Fix CVE-2017-6891 in minitasn1 code
[platform/upstream/gnutls.git] / ChangeLog
index 14897e9..4743a48 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
-2016-04-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-03-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: released 3.4.11
-
-2016-04-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac: tests: do not enable valgrind in non-git builds
+       * NEWS, configure.ac, m4/hooks.m4: bumped version
 
-2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/ocsp_output.c, lib/x509/output.c: x509 output: don't warn
-       about insecure algorithm when unknown
+       * NEWS: doc update Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-03-05  Alex Gaynor <alex.gaynor@gmail.com>
 
-       * tests/suite/Makefile.am, tests/suite/testcompat-openssl.sh: tests:
-       disable unsupported curves from compatibility checks This allows running make check even when compiling with
-       disable-suiteb-curves.
+       * lib/opencdk/read-packet.c: Enforce the max packet length for
+       OpenPGP subpackets as well This addresses:   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
 
-2016-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_state.c: dtls: added missing dtls.h to state.c
+       * NEWS: doc update
 
-2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-03-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * configure.ac, m4/hooks.m4: bumped version
+       * lib/opencdk/kbnode.c, lib/opencdk/keydb.c, lib/opencdk/literal.c,
+       lib/opencdk/opencdk.h, lib/opencdk/read-packet.c,
+       lib/openpgp/gnutls_openpgp.c, lib/openpgp/pgp.c,
+       lib/openpgp/privkey.c: opencdk: do not parse any secret keys in
+       packet when reading a certificate This reduces the attack surface on the parsers, and prevents any
+       bugs in the secret key parser to be exploitable by inserting secret
+       key sub-packets into an openpgp certificate.  This addresses:   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-02-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * tests/Makefile.am, tests/crt_apis.c: tests: backported crt_apis
+       from master branch In addition to other APIs, this explicitly tests
+       gnutls_x509_crt_set_subject_unique_id() and
+       gnutls_x509_crt_set_issuer_unique_id().  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-02-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/minitasn1/coding.c, lib/minitasn1/decoding.c,
-       lib/minitasn1/element.c, lib/minitasn1/element.h,
-       lib/minitasn1/int.h, lib/minitasn1/libtasn1.h,
-       lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h,
-       lib/minitasn1/structure.c: minitasn1: updated to latest git version
+       * src/certtool-cfg.c: certtool: increased buffer for reading from
+       user This allows reading longer than 128-byte fields interactively.  The
+       new limit is 512-bytes.  Relates #179 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/cha-gtls-app.texi: doc: Replace references to select with poll
-       and other fixes
+       * tests/Makefile.am, tests/pkcs11/pkcs11-import-with-pin.c: tests:
+       added PKCS#11 test for pin input This introduces a test on PIN input to retrieve an object using
+       pin-value and pin-source (file).  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/cha-gtls-app.texi: doc: replace inaccurate sentence with
-       reference to gnutls_record_discard_queued [ci skip]
+       * tests/utils.c, tests/utils.h: tests: utils: added ability to use
+       tmpfiles Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_state.c: gnutls_record_get_direction: doc update [ci
-       skip]
+       * tests/Makefile.am, tests/pkcs11/pkcs11-pubkey-import-rsa.c,
+       tests/pkcs11/pkcs11-pubkey-import.c: tests: backported PKCS#11 test In addition to public key import checks, this test ensures that the
+       pin-value attribute is functional.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/x509sign-verify2.c: tests: reduce the number of loops in
-       x509sign-verify2 This enables running the test in reasonable time under valgrind.
+       * NEWS: doc update Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/pkix.asn, lib/pkix_asn1_tab.c: pkix.asn: corrected byKey
-       definition OCSP is defined in an EXPLICIT tags module, and as such we must tag
-       explicitly all of its tags.
+       * configure.ac, lib/pkcs11.c: Use p11_kit_uri_get_pin_value() if
+       available in p11-kit This allows parsing the pin-value attribute of the PKCS#11 URI.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/name_constraints.c: name constraints: enforce the rules
-       for IP constraints when adding This will prevent gnutls from generating badly formed certificates.
+       * lib/nettle/pk.c: nettle/pk: added error checking in
+       _rsa_params_to_pubkey Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-02-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/common.c, lib/x509/common.h, lib/x509/x509.c: 
-       _gnutls_parse_general_name2: allow parsing empty names This allows parsing empty general names such as an empty DNSname
-       used in name constraints.
+       * lib/nettle/pk.c: nettle/pk: corrected memcpy of Q in DSA params Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-04-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-02-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2016-04-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/ocsptool-common.c: ocsptool: use HTTP/1.0 for requests This avoids issue with servers serving chunk encoding which ocsptool
-       doesn't support. Reported by Thomas Klute.
+       * lib/opencdk/read-packet.c: opencdk/read-packet.c: corrected typo
+       in type cast Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * lib/opencdk/read-packet.c: cdk_pkt_read: enforce packet limits That ensures that there are no overflows in the subsequent
+       calculations.  Resolves the oss-fuzz found bug:
+       https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 Relates: #159 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-02-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/certtool-long-cn: tests: delete outfile in
-       certtool-long-cn
+       * lib/pkcs11.c: gnutls_pkcs11_obj_list_import_url2: Always return an
+       initialized pointer When returning success, but no elements,
+       gnutls_pkcs11_obj_list_import_url4, could have returned zero number
+       of elements with a pointer that was uninitialized.  Ensure that an
+       initialized (i.e., null in that case), pointer is always returned.
+       Reported by Jeremy Harris.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-01-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/Makefile.am, tests/cert-tests/name-constraints,
-       tests/cert-tests/name-constraints-ip2.pem: tests: verify the output
-       of name constraints IP decoding
+       * lib/opencdk/read-packet.c: opencdk: improved error code checking
+       in the stream reading functions This ammends 49be4f7b82eba2363bb8d4090950dad976a77a3a Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/output.c: x509/output: simplified cidr_to_string()
+       * tests/cert-tests/Makefile.am, tests/key-tests/Makefile.am: tests:
+       do not run key-tests and cert-tests under leak sanitizer The reason is that we cannot distinguish between a memory leak on
+       application failure (which is followed by exit- thus should be
+       ignored) and an address sanitizer issue (which should never be
+       ignored).  As such we disable leak detection with asan and rely on
+       valgrind.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/output.c: x509/output: print RFC5280 CIDRs in name
-       constraints
+       * tests/key-tests/Makefile.am: tests: added missing file
 
-2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * .gitlab-ci.yml: .gitlab-ci.yml: Build and Check - separate build
+       dir (x86): force build in gitlab shared runners In the Centos7 based runners there is an issue running autogen.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_dtls.c, lib/gnutls_dtls.h, lib/gnutls_state.c: dtls:
-       reset the record number sliding window on gnutls_record_set_state() This addresses issue where gnutls_record_set_state() was called with
-       a new state but the sliding window information was not updated, thus
-       blocking any incoming packets.  Resolves #82
+       * .gitignore, src/Makefile.am: tools: use stamp files to allow
+       parallel build of autogen files Autogen seems to output on the creates files gradually, something
+       that makes 'make' believe that the command is complete prior to the
+       output file being fully populated. The current approach uses stamp
+       files to ensure that no incomplete files are used for compilation.
 
-2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_record.c: DTLS: save last valid record sequence number This will allow to report a valid number to
-       gnutls_record_get_state() callers in case of DTLS. Reported by
-       Fridolin Pokorny.
+       * NEWS: doc update [ci skip]
 
-2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_state.c: gnutls_record_get_state: Allow for NULL
-       parameters
+       * NEWS, doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: 
+       updated auto-generated files
 
-2016-03-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/ocsptool.c: ocsptool: don't exit with error code on
-       verification failures when --ignore-errors is given
+       * configure.ac, m4/hooks.m4: bumped version
 
-2016-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/ocsptool.c: ocsptool: exit with error on verification failures
+       * NEWS: doc update [ci skip]
 
-2016-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/ocsp.c: ocsp: gnutls_ocsp_resp_verify_direct will skip
-       additional checks for certificates matching issuer That eliminates issue with ocsptool rejecting OCSP responses signed
-       by the same CA that signed the certificate. Reported by Thomas
-       Klute.
+       * lib/opencdk/read-packet.c: opencdk: added error checking in the
+       stream reading functions This addresses an out of memory error. Issue found using oss-fuzz:   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/ocsptool-args.def, src/ocsptool.c: ocsptool: Allow saving
-       responses even if verification fails In addition do not enter a spurious newline to responses.
+       * lib/opencdk/pubkey.c: opencdk: cdk_pk_get_keyid: fix stack
+       overflow Issue found using oss-fuzz:   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-03-23  Maya Rashish <coypu@sdf.org>
+2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/dtls/dtls-stress.c: Avoid using strerror in dtls stress test Using it results in build failure on NetBSD: undefined reference to
-       `rpl_strerror'
+       * lib/opencdk/read-packet.c: opencdk: read_attribute: added more
+       precise checks when reading stream That addresses heap read overflows found using oss-fuzz:   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-03-23  Maya Rashish <coypu@sdf.org>
+2017-01-01  Alex Gaynor <alex.gaynor@gmail.com>
 
-       * tests/utils.h: Add missing header to testsuite This causes a problem for NetBSD+clang tests, because SIGTERM and
-       kill are undefined.  Resolves #80 Signed-off-by: Maya Rashish <coypu@sdf.org>
+       * lib/opencdk/read-packet.c: Corrected a leak in OpenPGP sub-packet
+       parsing.  Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
 
-2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-30  Alex Gaynor <alex.gaynor@gmail.com>
 
-       * NEWS: doc update [ci skip]
+       * lib/opencdk/read-packet.c: Attempt to fix a leak in OpenPGP cert
+       parsing.
 
-2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-26  Alex Gaynor <alex.gaynor@gmail.com>
 
-       * tests/mini-x509-callbacks.c: tests: verify that the
-       post-client-hello callback has access to ALPN data
+       * lib/opencdk/read-packet.c: Do not infinite loop if an EOF occurs
+       while skipping a PGP packet Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
 
-2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_handshake.c: handshake: parse the mandatory to parse
-       extension prior to any callback call This relates to the change of ALPN extension to mandatory to parse,
-       and allows applications to get ALPN data prior to handshake
-       completion.
+       * lib/opencdk/misc.c: opencdk: Fixes to prevent undefined behavior
+       (found with libubsan)
 
-2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/resume.c: tests: added checks for session resumption and
-       ALPN This checks whether the ALPN extension is re-read on resumption and
-       is negotiated.
+       * NEWS: doc update
 
-2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/resume.c: tests: resume: simplified structure assignment
-       using C99 syntax
+       * lib/auth/rsa.c: auth rsa: eliminated memory leak on pkcs-1
+       formatting attack path Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2016-03-15  Yuriy M. Kaminskiy <yumkam@gmail.com>
+2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/ext/alpn.c: alpn: ALPN state is per-connection, it should not
-       be saved with session data In addition the extension was moved to the mandatory to parse to
-       ensure it is always parsed when sessions are resumed.  rfc7301:     Unlike many other TLS extensions, this extension does not
-           establish properties of the session, only of the connection.
-           When session resumption or session tickets [RFC5077] are used, the
-           previous contents of this extension are irrelevant, and only the
-           values in the new handshake messages are considered.  Signed-off-by: Yuriy M. Kaminskiy <yumkam@gmail.com> Signed-off-by:
-       Nikos Mavrogiannopoulos <nmav@gnutls.org>
+       * NEWS: doc update [ci skip]
 
-2016-03-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/accelerated/x86/x86-common.c: x86-common: CPUID override will
-       only work if CPU has already the capability present This resolves test suite failure on CPUs with limited capabilities.
-       Reported by Andreas Metzler.
+       * lib/x509/verify.c: pkcs11 verification: ensure that an issuer we
+       retrieve is not blacklist It may happen in p11-kit trust module that a trusted certificate is
+       both in the trusted set, and the blacklisted set. To avoid accepting
+       a certificate when in both sets, we always check whether a trusted
+       issuer certificate is in the blacklisted set.
 
-2016-03-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * src/certtool.c: certtool: improved error reporting on file error
 
-2016-03-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-12-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/ext/server_name.c: gnutls_server_name_set: accept non-null
-       terminated hostnames The introduction of IDNA support introduced a regression and this
-       function does not operate correctly when given non-null terminated
-       strings. Reported by Tim Ruehsen.  Relates #78
+       * NEWS: doc update [ci skip]
 
-2016-03-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-12-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/mini-server-name.c: tests: added check for non-null
-       terminated server name This checks whether a non-null terminated server name, but with
-       correct length is correctly accepted by gnutls_server_name_set().  Relates #78
+       * lib/x509/x509_ext.c: gnutls_x509_ext_import_proxy: fix issue
+       reading the policy language If the language was set but the policy wasn't, that could lead to a
+       double free, as the value returned to the user was freed.
 
-2016-03-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/cert-tests/template-nc.pem: tests: template-test was updated
-       for OCSP key purpose reordering
+       * : commit 5ca126e1a5daf071ce690f28823fa97de6a7ae68 Author: Nikos
+       Mavrogiannopoulos <nmav@redhat.com> Date:   Thu Dec 15 17:05:59 2016
+       +0100
 
-2016-03-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2016-03-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool.c: certtool: do not require a CA for OCSP signing This follows the recommendations in RFC6960 in 4.2.2.2 which allow a
-       CA to delegate OCSP signing to another certificate without requiring
-       it to be a CA.  Reported by Thomas Klute.
+       * tests/Makefile.am, tests/pkcs8-key-decode-encrypted.c,
+       tests/pkcs8-key-decode.c: tests: added test for PKCS#8 encrypted key
+       decoding This also verifies that the return value when attempting to decrypt
+       without a password is GNUTLS_E_DECRYPTION_FAILED.
 
-2016-03-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * devel/ABI-x86_64.dump, devel/abi-unchecked-symbols,
-       devel/abi-unchecked-symbols.txt: abi-check: corrected type of
-       gnutls_x509_crl_get_issuer_dn That will avoid any accidental ABI breakage on that symbol.
+       * tests/key-tests/Makefile.am, tests/key-tests/pkcs8-invalid: tests:
+       added test suite with PKCS#8 files that have invalid encryption
 
-2016-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * .gitlab-ci.yml: .gitlab-ci.yml: added abi-checker rule This allows to test ABI incompatibilities as soon as possible.
+       * lib/x509/privkey_pkcs8.c: PKCS#7 decrypt_data: merge all errors
+       during decryption to GNUTLS_E_DECRYPTION_FAILED
 
-2016-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * Makefile.am, devel/ABI-dane-x86_64.dump, devel/ABI-x86_64.dump,
-       devel/abi-unchecked-symbols, devel/abi-unchecked-symbols.txt,
-       devel/abi.xml, devel/abi3.2.xml, devel/abi3.4.xml: Makefile: made
-       abi-checks self-contained That is, they no longer assume a given directory structure to exist
-       outside git. It now includes a static dump of the symbols in 3.4.0
-       for x86_64 and we compare with it.
+       * lib/x509/privkey_pkcs8.c: pkcs8: ensure that the correct error
+       code is returned on decryption failure
 
-2016-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/cli.c: gnutls-cli: fix invalid initialization in
-       cert_verify_ocsp()
+       * lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: added sanity check
+       on padding size Relates #148
 
-2016-03-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: fail without leak
+       on unknown MAC
 
-2016-03-08  Jan Vcelak <jan.vcelak@nic.cz>
+2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/pkcs11_privkey.c: pkcs11: implement correct DSA key pair
-       generating Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>
+       * lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: fail early on
+       invalid block sizes
 
-2016-02-25  Jan Vcelak <jan.vcelak@nic.cz>
+2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/pkcs11_int.c, lib/pkcs11_int.h: pkcs11: add interface for
-       C_GenerateKey Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>
+       * lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: PKCS#5,7
+       decryption: enforce limits in the support parameter sizes This allows to detect invalid parameters early rather than later.
+       Relates #148
 
-2016-03-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/testpkcs11.sh: tests: testpkcs11: the test will always
-       fail in code path failures
+       * NEWS: doc update
 
-2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-07-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/mini-loss-time.c: tests: mini-loss-time: improved timeout
-       detection
+       * src/tpmtool-args.def, src/tpmtool.c: tpmtool: Added --test-sign
+       parameter
 
-2016-02-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/mini-loss-time.c: tests: mini-loss-time: ensure client
-       timeouts after the server is This addresses issue with the server detecting the client
-       disconnection prior to its timeout. Reported by Steven Chamberlain,
-       Andreas Metzler.
+       * src/tpmtool.c: compiler warnings elimination and other bug fixes
 
-2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-06-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_ui.c: gnutls_ocsp_status_request_is_checked: document
-       the version the flag was introduced at
+       * src/tpmtool.c: tpmtool: added newline in error messages
 
-2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/doc.mk: doc: generate manpages for all functions That addresses issue where certain manpages were created empty.  See
-       https://bugzilla.redhat.com/show_bug.cgi?id=1306800
+       * configure.ac, lib/Makefile.am, lib/abstract_int.h,
+       lib/gnutls_errors.c, lib/gnutls_global.c, lib/gnutls_global.h,
+       lib/gnutls_privkey.c, lib/includes/gnutls/gnutls.h.in, lib/tpm.c: 
+       tpm: backported improvements from master branch  * Load libtspi dynamically using dlopen - prevents direct linking
+        with openssl * Fix handling of keys requiring authorization  * In import_tpm_key_cb() fix the wrong password loop
 
-2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-12-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/cha-gtls-app.texi: doc: mention
-       gnutls_certificate_set_x509_trust_dir() It was not mentioned in the "Client or server certificate
-       verification" section.  Resolves #76
+       * src/certtool-args.def: doc: updated to documentation of certtool
+       [ci skip] This corrects options which incorrectly mentioned they support URLs.
 
-2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-12-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/slow/Makefile.am: tests: include test-hash-large into dist
+       * src/certtool.c: Don't trash DER CRQ output with text data Backported patch from master.
 
-2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * po/zh_CN.po.in: Sync with TP [ci skip]
+       * tests/suite/testpkcs11: tests: backported test suite for p11tool
+       --set-id and --set-label options
 
-2016-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_global.c: Disable weak symbols for
-       _gnutls_global_init_skip() under windows That is to avoid an issue with running gnutls under windows; that
-       renders GNUTLS_SKIP_GLOBAL_INIT a no-op under windows.  Relates #74
+       * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: 
+       p11tool: added --set-id and --set-label options
 
-2016-02-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * configure.ac, m4/hooks.m4: bumped version [ci skip]
+       * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
+       lib/pkcs11_int.c, lib/pkcs11_int.h: added
+       gnutls_pkcs11_obj_set_info() This function allows setting information such as the CKA_ID and the
+       CKA_LABEL of an object.
 
-2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/ext/ecc.c: ecc: optimized extension parsing
+       * tests/suite/testpkcs11: tests: check whether PKCS #11 ID set on
+       copy/generation is correct
 
-2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update [ci skip]
+       * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: 
+       p11tool: allow setting the CKA_ID on object
+       initialization/generation
 
-2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_state.c: timespec_sub_ms: fixed operation in 32-bit
-       systems
+       * lib/libgnutls.map: exported new functions
 
-2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/pkcs11.c, lib/pkcs11_int.h: pkcs11: Fixes to prevent undefined
-       behavior (found with libubsan)
+       * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11:
+       enhanced key generation functions to allow specifying a CKA_ID
 
-2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/nettle/cipher.c: cipher.c: Fixes to prevent undefined behavior
-       (found with libubsan)
+       * lib/includes/gnutls/pkcs11.h, lib/pkcs11_write.c: enhanced copy
+       functions to allow specifying a CKA_ID
 
-2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/opencdk/misc.c: opencdk: Fixes to prevent undefined behavior
-       (found with libubsan)
+       * lib/x509/pkcs12_encr.c: pkcs12: fixed the calculation of p_size Include the trailing zero into the size calculation.
 
-2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/includes/gnutls/gnutls.h.in: gnutls.h: Fixes to prevent
-       undefined behavior (found with libubsan)
+       * NEWS: doc update
 
-2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_mem.h, lib/x509/x509.c: x509: Fixes to prevent
-       undefined behavior (found with libubsan)
+       * tests/pkcs12-decode/Makefile.am, tests/pkcs12-decode/pkcs12: 
+       tests: added pkcs12 check with openssl generated structure and long
+       password
 
-2016-02-28  Andreas Metzler <ametzler@bebt.de>
+2016-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/p11tool-args.def: Let p11tool --provider option accept
-       filenames.  Drop 'file-exists = yes;' to allow specifying either an absolute
-       pathname or a file in P11_MODULE_PATH.
+       * lib/x509/pkcs12_encr.c: pkcs12: fixed the calculation of p_size That affects passwords which exceed 32 characters.
 
-2016-02-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-is-known.c,
-       tests/suite/softhsm.h, tests/suite/testpkcs11.softhsm,
-       tests/utils.c, tests/utils.h: tests: enable softhsmv2 test suite by
-       default Also do not fatally fail with known softhsmv2 bugs.
+       * lib/nettle/pk.c: _wrap_nettle_pk_verify: use FAIL_IF_LIB_ERROR
+       prior to returning success This will prevent verification to succeed if the system is in error
+       state.
 
-2016-02-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-11-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2016-02-26  Jan Vcelak <jan.vcelak@nic.cz>
+2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/testpkcs11.sh: pkcs11: tests for RSA, ECC, DSA private
-       key import Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>
+       * lib/ext/signature.c, lib/gnutls_alert.c: Terminate handshake if
+       only unknown or disabled signatures are advertized by the peer That is, do not attempt to proceed assuming that the peer supports
+       SHA-1.
 
-2016-02-26  Jan Vcelak <jan.vcelak@nic.cz>
+2016-10-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/testpkcs11.sh: pkcs11: tests for DSA key generating Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>
+       * NEWS: doc update
 
-2016-02-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/cha-gtls-app.texi: added getpid() to the list of system calls
-       used
+       * lib/ext/status_request.c: certificate status requestion response
+       is optional according to RFC6066
 
-2016-02-25  Jan Vcelak <jan.vcelak@nic.cz>
+2016-10-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/privkey_pkcs8.c: gnutls_x509_privkey_import: add missing
-       algorithm setting for DSA keys The algorithm number was set only in the private key structure, not
-       in the nested structure with parameters. This made certain
-       operations to fail (e.g., copying the key into a PKCS #11 token).  Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>
+       * src/certtool.c: certtool: allow setting key purposes for non-CA
+       certificates That is, allow setting code signing, or time stamping key purpose in
+       certificates that are not marked as CA. The previous restriction
+       served no purpose.
 
-2016-02-24  Sebastian Dröge <sebastian@centricular.com>
+2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * configure.ac: configure: Android is ELF too Without this, compiling Android for x86 or x86-64 fails because the
-       assembly optimizations are not compiled in.
+       * tests/Makefile.am, tests/multi-alerts.c: tests: added check to
+       verify that the server will bail out after many alerts
 
-2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * tests/Makefile.am, tests/naked-alerts.c: tests: added check to
+       verify that the server will bail out after receiving only alerts
 
-2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/Makefile.am, tests/pcert-list.c: tests: added tests for
-       gnutls_pcert_list_import_x509_raw()
+       * tests/cert-common.h: tests: backported the common certs from
+       master
 
-2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/x509.c: gnutls_x509_crt_list_import: corrected memory
-       leak This was triggered if GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED was
-       specified and a failure occurred.
+       * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: 
+       handshake: set a maximum number of warning messages that can be
+       received per handshake That is to avoid DoS due to the assymetry of cost of sending an
+       alert vs the cost of processing.
 
-2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/common.c: _gnutls_sort_clist: fixed issues when used with
-       func option This function would incorrectly call func() on elements that were
-       included in the list, and would not call func() if the size of the
-       final chain was one.
+       * lib/gnutls_record.c: record: disallow parsing of alert messages
+       prior to session start
 
-2016-02-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/algorithms/secparams.c: DH/DSA: allow the generation of larger
-       than 15360 bit parameters
+       * src/certtool-common.c: certtool: improve text on missing options
+       for cert generation
 
-2016-02-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/slow/hash-large.c: tests: eliminated mem leak in hash-large
+       * src/pkcs11.c: p11tool: avoid asking the security officer PIN twice
+       on initialization
 
-2016-02-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update [ci skip]
+       * src/pkcs11.c: p11tool: improved messages on token initialization
 
-2016-02-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/slow/Makefile.am, tests/slow/hash-large.c,
-       tests/slow/test-hash-large: tests: check whether large buffer hashes
-       and MAC work as expected
+       * src/pkcs11.c: p11tool: corrected check of PIN existance in token
+       initialization
 
-2016-02-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/accelerated/x86/hmac-padlock.c,
-       lib/accelerated/x86/hmac-x86-ssse3.c,
-       lib/accelerated/x86/sha-padlock.c,
-       lib/accelerated/x86/sha-padlock.h,
-       lib/accelerated/x86/sha-x86-ssse3.c, lib/nettle/mac.c: nettle: use
-       the correct type for hash and MAC functions
+       * tests/Makefile.am: tests: link tests which utilize nettle with
+       nettle
 
-2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/benchmark-cipher.c: gnutls-cli: improved indentation in
-       benchmark output
+       * doc/Makefile.am, doc/manpages/Makefile.am: updated auto-generated
+       files
 
-2016-02-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/set_pkcs12_cred.c: tests: set_pkcs12_cred: existing tests
-       are disabled when in FIPS140-2 mode The tests require access to the RC4 cipher which is not available.
+       * NEWS: doc update
 
-2016-02-09  Andreas Metzler <ametzler@bebt.de>
+2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/cha-gtls-app.texi: improve doc on special keywords in priority
-       string Special keywords in priority strings like %COMPAT may not be
-       prefixed with +, - or !, "NORMAL:+%COMPAT is invalid.
+       * lib/gnutls_extensions.c: TLS extensions: only cache the extension
+       IDs from exts that the server supports That avoids imposing any artificial limits on the number of
+       extensions that a server can handle.  Resolves #136
 
-2016-02-06  Attila Molnar <attilamolnar@hush.com>
+2016-10-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/cha-cert-auth.texi, doc/cha-gtls-app.texi,
-       doc/cha-tokens.texi, lib/gnutls_auth.c, lib/gnutls_dtls.c,
-       lib/gnutls_extensions.c, src/tpmtool-args.def: doc: Fix some typos
+       * src/certtool.c: certtool: added safety net when generating a
+       certificate request That is, do not allow specifying --generate-request --load-pubkey
+       without specifying --load-privkey. Previously if --load-pubkey would
+       have been used, it would have been ignored, causing confusion to the
+       users.
 
-2016-02-06  Attila Molnar <attilamolnar@hush.com>
+2016-09-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/cha-gtls-app.texi, src/certtool-cfg.c, src/serv-args.def: 
-       Remove remaining RSA-EXPORT support leftovers from doc and messages
+       * NEWS: doc update
 
-2016-02-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-09-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/pkcs11-pubkey-import-ecdsa.c: tests:
-       pkcs11-pubkey-import-ecdsa will only work under softhsmv2
+       * lib/gnutls_handshake.c, lib/gnutls_int.h: Increased the maximum
+       size allowed for handshake messages to 128kb This would allow the library to cope with larger packets, as well as
+       TLS 1.3 hellos. Suggested by Hubert Kario.
 
-2016-02-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS, configure.ac, m4/hooks.m4: bumped version
+       * NEWS: doc update
 
-2016-01-31  Andreas Metzler <ametzler@bebt.de>
+2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_pubkey.c, lib/openpgp/gnutls_openpgp.c,
-       lib/x509/pkcs12_bag.c, lib/x509/x509.c, lib/x509/x509_ext.c,
-       src/certtool-cfg.c: Fix some more typos.  certifcate, funtion, withing, missmatch
+       * lib/gnutls_x509.c: gnutls_certificate_set_*key: ensure proper
+       cleanup on key mismatch failures That is, ensure that we keep no local references that are shared
+       with the caller, and that we properly free all initialized values.
 
-2016-01-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-09-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update [ci skip]
+       * NEWS: doc update
 
-2016-01-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-09-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/template-date.pem,
-       tests/cert-tests/template-dn.pem,
-       tests/cert-tests/template-generalized.pem,
-       tests/cert-tests/template-nc.pem,
-       tests/cert-tests/template-overflow.pem,
-       tests/cert-tests/template-overflow2.pem,
-       tests/cert-tests/template-test.pem,
-       tests/cert-tests/template-unique.pem: Revert "tests: updated to
-       account for cert generation after
-       2adb9b2bfb31afebbdd9f990e2b74c9a3d4e5c57 fix" This reverts commit 735dbde324be6c8785a3dea5f09c82b6a8ad298b.
+       * lib/system.c: _gnutls_ucs2_to_utf8: fixed use of
+       WideCharToMultiByte in windows
 
-2016-01-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-09-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/x509_ext.c: Revert "Fix out-of-bounds read in
-       gnutls_x509_ext_export_key_usage" This was not really an out-of-bounds check. Added documentation to
-       make that clear.  This reverts commit ffbc9aaea7dcf29c03784d128b83f0682357858d.
+       * src/ocsptool.c: ocsptool: do not enter a spurious newline to
+       responses.
 
-2016-01-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_global.c: gnutls_global_init: log gnutls' version on
-       initialization
+       * tests/cert-tests/Makefile.am, tests/cert-tests/template-test,
+       tests/cert-tests/template-unique.pem,
+       tests/cert-tests/template-unique.tmpl: tests: verify that unique IDs
+       are generated as expected
 
-2016-01-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/cha-gtls-app.texi: doc: corrected typo [ci skip]
+       * src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h,
+       src/certtool.c: certtool: Allow writing unique IDs in generated
+       certificates
 
-2016-01-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2015-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/output.c: x509: tolerate missing subject or issuer fields
+       * configure.ac, m4/hooks.m4: bumped version
 
-2016-01-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_pubkey.c: gnutls_pubkey_import_x509_raw: fixed memory
-       leak
+       * lib/includes/gnutls/x509.h, lib/libgnutls.map,
+       lib/x509/x509_write.c: Added gnutls_x509_crt_set_issuer_unique_id()
+       and gnutls_x509_crt_set_subject_unique_id()
 
-2016-01-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/output.c: x509: place newline when printing unsupported
-       othernames
+       * NEWS: doc update
 
-2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-09-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update [ci skip]
+       * lib/gnutls_pk.c: _gnutls_encode_ber_rs_raw: zero-pad values when
+       necessary This addresses issue when encoding values obtained via PKCS#11 which
+       may not be necessarily padded.  Resolves #122
 
-2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-09-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/ext/alpn.c: alpn: when parsing the list of protocols return at
-       the first mutually common That resolves an issue where the server wouldn't select the first
-       mutually supported.  Resolves #63
+       * tests/cert-tests/template-test: tests: don't run overflow tests on
+       archs which fail This addresses a CI failure on x86.
 
-2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-09-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/mini-alpn.c: tests: mini-alpn: corrected protocol selection
-       order
+       * tests/slow/hash-large.c: tests: backported hash-large from master
 
-2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-09-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/mini-alpn.c: tests: alpn: enhance the testing of ALPN
-       negotiation
+       * .gitlab-ci.yml: .gitlab-ci.yml: use the gitlab.com shared runners Backported from master branch
 
-2016-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-08-28  David Woodhouse <dwmw2@infradead.org>
 
-       * lib/ext/alpn.c: alpn: document how the selected protocol is
-       selected [ci skip]
+       * lib/x509/pkcs12.c: gnutls_pkcs12_simple_parse: set the key value
+       to null on failure
 
-2016-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-08-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/mini-alpn.c: tests: verify that the selected ALPN protocol
-       is the first advertised
+       * lib/x509/ocsp.c: ocsp: corrected the comparison of the serial size
+       in OCSP response Previously the OCSP certificate check wouldn't verify the serial
+       length and could succeed in cases it shouldn't.  Reported by Stefan Buehler.
 
-2015-12-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * Makefile.am, src/Makefile.am: build: fix make distclean by
-       including src/gl only once
+       * tests/pkcs8-decode/Makefile.am, tests/pkcs8-decode/pkcs8,
+       tests/pkcs8-decode/pkcs8-pbes2-sha256.pem: tests: added decoding of
+       key with pbes2 and SHA256 PRF
 
-2016-01-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * symbols.last: symbols.last: added new symbol
+       * NEWS, lib/algorithms.h, lib/algorithms/mac.c, lib/gnutls_int.h,
+       lib/includes/gnutls/x509.h, lib/pkix.asn, lib/pkix_asn1_tab.c,
+       lib/x509/Makefile.am, lib/x509/pbkdf2-sha1.c,
+       lib/x509/pbkdf2-sha1.h, lib/x509/pkcs12.c,
+       lib/x509/privkey_openssl.c, lib/x509/privkey_pkcs8.c,
+       lib/x509/x509_int.h, tests/gc.c: Added support for decrypting PKCS#8
+       files which use HMAC-SHA256 as PRF This backports nettle pbkdf2 support, and improves compatibility
+       with new openssl versions.
 
-2016-01-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS, configure.ac, m4/hooks.m4: bumped version
+       * lib/x509/pkcs12.c: pkcs12: increased the number of iterations for
+       MAC
 
-2016-01-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-08-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/verify-high.c: trust_list_get_issuer_by_dn: fixed check
-       for DN or SPKI
+       * lib/crypto-api.c: gnutls_key_generate: fail if the state of the
+       library is invalid Suggested by Stephan Mueller.
 
-2016-01-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-08-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * Makefile.am: symbols.last: don't include internal symbols into
-       exported list
+       * NEWS: doc update
 
-2016-01-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-08-08  Stefan Sørensen <stefan.sorensen@spectralink.com>
 
-       * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
-       auto-generated files
+       * lib/x509/pkcs12.c: Fix gnutls_pkcs12_simple_parse to always
+       extract the complete chain gnutls_pkcs12_simple_parse was only collecting extra certificates
+       that was possible elements of the certificate chain when the
+       extra_certs argument was not NULL. Fix by allways collecting all the
+       certificates, any unneeded certificates are released before
+       returning if extra_certs is NULL anyway.  Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
 
-2016-01-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-08-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * configure.ac: configure: no longer distribute lzip tarballs
+       * lib/nettle/pk.c: nettle: use rsa_*_key_prepare on key import Previously we calculated the size of the key directly, but by using
+       the rsa_*_key_prepare we benefit from any checks that may be
+       introduced in the future. Specifically any checks for invalid public
+       keys (e.g., keys that may crash the underlying gmp functions).  This patch avoids calling rsa_private_key_prepare every time we
+       construct a nettle private key struct, because this function
+       requires a bigint multiplication. We call that function once on
+       private key import.
 
-2016-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-08-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/template-date.pem,
-       tests/cert-tests/template-dn.pem,
-       tests/cert-tests/template-generalized.pem,
-       tests/cert-tests/template-nc.pem,
-       tests/cert-tests/template-overflow.pem,
-       tests/cert-tests/template-overflow2.pem,
-       tests/cert-tests/template-test.pem,
-       tests/cert-tests/template-unique.pem: tests: updated to account for
-       cert generation after 2adb9b2bfb31afebbdd9f990e2b74c9a3d4e5c57 fix
+       * lib/nettle/pk.c: Revert "nettle: use rsa_*_key_prepare" This reverts commit a2c3ee54ea8080eeb59fcfeec88a842324982c90.
 
-2016-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-08-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+       * lib/nettle/pk.c: nettle: use rsa_*_key_prepare Previously we calculated the size of the key directly, but by using
+       the rsa_*_key_prepare we benefit from any checks that may be
+       introduced in the future. Specifically any checks for invalid public
+       keys (e.g., keys that may crash the underlying gmp functions).
+
+2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2016-01-04  Tim Kosse <tim.kosse@filezilla-project.org>
+2016-07-09  Tim Kosse <tim.kosse@filezilla-project.org>
 
-       * lib/x509/x509_ext.c: Fix out-of-bounds read in
-       gnutls_x509_ext_export_key_usage
+       * lib/x509/x509.c: gnutls_x509_crt_list_import2 was ignoring the
+       passed flags if all certificates in the list fit within the
+       initially allocated memory.
 
-2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-07-09  Tim Kosse <tim.kosse@filezilla-project.org>
 
-       * .gitlab-ci.yml: .gitlab-ci.yml: optimized build process That is, in slow asan and valgrind builds don't check the full test
-       suite.
+       * lib/x509/crl.c: gnutls_x509_crl_list_import2 was ignoring the
+       passed flags if all CTLs in the list fit within the initially
+       allocated memory.
 
-2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-07-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update [ci skip]
+       * lib/minitasn1/coding.c, lib/minitasn1/decoding.c,
+       lib/minitasn1/element.c, lib/minitasn1/element.h,
+       lib/minitasn1/int.h, lib/minitasn1/libtasn1.h,
+       lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h,
+       lib/minitasn1/structure.c: minitasn1: updated to libtasn1 4.9
 
-2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-07-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update [ci skip]
+       * NEWS: NEWS: corrected release date [ci skip]
 
-2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-07-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected
-       the writing of ECC private key
+       * NEWS: released 3.3.24
 
-2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/Makefile.am,
-       tests/suite/pkcs11-pubkey-import-ecdsa.c,
-       tests/suite/pkcs11-pubkey-import-rsa.c,
-       tests/suite/pkcs11-pubkey-import.c: tests: pkcs11-pubkey-import will
-       check both RSA and ECDSA keys
+       * configure.ac: configure: check for libdl irrespective of FIPS140
+       configuration This allows to link to libdl for the tests that require it.
 
-2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-07-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected
-       the type of the written object Previously only RSA objects were correctly written.
+       * configure.ac, m4/hooks.m4: bumped version
 
-2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-07-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/cert-common.h: tests: added ECDSA key in cert-common.h
+       * libdane/errors.c, libdane/includes/gnutls/dane.h: dane: corrected
+       the license of libdane files The license was always LGPL version 2.1, and these files mentioned
+       LGPL version 3. Reported by Thomas Petazzoni.
 
-2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/pkcs11_privkey.c: pkcs11: import public keys from any
-       available object That is, load public keys from the public key object, or the
-       certificate object if they are present. That affects non-RSA public
-       keys which do not contain all required fields on the private key
-       object.
+       * tests/Makefile.am: tests: account pkcs11/pkcs11-mock-ext.h in
+       Makefile
 
-2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_db.h: session DB: made the magic number depending on
-       gnutls' version That will make sure that sessions not stored by this version of
-       gnutls will not be resumed by another (which may be incompatible).
+       * tests/Makefile.am: tests: link pkcs11-import-url-privkey with
+       libdl That is because it uses dlopen().
 
-2015-12-26  Andreas Metzler <ametzler@bebt.de>
+2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * README, lib/ext/srtp.c, lib/gnutls_priority.c, lib/locks.c,
-       lib/opencdk/keydb.c, lib/x509/pkcs7.c,
-       tests/mini-handshake-timeout.c: Fix some typos [ci skip]
+       * NEWS: doc update
 
-2015-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: NEWS: doc update [ci skip]
+       * tests/Makefile.am, tests/pkcs11/pkcs11-import-url-privkey.c,
+       tests/pkcs11/pkcs11-mock-ext.h, tests/pkcs11/pkcs11-mock.c: tests:
+       added check to verify the tolerance of broken C_GetAttributes That is, test gnutls_pkcs11_obj_list_import_url4() when importing
+       private keys from tokens that return CKR_OK on sensitive objects,
+       and tokens that return CKR_ATTRIBUTE_SENSTIVE.  Relates #108
 
-2015-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/ext/max_record.c: max_record: don't consider this extension on
-       DTLS That is because it doesn't work as expected, and does not fragment
-       handshake messages. Relates with #61
+       * lib/pkcs11_int.c: pkcs11_get_attribute_avalue: correctly handle a
+       -1 value length from C_GetAttributeValue That is, work-around modules which do not return an error on
+       sensitive objects.  Relates #108
 
-2015-12-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-06-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/cha-crypto.texi, lib/includes/gnutls/gnutls.h.in: updated
-       documentation on supported algorithms [ci skip]
+       * NEWS: doc update
 
-2015-12-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-06-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/cha-intro-tls.texi: Added SHA384 to the list of TLS support
-       MAC algorithms
+       * lib/pkcs11_int.c: pkcs11_get_attribute_avalue: do not assign
+       values on failure When C_GetAttributeValue() returns size but does not return data
+       then pkcs11_get_attribute_avalue() would set the return data pointer
+       to a free'd value. This is against the convention expected by
+       callers, i.e, set data to NULL. Reported by Anthony Alba in #108.
 
-2015-12-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-06-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/no-signal.c: tests: don't run the no-signal test in systems
-       which MSG_NOSIGNAL is not available
+       * tests/suite/testpkcs11, tests/suite/testpkcs11.softhsm: tests:
+       updated testpkcs11 to support softhsmv2
 
-2015-12-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-06-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/manpages/tpmtool.1: doc: manpages: remove generated tpmtool.1
-       page
+       * tests/Makefile.am, tests/{suite => pkcs11}/pkcs11-chainverify.c,
+       tests/{suite => pkcs11}/pkcs11-combo.c, tests/{suite =>
+       pkcs11}/pkcs11-get-issuer.c, tests/{suite =>
+       pkcs11}/pkcs11-is-known.c, tests/{suite => pkcs11}/softhsm.h,
+       tests/suite/Makefile.am: tests: moved pkcs11 tests to main test
+       suite
 
-2015-12-17  Alon Bar-Lev <alon.barlev@gmail.com>
+2016-06-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * .gitignore: .gitignore: add m4/extern-inline.m4
+       * tests/suite/pkcs11-is-known.c: tests: backported pkcs11-is-known
+       from master
 
-2015-12-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-06-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * lib/pkcs11.c: gnutls_pkcs11_crt_is_known: always assume
+       GNUTLS_PKCS11_OBJ_FLAG_COMPARE unless
+       GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is given
 
-2015-12-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-06-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/pkcs7: tests: added check to verify that the
-       PKCS#7 embedded data are recovered as expected
+       * lib/pkcs11.c: find_cert_cb: minor cleanups in find_cert_cb
 
-2015-12-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-args.def, src/certtool.c: certtool: introduced the
-       --p7-show-data option This option allows printing the embedded data in a PKCS#7 signed
-       structure.
+       * NEWS: doc update
 
-2015-12-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, lib/x509/pkcs7.c: 
-       gnutls_pkcs7_get_embedded_data: added function This function allows extracting the embedded data from a PKCS#7
-       signed structure.
+       * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c,
+       tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c,
+       tests/suite/softhsm.h: tests: backported the softhsmv2 pkcs11 checks
+       from 3.4.0
 
-2015-12-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/pkcs7-gen.c: tests: updated pkcs7-gen to account for
-       content-type attribute
+       * lib/pkcs11.c: pkcs11: correctly encode the serial number when
+       searching for certificate In gnutls_pkcs11_crt_is_known() corrected the encoding of the serial
+       number to TLV DER from LV DER. This is the encoding we use when
+       storing that number.
 
-2015-12-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * lib/pkcs11.c: pkcs11: correctly account check_found_cert()
 
-2015-12-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/pkcs7: tests: check whether the content-type
-       attribute is set if we sign using time
+       * lib/pkcs11_write.c: Amended "Corrected the writing of serial
+       number in PKCS#11 modules" This corrects the writing of the serial number.
 
-2015-12-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/pkcs7.c: pkcs7: set by default the content type attribute That is a requirement of rfc5652. Relates #59
+       * NEWS: doc update
 
-2015-12-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/crq.c, lib/x509/mpi.c, lib/x509/pkcs7.c,
-       lib/x509/sign.c, lib/x509/x509_int.h: pkcs7: use the
-       PK_PKIX1_RSA_OID when writing RSA signature OIDs for PKCS#7
-       structures That is because there are implementations which cannot cope with the
-       normal RSA signature OIDs. Relates #59
+       * lib/gnutls_buffers.c: dtls: corrected reconstruction of handshake
+       packets received out of order That is, when the handshake packet is split into multiple different
+       chunks and received out of order, make sure that reconstruction
+       occurs properly. Reported by Guillaume Roguez.
 
-2015-12-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/pkcs7.c, tests/cert-tests/p7-combined.out: pkcs7: Disable
-       the optional fields prior to generating the PKCS#7 structure This resolves issue with our PKCS#7 structures not being parsed by
-       MacOSX' tools. Relates #59
+       * lib/pkcs11_write.c: Corrected the writing of serial number in
+       PKCS#11 modules That is previously the serial number was written in raw format, but
+       in PKCS#11 the serial number must be set encoded as integer. Report
+       and fix by Stanislav Zidek.
 
-2015-12-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool.c: certtool: warn if an ECDSA key is marked for
-       encryption
+       * NEWS: doc update
 
-2015-12-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool.c: certtool: corrected invalid free
+       * lib/pkcs11_privkey.c: pkcs11: when generating a private key ensure
+       the public key is not private This is a backport from the 3.4.x branch.
 
-2015-12-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_session_pack.c, lib/gnutls_state.c, lib/gnutls_ui.c: 
-       make sure gnutls_assert is present at the cases where
-       GNUTLS_E_INTERNAL_ERROR is returned
+       * lib/accelerated/x86/x86-common.c: x86-common: use secure_getenv()
 
-2015-12-14  Gustavo Zacarias <gustavo@zacarias.com.ar>
+2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * configure.ac: configure: really make --disable-crywrap work The crywrap variable is set regardless of the state of
-       enable_crywrap, hence --disable-crywrap never works.  Just put the
-       tests for crywrap deps inside the enable_crywrap conditional.  Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+       * configure.ac: configure.ac: check for secure_getenv where
+       available and always enable system extensions
 
-2015-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/algorithms/ciphersuites.c: updated chacha20 ciphers to conform
-       to latest draft
+       * lib/fips.c, lib/gnutls_global.c, lib/gnutls_mem.h, lib/system.c: 
+       env: use secure_getenv when reading environment variables
 
-2015-11-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/algorithms/ciphers.c, lib/algorithms/ciphersuites.c,
-       lib/gnutls_cipher.c, lib/gnutls_constate.c, lib/gnutls_dtls.c,
-       lib/gnutls_int.h: Modified the CHACHA20 cipher to conform to
-       draft-ietf-tls-chacha20-poly1305-02
+       * lib/pkcs11.c: pkcs11: added sanity check to find_obj_url_cb() for
+       object validity Also avoid unnecessary recursion.
 
-2015-12-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/cli-debug.c: gnutls-cli-debug: rephrased inappropriate
-       fallback test description to match the rest
+       * tests/suite/eagain, tests/suite/testsrn: tests: use /bin/bash in
+       tests which require common.sh
 
-2015-12-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * tests/suite/Makefile.am, tests/suite/testcompat,
+       tests/suite/testcompat-common, tests/suite/testcompat-main: tests:
+       backported full openssl suite from master Removed the priority strings not applicable in 3.3.x.
 
-2015-12-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * .gitlab-ci.yml: .gitlab-ci.yml: valgrind build was moved at the
-       end as it is the slowest build
+       * tests/dsa/testdsa, tests/openpgp-certs/testcerts,
+       tests/scripts/common.sh, tests/suite/eagain,
+       tests/suite/mini-eagain2.c, tests/suite/testcompat-main,
+       tests/suite/testsrn: tests: simplified server launching process Also attempt to use a new port on every started server and added a
+       waiting period for the port to become re-usable.
 
-2015-12-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/certtool-args.def, src/certtool.c: certtool: the
-       --p7-include-cert option is enabled by default This allows to generate PKCS#7 structures by default that can be
-       read by iOS.
+       * tests/version-checks.c: added check for the VERS-ALL priority
+       keyword
 
-2015-12-13  sskaje <sskaje@gmail.com>
+2016-05-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/certtool-args.def, src/certtool.c: #56 Feature: certtool
-       --p7-sign support GNUTLS_PKCS7_INCLUDE_CERT
+       * lib/gnutls_priority.c: gnutls_priority_init: recognize the
+       VERS-ALL keyword This keyword is identical to VERS-TLS-ALL, but it will allow to
+       re-use priority strings from 3.4.x+ to this branch of gnutls.
 
-2015-12-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/pkcs11_privkey.c: Do not allow importing public keys from PKCS
-       #11 private keys for DSA and ECDSA This prevents the reading of the public key when non-RSA keys are
-       available. This is a much cleaner approach than
-       5a4e692511dc3a829eda0d7c5a87e56cbc2055f0.
+       * tests/Makefile.am: tests: do not use pkglib to generate
+       libpkcs11mock1.so This resulted in the test library being installed. Install we use
+       noinst for the library, but pass -rpath to LDFLAGS as a hack to for
+       libtool to generate the shared version.
 
-2015-12-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h,
-       lib/pkcs11_privkey.c: Revert "Do not allow importing public keys
-       from PKCS #11 private keys for DSA and ECDSA" This reverts commit 9146ba63f5aa48358cb80aa7ccf9131cf2abdbe6.
+       * NEWS, configure.ac, m4/hooks.m4: released 3.3.23
 
-2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/Makefile.am, tests/cert-common.h: tests: cert-common.h:
-       backported from master branch
+       * src/cli.c, src/socket.c, src/socket.h: gnutls-cli: allow operation
+       with stdin input That is once commands from stdin are given, they are not only sent
+       to server, but we also wait for a response prior to exiting.  Resolves #96
 
-2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * NEWS: doc update [ci skip]
 
-2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/Makefile.am, tests/suite/pkcs11-pubkey-import.c: 
-       tests: check whether gnutls_pubkey_import_privkey() operates well
-       for PKCS#11 RSA keys
+       * NEWS: doc update
 
-2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h,
-       lib/pkcs11_privkey.c: Do not allow importing public keys from PKCS
-       #11 private keys for DSA and ECDSA That is, because they do not contain all the required parameters for
-       a direct import. Reported by Jan Vcelak.
+       * src/cli.c: gnutls-cli: corrected check for OCSP verification
+       success
 
-2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-01-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/pkcs11_privkey.c: pkcs11: avoid setting a variable which isn't
-       used
+       * lib/gnutls_global.c: gnutls_global_init: log gnutls' version on
+       initialization
 
-2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: pkcs11:
-       deinitialize gnutls_pkcs11_obj_t's pubkey on deinit
+       * NEWS: doc update [ci skip]
 
-2015-12-06  Jan Vcelak <jan.vcelak@nic.cz>
+2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/pkcs11_privkey.c: pkcs11: fix passing of incorrect variable in
-       privkey_get_pubkey The code worked for RSA because the content of the variables
-       matched.  But it doesn't match for ECC.  CKM_RSA_PKCS_KEY_PAIR_GEN (0x0) == CKK_RSA (0x0)
-       CKM_ECDSA_KEY_PAIR_GEN (0x1040) != CKK_ECDSA (0x3) Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>
+       * tests/Makefile.am, tests/mini-server-name.c: tests: backported
+       server name checks
 
-2015-12-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/benchmark-tls.c: gnutls-cli: don't use RSA ciphersuites to
-       test chacha20 as they are not defined
+       * lib/ext/server_name.c: server_name: only save the supported server
+       names in the session Invalid server names with embedded nulls and unsupported types are
+       not saved.
 
-2015-12-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/x509.c: documented bug in
-       gnutls_x509_crt_get_*_unique_id()
+       * NEWS: doc update
 
-2015-11-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/x509.c: allow specifying NULL buffer in
-       gnutls_x509_crt_get_*_unique_id()
+       * lib/gnutls_x509.c: cert cred: add the CN to the list of known
+       hostnames only if no dns_names That is, follow rfc6125 and support CN as a fallback only.
 
-2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/slow/override-ciphers, tests/slow/test-ciphers: tests:
-       cipher-test will forward the prog exit code as the script exit code
+       * lib/gnutls_x509.c: gnutls_certificate_set_key: import the DNS
+       names of the certificates That is, only when no (NULL) names are provided.
 
-2015-11-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/cert-tests/Makefile.am: tests: changes for running tests
-       under windows
+       * tests/pkcs11/pkcs11-cert-import-url-exts.c,
+       tests/pkcs11/pkcs11-get-exts.c,
+       tests/pkcs11/pkcs11-get-raw-issuer-exts.c: Revert "tests: ignore
+       failure to load pkcs11 mock provider" This reverts commit ae40598e5597b1b1f01a7e55d35b5f476d7d19d7.
 
-2015-11-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * .gitlab-ci.yml: .gitlab-ci.yml: backported from master
+       * configure.ac, tests/Makefile.am: tests: don't run pkcs11 mock
+       module tests under buggy p11-kit
 
-2015-11-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/ocsp_output.c: ocsp_output: when next update is not
-       present don't print error message That is because this field is optional.  Resolves #53
+       * tests/pkcs11/pkcs11-cert-import-url-exts.c,
+       tests/pkcs11/pkcs11-get-exts.c,
+       tests/pkcs11/pkcs11-get-raw-issuer-exts.c: tests: ignore failure to
+       load pkcs11 mock provider GnuTLS 3.3.x can work with old versions of p11-kit which do not have
+       the necessary fixes to load absolute paths.
 
-2015-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/slow/Makefile.am, tests/slow/override-ciphers: tests:
-       override-ciphers will not run mac tests on windows There is some issue with symbols for self tests not being exported.
+       * lib/nettle/gnettle.h: Fixed _NETTLE_UPDATE macro The macro was not using the input parameters but rather the actual
+       variable name from the function (which was identical to input).
+       Patch by Stanislav Zidek.
 
-2015-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/Makefile.am, tests/cert-tests/certtool: tests:
-       updates for certtool test to run under windows
+       * lib/gnutls_x509.c: gnutls_certificate_set_key: duplicate the
+       provided memory That is, do not assume that a heap allocated value is provided.
 
-2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/Makefile.am, tests/cert-tests/aki,
-       tests/cert-tests/certtool, tests/cert-tests/certtool-long-cn,
-       tests/cert-tests/pathlen, tests/cert-tests/pem-decoding,
-       tests/cert-tests/pkcs7, tests/pkcs8-decode/pkcs8: tests: changes for
-       running tests under windows
+       * NEWS: doc update [ci skip]
 
-2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/system.c: use consistent terms in system.c and
-       system-keys-win.c
+       * NEWS: doc update
 
-2015-11-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * .gitlab-ci.yml: .gitlab-ci.yml: backported from master
+       * tests/Makefile.am, tests/pkcs11/pkcs11-cert-import-url-exts.c,
+       tests/pkcs11/pkcs11-get-exts.c,
+       tests/pkcs11/pkcs11-get-raw-issuer-exts.c,
+       tests/pkcs11/pkcs11-mock.c, tests/pkcs11/pkcs11-mock.h: tests: added
+       a basic PKCS#11 mock module This is used to test gnutls_pkcs11_obj_get_exts(),
+       gnutls_x509_crt_import_url(), and gnutls_pkcs11_get_raw_issuer()
+       with the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag.
 
-2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/libopts/text_mmap.c: libopts: use the O_BINARY flag in windows
-       for files
+       * lib/pkcs11.c: pkcs11: find_cert_cb: do not use C_FindObjectsInit()
+       when another is already running While some modules implicitly terminated the previous run, this is
+       not something that PKCS#11 modules are expected to typically do.
 
-2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/libopts/COPYING.gplv3, src/libopts/COPYING.lgplv3,
-       src/libopts/COPYING.mbsd, src/libopts/Makefile.am,
-       src/libopts/README, src/libopts/ag-char-map.h, src/libopts/alias.c,
-       src/libopts/ao-strs.c, src/libopts/ao-strs.h,
-       src/libopts/autoopts.c, src/libopts/autoopts.h,
-       src/libopts/autoopts/options.h, src/libopts/autoopts/project.h,
-       src/libopts/autoopts/usage-txt.h, src/libopts/boolean.c,
-       src/libopts/check.c, src/libopts/compat/compat.h,
-       src/libopts/compat/pathfind.c, src/libopts/compat/windows-config.h,
-       src/libopts/configfile.c, src/libopts/cook.c, src/libopts/enum.c,
-       src/libopts/env.c, src/libopts/file.c, src/libopts/find.c,
-       src/libopts/genshell.c, src/libopts/genshell.h,
-       src/libopts/gettext.h, src/libopts/init.c, src/libopts/intprops.h,
-       src/libopts/libopts.c, src/libopts/load.c,
-       src/libopts/m4/libopts.m4, src/libopts/m4/liboptschk.m4,
-       src/libopts/m4/stdnoreturn.m4, src/libopts/makeshell.c,
-       src/libopts/nested.c, src/libopts/numeric.c,
-       src/libopts/option-value-type.c,
-       src/libopts/option-xat-attribute.c, src/libopts/parse-duration.c,
-       src/libopts/parse-duration.h, src/libopts/pgusage.c,
-       src/libopts/proto.h, src/libopts/putshell.c, src/libopts/reset.c,
-       src/libopts/restore.c, src/libopts/save.c, src/libopts/sort.c,
-       src/libopts/stack.c, src/libopts/stdnoreturn.in.h,
-       src/libopts/streqvcmp.c, src/libopts/text_mmap.c,
-       src/libopts/time.c, src/libopts/tokenize.c, src/libopts/usage.c,
-       src/libopts/version.c: libopts: updated to 5.18.6
+       * lib/pkcs11.c: pkcs11: the flag
+       GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be respected by
+       imported certificates That is, certificates imported with gnutls_pkcs11_obj_import_url()
+       or gnutls_x509_crt_import_url() will be able to be extracted with
+       their extensions overriden. Previously that was available only on
+       gnutls_pkcs11_get_raw_issuer() and friends.
 
-2015-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/slow/Makefile.am: tests: use gnulib where needed
+       * lib/pkcs11x.c: pkcs11: find_ext_cb: eliminated memory leak
 
-2015-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * cross.mk: cross.mk: updated windows cross compile makefile
+       * lib/pkcs11x.c: gnutls_pkcs11_obj_get_exts: updated documentation
+       [ci skip]
 
-2015-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-04-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/global-init-override.c: tests: disable global-init-override
-       test in windows Gcc does not support weak symbols on this platform.
+       * lib/gnutls_privkey_raw.c: corrected import issue in
+       gnutls_privkey_import_ecc_raw
 
-2015-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-04-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/socket.c: tools: don't call endservent in windows
+       * lib/x509/privkey.c: x509/privkey: in raw import functions set the
+       parameter's algorithm type
 
-2015-11-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/Makefile.am: tests: included missing files
+       * tests/dane.c: tests: enhanced dane testing with offline
+       verification checks
 
-2015-11-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/nettle/cipher.c: added cast to silence gcc warning
+       * libdane/dane.c: dane: verification will not fail if a CA entry is
+       encountered but cannot be verified That addresses the issue of verifying a single certificate against a
+       list of TLSA entries that contain an entry with CA usage (cert usage
+       0). With the previous behavior verification would have failed, while
+       now this entry will be skipped.
 
-2015-11-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: released 3.4.7
+       * lib/gnutls_cert.c, libdane/dane.c: doc: improved documentation on
+       certificate and DANE verification functions
 
-2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-04-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/system-keys-win.c: system-keys-win: allow reinitialization of
-       the library after a deinitialization
+       * lib/nettle/pk.c: _wrap_nettle_pk_derive: reject values of public
+       key that are over the prime That is do not canonicalise the value we get from the network, but
+       rather check it for validity. This saves a modular reduction on
+       handshake and performs a sanity check on the peer's (client)
+       parameters.  Reported by Hubert Kario.  Resolves #84
 
-2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
-       auto-generated files
+       * lib/gnutls_sig.c: handshake: do not overwrite the server's
+       signature algorithm That is, correct a bug under which a client sending a certificate
+       would overwrite the server's idea about the used signature
+       algorithm.  Reported by Hubert Kario.
 
-2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-04-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/scripts/getfuncs.pl: getfuncs.pl: don't consider functions
-       with _gnutls prefix
+       * lib/x509/ocsp.c: gnutls_ocsp_resp_get_single: fail if thisUpdate
+       is not available or unparsable That is because this field is not optional, and a failure on its
+       parsing is always fatal. Reported by Yuan Jochen Kang.
 
-2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_global.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map: gnutls_global_init_skip: prefixed with an
-       underscore
+       * lib/x509/ocsp_output.c, lib/x509/output.c: x509 output: don't warn
+       about insecure algorithm when unknown
 
-2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * configure.ac, m4/hooks.m4: bumped version
+       * lib/pkix.asn, lib/pkix_asn1_tab.c: pkix.asn: corrected byKey
+       definition OCSP is defined in an EXPLICIT tags module, and as such we must tag
+       explicitly all of its tags.
 
-2015-11-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool.c: certtool: check fread_file() for errors in all
-       situations This caused certtool to crash on invalid input on stdin.  Reported
-       by Christoph Biedl.
+       * lib/x509/name_constraints.c: name constraints: enforce the rules
+       for IP constraints when adding This will prevent gnutls from generating badly formed certificates.
 
-2015-11-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-04-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/x509_write.c: doc update
+       * NEWS: doc update
 
-2015-11-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-04-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_ui.c: gnutls_certificate_set_flags: Added since
+       * src/ocsptool-common.c: ocsptool: use HTTP/1.0 for requests This avoids issue with servers serving chunk encoding which ocsptool
+       doesn't support. Reported by Thomas Klute.
 
-2015-11-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2015-11-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/set_x509_key_mem.c: tests: check gnutls_certificate_flags
+       * lib/x509/output.c: x509/output: simplified cidr_to_string()
 
-2015-11-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/auth/cert.h, lib/gnutls_cert.c, lib/gnutls_ui.c,
-       lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: Added
-       gnutls_certificate_flags() and
-       GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH That allows a user of the credentials to disable the certificate
-       matching action. That is, to disable the calls to sign and verify on
-       initialization.
+       * lib/x509/output.c: x509/output: print RFC5280 CIDRs in name
+       constraints
 
-2015-11-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/Makefile.am: link with libdl when trousers is enabled;
-       reported by Andreas Schneider
+       * lib/system.c: system_recv_timeout(): verify that the file
+       descriptor is acceptable for select()
 
-2015-11-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2015-11-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/crypto-selftests.c: enhanced cipher selftests with variable
-       key sizes on arcfour
-
-2015-11-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/nettle/cipher.c: Do not enforce a maximum key size on ARCFOUR That makes the library consistent with the behavior of previous
-       versions (3.3.x)
-
-2015-11-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/tests.c: gnutls-cli-debug: make TLS 1.6 fallback check more
-       reliable
+       * tests/cert-tests/template-nc.pem: tests: template-test was updated
+       for OCSP key purpose reordering
 
-2015-11-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_pubkey.c, lib/x509/x509_write.c: doc update
+       * src/certtool.c: certtool: do not require a CA for OCSP signing This follows the recommendations in RFC6960 in 4.2.2.2 which allow a
+       CA to delegate OCSP signing to another certificate without requiring
+       it to be a CA.  Reported by Thomas Klute.
 
-2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * .gitlab-ci.yml: .gitlab-ci.yml: disable non-suiteb curves in all
-       systems as we have multiple which are fedoras
+       * lib/accelerated/x86/x86-common.c: x86-common: CPUID override will
+       only work if CPU has already the capability present This resolves test suite failure on CPUs with limited capabilities.
+       Reported by Andreas Metzler.
 
-2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/global-init-override.c, tests/global-init.c: tests:
-       corrected copyright info
+       * lib/gnutls_handshake.c: handshake: parse the mandatory to parse
+       extension prior to any callback call This relates to the change of ALPN extension to mandatory to parse,
+       and allows applications to get ALPN data prior to handshake
+       completion.
 
-2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/Makefile.am, tests/global-init-override.c: tests: added
-       check for overriding global initialization
+       * tests/mini-x509-callbacks.c: tests: verify that the
+       post-client-hello callback has access to ALPN data
 
-2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/cha-gtls-app.texi: documented GNUTLS_SKIP_GLOBAL_INIT macro
+       * tests/resume.c: tests: added checks for session resumption and
+       ALPN This checks whether the ALPN extension is re-read on resumption and
+       is negotiated.
 
-2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_global.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map: Added GNUTLS_SKIP_GLOBAL_INIT macro to allow
-       programs skip implicit global initialization
+       * tests/resume.c: tests: resume: simplified structure assignment
+       using C99 syntax
 
-2015-11-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-03-15  Yuriy M. Kaminskiy <yumkam@gmail.com>
 
-       * .gitlab-ci.yml: .gitlab-ci.yml: backported
+       * lib/ext/alpn.c: alpn: ALPN state is per-connection, it should not
+       be saved with session data In addition the extension was moved to the mandatory to parse to
+       ensure it is always parsed when sessions are resumed.  rfc7301:     Unlike many other TLS extensions, this extension does not
+           establish properties of the session, only of the connection.
+           When session resumption or session tickets [RFC5077] are used, the
+           previous contents of this extension are irrelevant, and only the
+           values in the new handshake messages are considered.  Signed-off-by: Yuriy M. Kaminskiy <yumkam@gmail.com> Signed-off-by:
+       Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2015-11-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/cha-gtls-app.texi: doc: document how to use gnutls with
-       seccomp
+       * src/cli.c: gnutls-cli: fix invalid initialization in
+       cert_verify_ocsp()
 
-2015-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2015-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/auth/dh_common.c: deinitialize client_Y if needed to avoid
-       leak This is a more conservative fix comparing to
-       0e370b7b34c96f7929f9070ad8287c6cf52e7901 ("deinitialize all
-       handshake keys when handshake is over").
+       * NEWS: doc update [ci skip]
 
-2015-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_state.c: Revert "deinitialize all handshake keys when
-       handshake is over" This reverts commit 0e370b7b34c96f7929f9070ad8287c6cf52e7901.
+       * tests/mini-loss-time.c: tests: backported mini-loss-time fixes
 
-2015-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/x509_write.c: 
-       gnutls_x509_crt_set_subject/issuer_unique_id: added Since in doc
+       * NEWS: doc update [ci skip]
 
-2015-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_pubkey.c: doc update
+       * tests/slow/Makefile.am: tests: do not run hash-large twice
 
-2015-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/cha-crypto.texi, lib/includes/gnutls/pkcs7.h,
-       lib/x509/pkcs7.c: Added documentation on PKCS #7 signing
+       * tests/version-checks.c: tests: corrected typo in version-checks
 
-2015-11-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * .gitlab-ci.yml: .gitlab-ci.yml: disable guile in asan builds
+       * .gitlab-ci.yml: .gitlab-ci.yml: added check on build with SSL 3.0
 
-2015-11-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_state.c: deinitialize all handshake keys when handshake
-       is over
+       * tests/suite/testsrn: tests: backported testsrn from 3.4 branch
 
-2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/Makefile.am, tests/suite/eagain,
-       tests/suite/eagain.sh, tests/suite/invalid-cert,
-       tests/suite/invalid-cert.sh, tests/suite/testcompat-openssl.sh,
-       tests/suite/testcompat-polarssl.sh, tests/suite/testdane,
-       tests/suite/testdane.sh, tests/suite/testrandom,
-       tests/suite/testrandom.sh, tests/suite/testrng,
-       tests/suite/testrng.sh, tests/suite/testsrn, tests/suite/testsrn.sh: 
-       tests: suite: more shell scripts were given the .sh suffix and
-       simplified makefile
+       * tests/Makefile.am, tests/cert-common.h, tests/version-checks.c: 
+       tests: added check for version negotiation default prio string That verifies whether the support versions are negotiated.
 
-2015-11-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/Makefile.am, tests/suite/chain, tests/suite/chain.sh,
-       tests/suite/test-ciphersuite-names,
-       tests/suite/test-ciphersuite-names.sh, tests/suite/testpkcs11,
-       tests/suite/testpkcs11.sh: tests: suite: don't run shell scripts
-       with valgrind
+       * NEWS: doc update
 
-2015-11-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/testsrn: tests: testsrn: output errors on stderr
+       * configure.ac, lib/gnutls_priority.c: Remove SSL 3.0 from the
+       default priority strings That can be reverted by using the --with-ssl3 configure option.
 
-2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * tests/slow/Makefile.am: tests: include test-hash-large into dist
 
-2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/Makefile.am, tests/cert-tests/template-test,
-       tests/cert-tests/template-unique.pem,
-       tests/cert-tests/template-unique.tmpl: tests: verify that unique IDs
-       are generated as expected
+       * .gitlab-ci.yml: .gitlab-ci.yml: separate builds with asan
 
-2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h,
-       src/certtool.c: certtool: Allow writing unique IDs in generated
-       certificates
+       * lib/openpgp/extras.c: gnutls_openpgp_keyring_import: backported
+       mem leak fix
 
-2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/includes/gnutls/x509.h, lib/libgnutls.map,
-       lib/x509/x509_write.c: Added gnutls_x509_crt_set_issuer_unique_id()
-       and gnutls_x509_crt_set_subject_unique_id()
+       * src/p11tool.c: p11tool: avoid warning with cast
 
-2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/output.c: properly indent unique IDs
+       * src/certtool.c: certtool: eliminated memory leaks on cert
+       verification
 
-2015-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-03-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/cha-gtls-app.texi: documented the GNUTLS_NO_EXPLICIT_INIT
-       environment variable
+       * src/certtool.c: certtool: backported memory leak fixes in PKCS#12
+       handling
 
-2015-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/crypto-api.c: crypto-api: doc update
+       * src/certtool.c: certtool: eliminate leaks in _verify_x509_mem()
 
-2015-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * src/certtool.c: certtool: eliminate memory leaks in certificate
+       generation
 
-2015-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-02-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/auth/dhe.c, lib/auth/ecdhe.c: Allow switching a ciphersuite to
-       DHE and ECDHE on a rehandshake
+       * configure.ac, m4/hooks.m4: bumped version [ci skip]
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-02-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * src/certtool.c: certtool: avoid warning with cast
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool.c: certtool: eliminate leaks in _verify_x509_mem()
+       * lib/ext/ecc.c: ecc: optimized extension parsing
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-02-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/testdane: testdane: improved error detection in sites
+       * .gitlab-ci.yml: .gitlab-ci.yml: fixed asan build for nettle3
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/Makefile.am, tests/suite/chain,
-       tests/suite/pkcs11-is-known.c, tests/suite/suppressions.valgrind,
-       tests/suite/testsrn, tests/suite/x509paths/suppressions.valgrind: 
-       tests: suite: eliminate many leaks in the tests and run them under
-       valgrind
+       * NEWS: doc update [ci skip]
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/openpgp-certs/Makefile.am,
-       tests/openpgp-certs/suppressions.valgrind,
-       tests/openpgp-certs/testcerts: tests: openpgp-certs: use valgrind
+       * lib/gnutls_state.c: timespec_sub_ms: fixed operation in 32-bit
+       systems
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/openpgp/extras.c: openpgp: eliminate leaks in
-       gnutls_openpgp_keyring_import()
+       * lib/pkcs11.c: pkcs11: Fixes to prevent undefined behavior (found
+       with libubsan)
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/mini-eagain2.c: tests: eliminate leaks in
-       mini-eagain2.c
+       * lib/includes/gnutls/gnutls.h.in: gnutls.h: Fixes to prevent
+       undefined behavior (found with libubsan)
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool.c: certtool: eliminate memory leaks in certificate
-       generation
+       * lib/gnutls_mem.h, lib/x509/x509.c: x509: Fixes to prevent
+       undefined behavior (found with libubsan)
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-02-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/key-tests/Makefile.am, tests/key-tests/key-id,
-       tests/key-tests/pkcs8, tests/key-tests/suppressions.valgrind: tests:
-       key-tests: use valgrind
+       * .gitlab-ci.yml: .gitlab-ci.yml: added libasan build with nettle3
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-02-25  Jan Vcelak <jan.vcelak@nic.cz>
 
-       * lib/gnutls_pubkey.c: gnutls_x509_crt_set_pubkey: clarify usage
+       * lib/x509/privkey_pkcs8.c: gnutls_x509_privkey_import: add missing
+       algorithm setting for DSA keys The algorithm number was set only in the private key structure, not
+       in the nested structure with parameters. This made certain
+       operations to fail (e.g., copying the key into a PKCS #11 token).  Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/pkcs12-decode/Makefile.am, tests/pkcs12-decode/pkcs12,
-       tests/pkcs12-decode/suppressions.valgrind: tests: run the PKCS #12
-       tests under valgrind
+       * tests/cert-tests/template-date.pem,
+       tests/cert-tests/template-dn.pem,
+       tests/cert-tests/template-generalized.pem,
+       tests/cert-tests/template-nc.pem,
+       tests/cert-tests/template-overflow.pem,
+       tests/cert-tests/template-overflow2.pem,
+       tests/cert-tests/template-test, tests/cert-tests/template-test.pem,
+       tests/cert-tests/template-utf8.pem: tests: regenerate the results in
+       template-test using UTC times
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-02-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/pkcs12.c, lib/x509/privkey_pkcs8.c: pkcs12: correctly set
-       salt size in gnutls_pkcs12_mac_info Also eliminate leaks in PKCS #12 parsing.
-
-2015-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-02-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool.c: certtool: make sure that pkcs12 structures are
-       deinitialized
+       * lib/x509/common.c, lib/x509/common.h: When writing the Time ASN.1
+       structure follow the RFC5280 recommendations That is make sure we generate dates with UTCTime prior to 2050 and
+       GeneralizedTime format after 2050.
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/crypto-backend.c: crypto-backend: ensure there are no leaks on
-       deinitialization
+       * tests/cert-tests/Makefile.am, tests/cert-tests/template-date.pem,
+       tests/cert-tests/template-dn.pem,
+       tests/cert-tests/template-generalized.pem,
+       tests/cert-tests/template-generalized.tmpl,
+       tests/cert-tests/template-nc.pem,
+       tests/cert-tests/template-overflow.pem,
+       tests/cert-tests/template-overflow2.pem,
+       tests/cert-tests/template-test, tests/cert-tests/template-test.pem,
+       tests/cert-tests/template-utf8.pem: tests: verify that we generate
+       dates with UTCTime prior to 2050 Also that we generate dates with GeneralizedTime format after 2050.
 
-2015-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-02-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/algorithms/ciphersuites.c, tests/mini-etm.c,
-       tests/mini-record.c: Require TLS 1.2 for all the ciphersuites which
-       are defined for it only This solves an interoperability issue with openssl. Reported by
-       Viktor Dukhovni.
+       * lib/nettle/cipher.c: Prevent the encryption or decryption of more
+       than 2^32 bytes with nettle2 That is because of nettle2 API limitations. Unlike the hash
+       functions there is no real need for a wrapper as encrypting or
+       decrypting that amount of data is unlikely.
 
-2015-11-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-02-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/certtool-common.h, src/p11tool-args.def, src/p11tool.c,
-       src/pkcs11.c: p11tool: introduced --only-urls option This option allows printing a compact listing containing only of
-       URLs.
+       * tests/dsa/testdsa, tests/scripts/common.sh: tests: backported
+       testdsa to prevent random failures in test suite
 
-2015-11-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-02-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2015-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-02-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/Makefile.am, tests/mini-x509-default-prio.c: tests: added
-       check for gnutls_priority_set_default
+       * lib/accelerated/x86/hmac-padlock.c,
+       lib/accelerated/x86/hmac-x86-ssse3.c,
+       lib/accelerated/x86/sha-padlock.c,
+       lib/accelerated/x86/sha-padlock.h,
+       lib/accelerated/x86/sha-x86-ssse3.c, lib/accelerated/x86/sha-x86.h,
+       lib/accelerated/x86/x86-common.h, lib/nettle/gnettle.h,
+       lib/nettle/mac.c: nettle: use the correct type for hash and MAC
+       functions In addition allow for hashing of more than UINT_MAX data bytes with
+       nettle 2.x in 64-bit systems.
 
-2015-11-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-02-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * .gitlab-ci.yml: .gitlab-ci.yml: use static libasan This prevents issues with tests which use LD_PRELOAD.
+       * tests/slow/Makefile.am, tests/slow/hash-large.c,
+       tests/slow/test-hash-large: tests: check whether large buffer hashes
+       and MAC work as expected
 
-2015-11-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-02-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * .gitlab-ci.yml: .gitlab-ci.yml: disable non-suiteb curves on build
-       on Fedora system
+       * tests/set_pkcs12_cred.c: tests: set_pkcs12_cred: existing tests
+       are disabled when in FIPS140-2 mode The tests require access to the RC4 cipher which is not available.
 
-2015-11-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-02-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/socket.c: tools: better ftp auth tls negotiation
+       * NEWS, configure.ac, m4/hooks.m4: bumped version
 
-2015-11-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/socket.c: tools: only check for status code in FTP starttls
-       negotiation
+       * NEWS: doc update [ci skip]
 
-2015-11-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/socket.c: tools: print more info in starttls negotiation when
-       --verbose is given
+       * tests/cert-tests/template-date.pem,
+       tests/cert-tests/template-dn.pem, tests/cert-tests/template-nc.pem,
+       tests/cert-tests/template-overflow.pem,
+       tests/cert-tests/template-overflow2.pem,
+       tests/cert-tests/template-test.pem: Revert "tests: updated to
+       account for cert generation after
+       c1405c6e08ef55421108bd4395588368f4122dda fix" This reverts commit 09dcbe564a85c021ebcbf7a3f28075d19c399ce4.
 
-2015-11-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls.pc.in: gnutls.pc: don't use the libtool version of the
-       link options Reported by Dan Kegel.  Resolves #49
+       * lib/x509/x509_ext.c: Revert "Fix out-of-bounds read in
+       gnutls_x509_ext_export_key_usage" This was a false negative and not a real out-of-bounds read.  This
+       reverts commit c1405c6e08ef55421108bd4395588368f4122dda.
 
-2015-10-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/ext/heartbeat.c: removed inacurate text
+       * .gitlab-ci.yml: .gitlab-ci.yml: Added build with ARCFOUR
 
-2015-10-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-01-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/cha-bib.texi, doc/cha-intro-tls.texi, doc/latex/gnutls.bib
-       doc: updated supplemental data documentation
+       * NEWS, configure.ac, lib/gnutls_priority.c, tests/priorities.c
+       Added configure flag --with-arcfour128 This flag will re-enable ARCFOUR in the priority strings by default.
 
-2015-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/testdane: tests: testdane will not check hosts which
-       are unreachable
+       * NEWS: doc update
 
-2015-10-20  Andreas Metzler <ametzler@bebt.de>
+2016-01-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/auto-verify.c, lib/gnutls_state.c: Documentation update The new simple verification functions were backported to 3.4.6,
-       correct "Since:" to reflect this.
+       * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c,
+       tests/record-sizes.c: Revert "Revert "tests: updated to account for
+       ARCFOUR being disabled"" This reverts commit a2f907d0d4e52eb4dd24cc1f5d7d892b21abfd83.
 
-2015-10-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-01-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
-       auto-generated files
+       * lib/gnutls_priority.c: Revert "Revert "ARCFOUR is disabled from
+       the default priority strings"" This reverts commit b3b5db319d4246e4735017cc423b92175f713a89.
 
-2015-10-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-01-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: released 3.4.6
+       * lib/gnutls_pubkey.c: gnutls_pubkey_import_x509_raw: fixed memory
+       leak
 
-2015-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/cha-gtls-app.texi: doc: documented future level
+       * lib/x509/output.c: x509: place newline when printing unsupported
+       othernames
 
-2015-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2015-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/pkcs11.h: pkcs11.h: relocated
-       gnutls_pkcs11_copy_pubkey to allow discovery by buggy doc scripts
-
-2015-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * lib/ext/alpn.c: alpn: when parsing the list of protocols return at
+       the first mutually common That resolves an issue where the server wouldn't select the first
+       mutually supported.  Resolves #63
 
-2015-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/ext/ext_master_secret.c: ext master secret: extension is
-       marked as mandatory This forces the extension to be sent even where resuming sessions.
-       Resolves #45
+       * tests/mini-alpn.c: tests: mini-alpn: corrected protocol selection
+       order
 
-2015-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/resume.c: tests: Check whether a resumed session contains
-       the ext master secret extension Relates #45
+       * tests/mini-alpn.c: tests: alpn: enhance the testing of ALPN
+       negotiation
 
-2015-10-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * lib/ext/alpn.c: alpn: document how the selected protocol is
+       selected [ci skip]
 
-2015-10-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/pkcs11-certs/server.pub, tests/suite/testpkcs11: 
-       tests: adapted testpkcs11 for use with 3.4.x certtool
+       * tests/mini-alpn.c: tests: verify that the selected ALPN protocol
+       is the first advertised
 
-2015-10-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/testpkcs11, tests/suite/testpkcs11.softhsm: tests:
-       verify that public keys are properly written Also disable parts of the suite that softhsm2 cannot properly work
-       with, to allow running parts of the suite even with broken softhsm.
+       * NEWS: released 3.3.20
 
-2015-10-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-01-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * NEWS: reverted ARCFOUR removal change
 
-2015-10-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/pkcs11.c: p11tool: Allow writing a PKCS #11 pubkey object
+       * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c,
+       tests/record-sizes.c: Revert "tests: updated to account for ARCFOUR
+       being disabled" This reverts commit 45926d9561b2e888c505524663b7c7ad87c263bc.
 
-2015-10-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
-       lib/pkcs11_int.h, lib/pkcs11_privkey.c, lib/pkcs11_write.c: pkcs11:
-       introduced gnutls_pkcs11_copy_pubkey That allows copying a public key to a PKCS #11 module.
+       * lib/gnutls_priority.c: Revert "ARCFOUR is disabled from the
+       default priority strings" This reverts commit 76be7bda79d6785eeab3ef8e96db026ad7aac9c3.
 
-2015-10-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-01-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/Makefile.am: doc: set a path which includes new binaries when
-       running autogen That makes sure that autogen will discover the binaries to obtain
-       the --help output.
+       * configure.ac: configure: no longer distribute lzip tarballs
 
-2015-10-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/cli-debug-args.def: gnutls-cli-debug: updated doc
+       * src/libopts/text_mmap.c: libopts: use the O_BINARY flag in windows
+       for files
 
-2015-10-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/cli-debug-args.def, src/cli-debug.c, src/cli.c,
-       src/danetool-args.def, src/danetool.c, src/socket.c, src/socket.h: 
-       tools: when the starttls-proto is specified automatically detect the
-       port if not given
+       * src/libopts/COPYING.gplv3, src/libopts/COPYING.lgplv3,
+       src/libopts/COPYING.mbsd, src/libopts/Makefile.am,
+       src/libopts/README, src/libopts/ag-char-map.h, src/libopts/alias.c,
+       src/libopts/ao-strs.c, src/libopts/ao-strs.h,
+       src/libopts/autoopts.c, src/libopts/autoopts.h,
+       src/libopts/autoopts/options.h, src/libopts/autoopts/project.h,
+       src/libopts/autoopts/usage-txt.h, src/libopts/boolean.c,
+       src/libopts/check.c, src/libopts/compat/compat.h,
+       src/libopts/compat/pathfind.c, src/libopts/compat/windows-config.h,
+       src/libopts/configfile.c, src/libopts/cook.c, src/libopts/enum.c,
+       src/libopts/env.c, src/libopts/file.c, src/libopts/find.c,
+       src/libopts/genshell.c, src/libopts/genshell.h,
+       src/libopts/gettext.h, src/libopts/init.c, src/libopts/intprops.h,
+       src/libopts/libopts.c, src/libopts/load.c,
+       src/libopts/m4/libopts.m4, src/libopts/m4/liboptschk.m4,
+       src/libopts/m4/stdnoreturn.m4, src/libopts/makeshell.c,
+       src/libopts/nested.c, src/libopts/numeric.c,
+       src/libopts/option-value-type.c,
+       src/libopts/option-xat-attribute.c, src/libopts/parse-duration.c,
+       src/libopts/parse-duration.h, src/libopts/pgusage.c,
+       src/libopts/proto.h, src/libopts/putshell.c, src/libopts/reset.c,
+       src/libopts/restore.c, src/libopts/save.c, src/libopts/sort.c,
+       src/libopts/stack.c, src/libopts/stdnoreturn.in.h,
+       src/libopts/streqvcmp.c, src/libopts/text_mmap.c,
+       src/libopts/time.c, src/libopts/tokenize.c, src/libopts/usage.c,
+       src/libopts/version.c: libopts: updated to 5.18.6
 
-2015-10-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-01-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * configure.ac, m4/hooks.m4: bumped version
 
-2015-10-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-01-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * Makefile.am, symbols.last: symbols.last: don't include internal
+       symbols into exported list
 
-2015-10-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-01-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * .gitlab-ci.yml: backport: .gitlab-ci.yml: combined the slow build
-       with the separate build dir
+       * NEWS: NEWS: doc update
 
-2015-10-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2016-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/algorithms/ciphers.c, lib/gnutls_cipher_int.c,
-       lib/gnutls_priority.c: Disable the NULL cipher on runtime when
-       FIPS140 mode is enabled instead of statically That way the NULL cipher can be used when not in FIPS140 mode.
+       * tests/cert-tests/template-date.pem,
+       tests/cert-tests/template-dn.pem, tests/cert-tests/template-nc.pem,
+       tests/cert-tests/template-overflow.pem,
+       tests/cert-tests/template-overflow2.pem,
+       tests/cert-tests/template-test.pem: tests: updated to account for
+       cert generation after c1405c6e08ef55421108bd4395588368f4122dda fix
 
-2015-10-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/algorithms.h, lib/algorithms/ciphers.c, lib/algorithms/kx.c,
-       lib/gnutls_int.h, lib/gnutls_priority.c: backport: Tolerate priority
-       strings with names of legacy ciphers and key exchanges That enables better backwards compatibility with old applications
-       which disable or enable algorithms which no longer are supported.
-       Relates #44
+       * tests/Makefile.am: tests: Makefile.am: removed invalid program ld
+       flags
 
-2015-10-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2016-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2015-10-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/pkcs11_write.c: pkcs11: write CKA_ISSUER and CKA_SERIAL_NUMBER
-       when writing on a certificate That allows NSS to read and use the written certificate.  Relates
-       #43
+2016-01-04  Tim Kosse <tim.kosse@filezilla-project.org>
 
-2015-10-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+       * lib/x509/x509_ext.c: Fix out-of-bounds read in
+       gnutls_x509_ext_export_key_usage
 
-       * tests/sec-params.c: tests: enhanced sec-params check to account
-       for future sec-param
+2016-01-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2015-10-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
+       * .gitlab-ci.yml: .gitlab-ci.yml: optimized build process That is, in slow asan and valgrind builds don't check the full test
+       suite.
 
-2015-10-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/certtool-common.c: certtool: recognize the future sec-param
+       * lib/pkcs11_privkey.c: pkcs11: fixes to store the imported URL This ammends 603d0db776537c19bdfd907e0fc77c7321874bf0 with changes
+       for the 3.3.x branch.
 
-2015-10-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/algorithms/secparams.c, lib/includes/gnutls/gnutls.h.in: 
-       Introduced the security parameter future (256) and switched ultra to
-       192 bits For ultra, this was its documented strength, and now follows RFC3766
-       recommendations for sizes.
+       * NEWS: doc update [ci skip]
 
-2015-10-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/certtool-common.c: certtool: be more specific on the help
-       message for --sec-param when --bits are given
+       * NEWS: doc update
 
-2015-10-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/testpkcs11.softhsm: tests: better detection of softhsm
-       library
+       * lib/pkcs11_privkey.c: pkcs11: import public keys from any
+       available object That is, load public keys from the public key object, or the
+       certificate object if they are present. That affects non-RSA public
+       keys which do not contain all required fields on the private key
+       object.
 
-2015-10-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * configure.ac, m4/hooks.m4: bumped version
+       * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected
+       the writing of ECC private key
 
-2015-09-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected
+       the type of the written object Previously only RSA objects were correctly written.
 
-2015-09-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/cha-cert-auth.texi, doc/cha-gtls-app.texi,
-       doc/examples/ex-client-x509.c, lib/Makefile.am, lib/auto-verify.c,
-       lib/gnutls_alert.c, lib/gnutls_cert.c, lib/gnutls_errors.c,
-       lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_priority.c,
-       lib/gnutls_x509.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map, tests/Makefile.am, tests/auto-verify.c: 
-       Backported new verification functions for clients from 3.5.x branch The major use-case for the TLS protocol is verification of PKIX
-       certificates. However, certificate verification support while is
-       similar for almost all projects it requires around 100 lines of code
-       (a callback) to be duplicated to all applications. That patch set
-       gets rid of the callback and simplifies certificate verification
-       support, by introducing a very simple API; one that would accept the
-       session and the hostname only.  Resolves #27
+       * NEWS: NEWS: doc update [ci skip]
 
-2015-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/Makefile.am, tests/eagain-common.h,
-       tests/mini-session-verify-function.c: tests: added test for
-       gnutls_session_set_verify_function
+       * lib/ext/max_record.c: max_record: don't consider this extension on
+       DTLS That is because it doesn't work as expected, and does not fragment
+       handshake messages. Relates with #61
 
-2015-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-12-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c,
-       lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: Added
-       gnutls_session_set_verify_function That allows to set a verification callback per session rather than
-       only globally on the credentials structure.
+       * NEWS: doc update
 
-2015-10-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_record.c: gnutls_record_recv: simplified text on
-       GNUTLS_E_REHANDSHAKE
+       * lib/x509/name_constraints.c, tests/name-constraints.c: Handle DNS
+       name constraints with leading dot Patch by Fotis Loukos.  Resolves 3 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2015-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-12-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-common.c: certtool: print 16-bytes of hex values per
-       line Also avoid a colon on the end of the line.
+       * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c,
+       tests/record-sizes.c: tests: updated to account for ARCFOUR being
+       disabled
 
-2015-09-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-12-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2015-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-12-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-common.c: certtool: switched the default level to
-       HIGH for key generation That requires 3072 bits for RSA and DSA keys.
+       * lib/gnutls_priority.c: ARCFOUR is disabled from the default
+       priority strings ARCFOUR is a cipher known to be broken theoretically and
+       practically. Configurations that depend on that cipher being on
+       should explicitly enable it.  Resolves #23
 
-2015-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-12-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * lib/pkcs11_privkey.c: Do not allow importing public keys from PKCS
+       #11 private keys for DSA and ECDSA This prevents the reading of the public key when non-RSA keys are
+       available. This is a much cleaner approach than
+       5a4e692511dc3a829eda0d7c5a87e56cbc2055f0.
 
-2015-09-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-12-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def,
-       src/socket.c: tools: added xmpp into the starttls-proto options
+       * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h,
+       lib/pkcs11_privkey.c: Revert "Do not allow importing public keys
+       from PKCS #11 private keys for DSA and ECDSA" This reverts commit 0e79aabab519a6b568cf8c31b38523cce7416bd8.
 
-2015-09-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def,
-       src/socket.c: tools: added ldap into the starttls-proto options
+       * NEWS: doc update
 
-2015-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/system.c: system.c: simplify gnutls_system_recv_timeout
+       * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h,
+       lib/pkcs11_privkey.c: Do not allow importing public keys from PKCS
+       #11 private keys for DSA and ECDSA That is, because they do not contain all the required parameters for
+       a direct import. Reported by Jan Vcelak.
 
-2015-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/cli-debug.c: gnutls-cli-debug: use RFC7627 instead of
-       draft-ietf-tls-session-hash
+       * lib/pkcs11_privkey.c: pkcs11: avoid setting a variable which isn't
+       used
 
-2015-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/gnutls/gnutls.h.in: updated documentation on
-       gnutls_vdata_types_t based on DKG's suggestions
+       * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: pkcs11:
+       deinitialize gnutls_pkcs11_obj_t's pubkey on deinit
 
-2015-09-16  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+2015-12-06  Jan Vcelak <jan.vcelak@nic.cz>
 
-       * lib/gnutls_cert.c: improve docs for
-       gnutls_certificate_verify_peers*() The gnutls_certificate_verify_peers{,2,3}() functions all return
-       GNUTLS_E_SUCCESS (0) even in situations when the peer's certificate
-       was not verified.  This is explained in the first paragraphs ("i.e.
-       failure to trust a certificate does not imply a negative return
-       value"), but the Returns: line isn't comparably clear.
+       * lib/pkcs11_privkey.c: pkcs11: fix passing of incorrect variable in
+       privkey_get_pubkey The code worked for RSA because the content of the variables
+       matched.  But it doesn't match for ECC.  CKM_RSA_PKCS_KEY_PAIR_GEN (0x0) == CKK_RSA (0x0)
+       CKM_ECDSA_KEY_PAIR_GEN (0x1040) != CKK_ECDSA (0x3) Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>
 
-2015-09-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-11-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_str.c: _gnutls_hex2bin: avoid overrun in the provided
-       buffer
+       * lib/x509/x509.c: allow specifying NULL buffer in
+       gnutls_x509_crt_get_*_unique_id()
 
-2015-09-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-11-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS, configure.ac, m4/hooks.m4: bumped version
+       * NEWS: released 3.3.19
 
-2015-09-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/manpages/tpmtool.1: tpmtool.1: updated
+       * symbols.last: updated auto-generated files
 
-2015-09-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/output.c: Don't use formatted output for fixed strings Resolves #35
+       * doc/scripts/getfuncs.pl: getfuncs.pl: don't consider functions
+       with _gnutls prefix
 
-2015-09-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/pkcs11_privkey.c: pkcs11: when storing public keys, make sure
-       they are marked as not private
+       * lib/gnutls_global.c, lib/includes/gnutls/gnutls.h.in,
+       lib/libgnutls.map: gnutls_global_init_skip: prefixed with an
+       underscore
 
-2015-08-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * configure.ac, m4/hooks.m4: bumped version
 
-2015-08-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/tests.c: gnutls-cli-debug: corrected typo in inappropriate
-       fallback check
+       * NEWS: doc update
 
-2015-08-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: added
-       check for inappropriate fallback support
+       * tests/global-init-override.c, tests/global-init.c: tests:
+       corrected copyright info
 
-2015-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/examples/ex-serv-anon.c: corrected typo in ex-server-anon
+       * tests/Makefile.am, tests/global-init-override.c: tests: added
+       check for overriding global initialization
 
-2015-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_str.c: hex decoding: more reasonable error codes That is, return GNUTLS_E_PARSING_ERROR instead of base64 decoding
-       error, and document that fact.
+       * doc/cha-gtls-app.texi: documented GNUTLS_SKIP_GLOBAL_INIT macro
 
-2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/ext/ext_master_secret.c, lib/gnutls_db.c: Set the extended
-       master secret status based on resumption data only That is, don't require a new negotiation with extensions.
+       * lib/gnutls_global.c, lib/includes/gnutls/gnutls.h.in,
+       lib/libgnutls.map: Added GNUTLS_SKIP_GLOBAL_INIT macro to allow
+       programs skip implicit global initialization
 
-2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/resume-dtls.c, tests/resume.c: tests: corrected resumption
-       tests to disable tickets when needed That is, perform the tests that require no tickets, with tickets
-       disabled.
+       * tests/utils.c, tests/utils.h: utils: backported sec_sleep()
 
-2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_session_pack.c: session packing: corrected issue in PSK
-       session unpack
+       * tests/mini-handshake-timeout.c: tests: backported
+       mini-handshake-timeout
 
-2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/auth/psk.c: PSK: save the username in client side in the auth
-       structure
+       * .gitlab-ci.yml: .gitlab-ci.yml: added build and check in FIPS140-2
+       mode
 
-2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_hash_int.h: _gnutls_hash() returns error code if any.  Ideally we would like to eliminate any return codes from that
-       function. However, since that's on exported API we cannot easily do
-       without breaking the ABI. Reported by Benedikt Klotz.  Resolves #28
+       * tests/mini-dtls-record.c, tests/resume-dtls.c: tests: backported
+       mini-dtls-record.c and resume-dtls.c
 
-2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * .gitlab-ci.yml: .gitlab-ci.yml: remove the minimal library from
+       targets
 
-2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/verify-high.c, lib/x509/verify-high2.c: x509: when
-       appending CRLs to a trust list ensure that we don't have duplicates That is, overwrite CRLs if they have been obsoleted.
+       * lib/x509/x509_write.c: disable_optional_stuff: don't disable
+       unique IDs if set There are sideways set these values even if they are not in the
+       public API, and we shouldn't disable them unconditionally.
 
-2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/certtool.c: certtool: allow exporting very long CRLs
+       * .gitlab-ci.yml: Added CI build rules
 
-2015-08-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2015-08-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/crl: tests: verify whether CRL date setting works
-       as expected
+       * lib/algorithms/ciphersuites.c, tests/mini-record.c: Require TLS
+       1.2 for all the ciphersuites which are defined for it only This solves an interoperability issue with openssl. Reported by
+       Viktor Dukhovni.
 
-2015-08-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h,
-       src/certtool.c: certtool: Allow specifying CRL dates as fixed dates
+       * NEWS: doc update
 
-2015-08-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/crl: tests: verify CRL appending effectiveness
+       * lib/auth/dhe.c, lib/auth/ecdhe.c: Allow switching a ciphersuite to
+       DHE and ECDHE on a rehandshake
 
-2015-08-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/crl_write.c: gnutls_x509_crl_set_authority_key_id,
-       gnutls_x509_crl_set_number allow overwritting That allows them to overwrite values which were previously set
-       (e.g., on an imported CRL).
+       * NEWS: doc update
 
-2015-08-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-11-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-args.def, src/certtool.c: certtool: allow appending
-       certificates to a CRL
+       * lib/gnutls.pc.in: gnutls.pc: don't use the libtool version of the
+       link options Reported by Dan Kegel.  Resolves #49
 
-2015-08-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-10-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2015-08-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool.c: certtool: removed limit on maximum imported
-       certificates in the -i option
-
-2015-08-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-10-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/cert-tests/Makefile.am, tests/cert-tests/crl: tests: check
-       whether the CRL generation code works as expected
+       * lib/algorithms/ciphers.c, lib/gnutls_cipher_int.c,
+       lib/gnutls_priority.c: Disable the NULL cipher on runtime when
+       FIPS140 mode is enabled instead of statically That way the NULL cipher can be used when not in FIPS140 mode.
 
-2015-08-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-10-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-common.c, src/certtool.c: certtool: eliminated memory
-       leaks due to new cert loading code
+       * lib/algorithms.h, lib/algorithms/ciphers.c, lib/algorithms/kx.c,
+       lib/gnutls_int.h, lib/gnutls_priority.c: backport: Tolerate priority
+       strings with names of legacy ciphers and key exchanges That enables better backwards compatibility with old applications
+       which disable or enable algorithms which no longer are supported.
+       Relates #44
 
-2015-08-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-10-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-common.c, src/certtool-common.h: certtool: lifted
-       limits on file size to load
+       * NEWS: doc update
 
-2015-08-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-10-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * Makefile.am: before dist ensure that included libopts matches
-       autogen
+       * lib/pkcs11_write.c: pkcs11: write CKA_ISSUER and CKA_SERIAL_NUMBER
+       when writing on a certificate That allows NSS to read and use the written certificate.  Resolves
+       #43
 
-2015-08-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-10-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: corrected date
+       * NEWS: doc update
 
-2015-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-10-12  Lennert Buytenhek <buytenh@wantstofly.org>
 
-       * tests/cert-tests/Makefile.am: include all cert-tests into dist
+       * lib/nettle/pk.c: Fix memory leak in wrap_nettle_hash_algorithm().  wrap_nettle_hash_algorithm() leaks an mpz_t if it is called with pk
+       == GNUTLS_PK_RSA and sig == NULL, in which case it will return
+       without going through the regular exit path that clears the mpz_t it
+       allocated at the beginning of the function.  Use the regular exit
+       path instead to fix this.  This leak can be triggered via calls to
+       gnutls_pubkey_get_preferred_hash_algorithm().  Signed-off-by: Lennert Buytenhek <buytenh@wantstofly.org>
 
-2015-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-09-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
-       auto-generated files for new functions
+       * lib/gnutls_str.c: _gnutls_hex2bin: avoid overrun in the provided
+       buffer
 
-2015-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-09-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * doc/manpages/tpmtool.1: tpmtool.1: updated
 
-2015-08-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-09-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/pkcs11.c: p11tool: test-sign will not fail if a pubkey is not
-       found
+       * NEWS, configure.ac, m4/hooks.m4: bumped version
 
-2015-08-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-09-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/privkey.c: key decoding: set key to null for consistency
+       * lib/x509/output.c: Don't use formatted output for fixed strings Resolves #35
 
-2015-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/privkey.c: key decoding: simplify decoding logic by
-       removing the fallback
+       * lib/gnutls_session_pack.c: session packing: corrected issue in PSK
+       session unpack
 
-2015-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2015-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/privkey.c: key decoding: corrected regression with PKCS
-       #8 key decoding Reported by Daniel Berrange.
+       * lib/x509/verify-high.c, lib/x509/verify-high2.c: x509: when
+       appending CRLs to a trust list ensure that we don't have duplicates That is, overwrite CRLs if they have been obsoleted.
 
-2015-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/Makefile.am, tests/pkcs8-key-decode.c: tests: added check
-       for decoding of a PKCS #8 key as fallback
+       * src/certtool.c: certtool: allow exporting very long CRLs
 
-2015-08-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-08-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2015-08-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-08-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11: set
-       the CKA_TOKEN attribute on generated public keys That also introduces the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY
-       flag, to simulate the previous behavior.
+       * tests/cert-tests/Makefile.am, tests/cert-tests/crl: tests: check
+       whether the CRL generation code works as expected
 
-2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-08-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * cfg.mk: cfg.mk: fix order of arguments in gnulib-tool
+       * src/certtool.c: certtool: removed limit on maximum imported
+       certificates in the -i option
 
-2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-08-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/Makefile.am, tests/fallback-scsv.c: tests: added check for
-       the fallback SCSV
+       * src/certtool-common.c, src/certtool.c: certtool: eliminated memory
+       leaks due to new cert loading code
 
-2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-08-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_handshake.c: handshake: check inappropriate fallback
-       against the configured max version That allows to operate on a server which is explicitly configured to
-       utilize earlier than TLS 1.2 versions.
+       * src/certtool-common.c, src/certtool-common.h: certtool: lifted
+       limits on file size to load
 
-2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-08-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/includes/gnutls/gnutls.h.in: corrected
-       GNUTLS_E_INAPPROPRIATE_FALLBACK error code
+       * Makefile.am: before dist ensure that included libopts matches
+       autogen
 
-2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * tests/suite/mini-eagain2.c: tests: backported fix in mini-eagain2
 
-2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_handshake.c: copy_ciphersuites: use definition for
-       reserved ciphersuites
+       * lib/pkcs11_write.c: pkcs11: increase attributes size in
+       gnutls_pkcs11_copy_x509_privkey
 
-2015-08-01  Alessandro Ghedini <alessandro@ghedini.me>
+2015-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/cha-gtls-app.texi, lib/gnutls_handshake.c, lib/gnutls_int.h,
-       lib/gnutls_priority.c, lib/priority_options.gperf: handshake: add
-       FALLBACK_SCSV priority option This allows clients to enable the TLS_FALLBACK_SCSV mechanism during
-       the handshake, as defined in RFC7507.
+       * configure.ac, m4/hooks.m4: bumped version
 
-2015-08-01  Alessandro Ghedini <alessandro@ghedini.me>
+2015-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/algorithms.h, lib/gnutls_alert.c, lib/gnutls_errors.c,
-       lib/gnutls_handshake.c, lib/includes/gnutls/gnutls.h.in: handshake:
-       check for TLS_FALLBACK_SCSV If TLS_FALLBACK_SCSV was sent by the client during the handshake,
-       and the advertised protocol version is lower than
-       GNUTLS_TLS_VERSION_MAX, send the "Inappropriate fallback" fatal
-       alert and abort the handshake.  This mechanism was defined in RFC7507.
+       * NEWS: doc update
 
-2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-08-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * build-aux/gendocs.sh, gl/Makefile.am, gl/m4/codeset.m4,
-       gl/m4/extern-inline.m4, gl/m4/gettext.m4, gl/m4/glibc2.m4,
-       gl/m4/glibc21.m4, gl/m4/gnulib-cache.m4, gl/m4/gnulib-common.m4,
-       gl/m4/gnulib-comp.m4, gl/m4/iconv.m4, gl/m4/intdiv0.m4,
-       gl/m4/intl.m4, gl/m4/intldir.m4, gl/m4/intlmacosx.m4,
-       gl/m4/intmax.m4, gl/m4/lcmessage.m4, gl/m4/lock.m4,
-       gl/m4/manywarnings.m4, gl/m4/nls.m4, gl/m4/po.m4,
-       gl/m4/printf-posix.m4, gl/m4/progtest.m4, gl/m4/stdio_h.m4,
-       gl/m4/sys_time_h.m4, gl/m4/threadlib.m4, gl/m4/time_h.m4,
-       gl/m4/uintmax_t.m4, gl/m4/valgrind-tests.m4, gl/m4/visibility.m4,
-       gl/stddef.in.h, gl/stdio.in.h, gl/string.in.h, gl/tests/init.sh,
-       gl/tests/inttypes.in.h, gl/tests/test-read-file.c,
-       gl/tests/test-stddef.c, gl/time.in.h, gl/wchar.in.h,
-       src/gl/Makefile.am, src/gl/error.c, src/gl/error.h,
-       src/gl/fseeko.c, src/gl/m4/extern-inline.m4,
-       src/gl/m4/gnulib-cache.m4, src/gl/m4/gnulib-common.m4,
-       src/gl/m4/stdio_h.m4, src/gl/m4/sys_time_h.m4, src/gl/m4/time_h.m4,
-       src/gl/stddef.in.h, src/gl/stdio.in.h, src/gl/string.in.h,
-       src/gl/time.in.h, src/gl/wchar.in.h, src/gl/xalloc.h: use the
-       gettext-h gnulib module
+       * NEWS: doc update
 
-2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-08-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/certtool-long-cn: tests: added missing
-       certtool-long-cn
+       * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11: set
+       the CKA_TOKEN attribute on generated public keys That also introduces the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY
+       flag, to simulate the previous behavior.
 
 2015-07-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
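Review bot: the ChangeLog rewrite in this hunk is out of scope for a commit titled as a CVE-2017-6891 fix and should be split into its own commit or explained in the commit message. The added lines bring in a different release history (`* NEWS: released 3.3.19`, several "backported" test entries), while the removed lines delete the record of the TLS_FALLBACK_SCSV work (`handshake: check for TLS_FALLBACK_SCSV`, the `FALLBACK_SCSV` priority option, the `tests/fallback-scsv.c` check). Please confirm that this matches the code actually shipped after the change, so that anyone auditing the package from its ChangeLog does not draw the wrong conclusion about whether the RFC7507 downgrade check is present.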
 
 2015-07-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/common.c: made data2hex() safer, and eliminated mem leak
-
-2015-07-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/cert-tests/Makefile.am, tests/cert-tests/very-long-dn.pem: 
-       tests: added check for proper handling of very long CNs
-
-2015-07-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/status-request-ok.c,
-       tests/status-request.c: tests: added check for server sending (or
-       not) status request messages
-
-2015-07-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
        * NEWS: doc update
 
-2015-07-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac: updated the required gettext version to match the
-       macros from gnulib
-
 2015-07-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/ext/safe_renegotiation.c: safe renegotiation: handle case
 
 2015-07-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/tpm.c: tpm: avoid warning
-
-2015-07-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
        * lib/gnutls_extensions.c, lib/gnutls_handshake.c, lib/gnutls_int.h: 
        As server don't try to send extensions we didn't receive.
 
-2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-07-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
-
-2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/tpm.c: tpm: use gnutls_hex_decode for uuid decoding
-
-2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/auth/psk_passwd.c: psk: use gnutls_hex_decode2 for key
-       decoding
-
-2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/system-keys-win.c: system-keys-win: use gnutls_hex_decode for
-       ID decoding
-
-2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/openpgp/gnutls_openpgp.c: openpgp: use gnutls_hex_decode for
-       keyid decoding
-
-2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/common.c: DN decoding: use gnutls_hex_encode
-
-2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/extras/Makefile.am, lib/extras/hex.c, lib/extras/hex.h,
-       lib/extras/licenses/CC0, lib/gnutls_str.c,
-       lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: Introduced
-       gnutls_hex_encode2() and gnutls_hex_decode2() These also use safer hex decoding functions which don't skip invalid
-       input.
-
-2015-07-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-07-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/common.c: x509: simplified data to hex conversion in
-       unknown DN names
-
-2015-07-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_state.c, tests/prf.c: gnutls_prf_rfc5705: Allow for
-       non-null context and zero context length
-
-2015-07-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS, configure.ac, m4/hooks.m4: bumped version
-
-2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/prf.c: tests: added cross-check between gnutls_prf_rfc5705()
-       and gnutls_prf()
-
-2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/safe-renegotiation/Makefile.am,
-       tests/suite/Makefile.am: removed legacy libgcrypt flags
-
-2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_state.c, tests/prf.c: gnutls_prf_rfc5705: optimize in
-       the common use case, by avoiding malloc Also don't handle specially the case of non-NULL context and
-       context_size of zero.
+       * lib/x509/common.c: Reset the output value on error in
+       _gnutls_x509_dn_to_string() Reported by Kurt Roeckx.
 
 2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * .gitignore: ignore more files
+       * lib/gnutls_state.c: gnutls_prf: document that this is not
+       identical to RFC5705
 
 2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * src/p11tool-args.def: p11tool: fix documentation for
        --generate-ecc and generate-dsa
 
-2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_state.c: gnutls_prf_rfc5705: mention the version it was
-       introduced at
-
-2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/prf.c: tests: added check for
-       gnutls_prf() and gnutls_prf_rfc5705
-
-2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map: gnutls_prf_rfc5705: added That includes support for RFC5705 when the context field is used.
-       Initial patch by Rick van Rein.
-
-2015-07-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-tokens.texi: doc update: explain more about PKCS #11 and
-       fork
-
-2015-07-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * configure.ac: configure: print the trousers lib only when set
-
-2015-07-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/tpmtool-args.def, src/tpmtool.c: tpmtool: Added --test-sign
-       parameter
-
-2015-07-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_global.c, lib/tpm.c: Deinitialize the TPM subsystem
-       only when trousers support is enabled
-
-2015-07-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * configure.ac, lib/Makefile.am, lib/gnutls_errors.c,
-       lib/gnutls_global.c, lib/gnutls_global.h,
-       lib/includes/gnutls/gnutls.h.in, lib/tpm.c: TPM: don't link to
-       trousers, use dlopen() That introduces --with-trousers-lib which can be used to specify the
-       library to dlopen().  Resolves #18
-
-2015-07-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
-       auto-generated files
-
 2015-07-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS, configure.ac, m4/hooks.m4: bumped version
 
-2015-07-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-07-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/gnutls/pkcs11.h: pkcs11: mention the version
-       GNUTLS_PKCS11_TOKEN_MODNAME is available from
+       * lib/ext/dumbfw.c: corrected function name
 
 2015-07-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * lib/auth/dhe_psk.c: PSK: set the hint in DHE-PSK and ECDHE-PSK
        ciphersuites
 
-2015-07-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/pskself.c: tests: updated pskself to check the hint in all
-       PSK ciphersuites
-
-2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/pkcs11.c: p11tool: be more compact in token URL printing
-
-2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/p11tool-args.def: p11tool: group the provided options for
-       readability
-
-2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/p11tool-args.def, src/p11tool.c: p11tool: keep backwards
-       compatibility by introducing --list-token-urls That is, the output of --list-tokens remains the same.
-
-2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/pkcs11.c: p11tool: print the module name of a token in verbose
-       mode
-
-2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_int.h,
-       lib/pkcs11_write.c, lib/pkcs11x.c: Added GNUTLS_PKCS11_TOKEN_MODNAME
-       for gnutls_pkcs11_token_get_info That allows to obtain the shared module name of a token URL.
-
-2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/pkcs11.h: pkcs11.h: doc  update
-
-2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/p11tool-args.def, src/p11tool.c: p11tool: less verbose output
-       in --list-tokens unless --verbose is specified
-
-2015-07-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suppressions.valgrind: tests: added suppression for bash mem
-       leak
-
-2015-07-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac, tests/Makefile.am, tests/cert-tests/Makefile.am: 
-       tests: don't run certtool-utf8 when libidn is 1.30 or less This avoids test suite failures due to libidn.
-
-2015-07-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli-args.def: gnutls-cli: doc update
-
 2015-07-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/ext/dumbfw.c: dumbfw: don't append a size prefix in the pad Reported by Hannes Mehnert.
 
-2015-07-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * gl/m4/valgrind-tests.m4: gl: use /bin/true to run valgrind during
-       configure Bash has memory leaks, which prevents the valgrind check to operate
-       using the SHELL variable.
-
-2015-07-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/cert-tests/Makefile.am, tests/cert-tests/certtool-utf8: 
-       tests: added check for invalid UTF8 encoded string
+2015-07-02  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
 
-2015-07-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * configure.ac: Revert "libidn support is disabled by default" This reverts commit 5fdffb2c177cb990480fb8b93c9257ccc5dfcaad.
-
-2015-07-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * : commit d63c088edd15f20318b396f2298744cbf9e1a392 Author: Daniel
-       Kahn Gillmor <dkg@fifthhorseman.net> Date:   Thu Jul 2 14:28:32 2015
-       -0400
+       * src/certtool.c: certtool --outder should not emit signature
+       verification status When emitting binary-formatted output, send signature verification
+       status to stderr, since it is not binary-formatted output.  A simpler version of this patch would be to always send signature
+       verification to stderr, but that would change the text-formatted
+       output.
 
 2015-07-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
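Review bot: the removed entries from `lib/tpm.c: tpm: use gnutls_hex_decode for uuid decoding` through `Introduced gnutls_hex_encode2() and gnutls_hex_decode2()` record a move to hex decoding that does not skip invalid input, including `psk: use gnutls_hex_decode2 for key decoding`, and nothing in the added lines replaces them. If the tree after this change no longer carries that hardening, say so in NEWS or the commit message; if it does, the entries should stay. The same question applies to `gnutls_prf_rfc5705`, whose entries are all dropped while the only added line on the subject is `gnutls_prf: document that this is not identical to RFC5705`.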
 
 2015-07-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/dsa/Makefile.am, tests/dsa/dsa-pubkey-1018.pem,
-       tests/dsa/testdsa: tests: check whether we print the prime size in
-       DSA keys
-
-2015-07-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/name_constraints.c: name constraints: simplified
-       gnutls_x509_name_constraints_check_crt()
-
-2015-07-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/cert-tests/Makefile.am, tests/cert-tests/name-constraints,
-       tests/cert-tests/name-constraints-ip.pem: tests: verify that
-       unsupported name constraints are properly handled
+       * NEWS: doc update
 
 2015-07-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        constraints, and the end certificate doesn't have an IPaddress name
        or a URI set.
 
-2015-06-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * po/ms.po.in: Sync with TP.
-
-2015-06-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac: libidn support is disabled by default That is until the issues with libidn get resolves.  Relates #10
-
-2015-06-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-06-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/Makefile.am, tests/atfork.c: tests: added a test for the
-       fork detection interface
-
-2015-06-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/resume-dtls.c: tests: resume-dtls: increased timeouts
-
-2015-06-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * configure.ac, lib/atfork.c, lib/atfork.h: Don't use
-       pthread_atfork(), it is not safe to use with dlopen() http://austingroupbugs.net/view.php?id=851
-
-2015-06-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/atfork.c, lib/atfork.h: atfork: added underscore to
-       gnutls_forkid
-
-2015-06-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/atfork.c, lib/atfork.h, lib/nettle/rnd-fips.c,
-       lib/nettle/rnd.c, lib/pkcs11.c: simplified fork detection
-
 2015-06-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/x509/privkey.c: enhanced header matching code for private keys
        to skip unrelated data
 
-2015-06-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-06-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/Makefile.am, tests/cert-tests/privkey-import,
-       tests/cert-tests/privkey1.pem, tests/cert-tests/privkey2.pem,
-       tests/cert-tests/privkey3.pem: tests: added private key import
-       checks
+       * NEWS: doc update
 
 2015-06-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/privkey.c: gnutls_x509_privkey_import: optimized private
-       key loading
+       * tests/suite/Makefile.am, tests/suite/ciphersuite/scan-gnutls.sh,
+       tests/suite/ciphersuite/test-ciphers.js,
+       tests/suite/ciphersuite/test-ciphersuites.sh,
+       tests/suite/test-ciphersuite-names: tests: backported
+       test-ciphersuite-names from master
 
 2015-06-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2015-06-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/key-openssl.c: tests: added check to verify that
-       gnutls_x509_privkey_import2 works for plain keys That is, when a password is provided and the key is non encrypted.
-
-2015-06-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
        * lib/x509/key_decode.c, lib/x509/mpi.c: _gnutls_get_asn_mpis() will
        release any data on failure Resolves #15
 
-2015-06-21  Alon Bar-Lev <alon.barlev@gmail.com>
+2015-06-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/aki, tests/cert-tests/certtool,
-       tests/cert-tests/crq, tests/cert-tests/dane,
-       tests/cert-tests/email, tests/cert-tests/invalid-sig,
-       tests/cert-tests/pathlen, tests/cert-tests/pem-decoding,
-       tests/cert-tests/pkcs7, tests/cert-tests/template-test,
-       tests/dsa/testdsa, tests/dtls/dtls, tests/dtls/dtls-nb,
-       tests/ecdsa/ecdsa, tests/key-tests/key-id, tests/key-tests/pkcs8,
-       tests/nist-pkits/gnutls_test_entry, tests/nist-pkits/pkits_crl,
-       tests/nist-pkits/pkits_crt, tests/nist-pkits/pkits_pkcs12,
-       tests/nist-pkits/pkits_smime, tests/nist-pkits/pkits_test,
-       tests/openpgp-certs/testcerts, tests/openpgp-certs/testselfsigs,
-       tests/pkcs1-padding/pkcs1-pad, tests/pkcs12-decode/pkcs12,
-       tests/pkcs8-decode/pkcs8, tests/rfc2253-escape-test,
-       tests/rsa-md5-collision/rsa-md5-collision, tests/sha2/sha2,
-       tests/sha2/sha2-dsa, tests/slow/override-ciphers,
-       tests/slow/test-ciphers, tests/suite/certs/create-chain.sh,
-       tests/suite/chain, tests/suite/crl-test, tests/suite/eagain,
-       tests/suite/invalid-cert, tests/suite/testcompat-main-openssl,
-       tests/suite/testcompat-main-polarssl,
-       tests/suite/testcompat-openssl, tests/suite/testcompat-polarssl,
-       tests/suite/testdane, tests/suite/testpkcs11,
-       tests/suite/testpkcs11.pkcs15, tests/suite/testpkcs11.sc-hsm,
-       tests/suite/testpkcs11.softhsm, tests/suite/testrandom,
-       tests/suite/testrng, tests/suite/testsrn, tests/userid/userid: 
-       tests: tab indent + minor style changes Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+       * tests/suite/testcompat-main: tests: backported test-compat-main
+       from master
 
-2015-06-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-06-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/ciphersuite/scan-gnutls.sh: tests: modified
-       test-ciphersuite-names to work with cpp 5.1.1
+       * lib/nettle/cipher.c: Corrected camellia256 set key in nettle3
+       compat mode
 
-2015-06-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-06-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/test-ciphersuite-names: tests: test-ciphersuite-names:
-       create any needed dirs
+       * lib/nettle/int/drbg-aes.c: drbg-aes: include gnutls_errors.h
 
-2015-06-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/Makefile.am, tests/suite/ciphersuite/scan-gnutls.sh,
-       tests/suite/ciphersuite/test-ciphersuites.sh,
-       tests/suite/test-ciphersuite-names: tests: moved
-       test-ciphersuites.sh one level up That simplifies running the script outside make check.
+       * lib/nettle/int/drbg-aes-self-test.c: fips140: added check for
+       reseed detection
 
-2015-06-21  Alon Bar-Lev <alon.barlev@gmail.com>
+2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/ciphersuite/scan-gnutls.sh,
-       tests/suite/ciphersuite/test-ciphers.js,
-       tests/suite/ciphersuite/test-ciphersuites.sh: tests: suite:
-       ciphersuite: fixups fix separate builddir issue, without modifying locations, quite
-       ugly.  re-indent using tab.  fix shebang.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+       * tests/rng-fork.c: tests: check random generator for long outputs
+       as well
 
-2015-06-21  Alon Bar-Lev <alon.barlev@gmail.com>
+2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/pkcs1-padding/pkcs1-pad, tests/suite/testcompat-openssl,
-       tests/suite/testcompat-polarssl: tests: enforce UTC timezone in
-       datefudge tests Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+       * lib/nettle/int/drbg-aes.c: fips140: reset the reseed counter only
+       on reseed
 
-2015-06-21  Alon Bar-Lev <alon.barlev@gmail.com>
+2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/aki, tests/cert-tests/certtool,
-       tests/cert-tests/crq, tests/cert-tests/dane,
-       tests/cert-tests/email, tests/cert-tests/invalid-sig,
-       tests/cert-tests/pathlen, tests/cert-tests/pem-decoding,
-       tests/cert-tests/pkcs7, tests/cert-tests/template-test,
-       tests/ecdsa/ecdsa, tests/key-tests/key-id, tests/key-tests/pkcs8,
-       tests/openpgp-certs/testselfsigs: tests: misc: shell cleanup leftovers minor sync.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
-
-2015-06-21  Alon Bar-Lev <alon.barlev@gmail.com>
-
-       * configure.ac, tests/suite/certs/create-chain.sh,
-       tests/suite/chain, tests/suite/crl-test, tests/suite/eagain,
-       tests/suite/invalid-cert, tests/suite/testcompat-common,
-       tests/suite/testcompat-main-openssl,
-       tests/suite/testcompat-main-polarssl,
-       tests/suite/testcompat-openssl, tests/suite/testcompat-polarssl,
-       tests/suite/testdane, tests/suite/testpkcs11,
-       tests/suite/testpkcs11.pkcs15, tests/suite/testpkcs11.sc-hsm,
-       tests/suite/testpkcs11.softhsm, tests/suite/testrandom,
-       tests/suite/testrng, tests/suite/testsrn: tests: suite: cleanup
-       shell usage Add quotes for most usages of variables.  Added ${} for variables.  Cleanup indentation to be consistent with other tests.  Fix separate builddir issues.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+       * lib/nettle/int/drbg-aes-self-test.c: fips140: added more checks on
+       the reseed and generate function
 
-2015-06-21  Alon Bar-Lev <alon.barlev@gmail.com>
+2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/pkcs1-padding/pkcs1-pad, tests/pkcs12-decode/pkcs12,
-       tests/pkcs8-decode/pkcs8, tests/rfc2253-escape-test,
-       tests/rsa-md5-collision/rsa-md5-collision, tests/sha2/sha2,
-       tests/sha2/sha2-dsa, tests/slow/override-ciphers,
-       tests/slow/test-ciphers, tests/userid/userid: tests: misc: cleanup
-       shell usage Add quotes for most usages of variables.  Added ${} for variables.  Cleanup indentation to be consistent with other tests.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+       * lib/nettle/int/drbg-aes.c, lib/nettle/int/drbg-aes.h: fips140:
+       enforce the max_number_of_bits_per_request
 
-2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-05-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/Makefile.am: tests: fixed includes
+       * lib/x509/ocsp_output.c: Check the OID size for match when
+       comparing for the OCSP nonce extension Reported by Hanno Böck.
 
-2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-05-23  Armin Burgmeier <armin@arbur.net>
 
-       * lib/gnutls_alert.c, lib/gnutls_cert.c, lib/gnutls_errors.c,
-       lib/gnutls_global.c, lib/gnutls_str.h, lib/x509/ocsp_output.c: move
-       all gettext definitions in gnutls_str.h
+       * lib/gnutls_ui.c: gnutls_dh_get_prime_bits: return 0 if DH is not
+       used Before, the number of bits of a zero-length number was attempted to
+       be extracted, resulting in an error. The changed behaviour is
+       consistent with the documentation which explicitly states that 0
+       should be returned if no DH key exchange was performed.
 
-2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-05-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * cross.mk: cross.mk: updated for 3.4.2
+       * lib/gnutls_ui.c: gnutls_dh_get_group: mention that the values may
+       include a leading zero
 
-2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-05-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_str.h: gnutls_str: include gettext.h when dgettext is
-       available
+       * lib/gnutls_ui.c: gnutls_dh_set_prime_bits: warn when overriding
+       the DH max prime size with 1007 bits or less
 
-2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-05-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/Makefile.am, tests/mini-dtls-fork.c, tests/mini-dtls-mtu.c,
-       tests/mini-dtls-pthread.c, tests/mini-dtls-record-asym.c,
-       tests/openpgp-auth.c, tests/openpgp-auth2.c, tests/pkcs12_simple.c,
-       tests/rsa-encrypt-decrypt.c, tests/utils.c, tests/utils.h,
-       tests/x509sign-verify.c, tests/x509sign-verify2.c: tests: don't
-       depend on gnulib That dependency unfortunately causes many portability problems on
-       platforms where it should have worked out of the box.
+       * NEWS: doc update
 
-2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-05-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * configure.ac, lib/accelerated/x86/aes-gcm-padlock.c,
+       lib/accelerated/x86/aes-gcm-x86-aesni.c,
+       lib/accelerated/x86/aes-gcm-x86-ssse3.c,
+       lib/accelerated/x86/aes-padlock.c,
+       lib/accelerated/x86/sha-padlock.c,
+       lib/accelerated/x86/sha-x86-ssse3.c, lib/nettle/Makefile.am,
+       lib/nettle/cipher.c, lib/nettle/int/dsa-fips.h,
+       lib/nettle/int/dsa-keygen-fips186.c, lib/nettle/int/dsa-validate.c,
+       lib/nettle/pk.c, m4/hooks.m4, tests/dsa/testdsa: Allow using nettle3
+       with gnutls3.3
 
-2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * devel/perlasm/cpuid-x86.pl, doc/scripts/cleanup-autogen.pl,
-       doc/scripts/gdoc, doc/scripts/getfuncs-map.pl,
-       doc/scripts/getfuncs.pl, doc/scripts/sort1.pl,
-       doc/scripts/sort2.pl, doc/scripts/split-texi.pl,
-       doc/scripts/split.pl, tests/nist-pkits/build-chain: use the same
-       shebang for perl
+       * tests/sign-md5-rep.c: tests: updated sign-md5-rep to reduce false
+       failures
 
-2015-06-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/certtool: tests: added a verify-chain test case
+       * tests/mini-loss-time.c: tests: eliminate mem leaks in
+       mini-loss-time
 
-2015-06-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/scripts/common.sh: tests: don't quote provider in common.sh That caused testpkcs11 to fail.
+       * tests/mini-loss-time.c: tests: backported mini-loss-time from
+       master
 
-2015-06-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-04-28  Jan Vcelak <jan.vcelak@nic.cz>
 
-       * tests/mini-alignment.c: tests: don't enforce alignment rules for
-       caller buffers
+       * lib/nettle/pk.c: fix memory leak in ECDSA key parameters
+       verification Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>
 
-2015-06-17  Alon Bar-Lev <alon.barlev@gmail.com>
+2015-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/cert-tests/aki, tests/cert-tests/certtool,
-       tests/cert-tests/crq, tests/cert-tests/dane,
-       tests/cert-tests/email, tests/cert-tests/invalid-sig,
-       tests/cert-tests/pathlen, tests/cert-tests/pem-decoding,
-       tests/cert-tests/pkcs7, tests/cert-tests/template-test: tests:
-       cert-tests: cleanup shell usage Add quotes for most usages of variables.  Added ${} for variables.  Cleanup trailing spaces.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+       * NEWS: updated NEWS
 
-2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * .gitlab-ci.yml: Added gitlab-ci.yml
+       * NEWS, configure.ac, m4/hooks.m4: released 3.3.15
 
-2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-04-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/libgnutls.map: reduced the exported functions to the minimum
-       needed
+       * lib/gnutls_dtls.c: doc: updated gnutls_dtls_set_timeouts
 
-2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_extensions.c: _gnutls_ext_register was made static
+       * lib/gnutls_handshake.c: gnutls_handshake_set_timeout will properly
+       work with DTLS
 
-2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/libgnutls.map: libgnutls.map: use a 3.4 related name for
-       private functions This eliminates any collisions with functions from 3.3.x
+       * doc/examples/ex-client-dtls.c: doc: fixed example with DTLS
+       timeouts
 
-2015-06-18  Alon Bar-Lev <alon.barlev@gmail.com>
+2015-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/nist-pkits/build-chain, tests/nist-pkits/gnutls_test_entry,
-       tests/nist-pkits/pkits, tests/nist-pkits/pkits_crl,
-       tests/nist-pkits/pkits_crt, tests/nist-pkits/pkits_pkcs12,
-       tests/nist-pkits/pkits_smime, tests/nist-pkits/pkits_test: tests:
-       nist-pkits: cleanup shell/perl usage Add quotes for most usages of variables.  Added ${} for variables.  Consistent indent.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+       * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h: updated
+       minitasn1
 
-2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/Makefile.am: tests: force link with nettle of mini-alignment
+       * NEWS: doc update
 
-2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/Makefile.am, tests/oids.c: tests: Check the OID functions
+       * tests/Makefile.am, tests/sign-md5-rep.c: tests: added reproducer
+       for the MD5 acceptance issue Reported by Karthikeyan Bhargavan.
 
-2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+       http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.htmlConflicts:         tests/Makefile.am
 
-       * NEWS: doc update
+2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+       * lib/ext/signature.c: before falling back to SHA1 as signature
+       algorithm in TLS 1.2 check if it is enabled
 
-       * lib/algorithms.h, lib/algorithms/ecc.c, lib/algorithms/mac.c,
-       lib/algorithms/publickey.c, lib/algorithms/sign.c, lib/gnutls_pk.c,
-       lib/gnutls_priority.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map, lib/x509/common.c, lib/x509/crl.c,
-       lib/x509/key_decode.c, lib/x509/key_encode.c, lib/x509/mpi.c,
-       lib/x509/ocsp.c, lib/x509/pkcs7.c, lib/x509/privkey.c,
-       lib/x509/privkey_pkcs8.c: Exported functions to convert from and to
-       OIDs
+2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2015-06-18  Saurav Babu <saurav.babu@samsung.com>
+       * lib/ext/signature.c: _gnutls_session_sign_algo_enabled: do not
+       consider any values from the extension data to decide acceptable
+       algorithms
 
-       * src/cli.c: gnutls-cli: Fixed Possible Memory Leak This patch fixes possible memory leak in psk_callback() function,
-       rawkey is allocated memory by gnutls_malloc() and is not freed when
-       gnutls_hex_decode() returns with error Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
+2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+       * lib/auth/cert.c: set the value used by
+       gnutls_certificate_client_get_request_status prior to selecting
+       certificate That allows gnutls_certificate_client_get_request_status() to be
+       properly operating from the callback. Reported by Anton Lavrentiev.
 
-       * lib/x509/pkcs7.c: pkcs7: corrected write_signer_id() when
-       GNUTLS_PKCS7_WRITE_SPKI was used
+2015-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2015-06-18  Alon Bar-Lev <alon.barlev@gmail.com>
+       * lib/gnutls_cert.c: fixed doc: reported by Anton Lavrentiev
 
-       * tests/openpgp-certs/testcerts, tests/openpgp-certs/testselfsigs: 
-       tests: openpgp-certs: cleanup shell usage Add quotes for most usages of variables.  Added ${} for variables.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2015-06-18  Alon Bar-Lev <alon.barlev@gmail.com>
+       * NEWS: doc update
 
-       * tests/key-tests/key-id, tests/key-tests/pkcs8: tests: key-tests:
-       cleanup shell usage Add quotes for most usages of variables.  Added ${} for variables.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2015-06-18  Alon Bar-Lev <alon.barlev@gmail.com>
+       * lib/gnutls_ui.c: gnutls_certificate_get_ours: will return the
+       certificate even if a callback was used This corrects a bug where this function would not work, when
+       gnutls_certificate_set_retrieve_function2() was used.
 
-       * tests/ecdsa/ecdsa: tests: ecdsa: cleanup shell usage Add quotes for most usages of variables.  Added ${} for variables.  Cleanup trailing spaces.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2015-06-18  Alon Bar-Lev <alon.barlev@gmail.com>
+       * lib/x509/x509.c: ensure that the X.509 version number is one byte
+       only
 
-       * tests/dsa/testdsa, tests/scripts/common.sh: tests: dsa: cleanup
-       shell usage Add quotes for most usages of variables.  Added ${} for variables.  Cleanup trailing spaces.  Removal of unneeded ';'.  Minor fix in tests/scripts/common.sh at trap to pass message and
-       avoid killing.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+       * lib/x509/x509.c: Check for invalid length in the X.509 version
+       field If such an invalid length is detected, reject the certificate.
+       Reported by Hanno Böck.
 
-       * lib/gnutls_mbuffers.c: indentation fix
+2015-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+       * tests/mini-loss-time.c: tests: mini-loss-time: ignore sigpipe
 
-       * lib/gnutls_int.h: Always align in 16-byte boundary our input to
-       crypto That allows faster operations in almost all instruction sets.
+2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
+       * NEWS: released 3.3.14
 
-       * tests/Makefile.am, tests/mini-alignment.c: tests: added check for
-       memory alignment
+2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2015-06-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+       * tests/suite/testcompat-main: tests: change the default port in
+       testcompat to avoid clash with testsrn
 
-       * tests/cert-tests/template-test: tests: only run test with long
-       dates in 64-bit systems
+2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+       * doc/texinfo.css: doc: increase border spacing in HTML tables
 
-       * tests/cert-tests/template-date.pem,
-       tests/cert-tests/template-dn.pem,
-       tests/cert-tests/template-generalized.pem,
-       tests/cert-tests/template-nc.pem,
-       tests/cert-tests/template-overflow.pem,
-       tests/cert-tests/template-overflow2.pem,
-       tests/cert-tests/template-test, tests/cert-tests/template-test.pem,
-       tests/cert-tests/template-utf8.pem: tests: regenerate the results in
-       template-test using UTC times
-
-2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_pubkey.c: ensure that gnutls_pubkey_verify_data2
-       returns 0 on success
+       * configure.ac, m4/hooks.m4: bumped version
 
-2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, lib/x509/pkcs7.c: 
-       Added gnutls_pkcs7_get_signature_count
+       * NEWS: doc update
 
-2015-06-17  Alon Bar-Lev <alon.barlev@gmail.com>
+2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/Makefile.am: tests: suite: run testpkcs11 if PKCS#11
-       is enabled Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+       * lib/gnutls_int.h: do not penalize CBC ciphers with the maximum
+       send data size That reduced the maximum send size for CBC ciphers from 16384 to
+       16384-(block size), which was unnecessary and was causing issues:
+       https://bugs.winehq.org/show_bug.cgi?id=37500
 
-2015-06-17  Alon Bar-Lev <alon.barlev@gmail.com>
+2015-03-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/nist-pkits/gnutls_test_entry,
-       tests/suite/certs/create-chain.sh: tests: remove bash usage Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+       * lib/algorithms/ciphersuites.c,
+       tests/suite/ciphersuite/scan-gnutls.sh: made ciphersuites.c more
+       self-contained to be handled by test-ciphersuites.sh
 
-2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * lib/x509/x509_ext.c: Better fix for the double free in dist point
+       parsing
 
-2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/cert-tests/Makefile.am, tests/cert-tests/template-date.pem,
-       tests/cert-tests/template-dn.pem,
-       tests/cert-tests/template-generalized.pem,
-       tests/cert-tests/template-generalized.tmpl,
-       tests/cert-tests/template-nc.pem,
-       tests/cert-tests/template-overflow.pem,
-       tests/cert-tests/template-overflow2.pem,
-       tests/cert-tests/template-test, tests/cert-tests/template-test.pem,
-       tests/cert-tests/template-utf8.pem: tests: verify that we generate
-       dates with UTCTime prior to 2050 Also that we generate dates with GeneralizedTime format after 2050.
+       * lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h: updated
+       libtasn1
 
-2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/common.c, lib/x509/common.h: When writing the Time ASN.1
-       structure follow the RFC5280 recommendations
+       * lib/gnutls_datum.c, lib/gnutls_datum.h, lib/x509/gnutls-idna.c,
+       lib/x509/x509_ext.c: gnutls_subject_alt_names_set and
+       gnutls_x509_aki_set_cert_issuer will set null-terminated strings
 
-2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/common.c: Set time in PKCS #7 structures properly (in
-       UTCTime format).
+       * lib/x509/x509_ext.c: eliminated double-free in the parsing of dist
+       points Reported by Robert ÅšwiÄ™cki.
 
-2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
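Review bot: two of the added entries above carry damaged text that should be cleaned up before this ChangeLog lands. In the 2015-03-23 lib/x509/x509_ext.c entry (the double-free in dist point parsing), the reporter's surname reads "ÅšwiÄ™cki", while "Hanno Böck" in other added entries is intact, which suggests this one string was converted twice; re-encode the name as plain UTF-8. In the 2015-04-25 tests/sign-md5-rep.c entry, the reference URL is fused with a cherry-pick trailer ("007572.htmlConflicts:         tests/Makefile.am"), so the link to the MD5 acceptance report no longer resolves when copied; end the URL at ".html" and drop the "Conflicts:" residue.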
 
-2015-06-16  Alon Bar-Lev <alon.barlev@gmail.com>
-
-       * tests/cert-tests/pkcs7: tests: cert-tests: pkcs7: support separate
-       builddir Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
-
-2015-06-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * symbols.last: account new symbols
+       * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: increased
+       the size of ck_attributes
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * doc/Makefile.am, doc/doc.mk, doc/manpages/Makefile.am: updated
-       makefiles for the new functions
+       * lib/pkcs11_privkey.c: pkcs11: check gnutls_rnd() for error
+       condition
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/pkcs7.c, lib/x509/x509_ext.c: doc update
+       * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: set a
+       CKA_ID on key generation
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/Makefile.am, lib/x509/pkcs7-output.c,
-       lib/x509/pkcs7_output.c: use common base for pkcs7 files
+       * lib/pkcs11_write.c: pkcs11: set the CKA_SIGN and CKA_DECRYPT flags
+       when writing a private key
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS, lib/libgnutls.map: added missing symbol
+       * lib/ext/server_name.c: When an application calls
+       gnutls_server_name_set() with a name of zero size disable the
+       extension Resolves #2
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: released 3.4.2
+       * NEWS: doc update
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-args.def, src/certtool.c, tests/cert-tests/pkcs7: 
-       certtool: made explicit the inclusion of time in PKCS #7 signatures
+       * lib/x509/name_constraints.c: name constraints: when no name of the
+       type is found, accept the certificate This follows RFC5280 advice closely. Reported by Fotis Loukos.
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/common.c, lib/x509/common.h, lib/x509/pkcs7.c: pkcs7:
-       write the DER encoded time
+       * lib/gnutls_handshake.c: avoid overflow when receiving DTLS 0.9 CCS
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool.c: certtool: include the signature time in PKCS #7
-       signatures
+       * lib/gnutls_supplemental.c: Fixed handling of supplemental data
+       with types > 255.  Patch by Thierry Quemerais.
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/pkcs7.c: pkcs7: corrected usage of
-       GNUTLS_PKCS7_INCLUDE_TIME flag
+       * lib/gnutls_priority.c: doc update
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/full.p7b.out, tests/cert-tests/single-ca.p7b.out: 
-       tests: minor updates in pkcs7 output checks to match new certtool
+       * lib/gnutls_priority.c: gnutls_priority_init: document that
+       priorities can be NULL
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool.c: certtool: rely on gnutls_pkcs7_print() even more
+       * lib/crypto-selftests.c: corrected self test for 3DES
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/pkcs7_output.c: pkcs7: print certificates and CRLs in
-       FULL mode
+       * lib/pkcs11.c: pkcs11: only set ID and label when both size and
+       data are set
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * configure.ac: configure: check for /usr/share/dns/root.key as well
+       for dns root key
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/certtool.c: certtool: use gnutls_pkcs7_print() - partially
+       * m4/hooks.m4: corrected macro which checks libtasn1 for
+       asn1_decode_simple_ber
 
-2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/gnutls/pkcs7.h, lib/libgnutls.map,
-       lib/x509/Makefile.am, lib/x509/pkcs7.c, lib/x509/pkcs7_output.c: 
-       Added gnutls_pkcs7_print()
+       * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h,
+       lib/minitasn1/parser_aux.c: minitasn1: updated to libtasn1 4.3
 
-2015-06-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * configure.ac, m4/hooks.m4: bumped version
+       * doc/cha-internals.texi: rearranged internal documentation
 
-2015-06-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/Makefile.am, tests/x509sign-verify2.c: tests: added
-       signature/verification stress test
+       * src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def,
+       src/socket.c: tools: added ftp as a starttls protocol
 
-2015-06-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/testcompat-main-openssl,
-       tests/suite/testcompat-main-polarssl: tests: check also individual
-       ciphers for interoperability
+       * src/cli-args.def: gnutls-cli: starttls and starttls-proto can't
+       mix
 
-2015-06-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/fips.c: fips140: better debug messages when verifying MAC
+       * doc/cha-gtls-app.texi: expand on SECURE256 being an alias to
+       SECURE192
 
-2015-06-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/tpmtool.c: tpmtool: added newline in error messages
+       * src/tests.c: gnutls-cli-debug: corrected check of certificate
+       chain order
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/nettle/int/drbg-aes-self-test.c: fips140: added check for
-       reseed detection
+       * tests/x509cert.c: tests: added small test to verify that
+       GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED succeeds with a single cert
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/rng-fork.c: tests: check random generator for long outputs
-       as well
+       * src/cli-debug.c, src/tests.c: gnutls-cli-debug: disable
+       unsupported TLS protocols as soon
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/fips.c: fips140: when GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS is
-       setup do not perform integrity tests
+       * src/socket.c: cli sockets: check for a digit prior using atoi
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/nettle/int/drbg-aes.c: fips140: reset the reseed counter only
-       on reseed
+       * src/tests.c: gnutls-cli-debug: a cert list of size 1 is always
+       sorted
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/nettle/rnd-fips.c: fips140: when reseeding only reseed the
-       required context not all
+       * src/socket.c: gnutls-cli-debug: do not warn multiple times about
+       unknown protocols
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/nettle/int/drbg-aes-self-test.c: fips140: added more checks on
-       the reseed and generate function
+       * doc/cha-support.texi: updated documentation on FIPS140-2
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/nettle/int/drbg-aes.c, lib/nettle/int/drbg-aes.h: fips140:
-       enforce the max_number_of_bits_per_request
+       * tests/cert-tests/Makefile.am,
+       tests/cert-tests/template-basic.pem,
+       tests/cert-tests/template-basic.tmpl,
+       tests/cert-tests/template-test: Revert "tests: template-test: added
+       a baseline check to detect slow systems" This reverts commit 2ee2a78178a842c9b0ef2ca3e12909ca3bb9fe79.
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/cert-tests/full.p7b.out, tests/cert-tests/pkcs7,
-       tests/cert-tests/single-ca.p7b.out: tests: do not include times in
-       the PKCS #7 checks as they depend on local timezone
+       * tests/cert-tests/template-test: tests: don't perform the overflow
+       check in 32-bit systems
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/pkcs7.c: pkcs7: addressed memory leaks
+       * tests/cert-tests/template-date.pem,
+       tests/cert-tests/template-date.tmpl: tests: date parsing test was
+       modified to work in 32-bit systems
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/pkcs7-attrs.c: doc update
+       * tests/cert-tests/Makefile.am,
+       tests/cert-tests/template-basic.pem,
+       tests/cert-tests/template-basic.tmpl,
+       tests/cert-tests/template-test: tests: template-test: added a
+       baseline check to detect slow systems
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/Makefile.am, tests/pkcs7-gen.c: tests: Added PKCS #7
-       attribute generation check
+       * tests/suite/testpkcs11: testpkcs11: do not ignore the failure to
+       write a trusted CA
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/full.p7b.out, tests/cert-tests/single-ca.p7b.out: 
-       tests: updated for new certtool output
+       * tests/suite/testpkcs11: testpkcs11: detect softhsm2
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool.c: certtool: print signed and unsigned PKCS #7
-       attributes
+       * lib/gnutls_pubkey.c, lib/tpm.c, lib/x509/common.c,
+       lib/x509/common.h, lib/x509/dn.c, lib/x509/ocsp.c,
+       lib/x509/pkcs12.c, lib/x509/pkcs12_bag.c, lib/x509/x509_ext.c,
+       m4/hooks.m4: use asn1_decode_simple_ber if available
 
-2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-02-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, lib/pkix.asn,
-       lib/pkix_asn1_tab.c, lib/x509/Makefile.am, lib/x509/pkcs7-attrs.c,
-       lib/x509/pkcs7.c, lib/x509/x509_int.h: Added code to parse and set
-       PKCS #7 attributes
+       * lib/includes/gnutls/abstract.h: list
+       gnutls_pubkey_get_verify_algorithm as deprected
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/pkcs7: tests: added PKCS #7 verification check
-       with MD5
+       * lib/gnutls_handshake.c: corrected typo in gnutls_handshake(),
+       spotted by Andris Mednis
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_errors.c, lib/gnutls_pubkey.c,
-       lib/includes/gnutls/abstract.h, lib/includes/gnutls/gnutls.h.in,
-       lib/includes/gnutls/x509.h, lib/x509/pkcs7.c, lib/x509/x509.c: use
-       the same flags in all verification functions
+       * NEWS, configure.ac, m4/hooks.m4: released 3.3.13
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/pkcs7.c: _decode_pkcs7_signed_data: fixed mem leaks
+       * tests/cert-tests/Makefile.am, tests/cert-tests/invalid-sig,
+       tests/cert-tests/invalid-sig2.pem,
+       tests/cert-tests/invalid-sig3.pem: tests: added checks for invalid
+       X.509 certificate signatures
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/common.h, lib/x509/x509.c, lib/x509/x509_int.h: 
-       Initialization of gnutls_x509_dn_t was modified to allow
-       deinitialization after failure Part2: made gnutls_x509_crt_get_subject() and
-       gnutls_x509_crt_get_issuer() return a constant value and avoid
-       leaks.
+       * lib/gnutls_session.c: doc update: document that session_get_data()
+       must be used in non-resumed sessions
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/Makefile.am, doc/cha-functions.texi, doc/doc.mk: doc:
-       Separated the PKCS #7 in manual
+       * tests/suite/testcompat-main: tests: testcompat: disable tests with
+       NULL ciphersuites; debian doesn't support them
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/cert-tests/pkcs7: tests: check PKCS #7 structure signature
-       generation
+       * lib/gnutls_buffers.c: fixed handling of GNUTLS_E_INT_CHECK_AGAIN
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/cert-tests/Makefile.am, tests/cert-tests/p7-combined.out,
-       tests/cert-tests/pkcs7: tests: check PKCS #7 bundle generation
+       * tests/mini-overhead.c, tests/mini-record.c: tests: require DTLS
+       1.2 when using GCM
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/certtool-args.def, src/certtool-common.c,
-       src/certtool-common.h, src/certtool.c: certtool: added
-       --p7-generate, --p7-sign and --p7-detached-sign
+       * lib/algorithms/ciphersuites.c: corrected check which prevented
+       client to sent an unacceptable for the version ciphersuite
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/includes/gnutls/pkcs7.h, lib/libgnutls.map,
-       lib/x509/common.c, lib/x509/pkcs7.c: Added gnutls_pkcs7_sign()
+       * lib/gnutls_record.c: fixed sequence number copy
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, lib/x509/pkcs7.c: 
-       Added gnutls_pkcs7_get_crl_raw2
+       * NEWS: doc update
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool.c: certtool: print the signing time when available
+       * lib/x509/x509.c: when importing a certificate ensure that the
+       signature parameters match
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/gnutls/pkcs7.h, lib/x509/common.c, lib/x509/pkcs7.c: 
-       pkcs7 verification: parse the signing time
+       * NEWS: doc update
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/pkcs7.c: on PKCS #7 verification check the the content
-       type matches the signed data
+       * lib/accelerated/x86/x86-common.c: Allow AESNI GCM accelaration in
+       x86
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/certtool.c: certtool: print more info about the PKCS #7 struct
+       * src/cli.c: handle differently OCSP responses that are revoked and
+       of unknown status
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-02-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-args.def, src/certtool-common.c, src/certtool.c: 
-       certtool: allow verification against a direct PKCS #7 signer
+       * src/common.c: compilation fix with return on void function;
+       reported by David Marx
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-01-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/Makefile.am, tests/cert-tests/pkcs7,
-       tests/cert-tests/pkcs7-detached.txt: tests: added checks with PKCS
-       #7 detached data
+       * lib/gnutls_state.c: doc update
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-01-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/pkcs7.c: pkcs7 verification: return
-       GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when no encapsulated data
-       exist
+       * lib/gnutls_buffers.c: set the appropriate direction when
+       _gnutls_io_write_flush() is called
 
-2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-01-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-args.def, src/certtool-common.h, src/certtool.c: 
-       certtool: allow verifying PKCS #7 with detached data
+       * doc/cha-gtls-app.texi: documented using a session with fork or
+       multiple threads
 
-2015-06-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/certtool-args.def, src/certtool.c: certtool: improved PKCS #7
-       verification output
+       * lib/gnutls_buffers.c: print errno in a more uniform way
 
-2015-06-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-01-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/pkcs7: tests: check the key purpose in PKCS #7
-       verification
+       * lib/x509/x509.c: on certificate import check whether the two
+       signature algorithms match
 
-2015-06-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/cert-tests/Makefile.am, tests/cert-tests/full.p7b.out,
-       tests/cert-tests/pkcs7: tests: added PKCS #7 test with more than 1
-       certs
+       * lib/gnutls_buffers.c: simplified _gnutls_writev() by requiring the
+       total length
 
-2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-args.def, src/certtool-common.h, src/certtool.c: 
-       certtool: allow verification of PKCS #7 structures
+       * src/cli.c, src/ocsptool-common.c, src/ocsptool-common.h: don't be
+       so verbose about the OCSP nonce; it is universally unsupported
 
-2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-17  Tim Ruehsen <tim.ruehsen@gmx.de>
 
-       * lib/includes/gnutls/x509.h, lib/x509/common.h, lib/x509/dn.c,
-       lib/x509/x509.c: Initialization of gnutls_x509_dn_t was modified to
-       allow deinitialization after failure
+       * src/cli.c, src/ocsptool-common.c: OCSP check the whole cert chain Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/Makefile.am, lib/includes/gnutls/pkcs7.h,
-       lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/pkix.asn,
-       lib/pkix_asn1_tab.c, lib/x509/dn.c, lib/x509/pkcs7.c: Added PKCS #7
-       signature(s) verification
+       * NEWS: released 3.3.12
 
-2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
-       lib/x509/verify-high.c: Added
-       gnutls_pkcs11_get_raw_issuer_by_subject_key_id and
-       gnutls_x509_trust_list_get_issuer_by_subject_key_id
+       * NEWS: doc update
 
-2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/dn.c: tests: added check for gnutls_x509_dn_get_str
+       * configure.ac, m4/hooks.m4: bumped versions
 
-2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/libgnutls.map, lib/x509/x509.c: added gnutls_x509_dn_get_str
+       * NEWS: doc update
 
-2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_privkey.c: doc update
-
-2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/compat.h, lib/includes/gnutls/x509.h,
-       lib/x509/privkey.c, lib/x509/x509.c: Added
-       gnutls_x509_crt_verify_data2() and kept gnutls_privkey_sign_data()
-
-2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/pkix.asn, lib/pkix_asn1_tab.c, lib/x509/pkcs7.c: verify PKCS
-       #7 signed data
-
-2015-05-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/pkcs7.c, lib/x509/x509_int.h: updated PKCS #7 code to
-       cache signed_data
-
-2015-06-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11.c: When manual PKCS #11 configuration is requested
-       don't initialize other providers
-
-2015-05-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool.c: certtool: deinitialize PKCS #7 resources
-
-2015-05-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/cert-tests/Makefile.am, tests/cert-tests/pkcs7,
-       tests/cert-tests/single-ca.p7b.out: tests: Added tests for PKCS7
-       cert extraction
-
-2015-05-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * gl/m4/codeset.m4, gl/m4/extern-inline.m4, gl/m4/gettext.m4,
-       gl/m4/iconv.m4, gl/m4/intl.m4, gl/m4/intldir.m4,
-       gl/m4/intlmacosx.m4, gl/m4/lcmessage.m4, gl/m4/manywarnings.m4,
-       gl/m4/nls.m4, gl/m4/po.m4, gl/m4/stdio_h.m4, gl/stddef.in.h,
-       gl/string.in.h, gl/tests/inttypes.in.h, gl/tests/test-read-file.c,
-       gl/tests/test-stddef.c, src/gl/error.h, src/gl/fseeko.c,
-       src/gl/m4/extern-inline.m4, src/gl/m4/stdio_h.m4,
-       src/gl/stddef.in.h, src/gl/string.in.h, src/gl/xalloc.h: Revert
-       "updated gnulib" This reverts commit c040ce6dd05b48b971d8dcc8fc8f23957ed15f9c.
-
-2015-05-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * configure.ac: silence format-signness warnings in gcc5
-
-2015-05-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * gl/m4/codeset.m4, gl/m4/extern-inline.m4, gl/m4/gettext.m4,
-       gl/m4/iconv.m4, gl/m4/intl.m4, gl/m4/intldir.m4,
-       gl/m4/intlmacosx.m4, gl/m4/lcmessage.m4, gl/m4/manywarnings.m4,
-       gl/m4/nls.m4, gl/m4/po.m4, gl/m4/stdio_h.m4, gl/stddef.in.h,
-       gl/string.in.h, gl/tests/inttypes.in.h, gl/tests/test-read-file.c,
-       gl/tests/test-stddef.c, src/gl/error.h, src/gl/fseeko.c,
-       src/gl/m4/extern-inline.m4, src/gl/m4/stdio_h.m4,
-       src/gl/stddef.in.h, src/gl/string.in.h, src/gl/xalloc.h: updated
-       gnulib
-
-2015-05-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/ocsp_output.c: Check the OID size for match when
-       comparing for the OCSP nonce extension Reported by Hanno Böck.
-
-2015-05-23  Armin Burgmeier <armin@arbur.net>
-
-       * lib/gnutls_ui.c: gnutls_dh_get_prime_bits: return 0 if DH is not
-       used Before, the number of bits of a zero-length number was attempted to
-       be extracted, resulting in an error. The changed behaviour is
-       consistent with the documentation which explicitly states that 0
-       should be returned if no DH key exchange was performed.
-
-2015-05-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_ui.c: gnutls_dh_get_group: mention that the values may
-       include a leading zero
-
-2015-05-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_ui.c: gnutls_dh_set_prime_bits: warn when overriding
-       the DH max prime size with 1007 bits or less
-
-2015-05-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/verify-tofu.c: cleanup unused variable
-
-2015-05-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/verify-tofu.c: corrected allocation check
-
-2015-05-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/pkcs11.c: removed useless check
-
-2015-05-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_pubkey.c: document intentional fallthrough in switch
-
-2015-05-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/ext/ecc.c: ecc ext: check return code of
-       _gnutls_buffer_append_data
+       * libdane/errors.c: corrected typos Reported by Guido Kroon.
 
-2015-05-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-01-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/no-signal.c: tests: enhance the no-signal check to include
-       proper data sending
+       * lib/algorithms/protocols.c, lib/gnutls_int.h: Added the notion of
+       obsolete versions That prevents using these versions as record version numbers, unless
+       they are the only protocol supported. This avoids the issues with
+       servers that have banned SSL 3.0 record versions.
 
-2015-05-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-01-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * src/ocsptool-common.c: ocsptool: follow the documented process for
+       gnutls_x509_crt_get_authority_info_access
 
-2015-05-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-01-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/Makefile.am, tests/no-signal.c: tests: check the operation
-       of GNUTLS_NO_SIGNAL
+       * lib/x509/x509.c: gnutls_x509_crt_get_authority_info_access: doc
+       update
 
-2015-05-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-01-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in,
-       lib/system.c, lib/system.h: Allow the usage of MSG_NOSIGNAL in send
-       functions That introduces the GNUTLS_NO_SIGNAL flag for gnutls_init(), which
-       is available in systems that support the MSG_NOSIGNAL flag to
-       send(). That eases the usage of the library within other libraries.
-       Resolves #11
+       * src/ocsptool-common.c: ocsptool-common: iterate through all AIA
+       items prior to decidig the OCSP server
 
-2015-05-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/accelerated/x86/aes-gcm-x86-pclmul.c,
-       lib/accelerated/x86/hmac-padlock.c: include nettle/memxor when
-       needed
+       * src/cli-args.def: simplified text for inline-commands-prefix
 
-2015-05-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/serv.c: gnutls-serv: send alert when wrong data have been
-       received from client
+       * NEWS: doc update: added urls of savannah reports
 
-2015-05-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2015-05-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/nettle/cipher.c: camellia256-gcm: corrected regression Reported by Manuel Pegourie-Gonnard.
-
-2015-05-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_x509.c: doc update
-
-2015-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-bib.texi, doc/cha-cert-auth.texi, doc/latex/gnutls.bib: 
-       doc: added section about subject alternative names
-
-2015-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_dtls.c, lib/gnutls_dtls.h, lib/gnutls_handshake.c,
-       lib/gnutls_int.h: handshake_start_time was moved out of the
-       DTLS-specific variables
+       * src/cli-args.def, src/cli.c, src/socket.c: gnutls-cli: added
+       --starttls-proto option
 
-2015-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_handshake.c: apply default timeout for DTLS in
-       gnutls_handshake_set_timeout
+       * lib/pkcs11.c: pkcs11: cleanup the name of types Conflicts:         lib/pkcs11.c
 
-2015-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/hostname-check.c: tests: do not perform internationalized
-       name checks without libidn
+       * lib/pkcs11.c: pkcs11: when importing a public key, import it's
+       data as well (version 2 fix)
 
-2015-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/sign-md5-rep.c: tests: updated sign-md5-rep to reduce false
-       failures
+       * lib/x509/verify.c: doc update
 
-2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/mini-loss-time.c: tests: eliminate mem leaks in
-       mini-loss-time
+       * lib/pkcs11.c: pkcs11: when importing a public key, import it's
+       data as well
 
-2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/testdane: tests: testdane: remove dane.nox.su from the
-       list of known to be good hosts
+       * lib/gnutls_cert.c: doc update
 
-2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/mini-loss-time.c: tests: mini-loss-time enhanced to check
-       proper timeouts in both client and server
-
-2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_dtls.c, lib/gnutls_dtls.h, lib/gnutls_int.h,
-       lib/gnutls_state.c: dtls: combined the total timeouts of DTLS and
-       TLS handshake That also makes the waits for packets more robust against blocking.
-
-2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/compat.h: define
-       GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA
-
-2015-05-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-tokens.texi: doc: updated text to account for pkcs11-url
-       standardization
-
-2015-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-dtls-mtu.c: tests: mini-dtls-mtu: compile in windows
-
-2015-05-04  Jaak Ristioja <jaak.ristioja@cyber.ee>
-
-       * doc/cha-intro-tls.texi: doc: Fixed typo in heartbeat
-       documentation.
-
-2015-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * cross.mk: cross.mk: updated for 3.4.1
-
-2015-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * devel/abi3.4.xml: updated abi base for 3.4
-
-2015-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: NEWS: updated
-
-2015-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS, configure.ac, m4/hooks.m4: released 3.4.1
-
-2015-04-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_dtls.c: doc: updated gnutls_dtls_set_timeouts
-
-2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/examples/ex-client-dtls.c: doc: fixed example with DTLS
-       timeouts
-
-2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: use
-       macro for DTLS default timeout
+       * lib/gnutls_state.c: When setting up TLS with cert-type OpenPGP
+       from a client, the server verifies if it supports the extension’s
+       contents in _gnutls_session_cert_type_supported().  This function
+       checks for cred->get_cert_callback but not cred->get_cert_callback2.
+       As a result, servers setup for OpenPGP certificate credential
+       callback with gnutls_certificate_set_retrieve_function2() are unable
+       to use the OpenPGP certificate type.  The solution is to consider cred->get_cert_callback2 alongside
+       cred->get_cert_callback in _gnutls_session_cert_type_supported().  Patch by Rick van Rein.
 
-2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_handshake.c: gnutls_handshake_set_timeout will properly
-       work with DTLS
+       * lib/gnutls_privkey.c: gnutls_privkey_import_openpgp_raw: do not
+       release the cached value
 
-2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_handshake.c, lib/gnutls_record.c: document the need for
-       gnutls_transport_set_pull_timeout_function
-
-2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-gtls-app.texi: doc: updated async operation text
-
-2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_handshake.c, lib/gnutls_state.c: disable default
-       handshake timeout It caused issues with non-blocking TLS clients and servers which may
-       not want to block while the pull timeout function waits.
-
-2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/mini-tls-nonblock.c: tests: added check
-       to verify that pull timeout is not called on non-blocking sessions
-
-2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_dtls.c, lib/gnutls_dtls.h, lib/gnutls_handshake.c,
-       lib/gnutls_int.h, lib/gnutls_record.c, lib/gnutls_state.c,
-       lib/includes/gnutls/gnutls.h.in, lib/system_override.c: 
-       GNUTLS_NONBLOCK can be used for non-DTLS sessions as well
-
-2015-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/system_override.c: doc update
-
-2015-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/algorithms/ciphersuites.c: doc update
-
-2015-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/keygen.c, tests/slow/Makefile.am,
-       tests/slow/keygen.c: tests: key generation test was moved to main
-       checks This will allow to catch memory leaks with valgrind.
-
-2015-04-28  Jan Vcelak <jan.vcelak@nic.cz>
+2015-01-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/nettle/pk.c: fix memory leak in ECDSA key parameters
-       verification Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>
+       * lib/gnutls_buffers.c, lib/gnutls_errors.h: When receiving a TLS
+       record with multiple handshake packets, parse them in one go That resolves: https://savannah.gnu.org/support/?108712
 
-2015-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-08  Ludovic Courtès <ludo@gnu.org>
 
-       * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h: updated
-       minitasn1
+       * NEWS, guile/modules/gnutls.in: guile: Call 'load-extension' both
+       during expansion and at run time.  Fixes <https://bugzilla.redhat.com/show_bug.cgi?id=1177847>.  * guile/modules/gnutls.in: Wrap '%libdir' definition and   'load-extension' call in 'eval-when'.  * NEWS: Update.
 
-2015-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
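Review bot: The ChangeLog rewrite in this region has nothing to do with the minitasn1 fix named in the commit title and should be split into its own commit. The removed side carries 3.4-series history (`* NEWS, configure.ac, m4/hooks.m4: released 3.4.1`, `* devel/abi3.4.xml: updated abi base for 3.4`), while the added side carries 3.3-series history (`released 3.3.13`, `released 3.3.12`), which reads as a file regenerated from another branch rather than one edited for this change. It also deletes the 2015-04-28 entry `* lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h: updated minitasn1`, and nothing added in this region describes the CVE-2017-6891 change. Suggest keeping the security commit to the minitasn1 sources plus a single ChangeLog entry that names the CVE and the files touched, so the fix can be audited and backported without wading through unrelated history churn.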
 
-2015-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/name_constraints.c, tests/name-constraints.c: Handle DNS
-       name constraints with leading dot Patch by Fotis Loukos.  Resolves 3 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-2015-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-upgrade.texi: doc update
+2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2015-04-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
+       * lib/gnutls_buffers.c: in DTLS don't combine multiple packets which
+       exceed MTU Resolves: https://savannah.gnu.org/support/?108715
 
-       * lib/pkcs11.c: updated text for gnutls_pkcs11_init
+2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2015-04-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
+       * lib/gnutls_buffers.c: Added more precise check of push functions
+       availability
 
-       * doc/cha-tokens.texi: updated pkcs11 loading documentation
+2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2015-04-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+       * src/Makefile.am: danetool: only compile when dane is enabled
 
-       * tests/mini-etm.c: tests: mini-etm: use TLS as the transport layer
+2014-12-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-2015-04-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+       * lib/crypto-backend.c: Allow a random generator with the same
+       priority to re-register That corrects an issue where the library is deinitialized, and
+       reinitialization wouldn't register the same rnd module.  Reported by
+       Stanislav Zidek.
 
-       * tests/sign-md5-rep.c: tests: added comment for sign-md5-rep
+2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2015-04-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+       * src/certtool-cfg.c: certtool: modified check for READ_NUMERIC
 
-       * .gitignore: more files to ignore
+2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2015-04-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+       * src/certtool-cfg.c: certtool: use 64-bit type for CRL serial
+       number
 
-       * po/fr.po.in: Sync with TP.
+2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+       * src/certtool-cfg.c: certtool: check for overflows when reading
+       serial numbers
 
-       * NEWS: doc update
+2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+       * src/certtool-cfg.c, src/certtool-cfg.h: certtool: use int64_t as
+       type for integers read
 
-       * tests/Makefile.am, tests/sign-md5-rep.c: tests: added reproducer
-       for the MD5 acceptance issue Reported by Karthikeyan Bhargavan.
+2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.html
+       * src/socket.c: gnutls-cli-debug: more precise handling of SMTP
+       protocol Patch by Andreas Metzler.
 
-2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/ext/signature.c: before falling back to SHA1 as signature
-       algorithm in TLS 1.2 check if it is enabled
+       * NEWS: doc update
 
-2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/ext/signature.c: _gnutls_session_sign_algo_enabled: do not
-       consider any values from the extension data to decide acceptable
-       algorithms
-
-2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-x509-cert-callback.c: tests: added unit tests for
-       gnutls_certificate_client_get_request_status
-
-2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/auth/cert.c: set the value used by
-       gnutls_certificate_client_get_request_status prior to selecting
-       certificate That allows gnutls_certificate_client_get_request_status() to be
-       properly operating from the callback. Reported by Anton Lavrentiev.
-
-2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_cert.c: updated doc for retrieve function
-
-2015-04-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-bib.texi, doc/latex/gnutls.bib: updated PKCS #11 URL
-       references to rfc7512
-
-2015-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_cert.c: doc update
-
-2015-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/x509self.c: tests: added check for gnutls_credentials_get
-
-2015-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_auth.c, lib/gnutls_cert.c: doc update
-
-2015-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_cert.c: fixed doc: reported by Anton Lavrentiev
-
-2015-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-upgrade.texi: doc: corrected typo
-
-2015-04-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/resume-dtls.c: tests: resume-dtls: remove global variables
-
-2015-04-21  Andreas Metzler <ametzler@bebt.de>
-
-       * doc/cha-gtls-app.texi: List all certificate type priority strings.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-2015-04-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/auth/rsa.c: tls-rsa: keep a common code path when doing RSA
-       decryption Suggested by Nimrod Aviram.
-
-2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/mini-dtls-rehandshake.c, tests/mini-handshake-timeout.c,
-       tests/mini-key-material.c, tests/mini-loss-time.c,
-       tests/mini-record-retvals.c, tests/mini-rehandshake-2.c: tests:
-       initialize status where needed
-
-2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/openpgp-auth2.c: tests: cleanup openpgp-auth2
-
-2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/mini-dtls-rehandshake.c: tests: cleanup
-       mini-dtls-rehandshake
-
-2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/resume-dtls.c, tests/resume.c: tests: resume: check for
-       signals
-
-2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/certificate_set_x509_crl.c, tests/mini-record-range.c,
-       tests/mini-x509-callbacks.c, tests/openpgp-auth2.c,
-       tests/record-sizes-range.c, tests/resume.c: tests: reduced compiler
-       warnings
-
-2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/mini-x509.c: tests: verify the return value of
-       gnutls_certificate_get_ours when no cert is sent
-
-2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/resume-dtls.c, tests/resume.c: tests: close unused file
-       descriptors in resume checks
-
-2015-04-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac, src/Makefile.am: libopts: fixed the reading of the
-       --enable-local-libopts flag
-
-2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli.c, src/common.c, src/common.h: gnutls-cli: when no
-       certificate is sent, notify the user
-
-2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/mini-x509-cert-callback.c: tests: added
-       check with X.509 certificates and callbacks That corresponds to functionality checked in openpgp-callback.c
-
-2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/openpgp-callback.c: tests: added check for
-       gnutls_certificate_get_ours() when used in combination with
-       callbacks
-
-2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/x509dn.c: tests: improved x509dn check
-
-2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_ui.c: gnutls_certificate_get_ours: will return the
-       certificate even if a callback was used This corrects a bug where this function would not work, when
-       gnutls_certificate_set_retrieve_function2() was used.
-
-2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli-args.def: gnutls-cli: when a certificate is specified
-       require the corresponding private key
-
-2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/x509.c: ensure that the X.509 version number is one byte
-       only
-
-2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/x509.c: Check for invalid length in the X.509 version
-       field If such an invalid length is detected, reject the certificate.
-       Reported by Hanno Böck.
-
-2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/ocsp.c: ocsp: initialize certs to NULL
-
-2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/serv.c: gnutls-serv: print when the peer's certificate is not
-       verified
-
-2015-04-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * po/fr.po.in: Sync with TP.
-
-2015-04-18  Tim Kosse <tim.kosse@filezilla-project.org>
-
-       * lib/system-keys-win.c: ncrypt.h lacks some defines with some
-       versions of MinGW.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-2015-04-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
-       auto-generated files
-
-2015-04-18  Tim Kosse <tim.kosse@filezilla-project.org>
-
-       * lib/system-keys-win.c: Fix a preprocessor warning about mismatched
-       quotes.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-2015-04-18  Tim Kosse <tim.kosse@filezilla-project.org>
-
-       * lib/system-keys-win.c: Set _WIN32_WINNT to 0x600, at least with
-       some MinGW versions ncrypt.h checks this define to be at least
-       0x600.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-2015-04-18  Tim Kosse <tim.kosse@filezilla-project.org>
-
-       * lib/gnutls_supplemental.c: Fix include order, include gnutls_int.h
-       before gnutls.h, otherwise undefined external references to
-       gnutls_free and gnutls_strdup are the result when statically linking
-       against GnuTLS built by MinGW.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-2015-04-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/benchmark-cipher.c: gnutls-cli: removed CCM from the ciphers
-       tested with the old API That prevents a crash of the benchmark. Reported by James Cloos.
-
-2015-04-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_cipher_int.c: refuse to use the old cipher API with
-       AEAD-only ciphers
-
-2015-04-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-termination.c, tests/resume-dtls.c, tests/resume.c: 
-       tests: ignore sigpipe in resume and termination tests
-
-2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-internals.texi: doc: added error check in example
-
-2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-internals.texi: doc update
-
-2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-internals.texi: doc: removed stray @end
-
-2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_pubkey.c: doc update
-
-2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS, lib/x509/x509.c: doc update
-
-2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/output.c: x509: when printing the keyid of a certificate
-       use the curve name for randomart
-
-2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/x509.c: gnutls_x509_crt_get_pk_* are based on
-       gnutls_pubkey_export_*
-
-2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_pubkey.c: gnutls_pubkey_export_* are tolerable in null
-       input
-
-2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_pubkey.c, lib/includes/gnutls/x509.h,
-       lib/libgnutls.map, lib/x509/x509.c: Added
-       gnutls_x509_crt_get_pk_ecc_raw()
-
-2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/extras/randomart.c: randomart: corrected usage of snprintf
-
-2015-04-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool.c: certtool: when generating an ECDSA key use the
-       curve name in random art
-
-2015-04-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/extras/randomart.c: randomart: only print key size if it is
-       non-zero
-
-2015-04-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * cross.mk: cross.mk: updated for 3.4.0
-
-2015-04-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/utils.c: Remove SOCK_CLOEXEC from socket() call.  That allows compilation in systems where this flag doesn't exist.
-       Resolves #7
-
-2015-04-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-gtls-app.texi: document the recommended re-handshake
-       process
-
-2015-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/manpages/Makefile.am: remove duplicate entries from manpages
-       Makefile
-
-2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/cert-tests/certtool: tests: enhanced cert tests with SHA256
-       key IDs
-
-2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/certtool.c: certtool: modified to allow different key ID
-       algorithms
-
-2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_pubkey.c, lib/includes/gnutls/x509.h,
-       lib/x509/common.h, lib/x509/crq.c, lib/x509/privkey.c,
-       lib/x509/x509.c: Added flags which modify the algorithm used for key
-       ID calculation
-
-2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/certtool-args.def: doc update
-
-2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_record.c: doc update
-
-2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_record.c: gnutls_record_discard_queued() is both for
-       TLS and DTLS
-
-2015-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-internals.texi: document the new crypto register functions
-
-2015-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/cli-args.def: doc update
-
-2015-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-tokens.texi: doc: avoid spaces in showfunc
-
-2015-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/slow/Makefile.am: tests: added files into dist
-
-2015-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * m4/hooks.m4: configure: ask for nettle 3.1
-
-2015-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: released 3.4.0
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/cli-args.def: gnutls-cli: document the method to override the
-       detected ciphers
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/accelerated/x86/aes-ccm-x86-aesni.c: fixed AESNI CCM
-       encryption
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/accelerated/x86/aes-ccm-x86-aesni.c: cleanups in CCM-aesni
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/testcompat-main-polarssl: tests: test CCM-8 against
-       polarssl
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: test
-       for AES-CCM
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * README.md: doc: added 'git submodule update' to clone steps
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS, doc/announce.txt: doc update
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/announce.txt: doc update
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/crypto-backend.c: removed unused functions
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/crypto-backend.c, lib/gnutls_cipher_int.c: extend the fallback
-       to setkey in addition to init
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/crypto-backend.c: doc update
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/slow/Makefile.am, tests/slow/cipher-override2.c,
-       tests/slow/override-ciphers: tests: verify the behavior of
-       GNUTLS_E_NEED_FALLBACK
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/crypto-backend.c, lib/gnutls_cipher_int.c,
-       lib/includes/gnutls/gnutls.h.in: introduced GNUTLS_E_NEED_FALLBACK
-       to allow falling back from registered ciphers That allows a registered cipher to indicate that it cannot operate (e.g., due to memory constraints, or internal limits), and gnutls
-       should proceed with the default algorithms.
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/algorithms/ciphersuites.c: ciphersuites: moved CCM
-       ciphersuites in the appropriate ifdefs
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/ciphersuite/test-ciphers.js: tests: ciphersuite test
-       will ignore the invalid names of TLS_DHE_PSK_WITH_AES_128_CCM_8 That is because the names in rfc6655 are for some reason different
-       than the expected.
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-intro-tls.texi: document CCM and CCM-8
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/mini-record-2.c, tests/mini-record-failure.c,
-       tests/mini-record.c: tests: added CCM and CCM_8 into ciphersuite
-       tests
-
-2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/accelerated/x86/aes-ccm-x86-aesni.c,
-       lib/accelerated/x86/x86-common.c, lib/algorithms/ciphers.c,
-       lib/algorithms/ciphersuites.c, lib/includes/gnutls/gnutls.h.in,
-       lib/nettle/cipher.c: Added CCM-8 ciphersuites
-
-2015-04-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/announce.txt: updated announce text
-
-2015-04-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * symbols.last: symbols: added the new supplemental functions
-
-2015-04-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-upgrade.texi: doc update
-
-2015-04-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/cert-tests/template-test: tests: delay tests that depend on
-       timing when they fail That often prevents failures on busy systems.
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/nettle/cipher.c: don't enforce iv_size > block_size; it is no
-       longer true for all ciphers
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_cipher.c: simplified calc_enc_length_stream
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-supplementaldata.c: tests: updated supplemental API
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_extensions.c: gnutls_ext_register will fail on double
-       registration
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in: 
-       gnutls_supplemental_register will fail on double registration
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS, symbols.last: symbols: added new exported functions
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/Makefile.am, doc/manpages/Makefile.am,
-       doc/scripts/getfuncs-map.pl: doc: updated makefiles to include new
-       functions
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/libgnutls.map: libgnutls.map: remove
-       gnutls_record_set_max_empty_records
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/libgnutls.map: account for the renamed
-       gnutls_supplemental_recv/send
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-internals.texi: document the export supplemental data API
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in: 
-       gnutls_do_recv/send_supplemental -> gnutls_supplemental_recv/send Also added the gnutls_ prefix to new types.
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in: Added
-       documentation for gnutls_do_send/recv_supplemental
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/crypto-api.c, lib/gnutls_mem.c, lib/gnutls_privkey.c,
-       lib/gnutls_pubkey.c, lib/includes/gnutls/abstract.h,
-       lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c,
-       lib/pkcs11_write.c, lib/safe-memfuncs.c, lib/tpm.c: doc updates
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-shared-key.texi, lib/auth/srp_sb64.c,
-       lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/pkcs11.c,
-       lib/tpm.c, lib/x509_b64.c: the base64 xxx_alloc functions were
-       renamed to xxx2 That brings them in par with the rest of the allocation functions.
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool-common.h, src/p11tool-args.def, src/p11tool.c,
-       src/pkcs11.c: p11tool: use the key usage flags to set PKCS #11
-       properties
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/pkcs11.h, lib/pkcs11_int.h,
-       lib/pkcs11_privkey.c, lib/pkcs11_write.c: pkcs11: use key_usage to
-       set the appropriate flags
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in: 
-       cleanups in supplemental data support
-
-2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/auth/dh_common.c: DH: do not warn on zero q_bits
-
-2015-04-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: NEWS: rearrange entries
-
-2015-04-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool-common.c: certtool: certtool --generate-dh-params
-       will account for --outder Resolves #5
-
-2015-04-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/algorithms/ciphersuites.c: chacha20-poly1305: ciphersuite
-       numbers correspond to the latest draft
-
-2015-04-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/pkcs11.c: p11tool: improved output message
-
-2015-04-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/pkcs11.c: removed unecessary warning
-
-2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-tokens.texi, lib/includes/gnutls/abstract.h,
-       lib/includes/gnutls/compat.h: doc update: account for new functions
-
-2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/pkcs11.c: p11tool: better output text
-
-2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h: pkcs11: added
-       GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PUBKEY Also enforce the expected flags despite any given flags in the URL.
-
-2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: 
-       p11tool: added the --test-sign parameter That allows to check an existing key for signing/verification.
-
-2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_privkey.c, lib/gnutls_pubkey.c,
-       lib/includes/gnutls/abstract.h, lib/libgnutls.map: 
-       gnutls_priv/pubkey_import_url replace:
-       gnutls_privkey_import_pkcs11_url and gnutls_pubkey_import_pkcs11_url
-
-2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/certtool.c: certtool: corrected import of pubkey in DER format
-
-2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/mini-etm.c: tests: added check for EtM
-       negotiation
-
-2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/algorithms.h, lib/algorithms/ciphers.c, lib/ext/etm.c,
-       lib/gnutls_int.h, lib/gnutls_priority.c: only send EtM extension if
-       we have CBC ciphersuites
-
-2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-upgrade.texi: mention gnutls_privkey_sign_raw_data in
-       upgrade section
-
-2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_privkey.c, lib/includes/gnutls/compat.h,
-       lib/libgnutls.map: gnutls_privkey_sign_raw_data: converted to macro
-       over gnutls_privkey_sign_hash
-
-2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/x509sign-verify.c: tests: added check for the legacy
-       gnutls_privkey_sign_raw_data
-
-2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/crypto-selftests.c: avoid compilation warnings in self checks
-       (take 2)
-
-2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/crypto-selftests.c: Revert "selftests: avoid compilatio
-       warnings" This reverts commit 196477d68f32b30d0de8e203a5c1c405af429603.
-
-2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/testpkcs11: tests: check whether PKCS #11 ID set on
-       copy/generation is correct
-
-2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: 
-       p11tool: allow setting the CKA_ID on object
-       initialization/generation
-
-2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/libgnutls.map: exported new functions
-
-2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11:
-       enhanced key generation functions to allow specifying a CKA_ID
-
-2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/crypto-selftests.c: selftests: avoid compilatio warnings
-
-2015-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/pkcs11.h, lib/pkcs11_write.c: enhanced copy
-       functions to allow specifying a CKA_ID
-
-2015-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/mini-server-name.c: tests: mini-server-name: ignore sigpipe
-
-2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suppressions.valgrind: tests: added more libidn-related
-       valgrind suppressions
-
-2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/texinfo.css: doc: increase border spacing in HTML tables
-
-2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-intro-tls.texi: doc: list chacha20-poly1305 to the list of
-       ciphers
-
-2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/manpages/Makefile.am: manpages: automatically adjust the
-       copyright year on generated pages
-
-2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/Makefile.am, tests/mini-server-name.c: tests: added check
-       for gnutls_server_name_get and gnutls_server_name_set
-
-2015-03-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/ciphersuite/test-ciphers.js: test-ciphers.js: improved
-       ciphersuite checks
-
-2015-03-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/algorithms/ciphersuites.c: corrected
-       GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305
-
-2015-03-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/ciphersuite/scan-gnutls.sh: updated
-       test-ciphersuite.sh for new types
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/x509_ext.c: Better fix for the double free in dist point
-       parsing
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h: updated
-       minitasn1
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey: increase size
-       for attributes
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/algorithms/ciphersuites.c: moved chacha20-poly1305
-       ciphersuites to the 0xCD space
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/crypto-api.c: doc update: replace cryptographic algorithm by
-       encryption algorithm
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_datum.c, lib/gnutls_datum.h, lib/x509/gnutls-idna.c,
-       lib/x509/x509_ext.c: gnutls_subject_alt_names_set and
-       gnutls_x509_aki_set_cert_issuer will set null-terminated strings
-
-2015-03-27  Jiří KlimeÅ¡ <jklimes@redhat.com>
-
-       * lib/crypto-api.c: doc: be consistent in the function descriptions Signed-off-by: Jiří KlimeÅ¡ <jklimes@redhat.com>
-
-2015-03-27  Jiří KlimeÅ¡ <jklimes@redhat.com>
-
-       * lib/crypto-api.c: doc: correct the description of crypto API
-       functions Signed-off-by: Jiří KlimeÅ¡ <jklimes@redhat.com>
-
-2015-03-27  Jiří KlimeÅ¡ <jklimes@redhat.com>
-
-       * doc/examples/ex-client-x509.c, lib/ext/server_name.c,
-       lib/x509/output.c: Fix a few compiler warnings about unused
-       variables [-Wunused-variable] Signed-off-by: Jiří KlimeÅ¡ <jklimes@redhat.com>
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_cipher.c: fixed CHACHA20-POLY1305 in DTLS
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/benchmark-cipher.c, src/benchmark-tls.c: gnutls-cli: added
-       chacha-poly1305 into benchmarks
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_dtls.c: when calculating record overhead account for
-       chacha20 which doesn't send the nonce on the wire
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-record-2.c, tests/mini-record.c: tests: include
-       chacha20 into transfer tests
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/algorithms.h, lib/algorithms/ciphersuites.c,
-       lib/gnutls_cipher.c, lib/gnutls_constate.c, lib/gnutls_int.h: Added
-       the CHACHA20-POLY1305 ciphersuites (with random IDs)
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/algorithms/ciphers.c, lib/crypto-selftests.c,
-       lib/includes/gnutls/gnutls.h.in, lib/nettle/cipher.c: added
-       chacha20-poly1305 as cipher
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-record-retvals.c: tests: check retvals in block ciphers
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_int.h: do not penalize CBC ciphers with the maximum
-       send data size That reduced the maximum send size for CBC ciphers from 16384 to
-       16384-(block size), which was unnecessary and was causing issues:
-       https://bugs.winehq.org/show_bug.cgi?id=37500
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_int.h, lib/gnutls_priority.c, lib/gnutls_record.c,
-       lib/includes/gnutls/gnutls.h.in: 
-       gnutls_record_set_max_empty_records: removed
-
-2015-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/x509_ext.c: eliminated double-free in the parsing of dist
-       points Reported by Robert ÅšwiÄ™cki.
-
-2015-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_buffers.c: Added a tight loop around the legacy push
-       function That reduces the need for more expensive outer loops.  Originally
-       suggested by Anton Lavrentiev.
-
-2015-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/gl/Makefile.am, src/gl/fseeko.c, src/gl/m4/dup2.m4,
-       src/gl/m4/printf.m4, src/gl/m4/stdio_h.m4, src/gl/m4/time_h.m4,
-       src/gl/signal.in.h, src/gl/stdio-impl.h, src/gl/stdio.in.h,
-       src/gl/time.in.h, src/gl/vasnprintf.c, src/gl/xalloc.h: updated
-       gnulib
-
-2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/p11tool-args.def: p11tool: more precise documentation of
-       --set-id parameter
-
-2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * m4/hooks.m4: depend on nettle 3.1 or later
-
-2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/cert-tests/email: tests: updated email check for renamed
-       --verify-email option
-
-2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: increased
-       the size of ck_attributes
-
-2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/pkcs11_privkey.c: pkcs11: check gnutls_rnd() for error
-       condition
-
-2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: set a
-       CKA_ID on key generation
-
-2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/p11tool.c: p11tool: reduced debugging output
-
-2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/certtool-args.def, src/certtool.c: certtool: --purpose,
-       --hostname were renamed to --verify-purpose, --verify-hostname
-
-2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/p11tool-args.def, src/p11tool.c: p11tool: added --mark-no-sign
-       and --mark-no-decrypt options
-
-2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c,
-       lib/pkcs11_write.c: pkcs11: added flags to mark keys as not-being
-       signable or decryptable That adds GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT and
-       GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN which can be set during
-       generation or write of keys.
-
-2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/pkcs11_write.c: pkcs11: set the CKA_SIGN and CKA_DECRYPT flags
-       when writing a private key
-
-2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/resume-dtls.c: tests: cleanups in resume-dtls
-
-2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/ext/server_name.c: ext: server_name: move name length check
-       prior to IDN convertion
-
-2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/ext/server_name.c: When an application calls
-       gnutls_server_name_set() with a name of zero size disable the
-       extension Resolves #2
-
-2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/hostname-verify.c: gnutls_x509_crt_check_hostname2: check
-       CN for match only if certificate would have been acceptable for
-       GNUTLS_KP_TLS_WWW_SERVER
-
-2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/name_constraints.c: Apply DNS name constraints on CN
-       field only on certificates acceptable for TLS WWW SERVER purpose Suggested by Fotis Loukos.
-
-2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/mini-loss-time.c: tests: mini-loss-time is less prone to
-       timeouts
-
-2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/cert-tests/suppressions.valgrind: tests: added valgrind
-       suppressions in cert-tests for libidn
-
-2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/certtool.c: certtool: eliminated memory leaks on verification
-
-2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/cert-tests/Makefile.am, tests/cert-tests/email,
-       tests/cert-tests/email-certs/chain.exclude.test.example.com,
-       tests/cert-tests/email-certs/chain.invalid.example.com,
-       tests/cert-tests/email-certs/chain.test.example.com,
-       tests/cert-tests/email-certs/chain.test.example.com-2: tests: Added
-       email verification tests with certtool
-
-2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/certtool-args.def, src/certtool.c: certtool: added the --email
-       option, to use in verification
-
-2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_cert.c, lib/includes/gnutls/gnutls.h.in,
-       lib/includes/gnutls/openpgp.h, lib/includes/gnutls/x509.h,
-       lib/libgnutls.map, lib/openpgp/compat.c,
-       lib/openpgp/gnutls_openpgp.h, lib/openpgp/pgp.c,
-       lib/x509/Makefile.am, lib/x509/email-verify.c,
-       lib/x509/verify-high.c: Added gnutls_x509_crt_check_email(),
-       gnutls_openpgp_crt_check_email() and GNUTLS_DT_RFC822NAME
-
-2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/test-chains.h: tests: verify that we accept a certificate
-       with no name even if its CA has nameconstraints
-
-2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/name_constraints.c: name constraints: when no name of the
-       type is found, accept the certificate This follows RFC5280 advice closely. Reported by Fotis Loukos.
-
-2015-03-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/resume-dtls.c: tests: increase the timeout in resume-dtls
-
-2015-03-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/pkcs11.c: gnutls_pkcs11_obj_export3: allow operation when
-       raw.data is NULL and we have a public key
-
-2015-03-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/pkcs11.c: pkcs11: simplified export of objects That also allows to export public keys, even when a CKA_VALUE with
-       the public key is not present. For that we use the key parameters,
-       which we encode into a key. Issue reported by Frank Leavis.
-
-2015-03-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * GNUmakefile, build-aux/config.rpath, build-aux/gendocs.sh,
-       build-aux/pmccabe2html, build-aux/snippet/arg-nonnull.h,
-       build-aux/snippet/c++defs.h, build-aux/snippet/warn-on-use.h,
-       build-aux/useless-if-before-free, build-aux/vc-list-files,
-       doc/gendocs_template, gl/Makefile.am, gl/m4/gnulib-cache.m4,
-       gl/m4/gnulib-comp.m4, gl/m4/ld-version-script.m4, gl/m4/printf.m4,
-       gl/m4/stdio_h.m4, gl/m4/time_h.m4, gl/m4/ungetc.m4,
-       gl/stdio-impl.h, gl/stdio.in.h, gl/tests/Makefile.am,
-       gl/tests/init.sh, gl/tests/test-u64.c, gl/time.in.h, gl/u64.c,
-       gl/u64.h, gl/vasnprintf.c, maint.mk: gnulib: removed u64 module
-
-2015-03-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/accelerated/x86/aes-gcm-x86-pclmul.c, lib/gnutls_int.h: drop
-       support for gnulib's u64
-
-2015-03-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/testcompat-main-openssl: tests: check legacy RC4 in
-       testcompat That would prevent losing compatibility without detecting it.  That
-       is currently the case since it is no longer enabled by default.
-
-2015-03-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/mini-record-retvals.c: tests: added check
-       to verify the correctness of the record function return values
-
-2015-03-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/common.c, src/crywrap/crywrap.c, src/tests.c: tools: enable
-       compilation with all options disabled
-
-2015-03-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_auth.c, lib/gnutls_ui.c: enable compilation with
-       several options disabled
-
-2015-03-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_auth.c, lib/gnutls_state.c, lib/pkcs11.c,
-       lib/pkcs11_privkey.c, lib/x509/crq.c, lib/x509/pkcs7.c: doc: avoid
-       mentioning pointers when not needed
-
-2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * configure.ac: increase the maximum stack frame the compiler will
-       warn for
-
-2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/algorithms/ciphersuites.c, lib/crypto-api.c, lib/ext/alpn.c,
-       lib/ext/etm.c, lib/ext/ext_master_secret.c, lib/ext/heartbeat.c,
-       lib/ext/max_record.c, lib/ext/safe_renegotiation.c,
-       lib/ext/server_name.c, lib/ext/session_ticket.c,
-       lib/ext/signature.c, lib/ext/srtp.c, lib/ext/status_request.c,
-       lib/gnutls_alert.c, lib/gnutls_anon_cred.c, lib/gnutls_auth.c,
-       lib/gnutls_buffers.c, lib/gnutls_cert.c, lib/gnutls_db.c,
-       lib/gnutls_dh.c, lib/gnutls_dtls.c, lib/gnutls_handshake.c,
-       lib/gnutls_pcert.c, lib/gnutls_priority.c, lib/gnutls_privkey.c,
-       lib/gnutls_privkey_raw.c, lib/gnutls_psk.c, lib/gnutls_pubkey.c,
-       lib/gnutls_range.c, lib/gnutls_record.c, lib/gnutls_session.c,
-       lib/gnutls_session_pack.c, lib/gnutls_srp.c, lib/gnutls_state.c,
-       lib/gnutls_ui.c, lib/gnutls_x509.c, lib/openpgp/extras.c,
-       lib/openpgp/gnutls_openpgp.c, lib/openpgp/pgp.c,
-       lib/openpgp/privkey.c, lib/pkcs11.c, lib/pkcs11_privkey.c,
-       lib/pkcs11x.c, lib/system-keys-win.c, lib/system_override.c,
-       lib/tpm.c, lib/verify-tofu.c, lib/x509/crl.c, lib/x509/crl_write.c,
-       lib/x509/crq.c, lib/x509/dn.c, lib/x509/extensions.c,
-       lib/x509/hostname-verify.c, lib/x509/name_constraints.c,
-       lib/x509/ocsp.c, lib/x509/ocsp_output.c, lib/x509/output.c,
-       lib/x509/pkcs12.c, lib/x509/pkcs12_bag.c, lib/x509/pkcs7.c,
-       lib/x509/privkey.c, lib/x509/privkey_openssl.c,
-       lib/x509/privkey_pkcs8.c, lib/x509/verify-high.c,
-       lib/x509/verify-high2.c, lib/x509/x509.c, lib/x509/x509_ext.c,
-       lib/x509/x509_write.c: doc: avoid using structure for opaque types
-
-2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/mini-extension.c: tests: include gnutls_ext_s/get_data into
-       tests of mini-extension
-
-2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_extensions.c: updated documentation on non-return value
-       of gnutls_ext_set_data
-
-2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/mini-dtls0-9.c: tests: fixed buffers in mini-dtls0-9
-
-2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_handshake.c: avoid overflow when receiving DTLS 0.9 CCS
-
-2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/auth/srp.c, lib/ext/alpn.c, lib/ext/etm.c,
-       lib/ext/heartbeat.c, lib/ext/max_record.c,
-       lib/ext/safe_renegotiation.c, lib/ext/server_name.c,
-       lib/ext/session_ticket.c, lib/ext/signature.c, lib/ext/srp.c,
-       lib/ext/srtp.c, lib/ext/status_request.c, lib/gnutls_extensions.c,
-       lib/gnutls_extensions.h, lib/gnutls_int.h, lib/gnutls_str.h,
-       lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: added
-       gnutls_ext_set_data() and gnutls_ext_get_data() As a side effect the type which holds private data was reduced from
-       union to void * pointer. That simplifies the exported API without
-       reducing the options in the internal API.
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * .gitignore: more files to ignore
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/gnutls.h.in: set GNUTLS_DTLS_VERSION_MIN to be
-       DTLS0.9 That allows standard DTLS ciphersuites to be used with DTLS0.9
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/Makefile.am, tests/mini-dtls0-9.c: tests: added test for
-       DTLS 0.9
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-extension.c: tests: updated mini-extension
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-internals.texi: mention the new functionality briefly in
-       documentation
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_extensions.c, lib/gnutls_supplemental.c: mention that
-       the registration functions are not thread safe
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_extensions.c, lib/gnutls_extensions.h: store a copy of
-       the extensions name
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_global.c: deinitialize supplemental data on deinit
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_extensions.c, lib/gnutls_extensions.h,
-       lib/gnutls_handshake.c, lib/includes/gnutls/gnutls.h.in: removed
-       unused epoch change callback
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_global.c, lib/gnutls_supplemental.c,
-       lib/gnutls_supplemental.h: deinitialize supplemental data on deinit
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_hash_int.h, lib/gnutls_supplemental.c: reduce warnings
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_extensions.c, lib/gnutls_str.c, lib/gnutls_str.h,
-       lib/gnutls_supplemental.c: added documentation for the new functions
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-supplementaldata.c: tests: remove warnings in
-       mini-supplementaldata.c
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/gnutls.h.in, tests/mini-supplementaldata.c: 
-       updated types
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * .gitignore: more files to ignore
-
-2015-03-19  Thierry Quemerais <tquemerais@awox.com>
-
-       * lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map, tests/Makefile.am, tests/mini-supplementaldata.c: 
-       Added a way to add custom supplemental data from public API.  Signed-off-by: Thierry Quemerais <tquemerais@awox.com>
-
-2015-03-19  Thierry Quemerais <tquemerais@awox.com>
-
-       * tests/mini-extension.c: Fixed extension test.  Signed-off-by: Thierry Quemerais <tquemerais@awox.com>
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_str.h, lib/includes/gnutls/gnutls.h.in,
-       tests/Makefile.am, tests/mini-extension.c: renamed gnutls_buffer_st
-       -> gnutls_buffer_t
-
-2015-03-19  Thierry Quemerais <tquemerais@awox.com>
-
-       * lib/gnutls_extensions.c, lib/gnutls_extensions.h,
-       lib/gnutls_int.h, lib/gnutls_str.c, lib/gnutls_str.h,
-       lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map,
-       tests/mini-extension.c: Added a way to add custom extensions from
-       public API.  Signed-off-by: Thierry Quemerais <tquemerais@awox.com>
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * .gitignore: more files to ignore
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/pkcs11.h, lib/includes/gnutls/x509.h: 
-       gnutls_x509_crt_import_pkcs11_url moved to pkcs11.h as it was always
-       defined there
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/inet_ntop.c: inet_ntop replacement: include sys/socket.h
-
-2015-03-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/inet_ntop.c, lib/system.h: inet_ntop replacement: do not
-       depend on socklen_t
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/slow/Makefile.am: tests: link cipher tests directly with
-       nettle when needed
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-dtls-record.c: tests: mini-dtls-record: increase
-       timeouts to avoid failure of test due to slow system
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-dtls-record.c: tests: mini-dtls-record: removed the
-       need for 64-bit number
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-dtls-record.c: tests: increase verbosity of
-       mini-dtls-record
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-crypto.texi: document the cipher override API
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/slow/Makefile.am, tests/slow/mac-override.c,
-       tests/slow/override-ciphers: added test suite for overriden digests
-       and MACs
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/accelerated/cryptodev.c, lib/accelerated/x86/x86-common.c,
-       lib/crypto-backend.c, lib/crypto-backend.h,
-       lib/includes/gnutls/crypto.h, lib/libgnutls.map: Added API to
-       register MAC and digest algorithms.
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/slow/Makefile.am, tests/slow/cipher-override.c,
-       tests/slow/override-ciphers: added test suite for overriden ciphers
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/accelerated/cryptodev-gcm.c, lib/accelerated/cryptodev.c,
-       lib/accelerated/x86/x86-common.c, lib/crypto-backend.c,
-       lib/crypto-backend.h, lib/includes/gnutls/crypto.h,
-       lib/libgnutls.map: Added API to register AEAD and legacy ciphers.
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/accelerated/cryptodev-gcm.c: cryptodev: provide the new AEAD
-       API
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_global.c: Added environment variable which can override
-       automatic global initialization
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/crypto-backend.c, lib/crypto-backend.h: removed unused
-       functions
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * m4/hooks.m4: configure: fail compilation if the minimum required
-       libtasn1 is not present
-
-2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-03-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/long-session-id.c: tests: long-session-id uses the test
-       framework
-
-2015-03-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-03-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac, lib/pkcs11.c: depend on p11-kit 0.23.1 to conform to
-       draft-pechanec-pkcs11uri-21
-
-2015-03-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/mini-dtls-record.c: tests: fixed shadowed variable in
-       mini-dtls-record
-
-2015-03-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/long-session-id.c, tests/mini-dtls-fork.c,
-       tests/mini-dtls-pthread.c, tests/mini-dtls-rehandshake.c,
-       tests/mini-handshake-timeout.c, tests/utils.c, tests/utils.h: tests:
-       use nanosleep for sleeping
-
-2015-03-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * README.md: README-alpha: move valgrind to testing tools
-
-2015-03-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * README.md: updated README-alpha
-
-2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_supplemental.c: Fixed handling of supplemental data
-       with types > 255.  Patch by Thierry Quemerais.
-
-2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_priority.c: doc update
-
-2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_priority.c: gnutls_priority_init: document that
-       priorities can be NULL
-
-2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/testpkcs11.softhsm: testpkcs11: disallow softhsm
-       2.0.0b1 from being used to test PKCS #11
-
-2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/mini-eagain2.c: tests: mini-eagain2: call
-       gnutls_handshake_set_timeout() at the proper time
-
-2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * README.md: added libasan as dependency
-
-2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/crypto-selftests.c: corrected self test for 3DES
-
-2015-03-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11.c: pkcs11: correctly set the size of type
-
-2015-03-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11.c: pkcs11: combined the fill for object attributes set
-
-2015-03-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11.c: pkcs11: only set ID and label when both size and
-       data are set
-
-2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/pkcs11.c: p11tool: exit with non-zero reason if no objects are
-       found
-
-2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/testpkcs11: tests: added checks for p11tool --set-id
-       and --set-label
-
-2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: 
-       p11tool: added --set-id and --set-label options
-
-2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
-       lib/pkcs11_int.c, lib/pkcs11_int.h: added
-       gnutls_pkcs11_obj_set_info() This function allows setting information such as the CKA_ID and the
-       CKA_LABEL of an object.  Resolves #1
-
-2015-03-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/cert-tests/Makefile.am, tests/cert-tests/invalid-sig,
-       tests/cert-tests/invalid-sig.pem: Added check for GNUTLS-SA-2015-1
-
-2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/test-chains.h: tests: removed test with invalid DER encoding
-       in chainverify These certificates are now rejected earlier.
-
-2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/Makefile.am, tests/strict-der.c: tests: added a check for
-       certificates with invalid DER encodings
-
-2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/common.c, lib/x509/common.h, lib/x509/crl.c,
-       lib/x509/crq.c, lib/x509/dn.c, lib/x509/extensions.c,
-       lib/x509/mpi.c, lib/x509/ocsp.c, lib/x509/privkey.c,
-       lib/x509/privkey_pkcs8.c, lib/x509/x509.c, lib/x509/x509_ext.c: 
-       x509: use libtasn1's strict DER decoding rules in network obtained
-       structures
-
-2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/common.c, m4/hooks.m4: depend on libtasn1 4.3
-
-2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h,
-       lib/minitasn1/parser_aux.c: minitasn1: updated to libtasn1 4.3
-
-2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-internals.texi: rearranged internal documentation
-
-2015-03-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def,
-       src/socket.c: tools: added ftp as a starttls protocol
-
-2015-03-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli-args.def: gnutls-cli: starttls and starttls-proto can't
-       mix
-
-2015-03-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-gtls-app.texi: expand on SECURE256 being an alias to
-       SECURE192
-
-2015-03-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/testcompat-polarssl: tests: do not run polarssl
-       interop test on VIA
-
-2015-03-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/testcompat-common: use common license in all
-       testcompat scripts
-
-2015-03-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/nettle/pk.c: removed unused function
-
-2015-03-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/TODO: doc update
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * Makefile.am, README-alpha, README.md: README-alpha is README.md on
-       repository It contains information for developers.
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * Makefile.am, README, README.md: Revert "auto-generate README from
-       README.md" This reverts commit aff4b2151b42c6a59e490c3714d3e1e64d2921dd.
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * README.md: cleaned up licensing
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * Makefile.am, README, README.md: auto-generate README from
-       README.md
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * README.md: Revert "added README.md as link to README" This reverts commit 041d4f947eb6937d4af62eb35055668825c36833.
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * README.md: added README.md as link to README
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * README, README-alpha, README-alpha.md, README.md: Revert "renamed
-       README files" This reverts commit 05b4fa46667d3f5972f6de6ac61ff959382c67a5.
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * README, README-alpha, README-alpha.md, README.md: renamed README
-       files
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * README, README-alpha: README: converted to mark-down
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/tests.c: gnutls-cli-debug: corrected check of certificate
-       chain order
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/x509cert.c: tests: added small test to verify that
-       GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED succeeds with a single cert
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli-debug.c, src/tests.c: gnutls-cli-debug: disable
-       unsupported TLS protocols as soon
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/socket.c: cli sockets: check for a digit prior using atoi
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/tests.c: gnutls-cli-debug: a cert list of size 1 is always
-       sorted
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/socket.c: gnutls-cli-debug: do not warn multiple times about
-       unknown protocols
-
-2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-support.texi: updated documentation on FIPS140-2
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/testcompat-main-openssl,
-       tests/suite/testcompat-main-polarssl: tests: speed up testcompat
-       check by remove less important options
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/softhsm.h: tests: updated paths for softhsm detection
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * README-alpha: README: mention nodejs
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac: configure: check for /usr/share/dns/root.key as well
-       for dns root key
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * README-alpha: README: mention dependency on dns-root-data
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/cert-tests/template-test: tests: don't perform the overflow
-       check in 32-bit systems
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/cert-tests/template-date.pem,
-       tests/cert-tests/template-date.tmpl: tests: date parsing test was
-       modified to work in 32-bit systems
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool-cfg.c: certtool: in 32-bit systems use PRIu64 to
-       print 64-bit values
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool-cfg.c: certtool: exit when there is an overflow in
-       parsing days
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * README-alpha: README: mention that openssl and polarssl will be
-       used for interop testing
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/cert-tests/template-test: Revert "tests: increased the
-       retries with datefudge cert generation" This reverts commit a381fd148d2e181e19aad9ab9a9c5993080ce869.
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/cert-tests/Makefile.am,
-       tests/cert-tests/template-basic.pem,
-       tests/cert-tests/template-basic.tmpl,
-       tests/cert-tests/template-test: Revert "tests: template-test: added
-       a baseline check to detect slow systems" This reverts commit b7ef1265810ec55d0912db2e3fa4204d8c412377.
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/cert-tests/Makefile.am,
-       tests/cert-tests/template-basic.pem,
-       tests/cert-tests/template-basic.tmpl,
-       tests/cert-tests/template-test: tests: template-test: added a
-       baseline check to detect slow systems
-
-2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/cert-tests/template-test: tests: increased the retries with
-       datefudge cert generation There are slow systems that are not always capable of generating the
-       certificate within a single second.
-
-2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * README-alpha: add bison as a dependency
-
-2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * Makefile.am: build documentation last That allows the examples to depend on libgnu_gpl.la
-
-2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * README-alpha: list unbound dependency for DANE
-
-2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/testdane: tests: removed dane hosts which don't behave
-       well
-
-2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * README-alpha: updated instructions for installed packages
-
-2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/latex/cover.tex: latex doc: updated copyright dates
-
-2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/gnutls.texi: updated copyright date
-
-2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_pubkey.c, lib/tpm.c, lib/x509/common.c,
-       lib/x509/common.h, lib/x509/dn.c, lib/x509/ocsp.c,
-       lib/x509/pkcs12.c, lib/x509/pkcs12_bag.c, lib/x509/x509_ext.c,
-       m4/hooks.m4: use asn1_decode_simple_ber if available
-
-2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-library.texi: corrected typo
-
-2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-library.texi: mention libidn
-
-2015-03-04  Ilya V. Matveychikov <i.matveychikov@securitycode.ru>
-
-       * tests/suite/asn1random.pl: asn1random.pl: generate simple tags
-       only Do not emit tags with numbers greater than or equal 31 as they must
-       be encoded an octet sequence (ref X.690-0207 # 8.1.2.4) Signed-off-by: Ilya V. Matveychikov <i.matveychikov@securitycode.ru>
-
-2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_priority.c: doc update
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/cert-tests/Makefile.am, tests/cert-tests/invalid-sig,
-       tests/cert-tests/invalid-sig2.pem,
-       tests/cert-tests/invalid-sig3.pem: tests: added checks for invalid
-       X.509 certificate signatures
-
-2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-upgrade.texi: added the change of priority string NORMAL
-       in documentation
-
-2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-library.texi: document the usage of a PKCS #11 trust
-       module for verification
-
-2015-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/testcompat-main-openssl: tests: updated the suite to
-       account for the removal of DSA by default
-
-2015-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/dsa/testdsa, tests/openpgp-callback.c, tests/openpgpself.c,
-       tests/priorities.c: tests: updated the suite to account for the
-       removal of DSA by default
-
-2015-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-03-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/testcompat-main-openssl,
-       tests/suite/testcompat-main-polarssl,
-       tests/suite/testcompat-openssl, tests/suite/testcompat-polarssl: 
-       cross-implementation test suite was relicensed to 3-clause BSD That way the suite can be used by projects with other licenses.
-
-2015-03-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-03-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_priority.c: DSA signatures and DHE-DSS are disabled by
-       default DSA was an algorithm that was never deployed on the Internet and
-       had, until very recently, several limitations such as restriction of
-       its keys to 1024 bits, SHA1-only etc. Given that there are literally
-       0 internet (HTTPS) certificates using DSA, there is no point to
-       enable it by default and increase our attack surface.
-
-2015-03-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/benchmark-cipher.c: gnutls-cli: include AES_128_CCM in
-       benchmark-ciphers
-
-2015-02-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_session.c: doc update
-
-2015-02-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-02-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_privkey.c: doc update
-
-2015-02-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/Makefile.am, lib/inet_ntop.c, lib/system.c, lib/system.h,
-       lib/x509/output.c: bundle inet_ntop in systems that don't have it
-
-2015-02-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
-       auto-generated files
-
-2015-02-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/abstract.h: removed
-       gnutls_pubkey_get_verify_algorithm from abstract.h
-
-2015-02-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_handshake.c: corrected typo in gnutls_handshake(),
-       spotted by Andris Mednis
-
-2015-02-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_session.c: doc update: document that session_get_data()
-       must be used in non-resumed sessions
-
-2015-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-tokens.texi: doc update
-
-2015-02-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/algorithms/ciphersuites.c, lib/gnutls_handshake.c: added
-       comments
-
-2015-02-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac, lib/pkcs11.c: Use p11_kit_uri_get_pin_value() if
-       available in p11-kit
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_buffers.c: fixed handling of GNUTLS_E_INT_CHECK_AGAIN
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/algorithms/ciphersuites.c: removed unnecessary check and
-       optimized function
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/algorithms/ciphersuites.c: corrected check which prevented
-       client to sent an unacceptable for the version ciphersuite
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-key-material.c: tests: mini-key-material: avoid memory
-       leak
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-dtls-lowmtu.c, tests/mini-overhead.c,
-       tests/mini-record.c: tests: require DTLS 1.2 when using GCM
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_buffers.c: handle GNUTLS_E_INT_CHECK_AGAIN
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/algorithms.h, lib/algorithms/ciphersuites.c,
-       lib/gnutls_handshake.c: check the negotiated TLS/DTLS version prior
-       to offering a ciphersuite a server
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_priority.c: remove unnecessary assert
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-upgrade.texi: doc update
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/cve-2009-1415.c, tests/x509sign-verify.c: tests: modified
-       tests with obsolete APIs with their replacement API
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-upgrade.texi: doc: added deprecated functions into upgrade
-       plan
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/x509cert-tl.c: tests: added checks for
-       gnutls_x509_crt_get_signature_algorithm and
-       gnutls_x509_crt_get_preferred_hash_algorithm
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/crypto-backend.h, lib/gnutls_pk.c, lib/gnutls_pk.h,
-       lib/gnutls_pubkey.c, lib/libgnutls.map, lib/nettle/pk.c,
-       lib/x509/verify.c, lib/x509/x509.c: removed
-       gnutls_pubkey_get_verify_algorithm() and unnecessary internal APIs
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/compat.h, lib/libgnutls.map, lib/x509/x509.c: 
-       removed gnutls_x509_crt_get_verify_algorithm()
-
-2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_pubkey.c, lib/includes/gnutls/abstract.h,
-       lib/libgnutls.map: removed gnutls_pubkey_verify_hash() and
-       gnutls_pubkey_verify_data()
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool-common.h: certtool: use unsigned for bits
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool.c, src/p11tool.c: certtool/p11tool: avoid cast to
-       function call
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool-args.def, src/certtool.c: certtool: allow specifying
-       a purpose and a hostname for chain verification
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/Makefile.am, tests/x509cert-invalid.c: tests: added check
-       for invalid X.509 certificate
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/mini-key-material.c: tests: added check
-       for gnutls_record_get_state()
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_constate.c: removed unused constants
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_state.c: memcpy fix in gnutls_record_get_state
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * ltmain.sh: removed ltmain.sh from root
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map: Added gnutls_record_get_state() and
-       gnutls_record_set_state() These functions allow to export the key material and sequence
-       numbers.  That allows offloading the sending and receiving of
-       individual records.
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_record.c: fixed sequence number copy
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_handshake.c, lib/includes/gnutls/gnutls.h.in: 
-       gnutls_handshake_set_hook_function: will provide the raw handshake
-       data
-
-2015-02-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/gnutls.h.in: use explicit casts to unsigned
-       int in the CURVE_TO_BITS et al
-
-2015-02-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/pkcs12_encr.c: use cast in _gnutls_hash_fast
-
-2015-02-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/x509.c: when importing a certificate ensure that the
-       signature parameters match
-
-2015-02-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/accelerated/x86/x86-common.c: Allow AESNI GCM accelaration in
-       x86
-
-2015-02-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/cli-args.def, src/cli.c: gnutls-cli: added --save-cert option
-
-2015-02-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/gnutls.h.in: added missing prototypes
-
-2015-02-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/cli.c: handle differently OCSP responses that are revoked and
-       of unknown status
-
-2015-02-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/common.c: compilation fix with return on void function;
-       reported by David Marx
-
-2015-01-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_state.c: doc update
-
-2015-01-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_buffers.c: set the appropriate direction when
-       _gnutls_io_write_flush() is called
-
-2015-01-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/mini-dtls-pthread.c: tests: added check
-       for operation under different threads and DTLS
-
-2015-01-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/mini-dtls-fork.c: tests: added check for
-       operation under different processes and DTLS
-
-2015-01-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: Revert "doc update" This reverts commit eabf1f27d255577bad60d302abf46a969848fcd7.
-
-2015-01-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_record.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map: Revert "Added gnutls_record_is_async()" This reverts commit 2232822aabe473d124f924d64ff52981d685fd41.
-
-2015-01-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-gtls-app.texi: documented using a session with fork or
-       multiple threads
-
-2015-01-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2015-01-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_record.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map: Added gnutls_record_is_async() That function indicates whether gnutls_record_recv() and
-       gnutls_record_send() can be used independently and in parallel.
-
-2015-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_buffers.c: print errno in a more uniform way
-
-2015-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS, lib/system.c: doc update
-
-2015-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_buffers.c, lib/gnutls_handshake.c, lib/gnutls_state.c,
-       lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/system.c,
-       lib/system.h, lib/system_override.c: exported
-       gnutls_system_recv_timeout()
-
-2015-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_buffers.c: simplified _gnutls_writev() by requiring the
-       total length
-
-2015-01-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/opencdk/kbnode.c, lib/opencdk/read-packet.c: opencdk: small
-       fixed to reduce warnings
-
-2015-01-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_ui.c: doc update
-
-2015-01-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli.c, src/ocsptool-common.c, src/ocsptool-common.h: don't be
-       so verbose about the OCSP nonce; it is universally unsupported
-
-2015-01-17  Tim Ruehsen <tim.ruehsen@gmx.de>
-
-       * src/cli.c, src/ocsptool-common.c: OCSP check the whole cert chain Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-2015-01-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/x509.c: on certificate import check whether the two
-       signature algorithms match
-
-2015-01-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * cross.mk: cross.mk: use 3.3.12
-
-2015-01-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/key_decode.c: doc update
-
-2015-01-12  Luke Dashjr <luke-jr+git@utopios.org>
-
-       * Makefile.am, configure.ac, doc/manpages/Makefile.am: Added
-       configure option --disable-tools
-
-2015-01-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * libdane/errors.c: corrected typos Reported by Guido Kroon.
-
-2015-01-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/algorithms/protocols.c, lib/gnutls_int.h: Added the notion of
-       obsolete versions That prevents using these versions as record version numbers, unless
-       they are the only protocol supported. This avoids the issues with
-       servers that have banned SSL 3.0 record versions.
-
-2015-01-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/ocsptool-common.c: ocsptool: follow the documented process for
-       gnutls_x509_crt_get_authority_info_access
-
-2015-01-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/x509.c: gnutls_x509_crt_get_authority_info_access: doc
-       update
-
-2015-01-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/ocsptool-common.c: ocsptool-common: iterate through all AIA
-       items prior to decidig the OCSP server
-
-2015-01-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/fips.c: use a FIPS key that agree's with fedora's fipshmac
-
-2015-01-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * devel/DCO/people-dco.txt: DCO: Added Luke Dashjr
-
-2015-01-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/cli-args.def: simplified text for inline-commands-prefix
-
-2015-01-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/cli-args.def, src/cli.c, src/socket.c: gnutls-cli: added
-       --starttls-proto option
-
-2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/pkcs11.c: pkcs11: cleanup the name of types
-
-2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/softhsm.h: tests: updates in softhsm detection
-
-2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/pkcs11.c: pkcs11: when importing a public key, import it's
-       data as well (version 2 fix)
-
-2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/verify.c: doc update
-
-2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/testpkcs11: testpkcs11: do not ignore the failure to
-       write a trusted CA
-
-2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/libgnutls.map: removed gnutls_pubkey_get_pk_* from the
-       exported function list
-
-2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/key-import-export.c: tests: key-import-export: enhanced to
-       test gnutls_pubkey_*_ecc_x962
-
-2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_pubkey.c: gnutls_pubkey_t: allow the import of another
-       parameter set without a leak
-
-2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_pubkey.c: removed ABI-compatibility functions
-
-2015-01-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/certtool-args.def: doc update
-
-2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/testpkcs11.softhsm: testpkcs11: modified to support
-       both softhsmv1 and v2
-
-2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11.c: pkcs11: when importing a public key, import it's
-       data as well
-
-2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/key-import-export.c: tests: enhanced key-import-export to
-       check output of pubkeys
-
-2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/openpgp-callback.c: tests: eliminated leaks
-
-2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_cert.c: doc update
-
-2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/Makefile.am, tests/key-import-export.c: tests: added checks
-       for private key import/export functions
-
-2015-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/TODO: doc update
-
-2015-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/Makefile.am, tests/openpgp-callback.c: tests: Added test
-       case for openpgp keys loaded by callback
-
-2015-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_state.c: When setting up TLS with cert-type OpenPGP
-       from a client, the server verifies if it supports the extension’s
-       contents in _gnutls_session_cert_type_supported().  This function
-       checks for cred->get_cert_callback but not cred->get_cert_callback2.
-       As a result, servers setup for OpenPGP certificate credential
-       callback with gnutls_certificate_set_retrieve_function2() are unable
-       to use the OpenPGP certificate type.  The solution is to consider cred->get_cert_callback2 alongside
-       cred->get_cert_callback in _gnutls_session_cert_type_supported().  Patch by Rick van Rein.
-
-2015-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_privkey.c: gnutls_privkey_import_openpgp_raw: do not
-       release the cached value
-
-2015-01-08  Ludovic Courtès <ludo@gnu.org>
-
-       * NEWS, guile/modules/gnutls.in: guile: Call 'load-extension' both
-       during expansion and at run time.  Fixes <https://bugzilla.redhat.com/show_bug.cgi?id=1177847>.  * guile/modules/gnutls.in: Wrap '%libdir' definition and   'load-extension' call in 'eval-when'.
-
-2015-01-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_buffers.c, lib/gnutls_errors.h: When receiving a TLS
-       record with multiple handshake packets, parse them in one go That resolves: https://savannah.gnu.org/support/?108712
-
-2015-01-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/mini-dtls-record-asym.c: tests: updated
-       mini-dtls-record-asym
-
-2015-01-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-dtls-record-asym.c: tests: better documentation of
-       mini-dtls-record-asym purpose
-
-2015-01-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-dtls-mtu.c, tests/utils.c, tests/utils.h: tests: moved
-       udp_socketpair to utils
-
-2015-01-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-dtls-record-asym.c: tests: corrected asymmetric MTU
-       test for DTLS and added caching
-
-2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/mini-dtls-record-asym.c: Added test case
-       for DTLS handshake packet reconstruction when it exceeds MTU https://savannah.gnu.org/support/?108712
-
-2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_buffers.c: simplified _gnutls_dgram_read()
-
-2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/Makefile.am: danetool: only compile when dane is enabled
-
-2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_buffers.c: in DTLS don't combine multiple packets which
-       exceed MTU Resolves: https://savannah.gnu.org/support/?108715
-
-2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_buffers.c: Added more precise check of push functions
-       availability
-
-2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_buffers.c, lib/gnutls_state.c, lib/system.c,
-       lib/system.h: Revert "in DTLS don't use writev() when multiple
-       packets which exceed MTU are queued" This reverts commit 43082a67c7514d65301d157fb567a133138a85ab.
-
-2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_buffers.c: Revert "Give precedence to vector push
-       function" This reverts commit cb4ea413569803cbbf291abb27d30d14bfa971c5.
-
-2015-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_buffers.c: Give precedence to vector push function
-
-2015-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_buffers.c, lib/gnutls_state.c, lib/system.c,
-       lib/system.h: in DTLS don't use writev() when multiple packets which
-       exceed MTU are queued That change requires the system_write() to be registered
-       unconditionally, even when writev() is available.  Resolves:
-       https://savannah.gnu.org/support/?108715
-
-2015-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/mini-dtls-mtu.c: tests: added check to
-       ensure that DTLS handshake packets will not exceed MTU
-
-2015-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/certtool.c: certtool: warn when setting a certificate's
-       expiration longer than the CA's expiration
-
-2015-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/testpkcs11: testpkcs11: detect softhsm2
-
-2015-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c,
-       tests/record-sizes.c: tests: account for disabling of ARCFOUR where
-       needed
-
-2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool-cfg.c: certtool: modified check for READ_NUMERIC
-
-2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool-cfg.c: certtool: use 64-bit type for CRL serial
-       number
-
-2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool-cfg.c: certtool: check for overflows when reading
-       serial numbers
-
-2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool-cfg.c, src/certtool-cfg.h: certtool: use int64_t as
-       type for integers read
-
-2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/socket.c: gnutls-cli-debug: more precise handling of SMTP
-       protocol Patch by Andreas Metzler.
-
-2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * gl/Makefile.am, gl/alloca.in.h, gl/asnprintf.c, gl/asprintf.c,
-       gl/base64.c, gl/base64.h, gl/byteswap.in.h, gl/c-ctype.c,
-       gl/c-ctype.h, gl/errno.in.h, gl/float+.h, gl/float.c,
-       gl/float.in.h, gl/fstat.c, gl/ftell.c, gl/ftello.c, gl/getdelim.c,
-       gl/getline.c, gl/gettext.h, gl/gettimeofday.c, gl/hash-pjw-bare.c,
-       gl/hash-pjw-bare.h, gl/intprops.h, gl/itold.c, gl/lseek.c,
-       gl/m4/00gnulib.m4, gl/m4/absolute-header.m4, gl/m4/alloca.m4,
-       gl/m4/base64.m4, gl/m4/byteswap.m4, gl/m4/codeset.m4,
-       gl/m4/errno_h.m4, gl/m4/exponentd.m4, gl/m4/extensions.m4,
-       gl/m4/extern-inline.m4, gl/m4/fcntl-o.m4, gl/m4/fcntl_h.m4,
-       gl/m4/fdopen.m4, gl/m4/float_h.m4, gl/m4/fpieee.m4,
-       gl/m4/fseeko.m4, gl/m4/fstat.m4, gl/m4/ftell.m4, gl/m4/ftello.m4,
-       gl/m4/func.m4, gl/m4/getdelim.m4, gl/m4/getline.m4,
-       gl/m4/getpagesize.m4, gl/m4/gettext.m4, gl/m4/gettimeofday.m4,
-       gl/m4/glibc2.m4, gl/m4/glibc21.m4, gl/m4/gnulib-cache.m4,
-       gl/m4/gnulib-common.m4, gl/m4/gnulib-comp.m4, gl/m4/gnulib-tool.m4,
-       gl/m4/iconv.m4, gl/m4/include_next.m4, gl/m4/intdiv0.m4,
-       gl/m4/intl.m4, gl/m4/intldir.m4, gl/m4/intlmacosx.m4,
-       gl/m4/intmax.m4, gl/m4/intmax_t.m4, gl/m4/inttypes-pri.m4,
-       gl/m4/inttypes.m4, gl/m4/inttypes_h.m4, gl/m4/largefile.m4,
-       gl/m4/lcmessage.m4, gl/m4/ld-output-def.m4,
-       gl/m4/ld-version-script.m4, gl/m4/lib-ld.m4, gl/m4/lib-link.m4,
-       gl/m4/lib-prefix.m4, gl/m4/lock.m4, gl/m4/longlong.m4,
-       gl/m4/lseek.m4, gl/m4/malloc.m4, gl/m4/manywarnings.m4,
-       gl/m4/math_h.m4, gl/m4/memchr.m4, gl/m4/memmem.m4, gl/m4/minmax.m4,
-       gl/m4/mmap-anon.m4, gl/m4/msvc-inval.m4, gl/m4/msvc-nothrow.m4,
-       gl/m4/multiarch.m4, gl/m4/netdb_h.m4, gl/m4/netinet_in_h.m4,
-       gl/m4/nls.m4, gl/m4/off_t.m4, gl/m4/po.m4, gl/m4/printf-posix.m4,
-       gl/m4/printf.m4, gl/m4/progtest.m4, gl/m4/read-file.m4,
-       gl/m4/realloc.m4, gl/m4/size_max.m4, gl/m4/snprintf.m4,
-       gl/m4/socklen.m4, gl/m4/sockpfaf.m4, gl/m4/ssize_t.m4,
-       gl/m4/stdalign.m4, gl/m4/stdbool.m4, gl/m4/stddef_h.m4,
-       gl/m4/stdint.m4, gl/m4/stdint_h.m4, gl/m4/stdio_h.m4,
-       gl/m4/stdlib_h.m4, gl/m4/strcase.m4, gl/m4/string_h.m4,
-       gl/m4/strings_h.m4, gl/m4/strndup.m4, gl/m4/strnlen.m4,
-       gl/m4/strtok_r.m4, gl/m4/strverscmp.m4, gl/m4/sys_socket_h.m4,
-       gl/m4/sys_stat_h.m4, gl/m4/sys_time_h.m4, gl/m4/sys_types_h.m4,
-       gl/m4/sys_uio_h.m4, gl/m4/threadlib.m4, gl/m4/time_h.m4,
-       gl/m4/time_r.m4, gl/m4/uintmax_t.m4, gl/m4/ungetc.m4,
-       gl/m4/unistd_h.m4, gl/m4/valgrind-tests.m4, gl/m4/vasnprintf.m4,
-       gl/m4/vasprintf.m4, gl/m4/visibility.m4, gl/m4/vsnprintf.m4,
-       gl/m4/warn-on-use.m4, gl/m4/warnings.m4, gl/m4/wchar_h.m4,
-       gl/m4/wchar_t.m4, gl/m4/wint_t.m4, gl/m4/xsize.m4, gl/malloc.c,
-       gl/memchr.c, gl/memmem.c, gl/minmax.h, gl/msvc-inval.c,
-       gl/msvc-inval.h, gl/msvc-nothrow.c, gl/msvc-nothrow.h,
-       gl/netdb.in.h, gl/netinet_in.in.h, gl/printf-args.c,
-       gl/printf-args.h, gl/printf-parse.c, gl/printf-parse.h,
-       gl/read-file.c, gl/read-file.h, gl/realloc.c, gl/size_max.h,
-       gl/snprintf.c, gl/stdalign.in.h, gl/stdbool.in.h, gl/stddef.in.h,
-       gl/stdint.in.h, gl/stdio-impl.h, gl/stdio.in.h, gl/stdlib.in.h,
-       gl/str-two-way.h, gl/strcasecmp.c, gl/string.in.h, gl/strings.in.h,
-       gl/strncasecmp.c, gl/strndup.c, gl/strnlen.c, gl/strtok_r.c,
-       gl/strverscmp.c, gl/sys_socket.in.h, gl/sys_stat.in.h,
-       gl/sys_time.in.h, gl/sys_types.in.h, gl/sys_uio.in.h,
-       gl/tests/Makefile.am, gl/tests/binary-io.h, gl/tests/fcntl.in.h,
-       gl/tests/fdopen.c, gl/tests/fpucw.h, gl/tests/getpagesize.c,
-       gl/tests/init.sh, gl/tests/inttypes.in.h, gl/tests/macros.h,
-       gl/tests/signature.h, gl/tests/test-alloca-opt.c,
-       gl/tests/test-base64.c, gl/tests/test-binary-io.c,
-       gl/tests/test-byteswap.c, gl/tests/test-c-ctype.c,
-       gl/tests/test-errno.c, gl/tests/test-fcntl-h.c,
-       gl/tests/test-fdopen.c, gl/tests/test-fgetc.c,
-       gl/tests/test-float.c, gl/tests/test-fputc.c,
-       gl/tests/test-fread.c, gl/tests/test-fstat.c,
-       gl/tests/test-ftell.c, gl/tests/test-ftell3.c,
-       gl/tests/test-ftello.c, gl/tests/test-ftello3.c,
-       gl/tests/test-ftello4.c, gl/tests/test-func.c,
-       gl/tests/test-fwrite.c, gl/tests/test-getdelim.c,
-       gl/tests/test-getline.c, gl/tests/test-gettimeofday.c,
-       gl/tests/test-iconv.c, gl/tests/test-init.sh,
-       gl/tests/test-intprops.c, gl/tests/test-inttypes.c,
-       gl/tests/test-memchr.c, gl/tests/test-netdb.c,
-       gl/tests/test-netinet_in.c, gl/tests/test-read-file.c,
-       gl/tests/test-snprintf.c, gl/tests/test-stdalign.c,
-       gl/tests/test-stdbool.c, gl/tests/test-stddef.c,
-       gl/tests/test-stdint.c, gl/tests/test-stdio.c,
-       gl/tests/test-stdlib.c, gl/tests/test-string.c,
-       gl/tests/test-strings.c, gl/tests/test-strnlen.c,
-       gl/tests/test-strverscmp.c, gl/tests/test-sys_socket.c,
-       gl/tests/test-sys_stat.c, gl/tests/test-sys_time.c,
-       gl/tests/test-sys_types.c, gl/tests/test-sys_uio.c,
-       gl/tests/test-sys_wait.h, gl/tests/test-time.c,
-       gl/tests/test-u64.c, gl/tests/test-unistd.c,
-       gl/tests/test-vasnprintf.c, gl/tests/test-vasprintf.c,
-       gl/tests/test-vc-list-files-cvs.sh,
-       gl/tests/test-vc-list-files-git.sh, gl/tests/test-verify.c,
-       gl/tests/test-vsnprintf.c, gl/tests/test-wchar.c,
-       gl/tests/zerosize-ptr.h, gl/time.in.h, gl/time_r.c, gl/u64.h,
-       gl/unistd.in.h, gl/vasnprintf.c, gl/vasnprintf.h, gl/vasprintf.c,
-       gl/verify.h, gl/vsnprintf.c, gl/wchar.in.h, gl/xsize.h,
-       src/gl/Makefile.am, src/gl/accept.c, src/gl/alloca.in.h,
-       src/gl/arpa_inet.in.h, src/gl/asnprintf.c, src/gl/bind.c,
-       src/gl/c-ctype.c, src/gl/c-ctype.h, src/gl/close.c,
-       src/gl/connect.c, src/gl/dup2.c, src/gl/errno.in.h, src/gl/error.c,
-       src/gl/error.h, src/gl/exitfail.c, src/gl/exitfail.h,
-       src/gl/fd-hook.c, src/gl/fd-hook.h, src/gl/float+.h,
-       src/gl/float.c, src/gl/float.in.h, src/gl/fseek.c, src/gl/fseeko.c,
-       src/gl/fstat.c, src/gl/ftell.c, src/gl/ftello.c,
-       src/gl/gai_strerror.c, src/gl/getaddrinfo.c, src/gl/getdelim.c,
-       src/gl/getline.c, src/gl/getpass.c, src/gl/getpass.h,
-       src/gl/getpeername.c, src/gl/gettext.h, src/gl/gettime.c,
-       src/gl/gettimeofday.c, src/gl/inet_ntop.c, src/gl/inet_pton.c,
-       src/gl/intprops.h, src/gl/itold.c, src/gl/listen.c, src/gl/lseek.c,
-       src/gl/m4/00gnulib.m4, src/gl/m4/absolute-header.m4,
-       src/gl/m4/alloca.m4, src/gl/m4/arpa_inet_h.m4, src/gl/m4/bison.m4,
-       src/gl/m4/clock_time.m4, src/gl/m4/close.m4, src/gl/m4/dup2.m4,
-       src/gl/m4/eealloc.m4, src/gl/m4/environ.m4, src/gl/m4/errno_h.m4,
-       src/gl/m4/error.m4, src/gl/m4/exponentd.m4,
-       src/gl/m4/extensions.m4, src/gl/m4/extern-inline.m4,
-       src/gl/m4/float_h.m4, src/gl/m4/fseek.m4, src/gl/m4/fseeko.m4,
-       src/gl/m4/fstat.m4, src/gl/m4/ftell.m4, src/gl/m4/ftello.m4,
-       src/gl/m4/getaddrinfo.m4, src/gl/m4/getdelim.m4,
-       src/gl/m4/getline.m4, src/gl/m4/getpass.m4, src/gl/m4/gettime.m4,
-       src/gl/m4/gettimeofday.m4, src/gl/m4/gnulib-cache.m4,
-       src/gl/m4/gnulib-common.m4, src/gl/m4/gnulib-comp.m4,
-       src/gl/m4/gnulib-tool.m4, src/gl/m4/hostent.m4,
-       src/gl/m4/include_next.m4, src/gl/m4/inet_ntop.m4,
-       src/gl/m4/inet_pton.m4, src/gl/m4/intmax_t.m4,
-       src/gl/m4/inttypes_h.m4, src/gl/m4/largefile.m4,
-       src/gl/m4/longlong.m4, src/gl/m4/lseek.m4, src/gl/m4/malloc.m4,
-       src/gl/m4/malloca.m4, src/gl/m4/math_h.m4, src/gl/m4/memchr.m4,
-       src/gl/m4/minmax.m4, src/gl/m4/mktime.m4, src/gl/m4/mmap-anon.m4,
-       src/gl/m4/msvc-inval.m4, src/gl/m4/msvc-nothrow.m4,
-       src/gl/m4/multiarch.m4, src/gl/m4/netdb_h.m4,
-       src/gl/m4/netinet_in_h.m4, src/gl/m4/off_t.m4,
-       src/gl/m4/parse-datetime.m4, src/gl/m4/printf.m4,
-       src/gl/m4/read-file.m4, src/gl/m4/realloc.m4, src/gl/m4/select.m4,
-       src/gl/m4/servent.m4, src/gl/m4/setenv.m4, src/gl/m4/signal_h.m4,
-       src/gl/m4/size_max.m4, src/gl/m4/snprintf.m4,
-       src/gl/m4/socketlib.m4, src/gl/m4/sockets.m4, src/gl/m4/socklen.m4,
-       src/gl/m4/sockpfaf.m4, src/gl/m4/ssize_t.m4, src/gl/m4/stdalign.m4,
-       src/gl/m4/stdbool.m4, src/gl/m4/stddef_h.m4, src/gl/m4/stdint.m4,
-       src/gl/m4/stdint_h.m4, src/gl/m4/stdio_h.m4, src/gl/m4/stdlib_h.m4,
-       src/gl/m4/strdup.m4, src/gl/m4/strerror.m4, src/gl/m4/string_h.m4,
-       src/gl/m4/sys_select_h.m4, src/gl/m4/sys_socket_h.m4,
-       src/gl/m4/sys_stat_h.m4, src/gl/m4/sys_time_h.m4,
-       src/gl/m4/sys_types_h.m4, src/gl/m4/sys_uio_h.m4,
-       src/gl/m4/time_h.m4, src/gl/m4/time_r.m4, src/gl/m4/timespec.m4,
-       src/gl/m4/tm_gmtoff.m4, src/gl/m4/unistd_h.m4,
-       src/gl/m4/vasnprintf.m4, src/gl/m4/warn-on-use.m4,
-       src/gl/m4/wchar_h.m4, src/gl/m4/wchar_t.m4, src/gl/m4/wint_t.m4,
-       src/gl/m4/xalloc.m4, src/gl/m4/xsize.m4, src/gl/malloc.c,
-       src/gl/malloca.c, src/gl/malloca.h, src/gl/memchr.c,
-       src/gl/minmax.h, src/gl/mktime.c, src/gl/msvc-inval.c,
-       src/gl/msvc-inval.h, src/gl/msvc-nothrow.c, src/gl/msvc-nothrow.h,
-       src/gl/netdb.in.h, src/gl/netinet_in.in.h, src/gl/parse-datetime.h,
-       src/gl/parse-datetime.y, src/gl/printf-args.c,
-       src/gl/printf-args.h, src/gl/printf-parse.c, src/gl/printf-parse.h,
-       src/gl/progname.c, src/gl/progname.h, src/gl/read-file.c,
-       src/gl/read-file.h, src/gl/realloc.c, src/gl/recv.c,
-       src/gl/recvfrom.c, src/gl/select.c, src/gl/send.c, src/gl/sendto.c,
-       src/gl/setenv.c, src/gl/setsockopt.c, src/gl/shutdown.c,
-       src/gl/signal.in.h, src/gl/size_max.h, src/gl/snprintf.c,
-       src/gl/socket.c, src/gl/sockets.c, src/gl/sockets.h,
-       src/gl/stdalign.in.h, src/gl/stdbool.in.h, src/gl/stddef.in.h,
-       src/gl/stdint.in.h, src/gl/stdio-impl.h, src/gl/stdio.in.h,
-       src/gl/stdlib.in.h, src/gl/strdup.c, src/gl/strerror-override.c,
-       src/gl/strerror-override.h, src/gl/strerror.c, src/gl/string.in.h,
-       src/gl/sys_select.in.h, src/gl/sys_socket.in.h,
-       src/gl/sys_stat.in.h, src/gl/sys_time.in.h, src/gl/sys_types.in.h,
-       src/gl/sys_uio.in.h, src/gl/time.in.h, src/gl/time_r.c,
-       src/gl/timespec.h, src/gl/unistd.in.h, src/gl/unsetenv.c,
-       src/gl/vasnprintf.c, src/gl/vasnprintf.h, src/gl/verify.h,
-       src/gl/w32sock.h, src/gl/wchar.in.h, src/gl/xalloc-die.c,
-       src/gl/xalloc-oversized.h, src/gl/xalloc.h, src/gl/xmalloc.c,
-       src/gl/xsize.h: updated gnulib
-
-2015-01-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/cli-debug.c: gnutls-cli-debug: corrected the skip of ignored
-       checks
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/output.c: use explicit casts in the dummy ip conversion
-       functions
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-gtls-app.texi, doc/cha-intro-tls.texi,
-       lib/gnutls_priority.c: ARCFOUR-128 is disabled by default
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/system-keys-win.c: system-keys-win: use LoadLibraryA to load
-       ncrypt.dll
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * Makefile.am, devel/abi3.4.xml: Updated abi-compliance-checker for
-       3.4 API
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * Makefile.am, symbols.last: updated export symbols list (due to ABI
-       breakage)
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/Makefile.am: doc: updated auto-generated files
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/doc.mk, doc/manpages/Makefile.am: generate manpages for urls.h
-       and system-keys.h
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/pkcs11-get-issuer.c: tests: added check for
-       gnutls_x509_trust_list_get_issuer_by_dn()
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/libgnutls.map: updated libgnutls.map for new functions
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/Makefile.am, doc/doc.mk, doc/manpages/Makefile.am: doc:
-       updated auto-generated files and added urls.h
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/cert-tests/Makefile.am, tests/cert-tests/certtool: tests:
-       added checks for the new --key-id and --fingerprint certtool options
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool-args.def, src/certtool.c: certtool: Added
-       --fingerprint and --key-id options
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool.c: certtool: --pubkey-info will load a public key
-       from stdin
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/system.h: include netinet/in.h if present to access ipv6
-       related structures Based on patch by Rumko.  https://savannah.gnu.org/support/?108713
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_priority.c: VERS-ALL adds all protocols if used with
-       '+'
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-gtls-app.texi, lib/gnutls_priority.c: priority strings
-       VERS-TLS-ALL and VERS-DTLS-ALL are restricted to the corresponding
-       protocols That introduces VERS-ALL which behaves as VERS-TLS-ALL previously.
-
-2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/gnutls.h.in: gnutls.h: made DTLS protocol
-       version numbering distinct
-
-2014-12-30  Matthias-Christian Ott <ott@mirix.org>
-
-       * lib/gnutls_cipher_int.c: Don't call _gnutls_cipher_encrypt2 with
-       textlen = 0 in _gnutls_auth_cipher_encrypt2_tag If the plaintext is shorter than the block size of the used cipher,
-       _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with
-       textlen = 0. By definition _gnutls_cipher_encrypt2 does nothing in
-       this case and thus does not need to be called.
-
-2014-12-30  Matthias-Christian Ott <ott@mirix.org>
-
-       * lib/accelerated/x86/aes-gcm-padlock.c,
-       lib/accelerated/x86/aes-padlock.c: Handle zero length plaintext for
-       VIA PadLock functions If the plaintext is shorter than the block size of the used cipher,
-       _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with
-       textlen = 0. padlock_ecb_encrypt and padlock_cbc_encrypt assume that
-       the plaintext length (last parameter) is greater than zero and
-       segfault otherwise. The assembler code for both functions is
-       automatically generated and imported from OpenSSL, so to ease
-       maintenance the length should be validated in the functions that
-       call padlock_ecb_encrypt or padlock_cbc_encrypt.
-
-2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/system.c: use backslashes in windows path
-
-2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/openpgp-keyring.c: tests: enhanced openpgp-keyring test
-
-2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/openpgp/output.c: openpgp: properly print names in oneline
-       output as well
-
-2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/openpgp/output.c: updates in openpgp DSA key printing
-
-2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/openpgp/output.c: properly print openpgp names
-
-2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/opencdk/Makefile.am: opencdk: print all warnings on
-       compilation
-
-2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/opencdk/armor.c: opencdk: eliminated warning from armor.c
-
-2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/opencdk/keydb.c: removed cache support for opencdk's keydb It's implementation looked buggy.
-
-2014-12-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: updated guile comments
-
-2014-12-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/cli-debug.c, src/common.c, src/tests.c: tools: use OCSP
-       functions only when OCSP is enabled
-
-2014-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_pubkey.c: Corrected encoding and decoding of ANSI X9.62 That affects gnutls_pubkey_export_ecc_x962() and
-       gnutls_pubkey_import_ecc_x962().
-
-2014-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool-args.def, src/p11tool-args.def: tools: document the
-       available curves
-
-2014-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c,
-       tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c,
-       tests/suite/pkcs11-privkey.c, tests/suite/softhsm.h,
-       tests/suite/testpkcs11.softhsm: PKCS #11 tests: ported to softhsmv2 The C programs still rely on softhsmv1 since there are issues with
-       softhsmv2 and CKA_TRUSTED.
-       https://bugzilla.redhat.com/show_bug.cgi?id=1177086
-
-2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/safe-memfuncs.c: updated documentation of gnutls_memcmp()
-
-2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-tokens.texi, lib/x509/x509.c: use everywhere the new name
-       of gnutls_x509_crt_import_pkcs11_url
-
-2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11_privkey.c: better cleanup in
-       gnutls_pkcs11_privkey_import_url and allow reuse
-
-2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/examples/Makefile.am, src/Makefile.am, src/gl/Makefile.am,
-       src/gl/m4/gnulib-cache.m4, src/gl/m4/gnulib-comp.m4: completely
-       separated the two gnulibs to avoid conflicts
-
-2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * gl/Makefile.am, gl/m4/extensions.m4, gl/m4/extern-inline.m4,
-       gl/m4/gnulib-comp.m4, gl/m4/iconv.m4, gl/m4/printf.m4,
-       gl/m4/stdalign.m4, gl/m4/stddef_h.m4, gl/m4/stdio_h.m4,
-       gl/stdalign.in.h, gl/stddef.in.h, gl/tests/test-fcntl-h.c,
-       gl/tests/test-stddef.c, gl/unistd.in.h, gl/vasnprintf.c,
-       src/gl/Makefile.am, src/gl/m4/extensions.m4,
-       src/gl/m4/extern-inline.m4, src/gl/m4/gnulib-comp.m4,
-       src/gl/m4/printf.m4, src/gl/m4/stdalign.m4, src/gl/m4/stddef_h.m4,
-       src/gl/m4/stdio_h.m4, src/gl/parse-datetime.y,
-       src/gl/stdalign.in.h, src/gl/stddef.in.h, src/gl/timespec.h,
-       src/gl/unistd.in.h, src/gl/vasnprintf.c: updated gnulib
-
-2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_privkey.c, lib/pkcs11_privkey.c, lib/urls.c,
-       lib/urls.h, lib/x509/x509.c: dropped the sanitize URL approach
-
-2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_int.h,
-       lib/pkcs11_privkey.c, lib/pkcs11_secret.c, lib/pkcs11_write.c: 
-       Instead of sanitizing URLs, use hints to support incomplete PKCS#11
-       URIs
-
-2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/x509.c: 
-       gnutls_x509_crt_import_url replaces
-       gnutls_x509_crt_import_pkcs11_url
-
-2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11.c: use p11_kit_uri_get_pin_source instead of
-       p11_kit_uri_get_pinfile
-
-2014-12-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2014-12-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/examples/ex-pkcs11-list.c: ex-pkcs11-list.c: updated for new
-       API
-
-2014-12-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
-       lib/x509/verify-high.c, lib/x509/verify-high2.c: combined
-       gnutls_pkcs11_obj_attr_t with gnutls_pkcs11_obj_flags That was done in an API-backwards compatible way. That introduces
-       gnutls_pkcs11_obj_list_import_url3() and
-       gnutls_pkcs11_obj_list_import_url4().
-
-2014-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c,
-       lib/x509/verify-high2.c: first attempt to unify obj_attrs with
-       obj_flags
-
-2014-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/pkcs11-is-known.c: tests: pkcs11-is-known checks
-       whether the import of PKCS #11 objects as trusted certs works
-
-2014-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c,
-       tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c,
-       tests/suite/pkcs11-privkey.c, tests/suite/softhsm.h,
-       tests/suite/testpkcs11.softhsm: Added softhsm.h to share code in
-       softhsm detection
-
-2014-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11_int.h, lib/x509/verify-high2.c: Directly import PKCS
-       #11 object URLs as trusted certificates That is, don't treat them as trusted modules, because they aren't a
-       token URL, but rather a direct reference to specific objects.
-
-2014-12-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_psk.c: PSK: added sanity check on PSK key size set
-
-2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/tests.c: gnutls-cli-debug: removed ARCFOUR-40 from the ciphers
-       to use It is no longer supported.
-
-2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_str.c: _gnutls_buffer_append_data returns zero on
-       success
-
-2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_buffers.c, lib/gnutls_record.c: corrected documentation
-       for the cork/uncork functions Reported by Jaak Ristioja.
-
-2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_record.c: doc update
-
-2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/algorithms/protocols.c: Added more precise version check in
-       _gnutls_version_lowest
-
-2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_record.c: corrected documentation of gnutls_cork()
-
-2014-12-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_str.c: Added 32-bit overflow protection in
-       _gnutls_buffer_append_data()
-
-2014-12-17  Jaak Ristioja <jaak.ristioja@cyber.ee>
-
-       * lib/gnutls_str.c: Remove redundant condition in
-       align_allocd_with_data().  At all call-sites of align_allocd_with_data() dest->data is
-       non-NULL.  Signed-off-by: Jaak Ristioja <jaak.ristioja@cyber.ee>
-
-2014-12-17  Jaak Ristioja <jaak.ristioja@cyber.ee>
-
-       * lib/gnutls_str.c: Deduplicated some code in
-       _gnutls_buffer_append_data().  Signed-off-by: Jaak Ristioja <jaak.ristioja@cyber.ee>
-
-2014-12-17  Jaak Ristioja <jaak.ristioja@cyber.ee>
-
-       * lib/gnutls_str.c: Explicitly marked some variables const in
-       _gnutls_buffer_append_data().  Signed-off-by: Jaak Ristioja <jaak.ristioja@cyber.ee>
-
-2014-12-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * devel/DCO/people-dco.txt: DCO: added Jaak Ristioja
-
-2014-12-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/slow/cipher-test.c: test-ciphers: do not fail on processor
-       which don't have the AES-NI instructions
-
-2014-12-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_str.c: _gnutls_buffer_*: moved common operations to
-       function
-
-2014-12-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_str.c: _gnutls_buffer_append_data: moved common code
-       outside the if-clause
-
-2014-12-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/testcompat-main-polarssl: tests: disable SSL 3.0
-       checks with polarssl It seems that SSL 3.0 is disabled in Debian's polarssl.
-
-2014-12-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/testdane: testdane: removed www.vulcano.cl from good
-       hosts
-
-2014-12-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/x509cert-tl.c: tests: enhanced x509cert-tl Verify gnutls_x509_trust_list_verify_crt2() in combination with
-       gnutls_x509_trust_list_add_named_crt().
-
-2014-12-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/verify-high.c: use
-       gnutls_x509_trust_list_verify_named_crt in
-       gnutls_x509_trust_list_verify_crt2
-
-2014-12-12  Ludovic Courtès <ludo@gnu.org>
-
-       * NEWS: Update 'NEWS'.
-
-2014-12-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/random.c: gnutls_rnd: doc update
-
-2014-12-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/pkcs12.c: gnutls_pkcs12_simple_parse: doc update
-
-2014-12-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * libdane/dane.c: improved documentation on dane
-
-2014-12-11  Ludovic Courtès <ludo@gnu.org>
-
-       * guile/tests/openpgp-keyring.scm: guile: Open binary file in binary
-       mode, for the sake of MinGW.  Reported by Eli Zaretskii <eliz@gnu.org>.  * guile/tests/openpgp-keyring.scm: Use 'open-file' with "rb" instead
-         of 'open-input-file'.
-
-2014-12-11  Ludovic Courtès <ludo@gnu.org>
-
-       * guile/src/Makefile.am: guile: Link with '-no-undefined'.  Fixes builds on MinGW.  Reported by Eli Zaretskii <eliz@gnu.org>.  * guile/src/Makefile.am (guile_gnutls_v_2_la_LDFLAGS): Add   -no-undefined.
-
-2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/pkcs11.c: p11tool: use Sleep() in windows
-
-2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool-cfg.c: certtool: ensure that default_serial_int is
-       64-bits or more
-
-2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/socket.c: use select() instead of alarm for better portability Based on patch by Eli Zaretskii.
-
-2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * cross.mk: cross.mk: updated for 3.3.11
-
-2014-12-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/crypto-backend.c: Allow a random generator with the same
-       priority to re-register That corrects an issue where the library is deinitialized, and
-       reinitialization wouldn't register the same rnd module.  Reported by
-       Stanislav Zidek.
-
-2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/x509cert.c: tests: x509cert: verify that length returned
-       from gnutls_x509_crt_get_dn matches strlen
-
-2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/testcompat-main-openssl: testcompat: corrected usage
-       of null cipher
-
-2014-12-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/nettle/rnd-fips.c: added the .check function in FIPS140-2 code
-
-2014-12-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/common.c: corrected typo
-
-2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac: configure: added option --without-idn
-
-2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/accelerated/x86/aes-gcm-padlock.c,
-       lib/accelerated/x86/aes-gcm-x86-aesni.c,
-       lib/accelerated/x86/aes-gcm-x86-ssse3.c: accelerated: added required
-       casts
-
-2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-gtls-app.texi, lib/gnutls_priority.c: the priority string
-       EXPORT is no more
-
-2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/accelerated/x86/aes-ccm-x86-aesni.c: aesni-ccm: removed unused
-       struct entries
-
-2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/accelerated/x86/Makefile.am,
-       lib/accelerated/x86/aes-ccm-x86-aesni.c,
-       lib/accelerated/x86/aes-x86.h, lib/accelerated/x86/x86-common.c: 
-       added AESNI accelerated CCM
-
-2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/accelerated/x86/aes-gcm-padlock.c,
-       lib/accelerated/x86/aes-gcm-x86-aesni.c,
-       lib/accelerated/x86/aes-gcm-x86-ssse3.c: more nettle3 related
-       changes
-
-2014-12-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * libdane/dane.c: dane: use the new _gnutls_buffer_to_datum
-
-2014-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/ocsp.c: tests: corrected the expected lengths in ocsp
-
-2014-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_cert.c, lib/gnutls_session_pack.c, lib/gnutls_str.c,
-       lib/gnutls_str.h, lib/openpgp/output.c, lib/pkcs11.c, lib/tpm.c,
-       lib/x509/dn.c, lib/x509/ocsp_output.c, lib/x509/output.c: 
-       _gnutls_buffer_to_datum: includes code for exporting strings
-
-2014-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/verify-high.c: when the trusted list contains a non-CA
-       certificate warn via the audit log
-
-2014-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/algorithms/ciphersuites.c: modified the CCM ciphersuite's name
-       to match the one in the IANA registry
-
-2014-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/ciphersuite/scan-gnutls.sh,
-       tests/suite/ciphersuite/test-ciphers.js: ciphersuite test: enhanced
-       check for correct ciphersuites
-
-2014-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/ciphersuite/scan-gnutls.sh: ciphersuites tests: add
-       missing includes
-
-2014-12-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/ciphersuite/scan-gnutls.sh: ciphersuite tests: define
-       HAVE_CONFIG_H
-
-2014-12-04  Ludovic Courtès <ludo@gnu.org>
-
-       * guile/src/Makefile.am: guile: Build with warnings.  * guile/src/Makefile.am (AM_CFLAGS) [HAVE_GCC]: Add -Wall -Wextra   -Wno-unused-parameter.
-
-2014-12-04  Ludovic Courtès <ludo@gnu.org>
-
-       * guile/modules/Makefile.am, guile/modules/gnutls.in,
-       guile/modules/gnutls/build/priorities.scm, guile/src/Makefile.am,
-       guile/src/core.c, guile/src/make-session-priorities.scm,
-       guile/tests/session-record-port.scm, guile/tests/x509-auth.scm: 
-       guile: Remove the deprecated priority API.  * guile/modules/gnutls/build/priorities.scm: Remove.  * guile/src/make-session-priorities.scm: Remove.  * guile/modules/Makefile.am (EXTRA_DIST): Adjust accordingly.  * guile/src/Makefile.am (EXTRA_DIST): Likewise.    (GENERATED_BINDINGS): Remove 'priorities.i.c'.    (priorities.i.c): Remove target.  * guile/src/core.c: Don't include it.    (scm_gnutls_set_default_priority_x): Remove.  * guile/modules/gnutls.in (gnutls): Adjust export list.  * guile/tests/session-record-port.scm: Use
-       'set-session-priorities!'.  * guile/tests/x509-auth.scm: Likewise.
-
-2014-12-04  Ludovic Courtès <ludo@gnu.org>
-
-       * doc/gnutls-guile.texi, guile/modules/gnutls.in,
-       guile/modules/gnutls/build/smobs.scm, guile/src/core.c,
-       guile/tests/openpgp-auth.scm, guile/tests/x509-auth.scm: guile:
-       Remove RSA parameters and related procedures.  * guile/modules/gnutls/build/smobs.scm (%rsa-parameters-smob):
-         Remove.  (%gnutls-smobs): Remove it.  * guile/src/core.c (scm_gnutls_make_rsa_parameters,   scm_gnutls_pkcs1_import_rsa_parameters,   scm_gnutls_pkcs1_export_rsa_parameters,   scm_gnutls_set_certificate_credentials_rsa_export_params_x):
-         Remove.  * guile/modules/gnutls.in: Adjust export list.  * guile/tests/openpgp-auth.scm (import-rsa-params): Remove.    Remove references to it and to   'set-certificate-credentials-rsa-export-parameters!'.  * guile/tests/x509-auth.scm: Likewise.  * doc/gnutls-guile.texi (Representation of Binary Data): Remove   references to RSA parameters.  Adjust example accordingly.    (OpenPGP Authentication Guile Example): Likewise.
-
-2014-12-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/TODO: updated TODO list
-
-2014-12-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/libgnutls.map: removed several of the unneeded exported
-       internal symbols
-
-2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-upgrade.texi: doc: corrected typo
-
-2014-11-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/nettle/cipher.c: use unsigned long in gcm_cast_st
-
-2014-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/nettle/cipher.c: corrected issue in AES-256-GCM
-
-2014-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/slow/Makefile.am, tests/slow/test-ciphers: tests: enhanced
-       cipher check to include all ciphers.
-
-2014-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/nettle/cipher.c: simplified abstractions over nettle based on
-       Niels' comments.
-
-2014-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/crypto-api.c: API doc update
-
-2014-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/crypto-selftests.c: Added test vectors for CCM mode
-
-2014-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/nettle/cipher.c: CCM: corrected AEAD decryption
-
-2014-11-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_priority.c: CCM mode moved to the lowest priority
-
-2014-11-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/accelerated/x86/aes-gcm-aead.h: aes-gcm-aead.h: generalized
-
-2014-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/benchmark-tls.c: gnutls-cli: added benchmark for CCM
-
-2014-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/priorities.c, tests/suite/testcompat-main-polarssl: tests:
-       updated for AES-128-CCM ciphersuites
-
-2014-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_cipher.c: use the new AEAD API in gnutls_cipher.c
-
-2014-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/algorithms/ciphers.c, lib/algorithms/ciphersuites.c,
-       lib/gnutls_priority.c, lib/includes/gnutls/gnutls.h.in,
-       lib/nettle/cipher.c: Added definitions for CCM ciphersuites
-
-2014-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS, doc/cha-crypto.texi, lib/accelerated/x86/Makefile.am,
-       lib/accelerated/x86/aes-gcm-aead.h,
-       lib/accelerated/x86/aes-gcm-padlock.c,
-       lib/accelerated/x86/aes-gcm-x86-aesni.c,
-       lib/accelerated/x86/aes-gcm-x86-pclmul.c,
-       lib/accelerated/x86/aes-gcm-x86-ssse3.c, lib/crypto-api.c,
-       lib/crypto-backend.h, lib/crypto-selftests.c,
-       lib/gnutls_cipher_int.c, lib/gnutls_cipher_int.h,
-       lib/includes/gnutls/crypto.h, lib/libgnutls.map,
-       lib/nettle/cipher.c: Modified crypto backend to accomodate for the
-       CCM ciphersuites
-
-2014-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/nettle/int/dsa-fips.h, lib/nettle/int/dsa-keygen-fips186.c,
-       lib/nettle/int/dsa-validate.c, lib/nettle/pk.c: More nettle2 updates
-       (in FIPS140-2 mode)
-
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/accelerated/x86/aes-gcm-padlock.c,
-       lib/accelerated/x86/aes-gcm-x86-aesni.c,
-       lib/accelerated/x86/aes-gcm-x86-ssse3.c,
-       lib/accelerated/x86/aes-padlock.c,
-       lib/accelerated/x86/aes-padlock.h, lib/accelerated/x86/aes-x86.h,
-       lib/accelerated/x86/sha-padlock.c,
-       lib/accelerated/x86/sha-x86-ssse3.c, lib/nettle/Makefile.am,
-       lib/nettle/cipher.c, lib/nettle/int/gcm-camellia.c,
-       lib/nettle/int/gcm-camellia.h, lib/nettle/pk.c, m4/hooks.m4,
-       tests/dsa/testdsa: ported to nettle 3.0
-
-2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * m4/hooks.m4: reduced current soversion
-
-2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS, doc/cha-upgrade.texi, lib/libgnutls.map: documented the
-       removal of deprecated functions
-
-2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_priority.c: corrected comparison
-
-2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/auth/cert.c, lib/auth/cert.h, lib/gnutls_cert.c,
-       lib/gnutls_priority.c, lib/gnutls_state.c,
-       lib/includes/gnutls/compat.h: removed the old gnutls_retr_st
-       compatibility functions
-
-2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * configure.ac, lib/Makefile.am, lib/gnutls_rsa_export.c,
-       lib/gnutls_ui.c, lib/includes/gnutls/compat.h, m4/hooks.m4: Removed
-       binary compatibility with RSA-EXPORT using applications
-
-2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_priority.c, lib/includes/gnutls/compat.h: removed the
-       old priority functions That is: gnutls_cipher_set_priority gnutls_mac_set_priority
-       gnutls_compression_set_priority gnutls_kx_set_priority
-       gnutls_protocol_set_priority gnutls_certificate_type_set_priority
-
-2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/compat.h, lib/x509/x509.c: removed
-       gnutls_x509_crt_verify_hash() and gnutls_x509_crt_verify_data()
-
-2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_cert.c, lib/gnutls_int.h, lib/gnutls_sig.c,
-       lib/includes/gnutls/compat.h: gnutls_sign_callback_set() and
-       gnutls_sign_callback_get() were removed
-
-2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/gnutls.h.in: renumbered fields in gnutls.h
-
-2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/libgnutls.map, m4/hooks.m4: increased gnutls' soversion
-
-2014-12-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/random.h: if the rnd structure doesn't provide check,
-       _gnutls_rnd_check() will succeed
-
-2014-11-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/Makefile.am, tests/x509-verify-with-crl.c: tests: Added
-       check for verification using CRLs
-
-2014-11-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/x509.c: Reorganized, and eliminated memory leak in
-       _gnutls_x509_crt_check_revocation() Reported by Tim Rühsen.
-
-2014-11-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/systemkey.c: systemkey: updated for new
-       gnutls_system_key_iter_get_info
-
-2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/system-keys.h, lib/system-keys-dummy.c,
-       lib/system-keys-win.c: gnutls_system_key_iter_get_info() allows
-       restricting results to a specific certificate type
-
-2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_x509.c: removed unneeded variable
-
-2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/gnutls.h.in, lib/includes/gnutls/pkcs11.h: doc
-       update
-
-2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-gtls-app.texi: doc: added recommendation to use the higher
-       level functions to load keys
-
-2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/certtool-cfg.c: certtool: avoid gcc warnings
-
-2014-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added
-       check for whether %NO_EXTENSIONS is required
-
-2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_ui.c: gnutls_session_get_desc: allow proper printing of
-       the NULL KX
+       * gl/Makefile.am, gl/alloca.in.h, gl/asnprintf.c, gl/asprintf.c,
+       gl/base64.c, gl/base64.h, gl/byteswap.in.h, gl/c-ctype.c,
+       gl/c-ctype.h, gl/errno.in.h, gl/float+.h, gl/float.c,
+       gl/float.in.h, gl/fstat.c, gl/ftell.c, gl/ftello.c, gl/getdelim.c,
+       gl/getline.c, gl/gettext.h, gl/gettimeofday.c, gl/hash-pjw-bare.c,
+       gl/hash-pjw-bare.h, gl/intprops.h, gl/itold.c, gl/lseek.c,
+       gl/m4/00gnulib.m4, gl/m4/absolute-header.m4, gl/m4/alloca.m4,
+       gl/m4/base64.m4, gl/m4/byteswap.m4, gl/m4/codeset.m4,
+       gl/m4/errno_h.m4, gl/m4/exponentd.m4, gl/m4/extensions.m4,
+       gl/m4/extern-inline.m4, gl/m4/fcntl-o.m4, gl/m4/fcntl_h.m4,
+       gl/m4/fdopen.m4, gl/m4/float_h.m4, gl/m4/fpieee.m4,
+       gl/m4/fseeko.m4, gl/m4/fstat.m4, gl/m4/ftell.m4, gl/m4/ftello.m4,
+       gl/m4/func.m4, gl/m4/getdelim.m4, gl/m4/getline.m4,
+       gl/m4/getpagesize.m4, gl/m4/gettext.m4, gl/m4/gettimeofday.m4,
+       gl/m4/glibc2.m4, gl/m4/glibc21.m4, gl/m4/gnulib-cache.m4,
+       gl/m4/gnulib-common.m4, gl/m4/gnulib-comp.m4, gl/m4/gnulib-tool.m4,
+       gl/m4/iconv.m4, gl/m4/include_next.m4, gl/m4/intdiv0.m4,
+       gl/m4/intl.m4, gl/m4/intldir.m4, gl/m4/intlmacosx.m4,
+       gl/m4/intmax.m4, gl/m4/intmax_t.m4, gl/m4/inttypes-pri.m4,
+       gl/m4/inttypes.m4, gl/m4/inttypes_h.m4, gl/m4/largefile.m4,
+       gl/m4/lcmessage.m4, gl/m4/ld-output-def.m4,
+       gl/m4/ld-version-script.m4, gl/m4/lib-ld.m4, gl/m4/lib-link.m4,
+       gl/m4/lib-prefix.m4, gl/m4/lock.m4, gl/m4/longlong.m4,
+       gl/m4/lseek.m4, gl/m4/malloc.m4, gl/m4/manywarnings.m4,
+       gl/m4/math_h.m4, gl/m4/memchr.m4, gl/m4/memmem.m4, gl/m4/minmax.m4,
+       gl/m4/mmap-anon.m4, gl/m4/msvc-inval.m4, gl/m4/msvc-nothrow.m4,
+       gl/m4/multiarch.m4, gl/m4/netdb_h.m4, gl/m4/netinet_in_h.m4,
+       gl/m4/nls.m4, gl/m4/off_t.m4, gl/m4/po.m4, gl/m4/printf-posix.m4,
+       gl/m4/printf.m4, gl/m4/progtest.m4, gl/m4/read-file.m4,
+       gl/m4/realloc.m4, gl/m4/size_max.m4, gl/m4/snprintf.m4,
+       gl/m4/socklen.m4, gl/m4/sockpfaf.m4, gl/m4/ssize_t.m4,
+       gl/m4/stdalign.m4, gl/m4/stdbool.m4, gl/m4/stddef_h.m4,
+       gl/m4/stdint.m4, gl/m4/stdint_h.m4, gl/m4/stdio_h.m4,
+       gl/m4/stdlib_h.m4, gl/m4/strcase.m4, gl/m4/string_h.m4,
+       gl/m4/strings_h.m4, gl/m4/strndup.m4, gl/m4/strnlen.m4,
+       gl/m4/strtok_r.m4, gl/m4/strverscmp.m4, gl/m4/sys_socket_h.m4,
+       gl/m4/sys_stat_h.m4, gl/m4/sys_time_h.m4, gl/m4/sys_types_h.m4,
+       gl/m4/sys_uio_h.m4, gl/m4/threadlib.m4, gl/m4/time_h.m4,
+       gl/m4/time_r.m4, gl/m4/uintmax_t.m4, gl/m4/ungetc.m4,
+       gl/m4/unistd_h.m4, gl/m4/valgrind-tests.m4, gl/m4/vasnprintf.m4,
+       gl/m4/vasprintf.m4, gl/m4/visibility.m4, gl/m4/vsnprintf.m4,
+       gl/m4/warn-on-use.m4, gl/m4/warnings.m4, gl/m4/wchar_h.m4,
+       gl/m4/wchar_t.m4, gl/m4/wint_t.m4, gl/m4/xsize.m4, gl/malloc.c,
+       gl/memchr.c, gl/memmem.c, gl/minmax.h, gl/msvc-inval.c,
+       gl/msvc-inval.h, gl/msvc-nothrow.c, gl/msvc-nothrow.h,
+       gl/netdb.in.h, gl/netinet_in.in.h, gl/printf-args.c,
+       gl/printf-args.h, gl/printf-parse.c, gl/printf-parse.h,
+       gl/read-file.c, gl/read-file.h, gl/realloc.c, gl/size_max.h,
+       gl/snprintf.c, gl/stdalign.in.h, gl/stdbool.in.h, gl/stddef.in.h,
+       gl/stdint.in.h, gl/stdio-impl.h, gl/stdio.in.h, gl/stdlib.in.h,
+       gl/str-two-way.h, gl/strcasecmp.c, gl/string.in.h, gl/strings.in.h,
+       gl/strncasecmp.c, gl/strndup.c, gl/strnlen.c, gl/strtok_r.c,
+       gl/strverscmp.c, gl/sys_socket.in.h, gl/sys_stat.in.h,
+       gl/sys_time.in.h, gl/sys_types.in.h, gl/sys_uio.in.h,
+       gl/tests/Makefile.am, gl/tests/binary-io.h, gl/tests/fcntl.in.h,
+       gl/tests/fdopen.c, gl/tests/fpucw.h, gl/tests/getpagesize.c,
+       gl/tests/init.sh, gl/tests/inttypes.in.h, gl/tests/macros.h,
+       gl/tests/signature.h, gl/tests/test-alloca-opt.c,
+       gl/tests/test-base64.c, gl/tests/test-binary-io.c,
+       gl/tests/test-byteswap.c, gl/tests/test-c-ctype.c,
+       gl/tests/test-errno.c, gl/tests/test-fcntl-h.c,
+       gl/tests/test-fdopen.c, gl/tests/test-fgetc.c,
+       gl/tests/test-float.c, gl/tests/test-fputc.c,
+       gl/tests/test-fread.c, gl/tests/test-fstat.c,
+       gl/tests/test-ftell.c, gl/tests/test-ftell3.c,
+       gl/tests/test-ftello.c, gl/tests/test-ftello3.c,
+       gl/tests/test-ftello4.c, gl/tests/test-func.c,
+       gl/tests/test-fwrite.c, gl/tests/test-getdelim.c,
+       gl/tests/test-getline.c, gl/tests/test-gettimeofday.c,
+       gl/tests/test-iconv.c, gl/tests/test-init.sh,
+       gl/tests/test-intprops.c, gl/tests/test-inttypes.c,
+       gl/tests/test-memchr.c, gl/tests/test-netdb.c,
+       gl/tests/test-netinet_in.c, gl/tests/test-read-file.c,
+       gl/tests/test-snprintf.c, gl/tests/test-stdalign.c,
+       gl/tests/test-stdbool.c, gl/tests/test-stddef.c,
+       gl/tests/test-stdint.c, gl/tests/test-stdio.c,
+       gl/tests/test-stdlib.c, gl/tests/test-string.c,
+       gl/tests/test-strings.c, gl/tests/test-strnlen.c,
+       gl/tests/test-strverscmp.c, gl/tests/test-sys_socket.c,
+       gl/tests/test-sys_stat.c, gl/tests/test-sys_time.c,
+       gl/tests/test-sys_types.c, gl/tests/test-sys_uio.c,
+       gl/tests/test-sys_wait.h, gl/tests/test-time.c,
+       gl/tests/test-u64.c, gl/tests/test-unistd.c,
+       gl/tests/test-vasnprintf.c, gl/tests/test-vasprintf.c,
+       gl/tests/test-vc-list-files-cvs.sh,
+       gl/tests/test-vc-list-files-git.sh, gl/tests/test-verify.c,
+       gl/tests/test-vsnprintf.c, gl/tests/test-wchar.c,
+       gl/tests/zerosize-ptr.h, gl/time.in.h, gl/time_r.c, gl/u64.h,
+       gl/unistd.in.h, gl/vasnprintf.c, gl/vasnprintf.h, gl/vasprintf.c,
+       gl/verify.h, gl/vsnprintf.c, gl/wchar.in.h, gl/xsize.h,
+       src/gl/Makefile.am, src/gl/accept.c, src/gl/alloca.in.h,
+       src/gl/arpa_inet.in.h, src/gl/asnprintf.c, src/gl/bind.c,
+       src/gl/c-ctype.c, src/gl/c-ctype.h, src/gl/close.c,
+       src/gl/connect.c, src/gl/dup2.c, src/gl/errno.in.h, src/gl/error.c,
+       src/gl/error.h, src/gl/exitfail.c, src/gl/exitfail.h,
+       src/gl/fd-hook.c, src/gl/fd-hook.h, src/gl/float+.h,
+       src/gl/float.c, src/gl/float.in.h, src/gl/fseek.c, src/gl/fseeko.c,
+       src/gl/fstat.c, src/gl/ftell.c, src/gl/ftello.c,
+       src/gl/gai_strerror.c, src/gl/getaddrinfo.c, src/gl/getdelim.c,
+       src/gl/getline.c, src/gl/getpass.c, src/gl/getpass.h,
+       src/gl/getpeername.c, src/gl/gettext.h, src/gl/gettime.c,
+       src/gl/gettimeofday.c, src/gl/inet_ntop.c, src/gl/inet_pton.c,
+       src/gl/intprops.h, src/gl/itold.c, src/gl/listen.c, src/gl/lseek.c,
+       src/gl/m4/00gnulib.m4, src/gl/m4/absolute-header.m4,
+       src/gl/m4/alloca.m4, src/gl/m4/arpa_inet_h.m4, src/gl/m4/bison.m4,
+       src/gl/m4/clock_time.m4, src/gl/m4/close.m4, src/gl/m4/dup2.m4,
+       src/gl/m4/eealloc.m4, src/gl/m4/environ.m4, src/gl/m4/errno_h.m4,
+       src/gl/m4/error.m4, src/gl/m4/exponentd.m4,
+       src/gl/m4/extensions.m4, src/gl/m4/extern-inline.m4,
+       src/gl/m4/float_h.m4, src/gl/m4/fseek.m4, src/gl/m4/fseeko.m4,
+       src/gl/m4/fstat.m4, src/gl/m4/ftell.m4, src/gl/m4/ftello.m4,
+       src/gl/m4/getaddrinfo.m4, src/gl/m4/getdelim.m4,
+       src/gl/m4/getline.m4, src/gl/m4/getpass.m4, src/gl/m4/gettime.m4,
+       src/gl/m4/gettimeofday.m4, src/gl/m4/gnulib-cache.m4,
+       src/gl/m4/gnulib-common.m4, src/gl/m4/gnulib-comp.m4,
+       src/gl/m4/gnulib-tool.m4, src/gl/m4/hostent.m4,
+       src/gl/m4/include_next.m4, src/gl/m4/inet_ntop.m4,
+       src/gl/m4/inet_pton.m4, src/gl/m4/intmax_t.m4,
+       src/gl/m4/inttypes_h.m4, src/gl/m4/largefile.m4,
+       src/gl/m4/longlong.m4, src/gl/m4/lseek.m4, src/gl/m4/malloc.m4,
+       src/gl/m4/malloca.m4, src/gl/m4/math_h.m4, src/gl/m4/memchr.m4,
+       src/gl/m4/minmax.m4, src/gl/m4/mktime.m4, src/gl/m4/mmap-anon.m4,
+       src/gl/m4/msvc-inval.m4, src/gl/m4/msvc-nothrow.m4,
+       src/gl/m4/multiarch.m4, src/gl/m4/netdb_h.m4,
+       src/gl/m4/netinet_in_h.m4, src/gl/m4/off_t.m4,
+       src/gl/m4/parse-datetime.m4, src/gl/m4/printf.m4,
+       src/gl/m4/read-file.m4, src/gl/m4/realloc.m4, src/gl/m4/select.m4,
+       src/gl/m4/servent.m4, src/gl/m4/setenv.m4, src/gl/m4/signal_h.m4,
+       src/gl/m4/size_max.m4, src/gl/m4/snprintf.m4,
+       src/gl/m4/socketlib.m4, src/gl/m4/sockets.m4, src/gl/m4/socklen.m4,
+       src/gl/m4/sockpfaf.m4, src/gl/m4/ssize_t.m4, src/gl/m4/stdalign.m4,
+       src/gl/m4/stdbool.m4, src/gl/m4/stddef_h.m4, src/gl/m4/stdint.m4,
+       src/gl/m4/stdint_h.m4, src/gl/m4/stdio_h.m4, src/gl/m4/stdlib_h.m4,
+       src/gl/m4/strdup.m4, src/gl/m4/strerror.m4, src/gl/m4/string_h.m4,
+       src/gl/m4/sys_select_h.m4, src/gl/m4/sys_socket_h.m4,
+       src/gl/m4/sys_stat_h.m4, src/gl/m4/sys_time_h.m4,
+       src/gl/m4/sys_types_h.m4, src/gl/m4/sys_uio_h.m4,
+       src/gl/m4/time_h.m4, src/gl/m4/time_r.m4, src/gl/m4/timespec.m4,
+       src/gl/m4/tm_gmtoff.m4, src/gl/m4/unistd_h.m4,
+       src/gl/m4/vasnprintf.m4, src/gl/m4/warn-on-use.m4,
+       src/gl/m4/wchar_h.m4, src/gl/m4/wchar_t.m4, src/gl/m4/wint_t.m4,
+       src/gl/m4/xalloc.m4, src/gl/m4/xsize.m4, src/gl/malloc.c,
+       src/gl/malloca.c, src/gl/malloca.h, src/gl/memchr.c,
+       src/gl/minmax.h, src/gl/mktime.c, src/gl/msvc-inval.c,
+       src/gl/msvc-inval.h, src/gl/msvc-nothrow.c, src/gl/msvc-nothrow.h,
+       src/gl/netdb.in.h, src/gl/netinet_in.in.h, src/gl/parse-datetime.h,
+       src/gl/parse-datetime.y, src/gl/printf-args.c,
+       src/gl/printf-args.h, src/gl/printf-parse.c, src/gl/printf-parse.h,
+       src/gl/progname.c, src/gl/progname.h, src/gl/read-file.c,
+       src/gl/read-file.h, src/gl/realloc.c, src/gl/recv.c,
+       src/gl/recvfrom.c, src/gl/select.c, src/gl/send.c, src/gl/sendto.c,
+       src/gl/setenv.c, src/gl/setsockopt.c, src/gl/shutdown.c,
+       src/gl/signal.in.h, src/gl/size_max.h, src/gl/snprintf.c,
+       src/gl/socket.c, src/gl/sockets.c, src/gl/sockets.h,
+       src/gl/stdalign.in.h, src/gl/stdbool.in.h, src/gl/stddef.in.h,
+       src/gl/stdint.in.h, src/gl/stdio-impl.h, src/gl/stdio.in.h,
+       src/gl/stdlib.in.h, src/gl/strdup.c, src/gl/strerror-override.c,
+       src/gl/strerror-override.h, src/gl/strerror.c, src/gl/string.in.h,
+       src/gl/sys_select.in.h, src/gl/sys_socket.in.h,
+       src/gl/sys_stat.in.h, src/gl/sys_time.in.h, src/gl/sys_types.in.h,
+       src/gl/sys_uio.in.h, src/gl/time.in.h, src/gl/time_r.c,
+       src/gl/timespec.h, src/gl/unistd.in.h, src/gl/unsetenv.c,
+       src/gl/vasnprintf.c, src/gl/vasnprintf.h, src/gl/verify.h,
+       src/gl/w32sock.h, src/gl/wchar.in.h, src/gl/xalloc-die.c,
+       src/gl/xalloc-oversized.h, src/gl/xalloc.h, src/gl/xmalloc.c,
+       src/gl/xsize.h: updated gnulib
 
-2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2015-01-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_ui.c: gnutls_session_get_desc will return NULL if
-       initial negotiation is not complete
+       * src/cli-debug.c: gnutls-cli-debug: corrected the skip of ignored
+       checks
 
-2014-11-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2014-11-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/mini-chain-unsorted.c: tests: small fix in
-       mini-chain-unsorted
-
-2014-11-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_pcert.c, lib/gnutls_x509.c, lib/x509/common.c,
-       lib/x509/common.h, lib/x509/x509.c: 
-       GNUTLS_E_CERTIFICATE_LIST_UNSORTED can be returned from
-       gnutls_pcert_import_x509_list That is when it cannot sort the list and GNUTLS_X509_CRT_LIST_SORT
-       is specified.
-
-2014-11-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_pcert.c: gnutls_pcert_import_x509_list: only sort the
-       lists it can sort
-
-2014-11-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2014-11-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/system-keys-win.c: simplified windows URLs
-
-2014-11-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/system-keys-win.c: system-keys-win: include urls.h
-
-2014-11-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/Makefile.am, tests/mini-cert-status.c,
-       tests/mini-chain-unsorted.c: tests: added mini-chain-unsorted
-
-2014-11-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_pcert.c, lib/gnutls_x509.c,
-       lib/includes/gnutls/abstract.h, lib/includes/gnutls/x509.h,
-       lib/libgnutls.map, lib/x509/common.c, lib/x509/common.h,
-       lib/x509/verify-high.c, lib/x509/x509.c: Added flag
-       GNUTLS_X509_CRT_LIST_SORT for gnutls_x509_crt_list_import* That also allows automatically sorting input chains to the
-       gnutls_certificate_credentials_t structure.
-
-2014-11-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/Makefile.am, tests/set_x509_key_file.c: tests: Added check
-       for memory leaks when a file cannot be loaded.
-
-2014-11-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_x509.c: gnutls_certificate_set_x509_key_*: eliminated
-       memory leak when certificate could not be parsed Reported by Georg Richter.
-
-2014-11-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * libdane/dane.c: libdane: undef gnutls_assert() before redefining
-       it
-
-2014-11-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/socket.c: gnutls-cli-debug: do not print error on unknown
-       protocols
+       * src/certtool.c: certtool: --pubkey-info will load a public key
+       from stdin
 
-2014-11-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/Makefile.am, tests/set_x509_key_mem.c: tests: added leak
-       check for gnutls_set_x509_key_mem2()
+       * lib/system.h: include netinet/in.h if present to access ipv6
+       related structures Based on patch by Rumko.  https://savannah.gnu.org/support/?108713
 
-2014-11-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-30  Matthias-Christian Ott <ott@mirix.org>
 
-       * lib/gnutls_x509.c: documented the limitations of the loading
-       functions
+       * lib/gnutls_cipher_int.c: Don't call _gnutls_cipher_encrypt2 with
+       textlen = 0 in _gnutls_auth_cipher_encrypt2_tag If the plaintext is shorter than the block size of the used cipher,
+       _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with
+       textlen = 0. By definition _gnutls_cipher_encrypt2 does nothing in
+       this case and thus does not need to be called.
 
-2014-11-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-30  Matthias-Christian Ott <ott@mirix.org>
 
-       * lib/gnutls_x509.c: corrected memleak in read_key_mem() Patch by Georg Richter.
+       * lib/accelerated/x86/aes-gcm-padlock.c,
+       lib/accelerated/x86/aes-padlock.c: Handle zero length plaintext for
+       VIA PadLock functions If the plaintext is shorter than the block size of the used cipher,
+       _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with
+       textlen = 0. padlock_ecb_encrypt and padlock_cbc_encrypt assume that
+       the plaintext length (last parameter) is greater than zero and
+       segfault otherwise. The assembler code for both functions is
+       automatically generated and imported from OpenSSL, so to ease
+       maintenance the length should be validated in the functions that
+       call padlock_ecb_encrypt or padlock_cbc_encrypt.
 
-2014-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added
-       check for sorted certificate chain
+       * tests/openpgp-keyring.c: tests: enhanced openpgp-keyring test
 
-2014-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_db.c: do not allow the resumption of a session which
-       switches the state of ext_master_secret
+       * lib/openpgp/output.c: openpgp: properly print names in oneline
+       output as well
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/rfc2253-escape-test: tests: run rfc2253-escape-test under
-       valgrind
+       * lib/openpgp/output.c: updates in openpgp DSA key printing
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/custom-urls.c: tests: enhanced custom-url check
+       * lib/openpgp/output.c: properly print openpgp names
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_privkey.c, lib/gnutls_x509.c: sanitize URLs at the
-       proper place
+       * src/cli-debug.c, src/common.c, src/tests.c: tools: use OCSP
+       functions only when OCSP is enabled
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/x509.c: corrected freeing of custom URL
+       * lib/gnutls_pubkey.c: Corrected encoding and decoding of ANSI X9.62 That affects gnutls_pubkey_export_ecc_x962() and
+       gnutls_pubkey_import_ecc_x962().
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/cha-tokens.texi, lib/includes/gnutls/urls.h: doc update
+       * src/certtool-args.def, src/p11tool-args.def: tools: document the
+       available curves
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/suppressions.valgrind, tests/suppressions.valgrind: 
-       Added memxor_different_alignment into suppressions
+       * NEWS: doc update
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/cha-tokens.texi, lib/gnutls_x509.c,
-       lib/includes/gnutls/urls.h, lib/urls.c, lib/urls.h: Allow the
-       construction of chains with custom URLs
+       * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_int.h,
+       lib/pkcs11_privkey.c, lib/pkcs11_secret.c, lib/pkcs11_write.c: Use
+       hints to support incomplete PKCS#11 URIs
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * .gitignore: updated ignored files
+       * doc/examples/Makefile.am, src/Makefile.am, src/gl/Makefile.am,
+       src/gl/m4/gnulib-cache.m4, src/gl/m4/gnulib-comp.m4: completely
+       separated the two gnulibs to avoid conflicts
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/Makefile.am, src/systemkey-tool.c, src/systemkey.c: renamed
-       systemkey-tool to systemkey, and don't install it by default
+       * gl/Makefile.am, gl/m4/extensions.m4, gl/m4/extern-inline.m4,
+       gl/m4/gnulib-comp.m4, gl/m4/iconv.m4, gl/m4/printf.m4,
+       gl/m4/stdalign.m4, gl/m4/stddef_h.m4, gl/m4/stdio_h.m4,
+       gl/stdalign.in.h, gl/stddef.in.h, gl/tests/test-fcntl-h.c,
+       gl/tests/test-stddef.c, gl/unistd.in.h, gl/vasnprintf.c,
+       src/gl/Makefile.am, src/gl/m4/extensions.m4,
+       src/gl/m4/extern-inline.m4, src/gl/m4/gnulib-comp.m4,
+       src/gl/m4/printf.m4, src/gl/m4/stdalign.m4, src/gl/m4/stddef_h.m4,
+       src/gl/m4/stdio_h.m4, src/gl/parse-datetime.y,
+       src/gl/stdalign.in.h, src/gl/stddef.in.h, src/gl/timespec.h,
+       src/gl/unistd.in.h, src/gl/vasnprintf.c: updated gnulib
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/Makefile.am, tests/custom-urls.c: tests: added check for
-       registration of custom URLs
+       * lib/x509/verify-high2.c: when importing object CAs from PKCS#11
+       URL, import the marked as trusted only
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/gnutls/urls.h, lib/libgnutls.map, lib/urls.c: export
-       gnutls_register_custom_url
+       * lib/pkcs11.c: pkcs11: when matching objects, also match the label
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_x509.c: correctly handle non-pkcs11 URLs in
-       read_cert_url
+       * tests/suite/pkcs11-chainverify.c: added missing variable
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * .gitignore: more files to ignore
+       * lib/x509/Makefile.am: Added p11-kit cflags in x509/
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/Makefile.am, doc/cha-tokens.texi, lib/gnutls_privkey.c,
-       lib/gnutls_pubkey.c, lib/gnutls_x509.c, lib/gnutls_x509.h,
-       lib/includes/Makefile.am, lib/includes/gnutls/urls.h,
-       lib/system-keys-win.c, lib/urls.c, lib/urls.h, lib/x509/x509.c: 
-       Added the ability to register application specific URLs for keys and
-       certs
+       * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c,
+       tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c,
+       tests/suite/softhsm.h, tests/suite/testpkcs11.softhsm: Added
+       softhsm.h to share code in softhsm detection Conflicts:         tests/suite/pkcs11-chainverify.c         tests/suite/pkcs11-privkey.c
 
-2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/system-keys-win.c: system-keys-win: use macros for the URL
+       * lib/pkcs11_int.h, lib/x509/verify-high2.c: Directly import PKCS
+       #11 object URLs as trusted certificates That is, don't treat them as trusted modules, because they aren't a
+       token URL, but rather a direct reference to specific objects.
 
-2014-11-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_handshake.c: doc update
+       * lib/gnutls_buffers.c, lib/gnutls_record.c: corrected documentation
+       for the cork/uncork functions Reported by Jaak Ristioja.
 
-2014-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/Makefile.am, tests/mini-rehandshake-2.c: tests: added test
-       for GNUTLS_E_GOT_APPLICATION_DATA on rehandshake
+       * lib/gnutls_record.c: doc update
 
-2014-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_handshake.c, lib/gnutls_record.c: treat
-       GNUTLS_E_GOT_APPLICATION_DATA as non-fatal if initial negotiation is
-       complete This corrects a regression introduced in
-       b5a0de2e6da98866cafb770c3141b7353d030ab2 Reported by Dan Winship.
-       https://savannah.gnu.org/support/?108690
+       * NEWS: doc update
 
-2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: removed old news
+       * lib/algorithms/protocols.c: Added more precise version check in
+       _gnutls_version_lowest
 
 2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
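Review bot: The visible part of this hunk swaps out dozens of ChangeLog entries dated 2014-11 through 2015-01, and none of the added or removed lines mention minitasn1 or CVE-2017-6891, so the history rewrite should go in a separate commit to keep the security fix auditable on its own. Security-relevant entries such as "lib/gnutls_db.c: do not allow the resumption of a session which switches the state of ext_master_secret" are dropped here; please confirm this matches the branch the tree tracks and is not a ChangeLog regenerated from the wrong ref. The added softhsm.h entry also carries cherry-pick residue ("Conflicts: tests/suite/pkcs11-chainverify.c tests/suite/pkcs11-privkey.c") that should be cleaned from the commit message before the log is regenerated.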
        the format of the packet, nothing to do with the negotiated
        version).
 
-2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_priority.c: Revert "The priority modifier
-       %LATEST_RECORD_VERSION is now the default" This reverts commit 66c419cc6336ea9a2747574588ffee77458b838f.
-
-2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/ocsp.c: deinitialize the OCSP response der data That also makes sure that reinitialization of ASN1 structures are
-       done when it is required only.
-
-2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/Makefile.am, lib/gnutls_priority.c,
-       lib/includes/gnutls/gnutls.h.in, src/cli.c: 
-       gnutls_priority_string_list: allow printing the special keywords as
-       well.
-
-2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/nettle/rnd-common.c: simplified code involving getrandom() and
-       getentropy()
-
-2014-11-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * configure.ac: configure: detect android system and define a
-       variable
-
-2014-11-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/Makefile.am, lib/system-keys-dummy.c, lib/system-keys-win.c,
-       lib/system-keys.c: separated system-keys implementations
-
-2014-11-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/libgnutls.map: removed redundant local
-
-2014-11-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/testpkcs11: tests: added check for the abbreviated
-       URLs which don't contain object information
+       * lib/gnutls_record.c: corrected documentation of gnutls_cork()
 
-2014-11-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-12  Ludovic Courtès <ludo@gnu.org>
 
-       * lib/Makefile.am, lib/gnutls_x509.c, lib/pkcs11_privkey.c,
-       lib/urls.c, lib/urls.h, lib/x509/x509.c: prior to importing objects
-       with URLs sanitize them That allows to use out of band information to complete missing parts
-       in URLs (e.g., object-type=cert, when there is a certificate).
+       * NEWS, doc/gnutls-guile.texi, guile/modules/gnutls.in,
+       guile/modules/gnutls/build/smobs.scm, guile/src/core.c,
+       guile/tests/openpgp-auth.scm, guile/tests/x509-auth.scm: Revert
+       "guile: Remove RSA parameters and related procedures." This reverts commit 9f5788469f6f3f3fdd4cf064621a903607f10f2f; this
+       will be done in the 3.4 branch, as for the C library.  Update NEWS
+       accordingly.
 
-2014-11-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-12  Ludovic Courtès <ludo@gnu.org>
 
-       * lib/system-keys.c: compilation fixes
+       * NEWS: Update 'NEWS'.
 
-2014-11-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-12-11  Ludovic Courtès <ludo@gnu.org>
 
-       * NEWS: doc update
+       * guile/tests/openpgp-keyring.scm: guile: Open binary file in binary
+       mode, for the sake of MinGW.  Reported by Eli Zaretskii <eliz@gnu.org>.  * guile/tests/openpgp-keyring.scm: Use 'open-file' with "rb" instead
+         of 'open-input-file'.
 
-2014-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-12-11  Ludovic Courtès <ludo@gnu.org>
 
-       * lib/Makefile.am, lib/gnutls_errors.c, lib/gnutls_global.c,
-       lib/gnutls_privkey.c, lib/gnutls_sig.c, lib/gnutls_sig.h,
-       lib/gnutls_str.c, lib/gnutls_str.h, lib/gnutls_x509.c,
-       lib/includes/gnutls/abstract.h, lib/includes/gnutls/gnutls.h.in,
-       lib/includes/gnutls/pkcs11.h, lib/includes/gnutls/system-keys.h,
-       lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/pkcs11.c,
-       lib/pkcs11_int.h, lib/system-keys.c, lib/system-keys.h,
-       lib/x509/Makefile.am, lib/x509/x509.c, src/Makefile.am,
-       src/systemkey-args.def, src/systemkey-tool.c: Added API to
-       read/write/delete key-cert pairs (limited to windows for now)
+       * guile/src/Makefile.am: guile: Link with '-no-undefined'.  Fixes builds on MinGW.  Reported by Eli Zaretskii <eliz@gnu.org>.  * guile/src/Makefile.am (guile_gnutls_v_2_la_LDFLAGS): Add   -no-undefined.
 
-2014-11-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-04  Ludovic Courtès <ludo@gnu.org>
 
-       * lib/gnutls_priority.c: NORMAL priority: prioritize the less than
-       256-bits curves at the lowest level
+       * guile/src/Makefile.am: guile: Build with warnings.  * guile/src/Makefile.am (AM_CFLAGS) [HAVE_GCC]: Add -Wall -Wextra   -Wno-unused-parameter.
 
-2014-11-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-04  Ludovic Courtès <ludo@gnu.org>
 
-       * src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h,
-       src/certtool.c: certtool: Allow to set the nonRepudiation,
-       keyAgreement and dataEncipherment flags
+       * guile/modules/Makefile.am, guile/modules/gnutls.in,
+       guile/modules/gnutls/build/priorities.scm, guile/src/Makefile.am,
+       guile/src/core.c, guile/src/make-session-priorities.scm,
+       guile/tests/session-record-port.scm, guile/tests/x509-auth.scm: 
+       guile: Remove the deprecated priority API.  * guile/modules/gnutls/build/priorities.scm: Remove.  * guile/src/make-session-priorities.scm: Remove.  * guile/modules/Makefile.am (EXTRA_DIST): Adjust accordingly.  * guile/src/Makefile.am (EXTRA_DIST): Likewise.    (GENERATED_BINDINGS): Remove 'priorities.i.c'.    (priorities.i.c): Remove target.  * guile/src/core.c: Don't include it.    (scm_gnutls_set_default_priority_x): Remove.  * guile/modules/gnutls.in (gnutls): Adjust export list.  * guile/tests/session-record-port.scm: Use
+       'set-session-priorities!'.  * guile/tests/x509-auth.scm: Likewise.
 
-2014-11-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-04  Ludovic Courtès <ludo@gnu.org>
 
-       * src/certtool-args.def: list the OIDs in the certtool cfg file
-       documentation
+       * doc/gnutls-guile.texi, guile/modules/gnutls.in,
+       guile/modules/gnutls/build/smobs.scm, guile/src/core.c,
+       guile/tests/openpgp-auth.scm, guile/tests/x509-auth.scm: guile:
+       Remove RSA parameters and related procedures.  * guile/modules/gnutls/build/smobs.scm (%rsa-parameters-smob):
+         Remove.  (%gnutls-smobs): Remove it.  * guile/src/core.c (scm_gnutls_make_rsa_parameters,   scm_gnutls_pkcs1_import_rsa_parameters,   scm_gnutls_pkcs1_export_rsa_parameters,   scm_gnutls_set_certificate_credentials_rsa_export_params_x):
+         Remove.  * guile/modules/gnutls.in: Adjust export list.  * guile/tests/openpgp-auth.scm (import-rsa-params): Remove.    Remove references to it and to   'set-certificate-credentials-rsa-export-parameters!'.  * guile/tests/x509-auth.scm: Likewise.  * doc/gnutls-guile.texi (Representation of Binary Data): Remove   references to RSA parameters.  Adjust example accordingly.    (OpenPGP Authentication Guile Example): Likewise.
 
-2014-11-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/fips.c, lib/fips.h, lib/gnutls_global.c: properly reset the
-       zombie mode in FIPS mode This amends 9158f590f4a18c84fc9eb41877b29d73b30af879
+       * lib/random.c: gnutls_rnd: doc update
 
-2014-11-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/TODO: doc update
+       * lib/x509/pkcs12.c: gnutls_pkcs12_simple_parse: doc update
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
+       * libdane/dane.c: improved documentation on dane
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_x509.c: partially reverted
-       999d221fd2241ff73f884bf33d8cbe6eb8299184 That change allows to use the intermediate certificates in chains as
-       OCSP anchors.
+       * src/pkcs11.c: p11tool: use Sleep() in windows
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/certtool.c: certtool: print message when the system trust is
-       used
+       * src/certtool-cfg.c: certtool: ensure that default_serial_int is
+       64-bits or more
 
-2014-11-14  David Weber <dave@veryflatcat.com>
+2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/cli.c, src/serv.c: Fixed SRTP profile configuration in cli.c
-       and serv.c.  I have tested the fix in 3.3.10. This commit is UNTESTED as i am
-       unable to compile gnutls (./configure complains about gl_INIT and
-       ggl_INIT).  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+       * src/socket.c: use select() instead of alarm for better portability Based on patch by Eli Zaretskii.
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/ocsp.c: tests: ocsp: added the signature in check
+       * NEWS: released 3.3.11
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/ocsp_output.c: only print about additional certificates
-       if they are present
+       * configure.ac, m4/hooks.m4: bumped version
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/ocsp.c: ocsp: fix DN decoding in
-       gnutls_ocsp_resp_get_responder_raw_id
+       * tests/suite/testcompat-main: testcompat: corrected usage of null
+       cipher
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-12-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/ocsp.c: tests: ocsp: added check with a long response
+       * lib/nettle/rnd-fips.c: added the .check function in FIPS140-2 code
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/ocsp.c: use the original DER/BER data when verifying an
-       OCSP response
+       * lib/x509/dn.c: _gnutls_x509_get_dn() always return a null
+       terminated string
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-12-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_pubkey.c: _pkcs1_rsa_verify_sig() simplify hashing
+       * lib/random.h: if the rnd structure doesn't provide check,
+       _gnutls_rnd_check() will succeed
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/ocsp.c: ocsp: eliminated duplicate code
+       * lib/x509/x509.c: Reorganized, and eliminated memory leak in
+       _gnutls_x509_crt_check_revocation() Reported by Tim Rühsen.
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-args.def: clarified the multiple paths printing of
-       the verify options
+       * lib/includes/gnutls/gnutls.h.in, lib/includes/gnutls/pkcs11.h: doc
+       update
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/cli.c: gnutls-cli: allow printing the certificates in OCSP
-       responses when --print-cert is specified
+       * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added
+       check for whether %NO_EXTENSIONS is required
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_x509.c, lib/x509/ocsp.c: updated OCSP verification code
-       to better use the trust list, and the KeyHash
+       * lib/gnutls_ui.c: gnutls_session_get_desc: allow proper printing of
+       the NULL KX
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/ocsp_output.c: OCSP printing: Add header in front of
-       certificates
+       * lib/gnutls_x509.c: gnutls_certificate_set_x509_key_*: eliminated
+       memory leak when certificate could not be parsed Reported by Georg Richter.
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/gnutls/pkcs11.h, lib/includes/gnutls/x509.h,
-       lib/pkcs11.c, lib/x509/verify-high.c: added
-       gnutls_pkcs11_get_raw_issuer_by_dn and
-       gnutls_x509_trust_list_get_issuer_by_dn
+       * src/socket.c: gnutls-cli-debug: do not print error on unknown
+       protocols
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-11-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: check
-       for OCSP status response
+       * lib/gnutls_x509.c: documented the limitations of the loading
+       functions
 
-2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-11-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/cert-tests/crq: corrected crq test case; reported by Andreas
-       Metzler
+       * lib/gnutls_x509.c: corrected memleak in read_key_mem() Patch by Georg Richter.
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/pkcs11.c: set the GNUTLS_PIN_CONTEXT_SPECIFIC flag on PIN
-       callback
+       * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added
+       check for sorted certificate chain
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/gnutls/ocsp.h, lib/libgnutls.map, lib/x509/ocsp.c,
-       lib/x509/ocsp_output.c, tests/ocsp.c: replaced
-       gnutls_ocsp_resp_get_responder_by_key with
-       gnutls_ocsp_resp_get_responder_raw_id In addition reverted gnutls_ocsp_resp_get_responder() to the old
-       buggy behavior of returning 0 if the element was missing.
+       * lib/gnutls_handshake.c, lib/gnutls_record.c,
+       tests/mini-rehandshake-2.c: restore only the documented behavior
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/certtool.c: certtool: make sure that GNUTLS_PKCS_PLAIN is set
-       when no password should be asked
+       * NEWS: doc update
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/privkey.c: gnutls_x509_privkey_import2: will not use a
-       callback if GNUTLS_PKCS_PLAIN is specified
+       * tests/Makefile.am, tests/mini-rehandshake-2.c: tests: added test
+       for GNUTLS_E_GOT_APPLICATION_DATA on rehandshake Conflicts:         tests/Makefile.am
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/fips.c: the FIPS140-2 testing mode is disabled after
-       self-checks
+       * lib/gnutls_handshake.c, lib/gnutls_record.c: treat
+       GNUTLS_E_GOT_APPLICATION_DATA as non-fatal if initial negotiation is
+       complete This corrects a regression introduced in
+       b5a0de2e6da98866cafb770c3141b7353d030ab2 Reported by Dan Winship.
+       https://savannah.gnu.org/support/?108690
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/ocsp.c: updated OCSP tests to account for the new key ID
+       * NEWS: doc update
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/ocsp.c: doc update and gnutls_ocsp_resp_get_responder()
-       will always initialized output data
+       * lib/gnutls_priority.c: Revert "The priority modifier
+       %LATEST_RECORD_VERSION is now the default" This reverts commit 96b408b20fe8707306f38cba6f652556b99a47e4.
 
 2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/nettle/rnd-common.c: _rnd_get_event: use memset to avoid
        valgrind complaints
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli.c: gnutls-cli: print the OCSP response in verbose mode
-
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/ocsp.c: corrected documentation of OCSP response
-       verification
+       * lib/fips.c: compilation fix for FIPS140-2 mode
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/includes/gnutls/ocsp.h, lib/libgnutls.map, lib/x509/ocsp.c,
-       lib/x509/ocsp_output.c: Added
-       gnutls_ocsp_resp_get_responder_by_key()
+       * lib/x509/ocsp.c: deinitialize the OCSP response der data That also makes sure that reinitialization of ASN1 structures are
+       done when it is required only.
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/dn.c: dn parsing: return
-       GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when DN is not available
+       * lib/gnutls_priority.c: NORMAL priority: prioritize the less than
+       256-bits curves at the lowest level
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/cli-args.def, src/cli.c, src/common.c: gnutls-cli: added
-       option to save the OCSP response
+       * lib/fips.c, lib/fips.h, lib/gnutls_global.c: properly reset the
+       zombie mode in FIPS mode This amends 9158f590f4a18c84fc9eb41877b29d73b30af879
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/abstract_int.h, lib/gnutls_privkey.c, lib/gnutls_sig.c,
-       lib/includes/gnutls/abstract.h: added the notion of preferred sign
-       algorithm in a private key This can be set for keys imported with gnutls_privkey_import_ext3()
-       with the info callback. It is only considered for client side keys
-       in TLS sessions.
+       * NEWS: doc update
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-14  David Weber <dave@veryflatcat.com>
 
-       * doc/cha-gtls-app.texi, lib/ext/ext_master_secret.c,
-       lib/gnutls_int.h, lib/gnutls_priority.c, lib/priority_options.gperf: 
-       Added priority string %NO_SESSION_HASH to prevent advertising the
-       extended master secret extension
+       * src/cli.c, src/serv.c: Fixed SRTP profile configuration in cli.c
+       and serv.c.  I have tested the fix in 3.3.10. This commit is UNTESTED as i am
+       unable to compile gnutls (./configure complains about gl_INIT and
+       ggl_INIT).  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/ext/status_request.c: certificate status requestion response
-       is optional according to RFC6066
+       * src/common.c: gnutls-cli: print info on the OCSP status request
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_ui.c, lib/includes/gnutls/gnutls.h.in, src/common.c: 
-       Added flag GNUTLS_OCSP_SR_IS_AVAIL for
-       gnutls_ocsp_status_request_is_checked
+       * lib/x509/ocsp.c: use the original DER/BER data when verifying an
+       OCSP response Conflicts:         lib/x509/ocsp.c
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/nettle/rnd-common.h: rnd: removed the packed attribute from
-       event_st That prevents a SIGBUS on solaris sparc systems.  Reported by Thomas
-       Thorberger.
+       * lib/system.c: windows: updated _gnutls_ucs2_to_utf8()
 
-2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_priority.c: The priority modifier
-       %LATEST_RECORD_VERSION is now the default This works-around issue with servers that forbit the SSL 3.0 version
-       number from the first packet of the record protocol.
+       * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: check
+       for OCSP status response Conflicts:         src/tests.c
 
 2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * src/cli-debug.c, src/tests.c, src/tests.h: added check for servers
        that disallow the SSL 3.0 record version
 
-2014-11-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/common.c: gnutls-cli: print whether status request has been
-       checked
-
-2014-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_x509.c: doc update
+       * tests/cert-tests/crq: corrected crq test case; reported by Andreas
+       Metzler
 
-2014-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_privkey.c, lib/includes/gnutls/x509.h,
-       lib/libgnutls.map, lib/pin.c, lib/pin.h, lib/pkcs11.c, lib/tpm.c,
-       lib/x509/privkey.c, lib/x509/x509_int.h: Enable PIN support to
-       gnutls_x509_privkey_t
+       * lib/pkcs11.c: set the GNUTLS_PIN_CONTEXT_SPECIFIC flag on PIN
+       callback
 
-2014-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/system.c, lib/system.h, lib/x509/common.c,
-       lib/x509/x509_ext.c: _gnutls_ucs2_to_utf8() can handle little endian
-       strings.
+       * lib/nettle/rnd-common.h: rnd: removed the packed attribute from
+       event_st That prevents a SIGBUS on solaris sparc systems.  Reported by Thomas
+       Thorberger.
 
-2014-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2014-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/Makefile.am, lib/crypto-api.c, lib/ext/session_ticket.c,
-       lib/gnutls_cipher.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map, lib/safe-memfuncs.c, lib/safe-memset.c: Added
-       gnutls_memcmp() and exported it.
-
-2014-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/abstract.h: indentation fix
-
-2014-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * lib/gnutls_priority.c: The priority modifier
+       %LATEST_RECORD_VERSION is now the default This works-around issue with servers that forbit the SSL 3.0 version
+       number from the first packet of the record protocol.
 
-2014-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/includes/gnutls/pkcs12.h, lib/libgnutls.map,
-       lib/x509/pkcs12_bag.c: added gnutls_pkcs12_bag_set_privkey() Conflicts:         lib/libgnutls.map
+       * tests/suite/testcompat-common, tests/suite/testcompat-main: 
+       testcompat: updated
 
-2014-11-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/abstract_int.h, lib/gnutls_privkey.c,
-       lib/includes/gnutls/abstract.h: dropped unused copy_func
+       * configure.ac, m4/hooks.m4: bumped version
 
-2014-11-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/gnutls-idna.h: silence warning
+       * NEWS: doc update
 
 2014-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
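Review bot: the added 2014-11-14 entry for src/cli.c and src/serv.c (David Weber, SRTP profile configuration) states in its own text that the commit is UNTESTED because the author could not build the tree, and that the fix was only tested in 3.3.10. Before this is carried, build this branch, exercise SRTP profile configuration in both gnutls-cli and gnutls-serv, and ideally add a test alongside. Several other added entries in this hunk end in a "Conflicts:" trailer (tests/Makefile.am, lib/x509/ocsp.c, src/tests.c); that is cherry-pick residue and is better stripped from the commit messages than recorded in the ChangeLog.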
 
 2014-11-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
-
-2014-11-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
        * doc/cha-intro-tls.texi: doc update
 
 2014-11-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS, lib/ext/session_ticket.c, lib/gnutls_mem.h,
-       lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: exported
-       gnutls_memset()
-
-2014-11-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
        * doc/cha-gtls-app.texi, doc/cha-intro-tls.texi: doc: updated text
        on session tickets
 
        * doc/examples/ex-serv-dtls.c: doc: use the same port for DTLS
        client and server
 
-2014-11-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11.c: pkcs11: pass the correct user type to protected
-       authentication login
-
-2014-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-gtls-app.texi: doc: corrected values for INSECURE level
-
-2014-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_write.c: 
-       pkcs11: support the CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE flags
-
-2014-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_write.c: 
-       pkcs11: added the flag GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH
-
-2014-11-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11_privkey.c: pkcs11: perform reauth at the appropriate
-       state
-
-2014-11-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11.c, lib/pkcs11_int.h: pkcs11_login: set the correct user
-       type on reauthentication
-
-2014-11-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * gl/unistd.in.h, src/gl/unistd.in.h: applied patch by A. Klitzing
-       to improve compatibile with some apple systems Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-2014-11-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: pkcs11:
-       force login on tokens that require it
-
-2014-11-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11.c: pkcs11: always set slot_info
-
-2014-11-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/testcompat-main-openssl: testcompat-openssl: disable
-       SSL 3.0 as it is not supported on debian
-
-2014-11-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/testcompat-main-polarssl: fixed polarssl compatibility
-       checks on debian
-
-2014-11-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_write.c, lib/pkcs11x.c: 
-       pkcs11: eliminated the need for struct token_info
-
-2014-11-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: added
-       support for PKCS #11 keys that require reauthentication and
-       simplified pkcs11_login
-
-2014-11-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli-debug.c: gnutls-cli-debug: clarified text
-
-2014-11-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/Makefile.am, tests/suite/testcompat,
-       tests/suite/testcompat-main, tests/suite/testcompat-main-openssl,
-       tests/suite/testcompat-main-polarssl,
-       tests/suite/testcompat-openssl, tests/suite/testcompat-polarssl: 
-       tests: separated the two testcompat tests (openssl/polarssl)
-
-2014-11-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/algorithms/ciphers.c: added missing comma
-
-2014-11-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/tests.c: gnutls-cli-debug: corrected heartbeat check
-
-2014-11-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/tests.c: gnutls-cli-debug: fixes in tests to prevent false
-       negatives
-
-2014-11-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-11-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/tests.c: gnutls-cli-debug: fixes in tests to prevent false
-       negatives
+       * lib/pkcs11.c: pkcs11: pass the correct user type to protected
+       authentication login
 
-2014-11-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/testcompat-main: tests: added interoperability tests
-       with openssl's PSK
+       * doc/cha-gtls-app.texi: doc: corrected values for INSECURE level
 
-2014-11-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_constate.c, lib/gnutls_int.h: corrected calculation for
-       max send data and other uses of _gnutls_cipher_type()
+       * NEWS: doc update
 
-2014-11-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/algorithms/ciphers.c: modernized cipher table
+       * lib/pkcs11.c, lib/pkcs11_int.h: pkcs11_login: set the correct user
+       type on reauthentication
 
-2014-11-05  Chen Hongzhi <hongzhi.chen@me.com>
+2014-11-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/pkcs12.c: Fix double-free in gnutls_pkcs12_simple_parse() Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+       * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: pkcs11:
+       force login on tokens that require it
 
-2014-11-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_cipher.c: simplified checks for EtM
+       * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: added
+       support for PKCS #11 keys that require reauthentication and
+       simplified pkcs11_login
 
-2014-11-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/anonself.c: tests: enhanced test to check the return value
-       of gnutls_record_send()
+       * gl/unistd.in.h, src/gl/unistd.in.h: applied patch by A. Klitzing
+       to improve compatibile with some apple systems Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2014-11-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/mini-x509-2.c: tests: Added unit tests for
-       gnutls_certificate_get_ours in mini-x509-2
+       * src/cli-debug.c, src/common.c, src/common.h, src/tests.c: 
+       gnutls-cli-debug: backported changes from 3.4.0 branch
 
-2014-11-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-05  Chen Hongzhi <hongzhi.chen@me.com>
 
-       * lib/gnutls_constate.c, lib/gnutls_handshake.c, lib/gnutls_int.h,
-       lib/gnutls_session.c, lib/gnutls_ui.c, lib/gnutls_v2_compat.c,
-       lib/includes/gnutls/gnutls.h.in: introduced
-       GNUTLS_MAX_SESSION_ID_SIZE
+       * lib/x509/pkcs12.c: Fix double-free in gnutls_pkcs12_simple_parse() Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 2014-11-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        doc/cha-cert-auth2.texi, doc/cha-errors.texi, doc/sec-tls-app.texi: 
        Cleaning up some awkward phrasings.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2014-11-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * .gitignore, tests/Makefile.am, tests/mini-record-failure.c: tests:
-       Added test for MAC verification checks
-
-2014-11-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/ext/etm.c, lib/gnutls_cipher.c, lib/gnutls_cipher_int.c: EtM
-       fixes: it only applies to block ciphers
-
-2014-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli-debug.c: gnutls-cli-debug: reorganized output
-
-2014-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli-debug.c, src/tests.c: moved the HTTPS server name outside
-       of verbose tests; only run when the HTTPS protocol is used
-
-2014-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli-debug.c, src/common.c, src/common.h, src/tests.c: enhanced
-       gnutls-cli-debug verbose output (uses files for mass text)
-
-2014-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added
-       tests for EtM and extended master secret support In addition reworked the output for existing tests.
-
-2014-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/socket.c: tools: only warn of an error if it is fatal
-
-2014-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/testcompat-main, tests/suite/testcompat-polarssl: 
-       testcompat: increased the number of test cases checked
-
 2014-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/ext/alpn.c: updated text
 
-2014-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-11-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
-2014-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/testcompat-polarssl: testcompat-polarssl: try to run
-       the test only if polarssl binaries are available
-
-2014-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/testcompat-common, tests/suite/testcompat-polarssl: 
-       testcompat: check the PSK ciphersuite interoperability against
-       polarssl
-
-2014-11-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/Makefile.am, tests/suite/testcompat,
-       tests/suite/testcompat-common, tests/suite/testcompat-main,
-       tests/suite/testcompat-polarssl: testcompat: added interop tests
-       with polarssl
-
 2014-11-03  Jaak Ristioja <jaak.ristioja@cyber.ee>
 
        * lib/system_override.c: doc: Added missing reference for EMSGSIZE
        * lib/system_override.c: doc: Fixed typo in inline comment of
        gnutls_transport_set_errno().  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-2014-11-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2014-11-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-gtls-app.texi, lib/ext/Makefile.am, lib/ext/etm.c,
-       lib/ext/etm.h, lib/gnutls_buffers.c, lib/gnutls_cipher.c,
-       lib/gnutls_cipher_int.c, lib/gnutls_cipher_int.h,
-       lib/gnutls_constate.c, lib/gnutls_extensions.c, lib/gnutls_int.h,
-       lib/gnutls_priority.c, lib/gnutls_session_pack.c,
-       lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map,
-       lib/priority_options.gperf, src/common.c: Added support for RFC7366
-       (encrypt then authenticate) It implements a revised version of RFC7366, to avoid
-       interoperability issues:
-       http://www.ietf.org/mail-archive/web/tls/current/msg14349.html This
-       is currently enabled by default, unless %NO_ETM, or %COMPAT is
-       specified.
-
-2014-11-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/algorithms.h, lib/algorithms/ciphers.c, lib/crypto-api.c,
-       lib/gnutls_cipher.c, lib/gnutls_constate.c, lib/gnutls_dtls.c,
-       lib/gnutls_int.h, lib/gnutls_range.c: Made AEAD type an alternative
-       to stream and block That way the terminology becomes closer to the TLS rfc.
-
 2014-11-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * lib/gnutls_errors.c: updated the text for
 
 2014-11-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: doc update
-
-2014-11-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/Makefile.am, tests/suite/pkcs11-privkey.c: tests:
-       Added check for gnutls_certificate_set_x509_key_file2() and PKCS #11
-       + PIN
-
-2014-11-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * .gitignore: more files to ignore
-
-2014-11-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
        * lib/x509/common.c: when calling gnutls_x509_crt_get_subject_key_id
        set the id_size
 
 2014-10-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * tests/Makefile.am, tests/init_fds.c: tests: added test for
-       gnutls_global_init after all descriptors are closed
+       gnutls_global_init after all descriptors are closed Conflicts:         tests/Makefile.am
 
 2014-10-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * lib/gnutls_global.c, lib/nettle/rnd-common.c, lib/random.h: 
        corrected check for urandom fd
 
-2014-10-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/dtls/dtls-stress.c: tests: dtls-stress: fix issues in the
-       suite
-
-2014-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_x509.c: Do not require a PIN callback in the
-       certificate credentials when a password is specified
-
 2014-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_x509.c: doc update
+       * lib/gnutls_global.c: corrected exit state from gnutls_global_init
 
 2014-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_global.c: corrected exit state from gnutls_global_init
+       * NEWS: doc update
 
 2014-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
        * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in,
        lib/libgnutls.map, lib/nettle/rnd-common.c: dropped
-       gnutls_fd_in_use, it is no longer necessary
+       gnutls_fd_in_use, it is no longer necessary Conflicts:         lib/libgnutls.map
 
 2014-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
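Review bot: the "Conflicts: lib/libgnutls.map" trailer added to the gnutls_fd_in_use removal entry means the symbol map was resolved by hand during the cherry-pick. Check the resulting lib/libgnutls.map to confirm that gnutls_fd_in_use is gone from the exports and that the resolution did not drop or duplicate a neighbouring symbol. The trailer itself is merge residue and does not belong in the ChangeLog text.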
        lib/nettle/rnd-common.c, lib/nettle/rnd-common.h, lib/nettle/rnd.c,
        lib/random.h: When gnutls_global_init() is called manually from the
        application check the urandom fd for validity That addresses the issue where a server closes all open file
-       descriptors and then calls gnutls_global_init().
-
-2014-10-30  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS, configure.ac, lib/nettle/rnd-common.c: Added support for
-       getentropy() and reworked getrandom support
+       descriptors and then calls gnutls_global_init().  Conflicts:         lib/nettle/rnd-common.c
 
 2014-10-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
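Review bot: the added "Conflicts: lib/nettle/rnd-common.c" trailer on the urandom fd validity entry shows the change was resolved by hand in the random-number seeding code, and the same hunk removes the entry for getentropy() and reworked getrandom support in that file. The resolved rnd-common.c deserves a focused review that the fd check still covers the case the entry describes, a server that closes all open file descriptors and then calls gnutls_global_init(). Please also drop the trailer from the message.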
 
        * NEWS: doc update
 
-2014-10-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_dh.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map: Added gnutls_dh_params_import_raw2(), which
-       allows to specify the number of bits for key size
-
-2014-10-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2014-10-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * configure.ac, lib/nettle/rnd-common.c: use Linux' getrandom() when
-       available
-
-2014-10-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/nettle/rnd.c: use the random rnd context when refreshing the
-       nonce context That avoids frequent reads from /dev/urandom.
-
 2014-10-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_state.c: do not explicitly refresh rnd state on session
-       deinit It is already being refreshed during the session lifetime.
+       * NEWS: doc update
 
 2014-10-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 
 2014-10-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/nettle/rnd.c: increase the reseed time
-
-2014-10-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/crypto-selftests.c: tests: enhance cipher test to include tag
-       verification error
-
-2014-10-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/crypto-api.c: better documented the new API
-
-2014-10-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/crypto-api.c: harmonise variable names
+       * lib/gnutls_state.c: do not explicitly refresh rnd state on session
+       deinit It is already being refreshed during the session lifetime.
 
 2014-10-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 
 2014-10-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_handshake.c, lib/gnutls_int.h: Improved support of
-       draft-ietf-tls-session-hash-02.  Now the session hash is calculated correctly even when a client
-       certificate is sent. That is, the session hash now does not take
-       into account the CertificateVerify message.
-
-2014-10-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/crypto-api.c: doc update
-
-2014-10-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2014-10-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/cha-crypto.texi: doc: list the AEAD API
-
-2014-10-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS, lib/crypto-api.c, lib/crypto-selftests.c,
-       lib/gnutls_cipher_int.h, lib/includes/gnutls/crypto.h,
-       lib/libgnutls.map: Added a new simple to use AEAD API
+       * tests/dtls/dtls: tests: dtls-stress -r disabled as it causes
+       issues when used with freebsd kernel
 
 2014-10-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS, m4/hooks.m4: the openssl compatibility library isn't built
-       by default
-
-2014-10-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * cfg.mk, lib/accelerated/x86/elf/aes-ssse3-x86.s,
+       * lib/accelerated/x86/elf/aes-ssse3-x86.s,
        lib/accelerated/x86/elf/aes-ssse3-x86_64.s,
        lib/accelerated/x86/elf/aesni-x86.s,
        lib/accelerated/x86/elf/aesni-x86_64.s,
        lib/accelerated/x86/elf/ghash-x86_64.s,
        lib/accelerated/x86/elf/sha1-ssse3-x86.s,
        lib/accelerated/x86/elf/sha1-ssse3-x86_64.s,
+       lib/accelerated/x86/elf/sha256-avx-x86_64.s,
        lib/accelerated/x86/elf/sha256-ssse3-x86.s,
        lib/accelerated/x86/elf/sha512-ssse3-x86.s,
        lib/accelerated/x86/elf/sha512-ssse3-x86_64.s: do not use the ifdef
        directive in assembly files, as it isn't portable
 
-2014-10-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_cipher.c: eliminate IV size usage in TLS
-       encryption/decryption; it was a remnant of salsa20
-
-2014-10-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/ext/ext_master_secret.c: corrected likely macro usage Spotted by Manuel Pégourié-Gonnard.
-
-2014-10-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/algorithms/ciphersuites.c, lib/gnutls_cipher.c,
-       lib/gnutls_cipher_int.h, tests/mini-overhead.c: removed support for
-       SALSA20 and for stream ciphers with IV The proposal was not adopted by the TLS WG, and the AEAD path will
-       be used.
-
-2014-10-24  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-gtls-app.texi, lib/gnutls_int.h, lib/gnutls_priority.c,
-       lib/priority_options.gperf: Added priority string %NO_TICKETS that
-       disables session ticket support This is implied by the priority string PFS.
-
-2014-10-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/ext/ext_master_secret.c, lib/gnutls_kx.c: do not negotiate nor
-       use the 'extended master secret' in SSL 3.0 According to Alfredo Pironti support for that protocol will be
-       dropped from the draft.
-
-2014-10-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * cross.mk: compile 3.3.9 by default
-
-2014-10-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_handshake.c: always send the mandatory extensions (even
-       in SSL 3.0) The only way to force no extensions and usage of SCSVs is the
-       %NO_EXTENSIONS priority string.
-
-2014-10-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/ext/ext_master_secret.c: EXT MASTER SECRET moved to mandatory
-       extensions
-
 2014-10-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * configure.ac, lib/Makefile.am: check and use libnsl (used in
 
 2014-10-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/accelerated/x86/coff/aes-ssse3-x86_64.s,
-       lib/accelerated/x86/coff/aesni-x86.s,
-       lib/accelerated/x86/coff/aesni-x86_64.s,
-       lib/accelerated/x86/coff/e_padlock-x86_64.s,
-       lib/accelerated/x86/coff/ghash-x86_64.s,
-       lib/accelerated/x86/coff/sha1-ssse3-x86_64.s,
-       lib/accelerated/x86/coff/sha256-ssse3-x86.s,
-       lib/accelerated/x86/coff/sha512-ssse3-x86.s,
-       lib/accelerated/x86/coff/sha512-ssse3-x86_64.s,
-       lib/accelerated/x86/elf/aes-ssse3-x86.s,
+       * lib/accelerated/x86/elf/aes-ssse3-x86.s,
        lib/accelerated/x86/elf/aes-ssse3-x86_64.s,
        lib/accelerated/x86/elf/aesni-x86.s,
        lib/accelerated/x86/elf/aesni-x86_64.s,
        lib/accelerated/x86/elf/ghash-x86_64.s,
        lib/accelerated/x86/elf/sha1-ssse3-x86.s,
        lib/accelerated/x86/elf/sha1-ssse3-x86_64.s,
+       lib/accelerated/x86/elf/sha256-avx-x86_64.s,
        lib/accelerated/x86/elf/sha256-ssse3-x86.s,
        lib/accelerated/x86/elf/sha512-ssse3-x86.s,
-       lib/accelerated/x86/elf/sha512-ssse3-x86_64.s,
-       lib/accelerated/x86/macosx/aes-ssse3-x86_64.s,
-       lib/accelerated/x86/macosx/aesni-x86.s,
-       lib/accelerated/x86/macosx/aesni-x86_64.s,
-       lib/accelerated/x86/macosx/e_padlock-x86_64.s,
-       lib/accelerated/x86/macosx/ghash-x86_64.s,
-       lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s,
-       lib/accelerated/x86/macosx/sha256-ssse3-x86.s,
-       lib/accelerated/x86/macosx/sha512-ssse3-x86.s,
-       lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s: updated asm
-       sources
-
-2014-10-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * devel/openssl: updated perl asm sources
-
-2014-10-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * cfg.mk: use the GNU-stack note in linux systems
+       lib/accelerated/x86/elf/sha512-ssse3-x86_64.s: use the
+       .note.GNU-stack in linux systems only
 
 2014-10-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
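Review bot: the added entry "use the .note.GNU-stack in linux systems only" lists only the lib/accelerated/x86/elf/*.s files, whereas the removed entry it replaces made the GNU-stack change in cfg.mk. If the note is now patched into the .s files directly, document how it survives the next regeneration of the assembly sources, because an object that lacks the note can cause the linked library to request an executable stack. The file list also gains sha256-avx-x86_64.s, and nothing in this hunk says where that file was introduced.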
 
 2014-10-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
+       * NEWS: doc update
+
+2014-10-23  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
        * tests/suite/pkcs11-get-issuer.c: tests: check the issuer value
        validity of gnutls_x509_trust_list_get_issuer
 
 
        * lib/libgnutls.map: exported gnutls_fd_in_use
 
-2014-10-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-10-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * doc/cha-gtls-app.texi: document gnutls_fd_in_use()
+       * NEWS: doc update
 
 2014-10-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_state.c: gnutls_fd_in_use: mention version
+       * doc/cha-gtls-app.texi: document gnutls_fd_in_use()
 
 2014-10-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-10-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
+       * lib/gnutls_state.c: gnutls_fd_in_use: mention version
+
+2014-10-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
        * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in,
        lib/nettle/rnd-common.c, lib/random.h: added gnutls_fd_in_use() to
        check whether a file descriptor is in use
 
 2014-10-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_state.h: added prototype to avoid compiler warning
-
-2014-10-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
        * lib/nettle/pk.c: fips140-2: limit the FIPS code in fips mode
 
 2014-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
        * lib/nettle/pk.c: fips140-2: use the FIPS algorithms only when in
        FIPS140-2 mode
 
-2014-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/dtls/dtls-stress.c: dtls-stress: reindented code
-
-2014-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/dtls/dtls-stress.c: tests: dtls-stress: only replay when
-       send succeeds
-
-2014-10-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/testsrn: testsrn: do not assume that SSL 3.0 is
-       enabled by default
-
-2014-10-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-10-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: added
-       test that checks the fallback from TLS 1.6
+       * NEWS: doc update
 
-2014-10-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-08-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c,
-       lib/libgnutls.map: added _gnutls_hello_set_default_version() which
-       allows to override the clienthello version
+       * src/certtool.c: certtool: default pkcs-cipher is now 3des as in
+       PKCS #12
 
 2014-10-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/x509/privkey.c: avoid memory leak on
        gnutls_x509_privkey_generate() failure
 
-2014-10-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2014-10-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/cli-args.def, src/cli.c: gnutls-cli: added option
-       --priority-list
-
-2014-10-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_priority.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map: added gnutls_priority_string_list(), a function
-       to iterate all priority strings
-
-2014-10-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_priority.c: put all priority strings into a table
-
-2014-10-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-gtls-app.texi: updated documentation for SSL 3.0 removal
-
-2014-10-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2014-10-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_priority.c: SSL 3.0 is no longer on the default
-       priorities list
-
 2014-10-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/nettle/int/dsa-fips.h, lib/nettle/int/dsa-keygen-fips186.c,
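Review bot: The removed block between the 2014-10-20 and 2014-10-15 entries takes out the record of "SSL 3.0 is no longer on the default priorities list" and of _gnutls_hello_set_default_version(), and nothing in the added lines says whether this branch still offers SSL 3.0 by default. If the history was regenerated from another branch, say so in the commit message so the missing entries are not read as a reverted hardening. The added "certtool: default pkcs-cipher is now 3des as in PKCS #12" entry is dated 2014-08-05 but sits between the 2014-10-20 and 2014-10-17 entries, so a reader scanning by date will miss that change of default.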
        the wire after the server name, which would thus be rejected by
        servers.
 
-2014-10-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/libopts/Makefile.am: corrected libopt's Makefile.am reported by Marius Schamschula.
-
-2014-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_pubkey.c: use _gnutls_hash_fast() in DSA/ECDSA
-       verification
-
 2014-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/nettle/int/dsa-fips.h, lib/nettle/int/provable-prime.c,
        lib/nettle/int/rsa-keygen-fips186.c: FIPS140-2 RSA key generation
        changes to account for seed starting with null byte
 
+2014-10-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * src/libopts/Makefile.am: corrected libopt's Makefile.am reported by Marius Schamschula.
+
+2014-10-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+       * lib/nettle/int/rsa-keygen-fips186.c: use lcm(p-1,q-1) instead of
+       phi(n) for RSA key generation in FIPS-140-2 mode
+
 2014-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/accelerated/x86/sha-x86-ssse3.c: corrected the SSSE3 optimized
        * lib/nettle/rnd-common.c: simplified getrusage code; the failure
        check code wasn't needed
 
-2014-10-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/nettle/int/rsa-keygen-fips186.c: use lcm(p-1,q-1) instead of
-       phi(n) for RSA key generation in FIPS-140-2 mode
+       * NEWS: doc update
 
 2014-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
        * cfg.mk: update the guile manual along the C one
 
+2014-10-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * NEWS, configure.ac, m4/hooks.m4: bumped version
+
+2014-10-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * NEWS: doc update
+
 2014-10-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * src/libopts/Makefile.am, src/libopts/ag-char-map.h,
 
 2014-10-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
+       * NEWS: doc update
+
+2014-10-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
        * lib/nettle/rnd-common.c: rnd: if RUSAGE_THREAD fails try
        RUSAGE_SELF
 
 2014-10-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/test-chains.h: tests: removed last remnants of
-       GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE
+       * tests/suite/pkcs11-combo.c: tests: pkcs11-combo: use unique db
+       file
 
 2014-10-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/pkcs11-combo.c: tests: pkcs11-combo: use unique db
-       file
+       * NEWS: doc update
 
-2014-09-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-10-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/ext/heartbeat.c: forbid heartbeat messages during a handshake
+       * lib/ext/session_ticket.c: use wait and retransmit when receiving
+       session tickets
 
-2014-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-10-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: 
-       added internal variable to track handshake status
+       * tests/dtls/dtls, tests/dtls/dtls-stress.c: tests: added -r option
+       to dtls-stress That allows it to replay messages in a kind of arbitrary way.
 
-2014-10-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-09-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/ocsptool-common.c: ocsptool: avoid shadowing a global variable
+       * lib/ext/heartbeat.c: forbid heartbeat messages during a handshake
 
-2014-10-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS, lib/includes/gnutls/x509.h, lib/x509/verify.c: removed flag
-       GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE
+       * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: 
+       added internal variable to track handshake status Conflicts:         lib/gnutls_handshake.c
 
 2014-10-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
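Review bot: The added entry for lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c ends with "Conflicts:         lib/gnutls_handshake.c", which is cherry-pick residue and not a description of the change. Drop the trailer when the ChangeLog is generated, and if the backport of the handshake-status tracking differs from the original, say in the entry how the conflict was resolved. The same trailer appears in later added lines of this file.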
 
        * tests/chainverify.c, tests/suite/pkcs11-chainverify.c,
        tests/test-chains.h: tests: allow running specific chainverify tests
-       on fixed dates
+       on fixed dates Conflicts:         tests/chainverify.c         tests/suite/pkcs11-chainverify.c         tests/test-chains.h
 
 2014-10-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-10-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
+       * NEWS: doc update
+
+2014-10-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
        * lib/x509/verify-high.c: when both a trust module and additional
        CAs are present account the latter as well That solves an issue in openconnect which used the system trust
-       module, plus additional certificates.
+       module, plus additional certificates.  Conflicts:         lib/x509/verify-high.c
 
 2014-10-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        handling of trust_list_get_issuer() when GNUTLS_TL_GET_COPY is not
        given
 
-2014-10-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2014-10-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2014-09-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/common.c: tools: print the status of safe renegotiation and
-       extended master secret
-
-2014-09-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/mini-x509.c, tests/resume.c: tests: check whether the
-       extended master secret is negotiated by default
-
-2014-10-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/ext/Makefile.am, lib/ext/ext_master_secret.c,
-       lib/ext/ext_master_secret.h, lib/gnutls_constate.c,
-       lib/gnutls_extensions.c, lib/gnutls_handshake.c,
-       lib/gnutls_handshake.h, lib/gnutls_int.h, lib/gnutls_kx.c,
-       lib/gnutls_session_pack.c, lib/gnutls_state.c,
-       lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: Added support
-       for the extended master secret calculation That is performed implicitly unless GNUTLS_NO_EXTENSIONS is
-       specified.  The implementation follows
-       draft-ietf-tls-session-hash-02.
-
 2014-10-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/nettle/pk.c: corrected assignment
 
        * lib/libgnutls.map: corrected the name of exported function
 
-2014-10-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-10-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * NEWS: doc update
 
-2014-10-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/Makefile.am, tests/mini-dtls-discard.c: tests: added check
-       for gnutls_record_discard_queued()
-
-2014-10-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_record.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map: Added gnutls_record_discard_queued() That function allows to discard queued data in DTLS.
-
 2014-10-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * tests/test-chains.h: tests: corrected test for v1 cert signing
 
 2014-10-06  Armin Burgmeier <armin@arbur.net>
 
-       * tests/suite/pkcs11-chainverify.c: Add a test for PKCS11 CA
-       iteration Signed-off-by: Armin Burgmeier <armin@arbur.net>
-
-2014-10-06  Armin Burgmeier <armin@arbur.net>
-
-       * lib/x509/verify-high.c: Also iterate over the CA certificates in a
-       PKCS11 token Signed-off-by: Armin Burgmeier <armin@arbur.net>
-
-2014-10-06  Armin Burgmeier <armin@arbur.net>
-
        * lib/x509/verify-high2.c: Return an error if multiple PKCS11 URLs
        are added to a trust list Before, the new URL would overwrite the old URL, and the memory of
        theold URL would be leaked. It is documented that only one URL can
        no CKA_ID can be relied on fallback on checking the
        SubjectKeyIdentifier Patch by David Woodhouse.
 
-2014-10-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-10-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/libgnutls.map, lib/nettle/pk.c: added FIPS140-2 ECDH
-       verification functions
+       * lib/gnutls_global.c: report the FIPS140-2 mode
 
 2014-10-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/includes/gnutls/gnutls.h.in: removed unused definition
+       * lib/libgnutls.map, lib/nettle/pk.c: added FIPS140-2 ECDH
+       verification functions
 
 2014-10-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-10-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/pkcs11.c: address memory leak in gnutls_pkcs11_crt_is_known()
-
-2014-10-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
        * tests/suite/Makefile.am, tests/suite/pkcs11-is-known.c: tests:
        check gnutls_pkcs11_crt_is_known() when multiple same DNs are
        present
        * lib/pkcs11.c: pkcs11: when checking for presence do not give up on
        the first mismatch
 
+2014-10-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * lib/pkcs11.c: address memory leak in gnutls_pkcs11_crt_is_known()
+
 2014-10-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * lib/x509/verify-high2.c: doc update: clarifications in
        * lib/x509/verify-high.c: corrected compilation for non-pkcs11;
        reported by David Woodhouse.
 
-2014-10-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2014-10-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_state.c: avoid calls in gnutls_init()
-
-2014-10-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_dtls.c, lib/gnutls_handshake.c, lib/gnutls_int.h,
-       lib/gnutls_state.c: the handshake function has a timeout value by
-       default
-
-2014-10-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/ext/session_ticket.c: use wait and retransmit when receiving
-       session tickets
-
-2014-10-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-09-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/dtls/dtls, tests/dtls/dtls-stress.c: tests: added -r option
-       to dtls-stress That allows it to replay messages in a kind of arbitrary way.
+       * NEWS: corrected typo
 
-2014-10-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-10-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_global.c: report the FIPS140-2 mode
+       * NEWS: doc update
 
 2014-10-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 
 2014-09-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * NEWS: updated news entry
-
-2014-09-30  Ludovic Courtès <ludo@gnu.org>
-
-       * doc/gnutls-guile.texi: guile: doc: Remove erroneous @ifnottex.
-
-2014-09-30  Ludovic Courtès <ludo@gnu.org>
-
-       * NEWS: Add NEWS entry for Guile changes.
-
-2014-09-30  Ludovic Courtès <ludo@gnu.org>
-
-       * doc/gnutls-guile.texi: guile: doc: Make it clear that the bindings
-       are part of GnuTLS.
-
-2014-09-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_handshake.c: if receiving a ChangeCipherSpec fails,
-       return GNUTLS_E_UNEXPECTED_PACKET That is more precise than the current
-       GNUTLS_E_UNEXPECTED_PACKET_LENGTH
-
-2014-09-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/accelerated/x86/x86-common.c: use __hidden in solaris to
-       provide the hidden visibility attribute
-
-2014-09-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/accelerated/x86/x86-common.h: no need to define
-       _gnutls_x86_cpuid_s
-
-2014-09-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_cipher.c, lib/nettle/cipher.c: use
-       MAX_CIPHER_BLOCK_SIZE more consistently
+       * NEWS: doc update
 
 2014-09-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 
 2014-09-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/danetool.c, src/tpmtool.c: more compiler warning fixes
-
-2014-09-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac: configure: enabled more warnings
-
-2014-09-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/ext/session_ticket.c, lib/gnutls_dtls.h,
-       lib/gnutls_privkey.c, lib/openpgp/output.c, lib/random.c,
-       lib/system.c, lib/x509/ocsp_output.c, lib/x509/pkcs12.c,
-       src/certtool.c, src/cli.c: fixed compilation warnings
-
-2014-09-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
        * lib/x509/verify-high2.c: use _DIRENT_HAVE_D_TYPE to detect
        d->d_type
 
 
 2014-09-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * configure.ac: configure: don't both with checks for padlock in
-       non-x86
-
-2014-09-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * doc/Makefile.am, doc/manpages/Makefile.am, lib/libgnutls.map,
-       symbols.last: updated auto-generated files
-
-2014-09-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * Makefile.am, README-alpha, devel/abi.xml, devel/abi3.2.xml: run
-       abi-compliance-checker prior to release
-
-2014-09-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/libgnutls.map: indented symbols
-
-2014-09-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
        * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: 
        protect DTLS clients that don't handle GNUTLS_E_LARGE_PACKET from an
        infinite loop on handshake
        * lib/gnutls_errors.c: optimized gnutls_error_is_fatal() by
        splitting the errors to two tables
 
-2014-09-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2014-09-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_x509.c, lib/includes/gnutls/gnutls.h.in,
-       lib/includes/gnutls/openpgp.h, lib/openpgp/gnutls_openpgp.c,
-       tests/openpgp-auth.c, tests/x509cert.c: use unsigned types in
-       prototypes
-
-2014-09-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac: enable gcc warnings by default
-
-2014-09-23  Armin Burgmeier <armin@arbur.net>
-
-       * tests/openpgp-auth.c, tests/x509cert.c: Check the credentials
-       getter functions as part of the unit tests
-
-2014-09-18  Armin Burgmeier <armin@arbur.net>
-
-       * lib/includes/gnutls/x509.h, lib/libgnutls.map,
-       lib/x509/verify-high.c: Add an interface to iterate the trusted CA
-       certificates in a trust list Signed-off-by: Armin Burgmeier <armin@arbur.net>
-
-2014-09-18  Armin Burgmeier <armin@arbur.net>
-
-       * lib/includes/gnutls/openpgp.h, lib/libgnutls.map,
-       lib/openpgp/gnutls_openpgp.c: Add getter functions for openpgp keys
-       and certificates Signed-off-by: Armin Burgmeier <armin@arbur.net>
-
-2014-09-17  Armin Burgmeier <armin@arbur.net>
-
-       * lib/gnutls_x509.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map: Add functions to obtain X.509 keys and
-       certificates from certificate credentials Signed-off-by: Armin Burgmeier <armin@arbur.net>
-
-2014-09-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_privkey.c, lib/includes/gnutls/abstract.h,
-       lib/libgnutls.map: enabled gnutls_privkey_export_pkcs11
-
-2014-09-17  Armin Burgmeier <armin@arbur.net>
-
-       * lib/gnutls_privkey.c, lib/includes/gnutls/abstract.h,
-       lib/libgnutls.map: Add functions to export X.509 and OpenPGP private
-       keys from the abstract type Signed-off-by: Armin Burgmeier <armin@arbur.net>
-
-2014-09-17  Armin Burgmeier <armin@arbur.net>
-
-       * lib/gnutls_x509.c, lib/includes/gnutls/x509.h, lib/libgnutls.map: 
-       Add a function to obtain the trust list of a
-       gnutls_certificate_credentials_t Signed-off-by: Armin Burgmeier <armin@arbur.net>
-
-2014-09-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/gnutls_pubkey.c: doc update
-
-2014-09-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * .gitignore: more files to ignore
-
-2014-09-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS, lib/gnutls_pcert.c, lib/includes/gnutls/abstract.h: removed
-       gnutls_pcert_get_type()
-
-2014-09-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac: only enable crywrap if libidn is present
-
 2014-09-22  Ludovic Courtès <ludo@gnu.org>
 
        * guile/src/core.c: guile: Restore cross-reference in
        bindings for 'gnutls_server_name_set'.  This adds the 'set-session-server-name!' procedure and the
        'server-name-type' enum type.
 
-2014-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2014-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/chainverify.c, tests/suite/certs/create-chain.sh,
-       tests/suite/pkcs11-chainverify.c, tests/test-chains.h: tests: Added
-       checks for key purpose verification
-
-2014-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_cert.c, lib/includes/gnutls/gnutls.h.in,
-       lib/includes/gnutls/x509.h, lib/x509/common.h,
-       lib/x509/verify-high.c, lib/x509/verify.c, lib/x509/x509_int.h: 
-       Verify key purpose on intermediate certificate if
-       GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE is specified That introduces the verification flag
-       GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE, and the verification
-       result GNUTLS_CERT_PURPOSE_MISMATCH. The reason that this
-       verification test must be explicitly enabled is because it is only
-       defined in CA Forum's Baseline requirements 1.1.9 but not any IETF
-       document.
-
-2014-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/certtool-args.def: certtool: updated the extended key usage
-       documentation
-
-2014-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/gnutls.h.in: added missing prototype
-
-2014-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2014-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/abstract_int.h, lib/gnutls_privkey.c,
-       lib/includes/gnutls/abstract.h, lib/libgnutls.map: introduced
-       gnutls_privkey_import_ext3() That function allows copying an external specified private key, as
-       well as allow variability on the capabilities of an external key.
-
-2014-09-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * cross.mk: updated cross.mk
-
-2014-09-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2014-09-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/output.c: when printing a certificate request also print
-       its signature algorithm
-
-2014-09-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/crq.c: 
-       added gnutls_x509_crq_get_signature_algorithm()
-
-2014-09-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2014-09-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/abstract.h: Added missing prototype
-
-2014-09-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map,
-       lib/pkcs11_privkey.c: Added gnutls_pkcs11_privkey_cpy()
-
-2014-09-17  Armin Burgmeier <armin@arbur.net>
-
-       * lib/gnutls_ui.c, lib/includes/gnutls/gnutls.h.in,
-       lib/libgnutls.map: Add gnutls_certificate_get_verify_flags Signed-off-by: Armin Burgmeier <armin@arbur.net>
-
-2014-09-17  Armin Burgmeier <armin@arbur.net>
-
-       * lib/gnutls_pcert.c, lib/includes/gnutls/abstract.h,
-       lib/libgnutls.map: Add API to retrieve a X.509 or OpenPGP
-       certificate from a gnutls_pcert_t Signed-off-by: Armin Burgmeier <armin@arbur.net>
-
 2014-09-18  Armin Burgmeier <armin@arbur.net>
 
        * lib/x509/verify-high.c: Memory leak fix on certificate copy
 
 2014-09-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
+       * NEWS: doc update
+
+2014-09-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
        * libdane/dane.c: libdane: do not require the CA to be a direct CA
 
 2014-09-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
+       * NEWS: doc update
+
+2014-09-19  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
        * tests/scripts/common.sh, tests/suite/testpkcs11: tests: enhanced
        test suite to pass more of the PKCS #11 API under valgrind
 
 
        * doc/certtool.cfg: updated certtool.cfg
 
+2014-09-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
+       auto-generated files
+
 2014-09-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * tests/test-chains.h: tests: added checks with modified certificate This tests whether a modified of a DER certificate, that is
 
 2014-09-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * configure.ac: require explicit disabling of PKCS #11 in configure
-
-2014-09-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * devel/DCO/people-dco.txt: Added Armin's DCO
-
-2014-09-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/verify-high.c, lib/x509/verify.c: updated details on
-       certificate verification
+       * NEWS: doc update
 
 2014-09-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * configure.ac: depend on p11-kit 0.20.7
-
-2014-09-16  Armin Burgmeier <armin@arbur.net>
-
-       * lib/x509/verify.c, tests/test-chains.h: Check for all error
-       conditions when verifying a certificate This allows to check for all possible flaws with a certificate chain
-       with a single call to gnutls_x509_crt_list_verify and friends.  Signed-off-by: Armin Burgmeier <armin@arbur.net>
-
-2014-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * configure.ac, lib/pkcs11x.h: depend on p11-kit 0.20.6
-
-2014-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/verify.c: removed unneeded set of status
+       * configure.ac: depend on p11-kit 0.20.7
 
 2014-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/verify.c: pkcs11: when a signer isn't found in PKCS #11
-       force the verification of the chain That allows obtaining any additional flags from the chain such as
-       insecure algorithms or expirations.
+       * configure.ac, lib/pkcs11x.h: depend on p11-kit 0.20.6
 
-2014-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-09-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/psk.c: psktool: corrected resource leak on failure
+       * m4/hooks.m4: require libtasn1 3.9 or later That is because of the ocsp fix.
 
 2014-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_x509.c: added sanity check on cleanup
+       * lib/verify-tofu.c: removed unused variable
 
 2014-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/verify-tofu.c: removed unused variable
+       * lib/gnutls_x509.c: added sanity check on cleanup
 
 2014-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-09-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
+       * m4/hooks.m4: bumped library version
+
+2014-09-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
        * lib/x509/crl.c: corrected gnutls_x509_crl_get_raw_issuer_dn()
 
-2014-09-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-09-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+       * lib/x509/common.c: only deallocate data when allocation succeeds
+
+2014-09-16  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/scripts/common.sh: tests: use the PID number in RPORT The shell's RANDOM isn't that random.
+       * NEWS: doc update
 
 2014-09-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
        * doc/cha-gtls-app.texi: documented the environment variables
 
-2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac, lib/pkcs11.c, lib/pkcs11x.c, lib/pkcs11x.h: simulate
-       pkcs11x.h when it doesn't exist
-
-2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/Makefile.am, tests/crlverify.c: tests: Added crlverify to
-       check gnutls_x509_crl_verify and gnutls_x509_trust_list_add_crls
-
-2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/certs/create-chain.sh: create-chain.sh: generate CRL
-
-2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/verify.c: gnutls_x509_crl_verify: do not always set the
-       invalid status Reported by Armin Burgmeier.
-
-2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/verify.c: Revert "gnutls_x509_crl_verify: do not always
-       set the invalid status" This reverts commit a922ee10c5f3902988e5730a1e6fbf77b033058c.
-
-2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/verify.c: gnutls_x509_crl_verify: do not always set the
-       invalid status Reported by Armin Burgmeier.
-
-2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-09-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_ui.c: doc update
+       * lib/verify-tofu.c, lib/x509/common.c, lib/x509/common.h: 
+       Backported x509_raw_crt_to_raw_pubkey and x509_crt_to_raw_pubkey
 
 2014-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/pkcs11x.c: added missing file
+       * NEWS: doc update
 
 2014-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/Makefile.am, lib/includes/gnutls/pkcs11.h, lib/libgnutls.map,
-       lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_write.c, lib/pkcs11x.h,
-       lib/verify-tofu.c, lib/x509/common.c, lib/x509/common.h: added
-       gnutls_pkcs11_copy_attached_extension()
-
-2014-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
        * tests/suite/pkcs11-get-issuer.c: pkcs11-get-issuer: do not
        hardcode the chain number, use its name
 
 2014-09-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/crq.c, lib/x509/verify-high.c, lib/x509/x509.c: Revert
-       "corrected planned version number" This reverts commit 5e44f432580f8b9533223acc3060db26446f0e96.
-
-2014-09-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
        * lib/includes/gnutls/x509-ext.h, lib/libgnutls.map,
        lib/x509/output.c, lib/x509/x509.c, lib/x509/x509_ext.c,
        src/pkcs11.c: fixes in the extension handling
        lib/pkcs11_int.c, lib/pkcs11_int.h, lib/x509/common.h,
        lib/x509/output.c, lib/x509/x509_ext.c: allow retrieving extensions
        in a trust module using
-       GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT
+       GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT Conflicts:         lib/pkcs11.c
 
 2014-09-10  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-09-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/crq.c, lib/x509/verify-high.c, lib/x509/x509.c: corrected
-       planned version number
-
-2014-09-09  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
        * lib/gnutls_cert.c, lib/gnutls_x509.c, lib/gnutls_x509.h,
        lib/includes/gnutls/x509.h, lib/libgnutls.map,
        lib/x509/verify-high.c: gnutls_x509_trust_list_verify_crt2 is in par
        with gnutls_certificate_verify_peers That is, it accepts a list of gnutls_typed_vdata_st and allows for
-       flexibility.
+       flexibility.  Conflicts:         lib/libgnutls.map
 
 2014-09-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
        * lib/gnutls_x509.c, lib/includes/gnutls/x509.h, lib/libgnutls.map,
        lib/x509/verify-high.c: Added
-       gnutls_x509_trust_list_verify_purpose_crt()
+       gnutls_x509_trust_list_verify_purpose_crt() Conflicts:         lib/libgnutls.map
+
+2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * NEWS: doc update
+
+2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * configure.ac, lib/pkcs11.c, lib/pkcs11x.c, lib/pkcs11x.h: simulate
+       pkcs11x.h when it doesn't exist
+
+2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * lib/Makefile.am, lib/pkcs11.c, lib/pkcs11x.h: added pkcs11x.h
+
+2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * tests/Makefile.am, tests/crlverify.c: tests: Added crlverify to
+       check gnutls_x509_crl_verify and gnutls_x509_trust_list_add_crls Conflicts:         tests/Makefile.am
+
+2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * lib/x509/verify.c: gnutls_x509_crl_verify: do not always set the
+       invalid status Reported by Armin Burgmeier.
+
+2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * lib/gnutls_ui.c: doc update
+
+2014-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+       * lib/pkcs11x.c: added missing file
+
+2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * lib/x509/verify.c: Revert "gnutls_x509_crl_verify: do not always
+       set the invalid status" This reverts commit 950b62da58542938adec366620948c85b78607dd.
+
+2014-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * lib/x509/verify.c: gnutls_x509_crl_verify: do not always set the
+       invalid status Reported by Armin Burgmeier.
+
+2014-09-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * NEWS: doc update
 
 2014-09-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
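Review bot: The added 2014-09-13 entries for lib/x509/verify.c list "gnutls_x509_crl_verify: do not always set the invalid status" twice with a Revert of it in between, so the reader has to work out from ordering alone whether the fix ends up applied; a short remark in the topmost of the three entries would settle it. The Revert cites 950b62da58542938adec366620948c85b78607dd, which nothing else in the added lines ties to an entry.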
 
 2014-09-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/hostname-verify.c: check_ip: initialize ret
+       * lib/x509/rfc2818_hostname.c: check_ip: initialize ret
 
 2014-09-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
        * src/certtool-cfg.c: certtool: corrected copy+paste error
 
-2014-09-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/suite/suppressions.valgrind, tests/suppressions.valgrind: 
-       tests: simply valgrind suppressions for libidn
-
 2014-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/dsa/testdsa, tests/openpgp-certs/testcerts,
-       tests/scripts/common.sh, tests/suite/testcompat-main,
-       tests/suite/testpkcs11, tests/suite/testsrn: use random ports in
-       tests, unless a port is provided
+       * NEWS: doc update
 
 2014-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-args.def: doc update
+       * tests/ocsp.c: doc update
+
+2014-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+       * m4/hooks.m4, tests/ocsp.c: Revert "require libtasn0 3.9 or later" This reverts commit 07a906b4e5c9d1446aee1bf4e091fefa1f1eb1da.
 
 2014-09-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
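Review bot: the added Revert entry for m4/hooks.m4 and tests/ocsp.c quotes the subject as "require libtasn0 3.9 or later", while the entry it undoes, a few lines further down, reads "require libtasn1 3.9 or later" and gives the reason "That is because of the ocsp fix". Correct the library name in the commit message this entry is generated from, and add a line saying why the minimum version can be relaxed without losing that OCSP fix, since the entry as written only says the requirement is gone.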
 
 2014-09-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
+       * NEWS: doc update
+
+2014-09-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
        * m4/hooks.m4, tests/ocsp.c: require libtasn1 3.9 or later That is because of the ocsp fix.
 
 2014-09-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 2014-09-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/common.c: simplified _gnutls_x509_get_signed_data()
-
-2014-09-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
        * lib/x509/common.c, lib/x509/common.h, lib/x509/crl.c,
        lib/x509/x509.c: The get_raw_dn() functions were modified to work
        even if the certificate is generated (not imported)
 
 2014-09-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/gnutls_dtls.c: Disallow zero fragments in DTLS for packets
-       which have data.  Reported by Manuel Pégourié-Gonnard.
+       * NEWS: doc update
 
 2014-09-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/Makefile.am, tests/mini-dtls-lowmtu.c: tests: Check the
-       behavior of a DTLS server in a low-mtu scenario.  http://permalink.gmane.org/gmane.network.gnutls.general/3582
+       * lib/gnutls_dtls.c: Disallow zero fragments in DTLS for packets
+       which have data.  Reported by Manuel Pégourié-Gonnard.
 
 2014-09-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
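Review bot: this hunk keeps the lib/gnutls_dtls.c entry "Disallow zero fragments in DTLS for packets which have data" but removes the entry for tests/mini-dtls-lowmtu.c, the check of DTLS server behaviour in a low-MTU scenario. If the test was left out of this branch on purpose, the fix is now recorded without a regression test next to it; either carry the test over as well or note in the fix's entry how the zero-fragment case is exercised here.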
 
 2014-09-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
+       * configure.ac, m4/hooks.m4: bumped version
+
+2014-09-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
        * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h: updated
-       libtasn1
+       included libtasn1
 
 2014-09-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-09-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/fips.c: fips140: check the integrity of GMP
+       * NEWS: doc update
 
 2014-09-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        when an intermediate CA certificate is replaced by a self-signed
        one.
 
+2014-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+       * lib/x509/common.c, lib/x509/crl.c, lib/x509/x509.c: avoid new
+       allocations and keep a pointer to the DER data for DN
+
+2014-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+       * lib/x509/crl.c, lib/x509/verify.c, lib/x509/x509_int.h: when
+       importing a CRL keep the DER data
+
+2014-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+       * lib/x509/common.c, lib/x509/common.h, lib/x509/crq.c,
+       lib/x509/verify.c, lib/x509/x509.c, lib/x509/x509_int.h: when
+       importing a certificate, keep the DER data
+
+2014-09-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+       * lib/fips.c: fips140: check the integrity of GMP
+
 2014-09-02  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/fips.c, lib/fips.h, lib/gnutls_global.c,
        rounds One round is before the AES acceleration is registered, and the
        second is after. That is to allow testing of the AES implementation
        used in the DRBG. That is a hack until nettle handles all cipher
-       acceleration.
+       acceleration.  Conflicts:         lib/gnutls_global.c
+
+2014-09-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+       * NEWS: doc update
 
 2014-09-01  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-08-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/hostname-verify.c: remove text not applicable in that
-       version
-
-2014-08-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/hostname-verify.c: refer to rfc6125
+       * lib/x509/rfc2818_hostname.c: refer to rfc6125
 
 2014-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/common.c, lib/x509/crl.c, lib/x509/x509.c: avoid new
-       allocations and keep a pointer to the DER data for DN
-
-2014-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/crl.c, lib/x509/verify.c, lib/x509/x509_int.h: when
-       importing a CRL keep the DER data
-
-2014-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/common.c, lib/x509/common.h, lib/x509/crq.c,
-       lib/x509/verify.c, lib/x509/x509.c, lib/x509/x509_int.h: when
-       importing a certificate, keep the DER data
-
-2014-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/ext/session_ticket.c: doc update
-
-2014-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
        * cfg.mk, configure.ac, devel/openssl,
        lib/accelerated/x86/Makefile.am, lib/accelerated/x86/x86-common.c: 
        added configuration option --disable-padlock That allows keeping hardware acceleration in x86 but without support
        for padlock.
 
-2014-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-08-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * devel/openssl, lib/accelerated/x86/coff/ghash-x86_64.s,
-       lib/accelerated/x86/coff/sha1-ssse3-x86_64.s,
-       lib/accelerated/x86/coff/sha512-ssse3-x86_64.s,
-       lib/accelerated/x86/elf/ghash-x86_64.s,
-       lib/accelerated/x86/elf/sha1-ssse3-x86_64.s,
-       lib/accelerated/x86/elf/sha512-ssse3-x86_64.s,
-       lib/accelerated/x86/macosx/ghash-x86_64.s,
-       lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s,
-       lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s: Revert "updated
-       asm sources" This reverts commit 97895066e18abc5689ede9af1a463539ea783e90.
+       * NEWS: doc update
 
 2014-08-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-08-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * devel/openssl, lib/accelerated/x86/coff/ghash-x86_64.s,
-       lib/accelerated/x86/coff/sha1-ssse3-x86_64.s,
-       lib/accelerated/x86/coff/sha512-ssse3-x86_64.s,
-       lib/accelerated/x86/elf/ghash-x86_64.s,
-       lib/accelerated/x86/elf/sha1-ssse3-x86_64.s,
-       lib/accelerated/x86/elf/sha512-ssse3-x86_64.s,
-       lib/accelerated/x86/macosx/ghash-x86_64.s,
-       lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s,
-       lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s: updated asm
-       sources
-
-2014-08-27  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
        * lib/pkcs11.c: gnutls_pkcs11_obj_list_import_url2() will import
        data in a single pass
 
 2014-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/suppressions.valgrind: tests: added more idna valgrind
-       suppressions
+       * NEWS: doc update
 
 2014-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/test-chains.h: tests: updated name constraints checks to not
-       include a CN
+       * NEWS: doc update
 
 2014-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/Makefile.am,
-       tests/cert-tests/name-constraints-err.pem,
-       tests/cert-tests/name-constraints-err.pem.out,
-       tests/cert-tests/verify-test: Revert "tests: Added a nameconstraints
-       test based on the CN bypass" The bypass check was included in
-       chainverify.  This reverts commit c9417bcc0614aaa2668486d294f5759b4082a23a.
+       * tests/test-chains.h: tests: updated name constraints checks to not
+       include a CN
 
 2014-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/cert-tests/Makefile.am,
-       tests/cert-tests/name-constraints-err.pem,
-       tests/cert-tests/name-constraints-err.pem.out,
-       tests/cert-tests/verify-test: tests: Added a nameconstraints test
-       based on the CN bypass That was discussed in:
-       http://permalink.gmane.org/gmane.comp.encryption.openssl.devel/26660
-
-2014-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
        * lib/x509/name_constraints.c: when verifying name constrains
        enforce the single CN rule
 
-2014-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * cross.mk: cross.mk: compile gnutls without p11-kit by default
-
-2014-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * cross.mk: cross.mk: do not delete the pkgconfig directory
-
-2014-08-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * devel/DCO/people-dco.txt: Added Alon's DCO link
-
 2014-08-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * src/libopts/autoopts.h: check for stdnoreturn.h presence
 
        * lib/gnutls_privkey.c: build: condition pkcs11 block Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
 
+2014-08-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * NEWS: released 3.3.7
+
 2014-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * lib/gnutls_record.c: record: tolerate a finished packet with
 
 2014-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_record.c: record: in DTLS discard only messages that
-       cause unexpected packet errors
+       * NEWS: doc update
 
 2014-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/suppressions.valgrind: tests: suppress more libidn
-       warnings
+       * lib/gnutls_record.c: record: in DTLS discard only messages that
+       cause unexpected packet errors
 
 2014-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/danetool.c: danetool: ensure the temporary file is always
-       removed
+       * src/socket.c: tools: use the AI_IDN flag in getaddrinfo if it
+       exists
 
 2014-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/ext/server_name.c, lib/includes/gnutls/gnutls.h.in: the
-       server_name extension will convert input and output names to IDNA.
+       * NEWS: doc update
 
 2014-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/Makefile.am, src/socket.c: tools: use idna_to_ascii_8z() to
-       convert internationalized hostnames
-
-2014-08-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/x509/gnutls-idna.h, lib/x509/hostname-verify.c,
-       lib/x509/output.c: hostname-verify: use idn_free()
+       * src/certtool-common.c, src/certtool-extras.c, src/common.c,
+       src/danetool.c, src/socket.c: danetool: added openssl-linking
+       exception That allows linking against unbound.
 
-2014-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/gnutls_errors.c: doc update
-
-2014-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/nettle/int/dsa-keygen-fips186.c: prevent 1024-bit DSA
-       parameter generation only when FIPS-mode is enabled.
-
-2014-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/nettle/int/dsa-keygen-fips186.c: Revert "removed pbits=1024,
-       qbits=160 from the acceptable bit sizes in FIPS140-2 DSA parameter
-       generation." This reverts commit 110527d9bb9ca70a66ae8173769067f133fd3cf7.
-
-2014-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/system.c: use the windows API in windows even if iconv is
-       available
-
-2014-08-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * cross.mk: win32: updated Makefile and added the ability build
-       openconnect
-
-2014-08-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * configure.ac: check for the correct version of libidn
-
-2014-08-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/hostname-check.c: tests: Added case sensitive checks in
-       hostname verification
-
-2014-08-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/suppressions.valgrind: tests: copied valgrind
-       suppressions to suite
-
-2014-08-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/minitasn1/decoding.c: updated libtasn1
+       * src/danetool.c: danetool: ensure the temporary file is always
+       removed
 
-2014-08-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suppressions.valgrind: tests: suppress valgrind warnings due
-       to libidn
+       * lib/gnutls_errors.c: doc update
 
-2014-08-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS: doc update
+       * lib/nettle/int/dsa-keygen-fips186.c: prevent 1024-bit DSA
+       parameter generation only when FIPS-mode is enabled.
 
-2014-08-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/Makefile.am, lib/x509/gnutls-idna.h,
-       lib/x509/hostname-verify.c, lib/x509/output.c: 
-       gnutls_x509_crt_print() will print the IDNA A-label names as well.
+       * lib/nettle/int/dsa-keygen-fips186.c: Revert "removed pbits=1024,
+       qbits=160 from the acceptable bit sizes in FIPS140-2 DSA parameter
+       generation." This reverts commit 110527d9bb9ca70a66ae8173769067f133fd3cf7.
 
-2014-08-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/hostname-check.c: tests: added UTF-8 hostname comparison
-       checks
+       * lib/system.c: use the windows API in windows even if iconv is
+       available
 
 2014-08-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * configure.ac, lib/Makefile.am, lib/x509/hostname-verify.c: Added
-       support for RFC6125 hostname comparison That adds the dependency on libidn.
+       * lib/minitasn1/decoding.c: updated libtasn1
 
 2014-08-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/x509/Makefile.am, lib/x509/hostname-verify.c,
-       lib/x509/rfc2818_hostname.c: renamed rfc2818_hostname to
-       hostname-verify The file no longer follows RFC2818.
+       * lib/minitasn1/decoding.c: updated minitasn1
 
 2014-08-20  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/minitasn1/decoding.c: updated minitasn1
+       * m4/hooks.m4: configure: print error message when nettle is 3.0 or
+       later
 
 2014-08-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        Re-initialize the ASN.1 structures on every import That allows to import a key/certificate on a structure even if the
        previous import failed.
 
+2014-08-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * symbols.last: symbols.last: added private entry
+
 2014-08-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * src/cli-args.def, src/cli.c: gnutls-cli: added --fips140-mode
 
 2014-08-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
+       * NEWS: doc update
+
+2014-08-14  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
        * lib/fips.c: The environment variable GNUTLS_FORCE_FIPS_MODE can be
        used to force the FIPS-140-2 mode
 
 
 2014-08-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/rfc2818_hostname.c: Follow the rfc6125 requirement that a
-       single CN must be present for hostname verification.  Follow up on the original commit that simplifies checking for more
-       than a single hostname.
+       * NEWS: doc update
 
 2014-08-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 
 2014-08-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
+       * lib/x509/rfc2818_hostname.c: Follow the rfc6125 requirement that a
+       single CN must be present for hostname verification.  Follow up on the original commit that simplifies checking for more
+       than a single hostname.
+
+2014-08-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
        * lib/x509/rfc2818_hostname.c, tests/hostname-check.c: Follow the
        rfc6125 requirement that a single CN must be present for hostname
        verification.
 
 2014-08-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * m4/hooks.m4: bumped current and age version to allow 3.3.x
-       releases with new symbols
-
-2014-08-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/pkcs12_encr.c: _gnutls_pkcs12_string_to_key(): enforce a
-       block size of 64-bytes
+       * NEWS: doc update
 
 2014-08-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/algorithms.h, lib/algorithms/mac.c, lib/libgnutls.map: 
        mac_to_entry -> _gnutls_mac_to_entry
 
-2014-08-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/pkcs11.c: gnutls_pkcs11_obj_flags_get_str: mention UNWRAP
-
-2014-08-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/pkcs12.c: pkcs12: added check for null OID in
-       gnutls_pkcs12_generate_mac2
-
-2014-08-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2014-08-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * tests/pkcs12_encode.c: tests: check gnutls_pkcs12_generate_mac2()
-
-2014-08-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/pkcs12.h, lib/libgnutls.map,
-       lib/x509/pkcs12.c: pkcs12: added gnutls_pkcs12_generate_mac2() That allows a choice on the MAC algorithm to be used.
-
-2014-08-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * NEWS: doc update
-
-2014-08-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool.c: certtool: --p12-info will provide information on
-       the MAC algorithm
-
-2014-08-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/pkcs12.h, lib/libgnutls.map,
-       lib/x509/pkcs12.c: pkcs12: added gnutls_pkcs12_mac_info to obtain
-       information on the MAC
-
 2014-08-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * lib/libgnutls.map, tests/pkcs12_s2k.c: tests: updated string to
        lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: pkcs12: Allow
        verification with structures that support other than HMAC-SHA1 MACs.
 
-2014-08-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+2014-08-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/gc.c: tests: remove test for nettle's pbkdf2; this is tested
-       in nettle
+       * lib/pkcs11.c: gnutls_pkcs11_obj_flags_get_str: mention UNWRAP
 
 2014-08-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 
 2014-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/suite/testdane: testdane: re-enabled DANE checks and added
-       checks on SMTP
+       * src/danetool.c: danetool: obtain certificate only once
 
 2014-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * src/danetool.c: danetool: obtain certificate only once
+       * m4/hooks.m4: bumped version
+
+2014-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: added new
+       functions
 
 2014-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 
 2014-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
+       * doc/manpages/tpmtool.1: auto-generated files update
+
+2014-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+       * NEWS: doc update
+
+2014-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
        * src/cli-debug-args.def, src/cli-debug.c: gnutls-cli-debug:
        supports SMTP starttls
 
 
 2014-08-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/gnutls_handshake.c: updated documentation for
-       gnutls_handshake()
+       * NEWS: doc update
 
 2014-08-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        tests/suite/testdane: danetool: if the certificate to verify against
        is not provide it try to obtain it
 
-2014-08-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2014-08-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
+2014-08-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/x509/Makefile.am, lib/x509/pbkdf2-sha1.c,
-       lib/x509/pbkdf2-sha1.h, lib/x509/privkey_openssl.c,
-       lib/x509/privkey_pkcs8.c, tests/gc.c: pbkdf2: removed internal
-       implementation, use nettle's
+       * lib/gnutls_handshake.c: updated documentation for
+       gnutls_handshake()
 
 2014-08-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-08-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
+       * NEWS: doc update
+
+2014-08-08  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
        * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: 
        p11tool: added --info parameter That allows obtaining information on a specific object.
 
 
 2014-08-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/testpkcs11: testpkcs11: rearranged checks to avoid
-       wrong deletions
+       * NEWS: doc update
 
 2014-08-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-08-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
+       * NEWS: doc update
+
+2014-08-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
        * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
        src/pkcs11.c: gnutls_pkcs11_flags_get_str ->
        gnutls_pkcs11_obj_flags_get_str
 
 2014-08-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * tests/suite/testpkcs11: testpkcs11: test the trusted and ca flags
-       being set
+       * tests/suite/testpkcs11: testpkcs11: exit if
+       export_pubkey_of_privkey fails
 
 2014-08-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/includes/gnutls/pkcs11.h: pkcs11.h: introduced
        gnutls_pkcs11_obj_flags
 
-2014-08-07  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/suite/testpkcs11: testpkcs11: exit if
-       export_pubkey_of_privkey fails
-
 2014-08-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * NEWS: doc update
 
 2014-08-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * README: README: removed gmplib 4.2.2 reference
+       * src/benchmark-tls.c: gnutls-cli: TLS benchmark parameters were
+       updated
 
 2014-08-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/benchmark-tls.c: gnutls-cli: TLS benchmark parameters were
-       updated
+       * NEWS: doc update
 
 2014-08-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map,
        lib/pkcs11_privkey.c, src/pkcs11.c: changed semantics of
        gnutls_pkcs11_privkey_get_pubkey; named
-       gnutls_pkcs11_privkey_export_pubkey
+       gnutls_pkcs11_privkey_export_pubkey Conflicts:         lib/libgnutls.map
+
+2014-08-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+       * NEWS: doc update
 
 2014-08-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * src/cli-debug.c, src/tests.c: gnutls-cli-debug: added AES and
        CAMELLIA to the list of default ciphers
 
-2014-08-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-gtls-app.texi: doc update
-
-2014-08-06  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * doc/cha-gtls-app.texi: mention profile in security parameters
-       table
-
-2014-08-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * devel/DCO/people-dco.txt: Added people who have sent a DCO for
-       gnutls
-
-2014-08-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * NEWS: doc update
-
-2014-08-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/privkey_pkcs8.c: pkcs12: fixes in decryption with null
-       password
-
-2014-08-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/certtool.c: certtool: free unused variables
-
-2014-08-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/pkcs8-decode/Makefile.am,
-       tests/pkcs8-decode/suppressions.valgrind: added missing file
-
-2014-08-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/certtool.c: certtool: print more information on PKCS #12
-       structures.  use gnutls_pkcs12_bag_enc_info to print more information on
-       encrypted PKCS #12 structures.
-
-2014-08-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/pkcs12.h, lib/libgnutls.map,
-       lib/x509/pkcs12_bag.c, lib/x509/privkey_pkcs8.c,
-       lib/x509/x509_int.h: added new function to obtain information on a
-       PKCS #12 encrypted bag New function: gnutls_pkcs12_bag_enc_info()
-
-2014-08-05  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/privkey_pkcs8.c: doc update
-
-2014-08-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * src/certtool.c: certtool: default pkcs-cipher is now 3des as in
-       PKCS #12
-
-2014-08-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
-
-       * lib/includes/gnutls/x509.h, lib/x509/privkey_pkcs8.c,
-       src/certtool.c: gnutls_pkcs8_info: will return OID value even on
-       unsupported structures
-
 2014-08-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * lib/gnutls_state.c, lib/x509/x509.c: doc: replaced non-0 with
 
 2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS, src/certtool-args.def: doc update
-
-2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/privkey_pkcs8.c: simplified decrypt_data() and initialize
-       parameters on decryption
-
-2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/privkey_pkcs8.c: further increase iteration count
-
-2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * src/certtool.c, tests/pkcs8-decode/Makefile.am,
-       tests/pkcs8-decode/openssl-3des.p8.txt,
-       tests/pkcs8-decode/openssl-aes128.p8.txt,
-       tests/pkcs8-decode/openssl-aes256.p8.txt, tests/pkcs8-decode/pkcs8: 
-       certtool: improved PKCS #8 information printing
-
-2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * tests/pkcs8-decode/Makefile.am,
-       tests/pkcs8-decode/openssl-3des.p8,
-       tests/pkcs8-decode/openssl-3des.p8.txt,
-       tests/pkcs8-decode/openssl-aes128.p8,
-       tests/pkcs8-decode/openssl-aes128.p8.txt,
-       tests/pkcs8-decode/openssl-aes256.p8,
-       tests/pkcs8-decode/openssl-aes256.p8.txt, tests/pkcs8-decode/pkcs8: 
-       tests: added more PKCS #8 decoding tests
-
-2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: small fixes and
-       optimizations in PKCS #8 information
-
-2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
        * NEWS: doc update
 
 2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * src/certtool-args.def, src/certtool.c: certtool: added --p8-info
-       option
-
-2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/x509.h, lib/libgnutls.map,
-       lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: added new functions
-       to obtain information on PKCS #8 structures.  Added gnutls_pkcs8_info(), gnutls_pkcs_schema_get_name(), and
-       gnutls_pkcs_schema_get_oid().
-
-2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/includes/gnutls/x509.h, lib/pkix.asn, lib/pkix_asn1_tab.c,
-       lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: PKCS #8 encryption
-       support was made more compact and manageable
-
-2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/x509/pkcs12.c: pkcs12: increased the number of iterations for
-       MAC
-
-2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/atfork.c: removed debugging info
-
-2014-07-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * lib/atfork.h, lib/nettle/rnd-common.c, lib/system.h,
-       lib/x509/verify-high2.c: several windows compilation fixes
+       * lib/x509/privkey_pkcs8.c: pkcs8: initialize parameters on
+       decryption
 
 2014-07-31  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * lib/includes/gnutls/gnutls.h.in: gnutls.h: use _SYM_EXPORT to
-       export other than function symbols
+       * lib/nettle/rnd-common.c, lib/system.h, lib/x509/verify-high2.c: 
+       several windows compilation fixes Conflicts:         lib/atfork.h
 
 2014-07-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
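Review bot: the removed entries in this hunk include "pkcs12: increased the number of iterations for MAC" (lib/x509/pkcs12.c) and "further increase iteration count" (lib/x509/privkey_pkcs8.c), and the only PKCS #8 entry added in their place is "pkcs8: initialize parameters on decryption". If this branch really does not carry the two iteration-count commits, say so in NEWS, because the ChangeLog no longer tells a reader which key-derivation work factors apply. The added "several windows compilation fixes" entry also ends in "Conflicts: lib/atfork.h", a file that is no longer in its own file list; drop that trailer.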
 
 2014-07-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * NEWS, configure.ac: master now holds the 3.4.0 release
-
-2014-07-29  Nikos Mavrogiannopoulos <nmav@redhat.com>
-
-       * configure.ac, lib/Makefile.am, lib/atfork.c, lib/atfork.h,
-       lib/gnutls_global.c, lib/nettle/rnd-fips.c, lib/nettle/rnd.c,
-       lib/pkcs11.c: Use pthread_atfork() and variants to detect fork
+       * NEWS, configure.ac, m4/hooks.m4: bumped versions
 
 2014-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        lib/accelerated/x86/aes-padlock.c,
        lib/accelerated/x86/sha-padlock.c,
        lib/accelerated/x86/sha-x86-ssse3.c,
-       lib/accelerated/x86/x86-common.c, lib/accelerated/x86/x86-common.h,
-       lib/accelerated/x86/x86.h: x86.h was renamed to x86-common.h to
-       avoid clashes with system headers.
+       lib/accelerated/x86/x86-common.c, lib/accelerated/x86/{x86.h =>
+       x86-common.h}: x86.h was renamed to x86-common.h to avoid clashes
+       with system headers.
 
 2014-04-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
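Review bot: the rewritten entry records the header rename as "lib/accelerated/x86/{x86.h => x86-common.h}", and the brace expression is wrapped across two lines. The removed form listed lib/accelerated/x86/x86-common.h and lib/accelerated/x86/x86.h as separate paths, which a plain search for either file name would find. Generate the ChangeLog without rename abbreviation, or keep both full paths in the file list, so that entries stay searchable by path.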
 
 2014-04-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * configure.ac, tests/Makefile.am, tests/key-id/Makefile.am,
-       tests/key-id/README, tests/key-id/ca-gnutls-keyid.pem,
-       tests/key-id/ca-no-keyid.pem, tests/key-id/ca-weird-keyid.pem,
-       tests/key-id/key-ca.pem, tests/key-id/key-id,
-       tests/key-id/key-user.pem, tests/key-tests/Makefile.am,
-       tests/key-tests/README, tests/key-tests/ca-gnutls-keyid.pem,
-       tests/key-tests/ca-no-keyid.pem,
-       tests/key-tests/ca-weird-keyid.pem, tests/key-tests/key-ca-1234.p8,
+       * configure.ac, tests/Makefile.am, tests/{key-id =>
+       key-tests}/Makefile.am, tests/{key-id => key-tests}/README,
+       tests/{key-id => key-tests}/ca-gnutls-keyid.pem, tests/{key-id =>
+       key-tests}/ca-no-keyid.pem, tests/{key-id =>
+       key-tests}/ca-weird-keyid.pem, tests/key-tests/key-ca-1234.p8,
        tests/key-tests/key-ca-empty.p8, tests/key-tests/key-ca-null.p8,
-       tests/key-tests/key-ca.pem, tests/key-tests/key-id,
-       tests/key-tests/key-user.pem, tests/key-tests/pkcs8: Added self-test
-       for PKCS #8 key conversion and reading
+       tests/{key-id => key-tests}/key-ca.pem, tests/{key-id =>
+       key-tests}/key-id, tests/{key-id => key-tests}/key-user.pem,
+       tests/key-tests/pkcs8: Added self-test for PKCS #8 key conversion
+       and reading
 
 2014-04-03  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2014-03-06  Kevin Cernekee <cernekee@gmail.com>
 
-       * .gitignore, doc/manpages/Makefile.am, src/Makefile.am,
-       src/psk-args.def, src/psk.c, src/psktool-args.def: Rename
-       psk-args.def to psktool-args.def Other utilities generate invoke-%.texi from %-args.def, but
+       * .gitignore, doc/manpages/Makefile.am, src/Makefile.am, src/psk.c,
+       src/{psk-args.def => psktool-args.def}: Rename psk-args.def to
+       psktool-args.def Other utilities generate invoke-%.texi from %-args.def, but
        currently invoke-psktool.texi is generated from psk-args.def.  If we
        make psktool conform to the same convention as the other utilities,
        we can use a generic pattern to handle all of them the same way.  Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
 2014-01-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * doc/scripts/getfuncs-map.pl, lib/libgnutls.map: added
-       gnutls_realloc_fast to false positives Conflicts:       lib/libgnutls.map
+       gnutls_realloc_fast to false positives Conflicts:         lib/libgnutls.map
 
 2014-01-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
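Review bot: The removed and added `gnutls_realloc_fast to false positives Conflicts:` lines differ only in the run of whitespace before `lib/libgnutls.map`, so this hunk changes nothing of substance. In a commit whose subject is a CVE fix, churn like this makes the security-relevant hunks harder to find in review. Regenerate the ChangeLog in a separate commit, or fix the generator's tab handling so that unchanged entries do not show up as modified.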
 
 2013-12-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/Makefile.am: libtasn1 generated files are set in BUILT_SOURCES Conflicts:         lib/Makefile.am
+       * lib/Makefile.am: libtasn1 generated files are set in BUILT_SOURCES Conflicts:         lib/Makefile.am
 
 2013-12-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 
 2013-12-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * lib/accelerated/x86/Makefile.am,
-       lib/accelerated/x86/hmac-x86-ssse3.c,
-       lib/accelerated/x86/hmac-x86.c,
-       lib/accelerated/x86/sha-x86-ssse3.c, lib/accelerated/x86/sha-x86.c: 
-       use better names for files
+       * lib/accelerated/x86/Makefile.am, lib/accelerated/x86/{hmac-x86.c
+       => hmac-x86-ssse3.c}, lib/accelerated/x86/{sha-x86.c =>
+       sha-x86-ssse3.c}: use better names for files
 
 2013-12-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 2013-12-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * lib/accelerated/x86/Makefile.am,
-       lib/accelerated/x86/aes-gcm-x86-pclmul.c,
+       lib/accelerated/x86/{aes-gcm-x86.c => aes-gcm-x86-pclmul.c},
        lib/accelerated/x86/aes-gcm-x86-ssse3.c,
-       lib/accelerated/x86/aes-gcm-x86.c, lib/accelerated/x86/aes-x86.c,
-       lib/accelerated/x86/aes-x86.h, lib/accelerated/x86/hmac-x86.c,
-       lib/accelerated/x86/sha-x86.c, lib/accelerated/x86/sha-x86.h: When
-       PCLMUL isn't available use the SSSE3 implementation of AES to
-       optimize GCM.
+       lib/accelerated/x86/aes-x86.c, lib/accelerated/x86/aes-x86.h,
+       lib/accelerated/x86/hmac-x86.c, lib/accelerated/x86/sha-x86.c,
+       lib/accelerated/x86/sha-x86.h: When PCLMUL isn't available use the
+       SSSE3 implementation of AES to optimize GCM.
 
 2013-12-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        devel/perlasm/sha512-ssse3-x86_64.pl,
        lib/accelerated/x86/Makefile.am, lib/accelerated/x86/aes-padlock.h,
        lib/accelerated/x86/aes-x86.c,
-       lib/accelerated/x86/coff/aesni-x86.s,
-       lib/accelerated/x86/coff/aesni-x86_64.s,
-       lib/accelerated/x86/coff/appro-aes-gcm-x86-64-coff.s,
-       lib/accelerated/x86/coff/appro-aes-x86-64-coff.s,
-       lib/accelerated/x86/coff/appro-aes-x86-coff.s,
-       lib/accelerated/x86/coff/cpuid-x86-64-coff.s,
-       lib/accelerated/x86/coff/cpuid-x86-coff.s,
-       lib/accelerated/x86/coff/cpuid-x86.s,
-       lib/accelerated/x86/coff/cpuid-x86_64.s,
-       lib/accelerated/x86/coff/e_padlock-x86.s,
-       lib/accelerated/x86/coff/e_padlock-x86_64.s,
-       lib/accelerated/x86/coff/ghash-x86_64.s,
-       lib/accelerated/x86/coff/openssl-cpuid-x86.s,
+       lib/accelerated/x86/coff/{appro-aes-x86-coff.s => aesni-x86.s},
+       lib/accelerated/x86/coff/{appro-aes-x86-64-coff.s =>
+       aesni-x86_64.s}, lib/accelerated/x86/coff/{cpuid-x86-coff.s =>
+       cpuid-x86.s}, lib/accelerated/x86/coff/{cpuid-x86-64-coff.s =>
+       cpuid-x86_64.s}, lib/accelerated/x86/coff/{padlock-x86-coff.s =>
+       e_padlock-x86.s}, lib/accelerated/x86/coff/{padlock-x86-64-coff.s
+       => e_padlock-x86_64.s},
+       lib/accelerated/x86/coff/{appro-aes-gcm-x86-64-coff.s =>
+       ghash-x86_64.s}, lib/accelerated/x86/coff/openssl-cpuid-x86.s,
        lib/accelerated/x86/coff/openssl-cpuid-x86_64.s,
-       lib/accelerated/x86/coff/padlock-x86-64-coff.s,
-       lib/accelerated/x86/coff/padlock-x86-coff.s,
        lib/accelerated/x86/coff/sha1-ssse3-x86.s,
        lib/accelerated/x86/coff/sha1-ssse3-x86_64.s,
        lib/accelerated/x86/coff/sha256-avx-x86_64.s,
        lib/accelerated/x86/coff/sha256-ssse3-x86.s,
        lib/accelerated/x86/coff/sha512-ssse3-x86.s,
        lib/accelerated/x86/coff/sha512-ssse3-x86_64.s,
-       lib/accelerated/x86/elf/aesni-x86.s,
-       lib/accelerated/x86/elf/aesni-x86_64.s,
-       lib/accelerated/x86/elf/appro-aes-gcm-x86-64.s,
-       lib/accelerated/x86/elf/appro-aes-x86-64.s,
-       lib/accelerated/x86/elf/appro-aes-x86.s,
-       lib/accelerated/x86/elf/cpuid-x86-64.s,
-       lib/accelerated/x86/elf/cpuid-x86_64.s,
-       lib/accelerated/x86/elf/e_padlock-x86.s,
-       lib/accelerated/x86/elf/e_padlock-x86_64.s,
-       lib/accelerated/x86/elf/ghash-x86_64.s,
-       lib/accelerated/x86/elf/padlock-x86-64.s,
-       lib/accelerated/x86/elf/padlock-x86.s,
+       lib/accelerated/x86/elf/{appro-aes-x86.s => aesni-x86.s},
+       lib/accelerated/x86/elf/{appro-aes-x86-64.s => aesni-x86_64.s},
+       lib/accelerated/x86/elf/{cpuid-x86-64.s => cpuid-x86_64.s},
+       lib/accelerated/x86/elf/{padlock-x86.s => e_padlock-x86.s},
+       lib/accelerated/x86/elf/{padlock-x86-64.s => e_padlock-x86_64.s},
+       lib/accelerated/x86/elf/{appro-aes-gcm-x86-64.s => ghash-x86_64.s},
        lib/accelerated/x86/elf/sha1-ssse3-x86.s,
        lib/accelerated/x86/elf/sha1-ssse3-x86_64.s,
        lib/accelerated/x86/elf/sha256-avx-x86_64.s,
        lib/accelerated/x86/elf/sha512-ssse3-x86.s,
        lib/accelerated/x86/elf/sha512-ssse3-x86_64.s,
        lib/accelerated/x86/files.mk, lib/accelerated/x86/hmac-x86.c,
-       lib/accelerated/x86/macosx/aesni-x86.s,
-       lib/accelerated/x86/macosx/aesni-x86_64.s,
-       lib/accelerated/x86/macosx/appro-aes-gcm-x86-64-macosx.s,
-       lib/accelerated/x86/macosx/appro-aes-x86-64-macosx.s,
-       lib/accelerated/x86/macosx/appro-aes-x86-macosx.s,
-       lib/accelerated/x86/macosx/cpuid-x86-64-macosx.s,
+       lib/accelerated/x86/macosx/{appro-aes-x86-macosx.s => aesni-x86.s},
+       lib/accelerated/x86/macosx/{appro-aes-x86-64-macosx.s =>
+       aesni-x86_64.s}, lib/accelerated/x86/macosx/cpuid-x86-64-macosx.s,
        lib/accelerated/x86/macosx/cpuid-x86-macosx.s,
        lib/accelerated/x86/macosx/cpuid-x86.s,
        lib/accelerated/x86/macosx/cpuid-x86_64.s,
-       lib/accelerated/x86/macosx/e_padlock-x86.s,
-       lib/accelerated/x86/macosx/e_padlock-x86_64.s,
-       lib/accelerated/x86/macosx/ghash-x86_64.s,
-       lib/accelerated/x86/macosx/openssl-cpuid-x86.s,
+       lib/accelerated/x86/macosx/{padlock-x86-macosx.s =>
+       e_padlock-x86.s},
+       lib/accelerated/x86/macosx/{padlock-x86-64-macosx.s =>
+       e_padlock-x86_64.s},
+       lib/accelerated/x86/macosx/{appro-aes-gcm-x86-64-macosx.s =>
+       ghash-x86_64.s}, lib/accelerated/x86/macosx/openssl-cpuid-x86.s,
        lib/accelerated/x86/macosx/openssl-cpuid-x86_64.s,
-       lib/accelerated/x86/macosx/padlock-x86-64-macosx.s,
-       lib/accelerated/x86/macosx/padlock-x86-macosx.s,
        lib/accelerated/x86/macosx/sha1-ssse3-x86.s,
        lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s,
        lib/accelerated/x86/macosx/sha256-avx-x86_64.s,
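Review bot: Several rename pairs on the added lines are wrapped in the middle of the braces, for example `lib/accelerated/x86/coff/{appro-aes-x86-64-coff.s =>` continuing as `aesni-x86_64.s},` on the next line, and likewise `lib/accelerated/x86/macosx/{padlock-x86-macosx.s =>` followed by `e_padlock-x86.s},`. A reader has to reassemble directory, old name and new name across two lines to learn which assembly file was touched, where the removed lines gave one complete path per entry. Wrap only between whole entries, or keep the one-path-per-entry listing for these files.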
 
 2013-11-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * : Merged the FIPS140-2 support code.  Conflicts:      lib/gnutls_global.c     tests/mini-overhead.c
+       * : Merged the FIPS140-2 support code.  Conflicts:         lib/gnutls_global.c         tests/mini-overhead.c
 
 2013-11-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 
 2013-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * configure.ac, lib/nettle/Makefile.am, lib/nettle/gcm-camellia.c,
-       lib/nettle/gcm-camellia.h, lib/nettle/int/drbg-aes-self-test.c,
-       lib/nettle/int/drbg-aes.c, lib/nettle/int/drbg-aes.h,
-       lib/nettle/int/gcm-camellia.c, lib/nettle/int/gcm-camellia.h,
-       lib/nettle/rnd-fips.c: Added DRBG submitted to nettle in gnutls.
+       * configure.ac, lib/nettle/Makefile.am,
+       lib/nettle/int/drbg-aes-self-test.c, lib/nettle/int/drbg-aes.c,
+       lib/nettle/int/drbg-aes.h, lib/nettle/{ => int}/gcm-camellia.c,
+       lib/nettle/{ => int}/gcm-camellia.h, lib/nettle/rnd-fips.c: Added
+       DRBG submitted to nettle in gnutls.
 
 2013-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        lib/x509/verify-high.c, lib/x509/x509.c, lib/xssl.c: Added support
        for fips states.  This implies that when in FIPS mode and the library is not in
        operational state (i.e., all self checks succeeded), crypto
-       functionality of the library will fail.  This includes:         * API functions of gnutls/crypto.h      * API functions of gnutls/abstract.h    * API functions of gnutls/x509.h        * gnutls_init()         * API functions of gnutls/xssl.h
+       functionality of the library will fail.  This includes:         * API functions of gnutls/crypto.h         * API functions of gnutls/abstract.h         * API functions of gnutls/x509.h         * gnutls_init()         * API functions of gnutls/xssl.h
 
 2013-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
 2013-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        * configure.ac, lib/Makefile.am: Do not link gnutls against librt
-       unlress it is really necessary.  Conflicts:     configure.ac    lib/Makefile.am
+       unlress it is really necessary.  Conflicts:         configure.ac         lib/Makefile.am
 
 2013-11-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 2013-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * gl/Makefile.am, gl/m4/gnulib-cache.m4, gl/m4/gnulib-comp.m4,
-       gl/strerror-override.c, gl/strerror-override.h, gl/strerror.c,
-       gl/tests/Makefile.am, gl/tests/strerror-override.c,
-       gl/tests/strerror-override.h, gl/tests/strerror.c: Added strerror
-       module.
+       gl/{tests => }/strerror-override.c, gl/{tests =>
+       }/strerror-override.h, gl/{tests => }/strerror.c,
+       gl/tests/Makefile.am: Added strerror module.
 
 2013-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 
 2013-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
-       * gl/Makefile.am, gl/base64.c, gl/intprops.h,
+       * gl/Makefile.am, gl/base64.c, gl/{tests => }/intprops.h,
        gl/m4/extern-inline.m4, gl/m4/gnulib-cache.m4,
-       gl/m4/gnulib-comp.m4, gl/tests/Makefile.am, gl/tests/intprops.h,
-       maint.mk: Added intprops module (which is needed by newer libtasn1
-       versions)
+       gl/m4/gnulib-comp.m4, gl/tests/Makefile.am, maint.mk: Added intprops
+       module (which is needed by newer libtasn1 versions)
 
 2013-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>
 
        gl/basename-lgpl.c, gl/bind.c, gl/byteswap.in.h, gl/c-ctype.c,
        gl/c-ctype.h, gl/close.c, gl/closedir.c, gl/connect.c,
        gl/dirent-private.h, gl/dirent.in.h, gl/dirname-lgpl.c,
-       gl/dirname.h, gl/dosname.h, gl/dup2.c, gl/errno.in.h, gl/error.c,
-       gl/error.h, gl/fd-hook.c, gl/fd-hook.h, gl/filename.h, gl/float+.h,
-       gl/float.c, gl/float.in.h, gl/fpucw.h, gl/frexp.c, gl/frexpl.c,
-       gl/fseek.c, gl/fseeko.c, gl/fseterr.c, gl/fseterr.h, gl/fstat.c,
-       gl/ftell.c, gl/ftello.c, gl/gai_strerror.c, gl/getaddrinfo.c,
-       gl/getdelim.c, gl/getline.c, gl/getopt.c, gl/getopt.in.h,
-       gl/getopt1.c, gl/getopt_int.h, gl/getpass.c, gl/getpass.h,
-       gl/getpeername.c, gl/getsubopt.c, gl/gettext.h, gl/gettimeofday.c,
-       gl/hash-pjw-bare.c, gl/hash-pjw-bare.h, gl/inet_ntop.c,
-       gl/inet_pton.c, gl/intprops.h, gl/isnan.c, gl/isnand-nolibm.h,
-       gl/isnand.c, gl/isnanf-nolibm.h, gl/isnanf.c, gl/isnanl-nolibm.h,
-       gl/isnanl.c, gl/itold.c, gl/listen.c, gl/lseek.c,
-       gl/m4/alphasort.m4, gl/m4/argp.m4, gl/m4/closedir.m4,
+       gl/dirname.h, gl/dup2.c, gl/errno.in.h, gl/error.c, gl/error.h,
+       gl/fd-hook.c, gl/fd-hook.h, gl/filename.h, gl/float+.h, gl/float.c,
+       gl/float.in.h, gl/frexp.c, gl/frexpl.c, gl/fseek.c, gl/fseeko.c,
+       gl/fseterr.c, gl/fseterr.h, gl/fstat.c, gl/ftell.c, gl/ftello.c,
+       gl/gai_strerror.c, gl/getaddrinfo.c, gl/getdelim.c, gl/getline.c,
+       gl/getopt.c, gl/getopt.in.h, gl/getopt1.c, gl/getopt_int.h,
+       gl/getpass.c, gl/getpass.h, gl/getpeername.c, gl/getsubopt.c,
+       gl/gettext.h, gl/gettimeofday.c, gl/hash-pjw-bare.c,
+       gl/hash-pjw-bare.h, gl/inet_ntop.c, gl/inet_pton.c, gl/isnan.c,
+       gl/isnand-nolibm.h, gl/isnand.c, gl/isnanf-nolibm.h, gl/isnanf.c,
+       gl/isnanl-nolibm.h, gl/isnanl.c, gl/itold.c, gl/listen.c,
+       gl/lseek.c, gl/m4/alphasort.m4, gl/m4/argp.m4, gl/m4/closedir.m4,
        gl/m4/dirent_h.m4, gl/m4/dirname.m4, gl/m4/double-slash-root.m4,
        gl/m4/eealloc.m4, gl/m4/environ.m4, gl/m4/error.m4,
        gl/m4/exponentf.m4, gl/m4/exponentl.m4, gl/m4/frexp.m4,
        gl/stdalign.in.h, gl/stdarg.in.h, gl/stdbool.in.h, gl/stddef.in.h,
        gl/stdint.in.h, gl/stdio-impl.h, gl/stdio.in.h, gl/stdlib.in.h,
        gl/str-two-way.h, gl/strcasecmp.c, gl/strchrnul.c,
-       gl/strchrnul.valgrind, gl/strdup.c, gl/strerror-override.c,
-       gl/strerror-override.h, gl/strerror.c, gl/string.in.h,
+       gl/strchrnul.valgrind, gl/strdup.c, gl/string.in.h,
        gl/strings.in.h, gl/stripslash.c, gl/strncasecmp.c, gl/strndup.c,
        gl/strnlen.c, gl/strtok_r.c, gl/strverscmp.c, gl/sys_select.in.h,
        gl/sys_socket.in.h, gl/sys_stat.in.h, gl/sys_time.in.h,
        gl/sys_types.in.h, gl/sys_uio.in.h, gl/sysexits.in.h,
-       gl/tests/Makefile.am, gl/tests/dosname.h, gl/tests/fpucw.h,
-       gl/tests/infinity.h, gl/tests/intprops.h, gl/tests/malloca.c,
-       gl/tests/malloca.h, gl/tests/malloca.valgrind,
+       gl/tests/Makefile.am, gl/{ => tests}/dosname.h, gl/{ =>
+       tests}/fpucw.h, gl/tests/infinity.h, gl/{ => tests}/intprops.h,
+       gl/tests/malloca.c, gl/tests/malloca.h, gl/tests/malloca.valgrind,
        gl/tests/minus-zero.h, gl/tests/nan.h, gl/tests/putenv.c,
-       gl/tests/randomd.c, gl/tests/randoml.c, gl/tests/setenv.c,
-       gl/tests/strerror-override.c, gl/tests/strerror-override.h,
-       gl/tests/strerror.c, gl/tests/test-argp-2.sh, gl/tests/test-argp.c,
-       gl/tests/test-dirent.c, gl/tests/test-environ.c,
-       gl/tests/test-fprintf-posix.h, gl/tests/test-frexp.c,
-       gl/tests/test-frexp.h, gl/tests/test-frexpl.c,
-       gl/tests/test-fseterr.c, gl/tests/test-getopt.c,
-       gl/tests/test-getopt.h, gl/tests/test-getopt_long.h,
-       gl/tests/test-isnand-nolibm.c, gl/tests/test-isnand.h,
-       gl/tests/test-isnanf-nolibm.c, gl/tests/test-isnanf.h,
-       gl/tests/test-isnanl-nolibm.c, gl/tests/test-isnanl.h,
-       gl/tests/test-malloc-gnu.c, gl/tests/test-malloca.c,
-       gl/tests/test-math.c, gl/tests/test-printf-frexp.c,
-       gl/tests/test-printf-frexpl.c, gl/tests/test-printf-posix.h,
-       gl/tests/test-printf-posix.output, gl/tests/test-rawmemchr.c,
-       gl/tests/test-setenv.c, gl/tests/test-signbit.c,
-       gl/tests/test-sleep.c, gl/tests/test-strchrnul.c,
-       gl/tests/test-sysexits.c, gl/tests/test-unsetenv.c,
-       gl/tests/test-version-etc.c, gl/tests/test-version-etc.sh,
-       gl/tests/test-vfprintf-posix.c, gl/tests/test-vfprintf-posix.sh,
-       gl/tests/test-vprintf-posix.c, gl/tests/test-vprintf-posix.sh,
-       gl/tests/unsetenv.c, gl/time.in.h, gl/time_r.c, gl/u64.h,
-       gl/unistd.in.h, gl/vasnprintf.c, gl/vasnprintf.h, gl/vasprintf.c,
-       gl/verify.h, gl/version-etc-fsf.c, gl/version-etc.c,
-       gl/version-etc.h, gl/vfprintf.c, gl/vprintf.c, gl/vsnprintf.c,
-       gl/w32sock.h, gl/wchar.in.h, gl/xsize.h, src/certtool.c,
-       src/cli-debug.c, src/cli.c, src/danetool.c, src/ocsptool-common.c,
-       src/ocsptool.c, src/p11tool.c, src/psk.c, src/serv.c,
-       src/srptool.c, src/tpmtool.c: gnulib only contains lgplv2 modules
+       gl/tests/randomd.c, gl/tests/randoml.c, gl/tests/setenv.c, gl/{ =>
+       tests}/strerror-override.c, gl/{ => tests}/strerror-override.h,
+       gl/{ => tests}/strerror.c, gl/tests/test-argp-2.sh,
+       gl/tests/test-argp.c, gl/tests/test-dirent.c,
+       gl/tests/test-environ.c, gl/tests/test-fprintf-posix.h,
+       gl/tests/test-frexp.c, gl/tests/test-frexp.h,
+       gl/tests/test-frexpl.c, gl/tests/test-fseterr.c,
+       gl/tests/test-getopt.c, gl/tests/test-getopt.h,
+       gl/tests/test-getopt_long.h, gl/tests/test-isnand-nolibm.c,
+       gl/tests/test-isnand.h, gl/tests/test-isnanf-nolibm.c,
+       gl/tests/test-isnanf.h, gl/tests/test-isnanl-nolibm.c,
+       gl/tests/test-isnanl.h, gl/tests/test-malloc-gnu.c,
+       gl/tests/test-malloca.c, gl/tests/test-math.c,
+       gl/tests/test-printf-frexp.c, gl/tests/test-printf-frexpl.c,
+       gl/tests/test-printf-posix.h, gl/tests/test-printf-posix.output,
+       gl/tests/test-rawmemchr.c, gl/tests/test-setenv.c,
+       gl/tests/test-signbit.c, gl/tests/test-sleep.c,
+       gl/tests/test-strchrnul.c, gl/tests/test-sysexits.c,
+       gl/tests/test-unsetenv.c, gl/tests/test-version-etc.c,
+       gl/tests/test-version-etc.sh, gl/tests/test-vfprintf-posix.c,
+       gl/tests/test-vfprintf-posix.sh, gl/tests/test-vprintf-posix.c,
+       gl/tests/test-vprintf-posix.sh, gl/tests/unsetenv.c, gl/time.in.h,
+       gl/time_r.c, gl/u64.h, gl/unistd.in.h, gl/vasnprintf.c,
+       gl/vasnprintf.h, gl/vasprintf.c, gl/verify.h, gl/version-etc-fsf.c,
+       gl/version-etc.c, gl/version-etc.h, gl/vfprintf.c, gl/vprintf.c,
+       gl/vsnprintf.c, gl/w32sock.h, gl/wchar.in.h, gl/xsize.h,
+       src/certtool.c, src/cli-debug.c, src/cli.c, src/danetool.c,
+       src/ocsptool-common.c, src/ocsptool.c, src/p11tool.c, src/psk.c,
+       src/serv.c, src/srptool.c, src/tpmtool.c: gnulib only contains
+       lgplv2 modules
 
 2013-08-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 
 2013-07-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * tests/Makefile.am, tests/mini.c, tests/record-sizes.c: Updated
-       mini test.
+       * tests/Makefile.am, tests/{mini.c => record-sizes.c}: Updated mini
+       test.
 
 2013-07-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
        * configure.ac, lib/algorithms/ciphersuites.c, lib/algorithms/kx.c,
        lib/auth/Makefile.am, lib/auth/anon_ecdh.c, lib/auth/cert.c,
        lib/auth/cert.h, lib/auth/dh_common.c, lib/auth/dhe.c,
-       lib/auth/dhe_psk.c, lib/auth/ecdh_common.c, lib/auth/ecdh_common.h,
-       lib/auth/ecdhe.c, lib/auth/ecdhe.h, lib/auth/rsa_export.c,
+       lib/auth/dhe_psk.c, lib/auth/{ecdh_common.c => ecdhe.c},
+       lib/auth/{ecdh_common.h => ecdhe.h}, lib/auth/rsa_export.c,
        lib/gnutls_handshake.c, lib/gnutls_kx.c, lib/gnutls_priority.c,
        lib/gnutls_rsa_export.c, lib/gnutls_state.c, lib/gnutls_ui.c,
        m4/hooks.m4: Added options to disable more key exchange mechanisms.  In that DHE was separated from ECDHE.
 
        * NEWS, lib/Makefile.am, lib/gnutls_cert.c, lib/gnutls_errors.c,
        lib/includes/Makefile.am, lib/includes/gnutls/gnutls.h.in,
-       lib/includes/gnutls/sbuf.h, lib/includes/gnutls/xssl.h,
-       lib/libgnutls.map, lib/sbuf.c, lib/sbuf.h, lib/sbuf_getline.c,
-       lib/xssl.c, lib/xssl.h, lib/xssl_getline.c, tests/Makefile.am,
-       tests/mini-sbuf.c, tests/mini-xssl.c: Added new interface.
+       lib/includes/gnutls/{sbuf.h => xssl.h}, lib/libgnutls.map,
+       lib/{sbuf.c => xssl.c}, lib/{sbuf.h => xssl.h}, lib/{sbuf_getline.c
+       => xssl_getline.c}, tests/Makefile.am, tests/mini-sbuf.c,
+       tests/mini-xssl.c: Added new interface.
 
 2013-01-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
 
 2012-11-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>
 
-       * build-aux/gendocs.sh, configure.ac, gl/Makefile.am, gl/dup2.c,
-       gl/errno.in.h, gl/m4/errno_h.m4, gl/m4/gnulib-cache.m4,
+       * build-aux/gendocs.sh, configure.ac, gl/Makefile.am, gl/{tests =>
+       }/dup2.c, gl/errno.in.h, gl/m4/errno_h.m4, gl/m4/gnulib-cache.m4,
        gl/m4/gnulib-comp.m4, gl/m4/select.m4, gl/m4/stdlib_h.m4,
        gl/select.c, gl/stdlib.in.h, gl/strerror-override.c,
-       gl/strerror-override.h, gl/tests/Makefile.am, gl/tests/dup2.c,
-       gl/tests/fcntl.in.h, gl/tests/test-fcntl-h.c,
-       gl/tests/test-iconv.c, gl/tests/test-select.h, lib/system.c,
-       m4/hooks.m4, maint.mk: use gnulib to detect iconv.
+       gl/strerror-override.h, gl/tests/Makefile.am, gl/tests/fcntl.in.h,
+       gl/tests/test-fcntl-h.c, gl/tests/test-iconv.c,
+       gl/tests/test-select.h, lib/system.c, m4/hooks.m4, maint.mk: use
+       gnulib to detect iconv.
 
 2012-11-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>