path: root/NEWS
Commit message | Author | Age | Files | Lines
* NEWS: fixed issue number for 448 (gnutls_3_6_12, 3.6.12) | Nikos Mavrogiannopoulos | 2020-02-01 | 1 | -1/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* NEWS: refactored for release | Nikos Mavrogiannopoulos | 2020-02-01 | 1 | -30/+30
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-ed448' into 'master' | Daiki Ueno | 2020-01-24 | 1 | -0/+3
    algorithms: implement X448 key exchange and Ed448 signature scheme
    See merge request gnutls/gnutls!984
| * algorithms: implement X448 key exchange and Ed448 signature scheme | Daiki Ueno | 2020-01-23 | 1 | -0/+3
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Merge branch 'tmp-tls13-ocsp' into 'master' | Nikos Mavrogiannopoulos | 2020-01-20 | 1 | -0/+5
      tls13: fix issues with client OCSP responses
      Closes #876
      See merge request gnutls/gnutls!1169
| * tls13: request OCSP responses as a server | Nikos Mavrogiannopoulos | 2020-01-20 | 1 | -1/+2
      The TLS1.3 protocol requires the server to advertise an empty OCSP status request extension on its certificate verify message for an OCSP response to be sent by the client. We now always send this extension to allow clients attaching those responses.
      Resolves: #876
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * tls13: do not send OCSP responses as client without server requesting | Nikos Mavrogiannopoulos | 2020-01-15 | 1 | -0/+4
      In client side ensure we see a request for OCSP from servers before sending one.
      Relates: #876
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | doc update [ci skip] | Nikos Mavrogiannopoulos | 2020-01-15 | 1 | -0/+3
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'override-default-priority' into 'master' | Nikos Mavrogiannopoulos | 2020-01-13 | 1 | -0/+3
    libgnutls: Add system-wide default-priority-string override.
    See merge request gnutls/gnutls!1158
| * libgnutls: Add system-wide default-priority-string override. | Dimitri John Ledkov | 2020-01-13 | 1 | -0/+3
      Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
* | Merge branch 'gost-priorities' into 'master' | Dmitry Eremin-Solenikov | 2020-01-12 | 1 | -2/+6
      Extend GOST priority settings and documentation
      See merge request gnutls/gnutls!1160
| * NEWS: expand documentation for GOST priority strings | Dmitry Eremin-Solenikov | 2020-01-10 | 1 | -2/+6
      Use +GOST-ALL shortcut to enable GOST ciphersuites. Also document newly added GOST shortcuts.
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | Merge branch 'tmp-ocsp-check' into 'master' (903-add-crl-and-crq-fuzzers) | Nikos Mavrogiannopoulos | 2020-01-09 | 1 | -0/+4
      Provide flag to identify sessions that an OCSP response was requested
      Closes #829
      See merge request gnutls/gnutls!1131
| * | Provide flag to identify sessions that an OCSP response was requested | Nikos Mavrogiannopoulos | 2019-12-15 | 1 | -0/+4
        That adds the flag GNUTLS_SFLAGS_CLI_REQUESTED_OCSP which can be checked by a server application to determine whether the client has requested stapled OCSP responses. This includes minor cleanups in the status request handling code.
        Resolves: #829
        Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | x509: reject certificates having duplicate extensions | Nikos Mavrogiannopoulos | 2020-01-03 | 1 | -0/+5
        According to RFC5280 a certificate must not include more than one instance of a particular extension. We were previously printing warnings when such extensions were found, but that is insufficient to flag such certificates. Instead, refuse to import them.
        Resolves: #887
        Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | x509: do not tolerate invalid DER time | Nikos Mavrogiannopoulos | 2019-12-26 | 1 | -1/+4
      This effectively reverts !400 and ensures that we no longer tolerate invalid DER time. This complements the previous commit by Lili Quan and ensures we provide the --disable-strict-der-time backwards compatibility option.
      Resolves: #207
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | certtool: always set extensions from template | Nikos Mavrogiannopoulos | 2019-12-23 | 1 | -4/+7
      Previously we would only set these extensions specific with add_extension when generating using --generate-certificate. The change makes sure these options are considered even when generating an extension from a certificate request. Issue reported on the mailing list.
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | tests: ensure test suite does not apply global config | Nikos Mavrogiannopoulos | 2019-12-20 | 1 | -1/+2
      When running the test suite we do not apply the global gnutls configuration as it may change options that are tested.
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | _gnutls_verify_crt_status: apply algorithm checks to trusted CAs | Nikos Mavrogiannopoulos | 2019-12-19 | 1 | -0/+5
      If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level. This addresses the problem of accepting CAs which would have been marked as insecure otherwise.
      Resolves: #877
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | certtool: added option to apply a certificate verification profile | Nikos Mavrogiannopoulos | 2019-12-19 | 1 | -0/+4
      This applies to the --verify and --verify-chain commands.
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | is_level_acceptable: apply the system-wide profile in all verifications | Nikos Mavrogiannopoulos | 2019-12-19 | 1 | -0/+3
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Introduced check to reject certificates with non-digits in time field | Lili Quan | 2019-12-19 | 1 | -0/+2
      According to RFC5280 we should reject such certificates.
      Resolves: #870
      Signed-off-by: Lili Quan <13132239506@163.com>
* | NEWS: add news entry, describing TLS 1.3 vs GOST issues | Dmitry Eremin-Solenikov | 2019-12-18 | 1 | -0/+8
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* abi: updated to latest const changes and added NEWS entry (tmp-more-const-1) | Nikos Mavrogiannopoulos | 2019-12-10 | 1 | -0/+9
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* released 3.6.11 (gnutls_3_6_11) | Nikos Mavrogiannopoulos | 2019-12-01 | 1 | -1/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* NEWS: documented AES-CFB8 fix [ci skip] | Nikos Mavrogiannopoulos | 2019-11-29 | 1 | -0/+3
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* bumped version | Nikos Mavrogiannopoulos | 2019-11-29 | 1 | -1/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* gnutls_base64_decode2() succeeds decoding the empty string | Nikos Mavrogiannopoulos | 2019-11-28 | 1 | -0/+4
    This is a behavioral change of the API but it conforms to the RFC4648 expectations.
    Resolves: #834
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: always include the CRL distribution points on CAs | Nikos Mavrogiannopoulos | 2019-11-25 | 1 | -0/+3
    Previously we would omit the CRL distribution points from a non-self signed CA certificate, even if contained in the template.
    Resolves: #765
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Add NEWS entry for the NetBSD KERN_ARND change. | nia | 2019-10-31 | 1 | -0/+5
    Signed-off-by: Nia Alarie <nia@NetBSD.org>
* session tickets: parse extension during session resumption on client side | Nikos Mavrogiannopoulos | 2019-10-08 | 1 | -0/+3
    It is possible for a server to send a new session ticket during TLS1.2 resumption. To be able to parse it as client we need to check the extension during resumption as well.
    Resolves: #841
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* NEWS: added entry for 3.6.11 | Nikos Mavrogiannopoulos | 2019-10-05 | 1 | -3/+9
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Updated NEWS to reflect the added raw public-key handling functionality for ↵ | Tom Vrancken | 2019-10-04 | 1 | -0/+3
    gnutls-cli/serv tools.
    Signed-off-by: Tom Vrancken <dev@tomvrancken.nl>
* bumped versions (gnutls_3_6_10) | Nikos Mavrogiannopoulos | 2019-09-29 | 1 | -1/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-asm-update-32' into 'master' | Nikos Mavrogiannopoulos | 2019-09-28 | 1 | -0/+2
    Regenerate asm files with -fPIC
    Closes #818
    See merge request gnutls/gnutls!1081
| * Regenerate asm files with -fPIC | Andreas Metzler | 2019-09-28 | 1 | -0/+2
      CRYPTOGAMS' perl-scripts can produce different output if -fPIC is passed as option. Set -fPIC for the same files as openssl does.
      Closes #818
      Signed-off-by: Andreas Metzler <ametzler@bebt.de>
* | certtool: ensure that PKCS#8 file does not contain key description | Nikos Mavrogiannopoulos | 2019-09-28 | 1 | -0/+3
      Resolves: #840
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* NEWS: document previous changes [ci skip] | Dmitry Eremin-Solenikov | 2019-09-28 | 1 | -1/+7
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Merge branch 'tmp-supported-versions' into 'master' | Daiki Ueno | 2019-09-27 | 1 | -0/+3
    ext/supported_versions: reorder client precedence if necessary
    Closes #837
    See merge request gnutls/gnutls!1074
| * ext/supported_versions: reorder client precedence if necessary | Daiki Ueno | 2019-09-27 | 1 | -0/+3
      If the client advertises TLS < 1.2 before TLS 1.3 and the server is configured with TLS 1.3 enabled, the server should select TLS 1.3; otherwise the client will disconnect when seeing downgrade sentinel.
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | gnutls_session_get_data2: fix operation without a timeout callback | Nikos Mavrogiannopoulos | 2019-09-26 | 1 | -0/+4
      When TLS1.3 was introduced, gnutls_session_get_data2 was modified to assume that the callbacks set included the timeout one which was not previously necessary except for some special cases. This corrects that issue and makes sure that gnutls_session_get_data2() does not fail (but not necessarily succeed), if that timeout callback is not set.
      Resolves: #823
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* _gnutls_epoch_set_keys: do not forbid random padding in TLS1.x CBC ciphersuites | Nikos Mavrogiannopoulos | 2019-09-06 | 1 | -0/+4
    Since some point in 3.6.x we updated the calculation of maximum record size, however that did not include the possibility of random record padding available for CBC ciphersuites which exceeds the maximum. This commit allows for larger sizes for these ciphersuites to account for random padding as applied by gnutls 2.12.x.
    Resolves: #811
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* crypto-api: add gnutls_aead_cipher_{en,de}cryptv2 (tmp-encryptv2) | Daiki Ueno | 2019-08-09 | 1 | -0/+7
    This adds an in-place equivalent of gnutls_aead_cipher_encrypt() and gnutls_aead_cipher_decrypt(), that works on data buffers.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
* pk: implement deterministic ECDSA/DSA | Daiki Ueno | 2019-08-08 | 1 | -0/+7
    This exposes the deterministic ECDSA/DSA functionality through the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag.
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
* bumped version for 3.6.9 (gnutls_3_6_9) | Nikos Mavrogiannopoulos | 2019-07-25 | 1 | -1/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Support for Generalname registeredID from RFC 5280 in subject alt name | Karsten Ohme | 2019-07-22 | 1 | -0/+3
    Added test certificates (cert10.der) with registered ID
    Updated Makefile for inclusion of test certificates
    Updated SAN unknown test certificates (cert5.der)
    Signed-off-by: Karsten Ohme <k_o_@users.sourceforge.net>
* NEWS: updated for upcoming release [ci skip] | Nikos Mavrogiannopoulos | 2019-07-21 | 1 | -14/+15
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* doc update [ci skip] | Nikos Mavrogiannopoulos | 2019-07-08 | 1 | -1/+1
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* NEWS: add an entry for AES-GMAC algorithms | Dmitry Eremin-Solenikov | 2019-06-28 | 1 | -0/+5
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* Align _gnutls_x86_cpuid_s as OPENSSL_ia32cap_P would be | Nikos Mavrogiannopoulos | 2019-06-27 | 1 | -0/+3
    We were not setting the third array member correctly, though this didn't have any impact to previous implementations as they did not rely on it. This also moves away from the custom implementation of cpuid (which was limited), and we now rely on the compiler's version. This effectively enables support for SHA_NI.
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>