diff options
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 325 |
1 files changed, 166 insertions, 159 deletions
@@ -53,6 +53,11 @@ See the end for copying conditions. ** certtool: Add parameter --no-text that prevents certtool from outputting text before PEM-encoded private key, public key, certificate, CRL or CSR. +** libgnutls: Added support for raw public-key authentication as defined in RFC7250. + Raw public-keys can be negotiated by enabling the corresponding certificate + types via the priority strings. The raw public-key mechanism must be explicitly + enabled via the GNUTLS_ENABLE_RAWPK init flag. + ** API and ABI modifications: GNUTLS_AUTO_REAUTH: Added GNUTLS_CIPHER_AES_128_CFB8: Added @@ -60,6 +65,8 @@ GNUTLS_CIPHER_AES_192_CFB8: Added GNUTLS_CIPHER_AES_256_CFB8: Added GNUTLS_MAC_AES_CMAC_128: Added GNUTLS_MAC_AES_CMAC_256: Added +GNUTLS_ENABLE_RAWPK: Added +GNUTLS_ENABLE_CERT_TYPE_NEG: Removed gnutls_record_get_max_early_data_size: Added gnutls_record_send_early_data: Added gnutls_record_recv_early_data: Added @@ -169,7 +176,7 @@ gnutls_ffdhe_6144_key_bits: Added ** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal Ronen and Adi Shamir reported that the existing counter-measures had certain issues and - were insufficient when the attacker has additional access to the CPU cache and + were insufficient when the attacker has additional access to the CPU cache and performs a chosen-plaintext attack. This affected the legacy CBC ciphersuites. [CVSS: medium] ** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation @@ -514,7 +521,7 @@ GNUTLS_SFLAGS_RFC7919: Added a flag. ** libgnutls: Improved TPM key handling. Check authorization requirements - prior to using a key and fix issue on loop for PIN input. Patches by + prior to using a key and fix issue on loop for PIN input. Patches by James Bottomley. ** libgnutls: In all functions accepting UTF-8 passwords, ensure that @@ -592,7 +599,7 @@ gnutls_x509_crq_get_dn3: Added not identical to CVE-2016-8610, due to the difference in alert handling of the libraries (gnutls delegates that handling to applications). -** libgnutls: Reverted the change which made the gnutls_certificate_set_*key* +** libgnutls: Reverted the change which made the gnutls_certificate_set_*key* functions return an index (introduced in 3.5.5), to avoid affecting programs which explicitly check success of the function as equality to zero. In order for these functions to return an index an explicit call to gnutls_certificate_set_flags @@ -952,11 +959,11 @@ gnutls_session_get_master_secret: Added ** libgnutls: Removed support for pthread_atfork() as it has undefined semantics when used with dlopen(), and may lead to a crash. -** libgnutls: corrected failure when importing plain files +** libgnutls: corrected failure when importing plain files with gnutls_x509_privkey_import2(), and a password was provided. ** libgnutls: Don't reject certificates if a CA has the URI or IP address - name constraints, and the end certificate doesn't have an IP address + name constraints, and the end certificate doesn't have an IP address name or a URI set. ** libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites. @@ -1052,7 +1059,7 @@ explicitly enabled, since they reduce the overall security level. ** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10. That is currently provided as technology preview and is not enabled by -default, since there are no assigned ciphersuite points by IETF and there +default, since there are no assigned ciphersuite points by IETF and there is no guarrantee of compatibility between draft versions. The ciphersuite priority string to enable it is "+CHACHA20-POLY1305". @@ -1104,14 +1111,14 @@ applications closing all open file descriptors on startup. ** libgnutls: If a key purpose (extended key usage) is specified for verification, it is applied into intermediate certificates. The verification result -GNUTLS_CERT_PURPOSE_MISMATCH is also introduced. +GNUTLS_CERT_PURPOSE_MISMATCH is also introduced. ** libgnutls: When gnutls_certificate_set_x509_key_file2() is used in combination with PKCS #11, or TPM URLs, it will utilize the provided password as PIN if required. That removes the requirement for the application to set a callback for PINs in that case. -** libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are +** libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are restricted to the corresponding protocols only, and the VERS-ALL string is introduced to catch all possible protocols. @@ -1163,14 +1170,14 @@ when available. ** gnutls-cli: added options --priority-list and --save-cert. -** guile: Deprecated priority API has been removed. The old priority API, +** guile: Deprecated priority API has been removed. The old priority API, which had been deprecated for some time, is now gone; use 'set-session-priorities!' instead. -** guile: Remove RSA parameters and related procedures. This API had been -deprecated. +** guile: Remove RSA parameters and related procedures. This API had been +deprecated. -** guile: Fix compilation on MinGW. Previously only the static version of the +** guile: Fix compilation on MinGW. Previously only the static version of the 'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile. ** API and ABI modifications: @@ -1300,7 +1307,7 @@ being usable after a reinitialization. ** libgnutls: fixed PKCS #11 ECDSA key generation. -** libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to +** libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to explicitly enable/disable the use of certain CPU capabilities. Note that CPU detection cannot be overridden, i.e., VIA options cannot be enabled on an Intel CPU. The currently available options are: @@ -1467,7 +1474,7 @@ were moved to self-test.h. different recv and send pointers have been specified. Reported and investigated by JMRecio. -** libgnutls: Fixed issue in the RSA-PSK key exchange, which would +** libgnutls: Fixed issue in the RSA-PSK key exchange, which would result to illegal memory access if a server hint was provided. Reported by André Klitzing. @@ -1494,7 +1501,7 @@ That avoids long delays in gnutls initialization due to broken PKCS #11 modules. ** libgnutls: The PKCS #11 subsystem is re-initialized "automatically" -on the first PKCS #11 API call after a fork. +on the first PKCS #11 API call after a fork. ** libgnutls: certificate verification profiles were introduced that can be specified as flags to verification functions. They @@ -1508,15 +1515,15 @@ specified configuration file to be used to read pre-configured priority strings from. That can be used to impose system specific policies. ** libgnutls: Increased the default security level of priority -strings (NORMAL and PFS strings require at minimum a 1008 DH prime), -and set a verification profile by default. The LEGACY keyword is +strings (NORMAL and PFS strings require at minimum a 1008 DH prime), +and set a verification profile by default. The LEGACY keyword is introduced to set the old defaults. ** libgnutls: Added support for the name constraints PKIX extension. Currently only DNS names and e-mails are supported (no URIs, IPs or DNs). -** libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to +** libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL. ** libgnutls: Added new API in x509-ext.h to handle X.509 extensions. @@ -1573,7 +1580,7 @@ to SHA1. That option enables (when running on FIPS140-enabled system): o RSA, DSA and DH key generation as in FIPS-186-4 (using provable primes) o The DRBG-CTR-AES256 deterministic random generator from SP800-90A. - o Self-tests on initialization on ciphers/MACs, public key algorithms + o Self-tests on initialization on ciphers/MACs, public key algorithms and the random generator. o HMAC-SHA256 verification of the library on load. o MD5 is included for TLS purposes but cannot be used by the high level @@ -1685,7 +1692,7 @@ GCM mode is prioritized over CBC in all of the default priority strings. ** libgnutls: Added ciphersuite GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384. ** libgnutls: Fixed ciphersuites GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384, -GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 and GNUTLS_PSK_CAMELLIA_128_GCM_SHA256. +GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 and GNUTLS_PSK_CAMELLIA_128_GCM_SHA256. Reported by Stefan Buehler. ** libgnutls: Added support for ISO OID for RSA-SHA1 signatures. @@ -1727,7 +1734,7 @@ by Christian Grothoff. ** srptool: Fixed index command line option. Patch by Attila Molnar. ** gnutls-cli: Added support for inline commands, using the ---inline-commands-prefix and --inline-commands options. Patch by Raj Raman. +--inline-commands-prefix and --inline-commands options. Patch by Raj Raman. ** certtool: pathlen constraint is now read correctly. Reported by Christoph Seitz. @@ -1764,13 +1771,13 @@ gnutls_record_set_timeout: Exported ** libgnutls: Fixes in parsing of priority strings. Patch by Stefan Buehler. -** libgnutls: Solve issue with received TLS packets that exceed 2^14. +** libgnutls: Solve issue with received TLS packets that exceed 2^14. (this fixes a bug that was accidentally introduced in 3.2.2) ** libgnutls: Removed gnulib modules under LGPLv3 that could possibly be used by the library. -** libgnutls: Fixes in gnutls_record_send_range(). Report and initial fix by +** libgnutls: Fixes in gnutls_record_send_range(). Report and initial fix by Alfredo Pironti. ** API and ABI modifications: @@ -1835,7 +1842,7 @@ gnutls_session_set_id: Added ** libgnutls: Added UMAC-96 and UMAC-128 ** libgnutls: Added ciphersuites involving Salsa20 and UMAC-96. -As they are not standardized they are defined using private ciphersuite +As they are not standardized they are defined using private ciphersuite numbers. ** libgnutls: Added support for DTLS 1.2. @@ -1856,7 +1863,7 @@ gnutls_mac_get_nonce_size: Added * Version 3.1.10 (released 2013-03-22) -** certtool: When generating PKCS #12 files use by default the +** certtool: When generating PKCS #12 files use by default the ARCFOUR (RC4) cipher to be compatible with devices that don't support AES with PKCS #12. @@ -1873,12 +1880,12 @@ cards are present. ** libgnutls: Corrected issue in the (deprecated) external key signing interface, when used with TLS 1.2. Reported by Bjorn H. Christensen. -** libgnutls: Fixes in openpgp handshake with fingerprints. Reported by +** libgnutls: Fixes in openpgp handshake with fingerprints. Reported by Joke de Buhr. ** libgnutls-dane: Updated DANE verification options. -** configure: Trust store file must be explicitly set or unset when +** configure: Trust store file must be explicitly set or unset when cross compiling. ** API and ABI modifications: @@ -1901,7 +1908,7 @@ a PKCS #12 file from an encrypted key file. Reported by Yan Fiz. ** libgnutls: Corrected issue in gnutls_pubkey_verify_data(). -** libgnutls: Corrected parsing issue in XMPP within a subject +** libgnutls: Corrected parsing issue in XMPP within a subject alternative name. Reported by James Cloos. ** libgnutls: gnutls_pkcs11_reinit() will reinitialize all PKCS #11 @@ -1932,7 +1939,7 @@ with encrypted keys. Reported by Yan Fiz. PERFORMANCE was set to previous defaults 727 bits. Reported by Diego Elio Petteno. -** libgnutls: Corrected issue which prevented gnutls_pubkey_verify_hash() +** libgnutls: Corrected issue which prevented gnutls_pubkey_verify_hash() to operate with long keys. Reported by Erik A Jensen. ** API and ABI modifications: @@ -1956,7 +1963,7 @@ in a template from an RFC4514 string. ** libgnutls: DN variable 'T' was expanded to 'title'. -** libgnutls: Fixes in record padding parsing to prevent a timing attack. +** libgnutls: Fixes in record padding parsing to prevent a timing attack. Issue reported by Kenny Paterson and Nadhem Alfardan. ** libgnutls: Added functions to directly set the DN in a certificate @@ -1972,17 +1979,17 @@ by the specified priority string. The current values correspond to the previous defaults (727 bits), except for the SECURE128 and SECURE192 strings which increase the minimum to 1248 and 1776 respectively. -** libgnutls: Added the gnutls_record_cork() and uncork API to enable +** libgnutls: Added the gnutls_record_cork() and uncork API to enable buffering in sending application data. -** libgnutls: Removed default random padding, and added a length-hiding interface -instead. Both the server and the client must support this extension. Whether +** libgnutls: Removed default random padding, and added a length-hiding interface +instead. Both the server and the client must support this extension. Whether length-hiding can be used on a given session can be checked using gnutls_record_can_use_length_hiding(). Contributed by Alfredo Pironti. -** libgnutls: Added the experimental %NEW_PADDING priority string. It enables +** libgnutls: Added the experimental %NEW_PADDING priority string. It enables a new padding mechanism in TLS allowing arbitrary padding in TLS records -in all ciphersuites, which makes length-hiding more efficient and solves +in all ciphersuites, which makes length-hiding more efficient and solves the issues with timing attacks on CBC ciphersuites. ** libgnutls: Corrected gnutls_cipher_decrypt2() when used with AEAD @@ -2054,10 +2061,10 @@ extension. ** libgnutls: Handle BMPString (UCS-2) encoding in the Distinguished Name by translating it to UTF-8 (works on windows or systems with iconv). -** libgnutls: Added PKCS #11 key generation function that returns the +** libgnutls: Added PKCS #11 key generation function that returns the public key on generation. -** libgnutls: Corrected bug in priority string parsing, that mostly +** libgnutls: Corrected bug in priority string parsing, that mostly affected combined levels. Patch by Tim Kosse. ** certtool: The --pubkey-info option can be combined with the @@ -2065,7 +2072,7 @@ affected combined levels. Patch by Tim Kosse. ** certtool: It is able to set certificate policies via a template. -** certtool: Added --hex-numbers option which prints big numbers in +** certtool: Added --hex-numbers option which prints big numbers in an easier to parse format. ** p11tool: After key generation, outputs the public key (useful in @@ -2101,7 +2108,7 @@ gnutls_certificate_verify_peers3(). Contributed by Martin Storsjo. ** libgnutls: The X.509 verification functions check the key -usage bits and pathlen constraints and on failure output +usage bits and pathlen constraints and on failure output GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE. ** libgnutls: gnutls_x509_crl_verify() includes the time checks. @@ -2176,7 +2183,7 @@ GNUTLS_NO_EXTENSIONS can be used to prevent that. is fully RFC6091 compliant and RFC5081 support is only supported in client mode. -** libgnutls-dane: Added. It is a library to provide DANE with DNSSEC +** libgnutls-dane: Added. It is a library to provide DANE with DNSSEC certificate verification. ** gnutls-cli: Added --dane option to enable DANE certificate verification. @@ -2228,10 +2235,10 @@ of certificates in the windows platform. ** libgnutls: Added support for DTLS/TLS heartbeats by Olga Smolenchuk. (the work was done during Google Summer of Code). -** libgnutls: Added X.509 certificate verification flag +** libgnutls: Added X.509 certificate verification flag GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN. This flag allows the verification of unsorted certificate chains and is enabled by default for -TLS certificate verification (if gnutls_certificate_set_verify_flags() +TLS certificate verification (if gnutls_certificate_set_verify_flags() does not override it). ** libgnutls: Prints warning on certificates that contain keys of @@ -2273,7 +2280,7 @@ GNUTLS_SEC_PARAM_INSECURE: Added ** certtool: Changes in password handling of certtool. Ask password when required and only if the '--password' option is not -given. If the '--password' option is given during key generation then +given. If the '--password' option is given during key generation then assume the PKCS #8 file format, instead of ignoring the password. ** tpmtool: No longer asks for key password in registered keys. @@ -2302,7 +2309,7 @@ gnutls_sign_get_pk_algorithm: Added * Version 3.1.0 (released 2012-08-15) -** libgnutls: Added direct support for TPM as a cryptographic module +** libgnutls: Added direct support for TPM as a cryptographic module in gnutls/tpm.h. TPM keys can be used in functions accepting files using URLs of the following types: tpmkey:file=/path/to/file @@ -2328,8 +2335,8 @@ the whole certificate chain (if any) to the credentials structure, instead of only the end-user certificate. ** libgnutls: Key import functions such as gnutls_pkcs12_simple_parse() -and gnutls_x509_privkey_import_pkcs8(), return consistently -GNUTLS_E_DECRYPTION_FAILED if the input structure is encrypted but no +and gnutls_x509_privkey_import_pkcs8(), return consistently +GNUTLS_E_DECRYPTION_FAILED if the input structure is encrypted but no password was provided. ** libgnutls: Added gnutls_handshake_set_timeout() a function that @@ -2418,11 +2425,11 @@ No changes since last version. * Version 3.0.21 (released 2012-07-02) -** libgnutls: fixed bug in gnutls_x509_privkey_import() +** libgnutls: fixed bug in gnutls_x509_privkey_import() that prevented the loading of EC private keys when DER encoded. Reported by David Woodhouse. -** libgnutls: In DTLS larger to mtu records result to +** libgnutls: In DTLS larger to mtu records result to GNUTLS_E_LARGE_PACKET instead of being truncated. ** libgnutls: gnutls_dtls_get_data_mtu() is more precise. Based @@ -2431,11 +2438,11 @@ on patch by David Woodhouse. ** libgnutls: Fixed memory leak in PKCS #8 key import. ** libgnutls: Added support for an old version of the DTLS protocol -used by openconnect vpn client for compatibility with Cisco's AnyConnect +used by openconnect vpn client for compatibility with Cisco's AnyConnect SSL VPN. It is marked as GNUTLS_DTLS0_9. Do not use it for newer protocols as it has issues. -** libgnutls: Corrected bug that prevented resolving PKCS #11 URLs +** libgnutls: Corrected bug that prevented resolving PKCS #11 URLs if only the label is specified. Patch by David Woodhouse. ** libgnutls: When EMSGSIZE errno is seen then GNUTLS_E_LARGE_PACKET @@ -2465,7 +2472,7 @@ name type in certtool. ** certtool: Increase to 128 the maximum number of distinct options (e.g. dns_names) allowed. -** gnutls-cli: If --print-cert is given, print the certificate, +** gnutls-cli: If --print-cert is given, print the certificate, even on verification failure. ** API and ABI modifications: @@ -2482,7 +2489,7 @@ by David Smith. ** libgnutls: gnutls_record_check_pending() no longer returns unprocessed data, and thus ensure the non-blocking -of the next call to gnutls_record_recv(). +of the next call to gnutls_record_recv(). ** libgnutls: Added strict tests in Diffie-Hellman and SRP key exchange public keys. @@ -2509,7 +2516,7 @@ is returned on premature termination (and added unit test). ** libgnutls: Fixes for W64 API. Patch by B. Scott Michel. -** libgnutls: Corrected VIA padlock detection for old +** libgnutls: Corrected VIA padlock detection for old VIA processors. Reported by Kris Karas. ** libgnutls: Updated assembler files. @@ -2544,7 +2551,7 @@ No changes since last version. ** libgnutls: included assembler files for MacOSX. -** p11tool: Small fixes in handling of the --private command +** p11tool: Small fixes in handling of the --private command line option. ** certtool: The template option allows for setting the domain @@ -2560,7 +2567,7 @@ gnutls_x509_crt_set_authority_info_access: Added ** test suite: Only run under valgrind in the development system (the full git repository) -** command line apps: Link with local libopts if the +** command line apps: Link with local libopts if the installed is an old one. ** libgnutls: Eliminate double free during SRP @@ -2620,7 +2627,7 @@ status from an ocsp server. ** command line apps: Use gnu autogen (libopts) to parse command line arguments and template files. -** tests: Added stress test for DTLS packet losses and +** tests: Added stress test for DTLS packet losses and out-of-order receival. Contributed by Sean Buckheister. ** libgnutls: Several updates and corrections in the DTLS @@ -2699,7 +2706,7 @@ correctly aligned in rare circumstances. ** libgnutls: Corrected memory leaks in DH parameter generation and ecc_projective_check_point(). -** libgnutls: Added gnutls_x509_dn_oid_name() to +** libgnutls: Added gnutls_x509_dn_oid_name() to return a descriptive name of a DN OID. ** API and ABI modifications: @@ -2745,7 +2752,7 @@ gnutls_ocsp_resp_verify: Added. * Version 3.0.11 (released 2012-01-06) -** libgnutls: Corrected functionality of +** libgnutls: Corrected functionality of gnutls_record_get_direction(). Reported by Philip Allison. ** libgnutls: Provide less timing information when decoding @@ -2772,7 +2779,7 @@ issue in windows systems. ** libgnutls: Added ciphersuites: GNUTLS_PSK_WITH_AES_256_GCM_SHA384 and GNUTLS_DHE_PSK_WITH_AES_256_GCM_SHA384. -** libgnutls: Added function gnutls_random_art() to convert +** libgnutls: Added function gnutls_random_art() to convert fingerprints to images (currently ascii-art). ** libgnutls: Corrected bug in DSA private key parsing, which @@ -2855,13 +2862,13 @@ No changes since last version. ** gnutls-guile: Compilation fixes. -** libgnutls: Fixed possible buffer overflow in +** libgnutls: Fixed possible buffer overflow in gnutls_session_get_data(). Reported and fix by Alban Crequy. ** libgnutls: Bug fixes in the ciphersuites with NULL cipher. Reported by Fabrice Gautier. -** libgnutls: Bug fixes in ECC code for 64-bit MIPS systems. +** libgnutls: Bug fixes in ECC code for 64-bit MIPS systems. Thanks to Joseph Graham for providing access to such a system. ** libgnutls: Correctly report ECC private key parsing errors. @@ -2884,7 +2891,7 @@ No changes since last version. ** libgnutls: Corrections in VIA padlock code for VIA C5 processor and new detection of PHE with support for partial hashing. -** libgnutls: Corrected bug in gnutls_x509_data2hex. Report and fix +** libgnutls: Corrected bug in gnutls_x509_data2hex. Report and fix by Vincent Untz. ** minitasn1: Upgraded to libtasn1 version 2.10. @@ -2902,7 +2909,7 @@ removed. SHA256 and elliptic curves. ** gnutls-cli: Added --benchmark-soft-ciphers to benchmark -the software version of the ciphers instead of hw accelerated +the software version of the ciphers instead of hw accelerated (where available) ** libgnutls: Public key ID calculation is consistent among @@ -2917,13 +2924,13 @@ used with a gnutls_privkey_t and a gnutls_pcert_st structure using gnutls_certificate_set_key(). ** libgnutls: Fixes to enable external signing callback to -operate with TLS 1.2. +operate with TLS 1.2. -** libgnutls: Fixed crash when printing ECDSA certificate key +** libgnutls: Fixed crash when printing ECDSA certificate key ID. Reported by Erik Jensen. -** libgnutls: Corrected VIA padlock code for C3. In C3 benchmarks -show a 50x increase in AES speed and a 14x increase in VIA nano. Added +** libgnutls: Corrected VIA padlock code for C3. In C3 benchmarks +show a 50x increase in AES speed and a 14x increase in VIA nano. Added support for hashes and HMACs. ** libgnutls: Compilation fixed when p11-kit is not detected. @@ -2955,13 +2962,13 @@ number of discarded records in a DTLS session. ** libgnutls: All functions related to RSA-EXPORT were deprecated. Support for RSA-EXPORT ciphersuites will be ceased in future versions. -** libgnutls: Memory leak fixes in credentials private key +** libgnutls: Memory leak fixes in credentials private key deinitialization. Reported by Dan Winship. ** libgnutls: Memory leak fixes in ECC ciphersuites. -** libgnutls: Do not send an empty extension structure in server -hello. This affected old implementations that do not support extensions. +** libgnutls: Do not send an empty extension structure in server +hello. This affected old implementations that do not support extensions. Reported by J. Cameijo Cerdeira. ** libgnutls: Allow CA importing of 0 certificates to succeed. @@ -2977,11 +2984,11 @@ PKCS #11. ** libgnutls: Added gnutls_pkcs11_privkey_generate() to allow generating a key in a token. -** p11tool: Added generate-rsa, generate-dsa and +** p11tool: Added generate-rsa, generate-dsa and generate-ecc options to allow generating private keys in the token. -** libgnutls: gnutls_transport_set_lowat dummy macro was +** libgnutls: gnutls_transport_set_lowat dummy macro was removed. ** API and ABI modifications: @@ -3002,7 +3009,7 @@ by default. ** libgnutls: Corrected issue in gnutls_record_recv() triggered on encryption or compression error. -** libgnutls: Compatibility fixes in CPU ID detection +** libgnutls: Compatibility fixes in CPU ID detection for i386 and old GCC. ** gnutls-cli: Benchmark applications were incorporated @@ -3025,16 +3032,16 @@ GNUTLS_PRIVKEY_IMPORT_COPY: new gnutls_privkey_import() flag * Version 3.0.1 (released 2011-08-20) -** libgnutls: gnutls_certificate_set_x509_key_file() and -friends support server name indication. If multiple -certificates are set using these functions the proper one -will be selected during a handshake. +** libgnutls: gnutls_certificate_set_x509_key_file() and +friends support server name indication. If multiple +certificates are set using these functions the proper one +will be selected during a handshake. ** libgnutls: Added AES-256-GCM which was left out from the previous release. Reported by Benjamin Hof. -** libgnutls: When asking for a PKCS# 11 PIN multiple -times, the flags in the callback were not being updated +** libgnutls: When asking for a PKCS# 11 PIN multiple +times, the flags in the callback were not being updated to reflect for PIN low count or final try. ** libgnutls: Do not allow second instances of PKCS #11 @@ -3046,11 +3053,11 @@ modules. is being read if provided. ** libgnutls: Ensure that a certificate list specified -using gnutls_certificate_set_x509_key() and friends, is +using gnutls_certificate_set_x509_key() and friends, is sorted according to TLS specification (from subject to issuer). ** libgnutls: Added GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED flag for -gnutls_x509_crt_list_import. It checks whether the list to be +gnutls_x509_crt_list_import. It checks whether the list to be imported is properly sorted. ** crywrap: Added to the distribution. It is an application @@ -3109,10 +3116,10 @@ strings to enable the NSA SuiteB cryptography ciphersuites. ** libgnutls: Added gnutls_pubkey_verify_data2() that will verify data provided the signature algorithm. -** libgnutls: Simplified the handling of handshake messages to -be hashed. Instead of hashing during the handshake process we now -keep the data until handshake is over and hash them on request. -This uses more memory but eliminates issues with TLS 1.2 and +** libgnutls: Simplified the handling of handshake messages to +be hashed. Instead of hashing during the handshake process we now +keep the data until handshake is over and hash them on request. +This uses more memory but eliminates issues with TLS 1.2 and simplifies code. ** libgnutls: Added AES-GCM optimizations using the PCLMULQDQ @@ -3204,7 +3211,7 @@ GNUTLS_PK_ECC: New public key algorithm GNUTLS_SIGN_ECDSA_SHA1: New signature algorithm GNUTLS_SIGN_ECDSA_SHA256: New signature algorithm GNUTLS_SIGN_ECDSA_SHA384: New signature algorithm -GNUTLS_SIGN_ECDSA_SHA512: New signature algorithm +GNUTLS_SIGN_ECDSA_SHA512: New signature algorithm GNUTLS_SIGN_ECDSA_SHA224: New signature algorithm GNUTLS_ECC_CURVE_INVALID: New curve definition GNUTLS_ECC_CURVE_SECP224R1: New curve definition @@ -3222,7 +3229,7 @@ GNUTLS_ECC_CURVE_SECP521R1: New curve definition ** libgnutls: Added support for AES-NI if detected. Uses Andy Polyakov's AES-NI code. -** libgnutls: Restored HMAC-MD5 for compatibility. Although considered +** libgnutls: Restored HMAC-MD5 for compatibility. Although considered weak, several sites require it for connection. It is enabled for "NORMAL" and "PERFORMANCE" priority strings. @@ -3266,10 +3273,10 @@ by Todd A. Ouska. every error and not only on fatal ones. This allows easier handling of errors. -** libgnutls: Corrected issue in DHE-PSK ciphersuites that ignored +** libgnutls: Corrected issue in DHE-PSK ciphersuites that ignored the PSK callback. -** libgnutls: SRP and PSK are no longer set on the default priorities. +** libgnutls: SRP and PSK are no longer set on the default priorities. They have to be explicitly set. ** libgnutls: During handshake message verification using DSS @@ -3284,7 +3291,7 @@ on unexpected EOF, instead of GNUTLS_E_UNEXPECTED_PACKET_LENGTH. It was never standardized nor published as an RFC. ** libgnutls: Added new certificate verification functions, that -can provide more details and are more efficient. Check +can provide more details and are more efficient. Check gnutls_x509_trust_list_*. ** certtool: Uses the new certificate verification functions for @@ -3386,7 +3393,7 @@ the incompatibility with TLS other than 1.2. ** libgnutls: Modified signature algorithm selection in client certificate request, to avoid failures in DSA certificates. -** libgnutls: Instead of failing with internal error, return +** libgnutls: Instead of failing with internal error, return GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL if an incompatible DSA key with the negotiated protocol is encountered. @@ -3413,9 +3420,9 @@ gnutls_pubkey_import_openpgp: MODIFIED replaced by gnutls_privkey_sign_hash2(). ** libgnutls: gnutls_pubkey_verify_data, gnutls_pubkey_verify_hash, -gnutls_x509_privkey_verify_data, gnutls_x509_crt_verify_data, -gnutls_x509_crt_verify_hash return the negative error code -GNUTLS_E_PK_SIG_VERIFY_FAILED if verification fails to simplify error +gnutls_x509_privkey_verify_data, gnutls_x509_crt_verify_data, +gnutls_x509_crt_verify_hash return the negative error code +GNUTLS_E_PK_SIG_VERIFY_FAILED if verification fails to simplify error checking. ** libgnutls: Added helper functions for signature verification: @@ -3473,7 +3480,7 @@ gnutls_privkey_sign_hash: REMOVED (was added in 2.11.0) SSL 3.0. To restore the previous default behavior use %LATEST_RECORD_VERSION priority string. -** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures. +** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures. This makes us comply with RFC3279. Reported by Michael Rommel. ** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz. @@ -3573,7 +3580,7 @@ backend crypto library. ** libgnutls: Several updates in the buffering internal interface. -** libgnutls: Is now more liberal in the PEM decoding. That is spaces and +** libgnutls: Is now more liberal in the PEM decoding. That is spaces and tabs are being skipped. ** libgnutls: Added support for draft-pechanec-pkcs11uri-02. @@ -3625,7 +3632,7 @@ jurisdictionOfIncorporationLocalityName, jurisdictionOfIncorporationStateOrProvinceName, jurisdictionOfIncorporationCountryName -** libgnutls: Added support for DSA signing/verifying with bit +** libgnutls: Added support for DSA signing/verifying with bit length over 1024. ** libgnutls-extra: When in FIPS mode gnutls_global_init_extra() @@ -3648,7 +3655,7 @@ imported from tokens, and operations can be performed on private keys. ** libgnutls: Added abstract gnutls_privkey_t and gnutls_pubkey_t ** libgnutls: Added initial support for the nettle library. It uses -the system's random generator for seeding. That is /dev/urandom in Linux, +the system's random generator for seeding. That is /dev/urandom in Linux, system calls in Win32 and EGD on other systems. ** libgnutls: Corrected issue on the %SSL3_RECORD_VERSION priority string. It now @@ -3868,8 +3875,8 @@ Instead new error code GNUTLS_E_UNKNOWN_SRP_USERNAME is added. ** certtool: Corrected two issues that affected certificate request generation. (1) Null padding is added on integers (found thanks to Wilankar Trupti), (2) In optional SignatureAlgorithm parameters field for DSA keys the DSA -parameters were added. Those were rejected by Verisign. Gnutls no longer adds -those parameters there since other implementations don't do either and having +parameters were added. Those were rejected by Verisign. Gnutls no longer adds +those parameters there since other implementations don't do either and having them does not seem to offer anything (anyway you need the signer's certificate to verify thus public key will be available). Found thanks to Boyan Kasarov. This however has the side-effect that public key IDs shown by certtool are @@ -3958,7 +3965,7 @@ with gnutls_sign_algorithm_get_requested() whether the certificate they send complies with the peer's preferences in signature algorithms. -** libgnutls: In server side when resuming a session do not overwrite the +** libgnutls: In server side when resuming a session do not overwrite the ** initial session data with the resumed session data. ** libgnutls: Added support for AES-128, AES-192 and AES-256 in PKCS #8 @@ -4201,7 +4208,7 @@ No changes since last version. * Version 2.8.5 (released 2009-11-02) -** libgnutls: In server side when resuming a session do not overwrite the +** libgnutls: In server side when resuming a session do not overwrite the ** initial session data with the resumed session data. ** libgnutls: Fix PKCS#12 encoding. @@ -4441,7 +4448,7 @@ The symbols are: _gnutls* gnutls_asn1_tab - + Normally when symbols are removed, the shared library version has to be incremented. This leads to a significant cost for everyone using the library. Because none of the above symbols have ever been @@ -4702,7 +4709,7 @@ Reported by Roman Bogorodskiy <novel@FreeBSD.org> in It is currently only used by the core library. This will enable a new domain 'gnutls' for translations of the command line tools. -** Corrected possible memory corruption on signature verification failure. +** Corrected possible memory corruption on signature verification failure. Reported by Miroslav Kratochvil <exa.exa@gmail.com> ** API and ABI modifications: @@ -4732,8 +4739,8 @@ information. This avoids code duplication. They can be used to override the default certificate chain validation behaviour. -** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to -specify the client hello message record version. Used to overcome buggy +** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to +specify the client hello message record version. Used to overcome buggy TLS servers. Report by Martin von Gagern. ** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode. @@ -5912,7 +5919,7 @@ The crash can be triggered remotely before authentication, which can lead to a Daniel of Service attack to disable the server. The bug cause gnutls to read memory beyond the end of the received record. -** libgnutlsxx: Updated API according to patches from Eduardo +** libgnutlsxx: Updated API according to patches from Eduardo Villanueva Che (discussion at <http://lists.gnu.org/archive/html/gnutls-devel/2007-02/msg00017.html>) @@ -6098,7 +6105,7 @@ gnutls_openpgp_crt_get_auth_subkey: MODIFIED ** Finish renaming of gnutls_certificate_export_x509_cas etc. They weren't renamed in the public header file. -** Added functions to register a cipher/mac/digest. This allows to +** Added functions to register a cipher/mac/digest. This allows to override the included ones. ** Fix a bunch of compiler warnings. @@ -6658,7 +6665,7 @@ No changes since last version. * Version 2.1.4 (released 2007-10-27) ** Added the --v1 option to certtool, to allow generating X.509 -version 1 certificates. +version 1 certificates. ** certtool: Add option --disable-quick-random to enable the old behaviour of using /dev/random to generate keys. @@ -6668,7 +6675,7 @@ of using /dev/random to generate keys. ** Added gnutls_set_default_priority2() which accepts a flag to indicate priorities preferences. -** Added gnutls_record_disable_padding() to allow servers talking to +** Added gnutls_record_disable_padding() to allow servers talking to buggy clients that complain if the TLS 1.0 record protocol padding is used. @@ -6816,7 +6823,7 @@ gnutls_oprfi_enable_server: ADD, new function. * Version 2.0.4 (released 2007-11-16) -** Corrected bug in decompression of expanded compression data. +** Corrected bug in decompression of expanded compression data. ** API and ABI modifications: No changes since last version. @@ -7963,13 +7970,13 @@ Protover SSL. Libtasn1 0.2.18 is now required, which contains the previous bug fix. The included libtasn1 version in GnuTLS has been updated. -** Fixed bug in non-blocking gnutls_bye(). gnutls_record_send() will no -longer invalidate a session if the underlying send fails, but it will +** Fixed bug in non-blocking gnutls_bye(). gnutls_record_send() will no +longer invalidate a session if the underlying send fails, but it will prevent future writes. That is to allow reading the already received data. Patches and bug reports by Yoann Vandoorselaere <yoann@prelude-ids.org> ** Corrected bugs in gnutls_certificate_set_x509_crl() and -gnutls_certificate_set_x509_trust(), that caused memory corruption if +gnutls_certificate_set_x509_trust(), that caused memory corruption if more than one certificates were added. Report and patch by Max Kellermann. ** Fix build problems of OpenCDK on AIX. @@ -8244,8 +8251,8 @@ Use size_t instead of int for output size parameter: - Corrected bugs in gnutls_certificate_set_x509_crl() and gnutls_certificate_set_x509_trust(), that caused memory corruption if more than one certificates were added. Report and patch by Max Kellermann. -- Fixed bug in non-blocking gnutls_bye(). gnutls_record_send() will no - longer invalidate a session if the underlying send fails, but it will +- Fixed bug in non-blocking gnutls_bye(). gnutls_record_send() will no + longer invalidate a session if the underlying send fails, but it will prevent future writes. That is to allow reading the already received data. Patches and bug reports by Yoann Vandoorselaere <yoann@prelude-ids.org> @@ -8361,7 +8368,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS <dalgoda@ix.netcom.com>. - Fixed off-by-one bug in the size parameter of gnutls_x509_crt_get*_dn, reported by Adam Langley <alangley@gmail.com>. -- Corrected some stuff in minilzo detection. Pointed out by +- Corrected some stuff in minilzo detection. Pointed out by Sergey Lipnevich. - MiniLZO updated to version 2.00. - gnutls_x509_crt_list_import now accept a DER formatted CRL. @@ -8424,7 +8431,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS <pierre42d@9online.fr>. - Eliminated some memory leaks in DHE and RSA-EXPORT cipher suites. Reported by Yoann Vandoorselaere <yoann@prelude-ids.org>. -- If the library has been compiled with features disabled, a warning is +- If the library has been compiled with features disabled, a warning is issued during the compilation of any program. - API and ABI modifications: gnutls_x509_crt_list_import(): Add @@ -8436,7 +8443,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS * Version 1.2.0 (2005-01-27) - Added the definitions and OIDs for the RIPEMD-160 hash algorithm. -- Introduced gnutls_x509_crt_sign2(), gnutls_x509_crq_sign2() and +- Introduced gnutls_x509_crt_sign2(), gnutls_x509_crq_sign2() and gnutls_x509_crl_sign2(). - Fixed license header in source code files. @@ -8560,14 +8567,14 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS - Changed the makefiles to be more portable. - SRP ciphersuites were moved to the gnutls library. - Added some default limits in the verification of certificate - chains, to avoid denial of service attacks. Also added + chains, to avoid denial of service attacks. Also added gnutls_certificate_set_verify_limits() to override them. Issue pointed out by Patrik Hornik <patrik@hornik.sk>. - Added gnutls_certificate_verify_peers2(). * Version 1.1.11 (2004-07-16) - Added the '_t' suffix to all exported symbols. -- Fixed bug in RSA encryption, report and patch by Martijn Koster +- Fixed bug in RSA encryption, report and patch by Martijn Koster <mak@greenhills.co.uk>. - Corrected a bug in certificate verification. Pointed out by Yoann Vandoorselaere <yoann@prelude-ids.org> @@ -8575,7 +8582,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS verification functions. - The ephemeral DH and RSA parameters are no longer stored in the session resume DB. -- Do not free the SRP (prime and generator) parameters obtained from the +- Do not free the SRP (prime and generator) parameters obtained from the callback if they are the static ones defined in extra.h - Eliminated some memory leaks. Reported by Yoann Vandoorselaere. @@ -8621,14 +8628,14 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS - Optimized the copying of rsa_params. * Version 1.1.7 (2004-03-29) -- Added gnutls_certificate_set_params_function() and +- Added gnutls_certificate_set_params_function() and gnutls_anon_set_params_function() that set the RSA or DH parameters using a callback. - Added functions gnutls_rsa_params_cpy(), gnutls_dh_params_cpy() and gnutls_x509_privkey_cpy(). - Corrected a compilation issue when opencdk was installed in a non standard directory. -- Deprecated: gnutls_srp_server_set_select_function(), +- Deprecated: gnutls_srp_server_set_select_function(), gnutls_certificate_client_set_select_function(), gnutls_srp_server_set_select_function(). * Version 1.1.6 (2004-02-24) @@ -8740,19 +8747,19 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS compatibility with previous versions. - Changed the makefiles to be more portable. - Added some default limits in the verification of certificate - chains, to avoid denial of service attacks. Also added + chains, to avoid denial of service attacks. Also added gnutls_certificate_set_verify_limits() to override them. Issue pointed out by Patrik Hornik <patrik@hornik.sk>. - Added gnutls_certificate_verify_peers2(). * Version 1.0.16 (2004-07-10) -- Do not free the SRP (prime and generator) parameters obtained from the +- Do not free the SRP (prime and generator) parameters obtained from the callback if they are the static ones defined in extra.h. - Eliminated some memory leaks. Reported by Yoann Vandoorselaere. - Some fixes in the makefiles. * Version 1.0.15 (2004-06-29) -- Fixed bug in RSA encryption, report and patch by Martijn Koster +- Fixed bug in RSA encryption, report and patch by Martijn Koster <mak@greenhills.co.uk>. - Corrected a bug in certificate verification. Pointed out by Yoann Vandoorselaere <yoann@prelude-ids.org>. @@ -8796,7 +8803,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS - Corrected bug in SSL 3.0 authentication. * Version 1.0.9 (2004-03-29) -- Added gnutls_certificate_set_params_function() and +- Added gnutls_certificate_set_params_function() and gnutls_anon_set_params_function() that set the RSA or DH parameters using a callback. - Added functions gnutls_rsa_params_cpy(), gnutls_dh_params_cpy() @@ -8875,7 +8882,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS * Version 0.9.99 (2003-11-28) - Some fixes in the gnutls.h header for the gnutls_server_name_set() and gnutls_server_name_get() prototypes. -- Exported the gnutls_x509_privkey_sign_data(), gnutls_x509_privkey_verify_data() +- Exported the gnutls_x509_privkey_sign_data(), gnutls_x509_privkey_verify_data() and gnutls_x509_crt_verify_data(). - Some fixes in the openpgp authentication. - Removed the Twofish cipher. @@ -8914,7 +8921,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS * Version 0.9.94 (2003-10-30) - Added manpages for the included programs. -- Documented and improved the certtool utility. +- Documented and improved the certtool utility. - Added PKCS #12 support to certtool utility. * Version 0.9.93 (2003-10-26) @@ -8946,7 +8953,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS - The library can now decrypt PKCS #12 files encrypted with the RC2-40 cipher. - The missing rfc2818_hostname object is now included. -- Several corrections and bug fixes in the library by +- Several corrections and bug fixes in the library by Arne Thomassen <arne@arne-thomassen.de>. - CR is now allowed in the base64 decoder. @@ -8977,7 +8984,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS - Added functionality to generate PKCS #7 structures (with certificates). * Version 0.9.3 (2003-03-24) -- Support for MD2 was dropped. +- Support for MD2 was dropped. - Improved the error logging functions, by adding a level, and by allowing debugging messages just by increasing the level. - The diffie Hellman ciphersuites are now of higher priority than @@ -8986,18 +8993,18 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS - Implemented the counter measure discussed in the paper "Attacking RSA-based Sessions in SSL/TLS", against the attack described in the same paper. -- Added the functions: gnutls_handshake_get_last_in(), +- Added the functions: gnutls_handshake_get_last_in(), gnutls_handshake_get_last_out(). -- The gnutls_certificate_set_rsa_params() was renamed to +- The gnutls_certificate_set_rsa_params() was renamed to gnutls_certificate_set_rsa_export_params(). - Added the new functions: gnutls_certificate_set_x509_key() gnutls_certificate_set_x509_trust(), gnutls_certificate_set_x509_crl(), gnutls_x509_crt_export(), gnutls_x509_crl_export(). -- Added support for encoding and decoding PKCS #8 2.0 encrypted +- Added support for encoding and decoding PKCS #8 2.0 encrypted RSA private keys. * Version 0.9.2 (2003-03-15) -- Some corrections in the memory mapping code (file is unmapped after +- Some corrections in the memory mapping code (file is unmapped after it is read). - Added support for PKCS#10 certificate requests generation. @@ -9015,27 +9022,27 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS - Added an strnstr() function and the requirement in some functions to use null terminated PEM structures is no more. - Use mmap() if available to read files. -- Fixed a memory leak in SRP code reported by Rupert Kittinger +- Fixed a memory leak in SRP code reported by Rupert Kittinger <r.kittinger@efkon.com>. * Version 0.9.0 (2003-03-03) - This version is not binary compatible with the previous ones. -- The library notifies the application on empty and illegal SRP usernames, +- The library notifies the application on empty and illegal SRP usernames, so that proper notification (via an alert) is sent to the peer. - Added ability to send some messages back to the application using the gnutls_global_set_log_function(). -- gnutls_dh_params_generate() and gnutls_rsa_params_generate() now use +- gnutls_dh_params_generate() and gnutls_rsa_params_generate() now use gnutls_malloc() to allocate the output parameters. - Added support for MD2 algorithm in certificate signature verification. - The RSA and DH parameter generation interface was changed. Added - ability to import and export from and to PKCS3 structures. This + ability to import and export from and to PKCS3 structures. This was needed to read parameters generated using the openssl dhparam tool. -- Several changes in the temporary (DH/RSA) parameter codebase. No DH - parameters are now included in the library. Also the credentials structure +- Several changes in the temporary (DH/RSA) parameter codebase. No DH + parameters are now included in the library. Also the credentials structure can now hold only one temporary parameter of a kind. -- Added a new Certificate, CRL, Private key and PKCS7 structures handling +- Added a new Certificate, CRL, Private key and PKCS7 structures handling API, defined in gnutls/x509.h -- Added gnutls_certificate_set_verify_flags() function to allow setting the +- Added gnutls_certificate_set_verify_flags() function to allow setting the verification flags in the credentials structure. They will be used in the *verify_peers functions. - Added protection against the new TLS 1.0 record layer timing attack. @@ -9053,19 +9060,19 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS - Some fixes which now allow compilation. * Version 0.8.0 (2003-01-20) -- Added gnutls_x509_extract_dn_string() which returns a +- Added gnutls_x509_extract_dn_string() which returns a distinguished name in a single string. - Added gnutls_openpgp_extract_key_name_string() which returns an openpgp user ID in a single string. - Added gnutls_x509_extract_certificate_ca_status() which returns the CA status of the given certificate. - Added SRP-6 support. Follows draft-ietf-tls-srp-04. -- If libtasn1 is not present in the system, it is included in +- If libtasn1 is not present in the system, it is included in the main gnutls library. - If liblzo is present in the system, then the included minilzo will not be used, and libgnutls-extra will depend on liblzo. -- GNUTLS_E_PARSING_ERROR error code was replaced by GNUTLS_E_BASE64_DECODING_ERROR, - and GNUTLS_E_SRP_PWD_PARSING_ERROR. GNUTLS_E_ASCII_ARMOR_ERROR was also +- GNUTLS_E_PARSING_ERROR error code was replaced by GNUTLS_E_BASE64_DECODING_ERROR, + and GNUTLS_E_SRP_PWD_PARSING_ERROR. GNUTLS_E_ASCII_ARMOR_ERROR was also replaced by GNUTLS_E_BASE64_DECODING_ERROR. * Version 0.6.0 (2002-12-08) @@ -9095,7 +9102,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS these are binary compatible. * Version 0.5.11 (2002-11-05) -- Some fixes in 'gnutls-cli' client program to prevent some segmentation +- Some fixes in 'gnutls-cli' client program to prevent some segmentation faults at exit. - Example programs found in the documentation can now be generated by running "make examples" in doc/tex directory. @@ -9121,7 +9128,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS starttls implementations. - Added gnutls_x509_extract_key_pk_algorithm() function which extracts the private key type, of a DER encoded key. -- Added gnutls_x509_extract_certificate_dn_string() which returns the +- Added gnutls_x509_extract_certificate_dn_string() which returns the certificate's distinguished name in a single string. - Added gnutls_set_default_priority() and gnutls_set_default_export_priority() functions, to avoid calling all the *_priority() functions if the defaults @@ -9145,7 +9152,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS - Corrected bug in session resuming code in server side. * Version 0.5.6 (2002-09-06) -- Corrected bugs in SRP implementation, which prevented gnutls +- Corrected bugs in SRP implementation, which prevented gnutls to interoperate with other implementations. (interoperability testing was done by David Taylor) - Corrected bug in cert_type extension. @@ -9157,10 +9164,10 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS * Version 0.5.5 (2002-09-03) - Updated the SRP implementation to the latest draft. The blowfish crypt implementation was removed, since the new draft does not allow - other hash algorithms except for the srpsha. + other hash algorithms except for the srpsha. - Renamed all the constructed types in order to have more consistent - names. -- Improved the certificate and key read functions. Now they can read + names. +- Improved the certificate and key read functions. Now they can read the certificate and the private key from the same file. - Updated and corrected documentation. @@ -9190,7 +9197,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS <gnutls/gnutls.h> - Documentation fixes - Added gnutls_transport_set_ptr2() function, which accepts two - different pointers, to be used while receiving, and + different pointers, to be used while receiving, and while sending data. - Semantic changes in gnutls_record_set_max_size(). The requested size is now immediately enforced at the output buffers. @@ -9272,15 +9279,15 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS - Corrections in session resumption - Rehandshake can now handle negotiation of different authentication type. -- gnutls-cli, gnutls-serv, gnutls-srpcrypt and gnutls-cli-debug are +- gnutls-cli, gnutls-serv, gnutls-srpcrypt and gnutls-cli-debug are now being installed. * Version 0.3.90 (2002-02-24) -- Handshake messages are not kept in memory any more. Now we use +- Handshake messages are not kept in memory any more. Now we use less memory during a handshake - Added support for certificates with DSA parameters - Added DHE_DSS cipher suites -- Key exchange methods changed so they do not depend on the +- Key exchange methods changed so they do not depend on the certificate type. Added certificate type negotiation TLS extension. - Added openpgp key support (EXPERIMENTAL) - Improved Diffie Hellman key exchange support. @@ -9289,7 +9296,7 @@ LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS - TLS extensions now use a 16 bit type field. - Added a minimal string library to assist in ASN.1 parsing - Changes in ASN.1 parser to work with the new bison -- Added gnutls_x509_extract_subject_alt_name(), which deprecates +- Added gnutls_x509_extract_subject_alt_name(), which deprecates gnutls_x509_extract_subject_dns_name() - gnutls_x509_set_trust_(file/mem) can now be called multiple times - gnutls_srp_server_set_cred_file() can now be called multiple times |