust_list_get_issuer() + +2014-09-30 Nikos Mavrogiannopoulos + + * lib/opencdk/stream.h: opencdk: changed filter_fnct_t to match the + actual function prototypes + +2014-09-30 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-26 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c, lib/gnutls_handshake.c: do not allow + GNUTLS_E_LARGE_PACKET to be returned from non-DTLS sessions + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/system.c: gnutls_x509_trust_list_add_system_trust() will not + allow duplicate entries + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: use _DIRENT_HAVE_D_TYPE to detect + d->d_type + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/x509/x509.c: corrected type + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: + protect DTLS clients that don't handle GNUTLS_E_LARGE_PACKET from an + infinite loop on handshake + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/gnutls_errors.c: removed unused error values + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c, lib/gnutls_record.c, lib/gnutls_record.h: + restrict the number of non-fatal errors gnutls_handshake() can + return + +2014-09-25 Nikos Mavrogiannopoulos + + * lib/gnutls_errors.c: optimized gnutls_error_is_fatal() by + splitting the errors to two tables + +2014-09-22 Ludovic Courtès + + * guile/src/core.c: guile: Restore cross-reference in + 'set-session-priorities!' docstring. This had been destroyed in 32d90395. 
+ +2014-09-22 Ludovic Courtès + + * guile/modules/gnutls.in, guile/modules/gnutls/build/enums.scm, + guile/src/core.c, guile/tests/anonymous-auth.scm: guile: Add + bindings for 'gnutls_server_name_set'. This adds the 'set-session-server-name!' procedure and the + 'server-name-type' enum type. + +2014-09-18 Armin Burgmeier + + * lib/x509/verify-high.c: Memory leak fix on certificate copy + failure Signed-off-by: Armin Burgmeier + +2014-09-17 Armin Burgmeier + + * lib/gnutls_ui.c: Fix a documentation typo 
Signed-off-by: Armin Burgmeier + +2014-09-19 Nikos Mavrogiannopoulos + + * cfg.mk, lib/accelerated/x86/files.mk: regenerated files.mk + +2014-09-19 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-19 Nikos Mavrogiannopoulos + + * libdane/dane.c: libdane: do not require the CA to be a direct CA + +2014-09-19 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-19 Nikos Mavrogiannopoulos + + * tests/scripts/common.sh, tests/suite/testpkcs11: tests: enhanced + test suite to pass more of the PKCS #11 API under valgrind + +2014-09-19 Nikos Mavrogiannopoulos + + * src/serv-args.def, src/serv.c: gnutls-serv: added the --provider + option + +2014-09-19 Nikos Mavrogiannopoulos + + * src/common.c: tools: corrected pin entry + +2014-09-19 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: cleaned up memory deallocation in + read_cert_url() That caused unexpected results when loading PKCS #11 URLs. Reported + by Joseph Peruski. + +2014-09-18 Nikos Mavrogiannopoulos + + * doc/certtool.cfg: updated certtool.cfg + +2014-09-18 Nikos Mavrogiannopoulos + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated + auto-generated files + +2014-09-15 Nikos Mavrogiannopoulos + + * tests/test-chains.h: tests: added checks with modified certificate This tests whether a modified of a DER certificate, that is + cancelled out while we parse it, would result to a good signature. + +2014-09-18 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-18 Nikos Mavrogiannopoulos + + * configure.ac: depend on p11-kit 0.20.7 + +2014-09-17 Nikos Mavrogiannopoulos + + * configure.ac, lib/pkcs11x.h: depend on p11-kit 0.20.6 + +2014-09-04 Nikos Mavrogiannopoulos + + * m4/hooks.m4: require libtasn1 3.9 or later That is because of the ocsp fix. 
+ +2014-09-17 Nikos Mavrogiannopoulos + + * lib/verify-tofu.c: removed unused variable + +2014-09-17 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: added sanity check on cleanup + +2014-09-17 Nikos Mavrogiannopoulos + + * src/certtool.c: certtool: corrected typo in printing error + +2014-09-17 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: correctly reallocate the read buffer Report and patch by David Woodhouse. + +2014-09-16 Nikos Mavrogiannopoulos + + * doc/cha-cert-auth.texi: updated documentation on PKCS #11 trust + module verification + +2014-09-16 Nikos Mavrogiannopoulos + + * lib/x509/common.h, lib/x509/verify-high.c, lib/x509/verify.c: + unified the key purpose checks functions + +2014-09-16 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/x509.h, lib/x509/common.h, + lib/x509/verify-high.c, lib/x509/verify.c: check for CAs with the + same key in gnutls_x509_trust_list_add_cas That way when GNUTLS_TL_NO_DUPLICATE_KEY is specified the added CA + will overwrite any previous one with the same name and key. 
+ +2014-09-16 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: hostname and key purpose checks were moved + above CRL checks + +2014-09-16 Nikos Mavrogiannopoulos + + * lib/x509/output.c, lib/x509/x509_ext.c: doc update + +2014-09-16 Nikos Mavrogiannopoulos + + * m4/hooks.m4: bumped library version + +2014-09-16 Nikos Mavrogiannopoulos + + * lib/x509/crl.c: corrected gnutls_x509_crl_get_raw_issuer_dn() + +2014-09-16 Nikos Mavrogiannopoulos + + * lib/x509/common.c: only deallocate data when allocation succeeds + +2014-09-16 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-15 Nikos Mavrogiannopoulos + + * lib/minitasn1/decoding.c: updated libtasn1 + +2014-09-15 Nikos Mavrogiannopoulos + + * doc/cha-gtls-app.texi: documented the environment variables + +2014-09-15 Nikos Mavrogiannopoulos + + * lib/verify-tofu.c, lib/x509/common.c, lib/x509/common.h: + Backported x509_raw_crt_to_raw_pubkey and x509_crt_to_raw_pubkey + +2014-09-12 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-12 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: print Attached Extensions, instead of + extensions + +2014-09-12 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: when adding a duplicate certificate, keep + the last entry + +2014-09-12 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-get-issuer.c: pkcs11-get-issuer: do not + hardcode the chain number, use its name + +2014-09-11 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/x509-ext.h, lib/libgnutls.map, + lib/x509/output.c, lib/x509/x509.c, lib/x509/x509_ext.c, + src/pkcs11.c: fixes in the extension handling + +2014-09-11 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: will print trust module extensions if + present + +2014-09-10 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c, lib/x509/verify.c, lib/x509/x509_int.h: + check the key purpose of the CA certificate when in pkcs11 cert + validation + +2014-09-10 Nikos Mavrogiannopoulos + + * lib/Makefile.am, lib/includes/gnutls/pkcs11.h, + 
lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/pkcs11.c, + lib/pkcs11_int.c, lib/pkcs11_int.h, lib/x509/common.h, + lib/x509/output.c, lib/x509/x509_ext.c: allow retrieving extensions + in a trust module using + GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT Conflicts: lib/pkcs11.c + +2014-09-10 Nikos Mavrogiannopoulos + + * lib/verify-tofu.c, lib/x509/common.h, lib/x509/extensions.c, + lib/x509/ocsp.c: export x509_crt_to_raw_pubkey() in x509/common.h + and prefixed s/get_extension with _gnutls + +2014-09-10 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: doc update + +2014-09-09 Nikos Mavrogiannopoulos + + * lib/gnutls_cert.c, lib/gnutls_x509.c, lib/gnutls_x509.h, + lib/includes/gnutls/x509.h, lib/libgnutls.map, + lib/x509/verify-high.c: gnutls_x509_trust_list_verify_crt2 is in par + with gnutls_certificate_verify_peers That is, it accepts a list of gnutls_typed_vdata_st and allows for + flexibility. Conflicts: lib/libgnutls.map + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/x509/x509_ext.c: doc update + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/crq.c, + lib/x509/x509.c: Added gnutls_x509_crt_get_extension_by_oid2() and + gnutls_x509_crq_get_extension_by_oid2() + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c, lib/includes/gnutls/x509.h, lib/libgnutls.map, + lib/x509/verify-high.c: Added + gnutls_x509_trust_list_verify_purpose_crt() Conflicts: lib/libgnutls.map + +2014-09-13 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-13 Nikos Mavrogiannopoulos + + * configure.ac, lib/pkcs11.c, lib/pkcs11x.c, lib/pkcs11x.h: simulate + pkcs11x.h when it doesn't exist + +2014-09-13 Nikos Mavrogiannopoulos + + * lib/Makefile.am, lib/pkcs11.c, lib/pkcs11x.h: added pkcs11x.h + +2014-09-13 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/crlverify.c: tests: Added crlverify to + check gnutls_x509_crl_verify and gnutls_x509_trust_list_add_crls Conflicts: tests/Makefile.am + +2014-09-13 Nikos 
Mavrogiannopoulos + + * lib/x509/verify.c: gnutls_x509_crl_verify: do not always set the + invalid status Reported by Armin Burgmeier. + +2014-09-13 Nikos Mavrogiannopoulos + + * lib/gnutls_ui.c: doc update + +2014-09-12 Nikos Mavrogiannopoulos + + * lib/pkcs11x.c: added missing file + +2014-09-13 Nikos Mavrogiannopoulos + + * lib/x509/verify.c: Revert "gnutls_x509_crl_verify: do not always + set the invalid status" This reverts commit 950b62da58542938adec366620948c85b78607dd. + +2014-09-13 Nikos Mavrogiannopoulos + + * lib/x509/verify.c: gnutls_x509_crl_verify: do not always set the + invalid status Reported by Armin Burgmeier. + +2014-09-05 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-08 Nikos Mavrogiannopoulos + + * src/tpmtool.c: tpmtool: corrected key password read + +2014-09-08 Nikos Mavrogiannopoulos + + * src/danetool.c: set umask prior to calling mkstemp + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/x509/verify-high.c: initialize verification output to zero + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/gnutls_buffers.c: dtls: when discarding packet, discard the + correct number of bytes + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: check_ip: initialize ret + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/tpm.c: gnutls_tpm_privkey_generate: initialize input values to + null to prevent any issue + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: do not dereference find_data->p_list in pkcs11 + callback + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-fips.c: corrected issue in fips RNG + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/nettle/pk.c: added comment to clarify check + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/opencdk/literal.c: opencdk: corrected unsigned comparison + +2014-09-08 Nikos Mavrogiannopoulos + + * lib/tpm.c: fixes in loop for SRK password input + +2014-09-08 Nikos Mavrogiannopoulos + + * src/common.c: apps: corrected GNUTLS_PIN reading + +2014-09-08 Nikos Mavrogiannopoulos 
+ + * lib/x509/verify-high2.c: gnutls_x509_trust_list_add_trust_dir: + corrected CRL loading error + +2014-09-08 Nikos Mavrogiannopoulos + + * src/certtool-cfg.c: certtool: corrected copy+paste error + +2014-09-05 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-05 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: corrected usage of readdir_r() + +2014-09-05 Nikos Mavrogiannopoulos + + * src/ocsptool-common.c: ocsptool: better error message + +2014-09-05 Nikos Mavrogiannopoulos + + * lib/x509/verify-high2.c: reentrant fixes for + gnutls_x509_trust_list_add_trust_dir() handle unknown file types + +2014-09-05 Nikos Mavrogiannopoulos + + * tests/ocsp.c: doc update + +2014-09-05 Nikos Mavrogiannopoulos + + * m4/hooks.m4, tests/ocsp.c: Revert "require libtasn0 3.9 or later" This reverts commit 07a906b4e5c9d1446aee1bf4e091fefa1f1eb1da. + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/x509/x509_dn.c: optimized escaped comma handling + +2014-09-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-04 Nikos Mavrogiannopoulos + + * m4/hooks.m4, tests/ocsp.c: require libtasn1 3.9 or later That is because of the ocsp fix. + +2014-09-04 Nikos Mavrogiannopoulos + + * tests/crq_apis.c: tests: extended crq API checks + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/x509/x509_write.c: doc update + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/x509/x509_dn.c: when setting a DN properly handle spaces and + escaped commas + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/x509/common.c, lib/x509/common.h, lib/x509/crl.c, + lib/x509/x509.c: The get_raw_dn() functions were modified to work + even if the certificate is generated (not imported) + +2014-09-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/gnutls_dtls.c: Disallow zero fragments in DTLS for packets + which have data. Reported by Manuel Pégourié-Gonnard. 
+ +2014-09-04 Nikos Mavrogiannopoulos + + * configure.ac, lib/vasprintf.c: steal openconnect's vasprintf() + implementation + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/vasprintf.c: corrected bundled vasprintf(); reported by Jeff + Lee + +2014-09-04 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2014-09-04 Nikos Mavrogiannopoulos + + * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h: updated + included libtasn1 + +2014-09-04 Nikos Mavrogiannopoulos + + * tests/ocsp.c: tests: Added tests on the invalid OCSP response + +2014-09-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-03 Nikos Mavrogiannopoulos + + * lib/x509/common.h, lib/x509/verify.c: when comparing an + end-certificate with the trusted list compare the entire certificate + +2014-09-02 Nikos Mavrogiannopoulos + + * tests/test-chains.h: tests: Added test for amazon.com chain with + new verisign CA. + +2014-09-02 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/x509/common.c, + lib/x509/common.h, lib/x509/crl.c, lib/x509/verify.c, + lib/x509/x509.c, lib/x509/x509_int.h: when comparing a CA + certificate with the trusted list compare the name and key That is to handle cases where a CA certificate was superceded by a + different one with the same name and the same key. That can happen + when an intermediate CA certificate is replaced by a self-signed + one. 
+ +2014-08-29 Nikos Mavrogiannopoulos + + * lib/x509/common.c, lib/x509/crl.c, lib/x509/x509.c: avoid new + allocations and keep a pointer to the DER data for DN + +2014-08-29 Nikos Mavrogiannopoulos + + * lib/x509/crl.c, lib/x509/verify.c, lib/x509/x509_int.h: when + importing a CRL keep the DER data + +2014-08-29 Nikos Mavrogiannopoulos + + * lib/x509/common.c, lib/x509/common.h, lib/x509/crq.c, + lib/x509/verify.c, lib/x509/x509.c, lib/x509/x509_int.h: when + importing a certificate, keep the DER data + +2014-09-03 Nikos Mavrogiannopoulos + + * lib/fips.c: fips140: check the integrity of GMP + +2014-09-02 Nikos Mavrogiannopoulos + + * lib/fips.c, lib/fips.h, lib/gnutls_global.c, + lib/nettle/int/dsa-fips.h: perform the FIPS140-2 self tests in two + rounds One round is before the AES acceleration is registered, and the + second is after. That is to allow testing of the AES implementation + used in the DRBG. That is a hack until nettle handles all cipher + acceleration. Conflicts: lib/gnutls_global.c + +2014-09-01 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-09-01 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c: name constraints: do not check CN + when a DNSname is available + +2014-09-01 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes-self-test.c, lib/nettle/int/drbg-aes.h: + drbg-aes: added checks in the error handling of the functions That coverts the instantiate and generation functions. 
+ +2014-09-01 Nikos Mavrogiannopoulos + + * lib/crypto-selftests.c: fips140: fail on encryption test failure + +2014-09-01 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes.c: drbg-aes: if the continuous test fails, + put the library into error state + +2014-08-31 Nikos Mavrogiannopoulos + + * doc/cha-tokens.texi, doc/cha-upgrade.texi, doc/latex/cover.tex: + small doc updates + +2014-08-31 Nikos Mavrogiannopoulos + + * doc/Makefile.am, doc/cha-tokens.texi, doc/latex/cover.tex: doc: + fixes in sectioning for p11tool and tpmtool invocation + +2014-08-29 Tristan Matthews + + * lib/ext/alpn.c: alpn: fix version documentation 
Signed-off-by: Nikos Mavrogiannopoulos + +2014-08-29 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: allow printing multiple types of tokens + +2014-08-29 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: refer to rfc6125 + +2014-08-29 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: additional sanity check in RSA key generation + testing in FIPS-140-2 mode The encrypted data are checked to differ from the plaintext, to + prevent any issues with an accidental null encryption. + +2014-08-29 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: when in FIPS140-2 mode switch the library to + error state if key generation fails + +2014-08-29 Nikos Mavrogiannopoulos + + * cfg.mk, configure.ac, devel/openssl, + lib/accelerated/x86/Makefile.am, lib/accelerated/x86/x86-common.c: + added configuration option --disable-padlock That allows keeping hardware acceleration in x86 but without support + for padlock. + +2014-08-28 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-28 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: when listing tokens, list their type as + well + +2014-08-27 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: hide _gnutls_x86_cpuid_s + +2014-08-27 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: gnutls_pkcs11_obj_list_import_url2() will import + data in a single pass + +2014-08-26 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-26 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: when reading PKCS #11 objects, read multiple + objects at a time That improves the performance significantly when reading from tokens + with a significant number of objects. Reported by David Woodhouse. 
+ +2014-08-26 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: do not fail the entire operation if a single + object cannot be imported + +2014-08-26 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: allow objects without label or without ID + +2014-08-26 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-26 Nikos Mavrogiannopoulos + + * tests/test-chains.h: tests: updated name constraints checks to not + include a CN + +2014-08-26 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c, lib/x509/x509.c: doc update + +2014-08-26 Nikos Mavrogiannopoulos + + * lib/x509/verify.c: only check name constraints in non-CA + certificates + +2014-08-26 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c: ignore constraints for different type + than the checked + +2014-08-26 Nikos Mavrogiannopoulos + + * lib/x509/name_constraints.c: when verifying name constrains + enforce the single CN rule + +2014-08-25 Nikos Mavrogiannopoulos + + * src/libopts/autoopts.h: check for stdnoreturn.h presence + +2014-08-24 Alon Bar-Lev + + * tests/Makefile.am, tests/x509cert-tl.c: build: tests: x509cert-tl: + support separate builddir Signed-off-by: Alon Bar-Lev + +2014-08-24 Alon Bar-Lev + + * lib/gnutls_privkey.c: build: condition pkcs11 block 
Signed-off-by: Alon Bar-Lev + +2014-08-24 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.7 + +2014-08-23 Nikos Mavrogiannopoulos + + * lib/gnutls_record.c: record: tolerate a finished packet with + errors in DTLS + +2014-08-23 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-23 Nikos Mavrogiannopoulos + + * lib/gnutls_record.c: record: in DTLS discard only messages that + cause unexpected packet errors + +2014-08-23 Nikos Mavrogiannopoulos + + * src/socket.c: tools: use the AI_IDN flag in getaddrinfo if it + exists + +2014-08-23 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-23 Nikos Mavrogiannopoulos + + * src/certtool-common.c, src/certtool-extras.c, src/common.c, + src/danetool.c, src/socket.c: danetool: added openssl-linking + exception That allows linking against unbound. + +2014-08-23 Nikos Mavrogiannopoulos + + * src/danetool.c: danetool: ensure the temporary file is always + removed + +2014-08-22 Nikos Mavrogiannopoulos + + * lib/gnutls_errors.c: doc update + +2014-08-22 Nikos Mavrogiannopoulos + + * lib/nettle/int/dsa-keygen-fips186.c: prevent 1024-bit DSA + parameter generation only when FIPS-mode is enabled. + +2014-08-22 Nikos Mavrogiannopoulos + + * lib/nettle/int/dsa-keygen-fips186.c: Revert "removed pbits=1024, + qbits=160 from the acceptable bit sizes in FIPS140-2 DSA parameter + generation." This reverts commit 110527d9bb9ca70a66ae8173769067f133fd3cf7. 
+ +2014-08-21 Nikos Mavrogiannopoulos + + * lib/system.c: use the windows API in windows even if iconv is + available + +2014-08-20 Nikos Mavrogiannopoulos + + * lib/minitasn1/decoding.c: updated libtasn1 + +2014-08-20 Nikos Mavrogiannopoulos + + * lib/minitasn1/decoding.c: updated minitasn1 + +2014-08-20 Nikos Mavrogiannopoulos + + * m4/hooks.m4: configure: print error message when nettle is 3.0 or + later + +2014-08-18 Nikos Mavrogiannopoulos + + * lib/x509/crl.c, lib/x509/pkcs7.c, lib/x509/privkey.c, + lib/x509/x509.c, lib/x509/x509_int.h: Safer reinitialization of + structures on re-import to avoid memory leaks. That also adds the gnutls_pkcs7_t structure into the list of allowed + to re-import. + +2014-08-17 Nikos Mavrogiannopoulos + + * lib/verify-tofu.c: doc update + +2014-08-17 Nikos Mavrogiannopoulos + + * lib/verify-tofu.c: doc update + +2014-08-16 Nikos Mavrogiannopoulos + + * lib/x509/crl.c, lib/x509/pkcs12.c, lib/x509/privkey.c, + lib/x509/privkey_pkcs8.c, lib/x509/x509.c, lib/x509/x509_int.h: + Re-initialize the ASN.1 structures on every import That allows to import a key/certificate on a structure even if the + previous import failed. + +2014-08-14 Nikos Mavrogiannopoulos + + * symbols.last: symbols.last: added private entry + +2014-08-14 Nikos Mavrogiannopoulos + + * src/cli-args.def, src/cli.c: gnutls-cli: added --fips140-mode + command line option That option will report the status of the FIPS140-2 mode in the + library. 
+ +2014-08-14 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-14 Nikos Mavrogiannopoulos + + * lib/fips.c: The environment variable GNUTLS_FORCE_FIPS_MODE can be + used to force the FIPS-140-2 mode + +2014-08-13 Nikos Mavrogiannopoulos + + * src/common.h: gnutls-cli/danetool: corrected check on ipv6 IPs + +2014-08-13 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-13 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/cli.c, src/common.h, src/danetool.c: + gnutls-cli/danetool: added a common check for hostname being an IP + +2014-08-13 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: Follow the rfc6125 requirement that a + single CN must be present for hostname verification. Follow up on the original commit that simplifies checking for more + than a single hostname. + +2014-08-13 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c, tests/hostname-check.c: Follow the + rfc6125 requirement that a single CN must be present for hostname + verification. + +2014-08-12 Nikos Mavrogiannopoulos + + * tests/hostname-check.c: tests: check that + gnutls_x509_crt_check_hostname() will correctly use the last CN when + multiple + +2014-08-12 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: when checking the hostname of a + certificate with multiple CNs use the "most specific" CN In our case we use the last CN present in the DN. Reported by David + Woodhouse. 
https://bugzilla.mozilla.org/show_bug.cgi?id=307234#c2 + +2014-08-11 Nikos Mavrogiannopoulos + + * src/benchmark-cipher.c: gnutls-cli: more organized printing of + cipher benchmark output + +2014-08-11 Nikos Mavrogiannopoulos + + * src/benchmark-tls.c: gnutls-cli: removed salsa20 from the + benchmarked ciphers + +2014-08-11 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-11 Nikos Mavrogiannopoulos + + * lib/algorithms.h, lib/algorithms/mac.c, lib/libgnutls.map: + mac_to_entry -> _gnutls_mac_to_entry + +2014-08-10 Nikos Mavrogiannopoulos + + * lib/libgnutls.map, tests/pkcs12_s2k.c: tests: updated string to + keys tests for new internal API + +2014-08-10 Nikos Mavrogiannopoulos + + * tests/pkcs12-decode/Makefile.am, tests/pkcs12-decode/pkcs12: + tests: test the decoding of a PKCS #12 structure with SHA256 MAC + +2014-08-10 Nikos Mavrogiannopoulos + + * lib/algorithms.h, lib/x509/pkcs12.c, lib/x509/pkcs12_encr.c, + lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: pkcs12: Allow + verification with structures that support other than HMAC-SHA1 MACs. 
+ +2014-08-11 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: gnutls_pkcs11_obj_flags_get_str: mention UNWRAP + +2014-08-10 Nikos Mavrogiannopoulos + + * lib/x509/pkcs12.c: updated doc for gnutls_pkcs12_simple_parse() + +2014-08-09 Nikos Mavrogiannopoulos + + * src/danetool.c: danetool: obtain certificate only once + +2014-08-09 Nikos Mavrogiannopoulos + + * m4/hooks.m4: bumped version + +2014-08-09 Nikos Mavrogiannopoulos + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: added new + functions + +2014-08-09 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11: + modified prototype and doc to be recognized by doc parser + +2014-08-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-09 Nikos Mavrogiannopoulos + + * src/cli-debug-args.def, src/danetool-args.def, src/socket.c: + danetool/gnutls-cli-debug: added support for imap starttls + +2014-08-09 Nikos Mavrogiannopoulos + + * doc/manpages/tpmtool.1: auto-generated files update + +2014-08-09 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-09 Nikos Mavrogiannopoulos + + * src/cli-debug-args.def, src/cli-debug.c: gnutls-cli-debug: + supports SMTP starttls + +2014-08-09 Nikos Mavrogiannopoulos + + * src/danetool-args.def, src/danetool.c, src/socket.c, src/socket.h: + danetool: supports SMTP starttls + +2014-08-09 Nikos Mavrogiannopoulos + + * src/danetool-args.def, src/danetool.c, src/socket.c: danetool: + improvements in information presentation + +2014-08-09 Nikos Mavrogiannopoulos + + * libdane/dane.c: libdane: disable debugging mode + +2014-08-08 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-08 Nikos Mavrogiannopoulos + + * src/Makefile.am, src/cli.c, src/danetool.c, + src/ocsptool-common.c, src/socket.c, src/socket.h, + tests/suite/testdane: danetool: if the certificate to verify against + is not provide it try to obtain it + +2014-08-08 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c: updated documentation for + gnutls_handshake() + 
+2014-08-08 Nikos Mavrogiannopoulos + + * lib/gnutls_pk.c: protect _gnutls_params_get_rsa_raw() from + crashing when exporting an RSA public key That could happen in case of PKCS #11 abstract keys. + +2014-08-08 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: corrected typo + +2014-08-08 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-08 Nikos Mavrogiannopoulos + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + p11tool: added --info parameter That allows obtaining information on a specific object. + +2014-08-08 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c: pkcs11: added + GNUTLS_PKCS11_OBJ_ATTR_MATCH flag This flag allows listing only the tokens that match the URL. That + is, this performs an object URL comparison, rather than a token URL + usage. + +2014-08-08 Nikos Mavrogiannopoulos + + * src/p11tool.c: p11tool: only print the debugging message in + debuglevel > 4 + +2014-08-08 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: pkcs11: check CKA_UNWRAP as well for enabling + GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP + +2014-08-07 Nikos Mavrogiannopoulos + + * doc/cha-intro-tls.texi: removed reference to UMAC + +2014-08-07 Nikos Mavrogiannopoulos + + * doc/cha-intro-tls.texi: removed references to SALSA20 + +2014-08-07 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: doc update + +2014-08-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-07 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: simplified pkcs11_privkey handling A PKCS #11 always holds an open session to the key. 
+ +2014-08-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-07 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c, + src/pkcs11.c: gnutls_pkcs11_flags_get_str -> + gnutls_pkcs11_obj_flags_get_str + +2014-08-07 Nikos Mavrogiannopoulos + + * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-get-issuer.c: + tests: ensure that no environment variables confuse softhsm + +2014-08-07 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: testpkcs11: exit if + export_pubkey_of_privkey fails + +2014-08-07 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c, + lib/pkcs11_int.h, lib/pkcs11_privkey.c, src/p11tool.c, src/pkcs11.c: + pkcs11: added new functions to query the object's flags gnutls_pkcs11_obj_get_flags() allows obtaining an object's flags, + and gnutls_pkcs11_flags_get_str() allows printing them. + +2014-08-07 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h: pkcs11.h: introduced + gnutls_pkcs11_obj_flags + +2014-08-06 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-06 Nikos Mavrogiannopoulos + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + p11tool: simplify the passing of flags and pass the key wrapping + flag + +2014-08-06 Nikos Mavrogiannopoulos + + * src/benchmark-tls.c: gnutls-cli: TLS benchmark parameters were + updated + +2014-08-06 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-06 Nikos Mavrogiannopoulos + + * lib/gnutls_privkey.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: + _gnutls_privkey_get_mpis: extended to work for PKCS #11 keys + +2014-08-06 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_privkey.c: doc update + +2014-08-06 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, + lib/pkcs11_privkey.c, src/pkcs11.c: changed semantics of + gnutls_pkcs11_privkey_get_pubkey; named + gnutls_pkcs11_privkey_export_pubkey Conflicts: lib/libgnutls.map + +2014-08-06 Nikos 
Mavrogiannopoulos + + * NEWS: doc update + +2014-08-06 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_get_pubkey: return + GNUTLS_E_INVALID_REQUEST on invalid params + +2014-08-06 Nikos Mavrogiannopoulos + + * src/p11tool.c: p11tool: activate the --batch option + +2014-08-06 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: testpkcs11: Test the export of public key + +2014-08-06 Wolfgang Meyer zu Bergsten + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + add public key export to p11tool Signed-off-by: Wolfgang Meyer zu Bergsten + +2014-08-04 Wolfgang Meyer zu Bergsten + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, + lib/pkcs11_privkey.c: add pubkey export from private key in pkcs11 + subsystem There are cases where we need to export the public key of private + key at a later time. Previously, the public key was only available + immediately after creation of a key pair. This patch allows to + retrieve the public key of a private key at any time after creation. Signed-off-by: Wolfgang Meyer zu Bergsten + +2014-08-06 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: documented flags format + +2014-08-04 Wolfgang Meyer zu Bergsten + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: improve + compatibility in pkcs11 key generation * add key wrap/unwrap key usage * explicitly set public exponent in template 
Signed-off-by: Wolfgang Meyer zu Bergsten + +2014-08-06 Nikos Mavrogiannopoulos + + * src/cli-debug.c, src/tests.c: gnutls-cli-debug: added AES and + CAMELLIA to the list of default ciphers + +2014-08-05 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c, lib/x509/x509.c: doc: replaced non-0 with + non-zero + +2014-08-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-08-04 Nikos Mavrogiannopoulos + + * lib/x509/privkey_pkcs8.c: pkcs8: initialize parameters on + decryption + +2014-07-31 Nikos Mavrogiannopoulos + + * lib/nettle/rnd-common.c, lib/system.h, lib/x509/verify-high2.c: + several windows compilation fixes Conflicts: lib/atfork.h + +2014-07-29 Nikos Mavrogiannopoulos + + * src/libopts/COPYING.gplv3, src/libopts/COPYING.lgplv3, + src/libopts/README, src/libopts/ag-char-map.h, src/libopts/alias.c, + src/libopts/ao-strs.c, src/libopts/ao-strs.h, + src/libopts/autoopts.c, src/libopts/autoopts.h, + src/libopts/autoopts/options.h, src/libopts/autoopts/project.h, + src/libopts/autoopts/usage-txt.h, src/libopts/boolean.c, + src/libopts/check.c, src/libopts/compat/compat.h, + src/libopts/compat/windows-config.h, src/libopts/configfile.c, + src/libopts/cook.c, src/libopts/enum.c, src/libopts/env.c, + src/libopts/file.c, src/libopts/find.c, src/libopts/genshell.c, + src/libopts/genshell.h, src/libopts/gettext.h, src/libopts/init.c, + src/libopts/load.c, src/libopts/m4/libopts.m4, + src/libopts/m4/liboptschk.m4, src/libopts/makeshell.c, + src/libopts/nested.c, src/libopts/numeric.c, + src/libopts/option-value-type.c, src/libopts/option-value-type.h, + src/libopts/option-xat-attribute.c, + src/libopts/option-xat-attribute.h, src/libopts/parse-duration.c, + src/libopts/parse-duration.h, src/libopts/pgusage.c, + src/libopts/proto.h, src/libopts/putshell.c, src/libopts/reset.c, + src/libopts/restore.c, src/libopts/save.c, src/libopts/sort.c, + src/libopts/stack.c, src/libopts/streqvcmp.c, + src/libopts/text_mmap.c, src/libopts/time.c, + src/libopts/tokenize.c, 
src/libopts/usage.c, src/libopts/version.c: + updated to libopts 5.18.3 + +2014-07-29 Nikos Mavrogiannopoulos + + * build-aux/config.rpath, build-aux/gendocs.sh, + doc/gendocs_template, gl/m4/gnulib-common.m4, gl/m4/intl.m4, + gl/m4/po.m4, gl/m4/printf.m4, gl/m4/valgrind-tests.m4, + gl/tests/fcntl.in.h, maint.mk, src/gl/error.c, src/gl/m4/dup2.m4, + src/gl/m4/gnulib-common.m4, src/gl/m4/printf.m4, src/gl/mktime.c, + src/gl/select.c, src/gl/xalloc.h: updated gnulib + +2014-07-29 Nikos Mavrogiannopoulos + + * lib/x509/pkcs12.c: updated documentation for + gnutls_pkcs12_simple_parse + +2014-07-29 Nikos Mavrogiannopoulos + + * NEWS, configure.ac, m4/hooks.m4: bumped versions + +2014-07-28 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-28 Nikos Mavrogiannopoulos + + * lib/Makefile.am, lib/inet_pton.c, lib/system.h, + lib/x509/rfc2818_hostname.c: Added replacements of inet_aton and + inet_pton on systems they are not present gnulib is avoided due to keep the gnulib network replacements out of + the library. + +2014-07-28 Nikos Mavrogiannopoulos + + * doc/cha-cert-auth.texi: Added text on PKCS #11 verification + +2014-07-27 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/abstract.h, lib/includes/gnutls/gnutls.h.in, + lib/includes/gnutls/ocsp.h, lib/includes/gnutls/pkcs11.h, + lib/includes/gnutls/x509.h: removed comma at the end of enumerations That patch allows compilers that don't support C99 syntax to compile + applications that use a header of gnutls. Report and patch Ryan + Schmidt. + +2014-07-27 Nikos Mavrogiannopoulos + + * Makefile.am, configure.ac, doc/Makefile.am: check for sed in + configure.ac and use the output variable in Makefiles + +2014-07-24 Nikos Mavrogiannopoulos + + * lib/gnutls_handshake.c: doc update + +2014-07-23 Nikos Mavrogiannopoulos + + * tests/dane.c: tests: dane: add flag DANE_F_IGNORE_LOCAL_RESOLVER + to dane_state_init That prevents unbound from complaining in systems where no DNSSEC + functionality is present. 
+ +2014-07-23 Nikos Mavrogiannopoulos + + * libdane/dane.c: doc update + +2014-07-23 Nikos Mavrogiannopoulos + + * tests/Makefile.am: tests: added libdane/includes to includes dir + +2014-07-23 Nikos Mavrogiannopoulos + + * NEWS: released 3.3.6 + +2014-07-23 Nikos Mavrogiannopoulos + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: Added + missing functions + +2014-07-22 Nikos Mavrogiannopoulos + + * m4/hooks.m4: bumped library version + +2014-07-22 Nikos Mavrogiannopoulos + + * libdane/dane.c: libdane: simplified initialization of variables. + +2014-07-22 Nikos Mavrogiannopoulos + + * libdane/dane.c: libdane: bogus and secure values are always + initialized in dane_query_to_raw_tlsa + +2014-07-22 Nikos Mavrogiannopoulos + + * tests/dane.c: tests: eliminated leak from dane check + +2014-07-22 Nikos Mavrogiannopoulos + + * libdane/dane.c: libdane: use gnutls_malloc() and doc update + +2014-07-22 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/dane.c: Added self test for DANE raw + functions + +2014-07-22 Nikos Mavrogiannopoulos + + * src/danetool-args.def, src/danetool.c: danetool: added option to + print the raw entries. + +2014-07-22 Nikos Mavrogiannopoulos + + * libdane/dane.c: doc update + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/libgnutls.map: moved _gnutls_prf_raw to FIPS140 symbols + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/aes-gcm-x86-pclmul.c, + lib/accelerated/x86/aes-padlock.c: Added sanity check on padlock AES + IV set. + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/gnutls_state.c, lib/libgnutls.map: fips140-2: Added + _gnutls_prf_raw() which can calculate the TLS PRF without depending + on a session structure. + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/fips.c: fips140-2: do not check the libtasn1's integrity + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/algorithms/ciphersuites.c: RSA-PSK ciphersuites are only + allowed in TLS 1.0. 
That is because they implement the EncryptedPreMasterSecret encoding + according to RFC 4279, which uses the TLS 1.0 (RFC 2246) encoding, + and there can be ambiguities when using that over SSL 3.0. See: + http://lists.gnupg.org/pipermail/gnutls-help/2014-July/003546.html + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/gnutls_priority.c: gnutls_priority_init: set err_pos prior to + any action That allows a valid err_pos, even on a memory allocation error. + Reported by Dan Fandrich. + +2014-07-22 Nikos Mavrogiannopoulos + + * doc/TODO: updated TODO + +2014-07-22 Nikos Mavrogiannopoulos + + * lib/algorithms/ciphersuites.c: minimum version was changed to TLS + 1.0 for ciphersuites with SHA2 These ciphersuites could not be used with SSL 3.0 that only defines + usage of MD5 or SHA1 MACs. Reported by Manuel Pegourie-Gonnard. + +2014-07-21 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: ignore CKR_CRYPTOKI_ALREADY_INITIALIZED when + returned on reinitialization + +2014-07-21 Nikos Mavrogiannopoulos + + * tests/Makefile.am, tests/x509cert-dir/ca.pem, tests/x509cert-tl.c: + tests: x509cert-tl checks gnutls_x509_trust_list_add_trust_dir() + +2014-07-21 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c: doc update + +2014-07-21 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-21 Nikos Mavrogiannopoulos + + * lib/gnutls_x509.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: Added gnutls_certificate_set_x509_trust_dir() + +2014-07-21 Nikos Mavrogiannopoulos + + * lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/system.c, + lib/x509/verify-high2.c: Added + gnutls_x509_trust_list_add_trust_dir() This essentially exports the functionality to read from a directory + with trusted certificates. 
+ +2014-07-21 Nikos Mavrogiannopoulos + + * configure.ac, lib/system.c: Allow specifying a directory as trust + store + +2014-07-11 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-10 Simon Arlott + + * libdane/dane.c, libdane/includes/gnutls/dane.h, + libdane/libdane.map: libdane: add function dane_query_to_raw_tlsa This function converts a dane_query_t into the parameters needed for + dane_raw_tlsa() to make it easy to copy the results of the + (synchronous) lookup query from one process to another. This code allocates an unnecessary extra NULL entry for + dane_data_len to avoid trying to malloc 0 bytes if q->data_entries + is 0 (it is possible for malloc/calloc to return NULL when requested + to allocate 0 bytes). 
Signed-off-by: Simon Arlott + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/fips.c: FIPS140-2 tests: no need for MD5 check + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/fips.c: FIPS140-2 tests: removed redundant checks We keep on check per cipher which is required, and avoid multiple + (and time-consuming) tests. + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: Allow specifying + GNUTLS_CPUID_OVERRIDE in either hex or decimal. + +2014-07-08 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: Added option to disable any cpu + optimizations + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c, + lib/accelerated/x86/x86-common.h: simplified housekeeping of CPUID + registers + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/accelerated/x86/x86-common.c: Allow overriding the detected + CPUID using the GNUTLS_CPUID_OVERRIDE environment variable + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/x509/privkey.c: FIPS140-2 tests: Added pairwise consistency + check for RSA encryption + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/crypto-selftests-pk.c: FIPS140-2 tests: check with DSA-2048 + and DSA-3072 bit keys, as well as SHA256. 
+ +2014-07-08 Nikos Mavrogiannopoulos + + * lib/crypto-selftests-pk.c: FIPS140-2 tests: check with RSA-2048 + and RSA-3072 bit keys + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/crypto-selftests-pk.c: tests: check RSA with SHA256 + +2014-07-08 Nikos Mavrogiannopoulos + + * lib/crypto-selftests-pk.c: FIPS140-2 mode: test whether RSA + encrypted data differ from plaintext + +2014-07-07 Nikos Mavrogiannopoulos + + * lib/nettle/cipher.c: FIPS140-2 mode: enforce the minimum GCM IV + size required by SP800-38D (section 8.2) + +2014-07-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-07 Nikos Mavrogiannopoulos + + * src/certtool-args.def, src/certtool-common.c, + src/certtool-common.h, src/certtool.c, src/p11tool-args.def, + src/p11tool.c: p11tool/certtool: Added --curve parameter. The curve parameter allows to explicitly specify the curve to use + when generating a key. + +2014-07-07 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-07 Nikos Mavrogiannopoulos + + * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_privkey.c, + lib/pkcs11_write.c, lib/x509/key_encode.c, lib/x509/x509_int.h: set + CKA_EC_PARAMS when generating an ECDSA key + +2014-07-07 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: only print warning about key sizes in RSA + keys + +2014-07-07 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: make brief output more brief + +2014-07-07 Nikos Mavrogiannopoulos + + * lib/nettle/mpi.c, lib/nettle/pk.c: mpi: use zeroize_key() instead + of memset() + +2014-07-06 Nikos Mavrogiannopoulos + + * libdane/dane.c: dane: Skip DANE entries that may contain unknown + info That would allow skipping any future entries without failing. + Reported by Simon Arlott. + +2014-07-06 Nikos Mavrogiannopoulos + + * libdane/dane.c: dane: Added sanity check in dane_verify_crt_raw() That allows calling the function will an empty chain. Reported by + Simon Arlott. 
+ +2014-07-06 Nikos Mavrogiannopoulos + + * doc/examples/ex-cert-select-pkcs11.c, + doc/examples/ex-cert-select.c, doc/examples/ex-client-dtls.c, + doc/examples/ex-client-srp.c, doc/examples/ex-client-x509.c, + doc/examples/ex-serv-anon.c, doc/examples/ex-serv-pgp.c, + doc/examples/ex-serv-psk.c, doc/examples/ex-serv-srp.c, + doc/examples/ex-serv-x509.c: examples: mention that + gnutls_global_init() is optional + +2014-07-06 Nikos Mavrogiannopoulos + + * doc/cha-tokens.texi: doc: mention and link to trust storage module + +2014-07-06 Nikos Mavrogiannopoulos + + * doc/cha-bib.texi, doc/cha-tokens.texi: doc update + +2014-07-04 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-04 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: pkcs11: Removed length check of attribute as + a sanity check for valid keys. There can be keys where the id or label is empty and thus with zero + length. + +2014-07-04 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: Increased number of attributes + +2014-07-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-03 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: try to restart on session errors, to avoid + having a failed call. + +2014-07-03 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: corrected pkcs11 reinitialization + +2014-07-03 Nikos Mavrogiannopoulos + + * lib/pkcs11_privkey.c: If we get a PKCS #11 session error, + invalidate the cached session. + +2014-07-03 Nikos Mavrogiannopoulos + + * lib/pkcs11.c: set the maximum value when printing + library_description + +2014-07-03 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_privkey.c: On fork invalidate the PKCS + #11 privkey cached session + +2014-07-03 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-03 Nikos Mavrogiannopoulos + + * src/pkcs11.c: p11tool: don't outsmart user and override login type Unfortunately tokens vary on their requirements for writing trusted + and private objects, and there is no one-size fits all policy. 
Thus + allow a proper failure and warn the user that so-login may be + required. + +2014-07-03 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: testpkcs11: Try to write the trusted + object both by so-pin and normal pin + +2014-07-02 Nikos Mavrogiannopoulos + + * tests/suite/testpkcs11: tests: testpkcs11: temp parameters are + deleted after generation + +2014-07-02 Nikos Mavrogiannopoulos + + * configure.ac, m4/hooks.m4: bumped version + +2014-07-02 Nikos Mavrogiannopoulos + + * tests/suite/Makefile.am: tests: added testpkcs11.sc-hsm + +2014-07-02 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-02 Nikos Mavrogiannopoulos + + * src/p11tool-args.def, src/pkcs11.c: p11tool: use GNUTLS_PIN and + GNUTLS_SO_PIN when setting the PINs of an initialized token. + +2014-07-02 Nikos Mavrogiannopoulos + + * tests/slow/gendh.c: tests: gendh: increased the DH prime size to + allow usage under FIPS140-2 mode + +2014-07-02 Nikos Mavrogiannopoulos + + * src/common.c: tools: when in batch mode and no PIN, print a note + about using the environment variables + +2014-07-02 Nikos Mavrogiannopoulos + + * tests/crq_key_id.c: tests: crq_key_id: increased generated DSA key + size and changed hash to SHA256 That allows the test to operate under the FIPS140-2 mode. + +2014-07-02 Nikos Mavrogiannopoulos + + * tests/crq_key_id.c: tests: improved error reporting in crq_key_id + +2014-07-02 Nikos Mavrogiannopoulos + + * doc/cha-upgrade.texi: doc: properly terminate table + +2014-07-02 Nikos Mavrogiannopoulos + + * lib/nettle/int/dsa-keygen-fips186.c: removed pbits=1024, qbits=160 + from the acceptable bit sizes in FIPS140-2 DSA parameter generation. + +2014-07-02 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-02 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-02 Nikos Mavrogiannopoulos + + * src/certtool.c, src/common.c, src/common.h, src/danetool.c, + src/pkcs11.c, src/serv.c: tools: PIN callback will respect batch + mode and will not ask for PIN. 
+ +2014-07-02 Nikos Mavrogiannopoulos + + * src/certtool-common.h, src/p11tool-args.def, src/p11tool.c, + src/p11tool.h, src/pkcs11.c: p11tool: Ask for label if not + specified. Added --batch parameter to disable interaction. + +2014-07-02 Nikos Mavrogiannopoulos + + * src/p11tool.c, src/p11tool.h, src/pkcs11.c: p11tool: If there is + only a single token available, don't bother complaining about + specifying the correct URL + +2014-07-02 Nikos Mavrogiannopoulos + + * lib/nettle/int/drbg-aes.h: updated comment + +2014-07-01 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-07-01 Nikos Mavrogiannopoulos + + * src/certtool-args.def: certtool: document that URLs are supported + +2014-07-01 Nikos Mavrogiannopoulos + + * src/p11tool-args.def: p11tool: document GNUTLS_SO_PIN env variable + +2014-07-01 Nikos Mavrogiannopoulos + + * tests/suite/Makefile.am, tests/suite/testpkcs11, + tests/suite/testpkcs11.pkcs15, tests/suite/testpkcs11.sc-hsm, + tests/suite/testpkcs11.softhsm: tests: improved testpkcs11 suite + +2014-07-01 Nikos Mavrogiannopoulos + + * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: + gnutls_pkcs11_privkey_generate2(): corrected public key extraction + (for ECDSA keys) + +2014-07-01 Nikos Mavrogiannopoulos + + * src/common.c: p11tool/certtool: use GNUTLS_SO_PIN for reading + security officer's PIN + +2014-07-01 Nikos Mavrogiannopoulos + + * src/certtool-common.h, src/p11tool-args.def, src/p11tool.c, + src/pkcs11.c: p11tool: added options --set-pin and --set-so-pin These allow for an non-interactive --initialize process. + +2014-06-30 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: Added explicit documentation on IPv4 + and IPv6 address matching. 
+ +2014-06-29 Nikos Mavrogiannopoulos + + * tests/long-session-id.c: tests: long-session-id: ignore SIGPIPE + +2014-06-29 Nikos Mavrogiannopoulos + + * doc/cha-upgrade.texi: doc: Added text on upgrading to 3.3.x from + 3.2.x + +2014-06-27 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: do not exit the loop in case a name + doesn't fit into our buffer. + +2014-06-27 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: when verifying an IP, also verify it + as a hostname There are several misconfigured servers that placed their IP as a + DNS name. Pointed out by David Woodhouse. + +2014-06-27 Nikos Mavrogiannopoulos + + * lib/x509/output.c: supress warnings + +2014-06-27 Nikos Mavrogiannopoulos + + * NEWS: doc update + +2014-06-27 Nikos Mavrogiannopoulos + + * configure.ac, lib/x509/rfc2818_hostname.c: check of inet_pton + instead for AF_INET6 + +2014-06-27 Nikos Mavrogiannopoulos + + * configure.ac, lib/x509/output.c: Use inet_ntop() for printing IP + addresses. The old dumb code is used in systems that don't have that function. + +2014-06-27 Nikos Mavrogiannopoulos + + * tests/hostname-check.c: tests: Added test cases for IPv4/6 + matching. + +2014-06-27 Nikos Mavrogiannopoulos + + * lib/x509/rfc2818_hostname.c: gnutls_x509_crt_check_hostname() + checks text ip addresses as well. That aligns the documentation with the implementation. Reported by + David Woodhouse. + +2014-06-27 Nikos Mavrogiannopoulos + + * lib/gnutls_str.c: initialize str to NULL + +2014-06-26 Nikos Mavrogiannopoulos + + * lib/x509/crl.c: fixed documentation + 2014-06-26 Nikos Mavrogiannopoulos * tests/cert-tests/aki, tests/cert-tests/pathlen, 
@@ -1083,9 +6732,9 @@ lib/accelerated/x86/aes-padlock.c, lib/accelerated/x86/sha-padlock.c, lib/accelerated/x86/sha-x86-ssse3.c, - lib/accelerated/x86/x86-common.c, lib/accelerated/x86/x86-common.h, - lib/accelerated/x86/x86.h: x86.h was renamed to x86-common.h to - avoid clashes with system headers. + lib/accelerated/x86/x86-common.c, lib/accelerated/x86/{x86.h => + x86-common.h}: x86.h was renamed to x86-common.h to avoid clashes + with system headers. 2014-04-27 Nikos Mavrogiannopoulos @@ -1723,18 +7372,16 @@ 2014-04-03 Nikos Mavrogiannopoulos - * configure.ac, tests/Makefile.am, tests/key-id/Makefile.am, - tests/key-id/README, tests/key-id/ca-gnutls-keyid.pem, - tests/key-id/ca-no-keyid.pem, tests/key-id/ca-weird-keyid.pem, - tests/key-id/key-ca.pem, tests/key-id/key-id, - tests/key-id/key-user.pem, tests/key-tests/Makefile.am, - tests/key-tests/README, tests/key-tests/ca-gnutls-keyid.pem, - tests/key-tests/ca-no-keyid.pem, - tests/key-tests/ca-weird-keyid.pem, tests/key-tests/key-ca-1234.p8, + * configure.ac, tests/Makefile.am, tests/{key-id => + key-tests}/Makefile.am, tests/{key-id => key-tests}/README, + tests/{key-id => key-tests}/ca-gnutls-keyid.pem, tests/{key-id => + key-tests}/ca-no-keyid.pem, tests/{key-id => + key-tests}/ca-weird-keyid.pem, tests/key-tests/key-ca-1234.p8, tests/key-tests/key-ca-empty.p8, tests/key-tests/key-ca-null.p8, - tests/key-tests/key-ca.pem, tests/key-tests/key-id, - tests/key-tests/key-user.pem, tests/key-tests/pkcs8: Added self-test - for PKCS #8 key conversion and reading + tests/{key-id => key-tests}/key-ca.pem, tests/{key-id => + key-tests}/key-id, tests/{key-id => key-tests}/key-user.pem, + tests/key-tests/pkcs8: Added self-test for PKCS #8 key conversion + and reading 2014-04-03 Nikos Mavrogiannopoulos 
@@ -2243,9 +7890,9 @@ 2014-03-06 Kevin Cernekee - * .gitignore, doc/manpages/Makefile.am, src/Makefile.am, - src/psk-args.def, src/psk.c, src/psktool-args.def: Rename - psk-args.def to psktool-args.def Other utilities generate invoke-%.texi from %-args.def, but + * .gitignore, doc/manpages/Makefile.am, src/Makefile.am, src/psk.c, + src/{psk-args.def => psktool-args.def}: Rename psk-args.def to + psktool-args.def Other utilities generate invoke-%.texi from %-args.def, but currently invoke-psktool.texi is generated from psk-args.def. If we make psktool conform to the same convention as the other utilities, we can use a generic pattern to handle all of them the same way. Signed-off-by: Kevin Cernekee @@ -3494,7 +9141,7 @@ 2014-01-26 Nikos Mavrogiannopoulos * doc/scripts/getfuncs-map.pl, lib/libgnutls.map: added - gnutls_realloc_fast to false positives Conflicts: lib/libgnutls.map + gnutls_realloc_fast to false positives Conflicts: lib/libgnutls.map 2014-01-26 Nikos Mavrogiannopoulos @@ -4400,7 +10047,7 @@ 2013-12-20 Nikos Mavrogiannopoulos - * lib/Makefile.am: libtasn1 generated files are set in BUILT_SOURCES Conflicts: lib/Makefile.am + * lib/Makefile.am: libtasn1 generated files are set in BUILT_SOURCES Conflicts: lib/Makefile.am 2013-12-18 Nikos Mavrogiannopoulos @@ -4581,11 +10228,9 @@ 2013-12-14 Nikos Mavrogiannopoulos - * lib/accelerated/x86/Makefile.am, - lib/accelerated/x86/hmac-x86-ssse3.c, - lib/accelerated/x86/hmac-x86.c, - lib/accelerated/x86/sha-x86-ssse3.c, lib/accelerated/x86/sha-x86.c: - use better names for files + * lib/accelerated/x86/Makefile.am, lib/accelerated/x86/{hmac-x86.c + => hmac-x86-ssse3.c}, lib/accelerated/x86/{sha-x86.c => + sha-x86-ssse3.c}: use better names for files 2013-12-14 Nikos Mavrogiannopoulos 
@@ -4598,13 +10243,12 @@ 2013-12-14 Nikos Mavrogiannopoulos * lib/accelerated/x86/Makefile.am, - lib/accelerated/x86/aes-gcm-x86-pclmul.c, + lib/accelerated/x86/{aes-gcm-x86.c => aes-gcm-x86-pclmul.c}, lib/accelerated/x86/aes-gcm-x86-ssse3.c, - lib/accelerated/x86/aes-gcm-x86.c, lib/accelerated/x86/aes-x86.c, - lib/accelerated/x86/aes-x86.h, lib/accelerated/x86/hmac-x86.c, - lib/accelerated/x86/sha-x86.c, lib/accelerated/x86/sha-x86.h: When - PCLMUL isn't available use the SSSE3 implementation of AES to - optimize GCM. + lib/accelerated/x86/aes-x86.c, lib/accelerated/x86/aes-x86.h, + lib/accelerated/x86/hmac-x86.c, lib/accelerated/x86/sha-x86.c, + lib/accelerated/x86/sha-x86.h: When PCLMUL isn't available use the + SSSE3 implementation of AES to optimize GCM. 2013-12-14 Nikos Mavrogiannopoulos 
@@ -4698,40 +10342,28 @@ devel/perlasm/sha512-ssse3-x86_64.pl, lib/accelerated/x86/Makefile.am, lib/accelerated/x86/aes-padlock.h, lib/accelerated/x86/aes-x86.c, - lib/accelerated/x86/coff/aesni-x86.s, - lib/accelerated/x86/coff/aesni-x86_64.s, - lib/accelerated/x86/coff/appro-aes-gcm-x86-64-coff.s, - lib/accelerated/x86/coff/appro-aes-x86-64-coff.s, - lib/accelerated/x86/coff/appro-aes-x86-coff.s, - lib/accelerated/x86/coff/cpuid-x86-64-coff.s, - lib/accelerated/x86/coff/cpuid-x86-coff.s, - lib/accelerated/x86/coff/cpuid-x86.s, - lib/accelerated/x86/coff/cpuid-x86_64.s, - lib/accelerated/x86/coff/e_padlock-x86.s, - lib/accelerated/x86/coff/e_padlock-x86_64.s, - lib/accelerated/x86/coff/ghash-x86_64.s, - lib/accelerated/x86/coff/openssl-cpuid-x86.s, + lib/accelerated/x86/coff/{appro-aes-x86-coff.s => aesni-x86.s}, + lib/accelerated/x86/coff/{appro-aes-x86-64-coff.s => + aesni-x86_64.s}, lib/accelerated/x86/coff/{cpuid-x86-coff.s => + cpuid-x86.s}, lib/accelerated/x86/coff/{cpuid-x86-64-coff.s => + cpuid-x86_64.s}, lib/accelerated/x86/coff/{padlock-x86-coff.s => + e_padlock-x86.s}, lib/accelerated/x86/coff/{padlock-x86-64-coff.s + => e_padlock-x86_64.s}, + lib/accelerated/x86/coff/{appro-aes-gcm-x86-64-coff.s => + ghash-x86_64.s}, lib/accelerated/x86/coff/openssl-cpuid-x86.s, lib/accelerated/x86/coff/openssl-cpuid-x86_64.s, - lib/accelerated/x86/coff/padlock-x86-64-coff.s, - lib/accelerated/x86/coff/padlock-x86-coff.s, lib/accelerated/x86/coff/sha1-ssse3-x86.s, lib/accelerated/x86/coff/sha1-ssse3-x86_64.s, lib/accelerated/x86/coff/sha256-avx-x86_64.s, lib/accelerated/x86/coff/sha256-ssse3-x86.s, lib/accelerated/x86/coff/sha512-ssse3-x86.s, lib/accelerated/x86/coff/sha512-ssse3-x86_64.s, - lib/accelerated/x86/elf/aesni-x86.s, - lib/accelerated/x86/elf/aesni-x86_64.s, - lib/accelerated/x86/elf/appro-aes-gcm-x86-64.s, - lib/accelerated/x86/elf/appro-aes-x86-64.s, - lib/accelerated/x86/elf/appro-aes-x86.s, - lib/accelerated/x86/elf/cpuid-x86-64.s, - 
lib/accelerated/x86/elf/cpuid-x86_64.s, - lib/accelerated/x86/elf/e_padlock-x86.s, - lib/accelerated/x86/elf/e_padlock-x86_64.s, - lib/accelerated/x86/elf/ghash-x86_64.s, - lib/accelerated/x86/elf/padlock-x86-64.s, - lib/accelerated/x86/elf/padlock-x86.s, + lib/accelerated/x86/elf/{appro-aes-x86.s => aesni-x86.s}, + lib/accelerated/x86/elf/{appro-aes-x86-64.s => aesni-x86_64.s}, + lib/accelerated/x86/elf/{cpuid-x86-64.s => cpuid-x86_64.s}, + lib/accelerated/x86/elf/{padlock-x86.s => e_padlock-x86.s}, + lib/accelerated/x86/elf/{padlock-x86-64.s => e_padlock-x86_64.s}, + lib/accelerated/x86/elf/{appro-aes-gcm-x86-64.s => ghash-x86_64.s}, lib/accelerated/x86/elf/sha1-ssse3-x86.s, lib/accelerated/x86/elf/sha1-ssse3-x86_64.s, lib/accelerated/x86/elf/sha256-avx-x86_64.s, 
@@ -4739,22 +10371,19 @@ lib/accelerated/x86/elf/sha512-ssse3-x86.s, lib/accelerated/x86/elf/sha512-ssse3-x86_64.s, lib/accelerated/x86/files.mk, lib/accelerated/x86/hmac-x86.c, - lib/accelerated/x86/macosx/aesni-x86.s, - lib/accelerated/x86/macosx/aesni-x86_64.s, - lib/accelerated/x86/macosx/appro-aes-gcm-x86-64-macosx.s, - lib/accelerated/x86/macosx/appro-aes-x86-64-macosx.s, - lib/accelerated/x86/macosx/appro-aes-x86-macosx.s, - lib/accelerated/x86/macosx/cpuid-x86-64-macosx.s, + lib/accelerated/x86/macosx/{appro-aes-x86-macosx.s => aesni-x86.s}, + lib/accelerated/x86/macosx/{appro-aes-x86-64-macosx.s => + aesni-x86_64.s}, lib/accelerated/x86/macosx/cpuid-x86-64-macosx.s, lib/accelerated/x86/macosx/cpuid-x86-macosx.s, lib/accelerated/x86/macosx/cpuid-x86.s, lib/accelerated/x86/macosx/cpuid-x86_64.s, - lib/accelerated/x86/macosx/e_padlock-x86.s, - lib/accelerated/x86/macosx/e_padlock-x86_64.s, - lib/accelerated/x86/macosx/ghash-x86_64.s, - lib/accelerated/x86/macosx/openssl-cpuid-x86.s, + lib/accelerated/x86/macosx/{padlock-x86-macosx.s => + e_padlock-x86.s}, + lib/accelerated/x86/macosx/{padlock-x86-64-macosx.s => + e_padlock-x86_64.s}, + lib/accelerated/x86/macosx/{appro-aes-gcm-x86-64-macosx.s => + ghash-x86_64.s}, lib/accelerated/x86/macosx/openssl-cpuid-x86.s, lib/accelerated/x86/macosx/openssl-cpuid-x86_64.s, - lib/accelerated/x86/macosx/padlock-x86-64-macosx.s, - lib/accelerated/x86/macosx/padlock-x86-macosx.s, lib/accelerated/x86/macosx/sha1-ssse3-x86.s, lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s, lib/accelerated/x86/macosx/sha256-avx-x86_64.s, @@ -5040,7 +10669,7 @@ 2013-11-30 Nikos Mavrogiannopoulos - * : Merged the FIPS140-2 support code. Conflicts: lib/gnutls_global.c tests/mini-overhead.c + * : Merged the FIPS140-2 support code. Conflicts: lib/gnutls_global.c tests/mini-overhead.c 2013-11-30 Nikos Mavrogiannopoulos 
@@ -5272,11 +10901,11 @@ 2013-11-25 Nikos Mavrogiannopoulos - * configure.ac, lib/nettle/Makefile.am, lib/nettle/gcm-camellia.c, - lib/nettle/gcm-camellia.h, lib/nettle/int/drbg-aes-self-test.c, - lib/nettle/int/drbg-aes.c, lib/nettle/int/drbg-aes.h, - lib/nettle/int/gcm-camellia.c, lib/nettle/int/gcm-camellia.h, - lib/nettle/rnd-fips.c: Added DRBG submitted to nettle in gnutls. + * configure.ac, lib/nettle/Makefile.am, + lib/nettle/int/drbg-aes-self-test.c, lib/nettle/int/drbg-aes.c, + lib/nettle/int/drbg-aes.h, lib/nettle/{ => int}/gcm-camellia.c, + lib/nettle/{ => int}/gcm-camellia.h, lib/nettle/rnd-fips.c: Added + DRBG submitted to nettle in gnutls. 2013-11-25 Nikos Mavrogiannopoulos @@ -5576,7 +11205,7 @@ lib/x509/verify-high.c, lib/x509/x509.c, lib/xssl.c: Added support for fips states. This implies that when in FIPS mode and the library is not in operational state (i.e., all self checks succeeded), crypto - functionality of the library will fail. This includes: * API functions of gnutls/crypto.h * API functions of gnutls/abstract.h * API functions of gnutls/x509.h * gnutls_init() * API functions of gnutls/xssl.h + functionality of the library will fail. This includes: * API functions of gnutls/crypto.h * API functions of gnutls/abstract.h * API functions of gnutls/x509.h * gnutls_init() * API functions of gnutls/xssl.h 2013-11-11 Nikos Mavrogiannopoulos @@ -5670,7 +11299,7 @@ 2013-11-26 Nikos Mavrogiannopoulos * configure.ac, lib/Makefile.am: Do not link gnutls against librt - unlress it is really necessary. Conflicts: configure.ac lib/Makefile.am + unlress it is really necessary. Conflicts: configure.ac lib/Makefile.am 2013-11-24 Nikos Mavrogiannopoulos 
@@ -5731,10 +11360,9 @@ 2013-11-23 Nikos Mavrogiannopoulos * gl/Makefile.am, gl/m4/gnulib-cache.m4, gl/m4/gnulib-comp.m4, - gl/strerror-override.c, gl/strerror-override.h, gl/strerror.c, - gl/tests/Makefile.am, gl/tests/strerror-override.c, - gl/tests/strerror-override.h, gl/tests/strerror.c: Added strerror - module. + gl/{tests => }/strerror-override.c, gl/{tests => + }/strerror-override.h, gl/{tests => }/strerror.c, + gl/tests/Makefile.am: Added strerror module. 2013-11-23 Nikos Mavrogiannopoulos @@ -6039,11 +11667,10 @@ 2013-11-13 Nikos Mavrogiannopoulos - * gl/Makefile.am, gl/base64.c, gl/intprops.h, + * gl/Makefile.am, gl/base64.c, gl/{tests => }/intprops.h, gl/m4/extern-inline.m4, gl/m4/gnulib-cache.m4, - gl/m4/gnulib-comp.m4, gl/tests/Makefile.am, gl/tests/intprops.h, - maint.mk: Added intprops module (which is needed by newer libtasn1 - versions) + gl/m4/gnulib-comp.m4, gl/tests/Makefile.am, maint.mk: Added intprops + module (which is needed by newer libtasn1 versions) 2013-11-12 Nikos Mavrogiannopoulos 
@@ -7559,19 +13186,18 @@ gl/basename-lgpl.c, gl/bind.c, gl/byteswap.in.h, gl/c-ctype.c, gl/c-ctype.h, gl/close.c, gl/closedir.c, gl/connect.c, gl/dirent-private.h, gl/dirent.in.h, gl/dirname-lgpl.c, - gl/dirname.h, gl/dosname.h, gl/dup2.c, gl/errno.in.h, gl/error.c, - gl/error.h, gl/fd-hook.c, gl/fd-hook.h, gl/filename.h, gl/float+.h, - gl/float.c, gl/float.in.h, gl/fpucw.h, gl/frexp.c, gl/frexpl.c, - gl/fseek.c, gl/fseeko.c, gl/fseterr.c, gl/fseterr.h, gl/fstat.c, - gl/ftell.c, gl/ftello.c, gl/gai_strerror.c, gl/getaddrinfo.c, - gl/getdelim.c, gl/getline.c, gl/getopt.c, gl/getopt.in.h, - gl/getopt1.c, gl/getopt_int.h, gl/getpass.c, gl/getpass.h, - gl/getpeername.c, gl/getsubopt.c, gl/gettext.h, gl/gettimeofday.c, - gl/hash-pjw-bare.c, gl/hash-pjw-bare.h, gl/inet_ntop.c, - gl/inet_pton.c, gl/intprops.h, gl/isnan.c, gl/isnand-nolibm.h, - gl/isnand.c, gl/isnanf-nolibm.h, gl/isnanf.c, gl/isnanl-nolibm.h, - gl/isnanl.c, gl/itold.c, gl/listen.c, gl/lseek.c, - gl/m4/alphasort.m4, gl/m4/argp.m4, gl/m4/closedir.m4, + gl/dirname.h, gl/dup2.c, gl/errno.in.h, gl/error.c, gl/error.h, + gl/fd-hook.c, gl/fd-hook.h, gl/filename.h, gl/float+.h, gl/float.c, + gl/float.in.h, gl/frexp.c, gl/frexpl.c, gl/fseek.c, gl/fseeko.c, + gl/fseterr.c, gl/fseterr.h, gl/fstat.c, gl/ftell.c, gl/ftello.c, + gl/gai_strerror.c, gl/getaddrinfo.c, gl/getdelim.c, gl/getline.c, + gl/getopt.c, gl/getopt.in.h, gl/getopt1.c, gl/getopt_int.h, + gl/getpass.c, gl/getpass.h, gl/getpeername.c, gl/getsubopt.c, + gl/gettext.h, gl/gettimeofday.c, gl/hash-pjw-bare.c, + gl/hash-pjw-bare.h, gl/inet_ntop.c, gl/inet_pton.c, gl/isnan.c, + gl/isnand-nolibm.h, gl/isnand.c, gl/isnanf-nolibm.h, gl/isnanf.c, + gl/isnanl-nolibm.h, gl/isnanl.c, gl/itold.c, gl/listen.c, + gl/lseek.c, gl/m4/alphasort.m4, gl/m4/argp.m4, gl/m4/closedir.m4, gl/m4/dirent_h.m4, gl/m4/dirname.m4, gl/m4/double-slash-root.m4, gl/m4/eealloc.m4, gl/m4/environ.m4, gl/m4/error.m4, gl/m4/exponentf.m4, gl/m4/exponentl.m4, gl/m4/frexp.m4, 
@@ -7600,45 +13226,45 @@ gl/stdalign.in.h, gl/stdarg.in.h, gl/stdbool.in.h, gl/stddef.in.h, gl/stdint.in.h, gl/stdio-impl.h, gl/stdio.in.h, gl/stdlib.in.h, gl/str-two-way.h, gl/strcasecmp.c, gl/strchrnul.c, - gl/strchrnul.valgrind, gl/strdup.c, gl/strerror-override.c, - gl/strerror-override.h, gl/strerror.c, gl/string.in.h, + gl/strchrnul.valgrind, gl/strdup.c, gl/string.in.h, gl/strings.in.h, gl/stripslash.c, gl/strncasecmp.c, gl/strndup.c, gl/strnlen.c, gl/strtok_r.c, gl/strverscmp.c, gl/sys_select.in.h, gl/sys_socket.in.h, gl/sys_stat.in.h, gl/sys_time.in.h, gl/sys_types.in.h, gl/sys_uio.in.h, gl/sysexits.in.h, - gl/tests/Makefile.am, gl/tests/dosname.h, gl/tests/fpucw.h, - gl/tests/infinity.h, gl/tests/intprops.h, gl/tests/malloca.c, - gl/tests/malloca.h, gl/tests/malloca.valgrind, + gl/tests/Makefile.am, gl/{ => tests}/dosname.h, gl/{ => + tests}/fpucw.h, gl/tests/infinity.h, gl/{ => tests}/intprops.h, + gl/tests/malloca.c, gl/tests/malloca.h, gl/tests/malloca.valgrind, gl/tests/minus-zero.h, gl/tests/nan.h, gl/tests/putenv.c, - gl/tests/randomd.c, gl/tests/randoml.c, gl/tests/setenv.c, - gl/tests/strerror-override.c, gl/tests/strerror-override.h, - gl/tests/strerror.c, gl/tests/test-argp-2.sh, gl/tests/test-argp.c, - gl/tests/test-dirent.c, gl/tests/test-environ.c, - gl/tests/test-fprintf-posix.h, gl/tests/test-frexp.c, - gl/tests/test-frexp.h, gl/tests/test-frexpl.c, - gl/tests/test-fseterr.c, gl/tests/test-getopt.c, - gl/tests/test-getopt.h, gl/tests/test-getopt_long.h, - gl/tests/test-isnand-nolibm.c, gl/tests/test-isnand.h, - gl/tests/test-isnanf-nolibm.c, gl/tests/test-isnanf.h, - gl/tests/test-isnanl-nolibm.c, gl/tests/test-isnanl.h, - gl/tests/test-malloc-gnu.c, gl/tests/test-malloca.c, - gl/tests/test-math.c, gl/tests/test-printf-frexp.c, - gl/tests/test-printf-frexpl.c, gl/tests/test-printf-posix.h, - gl/tests/test-printf-posix.output, gl/tests/test-rawmemchr.c, - gl/tests/test-setenv.c, gl/tests/test-signbit.c, - gl/tests/test-sleep.c, 
gl/tests/test-strchrnul.c, - gl/tests/test-sysexits.c, gl/tests/test-unsetenv.c, - gl/tests/test-version-etc.c, gl/tests/test-version-etc.sh, - gl/tests/test-vfprintf-posix.c, gl/tests/test-vfprintf-posix.sh, - gl/tests/test-vprintf-posix.c, gl/tests/test-vprintf-posix.sh, - gl/tests/unsetenv.c, gl/time.in.h, gl/time_r.c, gl/u64.h, - gl/unistd.in.h, gl/vasnprintf.c, gl/vasnprintf.h, gl/vasprintf.c, - gl/verify.h, gl/version-etc-fsf.c, gl/version-etc.c, - gl/version-etc.h, gl/vfprintf.c, gl/vprintf.c, gl/vsnprintf.c, - gl/w32sock.h, gl/wchar.in.h, gl/xsize.h, src/certtool.c, - src/cli-debug.c, src/cli.c, src/danetool.c, src/ocsptool-common.c, - src/ocsptool.c, src/p11tool.c, src/psk.c, src/serv.c, - src/srptool.c, src/tpmtool.c: gnulib only contains lgplv2 modules + gl/tests/randomd.c, gl/tests/randoml.c, gl/tests/setenv.c, gl/{ => + tests}/strerror-override.c, gl/{ => tests}/strerror-override.h, + gl/{ => tests}/strerror.c, gl/tests/test-argp-2.sh, + gl/tests/test-argp.c, gl/tests/test-dirent.c, + gl/tests/test-environ.c, gl/tests/test-fprintf-posix.h, + gl/tests/test-frexp.c, gl/tests/test-frexp.h, + gl/tests/test-frexpl.c, gl/tests/test-fseterr.c, + gl/tests/test-getopt.c, gl/tests/test-getopt.h, + gl/tests/test-getopt_long.h, gl/tests/test-isnand-nolibm.c, + gl/tests/test-isnand.h, gl/tests/test-isnanf-nolibm.c, + gl/tests/test-isnanf.h, gl/tests/test-isnanl-nolibm.c, + gl/tests/test-isnanl.h, gl/tests/test-malloc-gnu.c, + gl/tests/test-malloca.c, gl/tests/test-math.c, + gl/tests/test-printf-frexp.c, gl/tests/test-printf-frexpl.c, + gl/tests/test-printf-posix.h, gl/tests/test-printf-posix.output, + gl/tests/test-rawmemchr.c, gl/tests/test-setenv.c, + gl/tests/test-signbit.c, gl/tests/test-sleep.c, + gl/tests/test-strchrnul.c, gl/tests/test-sysexits.c, + gl/tests/test-unsetenv.c, gl/tests/test-version-etc.c, + gl/tests/test-version-etc.sh, gl/tests/test-vfprintf-posix.c, + gl/tests/test-vfprintf-posix.sh, gl/tests/test-vprintf-posix.c, + 
gl/tests/test-vprintf-posix.sh, gl/tests/unsetenv.c, gl/time.in.h, + gl/time_r.c, gl/u64.h, gl/unistd.in.h, gl/vasnprintf.c, + gl/vasnprintf.h, gl/vasprintf.c, gl/verify.h, gl/version-etc-fsf.c, + gl/version-etc.c, gl/version-etc.h, gl/vfprintf.c, gl/vprintf.c, + gl/vsnprintf.c, gl/w32sock.h, gl/wchar.in.h, gl/xsize.h, + src/certtool.c, src/cli-debug.c, src/cli.c, src/danetool.c, + src/ocsptool-common.c, src/ocsptool.c, src/p11tool.c, src/psk.c, + src/serv.c, src/srptool.c, src/tpmtool.c: gnulib only contains + lgplv2 modules 2013-08-05 Nikos Mavrogiannopoulos @@ -7818,8 +13444,8 @@ 2013-07-26 Nikos Mavrogiannopoulos - * tests/Makefile.am, tests/mini.c, tests/record-sizes.c: Updated - mini test. + * tests/Makefile.am, tests/{mini.c => record-sizes.c}: Updated mini + test. 2013-07-25 Nikos Mavrogiannopoulos @@ -9553,8 +15179,8 @@ * configure.ac, lib/algorithms/ciphersuites.c, lib/algorithms/kx.c, lib/auth/Makefile.am, lib/auth/anon_ecdh.c, lib/auth/cert.c, lib/auth/cert.h, lib/auth/dh_common.c, lib/auth/dhe.c, - lib/auth/dhe_psk.c, lib/auth/ecdh_common.c, lib/auth/ecdh_common.h, - lib/auth/ecdhe.c, lib/auth/ecdhe.h, lib/auth/rsa_export.c, + lib/auth/dhe_psk.c, lib/auth/{ecdh_common.c => ecdhe.c}, + lib/auth/{ecdh_common.h => ecdhe.h}, lib/auth/rsa_export.c, lib/gnutls_handshake.c, lib/gnutls_kx.c, lib/gnutls_priority.c, lib/gnutls_rsa_export.c, lib/gnutls_state.c, lib/gnutls_ui.c, m4/hooks.m4: Added options to disable more key exchange mechanisms. In that DHE was separated from ECDHE. 
@@ -10654,10 +16280,10 @@ * NEWS, lib/Makefile.am, lib/gnutls_cert.c, lib/gnutls_errors.c, lib/includes/Makefile.am, lib/includes/gnutls/gnutls.h.in, - lib/includes/gnutls/sbuf.h, lib/includes/gnutls/xssl.h, - lib/libgnutls.map, lib/sbuf.c, lib/sbuf.h, lib/sbuf_getline.c, - lib/xssl.c, lib/xssl.h, lib/xssl_getline.c, tests/Makefile.am, - tests/mini-sbuf.c, tests/mini-xssl.c: Added new interface. + lib/includes/gnutls/{sbuf.h => xssl.h}, lib/libgnutls.map, + lib/{sbuf.c => xssl.c}, lib/{sbuf.h => xssl.h}, lib/{sbuf_getline.c + => xssl_getline.c}, tests/Makefile.am, tests/mini-sbuf.c, + tests/mini-xssl.c: Added new interface. 2013-01-27 Nikos Mavrogiannopoulos @@ -11697,14 +17323,14 @@ 2012-11-20 Nikos Mavrogiannopoulos - * build-aux/gendocs.sh, configure.ac, gl/Makefile.am, gl/dup2.c, - gl/errno.in.h, gl/m4/errno_h.m4, gl/m4/gnulib-cache.m4, + * build-aux/gendocs.sh, configure.ac, gl/Makefile.am, gl/{tests => + }/dup2.c, gl/errno.in.h, gl/m4/errno_h.m4, gl/m4/gnulib-cache.m4, gl/m4/gnulib-comp.m4, gl/m4/select.m4, gl/m4/stdlib_h.m4, gl/select.c, gl/stdlib.in.h, gl/strerror-override.c, - gl/strerror-override.h, gl/tests/Makefile.am, gl/tests/dup2.c, - gl/tests/fcntl.in.h, gl/tests/test-fcntl-h.c, - gl/tests/test-iconv.c, gl/tests/test-select.h, lib/system.c, - m4/hooks.m4, maint.mk: use gnulib to detect iconv. + gl/strerror-override.h, gl/tests/Makefile.am, gl/tests/fcntl.in.h, + gl/tests/test-fcntl-h.c, gl/tests/test-iconv.c, + gl/tests/test-select.h, lib/system.c, m4/hooks.m4, maint.mk: use + gnulib to detect iconv. 2012-11-20 Nikos Mavrogiannopoulos 
@@ -11994,8 +17620,18 @@ 2012-11-07 Nikos Mavrogiannopoulos - * Removed GNUTLS_CERT_REVOCATION_DATA_INVALID and no longer fail on - OCSP parsing errors. + * NEWS, lib/gnutls_cert.c, lib/gnutls_x509.c, + lib/includes/gnutls/gnutls.h.in: Removed + GNUTLS_CERT_REVOCATION_DATA_INVALID and no longer fail on OCSP + parsing errors. + +2012-11-07 Nikos Mavrogiannopoulos + + * doc/cha-cert-auth.texi, doc/cha-tokens.texi: doc update + +2012-11-07 Nikos Mavrogiannopoulos + + * gnutls-cli-debug uses server name indication. ----- diff --git a/Makefile.am b/Makefile.am index 71a7d83..a20f79f 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -52,20 +52,20 @@ dist-hook: @echo "symbols added or removed are correct and copy symbols.last.tmp as" @echo "symbols.last" @echo "*****************************************************************" - objdump -T $(srcdir)/lib/.libs/libgnutls.so.28 | grep -v ' \*UND\*' | awk '{print $$7 "@" $$6;}' | sort -u >symbols.last.tmp + objdump -T $(srcdir)/lib/.libs/libgnutls.so.28 | grep -v ' \*UND\*' | awk '{print $$7 "@" $$6;}' | grep -v GNUTLS_FIPS140 | grep -v GNUTLS_PRIVATE | sort -u >symbols.last.tmp diff -u symbols.last symbols.last.tmp >/dev/null 2>&1 rm -f symbols.last.tmp rm -f ChangeLog make ChangeLog cp -f ChangeLog $(distdir)/ - sed 's/\@VERSION\@/$(VERSION)/g' -i $(distdir)/src/args-std.def - sed 's/\@YEAR\@/$(YEAR)/g' -i $(distdir)/src/args-std.def - sed 's/\@PACKAGE_BUGREPORT\@/$(PACKAGE_BUGREPORT)/g' -i $(distdir)/src/args-std.def + $(SED) 's/\@VERSION\@/$(VERSION)/g' -i $(distdir)/src/args-std.def + $(SED) 's/\@YEAR\@/$(YEAR)/g' -i $(distdir)/src/args-std.def + $(SED) 's/\@PACKAGE_BUGREPORT\@/$(PACKAGE_BUGREPORT)/g' -i $(distdir)/src/args-std.def cd $(distdir)/src/ && for i in *.def;do \ if test x"$$i" = x"args-std.def";then continue; fi; \ autogen $$i; \ cp $$i $$i.tmp; \ - sed -i 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $$i.tmp; \ + $(SED) -i 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $$i.tmp; \ autogen -Tagman-cmd.tpl $$i.tmp; \ rm -f $$i.tmp; \ mv -f *.1 ../doc/manpages/; \ 
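Review bot: the symbol-ABI check in this dist-hook still discards its own evidence: `diff -u symbols.last symbols.last.tmp >/dev/null 2>&1` makes the recipe abort on any added or removed exported symbol (no `-` prefix, so a non-zero diff status stops `make dist`), yet the packager never sees which symbol changed, only the banner echoed above it. Suggest letting the diff output reach the terminal, or printing `symbols.last.tmp` on failure, now that the `grep -v GNUTLS_FIPS140 | grep -v GNUTLS_PRIVATE` filters have been added and the remaining differences are the ones that matter. The `sed` to `$(SED)` substitutions are consistent within the hunk, but note that `-i` and the `\n` in the `@subheading` replacement are GNU sed extensions, so the `SED` variable must be resolved by configure to GNU sed for the recipe to keep working on non-GNU platforms.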
@@ -73,4 +73,9 @@ dist-hook: cd $(distdir)/src/ && for i in *-args.c *-args.h;do \ mv $$i $$i.bak; \ done + @echo "*****************************************************************" + @echo "Checking whether included libopts matches the system's. If the" + @echo "check fails upgrade the included libopts." + @echo "*****************************************************************" + test "`autoopts-config libsrc|cut -d '-' -f 2|sed 's/.tar.gz//'`" = "`cat src/libopts/autoopts/options.h |grep OPTIONS_VERSION_STRING|cut -d '"' -f 2|sed 's/:/./g'`" touch $(distdir)/doc/*.html $(distdir)/doc/*.pdf $(distdir)/doc/*.info diff --git a/Makefile.in b/Makefile.in index 92db14d..e98d2ad 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -34,7 +34,17 @@ # along with this file; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
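Review bot: the new libopts version check at the end of dist-hook fails hard whenever `autoopts-config` is not on PATH: the backtick expands to an empty string, the `test "..." = "..."` comparison is false, and `make dist` aborts without saying why. It also reads `src/libopts/autoopts/options.h` relative to the current directory instead of `$(srcdir)`, so it breaks in out-of-tree builds, and its two inline `sed` calls bypass the `$(SED)` variable that the preceding hunk just introduced; the dots in `'s/.tar.gz//'` are unescaped regex metacharacters as well. Suggest guarding the check (`command -v autoopts-config >/dev/null || exit 0`, or a `-` prefix if a mismatch should only warn), using `$(srcdir)/src/libopts/autoopts/options.h`, and `$(SED) 's/\.tar\.gz$$//'`. The identical recipe appears again in the generated Makefile.in dist-hook hunk further down, so the fix belongs in Makefile.am followed by a regeneration rather than an edit of both copies.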
@@ -102,24 +112,6 @@ host_triplet = @host@ @ENABLE_TESTS_TRUE@am__append_3 = tests @HAVE_GUILE_TRUE@am__append_4 = guile subdir = . -DIST_COMMON = INSTALL NEWS README AUTHORS ChangeLog \ - $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/configure $(am__configure_deps) \ - $(srcdir)/config.h.in $(top_srcdir)/doc/doxygen/Doxyfile.in \ - $(top_srcdir)/lib/includes/gnutls/gnutls.h.in ABOUT-NLS \ - COPYING COPYING.LESSER THANKS build-aux/ar-lib \ - build-aux/compile build-aux/config.guess \ - build-aux/config.rpath build-aux/config.sub build-aux/depcomp \ - build-aux/install-sh build-aux/mdate-sh build-aux/missing \ - build-aux/texinfo.tex build-aux/ylwrap ltmain.sh \ - build-aux/ltmain.sh $(top_srcdir)/build-aux/ar-lib \ - $(top_srcdir)/build-aux/compile \ - $(top_srcdir)/build-aux/config.guess \ - $(top_srcdir)/build-aux/config.rpath \ - $(top_srcdir)/build-aux/config.sub \ - $(top_srcdir)/build-aux/install-sh \ - $(top_srcdir)/build-aux/ltmain.sh \ - $(top_srcdir)/build-aux/missing ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/bison.m4 \ @@ -153,6 +145,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/tm_gmtoff.m4 \ $(top_srcdir)/src/gl/m4/xalloc.m4 \ $(top_srcdir)/src/libopts/m4/libopts.m4 \ + $(top_srcdir)/src/libopts/m4/stdnoreturn.m4 \ $(top_srcdir)/gl/m4/00gnulib.m4 \ $(top_srcdir)/gl/m4/absolute-header.m4 \ $(top_srcdir)/gl/m4/alloca.m4 $(top_srcdir)/gl/m4/base64.m4 \ @@ -229,6 +222,8 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/m4/xsize.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(top_srcdir)/configure \ + $(am__configure_deps) $(am__DIST_COMMON) am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ configure.lineno config.status.lineno mkinstalldirs = $(install_sh) -d 
@@ -292,6 +287,22 @@ ETAGS = etags CTAGS = ctags CSCOPE = cscope DIST_SUBDIRS = gl lib extra libdane po src doc tests guile +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \ + $(top_srcdir)/build-aux/ar-lib $(top_srcdir)/build-aux/compile \ + $(top_srcdir)/build-aux/config.guess \ + $(top_srcdir)/build-aux/config.rpath \ + $(top_srcdir)/build-aux/config.sub \ + $(top_srcdir)/build-aux/install-sh \ + $(top_srcdir)/build-aux/ltmain.sh \ + $(top_srcdir)/build-aux/missing \ + $(top_srcdir)/doc/doxygen/Doxyfile.in \ + $(top_srcdir)/lib/includes/gnutls/gnutls.h.in ABOUT-NLS \ + AUTHORS COPYING COPYING.LESSER ChangeLog INSTALL NEWS README \ + THANKS build-aux/ar-lib build-aux/compile \ + build-aux/config.guess build-aux/config.rpath \ + build-aux/config.sub build-aux/depcomp build-aux/install-sh \ + build-aux/ltmain.sh build-aux/mdate-sh build-aux/missing \ + build-aux/texinfo.tex build-aux/ylwrap ltmain.sh DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) @@ -328,8 +339,8 @@ am__relativize = \ done; \ reldir="$$dir2" GZIP_ENV = --best -DIST_ARCHIVES = $(distdir).tar.lz $(distdir).tar.xz -DIST_TARGETS = dist-lzip dist-xz +DIST_ARCHIVES = $(distdir).tar.xz +DIST_TARGETS = dist-xz distuninstallcheck_listfiles = find . -type f -print am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' @@ -384,6 +395,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@ EMULTIHOP_VALUE = @EMULTIHOP_VALUE@ +ENABLE_PADLOCK = @ENABLE_PADLOCK@ ENOLINK_HIDDEN = @ENOLINK_HIDDEN@ ENOLINK_VALUE = @ENOLINK_VALUE@ EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@ 
@@ -543,6 +555,7 @@ GNULIB_PUTCHAR = @GNULIB_PUTCHAR@ GNULIB_PUTENV = @GNULIB_PUTENV@ GNULIB_PUTS = @GNULIB_PUTS@ GNULIB_PWRITE = @GNULIB_PWRITE@ +GNULIB_QSORT_R = @GNULIB_QSORT_R@ GNULIB_RAISE = @GNULIB_RAISE@ GNULIB_RANDOM = @GNULIB_RANDOM@ GNULIB_RANDOM_R = @GNULIB_RANDOM_R@ @@ -754,6 +767,7 @@ HAVE_LCHMOD = @HAVE_LCHMOD@ HAVE_LCHOWN = @HAVE_LCHOWN@ HAVE_LIBDL = @HAVE_LIBDL@ HAVE_LIBICONV = @HAVE_LIBICONV@ +HAVE_LIBNSL = @HAVE_LIBNSL@ HAVE_LIBPTHREAD = @HAVE_LIBPTHREAD@ HAVE_LIBRT = @HAVE_LIBRT@ HAVE_LIBZ = @HAVE_LIBZ@ @@ -761,6 +775,7 @@ HAVE_LINK = @HAVE_LINK@ HAVE_LINKAT = @HAVE_LINKAT@ HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@ HAVE_LSTAT = @HAVE_LSTAT@ +HAVE_MAX_ALIGN_T = @HAVE_MAX_ALIGN_T@ HAVE_MBRLEN = @HAVE_MBRLEN@ HAVE_MBRTOWC = @HAVE_MBRTOWC@ HAVE_MBSINIT = @HAVE_MBSINIT@ @@ -926,6 +941,8 @@ LIBICONV_PREFIX = @LIBICONV_PREFIX@ LIBIDN_CFLAGS = @LIBIDN_CFLAGS@ LIBIDN_LIBS = @LIBIDN_LIBS@ LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBNSL_PREFIX = @LIBNSL_PREFIX@ LIBOBJS = @LIBOBJS@ LIBOPTS_CFLAGS = @LIBOPTS_CFLAGS@ LIBOPTS_DIR = @LIBOPTS_DIR@ @@ -950,6 +967,7 @@ LTALLOCA = @LTALLOCA@ LTLIBDL = @LTLIBDL@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ +LTLIBNSL = @LTLIBNSL@ LTLIBOBJS = @LTLIBOBJS@ LTLIBPTHREAD = @LTLIBPTHREAD@ LTLIBRT = @LTLIBRT@ @@ -963,9 +981,6 @@ LT_REVISION = @LT_REVISION@ LT_SSL_AGE = @LT_SSL_AGE@ LT_SSL_CURRENT = @LT_SSL_CURRENT@ LT_SSL_REVISION = @LT_SSL_REVISION@ -LT_XSSL_AGE = @LT_XSSL_AGE@ -LT_XSSL_CURRENT = @LT_XSSL_CURRENT@ -LT_XSSL_REVISION = @LT_XSSL_REVISION@ MAJOR_VERSION = @MAJOR_VERSION@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ 
@@ -1129,10 +1144,12 @@ REPLACE_PTSNAME = @REPLACE_PTSNAME@ REPLACE_PTSNAME_R = @REPLACE_PTSNAME_R@ REPLACE_PUTENV = @REPLACE_PUTENV@ REPLACE_PWRITE = @REPLACE_PWRITE@ +REPLACE_QSORT_R = @REPLACE_QSORT_R@ REPLACE_RAISE = @REPLACE_RAISE@ REPLACE_RANDOM_R = @REPLACE_RANDOM_R@ REPLACE_READ = @REPLACE_READ@ REPLACE_READLINK = @REPLACE_READLINK@ +REPLACE_READLINKAT = @REPLACE_READLINKAT@ REPLACE_REALLOC = @REPLACE_REALLOC@ REPLACE_REALPATH = @REPLACE_REALPATH@ REPLACE_REMOVE = @REPLACE_REMOVE@ @@ -1164,6 +1181,7 @@ REPLACE_STRTOK_R = @REPLACE_STRTOK_R@ REPLACE_STRTOUMAX = @REPLACE_STRTOUMAX@ REPLACE_STRUCT_TIMEVAL = @REPLACE_STRUCT_TIMEVAL@ REPLACE_SYMLINK = @REPLACE_SYMLINK@ +REPLACE_SYMLINKAT = @REPLACE_SYMLINKAT@ REPLACE_TIMEGM = @REPLACE_TIMEGM@ REPLACE_TMPFILE = @REPLACE_TMPFILE@ REPLACE_TTYNAME_R = @REPLACE_TTYNAME_R@ @@ -1196,9 +1214,11 @@ STDALIGN_H = @STDALIGN_H@ STDBOOL_H = @STDBOOL_H@ STDDEF_H = @STDDEF_H@ STDINT_H = @STDINT_H@ +STDNORETURN_H = @STDNORETURN_H@ STRIP = @STRIP@ SYS_TIME_H_DEFINES_STRUCT_TIMESPEC = @SYS_TIME_H_DEFINES_STRUCT_TIMESPEC@ TIME_H_DEFINES_STRUCT_TIMESPEC = @TIME_H_DEFINES_STRUCT_TIMESPEC@ +TROUSERS_LIB = @TROUSERS_LIB@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ UINT32_MAX_LT_UINTMAX_MAX = @UINT32_MAX_LT_UINTMAX_MAX@ @@ -1282,6 +1302,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -1314,7 +1335,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ 
@@ -1542,6 +1562,7 @@ dist-gzip: distdir dist-bzip2: distdir tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2 $(am__post_remove_distdir) + dist-lzip: distdir tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz $(am__post_remove_distdir) @@ -1550,15 +1571,15 @@ dist-xz: distdir $(am__post_remove_distdir) dist-tarZ: distdir - @echo WARNING: "Support for shar distribution archives is" \ - "deprecated." >&2 + @echo WARNING: "Support for distribution archives compressed with" \ + "legacy program 'compress' is deprecated." >&2 @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z $(am__post_remove_distdir) dist-shar: distdir - @echo WARNING: "Support for distribution archives compressed with" \ - "legacy program 'compress' is deprecated." >&2 + @echo WARNING: "Support for shar distribution archives is" \ + "deprecated." >&2 @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz $(am__post_remove_distdir) @@ -1594,17 +1615,17 @@ distcheck: dist esac chmod -R a-w $(distdir) chmod u+w $(distdir) - mkdir $(distdir)/_build $(distdir)/_inst + mkdir $(distdir)/_build $(distdir)/_build/sub $(distdir)/_inst chmod a-w $(distdir) test -d $(distdir)/_build || exit 0; \ dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \ && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ && am__cwd=`pwd` \ - && $(am__cd) $(distdir)/_build \ - && ../configure \ + && $(am__cd) $(distdir)/_build/sub \ + && ../../configure \ $(AM_DISTCHECK_CONFIGURE_FLAGS) \ $(DISTCHECK_CONFIGURE_FLAGS) \ - --srcdir=.. --prefix="$$dc_install_base" \ + --srcdir=../.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ && $(MAKE) $(AM_MAKEFLAGS) dvi \ && $(MAKE) $(AM_MAKEFLAGS) check \ 
@@ -1781,6 +1802,8 @@ uninstall-am: mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am +.PRECIOUS: Makefile + dist-hook: make -C doc/ compare-makefile @@ -1791,20 +1814,20 @@ dist-hook: @echo "symbols added or removed are correct and copy symbols.last.tmp as" @echo "symbols.last" @echo "*****************************************************************" - objdump -T $(srcdir)/lib/.libs/libgnutls.so.28 | grep -v ' \*UND\*' | awk '{print $$7 "@" $$6;}' | sort -u >symbols.last.tmp + objdump -T $(srcdir)/lib/.libs/libgnutls.so.28 | grep -v ' \*UND\*' | awk '{print $$7 "@" $$6;}' | grep -v GNUTLS_FIPS140 | grep -v GNUTLS_PRIVATE | sort -u >symbols.last.tmp diff -u symbols.last symbols.last.tmp >/dev/null 2>&1 rm -f symbols.last.tmp rm -f ChangeLog make ChangeLog cp -f ChangeLog $(distdir)/ - sed 's/\@VERSION\@/$(VERSION)/g' -i $(distdir)/src/args-std.def - sed 's/\@YEAR\@/$(YEAR)/g' -i $(distdir)/src/args-std.def - sed 's/\@PACKAGE_BUGREPORT\@/$(PACKAGE_BUGREPORT)/g' -i $(distdir)/src/args-std.def + $(SED) 's/\@VERSION\@/$(VERSION)/g' -i $(distdir)/src/args-std.def + $(SED) 's/\@YEAR\@/$(YEAR)/g' -i $(distdir)/src/args-std.def + $(SED) 's/\@PACKAGE_BUGREPORT\@/$(PACKAGE_BUGREPORT)/g' -i $(distdir)/src/args-std.def cd $(distdir)/src/ && for i in *.def;do \ if test x"$$i" = x"args-std.def";then continue; fi; \ autogen $$i; \ cp $$i $$i.tmp; \ - sed -i 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $$i.tmp; \ + $(SED) -i 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $$i.tmp; \ autogen -Tagman-cmd.tpl $$i.tmp; \ rm -f $$i.tmp; \ mv -f *.1 ../doc/manpages/; \ 
@@ -1812,6 +1835,11 @@ dist-hook: cd $(distdir)/src/ && for i in *-args.c *-args.h;do \ mv $$i $$i.bak; \ done + @echo "*****************************************************************" + @echo "Checking whether included libopts matches the system's. If the" + @echo "check fails upgrade the included libopts." + @echo "*****************************************************************" + test "`autoopts-config libsrc|cut -d '-' -f 2|sed 's/.tar.gz//'`" = "`cat src/libopts/autoopts/options.h |grep OPTIONS_VERSION_STRING|cut -d '"' -f 2|sed 's/:/./g'`" touch $(distdir)/doc/*.html $(distdir)/doc/*.pdf $(distdir)/doc/*.info # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/NEWS b/NEWS index 3272691..a23d8af 100644 --- a/NEWS +++ b/NEWS 
@@ -1,8 +1,676 @@ GnuTLS NEWS -- History of user-visible changes. -*- outline -*- -Copyright (C) 2000-2014 Free Software Foundation, Inc. -Copyright (C) 2013, 2014 Nikos Mavrogiannopoulos +Copyright (C) 2000-2016 Free Software Foundation, Inc. +Copyright (C) 2013-2016 Nikos Mavrogiannopoulos See the end for copying conditions. +* Version 3.3.27 (released 2017-03-06) + +** libgnutls: read the pin-value attribute if the p11-kit version allows it. + +** libgnutls: Addressed integer overflow resulting to invalid memory write + in OpenPGP certificate parsing. Issue found using oss-fuzz project: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 [GNUTLS-SA-2017-3A] + +** libgnutls: Addressed crashes in OpenPGP certificate parsing, related + to private key parser. No longer allow OpenPGP certificates (public keys) + to contain private key sub-packets. Issue found using oss-fuzz project: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354 + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 [GNUTLS-SA-2017-3B] + +** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that + could lead in out-of-memory condition. Issue found using oss-fuzz project, + and was fixed by Alex Gaynor: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 [GNUTLS-SA-2017-3C] + +** API and ABI modifications: +No changes since last version. + + +* Version 3.3.26 (released 2016-01-09) + +** libgnutls: Handle status request responses as optional (following + RFC6066). This improves compatibility with implementations not sending + these messages (including specific versions on the GnuTLS 3.5.x branch). + +** libgnutls: Set limits on the maximum number of alerts handled. That is, + applications using gnutls could be tricked into an busy loop if the + peer sends continuously alert messages. Applications which set a maximum + handshake time (via gnutls_handshake_set_timeout) will eventually recover + but others may remain in a busy loops indefinitely. 
This is related but + not identical to CVE-2016-8610, due to the difference in alert handling + of the libraries (gnutls delegates that handling to applications). + +** libgnutls: Fixed issue in PKCS#12 password encoding, which truncated + passwords over 32-characters. Reported by Mario Klebsch. + +** libgnutls: Backported functionality allowing to manipulate the IDs + of PKCS#11 objects. + +** libgnutls: Link to trousers (TPM library) dynamically. Backported TPM + key handling improvements from master branch. + +** libgnutls: Backported several fixes in PKCS#8 decryption (related to + gitlab issue #148). + +** libgnutls: Fix double free in certificate information printing. If the PKIX + extension proxy was set with a policy language set but no policy specified, + that could lead to a double free. [GNUTLS-SA-2017-1] + +** libgnutls: Addressed memory leak in server side error path + (issue found using oss-fuzz project) + +** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate + parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project) + +** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing. + (issues found using oss-fuzz project) [GNUTLS-SA-2017-2] + +** tpmtool: backported the --test-sign option. + +** API and ABI modifications: +gnutls_pkcs11_obj_set_info: Added +gnutls_pkcs11_privkey_generate3: Added +gnutls_pkcs11_copy_x509_privkey2: Added +gnutls_pkcs11_copy_x509_crt2: Added + + +* Version 3.3.25 (released 2016-10-9) + +** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key() + failures due to key mismatch. This prevents leaks or double freeing + on such failures. + +** libgnutls: Corrected the comparison of the serial size in OCSP response. + Previously the OCSP certificate check wouldn't verify the serial length + and could succeed in cases it shouldn't (GNUTLS-SA-2016-3). + Reported by Stefan Buehler. 
+ +** libgnutls: Fixes in gnutls_x509_crt_list_import2, which was + ignoring flags if all certificates in the list fit within the + initially allocated memory. + +** libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the complete chain, + even when the extra_certs was non-null. Report and fix by Stefan Sørensen. + +** libgnutls: Added support for decrypting PKCS#8 files which use the HMAC-SHA256 + as PRF. + +** libgnutls: Addressed issue with PKCS#11 signature generation on ECDSA + keys. The signature is now written as unsigned integers into the DSASignatureValue + structure. Previously signed integers could be written depending on what + the underlying module would produce. Addresses #122. + +** libgnutls: backported X.509 unique ID functionality from later versions. + +** libgnutls: Increased the maximum size of the handshake message hash. + This will allow the library to cope better with larger packets, as + the ones offered by current TLS 1.3 drafts. + +** API and ABI modifications: +gnutls_x509_crt_set_issuer_unique_id: Added +gnutls_x509_crt_set_subject_unique_id: Added + + +* Version 3.3.24 (released 2016-07-06) + +** libgnutls: Address issue when utilizing the p11-kit trust store + for certificate verification (GNUTLS-SA-2016-2). + +** libgnutls: when generating private keys mark the public key as not + private. + +** libgnutls: use secure_getenv() where available to obtain environment + variables. + +** libgnutls: Fixed DTLS handshake packet reconstruction. Reported by + Guillaume Roguez. + +** libgnutls: Fixed issues with PKCS#11 reading of sensitive objects + from SafeNet Network HSM. Reported by Anthony Alba. + +** libgnutls: Corrected reading and writing of PKCS#11 CKA_SERIAL_NUMBER. Report + and fix by Stanislav Židek. + +** libgnutls: Enhanced the priority functions to understand -VERS-ALL keyword + to allow compatibility of priority strings between 3.4.x and 3.3.x. + +** API and ABI modifications: +No changes since last version. 
+ + +* Version 3.3.23 (released 2016-05-20) + +** libgnutls: Corrected behavior of ALPN extension parsing during session + resumption. Report and patches by Yuriy M. Kaminskiy. + +** libgnutls: Properly print the IP Adress name constraints. + +** libgnutls: Fixes in gnutls_privkey_import_ecc_raw(). + +** libgnutls: Fixed gnutls_pkcs11_get_raw_issuer() usage with the + GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag. Previously that + operation could fail on certain PKCS#11 modules. + +** libgnutls: gnutls_pkcs11_obj_import_url() and gnutls_x509_crt_import_pkcs11_url() + can accept the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag. + +** libgnutls: gnutls_certificate_set_key() was enhanced to import the DNS + name of the certificates if the provided names are NULL. + +** libgnutls: when receiving SNI names, only save and expose to application + the supported DNS names. + +** libgnutls: when importing the certificate names at the + gnutls_certificate_set* functions, only consider the CN as a fallback + if DNS names are provided via the alternative name extension. + +** ocsptool: use HTTP/1.0 for requests. This avoids issue with servers + serving chunk encoding which ocsptool doesn't support. Reported by Thomas + Klute. + +** certtool: do not require a CA for OCSP signing tag. This follows the + recommendations in RFC6960 in 4.2.2.2 which allow a CA to delegate OCSP + signing to another certificate without requiring it to be a CA. Reported + by Thomas Klute. + +** gnutls-cli: on OCSP verification do not fail if we have a single valid + reply. Report and reproducer by Thomas Klute. + +** API and ABI modifications: +No changes since last version. + + +* Version 3.3.22 (released 2016-03-10) + +** libgnutls: Eliminated issues preventing buffers more than 2^32 bytes + to be used with hashing functions. + +** libgnutls: Follow closely RFC5280 recommendations and use UTCTime for + dates prior to 2050. Backported from 3.4.x branch. 
+ +** libgnutls: Several fixes to prevent relying on undefined behavior of C + (found with libubsan). + +** libgnutls: SSL 3.0 is no longer included in the default priorities + list. It has to be explicitly enabled, e.g., with a string like + "NORMAL:+VERS-SSL3.0". The previous behavior can be restored using + the flag --with-ssl3 to configure. + +** API and ABI modifications: +No changes since last version. + + +* Version 3.3.21 (released 2016-02-03) + +** libgnutls: Corrected ALPN protocol negotiation. Before GnuTLS would negotiate + the last commonly supported protocol, rather than the first. Reported by + Remi Denis-Courmont (#63). + +** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities + list. It has to be explicitly enabled, e.g., with a string like + "NORMAL:+ARCFOUR-128". The previous behavior can be restored using + the flag --with-arcfour128 to configure. + +** libgnutls: Corrected regression caused by incorrect fix in + gnutls_x509_ext_export_key_usage() at 3.3.20 release. + +** API and ABI modifications: +No changes since last version. + + +* Version 3.3.20 (released 2016-01-08) + +** libgnutls: Corrected memory leak in gnutls_pubkey_import_privkey() when + used with PKCS #11 keys. + +** libgnutls: For DSA and ECDSA keys in PKCS #11 objects, import + their public keys from either a public key object or a certificate. + That is, because private keys do not contain all the required + parameters for a direct import. Reported by Jan Vcelak. + +** libgnutls: Fixed issue when writing ECDSA private keys in PKCS #11 + tokens. + +** libgnutls: Fixed out-of-bounds read in gnutls_x509_ext_export_key_usage(), + report and patch by Tim Kosse. + +** libgnutls: Handle DNS name constraints with a leading dot. Backported + from 3.4.x branch. + +** libgnutls: The max-record extension is no longer negotiated on DTLS. This resolves + issue with the max-record being negotiated but ignored. 
+ +** API and ABI modifications: +No changes since last version. + + +* Version 3.3.19 (released 2015-11-22) + +** libgnutls: Properly require TLS 1.2 to all the CBC-SHA256 and CBC-SHA384 + ciphersuites. This solves an interoperability issue with openssl. + Reported by Viktor Dukhovni. + +** libgnutls: Fixed memory leak in gnutls_pubkey_get_preferred_hash_algorithm(), + patch by Lennert Buytenhek. + +** libgnutls: When writing a certificate into a PKCS #11 token, ensure + that CKA_SERIAL_NUMBER and CKA_ISSUER are written. + +** libgnutls: Allow the presence of legacy ciphers and key exchanges in + priority strings and consider them a no-op. + +** libgnutls: On a rehandshake allow switching from anonymous to ECDHE and + DHE ciphersuites. + +** libgnutls: Added GNUTLS_SKIP_GLOBAL_INIT macro to allow programs skipping + the implicit global initialization. + +** gnutls.pc: Don't include libtool specific options to link flags. + Reported by Dan Kegel. + +** API and ABI modifications: +GNUTLS_SKIP_GLOBAL_INIT: Added + + +* Version 3.3.18 (released 2015-09-12) + +** libgnutls: When re-importing CRLs to a trust list ensure that there + are no duplicate entries. + +** certtool: Removed any arbitrary limits imposed on input file sizes + and maximum number of certificates imported. + +** API and ABI modifications: + No changes since last version. + + +* Version 3.3.17 (released 2015-08-10) + +** libgnutls: Fix issue with server side sending the status request + extension even when not requested. Reported by Jeremy Harris. + +** libgnutls: gnutls_pkcs11_privkey_generate2() will store the generated + public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY flag is + specified. + +** libgnutls: fixed double free in DN decoding [GNUTLS-SA-2015-3]. + +** API and ABI modifications: + No changes since last version. 
+ + +* Version 3.3.16 (released 2015-07-12) + +** libgnutls: Allow compilation with nettle 3.0 or later + +** libgnutls: corrected failure when importing plain files + with gnutls_x509_privkey_import2(), and a password was provided. + +** libgnutls: Don't reject certificates if a CA has the URI or IP address + name constraints, and the end certificate doesn't have an IP address + name or a URI set. + +** libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites. + +** API and ABI modifications: + No changes since last version. + + +* Version 3.3.15 (released 2015-05-03) + +** libgnutls: gnutls_certificate_get_ours: will return the certificate even +if a callback was used to send it. + +** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by +Karthikeyan Bhargavan [GNUTLS-SA-2015-2]. + +** libgnutls: Check for invalid length in the X.509 version field. Without the check +certificates with invalid length would be detected as having an arbitrary +version. Reported by Hanno Böck. + +** API and ABI modifications: +No changes since last version. + + +* Version 3.3.14 (released 2015-03-30) + +** libgnutls: When retrieving OCTET STRINGS from PKCS #12 ContentInfo +structures use BER to decode them (requires libtasn1 4.3). That allows +to decode some more complex structures. + +** libgnutls: When an end-certificate with no name is present and there +are CA name constraints, don't reject the certificate. This follows RFC5280 +advice closely. Reported by Fotis Loukos. + +** libgnutls: Fixed handling of supplemental data with types > 255. +Patch by Thierry Quemerais. + +** libgnutls: Fixed double free in the parsing of CRL distribution points certificate +extension. Reported by Robert Święcki. + +** libgnutls: Fixed a two-byte stack overflow in DTLS 0.9 protocol. That +protocol is not enabled by default (used by openconnect VPN). + +** libgnutls: The maximum user data send size is set to be the same for +block and non-block ciphersuites. 
This addresses a regression with wine: +https://bugs.winehq.org/show_bug.cgi?id=37500 + +** libgnutls: When generating PKCS #11 keys, set CKA_ID, CKA_SIGN, +and CKA_DECRYPT when needed. + +** libgnutls: Allow names with zero size to be set using +gnutls_server_name_set(). That will disable the Server Name Indication. +Resolves issue with wine: https://gitlab.com/gnutls/gnutls/issues/2 + +** API and ABI modifications: +No changes since last version. + + +* Version 3.3.13 (released 2015-02-25) + +** libgnutls: Enable AESNI in GCM on x86 + +** libgnutls: Fixes in DTLS message handling + +** libgnutls: Check certificate algorithm consistency, i.e., +check whether the signatureAlgorithm field matches the signature +field inside TBSCertificate. + +** gnutls-cli: Fixes in OCSP verification. + +** API and ABI modifications: +No changes since last version. + + +* Version 3.3.12 (released 2015-01-17) + +** libgnutls: When negotiating TLS use the lowest enabled version in +the client hello, rather than the lowest supported. In addition, do +not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0 +is the only protocol supported. That addresses issues with servers that +immediately drop the connection when the encounter SSL 3.0 as the record +version number. See: +http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html + +** libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters. + +** libgnutls: Handle zero length plaintext for VIA PadLock functions. +This solves a potential crash on AES encryption for small size plaintext. +Patch by Matthias-Christian Ott. + +** libgnutls: In DTLS don't combine multiple packets which exceed MTU. +Reported by Andreas Schultz. https://savannah.gnu.org/support/?108715 + +** libgnutls: In DTLS decode all handshake packets present in a record +packet, in a single pass. Reported by Andreas Schultz. 
+https://savannah.gnu.org/support/?108712 + +** libgnutls: When importing a CA file with a PKCS #11 URL, simply +import the certificates, if the URL specifies objects, rather than +treating it as trust module. + +** libgnutls: When importing a PKCS #11 URL and we know the type of +object we are importing, don't require the object type in the URL. + +** libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2 +was used by the server. + +** guile: Fix compilation on MinGW. Previously only the static version of the +'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile. + +** guile: Fix harmless warning during compilation of gnutls.scm +Initially reported at . + +** certtool: --pubkey-info will also attempt to load a public key +from stdin. + +** gnutls-cli: Added --starttls-proto option. That allows to specify a +protocol for starttls negotiation. + +** API and ABI modifications: +No changes since last version. + + +* Version 3.3.11 (released 2014-12-11) + +** libgnutls: Corrected regression introduced in 3.3.9 related to +session renegotiation. Reported by Dan Winship. + +** libgnutls: Corrected parsing issue with OCSP responses. + +** API and ABI modifications: +No changes since last version. + + +* Version 3.3.10 (released 2014-11-10) + +** libgnutls: Refuse to import v1 or v2 certificates that contain +extensions. + +** libgnutls: Fixes in usage of PKCS #11 token callback + +** libgnutls: Fixed bug in gnutls_x509_trust_list_get_issuer() when used +with a PKCS #11 trust module and without the GNUTLS_TL_GET_COPY flag. +Reported by David Woodhouse. + +** libgnutls: Removed superfluous random generator refresh on every call +of gnutls_deinit(). That reduces load and usage of /dev/urandom. + +** libgnutls: Corrected issue in export of ECC parameters to X9.63 format. +Reported by Sean Burford [GNUTLS-SA-2014-5]. 
+ +** libgnutls: When gnutls_global_init() is called for a second time, it +will check whether the /dev/urandom fd kept is still open and matches +the original one. That behavior works around issues with servers that +close all file descriptors. + +** libgnutls: Corrected behavior with PKCS #11 objects that are marked +as CKA_ALWAYS_AUTHENTICATE. + +** certtool: The default cipher for PKCS #12 structures is 3des-pkcs12. +That option is more compatible than AES or RC4. + +** API and ABI modifications: +No changes since last version. + + +* Version 3.3.9 (released 2014-10-13) + +** libgnutls: Fixes in the transparent import of PKCS #11 certificates. +Reported by Joseph Peruski. + +** libgnutls: Fixed issue with unexpected non-fatal errors resetting the +handshake's hash buffer, in applications using the heartbeat extension +or DTLS. Reported by Joeri de Ruiter. + +** libgnutls: When both a trust module and additional CAs are present +account the latter as well; reported by David Woodhouse. + +** libgnutls: added GNUTLS_TL_GET_COPY flag for +gnutls_x509_trust_list_get_issuer(). That allows the function to be used +in a thread safe way when PKCS #11 trust modules are in use. + +** libgnutls: fix issue in DTLS retransmission when session tickets +were in use; reported by Manuel Pégourié-Gonnard. + +** libgnutls-dane: Do not require the CA on a ca match to be direct CA. + +** libgnutls: Prevent abort() in library if getrusage() fails. Try to +detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work. + +** guile: new 'set-session-server-name!' procedure; see the manual for +details. + +** certtool: The authority key identifier will be set in a certificate only +if the CA's subject key identifier is set. + +** API and ABI modifications: +No changes since last version. + + +* Version 3.3.8 (released 2014-09-18) + +** libgnutls: Updates in the name constraints checks. No name constraints +will be checked for intermediate certificates. 
As our support for name +constraints is limited to e-mail addresses in DNS names, it is pointless +to check them on intermediate certificates. + +** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple +object listing would fail completely if a single object could not be exported. + +** libgnutls: Improved the performance of PKCS #11 object listing/retrieving, +by retrieving them in large batches. Report and suggestion by David +Woodhouse. + +** libgnutls: Fixed issue with certificates being sanitized by gnutls prior +to signature verification. That resulted to certain non-DER compliant modifications +of valid certificates, being corrected by libtasn1's parser and restructured as +the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from +Codenomicon. + +** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle +strings with embedded spaces and escaped commas. + +** libgnutls: when comparing a CA certificate with the trusted list compare +the name and key only instead of the whole certificate. That is to handle +cases where a CA certificate was superceded by a different one with the same +name and the same key. + +** libgnutls: when verifying a certificate against a p11-kit trusted +module, use the attached extensions in the module to override the CA's +extensions (that requires p11-kit 0.20.7). + +** libgnutls: In DTLS prevent sending zero-size fragments in certain cases +of MTU split. Reported by Manuel Pégourié-Gonnard. + +** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows +verifying using a hostname and a purpose (extended key usage). That +enhances PKCS #11 trust module verification, as it can now check the purpose +when this function is used. + +** libgnutls: Corrected gnutls_x509_crl_verify() which would always report +a CRL signature as invalid. Reported by Armin Burgmeier. + +** libgnutls: added option --disable-padlock to allow disabling the padlock +CPU acceleration. 
+ +** p11tool: when listing tokens, list their type as well. + +** p11tool: when listing objects from a trust module print any attached +extensions on certificates. + +** API and ABI modifications: +gnutls_x509_crq_get_extension_by_oid2: Added +gnutls_x509_crt_get_extension_by_oid2: Added +gnutls_x509_trust_list_verify_crt2: Added +gnutls_x509_ext_print: Added +gnutls_x509_ext_deinit: Added +gnutls_x509_othername_to_virtual: Added +gnutls_pkcs11_obj_get_exts: Added + + +* Version 3.3.7 (released 2014-08-24) + +** libgnutls: Added function to export the public key of a PKCS #11 +private key. Contributed by Wolfgang Meyer zu Bergsten. + +** libgnutls: Explicitly set the exponent in PKCS #11 key generation. +That improves compatibility with certain PKCS #11 modules. Contributed by +Wolfgang Meyer zu Bergsten. + +** libgnutls: When generating a PKCS #11 private key allow setting +the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten. + +** libgnutls: gnutls_pkcs11_privkey_t will always hold an open session +to the key. + +** libgnutls: bundle replacements of inet_pton and inet_aton if not +available. + +** libgnutls: initialize parameters variable on PKCS #8 decryption. + +** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1 +algorithms. + +** libgnutls: gnutls_x509_crt_check_hostname() will follow the RFC6125 +requirement of checking the Common Name (CN) part of DN only if there is +a single CN present in the certificate. + +** libgnutls: The environment variable GNUTLS_FORCE_FIPS_MODE can be used +to force the FIPS mode, when set to 1. + +** libgnutls: In DTLS ignore only errors that relate to unexpected packets +and decryption failures. + +** p11tool: Added --info parameter. + +** certtool: Added --mark-wrap parameter. + +** danetool: --check will attempt to retrieve the server's certificate +chain and verify against it. 
+ +** danetool/gnutls-cli-debug: Added --app-proto parameters which can +be used to enforce starttls (currently only SMTP and IMAP) on the connection. + +** danetool: Added openssl linking exception, to allow linking +with libunbound. + +** API and ABI modifications: +GNUTLS_PKCS11_OBJ_ATTR_MATCH: Added +gnutls_pkcs11_privkey_export_pubkey: Added +gnutls_pkcs11_obj_flags_get_str: Added +gnutls_pkcs11_obj_get_flags: Added + + +* Version 3.3.6 (released 2014-07-23) + +** libgnutls: Use inet_ntop to print IP addresses when available + +** libgnutls: gnutls_x509_crt_check_hostname and friends will also check +IP addresses, and match documented behavior. Reported by David Woodhouse. + +** libgnutls: DSA key generation in FIPS140-2 mode doesn't allow 1024 +bit parameters. + +** libgnutls: fixed issue in gnutls_pkcs11_reinit() which prevented tokens +being usable after a reinitialization. + +** libgnutls: fixed PKCS #11 private key operations after a fork. + +** libgnutls: fixed PKCS #11 ECDSA key generation. + +** libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to +explicitly enable/disable the use of certain CPU capabilities. Note that CPU +detection cannot be overriden, i.e., VIA options cannot be enabled on an Intel +CPU. The currently available options are: + 0x1: Disable all run-time detected optimizations + 0x2: Enable AES-NI + 0x4: Enable SSSE3 + 0x8: Enable PCLMUL + 0x100000: Enable VIA padlock + 0x200000: Enable VIA PHE + 0x400000: Enable VIA PHE SHA512 + +** libdane: added dane_query_to_raw_tlsa(); patch by Simon Arlott. + +** p11tool: use GNUTLS_SO_PIN to read the security officer's PIN if set. + +** p11tool: ask for label when one isn't provided. + +** p11tool: added --batch parameter to disable any interactivity. + +** p11tool: will not implicitly enable so-login for certain types of +objects. That avoids issues with tokens that require different login +types. 
+ +** certtool/p11tool: Added the --curve parameter which allows to explicitly +specify the curve to use. + +** API and ABI modifications: +gnutls_certificate_set_x509_trust_dir: Added +gnutls_x509_trust_list_add_trust_dir: Added + + * Version 3.3.5 (released 2014-06-26) ** libgnutls: Added gnutls_record_recv_packet() and gnutls_packet_deinit(). diff --git a/aclocal.m4 b/aclocal.m4 index ac7c4f6..9574282 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1,6 +1,6 @@ -# generated automatically by aclocal 1.14.1 -*- Autoconf -*- +# generated automatically by aclocal 1.15 -*- Autoconf -*- -# Copyright (C) 1996-2013 Free Software Foundation, Inc. +# Copyright (C) 1996-2014 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,7 +20,7 @@ You have another version of autoconf. It may work, but is not guaranteed to. If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.])]) -# Copyright (C) 2002-2013 Free Software Foundation, Inc. +# Copyright (C) 2002-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -32,10 +32,10 @@ To do so, use the procedure documented by the package, typically 'autoreconf'.]) # generated from the m4 files accompanying Automake X.Y. # (This private macro should not be called outside this file.) AC_DEFUN([AM_AUTOMAKE_VERSION], -[am__api_version='1.14' +[am__api_version='1.15' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.14.1], [], +m4_if([$1], [1.15], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) 
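Review bot: the NEWS text added in this hunk carries a few wording errors that should be fixed in the same commit: in the 3.3.12 entry "servers that immediately drop the connection when the encounter SSL 3.0" should read "when they encounter SSL 3.0", and the guile entry in the same version ends with "Initially reported at ." with nothing after "at", so the reference it points to is missing; in the 3.3.8 entry "a CA certificate was superceded by a different one" should be "superseded", and "That resulted to certain non-DER compliant modifications of valid certificates, being corrected by libtasn1's parser" reads better as "That resulted in certain non-DER compliant modifications of valid certificates being corrected by libtasn1's parser"; in the 3.3.6 entry "CPU detection cannot be overriden" should be "overridden".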
@@ -51,12 +51,12 @@ m4_define([_AM_AUTOCONF_VERSION], []) # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.14.1])dnl +[AM_AUTOMAKE_VERSION([1.15])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) -# Copyright (C) 2011-2013 Free Software Foundation, Inc. +# Copyright (C) 2011-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -118,7 +118,7 @@ AC_SUBST([AR])dnl # Figure out how to run the assembler. -*- Autoconf -*- -# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -138,7 +138,7 @@ _AM_IF_OPTION([no-dependencies],, [_AM_DEPENDENCIES([CCAS])])dnl # AM_AUX_DIR_EXPAND -*- Autoconf -*- -# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -183,15 +183,14 @@ _AM_IF_OPTION([no-dependencies],, [_AM_DEPENDENCIES([CCAS])])dnl # configured tree to be moved without reconfiguration. AC_DEFUN([AM_AUX_DIR_EXPAND], -[dnl Rely on autoconf to set up CDPATH properly. -AC_PREREQ([2.50])dnl -# expand $ac_aux_dir to an absolute path -am_aux_dir=`cd $ac_aux_dir && pwd` +[AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl +# Expand $ac_aux_dir to an absolute path. +am_aux_dir=`cd "$ac_aux_dir" && pwd` ]) # AM_CONDITIONAL -*- Autoconf -*- -# Copyright (C) 1997-2013 Free Software Foundation, Inc. +# Copyright (C) 1997-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -222,7 +221,7 @@ AC_CONFIG_COMMANDS_PRE( Usually this means the macro was only invoked conditionally.]]) fi])]) -# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Copyright (C) 1999-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -413,7 +412,7 @@ _AM_SUBST_NOTMAKE([am__nodep])dnl # Generate code to set up dependency tracking. -*- Autoconf -*- -# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Copyright (C) 1999-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -489,7 +488,7 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS], # Do all the work for Automake. -*- Autoconf -*- -# Copyright (C) 1996-2013 Free Software Foundation, Inc. +# Copyright (C) 1996-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -579,8 +578,8 @@ AC_REQUIRE([AC_PROG_MKDIR_P])dnl # # AC_SUBST([mkdir_p], ['$(MKDIR_P)']) -# We need awk for the "check" target. The system "awk" is bad on -# some platforms. +# We need awk for the "check" target (and possibly the TAP driver). The +# system "awk" is bad on some platforms. AC_REQUIRE([AC_PROG_AWK])dnl AC_REQUIRE([AC_PROG_MAKE_SET])dnl AC_REQUIRE([AM_SET_LEADING_DOT])dnl @@ -654,6 +653,9 @@ END AC_MSG_ERROR([Your 'rm' program is bad, sorry.]) fi fi +dnl The trailing newline in this macro's definition is deliberate, for +dnl backward compatibility and to allow trailing 'dnl'-style comments +dnl after the AM_INIT_AUTOMAKE invocation. See automake bug#16841. ]) dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not @@ -683,7 +685,7 @@ for _am_header in $config_headers :; do done echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) -# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -694,7 +696,7 @@ echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_co # Define $install_sh. AC_DEFUN([AM_PROG_INSTALL_SH], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl -if test x"${install_sh}" != xset; then +if test x"${install_sh+set}" != xset; then case $am_aux_dir in *\ * | *\ *) install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; @@ -704,7 +706,7 @@ if test x"${install_sh}" != xset; then fi AC_SUBST([install_sh])]) -# Copyright (C) 2003-2013 Free Software Foundation, Inc. +# Copyright (C) 2003-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
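Review bot: the AM_PROG_INSTALL_SH hunk (@@ -694,7 +696,7 @@) is a genuine bug fix and deserves a mention in the change description: the old test `if test x"${install_sh}" != xset; then` compared the value of install_sh with the literal string "set", so a user-supplied install_sh was always overwritten with the bundled install-sh; the new `${install_sh+set}` form tests whether the variable is set, which is what the surrounding "Define $install_sh" comment intends.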
@@ -725,7 +727,7 @@ AC_SUBST([am__leading_dot])]) # Check to see how 'make' treats includes. -*- Autoconf -*- -# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -775,7 +777,7 @@ rm -f confinc confmf # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- -# Copyright (C) 1997-2013 Free Software Foundation, Inc. +# Copyright (C) 1997-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -812,7 +814,7 @@ else fi ]) -# Copyright (C) 2003-2013 Free Software Foundation, Inc. +# Copyright (C) 2003-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -846,7 +848,7 @@ esac # Helper functions for option handling. -*- Autoconf -*- -# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -875,7 +877,7 @@ AC_DEFUN([_AM_SET_OPTIONS], AC_DEFUN([_AM_IF_OPTION], [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) -# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Copyright (C) 1999-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -922,7 +924,7 @@ AC_LANG_POP([C])]) # For backward compatibility. AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])]) -# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -941,7 +943,7 @@ AC_DEFUN([AM_RUN_LOG], # Check to make sure that the build environment is sane. -*- Autoconf -*- -# Copyright (C) 1996-2013 Free Software Foundation, Inc. +# Copyright (C) 1996-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1022,7 +1024,7 @@ AC_CONFIG_COMMANDS_PRE( rm -f conftest.file ]) -# Copyright (C) 2009-2013 Free Software Foundation, Inc. +# Copyright (C) 2009-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1082,7 +1084,7 @@ AC_SUBST([AM_BACKSLASH])dnl _AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl ]) -# Copyright (C) 2001-2013 Free Software Foundation, Inc. +# Copyright (C) 2001-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1110,7 +1112,7 @@ fi INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" AC_SUBST([INSTALL_STRIP_PROGRAM])]) -# Copyright (C) 2006-2013 Free Software Foundation, Inc. +# Copyright (C) 2006-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -1129,7 +1131,7 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)]) # Check how to create a tarball. -*- Autoconf -*- -# Copyright (C) 2004-2013 Free Software Foundation, Inc. +# Copyright (C) 2004-2014 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1292,6 +1294,7 @@ m4_include([src/gl/m4/timespec.m4]) m4_include([src/gl/m4/tm_gmtoff.m4]) m4_include([src/gl/m4/xalloc.m4]) m4_include([src/libopts/m4/libopts.m4]) +m4_include([src/libopts/m4/stdnoreturn.m4]) m4_include([gl/m4/00gnulib.m4]) m4_include([gl/m4/absolute-header.m4]) m4_include([gl/m4/alloca.m4]) diff --git a/build-aux/compile b/build-aux/compile index 531136b..a85b723 100755 --- a/build-aux/compile +++ b/build-aux/compile @@ -3,7 +3,7 @@ scriptversion=2012-10-14.11; # UTC -# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Copyright (C) 1999-2014 Free Software Foundation, Inc. # Written by Tom Tromey . # # This program is free software; you can redistribute it and/or modify diff --git a/build-aux/config.guess b/build-aux/config.guess index b79252d..1f5c50c 100755 --- a/build-aux/config.guess +++ b/build-aux/config.guess @@ -1,8 +1,8 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2013 Free Software Foundation, Inc. +# Copyright 1992-2014 Free Software Foundation, Inc. -timestamp='2013-06-10' +timestamp='2014-03-23' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -50,7 +50,7 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2013 Free Software Foundation, Inc. +Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -149,7 +149,7 @@ Linux|GNU|GNU/*) LIBC=gnu #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` ;; esac @@ -826,7 +826,7 @@ EOF *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; - i*:MSYS*:*) + *:MSYS*:*) echo ${UNAME_MACHINE}-pc-msys exit ;; i*:windows32*:*) @@ -969,10 +969,10 @@ EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; - or1k:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + openrisc*:Linux:*:*) + echo or1k-unknown-linux-${LIBC} exit ;; - or32:Linux:*:*) + or32:Linux:*:* | or1k*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; padre:Linux:*:*) 
@@ -1260,16 +1260,26 @@ EOF if test "$UNAME_PROCESSOR" = unknown ; then UNAME_PROCESSOR=powerpc fi - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then - if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ - grep IS_64BIT_ARCH >/dev/null - then - case $UNAME_PROCESSOR in - i386) UNAME_PROCESSOR=x86_64 ;; - powerpc) UNAME_PROCESSOR=powerpc64 ;; - esac + if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then + if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + case $UNAME_PROCESSOR in + i386) UNAME_PROCESSOR=x86_64 ;; + powerpc) UNAME_PROCESSOR=powerpc64 ;; + esac + fi fi + elif test "$UNAME_PROCESSOR" = i386 ; then + # Avoid executing cc on OS X 10.9, as it ships with a stub + # that puts up a graphical alert prompting to install + # developer tools. Any system running Mac OS X 10.7 or + # later (Darwin 11 and later) is required to have a 64-bit + # processor. This is not true of the ARM version of Darwin + # that Apple uses in portable devices. + UNAME_PROCESSOR=x86_64 fi echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit ;; 
@@ -1361,154 +1371,6 @@ EOF exit ;; esac -eval $set_cc_for_build -cat >$dummy.c < -# include -#endif -main () -{ -#if defined (sony) -#if defined (MIPSEB) - /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, - I don't know.... */ - printf ("mips-sony-bsd\n"); exit (0); -#else -#include - printf ("m68k-sony-newsos%s\n", -#ifdef NEWSOS4 - "4" -#else - "" -#endif - ); exit (0); -#endif -#endif - -#if defined (__arm) && defined (__acorn) && defined (__unix) - printf ("arm-acorn-riscix\n"); exit (0); -#endif - -#if defined (hp300) && !defined (hpux) - printf ("m68k-hp-bsd\n"); exit (0); -#endif - -#if defined (NeXT) -#if !defined (__ARCHITECTURE__) -#define __ARCHITECTURE__ "m68k" -#endif - int version; - version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; - if (version < 4) - printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); - else - printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); - exit (0); -#endif - -#if defined (MULTIMAX) || defined (n16) -#if defined (UMAXV) - printf ("ns32k-encore-sysv\n"); exit (0); -#else -#if defined (CMU) - printf ("ns32k-encore-mach\n"); exit (0); -#else - printf ("ns32k-encore-bsd\n"); exit (0); -#endif -#endif -#endif - -#if defined (__386BSD__) - printf ("i386-pc-bsd\n"); exit (0); -#endif - -#if defined (sequent) -#if defined (i386) - printf ("i386-sequent-dynix\n"); exit (0); -#endif -#if defined (ns32000) - printf ("ns32k-sequent-dynix\n"); exit (0); -#endif -#endif - -#if defined (_SEQUENT_) - struct utsname un; - - uname(&un); - - if (strncmp(un.version, "V2", 2) == 0) { - printf ("i386-sequent-ptx2\n"); exit (0); - } - if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? 
*/ - printf ("i386-sequent-ptx1\n"); exit (0); - } - printf ("i386-sequent-ptx\n"); exit (0); - -#endif - -#if defined (vax) -# if !defined (ultrix) -# include -# if defined (BSD) -# if BSD == 43 - printf ("vax-dec-bsd4.3\n"); exit (0); -# else -# if BSD == 199006 - printf ("vax-dec-bsd4.3reno\n"); exit (0); -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# endif -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# else - printf ("vax-dec-ultrix\n"); exit (0); -# endif -#endif - -#if defined (alliant) && defined (i860) - printf ("i860-alliant-bsd\n"); exit (0); -#endif - - exit (1); -} -EOF - -$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` && - { echo "$SYSTEM_NAME"; exit; } - -# Apollos put the system type in the environment. - -test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; } - -# Convex versions that predate uname can use getsysinfo(1) - -if [ -x /usr/convex/getsysinfo ] -then - case `getsysinfo -f cpu_type` in - c1*) - echo c1-convex-bsd - exit ;; - c2*) - if getsysinfo -f scalar_acc - then echo c32-convex-bsd - else echo c2-convex-bsd - fi - exit ;; - c34*) - echo c34-convex-bsd - exit ;; - c38*) - echo c38-convex-bsd - exit ;; - c4*) - echo c4-convex-bsd - exit ;; - esac -fi - cat >&2 <." version="\ GNU config.sub ($timestamp) -Copyright 1992-2013 Free Software Foundation, Inc. +Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -265,6 +265,7 @@ case $basic_machine in | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ + | k1om \ | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ 
@@ -282,8 +283,10 @@ case $basic_machine in | mips64vr5900 | mips64vr5900el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ + | mipsisa32r6 | mipsisa32r6el \ | mipsisa64 | mipsisa64el \ | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64r6 | mipsisa64r6el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ | mipsr5900 | mipsr5900el \ @@ -295,11 +298,11 @@ case $basic_machine in | nds32 | nds32le | nds32be \ | nios | nios2 | nios2eb | nios2el \ | ns16k | ns32k \ - | open8 \ - | or1k | or32 \ + | open8 | or1k | or1knd | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ + | riscv32 | riscv64 \ | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ @@ -324,7 +327,7 @@ case $basic_machine in c6x) basic_machine=tic6x-unknown ;; - m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) + m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) basic_machine=$basic_machine-unknown os=-none ;; @@ -381,6 +384,7 @@ case $basic_machine in | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ + | k1om-* \ | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ @@ -400,8 +404,10 @@ case $basic_machine in | mips64vr5900-* | mips64vr5900el-* \ | mipsisa32-* | mipsisa32el-* \ | mipsisa32r2-* | mipsisa32r2el-* \ + | mipsisa32r6-* | mipsisa32r6el-* \ | mipsisa64-* | mipsisa64el-* \ | mipsisa64r2-* | mipsisa64r2el-* \ + | mipsisa64r6-* | mipsisa64r6el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ | mipsr5900-* | mipsr5900el-* \ @@ -413,6 +419,7 @@ case $basic_machine in | nios-* | nios2-* | nios2eb-* | nios2el-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | open8-* \ + | or1k*-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ 
@@ -822,6 +829,10 @@ case $basic_machine in basic_machine=powerpc-unknown os=-morphos ;; + moxiebox) + basic_machine=moxie-unknown + os=-moxiebox + ;; msdos) basic_machine=i386-pc os=-msdos @@ -1367,14 +1378,14 @@ case $os in | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ - | -uxpv* | -beos* | -mpeix* | -udk* \ + | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*) + | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1592,9 +1603,6 @@ case $basic_machine in mips*-*) os=-elf ;; - or1k-*) - os=-elf - ;; or32-*) os=-coff ;; diff --git a/build-aux/depcomp b/build-aux/depcomp index 4ebd5b3..fc98710 100755 --- a/build-aux/depcomp +++ b/build-aux/depcomp @@ -3,7 +3,7 @@ scriptversion=2013-05-30.07; # UTC -# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Copyright (C) 1999-2014 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/build-aux/gendocs.sh b/build-aux/gendocs.sh index f9ec9df..b2e7b09 100755 --- a/build-aux/gendocs.sh +++ b/build-aux/gendocs.sh 
@@ -2,7 +2,7 @@ # gendocs.sh -- generate a GNU manual in many formats. This script is # mentioned in maintain.texi. See the help message below for usage details. -scriptversion=2013-10-10.09 +scriptversion=2014-05-01.10 # Copyright 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 # Free Software Foundation, Inc. @@ -78,6 +78,9 @@ Options: --html ARG pass ARG to makeinfo or texi2html for HTML targets. --info ARG pass ARG to makeinfo for Info, instead of --no-split. --no-ascii skip generating the plain text output. + --no-html skip generating the html output. + --no-info skip generating the info output. + --no-tex skip generating the dvi and pdf output. --source ARG include ARG in tar archive of sources. --split HOW make split HTML by node, section, chapter; default node. @@ -139,10 +142,13 @@ PACKAGE= EMAIL=webmasters@gnu.org # please override with --email commonarg= # passed to all makeinfo/texi2html invcations. dirargs= # passed to all tools (-I dir). -dirs= # -I's directories. +dirs= # -I directories. htmlarg= infoarg=--no-split generate_ascii=true +generate_html=true +generate_info=true +generate_tex=true outdir=manual source_extra= split=node @@ -159,6 +165,9 @@ while test $# -gt 0; do --html) shift; htmlarg=$1;; --info) shift; infoarg=$1;; --no-ascii) generate_ascii=false;; + --no-html) generate_ascii=false;; + --no-info) generate_info=false;; + --no-tex) generate_tex=false;; --source) shift; source_extra=$1;; --split) shift; split=$1;; --texi2html) use_texi2html=1;; @@ -221,8 +230,9 @@ calcsize() # copy_images OUTDIR HTML-FILE... # ------------------------------- -# Copy all the images needed by the HTML-FILEs into OUTDIR. Look -# for them in the -I directories. +# Copy all the images needed by the HTML-FILEs into OUTDIR. +# Look for them in . and the -I directories; this is simpler than what +# makeinfo supports with -I, but hopefully it will suffice. copy_images() { local odir 
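Review bot: the option-parsing hunk in gendocs.sh (@@ -159,6 +165,9 @@) wires the new flag to the wrong variable: `+ --no-html) generate_ascii=false;;` should be `--no-html) generate_html=false;;`. As written, passing --no-html suppresses the plain-text output instead of the HTML output, and the generate_html=true default introduced in the previous hunk is never cleared, so the documented "--no-html skip generating the html output." does not work. The neighbouring --no-info and --no-tex lines set generate_info and generate_tex correctly, so only this line needs the fix.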
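Review bot: in the first gendocs.sh hunk (@@ -2,7 +2,7 @@) scriptversion is bumped to 2014-05-01.10 but the unchanged context line immediately below still lists the copyright years as "2003, 2004, ..., 2013"; a 2014 revision that adds new options should extend that range to 2014 in the same change.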
@@ -232,7 +242,7 @@ copy_images() BEGIN { \$me = '$prog'; \$odir = '$odir'; - @dirs = qw($dirs); + @dirs = qw(. $dirs); } " -e ' /${srcdir}/$PACKAGE-db.xml" @@ -431,7 +455,8 @@ if test -n "$docbook"; then mv $PACKAGE-db.pdf "$outdir/" fi -printf "\nMaking index file...\n" +# +printf "\nMaking index.html for $PACKAGE...\n" if test -z "$use_texi2html"; then CONDS="/%%IF *HTML_SECTION%%/,/%%ENDIF *HTML_SECTION%%/d;\ /%%IF *HTML_CHAPTER%%/,/%%ENDIF *HTML_CHAPTER%%/d" diff --git a/build-aux/install-sh b/build-aux/install-sh index 377bb86..59990a1 100755 --- a/build-aux/install-sh +++ b/build-aux/install-sh @@ -1,7 +1,7 @@ #!/bin/sh # install - install a program, script, or datafile -scriptversion=2011-11-20.07; # UTC +scriptversion=2014-09-12.12; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the @@ -41,19 +41,15 @@ scriptversion=2011-11-20.07; # UTC # This script is compatible with the BSD install script, but was written # from scratch. +tab=' ' nl=' ' -IFS=" "" $nl" +IFS=" $tab$nl" -# set DOITPROG to echo to test this script +# Set DOITPROG to "echo" to test this script. -# Don't use :- since 4.3BSD and earlier shells don't like it. doit=${DOITPROG-} -if test -z "$doit"; then - doit_exec=exec -else - doit_exec=$doit -fi +doit_exec=${doit:-exec} # Put in absolute file names if you don't have them in your path; # or use environment vars. @@ -68,17 +64,6 @@ mvprog=${MVPROG-mv} rmprog=${RMPROG-rm} stripprog=${STRIPPROG-strip} -posix_glob='?' -initialize_posix_glob=' - test "$posix_glob" != "?" || { - if (set -f) 2>/dev/null; then - posix_glob= - else - posix_glob=: - fi - } -' - posix_mkdir= # Desired mode of installed file. @@ -97,7 +82,7 @@ dir_arg= dst_arg= copy_on_change=false -no_target_directory= +is_target_a_directory=possibly usage="\ Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE 
@@ -137,46 +122,57 @@ while test $# -ne 0; do -d) dir_arg=true;; -g) chgrpcmd="$chgrpprog $2" - shift;; + shift;; --help) echo "$usage"; exit $?;; -m) mode=$2 - case $mode in - *' '* | *' '* | *' -'* | *'*'* | *'?'* | *'['*) - echo "$0: invalid mode: $mode" >&2 - exit 1;; - esac - shift;; + case $mode in + *' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*) + echo "$0: invalid mode: $mode" >&2 + exit 1;; + esac + shift;; -o) chowncmd="$chownprog $2" - shift;; + shift;; -s) stripcmd=$stripprog;; - -t) dst_arg=$2 - # Protect names problematic for 'test' and other utilities. - case $dst_arg in - -* | [=\(\)!]) dst_arg=./$dst_arg;; - esac - shift;; + -t) + is_target_a_directory=always + dst_arg=$2 + # Protect names problematic for 'test' and other utilities. + case $dst_arg in + -* | [=\(\)!]) dst_arg=./$dst_arg;; + esac + shift;; - -T) no_target_directory=true;; + -T) is_target_a_directory=never;; --version) echo "$0 $scriptversion"; exit $?;; - --) shift - break;; + --) shift + break;; - -*) echo "$0: invalid option: $1" >&2 - exit 1;; + -*) echo "$0: invalid option: $1" >&2 + exit 1;; *) break;; esac shift done +# We allow the use of options -d and -T together, by making -d +# take the precedence; this is for compatibility with GNU install. + +if test -n "$dir_arg"; then + if test -n "$dst_arg"; then + echo "$0: target directory not allowed when installing a directory." >&2 + exit 1 + fi +fi + if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then # When -d is used, all remaining arguments are directories to create. # When -t is used, the destination is already specified. @@ -208,6 +204,15 @@ if test $# -eq 0; then fi if test -z "$dir_arg"; then + if test $# -gt 1 || test "$is_target_a_directory" = always; then + if test ! -d "$dst_arg"; then + echo "$0: $dst_arg: Is not a directory." >&2 + exit 1 + fi + fi +fi + +if test -z "$dir_arg"; then do_exit='(exit $ret); exit $ret' trap "ret=129; $do_exit" 1 trap "ret=130; $do_exit" 2 
@@ -223,16 +228,16 @@ if test -z "$dir_arg"; then *[0-7]) if test -z "$stripcmd"; then - u_plus_rw= + u_plus_rw= else - u_plus_rw='% 200' + u_plus_rw='% 200' fi cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;; *) if test -z "$stripcmd"; then - u_plus_rw= + u_plus_rw= else - u_plus_rw=,u+rw + u_plus_rw=,u+rw fi cp_umask=$mode$u_plus_rw;; esac @@ -269,41 +274,15 @@ do # If destination is a directory, append the input filename; won't work # if double slashes aren't ignored. if test -d "$dst"; then - if test -n "$no_target_directory"; then - echo "$0: $dst_arg: Is a directory" >&2 - exit 1 + if test "$is_target_a_directory" = never; then + echo "$0: $dst_arg: Is a directory" >&2 + exit 1 fi dstdir=$dst dst=$dstdir/`basename "$src"` dstdir_status=0 else - # Prefer dirname, but fall back on a substitute if dirname fails. - dstdir=` - (dirname "$dst") 2>/dev/null || - expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$dst" : 'X\(//\)[^/]' \| \ - X"$dst" : 'X\(//\)$' \| \ - X"$dst" : 'X\(/\)' \| . 2>/dev/null || - echo X"$dst" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q' - ` - + dstdir=`dirname "$dst"` test -d "$dstdir" dstdir_status=$? fi 
@@ -314,74 +293,81 @@ do if test $dstdir_status != 0; then case $posix_mkdir in '') - # Create intermediate dirs using mode 755 as modified by the umask. - # This is like FreeBSD 'install' as of 1997-10-28. - umask=`umask` - case $stripcmd.$umask in - # Optimize common cases. - *[2367][2367]) mkdir_umask=$umask;; - .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; - - *[0-7]) - mkdir_umask=`expr $umask + 22 \ - - $umask % 100 % 40 + $umask % 20 \ - - $umask % 10 % 4 + $umask % 2 - `;; - *) mkdir_umask=$umask,go-w;; - esac - - # With -d, create the new directory with the user-specified mode. - # Otherwise, rely on $mkdir_umask. - if test -n "$dir_arg"; then - mkdir_mode=-m$mode - else - mkdir_mode= - fi - - posix_mkdir=false - case $umask in - *[123567][0-7][0-7]) - # POSIX mkdir -p sets u+wx bits regardless of umask, which - # is incompatible with FreeBSD 'install' when (umask & 300) != 0. - ;; - *) - tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ - trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0 - - if (umask $mkdir_umask && - exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1 - then - if test -z "$dir_arg" || { - # Check for POSIX incompatibilities with -m. - # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or - # other-writable bit of parent directory when it shouldn't. - # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. - ls_ld_tmpdir=`ls -ld "$tmpdir"` - case $ls_ld_tmpdir in - d????-?r-*) different_mode=700;; - d????-?--*) different_mode=755;; - *) false;; - esac && - $mkdirprog -m$different_mode -p -- "$tmpdir" && { - ls_ld_tmpdir_1=`ls -ld "$tmpdir"` - test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" - } - } - then posix_mkdir=: - fi - rmdir "$tmpdir/d" "$tmpdir" - else - # Remove any dirs left behind by ancient mkdir implementations. - rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null - fi - trap '' 0;; - esac;; + # Create intermediate dirs using mode 755 as modified by the umask. + # This is like FreeBSD 'install' as of 1997-10-28. 
+ umask=`umask` + case $stripcmd.$umask in + # Optimize common cases. + *[2367][2367]) mkdir_umask=$umask;; + .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; + + *[0-7]) + mkdir_umask=`expr $umask + 22 \ + - $umask % 100 % 40 + $umask % 20 \ + - $umask % 10 % 4 + $umask % 2 + `;; + *) mkdir_umask=$umask,go-w;; + esac + + # With -d, create the new directory with the user-specified mode. + # Otherwise, rely on $mkdir_umask. + if test -n "$dir_arg"; then + mkdir_mode=-m$mode + else + mkdir_mode= + fi + + posix_mkdir=false + case $umask in + *[123567][0-7][0-7]) + # POSIX mkdir -p sets u+wx bits regardless of umask, which + # is incompatible with FreeBSD 'install' when (umask & 300) != 0. + ;; + *) + # $RANDOM is not portable (e.g. dash); use it when possible to + # lower collision chance + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 + + # As "mkdir -p" follows symlinks and we work in /tmp possibly; so + # create the $tmpdir first (and fail if unsuccessful) to make sure + # that nobody tries to guess the $tmpdir name. + if (umask $mkdir_umask && + $mkdirprog $mkdir_mode "$tmpdir" && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + test_tmpdir="$tmpdir/a" + ls_ld_tmpdir=`ls -ld "$test_tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. 
+ rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null + fi + trap '' 0;; + esac;; esac if $posix_mkdir && ( - umask $mkdir_umask && - $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" + umask $mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" ) then : else 
@@ -391,53 +377,51 @@ do # directory the slow way, step by step, checking for races as we go. case $dstdir in - /*) prefix='/';; - [-=\(\)!]*) prefix='./';; - *) prefix='';; + /*) prefix='/';; + [-=\(\)!]*) prefix='./';; + *) prefix='';; esac - eval "$initialize_posix_glob" - oIFS=$IFS IFS=/ - $posix_glob set -f + set -f set fnord $dstdir shift - $posix_glob set +f + set +f IFS=$oIFS prefixes= for d do - test X"$d" = X && continue - - prefix=$prefix$d - if test -d "$prefix"; then - prefixes= - else - if $posix_mkdir; then - (umask=$mkdir_umask && - $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break - # Don't fail if two instances are running concurrently. - test -d "$prefix" || exit 1 - else - case $prefix in - *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; - *) qprefix=$prefix;; - esac - prefixes="$prefixes '$qprefix'" - fi - fi - prefix=$prefix/ + test X"$d" = X && continue + + prefix=$prefix$d + if test -d "$prefix"; then + prefixes= + else + if $posix_mkdir; then + (umask=$mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break + # Don't fail if two instances are running concurrently. + test -d "$prefix" || exit 1 + else + case $prefix in + *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; + *) qprefix=$prefix;; + esac + prefixes="$prefixes '$qprefix'" + fi + fi + prefix=$prefix/ done if test -n "$prefixes"; then - # Don't fail if two instances are running concurrently. - (umask $mkdir_umask && - eval "\$doit_exec \$mkdirprog $prefixes") || - test -d "$dstdir" || exit 1 - obsolete_mkdir_used=true + # Don't fail if two instances are running concurrently. + (umask $mkdir_umask && + eval "\$doit_exec \$mkdirprog $prefixes") || + test -d "$dstdir" || exit 1 + obsolete_mkdir_used=true fi fi fi 
@@ -472,15 +456,12 @@ do # If -C, don't bother to copy if it wouldn't change the file. if $copy_on_change && - old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` && - new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` && - - eval "$initialize_posix_glob" && - $posix_glob set -f && + old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` && + new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` && + set -f && set X $old && old=:$2:$4:$5:$6 && set X $new && new=:$2:$4:$5:$6 && - $posix_glob set +f && - + set +f && test "$old" = "$new" && $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1 then @@ -493,24 +474,24 @@ do # to itself, or perhaps because mv is so ancient that it does not # support -f. { - # Now remove or move aside any old file at destination location. - # We try this two ways since rm can't unlink itself on some - # systems and the destination file might be busy for other - # reasons. In this case, the final cleanup might fail but the new - # file should still install successfully. - { - test ! -f "$dst" || - $doit $rmcmd -f "$dst" 2>/dev/null || - { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && - { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } - } || - { echo "$0: cannot unlink or rename $dst" >&2 - (exit 1); exit 1 - } - } && - - # Now rename the file to the real destination. - $doit $mvcmd "$dsttmp" "$dst" + # Now remove or move aside any old file at destination location. + # We try this two ways since rm can't unlink itself on some + # systems and the destination file might be busy for other + # reasons. In this case, the final cleanup might fail but the new + # file should still install successfully. + { + test ! -f "$dst" || + $doit $rmcmd -f "$dst" 2>/dev/null || + { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && + { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } + } || + { echo "$0: cannot unlink or rename $dst" >&2 + (exit 1); exit 1 + } + } && + + # Now rename the file to the real destination. + $doit $mvcmd "$dsttmp" "$dst" } fi || exit 1 
diff --git a/build-aux/ltmain.sh b/build-aux/ltmain.sh index 9fe8f59..bffda54 100644 --- a/build-aux/ltmain.sh +++ b/build-aux/ltmain.sh @@ -70,7 +70,7 @@ # compiler: $LTCC # compiler flags: $LTCFLAGS # linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.6 +# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.11 # automake: $automake_version # autoconf: $autoconf_version # @@ -80,7 +80,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.2 Debian-2.4.2-1.6" +VERSION="2.4.2 Debian-2.4.2-1.11" TIMESTAMP="" package_revision=1.3337 diff --git a/build-aux/mdate-sh b/build-aux/mdate-sh index b3719cf..9e2c0c9 100755 --- a/build-aux/mdate-sh +++ b/build-aux/mdate-sh @@ -1,9 +1,9 @@ #!/bin/sh # Get modification time of a file or directory and pretty-print it. -scriptversion=2010-08-21.06; # UTC +scriptversion=2015-04-09.19; # UTC -# Copyright (C) 1995-2013 Free Software Foundation, Inc. +# Copyright (C) 1995-2014 Free Software Foundation, Inc. # written by Ulrich Drepper , June 1995 # # This program is free software; you can redistribute it and/or modify @@ -74,6 +74,10 @@ export LC_ALL LC_TIME=C export LC_TIME +# Use UTC to get reproducible result +TZ=UTC +export TZ + # GNU ls changes its time format in response to the TIME_STYLE # variable. Since we cannot assume 'unset' works, revert this # variable to its documented default. diff --git a/build-aux/missing b/build-aux/missing index db98974..f62bbae 100755 --- a/build-aux/missing +++ b/build-aux/missing @@ -3,7 +3,7 @@ scriptversion=2013-10-28.13; # UTC -# Copyright (C) 1996-2013 Free Software Foundation, Inc. +# Copyright (C) 1996-2014 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard , 1996. # This program is free software; you can redistribute it and/or modify diff --git a/cfg.mk b/cfg.mk index 527e5f8..e3b8094 100644 --- a/cfg.mk +++ b/cfg.mk 
@@ -159,6 +159,9 @@ web: sed 's/\@VERSION\@/$(VERSION)/g' -i $(htmldir)/manual/html_node/*.html $(htmldir)/manual/gnutls.html -cd doc && make gnutls.epub && cp gnutls.epub ../$(htmldir)/manual/ cd doc/latex && make gnutls.pdf && cp gnutls.pdf ../../$(htmldir)/manual/ + make -C doc gnutls-guile.html gnutls-guile.pdf + cd doc && makeinfo --html --split=node -o ../$(htmldir)/manual/gnutls-guile/ --css-include=./texinfo.css gnutls-guile.texi + cd doc && cp gnutls-guile.pdf gnutls-guile.html ../$(htmldir)/manual/ #cd doc/doxygen && doxygen && cd ../.. && cp -v doc/doxygen/html/* $(htmldir)/devel/doxygen/ && cd doc/doxygen/latex && make refman.pdf && cd ../../../ && cp doc/doxygen/latex/refman.pdf $(htmldir)/devel/doxygen/$(PACKAGE).pdf -cp -v doc/reference/html/*.html doc/reference/html/*.png doc/reference/html/*.devhelp doc/reference/html/*.css $(htmldir)/reference/ #cp -v doc/cyclo/cyclo-$(PACKAGE).html $(htmldir)/cyclo/ @@ -193,12 +196,15 @@ asm-sources: $(ASM_SOURCES_ELF) $(ASM_SOURCES_COFF) $(ASM_SOURCES_MACOSX) lib/ac asm-sources-clean: rm -f $(ASM_SOURCES_ELF) $(ASM_SOURCES_COFF) $(ASM_SOURCES_MACOSX) lib/accelerated/x86/files.mk -X86_FILES=XXX/aesni-x86.s XXX/cpuid-x86.s XXX/e_padlock-x86.s XXX/sha1-ssse3-x86.s \ +X86_FILES=XXX/aesni-x86.s XXX/cpuid-x86.s XXX/sha1-ssse3-x86.s \ XXX/sha256-ssse3-x86.s XXX/sha512-ssse3-x86.s XXX/aes-ssse3-x86.s -X86_64_FILES=XXX/aesni-x86_64.s XXX/cpuid-x86_64.s XXX/e_padlock-x86_64.s XXX/ghash-x86_64.s \ +X86_64_FILES=XXX/aesni-x86_64.s XXX/cpuid-x86_64.s XXX/ghash-x86_64.s \ XXX/sha1-ssse3-x86_64.s XXX/sha512-ssse3-x86_64.s XXX/aes-ssse3-x86_64.s +X86_PADLOCK_FILES=XXX/e_padlock-x86.s +X86_64_PADLOCK_FILES=XXX/e_padlock-x86_64.s + X86_FILES_ELF := $(subst XXX,elf,$(X86_FILES)) X86_FILES_COFF := $(subst XXX,coff,$(X86_FILES)) X86_FILES_MACOSX := $(subst XXX,macosx,$(X86_FILES)) 
@@ -206,6 +212,13 @@ X86_64_FILES_ELF := $(subst XXX,elf,$(X86_64_FILES)) X86_64_FILES_COFF := $(subst XXX,coff,$(X86_64_FILES)) X86_64_FILES_MACOSX := $(subst XXX,macosx,$(X86_64_FILES)) +X86_PADLOCK_FILES_ELF := $(subst XXX,elf,$(X86_PADLOCK_FILES)) +X86_PADLOCK_FILES_COFF := $(subst XXX,coff,$(X86_PADLOCK_FILES)) +X86_PADLOCK_FILES_MACOSX := $(subst XXX,macosx,$(X86_PADLOCK_FILES)) +X86_64_PADLOCK_FILES_ELF := $(subst XXX,elf,$(X86_64_PADLOCK_FILES)) +X86_64_PADLOCK_FILES_COFF := $(subst XXX,coff,$(X86_64_PADLOCK_FILES)) +X86_64_PADLOCK_FILES_MACOSX := $(subst XXX,macosx,$(X86_64_PADLOCK_FILES)) + lib/accelerated/x86/files.mk: $(ASM_SOURCES_ELF) echo X86_FILES_ELF=$(X86_FILES_ELF) > $@.tmp echo X86_FILES_COFF=$(X86_FILES_COFF) >> $@.tmp @@ -213,6 +226,12 @@ lib/accelerated/x86/files.mk: $(ASM_SOURCES_ELF) echo X86_64_FILES_ELF=$(X86_64_FILES_ELF) >> $@.tmp echo X86_64_FILES_COFF=$(X86_64_FILES_COFF) >> $@.tmp echo X86_64_FILES_MACOSX=$(X86_64_FILES_MACOSX) >> $@.tmp + echo X86_PADLOCK_FILES_ELF=$(X86_PADLOCK_FILES_ELF) >> $@.tmp + echo X86_PADLOCK_FILES_COFF=$(X86_PADLOCK_FILES_COFF) >> $@.tmp + echo X86_PADLOCK_FILES_MACOSX=$(X86_PADLOCK_FILES_MACOSX) >> $@.tmp + echo X86_64_PADLOCK_FILES_ELF=$(X86_64_PADLOCK_FILES_ELF) >> $@.tmp + echo X86_64_PADLOCK_FILES_COFF=$(X86_64_PADLOCK_FILES_COFF) >> $@.tmp + echo X86_64_PADLOCK_FILES_MACOSX=$(X86_64_PADLOCK_FILES_MACOSX) >> $@.tmp mv $@.tmp $@ # Appro's code diff --git a/config.h.in b/config.h.in index 6ded4d8..4a8019c 100644 --- a/config.h.in +++ b/config.h.in @@ -42,6 +42,9 @@ /* use the given CRL file */ #undef DEFAULT_CRL_FILE +/* use the given directory as default trust store */ +#undef DEFAULT_TRUST_STORE_DIR + /* use the given file default trust store */ #undef DEFAULT_TRUST_STORE_FILE @@ -54,6 +57,9 @@ /* enable anonymous authentication */ #undef ENABLE_ANON +/* Enable ARCFOUR128 */ +#undef ENABLE_ARCFOUR128 + /* Enable cryptodev support */ #undef ENABLE_CRYPTODEV 
@@ -84,6 +90,9 @@ /* use openpgp authentication */ #undef ENABLE_OPENPGP +/* Enable padlock acceleration */ +#undef ENABLE_PADLOCK + /* Build PKCS#11 support */ #undef ENABLE_PKCS11 @@ -102,6 +111,9 @@ /* enable SRP authentication */ #undef ENABLE_SRP +/* Enable SSL3.0 */ +#undef ENABLE_SSL3 + /* fopen(3) accepts a 'b' in the mode flag */ #undef FOPEN_BINARY_FLAG @@ -299,6 +311,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_ARPA_INET_H +/* Have this function */ +#undef HAVE_ASN1_DECODE_SIMPLE_BER + /* Define to 1 if you have the `atexit' function. */ #undef HAVE_ATEXIT @@ -540,6 +555,9 @@ /* Define to 1 if you have the `getdelim' function. */ #undef HAVE_GETDELIM +/* Define to 1 if you have the `getdtablesize' function. */ +#undef HAVE_GETDTABLESIZE + /* Define to 1 if you have the `gethostbyname' function. */ #undef HAVE_GETHOSTBYNAME @@ -628,6 +646,9 @@ /* nettle is enabled */ #undef HAVE_LIBNETTLE +/* Define if you have the libnsl library. */ +#undef HAVE_LIBNSL + /* Define if you have the libpthread library. */ #undef HAVE_LIBPTHREAD @@ -717,6 +738,9 @@ /* Define to 1 if you have the `pthread_mutex_lock' function. */ #undef HAVE_PTHREAD_MUTEX_LOCK +/* Define to 1 if the system has the type `ptrdiff_t'. */ +#undef HAVE_PTRDIFF_T + /* Define to 1 if you have the `putenv' function. */ #undef HAVE_PUTENV @@ -1357,6 +1381,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_SEARCH_H +/* Define to 1 if you have the `secure_getenv' function. */ +#undef HAVE_SECURE_GETENV + /* Define to 1 if you have the `select' function. */ #undef HAVE_SELECT @@ -1613,6 +1640,9 @@ /* Define to 1 if you have the `vasprintf' function. */ #undef HAVE_VASPRINTF +/* Have va_copy() */ +#undef HAVE_VA_COPY + /* Define to 1 if you have the `vfork' function. */ #undef HAVE_VFORK 
@@ -1679,6 +1709,9 @@ /* Define to 1 if you have the `__fsetlocking' function. */ #undef HAVE___FSETLOCKING +/* Have __va_copy() */ +#undef HAVE___VA_COPY + /* Define as const if the declaration of iconv() needs const. */ #undef ICONV_CONST @@ -1701,6 +1734,9 @@ /* no ssize_t type was found */ #undef NO_SSIZE_T +/* p11-kit supports p11_kit_uri_get_pin_value() */ +#undef P11_KIT_HAS_PIN_VALUE + /* Name of package */ #undef PACKAGE @@ -1757,8 +1793,8 @@ 'sig_atomic_t'. */ #undef SIG_ATOMIC_T_SUFFIX -/* The size of `char*', as computed by sizeof. */ -#undef SIZEOF_CHARP +/* The size of `char *', as computed by sizeof. */ +#undef SIZEOF_CHAR_P /* The size of `int', as computed by sizeof. */ #undef SIZEOF_INT @@ -1817,9 +1853,15 @@ /* Define to 1 if your declares `struct tm'. */ #undef TM_IN_SYS_TIME +/* the location of the trousers library */ +#undef TROUSERS_LIB + /* The DNSSEC root key file */ #undef UNBOUND_ROOT_KEY_FILE +/* nettle 3.0 or later */ +#undef USE_NETTLE3 + /* Enable extensions on AIX 3, Interix. */ #ifndef _ALL_SOURCE # undef _ALL_SOURCE @@ -1832,6 +1874,10 @@ #ifndef _GNU_SOURCE # undef _GNU_SOURCE #endif +/* Use GNU style printf and scanf. */ +#ifndef __USE_MINGW_ANSI_STDIO +# undef __USE_MINGW_ANSI_STDIO +#endif /* Enable threading extensions on Solaris. */ #ifndef _POSIX_PTHREAD_SEMANTICS # undef _POSIX_PTHREAD_SEMANTICS 
@@ -1945,13 +1991,28 @@ 'reference to static identifier "f" in extern inline function'. This bug was observed with Sun C 5.12 SunOS_i386 2011/11/16. - Suppress the use of extern inline on problematic Apple configurations. - OS X 10.8 and earlier mishandle it; see, e.g., - . + Suppress extern inline (with or without __attribute__ ((__gnu_inline__))) + on configurations that mistakenly use 'static inline' to implement + functions or macros in standard C headers like . For example, + if isdigit is mistakenly implemented via a static inline function, + a program containing an extern inline function that calls isdigit + may not work since the C standard prohibits extern inline functions + from calling static functions. This bug is known to occur on: + + OS X 10.8 and earlier; see: + http://lists.gnu.org/archive/html/bug-gnulib/2012-12/msg00023.html + + DragonFly; see + http://muscles.dragonflybsd.org/bulk/bleeding-edge-potential/latest-per-pkg/ah-tty-0.3.12.log + + FreeBSD; see: + http://lists.gnu.org/archive/html/bug-gnulib/2014-07/msg00104.html + OS X 10.9 has a macro __header_inline indicating the bug is fixed for C and for clang but remains for g++; see . - Perhaps Apple will fix this some day. */ -#if (defined __APPLE__ \ + Assume DragonFly and FreeBSD will be similar. */ +#if (((defined __APPLE__ && defined __MACH__) \ + || defined __DragonFly__ || defined __FreeBSD__) \ && (defined __header_inline \ ? (defined __cplusplus && defined __GNUC_STDC_INLINE__ \ && ! defined __clang__) \ 
@@ -1959,19 +2020,19 @@ && (defined __GNUC__ || defined __cplusplus)) \ || (defined _FORTIFY_SOURCE && 0 < _FORTIFY_SOURCE \ && defined __GNUC__ && ! defined __cplusplus)))) -# define _GL_EXTERN_INLINE_APPLE_BUG +# define _GL_EXTERN_INLINE_STDHEADER_BUG #endif #if ((__GNUC__ \ ? defined __GNUC_STDC_INLINE__ && __GNUC_STDC_INLINE__ \ : (199901L <= __STDC_VERSION__ \ && !defined __HP_cc \ && !(defined __SUNPRO_C && __STDC__))) \ - && !defined _GL_EXTERN_INLINE_APPLE_BUG) + && !defined _GL_EXTERN_INLINE_STDHEADER_BUG) # define _GL_INLINE inline # define _GL_EXTERN_INLINE extern inline # define _GL_EXTERN_INLINE_IN_USE #elif (2 < __GNUC__ + (7 <= __GNUC_MINOR__) && !defined __STRICT_ANSI__ \ - && !defined _GL_EXTERN_INLINE_APPLE_BUG) + && !defined _GL_EXTERN_INLINE_STDHEADER_BUG) # if defined __GNUC_GNU_INLINE__ && __GNUC_GNU_INLINE__ /* __gnu_inline__ suppresses a GCC 4.2 diagnostic. */ # define _GL_INLINE extern inline __attribute__ ((__gnu_inline__)) @@ -1985,6 +2046,11 @@ # define _GL_EXTERN_INLINE static _GL_UNUSED #endif +/* In GCC, suppress bogus "no previous prototype for 'FOO'" + and "no previous declaration for 'FOO'" diagnostics, + when FOO is an inline function in the header; see + and + . */ #if 4 < __GNUC__ + (6 <= __GNUC_MINOR__) # if defined __GNUC_STDC_INLINE__ && __GNUC_STDC_INLINE__ # define _GL_INLINE_HEADER_CONST_PRAGMA @@ -1992,10 +2058,6 @@ # define _GL_INLINE_HEADER_CONST_PRAGMA \ _Pragma ("GCC diagnostic ignored \"-Wsuggest-attribute=const\"") # endif - /* Suppress GCC's bogus "no previous prototype for 'FOO'" - and "no previous declaration for 'FOO'" diagnostics, - when FOO is an inline function in the header; see - . */ # define _GL_INLINE_HEADER_BEGIN \ _Pragma ("GCC diagnostic push") \ _Pragma ("GCC diagnostic ignored \"-Wmissing-prototypes\"") \ 
@@ -2090,6 +2152,16 @@ is a misnomer outside of parameter lists. */ #define _UNUSED_PARAMETER_ _GL_UNUSED +/* gcc supports the "unused" attribute on possibly unused labels, and + g++ has since version 4.5. Note to support C++ as well as C, + _GL_UNUSED_LABEL should be used with a trailing ; */ +#if !defined __cplusplus || __GNUC__ > 4 \ + || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) +# define _GL_UNUSED_LABEL _GL_UNUSED +#else +# define _GL_UNUSED_LABEL +#endif + /* The __pure__ attribute was added in gcc 2.96. */ #if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 96) # define _GL_ATTRIBUTE_PURE __attribute__ ((__pure__)) diff --git a/configure b/configure index 3b20877..a67999c 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for GnuTLS 3.3.5. +# Generated by GNU Autoconf 2.69 for GnuTLS 3.3.27. # # Report bugs to . # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='GnuTLS' PACKAGE_TARNAME='gnutls' -PACKAGE_VERSION='3.3.5' -PACKAGE_STRING='GnuTLS 3.3.5' +PACKAGE_VERSION='3.3.27' +PACKAGE_STRING='GnuTLS 3.3.27' PACKAGE_BUGREPORT='bugs@gnutls.org' PACKAGE_URL='' @@ -680,10 +680,16 @@ NEED_LIBOPTS_TRUE INSTALL_LIBOPTS_FALSE INSTALL_LIBOPTS_TRUE POSIX_SHELL +GL_GENERATE_STDNORETURN_H_FALSE +GL_GENERATE_STDNORETURN_H_TRUE +STDNORETURN_H +TROUSERS_LIB ENABLE_TROUSERS_FALSE ENABLE_TROUSERS_TRUE TSS_CFLAGS TSS_LIBS +HAVE_BUGGY_P11_KIT_FALSE +HAVE_BUGGY_P11_KIT_TRUE ENABLE_PKCS11_FALSE ENABLE_PKCS11_TRUE P11_KIT_LIBS 
@@ -692,15 +698,21 @@ ENABLE_DANE_FALSE ENABLE_DANE_TRUE UNBOUND_CFLAGS UNBOUND_LIBS +ENABLE_SSL3_FALSE +ENABLE_SSL3_TRUE +ENABLE_ARCFOUR128_FALSE +ENABLE_ARCFOUR128_TRUE ENABLE_SELF_CHECKS_FALSE ENABLE_SELF_CHECKS_TRUE +ENABLE_NON_SUITEB_CURVES_FALSE +ENABLE_NON_SUITEB_CURVES_TRUE FIPS140_LIBS +ENABLE_FIPS140_FALSE +ENABLE_FIPS140_TRUE LIBDL_PREFIX LTLIBDL LIBDL HAVE_LIBDL -ENABLE_FIPS140_FALSE -ENABLE_FIPS140_TRUE CXXCPP OTOOL64 OTOOL @@ -985,6 +997,7 @@ GL_GENERATE_STDDEF_H_FALSE GL_GENERATE_STDDEF_H_TRUE STDDEF_H HAVE_WCHAR_T +HAVE_MAX_ALIGN_T REPLACE_NULL HAVE__BOOL GL_GENERATE_STDBOOL_H_FALSE @@ -1091,6 +1104,7 @@ REPLACE_SETENV REPLACE_REALPATH REPLACE_REALLOC REPLACE_RANDOM_R +REPLACE_QSORT_R REPLACE_PUTENV REPLACE_PTSNAME_R REPLACE_PTSNAME @@ -1142,6 +1156,7 @@ GNULIB_REALPATH GNULIB_REALLOC_POSIX GNULIB_RANDOM_R GNULIB_RANDOM +GNULIB_QSORT_R GNULIB_PUTENV GNULIB_PTSNAME_R GNULIB_PTSNAME @@ -1160,7 +1175,6 @@ GNULIB_CANONICALIZE_FILE_NAME GNULIB_CALLOC_POSIX GNULIB_ATOLL GNULIB__EXIT -SED HAVE_LD_VERSION_SCRIPT_FALSE HAVE_LD_VERSION_SCRIPT_TRUE HAVE_LD_OUTPUT_DEF_FALSE @@ -1347,6 +1361,10 @@ GL_COND_LIBTOOL_FALSE GL_COND_LIBTOOL_TRUE LIBICONV_PREFIX HAVE_LIBICONV +LIBNSL_PREFIX +LTLIBNSL +LIBNSL +HAVE_LIBNSL LIBPTHREAD_PREFIX LTLIBPTHREAD LIBPTHREAD @@ -1401,9 +1419,11 @@ REPLACE_USLEEP REPLACE_UNLINKAT REPLACE_UNLINK REPLACE_TTYNAME_R +REPLACE_SYMLINKAT REPLACE_SYMLINK REPLACE_SLEEP REPLACE_RMDIR +REPLACE_READLINKAT REPLACE_READLINK REPLACE_READ REPLACE_PWRITE @@ -1547,21 +1567,19 @@ LIBTASN1_LIBS LIBTASN1_CFLAGS GMP_LIBS GMP_CFLAGS +USE_NETTLE3_FALSE +USE_NETTLE3_TRUE ENABLE_NETTLE_FALSE ENABLE_NETTLE_TRUE HOGWEED_LIBS HOGWEED_CFLAGS NETTLE_LIBS NETTLE_CFLAGS -PKG_CONFIG DLL_VERSION CRYWRAP_PATCHLEVEL CXX_LT_AGE CXX_LT_REVISION CXX_LT_CURRENT -LT_XSSL_AGE -LT_XSSL_REVISION -LT_XSSL_CURRENT LT_DANE_AGE LT_DANE_REVISION LT_DANE_CURRENT 
@@ -1581,6 +1599,9 @@ ASM_X86_32_FALSE ASM_X86_32_TRUE ASM_X86_64_FALSE ASM_X86_64_TRUE +ENABLE_PADLOCK_FALSE +ENABLE_PADLOCK_TRUE +ENABLE_PADLOCK ELF_FALSE ELF_TRUE MACOSX_FALSE @@ -1596,6 +1617,7 @@ PATCH_VERSION MINOR_VERSION MAJOR_VERSION AUTOGEN +SED YFLAGS YACC am__fastdepCXX_FALSE @@ -1633,6 +1655,7 @@ CPPFLAGS LDFLAGS CFLAGS CC +PKG_CONFIG AM_BACKSLASH AM_DEFAULT_VERBOSITY AM_DEFAULT_V @@ -1687,6 +1710,7 @@ infodir docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -1714,6 +1738,7 @@ enable_dependency_tracking enable_largefile enable_cxx enable_hardware_acceleration +enable_padlock with_nettle_mini with_included_libtasn1 enable_dtls_srtp_support @@ -1743,6 +1768,7 @@ with_libiconv_prefix with_libintl_prefix with_librt_prefix with_libpthread_prefix +with_libnsl_prefix enable_ld_version_script enable_valgrind_tests enable_gcc_warnings @@ -1753,14 +1779,17 @@ enable_fast_install with_sysroot enable_libtool_lock enable_self_checks -enable_fips140_mode with_libdl_prefix +enable_fips140_mode enable_non_suiteb_curves +with_arcfour128 +with_ssl3 enable_libdane with_unbound_root_key_file with_system_priority_file with_p11_kit with_tpm +with_trousers_lib enable_local_libopts enable_libopts_install with_autoopts_config @@ -1772,6 +1801,7 @@ enable_optional_args with_zlib with_libz_prefix with_default_trust_store_pkcs11 +with_default_trust_store_dir with_default_trust_store_file with_default_crl_file with_default_blacklist_file @@ -1782,6 +1812,7 @@ enable_crywrap ac_precious_vars='build_alias host_alias target_alias +PKG_CONFIG CC CFLAGS LDFLAGS @@ -1795,7 +1826,6 @@ CXXFLAGS CCC YACC YFLAGS -PKG_CONFIG NETTLE_CFLAGS NETTLE_LIBS HOGWEED_CFLAGS @@ -1847,6 +1877,7 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' 
@@ -2099,6 +2130,15 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -2236,7 +2276,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -2349,7 +2389,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures GnuTLS 3.3.5 to adapt to many kinds of systems. +\`configure' configures GnuTLS 3.3.27 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2389,6 +2429,7 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] 
@@ -2419,7 +2460,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of GnuTLS 3.3.5:";; + short | recursive ) echo "Configuration of GnuTLS 3.3.27:";; esac cat <<\_ACEOF @@ -2437,6 +2478,7 @@ Optional Features: --disable-cxx unconditionally disable the C++ library --disable-hardware-acceleration unconditionally disable hardware acceleration + --disable-padlock unconditionally disable padlock acceleration --disable-dtls-srtp-support disable support for the DTLS-SRTP extension --disable-alpn-support disable support for the Application Layer Protocol @@ -2470,7 +2512,8 @@ Optional Features: --enable-ld-version-script enable linker version script (default is enabled when possible) - --enable-valgrind-tests run self tests under valgrind + --disable-valgrind-tests + don't try to run self tests under valgrind --enable-gcc-warnings turn on lots of GCC warnings (for developers) --enable-static[=PKGS] build static libraries [default=no] --enable-shared[=PKGS] build shared libraries [default=yes] @@ -2507,6 +2550,8 @@ Optional Packages: --without-librt-prefix don't search for librt in includedir and libdir --with-libpthread-prefix[=DIR] search for libpthread in DIR/include and DIR/lib --without-libpthread-prefix don't search for libpthread in includedir and libdir + --with-libnsl-prefix[=DIR] search for libnsl in DIR/include and DIR/lib + --without-libnsl-prefix don't search for libnsl in includedir and libdir --with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use both] --with-gnu-ld assume the C compiler uses GNU ld [default=no] 
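Review bot: `--disable-valgrind-tests` replacing `--enable-valgrind-tests` means the self tests now run under valgrind by default whenever it is found, but the new help text ('don't try to run self tests under valgrind') states neither the default nor its condition, unlike the `--enable-ld-version-script` line just above it, which says '(default is enabled when possible)'. Suggest the same style, e.g. 'do not run self tests under valgrind (default: enabled when valgrind is found)', so packagers understand that `make check` timing and behaviour now depend on whether valgrind happens to be installed on the build host.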
@@ -2514,12 +2559,15 @@ Optional Packages: (or the compiler's sysroot if not specified). --with-libdl-prefix[=DIR] search for libdl in DIR/include and DIR/lib --without-libdl-prefix don't search for libdl in includedir and libdir + --with-arcfour128 include ARCFOUR128 in priority strings + --with-ssl3 include SSL3.0 in priority strings --with-unbound-root-key-file specify the unbound root key file --with-system-priority-file specify the system priority file --without-p11-kit Build without p11-kit and PKCS#11 support --without-tpm Disable TPM (trousers) support. + --with-trousers-lib=LIB set the location of the trousers library --with-autoopts-config specify the config-info script --with-regex-header a reg expr header is specified --with-libregex libregex installation prefix @@ -2530,6 +2578,8 @@ Optional Packages: --without-libz-prefix don't search for libz in includedir and libdir --with-default-trust-store-pkcs11=URI use the given pkcs11 uri as default trust store + --with-default-trust-store-dir=DIR + use the given directory as default trust store --with-default-trust-store-file=FILE use the given file default trust store --with-default-crl-file=FILE @@ -2540,6 +2590,7 @@ Optional Packages: care) Some influential environment variables: + PKG_CONFIG path to pkg-config utility CC C compiler command CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L if you have libraries in a @@ -2558,7 +2609,6 @@ Some influential environment variables: YFLAGS The list of arguments that will be passed by default to $YACC. This script will default YFLAGS to the empty string to avoid a default value of `-d' given by some make applications. - PKG_CONFIG path to pkg-config utility NETTLE_CFLAGS C compiler flags for NETTLE, overriding pkg-config NETTLE_LIBS linker flags for NETTLE, overriding pkg-config 
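Review bot: the `--with-arcfour128` and `--with-ssl3` help text should say that these switches put an insecure cipher and an insecure protocol version back into the default priority strings, and should state the default; as written ('include ARCFOUR128 in priority strings', 'include SSL3.0 in priority strings') they read like neutral feature toggles. Something like 'include the insecure ARCFOUR128 cipher in the default priority strings (default: no)' and the equivalent for SSL 3.0 would be clearer and would match the explicitness of `--disable-padlock unconditionally disable padlock acceleration` two hunks up. In the same hunk, `--with-trousers-lib=LIB set the location of the trousers library` does not say whether LIB is a bare library name or an absolute path; if the value is handed to a runtime loader, the text should require an absolute path, since a relative name would be resolved through the loader's search path.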
@@ -2647,7 +2697,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -GnuTLS configure 3.3.5 +GnuTLS configure 3.3.27 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2984,6 +3034,73 @@ fi } # ac_fn_cxx_try_compile +# ac_fn_c_check_func LINENO FUNC VAR +# ---------------------------------- +# Tests whether FUNC exists, setting the cache variable VAR accordingly +ac_fn_c_check_func () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +/* Define $2 to an innocuous variant, in case declares $2. + For example, HP-UX 11i declares gettimeofday. */ +#define $2 innocuous_$2 + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $2 (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $2 + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $2 (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined __stub_$2 || defined __stub___$2 +choke me +#endif + +int +main () +{ +return $2 (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + eval "$3=yes" +else + eval "$3=no" +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_func + # ac_fn_c_compute_int LINENO EXPR VAR INCLUDES # -------------------------------------------- # Tries to find the compile-time value of EXPR in a program that includes 
@@ -3167,73 +3284,6 @@ rm -f conftest.val } # ac_fn_c_compute_int -# ac_fn_c_check_func LINENO FUNC VAR -# ---------------------------------- -# Tests whether FUNC exists, setting the cache variable VAR accordingly -ac_fn_c_check_func () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -$as_echo_n "checking for $2... " >&6; } -if eval \${$3+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -/* Define $2 to an innocuous variant, in case declares $2. - For example, HP-UX 11i declares gettimeofday. */ -#define $2 innocuous_$2 - -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $2 (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ - -#ifdef __STDC__ -# include -#else -# include -#endif - -#undef $2 - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char $2 (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined __stub_$2 || defined __stub___$2 -choke me -#endif - -int -main () -{ -return $2 (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - eval "$3=yes" -else - eval "$3=no" -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi -eval ac_res=\$$3 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - -} # ac_fn_c_check_func - # ac_fn_c_check_type LINENO TYPE VAR INCLUDES # ------------------------------------------- # Tests whether TYPE exists after having included INCLUDES, setting cache @@ -3477,7 +3527,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by GnuTLS $as_me 3.3.5, which was +It was created by GnuTLS $as_me 3.3.27, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3781,6 +3831,7 @@ gl_header_list="$gl_header_list features.h" gl_header_list="$gl_header_list inttypes.h" gl_func_list="$gl_func_list shutdown" gl_header_list="$gl_header_list arpa/inet.h" +gl_func_list="$gl_func_list getdtablesize" gl_header_list="$gl_header_list stdio_ext.h" gl_header_list="$gl_header_list termios.h" gl_func_list="$gl_func_list __fsetlocking" @@ -3960,7 +4011,7 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac -am__api_version='1.14' +am__api_version='1.15' # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or 
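Review bot: the `ac_fn_c_check_func` body removed in this hunk is identical to the one added at `@@ -2984,6 +3034,73 @@`; autoconf emits shell functions in order of first use, and `AC_CHECK_FUNC` is now first used earlier in configure.ac (presumably the `asn1_decode_simple_ber` probe), so this is a pure relocation with no behavioural change. One thing to check in the shipped file rather than in this rendering: the stub-probe source shows bare `#include` lines where autoconf's template reads `# include <limits.h>` / `# include <assert.h>`, so the angle-bracketed names appear to have been stripped by whatever produced this page and should be confirmed present in the actual script. The `am__api_version` change from 1.14 to 1.15 and the added `getdtablesize` gnulib probe are regeneration noise.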
@@ -4132,8 +4183,8 @@ test "$program_suffix" != NONE && ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` -# expand $ac_aux_dir to an absolute path -am_aux_dir=`cd $ac_aux_dir && pwd` +# Expand $ac_aux_dir to an absolute path. +am_aux_dir=`cd "$ac_aux_dir" && pwd` if test x"${MISSING+set}" != xset; then case $am_aux_dir in @@ -4152,7 +4203,7 @@ else $as_echo "$as_me: WARNING: 'missing' script is too old or missing" >&2;} fi -if test x"${install_sh}" != xset; then +if test x"${install_sh+set}" != xset; then case $am_aux_dir in *\ * | *\ *) install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; @@ -4446,7 +4497,7 @@ fi # Define the identity of the package. PACKAGE='gnutls' - VERSION='3.3.5' + VERSION='3.3.27' cat >>confdefs.h <<_ACEOF @@ -4480,8 +4531,8 @@ MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"} # mkdir_p='$(MKDIR_P)' -# We need awk for the "check" target. The system "awk" is bad on -# some platforms. +# We need awk for the "check" target (and possibly the TAP driver). The +# system "awk" is bad on some platforms. # Always define AMTAR for backward compatibility. Yes, it's still used # in the wild :-( We should find a proper way to deprecate it ... AMTAR='$${TAR-tar}' 
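Review bot: the `install_sh` change is a genuine bug fix worth keeping even if the rest of the automake 1.15 churn were reverted: the old test `x"${install_sh}" != xset` compared the variable's value to the literal string `set`, so any user-supplied `install_sh` was silently overwritten with `$am_aux_dir/install-sh`; the new `${install_sh+set}` form checks whether the variable is set at all, which is what the `MISSING` test just above already does. The quoting of `cd "$ac_aux_dir"` in the same hunk fixes builds from a source path containing whitespace. `VERSION='3.3.27'` agrees with the banner and config.log strings earlier in the diff.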
@@ -4588,6 +4639,122 @@ $as_echo "*** *** Checking for compilation programs... " >&6; } + + +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. +set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PKG_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PKG_CONFIG=$ac_cv_path_PKG_CONFIG +if test -n "$PKG_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 +$as_echo "$PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_path_PKG_CONFIG"; then + ac_pt_PKG_CONFIG=$PKG_CONFIG + # Extract the first word of "pkg-config", so it can be a program name with args. +set dummy pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $ac_pt_PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. 
+ ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG +if test -n "$ac_pt_PKG_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5 +$as_echo "$ac_pt_PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_pt_PKG_CONFIG" = x; then + PKG_CONFIG="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + PKG_CONFIG=$ac_pt_PKG_CONFIG + fi +else + PKG_CONFIG="$ac_cv_path_PKG_CONFIG" +fi + +fi +if test -n "$PKG_CONFIG"; then + _pkg_min_version=0.9.0 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5 +$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; } + if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + PKG_CONFIG="" + fi + +fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' 
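Review bot: moving the `PKG_CONFIG` detection up to here (ahead of the compiler checks) is fine ordering-wise because `$ac_tool_prefix` and `$cross_compiling` are already known from the host canonicalisation above, but the failure mode is now easy to misread: when pkg-config is absent or older than `_pkg_min_version=0.9.0` the script prints `no`, quietly sets `PKG_CONFIG=""`, and the first hard error the user sees is `Libnettle 2.7.1 was not found` from the nettle hunk further down. Suggest turning the `PKG_CONFIG=""` branches into an `as_fn_error` naming pkg-config, or at least a warning, since nettle, hogweed and libtasn1 are all discovered through pkg-config in this script. The 'using cross tools not prefixed with host triplet' warning when falling back to an unprefixed `pkg-config` is standard pkg.m4 behaviour.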
@@ -6324,6 +6491,8 @@ $as_echo "$ac_cv_safe_to_define___extensions__" >&6; } $as_echo "#define _GNU_SOURCE 1" >>confdefs.h + $as_echo "#define __USE_MINGW_ANSI_STDIO 1" >>confdefs.h + $as_echo "#define _POSIX_PTHREAD_SEMANTICS 1" >>confdefs.h $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h @@ -6861,6 +7030,9 @@ fi # Code from module fseeko: # Code from module fstat: + # Code from module ftell: + # Code from module ftello: + # Code from module getaddrinfo: # Code from module getdelim: # Code from module getline: @@ -6881,6 +7053,7 @@ fi # Code from module malloc-posix: # Code from module malloca: # Code from module memchr: + # Code from module minmax: # Code from module mktime: # Code from module msvc-inval: # Code from module msvc-nothrow: @@ -6889,6 +7062,7 @@ fi # Code from module netinet_in: # Code from module parse-datetime: # Code from module progname: + # Code from module read-file: # Code from module realloc-posix: # Code from module recv: # Code from module recvfrom: 
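Review bot: `__USE_MINGW_ANSI_STDIO 1` is now written to `confdefs.h` unconditionally next to `_GNU_SOURCE` and `_POSIX_PTHREAD_SEMANTICS`; that is harmless on non-MinGW targets (only the mingw-w64 headers read it), and on MinGW it means every later link probe, including the `vasprintf`/`va_copy` checks, is compiled against the same stdio flavour the library itself will be built with, which is what you want. The added gnulib modules (`ftell`, `ftello`, `minmax`, `read-file`) appear here only in the module comment block; their actual probes are elsewhere in the diff.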
@@ -7673,6 +7847,75 @@ fi done test -n "$YACC" || YACC="yacc" +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5 +$as_echo_n "checking for a sed that does not truncate output... " >&6; } +if ${ac_cv_path_SED+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/ + for ac_i in 1 2 3 4 5 6 7; do + ac_script="$ac_script$as_nl$ac_script" + done + echo "$ac_script" 2>/dev/null | sed 99q >conftest.sed + { ac_script=; unset ac_script;} + if test -z "$SED"; then + ac_path_SED_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in sed gsed; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_SED="$as_dir/$ac_prog$ac_exec_ext" + as_fn_executable_p "$ac_path_SED" || continue +# Check for GNU ac_path_SED and select it if it is found. 
+ # Check for GNU $ac_path_SED +case `"$ac_path_SED" --version 2>&1` in +*GNU*) + ac_cv_path_SED="$ac_path_SED" ac_path_SED_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo '' >> "conftest.nl" + "$ac_path_SED" -f conftest.sed < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + as_fn_arith $ac_count + 1 && ac_count=$as_val + if test $ac_count -gt ${ac_path_SED_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_SED="$ac_path_SED" + ac_path_SED_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + $ac_path_SED_found && break 3 + done + done + done +IFS=$as_save_IFS + if test -z "$ac_cv_path_SED"; then + as_fn_error $? "no acceptable sed could be found in \$PATH" "$LINENO" 5 + fi +else + ac_cv_path_SED=$SED +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_SED" >&5 +$as_echo "$ac_cv_path_SED" >&6; } + SED="$ac_cv_path_SED" + rm -f conftest.sed + # Extract the first word of "autogen", so it can be a program name with args. set dummy autogen; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 @@ -7712,6 +7955,8 @@ fi + + if test x"$AUTOGEN" = "x/bin/true"; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: *** @@ -7947,6 +8192,7 @@ else fi +use_accel=yes case "$host" in *mingw32* | *mingw64*) have_win=yes 
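Review bot: the new sed probe introduces a hard configure-time failure (`no acceptable sed could be found in $PATH`) that 3.3.5 did not have; that is justified because `SED` is now substituted into the Makefiles (see the `+SED` entry in `ac_subst_vars` at the top of this diff), but it should be mentioned as a build requirement in the release notes. Note that the probe builds `conftest.sed` by piping through whichever `sed` is first in PATH before any candidate is validated, so a broken PATH sed makes every candidate fail rather than causing `gsed` to be selected; that is upstream `AC_PROG_SED` behaviour and not something to fix here. The two blank `+` lines inserted before `if test x"$AUTOGEN" = "x/bin/true"` are cosmetic.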
@@ -7954,6 +8200,19 @@ case "$host" in *darwin*) have_macosx=yes ;; + *solaris*) + use_accel=no + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: +*** +*** In solaris hardware acceleration is disabled by default due to issues +*** with the assembler. Use --enable-hardware-acceleration to enable it. +*** " >&5 +$as_echo "$as_me: WARNING: +*** +*** In solaris hardware acceleration is disabled by default due to issues +*** with the assembler. Use --enable-hardware-acceleration to enable it. +*** " >&2;} + ;; *) have_elf=yes ;; @@ -7987,8 +8246,6 @@ fi # Check whether --enable-hardware-acceleration was given. if test "${enable_hardware_acceleration+set}" = set; then : enableval=$enable_hardware_acceleration; use_accel=$enableval -else - use_accel=yes fi hw_accel=none @@ -8021,6 +8278,28 @@ esac fi +# Check whether --enable-padlock was given. +if test "${enable_padlock+set}" = set; then : + enableval=$enable_padlock; use_padlock=$enableval +else + use_padlock=yes +fi + + +if test "$use_padlock" != "no"; then + +$as_echo "#define ENABLE_PADLOCK 1" >>confdefs.h + + +fi + if test "$use_padlock" = "yes"; then + ENABLE_PADLOCK_TRUE= + ENABLE_PADLOCK_FALSE='#' +else + ENABLE_PADLOCK_TRUE='#' + ENABLE_PADLOCK_FALSE= +fi + if test x"$hw_accel" = x"x86-64"; then ASM_X86_64_TRUE= ASM_X86_64_FALSE='#' 
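Review bot: `--disable-hardware-acceleration` no longer disables everything its help text claims. `use_padlock` defaults to `yes` independently of `use_accel`, so a build configured with `--disable-hardware-acceleration` (or any Solaris build, where `use_accel=no` is now the default) still gets `#define ENABLE_PADLOCK 1` and `ENABLE_PADLOCK_TRUE` set; unless the padlock sources are also gated on the `ASM_X86_*` conditionals, that contradicts 'unconditionally disable hardware acceleration'. Suggest `if test "$use_accel" = no; then use_padlock=no; fi` before the padlock block. Second, the C define and the automake conditional use different tests: `ENABLE_PADLOCK` is defined when `use_padlock != no`, while `ENABLE_PADLOCK_TRUE` requires `use_padlock = yes`, so `--enable-padlock=anything-else` compiles the padlock code paths without building their objects; normalise `use_padlock` to yes/no first. The hoisting of `use_accel=yes` above the `case "$host"` block and the removal of the `else use_accel=yes` default from the `--enable-hardware-acceleration` handler are consistent with each other and are what let the Solaris branch override the default.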
@@ -8064,131 +8343,15 @@ fi - -if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then - if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. -set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_PKG_CONFIG+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $PKG_CONFIG in - [\\/]* | ?:[\\/]*) - ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - ;; -esac -fi -PKG_CONFIG=$ac_cv_path_PKG_CONFIG -if test -n "$PKG_CONFIG"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 -$as_echo "$PKG_CONFIG" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -fi -if test -z "$ac_cv_path_PKG_CONFIG"; then - ac_pt_PKG_CONFIG=$PKG_CONFIG - # Extract the first word of "pkg-config", so it can be a program name with args. -set dummy pkg-config; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $ac_pt_PKG_CONFIG in - [\\/]* | ?:[\\/]*) - ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - ;; -esac -fi -ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG -if test -n "$ac_pt_PKG_CONFIG"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5 -$as_echo "$ac_pt_PKG_CONFIG" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - if test "x$ac_pt_PKG_CONFIG" = x; then - PKG_CONFIG="" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -ac_tool_warned=yes ;; -esac - PKG_CONFIG=$ac_pt_PKG_CONFIG - fi -else - PKG_CONFIG="$ac_cv_path_PKG_CONFIG" -fi - -fi -if test -n "$PKG_CONFIG"; then - _pkg_min_version=0.9.0 - { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5 -$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; } - if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - PKG_CONFIG="" - fi - -fi - # Library code modified: REVISION++ # Interfaces changed/added/removed: CURRENT++ REVISION=0 # Interfaces added: AGE++ # Interfaces removed: AGE=0 (+bump all symbol versions in .map) - LT_CURRENT=66 + LT_CURRENT=71 - LT_REVISION=0 + LT_REVISION=1 - LT_AGE=38 + LT_AGE=43 LT_SSL_CURRENT=27 
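Review bot: the libtool version bumps keep the SONAMEs stable, which is the property that matters: `LT_CURRENT - LT_AGE` is 66-38=28 before and 71-43=28 after, and `LT_DANE_CURRENT - LT_DANE_AGE` is 0 for both 4:1:4 and 5:0:5, so the interfaces added between 3.3.5 and 3.3.27 are backward compatible and existing binaries keep linking. `LT_XSSL_CURRENT/REVISION/AGE` are deleted outright; make sure no `Makefile.am` or `.map` still references them, since a leftover `@LT_XSSL_CURRENT@` would be passed through literally into the generated Makefile rather than failing at configure time. The large `-` block above is the `PKG_CONFIG` detection that was re-added near the top of the file, not a removal of functionality.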
@@ -8198,18 +8361,11 @@ fi LT_SSL_AGE=0 - LT_DANE_CURRENT=4 - - LT_DANE_REVISION=1 - - LT_DANE_AGE=4 + LT_DANE_CURRENT=5 + LT_DANE_REVISION=0 - LT_XSSL_CURRENT=0 - - LT_XSSL_REVISION=0 - - LT_XSSL_AGE=0 + LT_DANE_AGE=5 CXX_LT_CURRENT=29 @@ -8290,14 +8446,14 @@ $as_echo "no" >&6; } as_fn_error $? " *** - *** Libnettle 2.7 was not found. + *** Libnettle 2.7.1 was not found. " "$LINENO" 5 elif test $pkg_failed = untried; then as_fn_error $? " *** - *** Libnettle 2.7 was not found. + *** Libnettle 2.7.1 was not found. " "$LINENO" 5 else @@ -8399,6 +8555,24 @@ fi $as_echo "#define HAVE_LIBNETTLE 1" >>confdefs.h + nettle_version=`$PKG_CONFIG --modversion nettle` + + if $PKG_CONFIG --atleast-version=3.0 nettle; then + +$as_echo "#define USE_NETTLE3 1" >>confdefs.h + + use_nettle3=yes + else + use_nettle3=no + fi + if test "$use_nettle3" = "yes"; then + USE_NETTLE3_TRUE= + USE_NETTLE3_FALSE='#' +else + USE_NETTLE3_TRUE='#' + USE_NETTLE3_FALSE= +fi + GNUTLS_REQUIRES_PRIVATE="Requires.private: nettle, hogweed" @@ -8487,12 +8661,12 @@ if test -n "$PKG_CONFIG"; then pkg_cv_LIBTASN1_CFLAGS="$LIBTASN1_CFLAGS" else if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libtasn1 >= 3.4\""; } >&5 - ($PKG_CONFIG --exists --print-errors "libtasn1 >= 3.4") 2>&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libtasn1 >= 3.9\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libtasn1 >= 3.9") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_LIBTASN1_CFLAGS=`$PKG_CONFIG --cflags "libtasn1 >= 3.4" 2>/dev/null` + pkg_cv_LIBTASN1_CFLAGS=`$PKG_CONFIG --cflags "libtasn1 >= 3.9" 2>/dev/null` else pkg_failed=yes fi 
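Review bot: the error text now reads `Libnettle 2.7.1 was not found` in both the `no` and `untried` branches, but the `--exists` constraint that selects those branches is not in the visible hunks; verify that the pkg-config check string was bumped to `nettle >= 2.7.1` (and hogweed likewise) and not only the message. `nettle_version` is captured with `--modversion` but nothing in this hunk consumes it. The `USE_NETTLE3` define and conditional are keyed on `--atleast-version=3.0 nettle`, which also exits non-zero when the module is missing, so the `use_nettle3=no` path is reached in that case too; harmless, because the fatal `as_fn_error` above would already have fired. The libtasn1 floor moves from 3.4 to 3.9 in the `LIBTASN1_CFLAGS` hunk here; the matching `LIBTASN1_LIBS` and error-message hunks follow.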
@@ -8505,12 +8679,12 @@ if test -n "$PKG_CONFIG"; then pkg_cv_LIBTASN1_LIBS="$LIBTASN1_LIBS" else if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libtasn1 >= 3.4\""; } >&5 - ($PKG_CONFIG --exists --print-errors "libtasn1 >= 3.4") 2>&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libtasn1 >= 3.9\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libtasn1 >= 3.9") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_LIBTASN1_LIBS=`$PKG_CONFIG --libs "libtasn1 >= 3.4" 2>/dev/null` + pkg_cv_LIBTASN1_LIBS=`$PKG_CONFIG --libs "libtasn1 >= 3.9" 2>/dev/null` else pkg_failed=yes fi @@ -8529,9 +8703,9 @@ else _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then - LIBTASN1_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libtasn1 >= 3.4"` + LIBTASN1_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libtasn1 >= 3.9"` else - LIBTASN1_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libtasn1 >= 3.4"` + LIBTASN1_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libtasn1 >= 3.9"` fi # Put the nasty error message in config.log where it belongs echo "$LIBTASN1_PKG_ERRORS" >&5 @@ -8574,6 +8748,22 @@ fi if test "$included_libtasn1" = "no"; then GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, libtasn1" + oldlibs="$LIBS" + LIBS="$LIBS $LIBTASN1_LIBS" + oldcflags="$CFLAGS" + CFLAGS="$CFLAGS $LIBTASN1_CFLAGS" + ac_fn_c_check_func "$LINENO" "asn1_decode_simple_ber" "ac_cv_func_asn1_decode_simple_ber" +if test "x$ac_cv_func_asn1_decode_simple_ber" = xyes; then : + +$as_echo "#define HAVE_ASN1_DECODE_SIMPLE_BER 1" >>confdefs.h + +fi + + LIBS="$oldlibs" + else + +$as_echo "#define HAVE_ASN1_DECODE_SIMPLE_BER 1" >>confdefs.h + fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C99 macros are supported" >&5 
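Review bot: `CFLAGS` is never restored in the `asn1_decode_simple_ber` probe. The hunk saves `oldcflags="$CFLAGS"` and appends `$LIBTASN1_CFLAGS` before calling `ac_fn_c_check_func`, but afterwards only `LIBS="$oldlibs"` is executed, so the libtasn1 include flags leak into `CFLAGS` for every subsequent configure probe and into the generated Makefiles. Add `CFLAGS="$oldcflags"` next to the `LIBS` restore. The `else` branch defines `HAVE_ASN1_DECODE_SIMPLE_BER` unconditionally for the bundled copy of libtasn1, which is only correct if the in-tree copy is at least the release that introduced `asn1_decode_simple_ber`; the system-library floor being raised from 3.4 to 3.9 in the surrounding hunks suggests that is the intended minimum, so the bundled version should be checked against it.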
@@ -9235,9 +9425,11 @@ $as_echo "#define GNUTLS_POINTER_TO_INT_CAST (long long)" >>confdefs.h REPLACE_PWRITE=0; REPLACE_READ=0; REPLACE_READLINK=0; + REPLACE_READLINKAT=0; REPLACE_RMDIR=0; REPLACE_SLEEP=0; REPLACE_SYMLINK=0; + REPLACE_SYMLINKAT=0; REPLACE_TTYNAME_R=0; REPLACE_UNLINK=0; REPLACE_UNLINKAT=0; @@ -12002,7 +12194,7 @@ $as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h esac -for ac_func in fork getrusage getpwuid_r nanosleep daemon getpid clock_gettime iconv localtime vasprintf +for ac_func in secure_getenv fork inet_ntop inet_pton getrusage getpwuid_r nanosleep daemon getpid clock_gettime iconv localtime vasprintf do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" 
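Review bot: good to see `secure_getenv` added to the probed functions; it is the glibc entry point that returns NULL in `AT_SECURE` (setuid/setgid or capability-elevated) processes. The follow-up check belongs in the code that consumes `HAVE_SECURE_GETENV`: the fallback for platforms without it must not degrade to a bare `getenv` for anything that influences code paths or file locations, otherwise the hardening only applies on glibc. `inet_ntop`/`inet_pton` are probed here because the libnsl search added further down is keyed on `ac_cv_func_inet_pton`; `REPLACE_READLINKAT`/`REPLACE_SYMLINKAT` are gnulib bookkeeping.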
@@ -12014,6 +12206,67 @@ _ACEOF fi done +if test "$ac_cv_func_vasprintf" != "yes";then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for va_copy" >&5 +$as_echo_n "checking for va_copy... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include + va_list a; +int +main () +{ + + va_list b; + va_copy(b,a); + va_end(b); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + +$as_echo "#define HAVE_VA_COPY 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: va_copy" >&5 +$as_echo "va_copy" >&6; } +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include + va_list a; +int +main () +{ + + va_list b; + __va_copy(b,a); + va_end(b); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + +$as_echo "#define HAVE___VA_COPY 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: __va_copy" >&5 +$as_echo "__va_copy" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "Your system lacks vasprintf() and va_copy()" "$LINENO" 5 +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi + if test "$ac_cv_func_fork" != "no"; then HAVE_FORK_TRUE= HAVE_FORK_FALSE='#' 
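Review bot: the `va_copy` fallback probe runs only when `vasprintf` is missing and aborts configure if neither `va_copy` nor `__va_copy` links, which is a sensible hard requirement. However, both conftest sources as rendered here contain a bare `#include` with no header name; `va_list` needs `<stdarg.h>`, and if the generated script really lacks the name, both probes fail to compile and configure dies with `Your system lacks vasprintf() and va_copy()` on every platform without `vasprintf`, including ones that do have `va_copy`. Confirm the header name survived generation (it is most likely a rendering loss on this page, as with the `ac_fn_c_check_func` stubs earlier). Minor: `if test "$ac_cv_func_vasprintf" != "yes";then` is valid sh, but the missing space after `;` is inconsistent with the rest of the file.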
@@ -13696,6 +13949,559 @@ $as_echo "$LIBRT" >&6; } gnutls_needs_librt=yes fi +if test "$ac_cv_func_inet_pton" != "yes";then + + + + + + + + + + + + + + use_additional=yes + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_includedir=\"$includedir\" + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + +# Check whether --with-libnsl-prefix was given. +if test "${with_libnsl_prefix+set}" = set; then : + withval=$with_libnsl_prefix; + if test "X$withval" = "Xno"; then + use_additional=no + else + if test "X$withval" = "X"; then + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_includedir=\"$includedir\" + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + else + additional_includedir="$withval/include" + additional_libdir="$withval/$acl_libdirstem" + if test "$acl_libdirstem2" != "$acl_libdirstem" \ + && ! 
test -d "$withval/$acl_libdirstem"; then + additional_libdir="$withval/$acl_libdirstem2" + fi + fi + fi + +fi + + LIBNSL= + LTLIBNSL= + INCNSL= + LIBNSL_PREFIX= + HAVE_LIBNSL= + rpathdirs= + ltrpathdirs= + names_already_handled= + names_next_round='nsl ' + while test -n "$names_next_round"; do + names_this_round="$names_next_round" + names_next_round= + for name in $names_this_round; do + already_handled= + for n in $names_already_handled; do + if test "$n" = "$name"; then + already_handled=yes + break + fi + done + if test -z "$already_handled"; then + names_already_handled="$names_already_handled $name" + uppername=`echo "$name" | sed -e 'y|abcdefghijklmnopqrstuvwxyz./-|ABCDEFGHIJKLMNOPQRSTUVWXYZ___|'` + eval value=\"\$HAVE_LIB$uppername\" + if test -n "$value"; then + if test "$value" = yes; then + eval value=\"\$LIB$uppername\" + test -z "$value" || LIBNSL="${LIBNSL}${LIBNSL:+ }$value" + eval value=\"\$LTLIB$uppername\" + test -z "$value" || LTLIBNSL="${LTLIBNSL}${LTLIBNSL:+ }$value" + else + : + fi + else + found_dir= + found_la= + found_so= + found_a= + eval libname=\"$acl_libname_spec\" # typically: libname=lib$name + if test -n "$acl_shlibext"; then + shrext=".$acl_shlibext" # typically: shrext=.so + else + shrext= + fi + if test $use_additional = yes; then + dir="$additional_libdir" + if test -n "$acl_shlibext"; then + if test -f "$dir/$libname$shrext"; then + found_dir="$dir" + found_so="$dir/$libname$shrext" + else + if test "$acl_library_names_spec" = '$libname$shrext$versuffix'; then + ver=`(cd "$dir" && \ + for f in "$libname$shrext".*; do echo "$f"; done \ + | sed -e "s,^$libname$shrext\\\\.,," \ + | sort -t '.' 
-n -r -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 \ + | sed 1q ) 2>/dev/null` + if test -n "$ver" && test -f "$dir/$libname$shrext.$ver"; then + found_dir="$dir" + found_so="$dir/$libname$shrext.$ver" + fi + else + eval library_names=\"$acl_library_names_spec\" + for f in $library_names; do + if test -f "$dir/$f"; then + found_dir="$dir" + found_so="$dir/$f" + break + fi + done + fi + fi + fi + if test "X$found_dir" = "X"; then + if test -f "$dir/$libname.$acl_libext"; then + found_dir="$dir" + found_a="$dir/$libname.$acl_libext" + fi + fi + if test "X$found_dir" != "X"; then + if test -f "$dir/$libname.la"; then + found_la="$dir/$libname.la" + fi + fi + fi + if test "X$found_dir" = "X"; then + for x in $LDFLAGS $LTLIBNSL; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + case "$x" in + -L*) + dir=`echo "X$x" | sed -e 's/^X-L//'` + if test -n "$acl_shlibext"; then + if test -f "$dir/$libname$shrext"; then + found_dir="$dir" + found_so="$dir/$libname$shrext" + else + if test "$acl_library_names_spec" = '$libname$shrext$versuffix'; then + ver=`(cd "$dir" && \ + for f in "$libname$shrext".*; do echo "$f"; done \ + | sed -e "s,^$libname$shrext\\\\.,," \ + | sort -t '.' 
-n -r -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 \ + | sed 1q ) 2>/dev/null` + if test -n "$ver" && test -f "$dir/$libname$shrext.$ver"; then + found_dir="$dir" + found_so="$dir/$libname$shrext.$ver" + fi + else + eval library_names=\"$acl_library_names_spec\" + for f in $library_names; do + if test -f "$dir/$f"; then + found_dir="$dir" + found_so="$dir/$f" + break + fi + done + fi + fi + fi + if test "X$found_dir" = "X"; then + if test -f "$dir/$libname.$acl_libext"; then + found_dir="$dir" + found_a="$dir/$libname.$acl_libext" + fi + fi + if test "X$found_dir" != "X"; then + if test -f "$dir/$libname.la"; then + found_la="$dir/$libname.la" + fi + fi + ;; + esac + if test "X$found_dir" != "X"; then + break + fi + done + fi + if test "X$found_dir" != "X"; then + LTLIBNSL="${LTLIBNSL}${LTLIBNSL:+ }-L$found_dir -l$name" + if test "X$found_so" != "X"; then + if test "$enable_rpath" = no \ + || test "X$found_dir" = "X/usr/$acl_libdirstem" \ + || test "X$found_dir" = "X/usr/$acl_libdirstem2"; then + LIBNSL="${LIBNSL}${LIBNSL:+ }$found_so" + else + haveit= + for x in $ltrpathdirs; do + if test "X$x" = "X$found_dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + ltrpathdirs="$ltrpathdirs $found_dir" + fi + if test "$acl_hardcode_direct" = yes; then + LIBNSL="${LIBNSL}${LIBNSL:+ }$found_so" + else + if test -n "$acl_hardcode_libdir_flag_spec" && test "$acl_hardcode_minus_L" = no; then + LIBNSL="${LIBNSL}${LIBNSL:+ }$found_so" + haveit= + for x in $rpathdirs; do + if test "X$x" = "X$found_dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + rpathdirs="$rpathdirs $found_dir" + fi + else + haveit= + for x in $LDFLAGS $LIBNSL; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X-L$found_dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then 
+ LIBNSL="${LIBNSL}${LIBNSL:+ }-L$found_dir" + fi + if test "$acl_hardcode_minus_L" != no; then + LIBNSL="${LIBNSL}${LIBNSL:+ }$found_so" + else + LIBNSL="${LIBNSL}${LIBNSL:+ }-l$name" + fi + fi + fi + fi + else + if test "X$found_a" != "X"; then + LIBNSL="${LIBNSL}${LIBNSL:+ }$found_a" + else + LIBNSL="${LIBNSL}${LIBNSL:+ }-L$found_dir -l$name" + fi + fi + additional_includedir= + case "$found_dir" in + */$acl_libdirstem | */$acl_libdirstem/) + basedir=`echo "X$found_dir" | sed -e 's,^X,,' -e "s,/$acl_libdirstem/"'*$,,'` + if test "$name" = 'nsl'; then + LIBNSL_PREFIX="$basedir" + fi + additional_includedir="$basedir/include" + ;; + */$acl_libdirstem2 | */$acl_libdirstem2/) + basedir=`echo "X$found_dir" | sed -e 's,^X,,' -e "s,/$acl_libdirstem2/"'*$,,'` + if test "$name" = 'nsl'; then + LIBNSL_PREFIX="$basedir" + fi + additional_includedir="$basedir/include" + ;; + esac + if test "X$additional_includedir" != "X"; then + if test "X$additional_includedir" != "X/usr/include"; then + haveit= + if test "X$additional_includedir" = "X/usr/local/include"; then + if test -n "$GCC"; then + case $host_os in + linux* | gnu* | k*bsd*-gnu) haveit=yes;; + esac + fi + fi + if test -z "$haveit"; then + for x in $CPPFLAGS $INCNSL; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X-I$additional_includedir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + if test -d "$additional_includedir"; then + INCNSL="${INCNSL}${INCNSL:+ }-I$additional_includedir" + fi + fi + fi + fi + fi + if test -n "$found_la"; then + save_libdir="$libdir" + case "$found_la" in + */* | *\\*) . "$found_la" ;; + *) . 
"./$found_la" ;; + esac + libdir="$save_libdir" + for dep in $dependency_libs; do + case "$dep" in + -L*) + additional_libdir=`echo "X$dep" | sed -e 's/^X-L//'` + if test "X$additional_libdir" != "X/usr/$acl_libdirstem" \ + && test "X$additional_libdir" != "X/usr/$acl_libdirstem2"; then + haveit= + if test "X$additional_libdir" = "X/usr/local/$acl_libdirstem" \ + || test "X$additional_libdir" = "X/usr/local/$acl_libdirstem2"; then + if test -n "$GCC"; then + case $host_os in + linux* | gnu* | k*bsd*-gnu) haveit=yes;; + esac + fi + fi + if test -z "$haveit"; then + haveit= + for x in $LDFLAGS $LIBNSL; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X-L$additional_libdir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + if test -d "$additional_libdir"; then + LIBNSL="${LIBNSL}${LIBNSL:+ }-L$additional_libdir" + fi + fi + haveit= + for x in $LDFLAGS $LTLIBNSL; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X-L$additional_libdir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + if test -d "$additional_libdir"; then + LTLIBNSL="${LTLIBNSL}${LTLIBNSL:+ }-L$additional_libdir" + fi + fi + fi + fi + ;; + -R*) + dir=`echo "X$dep" | sed -e 's/^X-R//'` + if test "$enable_rpath" != no; then + haveit= + for x in $rpathdirs; do + if test "X$x" = "X$dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + rpathdirs="$rpathdirs $dir" + fi + haveit= + for x in $ltrpathdirs; do + if test "X$x" = "X$dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + ltrpathdirs="$ltrpathdirs $dir" + fi + fi + ;; + -l*) + 
names_next_round="$names_next_round "`echo "X$dep" | sed -e 's/^X-l//'` + ;; + *.la) + names_next_round="$names_next_round "`echo "X$dep" | sed -e 's,^X.*/,,' -e 's,^lib,,' -e 's,\.la$,,'` + ;; + *) + LIBNSL="${LIBNSL}${LIBNSL:+ }$dep" + LTLIBNSL="${LTLIBNSL}${LTLIBNSL:+ }$dep" + ;; + esac + done + fi + else + LIBNSL="${LIBNSL}${LIBNSL:+ }-l$name" + LTLIBNSL="${LTLIBNSL}${LTLIBNSL:+ }-l$name" + fi + fi + fi + done + done + if test "X$rpathdirs" != "X"; then + if test -n "$acl_hardcode_libdir_separator"; then + alldirs= + for found_dir in $rpathdirs; do + alldirs="${alldirs}${alldirs:+$acl_hardcode_libdir_separator}$found_dir" + done + acl_save_libdir="$libdir" + libdir="$alldirs" + eval flag=\"$acl_hardcode_libdir_flag_spec\" + libdir="$acl_save_libdir" + LIBNSL="${LIBNSL}${LIBNSL:+ }$flag" + else + for found_dir in $rpathdirs; do + acl_save_libdir="$libdir" + libdir="$found_dir" + eval flag=\"$acl_hardcode_libdir_flag_spec\" + libdir="$acl_save_libdir" + LIBNSL="${LIBNSL}${LIBNSL:+ }$flag" + done + fi + fi + if test "X$ltrpathdirs" != "X"; then + for found_dir in $ltrpathdirs; do + LTLIBNSL="${LTLIBNSL}${LTLIBNSL:+ }-R$found_dir" + done + fi + + + + + + + + ac_save_CPPFLAGS="$CPPFLAGS" + + for element in $INCNSL; do + haveit= + for x in $CPPFLAGS; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X$element"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }$element" + fi + done + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnsl" >&5 +$as_echo_n "checking for libnsl... 
" >&6; } +if ${ac_cv_libnsl+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ac_save_LIBS="$LIBS" + case " $LIBNSL" in + *" -l"*) LIBS="$LIBS $LIBNSL" ;; + *) LIBS="$LIBNSL $LIBS" ;; + esac + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +inet_pton(0,0,0); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_libnsl=yes +else + ac_cv_libnsl='no' +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LIBS="$ac_save_LIBS" + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_libnsl" >&5 +$as_echo "$ac_cv_libnsl" >&6; } + if test "$ac_cv_libnsl" = yes; then + HAVE_LIBNSL=yes + +$as_echo "#define HAVE_LIBNSL 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to link with libnsl" >&5 +$as_echo_n "checking how to link with libnsl... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIBNSL" >&5 +$as_echo "$LIBNSL" >&6; } + else + HAVE_LIBNSL=no + CPPFLAGS="$ac_save_CPPFLAGS" + LIBNSL= + LTLIBNSL= + LIBNSL_PREFIX= + fi + + + + + + + +fi + if test "$ac_cv_func_clock_gettime" != "yes";then @@ -15034,17 +15840,19 @@ else for ac_kw in __restrict __restrict__ _Restrict restrict; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -typedef int * int_ptr; - int foo (int_ptr $ac_kw ip) { - return ip[0]; - } +typedef int *int_ptr; + int foo (int_ptr $ac_kw ip) { return ip[0]; } + int bar (int [$ac_kw]); /* Catch GCC bug 14050. */ + int bar (int ip[$ac_kw]) { return ip[0]; } + int main () { int s[1]; - int * $ac_kw t = s; - t[0] = 0; - return foo(t) + int *$ac_kw t = s; + t[0] = 0; + return foo (t) + bar (t); + ; return 0; } 
@@ -16616,75 +17424,6 @@ fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5 -$as_echo_n "checking for a sed that does not truncate output... " >&6; } -if ${ac_cv_path_SED+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/ - for ac_i in 1 2 3 4 5 6 7; do - ac_script="$ac_script$as_nl$ac_script" - done - echo "$ac_script" 2>/dev/null | sed 99q >conftest.sed - { ac_script=; unset ac_script;} - if test -z "$SED"; then - ac_path_SED_found=false - # Loop through the user's path and test for each of PROGNAME-LIST - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_prog in sed gsed; do - for ac_exec_ext in '' $ac_executable_extensions; do - ac_path_SED="$as_dir/$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_SED" || continue -# Check for GNU ac_path_SED and select it if it is found. - # Check for GNU $ac_path_SED -case `"$ac_path_SED" --version 2>&1` in -*GNU*) - ac_cv_path_SED="$ac_path_SED" ac_path_SED_found=:;; -*) - ac_count=0 - $as_echo_n 0123456789 >"conftest.in" - while : - do - cat "conftest.in" "conftest.in" >"conftest.tmp" - mv "conftest.tmp" "conftest.in" - cp "conftest.in" "conftest.nl" - $as_echo '' >> "conftest.nl" - "$ac_path_SED" -f conftest.sed < "conftest.nl" >"conftest.out" 2>/dev/null || break - diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - as_fn_arith $ac_count + 1 && ac_count=$as_val - if test $ac_count -gt ${ac_path_SED_max-0}; then - # Best one so far, save it but keep looking for a better one - ac_cv_path_SED="$ac_path_SED" - ac_path_SED_max=$ac_count - fi - # 10*(2^10) chars as input seems more than enough - test $ac_count -gt 10 && break - done - rm -f conftest.in conftest.tmp conftest.nl conftest.out;; -esac - - $ac_path_SED_found && break 3 - done - done - done -IFS=$as_save_IFS - if test -z "$ac_cv_path_SED"; then - 
as_fn_error $? "no acceptable sed could be found in \$PATH" "$LINENO" 5 - fi -else - ac_cv_path_SED=$SED -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_SED" >&5 -$as_echo "$ac_cv_path_SED" >&6; } - SED="$ac_cv_path_SED" - rm -f conftest.sed - GNULIB__EXIT=0; GNULIB_ATOLL=0; @@ -16704,6 +17443,7 @@ $as_echo "$ac_cv_path_SED" >&6; } GNULIB_PTSNAME=0; GNULIB_PTSNAME_R=0; GNULIB_PUTENV=0; + GNULIB_QSORT_R=0; GNULIB_RANDOM=0; GNULIB_RANDOM_R=0; GNULIB_REALLOC_POSIX=0; @@ -16755,6 +17495,7 @@ $as_echo "$ac_cv_path_SED" >&6; } REPLACE_PTSNAME=0; REPLACE_PTSNAME_R=0; REPLACE_PUTENV=0; + REPLACE_QSORT_R=0; REPLACE_RANDOM_R=0; REPLACE_REALLOC=0; REPLACE_REALPATH=0; @@ -17228,7 +17969,7 @@ else # Guess yes on glibc systems. *-gnu*) gl_cv_func_snprintf_retval_c99="guessing yes";; # Guess yes on FreeBSD >= 5. - freebsd[1-4]*) gl_cv_func_snprintf_retval_c99="guessing no";; + freebsd[1-4].*) gl_cv_func_snprintf_retval_c99="guessing no";; freebsd* | kfreebsd*) gl_cv_func_snprintf_retval_c99="guessing yes";; # Guess yes on Mac OS X >= 10.3. darwin[1-6].*) gl_cv_func_snprintf_retval_c99="guessing no";; @@ -17424,6 +18165,7 @@ fi REPLACE_NULL=0; + HAVE_MAX_ALIGN_T=1; HAVE_WCHAR_T=1; 
@@ -18691,6 +19433,344 @@ _ACEOF + case "$host_os" in + osf*) + +$as_echo "#define _POSIX_PII_SOCKET 1" >>confdefs.h + + ;; + esac + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether is self-contained" >&5 +$as_echo_n "checking whether is self-contained... " >&6; } +if ${gl_cv_header_sys_socket_h_selfcontained+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + gl_cv_header_sys_socket_h_selfcontained=yes +else + gl_cv_header_sys_socket_h_selfcontained=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_header_sys_socket_h_selfcontained" >&5 +$as_echo "$gl_cv_header_sys_socket_h_selfcontained" >&6; } + if test $gl_cv_header_sys_socket_h_selfcontained = yes; then + for ac_func in shutdown +do : + ac_fn_c_check_func "$LINENO" "shutdown" "ac_cv_func_shutdown" +if test "x$ac_cv_func_shutdown" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SHUTDOWN 1 +_ACEOF + +fi +done + + if test $ac_cv_func_shutdown = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether defines the SHUT_* macros" >&5 +$as_echo_n "checking whether defines the SHUT_* macros... " >&6; } +if ${gl_cv_header_sys_socket_h_shut+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include +int +main () +{ +int a[] = { SHUT_RD, SHUT_WR, SHUT_RDWR }; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + gl_cv_header_sys_socket_h_shut=yes +else + gl_cv_header_sys_socket_h_shut=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_header_sys_socket_h_shut" >&5 +$as_echo "$gl_cv_header_sys_socket_h_shut" >&6; } + if test $gl_cv_header_sys_socket_h_shut = no; then + SYS_SOCKET_H='sys/socket.h' + fi + fi + fi + # We need to check for ws2tcpip.h now. + + + + + + + + + : + + + + + + + + + if test $gl_cv_have_include_next = yes; then + gl_cv_next_sys_socket_h='<'sys/socket.h'>' + else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking absolute name of " >&5 +$as_echo_n "checking absolute name of ... " >&6; } +if ${gl_cv_next_sys_socket_h+:} false; then : + $as_echo_n "(cached) " >&6 +else + + if test $ac_cv_header_sys_socket_h = yes; then + + + + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include +_ACEOF + case "$host_os" in + aix*) gl_absname_cpp="$ac_cpp -C" ;; + *) gl_absname_cpp="$ac_cpp" ;; + esac + + case "$host_os" in + mingw*) + gl_dirsep_regex='[/\\]' + ;; + *) + gl_dirsep_regex='\/' + ;; + esac + gl_make_literal_regex_sed='s,[]$^\\.*/[],\\&,g' + gl_header_literal_regex=`echo 'sys/socket.h' \ + | sed -e "$gl_make_literal_regex_sed"` + gl_absolute_header_sed="/${gl_dirsep_regex}${gl_header_literal_regex}/"'{ + s/.*"\(.*'"${gl_dirsep_regex}${gl_header_literal_regex}"'\)".*/\1/ + s|^/[^/]|//&| + p + q + }' + + gl_cv_absolute_sys_socket_h=`(eval "$gl_absname_cpp conftest.$ac_ext") 2>&5 | + sed -n "$gl_absolute_header_sed"` + + gl_header=$gl_cv_absolute_sys_socket_h + gl_cv_next_sys_socket_h='"'$gl_header'"' + else + gl_cv_next_sys_socket_h='<'sys/socket.h'>' + fi + + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_next_sys_socket_h" >&5 +$as_echo "$gl_cv_next_sys_socket_h" >&6; } + fi + NEXT_SYS_SOCKET_H=$gl_cv_next_sys_socket_h + + if test $gl_cv_have_include_next = yes || test $gl_cv_have_include_next = buggy; then + # INCLUDE_NEXT_AS_FIRST_DIRECTIVE='include_next' + gl_next_as_first_directive='<'sys/socket.h'>' + else + # INCLUDE_NEXT_AS_FIRST_DIRECTIVE='include' + gl_next_as_first_directive=$gl_cv_next_sys_socket_h + fi + NEXT_AS_FIRST_DIRECTIVE_SYS_SOCKET_H=$gl_next_as_first_directive + + + + + if test $ac_cv_header_sys_socket_h = yes; then + HAVE_SYS_SOCKET_H=1 + HAVE_WS2TCPIP_H=0 + else + HAVE_SYS_SOCKET_H=0 + if test $ac_cv_header_ws2tcpip_h = yes; then + HAVE_WS2TCPIP_H=1 + else + HAVE_WS2TCPIP_H=0 + fi + fi + + + + ac_fn_c_check_type "$LINENO" "struct sockaddr_storage" "ac_cv_type_struct_sockaddr_storage" " + /* sys/types.h is not needed according to POSIX, but the + sys/socket.h in i386-unknown-freebsd4.10 and + powerpc-apple-darwin5.5 required it. 
*/ +#include +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif + +" +if test "x$ac_cv_type_struct_sockaddr_storage" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_SOCKADDR_STORAGE 1 +_ACEOF + + +fi +ac_fn_c_check_type "$LINENO" "sa_family_t" "ac_cv_type_sa_family_t" " + /* sys/types.h is not needed according to POSIX, but the + sys/socket.h in i386-unknown-freebsd4.10 and + powerpc-apple-darwin5.5 required it. */ +#include +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif + +" +if test "x$ac_cv_type_sa_family_t" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_SA_FAMILY_T 1 +_ACEOF + + +fi + + if test $ac_cv_type_struct_sockaddr_storage = no; then + HAVE_STRUCT_SOCKADDR_STORAGE=0 + fi + if test $ac_cv_type_sa_family_t = no; then + HAVE_SA_FAMILY_T=0 + fi + if test $ac_cv_type_struct_sockaddr_storage != no; then + ac_fn_c_check_member "$LINENO" "struct sockaddr_storage" "ss_family" "ac_cv_member_struct_sockaddr_storage_ss_family" "#include + #ifdef HAVE_SYS_SOCKET_H + #include + #endif + #ifdef HAVE_WS2TCPIP_H + #include + #endif + +" +if test "x$ac_cv_member_struct_sockaddr_storage_ss_family" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY 1 +_ACEOF + + +else + HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY=0 +fi + + fi + if test $HAVE_STRUCT_SOCKADDR_STORAGE = 0 || test $HAVE_SA_FAMILY_T = 0 \ + || test $HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY = 0; then + SYS_SOCKET_H='sys/socket.h' + fi + + + + + : + + + + + + if test $ac_cv_header_sys_socket_h != yes; then + for ac_header in winsock2.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "winsock2.h" "ac_cv_header_winsock2_h" "$ac_includes_default" +if test "x$ac_cv_header_winsock2_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_WINSOCK2_H 1 +_ACEOF + +fi + +done + + fi + if test "$ac_cv_header_winsock2_h" = yes; then + HAVE_WINSOCK2_H=1 + UNISTD_H_HAVE_WINSOCK2_H=1 + 
SYS_IOCTL_H_HAVE_WINSOCK2_H=1 + else + HAVE_WINSOCK2_H=0 + fi + + + + + for gl_func in socket connect accept bind getpeername getsockname getsockopt listen recv send recvfrom sendto setsockopt shutdown accept4; do + as_gl_Symbol=`$as_echo "gl_cv_have_raw_decl_$gl_func" | $as_tr_sh` + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $gl_func is declared without a macro" >&5 +$as_echo_n "checking whether $gl_func is declared without a macro... " >&6; } +if eval \${$as_gl_Symbol+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Some systems require prerequisite headers. */ +#include +#include + +int +main () +{ +#undef $gl_func + (void) $gl_func; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$as_gl_Symbol=yes" +else + eval "$as_gl_Symbol=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +eval ac_res=\$$as_gl_Symbol + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + if eval test \"x\$"$as_gl_Symbol"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_RAW_DECL_$gl_func" | $as_tr_cpp` 1 +_ACEOF + + eval ac_cv_have_decl_$gl_func=yes +fi + done + + + + + + @@ -22757,8 +23837,12 @@ else /* Test _Alignas only on platforms where gnulib can help. */ #if \ ((defined __cplusplus && 201103 <= __cplusplus) \ - || __GNUC__ || __IBMC__ || __IBMCPP__ || __ICC \ - || 0x5110 <= __SUNPRO_C || 1300 <= _MSC_VER) + || (defined __APPLE__ && defined __MACH__ \ + ? 4 < __GNUC__ + (1 <= __GNUC_MINOR__) \ + : __GNUC__) \ + || __HP_cc || __HP_aCC || __IBMC__ || __IBMCPP__ \ + || __ICC || 0x5110 <= __SUNPRO_C \ + || 1300 <= _MSC_VER) struct alignas_test { char c; char alignas (8) alignas_8; }; char test_alignas[offsetof (struct alignas_test, alignas_8) == 8 ? 1 : -1]; 
@@ -22829,6 +23913,15 @@ fi STDDEF_H= + ac_fn_c_check_type "$LINENO" "max_align_t" "ac_cv_type_max_align_t" "#include + +" +if test "x$ac_cv_type_max_align_t" = xyes; then : + +else + HAVE_MAX_ALIGN_T=0; STDDEF_H=stddef.h +fi + if test $gt_cv_c_wchar_t = no; then HAVE_WCHAR_T=0 STDDEF_H=stddef.h @@ -22958,6 +24051,8 @@ $as_echo "$gl_cv_next_stddef_h" >&6; } + + if test $gl_cv_have_include_next = yes; then gl_cv_next_stdio_h='<'stdio.h'>' else 
@@ -23691,343 +24786,6 @@ $as_echo "#define GNULIB_TEST_STRVERSCMP 1" >>confdefs.h - case "$host_os" in - osf*) - -$as_echo "#define _POSIX_PII_SOCKET 1" >>confdefs.h - - ;; - esac - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether is self-contained" >&5 -$as_echo_n "checking whether is self-contained... " >&6; } -if ${gl_cv_header_sys_socket_h_selfcontained+:} false; then : - $as_echo_n "(cached) " >&6 -else - - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - gl_cv_header_sys_socket_h_selfcontained=yes -else - gl_cv_header_sys_socket_h_selfcontained=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_header_sys_socket_h_selfcontained" >&5 -$as_echo "$gl_cv_header_sys_socket_h_selfcontained" >&6; } - if test $gl_cv_header_sys_socket_h_selfcontained = yes; then - for ac_func in shutdown -do : - ac_fn_c_check_func "$LINENO" "shutdown" "ac_cv_func_shutdown" -if test "x$ac_cv_func_shutdown" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_SHUTDOWN 1 -_ACEOF - -fi -done - - if test $ac_cv_func_shutdown = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether defines the SHUT_* macros" >&5 -$as_echo_n "checking whether defines the SHUT_* macros... " >&6; } -if ${gl_cv_header_sys_socket_h_shut+:} false; then : - $as_echo_n "(cached) " >&6 -else - - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -#include -int -main () -{ -int a[] = { SHUT_RD, SHUT_WR, SHUT_RDWR }; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - gl_cv_header_sys_socket_h_shut=yes -else - gl_cv_header_sys_socket_h_shut=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_header_sys_socket_h_shut" >&5 -$as_echo "$gl_cv_header_sys_socket_h_shut" >&6; } - if test $gl_cv_header_sys_socket_h_shut = no; then - SYS_SOCKET_H='sys/socket.h' - fi - fi - fi - # We need to check for ws2tcpip.h now. - - - - - - - - - : - - - - - - - - - if test $gl_cv_have_include_next = yes; then - gl_cv_next_sys_socket_h='<'sys/socket.h'>' - else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking absolute name of " >&5 -$as_echo_n "checking absolute name of ... " >&6; } -if ${gl_cv_next_sys_socket_h+:} false; then : - $as_echo_n "(cached) " >&6 -else - - if test $ac_cv_header_sys_socket_h = yes; then - - - - - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -#include -_ACEOF - case "$host_os" in - aix*) gl_absname_cpp="$ac_cpp -C" ;; - *) gl_absname_cpp="$ac_cpp" ;; - esac - - case "$host_os" in - mingw*) - gl_dirsep_regex='[/\\]' - ;; - *) - gl_dirsep_regex='\/' - ;; - esac - gl_make_literal_regex_sed='s,[]$^\\.*/[],\\&,g' - gl_header_literal_regex=`echo 'sys/socket.h' \ - | sed -e "$gl_make_literal_regex_sed"` - gl_absolute_header_sed="/${gl_dirsep_regex}${gl_header_literal_regex}/"'{ - s/.*"\(.*'"${gl_dirsep_regex}${gl_header_literal_regex}"'\)".*/\1/ - s|^/[^/]|//&| - p - q - }' - - gl_cv_absolute_sys_socket_h=`(eval "$gl_absname_cpp conftest.$ac_ext") 2>&5 | - sed -n "$gl_absolute_header_sed"` - - gl_header=$gl_cv_absolute_sys_socket_h - gl_cv_next_sys_socket_h='"'$gl_header'"' - else - gl_cv_next_sys_socket_h='<'sys/socket.h'>' - fi - - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_next_sys_socket_h" >&5 -$as_echo "$gl_cv_next_sys_socket_h" >&6; } - fi - NEXT_SYS_SOCKET_H=$gl_cv_next_sys_socket_h - - if test $gl_cv_have_include_next = yes || test $gl_cv_have_include_next = buggy; then - # INCLUDE_NEXT_AS_FIRST_DIRECTIVE='include_next' - gl_next_as_first_directive='<'sys/socket.h'>' - else - # INCLUDE_NEXT_AS_FIRST_DIRECTIVE='include' - gl_next_as_first_directive=$gl_cv_next_sys_socket_h - fi - NEXT_AS_FIRST_DIRECTIVE_SYS_SOCKET_H=$gl_next_as_first_directive - - - - - if test $ac_cv_header_sys_socket_h = yes; then - HAVE_SYS_SOCKET_H=1 - HAVE_WS2TCPIP_H=0 - else - HAVE_SYS_SOCKET_H=0 - if test $ac_cv_header_ws2tcpip_h = yes; then - HAVE_WS2TCPIP_H=1 - else - HAVE_WS2TCPIP_H=0 - fi - fi - - - - ac_fn_c_check_type "$LINENO" "struct sockaddr_storage" "ac_cv_type_struct_sockaddr_storage" " - /* sys/types.h is not needed according to POSIX, but the - sys/socket.h in i386-unknown-freebsd4.10 and - powerpc-apple-darwin5.5 required it. 
*/ -#include -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_WS2TCPIP_H -#include -#endif - -" -if test "x$ac_cv_type_struct_sockaddr_storage" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_SOCKADDR_STORAGE 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "sa_family_t" "ac_cv_type_sa_family_t" " - /* sys/types.h is not needed according to POSIX, but the - sys/socket.h in i386-unknown-freebsd4.10 and - powerpc-apple-darwin5.5 required it. */ -#include -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_WS2TCPIP_H -#include -#endif - -" -if test "x$ac_cv_type_sa_family_t" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_SA_FAMILY_T 1 -_ACEOF - - -fi - - if test $ac_cv_type_struct_sockaddr_storage = no; then - HAVE_STRUCT_SOCKADDR_STORAGE=0 - fi - if test $ac_cv_type_sa_family_t = no; then - HAVE_SA_FAMILY_T=0 - fi - if test $ac_cv_type_struct_sockaddr_storage != no; then - ac_fn_c_check_member "$LINENO" "struct sockaddr_storage" "ss_family" "ac_cv_member_struct_sockaddr_storage_ss_family" "#include - #ifdef HAVE_SYS_SOCKET_H - #include - #endif - #ifdef HAVE_WS2TCPIP_H - #include - #endif - -" -if test "x$ac_cv_member_struct_sockaddr_storage_ss_family" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY 1 -_ACEOF - - -else - HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY=0 -fi - - fi - if test $HAVE_STRUCT_SOCKADDR_STORAGE = 0 || test $HAVE_SA_FAMILY_T = 0 \ - || test $HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY = 0; then - SYS_SOCKET_H='sys/socket.h' - fi - - - - - : - - - - - - if test $ac_cv_header_sys_socket_h != yes; then - for ac_header in winsock2.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "winsock2.h" "ac_cv_header_winsock2_h" "$ac_includes_default" -if test "x$ac_cv_header_winsock2_h" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_WINSOCK2_H 1 -_ACEOF - -fi - -done - - fi - if test "$ac_cv_header_winsock2_h" = yes; then - HAVE_WINSOCK2_H=1 - UNISTD_H_HAVE_WINSOCK2_H=1 - 
SYS_IOCTL_H_HAVE_WINSOCK2_H=1 - else - HAVE_WINSOCK2_H=0 - fi - - - - - for gl_func in socket connect accept bind getpeername getsockname getsockopt listen recv send recvfrom sendto setsockopt shutdown accept4; do - as_gl_Symbol=`$as_echo "gl_cv_have_raw_decl_$gl_func" | $as_tr_sh` - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $gl_func is declared without a macro" >&5 -$as_echo_n "checking whether $gl_func is declared without a macro... " >&6; } -if eval \${$as_gl_Symbol+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Some systems require prerequisite headers. */ -#include -#include - -int -main () -{ -#undef $gl_func - (void) $gl_func; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval "$as_gl_Symbol=yes" -else - eval "$as_gl_Symbol=no" -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$as_gl_Symbol - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - if eval test \"x\$"$as_gl_Symbol"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_RAW_DECL_$gl_func" | $as_tr_cpp` 1 -_ACEOF - - eval ac_cv_have_decl_$gl_func=yes -fi - done - - - - - @@ -25968,6 +26726,11 @@ $as_echo "$opt_valgrind_tests" >&6; } + + + + + : @@ -27942,6 +28705,13 @@ $as_echo "#define GNULIB_TEST_CONNECT 1" >>confdefs.h + : + + + + + + $as_echo "#define HAVE_DUP2 1" >>confdefs.h @@ -27961,7 +28731,9 @@ else linux*) # On linux between 2008-07-27 and 2009-05-11, dup2 of a # closed fd may yield -EBADF instead of -1 / errno=EBADF. gl_cv_func_dup2_works="guessing no" ;; - freebsd*) # on FreeBSD 6.1, dup2(1,1000000) gives EMFILE, not EBADF. + aix* | freebsd*) + # on AIX 7.1 and FreeBSD 6.1, dup2 (1,toobig) gives EMFILE, + # not EBADF. gl_cv_func_dup2_works="guessing no" ;; haiku*) # on Haiku alpha 2, dup2(1, 1) resets FD_CLOEXEC. gl_cv_func_dup2_works="guessing no" ;; 
@@ -27978,6 +28750,11 @@ int main () { int result = 0; +#ifdef HAVE_GETDTABLESIZE + int bad_fd = getdtablesize (); +#else + int bad_fd = 1000000; +#endif #ifdef FD_CLOEXEC if (fcntl (1, F_SETFD, FD_CLOEXEC) == -1) result |= 1; @@ -27992,7 +28769,7 @@ int result = 0; if (dup2 (0, 0) != -1) result |= 8; /* Many gnulib modules require POSIX conformance of EBADF. */ - if (dup2 (2, 1000000) == -1 && errno != EBADF) + if (dup2 (2, bad_fd) == -1 && errno != EBADF) result |= 16; /* Flush out some cygwin core dumps. */ if (dup2 (2, -1) != -1 || errno != EBADF) 
@@ -28536,6 +29313,239 @@ $as_echo "#define GNULIB_TEST_FSTAT 1" >>confdefs.h + + + if test $HAVE_FTELLO = 0 || test $REPLACE_FTELLO = 1; then + REPLACE_FTELL=1 + fi + + if test $REPLACE_FTELL = 1; then + + + + + + + + + ggl_LIBOBJS="$ggl_LIBOBJS ftell.$ac_objext" + + fi + + + + + + GNULIB_FTELL=1 + + + + + +$as_echo "#define GNULIB_TEST_FTELL 1" >>confdefs.h + + + + + + + + + + + + + : + + + + + + if test $ac_cv_have_decl_ftello = no; then + HAVE_DECL_FTELLO=0 + fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ftello" >&5 +$as_echo_n "checking for ftello... " >&6; } +if ${gl_cv_func_ftello+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +ftello (stdin); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + gl_cv_func_ftello=yes +else + gl_cv_func_ftello=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_func_ftello" >&5 +$as_echo "$gl_cv_func_ftello" >&6; } + if test $gl_cv_func_ftello = no; then + HAVE_FTELLO=0 + else + if test $WINDOWS_64_BIT_OFF_T = 1; then + REPLACE_FTELLO=1 + fi + if test $gl_cv_var_stdin_large_offset = no; then + REPLACE_FTELLO=1 + fi + if test $REPLACE_FTELLO = 0; then + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ftello works" >&5 +$as_echo_n "checking whether ftello works... " >&6; } +if ${gl_cv_func_ftello_works+:} false; then : + $as_echo_n "(cached) " >&6 +else + + case "$host_os" in + # Guess no on Solaris. + solaris*) gl_cv_func_ftello_works="guessing no" ;; + # Guess yes otherwise. + *) gl_cv_func_ftello_works="guessing yes" ;; + esac + if test "$cross_compiling" = yes; then : + : +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +#include +#include +#include +#define TESTFILE "conftest.tmp" +int +main (void) +{ + FILE *fp; + + /* Create a file with some contents. */ + fp = fopen (TESTFILE, "w"); + if (fp == NULL) + return 70; + if (fwrite ("foogarsh", 1, 8, fp) < 8) + return 71; + if (fclose (fp)) + return 72; + + /* The file's contents is now "foogarsh". */ + + /* Try writing after reading to EOF. */ + fp = fopen (TESTFILE, "r+"); + if (fp == NULL) + return 73; + if (fseek (fp, -1, SEEK_END)) + return 74; + if (!(getc (fp) == 'h')) + return 1; + if (!(getc (fp) == EOF)) + return 2; + if (!(ftell (fp) == 8)) + return 3; + if (!(ftell (fp) == 8)) + return 4; + if (!(putc ('!', fp) == '!')) + return 5; + if (!(ftell (fp) == 9)) + return 6; + if (!(fclose (fp) == 0)) + return 7; + fp = fopen (TESTFILE, "r"); + if (fp == NULL) + return 75; + { + char buf[10]; + if (!(fread (buf, 1, 10, fp) == 9)) + return 10; + if (!(memcmp (buf, "foogarsh!", 9) == 0)) + return 11; + } + if (!(fclose (fp) == 0)) + return 12; + + /* The file's contents is now "foogarsh!". 
*/ + + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + gl_cv_func_ftello_works=yes +else + gl_cv_func_ftello_works=no +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_func_ftello_works" >&5 +$as_echo "$gl_cv_func_ftello_works" >&6; } + case "$gl_cv_func_ftello_works" in + *yes) ;; + *) + REPLACE_FTELLO=1 + +$as_echo "#define FTELLO_BROKEN_AFTER_SWITCHING_FROM_READ_TO_WRITE 1" >>confdefs.h + + ;; + esac + fi + fi + + if test $HAVE_FTELLO = 0 || test $REPLACE_FTELLO = 1; then + + + + + + + + + ggl_LIBOBJS="$ggl_LIBOBJS ftello.$ac_objext" + + + for ac_func in _ftelli64 +do : + ac_fn_c_check_func "$LINENO" "_ftelli64" "ac_cv_func__ftelli64" +if test "x$ac_cv_func__ftelli64" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE__FTELLI64 1 +_ACEOF + +fi +done + + + fi + + + + + + GNULIB_FTELLO=1 + + + + + +$as_echo "#define GNULIB_TEST_FTELLO 1" >>confdefs.h + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to do getaddrinfo, freeaddrinfo and getnameinfo" >&5 $as_echo "$as_me: checking how to do getaddrinfo, freeaddrinfo and getnameinfo" >&6;} GETADDRINFO_LIB= @@ -30388,6 +31398,9 @@ $as_echo "#define GNULIB_TEST_MEMCHR 1" >>confdefs.h + + + : @@ -31111,6 +32124,7 @@ cat >>confdefs.h <<_ACEOF #define HAVE_DECL_PROGRAM_INVOCATION_SHORT_NAME $ac_have_decl _ACEOF + : 
@@ -32172,202 +33186,6 @@ $as_echo "#define GNULIB_TEST_SOCKET 1" >>confdefs.h - - - - : - - - - - - if test $ac_cv_header_sys_socket_h != yes; then - for ac_header in winsock2.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "winsock2.h" "ac_cv_header_winsock2_h" "$ac_includes_default" -if test "x$ac_cv_header_winsock2_h" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_WINSOCK2_H 1 -_ACEOF - -fi - -done - - fi - if test "$ac_cv_header_winsock2_h" = yes; then - HAVE_WINSOCK2_H=1 - UNISTD_H_HAVE_WINSOCK2_H=1 - SYS_IOCTL_H_HAVE_WINSOCK2_H=1 - else - HAVE_WINSOCK2_H=0 - fi - - LIBSOCKET= - if test $HAVE_WINSOCK2_H = 1; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we need to call WSAStartup in winsock2.h and -lws2_32" >&5 -$as_echo_n "checking if we need to call WSAStartup in winsock2.h and -lws2_32... " >&6; } -if ${gl_cv_func_wsastartup+:} false; then : - $as_echo_n "(cached) " >&6 -else - - gl_save_LIBS="$LIBS" - LIBS="$LIBS -lws2_32" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#ifdef HAVE_WINSOCK2_H -# include -#endif -int -main () -{ - - WORD wVersionRequested = MAKEWORD(1, 1); - WSADATA wsaData; - int err = WSAStartup(wVersionRequested, &wsaData); - WSACleanup (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - gl_cv_func_wsastartup=yes -else - gl_cv_func_wsastartup=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - LIBS="$gl_save_LIBS" - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_func_wsastartup" >&5 -$as_echo "$gl_cv_func_wsastartup" >&6; } - if test "$gl_cv_func_wsastartup" = "yes"; then - -$as_echo "#define WINDOWS_SOCKETS 1" >>confdefs.h - - LIBSOCKET='-lws2_32' - fi - else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing setsockopt" >&5 -$as_echo_n "checking for library containing setsockopt... 
" >&6; } -if ${gl_cv_lib_socket+:} false; then : - $as_echo_n "(cached) " >&6 -else - - gl_cv_lib_socket= - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -extern -#ifdef __cplusplus -"C" -#endif -char setsockopt(); -int -main () -{ -setsockopt(); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - -else - gl_save_LIBS="$LIBS" - LIBS="$gl_save_LIBS -lsocket" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -extern -#ifdef __cplusplus -"C" -#endif -char setsockopt(); -int -main () -{ -setsockopt(); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - gl_cv_lib_socket="-lsocket" -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - if test -z "$gl_cv_lib_socket"; then - LIBS="$gl_save_LIBS -lnetwork" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -extern -#ifdef __cplusplus -"C" -#endif -char setsockopt(); -int -main () -{ -setsockopt(); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - gl_cv_lib_socket="-lnetwork" -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - if test -z "$gl_cv_lib_socket"; then - LIBS="$gl_save_LIBS -lnet" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -extern -#ifdef __cplusplus -"C" -#endif -char setsockopt(); -int -main () -{ -setsockopt(); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - gl_cv_lib_socket="-lnet" -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - fi - fi - LIBS="$gl_save_LIBS" - -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - if test -z "$gl_cv_lib_socket"; then - gl_cv_lib_socket="none needed" - fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_lib_socket" >&5 -$as_echo "$gl_cv_lib_socket" >&6; } - if test "$gl_cv_lib_socket" != "none needed"; then - LIBSOCKET="$gl_cv_lib_socket" - fi - fi - - - - - - - : - - ac_fn_c_check_type "$LINENO" "socklen_t" "ac_cv_type_socklen_t" " /* is not needed according to POSIX, but the in i386-unknown-freebsd4.10 and @@ -32491,8 +33309,12 @@ else /* Test _Alignas only on platforms where gnulib can help. */ #if \ ((defined __cplusplus && 201103 <= __cplusplus) \ - || __GNUC__ || __IBMC__ || __IBMCPP__ || __ICC \ - || 0x5110 <= __SUNPRO_C || 1300 <= _MSC_VER) + || (defined __APPLE__ && defined __MACH__ \ + ? 4 < __GNUC__ + (1 <= __GNUC_MINOR__) \ + : __GNUC__) \ + || __HP_cc || __HP_aCC || __IBMC__ || __IBMCPP__ \ + || __ICC || 0x5110 <= __SUNPRO_C \ + || 1300 <= _MSC_VER) struct alignas_test { char c; char alignas (8) alignas_8; }; char test_alignas[offsetof (struct alignas_test, alignas_8) == 8 ? 1 : -1]; @@ -32563,6 +33385,15 @@ fi STDDEF_H= + ac_fn_c_check_type "$LINENO" "max_align_t" "ac_cv_type_max_align_t" "#include + +" +if test "x$ac_cv_type_max_align_t" = xyes; then : + +else + HAVE_MAX_ALIGN_T=0; STDDEF_H=stddef.h +fi + if test $gt_cv_c_wchar_t = no; then HAVE_WCHAR_T=0 STDDEF_H=stddef.h @@ -32692,6 +33523,8 @@ $as_echo "$gl_cv_next_stddef_h" >&6; } + + if test $gl_cv_have_include_next = yes; then gl_cv_next_stdio_h='<'stdio.h'>' else 
@@ -33144,353 +33977,94 @@ done fi - fi - - - - - - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether is self-contained" >&5 -$as_echo_n "checking whether is self-contained... " >&6; } -if ${gl_cv_header_sys_select_h_selfcontained+:} false; then : - $as_echo_n "(cached) " >&6 -else - - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -struct timeval b; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - gl_cv_header_sys_select_h_selfcontained=yes -else - gl_cv_header_sys_select_h_selfcontained=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - if test $gl_cv_header_sys_select_h_selfcontained = yes; then - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -int memset; int bzero; - ; - return 0; -} - -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ - - #undef memset - #define memset nonexistent_memset - extern - #ifdef __cplusplus - "C" - #endif - void *memset (void *, int, unsigned long); - #undef bzero - #define bzero nonexistent_bzero - extern - #ifdef __cplusplus - "C" - #endif - void bzero (void *, unsigned long); - fd_set fds; - FD_ZERO (&fds); - - ; - return 0; -} - -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - -else - gl_cv_header_sys_select_h_selfcontained=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_header_sys_select_h_selfcontained" >&5 -$as_echo "$gl_cv_header_sys_select_h_selfcontained" >&6; } - - - - - - - : - - - - - - - - - if test $gl_cv_have_include_next = yes; then - gl_cv_next_sys_select_h='<'sys/select.h'>' - else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking absolute name of " >&5 -$as_echo_n "checking absolute name of ... 
" >&6; } -if ${gl_cv_next_sys_select_h+:} false; then : - $as_echo_n "(cached) " >&6 -else - - if test $ac_cv_header_sys_select_h = yes; then - - - - - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -_ACEOF - case "$host_os" in - aix*) gl_absname_cpp="$ac_cpp -C" ;; - *) gl_absname_cpp="$ac_cpp" ;; - esac - - case "$host_os" in - mingw*) - gl_dirsep_regex='[/\\]' - ;; - *) - gl_dirsep_regex='\/' - ;; - esac - gl_make_literal_regex_sed='s,[]$^\\.*/[],\\&,g' - gl_header_literal_regex=`echo 'sys/select.h' \ - | sed -e "$gl_make_literal_regex_sed"` - gl_absolute_header_sed="/${gl_dirsep_regex}${gl_header_literal_regex}/"'{ - s/.*"\(.*'"${gl_dirsep_regex}${gl_header_literal_regex}"'\)".*/\1/ - s|^/[^/]|//&| - p - q - }' - - gl_cv_absolute_sys_select_h=`(eval "$gl_absname_cpp conftest.$ac_ext") 2>&5 | - sed -n "$gl_absolute_header_sed"` - - gl_header=$gl_cv_absolute_sys_select_h - gl_cv_next_sys_select_h='"'$gl_header'"' - else - gl_cv_next_sys_select_h='<'sys/select.h'>' - fi - - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_next_sys_select_h" >&5 -$as_echo "$gl_cv_next_sys_select_h" >&6; } - fi - NEXT_SYS_SELECT_H=$gl_cv_next_sys_select_h - - if test $gl_cv_have_include_next = yes || test $gl_cv_have_include_next = buggy; then - # INCLUDE_NEXT_AS_FIRST_DIRECTIVE='include_next' - gl_next_as_first_directive='<'sys/select.h'>' - else - # INCLUDE_NEXT_AS_FIRST_DIRECTIVE='include' - gl_next_as_first_directive=$gl_cv_next_sys_select_h - fi - NEXT_AS_FIRST_DIRECTIVE_SYS_SELECT_H=$gl_next_as_first_directive - - - - - if test $ac_cv_header_sys_select_h = yes; then - HAVE_SYS_SELECT_H=1 - else - HAVE_SYS_SELECT_H=0 - fi - - - - - - : - - - - - - if test $ac_cv_header_sys_socket_h != yes; then - for ac_header in winsock2.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "winsock2.h" "ac_cv_header_winsock2_h" "$ac_includes_default" -if test "x$ac_cv_header_winsock2_h" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_WINSOCK2_H 1 
-_ACEOF - -fi - -done - - fi - if test "$ac_cv_header_winsock2_h" = yes; then - HAVE_WINSOCK2_H=1 - UNISTD_H_HAVE_WINSOCK2_H=1 - SYS_IOCTL_H_HAVE_WINSOCK2_H=1 - else - HAVE_WINSOCK2_H=0 - fi - - + fi - for gl_func in pselect select; do - as_gl_Symbol=`$as_echo "gl_cv_have_raw_decl_$gl_func" | $as_tr_sh` - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $gl_func is declared without a macro" >&5 -$as_echo_n "checking whether $gl_func is declared without a macro... " >&6; } -if eval \${$as_gl_Symbol+:} false; then : + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether is self-contained" >&5 +$as_echo_n "checking whether is self-contained... " >&6; } +if ${gl_cv_header_sys_select_h_selfcontained+:} false; then : $as_echo_n "(cached) " >&6 else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -/* Some systems require prerequisite headers. */ -#include -#if !(defined __GLIBC__ && !defined __UCLIBC__) && HAVE_SYS_TIME_H -# include -#endif + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ #include - int main () { -#undef $gl_func - (void) $gl_func; +struct timeval b; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - eval "$as_gl_Symbol=yes" + gl_cv_header_sys_select_h_selfcontained=yes else - eval "$as_gl_Symbol=no" + gl_cv_header_sys_select_h_selfcontained=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$as_gl_Symbol - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - if eval test \"x\$"$as_gl_Symbol"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_RAW_DECL_$gl_func" | $as_tr_cpp` 1 -_ACEOF - - eval ac_cv_have_decl_$gl_func=yes -fi - done - - - - - - - - case "$host_os" in - osf*) - -$as_echo "#define _POSIX_PII_SOCKET 1" >>confdefs.h - - ;; - esac - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether is self-contained" >&5 -$as_echo_n "checking whether is self-contained... 
" >&6; } -if ${gl_cv_header_sys_socket_h_selfcontained+:} false; then : - $as_echo_n "(cached) " >&6 -else - - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + if test $gl_cv_header_sys_select_h_selfcontained = yes; then + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#include +#include int main () { - +int memset; int bzero; ; return 0; } -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - gl_cv_header_sys_socket_h_selfcontained=yes -else - gl_cv_header_sys_socket_h_selfcontained=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_header_sys_socket_h_selfcontained" >&5 -$as_echo "$gl_cv_header_sys_socket_h_selfcontained" >&6; } - if test $gl_cv_header_sys_socket_h_selfcontained = yes; then - for ac_func in shutdown -do : - ac_fn_c_check_func "$LINENO" "shutdown" "ac_cv_func_shutdown" -if test "x$ac_cv_func_shutdown" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_SHUTDOWN 1 _ACEOF - -fi -done - - if test $ac_cv_func_shutdown = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether defines the SHUT_* macros" >&5 -$as_echo_n "checking whether defines the SHUT_* macros... " >&6; } -if ${gl_cv_header_sys_socket_h_shut+:} false; then : - $as_echo_n "(cached) " >&6 -else - - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +if ac_fn_c_try_compile "$LINENO"; then : + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ -#include +#include int main () { -int a[] = { SHUT_RD, SHUT_WR, SHUT_RDWR }; + + #undef memset + #define memset nonexistent_memset + extern + #ifdef __cplusplus + "C" + #endif + void *memset (void *, int, unsigned long); + #undef bzero + #define bzero nonexistent_bzero + extern + #ifdef __cplusplus + "C" + #endif + void bzero (void *, unsigned long); + fd_set fds; + FD_ZERO (&fds); + ; return 0; } + _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - gl_cv_header_sys_socket_h_shut=yes +if ac_fn_c_try_link "$LINENO"; then : + else - gl_cv_header_sys_socket_h_shut=no + gl_cv_header_sys_select_h_selfcontained=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_header_sys_socket_h_shut" >&5 -$as_echo "$gl_cv_header_sys_socket_h_shut" >&6; } - if test $gl_cv_header_sys_socket_h_shut = no; then - SYS_SOCKET_H='sys/socket.h' +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi - fi - fi - # We need to check for ws2tcpip.h now. - +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_header_sys_select_h_selfcontained" >&5 +$as_echo "$gl_cv_header_sys_select_h_selfcontained" >&6; } 
@@ -33507,22 +34081,22 @@ $as_echo "$gl_cv_header_sys_socket_h_shut" >&6; } if test $gl_cv_have_include_next = yes; then - gl_cv_next_sys_socket_h='<'sys/socket.h'>' + gl_cv_next_sys_select_h='<'sys/select.h'>' else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking absolute name of " >&5 -$as_echo_n "checking absolute name of ... " >&6; } -if ${gl_cv_next_sys_socket_h+:} false; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking absolute name of " >&5 +$as_echo_n "checking absolute name of ... " >&6; } +if ${gl_cv_next_sys_select_h+:} false; then : $as_echo_n "(cached) " >&6 else - if test $ac_cv_header_sys_socket_h = yes; then + if test $ac_cv_header_sys_select_h = yes; then cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#include +#include _ACEOF case "$host_os" in aix*) gl_absname_cpp="$ac_cpp -C" ;; @@ -33538,7 +34112,7 @@ _ACEOF ;; esac gl_make_literal_regex_sed='s,[]$^\\.*/[],\\&,g' - gl_header_literal_regex=`echo 'sys/socket.h' \ + gl_header_literal_regex=`echo 'sys/select.h' \ | sed -e "$gl_make_literal_regex_sed"` gl_absolute_header_sed="/${gl_dirsep_regex}${gl_header_literal_regex}/"'{ s/.*"\(.*'"${gl_dirsep_regex}${gl_header_literal_regex}"'\)".*/\1/ 
@@ -33547,123 +34121,40 @@ _ACEOF q }' - gl_cv_absolute_sys_socket_h=`(eval "$gl_absname_cpp conftest.$ac_ext") 2>&5 | + gl_cv_absolute_sys_select_h=`(eval "$gl_absname_cpp conftest.$ac_ext") 2>&5 | sed -n "$gl_absolute_header_sed"` - gl_header=$gl_cv_absolute_sys_socket_h - gl_cv_next_sys_socket_h='"'$gl_header'"' + gl_header=$gl_cv_absolute_sys_select_h + gl_cv_next_sys_select_h='"'$gl_header'"' else - gl_cv_next_sys_socket_h='<'sys/socket.h'>' + gl_cv_next_sys_select_h='<'sys/select.h'>' fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_next_sys_socket_h" >&5 -$as_echo "$gl_cv_next_sys_socket_h" >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_next_sys_select_h" >&5 +$as_echo "$gl_cv_next_sys_select_h" >&6; } fi - NEXT_SYS_SOCKET_H=$gl_cv_next_sys_socket_h + NEXT_SYS_SELECT_H=$gl_cv_next_sys_select_h if test $gl_cv_have_include_next = yes || test $gl_cv_have_include_next = buggy; then # INCLUDE_NEXT_AS_FIRST_DIRECTIVE='include_next' - gl_next_as_first_directive='<'sys/socket.h'>' + gl_next_as_first_directive='<'sys/select.h'>' else # INCLUDE_NEXT_AS_FIRST_DIRECTIVE='include' - gl_next_as_first_directive=$gl_cv_next_sys_socket_h + gl_next_as_first_directive=$gl_cv_next_sys_select_h fi - NEXT_AS_FIRST_DIRECTIVE_SYS_SOCKET_H=$gl_next_as_first_directive + NEXT_AS_FIRST_DIRECTIVE_SYS_SELECT_H=$gl_next_as_first_directive - if test $ac_cv_header_sys_socket_h = yes; then - HAVE_SYS_SOCKET_H=1 - HAVE_WS2TCPIP_H=0 + if test $ac_cv_header_sys_select_h = yes; then + HAVE_SYS_SELECT_H=1 else - HAVE_SYS_SOCKET_H=0 - if test $ac_cv_header_ws2tcpip_h = yes; then - HAVE_WS2TCPIP_H=1 - else - HAVE_WS2TCPIP_H=0 - fi - fi - - - - ac_fn_c_check_type "$LINENO" "struct sockaddr_storage" "ac_cv_type_struct_sockaddr_storage" " - /* sys/types.h is not needed according to POSIX, but the - sys/socket.h in i386-unknown-freebsd4.10 and - powerpc-apple-darwin5.5 required it. 
*/ -#include -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_WS2TCPIP_H -#include -#endif - -" -if test "x$ac_cv_type_struct_sockaddr_storage" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_SOCKADDR_STORAGE 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "sa_family_t" "ac_cv_type_sa_family_t" " - /* sys/types.h is not needed according to POSIX, but the - sys/socket.h in i386-unknown-freebsd4.10 and - powerpc-apple-darwin5.5 required it. */ -#include -#ifdef HAVE_SYS_SOCKET_H -#include -#endif -#ifdef HAVE_WS2TCPIP_H -#include -#endif - -" -if test "x$ac_cv_type_sa_family_t" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_SA_FAMILY_T 1 -_ACEOF - - -fi - - if test $ac_cv_type_struct_sockaddr_storage = no; then - HAVE_STRUCT_SOCKADDR_STORAGE=0 - fi - if test $ac_cv_type_sa_family_t = no; then - HAVE_SA_FAMILY_T=0 + HAVE_SYS_SELECT_H=0 fi - if test $ac_cv_type_struct_sockaddr_storage != no; then - ac_fn_c_check_member "$LINENO" "struct sockaddr_storage" "ss_family" "ac_cv_member_struct_sockaddr_storage_ss_family" "#include - #ifdef HAVE_SYS_SOCKET_H - #include - #endif - #ifdef HAVE_WS2TCPIP_H - #include - #endif -" -if test "x$ac_cv_member_struct_sockaddr_storage_ss_family" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY 1 -_ACEOF - - -else - HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY=0 -fi - - fi - if test $HAVE_STRUCT_SOCKADDR_STORAGE = 0 || test $HAVE_SA_FAMILY_T = 0 \ - || test $HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY = 0; then - SYS_SOCKET_H='sys/socket.h' - fi 
@@ -33699,7 +34190,7 @@ done - for gl_func in socket connect accept bind getpeername getsockname getsockopt listen recv send recvfrom sendto setsockopt shutdown accept4; do + for gl_func in pselect select; do as_gl_Symbol=`$as_echo "gl_cv_have_raw_decl_$gl_func" | $as_tr_sh` { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $gl_func is declared without a macro" >&5 $as_echo_n "checking whether $gl_func is declared without a macro... " >&6; } @@ -33711,7 +34202,10 @@ else /* Some systems require prerequisite headers. */ #include -#include +#if !(defined __GLIBC__ && !defined __UCLIBC__) && HAVE_SYS_TIME_H +# include +#endif +#include int main () @@ -33754,6 +34248,8 @@ fi + + : @@ -34955,6 +35451,14 @@ $as_echo "$gl_cv_cc_uninitialized_supported" >&6; } fi # List all gcc warning categories. + # To compare this list to your installed GCC's, run this Bash command: + # + # comm -3 \ + # <(sed -n 's/^ *\(-[^ ]*\) .*/\1/p' manywarnings.m4 | sort) \ + # <(gcc --help=warnings | sed -n 's/^ \(-[^ ]*\) .*/\1/p' | sort | + # grep -v -x -f <( + # awk '/^[^#]/ {print ws}' ../build-aux/gcc-warning.spec)) + gl_manywarn_set= for gl_manywarn_item in \ -W \ @@ -34973,6 +35477,7 @@ $as_echo "$gl_cv_cc_uninitialized_supported" >&6; } -Wcomments \ -Wcoverage-mismatch \ -Wcpp \ + -Wdate-time \ -Wdeprecated \ -Wdeprecated-declarations \ -Wdisabled-optimization \ @@ -35012,9 +35517,9 @@ $as_echo "$gl_cv_cc_uninitialized_supported" >&6; } -Wnarrowing \ -Wnested-externs \ -Wnonnull \ - -Wnormalized=nfc \ -Wold-style-declaration \ -Wold-style-definition \ + -Wopenmp-simd \ -Woverflow \ -Woverlength-strings \ -Woverride-init \ 
@@ -35065,13 +35570,26 @@ $as_echo "$gl_cv_cc_uninitialized_supported" >&6; } -Wvla \ -Wvolatile-register-var \ -Wwrite-strings \ - -fdiagnostics-show-option \ - -funit-at-a-time \ \ ; do gl_manywarn_set="$gl_manywarn_set $gl_manywarn_item" done + # gcc --help=warnings outputs an unusual form for this option; list + # it here so that the above 'comm' command doesn't report a false match. + gl_manywarn_set="$gl_manywarn_set -Wnormalized=nfc" + + # These are needed for older GCC versions. + if test -n "$GCC"; then + case `($CC --version) 2>/dev/null` in + 'gcc (GCC) '[0-3].* | \ + 'gcc (GCC) '4.[0-7].*) + gl_manywarn_set="$gl_manywarn_set -fdiagnostics-show-option" + gl_manywarn_set="$gl_manywarn_set -funit-at-a-time" + ;; + esac + fi + # Disable specific options as needed. if test "$gl_cv_cc_nomfi_needed" = yes; then gl_manywarn_set="$gl_manywarn_set -Wno-missing-field-initializers" @@ -45783,22 +46301,6 @@ else fi -# Check whether --enable-fips140-mode was given. -if test "${enable_fips140_mode+set}" = set; then : - enableval=$enable_fips140_mode; enable_fips=$enableval -else - enable_fips=no -fi - - if test "$enable_fips" = "yes"; then - ENABLE_FIPS140_TRUE= - ENABLE_FIPS140_FALSE='#' -else - ENABLE_FIPS140_TRUE='#' - ENABLE_FIPS140_FALSE= -fi - -if test "$enable_fips" = "yes" ;then @@ -46349,6 +46851,23 @@ $as_echo "$LIBDL" >&6; } + +# Check whether --enable-fips140-mode was given. +if test "${enable_fips140_mode+set}" = set; then : + enableval=$enable_fips140_mode; enable_fips=$enableval +else + enable_fips=no +fi + + if test "$enable_fips" = "yes"; then + ENABLE_FIPS140_TRUE= + ENABLE_FIPS140_FALSE='#' +else + ENABLE_FIPS140_TRUE='#' + ENABLE_FIPS140_FALSE= +fi + +if test "$enable_fips" = "yes" ;then if test "x$HAVE_LIBDL" = "xyes";then enable_self_checks=yes 
@@ -46385,6 +46904,14 @@ if test "$enable_non_suiteb" = "yes" ;then $as_echo "#define ENABLE_NON_SUITEB_CURVES 1" >>confdefs.h fi + if test "$enable_non_suiteb" = "yes"; then + ENABLE_NON_SUITEB_CURVES_TRUE= + ENABLE_NON_SUITEB_CURVES_FALSE='#' +else + ENABLE_NON_SUITEB_CURVES_TRUE='#' + ENABLE_NON_SUITEB_CURVES_FALSE= +fi + if test "$enable_self_checks" = "yes"; then ENABLE_SELF_CHECKS_TRUE= @@ -46400,6 +46927,50 @@ $as_echo "#define ENABLE_SELF_CHECKS 1" >>confdefs.h fi + +# Check whether --with-arcfour128 was given. +if test "${with_arcfour128+set}" = set; then : + withval=$with_arcfour128; enable_arcfour=$withval +else + enable_arcfour=no +fi + +if test "$enable_arcfour" = "yes" ;then + +$as_echo "#define ENABLE_ARCFOUR128 1" >>confdefs.h + +fi + if test "$enable_arcfour" = "yes"; then + ENABLE_ARCFOUR128_TRUE= + ENABLE_ARCFOUR128_FALSE='#' +else + ENABLE_ARCFOUR128_TRUE='#' + ENABLE_ARCFOUR128_FALSE= +fi + + + +# Check whether --with-ssl3 was given. +if test "${with_ssl3+set}" = set; then : + withval=$with_ssl3; enable_ssl3=$withval +else + enable_ssl3=no +fi + +if test "$enable_ssl3" = "yes" ;then + +$as_echo "#define ENABLE_SSL3 1" >>confdefs.h + +fi + if test "$enable_ssl3" = "yes"; then + ENABLE_SSL3_TRUE= + ENABLE_SSL3_FALSE='#' +else + ENABLE_SSL3_TRUE='#' + ENABLE_SSL3_FALSE= +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build libdane" >&5 $as_echo_n "checking whether to build libdane... " >&6; } # Check whether --enable-libdane was given. @@ -46478,7 +47049,11 @@ else if test -f /var/lib/unbound/root.key;then unbound_root_key_file="/var/lib/unbound/root.key" else - unbound_root_key_file="/etc/unbound/root.key" + if test -f /usr/share/dns/root.key;then + unbound_root_key_file="/usr/share/dns/root.key" + else + unbound_root_key_file="/etc/unbound/root.key" + fi fi fi 
@@ -46507,7 +47082,8 @@ cat >>confdefs.h <<_ACEOF _ACEOF -P11_KIT_MINIMUM=0.20.0 + +P11_KIT_MINIMUM=0.20.7 # Check whether --with-p11-kit was given. if test "${with_p11_kit+set}" = set; then : @@ -46595,6 +47171,14 @@ $as_echo "#define ENABLE_PKCS11 1" >>confdefs.h else GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, p11-kit-1" fi + if ! $PKG_CONFIG --atleast-version=0.22.0 p11-kit-1; then + with_buggy_p11_kit=yes + fi + if $PKG_CONFIG --atleast-version=0.23.1 p11-kit-1; then + +$as_echo "#define P11_KIT_HAS_PIN_VALUE 1" >>confdefs.h + + fi else with_p11_kit=no { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: @@ -46618,6 +47202,14 @@ else ENABLE_PKCS11_FALSE= fi + if test "$with_buggy_p11_kit" = "yes"; then + HAVE_BUGGY_P11_KIT_TRUE= + HAVE_BUGGY_P11_KIT_FALSE='#' +else + HAVE_BUGGY_P11_KIT_TRUE='#' + HAVE_BUGGY_P11_KIT_FALSE= +fi + # Check whether --with-tpm was given. @@ -46683,6 +47275,37 @@ else fi +for l in /usr/lib64 /usr/lib /lib64 /lib /usr/lib/x86_64-linux-gnu/; do + if test -f "${l}/libtspi.so.1";then + default_trousers_lib="${l}/libtspi.so.1" + break + fi +done + + +# Check whether --with-trousers-lib was given. +if test "${with_trousers_lib+set}" = set; then : + withval=$with_trousers_lib; ac_trousers_lib=$withval +else + ac_trousers_lib=$default_trousers_lib +fi + + +if test "$with_tpm" != "no" && test -z "$ac_trousers_lib"; then + as_fn_error $? " + *** + *** unable to find trousers library, please specify with --with-trousers-lib= + *** + " "$LINENO" 5 +fi + + +cat >>confdefs.h <<_ACEOF +#define TROUSERS_LIB "$ac_trousers_lib" +_ACEOF + + + ac_header_dirent=no 
@@ -46931,6 +47554,62 @@ fi done + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working stdnoreturn.h" >&5 +$as_echo_n "checking for working stdnoreturn.h... " >&6; } +if ${gl_cv_header_working_stdnoreturn_h+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + #include + /* Do not check for 'noreturn' after the return type. + C11 allows it, but it's rarely done that way + and circa-2012 bleeding-edge GCC rejects it when given + -Werror=old-style-declaration. */ + noreturn void foo1 (void) { exit (0); } + _Noreturn void foo2 (void) { exit (0); } + int testit (int argc, char **argv) { + if (argc & 1) + return 0; + (argv[0][0] ? foo1 : foo2) (); + } + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + gl_cv_header_working_stdnoreturn_h=yes +else + gl_cv_header_working_stdnoreturn_h=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_header_working_stdnoreturn_h" >&5 +$as_echo "$gl_cv_header_working_stdnoreturn_h" >&6; } + + if test $gl_cv_header_working_stdnoreturn_h = yes; then + STDNORETURN_H='' + else + STDNORETURN_H='stdnoreturn.h' + fi + + + if test -n "$STDNORETURN_H"; then + GL_GENERATE_STDNORETURN_H_TRUE= + GL_GENERATE_STDNORETURN_H_FALSE='#' +else + GL_GENERATE_STDNORETURN_H_TRUE='#' + GL_GENERATE_STDNORETURN_H_FALSE= +fi + + + # ---------------------------------------------------------------------- # check for various programs used during the build. # On OS/X, "wchar.h" needs "runetype.h" to work properly. 
@@ -47123,37 +47802,46 @@ _ACEOF fi +ac_fn_c_check_type "$LINENO" "ptrdiff_t" "ac_cv_type_ptrdiff_t" "$ac_includes_default" +if test "x$ac_cv_type_ptrdiff_t" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_PTRDIFF_T 1 +_ACEOF + + +fi # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of char*" >&5 -$as_echo_n "checking size of char*... " >&6; } -if ${ac_cv_sizeof_charp+:} false; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of char *" >&5 +$as_echo_n "checking size of char *... " >&6; } +if ${ac_cv_sizeof_char_p+:} false; then : $as_echo_n "(cached) " >&6 else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (char*))" "ac_cv_sizeof_charp" "$ac_includes_default"; then : + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (char *))" "ac_cv_sizeof_char_p" "$ac_includes_default"; then : else - if test "$ac_cv_type_charp" = yes; then + if test "$ac_cv_type_char_p" = yes; then { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (char*) +as_fn_error 77 "cannot compute sizeof (char *) See \`config.log' for more details" "$LINENO" 5; } else - ac_cv_sizeof_charp=0 + ac_cv_sizeof_char_p=0 fi fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_charp" >&5 -$as_echo "$ac_cv_sizeof_charp" >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_char_p" >&5 +$as_echo "$ac_cv_sizeof_char_p" >&6; } cat >>confdefs.h <<_ACEOF -#define SIZEOF_CHARP $ac_cv_sizeof_charp +#define SIZEOF_CHAR_P $ac_cv_sizeof_char_p _ACEOF 
@@ -47902,14 +48590,14 @@ fi Xyes|Xno|X ) case "X${libopts_cv_with_libregex_root}" in Xyes|Xno|X ) libopts_cv_with_libregex_cflags=no ;; - * ) libopts_cv_with_libregex_cflags=-I${libopts_cv_with_libregex_root}/include ;; + * ) libopts_cv_with_libregex_cflags=-I${libopts_cv_with_libregex_root}/include ;; esac esac case "X${libopts_cv_with_libregex_libs}" in Xyes|Xno|X ) case "X${libopts_cv_with_libregex_root}" in Xyes|Xno|X ) libopts_cv_with_libregex_libs=no ;; - * ) libopts_cv_with_libregex_libs="-L${libopts_cv_with_libregex_root}/lib -lregex";; + * ) libopts_cv_with_libregex_libs="-L${libopts_cv_with_libregex_root}/lib -lregex" ;; esac esac libopts_save_CPPFLAGS="${CPPFLAGS}" @@ -47943,7 +48631,7 @@ else #include #include REGEX_HEADER static regex_t re; -void comp_re( char const* pzPat ) { +void comp_re(char const * pzPat) { int res = regcomp( &re, pzPat, REG_EXTENDED|REG_ICASE|REG_NEWLINE ); if (res == 0) return; exit( res ); } @@ -48006,8 +48694,8 @@ else /* end confdefs.h. */ #include #include -int main (int argc, char** argv) { - char* pz = pathfind( getenv( "PATH" ), "sh", "x" ); +int main (int argc, char ** argv) { + char * pz = pathfind( getenv( "PATH" ), "sh", "x" ); return (pz == 0) ? 1 : 0; } _ACEOF @@ -48079,7 +48767,7 @@ else /* end confdefs.h. */ #include #include -int main (int argc, char** argv) { +int main (int argc, char ** argv) { #ifndef PATH_MAX choke me!! #else @@ -48182,8 +48870,8 @@ else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include -int main (int argc, char** argv) { -FILE* fp = fopen("conftest.$ac_ext", "rb"); +int main (int argc, char ** argv) { +FILE * fp = fopen("conftest.$ac_ext", "rb"); return (fp == NULL) ? 1 : fclose(fp); } _ACEOF if ac_fn_c_try_run "$LINENO"; then : 
@@ -48228,8 +48916,8 @@ else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include -int main (int argc, char** argv) { -FILE* fp = fopen("conftest.$ac_ext", "rt"); +int main (int argc, char ** argv) { +FILE * fp = fopen("conftest.$ac_ext", "rt"); return (fp == NULL) ? 1 : fclose(fp); } _ACEOF if ac_fn_c_try_run "$LINENO"; then : @@ -49025,11 +49713,26 @@ _ACEOF fi +# Check whether --with-default-trust-store-dir was given. +if test "${with_default_trust_store_dir+set}" = set; then : + withval=$with_default_trust_store_dir; +fi + + +if test "x$with_default_trust_store_dir" != x; then + +cat >>confdefs.h <<_ACEOF +#define DEFAULT_TRUST_STORE_DIR "$with_default_trust_store_dir" +_ACEOF + +fi + + # Check whether --with-default-trust-store-file was given. if test "${with_default_trust_store_file+set}" = set; then : withval=$with_default_trust_store_file; with_default_trust_store_file="$withval" else - if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x;then + if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then for i in \ /etc/ssl/ca-bundle.pem \ /etc/ssl/certs/ca-certificates.crt \ @@ -49888,6 +50591,10 @@ if test -z "${ELF_TRUE}" && test -z "${ELF_FALSE}"; then as_fn_error $? "conditional \"ELF\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${ENABLE_PADLOCK_TRUE}" && test -z "${ENABLE_PADLOCK_FALSE}"; then + as_fn_error $? "conditional \"ENABLE_PADLOCK\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${ASM_X86_64_TRUE}" && test -z "${ASM_X86_64_FALSE}"; then as_fn_error $? "conditional \"ASM_X86_64\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
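Review bot: the added `&& test x$with_default_trust_store_dir = x` condition means that passing --with-default-trust-store-dir suppresses the ca-bundle autodetection loop entirely, so the directory and file stores become mutually exclusive unless both are given explicitly; that behaviour is not visible from the --help text and should be stated there. The DEFAULT_TRUST_STORE_DIR value is also written into confdefs.h with no check that the directory exists, whereas the file default is only selected after `test -f` probes succeed; a warning at configure time when the directory is absent would catch typos early. The new ENABLE_PADLOCK sanity check is fine as long as the AM_CONDITIONAL in configure.ac is invoked on every path.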
@@ -49912,6 +50619,10 @@ if test -z "${ENABLE_NETTLE_TRUE}" && test -z "${ENABLE_NETTLE_FALSE}"; then as_fn_error $? "conditional \"ENABLE_NETTLE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_NETTLE3_TRUE}" && test -z "${USE_NETTLE3_FALSE}"; then + as_fn_error $? "conditional \"USE_NETTLE3\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${ENABLE_MINITASN1_TRUE}" && test -z "${ENABLE_MINITASN1_FALSE}"; then as_fn_error $? "conditional \"ENABLE_MINITASN1\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
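Review bot: this sanity check requires the USE_NETTLE3 automake conditional to be defined on every configure path, but no AM_CONDITIONAL(USE_NETTLE3, ...) appears in any configure.ac hunk of this patch; it must live in a macro file outside this excerpt, so confirm it is invoked unconditionally there, otherwise configure aborts with the "was never defined" error whenever the other branch is taken.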
@@ -50148,10 +50859,22 @@ if test -z "${ENABLE_FIPS140_TRUE}" && test -z "${ENABLE_FIPS140_FALSE}"; then as_fn_error $? "conditional \"ENABLE_FIPS140\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${ENABLE_NON_SUITEB_CURVES_TRUE}" && test -z "${ENABLE_NON_SUITEB_CURVES_FALSE}"; then + as_fn_error $? "conditional \"ENABLE_NON_SUITEB_CURVES\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${ENABLE_SELF_CHECKS_TRUE}" && test -z "${ENABLE_SELF_CHECKS_FALSE}"; then as_fn_error $? "conditional \"ENABLE_SELF_CHECKS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${ENABLE_ARCFOUR128_TRUE}" && test -z "${ENABLE_ARCFOUR128_FALSE}"; then + as_fn_error $? "conditional \"ENABLE_ARCFOUR128\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${ENABLE_SSL3_TRUE}" && test -z "${ENABLE_SSL3_FALSE}"; then + as_fn_error $? "conditional \"ENABLE_SSL3\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${ENABLE_DANE_TRUE}" && test -z "${ENABLE_DANE_FALSE}"; then as_fn_error $? "conditional \"ENABLE_DANE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -50160,10 +50883,18 @@ if test -z "${ENABLE_PKCS11_TRUE}" && test -z "${ENABLE_PKCS11_FALSE}"; then as_fn_error $? "conditional \"ENABLE_PKCS11\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${HAVE_BUGGY_P11_KIT_TRUE}" && test -z "${HAVE_BUGGY_P11_KIT_FALSE}"; then + as_fn_error $? "conditional \"HAVE_BUGGY_P11_KIT\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${ENABLE_TROUSERS_TRUE}" && test -z "${ENABLE_TROUSERS_FALSE}"; then as_fn_error $? "conditional \"ENABLE_TROUSERS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${GL_GENERATE_STDNORETURN_H_TRUE}" && test -z "${GL_GENERATE_STDNORETURN_H_FALSE}"; then + as_fn_error $? "conditional \"GL_GENERATE_STDNORETURN_H\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${INSTALL_LIBOPTS_TRUE}" && test -z "${INSTALL_LIBOPTS_FALSE}"; then as_fn_error $? "conditional \"INSTALL_LIBOPTS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -50585,7 +51316,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by GnuTLS $as_me 3.3.5, which was +This file was extended by GnuTLS $as_me 3.3.27, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -50655,7 +51386,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -GnuTLS config.status 3.3.5 +GnuTLS config.status 3.3.27 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
@@ -52918,6 +53649,7 @@ fi Local libopts: ${enable_local_libopts} Local libtasn1: ${included_libtasn1} Use nettle-mini: ${mini_nettle} + nettle-version: ${nettle_version} " >&5 $as_echo "$as_me: summary of build options: @@ -52931,12 +53663,14 @@ $as_echo "$as_me: summary of build options: Local libopts: ${enable_local_libopts} Local libtasn1: ${included_libtasn1} Use nettle-mini: ${mini_nettle} + nettle-version: ${nettle_version} " >&6;} { $as_echo "$as_me:${as_lineno-$LINENO}: External hardware support: /dev/crypto: $enable_cryptodev Hardware accel: $hw_accel + Padlock accel: $use_padlock PKCS#11 support: $with_p11_kit TPM support: $with_tpm " >&5 @@ -52944,9 +53678,18 @@ $as_echo "$as_me: External hardware support: /dev/crypto: $enable_cryptodev Hardware accel: $hw_accel + Padlock accel: $use_padlock PKCS#11 support: $with_p11_kit TPM support: $with_tpm " >&6;} +if test -n "$ac_trousers_lib";then +{ $as_echo "$as_me:${as_lineno-$LINENO}: + TPM library: $ac_trousers_lib +" >&5 +$as_echo "$as_me: + TPM library: $ac_trousers_lib +" >&6;} +fi { $as_echo "$as_me:${as_lineno-$LINENO}: Optional features: (note that included applications might not compile properly @@ -53018,6 +53761,7 @@ $as_echo "$as_me: Optional libraries: { $as_echo "$as_me:${as_lineno-$LINENO}: System files: Trust store pkcs11: $with_default_trust_store_pkcs11 + Trust store dir: $with_default_trust_store_dir Trust store file: $with_default_trust_store_file Blacklist file: $with_default_blacklist_file CRL file: $with_default_crl_file @@ -53027,6 +53771,7 @@ $as_echo "$as_me: Optional libraries: $as_echo "$as_me: System files: Trust store pkcs11: $with_default_trust_store_pkcs11 + Trust store dir: $with_default_trust_store_dir Trust store file: $with_default_trust_store_file Blacklist file: $with_default_blacklist_file CRL file: $with_default_crl_file diff --git a/configure.ac b/configure.ac index 25796ca..03fa174 100644 --- a/configure.ac +++ b/configure.ac 
@@ -21,12 +21,12 @@ dnl Process this file with autoconf to produce a configure script. # USA AC_PREREQ(2.61) -AC_INIT([GnuTLS], [3.3.5], [bugs@gnutls.org]) +AC_INIT([GnuTLS], [3.3.27], [bugs@gnutls.org]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_MACRO_DIR([m4]) AC_CANONICAL_HOST -AM_INIT_AUTOMAKE([1.12.2 subdir-objects no-dist-gzip dist-xz dist-lzip -Wall -Wno-override]) +AM_INIT_AUTOMAKE([1.12.2 subdir-objects no-dist-gzip dist-xz -Wall -Wno-override]) m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) AC_CONFIG_HEADERS([config.h]) @@ -35,6 +35,7 @@ AC_MSG_RESULT([*** ]) dnl Checks for programs. +PKG_PROG_PKG_CONFIG AC_PROG_CC gl_EARLY ggl_EARLY @@ -43,8 +44,11 @@ AM_PROG_AR AC_PROG_CXX AM_PROG_CC_C_O AC_PROG_YACC +AC_PROG_SED AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [/bin/true]) +AC_USE_SYSTEM_EXTENSIONS + if test x"$AUTOGEN" = "x/bin/true"; then AC_MSG_WARN([[ *** @@ -77,6 +81,7 @@ AM_CONDITIONAL(ENABLE_CXX, test "$use_cxx" != "no") AM_CONDITIONAL(WANT_TEST_SUITE, [test -f tests/suite/mini-eagain2.c]) dnl Detect windows build +use_accel=yes case "$host" in *mingw32* | *mingw64*) have_win=yes @@ -84,6 +89,14 @@ case "$host" in *darwin*) have_macosx=yes ;; + *solaris*) + use_accel=no + AC_MSG_WARN([[ +*** +*** In solaris hardware acceleration is disabled by default due to issues +*** with the assembler. Use --enable-hardware-acceleration to enable it. +*** ]]) + ;; *) have_elf=yes ;; @@ -96,7 +109,7 @@ AM_CONDITIONAL(ELF, test "$have_elf" = yes) dnl Hardware Acceleration AC_ARG_ENABLE(hardware-acceleration, AS_HELP_STRING([--disable-hardware-acceleration], [unconditionally disable hardware acceleration]), - use_accel=$enableval, use_accel=yes) + use_accel=$enableval) hw_accel=none 
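Review bot: dropping dist-lzip from AM_INIT_AUTOMAKE means `make dist` now produces only the .tar.xz tarball, so any release or packaging script that fetched or verified a .tar.lz artifact will break; call this out in NEWS. The Solaris branch sets use_accel=no and the explicit default was removed from AC_ARG_ENABLE(hardware-acceleration), which is only correct because `use_accel=yes` is now assigned just before the case statement; a one-line comment there would stop someone from "restoring" the default in the macro and silently re-enabling the assembler on Solaris. AC_USE_SYSTEM_EXTENSIONS is placed after AC_PROG_CC and AC_PROG_YACC; autoconf expects it before any macro that runs the compiler and gl_EARLY already requires it, so either move it up next to PKG_PROG_PKG_CONFIG or drop the explicit call.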
@@ -116,6 +129,15 @@ esac fi +AC_ARG_ENABLE(padlock, + AS_HELP_STRING([--disable-padlock], [unconditionally disable padlock acceleration]), + use_padlock=$enableval, use_padlock=yes) + +if test "$use_padlock" != "no"; then + AC_DEFINE([ENABLE_PADLOCK], 1, [Enable padlock acceleration]) + AC_SUBST([ENABLE_PADLOCK]) +fi +AM_CONDITIONAL(ENABLE_PADLOCK, test "$use_padlock" = "yes") AM_CONDITIONAL(ASM_X86_64, test x"$hw_accel" = x"x86-64") AM_CONDITIONAL(ASM_X86_32, test x"$hw_accel" = x"x86") AM_CONDITIONAL(ASM_X86, test x"$hw_accel" = x"x86" || test x"$hw_accel" = x"x86-64") @@ -145,7 +167,30 @@ AC_C_BIGENDIAN dnl No fork on MinGW, disable some self-tests until we fix them. dnl Check clock_gettime and pthread_mutex_lock in libc (avoid linking to other libs) -AC_CHECK_FUNCS([fork getrusage getpwuid_r nanosleep daemon getpid clock_gettime iconv localtime vasprintf],,) +AC_CHECK_FUNCS([secure_getenv fork inet_ntop inet_pton getrusage getpwuid_r nanosleep daemon getpid clock_gettime iconv localtime vasprintf],,) +if test "$ac_cv_func_vasprintf" != "yes";then + AC_MSG_CHECKING([for va_copy]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([ + #include + va_list a;],[ + va_list b; + va_copy(b,a); + va_end(b);])], + [AC_DEFINE(HAVE_VA_COPY, 1, [Have va_copy()]) + AC_MSG_RESULT(va_copy)], + [AC_LINK_IFELSE([AC_LANG_PROGRAM([ + #include + va_list a;],[ + va_list b; + __va_copy(b,a); + va_end(b);])], + [AC_DEFINE(HAVE___VA_COPY, 1, [Have __va_copy()]) + AC_MSG_RESULT(__va_copy)], + [AC_MSG_RESULT(no) + AC_MSG_ERROR([Your system lacks vasprintf() and va_copy()])]) + ]) +fi + AM_CONDITIONAL(HAVE_FORK, test "$ac_cv_func_fork" != "no") AC_LIB_HAVE_LINKFLAGS(rt,, [#include 
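Review bot: the padlock option is inconsistent between the preprocessor define and the automake conditional: `if test "$use_padlock" != "no"` sets ENABLE_PADLOCK, but `AM_CONDITIONAL(ENABLE_PADLOCK, test "$use_padlock" = "yes")` only fires for the exact value yes, so any other value AC_ARG_ENABLE passes through (for example --enable-padlock=auto) compiles the C side with padlock enabled while the padlock sources are left out of the build. Use the same `!= "no"` test in both places. Also, `AC_SUBST([ENABLE_PADLOCK])` substitutes a shell variable that is never assigned (AC_DEFINE only emits the C macro), so @ENABLE_PADLOCK@ will always expand to empty in the Makefiles; either assign the variable or drop the AC_SUBST. The va_copy fallback probe is fine, and adding secure_getenv to AC_CHECK_FUNCS is a good hardening step for privileged callers.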
@@ -164,6 +209,10 @@ if test "$ac_cv_func_nanosleep" != "yes";then gnutls_needs_librt=yes fi +if test "$ac_cv_func_inet_pton" != "yes";then + AC_LIB_HAVE_LINKFLAGS(nsl,, [#include ], [inet_pton(0,0,0);]) +fi + if test "$ac_cv_func_clock_gettime" != "yes";then AC_LIB_HAVE_LINKFLAGS(rt,, [#include ], [clock_gettime (0, 0);]) gnutls_needs_librt=yes @@ -268,12 +317,13 @@ AC_ARG_ENABLE(self-checks, AS_HELP_STRING([--enable-self-checks], [enable self checking functionality]), enable_self_checks=$enableval, enable_self_checks=no) +AC_LIB_HAVE_LINKFLAGS(dl,, [#include ], [dladdr (0, 0);]) + AC_ARG_ENABLE(fips140-mode, AS_HELP_STRING([--enable-fips140-mode], [enable FIPS140-2 mode (implies self checks)]), enable_fips=$enableval, enable_fips=no) AM_CONDITIONAL(ENABLE_FIPS140, test "$enable_fips" = "yes") if [ test "$enable_fips" = "yes" ];then - AC_LIB_HAVE_LINKFLAGS(dl,, [#include ], [dladdr (0, 0);]) if test "x$HAVE_LIBDL" = "xyes";then enable_self_checks=yes 
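Review bot: moving AC_LIB_HAVE_LINKFLAGS(dl, ...) out of the `enable_fips = yes` block makes the dladdr probe run on every configure, so HAVE_LIBDL and LIBDL are now set even when neither FIPS mode nor self-checks are requested; that is harmless only if the Makefiles consume $(LTLIBDL) solely under ENABLE_FIPS140 or ENABLE_SELF_CHECKS, so verify that, otherwise libgnutls picks up an unneeded -ldl dependency. The libnsl probe for inet_pton is correctly limited to the case where the libc check fails, but the header name in its `#include` is blank in this rendering, so check the real file has the header the probe needs.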
@@ -296,12 +346,29 @@ AC_ARG_ENABLE(non-suiteb-curves, if [ test "$enable_non_suiteb" = "yes" ];then AC_DEFINE([ENABLE_NON_SUITEB_CURVES], 1, [Enable all curves]) fi +AM_CONDITIONAL(ENABLE_NON_SUITEB_CURVES, test "$enable_non_suiteb" = "yes") AM_CONDITIONAL(ENABLE_SELF_CHECKS, test "$enable_self_checks" = "yes") if [ test "$enable_self_checks" = "yes" ];then AC_DEFINE([ENABLE_SELF_CHECKS], 1, [Self checks are included in the library]) fi +AC_ARG_WITH(arcfour128, + AS_HELP_STRING([--with-arcfour128], [include ARCFOUR128 in priority strings]), + enable_arcfour=$withval, enable_arcfour=no) +if [ test "$enable_arcfour" = "yes" ];then + AC_DEFINE([ENABLE_ARCFOUR128], 1, [Enable ARCFOUR128]) +fi +AM_CONDITIONAL(ENABLE_ARCFOUR128, test "$enable_arcfour" = "yes") + +AC_ARG_WITH(ssl3, + AS_HELP_STRING([--with-ssl3], [include SSL3.0 in priority strings]), + enable_ssl3=$withval, enable_ssl3=no) +if [ test "$enable_ssl3" = "yes" ];then + AC_DEFINE([ENABLE_SSL3], 1, [Enable SSL3.0]) +fi +AM_CONDITIONAL(ENABLE_SSL3, test "$enable_ssl3" = "yes") + AC_MSG_CHECKING([whether to build libdane]) AC_ARG_ENABLE(libdane, AS_HELP_STRING([--disable-libdane], @@ -341,7 +408,11 @@ else if test -f /var/lib/unbound/root.key;then unbound_root_key_file="/var/lib/unbound/root.key" else - unbound_root_key_file="/etc/unbound/root.key" + if test -f /usr/share/dns/root.key;then + unbound_root_key_file="/usr/share/dns/root.key" + else + unbound_root_key_file="/etc/unbound/root.key" + fi fi fi ) @@ -358,8 +429,9 @@ system_priority_file="/etc/gnutls/default-priorities" AC_DEFINE_UNQUOTED([SYSTEM_PRIORITY_FILE], ["$system_priority_file"], [The system priority file]) + dnl Check for p11-kit -P11_KIT_MINIMUM=0.20.0 +P11_KIT_MINIMUM=0.20.7 AC_ARG_WITH(p11-kit, AS_HELP_STRING([--without-p11-kit], [Build without p11-kit and PKCS#11 support])) 
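Review bot: --with-arcfour128 and --with-ssl3 are feature toggles but use AC_ARG_WITH, while the neighbouring toggles (self-checks, fips140-mode, non-suiteb-curves) use AC_ARG_ENABLE; autoconf convention reserves --with-* for external packages, so these should be --enable-arcfour128 / --enable-ssl3 for consistency. The security direction is right: both default to no, so SSL 3.0 and ARCFOUR128 stay out of the default priority strings unless a distributor opts in, but the help strings should say plainly that the option weakens the defaults rather than merely "include ... in priority strings". The unbound root key lookup now prefers /usr/share/dns/root.key when present; because the choice is made from the build host's filesystem and compiled in, a cross or chroot build silently encodes whichever path existed on the build machine, so the chosen path should appear in the configure summary.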
@@ -372,6 +444,12 @@ if test "$with_p11_kit" != "no"; then else GNUTLS_REQUIRES_PRIVATE="${GNUTLS_REQUIRES_PRIVATE}, p11-kit-1" fi + if ! $PKG_CONFIG --atleast-version=0.22.0 p11-kit-1; then + with_buggy_p11_kit=yes + fi + if $PKG_CONFIG --atleast-version=0.23.1 p11-kit-1; then + AC_DEFINE([P11_KIT_HAS_PIN_VALUE], 1, [p11-kit supports p11_kit_uri_get_pin_value()]) + fi else with_p11_kit=no AC_MSG_WARN([[ @@ -383,6 +461,7 @@ if test "$with_p11_kit" != "no"; then fi AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no") +AM_CONDITIONAL(HAVE_BUGGY_P11_KIT, test "$with_buggy_p11_kit" = "yes") AC_ARG_WITH(tpm, AS_HELP_STRING([--without-tpm], @@ -412,6 +491,28 @@ fi AM_CONDITIONAL(ENABLE_TROUSERS, test "$with_tpm" != "no") +for l in /usr/lib64 /usr/lib /lib64 /lib /usr/lib/x86_64-linux-gnu/; do + if test -f "${l}/libtspi.so.1";then + default_trousers_lib="${l}/libtspi.so.1" + break + fi +done + +AC_ARG_WITH(trousers-lib, AS_HELP_STRING([--with-trousers-lib=LIB], + [set the location of the trousers library]), + ac_trousers_lib=$withval, ac_trousers_lib=$default_trousers_lib) + +if test "$with_tpm" != "no" && test -z "$ac_trousers_lib"; then + AC_MSG_ERROR([[ + *** + *** unable to find trousers library, please specify with --with-trousers-lib= + *** + ]]) +fi + +AC_DEFINE_UNQUOTED(TROUSERS_LIB, ["$ac_trousers_lib"], [the location of the trousers library]) +AC_SUBST(TROUSERS_LIB) + LIBOPTS_CHECK([src/libopts]) if test "$NEED_LIBOPTS_DIR" = "true";then dnl replace libopts-generated files with distributed backups, if present 
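Review bot: HAVE_BUGGY_P11_KIT is set for any p11-kit older than 0.22.0 but nothing here records which bug is being worked around; add a comment naming the issue so the conditional can be retired once P11_KIT_MINIMUM passes 0.22.0. Both version tests call `$PKG_CONFIG` directly; if pkg-config is missing the variable is empty, the first test becomes `! --atleast-version=0.22.0 p11-kit-1`, the shell reports command not found and the negation marks p11-kit as buggy, so guard with `test -n "$PKG_CONFIG"` or use PKG_CHECK_EXISTS. The trousers search hard-codes a fixed directory list ending in /usr/lib/x86_64-linux-gnu/, so multiarch layouts for other architectures and any non-FHS prefix hit the "unable to find trousers library" error unless --with-trousers-lib is given, and the absolute path is then baked in through TROUSERS_LIB, which a chroot or cross build will get wrong; consider deriving the directory from the TSS_LIBS pkg-config result or from $libdir. Note also that AC_DEFINE_UNQUOTED(TROUSERS_LIB, ...) runs even when with_tpm=no, leaving an empty TROUSERS_LIB string in config.h.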
@@ -492,11 +593,20 @@ if test "x$with_default_trust_store_pkcs11" != x; then ["$with_default_trust_store_pkcs11"], [use the given pkcs11 uri as default trust store]) fi +AC_ARG_WITH([default-trust-store-dir], + [AS_HELP_STRING([--with-default-trust-store-dir=DIR], + [use the given directory as default trust store])]) + +if test "x$with_default_trust_store_dir" != x; then + AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_DIR], + ["$with_default_trust_store_dir"], [use the given directory as default trust store]) +fi + dnl auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html AC_ARG_WITH([default-trust-store-file], [AS_HELP_STRING([--with-default-trust-store-file=FILE], [use the given file default trust store])], with_default_trust_store_file="$withval", - [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x;then + [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then for i in \ /etc/ssl/ca-bundle.pem \ /etc/ssl/certs/ca-certificates.crt \ @@ -775,15 +885,22 @@ AC_MSG_NOTICE([summary of build options: Local libopts: ${enable_local_libopts} Local libtasn1: ${included_libtasn1} Use nettle-mini: ${mini_nettle} + nettle-version: ${nettle_version} ]) AC_MSG_NOTICE([External hardware support: /dev/crypto: $enable_cryptodev Hardware accel: $hw_accel + Padlock accel: $use_padlock PKCS#11 support: $with_p11_kit TPM support: $with_tpm ]) +if test -n "$ac_trousers_lib";then +AC_MSG_NOTICE([ + TPM library: $ac_trousers_lib +]) +fi AC_MSG_NOTICE([Optional features: (note that included applications might not compile properly @@ -823,6 +940,7 @@ AC_MSG_NOTICE([Optional libraries: AC_MSG_NOTICE([System files: Trust store pkcs11: $with_default_trust_store_pkcs11 + Trust store dir: $with_default_trust_store_dir Trust store file: $with_default_trust_store_file Blacklist file: $with_default_blacklist_file CRL file: $with_default_crl_file 
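Review bot: the new --with-default-trust-store-dir value is passed straight into AC_DEFINE_UNQUOTED with no validation: a relative path would be resolved against the cwd of whatever process loads the trust store at runtime, and a value containing a double quote breaks the generated config.h, so reject anything not matching `/*` and warn when the directory does not exist at configure time. Unlike the file default, which is only chosen after `test -f` probes, the directory is trusted as given. While touching this block, the existing help text "use the given file default trust store" is missing "as"; the new directory option gets it right, so align the two strings.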
diff --git a/doc/Makefile.am b/doc/Makefile.am index d132751..e531e06 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -62,7 +62,7 @@ invoke-certtool.texi: $(top_srcdir)/src/certtool-args.def invoke-gnutls-serv.tex fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsubheading/g' \ -e 's/@section/@subsection/g' $@.tmp > $@ && \ rm -f $@.tmp @@ -73,7 +73,7 @@ invoke-ocsptool.texi: $(top_srcdir)/src/ocsptool-args.def invoke-certtool.texi fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsubheading/g' \ -e 's/@section/@subsection/g' $@.tmp > $@ && \ rm -f $@.tmp @@ -84,7 +84,7 @@ invoke-danetool.texi: $(top_srcdir)/src/danetool-args.def invoke-ocsptool.texi fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsubheading/g' \ -e 's/@section/@subsection/g' $@.tmp > $@ && \ rm -f $@.tmp @@ -95,7 +95,7 @@ invoke-srptool.texi: $(top_srcdir)/src/srptool-args.def invoke-danetool.texi fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsubheading/g' \ -e 's/@section/@subsubsection/g' $@.tmp > $@ && \ rm -f $@.tmp @@ -106,7 +106,7 @@ invoke-psktool.texi: $(top_srcdir)/src/psktool-args.def invoke-srptool.texi fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsubheading/g' \ -e 's/@section/@subsubsection/g' $@.tmp > $@ && \ rm -f $@.tmp 
@@ -117,7 +117,7 @@ invoke-p11tool.texi: $(top_srcdir)/src/p11tool-args.def invoke-psktool.texi fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsection/g' \ -e 's/@section/@subsection/g' $@.tmp > $@ && \ rm -f $@.tmp @@ -128,7 +128,7 @@ invoke-tpmtool.texi: $(top_srcdir)/src/tpmtool-args.def invoke-p11tool.texi fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsection/g' \ -e 's/@section/@subsection/g' $@.tmp > $@ && \ rm -f $@.tmp @@ -405,9 +405,9 @@ stamp_functions: $(API_FILES) for i in $^; do \ $(srcdir)/scripts/split-texi.pl functions < $$i; \ done - sed -i 's/\@anchor{.*//g' functions/* - sed -i 's/\@subheading.*//g' functions/* - cd functions && for i in *;do grep ^"@deftypefun" $$i | sed 's/@deftypefun/@item/g;s/ {/ @var{/;s/ {/ @ref{/' > ../functions/$$i.short;done + $(SED) -i 's/\@anchor{.*//g' functions/* + $(SED) -i 's/\@subheading.*//g' functions/* + cd functions && for i in *;do grep ^"@deftypefun" $$i | $(SED) 's/@deftypefun/@item/g;s/ {/ @var{/;s/ {/ @ref{/' > ../functions/$$i.short;done echo $@ > $@ stamp_enums: enums.texi @@ -438,7 +438,7 @@ compare-makefile: enums.texi @echo "******************************************************************************" @echo "If the following step fails copy $(srcdir)/doc/tmp-compare-makefile to doc/Makefile.am" @echo "******************************************************************************" - ENUMS=`grep '^@c ' $< | sed 's/@c //g' | sort -d`; \ + ENUMS=`grep '^@c ' $< | $(SED) 's/@c //g' | sort -d`; \ STR=""; \ for i in $$ENUMS; do \ STR="$$STR\nENUMS += enums/$$i"; \ 
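Review bot: the invoke-p11tool.texi and invoke-tpmtool.texi rules now map @subheading to @subsection while every other invoke-*.texi rule in this file maps it to @subsubheading; if the different nesting is intentional (these two sections sit one level higher in the manual) say so in a comment, otherwise it reads as a copy-paste slip. Separately, `$(SED) -i` assumes GNU sed: AC_PROG_SED can select a BSD sed whose -i requires a suffix argument, so the stamp_functions rule will either fail or leave backup files on such systems; writing to a temp file and renaming, as the invoke-*.texi rules already do, avoids the portability issue.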
@@ -453,7 +453,7 @@ compare-makefile: enums.texi MANS="$$MANS\nFUNCS += functions/$$i\nFUNCS += functions/$$i.short"; \ done; \ grep -v -e '^FUNCS += ' $(srcdir)/Makefile.am > tmp-$@; \ - echo "\"s,^FUNCS =,FUNCS =$$MANS,\" -i tmp-$@"|xargs sed + echo "\"s,^FUNCS =,FUNCS =$$MANS,\" -i tmp-$@"|xargs $(SED) @echo "******************************************************************************" @echo "If the following step fails copy $(srcdir)/doc/tmp-compare-makefile to doc/Makefile.am" @echo "******************************************************************************" @@ -498,7 +498,7 @@ endif !HAVE_GUILE gnutls.xml: epub.texi makeinfo --docbook $< - sed -i 's/\&\#8226;//g' $@ + $(SED) -i 's/\&\#8226;//g' $@ gnutls.epub: gnutls.xml dbtoepub $< @@ -541,6 +541,7 @@ ENUMS += enums/gnutls_params_type_t ENUMS += enums/gnutls_pin_flag_t ENUMS += enums/gnutls_pk_algorithm_t ENUMS += enums/gnutls_pkcs11_obj_attr_t +ENUMS += enums/gnutls_pkcs11_obj_flags ENUMS += enums/gnutls_pkcs11_obj_info_t ENUMS += enums/gnutls_pkcs11_obj_type_t ENUMS += enums/gnutls_pkcs11_token_info_t @@ -581,6 +582,8 @@ FUNCS += functions/dane_query_status FUNCS += functions/dane_query_status.short FUNCS += functions/dane_query_tlsa FUNCS += functions/dane_query_tlsa.short +FUNCS += functions/dane_query_to_raw_tlsa +FUNCS += functions/dane_query_to_raw_tlsa.short FUNCS += functions/dane_raw_tlsa FUNCS += functions/dane_raw_tlsa.short FUNCS += functions/dane_state_deinit 
@@ -735,6 +738,8 @@ FUNCS += functions/gnutls_certificate_set_x509_system_trust FUNCS += functions/gnutls_certificate_set_x509_system_trust.short FUNCS += functions/gnutls_certificate_set_x509_trust FUNCS += functions/gnutls_certificate_set_x509_trust.short +FUNCS += functions/gnutls_certificate_set_x509_trust_dir +FUNCS += functions/gnutls_certificate_set_x509_trust_dir.short FUNCS += functions/gnutls_certificate_set_x509_trust_file FUNCS += functions/gnutls_certificate_set_x509_trust_file.short FUNCS += functions/gnutls_certificate_set_x509_trust_mem @@ -1263,8 +1268,12 @@ FUNCS += functions/gnutls_pkcs11_copy_secret_key FUNCS += functions/gnutls_pkcs11_copy_secret_key.short FUNCS += functions/gnutls_pkcs11_copy_x509_crt FUNCS += functions/gnutls_pkcs11_copy_x509_crt.short +FUNCS += functions/gnutls_pkcs11_copy_x509_crt2 +FUNCS += functions/gnutls_pkcs11_copy_x509_crt2.short FUNCS += functions/gnutls_pkcs11_copy_x509_privkey FUNCS += functions/gnutls_pkcs11_copy_x509_privkey.short +FUNCS += functions/gnutls_pkcs11_copy_x509_privkey2 +FUNCS += functions/gnutls_pkcs11_copy_x509_privkey2.short FUNCS += functions/gnutls_pkcs11_crt_is_known FUNCS += functions/gnutls_pkcs11_crt_is_known.short FUNCS += functions/gnutls_pkcs11_deinit @@ -1287,6 +1296,12 @@ FUNCS += functions/gnutls_pkcs11_obj_export3 FUNCS += functions/gnutls_pkcs11_obj_export3.short FUNCS += functions/gnutls_pkcs11_obj_export_url FUNCS += functions/gnutls_pkcs11_obj_export_url.short +FUNCS += functions/gnutls_pkcs11_obj_flags_get_str +FUNCS += functions/gnutls_pkcs11_obj_flags_get_str.short +FUNCS += functions/gnutls_pkcs11_obj_get_exts +FUNCS += functions/gnutls_pkcs11_obj_get_exts.short +FUNCS += functions/gnutls_pkcs11_obj_get_flags +FUNCS += functions/gnutls_pkcs11_obj_get_flags.short FUNCS += functions/gnutls_pkcs11_obj_get_info FUNCS += functions/gnutls_pkcs11_obj_get_info.short FUNCS += functions/gnutls_pkcs11_obj_get_type 
@@ -1299,16 +1314,22 @@ FUNCS += functions/gnutls_pkcs11_obj_list_import_url FUNCS += functions/gnutls_pkcs11_obj_list_import_url.short FUNCS += functions/gnutls_pkcs11_obj_list_import_url2 FUNCS += functions/gnutls_pkcs11_obj_list_import_url2.short +FUNCS += functions/gnutls_pkcs11_obj_set_info +FUNCS += functions/gnutls_pkcs11_obj_set_info.short FUNCS += functions/gnutls_pkcs11_obj_set_pin_function FUNCS += functions/gnutls_pkcs11_obj_set_pin_function.short FUNCS += functions/gnutls_pkcs11_privkey_deinit FUNCS += functions/gnutls_pkcs11_privkey_deinit.short +FUNCS += functions/gnutls_pkcs11_privkey_export_pubkey +FUNCS += functions/gnutls_pkcs11_privkey_export_pubkey.short FUNCS += functions/gnutls_pkcs11_privkey_export_url FUNCS += functions/gnutls_pkcs11_privkey_export_url.short FUNCS += functions/gnutls_pkcs11_privkey_generate FUNCS += functions/gnutls_pkcs11_privkey_generate.short FUNCS += functions/gnutls_pkcs11_privkey_generate2 FUNCS += functions/gnutls_pkcs11_privkey_generate2.short +FUNCS += functions/gnutls_pkcs11_privkey_generate3 +FUNCS += functions/gnutls_pkcs11_privkey_generate3.short FUNCS += functions/gnutls_pkcs11_privkey_get_info FUNCS += functions/gnutls_pkcs11_privkey_get_info.short FUNCS += functions/gnutls_pkcs11_privkey_get_pk_algorithm @@ -2029,6 +2050,8 @@ FUNCS += functions/gnutls_x509_crq_get_dn_oid FUNCS += functions/gnutls_x509_crq_get_dn_oid.short FUNCS += functions/gnutls_x509_crq_get_extension_by_oid FUNCS += functions/gnutls_x509_crq_get_extension_by_oid.short +FUNCS += functions/gnutls_x509_crq_get_extension_by_oid2 +FUNCS += functions/gnutls_x509_crq_get_extension_by_oid2.short FUNCS += functions/gnutls_x509_crq_get_extension_data FUNCS += functions/gnutls_x509_crq_get_extension_data.short FUNCS += functions/gnutls_x509_crq_get_extension_data2 
@@ -2135,6 +2158,8 @@ FUNCS += functions/gnutls_x509_crt_get_expiration_time FUNCS += functions/gnutls_x509_crt_get_expiration_time.short FUNCS += functions/gnutls_x509_crt_get_extension_by_oid FUNCS += functions/gnutls_x509_crt_get_extension_by_oid.short +FUNCS += functions/gnutls_x509_crt_get_extension_by_oid2 +FUNCS += functions/gnutls_x509_crt_get_extension_by_oid2.short FUNCS += functions/gnutls_x509_crt_get_extension_data FUNCS += functions/gnutls_x509_crt_get_extension_data.short FUNCS += functions/gnutls_x509_crt_get_extension_data2 @@ -2263,6 +2288,8 @@ FUNCS += functions/gnutls_x509_crt_set_issuer_dn FUNCS += functions/gnutls_x509_crt_set_issuer_dn.short FUNCS += functions/gnutls_x509_crt_set_issuer_dn_by_oid FUNCS += functions/gnutls_x509_crt_set_issuer_dn_by_oid.short +FUNCS += functions/gnutls_x509_crt_set_issuer_unique_id +FUNCS += functions/gnutls_x509_crt_set_issuer_unique_id.short FUNCS += functions/gnutls_x509_crt_set_key FUNCS += functions/gnutls_x509_crt_set_key.short FUNCS += functions/gnutls_x509_crt_set_key_purpose_oid @@ -2291,6 +2318,8 @@ FUNCS += functions/gnutls_x509_crt_set_subject_alt_name FUNCS += functions/gnutls_x509_crt_set_subject_alt_name.short FUNCS += functions/gnutls_x509_crt_set_subject_key_id FUNCS += functions/gnutls_x509_crt_set_subject_key_id.short +FUNCS += functions/gnutls_x509_crt_set_subject_unique_id +FUNCS += functions/gnutls_x509_crt_set_subject_unique_id.short FUNCS += functions/gnutls_x509_crt_set_version FUNCS += functions/gnutls_x509_crt_set_version.short FUNCS += functions/gnutls_x509_crt_sign 
@@ -2319,6 +2348,8 @@ FUNCS += functions/gnutls_x509_dn_oid_known FUNCS += functions/gnutls_x509_dn_oid_known.short FUNCS += functions/gnutls_x509_dn_oid_name FUNCS += functions/gnutls_x509_dn_oid_name.short +FUNCS += functions/gnutls_x509_ext_deinit +FUNCS += functions/gnutls_x509_ext_deinit.short FUNCS += functions/gnutls_x509_ext_export_aia FUNCS += functions/gnutls_x509_ext_export_aia.short FUNCS += functions/gnutls_x509_ext_export_authority_key_id @@ -2367,6 +2398,8 @@ FUNCS += functions/gnutls_x509_ext_import_subject_alt_names FUNCS += functions/gnutls_x509_ext_import_subject_alt_names.short FUNCS += functions/gnutls_x509_ext_import_subject_key_id FUNCS += functions/gnutls_x509_ext_import_subject_key_id.short +FUNCS += functions/gnutls_x509_ext_print +FUNCS += functions/gnutls_x509_ext_print.short FUNCS += functions/gnutls_x509_key_purpose_deinit FUNCS += functions/gnutls_x509_key_purpose_deinit.short FUNCS += functions/gnutls_x509_key_purpose_get @@ -2391,6 +2424,8 @@ FUNCS += functions/gnutls_x509_name_constraints_get_permitted FUNCS += functions/gnutls_x509_name_constraints_get_permitted.short FUNCS += functions/gnutls_x509_name_constraints_init FUNCS += functions/gnutls_x509_name_constraints_init.short +FUNCS += functions/gnutls_x509_othername_to_virtual +FUNCS += functions/gnutls_x509_othername_to_virtual.short FUNCS += functions/gnutls_x509_policies_deinit FUNCS += functions/gnutls_x509_policies_deinit.short FUNCS += functions/gnutls_x509_policies_get 
@@ -2471,6 +2506,8 @@ FUNCS += functions/gnutls_x509_trust_list_add_named_crt FUNCS += functions/gnutls_x509_trust_list_add_named_crt.short FUNCS += functions/gnutls_x509_trust_list_add_system_trust FUNCS += functions/gnutls_x509_trust_list_add_system_trust.short +FUNCS += functions/gnutls_x509_trust_list_add_trust_dir +FUNCS += functions/gnutls_x509_trust_list_add_trust_dir.short FUNCS += functions/gnutls_x509_trust_list_add_trust_file FUNCS += functions/gnutls_x509_trust_list_add_trust_file.short FUNCS += functions/gnutls_x509_trust_list_add_trust_mem @@ -2489,5 +2526,7 @@ FUNCS += functions/gnutls_x509_trust_list_remove_trust_mem FUNCS += functions/gnutls_x509_trust_list_remove_trust_mem.short FUNCS += functions/gnutls_x509_trust_list_verify_crt FUNCS += functions/gnutls_x509_trust_list_verify_crt.short +FUNCS += functions/gnutls_x509_trust_list_verify_crt2 +FUNCS += functions/gnutls_x509_trust_list_verify_crt2.short FUNCS += functions/gnutls_x509_trust_list_verify_named_crt FUNCS += functions/gnutls_x509_trust_list_verify_named_crt.short diff --git a/doc/Makefile.in b/doc/Makefile.in index 2bf8fb9..dff2d02 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -35,7 +35,17 @@ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -106,11 +116,6 @@ host_triplet = @host@ EXTRA_PROGRAMS = errcodes$(EXEEXT) printlist$(EXEEXT) \ alert-printlist$(EXEEXT) subdir = doc -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp $(gnutls_TEXINFOS) \ - $(top_srcdir)/build-aux/mdate-sh $(srcdir)/version.texi \ - $(srcdir)/stamp-vti $(srcdir)/version-guile.texi \ - $(srcdir)/stamp-1 $(top_srcdir)/build-aux/texinfo.tex TODO ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/bison.m4 \ @@ -144,6 +149,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/tm_gmtoff.m4 \ $(top_srcdir)/src/gl/m4/xalloc.m4 \ $(top_srcdir)/src/libopts/m4/libopts.m4 \ + $(top_srcdir)/src/libopts/m4/stdnoreturn.m4 \ $(top_srcdir)/gl/m4/00gnulib.m4 \ $(top_srcdir)/gl/m4/absolute-header.m4 \ $(top_srcdir)/gl/m4/alloca.m4 $(top_srcdir)/gl/m4/base64.m4 \ @@ -220,6 +226,9 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/m4/xsize.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/version.texi \ + $(srcdir)/stamp-vti $(srcdir)/version-guile.texi \ + $(srcdir)/stamp-1 $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
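Review bot: this Makefile.in is regenerated with automake 1.15 (the am__is_gnu_make rewrite and the DIST_COMMON / am__DIST_COMMON split are the 1.15 layout and need no review), so every other Makefile.in in the tree must come from the same automake run; a mixed tree makes `make` attempt to rerun aclocal and automake through the missing script on each build. Confirm the aclocal.m4 and configure in this import were produced by the same toolchain.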
@@ -386,6 +395,10 @@ ETAGS = etags CTAGS = ctags DIST_SUBDIRS = examples cyclo scripts manpages credentials latex \ reference +am__DIST_COMMON = $(gnutls_TEXINFOS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/mdate-sh \ + $(top_srcdir)/build-aux/texinfo.tex TODO DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -462,6 +475,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@ EMULTIHOP_VALUE = @EMULTIHOP_VALUE@ +ENABLE_PADLOCK = @ENABLE_PADLOCK@ ENOLINK_HIDDEN = @ENOLINK_HIDDEN@ ENOLINK_VALUE = @ENOLINK_VALUE@ EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@ @@ -621,6 +635,7 @@ GNULIB_PUTCHAR = @GNULIB_PUTCHAR@ GNULIB_PUTENV = @GNULIB_PUTENV@ GNULIB_PUTS = @GNULIB_PUTS@ GNULIB_PWRITE = @GNULIB_PWRITE@ +GNULIB_QSORT_R = @GNULIB_QSORT_R@ GNULIB_RAISE = @GNULIB_RAISE@ GNULIB_RANDOM = @GNULIB_RANDOM@ GNULIB_RANDOM_R = @GNULIB_RANDOM_R@ @@ -832,6 +847,7 @@ HAVE_LCHMOD = @HAVE_LCHMOD@ HAVE_LCHOWN = @HAVE_LCHOWN@ HAVE_LIBDL = @HAVE_LIBDL@ HAVE_LIBICONV = @HAVE_LIBICONV@ +HAVE_LIBNSL = @HAVE_LIBNSL@ HAVE_LIBPTHREAD = @HAVE_LIBPTHREAD@ HAVE_LIBRT = @HAVE_LIBRT@ HAVE_LIBZ = @HAVE_LIBZ@ @@ -839,6 +855,7 @@ HAVE_LINK = @HAVE_LINK@ HAVE_LINKAT = @HAVE_LINKAT@ HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@ HAVE_LSTAT = @HAVE_LSTAT@ +HAVE_MAX_ALIGN_T = @HAVE_MAX_ALIGN_T@ HAVE_MBRLEN = @HAVE_MBRLEN@ HAVE_MBRTOWC = @HAVE_MBRTOWC@ HAVE_MBSINIT = @HAVE_MBSINIT@ @@ -1004,6 +1021,8 @@ LIBICONV_PREFIX = @LIBICONV_PREFIX@ LIBIDN_CFLAGS = @LIBIDN_CFLAGS@ LIBIDN_LIBS = @LIBIDN_LIBS@ LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBNSL_PREFIX = @LIBNSL_PREFIX@ LIBOBJS = @LIBOBJS@ LIBOPTS_CFLAGS = @LIBOPTS_CFLAGS@ LIBOPTS_DIR = @LIBOPTS_DIR@ @@ -1028,6 +1047,7 @@ LTALLOCA = @LTALLOCA@ LTLIBDL = @LTLIBDL@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ +LTLIBNSL = @LTLIBNSL@ LTLIBOBJS = @LTLIBOBJS@ LTLIBPTHREAD = @LTLIBPTHREAD@ LTLIBRT = @LTLIBRT@ 
@@ -1041,9 +1061,6 @@ LT_REVISION = @LT_REVISION@ LT_SSL_AGE = @LT_SSL_AGE@ LT_SSL_CURRENT = @LT_SSL_CURRENT@ LT_SSL_REVISION = @LT_SSL_REVISION@ -LT_XSSL_AGE = @LT_XSSL_AGE@ -LT_XSSL_CURRENT = @LT_XSSL_CURRENT@ -LT_XSSL_REVISION = @LT_XSSL_REVISION@ MAJOR_VERSION = @MAJOR_VERSION@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ @@ -1207,10 +1224,12 @@ REPLACE_PTSNAME = @REPLACE_PTSNAME@ REPLACE_PTSNAME_R = @REPLACE_PTSNAME_R@ REPLACE_PUTENV = @REPLACE_PUTENV@ REPLACE_PWRITE = @REPLACE_PWRITE@ +REPLACE_QSORT_R = @REPLACE_QSORT_R@ REPLACE_RAISE = @REPLACE_RAISE@ REPLACE_RANDOM_R = @REPLACE_RANDOM_R@ REPLACE_READ = @REPLACE_READ@ REPLACE_READLINK = @REPLACE_READLINK@ +REPLACE_READLINKAT = @REPLACE_READLINKAT@ REPLACE_REALLOC = @REPLACE_REALLOC@ REPLACE_REALPATH = @REPLACE_REALPATH@ REPLACE_REMOVE = @REPLACE_REMOVE@ @@ -1242,6 +1261,7 @@ REPLACE_STRTOK_R = @REPLACE_STRTOK_R@ REPLACE_STRTOUMAX = @REPLACE_STRTOUMAX@ REPLACE_STRUCT_TIMEVAL = @REPLACE_STRUCT_TIMEVAL@ REPLACE_SYMLINK = @REPLACE_SYMLINK@ +REPLACE_SYMLINKAT = @REPLACE_SYMLINKAT@ REPLACE_TIMEGM = @REPLACE_TIMEGM@ REPLACE_TMPFILE = @REPLACE_TMPFILE@ REPLACE_TTYNAME_R = @REPLACE_TTYNAME_R@ @@ -1274,9 +1294,11 @@ STDALIGN_H = @STDALIGN_H@ STDBOOL_H = @STDBOOL_H@ STDDEF_H = @STDDEF_H@ STDINT_H = @STDINT_H@ +STDNORETURN_H = @STDNORETURN_H@ STRIP = @STRIP@ SYS_TIME_H_DEFINES_STRUCT_TIMESPEC = @SYS_TIME_H_DEFINES_STRUCT_TIMESPEC@ TIME_H_DEFINES_STRUCT_TIMESPEC = @TIME_H_DEFINES_STRUCT_TIMESPEC@ +TROUSERS_LIB = @TROUSERS_LIB@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ UINT32_MAX_LT_UINTMAX_MAX = @UINT32_MAX_LT_UINTMAX_MAX@ @@ -1360,6 +1382,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -1490,8 +1513,8 @@ ENUMS = enums/dane_cert_type_t enums/dane_cert_usage_t \ enums/gnutls_openpgp_crt_fmt_t \ enums/gnutls_openpgp_crt_status_t enums/gnutls_params_type_t \ enums/gnutls_pin_flag_t enums/gnutls_pk_algorithm_t \ - enums/gnutls_pkcs11_obj_attr_t enums/gnutls_pkcs11_obj_info_t \ - enums/gnutls_pkcs11_obj_type_t \ + enums/gnutls_pkcs11_obj_attr_t enums/gnutls_pkcs11_obj_flags \ + enums/gnutls_pkcs11_obj_info_t enums/gnutls_pkcs11_obj_type_t \ enums/gnutls_pkcs11_token_info_t \ enums/gnutls_pkcs11_url_type_t enums/gnutls_pkcs12_bag_type_t \ enums/gnutls_pkcs_encrypt_flags_t enums/gnutls_privkey_flags_t \ @@ -1514,7 +1537,9 @@ FUNCS = functions/dane_cert_type_name \ functions/dane_query_deinit.short functions/dane_query_entries \ functions/dane_query_entries.short functions/dane_query_status \ functions/dane_query_status.short functions/dane_query_tlsa \ - functions/dane_query_tlsa.short functions/dane_raw_tlsa \ + functions/dane_query_tlsa.short \ + functions/dane_query_to_raw_tlsa \ + functions/dane_query_to_raw_tlsa.short functions/dane_raw_tlsa \ functions/dane_raw_tlsa.short functions/dane_state_deinit \ functions/dane_state_deinit.short functions/dane_state_init \ functions/dane_state_init.short \ @@ -1661,6 +1686,8 @@ FUNCS = functions/dane_cert_type_name \ functions/gnutls_certificate_set_x509_system_trust.short \ functions/gnutls_certificate_set_x509_trust \ functions/gnutls_certificate_set_x509_trust.short \ + functions/gnutls_certificate_set_x509_trust_dir \ + functions/gnutls_certificate_set_x509_trust_dir.short \ functions/gnutls_certificate_set_x509_trust_file \ functions/gnutls_certificate_set_x509_trust_file.short \ functions/gnutls_certificate_set_x509_trust_mem \ 
@@ -2158,8 +2185,12 @@ FUNCS = functions/dane_cert_type_name \ functions/gnutls_pkcs11_copy_secret_key.short \ functions/gnutls_pkcs11_copy_x509_crt \ functions/gnutls_pkcs11_copy_x509_crt.short \ + functions/gnutls_pkcs11_copy_x509_crt2 \ + functions/gnutls_pkcs11_copy_x509_crt2.short \ functions/gnutls_pkcs11_copy_x509_privkey \ functions/gnutls_pkcs11_copy_x509_privkey.short \ + functions/gnutls_pkcs11_copy_x509_privkey2 \ + functions/gnutls_pkcs11_copy_x509_privkey2.short \ functions/gnutls_pkcs11_crt_is_known \ functions/gnutls_pkcs11_crt_is_known.short \ functions/gnutls_pkcs11_deinit \ @@ -2182,6 +2213,12 @@ FUNCS = functions/dane_cert_type_name \ functions/gnutls_pkcs11_obj_export3.short \ functions/gnutls_pkcs11_obj_export_url \ functions/gnutls_pkcs11_obj_export_url.short \ + functions/gnutls_pkcs11_obj_flags_get_str \ + functions/gnutls_pkcs11_obj_flags_get_str.short \ + functions/gnutls_pkcs11_obj_get_exts \ + functions/gnutls_pkcs11_obj_get_exts.short \ + functions/gnutls_pkcs11_obj_get_flags \ + functions/gnutls_pkcs11_obj_get_flags.short \ functions/gnutls_pkcs11_obj_get_info \ functions/gnutls_pkcs11_obj_get_info.short \ functions/gnutls_pkcs11_obj_get_type \ 
@@ -2194,16 +2231,22 @@ FUNCS = functions/dane_cert_type_name \ functions/gnutls_pkcs11_obj_list_import_url.short \ functions/gnutls_pkcs11_obj_list_import_url2 \ functions/gnutls_pkcs11_obj_list_import_url2.short \ + functions/gnutls_pkcs11_obj_set_info \ + functions/gnutls_pkcs11_obj_set_info.short \ functions/gnutls_pkcs11_obj_set_pin_function \ functions/gnutls_pkcs11_obj_set_pin_function.short \ functions/gnutls_pkcs11_privkey_deinit \ functions/gnutls_pkcs11_privkey_deinit.short \ + functions/gnutls_pkcs11_privkey_export_pubkey \ + functions/gnutls_pkcs11_privkey_export_pubkey.short \ functions/gnutls_pkcs11_privkey_export_url \ functions/gnutls_pkcs11_privkey_export_url.short \ functions/gnutls_pkcs11_privkey_generate \ functions/gnutls_pkcs11_privkey_generate.short \ functions/gnutls_pkcs11_privkey_generate2 \ functions/gnutls_pkcs11_privkey_generate2.short \ + functions/gnutls_pkcs11_privkey_generate3 \ + functions/gnutls_pkcs11_privkey_generate3.short \ functions/gnutls_pkcs11_privkey_get_info \ functions/gnutls_pkcs11_privkey_get_info.short \ functions/gnutls_pkcs11_privkey_get_pk_algorithm \ @@ -2910,6 +2953,8 @@ FUNCS = functions/dane_cert_type_name \ functions/gnutls_x509_crq_get_dn_oid.short \ functions/gnutls_x509_crq_get_extension_by_oid \ functions/gnutls_x509_crq_get_extension_by_oid.short \ + functions/gnutls_x509_crq_get_extension_by_oid2 \ + functions/gnutls_x509_crq_get_extension_by_oid2.short \ functions/gnutls_x509_crq_get_extension_data \ functions/gnutls_x509_crq_get_extension_data.short \ functions/gnutls_x509_crq_get_extension_data2 \ 
@@ -3016,6 +3061,8 @@ FUNCS = functions/dane_cert_type_name \ functions/gnutls_x509_crt_get_expiration_time.short \ functions/gnutls_x509_crt_get_extension_by_oid \ functions/gnutls_x509_crt_get_extension_by_oid.short \ + functions/gnutls_x509_crt_get_extension_by_oid2 \ + functions/gnutls_x509_crt_get_extension_by_oid2.short \ functions/gnutls_x509_crt_get_extension_data \ functions/gnutls_x509_crt_get_extension_data.short \ functions/gnutls_x509_crt_get_extension_data2 \ @@ -3144,6 +3191,8 @@ FUNCS = functions/dane_cert_type_name \ functions/gnutls_x509_crt_set_issuer_dn.short \ functions/gnutls_x509_crt_set_issuer_dn_by_oid \ functions/gnutls_x509_crt_set_issuer_dn_by_oid.short \ + functions/gnutls_x509_crt_set_issuer_unique_id \ + functions/gnutls_x509_crt_set_issuer_unique_id.short \ functions/gnutls_x509_crt_set_key \ functions/gnutls_x509_crt_set_key.short \ functions/gnutls_x509_crt_set_key_purpose_oid \ @@ -3172,6 +3221,8 @@ FUNCS = functions/dane_cert_type_name \ functions/gnutls_x509_crt_set_subject_alt_name.short \ functions/gnutls_x509_crt_set_subject_key_id \ functions/gnutls_x509_crt_set_subject_key_id.short \ + functions/gnutls_x509_crt_set_subject_unique_id \ + functions/gnutls_x509_crt_set_subject_unique_id.short \ functions/gnutls_x509_crt_set_version \ functions/gnutls_x509_crt_set_version.short \ functions/gnutls_x509_crt_sign \ @@ -3200,6 +3251,8 @@ FUNCS = functions/dane_cert_type_name \ functions/gnutls_x509_dn_oid_known.short \ functions/gnutls_x509_dn_oid_name \ functions/gnutls_x509_dn_oid_name.short \ + functions/gnutls_x509_ext_deinit \ + functions/gnutls_x509_ext_deinit.short \ functions/gnutls_x509_ext_export_aia \ functions/gnutls_x509_ext_export_aia.short \ functions/gnutls_x509_ext_export_authority_key_id \ 
@@ -3248,6 +3301,8 @@ FUNCS = functions/dane_cert_type_name \ functions/gnutls_x509_ext_import_subject_alt_names.short \ functions/gnutls_x509_ext_import_subject_key_id \ functions/gnutls_x509_ext_import_subject_key_id.short \ + functions/gnutls_x509_ext_print \ + functions/gnutls_x509_ext_print.short \ functions/gnutls_x509_key_purpose_deinit \ functions/gnutls_x509_key_purpose_deinit.short \ functions/gnutls_x509_key_purpose_get \ @@ -3272,6 +3327,8 @@ FUNCS = functions/dane_cert_type_name \ functions/gnutls_x509_name_constraints_get_permitted.short \ functions/gnutls_x509_name_constraints_init \ functions/gnutls_x509_name_constraints_init.short \ + functions/gnutls_x509_othername_to_virtual \ + functions/gnutls_x509_othername_to_virtual.short \ functions/gnutls_x509_policies_deinit \ functions/gnutls_x509_policies_deinit.short \ functions/gnutls_x509_policies_get \ @@ -3352,6 +3409,8 @@ FUNCS = functions/dane_cert_type_name \ functions/gnutls_x509_trust_list_add_named_crt.short \ functions/gnutls_x509_trust_list_add_system_trust \ functions/gnutls_x509_trust_list_add_system_trust.short \ + functions/gnutls_x509_trust_list_add_trust_dir \ + functions/gnutls_x509_trust_list_add_trust_dir.short \ functions/gnutls_x509_trust_list_add_trust_file \ functions/gnutls_x509_trust_list_add_trust_file.short \ functions/gnutls_x509_trust_list_add_trust_mem \ @@ -3370,6 +3429,8 @@ FUNCS = functions/dane_cert_type_name \ functions/gnutls_x509_trust_list_remove_trust_mem.short \ functions/gnutls_x509_trust_list_verify_crt \ functions/gnutls_x509_trust_list_verify_crt.short \ + functions/gnutls_x509_trust_list_verify_crt2 \ + functions/gnutls_x509_trust_list_verify_crt2.short \ functions/gnutls_x509_trust_list_verify_named_crt \ functions/gnutls_x509_trust_list_verify_named_crt.short all: $(BUILT_SOURCES) 
@@ -3389,7 +3450,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu doc/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -3515,15 +3575,16 @@ $(srcdir)/stamp-vti: gnutls.texi $(top_srcdir)/configure echo "@set UPDATED $$1 $$2 $$3"; \ echo "@set UPDATED-MONTH $$2 $$3"; \ echo "@set EDITION $(VERSION)"; \ - echo "@set VERSION $(VERSION)") > vti.tmp - @cmp -s vti.tmp $(srcdir)/version.texi \ - || (echo "Updating $(srcdir)/version.texi"; \ - cp vti.tmp $(srcdir)/version.texi) - -@rm -f vti.tmp + echo "@set VERSION $(VERSION)") > vti.tmp$$$$ && \ + (cmp -s vti.tmp$$$$ $(srcdir)/version.texi \ + || (echo "Updating $(srcdir)/version.texi" && \ + cp vti.tmp$$$$ $(srcdir)/version.texi.tmp$$$$ && \ + mv $(srcdir)/version.texi.tmp$$$$ $(srcdir)/version.texi)) && \ + rm -f vti.tmp$$$$ $(srcdir)/version.texi.$$$$ @cp $(srcdir)/version.texi $@ mostlyclean-vti: - -rm -f vti.tmp + -rm -f vti.tmp* $(srcdir)/version.texi.tmp* maintainer-clean-vti: -rm -f $(srcdir)/stamp-vti $(srcdir)/version.texi 
@@ -3538,15 +3599,16 @@ $(srcdir)/stamp-1: gnutls-guile.texi $(top_srcdir)/configure echo "@set UPDATED $$1 $$2 $$3"; \ echo "@set UPDATED-MONTH $$2 $$3"; \ echo "@set EDITION $(VERSION)"; \ - echo "@set VERSION $(VERSION)") > 1.tmp - @cmp -s 1.tmp $(srcdir)/version-guile.texi \ - || (echo "Updating $(srcdir)/version-guile.texi"; \ - cp 1.tmp $(srcdir)/version-guile.texi) - -@rm -f 1.tmp + echo "@set VERSION $(VERSION)") > 1.tmp$$$$ && \ + (cmp -s 1.tmp$$$$ $(srcdir)/version-guile.texi \ + || (echo "Updating $(srcdir)/version-guile.texi" && \ + cp 1.tmp$$$$ $(srcdir)/version-guile.texi.tmp$$$$ && \ + mv $(srcdir)/version-guile.texi.tmp$$$$ $(srcdir)/version-guile.texi)) && \ + rm -f 1.tmp$$$$ $(srcdir)/version-guile.texi.$$$$ @cp $(srcdir)/version-guile.texi $@ mostlyclean-1: - -rm -f 1.tmp + -rm -f 1.tmp* $(srcdir)/version-guile.texi.tmp* maintainer-clean-1: -rm -f $(srcdir)/stamp-1 $(srcdir)/version-guile.texi @@ -4054,6 +4116,8 @@ uninstall-am: uninstall-dvi-am uninstall-html-am uninstall-imagesDATA \ uninstall-dvi-am uninstall-html-am uninstall-imagesDATA \ uninstall-info-am uninstall-pdf-am uninstall-ps-am +.PRECIOUS: Makefile + -include $(top_srcdir)/doc/doc.mk @@ -4088,7 +4152,7 @@ invoke-certtool.texi: $(top_srcdir)/src/certtool-args.def invoke-gnutls-serv.tex fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsubheading/g' \ -e 's/@section/@subsection/g' $@.tmp > $@ && \ rm -f $@.tmp @@ -4099,7 +4163,7 @@ invoke-ocsptool.texi: $(top_srcdir)/src/ocsptool-args.def invoke-certtool.texi fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsubheading/g' \ -e 's/@section/@subsection/g' $@.tmp > $@ && \ rm -f $@.tmp 
@@ -4110,7 +4174,7 @@ invoke-danetool.texi: $(top_srcdir)/src/danetool-args.def invoke-ocsptool.texi fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsubheading/g' \ -e 's/@section/@subsection/g' $@.tmp > $@ && \ rm -f $@.tmp @@ -4121,7 +4185,7 @@ invoke-srptool.texi: $(top_srcdir)/src/srptool-args.def invoke-danetool.texi fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsubheading/g' \ -e 's/@section/@subsubsection/g' $@.tmp > $@ && \ rm -f $@.tmp @@ -4132,7 +4196,7 @@ invoke-psktool.texi: $(top_srcdir)/src/psktool-args.def invoke-srptool.texi fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsubheading/g' \ -e 's/@section/@subsubsection/g' $@.tmp > $@ && \ rm -f $@.tmp @@ -4143,7 +4207,7 @@ invoke-p11tool.texi: $(top_srcdir)/src/p11tool-args.def invoke-psktool.texi fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsection/g' \ -e 's/@section/@subsection/g' $@.tmp > $@ && \ rm -f $@.tmp @@ -4154,7 +4218,7 @@ invoke-tpmtool.texi: $(top_srcdir)/src/tpmtool-args.def invoke-p11tool.texi fi; \ $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \ rm -f $@ && \ - sed -e 's/@subheading/@subsubheading/g' \ + $(SED) -e 's/@subheading/@subsection/g' \ -e 's/@section/@subsection/g' $@.tmp > $@ && \ rm -f $@.tmp 
@@ -4327,9 +4391,9 @@ stamp_functions: $(API_FILES) for i in $^; do \ $(srcdir)/scripts/split-texi.pl functions < $$i; \ done - sed -i 's/\@anchor{.*//g' functions/* - sed -i 's/\@subheading.*//g' functions/* - cd functions && for i in *;do grep ^"@deftypefun" $$i | sed 's/@deftypefun/@item/g;s/ {/ @var{/;s/ {/ @ref{/' > ../functions/$$i.short;done + $(SED) -i 's/\@anchor{.*//g' functions/* + $(SED) -i 's/\@subheading.*//g' functions/* + cd functions && for i in *;do grep ^"@deftypefun" $$i | $(SED) 's/@deftypefun/@item/g;s/ {/ @var{/;s/ {/ @ref{/' > ../functions/$$i.short;done echo $@ > $@ stamp_enums: enums.texi @@ -4360,7 +4424,7 @@ compare-makefile: enums.texi @echo "******************************************************************************" @echo "If the following step fails copy $(srcdir)/doc/tmp-compare-makefile to doc/Makefile.am" @echo "******************************************************************************" - ENUMS=`grep '^@c ' $< | sed 's/@c //g' | sort -d`; \ + ENUMS=`grep '^@c ' $< | $(SED) 's/@c //g' | sort -d`; \ STR=""; \ for i in $$ENUMS; do \ STR="$$STR\nENUMS += enums/$$i"; \ @@ -4375,7 +4439,7 @@ compare-makefile: enums.texi MANS="$$MANS\nFUNCS += functions/$$i\nFUNCS += functions/$$i.short"; \ done; \ grep -v -e '^FUNCS += ' $(srcdir)/Makefile.am > tmp-$@; \ - echo "\"s,^FUNCS =,FUNCS =$$MANS,\" -i tmp-$@"|xargs sed + echo "\"s,^FUNCS =,FUNCS =$$MANS,\" -i tmp-$@"|xargs $(SED) @echo "******************************************************************************" @echo "If the following step fails copy $(srcdir)/doc/tmp-compare-makefile to doc/Makefile.am" @echo "******************************************************************************" @@ -4396,7 +4460,7 @@ compare-makefile: enums.texi gnutls.xml: epub.texi makeinfo --docbook $< - sed -i 's/\&\#8226;//g' $@ + $(SED) -i 's/\&\#8226;//g' $@ gnutls.epub: gnutls.xml dbtoepub $< diff --git a/doc/TODO b/doc/TODO index 05fde85..a249d37 100644 --- a/doc/TODO +++ b/doc/TODO 
@@ -3,6 +3,9 @@ anything), contact the developer's mailing list (gnutls-dev@lists.gnupg.org), in order to avoid having people working on the same thing. Current list: +* gnutls-cli: Allow separation of the connecting IP and the hostname to + advertize or check. That is, allow specifying an IP to connect to and + a hostname to check. * Allow setting a fixed key on the anonymous key exchange methods (to allow it being used with the tofu API). * Deprecate GNUTLS_E_CERTIFICATE_LIST_UNSORTED, and automatically sort diff --git a/doc/abstract-api.texi b/doc/abstract-api.texi index 82a8415..824c54f 100644 --- a/doc/abstract-api.texi +++ b/doc/abstract-api.texi @@ -25,6 +25,9 @@ Note that the @code{pcert_list} and @code{key} will become part of the credent structure and must not be deallocated. They will be automatically deallocated when the @code{res} structure is deinitialized. +If that function fails to load the @code{res} structure is at an undefined state, it must +not be reused to load other keys or certificates. + @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success, or a negative error code. @strong{Since:} 3.0 @@ -45,7 +48,7 @@ int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs, const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_pcert_st** pcert, unsigned int *pcert_length, gnutls_privkey_t * pkey); - @code{req_ca_cert} is only used in X.509 certificates. + @code{req_ca_dn} is only used in X.509 certificates. Contains a list with the CA names that the server considers trusted. Normally we should send a certificate that is signed by one of these CAs. These names are DER encoded. To get a more 
@@ -54,7 +57,7 @@ meaningful value use the function @code{gnutls_x509_rdn_get()} . @code{pk_algos} contains a list with server's acceptable signature algorithms. The certificate returned should support the server's given algorithms. - @code{pcert} should contain a single certificate and public or a list of them. + @code{pcert} should contain a single certificate and public key or a list of them. @code{pcert_length} is the size of the previous list. @@ -62,6 +65,8 @@ The certificate returned should support the server's given algorithms. If the callback function is provided then gnutls will call it, in the handshake, after the certificate request message has been received. +All the provided by the callback values will not be released or +modified by gnutls. In server side pk_algos and req_ca_dn are NULL. @@ -1451,7 +1456,7 @@ negative error value. @var{format}: Indicate the format to use -@var{out}: Newly allocated datum with (0) terminated string. +@var{out}: Newly allocated datum with null terminated string. This function will pretty print public key information, suitable for display to a human. diff --git a/doc/algorithms.texi b/doc/algorithms.texi index 4ba9794..4f3ddd0 100644 --- a/doc/algorithms.texi +++ b/doc/algorithms.texi @@ -9,7 +9,7 @@ @tab SSL3.0 @item TLS_@-RSA_@-NULL_@-SHA256 @tab 0x00 0x3B -@tab SSL3.0 +@tab TLS1.2 @item TLS_@-RSA_@-ARCFOUR_@-128_@-SHA1 @tab 0x00 0x05 @tab SSL3.0 @@ -27,10 +27,10 @@ @tab SSL3.0 @item TLS_@-RSA_@-CAMELLIA_@-128_@-CBC_@-SHA256 @tab 0x00 0xBA -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-RSA_@-CAMELLIA_@-256_@-CBC_@-SHA256 @tab 0x00 0xC0 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-RSA_@-CAMELLIA_@-128_@-CBC_@-SHA1 @tab 0x00 0x41 @tab SSL3.0 @@ -39,10 +39,10 @@ @tab SSL3.0 @item TLS_@-RSA_@-AES_@-128_@-CBC_@-SHA256 @tab 0x00 0x3C -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-RSA_@-AES_@-256_@-CBC_@-SHA256 @tab 0x00 0x3D -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-RSA_@-AES_@-128_@-GCM_@-SHA256 @tab 0x00 0x9C @tab TLS1.2 
@@ -75,10 +75,10 @@ @tab SSL3.0 @item TLS_@-DHE_@-DSS_@-CAMELLIA_@-128_@-CBC_@-SHA256 @tab 0x00 0xBD -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DHE_@-DSS_@-CAMELLIA_@-256_@-CBC_@-SHA256 @tab 0x00 0xC3 -@tab SSL3.0 +@tab TLS1.2 @item TLS_@-DHE_@-DSS_@-CAMELLIA_@-128_@-CBC_@-SHA1 @tab 0x00 0x44 @tab SSL3.0 @@ -87,10 +87,10 @@ @tab SSL3.0 @item TLS_@-DHE_@-DSS_@-AES_@-128_@-CBC_@-SHA256 @tab 0x00 0x40 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DHE_@-DSS_@-AES_@-256_@-CBC_@-SHA256 @tab 0x00 0x6A -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DHE_@-DSS_@-AES_@-128_@-GCM_@-SHA256 @tab 0x00 0xA2 @tab TLS1.2 @@ -114,10 +114,10 @@ @tab SSL3.0 @item TLS_@-DHE_@-RSA_@-CAMELLIA_@-128_@-CBC_@-SHA256 @tab 0x00 0xBE -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DHE_@-RSA_@-CAMELLIA_@-256_@-CBC_@-SHA256 @tab 0x00 0xC4 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DHE_@-RSA_@-CAMELLIA_@-128_@-CBC_@-SHA1 @tab 0x00 0x45 @tab SSL3.0 @@ -126,10 +126,10 @@ @tab SSL3.0 @item TLS_@-DHE_@-RSA_@-AES_@-128_@-CBC_@-SHA256 @tab 0x00 0x67 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DHE_@-RSA_@-AES_@-256_@-CBC_@-SHA256 @tab 0x00 0x6B -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DHE_@-RSA_@-AES_@-128_@-GCM_@-SHA256 @tab 0x00 0x9E @tab TLS1.2 @@ -156,16 +156,16 @@ @tab SSL3.0 @item TLS_@-ECDHE_@-RSA_@-AES_@-256_@-CBC_@-SHA384 @tab 0xC0 0x28 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-ECDHE_@-RSA_@-ARCFOUR_@-128_@-SHA1 @tab 0xC0 0x11 @tab SSL3.0 @item TLS_@-ECDHE_@-RSA_@-CAMELLIA_@-128_@-CBC_@-SHA256 @tab 0xC0 0x76 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-ECDHE_@-RSA_@-CAMELLIA_@-256_@-CBC_@-SHA384 @tab 0xC0 0x77 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-ECDHE_@-ECDSA_@-NULL_@-SHA1 @tab 0xC0 0x06 @tab SSL3.0 
@@ -183,16 +183,16 @@ @tab SSL3.0 @item TLS_@-ECDHE_@-ECDSA_@-CAMELLIA_@-128_@-CBC_@-SHA256 @tab 0xC0 0x72 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-ECDHE_@-ECDSA_@-CAMELLIA_@-256_@-CBC_@-SHA384 @tab 0xC0 0x73 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-ECDHE_@-ECDSA_@-AES_@-128_@-CBC_@-SHA256 @tab 0xC0 0x23 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-ECDHE_@-RSA_@-AES_@-128_@-CBC_@-SHA256 @tab 0xC0 0x27 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-ECDHE_@-ECDSA_@-CAMELLIA_@-128_@-GCM_@-SHA256 @tab 0xC0 0x86 @tab TLS1.2 @@ -213,7 +213,7 @@ @tab TLS1.2 @item TLS_@-ECDHE_@-ECDSA_@-AES_@-256_@-CBC_@-SHA384 @tab 0xC0 0x24 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-ECDHE_@-RSA_@-CAMELLIA_@-128_@-GCM_@-SHA256 @tab 0xC0 0x8A @tab TLS1.2 @@ -243,10 +243,10 @@ @tab SSL3.0 @item TLS_@-ECDHE_@-PSK_@-AES_@-128_@-CBC_@-SHA256 @tab 0xC0 0x37 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-ECDHE_@-PSK_@-AES_@-256_@-CBC_@-SHA384 @tab 0xC0 0x38 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-ECDHE_@-PSK_@-ARCFOUR_@-128_@-SHA1 @tab 0xC0 0x33 @tab SSL3.0 @@ -255,16 +255,16 @@ @tab SSL3.0 @item TLS_@-ECDHE_@-PSK_@-NULL_@-SHA256 @tab 0xC0 0x3A -@tab SSL3.0 +@tab TLS1.2 @item TLS_@-ECDHE_@-PSK_@-NULL_@-SHA384 @tab 0xC0 0x3B -@tab SSL3.0 +@tab TLS1.0 @item TLS_@-ECDHE_@-PSK_@-CAMELLIA_@-128_@-CBC_@-SHA256 @tab 0xC0 0x9A -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-ECDHE_@-PSK_@-CAMELLIA_@-256_@-CBC_@-SHA384 @tab 0xC0 0x9B -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-ECDHE_@-PSK_@-SALSA20_@-256_@-SHA1 @tab 0xE4 0x19 @tab SSL3.0 @@ -285,7 +285,7 @@ @tab SSL3.0 @item TLS_@-PSK_@-AES_@-128_@-CBC_@-SHA256 @tab 0x00 0xAE -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-PSK_@-AES_@-256_@-GCM_@-SHA384 @tab 0x00 0xA9 @tab TLS1.2 
@@ -303,13 +303,13 @@ @tab SSL3.0 @item TLS_@-PSK_@-NULL_@-SHA256 @tab 0x00 0xB0 -@tab SSL3.0 +@tab TLS1.2 @item TLS_@-PSK_@-CAMELLIA_@-128_@-CBC_@-SHA256 @tab 0xC0 0x94 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-PSK_@-CAMELLIA_@-256_@-CBC_@-SHA384 @tab 0xC0 0x95 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-PSK_@-SALSA20_@-256_@-SHA1 @tab 0xE4 0x17 @tab SSL3.0 @@ -318,22 +318,22 @@ @tab SSL3.0 @item TLS_@-PSK_@-AES_@-256_@-CBC_@-SHA384 @tab 0x00 0xAF -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-PSK_@-NULL_@-SHA384 @tab 0x00 0xB1 -@tab SSL3.0 +@tab TLS1.2 @item TLS_@-RSA_@-PSK_@-ARCFOUR_@-128_@-SHA1 @tab 0x00 0x92 -@tab SSL3.0 +@tab TLS1.0 @item TLS_@-RSA_@-PSK_@-3DES_@-EDE_@-CBC_@-SHA1 @tab 0x00 0x93 -@tab SSL3.0 +@tab TLS1.0 @item TLS_@-RSA_@-PSK_@-AES_@-128_@-CBC_@-SHA1 @tab 0x00 0x94 -@tab SSL3.0 +@tab TLS1.0 @item TLS_@-RSA_@-PSK_@-AES_@-256_@-CBC_@-SHA1 @tab 0x00 0x95 -@tab SSL3.0 +@tab TLS1.0 @item TLS_@-RSA_@-PSK_@-CAMELLIA_@-128_@-GCM_@-SHA256 @tab 0xC0 0x92 @tab TLS1.2 @@ -345,28 +345,28 @@ @tab TLS1.2 @item TLS_@-RSA_@-PSK_@-AES_@-128_@-CBC_@-SHA256 @tab 0x00 0xB6 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-RSA_@-PSK_@-NULL_@-SHA1 @tab 0x00 0x2E -@tab SSL3.0 +@tab TLS1.0 @item TLS_@-RSA_@-PSK_@-NULL_@-SHA256 @tab 0x00 0xB8 -@tab SSL3.0 +@tab TLS1.2 @item TLS_@-RSA_@-PSK_@-AES_@-256_@-GCM_@-SHA384 @tab 0x00 0xAD @tab TLS1.2 @item TLS_@-RSA_@-PSK_@-AES_@-256_@-CBC_@-SHA384 @tab 0x00 0xB7 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-RSA_@-PSK_@-NULL_@-SHA384 @tab 0x00 0xB9 -@tab SSL3.0 +@tab TLS1.2 @item TLS_@-RSA_@-PSK_@-CAMELLIA_@-128_@-CBC_@-SHA256 @tab 0xC0 0x98 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-RSA_@-PSK_@-CAMELLIA_@-256_@-CBC_@-SHA384 @tab 0xC0 0x99 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DHE_@-PSK_@-ARCFOUR_@-128_@-SHA1 @tab 0x00 0x8E @tab SSL3.0 @@ -381,7 +381,7 @@ @tab SSL3.0 @item TLS_@-DHE_@-PSK_@-AES_@-128_@-CBC_@-SHA256 @tab 0x00 0xB2 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DHE_@-PSK_@-AES_@-128_@-GCM_@-SHA256 @tab 0x00 0xAA @tab TLS1.2 
@@ -390,22 +390,22 @@ @tab SSL3.0 @item TLS_@-DHE_@-PSK_@-NULL_@-SHA256 @tab 0x00 0xB4 -@tab SSL3.0 +@tab TLS1.2 @item TLS_@-DHE_@-PSK_@-NULL_@-SHA384 @tab 0x00 0xB5 -@tab SSL3.0 +@tab TLS1.2 @item TLS_@-DHE_@-PSK_@-AES_@-256_@-CBC_@-SHA384 @tab 0x00 0xB3 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DHE_@-PSK_@-AES_@-256_@-GCM_@-SHA384 @tab 0x00 0xAB @tab TLS1.2 @item TLS_@-DHE_@-PSK_@-CAMELLIA_@-128_@-CBC_@-SHA256 @tab 0xC0 0x96 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DHE_@-PSK_@-CAMELLIA_@-256_@-CBC_@-SHA384 @tab 0xC0 0x97 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DHE_@-PSK_@-CAMELLIA_@-128_@-GCM_@-SHA256 @tab 0xC0 0x90 @tab TLS1.2 @@ -426,10 +426,10 @@ @tab SSL3.0 @item TLS_@-DH_@-ANON_@-CAMELLIA_@-128_@-CBC_@-SHA256 @tab 0x00 0xBF -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DH_@-ANON_@-CAMELLIA_@-256_@-CBC_@-SHA256 @tab 0x00 0xC5 -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DH_@-ANON_@-CAMELLIA_@-128_@-CBC_@-SHA1 @tab 0x00 0x46 @tab SSL3.0 @@ -438,10 +438,10 @@ @tab SSL3.0 @item TLS_@-DH_@-ANON_@-AES_@-128_@-CBC_@-SHA256 @tab 0x00 0x6C -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DH_@-ANON_@-AES_@-256_@-CBC_@-SHA256 @tab 0x00 0x6D -@tab TLS1.0 +@tab TLS1.2 @item TLS_@-DH_@-ANON_@-AES_@-128_@-GCM_@-SHA256 @tab 0x00 0xA6 @tab TLS1.2 @@ -567,6 +567,7 @@ @item RSA-PSK @item DHE-PSK @item ECDHE-PSK +@item RSA-EXPORT @end table @heading Public key algorithms diff --git a/doc/certtool.cfg b/doc/certtool.cfg index 47d4d38..52b6c8b 100644 --- a/doc/certtool.cfg +++ b/doc/certtool.cfg @@ -48,9 +48,10 @@ cn = "Cindy Lauper" # jurisdictionOfIncorporationStateOrProvinceName, # jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs. -#dn = "cn=Nik,st=Attiki,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias" +#dn = "cn = Nikos,st = New\, Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias" # The serial number of the certificate +# Comment the field for a time-based serial number. serial = 007 # In how many days, counting from today, this certificate will expire. 
@@ -150,24 +151,41 @@ encryption_key # ca_issuers_uri = http://my.ca.issuer # Certificate policies -# policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0 -# policy1_txt = "This is a long policy to summarize" -# policy1_url = http://www.example.com/a-policy-to-read +#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0 +#policy1_txt = "This is a long policy to summarize" +#policy1_url = http://www.example.com/a-policy-to-read -# policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1 -# policy2_txt = "This is a short policy" -# policy2_url = http://www.example.com/another-policy-to-read +#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1 +#policy2_txt = "This is a short policy" +#policy2_url = http://www.example.com/another-policy-to-read + +# Name constraints + +# DNS +#nc_permit_dns = example.com +#nc_exclude_dns = test.example.com + +# EMAIL +#nc_permit_email = "nmav@@ex.net" + +# Exclude subdomains of example.com +#nc_exclude_email = .example.com + +# Exclude all e-mail addresses of example.com +#nc_exclude_email = example.com # Options for proxy certificates -# proxy_policy_language = 1.3.6.1.5.5.7.21.1 +#proxy_policy_language = 1.3.6.1.5.5.7.21.1 # Options for generating a CRL -# next CRL update will be in 43 days (wow) +# The number of days the next CRL update will be due. +# next CRL update will be in 43 days #crl_next_update = 43 # this is the 5th CRL by this CA +# Comment the field for a time-based number. #crl_number = 5 diff --git a/doc/cha-auth.texi b/doc/cha-auth.texi index 4079985..da1a114 100644 --- a/doc/cha-auth.texi +++ b/doc/cha-auth.texi 
@@ -33,7 +33,7 @@ methods in @acronym{GnuTLS} in various scenarios. @subsection Two peers with an out-of-band channel -Let's consider two peers need to communicate over an untrusted channel +Let's consider two peers who need to communicate over an untrusted channel (the Internet), but have an out-of-band channel available. The latter channel is considered safe from eavesdropping and message modification and thus can be used for an initial bootstrapping of the protocol. The options @@ -44,7 +44,7 @@ client communicate a shared randomly generated key over the trusted channel and use it to negotiate further sessions over the untrusted channel. @item Passwords (see @ref{SRP authentication}). The client communicates -to the server his username and password of choice and uses it to +to the server its username and password of choice and uses it to negotiate further sessions over the untrusted channel. @item Public keys (see @ref{Certificate authentication}). The client @@ -101,7 +101,7 @@ the client provided over the initial server-authenticated channel. The available options are: @itemize @item Passwords (see @ref{SRP authentication}). The client communicates -to the server his username and password of choice on the initial +to the server its username and password of choice on the initial server-authenticated connection and uses it to negotiate further sessions. This is possible because the SRP protocol allows for the server to be authenticated using a certificate and the client using the diff --git a/doc/cha-bib.texi b/doc/cha-bib.texi index c5f7107..82b1cac 100644 --- a/doc/cha-bib.texi +++ b/doc/cha-bib.texi 
@@ -196,8 +196,8 @@ J. Altman, N. Williams, L. Zhu, "Channel Bindings for TLS", July 2010, available from @url{http://www.ietf.org/rfc/rfc5929}. @item @anchor{PKCS11URI}[PKCS11URI] -J. Pechanec, D. Moffat, "The PKCS#11 URI Scheme", January 2013, -Work in progress, available from @url{http://tools.ietf.org/html/draft-pechanec-pkcs11uri-08}. +J. Pechanec, D. Moffat, "The PKCS#11 URI Scheme", September 2013, +Work in progress, available from @url{http://tools.ietf.org/html/draft-pechanec-pkcs11uri-13}. @item @anchor{TPMURI}[TPMURI] C. Latze, N. Mavrogiannopoulos, "The TPMKEY URI Scheme", January 2013, diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi index 00bc542..10a7477 100644 --- a/doc/cha-cert-auth.texi +++ b/doc/cha-cert-auth.texi @@ -85,6 +85,7 @@ acceptable. The framework is illustrated on @ref{fig-x509}. * X.509 public and private keys:: * Verifying X.509 certificate paths:: * Verifying a certificate in the context of TLS session:: +* Verification using PKCS11:: @end menu @node X.509 certificate structure 
@@ -207,13 +208,11 @@ requires to retrieve the extension, and the second is the parsing part. To enumerate and retrieve the DER-encoded extension data available in a certificate the following two functions are available. -@showfuncB{gnutls_x509_crt_get_extension_info,gnutls_x509_crt_get_extension_data2} +@showfuncC{gnutls_x509_crt_get_extension_info,gnutls_x509_crt_get_extension_data2,gnutls_x509_crt_get_extension_by_oid2} After a supported DER-encoded extension is retrieved it can be parsed using the APIs in @code{x509-ext.h}. Complex extensions may require initializing an intermediate structure that holds the -parsed extension data. - -Examples of simple parsing functions are shown below. +parsed extension data. Examples of simple parsing functions are shown below. @showfuncD{gnutls_x509_ext_import_basic_constraints,gnutls_x509_ext_export_basic_constraints,gnutls_x509_ext_import_key_usage,gnutls_x509_ext_export_key_usage} More complex extensions, such as Name Constraints, require an intermediate structure, in that @@ -321,6 +320,7 @@ provided. @showfuncdesc{gnutls_x509_trust_list_add_named_crt} @showfuncdesc{gnutls_x509_trust_list_add_crls} @showfuncdesc{gnutls_x509_trust_list_verify_crt} +@showfuncdesc{gnutls_x509_trust_list_verify_crt2} @showfuncdesc{gnutls_x509_trust_list_verify_named_crt} @showfuncdesc{gnutls_x509_trust_list_add_trust_file} 
@@ -347,26 +347,94 @@ This purpose is served by the functions @funcref{gnutls_x509_trust_list_add_name When operating in the context of a TLS session, the trusted certificate authority list may also be set using: -@showfuncC{gnutls_certificate_set_x509_trust_file,gnutls_certificate_set_x509_crl_file,gnutls_certificate_set_x509_system_trust} +@showfuncD{gnutls_certificate_set_x509_trust_file,gnutls_certificate_set_x509_trust_dir,gnutls_certificate_set_x509_crl_file,gnutls_certificate_set_x509_system_trust} + +These functions allow the specification of the trusted certificate authorities, either +via a file, a directory or use the system-specified certificate authories. +Unless the authorities are application specific, it is generally recommended +to use the system trust storage (see @funcref{gnutls_certificate_set_x509_system_trust}). -In that case it is not required to setup a trusted list as above, and +Unlike the previous section it is not required to setup a trusted list, and the function @funcref{gnutls_certificate_verify_peers3} -may be used to verify the peer's certificate chain and identity. The flags -are set similarly to the verification functions in the previous section. +is used to verify the peer's certificate chain and identity. The reported +verification status is identical to the verification functions described +in the previous section. Note that in certain cases it is required to check the marked purpose of -the end certificate (e.g. @code{GNUTLS_KP_TLS_WWW_SERVER}); in these case -@funcref{gnutls_certificate_verify_peers} should be used instead. +the end certificate (e.g. @code{GNUTLS_KP_TLS_WWW_SERVER}); in these cases +the more advanced @funcref{gnutls_certificate_verify_peers} should be used instead. There is also the possibility to pass some input to the verification -functions in the form of flags. 
For @funcref{gnutls_x509_trust_list_verify_crt} the -flags are passed straightforward, but -@funcref{gnutls_certificate_verify_peers3} depends on the flags set by -calling @funcref{gnutls_certificate_set_verify_flags}. All the available +functions in the form of flags. For @funcref{gnutls_x509_trust_list_verify_crt2} the +flags are passed directly, but for +@funcref{gnutls_certificate_verify_peers3}, the flags are set using +@funcref{gnutls_certificate_set_verify_flags}. All the available flags are part of the enumeration @code{gnutls_@-certificate_@-verify_@-flags} shown in @ref{gnutls_certificate_verify_flags}. @showenumdesc{gnutls_certificate_verify_flags,The @code{gnutls_@-certificate_@-verify_@-flags} enumeration.} +@node Verification using PKCS11 +@subsubsection Verifying a certificate using PKCS #11 +@cindex verifying certificate with pkcs11 + +Some systems provide a system wide trusted certificate storage accessible using +the PKCS #11 API. That is, the trusted certificates are queried and accessed using the +PKCS #11 API, and trusted certificate properties, such as purpose, are marked using +attached extensions. One example is the p11-kit trust module@footnote{see @url{http://p11-glue.freedesktop.org/trust-module.html}.}. + +These special PKCS #11 modules can be used for GnuTLS certificate verification if marked as trust +policy modules, i.e., with @code{trust-policy: yes} in the p11-kit module file. +The way to use them is by specifying to the file verification function (e.g., @funcref{gnutls_certificate_set_x509_trust_file}), +a pkcs11 URL, or simply @code{pkcs11:} to use all the marked with trust policy modules. + +The trust modules of p11-kit assign a purpose to trusted authorities using the extended +key usage object identifiers. The common purposes are shown in @ref{tab:purposes}. Note +that typically according to @xcite{RFC5280} the extended key usage object identifiers apply to end certificates. 
Their +application to CA certificates is an extension used by the trust modules. + +@float Table,tab:purposes +@multitable @columnfractions .2 .2 .6 + +@headitem Purpose @tab OID @tab Description + +@item GNUTLS_KP_TLS_WWW_SERVER @tab +1.3.6.1.5.5.7.3.1 @tab +The certificate is to be used for TLS WWW authentication. When in a CA certificate, it +indicates that the CA is allowed to sign certificates for TLS WWW authentication. + +@item GNUTLS_KP_TLS_WWW_CLIENT @tab +1.3.6.1.5.5.7.3.2 @tab +The certificate is to be used for TLS WWW client authentication. When in a CA certificate, it +indicates that the CA is allowed to sign certificates for TLS WWW client authentication. + +@item GNUTLS_KP_CODE_SIGNING @tab +1.3.6.1.5.5.7.3.3 @tab +The certificate is to be used for code signing. When in a CA certificate, it +indicates that the CA is allowed to sign certificates for code signing. + +@item GNUTLS_KP_EMAIL_PROTECTION @tab +1.3.6.1.5.5.7.3.4 @tab +The certificate is to be used for email protection. When in a CA certificate, it +indicates that the CA is allowed to sign certificates for email users. + +@item GNUTLS_KP_OCSP_SIGNING @tab +1.3.6.1.5.5.7.3.9 @tab +The certificate is to be used for signing OCSP responses. When in a CA certificate, it +indicates that the CA is allowed to sign certificates which sign OCSP reponses. + +@item GNUTLS_KP_ANY @tab +2.5.29.37.0 @tab +The certificate is to be used for any purpose. When in a CA certificate, it +indicates that the CA is allowed to sign any kind of certificates. + +@end multitable +@caption{Key purpose object identifiers.} +@end float + +With such modules, it is recommended to use the verification functions @funcref{gnutls_x509_trust_list_verify_crt2}, +or @funcref{gnutls_certificate_verify_peers}, which allow to explicitly specify the key purpose. The +other verification functions which do not allow setting a purpose, would operate as if +@code{GNUTLS_KP_TLS_WWW_SERVER} was requested from the trusted authorities. 
@node OpenPGP certificates @subsection @acronym{OpenPGP} certificates @@ -586,7 +654,7 @@ used to preprocess the input to the signature algorithm. This works as long as it is difficult enough to generate two different messages with the same hash algorithm output. In that case the same signature could be used as a proof for both messages. Nobody wants to sign an innocent -message of donating 1 euro to Greenpeace and find out that he +message of donating 1 euro to Greenpeace and find out that they donated 1.000.000 euros to Bad Inc. For a hash algorithm to be called cryptographic the following three diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi index a6482a8..e3708ba 100644 --- a/doc/cha-cert-auth2.texi +++ b/doc/cha-cert-auth2.texi @@ -146,14 +146,14 @@ revocation checking, however, several problems with CRLs have been identified @xcite{RIVESTCRL}. The Online Certificate Status Protocol, or @acronym{OCSP} @xcite{RFC2560}, -is a widely implemented protocol to perform certificate revocation status +is a widely implemented protocol which performs certificate revocation status checking. An application that wish to verify the identity of a peer will verify the certificate against a set of trusted certificates and then check whether the certificate is listed in a CRL and/or perform an OCSP check for the certificate. Note that in the context of a TLS session the server may provide an -OCSP response that will used during the TLS certificate verification +OCSP response that will be used during the TLS certificate verification (see @funcref{gnutls_certificate_verify_peers2}). You may obtain this response using @funcref{gnutls_ocsp_status_request_get}. 
@@ -169,8 +169,8 @@ extracts this information from a certificate. There are several functions in GnuTLS for creating and manipulating OCSP requests and responses. The general idea is that a client -application create an OCSP request object, store some information -about the certificate to check in the request, and then export the +application creates an OCSP request object, stores some information +about the certificate to check in the request, and then exports the request in DER format. The request will then need to be sent to the OCSP responder, which needs to be done by the application (GnuTLS does not send and receive OCSP packets). Normally an OCSP response is diff --git a/doc/cha-crypto.texi b/doc/cha-crypto.texi index 8c92deb..24b1b4d 100644 --- a/doc/cha-crypto.texi +++ b/doc/cha-crypto.texi @@ -5,7 +5,8 @@ it does not provide access to basic cryptographic primitives. However it abstracts the internal cryptographic back-end (see @ref{Cryptographic Backend}), providing symmetric crypto, hash and HMAC algorithms, as well access -to the random number generation. +to the random number generation. For a low-level crypto API the usage of nettle +@footnote{See @uref{http://www.lysator.liu.se/~nisse/nettle/}.} library is recommended. @menu * Symmetric algorithms:: diff --git a/doc/cha-errors.texi b/doc/cha-errors.texi index 0948d05..1154c01 100644 --- a/doc/cha-errors.texi +++ b/doc/cha-errors.texi @@ -3,7 +3,7 @@ @cindex error codes The error codes used throughout the library are described below. The -return code @code{GNUTLS_E_SUCCESS} indicate successful operation, and +return code @code{GNUTLS_E_SUCCESS} indicates a successful operation, and is guaranteed to have the value 0, so you can use it in logical expressions. diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index 61d748a..ce48be7 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi 
@@ -30,6 +30,7 @@ and the manpages is recommended. * Common types:: * Debugging and auditing:: * Thread safety:: +* Sessions and fork:: * Callback functions:: @end menu @@ -61,8 +62,8 @@ and/or verify the indentity of the peer. The information stored in the credentials structures is initialized once and then can be shared by many @acronym{TLS} sessions. -A @acronym{GnuTLS} session contains all the required information -to handle one secure connection. The session communicates with the +A @acronym{GnuTLS} session contains all the required state and +information to handle one secure connection. The session communicates with the peers using the provided functions of the transport layer. Every session has a unique session ID shared with the peer. 
@@ -147,7 +148,38 @@ verbose information on the @acronym{GnuTLS} functions internal flow. Alternatively the environment variable @code{GNUTLS_DEBUG_LEVEL} can be set to a logging level and GnuTLS will output debugging output to standard -error. +error. Other available environment variables are shown in @ref{tab:environment}. + +@float Table,tab:environment +@multitable @columnfractions .30 .70 + +@headitem Variable @tab Purpose + +@item @code{GNUTLS_DEBUG_LEVEL} +@tab When set to a numeric value, it sets the default debugging level for GnuTLS applications. + +@item @code{GNUTLS_CPUID_OVERRIDE} +@tab That environment variable can be used to +explicitly enable/disable the use of certain CPU capabilities. Note that CPU +detection cannot be overriden, i.e., VIA options cannot be enabled on an Intel +CPU. The currently available options are: +@itemize +@item 0x1: Disable all run-time detected optimizations +@item 0x2: Enable AES-NI +@item 0x4: Enable SSSE3 +@item 0x8: Enable PCLMUL +@item 0x100000: Enable VIA padlock +@item 0x200000: Enable VIA PHE +@item 0x400000: Enable VIA PHE SHA512 +@end itemize + +@item @code{GNUTLS_FORCE_FIPS_MODE} +@tab In setups where GnuTLS is compiled with support for FIPS140-2 (see --enable-fips140-mode in configure), that option if set to one enforces the FIPS140 mode. + +@end multitable +@caption{Environment variables used by the library.} +@end float + When debugging is not required, important issues, such as detected attacks on the protocol still need to be logged. This is provided 
@@ -171,6 +203,13 @@ If, however, an object needs to be shared across threads then access must be protected with a mutex. Read-only access to objects, for example the credentials holding structures, is also thread-safe. +A @code{gnutls_session_t} object can be shared by two threads, one sending, +the other receiving. In that case rehandshakes, if required, +must only be handled by a single thread being active. The termination of a session +should be handled, either by a single thread being active, or by the sender thread +using @funcref{gnutls_bye} with @code{GNUTLS_SHUT_WR} and the receiving thread +waiting for a return value of zero. + The random generator of the cryptographic back-end, utilizes mutex locks (e.g., pthreads on GNU/Linux and CriticalSection on Windows) which are setup by @acronym{GnuTLS} on library initialization. Prior to version 3.3.0 they were setup by calling @funcref{gnutls_global_init}. On special systems @@ -194,6 +233,17 @@ int main() @showfuncdesc{gnutls_global_set_mutex} +@node Sessions and fork +@subsection Sessions and fork +@cindex fork + +A @code{gnutls_session_t} object can be shared by two processes after a fork, +one sending, the other receiving. In that case rehandshakes, +cannot and must not be performed. As with threads, the termination of a session should be +handled by the sender process using @funcref{gnutls_bye} with @code{GNUTLS_SHUT_WR} +and the receiving process waiting for a return value of zero. + + @node Callback functions @subsection Callback functions @cindex callback functions 
@@ -240,8 +290,10 @@ library. @node Initialization @subsection Initialization -GnuTLS must be initialized before it can be used. The library is -initialized on load; prior to 3.3.0 was initialized by calling @funcref{gnutls_global_init}. +The GnuTLS library is initialized on load; prior to 3.3.0 was initialized by calling @funcref{gnutls_global_init}@footnote{ +The original behavior of requiring explicit initialization can obtained by setting the +GNUTLS_NO_EXPLICIT_INIT environment variable to 1, or by using the macro GNUTLS_SKIP_GLOBAL_INIT +in a global section of your program.}. The initialization typically enables CPU-specific acceleration, performs any required precalculations needed, opens any required system devices (e.g., /dev/urandom on Linux) and initializes subsystems that could be used later. @@ -249,6 +301,11 @@ and initializes subsystems that could be used later. The resources allocated by the initialization process will be released on library deinitialization, or explictly by calling @funcref{gnutls_global_deinit}. +Note that during initialization file descriptors may be kept open by +GnuTLS (e.g. /dev/urandom) on library load. Applications closing all unknown file +descriptors must immediately call @funcref{gnutls_global_init}, after that, to +ensure they don't disrupt GnuTLS' operation. + @c In order to take advantage of the internationalization features in @c GnuTLS, such as translated error messages, the application must set @c the current locale using @code{setlocale} before initializing GnuTLS. 
@@ -931,7 +988,9 @@ The message authenticity security level is of 128 bits or more, and the certificate verification profile is set to GNUTLS_PROFILE_HIGH (128-bits). @item SECURE256 @tab -Currently alias for SECURE192. +Currently alias for SECURE192. This option, will enable ciphers which use a +256-bit key but, due to limitations of the TLS protocol, the overall security +level will be 192-bits (the security level depends on more factors than cipher key size). @item SUITEB128 @tab Means all the NSA Suite B cryptography (RFC5430) ciphersuites @@ -1189,9 +1248,9 @@ authentication. @headitem Security bits @tab RSA, DH and SRP parameter size @tab ECC key size @tab Security parameter @tab Description -@item <72 -@tab <1008 -@tab <160 +@item <64 +@tab <768 +@tab <128 @tab @code{INSECURE} @tab Considered to be insecure @@ -1337,7 +1396,9 @@ for expiration. A server utilizing tickets should generate ticket encryption and authentication keys using @funcref{gnutls_session_ticket_key_generate}. Those keys should be associated with the GnuTLS session using -@funcref{gnutls_session_ticket_enable_server}. +@funcref{gnutls_session_ticket_enable_server}, and should be rotated regularly +(e.g., every few hours), to prevent them from becoming long-term keys which +if revealed could be used to decrypt all previous sessions. @showfuncdesc{gnutls_session_ticket_enable_server} @showfuncdesc{gnutls_session_ticket_key_generate} diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi index 6a04ac2..3c4a390 100644 --- a/doc/cha-internals.texi +++ b/doc/cha-internals.texi 
@@ -321,6 +321,33 @@ When writing GTK-DOC style documentation for your new APIs, don't forget to add @code{Since:} tags to indicate the GnuTLS version the API was introduced in. +@subsubheading Heartbeat extension. + +One such extension is HeartBeat protocol (RFC6520: +@url{https://tools.ietf.org/html/rfc6520}) implementation. To enable +it use option --heartbeat with example client and server supplied with +gnutls: + +@example +./doc/credentials/gnutls-http-serv --priority "NORMAL:-CIPHER-ALL:+NULL" -d 100 \ + --heartbeat --echo +./src/gnutls-cli --priority "NORMAL:-CIPHER-ALL:+NULL" -d 100 localhost -p 5556 \ + --insecure --heartbeat +@end example + +After that pasting +@example +**HEARTBEAT** +@end example +command into gnutls-cli will trigger corresponding command on the server and it will send HeartBeat Request with random length to client. + +Another way is to run capabilities check with: + +@example +./doc/credentials/gnutls-http-serv -d 100 --heartbeat +./src/gnutls-cli-debug localhost -p 5556 +@end example + @subheading Adding a new Supplemental Data Handshake Message TLS handshake extensions allow to send so called supplemental data 
@@ -421,32 +448,6 @@ typedef enum @} gnutls_supplemental_data_format_type_t; @end example -@subsubheading Heartbeat extension. - -One such extension is HeartBeat protocol (RFC6520: -@url{https://tools.ietf.org/html/rfc6520}) implementation. To enable -it use option --heartbeat with example client and server supplied with -gnutls: - -@example -./doc/credentials/gnutls-http-serv --priority "NORMAL:-CIPHER-ALL:+NULL" -d 100 \ - --heartbeat --echo -./src/gnutls-cli --priority "NORMAL:-CIPHER-ALL:+NULL" -d 100 localhost -p 5556 \ - --insecure --heartbeat -@end example - -After that pasting -@example -**HEARTBEAT** -@end example -command into gnutls-cli will trigger corresponding command on the server and it will send HeartBeat Request with random length to client. - -Another way is to run capabilities check with: - -@example -./doc/credentials/gnutls-http-serv -d 100 --heartbeat -./src/gnutls-cli-debug localhost -p 5556 -@end example @node Cryptographic Backend @section Cryptographic Backend diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi index 6075020..319d68b 100644 --- a/doc/cha-intro-tls.texi +++ b/doc/cha-intro-tls.texi @@ -138,15 +138,6 @@ This is an 128-bit block cipher developed by Mitsubishi and NTT. It is one of the approved ciphers of the European NESSIE and Japanese CRYPTREC projects. -@item SALSA20_@-256 @tab -SALSA20_256 is a fast stream cipher. This is currently a GnuTLS -extension. - -@item ESTREAM_@-SALSA20_@-256 @tab -ESTREAM_@-SALSA20_@-256 is a faster variant of SALSA20, and is one of the -selected ciphers of the ESTREAM competition. This is currently a GnuTLS -extension. - @end multitable @caption{Supported ciphers.} @end float 
@@ -166,10 +157,6 @@ designed by NSA. Outputs 160 bits of data. @item MAC_@-SHA256 @tab An HMAC based on SHA256. Outputs 256 bits of data. -@item MAC_@-UMAC @tab -This is a very fast MAC algorithm based on universal hashing, described in -@xcite{RFC4418}. This is currently a GnuTLS extension. - @item MAC_@-AEAD @tab This indicates that an authenticated encryption algorithm, such as GCM, is in use. @@ -450,6 +437,12 @@ to the client. Because session parameters are sensitive they are encrypted and authenticated with a key only known to the server and then sent to the client. The Session Tickets extension is described in RFC 5077 @xcite{TLSTKT}. +A disadvantage of session tickets is that they eliminate the effects of +forward secrecy when a server uses the same key for long time. That is, +the secrecy of all sessions on a server using tickets depends on the ticket +key being kept secret. For that reason server keys should be rotated and discarded +regularly. + Since version 3.1.3 GnuTLS clients transparently support session tickets. @node HeartBeat diff --git a/doc/cha-support.texi b/doc/cha-support.texi index 4ff30c5..6ba2792 100644 --- a/doc/cha-support.texi +++ b/doc/cha-support.texi 
@@ -168,5 +168,5 @@ specific product using the library, and typically in the case of software they a @end itemize Obtaining such a certification is an expensive and elaborate job that has no immediate value for a continuously developed free software library (as the certification is tied to the -particular version tested), and in the case of algorithm verification of FIPS 140-2 it doesn't make much sense as the library is freely available and anyone can verify the correctness -of algorithm implementation. As such we are not actively pursuing this kind of certification. If you are, nevertheless, interested, see @ref{Commercial Support}. +particular version tested). While, as a free software project, we are not actively pursuing this kind of certification, GnuTLS has been FIPS-140-2 certified in several systems by +third parties. If you are, interested, see @ref{Commercial Support}. diff --git a/doc/cha-tokens.texi b/doc/cha-tokens.texi index 8898d44..756a9ca 100644 --- a/doc/cha-tokens.texi +++ b/doc/cha-tokens.texi 
@@ -10,7 +10,28 @@ perfect forward secrecy offering ciphersuite are also to be assumed compromised. If such threats need to be addressed, then it may be wise storing the keys in a security module such as a smart card, an HSM or the TPM chip. Those modules ensure the protection of the cryptographic keys by only allowing operations on them and -preventing their extraction. +preventing their extraction. The purpose of the abstract key API is to provide +an API that will allow the handle of keys in memory and files, as well as keys +stored in such modules. + +In GnuTLS the approach is to handle all keys transparently by the high level API, e.g., +the API that loads a key or certificate from a file. +The high-level API will accept URIs in addition to files that specify keys on an HSM or in TPM, +and a callback function will be used to obtain any required keys. The URI format is defined in +@xcite{TPMURI} and @xcite{PKCS11URI}, and is in the process of being standardized across systems. + +More information on the API is provided in the next sections. Examples of a URI of a certificate +stored in an HSM, as well as a key stored in the TPM chip are shown below. To discover the URIs +of the objects the @code{p11tool} (see @ref{p11tool Invocation}), +or @code{tpmtool} (see @ref{tpmtool Invocation}) may be used. + +@example +pkcs11:token=Nikos;serial=307521161601031;model=PKCS%2315; \ +manufacturer=EnterSafe;object=test1;objecttype=cert + +tpmkey:uuid=42309df8-d101-11e1-a89a-97bb33c23ad1;storage=user +@end example + @menu * Abstract key types:: 
@@ -27,7 +48,7 @@ Since there are many forms of a public or private keys supported by @acronym{Gnu on them. For these reasons the abstract @code{gnutls_privkey_t} and @code{gnutls_pubkey_t} were introduced in @code{gnutls/@-abstract.h} header. Those types are initialized using a specific type of key and then can be used to perform operations in an abstract way. For example in order -to sign an X.509 certificate with a key that resides in a token the following steps must be +to sign an X.509 certificate with a key that resides in a token the following steps can be used. @example @@ -181,8 +202,8 @@ available in @code{gnutls/pkcs11.h}. Moreover @acronym{PKCS} #11 can be (ab)used to allow all applications in the same operating system to access shared cryptographic keys and certificates in a uniform way, as in @ref{fig-pkcs11-vision}. That way applications could load their trusted certificate list, as well as user -certificates from a common PKCS #11 module. Such a provider exists in the @acronym{Gnome} -system, being the @acronym{Gnome Keyring}. +certificates from a common PKCS #11 module. Such a provider is the p11-kit trust +storage module@footnote{@url{http://p11-glue.freedesktop.org/trust-module.html}}. @float Figure,fig-pkcs11-vision @image{pkcs11-vision,9cm} @@ -195,7 +216,7 @@ system, being the @acronym{Gnome Keyring}. * Reading objects:: * Writing objects:: * Using a PKCS11 token with TLS:: -* p11tool Invocation:: Invoking p11tool +* p11tool Invocation:: @end menu @node PKCS11 Initialization @@ -393,7 +414,7 @@ In GnuTLS the TPM functionality is available in @code{gnutls/tpm.h}. * Keys in TPM:: * Key generation:: * Using keys:: -* tpmtool Invocation:: Invoking tpmtool +* tpmtool Invocation:: @end menu @node Keys in TPM diff --git a/doc/cha-upgrade.texi b/doc/cha-upgrade.texi index 5621ee0..e381f34 100644 --- a/doc/cha-upgrade.texi +++ b/doc/cha-upgrade.texi 
@@ -67,7 +67,7 @@ They are replaced by the safer function @funcref{gnutls_session_get_random} @item @funcintref{gnutls_certificate_get_openpgp_keyring} @tab Removed. -@item @funcintref{gnutls_ia_*} +@item @funcintref{gnutls_ia_} @tab Removed. The inner application extensions were completely removed (they failed to be standardized). @end multitable @@ -104,3 +104,19 @@ when the flag @code{GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA} is specified. @end multitable +@heading Upgrading to 3.3.x from 3.2.x + +GnuTLS 3.3.x is source and binary compatible with GnuTLS 3.2.x releases; +however there few changes in semantics which are listed below. + +@multitable @columnfractions .30 .60 +@headitem Old function @tab Replacement + +@item @funcintref{gnutls_global_init} +@tab No longer required. The library is initialized using a constructor. + +@item @funcintref{gnutls_global_deinit} +@tab No longer required. The library is deinitialized using a destructor. + +@end multitable + diff --git a/doc/core.c.texi b/doc/core.c.texi index 9281993..d0c403b 100644 --- a/doc/core.c.texi +++ b/doc/core.c.texi 
@@ -1,386 +1,356 @@ @c Automatically generated, do not edit. -@c snarfed from ../guile/src/core.c:3345 +@c snarfed from ../guile/src/core.c:3361 @deffn {Scheme Procedure} set-log-level! level Enable GnuTLS logging up to @var{level} (an integer). @end deffn -@c snarfed from ../guile/src/core.c:3327 +@c snarfed from ../guile/src/core.c:3343 @deffn {Scheme Procedure} set-log-procedure! proc Use @var{proc} (a two-argument procedure) as the global GnuTLS log procedure. @end deffn -@c snarfed from ../guile/src/core.c:3288 +@c snarfed from ../guile/src/core.c:3304 @deffn {Scheme Procedure} set-certificate-credentials-openpgp-keys! cred pub sec Use certificate @var{pub} and secret key @var{sec} in certificate credentials @var{cred}. @end deffn -@c snarfed from ../guile/src/core.c:3250 +@c snarfed from ../guile/src/core.c:3266 @deffn {Scheme Procedure} openpgp-keyring-contains-key-id? keyring id Return @code{#f} if key ID @var{id} is in @var{keyring}, @code{#f} otherwise. @end deffn -@c snarfed from ../guile/src/core.c:3204 +@c snarfed from ../guile/src/core.c:3220 @deffn {Scheme Procedure} import-openpgp-keyring data format Import @var{data} (a u8vector) according to @var{format} and return the imported keyring. @end deffn -@c snarfed from ../guile/src/core.c:3178 +@c snarfed from ../guile/src/core.c:3194 @deffn {Scheme Procedure} openpgp-certificate-usage key Return a list of values denoting the key usage of @var{key}. @end deffn -@c snarfed from ../guile/src/core.c:3161 +@c snarfed from ../guile/src/core.c:3177 @deffn {Scheme Procedure} openpgp-certificate-version key Return the version of the OpenPGP message format (RFC2440) honored by @var{key}. @end deffn -@c snarfed from ../guile/src/core.c:3140 +@c snarfed from ../guile/src/core.c:3156 @deffn {Scheme Procedure} openpgp-certificate-algorithm key Return two values: the certificate algorithm used by @var{key} and the number of bits used. 
@end deffn -@c snarfed from ../guile/src/core.c:3104 +@c snarfed from ../guile/src/core.c:3120 @deffn {Scheme Procedure} openpgp-certificate-names key Return the list of names for @var{key}. @end deffn -@c snarfed from ../guile/src/core.c:3081 +@c snarfed from ../guile/src/core.c:3097 @deffn {Scheme Procedure} openpgp-certificate-name key index Return the @var{index}th name of @var{key}. @end deffn -@c snarfed from ../guile/src/core.c:3023 +@c snarfed from ../guile/src/core.c:3039 @deffn {Scheme Procedure} openpgp-certificate-fingerprint key Return a new u8vector denoting the fingerprint of @var{key}. @end deffn -@c snarfed from ../guile/src/core.c:2993 +@c snarfed from ../guile/src/core.c:3009 @deffn {Scheme Procedure} openpgp-certificate-fingerprint! key fpr Store in @var{fpr} (a u8vector) the fingerprint of @var{key}. Return the number of bytes stored in @var{fpr}. @end deffn -@c snarfed from ../guile/src/core.c:2958 +@c snarfed from ../guile/src/core.c:2974 @deffn {Scheme Procedure} openpgp-certificate-id! key id Store the ID (an 8 byte sequence) of certificate @var{key} in @var{id} (a u8vector). @end deffn -@c snarfed from ../guile/src/core.c:2932 +@c snarfed from ../guile/src/core.c:2948 @deffn {Scheme Procedure} openpgp-certificate-id key Return the ID (an 8-element u8vector) of certificate @var{key}. @end deffn -@c snarfed from ../guile/src/core.c:2877 +@c snarfed from ../guile/src/core.c:2893 @deffn {Scheme Procedure} import-openpgp-private-key data format [pass] Return a new OpenPGP private key object resulting from the import of @var{data} (a uniform array) according to @var{format}. Optionally, a passphrase may be provided. @end deffn -@c snarfed from ../guile/src/core.c:2832 +@c snarfed from ../guile/src/core.c:2848 @deffn {Scheme Procedure} import-openpgp-certificate data format Return a new OpenPGP certificate object resulting from the import of @var{data} (a uniform array) according to @var{format}. 
@end deffn -@c snarfed from ../guile/src/core.c:2768 +@c snarfed from ../guile/src/core.c:2784 @deffn {Scheme Procedure} x509-certificate-subject-alternative-name cert index Return two values: the alternative name type for @var{cert} (i.e., one of the @code{x509-subject-alternative-name/} values) and the actual subject alternative name (a string) at @var{index}. Both values are @code{#f} if no alternative name is available at @var{index}. @end deffn -@c snarfed from ../guile/src/core.c:2733 +@c snarfed from ../guile/src/core.c:2749 @deffn {Scheme Procedure} x509-certificate-subject-key-id cert Return the subject key ID (a u8vector) for @var{cert}. @end deffn -@c snarfed from ../guile/src/core.c:2702 +@c snarfed from ../guile/src/core.c:2718 @deffn {Scheme Procedure} x509-certificate-authority-key-id cert Return the key ID (a u8vector) of the X.509 certificate authority of @var{cert}. @end deffn -@c snarfed from ../guile/src/core.c:2670 +@c snarfed from ../guile/src/core.c:2686 @deffn {Scheme Procedure} x509-certificate-key-id cert Return a statistically unique ID (a u8vector) for @var{cert} that depends on its public key parameters. This is normally a 20-byte SHA-1 hash. @end deffn -@c snarfed from ../guile/src/core.c:2648 +@c snarfed from ../guile/src/core.c:2664 @deffn {Scheme Procedure} x509-certificate-version cert Return the version of @var{cert}. @end deffn -@c snarfed from ../guile/src/core.c:2621 +@c snarfed from ../guile/src/core.c:2637 @deffn {Scheme Procedure} x509-certificate-key-usage cert Return the key usage of @var{cert} (i.e., a list of @code{key-usage/} values), or the empty list if @var{cert} does not contain such information. @end deffn -@c snarfed from ../guile/src/core.c:2598 +@c snarfed from ../guile/src/core.c:2614 @deffn {Scheme Procedure} x509-certificate-public-key-algorithm cert Return two values: the public key algorithm (i.e., one of the @code{pk-algorithm/} values) of @var{cert} and the number of bits used. 
@end deffn -@c snarfed from ../guile/src/core.c:2575 +@c snarfed from ../guile/src/core.c:2591 @deffn {Scheme Procedure} x509-certificate-signature-algorithm cert Return the signature algorithm used by @var{cert} (i.e., one of the @code{sign-algorithm/} values). @end deffn -@c snarfed from ../guile/src/core.c:2543 +@c snarfed from ../guile/src/core.c:2559 @deffn {Scheme Procedure} x509-certificate-matches-hostname? cert hostname Return true if @var{cert} matches @var{hostname}, a string denoting a DNS host name. This is the basic implementation of @uref{http://tools.ietf.org/html/rfc2818, RFC 2818} (aka. HTTPS). @end deffn -@c snarfed from ../guile/src/core.c:2525 +@c snarfed from ../guile/src/core.c:2541 @deffn {Scheme Procedure} x509-certificate-issuer-dn-oid cert index Return the OID (a string) at @var{index} from @var{cert}'s issuer DN. Return @code{#f} if no OID is available at @var{index}. @end deffn -@c snarfed from ../guile/src/core.c:2511 +@c snarfed from ../guile/src/core.c:2527 @deffn {Scheme Procedure} x509-certificate-dn-oid cert index Return OID (a string) at @var{index} from @var{cert}. Return @code{#f} if no OID is available at @var{index}. @end deffn -@c snarfed from ../guile/src/core.c:2449 +@c snarfed from ../guile/src/core.c:2465 @deffn {Scheme Procedure} x509-certificate-issuer-dn cert Return the distinguished name (DN) of X.509 certificate @var{cert}. @end deffn -@c snarfed from ../guile/src/core.c:2436 +@c snarfed from ../guile/src/core.c:2452 @deffn {Scheme Procedure} x509-certificate-dn cert Return the distinguished name (DN) of X.509 certificate @var{cert}. The form of the DN is as described in @uref{http://tools.ietf.org/html/rfc2253, RFC 2253}. 
@end deffn -@c snarfed from ../guile/src/core.c:2346 +@c snarfed from ../guile/src/core.c:2362 @deffn {Scheme Procedure} pkcs8-import-x509-private-key data format [pass [encrypted]] Return a new X.509 private key object resulting from the import of @var{data} (a uniform array) according to @var{format}. Optionally, if @var{pass} is not @code{#f}, it should be a string denoting a passphrase. @var{encrypted} tells whether the private key is encrypted (@code{#t} by default). @end deffn -@c snarfed from ../guile/src/core.c:2297 +@c snarfed from ../guile/src/core.c:2313 @deffn {Scheme Procedure} import-x509-private-key data format Return a new X.509 private key object resulting from the import of @var{data} (a uniform array) according to @var{format}. @end deffn -@c snarfed from ../guile/src/core.c:2252 +@c snarfed from ../guile/src/core.c:2268 @deffn {Scheme Procedure} import-x509-certificate data format Return a new X.509 certificate object resulting from the import of @var{data} (a uniform array) according to @var{format}. @end deffn -@c snarfed from ../guile/src/core.c:2224 +@c snarfed from ../guile/src/core.c:2240 @deffn {Scheme Procedure} server-session-psk-username session Return the username associated with PSK server session @var{session}. @end deffn -@c snarfed from ../guile/src/core.c:2180 +@c snarfed from ../guile/src/core.c:2196 @deffn {Scheme Procedure} set-psk-client-credentials! cred username key key-format Set the client credentials for @var{cred}, a PSK client credentials object. @end deffn -@c snarfed from ../guile/src/core.c:2160 +@c snarfed from ../guile/src/core.c:2176 @deffn {Scheme Procedure} make-psk-client-credentials Return a new PSK client credentials object. @end deffn -@c snarfed from ../guile/src/core.c:2132 +@c snarfed from ../guile/src/core.c:2148 @deffn {Scheme Procedure} set-psk-server-credentials-file! cred file Use @var{file} as the password file for PSK server credentials @var{cred}. 
@end deffn -@c snarfed from ../guile/src/core.c:2112 +@c snarfed from ../guile/src/core.c:2128 @deffn {Scheme Procedure} make-psk-server-credentials Return new PSK server credentials. @end deffn -@c snarfed from ../guile/src/core.c:1824 +@c snarfed from ../guile/src/core.c:1840 @deffn {Scheme Procedure} peer-certificate-status session Verify the peer certificate for @var{session} and return a list of @code{certificate-status} values (such as @code{certificate-status/revoked}), or the empty list if the certificate is valid. @end deffn -@c snarfed from ../guile/src/core.c:1796 +@c snarfed from ../guile/src/core.c:1812 @deffn {Scheme Procedure} set-certificate-credentials-verify-flags! cred [flags...] Set the certificate verification flags to @var{flags}, a series of @code{certificate-verify} values. @end deffn -@c snarfed from ../guile/src/core.c:1774 +@c snarfed from ../guile/src/core.c:1790 @deffn {Scheme Procedure} set-certificate-credentials-verify-limits! cred max-bits max-depth Set the verification limits of @code{peer-certificate-status} for certificate credentials @var{cred} to @var{max_bits} bits for an acceptable certificate and @var{max_depth} as the maximum depth of a certificate chain. @end deffn -@c snarfed from ../guile/src/core.c:1732 +@c snarfed from ../guile/src/core.c:1748 @deffn {Scheme Procedure} set-certificate-credentials-x509-keys! cred certs privkey Have certificate credentials @var{cred} use the X.509 certificates listed in @var{certs} and X.509 private key @var{privkey}. @end deffn -@c snarfed from ../guile/src/core.c:1686 +@c snarfed from ../guile/src/core.c:1702 @deffn {Scheme Procedure} set-certificate-credentials-x509-key-data! cred cert key format Use X.509 certificate @var{cert} and private key @var{key}, both uniform arrays containing the X.509 certificate and key in format @var{format}, for certificate credentials @var{cred}. 
@end deffn -@c snarfed from ../guile/src/core.c:1666 +@c snarfed from ../guile/src/core.c:1682 @deffn {Scheme Procedure} set-certificate-credentials-x509-crl-data! cred data format Use @var{data} (a uniform array) as the X.509 CRL (certificate revocation list) database for @var{cred}. On success, return the number of CRLs processed. @end deffn -@c snarfed from ../guile/src/core.c:1647 +@c snarfed from ../guile/src/core.c:1663 @deffn {Scheme Procedure} set-certificate-credentials-x509-trust-data! cred data format Use @var{data} (a uniform array) as the X.509 trust database for @var{cred}. On success, return the number of certificates processed. @end deffn -@c snarfed from ../guile/src/core.c:1628 +@c snarfed from ../guile/src/core.c:1644 @deffn {Scheme Procedure} set-certificate-credentials-x509-crl-file! cred file format Use @var{file} as the X.509 CRL (certificate revocation list) file for certificate credentials @var{cred}. On success, return the number of CRLs processed. @end deffn -@c snarfed from ../guile/src/core.c:1609 +@c snarfed from ../guile/src/core.c:1625 @deffn {Scheme Procedure} set-certificate-credentials-x509-trust-file! cred file format Use @var{file} as the X.509 trust file for certificate credentials @var{cred}. On success, return the number of certificates processed. @end deffn -@c snarfed from ../guile/src/core.c:1567 +@c snarfed from ../guile/src/core.c:1583 @deffn {Scheme Procedure} set-certificate-credentials-x509-key-files! cred cert-file key-file format Use @var{file} as the password file for PSK server credentials @var{cred}. @end deffn -@c snarfed from ../guile/src/core.c:1545 +@c snarfed from ../guile/src/core.c:1561 @deffn {Scheme Procedure} set-certificate-credentials-rsa-export-parameters! cred rsa-params Use RSA parameters @var{rsa_params} for certificate credentials @var{cred}. 
@end deffn -@c snarfed from ../guile/src/core.c:1523 +@c snarfed from ../guile/src/core.c:1539 @deffn {Scheme Procedure} set-certificate-credentials-dh-parameters! cred dh-params Use Diffie-Hellman parameters @var{dh_params} for certificate credentials @var{cred}. @end deffn -@c snarfed from ../guile/src/core.c:1503 +@c snarfed from ../guile/src/core.c:1519 @deffn {Scheme Procedure} make-certificate-credentials Return new certificate credentials (i.e., for use with either X.509 or OpenPGP certificates. @end deffn -@c snarfed from ../guile/src/core.c:1397 +@c snarfed from ../guile/src/core.c:1413 @deffn {Scheme Procedure} pkcs1-export-rsa-parameters rsa-params format Export Diffie-Hellman parameters @var{rsa_params} in PKCS1 format according for @var{format} (an @code{x509-certificate-format} value). Return a @code{u8vector} containing the result. @end deffn -@c snarfed from ../guile/src/core.c:1352 +@c snarfed from ../guile/src/core.c:1368 @deffn {Scheme Procedure} pkcs1-import-rsa-parameters array format Import Diffie-Hellman parameters in PKCS1 format (further specified by @var{format}, an @code{x509-certificate-format} value) from @var{array} (a homogeneous array) and return a new @code{rsa-params} object. @end deffn -@c snarfed from ../guile/src/core.c:1320 +@c snarfed from ../guile/src/core.c:1336 @deffn {Scheme Procedure} make-rsa-parameters bits Return new RSA parameters. @end deffn -@c snarfed from ../guile/src/core.c:1299 +@c snarfed from ../guile/src/core.c:1315 @deffn {Scheme Procedure} set-anonymous-server-dh-parameters! cred dh-params Set the Diffie-Hellman parameters of anonymous server credentials @var{cred}. @end deffn -@c snarfed from ../guile/src/core.c:1279 +@c snarfed from ../guile/src/core.c:1295 @deffn {Scheme Procedure} make-anonymous-client-credentials Return anonymous client credentials. 
@end deffn -@c snarfed from ../guile/src/core.c:1261 +@c snarfed from ../guile/src/core.c:1277 @deffn {Scheme Procedure} make-anonymous-server-credentials Return anonymous server credentials. @end deffn -@c snarfed from ../guile/src/core.c:1240 +@c snarfed from ../guile/src/core.c:1256 @deffn {Scheme Procedure} set-session-dh-prime-bits! session bits Use @var{bits} DH prime bits for @var{session}. @end deffn -@c snarfed from ../guile/src/core.c:1218 +@c snarfed from ../guile/src/core.c:1234 @deffn {Scheme Procedure} pkcs3-export-dh-parameters dh-params format Export Diffie-Hellman parameters @var{dh_params} in PKCS3 format according for @var{format} (an @code{x509-certificate-format} value). Return a @code{u8vector} containing the result. @end deffn -@c snarfed from ../guile/src/core.c:1173 +@c snarfed from ../guile/src/core.c:1189 @deffn {Scheme Procedure} pkcs3-import-dh-parameters array format Import Diffie-Hellman parameters in PKCS3 format (further specified by @var{format}, an @code{x509-certificate-format} value) from @var{array} (a homogeneous array) and return a new @code{dh-params} object. @end deffn -@c snarfed from ../guile/src/core.c:1141 +@c snarfed from ../guile/src/core.c:1157 @deffn {Scheme Procedure} make-dh-parameters bits Return new Diffie-Hellman parameters. @end deffn -@c snarfed from ../guile/src/core.c:1060 +@c snarfed from ../guile/src/core.c:1076 @deffn {Scheme Procedure} set-session-transport-port! session port Use @var{port} as the input/output port for @var{session}. @end deffn -@c snarfed from ../guile/src/core.c:1009 +@c snarfed from ../guile/src/core.c:1025 @deffn {Scheme Procedure} set-session-transport-fd! session fd Use file descriptor @var{fd} as the underlying transport for @var{session}. @end deffn -@c snarfed from ../guile/src/core.c:964 +@c snarfed from ../guile/src/core.c:980 @deffn {Scheme Procedure} session-record-port session Return a read-write port that may be used to communicate over @var{session}. 
All invocations of @code{session-port} on a given session return the same object (in the sense of @code{eq?}). @end deffn -@c snarfed from ../guile/src/core.c:738 +@c snarfed from ../guile/src/core.c:754 @deffn {Scheme Procedure} record-receive! session array Receive data from @var{session} into @var{array}, a uniform homogeneous array. Return the number of bytes actually received. @end deffn -@c snarfed from ../guile/src/core.c:705 +@c snarfed from ../guile/src/core.c:721 @deffn {Scheme Procedure} record-send session array Send the record constituted by @var{array} through @var{session}. @end deffn -@c snarfed from ../guile/src/core.c:621 +@c snarfed from ../guile/src/core.c:690 +@deffn {Scheme Procedure} set-session-server-name! session type name +For a client, this procedure provides a way to inform the server that it is known under @var{name}, @i{via} the @code{SERVER NAME} TLS extension. @var{type} must be a @code{server-name-type} value, @var{server-name-type/dns} for DNS names. +@end deffn + +@c snarfed from ../guile/src/core.c:605 @deffn {Scheme Procedure} set-session-credentials! session cred Use @var{cred} as @var{session}'s credentials. @end deffn -@c snarfed from ../guile/src/core.c:599 +@c snarfed from ../guile/src/core.c:583 @deffn {Scheme Procedure} cipher-suite->string kx cipher mac Return the name of the given cipher suite. @end deffn -@c snarfed from ../guile/src/core.c:560 +@c snarfed from ../guile/src/core.c:544 @deffn {Scheme Procedure} set-session-priorities! session priorities -Have @var{session} use the given @var{priorities} for the ciphers, key exchange methods, MACs and compression methods. @var{priorities} must be a string (see Priority Strings). When @var{priorities} cannot be parsed, an @code{error/invalid-request} error is raised, with an extra argument indication the position of the error. +Have @var{session} use the given @var{priorities} for the ciphers, key exchange methods, MACs and compression methods. 
@var{priorities} must be a string (@pxref{Priority Strings,,, gnutls, GnuTLS@comma{} Transport Layer Security Library for the GNU system}). When @var{priorities} cannot be parsed, an @code{error/invalid-request} error is raised, with an extra argument indication the position of the error. @end deffn -@c snarfed from ../guile/src/core.c:539 -@deffn {Scheme Procedure} set-session-default-export-priority! session -Have @var{session} use the default export priorities. -@end deffn - -@c snarfed from ../guile/src/core.c:523 +@c snarfed from ../guile/src/core.c:521 @deffn {Scheme Procedure} set-session-default-priority! session Have @var{session} use the default priorities. @end deffn -@c snarfed from ../guile/src/priorities.i.c:110 -@deffn {Scheme Procedure} set-session-certificate-type-priority! session items -Use @var{items} (a list) as the list of preferred certificate-type for @var{session}. -@end deffn - -@c snarfed from ../guile/src/priorities.i.c:89 -@deffn {Scheme Procedure} set-session-protocol-priority! session items -Use @var{items} (a list) as the list of preferred protocol for @var{session}. -@end deffn - -@c snarfed from ../guile/src/priorities.i.c:68 -@deffn {Scheme Procedure} set-session-kx-priority! session items -Use @var{items} (a list) as the list of preferred kx for @var{session}. -@end deffn - -@c snarfed from ../guile/src/priorities.i.c:47 -@deffn {Scheme Procedure} set-session-compression-method-priority! session items -Use @var{items} (a list) as the list of preferred compression-method for @var{session}. -@end deffn - -@c snarfed from ../guile/src/priorities.i.c:26 -@deffn {Scheme Procedure} set-session-mac-priority! session items -Use @var{items} (a list) as the list of preferred mac for @var{session}. -@end deffn - -@c snarfed from ../guile/src/priorities.i.c:5 -@deffn {Scheme Procedure} set-session-cipher-priority! session items -Use @var{items} (a list) as the list of preferred cipher for @var{session}. 
-@end deffn - @c snarfed from ../guile/src/core.c:500 @deffn {Scheme Procedure} set-server-session-certificate-request! session request Tell how @var{session}, a server-side session, should deal with certificate requests. @var{request} should be either @code{certificate-request/request} or @code{certificate-request/require}. 
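Review bot: the new docstring for set-session-server-name! in this hunk marks the constant server-name-type/dns with @var, which is Texinfo's metasyntactic-variable markup, where every other enumerated value in this file uses @code (compare "@code{certificate-request/request}" a few lines below); it should read "@code{server-name-type/dns} for DNS names", and because the header says the file is automatically generated, the fix belongs in the docstring in guile/src/core.c that it is snarfed from. The rewritten set-session-priorities! text also carries over the typo "an extra argument indication the position of the error" ("indicating"). Since the hunk drops set-session-default-export-priority! and the six per-category priority setters (cipher, mac, compression-method, kx, protocol, certificate-type) from the documented Guile API, that removal should be called out in NEWS so binding users know to migrate to priority strings. Pre-existing context in the same hunk is worth a follow-up in the source docstrings: openpgp-keyring-contains-key-id? says it returns @code{#f} in both cases, set-certificate-credentials-x509-key-files! reuses the PSK password-file description, pkcs1-export-rsa-parameters and pkcs1-import-rsa-parameters describe RSA parameters as Diffie-Hellman parameters, and make-certificate-credentials has an unclosed parenthesis.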
@@ -551,31 +521,36 @@ Return true if @var{obj} is of type @code{anonymous-client-credentials}. Return true if @var{obj} is of type @code{session}. @end deffn -@c snarfed from ../guile/src/enum-map.i.c:915 +@c snarfed from ../guile/src/enum-map.i.c:955 @deffn {Scheme Procedure} openpgp-certificate-format->string enumval Return a string describing @var{enumval}, a @code{openpgp-certificate-format} value. @end deffn -@c snarfed from ../guile/src/enum-map.i.c:874 +@c snarfed from ../guile/src/enum-map.i.c:914 @deffn {Scheme Procedure} error->string enumval Return a string describing @var{enumval}, a @code{error} value. @end deffn -@c snarfed from ../guile/src/enum-map.i.c:853 +@c snarfed from ../guile/src/enum-map.i.c:893 @deffn {Scheme Procedure} certificate-verify->string enumval Return a string describing @var{enumval}, a @code{certificate-verify} value. @end deffn -@c snarfed from ../guile/src/enum-map.i.c:808 +@c snarfed from ../guile/src/enum-map.i.c:848 @deffn {Scheme Procedure} key-usage->string enumval Return a string describing @var{enumval}, a @code{key-usage} value. @end deffn -@c snarfed from ../guile/src/enum-map.i.c:760 +@c snarfed from ../guile/src/enum-map.i.c:800 @deffn {Scheme Procedure} psk-key-format->string enumval Return a string describing @var{enumval}, a @code{psk-key-format} value. @end deffn +@c snarfed from ../guile/src/enum-map.i.c:759 +@deffn {Scheme Procedure} server-name-type->string enumval +Return a string describing @var{enumval}, a @code{server-name-type} value. +@end deffn + @c snarfed from ../guile/src/enum-map.i.c:719 @deffn {Scheme Procedure} sign-algorithm->string enumval Return a string describing @var{enumval}, a @code{sign-algorithm} value. diff --git a/doc/credentials/Makefile.in b/doc/credentials/Makefile.in index 9e795ce..fb897dd 100644 --- a/doc/credentials/Makefile.in +++ b/doc/credentials/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -34,7 +34,17 @@ # along with this file; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -98,7 +108,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = doc/credentials -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/bison.m4 \ @@ -132,6 +141,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/tm_gmtoff.m4 \ $(top_srcdir)/src/gl/m4/xalloc.m4 \ $(top_srcdir)/src/libopts/m4/libopts.m4 \ + $(top_srcdir)/src/libopts/m4/stdnoreturn.m4 \ $(top_srcdir)/gl/m4/00gnulib.m4 \ $(top_srcdir)/gl/m4/absolute-header.m4 \ $(top_srcdir)/gl/m4/alloca.m4 $(top_srcdir)/gl/m4/base64.m4 \ 
@@ -208,6 +218,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/m4/xsize.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -267,6 +278,7 @@ am__define_uniq_tagged_files = \ ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -343,6 +355,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@ EMULTIHOP_VALUE = @EMULTIHOP_VALUE@ +ENABLE_PADLOCK = @ENABLE_PADLOCK@ ENOLINK_HIDDEN = @ENOLINK_HIDDEN@ ENOLINK_VALUE = @ENOLINK_VALUE@ EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@ @@ -502,6 +515,7 @@ GNULIB_PUTCHAR = @GNULIB_PUTCHAR@ GNULIB_PUTENV = @GNULIB_PUTENV@ GNULIB_PUTS = @GNULIB_PUTS@ GNULIB_PWRITE = @GNULIB_PWRITE@ +GNULIB_QSORT_R = @GNULIB_QSORT_R@ GNULIB_RAISE = @GNULIB_RAISE@ GNULIB_RANDOM = @GNULIB_RANDOM@ GNULIB_RANDOM_R = @GNULIB_RANDOM_R@ @@ -713,6 +727,7 @@ HAVE_LCHMOD = @HAVE_LCHMOD@ HAVE_LCHOWN = @HAVE_LCHOWN@ HAVE_LIBDL = @HAVE_LIBDL@ HAVE_LIBICONV = @HAVE_LIBICONV@ +HAVE_LIBNSL = @HAVE_LIBNSL@ HAVE_LIBPTHREAD = @HAVE_LIBPTHREAD@ HAVE_LIBRT = @HAVE_LIBRT@ HAVE_LIBZ = @HAVE_LIBZ@ @@ -720,6 +735,7 @@ HAVE_LINK = @HAVE_LINK@ HAVE_LINKAT = @HAVE_LINKAT@ HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@ HAVE_LSTAT = @HAVE_LSTAT@ +HAVE_MAX_ALIGN_T = @HAVE_MAX_ALIGN_T@ HAVE_MBRLEN = @HAVE_MBRLEN@ HAVE_MBRTOWC = @HAVE_MBRTOWC@ HAVE_MBSINIT = @HAVE_MBSINIT@ @@ -885,6 +901,8 @@ LIBICONV_PREFIX = @LIBICONV_PREFIX@ LIBIDN_CFLAGS = @LIBIDN_CFLAGS@ LIBIDN_LIBS = @LIBIDN_LIBS@ LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBNSL_PREFIX = @LIBNSL_PREFIX@ LIBOBJS = @LIBOBJS@ LIBOPTS_CFLAGS = @LIBOPTS_CFLAGS@ LIBOPTS_DIR = @LIBOPTS_DIR@ 
@@ -909,6 +927,7 @@ LTALLOCA = @LTALLOCA@ LTLIBDL = @LTLIBDL@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ +LTLIBNSL = @LTLIBNSL@ LTLIBOBJS = @LTLIBOBJS@ LTLIBPTHREAD = @LTLIBPTHREAD@ LTLIBRT = @LTLIBRT@ @@ -922,9 +941,6 @@ LT_REVISION = @LT_REVISION@ LT_SSL_AGE = @LT_SSL_AGE@ LT_SSL_CURRENT = @LT_SSL_CURRENT@ LT_SSL_REVISION = @LT_SSL_REVISION@ -LT_XSSL_AGE = @LT_XSSL_AGE@ -LT_XSSL_CURRENT = @LT_XSSL_CURRENT@ -LT_XSSL_REVISION = @LT_XSSL_REVISION@ MAJOR_VERSION = @MAJOR_VERSION@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ @@ -1088,10 +1104,12 @@ REPLACE_PTSNAME = @REPLACE_PTSNAME@ REPLACE_PTSNAME_R = @REPLACE_PTSNAME_R@ REPLACE_PUTENV = @REPLACE_PUTENV@ REPLACE_PWRITE = @REPLACE_PWRITE@ +REPLACE_QSORT_R = @REPLACE_QSORT_R@ REPLACE_RAISE = @REPLACE_RAISE@ REPLACE_RANDOM_R = @REPLACE_RANDOM_R@ REPLACE_READ = @REPLACE_READ@ REPLACE_READLINK = @REPLACE_READLINK@ +REPLACE_READLINKAT = @REPLACE_READLINKAT@ REPLACE_REALLOC = @REPLACE_REALLOC@ REPLACE_REALPATH = @REPLACE_REALPATH@ REPLACE_REMOVE = @REPLACE_REMOVE@ @@ -1123,6 +1141,7 @@ REPLACE_STRTOK_R = @REPLACE_STRTOK_R@ REPLACE_STRTOUMAX = @REPLACE_STRTOUMAX@ REPLACE_STRUCT_TIMEVAL = @REPLACE_STRUCT_TIMEVAL@ REPLACE_SYMLINK = @REPLACE_SYMLINK@ +REPLACE_SYMLINKAT = @REPLACE_SYMLINKAT@ REPLACE_TIMEGM = @REPLACE_TIMEGM@ REPLACE_TMPFILE = @REPLACE_TMPFILE@ REPLACE_TTYNAME_R = @REPLACE_TTYNAME_R@ @@ -1155,9 +1174,11 @@ STDALIGN_H = @STDALIGN_H@ STDBOOL_H = @STDBOOL_H@ STDDEF_H = @STDDEF_H@ STDINT_H = @STDINT_H@ +STDNORETURN_H = @STDNORETURN_H@ STRIP = @STRIP@ SYS_TIME_H_DEFINES_STRUCT_TIMESPEC = @SYS_TIME_H_DEFINES_STRUCT_TIMESPEC@ TIME_H_DEFINES_STRUCT_TIMESPEC = @TIME_H_DEFINES_STRUCT_TIMESPEC@ +TROUSERS_LIB = @TROUSERS_LIB@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ UINT32_MAX_LT_UINTMAX_MAX = @UINT32_MAX_LT_UINTMAX_MAX@ 
@@ -1241,6 +1262,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -1269,7 +1291,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/credentials/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu doc/credentials/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -1564,6 +1585,8 @@ uninstall-am: mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ ps ps-am tags tags-am uninstall uninstall-am +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/doc/credentials/openpgp/Makefile.in b/doc/credentials/openpgp/Makefile.in index 344ada1..03119af 100644 --- a/doc/credentials/openpgp/Makefile.in +++ b/doc/credentials/openpgp/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ 
@@ -78,7 +88,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = doc/credentials/openpgp -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/bison.m4 \ @@ -112,6 +121,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/tm_gmtoff.m4 \ $(top_srcdir)/src/gl/m4/xalloc.m4 \ $(top_srcdir)/src/libopts/m4/libopts.m4 \ + $(top_srcdir)/src/libopts/m4/stdnoreturn.m4 \ $(top_srcdir)/gl/m4/00gnulib.m4 \ $(top_srcdir)/gl/m4/absolute-header.m4 \ $(top_srcdir)/gl/m4/alloca.m4 $(top_srcdir)/gl/m4/base64.m4 \ @@ -188,6 +198,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/m4/xsize.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -212,6 +223,7 @@ am__can_run_installinfo = \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ @@ -263,6 +275,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@ EMULTIHOP_VALUE = @EMULTIHOP_VALUE@ +ENABLE_PADLOCK = @ENABLE_PADLOCK@ ENOLINK_HIDDEN = @ENOLINK_HIDDEN@ ENOLINK_VALUE = @ENOLINK_VALUE@ EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@ @@ -422,6 +435,7 @@ GNULIB_PUTCHAR = @GNULIB_PUTCHAR@ GNULIB_PUTENV = @GNULIB_PUTENV@ GNULIB_PUTS = @GNULIB_PUTS@ GNULIB_PWRITE = @GNULIB_PWRITE@ +GNULIB_QSORT_R = @GNULIB_QSORT_R@ GNULIB_RAISE = @GNULIB_RAISE@ GNULIB_RANDOM = @GNULIB_RANDOM@ GNULIB_RANDOM_R = @GNULIB_RANDOM_R@ 
@@ -633,6 +647,7 @@ HAVE_LCHMOD = @HAVE_LCHMOD@ HAVE_LCHOWN = @HAVE_LCHOWN@ HAVE_LIBDL = @HAVE_LIBDL@ HAVE_LIBICONV = @HAVE_LIBICONV@ +HAVE_LIBNSL = @HAVE_LIBNSL@ HAVE_LIBPTHREAD = @HAVE_LIBPTHREAD@ HAVE_LIBRT = @HAVE_LIBRT@ HAVE_LIBZ = @HAVE_LIBZ@ @@ -640,6 +655,7 @@ HAVE_LINK = @HAVE_LINK@ HAVE_LINKAT = @HAVE_LINKAT@ HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@ HAVE_LSTAT = @HAVE_LSTAT@ +HAVE_MAX_ALIGN_T = @HAVE_MAX_ALIGN_T@ HAVE_MBRLEN = @HAVE_MBRLEN@ HAVE_MBRTOWC = @HAVE_MBRTOWC@ HAVE_MBSINIT = @HAVE_MBSINIT@ @@ -805,6 +821,8 @@ LIBICONV_PREFIX = @LIBICONV_PREFIX@ LIBIDN_CFLAGS = @LIBIDN_CFLAGS@ LIBIDN_LIBS = @LIBIDN_LIBS@ LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBNSL_PREFIX = @LIBNSL_PREFIX@ LIBOBJS = @LIBOBJS@ LIBOPTS_CFLAGS = @LIBOPTS_CFLAGS@ LIBOPTS_DIR = @LIBOPTS_DIR@ @@ -829,6 +847,7 @@ LTALLOCA = @LTALLOCA@ LTLIBDL = @LTLIBDL@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ +LTLIBNSL = @LTLIBNSL@ LTLIBOBJS = @LTLIBOBJS@ LTLIBPTHREAD = @LTLIBPTHREAD@ LTLIBRT = @LTLIBRT@ @@ -842,9 +861,6 @@ LT_REVISION = @LT_REVISION@ LT_SSL_AGE = @LT_SSL_AGE@ LT_SSL_CURRENT = @LT_SSL_CURRENT@ LT_SSL_REVISION = @LT_SSL_REVISION@ -LT_XSSL_AGE = @LT_XSSL_AGE@ -LT_XSSL_CURRENT = @LT_XSSL_CURRENT@ -LT_XSSL_REVISION = @LT_XSSL_REVISION@ MAJOR_VERSION = @MAJOR_VERSION@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ @@ -1008,10 +1024,12 @@ REPLACE_PTSNAME = @REPLACE_PTSNAME@ REPLACE_PTSNAME_R = @REPLACE_PTSNAME_R@ REPLACE_PUTENV = @REPLACE_PUTENV@ REPLACE_PWRITE = @REPLACE_PWRITE@ +REPLACE_QSORT_R = @REPLACE_QSORT_R@ REPLACE_RAISE = @REPLACE_RAISE@ REPLACE_RANDOM_R = @REPLACE_RANDOM_R@ REPLACE_READ = @REPLACE_READ@ REPLACE_READLINK = @REPLACE_READLINK@ +REPLACE_READLINKAT = @REPLACE_READLINKAT@ REPLACE_REALLOC = @REPLACE_REALLOC@ REPLACE_REALPATH = @REPLACE_REALPATH@ REPLACE_REMOVE = @REPLACE_REMOVE@ 
@@ -1043,6 +1061,7 @@ REPLACE_STRTOK_R = @REPLACE_STRTOK_R@ REPLACE_STRTOUMAX = @REPLACE_STRTOUMAX@ REPLACE_STRUCT_TIMEVAL = @REPLACE_STRUCT_TIMEVAL@ REPLACE_SYMLINK = @REPLACE_SYMLINK@ +REPLACE_SYMLINKAT = @REPLACE_SYMLINKAT@ REPLACE_TIMEGM = @REPLACE_TIMEGM@ REPLACE_TMPFILE = @REPLACE_TMPFILE@ REPLACE_TTYNAME_R = @REPLACE_TTYNAME_R@ @@ -1075,9 +1094,11 @@ STDALIGN_H = @STDALIGN_H@ STDBOOL_H = @STDBOOL_H@ STDDEF_H = @STDDEF_H@ STDINT_H = @STDINT_H@ +STDNORETURN_H = @STDNORETURN_H@ STRIP = @STRIP@ SYS_TIME_H_DEFINES_STRUCT_TIMESPEC = @SYS_TIME_H_DEFINES_STRUCT_TIMESPEC@ TIME_H_DEFINES_STRUCT_TIMESPEC = @TIME_H_DEFINES_STRUCT_TIMESPEC@ +TROUSERS_LIB = @TROUSERS_LIB@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ UINT32_MAX_LT_UINTMAX_MAX = @UINT32_MAX_LT_UINTMAX_MAX@ @@ -1161,6 +1182,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -1185,7 +1207,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/credentials/openpgp/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu doc/credentials/openpgp/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -1360,6 +1381,8 @@ uninstall-am: mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags-am uninstall uninstall-am +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/doc/credentials/srp/Makefile.in b/doc/credentials/srp/Makefile.in index 116841c..4de2814 100644 --- a/doc/credentials/srp/Makefile.in +++ b/doc/credentials/srp/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -78,7 +88,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = doc/credentials/srp -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/bison.m4 \ @@ -112,6 +121,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/tm_gmtoff.m4 \ $(top_srcdir)/src/gl/m4/xalloc.m4 \ $(top_srcdir)/src/libopts/m4/libopts.m4 \ + $(top_srcdir)/src/libopts/m4/stdnoreturn.m4 \ $(top_srcdir)/gl/m4/00gnulib.m4 \ $(top_srcdir)/gl/m4/absolute-header.m4 \ $(top_srcdir)/gl/m4/alloca.m4 $(top_srcdir)/gl/m4/base64.m4 \ @@ -188,6 +198,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/m4/xsize.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -212,6 +223,7 @@ am__can_run_installinfo = \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ @@ -263,6 +275,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@ EMULTIHOP_VALUE = @EMULTIHOP_VALUE@ +ENABLE_PADLOCK = @ENABLE_PADLOCK@ ENOLINK_HIDDEN = @ENOLINK_HIDDEN@ ENOLINK_VALUE = @ENOLINK_VALUE@ EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@ @@ -422,6 +435,7 @@ GNULIB_PUTCHAR = @GNULIB_PUTCHAR@ GNULIB_PUTENV = @GNULIB_PUTENV@ GNULIB_PUTS = @GNULIB_PUTS@ GNULIB_PWRITE = @GNULIB_PWRITE@ +GNULIB_QSORT_R = @GNULIB_QSORT_R@ GNULIB_RAISE = @GNULIB_RAISE@ GNULIB_RANDOM = @GNULIB_RANDOM@ GNULIB_RANDOM_R = @GNULIB_RANDOM_R@ @@ -633,6 +647,7 @@ HAVE_LCHMOD = @HAVE_LCHMOD@ HAVE_LCHOWN = @HAVE_LCHOWN@ HAVE_LIBDL = @HAVE_LIBDL@ HAVE_LIBICONV = @HAVE_LIBICONV@ +HAVE_LIBNSL = @HAVE_LIBNSL@ HAVE_LIBPTHREAD = @HAVE_LIBPTHREAD@ HAVE_LIBRT = @HAVE_LIBRT@ HAVE_LIBZ = @HAVE_LIBZ@ @@ -640,6 +655,7 @@ HAVE_LINK = @HAVE_LINK@ HAVE_LINKAT = @HAVE_LINKAT@ HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@ HAVE_LSTAT = @HAVE_LSTAT@ +HAVE_MAX_ALIGN_T = @HAVE_MAX_ALIGN_T@ HAVE_MBRLEN = @HAVE_MBRLEN@ HAVE_MBRTOWC = @HAVE_MBRTOWC@ HAVE_MBSINIT = @HAVE_MBSINIT@ @@ -805,6 +821,8 @@ LIBICONV_PREFIX = @LIBICONV_PREFIX@ LIBIDN_CFLAGS = @LIBIDN_CFLAGS@ LIBIDN_LIBS = @LIBIDN_LIBS@ LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBNSL_PREFIX = @LIBNSL_PREFIX@ LIBOBJS = @LIBOBJS@ LIBOPTS_CFLAGS = @LIBOPTS_CFLAGS@ LIBOPTS_DIR = @LIBOPTS_DIR@ @@ -829,6 +847,7 @@ LTALLOCA = @LTALLOCA@ LTLIBDL = @LTLIBDL@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ +LTLIBNSL = @LTLIBNSL@ LTLIBOBJS = @LTLIBOBJS@ LTLIBPTHREAD = @LTLIBPTHREAD@ LTLIBRT = @LTLIBRT@ 
@@ -842,9 +861,6 @@ LT_REVISION = @LT_REVISION@ LT_SSL_AGE = @LT_SSL_AGE@ LT_SSL_CURRENT = @LT_SSL_CURRENT@ LT_SSL_REVISION = @LT_SSL_REVISION@ -LT_XSSL_AGE = @LT_XSSL_AGE@ -LT_XSSL_CURRENT = @LT_XSSL_CURRENT@ -LT_XSSL_REVISION = @LT_XSSL_REVISION@ MAJOR_VERSION = @MAJOR_VERSION@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ @@ -1008,10 +1024,12 @@ REPLACE_PTSNAME = @REPLACE_PTSNAME@ REPLACE_PTSNAME_R = @REPLACE_PTSNAME_R@ REPLACE_PUTENV = @REPLACE_PUTENV@ REPLACE_PWRITE = @REPLACE_PWRITE@ +REPLACE_QSORT_R = @REPLACE_QSORT_R@ REPLACE_RAISE = @REPLACE_RAISE@ REPLACE_RANDOM_R = @REPLACE_RANDOM_R@ REPLACE_READ = @REPLACE_READ@ REPLACE_READLINK = @REPLACE_READLINK@ +REPLACE_READLINKAT = @REPLACE_READLINKAT@ REPLACE_REALLOC = @REPLACE_REALLOC@ REPLACE_REALPATH = @REPLACE_REALPATH@ REPLACE_REMOVE = @REPLACE_REMOVE@ @@ -1043,6 +1061,7 @@ REPLACE_STRTOK_R = @REPLACE_STRTOK_R@ REPLACE_STRTOUMAX = @REPLACE_STRTOUMAX@ REPLACE_STRUCT_TIMEVAL = @REPLACE_STRUCT_TIMEVAL@ REPLACE_SYMLINK = @REPLACE_SYMLINK@ +REPLACE_SYMLINKAT = @REPLACE_SYMLINKAT@ REPLACE_TIMEGM = @REPLACE_TIMEGM@ REPLACE_TMPFILE = @REPLACE_TMPFILE@ REPLACE_TTYNAME_R = @REPLACE_TTYNAME_R@ @@ -1075,9 +1094,11 @@ STDALIGN_H = @STDALIGN_H@ STDBOOL_H = @STDBOOL_H@ STDDEF_H = @STDDEF_H@ STDINT_H = @STDINT_H@ +STDNORETURN_H = @STDNORETURN_H@ STRIP = @STRIP@ SYS_TIME_H_DEFINES_STRUCT_TIMESPEC = @SYS_TIME_H_DEFINES_STRUCT_TIMESPEC@ TIME_H_DEFINES_STRUCT_TIMESPEC = @TIME_H_DEFINES_STRUCT_TIMESPEC@ +TROUSERS_LIB = @TROUSERS_LIB@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ UINT32_MAX_LT_UINTMAX_MAX = @UINT32_MAX_LT_UINTMAX_MAX@ @@ -1161,6 +1182,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -1185,7 +1207,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/credentials/srp/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu doc/credentials/srp/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -1360,6 +1381,8 @@ uninstall-am: mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags-am uninstall uninstall-am +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/doc/credentials/x509/Makefile.in b/doc/credentials/x509/Makefile.in index ee14f76..87bf696 100644 --- a/doc/credentials/x509/Makefile.in +++ b/doc/credentials/x509/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,7 +14,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -78,7 +88,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = doc/credentials/x509 -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/bison.m4 \ 
@@ -112,6 +121,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/tm_gmtoff.m4 \ $(top_srcdir)/src/gl/m4/xalloc.m4 \ $(top_srcdir)/src/libopts/m4/libopts.m4 \ + $(top_srcdir)/src/libopts/m4/stdnoreturn.m4 \ $(top_srcdir)/gl/m4/00gnulib.m4 \ $(top_srcdir)/gl/m4/absolute-header.m4 \ $(top_srcdir)/gl/m4/alloca.m4 $(top_srcdir)/gl/m4/base64.m4 \ @@ -188,6 +198,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/m4/xsize.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -212,6 +223,7 @@ am__can_run_installinfo = \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ @@ -263,6 +275,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@ EMULTIHOP_VALUE = @EMULTIHOP_VALUE@ +ENABLE_PADLOCK = @ENABLE_PADLOCK@ ENOLINK_HIDDEN = @ENOLINK_HIDDEN@ ENOLINK_VALUE = @ENOLINK_VALUE@ EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@ @@ -422,6 +435,7 @@ GNULIB_PUTCHAR = @GNULIB_PUTCHAR@ GNULIB_PUTENV = @GNULIB_PUTENV@ GNULIB_PUTS = @GNULIB_PUTS@ GNULIB_PWRITE = @GNULIB_PWRITE@ +GNULIB_QSORT_R = @GNULIB_QSORT_R@ GNULIB_RAISE = @GNULIB_RAISE@ GNULIB_RANDOM = @GNULIB_RANDOM@ GNULIB_RANDOM_R = @GNULIB_RANDOM_R@ @@ -633,6 +647,7 @@ HAVE_LCHMOD = @HAVE_LCHMOD@ HAVE_LCHOWN = @HAVE_LCHOWN@ HAVE_LIBDL = @HAVE_LIBDL@ HAVE_LIBICONV = @HAVE_LIBICONV@ +HAVE_LIBNSL = @HAVE_LIBNSL@ HAVE_LIBPTHREAD = @HAVE_LIBPTHREAD@ HAVE_LIBRT = @HAVE_LIBRT@ HAVE_LIBZ = @HAVE_LIBZ@ 
@@ -640,6 +655,7 @@ HAVE_LINK = @HAVE_LINK@ HAVE_LINKAT = @HAVE_LINKAT@ HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@ HAVE_LSTAT = @HAVE_LSTAT@ +HAVE_MAX_ALIGN_T = @HAVE_MAX_ALIGN_T@ HAVE_MBRLEN = @HAVE_MBRLEN@ HAVE_MBRTOWC = @HAVE_MBRTOWC@ HAVE_MBSINIT = @HAVE_MBSINIT@ @@ -805,6 +821,8 @@ LIBICONV_PREFIX = @LIBICONV_PREFIX@ LIBIDN_CFLAGS = @LIBIDN_CFLAGS@ LIBIDN_LIBS = @LIBIDN_LIBS@ LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBNSL_PREFIX = @LIBNSL_PREFIX@ LIBOBJS = @LIBOBJS@ LIBOPTS_CFLAGS = @LIBOPTS_CFLAGS@ LIBOPTS_DIR = @LIBOPTS_DIR@ @@ -829,6 +847,7 @@ LTALLOCA = @LTALLOCA@ LTLIBDL = @LTLIBDL@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ +LTLIBNSL = @LTLIBNSL@ LTLIBOBJS = @LTLIBOBJS@ LTLIBPTHREAD = @LTLIBPTHREAD@ LTLIBRT = @LTLIBRT@ @@ -842,9 +861,6 @@ LT_REVISION = @LT_REVISION@ LT_SSL_AGE = @LT_SSL_AGE@ LT_SSL_CURRENT = @LT_SSL_CURRENT@ LT_SSL_REVISION = @LT_SSL_REVISION@ -LT_XSSL_AGE = @LT_XSSL_AGE@ -LT_XSSL_CURRENT = @LT_XSSL_CURRENT@ -LT_XSSL_REVISION = @LT_XSSL_REVISION@ MAJOR_VERSION = @MAJOR_VERSION@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ @@ -1008,10 +1024,12 @@ REPLACE_PTSNAME = @REPLACE_PTSNAME@ REPLACE_PTSNAME_R = @REPLACE_PTSNAME_R@ REPLACE_PUTENV = @REPLACE_PUTENV@ REPLACE_PWRITE = @REPLACE_PWRITE@ +REPLACE_QSORT_R = @REPLACE_QSORT_R@ REPLACE_RAISE = @REPLACE_RAISE@ REPLACE_RANDOM_R = @REPLACE_RANDOM_R@ REPLACE_READ = @REPLACE_READ@ REPLACE_READLINK = @REPLACE_READLINK@ +REPLACE_READLINKAT = @REPLACE_READLINKAT@ REPLACE_REALLOC = @REPLACE_REALLOC@ REPLACE_REALPATH = @REPLACE_REALPATH@ REPLACE_REMOVE = @REPLACE_REMOVE@ @@ -1043,6 +1061,7 @@ REPLACE_STRTOK_R = @REPLACE_STRTOK_R@ REPLACE_STRTOUMAX = @REPLACE_STRTOUMAX@ REPLACE_STRUCT_TIMEVAL = @REPLACE_STRUCT_TIMEVAL@ REPLACE_SYMLINK = @REPLACE_SYMLINK@ +REPLACE_SYMLINKAT = @REPLACE_SYMLINKAT@ REPLACE_TIMEGM = @REPLACE_TIMEGM@ REPLACE_TMPFILE = @REPLACE_TMPFILE@ REPLACE_TTYNAME_R = @REPLACE_TTYNAME_R@ 
@@ -1075,9 +1094,11 @@ STDALIGN_H = @STDALIGN_H@ STDBOOL_H = @STDBOOL_H@ STDDEF_H = @STDDEF_H@ STDINT_H = @STDINT_H@ +STDNORETURN_H = @STDNORETURN_H@ STRIP = @STRIP@ SYS_TIME_H_DEFINES_STRUCT_TIMESPEC = @SYS_TIME_H_DEFINES_STRUCT_TIMESPEC@ TIME_H_DEFINES_STRUCT_TIMESPEC = @TIME_H_DEFINES_STRUCT_TIMESPEC@ +TROUSERS_LIB = @TROUSERS_LIB@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ UINT32_MAX_LT_UINTMAX_MAX = @UINT32_MAX_LT_UINTMAX_MAX@ @@ -1161,6 +1182,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -1187,7 +1209,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/credentials/x509/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu doc/credentials/x509/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -1362,6 +1383,8 @@ uninstall-am: mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags-am uninstall uninstall-am +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/doc/crypto-api.texi b/doc/crypto-api.texi index 0844b58..6e28279 100644 --- a/doc/crypto-api.texi +++ b/doc/crypto-api.texi @@ -432,7 +432,9 @@ Returns the size of the nonce used by the MAC in TLS. This function will generate random data and store it to output buffer. -@strong{Returns:} Zero or a negative error code on error. +This function is thread-safe and also fork-safe. + +@strong{Returns:} Zero on success, or a negative error code on error. @strong{Since:} 2.12.0 @end deftypefun diff --git a/doc/cyclo/Makefile.in b/doc/cyclo/Makefile.in index 1043849..41bfd3d 100644 --- a/doc/cyclo/Makefile.in +++ b/doc/cyclo/Makefile.in 
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -34,7 +34,17 @@ # along with this file; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -98,7 +108,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = doc/cyclo -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/bison.m4 \ @@ -132,6 +141,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/tm_gmtoff.m4 \ $(top_srcdir)/src/gl/m4/xalloc.m4 \ $(top_srcdir)/src/libopts/m4/libopts.m4 \ + $(top_srcdir)/src/libopts/m4/stdnoreturn.m4 \ $(top_srcdir)/gl/m4/00gnulib.m4 \ $(top_srcdir)/gl/m4/absolute-header.m4 \ $(top_srcdir)/gl/m4/alloca.m4 $(top_srcdir)/gl/m4/base64.m4 \ @@ -208,6 +218,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/m4/xsize.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -232,6 +243,7 @@ am__can_run_installinfo = \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ @@ -283,6 +295,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@ EMULTIHOP_VALUE = @EMULTIHOP_VALUE@ +ENABLE_PADLOCK = @ENABLE_PADLOCK@ ENOLINK_HIDDEN = @ENOLINK_HIDDEN@ ENOLINK_VALUE = @ENOLINK_VALUE@ EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@ @@ -442,6 +455,7 @@ GNULIB_PUTCHAR = @GNULIB_PUTCHAR@ GNULIB_PUTENV = @GNULIB_PUTENV@ GNULIB_PUTS = @GNULIB_PUTS@ GNULIB_PWRITE = @GNULIB_PWRITE@ +GNULIB_QSORT_R = @GNULIB_QSORT_R@ GNULIB_RAISE = @GNULIB_RAISE@ GNULIB_RANDOM = @GNULIB_RANDOM@ GNULIB_RANDOM_R = @GNULIB_RANDOM_R@ @@ -653,6 +667,7 @@ HAVE_LCHMOD = @HAVE_LCHMOD@ HAVE_LCHOWN = @HAVE_LCHOWN@ HAVE_LIBDL = @HAVE_LIBDL@ HAVE_LIBICONV = @HAVE_LIBICONV@ +HAVE_LIBNSL = @HAVE_LIBNSL@ HAVE_LIBPTHREAD = @HAVE_LIBPTHREAD@ HAVE_LIBRT = @HAVE_LIBRT@ HAVE_LIBZ = @HAVE_LIBZ@ @@ -660,6 +675,7 @@ HAVE_LINK = @HAVE_LINK@ HAVE_LINKAT = @HAVE_LINKAT@ HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@ HAVE_LSTAT = @HAVE_LSTAT@ +HAVE_MAX_ALIGN_T = @HAVE_MAX_ALIGN_T@ HAVE_MBRLEN = @HAVE_MBRLEN@ HAVE_MBRTOWC = @HAVE_MBRTOWC@ HAVE_MBSINIT = @HAVE_MBSINIT@ @@ -825,6 +841,8 @@ LIBICONV_PREFIX = @LIBICONV_PREFIX@ LIBIDN_CFLAGS = @LIBIDN_CFLAGS@ LIBIDN_LIBS = @LIBIDN_LIBS@ LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBNSL_PREFIX = @LIBNSL_PREFIX@ LIBOBJS = @LIBOBJS@ LIBOPTS_CFLAGS = @LIBOPTS_CFLAGS@ LIBOPTS_DIR = @LIBOPTS_DIR@ @@ -849,6 +867,7 @@ LTALLOCA = @LTALLOCA@ LTLIBDL = @LTLIBDL@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ +LTLIBNSL = @LTLIBNSL@ LTLIBOBJS = @LTLIBOBJS@ LTLIBPTHREAD = @LTLIBPTHREAD@ LTLIBRT = @LTLIBRT@ 
@@ -862,9 +881,6 @@ LT_REVISION = @LT_REVISION@ LT_SSL_AGE = @LT_SSL_AGE@ LT_SSL_CURRENT = @LT_SSL_CURRENT@ LT_SSL_REVISION = @LT_SSL_REVISION@ -LT_XSSL_AGE = @LT_XSSL_AGE@ -LT_XSSL_CURRENT = @LT_XSSL_CURRENT@ -LT_XSSL_REVISION = @LT_XSSL_REVISION@ MAJOR_VERSION = @MAJOR_VERSION@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ @@ -1028,10 +1044,12 @@ REPLACE_PTSNAME = @REPLACE_PTSNAME@ REPLACE_PTSNAME_R = @REPLACE_PTSNAME_R@ REPLACE_PUTENV = @REPLACE_PUTENV@ REPLACE_PWRITE = @REPLACE_PWRITE@ +REPLACE_QSORT_R = @REPLACE_QSORT_R@ REPLACE_RAISE = @REPLACE_RAISE@ REPLACE_RANDOM_R = @REPLACE_RANDOM_R@ REPLACE_READ = @REPLACE_READ@ REPLACE_READLINK = @REPLACE_READLINK@ +REPLACE_READLINKAT = @REPLACE_READLINKAT@ REPLACE_REALLOC = @REPLACE_REALLOC@ REPLACE_REALPATH = @REPLACE_REALPATH@ REPLACE_REMOVE = @REPLACE_REMOVE@ @@ -1063,6 +1081,7 @@ REPLACE_STRTOK_R = @REPLACE_STRTOK_R@ REPLACE_STRTOUMAX = @REPLACE_STRTOUMAX@ REPLACE_STRUCT_TIMEVAL = @REPLACE_STRUCT_TIMEVAL@ REPLACE_SYMLINK = @REPLACE_SYMLINK@ +REPLACE_SYMLINKAT = @REPLACE_SYMLINKAT@ REPLACE_TIMEGM = @REPLACE_TIMEGM@ REPLACE_TMPFILE = @REPLACE_TMPFILE@ REPLACE_TTYNAME_R = @REPLACE_TTYNAME_R@ @@ -1095,9 +1114,11 @@ STDALIGN_H = @STDALIGN_H@ STDBOOL_H = @STDBOOL_H@ STDDEF_H = @STDDEF_H@ STDINT_H = @STDINT_H@ +STDNORETURN_H = @STDNORETURN_H@ STRIP = @STRIP@ SYS_TIME_H_DEFINES_STRUCT_TIMESPEC = @SYS_TIME_H_DEFINES_STRUCT_TIMESPEC@ TIME_H_DEFINES_STRUCT_TIMESPEC = @TIME_H_DEFINES_STRUCT_TIMESPEC@ +TROUSERS_LIB = @TROUSERS_LIB@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ UINT32_MAX_LT_UINTMAX_MAX = @UINT32_MAX_LT_UINTMAX_MAX@ @@ -1181,6 +1202,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -1206,7 +1228,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/cyclo/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu doc/cyclo/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -1381,6 +1402,8 @@ uninstall-am: mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags-am uninstall uninstall-am +.PRECIOUS: Makefile + cyclo-gnutls.html: (cd ${top_srcdir}/lib && \ diff --git a/doc/dane-api.texi b/doc/dane-api.texi index 4fd36aa..d33ae33 100644 --- a/doc/dane-api.texi +++ b/doc/dane-api.texi 
@@ -103,6 +103,36 @@ data for the given host. negative error value. @end deftypefun +@subheading dane_query_to_raw_tlsa +@anchor{dane_query_to_raw_tlsa} +@deftypefun {int} {dane_query_to_raw_tlsa} (dane_query_t @var{q}, unsigned int * @var{data_entries}, char *** @var{dane_data}, int ** @var{dane_data_len}, int * @var{secure}, int * @var{bogus}) +@var{q}: The query result structure + +@var{data_entries}: Pointer set to the number of entries in the query + +@var{dane_data}: Pointer to contain an array of DNS rdata items, terminated with a NULL pointer; +caller must guarantee that the referenced data remains +valid until @code{dane_query_deinit()} is called. + +@var{dane_data_len}: Pointer to contain the length n bytes of the dane_data items + +@var{secure}: Pointer set true if the result is validated securely, false if +validation failed or the domain queried has no security info + +@var{bogus}: Pointer set true if the result was not secure due to a security failure + +This function will provide the DANE data from the query +response. + +The pointers dane_data and dane_data_len are allocated with @code{gnutls_malloc()} +to contain the data from the query result structure (individual + @code{dane_data} items simply point to the original data and are not allocated separately). +The returned @code{dane_data} are only valid during the lifetime of @code{q} . + +@strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun + @subheading dane_raw_tlsa @anchor{dane_raw_tlsa} @deftypefun {int} {dane_raw_tlsa} (dane_state_t @var{s}, dane_query_t * @var{r}, char *const * @var{dane_data}, const int * @var{dane_data_len}, int @var{secure}, int @var{bogus}) 
@@ -123,7 +153,8 @@ validation failed or the domain queried has no security info and the result is due to a security failure, bogus is true. This function will fill in the TLSA (DANE) structure from -the given raw DNS record data. +the given raw DNS record data. The @code{dane_data} must be valid +during the lifetime of the query. @strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a negative error value. @@ -222,19 +253,22 @@ If no information via DANE can be obtained the flag @code{DANE_VERIFY_NO_DANE_IN is set. If a DNSSEC signature is not available for the DANE record then the verify flag @code{DANE_VERIFY_NO_DNSSEC_DATA} is set. -Note that the CA constraint only applies for the directly certifying CA -and does not account for long CA chains. Moreover this function does not -validate the provided chain. - Due to the many possible options of DANE, there is no single threat model countered. When notifying the user about DANE verification results it may be better to mention: DANE verification did not reject the certificate, rather than mentioning a successful DANE verication. -If the @code{q} parameter is provided it will be used for caching entries. - -@strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a -negative error value. +Note that this function is designed to be run in addition to +PKIX - certificate chain - verification. To be run independently +the @code{DANE_VFLAG_ONLY_CHECK_EE_USAGE} flag should be specified; +then the function will check whether the key of the peer matches the +key advertized in the DANE entry. + +@strong{Returns:} a negative error code on error and @code{DANE_E_SUCCESS} (0) +when the DANE entries were successfully parsed, irrespective of +whether they were verified (see @code{verify} for that information). If +no usable entries were encountered @code{DANE_E_REQUESTED_DATA_NOT_AVAILABLE} +will be returned. @end deftypefun @subheading dane_verify_crt_raw 
@@ -262,18 +296,24 @@ If no information via DANE can be obtained the flag @code{DANE_VERIFY_NO_DANE_IN is set. If a DNSSEC signature is not available for the DANE record then the verify flag @code{DANE_VERIFY_NO_DNSSEC_DATA} is set. -Note that the CA constraint only applies for the directly certifying CA -and does not account for long CA chains. - Due to the many possible options of DANE, there is no single threat model countered. When notifying the user about DANE verification results it may be better to mention: DANE verification did not reject the certificate, rather than mentioning a successful DANE verication. +Note that this function is designed to be run in addition to +PKIX - certificate chain - verification. To be run independently +the @code{DANE_VFLAG_ONLY_CHECK_EE_USAGE} flag should be specified; +then the function will check whether the key of the peer matches the +key advertized in the DANE entry. + If the @code{q} parameter is provided it will be used for caching entries. -@strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a -negative error value. +@strong{Returns:} a negative error code on error and @code{DANE_E_SUCCESS} (0) +when the DANE entries were successfully parsed, irrespective of +whether they were verified (see @code{verify} for that information). If +no usable entries were encountered @code{DANE_E_REQUESTED_DATA_NOT_AVAILABLE} +will be returned. @end deftypefun @subheading dane_verify_session_crt 
@@ -300,10 +340,13 @@ CA constrains and/or the certificate available via DANE. See @code{dane_verify_crt()} for more information. This will not verify the chain for validity; unless the DANE -verification is restricted to end certificates, this has to +verification is restricted to end certificates, this must be be performed separately using @code{gnutls_certificate_verify_peers3()} . -@strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a -negative error value. +@strong{Returns:} a negative error code on error and @code{DANE_E_SUCCESS} (0) +when the DANE entries were successfully parsed, irrespective of +whether they were verified (see @code{verify} for that information). If +no usable entries were encountered @code{DANE_E_REQUESTED_DATA_NOT_AVAILABLE} +will be returned. @end deftypefun diff --git a/doc/dtls-api.texi b/doc/dtls-api.texi index ae54212..832cf3a 100644 --- a/doc/dtls-api.texi +++ b/doc/dtls-api.texi @@ -176,9 +176,6 @@ handshake will be aborted with @code{GNUTLS_E_TIMEDOUT} . The DTLS protocol recommends the values of 1 sec and 60 seconds respectively. -If the retransmission timeout is zero then the handshake will operate -in a non-blocking way, i.e., return @code{GNUTLS_E_AGAIN} . - To disable retransmissions set a @code{retrans_timeout} larger than the @code{total_timeout} . @strong{Since:} 3.0 diff --git a/doc/enums.texi b/doc/enums.texi index c32e8c6..9e49a29 100644 --- a/doc/enums.texi +++ b/doc/enums.texi @@ -33,9 +33,9 @@ AES in GCM mode with 256-bit keys. @item GNUTLS_@-CIPHER_@-CAMELLIA_@-192_@-CBC Camellia in CBC mode with 192-bit keys. @item GNUTLS_@-CIPHER_@-SALSA20_@-256 --- undescribed -- +Salsa20 with 256-bit keys. @item GNUTLS_@-CIPHER_@-ESTREAM_@-SALSA20_@-256 --- undescribed -- +Estream's Salsa20 variant with 256-bit keys. @item GNUTLS_@-CIPHER_@-CAMELLIA_@-128_@-GCM CAMELLIA in GCM mode with 128-bit keys. @item GNUTLS_@-CIPHER_@-CAMELLIA_@-256_@-GCM 
@@ -257,7 +257,8 @@ recognized. The SRP/PSK username is missing or not known. @item GNUTLS_@-A_@-NO_@-APPLICATION_@-PROTOCOL --- undescribed -- +The ALPN protocol requested is +not supported by the peer. @end table @c gnutls_handshake_description_t @@ -478,9 +479,9 @@ Digital signature algorithm ECDSA with SHA-384. @item GNUTLS_@-SIGN_@-ECDSA_@-SHA512 Digital signature algorithm ECDSA with SHA-512. @item GNUTLS_@-SIGN_@-DSA_@-SHA384 --- undescribed -- +Digital signature algorithm DSA with SHA-384 @item GNUTLS_@-SIGN_@-DSA_@-SHA512 --- undescribed -- +Digital signature algorithm DSA with SHA-512 @end table @c gnutls_ecc_curve_t @@ -738,22 +739,24 @@ applies the SUITEB192 rules @table @code @item GNUTLS_@-PKCS_@-PLAIN Unencrypted private key. -@item GNUTLS_@-PKCS_@-USE_@-PKCS12_@-3DES +@item GNUTLS_@-PKCS_@-PKCS12_@-3DES PKCS-12 3DES. -@item GNUTLS_@-PKCS_@-USE_@-PKCS12_@-ARCFOUR +@item GNUTLS_@-PKCS_@-PKCS12_@-ARCFOUR PKCS-12 ARCFOUR. -@item GNUTLS_@-PKCS_@-USE_@-PKCS12_@-RC2_@-40 +@item GNUTLS_@-PKCS_@-PKCS12_@-RC2_@-40 PKCS-12 RC2-40. -@item GNUTLS_@-PKCS_@-USE_@-PBES2_@-3DES +@item GNUTLS_@-PKCS_@-PBES2_@-3DES PBES2 3DES. -@item GNUTLS_@-PKCS_@-USE_@-PBES2_@-AES_@-128 +@item GNUTLS_@-PKCS_@-PBES2_@-AES_@-128 PBES2 AES-128. -@item GNUTLS_@-PKCS_@-USE_@-PBES2_@-AES_@-192 +@item GNUTLS_@-PKCS_@-PBES2_@-AES_@-192 PBES2 AES-192. -@item GNUTLS_@-PKCS_@-USE_@-PBES2_@-AES_@-256 +@item GNUTLS_@-PKCS_@-PBES2_@-AES_@-256 PBES2 AES-256. @item GNUTLS_@-PKCS_@-NULL_@-PASSWORD Some schemas distinguish between an empty and a NULL password. +@item GNUTLS_@-PKCS_@-PBES2_@-DES +PBES2 single DES. @end table @c gnutls_openpgp_crt_fmt_t 
@@ -818,6 +821,43 @@ on error. @end deftypefun +@c gnutls_pkcs11_obj_flags +@table @code +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-LOGIN +Force login in the token for the operation. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-TRUSTED +object marked as trusted. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-SENSITIVE +object marked as sensitive (unexportable). +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-LOGIN_@-SO +force login as a security officer in the token for the operation. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-PRIVATE +marked as private (requires PIN to access). +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-NOT_@-PRIVATE +marked as not private. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-RETRIEVE_@-ANY +When retrieving an object, do not set any requirements. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-RETRIEVE_@-TRUSTED +When retrieving an object, only retrieve the marked as trusted. +In @code{gnutls_pkcs11_crt_is_known()} it implies @code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_COMPARE} if @code{GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY} is not given. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-RETRIEVE_@-DISTRUSTED +When retrieving an object, only retrieve the marked as distrusted. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-COMPARE +When checking an object's presence, fully compare it before returning any result. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-PRESENT_@-IN_@-TRUSTED_@-MODULE +The object must be present in a marked as trusted module. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-CA +Mark the object as a CA. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-KEY_@-WRAP +Mark the generated key pair as wrapping and unwrapping keys. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-COMPARE_@-KEY +When checking an object's presence, compare the key before returning any result. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-OVERWRITE_@-TRUSTMOD_@-EXT +When an issuer is requested, override its extensions with the ones present in the trust module. 
+@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-NO_@-STORE_@-PUBKEY +When generating a keypair don't store the public key (store). +@end table + @c gnutls_pkcs11_url_type_t @table @code @item GNUTLS_@-PKCS11_@-URL_@-GENERIC @@ -855,19 +895,21 @@ The library's used to access the object manufacturer name. @c gnutls_pkcs11_obj_attr_t @table @code @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-CRT_@-ALL -Specify all certificates. +Specify all certificates in the specified token. @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-CRT_@-TRUSTED -Specify all certificates marked as trusted. +Specify all certificates marked as trusted in the specified token. @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-CRT_@-WITH_@-PRIVKEY -Specify all certificates with a corresponding private key. +Specify all certificates with a corresponding private key in the specified token. @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-PUBKEY -Specify all public keys. +Specify all public keys in the specified token. @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-PRIVKEY -Specify all private keys. +Specify all private keys in the specified token. @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-ALL -Specify all objects. +Specify all objects in the specified token. @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-CRT_@-TRUSTED_@-CA -Specify all certificates marked as trusted and are CAs. +Specify all certificates marked as trusted and are CAs in the specified token. +@item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-MATCH +Only the objects that match the URL. @end table @c gnutls_pkcs11_token_info_t @@ -896,6 +938,8 @@ Private key. Secret key. @item GNUTLS_@-PKCS11_@-OBJ_@-DATA Data object. +@item GNUTLS_@-PKCS11_@-OBJ_@-X509_@-CRT_@-EXTENSION +X.509 certificate extension (supported by p11-kit trust module only). @end table @c gnutls_pubkey_flags_t diff --git a/doc/enums/gnutls_alert_description_t b/doc/enums/gnutls_alert_description_t index 8cbed46..9250684 100644 --- a/doc/enums/gnutls_alert_description_t +++ b/doc/enums/gnutls_alert_description_t 
@@ -63,5 +63,6 @@ recognized. The SRP/PSK username is missing or not known. @item GNUTLS_@-A_@-NO_@-APPLICATION_@-PROTOCOL --- undescribed -- +The ALPN protocol requested is +not supported by the peer. @end table diff --git a/doc/enums/gnutls_cipher_algorithm_t b/doc/enums/gnutls_cipher_algorithm_t index 355217a..b0e1ad0 100644 --- a/doc/enums/gnutls_cipher_algorithm_t +++ b/doc/enums/gnutls_cipher_algorithm_t @@ -33,9 +33,9 @@ AES in GCM mode with 256-bit keys. @item GNUTLS_@-CIPHER_@-CAMELLIA_@-192_@-CBC Camellia in CBC mode with 192-bit keys. @item GNUTLS_@-CIPHER_@-SALSA20_@-256 --- undescribed -- +Salsa20 with 256-bit keys. @item GNUTLS_@-CIPHER_@-ESTREAM_@-SALSA20_@-256 --- undescribed -- +Estream's Salsa20 variant with 256-bit keys. @item GNUTLS_@-CIPHER_@-CAMELLIA_@-128_@-GCM CAMELLIA in GCM mode with 128-bit keys. @item GNUTLS_@-CIPHER_@-CAMELLIA_@-256_@-GCM diff --git a/doc/enums/gnutls_pkcs11_obj_attr_t b/doc/enums/gnutls_pkcs11_obj_attr_t index 2ab77a6..fcfa9ab 100644 --- a/doc/enums/gnutls_pkcs11_obj_attr_t +++ b/doc/enums/gnutls_pkcs11_obj_attr_t 
@@ -3,17 +3,19 @@ @c gnutls_pkcs11_obj_attr_t @table @code @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-CRT_@-ALL -Specify all certificates. +Specify all certificates in the specified token. @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-CRT_@-TRUSTED -Specify all certificates marked as trusted. +Specify all certificates marked as trusted in the specified token. @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-CRT_@-WITH_@-PRIVKEY -Specify all certificates with a corresponding private key. +Specify all certificates with a corresponding private key in the specified token. @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-PUBKEY -Specify all public keys. +Specify all public keys in the specified token. @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-PRIVKEY -Specify all private keys. +Specify all private keys in the specified token. @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-ALL -Specify all objects. +Specify all objects in the specified token. @item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-CRT_@-TRUSTED_@-CA -Specify all certificates marked as trusted and are CAs. +Specify all certificates marked as trusted and are CAs in the specified token. +@item GNUTLS_@-PKCS11_@-OBJ_@-ATTR_@-MATCH +Only the objects that match the URL. @end table diff --git a/doc/enums/gnutls_pkcs11_obj_flags b/doc/enums/gnutls_pkcs11_obj_flags new file mode 100644 index 0000000..942b395 --- /dev/null +++ b/doc/enums/gnutls_pkcs11_obj_flags 
@@ -0,0 +1,56 @@ + +@subheading int +@anchor{int} +@deftypefun {typedef} {int} (* @var{gnutls_pkcs11_token_callback_t}) +@var{gnutls_pkcs11_token_callback_t}: -- undescribed -- + +Token callback function. The callback will be used to ask the user +to re-insert the token with given (null terminated) label. The +callback should return zero if token has been inserted by user and +a negative error code otherwise. It might be called multiple times +if the token is not detected and the retry counter will be +increased. + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code +on error. + +@strong{Since:} 2.12.0 +@end deftypefun + + +@c gnutls_pkcs11_obj_flags +@table @code +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-LOGIN +Force login in the token for the operation. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-TRUSTED +object marked as trusted. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-SENSITIVE +object marked as sensitive (unexportable). +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-LOGIN_@-SO +force login as a security officer in the token for the operation. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-PRIVATE +marked as private (requires PIN to access). +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-NOT_@-PRIVATE +marked as not private. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-RETRIEVE_@-ANY +When retrieving an object, do not set any requirements. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-RETRIEVE_@-TRUSTED +When retrieving an object, only retrieve the marked as trusted. +In @code{gnutls_pkcs11_crt_is_known()} it implies @code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_COMPARE} if @code{GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY} is not given. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-RETRIEVE_@-DISTRUSTED +When retrieving an object, only retrieve the marked as distrusted. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-COMPARE +When checking an object's presence, fully compare it before returning any result. 
+@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-PRESENT_@-IN_@-TRUSTED_@-MODULE +The object must be present in a marked as trusted module. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-CA +Mark the object as a CA. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-MARK_@-KEY_@-WRAP +Mark the generated key pair as wrapping and unwrapping keys. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-COMPARE_@-KEY +When checking an object's presence, compare the key before returning any result. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-OVERWRITE_@-TRUSTMOD_@-EXT +When an issuer is requested, override its extensions with the ones present in the trust module. +@item GNUTLS_@-PKCS11_@-OBJ_@-FLAG_@-NO_@-STORE_@-PUBKEY +When generating a keypair don't store the public key (store). +@end table diff --git a/doc/enums/gnutls_pkcs11_obj_type_t b/doc/enums/gnutls_pkcs11_obj_type_t index 5c24fd3..ecd6267 100644 --- a/doc/enums/gnutls_pkcs11_obj_type_t +++ b/doc/enums/gnutls_pkcs11_obj_type_t @@ -14,4 +14,6 @@ Private key. Secret key. @item GNUTLS_@-PKCS11_@-OBJ_@-DATA Data object. +@item GNUTLS_@-PKCS11_@-OBJ_@-X509_@-CRT_@-EXTENSION +X.509 certificate extension (supported by p11-kit trust module only). @end table diff --git a/doc/enums/gnutls_pkcs11_url_type_t b/doc/enums/gnutls_pkcs11_url_type_t index 6609822..896e3cc 100644 --- a/doc/enums/gnutls_pkcs11_url_type_t +++ b/doc/enums/gnutls_pkcs11_url_type_t 
@@ -1,22 +1,4 @@ -@subheading int -@anchor{int} -@deftypefun {typedef} {int} (* @var{gnutls_pkcs11_token_callback_t}) -@var{gnutls_pkcs11_token_callback_t}: -- undescribed -- - -Token callback function. The callback will be used to ask the user -to re-insert the token with given (null terminated) label. The -callback should return zero if token has been inserted by user and -a negative error code otherwise. It might be called multiple times -if the token is not detected and the retry counter will be -increased. - -@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code -on error. - -@strong{Since:} 2.12.0 -@end deftypefun - @c gnutls_pkcs11_url_type_t @table @code diff --git a/doc/enums/gnutls_pkcs_encrypt_flags_t b/doc/enums/gnutls_pkcs_encrypt_flags_t index 3ca9be2..9bc1780 100644 --- a/doc/enums/gnutls_pkcs_encrypt_flags_t +++ b/doc/enums/gnutls_pkcs_encrypt_flags_t @@ -4,20 +4,22 @@ @table @code @item GNUTLS_@-PKCS_@-PLAIN Unencrypted private key. -@item GNUTLS_@-PKCS_@-USE_@-PKCS12_@-3DES +@item GNUTLS_@-PKCS_@-PKCS12_@-3DES PKCS-12 3DES. -@item GNUTLS_@-PKCS_@-USE_@-PKCS12_@-ARCFOUR +@item GNUTLS_@-PKCS_@-PKCS12_@-ARCFOUR PKCS-12 ARCFOUR. -@item GNUTLS_@-PKCS_@-USE_@-PKCS12_@-RC2_@-40 +@item GNUTLS_@-PKCS_@-PKCS12_@-RC2_@-40 PKCS-12 RC2-40. -@item GNUTLS_@-PKCS_@-USE_@-PBES2_@-3DES +@item GNUTLS_@-PKCS_@-PBES2_@-3DES PBES2 3DES. -@item GNUTLS_@-PKCS_@-USE_@-PBES2_@-AES_@-128 +@item GNUTLS_@-PKCS_@-PBES2_@-AES_@-128 PBES2 AES-128. -@item GNUTLS_@-PKCS_@-USE_@-PBES2_@-AES_@-192 +@item GNUTLS_@-PKCS_@-PBES2_@-AES_@-192 PBES2 AES-192. -@item GNUTLS_@-PKCS_@-USE_@-PBES2_@-AES_@-256 +@item GNUTLS_@-PKCS_@-PBES2_@-AES_@-256 PBES2 AES-256. @item GNUTLS_@-PKCS_@-NULL_@-PASSWORD Some schemas distinguish between an empty and a NULL password. +@item GNUTLS_@-PKCS_@-PBES2_@-DES +PBES2 single DES. @end table diff --git a/doc/enums/gnutls_sign_algorithm_t b/doc/enums/gnutls_sign_algorithm_t index 647ff80..e782f7f 100644 
--- a/doc/enums/gnutls_sign_algorithm_t +++ b/doc/enums/gnutls_sign_algorithm_t @@ -41,7 +41,7 @@ Digital signature algorithm ECDSA with SHA-384. @item GNUTLS_@-SIGN_@-ECDSA_@-SHA512 Digital signature algorithm ECDSA with SHA-512. @item GNUTLS_@-SIGN_@-DSA_@-SHA384 --- undescribed -- +Digital signature algorithm DSA with SHA-384 @item GNUTLS_@-SIGN_@-DSA_@-SHA512 --- undescribed -- +Digital signature algorithm DSA with SHA-512 @end table diff --git a/doc/error_codes.texi b/doc/error_codes.texi index c0c8f06..c99bd83 100644 --- a/doc/error_codes.texi +++ b/doc/error_codes.texi @@ -3,7 +3,7 @@ @item -3 @tab GNUTLS_@-E_@-UNKNOWN_@-COMPRESSION_@-ALGORITHM @tab Could not negotiate a supported compression method. @item -6 @tab GNUTLS_@-E_@-UNKNOWN_@-CIPHER_@-TYPE @tab The cipher type is unsupported. @item -7 @tab GNUTLS_@-E_@-LARGE_@-PACKET @tab The transmitted packet is too large (EMSGSIZE). -@item -8 @tab GNUTLS_@-E_@-UNSUPPORTED_@-VERSION_@-PACKET @tab A record packet with illegal version was received. +@item -8 @tab GNUTLS_@-E_@-UNSUPPORTED_@-VERSION_@-PACKET @tab A packet with illegal or unsupported version was received. @item -9 @tab GNUTLS_@-E_@-UNEXPECTED_@-PACKET_@-LENGTH @tab A TLS packet with unexpected length was received. @item -10 @tab GNUTLS_@-E_@-INVALID_@-SESSION @tab The specified session has been invalidated for some reason. @item -12 @tab GNUTLS_@-E_@-FATAL_@-ALERT_@-RECEIVED @tab A TLS fatal alert has been received. 
@@ -83,8 +83,6 @@ @item -99 @tab GNUTLS_@-E_@-INVALID_@-PASSWORD @tab The given password contains invalid characters. @item -100 @tab GNUTLS_@-E_@-MAC_@-VERIFY_@-FAILED @tab The Message Authentication Code verification failed. @item -101 @tab GNUTLS_@-E_@-CONSTRAINT_@-ERROR @tab Some constraint limits were reached. -@item -102 @tab GNUTLS_@-E_@-WARNING_@-IA_@-IPHF_@-RECEIVED @tab Received a TLS/IA Intermediate Phase Finished message -@item -103 @tab GNUTLS_@-E_@-WARNING_@-IA_@-FPHF_@-RECEIVED @tab Received a TLS/IA Final Phase Finished message @item -104 @tab GNUTLS_@-E_@-IA_@-VERIFY_@-FAILED @tab Verifying TLS/IA phase checksum failed @item -105 @tab GNUTLS_@-E_@-UNKNOWN_@-ALGORITHM @tab The specified algorithm or protocol is unknown. @item -106 @tab GNUTLS_@-E_@-UNSUPPORTED_@-SIGNATURE_@-ALGORITHM @tab The signature algorithm is not supported. @@ -144,6 +142,7 @@ @item -332 @tab GNUTLS_@-E_@-TPM_@-SESSION_@-ERROR @tab Cannot initialize a session with the TPM. @item -333 @tab GNUTLS_@-E_@-TPM_@-KEY_@-NOT_@-FOUND @tab TPM key was not found in persistent storage. @item -334 @tab GNUTLS_@-E_@-TPM_@-UNINITIALIZED @tab TPM is not initialized. +@item -335 @tab GNUTLS_@-E_@-TPM_@-NO_@-LIB @tab The TPM library (trousers) cannot be found. @item -340 @tab GNUTLS_@-E_@-NO_@-CERTIFICATE_@-STATUS @tab There is no certificate status (OCSP). @item -341 @tab GNUTLS_@-E_@-OCSP_@-RESPONSE_@-ERROR @tab The OCSP response is invalid @item -342 @tab GNUTLS_@-E_@-RANDOM_@-DEVICE_@-ERROR @tab Error in the system's randomness device. diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am index 0915f9b..69f1db9 100644 --- a/doc/examples/Makefile.am +++ b/doc/examples/Makefile.am 
@@ -24,9 +24,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/lib/includes -I$(top_builddir)/lib/includes \ -I$(top_srcdir)/extra/includes \ -I$(top_srcdir)/src/gl \ - -I$(top_builddir)/src/gl \ - -I$(top_srcdir)/gl \ - -I$(top_builddir)/gl + -I$(top_builddir)/src/gl # Gnulib warns and suggests use of fseeko instead of fseek, which is # used in ex-cert-select.c, but certificate files will not be > 4 GB, diff --git a/doc/examples/Makefile.in b/doc/examples/Makefile.in index 7385449..5fcbbf7 100644 --- a/doc/examples/Makefile.in +++ b/doc/examples/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -36,7 +36,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -114,8 +124,6 @@ noinst_PROGRAMS = ex-client-resume$(EXEEXT) ex-client-dtls$(EXEEXT) \ @ENABLE_SRP_TRUE@am__append_7 = ex-client-srp ex-serv-srp @ENABLE_OCSP_TRUE@am__append_8 = ex-ocsp-client subdir = doc/examples -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/bison.m4 \ 
@@ -149,6 +157,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/src/gl/m4/tm_gmtoff.m4 \ $(top_srcdir)/src/gl/m4/xalloc.m4 \ $(top_srcdir)/src/libopts/m4/libopts.m4 \ + $(top_srcdir)/src/libopts/m4/stdnoreturn.m4 \ $(top_srcdir)/gl/m4/00gnulib.m4 \ $(top_srcdir)/gl/m4/absolute-header.m4 \ $(top_srcdir)/gl/m4/alloca.m4 $(top_srcdir)/gl/m4/base64.m4 \ @@ -225,6 +234,7 @@ am__aclocal_m4_deps = $(top_srcdir)/src/gl/m4/arpa_inet_h.m4 \ $(top_srcdir)/m4/xsize.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -461,6 +471,8 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ @@ -512,6 +524,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EMULTIHOP_HIDDEN = @EMULTIHOP_HIDDEN@ EMULTIHOP_VALUE = @EMULTIHOP_VALUE@ +ENABLE_PADLOCK = @ENABLE_PADLOCK@ ENOLINK_HIDDEN = @ENOLINK_HIDDEN@ ENOLINK_VALUE = @ENOLINK_VALUE@ EOVERFLOW_HIDDEN = @EOVERFLOW_HIDDEN@ @@ -671,6 +684,7 @@ GNULIB_PUTCHAR = @GNULIB_PUTCHAR@ GNULIB_PUTENV = @GNULIB_PUTENV@ GNULIB_PUTS = @GNULIB_PUTS@ GNULIB_PWRITE = @GNULIB_PWRITE@ +GNULIB_QSORT_R = @GNULIB_QSORT_R@ GNULIB_RAISE = @GNULIB_RAISE@ GNULIB_RANDOM = @GNULIB_RANDOM@ GNULIB_RANDOM_R = @GNULIB_RANDOM_R@ @@ -882,6 +896,7 @@ HAVE_LCHMOD = @HAVE_LCHMOD@ HAVE_LCHOWN = @HAVE_LCHOWN@ HAVE_LIBDL = @HAVE_LIBDL@ HAVE_LIBICONV = @HAVE_LIBICONV@ +HAVE_LIBNSL = @HAVE_LIBNSL@ HAVE_LIBPTHREAD = @HAVE_LIBPTHREAD@ HAVE_LIBRT = @HAVE_LIBRT@ HAVE_LIBZ = @HAVE_LIBZ@ 
@@ -889,6 +904,7 @@ HAVE_LINK = @HAVE_LINK@ HAVE_LINKAT = @HAVE_LINKAT@ HAVE_LONG_LONG_INT = @HAVE_LONG_LONG_INT@ HAVE_LSTAT = @HAVE_LSTAT@ +HAVE_MAX_ALIGN_T = @HAVE_MAX_ALIGN_T@ HAVE_MBRLEN = @HAVE_MBRLEN@ HAVE_MBRTOWC = @HAVE_MBRTOWC@ HAVE_MBSINIT = @HAVE_MBSINIT@ @@ -1054,6 +1070,8 @@ LIBICONV_PREFIX = @LIBICONV_PREFIX@ LIBIDN_CFLAGS = @LIBIDN_CFLAGS@ LIBIDN_LIBS = @LIBIDN_LIBS@ LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBNSL_PREFIX = @LIBNSL_PREFIX@ LIBOBJS = @LIBOBJS@ LIBOPTS_CFLAGS = @LIBOPTS_CFLAGS@ LIBOPTS_DIR = @LIBOPTS_DIR@ @@ -1078,6 +1096,7 @@ LTALLOCA = @LTALLOCA@ LTLIBDL = @LTLIBDL@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ +LTLIBNSL = @LTLIBNSL@ LTLIBOBJS = @LTLIBOBJS@ LTLIBPTHREAD = @LTLIBPTHREAD@ LTLIBRT = @LTLIBRT@ @@ -1091,9 +1110,6 @@ LT_REVISION = @LT_REVISION@ LT_SSL_AGE = @LT_SSL_AGE@ LT_SSL_CURRENT = @LT_SSL_CURRENT@ LT_SSL_REVISION = @LT_SSL_REVISION@ -LT_XSSL_AGE = @LT_XSSL_AGE@ -LT_XSSL_CURRENT = @LT_XSSL_CURRENT@ -LT_XSSL_REVISION = @LT_XSSL_REVISION@ MAJOR_VERSION = @MAJOR_VERSION@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ @@ -1257,10 +1273,12 @@ REPLACE_PTSNAME = @REPLACE_PTSNAME@ REPLACE_PTSNAME_R = @REPLACE_PTSNAME_R@ REPLACE_PUTENV = @REPLACE_PUTENV@ REPLACE_PWRITE = @REPLACE_PWRITE@ +REPLACE_QSORT_R = @REPLACE_QSORT_R@ REPLACE_RAISE = @REPLACE_RAISE@ REPLACE_RANDOM_R = @REPLACE_RANDOM_R@ REPLACE_READ = @REPLACE_READ@ REPLACE_READLINK = @REPLACE_READLINK@ +REPLACE_READLINKAT = @REPLACE_READLINKAT@ REPLACE_REALLOC = @REPLACE_REALLOC@ REPLACE_REALPATH = @REPLACE_REALPATH@ REPLACE_REMOVE = @REPLACE_REMOVE@ @@ -1292,6 +1310,7 @@ REPLACE_STRTOK_R = @REPLACE_STRTOK_R@ REPLACE_STRTOUMAX = @REPLACE_STRTOUMAX@ REPLACE_STRUCT_TIMEVAL = @REPLACE_STRUCT_TIMEVAL@ REPLACE_SYMLINK = @REPLACE_SYMLINK@ +REPLACE_SYMLINKAT = @REPLACE_SYMLINKAT@ REPLACE_TIMEGM = @REPLACE_TIMEGM@ REPLACE_TMPFILE = @REPLACE_TMPFILE@ REPLACE_TTYNAME_R = @REPLACE_TTYNAME_R@ 
@@ -1324,9 +1343,11 @@ STDALIGN_H = @STDALIGN_H@ STDBOOL_H = @STDBOOL_H@ STDDEF_H = @STDDEF_H@ STDINT_H = @STDINT_H@ +STDNORETURN_H = @STDNORETURN_H@ STRIP = @STRIP@ SYS_TIME_H_DEFINES_STRUCT_TIMESPEC = @SYS_TIME_H_DEFINES_STRUCT_TIMESPEC@ TIME_H_DEFINES_STRUCT_TIMESPEC = @TIME_H_DEFINES_STRUCT_TIMESPEC@ +TROUSERS_LIB = @TROUSERS_LIB@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ UINT32_MAX_LT_UINTMAX_MAX = @UINT32_MAX_LT_UINTMAX_MAX@ @@ -1410,6 +1431,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -1426,8 +1448,7 @@ AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS) AM_CPPFLAGS = -I$(top_srcdir)/lib/includes \ -I$(top_builddir)/lib/includes -I$(top_srcdir)/extra/includes \ -I$(top_srcdir)/src/gl -I$(top_builddir)/src/gl \ - -I$(top_srcdir)/gl -I$(top_builddir)/gl -D_GL_NO_LARGE_FILES \ - -DNO_LIBCURL + -D_GL_NO_LARGE_FILES -DNO_LIBCURL AM_LDFLAGS = -no-install LDADD = libexamples.la \ ../../lib/libgnutls.la \ @@ -1461,7 +1482,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/examples/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu doc/examples/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -1862,6 +1882,8 @@ uninstall-am: mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/doc/examples/ex-cert-select-pkcs11.c b/doc/examples/ex-cert-select-pkcs11.c index a7f4e7c..dd16676 100644 --- a/doc/examples/ex-cert-select-pkcs11.c +++ b/doc/examples/ex-cert-select-pkcs11.c 
@@ -80,14 +80,15 @@ int main(void) */ if (gnutls_check_version("3.1.4") == NULL) { - fprintf(stderr, "GnuTLS 3.1.4 is required for this example\n"); + fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n"); exit(1); } + /* for backwards compatibility with gnutls < 3.3.0 */ gnutls_global_init(); - /* PKCS11 private key operations might require PIN. - * Register a callback. - */ + + /* The PKCS11 private key operations may require PIN. + * Register a callback. */ gnutls_pkcs11_set_pin_function(pin_callback, NULL); /* X509 stuff */ diff --git a/doc/examples/ex-cert-select.c b/doc/examples/ex-cert-select.c index 7437e26..4c15f0b 100644 --- a/doc/examples/ex-cert-select.c +++ b/doc/examples/ex-cert-select.c @@ -94,10 +94,11 @@ int main(void) gnutls_certificate_credentials_t xcred; if (gnutls_check_version("3.1.4") == NULL) { - fprintf(stderr, "GnuTLS 3.1.4 is required for this example\n"); + fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n"); exit(1); } + /* for backwards compatibility with gnutls < 3.3.0 */ gnutls_global_init(); load_keys(); diff --git a/doc/examples/ex-client-dtls.c b/doc/examples/ex-client-dtls.c index dcb0e10..dea3b68 100644 --- a/doc/examples/ex-client-dtls.c +++ b/doc/examples/ex-client-dtls.c @@ -34,10 +34,11 @@ int main(void) gnutls_certificate_credentials_t xcred; if (gnutls_check_version("3.1.4") == NULL) { - fprintf(stderr, "GnuTLS 3.1.4 is required for this example\n"); + fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n"); exit(1); } + /* for backwards compatibility with gnutls < 3.3.0 */ gnutls_global_init(); /* X509 stuff */ @@ -74,8 +75,7 @@ int main(void) /* set the connection MTU */ gnutls_dtls_set_mtu(session, 1000); - gnutls_handshake_set_timeout(session, - GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); + /* gnutls_dtls_set_timeouts(session, 1000, 60000); */ /* Perform the TLS handshake */ do { 
diff --git a/doc/examples/ex-client-srp.c b/doc/examples/ex-client-srp.c index 4542724..e023289 100644 --- a/doc/examples/ex-client-srp.c +++ b/doc/examples/ex-client-srp.c @@ -31,10 +31,11 @@ int main(void) gnutls_certificate_credentials_t cert_cred; if (gnutls_check_version("3.1.4") == NULL) { - fprintf(stderr, "GnuTLS 3.1.4 is required for this example\n"); + fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n"); exit(1); } + /* for backwards compatibility with gnutls < 3.3.0 */ gnutls_global_init(); gnutls_srp_allocate_client_credentials(&srp_cred); diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c index 01762e8..8ee429a 100644 --- a/doc/examples/ex-client-x509.c +++ b/doc/examples/ex-client-x509.c @@ -33,10 +33,11 @@ int main(void) gnutls_certificate_credentials_t xcred; if (gnutls_check_version("3.1.4") == NULL) { - fprintf(stderr, "GnuTLS 3.1.4 is required for this example\n"); + fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n"); exit(1); } + /* for backwards compatibility with gnutls < 3.3.0 */ gnutls_global_init(); /* X509 stuff */ diff --git a/doc/examples/ex-serv-anon.c b/doc/examples/ex-serv-anon.c index dc0a55b..5c164e3 100644 --- a/doc/examples/ex-serv-anon.c +++ b/doc/examples/ex-serv-anon.c @@ -55,10 +55,11 @@ int main(void) int optval = 1; if (gnutls_check_version("3.1.4") == NULL) { - fprintf(stderr, "GnuTLS 3.1.4 is required for this example\n"); + fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n"); exit(1); } + /* for backwards compatibility with gnutls < 3.3.0 */ gnutls_global_init(); gnutls_anon_allocate_server_credentials(&anoncred); diff --git a/doc/examples/ex-serv-dtls.c b/doc/examples/ex-serv-dtls.c index 7e35bbc..ad51fd9 100644 --- a/doc/examples/ex-serv-dtls.c +++ b/doc/examples/ex-serv-dtls.c @@ -28,7 +28,7 @@ */ #define MAX_BUFFER 1024 -#define PORT 5556 +#define PORT 5557 typedef struct { gnutls_session_t session; 
diff --git a/doc/examples/ex-serv-pgp.c b/doc/examples/ex-serv-pgp.c index d68a11c..9cd4395 100644 --- a/doc/examples/ex-serv-pgp.c +++ b/doc/examples/ex-serv-pgp.c @@ -64,10 +64,11 @@ int main(void) strcpy(name, "Echo Server"); if (gnutls_check_version("3.1.4") == NULL) { - fprintf(stderr, "GnuTLS 3.1.4 is required for this example\n"); + fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n"); exit(1); } + /* for backwards compatibility with gnutls < 3.3.0 */ gnutls_global_init(); gnutls_certificate_allocate_credentials(&cred); diff --git a/doc/examples/ex-serv-psk.c b/doc/examples/ex-serv-psk.c index c83658b..ed61f00 100644 --- a/doc/examples/ex-serv-psk.c +++ b/doc/examples/ex-serv-psk.c @@ -79,10 +79,11 @@ int main(void) int kx; if (gnutls_check_version("3.1.4") == NULL) { - fprintf(stderr, "GnuTLS 3.1.4 is required for this example\n"); + fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n"); exit(1); } + /* for backwards compatibility with gnutls < 3.3.0 */ gnutls_global_init(); gnutls_certificate_allocate_credentials(&x509_cred); diff --git a/doc/examples/ex-serv-srp.c b/doc/examples/ex-serv-srp.c index 9f1f58a..c79ceb2 100644 --- a/doc/examples/ex-serv-srp.c +++ b/doc/examples/ex-serv-srp.c @@ -47,10 +47,11 @@ int main(void) strcpy(name, "Echo Server"); if (gnutls_check_version("3.1.4") == NULL) { - fprintf(stderr, "GnuTLS 3.1.4 is required for this example\n"); + fprintf(stderr, "GnuTLS 3.1.4 or later is required for this example\n"); exit(1); } + /* for backwards compatibility with gnutls < 3.3.0 */ gnutls_global_init(); /* SRP_PASSWD a password file (created with the included srptool utility) diff --git a/doc/examples/ex-serv-x509.c b/doc/examples/ex-serv-x509.c index 5380d60..69061e6 100644 --- a/doc/examples/ex-serv-x509.c +++ b/doc/examples/ex-serv-x509.c 
@@ -67,8 +67,7 @@ int main(void) char buffer[MAX_BUF + 1]; int optval = 1; - /* this must be called once in the program - */ + /* for backwards compatibility with gnutls < 3.3.0 */ gnutls_global_init(); gnutls_certificate_allocate_credentials(&x509_cred); diff --git a/doc/functions/dane_query_to_raw_tlsa b/doc/functions/dane_query_to_raw_tlsa new file mode 100644 index 0000000..24605a6 --- /dev/null +++ b/doc/functions/dane_query_to_raw_tlsa @@ -0,0 +1,31 @@ + + + + +@deftypefun {int} {dane_query_to_raw_tlsa} (dane_query_t @var{q}, unsigned int * @var{data_entries}, char *** @var{dane_data}, int ** @var{dane_data_len}, int * @var{secure}, int * @var{bogus}) +@var{q}: The query result structure + +@var{data_entries}: Pointer set to the number of entries in the query + +@var{dane_data}: Pointer to contain an array of DNS rdata items, terminated with a NULL pointer; +caller must guarantee that the referenced data remains +valid until @code{dane_query_deinit()} is called. + +@var{dane_data_len}: Pointer to contain the length n bytes of the dane_data items + +@var{secure}: Pointer set true if the result is validated securely, false if +validation failed or the domain queried has no security info + +@var{bogus}: Pointer set true if the result was not secure due to a security failure + +This function will provide the DANE data from the query +response. + +The pointers dane_data and dane_data_len are allocated with @code{gnutls_malloc()} +to contain the data from the query result structure (individual + @code{dane_data} items simply point to the original data and are not allocated separately). +The returned @code{dane_data} are only valid during the lifetime of @code{q} . + +@strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun diff --git a/doc/functions/dane_query_to_raw_tlsa.short b/doc/functions/dane_query_to_raw_tlsa.short new file mode 100644 index 0000000..88f7c08 --- /dev/null 
+++ b/doc/functions/dane_query_to_raw_tlsa.short @@ -0,0 +1 @@ +@item @var{int} @ref{dane_query_to_raw_tlsa} (dane_query_t @var{q}, unsigned int * @var{data_entries}, char *** @var{dane_data}, int ** @var{dane_data_len}, int * @var{secure}, int * @var{bogus}) diff --git a/doc/functions/dane_raw_tlsa b/doc/functions/dane_raw_tlsa index cefc0db..20dfb32 100644 --- a/doc/functions/dane_raw_tlsa +++ b/doc/functions/dane_raw_tlsa @@ -20,7 +20,8 @@ validation failed or the domain queried has no security info and the result is due to a security failure, bogus is true. This function will fill in the TLSA (DANE) structure from -the given raw DNS record data. +the given raw DNS record data. The @code{dane_data} must be valid +during the lifetime of the query. @strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a negative error value. diff --git a/doc/functions/dane_verify_crt b/doc/functions/dane_verify_crt index eb99190..c0b6840 100644 --- a/doc/functions/dane_verify_crt +++ b/doc/functions/dane_verify_crt 
@@ -29,17 +29,20 @@ If no information via DANE can be obtained the flag @code{DANE_VERIFY_NO_DANE_IN is set. If a DNSSEC signature is not available for the DANE record then the verify flag @code{DANE_VERIFY_NO_DNSSEC_DATA} is set. -Note that the CA constraint only applies for the directly certifying CA -and does not account for long CA chains. Moreover this function does not -validate the provided chain. - Due to the many possible options of DANE, there is no single threat model countered. When notifying the user about DANE verification results it may be better to mention: DANE verification did not reject the certificate, rather than mentioning a successful DANE verication. -If the @code{q} parameter is provided it will be used for caching entries. - -@strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a -negative error value. +Note that this function is designed to be run in addition to +PKIX - certificate chain - verification. To be run independently +the @code{DANE_VFLAG_ONLY_CHECK_EE_USAGE} flag should be specified; +then the function will check whether the key of the peer matches the +key advertized in the DANE entry. + +@strong{Returns:} a negative error code on error and @code{DANE_E_SUCCESS} (0) +when the DANE entries were successfully parsed, irrespective of +whether they were verified (see @code{verify} for that information). If +no usable entries were encountered @code{DANE_E_REQUESTED_DATA_NOT_AVAILABLE} +will be returned. @end deftypefun diff --git a/doc/functions/dane_verify_crt_raw b/doc/functions/dane_verify_crt_raw index bb6ec59..433905e 100644 --- a/doc/functions/dane_verify_crt_raw +++ b/doc/functions/dane_verify_crt_raw 
@@ -25,16 +25,22 @@ If no information via DANE can be obtained the flag @code{DANE_VERIFY_NO_DANE_IN is set. If a DNSSEC signature is not available for the DANE record then the verify flag @code{DANE_VERIFY_NO_DNSSEC_DATA} is set. -Note that the CA constraint only applies for the directly certifying CA -and does not account for long CA chains. - Due to the many possible options of DANE, there is no single threat model countered. When notifying the user about DANE verification results it may be better to mention: DANE verification did not reject the certificate, rather than mentioning a successful DANE verication. +Note that this function is designed to be run in addition to +PKIX - certificate chain - verification. To be run independently +the @code{DANE_VFLAG_ONLY_CHECK_EE_USAGE} flag should be specified; +then the function will check whether the key of the peer matches the +key advertized in the DANE entry. + If the @code{q} parameter is provided it will be used for caching entries. -@strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a -negative error value. +@strong{Returns:} a negative error code on error and @code{DANE_E_SUCCESS} (0) +when the DANE entries were successfully parsed, irrespective of +whether they were verified (see @code{verify} for that information). If +no usable entries were encountered @code{DANE_E_REQUESTED_DATA_NOT_AVAILABLE} +will be returned. @end deftypefun diff --git a/doc/functions/dane_verify_session_crt b/doc/functions/dane_verify_session_crt index 73c2dcf..3c16a3d 100644 --- a/doc/functions/dane_verify_session_crt +++ b/doc/functions/dane_verify_session_crt 
@@ -24,9 +24,12 @@ CA constrains and/or the certificate available via DANE. See @code{dane_verify_crt()} for more information. This will not verify the chain for validity; unless the DANE -verification is restricted to end certificates, this has to +verification is restricted to end certificates, this must be be performed separately using @code{gnutls_certificate_verify_peers3()} . -@strong{Returns:} On success, @code{DANE_E_SUCCESS} (0) is returned, otherwise a -negative error value. +@strong{Returns:} a negative error code on error and @code{DANE_E_SUCCESS} (0) +when the DANE entries were successfully parsed, irrespective of +whether they were verified (see @code{verify} for that information). If +no usable entries were encountered @code{DANE_E_REQUESTED_DATA_NOT_AVAILABLE} +will be returned. @end deftypefun diff --git a/doc/functions/gnutls_alpn_get_selected_protocol b/doc/functions/gnutls_alpn_get_selected_protocol index 6cb8651..95e86f4 100644 --- a/doc/functions/gnutls_alpn_get_selected_protocol +++ b/doc/functions/gnutls_alpn_get_selected_protocol @@ -11,8 +11,11 @@ This function allows you to get the negotiated protocol name. The returned protocol should be treated as opaque, constant value and only valid during the session life. +The selected protocol is the first supported by the list sent +by the client. + @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error code is returned. -Since 3.1.11 +Since 3.2.0 @end deftypefun diff --git a/doc/functions/gnutls_alpn_set_protocols b/doc/functions/gnutls_alpn_set_protocols index b81a41a..f914065 100644 --- a/doc/functions/gnutls_alpn_set_protocols +++ b/doc/functions/gnutls_alpn_set_protocols 
@@ -12,7 +12,7 @@ @var{flags}: zero or @code{GNUTLS_ALPN_} * This function is to be used by both clients and servers, to declare -the supported ALPN protocols, which are used during peer negotiation. +the supported ALPN protocols, which are used during negotiation with peer. If @code{GNUTLS_ALPN_MAND} is specified the connection will be aborted if no matching ALPN protocol is found. @@ -20,5 +20,5 @@ if no matching ALPN protocol is found. @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error code is returned. -Since 3.1.11 +Since 3.2.0 @end deftypefun diff --git a/doc/functions/gnutls_certificate_get_issuer b/doc/functions/gnutls_certificate_get_issuer index b808ebc..8991247 100644 --- a/doc/functions/gnutls_certificate_get_issuer +++ b/doc/functions/gnutls_certificate_get_issuer @@ -9,9 +9,12 @@ @var{issuer}: Will hold the issuer if any. Should be treated as constant. -@var{flags}: Use zero. +@var{flags}: Use zero or @code{GNUTLS_TL_GET_COPY} This function will return the issuer of a given certificate. +As with @code{gnutls_x509_trust_list_get_issuer()} this function requires +the @code{GNUTLS_TL_GET_COPY} flag in order to operate with PKCS @code{11} trust +lists. In that case the issuer must be freed using @code{gnutls_x509_crt_deinit()} . @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error value. diff --git a/doc/functions/gnutls_certificate_get_peers b/doc/functions/gnutls_certificate_get_peers index 39d05a8..a69471c 100644 --- a/doc/functions/gnutls_certificate_get_peers +++ b/doc/functions/gnutls_certificate_get_peers 
@@ -16,7 +16,7 @@ issuer's certificate, then the issuer's issuer etc. In case of OpenPGP keys a single key will be returned in raw format. -@strong{Returns:} a pointer to a @code{gnutls_datum_t} containing our +@strong{Returns:} a pointer to a @code{gnutls_datum_t} containing the peer's certificates, or @code{NULL} in case of an error or if no certificate was used. @end deftypefun diff --git a/doc/functions/gnutls_certificate_set_key b/doc/functions/gnutls_certificate_set_key index 571fb8f..7381fa6 100644 --- a/doc/functions/gnutls_certificate_set_key +++ b/doc/functions/gnutls_certificate_set_key @@ -25,6 +25,9 @@ Note that the @code{pcert_list} and @code{key} will become part of the credent structure and must not be deallocated. They will be automatically deallocated when the @code{res} structure is deinitialized. +If that function fails to load the @code{res} structure is at an undefined state, it must +not be reused to load other keys or certificates. + @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success, or a negative error code. @strong{Since:} 3.0 diff --git a/doc/functions/gnutls_certificate_set_retrieve_function b/doc/functions/gnutls_certificate_set_retrieve_function index 201892e..743bfce 100644 --- a/doc/functions/gnutls_certificate_set_retrieve_function +++ b/doc/functions/gnutls_certificate_set_retrieve_function @@ -16,7 +16,7 @@ The callback's function prototype is: int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs, const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr2_st* st); - @code{req_ca_cert} is only used in X.509 certificates. + @code{req_ca_dn} is only used in X.509 certificates. Contains a list with the CA names that the server considers trusted. Normally we should send a certificate that is signed by one of these CAs. These names are DER encoded. To get a more 
diff --git a/doc/functions/gnutls_certificate_set_retrieve_function2 b/doc/functions/gnutls_certificate_set_retrieve_function2 index 8c63845..d27151b 100644 --- a/doc/functions/gnutls_certificate_set_retrieve_function2 +++ b/doc/functions/gnutls_certificate_set_retrieve_function2 @@ -15,7 +15,7 @@ int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs, const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_pcert_st** pcert, unsigned int *pcert_length, gnutls_privkey_t * pkey); - @code{req_ca_cert} is only used in X.509 certificates. + @code{req_ca_dn} is only used in X.509 certificates. Contains a list with the CA names that the server considers trusted. Normally we should send a certificate that is signed by one of these CAs. These names are DER encoded. To get a more @@ -24,7 +24,7 @@ meaningful value use the function @code{gnutls_x509_rdn_get()} . @code{pk_algos} contains a list with server's acceptable signature algorithms. The certificate returned should support the server's given algorithms. - @code{pcert} should contain a single certificate and public or a list of them. + @code{pcert} should contain a single certificate and public key or a list of them. @code{pcert_length} is the size of the previous list. @@ -32,6 +32,8 @@ The certificate returned should support the server's given algorithms. If the callback function is provided then gnutls will call it, in the handshake, after the certificate request message has been received. +All the provided by the callback values will not be released or +modified by gnutls. In server side pk_algos and req_ca_dn are NULL. diff --git a/doc/functions/gnutls_certificate_set_x509_key b/doc/functions/gnutls_certificate_set_x509_key index c903c03..5a92d14 100644 --- a/doc/functions/gnutls_certificate_set_x509_key +++ b/doc/functions/gnutls_certificate_set_x509_key 
@@ -21,6 +21,9 @@ the certificate chain in @code{cert_list} . Note that the certificates and keys provided, can be safely deinitialized after this function is called. +If that function fails to load the @code{res} structure is at an undefined state, it must +not be reused to load other keys or certificates. + @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success, or a negative error code. @strong{Since:} 2.4.0 diff --git a/doc/functions/gnutls_certificate_set_x509_key_file b/doc/functions/gnutls_certificate_set_x509_key_file index e4fedb0..b84efe3 100644 --- a/doc/functions/gnutls_certificate_set_x509_key_file +++ b/doc/functions/gnutls_certificate_set_x509_key_file @@ -30,5 +30,8 @@ that the supported URLs are the ones indicated by @code{gnutls_url_is_supported( In case the @code{certfile} is provided as a PKCS @code{11} URL, then the certificate, and its present issuers in the token are are imported (i.e., the required trust chain). +If that function fails to load the @code{res} structure is at an undefined state, it must +not be reused to load other keys or certificates. + @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success, or a negative error code. @end deftypefun diff --git a/doc/functions/gnutls_certificate_set_x509_key_file2 b/doc/functions/gnutls_certificate_set_x509_key_file2 index a8562dc..37cda94 100644 --- a/doc/functions/gnutls_certificate_set_x509_key_file2 +++ b/doc/functions/gnutls_certificate_set_x509_key_file2 @@ -34,5 +34,8 @@ that the supported URLs are the ones indicated by @code{gnutls_url_is_supported( In case the @code{certfile} is provided as a PKCS @code{11} URL, then the certificate, and its present issuers in the token are are imported (i.e., the required trust chain). +If that function fails to load the @code{res} structure is at an undefined state, it must +not be reused to load other keys or certificates. + @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success, or a negative error code. @end deftypefun 
diff --git a/doc/functions/gnutls_certificate_set_x509_trust_dir b/doc/functions/gnutls_certificate_set_x509_trust_dir new file mode 100644 index 0000000..9b256eb --- /dev/null +++ b/doc/functions/gnutls_certificate_set_x509_trust_dir @@ -0,0 +1,20 @@ + + + + +@deftypefun {int} {gnutls_certificate_set_x509_trust_dir} (gnutls_certificate_credentials_t @var{cred}, const char * @var{ca_dir}, gnutls_x509_crt_fmt_t @var{type}) +@var{cred}: is a @code{gnutls_certificate_credentials_t} structure. + +@var{ca_dir}: is a directory containing the list of trusted CAs (DER or PEM list) + +@var{type}: is PEM or DER + +This function adds the trusted CAs present in the directory in order to +verify client or server certificates. This function is identical +to @code{gnutls_certificate_set_x509_trust_file()} but loads all certificates +in a directory. + +@strong{Returns:} the number of certificates processed + +@strong{Since:} 3.3.6 +@end deftypefun diff --git a/doc/functions/gnutls_certificate_set_x509_trust_dir.short b/doc/functions/gnutls_certificate_set_x509_trust_dir.short new file mode 100644 index 0000000..8f5e390 --- /dev/null +++ b/doc/functions/gnutls_certificate_set_x509_trust_dir.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_certificate_set_x509_trust_dir} (gnutls_certificate_credentials_t @var{cred}, const char * @var{ca_dir}, gnutls_x509_crt_fmt_t @var{type}) diff --git a/doc/functions/gnutls_certificate_set_x509_trust_file b/doc/functions/gnutls_certificate_set_x509_trust_file index f211747..52f7541 100644 --- a/doc/functions/gnutls_certificate_set_x509_trust_file +++ b/doc/functions/gnutls_certificate_set_x509_trust_file 
@@ -23,6 +23,5 @@ This function can also accept URLs. In that case it will import all certificates that are marked as trusted. Note that the supported URLs are the ones indicated by @code{gnutls_url_is_supported()} . -@strong{Returns:} number of certificates processed, or a negative error code on -error. +@strong{Returns:} the number of certificates processed @end deftypefun diff --git a/doc/functions/gnutls_certificate_verify_peers b/doc/functions/gnutls_certificate_verify_peers index 91c9081..776f5d4 100644 --- a/doc/functions/gnutls_certificate_verify_peers +++ b/doc/functions/gnutls_certificate_verify_peers 
@@ -19,18 +19,19 @@ The default verification flags used by this function can be overridden using @code{gnutls_certificate_set_verify_flags()} . See the documentation of @code{gnutls_certificate_verify_peers2()} for details in the verification process. -The acceptable data types are @code{GNUTLS_DT_DNS_HOSTNAME} and @code{GNUTLS_DT_KEY_PURPOSE_OID} . +The acceptable @code{data} types are @code{GNUTLS_DT_DNS_HOSTNAME} and @code{GNUTLS_DT_KEY_PURPOSE_OID} . +The former accepts as data a null-terminated hostname, and the latter a null-terminated +object identifier (e.g., @code{GNUTLS_KP_TLS_WWW_SERVER} ). If a DNS hostname is provided then this function will compare -the hostname in the certificate against the given. The comparison will -be accurate for ascii names; non-ascii names are compared byte-by-byte. -If names do not match the @code{GNUTLS_CERT_UNEXPECTED_OWNER} status flag will be set. - +the hostname in the certificate against the given. If names do not match the +@code{GNUTLS_CERT_UNEXPECTED_OWNER} status flag will be set. If a key purpose OID is provided and the end-certificate contains the extended key usage PKIX extension, it will be required to be have the provided key purpose -(e.g., @code{GNUTLS_KP_TLS_WWW_SERVER} ), or be marked for any purpose, otherwise -verification will fail with @code{GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE} status. +or be marked for any purpose, otherwise verification will fail with @code{GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE} status. -@strong{Returns:} a negative error code on error and @code{GNUTLS_E_SUCCESS} (0) on success. +@strong{Returns:} a negative error code on error and @code{GNUTLS_E_SUCCESS} (0) +when the peer's certificate was successfully parsed, irrespective of whether +it was verified. @strong{Since:} 3.3.0 @end deftypefun diff --git a/doc/functions/gnutls_certificate_verify_peers2 b/doc/functions/gnutls_certificate_verify_peers2 index 9e2fd19..512a009 100644 --- a/doc/functions/gnutls_certificate_verify_peers2 
+++ b/doc/functions/gnutls_certificate_verify_peers2 @@ -26,5 +26,7 @@ Note that you must also check the peer's name in order to check if the verified certificate belongs to the actual peer, see @code{gnutls_x509_crt_check_hostname()} , or use @code{gnutls_certificate_verify_peers3()} . -@strong{Returns:} a negative error code on error and @code{GNUTLS_E_SUCCESS} (0) on success. +@strong{Returns:} a negative error code on error and @code{GNUTLS_E_SUCCESS} (0) +when the peer's certificate was successfully parsed, irrespective of whether +it was verified. @end deftypefun diff --git a/doc/functions/gnutls_certificate_verify_peers3 b/doc/functions/gnutls_certificate_verify_peers3 index c2f8301..def2136 100644 --- a/doc/functions/gnutls_certificate_verify_peers3 +++ b/doc/functions/gnutls_certificate_verify_peers3 @@ -25,7 +25,9 @@ If names do not match the @code{GNUTLS_CERT_UNEXPECTED_OWNER} status flag will In order to verify the purpose of the end-certificate (by checking the extended key usage), use @code{gnutls_certificate_verify_peers()} . -@strong{Returns:} a negative error code on error and @code{GNUTLS_E_SUCCESS} (0) on success. +@strong{Returns:} a negative error code on error and @code{GNUTLS_E_SUCCESS} (0) +when the peer's certificate was successfully parsed, irrespective of whether +it was verified. @strong{Since:} 3.1.4 @end deftypefun diff --git a/doc/functions/gnutls_dh_get_group b/doc/functions/gnutls_dh_get_group index 2c8e5e8..131c9f2 100644 --- a/doc/functions/gnutls_dh_get_group +++ b/doc/functions/gnutls_dh_get_group @@ -15,6 +15,9 @@ the generator used. This function should be used for both anonymous and ephemeral Diffie-Hellman. The output parameters must be freed with @code{gnutls_free()} . +Note, that the prime and generator are exported as non-negative +integers and may include a leading zero byte. + @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise an error code is returned. @end deftypefun 
diff --git a/doc/functions/gnutls_dh_get_pubkey b/doc/functions/gnutls_dh_get_pubkey index b3d3554..9af9546 100644 --- a/doc/functions/gnutls_dh_get_pubkey +++ b/doc/functions/gnutls_dh_get_pubkey @@ -12,6 +12,9 @@ Diffie-Hellman key exchange. This function should be used for both anonymous and ephemeral Diffie-Hellman. The output parameters must be freed with @code{gnutls_free()} . +Note, that public key is exported as non-negative +integer and may include a leading zero byte. + @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise an error code is returned. @end deftypefun diff --git a/doc/functions/gnutls_dh_set_prime_bits b/doc/functions/gnutls_dh_set_prime_bits index 6cdcb70..18b4a35 100644 --- a/doc/functions/gnutls_dh_set_prime_bits +++ b/doc/functions/gnutls_dh_set_prime_bits @@ -16,8 +16,8 @@ In the client side it sets the minimum accepted number of bits. If a server sends a prime with less bits than that @code{GNUTLS_E_DH_PRIME_UNACCEPTABLE} will be returned by the handshake. -Note that values lower than 512 bits may allow decryption of the -exchanged data. +Note that this function will warn via the audit log for value that +are believed to be weak. The function has no effect in server side. diff --git a/doc/functions/gnutls_dtls_set_timeouts b/doc/functions/gnutls_dtls_set_timeouts index 751132f..7aa688d 100644 --- a/doc/functions/gnutls_dtls_set_timeouts +++ b/doc/functions/gnutls_dtls_set_timeouts @@ -18,9 +18,6 @@ handshake will be aborted with @code{GNUTLS_E_TIMEDOUT} . The DTLS protocol recommends the values of 1 sec and 60 seconds respectively. -If the retransmission timeout is zero then the handshake will operate -in a non-blocking way, i.e., return @code{GNUTLS_E_AGAIN} . - To disable retransmissions set a @code{retrans_timeout} larger than the @code{total_timeout} . @strong{Since:} 3.0 diff --git a/doc/functions/gnutls_error_is_fatal b/doc/functions/gnutls_error_is_fatal index 8986bdd..3f389ec 100644 
--- a/doc/functions/gnutls_error_is_fatal +++ b/doc/functions/gnutls_error_is_fatal @@ -17,6 +17,5 @@ This function is only useful if you are dealing with errors from functions that relate to a TLS session (e.g., record layer or handshake layer handling functions). -@strong{Returns:} zero on non fatal errors or positive @code{error} values. Non-zero -on fatal error codes. +@strong{Returns:} Non-zero value on fatal errors or zero on non-fatal. @end deftypefun diff --git a/doc/functions/gnutls_handshake b/doc/functions/gnutls_handshake index 088079c..4c103e8 100644 --- a/doc/functions/gnutls_handshake +++ b/doc/functions/gnutls_handshake 
@@ -13,18 +13,26 @@ return a negative error code. In case of a client, if the client has asked to resume a session, but the server couldn't, then a full handshake will be performed. -The non-fatal errors such as @code{GNUTLS_E_AGAIN} and -@code{GNUTLS_E_INTERRUPTED} interrupt the handshake procedure, which -should be resumed later. Call this function again, until it +The non-fatal errors expected by this function are: +@code{GNUTLS_E_INTERRUPTED} , @code{GNUTLS_E_AGAIN} , +@code{GNUTLS_E_WARNING_ALERT_RECEIVED} , and @code{GNUTLS_E_GOT_APPLICATION_DATA} , +the latter only in a case of rehandshake. + +The former two interrupt the handshake procedure due to the lower +layer being interrupted, and the latter because of an alert that +may be sent by a server (it is always a good idea to check any +received alerts). On these errors call this function again, until it returns 0; cf. @code{gnutls_record_get_direction()} and -@code{gnutls_error_is_fatal()} . +@code{gnutls_error_is_fatal()} . In DTLS sessions the non-fatal error +@code{GNUTLS_E_LARGE_PACKET} is also possible, and indicates that +the MTU should be adjusted. If this function is called by a server after a rehandshake request then @code{GNUTLS_E_GOT_APPLICATION_DATA} or @code{GNUTLS_E_WARNING_ALERT_RECEIVED} may be returned. Note that these are non fatal errors, only in the specific case of a rehandshake. Their meaning is that the client rejected the rehandshake request or -in the case of @code{GNUTLS_E_GOT_APPLICATION_DATA} it might also mean that +in the case of @code{GNUTLS_E_GOT_APPLICATION_DATA} it could also mean that some data were pending. @strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. diff --git a/doc/functions/gnutls_handshake_set_max_packet_length b/doc/functions/gnutls_handshake_set_max_packet_length index bb09995..c1b8998 100644 --- a/doc/functions/gnutls_handshake_set_max_packet_length +++ b/doc/functions/gnutls_handshake_set_max_packet_length 
@@ -10,9 +10,12 @@ This function will set the maximum size of all handshake messages. Handshakes over this size are rejected with @code{GNUTLS_E_HANDSHAKE_TOO_LARGE} error code. The default value is -48kb which is typically large enough. Set this to 0 if you do not +128kb which is typically large enough. Set this to 0 if you do not want to set an upper limit. The reason for restricting the handshake message sizes are to limit Denial of Service attacks. + +Note that the maximum handshake size was increased to 128kb +from 48kb in GnuTLS 3.3.25. @end deftypefun diff --git a/doc/functions/gnutls_handshake_set_timeout b/doc/functions/gnutls_handshake_set_timeout index 0a11ec1..9f787f7 100644 --- a/doc/functions/gnutls_handshake_set_timeout +++ b/doc/functions/gnutls_handshake_set_timeout @@ -9,7 +9,8 @@ This function sets the timeout for the handshake process to the provided value. Use an @code{ms} value of zero to disable -timeout. +timeout, or @code{GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT} for a reasonable +default value. @strong{Since:} 3.1.0 @end deftypefun diff --git a/doc/functions/gnutls_openpgp_keyring_deinit b/doc/functions/gnutls_openpgp_keyring_deinit index 4ea2297..18f7890 100644 --- a/doc/functions/gnutls_openpgp_keyring_deinit +++ b/doc/functions/gnutls_openpgp_keyring_deinit @@ -3,7 +3,7 @@ @deftypefun {void} {gnutls_openpgp_keyring_deinit} (gnutls_openpgp_keyring_t @var{keyring}) -@var{keyring}: The structure to be initialized +@var{keyring}: A pointer to the type to be initialized This function will deinitialize a keyring structure. @end deftypefun diff --git a/doc/functions/gnutls_openpgp_keyring_get_crt b/doc/functions/gnutls_openpgp_keyring_get_crt index 1595f11..7f8eb5b 100644 --- a/doc/functions/gnutls_openpgp_keyring_get_crt +++ b/doc/functions/gnutls_openpgp_keyring_get_crt 
@@ -7,7 +7,7 @@ @var{idx}: the index of the certificate to export -@var{cert}: An uninitialized @code{gnutls_openpgp_crt_t} structure +@var{cert}: An uninitialized @code{gnutls_openpgp_crt_t} type This function will extract an OpenPGP certificate from the given keyring. If the index given is out of range diff --git a/doc/functions/gnutls_openpgp_keyring_init b/doc/functions/gnutls_openpgp_keyring_init index 1cfaa78..6ae7212 100644 --- a/doc/functions/gnutls_openpgp_keyring_init +++ b/doc/functions/gnutls_openpgp_keyring_init @@ -3,7 +3,7 @@ @deftypefun {int} {gnutls_openpgp_keyring_init} (gnutls_openpgp_keyring_t * @var{keyring}) -@var{keyring}: The structure to be initialized +@var{keyring}: A pointer to the type to be initialized This function will initialize an keyring structure. diff --git a/doc/functions/gnutls_pkcs11_copy_x509_crt b/doc/functions/gnutls_pkcs11_copy_x509_crt index 6a8e272..09b2fcb 100644 --- a/doc/functions/gnutls_pkcs11_copy_x509_crt +++ b/doc/functions/gnutls_pkcs11_copy_x509_crt @@ -5,9 +5,9 @@ @deftypefun {int} {gnutls_pkcs11_copy_x509_crt} (const char * @var{token_url}, gnutls_x509_crt_t @var{crt}, const char * @var{label}, unsigned int @var{flags}) @var{token_url}: A PKCS @code{11} URL specifying a token -@var{crt}: A certificate +@var{crt}: The certificate to copy -@var{label}: A name to be used for the stored data +@var{label}: The name to be used for the stored data @var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_* diff --git a/doc/functions/gnutls_pkcs11_copy_x509_crt2 b/doc/functions/gnutls_pkcs11_copy_x509_crt2 new file mode 100644 index 0000000..255540a --- /dev/null +++ b/doc/functions/gnutls_pkcs11_copy_x509_crt2 
@@ -0,0 +1,23 @@ + + + + +@deftypefun {int} {gnutls_pkcs11_copy_x509_crt2} (const char * @var{token_url}, gnutls_x509_crt_t @var{crt}, const char * @var{label}, const gnutls_datum_t * @var{cid}, unsigned int @var{flags}) +@var{token_url}: A PKCS @code{11} URL specifying a token + +@var{crt}: The certificate to copy + +@var{label}: The name to be used for the stored data + +@var{cid}: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key + +@var{flags}: One of GNUTLS_PKCS11_OBJ_FLAG_* + +This function will copy a certificate into a PKCS @code{11} token specified by +a URL. The certificate can be marked as trusted or not. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.3.26 +@end deftypefun diff --git a/doc/functions/gnutls_pkcs11_copy_x509_crt2.short b/doc/functions/gnutls_pkcs11_copy_x509_crt2.short new file mode 100644 index 0000000..de3eafd --- /dev/null +++ b/doc/functions/gnutls_pkcs11_copy_x509_crt2.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_pkcs11_copy_x509_crt2} (const char * @var{token_url}, gnutls_x509_crt_t @var{crt}, const char * @var{label}, const gnutls_datum_t * @var{cid}, unsigned int @var{flags}) diff --git a/doc/functions/gnutls_pkcs11_copy_x509_privkey2 b/doc/functions/gnutls_pkcs11_copy_x509_privkey2 new file mode 100644 index 0000000..34345b5 --- /dev/null +++ b/doc/functions/gnutls_pkcs11_copy_x509_privkey2 
@@ -0,0 +1,26 @@ + + + + +@deftypefun {int} {gnutls_pkcs11_copy_x509_privkey2} (const char * @var{token_url}, gnutls_x509_privkey_t @var{key}, const char * @var{label}, const gnutls_datum_t * @var{cid}, unsigned int @var{key_usage}, unsigned int @var{flags}) +@var{token_url}: A PKCS @code{11} URL specifying a token + +@var{key}: A private key + +@var{label}: A name to be used for the stored data + +@var{cid}: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key + +@var{key_usage}: One of GNUTLS_KEY_* + +@var{flags}: One of GNUTLS_PKCS11_OBJ_* flags + +This function will copy a private key into a PKCS @code{11} token specified by +a URL. It is highly recommended flags to contain @code{GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE} +unless there is a strong reason not to. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.3.26 +@end deftypefun diff --git a/doc/functions/gnutls_pkcs11_copy_x509_privkey2.short b/doc/functions/gnutls_pkcs11_copy_x509_privkey2.short new file mode 100644 index 0000000..2953b75 --- /dev/null +++ b/doc/functions/gnutls_pkcs11_copy_x509_privkey2.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_pkcs11_copy_x509_privkey2} (const char * @var{token_url}, gnutls_x509_privkey_t @var{key}, const char * @var{label}, const gnutls_datum_t * @var{cid}, unsigned int @var{key_usage}, unsigned int @var{flags}) diff --git a/doc/functions/gnutls_pkcs11_crt_is_known b/doc/functions/gnutls_pkcs11_crt_is_known index 1a9455b..573f86a 100644 --- a/doc/functions/gnutls_pkcs11_crt_is_known +++ b/doc/functions/gnutls_pkcs11_crt_is_known 
@@ -11,7 +11,7 @@ This function will check whether the provided certificate is stored in the specified token. This is useful in combination with -@code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED} or +@code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED} or @code{GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED} , to check whether a CA is present or a certificate is blacklisted in a trust PKCS @code{11} module. diff --git a/doc/functions/gnutls_pkcs11_get_raw_issuer b/doc/functions/gnutls_pkcs11_get_raw_issuer index 112d074..2c86955 100644 --- a/doc/functions/gnutls_pkcs11_get_raw_issuer +++ b/doc/functions/gnutls_pkcs11_get_raw_issuer @@ -7,7 +7,7 @@ @var{cert}: is the certificate to find issuer for -@var{issuer}: Will hold the issuer if any in an allocated buffer. +@var{issuer}: Will hold the issuer if any in an allocated buffer. @var{fmt}: The format of the exported issuer. diff --git a/doc/functions/gnutls_pkcs11_obj_flags_get_str b/doc/functions/gnutls_pkcs11_obj_flags_get_str new file mode 100644 index 0000000..ac8d193 --- /dev/null +++ b/doc/functions/gnutls_pkcs11_obj_flags_get_str @@ -0,0 +1,15 @@ + + + + +@deftypefun {char *} {gnutls_pkcs11_obj_flags_get_str} (unsigned int @var{flags}) +@var{flags}: holds the flags + +This function given an or-sequence of @code{GNUTLS_PKCS11_OBJ_FLAG_MARK} , +will return an allocated string with its description. The string +needs to be deallocated using @code{gnutls_free()} . + +@strong{Returns:} If flags is zero @code{NULL} is returned, otherwise an allocated string. + +@strong{Since:} 3.3.7 +@end deftypefun diff --git a/doc/functions/gnutls_pkcs11_obj_flags_get_str.short b/doc/functions/gnutls_pkcs11_obj_flags_get_str.short new file mode 100644 index 0000000..535d55a --- /dev/null +++ b/doc/functions/gnutls_pkcs11_obj_flags_get_str.short @@ -0,0 +1 @@ +@item @var{char *} @ref{gnutls_pkcs11_obj_flags_get_str} (unsigned int @var{flags}) 
diff --git a/doc/functions/gnutls_pkcs11_obj_get_exts b/doc/functions/gnutls_pkcs11_obj_get_exts new file mode 100644 index 0000000..6b65db2 --- /dev/null +++ b/doc/functions/gnutls_pkcs11_obj_get_exts @@ -0,0 +1,24 @@ + + + + +@deftypefun {int} {gnutls_pkcs11_obj_get_exts} (gnutls_pkcs11_obj_t @var{obj}, gnutls_x509_ext_st ** @var{exts}, unsigned int * @var{exts_size}, unsigned int @var{flags}) +@var{obj}: should contain a @code{gnutls_pkcs11_obj_t} type + +@var{exts}: a pointer to a @code{gnutls_x509_ext_st} pointer + +@var{exts_size}: will be updated with the number of @code{exts} + +@var{flags}: Or sequence of @code{GNUTLS_PKCS11_OBJ_} * flags + +This function will return information about attached extensions +that associate to the provided object (which should be a certificate). +The extensions are the attached p11-kit trust module extensions. + +Each element of @code{exts} must be deinitialized using @code{gnutls_x509_ext_deinit()} +while @code{exts} should be deallocated using @code{gnutls_free()} . + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error. + +@strong{Since:} 3.3.8 +@end deftypefun diff --git a/doc/functions/gnutls_pkcs11_obj_get_exts.short b/doc/functions/gnutls_pkcs11_obj_get_exts.short new file mode 100644 index 0000000..bf7b110 --- /dev/null +++ b/doc/functions/gnutls_pkcs11_obj_get_exts.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_pkcs11_obj_get_exts} (gnutls_pkcs11_obj_t @var{obj}, gnutls_x509_ext_st ** @var{exts}, unsigned int * @var{exts_size}, unsigned int @var{flags}) diff --git a/doc/functions/gnutls_pkcs11_obj_get_flags b/doc/functions/gnutls_pkcs11_obj_get_flags new file mode 100644 index 0000000..968ba43 --- /dev/null +++ b/doc/functions/gnutls_pkcs11_obj_get_flags 
@@ -0,0 +1,18 @@ + + + + +@deftypefun {int} {gnutls_pkcs11_obj_get_flags} (gnutls_pkcs11_obj_t @var{obj}, unsigned int * @var{oflags}) +@var{obj}: The structure that holds the object + +@var{oflags}: Will hold the output flags + +This function will return the flags of the object being +stored in the structure. The @code{oflags} are the @code{GNUTLS_PKCS11_OBJ_FLAG_MARK} +flags. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.3.7 +@end deftypefun diff --git a/doc/functions/gnutls_pkcs11_obj_get_flags.short b/doc/functions/gnutls_pkcs11_obj_get_flags.short new file mode 100644 index 0000000..a405edc --- /dev/null +++ b/doc/functions/gnutls_pkcs11_obj_get_flags.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_pkcs11_obj_get_flags} (gnutls_pkcs11_obj_t @var{obj}, unsigned int * @var{oflags}) diff --git a/doc/functions/gnutls_pkcs11_obj_get_info b/doc/functions/gnutls_pkcs11_obj_get_info index 8331296..4cdb2fe 100644 --- a/doc/functions/gnutls_pkcs11_obj_get_info +++ b/doc/functions/gnutls_pkcs11_obj_get_info @@ -2,8 +2,8 @@ -@deftypefun {int} {gnutls_pkcs11_obj_get_info} (gnutls_pkcs11_obj_t @var{crt}, gnutls_pkcs11_obj_info_t @var{itype}, void * @var{output}, size_t * @var{output_size}) -@var{crt}: should contain a @code{gnutls_pkcs11_obj_t} structure +@deftypefun {int} {gnutls_pkcs11_obj_get_info} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pkcs11_obj_info_t @var{itype}, void * @var{output}, size_t * @var{output_size}) +@var{obj}: should contain a @code{gnutls_pkcs11_obj_t} structure @var{itype}: Denotes the type of information requested diff --git a/doc/functions/gnutls_pkcs11_obj_get_info.short b/doc/functions/gnutls_pkcs11_obj_get_info.short index a3fd506..a13017e 100644 --- a/doc/functions/gnutls_pkcs11_obj_get_info.short +++ b/doc/functions/gnutls_pkcs11_obj_get_info.short 
@@ -1 +1 @@ -@item @var{int} @ref{gnutls_pkcs11_obj_get_info} (gnutls_pkcs11_obj_t @var{crt}, gnutls_pkcs11_obj_info_t @var{itype}, void * @var{output}, size_t * @var{output_size}) +@item @var{int} @ref{gnutls_pkcs11_obj_get_info} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pkcs11_obj_info_t @var{itype}, void * @var{output}, size_t * @var{output_size}) diff --git a/doc/functions/gnutls_pkcs11_obj_get_type b/doc/functions/gnutls_pkcs11_obj_get_type index d8b4d59..8d8fd73 100644 --- a/doc/functions/gnutls_pkcs11_obj_get_type +++ b/doc/functions/gnutls_pkcs11_obj_get_type @@ -5,10 +5,10 @@ @deftypefun {gnutls_pkcs11_obj_type_t} {gnutls_pkcs11_obj_get_type} (gnutls_pkcs11_obj_t @var{obj}) @var{obj}: Holds the PKCS 11 object -This function will return the type of the certificate being +This function will return the type of the object being stored in the structure. -@strong{Returns:} The type of the certificate. +@strong{Returns:} The type of the object @strong{Since:} 2.12.0 @end deftypefun diff --git a/doc/functions/gnutls_pkcs11_obj_import_url b/doc/functions/gnutls_pkcs11_obj_import_url index 0e58938..9925203 100644 --- a/doc/functions/gnutls_pkcs11_obj_import_url +++ b/doc/functions/gnutls_pkcs11_obj_import_url @@ -7,7 +7,7 @@ @var{url}: a PKCS 11 url identifying the key -@var{flags}: One of GNUTLS_PKCS11_OBJ_* flags +@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags This function will "import" a PKCS 11 URL identifying an object (e.g. certificate) to the @code{gnutls_pkcs11_obj_t} structure. This does not involve any diff --git a/doc/functions/gnutls_pkcs11_obj_list_import_url b/doc/functions/gnutls_pkcs11_obj_list_import_url index 3dea9b9..3e18f9d 100644 --- a/doc/functions/gnutls_pkcs11_obj_list_import_url +++ b/doc/functions/gnutls_pkcs11_obj_list_import_url 
@@ -11,7 +11,7 @@ @var{attrs}: Attributes of type @code{gnutls_pkcs11_obj_attr_t} that can be used to limit output -@var{flags}: One of GNUTLS_PKCS11_OBJ_* flags +@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags This function will initialize and set values to an object list by using all objects identified by a PKCS 11 URL. diff --git a/doc/functions/gnutls_pkcs11_obj_list_import_url2 b/doc/functions/gnutls_pkcs11_obj_list_import_url2 index 5d15e13..4085c74 100644 --- a/doc/functions/gnutls_pkcs11_obj_list_import_url2 +++ b/doc/functions/gnutls_pkcs11_obj_list_import_url2 @@ -11,12 +11,15 @@ @var{attrs}: Attributes of type @code{gnutls_pkcs11_obj_attr_t} that can be used to limit output -@var{flags}: One of GNUTLS_PKCS11_OBJ_* flags +@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags This function will initialize and set values to an object list by using all objects identified by the PKCS 11 URL. The output is stored in @code{p_list} , which will be initialized. +All returned objects must be deinitialized using @code{gnutls_pkcs11_obj_deinit()} , +and @code{p_list} must be free'd using @code{gnutls_free()} . + @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error value. diff --git a/doc/functions/gnutls_pkcs11_obj_set_info b/doc/functions/gnutls_pkcs11_obj_set_info new file mode 100644 index 0000000..4dbacfe --- /dev/null +++ b/doc/functions/gnutls_pkcs11_obj_set_info 
@@ -0,0 +1,23 @@ + + + + +@deftypefun {int} {gnutls_pkcs11_obj_set_info} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pkcs11_obj_info_t @var{itype}, const void * @var{data}, size_t @var{data_size}, unsigned @var{flags}) +@var{obj}: should contain a @code{gnutls_pkcs11_obj_t} structure + +@var{itype}: Denotes the type of information to be set + +@var{data}: the data to set + +@var{data_size}: the size of data + +@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags + +This function will set attributes on the provided object. +Available options for @code{itype} are @code{GNUTLS_PKCS11_OBJ_LABEL} , +@code{GNUTLS_PKCS11_OBJ_ID_HEX} , and @code{GNUTLS_PKCS11_OBJ_ID} . + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success or a negative error code on error. + +@strong{Since:} 3.3.26 +@end deftypefun diff --git a/doc/functions/gnutls_pkcs11_obj_set_info.short b/doc/functions/gnutls_pkcs11_obj_set_info.short new file mode 100644 index 0000000..5a335b2 --- /dev/null +++ b/doc/functions/gnutls_pkcs11_obj_set_info.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_pkcs11_obj_set_info} (gnutls_pkcs11_obj_t @var{obj}, gnutls_pkcs11_obj_info_t @var{itype}, const void * @var{data}, size_t @var{data_size}, unsigned @var{flags}) diff --git a/doc/functions/gnutls_pkcs11_privkey_export_pubkey b/doc/functions/gnutls_pkcs11_privkey_export_pubkey new file mode 100644 index 0000000..719f4cc --- /dev/null +++ b/doc/functions/gnutls_pkcs11_privkey_export_pubkey 
@@ -0,0 +1,23 @@ + + + + +@deftypefun {int} {gnutls_pkcs11_privkey_export_pubkey} (gnutls_pkcs11_privkey_t @var{pkey}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{data}, unsigned int @var{flags}) +@var{pkey}: The private key + +@var{fmt}: the format of output params. PEM or DER. + +@var{data}: will hold the public key + +@var{flags}: should be zero + +This function will extract the public key (modulus and public +exponent) from the private key specified by the @code{url} private key. +This public key will be stored in @code{pubkey} in the format specified +by @code{fmt} . @code{pubkey} should be deinitialized using @code{gnutls_free()} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.3.7 +@end deftypefun diff --git a/doc/functions/gnutls_pkcs11_privkey_export_pubkey.short b/doc/functions/gnutls_pkcs11_privkey_export_pubkey.short new file mode 100644 index 0000000..a98ebb5 --- /dev/null +++ b/doc/functions/gnutls_pkcs11_privkey_export_pubkey.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_pkcs11_privkey_export_pubkey} (gnutls_pkcs11_privkey_t @var{pkey}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{data}, unsigned int @var{flags}) diff --git a/doc/functions/gnutls_pkcs11_privkey_generate2 b/doc/functions/gnutls_pkcs11_privkey_generate2 index e95bc2e..607c00f 100644 --- a/doc/functions/gnutls_pkcs11_privkey_generate2 +++ b/doc/functions/gnutls_pkcs11_privkey_generate2 @@ -11,11 +11,11 @@ @var{label}: a label -@var{fmt}: the format of output params. PEM or DER. +@var{fmt}: the format of output params. PEM or DER @var{pubkey}: will hold the public key (may be @code{NULL} ) -@var{flags}: should be zero +@var{flags}: zero or an OR'ed sequence of @code{GNUTLS_PKCS11_OBJ_FLAGs} This function will generate a private key in the specified by the @code{url} token. The private key will be generate within 
@@ -23,6 +23,10 @@ the token and will not be exportable. This function will store the DER-encoded public key in the SubjectPublicKeyInfo format in @code{pubkey} . The @code{pubkey} should be deinitialized using @code{gnutls_free()} . +Note that when generating an elliptic curve key, the curve +can be substituted in the place of the bits parameter using the +@code{GNUTLS_CURVE_TO_BITS()} macro. + @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error value. diff --git a/doc/functions/gnutls_pkcs11_privkey_generate3 b/doc/functions/gnutls_pkcs11_privkey_generate3 new file mode 100644 index 0000000..b6a7c9f --- /dev/null +++ b/doc/functions/gnutls_pkcs11_privkey_generate3 
@@ -0,0 +1,36 @@ + + + + +@deftypefun {int} {gnutls_pkcs11_privkey_generate3} (const char * @var{url}, gnutls_pk_algorithm_t @var{pk}, unsigned int @var{bits}, const char * @var{label}, const gnutls_datum_t * @var{cid}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{pubkey}, unsigned int @var{flags}) +@var{url}: a token URL + +@var{pk}: the public key algorithm + +@var{bits}: the security bits + +@var{label}: a label + +@var{cid}: The CKA_ID to use for the new object + +@var{fmt}: the format of output params. PEM or DER + +@var{pubkey}: will hold the public key (may be @code{NULL} ) + +@var{flags}: zero or an OR'ed sequence of @code{GNUTLS_PKCS11_OBJ_FLAGs} + +This function will generate a private key in the specified +by the @code{url} token. The private key will be generate within +the token and will not be exportable. This function will +store the DER-encoded public key in the SubjectPublicKeyInfo format +in @code{pubkey} . The @code{pubkey} should be deinitialized using @code{gnutls_free()} . + +Note that when generating an elliptic curve key, the curve +can be substituted in the place of the bits parameter using the +@code{GNUTLS_CURVE_TO_BITS()} macro. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. + +@strong{Since:} 3.3.26 +@end deftypefun diff --git a/doc/functions/gnutls_pkcs11_privkey_generate3.short b/doc/functions/gnutls_pkcs11_privkey_generate3.short new file mode 100644 index 0000000..97b1261 --- /dev/null +++ b/doc/functions/gnutls_pkcs11_privkey_generate3.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_pkcs11_privkey_generate3} (const char * @var{url}, gnutls_pk_algorithm_t @var{pk}, unsigned int @var{bits}, const char * @var{label}, const gnutls_datum_t * @var{cid}, gnutls_x509_crt_fmt_t @var{fmt}, gnutls_datum_t * @var{pubkey}, unsigned int @var{flags}) 
diff --git a/doc/functions/gnutls_pkcs11_privkey_import_url b/doc/functions/gnutls_pkcs11_privkey_import_url index 4553aad..3a81af5 100644 --- a/doc/functions/gnutls_pkcs11_privkey_import_url +++ b/doc/functions/gnutls_pkcs11_privkey_import_url @@ -7,7 +7,7 @@ @var{url}: a PKCS 11 url identifying the key -@var{flags}: sequence of GNUTLS_PKCS_PRIVKEY_* +@var{flags}: Or sequence of GNUTLS_PKCS11_OBJ_* flags This function will "import" a PKCS 11 URL identifying a private key to the @code{gnutls_pkcs11_privkey_t} structure. In reality since diff --git a/doc/functions/gnutls_pkcs12_simple_parse b/doc/functions/gnutls_pkcs12_simple_parse index c673098..c9ff549 100644 --- a/doc/functions/gnutls_pkcs12_simple_parse +++ b/doc/functions/gnutls_pkcs12_simple_parse @@ -3,9 +3,9 @@ @deftypefun {int} {gnutls_pkcs12_simple_parse} (gnutls_pkcs12_t @var{p12}, const char * @var{password}, gnutls_x509_privkey_t * @var{key}, gnutls_x509_crt_t ** @var{chain}, unsigned int * @var{chain_len}, gnutls_x509_crt_t ** @var{extra_certs}, unsigned int * @var{extra_certs_len}, gnutls_x509_crl_t * @var{crl}, unsigned int @var{flags}) -@var{p12}: the PKCS12 blob. +@var{p12}: should contain a gnutls_pkcs12_t structure -@var{password}: optional password used to decrypt PKCS12 blob, bags and keys. +@var{password}: optional password used to decrypt the structure, bags and keys. @var{key}: a structure to store the parsed private key. @@ -14,7 +14,7 @@ @var{chain_len}: will be updated with the number of additional (may be @code{NULL} ) @var{extra_certs}: optional pointer to receive an array of additional -certificates found in the PKCS12 blob (may be @code{NULL} ). +certificates found in the PKCS12 structure (may be @code{NULL} ). @var{extra_certs_len}: will be updated with the number of additional certs (may be @code{NULL} ). 
@@ -23,27 +23,23 @@ certs (may be @code{NULL} ). @var{flags}: should be zero or one of GNUTLS_PKCS12_SP_* -This function parses a PKCS12 blob in @code{p12blob} and extracts the -private key, the corresponding certificate chain, and any additional +This function parses a PKCS12 structure in @code{pkcs12} and extracts the +private key, the corresponding certificate chain, any additional certificates and a CRL. -The @code{extra_certs_ret} and @code{extra_certs_len} parameters are optional +The @code{extra_certs} and @code{extra_certs_len} parameters are optional and both may be set to @code{NULL} . If either is non-@code{NULL} , then both must -be set. +be set. The value for @code{extra_certs} is allocated +using @code{gnutls_malloc()} . -Encrypted PKCS12 bags and PKCS8 private keys are supported. However, -only password based security, and the same password for all -operations, are supported. +Encrypted PKCS12 bags and PKCS8 private keys are supported, but +only with password based security and the same password for all +operations. -A PKCS12 file may contain many keys and/or certificates, and there -is no way to identify which key/certificate pair you want. You -should make sure the PKCS12 file only contain one key/certificate -pair and/or one CRL. - -It is believed that the limitations of this function are acceptable -for common usage, and that any more flexibility would introduce -complexity that would make it harder to use this functionality at -all. +Note that a PKCS12 structure may contain many keys and/or certificates, +and there is no way to identify which key/certificate pair you want. +For this reason this function is useful for PKCS12 files that contain +only one key/certificate pair and/or one CRL. If the provided structure has encrypted fields but no password is provided then this function returns @code{GNUTLS_E_DECRYPTION_FAILED} . 
@@ -53,8 +49,11 @@ certificates, to comply with TLS' requirements. If, however, the flag @code{GNUTLS_PKCS12_SP_INCLUDE_SELF_SIGNED} is specified then self signed certificates will be included in the chain. +Prior to using this function the PKCS @code{12} structure integrity must +be verified using @code{gnutls_pkcs12_verify_mac()} . + @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error value. -@strong{Since:} 3.1 +@strong{Since:} 3.1.0 @end deftypefun diff --git a/doc/functions/gnutls_prf b/doc/functions/gnutls_prf index 6cd1d0b..1f746d1 100644 --- a/doc/functions/gnutls_prf +++ b/doc/functions/gnutls_prf @@ -9,7 +9,7 @@ @var{label}: label used in PRF computation, typically a short string. -@var{server_random_first}: non-0 if server random field should be first in seed +@var{server_random_first}: non-zero if server random field should be first in seed @var{extra_size}: length of the @code{extra} variable. @@ -20,13 +20,15 @@ @var{out}: pre-allocated buffer to hold the generated data. Applies the TLS Pseudo-Random-Function (PRF) on the master secret -and the provided data, seeded with the client and server random fields, -as specified in RFC5705. +and the provided data, seeded with the client and server random fields. + +The output of this function is identical to RFC5705 extractor if @code{extra} and @code{extra_size} are set to zero. Otherwise, @code{extra} should contain the context +value prefixed by a two-byte length. The @code{label} variable usually contains a string denoting the purpose for the generated data. The @code{server_random_first} indicates whether the client random field or the server random field should be first -in the seed. Non-0 indicates that the server random field is first, +in the seed. Non-zero indicates that the server random field is first, 0 that the client random field is first. The @code{extra} variable can be used to add more data to the seed, after 
diff --git a/doc/functions/gnutls_priority_init b/doc/functions/gnutls_priority_init index afdfdce..0e4e6f9 100644 --- a/doc/functions/gnutls_priority_init +++ b/doc/functions/gnutls_priority_init @@ -5,9 +5,9 @@ @deftypefun {int} {gnutls_priority_init} (gnutls_priority_t * @var{priority_cache}, const char * @var{priorities}, const char ** @var{err_pos}) @var{priority_cache}: is a @code{gnutls_prioritity_t} structure. -@var{priorities}: is a string describing priorities +@var{priorities}: is a string describing priorities (may be @code{NULL} ) -@var{err_pos}: In case of an error this will have the position in the string the error occured +@var{err_pos}: In case of an error this will have the position in the string the error occurred Sets priorities for the ciphers, key exchange methods, macs and compression methods. @@ -84,6 +84,9 @@ enabled, SSL3.0 is disabled, and libz compression enabled. Note that "NORMAL:@code{COMPAT} " is the most compatible mode. +A @code{NULL} @code{priorities} string indicates the default priorities to be +used (this is available since GnuTLS 3.3.0). + @strong{Returns:} On syntax error @code{GNUTLS_E_INVALID_REQUEST} is returned, @code{GNUTLS_E_SUCCESS} on success, or an error code. @end deftypefun diff --git a/doc/functions/gnutls_pubkey_print b/doc/functions/gnutls_pubkey_print index 9c09ed2..c17098e 100644 --- a/doc/functions/gnutls_pubkey_print +++ b/doc/functions/gnutls_pubkey_print @@ -7,7 +7,7 @@ @var{format}: Indicate the format to use -@var{out}: Newly allocated datum with (0) terminated string. +@var{out}: Newly allocated datum with null terminated string. This function will pretty print public key information, suitable for display to a human. diff --git a/doc/functions/gnutls_random_art b/doc/functions/gnutls_random_art index 5a5c29a..15628b1 100644 --- a/doc/functions/gnutls_random_art +++ b/doc/functions/gnutls_random_art 
@@ -3,7 +3,7 @@ @deftypefun {int} {gnutls_random_art} (gnutls_random_art_t @var{type}, const char * @var{key_type}, unsigned int @var{key_size}, void * @var{fpr}, size_t @var{fpr_size}, gnutls_datum_t * @var{art}) -@var{type}: The type of the random art +@var{type}: The type of the random art (for now only @code{GNUTLS_RANDOM_ART_OPENSSH} is supported) @var{key_type}: The type of the key (RSA, DSA etc.) @@ -16,7 +16,7 @@ @var{art}: The returned random art This function will convert a given fingerprint to an "artistic" -image. The returned image is allocated using @code{gnutls_malloc()} +image. The returned image is allocated using @code{gnutls_malloc()} . @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise an error code is returned. diff --git a/doc/functions/gnutls_record_check_corked b/doc/functions/gnutls_record_check_corked index 23fc76d..cb7c10c 100644 --- a/doc/functions/gnutls_record_check_corked +++ b/doc/functions/gnutls_record_check_corked @@ -6,7 +6,7 @@ @var{session}: is a @code{gnutls_session_t} structure. This function checks if there pending corked -data in the gnutls buffers --see @code{gnutls_cork()} . +data in the gnutls buffers --see @code{gnutls_record_cork()} . @strong{Returns:} Returns the size of the corked data or zero. diff --git a/doc/functions/gnutls_record_cork b/doc/functions/gnutls_record_cork index 3d39427..08ac0ed 100644 --- a/doc/functions/gnutls_record_cork +++ b/doc/functions/gnutls_record_cork 
@@ -5,9 +5,8 @@ @deftypefun {void} {gnutls_record_cork} (gnutls_session_t @var{session}) @var{session}: is a @code{gnutls_session_t} structure. -If called @code{gnutls_record_send()} will no longer send partial records. -All queued records will be sent when @code{gnutls_uncork()} is called, or -when the maximum record size is reached. +If called, @code{gnutls_record_send()} will no longer send any records. +Any sent records will be cached until @code{gnutls_record_uncork()} is called. This function is safe to use with DTLS after GnuTLS 3.3.0. diff --git a/doc/functions/gnutls_record_get_direction b/doc/functions/gnutls_record_get_direction index 9a1a99f..d023365 100644 --- a/doc/functions/gnutls_record_get_direction +++ b/doc/functions/gnutls_record_get_direction @@ -16,5 +16,8 @@ reading or writing, @code{gnutls_record_get_direction()} returns 0 if the interrupted function was trying to read data, and 1 if it was trying to write data. +This function's output is unreliable if you are using the + @code{session} in different threads, for sending and receiving. + @strong{Returns:} 0 if trying to read data, 1 if trying to write data. @end deftypefun diff --git a/doc/functions/gnutls_record_uncork b/doc/functions/gnutls_record_uncork index b0efbda..10d3d8d 100644 --- a/doc/functions/gnutls_record_uncork +++ b/doc/functions/gnutls_record_uncork @@ -7,7 +7,7 @@ @var{flags}: Could be zero or @code{GNUTLS_RECORD_WAIT} -This resets the effect of @code{gnutls_cork()} , and flushes any pending +This resets the effect of @code{gnutls_record_cork()} , and flushes any pending data. If the @code{GNUTLS_RECORD_WAIT} flag is specified then this function will block until the data is sent or a fatal error occurs (i.e., the function will retry on @code{GNUTLS_E_AGAIN} and diff --git a/doc/functions/gnutls_rnd b/doc/functions/gnutls_rnd index 2f938dd..3d8ac3d 100644 --- a/doc/functions/gnutls_rnd +++ b/doc/functions/gnutls_rnd 
@@ -12,7 +12,9 @@ This function will generate random data and store it to output buffer. -@strong{Returns:} Zero or a negative error code on error. +This function is thread-safe and also fork-safe. + +@strong{Returns:} Zero on success, or a negative error code on error. @strong{Since:} 2.12.0 @end deftypefun diff --git a/doc/functions/gnutls_session_get_data b/doc/functions/gnutls_session_get_data index 9daf4e9..5a60d85 100644 --- a/doc/functions/gnutls_session_get_data +++ b/doc/functions/gnutls_session_get_data @@ -12,7 +12,8 @@ Returns all session parameters needed to be stored to support resumption. The client should call this, and store the returned session data. A session may be resumed later by calling @code{gnutls_session_set_data()} . -This function must be called after a successful handshake. +This function must be called after a successful (full) handshake. It should +not be used in resumed sessions --see @code{gnutls_session_is_resumed()} . @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise an error code is returned. diff --git a/doc/functions/gnutls_session_get_data2 b/doc/functions/gnutls_session_get_data2 index 41caded..824eeb7 100644 --- a/doc/functions/gnutls_session_get_data2 +++ b/doc/functions/gnutls_session_get_data2 @@ -10,7 +10,9 @@ Returns all session parameters needed to be stored to support resumption. The client should call this, and store the returned session data. A session may be resumed later by calling @code{gnutls_session_set_data()} . -This function must be called after a successful handshake. +This function must be called after a successful (full) handshake. It should +not be used in resumed sessions --see @code{gnutls_session_is_resumed()} . + The returned @code{data} are allocated and must be released using @code{gnutls_free()} . @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise 
diff --git a/doc/functions/gnutls_set_default_priority b/doc/functions/gnutls_set_default_priority index 36ef0bc..b94983f 100644 --- a/doc/functions/gnutls_set_default_priority +++ b/doc/functions/gnutls_set_default_priority @@ -5,17 +5,9 @@ @deftypefun {int} {gnutls_set_default_priority} (gnutls_session_t @var{session}) @var{session}: is a @code{gnutls_session_t} structure. -Sets some default priority on the ciphers, key exchange methods, -macs and compression methods. - -This typically sets a default priority that is considered -sufficiently secure to establish encrypted sessions. - -This function is kept around for backwards compatibility, but -because of its wide use it is still fully supported. If you wish -to allow users to provide a string that specify which ciphers to -use (which is recommended), you should use -@code{gnutls_priority_set_direct()} or @code{gnutls_priority_set()} instead. +Sets the default priority on the ciphers, key exchange methods, +macs and compression methods. For more fine-tuning you could +use @code{gnutls_priority_set_direct()} or @code{gnutls_priority_set()} instead. @strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, or an error code. @end deftypefun diff --git a/doc/functions/gnutls_srp_set_server_credentials_function b/doc/functions/gnutls_srp_set_server_credentials_function index 9ffbd41..37cb6c4 100644 --- a/doc/functions/gnutls_srp_set_server_credentials_function +++ b/doc/functions/gnutls_srp_set_server_credentials_function 
@@ -11,13 +11,18 @@ This function can be used to set a callback to retrieve the user's SRP credentials. The callback's function form is: int (*callback)(gnutls_session_t, const char* username, -gnutls_datum_t* salt, gnutls_datum_t *verifier, gnutls_datum_t* generator, -gnutls_datum_t* prime); +gnutls_datum_t *salt, gnutls_datum_t *verifier, gnutls_datum_t *generator, +gnutls_datum_t *prime); @code{username} contains the actual username. The @code{salt} , @code{verifier} , @code{generator} and @code{prime} must be filled in using the @code{gnutls_malloc()} . For convenience @code{prime} and @code{generator} may also be one of the static parameters defined in gnutls.h. +Initially, the data field is NULL in every @code{gnutls_datum_t} +structure that the callback has to fill in. When the +callback is done GnuTLS deallocates all of those buffers +which are non-NULL, regardless of the return value. + In order to prevent attackers from guessing valid usernames, if a user does not exist, g and n values should be filled in using a random user's parameters. In that case the callback must diff --git a/doc/functions/gnutls_tdb_set_store_commitment_func b/doc/functions/gnutls_tdb_set_store_commitment_func index 99b4860..4420a4d 100644 --- a/doc/functions/gnutls_tdb_set_store_commitment_func +++ b/doc/functions/gnutls_tdb_set_store_commitment_func @@ -10,7 +10,9 @@ This function will associate a commitment (hash) storage function with the trust storage structure. The function is of the following form. -gnutls_tdb_store_commitment_func(const char* db_name, const char* host, +int gnutls_tdb_store_commitment_func(const char* db_name, const char* host, const char* service, time_t expiration, gnutls_digest_algorithm_t, const gnutls_datum_t* hash); + +The @code{db_name} should be used to pass any private data to this function. @end deftypefun diff --git a/doc/functions/gnutls_tdb_set_store_func b/doc/functions/gnutls_tdb_set_store_func index 6e76510..0152d2b 100644 
--- a/doc/functions/gnutls_tdb_set_store_func +++ b/doc/functions/gnutls_tdb_set_store_func @@ -10,7 +10,9 @@ This function will associate a storage function with the trust storage structure. The function is of the following form. -gnutls_tdb_store_func(const char* db_name, const char* host, +int gnutls_tdb_store_func(const char* db_name, const char* host, const char* service, time_t expiration, const gnutls_datum_t* pubkey); + +The @code{db_name} should be used to pass any private data to this function. @end deftypefun diff --git a/doc/functions/gnutls_tdb_set_verify_func b/doc/functions/gnutls_tdb_set_verify_func index 2972b8b..9e885d2 100644 --- a/doc/functions/gnutls_tdb_set_verify_func +++ b/doc/functions/gnutls_tdb_set_verify_func @@ -10,6 +10,11 @@ This function will associate a retrieval function with the trust storage structure. The function is of the following form. -gnutls_tdb_verify_func(const char* db_name, const char* host, +int gnutls_tdb_verify_func(const char* db_name, const char* host, const char* service, const gnutls_datum_t* pubkey); + +The verify function should return zero on a match, @code{GNUTLS_E_CERTIFICATE_KEY_MISMATCH} +if there is a mismatch and any other negative error code otherwise. + +The @code{db_name} should be used to pass any private data to this function. @end deftypefun diff --git a/doc/functions/gnutls_transport_set_errno b/doc/functions/gnutls_transport_set_errno index f5e3451..544b68c 100644 --- a/doc/functions/gnutls_transport_set_errno +++ b/doc/functions/gnutls_transport_set_errno @@ -8,7 +8,7 @@ @var{err}: error value to store in session-specific errno variable. Store @code{err} in the session-specific errno variable. Useful values -for @code{err} is EAGAIN and EINTR, other values are treated will be +for @code{err} are EINTR, EAGAIN and EMSGSIZE, other values are treated will be treated as real errors in the push/pull function. This function is useful in replacement push and pull functions set by 
diff --git a/doc/functions/gnutls_x509_aki_get_cert_issuer b/doc/functions/gnutls_x509_aki_get_cert_issuer index 052a472..9f5b82a 100644 --- a/doc/functions/gnutls_x509_aki_get_cert_issuer +++ b/doc/functions/gnutls_x509_aki_get_cert_issuer @@ -7,16 +7,17 @@ @var{seq}: The index of the name to get -@var{san_type}: Will hold the type of the name (of @code{gnutls_subject_alt_names_t} ), may be null +@var{san_type}: Will hold the type of the name (of @code{gnutls_subject_alt_names_t} ) -@var{san}: The alternative name data (may be null and should be treated as constant) +@var{san}: The alternative name data -@var{othername_oid}: The object identifier if @code{san_type} is @code{GNUTLS_SAN_OTHERNAME} (should be treated as constant) +@var{othername_oid}: The object identifier if @code{san_type} is @code{GNUTLS_SAN_OTHERNAME} -@var{serial}: The authorityCertSerialNumber number (may be null) +@var{serial}: The authorityCertSerialNumber number This function will return a specific authorityCertIssuer name as stored in -the @code{aki} structure, as well as the authorityCertSerialNumber. +the @code{aki} structure, as well as the authorityCertSerialNumber. All the returned +values should be treated as constant, and may be set to @code{NULL} when are not required. @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} if the index is out of bounds, otherwise a negative error value. diff --git a/doc/functions/gnutls_x509_aki_get_id b/doc/functions/gnutls_x509_aki_get_id index d4e7bd4..bf891e0 100644 --- a/doc/functions/gnutls_x509_aki_get_id +++ b/doc/functions/gnutls_x509_aki_get_id 
@@ -8,7 +8,7 @@ @var{id}: Will hold the identifier This function will return the key identifier as stored in -the @code{aki} structure. +the @code{aki} structure. The identifier should be treated as constant. @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} if the index is out of bounds, otherwise a negative error value. diff --git a/doc/functions/gnutls_x509_crl_export b/doc/functions/gnutls_x509_crl_export index 709de29..cd023da 100644 --- a/doc/functions/gnutls_x509_crl_export +++ b/doc/functions/gnutls_x509_crl_export @@ -21,5 +21,5 @@ If the structure is PEM encoded, it will have a header of "BEGIN X509 CRL". @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a -negative error value. and a negative error code on failure. +negative error value. @end deftypefun diff --git a/doc/functions/gnutls_x509_crl_export2 b/doc/functions/gnutls_x509_crl_export2 index 864c067..2ffd76a 100644 --- a/doc/functions/gnutls_x509_crl_export2 +++ b/doc/functions/gnutls_x509_crl_export2 @@ -17,7 +17,7 @@ If the structure is PEM encoded, it will have a header of "BEGIN X509 CRL". @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a -negative error value. and a negative error code on failure. +negative error value. Since 3.1.3 @end deftypefun diff --git a/doc/functions/gnutls_x509_crl_get_crt_serial b/doc/functions/gnutls_x509_crl_get_crt_serial index 9cd4563..93d3b5b 100644 --- a/doc/functions/gnutls_x509_crl_get_crt_serial +++ b/doc/functions/gnutls_x509_crl_get_crt_serial @@ -20,5 +20,5 @@ Note that this function will have performance issues in large sequences of revoked certificates. In that case use @code{gnutls_x509_crl_iter_crt_serial()} . @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a -negative error value. and a negative error code on error. +negative error value. @end deftypefun 
diff --git a/doc/functions/gnutls_x509_crl_get_issuer_dn2 b/doc/functions/gnutls_x509_crl_get_issuer_dn2 index d0eb561..582b252 100644 --- a/doc/functions/gnutls_x509_crl_get_issuer_dn2 +++ b/doc/functions/gnutls_x509_crl_get_issuer_dn2 @@ -13,7 +13,7 @@ described in RFC4514. The output string will be ASCII or UTF-8 encoded, depending on the certificate data. @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a -negative error value. and a negative error code on error. +negative error value. @strong{Since:} 3.1.10 @end deftypefun diff --git a/doc/functions/gnutls_x509_crl_get_signature b/doc/functions/gnutls_x509_crl_get_signature index 92bf829..103600b 100644 --- a/doc/functions/gnutls_x509_crl_get_signature +++ b/doc/functions/gnutls_x509_crl_get_signature @@ -12,5 +12,5 @@ This function will extract the signature field of a CRL. @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a -negative error value. and a negative error code on error. +negative error value. @end deftypefun diff --git a/doc/functions/gnutls_x509_crl_iter_crt_serial b/doc/functions/gnutls_x509_crl_iter_crt_serial index 6364112..8362146 100644 --- a/doc/functions/gnutls_x509_crl_iter_crt_serial +++ b/doc/functions/gnutls_x509_crl_iter_crt_serial @@ -24,5 +24,5 @@ is returned and the iterator is reset. After use, the iterator must be deinitialized using @code{gnutls_x509_crl_iter_deinit()} . @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a -negative error value. and a negative error code on error. +negative error value. @end deftypefun diff --git a/doc/functions/gnutls_x509_crl_print b/doc/functions/gnutls_x509_crl_print index 73e9248..3f6b52b 100644 --- a/doc/functions/gnutls_x509_crl_print +++ b/doc/functions/gnutls_x509_crl_print 
@@ -7,7 +7,7 @@ @var{format}: Indicate the format to use -@var{out}: Newly allocated datum with (0) terminated string. +@var{out}: Newly allocated datum with null terminated string. This function will pretty print a X.509 certificate revocation list, suitable for display to a human. diff --git a/doc/functions/gnutls_x509_crq_get_extension_by_oid2 b/doc/functions/gnutls_x509_crq_get_extension_by_oid2 new file mode 100644 index 0000000..5dd933d --- /dev/null +++ b/doc/functions/gnutls_x509_crq_get_extension_by_oid2 @@ -0,0 +1,27 @@ + + + + +@deftypefun {int} {gnutls_x509_crq_get_extension_by_oid2} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, int @var{indx}, gnutls_datum_t * @var{output}, unsigned int * @var{critical}) +@var{crq}: should contain a @code{gnutls_x509_crq_t} structure + +@var{oid}: holds an Object Identifier in a null terminated string + +@var{indx}: In case multiple same OIDs exist in the extensions, this +specifies which to get. Use (0) to get the first one. + +@var{output}: will hold the allocated extension data + +@var{critical}: will be non-zero if the extension is marked as critical + +This function will return the extension specified by the OID in +the certificate. The extensions will be returned as binary data +DER encoded, in the provided buffer. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error code in case of an error. If the certificate does not +contain the specified extension +@code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} will be returned. + +@strong{Since:} 3.3.8 +@end deftypefun diff --git a/doc/functions/gnutls_x509_crq_get_extension_by_oid2.short b/doc/functions/gnutls_x509_crq_get_extension_by_oid2.short new file mode 100644 index 0000000..88f111f --- /dev/null +++ b/doc/functions/gnutls_x509_crq_get_extension_by_oid2.short 
@@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_x509_crq_get_extension_by_oid2} (gnutls_x509_crq_t @var{crq}, const char * @var{oid}, int @var{indx}, gnutls_datum_t * @var{output}, unsigned int * @var{critical}) diff --git a/doc/functions/gnutls_x509_crq_print b/doc/functions/gnutls_x509_crq_print index a598f2a..0d4e7dd 100644 --- a/doc/functions/gnutls_x509_crq_print +++ b/doc/functions/gnutls_x509_crq_print @@ -7,7 +7,7 @@ @var{format}: Indicate the format to use -@var{out}: Newly allocated datum with (0) terminated string. +@var{out}: Newly allocated datum with null terminated string. This function will pretty print a certificate request, suitable for display to a human. diff --git a/doc/functions/gnutls_x509_crt_check_hostname b/doc/functions/gnutls_x509_crt_check_hostname index 9ff0396..0b61ff2 100644 --- a/doc/functions/gnutls_x509_crt_check_hostname +++ b/doc/functions/gnutls_x509_crt_check_hostname @@ -9,14 +9,10 @@ This function will check if the given certificate's subject matches the given hostname. This is a basic implementation of the matching -described in RFC2818 (HTTPS), which takes into account wildcards, +described in RFC6125, and takes into account wildcards, and the DNSName/IPAddress subject alternative name PKIX extension. -The comparison may have false-negatives as it is done byte by byte in -non-ascii names. - -Wildcards are only considered if the domain name consists of three -components or more, and the wildcard starts at the leftmost position. +For details see also @code{gnutls_x509_crt_check_hostname2()} . @strong{Returns:} non-zero for a successful match, and zero on failure. @end deftypefun diff --git a/doc/functions/gnutls_x509_crt_check_hostname2 b/doc/functions/gnutls_x509_crt_check_hostname2 index db7d47b..602f046 100644 --- a/doc/functions/gnutls_x509_crt_check_hostname2 +++ b/doc/functions/gnutls_x509_crt_check_hostname2 
@@ -11,11 +11,18 @@ This function will check if the given certificate's subject matches the given hostname. This is a basic implementation of the matching -described in RFC2818 (HTTPS), which takes into account wildcards, +described in RFC6125, and takes into account wildcards, and the DNSName/IPAddress subject alternative name PKIX extension. -The comparison may have false-negatives as it is done byte by byte in -non-ascii names. +IPv4 addresses are accepted by this function in the dotted-decimal +format (e.g, ddd.ddd.ddd.ddd), and IPv6 addresses in the hexadecimal +x:x:x:x:x:x:x:x format. For them the IPAddress subject alternative +name extension is consulted, as well as the DNSNames in case of a non-match. +The latter fallback exists due to misconfiguration of many servers +which place an IPAddress inside the DNSName extension. + +The comparison of dns names may have false-negatives as it is done byte +by byte in non-ascii names. When the flag @code{GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS} is specified no wildcards are considered. Otherwise they are only considered if the diff --git a/doc/functions/gnutls_x509_crt_check_issuer b/doc/functions/gnutls_x509_crt_check_issuer index dfb4362..899cac5 100644 --- a/doc/functions/gnutls_x509_crt_check_issuer +++ b/doc/functions/gnutls_x509_crt_check_issuer @@ -11,6 +11,9 @@ This function will check if the given certificate was issued by the given issuer. It checks the DN fields and the authority key identifier and subject key identifier fields match. +If the same certificate is provided at the @code{cert} and @code{issuer} fields, +it will check whether the certificate is self-signed. + @strong{Returns:} It will return true (1) if the given certificate is issued by the given issuer, and false (0) if not. @end deftypefun diff --git a/doc/functions/gnutls_x509_crt_get_authority_info_access b/doc/functions/gnutls_x509_crt_get_authority_info_access index a3aece5..02304e1 100644 
--- a/doc/functions/gnutls_x509_crt_get_authority_info_access +++ b/doc/functions/gnutls_x509_crt_get_authority_info_access @@ -11,7 +11,7 @@ @var{data}: output data to be freed with @code{gnutls_free()} . -@var{critical}: pointer to output integer that is set to non-0 if the extension is marked as critical (may be @code{NULL} ) +@var{critical}: pointer to output integer that is set to non-zero if the extension is marked as critical (may be @code{NULL} ) Note that a simpler API to access the authority info data is provided by @code{gnutls_x509_aia_get()} and @code{gnutls_x509_ext_import_aia()} . @@ -37,17 +37,20 @@ hold the accessLocation GeneralName type (e.g., If @code{what} is @code{GNUTLS_IA_URI} , @code{data} will hold the accessLocation URI data. Requesting this @code{what} value leads to an error if the -accessLocation is not of the "uniformResourceIdentifier" type. +accessLocation is not of the "uniformResourceIdentifier" type. If @code{what} is @code{GNUTLS_IA_OCSP_URI} , @code{data} will hold the OCSP URI. Requesting this @code{what} value leads to an error if the accessMethod is not 1.3.6.1.5.5.7.48.1 aka OSCP, or if accessLocation is not of -the "uniformResourceIdentifier" type. +the "uniformResourceIdentifier" type. In that case @code{GNUTLS_E_UNKNOWN_ALGORITHM} +will be returned, and @code{seq} should be increased and this function +called again. If @code{what} is @code{GNUTLS_IA_CAISSUERS_URI} , @code{data} will hold the caIssuers URI. Requesting this @code{what} value leads to an error if the accessMethod is not 1.3.6.1.5.5.7.48.2 aka caIssuers, or if accessLocation is not of the "uniformResourceIdentifier" type. +In that case handle as in @code{GNUTLS_IA_OCSP_URI} . More @code{what} values may be allocated in the future as needed. diff --git a/doc/functions/gnutls_x509_crt_get_ca_status b/doc/functions/gnutls_x509_crt_get_ca_status index e7a5724..38ad9e4 100644 --- a/doc/functions/gnutls_x509_crt_get_ca_status 
+++ b/doc/functions/gnutls_x509_crt_get_ca_status @@ -15,7 +15,9 @@ does not have CA flag set. Use @code{gnutls_x509_crt_get_basic_constraints()} if you want to read the pathLenConstraint field too. -@strong{Returns:} A negative error code may be returned in case of parsing error. -If the certificate does not contain the basicConstraints extension -@code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} will be returned. +@strong{Returns:} If the certificate is a CA a positive value will be +returned, or (0) if the certificate does not have CA flag set. A +negative error code may be returned in case of errors. If the +certificate does not contain the basicConstraints extension +GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. @end deftypefun diff --git a/doc/functions/gnutls_x509_crt_get_extension_by_oid2 b/doc/functions/gnutls_x509_crt_get_extension_by_oid2 new file mode 100644 index 0000000..a45fa69 --- /dev/null +++ b/doc/functions/gnutls_x509_crt_get_extension_by_oid2 
@@ -0,0 +1,26 @@ + + + + +@deftypefun {int} {gnutls_x509_crt_get_extension_by_oid2} (gnutls_x509_crt_t @var{cert}, const char * @var{oid}, int @var{indx}, gnutls_datum_t * @var{output}, unsigned int * @var{critical}) +@var{cert}: should contain a @code{gnutls_x509_crt_t} structure + +@var{oid}: holds an Object Identified in null terminated string + +@var{indx}: In case multiple same OIDs exist in the extensions, this specifies which to send. Use (0) to get the first one. + +@var{output}: will hold the allocated extension data + +@var{critical}: will be non-zero if the extension is marked as critical + +This function will return the extension specified by the OID in the +certificate. The extensions will be returned as binary data DER +encoded, in the provided buffer. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, +otherwise a negative error code is returned. If the certificate does not +contain the specified extension +GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. + +@strong{Since:} 3.3.8 +@end deftypefun diff --git a/doc/functions/gnutls_x509_crt_get_extension_by_oid2.short b/doc/functions/gnutls_x509_crt_get_extension_by_oid2.short new file mode 100644 index 0000000..9831b32 --- /dev/null +++ b/doc/functions/gnutls_x509_crt_get_extension_by_oid2.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_x509_crt_get_extension_by_oid2} (gnutls_x509_crt_t @var{cert}, const char * @var{oid}, int @var{indx}, gnutls_datum_t * @var{output}, unsigned int * @var{critical}) diff --git a/doc/functions/gnutls_x509_crt_print b/doc/functions/gnutls_x509_crt_print index 6891bd8..ccfa8a9 100644 --- a/doc/functions/gnutls_x509_crt_print +++ b/doc/functions/gnutls_x509_crt_print @@ -7,7 +7,7 @@ @var{format}: Indicate the format to use -@var{out}: Newly allocated datum with (0) terminated string. +@var{out}: Newly allocated datum with null terminated string. This function will pretty print a X.509 certificate, suitable for display to a human. 
diff --git a/doc/functions/gnutls_x509_crt_set_crq b/doc/functions/gnutls_x509_crt_set_crq index bdbd801..7d5541d 100644 --- a/doc/functions/gnutls_x509_crt_set_crq +++ b/doc/functions/gnutls_x509_crt_set_crq @@ -11,6 +11,9 @@ This function will set the name and public parameters as well as the extensions from the given certificate request to the certificate. Only RSA keys are currently supported. +Note that this function will only set the @code{crq} if it is self +signed and the signature is correct. See @code{gnutls_x509_crq_sign2()} . + @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error value. @end deftypefun diff --git a/doc/functions/gnutls_x509_crt_set_issuer_unique_id b/doc/functions/gnutls_x509_crt_set_issuer_unique_id new file mode 100644 index 0000000..fe93487 --- /dev/null +++ b/doc/functions/gnutls_x509_crt_set_issuer_unique_id @@ -0,0 +1,16 @@ + + + + +@deftypefun {int} {gnutls_x509_crt_set_issuer_unique_id} (gnutls_x509_crt_t @var{cert}, const void * @var{id}, size_t @var{id_size}) +@var{cert}: a certificate of type @code{gnutls_x509_crt_t} + +@var{id}: The unique ID + +@var{id_size}: Holds the size of the unique ID. + +This function will set the X.509 certificate's issuer unique ID field. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun diff --git a/doc/functions/gnutls_x509_crt_set_issuer_unique_id.short b/doc/functions/gnutls_x509_crt_set_issuer_unique_id.short new file mode 100644 index 0000000..10eec97 --- /dev/null +++ b/doc/functions/gnutls_x509_crt_set_issuer_unique_id.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_x509_crt_set_issuer_unique_id} (gnutls_x509_crt_t @var{cert}, const void * @var{id}, size_t @var{id_size}) diff --git a/doc/functions/gnutls_x509_crt_set_subject_unique_id b/doc/functions/gnutls_x509_crt_set_subject_unique_id new file mode 100644 index 0000000..d0ca8d2 --- /dev/null 
+++ b/doc/functions/gnutls_x509_crt_set_subject_unique_id @@ -0,0 +1,16 @@ + + + + +@deftypefun {int} {gnutls_x509_crt_set_subject_unique_id} (gnutls_x509_crt_t @var{cert}, const void * @var{id}, size_t @var{id_size}) +@var{cert}: a certificate of type @code{gnutls_x509_crt_t} + +@var{id}: The unique ID + +@var{id_size}: Holds the size of the unique ID. + +This function will set the X.509 certificate's subject unique ID field. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun diff --git a/doc/functions/gnutls_x509_crt_set_subject_unique_id.short b/doc/functions/gnutls_x509_crt_set_subject_unique_id.short new file mode 100644 index 0000000..dec6d99 --- /dev/null +++ b/doc/functions/gnutls_x509_crt_set_subject_unique_id.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_x509_crt_set_subject_unique_id} (gnutls_x509_crt_t @var{cert}, const void * @var{id}, size_t @var{id_size}) diff --git a/doc/functions/gnutls_x509_ext_deinit b/doc/functions/gnutls_x509_ext_deinit new file mode 100644 index 0000000..b085fab --- /dev/null +++ b/doc/functions/gnutls_x509_ext_deinit @@ -0,0 +1,11 @@ + + + + +@deftypefun {void} {gnutls_x509_ext_deinit} (gnutls_x509_ext_st * @var{ext}) +@var{ext}: The extensions structure + +This function will deinitialize an extensions structure. + +@strong{Since:} 3.3.8 +@end deftypefun diff --git a/doc/functions/gnutls_x509_ext_deinit.short b/doc/functions/gnutls_x509_ext_deinit.short new file mode 100644 index 0000000..103ce4f --- /dev/null +++ b/doc/functions/gnutls_x509_ext_deinit.short @@ -0,0 +1 @@ +@item @var{void} @ref{gnutls_x509_ext_deinit} (gnutls_x509_ext_st * @var{ext}) diff --git a/doc/functions/gnutls_x509_ext_import_proxy b/doc/functions/gnutls_x509_ext_import_proxy index 4548305..29b34d4 100644 --- a/doc/functions/gnutls_x509_ext_import_proxy +++ b/doc/functions/gnutls_x509_ext_import_proxy 
@@ -17,6 +17,7 @@ field and the actual value, -1 indicate that the field is absent. This function will return the information from a proxy certificate extension. It reads the ProxyCertInfo X.509 extension (1.3.6.1.5.5.7.1.14). +The @code{policyLanguage} and @code{policy} values must be deinitialized using @code{gnutls_free()} after use. @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error value. diff --git a/doc/functions/gnutls_x509_ext_print b/doc/functions/gnutls_x509_ext_print new file mode 100644 index 0000000..39993d7 --- /dev/null +++ b/doc/functions/gnutls_x509_ext_print @@ -0,0 +1,21 @@ + + + + +@deftypefun {int} {gnutls_x509_ext_print} (gnutls_x509_ext_st * @var{exts}, unsigned int @var{exts_size}, gnutls_certificate_print_formats_t @var{format}, gnutls_datum_t * @var{out}) +@var{exts}: The structures to be printed + +@var{exts_size}: the number of available structures + +@var{format}: Indicate the format to use + +@var{out}: Newly allocated datum with null terminated string. + +This function will pretty print X.509 certificate extensions, +suitable for display to a human. + +The output @code{out} needs to be deallocated using @code{gnutls_free()} . + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. +@end deftypefun diff --git a/doc/functions/gnutls_x509_ext_print.short b/doc/functions/gnutls_x509_ext_print.short new file mode 100644 index 0000000..d4ec00a --- /dev/null +++ b/doc/functions/gnutls_x509_ext_print.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_x509_ext_print} (gnutls_x509_ext_st * @var{exts}, unsigned int @var{exts_size}, gnutls_certificate_print_formats_t @var{format}, gnutls_datum_t * @var{out}) diff --git a/doc/functions/gnutls_x509_key_purpose_get b/doc/functions/gnutls_x509_key_purpose_get index 5bf6f4c..24907df 100644 --- a/doc/functions/gnutls_x509_key_purpose_get +++ b/doc/functions/gnutls_x509_key_purpose_get 
@@ -10,7 +10,7 @@ @var{oid}: Will hold the object identifier of the key purpose (to be treated as constant) This function will retrieve the specified by the index key purpose in the -purposes structure. +purposes structure. The object identifier will be a null terminated string. @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, @code{GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE} if the index is out of bounds, otherwise a negative error value. diff --git a/doc/functions/gnutls_x509_name_constraints_add_excluded b/doc/functions/gnutls_x509_name_constraints_add_excluded index d058a8a..f095ccf 100644 --- a/doc/functions/gnutls_x509_name_constraints_add_excluded +++ b/doc/functions/gnutls_x509_name_constraints_add_excluded @@ -10,7 +10,11 @@ @var{name}: The data of the constraints This function will add a name constraint to the list of excluded -constraints. +constraints. The constraints @code{type} can be any of the following types: +@code{GNUTLS_SAN_DNSNAME} , @code{GNUTLS_SAN_RFC822NAME} , @code{GNUTLS_SAN_DN} , +@code{GNUTLS_SAN_URI} , @code{GNUTLS_SAN_IPADDRESS} . For the latter, an IP address +in network byte order is expected, followed by its network mask (which is +4 bytes in IPv4 or 16-bytes in IPv6). @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error value. diff --git a/doc/functions/gnutls_x509_name_constraints_add_permitted b/doc/functions/gnutls_x509_name_constraints_add_permitted index 4d8067f..f32060e 100644 --- a/doc/functions/gnutls_x509_name_constraints_add_permitted +++ b/doc/functions/gnutls_x509_name_constraints_add_permitted 
@@ -10,7 +10,10 @@ @var{name}: The data of the constraints This function will add a name constraint to the list of permitted -constraints. +constraints. The constraints @code{type} can be any of the following types: +@code{GNUTLS_SAN_DNSNAME} , @code{GNUTLS_SAN_RFC822NAME} , @code{GNUTLS_SAN_DN} , +@code{GNUTLS_SAN_URI} , @code{GNUTLS_SAN_IPADDRESS} . For the latter, an IP address +in network byte order is expected, followed by its network mask. @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error value. diff --git a/doc/functions/gnutls_x509_othername_to_virtual b/doc/functions/gnutls_x509_othername_to_virtual new file mode 100644 index 0000000..951f1f2 --- /dev/null +++ b/doc/functions/gnutls_x509_othername_to_virtual @@ -0,0 +1,20 @@ + + + + +@deftypefun {int} {gnutls_x509_othername_to_virtual} (const char * @var{oid}, const gnutls_datum_t * @var{othername}, unsigned int * @var{virt_type}, gnutls_datum_t * @var{virt}) +@var{oid}: The othername object identifier + +@var{othername}: -- undescribed -- + +@var{virt_type}: GNUTLS_SAN_OTHERNAME_XXX + +@var{virt}: allocated printable data + +This function will parse and convert the othername data to a virtual +type supported by gnutls. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error value. + +@strong{Since:} 3.3.8 +@end deftypefun diff --git a/doc/functions/gnutls_x509_othername_to_virtual.short b/doc/functions/gnutls_x509_othername_to_virtual.short new file mode 100644 index 0000000..13b4a64 --- /dev/null +++ b/doc/functions/gnutls_x509_othername_to_virtual.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_x509_othername_to_virtual} (const char * @var{oid}, const gnutls_datum_t * @var{othername}, unsigned int * @var{virt_type}, gnutls_datum_t * @var{virt}) diff --git a/doc/functions/gnutls_x509_trust_list_add_crls b/doc/functions/gnutls_x509_trust_list_add_crls index 33ace7c..5c8f966 100644 
--- a/doc/functions/gnutls_x509_trust_list_add_crls +++ b/doc/functions/gnutls_x509_trust_list_add_crls @@ -18,7 +18,10 @@ to the trusted list. The list of CRLs must not be deinitialized during this structure's lifetime. This function must be called after @code{gnutls_x509_trust_list_add_cas()} -to allow verifying the CRLs for validity. +to allow verifying the CRLs for validity. If the flag @code{GNUTLS_TL_NO_DUPLICATES} +is given, then any provided CRLs that are a duplicate, will be deinitialized +and not added to the list (that assumes that @code{gnutls_x509_trust_list_deinit()} +will be called with all=1). @strong{Returns:} The number of added elements is returned. diff --git a/doc/functions/gnutls_x509_trust_list_add_system_trust b/doc/functions/gnutls_x509_trust_list_add_system_trust index 0d5980f..62e3ecd 100644 --- a/doc/functions/gnutls_x509_trust_list_add_system_trust +++ b/doc/functions/gnutls_x509_trust_list_add_system_trust @@ -10,9 +10,11 @@ @var{tl_vflags}: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL This function adds the system's default trusted certificate -authorities to the trusted list. Note that on unsupported system +authorities to the trusted list. Note that on unsupported systems this function returns @code{GNUTLS_E_UNIMPLEMENTED_FEATURE} . +This function implies the flag @code{GNUTLS_TL_NO_DUPLICATES} . + @strong{Returns:} The number of added elements or a negative error code on error. @strong{Since:} 3.1 diff --git a/doc/functions/gnutls_x509_trust_list_add_trust_dir b/doc/functions/gnutls_x509_trust_list_add_trust_dir new file mode 100644 index 0000000..9453688 --- /dev/null +++ b/doc/functions/gnutls_x509_trust_list_add_trust_dir 
@@ -0,0 +1,25 @@ + + + + +@deftypefun {int} {gnutls_x509_trust_list_add_trust_dir} (gnutls_x509_trust_list_t @var{list}, const char * @var{ca_dir}, const char * @var{crl_dir}, gnutls_x509_crt_fmt_t @var{type}, unsigned int @var{tl_flags}, unsigned int @var{tl_vflags}) +@var{list}: The structure of the list + +@var{ca_dir}: A directory containing the CAs (optional) + +@var{crl_dir}: A directory containing a list of CRLs (optional) + +@var{type}: The format of the certificates + +@var{tl_flags}: GNUTLS_TL_* + +@var{tl_vflags}: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL + +This function will add the given certificate authorities +to the trusted list. Only directories are accepted by +this function. + +@strong{Returns:} The number of added elements is returned. + +@strong{Since:} 3.3.6 +@end deftypefun diff --git a/doc/functions/gnutls_x509_trust_list_add_trust_dir.short b/doc/functions/gnutls_x509_trust_list_add_trust_dir.short new file mode 100644 index 0000000..5bcfc19 --- /dev/null +++ b/doc/functions/gnutls_x509_trust_list_add_trust_dir.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_x509_trust_list_add_trust_dir} (gnutls_x509_trust_list_t @var{list}, const char * @var{ca_dir}, const char * @var{crl_dir}, gnutls_x509_crt_fmt_t @var{type}, unsigned int @var{tl_flags}, unsigned int @var{tl_vflags}) diff --git a/doc/functions/gnutls_x509_trust_list_add_trust_file b/doc/functions/gnutls_x509_trust_list_add_trust_file index ee50e4e..6d730e0 100644 --- a/doc/functions/gnutls_x509_trust_list_add_trust_file +++ b/doc/functions/gnutls_x509_trust_list_add_trust_file 
@@ -16,8 +16,11 @@ @var{tl_vflags}: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL This function will add the given certificate authorities -to the trusted list. pkcs11 URLs are also accepted, instead -of files, by this function. +to the trusted list. PKCS @code{11} URLs are also accepted, instead +of files, by this function. A PKCS @code{11} URL implies a trust +database (a specially marked module in p11-kit); the URL "pkcs11:" +implies all trust databases in the system. Only a single URL specifying +trust databases can be set; they cannot be stacked with multiple calls. @strong{Returns:} The number of added elements is returned. diff --git a/doc/functions/gnutls_x509_trust_list_get_issuer b/doc/functions/gnutls_x509_trust_list_get_issuer index 8ee9816..4f8100f 100644 --- a/doc/functions/gnutls_x509_trust_list_get_issuer +++ b/doc/functions/gnutls_x509_trust_list_get_issuer @@ -9,10 +9,13 @@ @var{issuer}: Will hold the issuer if any. Should be treated as constant. -@var{flags}: Use zero. +@var{flags}: Use zero or @code{GNUTLS_TL_GET_COPY} -This function will attempt to find the issuer of the -given certificate. +This function will find the issuer of the given certificate. +If the flag @code{GNUTLS_TL_GET_COPY} is specified a copy of the issuer +will be returned which must be freed using @code{gnutls_x509_crt_deinit()} . +Note that the flag @code{GNUTLS_TL_GET_COPY} is required for this function +to work with PKCS @code{11} trust lists in a thread-safe way. @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error value. diff --git a/doc/functions/gnutls_x509_trust_list_verify_crt2 b/doc/functions/gnutls_x509_trust_list_verify_crt2 new file mode 100644 index 0000000..6bd0c27 --- /dev/null +++ b/doc/functions/gnutls_x509_trust_list_verify_crt2 
@@ -0,0 +1,46 @@ + + + + +@deftypefun {int} {gnutls_x509_trust_list_verify_crt2} (gnutls_x509_trust_list_t @var{list}, gnutls_x509_crt_t * @var{cert_list}, unsigned int @var{cert_list_size}, gnutls_typed_vdata_st * @var{data}, unsigned int @var{elements}, unsigned int @var{flags}, unsigned int * @var{voutput}, gnutls_verify_output_function @var{func}) +@var{list}: The structure of the list + +@var{cert_list}: is the certificate list to be verified + +@var{cert_list_size}: is the certificate list size + +@var{data}: an array of typed data + +@var{elements}: the number of data elements + +@var{flags}: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations. + +@var{voutput}: will hold the certificate verification output. + +@var{func}: If non-null will be called on each chain element verification with the output. + +This function will try to verify the given certificate and return +its status. The @code{verify} parameter will hold an OR'ed sequence of +@code{gnutls_certificate_status_t} flags. + +Additionally a certificate verification profile can be specified +from the ones in @code{gnutls_certificate_verification_profiles_t} by +ORing the result of @code{GNUTLS_PROFILE_TO_VFLAGS()} to the verification +flags. + +The acceptable @code{data} types are @code{GNUTLS_DT_DNS_HOSTNAME} and @code{GNUTLS_DT_KEY_PURPOSE_OID} . +The former accepts as data a null-terminated hostname, and the latter a null-terminated +object identifier (e.g., @code{GNUTLS_KP_TLS_WWW_SERVER} ). +If a DNS hostname is provided then this function will compare +the hostname in the certificate against the given. If names do not match the +@code{GNUTLS_CERT_UNEXPECTED_OWNER} status flag will be set. 
+If a key purpose OID is provided and the end-certificate contains the extended key +usage PKIX extension, it will be required to be have the provided key purpose +or be marked for any purpose, otherwise verification will fail with @code{GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE} status. + +@strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a +negative error value. Note that verification failure will not result to an +error code, only @code{voutput} will be updated. + +@strong{Since:} 3.3.8 +@end deftypefun diff --git a/doc/functions/gnutls_x509_trust_list_verify_crt2.short b/doc/functions/gnutls_x509_trust_list_verify_crt2.short new file mode 100644 index 0000000..7c3b35b --- /dev/null +++ b/doc/functions/gnutls_x509_trust_list_verify_crt2.short @@ -0,0 +1 @@ +@item @var{int} @ref{gnutls_x509_trust_list_verify_crt2} (gnutls_x509_trust_list_t @var{list}, gnutls_x509_crt_t * @var{cert_list}, unsigned int @var{cert_list_size}, gnutls_typed_vdata_st * @var{data}, unsigned int @var{elements}, unsigned int @var{flags}, unsigned int * @var{voutput}, gnutls_verify_output_function @var{func}) diff --git a/doc/gnutls-api.texi b/doc/gnutls-api.texi index d64e9b5..433d7b6 100644 --- a/doc/gnutls-api.texi +++ b/doc/gnutls-api.texi @@ -91,10 +91,13 @@ This function allows you to get the negotiated protocol name. The returned protocol should be treated as opaque, constant value and only valid during the session life. +The selected protocol is the first supported by the list sent +by the client. + @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error code is returned. -Since 3.1.11 +Since 3.2.0 @end deftypefun @subheading gnutls_alpn_set_protocols 
@@ -109,7 +112,7 @@ Since 3.1.11 @var{flags}: zero or @code{GNUTLS_ALPN_} * This function is to be used by both clients and servers, to declare -the supported ALPN protocols, which are used during peer negotiation. +the supported ALPN protocols, which are used during negotiation with peer. If @code{GNUTLS_ALPN_MAND} is specified the connection will be aborted if no matching ALPN protocol is found. @@ -117,7 +120,7 @@ if no matching ALPN protocol is found. @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error code is returned. -Since 3.1.11 +Since 3.2.0 @end deftypefun @subheading gnutls_anon_allocate_client_credentials @@ -412,9 +415,12 @@ is returned. @var{issuer}: Will hold the issuer if any. Should be treated as constant. -@var{flags}: Use zero. +@var{flags}: Use zero or @code{GNUTLS_TL_GET_COPY} This function will return the issuer of a given certificate. +As with @code{gnutls_x509_trust_list_get_issuer()} this function requires +the @code{GNUTLS_TL_GET_COPY} flag in order to operate with PKCS @code{11} trust +lists. In that case the issuer must be freed using @code{gnutls_x509_crt_deinit()} . @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise a negative error value. @@ -452,7 +458,7 @@ issuer's certificate, then the issuer's issuer etc. In case of OpenPGP keys a single key will be returned in raw format. -@strong{Returns:} a pointer to a @code{gnutls_datum_t} containing our +@strong{Returns:} a pointer to a @code{gnutls_datum_t} containing the peer's certificates, or @code{NULL} in case of an error or if no certificate was used. @end deftypefun 
@@ -618,7 +624,7 @@ The callback's function prototype is: int (*callback)(gnutls_session_t, const gnutls_datum_t* req_ca_dn, int nreqs, const gnutls_pk_algorithm_t* pk_algos, int pk_algos_length, gnutls_retr2_st* st); - @code{req_ca_cert} is only used in X.509 certificates. + @code{req_ca_dn} is only used in X.509 certificates. Contains a list with the CA names that the server considers trusted. Normally we should send a certificate that is signed by one of these CAs. These names are DER encoded. To get a more @@ -772,6 +778,9 @@ the certificate chain in @code{cert_list} . Note that the certificates and keys provided, can be safely deinitialized after this function is called. +If that function fails to load the @code{res} structure is at an undefined state, it must +not be reused to load other keys or certificates. + @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success, or a negative error code. @strong{Since:} 2.4.0 @@ -807,6 +816,9 @@ that the supported URLs are the ones indicated by @code{gnutls_url_is_supported( In case the @code{certfile} is provided as a PKCS @code{11} URL, then the certificate, and its present issuers in the token are are imported (i.e., the required trust chain). +If that function fails to load the @code{res} structure is at an undefined state, it must +not be reused to load other keys or certificates. + @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success, or a negative error code. @end deftypefun @@ -844,6 +856,9 @@ that the supported URLs are the ones indicated by @code{gnutls_url_is_supported( In case the @code{certfile} is provided as a PKCS @code{11} URL, then the certificate, and its present issuers in the token are are imported (i.e., the required trust chain). +If that function fails to load the @code{res} structure is at an undefined state, it must +not be reused to load other keys or certificates. + @strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) on success, or a negative error code. @end deftypefun 
@@ -1028,6 +1043,25 @@ on error. @strong{Since:} 2.4.0 @end deftypefun +@subheading gnutls_certificate_set_x509_trust_dir +@anchor{gnutls_certificate_set_x509_trust_dir} +@deftypefun {int} {gnutls_certificate_set_x509_trust_dir} (gnutls_certificate_credentials_t @var{cred}, const char * @var{ca_dir}, gnutls_x509_crt_fmt_t @var{type}) +@var{cred}: is a @code{gnutls_certificate_credentials_t} structure. + +@var{ca_dir}: is a directory containing the list of trusted CAs (DER or PEM list) + +@var{type}: is PEM or DER + +This function adds the trusted CAs present in the directory in order to +verify client or server certificates. This function is identical +to @code{gnutls_certificate_set_x509_trust_file()} but loads all certificates +in a directory. + +@strong{Returns:} the number of certificates processed + +@strong{Since:} 3.3.6 +@end deftypefun + @subheading gnutls_certificate_set_x509_trust_file @anchor{gnutls_certificate_set_x509_trust_file} @deftypefun {int} {gnutls_certificate_set_x509_trust_file} (gnutls_certificate_credentials_t @var{cred}, const char * @var{cafile}, gnutls_x509_crt_fmt_t @var{type}) @@ -1051,8 +1085,7 @@ This function can also accept URLs. In that case it will import all certificates that are marked as trusted. Note that the supported URLs are the ones indicated by @code{gnutls_url_is_supported()} . -@strong{Returns:} number of certificates processed, or a negative error code on -error. +@strong{Returns:} the number of certificates processed @end deftypefun @subheading gnutls_certificate_set_x509_trust_mem 
@@ -1163,18 +1196,19 @@ The default verification flags used by this function can be overridden using @code{gnutls_certificate_set_verify_flags()} . See the documentation of @code{gnutls_certificate_verify_peers2()} for details in the verification process. -The acceptable data types are @code{GNUTLS_DT_DNS_HOSTNAME} and @code{GNUTLS_DT_KEY_PURPOSE_OID} . +The acceptable @code{data} types are @code{GNUTLS_DT_DNS_HOSTNAME} and @code{GNUTLS_DT_KEY_PURPOSE_OID} . +The former accepts as data a null-terminated hostname, and the latter a null-terminated +object identifier (e.g., @code{GNUTLS_KP_TLS_WWW_SERVER} ). If a DNS hostname is provided then this function will compare -the hostname in the certificate against the given. The comparison will -be accurate for ascii names; non-ascii names are compared byte-by-byte. -If names do not match the @code{GNUTLS_CERT_UNEXPECTED_OWNER} status flag will be set. - +the hostname in the certificate against the given. If names do not match the +@code{GNUTLS_CERT_UNEXPECTED_OWNER} status flag will be set. If a key purpose OID is provided and the end-certificate contains the extended key usage PKIX extension, it will be required to be have the provided key purpose -(e.g., @code{GNUTLS_KP_TLS_WWW_SERVER} ), or be marked for any purpose, otherwise -verification will fail with @code{GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE} status. +or be marked for any purpose, otherwise verification will fail with @code{GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE} status. -@strong{Returns:} a negative error code on error and @code{GNUTLS_E_SUCCESS} (0) on success. +@strong{Returns:} a negative error code on error and @code{GNUTLS_E_SUCCESS} (0) +when the peer's certificate was successfully parsed, irrespective of whether +it was verified. @strong{Since:} 3.3.0 @end deftypefun 
@@ -1205,7 +1239,9 @@ Note that you must also check the peer's name in order to check if the verified certificate belongs to the actual peer, see @code{gnutls_x509_crt_check_hostname()} , or use @code{gnutls_certificate_verify_peers3()} . -@strong{Returns:} a negative error code on error and @code{GNUTLS_E_SUCCESS} (0) on success. +@strong{Returns:} a negative error code on error and @code{GNUTLS_E_SUCCESS} (0) +when the peer's certificate was successfully parsed, irrespective of whether +it was verified. @end deftypefun @subheading gnutls_certificate_verify_peers3 @@ -1233,7 +1269,9 @@ If names do not match the @code{GNUTLS_CERT_UNEXPECTED_OWNER} status flag will In order to verify the purpose of the end-certificate (by checking the extended key usage), use @code{gnutls_certificate_verify_peers()} . -@strong{Returns:} a negative error code on error and @code{GNUTLS_E_SUCCESS} (0) on success. +@strong{Returns:} a negative error code on error and @code{GNUTLS_E_SUCCESS} (0) +when the peer's certificate was successfully parsed, irrespective of whether +it was verified. @strong{Since:} 3.1.4 @end deftypefun @@ -1615,6 +1653,9 @@ the generator used. This function should be used for both anonymous and ephemeral Diffie-Hellman. The output parameters must be freed with @code{gnutls_free()} . +Note, that the prime and generator are exported as non-negative +integers and may include a leading zero byte. + @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise an error code is returned. @end deftypefun @@ -1659,6 +1700,9 @@ Diffie-Hellman key exchange. This function should be used for both anonymous and ephemeral Diffie-Hellman. The output parameters must be freed with @code{gnutls_free()} . +Note, that public key is exported as non-negative +integer and may include a leading zero byte. + @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise an error code is returned. @end deftypefun 
@@ -1848,8 +1892,8 @@ In the client side it sets the minimum accepted number of bits. If a server sends a prime with less bits than that @code{GNUTLS_E_DH_PRIME_UNACCEPTABLE} will be returned by the handshake. -Note that values lower than 512 bits may allow decryption of the -exchanged data. +Note that this function will warn via the audit log for value that +are believed to be weak. The function has no effect in server side. @@ -1962,8 +2006,7 @@ This function is only useful if you are dealing with errors from functions that relate to a TLS session (e.g., record layer or handshake layer handling functions). -@strong{Returns:} zero on non fatal errors or positive @code{error} values. Non-zero -on fatal error codes. +@strong{Returns:} Non-zero value on fatal errors or zero on non-fatal. @end deftypefun @subheading gnutls_error_to_alert 
@@ -2173,18 +2216,26 @@ return a negative error code. In case of a client, if the client has asked to resume a session, but the server couldn't, then a full handshake will be performed. -The non-fatal errors such as @code{GNUTLS_E_AGAIN} and -@code{GNUTLS_E_INTERRUPTED} interrupt the handshake procedure, which -should be resumed later. Call this function again, until it +The non-fatal errors expected by this function are: +@code{GNUTLS_E_INTERRUPTED} , @code{GNUTLS_E_AGAIN} , +@code{GNUTLS_E_WARNING_ALERT_RECEIVED} , and @code{GNUTLS_E_GOT_APPLICATION_DATA} , +the latter only in a case of rehandshake. + +The former two interrupt the handshake procedure due to the lower +layer being interrupted, and the latter because of an alert that +may be sent by a server (it is always a good idea to check any +received alerts). On these errors call this function again, until it returns 0; cf. @code{gnutls_record_get_direction()} and -@code{gnutls_error_is_fatal()} . +@code{gnutls_error_is_fatal()} . In DTLS sessions the non-fatal error +@code{GNUTLS_E_LARGE_PACKET} is also possible, and indicates that +the MTU should be adjusted. If this function is called by a server after a rehandshake request then @code{GNUTLS_E_GOT_APPLICATION_DATA} or @code{GNUTLS_E_WARNING_ALERT_RECEIVED} may be returned. Note that these are non fatal errors, only in the specific case of a rehandshake. Their meaning is that the client rejected the rehandshake request or -in the case of @code{GNUTLS_E_GOT_APPLICATION_DATA} it might also mean that +in the case of @code{GNUTLS_E_GOT_APPLICATION_DATA} it could also mean that some data were pending. @strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, otherwise a negative error code. 
@@ -2273,11 +2324,14 @@ there is a man-in-the-middle attack being performed. This function will set the maximum size of all handshake messages. Handshakes over this size are rejected with @code{GNUTLS_E_HANDSHAKE_TOO_LARGE} error code. The default value is -48kb which is typically large enough. Set this to 0 if you do not +128kb which is typically large enough. Set this to 0 if you do not want to set an upper limit. The reason for restricting the handshake message sizes are to limit Denial of Service attacks. + +Note that the maximum handshake size was increased to 128kb +from 48kb in GnuTLS 3.3.25. @end deftypefun @subheading gnutls_handshake_set_post_client_hello_function @@ -2356,7 +2410,8 @@ Since 3.1.9 This function sets the timeout for the handshake process to the provided value. Use an @code{ms} value of zero to disable -timeout. +timeout, or @code{GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT} for a reasonable +default value. @strong{Since:} 3.1.0 @end deftypefun @@ -2970,7 +3025,7 @@ to signature algorithms. @var{label}: label used in PRF computation, typically a short string. -@var{server_random_first}: non-0 if server random field should be first in seed +@var{server_random_first}: non-zero if server random field should be first in seed @var{extra_size}: length of the @code{extra} variable. 
@@ -2981,13 +3036,15 @@ to signature algorithms. @var{out}: pre-allocated buffer to hold the generated data. Applies the TLS Pseudo-Random-Function (PRF) on the master secret -and the provided data, seeded with the client and server random fields, -as specified in RFC5705. +and the provided data, seeded with the client and server random fields. + +The output of this function is identical to RFC5705 extractor if @code{extra} and @code{extra_size} are set to zero. Otherwise, @code{extra} should contain the context +value prefixed by a two-byte length. The @code{label} variable usually contains a string denoting the purpose for the generated data. The @code{server_random_first} indicates whether the client random field or the server random field should be first -in the seed. Non-0 indicates that the server random field is first, +in the seed. Non-zero indicates that the server random field is first, 0 that the client random field is first. The @code{extra} variable can be used to add more data to the seed, after @@ -3130,9 +3187,9 @@ Once the last available index is crossed then @deftypefun {int} {gnutls_priority_init} (gnutls_priority_t * @var{priority_cache}, const char * @var{priorities}, const char ** @var{err_pos}) @var{priority_cache}: is a @code{gnutls_prioritity_t} structure. -@var{priorities}: is a string describing priorities +@var{priorities}: is a string describing priorities (may be @code{NULL} ) -@var{err_pos}: In case of an error this will have the position in the string the error occured +@var{err_pos}: In case of an error this will have the position in the string the error occurred Sets priorities for the ciphers, key exchange methods, macs and compression methods. 
@@ -3209,6 +3266,9 @@ enabled, SSL3.0 is disabled, and libz compression enabled. Note that "NORMAL:@code{COMPAT} " is the most compatible mode. +A @code{NULL} @code{priorities} string indicates the default priorities to be +used (this is available since GnuTLS 3.3.0). + @strong{Returns:} On syntax error @code{GNUTLS_E_INVALID_REQUEST} is returned, @code{GNUTLS_E_SUCCESS} on success, or an error code. @end deftypefun @@ -3558,7 +3618,7 @@ should return @code{GNUTLS_E_SUCCESS} (0) on success. @subheading gnutls_random_art @anchor{gnutls_random_art} @deftypefun {int} {gnutls_random_art} (gnutls_random_art_t @var{type}, const char * @var{key_type}, unsigned int @var{key_size}, void * @var{fpr}, size_t @var{fpr_size}, gnutls_datum_t * @var{art}) -@var{type}: The type of the random art +@var{type}: The type of the random art (for now only @code{GNUTLS_RANDOM_ART_OPENSSH} is supported) @var{key_type}: The type of the key (RSA, DSA etc.) @@ -3571,7 +3631,7 @@ should return @code{GNUTLS_E_SUCCESS} (0) on success. @var{art}: The returned random art This function will convert a given fingerprint to an "artistic" -image. The returned image is allocated using @code{gnutls_malloc()} +image. The returned image is allocated using @code{gnutls_malloc()} . @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise an error code is returned. @@ -3622,7 +3682,7 @@ padding, false (0) if the current session does not. @var{session}: is a @code{gnutls_session_t} structure. This function checks if there pending corked -data in the gnutls buffers --see @code{gnutls_cork()} . +data in the gnutls buffers --see @code{gnutls_record_cork()} . @strong{Returns:} Returns the size of the corked data or zero. 
@@ -3647,9 +3707,8 @@ is guaranteed not to block. @deftypefun {void} {gnutls_record_cork} (gnutls_session_t @var{session}) @var{session}: is a @code{gnutls_session_t} structure. -If called @code{gnutls_record_send()} will no longer send partial records. -All queued records will be sent when @code{gnutls_uncork()} is called, or -when the maximum record size is reached. +If called, @code{gnutls_record_send()} will no longer send any records. +Any sent records will be cached until @code{gnutls_record_uncork()} is called. This function is safe to use with DTLS after GnuTLS 3.3.0. @@ -3686,6 +3745,9 @@ reading or writing, @code{gnutls_record_get_direction()} returns 0 if the interrupted function was trying to read data, and 1 if it was trying to write data. +This function's output is unreliable if you are using the + @code{session} in different threads, for sending and receiving. + @strong{Returns:} 0 if trying to read data, 1 if trying to write data. @end deftypefun @@ -3914,7 +3976,7 @@ timeout (the default). @var{flags}: Could be zero or @code{GNUTLS_RECORD_WAIT} -This resets the effect of @code{gnutls_cork()} , and flushes any pending +This resets the effect of @code{gnutls_record_cork()} , and flushes any pending data. If the @code{GNUTLS_RECORD_WAIT} flag is specified then this function will block until the data is sent or a fatal error occurs (i.e., the function will retry on @code{GNUTLS_E_AGAIN} and 
@@ -4140,7 +4202,8 @@ applications. Returns all session parameters needed to be stored to support resumption. The client should call this, and store the returned session data. A session may be resumed later by calling @code{gnutls_session_set_data()} . -This function must be called after a successful handshake. +This function must be called after a successful (full) handshake. It should +not be used in resumed sessions --see @code{gnutls_session_is_resumed()} . @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise an error code is returned. @@ -4156,7 +4219,9 @@ an error code is returned. Returns all session parameters needed to be stored to support resumption. The client should call this, and store the returned session data. A session may be resumed later by calling @code{gnutls_session_set_data()} . -This function must be called after a successful handshake. +This function must be called after a successful (full) handshake. It should +not be used in resumed sessions --see @code{gnutls_session_is_resumed()} . + The returned @code{data} are allocated and must be released using @code{gnutls_free()} . @strong{Returns:} On success, @code{GNUTLS_E_SUCCESS} (0) is returned, otherwise 
@@ -4399,17 +4464,9 @@ error code. @deftypefun {int} {gnutls_set_default_priority} (gnutls_session_t @var{session}) @var{session}: is a @code{gnutls_session_t} structure. -Sets some default priority on the ciphers, key exchange methods, -macs and compression methods. - -This typically sets a default priority that is considered -sufficiently secure to establish encrypted sessions. - -This function is kept around for backwards compatibility, but -because of its wide use it is still fully supported. If you wish -to allow users to provide a string that specify which ciphers to -use (which is recommended), you should use -@code{gnutls_priority_set_direct()} or @code{gnutls_priority_set()} instead. +Sets the default priority on the ciphers, key exchange methods, +macs and compression methods. For more fine-tuning you could +use @code{gnutls_priority_set_direct()} or @code{gnutls_priority_set()} instead. @strong{Returns:} @code{GNUTLS_E_SUCCESS} on success, or an error code. @end deftypefun 
@@ -4763,13 +4820,18 @@ This function can be used to set a callback to retrieve the user's SRP credentials. The callback's function form is: int (*callback)(gnutls_session_t, const char* username, -gnutls_datum_t* salt, gnutls_datum_t *verifier, gnutls_datum_t* generator, -gnutls_datum_t* prime); +gnutls_datum_t *salt, gnutls_datum_t *verifier, gnutls_datum_t *generator, +gnutls_datum_t *prime); @code{username} contains the actual username. The @code{salt} , @code{verifier} , @code{generator} and @code{prime} must be filled in using the @code{gnutls_malloc()} . For convenience @code{prime} and @code{generator} may also be one of the static parameters defined in gnutls.h. +Initially, the data field is NULL in every @code{gnutls_datum_t} +structure that the callback has to fill in. When the +callback is done GnuTLS deallocates all of those buffers +which are non-NULL, regardless of the return value. + In order to prevent attackers from guessing valid usernames, if a user does not exist, g and n values should be filled in using a random user's parameters. In that case the callback must @@ -5122,9 +5184,11 @@ negative error value. This function will associate a commitment (hash) storage function with the trust storage structure. The function is of the following form. -gnutls_tdb_store_commitment_func(const char* db_name, const char* host, +int gnutls_tdb_store_commitment_func(const char* db_name, const char* host, const char* service, time_t expiration, gnutls_digest_algorithm_t, const gnutls_datum_t* hash); + +The @code{db_name} should be used to pass any private data to this function. @end deftypefun @subheading gnutls_tdb_set_store_func 
@@ -5137,9 +5201,11 @@ gnutls_digest_algorithm_t, const gnutls_datum_t* hash); This function will associate a storage function with the trust storage structure. The function is of the following form. -gnutls_tdb_store_func(const char* db_name, const char* host, +int gnutls_tdb_store_func(const char* db_name, const char* host, const char* service, time_t expiration, const gnutls_datum_t* pubkey); + +The @code{db_name} should be used to pass any private data to this function. @end deftypefun @subheading gnutls_tdb_set_verify_func @@ -5152,8 +5218,13 @@ const gnutls_datum_t* pubkey); This function will associate a retrieval function with the trust storage structure. The function is of the following form. -gnutls_tdb_verify_func(const char* db_name, const char* host, +int gnutls_tdb_verify_func(const char* db_name, const char* host, const char* service, const gnutls_datum_t* pubkey); + +The verify function should return zero on a match, @code{GNUTLS_E_CERTIFICATE_KEY_MISMATCH} +if there is a mismatch and any other negative error code otherwise. + +The @code{db_name} should be used to pass any private data to this function. @end deftypefun @subheading gnutls_transport_get_int @@ -5220,7 +5291,7 @@ and PULL). These should have been set using @var{err}: error value to store in session-specific errno variable. Store @code{err} in the session-specific errno variable. Useful values -for @code{err} is EAGAIN and EINTR, other values are treated will be +for @code{err} are EINTR, EAGAIN and EMSGSIZE, other values are treated will be treated as real errors in the push/pull function. This function is useful in replacement push and pull functions set by diff --git a/doc/gnutls-guile.html b/doc/gnutls-guile.html index c4ba107..c02da5e 100644 --- a/doc/gnutls-guile.html +++ b/doc/gnutls-guile.html @@ -1,7 +1,7 @@ - - + -GnuTLS-Guile 3.3.5 +GnuTLS-Guile 3.3.26 - - + + @@ -28,16 +28,16 @@ Documentation License". -->
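Review bot: the sentence added in the @@ -772,6 +778,9 @@ hunk, and repeated verbatim in the @@ -807,6 +816,9 @@ and @@ -844,6 +856,9 @@ hunks, misparses: "If that function fails to load the @code{res} structure is at an undefined state" reads as "fails to load the res structure". Suggest "If this function fails, the @code{res} structure is left in an undefined state and must not be reused to load other keys or certificates", and add what the caller should do with it instead (deinitialize it and allocate a fresh one), since as written the reader is left holding a structure they may neither use nor are told how to dispose of.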
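Review bot: the @@ -1028,6 +1043,25 @@ hunk removes "or a negative error code on error" from the Returns of gnutls_certificate_set_x509_trust_file and documents the new gnutls_certificate_set_x509_trust_dir as returning only "the number of certificates processed". Both read files or directories that can be missing or unreadable, so unless these functions now never fail the removed wording should stay and be used for gnutls_certificate_set_x509_trust_dir as well; a caller that only tests the return against zero will miss a negative error and go on with an empty trust store. For the directory variant, also say whether a file that fails to parse aborts the call or is skipped, since that decides whether a partially loaded trust store is possible.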
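Review bot: the new Returns text in the @@ -1163,18 +1196,19 @@ hunk, and in the matching @@ -1205,7 +1239,9 @@ and @@ -1233,7 +1269,9 @@ hunks for gnutls_certificate_verify_peers2/3, is the important clarification in this patch, but it should finish the thought and say where the verification result lives: a return of 0 with @code{GNUTLS_CERT_UNEXPECTED_OWNER} or @code{GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE} set in the status output is a failed verification, and an application that checks only the return value accepts unverified peers. The same hunk also deletes "The comparison will be accurate for ascii names; non-ascii names are compared byte-by-byte" without a replacement; if that is still the behaviour the caveat should stay, and if hostname matching changed the hunk should say what is done with non-ASCII names now.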
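Review bot: in the @@ -1659,6 +1700,9 @@ hunk "Note, that public key is exported as non-negative integer" needs its articles and no comma ("Note that the public key is exported as a non-negative integer"); the @@ -1615,6 +1653,9 @@ hunk has the same "Note, that". More usefully, both notes should tell the caller what the optional leading zero byte means for them: the exported datum is not a canonical fixed-width encoding, so code that compares, hashes or fingerprints these values must strip the leading zero or left-pad to a fixed width first, or two exports of the same value can compare unequal.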
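Review bot: the @@ -1848,8 +1892,8 @@ hunk replaces a concrete statement (values below 512 bits may allow decryption of the exchanged data) with "will warn via the audit log for value that are believed to be weak", which has a typo ("values") and drops what a caller needs to know: whether a weak value is still accepted and merely logged, and what the threshold is. Keep the consequence and state the threshold next to the audit-log behaviour, along the lines of "values below the threshold are accepted but reported as weak via the audit log", so the reader does not mistake a log line for a rejection.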
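Review bot: in the @@ -2173,18 +2216,26 @@ hunk "the latter" is used twice with different referents: after the list of four codes, "the latter only in a case of rehandshake" means @code{GNUTLS_E_GOT_APPLICATION_DATA}, and in the next sentence "the latter because of an alert" means @code{GNUTLS_E_WARNING_ALERT_RECEIVED}. Name the codes explicitly. The parenthetical "it is always a good idea to check any received alerts" should also say how: an application that simply loops on gnutls_handshake() until it returns 0 never sees the alert, and of these non-fatal codes the warning alert is the one that carries information from the peer, so point the reader at the function that retrieves the last received alert.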
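Review bot: the @@ -2273,11 +2324,14 @@ hunk leaves "Set this to 0 if you do not want to set an upper limit" next to the sentence that the limit exists to limit denial of service; say plainly that 0 removes that protection and lets an unauthenticated peer make the library buffer an arbitrarily large handshake. "The reason for restricting the handshake message sizes are to limit" should read "is to limit", and the added 128kb/48kb note would be easier to find as a @strong{Since:}-style line than as a trailing paragraph.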
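Review bot: the @@ -2356,7 +2410,8 @@ hunk introduces @code{GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT} as "a reasonable default value" without saying what it is; give the value or where it is defined, and, as with the handshake size limit, note that an @code{ms} of zero lets a peer that never completes the handshake hold the connection open indefinitely.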
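Review bot: in the @@ -2981,13 +3036,15 @@ hunk, RFC 5705 defines keying material exporters, so "RFC5705 extractor" should be "RFC 5705 exporter". The equivalence claim is also incomplete: besides empty @code{extra}, it only holds for the seed order RFC 5705 uses (client random first, i.e. @code{server_random_first} = 0), and the hunk itself documents that flag as changing the seed; say so, or a caller passing non-zero will believe they are producing RFC 5705 output. "prefixed by a two-byte length" should state the byte order (RFC 5705 uses a big-endian uint16) and whether @code{extra_size} counts the prefix.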
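Review bot: the @@ -3622,7 +3682,7 @@ hunk fixes the function name but leaves "This function checks if there pending corked data", which needs a verb ("if there are pending corked data").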
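Review bot: the @@ -3647,9 +3707,8 @@ hunk removes "or when the maximum record size is reached" and now says all records are cached until gnutls_record_uncork(). If that is accurate, the doc should say that the buffer grows without bound until uncork, so a caller that corks a session and writes a large stream holds all of it in memory; if the flush at the maximum record size still happens, the sentence should not have been dropped.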
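Review bot: the @@ -4763,13 +4820,18 @@ hunk says GnuTLS deallocates every non-NULL datum the callback filled in, regardless of the return value, while two lines earlier the same text says @code{prime} and @code{generator} "may also be one of the static parameters defined in gnutls.h". Those statements conflict unless the static parameters are exempt or must be copied into a gnutls_malloc() buffer; say which, because a callback that points @code{prime}.data at a static table and returns will otherwise have GnuTLS free memory it does not own.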
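Review bot: the @@ -5122,9 +5184,11 @@ and @@ -5137,9 +5201,11 @@ hunks add the @code{int} return type to gnutls_tdb_store_commitment_func and gnutls_tdb_store_func but, unlike the @@ -5152,8 +5218,13 @@ hunk for the verify function, never say what the store functions should return or how a non-zero return is handled (is a failed store an error for the caller, or ignored?). Add the same kind of sentence. "The @code{db_name} should be used to pass any private data to this function" is also surprising for a @code{const char*}; state that the library passes the string through unchanged, since that is what makes it usable as a private-data channel.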
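Review bot: the @@ -5220,7 +5291,7 @@ hunk fixes "is" to "are" but keeps the duplicated verb in "other values are treated will be treated as real errors"; drop one. Since the hunk adds EMSGSIZE to the accepted values, it should also say what the library does with it (the DTLS MTU case in the @@ -2173,18 +2216,26 @@ hunk, where @code{GNUTLS_E_LARGE_PACKET} is described, looks like the intended consumer), so that a replacement push function knows when to set it.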