+2017-03-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS, configure.ac, m4/hooks.m4: bumped version
+
+2017-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+2017-03-05 Alex Gaynor <alex.gaynor@gmail.com>
+
+ * lib/opencdk/read-packet.c: Enforce the max packet length for
+ OpenPGP subpackets as well This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
+
+2017-03-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2017-03-01 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/opencdk/kbnode.c, lib/opencdk/keydb.c, lib/opencdk/literal.c,
+ lib/opencdk/opencdk.h, lib/opencdk/read-packet.c,
+ lib/openpgp/gnutls_openpgp.c, lib/openpgp/pgp.c,
+ lib/openpgp/privkey.c: opencdk: do not parse any secret keys in
+ packet when reading a certificate This reduces the attack surface on the parsers, and prevents any
+ bugs in the secret key parser to be exploitable by inserting secret
+ key sub-packets into an openpgp certificate. This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+2017-02-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am, tests/crt_apis.c: tests: backported crt_apis
+ from master branch In addition to other APIs, this explicitly tests
+ gnutls_x509_crt_set_subject_unique_id() and
+ gnutls_x509_crt_set_issuer_unique_id(). Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-02-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool-cfg.c: certtool: increased buffer for reading from
+ user This allows reading longer than 128-byte fields interactively. The
+ new limit is 512-bytes. Relates #179 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-02-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am, tests/pkcs11/pkcs11-import-with-pin.c: tests:
+ added PKCS#11 test for pin input This introduces a test on PIN input to retrieve an object using
+ pin-value and pin-source (file). Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-02-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/utils.c, tests/utils.h: tests: utils: added ability to use
+ tmpfiles Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-02-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am, tests/pkcs11/pkcs11-pubkey-import-rsa.c,
+ tests/pkcs11/pkcs11-pubkey-import.c: tests: backported PKCS#11 test In addition to public key import checks, this test ensures that the
+ pin-value attribute is functional. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-02-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-02-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac, lib/pkcs11.c: Use p11_kit_uri_get_pin_value() if
+ available in p11-kit This allows parsing the pin-value attribute of the PKCS#11 URI. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-02-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/pk.c: nettle/pk: added error checking in
+ _rsa_params_to_pubkey Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-02-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/pk.c: nettle/pk: corrected memcpy of Q in DSA params Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-02-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2017-02-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/opencdk/read-packet.c: opencdk/read-packet.c: corrected typo
+ in type cast Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-02-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/opencdk/read-packet.c: cdk_pkt_read: enforce packet limits That ensures that there are no overflows in the subsequent
+ calculations. Resolves the oss-fuzz found bug:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 Relates: #159 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-02-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: gnutls_pkcs11_obj_list_import_url2: Always return an
+ initialized pointer When returning success, but no elements,
+ gnutls_pkcs11_obj_list_import_url4, could have returned zero number
+ of elements with a pointer that was uninitialized. Ensure that an
+ initialized (i.e., null in that case), pointer is always returned.
+ Reported by Jeremy Harris. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-01-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/opencdk/read-packet.c: opencdk: improved error code checking
+ in the stream reading functions This ammends 49be4f7b82eba2363bb8d4090950dad976a77a3a Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-01-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/cert-tests/Makefile.am, tests/key-tests/Makefile.am: tests:
+ do not run key-tests and cert-tests under leak sanitizer The reason is that we cannot distinguish between a memory leak on
+ application failure (which is followed by exit- thus should be
+ ignored) and an address sanitizer issue (which should never be
+ ignored). As such we disable leak detection with asan and rely on
+ valgrind. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+2017-01-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/key-tests/Makefile.am: tests: added missing file
+
+2017-01-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * .gitlab-ci.yml: .gitlab-ci.yml: Build and Check - separate build
+ dir (x86): force build in gitlab shared runners In the Centos7 based runners there is an issue running autogen. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+2017-01-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * .gitignore, src/Makefile.am: tools: use stamp files to allow
+ parallel build of autogen files Autogen seems to output on the creates files gradually, something
+ that makes 'make' believe that the command is complete prior to the
+ output file being fully populated. The current approach uses stamp
+ files to ensure that no incomplete files are used for compilation.
+
+2017-01-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update [ci skip]
+
+2017-01-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS, doc/Makefile.am, doc/manpages/Makefile.am, symbols.last:
+ updated auto-generated files
+
+2017-01-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, m4/hooks.m4: bumped version
+
+2017-01-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update [ci skip]
+
+2017-01-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/opencdk/read-packet.c: opencdk: added error checking in the
+ stream reading functions This addresses an out of memory error. Issue found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-01-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/opencdk/pubkey.c: opencdk: cdk_pk_get_keyid: fix stack
+ overflow Issue found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-01-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/opencdk/read-packet.c: opencdk: read_attribute: added more
+ precise checks when reading stream That addresses heap read overflows found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-01-01 Alex Gaynor <alex.gaynor@gmail.com>
+
+ * lib/opencdk/read-packet.c: Corrected a leak in OpenPGP sub-packet
+ parsing. Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
+
+2016-12-30 Alex Gaynor <alex.gaynor@gmail.com>
+
+ * lib/opencdk/read-packet.c: Attempt to fix a leak in OpenPGP cert
+ parsing.
+
+2016-12-26 Alex Gaynor <alex.gaynor@gmail.com>
+
+ * lib/opencdk/read-packet.c: Do not infinite loop if an EOF occurs
+ while skipping a PGP packet Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
+
+2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/opencdk/misc.c: opencdk: Fixes to prevent undefined behavior
+ (found with libubsan)
+
+2017-01-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2017-01-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/auth/rsa.c: auth rsa: eliminated memory leak on pkcs-1
+ formatting attack path Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2017-01-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update [ci skip]
+
+2016-12-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify.c: pkcs11 verification: ensure that an issuer we
+ retrieve is not blacklist It may happen in p11-kit trust module that a trusted certificate is
+ both in the trusted set, and the blacklisted set. To avoid accepting
+ a certificate when in both sets, we always check whether a trusted
+ issuer certificate is in the blacklisted set.
+
+2016-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool.c: certtool: improved error reporting on file error
+
+2016-12-20 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update [ci skip]
+
+2016-12-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/x509_ext.c: gnutls_x509_ext_import_proxy: fix issue
+ reading the policy language If the language was set but the policy wasn't, that could lead to a
+ double free, as the value returned to the user was freed.
+
+2016-12-16 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * : commit 5ca126e1a5daf071ce690f28823fa97de6a7ae68 Author: Nikos
+ Mavrogiannopoulos <nmav@redhat.com> Date: Thu Dec 15 17:05:59 2016
+ +0100
+
+2016-12-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-12-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am, tests/pkcs8-key-decode-encrypted.c,
+ tests/pkcs8-key-decode.c: tests: added test for PKCS#8 encrypted key
+ decoding This also verifies that the return value when attempting to decrypt
+ without a password is GNUTLS_E_DECRYPTION_FAILED.
+
+2016-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/key-tests/Makefile.am, tests/key-tests/pkcs8-invalid: tests:
+ added test suite with PKCS#8 files that have invalid encryption
+
+2016-12-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/privkey_pkcs8.c: PKCS#7 decrypt_data: merge all errors
+ during decryption to GNUTLS_E_DECRYPTION_FAILED
+
+2016-12-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/privkey_pkcs8.c: pkcs8: ensure that the correct error
+ code is returned on decryption failure
+
+2016-12-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: added sanity check
+ on padding size Relates #148
+
+2016-12-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: fail without leak
+ on unknown MAC
+
+2016-12-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: fail early on
+ invalid block sizes
+
+2016-12-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: PKCS#5,7
+ decryption: enforce limits in the support parameter sizes This allows to detect invalid parameters early rather than later.
+ Relates #148
+
+2016-12-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-07-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/tpmtool-args.def, src/tpmtool.c: tpmtool: Added --test-sign
+ parameter
+
+2016-12-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/tpmtool.c: compiler warnings elimination and other bug fixes
+
+2015-06-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/tpmtool.c: tpmtool: added newline in error messages
+
+2016-12-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac, lib/Makefile.am, lib/abstract_int.h,
+ lib/gnutls_errors.c, lib/gnutls_global.c, lib/gnutls_global.h,
+ lib/gnutls_privkey.c, lib/includes/gnutls/gnutls.h.in, lib/tpm.c:
+ tpm: backported improvements from master branch * Load libtspi dynamically using dlopen - prevents direct linking
+ with openssl * Fix handling of keys requiring authorization * In import_tpm_key_cb() fix the wrong password loop
+
+2016-12-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool-args.def: doc: updated to documentation of certtool
+ [ci skip] This corrects options which incorrectly mentioned they support URLs.
+
+2016-12-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool.c: Don't trash DER CRQ output with text data Backported patch from master.
+
+2016-11-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-11-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/testpkcs11: tests: backported test suite for p11tool
+ --set-id and --set-label options
+
+2015-03-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c:
+ p11tool: added --set-id and --set-label options
+
+2015-03-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
+ lib/pkcs11_int.c, lib/pkcs11_int.h: added
+ gnutls_pkcs11_obj_set_info() This function allows setting information such as the CKA_ID and the
+ CKA_LABEL of an object.
+
+2016-11-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/testpkcs11: tests: check whether PKCS #11 ID set on
+ copy/generation is correct
+
+2016-11-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c:
+ p11tool: allow setting the CKA_ID on object
+ initialization/generation
+
+2016-11-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/libgnutls.map: exported new functions
+
+2015-03-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11:
+ enhanced key generation functions to allow specifying a CKA_ID
+
+2015-03-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/pkcs11.h, lib/pkcs11_write.c: enhanced copy
+ functions to allow specifying a CKA_ID
+
+2016-11-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/pkcs12_encr.c: pkcs12: fixed the calculation of p_size Include the trailing zero into the size calculation.
+
+2016-11-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-11-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/pkcs12-decode/Makefile.am, tests/pkcs12-decode/pkcs12:
+ tests: added pkcs12 check with openssl generated structure and long
+ password
+
+2016-11-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/pkcs12_encr.c: pkcs12: fixed the calculation of p_size That affects passwords which exceed 32 characters.
+
+2016-11-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/pk.c: _wrap_nettle_pk_verify: use FAIL_IF_LIB_ERROR
+ prior to returning success This will prevent verification to succeed if the system is in error
+ state.
+
+2016-11-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-10-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/ext/signature.c, lib/gnutls_alert.c: Terminate handshake if
+ only unknown or disabled signatures are advertized by the peer That is, do not attempt to proceed assuming that the peer supports
+ SHA-1.
+
+2016-10-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/ext/status_request.c: certificate status requestion response
+ is optional according to RFC6066
+
+2016-10-18 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool.c: certtool: allow setting key purposes for non-CA
+ certificates That is, allow setting code signing, or time stamping key purpose in
+ certificates that are not marked as CA. The previous restriction
+ served no purpose.
+
+2016-10-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am, tests/multi-alerts.c: tests: added check to
+ verify that the server will bail out after many alerts
+
+2016-10-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am, tests/naked-alerts.c: tests: added check to
+ verify that the server will bail out after receiving only alerts
+
+2016-10-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/cert-common.h: tests: backported the common certs from
+ master
+
+2016-10-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c:
+ handshake: set a maximum number of warning messages that can be
+ received per handshake That is to avoid DoS due to the assymetry of cost of sending an
+ alert vs the cost of processing.
+
+2016-10-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_record.c: record: disallow parsing of alert messages
+ prior to session start
+
+2016-10-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool-common.c: certtool: improve text on missing options
+ for cert generation
+
+2016-10-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/pkcs11.c: p11tool: avoid asking the security officer PIN twice
+ on initialization
+
+2016-10-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/pkcs11.c: p11tool: improved messages on token initialization
+
+2016-10-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/pkcs11.c: p11tool: corrected check of PIN existance in token
+ initialization
+
+2016-10-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/Makefile.am: tests: link tests which utilize nettle with
+ nettle
+
+2016-10-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/Makefile.am, doc/manpages/Makefile.am: updated auto-generated
+ files
+
+2016-10-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2016-10-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_extensions.c: TLS extensions: only cache the extension
+ IDs from exts that the server supports That avoids imposing any artificial limits on the number of
+ extensions that a server can handle. Resolves #136
+
+2016-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool.c: certtool: added safety net when generating a
+ certificate request That is, do not allow specifying --generate-request --load-pubkey
+ without specifying --load-privkey. Previously if --load-pubkey would
+ have been used, it would have been ignored, causing confusion to the
+ users.
+
+2016-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_handshake.c, lib/gnutls_int.h: Increased the maximum
+ size allowed for handshake messages to 128kb This would allow the library to cope with larger packets, as well as
+ TLS 1.3 hellos. Suggested by Hubert Kario.
+
+2016-09-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-09-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_x509.c: gnutls_certificate_set_*key: ensure proper
+ cleanup on key mismatch failures That is, ensure that we keep no local references that are shared
+ with the caller, and that we properly free all initialized values.
+
+2016-09-07 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2016-09-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/system.c: _gnutls_ucs2_to_utf8: fixed use of
+ WideCharToMultiByte in windows
+
+2016-09-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/ocsptool.c: ocsptool: do not enter a spurious newline to
+ responses.
+
+2015-11-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/cert-tests/Makefile.am, tests/cert-tests/template-test,
+ tests/cert-tests/template-unique.pem,
+ tests/cert-tests/template-unique.tmpl: tests: verify that unique IDs
+ are generated as expected
+
+2015-11-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h,
+ src/certtool.c: certtool: Allow writing unique IDs in generated
+ certificates
+
+2016-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac, m4/hooks.m4: bumped version
+
+2015-11-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/x509.h, lib/libgnutls.map,
+ lib/x509/x509_write.c: Added gnutls_x509_crt_set_issuer_unique_id()
+ and gnutls_x509_crt_set_subject_unique_id()
+
+2016-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-09-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_pk.c: _gnutls_encode_ber_rs_raw: zero-pad values when
+ necessary This addresses issue when encoding values obtained via PKCS#11 which
+ may not be necessarily padded. Resolves #122
+
+2016-09-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/cert-tests/template-test: tests: don't run overflow tests on
+ archs which fail This addresses a CI failure on x86.
+
+2016-09-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/slow/hash-large.c: tests: backported hash-large from master
+
+2016-09-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * .gitlab-ci.yml: .gitlab-ci.yml: use the gitlab.com shared runners Backported from master branch
+
+2016-08-28 David Woodhouse <dwmw2@infradead.org>
+
+ * lib/x509/pkcs12.c: gnutls_pkcs12_simple_parse: set the key value
+ to null on failure
+
+2016-08-27 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/ocsp.c: ocsp: corrected the comparison of the serial size
+ in OCSP response Previously the OCSP certificate check wouldn't verify the serial
+ length and could succeed in cases it shouldn't. Reported by Stefan Buehler.
+
+2016-08-24 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/pkcs8-decode/Makefile.am, tests/pkcs8-decode/pkcs8,
+ tests/pkcs8-decode/pkcs8-pbes2-sha256.pem: tests: added decoding of
+ key with pbes2 and SHA256 PRF
+
+2016-08-24 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS, lib/algorithms.h, lib/algorithms/mac.c, lib/gnutls_int.h,
+ lib/includes/gnutls/x509.h, lib/pkix.asn, lib/pkix_asn1_tab.c,
+ lib/x509/Makefile.am, lib/x509/pbkdf2-sha1.c,
+ lib/x509/pbkdf2-sha1.h, lib/x509/pkcs12.c,
+ lib/x509/privkey_openssl.c, lib/x509/privkey_pkcs8.c,
+ lib/x509/x509_int.h, tests/gc.c: Added support for decrypting PKCS#8
+ files which use HMAC-SHA256 as PRF This backports nettle pbkdf2 support, and improves compatibility
+ with new openssl versions.
+
+2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/pkcs12.c: pkcs12: increased the number of iterations for
+ MAC
+
+2016-08-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/crypto-api.c: gnutls_key_generate: fail if the state of the
+ library is invalid Suggested by Stephan Mueller.
+
+2016-08-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-08-08 Stefan Sørensen <stefan.sorensen@spectralink.com>
+
+ * lib/x509/pkcs12.c: Fix gnutls_pkcs12_simple_parse to always
+ extract the complete chain gnutls_pkcs12_simple_parse was only collecting extra certificates
+ that was possible elements of the certificate chain when the
+ extra_certs argument was not NULL. Fix by allways collecting all the
+ certificates, any unneeded certificates are released before
+ returning if extra_certs is NULL anyway. Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+
+2016-08-07 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/nettle/pk.c: nettle: use rsa_*_key_prepare on key import Previously we calculated the size of the key directly, but by using
+ the rsa_*_key_prepare we benefit from any checks that may be
+ introduced in the future. Specifically any checks for invalid public
+ keys (e.g., keys that may crash the underlying gmp functions). This patch avoids calling rsa_private_key_prepare every time we
+ construct a nettle private key struct, because this function
+ requires a bigint multiplication. We call that function once on
+ private key import.
+
+2016-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/pk.c: Revert "nettle: use rsa_*_key_prepare" This reverts commit a2c3ee54ea8080eeb59fcfeec88a842324982c90.
+
+2016-08-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/pk.c: nettle: use rsa_*_key_prepare Previously we calculated the size of the key directly, but by using
+ the rsa_*_key_prepare we benefit from any checks that may be
+ introduced in the future. Specifically any checks for invalid public
+ keys (e.g., keys that may crash the underlying gmp functions).
+
+2016-07-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-07-09 Tim Kosse <tim.kosse@filezilla-project.org>
+
+ * lib/x509/x509.c: gnutls_x509_crt_list_import2 was ignoring the
+ passed flags if all certificates in the list fit within the
+ initially allocated memory.
+
+2016-07-09 Tim Kosse <tim.kosse@filezilla-project.org>
+
+ * lib/x509/crl.c: gnutls_x509_crl_list_import2 was ignoring the
+ passed flags if all CTLs in the list fit within the initially
+ allocated memory.
+
+2016-07-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/minitasn1/coding.c, lib/minitasn1/decoding.c,
+ lib/minitasn1/element.c, lib/minitasn1/element.h,
+ lib/minitasn1/int.h, lib/minitasn1/libtasn1.h,
+ lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h,
+ lib/minitasn1/structure.c: minitasn1: updated to libtasn1 4.9
+
+2016-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: NEWS: corrected release date [ci skip]
+
+2016-07-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: released 3.3.24
+
+2016-06-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac: configure: check for libdl irrespective of FIPS140
+ configuration This allows to link to libdl for the tests that require it.
+
+2016-07-05 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, m4/hooks.m4: bumped version
+
+2016-07-05 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * libdane/errors.c, libdane/includes/gnutls/dane.h: dane: corrected
+ the license of libdane files The license was always LGPL version 2.1, and these files mentioned
+ LGPL version 3. Reported by Thomas Petazzoni.
+
+2016-06-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am: tests: account pkcs11/pkcs11-mock-ext.h in
+ Makefile
+
+2016-06-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am: tests: link pkcs11-import-url-privkey with
+ libdl That is because it uses dlopen().
+
+2016-06-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-06-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am, tests/pkcs11/pkcs11-import-url-privkey.c,
+ tests/pkcs11/pkcs11-mock-ext.h, tests/pkcs11/pkcs11-mock.c: tests:
+ added check to verify the tolerance of broken C_GetAttributes That is, test gnutls_pkcs11_obj_list_import_url4() when importing
+ private keys from tokens that return CKR_OK on sensitive objects,
+ and tokens that return CKR_ATTRIBUTE_SENSTIVE. Relates #108
+
+2016-06-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_int.c: pkcs11_get_attribute_avalue: correctly handle a
+ -1 value length from C_GetAttributeValue That is, work-around modules which do not return an error on
+ sensitive objects. Relates #108
+
+2016-06-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2016-06-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11_int.c: pkcs11_get_attribute_avalue: do not assign
+ values on failure When C_GetAttributeValue() returns size but does not return data
+ then pkcs11_get_attribute_avalue() would set the return data pointer
+ to a free'd value. This is against the convention expected by
+ callers, i.e, set data to NULL. Reported by Anthony Alba in #108.
+
+2016-06-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/testpkcs11, tests/suite/testpkcs11.softhsm: tests:
+ updated testpkcs11 to support softhsmv2
+
+2016-06-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am, tests/{suite => pkcs11}/pkcs11-chainverify.c,
+ tests/{suite => pkcs11}/pkcs11-combo.c, tests/{suite =>
+ pkcs11}/pkcs11-get-issuer.c, tests/{suite =>
+ pkcs11}/pkcs11-is-known.c, tests/{suite => pkcs11}/softhsm.h,
+ tests/suite/Makefile.am: tests: moved pkcs11 tests to main test
+ suite
+
+2016-06-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/pkcs11-is-known.c: tests: backported pkcs11-is-known
+ from master
+
+2016-06-23 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: gnutls_pkcs11_crt_is_known: always assume
+ GNUTLS_PKCS11_OBJ_FLAG_COMPARE unless
+ GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is given
+
+2016-06-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: find_cert_cb: minor cleanups in find_cert_cb
+
+2016-06-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-06-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c,
+ tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c,
+ tests/suite/softhsm.h: tests: backported the softhsmv2 pkcs11 checks
+ from 3.4.0
+
+2016-06-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: correctly encode the serial number when
+ searching for certificate In gnutls_pkcs11_crt_is_known() corrected the encoding of the serial
+ number to TLV DER from LV DER. This is the encoding we use when
+ storing that number.
+
+2016-06-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: correctly account check_found_cert()
+
+2016-06-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_write.c: Amended "Corrected the writing of serial
+ number in PKCS#11 modules" This corrects the writing of the serial number.
+
+2016-06-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-06-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_buffers.c: dtls: corrected reconstruction of handshake
+ packets received out of order That is, when the handshake packet is split into multiple different
+ chunks and received out of order, make sure that reconstruction
+ occurs properly. Reported by Guillaume Roguez.
+
+2016-06-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_write.c: Corrected the writing of serial number in
+ PKCS#11 modules That is previously the serial number was written in raw format, but
+ in PKCS#11 the serial number must be set encoded as integer. Report
+ and fix by Stanislav Zidek.
+
+2016-05-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-05-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: pkcs11: when generating a private key ensure
+ the public key is not private This is a backport from the 3.4.x branch.
+
+2016-05-28 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/accelerated/x86/x86-common.c: x86-common: use secure_getenv()
+
+2016-05-27 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac: configure.ac: check for secure_getenv where
+ available and always enable system extensions
+
+2016-05-27 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2016-05-27 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/fips.c, lib/gnutls_global.c, lib/gnutls_mem.h, lib/system.c:
+ env: use secure_getenv when reading environment variables
+
+2016-05-23 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: added sanity check to find_obj_url_cb() for
+ object validity Also avoid unnecessary recursion.
+
+2016-05-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/eagain, tests/suite/testsrn: tests: use /bin/bash in
+ tests which require common.sh
+
+2016-05-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/suite/Makefile.am, tests/suite/testcompat,
+ tests/suite/testcompat-common, tests/suite/testcompat-main: tests:
+ backported full openssl suite from master Removed the priority strings not applicable in 3.3.x.
+
+2016-05-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/dsa/testdsa, tests/openpgp-certs/testcerts,
+ tests/scripts/common.sh, tests/suite/eagain,
+ tests/suite/mini-eagain2.c, tests/suite/testcompat-main,
+ tests/suite/testsrn: tests: simplified server launching process Also attempt to use a new port on every started server and added a
+ waiting period for the port to become re-usable.
+
+2016-05-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/version-checks.c: added check for the VERS-ALL priority
+ keyword
+
+2016-05-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_priority.c: gnutls_priority_init: recognize the
+ VERS-ALL keyword This keyword is identical to VERS-TLS-ALL, but it will allow to
+ re-use priority strings from 3.4.x+ to this branch of gnutls.
+
+2016-05-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am: tests: do not use pkglib to generate
+ libpkcs11mock1.so This resulted in the test library being installed. Install we use
+ noinst for the library, but pass -rpath to LDFLAGS as a hack to for
+ libtool to generate the shared version.
+
+2016-05-20 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS, configure.ac, m4/hooks.m4: released 3.3.23
+
+2016-05-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/cli.c, src/socket.c, src/socket.h: gnutls-cli: allow operation
+ with stdin input That is once commands from stdin are given, they are not only sent
+ to server, but we also wait for a response prior to exiting. Resolves #96
+
+2016-05-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update [ci skip]
+
+2016-05-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-05-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/cli.c: gnutls-cli: corrected check for OCSP verification
+ success
+
+2016-01-18 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_global.c: gnutls_global_init: log gnutls' version on
+ initialization
+
+2016-05-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update [ci skip]
+
+2016-05-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am, tests/mini-server-name.c: tests: backported
+ server name checks
+
+2016-05-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/ext/server_name.c: server_name: only save the supported server
+ names in the session Invalid server names with embedded nulls and unsupported types are
+ not saved.
+
+2016-05-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-05-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_x509.c: cert cred: add the CN to the list of known
+ hostnames only if no dns_names That is, follow rfc6125 and support CN as a fallback only.
+
+2016-05-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_x509.c: gnutls_certificate_set_key: import the DNS
+ names of the certificates That is, only when no (NULL) names are provided.
+
+2016-05-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/pkcs11/pkcs11-cert-import-url-exts.c,
+ tests/pkcs11/pkcs11-get-exts.c,
+ tests/pkcs11/pkcs11-get-raw-issuer-exts.c: Revert "tests: ignore
+ failure to load pkcs11 mock provider" This reverts commit ae40598e5597b1b1f01a7e55d35b5f476d7d19d7.
+
+2016-05-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, tests/Makefile.am: tests: don't run pkcs11 mock
+ module tests under buggy p11-kit
+
+2016-05-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/pkcs11/pkcs11-cert-import-url-exts.c,
+ tests/pkcs11/pkcs11-get-exts.c,
+ tests/pkcs11/pkcs11-get-raw-issuer-exts.c: tests: ignore failure to
+ load pkcs11 mock provider GnuTLS 3.3.x can work with old versions of p11-kit which do not have
+ the necessary fixes to load absolute paths.
+
+2016-05-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/gnettle.h: Fixed _NETTLE_UPDATE macro The macro was not using the input parameters but rather the actual
+ variable name from the function (which was identical to input).
+ Patch by Stanislav Zidek.
+
+2016-05-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_x509.c: gnutls_certificate_set_key: duplicate the
+ provided memory That is, do not assume that a heap allocated value is provided.
+
+2016-05-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update [ci skip]
+
+2016-05-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-05-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am, tests/pkcs11/pkcs11-cert-import-url-exts.c,
+ tests/pkcs11/pkcs11-get-exts.c,
+ tests/pkcs11/pkcs11-get-raw-issuer-exts.c,
+ tests/pkcs11/pkcs11-mock.c, tests/pkcs11/pkcs11-mock.h: tests: added
+ a basic PKCS#11 mock module This is used to test gnutls_pkcs11_obj_get_exts(),
+ gnutls_x509_crt_import_url(), and gnutls_pkcs11_get_raw_issuer()
+ with the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag.
+
+2016-05-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: find_cert_cb: do not use C_FindObjectsInit()
+ when another is already running While some modules implicitly terminated the previous run, this is
+ not something that PKCS#11 modules are expected to typically do.
+
+2016-05-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: the flag
+ GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be respected by
+ imported certificates That is, certificates imported with gnutls_pkcs11_obj_import_url()
+ or gnutls_x509_crt_import_url() will be able to be extracted with
+ their extensions overriden. Previously that was available only on
+ gnutls_pkcs11_get_raw_issuer() and friends.
+
+2016-05-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11x.c: pkcs11: find_ext_cb: eliminated memory leak
+
+2016-05-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11x.c: gnutls_pkcs11_obj_get_exts: updated documentation
+ [ci skip]
+
+2016-04-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_privkey_raw.c: corrected import issue in
+ gnutls_privkey_import_ecc_raw
+
+2016-04-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/privkey.c: x509/privkey: in raw import functions set the
+ parameter's algorithm type
+
+2016-04-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/dane.c: tests: enhanced dane testing with offline
+ verification checks
+
+2016-04-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * libdane/dane.c: dane: verification will not fail if a CA entry is
+ encountered but cannot be verified That addresses the issue of verifying a single certificate against a
+ list of TLSA entries that contain an entry with CA usage (cert usage
+ 0). With the previous behavior verification would have failed, while
+ now this entry will be skipped.
+
+2016-04-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_cert.c, libdane/dane.c: doc: improved documentation on
+ certificate and DANE verification functions
+
+2016-04-18 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/pk.c: _wrap_nettle_pk_derive: reject values of public
+ key that are over the prime That is do not canonicalise the value we get from the network, but
+ rather check it for validity. This saves a modular reduction on
+ handshake and performs a sanity check on the peer's (client)
+ parameters. Reported by Hubert Kario. Resolves #84
+
+2016-04-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_sig.c: handshake: do not overwrite the server's
+ signature algorithm That is, correct a bug under which a client sending a certificate
+ would overwrite the server's idea about the used signature
+ algorithm. Reported by Hubert Kario.
+
+2016-04-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/ocsp.c: gnutls_ocsp_resp_get_single: fail if thisUpdate
+ is not available or unparsable That is because this field is not optional, and a failure on its
+ parsing is always fatal. Reported by Yuan Jochen Kang.
+
+2016-04-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/ocsp_output.c, lib/x509/output.c: x509 output: don't warn
+ about insecure algorithm when unknown
+
+2016-04-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkix.asn, lib/pkix_asn1_tab.c: pkix.asn: corrected byKey
+ definition OCSP is defined in an EXPLICIT tags module, and as such we must tag
+ explicitly all of its tags.
+
+2016-04-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/name_constraints.c: name constraints: enforce the rules
+ for IP constraints when adding This will prevent gnutls from generating badly formed certificates.
+
+2016-04-02 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2016-04-02 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/ocsptool-common.c: ocsptool: use HTTP/1.0 for requests This avoids issue with servers serving chunk encoding which ocsptool
+ doesn't support. Reported by Thomas Klute.
+
+2016-03-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-03-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/output.c: x509/output: simplified cidr_to_string()
+
+2016-03-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/output.c: x509/output: print RFC5280 CIDRs in name
+ constraints
+
+2016-03-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/system.c: system_recv_timeout(): verify that the file
+ descriptor is acceptable for select()
+
+2016-03-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-03-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/cert-tests/template-nc.pem: tests: template-test was updated
+ for OCSP key purpose reordering
+
+2016-03-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool.c: certtool: do not require a CA for OCSP signing This follows the recommendations in RFC6960 in 4.2.2.2 which allow a
+ CA to delegate OCSP signing to another certificate without requiring
+ it to be a CA. Reported by Thomas Klute.
+
+2016-03-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/accelerated/x86/x86-common.c: x86-common: CPUID override will
+ only work if CPU has already the capability present This resolves test suite failure on CPUs with limited capabilities.
+ Reported by Andreas Metzler.
+
+2016-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_handshake.c: handshake: parse the mandatory to parse
+ extension prior to any callback call This relates to the change of ALPN extension to mandatory to parse,
+ and allows applications to get ALPN data prior to handshake
+ completion.
+
+2016-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/mini-x509-callbacks.c: tests: verify that the
+ post-client-hello callback has access to ALPN data
+
+2016-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/resume.c: tests: added checks for session resumption and
+ ALPN This checks whether the ALPN extension is re-read on resumption and
+ is negotiated.
+
+2016-02-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/resume.c: tests: resume: simplified structure assignment
+ using C99 syntax
+
+2016-03-15 Yuriy M. Kaminskiy <yumkam@gmail.com>
+
+ * lib/ext/alpn.c: alpn: ALPN state is per-connection, it should not
+ be saved with session data In addition the extension was moved to the mandatory to parse to
+ ensure it is always parsed when sessions are resumed. rfc7301: Unlike many other TLS extensions, this extension does not
+ establish properties of the session, only of the connection.
+ When session resumption or session tickets [RFC5077] are used, the
+ previous contents of this extension are irrelevant, and only the
+ values in the new handshake messages are considered. Signed-off-by: Yuriy M. Kaminskiy <yumkam@gmail.com> Signed-off-by:
+ Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+2016-03-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/cli.c: gnutls-cli: fix invalid initialization in
+ cert_verify_ocsp()
+
+2016-03-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2016-03-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update [ci skip]
+
+2016-03-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/mini-loss-time.c: tests: backported mini-loss-time fixes
+
+2016-03-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update [ci skip]
+
+2016-03-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/slow/Makefile.am: tests: do not run hash-large twice
+
+2016-03-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/version-checks.c: tests: corrected typo in version-checks
+
+2016-03-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * .gitlab-ci.yml: .gitlab-ci.yml: added check on build with SSL 3.0
+
+2016-03-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/suite/testsrn: tests: backported testsrn from 3.4 branch
+
+2016-03-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/Makefile.am, tests/cert-common.h, tests/version-checks.c:
+ tests: added check for version negotiation default prio string That verifies whether the support versions are negotiated.
+
+2016-03-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2016-03-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, lib/gnutls_priority.c: Remove SSL 3.0 from the
+ default priority strings That can be reverted by using the --with-ssl3 configure option.
+
+2016-03-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/slow/Makefile.am: tests: include test-hash-large into dist
+
+2016-03-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * .gitlab-ci.yml: .gitlab-ci.yml: separate builds with asan
+
+2016-03-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/openpgp/extras.c: gnutls_openpgp_keyring_import: backported
+ mem leak fix
+
+2016-03-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/p11tool.c: p11tool: avoid warning with cast
+
+2016-03-01 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool.c: certtool: eliminated memory leaks on cert
+ verification
+
+2016-03-01 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool.c: certtool: backported memory leak fixes in PKCS#12
+ handling
+
+2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool.c: certtool: eliminate leaks in _verify_x509_mem()
+
+2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool.c: certtool: eliminate memory leaks in certificate
+ generation
+
+2016-02-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, m4/hooks.m4: bumped version [ci skip]
+
+2016-02-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool.c: certtool: avoid warning with cast
+
+2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/ext/ecc.c: ecc: optimized extension parsing
+
+2016-02-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * .gitlab-ci.yml: .gitlab-ci.yml: fixed asan build for nettle3
+
+2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update [ci skip]
+
+2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_state.c: timespec_sub_ms: fixed operation in 32-bit
+ systems
+
+2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: Fixes to prevent undefined behavior (found
+ with libubsan)
+
+2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/gnutls.h.in: gnutls.h: Fixes to prevent
+ undefined behavior (found with libubsan)
+
+2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_mem.h, lib/x509/x509.c: x509: Fixes to prevent
+ undefined behavior (found with libubsan)
+
+2016-02-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * .gitlab-ci.yml: .gitlab-ci.yml: added libasan build with nettle3
+
+2016-02-25 Jan Vcelak <jan.vcelak@nic.cz>
+
+ * lib/x509/privkey_pkcs8.c: gnutls_x509_privkey_import: add missing
+ algorithm setting for DSA keys The algorithm number was set only in the private key structure, not
+ in the nested structure with parameters. This made certain
+ operations to fail (e.g., copying the key into a PKCS #11 token). Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>
+
+2015-06-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/cert-tests/template-date.pem,
+ tests/cert-tests/template-dn.pem,
+ tests/cert-tests/template-generalized.pem,
+ tests/cert-tests/template-nc.pem,
+ tests/cert-tests/template-overflow.pem,
+ tests/cert-tests/template-overflow2.pem,
+ tests/cert-tests/template-test, tests/cert-tests/template-test.pem,
+ tests/cert-tests/template-utf8.pem: tests: regenerate the results in
+ template-test using UTC times
+
+2016-02-25 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-02-25 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/common.c, lib/x509/common.h: When writing the Time ASN.1
+ structure follow the RFC5280 recommendations That is make sure we generate dates with UTCTime prior to 2050 and
+ GeneralizedTime format after 2050.
+
+2015-06-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/cert-tests/Makefile.am, tests/cert-tests/template-date.pem,
+ tests/cert-tests/template-dn.pem,
+ tests/cert-tests/template-generalized.pem,
+ tests/cert-tests/template-generalized.tmpl,
+ tests/cert-tests/template-nc.pem,
+ tests/cert-tests/template-overflow.pem,
+ tests/cert-tests/template-overflow2.pem,
+ tests/cert-tests/template-test, tests/cert-tests/template-test.pem,
+ tests/cert-tests/template-utf8.pem: tests: verify that we generate
+ dates with UTCTime prior to 2050 Also that we generate dates with GeneralizedTime format after 2050.
+
+2016-02-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/cipher.c: Prevent the encryption or decryption of more
+ than 2^32 bytes with nettle2 That is because of nettle2 API limitations. Unlike the hash
+ functions there is no real need for a wrapper as encrypting or
+ decrypting that amount of data is unlikely.
+
+2016-02-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/dsa/testdsa, tests/scripts/common.sh: tests: backported
+ testdsa to prevent random failures in test suite
+
+2016-02-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2016-02-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/accelerated/x86/hmac-padlock.c,
+ lib/accelerated/x86/hmac-x86-ssse3.c,
+ lib/accelerated/x86/sha-padlock.c,
+ lib/accelerated/x86/sha-padlock.h,
+ lib/accelerated/x86/sha-x86-ssse3.c, lib/accelerated/x86/sha-x86.h,
+ lib/accelerated/x86/x86-common.h, lib/nettle/gnettle.h,
+ lib/nettle/mac.c: nettle: use the correct type for hash and MAC
+ functions In addition allow for hashing of more than UINT_MAX data bytes with
+ nettle 2.x in 64-bit systems.
+
+2016-02-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/slow/Makefile.am, tests/slow/hash-large.c,
+ tests/slow/test-hash-large: tests: check whether large buffer hashes
+ and MAC work as expected
+
+2016-02-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/set_pkcs12_cred.c: tests: set_pkcs12_cred: existing tests
+ are disabled when in FIPS140-2 mode The tests require access to the RC4 cipher which is not available.
+
+2016-02-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS, configure.ac, m4/hooks.m4: bumped version
+
+2016-01-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update [ci skip]
+
+2016-01-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/cert-tests/template-date.pem,
+ tests/cert-tests/template-dn.pem, tests/cert-tests/template-nc.pem,
+ tests/cert-tests/template-overflow.pem,
+ tests/cert-tests/template-overflow2.pem,
+ tests/cert-tests/template-test.pem: Revert "tests: updated to
+ account for cert generation after
+ c1405c6e08ef55421108bd4395588368f4122dda fix" This reverts commit 09dcbe564a85c021ebcbf7a3f28075d19c399ce4.
+
+2016-01-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/x509_ext.c: Revert "Fix out-of-bounds read in
+ gnutls_x509_ext_export_key_usage" This was a false negative and not a real out-of-bounds read. This
+ reverts commit c1405c6e08ef55421108bd4395588368f4122dda.
+
+2016-01-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * .gitlab-ci.yml: .gitlab-ci.yml: Added build with ARCFOUR
+
+2016-01-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS, configure.ac, lib/gnutls_priority.c, tests/priorities.c:
+ Added configure flag --with-arcfour128 This flag will re-enable ARCFOUR in the priority strings by default.
+
+2016-01-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2016-01-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c,
+ tests/record-sizes.c: Revert "Revert "tests: updated to account for
+ ARCFOUR being disabled"" This reverts commit a2f907d0d4e52eb4dd24cc1f5d7d892b21abfd83.
+
+2016-01-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_priority.c: Revert "Revert "ARCFOUR is disabled from
+ the default priority strings"" This reverts commit b3b5db319d4246e4735017cc423b92175f713a89.
+
+2016-01-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_pubkey.c: gnutls_pubkey_import_x509_raw: fixed memory
+ leak
+
+2016-01-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/output.c: x509: place newline when printing unsupported
+ othernames
+
+2016-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2016-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/ext/alpn.c: alpn: when parsing the list of protocols return at
+ the first mutually common That resolves an issue where the server wouldn't select the first
+ mutually supported. Resolves #63
+
+2016-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/mini-alpn.c: tests: mini-alpn: corrected protocol selection
+ order
+
+2016-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/mini-alpn.c: tests: alpn: enhance the testing of ALPN
+ negotiation
+
+2016-01-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/ext/alpn.c: alpn: document how the selected protocol is
+ selected [ci skip]
+
+2016-01-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/mini-alpn.c: tests: verify that the selected ALPN protocol
+ is the first advertised
+
+2016-01-08 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: released 3.3.20
+
+2016-01-08 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: reverted ARCFOUR removal change
+
+2016-01-08 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c,
+ tests/record-sizes.c: Revert "tests: updated to account for ARCFOUR
+ being disabled" This reverts commit 45926d9561b2e888c505524663b7c7ad87c263bc.
+
+2016-01-08 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_priority.c: Revert "ARCFOUR is disabled from the
+ default priority strings" This reverts commit 76be7bda79d6785eeab3ef8e96db026ad7aac9c3.
+
+2016-01-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac: configure: no longer distribute lzip tarballs
+
+2015-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/libopts/text_mmap.c: libopts: use the O_BINARY flag in windows
+ for files
+
+2015-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/libopts/COPYING.gplv3, src/libopts/COPYING.lgplv3,
+ src/libopts/COPYING.mbsd, src/libopts/Makefile.am,
+ src/libopts/README, src/libopts/ag-char-map.h, src/libopts/alias.c,
+ src/libopts/ao-strs.c, src/libopts/ao-strs.h,
+ src/libopts/autoopts.c, src/libopts/autoopts.h,
+ src/libopts/autoopts/options.h, src/libopts/autoopts/project.h,
+ src/libopts/autoopts/usage-txt.h, src/libopts/boolean.c,
+ src/libopts/check.c, src/libopts/compat/compat.h,
+ src/libopts/compat/pathfind.c, src/libopts/compat/windows-config.h,
+ src/libopts/configfile.c, src/libopts/cook.c, src/libopts/enum.c,
+ src/libopts/env.c, src/libopts/file.c, src/libopts/find.c,
+ src/libopts/genshell.c, src/libopts/genshell.h,
+ src/libopts/gettext.h, src/libopts/init.c, src/libopts/intprops.h,
+ src/libopts/libopts.c, src/libopts/load.c,
+ src/libopts/m4/libopts.m4, src/libopts/m4/liboptschk.m4,
+ src/libopts/m4/stdnoreturn.m4, src/libopts/makeshell.c,
+ src/libopts/nested.c, src/libopts/numeric.c,
+ src/libopts/option-value-type.c,
+ src/libopts/option-xat-attribute.c, src/libopts/parse-duration.c,
+ src/libopts/parse-duration.h, src/libopts/pgusage.c,
+ src/libopts/proto.h, src/libopts/putshell.c, src/libopts/reset.c,
+ src/libopts/restore.c, src/libopts/save.c, src/libopts/sort.c,
+ src/libopts/stack.c, src/libopts/stdnoreturn.in.h,
+ src/libopts/streqvcmp.c, src/libopts/text_mmap.c,
+ src/libopts/time.c, src/libopts/tokenize.c, src/libopts/usage.c,
+ src/libopts/version.c: libopts: updated to 5.18.6
+
+2016-01-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac, m4/hooks.m4: bumped version
+
+2016-01-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * Makefile.am, symbols.last: symbols.last: don't include internal
+ symbols into exported list
+
+2016-01-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: NEWS: doc update
+
+2016-01-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/cert-tests/template-date.pem,
+ tests/cert-tests/template-dn.pem, tests/cert-tests/template-nc.pem,
+ tests/cert-tests/template-overflow.pem,
+ tests/cert-tests/template-overflow2.pem,
+ tests/cert-tests/template-test.pem: tests: updated to account for
+ cert generation after c1405c6e08ef55421108bd4395588368f4122dda fix
+
+2016-01-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am: tests: Makefile.am: removed invalid program ld
+ flags
+
+2016-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2016-01-04 Tim Kosse <tim.kosse@filezilla-project.org>
+
+ * lib/x509/x509_ext.c: Fix out-of-bounds read in
+ gnutls_x509_ext_export_key_usage
+
+2016-01-01 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * .gitlab-ci.yml: .gitlab-ci.yml: optimized build process That is, in slow asan and valgrind builds don't check the full test
+ suite.
+
+2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11_privkey.c: pkcs11: fixes to store the imported URL This ammends 603d0db776537c19bdfd907e0fc77c7321874bf0 with changes
+ for the 3.3.x branch.
+
+2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update [ci skip]
+
+2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11_privkey.c: pkcs11: import public keys from any
+ available object That is, load public keys from the public key object, or the
+ certificate object if they are present. That affects non-RSA public
+ keys which do not contain all required fields on the private key
+ object.
+
+2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected
+ the writing of ECC private key
+
+2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected
+ the type of the written object Previously only RSA objects were correctly written.
+
+2015-12-24 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: NEWS: doc update [ci skip]
+
+2015-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/ext/max_record.c: max_record: don't consider this extension on
+ DTLS That is because it doesn't work as expected, and does not fragment
+ handshake messages. Relates with #61
+
+2015-12-20 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-04-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/name_constraints.c, tests/name-constraints.c: Handle DNS
+ name constraints with leading dot Patch by Fotis Loukos. Resolves 3 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2015-12-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c,
+ tests/record-sizes.c: tests: updated to account for ARCFOUR being
+ disabled
+
+2015-12-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-12-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_priority.c: ARCFOUR is disabled from the default
+ priority strings ARCFOUR is a cipher known to be broken theoretically and
+ practically. Configurations that depend on that cipher being on
+ should explicitly enable it. Resolves #23
+
+2015-12-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: Do not allow importing public keys from PKCS
+ #11 private keys for DSA and ECDSA This prevents the reading of the public key when non-RSA keys are
+ available. This is a much cleaner approach than
+ 5a4e692511dc3a829eda0d7c5a87e56cbc2055f0.
+
+2015-12-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h,
+ lib/pkcs11_privkey.c: Revert "Do not allow importing public keys
+ from PKCS #11 private keys for DSA and ECDSA" This reverts commit 0e79aabab519a6b568cf8c31b38523cce7416bd8.
+
+2015-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h,
+ lib/pkcs11_privkey.c: Do not allow importing public keys from PKCS
+ #11 private keys for DSA and ECDSA That is, because they do not contain all the required parameters for
+ a direct import. Reported by Jan Vcelak.
+
+2015-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11_privkey.c: pkcs11: avoid setting a variable which isn't
+ used
+
+2015-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: pkcs11:
+ deinitialize gnutls_pkcs11_obj_t's pubkey on deinit
+
+2015-12-06 Jan Vcelak <jan.vcelak@nic.cz>
+
+ * lib/pkcs11_privkey.c: pkcs11: fix passing of incorrect variable in
+ privkey_get_pubkey The code worked for RSA because the content of the variables
+ matched. But it doesn't match for ECC. CKM_RSA_PKCS_KEY_PAIR_GEN (0x0) == CKK_RSA (0x0)
+ CKM_ECDSA_KEY_PAIR_GEN (0x1040) != CKK_ECDSA (0x3) Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>
+
+2015-11-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/x509.c: allow specifying NULL buffer in
+ gnutls_x509_crt_get_*_unique_id()
+
+2015-11-22 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: released 3.3.19
+
+2015-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * symbols.last: updated auto-generated files
+
+2015-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/scripts/getfuncs.pl: getfuncs.pl: don't consider functions
+ with _gnutls prefix
+
+2015-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_global.c, lib/includes/gnutls/gnutls.h.in,
+ lib/libgnutls.map: gnutls_global_init_skip: prefixed with an
+ underscore
+
+2015-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, m4/hooks.m4: bumped version
+
+2015-11-19 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/global-init-override.c, tests/global-init.c: tests:
+ corrected copyright info
+
+2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am, tests/global-init-override.c: tests: added
+ check for overriding global initialization
+
+2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * doc/cha-gtls-app.texi: documented GNUTLS_SKIP_GLOBAL_INIT macro
+
+2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_global.c, lib/includes/gnutls/gnutls.h.in,
+ lib/libgnutls.map: Added GNUTLS_SKIP_GLOBAL_INIT macro to allow
+ programs skip implicit global initialization
+
+2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/utils.c, tests/utils.h: utils: backported sec_sleep()
+
+2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/mini-handshake-timeout.c: tests: backported
+ mini-handshake-timeout
+
+2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * .gitlab-ci.yml: .gitlab-ci.yml: added build and check in FIPS140-2
+ mode
+
+2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/mini-dtls-record.c, tests/resume-dtls.c: tests: backported
+ mini-dtls-record.c and resume-dtls.c
+
+2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * .gitlab-ci.yml: .gitlab-ci.yml: remove the minimal library from
+ targets
+
+2015-11-15 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/x509_write.c: disable_optional_stuff: don't disable
+ unique IDs if set There are sideways set these values even if they are not in the
+ public API, and we shouldn't disable them unconditionally.
+
+2015-11-15 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * .gitlab-ci.yml: Added CI build rules
+
+2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-11-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/algorithms/ciphersuites.c, tests/mini-record.c: Require TLS
+ 1.2 for all the ciphersuites which are defined for it only This solves an interoperability issue with openssl. Reported by
+ Viktor Dukhovni.
+
+2015-11-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-11-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/auth/dhe.c, lib/auth/ecdhe.c: Allow switching a ciphersuite to
+ DHE and ECDHE on a rehandshake
+
+2015-11-08 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-11-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls.pc.in: gnutls.pc: don't use the libtool version of the
+ link options Reported by Dan Kegel. Resolves #49
+
+2015-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-10-15 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/algorithms/ciphers.c, lib/gnutls_cipher_int.c,
+ lib/gnutls_priority.c: Disable the NULL cipher on runtime when
+ FIPS140 mode is enabled instead of statically That way the NULL cipher can be used when not in FIPS140 mode.
+
+2015-10-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/algorithms.h, lib/algorithms/ciphers.c, lib/algorithms/kx.c,
+ lib/gnutls_int.h, lib/gnutls_priority.c: backport: Tolerate priority
+ strings with names of legacy ciphers and key exchanges That enables better backwards compatibility with old applications
+ which disable or enable algorithms which no longer are supported.
+ Relates #44
+
+2015-10-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-10-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_write.c: pkcs11: write CKA_ISSUER and CKA_SERIAL_NUMBER
+ when writing on a certificate That allows NSS to read and use the written certificate. Resolves
+ #43
+
+2015-10-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-10-12 Lennert Buytenhek <buytenh@wantstofly.org>
+
+ * lib/nettle/pk.c: Fix memory leak in wrap_nettle_hash_algorithm(). wrap_nettle_hash_algorithm() leaks an mpz_t if it is called with pk
+ == GNUTLS_PK_RSA and sig == NULL, in which case it will return
+ without going through the regular exit path that clears the mpz_t it
+ allocated at the beginning of the function. Use the regular exit
+ path instead to fix this. This leak can be triggered via calls to
+ gnutls_pubkey_get_preferred_hash_algorithm(). Signed-off-by: Lennert Buytenhek <buytenh@wantstofly.org>
+
+2015-09-14 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_str.c: _gnutls_hex2bin: avoid overrun in the provided
+ buffer
+
+2015-09-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/manpages/tpmtool.1: tpmtool.1: updated
+
+2015-09-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS, configure.ac, m4/hooks.m4: bumped version
+
+2015-09-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/output.c: Don't use formatted output for fixed strings Resolves #35
+
+2015-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_session_pack.c: session packing: corrected issue in PSK
+ session unpack
+
+2015-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high.c, lib/x509/verify-high2.c: x509: when
+ appending CRLs to a trust list ensure that we don't have duplicates That is, overwrite CRLs if they have been obsoleted.
+
+2015-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool.c: certtool: allow exporting very long CRLs
+
+2015-08-19 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-08-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/cert-tests/Makefile.am, tests/cert-tests/crl: tests: check
+ whether the CRL generation code works as expected
+
+2015-08-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool.c: certtool: removed limit on maximum imported
+ certificates in the -i option
+
+2015-08-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool-common.c, src/certtool.c: certtool: eliminated memory
+ leaks due to new cert loading code
+
+2015-08-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool-common.c, src/certtool-common.h: certtool: lifted
+ limits on file size to load
+
+2015-08-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * Makefile.am: before dist ensure that included libopts matches
+ autogen
+
+2015-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/suite/mini-eagain2.c: tests: backported fix in mini-eagain2
+
+2015-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11_write.c: pkcs11: increase attributes size in
+ gnutls_pkcs11_copy_x509_privkey
+
+2015-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, m4/hooks.m4: bumped version
+
+2015-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-08-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-08-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11: set
+ the CKA_TOKEN attribute on generated public keys That also introduces the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY
+ flag, to simulate the previous behavior.
+
+2015-07-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/ext/safe_renegotiation.c: safe renegotiation: simulate
+ receiving the extension on receival of SCSV
+
+2015-07-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-07-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/ext/safe_renegotiation.c: safe renegotiation: handle case
+ where client didn't send any extension That was affected by the "don't try to send extensions we didn't
+ receive".
+
+2015-07-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_extensions.c, lib/gnutls_handshake.c, lib/gnutls_int.h:
+ As server don't try to send extensions we didn't receive.
+
+2015-07-20 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/common.c: Reset the output value on error in
+ _gnutls_x509_dn_to_string() Reported by Kurt Roeckx.
+
+2015-07-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_state.c: gnutls_prf: document that this is not
+ identical to RFC5705
+
+2015-07-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/p11tool-args.def: p11tool: fix documentation for
+ --generate-ecc and generate-dsa
+
+2015-07-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS, configure.ac, m4/hooks.m4: bumped version
+
+2015-07-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/ext/dumbfw.c: corrected function name
+
+2015-07-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-07-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/auth/dhe_psk.c: PSK: set the hint in DHE-PSK and ECDHE-PSK
+ ciphersuites
+
+2015-07-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/ext/dumbfw.c: dumbfw: don't append a size prefix in the pad Reported by Hannes Mehnert.
+
+2015-07-02 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+
+ * src/certtool.c: certtool --outder should not emit signature
+ verification status When emitting binary-formatted output, send signature verification
+ status to stderr, since it is not binary-formatted output. A simpler version of this patch would be to always send signature
+ verification to stderr, but that would change the text-formatted
+ output.
+
+2015-07-01 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_pubkey.c: DSA: the numeric number of bits returned from
+ public key should depend on P not Y That allows to do the proper evaluation to check certificate
+ strength. Reported by Hubert Kario.
+
+2015-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/name_constraints.c: name constraints: don't reject
+ certificates if a CA has the URI or IPADDRESS constraints Don't reject certificates if a CA has the URI or IPADDRESS
+ constraints, and the end certificate doesn't have an IPaddress name
+ or a URI set.
+
+2015-06-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/privkey.c: enhanced header matching code for private keys
+ to skip unrelated data
+
+2015-06-25 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-06-25 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/Makefile.am, tests/suite/ciphersuite/scan-gnutls.sh,
+ tests/suite/ciphersuite/test-ciphers.js,
+ tests/suite/ciphersuite/test-ciphersuites.sh,
+ tests/suite/test-ciphersuite-names: tests: backported
+ test-ciphersuite-names from master
+
+2015-06-25 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/privkey.c: gnutls_x509_privkey_import2: better behavior
+ when provided with an unencrypted file That is, it will attempt to decode it first as plain file prior to
+ trying all encrypted options.
+
+2015-06-25 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/key_decode.c, lib/x509/mpi.c: _gnutls_get_asn_mpis() will
+ release any data on failure Resolves #15
+
+2015-06-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/testcompat-main: tests: backported test-compat-main
+ from master
+
+2015-06-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/nettle/cipher.c: Corrected camellia256 set key in nettle3
+ compat mode
+
+2015-06-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/drbg-aes.c: drbg-aes: include gnutls_errors.h
+
+2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/drbg-aes-self-test.c: fips140: added check for
+ reseed detection
+
+2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/rng-fork.c: tests: check random generator for long outputs
+ as well
+
+2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/drbg-aes.c: fips140: reset the reseed counter only
+ on reseed
+
+2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/drbg-aes-self-test.c: fips140: added more checks on
+ the reseed and generate function
+
+2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/drbg-aes.c, lib/nettle/int/drbg-aes.h: fips140:
+ enforce the max_number_of_bits_per_request
+
+2015-05-26 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/ocsp_output.c: Check the OID size for match when
+ comparing for the OCSP nonce extension Reported by Hanno Böck.
+
+2015-05-23 Armin Burgmeier <armin@arbur.net>
+
+ * lib/gnutls_ui.c: gnutls_dh_get_prime_bits: return 0 if DH is not
+ used Before, the number of bits of a zero-length number was attempted to
+ be extracted, resulting in an error. The changed behaviour is
+ consistent with the documentation which explicitly states that 0
+ should be returned if no DH key exchange was performed.
+
+2015-05-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_ui.c: gnutls_dh_get_group: mention that the values may
+ include a leading zero
+
+2015-05-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_ui.c: gnutls_dh_set_prime_bits: warn when overriding
+ the DH max prime size with 1007 bits or less
+
+2015-05-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-05-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac, lib/accelerated/x86/aes-gcm-padlock.c,
+ lib/accelerated/x86/aes-gcm-x86-aesni.c,
+ lib/accelerated/x86/aes-gcm-x86-ssse3.c,
+ lib/accelerated/x86/aes-padlock.c,
+ lib/accelerated/x86/sha-padlock.c,
+ lib/accelerated/x86/sha-x86-ssse3.c, lib/nettle/Makefile.am,
+ lib/nettle/cipher.c, lib/nettle/int/dsa-fips.h,
+ lib/nettle/int/dsa-keygen-fips186.c, lib/nettle/int/dsa-validate.c,
+ lib/nettle/pk.c, m4/hooks.m4, tests/dsa/testdsa: Allow using nettle3
+ with gnutls3.3
+
+2015-05-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/sign-md5-rep.c: tests: updated sign-md5-rep to reduce false
+ failures
+
+2015-05-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/mini-loss-time.c: tests: eliminate mem leaks in
+ mini-loss-time
+
+2015-05-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/mini-loss-time.c: tests: backported mini-loss-time from
+ master
+
+2015-04-28 Jan Vcelak <jan.vcelak@nic.cz>
+
+ * lib/nettle/pk.c: fix memory leak in ECDSA key parameters
+ verification Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>
+
+2015-05-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: updated NEWS
+
+2015-05-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS, configure.ac, m4/hooks.m4: released 3.3.15
+
+2015-04-30 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_dtls.c: doc: updated gnutls_dtls_set_timeouts
+
+2015-04-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_handshake.c: gnutls_handshake_set_timeout will properly
+ work with DTLS
+
+2015-04-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * doc/examples/ex-client-dtls.c: doc: fixed example with DTLS
+ timeouts
+
+2015-04-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h: updated
+ minitasn1
+
+2015-04-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-04-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/Makefile.am, tests/sign-md5-rep.c: tests: added reproducer
+ for the MD5 acceptance issue Reported by Karthikeyan Bhargavan.
+
+ http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.htmlConflicts: tests/Makefile.am
+
+2015-04-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/ext/signature.c: before falling back to SHA1 as signature
+ algorithm in TLS 1.2 check if it is enabled
+
+2015-04-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/ext/signature.c: _gnutls_session_sign_algo_enabled: do not
+ consider any values from the extension data to decide acceptable
+ algorithms
+
+2015-04-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/auth/cert.c: set the value used by
+ gnutls_certificate_client_get_request_status prior to selecting
+ certificate That allows gnutls_certificate_client_get_request_status() to be
+ properly operating from the callback. Reported by Anton Lavrentiev.
+
+2015-04-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_cert.c: fixed doc: reported by Anton Lavrentiev
+
+2015-04-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-04-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_ui.c: gnutls_certificate_get_ours: will return the
+ certificate even if a callback was used This corrects a bug where this function would not work, when
+ gnutls_certificate_set_retrieve_function2() was used.
+
+2015-04-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/x509.c: ensure that the X.509 version number is one byte
+ only
+
+2015-04-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/x509.c: Check for invalid length in the X.509 version
+ field If such an invalid length is detected, reject the certificate.
+ Reported by Hanno Böck.
+
+2015-03-30 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/mini-loss-time.c: tests: mini-loss-time: ignore sigpipe
+
+2015-03-30 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: released 3.3.14
+
+2015-03-30 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/suite/testcompat-main: tests: change the default port in
+ testcompat to avoid clash with testsrn
+
+2015-03-30 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/texinfo.css: doc: increase border spacing in HTML tables
+
+2015-03-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, m4/hooks.m4: bumped version
+
+2015-03-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_int.h: do not penalize CBC ciphers with the maximum
+ send data size That reduced the maximum send size for CBC ciphers from 16384 to
+ 16384-(block size), which was unnecessary and was causing issues:
+ https://bugs.winehq.org/show_bug.cgi?id=37500
+
+2015-03-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/algorithms/ciphersuites.c,
+ tests/suite/ciphersuite/scan-gnutls.sh: made ciphersuites.c more
+ self-contained to be handled by test-ciphersuites.sh
+
+2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/x509_ext.c: Better fix for the double free in dist point
+ parsing
+
+2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h: updated
+ libtasn1
+
+2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_datum.c, lib/gnutls_datum.h, lib/x509/gnutls-idna.c,
+ lib/x509/x509_ext.c: gnutls_subject_alt_names_set and
+ gnutls_x509_aki_set_cert_issuer will set null-terminated strings
+
+2015-03-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/x509_ext.c: eliminated double-free in the parsing of dist
+ points Reported by Robert Święcki.
+
+2015-03-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-03-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: increased
+ the size of ck_attributes
+
+2015-03-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: pkcs11: check gnutls_rnd() for error
+ condition
+
+2015-03-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: set a
+ CKA_ID on key generation
+
+2015-03-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_write.c: pkcs11: set the CKA_SIGN and CKA_DECRYPT flags
+ when writing a private key
+
+2015-03-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/ext/server_name.c: When an application calls
+ gnutls_server_name_set() with a name of zero size disable the
+ extension Resolves #2
+
+2015-03-25 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-03-25 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/name_constraints.c: name constraints: when no name of the
+ type is found, accept the certificate This follows RFC5280 advice closely. Reported by Fotis Loukos.
+
+2015-03-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_handshake.c: avoid overflow when receiving DTLS 0.9 CCS
+
+2015-03-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_supplemental.c: Fixed handling of supplemental data
+ with types > 255. Patch by Thierry Quemerais.
+
+2015-03-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_priority.c: doc update
+
+2015-03-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_priority.c: gnutls_priority_init: document that
+ priorities can be NULL
+
+2015-03-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/crypto-selftests.c: corrected self test for 3DES
+
+2015-03-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11.c: pkcs11: only set ID and label when both size and
+ data are set
+
+2015-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac: configure: check for /usr/share/dns/root.key as well
+ for dns root key
+
+2015-03-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * m4/hooks.m4: corrected macro which checks libtasn1 for
+ asn1_decode_simple_ber
+
+2015-03-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h,
+ lib/minitasn1/parser_aux.c: minitasn1: updated to libtasn1 4.3
+
+2015-03-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/cha-internals.texi: rearranged internal documentation
+
+2015-03-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def,
+ src/socket.c: tools: added ftp as a starttls protocol
+
+2015-03-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/cli-args.def: gnutls-cli: starttls and starttls-proto can't
+ mix
+
+2015-03-07 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/cha-gtls-app.texi: expand on SECURE256 being an alias to
+ SECURE192
+
+2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/tests.c: gnutls-cli-debug: corrected check of certificate
+ chain order
+
+2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/x509cert.c: tests: added small test to verify that
+ GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED succeeds with a single cert
+
+2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/cli-debug.c, src/tests.c: gnutls-cli-debug: disable
+ unsupported TLS protocols as soon
+
+2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/socket.c: cli sockets: check for a digit prior using atoi
+
+2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/tests.c: gnutls-cli-debug: a cert list of size 1 is always
+ sorted
+
+2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/socket.c: gnutls-cli-debug: do not warn multiple times about
+ unknown protocols
+
+2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * doc/cha-support.texi: updated documentation on FIPS140-2
+
+2015-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/cert-tests/Makefile.am,
+ tests/cert-tests/template-basic.pem,
+ tests/cert-tests/template-basic.tmpl,
+ tests/cert-tests/template-test: Revert "tests: template-test: added
+ a baseline check to detect slow systems" This reverts commit 2ee2a78178a842c9b0ef2ca3e12909ca3bb9fe79.
+
+2015-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/cert-tests/template-test: tests: don't perform the overflow
+ check in 32-bit systems
+
+2015-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/cert-tests/template-date.pem,
+ tests/cert-tests/template-date.tmpl: tests: date parsing test was
+ modified to work in 32-bit systems
+
+2015-03-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/cert-tests/Makefile.am,
+ tests/cert-tests/template-basic.pem,
+ tests/cert-tests/template-basic.tmpl,
+ tests/cert-tests/template-test: tests: template-test: added a
+ baseline check to detect slow systems
+
+2015-03-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-01-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/testpkcs11: testpkcs11: do not ignore the failure to
+ write a trusted CA
+
+2015-01-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/testpkcs11: testpkcs11: detect softhsm2
+
+2015-03-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_pubkey.c, lib/tpm.c, lib/x509/common.c,
+ lib/x509/common.h, lib/x509/dn.c, lib/x509/ocsp.c,
+ lib/x509/pkcs12.c, lib/x509/pkcs12_bag.c, lib/x509/x509_ext.c,
+ m4/hooks.m4: use asn1_decode_simple_ber if available
+
+2015-02-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/abstract.h: list
+ gnutls_pubkey_get_verify_algorithm as deprected
+
+2015-02-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_handshake.c: corrected typo in gnutls_handshake(),
+ spotted by Andris Mednis
+
+2015-02-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS, configure.ac, m4/hooks.m4: released 3.3.13
+
+2015-02-20 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/cert-tests/Makefile.am, tests/cert-tests/invalid-sig,
+ tests/cert-tests/invalid-sig2.pem,
+ tests/cert-tests/invalid-sig3.pem: tests: added checks for invalid
+ X.509 certificate signatures
+
+2015-02-24 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_session.c: doc update: document that session_get_data()
+ must be used in non-resumed sessions
+
+2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/suite/testcompat-main: tests: testcompat: disable tests with
+ NULL ciphersuites; debian doesn't support them
+
+2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_buffers.c: fixed handling of GNUTLS_E_INT_CHECK_AGAIN
+
+2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/mini-overhead.c, tests/mini-record.c: tests: require DTLS
+ 1.2 when using GCM
+
+2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/algorithms/ciphersuites.c: corrected check which prevented
+ client to sent an unacceptable for the version ciphersuite
+
+2015-02-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_record.c: fixed sequence number copy
+
+2015-02-17 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-02-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/x509.c: when importing a certificate ensure that the
+ signature parameters match
+
+2015-02-14 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-02-14 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/accelerated/x86/x86-common.c: Allow AESNI GCM accelaration in
+ x86
+
+2015-02-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/cli.c: handle differently OCSP responses that are revoked and
+ of unknown status
+
+2015-02-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/common.c: compilation fix with return on void function;
+ reported by David Marx
+
+2015-01-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_state.c: doc update
+
+2015-01-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_buffers.c: set the appropriate direction when
+ _gnutls_io_write_flush() is called
+
+2015-01-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * doc/cha-gtls-app.texi: documented using a session with fork or
+ multiple threads
+
+2015-01-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_buffers.c: print errno in a more uniform way
+
+2015-01-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/x509.c: on certificate import check whether the two
+ signature algorithms match
+
+2015-01-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_buffers.c: simplified _gnutls_writev() by requiring the
+ total length
+
+2015-01-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/cli.c, src/ocsptool-common.c, src/ocsptool-common.h: don't be
+ so verbose about the OCSP nonce; it is universally unsupported
+
+2015-01-17 Tim Ruehsen <tim.ruehsen@gmx.de>
+
+ * src/cli.c, src/ocsptool-common.c: OCSP check the whole cert chain Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2015-01-17 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: released 3.3.12
+
+2015-01-16 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-01-16 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, m4/hooks.m4: bumped versions
+
+2015-01-16 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-01-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * libdane/errors.c: corrected typos Reported by Guido Kroon.
+
+2015-01-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/algorithms/protocols.c, lib/gnutls_int.h: Added the notion of
+ obsolete versions That prevents using these versions as record version numbers, unless
+ they are the only protocol supported. This avoids the issues with
+ servers that have banned SSL 3.0 record versions.
+
+2015-01-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/ocsptool-common.c: ocsptool: follow the documented process for
+ gnutls_x509_crt_get_authority_info_access
+
+2015-01-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/x509.c: gnutls_x509_crt_get_authority_info_access: doc
+ update
+
+2015-01-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/ocsptool-common.c: ocsptool-common: iterate through all AIA
+ items prior to decidig the OCSP server
+
+2015-01-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/cli-args.def: simplified text for inline-commands-prefix
+
+2015-01-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update: added urls of savannah reports
+
+2015-01-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-01-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/cli-args.def, src/cli.c, src/socket.c: gnutls-cli: added
+ --starttls-proto option
+
+2015-01-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: cleanup the name of types Conflicts: lib/pkcs11.c
+
+2015-01-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: when importing a public key, import it's
+ data as well (version 2 fix)
+
+2015-01-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify.c: doc update
+
+2015-01-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11.c: pkcs11: when importing a public key, import it's
+ data as well
+
+2015-01-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_cert.c: doc update
+
+2015-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_state.c: When setting up TLS with cert-type OpenPGP
+ from a client, the server verifies if it supports the extension’s
+ contents in _gnutls_session_cert_type_supported(). This function
+ checks for cred->get_cert_callback but not cred->get_cert_callback2.
+ As a result, servers setup for OpenPGP certificate credential
+ callback with gnutls_certificate_set_retrieve_function2() are unable
+ to use the OpenPGP certificate type. The solution is to consider cred->get_cert_callback2 alongside
+ cred->get_cert_callback in _gnutls_session_cert_type_supported(). Patch by Rick van Rein.
+
+2015-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_privkey.c: gnutls_privkey_import_openpgp_raw: do not
+ release the cached value
+
+2015-01-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2015-01-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_buffers.c, lib/gnutls_errors.h: When receiving a TLS
+ record with multiple handshake packets, parse them in one go That resolves: https://savannah.gnu.org/support/?108712
+
+2015-01-08 Ludovic Courtès <ludo@gnu.org>
+
+ * NEWS, guile/modules/gnutls.in: guile: Call 'load-extension' both
+ during expansion and at run time. Fixes <https://bugzilla.redhat.com/show_bug.cgi?id=1177847>. * guile/modules/gnutls.in: Wrap '%libdir' definition and 'load-extension' call in 'eval-when'. * NEWS: Update.
+
+2015-01-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-01-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_buffers.c: in DTLS don't combine multiple packets which
+ exceed MTU Resolves: https://savannah.gnu.org/support/?108715
+
+2015-01-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_buffers.c: Added more precise check of push functions
+ availability
+
+2015-01-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/Makefile.am: danetool: only compile when dane is enabled
+
+2014-12-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/crypto-backend.c: Allow a random generator with the same
+ priority to re-register That corrects an issue where the library is deinitialized, and
+ reinitialization wouldn't register the same rnd module. Reported by
+ Stanislav Zidek.
+
+2015-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool-cfg.c: certtool: modified check for READ_NUMERIC
+
+2015-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool-cfg.c: certtool: use 64-bit type for CRL serial
+ number
+
+2015-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool-cfg.c: certtool: check for overflows when reading
+ serial numbers
+
+2015-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool-cfg.c, src/certtool-cfg.h: certtool: use int64_t as
+ type for integers read
+
+2015-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/socket.c: gnutls-cli-debug: more precise handling of SMTP
+ protocol Patch by Andreas Metzler.
+
+2015-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2015-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * gl/Makefile.am, gl/alloca.in.h, gl/asnprintf.c, gl/asprintf.c,
+ gl/base64.c, gl/base64.h, gl/byteswap.in.h, gl/c-ctype.c,
+ gl/c-ctype.h, gl/errno.in.h, gl/float+.h, gl/float.c,
+ gl/float.in.h, gl/fstat.c, gl/ftell.c, gl/ftello.c, gl/getdelim.c,
+ gl/getline.c, gl/gettext.h, gl/gettimeofday.c, gl/hash-pjw-bare.c,
+ gl/hash-pjw-bare.h, gl/intprops.h, gl/itold.c, gl/lseek.c,
+ gl/m4/00gnulib.m4, gl/m4/absolute-header.m4, gl/m4/alloca.m4,
+ gl/m4/base64.m4, gl/m4/byteswap.m4, gl/m4/codeset.m4,
+ gl/m4/errno_h.m4, gl/m4/exponentd.m4, gl/m4/extensions.m4,
+ gl/m4/extern-inline.m4, gl/m4/fcntl-o.m4, gl/m4/fcntl_h.m4,
+ gl/m4/fdopen.m4, gl/m4/float_h.m4, gl/m4/fpieee.m4,
+ gl/m4/fseeko.m4, gl/m4/fstat.m4, gl/m4/ftell.m4, gl/m4/ftello.m4,
+ gl/m4/func.m4, gl/m4/getdelim.m4, gl/m4/getline.m4,
+ gl/m4/getpagesize.m4, gl/m4/gettext.m4, gl/m4/gettimeofday.m4,
+ gl/m4/glibc2.m4, gl/m4/glibc21.m4, gl/m4/gnulib-cache.m4,
+ gl/m4/gnulib-common.m4, gl/m4/gnulib-comp.m4, gl/m4/gnulib-tool.m4,
+ gl/m4/iconv.m4, gl/m4/include_next.m4, gl/m4/intdiv0.m4,
+ gl/m4/intl.m4, gl/m4/intldir.m4, gl/m4/intlmacosx.m4,
+ gl/m4/intmax.m4, gl/m4/intmax_t.m4, gl/m4/inttypes-pri.m4,
+ gl/m4/inttypes.m4, gl/m4/inttypes_h.m4, gl/m4/largefile.m4,
+ gl/m4/lcmessage.m4, gl/m4/ld-output-def.m4,
+ gl/m4/ld-version-script.m4, gl/m4/lib-ld.m4, gl/m4/lib-link.m4,
+ gl/m4/lib-prefix.m4, gl/m4/lock.m4, gl/m4/longlong.m4,
+ gl/m4/lseek.m4, gl/m4/malloc.m4, gl/m4/manywarnings.m4,
+ gl/m4/math_h.m4, gl/m4/memchr.m4, gl/m4/memmem.m4, gl/m4/minmax.m4,
+ gl/m4/mmap-anon.m4, gl/m4/msvc-inval.m4, gl/m4/msvc-nothrow.m4,
+ gl/m4/multiarch.m4, gl/m4/netdb_h.m4, gl/m4/netinet_in_h.m4,
+ gl/m4/nls.m4, gl/m4/off_t.m4, gl/m4/po.m4, gl/m4/printf-posix.m4,
+ gl/m4/printf.m4, gl/m4/progtest.m4, gl/m4/read-file.m4,
+ gl/m4/realloc.m4, gl/m4/size_max.m4, gl/m4/snprintf.m4,
+ gl/m4/socklen.m4, gl/m4/sockpfaf.m4, gl/m4/ssize_t.m4,
+ gl/m4/stdalign.m4, gl/m4/stdbool.m4, gl/m4/stddef_h.m4,
+ gl/m4/stdint.m4, gl/m4/stdint_h.m4, gl/m4/stdio_h.m4,
+ gl/m4/stdlib_h.m4, gl/m4/strcase.m4, gl/m4/string_h.m4,
+ gl/m4/strings_h.m4, gl/m4/strndup.m4, gl/m4/strnlen.m4,
+ gl/m4/strtok_r.m4, gl/m4/strverscmp.m4, gl/m4/sys_socket_h.m4,
+ gl/m4/sys_stat_h.m4, gl/m4/sys_time_h.m4, gl/m4/sys_types_h.m4,
+ gl/m4/sys_uio_h.m4, gl/m4/threadlib.m4, gl/m4/time_h.m4,
+ gl/m4/time_r.m4, gl/m4/uintmax_t.m4, gl/m4/ungetc.m4,
+ gl/m4/unistd_h.m4, gl/m4/valgrind-tests.m4, gl/m4/vasnprintf.m4,
+ gl/m4/vasprintf.m4, gl/m4/visibility.m4, gl/m4/vsnprintf.m4,
+ gl/m4/warn-on-use.m4, gl/m4/warnings.m4, gl/m4/wchar_h.m4,
+ gl/m4/wchar_t.m4, gl/m4/wint_t.m4, gl/m4/xsize.m4, gl/malloc.c,
+ gl/memchr.c, gl/memmem.c, gl/minmax.h, gl/msvc-inval.c,
+ gl/msvc-inval.h, gl/msvc-nothrow.c, gl/msvc-nothrow.h,
+ gl/netdb.in.h, gl/netinet_in.in.h, gl/printf-args.c,
+ gl/printf-args.h, gl/printf-parse.c, gl/printf-parse.h,
+ gl/read-file.c, gl/read-file.h, gl/realloc.c, gl/size_max.h,
+ gl/snprintf.c, gl/stdalign.in.h, gl/stdbool.in.h, gl/stddef.in.h,
+ gl/stdint.in.h, gl/stdio-impl.h, gl/stdio.in.h, gl/stdlib.in.h,
+ gl/str-two-way.h, gl/strcasecmp.c, gl/string.in.h, gl/strings.in.h,
+ gl/strncasecmp.c, gl/strndup.c, gl/strnlen.c, gl/strtok_r.c,
+ gl/strverscmp.c, gl/sys_socket.in.h, gl/sys_stat.in.h,
+ gl/sys_time.in.h, gl/sys_types.in.h, gl/sys_uio.in.h,
+ gl/tests/Makefile.am, gl/tests/binary-io.h, gl/tests/fcntl.in.h,
+ gl/tests/fdopen.c, gl/tests/fpucw.h, gl/tests/getpagesize.c,
+ gl/tests/init.sh, gl/tests/inttypes.in.h, gl/tests/macros.h,
+ gl/tests/signature.h, gl/tests/test-alloca-opt.c,
+ gl/tests/test-base64.c, gl/tests/test-binary-io.c,
+ gl/tests/test-byteswap.c, gl/tests/test-c-ctype.c,
+ gl/tests/test-errno.c, gl/tests/test-fcntl-h.c,
+ gl/tests/test-fdopen.c, gl/tests/test-fgetc.c,
+ gl/tests/test-float.c, gl/tests/test-fputc.c,
+ gl/tests/test-fread.c, gl/tests/test-fstat.c,
+ gl/tests/test-ftell.c, gl/tests/test-ftell3.c,
+ gl/tests/test-ftello.c, gl/tests/test-ftello3.c,
+ gl/tests/test-ftello4.c, gl/tests/test-func.c,
+ gl/tests/test-fwrite.c, gl/tests/test-getdelim.c,
+ gl/tests/test-getline.c, gl/tests/test-gettimeofday.c,
+ gl/tests/test-iconv.c, gl/tests/test-init.sh,
+ gl/tests/test-intprops.c, gl/tests/test-inttypes.c,
+ gl/tests/test-memchr.c, gl/tests/test-netdb.c,
+ gl/tests/test-netinet_in.c, gl/tests/test-read-file.c,
+ gl/tests/test-snprintf.c, gl/tests/test-stdalign.c,
+ gl/tests/test-stdbool.c, gl/tests/test-stddef.c,
+ gl/tests/test-stdint.c, gl/tests/test-stdio.c,
+ gl/tests/test-stdlib.c, gl/tests/test-string.c,
+ gl/tests/test-strings.c, gl/tests/test-strnlen.c,
+ gl/tests/test-strverscmp.c, gl/tests/test-sys_socket.c,
+ gl/tests/test-sys_stat.c, gl/tests/test-sys_time.c,
+ gl/tests/test-sys_types.c, gl/tests/test-sys_uio.c,
+ gl/tests/test-sys_wait.h, gl/tests/test-time.c,
+ gl/tests/test-u64.c, gl/tests/test-unistd.c,
+ gl/tests/test-vasnprintf.c, gl/tests/test-vasprintf.c,
+ gl/tests/test-vc-list-files-cvs.sh,
+ gl/tests/test-vc-list-files-git.sh, gl/tests/test-verify.c,
+ gl/tests/test-vsnprintf.c, gl/tests/test-wchar.c,
+ gl/tests/zerosize-ptr.h, gl/time.in.h, gl/time_r.c, gl/u64.h,
+ gl/unistd.in.h, gl/vasnprintf.c, gl/vasnprintf.h, gl/vasprintf.c,
+ gl/verify.h, gl/vsnprintf.c, gl/wchar.in.h, gl/xsize.h,
+ src/gl/Makefile.am, src/gl/accept.c, src/gl/alloca.in.h,
+ src/gl/arpa_inet.in.h, src/gl/asnprintf.c, src/gl/bind.c,
+ src/gl/c-ctype.c, src/gl/c-ctype.h, src/gl/close.c,
+ src/gl/connect.c, src/gl/dup2.c, src/gl/errno.in.h, src/gl/error.c,
+ src/gl/error.h, src/gl/exitfail.c, src/gl/exitfail.h,
+ src/gl/fd-hook.c, src/gl/fd-hook.h, src/gl/float+.h,
+ src/gl/float.c, src/gl/float.in.h, src/gl/fseek.c, src/gl/fseeko.c,
+ src/gl/fstat.c, src/gl/ftell.c, src/gl/ftello.c,
+ src/gl/gai_strerror.c, src/gl/getaddrinfo.c, src/gl/getdelim.c,
+ src/gl/getline.c, src/gl/getpass.c, src/gl/getpass.h,
+ src/gl/getpeername.c, src/gl/gettext.h, src/gl/gettime.c,
+ src/gl/gettimeofday.c, src/gl/inet_ntop.c, src/gl/inet_pton.c,
+ src/gl/intprops.h, src/gl/itold.c, src/gl/listen.c, src/gl/lseek.c,
+ src/gl/m4/00gnulib.m4, src/gl/m4/absolute-header.m4,
+ src/gl/m4/alloca.m4, src/gl/m4/arpa_inet_h.m4, src/gl/m4/bison.m4,
+ src/gl/m4/clock_time.m4, src/gl/m4/close.m4, src/gl/m4/dup2.m4,
+ src/gl/m4/eealloc.m4, src/gl/m4/environ.m4, src/gl/m4/errno_h.m4,
+ src/gl/m4/error.m4, src/gl/m4/exponentd.m4,
+ src/gl/m4/extensions.m4, src/gl/m4/extern-inline.m4,
+ src/gl/m4/float_h.m4, src/gl/m4/fseek.m4, src/gl/m4/fseeko.m4,
+ src/gl/m4/fstat.m4, src/gl/m4/ftell.m4, src/gl/m4/ftello.m4,
+ src/gl/m4/getaddrinfo.m4, src/gl/m4/getdelim.m4,
+ src/gl/m4/getline.m4, src/gl/m4/getpass.m4, src/gl/m4/gettime.m4,
+ src/gl/m4/gettimeofday.m4, src/gl/m4/gnulib-cache.m4,
+ src/gl/m4/gnulib-common.m4, src/gl/m4/gnulib-comp.m4,
+ src/gl/m4/gnulib-tool.m4, src/gl/m4/hostent.m4,
+ src/gl/m4/include_next.m4, src/gl/m4/inet_ntop.m4,
+ src/gl/m4/inet_pton.m4, src/gl/m4/intmax_t.m4,
+ src/gl/m4/inttypes_h.m4, src/gl/m4/largefile.m4,
+ src/gl/m4/longlong.m4, src/gl/m4/lseek.m4, src/gl/m4/malloc.m4,
+ src/gl/m4/malloca.m4, src/gl/m4/math_h.m4, src/gl/m4/memchr.m4,
+ src/gl/m4/minmax.m4, src/gl/m4/mktime.m4, src/gl/m4/mmap-anon.m4,
+ src/gl/m4/msvc-inval.m4, src/gl/m4/msvc-nothrow.m4,
+ src/gl/m4/multiarch.m4, src/gl/m4/netdb_h.m4,
+ src/gl/m4/netinet_in_h.m4, src/gl/m4/off_t.m4,
+ src/gl/m4/parse-datetime.m4, src/gl/m4/printf.m4,
+ src/gl/m4/read-file.m4, src/gl/m4/realloc.m4, src/gl/m4/select.m4,
+ src/gl/m4/servent.m4, src/gl/m4/setenv.m4, src/gl/m4/signal_h.m4,
+ src/gl/m4/size_max.m4, src/gl/m4/snprintf.m4,
+ src/gl/m4/socketlib.m4, src/gl/m4/sockets.m4, src/gl/m4/socklen.m4,
+ src/gl/m4/sockpfaf.m4, src/gl/m4/ssize_t.m4, src/gl/m4/stdalign.m4,
+ src/gl/m4/stdbool.m4, src/gl/m4/stddef_h.m4, src/gl/m4/stdint.m4,
+ src/gl/m4/stdint_h.m4, src/gl/m4/stdio_h.m4, src/gl/m4/stdlib_h.m4,
+ src/gl/m4/strdup.m4, src/gl/m4/strerror.m4, src/gl/m4/string_h.m4,
+ src/gl/m4/sys_select_h.m4, src/gl/m4/sys_socket_h.m4,
+ src/gl/m4/sys_stat_h.m4, src/gl/m4/sys_time_h.m4,
+ src/gl/m4/sys_types_h.m4, src/gl/m4/sys_uio_h.m4,
+ src/gl/m4/time_h.m4, src/gl/m4/time_r.m4, src/gl/m4/timespec.m4,
+ src/gl/m4/tm_gmtoff.m4, src/gl/m4/unistd_h.m4,
+ src/gl/m4/vasnprintf.m4, src/gl/m4/warn-on-use.m4,
+ src/gl/m4/wchar_h.m4, src/gl/m4/wchar_t.m4, src/gl/m4/wint_t.m4,
+ src/gl/m4/xalloc.m4, src/gl/m4/xsize.m4, src/gl/malloc.c,
+ src/gl/malloca.c, src/gl/malloca.h, src/gl/memchr.c,
+ src/gl/minmax.h, src/gl/mktime.c, src/gl/msvc-inval.c,
+ src/gl/msvc-inval.h, src/gl/msvc-nothrow.c, src/gl/msvc-nothrow.h,
+ src/gl/netdb.in.h, src/gl/netinet_in.in.h, src/gl/parse-datetime.h,
+ src/gl/parse-datetime.y, src/gl/printf-args.c,
+ src/gl/printf-args.h, src/gl/printf-parse.c, src/gl/printf-parse.h,
+ src/gl/progname.c, src/gl/progname.h, src/gl/read-file.c,
+ src/gl/read-file.h, src/gl/realloc.c, src/gl/recv.c,
+ src/gl/recvfrom.c, src/gl/select.c, src/gl/send.c, src/gl/sendto.c,
+ src/gl/setenv.c, src/gl/setsockopt.c, src/gl/shutdown.c,
+ src/gl/signal.in.h, src/gl/size_max.h, src/gl/snprintf.c,
+ src/gl/socket.c, src/gl/sockets.c, src/gl/sockets.h,
+ src/gl/stdalign.in.h, src/gl/stdbool.in.h, src/gl/stddef.in.h,
+ src/gl/stdint.in.h, src/gl/stdio-impl.h, src/gl/stdio.in.h,
+ src/gl/stdlib.in.h, src/gl/strdup.c, src/gl/strerror-override.c,
+ src/gl/strerror-override.h, src/gl/strerror.c, src/gl/string.in.h,
+ src/gl/sys_select.in.h, src/gl/sys_socket.in.h,
+ src/gl/sys_stat.in.h, src/gl/sys_time.in.h, src/gl/sys_types.in.h,
+ src/gl/sys_uio.in.h, src/gl/time.in.h, src/gl/time_r.c,
+ src/gl/timespec.h, src/gl/unistd.in.h, src/gl/unsetenv.c,
+ src/gl/vasnprintf.c, src/gl/vasnprintf.h, src/gl/verify.h,
+ src/gl/w32sock.h, src/gl/wchar.in.h, src/gl/xalloc-die.c,
+ src/gl/xalloc-oversized.h, src/gl/xalloc.h, src/gl/xmalloc.c,
+ src/gl/xsize.h: updated gnulib
+
+2015-01-02 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/cli-debug.c: gnutls-cli-debug: corrected the skip of ignored
+ checks
+
+2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool.c: certtool: --pubkey-info will load a public key
+ from stdin
+
+2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/system.h: include netinet/in.h if present to access ipv6
+ related structures Based on patch by Rumko. https://savannah.gnu.org/support/?108713
+
+2014-12-30 Matthias-Christian Ott <ott@mirix.org>
+
+ * lib/gnutls_cipher_int.c: Don't call _gnutls_cipher_encrypt2 with
+ textlen = 0 in _gnutls_auth_cipher_encrypt2_tag If the plaintext is shorter than the block size of the used cipher,
+ _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with
+ textlen = 0. By definition _gnutls_cipher_encrypt2 does nothing in
+ this case and thus does not need to be called.
+
+2014-12-30 Matthias-Christian Ott <ott@mirix.org>
+
+ * lib/accelerated/x86/aes-gcm-padlock.c,
+ lib/accelerated/x86/aes-padlock.c: Handle zero length plaintext for
+ VIA PadLock functions If the plaintext is shorter than the block size of the used cipher,
+ _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with
+ textlen = 0. padlock_ecb_encrypt and padlock_cbc_encrypt assume that
+ the plaintext length (last parameter) is greater than zero and
+ segfault otherwise. The assembler code for both functions is
+ automatically generated and imported from OpenSSL, so to ease
+ maintenance the length should be validated in the functions that
+ call padlock_ecb_encrypt or padlock_cbc_encrypt.
+
+2014-12-28 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/openpgp-keyring.c: tests: enhanced openpgp-keyring test
+
+2014-12-28 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/openpgp/output.c: openpgp: properly print names in oneline
+ output as well
+
+2014-12-28 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/openpgp/output.c: updates in openpgp DSA key printing
+
+2014-12-28 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/openpgp/output.c: properly print openpgp names
+
+2014-12-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/cli-debug.c, src/common.c, src/tests.c: tools: use OCSP
+ functions only when OCSP is enabled
+
+2014-12-24 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_pubkey.c: Corrected encoding and decoding of ANSI X9.62 That affects gnutls_pubkey_export_ecc_x962() and
+ gnutls_pubkey_import_ecc_x962().
+
+2014-12-24 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool-args.def, src/p11tool-args.def: tools: document the
+ available curves
+
+2014-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_int.h,
+ lib/pkcs11_privkey.c, lib/pkcs11_secret.c, lib/pkcs11_write.c: Use
+ hints to support incomplete PKCS#11 URIs
+
+2014-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/examples/Makefile.am, src/Makefile.am, src/gl/Makefile.am,
+ src/gl/m4/gnulib-cache.m4, src/gl/m4/gnulib-comp.m4: completely
+ separated the two gnulibs to avoid conflicts
+
+2014-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * gl/Makefile.am, gl/m4/extensions.m4, gl/m4/extern-inline.m4,
+ gl/m4/gnulib-comp.m4, gl/m4/iconv.m4, gl/m4/printf.m4,
+ gl/m4/stdalign.m4, gl/m4/stddef_h.m4, gl/m4/stdio_h.m4,
+ gl/stdalign.in.h, gl/stddef.in.h, gl/tests/test-fcntl-h.c,
+ gl/tests/test-stddef.c, gl/unistd.in.h, gl/vasnprintf.c,
+ src/gl/Makefile.am, src/gl/m4/extensions.m4,
+ src/gl/m4/extern-inline.m4, src/gl/m4/gnulib-comp.m4,
+ src/gl/m4/printf.m4, src/gl/m4/stdalign.m4, src/gl/m4/stddef_h.m4,
+ src/gl/m4/stdio_h.m4, src/gl/parse-datetime.y,
+ src/gl/stdalign.in.h, src/gl/stddef.in.h, src/gl/timespec.h,
+ src/gl/unistd.in.h, src/gl/vasnprintf.c: updated gnulib
+
+2014-12-22 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-12-22 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/verify-high2.c: when importing object CAs from PKCS#11
+ URL, import the marked as trusted only
+
+2014-12-22 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11.c: pkcs11: when matching objects, also match the label
+
+2014-12-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/suite/pkcs11-chainverify.c: added missing variable
+
+2014-12-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/Makefile.am: Added p11-kit cflags in x509/
+
+2014-12-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c,
+ tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c,
+ tests/suite/softhsm.h, tests/suite/testpkcs11.softhsm: Added
+ softhsm.h to share code in softhsm detection Conflicts: tests/suite/pkcs11-chainverify.c tests/suite/pkcs11-privkey.c
+
+2014-12-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11_int.h, lib/x509/verify-high2.c: Directly import PKCS
+ #11 object URLs as trusted certificates That is, don't treat them as trusted modules, because they aren't a
+ token URL, but rather a direct reference to specific objects.
+
+2014-12-19 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_buffers.c, lib/gnutls_record.c: corrected documentation
+ for the cork/uncork functions Reported by Jaak Ristioja.
+
+2014-12-19 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_record.c: doc update
+
+2014-12-19 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-12-19 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/algorithms/protocols.c: Added more precise version check in
+ _gnutls_version_lowest
+
+2014-11-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/algorithms.h, lib/algorithms/protocols.c,
+ lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_priority.c: The
+ record version in the client Hello will be set to the lowest
+ supported protocol There should have been no harm in keeping it SSL 3.0 but
+ unfortunately in draft-thomson-sslv3-diediedie-00 it has been marked
+ as MUST NOT do that. That will be fixed in a later revision but
+ since then there are servers not accepting SSL 3.0 as a valid record
+ version (note that this is about the record version, which describes
+ the format of the packet, nothing to do with the negotiated
+ version).
+
+2014-12-19 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_record.c: corrected documentation of gnutls_cork()
+
+2014-12-12 Ludovic Courtès <ludo@gnu.org>
+
+ * NEWS, doc/gnutls-guile.texi, guile/modules/gnutls.in,
+ guile/modules/gnutls/build/smobs.scm, guile/src/core.c,
+ guile/tests/openpgp-auth.scm, guile/tests/x509-auth.scm: Revert
+ "guile: Remove RSA parameters and related procedures." This reverts commit 9f5788469f6f3f3fdd4cf064621a903607f10f2f; this
+ will be done in the 3.4 branch, as for the C library. Update NEWS
+ accordingly.
+
+2014-12-12 Ludovic Courtès <ludo@gnu.org>
+
+ * NEWS: Update 'NEWS'.
+
+2014-12-11 Ludovic Courtès <ludo@gnu.org>
+
+ * guile/tests/openpgp-keyring.scm: guile: Open binary file in binary
+ mode, for the sake of MinGW. Reported by Eli Zaretskii <eliz@gnu.org>. * guile/tests/openpgp-keyring.scm: Use 'open-file' with "rb" instead
+ of 'open-input-file'.
+
+2014-12-11 Ludovic Courtès <ludo@gnu.org>
+
+ * guile/src/Makefile.am: guile: Link with '-no-undefined'. Fixes builds on MinGW. Reported by Eli Zaretskii <eliz@gnu.org>. * guile/src/Makefile.am (guile_gnutls_v_2_la_LDFLAGS): Add -no-undefined.
+
+2014-12-04 Ludovic Courtès <ludo@gnu.org>
+
+ * guile/src/Makefile.am: guile: Build with warnings. * guile/src/Makefile.am (AM_CFLAGS) [HAVE_GCC]: Add -Wall -Wextra -Wno-unused-parameter.
+
+2014-12-04 Ludovic Courtès <ludo@gnu.org>
+
+ * guile/modules/Makefile.am, guile/modules/gnutls.in,
+ guile/modules/gnutls/build/priorities.scm, guile/src/Makefile.am,
+ guile/src/core.c, guile/src/make-session-priorities.scm,
+ guile/tests/session-record-port.scm, guile/tests/x509-auth.scm:
+ guile: Remove the deprecated priority API. * guile/modules/gnutls/build/priorities.scm: Remove. * guile/src/make-session-priorities.scm: Remove. * guile/modules/Makefile.am (EXTRA_DIST): Adjust accordingly. * guile/src/Makefile.am (EXTRA_DIST): Likewise. (GENERATED_BINDINGS): Remove 'priorities.i.c'. (priorities.i.c): Remove target. * guile/src/core.c: Don't include it. (scm_gnutls_set_default_priority_x): Remove. * guile/modules/gnutls.in (gnutls): Adjust export list. * guile/tests/session-record-port.scm: Use
+ 'set-session-priorities!'. * guile/tests/x509-auth.scm: Likewise.
+
+2014-12-04 Ludovic Courtès <ludo@gnu.org>
+
+ * doc/gnutls-guile.texi, guile/modules/gnutls.in,
+ guile/modules/gnutls/build/smobs.scm, guile/src/core.c,
+ guile/tests/openpgp-auth.scm, guile/tests/x509-auth.scm: guile:
+ Remove RSA parameters and related procedures. * guile/modules/gnutls/build/smobs.scm (%rsa-parameters-smob):
+ Remove. (%gnutls-smobs): Remove it. * guile/src/core.c (scm_gnutls_make_rsa_parameters, scm_gnutls_pkcs1_import_rsa_parameters, scm_gnutls_pkcs1_export_rsa_parameters, scm_gnutls_set_certificate_credentials_rsa_export_params_x):
+ Remove. * guile/modules/gnutls.in: Adjust export list. * guile/tests/openpgp-auth.scm (import-rsa-params): Remove. Remove references to it and to 'set-certificate-credentials-rsa-export-parameters!'. * guile/tests/x509-auth.scm: Likewise. * doc/gnutls-guile.texi (Representation of Binary Data): Remove references to RSA parameters. Adjust example accordingly. (OpenPGP Authentication Guile Example): Likewise.
+
+2014-12-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/random.c: gnutls_rnd: doc update
+
+2014-12-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/pkcs12.c: gnutls_pkcs12_simple_parse: doc update
+
+2014-12-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * libdane/dane.c: improved documentation on dane
+
+2014-12-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/pkcs11.c: p11tool: use Sleep() in windows
+
+2014-12-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool-cfg.c: certtool: ensure that default_serial_int is
+ 64-bits or more
+
+2014-12-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/socket.c: use select() instead of alarm for better portability Based on patch by Eli Zaretskii.
+
+2014-12-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: released 3.3.11
+
+2014-12-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, m4/hooks.m4: bumped version
+
+2014-12-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/suite/testcompat-main: testcompat: corrected usage of null
+ cipher
+
+2014-12-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/rnd-fips.c: added the .check function in FIPS140-2 code
+
+2014-12-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/dn.c: _gnutls_x509_get_dn() always return a null
+ terminated string
+
+2014-12-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/random.h: if the rnd structure doesn't provide check,
+ _gnutls_rnd_check() will succeed
+
+2014-11-30 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/x509.c: Reorganized, and eliminated memory leak in
+ _gnutls_x509_crt_check_revocation() Reported by Tim Rühsen.
+
+2014-11-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/gnutls.h.in, lib/includes/gnutls/pkcs11.h: doc
+ update
+
+2014-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added
+ check for whether %NO_EXTENSIONS is required
+
+2014-11-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_ui.c: gnutls_session_get_desc: allow proper printing of
+ the NULL KX
+
+2014-11-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_x509.c: gnutls_certificate_set_x509_key_*: eliminated
+ memory leak when certificate could not be parsed Reported by Georg Richter.
+
+2014-11-24 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/socket.c: gnutls-cli-debug: do not print error on unknown
+ protocols
+
+2014-11-24 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_x509.c: documented the limitations of the loading
+ functions
+
+2014-11-24 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_x509.c: corrected memleak in read_key_mem() Patch by Georg Richter.
+
+2014-11-24 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added
+ check for sorted certificate chain
+
+2014-11-22 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_handshake.c, lib/gnutls_record.c,
+ tests/mini-rehandshake-2.c: restore only the documented behavior
+
+2014-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/Makefile.am, tests/mini-rehandshake-2.c: tests: added test
+ for GNUTLS_E_GOT_APPLICATION_DATA on rehandshake Conflicts: tests/Makefile.am
+
+2014-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_handshake.c, lib/gnutls_record.c: treat
+ GNUTLS_E_GOT_APPLICATION_DATA as non-fatal if initial negotiation is
+ complete This corrects a regression introduced in
+ b5a0de2e6da98866cafb770c3141b7353d030ab2 Reported by Dan Winship.
+ https://savannah.gnu.org/support/?108690
+
+2014-11-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-11-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_priority.c: Revert "The priority modifier
+ %LATEST_RECORD_VERSION is now the default" This reverts commit 96b408b20fe8707306f38cba6f652556b99a47e4.
+
+2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/rnd-common.c: _rnd_get_event: use memset to avoid
+ valgrind complaints
+
+2014-11-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/fips.c: compilation fix for FIPS140-2 mode
+
+2014-11-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/ocsp.c: deinitialize the OCSP response der data That also makes sure that reinitialization of ASN1 structures are
+ done when it is required only.
+
+2014-11-17 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_priority.c: NORMAL priority: prioritize the less than
+ 256-bits curves at the lowest level
+
+2014-11-16 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/fips.c, lib/fips.h, lib/gnutls_global.c: properly reset the
+ zombie mode in FIPS mode This amends 9158f590f4a18c84fc9eb41877b29d73b30af879
+
+2014-11-15 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-11-14 David Weber <dave@veryflatcat.com>
+
+ * src/cli.c, src/serv.c: Fixed SRTP profile configuration in cli.c
+ and serv.c. I have tested the fix in 3.3.10. This commit is UNTESTED as i am
+ unable to compile gnutls (./configure complains about gl_INIT and
+ ggl_INIT). Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+2014-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/common.c: gnutls-cli: print info on the OCSP status request
+
+2014-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/ocsp.c: use the original DER/BER data when verifying an
+ OCSP response Conflicts: lib/x509/ocsp.c
+
+2014-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/system.c: windows: updated _gnutls_ucs2_to_utf8()
+
+2014-11-14 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: check
+ for OCSP status response Conflicts: src/tests.c
+
+2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/cli-debug.c, src/tests.c, src/tests.h: added check for servers
+ that disallow the SSL 3.0 record version
+
+2014-11-14 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/cert-tests/crq: corrected crq test case; reported by Andreas
+ Metzler
+
+2014-11-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11.c: set the GNUTLS_PIN_CONTEXT_SPECIFIC flag on PIN
+ callback
+
+2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/rnd-common.h: rnd: removed the packed attribute from
+ event_st That prevents a SIGBUS on solaris sparc systems. Reported by Thomas
+ Thorberger.
+
+2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_priority.c: The priority modifier
+ %LATEST_RECORD_VERSION is now the default This works-around issue with servers that forbit the SSL 3.0 version
+ number from the first packet of the record protocol.
+
+2014-11-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/suite/testcompat-common, tests/suite/testcompat-main:
+ testcompat: updated
+
+2014-11-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, m4/hooks.m4: bumped version
+
+2014-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac, tests/cert-tests/Makefile.am, tests/cert-tests/crq:
+ Added check with the invalid crq sent by Sean Burford
+
+2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_ecc.c: when exporting curve coordinates to X9.63
+ format, perform additional sanity checks on input Reported by Sean Burford.
+
+2014-11-08 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/cha-intro-tls.texi: doc update
+
+2014-11-08 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/cha-gtls-app.texi, doc/cha-intro-tls.texi: doc: updated text
+ on session tickets
+
+2014-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/socket.c: tools: include arpa/inet.h in socket.c
+
+2014-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/examples/ex-serv-dtls.c: doc: use the same port for DTLS
+ client and server
+
+2014-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11.c: pkcs11: pass the correct user type to protected
+ authentication login
+
+2014-11-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * doc/cha-gtls-app.texi: doc: corrected values for INSECURE level
+
+2014-11-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11.c, lib/pkcs11_int.h: pkcs11_login: set the correct user
+ type on reauthentication
+
+2014-11-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: pkcs11:
+ force login on tokens that require it
+
+2014-11-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: added
+ support for PKCS #11 keys that require reauthentication and
+ simplified pkcs11_login
+
+2014-11-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * gl/unistd.in.h, src/gl/unistd.in.h: applied patch by A. Klitzing
+ to improve compatibile with some apple systems Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+2014-11-05 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/cli-debug.c, src/common.c, src/common.h, src/tests.c:
+ gnutls-cli-debug: backported changes from 3.4.0 branch
+
+2014-11-05 Chen Hongzhi <hongzhi.chen@me.com>
+
+ * lib/x509/pkcs12.c: Fix double-free in gnutls_pkcs12_simple_parse() Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+2014-11-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/scripts/mytexi2latex: mytexi2latex: handle na@"ive
+
+2014-11-04 Chris Barry <chris@barry.im>
+
+ * doc/cha-auth.texi, doc/cha-cert-auth.texi,
+ doc/cha-cert-auth2.texi, doc/cha-errors.texi, doc/sec-tls-app.texi:
+ Cleaning up some awkward phrasings. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+2014-11-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/ext/alpn.c: updated text
+
+2014-11-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-11-03 Jaak Ristioja <jaak.ristioja@cyber.ee>
+
+ * lib/system_override.c: doc: Added missing reference for EMSGSIZE
+ to inline documentation of gnutls_transport_set_errno(). Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+2014-11-03 Jaak Ristioja <jaak.ristioja@cyber.ee>
+
+ * lib/system_override.c: doc: Fixed typo in inline comment of
+ gnutls_transport_set_errno(). Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+2014-11-02 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_errors.c: updated the text for
+ GNUTLS_E_UNSUPPORTED_VERSION_PACKET
+
+2014-11-01 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/common.c: when calling gnutls_x509_crt_get_subject_key_id
+ set the id_size
+
+2014-11-01 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11.c: deinitialize the temporary spki data
+
+2014-10-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/Makefile.am, tests/init_fds.c: tests: added test for
+ gnutls_global_init after all descriptors are closed Conflicts: tests/Makefile.am
+
+2014-10-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_global.c, lib/nettle/rnd-common.c, lib/random.h:
+ corrected check for urandom fd
+
+2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_global.c: corrected exit state from gnutls_global_init
+
+2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * doc/cha-gtls-app.texi: updated text for gnutls_fd_in_use() to
+ account the new behavior
+
+2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in,
+ lib/libgnutls.map, lib/nettle/rnd-common.c: dropped
+ gnutls_fd_in_use, it is no longer necessary Conflicts: lib/libgnutls.map
+
+2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/crypto-backend.h, lib/gnutls_global.c,
+ lib/nettle/rnd-common.c, lib/nettle/rnd-common.h, lib/nettle/rnd.c,
+ lib/random.h: When gnutls_global_init() is called manually from the
+ application check the urandom fd for validity That addresses the issue where a server closes all open file
+ descriptors and then calls gnutls_global_init(). Conflicts: lib/nettle/rnd-common.c
+
+2014-10-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/pk.c: _gnutls_dh_generate_key() will account the q_bits
+
+2014-10-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-10-28 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-10-28 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/nettle/rnd.c: doc update
+
+2014-10-28 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_state.c: do not explicitly refresh rnd state on session
+ deinit It is already being refreshed during the session lifetime.
+
+2014-10-26 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac: disable hardware acceleration by default in solaris
+
+2014-10-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/dtls/dtls: tests: dtls-stress -r disabled as it causes
+ issues when used with freebsd kernel
+
+2014-10-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/accelerated/x86/elf/aes-ssse3-x86.s,
+ lib/accelerated/x86/elf/aes-ssse3-x86_64.s,
+ lib/accelerated/x86/elf/aesni-x86.s,
+ lib/accelerated/x86/elf/aesni-x86_64.s,
+ lib/accelerated/x86/elf/cpuid-x86.s,
+ lib/accelerated/x86/elf/cpuid-x86_64.s,
+ lib/accelerated/x86/elf/e_padlock-x86.s,
+ lib/accelerated/x86/elf/e_padlock-x86_64.s,
+ lib/accelerated/x86/elf/ghash-x86_64.s,
+ lib/accelerated/x86/elf/sha1-ssse3-x86.s,
+ lib/accelerated/x86/elf/sha1-ssse3-x86_64.s,
+ lib/accelerated/x86/elf/sha256-avx-x86_64.s,
+ lib/accelerated/x86/elf/sha256-ssse3-x86.s,
+ lib/accelerated/x86/elf/sha512-ssse3-x86.s,
+ lib/accelerated/x86/elf/sha512-ssse3-x86_64.s: do not use the ifdef
+ directive in assembly files, as it isn't portable
+
+2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac, lib/Makefile.am: check and use libnsl (used in
+ solaris)
+
+2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/accelerated/x86/elf/aes-ssse3-x86.s,
+ lib/accelerated/x86/elf/aes-ssse3-x86_64.s,
+ lib/accelerated/x86/elf/aesni-x86.s,
+ lib/accelerated/x86/elf/aesni-x86_64.s,
+ lib/accelerated/x86/elf/cpuid-x86.s,
+ lib/accelerated/x86/elf/cpuid-x86_64.s,
+ lib/accelerated/x86/elf/e_padlock-x86.s,
+ lib/accelerated/x86/elf/e_padlock-x86_64.s,
+ lib/accelerated/x86/elf/ghash-x86_64.s,
+ lib/accelerated/x86/elf/sha1-ssse3-x86.s,
+ lib/accelerated/x86/elf/sha1-ssse3-x86_64.s,
+ lib/accelerated/x86/elf/sha256-avx-x86_64.s,
+ lib/accelerated/x86/elf/sha256-ssse3-x86.s,
+ lib/accelerated/x86/elf/sha512-ssse3-x86.s,
+ lib/accelerated/x86/elf/sha512-ssse3-x86_64.s: use the
+ .note.GNU-stack in linux systems only
+
+2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * gl/Makefile.am, gl/m4/extern-inline.m4, gl/m4/gnulib-common.m4,
+ gl/m4/manywarnings.m4, gl/m4/stdlib_h.m4, gl/m4/threadlib.m4,
+ gl/m4/unistd_h.m4, gl/stdlib.in.h, gl/tests/fcntl.in.h,
+ gl/unistd.in.h, gl/vasnprintf.c, maint.mk, src/gl/Makefile.am,
+ src/gl/error.c, src/gl/getpass.c, src/gl/m4/extern-inline.m4,
+ src/gl/m4/gnulib-common.m4, src/gl/m4/stdlib_h.m4,
+ src/gl/m4/unistd_h.m4, src/gl/parse-datetime.y, src/gl/stdlib.in.h,
+ src/gl/sys_select.in.h, src/gl/unistd.in.h, src/gl/vasnprintf.c:
+ updated gnulib
+
+2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/pkcs11-get-issuer.c: tests: check the issuer value
+ validity of gnutls_x509_trust_list_get_issuer
+
+2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high.c: corrected bug in
+ gnutls_x509_trust_list_get_issuer() when used without the
+ GNUTLS_TL_GET_COPY flag
+
+2014-10-22 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/slow/Makefile.am: tests: include minitasn1 when needed
+
+2014-10-22 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/danetool.c: use HAVE_DANE ifdef for unused functions
+
+2014-10-22 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/libgnutls.map: exported gnutls_fd_in_use
+
+2014-10-22 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-10-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * doc/cha-gtls-app.texi: document gnutls_fd_in_use()
+
+2014-10-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: corrected FIND_OBJECT loop when the token
+ func is used
+
+2014-10-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_state.c: gnutls_fd_in_use: mention version
+
+2014-10-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in,
+ lib/nettle/rnd-common.c, lib/random.h: added gnutls_fd_in_use() to
+ check whether a file descriptor is in use
+
+2014-10-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/nettle/pk.c: fips140-2: limit the FIPS code in fips mode
+
+2014-10-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/pk.c: fips140-2: use the FIPS algorithms only when in
+ FIPS140-2 mode
+
+2014-10-20 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-08-05 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool.c: certtool: default pkcs-cipher is now 3des as in
+ PKCS #12
+
+2014-10-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/cli-args.def: gnutls-cli: prevent the combination of the -p
+ and --list options As -p may be mistaken for --priority that would prevent wrong
+ outputs.
+
+2014-10-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high2.c: avoid d from getting out of scope
+
+2014-10-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/udp-serv.c: gnutls-serv: avoid possible buffer overrun
+
+2014-10-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/privkey.c: avoid memory leak on
+ gnutls_x509_privkey_generate() failure
+
+2014-10-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/dsa-fips.h, lib/nettle/int/dsa-keygen-fips186.c,
+ lib/nettle/int/dsa-validate.c: in FIPS140-2 mode only disable
+ 1024-bit DSA parameters when generating
+
+2014-10-14 Ludovic Courtès <ludo@gnu.org>
+
+ * guile/src/core.c: guile: Remove trailing zero in
+ 'gnutls_server_name_set' call. In GnuTLS 3.2.19 (and possibly 3.3.9 and 3.1.17),
+ 'set-session-server-name!' would pass a trailing nul character on
+ the wire after the server name, which would thus be rejected by
+ servers.
+
+2014-10-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/dsa-fips.h, lib/nettle/int/provable-prime.c,
+ lib/nettle/int/rsa-keygen-fips186.c: FIPS140-2 RSA key generation
+ changes to account for seed starting with null byte
+
+2014-10-14 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/libopts/Makefile.am: corrected libopt's Makefile.am reported by Marius Schamschula.
+
+2014-10-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/rsa-keygen-fips186.c: use lcm(p-1,q-1) instead of
+ phi(n) for RSA key generation in FIPS-140-2 mode
+
+2014-10-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/accelerated/x86/sha-x86-ssse3.c: corrected the SSSE3 optimized
+ SHA224
+
+2014-10-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/rnd-common.c: simplified getrusage code; the failure
+ check code wasn't needed
+
+2014-10-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-10-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/x509-extensions.c: tests: added check for import failure of
+ v1 certificate with extensions
+
+2014-10-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/x509.c: do not allow importing X.509 certificates with
+ version < 3 and extensions present
+
+2014-10-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * cfg.mk: update the guile manual along the C one
+
+2014-10-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS, configure.ac, m4/hooks.m4: bumped version
+
+2014-10-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-10-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/libopts/Makefile.am, src/libopts/ag-char-map.h,
+ src/libopts/ao-strs.c, src/libopts/ao-strs.h,
+ src/libopts/autoopts.h, src/libopts/autoopts/options.h,
+ src/libopts/autoopts/usage-txt.h, src/libopts/compat/_Noreturn.h,
+ src/libopts/genshell.c, src/libopts/genshell.h,
+ src/libopts/intprops.h, src/libopts/m4/libopts.m4,
+ src/libopts/m4/stdnoreturn.m4, src/libopts/option-value-type.c,
+ src/libopts/option-value-type.h,
+ src/libopts/option-xat-attribute.c,
+ src/libopts/option-xat-attribute.h, src/libopts/parse-duration.c,
+ src/libopts/proto.h, src/libopts/stdnoreturn.in.h,
+ src/libopts/version.c: updated to libopts 5.18.4
+
+2014-10-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/nettle/rnd-common.c: place all rusage variables into
+ HAVE_GETRUSAGE block
+
+2014-10-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-10-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/nettle/rnd-common.c: rnd: if RUSAGE_THREAD fails try
+ RUSAGE_SELF
+
+2014-10-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/pkcs11-combo.c: tests: pkcs11-combo: use unique db
+ file
+
+2014-10-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-10-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/ext/session_ticket.c: use wait and retransmit when receiving
+ session tickets
+
+2014-10-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/dtls/dtls, tests/dtls/dtls-stress.c: tests: added -r option
+ to dtls-stress That allows it to replay messages in a kind of arbitrary way.
+
+2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/ext/heartbeat.c: forbid heartbeat messages during a handshake
+
+2014-10-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c:
+ added internal variable to track handshake status Conflicts: lib/gnutls_handshake.c
+
+2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * .gitignore: more files to ignore
+
+2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/pkcs11-is-known.c: tests: updated time in
+ pkcs11-is-known
+
+2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: handle errors from override_cert_exts as
+ fatal
+
+2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/chainverify.c, tests/suite/pkcs11-chainverify.c,
+ tests/test-chains.h: tests: allow running specific chainverify tests
+ on fixed dates Conflicts: tests/chainverify.c tests/suite/pkcs11-chainverify.c tests/test-chains.h
+
+2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/common.c: _gnutls_check_valid_key_id: corrected
+ activation/expiration check
+
+2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c, lib/x509/common.c, lib/x509/common.h: pkcs11:
+ simplified and optimized loop
+
+2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * doc/cha-crypto.texi: mention nettle as the recommended crypto
+ backend
+
+2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/Makefile.am, tests/suite/pkcs11-combo.c: tests: Added
+ check to ensure that trust list combination with extra certificates
+ works
+
+2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high.c: when both a trust module and additional
+ CAs are present account the latter as well That solves an issue in openconnect which used the system trust
+ module, plus additional certificates. Conflicts: lib/x509/verify-high.c
+
+2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high.c, lib/x509/verify-high.h: simplify the
+ handling of trust_list_get_issuer() when GNUTLS_TL_GET_COPY is not
+ given
+
+2014-10-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/pk.c: corrected assignment
+
+2014-10-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/libgnutls.map: corrected the name of exported function
+
+2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/test-chains.h: tests: corrected test for v1 cert signing
+ (removed bogus authorityIdentifier)
+
+2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool.c: certtool: only set the authority key identifier,
+ if there is a corresponding subject key identifier
+
+2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: do not shortcut checks when
+ GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY is specified
+
+2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c, lib/x509/common.c, lib/x509/common.h: pkcs11: always
+ check for a valid subjectKeyIdentifier match That way, expired certificates can co-exist with their replacements.
+
+2014-10-06 Armin Burgmeier <armin@arbur.net>
+
+ * lib/x509/verify-high2.c: Return an error if multiple PKCS11 URLs
+ are added to a trust list Before, the new URL would overwrite the old URL, and the memory of
+ theold URL would be leaked. It is documented that only one URL can
+ be used, so it should be safe to reject any attempt to add another
+ one. Signed-off-by: Armin Burgmeier <armin@arbur.net>
+
+2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c, lib/x509/common.c, lib/x509/common.h: pkcs11: when
+ no CKA_ID can be relied on fallback on checking the
+ SubjectKeyIdentifier Patch by David Woodhouse.
+
+2014-10-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_global.c: report the FIPS140-2 mode
+
+2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/libgnutls.map, lib/nettle/pk.c: added FIPS140-2 ECDH
+ verification functions
+
+2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/libgnutls.map, lib/nettle/pk.c: added FIPS140-2 DH
+ verification functions
+
+2014-10-07 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/suite/pkcs11-is-known.c: tests: corrected check with
+ gnutls_x509_trust_list_get_issuer
+
+2014-10-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/verify-high2.c: corrected remove_pkcs11_url()
+
+2014-10-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/suite/Makefile.am, tests/suite/pkcs11-is-known.c: tests:
+ check gnutls_pkcs11_crt_is_known() when multiple same DNs are
+ present
+
+2014-10-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11.c: pkcs11: when checking for presence do not give up on
+ the first mismatch
+
+2014-10-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11.c: address memory leak in gnutls_pkcs11_crt_is_known()
+
+2014-10-05 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/verify-high2.c: doc update: clarifications in
+ gnutls_x509_trust_list_add_trust_file
+
+2014-10-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high.c: corrected compilation for non-pkcs11;
+ reported by David Woodhouse.
+
+2014-09-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: corrected typo
+
+2014-10-01 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-10-01 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/suite/pkcs11-get-issuer.c, tests/x509cert.c: tests: added
+ check for GNUTLS_TL_GET_COPY
+
+2014-10-01 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_cert.c, lib/gnutls_x509.c, lib/includes/gnutls/x509.h,
+ lib/x509/ocsp.c, lib/x509/verify-high.c: Added GNUTLS_TL_GET_COPY
+ flag and documented the limitations of
+ gnutls_x509_trust_list_get_issuer()
+
+2014-09-30 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/opencdk/stream.h: opencdk: changed filter_fnct_t to match the
+ actual function prototypes
+
+2014-09-30 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-09-26 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_buffers.c, lib/gnutls_handshake.c: do not allow
+ GNUTLS_E_LARGE_PACKET to be returned from non-DTLS sessions
+
+2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/system.c: gnutls_x509_trust_list_add_system_trust() will not
+ allow duplicate entries
+
+2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/verify-high2.c: use _DIRENT_HAVE_D_TYPE to detect
+ d->d_type
+
+2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/x509.c: corrected type
+
+2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c:
+ protect DTLS clients that don't handle GNUTLS_E_LARGE_PACKET from an
+ infinite loop on handshake
+
+2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_errors.c: removed unused error values
+
+2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_handshake.c, lib/gnutls_record.c, lib/gnutls_record.h:
+ restrict the number of non-fatal errors gnutls_handshake() can
+ return
+
+2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_errors.c: optimized gnutls_error_is_fatal() by
+ splitting the errors to two tables
+
+2014-09-22 Ludovic Courtès <ludo@gnu.org>
+
+ * guile/src/core.c: guile: Restore cross-reference in
+ 'set-session-priorities!' docstring. This had been destroyed in 32d90395.
+
+2014-09-22 Ludovic Courtès <ludo@gnu.org>
+
+ * guile/modules/gnutls.in, guile/modules/gnutls/build/enums.scm,
+ guile/src/core.c, guile/tests/anonymous-auth.scm: guile: Add
+ bindings for 'gnutls_server_name_set'. This adds the 'set-session-server-name!' procedure and the
+ 'server-name-type' enum type.
+
+2014-09-18 Armin Burgmeier <armin@arbur.net>
+
+ * lib/x509/verify-high.c: Memory leak fix on certificate copy
+ failure Signed-off-by: Armin Burgmeier <armin@arbur.net>
+
+2014-09-17 Armin Burgmeier <armin@arbur.net>
+
+ * lib/gnutls_ui.c: Fix a documentation typo Signed-off-by: Armin Burgmeier <armin@arbur.net>
+
+2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * cfg.mk, lib/accelerated/x86/files.mk: regenerated files.mk
+
+2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * libdane/dane.c: libdane: do not require the CA to be a direct CA
+
+2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/scripts/common.sh, tests/suite/testpkcs11: tests: enhanced
+ test suite to pass more of the PKCS #11 API under valgrind
+
+2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/serv-args.def, src/serv.c: gnutls-serv: added the --provider
+ option
+
+2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/common.c: tools: corrected pin entry
+
+2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_x509.c: cleaned up memory deallocation in
+ read_cert_url() That caused unexpected results when loading PKCS #11 URLs. Reported
+ by Joseph Peruski.
+
+2014-09-18 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/certtool.cfg: updated certtool.cfg
+
+2014-09-18 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
+ auto-generated files
+
+2014-09-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/test-chains.h: tests: added checks with modified certificate This tests whether a modified of a DER certificate, that is
+ cancelled out while we parse it, would result to a good signature.
+
+2014-09-18 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-09-18 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac: depend on p11-kit 0.20.7
+
+2014-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac, lib/pkcs11x.h: depend on p11-kit 0.20.6
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * m4/hooks.m4: require libtasn1 3.9 or later That is because of the ocsp fix.
+
+2014-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/verify-tofu.c: removed unused variable
+
+2014-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_x509.c: added sanity check on cleanup
+
+2014-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool.c: certtool: corrected typo in printing error
+
+2014-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: correctly reallocate the read buffer Report and patch by David Woodhouse.
+
+2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * doc/cha-cert-auth.texi: updated documentation on PKCS #11 trust
+ module verification
+
+2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/common.h, lib/x509/verify-high.c, lib/x509/verify.c:
+ unified the key purpose checks functions
+
+2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/x509.h, lib/x509/common.h,
+ lib/x509/verify-high.c, lib/x509/verify.c: check for CAs with the
+ same key in gnutls_x509_trust_list_add_cas That way when GNUTLS_TL_NO_DUPLICATE_KEY is specified the added CA
+ will overwrite any previous one with the same name and key.
+
+2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high.c: hostname and key purpose checks were moved
+ above CRL checks
+
+2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/output.c, lib/x509/x509_ext.c: doc update
+
+2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * m4/hooks.m4: bumped library version
+
+2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/crl.c: corrected gnutls_x509_crl_get_raw_issuer_dn()
+
+2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/common.c: only deallocate data when allocation succeeds
+
+2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-09-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/minitasn1/decoding.c: updated libtasn1
+
+2014-09-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * doc/cha-gtls-app.texi: documented the environment variables
+
+2014-09-15 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/verify-tofu.c, lib/x509/common.c, lib/x509/common.h:
+ Backported x509_raw_crt_to_raw_pubkey and x509_crt_to_raw_pubkey
+
+2014-09-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-09-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/pkcs11.c: p11tool: print Attached Extensions, instead of
+ extensions
+
+2014-09-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high.c: when adding a duplicate certificate, keep
+ the last entry
+
+2014-09-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/pkcs11-get-issuer.c: pkcs11-get-issuer: do not
+ hardcode the chain number, use its name
+
+2014-09-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/x509-ext.h, lib/libgnutls.map,
+ lib/x509/output.c, lib/x509/x509.c, lib/x509/x509_ext.c,
+ src/pkcs11.c: fixes in the extension handling
+
+2014-09-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/pkcs11.c: p11tool: will print trust module extensions if
+ present
+
+2014-09-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high.c, lib/x509/verify.c, lib/x509/x509_int.h:
+ check the key purpose of the CA certificate when in pkcs11 cert
+ validation
+
+2014-09-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/Makefile.am, lib/includes/gnutls/pkcs11.h,
+ lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/pkcs11.c,
+ lib/pkcs11_int.c, lib/pkcs11_int.h, lib/x509/common.h,
+ lib/x509/output.c, lib/x509/x509_ext.c: allow retrieving extensions
+ in a trust module using
+ GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT Conflicts: lib/pkcs11.c
+
+2014-09-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/verify-tofu.c, lib/x509/common.h, lib/x509/extensions.c,
+ lib/x509/ocsp.c: export x509_crt_to_raw_pubkey() in x509/common.h
+ and prefixed s/get_extension with _gnutls
+
+2014-09-10 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high.c: doc update
+
+2014-09-09 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_cert.c, lib/gnutls_x509.c, lib/gnutls_x509.h,
+ lib/includes/gnutls/x509.h, lib/libgnutls.map,
+ lib/x509/verify-high.c: gnutls_x509_trust_list_verify_crt2 is in par
+ with gnutls_certificate_verify_peers That is, it accepts a list of gnutls_typed_vdata_st and allows for
+ flexibility. Conflicts: lib/libgnutls.map
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/x509_ext.c: doc update
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/crq.c,
+ lib/x509/x509.c: Added gnutls_x509_crt_get_extension_by_oid2() and
+ gnutls_x509_crq_get_extension_by_oid2()
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_x509.c, lib/includes/gnutls/x509.h, lib/libgnutls.map,
+ lib/x509/verify-high.c: Added
+ gnutls_x509_trust_list_verify_purpose_crt() Conflicts: lib/libgnutls.map
+
+2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, lib/pkcs11.c, lib/pkcs11x.c, lib/pkcs11x.h: simulate
+ pkcs11x.h when it doesn't exist
+
+2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/Makefile.am, lib/pkcs11.c, lib/pkcs11x.h: added pkcs11x.h
+
+2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/Makefile.am, tests/crlverify.c: tests: Added crlverify to
+ check gnutls_x509_crl_verify and gnutls_x509_trust_list_add_crls Conflicts: tests/Makefile.am
+
+2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/verify.c: gnutls_x509_crl_verify: do not always set the
+ invalid status Reported by Armin Burgmeier.
+
+2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_ui.c: doc update
+
+2014-09-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11x.c: added missing file
+
+2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/verify.c: Revert "gnutls_x509_crl_verify: do not always
+ set the invalid status" This reverts commit 950b62da58542938adec366620948c85b78607dd.
+
+2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/verify.c: gnutls_x509_crl_verify: do not always set the
+ invalid status Reported by Armin Burgmeier.
+
+2014-09-05 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/tpmtool.c: tpmtool: corrected key password read
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/danetool.c: set umask prior to calling mkstemp
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high.c: initialize verification output to zero
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_buffers.c: dtls: when discarding packet, discard the
+ correct number of bytes
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/rfc2818_hostname.c: check_ip: initialize ret
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/tpm.c: gnutls_tpm_privkey_generate: initialize input values to
+ null to prevent any issue
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: do not dereference find_data->p_list in pkcs11
+ callback
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/rnd-fips.c: corrected issue in fips RNG
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/pk.c: added comment to clarify check
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/opencdk/literal.c: opencdk: corrected unsigned comparison
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/tpm.c: fixes in loop for SRK password input
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/common.c: apps: corrected GNUTLS_PIN reading
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high2.c: gnutls_x509_trust_list_add_trust_dir:
+ corrected CRL loading error
+
+2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool-cfg.c: certtool: corrected copy+paste error
+
+2014-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high2.c: corrected usage of readdir_r()
+
+2014-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/ocsptool-common.c: ocsptool: better error message
+
+2014-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify-high2.c: reentrant fixes for
+ gnutls_x509_trust_list_add_trust_dir() handle unknown file types
+
+2014-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/ocsp.c: doc update
+
+2014-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * m4/hooks.m4, tests/ocsp.c: Revert "require libtasn0 3.9 or later" This reverts commit 07a906b4e5c9d1446aee1bf4e091fefa1f1eb1da.
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/x509_dn.c: optimized escaped comma handling
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * m4/hooks.m4, tests/ocsp.c: require libtasn1 3.9 or later That is because of the ocsp fix.
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/crq_apis.c: tests: extended crq API checks
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/x509_write.c: doc update
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/x509_dn.c: when setting a DN properly handle spaces and
+ escaped commas
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/common.c, lib/x509/common.h, lib/x509/crl.c,
+ lib/x509/x509.c: The get_raw_dn() functions were modified to work
+ even if the certificate is generated (not imported)
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_dtls.c: Disallow zero fragments in DTLS for packets
+ which have data. Reported by Manuel Pégourié-Gonnard.
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac, lib/vasprintf.c: steal openconnect's vasprintf()
+ implementation
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/vasprintf.c: corrected bundled vasprintf(); reported by Jeff
+ Lee
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac, m4/hooks.m4: bumped version
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h: updated
+ included libtasn1
+
+2014-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/ocsp.c: tests: Added tests on the invalid OCSP response
+
+2014-09-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-09-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/common.h, lib/x509/verify.c: when comparing an
+ end-certificate with the trusted list compare the entire certificate
+
+2014-09-02 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/test-chains.h: tests: Added test for amazon.com chain with
+ new verisign CA.
+
+2014-09-02 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/x509/common.c,
+ lib/x509/common.h, lib/x509/crl.c, lib/x509/verify.c,
+ lib/x509/x509.c, lib/x509/x509_int.h: when comparing a CA
+ certificate with the trusted list compare the name and key That is to handle cases where a CA certificate was superceded by a
+ different one with the same name and the same key. That can happen
+ when an intermediate CA certificate is replaced by a self-signed
+ one.
+
+2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/common.c, lib/x509/crl.c, lib/x509/x509.c: avoid new
+ allocations and keep a pointer to the DER data for DN
+
+2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/crl.c, lib/x509/verify.c, lib/x509/x509_int.h: when
+ importing a CRL keep the DER data
+
+2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/common.c, lib/x509/common.h, lib/x509/crq.c,
+ lib/x509/verify.c, lib/x509/x509.c, lib/x509/x509_int.h: when
+ importing a certificate, keep the DER data
+
+2014-09-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/fips.c: fips140: check the integrity of GMP
+
+2014-09-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/fips.c, lib/fips.h, lib/gnutls_global.c,
+ lib/nettle/int/dsa-fips.h: perform the FIPS140-2 self tests in two
+ rounds One round is before the AES acceleration is registered, and the
+ second is after. That is to allow testing of the AES implementation
+ used in the DRBG. That is a hack until nettle handles all cipher
+ acceleration. Conflicts: lib/gnutls_global.c
+
+2014-09-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-09-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/name_constraints.c: name constraints: do not check CN
+ when a DNSname is available
+
+2014-09-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/drbg-aes-self-test.c, lib/nettle/int/drbg-aes.h:
+ drbg-aes: added checks in the error handling of the functions That coverts the instantiate and generation functions.
+
+2014-09-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/crypto-selftests.c: fips140: fail on encryption test failure
+
+2014-09-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/drbg-aes.c: drbg-aes: if the continuous test fails,
+ put the library into error state
+
+2014-08-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/cha-tokens.texi, doc/cha-upgrade.texi, doc/latex/cover.tex:
+ small doc updates
+
+2014-08-31 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/Makefile.am, doc/cha-tokens.texi, doc/latex/cover.tex: doc:
+ fixes in sectioning for p11tool and tpmtool invocation
+
+2014-08-29 Tristan Matthews <le.businessman@gmail.com>
+
+ * lib/ext/alpn.c: alpn: fix version documentation Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+2014-08-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/pkcs11.c: p11tool: allow printing multiple types of tokens
+
+2014-08-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/rfc2818_hostname.c: refer to rfc6125
+
+2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/privkey.c: additional sanity check in RSA key generation
+ testing in FIPS-140-2 mode The encrypted data are checked to differ from the plaintext, to
+ prevent any issues with an accidental null encryption.
+
+2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/privkey.c: when in FIPS140-2 mode switch the library to
+ error state if key generation fails
+
+2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * cfg.mk, configure.ac, devel/openssl,
+ lib/accelerated/x86/Makefile.am, lib/accelerated/x86/x86-common.c:
+ added configuration option --disable-padlock That allows keeping hardware acceleration in x86 but without support
+ for padlock.
+
+2014-08-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-08-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/pkcs11.c: p11tool: when listing tokens, list their type as
+ well
+
+2014-08-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/accelerated/x86/x86-common.c: hide _gnutls_x86_cpuid_s
+
+2014-08-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: gnutls_pkcs11_obj_list_import_url2() will import
+ data in a single pass
+
+2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: when reading PKCS #11 objects, read multiple
+ objects at a time That improves the performance significantly when reading from tokens
+ with a significant number of objects. Reported by David Woodhouse.
+
+2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: do not fail the entire operation if a single
+ object cannot be imported
+
+2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: allow objects without label or without ID
+
+2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/test-chains.h: tests: updated name constraints checks to not
+ include a CN
+
+2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/name_constraints.c, lib/x509/x509.c: doc update
+
+2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/verify.c: only check name constraints in non-CA
+ certificates
+
+2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/name_constraints.c: ignore constraints for different type
+ than the checked
+
+2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/name_constraints.c: when verifying name constrains
+ enforce the single CN rule
+
+2014-08-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/libopts/autoopts.h: check for stdnoreturn.h presence
+
+2014-08-24 Alon Bar-Lev <alon.barlev@gmail.com>
+
+ * tests/Makefile.am, tests/x509cert-tl.c: build: tests: x509cert-tl:
+ support separate builddir Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+
+2014-08-24 Alon Bar-Lev <alon.barlev@gmail.com>
+
+ * lib/gnutls_privkey.c: build: condition pkcs11 block Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
+
+2014-08-24 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: released 3.3.7
+
+2014-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_record.c: record: tolerate a finished packet with
+ errors in DTLS
+
+2014-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_record.c: record: in DTLS discard only messages that
+ cause unexpected packet errors
+
+2014-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/socket.c: tools: use the AI_IDN flag in getaddrinfo if it
+ exists
+
+2014-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/certtool-common.c, src/certtool-extras.c, src/common.c,
+ src/danetool.c, src/socket.c: danetool: added openssl-linking
+ exception That allows linking against unbound.
+
+2014-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/danetool.c: danetool: ensure the temporary file is always
+ removed
+
+2014-08-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_errors.c: doc update
+
+2014-08-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/dsa-keygen-fips186.c: prevent 1024-bit DSA
+ parameter generation only when FIPS-mode is enabled.
+
+2014-08-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/dsa-keygen-fips186.c: Revert "removed pbits=1024,
+ qbits=160 from the acceptable bit sizes in FIPS140-2 DSA parameter
+ generation." This reverts commit 110527d9bb9ca70a66ae8173769067f133fd3cf7.
+
+2014-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/system.c: use the windows API in windows even if iconv is
+ available
+
+2014-08-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/minitasn1/decoding.c: updated libtasn1
+
+2014-08-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/minitasn1/decoding.c: updated minitasn1
+
+2014-08-20 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * m4/hooks.m4: configure: print error message when nettle is 3.0 or
+ later
+
+2014-08-18 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/crl.c, lib/x509/pkcs7.c, lib/x509/privkey.c,
+ lib/x509/x509.c, lib/x509/x509_int.h: Safer reinitialization of
+ structures on re-import to avoid memory leaks. That also adds the gnutls_pkcs7_t structure into the list of allowed
+ to re-import.
+
+2014-08-17 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/verify-tofu.c: doc update
+
+2014-08-17 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/verify-tofu.c: doc update
+
+2014-08-16 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/crl.c, lib/x509/pkcs12.c, lib/x509/privkey.c,
+ lib/x509/privkey_pkcs8.c, lib/x509/x509.c, lib/x509/x509_int.h:
+ Re-initialize the ASN.1 structures on every import That allows to import a key/certificate on a structure even if the
+ previous import failed.
+
+2014-08-14 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * symbols.last: symbols.last: added private entry
+
+2014-08-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/cli-args.def, src/cli.c: gnutls-cli: added --fips140-mode
+ command line option That option will report the status of the FIPS140-2 mode in the
+ library.
+
+2014-08-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-08-14 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/fips.c: The environment variable GNUTLS_FORCE_FIPS_MODE can be
+ used to force the FIPS-140-2 mode
+
+2014-08-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/common.h: gnutls-cli/danetool: corrected check on ipv6 IPs
+
+2014-08-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-08-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/cli-debug.c, src/cli.c, src/common.h, src/danetool.c:
+ gnutls-cli/danetool: added a common check for hostname being an IP
+
+2014-08-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/rfc2818_hostname.c: Follow the rfc6125 requirement that a
+ single CN must be present for hostname verification. Follow up on the original commit that simplifies checking for more
+ than a single hostname.
+
+2014-08-13 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/rfc2818_hostname.c, tests/hostname-check.c: Follow the
+ rfc6125 requirement that a single CN must be present for hostname
+ verification.
+
+2014-08-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/hostname-check.c: tests: check that
+ gnutls_x509_crt_check_hostname() will correctly use the last CN when
+ multiple
+
+2014-08-12 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/rfc2818_hostname.c: when checking the hostname of a
+ certificate with multiple CNs use the "most specific" CN In our case we use the last CN present in the DN. Reported by David
+ Woodhouse. https://bugzilla.mozilla.org/show_bug.cgi?id=307234#c2
+
+2014-08-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/benchmark-cipher.c: gnutls-cli: more organized printing of
+ cipher benchmark output
+
+2014-08-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/benchmark-tls.c: gnutls-cli: removed salsa20 from the
+ benchmarked ciphers
+
+2014-08-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-08-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/algorithms.h, lib/algorithms/mac.c, lib/libgnutls.map:
+ mac_to_entry -> _gnutls_mac_to_entry
+
+2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/libgnutls.map, tests/pkcs12_s2k.c: tests: updated string to
+ keys tests for new internal API
+
+2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/pkcs12-decode/Makefile.am, tests/pkcs12-decode/pkcs12:
+ tests: test the decoding of a PKCS #12 structure with SHA256 MAC
+
+2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/algorithms.h, lib/x509/pkcs12.c, lib/x509/pkcs12_encr.c,
+ lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: pkcs12: Allow
+ verification with structures that support other than HMAC-SHA1 MACs.
+
+2014-08-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: gnutls_pkcs11_obj_flags_get_str: mention UNWRAP
+
+2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/pkcs12.c: updated doc for gnutls_pkcs12_simple_parse()
+
+2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/danetool.c: danetool: obtain certificate only once
+
+2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * m4/hooks.m4: bumped version
+
+2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: added new
+ functions
+
+2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11:
+ modified prototype and doc to be recognized by doc parser
+
+2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/cli-debug-args.def, src/danetool-args.def, src/socket.c:
+ danetool/gnutls-cli-debug: added support for imap starttls
+
+2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/manpages/tpmtool.1: auto-generated files update
+
+2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/cli-debug-args.def, src/cli-debug.c: gnutls-cli-debug:
+ supports SMTP starttls
+
+2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/danetool-args.def, src/danetool.c, src/socket.c, src/socket.h:
+ danetool: supports SMTP starttls
+
+2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/danetool-args.def, src/danetool.c, src/socket.c: danetool:
+ improvements in information presentation
+
+2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * libdane/dane.c: libdane: disable debugging mode
+
+2014-08-08 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-08-08 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/Makefile.am, src/cli.c, src/danetool.c,
+ src/ocsptool-common.c, src/socket.c, src/socket.h,
+ tests/suite/testdane: danetool: if the certificate to verify against
+ is not provide it try to obtain it
+
+2014-08-08 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_handshake.c: updated documentation for
+ gnutls_handshake()
+
+2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_pk.c: protect _gnutls_params_get_rsa_raw() from
+ crashing when exporting an RSA public key That could happen in case of PKCS #11 abstract keys.
+
+2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: corrected typo
+
+2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c:
+ p11tool: added --info parameter That allows obtaining information on a specific object.
+
+2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c: pkcs11: added
+ GNUTLS_PKCS11_OBJ_ATTR_MATCH flag This flag allows listing only the tokens that match the URL. That
+ is, this performs an object URL comparison, rather than a token URL
+ usage.
+
+2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/p11tool.c: p11tool: only print the debugging message in
+ debuglevel > 4
+
+2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: pkcs11: check CKA_UNWRAP as well for enabling
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP
+
+2014-08-07 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/cha-intro-tls.texi: removed reference to UMAC
+
+2014-08-07 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/cha-intro-tls.texi: removed references to SALSA20
+
+2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: doc update
+
+2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: pkcs11: simplified pkcs11_privkey handling A PKCS #11 always holds an open session to the key.
+
+2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
+ src/pkcs11.c: gnutls_pkcs11_flags_get_str ->
+ gnutls_pkcs11_obj_flags_get_str
+
+2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-get-issuer.c:
+ tests: ensure that no environment variables confuse softhsm
+
+2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/testpkcs11: testpkcs11: exit if
+ export_pubkey_of_privkey fails
+
+2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
+ lib/pkcs11_int.h, lib/pkcs11_privkey.c, src/p11tool.c, src/pkcs11.c:
+ pkcs11: added new functions to query the object's flags gnutls_pkcs11_obj_get_flags() allows obtaining an object's flags,
+ and gnutls_pkcs11_flags_get_str() allows printing them.
+
+2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/pkcs11.h: pkcs11.h: introduced
+ gnutls_pkcs11_obj_flags
+
+2014-08-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-08-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c:
+ p11tool: simplify the passing of flags and pass the key wrapping
+ flag
+
+2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/benchmark-tls.c: gnutls-cli: TLS benchmark parameters were
+ updated
+
+2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_privkey.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c:
+ _gnutls_privkey_get_mpis: extended to work for PKCS #11 keys
+
+2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c, lib/pkcs11_privkey.c: doc update
+
+2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map,
+ lib/pkcs11_privkey.c, src/pkcs11.c: changed semantics of
+ gnutls_pkcs11_privkey_get_pubkey; named
+ gnutls_pkcs11_privkey_export_pubkey Conflicts: lib/libgnutls.map
+
+2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_get_pubkey: return
+ GNUTLS_E_INVALID_REQUEST on invalid params
+
+2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/p11tool.c: p11tool: activate the --batch option
+
+2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/testpkcs11: testpkcs11: Test the export of public key
+
+2014-08-06 Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com>
+
+ * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c:
+ add public key export to p11tool Signed-off-by: Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com>
+
+2014-08-04 Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com>
+
+ * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map,
+ lib/pkcs11_privkey.c: add pubkey export from private key in pkcs11
+ subsystem There are cases where we need to export the public key of private
+ key at a later time. Previously, the public key was only available
+ immediately after creation of a key pair. This patch allows to
+ retrieve the public key of a private key at any time after creation. Signed-off-by: Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com>
+
+2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: documented flags format
+
+2014-08-04 Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com>
+
+ * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: improve
+ compatibility in pkcs11 key generation * add key wrap/unwrap key usage * explicitly set public exponent in template Signed-off-by: Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com>
+
+2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/cli-debug.c, src/tests.c: gnutls-cli-debug: added AES and
+ CAMELLIA to the list of default ciphers
+
+2014-08-05 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_state.c, lib/x509/x509.c: doc: replaced non-0 with
+ non-zero
+
+2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/privkey_pkcs8.c: pkcs8: initialize parameters on
+ decryption
+
+2014-07-31 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/rnd-common.c, lib/system.h, lib/x509/verify-high2.c:
+ several windows compilation fixes Conflicts: lib/atfork.h
+
+2014-07-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * src/libopts/COPYING.gplv3, src/libopts/COPYING.lgplv3,
+ src/libopts/README, src/libopts/ag-char-map.h, src/libopts/alias.c,
+ src/libopts/ao-strs.c, src/libopts/ao-strs.h,
+ src/libopts/autoopts.c, src/libopts/autoopts.h,
+ src/libopts/autoopts/options.h, src/libopts/autoopts/project.h,
+ src/libopts/autoopts/usage-txt.h, src/libopts/boolean.c,
+ src/libopts/check.c, src/libopts/compat/compat.h,
+ src/libopts/compat/windows-config.h, src/libopts/configfile.c,
+ src/libopts/cook.c, src/libopts/enum.c, src/libopts/env.c,
+ src/libopts/file.c, src/libopts/find.c, src/libopts/genshell.c,
+ src/libopts/genshell.h, src/libopts/gettext.h, src/libopts/init.c,
+ src/libopts/load.c, src/libopts/m4/libopts.m4,
+ src/libopts/m4/liboptschk.m4, src/libopts/makeshell.c,
+ src/libopts/nested.c, src/libopts/numeric.c,
+ src/libopts/option-value-type.c, src/libopts/option-value-type.h,
+ src/libopts/option-xat-attribute.c,
+ src/libopts/option-xat-attribute.h, src/libopts/parse-duration.c,
+ src/libopts/parse-duration.h, src/libopts/pgusage.c,
+ src/libopts/proto.h, src/libopts/putshell.c, src/libopts/reset.c,
+ src/libopts/restore.c, src/libopts/save.c, src/libopts/sort.c,
+ src/libopts/stack.c, src/libopts/streqvcmp.c,
+ src/libopts/text_mmap.c, src/libopts/time.c,
+ src/libopts/tokenize.c, src/libopts/usage.c, src/libopts/version.c:
+ updated to libopts 5.18.3
+
+2014-07-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * build-aux/config.rpath, build-aux/gendocs.sh,
+ doc/gendocs_template, gl/m4/gnulib-common.m4, gl/m4/intl.m4,
+ gl/m4/po.m4, gl/m4/printf.m4, gl/m4/valgrind-tests.m4,
+ gl/tests/fcntl.in.h, maint.mk, src/gl/error.c, src/gl/m4/dup2.m4,
+ src/gl/m4/gnulib-common.m4, src/gl/m4/printf.m4, src/gl/mktime.c,
+ src/gl/select.c, src/gl/xalloc.h: updated gnulib
+
+2014-07-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/pkcs12.c: updated documentation for
+ gnutls_pkcs12_simple_parse
+
+2014-07-29 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS, configure.ac, m4/hooks.m4: bumped versions
+
+2014-07-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-07-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/Makefile.am, lib/inet_pton.c, lib/system.h,
+ lib/x509/rfc2818_hostname.c: Added replacements of inet_aton and
+ inet_pton on systems they are not present gnulib is avoided due to keep the gnulib network replacements out of
+ the library.
+
+2014-07-28 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * doc/cha-cert-auth.texi: Added text on PKCS #11 verification
+
+2014-07-27 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/includes/gnutls/abstract.h, lib/includes/gnutls/gnutls.h.in,
+ lib/includes/gnutls/ocsp.h, lib/includes/gnutls/pkcs11.h,
+ lib/includes/gnutls/x509.h: removed comma at the end of enumerations That patch allows compilers that don't support C99 syntax to compile
+ applications that use a header of gnutls. Report and patch Ryan
+ Schmidt.
+
+2014-07-27 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * Makefile.am, configure.ac, doc/Makefile.am: check for sed in
+ configure.ac and use the output variable in Makefiles
+
+2014-07-24 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_handshake.c: doc update
+
+2014-07-23 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/dane.c: tests: dane: add flag DANE_F_IGNORE_LOCAL_RESOLVER
+ to dane_state_init That prevents unbound from complaining in systems where no DNSSEC
+ functionality is present.
+
+2014-07-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * libdane/dane.c: doc update
+
+2014-07-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/Makefile.am: tests: added libdane/includes to includes dir
+
+2014-07-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: released 3.3.6
+
+2014-07-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: Added
+ missing functions
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * m4/hooks.m4: bumped library version
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * libdane/dane.c: libdane: simplified initialization of variables.
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * libdane/dane.c: libdane: bogus and secure values are always
+ initialized in dane_query_to_raw_tlsa
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/dane.c: tests: eliminated leak from dane check
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * libdane/dane.c: libdane: use gnutls_malloc() and doc update
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/Makefile.am, tests/dane.c: Added self test for DANE raw
+ functions
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/danetool-args.def, src/danetool.c: danetool: added option to
+ print the raw entries.
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * libdane/dane.c: doc update
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/libgnutls.map: moved _gnutls_prf_raw to FIPS140 symbols
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/accelerated/x86/aes-gcm-x86-pclmul.c,
+ lib/accelerated/x86/aes-padlock.c: Added sanity check on padlock AES
+ IV set.
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_state.c, lib/libgnutls.map: fips140-2: Added
+ _gnutls_prf_raw() which can calculate the TLS PRF without depending
+ on a session structure.
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/fips.c: fips140-2: do not check the libtasn1's integrity
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/algorithms/ciphersuites.c: RSA-PSK ciphersuites are only
+ allowed in TLS 1.0. That is because they implement the EncryptedPreMasterSecret encoding
+ according to RFC 4279, which uses the TLS 1.0 (RFC 2246) encoding,
+ and there can be ambiguities when using that over SSL 3.0. See:
+ http://lists.gnupg.org/pipermail/gnutls-help/2014-July/003546.html
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_priority.c: gnutls_priority_init: set err_pos prior to
+ any action That allows a valid err_pos, even on a memory allocation error.
+ Reported by Dan Fandrich.
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * doc/TODO: updated TODO
+
+2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/algorithms/ciphersuites.c: minimum version was changed to TLS
+ 1.0 for ciphersuites with SHA2 These ciphersuites could not be used with SSL 3.0 that only defines
+ usage of MD5 or SHA1 MACs. Reported by Manuel Pegourie-Gonnard.
+
+2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/pkcs11.c: ignore CKR_CRYPTOKI_ALREADY_INITIALIZED when
+ returned on reinitialization
+
+2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/Makefile.am, tests/x509cert-dir/ca.pem, tests/x509cert-tl.c:
+ tests: x509cert-tl checks gnutls_x509_trust_list_add_trust_dir()
+
+2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_x509.c: doc update
+
+2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_x509.c, lib/includes/gnutls/gnutls.h.in,
+ lib/libgnutls.map: Added gnutls_certificate_set_x509_trust_dir()
+
+2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/system.c,
+ lib/x509/verify-high2.c: Added
+ gnutls_x509_trust_list_add_trust_dir() This essentially exports the functionality to read from a directory
+ with trusted certificates.
+
+2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, lib/system.c: Allow specifying a directory as trust
+ store
+
+2014-07-11 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * NEWS: doc update
+
+2014-07-10 Simon Arlott <sa.me.uk>
+
+ * libdane/dane.c, libdane/includes/gnutls/dane.h,
+ libdane/libdane.map: libdane: add function dane_query_to_raw_tlsa This function converts a dane_query_t into the parameters needed for
+ dane_raw_tlsa() to make it easy to copy the results of the
+ (synchronous) lookup query from one process to another. This code allocates an unnecessary extra NULL entry for
+ dane_data_len to avoid trying to malloc 0 bytes if q->data_entries
+ is 0 (it is possible for malloc/calloc to return NULL when requested
+ to allocate 0 bytes). Signed-off-by: Simon Arlott
+
+2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/fips.c: FIPS140-2 tests: no need for MD5 check
+
+2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/fips.c: FIPS140-2 tests: removed redundant checks We keep on check per cipher which is required, and avoid multiple
+ (and time-consuming) tests.
+
+2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/accelerated/x86/x86-common.c: Allow specifying
+ GNUTLS_CPUID_OVERRIDE in either hex or decimal.
+
+2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/accelerated/x86/x86-common.c: Added option to disable any cpu
+ optimizations
+
+2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/accelerated/x86/x86-common.c,
+ lib/accelerated/x86/x86-common.h: simplified housekeeping of CPUID
+ registers
+
+2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/accelerated/x86/x86-common.c: Allow overriding the detected
+ CPUID using the GNUTLS_CPUID_OVERRIDE environment variable
+
+2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/privkey.c: FIPS140-2 tests: Added pairwise consistency
+ check for RSA encryption
+
+2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/crypto-selftests-pk.c: FIPS140-2 tests: check with DSA-2048
+ and DSA-3072 bit keys, as well as SHA256.
+
+2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/crypto-selftests-pk.c: FIPS140-2 tests: check with RSA-2048
+ and RSA-3072 bit keys
+
+2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/crypto-selftests-pk.c: tests: check RSA with SHA256
+
+2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/crypto-selftests-pk.c: FIPS140-2 mode: test whether RSA
+ encrypted data differ from plaintext
+
+2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/cipher.c: FIPS140-2 mode: enforce the minimum GCM IV
+ size required by SP800-38D (section 8.2)
+
+2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool-args.def, src/certtool-common.c,
+ src/certtool-common.h, src/certtool.c, src/p11tool-args.def,
+ src/p11tool.c: p11tool/certtool: Added --curve parameter. The curve parameter allows to explicitly specify the curve to use
+ when generating a key.
+
+2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_privkey.c,
+ lib/pkcs11_write.c, lib/x509/key_encode.c, lib/x509/x509_int.h: set
+ CKA_EC_PARAMS when generating an ECDSA key
+
+2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/pkcs11.c: p11tool: only print warning about key sizes in RSA
+ keys
+
+2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/pkcs11.c: p11tool: make brief output more brief
+
+2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/mpi.c, lib/nettle/pk.c: mpi: use zeroize_key() instead
+ of memset()
+
+2014-07-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * libdane/dane.c: dane: Skip DANE entries that may contain unknown
+ info That would allow skipping any future entries without failing.
+ Reported by Simon Arlott.
+
+2014-07-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * libdane/dane.c: dane: Added sanity check in dane_verify_crt_raw() That allows calling the function will an empty chain. Reported by
+ Simon Arlott.
+
+2014-07-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/examples/ex-cert-select-pkcs11.c,
+ doc/examples/ex-cert-select.c, doc/examples/ex-client-dtls.c,
+ doc/examples/ex-client-srp.c, doc/examples/ex-client-x509.c,
+ doc/examples/ex-serv-anon.c, doc/examples/ex-serv-pgp.c,
+ doc/examples/ex-serv-psk.c, doc/examples/ex-serv-srp.c,
+ doc/examples/ex-serv-x509.c: examples: mention that
+ gnutls_global_init() is optional
+
+2014-07-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/cha-tokens.texi: doc: mention and link to trust storage module
+
+2014-07-06 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/cha-bib.texi, doc/cha-tokens.texi: doc update
+
+2014-07-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-07-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: pkcs11: Removed length check of attribute as
+ a sanity check for valid keys. There can be keys where the id or label is empty and thus with zero
+ length.
+
+2014-07-04 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: Increased number of attributes
+
+2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: try to restart on session errors, to avoid
+ having a failed call.
+
+2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: corrected pkcs11 reinitialization
+
+2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11_privkey.c: If we get a PKCS #11 session error,
+ invalidate the cached session.
+
+2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c: set the maximum value when printing
+ library_description
+
+2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c, lib/pkcs11_privkey.c: On fork invalidate the PKCS
+ #11 privkey cached session
+
+2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/pkcs11.c: p11tool: don't outsmart user and override login type Unfortunately tokens vary on their requirements for writing trusted
+ and private objects, and there is no one-size fits all policy. Thus
+ allow a proper failure and warn the user that so-login may be
+ required.
+
+2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/testpkcs11: testpkcs11: Try to write the trusted
+ object both by so-pin and normal pin
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/suite/testpkcs11: tests: testpkcs11: temp parameters are
+ deleted after generation
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * configure.ac, m4/hooks.m4: bumped version
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/Makefile.am: tests: added testpkcs11.sc-hsm
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/p11tool-args.def, src/pkcs11.c: p11tool: use GNUTLS_PIN and
+ GNUTLS_SO_PIN when setting the PINs of an initialized token.
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/slow/gendh.c: tests: gendh: increased the DH prime size to
+ allow usage under FIPS140-2 mode
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/common.c: tools: when in batch mode and no PIN, print a note
+ about using the environment variables
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/crq_key_id.c: tests: crq_key_id: increased generated DSA key
+ size and changed hash to SHA256 That allows the test to operate under the FIPS140-2 mode.
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/crq_key_id.c: tests: improved error reporting in crq_key_id
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * doc/cha-upgrade.texi: doc: properly terminate table
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/dsa-keygen-fips186.c: removed pbits=1024, qbits=160
+ from the acceptable bit sizes in FIPS140-2 DSA parameter generation.
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool.c, src/common.c, src/common.h, src/danetool.c,
+ src/pkcs11.c, src/serv.c: tools: PIN callback will respect batch
+ mode and will not ask for PIN.
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool-common.h, src/p11tool-args.def, src/p11tool.c,
+ src/p11tool.h, src/pkcs11.c: p11tool: Ask for label if not
+ specified. Added --batch parameter to disable interaction.
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/p11tool.c, src/p11tool.h, src/pkcs11.c: p11tool: If there is
+ only a single token available, don't bother complaining about
+ specifying the correct URL
+
+2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/nettle/int/drbg-aes.h: updated comment
+
+2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool-args.def: certtool: document that URLs are supported
+
+2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/p11tool-args.def: p11tool: document GNUTLS_SO_PIN env variable
+
+2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/suite/Makefile.am, tests/suite/testpkcs11,
+ tests/suite/testpkcs11.pkcs15, tests/suite/testpkcs11.sc-hsm,
+ tests/suite/testpkcs11.softhsm: tests: improved testpkcs11 suite
+
+2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c:
+ gnutls_pkcs11_privkey_generate2(): corrected public key extraction
+ (for ECDSA keys)
+
+2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/common.c: p11tool/certtool: use GNUTLS_SO_PIN for reading
+ security officer's PIN
+
+2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * src/certtool-common.h, src/p11tool-args.def, src/p11tool.c,
+ src/pkcs11.c: p11tool: added options --set-pin and --set-so-pin These allow for an non-interactive --initialize process.
+
+2014-06-30 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/rfc2818_hostname.c: Added explicit documentation on IPv4
+ and IPv6 address matching.
+
+2014-06-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * tests/long-session-id.c: tests: long-session-id: ignore SIGPIPE
+
+2014-06-29 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/cha-upgrade.texi: doc: Added text on upgrading to 3.3.x from
+ 3.2.x
+
+2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/rfc2818_hostname.c: do not exit the loop in case a name
+ doesn't fit into our buffer.
+
+2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/rfc2818_hostname.c: when verifying an IP, also verify it
+ as a hostname There are several misconfigured servers that placed their IP as a
+ DNS name. Pointed out by David Woodhouse.
+
+2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/output.c: supress warnings
+
+2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * NEWS: doc update
+
+2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac, lib/x509/rfc2818_hostname.c: check of inet_pton
+ instead for AF_INET6
+
+2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * configure.ac, lib/x509/output.c: Use inet_ntop() for printing IP
+ addresses. The old dumb code is used in systems that don't have that function.
+
+2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * tests/hostname-check.c: tests: Added test cases for IPv4/6
+ matching.
+
+2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * lib/x509/rfc2818_hostname.c: gnutls_x509_crt_check_hostname()
+ checks text ip addresses as well. That aligns the documentation with the implementation. Reported by
+ David Woodhouse.
+
+2014-06-27 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/gnutls_str.c: initialize str to NULL
+
+2014-06-26 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * lib/x509/crl.c: fixed documentation
+
2014-06-26 Nikos Mavrogiannopoulos <nmav@gnutls.org>
* tests/cert-tests/aki, tests/cert-tests/pathlen,
lib/accelerated/x86/aes-padlock.c,
lib/accelerated/x86/sha-padlock.c,
lib/accelerated/x86/sha-x86-ssse3.c,
- lib/accelerated/x86/x86-common.c, lib/accelerated/x86/x86-common.h,
- lib/accelerated/x86/x86.h: x86.h was renamed to x86-common.h to
- avoid clashes with system headers.
+ lib/accelerated/x86/x86-common.c, lib/accelerated/x86/{x86.h =>
+ x86-common.h}: x86.h was renamed to x86-common.h to avoid clashes
+ with system headers.
2014-04-27 Nikos Mavrogiannopoulos <nmav@gnutls.org>
2014-04-03 Nikos Mavrogiannopoulos <nmav@gnutls.org>
- * configure.ac, tests/Makefile.am, tests/key-id/Makefile.am,
- tests/key-id/README, tests/key-id/ca-gnutls-keyid.pem,
- tests/key-id/ca-no-keyid.pem, tests/key-id/ca-weird-keyid.pem,
- tests/key-id/key-ca.pem, tests/key-id/key-id,
- tests/key-id/key-user.pem, tests/key-tests/Makefile.am,
- tests/key-tests/README, tests/key-tests/ca-gnutls-keyid.pem,
- tests/key-tests/ca-no-keyid.pem,
- tests/key-tests/ca-weird-keyid.pem, tests/key-tests/key-ca-1234.p8,
+ * configure.ac, tests/Makefile.am, tests/{key-id =>
+ key-tests}/Makefile.am, tests/{key-id => key-tests}/README,
+ tests/{key-id => key-tests}/ca-gnutls-keyid.pem, tests/{key-id =>
+ key-tests}/ca-no-keyid.pem, tests/{key-id =>
+ key-tests}/ca-weird-keyid.pem, tests/key-tests/key-ca-1234.p8,
tests/key-tests/key-ca-empty.p8, tests/key-tests/key-ca-null.p8,
- tests/key-tests/key-ca.pem, tests/key-tests/key-id,
- tests/key-tests/key-user.pem, tests/key-tests/pkcs8: Added self-test
- for PKCS #8 key conversion and reading
+ tests/{key-id => key-tests}/key-ca.pem, tests/{key-id =>
+ key-tests}/key-id, tests/{key-id => key-tests}/key-user.pem,
+ tests/key-tests/pkcs8: Added self-test for PKCS #8 key conversion
+ and reading
2014-04-03 Nikos Mavrogiannopoulos <nmav@redhat.com>
2014-03-06 Kevin Cernekee <cernekee@gmail.com>
- * .gitignore, doc/manpages/Makefile.am, src/Makefile.am,
- src/psk-args.def, src/psk.c, src/psktool-args.def: Rename
- psk-args.def to psktool-args.def Other utilities generate invoke-%.texi from %-args.def, but
+ * .gitignore, doc/manpages/Makefile.am, src/Makefile.am, src/psk.c,
+ src/{psk-args.def => psktool-args.def}: Rename psk-args.def to
+ psktool-args.def Other utilities generate invoke-%.texi from %-args.def, but
currently invoke-psktool.texi is generated from psk-args.def. If we
make psktool conform to the same convention as the other utilities,
we can use a generic pattern to handle all of them the same way. Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
2014-01-26 Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc/scripts/getfuncs-map.pl, lib/libgnutls.map: added
- gnutls_realloc_fast to false positives Conflicts: lib/libgnutls.map
+ gnutls_realloc_fast to false positives Conflicts: lib/libgnutls.map
2014-01-26 Nikos Mavrogiannopoulos <nmav@gnutls.org>
2013-12-20 Nikos Mavrogiannopoulos <nmav@gnutls.org>
- * lib/Makefile.am: libtasn1 generated files are set in BUILT_SOURCES Conflicts: lib/Makefile.am
+ * lib/Makefile.am: libtasn1 generated files are set in BUILT_SOURCES Conflicts: lib/Makefile.am
2013-12-18 Nikos Mavrogiannopoulos <nmav@redhat.com>
2013-12-14 Nikos Mavrogiannopoulos <nmav@gnutls.org>
- * lib/accelerated/x86/Makefile.am,
- lib/accelerated/x86/hmac-x86-ssse3.c,
- lib/accelerated/x86/hmac-x86.c,
- lib/accelerated/x86/sha-x86-ssse3.c, lib/accelerated/x86/sha-x86.c:
- use better names for files
+ * lib/accelerated/x86/Makefile.am, lib/accelerated/x86/{hmac-x86.c
+ => hmac-x86-ssse3.c}, lib/accelerated/x86/{sha-x86.c =>
+ sha-x86-ssse3.c}: use better names for files
2013-12-14 Nikos Mavrogiannopoulos <nmav@gnutls.org>
2013-12-14 Nikos Mavrogiannopoulos <nmav@gnutls.org>
* lib/accelerated/x86/Makefile.am,
- lib/accelerated/x86/aes-gcm-x86-pclmul.c,
+ lib/accelerated/x86/{aes-gcm-x86.c => aes-gcm-x86-pclmul.c},
lib/accelerated/x86/aes-gcm-x86-ssse3.c,
- lib/accelerated/x86/aes-gcm-x86.c, lib/accelerated/x86/aes-x86.c,
- lib/accelerated/x86/aes-x86.h, lib/accelerated/x86/hmac-x86.c,
- lib/accelerated/x86/sha-x86.c, lib/accelerated/x86/sha-x86.h: When
- PCLMUL isn't available use the SSSE3 implementation of AES to
- optimize GCM.
+ lib/accelerated/x86/aes-x86.c, lib/accelerated/x86/aes-x86.h,
+ lib/accelerated/x86/hmac-x86.c, lib/accelerated/x86/sha-x86.c,
+ lib/accelerated/x86/sha-x86.h: When PCLMUL isn't available use the
+ SSSE3 implementation of AES to optimize GCM.
2013-12-14 Nikos Mavrogiannopoulos <nmav@gnutls.org>
devel/perlasm/sha512-ssse3-x86_64.pl,
lib/accelerated/x86/Makefile.am, lib/accelerated/x86/aes-padlock.h,
lib/accelerated/x86/aes-x86.c,
- lib/accelerated/x86/coff/aesni-x86.s,
- lib/accelerated/x86/coff/aesni-x86_64.s,
- lib/accelerated/x86/coff/appro-aes-gcm-x86-64-coff.s,
- lib/accelerated/x86/coff/appro-aes-x86-64-coff.s,
- lib/accelerated/x86/coff/appro-aes-x86-coff.s,
- lib/accelerated/x86/coff/cpuid-x86-64-coff.s,
- lib/accelerated/x86/coff/cpuid-x86-coff.s,
- lib/accelerated/x86/coff/cpuid-x86.s,
- lib/accelerated/x86/coff/cpuid-x86_64.s,
- lib/accelerated/x86/coff/e_padlock-x86.s,
- lib/accelerated/x86/coff/e_padlock-x86_64.s,
- lib/accelerated/x86/coff/ghash-x86_64.s,
- lib/accelerated/x86/coff/openssl-cpuid-x86.s,
+ lib/accelerated/x86/coff/{appro-aes-x86-coff.s => aesni-x86.s},
+ lib/accelerated/x86/coff/{appro-aes-x86-64-coff.s =>
+ aesni-x86_64.s}, lib/accelerated/x86/coff/{cpuid-x86-coff.s =>
+ cpuid-x86.s}, lib/accelerated/x86/coff/{cpuid-x86-64-coff.s =>
+ cpuid-x86_64.s}, lib/accelerated/x86/coff/{padlock-x86-coff.s =>
+ e_padlock-x86.s}, lib/accelerated/x86/coff/{padlock-x86-64-coff.s
+ => e_padlock-x86_64.s},
+ lib/accelerated/x86/coff/{appro-aes-gcm-x86-64-coff.s =>
+ ghash-x86_64.s}, lib/accelerated/x86/coff/openssl-cpuid-x86.s,
lib/accelerated/x86/coff/openssl-cpuid-x86_64.s,
- lib/accelerated/x86/coff/padlock-x86-64-coff.s,
- lib/accelerated/x86/coff/padlock-x86-coff.s,
lib/accelerated/x86/coff/sha1-ssse3-x86.s,
lib/accelerated/x86/coff/sha1-ssse3-x86_64.s,
lib/accelerated/x86/coff/sha256-avx-x86_64.s,
lib/accelerated/x86/coff/sha256-ssse3-x86.s,
lib/accelerated/x86/coff/sha512-ssse3-x86.s,
lib/accelerated/x86/coff/sha512-ssse3-x86_64.s,
- lib/accelerated/x86/elf/aesni-x86.s,
- lib/accelerated/x86/elf/aesni-x86_64.s,
- lib/accelerated/x86/elf/appro-aes-gcm-x86-64.s,
- lib/accelerated/x86/elf/appro-aes-x86-64.s,
- lib/accelerated/x86/elf/appro-aes-x86.s,
- lib/accelerated/x86/elf/cpuid-x86-64.s,
- lib/accelerated/x86/elf/cpuid-x86_64.s,
- lib/accelerated/x86/elf/e_padlock-x86.s,
- lib/accelerated/x86/elf/e_padlock-x86_64.s,
- lib/accelerated/x86/elf/ghash-x86_64.s,
- lib/accelerated/x86/elf/padlock-x86-64.s,
- lib/accelerated/x86/elf/padlock-x86.s,
+ lib/accelerated/x86/elf/{appro-aes-x86.s => aesni-x86.s},
+ lib/accelerated/x86/elf/{appro-aes-x86-64.s => aesni-x86_64.s},
+ lib/accelerated/x86/elf/{cpuid-x86-64.s => cpuid-x86_64.s},
+ lib/accelerated/x86/elf/{padlock-x86.s => e_padlock-x86.s},
+ lib/accelerated/x86/elf/{padlock-x86-64.s => e_padlock-x86_64.s},
+ lib/accelerated/x86/elf/{appro-aes-gcm-x86-64.s => ghash-x86_64.s},
lib/accelerated/x86/elf/sha1-ssse3-x86.s,
lib/accelerated/x86/elf/sha1-ssse3-x86_64.s,
lib/accelerated/x86/elf/sha256-avx-x86_64.s,
lib/accelerated/x86/elf/sha512-ssse3-x86.s,
lib/accelerated/x86/elf/sha512-ssse3-x86_64.s,
lib/accelerated/x86/files.mk, lib/accelerated/x86/hmac-x86.c,
- lib/accelerated/x86/macosx/aesni-x86.s,
- lib/accelerated/x86/macosx/aesni-x86_64.s,
- lib/accelerated/x86/macosx/appro-aes-gcm-x86-64-macosx.s,
- lib/accelerated/x86/macosx/appro-aes-x86-64-macosx.s,
- lib/accelerated/x86/macosx/appro-aes-x86-macosx.s,
- lib/accelerated/x86/macosx/cpuid-x86-64-macosx.s,
+ lib/accelerated/x86/macosx/{appro-aes-x86-macosx.s => aesni-x86.s},
+ lib/accelerated/x86/macosx/{appro-aes-x86-64-macosx.s =>
+ aesni-x86_64.s}, lib/accelerated/x86/macosx/cpuid-x86-64-macosx.s,
lib/accelerated/x86/macosx/cpuid-x86-macosx.s,
lib/accelerated/x86/macosx/cpuid-x86.s,
lib/accelerated/x86/macosx/cpuid-x86_64.s,
- lib/accelerated/x86/macosx/e_padlock-x86.s,
- lib/accelerated/x86/macosx/e_padlock-x86_64.s,
- lib/accelerated/x86/macosx/ghash-x86_64.s,
- lib/accelerated/x86/macosx/openssl-cpuid-x86.s,
+ lib/accelerated/x86/macosx/{padlock-x86-macosx.s =>
+ e_padlock-x86.s},
+ lib/accelerated/x86/macosx/{padlock-x86-64-macosx.s =>
+ e_padlock-x86_64.s},
+ lib/accelerated/x86/macosx/{appro-aes-gcm-x86-64-macosx.s =>
+ ghash-x86_64.s}, lib/accelerated/x86/macosx/openssl-cpuid-x86.s,
lib/accelerated/x86/macosx/openssl-cpuid-x86_64.s,
- lib/accelerated/x86/macosx/padlock-x86-64-macosx.s,
- lib/accelerated/x86/macosx/padlock-x86-macosx.s,
lib/accelerated/x86/macosx/sha1-ssse3-x86.s,
lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s,
lib/accelerated/x86/macosx/sha256-avx-x86_64.s,
2013-11-30 Nikos Mavrogiannopoulos <nmav@gnutls.org>
- * : Merged the FIPS140-2 support code. Conflicts: lib/gnutls_global.c tests/mini-overhead.c
+ * : Merged the FIPS140-2 support code. Conflicts: lib/gnutls_global.c tests/mini-overhead.c
2013-11-30 Nikos Mavrogiannopoulos <nmav@gnutls.org>
2013-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com>
- * configure.ac, lib/nettle/Makefile.am, lib/nettle/gcm-camellia.c,
- lib/nettle/gcm-camellia.h, lib/nettle/int/drbg-aes-self-test.c,
- lib/nettle/int/drbg-aes.c, lib/nettle/int/drbg-aes.h,
- lib/nettle/int/gcm-camellia.c, lib/nettle/int/gcm-camellia.h,
- lib/nettle/rnd-fips.c: Added DRBG submitted to nettle in gnutls.
+ * configure.ac, lib/nettle/Makefile.am,
+ lib/nettle/int/drbg-aes-self-test.c, lib/nettle/int/drbg-aes.c,
+ lib/nettle/int/drbg-aes.h, lib/nettle/{ => int}/gcm-camellia.c,
+ lib/nettle/{ => int}/gcm-camellia.h, lib/nettle/rnd-fips.c: Added
+ DRBG submitted to nettle in gnutls.
2013-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/x509/verify-high.c, lib/x509/x509.c, lib/xssl.c: Added support
for fips states. This implies that when in FIPS mode and the library is not in
operational state (i.e., all self checks succeeded), crypto
- functionality of the library will fail. This includes: * API functions of gnutls/crypto.h * API functions of gnutls/abstract.h * API functions of gnutls/x509.h * gnutls_init() * API functions of gnutls/xssl.h
+ functionality of the library will fail. This includes: * API functions of gnutls/crypto.h * API functions of gnutls/abstract.h * API functions of gnutls/x509.h * gnutls_init() * API functions of gnutls/xssl.h
2013-11-11 Nikos Mavrogiannopoulos <nmav@redhat.com>
2013-11-26 Nikos Mavrogiannopoulos <nmav@redhat.com>
* configure.ac, lib/Makefile.am: Do not link gnutls against librt
- unlress it is really necessary. Conflicts: configure.ac lib/Makefile.am
+ unlress it is really necessary. Conflicts: configure.ac lib/Makefile.am
2013-11-24 Nikos Mavrogiannopoulos <nmav@gnutls.org>
2013-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
* gl/Makefile.am, gl/m4/gnulib-cache.m4, gl/m4/gnulib-comp.m4,
- gl/strerror-override.c, gl/strerror-override.h, gl/strerror.c,
- gl/tests/Makefile.am, gl/tests/strerror-override.c,
- gl/tests/strerror-override.h, gl/tests/strerror.c: Added strerror
- module.
+ gl/{tests => }/strerror-override.c, gl/{tests =>
+ }/strerror-override.h, gl/{tests => }/strerror.c,
+ gl/tests/Makefile.am: Added strerror module.
2013-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org>
2013-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com>
- * gl/Makefile.am, gl/base64.c, gl/intprops.h,
+ * gl/Makefile.am, gl/base64.c, gl/{tests => }/intprops.h,
gl/m4/extern-inline.m4, gl/m4/gnulib-cache.m4,
- gl/m4/gnulib-comp.m4, gl/tests/Makefile.am, gl/tests/intprops.h,
- maint.mk: Added intprops module (which is needed by newer libtasn1
- versions)
+ gl/m4/gnulib-comp.m4, gl/tests/Makefile.am, maint.mk: Added intprops
+ module (which is needed by newer libtasn1 versions)
2013-11-12 Nikos Mavrogiannopoulos <nmav@redhat.com>
gl/basename-lgpl.c, gl/bind.c, gl/byteswap.in.h, gl/c-ctype.c,
gl/c-ctype.h, gl/close.c, gl/closedir.c, gl/connect.c,
gl/dirent-private.h, gl/dirent.in.h, gl/dirname-lgpl.c,
- gl/dirname.h, gl/dosname.h, gl/dup2.c, gl/errno.in.h, gl/error.c,
- gl/error.h, gl/fd-hook.c, gl/fd-hook.h, gl/filename.h, gl/float+.h,
- gl/float.c, gl/float.in.h, gl/fpucw.h, gl/frexp.c, gl/frexpl.c,
- gl/fseek.c, gl/fseeko.c, gl/fseterr.c, gl/fseterr.h, gl/fstat.c,
- gl/ftell.c, gl/ftello.c, gl/gai_strerror.c, gl/getaddrinfo.c,
- gl/getdelim.c, gl/getline.c, gl/getopt.c, gl/getopt.in.h,
- gl/getopt1.c, gl/getopt_int.h, gl/getpass.c, gl/getpass.h,
- gl/getpeername.c, gl/getsubopt.c, gl/gettext.h, gl/gettimeofday.c,
- gl/hash-pjw-bare.c, gl/hash-pjw-bare.h, gl/inet_ntop.c,
- gl/inet_pton.c, gl/intprops.h, gl/isnan.c, gl/isnand-nolibm.h,
- gl/isnand.c, gl/isnanf-nolibm.h, gl/isnanf.c, gl/isnanl-nolibm.h,
- gl/isnanl.c, gl/itold.c, gl/listen.c, gl/lseek.c,
- gl/m4/alphasort.m4, gl/m4/argp.m4, gl/m4/closedir.m4,
+ gl/dirname.h, gl/dup2.c, gl/errno.in.h, gl/error.c, gl/error.h,
+ gl/fd-hook.c, gl/fd-hook.h, gl/filename.h, gl/float+.h, gl/float.c,
+ gl/float.in.h, gl/frexp.c, gl/frexpl.c, gl/fseek.c, gl/fseeko.c,
+ gl/fseterr.c, gl/fseterr.h, gl/fstat.c, gl/ftell.c, gl/ftello.c,
+ gl/gai_strerror.c, gl/getaddrinfo.c, gl/getdelim.c, gl/getline.c,
+ gl/getopt.c, gl/getopt.in.h, gl/getopt1.c, gl/getopt_int.h,
+ gl/getpass.c, gl/getpass.h, gl/getpeername.c, gl/getsubopt.c,
+ gl/gettext.h, gl/gettimeofday.c, gl/hash-pjw-bare.c,
+ gl/hash-pjw-bare.h, gl/inet_ntop.c, gl/inet_pton.c, gl/isnan.c,
+ gl/isnand-nolibm.h, gl/isnand.c, gl/isnanf-nolibm.h, gl/isnanf.c,
+ gl/isnanl-nolibm.h, gl/isnanl.c, gl/itold.c, gl/listen.c,
+ gl/lseek.c, gl/m4/alphasort.m4, gl/m4/argp.m4, gl/m4/closedir.m4,
gl/m4/dirent_h.m4, gl/m4/dirname.m4, gl/m4/double-slash-root.m4,
gl/m4/eealloc.m4, gl/m4/environ.m4, gl/m4/error.m4,
gl/m4/exponentf.m4, gl/m4/exponentl.m4, gl/m4/frexp.m4,
gl/stdalign.in.h, gl/stdarg.in.h, gl/stdbool.in.h, gl/stddef.in.h,
gl/stdint.in.h, gl/stdio-impl.h, gl/stdio.in.h, gl/stdlib.in.h,
gl/str-two-way.h, gl/strcasecmp.c, gl/strchrnul.c,
- gl/strchrnul.valgrind, gl/strdup.c, gl/strerror-override.c,
- gl/strerror-override.h, gl/strerror.c, gl/string.in.h,
+ gl/strchrnul.valgrind, gl/strdup.c, gl/string.in.h,
gl/strings.in.h, gl/stripslash.c, gl/strncasecmp.c, gl/strndup.c,
gl/strnlen.c, gl/strtok_r.c, gl/strverscmp.c, gl/sys_select.in.h,
gl/sys_socket.in.h, gl/sys_stat.in.h, gl/sys_time.in.h,
gl/sys_types.in.h, gl/sys_uio.in.h, gl/sysexits.in.h,
- gl/tests/Makefile.am, gl/tests/dosname.h, gl/tests/fpucw.h,
- gl/tests/infinity.h, gl/tests/intprops.h, gl/tests/malloca.c,
- gl/tests/malloca.h, gl/tests/malloca.valgrind,
+ gl/tests/Makefile.am, gl/{ => tests}/dosname.h, gl/{ =>
+ tests}/fpucw.h, gl/tests/infinity.h, gl/{ => tests}/intprops.h,
+ gl/tests/malloca.c, gl/tests/malloca.h, gl/tests/malloca.valgrind,
gl/tests/minus-zero.h, gl/tests/nan.h, gl/tests/putenv.c,
- gl/tests/randomd.c, gl/tests/randoml.c, gl/tests/setenv.c,
- gl/tests/strerror-override.c, gl/tests/strerror-override.h,
- gl/tests/strerror.c, gl/tests/test-argp-2.sh, gl/tests/test-argp.c,
- gl/tests/test-dirent.c, gl/tests/test-environ.c,
- gl/tests/test-fprintf-posix.h, gl/tests/test-frexp.c,
- gl/tests/test-frexp.h, gl/tests/test-frexpl.c,
- gl/tests/test-fseterr.c, gl/tests/test-getopt.c,
- gl/tests/test-getopt.h, gl/tests/test-getopt_long.h,
- gl/tests/test-isnand-nolibm.c, gl/tests/test-isnand.h,
- gl/tests/test-isnanf-nolibm.c, gl/tests/test-isnanf.h,
- gl/tests/test-isnanl-nolibm.c, gl/tests/test-isnanl.h,
- gl/tests/test-malloc-gnu.c, gl/tests/test-malloca.c,
- gl/tests/test-math.c, gl/tests/test-printf-frexp.c,
- gl/tests/test-printf-frexpl.c, gl/tests/test-printf-posix.h,
- gl/tests/test-printf-posix.output, gl/tests/test-rawmemchr.c,
- gl/tests/test-setenv.c, gl/tests/test-signbit.c,
- gl/tests/test-sleep.c, gl/tests/test-strchrnul.c,
- gl/tests/test-sysexits.c, gl/tests/test-unsetenv.c,
- gl/tests/test-version-etc.c, gl/tests/test-version-etc.sh,
- gl/tests/test-vfprintf-posix.c, gl/tests/test-vfprintf-posix.sh,
- gl/tests/test-vprintf-posix.c, gl/tests/test-vprintf-posix.sh,
- gl/tests/unsetenv.c, gl/time.in.h, gl/time_r.c, gl/u64.h,
- gl/unistd.in.h, gl/vasnprintf.c, gl/vasnprintf.h, gl/vasprintf.c,
- gl/verify.h, gl/version-etc-fsf.c, gl/version-etc.c,
- gl/version-etc.h, gl/vfprintf.c, gl/vprintf.c, gl/vsnprintf.c,
- gl/w32sock.h, gl/wchar.in.h, gl/xsize.h, src/certtool.c,
- src/cli-debug.c, src/cli.c, src/danetool.c, src/ocsptool-common.c,
- src/ocsptool.c, src/p11tool.c, src/psk.c, src/serv.c,
- src/srptool.c, src/tpmtool.c: gnulib only contains lgplv2 modules
+ gl/tests/randomd.c, gl/tests/randoml.c, gl/tests/setenv.c, gl/{ =>
+ tests}/strerror-override.c, gl/{ => tests}/strerror-override.h,
+ gl/{ => tests}/strerror.c, gl/tests/test-argp-2.sh,
+ gl/tests/test-argp.c, gl/tests/test-dirent.c,
+ gl/tests/test-environ.c, gl/tests/test-fprintf-posix.h,
+ gl/tests/test-frexp.c, gl/tests/test-frexp.h,
+ gl/tests/test-frexpl.c, gl/tests/test-fseterr.c,
+ gl/tests/test-getopt.c, gl/tests/test-getopt.h,
+ gl/tests/test-getopt_long.h, gl/tests/test-isnand-nolibm.c,
+ gl/tests/test-isnand.h, gl/tests/test-isnanf-nolibm.c,
+ gl/tests/test-isnanf.h, gl/tests/test-isnanl-nolibm.c,
+ gl/tests/test-isnanl.h, gl/tests/test-malloc-gnu.c,
+ gl/tests/test-malloca.c, gl/tests/test-math.c,
+ gl/tests/test-printf-frexp.c, gl/tests/test-printf-frexpl.c,
+ gl/tests/test-printf-posix.h, gl/tests/test-printf-posix.output,
+ gl/tests/test-rawmemchr.c, gl/tests/test-setenv.c,
+ gl/tests/test-signbit.c, gl/tests/test-sleep.c,
+ gl/tests/test-strchrnul.c, gl/tests/test-sysexits.c,
+ gl/tests/test-unsetenv.c, gl/tests/test-version-etc.c,
+ gl/tests/test-version-etc.sh, gl/tests/test-vfprintf-posix.c,
+ gl/tests/test-vfprintf-posix.sh, gl/tests/test-vprintf-posix.c,
+ gl/tests/test-vprintf-posix.sh, gl/tests/unsetenv.c, gl/time.in.h,
+ gl/time_r.c, gl/u64.h, gl/unistd.in.h, gl/vasnprintf.c,
+ gl/vasnprintf.h, gl/vasprintf.c, gl/verify.h, gl/version-etc-fsf.c,
+ gl/version-etc.c, gl/version-etc.h, gl/vfprintf.c, gl/vprintf.c,
+ gl/vsnprintf.c, gl/w32sock.h, gl/wchar.in.h, gl/xsize.h,
+ src/certtool.c, src/cli-debug.c, src/cli.c, src/danetool.c,
+ src/ocsptool-common.c, src/ocsptool.c, src/p11tool.c, src/psk.c,
+ src/serv.c, src/srptool.c, src/tpmtool.c: gnulib only contains
+ lgplv2 modules
2013-08-05 Nikos Mavrogiannopoulos <nmav@gnutls.org>
2013-07-26 Nikos Mavrogiannopoulos <nmav@gnutls.org>
- * tests/Makefile.am, tests/mini.c, tests/record-sizes.c: Updated
- mini test.
+ * tests/Makefile.am, tests/{mini.c => record-sizes.c}: Updated mini
+ test.
2013-07-25 Nikos Mavrogiannopoulos <nmav@gnutls.org>
* configure.ac, lib/algorithms/ciphersuites.c, lib/algorithms/kx.c,
lib/auth/Makefile.am, lib/auth/anon_ecdh.c, lib/auth/cert.c,
lib/auth/cert.h, lib/auth/dh_common.c, lib/auth/dhe.c,
- lib/auth/dhe_psk.c, lib/auth/ecdh_common.c, lib/auth/ecdh_common.h,
- lib/auth/ecdhe.c, lib/auth/ecdhe.h, lib/auth/rsa_export.c,
+ lib/auth/dhe_psk.c, lib/auth/{ecdh_common.c => ecdhe.c},
+ lib/auth/{ecdh_common.h => ecdhe.h}, lib/auth/rsa_export.c,
lib/gnutls_handshake.c, lib/gnutls_kx.c, lib/gnutls_priority.c,
lib/gnutls_rsa_export.c, lib/gnutls_state.c, lib/gnutls_ui.c,
m4/hooks.m4: Added options to disable more key exchange mechanisms. In that DHE was separated from ECDHE.
* NEWS, lib/Makefile.am, lib/gnutls_cert.c, lib/gnutls_errors.c,
lib/includes/Makefile.am, lib/includes/gnutls/gnutls.h.in,
- lib/includes/gnutls/sbuf.h, lib/includes/gnutls/xssl.h,
- lib/libgnutls.map, lib/sbuf.c, lib/sbuf.h, lib/sbuf_getline.c,
- lib/xssl.c, lib/xssl.h, lib/xssl_getline.c, tests/Makefile.am,
- tests/mini-sbuf.c, tests/mini-xssl.c: Added new interface.
+ lib/includes/gnutls/{sbuf.h => xssl.h}, lib/libgnutls.map,
+ lib/{sbuf.c => xssl.c}, lib/{sbuf.h => xssl.h}, lib/{sbuf_getline.c
+ => xssl_getline.c}, tests/Makefile.am, tests/mini-sbuf.c,
+ tests/mini-xssl.c: Added new interface.
2013-01-27 Nikos Mavrogiannopoulos <nmav@gnutls.org>
2012-11-20 Nikos Mavrogiannopoulos <nmav@gnutls.org>
- * build-aux/gendocs.sh, configure.ac, gl/Makefile.am, gl/dup2.c,
- gl/errno.in.h, gl/m4/errno_h.m4, gl/m4/gnulib-cache.m4,
+ * build-aux/gendocs.sh, configure.ac, gl/Makefile.am, gl/{tests =>
+ }/dup2.c, gl/errno.in.h, gl/m4/errno_h.m4, gl/m4/gnulib-cache.m4,
gl/m4/gnulib-comp.m4, gl/m4/select.m4, gl/m4/stdlib_h.m4,
gl/select.c, gl/stdlib.in.h, gl/strerror-override.c,
- gl/strerror-override.h, gl/tests/Makefile.am, gl/tests/dup2.c,
- gl/tests/fcntl.in.h, gl/tests/test-fcntl-h.c,
- gl/tests/test-iconv.c, gl/tests/test-select.h, lib/system.c,
- m4/hooks.m4, maint.mk: use gnulib to detect iconv.
+ gl/strerror-override.h, gl/tests/Makefile.am, gl/tests/fcntl.in.h,
+ gl/tests/test-fcntl-h.c, gl/tests/test-iconv.c,
+ gl/tests/test-select.h, lib/system.c, m4/hooks.m4, maint.mk: use
+ gnulib to detect iconv.
2012-11-20 Nikos Mavrogiannopoulos <nmav@gnutls.org>
2012-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org>
- * Removed GNUTLS_CERT_REVOCATION_DATA_INVALID and no longer fail on
- OCSP parsing errors.
+ * NEWS, lib/gnutls_cert.c, lib/gnutls_x509.c,
+ lib/includes/gnutls/gnutls.h.in: Removed
+ GNUTLS_CERT_REVOCATION_DATA_INVALID and no longer fail on OCSP
+ parsing errors.
+
+2012-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * doc/cha-cert-auth.texi, doc/cha-tokens.texi: doc update
+
+2012-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org>
+
+ * gnutls-cli-debug uses server name indication.
-----
projects / platform / upstream / gnutls.git / blobdiff