changes: bugfixes:
-Fixed memory leak in PKCS #8 key import
-Check key identifiers when checking for an issuer
pkgsrc note: This is just a last checkpoint on the 2.x branch, in case
it will be needed for the Q2 branch. Will update to 3.x RSN.
* libgnutls: When decoding a PKCS #11 URL the pin-source field is assumed to be
a file that stores the pin.
* libgnutls: Added strict tests in Diffie-Hellman and SRP key exchange public
keys.
* minitasn1: Upgraded to libtasn1 version 2.13 (pre-release).
* libgnutls: Corrections in record packet parsing.
* libgnutls: Fixes in SRP authentication.
* libgnutls: Added function to force explicit reinitialization of PKCS 11
modules. This is required on the child process after a fork.
* libgnutls: PKCS 11 objects that do not have ID no longer crash listing.
* API and ABI modifications: gnutls_pkcs11_reinit: Added
* Version 2.12.9 (released 2011-08-21)
** libgnutls-extra: Replaced enumeration with unsigned
int, in openssl.h to make it identical to the 3.0.0 version.
This shouldn't introduce binary incompatibility.
** libgnutls: When asking for a PIN multiple times, the
flags in the callback were not being updated to reflect
for PIN low count or final try.
** API and ABI modifications:
GNUTLS_PKCS11_PIN_WRONG: New flag for PIN callback
* libgnutls: PKCS-11 back-end was replaced by p11-kit
* libgnutls: gcrypt: replaced occurences of gcry_sexp_nth_mpi (..., 0)
with gcry_sexp_nth_mpi (..., GCRYMPI_FMT_USG) to fix errors with 1.5.0.
* libgnutls: Verify that a certificate liste specified using
gnutls_certificate_set_x509_key*(), is sorted according to TLS specification
* libgnutls: Added GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED flag for
gnutls_x509_crt_list_import. It checks whether the list to be imported is
properly sorted.
* libgnutls: writev_emu: stop on the first incomplete write.
* libgnutls: Fix zlib handling in gnutls.pc.
* certtool: bug fixes in certificate request generation.
* API and ABI modifications: GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED:
New element in gnutls_certificate_import_flags
changes:
-bugfixes
-minor feature additions
pkgsrc change: since the pkg was changed to build against "nettle"
instead of libgcrypt (whether this was a good idea or not...), the
latter isn't needed anymore, so remove the stale dependency
This can cause build breakage -- in this case addition of a local
dependency should restore the old state. (This dependency is technically
unnecessary often, but the assumption that gnutls needs libgcrypt
is sometimes hardwired in configure scripts and/or code.)
Package zlib was not found in the pkg-config search path.
... there is no zlib.pc, so comment out the part of the configure
script that adds that to the pkg-config file.
Bump PKGREVISION.
* libgnutls: Several minor bugfixes.
* libgnutls: Restored HMAC-MD5 for compatibility. Although considered weak,
several sites require it for connection. It is enabled for "NORMAL" and
"PERFORMANCE" priority strings.
* libgnutls: depend on libdl.
* libgnutls: gnutls_transport_set_global_errno() was deprecated. Use your
system's errno fascility or gnutls_transport_set_errno().
* gnutls-cli: Correction with usage of select to check for pending data in
gnutls sessions. It now uses gnutls_record_check_pending().
* tests: More fixes and updates for win32. Patches by LRN.
* libgnutls: Several files unnecessarily included <gcrypt.h>; this has been
fixed.
** API and ABI modifications: gnutls_transport_set_global_errno: DEPRECATED
Changes 2.12.2:
* libgnutls: Several updates and fixes for win32. Patches by LRN.
* libgnutls: Several bug and memory leak fixes.
* srptool: Accepts the -d option to enable debugging.
* libgnutls: Corrected bug in gnutls_srp_verifier() that prevented the
allocation of a verifier. Reported by Andrew Wiseman.
Changes 2.12.1:
* certtool: Generated certificate request with stricter permissions.
* libgnutls: Bug fixes in opencdk code. Reported by Vitaly Kruglikov.
* libgnutls: Corrected windows system_errno() function prototype.
* libgnutls: C++ compatibility fix for compat.h. Reported by Mark Brand.
* libgnutls: Fix size of gnutls_openpgp_keyid_t by using the
GNUTLS_OPENPGP_KEYID_SIZE definition. Reported by Andreas Metzler.
* libgnutls: Corrected verification of finished messages.
* libgnutls: Corrected signature generation and verification in the Certificate
Verify message when in TLS 1.2.
* pkg-config gnutls.pc improvements.
* API and ABI modifications: No changes since last version.
* Version 2.10.4 (released 2010-12-06)
** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz.
** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures.
This makes us comply with RFC3279. Reported by Michael Rommel.
** libgnutls: Reverted default behavior for verification and
introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default
V1 trusted CAs are allowed, unless the new flag is specified.
** minitasn1: Updated to Libtasn1 2.9.
** API and ABI modifications:
No changes since last version.
* Version 2.10.2 (released 2010-09-30)
** Use Libtool 2.2.10 to ease MinGW64 builds.
** libgnutls: Add new extended key usage ipsecIKE.
** libgnutls: Is now more liberal in the PEM decoding.
That is spaces and tabs are being skipped.
** libgnutls: Renamed NULL MAC to MAC-NULL to prevent clash with NULL cipher.
This prevented the usage of the TLS ciphersuites with NULL cipher.
See <http://thread.gmane.org/gmane.network.gnutls.general/2093>.
** libgnutls: The %COMPAT flag now allows larger records that violate the
TLS spec.
** libgnutls: Fix asynchronous API handling.
The code was clearing session hash data on EAGAIN. Problem reported
by Sjoerd Simons <sjoerd.simons@collabora.co.uk> and Vivek
Dasmohapatra <vivek@collabora.co.uk>. See
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4531>.
** gnutls-cli: Flush stdout/stderr before removing buffering.
Reported by Knut Anders Hatlen see
<http://savannah.gnu.org/support/?107481>.
* Version 2.8.5 (released 2009-11-02)
** libgnutls: In server side when resuming a session do not overwrite the
** initial session data with the resumed session data.
** libgnutls: Fix PKCS#12 encoding.
The error you would get was "The OID is not supported.". Problem
introduced for the v2.8.x branch in 2.7.6.
** guile: Compatibility with guile 2.x.
By Ludovic Courtes <ludovic.courtes@laas.fr>.
** tests: Fix expired cert in chainverify self-test.
** tests: Fix time bomb in chainverify self-test.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3925>.
** API and ABI modifications:
No changes since last version.
* Version 2.8.4 (released 2009-09-18)
** libgnutls: Enable Camellia ciphers by default.
** libgnutls: Make OpenPGP hostname checking work again.
The patch to resolve the X.509 CN/SAN issue accidentally broken
OpenPGP hostname comparison.
** libgnutls: When printing X.509 certificates, handle XMPP SANs better.
Reported by Howard Chu <hyc@symas.com> in
<https://savannah.gnu.org/support/?106975>.
** API and ABI modifications:
No changes since last version.
* Version 2.8.3 (released 2009-08-13)
** libgnutls: Fix patch for NUL in CN/SAN in last release.
Code intended to be removed would lead to an read-out-bound error in
some situations. Reported by Tomas Hoger <thoger@redhat.com>. A CVE
code have been allocated for the vulnerability: [CVE-2009-2730].
** libgnutls: Fix rare failure in gnutls_x509_crt_import.
The function may fail incorrectly when an earlier certificate was
imported to the same gnutls_x509_crt_t structure.
** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build
error.
** tests: Made self-test mini-eagain take less time.
** doc: Typo fixes.
** API and ABI modifications:
No changes since last version.
* Version 2.8.2 (released 2009-08-10)
** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
into 1) not printing the entire CN/SAN field value when printing a
certificate and 2) cause incorrect positive matches when matching a
hostname against a certificate. Some CAs apparently have poor
checking of CN/SAN values and issue these (arguable invalid)
certificates. Combined, this can be used by attackers to become a
MITM on server-authenticated TLS sessions. The problem is mitigated
since attackers needs to get one certificate per site they want to
attack, and the attacker reveals his tracks by applying for a
certificate at the CA. It does not apply to client authenticated TLS
sessions. Research presented independently by Dan Kaminsky and Moxie
Marlinspike at BlackHat09. Thanks to Tomas Hoger <thoger@redhat.com>
for providing one part of the patch. [GNUTLS-SA-2009-4].
** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
Before it always returned false. Reported by Peter Hendrickson
<pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>.
** libgnutls: Fix off-by-one size computation error in unknown DN printing.
The error resulted in truncated strings when printing unknown OIDs in
X.509 certificate DNs. Reported by Tim Kosse
<tim.kosse@filezilla-project.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>.
** libgnutls: Return correct bit lengths of some MPIs.
gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
gnutls_dh_get_peers_public_bits. Before the reported value was
overestimated. Reported by Peter Hendrickson <pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>.
** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
Report and patch by Tim Kosse <tim.kosse@filezilla-project.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671>
and
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>.
** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
Before we required that the runtime library used the same (or more
recent) libgcrypt/libtasn1 as it was compiled with. Now we just check
that the runtime usage is above the minimum required. Reported by
Marco d'Itri <md@linux.it> via Andreas Metzler
<ametzler@downhill.at.eu.org> in <http://bugs.debian.org/540449>.
** minitasn1: Internal copy updated to libtasn1 v2.3.
** tests: Fix failure in "chainverify" because a certificate have expired.
** API and ABI modifications:
No changes since last version.
it, and it only has a potential to conflict with the real openssl
(bad things will happen if a program links or dlopen()s both)
bump PKGREVISION
(the bug fixed in the added patches is already fixed upstream, will
be in the next release)
* Version 2.8.1 (released 2009-06-10)
** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle.
Forwarded by Martin von Gagern <Martin.vGagern@gmx.net> from
<http://bugs.gentoo.org/272388>.
** libgnutls: Fix PKCS#12 decryption from password.
The encryption key derived from the password was incorrect for (on
average) 1 in every 128 input for random inputs. Reported by "Kukosa,
Tomas" <tomas.kukosa@siemens-enterprise.com> in
<http://permalink.gmane.org/gmane.network.gnutls.general/1663>.
** API and ABI modifications:
No changes since last version.
* Version 2.8.0 (released 2009-05-27)
** doc: Fix gnutls_dh_get_prime_bits. Fix error codes and algorithm lists.
** Major changes compared to the v2.4 branch:
*** lib: Linker version scripts reduces number of exported symbols.
*** lib: Limit exported symbols on systems without LD linker scripts.
*** libgnutls: Fix namespace issue with version symbols.
*** libgnutls: Add functions to verify a hash against a certificate.
gnutls_x509_crt_verify_hash: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED
*** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6.
*** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'.
*** certtool: Query for multiple dnsName subjectAltName in interactive mode.
*** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify.
*** gnutls-serv: No longer disable MAC padding by default.
*** gnutls-cli: Certificate information output format changed.
*** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5
*** and %VERIFY_ALLOW_X509_V1_CA_CRT.
*** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.
*** libgnutls: gnutls_openpgp_crt_print supports oneline mode.
*** libgnutls: gnutls_handshake when sending client hello during a
rehandshake, will not offer a version number larger than the current.
*** libgnutls: New interface to get key id for certificate requests.
gnutls_x509_crq_get_key_id: ADDED.
*** libgnutls: gnutls_x509_crq_print will now also print public key id.
*** certtool: --verify-chain now prints results of using library verification.
*** libgnutls: Libgcrypt initialization changed.
*** libgnutls: Small byte reads via gnutls_record_recv() optimized.
*** gnutls-cli: Return non-zero exit code on error conditions.
*** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.
*** certtool: allow setting arbitrary key purpose object identifiers.
*** libgnutls: Change detection of when to use a linker version script.
Use --enable-ld-version-script or --disable-ld-version-script to
override auto-detection logic.
*** Fix warnings and build GnuTLS with more warnings enabled.
*** New API to set X.509 credentials from PKCS#12 memory structure.
gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
*** Old libgnutls.m4 and libgnutls-config scripts removed.
Please use pkg-config instead.
*** libgnutls: Added functions to handle CRL extensions.
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED
*** libgnutls: Added functions to handle X.509 extensions in Certificate
Requests.
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED
*** certtool: Print and set CRL and CRQ extensions.
*** minitasn1: Internal copy updated to libtasn1 v2.1.
*** examples: Now released into the public domain.
*** The Texinfo and GTK-DOC manuals were improved.
*** Several self-tests were added and others improved.
*** API/ABI changes in GnuTLS 2.8 compared to GnuTLS 2.6.x
No offically supported interfaces have been modified or removed. The
library should be completely backwards compatible on both the source
and binary level.
The shared library no longer exports some symbols that have never been
officially supported, i.e., not mentioned in any of the header files.
The symbols are:
_gnutls*
gnutls_asn1_tab
Normally when symbols are removed, the shared library version has to
be incremented. This leads to a significant cost for everyone using
the library. Because none of the above symbols have ever been
intended for use by well-behaved applications, we decided that the it
would be better for those applications to pay the price rather than
incurring problems on the majority of applications.
If it turns out that applications have been using unofficial
interfaces, we will need to release a follow-on release on the v2.8
branch to exports additional interfaces. However, initial testing
suggests that few if any applications have been using any of the
internal symbols.
Although not a new change compared to 2.6.x, we'd like to remind you
interfaces have been modified so that X.509 chain verification now
also checks activation/expiration times on certificates. The affected
functions are:
gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.
This change in behaviour was made during the GnuTLS 2.6.x cycle, and
we gave our rationale for it in earlier release notes.
The following symbols have been added to the library:
gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_key_id: ADDED.
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED
gnutls_x509_crt_verify_hash: ADDED
The following interfaces have been added to the header files:
GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION.
GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR.
GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR.
GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH.
GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER.
GNUTLS_EXTRA_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION.
The following interfaces have been deprecated:
LIBGNUTLS_VERSION: DEPRECATED.
LIBGNUTLS_VERSION_MAJOR: DEPRECATED.
LIBGNUTLS_VERSION_MINOR: DEPRECATED.
LIBGNUTLS_VERSION_PATCH: DEPRECATED.
LIBGNUTLS_VERSION_NUMBER: DEPRECATED.
LIBGNUTLS_EXTRA_VERSION: DEPRECATED.
* Version 2.7.14 (released 2009-05-26)
** libgnutls: Fix namespace issue with version symbol for libgnutls-extra.
The symbol LIBGNUTLS_EXTRA_VERSION were renamed to
GNUTLS_EXTRA_VERSION. The old symbol will continue to work but is
deprecated.
** Doc: Several typo fixes in documentation.
Reported by Peter Hendrickson <pdh@wiredyne.com>.
** API and ABI modifications:
GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION.
LIBGNUTLS_EXTRA_VERSION: DEPRECATED.
* Version 2.7.13 (released 2009-05-25)
** libgnutls: Fix version of some exported symbols in the shared library.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3576>.
** tests: Handle recently expired certificates in chainverify self-test.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3580>.
** API and ABI modifications:
No changes since last version.
* Version 2.7.12 (released 2009-05-20)
** gnutls-serv, gnutls-cli-debug: Make them work on Windows.
** tests/crq_key_id: Don't read entropy from /dev/random in self-test.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3570>.
** Fix build failures.
Missing sa_family_t and vsnprintf on IRIX. Reported by "Tom
G. Christensen" <tgc@jupiterrise.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3571>.
** minitasn1: Internal copy updated to libtasn1 v2.2.
GnuTLS should work fine with libtasn1 v1.x and that is still
supported.
** API and ABI modifications:
No changes since last version.
* Version 2.7.11 (released 2009-05-18)
** minitasn1: Fix build failure when using internal libtasn1.
Reported by "Tom G. Christensen" <tgc@jupiterrise.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3548>.
** libgnutls: Fix build failure with --disable-cxx.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3557>.
** gnutls-serv: Fix build failure for unportable NI_MAXHOST/NI_MAXSERV.
Reported by "Tom G. Christensen" <tgc@jupiterrise.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3560>
** Building with many warning flags now requires --enable-gcc-warnings.
This avoids crying wolf for normal compiles.
** API and ABI modifications:
No changes since last version.
* Version 2.7.10 (released 2009-05-13)
** examples: Now released into the public domain.
This makes the license of the example code compatible with more
licenses, including the (L)GPL.
** minitasn1: Internal copy updated to libtasn1 v2.1.
GnuTLS should work fine with libtasn1 v1.x and that is still
supported.
** libgnutls: Fix crash in signature verification
The fix for the CVE-2009-1415 problem wasn't merged completely.
** doc: Fixes for GTK-DOC output.
** API and ABI modifications:
No changes since last version.
* Version 2.7.9 (released 2009-05-11)
** doc: Fix strings in man page of gnutls_priority_init.
** doc: Fix tables of error codes and supported algorithms.
** Fix build failure when cross-compiled using MinGW.
** Fix build failure when LZO is enabled.
Reported by Arfrever Frehtes Taifersar Arahesis
<arfrever.fta@gmail.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3522>.
** Fix build failure on systems without AF_INET6, e.g., Solaris 2.6.
Reported by "Tom G. Christensen" <tgc@jupiterrise.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3524>.
** Fix warnings in self-tests.
** API and ABI modifications:
No changes since last version.
* Version 2.7.8 (released 2009-05-03)
** libgnutls: Fix DSA key generation.
Merged from stable branch. [GNUTLS-SA-2009-2] [CVE-2009-1416]
** libgnutls: Check expiration/activation time on untrusted certificates.
Merged from stable branch. Reported by Romain Francoise
<romain@orebokech.com>. This changes the semantics of
gnutls_x509_crt_list_verify, which in turn is used by
gnutls_certificate_verify_peers and gnutls_certificate_verify_peers2.
We add two new gnutls_certificate_status_t codes for reporting the new
error condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED.
We also add a new gnutls_certificate_verify_flags flag,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new
behaviour. [GNUTLS-SA-2009-3] [CVE-2009-1417]
** lib: Linker version scripts reduces number of exported symbols.
The linker version script now lists all exported ABIs explicitly, to
avoid accidentally exporting unintended functions. Compared to
before, most symbols beginning with _gnutls* are no longer exported.
These functions have never been intended for use by applications, and
there were no prototypes for these function in the public header
files. Thus we believe it is possible to do this without incrementing
the library ABI version which normally has to be done when removing an
interface.
** lib: Limit exported symbols on systems without LD linker scripts.
Before all symbols were exported. Now we limit the exported symbols
to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls)
_gnutls*. This is a superset of the actual supported ABI, but still
an improvement compared to before. This is implemented using Libtool
-export-symbols-regex. It is more portable than linker version
scripts.
** libgnutls: Incremented CURRENT/AGE libtool version to reflect new symbols.
This should have been done in the last release.
** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6.
Reported by Peter Hendrickson <pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3476>.
** doc: Improved sections for the info manual.
We now follow the advice given by the texinfo manual on which
directory categories to use. In particular, libgnutls moved from the
'GNU Libraries' section to the 'Software libraries' and the command
line tools moved from 'Network Applications' to 'System
Administration'.
** API and ABI modifications:
gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.
* Version 2.7.7 (released 2009-04-20)
** libgnutls: Applied patch by Cedric Bail to add functions
gnutls_x509_crt_verify_hash() and gnutls_x509_crt_get_verify_algorithm().
** gnutls.pc: Add -ltasn1 to 'pkg-config --libs --static gnutls' output.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3467>.
** minitasn1: Internal copy updated to libtasn1 v1.8.
GnuTLS is also internally ready to be used with libtasn1 v2.0.
** doc: Fix build failure of errcodes/printlist.
Reported by Roman Bogorodskiy <novel@FreeBSD.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3435>.
** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'.
It is currently only used by the core library. This will enable a new
domain 'gnutls' for translations of the command line tools.
** Corrected possible memory corruption on signature verification failure.
Reported by Miroslav Kratochvil <exa.exa@gmail.com>
** API and ABI modifications:
gnutls_x509_crt_verify_hash: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED
* Version 2.7.6 (released 2009-02-27)
** certtool: Query for multiple dnsName subjectAltName in interactive mode.
This applies both to generating certificates and certificate requests.
** pkix.asn: Removed unneeded definitions to reduce memory usage.
** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify.
Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to
be used for chain verification.
** gnutls-serv: No longer disable MAC padding by default.
Use --priority NORMAL:%COMPAT to disable MAC padding again.
** gnutls-cli: Certificate information output format changed.
The tool now uses libgnutls' functions to print certificate
information. This avoids code duplication.
** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5
** and %VERIFY_ALLOW_X509_V1_CA_CRT.
They can be used to override the default certificate chain validation
behaviour.
** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to
specify the client hello message record version. Used to overcome buggy
TLS servers. Report by Martin von Gagern.
** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.
** libgnutls: gnutls_openpgp_crt_print supports oneline mode.
** doc: Update gnutls-cli and gnutls-serv --help output descriptions.
** API and ABI modifications:
No changes since last version.
* Version 2.7.5 (released 2009-02-06)
** libgnutls: Accept chains where intermediary certs are trusted.
Before GnuTLS needed to validate the entire chain back to a
self-signed certificate. GnuTLS will now stop looking when it has
found an intermediary trusted certificate. The new behaviour is
useful when chains, for example, contains a top-level CA, an
intermediary CA signed using RSA-MD5, and an end-entity certificate.
To avoid chain validation errors due to the RSA-MD5 cert, you can
explicitly add the intermediary RSA-MD5 cert to your trusted certs.
The signature on trusted certificates are not checked, so the chain
has a chance to validate correctly. Reported by "Douglas E. Engert"
<deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.
** libgnutls: result_size in gnutls_hex_encode now holds
the size of the result. Report by John Brooks <special@dereferenced.net>.
** libgnutls: gnutls_handshake when sending client hello during a
rehandshake, will not offer a version number larger than the current.
Reported by Tristan Hill <stan@saticed.me.uk>.
** libgnutls: Permit V1 Certificate Authorities properly.
Before they were mistakenly rejected even though
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied. Reported by
"Douglas E. Engert" <deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.
** API and ABI modifications:
No changes since last version.
* Version 2.7.4 (released 2009-01-07)
** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures.
This is a bugfix -- the previous attempt to do this from internal x509
certificate verification procedures did not return the correct value
for certificates using a weak hash. Reported by Daniel Kahn Gillmor
<dkg@fifthhorseman.net> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>,
debugged and patch by Tomas Mraz <tmraz@redhat.com> and Daniel Kahn
Gillmor <dkg@fifthhorseman.net>.
** libgnutls: New interface to get key id for certificate requests.
Patch from David Marín Carreño <davefx@gmail.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3321>.
** libgnutls: gnutls_x509_crq_print will now also print public key id.
** certtool: --verify-chain now prints results of using library verification.
Earlier, certtool --verify-chain used its own validation algorithm
which wasn't guaranteed to give the same result as the libgnutls
internal validation algorithm. Now this command print a new final
line with header 'Chain verification output:' that contains the result
from using the internal verification algorithm on the same chain.
** tests: Add crq_key_id self-test of gnutls_x509_crq_get_key_id.
** API and ABI modifications:
gnutls_x509_crq_get_key_id: ADDED.
* Version 2.7.3 (released 2008-12-10)
** libgnutls: Fix chain verification for chains that ends with RSA-MD2 CAs.
Reported by Michael Kiefer <Michael-Kiefer@web.de> in
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507633> forwarded by
Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3309>.
** libgnutls: Libgcrypt initialization changed.
If libgcrypt has not already been initialized, GnuTLS will now
initialize libgcrypt with disabled secure memory. Initialize
libgcrypt explicitly in your application if you want to enable secure
memory. Before GnuTLS initialized libgcrypt to use GnuTLS's memory
allocation functions, which doesn't use secure memory, so there is no
real change in behaviour.
** libgnutls: Fix memory leak in PSK authentication.
Reported by Michael Weiser <michael@weiser.dinsnail.net> in
<http://permalink.gmane.org/gmane.network.gnutls.general/1465>.
** libgnutls: Small byte reads via gnutls_record_recv() optimized.
** certtool: Move gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0) call earlier.
It needs to be invoked before libgcrypt is initialized.
** gnutls-cli: Return non-zero exit code on error conditions.
** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.
** tests: Added chainverify self-test that tests X.509 chain verifications.
** API and ABI modifications:
No changes since last version.
* Version 2.7.2 (released 2008-11-18)
** libgnutls: Fix X.509 certificate chain validation error. [GNUTLS-SA-2008-3]
The flaw makes it possible for man in the middle attackers (i.e.,
active attackers) to assume any name and trick GNU TLS clients into
trusting that name. Thanks for report and analysis from Martin von
Gagern <Martin.vGagern@gmx.net>. [CVE-2008-4989]
Any updates with more details about this vulnerability will be added
to <http://www.gnu.org/software/gnutls/security.html>
** libgnutls: Fix namespace issue with version symbols.
The symbols LIBGNUTLS_VERSION, LIBGNUTLS_VERSION_MAJOR,
LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, and
LIBGNUTLS_VERSION_NUMBER were renamed to GNUTLS_VERSION_NUMBER,
GNUTLS_VERSION_MAJOR, GNUTLS_VERSION_MINOR, GNUTLS_VERSION_PATCH, and
GNUTLS_VERSION_NUMBER respectively. The old symbols will continue to
work but are deprecated.
** certtool: allow setting arbitrary key purpose object identifiers.
** libgnutls: Fix detection of C99 macros, to make debug logging work again.
** libgnutls: Add missing prototype for gnutls_srp_set_prime_bits.
Reported by Kevin Quick <quick@sparq.org> in
<https://savannah.gnu.org/support/index.php?106454>.
** libgnutls-extra: Make building with LZO compression work again.
Build failure reported by Arfrever Frehtes Taifersar Arahesis
<arfrever.fta@gmail.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3194>.
** libgnutls: Change detection of when to use a linker version script.
Use --enable-ld-version-script or --disable-ld-version-script to
override auto-detection logic.
** doc: Change license on the manual to GFDLv1.3+.
** doc: GTK-DOC fixes for new splitted configuration system.
** doc: Texinfo stylesheet uses white background.
** tests: Add cve-2008-4989.c self-test.
Tests regressions of the GNUTLS-SA-2008-3 security problem, and the
follow-on problem with crashes on length 1 certificate chains.
** gnulib: Deprecated modules removed.
Modules include memchr and memcmp.
** Fix warnings and build GnuTLS with more warnings enabled.
** minitasn1: Internal copy updated to libtasn1 v1.7.
** API and ABI modifications:
gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION.
GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR.
GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR.
GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH.
GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER.
LIBGNUTLS_VERSION: DEPRECATED.
LIBGNUTLS_VERSION_MAJOR: DEPRECATED.
LIBGNUTLS_VERSION_MINOR: DEPRECATED.
LIBGNUTLS_VERSION_PATCH: DEPRECATED.
LIBGNUTLS_VERSION_NUMBER: DEPRECATED.
* Version 2.7.1 (released 2008-10-31)
** certtool: print a PKCS #8 key even if it is not encrypted.
** Old libgnutls.m4 and libgnutls-config scripts removed.
Please use pkg-config instead.
** Configuration system modified.
There is now a configure script in lib/ and libextra/ as well, because
gnulib works better with a config.h per gnulib directory.
** API and ABI modifications:
No changes since last version.
* Version 2.7.0 (released 2008-10-16)
** libgnutls: Added functions to handle CRL extensions.
** libgnutls: Added functions to handle X.509 extensions in Certificate
Requests.
** libgnutls: Improved error string for GNUTLS_E_AGAIN.
Suggested by "Lavrentiev, Anton (NIH/NLM/NCBI) [C]" <lavr@ncbi.nlm.nih.gov>.
** certtool: Print and set CRL and CRQ extensions.
** libgnutls-extra: Protect internal symbols with static.
Fixes problem when linking certtool statically. Tiny patch from Aaron
Ucko <ucko@ncbi.nlm.nih.gov>.
** libgnutls-openssl: fix out of bounds access.
Problem in X509_get_subject_name and X509_get_issuer_name. Tiny patch
from Thomas Viehmann <tv@beamnet.de>.
** libgnutlsxx: Define server_session::get_srp_username even if no SRP.
** tests: Make tests compile when using internal libtasn1.
Patch by ludo@gnu.org (Ludovic Courtès).
** Changed detection of libtasn1 and libgcrypt to avoid depending on *-config.
We now require a libgcrypt that has Camellia constants declared in
gcrypt.h, which means v1.3.0 or later.
** API and ABI modifications:
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED
* Version 2.6.6 (released 2009-04-30)
libgnutls: Corrected double free on signature verification failure.
Reported by Miroslav Kratochvil. See the advisory
for more details. [GNUTLS-SA-2009-1] [CVE-2009-1415]
libgnutls: Fix DSA key generation.
Noticed when investigating the previous GNUTLS-SA-2009-1 problem. All
DSA keys generated using GnuTLS 2.6.x are corrupt. See the advisory
for more details. [GNUTLS-SA-2009-2] [CVE-2009-1416]
libgnutls: Check expiration/activation time on untrusted certificates.
Reported by Romain Francoise. Before the
library did not check activation/expiration times on certificates, and
was documented as not doing so. We have realized that many
applications that use libgnutls, including gnutls-cli, fail to perform
proper checks. Implementing similar logic in all applications leads
to code duplication. Hence, we decided to check whether the current
time (as reported by the time function) is within the
activation/expiration period of certificates when verifying untrusted
certificates.
This changes the semantics of gnutls_x509_crt_list_verify, which in
turn is used by gnutls_certificate_verify_peers and
gnutls_certificate_verify_peers2. We add two new
gnutls_certificate_status_t codes for reporting the new error
condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED. We also
add a new gnutls_certificate_verify_flags flag,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new
behaviour.
API and ABI modifications:
gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.
* Version 2.6.5 (released 2009-04-11)
** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to
specify the client hello message record version. Used to overcome buggy
TLS servers. Report by Martin von Gagern.
** GnuTLS no longer uses the libtasn1-config script to find libtasn1.
Libtasn1 0.3.4 or later is required. This is to align with the
upcoming libtasn1 v2.0 release that doesn't have a libtasn1-script.
** API and ABI modifications:
No changes since last version.
