2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/key-tests/Makefile.am: tests:
	do not run key-tests and cert-tests under leak sanitizer
	The reason is that we cannot distinguish between a memory leak on
	application failure (which is followed by exit, thus should be
	ignored) and an address sanitizer issue (which should never be
	ignored).  As such we disable leak detection with asan and rely on
	valgrind.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/key-tests/Makefile.am: tests: added missing file

2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: Build and Check - separate build
	dir (x86): force build in gitlab shared runners
	In the Centos7 based runners there is an issue running autogen.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitignore, src/Makefile.am: tools: use stamp files to allow
	parallel build of autogen files
	Autogen seems to output to the created files gradually, something
	that makes 'make' believe that the command is complete prior to the
	output file being fully populated. The current approach uses stamp
	files to ensure that no incomplete files are used for compilation.

2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update [ci skip]

2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: 
	updated auto-generated files

2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, m4/hooks.m4: bumped version

2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update [ci skip]

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/read-packet.c: opencdk: added error checking in the
	stream reading functions
	This addresses an out of memory error. Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/pubkey.c: opencdk: cdk_pk_get_keyid: fix stack
	overflow
	Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/read-packet.c: opencdk: read_attribute: added more
	precise checks when reading stream
	That addresses heap read overflows found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-01  Alex Gaynor <alex.gaynor@gmail.com>

	* lib/opencdk/read-packet.c: Corrected a leak in OpenPGP sub-packet
	parsing.
	Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>

2016-12-30  Alex Gaynor <alex.gaynor@gmail.com>

	* lib/opencdk/read-packet.c: Attempt to fix a leak in OpenPGP cert
	parsing.

2016-12-26  Alex Gaynor <alex.gaynor@gmail.com>

	* lib/opencdk/read-packet.c: Do not infinite loop if an EOF occurs
	while skipping a PGP packet
	Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/misc.c: opencdk: Fixes to prevent undefined behavior
	(found with libubsan)

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/rsa.c: auth rsa: eliminated memory leak on pkcs-1
	formatting attack path
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-12-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify.c: pkcs11 verification: ensure that an issuer we
	retrieve is not blacklisted
	It may happen in p11-kit trust module that a trusted certificate is
	both in the trusted set, and the blacklisted set. To avoid accepting
	a certificate when in both sets, we always check whether a trusted
	issuer certificate is in the blacklisted set.

2016-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: improved error reporting on file error

2016-12-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update [ci skip]

2016-12-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509_ext.c: gnutls_x509_ext_import_proxy: fix issue
	reading the policy language
	If the language was set but the policy wasn't, that could lead to a
	double free, as the value returned to the user was freed.

2016-12-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* : commit 5ca126e1a5daf071ce690f28823fa97de6a7ae68 Author: Nikos
	Mavrogiannopoulos <nmav@redhat.com> Date:   Thu Dec 15 17:05:59 2016
	+0100

2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-12-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs8-key-decode-encrypted.c,
	tests/pkcs8-key-decode.c: tests: added test for PKCS#8 encrypted key
	decoding
	This also verifies that the return value when attempting to decrypt
	without a password is GNUTLS_E_DECRYPTION_FAILED.

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-tests/Makefile.am, tests/key-tests/pkcs8-invalid: tests:
	added test suite with PKCS#8 files that have invalid encryption

2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey_pkcs8.c: PKCS#7 decrypt_data: merge all errors
	during decryption to GNUTLS_E_DECRYPTION_FAILED

2016-12-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey_pkcs8.c: pkcs8: ensure that the correct error
	code is returned on decryption failure

2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: added sanity check
	on padding size
	Relates #148

2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: fail without leak
	on unknown MAC

2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey_pkcs8.c: PKCS#5,7 decryption: fail early on
	invalid block sizes

2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: PKCS#5,7
	decryption: enforce limits in the supported parameter sizes
	This allows detecting invalid parameters early rather than later.
	Relates #148

2016-12-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-07-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/tpmtool-args.def, src/tpmtool.c: tpmtool: Added --test-sign
	parameter

2016-12-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/tpmtool.c: compiler warnings elimination and other bug fixes

2015-06-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/tpmtool.c: tpmtool: added newline in error messages

2016-12-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, lib/Makefile.am, lib/abstract_int.h,
	lib/gnutls_errors.c, lib/gnutls_global.c, lib/gnutls_global.h,
	lib/gnutls_privkey.c, lib/includes/gnutls/gnutls.h.in, lib/tpm.c: 
	tpm: backported improvements from master branch
	 * Load libtspi dynamically using dlopen - prevents direct linking
	   with openssl
	 * Fix handling of keys requiring authorization
	 * In import_tpm_key_cb() fix the wrong password loop

2016-12-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def: doc: updated to documentation of certtool
	[ci skip]
	This corrects options which incorrectly mentioned they support URLs.

2016-12-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: Don't trash DER CRQ output with text data
	Backported patch from master.

2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testpkcs11: tests: backported test suite for p11tool
	--set-id and --set-label options

2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: 
	p11tool: added --set-id and --set-label options

2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
	lib/pkcs11_int.c, lib/pkcs11_int.h: added
	gnutls_pkcs11_obj_set_info()
	This function allows setting information such as the CKA_ID and the
	CKA_LABEL of an object.

2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testpkcs11: tests: check whether PKCS #11 ID set on
	copy/generation is correct

2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: 
	p11tool: allow setting the CKA_ID on object
	initialization/generation

2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/libgnutls.map: exported new functions

2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11:
	enhanced key generation functions to allow specifying a CKA_ID

2015-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11_write.c: enhanced copy
	functions to allow specifying a CKA_ID

2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs12_encr.c: pkcs12: fixed the calculation of p_size
	Include the trailing zero into the size calculation.

2016-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/pkcs12-decode/Makefile.am, tests/pkcs12-decode/pkcs12: 
	tests: added pkcs12 check with openssl generated structure and long
	password

2016-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs12_encr.c: pkcs12: fixed the calculation of p_size
	That affects passwords which exceed 32 characters.

2016-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/pk.c: _wrap_nettle_pk_verify: use FAIL_IF_LIB_ERROR
	prior to returning success
	This will prevent verification from succeeding if the system is in
	error state.

2016-11-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/signature.c, lib/gnutls_alert.c: Terminate handshake if
	only unknown or disabled signatures are advertised by the peer
	That is, do not attempt to proceed assuming that the peer supports
	SHA-1.

2016-10-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/status_request.c: certificate status request response
	is optional according to RFC6066

2016-10-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: allow setting key purposes for non-CA
	certificates
	That is, allow setting code signing, or time stamping key purpose in
	certificates that are not marked as CA. The previous restriction
	served no purpose.

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/multi-alerts.c: tests: added check to
	verify that the server will bail out after many alerts

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/naked-alerts.c: tests: added check to
	verify that the server will bail out after receiving only alerts

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-common.h: tests: backported the common certs from
	master

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: 
	handshake: set a maximum number of warning messages that can be
	received per handshake
	That is to avoid DoS due to the asymmetry of cost of sending an
	alert vs the cost of processing.

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_record.c: record: disallow parsing of alert messages
	prior to session start

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-common.c: certtool: improve text on missing options
	for cert generation

2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: avoid asking the security officer PIN twice
	on initialization

2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: improved messages on token initialization

2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: corrected check of PIN existence in token
	initialization

2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am: tests: link tests which utilize nettle with
	nettle

2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/manpages/Makefile.am: updated auto-generated
	files

2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_extensions.c: TLS extensions: only cache the extension
	IDs from exts that the server supports
	That avoids imposing any artificial limits on the number of
	extensions that a server can handle.
	Resolves #136

2016-10-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: added safety net when generating a
	certificate request
	That is, do not allow specifying --generate-request --load-pubkey
	without specifying --load-privkey. Previously if --load-pubkey would
	have been used, it would have been ignored, causing confusion to the
	users.

2016-09-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-09-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_handshake.c, lib/gnutls_int.h: Increased the maximum
	size allowed for handshake messages to 128kb
	This would allow the library to cope with larger packets, as well as
	TLS 1.3 hellos. Suggested by Hubert Kario.

2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_x509.c: gnutls_certificate_set_*key: ensure proper
	cleanup on key mismatch failures
	That is, ensure that we keep no local references that are shared
	with the caller, and that we properly free all initialized values.

2016-09-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-09-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system.c: _gnutls_ucs2_to_utf8: fixed use of
	WideCharToMultiByte in windows

2016-09-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/ocsptool.c: ocsptool: do not enter a spurious newline to
	responses.

2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/template-test,
	tests/cert-tests/template-unique.pem,
	tests/cert-tests/template-unique.tmpl: tests: verify that unique IDs
	are generated as expected

2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h,
	src/certtool.c: certtool: Allow writing unique IDs in generated
	certificates

2016-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, m4/hooks.m4: bumped version

2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/x509.h, lib/libgnutls.map,
	lib/x509/x509_write.c: Added gnutls_x509_crt_set_issuer_unique_id()
	and gnutls_x509_crt_set_subject_unique_id()

2016-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-09-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_pk.c: _gnutls_encode_ber_rs_raw: zero-pad values when
	necessary
	This addresses issue when encoding values obtained via PKCS#11 which
	may not be necessarily padded.
	Resolves #122

2016-09-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/template-test: tests: don't run overflow tests on
	archs which fail
	This addresses a CI failure on x86.

2016-09-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/hash-large.c: tests: backported hash-large from master

2016-09-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: use the gitlab.com shared runners
	Backported from master branch

2016-08-28  David Woodhouse <dwmw2@infradead.org>

	* lib/x509/pkcs12.c: gnutls_pkcs12_simple_parse: set the key value
	to null on failure

2016-08-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/ocsp.c: ocsp: corrected the comparison of the serial size
	in OCSP response
	Previously the OCSP certificate check wouldn't verify the serial
	length and could succeed in cases it shouldn't.
	Reported by Stefan Buehler.

2016-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/pkcs8-decode/Makefile.am, tests/pkcs8-decode/pkcs8,
	tests/pkcs8-decode/pkcs8-pbes2-sha256.pem: tests: added decoding of
	key with pbes2 and SHA256 PRF

2016-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, lib/algorithms.h, lib/algorithms/mac.c, lib/gnutls_int.h,
	lib/includes/gnutls/x509.h, lib/pkix.asn, lib/pkix_asn1_tab.c,
	lib/x509/Makefile.am, lib/x509/pbkdf2-sha1.c,
	lib/x509/pbkdf2-sha1.h, lib/x509/pkcs12.c,
	lib/x509/privkey_openssl.c, lib/x509/privkey_pkcs8.c,
	lib/x509/x509_int.h, tests/gc.c: Added support for decrypting PKCS#8
	files which use HMAC-SHA256 as PRF
	This backports nettle pbkdf2 support, and improves compatibility
	with new openssl versions.

2014-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs12.c: pkcs12: increased the number of iterations for
	MAC

2016-08-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-api.c: gnutls_key_generate: fail if the state of the
	library is invalid
	Suggested by Stephan Mueller.

2016-08-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-08-08  Stefan Sørensen <stefan.sorensen@spectralink.com>

	* lib/x509/pkcs12.c: Fix gnutls_pkcs12_simple_parse to always
	extract the complete chain
	gnutls_pkcs12_simple_parse was only collecting extra certificates
	that were possible elements of the certificate chain when the
	extra_certs argument was not NULL. Fix by always collecting all the
	certificates; any unneeded certificates are released before
	returning if extra_certs is NULL anyway.
	Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>

2016-08-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/pk.c: nettle: use rsa_*_key_prepare on key import
	Previously we calculated the size of the key directly, but by using
	the rsa_*_key_prepare we benefit from any checks that may be
	introduced in the future. Specifically any checks for invalid public
	keys (e.g., keys that may crash the underlying gmp functions).
	This patch avoids calling rsa_private_key_prepare every time we
	construct a nettle private key struct, because this function
	requires a bigint multiplication. We call that function once on
	private key import.

2016-08-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/pk.c: Revert "nettle: use rsa_*_key_prepare"
	This reverts commit a2c3ee54ea8080eeb59fcfeec88a842324982c90.

2016-08-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/pk.c: nettle: use rsa_*_key_prepare
	Previously we calculated the size of the key directly, but by using
	the rsa_*_key_prepare we benefit from any checks that may be
	introduced in the future. Specifically any checks for invalid public
	keys (e.g., keys that may crash the underlying gmp functions).

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-07-09  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/x509/x509.c: gnutls_x509_crt_list_import2 was ignoring the
	passed flags if all certificates in the list fit within the
	initially allocated memory.

2016-07-09  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/x509/crl.c: gnutls_x509_crl_list_import2 was ignoring the
	passed flags if all CTLs in the list fit within the initially
	allocated memory.

2016-07-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/minitasn1/coding.c, lib/minitasn1/decoding.c,
	lib/minitasn1/element.c, lib/minitasn1/element.h,
	lib/minitasn1/int.h, lib/minitasn1/libtasn1.h,
	lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h,
	lib/minitasn1/structure.c: minitasn1: updated to libtasn1 4.9

2016-07-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: NEWS: corrected release date [ci skip]

2016-07-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: released 3.3.24

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure: check for libdl irrespective of FIPS140
	configuration
	This allows linking to libdl for the tests that require it.

2016-07-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, m4/hooks.m4: bumped version

2016-07-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* libdane/errors.c, libdane/includes/gnutls/dane.h: dane: corrected
	the license of libdane files
	The license was always LGPL version 2.1, and these files mentioned
	LGPL version 3. Reported by Thomas Petazzoni.

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: account pkcs11/pkcs11-mock-ext.h in
	Makefile

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: link pkcs11-import-url-privkey with
	libdl
	That is because it uses dlopen().

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs11/pkcs11-import-url-privkey.c,
	tests/pkcs11/pkcs11-mock-ext.h, tests/pkcs11/pkcs11-mock.c: tests:
	added check to verify the tolerance of broken C_GetAttributes
	That is, test gnutls_pkcs11_obj_list_import_url4() when importing
	private keys from tokens that return CKR_OK on sensitive objects,
	and tokens that return CKR_ATTRIBUTE_SENSITIVE.
	Relates #108

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_int.c: pkcs11_get_attribute_avalue: correctly handle a
	-1 value length from C_GetAttributeValue
	That is, work-around modules which do not return an error on
	sensitive objects.
	Relates #108

2016-06-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-06-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11_int.c: pkcs11_get_attribute_avalue: do not assign
	values on failure
	When C_GetAttributeValue() returns size but does not return data
	then pkcs11_get_attribute_avalue() would set the return data pointer
	to a free'd value. This is against the convention expected by
	callers, i.e., set data to NULL. Reported by Anthony Alba in #108.

2016-06-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testpkcs11, tests/suite/testpkcs11.softhsm: tests:
	updated testpkcs11 to support softhsmv2

2016-06-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/{suite => pkcs11}/pkcs11-chainverify.c,
	tests/{suite => pkcs11}/pkcs11-combo.c, tests/{suite =>
	pkcs11}/pkcs11-get-issuer.c, tests/{suite =>
	pkcs11}/pkcs11-is-known.c, tests/{suite => pkcs11}/softhsm.h,
	tests/suite/Makefile.am: tests: moved pkcs11 tests to main test
	suite

2016-06-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/pkcs11-is-known.c: tests: backported pkcs11-is-known
	from master

2016-06-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: gnutls_pkcs11_crt_is_known: always assume
	GNUTLS_PKCS11_OBJ_FLAG_COMPARE unless
	GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is given

2016-06-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: find_cert_cb: minor cleanups in find_cert_cb

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c,
	tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c,
	tests/suite/softhsm.h: tests: backported the softhsmv2 pkcs11 checks
	from 3.4.0

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: correctly encode the serial number when
	searching for certificate
	In gnutls_pkcs11_crt_is_known() corrected the encoding of the serial
	number to TLV DER from LV DER. This is the encoding we use when
	storing that number.

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: correctly account check_found_cert()

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_write.c: Amended "Corrected the writing of serial
	number in PKCS#11 modules"
	This corrects the writing of the serial number.

2016-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_buffers.c: dtls: corrected reconstruction of handshake
	packets received out of order
	That is, when the handshake packet is split into multiple different
	chunks and received out of order, make sure that reconstruction
	occurs properly. Reported by Guillaume Roguez.

2016-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_write.c: Corrected the writing of serial number in
	PKCS#11 modules
	That is, previously the serial number was written in raw format, but
	in PKCS#11 the serial number must be set encoded as integer. Report
	and fix by Stanislav Zidek.

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_privkey.c: pkcs11: when generating a private key ensure
	the public key is not private
	This is a backport from the 3.4.x branch.

2016-05-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/x86-common.c: x86-common: use secure_getenv()

2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure.ac: check for secure_getenv where
	available and always enable system extensions

2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/fips.c, lib/gnutls_global.c, lib/gnutls_mem.h, lib/system.c: 
	env: use secure_getenv when reading environment variables

2016-05-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: added sanity check to find_obj_url_cb() for
	object validity
	Also avoid unnecessary recursion.

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/eagain, tests/suite/testsrn: tests: use /bin/bash in
	tests which require common.sh

2016-05-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/Makefile.am, tests/suite/testcompat,
	tests/suite/testcompat-common, tests/suite/testcompat-main: tests:
	backported full openssl suite from master
	Removed the priority strings not applicable in 3.3.x.

2016-05-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dsa/testdsa, tests/openpgp-certs/testcerts,
	tests/scripts/common.sh, tests/suite/eagain,
	tests/suite/mini-eagain2.c, tests/suite/testcompat-main,
	tests/suite/testsrn: tests: simplified server launching process
	Also attempt to use a new port on every started server and added a
	waiting period for the port to become re-usable.

2016-05-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/version-checks.c: added check for the VERS-ALL priority
	keyword

2016-05-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_priority.c: gnutls_priority_init: recognize the
	VERS-ALL keyword
	This keyword is identical to VERS-TLS-ALL, but it will allow
	re-using priority strings from 3.4.x+ in this branch of gnutls.

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: do not use pkglib to generate
	libpkcs11mock1.so
	This resulted in the test library being installed. Instead we use
	noinst for the library, but pass -rpath to LDFLAGS as a hack to
	force libtool to generate the shared version.

2016-05-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, configure.ac, m4/hooks.m4: released 3.3.23

2016-05-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c, src/socket.c, src/socket.h: gnutls-cli: allow operation
	with stdin input
	That is, once commands from stdin are given, they are not only sent
	to server, but we also wait for a response prior to exiting.
	Resolves #96

2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c: gnutls-cli: corrected check for OCSP verification
	success

2016-01-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_global.c: gnutls_global_init: log gnutls' version on
	initialization

2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-server-name.c: tests: backported
	server name checks

2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/server_name.c: server_name: only save the supported server
	names in the session
	Invalid server names with embedded nulls and unsupported types are
	not saved.

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_x509.c: cert cred: add the CN to the list of known
	hostnames only if no dns_names
	That is, follow rfc6125 and support CN as a fallback only.

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_x509.c: gnutls_certificate_set_key: import the DNS
	names of the certificates
	That is, only when no (NULL) names are provided.

2016-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/pkcs11/pkcs11-cert-import-url-exts.c,
	tests/pkcs11/pkcs11-get-exts.c,
	tests/pkcs11/pkcs11-get-raw-issuer-exts.c: Revert "tests: ignore
	failure to load pkcs11 mock provider"
	This reverts commit ae40598e5597b1b1f01a7e55d35b5f476d7d19d7.

2016-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, tests/Makefile.am: tests: don't run pkcs11 mock
	module tests under buggy p11-kit

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/pkcs11/pkcs11-cert-import-url-exts.c,
	tests/pkcs11/pkcs11-get-exts.c,
	tests/pkcs11/pkcs11-get-raw-issuer-exts.c: tests: ignore failure to
	load pkcs11 mock provider
	GnuTLS 3.3.x can work with old versions of p11-kit which do not have
	the necessary fixes to load absolute paths.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/gnettle.h: Fixed _NETTLE_UPDATE macro
	The macro was not using the input parameters but rather the actual
	variable name from the function (which was identical to input).
	Patch by Stanislav Zidek.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_x509.c: gnutls_certificate_set_key: duplicate the
	provided memory
	That is, do not assume that a heap allocated value is provided.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs11/pkcs11-cert-import-url-exts.c,
	tests/pkcs11/pkcs11-get-exts.c,
	tests/pkcs11/pkcs11-get-raw-issuer-exts.c,
	tests/pkcs11/pkcs11-mock.c, tests/pkcs11/pkcs11-mock.h: tests: added
	a basic PKCS#11 mock module
	This is used to test gnutls_pkcs11_obj_get_exts(),
	gnutls_x509_crt_import_url(), and gnutls_pkcs11_get_raw_issuer()
	with the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: find_cert_cb: do not use C_FindObjectsInit()
	when another is already running
	While some modules implicitly terminated the previous run, this is
	not something that PKCS#11 modules are expected to typically do.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: the flag
	GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be respected by
	imported certificates
	That is, certificates imported with gnutls_pkcs11_obj_import_url()
	or gnutls_x509_crt_import_url() will be able to be extracted with
	their extensions overridden. Previously that was available only on
	gnutls_pkcs11_get_raw_issuer() and friends.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11x.c: pkcs11: find_ext_cb: eliminated memory leak

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11x.c: gnutls_pkcs11_obj_get_exts: updated documentation
	[ci skip]

2016-04-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_privkey_raw.c: corrected import issue in
	gnutls_privkey_import_ecc_raw

2016-04-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/privkey.c: x509/privkey: in raw import functions set the
	parameter's algorithm type

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dane.c: tests: enhanced dane testing with offline
	verification checks

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* libdane/dane.c: dane: verification will not fail if a CA entry is
	encountered but cannot be verified
	That addresses the issue of verifying a single certificate against a
	list of TLSA entries that contain an entry with CA usage (cert usage
	0). With the previous behavior verification would have failed, while
	now this entry will be skipped.

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_cert.c, libdane/dane.c: doc: improved documentation on
	certificate and DANE verification functions

2016-04-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/pk.c: _wrap_nettle_pk_derive: reject values of public
	key that are over the prime
	That is, do not canonicalise the value we get from the network, but
	rather check it for validity. This saves a modular reduction on
	handshake and performs a sanity check on the peer's (client)
	parameters.  Reported by Hubert Kario.  Resolves #84

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_sig.c: handshake: do not overwrite the server's
	signature algorithm
	That is, correct a bug under which a client sending a certificate
	would overwrite the server's idea about the used signature
	algorithm.  Reported by Hubert Kario.

2016-04-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp.c: gnutls_ocsp_resp_get_single: fail if thisUpdate
	is not available or unparsable
	That is because this field is not optional, and a failure on its
	parsing is always fatal. Reported by Yuan Jochen Kang.

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/ocsp_output.c, lib/x509/output.c: x509 output: don't warn
	about insecure algorithm when unknown

2016-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkix.asn, lib/pkix_asn1_tab.c: pkix.asn: corrected byKey
	definition
	OCSP is defined in an EXPLICIT tags module, and as such we must tag
	explicitly all of its tags.

2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/name_constraints.c: name constraints: enforce the rules
	for IP constraints when adding
	This will prevent gnutls from generating badly formed certificates.

2016-04-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-04-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/ocsptool-common.c: ocsptool: use HTTP/1.0 for requests
	This avoids an issue with servers serving chunk encoding which ocsptool
	doesn't support. Reported by Thomas Klute.

2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509/output: simplified cidr_to_string()

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509/output: print RFC5280 CIDRs in name
	constraints

2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system.c: system_recv_timeout(): verify that the file
	descriptor is acceptable for select()

2016-03-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-03-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/template-nc.pem: tests: template-test was updated
	for OCSP key purpose reordering

2016-03-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: do not require a CA for OCSP signing
	This follows the recommendations in RFC6960 in 4.2.2.2 which allow a
	CA to delegate OCSP signing to another certificate without requiring
	it to be a CA.  Reported by Thomas Klute.

2016-03-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/accelerated/x86/x86-common.c: x86-common: CPUID override will
	only work if the CPU already has the capability present
	This resolves a test suite failure on CPUs with limited capabilities.
	Reported by Andreas Metzler.

2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>
