path: root/NEWS
Commit message (Collapse) | Author | Age | Files | Lines
* pkcs7: add function to display signature information | Dmitry Baryshkov | 2020-05-14 | 1 | -0/+1
      Basically export print_pkcs7_info() in a way usable by external applications.
      Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* nettle: expose SIV-CMAC through the AEAD interface | Daiki Ueno | 2020-05-04 | 1 | -0/+6
      This adds a couple of new cipher algorithms GNUTLS_CIPHER_AES_128_SIV and GNUTLS_CIPHER_AES_256_SIV, exposing nettle_siv_cmac_aes{128,256}* functions. Note that they can only be used with the AEAD interface and authentication tags are prepended (not appended) to the ciphertext.
      Signed-off-by: Daiki Ueno <ueno@gnu.org>
* NEWS: updated for release [3.6.13] | Nikos Mavrogiannopoulos | 2020-03-31 | 1 | -2/+3
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* NEWS: doc update | Nikos Mavrogiannopoulos | 2020-03-30 | 1 | -3/+3
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* NEWS: doc update [tmp-added-reproducer-for-960] | Nikos Mavrogiannopoulos | 2020-03-30 | 1 | -0/+5
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'better_SSL3.0_tests' into 'master' | Nikos Mavrogiannopoulos | 2020-03-27 | 1 | -0/+3
      improve gnutls-cli-debug testing of old SSL 3.0 servers
      See merge request gnutls/gnutls!1221
| * add NEWS entry | Daniel Lenski | 2020-03-22 | 1 | -0/+3
      Signed-off-by: Daniel Lenski <dlenski@gmail.com>
* | Merge branch 'tmp-get-keylog-func' into 'master' | Daiki Ueno | 2020-03-25 | 1 | -0/+1
      gnutls_session_get_keylog_function: new function
      See merge request gnutls/gnutls!1220
| * | gnutls_session_get_keylog_function: new function [tmp-get-keylog-func] | Daiki Ueno | 2020-03-22 | 1 | -0/+1
      This adds a way to retrieve the keylog function set by gnutls_session_set_keylog_function() to allow application protocols to implement custom logging facility.
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Update NEWS file | Ander Juaristi | 2020-03-23 | 1 | -0/+7
      Signed-off-by: Ander Juaristi <a@juaristi.eus>
* state: add function to get the current hash algorithm [tmp-prf-get] | Daiki Ueno | 2020-03-19 | 1 | -0/+1
      This is particularly useful when the application applies key derivation function by itself with the same underlying hash algorithm as the session.
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
* keylogfile: simplify the callback mechanism [tmp-keylog-func] | Daiki Ueno | 2020-02-22 | 1 | -2/+4
      This partially reverts commit 97117556 with a simpler interface. The original intention of having the callback mechanism was to reuse it for monitoring QUIC encryption changes. However, it turned out to be insufficient because such changes must be emitted after a new epoch is ready.
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
* keylogfile: generalize with a callback [tmp-keylog-hook] | Daiki Ueno | 2020-02-07 | 1 | -0/+2
      This refactors the keylogfile mechanism by adding a callback to get notified when a new secret is derived and installed. That way, consumers can implement custom logging feature per session, which is particularly useful in QUIC implementation.
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
* crypto-api: add generic crypto functions for KDF | Daiki Ueno | 2020-02-04 | 1 | -0/+9
      This exposes HKDF and PBKDF2 functions from the library. Instead of defining a single KDF interface as in PKCS #11, this patch defines 3 distinct functions for HKDF-Extract, HKDF-Expand, and PBKDF2 derivation, so that we can take advantage of compile time checking of necessary parameters.
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
* NEWS: fixed issue number for 448 [gnutls_3_6_12] [3.6.12] | Nikos Mavrogiannopoulos | 2020-02-01 | 1 | -1/+1
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* NEWS: refactored for release | Nikos Mavrogiannopoulos | 2020-02-01 | 1 | -30/+30
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-ed448' into 'master' | Daiki Ueno | 2020-01-24 | 1 | -0/+3
      algorithms: implement X448 key exchange and Ed448 signature scheme
      See merge request gnutls/gnutls!984
| * algorithms: implement X448 key exchange and Ed448 signature scheme | Daiki Ueno | 2020-01-23 | 1 | -0/+3
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Merge branch 'tmp-tls13-ocsp' into 'master' | Nikos Mavrogiannopoulos | 2020-01-20 | 1 | -0/+5
      tls13: fix issues with client OCSP responses
      Closes #876
      See merge request gnutls/gnutls!1169
| * tls13: request OCSP responses as a server | Nikos Mavrogiannopoulos | 2020-01-20 | 1 | -1/+2
      The TLS1.3 protocol requires the server to advertise an empty OCSP status request extension on its certificate verify message for an OCSP response to be sent by the client. We now always send this extension to allow clients attaching those responses.
      Resolves: #876
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * tls13: do not send OCSP responses as client without server requesting | Nikos Mavrogiannopoulos | 2020-01-15 | 1 | -0/+4
      In client side ensure we see a request for OCSP from servers before sending one.
      Relates: #876
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | doc update [ci skip] | Nikos Mavrogiannopoulos | 2020-01-15 | 1 | -0/+3
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'override-default-priority' into 'master' | Nikos Mavrogiannopoulos | 2020-01-13 | 1 | -0/+3
      libgnutls: Add system-wide default-priority-string override.
      See merge request gnutls/gnutls!1158
| * libgnutls: Add system-wide default-priority-string override. | Dimitri John Ledkov | 2020-01-13 | 1 | -0/+3
      Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
* | Merge branch 'gost-priorities' into 'master' | Dmitry Eremin-Solenikov | 2020-01-12 | 1 | -2/+6
      Extend GOST priority settings and documentation
      See merge request gnutls/gnutls!1160
| * NEWS: expand documentation for GOST priority strings | Dmitry Eremin-Solenikov | 2020-01-10 | 1 | -2/+6
      Use +GOST-ALL shortcut to enable GOST ciphersuites. Also document newly added GOST shortcuts.
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | Merge branch 'tmp-ocsp-check' into 'master' [903-add-crl-and-crq-fuzzers] | Nikos Mavrogiannopoulos | 2020-01-09 | 1 | -0/+4
      Provide flag to identify sessions that an OCSP response was requested
      Closes #829
      See merge request gnutls/gnutls!1131
| * | Provide flag to identify sessions that an OCSP response was requested | Nikos Mavrogiannopoulos | 2019-12-15 | 1 | -0/+4
      That adds the flag GNUTLS_SFLAGS_CLI_REQUESTED_OCSP which can be checked by a server application to determine whether the client has requested stapled OCSP responses. This includes minor cleanups in the status request handling code.
      Resolves: #829
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | x509: reject certificates having duplicate extensions | Nikos Mavrogiannopoulos | 2020-01-03 | 1 | -0/+5
      According to RFC5280 a certificate must not include more than one instance of a particular extension. We were previously printing warnings when such extensions were found, but that is insufficient to flag such certificates. Instead, refuse to import them.
      Resolves: #887
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | x509: do not tolerate invalid DER time | Nikos Mavrogiannopoulos | 2019-12-26 | 1 | -1/+4
      This effectively reverts !400 and ensures that we no longer tolerate invalid DER time. This complements the previous commit by Lili Quan and ensures we provide the --disable-strict-der-time backwards compatibility option.
      Resolves: #207
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | certtool: always set extensions from template | Nikos Mavrogiannopoulos | 2019-12-23 | 1 | -4/+7
      Previously we would only set these extensions specified with add_extension when generating using --generate-certificate. The change makes sure these options are considered even when generating an extension from a certificate request. Issue reported on the mailing list.
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | tests: ensure test suite does not apply global config | Nikos Mavrogiannopoulos | 2019-12-20 | 1 | -1/+2
      When running the test suite we do not apply the global gnutls configuration as it may change options that are tested.
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs | Nikos Mavrogiannopoulos | 2019-12-19 | 1 | -0/+5
      If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level. This addresses the problem of accepting CAs which would have been marked as insecure otherwise.
      Resolves: #877
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | certtool: added option to apply a certificate verification profile | Nikos Mavrogiannopoulos | 2019-12-19 | 1 | -0/+4
      This applies to the --verify and --verify-chain commands.
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | is_level_acceptable: apply the system-wide profile in all verifications | Nikos Mavrogiannopoulos | 2019-12-19 | 1 | -0/+3
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Introduced check to reject certificates with non-digits in time field | Lili Quan | 2019-12-19 | 1 | -0/+2
      According to RFC5280 we should reject such certificates.
      Resolves: #870
      Signed-off-by: Lili Quan <13132239506@163.com>
* | NEWS: add news entry, describing TLS 1.3 vs GOST issues | Dmitry Eremin-Solenikov | 2019-12-18 | 1 | -0/+8
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* abi: updated to latest const changes and added NEWS entry [tmp-more-const-1] | Nikos Mavrogiannopoulos | 2019-12-10 | 1 | -0/+9
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* released 3.6.11 [gnutls_3_6_11] | Nikos Mavrogiannopoulos | 2019-12-01 | 1 | -1/+1
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* NEWS: documented AES-CFB8 fix [ci skip] | Nikos Mavrogiannopoulos | 2019-11-29 | 1 | -0/+3
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* bumped version | Nikos Mavrogiannopoulos | 2019-11-29 | 1 | -1/+1
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_base64_decode2() succeeds decoding the empty string | Nikos Mavrogiannopoulos | 2019-11-28 | 1 | -0/+4
      This is a behavioral change of the API but it conforms to the RFC4648 expectations.
      Resolves: #834
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: always include the CRL distribution points on CAs | Nikos Mavrogiannopoulos | 2019-11-25 | 1 | -0/+3
      Previously we would omit the CRL distribution points from a non-self signed CA certificate, even if contained in the template.
      Resolves: #765
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Add NEWS entry for the NetBSD KERN_ARND change. | nia | 2019-10-31 | 1 | -0/+5
      Signed-off-by: Nia Alarie <nia@NetBSD.org>
* session tickets: parse extension during session resumption on client side | Nikos Mavrogiannopoulos | 2019-10-08 | 1 | -0/+3
      It is possible for a server to send a new session ticket during TLS1.2 resumption. To be able to parse it as client we need to check the extension during resumption as well.
      Resolves: #841
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* NEWS: added entry for 3.6.11 | Nikos Mavrogiannopoulos | 2019-10-05 | 1 | -3/+9
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Updated NEWS to reflect the added raw public-key handling functionality for ↵ | Tom Vrancken | 2019-10-04 | 1 | -0/+3
      gnutls-cli/serv tools.
      Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* bumped versions [gnutls_3_6_10] | Nikos Mavrogiannopoulos | 2019-09-29 | 1 | -1/+1
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-asm-update-32' into 'master' | Nikos Mavrogiannopoulos | 2019-09-28 | 1 | -0/+2
      Regenerate asm files with -fPIC
      Closes #818
      See merge request gnutls/gnutls!1081
| * Regenerate asm files with -fPIC | Andreas Metzler | 2019-09-28 | 1 | -0/+2
      CRYPTOGAMS' perl-scripts can produce different output if -fPIC is passed as option. Set -fPIC for the same files as openssl does.
      Closes #818
      Signed-off-by: Andreas Metzler <ametzler@bebt.de>