author | sangsu <sangsu.choi@samsung.com> | 2016-06-08 10:28:40 +0900 |
---|---|---|
committer | sangsu <sangsu.choi@samsung.com> | 2016-06-08 10:35:43 +0900 |
commit | 1bd29a24229d1e3822fc47fdd4aac3c2ab9b8b85 (patch) | |
tree | c46dea10840a06f39e68270be849c0c54fa5c9ac /ChangeLog | |
parent | 1def961b3af11a5720a0360977c229f2cf1d10d0 (diff) | |
Imported Upstream version 3.4.11
upstream/3.4.11 submit/upstream/20160613.071414
Change-Id: I27697380abe4d8ad82d6b77153db65afd9dd3771
Signed-off-by: sangsu <sangsu.choi@samsung.com>
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 10374 |
1 files changed, 10372 insertions, 2 deletions
@@ -1,3 +1,10363 @@ +2016-04-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: released 3.4.11 + +2016-04-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac: tests: do not enable valgrind in non-git builds + +2016-04-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/ocsp_output.c, lib/x509/output.c: x509 output: don't warn + about insecure algorithm when unknown + +2016-04-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/Makefile.am, tests/suite/testcompat-openssl.sh: tests: + disable unsupported curves from compatibility checks This allows running make check even when compiling with + disable-suiteb-curves. + +2016-03-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c: dtls: added missing dtls.h to state.c + +2016-04-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac, m4/hooks.m4: bumped version + +2016-04-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2016-04-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/minitasn1/coding.c, lib/minitasn1/decoding.c, + lib/minitasn1/element.c, lib/minitasn1/element.h, + lib/minitasn1/int.h, lib/minitasn1/libtasn1.h, + lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h, + lib/minitasn1/structure.c: minitasn1: updated to latest git version + +2016-04-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-gtls-app.texi: doc: Replace references to select with poll + and other fixes + +2016-04-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-gtls-app.texi: doc: replace inaccurate sentence with + reference to gnutls_record_discard_queued [ci skip] + +2016-04-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c: gnutls_record_get_direction: doc update [ci + skip] + +2016-04-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/x509sign-verify2.c: tests: reduce the number of loops in + x509sign-verify2 This enables running the test in reasonable time under valgrind. 
+ +2016-04-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkix.asn, lib/pkix_asn1_tab.c: pkix.asn: corrected byKey + definition OCSP is defined in an EXPLICIT tags module, and as such we must tag + explicitly all of its tags. + +2016-04-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/name_constraints.c: name constraints: enforce the rules + for IP constraints when adding This will prevent gnutls from generating badly formed certificates. + +2016-04-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/common.c, lib/x509/common.h, lib/x509/x509.c: + _gnutls_parse_general_name2: allow parsing empty names This allows parsing empty general names such as an empty DNSname + used in name constraints. + +2016-04-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2016-04-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/ocsptool-common.c: ocsptool: use HTTP/1.0 for requests This avoids issue with servers serving chunk encoding which ocsptool + doesn't support. Reported by Thomas Klute. 
+ +2016-03-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2016-03-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/certtool-long-cn: tests: delete outfile in + certtool-long-cn + +2016-03-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/Makefile.am, tests/cert-tests/name-constraints, + tests/cert-tests/name-constraints-ip2.pem: tests: verify the output + of name constraints IP decoding + +2016-03-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/output.c: x509/output: simplified cidr_to_string() + +2016-03-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/output.c: x509/output: print RFC5280 CIDRs in name + constraints + +2016-03-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2016-03-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_dtls.c, lib/gnutls_dtls.h, lib/gnutls_state.c: dtls: + reset the record number sliding window on gnutls_record_set_state() This addresses issue where gnutls_record_set_state() was called with + a new state but the sliding window information was not updated, thus + blocking any incoming packets. Resolves #82 + +2016-03-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_record.c: DTLS: save last valid record sequence number This will allow to report a valid number to + gnutls_record_get_state() callers in case of DTLS. Reported by + Fridolin Pokorny. 
+ +2016-03-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c: gnutls_record_get_state: Allow for NULL + parameters + +2016-03-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/ocsptool.c: ocsptool: don't exit with error code on + verification failures when --ignore-errors is given + +2016-03-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/ocsptool.c: ocsptool: exit with error on verification failures + +2016-03-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/ocsp.c: ocsp: gnutls_ocsp_resp_verify_direct will skip + additional checks for certificates matching issuer That eliminates issue with ocsptool rejecting OCSP responses signed + by the same CA that signed the certificate. Reported by Thomas + Klute. + +2016-03-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/ocsptool-args.def, src/ocsptool.c: ocsptool: Allow saving + responses even if verification fails In addition do not enter a spurious newline to responses. + +2016-03-23 Maya Rashish <coypu@sdf.org> + + * tests/dtls/dtls-stress.c: Avoid using strerror in dtls stress test Using it results in build failure on NetBSD: undefined reference to + `rpl_strerror' + +2016-03-23 Maya Rashish <coypu@sdf.org> + + * tests/utils.h: Add missing header to testsuite This causes a problem for NetBSD+clang tests, because SIGTERM and + kill are undefined. Resolves #80 
Signed-off-by: Maya Rashish <coypu@sdf.org> + +2016-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update [ci skip] + +2016-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-x509-callbacks.c: tests: verify that the + post-client-hello callback has access to ALPN data + +2016-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_handshake.c: handshake: parse the mandatory to parse + extension prior to any callback call This relates to the change of ALPN extension to mandatory to parse, + and allows applications to get ALPN data prior to handshake + completion. + +2016-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/resume.c: tests: added checks for session resumption and + ALPN This checks whether the ALPN extension is re-read on resumption and + is negotiated. + +2016-02-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/resume.c: tests: resume: simplified structure assignment + using C99 syntax + +2016-03-15 Yuriy M. Kaminskiy <yumkam@gmail.com> + + * lib/ext/alpn.c: alpn: ALPN state is per-connection, it should not + be saved with session data In addition the extension was moved to the mandatory to parse to + ensure it is always parsed when sessions are resumed. rfc7301: Unlike many other TLS extensions, this extension does not + establish properties of the session, only of the connection. + When session resumption or session tickets [RFC5077] are used, the + previous contents of this extension are irrelevant, and only the + values in the new handshake messages are considered. Signed-off-by: Yuriy M. Kaminskiy <yumkam@gmail.com> 
Signed-off-by: + Nikos Mavrogiannopoulos <nmav@gnutls.org> + +2016-03-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/x86/x86-common.c: x86-common: CPUID override will + only work if CPU has already the capability present This resolves test suite failure on CPUs with limited capabilities. + Reported by Andreas Metzler. + +2016-03-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2016-03-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/ext/server_name.c: gnutls_server_name_set: accept non-null + terminated hostnames The introduction of IDNA support introduced a regression and this + function does not operate correctly when given non-null terminated + strings. Reported by Tim Ruehsen. Relates #78 + +2016-03-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-server-name.c: tests: added check for non-null + terminated server name This checks whether a non-null terminated server name, but with + correct length is correctly accepted by gnutls_server_name_set(). Relates #78 + +2016-03-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/template-nc.pem: tests: template-test was updated + for OCSP key purpose reordering + +2016-03-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2016-03-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: do not require a CA for OCSP signing This follows the recommendations in RFC6960 in 4.2.2.2 which allow a + CA to delegate OCSP signing to another certificate without requiring + it to be a CA. Reported by Thomas Klute. + +2016-03-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * devel/ABI-x86_64.dump, devel/abi-unchecked-symbols, + devel/abi-unchecked-symbols.txt: abi-check: corrected type of + gnutls_x509_crl_get_issuer_dn That will avoid any accidental ABI breakage on that symbol. 
+ +2016-03-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * .gitlab-ci.yml: .gitlab-ci.yml: added abi-checker rule This allows to test ABI incompatibilities as soon as possible. + +2016-03-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * Makefile.am, devel/ABI-dane-x86_64.dump, devel/ABI-x86_64.dump, + devel/abi-unchecked-symbols, devel/abi-unchecked-symbols.txt, + devel/abi.xml, devel/abi3.2.xml, devel/abi3.4.xml: Makefile: made + abi-checks self-contained That is, they no longer assume a given directory structure to exist + outside git. It now includes a static dump of the symbols in 3.4.0 + for x86_64 and we compare with it. + +2016-03-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli.c: gnutls-cli: fix invalid initialization in + cert_verify_ocsp() + +2016-03-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2016-03-08 Jan Vcelak <jan.vcelak@nic.cz> + + * lib/pkcs11_privkey.c: pkcs11: implement correct DSA key pair + generating Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz> + +2016-02-25 Jan Vcelak <jan.vcelak@nic.cz> + + * lib/pkcs11_int.c, lib/pkcs11_int.h: pkcs11: add interface for + C_GenerateKey 
Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz> + +2016-03-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testpkcs11.sh: tests: testpkcs11: the test will always + fail in code path failures + +2016-03-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-loss-time.c: tests: mini-loss-time: improved timeout + detection + +2016-02-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-loss-time.c: tests: mini-loss-time: ensure client + timeouts after the server is This addresses issue with the server detecting the client + disconnection prior to its timeout. Reported by Steven Chamberlain, + Andreas Metzler. + +2016-03-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_ui.c: gnutls_ocsp_status_request_is_checked: document + the version the flag was introduced at + +2016-03-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/doc.mk: doc: generate manpages for all functions That addresses issue where certain manpages were created empty. See + https://bugzilla.redhat.com/show_bug.cgi?id=1306800 + +2016-03-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: doc: mention + gnutls_certificate_set_x509_trust_dir() It was not mentioned in the "Client or server certificate + verification" section. Resolves #76 + +2016-03-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/slow/Makefile.am: tests: include test-hash-large into dist + +2016-03-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2016-03-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * po/zh_CN.po.in: Sync with TP [ci skip] + +2016-03-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_global.c: Disable weak symbols for + _gnutls_global_init_skip() under windows That is to avoid an issue with running gnutls under windows; that + renders GNUTLS_SKIP_GLOBAL_INIT a no-op under windows. 
Relates #74 + +2016-02-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac, m4/hooks.m4: bumped version [ci skip] + +2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/ecc.c: ecc: optimized extension parsing + +2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update [ci skip] + +2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c: timespec_sub_ms: fixed operation in 32-bit + systems + +2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c, lib/pkcs11_int.h: pkcs11: Fixes to prevent undefined + behavior (found with libubsan) + +2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/cipher.c: cipher.c: Fixes to prevent undefined behavior + (found with libubsan) + +2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/opencdk/misc.c: opencdk: Fixes to prevent undefined behavior + (found with libubsan) + +2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/gnutls.h.in: gnutls.h: Fixes to prevent + undefined behavior (found with libubsan) + +2016-02-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_mem.h, lib/x509/x509.c: x509: Fixes to prevent + undefined behavior (found with libubsan) + +2016-02-28 Andreas Metzler <ametzler@bebt.de> + + * src/p11tool-args.def: Let p11tool --provider option accept + filenames. Drop 'file-exists = yes;' to allow specifying either an absolute + pathname or a file in P11_MODULE_PATH. + +2016-02-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-is-known.c, + tests/suite/softhsm.h, tests/suite/testpkcs11.softhsm, + tests/utils.c, tests/utils.h: tests: enable softhsmv2 test suite by + default Also do not fatally fail with known softhsmv2 bugs. 
+ +2016-02-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2016-02-26 Jan Vcelak <jan.vcelak@nic.cz> + + * tests/suite/testpkcs11.sh: pkcs11: tests for RSA, ECC, DSA private + key import Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz> + +2016-02-26 Jan Vcelak <jan.vcelak@nic.cz> + + * tests/suite/testpkcs11.sh: pkcs11: tests for DSA key generating Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz> + +2016-02-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-gtls-app.texi: added getpid() to the list of system calls + used + +2016-02-25 Jan Vcelak <jan.vcelak@nic.cz> + + * lib/x509/privkey_pkcs8.c: gnutls_x509_privkey_import: add missing + algorithm setting for DSA keys The algorithm number was set only in the private key structure, not + in the nested structure with parameters. This made certain + operations to fail (e.g., copying the key into a PKCS #11 token). 
Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz> + +2016-02-24 Sebastian Dröge <sebastian@centricular.com> + + * configure.ac: configure: Android is ELF too Without this, compiling Android for x86 or x86-64 fails because the + assembly optimizations are not compiled in. + +2016-02-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2016-02-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/pcert-list.c: tests: added tests for + gnutls_pcert_list_import_x509_raw() + +2016-02-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/x509.c: gnutls_x509_crt_list_import: corrected memory + leak This was triggered if GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED was + specified and a failure occurred. + +2016-02-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/common.c: _gnutls_sort_clist: fixed issues when used with + func option This function would incorrectly call func() on elements that were + included in the list, and would not call func() if the size of the + final chain was one. 
+ +2016-02-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms/secparams.c: DH/DSA: allow the generation of larger + than 15360 bit parameters + +2016-02-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/slow/hash-large.c: tests: eliminated mem leak in hash-large + +2016-02-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update [ci skip] + +2016-02-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/slow/Makefile.am, tests/slow/hash-large.c, + tests/slow/test-hash-large: tests: check whether large buffer hashes + and MAC work as expected + +2016-02-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/accelerated/x86/hmac-padlock.c, + lib/accelerated/x86/hmac-x86-ssse3.c, + lib/accelerated/x86/sha-padlock.c, + lib/accelerated/x86/sha-padlock.h, + lib/accelerated/x86/sha-x86-ssse3.c, lib/nettle/mac.c: nettle: use + the correct type for hash and MAC functions + +2016-02-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/benchmark-cipher.c: gnutls-cli: improved indentation in + benchmark output + +2016-02-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/set_pkcs12_cred.c: tests: set_pkcs12_cred: existing tests + are disabled when in FIPS140-2 mode The tests require access to the RC4 cipher which is not available. + +2016-02-09 Andreas Metzler <ametzler@bebt.de> + + * doc/cha-gtls-app.texi: improve doc on special keywords in priority + string Special keywords in priority strings like %COMPAT may not be + prefixed with +, - or !, "NORMAL:+%COMPAT is invalid. 
+ +2016-02-06 Attila Molnar <attilamolnar@hush.com> + + * doc/cha-cert-auth.texi, doc/cha-gtls-app.texi, + doc/cha-tokens.texi, lib/gnutls_auth.c, lib/gnutls_dtls.c, + lib/gnutls_extensions.c, src/tpmtool-args.def: doc: Fix some typos + +2016-02-06 Attila Molnar <attilamolnar@hush.com> + + * doc/cha-gtls-app.texi, src/certtool-cfg.c, src/serv-args.def: + Remove remaining RSA-EXPORT support leftovers from doc and messages + +2016-02-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/pkcs11-pubkey-import-ecdsa.c: tests: + pkcs11-pubkey-import-ecdsa will only work under softhsmv2 + +2016-02-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2016-01-31 Andreas Metzler <ametzler@bebt.de> + + * lib/gnutls_pubkey.c, lib/openpgp/gnutls_openpgp.c, + lib/x509/pkcs12_bag.c, lib/x509/x509.c, lib/x509/x509_ext.c, + src/certtool-cfg.c: Fix some more typos. certifcate, funtion, withing, missmatch + +2016-01-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update [ci skip] + +2016-01-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/template-date.pem, + tests/cert-tests/template-dn.pem, + tests/cert-tests/template-generalized.pem, + tests/cert-tests/template-nc.pem, + tests/cert-tests/template-overflow.pem, + tests/cert-tests/template-overflow2.pem, + tests/cert-tests/template-test.pem, + tests/cert-tests/template-unique.pem: Revert "tests: updated to + account for cert generation after + 2adb9b2bfb31afebbdd9f990e2b74c9a3d4e5c57 fix" This reverts commit 735dbde324be6c8785a3dea5f09c82b6a8ad298b. + +2016-01-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/x509_ext.c: Revert "Fix out-of-bounds read in + gnutls_x509_ext_export_key_usage" This was not really an out-of-bounds check. Added documentation to + make that clear. This reverts commit ffbc9aaea7dcf29c03784d128b83f0682357858d. 
+ +2016-01-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_global.c: gnutls_global_init: log gnutls' version on + initialization + +2016-01-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: doc: corrected typo [ci skip] + +2016-01-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/output.c: x509: tolerate missing subject or issuer fields + +2016-01-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c: gnutls_pubkey_import_x509_raw: fixed memory + leak + +2016-01-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/output.c: x509: place newline when printing unsupported + othernames + +2016-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update [ci skip] + +2016-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/ext/alpn.c: alpn: when parsing the list of protocols return at + the first mutually common That resolves an issue where the server wouldn't select the first + mutually supported. 
Resolves #63 + +2016-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-alpn.c: tests: mini-alpn: corrected protocol selection + order + +2016-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-alpn.c: tests: alpn: enhance the testing of ALPN + negotiation + +2016-01-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/ext/alpn.c: alpn: document how the selected protocol is + selected [ci skip] + +2016-01-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-alpn.c: tests: verify that the selected ALPN protocol + is the first advertised + +2015-12-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * Makefile.am, src/Makefile.am: build: fix make distclean by + including src/gl only once + +2016-01-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * symbols.last: symbols.last: added new symbol + +2016-01-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2016-01-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c: trust_list_get_issuer_by_dn: fixed check + for DN or SPKI + +2016-01-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * Makefile.am: symbols.last: don't include internal symbols into + exported list + +2016-01-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated + auto-generated files + +2016-01-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac: configure: no longer distribute lzip tarballs + +2016-01-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/template-date.pem, + tests/cert-tests/template-dn.pem, + tests/cert-tests/template-generalized.pem, + tests/cert-tests/template-nc.pem, + tests/cert-tests/template-overflow.pem, + tests/cert-tests/template-overflow2.pem, + tests/cert-tests/template-test.pem, + tests/cert-tests/template-unique.pem: tests: updated to account for + cert generation after 2adb9b2bfb31afebbdd9f990e2b74c9a3d4e5c57 fix + +2016-01-04 
Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2016-01-04 Tim Kosse <tim.kosse@filezilla-project.org> + + * lib/x509/x509_ext.c: Fix out-of-bounds read in + gnutls_x509_ext_export_key_usage + +2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitlab-ci.yml: .gitlab-ci.yml: optimized build process That is, in slow asan and valgrind builds don't check the full test + suite. + +2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update [ci skip] + +2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update [ci skip] + +2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected + the writing of ECC private key + +2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/Makefile.am, + tests/suite/pkcs11-pubkey-import-ecdsa.c, + tests/suite/pkcs11-pubkey-import-rsa.c, + tests/suite/pkcs11-pubkey-import.c: tests: pkcs11-pubkey-import will + check both RSA and ECDSA keys + +2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected + the type of the written object Previously only RSA objects were correctly written. + +2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-common.h: tests: added ECDSA key in cert-common.h + +2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11_privkey.c: pkcs11: import public keys from any + available object That is, load public keys from the public key object, or the + certificate object if they are present. That affects non-RSA public + keys which do not contain all required fields on the private key + object. + +2015-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_db.h: session DB: made the magic number depending on + gnutls' version That will make sure that sessions not stored by this version of + gnutls will not be resumed by another (which may be incompatible). 
+ +2015-12-26 Andreas Metzler <ametzler@bebt.de> + + * README, lib/ext/srtp.c, lib/gnutls_priority.c, lib/locks.c, + lib/opencdk/keydb.c, lib/x509/pkcs7.c, + tests/mini-handshake-timeout.c: Fix some typos [ci skip] + +2015-12-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: NEWS: doc update [ci skip] + +2015-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/ext/max_record.c: max_record: don't consider this extension on + DTLS That is because it doesn't work as expected, and does not fragment + handshake messages. Relates with #61 + +2015-12-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-crypto.texi, lib/includes/gnutls/gnutls.h.in: updated + documentation on supported algorithms [ci skip] + +2015-12-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-intro-tls.texi: Added SHA384 to the list of TLS support + MAC algorithms + +2015-12-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/no-signal.c: tests: don't run the no-signal test in systems + which MSG_NOSIGNAL is not available + +2015-12-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/manpages/tpmtool.1: doc: manpages: remove generated tpmtool.1 + page + +2015-12-17 Alon Bar-Lev <alon.barlev@gmail.com> + + * .gitignore: .gitignore: add m4/extern-inline.m4 + +2015-12-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-12-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/pkcs7: tests: added check to verify that the + PKCS#7 embedded data are recovered as expected + +2015-12-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def, src/certtool.c: certtool: introduced the + --p7-show-data option This option allows printing the embedded data in a PKCS#7 signed + structure. 
+ +2015-12-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, lib/x509/pkcs7.c: + gnutls_pkcs7_get_embedded_data: added function This function allows extracting the embedded data from a PKCS#7 + signed structure. + +2015-12-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/pkcs7-gen.c: tests: updated pkcs7-gen to account for + content-type attribute + +2015-12-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-12-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/pkcs7: tests: check whether the content-type + attribute is set if we sign using time + +2015-12-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/pkcs7.c: pkcs7: set by default the content type attribute That is a requirement of rfc5652. Relates #59 + +2015-12-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/crq.c, lib/x509/mpi.c, lib/x509/pkcs7.c, + lib/x509/sign.c, lib/x509/x509_int.h: pkcs7: use the + PK_PKIX1_RSA_OID when writing RSA signature OIDs for PKCS#7 + structures That is because there are implementations which cannot cope with the + normal RSA signature OIDs. Relates #59 + +2015-12-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/pkcs7.c, tests/cert-tests/p7-combined.out: pkcs7: Disable + the optional fields prior to generating the PKCS#7 structure This resolves issue with our PKCS#7 structures not being parsed by + MacOSX' tools. 
Relates #59 + +2015-12-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c: certtool: warn if an ECDSA key is marked for + encryption + +2015-12-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c: certtool: corrected invalid free + +2015-12-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_session_pack.c, lib/gnutls_state.c, lib/gnutls_ui.c: + make sure gnutls_assert is present at the cases where + GNUTLS_E_INTERNAL_ERROR is returned + +2015-12-14 Gustavo Zacarias <gustavo@zacarias.com.ar> + + * configure.ac: configure: really make --disable-crywrap work The crywrap variable is set regardless of the state of + enable_crywrap, hence --disable-crywrap never works. Just put the + tests for crywrap deps inside the enable_crywrap conditional. 
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> + +2015-12-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-11-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms/ciphersuites.c: updated chacha20 ciphers to conform + to latest draft + +2015-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms/ciphers.c, lib/algorithms/ciphersuites.c, + lib/gnutls_cipher.c, lib/gnutls_constate.c, lib/gnutls_dtls.c, + lib/gnutls_int.h: Modified the CHACHA20 cipher to conform to + draft-ietf-tls-chacha20-poly1305-02 + +2015-12-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-debug.c: gnutls-cli-debug: rephrased inappropriate + fallback test description to match the rest + +2015-12-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-12-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitlab-ci.yml: .gitlab-ci.yml: valgrind build was moved at the + end as it is the slowest build + +2015-12-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-args.def, src/certtool.c: certtool: the + --p7-include-cert option is enabled by default This allows to generate PKCS#7 structures by default that can be + read by iOS. + +2015-12-13 sskaje <sskaje@gmail.com> + + * src/certtool-args.def, src/certtool.c: #56 Feature: certtool + --p7-sign support GNUTLS_PKCS7_INCLUDE_CERT + +2015-12-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: Do not allow importing public keys from PKCS + #11 private keys for DSA and ECDSA This prevents the reading of the public key when non-RSA keys are + available. This is a much cleaner approach than + 5a4e692511dc3a829eda0d7c5a87e56cbc2055f0. + +2015-12-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h, + lib/pkcs11_privkey.c: Revert "Do not allow importing public keys + from PKCS #11 private keys for DSA and ECDSA" This reverts commit 9146ba63f5aa48358cb80aa7ccf9131cf2abdbe6. 
+ +2015-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/cert-common.h: tests: cert-common.h: + backported from master branch + +2015-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/Makefile.am, tests/suite/pkcs11-pubkey-import.c: + tests: check whether gnutls_pubkey_import_privkey() operates well + for PKCS#11 RSA keys + +2015-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h, + lib/pkcs11_privkey.c: Do not allow importing public keys from PKCS + #11 private keys for DSA and ECDSA That is, because they do not contain all the required parameters for + a direct import. Reported by Jan Vcelak. + +2015-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11_privkey.c: pkcs11: avoid setting a variable which isn't + used + +2015-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: pkcs11: + deinitialize gnutls_pkcs11_obj_t's pubkey on deinit + +2015-12-06 Jan Vcelak <jan.vcelak@nic.cz> + + * lib/pkcs11_privkey.c: pkcs11: fix passing of incorrect variable in + privkey_get_pubkey The code worked for RSA because the content of the variables + matched. But it doesn't match for ECC. CKM_RSA_PKCS_KEY_PAIR_GEN (0x0) == CKK_RSA (0x0) + CKM_ECDSA_KEY_PAIR_GEN (0x1040) != CKK_ECDSA (0x3) 
Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz> + +2015-12-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/benchmark-tls.c: gnutls-cli: don't use RSA ciphersuites to + test chacha20 as they are not defined + +2015-12-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/x509.c: documented bug in + gnutls_x509_crt_get_*_unique_id() + +2015-11-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/x509.c: allow specifying NULL buffer in + gnutls_x509_crt_get_*_unique_id() + +2015-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/slow/override-ciphers, tests/slow/test-ciphers: tests: + cipher-test will forward the prog exit code as the script exit code + +2015-11-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/Makefile.am: tests: changes for running tests + under windows + +2015-11-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitlab-ci.yml: .gitlab-ci.yml: backported from master + +2015-11-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/ocsp_output.c: ocsp_output: when next update is not + present don't print error message That is because this field is optional. Resolves #53 + +2015-11-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/slow/Makefile.am, tests/slow/override-ciphers: tests: + override-ciphers will not run mac tests on windows There is some issue with symbols for self tests not being exported. 
+ +2015-11-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/Makefile.am, tests/cert-tests/certtool: tests: + updates for certtool test to run under windows + +2015-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/Makefile.am, tests/cert-tests/aki, + tests/cert-tests/certtool, tests/cert-tests/certtool-long-cn, + tests/cert-tests/pathlen, tests/cert-tests/pem-decoding, + tests/cert-tests/pkcs7, tests/pkcs8-decode/pkcs8: tests: changes for + running tests under windows + +2015-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/system.c: use consistent terms in system.c and + system-keys-win.c + +2015-11-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitlab-ci.yml: .gitlab-ci.yml: backported from master + +2015-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/libopts/text_mmap.c: libopts: use the O_BINARY flag in windows + for files + +2015-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/libopts/COPYING.gplv3, src/libopts/COPYING.lgplv3, + src/libopts/COPYING.mbsd, src/libopts/Makefile.am, + src/libopts/README, src/libopts/ag-char-map.h, src/libopts/alias.c, + src/libopts/ao-strs.c, src/libopts/ao-strs.h, + src/libopts/autoopts.c, src/libopts/autoopts.h, + src/libopts/autoopts/options.h, src/libopts/autoopts/project.h, + src/libopts/autoopts/usage-txt.h, src/libopts/boolean.c, + src/libopts/check.c, src/libopts/compat/compat.h, + src/libopts/compat/pathfind.c, src/libopts/compat/windows-config.h, + src/libopts/configfile.c, src/libopts/cook.c, src/libopts/enum.c, + src/libopts/env.c, src/libopts/file.c, src/libopts/find.c, + src/libopts/genshell.c, src/libopts/genshell.h, + src/libopts/gettext.h, src/libopts/init.c, src/libopts/intprops.h, + src/libopts/libopts.c, src/libopts/load.c, + src/libopts/m4/libopts.m4, src/libopts/m4/liboptschk.m4, + src/libopts/m4/stdnoreturn.m4, src/libopts/makeshell.c, + src/libopts/nested.c, src/libopts/numeric.c, + src/libopts/option-value-type.c, + 
src/libopts/option-xat-attribute.c, src/libopts/parse-duration.c, + src/libopts/parse-duration.h, src/libopts/pgusage.c, + src/libopts/proto.h, src/libopts/putshell.c, src/libopts/reset.c, + src/libopts/restore.c, src/libopts/save.c, src/libopts/sort.c, + src/libopts/stack.c, src/libopts/stdnoreturn.in.h, + src/libopts/streqvcmp.c, src/libopts/text_mmap.c, + src/libopts/time.c, src/libopts/tokenize.c, src/libopts/usage.c, + src/libopts/version.c: libopts: updated to 5.18.6 + +2015-11-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/slow/Makefile.am: tests: use gnulib where needed + +2015-11-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * cross.mk: cross.mk: updated windows cross compile makefile + +2015-11-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/global-init-override.c: tests: disable global-init-override + test in windows Gcc does not support weak symbols on this platform. + +2015-11-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/socket.c: tools: don't call endservent in windows + +2015-11-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/Makefile.am: tests: included missing files + +2015-11-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/nettle/cipher.c: added cast to silence gcc warning + +2015-11-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: released 3.4.7 + +2015-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/system-keys-win.c: system-keys-win: allow reinitialization of + the library after a deinitialization + +2015-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated + auto-generated files + +2015-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/scripts/getfuncs.pl: getfuncs.pl: don't consider functions + with _gnutls prefix + +2015-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_global.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: gnutls_global_init_skip: prefixed with an + 
underscore + +2015-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac, m4/hooks.m4: bumped version + +2015-11-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: check fread_file() for errors in all + situations This caused certtool to crash on invalid input on stdin. Reported + by Christoph Biedl. + +2015-11-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/x509_write.c: doc update + +2015-11-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_ui.c: gnutls_certificate_set_flags: Added since + +2015-11-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-11-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/set_x509_key_mem.c: tests: check gnutls_certificate_flags + +2015-11-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/auth/cert.h, lib/gnutls_cert.c, lib/gnutls_ui.c, + lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: Added + gnutls_certificate_flags() and + GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH That allows a user of the credentials to disable the certificate + matching action. That is, to disable the calls to sign and verify on + initialization. 
+ +2015-11-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/Makefile.am: link with libdl when trousers is enabled; + reported by Andreas Schneider + +2015-11-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-11-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-selftests.c: enhanced cipher selftests with variable + key sizes on arcfour + +2015-11-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/cipher.c: Do not enforce a maximum key size on ARCFOUR That makes the library consistent with the behavior of previous + versions (3.3.x) + +2015-11-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/tests.c: gnutls-cli-debug: make TLS 1.6 fallback check more + reliable + +2015-11-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c, lib/x509/x509_write.c: doc update + +2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * .gitlab-ci.yml: .gitlab-ci.yml: disable non-suiteb curves in all + systems as we have multiple which are fedoras + +2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/global-init-override.c, tests/global-init.c: tests: + corrected copyright info + +2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/global-init-override.c: tests: added + check for overriding global initialization + +2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: documented GNUTLS_SKIP_GLOBAL_INIT macro + +2015-11-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_global.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: Added GNUTLS_SKIP_GLOBAL_INIT macro to allow + programs skip implicit global initialization + +2015-11-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitlab-ci.yml: .gitlab-ci.yml: backported + +2015-11-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-gtls-app.texi: doc: document how to use gnutls with + 
seccomp + +2015-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/auth/dh_common.c: deinitialize client_Y if needed to avoid + leak This is a more conservative fix comparing to + 0e370b7b34c96f7929f9070ad8287c6cf52e7901 ("deinitialize all + handshake keys when handshake is over"). + +2015-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c: Revert "deinitialize all handshake keys when + handshake is over" This reverts commit 0e370b7b34c96f7929f9070ad8287c6cf52e7901. + +2015-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/x509_write.c: + gnutls_x509_crt_set_subject/issuer_unique_id: added Since in doc + +2015-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c: doc update + +2015-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-crypto.texi, lib/includes/gnutls/pkcs7.h, + lib/x509/pkcs7.c: Added documentation on PKCS #7 signing + +2015-11-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * .gitlab-ci.yml: .gitlab-ci.yml: disable guile in asan builds + +2015-11-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c: deinitialize all handshake keys when handshake + is over + +2015-11-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/Makefile.am, tests/suite/eagain, + tests/suite/eagain.sh, tests/suite/invalid-cert, + tests/suite/invalid-cert.sh, tests/suite/testcompat-openssl.sh, + tests/suite/testcompat-polarssl.sh, tests/suite/testdane, + tests/suite/testdane.sh, tests/suite/testrandom, + tests/suite/testrandom.sh, tests/suite/testrng, + tests/suite/testrng.sh, tests/suite/testsrn, tests/suite/testsrn.sh: + tests: suite: more shell scripts were given the .sh suffix and + simplified makefile + +2015-11-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/Makefile.am, tests/suite/chain, 
tests/suite/chain.sh, + tests/suite/test-ciphersuite-names, + tests/suite/test-ciphersuite-names.sh, tests/suite/testpkcs11, + tests/suite/testpkcs11.sh: tests: suite: don't run shell scripts + with valgrind + +2015-11-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testsrn: tests: testsrn: output errors on stderr + +2015-11-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-11-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/Makefile.am, tests/cert-tests/template-test, + tests/cert-tests/template-unique.pem, + tests/cert-tests/template-unique.tmpl: tests: verify that unique IDs + are generated as expected + +2015-11-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h, + src/certtool.c: certtool: Allow writing unique IDs in generated + certificates + +2015-11-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/x509.h, lib/libgnutls.map, + lib/x509/x509_write.c: Added gnutls_x509_crt_set_issuer_unique_id() + and gnutls_x509_crt_set_subject_unique_id() + +2015-11-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/output.c: properly indent unique IDs + +2015-11-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: documented the GNUTLS_NO_EXPLICIT_INIT + environment variable + +2015-11-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-api.c: crypto-api: doc update + +2015-11-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-11-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/auth/dhe.c, lib/auth/ecdhe.c: Allow switching a ciphersuite to + DHE and ECDHE on a rehandshake + +2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c: certtool: eliminate leaks in _verify_x509_mem() + +2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testdane: 
testdane: improved error detection in sites + +2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/Makefile.am, tests/suite/chain, + tests/suite/pkcs11-is-known.c, tests/suite/suppressions.valgrind, + tests/suite/testsrn, tests/suite/x509paths/suppressions.valgrind: + tests: suite: eliminate many leaks in the tests and run them under + valgrind + +2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/openpgp-certs/Makefile.am, + tests/openpgp-certs/suppressions.valgrind, + tests/openpgp-certs/testcerts: tests: openpgp-certs: use valgrind + +2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/openpgp/extras.c: openpgp: eliminate leaks in + gnutls_openpgp_keyring_import() + +2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/mini-eagain2.c: tests: eliminate leaks in + mini-eagain2.c + +2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c: certtool: eliminate memory leaks in certificate + generation + +2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/key-tests/Makefile.am, tests/key-tests/key-id, + tests/key-tests/pkcs8, tests/key-tests/suppressions.valgrind: tests: + key-tests: use valgrind + +2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_pubkey.c: gnutls_x509_crt_set_pubkey: clarify usage + +2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/pkcs12-decode/Makefile.am, tests/pkcs12-decode/pkcs12, + tests/pkcs12-decode/suppressions.valgrind: tests: run the PKCS #12 + tests under valgrind + +2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-11-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/pkcs12.c, lib/x509/privkey_pkcs8.c: pkcs12: correctly set + salt size in gnutls_pkcs12_mac_info Also eliminate leaks in PKCS #12 parsing. 
+ +2015-11-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: make sure that pkcs12 structures are + deinitialized + +2015-11-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-backend.c: crypto-backend: ensure there are no leaks on + deinitialization + +2015-11-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms/ciphersuites.c, tests/mini-etm.c, + tests/mini-record.c: Require TLS 1.2 for all the ciphersuites which + are defined for it only This solves an interoperability issue with openssl. Reported by + Viktor Dukhovni. + +2015-11-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-common.h, src/p11tool-args.def, src/p11tool.c, + src/pkcs11.c: p11tool: introduced --only-urls option This option allows printing a compact listing containing only of + URLs. + +2015-11-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-11-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/mini-x509-default-prio.c: tests: added + check for gnutls_priority_set_default + +2015-11-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * .gitlab-ci.yml: .gitlab-ci.yml: use static libasan This prevents issues with tests which use LD_PRELOAD. + +2015-11-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * .gitlab-ci.yml: .gitlab-ci.yml: disable non-suiteb curves on build + on Fedora system + +2015-11-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/socket.c: tools: better ftp auth tls negotiation + +2015-11-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/socket.c: tools: only check for status code in FTP starttls + negotiation + +2015-11-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/socket.c: tools: print more info in starttls negotiation when + --verbose is given + +2015-11-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls.pc.in: gnutls.pc: don't use the libtool version of the + link options Reported by Dan Kegel. 
Resolves #49 + +2015-10-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/heartbeat.c: removed inacurate text + +2015-10-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-bib.texi, doc/cha-intro-tls.texi, doc/latex/gnutls.bib: + doc: updated supplemental data documentation + +2015-10-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testdane: tests: testdane will not check hosts which + are unreachable + +2015-10-20 Andreas Metzler <ametzler@bebt.de> + + * lib/auto-verify.c, lib/gnutls_state.c: Documentation update The new simple verification functions were backported to 3.4.6, + correct "Since:" to reflect this. + +2015-10-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated + auto-generated files + +2015-10-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: released 3.4.6 + +2015-10-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: doc: documented future level + +2015-10-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-10-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h: pkcs11.h: relocated + gnutls_pkcs11_copy_pubkey to allow discovery by buggy doc scripts + +2015-10-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-10-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/ext_master_secret.c: ext master secret: extension is + marked as mandatory This forces the extension to be sent even where resuming sessions. 
+ Resolves #45 + +2015-10-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/resume.c: tests: Check whether a resumed session contains + the ext master secret extension Relates #45 + +2015-10-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-10-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/pkcs11-certs/server.pub, tests/suite/testpkcs11: + tests: adapted testpkcs11 for use with 3.4.x certtool + +2015-10-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testpkcs11, tests/suite/testpkcs11.softhsm: tests: + verify that public keys are properly written Also disable parts of the suite that softhsm2 cannot properly work + with, to allow running parts of the suite even with broken softhsm. + +2015-10-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-10-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: p11tool: Allow writing a PKCS #11 pubkey object + +2015-10-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c, + lib/pkcs11_int.h, lib/pkcs11_privkey.c, lib/pkcs11_write.c: pkcs11: + introduced gnutls_pkcs11_copy_pubkey That allows copying a public key to a PKCS #11 module. + +2015-10-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am: doc: set a path which includes new binaries when + running autogen That makes sure that autogen will discover the binaries to obtain + the --help output. 
+ +2015-10-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-debug-args.def: gnutls-cli-debug: updated doc + +2015-10-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-debug-args.def, src/cli-debug.c, src/cli.c, + src/danetool-args.def, src/danetool.c, src/socket.c, src/socket.h: + tools: when the starttls-proto is specified automatically detect the + port if not given + +2015-10-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-10-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-10-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitlab-ci.yml: backport: .gitlab-ci.yml: combined the slow build + with the separate build dir + +2015-10-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms/ciphers.c, lib/gnutls_cipher_int.c, + lib/gnutls_priority.c: Disable the NULL cipher on runtime when + FIPS140 mode is enabled instead of statically That way the NULL cipher can be used when not in FIPS140 mode. + +2015-10-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms.h, lib/algorithms/ciphers.c, lib/algorithms/kx.c, + lib/gnutls_int.h, lib/gnutls_priority.c: backport: Tolerate priority + strings with names of legacy ciphers and key exchanges That enables better backwards compatibility with old applications + which disable or enable algorithms which no longer are supported. + Relates #44 + +2015-10-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-10-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_write.c: pkcs11: write CKA_ISSUER and CKA_SERIAL_NUMBER + when writing on a certificate That allows NSS to read and use the written certificate. 
Relates + #43 + +2015-10-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/sec-params.c: tests: enhanced sec-params check to account + for future sec-param + +2015-10-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-10-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-common.c: certtool: recognize the future sec-param + +2015-10-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms/secparams.c, lib/includes/gnutls/gnutls.h.in: + Introduced the security parameter future (256) and switched ultra to + 192 bits For ultra, this was its documented strength, and now follows RFC3766 + recommendations for sizes. + +2015-10-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-common.c: certtool: be more specific on the help + message for --sec-param when --bits are given + +2015-10-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testpkcs11.softhsm: tests: better detection of softhsm + library + +2015-10-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac, m4/hooks.m4: bumped version + +2015-09-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-09-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-cert-auth.texi, doc/cha-gtls-app.texi, + doc/examples/ex-client-x509.c, lib/Makefile.am, lib/auto-verify.c, + lib/gnutls_alert.c, lib/gnutls_cert.c, lib/gnutls_errors.c, + lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_priority.c, + lib/gnutls_x509.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map, tests/Makefile.am, tests/auto-verify.c: + Backported new verification functions for clients from 3.5.x branch The major use-case for the TLS protocol is verification of PKIX + certificates. However, certificate verification support while is + similar for almost all projects it requires around 100 lines of code + (a callback) to be duplicated to all applications. 
That patch set + gets rid of the callback and simplifies certificate verification + support, by introducing a very simple API; one that would accept the + session and the hostname only. Resolves #27 + +2015-08-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/eagain-common.h, + tests/mini-session-verify-function.c: tests: added test for + gnutls_session_set_verify_function + +2015-08-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c, + lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: Added + gnutls_session_set_verify_function That allows to set a verification callback per session rather than + only globally on the credentials structure. + +2015-10-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_record.c: gnutls_record_recv: simplified text on + GNUTLS_E_REHANDSHAKE + +2015-09-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-common.c: certtool: print 16-bytes of hex values per + line Also avoid a colon on the end of the line. + +2015-09-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-09-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-common.c: certtool: switched the default level to + HIGH for key generation That requires 3072 bits for RSA and DSA keys. 
+ +2015-09-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-09-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def, + src/socket.c: tools: added xmpp into the starttls-proto options + +2015-09-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def, + src/socket.c: tools: added ldap into the starttls-proto options + +2015-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/system.c: system.c: simplify gnutls_system_recv_timeout + +2015-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-debug.c: gnutls-cli-debug: use RFC7627 instead of + draft-ietf-tls-session-hash + +2015-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/gnutls.h.in: updated documentation on + gnutls_vdata_types_t based on DKG's suggestions + +2015-09-16 Daniel Kahn Gillmor <dkg@fifthhorseman.net> + + * lib/gnutls_cert.c: improve docs for + gnutls_certificate_verify_peers*() The gnutls_certificate_verify_peers{,2,3}() functions all return + GNUTLS_E_SUCCESS (0) even in situations when the peer's certificate + was not verified. This is explained in the first paragraphs ("i.e. + failure to trust a certificate does not imply a negative return + value"), but the Returns: line isn't comparably clear. 
+ +2015-09-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_str.c: _gnutls_hex2bin: avoid overrun in the provided + buffer + +2015-09-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2015-09-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/manpages/tpmtool.1: tpmtool.1: updated + +2015-09-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/output.c: Don't use formatted output for fixed strings Resolves #35 + +2015-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: pkcs11: when storing public keys, make sure + they are marked as not private + +2015-08-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-08-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/tests.c: gnutls-cli-debug: corrected typo in inappropriate + fallback check + +2015-08-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: added + check for inappropriate fallback support + +2015-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/examples/ex-serv-anon.c: corrected typo in ex-server-anon + +2015-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_str.c: hex decoding: more reasonable error codes That is, return GNUTLS_E_PARSING_ERROR instead of base64 decoding + error, and document that fact. + +2015-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/ext_master_secret.c, lib/gnutls_db.c: Set the extended + master secret status based on resumption data only That is, don't require a new negotiation with extensions. + +2015-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/resume-dtls.c, tests/resume.c: tests: corrected resumption + tests to disable tickets when needed That is, perform the tests that require no tickets, with tickets + disabled. 
+ +2015-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_session_pack.c: session packing: corrected issue in PSK + session unpack + +2015-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/auth/psk.c: PSK: save the username in client side in the auth + structure + +2015-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_hash_int.h: _gnutls_hash() returns error code if any. Ideally we would like to eliminate any return codes from that + function. However, since that's on exported API we cannot easily do + without breaking the ABI. Reported by Benedikt Klotz. Resolves #28 + +2015-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c, lib/x509/verify-high2.c: x509: when + appending CRLs to a trust list ensure that we don't have duplicates That is, overwrite CRLs if they have been obsoleted. + +2015-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: allow exporting very long CRLs + +2015-08-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-08-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/crl: tests: verify whether CRL date setting works + as expected + +2015-08-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h, + src/certtool.c: certtool: Allow specifying CRL dates as fixed dates + +2015-08-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/crl: tests: verify CRL appending effectiveness + +2015-08-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/crl_write.c: gnutls_x509_crl_set_authority_key_id, + gnutls_x509_crl_set_number allow overwritting That allows them to overwrite values which were previously set + (e.g., on an imported CRL). 
+ +2015-08-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def, src/certtool.c: certtool: allow appending + certificates to a CRL + +2015-08-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-08-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c: certtool: removed limit on maximum imported + certificates in the -i option + +2015-08-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/Makefile.am, tests/cert-tests/crl: tests: check + whether the CRL generation code works as expected + +2015-08-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-common.c, src/certtool.c: certtool: eliminated memory + leaks due to new cert loading code + +2015-08-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-common.c, src/certtool-common.h: certtool: lifted + limits on file size to load + +2015-08-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * Makefile.am: before dist ensure that included libopts matches + autogen + +2015-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: corrected date + +2015-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/Makefile.am: include all cert-tests into dist + +2015-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated + auto-generated files for new functions + +2015-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: p11tool: test-sign will not fail if a pubkey is not + found + +2015-08-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/privkey.c: key decoding: set key to null for consistency + +2015-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey.c: key decoding: simplify decoding logic by + removing the fallback + +2015-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-08-04 Nikos 
Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey.c: key decoding: corrected regression with PKCS + #8 key decoding Reported by Daniel Berrange. + +2015-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/pkcs8-key-decode.c: tests: added check + for decoding of a PKCS #8 key as fallback + +2015-08-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-08-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11: set + the CKA_TOKEN attribute on generated public keys That also introduces the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY + flag, to simulate the previous behavior. + +2015-08-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * cfg.mk: cfg.mk: fix order of arguments in gnulib-tool + +2015-08-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/fallback-scsv.c: tests: added check for + the fallback SCSV + +2015-08-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_handshake.c: handshake: check inappropriate fallback + against the configured max version That allows to operate on a server which is explicitly configured to + utilize earlier than TLS 1.2 versions. + +2015-08-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/gnutls.h.in: corrected + GNUTLS_E_INAPPROPRIATE_FALLBACK error code + +2015-08-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-08-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_handshake.c: copy_ciphersuites: use definition for + reserved ciphersuites + +2015-08-01 Alessandro Ghedini <alessandro@ghedini.me> + + * doc/cha-gtls-app.texi, lib/gnutls_handshake.c, lib/gnutls_int.h, + lib/gnutls_priority.c, lib/priority_options.gperf: handshake: add + FALLBACK_SCSV priority option This allows clients to enable the TLS_FALLBACK_SCSV mechanism during + the handshake, as defined in RFC7507. 
+ +2015-08-01 Alessandro Ghedini <alessandro@ghedini.me> + + * lib/algorithms.h, lib/gnutls_alert.c, lib/gnutls_errors.c, + lib/gnutls_handshake.c, lib/includes/gnutls/gnutls.h.in: handshake: + check for TLS_FALLBACK_SCSV If TLS_FALLBACK_SCSV was sent by the client during the handshake, + and the advertised protocol version is lower than + GNUTLS_TLS_VERSION_MAX, send the "Inappropriate fallback" fatal + alert and abort the handshake. This mechanism was defined in RFC7507. + +2015-08-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * build-aux/gendocs.sh, gl/Makefile.am, gl/m4/codeset.m4, + gl/m4/extern-inline.m4, gl/m4/gettext.m4, gl/m4/glibc2.m4, + gl/m4/glibc21.m4, gl/m4/gnulib-cache.m4, gl/m4/gnulib-common.m4, + gl/m4/gnulib-comp.m4, gl/m4/iconv.m4, gl/m4/intdiv0.m4, + gl/m4/intl.m4, gl/m4/intldir.m4, gl/m4/intlmacosx.m4, + gl/m4/intmax.m4, gl/m4/lcmessage.m4, gl/m4/lock.m4, + gl/m4/manywarnings.m4, gl/m4/nls.m4, gl/m4/po.m4, + gl/m4/printf-posix.m4, gl/m4/progtest.m4, gl/m4/stdio_h.m4, + gl/m4/sys_time_h.m4, gl/m4/threadlib.m4, gl/m4/time_h.m4, + gl/m4/uintmax_t.m4, gl/m4/valgrind-tests.m4, gl/m4/visibility.m4, + gl/stddef.in.h, gl/stdio.in.h, gl/string.in.h, gl/tests/init.sh, + gl/tests/inttypes.in.h, gl/tests/test-read-file.c, + gl/tests/test-stddef.c, gl/time.in.h, gl/wchar.in.h, + src/gl/Makefile.am, src/gl/error.c, src/gl/error.h, + src/gl/fseeko.c, src/gl/m4/extern-inline.m4, + src/gl/m4/gnulib-cache.m4, src/gl/m4/gnulib-common.m4, + src/gl/m4/stdio_h.m4, src/gl/m4/sys_time_h.m4, src/gl/m4/time_h.m4, + src/gl/stddef.in.h, src/gl/stdio.in.h, src/gl/string.in.h, + src/gl/time.in.h, src/gl/wchar.in.h, src/gl/xalloc.h: use the + gettext-h gnulib module + +2015-08-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/certtool-long-cn: tests: added missing + certtool-long-cn + +2015-07-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/ext/safe_renegotiation.c: safe renegotiation: simulate + receiving the extension on receival of SCSV + 
+2015-07-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/common.c: made data2hex() safer, and eliminated mem leak + +2015-07-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/Makefile.am, tests/cert-tests/very-long-dn.pem: + tests: added check for proper handling of very long CNs + +2015-07-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/status-request-ok.c, + tests/status-request.c: tests: added check for server sending (or + not) status request messages + +2015-07-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-07-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac: updated the required gettext version to match the + macros from gnulib + +2015-07-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/safe_renegotiation.c: safe renegotiation: handle case + where client didn't send any extension That was affected by the "don't try to send extensions we didn't + receive". + +2015-07-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/tpm.c: tpm: avoid warning + +2015-07-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_extensions.c, lib/gnutls_handshake.c, lib/gnutls_int.h: + As server don't try to send extensions we didn't receive. 
+ +2015-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/tpm.c: tpm: use gnutls_hex_decode for uuid decoding + +2015-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/auth/psk_passwd.c: psk: use gnutls_hex_decode2 for key + decoding + +2015-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/system-keys-win.c: system-keys-win: use gnutls_hex_decode for + ID decoding + +2015-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/openpgp/gnutls_openpgp.c: openpgp: use gnutls_hex_decode for + keyid decoding + +2015-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/common.c: DN decoding: use gnutls_hex_encode + +2015-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/extras/Makefile.am, lib/extras/hex.c, lib/extras/hex.h, + lib/extras/licenses/CC0, lib/gnutls_str.c, + lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: Introduced + gnutls_hex_encode2() and gnutls_hex_decode2() These also use safer hex decoding functions which don't skip invalid + input. 
+ +2015-07-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-07-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/common.c: x509: simplified data to hex conversion in + unknown DN names + +2015-07-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_state.c, tests/prf.c: gnutls_prf_rfc5705: Allow for + non-null context and zero context length + +2015-07-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2015-07-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/prf.c: tests: added cross-check between gnutls_prf_rfc5705() + and gnutls_prf() + +2015-07-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/safe-renegotiation/Makefile.am, + tests/suite/Makefile.am: removed legacy libgcrypt flags + +2015-07-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c, tests/prf.c: gnutls_prf_rfc5705: optimize in + the common use case, by avoiding malloc Also don't handle specially the case of non-NULL context and + context_size of zero. + +2015-07-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * .gitignore: ignore more files + +2015-07-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool-args.def: p11tool: fix documentation for + --generate-ecc and generate-dsa + +2015-07-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c: gnutls_prf_rfc5705: mention the version it was + introduced at + +2015-07-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-07-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/prf.c: tests: added check for + gnutls_prf() and gnutls_prf_rfc5705 + +2015-07-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: gnutls_prf_rfc5705: added That includes support for RFC5705 when the context field is used. + Initial patch by Rick van Rein. 
+ +2015-07-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-tokens.texi: doc update: explain more about PKCS #11 and + fork + +2015-07-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac: configure: print the trousers lib only when set + +2015-07-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/tpmtool-args.def, src/tpmtool.c: tpmtool: Added --test-sign + parameter + +2015-07-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_global.c, lib/tpm.c: Deinitialize the TPM subsystem + only when trousers support is enabled + +2015-07-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac, lib/Makefile.am, lib/gnutls_errors.c, + lib/gnutls_global.c, lib/gnutls_global.h, + lib/includes/gnutls/gnutls.h.in, lib/tpm.c: TPM: don't link to + trousers, use dlopen() That introduces --with-trousers-lib which can be used to specify the + library to dlopen(). Resolves #18 + +2015-07-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated + auto-generated files + +2015-07-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, configure.ac, m4/hooks.m4: bumped version + +2015-07-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/pkcs11.h: pkcs11: mention the version + GNUTLS_PKCS11_TOKEN_MODNAME is available from + +2015-07-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-07-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/auth/dhe_psk.c: PSK: set the hint in DHE-PSK and ECDHE-PSK + ciphersuites + +2015-07-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/pskself.c: tests: updated pskself to check the hint in all + PSK ciphersuites + +2015-07-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-07-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: p11tool: be more compact in token URL printing + +2015-07-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool-args.def: 
p11tool: group the provided options for + readability + +2015-07-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool-args.def, src/p11tool.c: p11tool: keep backwards + compatibility by introducing --list-token-urls That is, the output of --list-tokens remains the same. + +2015-07-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: p11tool: print the module name of a token in verbose + mode + +2015-07-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_int.h, + lib/pkcs11_write.c, lib/pkcs11x.c: Added GNUTLS_PKCS11_TOKEN_MODNAME + for gnutls_pkcs11_token_get_info That allows to obtain the shared module name of a token URL. + +2015-07-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h: pkcs11.h: doc update + +2015-07-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool-args.def, src/p11tool.c: p11tool: less verbose output + in --list-tokens unless --verbose is specified + +2015-07-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suppressions.valgrind: tests: added suppression for bash mem + leak + +2015-07-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac, tests/Makefile.am, tests/cert-tests/Makefile.am: + tests: don't run certtool-utf8 when libidn is 1.30 or less This avoids test suite failures due to libidn. + +2015-07-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-args.def: gnutls-cli: doc update + +2015-07-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/dumbfw.c: dumbfw: don't append a size prefix in the pad Reported by Hannes Mehnert. + +2015-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * gl/m4/valgrind-tests.m4: gl: use /bin/true to run valgrind during + configure Bash has memory leaks, which prevents the valgrind check to operate + using the SHELL variable. 
+ +2015-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/Makefile.am, tests/cert-tests/certtool-utf8: + tests: added check for invalid UTF8 encoded string + +2015-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac: Revert "libidn support is disabled by default" This reverts commit 5fdffb2c177cb990480fb8b93c9257ccc5dfcaad. + +2015-07-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * : commit d63c088edd15f20318b396f2298744cbf9e1a392 Author: Daniel + Kahn Gillmor <dkg@fifthhorseman.net> Date: Thu Jul 2 14:28:32 2015 + -0400 + +2015-07-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c: DSA: the numeric number of bits returned from + public key should depend on P not Y That allows to do the proper evaluation to check certificate + strength. Reported by Hubert Kario. + +2015-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/dsa/Makefile.am, tests/dsa/dsa-pubkey-1018.pem, + tests/dsa/testdsa: tests: check whether we print the prime size in + DSA keys + +2015-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/name_constraints.c: name constraints: simplified + gnutls_x509_name_constraints_check_crt() + +2015-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/Makefile.am, tests/cert-tests/name-constraints, + tests/cert-tests/name-constraints-ip.pem: tests: verify that + unsupported name constraints are properly handled + +2015-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/name_constraints.c: name constraints: don't reject + certificates if a CA has the URI or IPADDRESS constraints Don't reject certificates if a CA has the URI or IPADDRESS + constraints, and the end certificate doesn't have an IPaddress name + or a URI set. + +2015-06-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * po/ms.po.in: Sync with TP. 
+ +2015-06-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac: libidn support is disabled by default That is until the issues with libidn get resolves. Relates #10 + +2015-06-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-06-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/atfork.c: tests: added a test for the + fork detection interface + +2015-06-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/resume-dtls.c: tests: resume-dtls: increased timeouts + +2015-06-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac, lib/atfork.c, lib/atfork.h: Don't use + pthread_atfork(), it is not safe to use with dlopen() http://austingroupbugs.net/view.php?id=851 + +2015-06-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/atfork.c, lib/atfork.h: atfork: added underscore to + gnutls_forkid + +2015-06-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/atfork.c, lib/atfork.h, lib/nettle/rnd-fips.c, + lib/nettle/rnd.c, lib/pkcs11.c: simplified fork detection + +2015-06-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey.c: enhanced header matching code for private keys + to skip unrelated data + +2015-06-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/Makefile.am, tests/cert-tests/privkey-import, + tests/cert-tests/privkey1.pem, tests/cert-tests/privkey2.pem, + tests/cert-tests/privkey3.pem: tests: added private key import + checks + +2015-06-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey.c: gnutls_x509_privkey_import: optimized private + key loading + +2015-06-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey.c: gnutls_x509_privkey_import2: better behavior + when provided with an unencrypted file That is, it will attempt to decode it first as plain file prior to + trying all encrypted options. 
+ +2015-06-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/key-openssl.c: tests: added check to verify that + gnutls_x509_privkey_import2 works for plain keys That is, when a password is provided and the key is non encrypted. + +2015-06-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/key_decode.c, lib/x509/mpi.c: _gnutls_get_asn_mpis() will + release any data on failure Resolves #15 + +2015-06-21 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/cert-tests/aki, tests/cert-tests/certtool, + tests/cert-tests/crq, tests/cert-tests/dane, + tests/cert-tests/email, tests/cert-tests/invalid-sig, + tests/cert-tests/pathlen, tests/cert-tests/pem-decoding, + tests/cert-tests/pkcs7, tests/cert-tests/template-test, + tests/dsa/testdsa, tests/dtls/dtls, tests/dtls/dtls-nb, + tests/ecdsa/ecdsa, tests/key-tests/key-id, tests/key-tests/pkcs8, + tests/nist-pkits/gnutls_test_entry, tests/nist-pkits/pkits_crl, + tests/nist-pkits/pkits_crt, tests/nist-pkits/pkits_pkcs12, + tests/nist-pkits/pkits_smime, tests/nist-pkits/pkits_test, + tests/openpgp-certs/testcerts, tests/openpgp-certs/testselfsigs, + tests/pkcs1-padding/pkcs1-pad, tests/pkcs12-decode/pkcs12, + tests/pkcs8-decode/pkcs8, tests/rfc2253-escape-test, + tests/rsa-md5-collision/rsa-md5-collision, tests/sha2/sha2, + tests/sha2/sha2-dsa, tests/slow/override-ciphers, + tests/slow/test-ciphers, tests/suite/certs/create-chain.sh, + tests/suite/chain, tests/suite/crl-test, tests/suite/eagain, + tests/suite/invalid-cert, tests/suite/testcompat-main-openssl, + tests/suite/testcompat-main-polarssl, + tests/suite/testcompat-openssl, tests/suite/testcompat-polarssl, + tests/suite/testdane, tests/suite/testpkcs11, + tests/suite/testpkcs11.pkcs15, tests/suite/testpkcs11.sc-hsm, + tests/suite/testpkcs11.softhsm, tests/suite/testrandom, + tests/suite/testrng, tests/suite/testsrn, tests/userid/userid: + tests: tab indent + minor style changes 
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/ciphersuite/scan-gnutls.sh: tests: modified + test-ciphersuite-names to work with cpp 5.1.1 + +2015-06-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/test-ciphersuite-names: tests: test-ciphersuite-names: + create any needed dirs + +2015-06-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/Makefile.am, tests/suite/ciphersuite/scan-gnutls.sh, + tests/suite/ciphersuite/test-ciphersuites.sh, + tests/suite/test-ciphersuite-names: tests: moved + test-ciphersuites.sh one level up That simplifies running the script outside make check. + +2015-06-21 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/suite/ciphersuite/scan-gnutls.sh, + tests/suite/ciphersuite/test-ciphers.js, + tests/suite/ciphersuite/test-ciphersuites.sh: tests: suite: + ciphersuite: fixups fix separate builddir issue, without modifying locations, quite + ugly. re-indent using tab. fix shebang. Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-21 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/pkcs1-padding/pkcs1-pad, tests/suite/testcompat-openssl, + tests/suite/testcompat-polarssl: tests: enforce UTC timezone in + datefudge tests Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-21 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/cert-tests/aki, tests/cert-tests/certtool, + tests/cert-tests/crq, tests/cert-tests/dane, + tests/cert-tests/email, tests/cert-tests/invalid-sig, + tests/cert-tests/pathlen, tests/cert-tests/pem-decoding, + tests/cert-tests/pkcs7, tests/cert-tests/template-test, + tests/ecdsa/ecdsa, tests/key-tests/key-id, tests/key-tests/pkcs8, + tests/openpgp-certs/testselfsigs: tests: misc: shell cleanup leftovers minor sync. 
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-21 Alon Bar-Lev <alon.barlev@gmail.com> + + * configure.ac, tests/suite/certs/create-chain.sh, + tests/suite/chain, tests/suite/crl-test, tests/suite/eagain, + tests/suite/invalid-cert, tests/suite/testcompat-common, + tests/suite/testcompat-main-openssl, + tests/suite/testcompat-main-polarssl, + tests/suite/testcompat-openssl, tests/suite/testcompat-polarssl, + tests/suite/testdane, tests/suite/testpkcs11, + tests/suite/testpkcs11.pkcs15, tests/suite/testpkcs11.sc-hsm, + tests/suite/testpkcs11.softhsm, tests/suite/testrandom, + tests/suite/testrng, tests/suite/testsrn: tests: suite: cleanup + shell usage Add quotes for most usages of variables. Added ${} for variables. Cleanup indentation to be consistent with other tests. Fix separate builddir issues. Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-21 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/pkcs1-padding/pkcs1-pad, tests/pkcs12-decode/pkcs12, + tests/pkcs8-decode/pkcs8, tests/rfc2253-escape-test, + tests/rsa-md5-collision/rsa-md5-collision, tests/sha2/sha2, + tests/sha2/sha2-dsa, tests/slow/override-ciphers, + tests/slow/test-ciphers, tests/userid/userid: tests: misc: cleanup + shell usage Add quotes for most usages of variables. Added ${} for variables. Cleanup indentation to be consistent with other tests. 
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am: tests: fixed includes + +2015-06-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_alert.c, lib/gnutls_cert.c, lib/gnutls_errors.c, + lib/gnutls_global.c, lib/gnutls_str.h, lib/x509/ocsp_output.c: move + all gettext definitions in gnutls_str.h + +2015-06-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * cross.mk: cross.mk: updated for 3.4.2 + +2015-06-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_str.h: gnutls_str: include gettext.h when dgettext is + available + +2015-06-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/mini-dtls-fork.c, tests/mini-dtls-mtu.c, + tests/mini-dtls-pthread.c, tests/mini-dtls-record-asym.c, + tests/openpgp-auth.c, tests/openpgp-auth2.c, tests/pkcs12_simple.c, + tests/rsa-encrypt-decrypt.c, tests/utils.c, tests/utils.h, + tests/x509sign-verify.c, tests/x509sign-verify2.c: tests: don't + depend on gnulib That dependency unfortunately causes many portability problems on + platforms where it should have worked out of the box. + +2015-06-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-06-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * devel/perlasm/cpuid-x86.pl, doc/scripts/cleanup-autogen.pl, + doc/scripts/gdoc, doc/scripts/getfuncs-map.pl, + doc/scripts/getfuncs.pl, doc/scripts/sort1.pl, + doc/scripts/sort2.pl, doc/scripts/split-texi.pl, + doc/scripts/split.pl, tests/nist-pkits/build-chain: use the same + shebang for perl + +2015-06-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/certtool: tests: added a verify-chain test case + +2015-06-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/scripts/common.sh: tests: don't quote provider in common.sh That caused testpkcs11 to fail. 
+ +2015-06-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-alignment.c: tests: don't enforce alignment rules for + caller buffers + +2015-06-17 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/cert-tests/aki, tests/cert-tests/certtool, + tests/cert-tests/crq, tests/cert-tests/dane, + tests/cert-tests/email, tests/cert-tests/invalid-sig, + tests/cert-tests/pathlen, tests/cert-tests/pem-decoding, + tests/cert-tests/pkcs7, tests/cert-tests/template-test: tests: + cert-tests: cleanup shell usage Add quotes for most usages of variables. Added ${} for variables. Cleanup trailing spaces. Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * .gitlab-ci.yml: Added gitlab-ci.yml + +2015-06-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/libgnutls.map: reduced the exported functions to the minimum + needed + +2015-06-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_extensions.c: _gnutls_ext_register was made static + +2015-06-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/libgnutls.map: libgnutls.map: use a 3.4 related name for + private functions This eliminates any collisions with functions from 3.3.x + +2015-06-18 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/nist-pkits/build-chain, tests/nist-pkits/gnutls_test_entry, + tests/nist-pkits/pkits, tests/nist-pkits/pkits_crl, + tests/nist-pkits/pkits_crt, tests/nist-pkits/pkits_pkcs12, + tests/nist-pkits/pkits_smime, tests/nist-pkits/pkits_test: tests: + nist-pkits: cleanup shell/perl usage Add quotes for most usages of variables. Added ${} for variables. Consistent indent. 
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am: tests: force link with nettle of mini-alignment + +2015-06-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/oids.c: tests: Check the OID functions + +2015-06-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-06-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms.h, lib/algorithms/ecc.c, lib/algorithms/mac.c, + lib/algorithms/publickey.c, lib/algorithms/sign.c, lib/gnutls_pk.c, + lib/gnutls_priority.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map, lib/x509/common.c, lib/x509/crl.c, + lib/x509/key_decode.c, lib/x509/key_encode.c, lib/x509/mpi.c, + lib/x509/ocsp.c, lib/x509/pkcs7.c, lib/x509/privkey.c, + lib/x509/privkey_pkcs8.c: Exported functions to convert from and to + OIDs + +2015-06-18 Saurav Babu <saurav.babu@samsung.com> + + * src/cli.c: gnutls-cli: Fixed Possible Memory Leak This patch fixes possible memory leak in psk_callback() function, + rawkey is allocated memory by gnutls_malloc() and is not freed when + gnutls_hex_decode() returns with error Signed-off-by: Saurav Babu <saurav.babu@samsung.com> + +2015-06-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/pkcs7.c: pkcs7: corrected write_signer_id() when + GNUTLS_PKCS7_WRITE_SPKI was used + +2015-06-18 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/openpgp-certs/testcerts, tests/openpgp-certs/testselfsigs: + tests: openpgp-certs: cleanup shell usage Add quotes for most usages of variables. Added ${} for variables. Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-18 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/key-tests/key-id, tests/key-tests/pkcs8: tests: key-tests: + cleanup shell usage Add quotes for most usages of variables. Added ${} for variables. 
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-18 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/ecdsa/ecdsa: tests: ecdsa: cleanup shell usage Add quotes for most usages of variables. Added ${} for variables. Cleanup trailing spaces. Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-18 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/dsa/testdsa, tests/scripts/common.sh: tests: dsa: cleanup + shell usage Add quotes for most usages of variables. Added ${} for variables. Cleanup trailing spaces. Removal of unneeded ';'. Minor fix in tests/scripts/common.sh at trap to pass message and + avoid killing. 
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_mbuffers.c: indentation fix + +2015-06-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_int.h: Always align in 16-byte boundary our input to + crypto That allows faster operations in almost all instruction sets. + +2015-06-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/mini-alignment.c: tests: added check for + memory alignment + +2015-06-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/template-test: tests: only run test with long + dates in 64-bit systems + +2015-06-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/template-date.pem, + tests/cert-tests/template-dn.pem, + tests/cert-tests/template-generalized.pem, + tests/cert-tests/template-nc.pem, + tests/cert-tests/template-overflow.pem, + tests/cert-tests/template-overflow2.pem, + tests/cert-tests/template-test, tests/cert-tests/template-test.pem, + tests/cert-tests/template-utf8.pem: tests: regenerate the results in + template-test using UTC times + +2015-06-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c: ensure that gnutls_pubkey_verify_data2 + returns 0 on success + +2015-06-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, lib/x509/pkcs7.c: + Added gnutls_pkcs7_get_signature_count + +2015-06-17 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/suite/Makefile.am: tests: suite: run testpkcs11 if PKCS#11 + is enabled Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-17 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/nist-pkits/gnutls_test_entry, + tests/suite/certs/create-chain.sh: tests: remove bash usage 
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-06-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/Makefile.am, tests/cert-tests/template-date.pem, + tests/cert-tests/template-dn.pem, + tests/cert-tests/template-generalized.pem, + tests/cert-tests/template-generalized.tmpl, + tests/cert-tests/template-nc.pem, + tests/cert-tests/template-overflow.pem, + tests/cert-tests/template-overflow2.pem, + tests/cert-tests/template-test, tests/cert-tests/template-test.pem, + tests/cert-tests/template-utf8.pem: tests: verify that we generate + dates with UTCTime prior to 2050 Also that we generate dates with GeneralizedTime format after 2050. + +2015-06-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/common.c, lib/x509/common.h: When writing the Time ASN.1 + structure follow the RFC5280 recommendations + +2015-06-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/common.c: Set time in PKCS #7 structures properly (in + UTCTime format). + +2015-06-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-06-16 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/cert-tests/pkcs7: tests: cert-tests: pkcs7: support separate + builddir 
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2015-06-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * symbols.last: account new symbols + +2015-06-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am, doc/doc.mk, doc/manpages/Makefile.am: updated + makefiles for the new functions + +2015-06-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/pkcs7.c, lib/x509/x509_ext.c: doc update + +2015-06-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/Makefile.am, lib/x509/pkcs7-output.c, + lib/x509/pkcs7_output.c: use common base for pkcs7 files + +2015-06-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, lib/libgnutls.map: added missing symbol + +2015-06-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: released 3.4.2 + +2015-06-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def, src/certtool.c, tests/cert-tests/pkcs7: + certtool: made explicit the inclusion of time in PKCS #7 signatures + +2015-06-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/common.c, lib/x509/common.h, lib/x509/pkcs7.c: pkcs7: + write the DER encoded time + +2015-06-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: include the signature time in PKCS #7 + signatures + +2015-06-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/pkcs7.c: pkcs7: corrected usage of + GNUTLS_PKCS7_INCLUDE_TIME flag + +2015-06-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/full.p7b.out, tests/cert-tests/single-ca.p7b.out: + tests: minor updates in pkcs7 output checks to match new certtool + +2015-06-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: rely on gnutls_pkcs7_print() even more + +2015-06-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/pkcs7_output.c: pkcs7: print certificates and CRLs in + FULL mode + +2015-06-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-06-16 Nikos Mavrogiannopoulos 
<nmav@redhat.com> + + * src/certtool.c: certtool: use gnutls_pkcs7_print() - partially + +2015-06-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, + lib/x509/Makefile.am, lib/x509/pkcs7.c, lib/x509/pkcs7_output.c: + Added gnutls_pkcs7_print() + +2015-06-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac, m4/hooks.m4: bumped version + +2015-06-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/x509sign-verify2.c: tests: added + signature/verification stress test + +2015-06-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testcompat-main-openssl, + tests/suite/testcompat-main-polarssl: tests: check also individual + ciphers for interoperability + +2015-06-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/fips.c: fips140: better debug messages when verifying MAC + +2015-06-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/tpmtool.c: tpmtool: added newline in error messages + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/int/drbg-aes-self-test.c: fips140: added check for + reseed detection + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/rng-fork.c: tests: check random generator for long outputs + as well + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/fips.c: fips140: when GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS is + setup do not perform integrity tests + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/int/drbg-aes.c: fips140: reset the reseed counter only + on reseed + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/rnd-fips.c: fips140: when reseeding only reseed the + required context not all + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/int/drbg-aes-self-test.c: fips140: added more checks on + the reseed and generate function + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/int/drbg-aes.c, 
lib/nettle/int/drbg-aes.h: fips140: + enforce the max_number_of_bits_per_request + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/full.p7b.out, tests/cert-tests/pkcs7, + tests/cert-tests/single-ca.p7b.out: tests: do not include times in + the PKCS #7 checks as they depend on local timezone + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/pkcs7.c: pkcs7: addressed memory leaks + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/pkcs7-attrs.c: doc update + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/pkcs7-gen.c: tests: Added PKCS #7 + attribute generation check + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/full.p7b.out, tests/cert-tests/single-ca.p7b.out: + tests: updated for new certtool output + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: print signed and unsigned PKCS #7 + attributes + +2015-06-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, lib/pkix.asn, + lib/pkix_asn1_tab.c, lib/x509/Makefile.am, lib/x509/pkcs7-attrs.c, + lib/x509/pkcs7.c, lib/x509/x509_int.h: Added code to parse and set + PKCS #7 attributes + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/pkcs7: tests: added PKCS #7 verification check + with MD5 + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_errors.c, lib/gnutls_pubkey.c, + lib/includes/gnutls/abstract.h, lib/includes/gnutls/gnutls.h.in, + lib/includes/gnutls/x509.h, lib/x509/pkcs7.c, lib/x509/x509.c: use + the same flags in all verification functions + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/pkcs7.c: _decode_pkcs7_signed_data: fixed mem leaks + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/common.h, lib/x509/x509.c, 
lib/x509/x509_int.h: + Initialization of gnutls_x509_dn_t was modified to allow + deinitialization after failure Part2: made gnutls_x509_crt_get_subject() and + gnutls_x509_crt_get_issuer() return a constant value and avoid + leaks. + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am, doc/cha-functions.texi, doc/doc.mk: doc: + Separated the PKCS #7 in manual + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/pkcs7: tests: check PKCS #7 structure signature + generation + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/Makefile.am, tests/cert-tests/p7-combined.out, + tests/cert-tests/pkcs7: tests: check PKCS #7 bundle generation + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-args.def, src/certtool-common.c, + src/certtool-common.h, src/certtool.c: certtool: added + --p7-generate, --p7-sign and --p7-detached-sign + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, + lib/x509/common.c, lib/x509/pkcs7.c: Added gnutls_pkcs7_sign() + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, lib/x509/pkcs7.c: + Added gnutls_pkcs7_get_crl_raw2 + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c: certtool: print the signing time when available + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/pkcs7.h, lib/x509/common.c, lib/x509/pkcs7.c: + pkcs7 verification: parse the signing time + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/pkcs7.c: on PKCS #7 verification check the the content + type matches the signed data + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c: certtool: print more info about the PKCS #7 struct + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * 
src/certtool-args.def, src/certtool-common.c, src/certtool.c: + certtool: allow verification against a direct PKCS #7 signer + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/Makefile.am, tests/cert-tests/pkcs7, + tests/cert-tests/pkcs7-detached.txt: tests: added checks with PKCS + #7 detached data + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/pkcs7.c: pkcs7 verification: return + GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when no encapsulated data + exist + +2015-06-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-args.def, src/certtool-common.h, src/certtool.c: + certtool: allow verifying PKCS #7 with detached data + +2015-06-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-args.def, src/certtool.c: certtool: improved PKCS #7 + verification output + +2015-06-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/pkcs7: tests: check the key purpose in PKCS #7 + verification + +2015-06-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/Makefile.am, tests/cert-tests/full.p7b.out, + tests/cert-tests/pkcs7: tests: added PKCS #7 test with more than 1 + certs + +2015-06-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def, src/certtool-common.h, src/certtool.c: + certtool: allow verification of PKCS #7 structures + +2015-06-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/x509.h, lib/x509/common.h, lib/x509/dn.c, + lib/x509/x509.c: Initialization of gnutls_x509_dn_t was modified to + allow deinitialization after failure + +2015-06-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/Makefile.am, lib/includes/gnutls/pkcs7.h, + lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/pkix.asn, + lib/pkix_asn1_tab.c, lib/x509/dn.c, lib/x509/pkcs7.c: Added PKCS #7 + signature(s) verification + +2015-06-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c, + 
lib/x509/verify-high.c: Added + gnutls_pkcs11_get_raw_issuer_by_subject_key_id and + gnutls_x509_trust_list_get_issuer_by_subject_key_id + +2015-06-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/dn.c: tests: added check for gnutls_x509_dn_get_str + +2015-06-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/libgnutls.map, lib/x509/x509.c: added gnutls_x509_dn_get_str + +2015-06-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_privkey.c: doc update + +2015-06-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/compat.h, lib/includes/gnutls/x509.h, + lib/x509/privkey.c, lib/x509/x509.c: Added + gnutls_x509_crt_verify_data2() and kept gnutls_privkey_sign_data() + +2015-06-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkix.asn, lib/pkix_asn1_tab.c, lib/x509/pkcs7.c: verify PKCS + #7 signed data + +2015-05-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/pkcs7.c, lib/x509/x509_int.h: updated PKCS #7 code to + cache signed_data + +2015-06-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c: When manual PKCS #11 configuration is requested + don't initialize other providers + +2015-05-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c: certtool: deinitialize PKCS #7 resources + +2015-05-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/Makefile.am, tests/cert-tests/pkcs7, + tests/cert-tests/single-ca.p7b.out: tests: Added tests for PKCS7 + cert extraction + +2015-05-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * gl/m4/codeset.m4, gl/m4/extern-inline.m4, gl/m4/gettext.m4, + gl/m4/iconv.m4, gl/m4/intl.m4, gl/m4/intldir.m4, + gl/m4/intlmacosx.m4, gl/m4/lcmessage.m4, gl/m4/manywarnings.m4, + gl/m4/nls.m4, gl/m4/po.m4, gl/m4/stdio_h.m4, gl/stddef.in.h, + gl/string.in.h, gl/tests/inttypes.in.h, gl/tests/test-read-file.c, + gl/tests/test-stddef.c, src/gl/error.h, src/gl/fseeko.c, + src/gl/m4/extern-inline.m4, src/gl/m4/stdio_h.m4, + src/gl/stddef.in.h, 
src/gl/string.in.h, src/gl/xalloc.h: Revert + "updated gnulib" This reverts commit c040ce6dd05b48b971d8dcc8fc8f23957ed15f9c. + +2015-05-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac: silence format-signness warnings in gcc5 + +2015-05-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * gl/m4/codeset.m4, gl/m4/extern-inline.m4, gl/m4/gettext.m4, + gl/m4/iconv.m4, gl/m4/intl.m4, gl/m4/intldir.m4, + gl/m4/intlmacosx.m4, gl/m4/lcmessage.m4, gl/m4/manywarnings.m4, + gl/m4/nls.m4, gl/m4/po.m4, gl/m4/stdio_h.m4, gl/stddef.in.h, + gl/string.in.h, gl/tests/inttypes.in.h, gl/tests/test-read-file.c, + gl/tests/test-stddef.c, src/gl/error.h, src/gl/fseeko.c, + src/gl/m4/extern-inline.m4, src/gl/m4/stdio_h.m4, + src/gl/stddef.in.h, src/gl/string.in.h, src/gl/xalloc.h: updated + gnulib + +2015-05-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/ocsp_output.c: Check the OID size for match when + comparing for the OCSP nonce extension Reported by Hanno Böck. + +2015-05-23 Armin Burgmeier <armin@arbur.net> + + * lib/gnutls_ui.c: gnutls_dh_get_prime_bits: return 0 if DH is not + used Before, the number of bits of a zero-length number was attempted to + be extracted, resulting in an error. The changed behaviour is + consistent with the documentation which explicitly states that 0 + should be returned if no DH key exchange was performed. 
+ +2015-05-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_ui.c: gnutls_dh_get_group: mention that the values may + include a leading zero + +2015-05-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_ui.c: gnutls_dh_set_prime_bits: warn when overriding + the DH max prime size with 1007 bits or less + +2015-05-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/verify-tofu.c: cleanup unused variable + +2015-05-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/verify-tofu.c: corrected allocation check + +2015-05-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: removed useless check + +2015-05-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c: document intentional fallthrough in switch + +2015-05-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/ecc.c: ecc ext: check return code of + _gnutls_buffer_append_data + +2015-05-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/no-signal.c: tests: enhance the no-signal check to include + proper data sending + +2015-05-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-05-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/no-signal.c: tests: check the operation + of GNUTLS_NO_SIGNAL + +2015-05-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in, + lib/system.c, lib/system.h: Allow the usage of MSG_NOSIGNAL in send + functions That introduces the GNUTLS_NO_SIGNAL flag for gnutls_init(), which + is available in systems that support the MSG_NOSIGNAL flag to + send(). That eases the usage of the library within other libraries. 
+ Resolves #11 + +2015-05-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/x86/aes-gcm-x86-pclmul.c, + lib/accelerated/x86/hmac-padlock.c: include nettle/memxor when + needed + +2015-05-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/serv.c: gnutls-serv: send alert when wrong data have been + received from client + +2015-05-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-05-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/cipher.c: camellia256-gcm: corrected regression Reported by Manuel Pegourie-Gonnard. + +2015-05-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_x509.c: doc update + +2015-05-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-bib.texi, doc/cha-cert-auth.texi, doc/latex/gnutls.bib: + doc: added section about subject alternative names + +2015-05-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_dtls.c, lib/gnutls_dtls.h, lib/gnutls_handshake.c, + lib/gnutls_int.h: handshake_start_time was moved out of the + DTLS-specific variables + +2015-05-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_handshake.c: apply default timeout for DTLS in + gnutls_handshake_set_timeout + +2015-05-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/hostname-check.c: tests: do not perform internationalized + name checks without libidn + +2015-05-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/sign-md5-rep.c: tests: updated sign-md5-rep to reduce false + failures + +2015-05-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-loss-time.c: tests: eliminate mem leaks in + mini-loss-time + +2015-05-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testdane: tests: testdane: remove dane.nox.su from the + list of known to be good hosts + +2015-05-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-05-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-loss-time.c: tests: mini-loss-time enhanced to 
check + proper timeouts in both client and server + +2015-05-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_dtls.c, lib/gnutls_dtls.h, lib/gnutls_int.h, + lib/gnutls_state.c: dtls: combined the total timeouts of DTLS and + TLS handshake That also makes the waits for packets more robust against blocking. + +2015-05-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/compat.h: define + GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA + +2015-05-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-tokens.texi: doc: updated text to account for pkcs11-url + standardization + +2015-05-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-dtls-mtu.c: tests: mini-dtls-mtu: compile in windows + +2015-05-04 Jaak Ristioja <jaak.ristioja@cyber.ee> + + * doc/cha-intro-tls.texi: doc: Fixed typo in heartbeat + documentation. + +2015-05-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * cross.mk: cross.mk: updated for 3.4.1 + +2015-05-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * devel/abi3.4.xml: updated abi base for 3.4 + +2015-05-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: NEWS: updated + +2015-05-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, configure.ac, m4/hooks.m4: released 3.4.1 + +2015-04-30 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_dtls.c: doc: updated gnutls_dtls_set_timeouts + +2015-04-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/examples/ex-client-dtls.c: doc: fixed example with DTLS + timeouts + +2015-04-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: use + macro for DTLS default timeout + +2015-04-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_handshake.c: gnutls_handshake_set_timeout will properly + work with DTLS + +2015-04-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-04-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_handshake.c, 
lib/gnutls_record.c: document the need for + gnutls_transport_set_pull_timeout_function + +2015-04-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: doc: updated async operation text + +2015-04-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_handshake.c, lib/gnutls_state.c: disable default + handshake timeout It caused issues with non-blocking TLS clients and servers which may + not want to block while the pull timeout function waits. + +2015-04-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/mini-tls-nonblock.c: tests: added check + to verify that pull timeout is not called on non-blocking sessions + +2015-04-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_dtls.c, lib/gnutls_dtls.h, lib/gnutls_handshake.c, + lib/gnutls_int.h, lib/gnutls_record.c, lib/gnutls_state.c, + lib/includes/gnutls/gnutls.h.in, lib/system_override.c: + GNUTLS_NONBLOCK can be used for non-DTLS sessions as well + +2015-04-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/system_override.c: doc update + +2015-04-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms/ciphersuites.c: doc update + +2015-04-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/keygen.c, tests/slow/Makefile.am, + tests/slow/keygen.c: tests: key generation test was moved to main + checks This will allow to catch memory leaks with valgrind. + +2015-04-28 Jan Vcelak <jan.vcelak@nic.cz> + + * lib/nettle/pk.c: fix memory leak in ECDSA key parameters + verification 
Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz> + +2015-04-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h: updated + minitasn1 + +2015-04-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-04-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/name_constraints.c, tests/name-constraints.c: Handle DNS + name constraints with leading dot Patch by Fotis Loukos. Resolves 3 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> + +2015-04-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-upgrade.texi: doc update + +2015-04-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: updated text for gnutls_pkcs11_init + +2015-04-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-tokens.texi: updated pkcs11 loading documentation + +2015-04-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-etm.c: tests: mini-etm: use TLS as the transport layer + +2015-04-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/sign-md5-rep.c: tests: added comment for sign-md5-rep + +2015-04-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitignore: more files to ignore + +2015-04-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * po/fr.po.in: Sync with TP. + +2015-04-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-04-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/sign-md5-rep.c: tests: added reproducer + for the MD5 acceptance issue Reported by Karthikeyan Bhargavan. 
+ + http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.html + +2015-04-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/ext/signature.c: before falling back to SHA1 as signature + algorithm in TLS 1.2 check if it is enabled + +2015-04-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/ext/signature.c: _gnutls_session_sign_algo_enabled: do not + consider any values from the extension data to decide acceptable + algorithms + +2015-04-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-04-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-x509-cert-callback.c: tests: added unit tests for + gnutls_certificate_client_get_request_status + +2015-04-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/auth/cert.c: set the value used by + gnutls_certificate_client_get_request_status prior to selecting + certificate That allows gnutls_certificate_client_get_request_status() to be + properly operating from the callback. Reported by Anton Lavrentiev. 
+ +2015-04-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_cert.c: updated doc for retrieve function + +2015-04-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-bib.texi, doc/latex/gnutls.bib: updated PKCS #11 URL + references to rfc7512 + +2015-04-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_cert.c: doc update + +2015-04-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/x509self.c: tests: added check for gnutls_credentials_get + +2015-04-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_auth.c, lib/gnutls_cert.c: doc update + +2015-04-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_cert.c: fixed doc: reported by Anton Lavrentiev + +2015-04-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-upgrade.texi: doc: corrected typo + +2015-04-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/resume-dtls.c: tests: resume-dtls: remove global variables + +2015-04-21 Andreas Metzler <ametzler@bebt.de> + + * doc/cha-gtls-app.texi: List all certificate type priority strings. 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> + +2015-04-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/auth/rsa.c: tls-rsa: keep a common code path when doing RSA + decryption Suggested by Nimrod Aviram. + +2015-04-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-dtls-rehandshake.c, tests/mini-handshake-timeout.c, + tests/mini-key-material.c, tests/mini-loss-time.c, + tests/mini-record-retvals.c, tests/mini-rehandshake-2.c: tests: + initialize status where needed + +2015-04-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/openpgp-auth2.c: tests: cleanup openpgp-auth2 + +2015-04-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-dtls-rehandshake.c: tests: cleanup + mini-dtls-rehandshake + +2015-04-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/resume-dtls.c, tests/resume.c: tests: resume: check for + signals + +2015-04-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-04-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-04-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/certificate_set_x509_crl.c, tests/mini-record-range.c, + tests/mini-x509-callbacks.c, tests/openpgp-auth2.c, + tests/record-sizes-range.c, tests/resume.c: tests: reduced compiler + warnings + +2015-04-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-x509.c: tests: verify the return value of + gnutls_certificate_get_ours when no cert is sent + +2015-04-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/resume-dtls.c, tests/resume.c: tests: close unused file + descriptors in resume checks + +2015-04-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac, src/Makefile.am: libopts: fixed the reading of the + --enable-local-libopts flag + +2015-04-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli.c, src/common.c, src/common.h: gnutls-cli: when no + certificate is sent, notify the user + +2015-04-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * 
tests/Makefile.am, tests/mini-x509-cert-callback.c: tests: added + check with X.509 certificates and callbacks That corresponds to functionality checked in openpgp-callback.c + +2015-04-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/openpgp-callback.c: tests: added check for + gnutls_certificate_get_ours() when used in combination with + callbacks + +2015-04-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/x509dn.c: tests: improved x509dn check + +2015-04-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_ui.c: gnutls_certificate_get_ours: will return the + certificate even if a callback was used This corrects a bug where this function would not work, when + gnutls_certificate_set_retrieve_function2() was used. + +2015-04-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-args.def: gnutls-cli: when a certificate is specified + require the corresponding private key + +2015-04-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/x509.c: ensure that the X.509 version number is one byte + only + +2015-04-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/x509.c: Check for invalid length in the X.509 version + field If such an invalid length is detected, reject the certificate. + Reported by Hanno Böck. + +2015-04-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/ocsp.c: ocsp: initialize certs to NULL + +2015-04-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/serv.c: gnutls-serv: print when the peer's certificate is not + verified + +2015-04-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * po/fr.po.in: Sync with TP. + +2015-04-18 Tim Kosse <tim.kosse@filezilla-project.org> + + * lib/system-keys-win.c: ncrypt.h lacks some defines with some + versions of MinGW. 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> + +2015-04-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated + auto-generated files + +2015-04-18 Tim Kosse <tim.kosse@filezilla-project.org> + + * lib/system-keys-win.c: Fix a preprocessor warning about mismatched + quotes. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> + +2015-04-18 Tim Kosse <tim.kosse@filezilla-project.org> + + * lib/system-keys-win.c: Set _WIN32_WINNT to 0x600, at least with + some MinGW versions ncrypt.h checks this define to be at least + 0x600. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> + +2015-04-18 Tim Kosse <tim.kosse@filezilla-project.org> + + * lib/gnutls_supplemental.c: Fix include order, include gnutls_int.h + before gnutls.h, otherwise undefined external references to + gnutls_free and gnutls_strdup are the result when statically linking + against GnuTLS built by MinGW. 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> + +2015-04-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/benchmark-cipher.c: gnutls-cli: removed CCM from the ciphers + tested with the old API That prevents a crash of the benchmark. Reported by James Cloos. + +2015-04-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_cipher_int.c: refuse to use the old cipher API with + AEAD-only ciphers + +2015-04-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-termination.c, tests/resume-dtls.c, tests/resume.c: + tests: ignore sigpipe in resume and termination tests + +2015-04-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-internals.texi: doc: added error check in example + +2015-04-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-internals.texi: doc update + +2015-04-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-internals.texi: doc: removed stray @end + +2015-04-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_pubkey.c: doc update + +2015-04-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, lib/x509/x509.c: doc update + +2015-04-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/output.c: x509: when printing the keyid of a certificate + use the curve name for randomart + +2015-04-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/x509.c: gnutls_x509_crt_get_pk_* are based on + gnutls_pubkey_export_* + +2015-04-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_pubkey.c: gnutls_pubkey_export_* are tolerable in null + input + +2015-04-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_pubkey.c, lib/includes/gnutls/x509.h, + lib/libgnutls.map, lib/x509/x509.c: Added + gnutls_x509_crt_get_pk_ecc_raw() + +2015-04-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/extras/randomart.c: randomart: corrected usage of snprintf + +2015-04-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c: certtool: when generating an ECDSA key use the 
+ curve name in random art + +2015-04-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/extras/randomart.c: randomart: only print key size if it is + non-zero + +2015-04-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * cross.mk: cross.mk: updated for 3.4.0 + +2015-04-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/utils.c: Remove SOCK_CLOEXEC from socket() call. That allows compilation in systems where this flag doesn't exist. + Resolves #7 + +2015-04-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-gtls-app.texi: document the recommended re-handshake + process + +2015-04-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/manpages/Makefile.am: remove duplicate entries from manpages + Makefile + +2015-04-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-04-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/certtool: tests: enhanced cert tests with SHA256 + key IDs + +2015-04-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: modified to allow different key ID + algorithms + +2015-04-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c, lib/includes/gnutls/x509.h, + lib/x509/common.h, lib/x509/crq.c, lib/x509/privkey.c, + lib/x509/x509.c: Added flags which modify the algorithm used for key + ID calculation + +2015-04-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def: doc update + +2015-04-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_record.c: doc update + +2015-04-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_record.c: gnutls_record_discard_queued() is both for + TLS and DTLS + +2015-04-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-internals.texi: document the new crypto register functions + +2015-04-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-args.def: doc update + +2015-04-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-tokens.texi: doc: avoid spaces in 
showfunc + +2015-04-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/slow/Makefile.am: tests: added files into dist + +2015-04-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * m4/hooks.m4: configure: ask for nettle 3.1 + +2015-04-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: released 3.4.0 + +2015-04-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-args.def: gnutls-cli: document the method to override the + detected ciphers + +2015-04-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/accelerated/x86/aes-ccm-x86-aesni.c: fixed AESNI CCM + encryption + +2015-04-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/accelerated/x86/aes-ccm-x86-aesni.c: cleanups in CCM-aesni + +2015-04-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testcompat-main-polarssl: tests: test CCM-8 against + polarssl + +2015-04-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: test + for AES-CCM + +2015-04-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * README.md: doc: added 'git submodule update' to clone steps + +2015-04-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, doc/announce.txt: doc update + +2015-04-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/announce.txt: doc update + +2015-04-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/crypto-backend.c: removed unused functions + +2015-04-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-backend.c, lib/gnutls_cipher_int.c: extend the fallback + to setkey in addition to init + +2015-04-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-backend.c: doc update + +2015-04-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/slow/Makefile.am, tests/slow/cipher-override2.c, + tests/slow/override-ciphers: tests: verify the behavior of + GNUTLS_E_NEED_FALLBACK + +2015-04-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-backend.c, lib/gnutls_cipher_int.c, + 
lib/includes/gnutls/gnutls.h.in: introduced GNUTLS_E_NEED_FALLBACK + to allow falling back from registered ciphers That allows a registered cipher to indicate that it cannot operate (e.g., due to memory constraints, or internal limits), and gnutls + should proceed with the default algorithms. + +2015-04-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms/ciphersuites.c: ciphersuites: moved CCM + ciphersuites in the appropriate ifdefs + +2015-04-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/ciphersuite/test-ciphers.js: tests: ciphersuite test + will ignore the invalid names of TLS_DHE_PSK_WITH_AES_128_CCM_8 That is because the names in rfc6655 are for some reason different + than the expected. + +2015-04-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-intro-tls.texi: document CCM and CCM-8 + +2015-04-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-04-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-record-2.c, tests/mini-record-failure.c, + tests/mini-record.c: tests: added CCM and CCM_8 into ciphersuite + tests + +2015-04-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/x86/aes-ccm-x86-aesni.c, + lib/accelerated/x86/x86-common.c, lib/algorithms/ciphers.c, + lib/algorithms/ciphersuites.c, lib/includes/gnutls/gnutls.h.in, + lib/nettle/cipher.c: Added CCM-8 ciphersuites + +2015-04-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/announce.txt: updated announce text + +2015-04-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * symbols.last: symbols: added the new supplemental functions + +2015-04-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-upgrade.texi: doc update + +2015-04-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/template-test: tests: delay tests that depend on + timing when they fail That often prevents failures on busy systems. 
+ +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/nettle/cipher.c: don't enforce iv_size > block_size; it is no + longer true for all ciphers + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_cipher.c: simplified calc_enc_length_stream + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-supplementaldata.c: tests: updated supplemental API + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_extensions.c: gnutls_ext_register will fail on double + registration + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in: + gnutls_supplemental_register will fail on double registration + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, symbols.last: symbols: added new exported functions + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am, doc/manpages/Makefile.am, + doc/scripts/getfuncs-map.pl: doc: updated makefiles to include new + functions + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/libgnutls.map: libgnutls.map: remove + gnutls_record_set_max_empty_records + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/libgnutls.map: account for the renamed + gnutls_supplemental_recv/send + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-internals.texi: document the export supplemental data API + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in: + gnutls_do_recv/send_supplemental -> gnutls_supplemental_recv/send Also added the gnutls_ prefix to new types. 
+ +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in: Added + documentation for gnutls_do_send/recv_supplemental + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/crypto-api.c, lib/gnutls_mem.c, lib/gnutls_privkey.c, + lib/gnutls_pubkey.c, lib/includes/gnutls/abstract.h, + lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c, + lib/pkcs11_write.c, lib/safe-memfuncs.c, lib/tpm.c: doc updates + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-shared-key.texi, lib/auth/srp_sb64.c, + lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/pkcs11.c, + lib/tpm.c, lib/x509_b64.c: the base64 xxx_alloc functions were + renamed to xxx2 That brings them in par with the rest of the allocation functions. + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-common.h, src/p11tool-args.def, src/p11tool.c, + src/pkcs11.c: p11tool: use the key usage flags to set PKCS #11 + properties + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_int.h, + lib/pkcs11_privkey.c, lib/pkcs11_write.c: pkcs11: use key_usage to + set the appropriate flags + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in: + cleanups in supplemental data support + +2015-04-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/auth/dh_common.c: DH: do not warn on zero q_bits + +2015-04-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: NEWS: rearrange entries + +2015-04-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-common.c: certtool: certtool --generate-dh-params + will account for --outder Resolves #5 + +2015-04-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms/ciphersuites.c: chacha20-poly1305: ciphersuite + numbers correspond to the latest draft + +2015-04-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: p11tool: 
improved output message + +2015-04-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: removed unecessary warning + +2015-04-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-tokens.texi, lib/includes/gnutls/abstract.h, + lib/includes/gnutls/compat.h: doc update: account for new functions + +2015-04-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: p11tool: better output text + +2015-04-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h: pkcs11: added + GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PUBKEY Also enforce the expected flags despite any given flags in the URL. + +2015-04-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + p11tool: added the --test-sign parameter That allows to check an existing key for signing/verification. + +2015-04-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_privkey.c, lib/gnutls_pubkey.c, + lib/includes/gnutls/abstract.h, lib/libgnutls.map: + gnutls_priv/pubkey_import_url replace: + gnutls_privkey_import_pkcs11_url and gnutls_pubkey_import_pkcs11_url + +2015-04-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: corrected import of pubkey in DER format + +2015-04-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/mini-etm.c: tests: added check for EtM + negotiation + +2015-04-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms.h, lib/algorithms/ciphers.c, lib/ext/etm.c, + lib/gnutls_int.h, lib/gnutls_priority.c: only send EtM extension if + we have CBC ciphersuites + +2015-04-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-upgrade.texi: mention gnutls_privkey_sign_raw_data in + upgrade section + +2015-04-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_privkey.c, lib/includes/gnutls/compat.h, + lib/libgnutls.map: gnutls_privkey_sign_raw_data: converted to macro + over 
gnutls_privkey_sign_hash + +2015-04-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/x509sign-verify.c: tests: added check for the legacy + gnutls_privkey_sign_raw_data + +2015-03-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-selftests.c: avoid compilation warnings in self checks + (take 2) + +2015-03-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-selftests.c: Revert "selftests: avoid compilatio + warnings" This reverts commit 196477d68f32b30d0de8e203a5c1c405af429603. + +2015-03-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-03-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testpkcs11: tests: check whether PKCS #11 ID set on + copy/generation is correct + +2015-03-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + p11tool: allow setting the CKA_ID on object + initialization/generation + +2015-03-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/libgnutls.map: exported new functions + +2015-03-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11: + enhanced key generation functions to allow specifying a CKA_ID + +2015-03-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-selftests.c: selftests: avoid compilatio warnings + +2015-03-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_write.c: enhanced copy + functions to allow specifying a CKA_ID + +2015-03-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-server-name.c: tests: mini-server-name: ignore sigpipe + +2015-03-30 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suppressions.valgrind: tests: added more libidn-related + valgrind suppressions + +2015-03-30 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/texinfo.css: doc: increase border spacing in HTML tables + +2015-03-30 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * 
doc/cha-intro-tls.texi: doc: list chacha20-poly1305 to the list of + ciphers + +2015-03-30 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-03-30 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/manpages/Makefile.am: manpages: automatically adjust the + copyright year on generated pages + +2015-03-30 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/mini-server-name.c: tests: added check + for gnutls_server_name_get and gnutls_server_name_set + +2015-03-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/ciphersuite/test-ciphers.js: test-ciphers.js: improved + ciphersuite checks + +2015-03-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms/ciphersuites.c: corrected + GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305 + +2015-03-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/ciphersuite/scan-gnutls.sh: updated + test-ciphersuite.sh for new types + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/x509_ext.c: Better fix for the double free in dist point + parsing + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h: updated + minitasn1 + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey: increase size + for attributes + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms/ciphersuites.c: moved chacha20-poly1305 + ciphersuites to the 0xCD space + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/crypto-api.c: doc update: replace cryptographic algorithm by + encryption algorithm + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_datum.c, lib/gnutls_datum.h, lib/x509/gnutls-idna.c, + lib/x509/x509_ext.c: gnutls_subject_alt_names_set and + gnutls_x509_aki_set_cert_issuer will set null-terminated strings + +2015-03-27 
Jiří Klimeš <jklimes@redhat.com> + + * lib/crypto-api.c: doc: be consistent in the function descriptions Signed-off-by: Jiří Klimeš <jklimes@redhat.com> + +2015-03-27 Jiří Klimeš <jklimes@redhat.com> + + * lib/crypto-api.c: doc: correct the description of crypto API + functions Signed-off-by: Jiří Klimeš <jklimes@redhat.com> + +2015-03-27 Jiří Klimeš <jklimes@redhat.com> + + * doc/examples/ex-client-x509.c, lib/ext/server_name.c, + lib/x509/output.c: Fix a few compiler warnings about unused + variables [-Wunused-variable] 
Signed-off-by: Jiří Klimeš <jklimes@redhat.com> + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_cipher.c: fixed CHACHA20-POLY1305 in DTLS + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/benchmark-cipher.c, src/benchmark-tls.c: gnutls-cli: added + chacha-poly1305 into benchmarks + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_dtls.c: when calculating record overhead account for + chacha20 which doesn't send the nonce on the wire + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-record-2.c, tests/mini-record.c: tests: include + chacha20 into transfer tests + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms.h, lib/algorithms/ciphersuites.c, + lib/gnutls_cipher.c, lib/gnutls_constate.c, lib/gnutls_int.h: Added + the CHACHA20-POLY1305 ciphersuites (with random IDs) + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms/ciphers.c, lib/crypto-selftests.c, + lib/includes/gnutls/gnutls.h.in, lib/nettle/cipher.c: added + chacha20-poly1305 as cipher + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-record-retvals.c: tests: check retvals in block ciphers + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_int.h: do not penalize CBC ciphers with the maximum + send data size That reduced the maximum send size for CBC ciphers from 16384 to + 16384-(block size), which was unnecessary and was causing issues: + https://bugs.winehq.org/show_bug.cgi?id=37500 + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-03-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_int.h, lib/gnutls_priority.c, lib/gnutls_record.c, + lib/includes/gnutls/gnutls.h.in: + gnutls_record_set_max_empty_records: removed + +2015-03-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/x509_ext.c: eliminated double-free in the parsing of dist + points Reported by Robert Święcki. 
+ +2015-03-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_buffers.c: Added a tight loop around the legacy push + function That reduces the need for more expensive outer loops. Originally + suggested by Anton Lavrentiev. + +2015-03-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/gl/Makefile.am, src/gl/fseeko.c, src/gl/m4/dup2.m4, + src/gl/m4/printf.m4, src/gl/m4/stdio_h.m4, src/gl/m4/time_h.m4, + src/gl/signal.in.h, src/gl/stdio-impl.h, src/gl/stdio.in.h, + src/gl/time.in.h, src/gl/vasnprintf.c, src/gl/xalloc.h: updated + gnulib + +2015-03-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool-args.def: p11tool: more precise documentation of + --set-id parameter + +2015-03-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * m4/hooks.m4: depend on nettle 3.1 or later + +2015-03-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/email: tests: updated email check for renamed + --verify-email option + +2015-03-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: increased + the size of ck_attributes + +2015-03-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: pkcs11: check gnutls_rnd() for error + condition + +2015-03-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: set a + CKA_ID on key generation + +2015-03-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool.c: p11tool: reduced debugging output + +2015-03-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-03-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def, src/certtool.c: certtool: --purpose, + --hostname were renamed to --verify-purpose, --verify-hostname + +2015-03-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool-args.def, src/p11tool.c: p11tool: added --mark-no-sign + and --mark-no-decrypt options + +2015-03-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * 
lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c, + lib/pkcs11_write.c: pkcs11: added flags to mark keys as not-being + signable or decryptable That adds GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT and + GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN which can be set during + generation or write of keys. + +2015-03-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_write.c: pkcs11: set the CKA_SIGN and CKA_DECRYPT flags + when writing a private key + +2015-03-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/resume-dtls.c: tests: cleanups in resume-dtls + +2015-03-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/server_name.c: ext: server_name: move name length check + prior to IDN convertion + +2015-03-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/server_name.c: When an application calls + gnutls_server_name_set() with a name of zero size disable the + extension Resolves #2 + +2015-03-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/hostname-verify.c: gnutls_x509_crt_check_hostname2: check + CN for match only if certificate would have been acceptable for + GNUTLS_KP_TLS_WWW_SERVER + +2015-03-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/name_constraints.c: Apply DNS name constraints on CN + field only on certificates acceptable for TLS WWW SERVER purpose Suggested by Fotis Loukos. 
+ +2015-03-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-loss-time.c: tests: mini-loss-time is less prone to + timeouts + +2015-03-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/suppressions.valgrind: tests: added valgrind + suppressions in cert-tests for libidn + +2015-03-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: eliminated memory leaks on verification + +2015-03-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-03-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/Makefile.am, tests/cert-tests/email, + tests/cert-tests/email-certs/chain.exclude.test.example.com, + tests/cert-tests/email-certs/chain.invalid.example.com, + tests/cert-tests/email-certs/chain.test.example.com, + tests/cert-tests/email-certs/chain.test.example.com-2: tests: Added + email verification tests with certtool + +2015-03-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def, src/certtool.c: certtool: added the --email + option, to use in verification + +2015-03-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-03-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_cert.c, lib/includes/gnutls/gnutls.h.in, + lib/includes/gnutls/openpgp.h, lib/includes/gnutls/x509.h, + lib/libgnutls.map, lib/openpgp/compat.c, + lib/openpgp/gnutls_openpgp.h, lib/openpgp/pgp.c, + lib/x509/Makefile.am, lib/x509/email-verify.c, + lib/x509/verify-high.c: Added gnutls_x509_crt_check_email(), + gnutls_openpgp_crt_check_email() and GNUTLS_DT_RFC822NAME + +2015-03-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/test-chains.h: tests: verify that we accept a certificate + with no name even if its CA has nameconstraints + +2015-03-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/name_constraints.c: name constraints: when no name of the + type is found, accept the certificate This follows RFC5280 advice closely. Reported by Fotis Loukos. 
+ +2015-03-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/resume-dtls.c: tests: increase the timeout in resume-dtls + +2015-03-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: gnutls_pkcs11_obj_export3: allow operation when + raw.data is NULL and we have a public key + +2015-03-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: pkcs11: simplified export of objects That also allows to export public keys, even when a CKA_VALUE with + the public key is not present. For that we use the key parameters, + which we encode into a key. Issue reported by Frank Leavis. + +2015-03-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * GNUmakefile, build-aux/config.rpath, build-aux/gendocs.sh, + build-aux/pmccabe2html, build-aux/snippet/arg-nonnull.h, + build-aux/snippet/c++defs.h, build-aux/snippet/warn-on-use.h, + build-aux/useless-if-before-free, build-aux/vc-list-files, + doc/gendocs_template, gl/Makefile.am, gl/m4/gnulib-cache.m4, + gl/m4/gnulib-comp.m4, gl/m4/ld-version-script.m4, gl/m4/printf.m4, + gl/m4/stdio_h.m4, gl/m4/time_h.m4, gl/m4/ungetc.m4, + gl/stdio-impl.h, gl/stdio.in.h, gl/tests/Makefile.am, + gl/tests/init.sh, gl/tests/test-u64.c, gl/time.in.h, gl/u64.c, + gl/u64.h, gl/vasnprintf.c, maint.mk: gnulib: removed u64 module + +2015-03-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/x86/aes-gcm-x86-pclmul.c, lib/gnutls_int.h: drop + support for gnulib's u64 + +2015-03-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testcompat-main-openssl: tests: check legacy RC4 in + testcompat That would prevent losing compatibility without detecting it. That + is currently the case since it is no longer enabled by default. 
+ +2015-03-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/mini-record-retvals.c: tests: added check + to verify the correctness of the record function return values + +2015-03-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/common.c, src/crywrap/crywrap.c, src/tests.c: tools: enable + compilation with all options disabled + +2015-03-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_auth.c, lib/gnutls_ui.c: enable compilation with + several options disabled + +2015-03-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-03-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_auth.c, lib/gnutls_state.c, lib/pkcs11.c, + lib/pkcs11_privkey.c, lib/x509/crq.c, lib/x509/pkcs7.c: doc: avoid + mentioning pointers when not needed + +2015-03-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac: increase the maximum stack frame the compiler will + warn for + +2015-03-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms/ciphersuites.c, lib/crypto-api.c, lib/ext/alpn.c, + lib/ext/etm.c, lib/ext/ext_master_secret.c, lib/ext/heartbeat.c, + lib/ext/max_record.c, lib/ext/safe_renegotiation.c, + lib/ext/server_name.c, lib/ext/session_ticket.c, + lib/ext/signature.c, lib/ext/srtp.c, lib/ext/status_request.c, + lib/gnutls_alert.c, lib/gnutls_anon_cred.c, lib/gnutls_auth.c, + lib/gnutls_buffers.c, lib/gnutls_cert.c, lib/gnutls_db.c, + lib/gnutls_dh.c, lib/gnutls_dtls.c, lib/gnutls_handshake.c, + lib/gnutls_pcert.c, lib/gnutls_priority.c, lib/gnutls_privkey.c, + lib/gnutls_privkey_raw.c, lib/gnutls_psk.c, lib/gnutls_pubkey.c, + lib/gnutls_range.c, lib/gnutls_record.c, lib/gnutls_session.c, + lib/gnutls_session_pack.c, lib/gnutls_srp.c, lib/gnutls_state.c, + lib/gnutls_ui.c, lib/gnutls_x509.c, lib/openpgp/extras.c, + lib/openpgp/gnutls_openpgp.c, lib/openpgp/pgp.c, + lib/openpgp/privkey.c, lib/pkcs11.c, lib/pkcs11_privkey.c, + lib/pkcs11x.c, lib/system-keys-win.c, lib/system_override.c, 
+ lib/tpm.c, lib/verify-tofu.c, lib/x509/crl.c, lib/x509/crl_write.c, + lib/x509/crq.c, lib/x509/dn.c, lib/x509/extensions.c, + lib/x509/hostname-verify.c, lib/x509/name_constraints.c, + lib/x509/ocsp.c, lib/x509/ocsp_output.c, lib/x509/output.c, + lib/x509/pkcs12.c, lib/x509/pkcs12_bag.c, lib/x509/pkcs7.c, + lib/x509/privkey.c, lib/x509/privkey_openssl.c, + lib/x509/privkey_pkcs8.c, lib/x509/verify-high.c, + lib/x509/verify-high2.c, lib/x509/x509.c, lib/x509/x509_ext.c, + lib/x509/x509_write.c: doc: avoid using structure for opaque types + +2015-03-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-extension.c: tests: include gnutls_ext_s/get_data into + tests of mini-extension + +2015-03-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_extensions.c: updated documentation on non-return value + of gnutls_ext_set_data + +2015-03-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-dtls0-9.c: tests: fixed buffers in mini-dtls0-9 + +2015-03-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_handshake.c: avoid overflow when receiving DTLS 0.9 CCS + +2015-03-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/auth/srp.c, lib/ext/alpn.c, lib/ext/etm.c, + lib/ext/heartbeat.c, lib/ext/max_record.c, + lib/ext/safe_renegotiation.c, lib/ext/server_name.c, + lib/ext/session_ticket.c, lib/ext/signature.c, lib/ext/srp.c, + lib/ext/srtp.c, lib/ext/status_request.c, lib/gnutls_extensions.c, + lib/gnutls_extensions.h, lib/gnutls_int.h, lib/gnutls_str.h, + lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: added + gnutls_ext_set_data() and gnutls_ext_get_data() As a side effect the type which holds private data was reduced from + union to void * pointer. That simplifies the exported API without + reducing the options in the internal API. 
+ +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitignore: more files to ignore + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/gnutls.h.in: set GNUTLS_DTLS_VERSION_MIN to be + DTLS0.9 That allows standard DTLS ciphersuites to be used with DTLS0.9 + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/mini-dtls0-9.c: tests: added test for + DTLS 0.9 + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-extension.c: tests: updated mini-extension + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-internals.texi: mention the new functionality briefly in + documentation + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_extensions.c, lib/gnutls_supplemental.c: mention that + the registration functions are not thread safe + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_extensions.c, lib/gnutls_extensions.h: store a copy of + the extensions name + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_global.c: deinitialize supplemental data on deinit + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_extensions.c, lib/gnutls_extensions.h, + lib/gnutls_handshake.c, lib/includes/gnutls/gnutls.h.in: removed + unused epoch change callback + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_global.c, lib/gnutls_supplemental.c, + lib/gnutls_supplemental.h: deinitialize supplemental data on deinit + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_hash_int.h, lib/gnutls_supplemental.c: reduce warnings + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_extensions.c, lib/gnutls_str.c, lib/gnutls_str.h, + lib/gnutls_supplemental.c: added documentation for the new functions + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * 
tests/mini-supplementaldata.c: tests: remove warnings in + mini-supplementaldata.c + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/gnutls.h.in, tests/mini-supplementaldata.c: + updated types + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitignore: more files to ignore + +2015-03-19 Thierry Quemerais <tquemerais@awox.com> + + * lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map, tests/Makefile.am, tests/mini-supplementaldata.c: + Added a way to add custom supplemental data from public API. Signed-off-by: Thierry Quemerais <tquemerais@awox.com> + +2015-03-19 Thierry Quemerais <tquemerais@awox.com> + + * tests/mini-extension.c: Fixed extension test. Signed-off-by: Thierry Quemerais <tquemerais@awox.com> + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_str.h, lib/includes/gnutls/gnutls.h.in, + tests/Makefile.am, tests/mini-extension.c: renamed gnutls_buffer_st + -> gnutls_buffer_t + +2015-03-19 Thierry Quemerais <tquemerais@awox.com> + + * lib/gnutls_extensions.c, lib/gnutls_extensions.h, + lib/gnutls_int.h, lib/gnutls_str.c, lib/gnutls_str.h, + lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, + tests/mini-extension.c: Added a way to add custom extensions from + public API. 
Signed-off-by: Thierry Quemerais <tquemerais@awox.com> + +2015-03-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitignore: more files to ignore + +2015-03-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/includes/gnutls/x509.h: + gnutls_x509_crt_import_pkcs11_url moved to pkcs11.h as it was always + defined there + +2015-03-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/inet_ntop.c: inet_ntop replacement: include sys/socket.h + +2015-03-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/inet_ntop.c, lib/system.h: inet_ntop replacement: do not + depend on socklen_t + +2015-03-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/slow/Makefile.am: tests: link cipher tests directly with + nettle when needed + +2015-03-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-dtls-record.c: tests: mini-dtls-record: increase + timeouts to avoid failure of test due to slow system + +2015-03-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-dtls-record.c: tests: mini-dtls-record: removed the + need for 64-bit number + +2015-03-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-dtls-record.c: tests: increase verbosity of + mini-dtls-record + +2015-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-crypto.texi: document the cipher override API + +2015-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/slow/Makefile.am, tests/slow/mac-override.c, + tests/slow/override-ciphers: added test suite for overriden digests + and MACs + +2015-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/cryptodev.c, lib/accelerated/x86/x86-common.c, + lib/crypto-backend.c, lib/crypto-backend.h, + lib/includes/gnutls/crypto.h, lib/libgnutls.map: Added API to + register MAC and digest algorithms. 
+ +2015-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/slow/Makefile.am, tests/slow/cipher-override.c, + tests/slow/override-ciphers: added test suite for overriden ciphers + +2015-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/cryptodev-gcm.c, lib/accelerated/cryptodev.c, + lib/accelerated/x86/x86-common.c, lib/crypto-backend.c, + lib/crypto-backend.h, lib/includes/gnutls/crypto.h, + lib/libgnutls.map: Added API to register AEAD and legacy ciphers. + +2015-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/cryptodev-gcm.c: cryptodev: provide the new AEAD + API + +2015-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_global.c: Added environment variable which can override + automatic global initialization + +2015-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-backend.c, lib/crypto-backend.h: removed unused + functions + +2015-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * m4/hooks.m4: configure: fail compilation if the minimum required + libtasn1 is not present + +2015-03-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-03-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/long-session-id.c: tests: long-session-id uses the test + framework + +2015-03-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-03-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac, lib/pkcs11.c: depend on p11-kit 0.23.1 to conform to + draft-pechanec-pkcs11uri-21 + +2015-03-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-dtls-record.c: tests: fixed shadowed variable in + mini-dtls-record + +2015-03-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/long-session-id.c, tests/mini-dtls-fork.c, + tests/mini-dtls-pthread.c, tests/mini-dtls-rehandshake.c, + tests/mini-handshake-timeout.c, tests/utils.c, tests/utils.h: tests: + use nanosleep for sleeping + +2015-03-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * 
README.md: README-alpha: move valgrind to testing tools + +2015-03-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * README.md: updated README-alpha + +2015-03-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_supplemental.c: Fixed handling of supplemental data + with types > 255. Patch by Thierry Quemerais. + +2015-03-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_priority.c: doc update + +2015-03-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_priority.c: gnutls_priority_init: document that + priorities can be NULL + +2015-03-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testpkcs11.softhsm: testpkcs11: disallow softhsm + 2.0.0b1 from being used to test PKCS #11 + +2015-03-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/mini-eagain2.c: tests: mini-eagain2: call + gnutls_handshake_set_timeout() at the proper time + +2015-03-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * README.md: added libasan as dependency + +2015-03-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-selftests.c: corrected self test for 3DES + +2015-03-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c: pkcs11: correctly set the size of type + +2015-03-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c: pkcs11: combined the fill for object attributes set + +2015-03-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c: pkcs11: only set ID and label when both size and + data are set + +2015-03-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-03-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-03-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: p11tool: exit with non-zero reason if no objects are + found + +2015-03-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testpkcs11: tests: added checks for p11tool --set-id + and --set-label + +2015-03-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * 
src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + p11tool: added --set-id and --set-label options + +2015-03-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c, + lib/pkcs11_int.c, lib/pkcs11_int.h: added + gnutls_pkcs11_obj_set_info() This function allows setting information such as the CKA_ID and the + CKA_LABEL of an object. Resolves #1 + +2015-03-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/Makefile.am, tests/cert-tests/invalid-sig, + tests/cert-tests/invalid-sig.pem: Added check for GNUTLS-SA-2015-1 + +2015-03-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/test-chains.h: tests: removed test with invalid DER encoding + in chainverify These certificates are now rejected earlier. + +2015-03-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/strict-der.c: tests: added a check for + certificates with invalid DER encodings + +2015-03-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/common.c, lib/x509/common.h, lib/x509/crl.c, + lib/x509/crq.c, lib/x509/dn.c, lib/x509/extensions.c, + lib/x509/mpi.c, lib/x509/ocsp.c, lib/x509/privkey.c, + lib/x509/privkey_pkcs8.c, lib/x509/x509.c, lib/x509/x509_ext.c: + x509: use libtasn1's strict DER decoding rules in network obtained + structures + +2015-03-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/common.c, m4/hooks.m4: depend on libtasn1 4.3 + +2015-03-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h, + lib/minitasn1/parser_aux.c: minitasn1: updated to libtasn1 4.3 + +2015-03-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-internals.texi: rearranged internal documentation + +2015-03-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def, + src/socket.c: tools: added ftp as a starttls protocol + +2015-03-09 Nikos Mavrogiannopoulos 
<nmav@redhat.com> + + * src/cli-args.def: gnutls-cli: starttls and starttls-proto can't + mix + +2015-03-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-gtls-app.texi: expand on SECURE256 being an alias to + SECURE192 + +2015-03-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testcompat-polarssl: tests: do not run polarssl + interop test on VIA + +2015-03-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testcompat-common: use common license in all + testcompat scripts + +2015-03-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/nettle/pk.c: removed unused function + +2015-03-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/TODO: doc update + +2015-03-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * Makefile.am, README-alpha, README.md: README-alpha is README.md on + repository It contains information for developers. + +2015-03-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * Makefile.am, README, README.md: Revert "auto-generate README from + README.md" This reverts commit aff4b2151b42c6a59e490c3714d3e1e64d2921dd. + +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * README.md: cleaned up licensing + +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * Makefile.am, README, README.md: auto-generate README from + README.md + +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * README.md: Revert "added README.md as link to README" This reverts commit 041d4f947eb6937d4af62eb35055668825c36833. + +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * README.md: added README.md as link to README + +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * README, README-alpha, README-alpha.md, README.md: Revert "renamed + README files" This reverts commit 05b4fa46667d3f5972f6de6ac61ff959382c67a5. 
+ +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * README, README-alpha, README-alpha.md, README.md: renamed README + files + +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * README, README-alpha: README: converted to mark-down + +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/tests.c: gnutls-cli-debug: corrected check of certificate + chain order + +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/x509cert.c: tests: added small test to verify that + GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED succeeds with a single cert + +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-debug.c, src/tests.c: gnutls-cli-debug: disable + unsupported TLS protocols as soon + +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/socket.c: cli sockets: check for a digit prior using atoi + +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/tests.c: gnutls-cli-debug: a cert list of size 1 is always + sorted + +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/socket.c: gnutls-cli-debug: do not warn multiple times about + unknown protocols + +2015-03-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-support.texi: updated documentation on FIPS140-2 + +2015-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testcompat-main-openssl, + tests/suite/testcompat-main-polarssl: tests: speed up testcompat + check by remove less important options + +2015-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/softhsm.h: tests: updated paths for softhsm detection + +2015-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * README-alpha: README: mention nodejs + +2015-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac: configure: check for /usr/share/dns/root.key as well + for dns root key + +2015-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * README-alpha: README: mention dependency on dns-root-data + +2015-03-05 Nikos Mavrogiannopoulos 
<nmav@gnutls.org> + + * tests/cert-tests/template-test: tests: don't perform the overflow + check in 32-bit systems + +2015-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/template-date.pem, + tests/cert-tests/template-date.tmpl: tests: date parsing test was + modified to work in 32-bit systems + +2015-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-cfg.c: certtool: in 32-bit systems use PRIu64 to + print 64-bit values + +2015-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-cfg.c: certtool: exit when there is an overflow in + parsing days + +2015-03-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * README-alpha: README: mention that openssl and polarssl will be + used for interop testing + +2015-03-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/template-test: Revert "tests: increased the + retries with datefudge cert generation" This reverts commit a381fd148d2e181e19aad9ab9a9c5993080ce869. + +2015-03-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/Makefile.am, + tests/cert-tests/template-basic.pem, + tests/cert-tests/template-basic.tmpl, + tests/cert-tests/template-test: Revert "tests: template-test: added + a baseline check to detect slow systems" This reverts commit b7ef1265810ec55d0912db2e3fa4204d8c412377. + +2015-03-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/Makefile.am, + tests/cert-tests/template-basic.pem, + tests/cert-tests/template-basic.tmpl, + tests/cert-tests/template-test: tests: template-test: added a + baseline check to detect slow systems + +2015-03-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/template-test: tests: increased the retries with + datefudge cert generation There are slow systems that are not always capable of generating the + certificate within a single second. 
+ +2015-03-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * README-alpha: add bison as a dependency + +2015-03-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * Makefile.am: build documentation last That allows the examples to depend on libgnu_gpl.la + +2015-03-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * README-alpha: list unbound dependency for DANE + +2015-03-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testdane: tests: removed dane hosts which don't behave + well + +2015-03-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * README-alpha: updated instructions for installed packages + +2015-03-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/latex/cover.tex: latex doc: updated copyright dates + +2015-03-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/gnutls.texi: updated copyright date + +2015-03-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c, lib/tpm.c, lib/x509/common.c, + lib/x509/common.h, lib/x509/dn.c, lib/x509/ocsp.c, + lib/x509/pkcs12.c, lib/x509/pkcs12_bag.c, lib/x509/x509_ext.c, + m4/hooks.m4: use asn1_decode_simple_ber if available + +2015-03-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-library.texi: corrected typo + +2015-03-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-library.texi: mention libidn + +2015-03-04 Ilya V. Matveychikov <i.matveychikov@securitycode.ru> + + * tests/suite/asn1random.pl: asn1random.pl: generate simple tags + only Do not emit tags with numbers greater than or equal 31 as they must + be encoded an octet sequence (ref X.690-0207 # 8.1.2.4) 
Signed-off-by: Ilya V. Matveychikov <i.matveychikov@securitycode.ru> + +2015-03-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_priority.c: doc update + +2015-02-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/Makefile.am, tests/cert-tests/invalid-sig, + tests/cert-tests/invalid-sig2.pem, + tests/cert-tests/invalid-sig3.pem: tests: added checks for invalid + X.509 certificate signatures + +2015-03-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-upgrade.texi: added the change of priority string NORMAL + in documentation + +2015-03-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-library.texi: document the usage of a PKCS #11 trust + module for verification + +2015-03-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testcompat-main-openssl: tests: updated the suite to + account for the removal of DSA by default + +2015-03-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/dsa/testdsa, tests/openpgp-callback.c, tests/openpgpself.c, + tests/priorities.c: tests: updated the suite to account for the + removal of DSA by default + +2015-03-03 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-03-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testcompat-main-openssl, + tests/suite/testcompat-main-polarssl, + tests/suite/testcompat-openssl, tests/suite/testcompat-polarssl: + cross-implementation test suite was relicensed to 3-clause BSD That way the suite can be used by projects with other licenses. + +2015-03-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-03-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_priority.c: DSA signatures and DHE-DSS are disabled by + default DSA was an algorithm that was never deployed on the Internet and + had, until very recently, several limitations such as restriction of + its keys to 1024 bits, SHA1-only etc. 
Given that there are literally + 0 internet (HTTPS) certificates using DSA, there is no point to + enable it by default and increase our attack surface. + +2015-03-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/benchmark-cipher.c: gnutls-cli: include AES_128_CCM in + benchmark-ciphers + +2015-02-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_session.c: doc update + +2015-02-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-02-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_privkey.c: doc update + +2015-02-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/Makefile.am, lib/inet_ntop.c, lib/system.c, lib/system.h, + lib/x509/output.c: bundle inet_ntop in systems that don't have it + +2015-02-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated + auto-generated files + +2015-02-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/abstract.h: removed + gnutls_pubkey_get_verify_algorithm from abstract.h + +2015-02-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_handshake.c: corrected typo in gnutls_handshake(), + spotted by Andris Mednis + +2015-02-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_session.c: doc update: document that session_get_data() + must be used in non-resumed sessions + +2015-02-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-tokens.texi: doc update + +2015-02-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms/ciphersuites.c, lib/gnutls_handshake.c: added + comments + +2015-02-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac, lib/pkcs11.c: Use p11_kit_uri_get_pin_value() if + available in p11-kit + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_buffers.c: fixed handling of GNUTLS_E_INT_CHECK_AGAIN + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms/ciphersuites.c: removed unnecessary 
check and + optimized function + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms/ciphersuites.c: corrected check which prevented + client to sent an unacceptable for the version ciphersuite + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-key-material.c: tests: mini-key-material: avoid memory + leak + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-dtls-lowmtu.c, tests/mini-overhead.c, + tests/mini-record.c: tests: require DTLS 1.2 when using GCM + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_buffers.c: handle GNUTLS_E_INT_CHECK_AGAIN + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms.h, lib/algorithms/ciphersuites.c, + lib/gnutls_handshake.c: check the negotiated TLS/DTLS version prior + to offering a ciphersuite a server + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_priority.c: remove unnecessary assert + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-upgrade.texi: doc update + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cve-2009-1415.c, tests/x509sign-verify.c: tests: modified + tests with obsolete APIs with their replacement API + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-upgrade.texi: doc: added deprecated functions into upgrade + plan + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/x509cert-tl.c: tests: added checks for + gnutls_x509_crt_get_signature_algorithm and + gnutls_x509_crt_get_preferred_hash_algorithm + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/crypto-backend.h, lib/gnutls_pk.c, lib/gnutls_pk.h, + lib/gnutls_pubkey.c, lib/libgnutls.map, lib/nettle/pk.c, + lib/x509/verify.c, lib/x509/x509.c: removed + 
gnutls_pubkey_get_verify_algorithm() and unnecessary internal APIs + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/compat.h, lib/libgnutls.map, lib/x509/x509.c: + removed gnutls_x509_crt_get_verify_algorithm() + +2015-02-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_pubkey.c, lib/includes/gnutls/abstract.h, + lib/libgnutls.map: removed gnutls_pubkey_verify_hash() and + gnutls_pubkey_verify_data() + +2015-02-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-common.h: certtool: use unsigned for bits + +2015-02-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c, src/p11tool.c: certtool/p11tool: avoid cast to + function call + +2015-02-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-args.def, src/certtool.c: certtool: allow specifying + a purpose and a hostname for chain verification + +2015-02-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/x509cert-invalid.c: tests: added check + for invalid X.509 certificate + +2015-02-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/mini-key-material.c: tests: added check + for gnutls_record_get_state() + +2015-02-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_constate.c: removed unused constants + +2015-02-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c: memcpy fix in gnutls_record_get_state + +2015-02-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * ltmain.sh: removed ltmain.sh from root + +2015-02-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-02-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: Added gnutls_record_get_state() and + gnutls_record_set_state() These functions allow to export the key material and sequence + numbers. That allows offloading the sending and receiving of + individual records. 
+ +2015-02-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_record.c: fixed sequence number copy + +2015-02-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-02-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_handshake.c, lib/includes/gnutls/gnutls.h.in: + gnutls_handshake_set_hook_function: will provide the raw handshake + data + +2015-02-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/gnutls.h.in: use explicit casts to unsigned + int in the CURVE_TO_BITS et al + +2015-02-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/pkcs12_encr.c: use cast in _gnutls_hash_fast + +2015-02-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/x509.c: when importing a certificate ensure that the + signature parameters match + +2015-02-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/accelerated/x86/x86-common.c: Allow AESNI GCM accelaration in + x86 + +2015-02-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-args.def, src/cli.c: gnutls-cli: added --save-cert option + +2015-02-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/gnutls.h.in: added missing prototypes + +2015-02-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli.c: handle differently OCSP responses that are revoked and + of unknown status + +2015-02-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/common.c: compilation fix with return on void function; + reported by David Marx + +2015-01-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c: doc update + +2015-01-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_buffers.c: set the appropriate direction when + _gnutls_io_write_flush() is called + +2015-01-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/mini-dtls-pthread.c: tests: added check + for operation under different threads and DTLS + +2015-01-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, 
tests/mini-dtls-fork.c: tests: added check for + operation under different processes and DTLS + +2015-01-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: Revert "doc update" This reverts commit eabf1f27d255577bad60d302abf46a969848fcd7. + +2015-01-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_record.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: Revert "Added gnutls_record_is_async()" This reverts commit 2232822aabe473d124f924d64ff52981d685fd41. + +2015-01-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: documented using a session with fork or + multiple threads + +2015-01-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2015-01-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_record.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: Added gnutls_record_is_async() That function indicates whether gnutls_record_recv() and + gnutls_record_send() can be used independently and in parallel. + +2015-01-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_buffers.c: print errno in a more uniform way + +2015-01-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, lib/system.c: doc update + +2015-01-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_buffers.c, lib/gnutls_handshake.c, lib/gnutls_state.c, + lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/system.c, + lib/system.h, lib/system_override.c: exported + gnutls_system_recv_timeout() + +2015-01-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_buffers.c: simplified _gnutls_writev() by requiring the + total length + +2015-01-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/opencdk/kbnode.c, lib/opencdk/read-packet.c: opencdk: small + fixed to reduce warnings + +2015-01-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_ui.c: doc update + +2015-01-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli.c, src/ocsptool-common.c, src/ocsptool-common.h: don't be + 
so verbose about the OCSP nonce; it is universally unsupported + +2015-01-17 Tim Ruehsen <tim.ruehsen@gmx.de> + + * src/cli.c, src/ocsptool-common.c: OCSP check the whole cert chain 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> + +2015-01-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/x509.c: on certificate import check whether the two + signature algorithms match + +2015-01-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * cross.mk: cross.mk: use 3.3.12 + +2015-01-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/key_decode.c: doc update + +2015-01-12 Luke Dashjr <luke-jr+git@utopios.org> + + * Makefile.am, configure.ac, doc/manpages/Makefile.am: Added + configure option --disable-tools + +2015-01-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * libdane/errors.c: corrected typos Reported by Guido Kroon. + +2015-01-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms/protocols.c, lib/gnutls_int.h: Added the notion of + obsolete versions That prevents using these versions as record version numbers, unless + they are the only protocol supported. This avoids the issues with + servers that have banned SSL 3.0 record versions. 
+ +2015-01-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/ocsptool-common.c: ocsptool: follow the documented process for + gnutls_x509_crt_get_authority_info_access + +2015-01-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/x509.c: gnutls_x509_crt_get_authority_info_access: doc + update + +2015-01-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/ocsptool-common.c: ocsptool-common: iterate through all AIA + items prior to decidig the OCSP server + +2015-01-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/fips.c: use a FIPS key that agree's with fedora's fipshmac + +2015-01-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * devel/DCO/people-dco.txt: DCO: Added Luke Dashjr + +2015-01-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-args.def: simplified text for inline-commands-prefix + +2015-01-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-args.def, src/cli.c, src/socket.c: gnutls-cli: added + --starttls-proto option + +2015-01-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: pkcs11: cleanup the name of types + +2015-01-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/softhsm.h: tests: updates in softhsm detection + +2015-01-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: pkcs11: when importing a public key, import it's + data as well (version 2 fix) + +2015-01-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify.c: doc update + +2015-01-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testpkcs11: testpkcs11: do not ignore the failure to + write a trusted CA + +2015-01-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/libgnutls.map: removed gnutls_pubkey_get_pk_* from the + exported function list + +2015-01-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/key-import-export.c: tests: key-import-export: enhanced to + test gnutls_pubkey_*_ecc_x962 + +2015-01-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c: 
gnutls_pubkey_t: allow the import of another + parameter set without a leak + +2015-01-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c: removed ABI-compatibility functions + +2015-01-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def: doc update + +2015-01-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testpkcs11.softhsm: testpkcs11: modified to support + both softhsmv1 and v2 + +2015-01-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c: pkcs11: when importing a public key, import it's + data as well + +2015-01-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/key-import-export.c: tests: enhanced key-import-export to + check output of pubkeys + +2015-01-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/openpgp-callback.c: tests: eliminated leaks + +2015-01-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_cert.c: doc update + +2015-01-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/key-import-export.c: tests: added checks + for private key import/export functions + +2015-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/TODO: doc update + +2015-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/openpgp-callback.c: tests: Added test + case for openpgp keys loaded by callback + +2015-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_state.c: When setting up TLS with cert-type OpenPGP + from a client, the server verifies if it supports the extension’s + contents in _gnutls_session_cert_type_supported(). This function + checks for cred->get_cert_callback but not cred->get_cert_callback2. + As a result, servers setup for OpenPGP certificate credential + callback with gnutls_certificate_set_retrieve_function2() are unable + to use the OpenPGP certificate type. The solution is to consider cred->get_cert_callback2 alongside + cred->get_cert_callback in _gnutls_session_cert_type_supported(). 
Patch by Rick van Rein. + +2015-01-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_privkey.c: gnutls_privkey_import_openpgp_raw: do not + release the cached value + +2015-01-08 Ludovic Courtès <ludo@gnu.org> + + * NEWS, guile/modules/gnutls.in: guile: Call 'load-extension' both + during expansion and at run time. Fixes <https://bugzilla.redhat.com/show_bug.cgi?id=1177847>. * guile/modules/gnutls.in: Wrap '%libdir' definition and 'load-extension' call in 'eval-when'. + +2015-01-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_buffers.c, lib/gnutls_errors.h: When receiving a TLS + record with multiple handshake packets, parse them in one go That resolves: https://savannah.gnu.org/support/?108712 + +2015-01-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-dtls-record-asym.c: tests: updated + mini-dtls-record-asym + +2015-01-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-dtls-record-asym.c: tests: better documentation of + mini-dtls-record-asym purpose + +2015-01-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-dtls-mtu.c, tests/utils.c, tests/utils.h: tests: moved + udp_socketpair to utils + +2015-01-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-dtls-record-asym.c: tests: corrected asymmetric MTU + test for DTLS and added caching + +2015-01-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/mini-dtls-record-asym.c: Added test case + for DTLS handshake packet reconstruction when it exceeds MTU https://savannah.gnu.org/support/?108712 + +2015-01-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_buffers.c: simplified _gnutls_dgram_read() + +2015-01-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/Makefile.am: danetool: only compile when dane is enabled + +2015-01-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_buffers.c: in DTLS don't combine multiple packets which + exceed MTU Resolves: https://savannah.gnu.org/support/?108715 + 
+2015-01-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_buffers.c: Added more precise check of push functions + availability + +2015-01-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_buffers.c, lib/gnutls_state.c, lib/system.c, + lib/system.h: Revert "in DTLS don't use writev() when multiple + packets which exceed MTU are queued" This reverts commit 43082a67c7514d65301d157fb567a133138a85ab. + +2015-01-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_buffers.c: Revert "Give precedence to vector push + function" This reverts commit cb4ea413569803cbbf291abb27d30d14bfa971c5. + +2015-01-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_buffers.c: Give precedence to vector push function + +2015-01-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_buffers.c, lib/gnutls_state.c, lib/system.c, + lib/system.h: in DTLS don't use writev() when multiple packets which + exceed MTU are queued That change requires the system_write() to be registered + unconditionally, even when writev() is available. 
Resolves: + https://savannah.gnu.org/support/?108715 + +2015-01-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/mini-dtls-mtu.c: tests: added check to + ensure that DTLS handshake packets will not exceed MTU + +2015-01-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: warn when setting a certificate's + expiration longer than the CA's expiration + +2015-01-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testpkcs11: testpkcs11: detect softhsm2 + +2015-01-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c, + tests/record-sizes.c: tests: account for disabling of ARCFOUR where + needed + +2015-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-cfg.c: certtool: modified check for READ_NUMERIC + +2015-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-cfg.c: certtool: use 64-bit type for CRL serial + number + +2015-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-cfg.c: certtool: check for overflows when reading + serial numbers + +2015-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-cfg.c, src/certtool-cfg.h: certtool: use int64_t as + type for integers read + +2015-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/socket.c: gnutls-cli-debug: more precise handling of SMTP + protocol Patch by Andreas Metzler. 
+ +2015-01-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * gl/Makefile.am, gl/alloca.in.h, gl/asnprintf.c, gl/asprintf.c, + gl/base64.c, gl/base64.h, gl/byteswap.in.h, gl/c-ctype.c, + gl/c-ctype.h, gl/errno.in.h, gl/float+.h, gl/float.c, + gl/float.in.h, gl/fstat.c, gl/ftell.c, gl/ftello.c, gl/getdelim.c, + gl/getline.c, gl/gettext.h, gl/gettimeofday.c, gl/hash-pjw-bare.c, + gl/hash-pjw-bare.h, gl/intprops.h, gl/itold.c, gl/lseek.c, + gl/m4/00gnulib.m4, gl/m4/absolute-header.m4, gl/m4/alloca.m4, + gl/m4/base64.m4, gl/m4/byteswap.m4, gl/m4/codeset.m4, + gl/m4/errno_h.m4, gl/m4/exponentd.m4, gl/m4/extensions.m4, + gl/m4/extern-inline.m4, gl/m4/fcntl-o.m4, gl/m4/fcntl_h.m4, + gl/m4/fdopen.m4, gl/m4/float_h.m4, gl/m4/fpieee.m4, + gl/m4/fseeko.m4, gl/m4/fstat.m4, gl/m4/ftell.m4, gl/m4/ftello.m4, + gl/m4/func.m4, gl/m4/getdelim.m4, gl/m4/getline.m4, + gl/m4/getpagesize.m4, gl/m4/gettext.m4, gl/m4/gettimeofday.m4, + gl/m4/glibc2.m4, gl/m4/glibc21.m4, gl/m4/gnulib-cache.m4, + gl/m4/gnulib-common.m4, gl/m4/gnulib-comp.m4, gl/m4/gnulib-tool.m4, + gl/m4/iconv.m4, gl/m4/include_next.m4, gl/m4/intdiv0.m4, + gl/m4/intl.m4, gl/m4/intldir.m4, gl/m4/intlmacosx.m4, + gl/m4/intmax.m4, gl/m4/intmax_t.m4, gl/m4/inttypes-pri.m4, + gl/m4/inttypes.m4, gl/m4/inttypes_h.m4, gl/m4/largefile.m4, + gl/m4/lcmessage.m4, gl/m4/ld-output-def.m4, + gl/m4/ld-version-script.m4, gl/m4/lib-ld.m4, gl/m4/lib-link.m4, + gl/m4/lib-prefix.m4, gl/m4/lock.m4, gl/m4/longlong.m4, + gl/m4/lseek.m4, gl/m4/malloc.m4, gl/m4/manywarnings.m4, + gl/m4/math_h.m4, gl/m4/memchr.m4, gl/m4/memmem.m4, gl/m4/minmax.m4, + gl/m4/mmap-anon.m4, gl/m4/msvc-inval.m4, gl/m4/msvc-nothrow.m4, + gl/m4/multiarch.m4, gl/m4/netdb_h.m4, gl/m4/netinet_in_h.m4, + gl/m4/nls.m4, gl/m4/off_t.m4, gl/m4/po.m4, gl/m4/printf-posix.m4, + gl/m4/printf.m4, gl/m4/progtest.m4, gl/m4/read-file.m4, + gl/m4/realloc.m4, gl/m4/size_max.m4, gl/m4/snprintf.m4, + gl/m4/socklen.m4, gl/m4/sockpfaf.m4, gl/m4/ssize_t.m4, + gl/m4/stdalign.m4, gl/m4/stdbool.m4, 
gl/m4/stddef_h.m4, + gl/m4/stdint.m4, gl/m4/stdint_h.m4, gl/m4/stdio_h.m4, + gl/m4/stdlib_h.m4, gl/m4/strcase.m4, gl/m4/string_h.m4, + gl/m4/strings_h.m4, gl/m4/strndup.m4, gl/m4/strnlen.m4, + gl/m4/strtok_r.m4, gl/m4/strverscmp.m4, gl/m4/sys_socket_h.m4, + gl/m4/sys_stat_h.m4, gl/m4/sys_time_h.m4, gl/m4/sys_types_h.m4, + gl/m4/sys_uio_h.m4, gl/m4/threadlib.m4, gl/m4/time_h.m4, + gl/m4/time_r.m4, gl/m4/uintmax_t.m4, gl/m4/ungetc.m4, + gl/m4/unistd_h.m4, gl/m4/valgrind-tests.m4, gl/m4/vasnprintf.m4, + gl/m4/vasprintf.m4, gl/m4/visibility.m4, gl/m4/vsnprintf.m4, + gl/m4/warn-on-use.m4, gl/m4/warnings.m4, gl/m4/wchar_h.m4, + gl/m4/wchar_t.m4, gl/m4/wint_t.m4, gl/m4/xsize.m4, gl/malloc.c, + gl/memchr.c, gl/memmem.c, gl/minmax.h, gl/msvc-inval.c, + gl/msvc-inval.h, gl/msvc-nothrow.c, gl/msvc-nothrow.h, + gl/netdb.in.h, gl/netinet_in.in.h, gl/printf-args.c, + gl/printf-args.h, gl/printf-parse.c, gl/printf-parse.h, + gl/read-file.c, gl/read-file.h, gl/realloc.c, gl/size_max.h, + gl/snprintf.c, gl/stdalign.in.h, gl/stdbool.in.h, gl/stddef.in.h, + gl/stdint.in.h, gl/stdio-impl.h, gl/stdio.in.h, gl/stdlib.in.h, + gl/str-two-way.h, gl/strcasecmp.c, gl/string.in.h, gl/strings.in.h, + gl/strncasecmp.c, gl/strndup.c, gl/strnlen.c, gl/strtok_r.c, + gl/strverscmp.c, gl/sys_socket.in.h, gl/sys_stat.in.h, + gl/sys_time.in.h, gl/sys_types.in.h, gl/sys_uio.in.h, + gl/tests/Makefile.am, gl/tests/binary-io.h, gl/tests/fcntl.in.h, + gl/tests/fdopen.c, gl/tests/fpucw.h, gl/tests/getpagesize.c, + gl/tests/init.sh, gl/tests/inttypes.in.h, gl/tests/macros.h, + gl/tests/signature.h, gl/tests/test-alloca-opt.c, + gl/tests/test-base64.c, gl/tests/test-binary-io.c, + gl/tests/test-byteswap.c, gl/tests/test-c-ctype.c, + gl/tests/test-errno.c, gl/tests/test-fcntl-h.c, + gl/tests/test-fdopen.c, gl/tests/test-fgetc.c, + gl/tests/test-float.c, gl/tests/test-fputc.c, + gl/tests/test-fread.c, gl/tests/test-fstat.c, + gl/tests/test-ftell.c, gl/tests/test-ftell3.c, + gl/tests/test-ftello.c, 
gl/tests/test-ftello3.c, + gl/tests/test-ftello4.c, gl/tests/test-func.c, + gl/tests/test-fwrite.c, gl/tests/test-getdelim.c, + gl/tests/test-getline.c, gl/tests/test-gettimeofday.c, + gl/tests/test-iconv.c, gl/tests/test-init.sh, + gl/tests/test-intprops.c, gl/tests/test-inttypes.c, + gl/tests/test-memchr.c, gl/tests/test-netdb.c, + gl/tests/test-netinet_in.c, gl/tests/test-read-file.c, + gl/tests/test-snprintf.c, gl/tests/test-stdalign.c, + gl/tests/test-stdbool.c, gl/tests/test-stddef.c, + gl/tests/test-stdint.c, gl/tests/test-stdio.c, + gl/tests/test-stdlib.c, gl/tests/test-string.c, + gl/tests/test-strings.c, gl/tests/test-strnlen.c, + gl/tests/test-strverscmp.c, gl/tests/test-sys_socket.c, + gl/tests/test-sys_stat.c, gl/tests/test-sys_time.c, + gl/tests/test-sys_types.c, gl/tests/test-sys_uio.c, + gl/tests/test-sys_wait.h, gl/tests/test-time.c, + gl/tests/test-u64.c, gl/tests/test-unistd.c, + gl/tests/test-vasnprintf.c, gl/tests/test-vasprintf.c, + gl/tests/test-vc-list-files-cvs.sh, + gl/tests/test-vc-list-files-git.sh, gl/tests/test-verify.c, + gl/tests/test-vsnprintf.c, gl/tests/test-wchar.c, + gl/tests/zerosize-ptr.h, gl/time.in.h, gl/time_r.c, gl/u64.h, + gl/unistd.in.h, gl/vasnprintf.c, gl/vasnprintf.h, gl/vasprintf.c, + gl/verify.h, gl/vsnprintf.c, gl/wchar.in.h, gl/xsize.h, + src/gl/Makefile.am, src/gl/accept.c, src/gl/alloca.in.h, + src/gl/arpa_inet.in.h, src/gl/asnprintf.c, src/gl/bind.c, + src/gl/c-ctype.c, src/gl/c-ctype.h, src/gl/close.c, + src/gl/connect.c, src/gl/dup2.c, src/gl/errno.in.h, src/gl/error.c, + src/gl/error.h, src/gl/exitfail.c, src/gl/exitfail.h, + src/gl/fd-hook.c, src/gl/fd-hook.h, src/gl/float+.h, + src/gl/float.c, src/gl/float.in.h, src/gl/fseek.c, src/gl/fseeko.c, + src/gl/fstat.c, src/gl/ftell.c, src/gl/ftello.c, + src/gl/gai_strerror.c, src/gl/getaddrinfo.c, src/gl/getdelim.c, + src/gl/getline.c, src/gl/getpass.c, src/gl/getpass.h, + src/gl/getpeername.c, src/gl/gettext.h, src/gl/gettime.c, + src/gl/gettimeofday.c, 
src/gl/inet_ntop.c, src/gl/inet_pton.c, + src/gl/intprops.h, src/gl/itold.c, src/gl/listen.c, src/gl/lseek.c, + src/gl/m4/00gnulib.m4, src/gl/m4/absolute-header.m4, + src/gl/m4/alloca.m4, src/gl/m4/arpa_inet_h.m4, src/gl/m4/bison.m4, + src/gl/m4/clock_time.m4, src/gl/m4/close.m4, src/gl/m4/dup2.m4, + src/gl/m4/eealloc.m4, src/gl/m4/environ.m4, src/gl/m4/errno_h.m4, + src/gl/m4/error.m4, src/gl/m4/exponentd.m4, + src/gl/m4/extensions.m4, src/gl/m4/extern-inline.m4, + src/gl/m4/float_h.m4, src/gl/m4/fseek.m4, src/gl/m4/fseeko.m4, + src/gl/m4/fstat.m4, src/gl/m4/ftell.m4, src/gl/m4/ftello.m4, + src/gl/m4/getaddrinfo.m4, src/gl/m4/getdelim.m4, + src/gl/m4/getline.m4, src/gl/m4/getpass.m4, src/gl/m4/gettime.m4, + src/gl/m4/gettimeofday.m4, src/gl/m4/gnulib-cache.m4, + src/gl/m4/gnulib-common.m4, src/gl/m4/gnulib-comp.m4, + src/gl/m4/gnulib-tool.m4, src/gl/m4/hostent.m4, + src/gl/m4/include_next.m4, src/gl/m4/inet_ntop.m4, + src/gl/m4/inet_pton.m4, src/gl/m4/intmax_t.m4, + src/gl/m4/inttypes_h.m4, src/gl/m4/largefile.m4, + src/gl/m4/longlong.m4, src/gl/m4/lseek.m4, src/gl/m4/malloc.m4, + src/gl/m4/malloca.m4, src/gl/m4/math_h.m4, src/gl/m4/memchr.m4, + src/gl/m4/minmax.m4, src/gl/m4/mktime.m4, src/gl/m4/mmap-anon.m4, + src/gl/m4/msvc-inval.m4, src/gl/m4/msvc-nothrow.m4, + src/gl/m4/multiarch.m4, src/gl/m4/netdb_h.m4, + src/gl/m4/netinet_in_h.m4, src/gl/m4/off_t.m4, + src/gl/m4/parse-datetime.m4, src/gl/m4/printf.m4, + src/gl/m4/read-file.m4, src/gl/m4/realloc.m4, src/gl/m4/select.m4, + src/gl/m4/servent.m4, src/gl/m4/setenv.m4, src/gl/m4/signal_h.m4, + src/gl/m4/size_max.m4, src/gl/m4/snprintf.m4, + src/gl/m4/socketlib.m4, src/gl/m4/sockets.m4, src/gl/m4/socklen.m4, + src/gl/m4/sockpfaf.m4, src/gl/m4/ssize_t.m4, src/gl/m4/stdalign.m4, + src/gl/m4/stdbool.m4, src/gl/m4/stddef_h.m4, src/gl/m4/stdint.m4, + src/gl/m4/stdint_h.m4, src/gl/m4/stdio_h.m4, src/gl/m4/stdlib_h.m4, + src/gl/m4/strdup.m4, src/gl/m4/strerror.m4, src/gl/m4/string_h.m4, + src/gl/m4/sys_select_h.m4, 
src/gl/m4/sys_socket_h.m4, + src/gl/m4/sys_stat_h.m4, src/gl/m4/sys_time_h.m4, + src/gl/m4/sys_types_h.m4, src/gl/m4/sys_uio_h.m4, + src/gl/m4/time_h.m4, src/gl/m4/time_r.m4, src/gl/m4/timespec.m4, + src/gl/m4/tm_gmtoff.m4, src/gl/m4/unistd_h.m4, + src/gl/m4/vasnprintf.m4, src/gl/m4/warn-on-use.m4, + src/gl/m4/wchar_h.m4, src/gl/m4/wchar_t.m4, src/gl/m4/wint_t.m4, + src/gl/m4/xalloc.m4, src/gl/m4/xsize.m4, src/gl/malloc.c, + src/gl/malloca.c, src/gl/malloca.h, src/gl/memchr.c, + src/gl/minmax.h, src/gl/mktime.c, src/gl/msvc-inval.c, + src/gl/msvc-inval.h, src/gl/msvc-nothrow.c, src/gl/msvc-nothrow.h, + src/gl/netdb.in.h, src/gl/netinet_in.in.h, src/gl/parse-datetime.h, + src/gl/parse-datetime.y, src/gl/printf-args.c, + src/gl/printf-args.h, src/gl/printf-parse.c, src/gl/printf-parse.h, + src/gl/progname.c, src/gl/progname.h, src/gl/read-file.c, + src/gl/read-file.h, src/gl/realloc.c, src/gl/recv.c, + src/gl/recvfrom.c, src/gl/select.c, src/gl/send.c, src/gl/sendto.c, + src/gl/setenv.c, src/gl/setsockopt.c, src/gl/shutdown.c, + src/gl/signal.in.h, src/gl/size_max.h, src/gl/snprintf.c, + src/gl/socket.c, src/gl/sockets.c, src/gl/sockets.h, + src/gl/stdalign.in.h, src/gl/stdbool.in.h, src/gl/stddef.in.h, + src/gl/stdint.in.h, src/gl/stdio-impl.h, src/gl/stdio.in.h, + src/gl/stdlib.in.h, src/gl/strdup.c, src/gl/strerror-override.c, + src/gl/strerror-override.h, src/gl/strerror.c, src/gl/string.in.h, + src/gl/sys_select.in.h, src/gl/sys_socket.in.h, + src/gl/sys_stat.in.h, src/gl/sys_time.in.h, src/gl/sys_types.in.h, + src/gl/sys_uio.in.h, src/gl/time.in.h, src/gl/time_r.c, + src/gl/timespec.h, src/gl/unistd.in.h, src/gl/unsetenv.c, + src/gl/vasnprintf.c, src/gl/vasnprintf.h, src/gl/verify.h, + src/gl/w32sock.h, src/gl/wchar.in.h, src/gl/xalloc-die.c, + src/gl/xalloc-oversized.h, src/gl/xalloc.h, src/gl/xmalloc.c, + src/gl/xsize.h: updated gnulib + +2015-01-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-debug.c: gnutls-cli-debug: corrected the skip of 
ignored + checks + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/output.c: use explicit casts in the dummy ip conversion + functions + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-gtls-app.texi, doc/cha-intro-tls.texi, + lib/gnutls_priority.c: ARCFOUR-128 is disabled by default + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/system-keys-win.c: system-keys-win: use LoadLibraryA to load + ncrypt.dll + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * Makefile.am, devel/abi3.4.xml: Updated abi-compliance-checker for + 3.4 API + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * Makefile.am, symbols.last: updated export symbols list (due to ABI + breakage) + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am: doc: updated auto-generated files + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/doc.mk, doc/manpages/Makefile.am: generate manpages for urls.h + and system-keys.h + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/pkcs11-get-issuer.c: tests: added check for + gnutls_x509_trust_list_get_issuer_by_dn() + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/libgnutls.map: updated libgnutls.map for new functions + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am, doc/doc.mk, doc/manpages/Makefile.am: doc: + updated auto-generated files and added urls.h + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/Makefile.am, tests/cert-tests/certtool: tests: + added checks for the new --key-id and --fingerprint certtool options + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-args.def, src/certtool.c: 
certtool: Added + --fingerprint and --key-id options + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c: certtool: --pubkey-info will load a public key + from stdin + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/system.h: include netinet/in.h if present to access ipv6 + related structures Based on patch by Rumko. https://savannah.gnu.org/support/?108713 + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_priority.c: VERS-ALL adds all protocols if used with + '+' + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-gtls-app.texi, lib/gnutls_priority.c: priority strings + VERS-TLS-ALL and VERS-DTLS-ALL are restricted to the corresponding + protocols That introduces VERS-ALL which behaves as VERS-TLS-ALL previously. + +2014-12-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/gnutls.h.in: gnutls.h: made DTLS protocol + version numbering distinct + +2014-12-30 Matthias-Christian Ott <ott@mirix.org> + + * lib/gnutls_cipher_int.c: Don't call _gnutls_cipher_encrypt2 with + textlen = 0 in _gnutls_auth_cipher_encrypt2_tag If the plaintext is shorter than the block size of the used cipher, + _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with + textlen = 0. By definition _gnutls_cipher_encrypt2 does nothing in + this case and thus does not need to be called. + +2014-12-30 Matthias-Christian Ott <ott@mirix.org> + + * lib/accelerated/x86/aes-gcm-padlock.c, + lib/accelerated/x86/aes-padlock.c: Handle zero length plaintext for + VIA PadLock functions If the plaintext is shorter than the block size of the used cipher, + _gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with + textlen = 0. padlock_ecb_encrypt and padlock_cbc_encrypt assume that + the plaintext length (last parameter) is greater than zero and + segfault otherwise. 
The assembler code for both functions is + automatically generated and imported from OpenSSL, so to ease + maintenance the length should be validated in the functions that + call padlock_ecb_encrypt or padlock_cbc_encrypt. + +2014-12-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/system.c: use backslashes in windows path + +2014-12-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/openpgp-keyring.c: tests: enhanced openpgp-keyring test + +2014-12-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/openpgp/output.c: openpgp: properly print names in oneline + output as well + +2014-12-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/openpgp/output.c: updates in openpgp DSA key printing + +2014-12-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/openpgp/output.c: properly print openpgp names + +2014-12-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/opencdk/Makefile.am: opencdk: print all warnings on + compilation + +2014-12-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/opencdk/armor.c: opencdk: eliminated warning from armor.c + +2014-12-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/opencdk/keydb.c: removed cache support for opencdk's keydb It's implementation looked buggy. + +2014-12-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: updated guile comments + +2014-12-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-debug.c, src/common.c, src/tests.c: tools: use OCSP + functions only when OCSP is enabled + +2014-12-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_pubkey.c: Corrected encoding and decoding of ANSI X9.62 That affects gnutls_pubkey_export_ecc_x962() and + gnutls_pubkey_import_ecc_x962(). 
+ +2014-12-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-args.def, src/p11tool-args.def: tools: document the + available curves + +2014-12-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c, + tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c, + tests/suite/pkcs11-privkey.c, tests/suite/softhsm.h, + tests/suite/testpkcs11.softhsm: PKCS #11 tests: ported to softhsmv2 The C programs still rely on softhsmv1 since there are issues with + softhsmv2 and CKA_TRUSTED. + https://bugzilla.redhat.com/show_bug.cgi?id=1177086 + +2014-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/safe-memfuncs.c: updated documentation of gnutls_memcmp() + +2014-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-tokens.texi, lib/x509/x509.c: use everywhere the new name + of gnutls_x509_crt_import_pkcs11_url + +2014-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11_privkey.c: better cleanup in + gnutls_pkcs11_privkey_import_url and allow reuse + +2014-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/examples/Makefile.am, src/Makefile.am, src/gl/Makefile.am, + src/gl/m4/gnulib-cache.m4, src/gl/m4/gnulib-comp.m4: completely + separated the two gnulibs to avoid conflicts + +2014-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * gl/Makefile.am, gl/m4/extensions.m4, gl/m4/extern-inline.m4, + gl/m4/gnulib-comp.m4, gl/m4/iconv.m4, gl/m4/printf.m4, + gl/m4/stdalign.m4, gl/m4/stddef_h.m4, gl/m4/stdio_h.m4, + gl/stdalign.in.h, gl/stddef.in.h, gl/tests/test-fcntl-h.c, + gl/tests/test-stddef.c, gl/unistd.in.h, gl/vasnprintf.c, + src/gl/Makefile.am, src/gl/m4/extensions.m4, + src/gl/m4/extern-inline.m4, src/gl/m4/gnulib-comp.m4, + src/gl/m4/printf.m4, src/gl/m4/stdalign.m4, src/gl/m4/stddef_h.m4, + src/gl/m4/stdio_h.m4, src/gl/parse-datetime.y, + src/gl/stdalign.in.h, src/gl/stddef.in.h, src/gl/timespec.h, + src/gl/unistd.in.h, src/gl/vasnprintf.c: updated gnulib + 
+2014-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_privkey.c, lib/pkcs11_privkey.c, lib/urls.c, + lib/urls.h, lib/x509/x509.c: dropped the sanitize URL approach + +2014-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_int.h, + lib/pkcs11_privkey.c, lib/pkcs11_secret.c, lib/pkcs11_write.c: + Instead of sanitizing URLs, use hints to support incomplete PKCS#11 + URIs + +2014-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/x509.c: + gnutls_x509_crt_import_url replaces + gnutls_x509_crt_import_pkcs11_url + +2014-12-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c: use p11_kit_uri_get_pin_source instead of + p11_kit_uri_get_pinfile + +2014-12-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-12-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/examples/ex-pkcs11-list.c: ex-pkcs11-list.c: updated for new + API + +2014-12-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c, + lib/x509/verify-high.c, lib/x509/verify-high2.c: combined + gnutls_pkcs11_obj_attr_t with gnutls_pkcs11_obj_flags That was done in an API-backwards compatible way. That introduces + gnutls_pkcs11_obj_list_import_url3() and + gnutls_pkcs11_obj_list_import_url4(). 
+ +2014-12-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, + lib/x509/verify-high2.c: first attempt to unify obj_attrs with + obj_flags + +2014-12-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/pkcs11-is-known.c: tests: pkcs11-is-known checks + whether the import of PKCS #11 objects as trusted certs works + +2014-12-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c, + tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c, + tests/suite/pkcs11-privkey.c, tests/suite/softhsm.h, + tests/suite/testpkcs11.softhsm: Added softhsm.h to share code in + softhsm detection + +2014-12-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11_int.h, lib/x509/verify-high2.c: Directly import PKCS + #11 object URLs as trusted certificates That is, don't treat them as trusted modules, because they aren't a + token URL, but rather a direct reference to specific objects. + +2014-12-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_psk.c: PSK: added sanity check on PSK key size set + +2014-12-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/tests.c: gnutls-cli-debug: removed ARCFOUR-40 from the ciphers + to use It is no longer supported. + +2014-12-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_str.c: _gnutls_buffer_append_data returns zero on + success + +2014-12-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_buffers.c, lib/gnutls_record.c: corrected documentation + for the cork/uncork functions Reported by Jaak Ristioja. 
+ +2014-12-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_record.c: doc update + +2014-12-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms/protocols.c: Added more precise version check in + _gnutls_version_lowest + +2014-12-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_record.c: corrected documentation of gnutls_cork() + +2014-12-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_str.c: Added 32-bit overflow protection in + _gnutls_buffer_append_data() + +2014-12-17 Jaak Ristioja <jaak.ristioja@cyber.ee> + + * lib/gnutls_str.c: Remove redundant condition in + align_allocd_with_data(). At all call-sites of align_allocd_with_data() dest->data is + non-NULL. Signed-off-by: Jaak Ristioja <jaak.ristioja@cyber.ee> + +2014-12-17 Jaak Ristioja <jaak.ristioja@cyber.ee> + + * lib/gnutls_str.c: Deduplicated some code in + _gnutls_buffer_append_data(). Signed-off-by: Jaak Ristioja <jaak.ristioja@cyber.ee> + +2014-12-17 Jaak Ristioja <jaak.ristioja@cyber.ee> + + * lib/gnutls_str.c: Explicitly marked some variables const in + _gnutls_buffer_append_data(). 
Signed-off-by: Jaak Ristioja <jaak.ristioja@cyber.ee> + +2014-12-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * devel/DCO/people-dco.txt: DCO: added Jaak Ristioja + +2014-12-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/slow/cipher-test.c: test-ciphers: do not fail on processor + which don't have the AES-NI instructions + +2014-12-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_str.c: _gnutls_buffer_*: moved common operations to + function + +2014-12-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_str.c: _gnutls_buffer_append_data: moved common code + outside the if-clause + +2014-12-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testcompat-main-polarssl: tests: disable SSL 3.0 + checks with polarssl It seems that SSL 3.0 is disabled in Debian's polarssl. + +2014-12-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testdane: testdane: removed www.vulcano.cl from good + hosts + +2014-12-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/x509cert-tl.c: tests: enhanced x509cert-tl Verify gnutls_x509_trust_list_verify_crt2() in combination with + gnutls_x509_trust_list_add_named_crt(). + +2014-12-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c: use + gnutls_x509_trust_list_verify_named_crt in + gnutls_x509_trust_list_verify_crt2 + +2014-12-12 Ludovic Courtès <ludo@gnu.org> + + * NEWS: Update 'NEWS'. + +2014-12-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/random.c: gnutls_rnd: doc update + +2014-12-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/pkcs12.c: gnutls_pkcs12_simple_parse: doc update + +2014-12-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * libdane/dane.c: improved documentation on dane + +2014-12-11 Ludovic Courtès <ludo@gnu.org> + + * guile/tests/openpgp-keyring.scm: guile: Open binary file in binary + mode, for the sake of MinGW. Reported by Eli Zaretskii <eliz@gnu.org>. 
* guile/tests/openpgp-keyring.scm: Use 'open-file' with "rb" instead + of 'open-input-file'. + +2014-12-11 Ludovic Courtès <ludo@gnu.org> + + * guile/src/Makefile.am: guile: Link with '-no-undefined'. Fixes builds on MinGW. Reported by Eli Zaretskii <eliz@gnu.org>. * guile/src/Makefile.am (guile_gnutls_v_2_la_LDFLAGS): Add -no-undefined. + +2014-12-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/pkcs11.c: p11tool: use Sleep() in windows + +2014-12-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-cfg.c: certtool: ensure that default_serial_int is + 64-bits or more + +2014-12-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/socket.c: use select() instead of alarm for better portability Based on patch by Eli Zaretskii. + +2014-12-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * cross.mk: cross.mk: updated for 3.3.11 + +2014-12-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-backend.c: Allow a random generator with the same + priority to re-register That corrects an issue where the library is deinitialized, and + reinitialization wouldn't register the same rnd module. Reported by + Stanislav Zidek. 
+ +2014-12-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/x509cert.c: tests: x509cert: verify that length returned + from gnutls_x509_crt_get_dn matches strlen + +2014-12-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testcompat-main-openssl: testcompat: corrected usage + of null cipher + +2014-12-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/rnd-fips.c: added the .check function in FIPS140-2 code + +2014-12-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/common.c: corrected typo + +2014-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac: configure: added option --without-idn + +2014-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/accelerated/x86/aes-gcm-padlock.c, + lib/accelerated/x86/aes-gcm-x86-aesni.c, + lib/accelerated/x86/aes-gcm-x86-ssse3.c: accelerated: added required + casts + +2014-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-gtls-app.texi, lib/gnutls_priority.c: the priority string + EXPORT is no more + +2014-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/accelerated/x86/aes-ccm-x86-aesni.c: aesni-ccm: removed unused + struct entries + +2014-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/accelerated/x86/Makefile.am, + lib/accelerated/x86/aes-ccm-x86-aesni.c, + lib/accelerated/x86/aes-x86.h, lib/accelerated/x86/x86-common.c: + added AESNI accelerated CCM + +2014-12-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/accelerated/x86/aes-gcm-padlock.c, + lib/accelerated/x86/aes-gcm-x86-aesni.c, + lib/accelerated/x86/aes-gcm-x86-ssse3.c: more nettle3 related + changes + +2014-12-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * libdane/dane.c: dane: use the new _gnutls_buffer_to_datum + +2014-12-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/ocsp.c: tests: corrected the expected lengths in ocsp + +2014-12-05 Nikos Mavrogiannopoulos <nmav@redhat.com> 
+ + * lib/gnutls_cert.c, lib/gnutls_session_pack.c, lib/gnutls_str.c, + lib/gnutls_str.h, lib/openpgp/output.c, lib/pkcs11.c, lib/tpm.c, + lib/x509/dn.c, lib/x509/ocsp_output.c, lib/x509/output.c: + _gnutls_buffer_to_datum: includes code for exporting strings + +2014-12-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c: when the trusted list contains a non-CA + certificate warn via the audit log + +2014-12-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms/ciphersuites.c: modified the CCM ciphersuite's name + to match the one in the IANA registry + +2014-12-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/ciphersuite/scan-gnutls.sh, + tests/suite/ciphersuite/test-ciphers.js: ciphersuite test: enhanced + check for correct ciphersuites + +2014-12-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/ciphersuite/scan-gnutls.sh: ciphersuites tests: add + missing includes + +2014-12-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/ciphersuite/scan-gnutls.sh: ciphersuite tests: define + HAVE_CONFIG_H + +2014-12-04 Ludovic Courtès <ludo@gnu.org> + + * guile/src/Makefile.am: guile: Build with warnings. * guile/src/Makefile.am (AM_CFLAGS) [HAVE_GCC]: Add -Wall -Wextra -Wno-unused-parameter. + +2014-12-04 Ludovic Courtès <ludo@gnu.org> + + * guile/modules/Makefile.am, guile/modules/gnutls.in, + guile/modules/gnutls/build/priorities.scm, guile/src/Makefile.am, + guile/src/core.c, guile/src/make-session-priorities.scm, + guile/tests/session-record-port.scm, guile/tests/x509-auth.scm: + guile: Remove the deprecated priority API. * guile/modules/gnutls/build/priorities.scm: Remove. * guile/src/make-session-priorities.scm: Remove. * guile/modules/Makefile.am (EXTRA_DIST): Adjust accordingly. * guile/src/Makefile.am (EXTRA_DIST): Likewise. (GENERATED_BINDINGS): Remove 'priorities.i.c'. (priorities.i.c): Remove target. * guile/src/core.c: Don't include it. (scm_gnutls_set_default_priority_x): Remove. 
* guile/modules/gnutls.in (gnutls): Adjust export list. * guile/tests/session-record-port.scm: Use + 'set-session-priorities!'. * guile/tests/x509-auth.scm: Likewise. + +2014-12-04 Ludovic Courtès <ludo@gnu.org> + + * doc/gnutls-guile.texi, guile/modules/gnutls.in, + guile/modules/gnutls/build/smobs.scm, guile/src/core.c, + guile/tests/openpgp-auth.scm, guile/tests/x509-auth.scm: guile: + Remove RSA parameters and related procedures. * guile/modules/gnutls/build/smobs.scm (%rsa-parameters-smob): + Remove. (%gnutls-smobs): Remove it. * guile/src/core.c (scm_gnutls_make_rsa_parameters, scm_gnutls_pkcs1_import_rsa_parameters, scm_gnutls_pkcs1_export_rsa_parameters, scm_gnutls_set_certificate_credentials_rsa_export_params_x): + Remove. * guile/modules/gnutls.in: Adjust export list. * guile/tests/openpgp-auth.scm (import-rsa-params): Remove. Remove references to it and to 'set-certificate-credentials-rsa-export-parameters!'. * guile/tests/x509-auth.scm: Likewise. * doc/gnutls-guile.texi (Representation of Binary Data): Remove references to RSA parameters. Adjust example accordingly. (OpenPGP Authentication Guile Example): Likewise. + +2014-12-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/TODO: updated TODO list + +2014-12-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/libgnutls.map: removed several of the unneeded exported + internal symbols + +2014-12-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-12-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-upgrade.texi: doc: corrected typo + +2014-11-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/nettle/cipher.c: use unsigned long in gcm_cast_st + +2014-11-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/cipher.c: corrected issue in AES-256-GCM + +2014-11-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/slow/Makefile.am, tests/slow/test-ciphers: tests: enhanced + cipher check to include all ciphers. 
+ +2014-11-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/cipher.c: simplified abstractions over nettle based on + Niels' comments. + +2014-11-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-api.c: API doc update + +2014-11-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-selftests.c: Added test vectors for CCM mode + +2014-11-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/cipher.c: CCM: corrected AEAD decryption + +2014-11-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_priority.c: CCM mode moved to the lowest priority + +2014-11-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/accelerated/x86/aes-gcm-aead.h: aes-gcm-aead.h: generalized + +2014-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/benchmark-tls.c: gnutls-cli: added benchmark for CCM + +2014-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/priorities.c, tests/suite/testcompat-main-polarssl: tests: + updated for AES-128-CCM ciphersuites + +2014-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_cipher.c: use the new AEAD API in gnutls_cipher.c + +2014-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms/ciphers.c, lib/algorithms/ciphersuites.c, + lib/gnutls_priority.c, lib/includes/gnutls/gnutls.h.in, + lib/nettle/cipher.c: Added definitions for CCM ciphersuites + +2014-11-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS, doc/cha-crypto.texi, lib/accelerated/x86/Makefile.am, + lib/accelerated/x86/aes-gcm-aead.h, + lib/accelerated/x86/aes-gcm-padlock.c, + lib/accelerated/x86/aes-gcm-x86-aesni.c, + lib/accelerated/x86/aes-gcm-x86-pclmul.c, + lib/accelerated/x86/aes-gcm-x86-ssse3.c, lib/crypto-api.c, + lib/crypto-backend.h, lib/crypto-selftests.c, + lib/gnutls_cipher_int.c, lib/gnutls_cipher_int.h, + lib/includes/gnutls/crypto.h, lib/libgnutls.map, + lib/nettle/cipher.c: Modified crypto backend to accomodate for the + CCM ciphersuites + +2014-11-24 Nikos Mavrogiannopoulos 
<nmav@redhat.com> + + * lib/nettle/int/dsa-fips.h, lib/nettle/int/dsa-keygen-fips186.c, + lib/nettle/int/dsa-validate.c, lib/nettle/pk.c: More nettle2 updates + (in FIPS140-2 mode) + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/accelerated/x86/aes-gcm-padlock.c, + lib/accelerated/x86/aes-gcm-x86-aesni.c, + lib/accelerated/x86/aes-gcm-x86-ssse3.c, + lib/accelerated/x86/aes-padlock.c, + lib/accelerated/x86/aes-padlock.h, lib/accelerated/x86/aes-x86.h, + lib/accelerated/x86/sha-padlock.c, + lib/accelerated/x86/sha-x86-ssse3.c, lib/nettle/Makefile.am, + lib/nettle/cipher.c, lib/nettle/int/gcm-camellia.c, + lib/nettle/int/gcm-camellia.h, lib/nettle/pk.c, m4/hooks.m4, + tests/dsa/testdsa: ported to nettle 3.0 + +2014-12-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * m4/hooks.m4: reduced current soversion + +2014-12-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS, doc/cha-upgrade.texi, lib/libgnutls.map: documented the + removal of deprecated functions + +2014-12-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_priority.c: corrected comparison + +2014-12-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/auth/cert.c, lib/auth/cert.h, lib/gnutls_cert.c, + lib/gnutls_priority.c, lib/gnutls_state.c, + lib/includes/gnutls/compat.h: removed the old gnutls_retr_st + compatibility functions + +2014-12-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac, lib/Makefile.am, lib/gnutls_rsa_export.c, + lib/gnutls_ui.c, lib/includes/gnutls/compat.h, m4/hooks.m4: Removed + binary compatibility with RSA-EXPORT using applications + +2014-12-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_priority.c, lib/includes/gnutls/compat.h: removed the + old priority functions That is: gnutls_cipher_set_priority gnutls_mac_set_priority + gnutls_compression_set_priority gnutls_kx_set_priority + gnutls_protocol_set_priority gnutls_certificate_type_set_priority + +2014-12-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * 
lib/includes/gnutls/compat.h, lib/x509/x509.c: removed + gnutls_x509_crt_verify_hash() and gnutls_x509_crt_verify_data() + +2014-12-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_cert.c, lib/gnutls_int.h, lib/gnutls_sig.c, + lib/includes/gnutls/compat.h: gnutls_sign_callback_set() and + gnutls_sign_callback_get() were removed + +2014-12-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/gnutls.h.in: renumbered fields in gnutls.h + +2014-12-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/libgnutls.map, m4/hooks.m4: increased gnutls' soversion + +2014-12-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/random.h: if the rnd structure doesn't provide check, + _gnutls_rnd_check() will succeed + +2014-11-30 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/x509-verify-with-crl.c: tests: Added + check for verification using CRLs + +2014-11-30 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/x509.c: Reorganized, and eliminated memory leak in + _gnutls_x509_crt_check_revocation() Reported by Tim Rühsen. 
+ +2014-11-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/systemkey.c: systemkey: updated for new + gnutls_system_key_iter_get_info + +2014-11-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/system-keys.h, lib/system-keys-dummy.c, + lib/system-keys-win.c: gnutls_system_key_iter_get_info() allows + restricting results to a specific certificate type + +2014-11-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_x509.c: removed unneeded variable + +2014-11-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/gnutls.h.in, lib/includes/gnutls/pkcs11.h: doc + update + +2014-11-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: doc: added recommendation to use the higher + level functions to load keys + +2014-11-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-cfg.c: certtool: avoid gcc warnings + +2014-11-25 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added + check for whether %NO_EXTENSIONS is required + +2014-11-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_ui.c: gnutls_session_get_desc: allow proper printing of + the NULL KX + +2014-11-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_ui.c: gnutls_session_get_desc will return NULL if + initial negotiation is not complete + +2014-11-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-11-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/mini-chain-unsorted.c: tests: small fix in + mini-chain-unsorted + +2014-11-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_pcert.c, lib/gnutls_x509.c, lib/x509/common.c, + lib/x509/common.h, lib/x509/x509.c: + GNUTLS_E_CERTIFICATE_LIST_UNSORTED can be returned from + gnutls_pcert_import_x509_list That is when it cannot sort the list and GNUTLS_X509_CRT_LIST_SORT + is specified. 
+ +2014-11-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pcert.c: gnutls_pcert_import_x509_list: only sort the + lists it can sort + +2014-11-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-11-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/system-keys-win.c: simplified windows URLs + +2014-11-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/system-keys-win.c: system-keys-win: include urls.h + +2014-11-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/mini-cert-status.c, + tests/mini-chain-unsorted.c: tests: added mini-chain-unsorted + +2014-11-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pcert.c, lib/gnutls_x509.c, + lib/includes/gnutls/abstract.h, lib/includes/gnutls/x509.h, + lib/libgnutls.map, lib/x509/common.c, lib/x509/common.h, + lib/x509/verify-high.c, lib/x509/x509.c: Added flag + GNUTLS_X509_CRT_LIST_SORT for gnutls_x509_crt_list_import* That also allows automatically sorting input chains to the + gnutls_certificate_credentials_t structure. + +2014-11-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/set_x509_key_file.c: tests: Added check + for memory leaks when a file cannot be loaded. + +2014-11-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_x509.c: gnutls_certificate_set_x509_key_*: eliminated + memory leak when certificate could not be parsed Reported by Georg Richter. 
+ +2014-11-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * libdane/dane.c: libdane: undef gnutls_assert() before redefining + it + +2014-11-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/socket.c: gnutls-cli-debug: do not print error on unknown + protocols + +2014-11-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/set_x509_key_mem.c: tests: added leak + check for gnutls_set_x509_key_mem2() + +2014-11-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_x509.c: documented the limitations of the loading + functions + +2014-11-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_x509.c: corrected memleak in read_key_mem() Patch by Georg Richter. + +2014-11-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added + check for sorted certificate chain + +2014-11-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_db.c: do not allow the resumption of a session which + switches the state of ext_master_secret + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/rfc2253-escape-test: tests: run rfc2253-escape-test under + valgrind + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/custom-urls.c: tests: enhanced custom-url check + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_privkey.c, lib/gnutls_x509.c: sanitize URLs at the + proper place + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/x509.c: corrected freeing of custom URL + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-tokens.texi, lib/includes/gnutls/urls.h: doc update + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/suppressions.valgrind, tests/suppressions.valgrind: + Added memxor_different_alignment into suppressions + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-tokens.texi, lib/gnutls_x509.c, + lib/includes/gnutls/urls.h, lib/urls.c, 
lib/urls.h: Allow the + construction of chains with custom URLs + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitignore: updated ignored files + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/Makefile.am, src/systemkey-tool.c, src/systemkey.c: renamed + systemkey-tool to systemkey, and don't install it by default + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/custom-urls.c: tests: added check for + registration of custom URLs + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/urls.h, lib/libgnutls.map, lib/urls.c: export + gnutls_register_custom_url + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_x509.c: correctly handle non-pkcs11 URLs in + read_cert_url + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitignore: more files to ignore + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am, doc/cha-tokens.texi, lib/gnutls_privkey.c, + lib/gnutls_pubkey.c, lib/gnutls_x509.c, lib/gnutls_x509.h, + lib/includes/Makefile.am, lib/includes/gnutls/urls.h, + lib/system-keys-win.c, lib/urls.c, lib/urls.h, lib/x509/x509.c: + Added the ability to register application specific URLs for keys and + certs + +2014-11-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/system-keys-win.c: system-keys-win: use macros for the URL + +2014-11-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_handshake.c: doc update + +2014-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/mini-rehandshake-2.c: tests: added test + for GNUTLS_E_GOT_APPLICATION_DATA on rehandshake + +2014-11-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_handshake.c, lib/gnutls_record.c: treat + GNUTLS_E_GOT_APPLICATION_DATA as non-fatal if initial negotiation is + complete This corrects a regression introduced in + 
b5a0de2e6da98866cafb770c3141b7353d030ab2 Reported by Dan Winship. + https://savannah.gnu.org/support/?108690 + +2014-11-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: removed old news + +2014-11-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms.h, lib/algorithms/protocols.c, + lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_priority.c: The + record version in the client Hello will be set to the lowest + supported protocol There should have been no harm in keeping it SSL 3.0 but + unfortunately in draft-thomson-sslv3-diediedie-00 it has been marked + as MUST NOT do that. That will be fixed in a later revision but + since then there are servers not accepting SSL 3.0 as a valid record + version (note that this is about the record version, which describes + the format of the packet, nothing to do with the negotiated + version). + +2014-11-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_priority.c: Revert "The priority modifier + %LATEST_RECORD_VERSION is now the default" This reverts commit 66c419cc6336ea9a2747574588ffee77458b838f. + +2014-11-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/ocsp.c: deinitialize the OCSP response der data That also makes sure that reinitialization of ASN1 structures are + done when it is required only. + +2014-11-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/Makefile.am, lib/gnutls_priority.c, + lib/includes/gnutls/gnutls.h.in, src/cli.c: + gnutls_priority_string_list: allow printing the special keywords as + well. 
+ +2014-11-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/rnd-common.c: simplified code involving getrandom() and + getentropy() + +2014-11-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac: configure: detect android system and define a + variable + +2014-11-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/Makefile.am, lib/system-keys-dummy.c, lib/system-keys-win.c, + lib/system-keys.c: separated system-keys implementations + +2014-11-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/libgnutls.map: removed redundant local + +2014-11-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testpkcs11: tests: added check for the abbreviated + URLs which don't contain object information + +2014-11-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/Makefile.am, lib/gnutls_x509.c, lib/pkcs11_privkey.c, + lib/urls.c, lib/urls.h, lib/x509/x509.c: prior to importing objects + with URLs sanitize them That allows to use out of band information to complete missing parts + in URLs (e.g., object-type=cert, when there is a certificate). 
+ +2014-11-19 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/system-keys.c: compilation fixes + +2014-11-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-11-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/Makefile.am, lib/gnutls_errors.c, lib/gnutls_global.c, + lib/gnutls_privkey.c, lib/gnutls_sig.c, lib/gnutls_sig.h, + lib/gnutls_str.c, lib/gnutls_str.h, lib/gnutls_x509.c, + lib/includes/gnutls/abstract.h, lib/includes/gnutls/gnutls.h.in, + lib/includes/gnutls/pkcs11.h, lib/includes/gnutls/system-keys.h, + lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/pkcs11.c, + lib/pkcs11_int.h, lib/system-keys.c, lib/system-keys.h, + lib/x509/Makefile.am, lib/x509/x509.c, src/Makefile.am, + src/systemkey-args.def, src/systemkey-tool.c: Added API to + read/write/delete key-cert pairs (limited to windows for now) + +2014-11-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_priority.c: NORMAL priority: prioritize the less than + 256-bits curves at the lowest level + +2014-11-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h, + src/certtool.c: certtool: Allow to set the nonRepudiation, + keyAgreement and dataEncipherment flags + +2014-11-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool-args.def: list the OIDs in the certtool cfg file + documentation + +2014-11-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/fips.c, lib/fips.h, lib/gnutls_global.c: properly reset the + zombie mode in FIPS mode This amends 9158f590f4a18c84fc9eb41877b29d73b30af879 + +2014-11-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/TODO: doc update + +2014-11-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-11-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_x509.c: partially reverted + 999d221fd2241ff73f884bf33d8cbe6eb8299184 That change allows to use the intermediate certificates in chains as + OCSP anchors. 
+ +2014-11-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c: certtool: print message when the system trust is + used + +2014-11-14 David Weber <dave@veryflatcat.com> + + * src/cli.c, src/serv.c: Fixed SRTP profile configuration in cli.c + and serv.c. I have tested the fix in 3.3.10. This commit is UNTESTED as i am + unable to compile gnutls (./configure complains about gl_INIT and + ggl_INIT). 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> + +2014-11-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/ocsp.c: tests: ocsp: added the signature in check + +2014-11-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/ocsp_output.c: only print about additional certificates + if they are present + +2014-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/ocsp.c: ocsp: fix DN decoding in + gnutls_ocsp_resp_get_responder_raw_id + +2014-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/ocsp.c: tests: ocsp: added check with a long response + +2014-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/ocsp.c: use the original DER/BER data when verifying an + OCSP response + +2014-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c: _pkcs1_rsa_verify_sig() simplify hashing + +2014-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/ocsp.c: ocsp: eliminated duplicate code + +2014-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def: clarified the multiple paths printing of + the verify options + +2014-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli.c: gnutls-cli: allow printing the certificates in OCSP + responses when --print-cert is specified + +2014-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_x509.c, lib/x509/ocsp.c: updated OCSP verification code + to better use the trust list, and the KeyHash + +2014-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/ocsp_output.c: OCSP printing: Add header in front of + certificates + +2014-11-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/includes/gnutls/x509.h, + lib/pkcs11.c, lib/x509/verify-high.c: added + gnutls_pkcs11_get_raw_issuer_by_dn and + gnutls_x509_trust_list_get_issuer_by_dn + +2014-11-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: check + for OCSP status 
response + +2014-11-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/cert-tests/crq: corrected crq test case; reported by Andreas + Metzler + +2014-11-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c: set the GNUTLS_PIN_CONTEXT_SPECIFIC flag on PIN + callback + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/ocsp.h, lib/libgnutls.map, lib/x509/ocsp.c, + lib/x509/ocsp_output.c, tests/ocsp.c: replaced + gnutls_ocsp_resp_get_responder_by_key with + gnutls_ocsp_resp_get_responder_raw_id In addition reverted gnutls_ocsp_resp_get_responder() to the old + buggy behavior of returning 0 if the element was missing. + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: make sure that GNUTLS_PKCS_PLAIN is set + when no password should be asked + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey.c: gnutls_x509_privkey_import2: will not use a + callback if GNUTLS_PKCS_PLAIN is specified + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/fips.c: the FIPS140-2 testing mode is disabled after + self-checks + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/ocsp.c: updated OCSP tests to account for the new key ID + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/ocsp.c: doc update and gnutls_ocsp_resp_get_responder() + will always initialized output data + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/rnd-common.c: _rnd_get_event: use memset to avoid + valgrind complaints + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli.c: gnutls-cli: print the OCSP response in verbose mode + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/ocsp.c: corrected documentation of OCSP response + verification + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/ocsp.h, lib/libgnutls.map, lib/x509/ocsp.c, + lib/x509/ocsp_output.c: Added + 
gnutls_ocsp_resp_get_responder_by_key() + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/dn.c: dn parsing: return + GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when DN is not available + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-args.def, src/cli.c, src/common.c: gnutls-cli: added + option to save the OCSP response + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/abstract_int.h, lib/gnutls_privkey.c, lib/gnutls_sig.c, + lib/includes/gnutls/abstract.h: added the notion of preferred sign + algorithm in a private key This can be set for keys imported with gnutls_privkey_import_ext3() + with the info callback. It is only considered for client side keys + in TLS sessions. + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi, lib/ext/ext_master_secret.c, + lib/gnutls_int.h, lib/gnutls_priority.c, lib/priority_options.gperf: + Added priority string %NO_SESSION_HASH to prevent advertising the + extended master secret extension + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/status_request.c: certificate status requestion response + is optional according to RFC6066 + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_ui.c, lib/includes/gnutls/gnutls.h.in, src/common.c: + Added flag GNUTLS_OCSP_SR_IS_AVAIL for + gnutls_ocsp_status_request_is_checked + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/rnd-common.h: rnd: removed the packed attribute from + event_st That prevents a SIGBUS on solaris sparc systems. Reported by Thomas + Thorberger. + +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_priority.c: The priority modifier + %LATEST_RECORD_VERSION is now the default This works-around issue with servers that forbit the SSL 3.0 version + number from the first packet of the record protocol. 
+ +2014-11-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-debug.c, src/tests.c, src/tests.h: added check for servers + that disallow the SSL 3.0 record version + +2014-11-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/common.c: gnutls-cli: print whether status request has been + checked + +2014-11-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_x509.c: doc update + +2014-11-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_privkey.c, lib/includes/gnutls/x509.h, + lib/libgnutls.map, lib/pin.c, lib/pin.h, lib/pkcs11.c, lib/tpm.c, + lib/x509/privkey.c, lib/x509/x509_int.h: Enable PIN support to + gnutls_x509_privkey_t + +2014-11-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/system.c, lib/system.h, lib/x509/common.c, + lib/x509/x509_ext.c: _gnutls_ucs2_to_utf8() can handle little endian + strings. + +2014-11-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-11-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/Makefile.am, lib/crypto-api.c, lib/ext/session_ticket.c, + lib/gnutls_cipher.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map, lib/safe-memfuncs.c, lib/safe-memset.c: Added + gnutls_memcmp() and exported it. 
+ +2014-11-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/abstract.h: indentation fix + +2014-11-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-11-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs12.h, lib/libgnutls.map, + lib/x509/pkcs12_bag.c: added gnutls_pkcs12_bag_set_privkey() Conflicts: lib/libgnutls.map + +2014-11-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/abstract_int.h, lib/gnutls_privkey.c, + lib/includes/gnutls/abstract.h: dropped unused copy_func + +2014-11-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/gnutls-idna.h: silence warning + +2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac, tests/cert-tests/Makefile.am, tests/cert-tests/crq: + Added check with the invalid crq sent by Sean Burford + +2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_ecc.c: when exporting curve coordinates to X9.63 + format, perform additional sanity checks on input Reported by Sean Burford. 
+ +2014-11-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-11-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-intro-tls.texi: doc update + +2014-11-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, lib/ext/session_ticket.c, lib/gnutls_mem.h, + lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: exported + gnutls_memset() + +2014-11-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-gtls-app.texi, doc/cha-intro-tls.texi: doc: updated text + on session tickets + +2014-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/socket.c: tools: include arpa/inet.h in socket.c + +2014-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/examples/ex-serv-dtls.c: doc: use the same port for DTLS + client and server + +2014-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c: pkcs11: pass the correct user type to protected + authentication login + +2014-11-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: doc: corrected values for INSECURE level + +2014-11-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_write.c: + pkcs11: support the CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE flags + +2014-11-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_write.c: + pkcs11: added the flag GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH + +2014-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11_privkey.c: pkcs11: perform reauth at the appropriate + state + +2014-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c, lib/pkcs11_int.h: pkcs11_login: set the correct user + type on reauthentication + +2014-11-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * gl/unistd.in.h, src/gl/unistd.in.h: applied patch by A. Klitzing + to improve compatibile with some apple systems 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> + +2014-11-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: pkcs11: + force login on tokens that require it + +2014-11-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c: pkcs11: always set slot_info + +2014-11-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testcompat-main-openssl: testcompat-openssl: disable + SSL 3.0 as it is not supported on debian + +2014-11-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testcompat-main-polarssl: fixed polarssl compatibility + checks on debian + +2014-11-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_write.c, lib/pkcs11x.c: + pkcs11: eliminated the need for struct token_info + +2014-11-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: added + support for PKCS #11 keys that require reauthentication and + simplified pkcs11_login + +2014-11-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-debug.c: gnutls-cli-debug: clarified text + +2014-11-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/Makefile.am, tests/suite/testcompat, + tests/suite/testcompat-main, tests/suite/testcompat-main-openssl, + tests/suite/testcompat-main-polarssl, + tests/suite/testcompat-openssl, tests/suite/testcompat-polarssl: + tests: separated the two testcompat tests (openssl/polarssl) + +2014-11-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms/ciphers.c: added missing comma + +2014-11-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/tests.c: gnutls-cli-debug: corrected heartbeat check + +2014-11-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/tests.c: gnutls-cli-debug: fixes in tests to prevent false + negatives + +2014-11-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/tests.c: gnutls-cli-debug: fixes in tests to prevent false + negatives + 
+2014-11-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testcompat-main: tests: added interoperability tests + with openssl's PSK + +2014-11-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_constate.c, lib/gnutls_int.h: corrected calculation for + max send data and other uses of _gnutls_cipher_type() + +2014-11-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms/ciphers.c: modernized cipher table + +2014-11-05 Chen Hongzhi <hongzhi.chen@me.com> + + * lib/x509/pkcs12.c: Fix double-free in gnutls_pkcs12_simple_parse() Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> + +2014-11-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_cipher.c: simplified checks for EtM + +2014-11-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/anonself.c: tests: enhanced test to check the return value + of gnutls_record_send() + +2014-11-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-x509-2.c: tests: Added unit tests for + gnutls_certificate_get_ours in mini-x509-2 + +2014-11-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_constate.c, lib/gnutls_handshake.c, lib/gnutls_int.h, + lib/gnutls_session.c, lib/gnutls_ui.c, lib/gnutls_v2_compat.c, + lib/includes/gnutls/gnutls.h.in: introduced + GNUTLS_MAX_SESSION_ID_SIZE + +2014-11-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/scripts/mytexi2latex: mytexi2latex: handle na@"ive + +2014-11-04 Chris Barry <chris@barry.im> + + * doc/cha-auth.texi, doc/cha-cert-auth.texi, + doc/cha-cert-auth2.texi, doc/cha-errors.texi, doc/sec-tls-app.texi: + Cleaning up some awkward phrasings. 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> + +2014-11-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitignore, tests/Makefile.am, tests/mini-record-failure.c: tests: + Added test for MAC verification checks + +2014-11-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/ext/etm.c, lib/gnutls_cipher.c, lib/gnutls_cipher_int.c: EtM + fixes: it only applies to block ciphers + +2014-11-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-debug.c: gnutls-cli-debug: reorganized output + +2014-11-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-debug.c, src/tests.c: moved the HTTPS server name outside + of verbose tests; only run when the HTTPS protocol is used + +2014-11-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-debug.c, src/common.c, src/common.h, src/tests.c: enhanced + gnutls-cli-debug verbose output (uses files for mass text) + +2014-11-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added + tests for EtM and extended master secret support In addition reworked the output for existing tests. 
+ +2014-11-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/socket.c: tools: only warn of an error if it is fatal + +2014-11-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testcompat-main, tests/suite/testcompat-polarssl: + testcompat: increased the number of test cases checked + +2014-11-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/alpn.c: updated text + +2014-11-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-11-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testcompat-polarssl: testcompat-polarssl: try to run + the test only if polarssl binaries are available + +2014-11-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testcompat-common, tests/suite/testcompat-polarssl: + testcompat: check the PSK ciphersuite interoperability against + polarssl + +2014-11-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/Makefile.am, tests/suite/testcompat, + tests/suite/testcompat-common, tests/suite/testcompat-main, + tests/suite/testcompat-polarssl: testcompat: added interop tests + with polarssl + +2014-11-03 Jaak Ristioja <jaak.ristioja@cyber.ee> + + * lib/system_override.c: doc: Added missing reference for EMSGSIZE + to inline documentation of gnutls_transport_set_errno(). Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> + +2014-11-03 Jaak Ristioja <jaak.ristioja@cyber.ee> + + * lib/system_override.c: doc: Fixed typo in inline comment of + gnutls_transport_set_errno(). 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> + +2014-11-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-11-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi, lib/ext/Makefile.am, lib/ext/etm.c, + lib/ext/etm.h, lib/gnutls_buffers.c, lib/gnutls_cipher.c, + lib/gnutls_cipher_int.c, lib/gnutls_cipher_int.h, + lib/gnutls_constate.c, lib/gnutls_extensions.c, lib/gnutls_int.h, + lib/gnutls_priority.c, lib/gnutls_session_pack.c, + lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, + lib/priority_options.gperf, src/common.c: Added support for RFC7366 + (encrypt then authenticate) It implements a revised version of RFC7366, to avoid + interoperability issues: + http://www.ietf.org/mail-archive/web/tls/current/msg14349.html This + is currently enabled by default, unless %NO_ETM, or %COMPAT is + specified. + +2014-11-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms.h, lib/algorithms/ciphers.c, lib/crypto-api.c, + lib/gnutls_cipher.c, lib/gnutls_constate.c, lib/gnutls_dtls.c, + lib/gnutls_int.h, lib/gnutls_range.c: Made AEAD type an alternative + to stream and block That way the terminology becomes closer to the TLS rfc. 
+ +2014-11-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_errors.c: updated the text for + GNUTLS_E_UNSUPPORTED_VERSION_PACKET + +2014-11-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-11-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/Makefile.am, tests/suite/pkcs11-privkey.c: tests: + Added check for gnutls_certificate_set_x509_key_file2() and PKCS #11 + + PIN + +2014-11-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitignore: more files to ignore + +2014-11-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/common.c: when calling gnutls_x509_crt_get_subject_key_id + set the id_size + +2014-11-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c: deinitialize the temporary spki data + +2014-10-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/init_fds.c: tests: added test for + gnutls_global_init after all descriptors are closed + +2014-10-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_global.c, lib/nettle/rnd-common.c, lib/random.h: + corrected check for urandom fd + +2014-10-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/dtls/dtls-stress.c: tests: dtls-stress: fix issues in the + suite + +2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_x509.c: Do not require a PIN callback in the + certificate credentials when a password is specified + +2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_x509.c: doc update + +2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_global.c: corrected exit state from gnutls_global_init + +2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: updated text for gnutls_fd_in_use() to + account the new behavior + +2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map, lib/nettle/rnd-common.c: dropped + gnutls_fd_in_use, it is no longer 
necessary + +2014-10-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-backend.h, lib/gnutls_global.c, + lib/nettle/rnd-common.c, lib/nettle/rnd-common.h, lib/nettle/rnd.c, + lib/random.h: When gnutls_global_init() is called manually from the + application check the urandom fd for validity That addresses the issue where a server closes all open file + descriptors and then calls gnutls_global_init(). + +2014-10-30 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS, configure.ac, lib/nettle/rnd-common.c: Added support for + getentropy() and reworked getrandom support + +2014-10-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/pk.c: _gnutls_dh_generate_key() will account the q_bits + +2014-10-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-10-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_dh.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: Added gnutls_dh_params_import_raw2(), which + allows to specify the number of bits for key size + +2014-10-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-10-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac, lib/nettle/rnd-common.c: use Linux' getrandom() when + available + +2014-10-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/nettle/rnd.c: use the random rnd context when refreshing the + nonce context That avoids frequent reads from /dev/urandom. + +2014-10-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_state.c: do not explicitly refresh rnd state on session + deinit It is already being refreshed during the session lifetime. 
+ +2014-10-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/nettle/rnd.c: doc update + +2014-10-28 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/nettle/rnd.c: increase the reseed time + +2014-10-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/crypto-selftests.c: tests: enhance cipher test to include tag + verification error + +2014-10-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/crypto-api.c: better documented the new API + +2014-10-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/crypto-api.c: harmonise variable names + +2014-10-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac: disable hardware acceleration by default in solaris + +2014-10-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_handshake.c, lib/gnutls_int.h: Improved support of + draft-ietf-tls-session-hash-02. Now the session hash is calculated correctly even when a client + certificate is sent. That is, the session hash now does not take + into account the CertificateVerify message. 
+ +2014-10-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/crypto-api.c: doc update + +2014-10-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-10-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-crypto.texi: doc: list the AEAD API + +2014-10-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, lib/crypto-api.c, lib/crypto-selftests.c, + lib/gnutls_cipher_int.h, lib/includes/gnutls/crypto.h, + lib/libgnutls.map: Added a new simple to use AEAD API + +2014-10-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, m4/hooks.m4: the openssl compatibility library isn't built + by default + +2014-10-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * cfg.mk, lib/accelerated/x86/elf/aes-ssse3-x86.s, + lib/accelerated/x86/elf/aes-ssse3-x86_64.s, + lib/accelerated/x86/elf/aesni-x86.s, + lib/accelerated/x86/elf/aesni-x86_64.s, + lib/accelerated/x86/elf/cpuid-x86.s, + lib/accelerated/x86/elf/cpuid-x86_64.s, + lib/accelerated/x86/elf/e_padlock-x86.s, + lib/accelerated/x86/elf/e_padlock-x86_64.s, + lib/accelerated/x86/elf/ghash-x86_64.s, + lib/accelerated/x86/elf/sha1-ssse3-x86.s, + lib/accelerated/x86/elf/sha1-ssse3-x86_64.s, + lib/accelerated/x86/elf/sha256-ssse3-x86.s, + lib/accelerated/x86/elf/sha512-ssse3-x86.s, + lib/accelerated/x86/elf/sha512-ssse3-x86_64.s: do not use the ifdef + directive in assembly files, as it isn't portable + +2014-10-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_cipher.c: eliminate IV size usage in TLS + encryption/decryption; it was a remnant of salsa20 + +2014-10-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/ext_master_secret.c: corrected likely macro usage Spotted by Manuel Pégourié-Gonnard. 
+ +2014-10-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms/ciphersuites.c, lib/gnutls_cipher.c, + lib/gnutls_cipher_int.h, tests/mini-overhead.c: removed support for + SALSA20 and for stream ciphers with IV The proposal was not adopted by the TLS WG, and the AEAD path will + be used. + +2014-10-24 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi, lib/gnutls_int.h, lib/gnutls_priority.c, + lib/priority_options.gperf: Added priority string %NO_TICKETS that + disables session ticket support This is implied by the priority string PFS. + +2014-10-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/ext/ext_master_secret.c, lib/gnutls_kx.c: do not negotiate nor + use the 'extended master secret' in SSL 3.0 According to Alfredo Pironti support for that protocol will be + dropped from the draft. + +2014-10-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * cross.mk: compile 3.3.9 by default + +2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_handshake.c: always send the mandatory extensions (even + in SSL 3.0) The only way to force no extensions and usage of SCSVs is the + %NO_EXTENSIONS priority string. 
+ +2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/ext_master_secret.c: EXT MASTER SECRET moved to mandatory + extensions + +2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac, lib/Makefile.am: check and use libnsl (used in + solaris) + +2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/x86/coff/aes-ssse3-x86_64.s, + lib/accelerated/x86/coff/aesni-x86.s, + lib/accelerated/x86/coff/aesni-x86_64.s, + lib/accelerated/x86/coff/e_padlock-x86_64.s, + lib/accelerated/x86/coff/ghash-x86_64.s, + lib/accelerated/x86/coff/sha1-ssse3-x86_64.s, + lib/accelerated/x86/coff/sha256-ssse3-x86.s, + lib/accelerated/x86/coff/sha512-ssse3-x86.s, + lib/accelerated/x86/coff/sha512-ssse3-x86_64.s, + lib/accelerated/x86/elf/aes-ssse3-x86.s, + lib/accelerated/x86/elf/aes-ssse3-x86_64.s, + lib/accelerated/x86/elf/aesni-x86.s, + lib/accelerated/x86/elf/aesni-x86_64.s, + lib/accelerated/x86/elf/cpuid-x86.s, + lib/accelerated/x86/elf/cpuid-x86_64.s, + lib/accelerated/x86/elf/e_padlock-x86.s, + lib/accelerated/x86/elf/e_padlock-x86_64.s, + lib/accelerated/x86/elf/ghash-x86_64.s, + lib/accelerated/x86/elf/sha1-ssse3-x86.s, + lib/accelerated/x86/elf/sha1-ssse3-x86_64.s, + lib/accelerated/x86/elf/sha256-ssse3-x86.s, + lib/accelerated/x86/elf/sha512-ssse3-x86.s, + lib/accelerated/x86/elf/sha512-ssse3-x86_64.s, + lib/accelerated/x86/macosx/aes-ssse3-x86_64.s, + lib/accelerated/x86/macosx/aesni-x86.s, + lib/accelerated/x86/macosx/aesni-x86_64.s, + lib/accelerated/x86/macosx/e_padlock-x86_64.s, + lib/accelerated/x86/macosx/ghash-x86_64.s, + lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s, + lib/accelerated/x86/macosx/sha256-ssse3-x86.s, + lib/accelerated/x86/macosx/sha512-ssse3-x86.s, + lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s: updated asm + sources + +2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * devel/openssl: updated perl asm sources + +2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * cfg.mk: use the 
GNU-stack note in linux systems + +2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * gl/Makefile.am, gl/m4/extern-inline.m4, gl/m4/gnulib-common.m4, + gl/m4/manywarnings.m4, gl/m4/stdlib_h.m4, gl/m4/threadlib.m4, + gl/m4/unistd_h.m4, gl/stdlib.in.h, gl/tests/fcntl.in.h, + gl/unistd.in.h, gl/vasnprintf.c, maint.mk, src/gl/Makefile.am, + src/gl/error.c, src/gl/getpass.c, src/gl/m4/extern-inline.m4, + src/gl/m4/gnulib-common.m4, src/gl/m4/stdlib_h.m4, + src/gl/m4/unistd_h.m4, src/gl/parse-datetime.y, src/gl/stdlib.in.h, + src/gl/sys_select.in.h, src/gl/unistd.in.h, src/gl/vasnprintf.c: + updated gnulib + +2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/pkcs11-get-issuer.c: tests: check the issuer value + validity of gnutls_x509_trust_list_get_issuer + +2014-10-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c: corrected bug in + gnutls_x509_trust_list_get_issuer() when used without the + GNUTLS_TL_GET_COPY flag + +2014-10-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/slow/Makefile.am: tests: include minitasn1 when needed + +2014-10-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/danetool.c: use HAVE_DANE ifdef for unused functions + +2014-10-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/libgnutls.map: exported gnutls_fd_in_use + +2014-10-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: document gnutls_fd_in_use() + +2014-10-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c: gnutls_fd_in_use: mention version + +2014-10-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: corrected FIND_OBJECT loop when the token + func is used + +2014-10-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in, + lib/nettle/rnd-common.c, lib/random.h: added gnutls_fd_in_use() to + check whether a file descriptor is in use + +2014-10-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * 
lib/gnutls_state.h: added prototype to avoid compiler warning + +2014-10-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/nettle/pk.c: fips140-2: limit the FIPS code in fips mode + +2014-10-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/pk.c: fips140-2: use the FIPS algorithms only when in + FIPS140-2 mode + +2014-10-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/dtls/dtls-stress.c: dtls-stress: reindented code + +2014-10-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/dtls/dtls-stress.c: tests: dtls-stress: only replay when + send succeeds + +2014-10-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testsrn: testsrn: do not assume that SSL 3.0 is + enabled by default + +2014-10-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: added + test that checks the fallback from TLS 1.6 + +2014-10-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c, + lib/libgnutls.map: added _gnutls_hello_set_default_version() which + allows to override the clienthello version + +2014-10-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-args.def: gnutls-cli: prevent the combination of the -p + and --list options As -p may be mistaken for --priority that would prevent wrong + outputs. 
+ +2014-10-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high2.c: avoid d from getting out of scope + +2014-10-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/udp-serv.c: gnutls-serv: avoid possible buffer overrun + +2014-10-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey.c: avoid memory leak on + gnutls_x509_privkey_generate() failure + +2014-10-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-10-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-args.def, src/cli.c: gnutls-cli: added option + --priority-list + +2014-10-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_priority.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: added gnutls_priority_string_list(), a function + to iterate all priority strings + +2014-10-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_priority.c: put all priority strings into a table + +2014-10-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: updated documentation for SSL 3.0 removal + +2014-10-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-10-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_priority.c: SSL 3.0 is no longer on the default + priorities list + +2014-10-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/int/dsa-fips.h, lib/nettle/int/dsa-keygen-fips186.c, + lib/nettle/int/dsa-validate.c: in FIPS140-2 mode only disable + 1024-bit DSA parameters when generating + +2014-10-14 Ludovic Courtès <ludo@gnu.org> + + * guile/src/core.c: guile: Remove trailing zero in + 'gnutls_server_name_set' call. In GnuTLS 3.2.19 (and possibly 3.3.9 and 3.1.17), + 'set-session-server-name!' would pass a trailing nul character on + the wire after the server name, which would thus be rejected by + servers. + +2014-10-14 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/libopts/Makefile.am: corrected libopt's Makefile.am reported by Marius Schamschula. 
+ +2014-10-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c: use _gnutls_hash_fast() in DSA/ECDSA + verification + +2014-10-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/int/dsa-fips.h, lib/nettle/int/provable-prime.c, + lib/nettle/int/rsa-keygen-fips186.c: FIPS140-2 RSA key generation + changes to account for seed starting with null byte + +2014-10-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/x86/sha-x86-ssse3.c: corrected the SSSE3 optimized + SHA224 + +2014-10-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/rnd-common.c: simplified getrusage code; the failure + check code wasn't needed + +2014-10-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/int/rsa-keygen-fips186.c: use lcm(p-1,q-1) instead of + phi(n) for RSA key generation in FIPS-140-2 mode + +2014-10-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/x509-extensions.c: tests: added check for import failure of + v1 certificate with extensions + +2014-10-13 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/x509.c: do not allow importing X.509 certificates with + version < 3 and extensions present + +2014-10-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * cfg.mk: update the guile manual along the C one + +2014-10-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/libopts/Makefile.am, src/libopts/ag-char-map.h, + src/libopts/ao-strs.c, src/libopts/ao-strs.h, + src/libopts/autoopts.h, src/libopts/autoopts/options.h, + src/libopts/autoopts/usage-txt.h, src/libopts/compat/_Noreturn.h, + src/libopts/genshell.c, src/libopts/genshell.h, + src/libopts/intprops.h, src/libopts/m4/libopts.m4, + src/libopts/m4/stdnoreturn.m4, src/libopts/option-value-type.c, + src/libopts/option-value-type.h, + src/libopts/option-xat-attribute.c, + src/libopts/option-xat-attribute.h, src/libopts/parse-duration.c, + src/libopts/proto.h, src/libopts/stdnoreturn.in.h, + src/libopts/version.c: updated to libopts 5.18.4 + +2014-10-11 
Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/nettle/rnd-common.c: place all rusage variables into + HAVE_GETRUSAGE block + +2014-10-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/nettle/rnd-common.c: rnd: if RUSAGE_THREAD fails try + RUSAGE_SELF + +2014-10-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/test-chains.h: tests: removed last remnants of + GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE + +2014-10-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/pkcs11-combo.c: tests: pkcs11-combo: use unique db + file + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/ext/heartbeat.c: forbid heartbeat messages during a handshake + +2014-10-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: + added internal variable to track handshake status + +2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/ocsptool-common.c: ocsptool: avoid shadowing a global variable + +2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS, lib/includes/gnutls/x509.h, lib/x509/verify.c: removed flag + GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE + +2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * .gitignore: more files to ignore + +2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/pkcs11-is-known.c: tests: updated time in + pkcs11-is-known + +2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: pkcs11: handle errors from override_cert_exts as + fatal + +2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/chainverify.c, tests/suite/pkcs11-chainverify.c, + tests/test-chains.h: tests: allow running specific chainverify tests + on fixed dates + +2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/common.c: _gnutls_check_valid_key_id: corrected + activation/expiration check + +2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c, lib/x509/common.c, lib/x509/common.h: pkcs11: + 
simplified and optimized loop + +2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-crypto.texi: mention nettle as the recommended crypto + backend + +2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/Makefile.am, tests/suite/pkcs11-combo.c: tests: Added + check to ensure that trust list combination with extra certificates + works + +2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c: when both a trust module and additional + CAs are present account the latter as well That solves an issue in openconnect which used the system trust + module, plus additional certificates. + +2014-10-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c, lib/x509/verify-high.h: simplify the + handling of trust_list_get_issuer() when GNUTLS_TL_GET_COPY is not + given + +2014-10-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-10-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-09-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/common.c: tools: print the status of safe renegotiation and + extended master secret + +2014-09-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/mini-x509.c, tests/resume.c: tests: check whether the + extended master secret is negotiated by default + +2014-10-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/Makefile.am, lib/ext/ext_master_secret.c, + lib/ext/ext_master_secret.h, lib/gnutls_constate.c, + lib/gnutls_extensions.c, lib/gnutls_handshake.c, + lib/gnutls_handshake.h, lib/gnutls_int.h, lib/gnutls_kx.c, + lib/gnutls_session_pack.c, lib/gnutls_state.c, + lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: Added support + for the extended master secret calculation That is performed implicitly unless GNUTLS_NO_EXTENSIONS is + specified. The implementation follows + draft-ietf-tls-session-hash-02. 
+ +2014-10-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/pk.c: corrected assignment + +2014-10-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/libgnutls.map: corrected the name of exported function + +2014-10-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-10-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/mini-dtls-discard.c: tests: added check + for gnutls_record_discard_queued() + +2014-10-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_record.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: Added gnutls_record_discard_queued() That function allows to discard queued data in DTLS. + +2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/test-chains.h: tests: corrected test for v1 cert signing + (removed bogus authorityIdentifier) + +2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: only set the authority key identifier, + if there is a corresponding subject key identifier + +2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: pkcs11: do not shortcut checks when + GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY is specified + +2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c, lib/x509/common.c, lib/x509/common.h: pkcs11: always + check for a valid subjectKeyIdentifier match That way, expired certificates can co-exist with their replacements. + +2014-10-06 Armin Burgmeier <armin@arbur.net> + + * tests/suite/pkcs11-chainverify.c: Add a test for PKCS11 CA + iteration Signed-off-by: Armin Burgmeier <armin@arbur.net> + +2014-10-06 Armin Burgmeier <armin@arbur.net> + + * lib/x509/verify-high.c: Also iterate over the CA certificates in a + PKCS11 token 
Signed-off-by: Armin Burgmeier <armin@arbur.net> + +2014-10-06 Armin Burgmeier <armin@arbur.net> + + * lib/x509/verify-high2.c: Return an error if multiple PKCS11 URLs + are added to a trust list Before, the new URL would overwrite the old URL, and the memory of + theold URL would be leaked. It is documented that only one URL can + be used, so it should be safe to reject any attempt to add another + one. 
Signed-off-by: Armin Burgmeier <armin@arbur.net> + +2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c, lib/x509/common.c, lib/x509/common.h: pkcs11: when + no CKA_ID can be relied on fallback on checking the + SubjectKeyIdentifier Patch by David Woodhouse. + +2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/libgnutls.map, lib/nettle/pk.c: added FIPS140-2 ECDH + verification functions + +2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/gnutls.h.in: removed unused definition + +2014-10-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/libgnutls.map, lib/nettle/pk.c: added FIPS140-2 DH + verification functions + +2014-10-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/pkcs11-is-known.c: tests: corrected check with + gnutls_x509_trust_list_get_issuer + +2014-10-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/verify-high2.c: corrected remove_pkcs11_url() + +2014-10-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c: address memory leak in gnutls_pkcs11_crt_is_known() + +2014-10-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/Makefile.am, tests/suite/pkcs11-is-known.c: tests: + check gnutls_pkcs11_crt_is_known() when multiple same DNs are + present + +2014-10-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c: pkcs11: when checking for presence do not give up on + the first mismatch + +2014-10-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/verify-high2.c: doc update: clarifications in + gnutls_x509_trust_list_add_trust_file + +2014-10-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c: corrected compilation for non-pkcs11; + reported by David Woodhouse. 
+ +2014-10-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-10-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c: avoid calls in gnutls_init() + +2014-10-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_dtls.c, lib/gnutls_handshake.c, lib/gnutls_int.h, + lib/gnutls_state.c: the handshake function has a timeout value by + default + +2014-10-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/session_ticket.c: use wait and retransmit when receiving + session tickets + +2014-10-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/dtls/dtls, tests/dtls/dtls-stress.c: tests: added -r option + to dtls-stress That allows it to replay messages in a kind of arbitrary way. + +2014-10-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_global.c: report the FIPS140-2 mode + +2014-10-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/pkcs11-get-issuer.c, tests/x509cert.c: tests: added + check for GNUTLS_TL_GET_COPY + +2014-10-01 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_cert.c, lib/gnutls_x509.c, lib/includes/gnutls/x509.h, + lib/x509/ocsp.c, lib/x509/verify-high.c: Added GNUTLS_TL_GET_COPY + flag and documented the limitations of + gnutls_x509_trust_list_get_issuer() + +2014-09-30 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/opencdk/stream.h: opencdk: changed filter_fnct_t to match the + actual function prototypes + +2014-09-30 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: updated news entry + +2014-09-30 Ludovic Courtès <ludo@gnu.org> + + * doc/gnutls-guile.texi: guile: doc: Remove erroneous @ifnottex. + +2014-09-30 Ludovic Courtès <ludo@gnu.org> + + * NEWS: Add NEWS entry for Guile changes. + +2014-09-30 Ludovic Courtès <ludo@gnu.org> + + * doc/gnutls-guile.texi: guile: doc: Make it clear that the bindings + are part of GnuTLS. 
+ +2014-09-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_handshake.c: if receiving a ChangeCipherSpec fails, + return GNUTLS_E_UNEXPECTED_PACKET That is more precise than the current + GNUTLS_E_UNEXPECTED_PACKET_LENGTH + +2014-09-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/accelerated/x86/x86-common.c: use __hidden in solaris to + provide the hidden visibility attribute + +2014-09-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/accelerated/x86/x86-common.h: no need to define + _gnutls_x86_cpuid_s + +2014-09-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_cipher.c, lib/nettle/cipher.c: use + MAX_CIPHER_BLOCK_SIZE more consistently + +2014-09-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_buffers.c, lib/gnutls_handshake.c: do not allow + GNUTLS_E_LARGE_PACKET to be returned from non-DTLS sessions + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/system.c: gnutls_x509_trust_list_add_system_trust() will not + allow duplicate entries + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/danetool.c, src/tpmtool.c: more compiler warning fixes + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac: configure: enabled more warnings + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/ext/session_ticket.c, lib/gnutls_dtls.h, + lib/gnutls_privkey.c, lib/openpgp/output.c, lib/random.c, + lib/system.c, lib/x509/ocsp_output.c, lib/x509/pkcs12.c, + src/certtool.c, src/cli.c: fixed compilation warnings + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/verify-high2.c: use _DIRENT_HAVE_D_TYPE to detect + d->d_type + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/x509.c: corrected type + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac: configure: don't both with checks for padlock in + non-x86 + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am, 
doc/manpages/Makefile.am, lib/libgnutls.map, + symbols.last: updated auto-generated files + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * Makefile.am, README-alpha, devel/abi.xml, devel/abi3.2.xml: run + abi-compliance-checker prior to release + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/libgnutls.map: indented symbols + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: + protect DTLS clients that don't handle GNUTLS_E_LARGE_PACKET from an + infinite loop on handshake + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_errors.c: removed unused error values + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_handshake.c, lib/gnutls_record.c, lib/gnutls_record.h: + restrict the number of non-fatal errors gnutls_handshake() can + return + +2014-09-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_errors.c: optimized gnutls_error_is_fatal() by + splitting the errors to two tables + +2014-09-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-09-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_x509.c, lib/includes/gnutls/gnutls.h.in, + lib/includes/gnutls/openpgp.h, lib/openpgp/gnutls_openpgp.c, + tests/openpgp-auth.c, tests/x509cert.c: use unsigned types in + prototypes + +2014-09-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac: enable gcc warnings by default + +2014-09-23 Armin Burgmeier <armin@arbur.net> + + * tests/openpgp-auth.c, tests/x509cert.c: Check the credentials + getter functions as part of the unit tests + +2014-09-18 Armin Burgmeier <armin@arbur.net> + + * lib/includes/gnutls/x509.h, lib/libgnutls.map, + lib/x509/verify-high.c: Add an interface to iterate the trusted CA + certificates in a trust list 
Signed-off-by: Armin Burgmeier <armin@arbur.net> + +2014-09-18 Armin Burgmeier <armin@arbur.net> + + * lib/includes/gnutls/openpgp.h, lib/libgnutls.map, + lib/openpgp/gnutls_openpgp.c: Add getter functions for openpgp keys + and certificates Signed-off-by: Armin Burgmeier <armin@arbur.net> + +2014-09-17 Armin Burgmeier <armin@arbur.net> + + * lib/gnutls_x509.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: Add functions to obtain X.509 keys and + certificates from certificate credentials Signed-off-by: Armin Burgmeier <armin@arbur.net> + +2014-09-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_privkey.c, lib/includes/gnutls/abstract.h, + lib/libgnutls.map: enabled gnutls_privkey_export_pkcs11 + +2014-09-17 Armin Burgmeier <armin@arbur.net> + + * lib/gnutls_privkey.c, lib/includes/gnutls/abstract.h, + lib/libgnutls.map: Add functions to export X.509 and OpenPGP private + keys from the abstract type Signed-off-by: Armin Burgmeier <armin@arbur.net> + +2014-09-17 Armin Burgmeier <armin@arbur.net> + + * lib/gnutls_x509.c, lib/includes/gnutls/x509.h, lib/libgnutls.map: + Add a function to obtain the trust list of a + gnutls_certificate_credentials_t 
Signed-off-by: Armin Burgmeier <armin@arbur.net> + +2014-09-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_pubkey.c: doc update + +2014-09-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * .gitignore: more files to ignore + +2014-09-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS, lib/gnutls_pcert.c, lib/includes/gnutls/abstract.h: removed + gnutls_pcert_get_type() + +2014-09-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac: only enable crywrap if libidn is present + +2014-09-22 Ludovic Courtès <ludo@gnu.org> + + * guile/src/core.c: guile: Restore cross-reference in + 'set-session-priorities!' docstring. This had been destroyed in 32d90395. + +2014-09-22 Ludovic Courtès <ludo@gnu.org> + + * guile/modules/gnutls.in, guile/modules/gnutls/build/enums.scm, + guile/src/core.c, guile/tests/anonymous-auth.scm: guile: Add + bindings for 'gnutls_server_name_set'. This adds the 'set-session-server-name!' procedure and the + 'server-name-type' enum type. + +2014-09-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-09-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/chainverify.c, tests/suite/certs/create-chain.sh, + tests/suite/pkcs11-chainverify.c, tests/test-chains.h: tests: Added + checks for key purpose verification + +2014-09-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_cert.c, lib/includes/gnutls/gnutls.h.in, + lib/includes/gnutls/x509.h, lib/x509/common.h, + lib/x509/verify-high.c, lib/x509/verify.c, lib/x509/x509_int.h: + Verify key purpose on intermediate certificate if + GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE is specified That introduces the verification flag + GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE, and the verification + result GNUTLS_CERT_PURPOSE_MISMATCH. The reason that this + verification test must be explicitly enabled is because it is only + defined in CA Forum's Baseline requirements 1.1.9 but not any IETF + document. 
+ +2014-09-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def: certtool: updated the extended key usage + documentation + +2014-09-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/gnutls.h.in: added missing prototype + +2014-09-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-09-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/abstract_int.h, lib/gnutls_privkey.c, + lib/includes/gnutls/abstract.h, lib/libgnutls.map: introduced + gnutls_privkey_import_ext3() That function allows copying an external specified private key, as + well as allow variability on the capabilities of an external key. + +2014-09-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * cross.mk: updated cross.mk + +2014-09-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-09-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/output.c: when printing a certificate request also print + its signature algorithm + +2014-09-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/crq.c: + added gnutls_x509_crq_get_signature_algorithm() + +2014-09-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-09-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/abstract.h: Added missing prototype + +2014-09-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, + lib/pkcs11_privkey.c: Added gnutls_pkcs11_privkey_cpy() + +2014-09-17 Armin Burgmeier <armin@arbur.net> + + * lib/gnutls_ui.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: Add gnutls_certificate_get_verify_flags Signed-off-by: Armin Burgmeier <armin@arbur.net> + +2014-09-17 Armin Burgmeier <armin@arbur.net> + + * lib/gnutls_pcert.c, lib/includes/gnutls/abstract.h, + lib/libgnutls.map: Add API to retrieve a X.509 or OpenPGP + certificate from a gnutls_pcert_t 
Signed-off-by: Armin Burgmeier <armin@arbur.net> + +2014-09-18 Armin Burgmeier <armin@arbur.net> + + * lib/x509/verify-high.c: Memory leak fix on certificate copy + failure Signed-off-by: Armin Burgmeier <armin@arbur.net> + +2014-09-17 Armin Burgmeier <armin@arbur.net> + + * lib/gnutls_ui.c: Fix a documentation typo 
Signed-off-by: Armin Burgmeier <armin@arbur.net> + +2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * cfg.mk, lib/accelerated/x86/files.mk: regenerated files.mk + +2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * libdane/dane.c: libdane: do not require the CA to be a direct CA + +2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/scripts/common.sh, tests/suite/testpkcs11: tests: enhanced + test suite to pass more of the PKCS #11 API under valgrind + +2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/serv-args.def, src/serv.c: gnutls-serv: added the --provider + option + +2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/common.c: tools: corrected pin entry + +2014-09-19 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_x509.c: cleaned up memory deallocation in + read_cert_url() That caused unexpected results when loading PKCS #11 URLs. Reported + by Joseph Peruski. + +2014-09-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/certtool.cfg: updated certtool.cfg + +2014-09-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/test-chains.h: tests: added checks with modified certificate This tests whether a modified of a DER certificate, that is + cancelled out while we parse it, would result to a good signature. 
+ +2014-09-18 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac: require explicit disabling of PKCS #11 in configure + +2014-09-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * devel/DCO/people-dco.txt: Added Armin's DCO + +2014-09-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c, lib/x509/verify.c: updated details on + certificate verification + +2014-09-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac: depend on p11-kit 0.20.7 + +2014-09-16 Armin Burgmeier <armin@arbur.net> + + * lib/x509/verify.c, tests/test-chains.h: Check for all error + conditions when verifying a certificate This allows to check for all possible flaws with a certificate chain + with a single call to gnutls_x509_crt_list_verify and friends. 
Signed-off-by: Armin Burgmeier <armin@arbur.net> + +2014-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac, lib/pkcs11x.h: depend on p11-kit 0.20.6 + +2014-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify.c: removed unneeded set of status + +2014-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify.c: pkcs11: when a signer isn't found in PKCS #11 + force the verification of the chain That allows obtaining any additional flags from the chain such as + insecure algorithms or expirations. + +2014-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/psk.c: psktool: corrected resource leak on failure + +2014-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_x509.c: added sanity check on cleanup + +2014-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/verify-tofu.c: removed unused variable + +2014-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: corrected typo in printing error + +2014-09-17 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: pkcs11: correctly reallocate the read buffer Report and patch by David Woodhouse. + +2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-cert-auth.texi: updated documentation on PKCS #11 trust + module verification + +2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/common.h, lib/x509/verify-high.c, lib/x509/verify.c: + unified the key purpose checks functions + +2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/x509.h, lib/x509/common.h, + lib/x509/verify-high.c, lib/x509/verify.c: check for CAs with the + same key in gnutls_x509_trust_list_add_cas That way when GNUTLS_TL_NO_DUPLICATE_KEY is specified the added CA + will overwrite any previous one with the same name and key. 
+ +2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c: hostname and key purpose checks were moved + above CRL checks + +2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/output.c, lib/x509/x509_ext.c: doc update + +2014-09-16 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/crl.c: corrected gnutls_x509_crl_get_raw_issuer_dn() + +2014-09-15 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/scripts/common.sh: tests: use the PID number in RPORT The shell's RANDOM isn't that random. + +2014-09-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/minitasn1/decoding.c: updated libtasn1 + +2014-09-15 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: documented the environment variables + +2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac, lib/pkcs11.c, lib/pkcs11x.c, lib/pkcs11x.h: simulate + pkcs11x.h when it doesn't exist + +2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/crlverify.c: tests: Added crlverify to + check gnutls_x509_crl_verify and gnutls_x509_trust_list_add_crls + +2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/certs/create-chain.sh: create-chain.sh: generate CRL + +2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/verify.c: gnutls_x509_crl_verify: do not always set the + invalid status Reported by Armin Burgmeier. + +2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/verify.c: Revert "gnutls_x509_crl_verify: do not always + set the invalid status" This reverts commit a922ee10c5f3902988e5730a1e6fbf77b033058c. + +2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/verify.c: gnutls_x509_crl_verify: do not always set the + invalid status Reported by Armin Burgmeier. 
+ +2014-09-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_ui.c: doc update + +2014-09-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11x.c: added missing file + +2014-09-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: p11tool: print Attached Extensions, instead of + extensions + +2014-09-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c: when adding a duplicate certificate, keep + the last entry + +2014-09-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/Makefile.am, lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, + lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_write.c, lib/pkcs11x.h, + lib/verify-tofu.c, lib/x509/common.c, lib/x509/common.h: added + gnutls_pkcs11_copy_attached_extension() + +2014-09-12 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/pkcs11-get-issuer.c: pkcs11-get-issuer: do not + hardcode the chain number, use its name + +2014-09-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/crq.c, lib/x509/verify-high.c, lib/x509/x509.c: Revert + "corrected planned version number" This reverts commit 5e44f432580f8b9533223acc3060db26446f0e96. 
+ +2014-09-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/x509-ext.h, lib/libgnutls.map, + lib/x509/output.c, lib/x509/x509.c, lib/x509/x509_ext.c, + src/pkcs11.c: fixes in the extension handling + +2014-09-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: p11tool: will print trust module extensions if + present + +2014-09-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c, lib/x509/verify.c, lib/x509/x509_int.h: + check the key purpose of the CA certificate when in pkcs11 cert + validation + +2014-09-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/Makefile.am, lib/includes/gnutls/pkcs11.h, + lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/pkcs11.c, + lib/pkcs11_int.c, lib/pkcs11_int.h, lib/x509/common.h, + lib/x509/output.c, lib/x509/x509_ext.c: allow retrieving extensions + in a trust module using + GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT + +2014-09-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/verify-tofu.c, lib/x509/common.h, lib/x509/extensions.c, + lib/x509/ocsp.c: export x509_crt_to_raw_pubkey() in x509/common.h + and prefixed s/get_extension with _gnutls + +2014-09-10 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c: doc update + +2014-09-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/crq.c, lib/x509/verify-high.c, lib/x509/x509.c: corrected + planned version number + +2014-09-09 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_cert.c, lib/gnutls_x509.c, lib/gnutls_x509.h, + lib/includes/gnutls/x509.h, lib/libgnutls.map, + lib/x509/verify-high.c: gnutls_x509_trust_list_verify_crt2 is in par + with gnutls_certificate_verify_peers That is, it accepts a list of gnutls_typed_vdata_st and allows for + flexibility. 
+ +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/x509_ext.c: doc update + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/crq.c, + lib/x509/x509.c: Added gnutls_x509_crt_get_extension_by_oid2() and + gnutls_x509_crq_get_extension_by_oid2() + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_x509.c, lib/includes/gnutls/x509.h, lib/libgnutls.map, + lib/x509/verify-high.c: Added + gnutls_x509_trust_list_verify_purpose_crt() + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/tpmtool.c: tpmtool: corrected key password read + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/danetool.c: set umask prior to calling mkstemp + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high.c: initialize verification output to zero + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_buffers.c: dtls: when discarding packet, discard the + correct number of bytes + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/hostname-verify.c: check_ip: initialize ret + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/tpm.c: gnutls_tpm_privkey_generate: initialize input values to + null to prevent any issue + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: do not dereference find_data->p_list in pkcs11 + callback + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/rnd-fips.c: corrected issue in fips RNG + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/pk.c: added comment to clarify check + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/opencdk/literal.c: opencdk: corrected unsigned comparison + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/tpm.c: fixes in loop for SRK password input + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/common.c: apps: corrected 
GNUTLS_PIN reading + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high2.c: gnutls_x509_trust_list_add_trust_dir: + corrected CRL loading error + +2014-09-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-cfg.c: certtool: corrected copy+paste error + +2014-09-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/suppressions.valgrind, tests/suppressions.valgrind: + tests: simply valgrind suppressions for libidn + +2014-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/dsa/testdsa, tests/openpgp-certs/testcerts, + tests/scripts/common.sh, tests/suite/testcompat-main, + tests/suite/testpkcs11, tests/suite/testsrn: use random ports in + tests, unless a port is provided + +2014-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high2.c: corrected usage of readdir_r() + +2014-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/ocsptool-common.c: ocsptool: better error message + +2014-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify-high2.c: reentrant fixes for + gnutls_x509_trust_list_add_trust_dir() handle unknown file types + +2014-09-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def: doc update + +2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/x509_dn.c: optimized escaped comma handling + +2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * m4/hooks.m4, tests/ocsp.c: require libtasn1 3.9 or later That is because of the ocsp fix. 
+ +2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/crq_apis.c: tests: extended crq API checks + +2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/x509_write.c: doc update + +2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/x509_dn.c: when setting a DN properly handle spaces and + escaped commas + +2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/common.c: simplified _gnutls_x509_get_signed_data() + +2014-09-04 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/common.c, lib/x509/common.h, lib/x509/crl.c, + lib/x509/x509.c: The get_raw_dn() functions were modified to work + even if the certificate is generated (not imported) + +2014-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_dtls.c: Disallow zero fragments in DTLS for packets + which have data. Reported by Manuel Pégourié-Gonnard. + +2014-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/mini-dtls-lowmtu.c: tests: Check the + behavior of a DTLS server in a low-mtu scenario. 
http://permalink.gmane.org/gmane.network.gnutls.general/3582 + +2014-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac, lib/vasprintf.c: steal openconnect's vasprintf() + implementation + +2014-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/vasprintf.c: corrected bundled vasprintf(); reported by Jeff + Lee + +2014-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h: updated + libtasn1 + +2014-09-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/ocsp.c: tests: Added tests on the invalid OCSP response + +2014-09-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/fips.c: fips140: check the integrity of GMP + +2014-09-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/common.h, lib/x509/verify.c: when comparing an + end-certificate with the trusted list compare the entire certificate + +2014-09-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/test-chains.h: tests: Added test for amazon.com chain with + new verisign CA. + +2014-09-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/x509/common.c, + lib/x509/common.h, lib/x509/crl.c, lib/x509/verify.c, + lib/x509/x509.c, lib/x509/x509_int.h: when comparing a CA + certificate with the trusted list compare the name and key That is to handle cases where a CA certificate was superceded by a + different one with the same name and the same key. That can happen + when an intermediate CA certificate is replaced by a self-signed + one. + +2014-09-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/fips.c, lib/fips.h, lib/gnutls_global.c, + lib/nettle/int/dsa-fips.h: perform the FIPS140-2 self tests in two + rounds One round is before the AES acceleration is registered, and the + second is after. That is to allow testing of the AES implementation + used in the DRBG. That is a hack until nettle handles all cipher + acceleration. 
+ +2014-09-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/name_constraints.c: name constraints: do not check CN + when a DNSname is available + +2014-09-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/int/drbg-aes-self-test.c, lib/nettle/int/drbg-aes.h: + drbg-aes: added checks in the error handling of the functions That coverts the instantiate and generation functions. + +2014-09-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-selftests.c: fips140: fail on encryption test failure + +2014-09-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/int/drbg-aes.c: drbg-aes: if the continuous test fails, + put the library into error state + +2014-08-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-tokens.texi, doc/cha-upgrade.texi, doc/latex/cover.tex: + small doc updates + +2014-08-31 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am, doc/cha-tokens.texi, doc/latex/cover.tex: doc: + fixes in sectioning for p11tool and tpmtool invocation + +2014-08-29 Tristan Matthews <le.businessman@gmail.com> + + * lib/ext/alpn.c: alpn: fix version documentation 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> + +2014-08-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/pkcs11.c: p11tool: allow printing multiple types of tokens + +2014-08-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/hostname-verify.c: remove text not applicable in that + version + +2014-08-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/hostname-verify.c: refer to rfc6125 + +2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey.c: additional sanity check in RSA key generation + testing in FIPS-140-2 mode The encrypted data are checked to differ from the plaintext, to + prevent any issues with an accidental null encryption. + +2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey.c: when in FIPS140-2 mode switch the library to + error state if key generation fails + +2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/common.c, lib/x509/crl.c, lib/x509/x509.c: avoid new + allocations and keep a pointer to the DER data for DN + +2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/crl.c, lib/x509/verify.c, lib/x509/x509_int.h: when + importing a CRL keep the DER data + +2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/common.c, lib/x509/common.h, lib/x509/crq.c, + lib/x509/verify.c, lib/x509/x509.c, lib/x509/x509_int.h: when + importing a certificate, keep the DER data + +2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/ext/session_ticket.c: doc update + +2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * cfg.mk, configure.ac, devel/openssl, + lib/accelerated/x86/Makefile.am, lib/accelerated/x86/x86-common.c: + added configuration option --disable-padlock That allows keeping hardware acceleration in x86 but without support + for padlock. 
+ +2014-08-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * devel/openssl, lib/accelerated/x86/coff/ghash-x86_64.s, + lib/accelerated/x86/coff/sha1-ssse3-x86_64.s, + lib/accelerated/x86/coff/sha512-ssse3-x86_64.s, + lib/accelerated/x86/elf/ghash-x86_64.s, + lib/accelerated/x86/elf/sha1-ssse3-x86_64.s, + lib/accelerated/x86/elf/sha512-ssse3-x86_64.s, + lib/accelerated/x86/macosx/ghash-x86_64.s, + lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s, + lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s: Revert "updated + asm sources" This reverts commit 97895066e18abc5689ede9af1a463539ea783e90. + +2014-08-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: p11tool: when listing tokens, list their type as + well + +2014-08-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/x86/x86-common.c: hide _gnutls_x86_cpuid_s + +2014-08-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * devel/openssl, lib/accelerated/x86/coff/ghash-x86_64.s, + lib/accelerated/x86/coff/sha1-ssse3-x86_64.s, + lib/accelerated/x86/coff/sha512-ssse3-x86_64.s, + lib/accelerated/x86/elf/ghash-x86_64.s, + lib/accelerated/x86/elf/sha1-ssse3-x86_64.s, + lib/accelerated/x86/elf/sha512-ssse3-x86_64.s, + lib/accelerated/x86/macosx/ghash-x86_64.s, + lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s, + lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s: updated asm + sources + +2014-08-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: gnutls_pkcs11_obj_list_import_url2() will import + data in a single pass + +2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/suppressions.valgrind: tests: added more idna valgrind + suppressions + +2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: pkcs11: when reading PKCS #11 objects, read multiple + objects at a time That improves the performance significantly when reading from tokens + with a significant number of objects. Reported by David Woodhouse. 
+ +2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: pkcs11: do not fail the entire operation if a single + object cannot be imported + +2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: pkcs11: allow objects without label or without ID + +2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/test-chains.h: tests: updated name constraints checks to not + include a CN + +2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/Makefile.am, + tests/cert-tests/name-constraints-err.pem, + tests/cert-tests/name-constraints-err.pem.out, + tests/cert-tests/verify-test: Revert "tests: Added a nameconstraints + test based on the CN bypass" The bypass check was included in + chainverify. This reverts commit c9417bcc0614aaa2668486d294f5759b4082a23a. + +2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/name_constraints.c, lib/x509/x509.c: doc update + +2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/verify.c: only check name constraints in non-CA + certificates + +2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/name_constraints.c: ignore constraints for different type + than the checked + +2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/cert-tests/Makefile.am, + tests/cert-tests/name-constraints-err.pem, + tests/cert-tests/name-constraints-err.pem.out, + tests/cert-tests/verify-test: tests: Added a nameconstraints test + based on the CN bypass That was discussed in: + http://permalink.gmane.org/gmane.comp.encryption.openssl.devel/26660 + +2014-08-26 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/name_constraints.c: when verifying name constrains + enforce the single CN rule + +2014-08-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * cross.mk: cross.mk: compile gnutls without p11-kit by default + +2014-08-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * cross.mk: cross.mk: do not delete the pkgconfig directory + 
+2014-08-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * devel/DCO/people-dco.txt: Added Alon's DCO link + +2014-08-25 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/libopts/autoopts.h: check for stdnoreturn.h presence + +2014-08-24 Alon Bar-Lev <alon.barlev@gmail.com> + + * tests/Makefile.am, tests/x509cert-tl.c: build: tests: x509cert-tl: + support separate builddir Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2014-08-24 Alon Bar-Lev <alon.barlev@gmail.com> + + * lib/gnutls_privkey.c: build: condition pkcs11 block 
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> + +2014-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_record.c: record: tolerate a finished packet with + errors in DTLS + +2014-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_record.c: record: in DTLS discard only messages that + cause unexpected packet errors + +2014-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/suppressions.valgrind: tests: suppress more libidn + warnings + +2014-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/danetool.c: danetool: ensure the temporary file is always + removed + +2014-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/ext/server_name.c, lib/includes/gnutls/gnutls.h.in: the + server_name extension will convert input and output names to IDNA. + +2014-08-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/Makefile.am, src/socket.c: tools: use idna_to_ascii_8z() to + convert internationalized hostnames + +2014-08-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/gnutls-idna.h, lib/x509/hostname-verify.c, + lib/x509/output.c: hostname-verify: use idn_free() + +2014-08-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_errors.c: doc update + +2014-08-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/int/dsa-keygen-fips186.c: prevent 1024-bit DSA + parameter generation only when FIPS-mode is enabled. + +2014-08-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/int/dsa-keygen-fips186.c: Revert "removed pbits=1024, + qbits=160 from the acceptable bit sizes in FIPS140-2 DSA parameter + generation." This reverts commit 110527d9bb9ca70a66ae8173769067f133fd3cf7. 
+ +2014-08-21 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/system.c: use the windows API in windows even if iconv is + available + +2014-08-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * cross.mk: win32: updated Makefile and added the ability build + openconnect + +2014-08-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac: check for the correct version of libidn + +2014-08-20 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/hostname-check.c: tests: Added case sensitive checks in + hostname verification + +2014-08-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/suppressions.valgrind: tests: copied valgrind + suppressions to suite + +2014-08-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/minitasn1/decoding.c: updated libtasn1 + +2014-08-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suppressions.valgrind: tests: suppress valgrind warnings due + to libidn + +2014-08-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-08-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/Makefile.am, lib/x509/gnutls-idna.h, + lib/x509/hostname-verify.c, lib/x509/output.c: + gnutls_x509_crt_print() will print the IDNA A-label names as well. + +2014-08-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/hostname-check.c: tests: added UTF-8 hostname comparison + checks + +2014-08-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac, lib/Makefile.am, lib/x509/hostname-verify.c: Added + support for RFC6125 hostname comparison That adds the dependency on libidn. + +2014-08-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/Makefile.am, lib/x509/hostname-verify.c, + lib/x509/rfc2818_hostname.c: renamed rfc2818_hostname to + hostname-verify The file no longer follows RFC2818. 
+ +2014-08-20 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/minitasn1/decoding.c: updated minitasn1 + +2014-08-18 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/crl.c, lib/x509/pkcs7.c, lib/x509/privkey.c, + lib/x509/x509.c, lib/x509/x509_int.h: Safer reinitialization of + structures on re-import to avoid memory leaks. That also adds the gnutls_pkcs7_t structure into the list of allowed + to re-import. + +2014-08-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/verify-tofu.c: doc update + +2014-08-17 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/verify-tofu.c: doc update + +2014-08-16 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/crl.c, lib/x509/pkcs12.c, lib/x509/privkey.c, + lib/x509/privkey_pkcs8.c, lib/x509/x509.c, lib/x509/x509_int.h: + Re-initialize the ASN.1 structures on every import That allows to import a key/certificate on a structure even if the + previous import failed. + +2014-08-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-args.def, src/cli.c: gnutls-cli: added --fips140-mode + command line option That option will report the status of the FIPS140-2 mode in the + library. + +2014-08-14 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/fips.c: The environment variable GNUTLS_FORCE_FIPS_MODE can be + used to force the FIPS-140-2 mode + +2014-08-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/common.h: gnutls-cli/danetool: corrected check on ipv6 IPs + +2014-08-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/rfc2818_hostname.c: Follow the rfc6125 requirement that a + single CN must be present for hostname verification. Follow up on the original commit that simplifies checking for more + than a single hostname. 
+ +2014-08-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-debug.c, src/cli.c, src/common.h, src/danetool.c: + gnutls-cli/danetool: added a common check for hostname being an IP + +2014-08-13 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/rfc2818_hostname.c, tests/hostname-check.c: Follow the + rfc6125 requirement that a single CN must be present for hostname + verification. + +2014-08-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/hostname-check.c: tests: check that + gnutls_x509_crt_check_hostname() will correctly use the last CN when + multiple + +2014-08-12 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/rfc2818_hostname.c: when checking the hostname of a + certificate with multiple CNs use the "most specific" CN In our case we use the last CN present in the DN. Reported by David + Woodhouse. https://bugzilla.mozilla.org/show_bug.cgi?id=307234#c2 + +2014-08-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/benchmark-cipher.c: gnutls-cli: more organized printing of + cipher benchmark output + +2014-08-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/benchmark-tls.c: gnutls-cli: removed salsa20 from the + benchmarked ciphers + +2014-08-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * m4/hooks.m4: bumped current and age version to allow 3.3.x + releases with new symbols + +2014-08-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/pkcs12_encr.c: _gnutls_pkcs12_string_to_key(): enforce a + block size of 64-bytes + +2014-08-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms.h, lib/algorithms/mac.c, lib/libgnutls.map: + mac_to_entry -> _gnutls_mac_to_entry + +2014-08-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: gnutls_pkcs11_obj_flags_get_str: mention UNWRAP + +2014-08-11 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/pkcs12.c: pkcs12: added check for null OID in + gnutls_pkcs12_generate_mac2 + +2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: 
doc update + +2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/pkcs12_encode.c: tests: check gnutls_pkcs12_generate_mac2() + +2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/pkcs12.h, lib/libgnutls.map, + lib/x509/pkcs12.c: pkcs12: added gnutls_pkcs12_generate_mac2() That allows a choice on the MAC algorithm to be used. + +2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c: certtool: --p12-info will provide information on + the MAC algorithm + +2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/pkcs12.h, lib/libgnutls.map, + lib/x509/pkcs12.c: pkcs12: added gnutls_pkcs12_mac_info to obtain + information on the MAC + +2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/libgnutls.map, tests/pkcs12_s2k.c: tests: updated string to + keys tests for new internal API + +2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/pkcs12-decode/Makefile.am, tests/pkcs12-decode/pkcs12: + tests: test the decoding of a PKCS #12 structure with SHA256 MAC + +2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/algorithms.h, lib/x509/pkcs12.c, lib/x509/pkcs12_encr.c, + lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: pkcs12: Allow + verification with structures that support other than HMAC-SHA1 MACs. 
+ +2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/gc.c: tests: remove test for nettle's pbkdf2; this is tested + in nettle + +2014-08-10 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/pkcs12.c: updated doc for gnutls_pkcs12_simple_parse() + +2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testdane: testdane: re-enabled DANE checks and added + checks on SMTP + +2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/danetool.c: danetool: obtain certificate only once + +2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11: + modified prototype and doc to be recognized by doc parser + +2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-debug-args.def, src/danetool-args.def, src/socket.c: + danetool/gnutls-cli-debug: added support for imap starttls + +2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/cli-debug-args.def, src/cli-debug.c: gnutls-cli-debug: + supports SMTP starttls + +2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/danetool-args.def, src/danetool.c, src/socket.c, src/socket.h: + danetool: supports SMTP starttls + +2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/danetool-args.def, src/danetool.c, src/socket.c: danetool: + improvements in information presentation + +2014-08-09 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * libdane/dane.c: libdane: disable debugging mode + +2014-08-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_handshake.c: updated documentation for + gnutls_handshake() + +2014-08-08 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/Makefile.am, src/cli.c, src/danetool.c, + src/ocsptool-common.c, src/socket.c, src/socket.h, + tests/suite/testdane: danetool: if the certificate to verify against + is not provide it try to obtain it + +2014-08-08 Nikos Mavrogiannopoulos 
<nmav@redhat.com> + + * NEWS: doc update + +2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/Makefile.am, lib/x509/pbkdf2-sha1.c, + lib/x509/pbkdf2-sha1.h, lib/x509/privkey_openssl.c, + lib/x509/privkey_pkcs8.c, tests/gc.c: pbkdf2: removed internal + implementation, use nettle's + +2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pk.c: protect _gnutls_params_get_rsa_raw() from + crashing when exporting an RSA public key That could happen in case of PKCS #11 abstract keys. + +2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: corrected typo + +2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + p11tool: added --info parameter That allows obtaining information on a specific object. + +2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11.c: pkcs11: added + GNUTLS_PKCS11_OBJ_ATTR_MATCH flag This flag allows listing only the tokens that match the URL. That + is, this performs an object URL comparison, rather than a token URL + usage. 
+ +2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool.c: p11tool: only print the debugging message in + debuglevel > 4 + +2014-08-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: pkcs11: check CKA_UNWRAP as well for enabling + GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP + +2014-08-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-intro-tls.texi: removed reference to UMAC + +2014-08-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-intro-tls.texi: removed references to SALSA20 + +2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: doc update + +2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testpkcs11: testpkcs11: rearranged checks to avoid + wrong deletions + +2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: pkcs11: simplified pkcs11_privkey handling A PKCS #11 always holds an open session to the key. + +2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c, + src/pkcs11.c: gnutls_pkcs11_flags_get_str -> + gnutls_pkcs11_obj_flags_get_str + +2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-get-issuer.c: + tests: ensure that no environment variables confuse softhsm + +2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testpkcs11: testpkcs11: test the trusted and ca flags + being set + +2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c, + lib/pkcs11_int.h, lib/pkcs11_privkey.c, src/p11tool.c, src/pkcs11.c: + pkcs11: added new functions to query the object's flags gnutls_pkcs11_obj_get_flags() allows obtaining an object's flags, + and gnutls_pkcs11_flags_get_str() allows printing them. 
+ +2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h: pkcs11.h: introduced + gnutls_pkcs11_obj_flags + +2014-08-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testpkcs11: testpkcs11: exit if + export_pubkey_of_privkey fails + +2014-08-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-08-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + p11tool: simplify the passing of flags and pass the key wrapping + flag + +2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * README: README: removed gmplib 4.2.2 reference + +2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/benchmark-tls.c: gnutls-cli: TLS benchmark parameters were + updated + +2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_privkey.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: + _gnutls_privkey_get_mpis: extended to work for PKCS #11 keys + +2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c, lib/pkcs11_privkey.c: doc update + +2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, + lib/pkcs11_privkey.c, src/pkcs11.c: changed semantics of + gnutls_pkcs11_privkey_get_pubkey; named + gnutls_pkcs11_privkey_export_pubkey + +2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_get_pubkey: return + GNUTLS_E_INVALID_REQUEST on invalid params + +2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool.c: p11tool: activate the --batch option + +2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testpkcs11: testpkcs11: Test the export of public key + +2014-08-06 Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com> + + * src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: + add public key export to p11tool 
Signed-off-by: Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com> + +2014-08-04 Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com> + + * lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, + lib/pkcs11_privkey.c: add pubkey export from private key in pkcs11 + subsystem There are cases where we need to export the public key of private + key at a later time. Previously, the public key was only available + immediately after creation of a key pair. This patch allows to + retrieve the public key of a private key at any time after creation. Signed-off-by: Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com> + +2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: documented flags format + +2014-08-04 Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com> + + * lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: improve + compatibility in pkcs11 key generation * add key wrap/unwrap key usage * explicitly set public exponent in template 
Signed-off-by: Wolfgang Meyer zu Bergsten <w.bergsten@sirrix.com> + +2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/cli-debug.c, src/tests.c: gnutls-cli-debug: added AES and + CAMELLIA to the list of default ciphers + +2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: doc update + +2014-08-06 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-gtls-app.texi: mention profile in security parameters + table + +2014-08-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * devel/DCO/people-dco.txt: Added people who have sent a DCO for + gnutls + +2014-08-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-08-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey_pkcs8.c: pkcs12: fixes in decryption with null + password + +2014-08-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: free unused variables + +2014-08-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/pkcs8-decode/Makefile.am, + tests/pkcs8-decode/suppressions.valgrind: added missing file + +2014-08-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c: certtool: print more information on PKCS #12 + structures. use gnutls_pkcs12_bag_enc_info to print more information on + encrypted PKCS #12 structures. 
+ +2014-08-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/pkcs12.h, lib/libgnutls.map, + lib/x509/pkcs12_bag.c, lib/x509/privkey_pkcs8.c, + lib/x509/x509_int.h: added new function to obtain information on a + PKCS #12 encrypted bag New function: gnutls_pkcs12_bag_enc_info() + +2014-08-05 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey_pkcs8.c: doc update + +2014-08-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/certtool.c: certtool: default pkcs-cipher is now 3des as in + PKCS #12 + +2014-08-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/x509.h, lib/x509/privkey_pkcs8.c, + src/certtool.c: gnutls_pkcs8_info: will return OID value even on + unsupported structures + +2014-08-05 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_state.c, lib/x509/x509.c: doc: replaced non-0 with + non-zero + +2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS, src/certtool-args.def: doc update + +2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey_pkcs8.c: simplified decrypt_data() and initialize + parameters on decryption + +2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey_pkcs8.c: further increase iteration count + +2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c, tests/pkcs8-decode/Makefile.am, + tests/pkcs8-decode/openssl-3des.p8.txt, + tests/pkcs8-decode/openssl-aes128.p8.txt, + tests/pkcs8-decode/openssl-aes256.p8.txt, tests/pkcs8-decode/pkcs8: + certtool: improved PKCS #8 information printing + +2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/pkcs8-decode/Makefile.am, + tests/pkcs8-decode/openssl-3des.p8, + tests/pkcs8-decode/openssl-3des.p8.txt, + tests/pkcs8-decode/openssl-aes128.p8, + tests/pkcs8-decode/openssl-aes128.p8.txt, + tests/pkcs8-decode/openssl-aes256.p8, + tests/pkcs8-decode/openssl-aes256.p8.txt, tests/pkcs8-decode/pkcs8: + tests: added more PKCS #8 decoding tests + +2014-08-04 
Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: small fixes and + optimizations in PKCS #8 information + +2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def, src/certtool.c: certtool: added --p8-info + option + +2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/x509.h, lib/libgnutls.map, + lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: added new functions + to obtain information on PKCS #8 structures. Added gnutls_pkcs8_info(), gnutls_pkcs_schema_get_name(), and + gnutls_pkcs_schema_get_oid(). + +2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/x509.h, lib/pkix.asn, lib/pkix_asn1_tab.c, + lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: PKCS #8 encryption + support was made more compact and manageable + +2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/pkcs12.c: pkcs12: increased the number of iterations for + MAC + +2014-08-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/atfork.c: removed debugging info + +2014-07-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/atfork.h, lib/nettle/rnd-common.c, lib/system.h, + lib/x509/verify-high2.c: several windows compilation fixes + +2014-07-31 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/includes/gnutls/gnutls.h.in: gnutls.h: use _SYM_EXPORT to + export other than function symbols + +2014-07-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * src/libopts/COPYING.gplv3, src/libopts/COPYING.lgplv3, + src/libopts/README, src/libopts/ag-char-map.h, src/libopts/alias.c, + src/libopts/ao-strs.c, src/libopts/ao-strs.h, + src/libopts/autoopts.c, src/libopts/autoopts.h, + src/libopts/autoopts/options.h, src/libopts/autoopts/project.h, + src/libopts/autoopts/usage-txt.h, src/libopts/boolean.c, + src/libopts/check.c, src/libopts/compat/compat.h, + src/libopts/compat/windows-config.h, 
src/libopts/configfile.c, + src/libopts/cook.c, src/libopts/enum.c, src/libopts/env.c, + src/libopts/file.c, src/libopts/find.c, src/libopts/genshell.c, + src/libopts/genshell.h, src/libopts/gettext.h, src/libopts/init.c, + src/libopts/load.c, src/libopts/m4/libopts.m4, + src/libopts/m4/liboptschk.m4, src/libopts/makeshell.c, + src/libopts/nested.c, src/libopts/numeric.c, + src/libopts/option-value-type.c, src/libopts/option-value-type.h, + src/libopts/option-xat-attribute.c, + src/libopts/option-xat-attribute.h, src/libopts/parse-duration.c, + src/libopts/parse-duration.h, src/libopts/pgusage.c, + src/libopts/proto.h, src/libopts/putshell.c, src/libopts/reset.c, + src/libopts/restore.c, src/libopts/save.c, src/libopts/sort.c, + src/libopts/stack.c, src/libopts/streqvcmp.c, + src/libopts/text_mmap.c, src/libopts/time.c, + src/libopts/tokenize.c, src/libopts/usage.c, src/libopts/version.c: + updated to libopts 5.18.3 + +2014-07-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * build-aux/config.rpath, build-aux/gendocs.sh, + doc/gendocs_template, gl/m4/gnulib-common.m4, gl/m4/intl.m4, + gl/m4/po.m4, gl/m4/printf.m4, gl/m4/valgrind-tests.m4, + gl/tests/fcntl.in.h, maint.mk, src/gl/error.c, src/gl/m4/dup2.m4, + src/gl/m4/gnulib-common.m4, src/gl/m4/printf.m4, src/gl/mktime.c, + src/gl/select.c, src/gl/xalloc.h: updated gnulib + +2014-07-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/pkcs12.c: updated documentation for + gnutls_pkcs12_simple_parse + +2014-07-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS, configure.ac: master now holds the 3.4.0 release + +2014-07-29 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac, lib/Makefile.am, lib/atfork.c, lib/atfork.h, + lib/gnutls_global.c, lib/nettle/rnd-fips.c, lib/nettle/rnd.c, + lib/pkcs11.c: Use pthread_atfork() and variants to detect fork + +2014-07-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-07-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * 
lib/Makefile.am, lib/inet_pton.c, lib/system.h, + lib/x509/rfc2818_hostname.c: Added replacements of inet_aton and + inet_pton on systems they are not present gnulib is avoided due to keep the gnulib network replacements out of + the library. + +2014-07-28 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-cert-auth.texi: Added text on PKCS #11 verification + +2014-07-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/abstract.h, lib/includes/gnutls/gnutls.h.in, + lib/includes/gnutls/ocsp.h, lib/includes/gnutls/pkcs11.h, + lib/includes/gnutls/x509.h: removed comma at the end of enumerations That patch allows compilers that don't support C99 syntax to compile + applications that use a header of gnutls. Report and patch Ryan + Schmidt. + +2014-07-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * Makefile.am, configure.ac, doc/Makefile.am: check for sed in + configure.ac and use the output variable in Makefiles + +2014-07-24 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_handshake.c: doc update + +2014-07-23 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/dane.c: tests: dane: add flag DANE_F_IGNORE_LOCAL_RESOLVER + to dane_state_init That prevents unbound from complaining in systems where no DNSSEC + functionality is present. + +2014-07-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * libdane/dane.c: doc update + +2014-07-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am: tests: added libdane/includes to includes dir + +2014-07-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: released 3.3.6 + +2014-07-23 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: Added + missing functions + +2014-07-22 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * m4/hooks.m4: bumped library version + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * libdane/dane.c: libdane: simplified initialization of variables. 
+ +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * libdane/dane.c: libdane: bogus and secure values are always + initialized in dane_query_to_raw_tlsa + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/dane.c: tests: eliminated leak from dane check + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * libdane/dane.c: libdane: use gnutls_malloc() and doc update + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/Makefile.am, tests/dane.c: Added self test for DANE raw + functions + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/danetool-args.def, src/danetool.c: danetool: added option to + print the raw entries. + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * libdane/dane.c: doc update + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/libgnutls.map: moved _gnutls_prf_raw to FIPS140 symbols + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/x86/aes-gcm-x86-pclmul.c, + lib/accelerated/x86/aes-padlock.c: Added sanity check on padlock AES + IV set. + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_state.c, lib/libgnutls.map: fips140-2: Added + _gnutls_prf_raw() which can calculate the TLS PRF without depending + on a session structure. + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/fips.c: fips140-2: do not check the libtasn1's integrity + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms/ciphersuites.c: RSA-PSK ciphersuites are only + allowed in TLS 1.0. That is because they implement the EncryptedPreMasterSecret encoding + according to RFC 4279, which uses the TLS 1.0 (RFC 2246) encoding, + and there can be ambiguities when using that over SSL 3.0. 
See: + http://lists.gnupg.org/pipermail/gnutls-help/2014-July/003546.html + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_priority.c: gnutls_priority_init: set err_pos prior to + any action That allows a valid err_pos, even on a memory allocation error. + Reported by Dan Fandrich. + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/TODO: updated TODO + +2014-07-22 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/algorithms/ciphersuites.c: minimum version was changed to TLS + 1.0 for ciphersuites with SHA2 These ciphersuites could not be used with SSL 3.0 that only defines + usage of MD5 or SHA1 MACs. Reported by Manuel Pegourie-Gonnard. + +2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/pkcs11.c: ignore CKR_CRYPTOKI_ALREADY_INITIALIZED when + returned on reinitialization + +2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/Makefile.am, tests/x509cert-dir/ca.pem, tests/x509cert-tl.c: + tests: x509cert-tl checks gnutls_x509_trust_list_add_trust_dir() + +2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_x509.c: doc update + +2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_x509.c, lib/includes/gnutls/gnutls.h.in, + lib/libgnutls.map: Added gnutls_certificate_set_x509_trust_dir() + +2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/system.c, + lib/x509/verify-high2.c: Added + gnutls_x509_trust_list_add_trust_dir() This essentially exports the functionality to read from a directory + with trusted certificates. 
+ +2014-07-21 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac, lib/system.c: Allow specifying a directory as trust + store + +2014-07-11 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * NEWS: doc update + +2014-07-10 Simon Arlott <sa.me.uk> + + * libdane/dane.c, libdane/includes/gnutls/dane.h, + libdane/libdane.map: libdane: add function dane_query_to_raw_tlsa This function converts a dane_query_t into the parameters needed for + dane_raw_tlsa() to make it easy to copy the results of the + (synchronous) lookup query from one process to another. This code allocates an unnecessary extra NULL entry for + dane_data_len to avoid trying to malloc 0 bytes if q->data_entries + is 0 (it is possible for malloc/calloc to return NULL when requested + to allocate 0 bytes). 
Signed-off-by: Simon Arlott + +2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/fips.c: FIPS140-2 tests: no need for MD5 check + +2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/fips.c: FIPS140-2 tests: removed redundant checks We keep on check per cipher which is required, and avoid multiple + (and time-consuming) tests. + +2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/x86/x86-common.c: Allow specifying + GNUTLS_CPUID_OVERRIDE in either hex or decimal. + +2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/x86/x86-common.c: Added option to disable any cpu + optimizations + +2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/x86/x86-common.c, + lib/accelerated/x86/x86-common.h: simplified housekeeping of CPUID + registers + +2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/accelerated/x86/x86-common.c: Allow overriding the detected + CPUID using the GNUTLS_CPUID_OVERRIDE environment variable + +2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/privkey.c: FIPS140-2 tests: Added pairwise consistency + check for RSA encryption + +2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-selftests-pk.c: FIPS140-2 tests: check with DSA-2048 + and DSA-3072 bit keys, as well as SHA256. 
+ +2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-selftests-pk.c: FIPS140-2 tests: check with RSA-2048 + and RSA-3072 bit keys + +2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-selftests-pk.c: tests: check RSA with SHA256 + +2014-07-08 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/crypto-selftests-pk.c: FIPS140-2 mode: test whether RSA + encrypted data differ from plaintext + +2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/cipher.c: FIPS140-2 mode: enforce the minimum GCM IV + size required by SP800-38D (section 8.2) + +2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def, src/certtool-common.c, + src/certtool-common.h, src/certtool.c, src/p11tool-args.def, + src/p11tool.c: p11tool/certtool: Added --curve parameter. The curve parameter allows to explicitly specify the curve to use + when generating a key. + +2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_privkey.c, + lib/pkcs11_write.c, lib/x509/key_encode.c, lib/x509/x509_int.h: set + CKA_EC_PARAMS when generating an ECDSA key + +2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: p11tool: only print warning about key sizes in RSA + keys + +2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: p11tool: make brief output more brief + +2014-07-07 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/mpi.c, lib/nettle/pk.c: mpi: use zeroize_key() instead + of memset() + +2014-07-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * libdane/dane.c: dane: Skip DANE entries that may contain unknown + info That would allow skipping any future entries without failing. + Reported by Simon Arlott. 
+ +2014-07-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * libdane/dane.c: dane: Added sanity check in dane_verify_crt_raw() That allows calling the function will an empty chain. Reported by + Simon Arlott. + +2014-07-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/examples/ex-cert-select-pkcs11.c, + doc/examples/ex-cert-select.c, doc/examples/ex-client-dtls.c, + doc/examples/ex-client-srp.c, doc/examples/ex-client-x509.c, + doc/examples/ex-serv-anon.c, doc/examples/ex-serv-pgp.c, + doc/examples/ex-serv-psk.c, doc/examples/ex-serv-srp.c, + doc/examples/ex-serv-x509.c: examples: mention that + gnutls_global_init() is optional + +2014-07-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-tokens.texi: doc: mention and link to trust storage module + +2014-07-06 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-bib.texi, doc/cha-tokens.texi: doc update + +2014-07-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-07-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: pkcs11: Removed length check of attribute as + a sanity check for valid keys. There can be keys where the id or label is empty and thus with zero + length. + +2014-07-04 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: Increased number of attributes + +2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: try to restart on session errors, to avoid + having a failed call. + +2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: corrected pkcs11 reinitialization + +2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11_privkey.c: If we get a PKCS #11 session error, + invalidate the cached session. 
+ +2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c: set the maximum value when printing + library_description + +2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c, lib/pkcs11_privkey.c: On fork invalidate the PKCS + #11 privkey cached session + +2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/pkcs11.c: p11tool: don't outsmart user and override login type Unfortunately tokens vary on their requirements for writing trusted + and private objects, and there is no one-size fits all policy. Thus + allow a proper failure and warn the user that so-login may be + required. + +2014-07-03 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/testpkcs11: testpkcs11: Try to write the trusted + object both by so-pin and normal pin + +2014-07-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/suite/testpkcs11: tests: testpkcs11: temp parameters are + deleted after generation + +2014-07-02 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * configure.ac, m4/hooks.m4: bumped version + +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/Makefile.am: tests: added testpkcs11.sc-hsm + +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool-args.def, src/pkcs11.c: p11tool: use GNUTLS_PIN and + GNUTLS_SO_PIN when setting the PINs of an initialized token. 
+ +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/slow/gendh.c: tests: gendh: increased the DH prime size to + allow usage under FIPS140-2 mode + +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/common.c: tools: when in batch mode and no PIN, print a note + about using the environment variables + +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/crq_key_id.c: tests: crq_key_id: increased generated DSA key + size and changed hash to SHA256 That allows the test to operate under the FIPS140-2 mode. + +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/crq_key_id.c: tests: improved error reporting in crq_key_id + +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * doc/cha-upgrade.texi: doc: properly terminate table + +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/int/dsa-keygen-fips186.c: removed pbits=1024, qbits=160 + from the acceptable bit sizes in FIPS140-2 DSA parameter generation. + +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool.c, src/common.c, src/common.h, src/danetool.c, + src/pkcs11.c, src/serv.c: tools: PIN callback will respect batch + mode and will not ask for PIN. + +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-common.h, src/p11tool-args.def, src/p11tool.c, + src/p11tool.h, src/pkcs11.c: p11tool: Ask for label if not + specified. Added --batch parameter to disable interaction. 
+ +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool.c, src/p11tool.h, src/pkcs11.c: p11tool: If there is + only a single token available, don't bother complaining about + specifying the correct URL + +2014-07-02 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/nettle/int/drbg-aes.h: updated comment + +2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-args.def: certtool: document that URLs are supported + +2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/p11tool-args.def: p11tool: document GNUTLS_SO_PIN env variable + +2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/suite/Makefile.am, tests/suite/testpkcs11, + tests/suite/testpkcs11.pkcs15, tests/suite/testpkcs11.sc-hsm, + tests/suite/testpkcs11.softhsm: tests: improved testpkcs11 suite + +2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: + gnutls_pkcs11_privkey_generate2(): corrected public key extraction + (for ECDSA keys) + +2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/common.c: p11tool/certtool: use GNUTLS_SO_PIN for reading + security officer's PIN + +2014-07-01 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * src/certtool-common.h, src/p11tool-args.def, src/p11tool.c, + src/pkcs11.c: p11tool: added options --set-pin and --set-so-pin These allow for an non-interactive --initialize process. + +2014-06-30 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/rfc2818_hostname.c: Added explicit documentation on IPv4 + and IPv6 address matching. 
+ +2014-06-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * tests/long-session-id.c: tests: long-session-id: ignore SIGPIPE + +2014-06-29 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-upgrade.texi: doc: Added text on upgrading to 3.3.x from + 3.2.x + +2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/rfc2818_hostname.c: do not exit the loop in case a name + doesn't fit into our buffer. + +2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/rfc2818_hostname.c: when verifying an IP, also verify it + as a hostname There are several misconfigured servers that placed their IP as a + DNS name. Pointed out by David Woodhouse. + +2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/output.c: supress warnings + +2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * NEWS: doc update + +2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac, lib/x509/rfc2818_hostname.c: check of inet_pton + instead for AF_INET6 + +2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * configure.ac, lib/x509/output.c: Use inet_ntop() for printing IP + addresses. The old dumb code is used in systems that don't have that function. + +2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * tests/hostname-check.c: tests: Added test cases for IPv4/6 + matching. + +2014-06-27 Nikos Mavrogiannopoulos <nmav@redhat.com> + + * lib/x509/rfc2818_hostname.c: gnutls_x509_crt_check_hostname() + checks text ip addresses as well. That aligns the documentation with the implementation. Reported by + David Woodhouse. + +2014-06-27 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/gnutls_str.c: initialize str to NULL + +2014-06-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * lib/x509/crl.c: fixed documentation + 2014-06-26 Nikos Mavrogiannopoulos <nmav@gnutls.org> * tests/cert-tests/aki, tests/cert-tests/pathlen, 
@@ -11994,8 +22354,18 @@ 2012-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> - * Removed GNUTLS_CERT_REVOCATION_DATA_INVALID and no longer fail on - OCSP parsing errors. + * NEWS, lib/gnutls_cert.c, lib/gnutls_x509.c, + lib/includes/gnutls/gnutls.h.in: Removed + GNUTLS_CERT_REVOCATION_DATA_INVALID and no longer fail on OCSP + parsing errors. + +2012-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * doc/cha-cert-auth.texi, doc/cha-tokens.texi: doc update + +2012-11-07 Nikos Mavrogiannopoulos <nmav@gnutls.org> + + * gnutls-cli-debug uses server name indication. ----- |
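Review bot: the commit message says only "Imported Upstream version 3.4.11", while the entries added by the first hunk (@@ -1,3 +1,10363 @@) record renames and behaviour changes that packages built against this library may depend on. Examples are "gnutls_pkcs11_flags_get_str -> gnutls_pkcs11_obj_flags_get_str", "changed semantics of gnutls_pkcs11_privkey_get_pubkey; named gnutls_pkcs11_privkey_export_pubkey", "when verifying an IP, also verify it as a hostname" and "certtool: default pkcs-cipher is now 3des as in PKCS #12". Please check which of these are new relative to the previously imported version and list them in the commit message or the packaging changelog, so that dependent packages get reviewed for them.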
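Review bot: the second hunk (@@ -11994,8 +22354,18 @@) edits history that was already in the file instead of only prepending new entries. The 2012-11-07 entry "Removed GNUTLS_CERT_REVOCATION_DATA_INVALID and no longer fail on OCSP parsing errors" is replaced by a re-wrapped version with a file list (NEWS, lib/gnutls_cert.c, lib/gnutls_x509.c, lib/includes/gnutls/gnutls.h.in), and a separate "doc update" entry with the same date is inserted after it. If this comes from the upstream file itself, that is fine for an import, but please confirm that ChangeLog is byte-identical to the one in the verified upstream 3.4.11 release archive so that no local edit is mixed into the import commit.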