1 GNU TLS NEWS -- History of user-visible changes. -*- outline -*-
2 Copyright (C) 2004, 2005, 2006, 2007, 2008 Simon Josefsson
3 Copyright (C) 2000, 2001, 2002, 2003, 2004 Nikos Mavrogiannopoulos
4 See the end for copying conditions.
6 * Version 2.5.8 (unreleased)
8 ** certtool: updated so it can add several subject alternative names using
11 ** libgnutls: gnutls_x509_crt_set_subject_alt_name() was added that can
12 either set or append alternative names. It can also handle binary structures
15 ** libgnutls: Fix crash in hashing code when using non-libgcrypt handlers.
17 ** libgnutls: New function to set minimum acceptable SRP bits.
18 The function is gnutls_srp_set_prime_bits. Tiny patch by Kevin Quick
19 <quick@sparq.org> in <https://savannah.gnu.org/support/index.php?106454>.
21 ** libgnutls: Check for overflows in gnutls_calloc and gnutls_secure_calloc.
22 Also fix overflows in calls to those functions. Reported by Werner
25 ** libgnutls-extra: Add function to work with Libgcrypt in FIPS mode.
26 The function is gnutls_register_md5_handler. When libgcrypt is in
27 FIPS mode, MD5 is disabled, but TLS normally requires use of MD5 in
30 ** Opencdk: Add calls to gnutls_assert to ease debugging.
34 ** API and ABI modifications:
35 gnutls_srp_set_prime_bits: ADDED
36 gnutls_register_md5_handler: ADDED
37 gnutls_x509_crt_set_crl_dist_points2: ADDED
38 gnutls_x509_crt_set_subject_alt_name: ADDED
40 * Version 2.5.7 (released 2008-09-16)
42 ** libgnutls: New interfaces to get name of public key and signing algorithms.
43 The functions are gnutls_sign_get_name and gnutls_pk_get_name.
45 ** libgnutls: Don't crash when gnutls_credentials_set is called twice.
47 ** libgnutls: Fix libgnutls shared library version.
48 It wasn't properly incremented after adding symbols in the last
51 ** manual: Now mention supported public key and public key signing algorithms.
53 ** tests/openssl: initialize gnutls before use.
55 ** tests/setcredcrash: New test to catch regressions of gnutls_credentials_set.
57 ** GTK-DOC manual: mention new symbols in 2.6.x. Mention crypto.h functions.
59 ** API and ABI modifications:
60 gnutls_sign_get_name: ADDED
61 gnutls_pk_get_name: ADDED
63 * Version 2.5.6 (released 2008-09-08)
65 ** libgnutls: Add interface to deal with public key and signature algorithms.
66 The functions are called gnutls_pk_list, gnutls_pk_get_id,
67 gnutls_sign_list, and gnutls_sign_get_id. Suggested by Sam
68 Varshavchik <mrsam@courier-mta.com>.
70 ** libgnutls: Refactor and clean up some code.
72 ** libgnutls: Fix compile error with Sun CC.
74 ** gnutls-cli: Improve --list output to include public key and signature algs.
76 ** gnutls-cli, gnutls-serv: Remove --copyright parameter.
77 Use standard --version to get license info.
79 ** gnutls-cli.1: Document all new parameters.
80 Thanks to James Westby <jw+debian@jameswestby.net>.
82 ** tests: New self-test pgps2kgnu to test parsing of encrypted secrets.
83 Contributed by Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>.
85 ** API and ABI modifications:
87 gnutls_pk_get_id: ADDED
88 gnutls_sign_list: ADDED
89 gnutls_sign_get_id: ADDED
91 * Version 2.5.5 (released 2008-08-29)
93 ** libgnutls: New API to get a string corresponding to a error symbol.
94 The function is gnutls_strerror_name.
96 ** libgnutls: Fix include paths so that building with internal libtasn1 works.
97 Reported by "jth.net ApS" <info@jth.net>.
99 ** libgnutls: Fix segmentation fault when generating private keys.
100 Reported by Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>.
102 ** libgnutls: Remove code to import certificate chains in PKCS#7 format.
103 The code has not worked since v0.9.0 and apparently nobody has missed
104 it, so we decided to remove the code rather than fix it. If you have
105 old certificate chains stored in PKCS#7 format, you can convert them
106 to a list of PEM certificates by using 'certtool --p7-info'. Reported
107 by Christian Grothoff <christian@grothoff.org>.
109 ** opencdk: Parse (but not decrypt) encrypted secret keys.
110 Contributed by Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>.
112 ** libgnutls: Fix many warnings.
114 ** Included copy of libtasn1 is upgraded to version 1.5.
116 ** Add French translation, thanks to Nicolas Provost.
118 ** API and ABI modifications:
119 gnutls_strerror_name: ADDED
121 * Version 2.5.4 (released 2008-08-19)
123 ** Fix secure memory initialization of libgcrypt.
124 Reported by Joe Orton <joe@manyfish.co.uk> in
125 <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2992>.
128 Reference to NIST SP 800-57 in the manual on key size recommendations.
129 Added 'Since:' tags to new APIs for gtk-doc.
131 ** API and ABI modifications:
132 No changes since last version.
134 * Version 2.5.3 (released 2008-08-14)
136 ** libgnutls: New API to set the public parameters in a certificate request
137 ** from a private key.
138 The function is gnutls_x509_crq_set_key_rsa_raw. Inspired by
139 discussion with "Zach C." <fxchip@gmail.com>.
141 ** libgnutls: New API to set a callback to extract TLS Finished data.
142 The function to register is gnutls_session_set_finished_function and
143 it takes a callback of the gnutls_finished_callback_func type.
145 ** libgnutls: Drop final comma after GNUTLS_CRT_PRINT_UNSIGNED_FULL in enum.
146 Reported in <https://savannah.gnu.org/support/?106453>.
148 ** libgnutls: Fix namespace problem with TLS_MASTER_SIZE and TLS_RANDOM_SIZE.
149 The new names are GNUTLS_MASTER_SIZE and GNUTLS_RANDOM_SIZE. The old
150 names are mapped to the new names in compat.h. These mappings will
151 likely be removed more quickly than other mappings in that file due to
152 the namespace violation.
154 ** libgnutlsxx: Make it build when SRP is disabled.
156 ** doc: Add doxygen files in doc/doxygen/.
158 ** API and ABI modifications:
159 gnutls_x509_crq_set_key_rsa_raw: ADDED
160 gnutls_session_set_finished_function: ADDED
161 gnutls_finished_callback_func: ADDED
162 GNUTLS_MASTER_SIZE: ADDED
163 GNUTLS_RANDOM_SIZE: ADDED
164 TLS_MASTER_SIZE: DEPRECATED
165 TLS_RANDOM_SIZE: DEPRECATED
167 * Version 2.5.2 (released 2008-07-08)
169 ** libgnutls: Fix bug in gnutls_dh_params_generate2.
170 The prime and generator was swapped.
172 ** libgnutls: New interface to register a new TLS extension handler.
173 The new function gnutls_ext_register can be used to register handlers
174 for specific TLS extension types. The callback functions have the new
175 types gnutls_ext_recv_func and gnutls_ext_send_func. A type to
176 classify TLS extensions, gnutls_ext_parse_type_t, has been added as
179 ** Move more code for TLS/IA extension from libgnutls to libgnutls-extra.
180 This was made possible by using the new gnutls_ext_register interface.
181 The TLS/IA functionality has only been supported through the
182 libgnutls-extra library, so it makes sense for the code to belong
185 ** API and ABI modifications:
186 gnutls_ext_recv_func: ADDED
187 gnutls_ext_send_func: ADDED
188 gnutls_ext_parse_type_t: ADDED
189 gnutls_ext_register: ADDED
191 * Version 2.5.1 (released 2008-07-02)
195 ** API and ABI modifications:
196 No changes since last version.
198 * Version 2.5.0 (released 2008-07-02)
200 ** Port fixes from v2.4.1 release, see below.
202 ** Added API to replace and update the crypto backend.
203 The header gnutls/crypto.h is now officially supported, and declares
206 ** Rewritten opencdk crypto backend, to use the gnutls internal one.
208 ** Update gnulib and translations.
209 The gnulib gc crypto code has been removed since it was never finished
210 and is no longer even used. An internal non-libgcrypt crypto
211 implementation may be added in the future, but we'll decide that later
214 ** API and ABI modifications:
215 gnutls_crypto_bigint_register2: ADDED.
216 gnutls_crypto_cipher_register2: ADDED.
217 gnutls_crypto_digest_register2: ADDED.
218 gnutls_crypto_mac_register2: ADDED.
219 gnutls_crypto_pk_register2: ADDED.
220 gnutls_crypto_rnd_register2: ADDED.
221 gnutls_crypto_single_cipher_register2: ADDED.
222 gnutls_crypto_single_digest_register2: ADDED.
223 gnutls_crypto_single_mac_register2: ADDED.
225 * Version 2.4.2 (released 2008-09-15)
227 ** libgnutls: Don't crash when gnutls_credentials_set is called twice.
229 ** libgnutls: Corrected memory leak in X.509 functions.
230 Thanks to Colin Leroy <colin@colino.net>.
232 ** libgnutls: Fix compile error with Sun CC.
234 ** gnutls-cli.1: Document all new parameters.
235 Thanks to James Westby <jw+debian@jameswestby.net>.
237 ** tests/openssl: initialize gnutls before use.
238 Fixes crash with libgcrypt 1.4.2. Reported by Ludovic Courtes
239 <ludovic.courtes@laas.fr>.
241 ** doc/: Fix texinfo markup for old texinfo versions.
243 ** Included copy of libtasn1 is upgraded to version 1.5.
245 ** API and ABI modifications:
246 No changes since last version.
248 * Version 2.4.1 (released 2008-06-30)
250 ** libgnutls: Fix local crash in gnutls_handshake. [GNUTLS-SA-2008-2]
251 If the gnutls_handshake function is called for a normal session, which
252 can happen for re-handshakes, the library would crash because it tried
253 to hash some data using a libgcrypt handle that had been deallocated.
254 Report and tiny patch from Tomas Mraz <tmraz@redhat.com>. Any updates
255 with more details about this vulnerability will be added to
256 <http://www.gnu.org/software/gnutls/security.html>
258 ** libgnutls: Fix memory leaks when doing a re-handshake.
259 Reported by Sam Varshavchik <mrsam@courier-mta.com> in
260 <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2928>.
262 ** Fix compiler warnings.
263 Reported by Massimo Gaspari <massimo.gaspari@alice.it> in
264 <http://thread.gmane.org/gmane.network.gnutls.general/1281>.
266 ** Fix ordering of -I's to avoid opencdk.h conflict with system headers.
267 Reported by Roman Bogorodskiy <novel@FreeBSD.org> in
268 <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2930>.
270 ** srptool: Fix a problem where --verify check does not succeed.
271 Report and tiny patch by Matthias Koenig <mkoenig@suse.de> in
272 <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2944>.
274 ** API and ABI modifications:
275 No changes since last version.
277 * Version 2.4.0 (released 2008-06-19)
279 ** Major changes compared to the v2.2 branch:
281 *** The OpenPGP sub-system has been improved and now supports subkeys.
283 *** The PSK sub-system has been improved and now supports password
284 *** derivation and PSK identity hints.
285 The password derivation algorithms support is documented in
286 draft-ietf-netconf-tls-02.txt.
288 *** The certtool --inder and --outder has been replaced by --inraw and --outraw.
289 This aligns terminology with OpenPGP, which doesn't use DER encoding.
290 The old parameters will continue to work for some time.
292 *** Certtool now confirm passwords and changes permissions of private key files.
294 *** The default handshake size limit has been increased to 48kb.
295 It appears as if some valid handshakes are large due to sending many
296 CA certificates. (The earlier limit was 16kb.)
298 *** LZO compression is now disabled by default.
299 The main reason is that LZO compression in TLS is not standardized,
300 but license compatiblity issues with minilzo triggered us to make this
303 *** Improvements for cross-compilation to Windows and OpenWRT.
305 *** The look of the GTK-DOC manual has been improved.
306 Major developer visible changes compared to the v2.2 branch:
308 *** Full OpenPGP support is part of libgnutls, licensed under the LGPL.
310 *** New APIs to access the raw X.509 Subject and Issuer DN's and
311 *** elements from the certificate credentials structure.
314 *** New APIs to improve working with username/passwords and PSK.
316 *** Names of constants to affect certificate printing changed.
317 The constants are used for OpenPGP too, which the names didn't
318 reflect, so the following name change has been made:
321 GNUTLS_X509_CRT_FULL GNUTLS_CRT_PRINT_FULL
322 GNUTLS_X509_CRT_ONELINE GNUTLS_CRT_PRINT_ONELINE
323 GNUTLS_X509_CRT_UNSIGNED_FULL GNUTLS_CRT_PRINT_UNSIGNED_FULL
325 The old names will be mapped to the new names for some time.
327 *** The function gnutls_openpgp_privkey_get_id has been renamed to
328 *** gnutls_openpgp_privkey_get_key_id.
329 A compatibility mapping exists to avoid breaking API backwards
332 *** Replaced all uses of alloca with malloc and free.
334 *** We no longer build with -D_REENTRANT -D_THREAD_SAFE.
335 We have been unable to find a documented rationale for this practice.
337 *** Of course, many smaller fixes have been made, see the ChangeLog file.
339 *** API/ABI changes in GnuTLS 2.4
340 All OpenPGP related functions have been moved from libgnutls-extra to
341 libgnutls, and several new functions have been added (see below).
342 Before making the release, we discussed whether moving functions from
343 libgnutls-extra to libgnutls would require us to increment the ABI
344 version, but the general opinion was that this would not be required.
345 All older functions continue to work the same. We are open to the
346 possibility that this decision will lead to problem on some platform,
347 and if it turns out that the Right Thing should have been to increment
348 the shared library version, we would need to release an update within
349 the 2.4.x branch that increments the shared library version.
351 This release adds the following functions:
353 gnutls_psk_client_get_hint
354 gnutls_psk_set_server_credentials_hint
355 gnutls_psk_netconf_derive_key
357 Used to get/set the PSK identity hint, and derive PSK keys from
358 passwords a'la netconf.
360 gnutls_x509_dn_deinit
361 gnutls_x509_dn_export
362 gnutls_x509_dn_import
365 Used to handle X.509 Certificate DN's directly.
369 Converts a data buffer to hex. Useful for handling PSK/SRP shared
372 gnutls_certificate_get_x509_cas
373 gnutls_certificate_get_x509_crls
374 gnutls_certificate_get_openpgp_keyring
376 Functions for direct access to credential elements.
378 gnutls_openpgp_crt_get_auth_subkey
379 gnutls_openpgp_crt_get_key_id
380 gnutls_openpgp_crt_get_pk_dsa_raw
381 gnutls_openpgp_crt_get_pk_rsa_raw
382 gnutls_openpgp_crt_get_preferred_key_id
383 gnutls_openpgp_crt_get_revoked_status
384 gnutls_openpgp_crt_get_subkey_count
385 gnutls_openpgp_crt_get_subkey_creation_time
386 gnutls_openpgp_crt_get_subkey_expiration_time
387 gnutls_openpgp_crt_get_subkey_fingerprint
388 gnutls_openpgp_crt_get_subkey_id
389 gnutls_openpgp_crt_get_subkey_idx
390 gnutls_openpgp_crt_get_subkey_pk_algorithm
391 gnutls_openpgp_crt_get_subkey_pk_dsa_raw
392 gnutls_openpgp_crt_get_subkey_pk_rsa_raw
393 gnutls_openpgp_crt_get_subkey_revoked_status
394 gnutls_openpgp_crt_get_subkey_usage
395 gnutls_openpgp_crt_print
396 gnutls_openpgp_crt_set_preferred_key_id
397 gnutls_openpgp_keyring_get_crt
398 gnutls_openpgp_keyring_get_crt_count
399 gnutls_openpgp_privkey_export
400 gnutls_openpgp_privkey_export_dsa_raw
401 gnutls_openpgp_privkey_export_rsa_raw
402 gnutls_openpgp_privkey_export_subkey_dsa_raw
403 gnutls_openpgp_privkey_export_subkey_rsa_raw
404 gnutls_openpgp_privkey_get_fingerprint
405 gnutls_openpgp_privkey_get_key_id
406 gnutls_openpgp_privkey_get_pk_algorithm
407 gnutls_openpgp_privkey_get_preferred_key_id
408 gnutls_openpgp_privkey_get_revoked_status
409 gnutls_openpgp_privkey_get_subkey_count
410 gnutls_openpgp_privkey_get_subkey_creation_time
411 gnutls_openpgp_privkey_get_subkey_expiration_time
412 gnutls_openpgp_privkey_get_subkey_fingerprint
413 gnutls_openpgp_privkey_get_subkey_id
414 gnutls_openpgp_privkey_get_subkey_idx
415 gnutls_openpgp_privkey_get_subkey_pk_algorithm
416 gnutls_openpgp_privkey_get_subkey_revoked_status
417 gnutls_openpgp_privkey_set_preferred_key_id
419 New OpenPGP related functions.
421 The function gnutls_openpgp_crt_get_key_id is the same as the old
422 from gnutls_openpgp_crt_get_id, see above.
424 The release also adds a new header file 'gnutls/crypto.h', however it
425 is currently not used.
427 ** libgnutls [OpenPGP]: New APIs to retrieve fingerprint from OpenPGP subkeys.
428 Contributed by Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>.
430 ** API and ABI modifications:
431 gnutls_openpgp_crt_get_subkey_fingerprint: ADDED.
432 gnutls_openpgp_privkey_get_subkey_fingerprint: ADDED.
434 * Version 2.3.15 (released 2008-06-15)
436 ** Disable the openpgp-certs self-tests.
437 It results in failure under Wine and doesn't work on Debian buildds.
439 ** API and ABI modifications:
440 No changes since last version.
442 * Version 2.3.14 (released 2008-06-11)
444 ** libgnutls [OpenPGP]: Changed OpenPGP verification behaviour.
445 An OpenPGP certificate is now only considered verified if all the user
448 ** Examples: Make C++ example compile.
449 Earlier it may have failed with an unresolved reference to strlen.
451 ** Documentation: Doc fix for gnutls_x509_crt_get_extension_oid.
452 Reported by Sam Varshavchik <mrsam@courier-mta.com>.
454 ** API and ABI modifications:
455 No changes since last version.
457 * Version 2.3.13 (released 2008-06-07)
459 ** libgnutls [OpenPGP]: Make OpenPGP handshakes work again.
461 ** doc/: Add psktool to info index. Some minor cleanups.
463 ** tests/: Added non-forking TLS handshake test, see tests/mini.c.
465 ** tests/: Added libgcrypt.supp which can be used with valgrind.
466 The file suppresses the known libgcrypt memory leaks, so they aren't
467 printed when you run valgrind on the gnutls self-tests. Use it as
468 follows: valgrind --suppressions=libgcrypt.supp ./x509self or add
469 '--suppressions=/home/you/src/gnutls/tests/libgcrypt.supp' to your
472 ** tests/: Reduce amount of debugging output by default.
473 Use --verbose for each test to get the full output.
475 ** tests/: Fix memory leaks in several self-tests.
476 None of the self tests should be leaking memory when running valgrind
477 or similar tools. (Known exceptions are dhepskself, pskself, and
478 set_pkcs12_cred, which appear likely to be due to memory leaks in the
481 ** API and ABI modifications:
482 No changes since last version.
484 * Version 2.3.12 (released 2008-06-04)
486 ** Merge gnutls_with_netconf branch.
488 *** libgnutls [PSK]: New API to retrieve PSK identity hint in client.
489 The function is gnutls_psk_client_get_hint.
491 *** libgnutls [PSK]: New API to set PSK identity hint in server.
492 The function is gnutls_psk_set_server_credentials_hint.
494 *** libgnutls [PSK]: Support server key exchange with PSK identity hint.
495 In the client, the message is parsed and the application can use
496 gnutls_psk_client_get_hint to retrieve the hint. In the server, the
497 message is sent if the application has specified a PSK identity hint
498 using gnutls_psk_set_server_credentials_hint.
500 *** libgnutls [PSK]: Support Netconf PSK key derivation.
501 The function gnutls_psk_netconf_derive_key supports the PSK key
502 derivation as specified in draft-ietf-netconf-tls-02.txt. New self
505 *** psktool: Support new --netconf-hint to generate PSK key from password.
506 Uses the Netconf algorithm to derive PSK key from password.
508 *** gnutls-serv: Support new --pskhint parameter to set PSK identity hint.
510 *** gnutls-cli: Always support PSK modes, through a callback.
511 The callback will derive a PSK key using Netconf algorithm. It will
512 print the PSK identity hint to help the user.
514 *** New PSK example client and server.
515 See doc/examples/ex-client-psk.c and doc/examples/ex-serv-psk.c.
517 ** libgnutls: Fix gnutls_x509_crl_set_version on arm platforms.
518 The code didn't work properly on platforms where 'char' is unsigned,
519 when you set version 0. Reported by Laurence Withers
520 <l@lwithers.me.uk> in
521 <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2825>.
523 ** libgnutls-openssl: added RAND_pseudo_bytes API.
524 Patch from Robert Millan <rmh@aybabtu.com>.
526 ** API and ABI modifications:
527 RAND_pseudo_bytes: ADDED to libgnutls-openssl.
528 gnutls_psk_client_get_hint: ADDED.
529 gnutls_psk_set_server_credentials_hint: ADDED.
530 gnutls_psk_netconf_derive_key: ADDED
532 * Version 2.3.11 (released 2008-05-20)
534 ** Fix flaw in fix for GNUTLS-SA-2008-1-3.
535 The flaw would result in incorrectly terminated sessions with the
536 error "Decryption has failed" when the server sends a small packet
537 (typically when the session is closed). Reported by Andreas Metzler
538 <ametzler@downhill.at.eu.org> in
539 <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2807>.
541 ** Don't use gnulib headers when building C++ library.
542 Fixes builds under Windows.
544 ** Make umask a requirement.
545 We don't know of any system that lacks it, even GNU CoreUtils use it
548 ** Update gnulib files.
549 Fixes a problem where it pulled in a replacement for memcmp under
550 MinGW, which caused the C++ example to fail to build.
552 ** API and ABI modifications:
553 No changes since last version.
555 * Version 2.3.10 (released 2008-05-19)
557 ** Added wide wildcard hostname matching.
558 Tiny patch by Jean-Philippe Garcia Ballester.
560 ** Fix three security vulnerabilities. [GNUTLS-SA-2008-1]
561 Thanks to CERT-FI for finding the bugs and providing detailed reports,
562 which allowed the bugs to be reproduced and fixed easily. Patches
563 developed by Simon Josefsson and Nikos Mavrogiannopoulos. Any updates
564 with more details about these vulnerabilities will be added to
565 <http://www.gnu.org/software/gnutls/security.html>
567 *** [GNUTLS-SA-2008-1-1]
568 *** libgnutls: Fix crash when sending invalid server name.
569 The crash can be triggered remotely before authentication, which can
570 lead to a Daniel of Service attack to disable the server. The bug
571 cause gnutls to store more session resumption data than what was
572 allocated for, thus overwriting unallocated memory.
574 *** [GNUTLS-SA-2008-1-2]
575 *** libgnutls: Fix crash when sending repeated client hellos.
576 The crash can be triggered remotely before authentication, which can
577 lead to a Daniel of Service attack to disable the server. The bug
578 triggers a null-pointer dereference.
580 *** [GNUTLS-SA-2008-1-3]
581 *** libgnutls: Fix crash in cipher padding decoding for invalid record lengths.
582 The crash can be triggered remotely before authentication, which can
583 lead to a Daniel of Service attack to disable the server. The bug
584 cause gnutls to read memory beyond the end of the received record.
586 ** libgnutlsxx: Updated API according to patches from Eduardo
587 Villanueva Che (discussion at
588 <http://lists.gnu.org/archive/html/gnutls-devel/2007-02/msg00017.html>)
590 ** Use umask to restrict permissions to owner before creating a file.
592 ** API and ABI modifications:
593 No changes since last version.
595 * Version 2.3.9 (released 2008-05-16)
597 ** libgnutls: Fix build failures if SRP/OpenPGP is disabled.
598 Based on report and tiny patches from
599 <jared.jennings.ctr@eglin.af.mil>, see
600 <https://savannah.gnu.org/support/index.php?106342>.
602 ** libgnutls: Translation fixes.
604 ** gnutls-cli: Fix so that PSK authentication works.
605 Also improve manual to give example for gnutls-cli PSK authentication.
607 ** certtool: Encrypting a private key now require a confirmed password.
608 Before './certtool -k -8' would merely ask for a password once.
609 Reported by Daniel 'NebuchadnezzaR' Dehennin
610 <nebuchadnezzar@asgardr.info> see
611 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=364287>.
613 ** certtool: When writing private keys to files, change permissions of file.
614 Now the file which the private key is saved to is chmod'ed 0600.
615 Reported by martin f krafft <madduck@debian.org> see
616 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=373169>.
618 ** guile: Fix -fgnu89-inline test.
620 ** Removed --enable-profile-mode.
621 The code linked gnutls with the libfc project (Function Check) which
622 appears to have been stalled since around 2002.
624 ** Clean up header file checks by ./configure.
626 ** Update of gnulib files.
628 ** API and ABI modifications:
629 No changes since last version.
631 * Version 2.3.8 (released 2008-04-29)
633 ** libgnutls: Increase default handshake packet size limit to 48kb.
634 The old limit was 16kb and some servers send huge list of trusted CAs,
635 thus running into the limit. FYI, applications can further increase
636 this limit using gnutls_handshake_set_max_packet_length. Thanks to
637 Marc Haber <mh+debian-bugs@zugschlus.de> and "Marc F. Clemente"
638 <marc@mclemente.net> for reporting and providing test servers.
640 ** libgnutls: Add new error code: GNUTLS_E_HANDSHAKE_TOO_LARGE
641 Returned when the handshake data size is too large. Before
642 GNUTLS_E_MEMORY_ERROR was used, which could be confused with other
645 ** libgnutls: Hide definitions in crypto.h.
646 We have decided that the APIs defined in crypto.h are not stable
647 enough for v2.4, so don't use any of those functions.
649 ** gnutls-cli: exit when hostname doesn't match certificate.
650 Use --insecure to avoid hostname comparison.
652 ** certtool: --inder and --outder replaced by --inraw and --outraw.
653 The reason is to align terminology with OpenPGP, which doesn't use
654 DER. The old parameters will continue to work for some time.
656 ** doc: Add section 'Index of new symbols in 2.4.0' to the GTK-DOC manual.
658 ** doc: Many cosmetic fixes, to silence (most) gtk-doc warnings.
660 ** Mingw32: Revert libgcrypt vasprintf work-around added in last release.
661 Use libgcrypt 1.4.1 or later when building on MinGW32, it removes the
662 vasprintf symbol from the libgcrypt library which caused problems.
664 ** Update of gnulib files.
666 ** tests: New self-test of crypto.h RNG code tests/crypto_rng.
668 ** API and ABI modifications:
669 GNUTLS_E_HANDSHAKE_TOO_LARGE: ADDED.
671 * Version 2.3.7 (released 2008-04-21)
673 ** opencdk now properly sets the key usage bits into openpgp keys.
675 ** gnutls-cli: Fix crash on TLS handshake failures.
676 Reported by "Marc F. Clemente" <marc@mclemente.net> in Debian BTS #466477.
677 This is similar to <http://bugs.debian.org/429183>.
679 ** certtool: with --generate-request and newly generated keys, print the key.
681 ** Build fixes for MinGW.
682 Missing rpl_fseeko symbol in lib/opencdk/. Better checks for linking
683 with -lws2_32 when needed. Use ASCII only isprint() when printing
684 X.509 certificate information, to avoid non-ASCII but printable
685 characters. Thanks to Massimo Gaspari <massimo.gaspari@alice.it> for
688 ** Update internal copy of libtasn1 to version 1.4.
690 ** API and ABI modifications:
691 No changes since last version.
693 * Version 2.3.6 (released 2008-04-17)
695 ** Make gnutls_x509_crq_sign2 set certificate request version if not set.
696 ** Improve documentation for gnutls_x509_crq_sign2.
697 Based on report from "John Brooks" <aspecialj@gmail.com> in
698 <http://permalink.gmane.org/gmane.network.gnutls.general/1154>.
700 ** tests/pathlen: run diff without parameters to improve portability.
701 Based on HPUX build hints in
702 <http://hpux.cs.utah.edu/hppd/cgi-bin/wwwtar?/hpux/Gnu/gnutls-2.3.4/gnutls-2.3.4-src-11.11.tar.gz+gnutls-2.3.4/HPUX.Install+text>.
704 ** Don't use %e specifier with strftime, it doesn't work under Windows.
705 Reported by Massimo Gaspari <massimo.gaspari@alice.it> in
706 <http://permalink.gmane.org/gmane.network.gnutls.general/1170>.
708 ** Remove all uses of gnutls_alloca/gnutls_afree.
709 Use normal gnutls_malloc instead. One reason is increased portability
710 to Windows, the other is that several of the uses may be unsafe
711 because the size of data allocated could be large. Reported by
712 Massimo Gaspari <massimo.gaspari@alice.it> in
713 <http://permalink.gmane.org/gmane.network.gnutls.general/1170>.
715 ** Build Guile code with -fgnu89-inline only when supported.
716 Reported by Kris Karas <ktk@enterprise.bidmc.harvard.edu> in
717 <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2708>.
719 ** Several GTK-DOC related fixes.
721 ** Clean up OpenCDK related code.
722 GnuTLS now requires its internal OpenCDK code rather than the external
723 GPL library OpenCDK. Unfortunately, we don't have resources to
724 maintain an external library (help welcome).
726 ** API and ABI modifications:
727 No changes since last version.
729 * Version 2.3.5 (released 2008-04-14)
731 ** Build fix for MinGW and --disable-shared.
732 Reported by Massimo Gaspari <massimo.gaspari@alice.it> in
733 <http://permalink.gmane.org/gmane.network.gnutls.general/1145>.
735 ** Document how to generate CRLs.
736 Suggested by "Rainer Gerhards" <rgerhards@gmail.com>.
738 ** Documented the --priority option to gnutls-cli and gnutls-serv.
740 ** Several minor fixes in the OpenPGP interface.
741 Thanks to Daniel Kahn Gillmor.
743 ** Fix fopen file descriptor leak in PSK server code.
744 Thanks to Laurence Withers <l@lwithers.me.uk>, see
745 <http://lists.gnu.org/archive/html/gnutls-devel/2008-04/msg00002.html>.
747 ** Translations files not stored directly in git to avoid merge conflicts.
749 ** New APIs to let applications replace the RNG used.
750 Update all RNG callers in the code to use the new interface.
752 ** Guile code now built with -fgnu89-inline to fix inline semantic problem.
754 ** Update gnulib files.
756 ** API and ABI modifications:
757 gnutls_crypto_rnd_register: ADDED
758 gnutls_rnd_level_t: ADDED
759 GNUTLS_RND_KEY: ADDED, gnutls_rnd_level_t member
760 GNUTLS_RND_RANDOM: ADDED, gnutls_rnd_level_t member
761 GNUTLS_RND_NONCE: ADDED, gnutls_rnd_level_t member
762 gnutls_crypto_rnd_st: ADDED
763 GNUTLS_DIG_SHA224: ADDED
764 GNUTLS_SIGN_RSA_SHA224: ADDED
765 gnutls_openpgp_crt_get_auth_subkey: MODIFIED
767 * Version 2.3.4 (released 2008-03-19)
769 ** Finish renaming of gnutls_certificate_export_x509_cas etc.
770 They weren't renamed in the public header file.
772 ** Added functions to register a cipher/mac/digest. This allows to
773 override the included ones.
775 ** Fix a bunch of compiler warnings.
777 ** API and ABI modifications:
778 gnutls_crypto_cipher_st: ADDED
779 gnutls_crypto_mac_st: ADDED
780 gnutls_crypto_digest_st: ADDED
781 gnutls_crypto_cipher_register: ADDED
782 gnutls_crypto_mac_register: ADDED
783 gnutls_crypto_digest_register: ADDED
784 GNUTLS_E_CRYPTO_ALREADY_REGISTERED: ADDED
786 * Version 2.3.3 (released 2008-03-10)
788 ** Fix build failure in libextra/gnutls_extra.c that needed opencdk.h.
789 Reported by Roman Bogorodskiy <novel@FreeBSD.org>.
791 ** No longer compiled using -D_REENTRANT -D_THREAD_SAFE.
792 We could not find any modern justification for enabling these flags by
793 default. If you know of some platform that needs one of the flags to
794 work properly, please let us know. (Actually introduced in v2.3.0 but
795 not documented until now.)
797 ** Importing many CA certificates are now considerably faster.
798 This affect gnutls_certificate_set_x509_trust_mem,
799 gnutls_certificate_set_x509_trust, and
800 gnutls_certificate_set_x509_trust_file. The complexity was reduced
801 from O(2*n^2) to O(n). When adding 206 files containing 408
802 certificates, using gnutls_certificate_set_x509_trust_file, the time
803 dropped from 40 seconds to 0.3 seconds. Thanks to Edgar Fuß for code
804 to trigger the problem. See also
805 <http://blog.josefsson.org/2008/02/27/real-world-performance-tuning-with-callgrind/>.
807 ** Clarify documentation for gnutls_x509_crt_set_subject_alternative_name
808 ** to be explicit that it takes zero terminated data.
810 ** gnutls-cli --print-cert now print PKCS#3 format Diffie-Hellman parameters.
812 ** Documentation fixes for the GTK-DOC manual.
814 ** Fix compilation error related to __FUNCTION__ on some systems.
815 Reported by Tim Mooney, see
816 <https://savannah.gnu.org/support/?106267>.
818 ** Updated translations.
820 ** Update gnulib files.
822 ** API and ABI modifications:
823 gnutls_hex2bin: MODIFIED, uses size_t instead of int for string length,
824 and char* instead of void* for output buffer.
826 * Version 2.3.2 (released 2008-02-26)
828 ** Fix srcdir!=objdir failure in openpgpself test.
830 ** Improved API documentation output from GTK-DOC.
832 ** Added gnutls_x509_dn_export(). Patch by Joe Orton.
834 ** Renamed gnutls_certificate_export_x509_cas and friends.
835 See <http://lists.gnu.org/archive/html/gnutls-devel/2008-02/msg00043.html>.
837 ** Internal header files cleanup.
839 ** API and ABI modifications:
840 gnutls_certificate_export_x509_cas: RENAMED to gnutls_certificate_get_x509_cas
841 gnutls_certificate_export_x509_crls: RENAMED to gnutls_certificate_get_x509_crls
842 gnutls_certificate_export_openpgp_keyring: RENAMED to gnutls_certificate_get_openpgp_keyring
843 gnutls_x509_dn_export: ADDED
845 * Version 2.3.1 (released 2008-02-21)
847 ** OpenPGP support merged into libgnutls and is now licensed under LGPL.
848 The included copy of OpenCDK has been stripped down and re-licensed
851 ** Cipher priority string handling now handle strings that starts with NULL.
852 Thanks to Laurence Withers <l@lwithers.me.uk>.
854 ** gnutls-cli: When -d is used, also prints RNG information from libgcrypt.
856 ** Corrected memory leaks in session resuming and DHE ciphersuites. Reported
859 ** Increased the default certificate verification chain limits and allowed
860 for checks without limitation.
862 ** Corrected the behaviour of gnutls_x509_crt_get_subject_alt_name()
863 and gnutls_x509_crt_get_subject_alt_name() to not null terminate binary
864 strings and return the proper size.
866 ** Add section 'On Record Padding' to the manual.
867 This collects all problems related to record padding with
868 Nokia/Sony-Ericsson phones that we know about.
870 ** Several improvements in the OpenPGP authentication.
871 Now subkeys can be used for authentication, according to
872 draft-mavrogiannopoulos-rfc5081bis-00.txt.
874 ** certtool can print information on OpenPGP certificates and keys.
876 ** Added gnutls_x509_dn_import/init/deinit() to access raw DER DN.
879 ** Added gnutls_certificate_export_x509_cas and other functions to
880 export elements from the certificate credentials structure. Based on
881 suggestion from Joe Orton.
884 Clarify that srp_base64 is not the same as normal base64.
886 ** Fix non-portable use of brace expansion in makefiles.
888 ** API and ABI modifications:
889 gnutls_certificate_export_x509_cas: ADDED
890 gnutls_certificate_export_x509_crls: ADDED
891 gnutls_certificate_export_openpgp_keyring: ADDED
892 gnutls_openpgp_keyid_t: ADDED, instead of hard-coded 'unsigned char[8]'.
893 gnutls_openpgp_crt_get_key_id: ADDED, obsoletes gnutls_openpgp_crt_get_id.
894 gnutls_openpgp_crt_get_revoked_status: ADDED
895 gnutls_openpgp_crt_get_subkey_count: ADDED
896 gnutls_openpgp_crt_get_subkey_idx: ADDED
897 gnutls_openpgp_crt_get_subkey_revoked_status: ADDED
898 gnutls_openpgp_crt_get_subkey_pk_algorithm: ADDED
899 gnutls_openpgp_crt_get_subkey_creation_time: ADDED
900 gnutls_openpgp_crt_get_subkey_expiration_time: ADDED
901 gnutls_openpgp_crt_get_subkey_id: ADDED
902 gnutls_openpgp_crt_get_subkey_usage: ADDED
903 gnutls_openpgp_privkey_get_fingerprint: ADDED
904 gnutls_openpgp_privkey_get_key_id: ADDED
905 gnutls_openpgp_privkey_get_subkey_count: ADDED
906 gnutls_openpgp_privkey_get_subkey_idx: ADDED
907 gnutls_openpgp_privkey_get_subkey_revoked_status: ADDED
908 gnutls_openpgp_privkey_get_revoked_status: ADDED
909 gnutls_openpgp_privkey_get_subkey_pk_algorithm: ADDED
910 gnutls_openpgp_privkey_get_subkey_expiration_time: ADDED
911 gnutls_openpgp_privkey_get_subkey_id: ADDED
912 gnutls_openpgp_privkey_get_subkey_creation_time: ADDED
913 gnutls_openpgp_crt_get_subkey_pk_dsa_raw: ADDED
914 gnutls_openpgp_crt_get_subkey_pk_rsa_raw: ADDED
915 gnutls_openpgp_crt_get_pk_dsa_raw: ADDED
916 gnutls_openpgp_crt_get_pk_rsa_raw: ADDED
917 gnutls_openpgp_privkey_export_subkey_dsa_raw: ADDED
918 gnutls_openpgp_privkey_export_subkey_rsa_raw: ADDED
919 gnutls_openpgp_privkey_export_dsa_raw: ADDED
920 gnutls_openpgp_privkey_export_rsa_raw: ADDED
921 gnutls_openpgp_privkey_export: ADDED
922 gnutls_certificate_set_openpgp_key_file2: ADDED
923 gnutls_certificate_set_openpgp_key_mem2: ADDED
924 gnutls_x509_dn_init: ADDED
925 gnutls_x509_dn_import: ADDED
926 gnutls_x509_dn_deinit: ADDED
927 GNUTLS_E_OPENPGP_SUBKEY_ERROR: ADDED
928 gnutls_hex2bin: ADDED
929 GNUTLS_CRT_PRINT_FULL: ADDED, same as old GNUTLS_X509_CRT_FULL.
930 GNUTLS_CRT_PRINT_ONELINE: ADDED, same as old GNUTLS_X509_CRT_ONELINE.
931 GNUTLS_CRT_PRINT_UNSIGNED_FULL: ADDED, same as
932 old GNUTLS_X509_CRT_UNSIGNED_FULL.
934 * Version 2.3.0 (released 2008-01-08)
936 ** LZO compression is now disabled by default.
937 The reason is that LZO compression is not standardized in TLS. If you
938 wish to experiment with it, you will have to supply --with-lzo when
939 invoking ./configure. The internal copy of minilzo is no longer
940 included with GnuTLS, so you will need to install liblzo or liblzo2 on
941 your system to have --with-lzo to be effective.
943 ** More than one server name field is now sent to the server properly.
944 Thanks to mark.phillips@virgin.net.
946 ** Fixes the post_client_hello_function(). The extensions are now parsed
947 in a callback friendly way.
949 ** Fix for certificate selection in servers with certificate callbacks.
951 ** Updated translations.
953 ** Update gnulib files.
955 ** API and ABI modifications:
956 No changes since last version.
958 * Version 2.2.5 (released 2008-05-19)
960 ** Fix flaw in fix for GNUTLS-SA-2008-1-3.
961 The flaw would result in incorrectly terminated sessions with the
962 error "Decryption has failed" when the server sends a small packet
963 (typically when the session is closed). Reported by Andreas Metzler
964 <ametzler@downhill.at.eu.org> in
965 <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2807>.
967 ** API and ABI modifications:
968 No changes since last version.
970 * Version 2.2.4 (released 2008-05-19)
972 ** Fix three security vulnerabilities. [GNUTLS-SA-2008-1]
973 Thanks to CERT-FI for finding the bugs and providing detailed reports,
974 which allowed the bugs to be reproduced and fixed easily. Patches
975 developed by Simon Josefsson and Nikos Mavrogiannopoulos. Any updates
976 with more details about these vulnerabilities will be added to
977 <http://www.gnu.org/software/gnutls/security.html>
979 *** [GNUTLS-SA-2008-1-1]
980 *** libgnutls: Fix crash when sending invalid server name.
981 The crash can be triggered remotely before authentication, which can
982 lead to a Daniel of Service attack to disable the server. The bug
983 cause gnutls to store more session resumption data than what was
984 allocated for, thus overwriting unallocated memory.
986 *** [GNUTLS-SA-2008-1-2]
987 *** libgnutls: Fix crash when sending repeated client hellos.
988 The crash can be triggered remotely before authentication, which can
989 lead to a Daniel of Service attack to disable the server. The bug
990 triggers a null-pointer dereference.
992 *** [GNUTLS-SA-2008-1-3]
993 *** libgnutls: Fix crash in cipher padding decoding for invalid record lengths.
994 The crash can be triggered remotely before authentication, which can
995 lead to a Daniel of Service attack to disable the server. The bug
996 cause gnutls to read memory beyond the end of the received record.
998 ** API and ABI modifications:
999 No changes since last version.
1001 * Version 2.2.3 (released 2008-05-06)
1003 ** Increase default handshake packet size limit to 48kb.
1004 The old limit was 16kb and some servers send huge list of trusted CAs,
1005 thus running into the limit. FYI, applications can further increase
1006 this limit using gnutls_handshake_set_max_packet_length. Thanks to
1007 Marc Haber <mh+debian-bugs@zugschlus.de> and "Marc F. Clemente"
1008 <marc@mclemente.net> for reporting and providing test servers.
1010 ** Fix compilation error related to __FUNCTION__ on some systems.
1011 Reported by Tim Mooney, see
1012 <https://savannah.gnu.org/support/?106267>.
1014 ** Documented the --priority option to gnutls-cli and gnutls-serv.
1016 ** Fix fopen file descriptor leak in PSK server code.
1017 Thanks to Laurence Withers <l@lwithers.me.uk>, see
1018 <http://lists.gnu.org/archive/html/gnutls-devel/2008-04/msg00002.html>.
1020 ** Build Guile code with -fgnu89-inline only when supported.
1021 Reported by Kris Karas <ktk@enterprise.bidmc.harvard.edu> in
1022 <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2708>.
1024 ** Make Camellia encryption work.
1025 Reported by Yoshisato YANAGISAWA <yanagisawa@csg.is.titech.ac.jp> in
1026 <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2746>.
1028 ** API and ABI modifications:
1029 No changes since last version.
1031 * Version 2.2.2 (released 2008-02-21)
1033 ** Cipher priority string handling now handle strings that starts with NULL.
1034 Thanks to Laurence Withers <l@lwithers.me.uk>.
1036 ** Corrected memory leaks in session resuming and DHE ciphersuites. Reported
1039 ** Increased the default certificate verification chain limits and allowed
1040 for checks without limitation.
1042 ** Corrected the behaviour of gnutls_x509_crt_get_subject_alt_name()
1043 and gnutls_x509_crt_get_subject_alt_name() to not null terminate binary
1044 strings and return the proper size.
1046 ** API and ABI modifications:
1047 No changes since last version.
1049 * Version 2.2.1 (released 2008-01-17)
1051 ** Prevent linking libextra against previously installed libgnutls.
1052 Tiny patch from "Alon Bar-Lev" <alon.barlev@gmail.com>, see
1053 <http://bugs.gentoo.org/show_bug.cgi?id=202269>.
1055 ** Fixes the post_client_hello_function(). The extensions are now parsed
1056 in a callback friendly way.
1058 ** Fix for certificate selection in servers with certificate callbacks.
1060 ** API and ABI modifications:
1061 No changes since last version.
1063 * Version 2.2.0 (released 2007-12-14)
1065 ** Update internal copy of libtasn1 to version 1.2.
1067 ** Certtool --verify-chain now handle inputs larger than 64kb.
1068 This fixes the self-test "rsa-md5-collision" under MinGW+Wine with
1069 recent versions of libgcrypt. The problem was that Wine with the
1070 libgcrypt RNG generates huge amounts of debugging output.
1072 ** Translation updates.
1073 Added Dutch translation. Updated Polish and Swedish translation.
1075 ** Major changes compared to the v2.0 branch:
1077 *** SRP support aligned with newly published RFC 5054.
1079 *** OpenPGP support aligned with newly published RFC 5081.
1081 *** Support for DSA2 keys.
1083 *** Support for Camellia cipher.
1085 *** Support for Opaque PRF Input extension.
1087 *** PKCS#8 parser now handle DSA keys.
1089 *** Change from GPLv2 to GPLv3 for command-line tools, libgnutls-extra, etc.
1090 Notice that liblzo2 2.02 is licensed under GPLv2 only. Earlier
1091 versions, such as 2.01 which is included with GnuTLS, is available
1092 under GPLv2 or later. If this incompatibility causes problems, we
1093 recommend you to disable LZO using --without-lzo. LZO compression is
1094 not a standard TLS compression algorithm, so the impact should be
1097 *** Functions for disabling record protocol padding.
1098 Works around bugs on Nokia/Ericsson phones.
1100 *** New functions gnutls_priority_set() for setting cipher priorities easily.
1101 Priorities like "COMPAT" also enables other work arounds, such as
1104 *** Other minor improvements and bug fixes.
1106 ** Backwards incompatible API/ABI changes in GnuTLS 2.2
1107 To adapt to changes in the TLS extension specifications for OpenPGP
1108 and SRP, the GnuTLS API had to be modified. This means breaking the
1109 API and ABI backwards compatibility. That is something we try to
1110 avoid unless it is necessary. We decided to also remove the already
1111 deprecated stub functions for X.509 to XML conversion and TLS
1112 authorization (see below) when we had the opportunity.
1114 Generally, most applications does not need to be modified. Just
1115 re-compile them against the latest GnuTLS release, and it should work
1118 Applications that use the OpenPGP or SRP features needs to be
1119 modified. Below is a list of the modified APIs and discussion of what
1120 the minimal things you need to modify in your application to make it
1121 work with GnuTLS 2.2.
1123 Note that GnuTLS 2.2 also introduces new APIs -- such as
1124 gnutls_set_priority() that is superior to
1125 gnutls_set_default_priority() -- that you may want to start using.
1126 However, using those new APIs is not required to use GnuTLS 2.2 since
1127 the old functions continue are still supported. This text only
1128 discuss what you minimally have to modify.
1130 *** XML related changes
1131 The function `gnutls_x509_crt_to_xml' has been removed. It has been
1132 deprecated and only returned an error code since GnuTLS version
1133 1.2.11. Nobody has complained, so users doesn't seem to miss the
1134 functionality. We don't know of any other library to convert X.509
1135 certificates into XML format, but we decided (long ago) that GnuTLS
1136 isn't the right place for this kind of functionality. If you want
1137 help to find some other library to use here, please explain and
1138 discuss your use case on help-gnutls@gnu.org.
1140 *** TLS Authorization related changes
1141 Everything related to TLS authorizations have been removed, they were
1142 only stub functions that returned an error code:
1144 GNUTLS_SUPPLEMENTAL_AUTHZ_DATA
1145 gnutls_authz_data_format_type_t
1146 gnutls_authz_recv_callback_func
1147 gnutls_authz_send_callback_func
1149 gnutls_authz_send_x509_attr_cert
1150 gnutls_authz_send_saml_assertion
1151 gnutls_authz_send_x509_attr_cert_url
1152 gnutls_authz_send_saml_assertion_url
1154 *** SRP related changes
1155 The callback gnutls_srp_client_credentials_function has a new
1156 prototype, and its semantic has changed. You need to rewrite the
1157 callback, see the updated function documentation and SRP example code
1158 (doc/examples/ex-client-srp.c and doc/examples/ex-serv-srp.c) for more
1161 The alert codes GNUTLS_A_MISSING_SRP_USERNAME and
1162 GNUTLS_A_UNKNOWN_SRP_USERNAME are no longer used by the SRP
1163 specification, instead the GNUTLS_A_UNKNOWN_PSK_IDENTITY alert is
1164 used. There are #define's to map the old names to the new. You may
1165 run into problems if you have a switch-case with cases for both SRP
1166 alerts, since they are now mapped to the same value. The solution is
1167 to drop the SRP alerts from such switch cases, as they are now
1168 deprecated in favor of GNUTLS_A_UNKNOWN_PSK_IDENTITY.
1170 *** OpenPGP related changes
1171 The function `gnutls_certificate_set_openpgp_keyserver' have been
1172 removed. There is no replacement functionality inside GnuTLS. If you
1173 need keyserver functionality, consider using the GnuPG tools.
1175 All functions, types, and error codes related to OpenPGP trustdb
1176 format have been removed. The trustdb format is a non-standard
1177 GnuPG-specific format, and we recommend you to use key rings instead.
1178 The following have been removed:
1180 gnutls_certificate_set_openpgp_trustdb
1181 gnutls_openpgp_trustdb_init
1182 gnutls_openpgp_trustdb_deinit
1183 gnutls_openpgp_trustdb_import
1184 gnutls_openpgp_key_verify_trustdb
1185 gnutls_openpgp_trustdb_t
1186 GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED
1188 The following functions has an added parameter of the (new) type
1189 `gnutls_openpgp_crt_fmt_t'. The type specify the format of the data
1190 (binary or base64). The functions are:
1191 gnutls_certificate_set_openpgp_key_file
1192 gnutls_certificate_set_openpgp_key_mem
1193 gnutls_certificate_set_openpgp_keyring_mem
1194 gnutls_certificate_set_openpgp_keyring_file
1196 To improve terminology and align with the X.509 interface, some
1197 functions have been renamed. Compatibility mappings exists. The old
1198 and new names of the affected functions and types are:
1201 gnutls_openpgp_key_t gnutls_openpgp_crt_t
1202 gnutls_openpgp_key_fmt_t gnutls_openpgp_crt_fmt_t
1203 gnutls_openpgp_key_status_t gnutls_openpgp_crt_status_t
1204 GNUTLS_OPENPGP_KEY GNUTLS_OPENPGP_CERT
1205 GNUTLS_OPENPGP_KEY_FINGERPRINT GNUTLS_OPENPGP_CERT_FINGERPRINT
1206 gnutls_openpgp_key_init gnutls_openpgp_crt_init
1207 gnutls_openpgp_key_deinit gnutls_openpgp_crt_deinit
1208 gnutls_openpgp_key_import gnutls_openpgp_crt_import
1209 gnutls_openpgp_key_export gnutls_openpgp_crt_export
1210 gnutls_openpgp_key_get_key_usage gnutls_openpgp_crt_get_key_usage
1211 gnutls_openpgp_key_get_fingerprint gnutls_openpgp_crt_get_fingerprint
1212 gnutls_openpgp_key_get_pk_algorithm gnutls_openpgp_crt_get_pk_algorithm
1213 gnutls_openpgp_key_get_name gnutls_openpgp_crt_get_name
1214 gnutls_openpgp_key_get_version gnutls_openpgp_crt_get_version
1215 gnutls_openpgp_key_get_creation_time gnutls_openpgp_crt_get_creation_time
1216 gnutls_openpgp_key_get_expiration_time gnutls_openpgp_crt_get_expiration_time
1217 gnutls_openpgp_key_get_id gnutls_openpgp_crt_get_id
1218 gnutls_openpgp_key_check_hostname gnutls_openpgp_crt_check_hostname
1219 gnutls_openpgp_send_key gnutls_openpgp_send_cert
1221 ** API and ABI modifications:
1222 No changes since last version.
1224 * Version 2.1.8 (released 2007-12-10)
1226 ** The GPL version has been changed from version 2 to version 3.
1227 This affects the self-tests, command-line tools, the libgnutls-extra
1228 library, the relevant guile parts, and the build environment.
1230 ** Added gnutls_x509_crt_get_subject_alt_name2().
1232 ** Corrected a segfault when setting an empty gnutls_priority_t
1233 at gnutls_priority_set().
1235 ** Use gettext 0.17 which updates m4/lib-*.m4 macros.
1236 Fixes a problem with spurious -L/usr/lib additions.
1238 ** API and ABI modifications:
1239 gnutls_x509_crt_get_subject_alt_name2: ADD.
1241 * Version 2.1.7 (released 2007-11-29)
1243 ** PKCS #8 parser can now encode/decode DSA keys.
1245 ** Updated gnutls_set_default_priority2() now renamed to
1246 gnutls_priority_set() and gnutls_priority_set_direct() which
1247 accept a string to indicate preferences of ciphersuite parameters.
1249 ** gnutls-cli and gnutls-serv now have a --priority option to set
1250 the priority string.
1252 ** The gnutls_*_convert_priority() functions were deprecated by
1253 the gnutls_priority_set() and gnutls_priority_set_direct().
1255 ** Internal copy of OpenCDK upgraded to version 0.6.6.
1257 ** API and ABI modifications:
1258 gnutls_priority_init: ADD.
1259 gnutls_priority_deinit: ADD.
1260 gnutls_priority_set: ADD.
1261 gnutls_priority_set_direct: ADD.
1262 gnutls_set_default_priority2: RENAMED to gnutls_priority_set_direct()
1263 gnutls_mac_convert_priority: REMOVED
1264 gnutls_compression_convert_priority: REMOVED
1265 gnutls_protocol_convert_priority: REMOVED
1266 gnutls_kx_convert_priority: REMOVED
1267 gnutls_cipher_convert_priority: REMOVED
1268 gnutls_certificate_type_convert_priority: REMOVED
1269 gnutls_set_default_priority: UNDEPRECATED
1270 gnutls_set_default_priority_export: UNDEPRECATED
1272 ** Undocumented API and ABI modifications earlier in the 2.1.x series:
1273 GNUTLS_CIPHER_UNKNOWN: ADD.
1274 GNUTLS_CIPHER_CAMELLIA_128_CBC: ADD.
1275 GNUTLS_CIPHER_CAMELLIA_256_CBC: ADD.
1276 GNUTLS_KX_UNKNOWN: ADD.
1277 GNUTLS_COMP_UNKNOWN: ADD.
1278 GNUTLS_CRT_UNKNOWN: ADD.
1279 gnutls_mac_get_id: ADD.
1280 gnutls_compression_get_id: ADD.
1281 gnutls_cipher_get_id: ADD.
1282 gnutls_kx_get_id: ADD.
1283 gnutls_protocol_get_id: ADD.
1284 gnutls_certificate_type_get_id: ADD.
1285 gnutls_handshake_post_client_hello_func: ADD.
1286 gnutls_certificate_send_x509_rdn_sequence: ADD prototype to gnutls.h.in.
1288 * Version 2.1.6 (released 2007-11-15)
1290 ** Corrected bug in decompression of expanded compression data.
1292 ** Added the --to-p8 option to certtool to convert private keys
1295 ** Introduced the GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR error code.
1297 ** gnutls_certificate_set_x509_key_* can now read PKCS #8 unencrypted
1300 ** Fixed GNUTLS_E_UNKNOWN_ALGORITHM vs GNUTLS_E_UNKNOWN_HASH_ALGORITHM.
1301 During the 2.1.x series the GNUTLS_E_UNKNOWN_HASH_ALGORITHM error code
1302 was renamed to GNUTLS_E_UNKNOWN_ALGORITHM, unfortunately without being
1303 documented. This caused some problems (e.g., debian #450854). To
1304 avoid backwards compatibility problems, this release revert this
1305 change, so that GNUTLS_E_UNKNOWN_HASH_ALGORITHM works just like it has
1306 done in GnuTLS 2.0.x and earlier, and add a new error code
1307 GNUTLS_E_UNKNOWN_ALGORITHM.
1309 ** Fixes several gtk-doc warnings.
1311 ** API and ABI modifications:
1312 GNUTLS_E_UNKNOWN_ALGORITHM: CHANGED.
1313 GNUTLS_E_UNKNOWN_HASH_ALGORITHM: CHANGED.
1314 GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR: ADD.
1316 * Version 2.1.5 (released 2007-11-01)
1318 ** Fix PKCS#3 parameter export problem.
1320 ** Improve certtool queries, they now print the default value.
1324 ** Update gnulib files.
1326 ** API and ABI modifications:
1327 No changes since last version.
1329 * Version 2.1.4 (released 2007-10-27)
1331 ** Added the --v1 option to certtool, to allow generating X.509
1332 version 1 certificates.
1334 ** certtool: Add option --disable-quick-random to enable the old behaviour
1335 of using /dev/random to generate keys.
1337 ** Added priority functions that accept strings.
1339 ** Added gnutls_set_default_priority2() which accepts a flag to indicate
1340 priorities preferences.
1342 ** Added gnutls_record_disable_padding() to allow servers talking to
1343 buggy clients that complain if the TLS 1.0 record protocol padding is
1346 ** Introduced gnutls_session_enable_compatibility_mode() to allow enabling
1347 all supported compatibility options (like disabling padding).
1349 ** The gnutls_certificate_set_openpgp_* functions were modified to include
1350 the format. This makes the interface consistent with the x509 functions.
1352 ** Internal copy of OpenCDK upgraded to version 0.6.5.
1354 ** Update gnulib files.
1356 ** API and ABI modifications:
1357 gnutls_certificate_set_openpgp_key_mem: MODIFIED
1358 gnutls_certificate_set_openpgp_key_file: MODIFIED
1359 gnutls_certificate_set_openpgp_keyring_mem: MODIFIED
1360 gnutls_certificate_set_openpgp_keyring_file: MODIFIED
1361 gnutls_set_default_priority: DEPRECATED
1362 gnutls_set_default_priority_export: DEPRECATED
1363 gnutls_set_default_priority2: ADDED
1364 gnutls_session_enable_compatibility_mode: ADDED
1365 gnutls_record_disable_padding: ADDED
1366 gnutls_mac_convert_priority: ADDED
1367 gnutls_compression_convert_priority: ADDED
1368 gnutls_protocol_convert_priority: ADDED
1369 gnutls_kx_convert_priority: ADDED
1370 gnutls_cipher_convert_priority: ADDED
1371 gnutls_certificate_type_convert_priority: ADDED
1372 gnutls_openpgp_key_t: RENAMED to gnutls_openpgp_crt_t
1373 gnutls_openpgp_key_status_t: RENAMED to gnutls_openpgp_crt_status_t
1374 gnutls_openpgp_send_key: RENAMED to gnutls_openpgp_send_cert
1375 gnutls_openpgp_key_init: RENAMED to gnutls_openpgp_crt_init
1376 gnutls_openpgp_key_import: RENAMED to gnutls_openpgp_crt_import
1377 gnutls_openpgp_key_export: RENAMED to gnutls_openpgp_crt_export
1378 gnutls_openpgp_key_check_hostname: RENAMED to gnutls_openpgp_crt_check_hostname
1379 gnutls_openpgp_key_get_creation_time: RENAMED to gnutls_openpgp_crt_get_creation_time
1380 gnutls_openpgp_key_get_expiration_time: RENAMED to gnutls_openpgp_crt_get_expiration_time
1381 gnutls_openpgp_key_get_fingerprint: RENAMED to gnutls_openpgp_crt_get_fingerprint
1382 gnutls_openpgp_key_get_version: RENAMED to gnutls_openpgp_crt_get_version
1383 gnutls_openpgp_key_get_pk_algorithm: RENAMED to gnutls_openpgp_crt_get_pk_algorithm
1384 gnutls_openpgp_key_get_name: RENAMED to gnutls_openpgp_crt_get_name
1385 gnutls_openpgp_key_deinit: RENAMED to gnutls_openpgp_crt_deinit
1386 gnutls_openpgp_key_get_id: RENAMED to gnutls_openpgp_crt_get_id
1387 gnutls_openpgp_key_get_key_usage: RENAMED to gnutls_openpgp_crt_get_key_usage
1388 gnutls_openpgp_key_verify_ring: RENAMED to gnutls_openpgp_crt_verify_ring
1389 gnutls_openpgp_key_verify_self: RENAMED to gnutls_openpgp_crt_verify_self
1391 * Version 2.1.3 (released 2007-10-17)
1393 ** TLS authorization support removed.
1394 This technique may be patented in the future, and it is not of crucial
1395 importance for the Internet community. After deliberation we have
1396 concluded that the best thing we can do in this situation is to
1397 encourage society not to adopt this technique. We have decided to
1398 lead the way with our own actions.
1400 ** Re-enabled the 256 bit ciphers in the default priorities.
1402 ** Corrected bugs in openpgp key verification using a keyring (both in
1405 ** API and ABI modifications:
1406 gnutls_certificate_set_openpgp_keyserver: REMOVED
1407 gnutls_authz_data_format_type_t,
1408 gnutls_authz_recv_callback_func,
1409 gnutls_authz_send_callback_func,
1410 gnutls_authz_enable,
1411 gnutls_authz_send_x509_attr_cert,
1412 gnutls_authz_send_saml_assertion,
1413 gnutls_authz_send_x509_attr_cert_url,
1414 gnutls_authz_send_saml_assertion_url: REMOVED.
1415 GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA: ADDED. To avoid that the
1416 gnutls_supplemental_data_format_type_t enum type becomes empty.
1418 * Version 2.1.2 (released 2007-10-14)
1420 ** Removed all the trustdb code from openpgp authentication.
1421 We now use only the well-specified keyrings.
1423 ** The 256 bit ciphers are not enabled in the default priorities.
1425 ** Added support for DSA2 using libgcrypt 1.3.0.
1427 ** certtool: Fixed data corruption when using --outder.
1429 ** Removed all the xml related stubs and functions.
1431 ** Added capability to set a callback after the client hello is received
1432 by the server in order to adjust parameters before the handshake.
1434 ** SRP was corrected to adhere to the latest draft (published soon as RFC)
1436 ** Corrected bug which did not allow a server to run without supporting
1439 ** Updated the DN parser which now prints wrongly decoded values as hex
1442 ** certtool: Add option --quick-random.
1443 For generating low security test credentials.
1445 ** API and ABI modifications:
1446 gnutls_x509_crt_to_xml: REMOVED
1447 gnutls_openpgp_key_to_xml: REMOVED
1448 gnutls_openpgp_key_verify_trustdb: REMOVED
1449 gnutls_openpgp_trustdb_init: REMOVED
1450 gnutls_openpgp_trustdb_deinit: REMOVED
1451 gnutls_openpgp_trustdb_import: REMOVED
1452 gnutls_certificate_set_openpgp_trustdb: REMOVED
1453 gnutls_srp_client_credentials_function: CHANGED
1454 gnutls_handshake_set_post_client_hello_function: ADDED
1455 gnutls_mac_get_key_size: ADDED
1456 GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED: DEPRECATED.
1457 GNUTLS_A_MISSING_SRP_USERNAME: DEPRECATED
1458 GNUTLS_A_UNKNOWN_SRP_USERNAME: DEPRECATED
1460 * Version 2.1.1 (released 2007-09-24)
1462 ** Added support for Camellia cipher, thanks to Yoshisato YANAGISAWA.
1463 Camellia is only enabled in GnuTLS if the installed libgcrypt has been
1464 compiled with Camellia support. See the libgcrypt documentation on
1465 how to enable it. Unconditionally disable it using the configure
1466 option --disable-camellia. Fixes #1.
1468 ** Properly document in the NEWS file the API change in the last release.
1470 ** API and ABI modifications:
1471 No changes since last version.
1473 * Version 2.1.0 (released 2007-09-20)
1475 ** Support for draft-rescorla-tls-opaque-prf-input-00.txt.
1476 The support is disabled by default. Since no value has been allocated
1477 by the IANA for this extension yet, you will need to provide one
1478 yourself by invoking './configure --enable-opaque-prf-input=42'.
1481 ** Example code: Fix compilation flaw under MinGW.
1483 ** API and ABI modifications:
1484 gnutls_oprfi_callback_func: ADD, new typedef function prototype.
1485 gnutls_oprfi_enable_client: ADD, new function.
1486 gnutls_oprfi_enable_server: ADD, new function.
1488 * Version 2.0.4 (released 2007-11-16)
1490 ** Corrected bug in decompression of expanded compression data.
1492 ** API and ABI modifications:
1493 No changes since last version.
1495 * Version 2.0.3 (released 2007-11-10)
1497 ** This version backports several fixes from the 2.1.x branch.
1499 ** Fixed PKCS #3 parameter export.
1501 ** Added gnutls_record_disable_padding() to allow servers talking to
1502 buggy clients that complain if the TLS 1.0 record protocol padding is
1505 ** Introduced gnutls_session_enable_compatibility_mode() to allow enabling
1506 all supported compatibility options (like disabling padding).
1508 ** Corrected bug which did not allow a server to run without supporting
1511 ** API and ABI modifications:
1512 gnutls_session_enable_compatibility_mode: ADDED
1513 gnutls_record_disable_padding: ADDED
1515 * Version 2.0.2 (released 2007-10-17)
1517 ** TLS authorization support removed.
1518 This technique may be patented in the future, and it is not of crucial
1519 importance for the Internet community. After deliberation we have
1520 concluded that the best thing we can do in this situation is to
1521 encourage society not to adopt this technique. We have decided to
1522 lead the way with our own actions.
1524 ** certtool: Fixed data corruption when using --outder.
1526 ** Fix configure-time Guile detection.
1528 ** API and ABI modifications:
1529 GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA: ADDED. To avoid that the
1530 gnutls_supplemental_data_format_type_t enum type becomes empty.
1532 * Version 2.0.1 (released 2007-09-20)
1534 ** New directory doc/credentials/ with test credentials.
1535 This collects the test credentials from the web page and from src/.
1536 The script gnutls-http-serv has also been moved to that directory.
1538 ** Update SRP extension type and cipher suite with official IANA values.
1539 This breaks backwards compatibility with SRP in older versions of
1540 GnuTLS, but this is intentional to speed up the adoption of the
1541 official values. The old values we used were incorrect.
1543 ** Guile: Fix `x509-certificate-dn-oid'
1545 ** API and ABI modifications:
1546 No changes since last version.
1548 * Version 2.0.0 (released 2007-09-04)
1550 ** Included copy of Libtasn1 upgraded to version 1.1.
1552 ** Disable building of some examples if anonymous ciphers are disabled.
1554 ** Don't build examples for disabled features.
1556 ** API and ABI modifications:
1557 No changes since last version.
1559 * Version 1.7.19 (released 2007-08-27)
1561 ** Fix gnutls_error_is_fatal so that positive "errors" are non-critical.
1562 This solves connection problems in mutt, see
1563 <http://bugs.debian.org/439640>.
1565 ** Update gnulib files.
1566 In particular, the getpass module -- with its dependencies on getline,
1567 getdelim, fseeko etc -- where moved from the lgl/ (used by the core
1568 library) directory to the gl/ directory (only used by the command line
1569 tools). The reason is that getpass is now only used by the
1570 command-line tools, and reducing the number of gnulib modules linked
1571 to the core library helps portability and reduces size.
1575 ** Disable building of PGP examples if PGP is disabled.
1577 ** Included copy of OpenCDK upgraded to version 0.6.4.
1579 ** API and ABI modifications:
1580 No changes since last version.
1582 * Version 1.7.18 (released 2007-08-16)
1584 ** Install images for the info manual.
1585 This has a side effect of renaming the images. See
1586 <http://thread.gmane.org/gmane.comp.tex.texinfo.bugs/3533> for
1587 discussions on the approach chosen.
1589 ** Fix pointer mix to variables of different size.
1590 Patch extracted from
1591 <http://cvs.fedora.redhat.com/viewcvs/devel/gnutls/gnutls-1.6.3-incompat-pointers.patch?rev=1.1&view=auto>.
1593 ** Fix warnings during build.
1594 Thanks to Andreas Metzler <ametzler@downhill.at.eu.org>.
1596 ** API and ABI modifications:
1597 No changes since last version.
1599 * Version 1.7.17 (released 2007-08-15)
1601 ** New functions to perform external signing.
1602 Set the signing callback function (of the gnutls_sign_func prototype)
1603 using the gnutls_sign_callback_set function. In the callback, you may
1604 find the new functions gnutls_x509_privkey_sign_hash and
1605 gnutls_openpgp_privkey_sign_hash useful. A new function
1606 gnutls_sign_callback_get is also added, to retrieve the function
1607 pointer. Thanks to "Alon Bar-Lev" <alon.barlev@gmail.com> for
1608 comments and testing.
1610 ** New self test of client and server authenticated X.509 TLS sessions.
1611 See tests/x509self.c and tests/x509signself.c. The latter also tests
1612 the new external signing callback interface.
1614 ** New errors GNUTLS_E_APPLICATION_ERROR_MIN..GNUTLS_E_APPLICATION_ERROR_MAX.
1615 These two actually describe the outer limits of a range of error codes
1616 reserved to the application. All of the errors are treated as fatal
1617 by the library (it has to since it doesn't know the semantics of the
1618 error codes). This can be useful in callbacks, to signal some
1619 application-specific error condition, which will usually eventually
1620 cause some gnutls API to return the same error code as the callback,
1621 which then can be inspected by the application. Note that error codes
1624 ** gnutls_set_default_priority now disable TLS 1.2 by default.
1625 The RFC is not released yet, and we're approaching a major release so
1626 let's not enable it just yet.
1628 ** Fix namespace so that gnutls_*_t is used consistently.
1629 Before, many places in the GnuTLS code used the old deprecated type
1630 names without the '_t' suffix.
1632 ** Build fixes for Guile code.
1633 Patch from Ludovic Courtes <ludovic.courtes@laas.fr>.
1635 ** More documentation fixes.
1636 In particular, the section headings were modified for casing. By
1637 Ludovic Courtes <ludovic.courtes@laas.fr>.
1639 ** Updated Polish and Swedish translations.
1640 Thanks to Jakub Bogusz <qboosh@pld-linux.org> and Daniel Nylander
1641 <po@danielnylander.se>.
1643 ** API and ABI modifications:
1644 gnutls_sign_func: ADD, new type for sign callback.
1645 gnutls_sign_callback_set: ADD, new function to set sign callback.
1646 gnutls_sign_callback_get: ADD, new function to retrieve sign callback.
1647 gnutls_x509_privkey_sign_hash,
1648 gnutls_openpgp_privkey_sign_hash: ADD, new functions useful in sign callback.
1649 GNUTLS_E_APPLICATION_ERROR_MIN,
1650 GNUTLS_E_APPLICATION_ERROR_MAX: ADD, new CPP #defines for error codes.
1652 * Version 1.7.16 (released 2007-08-07)
1654 ** Fix sanity checks and return values in certificate selection.
1655 In some cases, GnuTLS omitted to report suitable error codes when no
1656 suitable certificate was found.
1658 ** Fix gnutls-cli starttls EOF on Mac OS X.
1659 Thanks to Hal Eden <n.mavrogiannopoulos@gmail.com>.
1661 ** Documentation fixes.
1662 In particular, the section headings were modified for casing. By
1663 Ludovic Courtes <ludovic.courtes@laas.fr>.
1665 ** Update gnulib files.
1667 ** API and ABI modifications:
1668 No changes since last version.
1670 * Version 1.7.15 (released 2007-07-02)
1672 ** Fix self-tests key-id under mingw32.
1674 ** Test that the Guile header files are recent enough to work.
1675 Before we just tested that the command line tool 'guile' was recent
1676 enough, which may not be sufficient if you still have an old
1677 libguile.h header installed.
1679 ** Guile bindings are now installed under $prefix by default.
1680 Use --without-guile-site-dir to install it under $pkgdatadir/site/
1681 where $pkgdatadir is as returned by "guile-config info pkgdatadir".
1682 Use --with-guile-site-dir=/your/own/path to specify the path manually.
1683 The default, --with-guile-site-dir, will install the Guile bindings
1684 under $datadir/guile/site. There is a new section 'Guile
1685 Preparations' in the manual that discuss these issues.
1687 ** Fix run-time library path ordering in linking the Guile bindings.
1689 ** Improved manual on downloading, installing, getting help, bug reports etc.
1690 Suggested by Ludovic Courtès <ludovic.courtes@laas.fr>.
1692 ** Add Malay message translations.
1693 Thanks to Sharuzzaman Ahmat Raslan <sharuzzaman@myrealbox.com>.
1695 ** API and ABI modifications:
1696 No changes since last version.
1698 * Version 1.7.14 (released 2007-06-26)
1700 ** Don't enable Guile bindings unless we have Guile 1.8 or later.
1701 Patch from Ludovic Courtès <ludovic.courtes@laas.fr>.
1703 ** Fix memory leak during DSA signature verification.
1704 Patch from Ludovic Courtès <ludovic.courtes@laas.fr>.
1706 ** Fix crash in gnutls-cli when TLS handshake fails.
1707 Reported by Marc Haber <mh+debian-bugs@zugschlus.de> and Andreas
1708 Metzler <ametzler@downhill.at.eu.org> via Debian BTS #429183, see
1709 <http://bugs.debian.org/429183>.
1711 ** Minor OpenPGP fixes in stream_to_datum.
1712 Patch from Timo Schulz <twoaday@freakmail.de> and Ludovic Courtès
1713 <ludovic.courtes@laas.fr>.
1715 ** Fix off-by-one in TLS 1.2 handshake.
1716 Patch from Ludovic Courtès <ludovic.courtes@laas.fr>.
1718 ** Minor Guile binding self-test cleanup.
1719 Patch from Ludovic Courtès <ludovic.courtes@laas.fr>.
1721 ** Update gnulib files.
1723 ** API and ABI modifications:
1724 No changes since last version.
1726 * Version 1.7.13 (released 2007-06-11)
1728 ** OpenCDK copy updated to version 0.6.3.
1730 ** Build fixes for GnuTLS Guile bindings.
1731 Patch from Ludovic Courtès <ludovic.courtes@laas.fr>.
1733 ** Build fix for GTK-DOC manual.
1735 ** Update gnulib files.
1737 ** API and ABI modifications:
1738 No changes since last version.
1740 * Version 1.7.12 (released 2007-06-08)
1742 ** Guile bindings for GnuTLS have been included.
1743 Contributed by Ludovic Courtès <ludovic.courtes@laas.fr>. There is a
1744 new chapter 'Guile Bindings' in the manual.
1746 ** Have PKCS8 parser return better error codes.
1747 Reported by Nate Nielsen <nielsen-list@memberwebs.com>, see
1748 <http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001653.html> and
1749 <http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001654.html>.
1751 ** Fix mem leak for sessions with client authentication via certificates.
1752 Reported by Andrew W. Nosenko <andrew.w.nosenko@gmail.com>, see
1753 <http://lists.gnupg.org/pipermail/gnutls-dev/2007-April/001539.html>.
1756 Reported by Dennis Vshivkov <walrus@amur.ru>, see
1757 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=333050>. Added
1758 self-test tests/parse_ca.c to test regressions.
1760 ** Fix build failures related to missing images in manual.
1761 Reported by Andreas Metzler <ametzler@downhill.at.eu.org>.
1763 ** Update gnulib files.
1765 ** API and ABI modifications:
1766 No changes since last version.
1768 * Version 1.7.11 (released 2007-05-26)
1770 ** Include opencdk.h in the release.
1771 Reported by Roman Bogorodskiy <novel@FreeBSD.org>.
1773 ** API and ABI modifications:
1774 No changes since last version.
1776 * Version 1.7.10 (released 2007-05-25)
1778 ** New API functions to extract DER encoded X.509 Subject/Issuer DN.
1779 Suggested by Nate Nielsen <nielsen-list@memberwebs.com>.
1781 ** Update of gnulib files.
1783 ** GnuTLS is now developed in GIT instead of CVS.
1784 See <http://repo.or.cz/w/gnutls.git> for a public repository.
1786 ** API and ABI modifications:
1787 gnutls_x509_crt_get_raw_issuer_dn: ADD.
1788 gnutls_x509_crt_get_raw_dn: ADD.
1790 * Version 1.7.9 (released 2007-05-12)
1792 ** X.509 certificates are preferred over OpenPGP keys.
1793 This is a change in the semantics of gnutls_set_default_priority.
1795 ** The included copy of OpenCDK has been updated to 0.6.1.
1796 There has been some API changes in OpenCDK, and the GnuTLS layer have
1797 been modified as well. Note that while there are API/ABI incompatible
1798 changes in OpenCDK, this does not influence GnuTLS's API/ABI because
1799 its API/ABI have not changed. From this version on, GnuTLS requires
1800 OpenCDK 0.6.0 or later.
1802 ** Fix build failure caused by missing doc/gnutls-logo.pdf.
1804 ** Change certtool's default serial number from 0 to a time-based value.
1806 ** Fix X.509 signing with RSA-PKCS#1 to set a NULL parameters fields.
1807 Before, we remove the parameters field, which resulted in a slightly
1808 different DER encoding which in turn caused signature verification
1809 failures of GnuTLS-generated RSA certificates in some other
1810 implementations (e.g., GnuPG 2.x's gpgsm). Depending on which RFCs
1811 you read, this may or may not be correct, but our new behaviour appear
1812 to be consistent with other widely used implementations.
1814 ** Fix mem leaks in gnutls_x509_crt_print.
1816 ** API and ABI modifications:
1817 No changes since last version.
1819 * Version 1.7.8 (released 2007-04-16)
1821 ** Added examples for the authorization extension.
1822 See doc/examples/ex-client-authz.c and doc/examples/ex-serv-authz.c.
1824 ** The examples only use gnutls_set_default_priority().
1825 The exception is when DH_ANON is needed.
1827 ** Improve gnutls_set_default_priority() priorities.
1828 The new approach is for it to try and negotiate all secure and
1829 standard mechanisms available. Currently, DH_ANON ciphersuites and
1830 LZO compressions are not enabled by default, because they are,
1831 respectively, insecure and non-standardized. Note that TLS 1.2 will
1832 not be enabled by default in non-experimental release until it has
1833 been approved by the IETF.
1835 ** gnutls-cli and gnutls-serv now uses the library's default priorities.
1836 This means that to get DH_ANON and LZO compression, you'll need to
1837 specify that manually using '--kx anon' or '--comp lzo'.
1839 ** Minor fixes to the human display format of X.509 certificates.
1841 ** New APIs to extract Distinguished Name's from X.509 certificates.
1842 Based on patch from Howard Chu <hyc@symas.com>.
1844 ** Improved library searching for opencdk.
1845 It will now add the appropriate -R or -Wl,-rpath flags as necessary.
1846 The deprecated opencdk.m4 is no longer used.
1848 ** New APIs to list supported algorithms in the library.
1849 The APIs are gnutls_cipher_list, gnutls_mac_list,
1850 gnutls_compression_list, gnutls_protocol_list,
1851 gnutls_certificate_type_list, gnutls_kx_list, and
1852 gnutls_cipher_suite_info. Suggested by Howard Chu <hyc@symas.com>.
1854 ** The gnutls_x509_crt_get_key_id API now handle non-RSA/DSA keys.
1856 ** New configure option --disable-tls-authorization to disable tls-authz.
1858 ** Fix prototype for `gnutls_psk_set_client_credentials'.
1859 The last parameter was renamed from 'flags' to 'format' and the type
1860 changed from 'unsigned int' to 'gnutls_psk_key_flags' (an enum type),
1861 which shouldn't cause any ABI changes. Reported by ludo@chbouib.org
1864 ** Fix allocation in gnutls_certificate_set_openpgp_key.
1865 Tiny patch from ludo@chbouib.org (Ludovic Courtès).
1867 ** API and ABI modifications:
1868 gnutls_x509_dn_t: ADD.
1869 gnutls_x509_ava_st: ADD.
1870 gnutls_x509_crt_get_subject,
1871 gnutls_x509_crt_get_issuer: ADD.
1872 gnutls_x509_dn_get_rdn_ava: ADD.
1873 gnutls_cipher_list: ADD.
1874 gnutls_mac_list: ADD.
1875 gnutls_compression_list: ADD.
1876 gnutls_protocol_list: ADD.
1877 gnutls_certificate_type_list: ADD.
1878 gnutls_kx_list: ADD.
1879 gnutls_cipher_suite_info: ADD.
1881 * Version 1.7.7 (released 2007-02-22)
1883 ** Support for supplemental handshake messages and authorization data.
1884 Supplemental data is described in RFC 4680 and the authorization
1885 extensions in draft-housley-tls-authz-extns-07.
1887 ** Support for authorization data in gnutls-cli and gnutls-serv.
1888 New parameters --authz-x509-attr-cert and --authz-saml-assertion.
1890 ** Fix for gnutls_x509_crt_check_hostname.
1891 Before it would have reported that the certificate matched a hostname
1892 when it did not have any dNSName or any CN field. Report and tiny
1893 patch from "Richard W.M. Jones" <rjones@redhat.com>.
1895 ** New self test for RFC 2818 comparison in gnutls_x509_crt_check_hostname.
1896 Tests regressions of the bug, and several other features.
1898 ** GnuTLS now matches URI's with IP Addresses against iPAddress SAN's.
1899 Before there were no support for iPAddress SAN's during comparison.
1901 ** New API to print information about CRL's.
1902 The function is gnutls_x509_crl_print.
1904 ** New API to extract signature value from CRL's.
1905 The function is gnutls_x509_crl_get_signature.
1907 ** Support for directoryName Subject Alternative Name's.
1908 The gnutls_x509_crt_get_subject_alt_name function returns the DN as a
1909 string in the provided buffer.
1911 ** Internal improvements to certtool.
1912 It uses gnutls_x509_crl_print to print CRL information. It uses some
1913 more gnulib modules to simplify error handling.
1915 ** API and ABI modifications:
1916 GNUTLS_HANDSHAKE_SUPPLEMENTAL: ADD, new gnutls_handshake_description_t element.
1917 gnutls_supplemental_data_format_type_t: ADD.
1918 gnutls_authz_data_format_type_t: ADD.
1919 gnutls_supplemental_get_name: ADD.
1920 gnutls_authz_recv_callback_func,
1921 gnutls_authz_send_callback_func: ADD, callback prototypes.
1922 gnutls_authz_enable: ADD.
1923 gnutls_authz_send_x509_attr_cert,
1924 gnutls_authz_send_saml_assertion,
1925 gnutls_authz_send_x509_attr_cert_url,
1926 gnutls_authz_send_saml_assertion_url: ADD.
1927 GNUTLS_SAN_DN: ADD, new gnutls_x509_subject_alt_name_t element.
1928 gnutls_x509_crl_print: ADD.
1929 gnutls_x509_crl_get_signature: ADD.
1931 * Version 1.7.6 (released 2007-02-12)
1933 ** Support for 'otherName' Subject Alternative Names.
1934 The existing API gnutls_x509_crt_get_subject_alt_name may now return
1935 the new type GNUTLS_SAN_OTHERNAME together with the otherName value.
1936 To find out the otherName OID (necessary for proper parsing of the
1937 value), use the new API gnutls_x509_crt_get_subject_alt_othername_oid.
1938 For known OIDs, gnutls_x509_crt_get_subject_alt_othername_oid will
1939 return "virtual" SAN values, e.g., GNUTLS_SAN_OTHERNAME_XMPP to
1940 simplify OID matching. Suggested by Matthias Wimmer <m@tthias.eu>.
1942 ** Certtool can print otherName SAN values for certificates.
1943 For known otherName OIDs (currently only id-on-xmppAddr as defined by
1944 RFC 3920), it will also print the name.
1946 ** Fix TLS 1.2 RSA signing in servers.
1947 Before it used the old-style MD5+SHA1 signature, but the TLS
1948 signatures should be normal PKCS#1 signatures. FYI, we use and
1949 require that DigestInfo parameters are present and NULL for TLS 1.2.
1951 ** Add APIs to access X.509 extensions sequentially.
1952 The existing APIs gnutls_x509_crt_get_extension_oid() and
1953 gnutls_x509_crt_get_extension_by_oid() does not permit callers to
1954 inspect the extensions in the order defined by the certificate.
1956 ** Add API to extract signature value from X.509 certificates.
1957 The function is gnutls_x509_crt_get_signature.
1959 ** Fix crash when generating proxy certificates in batch mode.
1960 If you don't specify a proxy policy in batch mode, it will use
1963 ** Add API to print information about X.509 certificates.
1964 The function is gnutls_x509_crt_print.
1966 ** Certtool uses the new API gnutls_x509_crt_print to print certificate info.
1967 One consequence of this is that the output syntax has changed
1968 slightly. Some more fields are printed.
1972 ** API and ABI modifications:
1973 gnutls_x509_crt_print: ADD
1974 gnutls_certificate_print_formats_t: ADD, new enum.
1975 gnutls_x509_crt_get_signature: ADD.
1976 gnutls_x509_crt_get_extension_data: ADD.
1977 gnutls_x509_crt_get_extension_info: ADD.
1978 gnutls_x509_crt_get_subject_alt_othername_oid: ADD.
1979 GNUTLS_SAN_OTHERNAME: ADD, new gnutls_x509_subject_alt_name_t element.
1980 GNUTLS_SAN_OTHERNAME_XMPP: ADD, new gnutls_x509_subject_alt_name_t element.
1982 * Version 1.7.5 (released 2007-02-06)
1984 ** Servers won't negotiate SRP RSA/DSS cipher suites if no SRP credential
1987 ** Default behaviour for the gnutls-cli and gnutls-serv tools improved.
1989 ** Fix --list output for gnutls-cli and gnutls-serv.
1990 Mention TLS1.2, SHA512 etc.
1992 ** Manual contains new section on setting up a test HTTP server.
1993 A server set up following those descriptions are available online via
1994 <http://www.gnutls.org/server.html>.
1996 ** Update of gnulib files.
1998 ** API and ABI modifications:
1999 No changes since last version.
2001 * Version 1.7.4 (released 2007-02-05)
2003 ** Support for RSA signing using SHA-256/384/512.
2004 A new self test "sha2" tries to build a long X.509 certificate chain
2005 testing all new hashes.
2007 ** The gnutls-serv tool now use static DH parameters if none are supplied.
2009 ** Discuss proxy certificates in the manual.
2011 ** Improve bibliographical citations in the manual.
2013 ** Update of gnulib files.
2015 ** Fix certtool template handling of pathLenConstraints.
2016 It now defaults to -1 instead of 0, which causes the field to be
2017 missing unless the template specify it.
2019 ** API and ABI modifications:
2022 GNUTLS_MAC_SHA512: New gnutls_mac_algorithm_t values.
2025 GNUTLS_DIG_SHA512: New gnutls_digest_algorithm_t values.
2026 GNUTLS_SIGN_RSA_SHA256,
2027 GNUTLS_SIGN_RSA_SHA384,
2028 GNUTLS_SIGN_RSA_SHA512: New gnutls_sign_algorithm_t values.
2030 * Version 1.7.3 (released 2007-02-01)
2032 ** New option to certtool: --generate-proxy.
2033 This will generate a Proxy Certificate from an end entity certificate.
2034 Proxy Certificates are documented in RFC 3820. You will need to
2035 specify the proxy certificate's private key with --load-privkey, the
2036 user certificate with --load-certificate and the private key used to
2037 sign the new proxy certificate with --load-ca-privkey. Certtool will
2038 query for proxy path length and the policy language OID. Currently
2039 only OIDs that have an empty policy are supported (which includes the
2040 two OIDs defined by RFC 3820).
2042 ** Certtool --certificate-info now prints information for Proxy Certificates.
2043 Before the proxy extension was just printed as DER encoded data.
2045 ** New APIs to set proxy subject names and get/set proxy cert extension.
2047 ** Fix parsing of pathLenConstraints in BasicConstraints with missing cA.
2049 ** Added self-test to test for regressions of pathLenConstraint bug.
2050 Incidentally, this also test (some) other regressions or changes in
2051 the output from certtool --certificate-info.
2053 ** When certtool generates CA certificates, pressing enter on the path
2054 ** length constraint query will now remove the field.
2055 Before it set the path length constraint to 0, which is a rather poor
2058 ** Certtool now print times in UTC when printing certificate/CRL info.
2060 ** Add better fix to work around C++ compiler bug on Mac OS X.
2061 Reported and tiny patch provided by Matthias Scheler <tron@NetBSD.org>.
2063 ** Fix import of ASCII armored OpenPGP keys.
2064 Patch by ludovic.courtes@laas.fr (Ludovic Courtès).
2066 ** Update of gnulib files.
2068 ** API and ABI modifications:
2069 gnutls_x509_crt_set_proxy_dn: ADD.
2070 gnutls_x509_crt_set_proxy: ADD.
2071 gnutls_x509_crt_get_proxy: ADD.
2073 * Version 1.7.2 (released 2007-01-14)
2075 ** Certtool now print the value of the pathLenConstraints field for certs.
2077 ** Certtool now query for path length constraints when generating CA certs.
2078 For batch uses, the certtool configuration name is "path_len".
2079 Suggested by Sascha Ziemann <sascha.ziemann@secunet.com>.
2081 ** Add new API to get/set pathLenConstraint in the Basic Constraints.
2082 The new functions gnutls_x509_crt_get_basic_constraints and
2083 gnutls_x509_crt_set_basic_constraints provide a superset of the
2084 functionality in the old gnutls_x509_crt_get_ca_status and
2085 gnutls_x509_crt_set_ca_status (respectively), but the old functions
2086 will continue to be supported.
2088 ** Add new API in OpenCDK to extract public/secret OpenPGP key to S-expr.
2089 The functions are cdk_pubkey_to_sexp and cdk_seckey_to_sexp. A proper
2090 OpenCDK release with this patch will be made soon, which should bump
2091 the OpenCDK version number. Patch by Mario Lenz <mario.lenz@gmx.net>.
2093 ** Certtool --to-p12 can now store more than one certificate in the blob.
2094 Before it could only store one certificate, but now it will read and
2095 store as many certificate there are from the --load-certificate file.
2096 Suggested by Sascha Ziemann <sascha.ziemann@secunet.com>.
2098 ** Clean up separation of gnutls and gnutls-extra for OpenPGP.
2099 In particular, the OpenPGP function variables are no longer part of
2100 the exported libgnutls interface, and no header files from
2101 libgnutls-extra (GPL) are needed by libgnutls (LGPL). The variables
2102 were never intended for non-internal purposes, and thus this does not
2103 imply a change in the external API/ABI.
2105 ** Print URL to gaa when missing, and fix srcdir!=builddir for GAA files.
2106 Reported by ludovic.courtes@laas.fr (Ludovic Courtès).
2108 ** GnuTLS no longer uses -mms-bitfields --enable-runtime-pseudo-reloc.
2109 Before these parameters were set to make GnuTLS build under mingw32,
2110 however, they appear to no longer be necessary.
2112 ** A minor fix to the C++ library to make it build.
2113 Reported by Pavlov Konstantin <thresh@altlinux.ru>.
2115 ** Update of gnulib files.
2117 ** API and ABI modifications:
2118 gnutls_x509_crt_get_basic_constraints: ADD.
2119 gnutls_x509_crt_set_basic_constraints: ADD.
2120 cdk_pubkey_to_sexp: ADD (in opencdk).
2121 cdk_seckey_to_sexp: ADD (in opencdk).
2123 * Version 1.7.1 (released 2006-12-28)
2125 ** TLS 1.2 server side fix.
2126 The Certificate Request sent did not contain the list of supported
2127 hashes field, thus violating the protocol. It will now contain an
2128 empty list. Reported by ludovic.courtes@laas.fr (Ludovic Courtès).
2130 ** TLS 1.2 DSA signature verification fix.
2131 Reported by ludovic.courtes@laas.fr (Ludovic Courtès).
2133 ** Fix the list of trusted CAs that server's send to clients.
2134 Before, the list contained issuer DN's instead of subject DN's of the
2135 trusted CAs. Reported by Max Kellermann <max@duempel.org>.
2137 ** Fix gnutls_certificate_set_x509_crl to initialize the CRL before using it.
2138 Also added a self-test in tests/certificate_set_x509_crl.c to test the
2139 function. Reported by Max Kellermann <max@duempel.org>.
2141 ** Encode UID fields in DN's as DirectoryString.
2142 Before GnuTLS encoded and parsed UID fields as IA5String. This was
2143 incorrect, it should have used DirectoryString. Now it will use
2144 DirectoryString for the UID field, but for backwards compatibility it
2145 will also accept IA5String UID's. Reported by Max Kellermann
2148 ** Improve out-of-sourcedir builds from CVS.
2149 Reported by ludovic.courtes@laas.fr (Ludovic Courtès).
2151 ** Bootstrap tools changed.
2152 We now require autoconf 2.61, automake 1.10, and gettext 0.16, when
2153 building GnuTLS from CVS. Libtool 1.5.22 is used.
2155 ** Fixed a syntax error in lib/gnutls.asn.
2156 Reported by Paul Millar <p.millar@physics.gla.ac.uk>.
2158 ** Added German translation of GnuTLS messages.
2160 ** Update of gnulib files.
2162 ** API and ABI modifications:
2163 No changes since last version.
2165 * Version 1.7.0 (released 2006-11-29)
2167 ** The default protocol priority try TLS 1.1 and TLS 1.2 too.
2168 The details is that the protocol priority set by
2169 `gnutls_set_default_priority' has been changed from TLS 1.0 and SSL
2170 3.0 to TLS 1.2, TLS 1.1, TLS 1.0 and SSL 3.0.
2172 ** Preliminary support for TLS 1.2.
2173 The client has been successfully tested against
2174 https://www.mikestoolbox.org:4433/.
2176 ** Anonself test now print a lot of debugging info, including TLS version.
2178 ** Doc fixes in OpenCDK, to avoid some gtk-doc warnings.
2180 ** Update of gnulib files.
2182 ** API and ABI modifications:
2183 GNUTLS_TLS1_2: New gnutls_protocol_t enum member.
2185 *** Pulled up from stable 1.6.x branch:
2187 ** Fix ./configure failure with non-GCC compilers.
2188 This fixes the following error message:
2189 configure: error: conditional "HAVE_LD_OUTPUT_DEF" was never defined.
2190 Reported by "Michael C. Vergallen" <mvergall@telenet.be>.
2192 * Version 1.6.3 (released 2007-05-26)
2194 ** New API functions to extract DER encoded X.509 Subject/Issuer DN.
2195 Suggested by Nate Nielsen <nielsen-list@memberwebs.com>. Backported
2196 from the 1.7.x branch, see
2197 <http://lists.gnu.org/archive/html/help-gnutls/2007-05/msg00029.html>.
2199 ** Have PKCS8 parser return better error codes.
2200 Reported by Nate Nielsen <nielsen-list@memberwebs.com>, see
2201 <http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001653.html> and
2202 <http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001654.html>.
2204 ** Fix mem leak for sessions with client authentication via certificates.
2205 Reported by Andrew W. Nosenko <andrew.w.nosenko@gmail.com>, see
2206 <http://lists.gnupg.org/pipermail/gnutls-dev/2007-April/001539.html>.
2208 ** Fix building of 'tlsia' self test.
2209 Earlier some gcc are known to build tlsia linking to
2210 $prefix/lib/libgnutls-extra.so rather than the libgnutls-extra.so in
2211 the build directory, even though command line parameters look OK.
2212 Changing order of some parameters fixes it.
2214 ** API and ABI modifications:
2215 gnutls_x509_crt_get_raw_issuer_dn: ADD.
2216 gnutls_x509_crt_get_raw_dn: ADD.
2218 * Version 1.6.2 (released 2007-04-18)
2220 ** Fix X.509 signing with RSA-PKCS#1 to set a NULL parameters fields.
2221 Before, we remove the parameters field, which resulted in a slightly
2222 different DER encoding which in turn caused signature verification
2223 failures of GnuTLS-generated RSA certificates in some other
2224 implementations (e.g., GnuPG 2.x's gpgsm). Depending on which RFCs
2225 you read, this may or may not be correct, but our new behaviour appear
2226 to be consistent with other widely used implementations.
2228 ** Regenerate the PKIX ASN.1 syntax tree.
2229 For some reason, after changing the ASN.1 type of ldap-UID in the last
2230 release, the generated C file built from the ASN.1 schema was not
2231 refreshed. This can cause problems when reading/writing UID
2232 components inside X.500 Distinguished Names. Reported by devel
2233 <dev001@pas-world.com>.
2235 ** Updated translations.
2237 ** API and ABI modifications:
2238 No changes since last version.
2240 * Version 1.6.1 (released 2006-12-28)
2242 ** Fix the list of trusted CAs that server's send to clients.
2243 Before, the list contained issuer DN's instead of subject DN's of the
2244 trusted CAs. Reported by Max Kellermann <max@duempel.org>.
2246 ** Fix gnutls_certificate_set_x509_crl to initialize the CRL before using it.
2247 Reported by Max Kellermann <max@duempel.org>.
2249 ** Encode UID fields in DN's as DirectoryString.
2250 Before GnuTLS encoded and parsed UID fields as IA5String. This was
2251 incorrect, it should have used DirectoryString. Now it will use
2252 DirectoryString for the UID field, but for backwards compatibility it
2253 will also accept IA5String UID's. Reported by Max Kellermann
2256 ** Fix ./configure failure with non-GCC compilers.
2257 This fixes the following error message:
2258 configure: error: conditional "HAVE_LD_OUTPUT_DEF" was never defined.
2259 Reported by "Michael C. Vergallen" <mvergall@telenet.be>.
2261 ** API and ABI modifications:
2262 No changes since last version.
2264 * Version 1.6.0 (released 2006-11-17)
2266 ** No changes since 1.5.5.
2267 The major changes compared to the 1.4.x branch are:
2269 *** A GnuTLS C++ library is part of the official distribution.
2270 Currently there are no examples or documentation, but hopefully this
2271 will change. See gnutlsxx.h for the API.
2273 *** Windows is a supported platform.
2274 There are, however, two know bugs. One is related to select() in
2275 command line tools (not, nota bene, in the library), the other is a
2276 problem with libgcrypt that causes delays. Help is needed to resolve
2277 those issues, so we feel we can't delay the release because of this.
2279 *** New APIs for custom push/pull function error reporting.
2280 The new APIs are gnutls_transport_set_errno and
2281 gnutls_transport_set_global_errno. See the release notes for version
2282 1.5.4 for more information.
2284 *** Self tests are run under valgrind, if available. See --disable-valgrind.
2286 * Version 1.5.5 (released 2006-11-16)
2288 ** Correctly bump shared library version after adding new APIs.
2289 This was forgotten in the last release.
2291 ** Fix unsigned vs signed problem in ex-x509-info.c example.
2292 Reported by Tim Kosse <tim.kosse@filezilla-project.org>.
2294 ** Fix the rsa-md5-collision self test to work for MinGW+Wine.
2296 ** Update of gnulib files.
2298 ** API and ABI modifications:
2299 No changes since last version.
2301 * Version 1.5.4 (released 2006-11-07)
2303 ** New API functions to set errno in push/pull functions.
2304 Under Windows, setting the errno variable in a push/pull replacement
2305 may end up setting the wrong errno variable, and GnuTLS send/recv
2306 functions become confused about the real errno returned from a failed
2307 push/pull function. Therefor, we have added two APIs to set the errno
2308 variable used by GnuTLS. The APIs can also help to keep things
2309 thread-safe, by avoiding potentially global variables. Typically,
2310 instead of setting errno in your push/pull function, you will call one
2311 of these functions. It is recommended to use
2312 gnutls_transport_set_errno, but if you don't have the session variable
2313 easily accessible in the push/pull replacement function, you can use
2314 gnutls_transport_set_global_errno. Suggested by Tim Kosse
2315 <tim.kosse@filezilla-project.org>.
2317 void gnutls_transport_set_errno (gnutls_session_t session, int err);
2318 void gnutls_transport_set_global_errno (int err);
2320 ** When calling `recv' or `send' Windows errors are handled properly.
2321 The Windows recv/send functions doesn't use errno, and GnuTLS now use
2322 WSAGetLastError to access the error condition instead.
2324 ** Several OpenPGP API fixes.
2325 All suggested by ludovic.courtes@laas.fr (Ludovic Courtès). The most
2326 important fix is to change the return value of
2327 gnutls_openpgp_privkey_get_pk_algorithm and
2328 gnutls_openpgp_key_get_pk_algorithm from 'int' to
2329 'gnutls_pk_algorithm_t', which is an enum type (and thus API/ABI
2330 compatible with 'int').
2332 ** When a GnuTLS server receive a SSLv2 Client Hello for an unknown TLS
2333 ** version, try to negotiate the highest version support by the GnuTLS server,
2334 ** instead of the lowest.
2335 Reported by <Pasi.Eronen@nokia.com>.
2337 ** Replace old constructs with use of gnulib modules.
2338 For example, we can now assume unistd.h, sys/stat.h, sys/socket.h in
2339 the code. If the headers doesn't exist on the target system, gnulib
2340 will make sure its replacement header files are used instead.
2342 ** Fix SOVERSION computation for *.def files.
2343 This fixes build errors similar to "No rule to make target
2344 `libgnutls-`expr', needed by `all-am'." when building for Windows.
2346 ** gnutls_check-version uses strverscmp from gnulib.
2348 ** Update of gnulib files.
2350 ** API and ABI modifications:
2351 gnutls_transport_set_errno: ADD
2352 gnutls_transport_set_global_errno: ADD
2354 * Version 1.5.3 (released 2006-10-26)
2356 ** Add new self-test of RSA-MD5 signature chains.
2357 Note that we already, since GnuTLS 1.2.9, reject RSA-MD5 signatures
2358 when verifying X.509 chains. The code is in tests/rsa-md5-collision/
2359 and is based on the work by Marc Stevens et al, see
2360 <http://www.win.tue.nl/hashclash/TargetCollidingCertificates/>.
2362 ** Re-factor self tests.
2364 ** The include copy of Libtasn1 is updated to version 0.3.7.
2366 ** The included copy of OpenCDK is updated to version 0.5.11.
2368 ** Fix the filename of the *.def file on Windows after library version bump.
2370 ** Separated the gnulib directory into one for LGPL modules and one for GPL.
2371 This allows the GPL'd part of GnuTLS to take advantage of the GPL'd
2372 gnulib modules. Earlier we could only use the LGPL'ed module from
2373 gnulib, because two gnulib directories in the same project didn't
2376 ** API and ABI modifications:
2377 No changes since last version.
2379 * Version 1.5.2 (released 2006-10-03)
2381 ** Decrement the shared library version back to 13 (as in the 1.4.x branch).
2382 Note that if you installed 1.5.0 or 1.5.1, they will have a higher
2383 shared library version than this version, so you'll have to remove
2384 them and possibly relink your applications. The reason for this is
2385 that no API/ABI changes have been made since the 1.4.x branch, and
2386 that incrementing the shared library version was a mistake. Reported
2387 by Andreas Metzler <ametzler@downhill.at.eu.org>.
2389 ** Fix off-by-one error when computing length to malloc.
2390 The code is used by gnutls_openpgp_add_keyring_file and
2391 gnutls_openpgp_add_keyring_mem. Reported by "Adam Langley"
2392 <agl@imperialviolet.org>.
2394 ** Add version script for the GnuTLS C++ library.
2395 Reported by Andreas Metzler <ametzler@downhill.at.eu.org>.
2397 ** Fix the C++ compiler detection logic.
2398 Reported by Andreas Metzler <ametzler@downhill.at.eu.org>.
2400 ** Update of gnulib files.
2402 ** API and ABI modifications:
2403 No changes since last version.
2405 * Version 1.5.1 (released 2006-09-21)
2407 ** Fix PKCS#1 verification to avoid a variant of Bleichenbacher's
2408 ** Crypto 06 rump session attack.
2409 In particular, we check that the digestAlgorithm.parameters field is
2410 missing or empty, to avoid that it can contain "garbage" that may be
2411 used to alter the numeric properties of the signature. See
2412 <http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html> (which is
2413 not exactly the same as the problem we fix here). Reported by Yutaka
2414 OIWA <y.oiwa@aist.go.jp>.
2416 See GNUTLS-SA-2006-4 on http://www.gnutls.org/security.html for more
2417 up to date information.
2419 ** Add self test to test for above flaw.
2421 ** Fix gnutls-cli-debug regarding resume support detection.
2422 Earlier, if the session-id from the server had a length of 0, it would
2423 indicate the the server supports resumption, which isn't the case.
2424 Reported by Kataja Kai <kai.kataja@op.fi>.
2426 ** Fix building of examples on FreeBSD by including netinet/in.h.
2427 Reported by Roman Bogorodskiy <novel@FreeBSD.org>.
2429 ** Fix certtool bug that caused the private key to not be loaded when
2430 generating a certificate with --load-request, which in turn triggered
2431 another unrelated bug in gnutls_x509_crt_sign2 (also fixed). Reported
2432 by Sascha Ziemann <sascha.ziemann@secunet.com>.
2434 ** gnutls-cli and gnutls-serv works on Windows.
2435 The problem was the select() call that doesn't work on file
2436 descriptors (stdin) on Windows. We borrowed some code from plibc to
2437 solve this. It appears to be somewhat unreliable though.
2439 ** Autoconf 2.60 is now used.
2441 ** API and ABI modifications:
2442 No changes since last version.
2444 * Version 1.5.0 (released 2006-08-13)
2446 ** Change SRP and Cert-Type extensions to match IANA registry.
2448 ** Fixed bug in OpenPGP authentication handshake.
2450 ** Improvements for building under MinGW.
2451 Provides internal inet_ntop and inet_pton functions and arpa/inet.h
2452 header. Calls WSAStartup and WSACleanup in gnutls_global_init and
2453 gnutls_global_deinit, respectively. Loads getaddrinfo and getnameinfo
2454 at run-time from ws2_32.dll, and falls back on a simple replacement if
2455 it is not available. Builds the library with -mms-bitfields
2456 -Wl,--enable-runtime-pseudo-reloc. Links with --output-def, to
2457 create *.def files, which are installed.
2459 ** The examples now (conditionally) include config.h and link to gnulib.
2460 No other source changes were necessary, so the examples should
2461 continue to be possible to use stand-alone without any autoconf or
2464 ** Added C++ header "gnutlsxx.h" and library "libgnutlsxx".
2465 You may unconditionally disable it with --disable-cxx. See
2466 includes/gnutls/gnutlsxx.h and lib/gnutlsxx.cpp for the
2469 ** Made command line tool '--version' behave according to GNU Standards.
2470 This enables 'make distcheck' to succeed.
2472 ** OpenCDK updated to 0.5.9 to fix some problems with OpenPGP support.
2474 ** Make --without-included-libtasn1 work.
2475 Reported by Daniel Black <dragonheart@gentoo.org>.
2477 ** Fix a crash (strcmp() on a NULL value) in the certificate verification logic.
2478 See http://www.gnu.org/software/gnutls/security.html regardging
2479 GNUTLS-SA-2006-2 for more up to date information. Reported by
2480 satyakumar <satyam_kkd@hyd.hellosoft.com>.
2482 ** API and ABI modifications:
2483 No changes since last version.
2485 * Version 1.4.5 (released 2006-11-06)
2487 ** When a GnuTLS server receive a SSLv2 Client Hello for an unknown TLS
2488 ** version, try to negotiate the highest version support by the GnuTLS server,
2489 ** instead of the lowest.
2490 Reported by <Pasi.Eronen@nokia.com>.
2492 ** Fix typo in doc/examples/ex-serv-pgp.c.
2493 Reported by Adam Langley" <agl@imperialviolet.org>.
2495 ** API and ABI modifications:
2496 No changes since last version.
2498 * Version 1.4.4 (released 2006-09-12)
2500 ** Relax the test that caught signatures that exploit the variant of
2501 ** Bleichenbacher's Crypto 06 rump session attack on our
2502 ** verification logic flaw.
2503 In particular, we now permit the digestAlgorithm.parameters field to
2504 be present but empty, whereas in 1.4.3 we actually checked that the
2507 ** Revert the removal of debug information for the GNUTLS-SA-2006-3 problem.
2508 The messages are only printed in debug mode, which is not recommended
2509 for normal use, and thus logging this situation cannot be abused as an
2510 oracle in typical recommended situations.
2512 ** API and ABI modifications:
2513 No changes since last version.
2515 * Version 1.4.3 (released 2006-09-08)
2517 ** Fix PKCS#1 verification to avoid a variant of Bleichenbacher's
2518 ** Crypto 06 rump session attack.
2519 In particular, we check that the digestAlgorithm.parameters field is
2520 empty, to avoid that it can contain "garbage" that may be used to
2521 alter the numeric properties of the signature. See
2522 <http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html> (which is
2523 not exactly the same as the problem we fix here). Reported by Yutaka
2524 OIWA <y.oiwa@aist.go.jp>.
2526 See GNUTLS-SA-2006-4 on http://www.gnutls.org/security.html for more
2527 up to date information.
2529 ** Fix PKCS#1 decryption to avoid Bleichenbacher's Crypto 98 attack.
2530 See <http://www.bell-labs.com/user/bleichen/papers/pkcs.ps.gz>.
2531 Reported by Werner Koch <wk@gnupg.org>.
2533 See GNUTLS-SA-2006-3 on http://www.gnutls.org/security.html for more
2534 up to date information.
2536 ** Fix crash in gnutls_x509_crt_sign2 if passed a NULL issuer_key.
2538 ** API and ABI modifications:
2539 No changes since last version.
2541 * Version 1.4.2 (released 2006-08-12)
2543 ** Fix a crash (strcmp() on a NULL value) in the certificate verification logic.
2544 This can happen if you call gnutls_certificate_verify_peers2 and have
2545 a certain mix of local CA certificates and the peer send special
2546 certificates, that together trigger certain behaviour. It is not
2547 known at this point whether the crash can be triggered without the
2548 special local CA certificate, and thus turn this into a remote crash
2549 of clients that verify server certificates when they talk to a server
2550 with the special server certificate. See GNUTLS-SA-2006-2 on
2551 http://www.gnu.org/software/gnutls/security.html for more up to date
2552 information. Reported by satyakumar <satyam_kkd@hyd.hellosoft.com>.
2554 ** Change SRP and Cert-Type extensions to match IANA registry.
2556 ** OpenCDK updated to 0.5.9 to fix some problems with OpenPGP support.
2558 ** Make --without-included-libtasn1 work.
2559 Reported by Daniel Black <dragonheart@gentoo.org>.
2561 ** API and ABI modifications:
2562 No changes since last version.
2564 * Version 1.4.1 (released 2006-06-14)
2566 ** Replaced inactive ifdefs to enable openpgp support in test programs.
2568 ** Fixed bug in OpenPGP authentication handshake.
2570 ** Fixed typographical in man pages.
2572 ** Build fixes of the manual.
2574 ** Added Swedish translation.
2576 ** API and ABI modifications:
2577 No changes since last version.
2579 * Version 1.4.0 (released 2006-05-15)
2581 ** Remove GnuTLS 0.8.x compatibility functions.
2583 ** The libgcrypt RNG is initialized in gnutls_global_init().
2585 ** TLS/IA API changes from Emile van Bergen.
2586 A dummy credential structure is not needed now, if you wish to use the
2587 low-level TLS/IA API, simply call gnutls_ia_enable to enable TLS/IA on
2590 ** The self-tests are now run under valgrind, if it is installed.
2592 ** Libtasn1 is updated to 0.3.4, and that version is now required.
2594 ** The command line tools now use getaddrinfo and support IPv6.
2596 ** API and ABI modifications:
2597 _gnutls_x509_get_raw_crt_activation_time,
2598 _gnutls_x509_get_raw_crt_expiration_time: Removed.
2599 gnutls_ia_require_inner_phase: Removed, replaced by gnutls_ia_enable.
2600 gnutls_ia_enable: Added.
2602 * Version 1.3.5 (released 2006-03-08)
2604 ** Error messages are now translated using GNU Gettext.
2606 ** The function gnutls_x509_crt_to_xml now return an internal error.
2607 This means that the code to convert X.509 certificates to XML format
2608 does not work any more. The reason is that the function called
2609 libtasn1 internal functions. It seems unclean for libtasn1 to export
2610 the APIs needed here. Instead it would be better to implement XML
2611 support inside libtasn1 properly. If you need this functionality
2612 strongly, please consider looking into implementing this suggested
2613 approach instead. As a workaround, you may also modify lib/x509/xml.c
2614 (change '#if 1' to '#if 0') and build using --with-included-libtasn1.
2616 ** Libraries are now built with libtool's -no-undefined.
2617 This helps producing libraries for Windows using mingw32.
2619 ** Doc fixes to explain that gnutls_record_send can block.
2621 ** Libtasn1 0.3.1 or later is now required.
2622 The include copy has been updated too.
2624 ** gnutls-cli can now recognize services and port numbers with the -p option.
2626 ** API and ABI modifications:
2627 No changes since last version.
2629 * Version 1.3.4 (released 2006-02-09)
2631 ** Fix read of out bounds bug in DER parser.
2632 Reported by Evgeny Legerov <admin@gleg.net>, and debugging help from
2633 Protover SSL. Libtasn1 0.2.18 is now required, which contains the
2634 previous bug fix. The included libtasn1 version in GnuTLS has been
2637 ** Fixed bug in non-blocking gnutls_bye(). gnutls_record_send() will no
2638 longer invalidate a session if the underlying send fails, but it will
2639 prevent future writes. That is to allow reading the already received data.
2640 Patches and bug reports by Yoann Vandoorselaere <yoann@prelude-ids.org>
2642 ** Corrected bugs in gnutls_certificate_set_x509_crl() and
2643 gnutls_certificate_set_x509_trust(), that caused memory corruption if
2644 more than one certificates were added. Report and patch by Max Kellermann.
2646 ** Fix build problems of OpenCDK on AIX.
2647 Thanks to "Heiden, John" <JHeiden@UTNet.UToledo.Edu>.
2649 ** API and ABI modifications:
2650 No changes since last version.
2652 * Version 1.3.3 (released 2006-01-12)
2654 ** New API to access the TLS master secret.
2655 When possible, you should use the TLS PRF functions instead.
2656 Suggested by Jouni Malinen <jkmaline@cc.hut.fi>.
2658 ** Improved handling when multiple libraries use GnuTLS at the same time.
2659 Now gnutls_global_init() can be called multiple times, and
2660 gnutls_global_deinit() will only deallocate the structure when it has
2661 been called as many times as gnutls_global_init() was called.
2663 ** Added a self test of TLS resume functionality.
2665 ** Fix crash in TLS resume code, caused by TLS/IA changes.
2667 ** Documentation fixes about thread unsafety, prompted by
2668 ** discussion with bryanh@giraffe-data.com (Bryan Henderson).
2669 In particular, gnutls_global_init() and gnutls_global_deinit() are not
2670 thread safe. Careful callers may want to protect the call using a
2671 mutex. The problem could also be ignored, which would cause a memory
2672 leak under rare conditions when two threads invoke the function
2673 roughly at the same time.
2675 ** Add 'const' keywords in various places, from Frediano ZIGLIO.
2677 ** The code was indented again, including the external header files.
2679 ** API and ABI modifications:
2680 New functions to retrieve the master secret value:
2681 gnutls_session_get_master_secret
2683 Add a 'const' keyword to existing API:
2684 gnutls_x509_crq_get_challenge_password
2686 * Version 1.3.2 (released 2005-12-15)
2688 ** GnuTLS now support TLS Inner application (TLS/IA).
2689 This is per draft-funk-tls-inner-application-extension-01. This
2690 functionality is added to libgnutls-extra, so it is licensed under the
2691 GNU General Public License.
2693 ** New APIs to access the TLS Pseudo-Random-Function (PRF).
2694 The PRF is used by some protocols building on TLS, such as EAP-PEAP
2695 and EAP-TTLS. One function to access the raw PRF and one to access
2696 the PRF seeded with the client/server random fields are provided.
2697 Suggested by Jouni Malinen <jkmaline@cc.hut.fi>.
2699 ** New APIs to acceess the client and server random fields in a session.
2700 These fields can be useful by protocols using TLS. Note that these
2701 fields are typically used as input to the TLS PRF, and if this is your
2702 intended use, you should use the TLS PRF API that use the
2703 client/server random field directly. Suggested by Jouni Malinen
2704 <jkmaline@cc.hut.fi>.
2706 ** Internal type cleanups.
2707 The uint8, uint16, uint32 types have been replaced by uint8_t,
2708 uint16_t, uint32_t. Gnulib is used to guarantee the presence of
2709 correct types on platforms that lack them. The uint type have been
2710 replaced by unsigned.
2712 ** API and ABI modifications:
2713 New functions to invoke the TLS Pseudo-Random-Function (PRF):
2717 New functions to retrieve the session's client and server random values:
2718 gnutls_session_get_server_random
2719 gnutls_session_get_client_random
2721 New function, to perform TLS/IA handshake:
2724 New function to decide whether to do a TLS/IA handshake:
2725 gnutls_ia_handshake_p
2727 New functions to allocate a TLS/IA credential:
2728 gnutls_ia_allocate_client_credentials
2729 gnutls_ia_free_client_credentials
2730 gnutls_ia_allocate_server_credentials
2731 gnutls_ia_free_server_credentials
2733 New functions to handle the AVP callback:
2734 gnutls_ia_set_client_avp_function
2735 gnutls_ia_set_client_avp_ptr
2736 gnutls_ia_get_client_avp_ptr
2737 gnutls_ia_set_server_avp_function
2738 gnutls_ia_set_server_avp_ptr
2739 gnutls_ia_get_server_avp_ptr
2741 New functions, to toggle TLS/IA application phases:
2742 gnutls_ia_require_inner_phase
2744 New function to mix session keys with inner secret:
2745 gnutls_ia_permute_inner_secret
2747 Low-level API (used internally by gnutls_ia_handshake):
2748 gnutls_ia_endphase_send
2752 New functions that can be used after successful TLS/IA negotiation:
2753 gnutls_ia_generate_challenge
2754 gnutls_ia_extract_inner_secret
2756 Enum type with TLS/IA modes:
2759 Enum type with TLS/IA packet types:
2762 Enum values for TLS/IA alerts:
2763 GNUTLS_A_INNER_APPLICATION_FAILURE
2764 GNUTLS_A_INNER_APPLICATION_VERIFICATION
2766 New error codes, to signal when an application phase has finished:
2767 GNUTLS_E_WARNING_IA_IPHF_RECEIVED
2768 GNUTLS_E_WARNING_IA_FPHF_RECEIVED
2770 New error code to signal TLS/IA verify failure:
2771 GNUTLS_E_IA_VERIFY_FAILED
2773 * Version 1.3.1 (released 2005-12-08)
2775 ** Support for DHE-PSK cipher suites has been added.
2776 This method offers perfect forward secrecy.
2778 ** Fix gnutls-cli STARTTLS hang when SIGINT is sent too quickly, thanks to
2779 Otto Maddox <ottomaddox@fastmail.fm> and Nozomu Ando <nand@mac.com>.
2781 ** Corrected a bug in certtool for 64 bit machines. Reported
2782 by Max Kellermann <max@duempel.org>.
2784 ** New function to set a X.509 private key and certificate pairs, and/or
2785 CRLs, from an PKCS#12 file, suggested by Emile van Bergen
2786 <emile@e-advies.nl>.
2788 The integrity of the PKCS#12 file is protected through a password
2789 based MAC; public-key based signatures for integrity protection are
2790 not supported. PKCS#12 bags may be encrypted using password derived
2791 symmetric keys, public-key based encryption is not supported. The
2792 PKCS#8 keys may be encrypted using passwords. The API use the same
2793 password for all operations. We believe that any more flexibility
2794 create too much complexity that would hurt overall security, but may
2795 add more PKCS#12 related APIs if real-world experience indicate
2798 ** gnutls_x509_privkey_import_pkcs8 now accept unencrypted PEM PKCS#8 keys,
2799 reported by Emile van Bergen <emile@e-advies.nl>.
2800 This will enable "certtool -k -8" to parse those keys.
2802 ** Certtool now generate keys in unencrypted PKCS#8 format for empty passwords.
2803 Use "certtool -p -8" and press press enter at the prompt. Earlier,
2804 certtool would have encrypted the key using an empty password.
2806 ** Certtool now accept --password for --key-info and encrypted PKCS#8 keys.
2807 Earlier it would have prompted the user for it, even if --password was
2810 ** Added self test of PKCS#8 parsing.
2811 Unencrypted and encrypted (pbeWithSHAAnd3-KeyTripleDES-CBC and
2812 pbeWithSHAAnd40BitRC2-CBC) formats are tested. The test is in
2815 ** API and ABI modifications:
2816 New function to set X.509 credentials from a PKCS#12 file:
2817 gnutls_certificate_set_x509_simple_pkcs12_file
2819 New gnutls_kx_algorithm_t enum type:
2822 New API to return session data (basically same as gnutls_session_get_data):
2823 gnutls_session_get_data2
2825 New API to set PSK Diffie-Hellman parameters:
2826 gnutls_psk_set_server_dh_params
2828 * Version 1.3.0 (2005-11-15)
2830 ** Support for TLS Pre-Shared Key (TLS-PSK) ciphersuites have been added.
2831 This add several new APIs, see below. Read the updated manual for
2832 more information. A new self test "pskself" has been added, that will
2833 test this functionality.
2835 ** The session resumption data are now system independent.
2837 ** The code has been re-indented to conform to the GNU coding style.
2839 ** Removed the RIPEMD ciphersuites.
2841 ** Added a discussion of the internals of gnutls in manual.
2843 ** Fixes for Tru64 UNIX 4.0D that lack MAP_FAILED, from Albert Chin.
2845 ** Remove trailing comma in enums, for IBM C v6, from Albert Chin.
2847 ** Make sure config.h is included first in a few files, from Albert Chin.
2849 ** Don't use C++ comments ("//") as they are invalid, from Albert Chin.
2851 ** Don't install SRP programs and man pages if --disable-srp-authentication,
2854 ** API and ABI modifications:
2855 New gnutls_kx_algorithm_t key exchange type: GNUTLS_KX_PSK
2857 New gnutls_credentials_type_t credential type:
2860 New credential types:
2861 gnutls_psk_server_credentials_t
2862 gnutls_psk_client_credentials_t
2864 New functions to allocate PSK credentials:
2865 gnutls_psk_allocate_client_credentials
2866 gnutls_psk_free_client_credentials
2867 gnutls_psk_free_server_credentials
2868 gnutls_psk_allocate_server_credentials
2870 New enum type for PSK key flags:
2871 gnutls_psk_key_flags
2873 New function prototypes for credential callback:
2874 gnutls_psk_client_credentials_function
2875 gnutls_psk_server_credentials_function
2877 New function to set PSK username and key:
2878 gnutls_psk_set_client_credentials
2880 New function to set PSK passwd file:
2881 gnutls_psk_set_server_credentials_file
2883 New function to extract PSK user in server:
2884 gnutls_psk_server_get_username
2886 New functions to set PSK callback:
2887 gnutls_psk_set_server_credentials_function
2888 gnutls_psk_set_client_credentials_function
2890 Use size_t instead of int for output size parameter:
2891 gnutls_srp_base64_encode
2892 gnutls_srp_base64_decode
2894 * Version 1.2.11 (2006-05-11)
2895 - The function gnutls_x509_crt_to_xml is not supported any more, and
2896 return an internal error. The reason is that the function called
2897 internal libtasn1 functions which are no longer exported from
2899 - Updated libtasn1 requirement to 0.3.4 and refreshed internal mintiasn1.
2900 - Updated gnulib compatibility files.
2901 - Fixed _gnutls_x509_get_raw_crt_expiration_time and
2902 _gnutls_x509_get_raw_crt_activation_time to return (time_t)-1 on errors.
2903 - API and ABI modifications:
2904 No changes since last version.
2906 * Version 1.2.10 (2006-02-09)
2907 - Fix read out bounds bug in DER parser. Reported by Evgeny Legerov
2908 <admin@gleg.net>, and debugging help from Protover SSL.
2909 - Libtasn1 0.2.18 is now required (contains the previous bug fix).
2910 The included version has been updated too.
2911 - Fix gnutls-cli STARTTLS hang when SIGINT is sent too quickly, thanks to
2912 Otto Maddox <ottomaddox@fastmail.fm> and Nozomu Ando <nand@mac.com>.
2913 - Corrected a bug in certtool for 64 bit machines. Reported
2914 by Max Kellermann <max@duempel.org>.
2915 - Corrected bugs in gnutls_certificate_set_x509_crl() and
2916 gnutls_certificate_set_x509_trust(), that caused memory corruption if
2917 more than one certificates were added. Report and patch by Max Kellermann.
2918 - Fixed bug in non-blocking gnutls_bye(). gnutls_record_send() will no
2919 longer invalidate a session if the underlying send fails, but it will
2920 prevent future writes. That is to allow reading the already received data.
2921 Patches and bug reports by Yoann Vandoorselaere <yoann@prelude-ids.org>
2923 * Version 1.2.9 (2005-11-07)
2924 - Documentation was updated and improved.
2925 - RSA-MD2 is now supported for verifying digital signatures.
2926 - Due to cryptographic advances, verifying untrusted X.509
2927 certificates signed with RSA-MD2 or RSA-MD5 will now fail with a
2928 GNUTLS_CERT_INSECURE_ALGORITHM verification output. For
2929 applications that must remain interoperable, you can use the
2930 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 or GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
2931 flags when verifying certificates. Naturally, this is not
2932 recommended default behaviour for applications. To enable the
2933 broken algorithms, call gnutls_certificate_set_verify_flags with the
2934 proper flag, to change the verification mode used by
2935 gnutls_certificate_verify_peers2.
2936 - Make it possible to send empty data through gnutls_record_send,
2937 to align with the send(2) API.
2938 - Some changes in the certificate receiving part of handshake to prevent
2939 some possible errors with non-blocking servers.
2940 - Added numeric version symbols to permit simple CPP-based feature
2941 tests, suggested by Daniel Stenberg <daniel@haxx.se>.
2942 - The (experimental) low-level crypto alternative to libgcrypt used
2943 earlier (Nettle) has been replaced with crypto code from gnulib.
2944 This leads to easier re-use of these components in other projects,
2945 leading to more review and simpler maintenance. The new configure
2946 parameter --with-builtin-crypto replace the old --with-nettle, and
2947 must be used if you wish to enable this functionality. See README
2948 under "Experimental" for more information. Internally, GnuTLS has
2949 been updated to use the new "Generic Crypto" API in gl/gc.h. The
2950 API is similar to the old crypto/gc.h, because the gnulib code were
2951 based on GnuTLS's gc.h.
2952 - Fix compiler warning in the "anonself" self test.
2953 - API and ABI modifications:
2954 gnutls_x509_crt_list_verify: Added 'const' to prototype in <gnutls/x509.h>.
2955 This doesn't reflect a change in behaviour,
2956 so we don't break backwards compatibility.
2957 GNUTLS_MAC_MD2: New gnutls_mac_algorithm_t value.
2958 GNUTLS_DIG_MD2: New gnutls_digest_algorithm_t value.
2959 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2,
2960 GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5: New gnutls_certificate_verify_flags values.
2962 gnutls_x509_crt_list_verify,
2963 gnutls_x509_crt_verify, or
2964 gnutls_certificate_set_verify_flags.
2965 GNUTLS_CERT_INSECURE_ALGORITHM: New gnutls_certificate_status_t value,
2966 used when broken signature algorithms
2967 is used (currently RSA-MD2/MD5).
2968 LIBGNUTLS_VERSION_MAJOR,
2969 LIBGNUTLS_VERSION_MINOR,
2970 LIBGNUTLS_VERSION_PATCH,
2971 LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS
2972 version number, can be used for feature existence
2975 * Version 1.2.8 (2005-10-07)
2976 - Libgcrypt 1.2.2 is required to fix a bug for forking GnuTLS servers.
2977 - Don't install the auxilliary libexamples library used by the
2978 examples in doc/examples/ on "make install", report and tiny patch
2979 from Thomas Klausner <tk@giga.or.at>.
2980 - If you pass a X.509 CA or PGP trust database to the command line
2981 tool, it will now abort the connection if the server certificate
2982 validation fails. Use the parameter --insecure to continue even
2983 after certificate validation failures. Inspired from discussion
2984 with Alexander Kotelnikov <sacha@myxomop.com>.
2985 - The test for socklen_t has been moved to gnulib.
2986 - Link failures for duplicate or missing "program_name" symbol has been fixed,
2987 patch from Martin Lambers <marlam@marlam.de>.
2988 - The command line tool and the examples no longer uses mmap or bzero,
2989 to make them more portable, patch from Martin Lambers
2991 - Made the PKCS #12 API handle null passwords. Based on patch by
2992 Anton Altaparmakov <aia21@cam.ac.uk>.
2993 - The GTK-DOC manual should build with current released tools.
2994 (But a copy of the output is included, so the tools are not required.)
2995 - The inet_ntop function is now used through gnulib.
2996 - API and ABI modifications:
2997 No changes since last version.
2999 * Version 1.2.7 (2005-09-09)
3000 - The GNUTLS and GNUTLS-EXTRA libraries are now built with versioned symbols.
3001 - Certtool now complains when reading out-of-range X.509 serial
3002 numbers, suggested by Fran <e_agf@yahoo.es>.
3003 - Certtool now uses the readline library (when available) when reading
3004 X.509 serial numbers.
3005 - Fixed build problems in getpass on uClibc and Mingw32 platforms.
3006 - Fixed compile warning regarding socklen_t on Mingw32, reported by
3007 Martin Lambers <marlam@marlam.de>.
3008 - Fixed examples in doc/examples/, suggested by Fran <e_agf@yahoo.es>.
3009 - Gnulib is now used for the core library, enabling future code cleanups.
3010 - The gnutls-cli tool now use gnutls_certificate_verify_peers2,
3011 suggested by Daniel Stenberg <daniel@haxx.se>.
3012 - Doc fixes for gnutls_transport_set_push and gnutls_transport_set_pull.
3013 - Minilibtasn1 is now 0.2.17 (removed optional use of C99 macros).
3014 - Disable zlib support if zlib.h is not present.
3015 - A number of internal cleanups.
3016 - API and ABI modifications:
3017 No changes since last version.
3019 * Version 1.2.6 (2005-07-16)
3020 - MiniLZO updated to version 2.01 and moved to separate directory.
3021 - Collision between system LZO header files and MiniLZO header file
3022 fixed, reported by Matthias Urlichs <smurf@smurf.noris.de>.
3023 - Will now test for liblzo functionality in liblzo2 too, reported by
3024 Thomas Klausner <tk@giga.or.at>.
3025 - Minilibtasn1 is now 0.2.14 (no code changes).
3026 - Some code changes to avoid GTK-DOC warnings.
3027 - API and ABI modifications:
3028 No changes since last version.
3030 * Version 1.2.5 (2005-07-03)
3031 - More builddir != srcdir fixes, reported by Mike Castle
3032 <dalgoda@ix.netcom.com>.
3033 - Fixed off-by-one bug in the size parameter of gnutls_x509_crt_get*_dn,
3034 reported by Adam Langley <alangley@gmail.com>.
3035 - Corrected some stuff in minilzo detection. Pointed out by
3037 - MiniLZO updated to version 2.00.
3038 - gnutls_x509_crt_list_import now accept a DER formatted CRL.
3039 - API and ABI modifications:
3040 No changes since last version.
3042 * Version 1.2.4 (2005-05-28)
3043 - Corrected some bugs that could affect 64 bit systems.
3044 - Some corrections in the header files to include the prototype
3045 of memmem properly (affected 64 bit systems). Report and patch
3046 by Yoann Vandoorselaere <yoann@prelude-ids.org>.
3047 - Introduced the --fix-key option to certtool, which can be used to
3048 regenerate the (optional) parameters in a private key. It should
3049 be used together with --key-info.
3050 - Corrected a bug in certificate chain verification that could lead
3051 to marking a trusted chain as non trusted, if the last certificate in
3052 the chain was a self signed one.
3053 - Gnulib portability files were updated.
3054 - License were updated to reflect new FSF address.
3055 - API and ABI modifications:
3056 No changes since last version.
3058 * Version 1.2.3 (2005-04-28)
3059 - Corrected bug in record packet parsing that could lead
3060 to a denial of service attack.
3061 - Corrected bug in RSA key export. Previously exported keys
3062 can be fixed using certtool. Use certtool -k <infile >outfile
3063 - API and ABI modifications:
3064 gnutls_x509_privkey_fix(): Add.
3066 * Version 1.2.2 (2005-04-25)
3067 - gnutls_error_to_alert() now considers
3068 GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET.
3069 - Fixed error in session resuming that could cause a crash in a session.
3070 - Fixed pkcs12 friendly name and local key identifier decoding.
3071 - Internal cleanups, removed duplicate typedef/struct definitions,
3072 and made source code include external include file, to check
3073 function prototypes during compile time.
3074 - API and ABI modifications:
3075 No changes since last version. At least not intentional, but due
3076 to the include header changes, there may be inadvertant changes,
3077 please let us know if you find any.
3079 * Version 1.2.1 (2005-04-04)
3080 - gnutls_bye() will no longer fail when RDWR is used and application
3081 data are available for reading.
3082 - Added more strict checks for the SRP parameters (g,n), when they
3083 are not in the included list.
3084 - Added warning to certtool when MD5 is being used for digital
3086 - Optimizations ("-O2 -finline-functions") are not enabled by default,
3087 instead the standard autoconf defaults are used. Use `./configure
3088 CFLAGS="-O2 -finline-functions"' to get the old optimizations.
3089 - Added the option --get-dh-params to certtool, in order to get the
3090 parameters included in the library primes and generators.
3091 - Improved the semantics of GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, to
3092 allow only trusted Version 1 CAs and introduced
3093 GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT which has the old semantics.
3094 - Nettle self tests now build properly, reported by Pierre
3095 <pierre42d@9online.fr>.
3096 - Eliminated some memory leaks in DHE and RSA-EXPORT cipher suites.
3097 Reported by Yoann Vandoorselaere <yoann@prelude-ids.org>.
3098 - If the library has been compiled with features disabled, a warning is
3099 issued during the compilation of any program.
3100 - API and ABI modifications:
3101 gnutls_x509_crt_list_import(): Add
3102 gnutls_x509_crq_get_attribute_by_oid(): Add.
3103 gnutls_x509_crq_set_attribute_by_oid(): Add
3104 gnutls_x509_crt_set_extension_by_oid(): Add.
3105 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT: Modify semantics.
3106 GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT: Add, old behaviour.
3108 * Version 1.2.0 (2005-01-27)
3109 - Added the definitions and OIDs for the RIPEMD-160 hash algorithm.
3110 - Introduced gnutls_x509_crt_sign2(), gnutls_x509_crq_sign2() and
3111 gnutls_x509_crl_sign2().
3112 - Fixed license header in source code files.
3114 * Version 1.1.23 (2005-01-18)
3115 - It is now possible to generate PKCS#12 structures without private
3116 keys using "certtool --to-p12", suggested by Fabian Fagerholm
3118 - Certtool now prints information for the RSA and DSA parameters of
3119 certificates and private keys.
3120 - Corrected the write of CRL distribution points.
3121 - The certificate chain verification function now checks certificates
3122 in the reverse order to minimize the spent resources.
3123 - Corrected several bugs found by Marcin Garski <mgarski@post.pl>
3124 - The functions gnutls_x509_crl_get_issuer_dn, gnutls_x509_crq_get_dn,
3125 gnutls_x509_crt_get_issuer_dn, gnutls_x509_crt_get_dn, and
3126 gnutls_x509_rdn_get now set *sizeof_buf to the buffer length that is
3127 required, instead of the string length. That is, the value has been
3128 incremented by 1 to account for the terminating zero. Reported by
3129 Martin Lambers <marlam@web.de>.
3130 - Debug output shouldn't crash on platforms that doesn't handle NULL
3131 printf %s values. Reported by Michael.Ringe@aachen.utimaco.de.
3132 - Sync included copy of libtasn1 with version 0.2.13.
3133 - Client X.509 authenticated connections via gnutls-cli should now work again.
3135 * Version 1.1.22 (2004-11-04)
3136 - Replace GNU LD version script with Libtool -export-symbols-regex,
3137 from Joe Orton <joe@manyfish.co.uk>.
3138 - Documentation improvements.
3139 - Code indented using 'indent -i4 -kr'.
3140 - The API manual is included in Devhelp format. (Was in last release too,
3141 but the NEWS entry was forgotten.)
3142 - The OpenSSL compatibility code now use the internal crypto interface.
3143 - Added simple self test of OpenSSL compatibility library.
3144 - Internally, libtool convenience libraries are used.
3145 - Cleanups to configure.ac.
3147 * Version 1.1.21 (2004-10-27)
3148 - Print DN of certificates with unknown characters in them, but in hexform
3150 - Added second precision to the X.509 parsing and generation functions.
3151 - Corrected bug in _gnutls_x509_get_dn_oid(), and returns the
3153 - Add parameter --la-file to libgnutls-config and libgnutls-extra-config,
3154 tiny patch contributed by Joe Orton <joe@manyfish.co.uk>.
3155 - Add pkg-config meta files, suggested by Stéphane LOEUILLET
3156 <stephane.loeuillet@tiscali.fr>.
3157 - Fix memory initializaion bug in gnutls_certificate_set_x509_trust,
3158 tiny patch by Aleix Conchillo Flaque <aleix@member.fsf.org>.
3159 - Add self test of PKCS#12 functionality in "certtool", based on test
3160 vectors from Joe Orton <joe@manyfish.co.uk>.
3161 - Fix library order in libgnutls*-config --libs output, to permit
3162 static linking, reported by Yoann Vandoorselaere
3163 <yoann@prelude-ids.org>.
3165 * Version 1.1.20 (2004-10-12)
3166 - Fix compile problem in gl/getpass.c on some systems.
3168 * Version 1.1.19 (2004-10-07)
3169 - Fix memory leak in gnutls_certificate_verify_peers and
3170 gnutls_certificate_free_credentials, report and patch by Simon
3171 Posnjak <simon.posnjak@cetrtapot.si>.
3172 - Fix crash in `certtool --to-p12 --load-privkey foo', i.e. exporting
3173 a key and no certificate to PKCS#12.
3174 - Fix objdir != srcdir builds, reported by "Gerrit P. Haase"
3175 <gp@familiehaase.de>.
3176 - Fixes faulty getpass implementation in libextra/opencdk/, reported
3177 by Yoann Vandoorselaere <yoann@prelude-ids.org>.
3178 - Uses memmem instead of strnstr in lib/.
3179 - Using more GNULib portability files, although not yet inside lib/.
3180 - Added gnutls_certificate_verify_peers to gnutls/compat.h.
3181 Nikos deprecated gnutls_certificate_verify_peers in favor of
3182 gnutls_certificate_verify_peers2 earlier in the 1.1 branch.
3183 - Improvements to the manual.
3184 - Add new example "ex-rfc2818" for certificate verification, from Nikos.
3185 - Known bug: the library require snprintf. This has not yet been
3186 fixed, but will be handled via GNULib later on.
3188 * Version 1.1.18 (2004-08-24)
3189 - Corrected handling of certificate with dates after year 2038.
3190 - Corrected DER decoder which could incorrectly treat input as BER and fail.
3191 - Correct certtool --smime-to-p7 end of line character handling.
3192 - Added example client and server for anonymous authentication.
3193 - Added self test that tests anonymous TLS client and server.
3194 - Added self tests of Nettle and generic crypto layer.
3195 - Added API reference manual in HTML format in doc/reference/ using GTK-DOC.
3196 Online version at <http://www.gnu.org/software/gnutls/reference/>.
3197 - Assume C89 or better; removed checks for size_t, ptrdiff_t and time_t.
3198 - Man pages for API functions are included.
3200 * Version 1.1.17 (2004-08-18)
3201 - Bug fix of padding string in RSA PKCS#1 v1.5 type 2 encryption,
3202 reported by Robey Pointer <robey@danger.com>.
3203 - Generic crypto interface for secret key ciphers, hashes and randomness added.
3204 See section "Experimental" within section "COMPILATION ISSUES" in README.
3205 - Removed length limit on passwords read by 'certtool'.
3206 - Documentation fixes.
3208 * Version 1.1.16 (2004-08-15)
3209 - Fix missing gnulib linker parameter when building certtool.
3210 - Add gnulib module 'progname', needed by module 'error'.
3211 - Improve building with srcdir != objdir.
3213 * Version 1.1.15 (2004-08-15)
3214 - Certtool has simplistic --smime-to-p7 to translate RFC 2633 messages into
3216 - Ported to Mac OS X / Darwin.
3217 - Ported to FreeBSD.
3219 * Version 1.1.14 (2004-08-09)
3220 - Documentation converted to Texinfo format.
3221 - Bug fix of test suite.
3222 - Configure now print build information, used by Autobuild.
3224 * Version 1.1.13 (2004-08-05)
3225 - Added simple self test suite.
3227 * Version 1.1.12 (2004-08-02)
3228 - Updated the SRP authentication to conform to the
3229 latest (yet unreleased) draft. Unfortunately this breaks
3230 compatibility with previous versions.
3231 - Changed the makefiles to be more portable.
3232 - SRP ciphersuites were moved to the gnutls library.
3233 - Added some default limits in the verification of certificate
3234 chains, to avoid denial of service attacks. Also added
3235 gnutls_certificate_set_verify_limits() to override them.
3236 Issue pointed out by Patrik Hornik <patrik@hornik.sk>.
3237 - Added gnutls_certificate_verify_peers2().
3239 * Version 1.1.11 (2004-07-16)
3240 - Added the '_t' suffix to all exported symbols.
3241 - Fixed bug in RSA encryption, report and patch by Martijn Koster
3242 <mak@greenhills.co.uk>.
3243 - Corrected a bug in certificate verification. Pointed out by
3244 Yoann Vandoorselaere <yoann@prelude-ids.org>
3245 - Added the GNUTLS_VERIFY_DO_NOT_ALLOW_SAME flags to the
3246 verification functions.
3247 - The ephemeral DH and RSA parameters are no longer stored in the
3249 - Do not free the SRP (prime and generator) parameters obtained from the
3250 callback if they are the static ones defined in extra.h
3251 - Eliminated some memory leaks. Reported by Yoann Vandoorselaere.
3253 * Version 1.1.10 (2004-06-12)
3254 - Added gnutls_sign_algorithm_get_name() and gnutls_pk_algorithm_get_name()
3255 - Corrected bug in TLS renegotiation.
3256 - Corrected bug in OpenPGP key loading using a callback.
3257 - gnutls-srpcrypt was renamed to srptool
3258 - Allow handshake requests by the client.
3259 - Automatically disable certificate types that do not have corresponding
3261 - Added gnutls_auth_client_get_type() and gnutls_auth_server_get_type()
3262 - Opencdk library is being included if not found.
3263 - certtool can now add ip address SAN extension.
3264 - certtool has now support for more X.520 DN attribute types.
3265 - Better handling of EOF in gnutls_record_recv().
3266 - _gnutls_deinit() is no longer used. Sessions are not
3267 automatically removed any more, on abnormal termination.
3268 - Corrected session resuming in SRP ciphersuites.
3269 - Updated to conform to the latest srp draft (draft-ietf-tls-srp-07)
3270 - Added new functions to allow access to the ephemeral
3271 Diffie Hellman parameters.
3272 - Added the functions gnutls_x509_crt_get_pk_rsa_raw() and
3273 gnutls_x509_crt_get_pk_dsa_raw() to retrieve parameters from certificates.
3274 - Added the functions gnutls_dh_get_group(), gnutls_dh_get_pubkey() and
3275 gnutls_rsa_export_get_pubkey() to retrieve parameters of the DH or
3276 RSA-EXPORT key exchange.
3277 - Some fixes in the session resuming code.
3278 - Added gnutls_openpgp_keyring_check_id().
3280 * Version 1.1.9 (2004-04-14)
3281 - Added support for authority key identifier and the extended key usage
3282 X.509 extension fields. The certtoool was updated to support them.
3283 - The RC2 cipher is no more included. The one in libgcrypt is now used.
3284 - Added batch support to certtool. Now it can use templates.
3286 * Version 1.1.8 (2004-04-07)
3287 - Implemented all the tests for the SRP group parameters in
3288 client side. This may lead to incompatibility with very
3290 - Corrected bug in RSA parameters handling which could cause
3292 - Optimized the copying of rsa_params.
3294 * Version 1.1.7 (2004-03-29)
3295 - Added gnutls_certificate_set_params_function() and
3296 gnutls_anon_set_params_function() that set the RSA or DH
3297 parameters using a callback.
3298 - Added functions gnutls_rsa_params_cpy(), gnutls_dh_params_cpy()
3299 and gnutls_x509_privkey_cpy().
3300 - Corrected a compilation issue when opencdk was installed in a
3301 non standard directory.
3302 - Deprecated: gnutls_srp_server_set_select_function(),
3303 gnutls_certificate_client_set_select_function(), gnutls_srp_server_set_select_function().
3305 * Version 1.1.6 (2004-02-24)
3306 - Several bug fixes, by Arne Thomassen.
3307 - Fixed a bug where 'server name' extension was always sent.
3309 * Version 1.1.5 (2004-01-06)
3310 - Added the gnutls_sign_algorithm type.
3312 * Version 1.1.4 (2004-01-04)
3313 - Improved gnutls-cli's SRP behaviour in SRP ciphersuites.
3314 If they are of highest priority then the abbreviated handshake
3316 - Removed all references of missing files.
3317 - Changed handshake behaviour to send the lowest TLS version
3318 when an unsupported version was advertized. The current behaviour
3319 is to send the maximum version we support.
3320 - Corrected problem printing the DC attributes in a DN.
3322 * Version 1.1.3 (2003-12-30)
3323 - Implemented TLS 1.1 (and also obsoleted the TLS 1.0 CBC protection
3326 * Version 1.1.2 (2003-12-28)
3327 - Added CRL verification functionality to certtool.
3328 - Corrected the CRL distribution point extension handling.
3330 * Version 1.1.1 (2003-12-26)
3331 - Added PKCS #7 support to certtool utility.
3332 - Added support for reading and generating CRL distribution
3333 points extensions in certificates.
3334 - Added support for generating CRLs in the library and the
3336 - Added support for the Subject Key ID PKIX extension.
3338 * Version 1.1.0 (2003-12-21)
3339 - The error codes GNUTLS_E_NO_TEMPORARY_DH_PARAMS and GNUTLS_E_NO_TEMPORARY_RSA_PARAMS
3340 are no longer returned by the handshake function. Ciphersuites that
3341 require temporary parameters are removed when such parameters do not exist.
3342 - Added the callbacks gnutls_certificate_client_retrieve_function() and
3343 gnutls_certificate_server_retrieve_function(), to allow a client or a server
3344 to specify certificates for the handshake without storing them to the
3345 credentials structure.
3346 - Added support for generating and exporting DSA private keys.
3347 - Added gnutls_x509_crt_set_key_usage() and certtool can now set the
3348 certificate's key usage.
3349 - Added gnutls_openpgp_key_get_key_usage().
3351 * Version 1.0.25 (2005-04-27)
3352 - Corrected bug in record packet parsing that could lead
3353 to a denial of service attack.
3354 - Corrected bug in RSA key export.
3356 * Version 1.0.24 (2005-01-18)
3357 - Corrected several bugs found by Marcin Garski <mgarski@post.pl>
3359 * Version 1.0.23 (2004-11-13)
3360 - Replace GNU LD version script with Libtool -export-symbols-regex,
3361 from Joe Orton <joe@manyfish.co.uk>.
3362 - Copy libtasn1 has been updated to version 0.2.11.
3363 - Corrected the write of CRL distribution points.
3364 - It is now possible to generate PKCS#12 structures without private
3365 keys using "certtool --to-p12", suggested by Fabian Fagerholm
3368 * Version 1.0.22 (2004-10-28)
3369 - Print DN of certificates with unknown characters in them, but in hexform
3371 - Corrected bug in _gnutls_x509_get_dn_oid(), and returns the
3373 - Added second precision to the X.509 parsing functions.
3374 - Add parameter --la-file to libgnutls-config and libgnutls-extra-config,
3375 tiny patch contributed by Joe Orton <joe@manyfish.co.uk>.
3376 - Add pkg-config meta files, suggested by Stéphane LOEUILLET
3377 <stephane.loeuillet@tiscali.fr>.
3378 - Fix memory initializaion bug in gnutls_certificate_set_x509_trust,
3379 tiny patch by Aleix Conchillo Flaque <aleix@member.fsf.org>.
3380 - Fix certtool --password for PKCS #12, back ported from 1.1.x branch.
3381 - Fix library order in libgnutls*-config --libs output, to permit
3382 static linking, reported by Yoann Vandoorselaere
3383 <yoann@prelude-ids.org>.
3385 * Version 1.0.21 (2004-10-07)
3386 - Fix memory leak in gnutls_certificate_verify_peers and
3387 gnutls_certificate_free_credentials, report and patch by Simon
3388 Posnjak <simon.posnjak@cetrtapot.si>.
3389 - Fix crash in `certtool --to-p12 --load-privkey foo', i.e. exporting
3390 a key and no certificate to PKCS#12.
3391 - Fix objdir != srcdir builds, reported by "Gerrit P. Haase"
3392 <gp@familiehaase.de>.
3393 - Avoid redefining getpass if system already has it, reported by
3394 Yoann Vandoorselaere <yoann@prelude-ids.org>.
3395 - Add new example "ex-rfc2818" for certificate verification, from Nikos.
3396 - Known bug: the library require snprintf.
3398 * Version 1.0.20 (2004-08-18)
3399 - Bug fix of padding string in RSA PKCS#1 v1.5 type 2 encryption,
3400 reported by Robey Pointer <robey@danger.com>.
3402 * Version 1.0.19 (2004-08-09)
3403 - Bug fix of test suite.
3405 * Version 1.0.18 (2004-08-05)
3406 - Added simple self test suite.
3408 * Version 1.0.17 (2004-08-02)
3409 - Updated the SRP authentication to conform to the
3410 latest (yet unreleased) draft. Unfortunately this breaks
3411 compatibility with previous versions.
3412 - Changed the makefiles to be more portable.
3413 - Added some default limits in the verification of certificate
3414 chains, to avoid denial of service attacks. Also added
3415 gnutls_certificate_set_verify_limits() to override them.
3416 Issue pointed out by Patrik Hornik <patrik@hornik.sk>.
3417 - Added gnutls_certificate_verify_peers2().
3419 * Version 1.0.16 (2004-07-10)
3420 - Do not free the SRP (prime and generator) parameters obtained from the
3421 callback if they are the static ones defined in extra.h.
3422 - Eliminated some memory leaks. Reported by Yoann Vandoorselaere.
3423 - Some fixes in the makefiles.
3425 * Version 1.0.15 (2004-06-29)
3426 - Fixed bug in RSA encryption, report and patch by Martijn Koster
3427 <mak@greenhills.co.uk>.
3428 - Corrected a bug in certificate verification. Pointed out by
3429 Yoann Vandoorselaere <yoann@prelude-ids.org>.
3431 * Version 1.0.14 (2004-06-12)
3432 - Automatically disable certificate types that do not have corresponding
3434 - Updates in the documentation.
3435 - certtool can now add ip address SAN extension.
3436 - certtool has now support for more X.520 DN attribute types.
3437 - Opencdk library is being included if not found.
3438 - Added gnutls_openpgp_keyring_check_id().
3439 - Corrected a serious bug in the included libtasn1 library.
3440 - Corrected session resuming in SRP ciphersuites.
3441 - Updated to conform to the latest srp draft (draft-ietf-tls-srp-07)
3442 - Added the functions gnutls_x509_crt_get_pk_rsa_raw() and
3443 gnutls_x509_crt_get_pk_dsa_raw() to retrieve parameters from certificates.
3444 - Some fixes in the session resuming code.
3446 * Version 1.0.13 (2004-04-29)
3447 - Some complilation fixes.
3448 - Added the --xml parameter to the certtool utility.
3450 * Version 1.0.12 (2004-04-23)
3451 - Corrected bug in OpenPGP key loading using a callback.
3452 - Renamed gnutls-srpcrypt to srptool
3453 - Allow handshake requests by the client.
3454 * Things backported from the development branch:
3455 - Added support for authority key identifier and the extended key usage
3456 X.509 extension fields. The certtoool was updated to support them.
3457 - Added batch support to certtool. Now it can use templates.
3458 - The RC2 cipher is no more included. The one in libgcrypt is now used.
3460 * Version 1.0.11 (2004-04-17)
3461 - Added gnutls_sign_algorithm_get_name() and gnutls_pk_algorithm_get_name()
3462 - Corrected bug in TLS renegotiation.
3464 * Version 1.0.10 (2004-04-03)
3465 - Corrected bug in RSA parameters handling which could cause
3467 - Corrected bug in SSL 3.0 authentication.
3469 * Version 1.0.9 (2004-03-29)
3470 - Added gnutls_certificate_set_params_function() and
3471 gnutls_anon_set_params_function() that set the RSA or DH
3472 parameters using a callback.
3473 - Added functions gnutls_rsa_params_cpy(), gnutls_dh_params_cpy()
3474 and gnutls_x509_privkey_cpy().
3475 - Corrected a compilation issue when opencdk was installed in a
3476 non standard directory.
3477 - Documented the changes need in multi-threaded application due
3478 to the new libgcrypt.
3480 * Version 1.0.8 (2004-02-28)
3481 - Corrected bug in mutual certificate authentication in SSL 3.0.
3483 * Version 1.0.7 (2004-02-25)
3484 - Implemented TLS 1.1 (and also obsoleted the TLS 1.0 CBC protection
3486 - Some updates in the documentation.
3488 * Version 1.0.6 (2004-02-12)
3489 * Backported things from the development branch (while maintaining
3490 backwards compatibility):
3491 - Improved gnutls-cli's SRP behaviour in SRP ciphersuites.
3492 If they are of highest priority then the abbreviated handshake
3494 - The error codes GNUTLS_E_NO_TEMPORARY_DH_PARAMS and GNUTLS_E_NO_TEMPORARY_RSA_PARAMS
3495 are no longer returned by the handshake function. Ciphersuites that
3496 require temporary parameters are removed when such parameters do not exist.
3497 - Added the callbacks gnutls_certificate_client_retrieve_function() and
3498 gnutls_certificate_server_retrieve_function(), to allow a client or a server
3499 to specify certificates for the handshake without storing them to the
3500 credentials structure.
3501 - Added support for generating and exporting DSA private keys.
3503 * Version 1.0.5 (2004-02-11)
3504 - Fixed a bug where 'server name' extension was always sent.
3505 * Backported things from the development branch:
3506 - Added CRL verification functionality to certtool.
3507 - Corrected the CRL distribution point extension handling.
3508 - Added PKCS #7 support to certtool utility.
3509 - Added support for reading and generating CRL distribution
3510 points extensions in certificates.
3511 - Added support for generating CRLs in the library and the
3513 - Added support for the Subject Key ID PKIX extension.
3514 - Added the gnutls_sign_algorithm type.
3516 * Version 1.0.4 (2004-01-04)
3517 - Changed handshake behaviour to send the lowest TLS version
3518 when an unsupported version was advertized. The current behaviour
3519 is to send the maximum version we support.
3520 - certtool no longer asks the password in unencrypted private
3522 - The source is now compiled to use the reentrant libc functions.
3524 * Version 1.0.3 (2003-12-21)
3525 - Corrected bug in gnutls_bye() which made it return an error code
3526 of INVALID_REQUEST instead of success.
3527 - Corrected a bug in the GNUTLS_KEY key usage definitions.
3529 * Version 1.0.2 (2003-12-18)
3530 - Corrected a bug in the RSA key generation. This was
3531 generating unusable RSA keys.
3533 * Version 1.0.1 (2003-12-10)
3534 - Some minor fixes in the makefiles. They now include CFLAGS
3535 from libgcrypt or opencdk if installed in a non standard directory.
3536 - Fixed the SRP detection test in gnutls-cli-debug.
3537 - Added gnutls_rsa_params_export_pkcs1() and gnutls_rsa_params_import_pkcs1().
3539 * Version 1.0.0 (2003-12-04)
3540 - Exported the static SRP group parameters.
3541 - Some fixes in the certificate authenticated SRP ciphersuites.
3542 - Improved the support for draft-ietf-tls-srp-05. The two-phase
3543 handshake is now fully supported without any interaction with
3544 the application layer (except for a callback).
3546 * Version 0.9.99 (2003-11-28)
3547 - Some fixes in the gnutls.h header for the gnutls_server_name_set()
3548 and gnutls_server_name_get() prototypes.
3549 - Exported the gnutls_x509_privkey_sign_data(), gnutls_x509_privkey_verify_data()
3550 and gnutls_x509_crt_verify_data().
3551 - Some fixes in the openpgp authentication.
3552 - Removed the Twofish cipher.
3554 * Version 0.9.98 (2003-11-16)
3555 - The openssl compatibility layer was moved to gnutls-openssl
3556 library instead of being included in the gnutls-extra library.
3557 - Added the RIPEMD ciphersuites defined in draft-ietf-tls-openpgp-keys-04.
3558 - Building with openpgp support is now mandatory.
3559 - gnutls4 compatibility header is no longer included by default in
3561 - gnutls8 function usage yelds a deprecation warning in gcc3.
3562 - gnutls_x509_*_set_dn_by_oid() and gnutls_x509_*_get_*_dn_by_oid()
3563 functions have a raw_flag parameter added.
3564 - Added gnutls_x509_*_get_dn_oid() and gnutls_x509_crt_get_extension_oid()
3565 functions which return the available OIDs.
3567 * Version 0.9.97 (2003-11-11)
3568 - The certtool utility can now generate PKCS #12 structures
3569 without specifying a certificate.
3570 - Added capability to read CRLs to certtool.
3571 - Corrected some functions which return GNUTLS_E_SHORT_MEMORY_BUFFER
3572 to properly set the required buffer size.
3573 - Corrected a bug in libgcrypt detection.
3575 * Version 0.9.96 (2003-11-09)
3576 - Some changes to allow compilation with mingw32.
3577 - Several code cleanups.
3579 * Version 0.9.95 (2003-11-02)
3580 - Improved the verification functions. Added new verification
3581 output flags and removed the unused and redundant ones.
3582 - Improved the OpenPGP key support.
3583 - The prime utility was removed, and its functionality was moved
3586 * Version 0.9.94 (2003-10-30)
3587 - Added manpages for the included programs.
3588 - Documented and improved the certtool utility.
3589 - Added PKCS #12 support to certtool utility.
3591 * Version 0.9.93 (2003-10-26)
3592 - Corrected some compilation issues.
3593 - Improved the certtool command line utility.
3595 * Version 0.9.92 (2003-10-25)
3596 - The RFC2818 hostname verification is now case insensitive.
3597 - Added support for generating X.509 certificates.
3598 - Added the certtool, a tool for generating X.509 certificates
3600 * Version 0.9.91 (2003-10-17)
3601 - Fixed a compilation issue in the openpgp authentication part.
3603 * Version 0.9.90 (2003-10-08)
3604 - Updated the openpgp key API (depends on the unreleased new
3607 * Version 0.9.8 (2003-10-02)
3608 - Updated the SRP implementation to follow the latest draft
3609 (draft-ietf-tls-srp-05).
3610 - Improved the gnutls-cli behaviour in error handling,
3611 and added a check for the peer's hostname.
3612 - Use versioned symbols in the library (where available).
3613 - RIJNDAEL ciphersuites were renamed to AES.
3615 * Version 0.9.7 (2003-08-25)
3616 - The tex files are now included in the distribution.
3617 - The library can now decrypt PKCS #12 files encrypted with
3619 - The missing rfc2818_hostname object is now included.
3620 - Several corrections and bug fixes in the library by
3621 Arne Thomassen <arne@arne-thomassen.de>.
3622 - CR is now allowed in the base64 decoder.
3624 * Version 0.9.6 (2003-06-28)
3625 - Added gnutls_x509_privkey_get_key_id() and gnutls_x509_crt_get_key_id()
3626 functions which return a unique (per public key) ID. These can
3627 be used to check if the private key corresponds to a given certificate.
3628 - Corrections in the TLS layer openpgp certificate packet parser.
3629 - Corrected a bug in the record layer buffering, which affected
3630 the case where external pull function was used. Report and patch
3631 by Sergey Poznyakoff <gray@Mirddin.farlep.net>.
3632 - Corrected a bug in gnutls-srpcrypt where a non allocated variable
3634 - SRP programs are now built by default.
3635 - Added API to read and write to PKCS #12 structures. Prototypes
3637 - The gnutls_transport_ptr type was changed to a pointer type (void*).
3639 * Version 0.9.5 (2003-04-06)
3640 - Several improvements in the PKCS #7 handling
3641 - Eliminated several hard coded constants in MPI parameters.
3643 * Version 0.9.4 (2003-03-28)
3644 - Corrected a parsing error in the Certificate request message.
3645 - Corrected behaviour when a certificate request message is received.
3646 Now a certificate packet is always sent, and in SSL 3.0 cipher suites
3647 a no_certificate alert is sent instead.
3648 - Added functionality to generate PKCS #7 structures (with certificates).
3650 * Version 0.9.3 (2003-03-24)
3651 - Support for MD2 was dropped.
3652 - Improved the error logging functions, by adding a level, and
3653 by allowing debugging messages just by increasing the level.
3654 - The diffie Hellman ciphersuites are now of higher priority than
3656 - The RSA premaster secret version check can no longer be disabled.
3657 - Implemented the counter measure discussed in the paper "Attacking
3658 RSA-based Sessions in SSL/TLS", against the attack described in the
3660 - Added the functions: gnutls_handshake_get_last_in(),
3661 gnutls_handshake_get_last_out().
3662 - The gnutls_certificate_set_rsa_params() was renamed to
3663 gnutls_certificate_set_rsa_export_params().
3664 - Added the new functions: gnutls_certificate_set_x509_key()
3665 gnutls_certificate_set_x509_trust(), gnutls_certificate_set_x509_crl(),
3666 gnutls_x509_crt_export(), gnutls_x509_crl_export().
3667 - Added support for encoding and decoding PKCS #8 2.0 encrypted
3670 * Version 0.9.2 (2003-03-15)
3671 - Some corrections in the memory mapping code (file is unmapped after
3673 - Added support for PKCS#10 certificate requests generation.
3675 * Version 0.9.1 (2003-03-12)
3676 - Corrected a bug in 64 bit architectures, which affected the
3677 serial number calculation in the record layer.
3678 - Added gnutls_certificate_free_keys() which deletes all the
3679 private keys and certificates from the credentials structure.
3680 - Corrected a broken buffer check in _gnutls_io_read_buffered(),
3681 which caused some unexpected packet length errors. Report and patch
3682 by Ian Peters <itp@ximian.com>.
3683 - Added ability to generate RSA keys.
3684 - Increased the maximum parameter size in order to read some large keys
3685 by some CAs. Patch by Ian Peters <itp@ximian.com>.
3686 - Added an strnstr() function and the requirement in some functions to
3687 use null terminated PEM structures is no more.
3688 - Use mmap() if available to read files.
3689 - Fixed a memory leak in SRP code reported by Rupert Kittinger
3690 <r.kittinger@efkon.com>.
3692 * Version 0.9.0 (2003-03-03)
3693 - This version is not binary compatible with the previous ones.
3694 - The library notifies the application on empty and illegal SRP usernames,
3695 so that proper notification (via an alert) is sent to the peer.
3696 - Added ability to send some messages back to the application using
3697 the gnutls_global_set_log_function().
3698 - gnutls_dh_params_generate() and gnutls_rsa_params_generate() now use
3699 gnutls_malloc() to allocate the output parameters.
3700 - Added support for MD2 algorithm in certificate signature verification.
3701 - The RSA and DH parameter generation interface was changed. Added
3702 ability to import and export from and to PKCS3 structures. This
3703 was needed to read parameters generated using the openssl dhparam tool.
3704 - Several changes in the temporary (DH/RSA) parameter codebase. No DH
3705 parameters are now included in the library. Also the credentials structure
3706 can now hold only one temporary parameter of a kind.
3707 - Added a new Certificate, CRL, Private key and PKCS7 structures handling
3708 API, defined in gnutls/x509.h
3709 - Added gnutls_certificate_set_verify_flags() function to allow setting the
3710 verification flags in the credentials structure. They will be used in the
3711 *verify_peers functions.
3712 - Added protection against the new TLS 1.0 record layer timing attack.
3713 - Added support for Certificate revocation lists. Functions defined
3715 - The only functions that were removed are:
3716 gnutls_x509_certificate_to_xml()
3717 gnutls_x509_extract_dn_string()
3718 - Ported to libtasn1 0.2.x
3720 * Version 0.8.1 (2003-01-22)
3721 - Improved the SRP support, to prevent attackers guessing the
3722 available usernames by brute force.
3723 - Improved the SRP detection in gnutls-cli-debug
3724 - Some fixes which now allow compilation.
3726 * Version 0.8.0 (2003-01-20)
3727 - Added gnutls_x509_extract_dn_string() which returns a
3728 distinguished name in a single string.
3729 - Added gnutls_openpgp_extract_key_name_string() which returns
3730 an openpgp user ID in a single string.
3731 - Added gnutls_x509_extract_certificate_ca_status() which returns
3732 the CA status of the given certificate.
3733 - Added SRP-6 support. Follows draft-ietf-tls-srp-04.
3734 - If libtasn1 is not present in the system, it is included in
3735 the main gnutls library.
3736 - If liblzo is present in the system, then the included minilzo
3737 will not be used, and libgnutls-extra will depend on liblzo.
3738 - GNUTLS_E_PARSING_ERROR error code was replaced by GNUTLS_E_BASE64_DECODING_ERROR,
3739 and GNUTLS_E_SRP_PWD_PARSING_ERROR. GNUTLS_E_ASCII_ARMOR_ERROR was also
3740 replaced by GNUTLS_E_BASE64_DECODING_ERROR.
3742 * Version 0.6.0 (2002-12-08)
3743 - Added "gnutls/compat4.h" header. This is included in gnutls.h
3744 to emulate the old 0.4.x API.
3745 - Example programs are now stored in doc/examples/
3746 - Several improvements and updates in the documentation.
3747 - Added the certificate authenticated SRP cipher suites.
3748 - gnutls_x509_extract_certificate_dn_string() was updated to return
3749 an RFC2253 conforming string.
3750 - Added the SRP related functions:
3751 gnutls_srp_verifier()
3752 gnutls_srp_base64_encode()
3753 gnutls_srp_base64_decode()
3754 - Added the function gnutls_srp_set_server_credentials_function()
3755 to allow retrieving SRP parameters from an external backend - other
3756 than password files.
3757 - Added the function gnutls_openpgp_set_recv_key_function()
3758 which can be used to set a callback, to get OpenPGP keys.
3759 - Exported the functions:
3762 which should be used by callback functions.
3763 - Changed the semantics of gnutls_pem_base64_encode_alloc()
3764 and gnutls_pem_base64_decode_alloc(). In the default case
3765 were the gnutls library is used with malloc/realloc/free,
3766 these are binary compatible.
3768 * Version 0.5.11 (2002-11-05)
3769 - Some fixes in 'gnutls-cli' client program to prevent some segmentation
3771 - Example programs found in the documentation can now be generated by
3772 running "make examples" in doc/tex directory.
3773 - Added more descriptive error strings, to gnutls_strerror().
3774 - Documented error codes, and the function reference list is now sorted.
3775 - Optimized buffering code.
3776 - gnutls_x509_extract_certificate_dn_string() was rewritten.
3777 - Added GNUTLS_E_SHORT_MEMORY_BUFFER error code, which is returned in the
3778 case where the memory buffer provided is not long enough.
3779 - Depends on the new OpenCDK 0.3.2.
3781 * Version 0.5.10 (2002-10-13)
3782 - Updated documentation.
3783 - Added server name extension. This allows clients to specify the
3784 name of the server they connect to. Useful to HTTPS.
3785 - Several corrections in the code base, mostly in signed/unsigned,
3788 * Version 0.5.9 (2002-10-10)
3789 - Corrected some code which worked fine in gcc 3.2, but not with any
3791 - Updated 'gnutls-cli' with the '--starttls' option, to allow testing
3792 starttls implementations.
3793 - Added gnutls_x509_extract_key_pk_algorithm() function which extracts
3794 the private key type, of a DER encoded key.
3795 - Added gnutls_x509_extract_certificate_dn_string() which returns the
3796 certificate's distinguished name in a single string.
3797 - Added gnutls_set_default_priority() and gnutls_set_default_export_priority()
3798 functions, to avoid calling all the *_priority() functions if the defaults
3800 - Added int gnutls_x509_check_certificates_hostname() which check whether
3801 the given hostname matches the owner of the given X.509 certificate.
3803 * Version 0.5.8 (2002-09-25)
3804 - Updated documentation.
3805 - Added gnutls_record_get_direction() which replaces the obsolete
3806 gnutls_handshake_get_direction().
3807 - Added function to convert error codes to alert descriptions
3808 - Added LZO compression
3810 * Version 0.5.7 (2002-09-11)
3811 - Some fixes in the memory allocation functions (realloc).
3812 - Improved the string functions used in XML certificate generation.
3813 - Removed dependency on libgdbm.
3814 - Corrected bug in gnutls_dh_params_set() which affected
3815 gnutls_dh_params_deinit().
3816 - Corrected bug in session resuming code in server side.
3818 * Version 0.5.6 (2002-09-06)
3819 - Corrected bugs in SRP implementation, which prevented gnutls
3820 to interoperate with other implementations. (interoperability testing
3821 was done by David Taylor)
3822 - Corrected bug in cert_type extension.
3823 - Corrected extension type checks which used an 8 bit extension size,
3825 - Added versioning in the XML output of certificate functions.
3826 - Removed the X.509 test suite.
3828 * Version 0.5.5 (2002-09-03)
3829 - Updated the SRP implementation to the latest draft. The blowfish
3830 crypt implementation was removed, since the new draft does not allow
3831 other hash algorithms except for the srpsha.
3832 - Renamed all the constructed types in order to have more consistent
3834 - Improved the certificate and key read functions. Now they can read
3835 the certificate and the private key from the same file.
3836 - Updated and corrected documentation.
3838 * Version 0.5.4 (2002-08-27)
3839 - Fixes in TLS 1.0 PRF and SSL3 random functions.
3840 - gnutls_handshake_set_exportable_detection() was obsoleted.
3841 - Added gnutls_openpgp_extract_key_id() which returns the key ID.
3842 - Corrected bug in DHE key exchange
3843 - Added support for temporary RSA keys which are needed for the
3844 export cipher suites.
3845 - Added the TLS_RSA_EXPORT_ARCFOUR_40_MD5 ciphersuite.
3847 * Version 0.5.3 (2002-08-23)
3848 - No changes. Replaces the tarball of 0.5.2 which accidentally contained
3849 code from the unstable branch.
3851 * Version 0.5.2 (2002-08-22)
3852 - Added an error code that is returned in clients which connect
3853 to export only servers. This must be enabled using the
3854 gnutls_handshake_set_exportable_detection() function.
3855 - Updated openssl compatibility layer.
3856 - Added gnutls_handshake_get_direction() function which returns
3857 the state of the handshake when interrupted.
3859 * Version 0.5.1 (2002-07-17)
3860 - Corrected the m4 macros which used <gnutls.h> instead of
3862 - Documentation fixes
3863 - Added gnutls_transport_set_ptr2() function, which accepts two
3864 different pointers, to be used while receiving, and
3866 - Semantic changes in gnutls_record_set_max_size(). The requested
3867 size is now immediately enforced at the output buffers.
3868 - gnutls_global_init_extra() now fails if the library versions do
3870 - Fixes in client and server example programs. Null encryption can
3871 be used in these programs, to assist in debuging.
3872 - Fixes in zlib compression code.
3874 * Version 0.5.0 (2002-07-06)
3875 - Added X.509 certificate tests in tests/ directory
3876 - Removed stubs for SRP and Anonymous authentication. They served
3877 no purpose since they are always included, unless it was requested
3879 - Added gnutls_handshake_set_private_extensions() function. This
3880 function can be used to enable private (gnutls specific) cipher suites
3881 and compression algorithms.
3882 - Added check for C99 macro support by the compiler.
3883 - Added functions gnutls_b64_encode_fmt2() and gnutls_b64_decode_fmt2()
3884 - Added the new libtasn1 library.
3885 - Removed the gdbm backend. Applications are now responsible for the
3886 session resuming backend. The gnutls-serv application contains an
3887 simple example on how to use gdbm for resuming.
3888 - Headers for the gnutls library are now installed in $(includedir)/gnutls
3889 - Added an OpenSSL compatible interface (with some limitations).
3890 - Added functions to convert DER encoded certificates to XML format.
3892 * Version 0.4.4 (2002-06-24)
3893 - Corrected bug in PKCS-1 RSA encryption which prevented gnutls to encrypt
3894 using keys of some specific size.
3896 * Version 0.4.3 (2002-05-23)
3897 - The gnutls-extra library now compiles fine, if the opencdk library is
3899 - Several bug fixes.
3900 - Added gnutls_global_set_mem_func() function, to set the memory allocation
3901 functions, if other than the defaults are to be used.
3902 - The default memory allocation functions are now the ones in libc.
3904 * Version 0.4.2 (2002-05-21)
3905 - Separated ASN.1 structures parser documentation and TLS library
3907 - Added gnutls_handshake_set_rsa_pms() function, which disables the
3908 version check in RSA premaster secret.
3909 - Added gnutls_session_is_resumed() function, which reports if a session
3911 - Added gnutls_state_set_ptr() and gnutls_state_get_ptr() functions, to
3912 assist in callback functions.
3913 - Replaced the included 1024 bit prime for Diffie Hellman, with a new
3915 - Relicensed the library under the GNU Lesser General Public License
3916 - Added gnutls-extra library which contains the GPL covered code of gnutls.
3918 * Version 0.4.1 (2002-04-07)
3919 - Now uses alloca() for temporary variables
3920 - Optimized RSA signing
3921 - Added functions to return the peer's certificate activation and
3923 - Corrected time function's behaviour (the time value returned no longer
3924 relate to local timezone).
3926 * Version 0.4.0 (2002-04-01)
3927 - Added support for RFC2630 (PKCS7) X.509 certificate sets
3928 - Added new functions: gnutls_x509_extract_certificate_pk_algorithm(),
3929 gnutls_openpgp_extract_key_pk_algorithm().
3930 - Several optimizations in the Handshake protocol
3931 - Several optimizations in RSA algorithm
3932 - Unified the return values because of small buffers.
3934 * Version 0.3.92 (2002-03-23)
3935 - Updated documentation
3936 - Combined error codes of ASN.1 parser and gnutls
3937 - Removed GNUTLS_CERT_TRUSTED from the CertificateStatus enumeration
3938 - Added protection against CBC chosen plaintext attack (disabled by default)
3939 - Improved and optimized compression support
3941 * Version 0.3.91 (2002-03-03)
3942 - Added gnutls-cli-debug program
3943 - Corrections in session resumption
3944 - Rehandshake can now handle negotiation of different authentication
3946 - gnutls-cli, gnutls-serv, gnutls-srpcrypt and gnutls-cli-debug are
3947 now being installed.
3949 * Version 0.3.90 (2002-02-24)
3950 - Handshake messages are not kept in memory any more. Now we use
3951 less memory during a handshake
3952 - Added support for certificates with DSA parameters
3953 - Added DHE_DSS cipher suites
3954 - Key exchange methods changed so they do not depend on the
3955 certificate type. Added certificate type negotiation TLS extension.
3956 - Added openpgp key support (EXPERIMENTAL)
3957 - Improved Diffie Hellman key exchange support.
3958 - Bug fixes in the RSA key exchange.
3959 - Added check for the requested TLS extensions
3960 - TLS extensions now use a 16 bit type field.
3961 - Added a minimal string library to assist in ASN.1 parsing
3962 - Changes in ASN.1 parser to work with the new bison
3963 - Added gnutls_x509_extract_subject_alt_name(), which deprecates
3964 gnutls_x509_extract_subject_dns_name()
3965 - gnutls_x509_set_trust_(file/mem) can now be called multiple times
3966 - gnutls_srp_server_set_cred_file() can now be called multiple times
3968 * Version 0.3.5 (2002-01-25)
3969 - Corrected the RSA key exchange method, to avoid attacks against
3972 * Version 0.3.4 (2002-01-20)
3973 - Corrected bugs in DHE_RSA key exchange method
3975 * Version 0.3.3 (2002-01-19)
3976 - Added gnutls_x509pki_verify_certificate()
3977 - Added gnutls_x509pki_set_trust_mem() and gnutls_x509pki_set_key_mem()
3978 - Bug fixes in srpcrypt (based on patch by Marc Huber)
3979 - Bug fixes in the Handshake protocol (based on patch by Guillaume Morin)
3980 - Corrected library versioning
3982 * Version 0.3.2 (2002-01-05)
3983 - Corrected bug which did not allow a client to accept multiple CA names
3984 - Added gnutls_fingerprint()
3985 - Added gnutls_x509pki_extract_certificate_serial()
3986 - Added gnutls_b64_encode_fmt() and gnutls_b64_decode_fmt()
3987 - Corrected behaviour in version advertizing
3988 - Updated documentation
3989 - Prefixed all types in gnutls.h with 'GNUTLS_' to avoid namespace collisions
3991 * Version 0.3.1 (2001-12-21)
3992 - Corrections in the configuration files
3993 - Fixes a bug in anonymous authentication
3995 * Version 0.3.0 (2001-12-17)
3996 - Corrected bug in new integer formatting (now we use the old format again)
3997 - Several corrections and usual cleanups
3999 * Version 0.2.91 (2001-12-10)
4000 - Fixes in MPI handling (fixes possible bug with signed integers)
4001 - Removed name indication extension
4002 - Added gnutls_transport_get_ptr() and gnutls_db_get_ptr()
4003 - Optimizations in server certificate callback.
4004 - Fixes in anonymous authentication
4005 - Corrections in client ciphersuite selection
4007 * Version 0.2.90 (2001-12-07)
4008 - gnutls_handshake(), gnutls_read() etc. functions no longer require
4009 the 'SOCKET cd' argument. This argument is set using the function
4010 gnutls_set_transport_ptr().
4011 - introduced gnutls_x509pki_get_peer_certificate_list(). This function returns
4012 a list containing peer's certificate and issuers DER encoded.
4013 - Updated X.509 certificate handling API
4014 - Added callback to select the server certificate
4015 - More consistent function naming (changes in several function names)
4016 - Buffer overflow checking in ASN.1 structures parser
4017 - Updated documentation
4019 * Version 0.2.11 (2001-11-16)
4020 - Changed the meaning of GNUTLS_E_REHANDSHAKE value. If this value
4021 is returned, then the caller should perform a handshake or send
4022 an alert to the peer.
4023 - Made receive buffer dynamic. Normally if no large chunks are received
4024 it occupies less space.
4025 - Added max_record_size extension
4026 - Bugfixes in session handling
4027 - Improved non blocking IO support in the Handshake Protocol
4028 - Usual bugfixes and cleanups
4029 - Documentation updated (includes ASN.1 documentation)
4031 * Version 0.2.10 (2001-11-05)
4032 - Corrected bugs and improved non blocking IO
4033 - Added hooks to use external database to store sessions
4036 * Version 0.2.9 (2001-10-27)
4037 - AUTH_INFO types and structures were moved to library internals
4038 - AUTH_FAILED is no longer returned in SRP authentication
4039 (any fatal error in SRP means auth failed)
4040 - Introduced GNUTLS_E_INTERRUPTED
4041 - Added support for non blocking IO
4042 - gnutls_recv() and gnutls_send() are now obsolete
4043 - Changed semantics of gnutls_rehandshake()
4045 * Version 0.2.4 (2001-10-12)
4046 - Better handling of X.509 certificate extensions
4047 - Added DHE_RSA ciphersuites
4048 - Updated the Name Indication (dnsname) extension
4049 - Improvements in Diffie Hellman primes handling
4051 * Version 0.2.3 (2001-09-19)
4052 - Memory optimizations in gnutls_recv()
4053 - Fixed several memory leaks
4054 - Added ability to specify callback for x509 client certificate selection
4055 - Better documentation
4057 * Version 0.2.2 (2001-08-21)
4058 - Several bugfixes (library and documentation)
4060 * Version 0.2.1 (2001-08-07)
4063 * Version 0.2.0 (2001-08-07)
4064 - Partial support for X.509v3 Certificate extensions.
4065 - Added Internal memory handlers
4066 - Removed gnutls_x509_set_cn()
4067 - Added X.509 client authentication
4068 - Several bug fixes and protocol fixes
4070 * Version 0.1.9 (2001-07-30)
4071 - Corrected bug(s) in ChangeCipherSpec packet (fixes renegotiate)
4072 - SRP is updated to conform to the newest draft.
4073 - Added support for DNSNAME extension.
4074 - Reentracy fixes in ASN.1 Parsing.
4075 - Optimizations in hash/hmac functions
4076 - (Error) message handling has changed
4077 - Better Protocol Version handling
4078 - Added X.509 Certificate Verification
4079 - gnutls_read() semantics are now closer to read(2) - added EOF
4080 - Documented some part of gnutls in doc/tex/ using Latex
4082 * Version 0.1.4 (2001-06-22)
4083 - Corrected (srp) base64 encoding.
4084 - Changed bcrypt algorithm to include username.
4085 - Added RSA Ciphersuites (no certificate checking).
4086 - Fixes in SSL 2.0 client hello parsing.
4087 - Added ASN.1 and DER parsers.
4088 - Bugfixes in session resuming
4089 - Updated Ciphersuite selection algorithm
4090 - Added internal representation of X.509 structures.
4091 - Added global state
4093 * Version 0.1.3 (2001-06-01)
4094 - Updated API (and the way it is documented - we use inline documentation)
4095 - Added function to access alert messages.
4096 - Added support for renegotiating parameters.
4097 - Better and Faster Resume Database handling.
4100 * Version 0.1.2 (2001-05-14)
4102 - Fixes in extension handling
4104 * Version 0.1.1 (2001-05-13)
4105 - Added compatibility with Stanford's libsrp library
4107 * Version 0.1.0 (2001-05-09)
4108 - Added SSL 2.0 client hello support
4109 - GNUTLS is a gnu library
4110 - Added support for TLS extensions.
4111 - Added support for SRP
4113 * Version 0.0.7 (2001-01-11)
4114 - Added server side session resuming (using gdbm)
4115 - Added twofish algorithm
4117 * Version 0.0.6 (2000-12-20)
4118 - Added client side session resuming
4119 - Better documentation (check doc/API)
4120 - Better socket handling (gnutls can be used with select())
4121 - Some primitive support for non blocking IO and socket options has been added.
4123 * Version 0.0.5 (2000-12-07)
4124 - Added Compression (using ZLIB)
4125 - Added SSL 3.0 support
4127 ----------------------------------------------------------------------
4128 Copying and distribution of this file, with or without modification,
4129 are permitted in any medium without royalty provided the copyright
4130 notice and this notice are preserved.