Updated: {gnutls/libgnutls26/libgnutls-devel}-2.12.11-1: Library implementing TLS 1.0 and SSL 3.0 protocols

dr.volker.zell@oracle.com dr.volker.zell@oracle.com
Fri Oct 21 13:59:00 GMT 2011


New versions of 'gnutls/libgnutls26/libgnutls-devel' have been uploaded to a server near you.

 o Update to latest upstream version
 o Build for cygwin 1.7.9 with gcc-4.5.3

gnutls NEWS:
Version 2.12.11 (released 2011-09-18)

** libgnutls: Memory leak fixes in credentials private key 
deinitialization. Reported by Dan Winship.

** libgnutls: Allow CA importing of 0 certificates to succeed.
Reported by Jonathan Nieder <jrnieder@gmail.com> in

** API and ABI modifications:
No changes since last version.

* Version 2.12.10 (released 2011-09-01)

** libgnutls: OpenPGP certificate type is not enabled
by default.

** libgnutls: Corrected issue in gnutls_record_recv()
triggered on encryption or compression error.

** libgnutls: Corrected parsing of XMPP subject alternative 

** libgnutls: gnutls_certificate_set_x509_key() and
gnutls_certificate_set_openpgp_key() operate as in 2.10.x
and allow the release of the private key during the
lifetime of the certificate structure.

** API and ABI modifications:
GNUTLS_PRIVKEY_IMPORT_COPY: new gnutls_privkey_import() flag

* Version 2.12.9 (released 2011-08-21)

** libgnutls-extra: Replaced enumeration with unsigned
int, in openssl.h to make it identical to the 3.0.0 version.
This shouldn't introduce binary incompatibility.

** libgnutls: When asking for a PIN multiple times, the
flags in the callback were not being updated to reflect
for PIN low count or final try.

** API and ABI modifications:
GNUTLS_PKCS11_PIN_WRONG: New flag for PIN callback

* Version 2.12.8 (released 2011-08-08)

** libgnutls: PKCS #11 back-end was replaced by p11-kit
http://p11-glue.freedesktop.org/p11-kit.html. This backports
the 3.0.0 PKCS #11 back-end. Rewrite by Stef Walter.

** libgnutls: gcrypt: replaced occurences of gcry_sexp_nth_mpi (..., 0)
with gcry_sexp_nth_mpi (..., GCRYMPI_FMT_USG) to fix errors with 1.5.0.
Patch by Andreas Metzler.

** libgnutls: Verify that a certificate list specified
using gnutls_certificate_set_x509_key*(), is sorted
according to TLS specification (from subject to issuer).

** libgnutls: Added GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED flag for
gnutls_x509_crt_list_import. It checks whether the list to be 
imported is properly sorted.

** libgnutls: writev_emu: stop on the first incomplete write. Patch by
Sjoerd Simons.

** libgnutls: Fix zlib handling in gnutls.pc. Patch by Andreas

** certtool: bug fixes in certificate request generation. Patch
by Petr Písař.

** API and ABI modifications:
GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED: New element in gnutls_certificate_import_flags

* Version 2.12.7 (released 2011-06-18)

** p11tool: Require login as security officer if --trusted option is
provided. Reported by Rickard Bellgrim.

** libgnutls: The CKA_SUBJECT field is specified when copying certificates
in PKCS #11 smart-cards. Patch by Rickard Bellgrim.

** libgnutls: Write label when writing private keys in PKCS #11 tokens.
Reported by Rickard Bellgrim.

** libgnutls: Accept CKR_USER_ALREADY_LOGGED_IN as a valid error code
when logging in to PKCS #11 tokens.

** API and ABI modifications:
No changes since last version.

* Version 2.12.6 (released 2011-06-4)

** libgnutls: Allow usage of DSA signatures with truncated hash.
Following: http://tools.ietf.org/html/draft-mavrogiannopoulos-tls-dss-00

** libgnutls: Prevent the usage of write() and friends when no data
are to be sent.

** libgnutls: Correctly set compression method when resuming sessions.
Reported by Dash Shendy.

** libgnutls: gnutls_pubkey_get_pk_dsa_raw() and gnutls_pubkey_get_pk_rsa_raw
add leading zeros to the exported values.

** libgnutls: Added gnutls_global_set_time_function() to allow overriding the
default system time() function.

** API and ABI modifications:
gnutls_global_set_time_function: ADDED

* Version 2.12.5 (released 2011-05-14)

** certtool: Can now load private keys and public keys from PKCS #11 tokens
via URLs.

** libgnutls: PKCS #11 URLs conform to the latest draft
being http://tools.ietf.org/html/draft-pechanec-pkcs11uri-04.

** libgnutls: gnutls_pkcs11_privkey_import_url() will now correctly read
the public key algorithm of the key.

** libgnutls: Added gnutls_x509_crq_verify() to allow
verification of the self signature in a certificate request.
This allows verifying whether the owner of the private key
is the generator of the request.

** libgnutls: gnutls_x509_crt_set_crq() implicitly verifies
the self signature of the request.

** API and ABI modifications:
gnutls_x509_crq_verify: ADDED

* Version 2.12.4 (released 2011-05-06)

** libgnutls: Added gnutls_certificate_get_issuer() to
compensate for the deprecated gnutls_certificate_get_x509_cas().

** libgnutls: Limited allowed wildcards to gnutls_x509_crt_check_hostname()
to prevent denial of service attacks. Reported by Kalle Olavi Niemitalo.

** guile: Fix tests to match the `exit' behavior introduced in Guile 2.0.1.
This fix makes tests behave correctly wrt. to the Guile bug fix at

** API and ABI modifications:
gnutls_certificate_get_issuer: ADDED

* Version 2.12.3 (released 2011-04-22)

* libgnutls: Several minor bugfixes.

* libgnutls: Restored HMAC-MD5 for compatibility. Although considered 
weak, several sites require it for connection. It is enabled for
"NORMAL" and "PERFORMANCE" priority strings.

* libgnutls: depend on libdl.

* libgnutls: gnutls_transport_set_global_errno() was deprecated.
Use your system's errno fascility or gnutls_transport_set_errno().

* gnutls-cli: Correction with usage of select to check for
pending data in gnutls sessions. It now uses gnutls_record_check_pending().
Reported by Herbert J. Skuhra.

* tests: More fixes and updates for win32. Patches by LRN.

* libgnutls: Several files unnecessarily included <gcrypt.h>; this has been fixed.

** API and ABI modifications:
gnutls_transport_set_global_errno: DEPRECATED

* Version 2.12.2 (released 2011-04-08)

** libgnutls: Several updates and fixes for win32. Patches by LRN.

** libgnutls: Several bug and memory leak fixes.

** srptool: Accepts the -d option to enable debugging.

** libgnutls: Corrected bug in gnutls_srp_verifier() that prevented
the allocation of a verifier. Reported by Andrew Wiseman.

** API and ABI modifications:
No changes since last version.

* Version 2.12.1 (released 2011-04-02)

** certtool: Generated certificate request with stricter permissions.
Reported by Luca Capello.

** libgnutls: Bug fixes in opencdk code. Reported by Vitaly Kruglikov.

** libgnutls: Corrected windows system_errno() function prototype.

** libgnutls: C++ compatibility fix for compat.h. Reported by Mark Brand.

** libgnutls: Fix size of gnutls_openpgp_keyid_t by using the
GNUTLS_OPENPGP_KEYID_SIZE definition. Reported by Andreas Metzler.

** API and ABI modifications:
No changes since last version.

* Version 2.12.0 (released 2011-03-24)

** certtool: Warns on generation of DSA keys of over 1024 bits, about
the incompatibility with TLS other than 1.2.

** libgnutls: Modified signature algorithm selection in client
certificate request, to avoid failures in DSA certificates.

** libgnutls: Instead of failing with internal error, return 
key with the negotiated protocol is encountered.

** libgnutls: Bug fixes in the RSA ciphersuite behavior with openpgp keys.

** libgnutls: Force state update when fork is detected in the nettle

** libgnutls: modified gnutls_pubkey_import_openpgp() to use the preferred
subkey instead of setting explicitly one.

** libgnutls: Corrected default behavior in record version of Client Hellos.

** libgnutls-openssl: modified to use modern gnutls' functions.
This introduces an ABI incompatibility with previous versions.

** API and ABI modifications:
gnutls_pubkey_import_openpgp: MODIFIED

* Version 2.11.7 (released 2011-03-09)

** libgnutls: Corrected signature generation and verification
in the Certificate Verify message when in TLS 1.2. Reported
by Todd A. Ouska.

** libgnutls: Corrected issue in DHE-PSK ciphersuites that ignored
the PSK callback.

** libgnutls: SRP and PSK are no longer set on the default priorities. 
They have to be explicitly set.

** libgnutls: During handshake message verification using DSS
use the hash algorithm required by it.

** libgnutls: gnutls_x509_privkey_sign_hash() is deprecated.
Use gnutls_privkey_sign_hash() instead.

** libgnutls: gnutls_transport_set_lowat() is deprecated. Support
for this functionality will be dropped in later versions.

** libgnutls: gnutls_pubkey_verify_data, gnutls_pubkey_verify_hash,
gnutls_x509_privkey_verify_data, gnutls_x509_crt_verify_data, 
gnutls_x509_crt_verify_hash return the negative error code 
GNUTLS_E_PK_SIG_VERIFY_FAILED if verification fails to simplify error 

** libgnutls: Added helper functions for signature verification:
gnutls_pubkey_verify_data() and gnutls_pubkey_import_privkey().

** libgnutls: Modified gnutls_privkey_sign_data().

** gnutls_x509_crl_privkey_sign2(), gnutls_x509_crq_sign2()
gnutls_x509_privkey_sign_hash(), gnutls_x509_privkey_sign_data(),
gnutls_x509_crt_verify_hash(), gnutls_x509_crt_verify_data(), were
deprecated for gnutls_x509_crl_privkey_sign(),
gnutls_x509_crq_privkey_sign(), gnutls_privkey_sign_hash(),
gnutls_privkey_sign_data(), gnutls_pubkey_verify_hash()
gnutls_pubkey_verify_data() respectively.

** libgnutls: gnutls_*_export_raw() functions now add leading zero in

** libgnutls: Added gnutls_transport_set_vec_push_function() that
can be used to specify a writev() like function. Using that gnutls
can provide more efficient writes to network layer in systems that 
support it.

** crypto.h: Fix use with C++.
Reported by "Brendan Doherty" <brendand@gentrack.com>.

** API and ABI modifications:
gnutls_transport_set_vec_push_function: ADDED
gnutls_x509_crl_get_raw_issuer_dn: ADDED
gnutls_pubkey_import_privkey: ADDED
gnutls_pubkey_verify_data: ADDED
gnutls_privkey_sign_hash: MODIFIED (was added in 2.11.0)
gnutls_privkey_sign_data: MODIFIED (was added in 2.11.0)
gnutls_x509_crq_sign2: DEPRECATED (use: gnutls_x509_crq_privkey_sign)
gnutls_x509_crq_sign: DEPRECATED (use: gnutls_x509_crq_privkey_sign)
gnutls_x509_crq_get_preferred_hash_algorithm: REMOVED (was added in 2.11.0)
gnutls_x509_crl_sign: DEPRECATED (use: gnutls_x509_crl_privkey_sign)
gnutls_x509_crl_sign2: DEPRECATED (use: gnutls_x509_crl_privkey_sign)
gnutls_x509_privkey_sign_data: DEPRECATED (use: gnutls_privkey_sign_data)
gnutls_x509_privkey_sign_hash: DEPRECATED (use: gnutls_privkey_sign_hash)
gnutls_x509_privkey_verify_data: DEPRECATED (use: gnutls_pubkey_verify_data)
gnutls_psk_netconf_derive_key: DEPRECATED
gnutls_session_set_finished_function: DEPRECATED
gnutls_ext_register: DEPRECATED
gnutls_certificate_get_x509_crls: DEPRECATED
gnutls_certificate_get_x509_cas: DEPRECATED
gnutls_certificate_get_openpgp_keyring: DEPRECATED
gnutls_session_get_server_random: DEPRECATED
gnutls_session_get_client_random: DEPRECATED
gnutls_session_get_master_secret: DEPRECATED
gnutls_transport_set_lowat: DEPRECATED
gnutls_x509_crt_verify_hash: DEPRECATED (use: gnutls_pubkey_verify_hash)
gnutls_x509_crt_verify_data: DEPRECATED (use: gnutls_pubkey_verify_data)
gnutls_x509_crt_get_verify_algorithm: DEPRECATED (use: gnutls_pubkey_get_verify_algorithm)
gnutls_x509_crt_get_preferred_hash_algorithm: DEPRECATED (use: gnutls_pubkey_get_preferred_hash_algorithm)
gnutls_openpgp_privkey_sign_hash: DEPRECATED (use: gnutls_privkey_sign_hash)
gnutls_openpgp_privkey_decrypt_data: REMOVED (was added in 2.11.0)
gnutls_pkcs11_privkey_sign_hash: REMOVED (was added in 2.11.0)
gnutls_pkcs11_privkey_decrypt_data: REMOVED (was added in 2.11.0)
gnutls_pkcs11_privkey_sign_data: REMOVED (was added in 2.11.0)
gnutls_x509_privkey_sign_data2: REMOVED (was added in 2.11.0)

* Version 2.11.6 (released 2010-12-06)

** libgnutls: Record version of Client Hellos is now set by default to
SSL 3.0. To restore the previous default behavior use %LATEST_RECORD_VERSION
priority string.

** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures. 
This makes us comply with RFC3279. Reported by Michael Rommel.

** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz.

** API and ABI modifications:
No changes since last version.

* Version 2.11.5 (released 2010-12-01)

** libgnutls: Reverted default behavior for verification and
introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default
V1 trusted CAs are allowed, unless the new flag is specified.

** libgnutls: Correctly add leading zero to PKCS #8 encoded DSA key.
Reported by Jeffrey Walton.

** libgnutls: Added SIGN-ALL, CTYPE-ALL, COMP-ALL, and VERS-TLS-ALL
as priority strings. Those allow to set all the supported algorithms
at once.

** p11tool: Introduced. It allows manipulating pkcs 11 tokens.

** gnutls-cli: Print channel binding only in verbose mode.
Before it printed it after the 'Compression:' output, thus breaking
Emacs starttls.el string searches.

** API and ABI modifications:
gnutls_pkcs11_token_init: New function
gnutls_pkcs11_token_set_pin: New function

* Version 2.11.4 (released 2010-10-15)

** libgnutls: Add new API gnutls_session_channel_binding.
The function is used to get the channel binding data.  Currently only
the "tls-unique" (RFC 5929) channel binding type is supported, through
the GNUTLS_CB_TLS_UNIQUE type.  See new section "Channel Bindings" in
the manual.

** gnutls-cli, gnutls-serv: Print 'tls-unique' Channel Bindings.

** doc: Added pkcs11.h header file to GTK-DOC manual.

** build: Update gnulib files.

** i18n: Update translations.

** tests: Add self tests gendh.c.  Speed up Guile self checks.

** API and ABI modifications:
gnutls_session_channel_binding: New function.
gnutls_channel_binding_t: New enumeration.
GNUTLS_CB_TLS_UNIQUE: New gnutls_channel_binding_t enum member.

* Version 2.11.3 (released 2010-10-14)

** Indent code to follow the GNU Coding Standard.
You should be able to unpack the 2.11.2 release and run 'make indent'
twice to get exactly the same content as 2.11.3 except for generated
files.  Using GNU Indent 2.2.11.

** API and ABI modifications:
No changes since last version.

* Version 2.11.2 (released 2010-10-08)

** libgnutls: Several bug fixes on session resumption
and session tickets support.

** libgnutls: Add new extended key usage ipsecIKE.

** certtool: Renamed PKCS #11 options to: --p11-provider,
--p11-export-url, --p11-list-certs, --p11-list-certs,
--p11-list-privkeys, --p11-list-trusted, --p11-list-all-certs,
--p11-list-all, --p11-list-tokens, --p11-login, --p11-write,
--p11-write-label, --p11-write-trusted, --p11-detailed-url,

** libgnutls: Corrected bug that caused importing DSA keys as RSA,
introduced with the new nettle code.

** libgnutls: Corrected advertizing issue for session tickets.

** API and ABI modifications:
gnutls_x509_crt_get_subject_unique_id: ADDED.
gnutls_x509_crt_get_issuer_unique_id: ADDED.

* Version 2.11.1 (released 2010-09-14)

** libgnutls: Nettle is the default crypto back end. Use --with-libgcrypt
to use the libgcrypt back end.

** libgnutls: Depend on nettle 2.1. This makes nettle a fully working
backend crypto library.

** libgnutls: Added RSA_NULL_SHA1 and SHA256 ciphersuites.

** libgnutls: Several updates in the buffering internal interface.

** libgnutls: Is now more liberal in the PEM decoding. That is spaces and 
tabs are being skipped.

** libgnutls: Added support for draft-pechanec-pkcs11uri-02.

** libgnutls: The %COMPAT flag now allows larger records that violate the
TLS spec.

** libgnutls: by default lowat level has been set to zero to avoid unnecessary
system calls. Applications that depended on it being 1 should explicitly call

** libgnutls: Updated documentation and gnutls_pk_params_t mappings
to ECRYPT II recommendations. Mappings were moved to a single location
and DSA keys are handled differently (since DSA2 allows for 1024,2048
and 3072 keys only).

** libgnutls: gnutls_x509_privkey_import() will fallback to
gnutls_x509_privkey_import_pkcs8() without a password, if it
is unable to decode the key.

** libgnutls: HMAC-MD5 no longer used by default.

** API and ABI modifications:
gnutls_openpgp_privkey_sec_param: ADDED
gnutls_x509_privkey_sec_param: ADDED

* Version 2.11.0 (released 2010-07-22)

** libgnutls: support scattered write using writev(). This takes
advantage of the new buffering layer and allows queuing of packets
and flushing them. This is currently used for handshake messages

** libgnutls: Added gnutls_global_set_mutex() to allow setting
alternative locking procedures. By default the system available
locking is used. In *NIX pthreads are used and in windows the
critical section API. This follows a different approach than the
previous versions that depended on libgcrypt initialization. The
locks are now set by default in systems that support it. Programs
that used gcry_control() to set thread locks should insert it into
a block of

** libgnutls: Added support for reading DN from EV-certificates.
New DN values:

** libgnutls: Added support for DSA signing/verifying with bit 
length over 1024.

** libgnutls-extra: When in FIPS mode gnutls_global_init_extra()
has to be called to register any required md5 handlers.

** libgnutls: Internal buffering code was replaced by simpler
code contributed by Jonathan Bastien-Filiatrault.

** libgnutls: Internal API for extensions augmented to allow
safe storing and loading of data on resumption. This allows writing
self-contained extensions (when possible). As a side effect
the OPRFI extension was removed.

** libgnutls: Added support for DSA-SHA256 and DSA-SHA224

** libgnutls: Added PKCS #11 support and an API to access objects in
gnutls/pkcs11.h. Currently certificates and public keys can be
imported from tokens, and operations can be performed on private keys.

** libgnutls: Added abstract gnutls_privkey_t and gnutls_pubkey_t

** libgnutls: Added initial support for the nettle library. It uses
the system's random generator for seeding. That is /dev/urandom in Linux, 
system calls in Win32 and EGD on other systems.

** libgnutls: Corrected issue on the %SSL3_RECORD_VERSION priority string. It now
    works even when resuming a session.

** libgnutls: Added gnutls_certificate_set_retrieve_function() to replace the
similar gnutls_certificate_set_server_retrieve_function() and
gnutls_certificate_set_client_retrieve_function(). In addition it support
PKCS #11 private keys.

** libgnutls: Added  gnutls_pkcs11_copy_x509_crt(), gnutls_pkcs11_copy_x509_privkey(),
and gnutls_pkcs11_delete_url() to allow copying and deleting data in tokens.

** libgnutls: Added gnutls_sec_param_to_pk_bits() et al. to allow select bit
sizes for private keys using a human understandable scale.

** certtool: Added new options: --pkcs11-list-tokens, --pkcs11-list-all
--pkcs11-list-all-certs, --pkcs11-list-trusted, --pkcs11-list-certs,
--pkcs11-delete-url, --pkcs11-write

certtool: The --pkcs-cipher is taken into account when generating a
private key. The default cipher used now is aes-128. The old behavior can
be simulated by specifying "--pkcs-cipher 3des-pkcs12".

certtool: Added --certificate-pubkey to print the public key of the

** gnutls-cli/gnutls-serv: --x509cafile, --x509certfile and --x509keyfile
can now accept a PKCS #11 URL in addition to a file. This will allow for
example to use the Gnome-keyring trusted certificate list to verify
connections using a url such as:

** API and ABI modifications:
gnutls_certificate_set_server_retrieve_function: DEPRECATED
gnutls_certificate_set_client_retrieve_function: DEPRECATED
gnutls_sign_callback_set: DEPRECATED
gnutls_global_set_mutex: ADDED
gnutls_pubkey_get_preferred_hash_algorithm: ADDED
gnutls_x509_crt_get_preferred_hash_algorithm: ADDED
gnutls_x509_privkey_export_rsa_raw2: ADDED
gnutls_rnd: ADDED
gnutls_sec_param_to_pk_bits: ADDED
gnutls_pk_bits_to_sec_param: ADDED
gnutls_sec_param_get_name: ADDED
gnutls_pkcs11_type_get_name: ADDED
gnutls_certificate_set_retrieve_function: ADDED
gnutls_pkcs11_init: ADDED
gnutls_pkcs11_deinit: ADDED
gnutls_pkcs11_set_pin_function: ADDED
gnutls_pkcs11_set_token_function: ADDED
gnutls_pkcs11_add_provider: ADDED
gnutls_pkcs11_obj_init: ADDED
gnutls_pkcs11_obj_import_url: ADDED
gnutls_pkcs11_obj_export_url: ADDED
gnutls_pkcs11_obj_deinit: ADDED
gnutls_pkcs11_obj_export: ADDED
gnutls_pkcs11_obj_list_import_url: ADDED
gnutls_pkcs11_obj_export: ADDED
gnutls_x509_crt_import_pkcs11: ADDED
gnutls_pkcs11_obj_get_type: ADDED
gnutls_x509_crt_list_import_pkcs11: ADDED
gnutls_x509_crt_import_pkcs11_url: ADDED
gnutls_pkcs11_obj_get_info: ADDED
gnutls_pkcs11_token_get_info: ADDED
gnutls_pkcs11_token_get_url: ADDED
gnutls_pkcs11_privkey_init: ADDED
gnutls_pkcs11_privkey_deinit: ADDED
gnutls_pkcs11_privkey_get_pk_algorithm: ADDED
gnutls_pkcs11_privkey_get_info: ADDED
gnutls_pkcs11_privkey_import_url: ADDED
gnutls_pkcs11_privkey_sign_data: ADDED
gnutls_pkcs11_privkey_sign_hash: ADDED
gnutls_pkcs11_privkey_decrypt_data: ADDED
gnutls_privkey_init: ADDED
gnutls_privkey_deinit: ADDED
gnutls_privkey_get_pk_algorithm: ADDED
gnutls_privkey_get_type: ADDED
gnutls_privkey_import_pkcs11: ADDED
gnutls_privkey_import_x509: ADDED
gnutls_privkey_import_openpgp: ADDED
gnutls_privkey_sign_data: ADDED
gnutls_privkey_sign_hash: ADDED
gnutls_privkey_decrypt_data: ADDED
gnutls_pkcs11_privkey_export_url: ADDED
gnutls_x509_crq_privkey_sign: ADDED
gnutls_x509_crl_privkey_sign: ADDED
gnutls_x509_crt_privkey_sign: ADDED
gnutls_pubkey_init: ADDED
gnutls_pubkey_deinit: ADDED
gnutls_pubkey_get_pk_algorithm: ADDED
gnutls_pubkey_import_x509: ADDED
gnutls_pubkey_import_openpgp: ADDED
gnutls_pubkey_get_pk_rsa_raw: ADDED
gnutls_pubkey_get_pk_dsa_raw: ADDED
gnutls_pubkey_export: ADDED
gnutls_pubkey_get_key_id: ADDED
gnutls_pubkey_get_key_usage: ADDED
gnutls_pubkey_verify_hash: ADDED
gnutls_pubkey_get_verify_algorithm: ADDED
gnutls_pkcs11_type_get_name: ADDED
gnutls_pubkey_import_pkcs11_url: ADDED
gnutls_pubkey_import: ADDED
gnutls_pubkey_import_pkcs11: ADDED
gnutls_pubkey_import_dsa_raw: ADDED
gnutls_pubkey_import_rsa_raw: ADDED
gnutls_x509_crt_set_pubkey: ADDED
gnutls_x509_crq_set_pubkey: ADDED
gnutls_pkcs11_copy_x509_crt: ADDED
gnutls_pkcs11_copy_x509_privkey: ADDED
gnutls_pkcs11_delete_url: ADDED

* Version 2.10.1 (released 2010-07-25)

** libgnutls: Added support for broken certificates that indicate RSA
with strange OIDs.

** gnutls-cli: Allow verification using V1 CAs.

** libgnutls: gnutls_x509_privkey_import() will fallback to
gnutls_x509_privkey_import_pkcs8() without a password, if it
is unable to decode the key.

** libgnutls: Correctly deinitialize crypto API functions to prevent
a memory leak.  Reported by Mads Kiilerich.

** certtool: If asked to generate DSA keys of size more than 1024 bits,
issue a warning, that the output key might not be working everywhere.

** certtool: The --pkcs-cipher is taken into account when generating a
private key. The default cipher used now is aes-128. The old behavior
can be simulated by specifying "--pkcs-cipher 3des-pkcs12".

** API and ABI modifications:
No changes since last version.

* Version 2.10.0 (released 2010-06-25)

** API and ABI modifications:
No changes since last version.

* Version 2.9.12 (released 2010-06-17)

** gnutls-cli: Make --starttls work again.
Problem introduced in patch to use read() instead of fgets() committed
on 2010-01-27.

** API and ABI modifications:
No changes since last version.

* Version 2.9.11 (released 2010-06-07)

** libgnutls: Removed two APIs related to safe renegotiation.
Use priority strings instead.  The APIs were
gnutls_safe_negotiation_set_initial and gnutls_safe_renegotiation_set.
(Remember that we don't promise ABI stability during development
series, so this doesn't cause an shared library ABI increment.)

** tests: More self testing of safe renegotiation extension.
See tests/safe-renegotiation/README for more information.

** doc: a PDF version of the API reference manual (GTK-DOC) is now built.

** doc: Terms 'GNUTLS' and 'GNU TLS' were changed to 'GnuTLS' for consistency.

** API and ABI modifications:
gnutls_safe_negotiation_set_initial: REMOVED.
gnutls_safe_renegotiation_set: REMOVED.

* Version 2.9.10 (released 2010-04-22)

** libgnutls: Time verification extended to trusted certificate list.

** certtool: Display postalCode and Name X.509 DN attributes correctly.
Based on patch by Pavan Konjarla.  Adds new constant

** libgnutls: Added Steve Dispensa's patch for safe renegotiation (RFC 5746)
Solves the issue discussed in:
<http://www.ietf.org/mail-archive/web/tls/current/msg03928.html> and
Note that to allow connecting to unpatched servers the full protection
is only enabled if the priority string %SAFE_RENEGOTIATION is
specified. You can check whether protection is in place by querying
gnutls_safe_renegotiation_status().  New error codes

** libgnutls: When checking openpgp self signature also check the signatures
** of all subkeys.
Ilari Liusvaara noticed and reported the issue and provided test
vectors as well.

** libgnutls: Added cryptodev support (/dev/crypto).
Tested with http://www.logix.cz/michal/devel/cryptodev/.  Added
benchmark utility for AES.  Adds new error codes

** libgnutls: Exported API to access encryption and hash algorithms.
The new API functions are gnutls_cipher_decrypt, gnutls_cipher_deinit,
gnutls_cipher_encrypt, gnutls_cipher_get_block_size,
gnutls_cipher_init, gnutls_hash, gnutls_hash_deinit, gnutls_hash_fast,
gnutls_hash_get_len, gnutls_hash_init, gnutls_hash_output,
gnutls_hmac, gnutls_hmac_deinit, gnutls_hmac_fast,
gnutls_hmac_get_len, gnutls_hmac_init, gnutls_hmac_output.  New API
constants are GNUTLS_MAC_SHA224 and GNUTLS_DIG_SHA224.

** libgnutls: Added gnutls_certificate_set_verify_function() to allow
verification of certificate upon receipt rather than waiting until the
end of the handshake.

** libgnutls: Don't send alerts during handshake.
Instead new error code GNUTLS_E_UNKNOWN_SRP_USERNAME is added.

** certtool: Corrected two issues that affected certificate request generation.
(1) Null padding is added on integers (found thanks to Wilankar Trupti),
(2) In optional SignatureAlgorithm parameters field for DSA keys the DSA
parameters were added. Those were rejected by Verisign. Gnutls no longer adds 
those parameters there since other implementations don't do either and having 
them does not seem to offer anything (anyway you need the signer's certificate
to verify thus public key will be available). Found thanks to Boyan Kasarov.
This however has the side-effect that public key IDs shown by certtool are
now different than previous gnutls releases.
(3) the option --pgp-certificate-info will verify self signatures

** certtool: Allow exporting of Certificate requests on DER format.

** certtool: New option --no-crq-extensions to avoid extensions in CSRs.

** gnutls-cli: Handle reading binary data from server.
Reported by and tiny patch from Vitaly Mayatskikh
<v.mayatskih@gmail.com> in

** minitasn1: Upgraded to libtasn1 version 2.6.

** i18n: Updated Czech, Dutch, French, Polish, Swedish translation.
** Added Italian and Simplified Chinese translation.
Thanks to Petr Pisar, Erwin Poeze, Nicolas Provost, Jakub Bogusz,
Daniel Nylander, Sergio Zanchetta, Tao Wei, and Aron Xu.

** doc: The GTK-DOC manual is significantly improved.

** API and ABI modifications:
%DISABLE_SAFE_RENEGOTIATION: Added to priority strings (do not use).
%INITIAL_SAFE_RENEGOTIATION: Added to priority strings.
%UNSAFE_RENEGOTIATION: Added to priority strings.
gnutls_certificate_set_verify_function: ADDED.
gnutls_cipher_decrypt: ADDED.
gnutls_cipher_deinit: ADDED.
gnutls_cipher_encrypt: ADDED.
gnutls_cipher_get_block_size: ADDED.
gnutls_cipher_init: ADDED.
gnutls_hash: ADDED.
gnutls_hash_deinit: ADDED.
gnutls_hash_fast: ADDED.
gnutls_hash_get_len: ADDED.
gnutls_hash_init: ADDED.
gnutls_hash_output: ADDED.
gnutls_hmac: ADDED.
gnutls_hmac_deinit: ADDED.
gnutls_hmac_fast: ADDED.
gnutls_hmac_get_len: ADDED.
gnutls_hmac_init: ADDED.
gnutls_hmac_output: ADDED.
gnutls_safe_negotiation_set_initial: ADDED.
gnutls_safe_renegotiation_set: ADDED.
gnutls_safe_renegotiation_status: ADDED.

* Version 2.9.9 (released 2009-11-09)

** libgnutls: Cleanups and several bug fixes.
Found by Steve Grubb and Tomas Mraz.

** Link libgcrypt explicitly to certtool, gnutls-cli, gnutls-serv.

** Fix --disable-valgrind-tests.
Reported by Ingmar Vanhassel in

** API and ABI modifications:
No changes since last version.

* Version 2.9.8 (released 2009-11-05)

** libgnutls: Fix for memory leaks on interrupted handshake.
Reported by Tang Tong.

** libgnutls: Addition of support for TLS 1.2 signature algorithms
** extension and certificate verify field.
This requires changes for TLS 1.2 servers and clients that use
callbacks for certificate retrieval.  They are now required to check
with gnutls_sign_algorithm_get_requested() whether the certificate
they send complies with the peer's preferences in signature

** libgnutls: In server side when resuming a session do not overwrite the 
** initial session data with the resumed session data.

** libgnutls: Added support for AES-128, AES-192 and AES-256 in PKCS #8
** encryption.
This affects also PKCS #12 encoded files.  This adds the following new

** libgnutls: Fix PKCS#12 encoding.
The error you would get was "The OID is not supported.".  Problem
introduced for the v2.8.x branch in 2.7.6.

** certtool: Added the --pkcs-cipher option.
To explicitely specify the encryption algorithm to use.

** tests: Added "pkcs12_encode" self-test to check PKCS#12 functions.

** tests: Fix time bomb in chainverify self-test.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in

** tests: Fix expired cert in chainverify self-test.

** i18n: Vietnamese translation updated.
Thanks to Clytie Siddall.

** API and ABI modifications:
GNUTLS_CIPHER_AES_192_CBC: ADDED to gnutls/gnutls.h.
GNUTLS_PKCS_USE_PBES2_AES_128: ADDED to gnutls/x509.h.
GNUTLS_PKCS_USE_PBES2_AES_192: ADDED to gnutls/x509.h.
GNUTLS_PKCS_USE_PBES2_AES_256: ADDED to gnutls/x509.h.
GNUTLS_BAG_SECRET: ADDED to gnutls/pkcs12.h.
GNUTLS_DIG_UNKNOWN: ADDED to gnutls/gnutls.h.
gnutls_sign_algorithm_get_requested: ADDED.

* Version 2.9.7 (released 2009-10-06)

** libgnutls: TLS 1.2 server mode fixes.
Now interoperates against Opera.  Contributed by Daiki Ueno.

** libgnutlsxx: Fix link problems.
Tiny patch from Boyan Kasarov <bkasarov@gmail.com>.

** guile: Compatibility with guile 2.x.
By Ludovic Courtes <ludovic.courtes@laas.fr>.

** API and ABI modifications:
No changes since last version.

* Version 2.9.6 (released 2009-09-22)

** libgnutls: Enable Camellia ciphers by default.

** API and ABI modifications:
No changes since last version.

* Version 2.9.5 (released 2009-09-10)

** libgnutls: Add new functions to extract X.509 Issuer Alternative Names.
The new functions are gnutls_x509_crt_get_issuer_alt_name2,
gnutls_x509_crt_get_issuer_alt_name, and
gnutls_x509_crt_get_issuer_alt_othername_oid.  Contributed by Brad
Hards <bradh@frogmouth.net>.

** API and ABI modifications:
gnutls_x509_crt_get_issuer_alt_name2: ADDED.
gnutls_x509_crt_get_issuer_alt_name: ADDED.
gnutls_x509_crt_get_issuer_alt_othername_oid: ADDED.

* Version 2.9.4 (released 2009-09-03)

** libgnutls: Client-side TLS 1.2 and SHA-256 ciphersuites now works.
The new supported ciphersuites are AES-128/256 in CBC mode with
ANON-DH/RSA/DHE-DSS/DHE-RSA.  Contributed by Daiki Ueno.  Further,
SHA-256 is now the preferred default MAC (however it is only used with
TLS 1.2).

** libgnutls: Make OpenPGP hostname checking work again.
The patch to resolve the X.509 CN/SAN issue accidentally broken
OpenPGP hostname comparison.

** libgnutls: When printing X.509 certificates, handle XMPP SANs better.
Reported by Howard Chu <hyc@symas.com> in

** Fix use of deprecated types internally.
Use of deprecated types in GnuTLS from now on will lead to a compile
error, to prevent this from happening again.

** API and ABI modifications:
No changes since last version.

* Version 2.9.3 (released 2009-08-19)

** libgnutls: Support for TLS tickets was contributed by Daiki Ueno.
The new APIs are gnutls_session_ticket_enable_client,
gnutls_session_ticket_enable_server, and

** gnutls-cli, gnutls-serv: New parameter --noticket to disable TLS tickets.

** API and ABI modifications:
gnutls_session_ticket_key_generate: ADDED.
gnutls_session_ticket_enable_client: ADDED.
gnutls_session_ticket_enable_server: ADDED.

* Version 2.9.2 (released 2009-08-14)

** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
into 1) not printing the entire CN/SAN field value when printing a
certificate and 2) cause incorrect positive matches when matching a
hostname against a certificate.  Some CAs apparently have poor
checking of CN/SAN values and issue these (arguable invalid)
certificates.  Combined, this can be used by attackers to become a
MITM on server-authenticated TLS sessions.  The problem is mitigated
since attackers needs to get one certificate per site they want to
attack, and the attacker reveals his tracks by applying for a
certificate at the CA.  It does not apply to client authenticated TLS
sessions.  Research presented independently by Dan Kaminsky and Moxie
Marlinspike at BlackHat09.  Thanks to Tomas Hoger <thoger@redhat.com>
for providing one part of the patch.  [GNUTLS-SA-2009-4] [CVE-2009-2730].

** libgnutls: Fix rare failure in gnutls_x509_crt_import.
The function may fail incorrectly when an earlier certificate was
imported to the same gnutls_x509_crt_t structure.

** minitasn1: Internal copy updated to libtasn1 v2.3.

** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
Before it always returned false.  Reported by Peter Hendrickson
<pdh@wiredyne.com> in

** libgnutls: Fix off-by-one size computation error in unknown DN printing.
The error resulted in truncated strings when printing unknown OIDs in
X.509 certificate DNs.  Reported by Tim Kosse
<tim.kosse@filezilla-project.org> in

** libgnutls: Fix PKCS#12 decryption from password.
The encryption key derived from the password was incorrect for (on
average) 1 in every 128 input for random inputs.  Reported by "Kukosa,
Tomas" <tomas.kukosa@siemens-enterprise.com> in

** libgnutls: Return correct bit lengths of some MPIs.
gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
gnutls_dh_get_peers_public_bits.  Before the reported value was
overestimated.  Reported by Peter Hendrickson <pdh@wiredyne.com> in

** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
Report and patch by Tim Kosse <tim.kosse@filezilla-project.org> in

** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
Before we required that the runtime library used the same (or more
recent) libgcrypt/libtasn1 as it was compiled with.  Now we just check
that the runtime usage is above the minimum required.  Reported by
Marco d'Itri <md@linux.it> via Andreas Metzler
<ametzler@downhill.at.eu.org> in <http://bugs.debian.org/540449>.

** tests: Added new self-test pkcs12_s2k_pem to detect MPI bit length error.

** tests: Improved test vectors in self-test pkcs12_s2k.

** tests: Added new self-test dn2 to detect off-by-one size error.

** tests: Fix failure in "chainverify" because a certificate have expired.

** API and ABI modifications:
No changes since last version.

* Version 2.9.1 (released 2009-06-08)

** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle.
Forwarded by Martin von Gagern <Martin.vGagern@gmx.net> from

** tests: Added new self-tests init_roundtrip.c to detect previous problem.

** Reduce stack usage for some CRQ functions.

** Doc fixes for CRQ functions.

** API and ABI modifications:
No changes since last version.

* Version 2.9.0 (released 2009-05-28)

** Doc fixes.

** API and ABI modifications:
No changes since last version.


If you want to unsubscribe from the cygwin-announce mailing list, please
use the automated form at:


If this does not work, then look at the "List-Unsubscribe: " tag in the
email header of this message.  Send email to the address specified
there.  It will be in the format:


If you need more information on unsubscribing, start reading here:


Please read *all* of the information on unsubscribing that is available
starting at this URL.

More information about the Cygwin-announce mailing list