summaryrefslogtreecommitdiff
path: root/NEWS
Commit message (Collapse)AuthorAgeFilesLines
* NEWS: update for 3.7.0 releaseDaiki Ueno2020-12-021-6/+50
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* crypto-backend: remove ability of overriding ciphersDaiki Ueno2020-11-201-0/+7
| | | | | | | Those functions has been deprecated in 3.6.9 as they do not have active use cases. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* NEWS: add entry for QUIC related API functionsDaiki Ueno2020-11-191-0/+10
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* _gnutls_x509_read_value: don't count terminating null byte for OIDsNikos Mavrogiannopoulos2020-11-121-0/+6
| | | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> Co-authored-by: Daiki Ueno <ueno@gnu.org>
* Merge branch 'cert_validation' into 'master'Daiki Ueno2020-11-101-0/+5
|\ | | | | | | | | | | | | Adds a new API gnutls_session_set_verify_output_function() that allows TLS applications Closes #1012 See merge request gnutls/gnutls!1339
| * Adds a new API gnutls_session_set_verify_output_function() that allows TLS ↵Sahana Prasad2020-11-101-0/+5
| | | | | | | | | | | | | | | | | | applications to have a way to pass the gnutls_verify_output_function() as a callback so that the full path of the certificate chain to the trusted root can be avaiable as output. Signed-off-by: Sahana Prasad <sahana@redhat.com>
* | build: hard require nettle 3.6Daiki Ueno2020-11-041-0/+2
|/ | | | | | | This allows us to remove several backports, including XTS, CFB8, raw-ChaCha, CMAC64, Curve448, and the GOST curves and hashes. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* src/cli: adds new option '--ca-auto-retrieve' that can be used with ↵Sahana Prasad2020-09-021-0/+2
| | | | | | | | | | gnutls-cli to automatically download missing intermediate CAs in a certificate chain lib/cred-cert.c : adds set and get APIs to get user data in the gnutls_x509_trust_list_set_getissuer_function() callback. Signed-off-by: Sahana Prasad <sahana@redhat.com>
* NEWS: add missing API modifications to 3.6.14 entryDaiki Ueno2020-06-071-0/+2
| | | | | | | Reported by Andreas Metzler in: https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004650.html Signed-off-by: Daiki Ueno <ueno@gnu.org>
* devel/libgnutls-latest-x86_64.abi, doc, NEWS, and manpage updatesSahana Prasad2020-06-031-0/+8
| | | | Signed-off-by: Sahana Prasad <sahana@redhat.com>
* Release 3.6.14 [ci skip]Daiki Ueno2020-06-031-1/+33
| | | | Signed-off-by: Daiki Ueno <ueno@gnu.org>
* lib: add support for AES-192-GCMDmitry Baryshkov2020-05-271-0/+1
| | | | | | Add support for AES-192 in GCM mode. Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* pkcs7: add function to display signature informationDmitry Baryshkov2020-05-141-0/+1
| | | | | | | Basically export print_pkcs7_info() in a way usable by external applications. Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* nettle: expose SIV-CMAC through the AEAD interfaceDaiki Ueno2020-05-041-0/+6
| | | | | | | | | This adds a couple of new cipher algorithms GNUTLS_CIPHER_AES_128_SIV and GNUTLS_CIPHER_AES_256_SIV, exposing nettle_siv_cmac_aes{128,256}* functions. Note that they can only used with the AEAD interface and authentication tags are prepended (not appended) to the ciphertext. Signed-off-by: Daiki Ueno <ueno@gnu.org>
* NEWS: updated for release3.6.13Nikos Mavrogiannopoulos2020-03-311-2/+3
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* NEWS: doc updateNikos Mavrogiannopoulos2020-03-301-3/+3
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* NEWS: doc updatetmp-added-reproducer-for-960Nikos Mavrogiannopoulos2020-03-301-0/+5
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'better_SSL3.0_tests' into 'master'Nikos Mavrogiannopoulos2020-03-271-0/+3
|\ | | | | | | | | improve gnutls-cli-debug testing of old SSL 3.0 servers See merge request gnutls/gnutls!1221
| * add NEWS entryDaniel Lenski2020-03-221-0/+3
| | | | | | | | Signed-off-by: Daniel Lenski <dlenski@gmail.com>
* | Merge branch 'tmp-get-keylog-func' into 'master'Daiki Ueno2020-03-251-0/+1
|\ \ | | | | | | | | | | | | gnutls_session_get_keylog_function: new function See merge request gnutls/gnutls!1220
| * | gnutls_session_get_keylog_function: new functiontmp-get-keylog-funcDaiki Ueno2020-03-221-0/+1
| |/ | | | | | | | | | | | | | | This adds a way to retrieve the keylog function set by gnutls_session_set_keylog_function() to allow application protocols to implement custom logging facility. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Update NEWS fileAnder Juaristi2020-03-231-0/+7
|/ | | | Signed-off-by: Ander Juaristi <a@juaristi.eus>
* state: add function to get the current hash algorithmtmp-prf-getDaiki Ueno2020-03-191-0/+1
| | | | | | | | This is particularly useful when the application applies key derivation function by itself with the same underlying hash algorithm as the session. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* keylogfile: simplify the callback mechanismtmp-keylog-funcDaiki Ueno2020-02-221-2/+4
| | | | | | | | | | This partially reverts commit 97117556 with a simpler interface. The original intention of having the callback mechanism was to reuse it for monitoring QUIC encryption changes. However, it turned out to be insufficient because such changes must be emitted after a new epoch is ready. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* keylogfile: generalize with a callbacktmp-keylog-hookDaiki Ueno2020-02-071-0/+2
| | | | | | | | | This refactors the keylogfile mechanism by adding a callback to get notified when a new secret is derived and installed. That way, consumers can implement custom logging feature per session, which is particularly useful in QUIC implementation. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* crypto-api: add generic crypto functions for KDFDaiki Ueno2020-02-041-0/+9
| | | | | | | | | | This exposes HKDF and PBKDF2 functions from the library. Instead of defining a single KDF interface as in PKCS #11, this patch defines 3 distinct functions for HKDF-Extract, HKDF-Expand, and PBKDF2 derivation, so that we can take advantage of compile time checking of necesssary parameters. Signed-off-by: Daiki Ueno <dueno@redhat.com>
* NEWS: fixed issue number for 448gnutls_3_6_123.6.12Nikos Mavrogiannopoulos2020-02-011-1/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* NEWS: refactored for releaseNikos Mavrogiannopoulos2020-02-011-30/+30
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Merge branch 'tmp-ed448' into 'master'Daiki Ueno2020-01-241-0/+3
|\ | | | | | | | | algorithms: implement X448 key exchange and Ed448 signature scheme See merge request gnutls/gnutls!984
| * algorithms: implement X448 key exchange and Ed448 signature schemeDaiki Ueno2020-01-231-0/+3
| | | | | | | | Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Merge branch 'tmp-tls13-ocsp' into 'master'Nikos Mavrogiannopoulos2020-01-201-0/+5
|\ \ | |/ |/| | | | | | | | | tls13: fix issues with client OCSP responses Closes #876 See merge request gnutls/gnutls!1169
| * tls13: request OCSP responses as a serverNikos Mavrogiannopoulos2020-01-201-1/+2
| | | | | | | | | | | | | | | | | | | | | | The TLS1.3 protocol requires the server to advertise an empty OCSP status request extension on its certificate verify message for an OCSP response to be sent by the client. We now always send this extension to allow clients attaching those responses. Resolves: #876 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * tls13: do not send OCSP responses as client without server requestingNikos Mavrogiannopoulos2020-01-151-0/+4
| | | | | | | | | | | | | | | | | | In client side ensure we see a request for OCSP from servers before sending one. Relates: #876 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | doc update [ci skip]Nikos Mavrogiannopoulos2020-01-151-0/+3
|/ | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Merge branch 'override-default-priority' into 'master'Nikos Mavrogiannopoulos2020-01-131-0/+3
|\ | | | | | | | | libgnutls: Add system-wide default-priority-string override. See merge request gnutls/gnutls!1158
| * libgnutls: Add system-wide default-priority-string override.Dimitri John Ledkov2020-01-131-0/+3
| | | | | | | | Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
* | Merge branch 'gost-priorities' into 'master'Dmitry Eremin-Solenikov2020-01-121-2/+6
|\ \ | |/ |/| | | | | Extend GOST priority settings and documentation See merge request gnutls/gnutls!1160
| * NEWS: expand documentation for GOST priority stringsDmitry Eremin-Solenikov2020-01-101-2/+6
| | | | | | | | | | | | | | Use +GOST-ALL shortcut to enable GOST ciphersuites. Also document newly added GOST shortcuts. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | Merge branch 'tmp-ocsp-check' into 'master'903-add-crl-and-crq-fuzzersNikos Mavrogiannopoulos2020-01-091-0/+4
|\ \ | | | | | | | | | | | | | | | | | | Provide flag to identify sessions that an OCSP response was requested Closes #829 See merge request gnutls/gnutls!1131
| * | Provide flag to identify sessions that an OCSP response was requestedNikos Mavrogiannopoulos2019-12-151-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | That adds the flag GNUTLS_SFLAGS_CLI_REQUESTED_OCSP which can be checked by a server application to determine whether the client has requested stapled OCSP responses. This includes minor cleanups in the status request handling code. Resolves: #829 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | x509: reject certificates having duplicate extensionsNikos Mavrogiannopoulos2020-01-031-0/+5
| |/ |/| | | | | | | | | | | | | | | | | | | According to RFC5280 a certificate must not include more than one instance of a particular extension. We were previously printing warnings when such extensions were found, but that is insufficient to flag such certificates. Instead, refuse to import them. Resolves: #887 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | x509: do not tolerate invalid DER timeNikos Mavrogiannopoulos2019-12-261-1/+4
| | | | | | | | | | | | | | | | | | | | | | This effectively reverts !400 and ensures that we no longer tolerate invalid DER time. This complements the previous commit by Lili Quan and ensures we provide the --disable-strict-der-time backwards compatibility option. Resolves: #207 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | certtool: always set extensions from templateNikos Mavrogiannopoulos2019-12-231-4/+7
| | | | | | | | | | | | | | | | | | Previously we would only set these extensions specific with add_extension when generating using --generate-certificate. The change makes sure these options are considered even when generating an extension from a certificate request. Issue reported on the mailing list. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | tests: ensure test suite does not apply global configNikos Mavrogiannopoulos2019-12-201-1/+2
| | | | | | | | | | | | | | | | When running the test suite we do not apply the global gnutls configration as it may change options that are tested. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | _gnutls_verify_crt_status: apply algorithm checks to trusted CAsNikos Mavrogiannopoulos2019-12-191-0/+5
| | | | | | | | | | | | | | | | | | | | | | If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level. This addresses the problem of accepting CAs which would have been marked as insecure otherwise. Resolves: #877 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | certtool: added option to apply a certificate verification profileNikos Mavrogiannopoulos2019-12-191-0/+4
| | | | | | | | | | | | This applies to the --verify and --verify-chain commands. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | is_level_acceptable: apply the system-wide profile in all verificationsNikos Mavrogiannopoulos2019-12-191-0/+3
| | | | | | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | Introduced check to reject certificates with non-digits in time fieldLili Quan2019-12-191-0/+2
| | | | | | | | | | | | | | | | According to RFC5280 we should reject such certificates. Resolves: #870 Signed-off-by: Lili Quan <13132239506@163.com>
* | NEWS: add news entry, describing TLS 1.3 vs GOST issuesDmitry Eremin-Solenikov2019-12-181-0/+8
|/ | | | Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* abi: updated to latest const changes and added NEWS entrytmp-more-const-1Nikos Mavrogiannopoulos2019-12-101-0/+9
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
View Lorry Controller Status