GnuTLS NEWS -- History of user-visible changes. -*- outline -*-
-Copyright (C) 2000-2014 Free Software Foundation, Inc.
-Copyright (C) 2013, 2014 Nikos Mavrogiannopoulos
+Copyright (C) 2000-2016 Free Software Foundation, Inc.
+Copyright (C) 2013-2016 Nikos Mavrogiannopoulos
See the end for copying conditions.
+* Version 3.3.27 (released 2017-03-06)
+
+** libgnutls: read the pin-value attribute if the p11-kit version allows it.
+
+** libgnutls: Addressed integer overflow resulting to invalid memory write
+ in OpenPGP certificate parsing. Issue found using oss-fuzz project:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 [GNUTLS-SA-2017-3A]
+
+** libgnutls: Addressed crashes in OpenPGP certificate parsing, related
+ to private key parser. No longer allow OpenPGP certificates (public keys)
+ to contain private key sub-packets. Issue found using oss-fuzz project:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 [GNUTLS-SA-2017-3B]
+
+** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that
+ could lead in out-of-memory condition. Issue found using oss-fuzz project,
+ and was fixed by Alex Gaynor:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 [GNUTLS-SA-2017-3C]
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.3.26 (released 2016-01-09)
+
+** libgnutls: Handle status request responses as optional (following
+ RFC6066). This improves compatibility with implementations not sending
+ these messages (including specific versions on the GnuTLS 3.5.x branch).
+
+** libgnutls: Set limits on the maximum number of alerts handled. That is,
+ applications using gnutls could be tricked into an busy loop if the
+ peer sends continuously alert messages. Applications which set a maximum
+ handshake time (via gnutls_handshake_set_timeout) will eventually recover
+ but others may remain in a busy loops indefinitely. This is related but
+ not identical to CVE-2016-8610, due to the difference in alert handling
+ of the libraries (gnutls delegates that handling to applications).
+
+** libgnutls: Fixed issue in PKCS#12 password encoding, which truncated
+ passwords over 32-characters. Reported by Mario Klebsch.
+
+** libgnutls: Backported functionality allowing to manipulate the IDs
+ of PKCS#11 objects.
+
+** libgnutls: Link to trousers (TPM library) dynamically. Backported TPM
+ key handling improvements from master branch.
+
+** libgnutls: Backported several fixes in PKCS#8 decryption (related to
+ gitlab issue #148).
+
+** libgnutls: Fix double free in certificate information printing. If the PKIX
+ extension proxy was set with a policy language set but no policy specified,
+ that could lead to a double free. [GNUTLS-SA-2017-1]
+
+** libgnutls: Addressed memory leak in server side error path
+ (issue found using oss-fuzz project)
+
+** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate
+ parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)
+
+** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
+ (issues found using oss-fuzz project) [GNUTLS-SA-2017-2]
+
+** tpmtool: backported the --test-sign option.
+
+** API and ABI modifications:
+gnutls_pkcs11_obj_set_info: Added
+gnutls_pkcs11_privkey_generate3: Added
+gnutls_pkcs11_copy_x509_privkey2: Added
+gnutls_pkcs11_copy_x509_crt2: Added
+
+
+* Version 3.3.25 (released 2016-10-9)
+
+** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key()
+ failures due to key mismatch. This prevents leaks or double freeing
+ on such failures.
+
+** libgnutls: Corrected the comparison of the serial size in OCSP response.
+ Previously the OCSP certificate check wouldn't verify the serial length
+ and could succeed in cases it shouldn't (GNUTLS-SA-2016-3).
+ Reported by Stefan Buehler.
+
+** libgnutls: Fixes in gnutls_x509_crt_list_import2, which was
+ ignoring flags if all certificates in the list fit within the
+ initially allocated memory.
+
+** libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the complete chain,
+ even when the extra_certs was non-null. Report and fix by Stefan Sørensen.
+
+** libgnutls: Added support for decrypting PKCS#8 files which use the HMAC-SHA256
+ as PRF.
+
+** libgnutls: Addressed issue with PKCS#11 signature generation on ECDSA
+ keys. The signature is now written as unsigned integers into the DSASignatureValue
+ structure. Previously signed integers could be written depending on what
+ the underlying module would produce. Addresses #122.
+
+** libgnutls: backported X.509 unique ID functionality from later versions.
+
+** libgnutls: Increased the maximum size of the handshake message hash.
+ This will allow the library to cope better with larger packets, as
+ the ones offered by current TLS 1.3 drafts.
+
+** API and ABI modifications:
+gnutls_x509_crt_set_issuer_unique_id: Added
+gnutls_x509_crt_set_subject_unique_id: Added
+
+
+* Version 3.3.24 (released 2016-07-06)
+
+** libgnutls: Address issue when utilizing the p11-kit trust store
+ for certificate verification (GNUTLS-SA-2016-2).
+
+** libgnutls: when generating private keys mark the public key as not
+ private.
+
+** libgnutls: use secure_getenv() where available to obtain environment
+ variables.
+
+** libgnutls: Fixed DTLS handshake packet reconstruction. Reported by
+ Guillaume Roguez.
+
+** libgnutls: Fixed issues with PKCS#11 reading of sensitive objects
+ from SafeNet Network HSM. Reported by Anthony Alba.
+
+** libgnutls: Corrected reading and writing of PKCS#11 CKA_SERIAL_NUMBER. Report
+ and fix by Stanislav Židek.
+
+** libgnutls: Enhanced the priority functions to understand -VERS-ALL keyword
+ to allow compatibility of priority strings between 3.4.x and 3.3.x.
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.3.23 (released 2016-05-20)
+
+** libgnutls: Corrected behavior of ALPN extension parsing during session
+ resumption. Report and patches by Yuriy M. Kaminskiy.
+
+** libgnutls: Properly print the IP Adress name constraints.
+
+** libgnutls: Fixes in gnutls_privkey_import_ecc_raw().
+
+** libgnutls: Fixed gnutls_pkcs11_get_raw_issuer() usage with the
+ GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag. Previously that
+ operation could fail on certain PKCS#11 modules.
+
+** libgnutls: gnutls_pkcs11_obj_import_url() and gnutls_x509_crt_import_pkcs11_url()
+ can accept the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag.
+
+** libgnutls: gnutls_certificate_set_key() was enhanced to import the DNS
+ name of the certificates if the provided names are NULL.
+
+** libgnutls: when receiving SNI names, only save and expose to application
+ the supported DNS names.
+
+** libgnutls: when importing the certificate names at the
+ gnutls_certificate_set* functions, only consider the CN as a fallback
+ if DNS names are provided via the alternative name extension.
+
+** ocsptool: use HTTP/1.0 for requests. This avoids issue with servers
+ serving chunk encoding which ocsptool doesn't support. Reported by Thomas
+ Klute.
+
+** certtool: do not require a CA for OCSP signing tag. This follows the
+ recommendations in RFC6960 in 4.2.2.2 which allow a CA to delegate OCSP
+ signing to another certificate without requiring it to be a CA. Reported
+ by Thomas Klute.
+
+** gnutls-cli: on OCSP verification do not fail if we have a single valid
+ reply. Report and reproducer by Thomas Klute.
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.3.22 (released 2016-03-10)
+
+** libgnutls: Eliminated issues preventing buffers more than 2^32 bytes
+ to be used with hashing functions.
+
+** libgnutls: Follow closely RFC5280 recommendations and use UTCTime for
+ dates prior to 2050. Backported from 3.4.x branch.
+
+** libgnutls: Several fixes to prevent relying on undefined behavior of C
+ (found with libubsan).
+
+** libgnutls: SSL 3.0 is no longer included in the default priorities
+ list. It has to be explicitly enabled, e.g., with a string like
+ "NORMAL:+VERS-SSL3.0". The previous behavior can be restored using
+ the flag --with-ssl3 to configure.
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.3.21 (released 2016-02-03)
+
+** libgnutls: Corrected ALPN protocol negotiation. Before GnuTLS would negotiate
+ the last commonly supported protocol, rather than the first. Reported by
+ Remi Denis-Courmont (#63).
+
+** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
+ list. It has to be explicitly enabled, e.g., with a string like
+ "NORMAL:+ARCFOUR-128". The previous behavior can be restored using
+ the flag --with-arcfour128 to configure.
+
+** libgnutls: Corrected regression caused by incorrect fix in
+ gnutls_x509_ext_export_key_usage() at 3.3.20 release.
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.3.20 (released 2016-01-08)
+
+** libgnutls: Corrected memory leak in gnutls_pubkey_import_privkey() when
+ used with PKCS #11 keys.
+
+** libgnutls: For DSA and ECDSA keys in PKCS #11 objects, import
+ their public keys from either a public key object or a certificate.
+ That is, because private keys do not contain all the required
+ parameters for a direct import. Reported by Jan Vcelak.
+
+** libgnutls: Fixed issue when writing ECDSA private keys in PKCS #11
+ tokens.
+
+** libgnutls: Fixed out-of-bounds read in gnutls_x509_ext_export_key_usage(),
+ report and patch by Tim Kosse.
+
+** libgnutls: Handle DNS name constraints with a leading dot. Backported
+ from 3.4.x branch.
+
+** libgnutls: The max-record extension is no longer negotiated on DTLS. This resolves
+ issue with the max-record being negotiated but ignored.
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.3.19 (released 2015-11-22)
+
+** libgnutls: Properly require TLS 1.2 to all the CBC-SHA256 and CBC-SHA384
+ ciphersuites. This solves an interoperability issue with openssl.
+ Reported by Viktor Dukhovni.
+
+** libgnutls: Fixed memory leak in gnutls_pubkey_get_preferred_hash_algorithm(),
+ patch by Lennert Buytenhek.
+
+** libgnutls: When writing a certificate into a PKCS #11 token, ensure
+ that CKA_SERIAL_NUMBER and CKA_ISSUER are written.
+
+** libgnutls: Allow the presence of legacy ciphers and key exchanges in
+ priority strings and consider them a no-op.
+
+** libgnutls: On a rehandshake allow switching from anonymous to ECDHE and
+ DHE ciphersuites.
+
+** libgnutls: Added GNUTLS_SKIP_GLOBAL_INIT macro to allow programs skipping
+ the implicit global initialization.
+
+** gnutls.pc: Don't include libtool specific options to link flags.
+ Reported by Dan Kegel.
+
+** API and ABI modifications:
+GNUTLS_SKIP_GLOBAL_INIT: Added
+
+
+* Version 3.3.18 (released 2015-09-12)
+
+** libgnutls: When re-importing CRLs to a trust list ensure that there
+ are no duplicate entries.
+
+** certtool: Removed any arbitrary limits imposed on input file sizes
+ and maximum number of certificates imported.
+
+** API and ABI modifications:
+ No changes since last version.
+
+
+* Version 3.3.17 (released 2015-08-10)
+
+** libgnutls: Fix issue with server side sending the status request
+ extension even when not requested. Reported by Jeremy Harris.
+
+** libgnutls: gnutls_pkcs11_privkey_generate2() will store the generated
+ public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY flag is
+ specified.
+
+** libgnutls: fixed double free in DN decoding [GNUTLS-SA-2015-3].
+
+** API and ABI modifications:
+ No changes since last version.
+
+
+* Version 3.3.16 (released 2015-07-12)
+
+** libgnutls: Allow compilation with nettle 3.0 or later
+
+** libgnutls: corrected failure when importing plain files
+ with gnutls_x509_privkey_import2(), and a password was provided.
+
+** libgnutls: Don't reject certificates if a CA has the URI or IP address
+ name constraints, and the end certificate doesn't have an IP address
+ name or a URI set.
+
+** libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites.
+
+** API and ABI modifications:
+ No changes since last version.
+
+
+* Version 3.3.15 (released 2015-05-03)
+
+** libgnutls: gnutls_certificate_get_ours: will return the certificate even
+if a callback was used to send it.
+
+** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by
+Karthikeyan Bhargavan [GNUTLS-SA-2015-2].
+
+** libgnutls: Check for invalid length in the X.509 version field. Without the check
+certificates with invalid length would be detected as having an arbitrary
+version. Reported by Hanno Böck.
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.3.14 (released 2015-03-30)
+
+** libgnutls: When retrieving OCTET STRINGS from PKCS #12 ContentInfo
+structures use BER to decode them (requires libtasn1 4.3). That allows
+to decode some more complex structures.
+
+** libgnutls: When an end-certificate with no name is present and there
+are CA name constraints, don't reject the certificate. This follows RFC5280
+advice closely. Reported by Fotis Loukos.
+
+** libgnutls: Fixed handling of supplemental data with types > 255.
+Patch by Thierry Quemerais.
+
+** libgnutls: Fixed double free in the parsing of CRL distribution points certificate
+extension. Reported by Robert Święcki.
+
+** libgnutls: Fixed a two-byte stack overflow in DTLS 0.9 protocol. That
+protocol is not enabled by default (used by openconnect VPN).
+
+** libgnutls: The maximum user data send size is set to be the same for
+block and non-block ciphersuites. This addresses a regression with wine:
+https://bugs.winehq.org/show_bug.cgi?id=37500
+
+** libgnutls: When generating PKCS #11 keys, set CKA_ID, CKA_SIGN,
+and CKA_DECRYPT when needed.
+
+** libgnutls: Allow names with zero size to be set using
+gnutls_server_name_set(). That will disable the Server Name Indication.
+Resolves issue with wine: https://gitlab.com/gnutls/gnutls/issues/2
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.3.13 (released 2015-02-25)
+
+** libgnutls: Enable AESNI in GCM on x86
+
+** libgnutls: Fixes in DTLS message handling
+
+** libgnutls: Check certificate algorithm consistency, i.e.,
+check whether the signatureAlgorithm field matches the signature
+field inside TBSCertificate.
+
+** gnutls-cli: Fixes in OCSP verification.
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.3.12 (released 2015-01-17)
+
+** libgnutls: When negotiating TLS use the lowest enabled version in
+the client hello, rather than the lowest supported. In addition, do
+not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0
+is the only protocol supported. That addresses issues with servers that
+immediately drop the connection when the encounter SSL 3.0 as the record
+version number. See:
+http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html
+
+** libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters.
+
+** libgnutls: Handle zero length plaintext for VIA PadLock functions.
+This solves a potential crash on AES encryption for small size plaintext.
+Patch by Matthias-Christian Ott.
+
+** libgnutls: In DTLS don't combine multiple packets which exceed MTU.
+Reported by Andreas Schultz. https://savannah.gnu.org/support/?108715
+
+** libgnutls: In DTLS decode all handshake packets present in a record
+packet, in a single pass. Reported by Andreas Schultz.
+https://savannah.gnu.org/support/?108712
+
+** libgnutls: When importing a CA file with a PKCS #11 URL, simply
+import the certificates, if the URL specifies objects, rather than
+treating it as trust module.
+
+** libgnutls: When importing a PKCS #11 URL and we know the type of
+object we are importing, don't require the object type in the URL.
+
+** libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2
+was used by the server.
+
+** guile: Fix compilation on MinGW. Previously only the static version of the
+'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile.
+
+** guile: Fix harmless warning during compilation of gnutls.scm
+Initially reported at <https://bugzilla.redhat.com/show_bug.cgi?id=1177847>.
+
+** certtool: --pubkey-info will also attempt to load a public key
+from stdin.
+
+** gnutls-cli: Added --starttls-proto option. That allows to specify a
+protocol for starttls negotiation.
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.3.11 (released 2014-12-11)
+
+** libgnutls: Corrected regression introduced in 3.3.9 related to
+session renegotiation. Reported by Dan Winship.
+
+** libgnutls: Corrected parsing issue with OCSP responses.
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.3.10 (released 2014-11-10)
+
+** libgnutls: Refuse to import v1 or v2 certificates that contain
+extensions.
+
+** libgnutls: Fixes in usage of PKCS #11 token callback
+
+** libgnutls: Fixed bug in gnutls_x509_trust_list_get_issuer() when used
+with a PKCS #11 trust module and without the GNUTLS_TL_GET_COPY flag.
+Reported by David Woodhouse.
+
+** libgnutls: Removed superfluous random generator refresh on every call
+of gnutls_deinit(). That reduces load and usage of /dev/urandom.
+
+** libgnutls: Corrected issue in export of ECC parameters to X9.63 format.
+Reported by Sean Burford [GNUTLS-SA-2014-5].
+
+** libgnutls: When gnutls_global_init() is called for a second time, it
+will check whether the /dev/urandom fd kept is still open and matches
+the original one. That behavior works around issues with servers that
+close all file descriptors.
+
+** libgnutls: Corrected behavior with PKCS #11 objects that are marked
+as CKA_ALWAYS_AUTHENTICATE.
+
+** certtool: The default cipher for PKCS #12 structures is 3des-pkcs12.
+That option is more compatible than AES or RC4.
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.3.9 (released 2014-10-13)
+
+** libgnutls: Fixes in the transparent import of PKCS #11 certificates.
+Reported by Joseph Peruski.
+
+** libgnutls: Fixed issue with unexpected non-fatal errors resetting the
+handshake's hash buffer, in applications using the heartbeat extension
+or DTLS. Reported by Joeri de Ruiter.
+
+** libgnutls: When both a trust module and additional CAs are present
+account the latter as well; reported by David Woodhouse.
+
+** libgnutls: added GNUTLS_TL_GET_COPY flag for
+gnutls_x509_trust_list_get_issuer(). That allows the function to be used
+in a thread safe way when PKCS #11 trust modules are in use.
+
+** libgnutls: fix issue in DTLS retransmission when session tickets
+were in use; reported by Manuel Pégourié-Gonnard.
+
+** libgnutls-dane: Do not require the CA on a ca match to be direct CA.
+
+** libgnutls: Prevent abort() in library if getrusage() fails. Try to
+detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.
+
+** guile: new 'set-session-server-name!' procedure; see the manual for
+details.
+
+** certtool: The authority key identifier will be set in a certificate only
+if the CA's subject key identifier is set.
+
+** API and ABI modifications:
+No changes since last version.
+
+
+* Version 3.3.8 (released 2014-09-18)
+
+** libgnutls: Updates in the name constraints checks. No name constraints
+will be checked for intermediate certificates. As our support for name
+constraints is limited to e-mail addresses in DNS names, it is pointless
+to check them on intermediate certificates.
+
+** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple
+object listing would fail completely if a single object could not be exported.
+
+** libgnutls: Improved the performance of PKCS #11 object listing/retrieving,
+by retrieving them in large batches. Report and suggestion by David
+Woodhouse.
+
+** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
+to signature verification. That resulted to certain non-DER compliant modifications
+of valid certificates, being corrected by libtasn1's parser and restructured as
+the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from
+Codenomicon.
+
+** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
+strings with embedded spaces and escaped commas.
+
+** libgnutls: when comparing a CA certificate with the trusted list compare
+the name and key only instead of the whole certificate. That is to handle
+cases where a CA certificate was superceded by a different one with the same
+name and the same key.
+
+** libgnutls: when verifying a certificate against a p11-kit trusted
+module, use the attached extensions in the module to override the CA's
+extensions (that requires p11-kit 0.20.7).
+
+** libgnutls: In DTLS prevent sending zero-size fragments in certain cases
+of MTU split. Reported by Manuel Pégourié-Gonnard.
+
+** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows
+verifying using a hostname and a purpose (extended key usage). That
+enhances PKCS #11 trust module verification, as it can now check the purpose
+when this function is used.
+
+** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
+a CRL signature as invalid. Reported by Armin Burgmeier.
+
+** libgnutls: added option --disable-padlock to allow disabling the padlock
+CPU acceleration.
+
+** p11tool: when listing tokens, list their type as well.
+
+** p11tool: when listing objects from a trust module print any attached
+extensions on certificates.
+
+** API and ABI modifications:
+gnutls_x509_crq_get_extension_by_oid2: Added
+gnutls_x509_crt_get_extension_by_oid2: Added
+gnutls_x509_trust_list_verify_crt2: Added
+gnutls_x509_ext_print: Added
+gnutls_x509_ext_deinit: Added
+gnutls_x509_othername_to_virtual: Added
+gnutls_pkcs11_obj_get_exts: Added
+
+
+* Version 3.3.7 (released 2014-08-24)
+
+** libgnutls: Added function to export the public key of a PKCS #11
+private key. Contributed by Wolfgang Meyer zu Bergsten.
+
+** libgnutls: Explicitly set the exponent in PKCS #11 key generation.
+That improves compatibility with certain PKCS #11 modules. Contributed by
+Wolfgang Meyer zu Bergsten.
+
+** libgnutls: When generating a PKCS #11 private key allow setting
+the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten.
+
+** libgnutls: gnutls_pkcs11_privkey_t will always hold an open session
+to the key.
+
+** libgnutls: bundle replacements of inet_pton and inet_aton if not
+available.
+
+** libgnutls: initialize parameters variable on PKCS #8 decryption.
+
+** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1
+algorithms.
+
+** libgnutls: gnutls_x509_crt_check_hostname() will follow the RFC6125
+requirement of checking the Common Name (CN) part of DN only if there is
+a single CN present in the certificate.
+
+** libgnutls: The environment variable GNUTLS_FORCE_FIPS_MODE can be used
+to force the FIPS mode, when set to 1.
+
+** libgnutls: In DTLS ignore only errors that relate to unexpected packets
+and decryption failures.
+
+** p11tool: Added --info parameter.
+
+** certtool: Added --mark-wrap parameter.
+
+** danetool: --check will attempt to retrieve the server's certificate
+chain and verify against it.
+
+** danetool/gnutls-cli-debug: Added --app-proto parameters which can
+be used to enforce starttls (currently only SMTP and IMAP) on the connection.
+
+** danetool: Added openssl linking exception, to allow linking
+with libunbound.
+
+** API and ABI modifications:
+GNUTLS_PKCS11_OBJ_ATTR_MATCH: Added
+gnutls_pkcs11_privkey_export_pubkey: Added
+gnutls_pkcs11_obj_flags_get_str: Added
+gnutls_pkcs11_obj_get_flags: Added
+
+
+* Version 3.3.6 (released 2014-07-23)
+
+** libgnutls: Use inet_ntop to print IP addresses when available
+
+** libgnutls: gnutls_x509_crt_check_hostname and friends will also check
+IP addresses, and match documented behavior. Reported by David Woodhouse.
+
+** libgnutls: DSA key generation in FIPS140-2 mode doesn't allow 1024
+bit parameters.
+
+** libgnutls: fixed issue in gnutls_pkcs11_reinit() which prevented tokens
+being usable after a reinitialization.
+
+** libgnutls: fixed PKCS #11 private key operations after a fork.
+
+** libgnutls: fixed PKCS #11 ECDSA key generation.
+
+** libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to
+explicitly enable/disable the use of certain CPU capabilities. Note that CPU
+detection cannot be overriden, i.e., VIA options cannot be enabled on an Intel
+CPU. The currently available options are:
+ 0x1: Disable all run-time detected optimizations
+ 0x2: Enable AES-NI
+ 0x4: Enable SSSE3
+ 0x8: Enable PCLMUL
+ 0x100000: Enable VIA padlock
+ 0x200000: Enable VIA PHE
+ 0x400000: Enable VIA PHE SHA512
+
+** libdane: added dane_query_to_raw_tlsa(); patch by Simon Arlott.
+
+** p11tool: use GNUTLS_SO_PIN to read the security officer's PIN if set.
+
+** p11tool: ask for label when one isn't provided.
+
+** p11tool: added --batch parameter to disable any interactivity.
+
+** p11tool: will not implicitly enable so-login for certain types of
+objects. That avoids issues with tokens that require different login
+types.
+
+** certtool/p11tool: Added the --curve parameter which allows to explicitly
+specify the curve to use.
+
+** API and ABI modifications:
+gnutls_certificate_set_x509_trust_dir: Added
+gnutls_x509_trust_list_add_trust_dir: Added
+
+
* Version 3.3.5 (released 2014-06-26)
** libgnutls: Added gnutls_record_recv_packet() and gnutls_packet_deinit().
projects / platform / upstream / gnutls.git / blobdiff