path: root/NEWS
Commit log for NEWS. Each entry lists the commit message [tag or branch, where present] (author, date; files changed, lines removed/added), followed by the commit body.
* released 3.6.11 [tag gnutls_3_6_11] (Nikos Mavrogiannopoulos, 2019-12-01; 1 file, -1/+1)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* NEWS: documented AES-CFB8 fix [ci skip] (Nikos Mavrogiannopoulos, 2019-11-29; 1 file, -0/+3)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* bumped version (Nikos Mavrogiannopoulos, 2019-11-29; 1 file, -1/+1)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* gnutls_base64_decode2() succeeds decoding the empty string (Nikos Mavrogiannopoulos, 2019-11-28; 1 file, -0/+4)
  This is a behavioral change of the API but it conforms to the RFC4648 expectations.
  Resolves: #834
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* certtool: always include the CRL distribution points on CAs (Nikos Mavrogiannopoulos, 2019-11-25; 1 file, -0/+3)
  Previously we would omit the CRL distribution points from a non-self-signed CA certificate, even if contained in the template.
  Resolves: #765
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* Add NEWS entry for the NetBSD KERN_ARND change. (nia, 2019-10-31; 1 file, -0/+5)
  Signed-off-by: Nia Alarie <nia@NetBSD.org>

* session tickets: parse extension during session resumption on client side (Nikos Mavrogiannopoulos, 2019-10-08; 1 file, -0/+3)
  It is possible for a server to send a new session ticket during TLS1.2 resumption. To be able to parse it as client we need to check the extension during resumption as well.
  Resolves: #841
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* NEWS: added entry for 3.6.11 (Nikos Mavrogiannopoulos, 2019-10-05; 1 file, -3/+9)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* Updated NEWS to reflect the added raw public-key handling functionality for gnutls-cli/serv tools. (Tom Vrancken, 2019-10-04; 1 file, -0/+3)
  Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>

* bumped versions [tag gnutls_3_6_10] (Nikos Mavrogiannopoulos, 2019-09-29; 1 file, -1/+1)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-asm-update-32' into 'master' (Nikos Mavrogiannopoulos, 2019-09-28; 1 file, -0/+2)
  Regenerate asm files with -fPIC
  Closes #818
  See merge request gnutls/gnutls!1081

  * Regenerate asm files with -fPIC (Andreas Metzler, 2019-09-28; 1 file, -0/+2)
    CRYPTOGAMS' perl-scripts can produce different output if -fPIC is passed as an option. Set -fPIC for the same files as openssl does.
    Closes #818
    Signed-off-by: Andreas Metzler <ametzler@bebt.de>

* certtool: ensure that PKCS#8 file does not contain key description (Nikos Mavrogiannopoulos, 2019-09-28; 1 file, -0/+3)
  Resolves: #840
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* NEWS: document previous changes [ci skip] (Dmitry Eremin-Solenikov, 2019-09-28; 1 file, -1/+7)
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* Merge branch 'tmp-supported-versions' into 'master' (Daiki Ueno, 2019-09-27; 1 file, -0/+3)
  ext/supported_versions: reorder client precedence if necessary
  Closes #837
  See merge request gnutls/gnutls!1074

  * ext/supported_versions: reorder client precedence if necessary (Daiki Ueno, 2019-09-27; 1 file, -0/+3)
    If the client advertises TLS < 1.2 before TLS 1.3 and the server is configured with TLS 1.3 enabled, the server should select TLS 1.3; otherwise the client will disconnect when seeing the downgrade sentinel.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

* gnutls_session_get_data2: fix operation without a timeout callback (Nikos Mavrogiannopoulos, 2019-09-26; 1 file, -0/+4)
  When TLS1.3 was introduced, gnutls_session_get_data2 was modified to assume that the callbacks set included the timeout one, which was not previously necessary except for some special cases. This corrects that issue and makes sure that gnutls_session_get_data2() does not fail (but does not necessarily succeed) if that timeout callback is not set.
  Resolves: #823
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites (Nikos Mavrogiannopoulos, 2019-09-06; 1 file, -0/+4)
  Since some point in 3.6.x we updated the calculation of maximum record size; however, that did not include the possibility of random record padding available for CBC ciphersuites, which exceeds the maximum. This commit allows for larger sizes for these ciphersuites to account for random padding as applied by gnutls 2.12.x.
  Resolves: #811
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* crypto-api: add gnutls_aead_cipher_{en,de}cryptv2 [branch tmp-encryptv2] (Daiki Ueno, 2019-08-09; 1 file, -0/+7)
  This adds an in-place equivalent of gnutls_aead_cipher_encrypt() and gnutls_aead_cipher_decrypt() that works on data buffers.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* pk: implement deterministic ECDSA/DSA (Daiki Ueno, 2019-08-08; 1 file, -0/+7)
  This exposes the deterministic ECDSA/DSA functionality through the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* bumped version for 3.6.9 [tag gnutls_3_6_9] (Nikos Mavrogiannopoulos, 2019-07-25; 1 file, -1/+1)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* Support for Generalname registeredID from RFC 5280 in subject alt name (Karsten Ohme, 2019-07-22; 1 file, -0/+3)
  Added test certificates (cert10.der) with registered ID
  Updated Makefile for inclusion of test certificates
  Updated SAN unknown test certificates (cert5.der)
  Signed-off-by: Karsten Ohme <k_o_@users.sourceforge.net>

* NEWS: updated for upcoming release [ci skip] (Nikos Mavrogiannopoulos, 2019-07-21; 1 file, -14/+15)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* doc update [ci skip] (Nikos Mavrogiannopoulos, 2019-07-08; 1 file, -1/+1)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* NEWS: add an entry for AES-GMAC algorithms (Dmitry Eremin-Solenikov, 2019-06-28; 1 file, -0/+5)
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* Align _gnutls_x86_cpuid_s as OPENSSL_ia32cap_P would be (Nikos Mavrogiannopoulos, 2019-06-27; 1 file, -0/+3)
  We were not setting the third array member correctly, though this didn't have any impact on previous implementations as they did not rely on it. This also moves away from the custom implementation of cpuid (which was limited), and we now rely on the compiler's version. This effectively enables support for SHA_NI.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* NEWS: document gnutls_hash/hmac_copy addition (Dmitry Eremin-Solenikov, 2019-06-26; 1 file, -0/+6)
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* config: added ability to override and mark algorithms as disabled (Nikos Mavrogiannopoulos, 2019-06-20; 1 file, -1/+20)
  This allows the system administrator or the distributor to use the gnutls configuration file to mark hashes, signature algorithms, TLS versions, curves, groups, ciphers, KX, and MAC algorithms as insecure (the last four only in the context of a TLS session). It also allows setting a minimum profile which the applications cannot fall below. The options intentionally do not allow marking algorithms as secure so that the configuration file cannot be used as an attack vector. This change also makes sure that unsupported and disabled protocols during compile time (e.g., SSL3.0) do not get listed by gnutls-cli. The configuration file feature can be disabled at compile time with an empty --with-system-priority-file. This patch introduces the function gnutls_get_system_config_file(), allowing applications to check whether a configuration file was used.
  Resolves: #587
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Marked the crypto backend registration APIs as deprecated [branch tmp-deprecate-registration-apis] (Nikos Mavrogiannopoulos, 2019-06-20; 1 file, -1/+10)
  This is to warn for a future conversion of these APIs to a no-op.
  Resolves: #789
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* gnutls_privkey_sign_hash2: accept the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA flag [branch tmp-fix-raw-flag-in-newapi] (Nikos Mavrogiannopoulos, 2019-06-10; 1 file, -0/+9)
  Previously this flag was ignored, although documented not to be. This patch also enables the tests sign-verify-newapi and sign-verify-data-newapi, which were supposed to test this interface but were never enabled. This was caught by Andreas Metzler.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* released 3.6.8 (Nikos Mavrogiannopoulos, 2019-05-28; 1 file, -9/+10)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* doc update [ci skip] (Nikos Mavrogiannopoulos, 2019-05-27; 1 file, -0/+7)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* NEWS: doc update (Nikos Mavrogiannopoulos, 2019-05-23; 1 file, -1/+14)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* priority: add new option to allow small records (>= 64) (Daiki Ueno, 2019-05-22; 1 file, -0/+3)
  There is a mismatch in the lower limit of record sizes in RFC 8449 (64) and our default (512). If the server advertises a smaller limit than our default, the client has no way to keep communicating with the server. This patch adds a new priority string option %ALLOW_SMALL_RECORDS to set the limit to 64.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* Apply STD3 ASCII rules in gnutls_idna_map() [branch tmp-fix-evil-idna] (Tim Rühsen, 2019-05-20; 1 file, -0/+3)
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

* Merge branch 'tmp-record-sizes' into 'master' (Daiki Ueno, 2019-05-14; 1 file, -0/+1)
  ext/record_size_limit: distinguish sending and receiving limits
  See merge request gnutls/gnutls!985

  * ext/record_size_limit: distinguish sending and receiving limits [branch tmp-record-sizes] (Daiki Ueno, 2019-05-14; 1 file, -0/+1)
    The previous behavior was that both sending and receiving limits are negotiated to be the same value. It was problematic when:
    - client sends a record_size_limit with a large value in CH
    - server sends a record_size_limit with a smaller value in EE
    - client updates the limit for both sending and receiving, upon receiving EE
    - server sends a Certificate message larger than the limit
    With this patch, each peer maintains the sending / receiving limits separately so as not to confuse them with the contradicting settings.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

* lib/nettle: fix carry flag in Streebog code (Dmitry Eremin-Solenikov, 2019-05-13; 1 file, -0/+3)
  Fix carry flag being calculated incorrectly in Streebog code.
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

* _gnutls_srp_entry_free: follow consistent behavior in freeing data [branch tmp-fix-srp] (Nikos Mavrogiannopoulos, 2019-05-10; 1 file, -0/+3)
  _gnutls_srp_entry_free would previously not free any parameters that were known to gnutls, to account for the documented behavior of gnutls_srp_set_server_credentials_function(). This was not updated when the newly added 8192 parameter was added to the library. This introduces a safety check for generator parameters, even though in practice they are the same pointer.
  Resolves: #761
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* prf: add function to retrieve early keying material (Daiki Ueno, 2019-04-19; 1 file, -1/+3)
  This adds a new function gnutls_prf_early, which shall be called in a handshake hook waiting for GNUTLS_HANDSHAKE_CLIENT_HELLO. The test needs to be run in a datefudge wrapper as the early secrets depend on the current time (through PSK).
  Signed-off-by: Daiki Ueno <dueno@redhat.com>

* doc update [ci skip] (Nikos Mavrogiannopoulos, 2019-03-30; 1 file, -0/+8)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* released 3.6.7 [tag gnutls_3_6_7] (Nikos Mavrogiannopoulos, 2019-03-27; 1 file, -8/+15)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* handshake: increase the default number of tickets we send to 2 [branch tmp-increase-nr-of-tickets] (Nikos Mavrogiannopoulos, 2019-03-20; 1 file, -0/+4)
  This makes it easier for clients which perform multiple connections to the server to use the tickets sent by a default server. That's because 2 tickets allow for 2 new connections (if one is using each ticket once, as recommended), which in turn lead to 4 new, and so on.
  Resolves: #596
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* Merge branch 'tmp-fix-pkcs11-so' into 'master' (Nikos Mavrogiannopoulos, 2019-03-19; 1 file, -0/+4)
  pkcs11: security officer login implies writable session
  Closes #721
  See merge request gnutls/gnutls!953

  * pkcs11: security officer login implies writable session [branch tmp-fix-pkcs11-so] (Nikos Mavrogiannopoulos, 2019-03-15; 1 file, -0/+4)
    According to PKCS#11 v2.30, 6.7.1, there are no read-only Security Officer sessions.
    Resolves: #721
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

* doc update (Nikos Mavrogiannopoulos, 2019-03-16; 1 file, -0/+2)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* Use https:// for csrc.nist.gov (Tim Rühsen, 2019-03-13; 1 file, -1/+1)
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

* Use https:// for www.gnu.org and www.example.com (Tim Rühsen, 2019-03-13; 1 file, -10/+10)
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

* NEWS: fix NEWS entries [ci skip] (Nikos Mavrogiannopoulos, 2019-03-08; 1 file, -8/+0)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

* Make false start and early start multi-thread recv/send safe (Nikos Mavrogiannopoulos, 2019-03-02; 1 file, -0/+3)
  An application that is sending and receiving from different threads after the handshake is complete cannot take advantage of false start, because gnutls_record_send2() detects operations during the handshake process as invalid. Because in early start and false start the remaining handshake process needs only to receive data, and the sending side is already set up, this error detection is bogus. With this patch we remove it.
  Resolves: #713
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>