Version 0.8.10 (09/08/2003) - Backported the bug fix of server name indication from 0.9.x releases. - The tex files are now included in the distribution. Version 0.8.9 (29/06/2003) - Corrected a null pointer dereference in gnutls_certificate_get_ours(). Report and Patch by Steve Langasek . - The gnutls_transport_ptr type was changed to a pointer type (void*). (programs would need recompile, since the library version has changed) Version 0.8.8 (10/06/2003) - Corrected a bug in the record layer buffering, which affected the case where external pull function was used. Report and patch by Sergey Poznyakoff . - Corrected a bug in gnutls-srpcrypt where a non allocated variable was freed. Version 0.8.7 (12/05/2003) - Some corrections in the Makefiles, to prevent some build errors in solaris. - Corrections in the TLS layer openpgp certificate packet parser. Version 0.8.6 (25/03/2003) - Corrected a parsing error in the Certificate request message. - Corrected behaviour when a certificate request message is received. Now a certificate packet is always sent, and in SSL 3.0 cipher suites a no_certificate alert is sent instead. Version 0.8.5 (22/03/2003) - Allow larger MPI parameters in certificates. - Implemented the counter measure discussed in the paper "Attacking RSA-based Sessions in SSL/TLS", against the attack discribed in the same paper. - The RSA premaster secret version check can no longer be disabled. Version 0.8.4 (10/03/2003) - Corrected a broken buffer check in _gnutls_io_read_buffered(), which caused some unexpected packet length errors. Report and patch by Ian Peters . Version 0.8.3 (04/03/2003) - Corrected a bug in 64 bit architectures, which affected the serial number calculation in the record layer. Version 0.8.2 (03/03/2003) - Added protection against the new TLS 1.0 record layer timing attack. Version 0.8.1 (22/01/2003) - Improved the SRP support, to prevent attackers guessing the available usernames by brute force. - Improved the SRP detection in gnutls-cli-debug - Some fixes which now allow compilation. Version 0.8.0 (20/01/2003) - Added gnutls_x509_extract_dn_string() which returns a distinguished name in a single string. - Added gnutls_openpgp_extract_key_name_string() which returns an openpgp user ID in a single string. - Added gnutls_x509_extract_certificate_ca_status() which returns the CA status of the given certificate. - Added SRP-6 support. Follows draft-ietf-tls-srp-04. - If libtasn1 is not present in the system, it is included in the main gnutls library. - If liblzo is present in the system, then the included minilzo will not be used, and libgnutls-extra will depend on liblzo. - GNUTLS_E_PARSING_ERROR error code was replaced by GNUTLS_E_BASE64_DECODING_ERROR, and GNUTLS_E_SRP_PWD_PARSING_ERROR. GNUTLS_E_ASCII_ARMOR_ERROR was also replaced by GNUTLS_E_BASE64_DECODING_ERROR. Version 0.6.0 (8/12/2002) - Added "gnutls/compat4.h" header. This is included in gnutls.h to emulate the old 0.4.x API. - Example programs are now stored in doc/examples/ - Several improvements and updates in the documentation. - Added the certificate authenticated SRP cipher suites. - gnutls_x509_extract_certificate_dn_string() was updated to return an RFC2253 conforming string. - Added the SRP related functions: gnutls_srp_verifier() gnutls_srp_base64_encode() gnutls_srp_base64_decode() - Added the function gnutls_srp_set_server_credentials_function() to allow retrieving SRP parameters from an external backend - other than password files. - Added the function gnutls_openpgp_set_recv_key_function() which can be used to set a callback, to get OpenPGP keys. - Exported the functions: gnutls_malloc() gnutls_free() which should be used by callback functions. - Changed the semantics of gnutls_pem_base64_encode_alloc() and gnutls_pem_base64_decode_alloc(). In the default case were the gnutls library is used with malloc/realloc/free, these are binary compatible. Version 0.5.11 (5/11/2002) - Some fixes in 'gnutls-cli' client program to prevent some segmentation faults at exit. - Example programs found in the documentation can now be generated by running "make examples" in doc/tex directory. - Added more descriptive error strings, to gnutls_strerror(). - Documented error codes, and the function reference list is now sorted. - Optimized buffering code. - gnutls_x509_extract_certificate_dn_string() was rewritten. - Added GNUTLS_E_SHORT_MEMORY_BUFFER error code, which is returned in the case where the memory buffer provided is not long enough. - Depends on the new OpenCDK 0.3.2. Version 0.5.10 (13/10/2002) - Updated documentation. - Added server name extension. This allows clients to specify the name of the server they connect to. Useful to HTTPS. - Several corrections in the code base, mostly in signed/unsigned, checkings. Version 0.5.9 (10/10/2002) - Corrected some code which worked fine in gcc 3.2, but not with any other compiler. - Updated 'gnutls-cli' with the '--starttls' option, to allow testing starttls implementations. - Added gnutls_x509_extract_key_pk_algorithm() function which extracts the private key type, of a DER encoded key. - Added gnutls_x509_extract_certificate_dn_string() which returns the certificate's distinguished name in a single string. - Added gnutls_set_default_priority() and gnutls_set_default_export_priority() functions, to avoid calling all the *_priority() functions if the defaults are acceptable. - Added int gnutls_x509_check_certificates_hostname() which check whether the given hostname matches the owner of the given X.509 certificate. Version 0.5.8 (25/09/2002) - Updated documentation. - Added gnutls_record_get_direction() which replaces the obsolete gnutls_handshake_get_direction(). - Added function to convert error codes to alert descriptions - Added LZO compression Version 0.5.7 (11/09/2002) - Some fixes in the memory allocation functions (realloc). - Improved the string functions used in XML certificate generation. - Removed dependency on libgdbm. - Corrected bug in gnutls_dh_params_set() which affected gnutls_dh_params_deinit(). - Corrected bug in session resuming code in server side. Version 0.5.6 (6/09/2002) - Corrected bugs in SRP implementation, which prevented gnutls to interoperate with other implementations. (interoperability testing was done by David Taylor) - Corrected bug in cert_type extension. - Corrected extension type checks which used an 8 bit extension size, instead of 16 bits. - Added versioning in the XML output of certificate functions. - Removed the X.509 test suite. Version 0.5.5 (3/09/2002) - Updated the SRP implementation to the latest draft. The blowfish crypt implementation was removed, since the new draft does not allow other hash algorithms except for the srpsha. - Renamed all the constructed types in order to have more consistent names. - Improved the certificate and key read functions. Now they can read the certificate and the private key from the same file. - Updated and corrected documentation. Version 0.5.4 (27/08/2002) - Fixes in TLS 1.0 PRF and SSL3 random functions. - gnutls_handshake_set_exportable_detection() was obsoleted. - Added gnutls_openpgp_extract_key_id() which returns the key ID. - Corrected bug in DHE key exchange - Added support for temporary RSA keys which are needed for the export cipher suites. - Added the TLS_RSA_EXPORT_ARCFOUR_40_MD5 ciphersuite. Version 0.5.3 (23/08/2002) - No changes. Replaces the tarball of 0.5.2 which accidentaly contained code from the unstable branch. Version 0.5.2 (22/08/2002) - Added an error code that is returned in clients which connect to export only servers. This must be enabled using the gnutls_handshake_set_exportable_detection() function. - Updated openssl compatibility layer. - Added gnutls_handshake_get_direction() function which returns the state of the handshake when interrupted. Version 0.5.1 (17/07/2002) - Corrected the m4 macros which used instead of - Documentation fixes - Added gnutls_transport_set_ptr2() function, which accepts two different pointers, to be used while receiving, and while sending data. - Semantic changes in gnutls_record_set_max_size(). The requested size is now immediately enforced at the output buffers. - gnutls_global_init_extra() now fails if the library versions do not match. - Fixes in client and server example programs. Null encryption can be used in these programs, to assist in debuging. - Fixes in zlib compression code. Version 0.5.0 (6/07/2002) - Added X.509 certificate tests in tests/ directory - Removed stubs for SRP and Anonymous authentication. They served no purpose since they are always included, unless it was requested not to do so. - Added gnutls_handshake_set_private_extensions() function. This function can be used to enable private (gnutls specific) cipher suites and compression algorithms. - Added check for C99 macro support by the compiler. - Added functions gnutls_b64_encode_fmt2() and gnutls_b64_decode_fmt2() - Added the new libtasn1 library. - Removed the gdbm backend. Applications are now responsible for the session resuming backend. The gnutls-serv application contains an simple example on how to use gdbm for resuming. - Headers for the gnutls library are now installed in $(includedir)/gnutls - Added an OpenSSL compatible interface (with some limitations). - Added functions to convert DER encoded certificates to XML format. Version 0.4.4 (24/06/2002) - Corrected bug in PKCS-1 RSA encryption which prevented gnutls to encrypt using keys of some specific size. Version 0.4.3 (23/05/2002) - The gnutls-extra library now compiles fine, if the opencdk library is not present. - Several bug fixes. - Added gnutls_global_set_mem_func() function, to set the memory allocation functions, if other than the defaults are to be used. - The default memory allocation functions are now the ones in libc. Version 0.4.2 (21/05/2002) - Separated ASN.1 structures parser documentation and TLS library documentation. - Added gnutls_handshake_set_rsa_pms() function, which disables the version check in RSA premaster secret. - Added gnutls_session_is_resumed() function, which reports if a session is a resumed one. - Added gnutls_state_set_ptr() and gnutls_state_get_ptr() functions, to assist in callback functions. - Replaced the included 1024 bit prime for Diffie Hellman, with a new random one. - Relicensed the library under the GNU Lesser General Public License - Added gnutls-extra library which contains the GPL covered code of gnutls. Version 0.4.1 (7/04/2002) - Now uses alloca() for temporary variables - Optimized RSA signing - Added functions to return the peer's certificate activation and expiration time. - Corrected time function's behaviour (the time value returned no longer relate to local timezone). Version 0.4.0 (1/04/2002) - Added support for RFC2630 (PKCS7) X.509 certificate sets - Added new functions: gnutls_x509_extract_certificate_pk_algorithm(), gnutls_openpgp_extract_key_pk_algorithm(). - Several optimizations in the Handshake protocol - Several optimizations in RSA algorithm - Unified the return values because of small buffers. Version 0.3.92 (23/03/2002) - Updated documentation - Combined error codes of ASN.1 parser and gnutls - Removed GNUTLS_CERT_TRUSTED from the CertificateStatus enumeration - Added protection against CBC chosen plaintext attack (disabled by default) - Improved and optimized compression support Version 0.3.91 (3/03/2002) - Added gnutls-cli-debug program - Corrections in session resumption - Rehandshake can now handle negotiation of different authentication type. - gnutls-cli, gnutls-serv, gnutls-srpcrypt and gnutls-cli-debug are now being installed. Version 0.3.90 (24/02/2002) - Handshake messages are not kept in memory any more. Now we use less memory during a handshake - Added support for certificates with DSA parameters - Added DHE_DSS cipher suites - Key exchange methods changed so they do not depend on the certificate type. Added certificate type negotiation TLS extension. - Added openpgp key support (EXPERIMENTAL) - Improved Diffie Hellman key exchange support. - Bug fixes in the RSA key exchange. - Added check for the requested TLS extensions - TLS extensions now use a 16 bit type field. - Added a minimal string library to assist in ASN.1 parsing - Changes in ASN.1 parser to work with the new bison - Added gnutls_x509_extract_subject_alt_name(), which deprecates gnutls_x509_extract_subject_dns_name() - gnutls_x509_set_trust_(file/mem) can now be called multiple times - gnutls_srp_server_set_cred_file() can now be called multiple times Version 0.3.5 (25/01/2002) - Corrected the RSA key exchange method, to avoid attacks against PKCS-1 formating. Version 0.3.4 (20/01/2002) - Corrected bugs in DHE_RSA key exchange method Version 0.3.3 (19/01/2002) - Added gnutls_x509pki_verify_certificate() - Added gnutls_x509pki_set_trust_mem() and gnutls_x509pki_set_key_mem() - Bug fixes in srpcrypt (based on patch by Marc Huber) - Bug fixes in the Handshake protocol (based on patch by Guillaume Morin) - Corrected library versioning Version 0.3.2 (5/01/2002) - Corrected bug which did not allow a client to accept multiple CA names - Added gnutls_fingerprint() - Added gnutls_x509pki_extract_certificate_serial() - Added gnutls_b64_encode_fmt() and gnutls_b64_decode_fmt() - Corrected behaviour in version advertizing - Updated documentation - Prefixed all types in gnutls.h with 'GNUTLS_' to avoid namespace collisions Version 0.3.1 (21/12/2001) - Corrections in the configuration files - Fixes a bug in anonymous authentication Version 0.3.0 (17/12/2001) - Corrected bug in new integer formatting (now we use the old format again) - Several corrections and usual cleanups Version 0.2.91 (10/12/2001) - Fixes in MPI handling (fixes possible bug with signed integers) - Removed name indication extension - Added gnutls_transport_get_ptr() and gnutls_db_get_ptr() - Optimizations in server certificate callback. - Fixes in anonymous authentication - Corrections in client ciphersuite selection Version 0.2.90 (7/12/2001) - gnutls_handshake(), gnutls_read() etc. functions no longer require the 'SOCKET cd' argument. This argument is set using the function gnutls_set_transport_ptr(). - introduced gnutls_x509pki_get_peer_certificate_list(). This function returns a list containing peer's certificate and issuers DER encoded. - Updated X.509 certificate handling API - Added callback to select the server certificate - More consistent function naming (changes in several function names) - Buffer overflow checking in ASN.1 structures parser - Updated documentation Version 0.2.11 (16/11/2001) - Changed the meaning of GNUTLS_E_REHANDSHAKE value. If this value is returned, then the caller should perform a handshake or send an alert to the peer. - Made receive buffer dynamic. Normaly if no large chunks are received it occupies less space. - Added max_record_size extension - Bugfixes in session handling - Improved non blocking IO support in the Handshake Protocol - Usual bugfixes and cleanups - Documentation updated (includes ASN.1 documentation) Version 0.2.10 (5/11/2001) - Corrected bugs and improved non blocking IO - Added hooks to use external database to store sessions - Usual cleanups Version 0.2.9 (27/10/2001) - AUTH_INFO types and structures were moved to library internals - AUTH_FAILED is no longer returned in SRP authentication (any fatal error in SRP means auth failed) - Introduced GNUTLS_E_INTERRUPTED - Added support for non blocking IO - gnutls_recv() and gnutls_send() are now obsolete - Changed semantics of gnutls_rehandshake() Version 0.2.4 (12/10/2001) - Better handling of X.509 certificate extensions - Added DHE_RSA ciphersuites - Updated the Name Indication (dnsname) extension - Improvements in Diffie Hellman primes handling Version 0.2.3 (19/09/2001) - Memory optimizations in gnutls_recv() - Fixed several memory leaks - Added ability to specify callback for x509 client certificate selection - Better documentation Version 0.2.2 (21/08/2001) - Several bugfixes (library and documentation) Version 0.2.1 (07/08/2001) - SRP fixes Version 0.2.0 (07/08/2001) - Partial support for X.509v3 Certificate extensions. - Added Internal memory handlers - Removed gnutls_x509_set_cn() - Added X.509 client authentication - Several bug fixes and protocol fixes Version 0.1.9 (30/07/2001) - Corrected bug(s) in ChangeCipherSpec packet (fixes renegotiate) - SRP is updated to conform to the newest draft. - Added support for DNSNAME extension. - Reentracy fixes in ASN.1 Parsing. - Optimizations in hash/hmac functions - (Error) message handling has changed - Better Protocol Version handling - Added X.509 Certificate Verification - gnutls_read() semantics are now closer to read(2) - added EOF - Documented some part of gnutls in doc/tex/ using Latex Version 0.1.4 (22/06/2001) - Corrected (srp) base64 encoding. - Changed bcrypt algorithm to include username. - Added RSA Ciphersuites (no certificate checking). - Fixes in SSL 2.0 client hello parsing. - Added ASN.1 and DER parsers. - Bugfixes in session resuming - Updated Ciphersuite selection algorithm - Added internal representation of X.509 structures. - Added global state Version 0.1.3 (01/06/2001) - Updated API (and the way it is documented - we use inline documentation) - Added function to access alert messages. - Added support for renegotiating parameters. - Better and Faster Resume Database handling. - Several bugfixes Version 0.1.2 (14/05/2001) - Updated API - Fixes in extension handling Version 0.1.1 (13/05/2001) - Added compatibility with Stanford's libsrp library Version 0.1.0 (09/05/2001) - Added SSL 2.0 client hello support - GNUTLS is a gnu library - Added support for TLS extensions. - Added support for SRP Version 0.0.7 (11/01/2001) - Added server side session resuming (using gdbm) - Added twofish algorithm Version 0.0.6 (20/12/2000) - Added client side session resuming - Better documentation (check doc/API) - Better socket handling (gnutls can be used with select()) - Some primitive support for non blocking IO and socket options has been added. Version 0.0.5 (7/12/2000) - Added Compression (using ZLIB) - Added SSL 3.0 support