* Change ne_sock_close() to no longer wait for SSL closure alert:
o fixes possible hang with IIS servers when closing SSL connection
o this reverts the behaviour with OpenSSL to match 0.28.x,
and changes the behaviour with GnuTLS to match that with
OpenSSL
* Fix memory leak with GnuTLS
* API clarification in ne_sock_close():
o SSL closure handling now documented
o return value semantics fixed to describe the implementation
Changes in release neon 0.29.2, 30 December 2009 (PGP signature)
* Fix spurious 'certificate verify failed' errors with OpenSSL (Tom C)
* Fix unnecessary re-authentication with SSPI (Danil Shopyrin)
o Note that this change was previously listed in the 0.29.1 changes, however the patch had not been merged.
Changes in release neon 0.29.1, 15 December 2009 (PGP signature)
* Fixes for (Unix) NTLM implementation:
o fix handling of session timeout (Kai Sommerfeld)
o fix possible crash (basic@mozdev.org)
* Build fixes for Win32:
o fix use of socklen_t with recent SDKs (Stefan Kung)
o fix USE_GETADDRINFO on Win2K (Kai Sommerfeld)
* Fix build with versions of GnuTLS older than 2.8.0.
* Interface changes:
o none, API and ABI backwards-compatible with 0.28.x and 0.27.x
* New interfaces and features:
o added NTLM auth support for Unix builds (Kai Sommerfeld,
Daniel Stenberg)
o ne_auth.h: added NE_AUTH_GSSAPI and NE_AUTH_NTLM auth protocol codes
o added ne_acl3744.h, updated WebDAV ACL support (Henrik Holst)
o added built-in SOCKS v4/v4a/v5 support: ne_socket.h:ne_sock_proxy(),
and ne_session.h:ne_session_socks_proxy()
o added support for system-default proxies: ne_session_system_proxy(),
implemented using libproxy where available
o ne_session.h: added NE_SESSFLAG_EXPECT100 session flag,
SSL verification failure bits extended by NE_SSL_BADCHAIN and
NE_SSL_REVOKED, better handling of failures within the cert chain
(thanks to Ludwig Nussel)
o ne_socket.h: ne_sock_writev() (Julien Reichel), ne_sock_set_error(),
ne_iaddr_raw(), ne_iaddr_parse()
o ne_string.h: ne_buffer_qappend(), ne_strnqdup()
* Deprecated interfaces:
o ne_acl.h is obsoleted by ne_acl3744.h (but is still present)
o obsolete feature "NE_FEATURE_SOCKS" now never marked present
* Other changes:
o fix handling of "stale" flag in RFC2069-style Digest auth challenge
o ne_free() implemented as a function on Win32 (thanks to Helge Hess)
o symbol versioning used for new symbols, where supported
o ensure SSL connections are closed cleanly with OpenSSL
o fix build with OpenSSL 1.0 beta
o updated Polish (pl) translation (Arfrever Frehtes Taifersar Arahesis)
* SECURITY (CVE-2009-2473): Fix "billion laughs" attack against expat;
could allow a Denial of Service attack by a malicious server.
* SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in a
certificate subject name; could allow an undetected MITM attack against
an SSL server if a trusted CA issues such a cert.
Tested by Daniel Horecki with SVN client.
add a local copy of SSL_SESSION_cmp which is missing in openssl 1.0.0 betas.
based on hack found at: http://trac.macports.org/ticket/19124
This fixes subversion-base build on NetBSD-current.
While here update to neon-0.28.5.
Changes in release neon 0.28.5, 3 July 2009 (PGP signature)
* Enable support for X.509v1 CA certificates in GnuTLS.
* Fix handling of EINTR in connect() calls.
* Fix use of builds with SOCK_CLOEXEC support on older Linux kernels.
Changes in release neon 0.28.4, 3 March 2009 (PGP signature)
* Fix ne_forget_auth (Kai Sommerfeld)
* GnuTLS support fixes:
o fix handling of PKCS#12 client certs with multiple certs or keys
o fix crash with OpenPGP certificate
o use pkg-config data in configure, in preference to libgnutls-config
* Add PKCS#11 support for OpenSSL builds (where pakchois is available)
* Fix small memory leak in PKCS#11 code.
* Fix build on Haiku (scott mc)
Remove comment about checking subversion for neon > 0.27 as 0.28.3 is
in fact the prefered version for the current subversion.
Several years of bug fixes.
* Fix buffer under-read in URI parser (Laszlo Boszormenyi, CVE-2007-0157)
* Fix regression in handling of "attempt" argument passed to auth callbacks;
ensure the value only increments for each invocation of the callback
* Fix handling of "nextnonce" parameter in Digest authentication
Changes 0.26.2:
* Fix error reported for LOCK responses lacking a Lock-Token header.
* Use Libs.private in neon.pc for newer versions of pkg-config.
* Build fix for platforms without libintl.h.
* Build fixes for MinGW.
* Build fix for h_errno detection on HP-UX 10.
* Win32: enable debugging; build fixes with some SDKs.
Changes 0.26.1:
* Build fixes for Win32 (D.J. Heap) and OS X.
* Add Simplified Chinese translation
Changes in release 0.26.0:
* Added internationalization support:
* Added support for GnuTLS
* Changes and additions to URI support:
* Changed results callbacks for ne_lock_discover, PROPFIND interfaces:
* Added functions which give control over authentication protocol use:
* Added ne_unhook_* functions to remove hooks
* Added ne_set_session_flags()/ne_get_session_flags() functions:
* Added ne_set_request_flags()/ne_get_request_flags() functions:
* Change ne_md5.h interface to make struct ne_md5_ctx opaque:
* Fixed ne_get_range(), added ne_get_range64()
* Removed NE_FREE() macro from ne_alloc.h
* Added ne_strcasecmp(), ne_strncasecmp(), ne_tolower() functions
* Changed ne_sock_init()/ne_sock_exit() such that ne_sock_exit()
* Added "--enable-threadsafe-ssl=posix" configure flag, to enable
* The manual is now licensed under the GPL rather than the GFDL
Changes in release 0.25.5:
* ne_ssl_clicert_decrypt(): catch and fail to load a client cert
with mismatched key/cert pair.
* Fix build issue on AIX 5.1.
* Fix warnings if built against OpenSSL >= 0.9.8.
* Win32: fix issues in SSPI implementation (Stefan Küng).
Changes in release 0.25.4:
* GSSAPI fixes for non-MIT implementations (Mikhail Teterin).
* Fix ne_print_request_header() et al to use 8K buffer size on all
platforms (fixes issue with long Destination: URLs on Win32).
* Win32 build fix for !USE_GETADDRINFO configuration.
* Documentation updates.
Changes in release 0.25.3:
* ne_lock() and ne_unlock(): fix cases where NE_ERROR would be returned
instead of e.g. NE_AUTH on auth failure.
* Prevent use of poll() on Darwin.
* Fix gethostbyname-based resolver on LP64 platforms (Matthew Sanderson).
Changes in release 0.25.2:
* Really fix the Win32 build.
Changes in release 0.25.1:
* ne_get_content_type(): fix cases where the charset field was not set
to NULL after successful return (Johannes Schneider)
* Compressed response handling fixes:
- fix double invocation of reader callback with len=0
- fix cases where the reader callback return value was ignored
* Cache the new SSL session if the old one was expired (Robert Eiglmaier)
* Win32: fix build issues.
Changes in release 0.25.0:
* New interfaces:
- ne_get_response_header() replaces ne_add_response_header_handler
- ne_read_response_to_fd() and ne_discard_response() for use with
ne_begin_request/ne_end_request style response handling
- ne_xmlreq.h: ne_xml_parse_response() and ne_xml_dispatch_request()
- ne_has_support() for feature detection, replaces ne_support_ssl()
- ne_set_addrlist() can be used to bypass normal DNS hostname resolver
- ne_buffer_czappend(), convenience wrapper for ne_buffer_append.
- ne_iaddr_typeof() returns type of a socket object
- ne_get_content_type() replaces ne_content_type_handler()
- ne_set_request_expect100() replaces ne_set_expect100()
* New interfaces on LFS systems for large file support:
- ne_set_request_body_fd64() call for using an fd opened using O_LARGEFILE
- ne_set_request_body_provider64(), takes an off64_t length argument
* Interface changes:
- ne_set_request_body_fd takes offset and length arguments and returns void
- ne_set_request_body_provider takes length as off_t rather than size_t;
provider callbacks now MUST set session error string if returning an error
- response body reader callback returns an integer and can abort the response
- ne_decompress_destroy() returns void; errors are caught earlier
- ne_xml_failed() replaces ne_xml_valid(), with different return value logic
- ne_xml_parse() can return an error; ne_xml_parse_v() aborts the response if
the parse either fails or is aborted by a handler returning NE_XML_ABORT
- ne_path_escape() now escapes all but unreserved characters
- ne_ssl_clicert_name() and ne_ssl_cert_identity() clarified to return UTF-8
- ne_ssl_clicert_name() clicert object argument is now const
- ne_uri_parse()/ne_uri_free() memory handling clarified
- removed the buffer length requirement for ne_read_response_block()
* Bug fixes:
- properly handle multiple Authentication challenges per request
- fixes and improvements to the Negotiate auth implementation
- handle proxies which send a 401 auth challenge to a CONNECT request
- XML: handle the UTF-8 BOM even if the underlying parser does not
- Win32: Fix timezone handling (Jiang Lei)
- ne_lock_refresh() works and will update timeout of passed-in lock
- persistent connection timeout handling fixes for CygWin et al
- impose hard limit of 1024 props per resource in ne_props.h response parsing
* New platform-specific features:
- Win32: Negotiate/NTLM support using SSPI (Vladimir Berezniker)
- Win32: Add IPv6 support using ENABLE_IPV6 neon.mak flag (Kai Sommerfeld)
* Removed features:
- the cookies interface has been removed
- removed functions: ne_service_lookup(), ne_put_if_unmodified()
- "qop=auth-int" support removed from Digest auth implementation
* Default XML parser search changed to check for expat before libxml2.
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
Changes in release 0.24.5:
* SECURITY (CVE CAN-2004-0179): Fix format string vulnerabilities in
XML/207 response handling, reported by greuff@void.at.
* Performance fix: avoid seeding the SSL PRNG if not creating an SSL socket.
* ne_ssl_readable_dname() is now defined to return UTF-8 strings.
* Fix case where gssapi/gssapi_generic.h was included but not present.
* Fix ne_utils.c build on platforms where zlib does "#define const".
* Fix use of ne_proppatch_operation with some C++ compilers.
* Update libtool for fix to --enable-shared on Darwin.
* BeOS: check for gethostbyname in -lbind (David Reid).
* Ignore unclean SSL closure when response body is delimited by EOF
("Could not read response body: Secure connection truncated" errors
with some buggy SSL servers).
* Fix test/ssl.c syntax errors with C89 compilers (Radu Greab).
* Respect configure's --datadir argument (Max Bowsher).
* Fix build on Windows when OpenSSL is not used.
* Fix use of SSLv2 (spurious "Server did not present certificate" error).
* When using SSL via a proxy, prevent leaking server auth credentials to the
proxy, or proxy auth credentials to the server.
* Fix name resolver with some old versions of glibc.
* Fix problems with configure's "time_t format string" detection.
* Fix problems when a broken Kerberos installation is found.
* When verifying SSL certificates, check iPaddress names in the subjectAltName
extension.
Update BUILDLINK_DEPENDS to 0.24.4 since there was an XML API change in
0.24.0.
Changes in release 0.24.1:
* Add support for "GSS-Negotiate" Kerberos authentication scheme (from
Risko Gergely and Burjan Gabor).
* Disable Nagle to improve performance of small requests (thanks to
Jim Whitehead and Teng Xu).
* Fix compatibility with OpenSSL 0.9.6 (broken in 0.24.0).
* Fix prototype mismatch in ne_207.c.
* Define ssize_t from ne_request.h for Win32.
* Prevent segfault on zlib initialization failures.
* ne_sock_init does not fail if PRNG could not be seeded.
* Fix segfault in cookies code (Markus Mueller).
* Documentation updates.
Changes in release 0.24.0:
* Major changes to XML interface:
- have the start-element callback either accept, decline, abort,
or return a state integer.
- remove 'struct ne_xml_elm'; callbacks are passed {nspace, name}
strings along with a state integer.
- dropped "collect", "strip-leading-whitespace" modes
- push responsibility for accumulating cdata onto caller; drop 'cdata'
argument from end-element callback.
- don't abort if no handler accepts a particular element, just ignore
that branch of the tree.
- dropped support for libxml 1.x and expat < 1.95.0.
- guarantee that start_element callback is not passed attrs=NULL
- add ne_xml_doc_encoding() to retrieve encoding of parsed XML document.
* Major changes to SSL interface:
- rewrite of interfaces for handling server and client certificates;
ne_ssl.h: many new functions available.
- only PKCS#12-encoded client certs are supported.
- changes to most names of SSL-related functions operating on an
ne_session, e.g. ne_ssl_load_cert->ne_ssl_trust_cert.
- client cert provider callback is passed the set of acceptable CA
names sent by the server
- the entire chain of certs presented by server is now accessible
* Remove unused ne_register_progress() from socket layer.
* Changes to resolver interface: ne_addr_first and _next return const;
ne_addr_print renamed to ne_iaddr_print; ne_iaddr_make and ne_iaddr_free
have been added.
* ne_request_create() now duplicates the method string passed in.
* ne_redirect_location() will now return NULL in some cases.
* Split socket creation to ne_sock_create() from ne_sock_connect:
- should report connect() error messages properly on Win32.
* Fix several memory leaks in error handling paths.
* Add a pkg-config file, neon.pc.in.
changes:
-Fix for handling EINTR during write() call (Sergey N Ushakov).
-When available, use pkg-config to determine compiler flags needed to use
OpenSSL headers and libraries.
