2016-12-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/key-tests/Makefile.am: tests: added missing test in dist

2016-12-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/starttls.sh: tests: corrected typos in starttls.sh
	This allows to detect chat in most systems.

2016-12-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, configure.ac, m4/hooks.m4: bumped version

2016-12-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am,
	tests/rsa-md5-collision/colliding-chain-md5-1.pem,
	tests/rsa-md5-collision/colliding-chain-md5-2.pem,
	tests/rsa-md5-collision/rsa-md5-collision.sh: tests: reduced the
	intermediate steps in rsa-md5-collision

2016-12-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure: break after finding the first libtspi
	It may happen that multiple versions are available on a system, and
	by using the first one we ensure that we are using the 64-bit
	version on 64-bit system, instead of falling back to the 32-bit.

2016-12-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-12-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/keygen.c: tests: added operational -sign/verify- tests in
	keygen app
	This will check that a generated key is immediately usable for
	operations.

2016-12-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey.c: gnutls_x509_privkey_cpy: use
	_gnutls_pk_params_copy
	This ensures that all fields of parameters are copied. Inspired by
	patch of Dmitry Eremin-Solenikov.

2016-12-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/keygen.c: tests: enhanced keygen to include check of
	gnutls_x509_privkey_cpy

2016-12-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/crl_apis.c: tests: added tests for CRL
	generation APIs

2016-12-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/crl_write.c: x509 crl: document the nextUpdate field
	limitation

2016-12-06  Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

	* src/certtool.c, tests/cert-tests/data/arb-extensions.csr,
	tests/cert-tests/data/template-tlsfeature.csr: Don't trash DER CRQ
	output with text data
	Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

2016-12-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/crl_write.c: x509 crl: Allow generation of CRLs not to
	specify a nextUpdate

2016-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update [ci skip]

2016-12-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-overhead.c: tests: updated overhead calculation for new
	code

2016-11-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/dtls.c: DTLS: more precise overhead calculation
	That takes into account space available due to padding, and allows
	it to be included for use in the gnutls_get_data_mtu().  Resolves #140

2016-11-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/dtls1-2-mtu-check.c: tests: added check
	for MTU calculation on DTLS 1.2

2016-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/Makefile.am: src: clean all stamp files on 'make clean'

2016-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure: search 64-bit paths for libtspi before
	32-bit paths
	That is, because 64-bit systems may have both 64-bit and 32-bit
	paths while 32-bit systems only the latter.

2016-12-03  James Bottomley <James.Bottomley@HansenPartnership.com>

	* lib/tpm.c: tpm: fix handling of keys requiring authorization
	There are several problems with the key handling in the tpm code.
	The first, and most serious, is that we should make sure we
	understand the authorization requirements of a key *before* using
	it.  The reason for this is that the TPM has a dictionary attack
	defence and is programmed to lock up after a certain number of
	authorization failures (which can be very small).  If we try first
	without authorization, we may lock up the TPM.  The fix for this is
	to check whether authorization is required and supply it before
	using the key.
	Secondly, if the key does require authorization but no password is
	supplied we should return immediately, since we know the TPM will
	give us an authorization error anyway.
	Thirdly, we should unconditionally read the policy of the key rather
	than checking if a policy exists: Policies are tied to key objects,
	so if there is an old policy in s->tpm_key_policy, but we're
	creating a new key, the key it belonged to will be closed, meaning
	the policy will be invalid.  Fix this by always setting the policy
	each time we get a new key object.
	Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

2016-12-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/abstract_int.h, lib/privkey.c, lib/tpm.c: In
	import_tpm_key_cb() fix the wrong password loop
	When calling import_tpm_key() once it initializes the key, but a
	second call fails due to the key being already initialized. Ensure
	that failure of import_tpm_key() leaves the key on a clear state.
	Reported by James Bottomley <James.Bottomley@HansenPartnership.com>.

2016-12-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/gl/Makefile.am, src/gl/accept.c, src/gl/alloca.in.h,
	src/gl/arpa_inet.in.h, src/gl/asnprintf.c, src/gl/basename-lgpl.c,
	src/gl/bind.c, src/gl/c-ctype.c, src/gl/c-ctype.h, src/gl/close.c,
	src/gl/connect.c, src/gl/dirname-lgpl.c, src/gl/dirname.h,
	src/gl/dosname.h, src/gl/dup2.c, src/gl/errno.in.h, src/gl/error.c,
	src/gl/error.h, src/gl/exitfail.c, src/gl/exitfail.h,
	src/gl/fd-hook.c, src/gl/fd-hook.h, src/gl/flexmember.h,
	src/gl/float+.h, src/gl/float.c, src/gl/float.in.h, src/gl/fseek.c,
	src/gl/fseeko.c, src/gl/fstat.c, src/gl/ftell.c, src/gl/ftello.c,
	src/gl/gai_strerror.c, src/gl/getaddrinfo.c, src/gl/getdelim.c,
	src/gl/getline.c, src/gl/getpass.c, src/gl/getpass.h,
	src/gl/getpeername.c, src/gl/getprogname.c, src/gl/getprogname.h,
	src/gl/gettext.h, src/gl/gettime.c, src/gl/gettimeofday.c,
	src/gl/inet_ntop.c, src/gl/inet_pton.c, src/gl/intprops.h,
	src/gl/itold.c, src/gl/limits.in.h, src/gl/listen.c,
	src/gl/lseek.c, src/gl/m4/00gnulib.m4,
	src/gl/m4/absolute-header.m4, src/gl/m4/alloca.m4,
	src/gl/m4/arpa_inet_h.m4, src/gl/m4/bison.m4,
	src/gl/m4/clock_time.m4, src/gl/m4/close.m4, src/gl/m4/dirname.m4,
	src/gl/m4/double-slash-root.m4, src/gl/m4/dup2.m4,
	src/gl/m4/eealloc.m4, src/gl/m4/environ.m4, src/gl/m4/errno_h.m4,
	src/gl/m4/error.m4, src/gl/m4/exponentd.m4,
	src/gl/m4/extensions.m4, src/gl/m4/extern-inline.m4,
	src/gl/m4/flexmember.m4, src/gl/m4/float_h.m4, src/gl/m4/fseek.m4,
	src/gl/m4/fseeko.m4, src/gl/m4/fstat.m4, src/gl/m4/ftell.m4,
	src/gl/m4/ftello.m4, src/gl/m4/getaddrinfo.m4,
	src/gl/m4/getdelim.m4, src/gl/m4/getline.m4, src/gl/m4/getpass.m4,
	src/gl/m4/getprogname.m4, src/gl/m4/gettime.m4,
	src/gl/m4/gettimeofday.m4, src/gl/m4/gnulib-cache.m4,
	src/gl/m4/gnulib-common.m4, src/gl/m4/gnulib-comp.m4,
	src/gl/m4/gnulib-tool.m4, src/gl/m4/hostent.m4,
	src/gl/m4/include_next.m4, src/gl/m4/inet_ntop.m4,
	src/gl/m4/inet_pton.m4, src/gl/m4/intmax_t.m4,
	src/gl/m4/inttypes_h.m4, src/gl/m4/largefile.m4,
	src/gl/m4/limits-h.m4, src/gl/m4/longlong.m4, src/gl/m4/lseek.m4,
	src/gl/m4/malloc.m4, src/gl/m4/malloca.m4, src/gl/m4/math_h.m4,
	src/gl/m4/memchr.m4, src/gl/m4/minmax.m4, src/gl/m4/mktime.m4,
	src/gl/m4/mmap-anon.m4, src/gl/m4/msvc-inval.m4,
	src/gl/m4/msvc-nothrow.m4, src/gl/m4/multiarch.m4,
	src/gl/m4/netdb_h.m4, src/gl/m4/netinet_in_h.m4,
	src/gl/m4/off_t.m4, src/gl/m4/parse-datetime.m4,
	src/gl/m4/printf.m4, src/gl/m4/read-file.m4, src/gl/m4/realloc.m4,
	src/gl/m4/select.m4, src/gl/m4/servent.m4, src/gl/m4/setenv.m4,
	src/gl/m4/signal_h.m4, src/gl/m4/size_max.m4,
	src/gl/m4/snprintf.m4, src/gl/m4/socketlib.m4,
	src/gl/m4/sockets.m4, src/gl/m4/socklen.m4, src/gl/m4/sockpfaf.m4,
	src/gl/m4/ssize_t.m4, src/gl/m4/stdalign.m4, src/gl/m4/stdbool.m4,
	src/gl/m4/stddef_h.m4, src/gl/m4/stdint.m4, src/gl/m4/stdint_h.m4,
	src/gl/m4/stdio_h.m4, src/gl/m4/stdlib_h.m4, src/gl/m4/strdup.m4,
	src/gl/m4/strerror.m4, src/gl/m4/strftime.m4,
	src/gl/m4/string_h.m4, src/gl/m4/sys_select_h.m4,
	src/gl/m4/sys_socket_h.m4, src/gl/m4/sys_stat_h.m4,
	src/gl/m4/sys_time_h.m4, src/gl/m4/sys_types_h.m4,
	src/gl/m4/sys_uio_h.m4, src/gl/m4/time_h.m4, src/gl/m4/time_r.m4,
	src/gl/m4/time_rz.m4, src/gl/m4/timegm.m4, src/gl/m4/timespec.m4,
	src/gl/m4/tm_gmtoff.m4, src/gl/m4/unistd_h.m4,
	src/gl/m4/vasnprintf.m4, src/gl/m4/warn-on-use.m4,
	src/gl/m4/wchar_h.m4, src/gl/m4/wchar_t.m4, src/gl/m4/wint_t.m4,
	src/gl/m4/xalloc.m4, src/gl/m4/xsize.m4, src/gl/malloc.c,
	src/gl/malloca.c, src/gl/malloca.h, src/gl/memchr.c,
	src/gl/minmax.h, src/gl/mktime-internal.h, src/gl/mktime.c,
	src/gl/msvc-inval.c, src/gl/msvc-inval.h, src/gl/msvc-nothrow.c,
	src/gl/msvc-nothrow.h, src/gl/netdb.in.h, src/gl/netinet_in.in.h,
	src/gl/parse-datetime.h, src/gl/parse-datetime.y,
	src/gl/printf-args.c, src/gl/printf-args.h, src/gl/printf-parse.c,
	src/gl/printf-parse.h, src/gl/progname.c, src/gl/progname.h,
	src/gl/read-file.c, src/gl/read-file.h, src/gl/realloc.c,
	src/gl/recv.c, src/gl/recvfrom.c, src/gl/select.c, src/gl/send.c,
	src/gl/sendto.c, src/gl/setenv.c, src/gl/setsockopt.c,
	src/gl/shutdown.c, src/gl/signal.in.h, src/gl/size_max.h,
	src/gl/snprintf.c, src/gl/socket.c, src/gl/sockets.c,
	src/gl/sockets.h, src/gl/stdalign.in.h, src/gl/stdbool.in.h,
	src/gl/stddef.in.h, src/gl/stdint.in.h, src/gl/stdio-impl.h,
	src/gl/stdio.in.h, src/gl/stdlib.in.h, src/gl/strdup.c,
	src/gl/strerror-override.c, src/gl/strerror-override.h,
	src/gl/strerror.c, src/gl/strftime.c, src/gl/strftime.h,
	src/gl/string.in.h, src/gl/stripslash.c, src/gl/sys_select.in.h,
	src/gl/sys_socket.c, src/gl/sys_socket.in.h, src/gl/sys_stat.in.h,
	src/gl/sys_time.in.h, src/gl/sys_types.in.h, src/gl/sys_uio.in.h,
	src/gl/time-internal.h, src/gl/time.in.h, src/gl/time_r.c,
	src/gl/time_rz.c, src/gl/timegm.c, src/gl/timespec.h,
	src/gl/unistd.c, src/gl/unistd.in.h, src/gl/unsetenv.c,
	src/gl/vasnprintf.c, src/gl/vasnprintf.h, src/gl/verify.h,
	src/gl/w32sock.h, src/gl/wchar.in.h, src/gl/xalloc-die.c,
	src/gl/xalloc-oversized.h, src/gl/xalloc.h, src/gl/xmalloc.c,
	src/gl/xsize.h: src gl: updated

2016-12-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* GNUmakefile, build-aux/gendocs.sh, build-aux/pmccabe2html,
	build-aux/snippet/arg-nonnull.h, build-aux/snippet/c++defs.h,
	build-aux/snippet/warn-on-use.h, build-aux/useless-if-before-free,
	build-aux/vc-list-files, doc/gendocs_template, gl/Makefile.am,
	gl/alloca.in.h, gl/getdelim.c, gl/iconv_open-aix.h,
	gl/iconv_open-hpux.h, gl/iconv_open-irix.h, gl/iconv_open-osf.h,
	gl/iconv_open-solaris.h, gl/intprops.h, gl/limits.in.h,
	gl/m4/extensions.m4, gl/m4/gnulib-cache.m4, gl/m4/gnulib-comp.m4,
	gl/m4/iconv.m4, gl/m4/limits-h.m4, gl/m4/manywarnings.m4,
	gl/m4/printf.m4, gl/m4/secure_getenv.m4, gl/m4/stdbool.m4,
	gl/m4/stdint.m4, gl/m4/stdio_h.m4, gl/m4/stdlib_h.m4,
	gl/m4/sys_types_h.m4, gl/m4/wchar_h.m4, gl/secure_getenv.c,
	gl/stdint.in.h, gl/stdlib.in.h, gl/string.in.h, gl/strverscmp.c,
	gl/sys_socket.in.h, gl/sys_time.in.h, gl/tests/Makefile.am,
	gl/tests/init.sh, gl/tests/test-iconv.c, gl/tests/test-init.sh,
	gl/tests/test-intprops.c, gl/tests/test-limits-h.c,
	gl/tests/test-stdint.c, gl/tests/test-strverscmp.c,
	gl/vasnprintf.c, gl/verify.h, gl/wchar.in.h, lib/Makefile.am,
	lib/gnutls.pc.in, maint.mk: gl: removed iconv module
	It is no longer used by the library.

2016-12-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure.ac: detect trousers library on debian

2016-12-03  Andreas Metzler <ametzler@bebt.de>

	* configure.ac: Prevent unwanted linkage to -lhogweed
	Specify action-if-found for AC_CHECK_LIB when checking for !SuiteB
	curves to keep autoconf from adding -lhogweed to LIBS. This caused
	linkage of e.g. openssl wrapper and C++ library to -lhogweed. The
	issue only shows up if --disable-libdane is specified, since the
	dane autoconf test resets LIBS.

2016-12-02  James Bottomley <James.Bottomley@HansenPartnership.com>

	* configure.ac: Fix inability to find libtspi (trousers) on openSUSE
	For distro reasons, the path on openSUSE is /lib[64]/libtspi.so.1
	which the current code doesn't find.  Fix this by having it search
	all viable system library locations (/lib /lib64 /usr/lib and
	/usr/lib/lib64)
	Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

2016-12-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509: fixed output of pubkey

2016-12-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/crl_write.c, lib/x509/x509_write.c: doc: document the
	fact that certificates and CRLs are unusable after generation
	They must be exported and re-imported if intended to be used for
	signing or verification.

2016-12-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/crl_write.c, lib/x509/x509_write.c: doc: no longer list
	SHA1 as a safe choice in X.509 signing

2016-12-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: prevent null termination of buffers
	allocated with fread_file()
	We do not know whether their allocated size allows for that
	additional null, and we do not need the null termination.

2016-12-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify.c: gnutls_x509_crl_verify: always return zero on
	success
	Also document that in previous versions a positive number could be
	returned on success. Reported by Adrien Beraud.

2016-12-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-usage-ecdhe-rsa.c, tests/key-usage-rsa.c: tests:
	corrected space-tab issue

2016-12-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-12-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/tls-sig.c: Improved messages and violation handling in
	signature key usage checks
	This will now tolerate violations in server certificate, if
	%DEBUG_ALLOW_KEY_USAGE_VIOLATIONS is set.

2016-12-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/cert.c, lib/cert.c, lib/x509.c, lib/x509.h: Removed
	redundant certificate key usage checks.
	There were redundant checks when a certificate was obtained, as well
	as prior to performing operations with certificates/pubkeys.  Kept
	the checks prior to operations.

2016-12-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms.h, lib/algorithms/publickey.c, lib/cert.c,
	lib/handshake.c: _gnutls_map_pk_get_pk -> _gnutls_map_kx_get_pk

2016-11-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/state.c: gnutls_kx_get: allow calling the function during
	handshake
	Previously this function would return garbage during handshake,
	because parameters were not considered established, however there
	are valid uses of this function during it. For that reason this
	function is modified to return a correct value even during handshake
	(after a hello is being exchanged).

2016-11-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509.c: _gnutls_check_key_usage: check for invalid key
	exchange algorithm
	Reported by Dmitry Eremin-Solenikov.

2016-11-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/key-usage-ecdhe-rsa.c,
	tests/{key-usage.c => key-usage-rsa.c}: tests: added checks on
	signature key usage violations

2016-12-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added docker tag on mingw builds
	That ensures that these builds are done on the gitlab.com runners
	which run as privileged containers (and thus have access to mount).

2016-11-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey.c: privkey: set the key parameters algorithm
	prior to returning success

2016-11-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/key_decode.c: When decoding a public key ensure that
	algorithm is written in the params struct
	Reported by Dmitry Eremin-Solenikov.

2016-11-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* cfg.mk: cfg.mk: disable checks for public submodule updates in CI

2016-11-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: do not require update to
	/proc/sys/fs/binfmt_misc to succeed
	In some CI systems, it is not possible to write to this filesystem,
	and they already have the wine executable registered. In the case we
	cannot write proceed to running the check and hope for the best.

2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/rsa-md5-collision/rsa-md5-collision.sh: tests: use datefudge
	in rsa-md5-collision check
	This makes sure that any failure detected is not because of expired
	certificates, but because of MD5 being disabled.

2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore, src/Makefile.am: tools: use stamp files to allow
	parallel build of autogen files
	Autogen seems to output on the created files gradually, something
	that makes 'make' believe that the command is complete prior to the
	output file being fully populated. The current approach uses stamp
	files to ensure that no incomplete files are used for compilation.

2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* guile/tests/priorities.scm: guile: do not use +COMP-DEFLATE in
	priorities test
	This allows the test to work even in the cases where gnutls is
	compiled without zlib support.

2016-11-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml, cfg.mk: moved all syntax check exceptions in
	cfg.mk

2016-11-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added zlib dependency

2016-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: fixed artifacts paths for Debian
	build

2016-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/str-unicode.c: tests: str-unicode: check whether exceptions
	are tolerated on decryption

2016-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/str-unicode.c: tests: added exception and join control
	characters in str-unicode

2016-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* cfg.mk, lib/unistring/Makefile.am,
	lib/unistring/m4/gnulib-cache.m4, lib/unistring/m4/gnulib-comp.m4,
	lib/unistring/unictype/pr_join_control.c,
	lib/unistring/unictype/pr_join_control.h: unistring: added
	property-join-control

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* cfg.mk, lib/unistring/Makefile.am,
	lib/unistring/m4/gnulib-cache.m4, lib/unistring/m4/gnulib-comp.m4,
	lib/unistring/unictype/pr_default_ignorable_code_point.c,
	lib/unistring/unictype/pr_default_ignorable_code_point.h,
	lib/unistring/unictype/pr_not_a_character.c,
	lib/unistring/unictype/pr_not_a_character.h: unistring: added
	default_ignorable_code_point and not_a_character tests

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* cfg.mk, lib/unistring/Makefile.am,
	lib/unistring/m4/gnulib-cache.m4, lib/unistring/m4/gnulib-comp.m4,
	lib/unistring/uninorm/compat-decomposition.c,
	lib/unistring/uninorm/decomposition.c,
	lib/unistring/uninorm/nfkc.c, lib/unistring/uninorm/nfkd.c: 
	unistring: added NFKC normalization

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* cfg.mk, lib/unistring/unicase/special-casing-table.h,
	lib/unistring/unictype/categ_C.c, lib/unistring/unictype/categ_C.h,
	lib/unistring/unictype/categ_Cc.c,
	lib/unistring/unictype/categ_Cc.h,
	lib/unistring/unictype/categ_Cf.c,
	lib/unistring/unictype/categ_Cf.h,
	lib/unistring/unictype/categ_Cn.c,
	lib/unistring/unictype/categ_Cn.h,
	lib/unistring/unictype/categ_Co.c,
	lib/unistring/unictype/categ_Co.h,
	lib/unistring/unictype/categ_Cs.c,
	lib/unistring/unictype/categ_Cs.h,
	lib/unistring/unictype/categ_L.c, lib/unistring/unictype/categ_L.h,
	lib/unistring/unictype/categ_LC.c,
	lib/unistring/unictype/categ_LC.h,
	lib/unistring/unictype/categ_Ll.c,
	lib/unistring/unictype/categ_Ll.h,
	lib/unistring/unictype/categ_Lm.c,
	lib/unistring/unictype/categ_Lm.h,
	lib/unistring/unictype/categ_Lo.c,
	lib/unistring/unictype/categ_Lo.h,
	lib/unistring/unictype/categ_Lt.c,
	lib/unistring/unictype/categ_Lt.h,
	lib/unistring/unictype/categ_Lu.c,
	lib/unistring/unictype/categ_Lu.h,
	lib/unistring/unictype/categ_M.c, lib/unistring/unictype/categ_M.h,
	lib/unistring/unictype/categ_Mc.c,
	lib/unistring/unictype/categ_Mc.h,
	lib/unistring/unictype/categ_Me.c,
	lib/unistring/unictype/categ_Me.h,
	lib/unistring/unictype/categ_Mn.c,
	lib/unistring/unictype/categ_Mn.h,
	lib/unistring/unictype/categ_N.c, lib/unistring/unictype/categ_N.h,
	lib/unistring/unictype/categ_Nd.c,
	lib/unistring/unictype/categ_Nd.h,
	lib/unistring/unictype/categ_Nl.c,
	lib/unistring/unictype/categ_Nl.h,
	lib/unistring/unictype/categ_No.c,
	lib/unistring/unictype/categ_No.h,
	lib/unistring/unictype/categ_P.c, lib/unistring/unictype/categ_P.h,
	lib/unistring/unictype/categ_Pc.c,
	lib/unistring/unictype/categ_Pc.h,
	lib/unistring/unictype/categ_Pd.c,
	lib/unistring/unictype/categ_Pd.h,
	lib/unistring/unictype/categ_Pe.c,
	lib/unistring/unictype/categ_Pe.h,
	lib/unistring/unictype/categ_Pf.c,
	lib/unistring/unictype/categ_Pf.h,
	lib/unistring/unictype/categ_Pi.c,
	lib/unistring/unictype/categ_Pi.h,
	lib/unistring/unictype/categ_Po.c,
	lib/unistring/unictype/categ_Po.h,
	lib/unistring/unictype/categ_Ps.c,
	lib/unistring/unictype/categ_Ps.h,
	lib/unistring/unictype/categ_S.c, lib/unistring/unictype/categ_S.h,
	lib/unistring/unictype/categ_Sc.c,
	lib/unistring/unictype/categ_Sc.h,
	lib/unistring/unictype/categ_Sk.c,
	lib/unistring/unictype/categ_Sk.h,
	lib/unistring/unictype/categ_Sm.c,
	lib/unistring/unictype/categ_Sm.h,
	lib/unistring/unictype/categ_So.c,
	lib/unistring/unictype/categ_So.h,
	lib/unistring/unictype/categ_Z.c, lib/unistring/unictype/categ_Z.h,
	lib/unistring/unictype/categ_Zl.c,
	lib/unistring/unictype/categ_Zl.h,
	lib/unistring/unictype/categ_Zp.c,
	lib/unistring/unictype/categ_Zp.h,
	lib/unistring/unictype/categ_and.c,
	lib/unistring/unictype/categ_and_not.c,
	lib/unistring/unictype/categ_byname.c,
	lib/unistring/unictype/categ_byname.gperf,
	lib/unistring/unictype/categ_longname.c,
	lib/unistring/unictype/categ_name.c,
	lib/unistring/unictype/categ_none.c,
	lib/unistring/unictype/categ_of.c,
	lib/unistring/unictype/categ_of.h,
	lib/unistring/unictype/categ_or.c: unistring: included all possible
	categories for simplicity and extensibility

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/str-unicode.c: tests: enhanced str-unicode with more char
	sets

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.c, lib/includes/gnutls/gnutls.h.in, lib/str-unicode.c: 
	gnutls_utf8_password_normalize: perform more strict check on input
	characters
	That is, ensure that the input characters are in the valid class of
	characters for the PRECIS FreeformClass.

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/str-unicode.c: tests: fixed str-unicode tests with control
	characters

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/str-unicode.c: gnutls_utf8_password_normalize: avoid use of
	strlen()

2016-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/pkcs12: tests:
	added pkcs12 file with long password

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/Makefile.am, lib/{system/iconv.c => str-iconv.c}: renamed
	system/iconv.c -> str-iconv.c
	We no longer use the system's functionality for converting between
	charsets (we use libunistring), hence it is no longer suitable for
	the wrappers to stay in system/.

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509: when printing ACE DNSnames ensure the
	actual name is also printed

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/str-idna.c: tests: added unit tests of
	_gnutls_idna_reverse_map

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/libgnutls.map, lib/str-unicode.c, lib/str.h: introduced
	_gnutls_idna_reverse_map()
	This function allows mapping ACE formatted domains to UTF-8.

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/common.c, lib/x509/output.c: Combined checks for
	printable characters

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-11-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/crt_apis.c: tests: updated crt_apis to include setting UTF-8
	SAN

2016-11-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/crq_apis.c: tests: updated crq_apis to include setting UTF-8
	SAN

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/str-unicode.c: gnutls_idna_map: check for printable data prior
	to mapping

2016-11-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/virt-san.c, lib/x509/x509_ext.c, lib/x509/x509_ext_int.h: 
	gnutls_x509_aia_set: IDNA encode when needed

2016-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.c, lib/includes/gnutls/gnutls.h.in, lib/str-unicode.c,
	lib/str.h, lib/x509/crq.c, lib/x509/email-verify.c,
	lib/x509/virt-san.c, lib/x509/virt-san.h, lib/x509/x509_dn.c,
	lib/x509/x509_ext.c, lib/x509/x509_write.c: When writing alternative
	names to certificates ensure we write in ACE format

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/data/openssl-keyid.p7b.out, tests/cert-tests/pkcs7: 
	tests: added pkcs7 verification with struct generated from openssl
	(with keyid)

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/data/openssl.p7b.out, tests/cert-tests/pkcs7: 
	tests: added pkcs7 verification with struct generated from openssl

2016-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/credentials/x509/Makefile.am,
	doc/credentials/x509/cert-ecc-sign.pem: doc: added certificate for
	ECC with any purpose

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.c, lib/includes/gnutls/gnutls.h.in, lib/x509/pkcs7.c: 
	pkcs7: return GNUTLS_E_PK_SIG_VERIFY_FAILED on hash mismatch
	In addition introduce a new error code to warn about no embedded
	data.

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-output.c: pkcs7: only print signer's issuer DN when
	DN has contents

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7.c: pkcs7: added recursive discovery of structure's
	signer
	This uses the PKCS#7 certificate list as a pool of certificates to
	generate a certificate chain that leads to our root CAs.

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7.c: pkcs7: on data verification failure log the
	signer

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/data/pkcs7-cat-ca.pem, tests/cert-tests/pkcs7-cat: 
	tests: added complex verification example using PKCS#7
	That uses multiple intermediate certificates from the PKCS#7
	structure.

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify-high.c: doc: updated
	gnutls_x509_trust_list_verify_crt2()

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7.c: pkcs7: pass the verification flags down to
	gnutls_x509_trust_list_verify_crt2, in find_signer()
	This allows for flags like GNUTLS_VERIFY_DISABLE_TIME_CHECKS to
	apply when verifying PKCS#7 structures.

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7.c: pkcs7: corrected iteration over stored
	certificates
	This allows to use all possibly stored certificates on chain
	discovery, not only the first.

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7.c: pkcs7: added debug logging on verification
	discovery

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.h: errors.h: added _gnutls_reason_log

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.h: errors.h: added _gnutls_cert_log
	This log function allows to easily log the name of a certificate.

2016-11-24  Andreas Schneider <asn@samba.org>

	* src/certtool.c: certtool: One if check is enough
	Signed-off-by: Andreas Schneider <asn@samba.org>

2016-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/server_name.c: corrected log message [ci skip]

2016-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/libgnutls.map, lib/str-unicode.c, lib/str.h, tests/str-idna.c: 
	gnutls_idna_map was prefixed with underscore to avoid clashes with
	exported symbols

2016-11-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: more files to ignore

2016-11-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/str.c, lib/x509/common.c, lib/x509/output.c: avoid the use of
	c_isascii() and use c_isprint()
	The latter detects correctly the printable characters we are
	interested in.

2016-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/str-idna.c: tests: added unit tests for
	gnutls_idna_map()

2016-11-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/server_name.c, lib/libgnutls.map, lib/str-unicode.c,
	lib/str.h, lib/x509.c, lib/x509/Makefile.am,
	lib/x509/email-verify.c, lib/x509/gnutls-idna.h,
	lib/x509/hostname-verify.c, lib/x509/output.c,
	lib/x509/pkcs7-output.c: IDNA code re-organization
	That introduces the internal function gnutls_idna_map(), which
	utilizes libidn and libunistring to convert hostnames to IDNA ACE
	form.

2016-11-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/data/aki-cert.pem,
	tests/cert-tests/data/arb-extensions.csr,
	tests/cert-tests/data/bmpstring.pem,
	tests/cert-tests/data/ca-no-pathlen.pem,
	tests/cert-tests/data/complex-cert.pem,
	tests/cert-tests/data/gost-cert.pem,
	tests/cert-tests/data/long-oids.pem,
	tests/cert-tests/data/multi-value-dn.pem,
	tests/cert-tests/data/name-constraints-ip2.pem,
	tests/cert-tests/data/no-ca-or-pathlen.pem,
	tests/cert-tests/data/template-tlsfeature.csr,
	tests/cert-tests/data/very-long-dn.pem,
	tests/cert-tests/data/xmpp-othername.pem, tests/dn2.c: tests:
	updated outputs to reflect new fingerprint/keyid formats

2016-11-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/aki, tests/cert-tests/pathlen: tests: made tmp
	files unique

2016-11-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-11-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: Align the printing of a certificate's
	fingerprint with the key ID printing

2016-11-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c, src/certtool-common.c: Print a key's or
	certificate's key ID with SHA256 in addition to SHA1

2016-11-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-cfg.c: certtool: address compiler warnings

2016-11-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-bib.texi, doc/cha-gtls-app.texi, doc/latex/gnutls.bib: 
	doc: document the RFC7613 normalization of passwords [ci skip]

2016-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* cfg.mk, lib/unistring/Makefile.am,
	lib/unistring/array-mergesort.h, lib/unistring/limits.in.h,
	lib/unistring/m4/gnulib-cache.m4, lib/unistring/m4/gnulib-comp.m4,
	lib/unistring/stdbool.in.h, lib/unistring/stdint.in.h,
	lib/unistring/sys_types.in.h, lib/unistring/unictype.in.h,
	lib/unistring/unictype/bitmap.h, lib/unistring/unictype/categ_C.c,
	lib/unistring/unictype/categ_C.h,
	lib/unistring/unictype/categ_Cc.c,
	lib/unistring/unictype/categ_Cc.h,
	lib/unistring/unictype/categ_Cf.c,
	lib/unistring/unictype/categ_Cf.h,
	lib/unistring/unictype/categ_Cn.c,
	lib/unistring/unictype/categ_Cn.h,
	lib/unistring/unictype/categ_Co.c,
	lib/unistring/unictype/categ_Co.h,
	lib/unistring/unictype/categ_Cs.c,
	lib/unistring/unictype/categ_Cs.h,
	lib/unistring/unictype/categ_L.c, lib/unistring/unictype/categ_L.h,
	lib/unistring/unictype/categ_LC.c,
	lib/unistring/unictype/categ_LC.h,
	lib/unistring/unictype/categ_Ll.c,
	lib/unistring/unictype/categ_Ll.h,
	lib/unistring/unictype/categ_Lm.c,
	lib/unistring/unictype/categ_Lm.h,
	lib/unistring/unictype/categ_Lo.c,
	lib/unistring/unictype/categ_Lo.h,
	lib/unistring/unictype/categ_Lt.c,
	lib/unistring/unictype/categ_Lt.h,
	lib/unistring/unictype/categ_Lu.c,
	lib/unistring/unictype/categ_Lu.h,
	lib/unistring/unictype/categ_M.c, lib/unistring/unictype/categ_M.h,
	lib/unistring/unictype/categ_Mc.c,
	lib/unistring/unictype/categ_Mc.h,
	lib/unistring/unictype/categ_Me.c,
	lib/unistring/unictype/categ_Me.h,
	lib/unistring/unictype/categ_Mn.c,
	lib/unistring/unictype/categ_Mn.h,
	lib/unistring/unictype/categ_N.c, lib/unistring/unictype/categ_N.h,
	lib/unistring/unictype/categ_Nd.c,
	lib/unistring/unictype/categ_Nd.h,
	lib/unistring/unictype/categ_Nl.c,
	lib/unistring/unictype/categ_Nl.h,
	lib/unistring/unictype/categ_No.c,
	lib/unistring/unictype/categ_No.h,
	lib/unistring/unictype/categ_P.c, lib/unistring/unictype/categ_P.h,
	lib/unistring/unictype/categ_Pc.c,
	lib/unistring/unictype/categ_Pc.h,
	lib/unistring/unictype/categ_Pd.c,
	lib/unistring/unictype/categ_Pd.h,
	lib/unistring/unictype/categ_Pe.c,
	lib/unistring/unictype/categ_Pe.h,
	lib/unistring/unictype/categ_Pf.c,
	lib/unistring/unictype/categ_Pf.h,
	lib/unistring/unictype/categ_Pi.c,
	lib/unistring/unictype/categ_Pi.h,
	lib/unistring/unictype/categ_Po.c,
	lib/unistring/unictype/categ_Po.h,
	lib/unistring/unictype/categ_Ps.c,
	lib/unistring/unictype/categ_Ps.h,
	lib/unistring/unictype/categ_S.c, lib/unistring/unictype/categ_S.h,
	lib/unistring/unictype/categ_Sc.c,
	lib/unistring/unictype/categ_Sc.h,
	lib/unistring/unictype/categ_Sk.c,
	lib/unistring/unictype/categ_Sk.h,
	lib/unistring/unictype/categ_Sm.c,
	lib/unistring/unictype/categ_Sm.h,
	lib/unistring/unictype/categ_So.c,
	lib/unistring/unictype/categ_So.h,
	lib/unistring/unictype/categ_Z.c, lib/unistring/unictype/categ_Z.h,
	lib/unistring/unictype/categ_Zl.c,
	lib/unistring/unictype/categ_Zl.h,
	lib/unistring/unictype/categ_Zp.c,
	lib/unistring/unictype/categ_Zp.h,
	lib/unistring/unictype/categ_Zs.c,
	lib/unistring/unictype/categ_and.c,
	lib/unistring/unictype/categ_and_not.c,
	lib/unistring/unictype/categ_byname.c,
	lib/unistring/unictype/categ_byname.gperf,
	lib/unistring/unictype/categ_longname.c,
	lib/unistring/unictype/categ_name.c,
	lib/unistring/unictype/categ_none.c,
	lib/unistring/unictype/categ_of.c,
	lib/unistring/unictype/categ_of.h,
	lib/unistring/unictype/categ_or.c,
	lib/unistring/unictype/categ_test.c,
	lib/unistring/unictype/combiningclass.c,
	lib/unistring/uninorm.in.h,
	lib/unistring/uninorm/canonical-decomposition.c,
	lib/unistring/uninorm/composition-table.gperf,
	lib/unistring/uninorm/composition.c,
	lib/unistring/uninorm/decompose-internal.c,
	lib/unistring/uninorm/decompose-internal.h,
	lib/unistring/uninorm/decomposition-table.c,
	lib/unistring/uninorm/decomposition-table.h,
	lib/unistring/uninorm/nfc.c, lib/unistring/uninorm/nfd.c,
	lib/unistring/uninorm/normalize-internal.h,
	lib/unistring/uninorm/u-normalize-internal.h,
	lib/unistring/uninorm/u16-normalize.c,
	lib/unistring/uninorm/u32-normalize.c,
	lib/unistring/uninorm/u8-normalize.c, lib/unistring/unistr.in.h,
	lib/unistring/unistr/u-cpy.h, lib/unistring/unistr/u16-cpy.c,
	lib/unistring/unistr/u16-mbtouc-unsafe-aux.c,
	lib/unistring/unistr/u16-mbtouc-unsafe.c,
	lib/unistring/unistr/u16-mbtoucr.c,
	lib/unistring/unistr/u16-to-u8.c,
	lib/unistring/unistr/u16-uctomb-aux.c,
	lib/unistring/unistr/u16-uctomb.c, lib/unistring/unistr/u32-cpy.c,
	lib/unistring/unistr/u32-mbtouc-unsafe.c,
	lib/unistring/unistr/u32-to-u8.c,
	lib/unistring/unistr/u32-uctomb.c, lib/unistring/unistr/u8-check.c,
	lib/unistring/unistr/u8-cpy.c,
	lib/unistring/unistr/u8-mbtouc-unsafe-aux.c,
	lib/unistring/unistr/u8-mbtouc-unsafe.c,
	lib/unistring/unistr/u8-mbtoucr.c,
	lib/unistring/unistr/u8-to-u16.c, lib/unistring/unistr/u8-to-u32.c,
	lib/unistring/unistr/u8-uctomb-aux.c,
	lib/unistring/unistr/u8-uctomb.c, lib/unistring/unitypes.in.h: 
	unistring: include only the required categories
	In addition fix the license text of the included library.

2016-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/server_name.c: server_name: log server name sent

2016-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509/output: improve log message on embedded
	null

2016-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* build-aux/snippet/unused-parameter.h: build-aux: added
	unused-parameter.h

2016-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: explicitly specify
	--with-included-unistring when needed

2016-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* m4/hooks.m4: hooks.m4: corrected typo

2016-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: ignore syntax-check issues caused
	by included unistring

2016-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: more files to ignore

2016-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, lib/str-unicode.c, lib/str.h, lib/system/iconv.c,
	tests/conv-utf8.c, tests/str-unicode.c: unconditionally include
	unistring code
	That simplifies internationalization support, at the cost of
	including a version of libunistring, which is used on systems which
	do not ship it.

2016-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am, cfg.mk, configure.ac, lib/Makefile.am,
	lib/unistring/Makefile.am, lib/unistring/array-mergesort.h,
	lib/unistring/limits.in.h, lib/unistring/m4/00gnulib.m4,
	lib/unistring/m4/absolute-header.m4,
	lib/unistring/m4/gnulib-cache.m4,
	lib/unistring/m4/gnulib-common.m4, lib/unistring/m4/gnulib-comp.m4,
	lib/unistring/m4/gnulib-tool.m4, lib/unistring/m4/include_next.m4,
	lib/unistring/m4/inline.m4, lib/unistring/m4/libunistring-base.m4,
	lib/unistring/m4/limits-h.m4, lib/unistring/m4/longlong.m4,
	lib/unistring/m4/multiarch.m4, lib/unistring/m4/off_t.m4,
	lib/unistring/m4/ssize_t.m4, lib/unistring/m4/stdbool.m4,
	lib/unistring/m4/stdint.m4, lib/unistring/m4/sys_types_h.m4,
	lib/unistring/stdbool.in.h, lib/unistring/stdint.in.h,
	lib/unistring/sys_types.in.h, lib/unistring/unictype.in.h,
	lib/unistring/unictype/bitmap.h, lib/unistring/unictype/categ_C.c,
	lib/unistring/unictype/categ_C.h,
	lib/unistring/unictype/categ_Cc.c,
	lib/unistring/unictype/categ_Cc.h,
	lib/unistring/unictype/categ_Cf.c,
	lib/unistring/unictype/categ_Cf.h,
	lib/unistring/unictype/categ_Cn.c,
	lib/unistring/unictype/categ_Cn.h,
	lib/unistring/unictype/categ_Co.c,
	lib/unistring/unictype/categ_Co.h,
	lib/unistring/unictype/categ_Cs.c,
	lib/unistring/unictype/categ_Cs.h,
	lib/unistring/unictype/categ_L.c, lib/unistring/unictype/categ_L.h,
	lib/unistring/unictype/categ_LC.c,
	lib/unistring/unictype/categ_LC.h,
	lib/unistring/unictype/categ_Ll.c,
	lib/unistring/unictype/categ_Ll.h,
	lib/unistring/unictype/categ_Lm.c,
	lib/unistring/unictype/categ_Lm.h,
	lib/unistring/unictype/categ_Lo.c,
	lib/unistring/unictype/categ_Lo.h,
	lib/unistring/unictype/categ_Lt.c,
	lib/unistring/unictype/categ_Lt.h,
	lib/unistring/unictype/categ_Lu.c,
	lib/unistring/unictype/categ_Lu.h,
	lib/unistring/unictype/categ_M.c, lib/unistring/unictype/categ_M.h,
	lib/unistring/unictype/categ_Mc.c,
	lib/unistring/unictype/categ_Mc.h,
	lib/unistring/unictype/categ_Me.c,
	lib/unistring/unictype/categ_Me.h,
	lib/unistring/unictype/categ_Mn.c,
	lib/unistring/unictype/categ_Mn.h,
	lib/unistring/unictype/categ_N.c, lib/unistring/unictype/categ_N.h,
	lib/unistring/unictype/categ_Nd.c,
	lib/unistring/unictype/categ_Nd.h,
	lib/unistring/unictype/categ_Nl.c,
	lib/unistring/unictype/categ_Nl.h,
	lib/unistring/unictype/categ_No.c,
	lib/unistring/unictype/categ_No.h,
	lib/unistring/unictype/categ_P.c, lib/unistring/unictype/categ_P.h,
	lib/unistring/unictype/categ_Pc.c,
	lib/unistring/unictype/categ_Pc.h,
	lib/unistring/unictype/categ_Pd.c,
	lib/unistring/unictype/categ_Pd.h,
	lib/unistring/unictype/categ_Pe.c,
	lib/unistring/unictype/categ_Pe.h,
	lib/unistring/unictype/categ_Pf.c,
	lib/unistring/unictype/categ_Pf.h,
	lib/unistring/unictype/categ_Pi.c,
	lib/unistring/unictype/categ_Pi.h,
	lib/unistring/unictype/categ_Po.c,
	lib/unistring/unictype/categ_Po.h,
	lib/unistring/unictype/categ_Ps.c,
	lib/unistring/unictype/categ_Ps.h,
	lib/unistring/unictype/categ_S.c, lib/unistring/unictype/categ_S.h,
	lib/unistring/unictype/categ_Sc.c,
	lib/unistring/unictype/categ_Sc.h,
	lib/unistring/unictype/categ_Sk.c,
	lib/unistring/unictype/categ_Sk.h,
	lib/unistring/unictype/categ_Sm.c,
	lib/unistring/unictype/categ_Sm.h,
	lib/unistring/unictype/categ_So.c,
	lib/unistring/unictype/categ_So.h,
	lib/unistring/unictype/categ_Z.c, lib/unistring/unictype/categ_Z.h,
	lib/unistring/unictype/categ_Zl.c,
	lib/unistring/unictype/categ_Zl.h,
	lib/unistring/unictype/categ_Zp.c,
	lib/unistring/unictype/categ_Zp.h,
	lib/unistring/unictype/categ_Zs.c,
	lib/unistring/unictype/categ_Zs.h,
	lib/unistring/unictype/categ_and.c,
	lib/unistring/unictype/categ_and_not.c,
	lib/unistring/unictype/categ_byname.c,
	lib/unistring/unictype/categ_byname.gperf,
	lib/unistring/unictype/categ_longname.c,
	lib/unistring/unictype/categ_name.c,
	lib/unistring/unictype/categ_none.c,
	lib/unistring/unictype/categ_of.c,
	lib/unistring/unictype/categ_of.h,
	lib/unistring/unictype/categ_or.c,
	lib/unistring/unictype/categ_test.c,
	lib/unistring/unictype/combiningclass.c,
	lib/unistring/unictype/combiningclass.h,
	lib/unistring/uninorm.in.h,
	lib/unistring/uninorm/canonical-decomposition.c,
	lib/unistring/uninorm/composition-table.gperf,
	lib/unistring/uninorm/composition-table.h,
	lib/unistring/uninorm/composition.c,
	lib/unistring/uninorm/decompose-internal.c,
	lib/unistring/uninorm/decompose-internal.h,
	lib/unistring/uninorm/decomposition-table.c,
	lib/unistring/uninorm/decomposition-table.h,
	lib/unistring/uninorm/decomposition-table1.h,
	lib/unistring/uninorm/decomposition-table2.h,
	lib/unistring/uninorm/nfc.c, lib/unistring/uninorm/nfd.c,
	lib/unistring/uninorm/normalize-internal.h,
	lib/unistring/uninorm/u-normalize-internal.h,
	lib/unistring/uninorm/u16-normalize.c,
	lib/unistring/uninorm/u32-normalize.c,
	lib/unistring/uninorm/u8-normalize.c, lib/unistring/unistr.in.h,
	lib/unistring/unistr/u-cpy.h, lib/unistring/unistr/u16-cpy.c,
	lib/unistring/unistr/u16-mbtouc-unsafe-aux.c,
	lib/unistring/unistr/u16-mbtouc-unsafe.c,
	lib/unistring/unistr/u16-mbtoucr.c,
	lib/unistring/unistr/u16-to-u8.c,
	lib/unistring/unistr/u16-uctomb-aux.c,
	lib/unistring/unistr/u16-uctomb.c, lib/unistring/unistr/u32-cpy.c,
	lib/unistring/unistr/u32-mbtouc-unsafe.c,
	lib/unistring/unistr/u32-to-u8.c,
	lib/unistring/unistr/u32-uctomb.c, lib/unistring/unistr/u8-check.c,
	lib/unistring/unistr/u8-cpy.c,
	lib/unistring/unistr/u8-mbtouc-unsafe-aux.c,
	lib/unistring/unistr/u8-mbtouc-unsafe.c,
	lib/unistring/unistr/u8-mbtoucr.c,
	lib/unistring/unistr/u8-to-u16.c, lib/unistring/unistr/u8-to-u32.c,
	lib/unistring/unistr/u8-uctomb-aux.c,
	lib/unistring/unistr/u8-uctomb.c, lib/unistring/unitypes.in.h: lib:
	added unistring sub-library

2016-11-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files for gnutls_utf8_password_normalize()

2016-11-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/str-unicode.c: tests: enhanced str-unicode with
	GNUTLS_UTF8_IGNORE_ERRS flag
	That is, enhanced to check the tolerable variant of
	gnutls_utf8_password_normalize()

2016-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added build without libunistring

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, README.md: doc: mention the RFC7613 normalization and the
	libunistring dependency

2016-11-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/gnutls.h.in, lib/srp.c, lib/str-unicode.c,
	lib/str.h, lib/tpm.c, lib/x509/crq.c, lib/x509/pkcs7-crypt.c,
	lib/x509/privkey_openssl.c: tolerate non-valid UTF8 passwords when
	decrypting

2016-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/crl-basic.c, tests/name-constraints-ip.c: tests: addressed
	compiler warnings

2016-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system/iconv.c: _gnutls_utf8_to_ucs2: normalize to NFC UTF16
	output

2016-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey_openssl.c: openssl_hash_password: normalize the
	password prior to use

2016-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/tpm.c: TPM: normalize the password prior to use

2016-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/srp.c: _gnutls_calc_srp_sha: normalize the password prior to
	use

2016-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/crq.c: gnutls_x509_crq_set_challenge_password: normalize
	the password prior to use

2016-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.c, lib/includes/gnutls/gnutls.h.in, lib/str-unicode.c,
	lib/str.h, lib/x509/pkcs7-crypt.c: PKCS#7/8: normalize the password
	according to rfc7613

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls.pc.in: gnutls.pc: use the LT version of the lib
	variables

2016-11-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, lib/gnutls.pc.in, lib/system/iconv.c: Use
	libunistring when present instead of iconv()
	That allows us to rely on a single provider for unicode
	functionality.

2016-11-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/str-unicode.c: tests: added unit tests
	for gnutls_utf8_password_normalize()

2016-11-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, lib/Makefile.am, lib/includes/gnutls/gnutls.h.in,
	lib/libgnutls.map, lib/str-unicode.c, lib/str.h: Added function for
	UTF-8 normalization based on RFC7613
	This introduces gnutls_utf8_password_normalize() and a dependency on
	libunistring.

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-tests/Makefile.am, tests/key-tests/pkcs8-invalid: tests:
	added test suite with PKCS#8 files that have invalid encryption

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-crypt.c: PKCS#5,7 decryption: verify the
	correctness of padding
	That is, for block ciphers (i.e., cbc), verify that all the padding
	bytes match the expected contents according to RFC2898.
	Relates #148

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-crypt.c: PKCS#5,7 decryption: added sanity check on
	padding size
	Relates #148

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-crypt.c: PKCS#5,7 decryption: fail without leak on
	unknown MAC

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-crypt.c: PKCS#5,7 decryption: fail early on invalid
	block sizes

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-crypt.c, lib/x509/privkey_pkcs8_pbes1.c,
	lib/x509/x509_int.h: PKCS#5,7 decryption: enforce limits in the
	supported parameter sizes
	This allows detecting invalid parameters early rather than later.
	Relates #148

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files for new functions

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-output.c: pkcs7 output: use the new functions for
	DN output

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dn.c, tests/x509-dn-decode.c: tests: account for the strict
	RFC4514 compliance reversal
	Test the new functions only for the strict RFC4514 compliance to
	output strings, and test the old functions for the legacy format.

2016-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp_output.c, lib/x509/output.c: x509 output: use the
	new functions for DN output

2016-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/str.c: cleanups in _gnutls_buffer_to_datum()

2016-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: use the new APIs for DN extraction

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/dn.c: _gnutls_x509_get_dn: when no data ensure we return
	GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
	This aligns with the previous (prior to RFC4514 improvements)
	behavior of the function.

2016-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/ocsp.h, lib/includes/gnutls/x509.h,
	lib/libgnutls.map, lib/x509/crl.c, lib/x509/crq.c, lib/x509/dn.c,
	lib/x509/ocsp.c, lib/x509/x509.c, lib/x509/x509_dn.c,
	lib/x509/x509_int.h: Introduced new functions to allow multiple DN
	parsing modes
	The old DN parsing functions are changed to return the original
	non-fully compliant with RFC4514 string format, while the new ones
	return the compliant string by default. This allows applications
	which relied on the previous format to continue functioning without
	changes.

2016-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: include root dir log files in all
	builds

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* gl/m4/gnulib-cache.m4: gl: removed invalid module name

2016-11-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/ocsptool-common.c, src/socket.c, src/socket.h: tools: added
	explicit socket flag to skip TLS initialization
	This allows proper error recovery when SOCKET_FLAG_RAW is specified
	and initialize_session() fails.

2016-11-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug:
	terminate sessions which cannot be re-used

2016-11-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/socket.c: sockets: only use gnutls_bye on a valid socket
	session

2016-11-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/pkcs11.c: p11tool: --initialize will no longer reset user PIN
	That is because it only reset the user PIN and not the admin PIN,
	while at the same time it had problems coping with the case where
	the URL changed between token initialization and PIN setting (which
	is the case if --label is provided to --initialize).

2016-11-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: 
	p11tool: added options to initialize a user and admin's PIN

2016-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/verify-tofu.c: gnutls_store_pubkey: document the default hosts
	format

2016-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/pk.c: _wrap_nettle_pk_verify: use FAIL_IF_LIB_ERROR
	prior to returning success
	This will prevent verification from succeeding if the system is in
	error state.

2016-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/pk.c, lib/x509/privkey.c: fips140-2: moved PCT-test in
	wrap_nettle_generate_keys
	This allows it to run in any potential scenario, i.e., any call of
	_gnutls_pk_generate_keys().

2016-11-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-11-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: use included libtasn1 in CI
	systems which do not have 4.9

2016-09-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* m4/hooks.m4: bumped the version of the minimum required libtasn1
	We now require the latest version that supports OIDs with elements
	that are longer than 32-bits.

2016-07-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/certtool-long-oids,
	tests/cert-tests/data/long-oids.pem: tests: added check for the
	decoding of certificates with long OIDs
	That is, OIDs which have an element which exceeds 2^32.

2016-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am: symbol-check: do not compare against symbols not
	exported by us

2016-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/priorities.c: tests: updated known ciphersuites test for
	CHACHA20-POLY1305 in the SECURE set

2016-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/priority.c: priorities: added CHACHA20-POLY1305 to SECURE set

2016-11-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: released 3.5.6

2016-11-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, m4/hooks.m4: bumped versions

2016-11-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* symbols.last: symbols.last: updated auto-generated file

2016-10-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/rng-no-onload.c: tests: added test to
	ensure that gnutls_rnd() is not called during initialization

2016-10-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-backend.h, lib/fips.c: doc: explicitly state that rng
	self_test mustn't require rng initialization

2016-10-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/psk_passwd.c, lib/auth/rsa.c, lib/auth/rsa_psk.c,
	lib/auth/srp_passwd.c, lib/cipher.c, lib/crypto-api.c,
	lib/ext/heartbeat.c, lib/ext/session_ticket.c, lib/handshake.c,
	lib/mpi.c, lib/nettle/pk.c, lib/opencdk/misc.c,
	lib/pkcs11_secret.c, lib/random.h, lib/srp.c, lib/tpm.c,
	lib/x509/pkcs12.c, lib/x509/pkcs7-crypt.c: deprecated _gnutls_rnd()
	in favor of exported gnutls_rnd()

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, lib/global.c, lib/locks.h, lib/nettle/rnd-fips.c,
	lib/nettle/rnd.c, lib/random.c, lib/random.h: rng: split
	initialization in preinit and init
	This makes gnutls initialize its random generator on the first
	call to gnutls_rnd(). That prevents blocking due to getrandom() on a
	constructor; that change allows using gnutls-linked applications
	even in early boot in systems where getrandom() blocks waiting for
	entropy.

2016-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-backend.h, lib/nettle/rnd-fips.c, lib/nettle/rnd.c,
	lib/random.h: _gnutls_rnd_check: call _rnd_system_entropy_check
	directly

2016-11-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/gnutls-idna.c: x509: removed unused IDNA file

2016-11-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-11-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/handshake.c: handshake: log advertized version

2016-11-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms.h: algorithms.h: removed exported prototype from
	internal header

2016-11-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi, doc/cha-intro-tls.texi: doc update

2016-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/data/multi-value-dn.pem,
	tests/cert-tests/pem-decoding: tests: added decoding of multi-value
	DN

2016-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509_dn.c: x509_dn: forbid non-supported escaped chars on
	DN encoding

2016-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/x509-dn-decode.c: tests: enhanced RFC4514 with arbitrary
	escaped strings

2016-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509_dn.c: x509_dn: allow arbitrary escaped strings
	In addition fail encoding on unescaped '+'. We do not support it for
	DN encoding.

2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/data/aki-cert.pem,
	tests/cert-tests/data/arb-extensions.csr,
	tests/cert-tests/data/bmpstring.pem,
	tests/cert-tests/data/complex-cert.pem,
	tests/cert-tests/data/gost-cert.pem,
	tests/cert-tests/data/name-constraints-ip2.pem,
	tests/cert-tests/data/no-ca-or-pathlen.pem,
	tests/cert-tests/data/template-tlsfeature.csr,
	tests/cert-tests/data/very-long-dn.pem,
	tests/cert-tests/data/xmpp-othername.pem,
	tests/cert-tests/templates/template-dn.tmpl,
	tests/cert-tests/templates/template-krb5name.tmpl,
	tests/cert-tests/templates/template-nc.tmpl,
	tests/cert-tests/templates/template-othername-xmpp.tmpl,
	tests/cert-tests/templates/template-othername.tmpl,
	tests/cert-tests/templates/template-unique.tmpl, tests/crq_apis.c,
	tests/crt_apis.c, tests/dn.c, tests/dn2.c, tests/ocsp.c,
	tests/rfc2253-escape-test, tests/suite/crl/long.pem,
	tests/suite/data/test1.cat.out, tests/x509-dn-decode.c: tests:
	modified to account for backwards-encoded DN (according to RFC4514)

2016-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-tests/Makefile.am, tests/key-tests/README: tests:
	removed old README file
	The description in the file had no relevance to the existing tests.

2016-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509_dn.c: gnutls_x509_crt_set_*dn,
	gnutls_x509_dn_set_str: honor the reverse property of RFC4514
	When converting an RFC4514 string to a DN ensure that the elements
	are encoded in reverse order, as required by the RFC.
	Resolves #111

2016-07-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/dn.c: Encode string DNs backwards according to RFC4514
	This makes the output string from functions such as
	gnutls_x509_crt_get*dn() to comply with RFC4514 requirements in DN
	element order.
	Relates #111

2016-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab/issue_templates/Bug.md: Updated issue templates [ci skip]

2016-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab/issue_templates/Bug.md,
	.gitlab/issue_templates/Feature.md: Added issue templates [ci skip]

2016-10-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update [ci skip]

2016-10-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/Makefile.am, lib/nettle/{rnd-getentropy.c =>
	sysrng-getentropy.c}, lib/nettle/{rnd-linux.c => sysrng-linux.c},
	lib/nettle/{rnd-windows.c => sysrng-windows.c}, tests/rng-sigint.c: 
	nettle: renamed system random generator-related files for clarity

2016-10-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/rng-pthread.c: tests: introduced checks
	for gnutls_rnd() in multi-threaded scenario

2016-10-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/rng-fork.c: tests: introduced sanity checks in rng-fork

2016-10-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/int/drbg-aes-self-test.c: drbg-aes-self-test: corrected
	free call

2016-10-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/status-request-ext.c: tests: check for
	gnutls 3.3.x compatibility
	That is, check whether the status request extension is not sent by
	the server, if the server does not hold a status response. We
	require that behavior to be backwards compatible with gnutls 3.3.x.

2016-10-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/status_request.c, lib/gnutls_int.h, lib/handshake.c,
	lib/includes/gnutls/gnutls.h.in: Reverted the behavior of sending a
	status request extension even without a response
	That is, we no longer reply to a client's hello with a status
	request, with a status request extension. Although that behavior
	which was introduced in 6b76e0c899b1ff08df9bd9b41588f771f050be89 is
	legal, it creates incompatibility issues with gnutls 3.3.x branch.
	That is because versions prior to 3.3.26 translate the presence of
	the extension as a guarantee that the status response data will be
	sent. Even though that is a false assumption, we replicate the
	previous behavior to allow such clients to connect to a gnutls 3.5.x
	server.
	Relates !66

2016-10-27  Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

	* tests/suite/Makefile.am: tests: do not enable testpkcs11.sh twice
	Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

2016-10-22  Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

	* tests/starttls.sh: starttls: search for chat in sbin if it is not
	present in PATH
	Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

2016-10-21  Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

	* src/libopts/m4/libopts.m4: Fix autoconf warnings in libopts.m4
	Without this patch Autoconf will spam console with the following
	kind of messages:
	configure.ac:650: warning: AC_LANG_CONFTEST: no AC_LANG_SOURCE call detected in body
	../../lib/autoconf/lang.m4:193: AC_LANG_CONFTEST is expanded from...
	../../lib/autoconf/general.m4:2740: _AC_RUN_IFELSE is expanded from...
	../../lib/m4sugar/m4sh.m4:639: AS_IF is expanded from...
	../../lib/autoconf/general.m4:2759: AC_RUN_IFELSE is expanded from...
	../../lib/m4sugar/m4sh.m4:639: AS_IF is expanded from...
	../../lib/autoconf/general.m4:2042: AC_CACHE_VAL is expanded from...
	src/libopts/m4/libopts.m4:386: LIBOPTS_RUN_FOPEN_TEXT is expanded from...
	src/libopts/m4/libopts.m4:425: INVOKE_LIBOPTS_MACROS is expanded from...
	src/libopts/m4/libopts.m4:560: AM_COND_IF is expanded from...
	src/libopts/m4/libopts.m4:581: LIBOPTS_CHECK is expanded from...
	configure.ac:650: the top level
	Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

2016-10-22  Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

	* cfg.mk: cfg.mk: fix m4 files removal
	Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/long-session-id.c: tests: better check for
	gnutls_ecc_curve_get result

2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/alert.c, lib/ext/signature.c: Terminate handshake if only
	unknown or disabled signatures are advertized by the peer
	That is, do not attempt to proceed assuming that the peer supports
	SHA-1.

2016-10-22  Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

	* tests/Makefile.am, tests/slow/Makefile.am,
	tests/slow/cipher-override2.c, tests/suite/Makefile.am: Fix
	compilation of tests if nettle is not installed in standard path
	Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

2016-10-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c: gnutls-cli-debug: corrected TLS1.2 detection

2016-10-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-10-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi, doc/examples/ex-serv-x509.c,
	lib/ext/status_request.c, lib/includes/gnutls/gnutls.h.in,
	lib/x509.c, tests/Makefile.am, tests/set_key.c,
	tests/set_x509_key.c, tests/set_x509_key_file.c,
	tests/set_x509_key_file_legacy.c,
	tests/set_x509_key_file_ocsp_multi.c,
	tests/set_x509_key_file_ocsp_multi2.c, tests/set_x509_key_utf8.c: 
	modified the gnutls_certificate_set_key* change
	While the change was fully backwards compatible for applications
	that were adding a single certificate, and applications that were
	checking for negative error codes, many applications do not. As
	this may cause incompatibility issues with software properly
	utilizing the previously documented API, the change is reverted, and
	applications need to explicitly enable a flag
	(GNUTLS_CERTIFICATE_API_V2) in the credentials structure for the
	set_key functions to return an index.

2016-10-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testdane.sh: tests: removed nohats.ca from testdane
	The host seems to be unreliable.

2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .travis.yml: .travis.yml: use as many jobs as CPUs in OSX

2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .travis.yml: .travis.yml: do not run the public submodule checks
	of maint.mk
	These seem to be problematic to detect modification and are
	preventing the CI from operating.

2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .travis.yml: .travis.yml: simplified the submodule checkout
	The default submodule initialization in travis caused the MacOSX
	builds to fail.

2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/atfork.c, lib/pubkey.c: Added casts to prevent compiler
	warnings

2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/session.c: corrected typo

2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: README.md: corrected link to travis build

2016-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .travis.yml, README.md, cfg.mk, m4/gettext.m4, m4/nls.m4,
	m4/po.m4, m4/progtest.m4: .travis.yml: added support for compiling
	in macosx

2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/session-tickets-missing.c,
	tests/session-tickets-ok.c: tests: added checks for the new
	GNUTLS_NO_TICKETS flag

2016-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/gnutls.h.in, lib/state.c: gnutls_init: added
	GNUTLS_NO_TICKETS flags These flags allow the callers to disable the automatically enabled
	session tickets. This could be done only with GNUTLS_NO_EXTENSIONS
	which also disabled other useful extensions.

2016-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs11/pkcs11-privkey-export.c: tests:
	added pkcs11-privkey-export This checks whether the public parts of RSA private and public keys
	can be properly extracted from a PKCS#11 module.

2016-10-19  Jakub Jelen <jjelen@redhat.com>

	* tests/pkcs11/pkcs11-mock.c: Expose CKA_PUBLIC_EXPONENT and
	CKA_MODULUS for private keys too

2016-10-19  Jakub Jelen <jjelen@redhat.com>

	* tests/pkcs11/pkcs11-mock.c: tests/pkcs11: Return also CKA_CLASS

2016-10-18  Jakub Jelen <jjelen@redhat.com>

	* tests/pkcs11/pkcs11-mock.c: tests/pkcs11: Expose SUBJECT for
	certificates, PUBLIC_EXPONENT and MODULUS for public keys to widen
	compatibility

2016-10-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, lib/x509/pkcs7.c, lib/x509/x509.c: doc update [ci skip]

2016-10-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files

2016-10-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, lib/x509/pkcs7.c: doc update

2016-10-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: allow setting key purposes for non-CA
	certificates That is, allow setting code signing, or time stamping key purpose in
	certificates that are not marked as CA. The previous restriction
	served no purpose.

2016-10-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: introduce key purpose checks in p7
	direct verification

2016-10-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/x509.c: 
	x509: introduced gnutls_x509_crt_check_key_purpose()

2016-10-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.c, lib/includes/gnutls/gnutls.h.in, lib/x509/pkcs7.c,
	lib/x509/x509.c, lib/x509/x509_int.h: gnutls_x509_crt_verify_data2:
	introduce constraints checks on the provided certificate That is check the provided certificate for validity in time and key
	usage.

2016-10-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/data/code-signing-ca.pem,
	tests/cert-tests/data/code-signing-cert.pem,
	tests/cert-tests/pkcs7, tests/cert-tests/pkcs7-constraints,
	tests/cert-tests/pkcs7-constraints2, tests/pkcs7-gen.c,
	tests/suite/pkcs7-cat: tests: introduced verification constraints
	checks for PKCS#7 structures That is, key purpose checks and more elaborate time checks.

2016-10-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/credentials/gnutls-http-serv, src/serv.c: gnutls-serv: use the
	included known DH parameters by default

2016-10-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def: certtool: manpage update

2016-10-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/scripts/getfuncs-map.pl: getfuncs-map.pl: ignore the ffdhe
	exported parameters That is ignore the new variables exported which are not functions,
	and thus cannot be detected by getfuncs-map.pl.

2016-10-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files

2016-10-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/crl-test: tests: crl-test: use a unique temp file

2016-10-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/Makefile.am, tests/suite/prime-check.c: tests: added
	sanity check for included primes

2016-10-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-bib.texi, doc/cha-gtls-app.texi,
	doc/examples/ex-serv-anon.c, doc/examples/ex-serv-dtls.c,
	doc/examples/ex-serv-psk.c, doc/examples/ex-serv-x509.c,
	doc/latex/gnutls.bib: doc: discuss the set_known_dh_params and use
	it in the examples

2016-10-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/set_known_dh_params_psk.c,
	tests/utils-adv.c, tests/utils.h: tests: check
	gnutls_psk_set_server_known_dh_params

2016-10-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/set_known_dh_params_anon.c,
	tests/utils-adv.c, tests/utils.h: tests: check
	gnutls_anon_set_server_known_dh_params

2016-10-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/set_known_dh_params_x509.c: tests: check
	gnutls_certificate_set_known_dh_params

2016-10-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/anon_cred.c, lib/auth/anon.h, lib/auth/cert.h,
	lib/auth/psk.h, lib/cert.c, lib/dh-primes.c, lib/dh.h,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/psk.c: DH:
	introduced gnutls_*_set_known_dh_params() That is, the functions gnutls_certificate_set_known_dh_params(),
	gnutls_anon_set_server_known_dh_params(),
	gnutls_psk_set_server_known_dh_params().  These functions allow to
	statically set the DH parameters, based on the RFC7919 FFDHE
	parameters. This can simplify server configuration by allowing DH
	without loading parameters from file.  Relates #37

2016-10-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-common.c: certtool: --get-dh-params will output the
	FFDHE primes instead of the SRP primes

2016-10-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/Makefile.am, lib/dh-primes.c,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: DH: export the
	FFDHE Diffie-Hellman values

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: use fedora's mingw-cmocka packages

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: more files to ignore

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs7-cat-parse.c: tests: added check for
	PKCS#7 catalog file parsing and data extracting

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/data/full.p7b.out,
	tests/cert-tests/data/single-ca.p7b.out,
	tests/suite/data/test1.cat.out, tests/suite/data/test2.cat.out: 
	tests: updated pkcs7 text outputs to account for certtool update

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: --p7-info will include the PKCS#7
	encoded data in PEM format

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/data/test2.cat.out: tests: replaced large test2.cat
	with a smaller file

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-common.c: certtool: improve text on missing options
	for cert generation

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: Revert "certtool: improve text on missing options
	for cert generation" This reverts commit 7daed1fd0602bce7495d252f1a9b638fc41e38d3.

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_int.h, lib/handshake.c, lib/state.c: handshake: set a
	maximum number of warning messages that can be received per
	handshake That is to avoid DoS due to the asymmetry of cost of sending an
	alert vs the cost of processing.

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/record.c: record: disallow parsing of alert messages prior to
	session start

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/naked-alerts.c: tests: added check to
	verify that the server will bail out after receiving only alerts

2016-10-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/multi-alerts.c: tests: added check to
	verify that the server will bail out after many alerts

2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: improve text on missing options for cert
	generation

2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/common.c: tools: removed redundant messages on PIN re-use

2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: avoid asking the security officer PIN twice
	on initialization

2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: improved messages on token initialization

2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: corrected check of PIN existence in token
	initialization

2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/examples/ex-serv-x509.c: doc: set a default handshake timeout
	on example server

2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/serv.c: serv: set a timeout value in handshake

2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/dtls-etm.c: tests: added check for
	Encrypt-then-MAC under DTLS

2016-10-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/{mini-etm.c => tls-etm.c}: tests:
	cleanups in tls-etm.c

2016-10-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs7.h, lib/x509/pkcs7.c: 
	gnutls_pkcs7_get_embedded_data: added GNUTLS_PKCS7_EDATA_GET_RAW
	flag This flag allows the export of the stored embedded data with any
	wrapping encoding included. In particular, this allows to read
	the data from the Microsoft catalog PKCS#7 structures, which store
	as embedded data elements of a SEQUENCE, but only authenticate the
	inner parts without the bytes forming the SEQUENCE header.

2016-10-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure: automatically disable non-suiteb curves That is, if the installed nettle doesn't provide the
	nettle_secp_192r1 symbol.

2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-10-11  Colin Walters <walters@verbum.org>

	* lib/priority.c: priorities: Do read crypto policy files with mtime
	of zero In a default Fedora Atomic Host installation,
	`/etc/crypto-policies/backends/gnutls.config` is a symlink to the
	default in `/usr/share/`.  On an OSTree-managed system, files in
	`/usr` have an mtime of zero (to help deduplication).
	The simple fix here is to still try to read the first time, even if
	the file has an mtime of zero.

2016-10-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-10-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: corrected use of
	gnutls_pkcs7_get_embedded_data()

2016-10-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkix.asn, lib/pkix_asn1_tab.c: pkix.asn: simplified ASN.1
	description by eliminating pkcs-7-ContentType

2016-10-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files

2016-10-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: print the encapsulated content OID on
	verification

2016-10-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/Makefile.am, tests/suite/data/ca.pem,
	tests/suite/data/test1.cat.out, tests/suite/data/test2.cat.out,
	tests/suite/pkcs7-cat: tests: added checks for the decoding of
	various PKCS#7 structures

2016-10-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-output.c, lib/x509/pkcs7.c, lib/x509/pkcs7_int.h: 
	pkcs7: print the eContent type in output functions if it does not
	match the defaults

2016-10-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, lib/pkix.asn,
	lib/pkix_asn1_tab.c, lib/x509/pkcs7.c, lib/x509/x509_int.h: pkcs7:
	allow unknown and legacy signature data OIDs to be imported This allows to decode very old PKCS#7 structures where the content
	is not an octet string. In addition, it introduces
	gnutls_pkcs7_get_embedded_data_oid() to obtain the OID of the
	signature data.

2016-10-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool.c: certtool: --p7-info can be
	combined with --p7-show-data to display embedded data

2016-10-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/Makefile.am: lib: link with LTLIBDL instead of LIBDL It fixes compilation issues on some systems.

2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: released 3.5.5

2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-internals.texi: doc: mention gnutls_session_ext_register
	and its supplemental data equivalent

2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, m4/hooks.m4: bumped version

2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/extensions.c: TLS extensions: only cache the extension IDs
	from exts that the server supports That avoids imposing any artificial limits on the number of
	extensions that a server can handle.  Resolves #136

2016-10-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/tls-session-ext-register.c: tests: check the registration of
	multiple extensions

2016-10-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: doc: added gnutls_datum_t and giovec_t to
	indexes Resolves #137

2016-10-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-output.c: pkcs7: removed any limits in hex encoding
	of attributes

2016-10-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: lift any limits in print_raw()

2016-10-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: added safety net when generating a
	certificate request That is, do not allow specifying --generate-request --load-pubkey
	without specifying --load-privkey. Previously if --load-pubkey would
	have been used, it would have been ignored, causing confusion to the
	users.

2016-10-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-10-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* Makefile.am: Makefile.am: improved the files-update output

2016-10-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files

2016-10-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system/iconv.c: _gnutls_utf8_to_ucs2: force NFC normalization
	form in windows

2016-10-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-10-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/tls-session-supplemental.c,
	tests/{mini-supplementaldata.c => tls-supplemental.c}: tests: added
	checks for gnutls_session_supplemental_register

2016-10-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_int.h, lib/includes/gnutls/gnutls.h.in,
	lib/libgnutls.map, lib/state.c, lib/supplemental.c: Added
	session-specific supplemental data handling This allows a caller to add supplemental data handling which will
	only be made available for a specific session.

2016-10-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/{mini-extension.c =>
	tls-ext-register.c}, tests/tls-session-ext-register.c: tests: added
	checks for gnutls_session_ext_register

2016-09-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/extensions.c, lib/extensions.h, lib/gnutls_int.h,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/state.c: 
	Added session-specific TLS extensions This allows a caller to add extensions which will be made available
	for a specific session.

2016-10-05  Ludovic Courtès <ludo@gnu.org>

	* guile/src/core.c: guile: Implement session record ports using the
	Guile 2.2 API.  This allows the Guile bindings to be built and used
	with Guile >= 2.1.4, which introduced a new port API.
	* guile/src/core.c (USING_GUILE_BEFORE_2_2): New macro.
	(session_record_port_type) [!USING_GUILE_BEFORE_2_2]: New definition.
	(read_from_session_record_port, write_to_session_record_port)
	(make_session_record_port) [!USING_GUILE_BEFORE_2_2]: New functions.
	Conditionalize the other same-named functions on
	USING_GUILE_BEFORE_2_2.
	(scm_init_gnutls_session_record_port_type): Use
	'read_from_session_record_port' when !USING_GUILE_BEFORE_2_2.

2016-10-05  Ludovic Courtès <ludo@gnu.org>

	* guile/tests/session-record-port.scm: guile: Test
	'set-session-transport-fd!'.
	* guile/tests/session-record-port.scm: Use
	'set-session-transport-fd!' on the server side.

2016-10-05  Ludovic Courtès <ludo@gnu.org>

	* guile/modules/gnutls/build/tests.scm: guile: Guile 2.x
	'uniform-vector-read!' replacement returns 0 upon EOF.  This problem
	was never hit in practice because our tests always got the non-EOF
	case.
	* guile/modules/gnutls/build/tests.scm (uniform-vector-read!)
	[guile-2]: Return 0 upon EOF.

2016-10-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* extra/Makefile.am, lib/Makefile.am: win32: install the .def files
	in libdir instead of bindir Suggested by Eli Zaretskii.

2016-10-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-cfg.c: certtool: include arpa/inet.h unconditionally That is because we use inet_pton() which is either provided by the
	OS, or by gnulib.

2016-10-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/benchmark.c: gnutls-cli: fix compilation warning in win32

2016-10-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* extra/Makefile.am, m4/hooks.m4: Fixed the version in
	libgnutls-openssl.def file Previously the version set in that file would have been
	(incorrectly) equal to the version of the main library.

2016-10-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/certuniqueid.c, tests/mini-dtls-mtu.c: tests: avoid using
	%zd for formatted output It is not supported by windows.

2016-10-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/set_key_utf8.c, tests/set_x509_key_utf8.c: tests: skip tests
	which depend on libidn functionality if built without libidn

2016-10-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: fixed compilation of
	pkcs11-privkey-always-auth

2016-10-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system/keys-win.c: Fix build of system/keys-win.c with older
	mingw Patch by Eli Zaretskii <eliz@gnu>

2016-10-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/provable-dh, tests/cert-tests/provable-privkey,
	tests/cert-tests/provable-privkey-dsa2048,
	tests/cert-tests/provable-privkey-rsa2048: tests: introduced further
	parallelization in provable* tests This runs independent verification steps in parallel, improving
	running time significantly.

2016-10-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am: tests: provable-dh-default check is
	too slow and is only run when the complete suite is requested

2016-10-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/provable-privkey,
	tests/cert-tests/provable-privkey-dsa2048,
	tests/cert-tests/provable-privkey-gen-default,
	tests/cert-tests/provable-privkey-rsa2048: tests: split
	provable-privkey into multiple checks This allows the tests to be run in parallel.

2016-10-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/provable-dh,
	tests/cert-tests/provable-dh-default: tests: provable-dh was split
	into two programs This allows the test to be run more efficiently when run in
	parallel.

2016-09-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml, configure.ac: .gitlab-ci.yml: do not run the full
	test suite on valgrind test This allows the CI test to run on reasonable time.

2016-09-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-09-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: more files to ignore

2016-09-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* devel/openssl: devel/openssl: updated to 1.1.0 release

2016-09-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/accelerated/aarch64/Makefile.am,
	lib/accelerated/aarch64/aarch64-common.c,
	lib/accelerated/aarch64/aes-aarch64.h,
	lib/accelerated/aarch64/aes-ccm-aarch64.c: aarch64: added optimized
	AES-CCM mode

2016-09-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* cfg.mk, devel/perlasm/ghash-aarch64.pl,
	devel/perlasm/ghash-aarch64.pl.license,
	lib/accelerated/aarch64/Makefile.am,
	lib/accelerated/aarch64/aarch64-common.c,
	lib/accelerated/aarch64/aes-gcm-aarch64.c,
	lib/accelerated/aarch64/elf/ghash-aarch64.s: Imported Andy
	Polyakov's implementation of AES-GCM in aarch64

2016-09-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* cfg.mk, devel/perlasm/aes-aarch64.pl,
	devel/perlasm/aes-aarch64.pl.license,
	lib/accelerated/aarch64/Makefile.am,
	lib/accelerated/aarch64/aarch64-common.c,
	lib/accelerated/aarch64/aes-aarch64.h,
	lib/accelerated/aarch64/aes-cbc-aarch64.c,
	lib/accelerated/aarch64/aes-gcm-aarch64.c,
	lib/accelerated/aarch64/elf/aes-aarch64.s: Imported Andy Polyakov's
	implementation of AES in aarch64

2016-09-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/accelerated/aarch64/Makefile.am,
	lib/accelerated/aarch64/aarch64-common.c,
	lib/accelerated/aarch64/hmac-sha-aarch64.c,
	lib/accelerated/aarch64/sha-aarch64.h: Added HMAC-SHA* optimizations
	for aarch64

2016-09-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* cfg.mk, configure.ac, devel/perlasm/arm-xlate.pl,
	devel/perlasm/sha1-armv8.pl, devel/perlasm/sha1-armv8.pl.license,
	devel/perlasm/sha256-armv8.pl,
	devel/perlasm/sha256-armv8.pl.license,
	devel/perlasm/sha512-armv8.pl,
	devel/perlasm/sha512-armv8.pl.license, lib/accelerated/Makefile.am,
	lib/accelerated/aarch64/Makefile.am,
	lib/accelerated/aarch64/README,
	lib/accelerated/aarch64/aarch64-common.c,
	lib/accelerated/aarch64/aarch64-common.h,
	lib/accelerated/aarch64/elf/sha1-armv8.s,
	lib/accelerated/aarch64/elf/sha256-armv8.s,
	lib/accelerated/aarch64/elf/sha512-armv8.s,
	lib/accelerated/aarch64/sha-aarch64.c,
	lib/accelerated/aarch64/sha-aarch64.h,
	lib/accelerated/accelerated.c: Imported Andy Polyakov's
	implementations for SHA* in aarch64

2016-10-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/server_name.c, lib/ext/server_name.h: fix zero-termination
	in _gnutls_server_name_set_raw() for large server names

2016-10-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/handshake-checks.c: _gnutls_check_id_for_change: added check
	for NULL username This is not required, but may prevent issues if
	code reorganizations which may set a NULL username occur.

2016-10-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/openpgp/output.c, lib/x509/output.c: gnutls_*_crt_print:
	better error checking

2016-10-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore, tests/Makefile.am, tests/pkcs11/pkcs11-mock-ext.h,
	tests/pkcs11/pkcs11-mock.c,
	tests/pkcs11/pkcs11-privkey-always-auth.c: tests: added test for
	CKA_ALWAYS_AUTHENTICATE handling in PKCS#11 This checks whether GnuTLS properly calls login prior to any sign
	operations when the object is marked as CKA_ALWAYS_AUTHENTICATE.

2016-10-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: improved debugging output in pkcs11_login

2016-10-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/name_constraints.c: name constraints: removed unused
	variable

2016-09-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-common.c, src/ocsptool.c: tools: clarify errors when
	reading files Previously certtool and ocsptool would report:
	```
	$ certtool --generate-request --load-privkey=foo --outfile=bar
	Generating a PKCS #10 certificate request...
	reading --load-privkey: foo
	```
	And that doesn't make apparent what the issue was. Modified to
	print:
	```
	error reading --load-privkey: foo
	```
	Report and initial patch by Thibault Nélis.  Resolves !97

2016-09-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/p11tool-args.def: p11tool: doc update [ci skip]

2016-09-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/ip-in-cidr.h, lib/x509/ip.c, lib/x509/name_constraints.c: 
	Removed C99 constructions in for-loops These constructions, although valid for C99, are being rejected
	by various compilers. Get rid of them.

2016-09-27  Daiki Ueno <dueno@redhat.com>

	* src/certtool.c: certtool: print correct size of EC keys Previously certtool complained about key size if --curve is given:
	 $ certtool --generate-privkey --ecc --curve secp256r1 --outfile key.pem
	 Generating a -2147483646 bit EC/ECDSA private key...
	 Note that ECDSA keys with size less than 256 are not widely supported.

2016-09-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def: p11tool: documented the p11-kit relevancy of
	distrust and stapled

2016-09-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* devel/openssl, lib/pkcs11.c, lib/pkcs11_int.h,
	lib/pkcs11_write.c, lib/pkcs11x.c: pkcs11: forbid PKCS#11 extensions
	to be used in other than trust modules That is, only use the CKA_X_DISTRUSTED and the extension override in
	p11-kit trust modules, to avoid conflicts with potentially other
	PKCS#11 extensions.

2016-09-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: enabled valgrind tests build

2016-09-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/handshake-large-packet.c: tests: allow
	handshake-large-packet to run under valgrind That is, initialize the allocated buffers with a known value.

2016-09-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def, src/p11tool.c: p11tool: introduced the
	--mark-distrusted and --distrusted options This allows to mark objects as distrusted, as well as list all
	distrusted certificates (blacklisted) for a p11-kit trust module as:
	p11tool --list-all-certs --distrusted

2016-09-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_write.c: 
	pkcs11: introduced flag GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED This allows to mark objects as distrusted, as well as to be able to
	list distrusted objects.

2016-09-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c, lib/pkcs11x.c: pkcs11: only staple extensions from a
	trust module when they are from a non-distrusted certificate That is, make sure that the API for stapling extensions is only used
	for non-distrusted (blacklisted) certificates. The reason is to
	avoid duplicate extension entries from the p11-kit trust database.
	These come from blacklisted certificates, and we have no reason to
	support stapled extensions with blacklisted certificates.

2016-09-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def, src/p11tool.c: p11tool: allow to export a
	certificate with its stapled extensions

2016-09-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/ecc.c: gnutls_oid_to_ecc_curve: fix null pointer
	dereference This addresses issue where an unknown curve would cause a null
	pointer dereference. This was introduced with the addition of
	X25519. Reported by Theofilos Petsios.

2016-09-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/status_request.c: Only send the status request extension
	on cert authentication That is, do not bother asking for it, or replying to it, if we are not
	using any certificates.

2016-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/scripts/gdoc: gdoc: improved the detection and display of
	escaped characters (@%) This allows to properly display strings like %COMPAT and @SYSTEM in
	the manual and the manpages.

2016-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/priority.c: doc: gnutls_priority_init: fixed %COMPAT [ci skip]

2016-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: corrected debian build's
	dependency

2016-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-09-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/signature.c, lib/ext/signature.h, lib/tls-sig.c: On client
	side allow signing with the signature algorithm of our cert That allows to sign for example with DSA-SHA1 as client even if we
	do not allow DSA-SHA1 as signature algorithm for server's
	certificate. This allows to use a deprecated certificate without
	enabling deprecated algorithms globally.

2016-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/signature.c: _gnutls_session_get_sign_algo: always return
	GNUTLS_SIGN_UNKNOWN on failure

2016-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/cert-common.h, tests/server_ecdsa_key.c,
	tests/utils-adv.c, tests/utils.h: tests: added check for server-side
	ECDSA keys These tests check whether a server ECDSA key will be rejected by the
	client in case the client has no ECDSA signature algorithms
	available.

2016-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/cert-common.h, tests/client_dsa_key.c,
	tests/utils-adv.c, tests/utils.h: tests: added check for client-side
	DSA key This checks whether a client can use and send a DSA key, even if DSA
	is not enabled (which should prohibit the server from providing a
	DSA certificate).

2016-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool.c: certtool: do not require a
	certificate to generate a PKCS#12 file That is, allow generating PKCS#12 files with private keys only as
	well.

2016-09-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: added debian build

2016-09-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: README.md: depend on softhsm2 and net-tools on debian

2016-09-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-server-name.c: tests: mini-server-name: skip invalid
	UTF-8 check if compiled without libidn This allows the test suite to run in systems without libidn.
	Reported by Thomas Klausner.

2016-09-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-server-name.c, tests/mini-session-verify-function.c,
	tests/utils.h, tests/x509-dn-decode.c: tests: added the macros
	test_fail() and test_success() These macros allow test programs which run multiple checks, to
	report the name of the check failed. Modified mini-server-name and
	x509-dn-decode to use the macro.

2016-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* cfg.mk: cfg.mk: removed invalid rule in web target

2016-09-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-09-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/handshake.c: added debugging message when session fails due to
	handshake hash buffer

2016-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/handshake-large-packet.c: tests: check
	whether large packets are allowed on the handshake

2016-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/extensions.c: Do not allow sending overflowed extensions field That is, restrict the extensions to a 2^16 total size.

2016-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-extension.c: tests: minor improvements in
	mini-extension This will improve recovery from error conditions.

2016-09-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_int.h, lib/handshake.c: Increased the maximum size
	allowed for handshake messages to 128kb This would allow the library to cope with larger packets, as well as
	TLS 1.3 hellos. Suggested by Hubert Kario.

2016-09-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/cert-common.h, tests/insecure_key.c,
	tests/utils-adv.c, tests/utils.h: tests: added check for insecure
	key That is, a check which verified whether a connection to a server
	with a very small key will fail the certificate verification check.

2016-09-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-09-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/errors.c, lib/includes/gnutls/gnutls.h.in, lib/nettle/pk.c,
	tests/rsa-illegal-import.c: Introduced separate error codes for
	invalid private and public keys This allows functions like decryption and verification to report the
	specific issue they encountered on public key error.  The new codes
	are GNUTLS_E_PK_INVALID_PUBKEY and GNUTLS_E_PK_INVALID_PRIVKEY

2016-09-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: no longer require gnutls-devel This package is no longer needed to run abi-check.

2016-09-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am: Makefile: abi-check no longer require gnutls headers
	to be installed This addresses the issue of requiring gnutls-devel in the CI system
	to run abi-check.

2016-09-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/manpages/Makefile.am: doc: remove the conditional self_test
	functions Also prevent them from re-entering the documented functions list by
	restricting the header files that contribute functions to the known
	list defined by $(HEADER_FILES).

2016-09-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am, doc/Makefile.am, doc/manpages/Makefile.am: 
	Makefile.am: introduced 'make files-update' rule This rule updates the makefiles in doc/ and the kept symbol list.
	This allows for easier automation of the symbol change 'make dist'
	breakages.

2016-09-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/manpages/Makefile.am: manpages: delete comparison temp file

2016-09-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am: Makefile.am: symbol changes were made more elaborate During make dist, the makefile will report the appropriate symbol
	change message with instructions and fail.

2016-09-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	doc and symbol files for
	gnutls_certificate_set_ocsp_status_request_function2

2016-09-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am: Makefile.am: print the symbols.last diff on make dist This allows to manually verify the contents before overriding the
	old file.

2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/Makefile.am: doc: allow creation of gnutls.epub without
	running epub-fix

2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: use nproc as argument to 'make -j' That way, we use as many make processes, as the number of CPUs in
	the CI system.

2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added build which runs 'make dist' This tests whether the manpages, info, html, pdf and epub manual are
	properly generated, and whether any new functions were included into
	makefiles.

2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/epub.texi: doc: fixed the epub documentation generation

2016-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/status_request.c: 
	gnutls_certificate_set_ocsp_status_request_file: mention version it
	was enhanced

2016-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc: corrected typo

2016-09-12  Alex Monk <krenair@gmail.com>

	* doc/cha-gtls-app.texi: Add ECDHE-* to the priority string docs for
	key exchange algorithms GNUTLS_KX_ECDHE_PSK was added in 2.99.3 (released 2011-06-18) The
	other two were added in 2.99.2 (released 2011-05-26) Signed-off-by: Alex Monk <krenair@gmail.com>

2016-09-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-09-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added check for position dependent
	code

2016-09-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am: Makefile.am: added check for position dependent code This check will verify that the generated library doesn't contain
	position dependent code. It depends on elf utilities.

2016-09-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/accelerated/x86/coff/aesni-x86.s,
	lib/accelerated/x86/elf/aesni-x86.s,
	lib/accelerated/x86/macosx/aesni-x86.s: openssl asm: reverted the
	AESNI-x86 code to gnutls 3.4.x code The newer code was creating position dependent code.

2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/cert-common.h, tests/set_key_utf8.c,
	tests/set_x509_key_utf8.c, tests/utils-adv.c: tests: added checks to
	verify server understanding of UTF8 hostnames This verifies whether a server can understand and serve requests
	which contain UTF-8 server names.

2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/set_key.c: tests: set_key: fixed the time override

2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/set_key.c: tests: set_key: enabled failure_mode test Also eliminated memory leaks related to it.

2016-09-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509.c: Added IDNA support in server side Any server names provided to server side by the
	gnutls_certificate_set_* functions, are converted to IDNA format for
	comparison with client provided values.

2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: restrict the freebsd builds to
	local branches only

2016-09-11  Alex Monk <krenair@gmail.com>

	* doc/cha-gtls-app.texi: Add SIGN-ECDSA-SHA* to the priority strings
	docs These were added in version 2.99.2, 2011-05-26 Signed-off-by: Alex Monk <krenair@gmail.com>

2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509.c: gnutls_certificate_set_*key: ensure proper cleanup on
	key mismatch failures That is, ensure that we keep no local references that are shared
	with the caller, and that we properly free all initialized values.

2016-09-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/set_key.c, tests/set_x509_key.c: tests: check key mismatch
	on gnutls_certificate_set_*key That is, check whether these functions can successfully recover from
	such condition, without leaks or double freeing.

2016-09-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/set_x509_key_file_ocsp_multi2.c: tests:
	added unit testing for
	gnutls_certificate_set_ocsp_status_request_function2

2016-09-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/set_key.c, tests/set_x509_key.c: tests:
	added unit tests for gnutls_certificate_set_x509_key() In addition these tests verify that the expected index is returned
	and that can be used with gnutls_certificate_get_crt_raw()
	afterwards.

2016-09-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/set_x509_key.c: tests: enhanced set_x509_key tests to
	include index verification That is, verify that correct indexes are returned, and these can be
	used with gnutls_certificate_get_crt_raw() afterwards.

2016-09-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/set_x509_key_file.c, tests/utils.c, tests/utils.h: tests:
	enhanced set_x509_key_file tests to include index verification That is, verify that correct indexes are returned, and these can be
	used with gnutls_certificate_get_crt_raw() afterwards.

2016-09-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/set_x509_key_file_ocsp_multi.c,
	tests/utils-adv.c: tests: more checks for functionality of
	gnutls_certificate_set_ocsp_status_request_file This introduces checks for the cases where
	gnutls_certificate_set_ocsp_status_request_file() is called with
	multiple indexes, to set an OCSP response for different
	certificates. The tests then verify whether the expected OCSP
	response is received.

2016-09-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/cert.c, lib/auth/cert.h, lib/cert.c,
	lib/ext/status_request.c, lib/gnutls_int.h,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/x509.c: 
	Added gnutls_certificate_set_ocsp_status_request_function2 That introduces a new function to allow setting an OCSP status
	request handling function per certificate. Furthermore it repurposes
	the flag parameters to an index option on
	gnutls_certificate_set_ocsp_status_request_file.  The changes above allow setting a different OCSP status response
	file per certificate, and a different function. The indexes they
	rely on to associate with existing certs are the indexes returned by
	the gnutls_certificate_set_key() and friends functions.

2016-09-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/cert.c, lib/x509.c: All the key and chain set functions return
	an index When setting key and certificate material to a
	gnutls_certificate_credentials_t structure, the corresponding set
	functions will return an index.  That index could be used later
	either on the get functions, or when setting corresponding data
	(e.g., an OCSP response).

2016-09-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/status_request.c: doc: clarifications in
	gnutls_certificate_set_ocsp_status_request_function()

2016-09-11  Andreas Metzler <ametzler@bebt.de>

	* lib/x509/x509_write.c, src/ocsptool-args.def: Typo fixes found by
	lintian.  incosistent, ommited

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: added code-coverage output to
	clang build

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: the code-coverage command will
	always succeed This works around random failures while calculating the code
	coverage.

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: moved commonly installed packages
	into the before_script field

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: added syntax check build

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* cfg.mk: cfg.mk: revived 'make release'

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, doc/Makefile.am, doc/examples/ex-pkcs11-list.c,
	doc/gnutls.texi, lib/Makefile.am, lib/algorithms/ciphers.c,
	lib/algorithms/ciphersuites.c, lib/algorithms/ecc.c,
	lib/algorithms/kx.c, lib/algorithms/mac.c,
	lib/algorithms/protocols.c, lib/algorithms/publickey.c,
	lib/algorithms/secparams.c, lib/auth/cert.c, lib/auth/dh_common.c,
	lib/auth/ecdhe.c, lib/auth/psk.c, lib/auth/psk_passwd.c,
	lib/auth/srp_passwd.c, lib/auto-verify.c, lib/buffers.c,
	lib/buffers.h, lib/cipher.c, lib/cipher_int.c, lib/compress.c,
	lib/crypto-api.c, lib/crypto-backend.c, lib/datum.h, lib/dtls-sw.c,
	lib/dtls.c, lib/dtls.h, lib/ecc.c, lib/errors.c, lib/ext/dumbfw.c,
	lib/ext/srp.h, lib/ext/status_request.c, lib/extras/hex.c,
	lib/fips.c, lib/gnutls.asn, lib/gnutls_int.h, lib/handshake.c,
	lib/includes/gnutls/abstract.h, lib/includes/gnutls/crypto.h,
	lib/includes/gnutls/gnutls.h.in, lib/includes/gnutls/x509.h,
	lib/mem.h, lib/minitasn1/decoding.c, lib/minitasn1/element.c,
	lib/minitasn1/libtasn1.h, lib/mpi.c, lib/nettle/cipher.c,
	lib/nettle/int/drbg-aes-self-test.c, lib/nettle/pk.c,
	lib/opencdk/armor.c, lib/opencdk/stream.c, lib/openpgp/openpgp.c,
	lib/pcert.c, lib/pk.c, lib/pkcs11.c, lib/pkcs11_privkey.c,
	lib/pkcs11_write.c, lib/pkcs11x.c, lib/prf.c, lib/privkey.c,
	lib/record.c, lib/session_pack.c, lib/str.c, lib/str.h,
	lib/supplemental.c, lib/system-keys.h, lib/system/inet_ntop.c,
	lib/system/keys-dummy.c, lib/system/keys-win.c, lib/verify-tofu.c,
	lib/x509.c, lib/x509.h, lib/x509/common.c, lib/x509/common.h,
	lib/x509/crl.c, lib/x509/crq.c, lib/x509/email-verify.c,
	lib/x509/extensions.c, lib/x509/hostname-verify.c, lib/x509/krb5.c,
	lib/x509/name_constraints.c, lib/x509/ocsp.c, lib/x509/output.c,
	lib/x509/pkcs12.c, lib/x509/pkcs7-attrs.c, lib/x509/pkcs7-crypt.c,
	lib/x509/pkcs7.c, lib/x509/privkey.c, lib/x509/privkey_pkcs8.c,
	lib/x509/time.c, lib/x509/tls_features.c, lib/x509/verify-high.c,
	lib/x509/verify.c, lib/x509/x509.c, lib/x509/x509_ext.c,
	lib/x509/x509_write.c, m4/hooks.m4, src/certtool-cfg.c,
	src/certtool.c, src/cli.c, src/danetool.c, src/list.h,
	src/ocsptool-common.c, src/ocsptool.c, src/pkcs11.c, src/serv.c,
	src/tests.c, tests/auto-verify.c, tests/cert-key-exchange.c,
	tests/cert-tests/Makefile.am, tests/certificate_set_x509_crl.c,
	tests/chainverify.c, tests/common-cert-key-exchange.c,
	tests/conv-utf8.c, tests/crl-basic.c, tests/crlverify.c,
	tests/crq-basic.c, tests/crq_key_id.c,
	tests/custom-urls-override.c, tests/custom-urls.c, tests/dane.c,
	tests/dtls-handshake-versions.c, tests/dtls-max-record.c,
	tests/dtls-rehandshake-anon.c, tests/dtls-rehandshake-cert-2.c,
	tests/dtls-rehandshake-cert-3.c, tests/dtls-rehandshake-cert.c,
	tests/dtls-sliding-window.c, tests/dtls/dtls-stress.c,
	tests/eagain-common.h, tests/fallback-scsv.c,
	tests/handshake-false-start.c, tests/handshake-versions.c,
	tests/hostname-check.c, tests/key-material-dtls.c,
	tests/key-usage.c, tests/mini-cert-status.c,
	tests/mini-chain-unsorted.c, tests/mini-dtls-heartbeat.c,
	tests/mini-dtls-large.c, tests/mini-dtls-lowmtu.c,
	tests/mini-dtls-mtu.c, tests/mini-eagain-dtls.c,
	tests/mini-eagain.c, tests/mini-emsgsize-dtls.c, tests/mini-etm.c,
	tests/mini-extension.c, tests/mini-global-load.c,
	tests/mini-key-material.c, tests/mini-record.c,
	tests/mini-rsa-psk.c, tests/mini-session-verify-function.c,
	tests/mini-supplementaldata.c, tests/mini-x509-2.c,
	tests/mini-x509-callbacks-intr.c, tests/mini-x509-callbacks.c,
	tests/mini-x509-cas.c, tests/mini-x509-default-prio.c,
	tests/mini-x509-dual.c, tests/mini-x509.c,
	tests/name-constraints-ip.c, tests/ocsp-tests/Makefile.am,
	tests/ocsp.c, tests/openpgp-auth.c, tests/openpgp-auth2.c,
	tests/openpgpself.c, tests/pgps2kgnu.c, tests/pkcs12_s2k.c,
	tests/pkcs12_s2k_pem.c, tests/pkcs12_simple.c,
	tests/pkcs8-key-decode.c, tests/prf.c,
	tests/rehandshake-ext-secret.c,
	tests/rehandshake-switch-cert-allow.c,
	tests/rehandshake-switch-cert-client-allow.c,
	tests/rehandshake-switch-cert-client.c,
	tests/rehandshake-switch-cert.c, tests/rehandshake-switch-psk-id.c,
	tests/rehandshake-switch-srp-id.c, tests/resume-dtls.c,
	tests/resume-with-false-start.c, tests/resume.c,
	tests/rsa-encrypt-decrypt.c, tests/send-client-cert.c,
	tests/session-export-funcs.c, tests/simple.c,
	tests/slow/cipher-override.c, tests/slow/cipher-override2.c,
	tests/srp.c, tests/test-chains.h, tests/tls-max-record.c,
	tests/tls-rehandshake-cert-2.c, tests/tls-rehandshake-cert.c,
	tests/tlsfeature-crt.c, tests/tlsfeature-ext.c, tests/utils-adv.c,
	tests/utils.c, tests/version-checks.c, tests/windows/cng-windows.c,
	tests/windows/crypt32.c, tests/x509-extensions.c,
	tests/x509cert-tl.c, tests/x509cert.c, tests/x509dn.c,
	tests/x509sign-verify.c, tests/x509sign-verify2.c: several spacing
	fixes to keep syntax-check happy

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testrandom.sh: avoid the usage of '-a' and '-o' bash
	options This keeps syntax-check happy.

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/str.c, src/certtool-cfg.c: avoid the usage of strncpy

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/socket.c: removed signal.h from files that wasn't used at

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* CONTRIBUTING.md, doc/cha-gtls-app.texi, guile/src/core.c,
	libdane/dane.c: doc update

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/ip.c: gnutls_x509_cidr_to_rfc5280: removed double
	semi-colon

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/system.c, lib/system/certs.c, lib/system/fastopen.c,
	lib/system/sockets.c, lib/system/threads.c, lib/x509/pkcs12_encr.c,
	lib/x509/pkcs7-output.c, lib/x509/time.c, lib/x509/x509_ext.c: 
	removed c-ctype.h from files that wasn't used at

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure.ac: quote parameters when needed

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/extras/hex.c, lib/nettle/int/dsa-keygen-fips186.c,
	lib/nettle/int/dsa-validate.c,
	tests/pkcs11/pkcs11-import-url-privkey.c,
	tests/pkcs11/pkcs11-pubkey-import-ecdsa.c,
	tests/pkcs11/pkcs11-pubkey-import-rsa.c: removed assert.h from files
	that wasn't used at

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* po/POTFILES.in: POTFILES: added libdane files

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/tpmtool-args.def, tests/suite/testpkcs11.sh: doc update

2016-09-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/benchmark-cipher.c, tests/pkcs11/pkcs11-mock.c: tests/tools:
	avoid non-null check before free()

2016-09-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/latex/gnutls.tex: latex manual: added backwards compatibility
	options

2016-09-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: windows DLL builds now include all
	required dependencies Also improved naming conventions for builds

2016-09-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/system/inet_ntop.c: inet_ntop4: casted signed/unsigned
	comparison

2016-09-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/system.h: system.h: undefine macros before defining them

2016-09-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509_b64.c: _gnutls_fbase64_decode: use memsub macro instead
	of casts

2016-09-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c: gnutls-cli: use gnutls_set_default_priority if no
	priorities are given

2016-09-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/serv-args.def: gnutls-serv: removed '...' from documentation That caused problems in generated manpage.

2016-09-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure: better document the random generator
	variant used

2016-09-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: released 3.5.4

2016-09-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: corrected wrong operation in
	minimal build

2016-09-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files

2016-09-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, lib/x509/ip.c: doc update

2016-09-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, m4/hooks.m4: bumped versions

2016-09-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-09-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/pkcs12-utf8: tests:
	do not run pkcs12-utf8 under windows This test required to pass UTF8 data under command line, and that
	doesn't seem to work under windows.

2016-09-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system/iconv.c: _gnutls_ucs2_to_utf8: corrected use of
	WideCharToMultiByte in windows

2016-09-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/conv-utf8.c: tests: added debugging info in conv-utf8

2016-09-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/name-constraints-ip.c: tests: don't build
	cmocka tests with libutils - they conflict

2016-09-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: keep config.log in windows builds

2016-09-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: corrected typo for libidn
	installation in windows64

2016-09-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: install our internal cmocka for
	windows

2016-09-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/conv-utf8.c: tests: added unit tests of
	_gnutls_utf8_to_ucs2 and _gnutls_ucs2_to_utf8

2016-09-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/libgnutls.map: libgnutls.map: export _gnutls_utf8_to_ucs2 and
	_gnutls_ucs2_to_utf8 for testing

2016-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs12_encr.c: pkcs12: enhanced to allow encrypting using
	UCS2 passwords That is use _gnutls_utf8_to_ucs2() to convert the provided password
	to UCS2.

2016-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system/iconv.c: _gnutls_ucs2_to_utf8: fixed null termination
	check in windows code

2016-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system.h, lib/system/iconv.c: Added _gnutls_utf8_to_ucs2() This function allows to convert between UTF8 to UCS2 big-endian.

2016-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/pkcs12-utf8: tests:
	added tests for PKCS#12 decoding with UTF8 passwords

2016-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-crypt.c: pkcs7 encryption: corrected memory leaks

2016-09-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am: Makefile: local-code-coverage-output always succeeds

2016-09-02  Martin Ukrop <mukrop@redhat.com>

	* lib/x509/name_constraints.c, tests/name-constraints-ip.c: x509:
	Adjust IP name constraints behavior
	- Modified IPv4/IPv6 interaction in name constraints -- IPv4 and
	  IPv6 now have empty intersection (previously: were treated
	  independently).
	- Current behavior is more conservative -- in case of IPv4
	  constraint cert, subcerts will not be able to have IPv6 addresses.
	- Tests updated accordingly.
	- Behavior now matches NSS.

2016-09-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testpkcs11.sh: tests: added checks to verify behavior
	in writing pkcs11 objects That is, verify that private keys are marked as private by default,
	and public objects are marked as non-private by default.

2016-09-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: eliminated memory leak in --list options

2016-09-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def, src/p11tool.c: p11tool: do not mark written
	objects as private by default That is, when --mark-private or --no-mark-private are not specified,
	set non-private for public objects and private for private ones.

2016-09-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-09-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/minitasn1/libtasn1.h, lib/minitasn1/parser_aux.c: minitasn1:
	updated to latest git version

2016-09-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pk.c: _gnutls_encode_ber_rs_raw: simplified That is, use a single allocation for temporary data.

2016-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: use fedora24 with address
	sanitizer The fix in fbb9618b25b77c65e24a6ce224d53bc9a0b81457 addresses the
	problems with asan in fedora24.

2016-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/slow/Makefile.am: tests: use LSAN_OPTIONS
	instead of ASAN_OPTIONS New versions of address sanitizer do not parse this file otherwise.

2016-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/pkcs11/softhsm.h: tests: corrected detection of 64-bit
	systems in softhsm.h

2016-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs11/pkcs11-ec-privkey-test.c: tests:
	added check for PKCS#11 signature validity That is, tests whether our generated DSASignatureValue with PKCS#11
	contains r, s values that are non-negative, i.e., are zero padded
	when necessary. This utilizes _gnutls_decode_ber_rs_raw().

2016-09-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/libgnutls.map, lib/pk.c, lib/pk.h: Introduced helper function
	_gnutls_decode_ber_rs_raw()

2016-09-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pk.c: _gnutls_encode_ber_rs_raw: zero-pad values when
	necessary This addresses issue when encoding values obtained via PKCS#11 which
	may not be necessarily padded.  Resolves #122

2016-09-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/template-test: tests: template-test: use uniform
	way to detect 32-bit systems

2016-09-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml, tests/pkcs11/softhsm.h: .gitlab-ci.yml: use the
	gitlab.com shared runners This removes the need to administer custom runners (except for the
	FreeBSD runner which cannot run under Linux), makes the testing on
	other platforms such as Debian simpler, and allows merge requests to
	pass through the CI.

2016-08-30  David Woodhouse <David.Woodhouse@intel.com>

	* lib/dtls-sw.c, lib/gnutls_int.h, tests/dtls-sliding-window.c,
	tests/mini-dtls-record.c: Import DTLS sliding window validation from
	OpenConnect ESP code In this implementation, the end of the sliding window is always
	advanced to the latest received packet, and we accept up to 64
	packets before that one. We no longer refuse to accept packets
	because they are *too* far ahead of what we've already seen.  Some of the test cases are fixed up accordingly.  This matches the code in OpenConnect esp-seqno.c at commit 314ac65.

2016-08-31  Jussi Kukkonen <jussi.kukkonen@intel.com>

	* src/Makefile.am: tools: Use correct include dir with minitasn This allows compiling certtool without libtasn headers.

2016-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/rnd-windows.c: nettle: removed unused variable in
	windows rng

2016-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: don't run danetool.sh when not compiled
	with dane support

2016-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-dtls-record.c: tests: mini-dtls-record: modified
	expected order to account for new SW behavior

2016-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/dtls-sw.c: dtls: ensure that the DTLS window doesn't get
	stalled That is ensure that it is forwarded at least one place if more than
	16 packets have been received since the first one.

2016-08-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dtls-sliding-window.c: tests: enhance the DTLS window unit
	test to account for lost packets This adds tests for cases where many lost packets are encountered,
	such as 50% of the packets received, as well as 3 consequent packets
	being lost.

2016-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: README.md: added coverage report [ci skip]

2016-08-28  David Woodhouse <dwmw2@infradead.org>

	* lib/x509/pkcs12.c: gnutls_pkcs12_simple_parse: set the key value
	to null on failure

2016-08-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/ocsp.c: tests: added basic operational check of
	gnutls_ocsp_resp_get_single()

2016-08-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/ocsp.c: gnutls_ocsp_resp_get_single: reorganized function
	to eliminate memory leaks Simplified and optimized the function operation, by removing
	unnecessary memory allocations, as well as eliminate memory leaks on
	certain error cases.

2016-08-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/ocsp.c: ocsp: corrected the comparison of the serial size
	in OCSP response Previously the OCSP certificate check wouldn't verify the serial
	length and could succeed in cases it shouldn't.  Reported by Stefan Buehler.

2016-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c, src/ocsptool-common.c, src/socket.c: tools: eliminated
	memory leaks in deinitialization

2016-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c, src/cli.c, src/danetool.c,
	src/ocsptool-common.c, src/socket.c, src/socket.h: tools: allow
	socket_bye() to be used for non-polite terminations

2016-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/ocsp-tests/Makefile.am,
	tests/ocsp-tests/suppressions.valgrind: tests: added
	suppressions.valgrind in ocsp-tests

2016-08-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-08-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-tests/Makefile.am,
	tests/key-tests/data/pkcs8-pbes1-des-md5.pem,
	tests/key-tests/pkcs8-decode: tests: added check for the decoding of
	pbes1-des-md5 key

2016-08-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/Makefile.am, lib/x509/pkcs12.c, lib/x509/pkcs12_bag.c,
	lib/x509/pkcs7-crypt.c, lib/x509/pkcs7_int.h,
	lib/x509/privkey_pkcs8.c, lib/x509/privkey_pkcs8_pbes1.c,
	lib/x509/x509_int.h: pkcs8: cleaned up PKCS#8 decoding from common
	code with PKCS#7

2016-08-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/x509.h, lib/pkix.asn, lib/pkix_asn1_tab.c,
	lib/x509/Makefile.am, lib/x509/privkey_pkcs8.c,
	lib/x509/privkey_pkcs8_pbes1.c, lib/x509/x509_int.h: pkcs8: added
	support for decryption with PBES1-DES-CBC-MD5 While this is a legacy (and insecure) cipher combination it is the
	default output of openssl up until the 1.0.2 version. We introduce
	this option to allow decrypting private keys from these versions of
	openssl.

2016-08-25  raspa0 <raspa0@protonmail.com>

	* src/pkcs11.c: fix memleak in pkcs11_get_random

2016-08-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/ocsptool-common.c, src/ocsptool.c: ocsptool: reduce memory
	leaks on execution

2016-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/ocsp-tests/Makefile.am,
	tests/ocsp-tests/ocsp-must-staple-connection,
	tests/ocsp-tests/ocsp-tls-connection: tests: enable
	ocsp-must-staple-connection check

2016-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/global.c: doc: be more explicit about the usage of
	gnutls_global_init/deinit [ci skip]

2016-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-tests/pkcs8-decode: tests: don't use piped tee in
	pkcs8-decode It would prevent error codes from being detected in the tests.

2016-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/socket.c: ocsptool: corrected bug in session establishment

2016-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/ocsp-tests/ocsp-tls-connection: tests: ocsp-tls-connection:
	no longer check for netcat; it was not needed

2016-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-tests/Makefile.am,
	tests/key-tests/data/pkcs8-pbes2-sha256.pem,
	tests/key-tests/pkcs8-decode: tests: added decoding of key with
	pbes2 and SHA256 PRF

2016-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, lib/algorithms.h, lib/algorithms/mac.c, lib/gnutls_int.h,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map,
	lib/x509/pkcs12.c, lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h: 
	Added support for decrypting PKCS#8 files which use HMAC-SHA256 as
	PRF This improves compatibility with new openssl versions.

2016-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey_openssl.c: Ported openssl format fix from
	openconnect Patch by David Woodhouse

2016-08-24  raspa0 <raspa0@protonmail.com>

	* src/pkcs11.c: src/pkcs11.c: fix mech_list out-of-bounds check

2016-08-15  Philippe Proulx <eeppeliteloop@gmail.com>

	* lib/record.c: gnutls_record_recv(): doc: push -> pull Signed-off-by: Philippe Proulx <eeppeliteloop@gmail.com>

2016-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/rnd-linux.c: rnd-linux: added check for SYS_getrandom
	being defined This allows to compile the getrandom() code in old Linux systems
	which do not have the system call defined.

2016-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* libdane/Makefile.am: libdane: include minitasn1 headers

2016-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c: gnutls-cli: do not exit if fast open is not supported

2016-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/socket.c: gnutls-cli: added buffering in starttls read of
	packets

2016-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/starttls-ftp.txt, tests/starttls.sh: 
	tests: added basic test of STARTTLS over FTP for gnutls-cli

2016-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md, tests/Makefile.am, tests/starttls-smtp.txt,
	tests/starttls.sh: tests: added basic starttls functionality testing
	on gnutls-cli

2016-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/socket.c: gnutls-cli: exit with error code 2 on starttls
	errors

2016-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/fastopen.sh: tests: fixed fastopen.sh to operate from cmd

2016-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c, src/socket.c, src/socket.h: gnutls-cli: fixed the
	behavior when --starttls or --starttls-proto is given

	The change of moving the handshake process as part of the socket
	establishment broke the starttls functionality in gnutls-cli. This
	change fixes that functionality.  Reported by Andreas Metzler.

2016-08-19  SUMIT AGGARWAL <aggarwal.s@samsung.com>

	* src/benchmark-cipher.c, src/srptool.c: Fix HANDLE_LEAK and memory
	leak issues.

2016-08-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c, src/socket.c: gnutls-cli: print 'Handshake was
	completed'

	The change of moving the handshake process as part of the socket
	establishment, prevented the text 'Handshake was completed' from
	being printed as part of a successful handshake. That message was
	used by applications like gnus which use gnutls-cli. This patch
	reverts that change and prints that message on successful
	handshakes.

2016-08-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, tests/Makefile.am, tests/cert-tests/Makefile.am,
	tests/{openpgp-certs => cert-tests/data}/ca-public.gpg,
	tests/{openpgp-certs => cert-tests/data}/ca-secret.gpg,
	tests/{openpgp-certs =>
	cert-tests/data}/srv-public-127.0.0.1-signed.gpg,
	tests/{openpgp-certs => cert-tests/data}/srv-public-all-signed.gpg,
	tests/{openpgp-certs =>
	cert-tests/data}/srv-public-localhost-signed.gpg,
	tests/{openpgp-certs => cert-tests/data}/srv-public.gpg,
	tests/{openpgp-certs => cert-tests/data}/srv-secret.gpg,
	tests/{openpgp-certs/testcerts => cert-tests/openpgp-certs},
	tests/{openpgp-certs/testselfsigs => cert-tests/openpgp-selfsigs},
	tests/openpgp-certs/Makefile.am: tests: openpgp-certs tests were
	moved to cert-tests

2016-08-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-api.c: gnutls_key_generate: fail if the state of the
	library is invalid

	Suggested by Stephan Mueller.

2016-08-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-dtls-hello-verify.c: tests: mini-dtls-hello-verify:
	ignore SIGPIPE to avoid unexpected crashes

	Resolves: #119

2016-08-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/safe_renegotiation.c, lib/includes/gnutls/gnutls.h.in: 
	gnutls_safe_renegotiation_status: changed return type to unsigned

2016-08-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-08-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/long-session-id.c, tests/pkcs11/pkcs11-combo.c,
	tests/pkcs12_simple.c: tests: removed unused variables from tests

2016-08-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-06-23  Martin Ukrop <mukrop@redhat.com>

	* .gitignore, tests/Makefile.am, tests/name-constraints-ip.c,
	tests/test-chains.h: tests: Add tests for X509 IP constraints

	- Add dedicated test file name-constraints-ip for IP tests.
	- Test the following:
	  * Generation and saving of valid name constraints.
	  * Trying to save invalid IP constraints.
	  * Reading the saved constraints.
	  * constraints_check() calls for both IPv4 and IPv6.
	  * IP constraints intersection (simple, empty, mediocre,
	    complicated).
	  * IPv4/IPv6 constraints interaction and various corner cases.
	- IPs/CIDRs are printed in logs in case of failure.
	- Add 2 new chain tests (positive, negative).
	- Add generated test executable to ignored files.

	Signed-off-by: Martin Ukrop <mukrop@redhat.com>

2016-06-29  Martin Ukrop <mukrop@redhat.com>

	* lib/x509/ip.c, lib/x509/name_constraints.c: x509: Add support for
	IP constraints

	- IP constraints are now checked against the subject alternative
	  name field.
	- Implemented IP name constraints merging.
	- Added IP constraints validity checking during loading and getting
	  the name constraints object from the user.
	- Add a convenience function name_constraints_node_new that
	  allocates a name constraints node and sets its fields. Use this new
	  function where applicable.
	- Add documentation for is_nc_empty,
	  _gnutls_name_constraints_node_free,
	  _gnutls_name_constraints_intersect.
	- Small improvements elsewhere (polishing).

	Signed-off-by: Martin Ukrop <mukrop@redhat.com>

2016-08-03  Martin Ukrop <mukrop@redhat.com>

	* .gitignore, tests/Makefile.am, tests/{ip-in-cidr.c => ip-utils.c}: 
	tests: Add more IP conversion unit tests

	- Renamed ip-in-cidr test to ip-utils.
	- Added built binary to .gitignore.
	- Added new tests for gnutls_x509_cidr_to_rfc5280.

	Signed-off-by: Martin Ukrop <mukrop@redhat.com>

2016-08-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/ip-in-cidr.c: tests: added unit test for
	ip_in_cidr function

2016-06-29  Martin Ukrop <mukrop@redhat.com>

	* lib/errors.c, lib/includes/gnutls/gnutls.h.in,
	lib/includes/gnutls/x509.h, lib/libgnutls.map,
	lib/x509/Makefile.am, lib/x509/ip-in-cidr.h, lib/x509/ip.c,
	lib/x509/ip.h, lib/x509/name_constraints.c, lib/x509/output.c,
	src/certtool-cfg.c: x509: Separate out IP handling functions

	- Moved IP/CIDR to string conversion functions into separate
	  header and export privately for the use in tests.
	- Placed ip_in_cidr() into separate header for easy testing
	- Add publicly available function to convert text CIDR to RFC5280
	  format for the use in name constraints extension.
	- certtool: Use GnuTLS exported CIDR functions instead of local
	  ones.
	- Export mask_to_prefix, mask_ip for internal GnuTLS use.
	- Introduce new error value (malformed cidr) and add to description
	  functions in errors.c.

	Signed-off-by: Martin Ukrop <mukrop@redhat.com>

2016-06-23  Martin Ukrop <mukrop@redhat.com>

	* tests/name-constraints.c, tests/test-chains.h: tests: Add corner
	case tests for name constraints, improve doc

	- Added corner case test suite for DNS name constraints.
	- Documentation update in chain tests.

	Signed-off-by: Martin Ukrop <mukrop@redhat.com>

2016-07-08  Martin Ukrop <mukrop@redhat.com>

	* .gitignore: Add more ignored files

	  * .tmp and .swp for text editor files
	  * Makefile.user created by Qt Creator
	  * gl/tests/ctype.h as it is generated from ctype.h.in

	Signed-off-by: Martin Ukrop <mukrop@redhat.com>

2016-08-08  Stefan Sørensen <stefan.sorensen@spectralink.com>

	* tests/cert-common.h, tests/keylog-env.c,
	tests/send-client-cert.c, tests/set_x509_key.c,
	tests/set_x509_key_file_der.c, tests/set_x509_key_file_ocsp.c,
	tests/set_x509_key_mem.c, tests/x509-cert-callback-legacy.c,
	tests/x509-cert-callback.c, tests/x509cert.c: Change ca3 and related
	certificate to include an intermediate CA in the chain.

	Also update a bunch of test-cases to support chains with an
	intermediate CA.

	Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>

2016-08-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-common.h, tests/x509cert.c: Revert "tests: check
	gnutls_certificate_get_x509_crt with more than one certificates"

	This reverts commit f7d884720b128ef86f6b9dc9fc498be89faf1732.

2016-08-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/srp.c: tests: do not run srp test when no SRP support is
	compiled in

2016-08-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/alpn-server-prec.c, tests/client-fastopen.c,
	tests/custom-urls-override.c, tests/custom-urls.c,
	tests/dtls-client-with-seccomp.c, tests/dtls-rehandshake-anon.c,
	tests/dtls-rehandshake-cert-2.c, tests/dtls-rehandshake-cert-3.c,
	tests/dtls-rehandshake-cert.c, tests/dtls-with-seccomp.c,
	tests/fallback-scsv.c, tests/key-material-dtls.c,
	tests/key-material-set-dtls.c, tests/long-session-id.c,
	tests/mini-alpn.c, tests/mini-cert-status.c,
	tests/mini-chain-unsorted.c, tests/mini-dtls-discard.c,
	tests/mini-dtls-fork.c, tests/mini-dtls-heartbeat.c,
	tests/mini-dtls-hello-verify-48.c, tests/mini-dtls-hello-verify.c,
	tests/mini-dtls-large.c, tests/mini-dtls-lowmtu.c,
	tests/mini-dtls-mtu.c, tests/mini-dtls-pthread.c,
	tests/mini-dtls-record-asym.c, tests/mini-dtls-record.c,
	tests/mini-dtls-srtp.c, tests/mini-dtls0-9.c, tests/mini-etm.c,
	tests/mini-handshake-timeout.c, tests/mini-key-material.c,
	tests/mini-loss-time.c, tests/mini-overhead.c,
	tests/mini-record-2.c, tests/mini-record-failure.c,
	tests/mini-record-range.c, tests/mini-record-retvals.c,
	tests/mini-record.c, tests/mini-server-name.c,
	tests/mini-termination.c, tests/mini-tls-nonblock.c,
	tests/no-signal.c, tests/openpgp-auth.c, tests/openpgp-auth2.c,
	tests/openpgp-callback.c, tests/prf.c, tests/resume-dtls.c,
	tests/resume.c, tests/sign-md5-rep.c, tests/srp.c,
	tests/status-request-missing.c, tests/status-request-ok.c,
	tests/status-request.c, tests/tls-client-with-seccomp.c,
	tests/tls-rehandshake-cert-2.c, tests/tls-with-seccomp.c,
	tests/tlsext-decoding.c, tests/utils.h, tests/x509dn.c: tests: moved
	child status error checking code in utils.h

2016-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/latex/Makefile.am, doc/latex/macros.tex: latex: updated
	sources for new functions

2016-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files

2016-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: released 3.5.3

2016-08-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/socket.h, lib/system/fastopen.c, src/cli.c,
	tests/client-fastopen.c: gnutls_transport_set_fastopen: added flags
	options

	This will allow minor modifications to the semantics of the function
	in the future, without introducing a new API.

2016-08-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-08-08  Stefan Sørensen <stefan.sorensen@spectralink.com>

	* lib/x509/pkcs12.c: Fix gnutls_pkcs12_simple_parse to always
	extract the complete chain

	gnutls_pkcs12_simple_parse was only collecting extra certificates
	that were possible elements of the certificate chain when the
	extra_certs argument was not NULL. Fix by always collecting all the
	certificates; any unneeded certificates are released before
	returning if extra_certs is NULL anyway.

	Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>

2016-08-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-common.h, tests/x509cert.c: tests: check
	gnutls_certificate_get_x509_crt with more than one certificates

	This would detect the issue in the "Fix invalid pointer operation in
	gnutls_certificate_get_x509_crt"

2016-08-08  Stefan Sørensen <stefan.sorensen@spectralink.com>

	* tests/x509cert.c, tests/x509dn.c, tests/x509self.c: tests: Use
	common ca3 test certificates in x509cert, x509dn and x509self tests.

	Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>

2016-08-08  Stefan Sørensen <stefan.sorensen@spectralink.com>

	* tests/cert-common.h: tests: Remove zero-termination of
	gnutls_datum encapsulated certificates

	This allows for memcmp comparison with certificates after
	processing.

	Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>

2016-08-08  Stefan Sørensen <stefan.sorensen@spectralink.com>

	* lib/x509.c: Fix invalid pointer operation in
	gnutls_certificate_get_x509_crt

	The access to the allocated crt_list variable was missing a pointer
	dereference, leading to memory corruption for any certificate list
	with more than one element.

	Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>

2016-08-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, tests/Makefile.am, tests/key-tests/Makefile.am,
	tests/key-tests/data/key-illegal.pem,
	tests/key-tests/data/p8key-illegal.pem,
	tests/key-tests/illegal-rsa, tests/rsa-illegal-import.c: tests:
	added check for errors when importing illegal RSA keys

2016-08-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/privkey.c, lib/x509/privkey_pkcs8.c: x509: call the fixup
	functions after loading private keys

	That way we can better report errors which relate to illegal
	parameters being detected.

2016-08-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/pk.c: nettle: use rsa_*_key_prepare on key import

	Previously we calculated the size of the key directly, but by using
	the rsa_*_key_prepare we benefit from any checks that may be
	introduced in the future. Specifically any checks for invalid public
	keys (e.g., keys that may crash the underlying gmp functions).

	This patch avoids calling rsa_private_key_prepare every time we
	construct a nettle private key struct, because this function
	requires a bigint multiplication. We call that function once on
	private key import.

2016-08-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/key-tests/Makefile.am: tests: added missing backslash in
	key-tests Makefile

2016-08-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/pk.c: Revert "nettle: use rsa_*_key_prepare"

	This reverts commit c801a15bca9ea8f3f7abd4be48bebd36c54eeba2.

2016-08-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/gnutls.h.in: gnutls.h: moved all compatibility
	defines outside the enum

2016-08-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, m4/hooks.m4: prepared for release 3.5.3

2016-08-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-record-2.c, tests/mini-record-failure.c,
	tests/mini-record-retvals.c: tests: use gnutls_record_set_timeout
	instead of kill child processes

	That way we avoid issues like #118 which are caused by killing the
	child process, and we also avoid deadlocks by making sure that recv
	will terminate after a long delay.

2016-08-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-record.c: tests: mini-record modify in a way to be more
	fail safe

	That is, do not kill the child, but instead switch the roles of
	child and parent, and add a timeout on recv to avoid infinite
	delays.

	Relates: #118

2016-08-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_int.h, lib/x509/verify-high2.c: pkcs11:
	is_object_pkcs11_url -> is_pkcs11_url_object

	Renamed function for clarity.

2016-08-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-record.c: tests: ignore sigpipe in mini-record

2016-08-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/fips.c, lib/includes/gnutls/gnutls.h.in: 
	gnutls_fips140_mode_enabled: changed return type to unsigned

2016-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* CONTRIBUTING.md: doc: updated contribution guide with more info on
	test suite [ci skip]

2016-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: 
	gnutls_pkcs11_privkey_status: return type changed to unsigned

2016-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-bib.texi, doc/cha-gtls-app.texi: doc: added section on
	SCTP protocol [ci skip]

2016-08-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/client-fastopen.c: tests: client-fastopen: removed seccomp
	conditional

2016-08-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system/fastopen.c: fastopen: improved error checking at
	connect()

2016-08-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/pk.c: nettle: use rsa_*_key_prepare

	Previously we calculated the size of the key directly, but by using
	the rsa_*_key_prepare we benefit from any checks that may be
	introduced in the future. Specifically any checks for invalid public
	keys (e.g., keys that may crash the underlying gmp functions).

2016-07-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system/fastopen.c: gnutls_transport_set_fastopen: doc update

2016-07-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-07-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/rnd-linux.c: getrandom: use SYS_getrandom instead of
	__NR_getrandom

	These are identical definitions, but according to syscall()
	SYS_getrandom is the expected value.

2016-07-27  Martin Ukrop <mukrop@redhat.com>

	* lib/x509/name_constraints.c: x509: Fix asymmetry in name
	constraints intersection

	- In _gnutls_name_constraints_intersect, if *_nc had a node of some
	  type not present in _nc2, this was preserved. However, if it was
	  vice versa (_nc2 having a type not present in *_nc), this node was
	  discarded.
	- This is now fixed.
	- Removed redundant return value check that was accidentally left
	  when refactoring from set_datum to explicit NULL setting.

	Signed-off-by: Martin Ukrop <mukrop@redhat.com>

2016-07-26  Martin Ukrop <mukrop@redhat.com>

	* tests/test-chains.h: tests: Add and improve chain tests

	- Add a new chaintest testing the symmetry of merging name
	  constraints of different types.
	- Rename old name_constraints_but_no_name test to match other name
	  constraints tests.
	- Improve chain description of older name constraints tests.

	Signed-off-by: Martin Ukrop <mukrop@redhat.com>

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure: do not generate makefiles in removed dirs

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/set_pkcs12_cred.c: tests: updated paths
	for new location of p12 files

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/safe-renegotiation/Makefile.am,
	tests/safe-renegotiation/suppressions.valgrind: tests: safe
	renegotiation tests are run from top dir

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/{srp/mini-srp.c => srp.c},
	tests/srp/Makefile.am: tests: srp tests moved outside subdir

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/cert-tests/Makefile.am, tests/{sha2 =>
	cert-tests/data}/key-ca-dsa.pem, tests/{sha2 =>
	cert-tests/data}/key-ca.pem, tests/{sha2 =>
	cert-tests/data}/key-dsa.pem, tests/{sha2 =>
	cert-tests/data}/key-subca-dsa.pem, tests/{sha2 =>
	cert-tests/data}/key-subca.pem, tests/{sha2 =>
	cert-tests/data}/key-subsubca.pem, tests/{sha2 =>
	cert-tests/data}/key-user.pem, tests/cert-tests/sha2-dsa-test,
	tests/cert-tests/sha2-test, tests/sha2/Makefile.am,
	tests/sha2/sha2, tests/sha2/sha2-dsa: tests: moved sha2 tests into
	cert-tests/

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/ecdsa/Makefile.am, tests/ecdsa/ecdsa,
	tests/key-tests/Makefile.am, tests/{ecdsa =>
	key-tests/data}/bad-key.pem, tests/key-tests/ecdsa: tests: moved
	ecdsa tests to key-tests/

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/dsa/Makefile.am,
	tests/key-tests/Makefile.am, tests/{dsa =>
	key-tests/data}/cert.dsa.1024.pem, tests/{dsa =>
	key-tests/data}/cert.dsa.2048.pem, tests/{dsa =>
	key-tests/data}/cert.dsa.3072.pem, tests/{dsa =>
	key-tests/data}/dsa-pubkey-1018.pem, tests/{dsa =>
	key-tests/data}/dsa.1024.pem, tests/{dsa =>
	key-tests/data}/dsa.2048.pem, tests/{dsa =>
	key-tests/data}/dsa.3072.pem, tests/{dsa/testdsa => key-tests/dsa}: 
	tests: moved dsa tests into key-tests/

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/key-tests/Makefile.am,
	tests/{pkcs8-decode => key-tests/data}/enc2pkcs8.pem,
	tests/{pkcs8-decode => key-tests/data}/encpkcs8.pem,
	tests/{pkcs8-decode => key-tests/data}/openssl-3des.p8,
	tests/{pkcs8-decode => key-tests/data}/openssl-3des.p8.txt,
	tests/{pkcs8-decode => key-tests/data}/openssl-aes128.p8,
	tests/{pkcs8-decode => key-tests/data}/openssl-aes128.p8.txt,
	tests/{pkcs8-decode => key-tests/data}/openssl-aes256.p8,
	tests/{pkcs8-decode => key-tests/data}/openssl-aes256.p8.txt,
	tests/{pkcs8-decode => key-tests/data}/unencpkcs8.pem,
	tests/{pkcs8-decode/pkcs8 => key-tests/pkcs8-decode},
	tests/pkcs8-decode/Makefile.am,
	tests/pkcs8-decode/suppressions.valgrind: tests: moved pkcs8 tests
	to key-tests/

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-tests/Makefile.am, tests/key-tests/{ =>
	data}/ca-gnutls-keyid.pem, tests/key-tests/{ =>
	data}/ca-no-keyid.pem, tests/key-tests/{ =>
	data}/ca-weird-keyid.pem, tests/key-tests/{ =>
	data}/key-ca-1234.p8, tests/key-tests/{ => data}/key-ca-empty.p8,
	tests/key-tests/{ => data}/key-ca-null.p8, tests/key-tests/{ =>
	data}/key-ca.pem, tests/key-tests/{ => data}/key-ecc.p8,
	tests/key-tests/{ => data}/key-ecc.pem, tests/key-tests/{ =>
	data}/key-user.pem, tests/key-tests/{ => data}/openssl-key-ecc.p8,
	tests/key-tests/key-id, tests/key-tests/pkcs8: tests: key-tests:
	moved data files into data/ subdir

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/cert-tests/Makefile.am,
	tests/{pkcs12-decode => cert-tests}/pkcs12,
	tests/pkcs12-decode/Makefile.am,
	tests/pkcs12-decode/suppressions.valgrind: tests: moved pkcs12 tests
	into cert-certs/ subdir

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: more files to ignore

2016-07-28  Tim Rühsen <tim.ruehsen@gmx.de>

	* configure.ac: Require compiler to support C99

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-07-09  Tim Kosse <tim.kosse@filezilla-project.org>

	* tests/chainverify-unsorted.c: Add test for
	gnutls_x509_crt_list_import2 with flag
	GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED.

2016-07-09  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/x509/crl.c: gnutls_x509_crl_list_import2 was ignoring the
	passed flags if all CTLs in the list fit within the initially
	allocated memory.

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/cert-session.c: gnutls_certificate_get_peers may return an
	unsorted list

2016-07-09  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/x509/x509.c: gnutls_x509_crt_list_import2 was ignoring the
	passed flags if all certificates in the list fit within the
	initially allocated memory.

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509_ext.c: x509: parse_tlsfeatures: move limit check at
	the point of addition

	This prevents appending failures when verifying chains on
	certificates which use the maximum allowed number of features.
	Suggested by Tim Kosse.

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/tlsfeature-ext.c: tests: removed irrelevant comment

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/tls_features.c: correct the sign type of integers in
	debug message

	Suggested by Tim Kosse

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify.c: verify_crt: simplified error setting based on suggestion by Tim Kosse.

2016-07-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify.c: verify_crt: removed text on parameter no longer
	being present

2016-07-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/name_constraints.c: x509: avoid using int declaration
	within a for-loop

	This addresses compilation problem with old compilers, and brings
	consistency as this type of declaration is not used in gnutls' code.

2016-07-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/global.c: gnutls_global_init/deinit: don't use any locking
	during constructor

	This ensures that there is no deadlock on unexpected errors, such as
	missing symbols (e.g., on lazy linking). Reported by Ludovic
	Courtès.

2016-07-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/rnd-linux.c: rnd-linux: use better define check for
	linux systems

2016-07-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/prf.c: gnutls_prf: document when its output matches
	gnutls_prf_rfc5705

2016-07-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/session.c: doc: gnutls_session_set_id: added since

2016-07-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: keep the guile logs as artifacts
	on test suite failure

2016-07-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-07-20  David Walker <david.walker@vcatechnology.com>

	* lib/common.mk: Add extra dependency flags

	This fixes the build when the dependencies are split up during a
	cross-compile

	Resolves: #113

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/Makefile.am, lib/{system-keys-dummy.c =>
	system/keys-dummy.c}, lib/{system-keys-win.c => system/keys-win.c}: 
	moved system-keys-win.c and system-key-dummy.c under system/

2016-07-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/Makefile.am, lib/system.c, lib/system.h, lib/system/certs.c,
	lib/system/iconv.c, lib/{ => system}/inet_ntop.c, lib/{ =>
	system}/inet_pton.c, lib/system/sockets.c, lib/system/threads.c,
	lib/{ => system}/vasprintf.c: split system.c to various files under
	system/

2016-07-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, lib/includes/gnutls/gnutls.h.in: gnutls.h: giovec_t
	is a typedef to iovec where that is available

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, lib/nettle/rnd-linux.c, tests/Makefile.am,
	tests/rng-sigint.c: tests: added unit test for linux
	_rnd_get_system_entropy

	This tests whether the function can operate as expected while being
	interrupted by signals.

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/rnd-linux.c: getrandom: loop around getrandom to get
	the requested number of bytes

	This simplifies and enhances the previous error handling code.

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* devel/README.ci-runners: README.ci-runners: document asan and
	ubsan tags

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: removed pkcs1-padding from subdirs

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: .gitignore: more tests files to ignore

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure.ac: don't generate makefiles of moved
	tests

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/{pkcs1-padding =>
	cert-tests/data}/pkcs1-pad-broken.pem, tests/{pkcs1-padding =>
	cert-tests/data}/pkcs1-pad-broken2.pem, tests/{pkcs1-padding =>
	cert-tests/data}/pkcs1-pad-broken3.pem, tests/{pkcs1-padding =>
	cert-tests/data}/pkcs1-pad-ok.pem, tests/{pkcs1-padding =>
	cert-tests/data}/pkcs1-pad-ok2.pem, tests/{pkcs1-padding =>
	cert-tests}/pkcs1-pad, tests/pkcs1-padding/Makefile.am: tests:
	pkcs1-pad: moved to cert-tests

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/cert-tests/Makefile.am, tests/{userid =>
	cert-tests/data}/userid.pem, tests/{userid => cert-tests}/userid,
	tests/userid/Makefile.am: tests: userid test moved to cert-tests/

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/rsa-md5-collision/Makefile.am,
	tests/rsa-md5-collision/{rsa-md5-collision => rsa-md5-collision.sh}: 
	tests: rsa-md5-collision: run from top-level

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/record.c: doc: updated documentation for
	gnutls_transport_set_int*

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/Makefile.am, doc/cha-bib.texi, doc/cha-functions.texi,
	doc/cha-gtls-app.texi, doc/doc.mk, doc/manpages/Makefile.am: doc:
	added section on reducing round-trips

	That discusses TCP fast open with gnutls_transport_set_fastopen(),
	and false start.

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/client-fastopen.c: tests: added test of
	gnutls_transport_set_fastopen

2016-07-25  Tim Ruehsen <tim.ruehsen@gmx.de>

	* tests/Makefile.am, tests/fastopen.sh: tests: added test of TCP
	fast open using gnutls-cli and gnutls-serv

2016-07-25  Tim Ruehsen <tim.ruehsen@gmx.de>

	* NEWS: doc update

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/Makefile.am, src/cli-debug.c, src/cli.c, src/common.c,
	src/common.h, src/danetool.c, src/ocsptool-common.c,
	src/ocsptool.c, src/socket.c, src/socket.h: tools: TLS handling has
	been incorporated into socket_open()

	This is of particular usage to the server IP address loop, since we
	can detect fast open errors and retry handshake to the next IP
	address.

2016-07-25  Tim Ruehsen <tim.ruehsen@gmx.de>

	* src/cli-args.def, src/cli.c, src/socket.c, src/socket.h: 
	gnutls-cli: added example usage of TCP fastopen

	It is enabled with the new --fastopen option.

2016-07-25  Tim Ruehsen <tim.ruehsen@gmx.de>

	* configure.ac, doc/Makefile.am, doc/manpages/Makefile.am,
	lib/Makefile.am, lib/buffers.c, lib/gnutls_int.h,
	lib/includes/Makefile.am, lib/includes/gnutls/socket.h,
	lib/libgnutls.map, lib/state.c, lib/system.c, lib/system.h,
	lib/system/fastopen.c: Support TCP Fast Open

	This introduces a new function gnutls_transport_set_fastopen().

	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
	Signed-off-by: Tim Ruehsen <tim.ruehsen@gmx.de>

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added asan tag for builds which
	require asan

2016-07-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/pkcs11/pkcs11-privkey-fork.c, tests/suppressions.valgrind: 
	tests: pkcs11-privkey-fork: added explicit pkcs11 deinitialization

	Also ignore known leaks for p11-kit.

2016-07-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: mention ubsan in README [ci skip]

2016-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-07-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/keylog-env.c, tests/set_x509_key.c,
	tests/set_x509_key_file.c, tests/set_x509_key_file_der.c,
	tests/set_x509_key_file_ocsp.c, tests/set_x509_key_mem.c,
	tests/set_x509_pkcs12_key.c, tests/utils-adv.c, tests/utils.h: 
	tests: added checks for OCSP response file support

	That is, check the usability of the APIs for setting and using an
	ocsp response. This improves and makes more generic the test suite
	API and test_cli_serv() in particular.

2016-07-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/dtls.c: dtls: added a null pointer check in record_overhead

	According to my reading this check is unnecessary as in no case a
	null pointer can be encountered. However gcc6 warns about a null
	pointer dereference and thus adding it, to be safe.

2016-07-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/x509.h, lib/x509/hostname-verify.c: 
	gnutls_x509_crt_check_hostname*: use unsigned as return value

	This is to prevent issues to callers who may check for negative
	error values.

2016-07-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-07-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.c, lib/includes/gnutls/gnutls.h.in,
	lib/session_pack.c, tests/resume-with-false-start.c: introduced:
	GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE

	This error code is returned when the session resumption parameters
	are requested during a handshake. That is, to increase the clarity
	when requesting these parameters while false start is active and the
	handshake is not complete even if gnutls_handshake() has returned.

	Relates #114

2016-07-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/resume-with-false-start.c: tests: added
	check of the return values of resumption data functions during false
	start

	Relates #114

2016-07-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/session.c: doc: mention that the session data functions will
	fail prior to handshake completion

2016-07-20  Martin Ukrop <mukrop@redhat.com>

	* lib/includes/gnutls/gnutls.h.in, lib/x509/name_constraints.c: 
	x509: Fix DNS name constraints checking

	- If the intersection of name constraints of the given type was
	  empty, the results allowed all names instead of none.
	- Fixed by adding an universal excluded name constraint in case the
	  intersection for the particular type is empty.
	- Moved the logic of creating a name constraint node copy from
	  _gnutls_name_constraints_intersect to
	  name_constraints_intersect_nodes (previously
	  name_constraints_match), as intersecting IP addresses will require
	  further processing (not just taking one of the compared nodes as was
	  the implementation till now).
	- GNUTLS_SAN_MAX added in order to comfortably iterate over SAN type
	  enum.

2016-07-20  Martin Ukrop <mukrop@redhat.com>

	* tests/name-constraints-merge.c, tests/test-chains.h: tests: Add
	DNS name constraints tests
	- One chaintest with empty permitted intersection.
	- Merge testset with 2 permitted constraints with empty intersection
	  (intersected list is completely empty).
	- Merge testset with 3 permitted constraints, 2 of which have empty
	  intersection.
	- Merge testset with 2 permitted constraints with empty intersection
	  and one constraint of different type that remains (intersected list
	  is not empty).
	- Enhance failing function with suite number for easier
	  comprehension.

2016-07-20  Martin Ukrop <mukrop@redhat.com>

	* tests/name-constraints-merge.c, tests/name-constraints.c: tests:
	Tidy up old X509 name constraints tests
	- Use convenience functions for error checking and failure
	  reporting.
	- Drop explicit (de)initialization (prevents some not freed reachable
	  memory due to PKCS11 subsystem not being deinitialized in the
	  destructor).
	- Use variables to count set permitted/excluded constraints instead
	  of hard-coded numbers.

2016-07-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/cert.c: doc: clarify return codes in verification functions
	[ci skip]

2016-07-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/cert.c: gnutls_certificate_verify_peers2: document that
	hostname comparison follows RFC6125

2016-07-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/rnd-getentropy.c: rnd-getentropy: better handling of
	error printing with errno

2016-07-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/rnd-linux.c: rnd-linux: make getrandom back-end robust
	against EINTR failures

2016-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/state.c: gnutls_init: doc update

2016-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-tls-nonblock.c: tests: verify that GNUTLS_NONBLOCK is
	available as a definition

2016-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/gnutls.h.in: gnutls.h: define elements of
	gnutls_init_flags_t That is, define all the elements that were available prior to the move
	from #define to enum, to allow code relying on

2016-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/gnutls.h.in: gnutls.h: documented the version
	various gnutls_init flags were introduced

2016-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/dn.c, lib/x509/x509.c, lib/x509/x509_dn.c: Moved the
	gnutls_x509_dn API functions to x509_dn.c

2016-07-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/x509-dn-decode.c: tests: enhanced DN decoding tests with
	complex encoding

2016-07-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509_dn.c: RFC4514 DN decoding: allow decoding of raw
	('#') items In addition allow escaping prefix or suffix spaces as well as the
	hash.

2016-07-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-07-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/x509-dn-decode.c: tests: enhanced DN decoding tests with
	encoding This adds unit tests for gnutls_x509_dn_set_str().

2016-07-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/dn.c,
	lib/x509/x509_dn.c: Added gnutls_x509_dn_set_str() This allows initializing a gnutls_x509_dn_t structure via a DN
	string.

2016-07-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/utils.c: tests: utils: use vasprintf() where available This allows printing long strings.

2016-07-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/x509-dn-decode.c, tests/{moredn.c =>
	x509-dn.c}: tests: added checks for the RFC4514 decoding via
	gnutls_x509_dn_get_str()

2016-07-19  Tim Rühsen <tim.ruehsen@gmx.de>

	* tests/mini-loss-time.c: Remove redundant if expression from
	tests/mini-loss-time.c

2016-07-19  Tim Rühsen <tim.ruehsen@gmx.de>

	* tests/slow/cipher-openssl-compat.c: Fix
	tests/slow/cipher-openssl-compat.c for OpenSSL 1.1.0

2016-07-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* cfg.mk: cfg.mk: no longer save config.rpath

2016-07-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore, build-aux/ar-lib, build-aux/config.rpath,
	build-aux/test-driver, build-aux/ylwrap: removed auto-generated
	files from the repository

2016-07-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/pkcs11/pkcs11-chainverify.c, tests/pkcs11/pkcs11-is-known.c: 
	tests: removed an skipped failures due to bugs in softhsm 2.0.0 These are no longer an issue as the CI has been updated to softhsm
	2.1.0, which addresses them, and they prevented catching the
	GNUTLS-SA-2016-2 regression.

2016-07-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-07-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/Makefile.am, lib/nettle/egd.c, lib/nettle/egd.h,
	lib/nettle/rnd-linux.c: Dropped support for EGD random generator This removes rarely tested code for systems which no longer exist
	and simplifies code for Linux random generator.  Resolves #112

2016-07-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure: prevent a version of getentropy() in a
	linux libc to be used For now, we auto-detect and switch between getrandom() and
	/dev/urandom when the former is not available. With the complexity
	of dealing with libc's that have the feature but kernel not
	supporting it, or vice versa it is best to keep things simple.

2016-07-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/rnd-linux.c: rnd-linux: added sanity check in getrandom
	output

2016-07-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, lib/nettle/Makefile.am, lib/nettle/rnd-common.c,
	lib/nettle/rnd-getentropy.c, lib/nettle/rnd-linux.c,
	lib/nettle/rnd-windows.c: nettle: split the rnd-common to
	rnd-windows, rnd-getentropy, and rnd-linux That is, to the windows random generator as well as the getentropy()
	generator in BSDs, as well as the getrandom(), /dev/urandom, and EGD
	generators on Linux systems.

2016-07-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/rnd-common.c: rnd-common: added faster detection of
	getrandom based on GRND_NONBLOCK

2016-07-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-07-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/rnd-common.c: urandom: use st_ino and st_rdev to
	determine device uniqueness

2016-07-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/rnd-common.c: Added auto-detection of getrandom()
	system call in Linux systems In addition use getrandom() via the syscall interface if it doesn't
	exist in Libc. The reason for the latter is that getrandom() support
	for glibc is in limbo for several years, and for auto-detection is
	that even if it is going to be present in libc we will not be able
	to guarantee that the system call is available just because it is
	present in glibc.  For that we detect on initialization whether
	getrandom() can obtain random data, and if yes, we continue using
	that.

2016-07-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dtls-client-with-seccomp.c, tests/dtls-with-seccomp.c,
	tests/tls-client-with-seccomp.c, tests/tls-with-seccomp.c: tests:
	seccomp examples: use cert-common.h

2016-07-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/data/arb-extensions.csr,
	tests/cert-tests/data/arb-extensions.pem,
	tests/cert-tests/templates/arb-extensions.tmpl: tests: enhanced
	arbitrary extension tests with octet_string encoding

2016-07-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/Makefile.am, src/certtool-args.def, src/certtool-cfg.c: 
	certtool: added the ability to encode arbitrary extensions That is, added the ability to encode as an octet string any
	specified extension data.

2016-07-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: added expiration time of a week
	for failure artifacts

2016-07-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-07-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/crq_apis.c: tests: added basic testing of
	gnutls_x509_crq_set_extension_by_oid()

2016-07-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/data/arb-extensions.csr,
	tests/cert-tests/data/arb-extensions.pem,
	tests/cert-tests/template-exts-test,
	tests/cert-tests/templates/arb-extensions.tmpl: tests: added checks
	on certificate and request generation with arbitrary extensions This tests the add_extension and add_critical_extension options of
	certtool.

2016-07-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h,
	src/certtool.c: certtool: added options to set arbitrary extensions
	to certificates and requests This allows setting arbitrary extensions using the following new
	template options:
	  add_extension = "5.6.7.8 0x0001020304050607AAABCD"
	  add_critical_extension = "9.10.11.12.13.14.15.16.17.1.5 0xCAFE"
	The "0x" prefix can be omitted.

2016-07-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/crq.c,
	lib/x509/x509_write.c: added gnutls_x509_crq_set_extension_by_oid() This is a function to add an arbitrary extension into a certificate
	request.

2016-07-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: doc: mention the need of libtasn1-tools in Fedora based
	systems [ci skip]

2016-07-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-07-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: doc: mention libcmocka dependency

2016-07-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, tests/Makefile.am, tests/dtls-sliding-window.c: 
	tests: added unit testing for DTLS sliding window implementation This was taken from the unit testing of AF_KTLS.

2016-06-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/constate.c, lib/dtls-sw.c,
	lib/dtls-window.c, lib/dtls.h, lib/gnutls_int.h, lib/record.c,
	lib/state.c: dtls: imported Fridolin's DTLS sliding window
	implementation This simplifies the current code, and reduces the memory needed.

2016-06-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/dtls-window.c, lib/dtls.c: dtls: moved DTLS
	window handling to separate file

2016-07-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/examples/ex-client-x509.c: ex-client-x509: removed unused call
	to gnutls_session_set_ptr()

2016-07-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/minitasn1/coding.c, lib/minitasn1/decoding.c,
	lib/minitasn1/int.h, lib/minitasn1/parser_aux.c,
	lib/minitasn1/parser_aux.h: libtasn1: updated to allow large OIDs to
	be used even on 32-bit systems

2016-07-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* CONTRIBUTING.md: doc: updated contribution guide

2016-07-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* CONTRIBUTING.md: doc: updated contribution guide

2016-07-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am: tests: link the resume tests to gnulib due to
	their missing memmem() This fixes compilation of gnutls in solaris. Reported by Dagobert
	Michelsen.

2016-07-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: NEWS: corrected release date [ci skip]

2016-07-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: keep the artifacts on failure

2016-07-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/kx.c: write_nss_key_log: write the premaster secret while it
	is still valid

2016-07-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/minitasn1/coding.c: updated libtasn1

2016-07-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: released 3.5.2

2016-07-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* cfg.mk: cfg.mk: reduced the generated changelog size

2016-07-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, m4/hooks.m4: bumped version

2016-07-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/Makefile.am, tests/slow/gnutls-asan.supp: tests: ignore
	any memory leaks from libcrypto

2016-07-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-07-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* cfg.mk, devel/perlasm/aesni-gcm-x86_64.pl,
	devel/perlasm/aesni-gcm-x86_64.pl.license,
	devel/perlasm/license.txt, doc/cha-gtls-app.texi,
	lib/accelerated/x86/Makefile.am,
	lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c,
	lib/accelerated/x86/aes-x86.h,
	lib/accelerated/x86/coff/aes-ssse3-x86_64.s,
	lib/accelerated/x86/coff/aesni-gcm-x86_64.s,
	lib/accelerated/x86/coff/aesni-x86.s,
	lib/accelerated/x86/coff/aesni-x86_64.s,
	lib/accelerated/x86/coff/ghash-x86_64.s,
	lib/accelerated/x86/elf/aes-ssse3-x86.s,
	lib/accelerated/x86/elf/aes-ssse3-x86_64.s,
	lib/accelerated/x86/elf/aesni-gcm-x86_64.s,
	lib/accelerated/x86/elf/aesni-x86.s,
	lib/accelerated/x86/elf/aesni-x86_64.s,
	lib/accelerated/x86/elf/cpuid-x86.s,
	lib/accelerated/x86/elf/ghash-x86_64.s,
	lib/accelerated/x86/files.mk,
	lib/accelerated/x86/macosx/aes-ssse3-x86_64.s,
	lib/accelerated/x86/macosx/aesni-gcm-x86_64.s,
	lib/accelerated/x86/macosx/aesni-x86.s,
	lib/accelerated/x86/macosx/aesni-x86_64.s,
	lib/accelerated/x86/macosx/ghash-x86_64.s,
	lib/accelerated/x86/x86-common.c, tests/slow/test-ciphers-common.sh: 
	asm: updated openssl and the asm sources for AES-GCM from openssl
	1.0.2h This improves the performance of AES-GCM significantly by taking
	advantage of AVX and MOVBE instructions where available. This
	utilizes Andy Polyakov's code under BSD license.

2016-07-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/Makefile.am: tests: when testing with openssl disallow
	any CPU optimizations This ensures that we test our optimized code (which is mostly
	openssl based), with code that is not identical.

2016-07-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore, README.md, configure.ac, tests/slow/Makefile.am,
	tests/slow/cipher-openssl-compat.c, tests/slow/{test-ciphers =>
	test-ciphers-common.sh}, tests/slow/test-ciphers-openssl.sh,
	tests/slow/test-ciphers.sh: tests: added openssl compatibility tests
	for AES-GCM cipher

2016-07-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* libdane/errors.c, libdane/includes/gnutls/dane.h: dane: corrected
	the license of libdane files The license was always LGPL version 2.1, and these files mentioned
	LGPL version 3. Reported by Thomas Petazzoni.

2016-07-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/gnutls-asan.supp: tests: ignore leaks due
	to p11-kit in test suite This addresses issue in "pkcs11-privkey-fork" which failed when
	compiled under asan due to leaks in p11-kit after fork.

2016-07-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs11/pkcs11-mock.c,
	tests/pkcs11/pkcs11-mock.h, tests/pkcs11/pkcs11-privkey-fork.c: 
	tests: added check to ensure that pkcs11 objects will be reopened on
	fork This checks whether C_Initialize() and C_OpenSession() will be
	called again when using a PKCS#11 module.  Resolves #95

2016-07-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_privkey.c: pkcs11: on object import always check for a
	supported public key algorithm

2016-07-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-api.c, lib/crypto-selftests.c: 
	gnutls_aead_cipher_decrypt: corrected the return value of ptext_len That is, do not account the tag_size into the plaintext.

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure: check for libdl irrespective of FIPS140
	configuration This allows to link to libdl for the tests that require it.

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: account pkcs11/pkcs11-mock-ext.h in
	Makefile

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: link pkcs11-import-url-privkey with
	libdl That is because it uses dlopen().

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: more files to ignore

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/pkcs11/pkcs11-pubkey-import.c: tests: avoid compiler warning
	from pkcs11-pubkey-import

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs11/pkcs11-import-url-privkey.c,
	tests/pkcs11/pkcs11-mock-ext.h, tests/pkcs11/pkcs11-mock.c: tests:
	added check to verify the tolerance of broken C_GetAttributes That is, test gnutls_pkcs11_obj_list_import_url4() when importing
	private keys from tokens that return CKR_OK on sensitive objects,
	and tokens that return CKR_ATTRIBUTE_SENSITIVE.  Relates #108

2016-06-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_int.c: pkcs11_get_attribute_avalue: correctly handle a
	-1 value length from C_GetAttributeValue That is, work-around modules which do not return an error on
	sensitive objects.  Relates #108

2016-06-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11_int.c: pkcs11_get_attribute_avalue: do not assign
	values on failure When C_GetAttributeValue() returns size but does not return data
	then pkcs11_get_attribute_avalue() would set the return data pointer
	to a free'd value. This is against the convention expected by
	callers, i.e., set data to NULL. Reported by Anthony Alba in #108.

2016-06-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/name-constraints: tests: use datefudge in
	name-constraints test This avoids the expiration of the used certificate to affect the
	test.

2016-06-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: link libpkcs11mock1 with gnulib This allows it to use gnulib for strndup where it is needed.

2016-06-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: do not return from void functions This fixes a compilation issue with solaris compiler. Reported by
	Peter Eriksson.

2016-06-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: doc: mention the boolean functions in the
	gnutls API

2016-06-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/Makefile.am: tests: removed remainders of pkcs11 tests
	from suite/

2016-06-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11.c: 
	gnutls_pkcs11_crt_is_known: changed to unsigned type

2016-06-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/pkcs11/pkcs11-is-known.c: tests: pkcs11-is-known: check that
	no flags enforce compare

2016-06-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: gnutls_pkcs11_crt_is_known: always assume
	GNUTLS_PKCS11_OBJ_FLAG_COMPARE unless
	GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is given

2016-06-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/{suite => pkcs11}/pkcs11-chainverify.c,
	tests/{suite => pkcs11}/pkcs11-combo.c, tests/{suite =>
	pkcs11}/pkcs11-get-issuer.c, tests/{suite =>
	pkcs11}/pkcs11-is-known.c, tests/{suite =>
	pkcs11}/pkcs11-privkey.c, tests/{suite =>
	pkcs11}/pkcs11-pubkey-import-ecdsa.c, tests/{suite =>
	pkcs11}/pkcs11-pubkey-import-rsa.c, tests/{suite =>
	pkcs11}/pkcs11-pubkey-import.c, tests/{suite => pkcs11}/softhsm.h,
	tests/suite/Makefile.am: tests: moved pkcs11-softhsm test suite into
	pkcs11/

2016-06-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: find_cert_cb: minor cleanups in find_cert_cb

2016-06-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/pkcs11-is-known.c: tests: added more unit tests for
	gnutls_pkcs11_crt_is_known()

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dn2.c: dn2: updated to account for serial number being
	printed

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/certs/create-chain.sh: tests: corrected
	create-chain.sh to remove the ocsp_signing_key from generated certs

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/test-chains.h: tests: replaced tls feature extension checks The previous checks had incorrect key purpose check on the final (root) certificate.

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c, lib/x509/verify.c: enhanced debugging messages for
	cert verification

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509: print serial number in compact output

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/Makefile.am: tests: include softhsm.h into dist files

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: correctly encode the serial number when
	searching for certificate In gnutls_pkcs11_crt_is_known() corrected the encoding of the serial
	number to TLV DER from LV DER. This is the encoding we use when
	storing that number.

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: correctly account check_found_cert()

2016-06-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c: gnutls-cli-debug: replaced
	draft-ietf-tls-chacha20-poly1305-04 with RFC7905

2016-06-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/benchmark-cipher.c, src/benchmark.c, src/benchmark.h: 
	gnutls-cli: benchmark the memcpy performance to compare with ciphers Also ensure that we use different memory areas for each operation to
	avoid measuring better performance due to caching.

2016-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-06-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/prf.c: doc: corrected typo

2016-06-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* po/LINGUAS: Sync with TP.

2016-06-18  Andreas Metzler <ametzler@bebt.de>

	* lib/x509/crq.c, lib/x509/tls_features.c, lib/x509/x509.c,
	lib/x509/x509_ext.c: Typo fixes (found by lintian): extention,
	reencode

2016-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/dtls-rehandshake-cert-3.c: tests: added
	check for handshake packet reconstruction This tests whether a split handshake packet is properly
	reconstructed if the parts are switched.

2016-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/buffers.c: dtls: corrected reconstruction of handshake packets
	received out of order That is, when the handshake packet is split into multiple different
	chunks and received out of order, make sure that reconstruction
	occurs properly. Reported by Guillaume Roguez.

2016-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_write.c: Corrected the writing of serial number in
	PKCS#11 modules That is, previously the serial number was written in raw format, but
	in PKCS#11 the serial number must be set encoded as integer. Report
	and fix by Stanislav Zidek.

2016-06-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/ecc.c: ext: ecc: replaced SUPPORTED ECC POINT FORMATS with
	better formatted name

2016-06-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/srpbase64.c: tests: disable SRP-base64 encode/decoded tests
	when SRP is disabled

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: restrict windows build checks to
	tests/ subdir [ci skip] That is because there is an issue with the gnulib self tests when
	run under windows.

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: released 3.5.1

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/dtls/Makefile.am: tests: added missing files

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am: tests: fixed the path of cert-tests
	files and added missing files in Makefile.am

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitignore: more files to ignore

2016-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/tlsfeature-ext.c: tests: verify the resilience of the
	TLSFeature handling functions on large number of features

2016-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/tls_features.c, lib/x509/x509_ext.c, lib/x509/x509_int.h: 
	tlsfeature: impose a maximum number of supported TLS features This avoids many allocations and simplifies handling of the
	features.  The currently set maximum number of TLS features aligns
	with the maximum number of supported TLS extensions.

2016-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/tlsfeature-crt.c: tests: added unit test
	for gnutls_x509_tlsfeatures_check_crt

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509.c,
	lib/x509/Makefile.am, lib/x509/crq.c, lib/x509/name_constraints.c,
	lib/x509/tls_features.c, lib/x509/verify.c, lib/x509/x509.c,
	lib/x509/x509_ext.c, lib/x509/x509_write.c: During PKIX chain
	verification check the TLSFeatures compliance This verifies whether a chain complies with RFC7366 p.4.2.2
	requirements.  That is, whether the issuer's features are a superset
	of the certificate under verification.  This enhances gnutls_x509_crt_get_tlsfeatures() to allow appending
	of TLSFeatures, and introduces gnutls_x509_tlsfeatures_check_crt().

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify.c: verify_crt: moved all verification state into a
	common structure This allows for easier extension of state.

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/test-chains.h: tests: added chain verification with TLS
	features That adds checks for the RFC7633 requirements for intermediate and
	CA certificates (p. 4.2.2).

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, m4/hooks.m4: bumped version

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/crq,
	tests/cert-tests/data/template-crq.pem,
	tests/cert-tests/templates/template-crq.tmpl: tests: verify the
	operation of honor_crq_ext template option

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/scripts/common.sh: tests: common.sh will export the required
	TZ for datefudge tests

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/ocsptool.c, src/tests.c: tools: avoid using deprecated types

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h,
	src/certtool.c: certtool: allow copying specific certificate request
	extensions to certificate This introduces the honor_crq_extension multi-line template option.

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/crq_apis.c: tests: added check on
	gnutls_x509_crt_set_crq_extension_by_oid()

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/x509.h, lib/libgnutls.map,
	lib/x509/x509_write.c: Added
	gnutls_x509_crt_set_crq_extension_by_oid() This allows copying specific OIDs from a certificate request to the
	certificate.

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/certtool, tests/cert-tests/krb5-test,
	tests/cert-tests/md5-test, tests/cert-tests/othername-test,
	tests/cert-tests/sha3-test, tests/cert-tests/template-test,
	tests/cert-tests/tlsfeature-test, tests/scripts/common.sh: tests:
	moved check for datefudge in scripts/common.sh

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/cert-tests/Makefile.am,
	tests/cert-tests/aki, tests/cert-tests/certtool,
	tests/cert-tests/certtool-long-cn, tests/cert-tests/certtool-utf8,
	tests/cert-tests/crl, tests/cert-tests/crq, tests/cert-tests/dane,
	tests/cert-tests/{ => data}/aki-cert.pem, tests/cert-tests/{ =>
	data}/bmpstring.pem, tests/cert-tests/{ => data}/ca-certs.pem,
	tests/cert-tests/{ => data}/ca-no-pathlen.pem, tests/cert-tests/{
	=> data}/cert-ecc256.pem, tests/cert-tests/{ =>
	data}/chain-md5.pem, tests/cert-tests/{ => data}/complex-cert.pem,
	tests/cert-tests/{ => data}/dane-test.rr, tests/cert-tests/{ =>
	data}/full.p7b.out, tests/cert-tests/{ => data}/funny-spacing.pem,
	tests/cert-tests/{ => data}/gost-cert.pem, tests/cert-tests/{ =>
	data}/invalid-sig.pem, tests/cert-tests/{ =>
	data}/invalid-sig2.pem, tests/cert-tests/{ =>
	data}/invalid-sig3.pem, tests/cert-tests/{ =>
	data}/name-constraints-ip.pem, tests/cert-tests/{ =>
	data}/name-constraints-ip2.pem, tests/cert-tests/{ =>
	data}/no-ca-or-pathlen.pem, tests/cert-tests/{ =>
	data}/p7-combined.out, tests/cert-tests/{ =>
	data}/pkcs7-detached.txt, tests/cert-tests/{ => data}/privkey1.pem,
	tests/cert-tests/{ => data}/privkey2.pem, tests/cert-tests/{ =>
	data}/privkey3.pem, tests/cert-tests/{ =>
	data}/provable-dsa2048-fips.pem, tests/cert-tests/{ =>
	data}/provable-dsa2048.pem, tests/cert-tests/{ =>
	data}/provable2048.pem, tests/cert-tests/{ =>
	data}/provable3072.pem, tests/cert-tests/{ =>
	data}/single-ca.p7b.out, tests/cert-tests/{ =>
	data}/template-date.pem, tests/cert-tests/{ =>
	data}/template-dn.pem, tests/cert-tests/{ =>
	data}/template-generalized.pem, tests/cert-tests/{ =>
	data}/template-krb5name-full.pem, tests/cert-tests/{ =>
	data}/template-krb5name.pem, tests/cert-tests/{ =>
	data}/template-nc.pem, tests/cert-tests/{ =>
	data}/template-othername-xmpp.pem, tests/cert-tests/{ =>
	data}/template-othername.pem, tests/cert-tests/{ =>
	data}/template-overflow.pem, tests/cert-tests/{ =>
	data}/template-overflow2.pem, tests/cert-tests/{ =>
	data}/template-rsa-sha3-224.pem, tests/cert-tests/{ =>
	data}/template-rsa-sha3-256.pem, tests/cert-tests/{ =>
	data}/template-rsa-sha3-384.pem, tests/cert-tests/{ =>
	data}/template-rsa-sha3-512.pem, tests/cert-tests/{ =>
	data}/template-test-ecc.key, tests/cert-tests/{ =>
	data}/template-test.key, tests/cert-tests/{ =>
	data}/template-test.pem, tests/cert-tests/{ =>
	data}/template-tlsfeature.csr, tests/cert-tests/{ =>
	data}/template-tlsfeature.pem, tests/cert-tests/{ =>
	data}/template-unique.pem, tests/cert-tests/{ =>
	data}/template-utf8.pem, tests/cert-tests/{ =>
	data}/very-long-dn.pem, tests/cert-tests/{ =>
	data}/xmpp-othername.pem, tests/cert-tests/invalid-sig,
	tests/cert-tests/krb5-test, tests/cert-tests/md5-test,
	tests/cert-tests/name-constraints, tests/cert-tests/othername-test,
	tests/cert-tests/pathlen, tests/cert-tests/pem-decoding,
	tests/cert-tests/pkcs7, tests/cert-tests/pkcs7-broken-sigs,
	tests/cert-tests/privkey-import, tests/cert-tests/provable-privkey,
	tests/cert-tests/sha3-test, tests/cert-tests/template-test,
	tests/cert-tests/tlsfeature-test: tests: cert-tests: moved all data
	files in separate subdir

2016-06-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/krb5-test,
	tests/cert-tests/othername-test, tests/cert-tests/sha3-test,
	tests/cert-tests/template-test, tests/cert-tests/{ =>
	templates}/template-date.tmpl, tests/cert-tests/{ =>
	templates}/template-dn-err.tmpl, tests/cert-tests/{ =>
	templates}/template-dn.tmpl, tests/cert-tests/{ =>
	templates}/template-generalized.tmpl, tests/cert-tests/{ =>
	templates}/template-krb5name.tmpl, tests/cert-tests/{ =>
	templates}/template-nc.tmpl, tests/cert-tests/{ =>
	templates}/template-othername-xmpp.tmpl, tests/cert-tests/{ =>
	templates}/template-othername.tmpl, tests/cert-tests/{ =>
	templates}/template-overflow.tmpl, tests/cert-tests/{ =>
	templates}/template-overflow2.tmpl, tests/cert-tests/{ =>
	templates}/template-test.tmpl, tests/cert-tests/{ =>
	templates}/template-tlsfeature-crq.tmpl, tests/cert-tests/{ =>
	templates}/template-tlsfeature.tmpl, tests/cert-tests/{ =>
	templates}/template-unique.tmpl, tests/cert-tests/{ =>
	templates}/template-utf8.tmpl, tests/cert-tests/tlsfeature-test: 
	tests: cert-tests: moved templates into subdir

2016-06-10  Daniel P. Berrange <berrange@redhat.com>

	* tests/system-prio-file.c: tests: test trailing comma in system
	priorities

	Add tests which verify behaviour when the list of system priorities
	has a trailing ','. Avoid crash in test suite if the test
	unexpectedly succeeds when expected_str is NULL.

	Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

2016-06-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/dtls-rehandshake-cert-2.c: tests: added
	check of DTLS rehandshake for upgrade That is check whether anon -> cert renegotiation works.

2016-06-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/dtls-rehandshake-cert.c: tests: added
	check of DTLS rehandshake when using PKIX certs This complements the existing DTLS rehandshake test using anonymous
	ciphersuites.

2016-06-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/system-prio-file.c: tests: document some details in
	system-prio-file [ci skip]

2016-06-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/priority.c: doc: mention the usage of the
	_gnutls_resolve_priorities function in testsuite

2016-06-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: doc: mention the fallback keyword support
	in manual

2016-06-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/system-prio-file.c: tests: added checks for system priority
	file fallback mechanism

2016-06-03  Daniel P. Berrange <berrange@redhat.com>

	* lib/priority.c: gnutls_priority_init: multiple @KEYWORD lookups
	with fallback

	The support for using "@KEYWORD" as a priority string is very useful
	to separate selection of priorities from application specific code
	or config files. It is, however, not general enough to fully serve
	all reasonable use cases.

	For example, consider an application sets

	  gnutls_priority_set_direct(session, "@SYSTEM", NULL);

	The system administrator can modify the global priorities file to
	change what "@SYSTEM" resolves to for all apps using GNUTLS. As soon
	as one application wishes to have a slightly different configuration
	from others on the host, you have to go back and start modifying
	application specific configuration files once more. This is bad for
	the system administrator as it means there's no longer one single
	place where they can see the priority configuration for all apps.

	They may try to get around this problem by configuring the app to
	use a different keyword, instead of a full priority string, eg
	"@LIBVIRT". So the global priorities file can now define entries for
	both "SYSTEM" and "LIBVIRT". This has still placed a burden on the
	administrator to change the config in two places - both libvirt config
	files and the global priorities file.

	What is more desirable is if applications were able to provide a
	list of keywords that would be tried in order, picking the first
	that existed. For example, libvirt could be written to request the
	following by default

	  gnutls_priority_set_direct(session, "@LIBVIRT,SYSTEM", NULL);

	With this, gnutls would first try to find the "LIBVIRT" keyword in
	the global configuration file, and if that is not present, then it
	would fall back to trying to find the "SYSTEM" keyword.

	This provides nice "out of the box" behaviour for system
	administrators, whereby the app would be using "SYSTEM" initially
	and if the admin wishes to give the app a custom configuration, they
	can simply modify the global priorities file to add in the
	application specific keyword "LIBVIRT". There is never a need for
	the sysadmin to modify any application specific configuration files
	any more. It is exclusively controlled in one place via the global
	priorities file.

	Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
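
The lookup order described in the entry above, as an added C example; it is not the code in lib/priority.c. The `NAME=priority string` file layout, the sample entries and the names `resolve_priority` and `lookup_keyword` are assumptions of the example, and any `:options` suffix after the keyword list is ignored.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a global priorities file. Assumed layout for this
 * example: one NAME=priority-string entry per line. */
static const char SAMPLE_FILE[] =
    "# constructed sample\n"
    "SYSTEM=NORMAL:-VERS-SSL3.0\n"
    "LIBVIRT=SECURE128:-VERS-TLS1.0\n";

/* Look up one keyword (kw, kwlen bytes, not NUL-terminated) in the file
 * text and copy its value to out. An empty value is treated as undefined
 * (a choice of this example). Returns 0 on success, -1 otherwise. */
static int lookup_keyword(const char *text, const char *kw, size_t kwlen,
                          char *out, size_t outlen)
{
    const char *line = text;

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        /* The line must start with exactly "<kw>=", so that "SYS" does
         * not match an entry named "SYSTEM". */
        if (len > kwlen && line[kwlen] == '=' &&
            strncmp(line, kw, kwlen) == 0) {
            size_t vlen = len - kwlen - 1;

            if (vlen == 0 || vlen >= outlen)
                return -1;
            memcpy(out, line + kwlen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        line = eol ? eol + 1 : line + len;
    }
    return -1;
}

/* Resolve "@KW1,KW2,...": try each keyword in order and return the value
 * of the first one defined in the file. Empty items, such as the one left
 * by a trailing ',', are skipped. On success returns 0, with the priority
 * string in out and the keyword that matched in matched; returns -1 if the
 * string is not a keyword reference or no keyword is defined. */
int resolve_priority(const char *prio, const char *file_text,
                     char *out, size_t outlen,
                     char *matched, size_t matchedlen)
{
    const char *p;

    if (prio == NULL || prio[0] != '@')
        return -1;

    p = prio + 1;
    for (;;) {
        size_t kwlen = strcspn(p, ",:");

        if (kwlen > 0 && kwlen < matchedlen &&
            lookup_keyword(file_text, p, kwlen, out, outlen) == 0) {
            memcpy(matched, p, kwlen);
            matched[kwlen] = '\0';
            return 0;
        }
        p += kwlen;
        if (*p != ',')
            break;      /* end of string, or start of ":options" */
        p++;
    }
    return -1;
}

int main(void)
{
    char prio[128], kw[32];

    if (resolve_priority("@LIBVIRT,SYSTEM", SAMPLE_FILE,
                         prio, sizeof(prio), kw, sizeof(kw)) == 0)
        printf("%s -> %s\n", kw, prio);
    else
        printf("no keyword resolved\n");
    return 0;
}
```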

2016-06-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/system-prio-file.c: tests: enhanced system priority file
	testing

	This checks whether appending to system priority options works.

2016-06-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/priority.c: doc update

2016-06-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/cha-gtls-examples.texi: doc: remove all
	references to openpgp auth example

2016-06-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-06-03  Daniel P. Berrange <berrange@redhat.com>

	* lib/priority.c: _gnutls_resolve_priorities: always try to re-read
	sys priority file

	Previously if the system priority file was edited, that would take
	effect on the very next TLS session an application created.

	As of:

	  commit 006b89d4464ae1bb6d545ea5716998654124df45
	  Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
	  Date:   Fri Apr 1 10:46:12 2016 +0200

	    priorities: preload the system priorities on library loading
	    time

	It is required to restart every application after changing the
	system priority file to get changes to take effect.

	Further, for applications running in a chroot, it will no longer
	honour a system priority file that may exist inside the chroot,
	always using the originally cached data from outside the chroot.

	This patch changes the caching so that we always try to reload the
	cache of system priorities. A mtime check is used to avoid actually
	re-reading the file unless its content has obviously changed. If the
	file no longer exists, the cache will not be invalidated. This
	ensures that the current priority file is always honoured, whether
	inside a chroot or not, while at the same time allowing apps to work
	in a chroot when no system priority file is present.

	Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

2016-06-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: doc: remove references to GNUTLS_KEYLOGFILE

2016-06-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/{mini-dtls-rehandshake.c =>
	dtls-rehandshake-anon.c}, tests/{mini-rehandshake-2.c =>
	tls-rehandshake-cert-2.c}, tests/{mini-rehandshake.c =>
	tls-rehandshake-cert.c}: tests: renamed rehandshake checks for
	clarity

2016-06-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-06-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/global.c, lib/global.h, lib/kx.c, tests/keylog-env.c: 
	keylogfile: only consider the SSLKEYLOGFILE variable In addition do not check the environment in the constructor but
	instead use static variables to save the key file name.  The
	GNUTLS_KEYLOGFILE environment variable is no longer used since there
	is no reason to have a separate one.

2016-06-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/auth/cert.c, lib/ext/server_name.c, lib/x509/common.c,
	lib/x509/crq.c, lib/x509/key_encode.c, lib/x509/krb5.c,
	lib/x509/krb5.h, lib/x509/privkey.c: lib: eliminated the use of
	deprecated variables

2016-06-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-examples.texi, doc/examples/Makefile.am,
	doc/examples/ex-serv-pgp.c: doc: removed OpenPGP examples Relates #102

2016-06-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/pkcs12.h, lib/x509/pkcs12_bag.c: pkcs12:
	corrected return type of gnutls_pkcs12_bag_get_type()

2016-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: move pkcs11-cert-import-url4-exts with
	the other pkcs11 tests This prevents a build failure in windows.

2016-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: doc clarify the version since when
	GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT is accepted

2016-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/crl-test: tests: corrected typo in crl-test

2016-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs11/pkcs11-cert-import-url4-exts.c: 
	tests: check gnutls_pkcs11_obj_list_import_url4() with
	GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT

2016-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: gnutls_pkcs11_obj_list_import_url4: accepts the
	GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag

2016-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: gnutls_pkcs11_obj_list_import_url3: rewritten to use
	gnutls_pkcs11_obj_list_import_url4

2016-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c, lib/pkcs11_int.c, lib/pkcs11_privkey.c,
	lib/pkcs11_secret.c, lib/pkcs11_write.c: pkcs11: use ctx as variable
	name for ck_object_handle_t for clarity

2016-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: doc update

2016-06-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-06-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify.c: _gnutls_check_key_purpose: in CA certificates
	treat the SGC key purpose as GNUTLS_KP_TLS_WWW_SERVER

	This is a hack for certain very old CA certificates lurking around
	which instead of having the GNUTLS_KP_TLS_WWW_SERVER have some old
	OIDs for that purpose. Consider these OIDs equivalent to
	GNUTLS_KP_TLS_WWW_SERVER in certificates marked as CA.

2016-06-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c: gnutls-cli: --save-ocsp will work even if verification
	fails That is, allow saving the response even if the OCSP response caused
	a verification error. That way the response can be examined for
	possible issues.

2016-06-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509.c: ocsp: attempt harder to figure an OCSP staple issuer

	That is, check initially against the trust list set on the
	credentials, and if verification is not possible attempt with all
	certificates in the chain as possible issuers. The reason for this
	enhancement is that a few servers have an OCSP response signed not by
	their direct CA but rather by one of the higher level CAs.

2016-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/ocsp-tests/Makefile.am,
	tests/ocsp-tests/ocsp-must-staple-connection: tests: added
	comprehensive OCSP test suite with MUST-staple PKIX extension

	This includes the tests:
	 - Server with valid certificate - no staple
	 - Server with valid certificate - valid staple
	 - Server with valid certificate - invalid staple
	 - Server with valid certificate - unrelated cert staple
	 - Server with valid certificate - expired staple
	 - Server with valid certificate - old staple

2016-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/utils.c, tests/utils.h: tests: utils: added c_print()

2016-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/status_request.c,
	tests/cert-tests/template-tlsfeature.csr: ext: status_request: added
	more descriptive name

2016-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509.c: ocsp: fail certificate verification on expired or too
	old revocation data info

2016-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/cert.c, lib/includes/gnutls/gnutls.h.in, lib/x509.c: ocsp:
	Introduced GNUTLS_CERT_INVALID_OCSP_STATUS This verification status flag indicates an OCSP status response
	being stapled but it being invalid for some reason (e.g., unable to
	parse or doesn't contain the expected certificate).

2016-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-bib.texi, doc/cha-cert-auth2.texi, doc/cha-intro-tls.texi: 
	doc: improved OCSP description and mention RFC7633

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/urls.c: tests: added basic check for
	gnutls_url_is_supported

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/gnutls.h.in, lib/urls.c: 
	gnutls_url_is_supported: type changed to unsigned In addition function documentation was updated.

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs12_bag.c, lib/x509/x509_ext.c: doc update

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/abstract_int.h, lib/pubkey.c: pubkey_to_bits: return type was
	changed to unsigned This function did not return signed data, so the "int" return type
	was confusing.

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-selftests.c: crypto-selftests: removed unneeded cast

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/ciphers.c, lib/crypto-api.c,
	lib/includes/gnutls/crypto.h, lib/includes/gnutls/pkcs12.h,
	lib/includes/gnutls/pkcs7.h, lib/includes/gnutls/x509.h,
	lib/x509/crl.c, lib/x509/crq.c, lib/x509/dn.c, lib/x509/pkcs12.c,
	lib/x509/pkcs12_bag.c, lib/x509/pkcs7.c, lib/x509/verify-high.c,
	lib/x509/verify.c, lib/x509/x509.c, lib/x509/x509_int.h: several
	sign-related API changes

	This replaces the usage of "int" in functions which could only have
	accepted an "unsigned" value. Also functions which return unsigned
	values are explicitly tagged as such. The ABI remains the same with
	these changes.

	This allows easier catching of sign/unsigned related errors from the
	calling applications.

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/sign.c: x509: simplified _gnutls_x509_get_tbs()

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/common.c, lib/x509/common.h, lib/x509/verify.c: x509:
	replace the bool type with the unsigned type This allows to rely on gcc warnings for improper checks and
	conversions. Unfortunately gcc does warn on invalid checks for the
	bool type (e.g., b<0).

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure: enable the type-limits gcc warnings In addition remove the unsafe-loop-optimizations warning as they
	were not helpful.

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def: certtool: doc update

2016-05-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* devel/DCO/people-dco.txt: DCO: added Tim Kosse [ci skip]

2016-05-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/socket.c: tools: modify canonicalize_host to not depend on
	in6_addr

2016-05-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/tlsfeature-ext.c: tests: added unit tests
	for gnutls_x509_tlsfeatures_t handling funcs This includes DER import/export as well as feature appending.

2016-05-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/tlsfeature-test: tests: tlsfeature-test will
	ignore the 'Algorithm Security Level' line in comparisons That is to allow depending on the certificate output validation
	without relying on "moving" parameters such as the Algorithm
	Security Level.

2016-05-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/template-tlsfeature-crq.tmpl,
	tests/cert-tests/tlsfeature-test: tests: verify whether the
	TLSFeatures extension is copied Verify whether the TLSFeatures extension is copied from the
	certificate request to the generated certificate.

2016-05-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, lib/x509/crq.c, lib/x509/x509.c, lib/x509/x509_ext.c,
	lib/x509/x509_write.c: doc: updated since version of tlsfeature
	functionality and documented new functions

2016-01-15  Tim Kosse <tim.kosse@filezilla-project.org>

	* tests/Makefile.am, tests/status-request-missing.c: tests: add
	testcase to check for missing status request That is verify whether the OCSP MUST-staple extension, as can be
	deduced from RFC7633, is accounted during handshake.

2016-01-15  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/extensions.c, lib/handshake.c, lib/state.c: Reset
	extensions_sent_size only at start of handshake

	That is, do not reset it when completing it so that we can use the
	negotiated extensions even after the handshake is complete.

	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2015-12-20  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/cert.c, lib/extensions.c, lib/extensions.h,
	lib/includes/gnutls/gnutls.h.in, lib/x509.c: Account the TLSFeature
	certificate extension in certificate verification That is, account for the OCSP-Must staple extension. If we have sent
	an OCSP status request and have not gotten anything, but the
	certificate has the Status Request TLSFeature extension present,
	fail to verify the certificate.

2016-05-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c, src/cli.c, src/socket.c, src/socket.h: tools:
	allow specifying a hostname with a port attached That is: gnutls-cli www.example.com:443 is equivalent to gnutls-cli
	www.example.com -p 443

2016-05-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/template-tlsfeature.csr,
	tests/cert-tests/template-tlsfeature.pem,
	tests/cert-tests/template-tlsfeature.tmpl,
	tests/cert-tests/tlsfeature-test: tests: check the generation and
	printing of TLS feature PKIX extension

2016-05-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def: doc: document tls_feature option in the
	sample template

2016-05-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/cert_type.c, lib/ext/dumbfw.c, lib/ext/ecc.c,
	lib/ext/etm.c, lib/ext/ext_master_secret.c, lib/ext/heartbeat.c,
	lib/ext/max_record.c, lib/ext/safe_renegotiation.c,
	lib/ext/server_name.c, lib/ext/session_ticket.c,
	lib/ext/signature.c, lib/ext/status_request.c: TLS extensions: use
	more human-friendly names This is required to provide better output to gnutls_ext_get_name()

2016-05-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/extensions.c, lib/extensions.h,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map,
	lib/x509/output.c: exported function to convert TLS extension
	numbers to strings The exported function is gnutls_ext_get_name()

2016-05-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/extensions.c, lib/extensions.h, lib/x509/output.c: 
	x509/output: print the extension name of TLSFeatures

2016-01-07  Tim Kosse <tim.kosse@filezilla-project.org>

	* doc/certtool.cfg, src/certtool-cfg.c, src/certtool-cfg.h,
	src/certtool.c: Implement setting the TLS features extension on
	certificates via certtool's template file.

2016-05-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/libgnutls.map: libgnutls.map: exported the tlsfeatures-related
	functions

2016-01-15  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/includes/gnutls/x509.h, lib/x509/crq.c: Add functions to
	get/set the tlsfeatures to certificate requests.

2016-05-30  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/includes/gnutls/x509.h, lib/x509/x509.c,
	lib/x509/x509_write.c: Added gnutls_x509_crt_set_tlsfeatures

	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2016-05-30  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/includes/gnutls/x509-ext.h, lib/x509/x509_ext.c: Added
	functions to add features and convert tlsfeatures back to DER

	That adds:
	  gnutls_x509_ext_export_tlsfeatures
	  gnutls_x509_tlsfeatures_add

	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2016-01-15  Tim Kosse <tim.kosse@filezilla-project.org>

	* tests/sign-md5-rep.c, tests/status-request-ok.c,
	tests/status-request.c: Move call to terminate() until after
	printing the error message.

2016-01-15  Tim Kosse <tim.kosse@filezilla-project.org>

	* tests/status-request-ok.c, tests/status-request.c: Fix the
	description of two testcases.

2016-05-30  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/includes/gnutls/x509-ext.h, lib/includes/gnutls/x509.h,
	lib/pkix.asn, lib/pkix_asn1_tab.c, lib/x509/output.c,
	lib/x509/x509.c, lib/x509/x509_ext.c, lib/x509/x509_int.h: Added
	functions to parse the TLSFeatures X.509 extension.

	In addition provide function to enumerate the features it lists, and
	output information with the output functions.

	This adds:
	  gnutls_x509_tlsfeatures_init
	  gnutls_x509_tlsfeatures_deinit
	  gnutls_x509_tlsfeatures_get
	  gnutls_x509_ext_import_tlsfeatures
	  gnutls_x509_crt_get_tlsfeatures

	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2016-05-29  Andreas Metzler <ametzler@bebt.de>

	* src/certtool-args.def: Typo fix: auxilary -> auxiliary [ci skip]

2016-05-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-dtls0-9.c: tests: added DTLS 0.9 check with AES-128-GCM

2016-05-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* gl/secure_getenv.c: gl: secure_getenv() will behave as getenv on
	windows

2016-05-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/windows/crypt32.c: tests: corrected definition of
	CryptSignHash in mock crypt32

2016-05-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* gl/Makefile.am, gl/alloca.in.h, gl/asnprintf.c, gl/asprintf.c,
	gl/byteswap.in.h, gl/c-ctype.c, gl/c-ctype.h, gl/errno.in.h,
	gl/float+.h, gl/float.c, gl/float.in.h, gl/fstat.c, gl/ftell.c,
	gl/ftello.c, gl/getdelim.c, gl/getline.c, gl/gettext.h,
	gl/gettimeofday.c, gl/hash-pjw-bare.c, gl/hash-pjw-bare.h,
	gl/intprops.h, gl/itold.c, gl/lseek.c, gl/m4/00gnulib.m4,
	gl/m4/absolute-header.m4, gl/m4/alloca.m4, gl/m4/byteswap.m4,
	gl/m4/ctype.m4, gl/m4/errno_h.m4, gl/m4/exponentd.m4,
	gl/m4/extensions.m4, gl/m4/extern-inline.m4, gl/m4/fcntl-o.m4,
	gl/m4/fcntl_h.m4, gl/m4/fdopen.m4, gl/m4/float_h.m4,
	gl/m4/fpieee.m4, gl/m4/fseeko.m4, gl/m4/fstat.m4, gl/m4/ftell.m4,
	gl/m4/ftello.m4, gl/m4/func.m4, gl/m4/getdelim.m4,
	gl/m4/getline.m4, gl/m4/getpagesize.m4, gl/m4/gettimeofday.m4,
	gl/m4/gnulib-cache.m4, gl/m4/gnulib-common.m4,
	gl/m4/gnulib-comp.m4, gl/m4/gnulib-tool.m4, gl/m4/include_next.m4,
	gl/m4/intmax_t.m4, gl/m4/inttypes-pri.m4, gl/m4/inttypes.m4,
	gl/m4/inttypes_h.m4, gl/m4/largefile.m4, gl/m4/ld-output-def.m4,
	gl/m4/ld-version-script.m4, gl/m4/lib-ld.m4, gl/m4/lib-link.m4,
	gl/m4/lib-prefix.m4, gl/m4/longlong.m4, gl/m4/lseek.m4,
	gl/m4/malloc.m4, gl/m4/manywarnings.m4, gl/m4/math_h.m4,
	gl/m4/memchr.m4, gl/m4/memmem.m4, gl/m4/minmax.m4,
	gl/m4/mmap-anon.m4, gl/m4/msvc-inval.m4, gl/m4/msvc-nothrow.m4,
	gl/m4/multiarch.m4, gl/m4/netdb_h.m4, gl/m4/netinet_in_h.m4,
	gl/m4/off_t.m4, gl/m4/printf.m4, gl/m4/read-file.m4,
	gl/m4/realloc.m4, gl/m4/secure_getenv.m4, gl/m4/size_max.m4,
	gl/m4/snprintf.m4, gl/m4/socklen.m4, gl/m4/sockpfaf.m4,
	gl/m4/ssize_t.m4, gl/m4/stdalign.m4, gl/m4/stdbool.m4,
	gl/m4/stddef_h.m4, gl/m4/stdint.m4, gl/m4/stdint_h.m4,
	gl/m4/stdio_h.m4, gl/m4/stdlib_h.m4, gl/m4/strcase.m4,
	gl/m4/string_h.m4, gl/m4/strings_h.m4, gl/m4/strndup.m4,
	gl/m4/strnlen.m4, gl/m4/strtok_r.m4, gl/m4/strverscmp.m4,
	gl/m4/sys_socket_h.m4, gl/m4/sys_stat_h.m4, gl/m4/sys_time_h.m4,
	gl/m4/sys_types_h.m4, gl/m4/sys_uio_h.m4, gl/m4/time_h.m4,
	gl/m4/time_r.m4, gl/m4/ungetc.m4, gl/m4/unistd_h.m4,
	gl/m4/valgrind-tests.m4, gl/m4/vasnprintf.m4, gl/m4/vasprintf.m4,
	gl/m4/vsnprintf.m4, gl/m4/warn-on-use.m4, gl/m4/warnings.m4,
	gl/m4/wchar_h.m4, gl/m4/wchar_t.m4, gl/m4/wint_t.m4,
	gl/m4/xsize.m4, gl/malloc.c, gl/memchr.c, gl/memmem.c, gl/minmax.h,
	gl/msvc-inval.c, gl/msvc-inval.h, gl/msvc-nothrow.c,
	gl/msvc-nothrow.h, gl/netdb.in.h, gl/netinet_in.in.h,
	gl/printf-args.c, gl/printf-args.h, gl/printf-parse.c,
	gl/printf-parse.h, gl/read-file.c, gl/read-file.h, gl/realloc.c,
	gl/secure_getenv.c, gl/size_max.h, gl/snprintf.c, gl/stdalign.in.h,
	gl/stdbool.in.h, gl/stddef.in.h, gl/stdint.in.h, gl/stdio-impl.h,
	gl/stdio.in.h, gl/stdlib.in.h, gl/str-two-way.h, gl/strcasecmp.c,
	gl/string.in.h, gl/strings.in.h, gl/strncasecmp.c, gl/strndup.c,
	gl/strnlen.c, gl/strtok_r.c, gl/strverscmp.c, gl/sys_socket.c,
	gl/sys_socket.in.h, gl/sys_stat.in.h, gl/sys_time.in.h,
	gl/sys_types.in.h, gl/sys_uio.in.h, gl/tests/Makefile.am,
	gl/tests/binary-io.c, gl/tests/binary-io.h, gl/tests/ctype.in.h,
	gl/tests/fcntl.in.h, gl/tests/fdopen.c, gl/tests/fpucw.h,
	gl/tests/getpagesize.c, gl/tests/init.sh, gl/tests/inttypes.in.h,
	gl/tests/macros.h, gl/tests/signature.h,
	gl/tests/test-alloca-opt.c, gl/tests/test-binary-io.c,
	gl/tests/test-byteswap.c, gl/tests/test-c-ctype.c,
	gl/tests/test-ctype.c, gl/tests/test-errno.c,
	gl/tests/test-fcntl-h.c, gl/tests/test-fdopen.c,
	gl/tests/test-fgetc.c, gl/tests/test-float.c,
	gl/tests/test-fputc.c, gl/tests/test-fread.c,
	gl/tests/test-fstat.c, gl/tests/test-ftell.c,
	gl/tests/test-ftell3.c, gl/tests/test-ftello.c,
	gl/tests/test-ftello3.c, gl/tests/test-ftello4.c,
	gl/tests/test-func.c, gl/tests/test-fwrite.c,
	gl/tests/test-getdelim.c, gl/tests/test-getline.c,
	gl/tests/test-gettimeofday.c, gl/tests/test-iconv.c,
	gl/tests/test-init.sh, gl/tests/test-intprops.c,
	gl/tests/test-inttypes.c, gl/tests/test-memchr.c,
	gl/tests/test-netdb.c, gl/tests/test-netinet_in.c,
	gl/tests/test-read-file.c, gl/tests/test-snprintf.c,
	gl/tests/test-stdalign.c, gl/tests/test-stdbool.c,
	gl/tests/test-stddef.c, gl/tests/test-stdint.c,
	gl/tests/test-stdio.c, gl/tests/test-stdlib.c,
	gl/tests/test-string.c, gl/tests/test-strings.c,
	gl/tests/test-strnlen.c, gl/tests/test-strverscmp.c,
	gl/tests/test-sys_socket.c, gl/tests/test-sys_stat.c,
	gl/tests/test-sys_time.c, gl/tests/test-sys_types.c,
	gl/tests/test-sys_uio.c, gl/tests/test-sys_wait.h,
	gl/tests/test-time.c, gl/tests/test-unistd.c,
	gl/tests/test-vasnprintf.c, gl/tests/test-vasprintf.c,
	gl/tests/test-vc-list-files-cvs.sh,
	gl/tests/test-vc-list-files-git.sh, gl/tests/test-verify.c,
	gl/tests/test-vsnprintf.c, gl/tests/test-wchar.c,
	gl/tests/zerosize-ptr.h, gl/time.in.h, gl/time_r.c, gl/unistd.c,
	gl/unistd.in.h, gl/vasnprintf.c, gl/vasnprintf.h, gl/vasprintf.c,
	gl/verify.h, gl/vsnprintf.c, gl/wchar.in.h, gl/xsize.h, lib/mem.h: 
	Rely on gnulib's secure_getenv()

2016-05-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/x86-common.c: x86-common: use secure_getenv()

2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure.ac: check for secure_getenv where
	available and always enable system extensions

2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/keylog-env.c: tests: keylog-env will check for SSLKEYLOGFILE
	as well

2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/fips.c, lib/global.c, lib/mem.h, lib/priority.c, lib/system.c: 
	env: use secure_getenv when reading environment variables

2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi, lib/global.c, lib/global.h, lib/kx.c: 
	Append keys on keylogfile Also consider the SSLKEYLOGFILE variable, since the format is
	identical and we are always appending keys.

2016-05-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/ssl2-hello.c: tests: ssl2-hello check is made conditional It is only run if ENABLE_SSL2 is defined.

2016-05-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: .gitignore: more files to ignore

2016-05-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/ssl2-hello.c: tests: added SSL2.0 client
	hello parsing check

2016-05-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-common.h: tests: added small text clarifying the
	purpose of the cert-common.h header

2016-05-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testcompat-openssl.sh,
	tests/suite/testcompat-polarssl.sh: tests: add an upper limit in the
	run of compat tests This allows the test suite to recover from the case of DTLS
	implementations that do not properly retransmit and block on lost
	packets.

2016-05-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-tokens.texi: doc: advise against using the TPM-specific
	API

	It is restricted to TPM 1.2, and there are fine PKCS#11 wrappers
	that will provide identical functionality.

	Relates #101

2016-05-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: corrected typo preventing the
	no-SSL 3.0 test part to be properly run Also test the --disable-ssl2-support option.

2016-05-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/kx.c: Amend the "Allow for conditional compilation of SSL 3.0
	protocol patch"

	That is fix bug introduced by an incorrect #ifdef, and
	unconditionally provide access to certificate callbacks.

	This amends 89faab9e9e9123f39e8c0c6f8da1f67de423254a

2016-05-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-bib.texi, doc/cha-gtls-app.texi, doc/latex/gnutls.bib: 
	doc: updated text on priority strings Refer to RFC7685 for the TLS padding extension (%DUMBFW), and
	mention the default behavior for the TLS client hello record
	version.

2016-05-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: added sanity check to find_obj_url_cb() for
	object validity Also avoid unnecessary recursion.

2016-05-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl: tests: run compatibility
	checks in parallel for various modifiers That is, the various %NO_ETM, %COMPAT, ... modifiers are checked in
	parallel in the testcompat suite, reducing the overall running time
	significantly.

2016-05-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/version-checks.c: tests: enhance TLS version checks with
	DTLS That is we check whether DTLS-1.0 and DTLS-1.2 can be negotiated
	using the NORMAL priority string. We also add a custom check for
	DTLS-0.9 as this is not fully supported for negotiation.

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/danetool.sh, tests/scripts/common.sh,
	tests/suite/eagain.sh, tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl, tests/suite/testdane.sh,
	tests/suite/testpkcs11.sh, tests/suite/testrng.sh,
	tests/suite/testsrn.sh: tests: use /bin/bash in tests which require
	common.sh

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: minimal build disables SSL2 client
	hello

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, lib/buffers.c, lib/debug.c, lib/handshake.c,
	lib/record.c, lib/sslv2_compat.c, m4/hooks.m4: Allow for conditional
	compilation of SSL 2.0 client hello support

	This allows to completely remove SSL 2.0 support by calling
	configure with the '--disable-ssl2-support' option.

	Relates #97

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/cipher.c, lib/cipher_int.c, lib/cipher_int.h, lib/constate.c,
	lib/kx.c, lib/range.c: Amend: Allow for conditional compilation of
	SSL 3.0 protocol This patch makes conditional several more SSL 3.0-only parts of
	codebase.

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* CONTRIBUTING.md: CONTRIBUTING.md: link to milestones instead of
	all issues

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-x509-cas.c: tests: mini-x509-cas: use cert-common.h

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* CONTRIBUTING.md: CONTRIBUTING.md: doc update

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: do not use pkglib to generate
	libpkcs11mock1.so

	This resulted in the test library being installed. Instead we use
	noinst for the library, but pass -rpath to LDFLAGS as a hack for
	libtool to generate the shared version.

2016-05-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure.ac: increased stack size usage to reduce
	warnings

	Also remove gcc flags from the banned list that no longer pose an
	issue.

2016-05-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/announce.txt: announce.txt:  updated list email address

2016-05-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/priority.c: priority: CCM ciphersuites were promoted over the
	CBC ones

	Also make explicit the prioritization rules for the default set of
	ciphers.

2016-05-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c, src/socket.c, src/socket.h: gnutls-cli: allow operation
	with stdin input

	That is once commands from stdin are given, they are not only sent
	to server, but we also wait for a response prior to exiting.

	Resolves #96

2016-05-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: doc update

2016-05-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/ocsp-tests/ocsp-tls-connection: tests: ocsp-tls-connection:
	use /bin/bash since we rely on the $RANDOM variable

2016-05-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/keylog-env.c: tests: use _putenv() for setting environment
	on windows

2016-05-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/keylog-env.c: tests: added check to
	verify that keylog file is being written

2016-05-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, doc/cha-gtls-app.texi: doc: documented the GNUTLS_KEYLOGFILE
	environment variable

2016-05-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/kx.c: Write session keys into a file when GNUTLS_KEYLOGFILE is
	exported That is the file pointed from the variable is written to, and
	contains the session parameters in the following format (identical to
	NSS key log format):

	CLIENT_RANDOM <space> <64 bytes of hex encoded client_random>
	<space> <96 bytes of hex encoded master secret>

	and for the old RSA ciphersuites also in the format:

	RSA <space> <16 bytes of hex encoded encrypted pre master secret>
	<space> <96 bytes of hex encoded master secret>

	Resolves #64

2016-05-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/systemkey-args.def, src/systemkey.c: systemkey: corrected help
	output

2016-05-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-tokens.texi: doc: document the systems supported via
	systemkeys API

2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/cert.c, lib/x509/verify-high.c: doc update [ci skip]

2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c: gnutls-cli: corrected check for OCSP verification
	success

2016-04-29  Thomas Klute <thomas2.klute@uni-dortmund.de>

	* tests/ocsp-tests/Makefile.am, tests/ocsp-tests/{ =>
	certs}/ca.key, tests/ocsp-tests/{ => certs}/ca.pem,
	tests/ocsp-tests/{ => certs}/ocsp-server.key, tests/ocsp-tests/{ =>
	certs}/ocsp-server.pem, tests/ocsp-tests/certs/ocsp_index.txt,
	tests/ocsp-tests/certs/ocsp_index.txt.attr,
	tests/ocsp-tests/certs/server_bad.key,
	tests/ocsp-tests/certs/server_bad.template,
	tests/ocsp-tests/certs/server_good.key,
	tests/ocsp-tests/certs/server_good.template,
	tests/ocsp-tests/ocsp-test, tests/ocsp-tests/ocsp-tls-connection: 
	Test case for gnutls-cli --ocsp This new test case checks if gnutls-cli accepts OCSP responses for a
	valid and a revoked server certificate when establishing TLS
	connections. Uses the OpenSSL OCSP responder.  Signed-off-by: Thomas Klute <thomas2.klute@uni-dortmund.de>
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* INSTALL.md: INSTALL.md: no longer reference libgcrypt

2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README-install.md => INSTALL.md, Makefile.am, README-alpha.md =>
	README.md: doc: updated README files This makes the names a bit more reasonable, drops the very generic
	INSTALL file, and also allows the github repository to print the
	correct README file.  README -> INSTALL.md README-alpha.md -> README.md

2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/{mini-x509-cert-callback-legacy.c =>
	x509-cert-callback-legacy.c}, tests/{mini-x509-cert-callback.c =>
	x509-cert-callback.c}: tests: renamed cert-callback checks for
	simplicity

2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-x509-cert-callback-legacy.c: tests:
	added check with the legacy cert verification callback

2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/cert.c: doc update

2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-x509-cert-callback.c: tests: cert-callbacks check now
	checks the server-side callback operation as well

2016-05-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dtls/dtls-stress.c: tests: dtls-stress: fix debug argument
	accounting It was not being considered when it was not the last argument.

2016-05-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dtls/Makefile.am: tests: re-disabled dtls-nb check; it had
	random failures This was disabled for quite a long time already, and needs to be
	investigated.

2016-05-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dtls/Makefile.am, tests/dtls/dtls-resume,
	tests/dtls/dtls-stress.c: tests: added DTLS test suite when in
	session resumption While there is already a test suite for DTLS lost packets/rearranges
	it does not cover the session resumption flights. This patch
	enhances the test suite with these checks.

2016-05-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/dtls/dtls-stress.c: dtls-stress: added session resumption
	option This allows to perform tests on DTLS resumed sessions for
	retransmissions due to lost packets.

2016-05-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/dtls/dtls: tests: dtls: removed excessive debugging output
	from test

2016-05-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/dtls/dtls-stress.c: tests: dtls-stress: corrected parsing of
	-d option

2016-05-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/record.c: record.c: removed superfluous debugging

2016-05-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/errors.h: gnutls_assert_val: corrected regression from
	78ee98e06c7862df38131b12083adc1a0c5eea4a

2016-05-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/errors.h: gnutls_assert_val: was modified to be in line with
	gnutls_assert()

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: added new build target without SSL
	3.0 Also disable SSL3.0 in the minimal library compilation.

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitignore: .gitignore: more files to ignore

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/common-cert-key-exchange.c,
	tests/common-cert-key-exchange.h,
	tests/dtls1.0-cert-key-exchange.c,
	tests/dtls1.2-cert-key-exchange.c: tests: added key exchange checks
	for all DTLS protocols

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: doc: prefer the usage of VERS-ALL in
	documentation

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/ext_master_secret.c: ext master secret: don't enable when
	SSL 3.0 is the only protocol That is on server side only. On client side this logic was already
	present.

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/common-cert-key-exchange.c,
	tests/common-cert-key-exchange.h, tests/ssl3.0-cert-key-exchange.c,
	tests/tls1.0-cert-key-exchange.c, tests/tls1.1-cert-key-exchange.c,
	tests/tls1.2-cert-key-exchange.c: tests: separated the key exchange
	checks That is introduce separate checks for each key exchange on every TLS
	version.

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/signature.c: doc: mention the TLS 1.2 restriction of sign
	algo functions

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, configure.ac, lib/algorithms/ciphersuites.c,
	lib/algorithms/protocols.c, lib/auth/rsa.c, lib/cipher_int.c,
	lib/cipher_int.h, lib/constate.c, lib/ext/ext_master_secret.c,
	lib/gnutls_int.h, lib/handshake.c, lib/hash_int.c, lib/hash_int.h,
	lib/kx.c, lib/tls-sig.c, m4/hooks.m4, tests/suite/Makefile.am,
	tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl, tests/version-checks.c: Allow
	for conditional compilation of SSL 3.0 protocol This allows to completely remove SSL 3.0 support by calling
	configure with the '--disable-ssl3' option.  Resolves #93

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* Makefile.am, NEWS, configure.ac, doc/Makefile.am: Makefile.am:
	include renamed files into distribution

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README-alpha.md: README-alpha.md: refer to CONTRIBUTING.md [ci
	skip]

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* LICENSE: LICENSE: mention that documentation is under GNU FDL

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* LICENSE, COPYING => doc/COPYING, COPYING.LESSER =>
	doc/COPYING.LESSER: Leave only LICENSE in the root directory and
	move licenses to doc/

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* LICENSE, README-install.md: Added a LICENSE file [ci skip]

2016-05-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* CONTRIBUTING.md, doc/README.CODING_STYLE: Moved coding style and
	contribution guide to CONTRIBUTION.md This aligns with gitlab's web interface.

2016-05-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/slow/cipher-test.c, tests/slow/hash-large.c: tests: include
	unistd.h in tests which call _exit()

2016-05-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dsa/testdsa, tests/openpgp-certs/testcerts,
	tests/scripts/common.sh, tests/suite/eagain.sh,
	tests/suite/mini-eagain2.c, tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl, tests/suite/testpkcs11.sh,
	tests/suite/testsrn.sh: tests: simplified server launching process Also attempt to use a new port on every started server and added a
	waiting period for the port to become re-usable.

2016-05-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/no-signal.c, tests/slow/cipher-test.c,
	tests/slow/hash-large.c: tests: avoid calling exit() from signal
	handlers

2016-05-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* gl/m4/memmem.m4: memmem.m4: don't call exit() from signal handler

2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-server-name.c: tests: enhance SNI checking with invalid
	UTF8 and embedded NULL case

2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/server_name.c, lib/libgnutls.map: Introduce
	_gnutls_server_name_set_raw This is an internal function intended for testing, which performs
	the same as gnutls_server_name_set() but without any UTF8
	conversions or other checks in the input. It is intended to be used
	with raw data.

2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.c: errors: include GNUTLS_E_IDNA_ERROR to the list

2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/server_name.c: server_name: only save the supported server
	names in the session Invalid server names with embedded nulls and unsupported types are
	not saved.

2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/server_name.c: gnutls_server_name_get: mention
	GNUTLS_E_IDNA_ERROR being returned

2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-crypto.texi: doc: clarify that 'hmac' in the name of
	functions is only for legacy reasons

2016-05-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testsrn.sh: tests: introduce delay between server
	restarts in testsrn.sh This is to reduce test suite random failures on CI.

2016-05-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/crl: tests: CRL test will separate stderr output
	from stdout This addresses CI failures due to "Merge mismatch for function"
	messages from gcov being inserted into stdout output and messing the
	base64 encoding.

2016-05-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/crl: Revert "tests: CRL test will not push stderr
	into output files" This reverts commit bf1ee75f78cd81ea8309bdfb50f63ed0ab61a23a.

2016-05-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-output.c: gnutls_pkcs7_print: avoid warning for
	signed/unsigned comparison by making everything signed

2016-05-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/crl: tests: CRL test will not push stderr into
	output files This addresses CI failures due to "Merge mismatch for function"
	messages from gcov being inserted into output and messing the base64
	encoding.

2016-05-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/session_pack.c: pack_srp_auth_info: corrected check for
	uninitialized username

2016-05-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/auth/cert.c: call_get_cert_callback: removed dead code

2016-05-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11.c: pkcs11: added error check in
	_gnutls_buffer_append_data()

2016-05-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pubkey.c: gnutls_pubkey_verify_data2: simplified return logic

2016-05-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/pkcs7-output.c: gnutls_pkcs7_print: corrected type of
	unsigned count variable

2016-05-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/krb5.c: _gnutls_krb5_der_to_principal: fixed invalid
	deinitialization on cleanup

2016-05-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/hash-large.c: tests: don't run hash-large on freebsd

2016-05-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/hash-large.c: tests: fix mmap usage of hash-large to
	correctly detect failures

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: doc: updated documentation for
	gnutls_x509_crt_get_*_dn

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: handle empty CNs on verification That is, handle GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if returned
	from gnutls_x509_crt_get_dn() on the end certificate.

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/crl.c, lib/x509/crq.c, lib/x509/dn.c, lib/x509/ocsp.c,
	lib/x509/x509.c, lib/x509/x509_int.h: Revert "x509: allow empty DNs
	on parsing for subject DNs" This reverts commit 1641ea943079765d601cf418dc2c89c1c93f0ecf.

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509.c: cert cred: add the CN to the list of known hostnames
	only if no dns_names That is, follow rfc6125 and support CN as a fallback only.

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/cert-common.h, tests/set_x509_key.c,
	tests/set_x509_key_file.c, tests/set_x509_key_file_der.c,
	tests/set_x509_key_mem.c, tests/set_x509_pkcs12_key.c,
	tests/utils-adv.c, tests/utils.h: tests: enhanced set_x509*_key to
	verify that connections succeed with creds That is the tests not only verify that credentials are set as
	expected but also whether sessions are established with the
	credentials provided.

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509.c: gnutls_certificate_set_key: import the DNS names of
	the certificates That is, only when no (NULL) names are provided.

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system.c: reset the global time func on init/deinit

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/cert.c: auth/cert: log the server name requested by
	client

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.h: improved output of gnutls_assert()

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/crl.c, lib/x509/crq.c, lib/x509/dn.c, lib/x509/ocsp.c,
	lib/x509/x509.c, lib/x509/x509_int.h: x509: allow empty DNs on
	parsing for subject DNs

2016-05-09  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/windows/cng-windows.c: build: tests/windows/cng-windows.c:
	fix implicit declaration of exit Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: enable openssl compat library in
	minimal build

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* extra/openssl_compat.c: openssl_compat: removed unneeded headers These headers have been renamed, but they were not necessary for
	this module's compilation. Report/Patch by Andreas Metzler.

2016-05-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: added build for windows DLLs This creates the windows DLLs on every tagged release.

2016-05-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-05-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* m4/hooks.m4: bumped soversion

2016-05-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files

2016-05-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509.c, lib/x509/verify-high.c, lib/x509/x509.c,
	lib/x509/x509_int.h: x509: use the modified flag in
	gnutls_x509_crt_t That will avoid re-encoding or decoding in common operations.

2016-05-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/extensions.c, lib/x509/x509_int.h, lib/x509/x509_write.c: 
	x509: added flag to indicate modification in gnutls_x509_crt_t

2016-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: gnutls_x509_crt_equals*: modified to allow
	operation with certificates that are not imported This allows it to operate with certificates that are generated from
	scratch.

2016-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/crt_apis.c: tests: added checks for
	certificate generation APIs

2016-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509_write.c: doc: fixed documentation of
	gnutls_x509_crt_set_subject_alternative_name The previous version could not be parsed by gdoc.

2016-05-06  Hubert Kario <hkario@redhat.com>

	* src/serv-args.def, src/serv.c: gnutls-serv: sending alerts on
	mismatched SNI names Extend serv utility to be able to send alerts when the name
	advertised by client does not match the name expected by server.

2016-05-06  Hubert Kario <hkario@redhat.com>

	* lib/alert.c, lib/errors.c, lib/includes/gnutls/gnutls.h.in: Add
	support for sending unrecognized name alerts To better test support for server_name extension in TLS, it's
	necessary to be able to differentiate between name being rejected
	because it is unknown to the server and it being malformed.

2016-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/TODO: doc: TODO list references to gitlab

2016-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/accelerated/x86/x86-common.c, lib/gnutls_int.h,
	lib/priority.c: priorities: when without AES acceleration prefer
	stream ciphers (i.e., CHACHA20)

2016-05-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: doc: updated documentation on rehandshake
	and GNUTLS_ALLOW_ID_CHANGE [ci skip]

2016-05-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/set_x509_key_file_der.c: tests: use the 'b' modifier for
	writing binary data in set_x509_key_file_der This allows the test to operate properly on windows systems.

2016-05-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/set_x509_key_file.c,
	tests/set_x509_key_file_der.c, tests/set_x509_pkcs12_key.c,
	tests/utils.c, tests/utils.h: tests: avoid the usage of tmpnam() Use a simpler version which is confined within the testsuite build
	directories.

2016-05-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/set_x509_key_file_der.c, tests/set_x509_pkcs12_key.c: tests:
	disable checks with tmpnam() on windows

2016-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-x509.c: tests: fixed 64-bit check for time_t in
	mini-x509

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/cert-common.h,
	tests/set_x509_pkcs12_key.c: tests: added check for
	gnutls_certificate_set_x509_simple_pkcs12_file

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: .gitignore: more files to ignore

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/set_x509_key_file_der.c: tests: added
	check of gnutls_certificate_set_x509_key_file2 with DER input

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/set_x509_key_file.c: tests: enhanced set_x509_key_file check That now verifies that the input is the same as the data stored in
	the credentials as well as checks for valid operation.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-x509.c: tests: mini-x509: include the legacy
	verification functions into the check

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/set_x509_key.c: tests: added check for
	gnutls_certificate_set_key()

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509.c: gnutls_certificate_set_key: duplicate the provided
	memory That is, do not assume that a heap allocated value is provided.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: enabled coverage run in the x86
	build

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dsa/testdsa: tests: do not block server errors in testdsa
	from being printed out Also added a delay prior to launching next server instance.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: .gitignore: more test files to ignore

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11x.c: pkcs11: find_ext_cb: eliminated memory leak

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: find_cert_cb: do not use C_FindObjectsInit()
	when another is already running While some modules implicitly terminated the previous run, this is
	not something that PKCS#11 modules are expected to typically do.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: the flag
	GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be respected by
	imported certificates That is, certificates imported with gnutls_pkcs11_obj_import_url()
	or gnutls_x509_crt_import_url() will be able to be extracted with
	their extensions overridden. Previously that was available only on
	gnutls_pkcs11_get_raw_issuer() and friends.

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs11/pkcs11-cert-import-url-exts.c,
	tests/pkcs11/pkcs11-get-exts.c,
	tests/pkcs11/pkcs11-get-raw-issuer-exts.c,
	tests/pkcs11/pkcs11-mock.c, tests/pkcs11/pkcs11-mock.h: tests: added
	a basic PKCS#11 mock module This is used to test gnutls_pkcs11_obj_get_exts(),
	gnutls_x509_crt_import_url(), and gnutls_pkcs11_get_raw_issuer()
	with the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag.

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509.c, lib/x509/verify-high.c, lib/x509/x509.c,
	lib/x509/x509_int.h: _gnutls_x509_crt_cpy: optimized and simplified

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/pkcs11.c,
	lib/x509/common.h, lib/x509/ocsp.c, lib/x509/verify-high.c,
	lib/x509/verify.c, lib/x509/x509.c: exported
	gnutls_x509_crt_equals() and gnutls_x509_crt_equals2() These functions provide a way to compare parsed certificates. They
	were used internally and they are quite useful to be made available.

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11x.c: gnutls_pkcs11_obj_get_exts: updated documentation

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: gnutls_x509_crt_import_url: updated documentation
	for new function name

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: gnutls_pkcs11_add_provider: clarified params
	description

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs1-digest-info.c: tests: added checks
	on PKCS#1 digest info encoding/decoding

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pk.c: gnutls_decode_ber_digest_info: return more precise error
	code on unknown hash That is instead of returning GNUTLS_E_UNKNOWN_ALGORITHM on unknown
	hash, return GNUTLS_E_UNKNOWN_HASH_ALGORITHM.

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.h: errors.h: removed terminating colon on
	gnutls_assert() output

2016-05-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-tokens.texi, lib/pkcs11.c: doc: updated PKCS #11
	documentation

2016-04-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/cert.c: gnutls_certificate_get_crt_raw: doc update

2016-04-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-04-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509_b64.c: doc: mention the version after which
	gnutls_pem_base64_en/decode2() are available

2016-04-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/crl: tests: use one-time files in crl

2016-04-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/scripts/common.sh: tests: check whether the randomly
	generated port is used

2016-04-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: enabled the code coverage checks
	in the valgrind and ubsan targets

2016-04-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/key-import-export.c: tests: enhanced the key-import-export
	tests This check now includes the abstract privkey import/export
	interfaces.

2016-04-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/privkey_raw.c: corrected import issue in
	gnutls_privkey_import_ecc_raw

2016-04-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/privkey.c: x509/privkey: in raw import functions set the
	parameter's algorithm type

2016-04-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/auth/srp_sb64.c: srp base64: return proper gnutls errors codes
	on error rather than -1

2016-04-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/base64.c, tests/srpbase64.c: tests: added
	checks for base64 functions

2016-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml, Makefile.am: .gitlab-ci.yml: added code coverage
	run This enhances a test to print the code coverage of the test suite,
	which in turn is being used/reported by gitlab CI interface.

2016-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* m4/ax_code_coverage.m4: ax_code_coverage.m4: updated to latest
	version

2016-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/minitasn1/coding.c, lib/minitasn1/decoding.c,
	lib/minitasn1/element.c: libtasn1: updated to latest version

2016-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.h: errors.h: gnutls_assert() will log the function name
	in addition to filename/line This is quite necessary after the filenames were simplified and we
	have filenames with identical names in the directory structure.

2016-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/rehandshake-switch-srp-id.c: tests: added
	check for SRP ID change during rehandshake The tests make sure that username changes are allowed if the flag
	GNUTLS_ALLOW_ID_CHANGE is specified, and prohibited otherwise.

2016-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/rehandshake-switch-psk-id.c: tests: added
	check for PSK ID change during rehandshake The tests make sure that username changes are allowed if the flag
	GNUTLS_ALLOW_ID_CHANGE is specified, and prohibited otherwise.

2016-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, lib/Makefile.am, lib/alert.c, lib/errors.c,
	lib/gnutls_int.h, lib/handshake-checks.c, lib/handshake.c,
	lib/handshake.h, lib/includes/gnutls/gnutls.h.in,
	tests/rehandshake-switch-cert-allow.c,
	tests/rehandshake-switch-cert-client-allow.c,
	tests/rehandshake-switch-cert-client.c,
	tests/rehandshake-switch-cert.c: handshake: enhance same certificate
	checks to apply to PSK/SRP username That is, unless GNUTLS_ALLOW_ID_CHANGE is specified, during a
	rehandshake clients will not be allowed to present another
	certificate than the original, or change their username for PSK or
	SRP ciphersuites.

2016-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/priorities.c: tests: added 'PFS' and 'SUITEB128' into the
	list of checked priority strings

2016-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/utils.c, tests/utils.h: tests: fail() function will also
	print function and line information

2016-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/str.c: _gnutls_hex2bin: refuse to decode odd-sized hex data

2016-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/hex.c: tests: added unit tests on the HEX
	encoding/decoding functions

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-common.c, src/certtool-common.h, src/certtool.c: 
	certtool: eliminated memory leaks in DH parameter
	printing/generation.

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-common.c, src/certtool-common.h, src/certtool.c: 
	certtool: combined all the seed decoding methods to a single one That not only simplifies the code, but also allows decoding hex
	strings which contain non-hex chars (and that allows decoding hex of
	the form XX:XX:XX)

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/provable-privkey: Revert "tests: ensure the seed
	is provided in plain hex" This reverts commit 0ea7206e12f52f6ed50c4a76ea0a23f5470115b2.

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/provable-dh: tests:
	check certtool dh-parameter generation with --provable option

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/provable-privkey: tests: ensure the seed is
	provided in plain hex

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-common.c, src/certtool-common.h, src/certtool.c: 
	certtool: allow specifying seed size when generating provable DH
	parameters

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/custom-urls.c: tests: simplified custom-urls check

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/custom-urls-override.c: tests: added
	check on whether builtin URLs cannot be overridden

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/privkey.c, lib/pubkey.c, lib/urls.c, lib/x509/x509.c: keys:
	custom URLs take precedence over pre-defined URLs This allows applications to define their own 'system:' or 'pkcs11:'
	URLs.  Resolves #89

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/pk.c: x25519: ensure that a valid private key is
	present on key derivation

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/send-client-cert.c: tests: added check for
	GNUTLS_FORCE_CLIENT_CERT init flag

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/cert.c, lib/dtls.c, lib/dtls.h,
	lib/ext/ext_master_secret.c, lib/gnutls_int.h, lib/handshake.c,
	lib/record.c, lib/state.c: instead of assigning a variable per flag
	use the init flags directly That is store the flags provided in gnutls_init() in the session
	structure and use these flags directly when required.

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/cert.c, lib/gnutls_int.h,
	lib/includes/gnutls/gnutls.h.in, lib/state.c: added flag in session
	to force sending a client certificate This handles the use case of a client connecting to a server which
	incorrectly lists the CA certificates it supports. Without that
	change the only option was to avoid using the "automatic" client
	certificate functions, but rather utilize callbacks.  With that
	approach this use case is handled by the "automatic" certificate
	selection functions.

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: do not load submodules on CI since
	they are not used This reduces the CI running time.

2016-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/cert-common.h, tests/send-client-cert.c: 
	tests: check client behavior of sending CA certificates

2016-04-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc: removed news about feature already backported in 3.4.6

2016-04-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/examples/ex-cert-select-pkcs11.c,
	doc/examples/ex-cert-select.c, doc/examples/ex-client-dtls.c,
	doc/examples/ex-client-psk.c, doc/examples/ex-serv-x509.c,
	doc/examples/ex-verify-ssh.c: examples: introduced basic error
	checking in more examples

2016-04-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/examples/ex-client-x509.c: examples: simplified the basic
	client example

2016-04-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/examples/ex-client-x509-3.1.c, doc/examples/ex-client-x509.c: 
	examples: introduced basic error checking in main client examples

2016-04-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/examples/ex-client-x509.c: examples: corrected the required
	version of example

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dane.c: tests: enhanced dane testing with offline
	verification checks

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* libdane/dane.c: dane: verification will not fail if a CA entry is
	encountered but cannot be verified
	That addresses the issue of verifying a single certificate against a
	list of TLSA entries that contain an entry with CA usage (cert usage
	0). With the previous behavior verification would have failed, while
	now this entry will be skipped.

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/cert.c, libdane/dane.c: doc: improved documentation on
	certificate and DANE verification functions

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* libdane/dane.c: dane: updated documentation of dane_verify_crt_raw

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi, libdane/dane.c: doc: added clarifications
	on documentation for dane_state_t

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/manpages/Makefile.am: manpages: include the dane functions
	into the distributed pages

2016-04-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/auth/ecdhe.c: ecdhe: eliminated unneeded checks for zero of
	public parameters
	These were not required by either draft-ietf-tls-rfc4492bis-07 or
	rfc7748.

2016-04-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-examples.texi, doc/examples/Makefile.am,
	doc/examples/ex-client-x509-3.1.c: doc: added example client
	application utilizing the 3.1.x APIs

2016-04-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/examples/ex-client-x509.c: examples: added explicit 3.5.0
	dependency in ex-client-x509

2016-04-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/examples/ex-verify.c: examples: added error checks and updated
	verify_certificate_chain()

2016-04-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: made the linux tag explicit for
	our runners

2016-04-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-04-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: doc: document curve X25519

2016-04-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: doc: clarify what catch all means in all
	scenarios

2016-04-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: added
	tests for supported curves

2016-04-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-key-exchange.c, tests/handshake-false-start.c,
	tests/suite/testcompat-main-openssl: tests: include self tests with
	CURVE-X25519

2016-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/benchmark-tls.c: gnutls-cli: enhanced KX benchmark with X25519

2016-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms.h, lib/algorithms/ecc.c,
	lib/algorithms/publickey.c, lib/algorithms/secparams.c,
	lib/auth/ecdhe.c, lib/crypto-backend.h, lib/ecc.c, lib/ecc.h,
	lib/gnutls_int.h, lib/includes/gnutls/gnutls.h.in,
	lib/libgnutls.map, lib/mem.c, lib/mem.h, lib/nettle/pk.c, lib/pk.c,
	lib/state.c: handshake: added support for ECDH with curve X25519
	This follows draft-ietf-tls-rfc4492bis-07 and rfc7748

2016-04-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-main-openssl: tests: updated the openssl
	compat check to make explicit the used curves

2016-04-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/auth/ecdhe.c: ecdhe: print the received curve from the server
	on debug mode

2016-04-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: added
	CHACHA20-POLY1305 detection

2016-04-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/hash-large.c: tests: on out of memory conditions do not
	fail the hash-large test
	This test may require a large amount of memory which some CI systems
	cannot provide. When an out-of-memory-error is detected skip the
	test instead of failing.

2016-04-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_int.h, lib/state.c: session: removed unused parameters
	from RSA-EXPORT era

2016-04-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README-alpha.md: README-alpha.md: updated badges with the new
	gitlab URLs

2016-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-tokens.texi: doc: document the TPM 1.2 limitation

2016-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-tokens.texi: doc: tpm: include short instructions on
	initializing the TPM chip

2016-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/slow/hash-large.c: tests: hash-large: use private mmap()
	This reduces the memory usage of the test significantly on Linux.

2016-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, tests/slow/hash-large.c: tests: use mmap() for large
	memory allocations in systems that support it
	That allows the hash-large test to run on systems whose calloc()
	is attempting to allocate an impossible amount of memory.

2016-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dsa/testdsa, tests/openpgp-certs/testcerts: tests: use
	/bin/bash for tests that use bashisms

2016-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/danetool.sh: tests: don't run danetool.sh if danetool is not
	present
	That prevents test suite failure in systems without libunbound.

2016-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_int.h: gnutls_int.h: allow compiling with system
	(gnutls) headers

2016-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added build rule on freebsd

2016-04-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def: certtool: document sha3 functions in
	manpage [ci skip]

2016-04-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/danetool-args.def: doc: added missing @end example in danetool
	documentation

2016-04-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-intro-tls.texi: doc: updated documentation on false start

2016-04-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-04-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c: gnutls-cli-debug: enable socket verbosity when
	--verbose is given

2016-04-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/socket.c: tools: explicitly initialize socket struct to zero
	That resolves issue where verbose was enabled by default.

2016-04-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c, src/danetool.c: tools: avoid extracting the value
	of the app-proto alias
	Instead always extract the starttls-proto value, as it seems that
	libopts doesn't report any value for the former. This corrects the
	starttls capability of danetool and gnutls-cli-debug.

2016-04-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-args.def, src/cli-debug-args.def, src/socket.c: tools:
	document the starttls capability

2016-04-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: do not run danetool.sh on windows
	The test fails due to CRLF.

2016-04-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c, src/cli.c, src/danetool-args.def, src/danetool.c: 
	tools: avoid relying on static buffers for service name

2016-04-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/danetool.sh: tests: added basic check on
	danetool --tlsa-rr option

2016-04-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/danetool-args.def, src/danetool.c, src/socket.c: danetool:
	Allow specifying a service name into port option
	This makes the tool similar to gnutls-cli.

2016-04-18  Kevin Cernekee <cernekee@gmail.com>

	* lib/x509/verify-high2.c: Fix library build on Chrome Native Client
	(NaCl)
	Some supported toolchains define DT_UNKNOWN but do not define
	_DIRENT_HAVE_D_TYPE (and do not have the d_type field).  On other
	platforms GnuTLS may need to second-guess what the library is
	reporting, but on NaCl this is unsafe.

2016-04-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/serv.c: gnutls-serv: don't send closure messages in failed
	handshakes

2016-04-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/dh_common.c, lib/auth/ecdhe.c: client key exchange: fail
	if the client KX message is padded with additional bytes

2016-04-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/pk.c: _wrap_nettle_pk_derive: reject values of public
	key that are over the prime
	That is, do not canonicalise the value we get from the network, but
	rather check it for validity. This saves a modular reduction on
	handshake and performs a sanity check on the peer's (client)
	parameters.  Reported by Hubert Kario.  Resolves #84

2016-04-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/Makefile.am: tests: suite: disable any openssl cpu
	optimizations
	This prevents valgrind failures on softhsm usage due to any new
	instruction optimizations which are not supported by valgrind.

2016-04-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-intro-tls.texi: doc: further updated documentation on
	false start [ci skip]

2016-04-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, doc/cha-intro-tls.texi: doc: updated documentation on false
	start

2016-04-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/handshake-false-start.c: tests: enhanced the false start
	checks
	These now check whether sending and receiving is performed as
	expected after handshake, DTLS, as well as test explicit handshake
	called by the application.

2016-04-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.c, lib/gnutls_int.h, lib/handshake.c,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/record.c,
	lib/state.c: Updated false start support to be transparent to
	applications.
	That is, an additional flag GNUTLS_ENABLE_FALSE_START is introduced
	for gnutls_init(), and that enables support for false start. At this
	point false start will be performed by the handshake if possible,
	and gnutls_record_recv() will handle handshake completion.

2016-04-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-04-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/privkey.c, lib/x509/privkey.c, src/certtool-args.def: doc:
	updated docs related to private key generation

2016-04-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: do not allow combining --provable with
	--ecc in key generation
	There is no such support in the library.

2016-04-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files for new APIs

2016-04-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml, .gitmodules, doc/cha-gtls-app.texi,
	doc/examples/Makefile.am, doc/examples/tlsproxy: doc: added tlsproxy
	example reference into documentation

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/pem-decoding: tests: pem-decoding: fixed issue
	preventing out-of-tree checks

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/pem-decoding: tests: pem-decoding: use unique
	temp files

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/{mini-x509-kx.c => cert-key-exchange.c}: 
	tests: enhanced mini-x509-kx with ECDHE-ECDSA ciphersuite testing
	Also renamed it to cert-key-exchange for easier tracking.

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/tls-sig.c: handshake: do not overwrite the server's signature
	algorithm
	That is, correct a bug under which a client sending a certificate
	would overwrite the server's idea about the used signature
	algorithm.  Reported by Hubert Kario.

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-x509-kx.c: tests: enhanced mini-x509-kx with client
	auth scenarios

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-x509-kx.c: tests: verify that the output of
	gnutls_sign_algorithm_get() is the expected one

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp.c: ocsp: increased the preallocated space in
	check_ocsp_purpose to account for null terminator
	This relates to gnutls_x509_crt_get_key_purpose_oid() change to
	return null-terminated OIDs.

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/sha3-test,
	tests/cert-tests/template-ecdsa-sha3-256.pem,
	tests/cert-tests/template-ecdsa-sha3-512.pem,
	tests/cert-tests/template-rsa-sha3-224.pem,
	tests/cert-tests/template-rsa-sha3-384.pem: tests: enhanced and
	simplified SHA3 tests
	Included checks about SHA3-224 and SHA3-384.

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/gost-cert.pem,
	tests/cert-tests/pem-decoding: tests: added check of GOST cert
	decoding/printing
	This verifies whether our printing functions print the OID on
	unknown/unsupported algorithms.

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509 output: print the OID of
	certificates/CRLs/CRQs with unknown algorithms
	That is, if any unknown signature or subject public key algorithm is
	encountered the OID will be printed instead.

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/crq-basic.c: tests: added basic tests for
	CSR parsing
	This mainly includes tests on the new
	gnutls_x509_crq_get_signature_oid() and
	gnutls_x509_crt_get_algorithm_oid().

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/crl-basic.c: tests: added basic tests on
	CRL parsing
	That includes testing on the new gnutls_x509_crl_get_signature_oid()

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/x509cert-tl.c: tests: added basic functionality tests for
	gnutls_x509_crt_get_*_oid

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/crl.c: 
	Added gnutls_x509_crl_get_signature_oid

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/crq.c: 
	Added gnutls_x509_crq_get_signature_oid and
	gnutls_x509_crq_get_pk_oid

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/x509.c: 
	Added gnutls_x509_crt_get_signature_oid and
	gnutls_x509_crt_get_pk_oid
	These functions can directly provide the textual object identifier
	of their corresponding fields.

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: gnutls_x509_crt_get_key_purpose_oid: copy the OID
	as a null-terminated string

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/sign.c, tests/cert-tests/template-rsa-sha3-256.pem: 
	sign: corrected digest in SHA3-224 OID mapping

2016-04-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure: corrected regression which prevented the
	build of tests/suite
	This regression was introduced at
	8b97662c40c67a6d4087ce6e1f0c6fb6ea4a8b2c

2016-04-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/x509_ext.c: gnutls_x509_ext_import_policies: initialize
	value to avoid compiler warnings

2016-04-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README-alpha.md: README: removed inexistent package

2016-04-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/common.mk, libdane/Makefile.am: common.mk:
	corrected typo on LDFLAGS for coverage

2016-04-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/danetool-args.def: danetool: corrected typo in manual [ci
	skip]

2016-04-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/record.c: gnutls_packet_get: avoid null pointer dereference on
	NULL input
	That is, still allow the function to handle a NULL packet input but
	reset the data contents.

2016-04-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey.c: gnutls_x509_privkey_verify_seed: corrected
	typo that made the function always return true

2016-04-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.h: _gnutls_asn2err: declared as constant function

2016-04-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify-high2.c: load_dir_certs: use readdir() in all
	platforms
	According to glibc documentation readdir_r() is deprecated and the
	use of readdir() is recommended. As such we switch to it on all
	platforms.

2016-04-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/resume-psk.c, tests/resume.c: tests:
	combined the resume checks for Anonymous and PSK ciphersuites
	In addition enhanced it to check the resumption on the certificate
	ciphersuites as well.

2016-04-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am, README-alpha.md, configure.ac, lib/Makefile.am,
	lib/common.mk, libdane/Makefile.am, m4/ax_code_coverage.m4: 
	configure: Add a code coverage option
	Configure with:
	  ./configure --enable-code-coverage
	Show coverage output with:
	  make && make check && make code-coverage-capture

2016-04-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/Makefile.am, lib/accelerated/Makefile.am,
	lib/accelerated/x86/Makefile.am, lib/algorithms/Makefile.am,
	lib/auth/Makefile.am, lib/common.mk, lib/ext/Makefile.am,
	lib/extras/Makefile.am, lib/minitasn1/Makefile.am,
	lib/nettle/Makefile.am, lib/opencdk/Makefile.am,
	lib/openpgp/Makefile.am, lib/x509/Makefile.am: Makefile.am: moved
	common rules (AM_CFLAGS) to common.mk

2016-04-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp.c: gnutls_ocsp_resp_get_single: fail if thisUpdate
	is not available or unparsable
	That is because this field is not optional, and a failure on its
	parsing is always fatal. Reported by Yuan Jochen Kang.

2016-04-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey.c: gnutls_x509_privkey_import2: document an
	intentional fall through

2016-04-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README-alpha.md: README: add abi-compliance-checker into install
	instructions

2016-04-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pubkey.c, lib/x509/verify.c: gnutls_x509_crt_get_key_usage:
	ensure that its returned value is properly handled
	Reported by Yuan Jochen Kang.

2016-04-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: tests: do not enable valgrind in non-git builds

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/mac.c: hash: corrected the textual description of
	hashes

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/sign.c, tests/cert-tests/template-rsa-sha3-256.pem: 
	corrected SHA3-224 OID

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/ocsp_output.c, lib/x509/output.c: x509 output: don't warn
	about insecure algorithm when unknown

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/ecore/src/include/eina_file.h,
	tests/suite/ecore/src/lib/eina_cpu.c: tests: remove any system
	specific code of ecore
	This was causing issues with certain builds and was not used for the
	purpose of testing.

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/Makefile.am, tests/suite/testcompat-openssl.sh: tests:
	disable unsupported curves from compatibility checks
	This allows running make check even when compiling with
	disable-suiteb-curves.

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-openssl, tests/suite/testcompat-polarssl: 
	tests: removed unused scripts

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: combined C99 and undefined
	sanitizer builds

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, src/Makefile.am, src/crywrap/Makefile.am,
	src/crywrap/README, src/crywrap/crywrap.c, src/crywrap/crywrap.h,
	src/crywrap/primes.h: crywrap: was removed from gnutls tools
	Its inclusion did not increase the attention paid to this tool, nor
	provided any significant advantage to gnutls' users thus it was
	unbundled from the main library. The tool can be found at
	https://github.com/nmav/crywrap

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/minitasn1/coding.c, lib/minitasn1/decoding.c,
	lib/minitasn1/element.c, lib/minitasn1/element.h,
	lib/minitasn1/int.h, lib/minitasn1/libtasn1.h,
	lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h,
	lib/minitasn1/structure.c: minitasn1: updated to latest git version

2016-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: doc: Replace references to select with poll
	and other fixes

2016-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: doc: replace inaccurate sentence with
	reference to gnutls_record_discard_queued [ci skip]

2016-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/state.c: gnutls_record_get_direction: doc update [ci skip]

2016-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/x509sign-verify2.c: tests: reduce the number of loops in
	x509sign-verify2
	This enables running the test in reasonable time under valgrind.

2016-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkix.asn, lib/pkix_asn1_tab.c: pkix.asn: corrected byKey
	definition
	OCSP is defined in an EXPLICIT tags module, and as such we must tag
	explicitly all of its tags.

2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/template-nc.pem,
	tests/cert-tests/template-nc.tmpl: tests: check the generation of IP
	name constraints with certtool

2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool-cfg.c: certtool: allow
	generating IP name constraints
	Relates #83

2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/common.c, lib/x509/common.h, lib/x509/x509.c: 
	_gnutls_parse_general_name2: allow parsing empty names
	This allows parsing empty general names such as an empty DNSname
	used in name constraints.

2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/name_constraints.c: name constraints: enforce the rules
	for IP constraints when adding
	This will prevent gnutls from generating badly formed certificates.

2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: .gitignore: more files to ignore

2016-03-16  Daiki Ueno <ueno@gnu.org>

	* lib/libgnutls.map, lib/x509/name_constraints.c,
	lib/x509/x509_ext.c, lib/x509/x509_int.h, tests/Makefile.am,
	tests/name-constraints-merge.c, tests/test-chains.h: name
	constraints: compute permitted set strictly
	RFC 5280 6.1.4. states that the permitted_subtrees variable is
	constructed as an intersection of its previous value.
	Co-authored-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added C99 target for the library
	This compiles the library using gcc options for the C99 standard.

2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README-alpha.md: README: updated libtasn1 URL [ci skip]

2016-04-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/x86-common.c: x86-common: increase the size of
	_gnutls_x86_cpuid_s to match the size of assembly files
	This resolves issue on certain platforms (e.g., windows) where ld
	would simply fail, instead of allocating the largest size of the
	variable.

2016-04-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/ocsptool-common.c: ocsptool: use HTTP/1.0 for requests
	This avoids issue with servers serving chunk encoding which ocsptool
	doesn't support. Reported by Thomas Klute.

2016-04-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/gnutls.h.in, lib/state.c: gnutls_init(): refer
	to gnutls_init_flags_t for the documentation of available flags

2016-04-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/README.CODING_STYLE: README.CODING_STYLE: set C99 as the C
	dialect of choice

2016-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/system-prio-file.c, tests/system.prio: 
	tests: added check for system priority file loading and parsing
	This checks whether the file is properly loaded and its contents are
	parsed as expected.

2016-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, lib/global.c, lib/global.h, lib/libgnutls.map,
	lib/priority.c: priorities: preload the system priorities on library
	loading time
	This allows to rely on the system priorities even in the case of
	applications that chroot(). This also introduces the environment
	variable GNUTLS_SYSTEM_PRIORITY_FILE which can be used to override
	the global priority file.

2016-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/chain-md5.pem,
	tests/cert-tests/md5-test: tests: added check of verification using
	MD5 with and without --verify-allow-broken
	This tests certtool and whether it fails verification of MD5 chains
	with no --verify-allow-broken, or whether it succeeds if given.

2016-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/pkcs7-broken-sigs: 
	tests: added PKCS #7 signing/verification test with broken sigs
	(MD5)
	This tests whether we can sign structures using broken algorithms
	(MD5), and verify structures signed with broken algorithms if
	--verify-allow-broken is given to certtool.

2016-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool.c: certtool: added flag to
	allow verification using broken algorithms

2016-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/resume.c: tests: check whether resumption data from resumed
	session work

2016-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_int.h, lib/session.c, lib/state.c: session resumption:
	lift the limitation of calling gnutls_session_get_data*() on
	non-resumed sessions
	This allows obtaining the session data required for proper
	session resumption from any available session. This brings the API
	on par with expectations of its users.  Resolves #79

2016-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/state.c: dtls: added missing dtls.h to state.c

2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/key-material-set-dtls.c: tests: added
	check for gnutls_record_set_state() under DTLS

2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/dtls.c, lib/dtls.h, lib/state.c: dtls: reset the record number
	sliding window on gnutls_record_set_state()
	This addresses issue where gnutls_record_set_state() was called with
	a new state but the sliding window information was not updated, thus
	blocking any incoming packets.  Resolves #82

2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509/output: simplified cidr_to_string()

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: .gitignore: more files to ignore

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/key-material-dtls.c: tests: check
	gnutls_record_get_state() with DTLS
	Since in DTLS we relied on a sliding window to keep track of the
	sequence numbers we didn't provide a sensible value to application
	via gnutls_record_get_state(). This test makes sure that we report
	the "correct" value when asked. Correct being the next number after
	the last received packet.

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/record.c: DTLS: save last valid record sequence number
	This will allow to report a valid number to
	gnutls_record_get_state() callers in case of DTLS. Reported by
	Fridolin Pokorny.

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/certtool-long-cn: tests: delete outfile in
	certtool-long-cn

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/name-constraints,
	tests/cert-tests/name-constraints-ip2.pem: tests: verify the output
	of name constraints IP decoding

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509/output: print RFC5280 CIDRs in name
	constraints

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-key-material.c: tests: check the sequence numbers
	produced by gnutls_record_get_state()

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/state.c: gnutls_record_get_state: Allow for NULL parameters

2016-03-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/ocsptool.c: ocsptool: eliminated memory leaks in
	verify-response option

2016-03-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/ocsptool.c: ocsptool: don't exit with error code on
	verification failures when --ignore-errors is given

2016-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, tests/Makefile.am, tests/ocsp-tests/Makefile.am,
	tests/ocsp-tests/ca.key, tests/ocsp-tests/ca.pem,
	tests/ocsp-tests/ocsp-server.key, tests/ocsp-tests/ocsp-server.pem,
	tests/ocsp-tests/ocsp-test: tests: added OCSP related checks

2016-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/ocsptool.c: ocsptool: exit with error on verification failures

2016-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/ocsp.c: ocsp: gnutls_ocsp_resp_verify_direct will skip
	additional checks for certificates matching issuer
	That eliminates issue with ocsptool rejecting OCSP responses signed
	by the same CA that signed the certificate. Reported by Thomas
	Klute.

2016-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/ocsptool-args.def, src/ocsptool.c: ocsptool: Allow saving
	responses even if verification fails
	In addition do not enter a spurious newline to responses.

2016-03-23  Maya Rashish <coypu@sdf.org>

	* tests/dtls/dtls-stress.c: Avoid using strerror in dtls stress test
	Using it results in build failure on NetBSD: undefined reference to
	`rpl_strerror'

2016-03-23  Maya Rashish <coypu@sdf.org>

	* tests/utils.h: Add missing header to testsuite
	This causes a problem for NetBSD+clang tests, because SIGTERM and
	kill are undefined.  Resolves #80
	Signed-off-by: Maya Rashish <coypu@sdf.org>

2016-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/session_ticket.c, lib/gnutls_int.h: session tickets: avoid
	GCM for session tickets and rely on CBC and HMAC
	The latter is more resilient against non-key renewal.

2016-02-15  Jaak Ristioja <jaak.ristioja@cyber.ee>

	* lib/ext/heartbeat.c, lib/handshake.c, lib/record.c, lib/record.h: 
	Broke apart _gnutls_recv_int() to the packet and non-packet cases.
	Only gnutls_record_recv_packet() called _gnutls_recv_int() with
	(packet != NULL). I refactored this logic directly downstream into
	gnutls_record_recv_packet(). The _gnutls_recv_int() function now
	only handles non-packet specific logic. The check_session_status()
	function was created to deduplicate common code which would
	otherwise have ended up in both functions.
	The rationale behind this change is to optimize what were previously
	calls of _gnutls_recv_int(). First of all _gnutls_recv_int() now has
	only 6 parameters, which according to the x86_64 System V
	Application Binary Interface should now fit into CPU registers and
	no longer use the stack. Secondly this change avoids a number of
	branching checks for both packet and non-packet cases.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2016-03-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c, src/socket.c, src/socket.h: gnutls-cli: corrected usage
	of gnutls_session_get_data() This is no longer called on resumed sessions, allowing more than one
	resumption in servers which use tickets and don't resend the ticket
	on subsequent connections.

2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testcompat-main-openssl: testcompat-openssl: enable
	TLS 1.2 tests with openssl 1.0.1+

2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-x509-callbacks.c: tests: verify that the
	post-client-hello callback has access to ALPN data

2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: don't use git submodule update,
	not needed for our testsuite

2016-03-15  Yuriy M. Kaminskiy <yumkam@gmail.com>

	* lib/ext/alpn.c: alpn: ALPN state is per-connection, it should not
	be saved with session data

	In addition the extension was moved to the mandatory to parse to
	ensure it is always parsed when sessions are resumed.

	rfc7301:
	    Unlike many other TLS extensions, this extension does not
	    establish properties of the session, only of the connection.
	    When session resumption or session tickets [RFC5077] are used, the
	    previous contents of this extension are irrelevant, and only the
	    values in the new handshake messages are considered.

	Signed-off-by: Yuriy M. Kaminskiy <yumkam@gmail.com>
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/resume.c: tests: added checks for session resumption and
	ALPN This checks whether the ALPN extension is re-read on resumption and
	is negotiated.

2016-03-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/accelerated/x86/x86-common.c: x86-common: CPUID override will
	only work if CPU has already the capability present This resolves test suite failure on CPUs with limited capabilities.
	Reported by Andreas Metzler.

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, lib/errors.c, lib/includes/gnutls/gnutls.h.in,
	lib/x509/common.c: Introduced GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING This error code is returned when an embedded NULL is detected in a
	string.

2016-03-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/server_name.c: gnutls_server_name_set: accept non-null
	terminated hostnames The introduction of IDNA support introduced a regression and this
	function does not operate correctly when given non-null terminated
	strings. Reported by Tim Ruehsen.  Relates #78

2016-03-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-server-name.c: tests: added check for non-null
	terminated server name This checks whether a non-null terminated server name, but with
	correct length is correctly accepted by gnutls_server_name_set().  Relates #78

2016-03-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/template-nc.pem: tests: template-test was updated
	for OCSP key purpose reordering

2016-03-14  Ludovic Courtès <ludo@gnu.org>

	* doc/gnutls-guile.texi: guile: doc: Mention bytevectors.

	* doc/gnutls-guile.texi (Representation of Binary Data): Mention
	bytevectors.
	(Input and Output): Likewise.

2016-03-14  Ludovic Courtès <ludo@gnu.org>

	* doc/gnutls-guile.texi: guile: doc: Explain "Application Data"
	packets and 'session-record-port'.

	* doc/gnutls-guile.texi (Input and Output): Mention "Application
	Data" packets and buffering.

2016-03-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: do not require a CA for OCSP signing This follows the recommendations in RFC6960 in 4.2.2.2 which allow a
	CA to delegate OCSP signing to another certificate without requiring
	it to be a CA.  Reported by Thomas Klute.

2016-03-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/status_request.c: doc: updated text for
	gnutls_ocsp_status_request_is_checked() Relates #75

2016-03-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: doc: clarified expectations on
	gnutls_datum_t Relates #77

2016-03-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/handshake.c: doc update:
	gnutls_handshake_set_false_start_function() [ci skip]

2016-03-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* devel/ABI-x86_64.dump, devel/abi-unchecked-symbols,
	devel/abi-unchecked-symbols.txt: abi-check: corrected type of
	gnutls_x509_crl_get_issuer_dn That will avoid any accidental ABI breakage on that symbol.

2016-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added abi-checker rule This allows to test ABI incompatibilities as soon as possible.

2016-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am, devel/ABI-dane-x86_64.dump, devel/ABI-x86_64.dump,
	devel/abi-unchecked-symbols, devel/abi-unchecked-symbols.txt,
	devel/abi.xml, devel/abi3.2.xml, devel/abi3.4.xml: Makefile: made
	abi-checks self-contained That is, they no longer assume a given directory structure to exist
	outside git. It now includes a static dump of the symbols in 3.4.0
	for x86_64 and we compare with it.

2016-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-common.c: certtool: better error handling in
	file_size()

2016-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c: gnutls-cli: fix invalid initialization in
	cert_verify_ocsp()

2016-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/serv.c: gnutls-serv: human_addr always returns a non-null
	argument This addresses issue with libc's which don't support printf() with a
	NULL argument.

2016-03-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testpkcs11.sh: tests: testpkcs11: the test will always
	fail in code path failures

2016-03-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README-alpha.md: README: list the main branches build status [ci
	skip]

2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system.c: gnutls_system_recv_timeout: restore poll on EINTR

2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/status_request.c: doc: corrected typo [ci skip]

2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/status_request.c: gnutls_ocsp_status_request_is_checked:
	document the version the flag was introduced at Relates: #75

2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/doc.mk: doc: generate manpages for all functions That addresses issue where certain manpages were created empty.  See
	https://bugzilla.redhat.com/show_bug.cgi?id=1306800

2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: doc: mention
	gnutls_certificate_set_x509_trust_dir() It was not mentioned in the "Client or server certificate
	verification" section.  Resolves #76

2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-loss-time.c: tests: mini-loss-time: improved timeout
	detection

2016-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509.c: corrected typo in comment [ci skip]

2016-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure: silence clang's warnings

2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/version-checks.c: tests: added check for
	version negotiation default prio string That verifies whether the support versions are negotiated.

2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/Makefile.am: tests: include test-hash-large into dist

2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* po/LINGUAS, po/zh_CN.po.in: Sync with TP [ci skip]

2016-03-02  Ludovic Courtès <ludo@gnu.org>

	* NEWS: Update NEWS.

2016-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/global.c: Disable weak symbols for _gnutls_global_init_skip()
	under windows That is to avoid an issue with running gnutls under windows; that
	renders GNUTLS_SKIP_GLOBAL_INIT a no-op under windows.  Relates #74

2016-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: asan, clang and valgrind builds
	were made arch-independent

2016-02-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/pkcs12-decode/pkcs12: tests: pkcs12: allow multiple in-place
	builds

2016-02-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/pkcs1-padding/pkcs1-pad,
	tests/rsa-md5-collision/rsa-md5-collision: tests:
	pkcs1-pad,rsa-md5-collision: allow multiple in-place builds

2016-02-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-02-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli.c: gnutls-cli: fail if gnutls is not compiled with DANE
	support and --dane is provided Suggested by Bjorn Jacke.

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/ecore/src/lib/eina_hash.c: tests: always used the slow
	(portable) version of get16bits This prevents issues with misaligned addresses and undefined
	sanitizer.

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/state.c: timespec_sub_ms: fixed operation in 32-bit systems

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: don't use the internal libtasn1
	when compiling with libubsan This prevents build failures due to issues in libtasn1

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/ecore/src/lib/eina_hash.c: tests: Fixes to prevent
	undefined behavior (found with libubsan)

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c, lib/pkcs11_int.h: pkcs11: Fixes to prevent undefined
	behavior (found with libubsan)

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/cipher.c: cipher.c: Fixes to prevent undefined behavior
	(found with libubsan)

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/ecc.c: ecc: optimized extension parsing

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/misc.c: opencdk: Fixes to prevent undefined behavior
	(found with libubsan)

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/gnutls.h.in: gnutls.h: Fixes to prevent
	undefined behavior (found with libubsan)

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/mem.h, lib/x509/x509.c: x509: Fixes to prevent undefined
	behavior (found with libubsan)

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey.c: x509: cleanup in privkey.c

2016-02-28  Andreas Metzler <ametzler@bebt.de>

	* src/p11tool-args.def: Let p11tool --provider option accept
	filenames.  Drop 'file-exists = yes;' to allow specifying either an absolute
	pathname or a file in P11_MODULE_PATH.

2016-02-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: abort on ubsan errors

2016-02-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/pkcs11.c: p11tool: addressed memory leaks

2016-02-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/krb5-test, tests/cert-tests/othername-test,
	tests/cert-tests/sha3-test, tests/cert-tests/template-test: tests:
	use 'datefudge -s' to avoid loops This avoids repeated loops of the same test as well as random
	failures in the test suite.

2016-02-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/krb5-test: tests: krb5-test: increased the number
	of loops This should prevent random failures in the test suite.

2016-02-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: asan and ubsan include the suite/

2016-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: .gitignore: more files to ignore

2016-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-intro-tls.texi: doc: documented false start functionality

2016-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/cert-common.h,
	tests/handshake-false-start.c, tests/utils.c, tests/utils.h: tests:
	Added checks for false start operation

2016-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms.h, lib/algorithms/kx.c,
	lib/algorithms/protocols.c, lib/gnutls_int.h, lib/handshake.c,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/state.c: 
	Added gnutls_handshake_set_false_start_function() This function allows to use TLS False-start, by using the provided
	function to send data just after finished message.

2016-02-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-is-known.c,
	tests/suite/softhsm.h, tests/suite/testpkcs11.softhsm,
	tests/utils.c, tests/utils.h: tests: enable softhsmv2 test suite by
	default Also do not fatally fail with known softhsmv2 bugs.

2016-02-26  Jan Vcelak <jan.vcelak@nic.cz>

	* tests/suite/testpkcs11.sh: pkcs11: tests for RSA, ECC, DSA private
	key import Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>

2016-02-26  Jan Vcelak <jan.vcelak@nic.cz>

	* tests/suite/testpkcs11.sh: pkcs11: tests for DSA key generating Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>

2016-02-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi, tests/seccomp.c: added getpid() to the list
	of system calls used

2016-02-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added compilation rule with
	libubsan

2016-02-25  Jan Vcelak <jan.vcelak@nic.cz>

	* lib/x509/privkey_pkcs8.c: gnutls_x509_privkey_import: add missing
	algorithm setting for DSA keys

	The algorithm number was set only in the private key structure, not
	in the nested structure with parameters. This made certain
	operations to fail (e.g., copying the key into a PKCS #11 token).

	Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>

2016-02-25  Jan Vcelak <jan.vcelak@nic.cz>

	* lib/pkcs11_privkey.c: pkcs11: implement correct DSA key pair
	generating Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>

2016-02-25  Jan Vcelak <jan.vcelak@nic.cz>

	* lib/pkcs11_int.c, lib/pkcs11_int.h: pkcs11: add interface for
	C_GenerateKey Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>

2016-02-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/sign.c: better match with unknown_tls_aid

2016-02-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/Makefile.am, lib/x509/common.c, lib/x509/time.c: x509:
	moved time-specific functions to time.c

2016-02-24  Sebastian Dröge <sebastian@centricular.com>

	* configure.ac: configure: Android is ELF too Without this, compiling Android for x86 or x86-64 fails because the
	assembly optimizations are not compiled in.

2016-02-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README-alpha.md: mentioned the public git URL for cloning [ci
	skip]

2016-02-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-02-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-02-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/session-export-funcs.c: tests: check
	functions which export session parameters That is gnutls_session_get_random() and
	gnutls_session_get_master_secret().

2016-02-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/state.c: 
	Added gnutls_session_get_master_secret This provides the ability to export all session parameters in
	various formats.  Resolves #64

2016-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/rehandshake-ext-secret.c: tests: gnutls_session_get_flags()
	is checked for extended master secret

2016-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-etm.c: tests: check gnutls_session_get_flags() for EtM

2016-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/safe-renegotiation/srn0.c, tests/safe-renegotiation/srn1.c,
	tests/safe-renegotiation/srn2.c, tests/safe-renegotiation/srn3.c,
	tests/safe-renegotiation/srn4.c, tests/safe-renegotiation/srn5.c: 
	tests: check gnutls_session_get_flags() for safe renegotiation

2016-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/state.c: 
	Added gnutls_session_get_flags() This function would allow to simplify handling of future flags which
	we may want to indicate, and would not require API additions for new
	flags.

2016-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: Revert ".gitlab-ci.yml: disable guile tests" This reverts commit 50ce516eebaf011f041002ecbfdb61b113159282.

2016-02-21  Ludovic Courtès <ludo@gnu.org>

	* guile/Makefile.am: guile: Fix out-of-tree builds.

	This fixes a regression introduced in 3045a96.

	* guile/Makefile.am (.in.scm): Make the parent directory of $@.

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/common.c: Improved documentation in _gnutls_sort_clist

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: gnutls_x509_crt_list_import: corrected memory
	leak This was triggered if GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED was
	specified and a failure occurred.

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/common.c: _gnutls_sort_clist: fixed issues when used with
	func option This function would incorrectly call func() on elements that were
	included in the list, and would not call func() if the size of the
	final chain was one.

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pcert-list.c: tests: added tests for
	gnutls_pcert_list_import_x509_raw()

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/ext_master_secret.c: ext master secret: ensure we disable
	ext master secret if requested That is, on rehandshakes, as on the standard handshakes it is
	disabled by default.

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/rehandshake-ext-secret.c: tests: verify
	that we do not allow rehandshakes without ext master That is, if we have an initial session which uses the extended
	master secret do not allow subsequent rehandshakes to skip it.

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/sha3-test: tests: sha3-test: use different dates
	for generation and validation

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: eliminated memory leaks

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/gnutls.h.in: bumped the version of max
	algorithm num to account for new signing algorithms

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/Makefile.am: src: added systemkey-args to BUILT_SOURCES

2016-02-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/sha3-test: tests: simplified sha3-test

2016-02-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* cross.mk: cross.mk: updated for gnutls 3.4.9, nettle 3.2, gmp
	6.1.0 and p11-kit 0.23.2 [ci skip]

2016-02-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: disable guile tests This prevents the test suite from failing.

2016-02-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/resume.c: tests: resume: check whether the server does not
	resume in ext master secret mismatch Relates #69

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/db.c, lib/db.h, lib/ext/session_ticket.c, lib/handshake.c:
	Ensure that session resumption does not occur when ext master secret
	status changes

	That is we make sure the server doesn't resume when:
	1. Original session had extended master secret but not advertised in
	   resumed
	2. Original session did not have extended master secret but is
	   advertised in resumed

	Relates #69

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/resume.c: tests: resume: simplified structure assignment
	using C99 syntax

2016-02-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/sha3-test,
	tests/cert-tests/template-ecdsa-sha3-256.pem,
	tests/cert-tests/template-ecdsa-sha3-512.pem,
	tests/cert-tests/template-rsa-sha3-256.pem,
	tests/cert-tests/template-rsa-sha3-512.pem,
	tests/cert-tests/template-test-ecc.key: tests: added certification
	generation tests with SHA-3 tests

2016-02-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/sign.c, lib/includes/gnutls/gnutls.h.in,
	lib/x509/common.h, src/certtool.c: Added NIST's OIDs for SHA3
	signature algorithms This allows to generate certificates signed with SHA3.

2016-02-11  Ludovic Courtès <ludo@gnu.org>

	* guile/modules/gnutls.in: guile: Work around lack of 'eval-when' on
	1.8.

	* guile/modules/gnutls.in (eval-when) [!guile-2]: New macro.

2016-02-11  Ludovic Courtès <ludo@gnu.org>

	* configure.ac: guile: Install modules in versioned directory by
	default.

	* configure.ac: Change default 'GUILE_SITE' value to include
	$guile_effective_version.

2016-02-11  Ludovic Courtès <ludo@gnu.org>

	* guile/Makefile.am, guile/src/Makefile.am: guile: build: Make
	silent rules actually quiet.

	* guile/Makefile.am (.in.scm): Use $(AM_V_GEN) and $(AM_V_at).
	* guile/src/Makefile.am (enums.h, enum-map.i.c)
	(smobs.h, smob-types.i.c, %.x): Likewise.

2016-02-11  Ludovic Courtès <ludo@gnu.org>

	* configure.ac, guile/Makefile.am, guile/modules/Makefile.am,
	guile/tests/Makefile.am: guile: Build and install .go files on Guile
	2.x.

	* configure.ac: Check for 'guild' and substitute 'GUILD'.  Define
	'HAVE_GUILD'.  Substitute 'guileobjectdir'.  Don't output
	guile/modules/Makefile and guile/tests/Makefile.
	* guile/modules/Makefile.am, guile/tests/Makefile.am: Remove.  Move
	contents to...
	* guile/Makefile.am: ... here.
	(SUBDIRS): Remove 'modules' and 'tests'.

2016-02-11  Ludovic Courtès <ludo@gnu.org>

	* doc/gnutls-guile.texi: guile: doc: Change prompt in examples.

	* doc/gnutls-guile.texi (Guile Preparations): Use the prompt found
	in 2.0.  Change "libguile-gnutls-v-0" to "guile-gnutls-v-2".

2016-02-11  Ludovic Courtès <ludo@gnu.org>

	* doc/gnutls-guile.texi, guile/modules/gnutls/build/tests.scm:
	guile: tests: Add Guile 2.2 compatibility layer.

	This allows tests to run with Guile 2.1/2.2.

	* guile/modules/gnutls/build/tests.scm (define-replacement)
	[guile-2]: New macro.
	(uniform-vector-read!, uniform-vector-write) [guile-2]: New
	procedures.
	* doc/gnutls-guile.texi (Guile Preparations): Mention 2.2.

2016-02-11  Ludovic Courtès <ludo@gnu.org>

	* guile/tests/anonymous-auth.scm, guile/tests/openpgp-auth.scm,
	guile/tests/session-record-port.scm, guile/tests/x509-auth.scm:
	guile: tests: Make sure no processes are left behind.

	Before that, child processes would be left behind and become
	zombies.

	* guile/tests/anonymous-auth.scm, guile/tests/openpgp-auth.scm,
	guile/tests/session-record-port.scm, guile/tests/x509-auth.scm: Add
	(waitpid pid) call on the server side.

2016-02-11  Ludovic Courtès <ludo@gnu.org>

	* guile/.dir-locals.el, guile/Makefile.am,
	guile/modules/gnutls/build/tests.scm,
	guile/tests/anonymous-auth.scm, guile/tests/openpgp-auth.scm,
	guile/tests/session-record-port.scm, guile/tests/x509-auth.scm:
	guile: tests: Add 'with-child-process'.

	This makes sure that child processes always exit no matter what.

	* guile/modules/gnutls/build/tests.scm (define-syntax-rule)
	[!guile-2]: New macro.
	(call-with-child-process): New procedure.
	(with-child-process): New macro.
	* guile/tests/anonymous-auth.scm, guile/tests/openpgp-auth.scm,
	guile/tests/session-record-port.scm, guile/tests/x509-auth.scm: Use
	it instead of an explicit 'primitive-fork' call.
	* guile/.dir-locals.el: New file.
	* guile/Makefile.am (EXTRA_DIST): New variable.

2016-02-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-loss-time.c: tests: mini-loss-time: ensure client
	timeouts after the server is This addresses issue with the server detecting the client
	disconnection prior to its timeout. Reported by Steven Chamberlain,
	Andreas Metzler.

2016-02-12  Jaak Ristioja <jaak.ristioja@cyber.ee>

	* lib/ext/heartbeat.c, lib/handshake.c, lib/record.c, lib/record.h:
	Removed the invariant htype parameter of _gnutls_recv_int()

	All uses of _gnutls_recv_int() passed -1 as the htype argument of
	type gnutls_handshake_description_t, which had been used for SSLv2
	client hellos. Introduced in 2001 with dc1122e7b6.

2016-02-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/int/rsa-keygen-fips186.c: provable RSA key generation:
	adjust the seed size based on N size

2016-02-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/int/rsa-keygen-fips186.c: provable RSA key generation:
	allow non-2048 and non-3072 keys That is enforce the 2048 and 3072-bit limit to FIPS when in
	FIPS140-2 mode.

2016-02-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/secparams.c: DH/DSA: allow the generation of larger
	than 15360 bit parameters

2016-02-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/hash-large.c: tests: eliminated mem leak in hash-large

2016-02-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/Makefile.am, tests/slow/hash-large.c,
	tests/slow/test-hash-large: tests: check whether large buffer hashes
	and MAC work as expected

2016-02-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/hmac-padlock.c,
	lib/accelerated/x86/hmac-x86-ssse3.c,
	lib/accelerated/x86/sha-padlock.c,
	lib/accelerated/x86/sha-padlock.h,
	lib/accelerated/x86/sha-x86-ssse3.c, lib/nettle/mac.c: nettle: use
	the correct type for hash and MAC functions

2016-02-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/int/dsa-keygen-fips186.c,
	lib/nettle/int/rsa-keygen-fips186.c: provable prime generation:
	arbitrary seed lengths are accepted in non-FIPS mode

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/benchmark-cipher.c: gnutls-cli: improved indentation in
	benchmark output

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-cfg.c: certtool: removed unused variable

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/Makefile.am, src/certtool-common.c, src/certtool-common.h,
	src/certtool.c, src/common.h: certtool: the --generate-dh-params
	option can be combined with --provable This however, will generate provable DSA parameters and import them
	as DH parameters.  Resolves #72

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-common.c: certtool: the --dh-info option will
	retrieve DH parameters from DSA keys

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/cert-common.h, tests/dh-params.c: tests:
	added check for gnutls_dh_params_import_dsa

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/dh.c, lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: 
	Added gnutls_dh_params_import_dsa() which allows to import DSA
	parameters into DH ones This simplifies importing DSA private keys into DH parameters.

2016-02-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/set_pkcs12_cred.c: tests: set_pkcs12_cred: existing tests
	are disabled when in FIPS140-2 mode The tests require access to the RC4 cipher which is not available.

2016-02-10  Attila Molnar <attilamolnar@hush.com>

	* lib/ext/status_request.c, tests/Makefile.am,
	tests/ocsp-filename-memleak.c: Fix memory leak in
	gnutls_certificate_set_ocsp_status_request_file() Signed-off-by: Attila Molnar <attilamolnar@hush.com>

2016-02-06  Attila Molnar <attilamolnar@hush.com>

	* lib/anon_cred.c, lib/cert.c, lib/psk.c, lib/srp.c: doc: Update
	description of credential alloc/dealloc functions Get rid of "This structure is complex enough to manipulate
	directly..." text which suggests that these functions are optional,
	"helper" functions when in fact their usage is required for
	encapsulation reasons.

2016-02-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-02-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/alpn.c, lib/includes/gnutls/gnutls.h.in,
	tests/Makefile.am, tests/alpn-server-prec.c: ALPN: added the
	GNUTLS_ALPN_SERVER_PRECEDENCE flag This allows the server to set precedence on the protocols it
	supports, rather than following the client's order.  Resolves #71

2016-02-09  Andreas Metzler <ametzler@bebt.de>

	* doc/cha-gtls-app.texi: improve doc on special keywords in priority
	string

	Special keywords in priority strings like %COMPAT may not be
	prefixed with +, - or !, "NORMAL:+%COMPAT" is invalid.

2016-02-06  Attila Molnar <attilamolnar@hush.com>

	* doc/cha-cert-auth.texi, doc/cha-gtls-app.texi,
	doc/cha-tokens.texi, lib/auth.c, lib/dtls.c, lib/extensions.c,
	src/tpmtool-args.def: doc: Fix some typos

2016-02-06  Attila Molnar <attilamolnar@hush.com>

	* doc/cha-gtls-app.texi, src/certtool-cfg.c, src/serv-args.def: 
	Remove remaining RSA-EXPORT support leftovers from doc and messages

2016-02-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/pkcs11-pubkey-import-ecdsa.c: tests:
	pkcs11-pubkey-import-ecdsa will only work under softhsmv2

2016-01-31  Andreas Metzler <ametzler@bebt.de>

	* lib/openpgp/openpgp.c, lib/pubkey.c, lib/x509/pkcs12_bag.c,
	lib/x509/x509.c, lib/x509/x509_ext.c, src/certtool-cfg.c: Fix some
	more typos.  certifcate, funtion, withing, missmatch

2016-01-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/template-krb5name.pem,
	tests/cert-tests/template-othername-xmpp.pem,
	tests/cert-tests/template-othername.pem: tests: updated check to
	account for revert in 7d3caedb8df9d04eee9513cb5b3b417ae29927f5

2016-01-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/template-date.pem,
	tests/cert-tests/template-dn.pem,
	tests/cert-tests/template-generalized.pem,
	tests/cert-tests/template-nc.pem,
	tests/cert-tests/template-overflow.pem,
	tests/cert-tests/template-overflow2.pem,
	tests/cert-tests/template-test.pem,
	tests/cert-tests/template-unique.pem: Revert "tests: updated to
	account for cert generation after
	2adb9b2bfb31afebbdd9f990e2b74c9a3d4e5c57 fix" This reverts commit 735dbde324be6c8785a3dea5f09c82b6a8ad298b.

2016-01-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509_ext.c: Revert "Fix out-of-bounds read in
	gnutls_x509_ext_export_key_usage"

	This was not really an out-of-bounds check. Added documentation to
	make that clear.

	This reverts commit ffbc9aaea7dcf29c03784d128b83f0682357858d.

2016-01-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def: certtool: corrected email escaping in
	texinfo

2016-01-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, doc/cha-gtls-app.texi, lib/system.c, tests/seccomp.c: 
	Replaced select() system call with poll() on POSIX systems This allows to use the default gnutls functions with file
	descriptors over the maximum supported by select.

2016-01-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/windows/Makefile.am: tests: windows: fixed check-output call

2016-01-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/windows/crypt32.c: tests: added dummy functions used by
	CAPI32 implementation

2016-01-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/windows/Makefile.am, tests/windows/check-output: tests:
	better checking for failure in windows cng check

2016-01-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system-keys-win.c: system-key-win: call
	CertFreeCertificateContext()

2016-01-22  Bjørn Christensen <bhc@insight.dk>

	* lib/system-keys-win.c: system-key-win: added interface to CAPI,
	old style crypto api on windows

2016-01-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def: certtool: corrected texinfo output for
	krb5_principal

2016-01-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/priorities.c: tests: priorities: account for the addition of
	CHACHA20-POLY1305

2016-01-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/priority.c: CHACHA20_POLY1305 was added to the default
	priority strings

	That is, the NORMAL and PERFORMANCE priority strings now will enable
	CHACHA20-POLY1305 by default.

2016-01-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/global.c: gnutls_global_init: log gnutls' version on
	initialization

2016-01-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: doc: corrected typo [ci skip]

2016-01-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README-alpha.md: README: added trousers to list of dependencies
	[ci skip]

2016-01-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/pem-decoding,
	tests/cert-tests/template-krb5name-full.pem: tests: added check for
	KRB5Principal output

	Resolves #67

2016-01-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* Makefile.am, README.md => README-alpha.md: README.md ->
	README-alpha.md

2016-01-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/output.c: updated copyright info

2016-01-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* Makefile.am, README => README-install.md: README: auto-generated
	from README-install.md

2016-01-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_int.h: gnutls_int.h: increased MAX_SERVER_NAME_SIZE to
	256 bytes

2016-01-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pubkey.c: gnutls_pubkey_import_x509_raw: fixed memory leak

2016-01-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/krb5-test,
	tests/cert-tests/template-krb5name.pem,
	tests/cert-tests/template-krb5name.tmpl: tests: added check for the
	krb5_principal template option

2016-01-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool-cfg.c: certtool: introduced
	the krb5_principal template option

2016-01-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls.asn, lib/gnutls_asn1_tab.c,
	lib/includes/gnutls/gnutls.h.in, lib/x509/Makefile.am,
	lib/x509/common.h, lib/x509/krb5.c, lib/x509/krb5.h,
	lib/x509/output.c, lib/x509/virt-san.c: x509: introduced
	GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL

	That allows printing and writing KRB5PrincipalName othernames in
	subject alternative name.

2016-01-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509: place newline when printing unsupported
	othernames

2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/Makefile.am, lib/x509/common.c, lib/x509/common.h,
	lib/x509/virt-san.c, lib/x509/virt-san.h, lib/x509/x509_ext.c,
	lib/x509/x509_ext_int.h: x509: moved virtual subject alternative
	name othername support to virt-san.c

2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/x509_write.c: gnutls_x509_crt_set_subject_alt_name:
	documented the version after which GNUTLS_SAN_OTHERNAME_XMPP is
	available

2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/othername-test,
	tests/cert-tests/template-othername-xmpp.pem,
	tests/cert-tests/template-othername-xmpp.tmpl: tests: added check
	for XMPP othername generation

2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool-cfg.c: certtool: allow writing
	xmpp_name

2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/common.c, lib/x509/common.h, lib/x509/crq.c,
	lib/x509/x509_ext.c, lib/x509/x509_write.c: Allow assigning
	'virtual' SAN types via *_set_subject_alt_name()

2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: NEWS: document newly added functions

2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/alpn.c: alpn: when parsing the list of protocols return at
	the first mutually common

	That resolves an issue where the server wouldn't select the first
	mutually supported.

	Resolves #63

2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-alpn.c: tests: mini-alpn: corrected protocol selection
	order

2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-alpn.c: tests: alpn: enhance the testing of ALPN
	negotiation

2016-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/alpn.c: alpn: document how the selected protocol is
	selected [ci skip]

2016-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-alpn.c: tests: verify that the selected ALPN protocol
	is the first advertised

2016-01-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/crypto-api.c: gnutls_aead_cipher_decrypt: removed misleading
	text

	Reported by Fridolin Pokorny.

2016-01-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/othername-test,
	tests/cert-tests/template-othername.pem,
	tests/cert-tests/template-othername.tmpl: tests: added check for
	certtool's othername writing functionality

2016-01-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h,
	src/certtool.c: certtool: added ability to generate othernames via
	template files

	Relates #62

2016-01-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/x509.h, lib/x509/crq.c, lib/x509/x509_int.h,
	lib/x509/x509_write.c: x509: added flags to enable the encoding of
	othername data

2016-01-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/crq.c,
	lib/x509/extensions.c, lib/x509/x509_ext.c, lib/x509/x509_int.h,
	lib/x509/x509_write.c: x509: introduced functions to set an
	othername alternative name

	That is, added gnutls_x509_crt_set_subject_alt_othername,
	gnutls_x509_crt_set_issuer_alt_othername,
	gnutls_x509_crq_set_subject_alt_othername

	Relates #62

2016-01-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify-high.c: trust_list_get_issuer_by_dn: fixed check
	for DN or SPKI

2016-01-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure: no longer distribute lzip tarballs

2016-01-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am: symbols.last: don't include internal symbols into
	exported list

2016-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/template-date.pem,
	tests/cert-tests/template-dn.pem,
	tests/cert-tests/template-generalized.pem,
	tests/cert-tests/template-nc.pem,
	tests/cert-tests/template-overflow.pem,
	tests/cert-tests/template-overflow2.pem,
	tests/cert-tests/template-test.pem,
	tests/cert-tests/template-unique.pem: tests: updated to account for
	cert generation after 2adb9b2bfb31afebbdd9f990e2b74c9a3d4e5c57 fix

2016-01-04  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/x509/x509_ext.c: Fix out-of-bounds read in
	gnutls_x509_ext_export_key_usage

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: optimized build process

	That is, in slow asan and valgrind builds don't check the full test
	suite.

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected
	the writing of ECC private key

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/Makefile.am,
	tests/suite/pkcs11-pubkey-import-ecdsa.c,
	tests/suite/pkcs11-pubkey-import-rsa.c,
	tests/suite/pkcs11-pubkey-import.c: tests: pkcs11-pubkey-import will
	check both RSA and ECDSA keys

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey2: corrected
	the type of the written object

	Previously only RSA objects were correctly written.

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-common.h: tests: added ECDSA key in cert-common.h

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11_privkey.c: pkcs11: moved default RSA public exponent
	out of stack

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11_privkey.c: pkcs11: import public keys from any
	available object

	That is, load public keys from the public key object, or the
	certificate object if they are present. That affects non-RSA public
	keys which do not contain all required fields on the private key
	object.

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/db.h: session DB: made the magic number depending on gnutls'
	version

	That will make sure that sessions not stored by this version of
	gnutls will not be resumed by another (which may be incompatible).

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/{ui.c => fingerprint.c}: ui.c ->
	fingerprint.c

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/status_request.c, lib/ui.c: split OCSP functionality from
	ui.c

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/anon_cred.c, lib/ui.c: split anon credentials functionality
	from ui.c

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/psk.c, lib/ui.c: split psk functionality from ui.c

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/session.c, lib/ui.c: split session info functions from ui.c

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/cert-session.c, lib/ui.c: split certificate
	credentials functions from ui.c

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/cert.c, lib/dh-session.c, lib/ui.c: split dh
	API functions from ui.c

2015-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/randomart.c, lib/ui.c: split randomart
	functionality from ui.c

2015-12-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/file.c, lib/{helper.h => file.h},
	lib/helper.c, lib/psk.c, lib/srp.c, lib/ui.c: helper.c -> file.c

2015-12-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def: certtool: doc update [skip ci]

2015-12-26  Andreas Metzler <ametzler@bebt.de>

	* README, lib/ext/srtp.c, lib/locks.c, lib/opencdk/keydb.c,
	lib/priority.c, lib/x509/pkcs7.c, tests/mini-handshake-timeout.c: 
	Fix some typos [ci skip]

2015-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: NEWS: doc update [ci skip]

2015-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/dtls.c, lib/gnutls_int.h: respect the max-record extension
	under DTLS

	This resolves issue with max-record being negotiated but ignored.
	Resolves #61

2015-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/tls-max-record.c: tests: added check for
	max-record extension in TLS

2015-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/dtls-max-record.c, tests/eagain-common.h: 
	tests: check whether the max-record extension is usable with DTLS

2015-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/dtls.c: dtls: print the MTU in debugging messages

2015-12-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-crypto.texi, lib/includes/gnutls/gnutls.h.in: updated
	documentation on supported algorithms [ci skip]

2015-12-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-intro-tls.texi: Added SHA384 to the list of TLS support
	MAC algorithms

2015-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* devel/README.ci-runners: documented the gitlab ci runner tags

2015-12-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-openssl, tests/suite/testcompat-polarssl: 
	tests: added timeout in long-running checks

2015-12-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: eliminated various memory leaks

2015-12-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: prevented memory leak in pkcs8-info cmd

2015-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: do not use signal() under win32

2015-12-18  Alon Bar-Lev <alon.barlev@gmail.com>

	* configure.ac: build: configure.ac: manpages cleanups

	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-12-18  Alon Bar-Lev <alon.barlev@gmail.com>

	* .gitignore, Makefile.am, configure.ac, doc/Makefile.am,
	doc/manpages/Makefile.am: build: allow installing man(1) even with
	--disable-doc

	Currently these man pages are installed only if --enable-doc is
	provided, while these are not actually docs, do not require any
	special dependency, nor consume large space.

	This adds --enable-manpages to enable/disable manpages installation,
	and install the man(1) regardless of --disable-doc.

	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2015-12-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: ignore sigpipe

	This signal was observed under certain circumstances

2015-12-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: don't close stdout on exit

2015-12-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-output.c: pkcs7: eliminated leak in
	gnutls_pkcs7_print

2015-12-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pubkey.c: gnutls_pubkey_import_privkey: document that this
	operation is not possible in certain keys

2015-12-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, doc/cha-gtls-app.texi: doc: replace writev with sendmsg in
	the list of system calls

2015-12-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/no-signal.c: tests: don't run the no-signal test in systems
	where MSG_NOSIGNAL is not available

2015-12-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system.c, tests/seccomp.c: Reduce the number of used syscalls
	by using sendmsg() instead of writev()

	We relied on sendmsg() anyway for the MSG_NO_SIGNAL version of the
	calls, thus it is a good idea to avoid calling writev() and use
	sendmsg(). That way we reduce the number of calls required for
	seccomp.

2015-12-17  Alon Bar-Lev <alon.barlev@gmail.com>

	* doc/manpages/tpmtool.1: doc: manpages: remove generated tpmtool.1
	page

	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-12-17  Alon Bar-Lev <alon.barlev@gmail.com>

	* .gitignore: .gitignore: add m4/extern-inline.m4

2015-12-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/pkcs7: tests: added check to verify that the
	PKCS#7 embedded data are recovered as expected

2015-12-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool.c: certtool: introduced the
	--p7-show-data option

	This option allows printing the embedded data in a PKCS#7 signed
	structure.

2015-12-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, lib/x509/pkcs7.c:
	gnutls_pkcs7_get_embedded_data: added function

	This function allows extracting the embedded data from a PKCS#7
	signed structure.

2015-12-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/pkcs7-gen.c: tests: updated pkcs7-gen to account for
	content-type attribute

2015-12-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/pkcs7: tests: check whether the content-type
	attribute is set if we sign using time

2015-12-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7.c: pkcs7: set by default the content type attribute

	That is a requirement of rfc5652. Relates #59

2015-12-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/crq.c, lib/x509/mpi.c, lib/x509/pkcs7.c,
	lib/x509/sign.c, lib/x509/x509_int.h: pkcs7: use the
	PK_PKIX1_RSA_OID when writing RSA signature OIDs for PKCS#7
	structures

	That is because there are implementations which cannot cope with the
	normal RSA signature OIDs. Relates #59

2015-12-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7.c, tests/cert-tests/p7-combined.out: pkcs7: Disable
	the optional fields prior to generating the PKCS#7 structure

	This resolves issue with our PKCS#7 structures not being parsed by
	MacOSX' tools. Relates #59

2015-12-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: corrected invalid free

2015-12-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: warn if an ECDSA key is marked for
	encryption

2015-12-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* Makefile.am, src/Makefile.am: build: fix make distclean by
	including src/gl only once

2015-12-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/session_pack.c, lib/state.c, lib/ui.c: make sure gnutls_assert
	is present at the cases where GNUTLS_E_INTERNAL_ERROR is returned

2015-12-14  Gustavo Zacarias <gustavo@zacarias.com.ar>

	* configure.ac: configure: really make --disable-crywrap work

	The crywrap variable is set regardless of the state of
	enable_crywrap, hence --disable-crywrap never works.  Just put the
	tests for crywrap deps inside the enable_crywrap conditional.

	Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

2015-12-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool.c: certtool: the --p7-time
	option was made an enable/disable option

	It remains disabled by default.

2015-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/dtls-handshake-versions.c,
	tests/handshake-versions.c: tests: check whether server returns the
	correct error code if presented with invalid versions

	That is, gnutls_handshake() will return
	GNUTLS_E_UNSUPPORTED_VERSION_PACKET in server side, if the client
	presents a very old TLS version which is not supported.

	Relates #42

2015-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms.h, lib/algorithms/protocols.c, lib/handshake.c,
	lib/handshake.h, lib/sslv2_compat.c: handshake: when receiving a TLS
	version which is too low fail

	That is, don't treat all unsupported versions as being too high. Treat
	versions which are not known and lower than the highest as a
	protocol error.

	Resolves #42

2015-12-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: valgrind build was moved at the
	end as it is the slowest build

2015-12-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool.c: certtool: the
	--p7-include-cert option is enabled by default

	This allows generating PKCS#7 structures by default that can be
	read by iOS.

2015-12-13  sskaje <sskaje@gmail.com>

	* src/certtool-args.def, src/certtool.c: #56 Feature: certtool
	--p7-sign support GNUTLS_PKCS7_INCLUDE_CERT

2015-12-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-debug.c: gnutls-cli-debug: rephrased inappropriate
	fallback test description to match the rest

2015-12-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-12-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_privkey.c: Do not allow importing public keys from PKCS
	#11 private keys for DSA and ECDSA

	This prevents the reading of the public key when non-RSA keys are
	available. This is a much cleaner approach than
	5a4e692511dc3a829eda0d7c5a87e56cbc2055f0.

2015-12-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c,
	lib/pubkey.c: Revert "Do not allow importing public keys from PKCS
	#11 private keys for DSA and ECDSA"

	This reverts commit 5a4e692511dc3a829eda0d7c5a87e56cbc2055f0.

2015-12-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/cert-common.h,
	tests/rehandshake-switch-cert-allow.c,
	tests/rehandshake-switch-cert-client-allow.c,
	tests/rehandshake-switch-cert-client.c,
	tests/rehandshake-switch-cert.c: tests: check whether a peer
	changing certificate is detected

2015-12-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-rehandshake-2.c, tests/mini-rehandshake.c: tests: doc
	update

2015-12-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/errors.c, lib/gnutls_int.h, lib/handshake.c,
	lib/includes/gnutls/gnutls.h.in, lib/state.c: Do not allow
	certificate change during a rehandshake

	That is, require that the certificate of the peer remains the same
	and return GNUTLS_E_SESSION_CERTIFICATE_CHANGED otherwise. To revert
	to the previous behavior the GNUTLS_ALLOW_CERT_CHANGE flag was
	introduced.

2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/Makefile.am, tests/suite/pkcs11-pubkey-import.c: 
	tests: check whether gnutls_pubkey_import_privkey() operates well
	for PKCS#11 RSA keys

2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c,
	lib/pubkey.c: Do not allow importing public keys from PKCS #11
	private keys for DSA and ECDSA

	That is, because they do not contain all the required parameters for
	a direct import. Reported by Jan Vcelak.

2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11_privkey.c: pkcs11: avoid setting a variable which isn't
	used

2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_int.h, lib/pkcs11.c: MAX_PK_PARAM_SIZE was moved to
	gnutls_int.h

2015-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11.c, lib/pkcs11_int.h, lib/pkcs11_privkey.c: pkcs11:
	deinitialize gnutls_pkcs11_obj_t's pubkey on deinit

2015-12-06  Jan Vcelak <jan.vcelak@nic.cz>

	* lib/pkcs11_privkey.c: pkcs11: fix passing of incorrect variable in
	privkey_get_pubkey

	The code worked for RSA because the content of the variables
	matched.  But it doesn't match for ECC.

	CKM_RSA_PKCS_KEY_PAIR_GEN (0x0) == CKK_RSA (0x0)
	CKM_ECDSA_KEY_PAIR_GEN (0x1040) != CKK_ECDSA (0x3)

	Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>

2015-12-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/benchmark-tls.c: gnutls-cli: don't use RSA ciphersuites to
	test chacha20 as they are not defined

2015-12-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: documented bug in
	gnutls_x509_crt_get_*_unique_id()

2015-12-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/Makefile.am: tools: don't compile tpmtool if PKCS11 is
	disabled

	That is because GnuTLS' TPM code makes use of the PKCS11 PIN
	callbacks.

2015-11-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/extensions.c: Amend "When decoding extensions do not ignore
	decoding errors"

	Do not treat as an error the fact that no extensions field is present.

2015-11-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: allow specifying NULL buffer in
	gnutls_x509_crt_get_*_unique_id()

2015-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: NEWS: removed functions that were part of 3.4.x releases

2015-11-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-11-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitignore, tests/Makefile.am, tests/cert-common.h,
	tests/tlsext-decoding.c: tests: added check for TLS extension
	decoding error propagation

	Relates #40

2015-11-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/alert.c, lib/errors.c, lib/extensions.c,
	lib/includes/gnutls/gnutls.h.in: When decoding extensions do not
	ignore decoding errors

	That is, move from a parsing error tolerance to a more strict
	decoding approach.

	Relates #40

2015-11-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitignore: .gitignore: more files to ignore

2015-11-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/ocsp_output.c: ocsp_output: when next update is not
	present don't print error message

	That is because this field is optional.

	Resolves #53

2015-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/slow/Makefile.am, tests/slow/override-ciphers: tests:
	override-ciphers will not run mac tests on windows

	There is some issue with symbols for self tests not being exported.

2015-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: removed separate builddir build
	from x86-64 targets to reduce builds

2015-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/certtool: tests:
	updates for certtool test to run under windows

2015-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: minimal library no longer requires
	x86-64 for compilation

2015-11-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: in windows build skip the gnulib
	tests

2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added windows build

2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/aki,
	tests/cert-tests/certtool, tests/cert-tests/certtool-long-cn,
	tests/cert-tests/pathlen, tests/cert-tests/pem-decoding,
	tests/cert-tests/pkcs7, tests/pkcs8-decode/pkcs8: tests: changes for
	running tests under windows

2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/slow/override-ciphers, tests/slow/test-ciphers: tests:
	cipher-test will forward the prog exit code as the script exit code

2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: README: added information for windows build

2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/libopts/text_mmap.c: libopts: use the O_BINARY flag in windows
	for files

2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/libopts/COPYING.gplv3, src/libopts/COPYING.lgplv3,
	src/libopts/COPYING.mbsd, src/libopts/Makefile.am,
	src/libopts/README, src/libopts/ag-char-map.h, src/libopts/alias.c,
	src/libopts/ao-strs.c, src/libopts/ao-strs.h,
	src/libopts/autoopts.c, src/libopts/autoopts.h,
	src/libopts/autoopts/options.h, src/libopts/autoopts/project.h,
	src/libopts/autoopts/usage-txt.h, src/libopts/boolean.c,
	src/libopts/check.c, src/libopts/compat/compat.h,
	src/libopts/compat/pathfind.c, src/libopts/compat/windows-config.h,
	src/libopts/configfile.c, src/libopts/cook.c, src/libopts/enum.c,
	src/libopts/env.c, src/libopts/file.c, src/libopts/find.c,
	src/libopts/genshell.c, src/libopts/genshell.h,
	src/libopts/gettext.h, src/libopts/init.c, src/libopts/intprops.h,
	src/libopts/libopts.c, src/libopts/load.c,
	src/libopts/m4/libopts.m4, src/libopts/m4/liboptschk.m4,
	src/libopts/m4/stdnoreturn.m4, src/libopts/makeshell.c,
	src/libopts/nested.c, src/libopts/numeric.c,
	src/libopts/option-value-type.c,
	src/libopts/option-xat-attribute.c, src/libopts/parse-duration.c,
	src/libopts/parse-duration.h, src/libopts/pgusage.c,
	src/libopts/proto.h, src/libopts/putshell.c, src/libopts/reset.c,
	src/libopts/restore.c, src/libopts/save.c, src/libopts/sort.c,
	src/libopts/stack.c, src/libopts/stdnoreturn.in.h,
	src/libopts/streqvcmp.c, src/libopts/text_mmap.c,
	src/libopts/time.c, src/libopts/tokenize.c, src/libopts/usage.c,
	src/libopts/version.c: libopts: updated to 5.18.6

2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system.c: use consistent terms in system.c and
	system-keys-win.c

2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, tests/Makefile.am, tests/cert-common.h,
	tests/seccomp.c, tests/windows/Makefile.am,
	tests/windows/cng-windows.c, tests/windows/crypt32.c,
	tests/windows/ncrypt-int.h, tests/windows/ncrypt.c: tests: added
	basic functionality testing for system-keys in windows

2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/crypto.h, lib/libgnutls.map, lib/pk.c,
	lib/pk.h: Added gnutls_encode_ber_digest_info and
	gnutls_decode_ber_digest_info

2015-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* cross.mk: cross.mk: allow building with mingw64

2015-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/slow/Makefile.am: tests: use gnulib where needed

2015-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* cross.mk: cross.mk: updated windows cross compile makefile

2015-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/global-init-override.c: tests: disable global-init-override
	test in windows

	Gcc does not support weak symbols on this platform.

2015-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/socket.c: tools: don't call endservent in windows

2015-11-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/cipher.c: added cast to silence gcc warning

2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-extension.c: tests: added check for multiple extension
	registering

2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/extensions.c, lib/extensions.h: statically initialize
	extensions instead of using the lib constructor

2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/alpn.c, lib/ext/alpn.h, lib/ext/cert_type.c,
	lib/ext/cert_type.h, lib/ext/dumbfw.c, lib/ext/dumbfw.h,
	lib/ext/ecc.c, lib/ext/ecc.h, lib/ext/etm.c, lib/ext/etm.h,
	lib/ext/ext_master_secret.c, lib/ext/ext_master_secret.h,
	lib/ext/heartbeat.c, lib/ext/heartbeat.h, lib/ext/max_record.c,
	lib/ext/max_record.h, lib/ext/safe_renegotiation.c,
	lib/ext/safe_renegotiation.h, lib/ext/server_name.c,
	lib/ext/server_name.h, lib/ext/session_ticket.c,
	lib/ext/session_ticket.h, lib/ext/signature.c, lib/ext/signature.h,
	lib/ext/srp.c, lib/ext/srp.h, lib/ext/srtp.c, lib/ext/srtp.h,
	lib/ext/status_request.c, lib/ext/status_request.h,
	lib/extensions.c: marked all extensions structures as constant

2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/system-keys-win.c: system-keys-win: allow reinitialization of
	the library after a deinitialization

2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/scripts/getfuncs.pl: getfuncs.pl: don't consider functions
	with _gnutls prefix

2015-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/global.c, lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: 
	gnutls_global_init_skip: prefixed with an underscore

2015-11-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added clang compilation target

2015-11-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: check fread_file() for errors in all
	situations

	This caused certtool to crash on invalid input on stdin.  Reported
	by Christoph Biedl.

2015-11-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509_write.c: doc update

2015-11-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ui.c: gnutls_certificate_set_flags: Added since

2015-11-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/set_x509_key_mem.c: tests: check gnutls_certificate_flags

2015-11-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/auth/cert.h, lib/cert.c, lib/includes/gnutls/gnutls.h.in,
	lib/libgnutls.map, lib/ui.c: Added gnutls_certificate_flags() and
	GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH

	That allows a user of the credentials to disable the certificate
	matching action. That is, to disable the calls to sign and verify on
	initialization.

2015-11-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/Makefile.am: link with libdl when trousers is enabled;
	reported by Andreas Schneider

2015-11-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-selftests.c: enhanced cipher selftests with variable
	key sizes on arcfour

2015-11-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/cipher.c: Do not enforce a maximum key size on ARCFOUR

	That makes the library consistent with the behavior of previous
	versions (3.3.x)

2015-11-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/tests.c: gnutls-cli-debug: make TLS 1.6 fallback check more
	reliable

2015-11-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pubkey.c, lib/x509/x509_write.c: doc update

2015-11-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README.md: README: added non-interactive versions of commands

2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: disable non-suiteb curves in all
	systems as we have multiple which are fedoras

2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/global-init-override.c, tests/global-init.c: tests:
	corrected copyright info

2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: documented GNUTLS_SKIP_GLOBAL_INIT macro

2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/global-init-override.c: tests: added
	check for overriding global initialization

2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/global.c, lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: 
	Added GNUTLS_SKIP_GLOBAL_INIT macro to allow programs skip implicit
	global initialization

2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/utils.c: tests: utils.c: simplify windows check

2015-11-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added build and check in FIPS140-2
	mode

2015-11-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/dtls-client-with-seccomp.c, tests/dtls-with-seccomp.c,
	tests/tls-client-with-seccomp.c, tests/tls-with-seccomp.c: tests:
	made seccomp tests more reliable by waiting for each side to
	terminate

2015-11-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: doc: document how to use gnutls with
	seccomp

2015-11-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: reorganized and added a simple
	build and check on x86-64 rule. The latter also enables the seccomp checks.

2015-11-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, tests/Makefile.am,
	tests/dtls-client-with-seccomp.c, tests/dtls-with-seccomp.c,
	tests/seccomp.c, tests/tls-client-with-seccomp.c,
	tests/tls-with-seccomp.c, tests/utils.h: tests: check operation of
	TLS and DTLS under seccomp when configured with
	--enable-seccomp-tests

2015-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509_write.c: 
	gnutls_x509_crt_set_subject/issuer_unique_id: added Since in doc

2015-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pubkey.c: doc update

2015-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-crypto.texi, lib/includes/gnutls/pkcs7.h,
	lib/x509/pkcs7.c: Added documentation on PKCS #7 signing

2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/ciphersuites.c: updated chacha20 ciphers to conform
	to latest draft

2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/Makefile.am, tests/suite/{eagain => eagain.sh},
	tests/suite/{invalid-cert => invalid-cert.sh},
	tests/suite/testcompat-openssl.sh,
	tests/suite/testcompat-polarssl.sh, tests/suite/{testdane =>
	testdane.sh}, tests/suite/{testrandom => testrandom.sh},
	tests/suite/{testrng => testrng.sh}, tests/suite/{testsrn =>
	testsrn.sh}: tests: suite: more shell scripts were given the .sh
	suffix and simplified makefile

2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/template-test,
	tests/cert-tests/template-unique.pem,
	tests/cert-tests/template-unique.tmpl: tests: verify that unique IDs
	are generated as expected

2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h,
	src/certtool.c: certtool: Allow writing unique IDs in generated
	certificates

2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/x509.h, lib/libgnutls.map,
	lib/x509/x509_write.c: Added gnutls_x509_crt_set_issuer_unique_id()
	and gnutls_x509_crt_set_subject_unique_id()

2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: properly indent unique IDs

2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-x509-kx.c: tests: added check with
	the various X.509 key exchanges

2015-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-x509-dual.c: tests: check rehandshake from anon to DHE

2015-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: documented the GNUTLS_NO_EXPLICIT_INIT
	environment variable

2015-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-api.c: crypto-api: doc update

2015-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/dhe.c, lib/auth/ecdhe.c: Allow switching a ciphersuite to
	DHE and ECDHE on a rehandshake

2015-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/eagain-common.h, tests/mini-x509-dual.c: 
	tests: added check for ciphersuite switch from anonymous to
	certificate

2015-11-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: disable guile in asan builds

2015-11-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/Makefile.am, tests/suite/{chain => chain.sh},
	tests/suite/{test-ciphersuite-names => test-ciphersuite-names.sh},
	tests/suite/{testpkcs11 => testpkcs11.sh}: tests: suite: don't run
	shell scripts with valgrind

2015-11-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testsrn: tests: testsrn: output errors on stderr

2015-11-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/state.c: deinitialize all handshake keys when handshake is
	over

2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testdane: testdane: improved error detection in sites

2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/Makefile.am, tests/suite/chain,
	tests/suite/pkcs11-is-known.c, tests/suite/suppressions.valgrind,
	tests/suite/testsrn, tests/suite/x509paths/suppressions.valgrind: 
	tests: suite: eliminate many leaks in the tests and run them under
	valgrind

2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: eliminate leaks in _verify_x509_mem()

2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/openpgp-certs/Makefile.am,
	tests/openpgp-certs/suppressions.valgrind,
	tests/openpgp-certs/testcerts: tests: openpgp-certs: use valgrind

2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/openpgp/extras.c: openpgp: eliminate leaks in
	gnutls_openpgp_keyring_import()

2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/mini-eagain2.c: tests: eliminate leaks in
	mini-eagain2.c

2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: eliminate memory leaks in certificate
	generation

2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/key-tests/Makefile.am, tests/key-tests/key-id,
	tests/key-tests/pkcs8, tests/key-tests/suppressions.valgrind: tests:
	key-tests: use valgrind

2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pubkey.c: gnutls_x509_crt_set_pubkey: clarify usage

2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/pkcs12.c, lib/x509/privkey_pkcs8.c: pkcs12: correctly set
	salt size in gnutls_pkcs12_mac_info. Also eliminate leaks in PKCS #12 parsing.

2015-11-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/pkcs12-decode/Makefile.am, tests/pkcs12-decode/pkcs12,
	tests/pkcs12-decode/suppressions.valgrind: tests: run the PKCS #12
	tests under valgrind

2015-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: make sure that pkcs12 structures are
	deinitialized

2015-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/provable-dsa2048-fips.pem,
	tests/cert-tests/provable-privkey: tests: provable-privkey: fixed
	DSA test on FIPS140 enabled systems

2015-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/int/dsa-keygen-fips186.c,
	lib/nettle/int/rsa-keygen-fips186.c: nettle: be more specific in
	seed size mismatches

2015-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-backend.c: crypto-backend: ensure there are no leaks on
	deinitialization

2015-11-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/ciphersuites.c, tests/mini-etm.c,
	tests/mini-record.c: Require TLS 1.2 for all the ciphersuites which
	are defined for it only. This solves an interoperability issue with openssl. Reported by
	Viktor Dukhovni.

2015-11-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-common.h, src/p11tool-args.def, src/p11tool.c,
	src/pkcs11.c: p11tool: introduced --only-urls option. This option allows printing a compact listing containing only
	URLs.

2015-11-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/ciphers.c, lib/algorithms/ciphersuites.c,
	lib/cipher.c, lib/constate.c, lib/dtls.c, lib/gnutls_int.h: Modified
	the CHACHA20 cipher to conform to
	draft-ietf-tls-chacha20-poly1305-02

2015-11-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: use static libasan. This prevents issues with tests which use LD_PRELOAD.

2015-11-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: disable non-suiteb curves on build
	on Fedora system

2015-11-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/socket.c: tools: better ftp auth tls negotiation

2015-11-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-x509-default-prio.c: tests: added
	check for gnutls_priority_set_default

2015-11-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/socket.c: tools: only check for status code in FTP starttls
	negotiation

2015-11-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/socket.c: tools: print more info in starttls negotiation when
	--verbose is given

2015-11-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls.pc.in: gnutls.pc: don't use the libtool version of the
	link options. Reported by Dan Kegel.  Resolves #49

2015-11-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-dtls-hello-verify-48.c: tests: simplified
	mini-dtls-hello-verify-48

2015-10-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-dtls-hello-verify-48.c: tests: added
	check for blocking on invalid DTLS cookie. Relates to #48

2015-10-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/heartbeat.c: removed inaccurate text

2015-10-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/cipher_int.c: doc update

2015-10-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/kx.c: doc update

2015-10-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/ciphers.c: doc update

2015-10-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/privkey.c: doc: document the sign function requirements in
	gnutls_privkey_import_ext

2015-10-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-internals.texi: Mention key protection through isolation
	in crypto backend section

2015-10-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-bib.texi, doc/cha-intro-tls.texi, doc/latex/gnutls.bib: 
	doc: updated supplemental data documentation

2015-10-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testdane: tests: testdane will not check hosts which
	are unreachable

2015-10-20  Andreas Metzler <ametzler@bebt.de>

	* lib/auto-verify.c, lib/state.c: Documentation update. The new simple verification functions were backported to 3.4.6,
	correct "Since:" to reflect this.

2015-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: doc: documented future level

2015-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h: pkcs11.h: relocated
	gnutls_pkcs11_copy_pubkey to allow discovery by buggy doc scripts

2015-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* m4/hooks.m4: bumped version to distinguish from 3.4 branch

2015-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/ext_master_secret.c: ext master secret: extension is
	marked as mandatory. This forces the extension to be sent even when resuming sessions.
	Resolves #45

2015-10-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/resume.c: tests: Check whether a resumed session contains
	the ext master secret extension. Relates #45

2015-10-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/alpn.c: alpn: avoid warning on signed/unsigned

2015-10-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README.md: README: updated CI link

2015-10-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am: doc: set a path which includes new binaries when
	running autogen. That makes sure that autogen will discover the binaries to obtain
	the --help output.

2015-10-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-debug-args.def: gnutls-cli-debug: updated doc

2015-10-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-debug-args.def, src/cli-debug.c, src/cli.c,
	src/danetool-args.def, src/danetool.c, src/socket.c, src/socket.h: 
	tools: when the starttls-proto is specified automatically detect the
	port if not given

2015-10-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testpkcs11, tests/suite/testpkcs11.softhsm: tests:
	verify that public keys are properly written. Also disable parts of the suite that softhsm2 cannot properly work
	with, to allow running parts of the suite even with broken softhsm.

2015-10-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pubkey.c: cleanup in gnutls_pubkey_import_rsa_raw

2015-10-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11_read_pubkey: make input type more clear

2015-10-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: Allow writing a PKCS #11 pubkey object

2015-10-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-common.c: tools: allow importing a pubkey from a
	certificate

2015-10-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
	lib/pkcs11_int.h, lib/pkcs11_privkey.c, lib/pkcs11_write.c: pkcs11:
	introduced gnutls_pkcs11_copy_pubkey. That allows copying a public key to a PKCS #11 module.

2015-10-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: combined the slow build with the
	separate build dir

2015-10-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/ciphers.c, lib/cipher_int.c, lib/priority.c: 
	Disable the NULL cipher on runtime when FIPS140 mode is enabled
	instead of statically. That way the NULL cipher can be used when not in FIPS140 mode.

2015-10-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/kx.c, lib/priority.c: re-enable NULL ciphersuites. They were accidentally disabled by
	b237b37d4d17ee4f98629aae9d72aec87f434cb8

2015-10-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/priorities.c: tests: check whether the RSA-EXPORT and
	ARCFOUR-40 legacy strings are accepted

2015-10-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms.h, lib/algorithms/ciphers.c, lib/algorithms/kx.c,
	lib/gnutls_int.h, lib/priority.c: Tolerate priority strings with
	names of legacy ciphers and key exchanges. That enables better backwards compatibility with old applications
	which disable or enable algorithms which no longer are supported.
	Relates #44

2015-10-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_write.c: pkcs11: write CKA_ISSUER and CKA_SERIAL_NUMBER
	when writing on a certificate. That allows NSS to read and use the written certificate.  Relates
	#43

2015-10-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/sec-params.c: tests: enhanced sec-params check to account
	for future sec-param

2015-10-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-common.c: certtool: recognize the future sec-param

2015-10-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/secparams.c, lib/includes/gnutls/gnutls.h.in: 
	Introduced the security parameter future (256) and switched ultra to
	192 bits. For ultra, this was its documented strength, and now follows RFC3766
	recommendations for sizes.

2015-10-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-common.c: certtool: be more specific on the help
	message for --sec-param when --bits are given

2015-10-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-10-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/record-timeouts.c: tests: added test case
	for record timeout values

2015-10-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/buffers.c, lib/dtls.c, lib/handshake.c,
	lib/includes/gnutls/gnutls.h.in, lib/record.c, lib/system.c,
	lib/system_override.c: Introduced GNUTLS_INDEFINITE_TIMEOUT. This allows to specify an indefinite timeout to
	gnutls_record_set_timeout().  In addition this flag is accepted by
	gnutls_handshake_set_timeout() and cancels out a previously set
	timeout.  Resolves #41

2015-10-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testpkcs11.softhsm: tests: better detection of softhsm
	library

2015-10-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/pk.c: added text on _gnutls_dh_compute_key

2015-10-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/record.c: gnutls_record_recv: simplified text on
	GNUTLS_E_REHANDSHAKE

2015-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-common.c: certtool: print 16-bytes of hex values per
	line. Also avoid a colon on the end of the line.

2015-09-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, lib/fips.c: fips140: set the key via a configure
	argument

2015-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/cipher-test.c, tests/slow/mac-override.c: tests:
	disable cipher-test on windows platform; they don't seem to work

2015-09-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: README.md: added build instructions for Fedora/RHEL

2015-09-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/priority.c: priorities: sort algorithms by security strength
	unless performance is requested. That is, prioritize 256-bit ciphers over 128-bit ciphers. This would
	protect secrecy of current data even after a PQ future.

2015-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: reduce the number of CPUs used in
	slow on make check

2015-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_int.h: use time_t for internal type to avoid warnings
	on signed/unsigned comparison

2015-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/int/dsa-keygen-fips186.c: DSA FIPS186-4 key generation:
	print the required seed length on mismatch

2015-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: added more friendly error on seed_size
	mismatch. That prints more useful information when generating provable private
	keys.

2015-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/provable-privkey: tests: use the corrected seed
	for default provable private key

2015-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-09-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-common.c: certtool: switched the default level to
	HIGH for key generation. That requires 3072 bits for RSA and DSA keys.

2015-09-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def,
	src/socket.c: tools: added xmpp into the starttls-proto options

2015-09-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def,
	src/socket.c: tools: added ldap into the starttls-proto options

2015-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system.c: system.c: simplify gnutls_system_recv_timeout

2015-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c: gnutls-cli-debug: use RFC7627 instead of
	draft-ietf-tls-session-hash

2015-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auto-verify.c, lib/includes/gnutls/gnutls.h.in: updated
	documentation on gnutls_vdata_types_t based on DKG's suggestions

2015-09-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-09-16  Daniel Kahn Gillmor <dkg@fifthhorseman.net>

	* lib/cert.c: improve docs for gnutls_certificate_verify_peers*(). The gnutls_certificate_verify_peers{,2,3}() functions all return
	GNUTLS_E_SUCCESS (0) even in situations when the peer's certificate
	was not verified.  This is explained in the first paragraphs ("i.e.
	failure to trust a certificate does not imply a negative return
	value"), but the Returns: line isn't comparably clear.

2015-09-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: increased seed size to allow for DSA
	seeds

2015-09-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/str.c: _gnutls_hex2bin: avoid overrun in the provided buffer

2015-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: don't output PKCS #8 on key-info option

2015-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/privkey.c: better error checking in seed decoding

2015-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/privkey.c: gnutls_x509_privkey_verify_seed: fail on keys
	without seed information

2015-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: on provable keys always print the legacy
	format

2015-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls.asn, lib/gnutls_asn1_tab.c,
	lib/includes/gnutls/abstract.h, lib/includes/gnutls/x509.h,
	lib/libgnutls.map, lib/privkey.c, lib/x509/key_encode.c,
	lib/x509/privkey.c, lib/x509/privkey_pkcs8.c, lib/x509/x509_int.h,
	tests/cert-tests/provable-dsa2048.pem,
	tests/cert-tests/provable2048.pem,
	tests/cert-tests/provable3072.pem: Use separate PEM headers for
	provable private keys. Also introduce GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT to allow exporting
	provable private keys in the old compatibility format.

2015-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool-common.h, src/certtool.c,
	tests/cert-tests/Makefile.am,
	tests/cert-tests/provable-dsa2048.pem,
	tests/cert-tests/provable-privkey: certtool: provable key generation
	was moved to a separate flag that can be combined with
	--generate-privkey. Also enhanced the test suite with DSA provable key
	generation/verification.

2015-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls.asn, lib/gnutls_asn1_tab.c, lib/nettle/Makefile.am,
	lib/nettle/int/dsa-fips.h, lib/nettle/int/dsa-keygen-fips186.c,
	lib/nettle/pk.c, lib/x509/key_encode.c, lib/x509/privkey.c: Allow
	verifying and generating provable DSA keys

2015-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/provable-privkey,
	tests/cert-tests/provable2048.pem,
	tests/cert-tests/provable3072.pem: tests: added checks for provable
	key generation and verification

2015-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool.c: certtool: added provable
	key verification

2015-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/abstract.h, lib/includes/gnutls/x509.h,
	lib/nettle/pk.c, lib/privkey.c, lib/x509/privkey.c: Made the new key
	generation API flexible to allow extensions in the future

2015-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/errors.c, lib/includes/gnutls/abstract.h,
	lib/includes/gnutls/gnutls.h.in, lib/includes/gnutls/x509.h,
	lib/libgnutls.map, lib/privkey.c, lib/x509/privkey.c: Added API to
	verify private keys generated with seed

2015-09-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_asn1_tab.c: gnutls_asn1_tab: updated auto-generated
	file

2015-09-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-09-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool.c: certtool: allow the
	generation of "provable" private keys. Relates to #34

2015-09-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/crypto-backend.h, lib/gnutls.asn, lib/gnutls_int.h,
	lib/includes/gnutls/abstract.h, lib/includes/gnutls/x509.h,
	lib/libgnutls.map, lib/nettle/Makefile.am,
	lib/nettle/int/dsa-fips.h, lib/nettle/int/rsa-fips.h,
	lib/nettle/int/rsa-keygen-fips186.c, lib/nettle/pk.c, lib/pk.c,
	lib/privkey.c, lib/x509/key_encode.c, lib/x509/privkey.c: Added API
	to generate private keys from a given seed. Currently it is restricted to RSA and FIPS 186-4 key generation with
	SHA384.  Relates to #34

2015-09-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/gnutls_asn1_tab.c: properly generate
	asn1_tab.c

2015-09-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: Don't use formatted output for fixed strings. Resolves #35

2015-09-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README.md: README.md: updated information

2015-09-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-cert-auth.texi, doc/cha-gtls-app.texi,
	doc/examples/ex-client-x509.c, lib/auto-verify.c,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map,
	tests/auto-verify.c: renamed the auto-verification functions. The names are more consistent with the rest of the library.

2015-09-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_privkey.c: pkcs11: when storing public keys, make sure
	they are marked as not private

2015-08-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: README.md: mention the testsuite

2015-08-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README.md: README.md: print build status

2015-08-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README.md: README.md: refer to files using markdown

2015-08-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/README.CODING_STYLE: Updated coding style

2015-08-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/tests.c: gnutls-cli-debug: corrected typo in inappropriate
	fallback check

2015-08-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: use the same number of CPUs in all
	the checks

2015-08-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: added
	check for inappropriate fallback support

2015-08-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/alert.c, lib/auto-verify.c, lib/errors.c,
	lib/includes/gnutls/gnutls.h.in, tests/auto-verify.c: Introduced
	GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR to be returned by the
	auto-verification functions

2015-08-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/crypto-selftests.c, lib/nettle/mac.c: nettle: simplified SHA3
	checks for nettle. nettle 3.1 doesn't have the functions nettle for runtime version
	checking.

2015-08-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/libgnutls.map: export _gnutls_digest_exists for self tests

2015-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509: tolerate missing subject or issuer fields

2015-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: added support for sha3

2015-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/mac.c: gnutls_oid_to_digest(): don't return
	supported but disabled algorithms

2015-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/mac.c, lib/crypto-selftests.c,
	lib/includes/gnutls/gnutls.h.in, lib/nettle/mac.c,
	lib/x509/x509_int.h: Added support for the SHA3 digest algorithm

2015-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/examples/ex-serv-anon.c: corrected typo in ex-server-anon

2015-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auto-verify.c: Define more precisely the auto verification
	function semantics.

2015-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auto-verify.c, lib/cert.c, lib/gnutls_int.h, lib/priority.c,
	lib/x509.c: Allow overriding the verification flags from the
	auto-verification functions

2015-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-cert-auth.texi, doc/cha-gtls-app.texi, lib/auto-verify.c: 
	Document the new verification functions

2015-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/examples/ex-client-x509.c: examples: simplify the X.509 client
	example by using the new verification API

2015-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/auto-verify.c: tests: check the
	auto-verification functionality

2015-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/Makefile.am, lib/auto-verify.c, lib/gnutls_int.h,
	lib/handshake.c, lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: 
	Added simpler verification functions for clients. The major use-case for the TLS protocol is verification of PKIX
	certificates. However, certificate verification support, while
	similar for almost all projects, requires around 100 lines of code
	(a callback) to be duplicated to all applications. That patch set
	gets rid of the callback and simplifies certificate verification
	support, by introducing a very simple API; one that would accept the
	session and the hostname only.  Resolves #27

2015-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/eagain-common.h,
	tests/mini-session-verify-function.c: tests: added test for
	gnutls_session_set_verify_function

2015-08-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_int.h, lib/handshake.c,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/state.c: 
	Added gnutls_session_set_verify_function. That allows to set a verification callback per session rather than
	only globally on the credentials structure.

2015-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/scripts/getfuncs.pl: getfuncs.pl: ignore defines in headers

2015-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/latex/Makefile.am, extra/gnutls_openssl.c,
	lib/Makefile.am, lib/openpgp/Makefile.am, po/POTFILES.in: Makefiles:
	updated for new filenames

2015-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pk.c, lib/pk.h, lib/tls-sig.c, lib/tls-sig.h: Moved pk_*
	functions to pk.c

2015-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/accelerated/cryptodev-gcm.c,
	lib/accelerated/cryptodev.c,
	lib/accelerated/x86/aes-cbc-x86-aesni.c,
	lib/accelerated/x86/aes-cbc-x86-ssse3.c,
	lib/accelerated/x86/aes-ccm-x86-aesni.c,
	lib/accelerated/x86/aes-gcm-padlock.c,
	lib/accelerated/x86/aes-gcm-x86-aesni.c,
	lib/accelerated/x86/aes-gcm-x86-pclmul.c,
	lib/accelerated/x86/aes-gcm-x86-ssse3.c,
	lib/accelerated/x86/aes-padlock.c,
	lib/accelerated/x86/aes-padlock.h, lib/accelerated/x86/aes-x86.h,
	lib/accelerated/x86/hmac-padlock.c,
	lib/accelerated/x86/hmac-x86-ssse3.c,
	lib/accelerated/x86/sha-padlock.c,
	lib/accelerated/x86/sha-x86-ssse3.c,
	lib/accelerated/x86/x86-common.c, lib/{gnutls_alert.c => alert.c},
	lib/algorithms.h, lib/algorithms/cert_types.c,
	lib/algorithms/ciphers.c, lib/algorithms/ciphersuites.c,
	lib/algorithms/ecc.c, lib/algorithms/kx.c, lib/algorithms/mac.c,
	lib/algorithms/protocols.c, lib/algorithms/publickey.c,
	lib/algorithms/secparams.c, lib/algorithms/sign.c,
	lib/{gnutls_anon_cred.c => anon_cred.c}, lib/{gnutls_asn1_tab.c =>
	asn1_tab.c}, lib/atfork.c, lib/atfork.h, lib/{gnutls_auth.c =>
	auth.c}, lib/{gnutls_auth.h => auth.h}, lib/auth/Makefile.am,
	lib/auth/anon.c, lib/auth/anon.h, lib/auth/anon_ecdh.c,
	lib/auth/cert.c, lib/auth/cert.h, lib/auth/dh_common.c,
	lib/auth/dh_common.h, lib/auth/dhe.c, lib/auth/dhe_psk.c,
	lib/auth/ecdhe.c, lib/auth/ecdhe.h, lib/auth/psk.c, lib/auth/psk.h,
	lib/auth/psk_passwd.c, lib/auth/rsa.c, lib/auth/rsa_psk.c,
	lib/auth/{srp.c => srp_kx.c}, lib/auth/{srp.h => srp_kx.h},
	lib/auth/srp_passwd.c, lib/auth/srp_rsa.c, lib/auth/srp_sb64.c,
	lib/{gnutls_buffers.c => buffers.c}, lib/{gnutls_buffers.h =>
	buffers.h}, lib/{gnutls_cert.c => cert.c}, lib/{gnutls_cipher.c =>
	cipher.c}, lib/{gnutls_cipher.h => cipher.h},
	lib/{gnutls_cipher_int.c => cipher_int.c}, lib/{gnutls_cipher_int.h
	=> cipher_int.h}, lib/{gnutls_compress.c => compress.c},
	lib/{gnutls_compress.h => compress.h}, lib/{gnutls_constate.c =>
	constate.c}, lib/{gnutls_constate.h => constate.h},
	lib/crypto-api.c, lib/crypto-backend.c, lib/crypto-selftests-pk.c,
	lib/crypto-selftests.c, lib/{gnutls_datum.c => datum.c},
	lib/{gnutls_datum.h => datum.h}, lib/{gnutls_db.c => db.c},
	lib/{gnutls_db.h => db.h}, lib/debug.c, lib/{gnutls_dh.c => dh.c},
	lib/{gnutls_dh.h => dh.h}, lib/{gnutls_dtls.c => dtls.c},
	lib/{gnutls_dtls.h => dtls.h}, lib/{gnutls_ecc.c => ecc.c},
	lib/{gnutls_ecc.h => ecc.h}, lib/{gnutls_errors.c => errors.c},
	lib/{gnutls_errors.h => errors.h}, lib/ext/alpn.c, lib/ext/alpn.h,
	lib/ext/cert_type.c, lib/ext/cert_type.h, lib/ext/dumbfw.c,
	lib/ext/dumbfw.h, lib/ext/ecc.c, lib/ext/ecc.h, lib/ext/etm.c,
	lib/ext/etm.h, lib/ext/ext_master_secret.c,
	lib/ext/ext_master_secret.h, lib/ext/heartbeat.c,
	lib/ext/heartbeat.h, lib/ext/max_record.c, lib/ext/max_record.h,
	lib/ext/safe_renegotiation.c, lib/ext/safe_renegotiation.h,
	lib/ext/server_name.c, lib/ext/server_name.h,
	lib/ext/session_ticket.c, lib/ext/session_ticket.h,
	lib/ext/signature.c, lib/ext/signature.h, lib/ext/srp.c,
	lib/ext/srp.h, lib/ext/srtp.c, lib/ext/srtp.h,
	lib/ext/status_request.c, lib/ext/status_request.h,
	lib/{gnutls_extensions.c => extensions.c}, lib/{gnutls_extensions.h
	=> extensions.h}, lib/extras/randomart.c, lib/fips.c, lib/fips.h,
	lib/{gnutls_global.c => global.c}, lib/{gnutls_global.h =>
	global.h}, lib/gnutls_int.h, lib/{gnutls_handshake.c =>
	handshake.c}, lib/{gnutls_handshake.h => handshake.h},
	lib/{gnutls_hash_int.c => hash_int.c}, lib/{gnutls_hash_int.h =>
	hash_int.h}, lib/{gnutls_helper.c => helper.c},
	lib/{gnutls_helper.h => helper.h}, lib/{gnutls_kx.c => kx.c},
	lib/{gnutls_kx.h => kx.h}, lib/locks.c, lib/locks.h,
	lib/{gnutls_mbuffers.c => mbuffers.c}, lib/{gnutls_mbuffers.h =>
	mbuffers.h}, lib/{gnutls_mem.c => mem.c}, lib/{gnutls_mem.h =>
	mem.h}, lib/{gnutls_mpi.c => mpi.c}, lib/{gnutls_mpi.h => mpi.h},
	lib/nettle/cipher.c, lib/nettle/egd.c, lib/nettle/init.c,
	lib/nettle/int/drbg-aes-self-test.c, lib/nettle/mac.c,
	lib/nettle/mpi.c, lib/nettle/pk.c, lib/nettle/rnd-common.c,
	lib/nettle/rnd-common.h, lib/nettle/rnd-fips.c, lib/nettle/rnd.c,
	lib/{gnutls_num.c => num.c}, lib/{gnutls_num.h => num.h},
	lib/opencdk/literal.c, lib/opencdk/misc.c, lib/opencdk/opencdk.h,
	lib/opencdk/pubkey.c, lib/opencdk/read-packet.c,
	lib/opencdk/sig-check.c, lib/openpgp/Makefile.am,
	lib/openpgp/compat.c, lib/openpgp/extras.c,
	lib/openpgp/{gnutls_openpgp.c => openpgp.c},
	lib/openpgp/{gnutls_openpgp.h => openpgp.h}, lib/openpgp/output.c,
	lib/openpgp/pgp.c, lib/openpgp/pgpverify.c, lib/openpgp/privkey.c,
	lib/{gnutls_pcert.c => pcert.c}, lib/pin.c, lib/{gnutls_pk.c =>
	pk.c}, lib/{gnutls_pk.h => pk.h}, lib/pkcs11.c, lib/pkcs11_int.c,
	lib/pkcs11_privkey.c, lib/pkcs11_secret.c, lib/pkcs11_write.c,
	lib/pkcs11x.c, lib/prf.c, lib/{gnutls_priority.c => priority.c},
	lib/{gnutls_privkey.c => privkey.c}, lib/{gnutls_privkey_raw.c =>
	privkey_raw.c}, lib/{gnutls_psk.c => psk.c}, lib/{gnutls_pubkey.c
	=> pubkey.c}, lib/random.c, lib/{gnutls_range.c => range.c},
	lib/{gnutls_record.c => record.c}, lib/{gnutls_record.h =>
	record.h}, lib/safe-memfuncs.c, lib/{gnutls_session.c =>
	session.c}, lib/{gnutls_session_pack.c => session_pack.c},
	lib/{gnutls_session_pack.h => session_pack.h}, lib/{gnutls_srp.c =>
	srp.c}, lib/{gnutls_srp.h => srp.h}, lib/{gnutls_v2_compat.c =>
	sslv2_compat.c}, lib/{gnutls_v2_compat.h => sslv2_compat.h},
	lib/{gnutls_state.c => state.c}, lib/{gnutls_state.h => state.h},
	lib/{gnutls_str.c => str.c}, lib/{gnutls_str.h => str.h},
	lib/{gnutls_str_array.h => str_array.h}, lib/{gnutls_supplemental.c
	=> supplemental.c}, lib/{gnutls_supplemental.h => supplemental.h},
	lib/system-keys-dummy.c, lib/system-keys-win.c, lib/system.c,
	lib/system.h, lib/system_override.c, lib/{gnutls_sig.c =>
	tls-sig.c}, lib/{gnutls_sig.h => tls-sig.h}, lib/tpm.c,
	lib/{gnutls_ui.c => ui.c}, lib/urls.c, lib/verify-tofu.c,
	lib/{gnutls_x509.c => x509.c}, lib/{gnutls_x509.h => x509.h},
	lib/x509/common.c, lib/x509/crl.c, lib/x509/crl_write.c,
	lib/x509/crq.c, lib/x509/dn.c, lib/x509/email-verify.c,
	lib/x509/extensions.c, lib/x509/hostname-verify.c,
	lib/x509/key_decode.c, lib/x509/key_encode.c, lib/x509/mpi.c,
	lib/x509/name_constraints.c, lib/x509/ocsp.c,
	lib/x509/ocsp_output.c, lib/x509/output.c, lib/x509/pkcs12.c,
	lib/x509/pkcs12_bag.c, lib/x509/pkcs12_encr.c,
	lib/x509/pkcs7-attrs.c, lib/x509/pkcs7-output.c, lib/x509/pkcs7.c,
	lib/x509/privkey.c, lib/x509/privkey_openssl.c,
	lib/x509/privkey_pkcs8.c, lib/x509/sign.c, lib/x509/verify-high.c,
	lib/x509/verify-high2.c, lib/x509/verify.c, lib/x509/x509.c,
	lib/x509/x509_dn.c, lib/x509/x509_ext.c, lib/x509/x509_write.c,
	lib/x509_b64.c, tests/gc.c, tests/mpi.c, tests/openpgp_test.c: 
	Removed the 'gnutls_' prefix from files to simplify file naming

2015-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/gnutls_state.c, lib/prf.c: Moved the PRF
	functions to prf.c

2015-08-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_str.c: hex decoding: more reasonable error codes That is, return GNUTLS_E_PARSING_ERROR instead of base64 decoding
	error, and document that fact.

2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/resume-psk.c: tests: Added resumption
	tests for PSK ciphersuites

2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/ext_master_secret.c, lib/gnutls_db.c: Set the extended
	master secret status based on resumption data only That is, don't require a new negotiation with extensions.

2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/resume-dtls.c, tests/resume.c: tests: corrected resumption
	tests to disable tickets when needed That is, perform the tests that require no tickets, with tickets
	disabled.

2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_session_pack.c: session packing: corrected issue in PSK
	session unpack

2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/psk.c: PSK: save the username in client side in the auth
	structure

2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_hash_int.h: _gnutls_hash() returns error code if any.  Ideally we would like to eliminate any return codes from that
	function. However, since that's on exported API we cannot easily do
	without breaking the ABI. Reported by Benedikt Klotz.  Resolves #28

2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify-high.c, lib/x509/verify-high2.c: x509: when
	appending CRLs to a trust list ensure that we don't have duplicates That is, overwrite CRLs if they have been obsoleted.

2015-08-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: allow exporting very long CRLs

2015-08-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/key-usage.c: tests: verify that a key
	usage violation is detected That is that the certificate key usage flags are respected by either
	the client side or the server side.

2015-08-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/rsa.c: Enable key usage checks in the client side of RSA
	ciphersuites

2015-08-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_cert.c, lib/gnutls_int.h, lib/gnutls_priority.c,
	lib/priority_options.gperf: priorities: Added internal option to
	allow key usage violations in server side

2015-08-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_cert.c: fix typo in comment

2015-08-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_int.h, lib/gnutls_sig.c: Re-enable the certificate key
	usage checks for compliance with ciphersuite There is a new attack on the TLS protocol which relies on using
	certificates for ECDSA as certificates for ECDH ciphersuites. That
	attack while it doesn't affect gnutls, which doesn't support static
	ECDH, assumes that implementations ignore the key usage bits in the
	certificate. We have done it since 3.1.0 for compatibility reasons
	(see http://www.gnutls.org/faq.html#key-usage-violation), but that
	clearly opens the door for real attacks in the future.  For this reason the key usage bits will no longer be ignored.  Resolves #24

2015-08-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/crl: tests: verify whether CRL date setting works
	as expected

2015-08-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h,
	src/certtool.c: certtool: Allow specifying CRL dates as fixed dates

2015-08-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/crl: tests: verify CRL appending effectiveness

2015-08-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/crl_write.c: gnutls_x509_crl_set_authority_key_id,
	gnutls_x509_crl_set_number allow overwriting That allows them to overwrite values which were previously set
	(e.g., on an imported CRL).

2015-08-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool.c: certtool: allow appending
	certificates to a CRL

2015-08-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: removed limit on maximum imported
	certificates in the -i option

2015-08-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/crl: tests: check
	whether the CRL generation code works as expected

2015-08-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-common.c, src/certtool.c: certtool: eliminated memory
	leaks due to new cert loading code

2015-08-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-common.c, src/certtool-common.h: certtool: lifted
	limits on file size to load

2015-08-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am: before dist ensure that included libopts matches
	autogen

2015-08-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure: use ':' instead of /bin/true for programs
	not found

2015-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* AUTHORS: doc update

2015-08-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am: tests: include all cert-tests into
	dist

2015-08-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/TODO: doc update

2015-08-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-08-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/simple.c: tests: check gnutls_check_version_numeric()

2015-08-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_global.c, lib/includes/gnutls/gnutls.h.in: gnutls.h:
	added macro gnutls_check_version_numeric This simplifies version checking, and allows the compiler to
	optimize out. It can only accept numerals.  Patch by David Woodhouse.

2015-08-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/crypto.h, lib/includes/gnutls/gnutls.h.in: use
	pure and const gcc attributes in headers

2015-08-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/TODO: mention version macro

2015-08-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: test-sign will not fail if a pubkey is not
	found

2015-08-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/privkey.c: key decoding: set key to null for consistency

2015-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey.c: key decoding: simplify decoding logic by
	removing the fallback

2015-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey.c: key decoding: corrected regression with PKCS
	#8 key decoding Reported by Daniel Berrange.

2015-08-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs8-key-decode.c: tests: added check
	for decoding of a PKCS #8 key as fallback

2015-08-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11: set
	the CKA_TOKEN attribute on generated public keys That also introduces the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY
	flag, to simulate the previous behavior.

2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/fallback-scsv.c: tests: added check for
	the fallback SCSV

2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_handshake.c: handshake: check inappropriate fallback
	against the configured max version That allows to operate on a server which is explicitly configured to
	utilize earlier than TLS 1.2 versions.

2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/gnutls.h.in: corrected
	GNUTLS_E_INAPPROPRIATE_FALLBACK error code

2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* devel/DCO/people-dco.txt: DCO: added Alessandro Ghedini

2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_handshake.c: copy_ciphersuites: use definition for
	reserved ciphersuites

2015-08-01  Alessandro Ghedini <alessandro@ghedini.me>

	* doc/cha-gtls-app.texi, lib/gnutls_handshake.c, lib/gnutls_int.h,
	lib/gnutls_priority.c, lib/priority_options.gperf: handshake: add
	FALLBACK_SCSV priority option This allows clients to enable the TLS_FALLBACK_SCSV mechanism during
	the handshake, as defined in RFC7507.

2015-08-01  Alessandro Ghedini <alessandro@ghedini.me>

	* lib/algorithms.h, lib/gnutls_alert.c, lib/gnutls_errors.c,
	lib/gnutls_handshake.c, lib/includes/gnutls/gnutls.h.in: handshake:
	check for TLS_FALLBACK_SCSV If TLS_FALLBACK_SCSV was sent by the client during the handshake,
	and the advertised protocol version is lower than
	GNUTLS_TLS_VERSION_MAX, send the "Inappropriate fallback" fatal
	alert and abort the handshake.  This mechanism was defined in RFC7507.

2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* cfg.mk: cfg.mk: fix order of arguments in gnulib-tool

2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* gl/Makefile.am, gl/m4/codeset.m4, gl/m4/gettext.m4,
	gl/m4/glibc2.m4, gl/m4/glibc21.m4, gl/m4/gnulib-cache.m4,
	gl/m4/gnulib-comp.m4, gl/m4/intdiv0.m4, gl/m4/intl.m4,
	gl/m4/intldir.m4, gl/m4/intlmacosx.m4, gl/m4/intmax.m4,
	gl/m4/lcmessage.m4, gl/m4/lock.m4, gl/m4/nls.m4, gl/m4/po.m4,
	gl/m4/printf-posix.m4, gl/m4/progtest.m4, gl/m4/sys_time_h.m4,
	gl/m4/threadlib.m4, gl/m4/time_h.m4, gl/m4/uintmax_t.m4,
	gl/m4/visibility.m4, gl/time.in.h, src/gl/Makefile.am,
	src/gl/error.c, src/gl/error.h, src/gl/fseeko.c,
	src/gl/m4/extern-inline.m4, src/gl/m4/gnulib-cache.m4,
	src/gl/m4/gnulib-common.m4, src/gl/m4/stdio_h.m4,
	src/gl/m4/sys_time_h.m4, src/gl/m4/time_h.m4, src/gl/stddef.in.h,
	src/gl/stdio.in.h, src/gl/string.in.h, src/gl/time.in.h,
	src/gl/wchar.in.h, src/gl/xalloc.h: use gettext-h gnulib module

2015-08-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/certtool-long-cn: tests: added missing
	certtool-long-cn

2015-07-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/safe_renegotiation.c: safe renegotiation: simulate
	receiving the extension on receival of SCSV

2015-07-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/common.c: made data2hex() safer, and eliminated mem leak

2015-07-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/very-long-dn.pem: 
	tests: added check for proper handling of very long CNs

2015-07-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: updated the required gettext version to match the
	macros from gnulib

2015-07-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/safe_renegotiation.c: safe renegotiation: handle case
	where client didn't send any extension That was affected by the "don't try to send extensions we didn't
	receive".

2015-07-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/tpm.c: tpm: avoid warning

2015-07-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_extensions.c, lib/gnutls_handshake.c, lib/gnutls_int.h: 
	As server don't try to send extensions we didn't receive.

2015-07-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/status-request-ok.c,
	tests/status-request.c: tests: added check for server sending (or
	not) status request messages

2015-07-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/fips.c: fips140: corrected hex decoding

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: bumped version

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/verify-tofu.c: verify-tofu: use nettle's base64 functions

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* build-aux/gendocs.sh, gl/Makefile.am, gl/base64.c, gl/base64.h,
	gl/m4/base64.m4, gl/m4/codeset.m4, gl/m4/extern-inline.m4,
	gl/m4/gettext.m4, gl/m4/gnulib-cache.m4, gl/m4/gnulib-common.m4,
	gl/m4/gnulib-comp.m4, gl/m4/iconv.m4, gl/m4/intl.m4,
	gl/m4/intldir.m4, gl/m4/intlmacosx.m4, gl/m4/lcmessage.m4,
	gl/m4/manywarnings.m4, gl/m4/nls.m4, gl/m4/po.m4, gl/m4/stdio_h.m4,
	gl/m4/valgrind-tests.m4, gl/stddef.in.h, gl/stdio.in.h,
	gl/string.in.h, gl/tests/Makefile.am, gl/tests/init.sh,
	gl/tests/inttypes.in.h, gl/tests/test-base64.c,
	gl/tests/test-read-file.c, gl/tests/test-stddef.c, gl/wchar.in.h: 
	gnulib: removed base64 implementation

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/opencdk/armor.c: openpgp: use nettle's base64 functions

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509_b64.c: x509_b64: switch to nettle's base64 functions

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/psk-file.c, tests/psk.passwd: tests:
	added check for PSK file parsing

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/fips.c: fips: use gnutls_hex_decode for MAC decoding

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/tpm.c: tpm: use gnutls_hex_decode for uuid decoding

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/auth/psk_passwd.c: psk: use gnutls_hex_decode2 for key
	decoding

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/system-keys-win.c: system-keys-win: use gnutls_hex_decode for
	ID decoding

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/openpgp/gnutls_openpgp.c: openpgp: use gnutls_hex_decode for
	keyid decoding

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/common.c: DN decoding: use gnutls_hex_encode

2015-07-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/extras/Makefile.am, lib/extras/hex.c, lib/extras/hex.h,
	lib/extras/licenses/CC0, lib/gnutls_str.c,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: Introduced
	gnutls_hex_encode2() and gnutls_hex_decode2() These also use safer hex decoding functions which don't skip invalid
	input.

2015-07-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-07-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/common.c: x509: simplified data to hex conversion in
	unknown DN names

2015-07-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_state.c, tests/prf.c: gnutls_prf_rfc5705: Allow for
	non-null context and zero context length

2015-07-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, configure.ac, m4/hooks.m4: bumped version

2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/prf.c: tests: added cross-check between gnutls_prf_rfc5705()
	and gnutls_prf()

2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/safe-renegotiation/Makefile.am,
	tests/suite/Makefile.am: removed legacy libgcrypt flags

2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_state.c, tests/prf.c: gnutls_prf_rfc5705: optimize in
	the common use case, by avoiding malloc Also don't handle specially the case of non-NULL context and
	context_size of zero.

2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitignore: ignore more files

2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def: p11tool: fix documentation for
	--generate-ecc and generate-dsa

2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_state.c: gnutls_prf_rfc5705: mention the version it was
	introduced at

2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/prf.c: tests: added check for
	gnutls_prf() and gnutls_prf_rfc5705

2015-07-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in,
	lib/libgnutls.map: gnutls_prf_rfc5705: added That includes support for RFC5705 when the context field is used.
	Initial patch by Rick van Rein.

2015-07-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-tokens.texi: doc update: explain more about PKCS #11 and
	fork

2015-07-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure: print the trousers lib only when set

2015-07-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/tpmtool-args.def, src/tpmtool.c: tpmtool: Added --test-sign
	parameter

2015-07-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_global.c, lib/tpm.c: Deinitialize the TPM subsystem
	only when trousers support is enabled

2015-07-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, lib/Makefile.am, lib/gnutls_errors.c,
	lib/gnutls_global.c, lib/gnutls_global.h,
	lib/includes/gnutls/gnutls.h.in, lib/tpm.c: TPM: don't link to
	trousers, use dlopen() That introduces --with-trousers-lib which can be used to specify the
	library to dlopen().  Resolves #18

2015-07-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files

2015-07-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, configure.ac, m4/hooks.m4: bumped version

2015-07-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/pkcs11.h: pkcs11: mention the version
	GNUTLS_PKCS11_TOKEN_MODNAME is available from

2015-07-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-07-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/auth/dhe_psk.c: PSK: set the hint in DHE-PSK and ECDHE-PSK
	ciphersuites

2015-07-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/pskself.c: tests: updated pskself to check the hint in all
	PSK ciphersuites

2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: be more compact in token URL printing

2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def: p11tool: group the provided options for
	readability

2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def, src/p11tool.c: p11tool: keep backwards
	compatibility by introducing --list-token-urls That is, the output of --list-tokens remains the same.

2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: print the module name of a token in verbose
	mode

2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_int.h,
	lib/pkcs11_write.c, lib/pkcs11x.c: Added GNUTLS_PKCS11_TOKEN_MODNAME
	for gnutls_pkcs11_token_get_info That allows to obtain the shared module name of a token URL.

2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h: pkcs11.h: doc update

2015-07-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def, src/p11tool.c: p11tool: less verbose output
	in --list-tokens unless --verbose is specified

2015-07-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suppressions.valgrind: tests: added suppression for bash mem
	leak

2015-07-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, tests/Makefile.am, tests/cert-tests/Makefile.am: 
	tests: don't run certtool-utf8 when libidn is 1.30 or less This avoids test suite failures due to libidn.

2015-07-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-args.def: gnutls-cli: doc update

2015-07-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/dumbfw.c: dumbfw: don't append a size prefix in the pad Reported by Hannes Mehnert.

2015-07-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* gl/m4/valgrind-tests.m4: gl: use /bin/true to run valgrind during
	configure Bash has memory leaks, which prevents the valgrind check to operate
	using the SHELL variable.

2015-07-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/certtool-utf8: 
	tests: added check for invalid UTF8 encoded string

2015-07-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: Revert "libidn support is disabled by default" This reverts commit 5fdffb2c177cb990480fb8b93c9257ccc5dfcaad.

2015-07-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* : commit d63c088edd15f20318b396f2298744cbf9e1a392 Author: Daniel
	Kahn Gillmor <dkg@fifthhorseman.net> Date:   Thu Jul 2 14:28:32 2015
	-0400

2015-07-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-07-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_pubkey.c: DSA: the numeric number of bits returned from
	public key should depend on P not Y That allows to do the proper evaluation to check certificate
	strength.  Reported by Hubert Kario.

2015-07-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dsa/Makefile.am, tests/dsa/dsa-pubkey-1018.pem,
	tests/dsa/testdsa: tests: check whether we print the prime size in
	DSA keys

2015-07-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/name_constraints.c: name constraints: simplified
	gnutls_x509_name_constraints_check_crt()

2015-07-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/name-constraints,
	tests/cert-tests/name-constraints-ip.pem: tests: verify that
	unsupported name constraints are properly handled

2015-07-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/name_constraints.c: name constraints: don't reject
	certificates if a CA has the URI or IPADDRESS constraints Don't reject certificates if a CA has the URI or IPADDRESS
	constraints, and the end certificate doesn't have an IPaddress name
	or a URI set.

2015-06-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* po/ms.po.in: Sync with TP.

2015-06-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: libidn support is disabled by default That is until the issues with libidn get resolved.  Relates #10

2015-06-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-06-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/atfork.c: tests: added a test for the
	fork detection interface

2015-06-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/resume-dtls.c: tests: resume-dtls: increased timeouts

2015-06-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, lib/atfork.c, lib/atfork.h: Don't use
	pthread_atfork(), it is not safe to use with dlopen() http://austingroupbugs.net/view.php?id=851

2015-06-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/atfork.c, lib/atfork.h: atfork: added underscore to
	gnutls_forkid

2015-06-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/atfork.c, lib/atfork.h, lib/nettle/rnd-fips.c,
	lib/nettle/rnd.c, lib/pkcs11.c: simplified fork detection

2015-06-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey.c: enhanced header matching code for private keys
	to skip unrelated data

2015-06-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/privkey-import,
	tests/cert-tests/privkey1.pem, tests/cert-tests/privkey2.pem,
	tests/cert-tests/privkey3.pem: tests: added private key import
	checks

2015-06-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey.c: gnutls_x509_privkey_import: optimized private
	key loading

2015-06-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey.c: gnutls_x509_privkey_import2: better behavior
	when provided with an unencrypted file That is, it will attempt to decode it first as plain file prior to
	trying all encrypted options.

2015-06-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-openssl.c: tests: added check to verify that
	gnutls_x509_privkey_import2 works for plain keys That is, when a password is provided and the key is non encrypted.

2015-06-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/key_decode.c, lib/x509/mpi.c: _gnutls_get_asn_mpis() will
	release any data on failure Resolves #15

2015-06-21  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/cert-tests/aki, tests/cert-tests/certtool,
	tests/cert-tests/crq, tests/cert-tests/dane,
	tests/cert-tests/email, tests/cert-tests/invalid-sig,
	tests/cert-tests/pathlen, tests/cert-tests/pem-decoding,
	tests/cert-tests/pkcs7, tests/cert-tests/template-test,
	tests/dsa/testdsa, tests/dtls/dtls, tests/dtls/dtls-nb,
	tests/ecdsa/ecdsa, tests/key-tests/key-id, tests/key-tests/pkcs8,
	tests/nist-pkits/gnutls_test_entry, tests/nist-pkits/pkits_crl,
	tests/nist-pkits/pkits_crt, tests/nist-pkits/pkits_pkcs12,
	tests/nist-pkits/pkits_smime, tests/nist-pkits/pkits_test,
	tests/openpgp-certs/testcerts, tests/openpgp-certs/testselfsigs,
	tests/pkcs1-padding/pkcs1-pad, tests/pkcs12-decode/pkcs12,
	tests/pkcs8-decode/pkcs8, tests/rfc2253-escape-test,
	tests/rsa-md5-collision/rsa-md5-collision, tests/sha2/sha2,
	tests/sha2/sha2-dsa, tests/slow/override-ciphers,
	tests/slow/test-ciphers, tests/suite/certs/create-chain.sh,
	tests/suite/chain, tests/suite/crl-test, tests/suite/eagain,
	tests/suite/invalid-cert, tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl,
	tests/suite/testcompat-openssl, tests/suite/testcompat-polarssl,
	tests/suite/testdane, tests/suite/testpkcs11,
	tests/suite/testpkcs11.pkcs15, tests/suite/testpkcs11.sc-hsm,
	tests/suite/testpkcs11.softhsm, tests/suite/testrandom,
	tests/suite/testrng, tests/suite/testsrn, tests/userid/userid: 
	tests: tab indent + minor style changes Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/ciphersuite/scan-gnutls.sh: tests: modified
	test-ciphersuite-names to work with cpp 5.1.1

2015-06-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/test-ciphersuite-names: tests: test-ciphersuite-names:
	create any needed dirs

2015-06-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/Makefile.am, tests/suite/ciphersuite/scan-gnutls.sh,
	tests/suite/{ciphersuite/test-ciphersuites.sh =>
	test-ciphersuite-names}: tests: moved test-ciphersuites.sh one level
	up That simplifies running the script outside make check.

2015-06-21  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/suite/ciphersuite/scan-gnutls.sh,
	tests/suite/ciphersuite/test-ciphers.js,
	tests/suite/ciphersuite/test-ciphersuites.sh: tests: suite:
	ciphersuite: fixups fix separate builddir issue, without modifying locations, quite
	ugly.  re-indent using tab.  fix shebang.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-21  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/pkcs1-padding/pkcs1-pad, tests/suite/testcompat-openssl,
	tests/suite/testcompat-polarssl: tests: enforce UTC timezone in
	datefudge tests Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-21  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/cert-tests/aki, tests/cert-tests/certtool,
	tests/cert-tests/crq, tests/cert-tests/dane,
	tests/cert-tests/email, tests/cert-tests/invalid-sig,
	tests/cert-tests/pathlen, tests/cert-tests/pem-decoding,
	tests/cert-tests/pkcs7, tests/cert-tests/template-test,
	tests/ecdsa/ecdsa, tests/key-tests/key-id, tests/key-tests/pkcs8,
	tests/openpgp-certs/testselfsigs: tests: misc: shell cleanup leftovers minor sync.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-21  Alon Bar-Lev <alon.barlev@gmail.com>

	* configure.ac, tests/suite/certs/create-chain.sh,
	tests/suite/chain, tests/suite/crl-test, tests/suite/eagain,
	tests/suite/invalid-cert, tests/suite/testcompat-common,
	tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl,
	tests/suite/testcompat-openssl, tests/suite/testcompat-polarssl,
	tests/suite/testdane, tests/suite/testpkcs11,
	tests/suite/testpkcs11.pkcs15, tests/suite/testpkcs11.sc-hsm,
	tests/suite/testpkcs11.softhsm, tests/suite/testrandom,
	tests/suite/testrng, tests/suite/testsrn: tests: suite: cleanup
	shell usage Add quotes for most usages of variables.  Added ${} for variables.  Cleanup indentation to be consistent with other tests.  Fix separate builddir issues.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-21  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/pkcs1-padding/pkcs1-pad, tests/pkcs12-decode/pkcs12,
	tests/pkcs8-decode/pkcs8, tests/rfc2253-escape-test,
	tests/rsa-md5-collision/rsa-md5-collision, tests/sha2/sha2,
	tests/sha2/sha2-dsa, tests/slow/override-ciphers,
	tests/slow/test-ciphers, tests/userid/userid: tests: misc: cleanup
	shell usage Add quotes for most usages of variables.  Added ${} for variables.  Cleanup indentation to be consistent with other tests.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am: tests: fixed includes

2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_alert.c, lib/gnutls_cert.c, lib/gnutls_errors.c,
	lib/gnutls_global.c, lib/gnutls_str.h, lib/x509/ocsp_output.c: move
	all gettext definitions in gnutls_str.h

2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* cross.mk: cross.mk: updated for 3.4.2

2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_str.h: gnutls_str: include gettext.h when dgettext is
	available

2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/mini-dtls-fork.c, tests/mini-dtls-mtu.c,
	tests/mini-dtls-pthread.c, tests/mini-dtls-record-asym.c,
	tests/openpgp-auth.c, tests/openpgp-auth2.c, tests/pkcs12_simple.c,
	tests/rsa-encrypt-decrypt.c, tests/utils.c, tests/utils.h,
	tests/x509sign-verify.c, tests/x509sign-verify2.c: tests: don't
	depend on gnulib That dependency unfortunately causes many portability problems on
	platforms where it should have worked out of the box.

2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-06-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* devel/perlasm/cpuid-x86.pl, doc/scripts/cleanup-autogen.pl,
	doc/scripts/gdoc, doc/scripts/getfuncs-map.pl,
	doc/scripts/getfuncs.pl, doc/scripts/sort1.pl,
	doc/scripts/sort2.pl, doc/scripts/split-texi.pl,
	doc/scripts/split.pl, tests/nist-pkits/build-chain: use the same
	shebang for perl

2015-06-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/certtool: tests: added a verify-chain test case

2015-06-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/scripts/common.sh: tests: don't quote provider in common.sh That caused testpkcs11 to fail.

2015-06-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-alignment.c: tests: don't enforce alignment rules for
	caller buffers

2015-06-17  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/cert-tests/aki, tests/cert-tests/certtool,
	tests/cert-tests/crq, tests/cert-tests/dane,
	tests/cert-tests/email, tests/cert-tests/invalid-sig,
	tests/cert-tests/pathlen, tests/cert-tests/pem-decoding,
	tests/cert-tests/pkcs7, tests/cert-tests/template-test: tests:
	cert-tests: cleanup shell usage Add quotes for most usages of variables.  Added ${} for variables.  Cleanup trailing spaces.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: Added gitlab-ci.yml

2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/libgnutls.map: reduced the exported functions to the minimum
	needed

2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_extensions.c: _gnutls_ext_register was made static

2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/libgnutls.map: libgnutls.map: use a 3.4 related name for
	private functions This eliminates any collisions with functions from 3.3.x

2015-06-18  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/nist-pkits/build-chain, tests/nist-pkits/gnutls_test_entry,
	tests/nist-pkits/pkits, tests/nist-pkits/pkits_crl,
	tests/nist-pkits/pkits_crt, tests/nist-pkits/pkits_pkcs12,
	tests/nist-pkits/pkits_smime, tests/nist-pkits/pkits_test: tests:
	nist-pkits: cleanup shell/perl usage Add quotes for most usages of variables.  Added ${} for variables.  Consistent indent.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: force link with nettle of mini-alignment

2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/oids.c: tests: Check the OID functions

2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms.h, lib/algorithms/ecc.c, lib/algorithms/mac.c,
	lib/algorithms/publickey.c, lib/algorithms/sign.c, lib/gnutls_pk.c,
	lib/gnutls_priority.c, lib/includes/gnutls/gnutls.h.in,
	lib/libgnutls.map, lib/x509/common.c, lib/x509/crl.c,
	lib/x509/key_decode.c, lib/x509/key_encode.c, lib/x509/mpi.c,
	lib/x509/ocsp.c, lib/x509/pkcs7.c, lib/x509/privkey.c,
	lib/x509/privkey_pkcs8.c: Exported functions to convert from and to
	OIDs

2015-06-18  Saurav Babu <saurav.babu@samsung.com>

	* src/cli.c: gnutls-cli: Fixed Possible Memory Leak This patch fixes possible memory leak in psk_callback() function,
	rawkey is allocated memory by gnutls_malloc() and is not freed when
	gnutls_hex_decode() returns with error Signed-off-by: Saurav Babu <saurav.babu@samsung.com>

2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7.c: pkcs7: corrected write_signer_id() when
	GNUTLS_PKCS7_WRITE_SPKI was used

2015-06-18  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/openpgp-certs/testcerts, tests/openpgp-certs/testselfsigs: 
	tests: openpgp-certs: cleanup shell usage Add quotes for most usages of variables.  Added ${} for variables.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-18  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/key-tests/key-id, tests/key-tests/pkcs8: tests: key-tests:
	cleanup shell usage Add quotes for most usages of variables.  Added ${} for variables.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-18  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/ecdsa/ecdsa: tests: ecdsa: cleanup shell usage Add quotes for most usages of variables.  Added ${} for variables.  Cleanup trailing spaces.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-18  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/dsa/testdsa, tests/scripts/common.sh: tests: dsa: cleanup
	shell usage Add quotes for most usages of variables.  Added ${} for variables.  Cleanup trailing spaces.  Removal of unneeded ';'.  Minor fix in tests/scripts/common.sh at trap to pass message and
	avoid killing.  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_mbuffers.c: indentation fix

2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_int.h: Always align in 16-byte boundary our input to
	crypto That allows faster operations in almost all instruction sets.

2015-06-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-alignment.c: tests: added check for
	memory alignment

2015-06-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/template-test: tests: only run test with long
	dates in 64-bit systems

2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/template-date.pem,
	tests/cert-tests/template-dn.pem,
	tests/cert-tests/template-generalized.pem,
	tests/cert-tests/template-nc.pem,
	tests/cert-tests/template-overflow.pem,
	tests/cert-tests/template-overflow2.pem,
	tests/cert-tests/template-test, tests/cert-tests/template-test.pem,
	tests/cert-tests/template-utf8.pem: tests: regenerate the results in
	template-test using UTC times

2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_pubkey.c: ensure that gnutls_pubkey_verify_data2
	returns 0 on success

2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, lib/x509/pkcs7.c: 
	Added gnutls_pkcs7_get_signature_count

2015-06-17  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/suite/Makefile.am: tests: suite: run testpkcs11 if PKCS#11
	is enabled Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-17  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/nist-pkits/gnutls_test_entry,
	tests/suite/certs/create-chain.sh: tests: remove bash usage Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/template-date.pem,
	tests/cert-tests/template-dn.pem,
	tests/cert-tests/template-generalized.pem,
	tests/cert-tests/template-generalized.tmpl,
	tests/cert-tests/template-nc.pem,
	tests/cert-tests/template-overflow.pem,
	tests/cert-tests/template-overflow2.pem,
	tests/cert-tests/template-test, tests/cert-tests/template-test.pem,
	tests/cert-tests/template-utf8.pem: tests: verify that we generate
	dates with UTCTime prior to 2050 Also that we generate dates with GeneralizedTime format after 2050.

2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/common.c, lib/x509/common.h: When writing the Time ASN.1
	structure follow the RFC5280 recommendations

2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/common.c: Set time in PKCS #7 structures properly (in
	UTCTime format).

2015-06-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-06-16  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/cert-tests/pkcs7: tests: cert-tests: pkcs7: support separate
	builddir Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2015-06-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* symbols.last: account new symbols

2015-06-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/doc.mk, doc/manpages/Makefile.am: updated
	makefiles for the new functions

2015-06-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/pkcs7.c, lib/x509/x509_ext.c: doc update

2015-06-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/Makefile.am, lib/x509/{pkcs7_output.c => pkcs7-output.c}: 
	use common base for pkcs7 files

2015-06-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, lib/libgnutls.map: added missing symbol

2015-06-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: released 3.4.2

2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool.c, tests/cert-tests/pkcs7: 
	certtool: made explicit the inclusion of time in PKCS #7 signatures

2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/common.c, lib/x509/common.h, lib/x509/pkcs7.c: pkcs7:
	write the DER encoded time

2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: include the signature time in PKCS #7
	signatures

2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7.c: pkcs7: corrected usage of
	GNUTLS_PKCS7_INCLUDE_TIME flag

2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/full.p7b.out, tests/cert-tests/single-ca.p7b.out: 
	tests: minor updates in pkcs7 output checks to match new certtool

2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: rely on gnutls_pkcs7_print() even more

2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7_output.c: pkcs7: print certificates and CRLs in
	FULL mode

2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: use gnutls_pkcs7_print() - partially

2015-06-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs7.h, lib/libgnutls.map,
	lib/x509/Makefile.am, lib/x509/pkcs7.c, lib/x509/pkcs7_output.c: 
	Added gnutls_pkcs7_print()

2015-06-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, m4/hooks.m4: bumped version

2015-06-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/x509sign-verify2.c: tests: added
	signature/verification stress test

2015-06-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl: tests: check also individual
	ciphers for interoperability

2015-06-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/fips.c: fips140: better debug messages when verifying MAC

2015-06-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/tpmtool.c: tpmtool: added newline in error messages

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/int/drbg-aes-self-test.c: fips140: added check for
	reseed detection

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/rng-fork.c: tests: check random generator for long outputs
	as well

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/fips.c: fips140: when GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS is
	set up do not perform integrity tests

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/int/drbg-aes.c: fips140: reset the reseed counter only
	on reseed

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/rnd-fips.c: fips140: when reseeding only reseed the
	required context not all

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/int/drbg-aes-self-test.c: fips140: added more checks on
	the reseed and generate function

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/int/drbg-aes.c, lib/nettle/int/drbg-aes.h: fips140:
	enforce the max_number_of_bits_per_request

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/full.p7b.out, tests/cert-tests/pkcs7,
	tests/cert-tests/single-ca.p7b.out: tests: do not include times in
	the PKCS #7 checks as they depend on local timezone

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7.c: pkcs7: addressed memory leaks

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-attrs.c: doc update

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs7-gen.c: tests: Added PKCS #7
	attribute generation check

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/full.p7b.out, tests/cert-tests/single-ca.p7b.out: 
	tests: updated for new certtool output

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: print signed and unsigned PKCS #7
	attributes

2015-06-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, lib/pkix.asn,
	lib/pkix_asn1_tab.c, lib/x509/Makefile.am, lib/x509/pkcs7-attrs.c,
	lib/x509/pkcs7.c, lib/x509/x509_int.h: Added code to parse and set
	PKCS #7 attributes

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/pkcs7: tests: added PKCS #7 verification check
	with MD5

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_errors.c, lib/gnutls_pubkey.c,
	lib/includes/gnutls/abstract.h, lib/includes/gnutls/gnutls.h.in,
	lib/includes/gnutls/x509.h, lib/x509/pkcs7.c, lib/x509/x509.c: use
	the same flags in all verification functions

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/pkcs7.c: _decode_pkcs7_signed_data: fixed mem leaks

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/common.h, lib/x509/x509.c, lib/x509/x509_int.h: 
	Initialization of gnutls_x509_dn_t was modified to allow
	deinitialization after failure Part2: made gnutls_x509_crt_get_subject() and
	gnutls_x509_crt_get_issuer() return a constant value and avoid
	leaks.

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/cha-functions.texi, doc/doc.mk: doc:
	Separated the PKCS #7 in manual

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/pkcs7: tests: check PKCS #7 structure signature
	generation

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/p7-combined.out,
	tests/cert-tests/pkcs7: tests: check PKCS #7 bundle generation

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool-common.c,
	src/certtool-common.h, src/certtool.c: certtool: added
	--p7-generate, --p7-sign and --p7-detached-sign

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/pkcs7.h, lib/libgnutls.map,
	lib/x509/common.c, lib/x509/pkcs7.c: Added gnutls_pkcs7_sign()

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/pkcs7.h, lib/libgnutls.map, lib/x509/pkcs7.c: 
	Added gnutls_pkcs7_get_crl_raw2

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: print the signing time when available

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/pkcs7.h, lib/x509/common.c, lib/x509/pkcs7.c: 
	pkcs7 verification: parse the signing time

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/pkcs7.c: on PKCS #7 verification check the content
	type matches the signed data

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: print more info about the PKCS #7 struct

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool-common.c, src/certtool.c: 
	certtool: allow verification against a direct PKCS #7 signer

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/pkcs7,
	tests/cert-tests/pkcs7-detached.txt: tests: added checks with PKCS
	#7 detached data

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/pkcs7.c: pkcs7 verification: return
	GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when no encapsulated data
	exist

2015-06-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool-common.h, src/certtool.c: 
	certtool: allow verifying PKCS #7 with detached data

2015-06-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool.c: certtool: improved PKCS #7
	verification output

2015-06-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/pkcs7: tests: check the key purpose in PKCS #7
	verification

2015-06-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/full.p7b.out,
	tests/cert-tests/pkcs7: tests: added PKCS #7 test with more than 1
	certs

2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool-common.h, src/certtool.c: 
	certtool: allow verification of PKCS #7 structures

2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/x509.h, lib/x509/common.h, lib/x509/dn.c,
	lib/x509/x509.c: Initialization of gnutls_x509_dn_t was modified to
	allow deinitialization after failure

2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/Makefile.am, lib/includes/gnutls/pkcs7.h,
	lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/pkix.asn,
	lib/pkix_asn1_tab.c, lib/x509/dn.c, lib/x509/pkcs7.c: Added PKCS #7
	signature(s) verification

2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
	lib/x509/verify-high.c: Added
	gnutls_pkcs11_get_raw_issuer_by_subject_key_id and
	gnutls_x509_trust_list_get_issuer_by_subject_key_id

2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dn.c: tests: added check for gnutls_x509_dn_get_str

2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/libgnutls.map, lib/x509/x509.c: added gnutls_x509_dn_get_str

2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_privkey.c: doc update

2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/compat.h, lib/includes/gnutls/x509.h,
	lib/x509/privkey.c, lib/x509/x509.c: Added
	gnutls_x509_crt_verify_data2() and kept gnutls_privkey_sign_data()

2015-06-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkix.asn, lib/pkix_asn1_tab.c, lib/x509/pkcs7.c: verify PKCS
	#7 signed data

2015-05-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7.c, lib/x509/x509_int.h: updated PKCS #7 code to
	cache signed_data

2015-06-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11.c: When manual PKCS #11 configuration is requested
	don't initialize other providers

2015-05-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: deinitialize PKCS #7 resources

2015-05-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/pkcs7,
	tests/cert-tests/single-ca.p7b.out: tests: Added tests for PKCS7
	cert extraction

2015-05-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* gl/m4/codeset.m4, gl/m4/extern-inline.m4, gl/m4/gettext.m4,
	gl/m4/iconv.m4, gl/m4/intl.m4, gl/m4/intldir.m4,
	gl/m4/intlmacosx.m4, gl/m4/lcmessage.m4, gl/m4/manywarnings.m4,
	gl/m4/nls.m4, gl/m4/po.m4, gl/m4/stdio_h.m4, gl/stddef.in.h,
	gl/string.in.h, gl/tests/inttypes.in.h, gl/tests/test-read-file.c,
	gl/tests/test-stddef.c, src/gl/error.h, src/gl/fseeko.c,
	src/gl/m4/extern-inline.m4, src/gl/m4/stdio_h.m4,
	src/gl/stddef.in.h, src/gl/string.in.h, src/gl/xalloc.h: Revert
	"updated gnulib" This reverts commit c040ce6dd05b48b971d8dcc8fc8f23957ed15f9c.

2015-05-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: silence format-signness warnings in gcc5

2015-05-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* gl/m4/codeset.m4, gl/m4/extern-inline.m4, gl/m4/gettext.m4,
	gl/m4/iconv.m4, gl/m4/intl.m4, gl/m4/intldir.m4,
	gl/m4/intlmacosx.m4, gl/m4/lcmessage.m4, gl/m4/manywarnings.m4,
	gl/m4/nls.m4, gl/m4/po.m4, gl/m4/stdio_h.m4, gl/stddef.in.h,
	gl/string.in.h, gl/tests/inttypes.in.h, gl/tests/test-read-file.c,
	gl/tests/test-stddef.c, src/gl/error.h, src/gl/fseeko.c,
	src/gl/m4/extern-inline.m4, src/gl/m4/stdio_h.m4,
	src/gl/stddef.in.h, src/gl/string.in.h, src/gl/xalloc.h: updated
	gnulib

2015-05-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/ocsp_output.c: Check the OID size for match when
	comparing for the OCSP nonce extension Reported by Hanno Böck.

2015-05-23  Armin Burgmeier <armin@arbur.net>

	* lib/gnutls_ui.c: gnutls_dh_get_prime_bits: return 0 if DH is not
	used Before, the number of bits of a zero-length number was attempted to
	be extracted, resulting in an error. The changed behaviour is
	consistent with the documentation which explicitly states that 0
	should be returned if no DH key exchange was performed.

2015-05-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_ui.c: gnutls_dh_get_group: mention that the values may
	include a leading zero

2015-05-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_ui.c: gnutls_dh_set_prime_bits: warn when overriding
	the DH max prime size with 1007 bits or less

2015-05-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/verify-tofu.c: cleanup unused variable

2015-05-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/verify-tofu.c: corrected allocation check

2015-05-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: removed useless check

2015-05-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_pubkey.c: document intentional fallthrough in switch

2015-05-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/ecc.c: ecc ext: check return code of
	_gnutls_buffer_append_data

2015-05-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/no-signal.c: tests: enhance the no-signal check to include
	proper data sending

2015-05-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-05-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/no-signal.c: tests: check the operation
	of GNUTLS_NO_SIGNAL

2015-05-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in,
	lib/system.c, lib/system.h: Allow the usage of MSG_NOSIGNAL in send
	functions That introduces the GNUTLS_NO_SIGNAL flag for gnutls_init(), which
	is available in systems that support the MSG_NOSIGNAL flag to
	send(). That eases the usage of the library within other libraries.
	Resolves #11

2015-05-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/accelerated/x86/aes-gcm-x86-pclmul.c,
	lib/accelerated/x86/hmac-padlock.c: include nettle/memxor when
	needed

2015-05-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/serv.c: gnutls-serv: send alert when wrong data have been
	received from client

2015-05-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-05-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/cipher.c: camellia256-gcm: corrected regression Reported by Manuel Pegourie-Gonnard.

2015-05-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_x509.c: doc update

2015-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-bib.texi, doc/cha-cert-auth.texi, doc/latex/gnutls.bib: 
	doc: added section about subject alternative names

2015-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_dtls.c, lib/gnutls_dtls.h, lib/gnutls_handshake.c,
	lib/gnutls_int.h: handshake_start_time was moved out of the
	DTLS-specific variables

2015-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_handshake.c: apply default timeout for DTLS in
	gnutls_handshake_set_timeout

2015-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/hostname-check.c: tests: do not perform internationalized
	name checks without libidn

2015-05-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/sign-md5-rep.c: tests: updated sign-md5-rep to reduce false
	failures

2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-loss-time.c: tests: eliminate mem leaks in
	mini-loss-time

2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testdane: tests: testdane: remove dane.nox.su from the
	list of known to be good hosts

2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-loss-time.c: tests: mini-loss-time enhanced to check
	proper timeouts in both client and server

2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_dtls.c, lib/gnutls_dtls.h, lib/gnutls_int.h,
	lib/gnutls_state.c: dtls: combined the total timeouts of DTLS and
	TLS handshake That also makes the waits for packets more robust against blocking.

2015-05-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/compat.h: define
	GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA

2015-05-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-tokens.texi: doc: updated text to account for pkcs11-url
	standardization

2015-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-dtls-mtu.c: tests: mini-dtls-mtu: compile in windows

2015-05-04  Jaak Ristioja <jaak.ristioja@cyber.ee>

	* doc/cha-intro-tls.texi: doc: Fixed typo in heartbeat
	documentation.

2015-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* cross.mk: cross.mk: updated for 3.4.1

2015-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* devel/abi3.4.xml: updated abi base for 3.4

2015-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: NEWS: updated

2015-05-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, configure.ac, m4/hooks.m4: released 3.4.1

2015-04-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_dtls.c: doc: updated gnutls_dtls_set_timeouts

2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/examples/ex-client-dtls.c: doc: fixed example with DTLS
	timeouts

2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_state.c: use
	macro for DTLS default timeout

2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_handshake.c: gnutls_handshake_set_timeout will properly
	work with DTLS

2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_handshake.c, lib/gnutls_record.c: document the need for
	gnutls_transport_set_pull_timeout_function

2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: doc: updated async operation text

2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_handshake.c, lib/gnutls_state.c: disable default
	handshake timeout It caused issues with non-blocking TLS clients and servers which may
	not want to block while the pull timeout function waits.

2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-tls-nonblock.c: tests: added check
	to verify that pull timeout is not called on non-blocking sessions

2015-04-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_dtls.c, lib/gnutls_dtls.h, lib/gnutls_handshake.c,
	lib/gnutls_int.h, lib/gnutls_record.c, lib/gnutls_state.c,
	lib/includes/gnutls/gnutls.h.in, lib/system_override.c: 
	GNUTLS_NONBLOCK can be used for non-DTLS sessions as well

2015-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system_override.c: doc update

2015-04-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/ciphersuites.c: doc update

2015-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/{slow => }/keygen.c,
	tests/slow/Makefile.am: tests: key generation test was moved to main
	checks This will allow to catch memory leaks with valgrind.

2015-04-28  Jan Vcelak <jan.vcelak@nic.cz>

	* lib/nettle/pk.c: fix memory leak in ECDSA key parameters
	verification Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>

2015-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h: updated
	minitasn1

2015-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/name_constraints.c, tests/name-constraints.c: Handle DNS
	name constraints with leading dot Patch by Fotis Loukos.  Resolves 3 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2015-04-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-upgrade.texi: doc update

2015-04-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: updated text for gnutls_pkcs11_init

2015-04-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-tokens.texi: updated pkcs11 loading documentation

2015-04-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-etm.c: tests: mini-etm: use TLS as the transport layer

2015-04-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/sign-md5-rep.c: tests: added comment for sign-md5-rep

2015-04-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitignore: more files to ignore

2015-04-26  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* po/fr.po.in: Sync with TP.

2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/sign-md5-rep.c: tests: added reproducer
	for the MD5 acceptance issue Reported by Karthikeyan Bhargavan.

	http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.html

2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/signature.c: before falling back to SHA1 as signature
	algorithm in TLS 1.2 check if it is enabled

2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/signature.c: _gnutls_session_sign_algo_enabled: do not
	consider any values from the extension data to decide acceptable
	algorithms

2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-x509-cert-callback.c: tests: added unit tests for
	gnutls_certificate_client_get_request_status

2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/auth/cert.c: set the value used by
	gnutls_certificate_client_get_request_status prior to selecting
	certificate
	That allows gnutls_certificate_client_get_request_status() to be
	properly operating from the callback. Reported by Anton Lavrentiev.

2015-04-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_cert.c: updated doc for retrieve function

2015-04-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-bib.texi, doc/latex/gnutls.bib: updated PKCS #11 URL
	references to rfc7512

2015-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_cert.c: doc update

2015-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/x509self.c: tests: added check for gnutls_credentials_get

2015-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_auth.c, lib/gnutls_cert.c: doc update

2015-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_cert.c: fixed doc: reported by Anton Lavrentiev

2015-04-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-upgrade.texi: doc: corrected typo

2015-04-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/resume-dtls.c: tests: resume-dtls: remove global variables

2015-04-21  Andreas Metzler <ametzler@bebt.de>

	* doc/cha-gtls-app.texi: List all certificate type priority strings.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2015-04-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/auth/rsa.c: tls-rsa: keep a common code path when doing RSA
	decryption
	Suggested by Nimrod Aviram.

2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-dtls-rehandshake.c, tests/mini-handshake-timeout.c,
	tests/mini-key-material.c, tests/mini-loss-time.c,
	tests/mini-record-retvals.c, tests/mini-rehandshake-2.c: tests:
	initialize status where needed

2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/openpgp-auth2.c: tests: cleanup openpgp-auth2

2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-dtls-rehandshake.c: tests: cleanup
	mini-dtls-rehandshake

2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/resume-dtls.c, tests/resume.c: tests: resume: check for
	signals

2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/certificate_set_x509_crl.c, tests/mini-record-range.c,
	tests/mini-x509-callbacks.c, tests/openpgp-auth2.c,
	tests/record-sizes-range.c, tests/resume.c: tests: reduced compiler
	warnings

2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-x509.c: tests: verify the return value of
	gnutls_certificate_get_ours when no cert is sent

2015-04-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/resume-dtls.c, tests/resume.c: tests: close unused file
	descriptors in resume checks

2015-04-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, src/Makefile.am: libopts: fixed the reading of the
	--enable-local-libopts flag

2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c, src/common.c, src/common.h: gnutls-cli: when no
	certificate is sent, notify the user

2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-x509-cert-callback.c: tests: added
	check with X.509 certificates and callbacks
	That corresponds to functionality checked in openpgp-callback.c

2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/openpgp-callback.c: tests: added check for
	gnutls_certificate_get_ours() when used in combination with
	callbacks

2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/x509dn.c: tests: improved x509dn check

2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_ui.c: gnutls_certificate_get_ours: will return the
	certificate even if a callback was used
	This corrects a bug where this function would not work, when
	gnutls_certificate_set_retrieve_function2() was used.

2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-args.def: gnutls-cli: when a certificate is specified
	require the corresponding private key

2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: ensure that the X.509 version number is one byte
	only

2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: Check for invalid length in the X.509 version
	field
	If such an invalid length is detected, reject the certificate.
	Reported by Hanno Böck.

2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp.c: ocsp: initialize certs to NULL

2015-04-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/serv.c: gnutls-serv: print when the peer's certificate is not
	verified

2015-04-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* po/fr.po.in: Sync with TP.

2015-04-18  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/system-keys-win.c: ncrypt.h lacks some defines with some
	versions of MinGW.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2015-04-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files

2015-04-18  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/system-keys-win.c: Fix a preprocessor warning about mismatched
	quotes.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2015-04-18  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/system-keys-win.c: Set _WIN32_WINNT to 0x600, at least with
	some MinGW versions ncrypt.h checks this define to be at least
	0x600.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2015-04-18  Tim Kosse <tim.kosse@filezilla-project.org>

	* lib/gnutls_supplemental.c: Fix include order, include gnutls_int.h
	before gnutls.h, otherwise undefined external references to
	gnutls_free and gnutls_strdup are the result when statically linking
	against GnuTLS built by MinGW.  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2015-04-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/benchmark-cipher.c: gnutls-cli: removed CCM from the ciphers
	tested with the old API
	That prevents a crash of the benchmark. Reported by James Cloos.

2015-04-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_cipher_int.c: refuse to use the old cipher API with
	AEAD-only ciphers

2015-04-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-termination.c, tests/resume-dtls.c, tests/resume.c: 
	tests: ignore sigpipe in resume and termination tests

2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-internals.texi: doc: added error check in example

2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-internals.texi: doc update

2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-internals.texi: doc: removed stray @end

2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_pubkey.c: doc update

2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, lib/x509/x509.c: doc update

2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/output.c: x509: when printing the keyid of a certificate
	use the curve name for randomart

2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/x509.c: gnutls_x509_crt_get_pk_* are based on
	gnutls_pubkey_export_*

2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_pubkey.c: gnutls_pubkey_export_* are tolerant of null
	input

2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_pubkey.c, lib/includes/gnutls/x509.h,
	lib/libgnutls.map, lib/x509/x509.c: Added
	gnutls_x509_crt_get_pk_ecc_raw()

2015-04-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/extras/randomart.c: randomart: corrected usage of snprintf

2015-04-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: when generating an ECDSA key use the
	curve name in random art

2015-04-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/extras/randomart.c: randomart: only print key size if it is
	non-zero

2015-04-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* cross.mk: cross.mk: updated for 3.4.0

2015-04-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/utils.c: Remove SOCK_CLOEXEC from socket() call.  That allows compilation in systems where this flag doesn't exist.
	Resolves #7

2015-04-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: document the recommended re-handshake
	process

2015-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/manpages/Makefile.am: remove duplicate entries from manpages
	Makefile

2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/certtool: tests: enhanced cert tests with SHA256
	key IDs

2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: modified to allow different key ID
	algorithms

2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_pubkey.c, lib/includes/gnutls/x509.h,
	lib/x509/common.h, lib/x509/crq.c, lib/x509/privkey.c,
	lib/x509/x509.c: Added flags which modify the algorithm used for key
	ID calculation

2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def: doc update

2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_record.c: doc update

2015-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_record.c: gnutls_record_discard_queued() is both for
	TLS and DTLS

2015-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-internals.texi: document the new crypto register functions

2015-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-args.def: doc update

2015-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-tokens.texi: doc: avoid spaces in showfunc

2015-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/Makefile.am: tests: added files into dist

2015-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* m4/hooks.m4: configure: ask for nettle 3.1

2015-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: released 3.4.0

2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-args.def: gnutls-cli: document the method to override the
	detected ciphers

2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/aes-ccm-x86-aesni.c: fixed AESNI CCM
	encryption

2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/aes-ccm-x86-aesni.c: cleanups in CCM-aesni

2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-main-polarssl: tests: test CCM-8 against
	polarssl

2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: test
	for AES-CCM

2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README.md: doc: added 'git submodule update' to clone steps

2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, doc/announce.txt: doc update

2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/announce.txt: doc update

2015-04-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/crypto-backend.c: removed unused functions

2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-backend.c, lib/gnutls_cipher_int.c: extend the fallback
	to setkey in addition to init

2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-backend.c: doc update

2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/slow/Makefile.am, tests/slow/cipher-override2.c,
	tests/slow/override-ciphers: tests: verify the behavior of
	GNUTLS_E_NEED_FALLBACK

2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-backend.c, lib/gnutls_cipher_int.c,
	lib/includes/gnutls/gnutls.h.in: introduced GNUTLS_E_NEED_FALLBACK
	to allow falling back from registered ciphers
	That allows a registered cipher to indicate that it cannot operate
	(e.g., due to memory constraints, or internal limits), and gnutls
	should proceed with the default algorithms.

2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/ciphersuites.c: ciphersuites: moved CCM
	ciphersuites in the appropriate ifdefs

2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/ciphersuite/test-ciphers.js: tests: ciphersuite test
	will ignore the invalid names of TLS_DHE_PSK_WITH_AES_128_CCM_8
	That is because the names in rfc6655 are for some reason different
	than the expected.

2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-intro-tls.texi: document CCM and CCM-8

2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-record-2.c, tests/mini-record-failure.c,
	tests/mini-record.c: tests: added CCM and CCM_8 into ciphersuite
	tests

2015-04-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/accelerated/x86/aes-ccm-x86-aesni.c,
	lib/accelerated/x86/x86-common.c, lib/algorithms/ciphers.c,
	lib/algorithms/ciphersuites.c, lib/includes/gnutls/gnutls.h.in,
	lib/nettle/cipher.c: Added CCM-8 ciphersuites

2015-04-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/announce.txt: updated announce text

2015-04-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* symbols.last: symbols: added the new supplemental functions

2015-04-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-upgrade.texi: doc update

2015-04-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/template-test: tests: delay tests that depend on
	timing when they fail
	That often prevents failures on busy systems.

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/cipher.c: don't enforce iv_size > block_size; it is no
	longer true for all ciphers

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_cipher.c: simplified calc_enc_length_stream

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-supplementaldata.c: tests: updated supplemental API

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_extensions.c: gnutls_ext_register will fail on double
	registration

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in: 
	gnutls_supplemental_register will fail on double registration

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, symbols.last: symbols: added new exported functions

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/manpages/Makefile.am,
	doc/scripts/getfuncs-map.pl: doc: updated makefiles to include new
	functions

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/libgnutls.map: libgnutls.map: remove
	gnutls_record_set_max_empty_records

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/libgnutls.map: account for the renamed
	gnutls_supplemental_recv/send

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-internals.texi: document the export supplemental data API

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in: 
	gnutls_do_recv/send_supplemental -> gnutls_supplemental_recv/send
	Also added the gnutls_ prefix to new types.

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in: Added
	documentation for gnutls_do_send/recv_supplemental

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/crypto-api.c, lib/gnutls_mem.c, lib/gnutls_privkey.c,
	lib/gnutls_pubkey.c, lib/includes/gnutls/abstract.h,
	lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c,
	lib/pkcs11_write.c, lib/safe-memfuncs.c, lib/tpm.c: doc updates

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-shared-key.texi, lib/auth/srp_sb64.c,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/pkcs11.c,
	lib/tpm.c, lib/x509_b64.c: the base64 xxx_alloc functions were
	renamed to xxx2
	That brings them on par with the rest of the allocation functions.

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-common.h, src/p11tool-args.def, src/p11tool.c,
	src/pkcs11.c: p11tool: use the key usage flags to set PKCS #11
	properties

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11_int.h,
	lib/pkcs11_privkey.c, lib/pkcs11_write.c: pkcs11: use key_usage to
	set the appropriate flags

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in: 
	cleanups in supplemental data support

2015-04-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/auth/dh_common.c: DH: do not warn on zero q_bits

2015-04-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: NEWS: rearrange entries

2015-04-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-common.c: certtool: certtool --generate-dh-params
	will account for --outder
	Resolves #5

2015-04-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/ciphersuites.c: chacha20-poly1305: ciphersuite
	numbers correspond to the latest draft

2015-04-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: improved output message

2015-04-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: removed unnecessary warning

2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-tokens.texi, lib/includes/gnutls/abstract.h,
	lib/includes/gnutls/compat.h: doc update: account for new functions

2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: better output text

2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_pubkey.c, lib/pkcs11.c, lib/pkcs11_int.h: pkcs11: added
	GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PUBKEY
	Also enforce the expected flags despite any given flags in the URL.

2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: 
	p11tool: added the --test-sign parameter
	That allows checking an existing key for signing/verification.

2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_privkey.c, lib/gnutls_pubkey.c,
	lib/includes/gnutls/abstract.h, lib/libgnutls.map: 
	gnutls_priv/pubkey_import_url replace:
	gnutls_privkey_import_pkcs11_url and gnutls_pubkey_import_pkcs11_url

2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: corrected import of pubkey in DER format

2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-etm.c: tests: added check for EtM
	negotiation

2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms.h, lib/algorithms/ciphers.c, lib/ext/etm.c,
	lib/gnutls_int.h, lib/gnutls_priority.c: only send EtM extension if
	we have CBC ciphersuites

2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-upgrade.texi: mention gnutls_privkey_sign_raw_data in
	upgrade section

2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_privkey.c, lib/includes/gnutls/compat.h,
	lib/libgnutls.map: gnutls_privkey_sign_raw_data: converted to macro
	over gnutls_privkey_sign_hash

2015-04-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/x509sign-verify.c: tests: added check for the legacy
	gnutls_privkey_sign_raw_data

2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-selftests.c: avoid compilation warnings in self checks
	(take 2)

2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-selftests.c: Revert "selftests: avoid compilation
	warnings"
	This reverts commit 196477d68f32b30d0de8e203a5c1c405af429603.

2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testpkcs11: tests: check whether PKCS #11 ID set on
	copy/generation is correct

2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: 
	p11tool: allow setting the CKA_ID on object
	initialization/generation

2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/libgnutls.map: exported new functions

2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c: pkcs11:
	enhanced key generation functions to allow specifying a CKA_ID

2015-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-selftests.c: selftests: avoid compilation warnings

2015-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11_write.c: enhanced copy
	functions to allow specifying a CKA_ID

2015-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-server-name.c: tests: mini-server-name: ignore sigpipe

2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suppressions.valgrind: tests: added more libidn-related
	valgrind suppressions

2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/texinfo.css: doc: increase border spacing in HTML tables

2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-intro-tls.texi: doc: list chacha20-poly1305 to the list of
	ciphers

2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/manpages/Makefile.am: manpages: automatically adjust the
	copyright year on generated pages

2015-03-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/mini-server-name.c: tests: added check
	for gnutls_server_name_get and gnutls_server_name_set

2015-03-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/ciphersuite/test-ciphers.js: test-ciphers.js: improved
	ciphersuite checks

2015-03-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/ciphersuites.c: corrected
	GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305

2015-03-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/ciphersuite/scan-gnutls.sh: updated
	test-ciphersuite.sh for new types

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/x509_ext.c: Better fix for the double free in dist point
	parsing

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h: updated
	minitasn1

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11_write.c: gnutls_pkcs11_copy_x509_privkey: increase size
	for attributes

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/ciphersuites.c: moved chacha20-poly1305
	ciphersuites to the 0xCD space

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/crypto-api.c: doc update: replace cryptographic algorithm by
	encryption algorithm

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_datum.c, lib/gnutls_datum.h, lib/x509/gnutls-idna.c,
	lib/x509/x509_ext.c: gnutls_subject_alt_names_set and
	gnutls_x509_aki_set_cert_issuer will set null-terminated strings

2015-03-27  Jiří Klimeš <jklimes@redhat.com>

	* lib/crypto-api.c: doc: be consistent in the function descriptions
	Signed-off-by: Jiří Klimeš <jklimes@redhat.com>

2015-03-27  Jiří Klimeš <jklimes@redhat.com>

	* lib/crypto-api.c: doc: correct the description of crypto API
	functions
	Signed-off-by: Jiří Klimeš <jklimes@redhat.com>

2015-03-27  Jiří Klimeš <jklimes@redhat.com>

	* doc/examples/ex-client-x509.c, lib/ext/server_name.c,
	lib/x509/output.c: Fix a few compiler warnings about unused
	variables [-Wunused-variable]
	Signed-off-by: Jiří Klimeš <jklimes@redhat.com>

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_cipher.c: fixed CHACHA20-POLY1305 in DTLS

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/benchmark-cipher.c, src/benchmark-tls.c: gnutls-cli: added
	chacha-poly1305 into benchmarks

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_dtls.c: when calculating record overhead account for
	chacha20 which doesn't send the nonce on the wire

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-record-2.c, tests/mini-record.c: tests: include
	chacha20 into transfer tests

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms.h, lib/algorithms/ciphersuites.c,
	lib/gnutls_cipher.c, lib/gnutls_constate.c, lib/gnutls_int.h: Added
	the CHACHA20-POLY1305 ciphersuites (with random IDs)

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/ciphers.c, lib/crypto-selftests.c,
	lib/includes/gnutls/gnutls.h.in, lib/nettle/cipher.c: added
	chacha20-poly1305 as cipher

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-record-retvals.c: tests: check retvals in block ciphers

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_int.h: do not penalize CBC ciphers with the maximum
	send data size
	That reduced the maximum send size for CBC ciphers from 16384 to
	16384-(block size), which was unnecessary and was causing issues:
	https://bugs.winehq.org/show_bug.cgi?id=37500

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-03-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_int.h, lib/gnutls_priority.c, lib/gnutls_record.c,
	lib/includes/gnutls/gnutls.h.in: 
	gnutls_record_set_max_empty_records: removed

2015-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/x509_ext.c: eliminated double-free in the parsing of dist
	points
	Reported by Robert Święcki.

2015-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_buffers.c: Added a tight loop around the legacy push
	function
	That reduces the need for more expensive outer loops.  Originally
	suggested by Anton Lavrentiev.

2015-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/gl/Makefile.am, src/gl/fseeko.c, src/gl/m4/dup2.m4,
	src/gl/m4/printf.m4, src/gl/m4/stdio_h.m4, src/gl/m4/time_h.m4,
	src/gl/signal.in.h, src/gl/stdio-impl.h, src/gl/stdio.in.h,
	src/gl/time.in.h, src/gl/vasnprintf.c, src/gl/xalloc.h: updated
	gnulib

2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def: p11tool: more precise documentation of
	--set-id parameter

2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* m4/hooks.m4: depend on nettle 3.1 or later

2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/email: tests: updated email check for renamed
	--verify-email option

2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: increased
	the size of ck_attributes

2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_privkey.c: pkcs11: check gnutls_rnd() for error
	condition

2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_privkey.c: gnutls_pkcs11_privkey_generate2: set a
	CKA_ID on key generation

2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool.c: p11tool: reduced debugging output

2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-03-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool.c: certtool: --purpose,
	--hostname were renamed to --verify-purpose, --verify-hostname

2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def, src/p11tool.c: p11tool: added --mark-no-sign
	and --mark-no-decrypt options

2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11_privkey.c,
	lib/pkcs11_write.c: pkcs11: added flags to mark keys as not-being
	signable or decryptable
	That adds GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT and
	GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN which can be set during
	generation or write of keys.

2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11_write.c: pkcs11: set the CKA_SIGN and CKA_DECRYPT flags
	when writing a private key

2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/resume-dtls.c: tests: cleanups in resume-dtls

2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/server_name.c: ext: server_name: move name length check
	prior to IDN conversion

2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/server_name.c: When an application calls
	gnutls_server_name_set() with a name of zero size disable the
	extension
	Resolves #2

2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/hostname-verify.c: gnutls_x509_crt_check_hostname2: check
	CN for match only if certificate would have been acceptable for
	GNUTLS_KP_TLS_WWW_SERVER

2015-03-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/name_constraints.c: Apply DNS name constraints on CN
	field only on certificates acceptable for TLS WWW SERVER purpose
	Suggested by Fotis Loukos.

2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-loss-time.c: tests: mini-loss-time is less prone to
	timeouts

2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/suppressions.valgrind: tests: added valgrind
	suppressions in cert-tests for libidn

2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: eliminated memory leaks on verification

2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/email,
	tests/cert-tests/email-certs/chain.exclude.test.example.com,
	tests/cert-tests/email-certs/chain.invalid.example.com,
	tests/cert-tests/email-certs/chain.test.example.com,
	tests/cert-tests/email-certs/chain.test.example.com-2: tests: Added
	email verification tests with certtool

2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def, src/certtool.c: certtool: added the --email
	option, to use in verification

2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_cert.c, lib/includes/gnutls/gnutls.h.in,
	lib/includes/gnutls/openpgp.h, lib/includes/gnutls/x509.h,
	lib/libgnutls.map, lib/openpgp/compat.c,
	lib/openpgp/gnutls_openpgp.h, lib/openpgp/pgp.c,
	lib/x509/Makefile.am, lib/x509/email-verify.c,
	lib/x509/verify-high.c: Added gnutls_x509_crt_check_email(),
	gnutls_openpgp_crt_check_email() and GNUTLS_DT_RFC822NAME

2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/test-chains.h: tests: verify that we accept a certificate
	with no name even if its CA has nameconstraints

2015-03-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/name_constraints.c: name constraints: when no name of the
	type is found, accept the certificate
	This follows RFC5280 advice closely. Reported by Fotis Loukos.

2015-03-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/resume-dtls.c: tests: increase the timeout in resume-dtls

2015-03-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: gnutls_pkcs11_obj_export3: allow operation when
	raw.data is NULL and we have a public key

2015-03-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: simplified export of objects
	That also allows exporting public keys, even when a CKA_VALUE with
	the public key is not present. For that we use the key parameters,
	which we encode into a key. Issue reported by Frank Leavis.

2015-03-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* GNUmakefile, build-aux/config.rpath, build-aux/gendocs.sh,
	build-aux/pmccabe2html, build-aux/snippet/arg-nonnull.h,
	build-aux/snippet/c++defs.h, build-aux/snippet/warn-on-use.h,
	build-aux/useless-if-before-free, build-aux/vc-list-files,
	doc/gendocs_template, gl/Makefile.am, gl/m4/gnulib-cache.m4,
	gl/m4/gnulib-comp.m4, gl/m4/ld-version-script.m4, gl/m4/printf.m4,
	gl/m4/stdio_h.m4, gl/m4/time_h.m4, gl/m4/ungetc.m4,
	gl/stdio-impl.h, gl/stdio.in.h, gl/tests/Makefile.am,
	gl/tests/init.sh, gl/tests/test-u64.c, gl/time.in.h, gl/u64.c,
	gl/u64.h, gl/vasnprintf.c, maint.mk: gnulib: removed u64 module

2015-03-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/accelerated/x86/aes-gcm-x86-pclmul.c, lib/gnutls_int.h: drop
	support for gnulib's u64

2015-03-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testcompat-main-openssl: tests: check legacy RC4 in
	testcompat That would prevent losing compatibility without detecting it.  That
	is currently the case since it is no longer enabled by default.

2015-03-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-record-retvals.c: tests: added check
	to verify the correctness of the record function return values

2015-03-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/common.c, src/crywrap/crywrap.c, src/tests.c: tools: enable
	compilation with all options disabled

2015-03-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_auth.c, lib/gnutls_ui.c: enable compilation with
	several options disabled

2015-03-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_auth.c, lib/gnutls_state.c, lib/pkcs11.c,
	lib/pkcs11_privkey.c, lib/x509/crq.c, lib/x509/pkcs7.c: doc: avoid
	mentioning pointers when not needed

2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: increase the maximum stack frame the compiler will
	warn for

2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/ciphersuites.c, lib/crypto-api.c, lib/ext/alpn.c,
	lib/ext/etm.c, lib/ext/ext_master_secret.c, lib/ext/heartbeat.c,
	lib/ext/max_record.c, lib/ext/safe_renegotiation.c,
	lib/ext/server_name.c, lib/ext/session_ticket.c,
	lib/ext/signature.c, lib/ext/srtp.c, lib/ext/status_request.c,
	lib/gnutls_alert.c, lib/gnutls_anon_cred.c, lib/gnutls_auth.c,
	lib/gnutls_buffers.c, lib/gnutls_cert.c, lib/gnutls_db.c,
	lib/gnutls_dh.c, lib/gnutls_dtls.c, lib/gnutls_handshake.c,
	lib/gnutls_pcert.c, lib/gnutls_priority.c, lib/gnutls_privkey.c,
	lib/gnutls_privkey_raw.c, lib/gnutls_psk.c, lib/gnutls_pubkey.c,
	lib/gnutls_range.c, lib/gnutls_record.c, lib/gnutls_session.c,
	lib/gnutls_session_pack.c, lib/gnutls_srp.c, lib/gnutls_state.c,
	lib/gnutls_ui.c, lib/gnutls_x509.c, lib/openpgp/extras.c,
	lib/openpgp/gnutls_openpgp.c, lib/openpgp/pgp.c,
	lib/openpgp/privkey.c, lib/pkcs11.c, lib/pkcs11_privkey.c,
	lib/pkcs11x.c, lib/system-keys-win.c, lib/system_override.c,
	lib/tpm.c, lib/verify-tofu.c, lib/x509/crl.c, lib/x509/crl_write.c,
	lib/x509/crq.c, lib/x509/dn.c, lib/x509/extensions.c,
	lib/x509/hostname-verify.c, lib/x509/name_constraints.c,
	lib/x509/ocsp.c, lib/x509/ocsp_output.c, lib/x509/output.c,
	lib/x509/pkcs12.c, lib/x509/pkcs12_bag.c, lib/x509/pkcs7.c,
	lib/x509/privkey.c, lib/x509/privkey_openssl.c,
	lib/x509/privkey_pkcs8.c, lib/x509/verify-high.c,
	lib/x509/verify-high2.c, lib/x509/x509.c, lib/x509/x509_ext.c,
	lib/x509/x509_write.c: doc: avoid using structure for opaque types

2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-extension.c: tests: include gnutls_ext_s/get_data into
	tests of mini-extension

2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_extensions.c: updated documentation on non-return value
	of gnutls_ext_set_data

2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-dtls0-9.c: tests: fixed buffers in mini-dtls0-9

2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_handshake.c: avoid overflow when receiving DTLS 0.9 CCS

2015-03-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/srp.c, lib/ext/alpn.c, lib/ext/etm.c,
	lib/ext/heartbeat.c, lib/ext/max_record.c,
	lib/ext/safe_renegotiation.c, lib/ext/server_name.c,
	lib/ext/session_ticket.c, lib/ext/signature.c, lib/ext/srp.c,
	lib/ext/srtp.c, lib/ext/status_request.c, lib/gnutls_extensions.c,
	lib/gnutls_extensions.h, lib/gnutls_int.h, lib/gnutls_str.h,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: added
	gnutls_ext_set_data() and gnutls_ext_get_data() As a side effect the type which holds private data was reduced from
	union to void * pointer. That simplifies the exported API without
	reducing the options in the internal API.

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitignore: more files to ignore

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/gnutls.h.in: set GNUTLS_DTLS_VERSION_MIN to be
	DTLS0.9 That allows standard DTLS ciphersuites to be used with DTLS0.9

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/mini-dtls0-9.c: tests: added test for
	DTLS 0.9

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-extension.c: tests: updated mini-extension

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-internals.texi: mention the new functionality briefly in
	documentation

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_extensions.c, lib/gnutls_supplemental.c: mention that
	the registration functions are not thread safe

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_extensions.c, lib/gnutls_extensions.h: store a copy of
	the extensions name

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_global.c: deinitialize supplemental data on deinit

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_extensions.c, lib/gnutls_extensions.h,
	lib/gnutls_handshake.c, lib/includes/gnutls/gnutls.h.in: removed
	unused epoch change callback

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_global.c, lib/gnutls_supplemental.c,
	lib/gnutls_supplemental.h: deinitialize supplemental data on deinit

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_hash_int.h, lib/gnutls_supplemental.c: reduce warnings

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_extensions.c, lib/gnutls_str.c, lib/gnutls_str.h,
	lib/gnutls_supplemental.c: added documentation for the new functions

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-supplementaldata.c: tests: remove warnings in
	mini-supplementaldata.c

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/gnutls.h.in, tests/mini-supplementaldata.c: 
	updated types

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitignore: more files to ignore

2015-03-19  Thierry Quemerais <tquemerais@awox.com>

	* lib/gnutls_supplemental.c, lib/includes/gnutls/gnutls.h.in,
	lib/libgnutls.map, tests/Makefile.am, tests/mini-supplementaldata.c: 
	Added a way to add custom supplemental data from public API.  Signed-off-by: Thierry Quemerais <tquemerais@awox.com>

2015-03-19  Thierry Quemerais <tquemerais@awox.com>

	* tests/mini-extension.c: Fixed extension test.  Signed-off-by: Thierry Quemerais <tquemerais@awox.com>

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_str.h, lib/includes/gnutls/gnutls.h.in,
	tests/Makefile.am, tests/mini-extension.c: renamed gnutls_buffer_st
	-> gnutls_buffer_t

2015-03-19  Thierry Quemerais <tquemerais@awox.com>

	* lib/gnutls_extensions.c, lib/gnutls_extensions.h,
	lib/gnutls_int.h, lib/gnutls_str.c, lib/gnutls_str.h,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map,
	tests/mini-extension.c: Added a way to add custom extensions from
	public API.  Signed-off-by: Thierry Quemerais <tquemerais@awox.com>

2015-03-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitignore: more files to ignore

2015-03-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/includes/gnutls/x509.h: 
	gnutls_x509_crt_import_pkcs11_url moved to pkcs11.h as it was always
	defined there

2015-03-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/inet_ntop.c: inet_ntop replacement: include sys/socket.h

2015-03-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/inet_ntop.c, lib/system.h: inet_ntop replacement: do not
	depend on socklen_t

2015-03-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/Makefile.am: tests: link cipher tests directly with
	nettle when needed

2015-03-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-dtls-record.c: tests: mini-dtls-record: increase
	timeouts to avoid failure of test due to slow system

2015-03-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-dtls-record.c: tests: mini-dtls-record: removed the
	need for 64-bit number

2015-03-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-dtls-record.c: tests: increase verbosity of
	mini-dtls-record

2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-crypto.texi: document the cipher override API

2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/slow/Makefile.am, tests/slow/mac-override.c,
	tests/slow/override-ciphers: added test suite for overridden digests
	and MACs

2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/accelerated/cryptodev.c, lib/accelerated/x86/x86-common.c,
	lib/crypto-backend.c, lib/crypto-backend.h,
	lib/includes/gnutls/crypto.h, lib/libgnutls.map: Added API to
	register MAC and digest algorithms.

2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/slow/Makefile.am, tests/slow/cipher-override.c,
	tests/slow/override-ciphers: added test suite for overridden ciphers

2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/accelerated/cryptodev-gcm.c, lib/accelerated/cryptodev.c,
	lib/accelerated/x86/x86-common.c, lib/crypto-backend.c,
	lib/crypto-backend.h, lib/includes/gnutls/crypto.h,
	lib/libgnutls.map: Added API to register AEAD and legacy ciphers.

2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/accelerated/cryptodev-gcm.c: cryptodev: provide the new AEAD
	API

2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_global.c: Added environment variable which can override
	automatic global initialization

2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-backend.c, lib/crypto-backend.h: removed unused
	functions

2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* m4/hooks.m4: configure: fail compilation if the minimum required
	libtasn1 is not present

2015-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-03-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/long-session-id.c: tests: long-session-id uses the test
	framework

2015-03-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-03-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, lib/pkcs11.c: depend on p11-kit 0.23.1 to conform to
	draft-pechanec-pkcs11uri-21

2015-03-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-dtls-record.c: tests: fixed shadowed variable in
	mini-dtls-record

2015-03-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/long-session-id.c, tests/mini-dtls-fork.c,
	tests/mini-dtls-pthread.c, tests/mini-dtls-rehandshake.c,
	tests/mini-handshake-timeout.c, tests/utils.c, tests/utils.h: tests:
	use nanosleep for sleeping

2015-03-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README.md: README-alpha: move valgrind to testing tools

2015-03-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README.md: updated README-alpha

2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_supplemental.c: Fixed handling of supplemental data
	with types > 255.  Patch by Thierry Quemerais.

2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_priority.c: doc update

2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_priority.c: gnutls_priority_init: document that
	priorities can be NULL

2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testpkcs11.softhsm: testpkcs11: disallow softhsm
	2.0.0b1 from being used to test PKCS #11

2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/mini-eagain2.c: tests: mini-eagain2: call
	gnutls_handshake_set_timeout() at the proper time

2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: added libasan as dependency

2015-03-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-selftests.c: corrected self test for 3DES

2015-03-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11.c: pkcs11: correctly set the size of type

2015-03-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11.c: pkcs11: combined the fill for object attributes set

2015-03-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11.c: pkcs11: only set ID and label when both size and
	data are set

2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: exit with non-zero reason if no objects are
	found

2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testpkcs11: tests: added checks for p11tool --set-id
	and --set-label

2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/p11tool-args.def, src/p11tool.c, src/p11tool.h, src/pkcs11.c: 
	p11tool: added --set-id and --set-label options

2015-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
	lib/pkcs11_int.c, lib/pkcs11_int.h: added
	gnutls_pkcs11_obj_set_info() This function allows setting information such as the CKA_ID and the
	CKA_LABEL of an object.  Resolves #1

2015-03-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/invalid-sig,
	tests/cert-tests/invalid-sig.pem: Added check for GNUTLS-SA-2015-1

2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/test-chains.h: tests: removed test with invalid DER encoding
	in chainverify These certificates are now rejected earlier.

2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/strict-der.c: tests: added a check for
	certificates with invalid DER encodings

2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/common.c, lib/x509/common.h, lib/x509/crl.c,
	lib/x509/crq.c, lib/x509/dn.c, lib/x509/extensions.c,
	lib/x509/mpi.c, lib/x509/ocsp.c, lib/x509/privkey.c,
	lib/x509/privkey_pkcs8.c, lib/x509/x509.c, lib/x509/x509_ext.c: 
	x509: use libtasn1's strict DER decoding rules in network obtained
	structures

2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/common.c, m4/hooks.m4: depend on libtasn1 4.3

2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/minitasn1/decoding.c, lib/minitasn1/libtasn1.h,
	lib/minitasn1/parser_aux.c: minitasn1: updated to libtasn1 4.3

2015-03-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-internals.texi: rearranged internal documentation

2015-03-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def,
	src/socket.c: tools: added ftp as a starttls protocol

2015-03-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-args.def: gnutls-cli: starttls and starttls-proto can't
	mix

2015-03-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: expand on SECURE256 being an alias to
	SECURE192

2015-03-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-polarssl: tests: do not run polarssl
	interop test on VIA

2015-03-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-common: use common license in all
	testcompat scripts

2015-03-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/pk.c: removed unused function

2015-03-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/TODO: doc update

2015-03-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* Makefile.am, README-alpha => README.md: README-alpha is README.md
	on repository It contains information for developers.

2015-03-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* Makefile.am, README.md => README: Revert "auto-generate README
	from README.md" This reverts commit aff4b2151b42c6a59e490c3714d3e1e64d2921dd.

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: cleaned up licensing

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am, README => README.md: auto-generate README from
	README.md

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: Revert "added README.md as link to README" This reverts commit 041d4f947eb6937d4af62eb35055668825c36833.

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md: added README.md as link to README

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README.md => README, README-alpha.md => README-alpha: Revert
	"renamed README files" This reverts commit 05b4fa46667d3f5972f6de6ac61ff959382c67a5.

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README-alpha => README-alpha.md, README => README.md: renamed
	README files

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README, README-alpha: README: converted to mark-down

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/tests.c: gnutls-cli-debug: corrected check of certificate
	chain order

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/x509cert.c: tests: added small test to verify that
	GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED succeeds with a single cert

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c, src/tests.c: gnutls-cli-debug: disable
	unsupported TLS protocols as soon

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/socket.c: cli sockets: check for a digit prior to using atoi

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/tests.c: gnutls-cli-debug: a cert list of size 1 is always
	sorted

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/socket.c: gnutls-cli-debug: do not warn multiple times about
	unknown protocols

2015-03-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-support.texi: updated documentation on FIPS140-2

2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl: tests: speed up testcompat
	check by removing less important options

2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/softhsm.h: tests: updated paths for softhsm detection

2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README-alpha: README: mention nodejs

2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure: check for /usr/share/dns/root.key as well
	for dns root key

2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README-alpha: README: mention dependency on dns-root-data

2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/template-test: tests: don't perform the overflow
	check in 32-bit systems

2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/template-date.pem,
	tests/cert-tests/template-date.tmpl: tests: date parsing test was
	modified to work in 32-bit systems

2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-cfg.c: certtool: in 32-bit systems use PRIu64 to
	print 64-bit values

2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-cfg.c: certtool: exit when there is an overflow in
	parsing days

2015-03-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* README-alpha: README: mention that openssl and polarssl will be
	used for interop testing

2015-03-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/template-test: Revert "tests: increased the
	retries with datefudge cert generation" This reverts commit a381fd148d2e181e19aad9ab9a9c5993080ce869.

2015-03-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/template-basic.pem,
	tests/cert-tests/template-basic.tmpl,
	tests/cert-tests/template-test: Revert "tests: template-test: added
	a baseline check to detect slow systems" This reverts commit b7ef1265810ec55d0912db2e3fa4204d8c412377.

2015-03-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/template-basic.pem,
	tests/cert-tests/template-basic.tmpl,
	tests/cert-tests/template-test: tests: template-test: added a
	baseline check to detect slow systems

2015-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/template-test: tests: increased the retries with
	datefudge cert generation There are slow systems that are not always capable of generating the
	certificate within a single second.

2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README-alpha: add bison as a dependency

2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* Makefile.am: build documentation last That allows the examples to depend on libgnu_gpl.la

2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README-alpha: list unbound dependency for DANE

2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testdane: tests: removed dane hosts which don't behave
	well

2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* README-alpha: updated instructions for installed packages

2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/latex/cover.tex: latex doc: updated copyright dates

2015-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/gnutls.texi: updated copyright date

2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_pubkey.c, lib/tpm.c, lib/x509/common.c,
	lib/x509/common.h, lib/x509/dn.c, lib/x509/ocsp.c,
	lib/x509/pkcs12.c, lib/x509/pkcs12_bag.c, lib/x509/x509_ext.c,
	m4/hooks.m4: use asn1_decode_simple_ber if available

2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-library.texi: corrected typo

2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-library.texi: mention libidn

2015-03-04  Ilya V. Matveychikov <i.matveychikov@securitycode.ru>

	* tests/suite/asn1random.pl: asn1random.pl: generate simple tags
	only Do not emit tags with numbers greater than or equal to 31 as they must
	be encoded as an octet sequence (ref X.690-0207 # 8.1.2.4) Signed-off-by: Ilya V. Matveychikov <i.matveychikov@securitycode.ru>

2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_priority.c: doc update

2015-02-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/invalid-sig,
	tests/cert-tests/invalid-sig2.pem,
	tests/cert-tests/invalid-sig3.pem: tests: added checks for invalid
	X.509 certificate signatures

2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-upgrade.texi: added the change of priority string NORMAL
	in documentation

2015-03-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-library.texi: document the usage of a PKCS #11 trust
	module for verification

2015-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-main-openssl: tests: updated the suite to
	account for the removal of DSA by default

2015-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/dsa/testdsa, tests/openpgp-callback.c, tests/openpgpself.c,
	tests/priorities.c: tests: updated the suite to account for the
	removal of DSA by default

2015-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-03-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl,
	tests/suite/testcompat-openssl, tests/suite/testcompat-polarssl: 
	cross-implementation test suite was relicensed to 3-clause BSD That way the suite can be used by projects with other licenses.

2015-03-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-03-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_priority.c: DSA signatures and DHE-DSS are disabled by
	default DSA was an algorithm that was never deployed on the Internet and
	had, until very recently, several limitations such as restriction of
	its keys to 1024 bits, SHA1-only etc. Given that there are literally
	0 internet (HTTPS) certificates using DSA, there is no point to
	enable it by default and increase our attack surface.

2015-03-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/benchmark-cipher.c: gnutls-cli: include AES_128_CCM in
	benchmark-ciphers

2015-02-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_session.c: doc update

2015-02-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-02-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_privkey.c: doc update

2015-02-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/inet_ntop.c, lib/system.c, lib/system.h,
	lib/x509/output.c: bundle inet_ntop in systems that don't have it

2015-02-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: updated
	auto-generated files

2015-02-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/abstract.h: removed
	gnutls_pubkey_get_verify_algorithm from abstract.h

2015-02-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_handshake.c: corrected typo in gnutls_handshake(),
	spotted by Andris Mednis

2015-02-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_session.c: doc update: document that session_get_data()
	must be used in non-resumed sessions

2015-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-tokens.texi: doc update

2015-02-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/ciphersuites.c, lib/gnutls_handshake.c: added
	comments

2015-02-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, lib/pkcs11.c: Use p11_kit_uri_get_pin_value() if
	available in p11-kit

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_buffers.c: fixed handling of GNUTLS_E_INT_CHECK_AGAIN

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/ciphersuites.c: removed unnecessary check and
	optimized function

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/ciphersuites.c: corrected check which prevented
	client to send an unacceptable for the version ciphersuite

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-key-material.c: tests: mini-key-material: avoid memory
	leak

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-dtls-lowmtu.c, tests/mini-overhead.c,
	tests/mini-record.c: tests: require DTLS 1.2 when using GCM

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_buffers.c: handle GNUTLS_E_INT_CHECK_AGAIN

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms.h, lib/algorithms/ciphersuites.c,
	lib/gnutls_handshake.c: check the negotiated TLS/DTLS version prior
	to offering a ciphersuite a server

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_priority.c: remove unnecessary assert

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-upgrade.texi: doc update

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cve-2009-1415.c, tests/x509sign-verify.c: tests: modified
	tests with obsolete APIs with their replacement API

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-upgrade.texi: doc: added deprecated functions into upgrade
	plan

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/x509cert-tl.c: tests: added checks for
	gnutls_x509_crt_get_signature_algorithm and
	gnutls_x509_crt_get_preferred_hash_algorithm

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/crypto-backend.h, lib/gnutls_pk.c, lib/gnutls_pk.h,
	lib/gnutls_pubkey.c, lib/libgnutls.map, lib/nettle/pk.c,
	lib/x509/verify.c, lib/x509/x509.c: removed
	gnutls_pubkey_get_verify_algorithm() and unnecessary internal APIs

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/compat.h, lib/libgnutls.map, lib/x509/x509.c: 
	removed gnutls_x509_crt_get_verify_algorithm()

2015-02-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_pubkey.c, lib/includes/gnutls/abstract.h,
	lib/libgnutls.map: removed gnutls_pubkey_verify_hash() and
	gnutls_pubkey_verify_data()

2015-02-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-common.h: certtool: use unsigned for bits

2015-02-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c, src/p11tool.c: certtool/p11tool: avoid cast to
	function call

2015-02-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool.c: certtool: allow specifying
	a purpose and a hostname for chain verification

2015-02-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/x509cert-invalid.c: tests: added check
	for invalid X.509 certificate

2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-key-material.c: tests: added check
	for gnutls_record_get_state()

2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_constate.c: removed unused constants

2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_state.c: memcpy fix in gnutls_record_get_state

2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* ltmain.sh: removed ltmain.sh from root

2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_state.c, lib/includes/gnutls/gnutls.h.in,
	lib/libgnutls.map: Added gnutls_record_get_state() and
	gnutls_record_set_state() These functions allow to export the key material and sequence
	numbers.  That allows offloading the sending and receiving of
	individual records.

2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_record.c: fixed sequence number copy

2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_handshake.c, lib/includes/gnutls/gnutls.h.in: 
	gnutls_handshake_set_hook_function: will provide the raw handshake
	data

2015-02-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/gnutls.h.in: use explicit casts to unsigned
	int in the CURVE_TO_BITS et al

2015-02-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/pkcs12_encr.c: use cast in _gnutls_hash_fast

2015-02-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: when importing a certificate ensure that the
	signature parameters match

2015-02-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/x86-common.c: Allow AESNI GCM acceleration in
	x86

2015-02-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-args.def, src/cli.c: gnutls-cli: added --save-cert option

2015-02-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/gnutls.h.in: added missing prototypes

2015-02-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli.c: handle differently OCSP responses that are revoked and
	of unknown status

2015-02-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/common.c: compilation fix with return on void function;
	reported by David Marx

2015-01-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_state.c: doc update

2015-01-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_buffers.c: set the appropriate direction when
	_gnutls_io_write_flush() is called

2015-01-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-dtls-pthread.c: tests: added check
	for operation under different threads and DTLS

2015-01-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-dtls-fork.c: tests: added check for
	operation under different processes and DTLS

2015-01-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: Revert "doc update" This reverts commit eabf1f27d255577bad60d302abf46a969848fcd7.

2015-01-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_record.c, lib/includes/gnutls/gnutls.h.in,
	lib/libgnutls.map: Revert "Added gnutls_record_is_async()" This reverts commit 2232822aabe473d124f924d64ff52981d685fd41.

2015-01-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: documented using a session with fork or
	multiple threads

2015-01-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-01-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_record.c, lib/includes/gnutls/gnutls.h.in,
	lib/libgnutls.map: Added gnutls_record_is_async(). That function indicates whether gnutls_record_recv() and
	gnutls_record_send() can be used independently and in parallel.

2015-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_buffers.c: print errno in a more uniform way

2015-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, lib/system.c: doc update

2015-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_buffers.c, lib/gnutls_handshake.c, lib/gnutls_state.c,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map, lib/system.c,
	lib/system.h, lib/system_override.c: exported
	gnutls_system_recv_timeout()

2015-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_buffers.c: simplified _gnutls_writev() by requiring the
	total length

2015-01-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/kbnode.c, lib/opencdk/read-packet.c: opencdk: small
	fixes to reduce warnings

2015-01-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_ui.c: doc update

2015-01-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c, src/ocsptool-common.c, src/ocsptool-common.h: don't be
	so verbose about the OCSP nonce; it is universally unsupported

2015-01-17  Tim Ruehsen <tim.ruehsen@gmx.de>

	* src/cli.c, src/ocsptool-common.c: OCSP check the whole cert chain.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2015-01-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: on certificate import check whether the two
	signature algorithms match

2015-01-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* cross.mk: cross.mk: use 3.3.12

2015-01-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/key_decode.c: doc update

2015-01-12  Luke Dashjr <luke-jr+git@utopios.org>

	* Makefile.am, configure.ac, doc/manpages/Makefile.am: Added
	configure option --disable-tools

2015-01-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* libdane/errors.c: corrected typos. Reported by Guido Kroon.

2015-01-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/protocols.c, lib/gnutls_int.h: Added the notion of
	obsolete versions. That prevents using these versions as record version numbers, unless
	they are the only protocol supported. This avoids the issues with
	servers that have banned SSL 3.0 record versions.

2015-01-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/ocsptool-common.c: ocsptool: follow the documented process for
	gnutls_x509_crt_get_authority_info_access

2015-01-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: gnutls_x509_crt_get_authority_info_access: doc
	update

2015-01-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/ocsptool-common.c: ocsptool-common: iterate through all AIA
	items prior to deciding the OCSP server

2015-01-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/fips.c: use a FIPS key that agrees with fedora's fipshmac

2015-01-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* devel/DCO/people-dco.txt: DCO: Added Luke Dashjr

2015-01-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-args.def: simplified text for inline-commands-prefix

2015-01-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-args.def, src/cli.c, src/socket.c: gnutls-cli: added
	--starttls-proto option

2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: cleanup the name of types

2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/softhsm.h: tests: updates in softhsm detection

2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: when importing a public key, import its
	data as well (version 2 fix)

2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify.c: doc update

2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testpkcs11: testpkcs11: do not ignore the failure to
	write a trusted CA

2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/libgnutls.map: removed gnutls_pubkey_get_pk_* from the
	exported function list

2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-import-export.c: tests: key-import-export: enhanced to
	test gnutls_pubkey_*_ecc_x962

2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_pubkey.c: gnutls_pubkey_t: allow the import of another
	parameter set without a leak

2015-01-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_pubkey.c: removed ABI-compatibility functions

2015-01-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def: doc update

2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testpkcs11.softhsm: testpkcs11: modified to support
	both softhsmv1 and v2

2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11.c: pkcs11: when importing a public key, import its
	data as well

2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/key-import-export.c: tests: enhanced key-import-export to
	check output of pubkeys

2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/openpgp-callback.c: tests: eliminated leaks

2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_cert.c: doc update

2015-01-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/key-import-export.c: tests: added checks
	for private key import/export functions

2015-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/TODO: doc update

2015-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/openpgp-callback.c: tests: Added test
	case for openpgp keys loaded by callback

2015-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_state.c: When setting up TLS with cert-type OpenPGP
	from a client, the server verifies if it supports the extension’s
	contents in _gnutls_session_cert_type_supported().  This function
	checks for cred->get_cert_callback but not cred->get_cert_callback2.
	As a result, servers set up for OpenPGP certificate credential
	callback with gnutls_certificate_set_retrieve_function2() are unable
	to use the OpenPGP certificate type.  The solution is to consider cred->get_cert_callback2 alongside
	cred->get_cert_callback in _gnutls_session_cert_type_supported().  Patch by Rick van Rein.

2015-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_privkey.c: gnutls_privkey_import_openpgp_raw: do not
	release the cached value

2015-01-08  Ludovic Courtès <ludo@gnu.org>

	* NEWS, guile/modules/gnutls.in: guile: Call 'load-extension' both
	during expansion and at run time.  Fixes <https://bugzilla.redhat.com/show_bug.cgi?id=1177847>.  * guile/modules/gnutls.in: Wrap '%libdir' definition and   'load-extension' call in 'eval-when'.

2015-01-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_buffers.c, lib/gnutls_errors.h: When receiving a TLS
	record with multiple handshake packets, parse them in one go. That resolves: https://savannah.gnu.org/support/?108712

2015-01-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-dtls-record-asym.c: tests: updated
	mini-dtls-record-asym

2015-01-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-dtls-record-asym.c: tests: better documentation of
	mini-dtls-record-asym purpose

2015-01-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-dtls-mtu.c, tests/utils.c, tests/utils.h: tests: moved
	udp_socketpair to utils

2015-01-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-dtls-record-asym.c: tests: corrected asymmetric MTU
	test for DTLS and added caching

2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-dtls-record-asym.c: Added test case
	for DTLS handshake packet reconstruction when it exceeds MTU. https://savannah.gnu.org/support/?108712

2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_buffers.c: simplified _gnutls_dgram_read()

2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/Makefile.am: danetool: only compile when dane is enabled

2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_buffers.c: in DTLS don't combine multiple packets which
	exceed MTU. Resolves: https://savannah.gnu.org/support/?108715

2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_buffers.c: Added more precise check of push functions
	availability

2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_buffers.c, lib/gnutls_state.c, lib/system.c,
	lib/system.h: Revert "in DTLS don't use writev() when multiple
	packets which exceed MTU are queued". This reverts commit 43082a67c7514d65301d157fb567a133138a85ab.

2015-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_buffers.c: Revert "Give precedence to vector push
	function". This reverts commit cb4ea413569803cbbf291abb27d30d14bfa971c5.

2015-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_buffers.c: Give precedence to vector push function

2015-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_buffers.c, lib/gnutls_state.c, lib/system.c,
	lib/system.h: in DTLS don't use writev() when multiple packets which
	exceed MTU are queued. That change requires the system_write() to be registered
	unconditionally, even when writev() is available.  Resolves:
	https://savannah.gnu.org/support/?108715

2015-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-dtls-mtu.c: tests: added check to
	ensure that DTLS handshake packets will not exceed MTU

2015-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: warn when setting a certificate's
	expiration longer than the CA's expiration

2015-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testpkcs11: testpkcs11: detect softhsm2

2015-01-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-global-load.c, tests/mini-x509.c, tests/priorities.c,
	tests/record-sizes.c: tests: account for disabling of ARCFOUR where
	needed

2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-cfg.c: certtool: modified check for READ_NUMERIC

2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-cfg.c: certtool: use 64-bit type for CRL serial
	number

2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-cfg.c: certtool: check for overflows when reading
	serial numbers

2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-cfg.c, src/certtool-cfg.h: certtool: use int64_t as
	type for integers read

2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/socket.c: gnutls-cli-debug: more precise handling of SMTP
	protocol. Patch by Andreas Metzler.

2015-01-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* gl/Makefile.am, gl/alloca.in.h, gl/asnprintf.c, gl/asprintf.c,
	gl/base64.c, gl/base64.h, gl/byteswap.in.h, gl/c-ctype.c,
	gl/c-ctype.h, gl/errno.in.h, gl/float+.h, gl/float.c,
	gl/float.in.h, gl/fstat.c, gl/ftell.c, gl/ftello.c, gl/getdelim.c,
	gl/getline.c, gl/gettext.h, gl/gettimeofday.c, gl/hash-pjw-bare.c,
	gl/hash-pjw-bare.h, gl/intprops.h, gl/itold.c, gl/lseek.c,
	gl/m4/00gnulib.m4, gl/m4/absolute-header.m4, gl/m4/alloca.m4,
	gl/m4/base64.m4, gl/m4/byteswap.m4, gl/m4/codeset.m4,
	gl/m4/errno_h.m4, gl/m4/exponentd.m4, gl/m4/extensions.m4,
	gl/m4/extern-inline.m4, gl/m4/fcntl-o.m4, gl/m4/fcntl_h.m4,
	gl/m4/fdopen.m4, gl/m4/float_h.m4, gl/m4/fpieee.m4,
	gl/m4/fseeko.m4, gl/m4/fstat.m4, gl/m4/ftell.m4, gl/m4/ftello.m4,
	gl/m4/func.m4, gl/m4/getdelim.m4, gl/m4/getline.m4,
	gl/m4/getpagesize.m4, gl/m4/gettext.m4, gl/m4/gettimeofday.m4,
	gl/m4/glibc2.m4, gl/m4/glibc21.m4, gl/m4/gnulib-cache.m4,
	gl/m4/gnulib-common.m4, gl/m4/gnulib-comp.m4, gl/m4/gnulib-tool.m4,
	gl/m4/iconv.m4, gl/m4/include_next.m4, gl/m4/intdiv0.m4,
	gl/m4/intl.m4, gl/m4/intldir.m4, gl/m4/intlmacosx.m4,
	gl/m4/intmax.m4, gl/m4/intmax_t.m4, gl/m4/inttypes-pri.m4,
	gl/m4/inttypes.m4, gl/m4/inttypes_h.m4, gl/m4/largefile.m4,
	gl/m4/lcmessage.m4, gl/m4/ld-output-def.m4,
	gl/m4/ld-version-script.m4, gl/m4/lib-ld.m4, gl/m4/lib-link.m4,
	gl/m4/lib-prefix.m4, gl/m4/lock.m4, gl/m4/longlong.m4,
	gl/m4/lseek.m4, gl/m4/malloc.m4, gl/m4/manywarnings.m4,
	gl/m4/math_h.m4, gl/m4/memchr.m4, gl/m4/memmem.m4, gl/m4/minmax.m4,
	gl/m4/mmap-anon.m4, gl/m4/msvc-inval.m4, gl/m4/msvc-nothrow.m4,
	gl/m4/multiarch.m4, gl/m4/netdb_h.m4, gl/m4/netinet_in_h.m4,
	gl/m4/nls.m4, gl/m4/off_t.m4, gl/m4/po.m4, gl/m4/printf-posix.m4,
	gl/m4/printf.m4, gl/m4/progtest.m4, gl/m4/read-file.m4,
	gl/m4/realloc.m4, gl/m4/size_max.m4, gl/m4/snprintf.m4,
	gl/m4/socklen.m4, gl/m4/sockpfaf.m4, gl/m4/ssize_t.m4,
	gl/m4/stdalign.m4, gl/m4/stdbool.m4, gl/m4/stddef_h.m4,
	gl/m4/stdint.m4, gl/m4/stdint_h.m4, gl/m4/stdio_h.m4,
	gl/m4/stdlib_h.m4, gl/m4/strcase.m4, gl/m4/string_h.m4,
	gl/m4/strings_h.m4, gl/m4/strndup.m4, gl/m4/strnlen.m4,
	gl/m4/strtok_r.m4, gl/m4/strverscmp.m4, gl/m4/sys_socket_h.m4,
	gl/m4/sys_stat_h.m4, gl/m4/sys_time_h.m4, gl/m4/sys_types_h.m4,
	gl/m4/sys_uio_h.m4, gl/m4/threadlib.m4, gl/m4/time_h.m4,
	gl/m4/time_r.m4, gl/m4/uintmax_t.m4, gl/m4/ungetc.m4,
	gl/m4/unistd_h.m4, gl/m4/valgrind-tests.m4, gl/m4/vasnprintf.m4,
	gl/m4/vasprintf.m4, gl/m4/visibility.m4, gl/m4/vsnprintf.m4,
	gl/m4/warn-on-use.m4, gl/m4/warnings.m4, gl/m4/wchar_h.m4,
	gl/m4/wchar_t.m4, gl/m4/wint_t.m4, gl/m4/xsize.m4, gl/malloc.c,
	gl/memchr.c, gl/memmem.c, gl/minmax.h, gl/msvc-inval.c,
	gl/msvc-inval.h, gl/msvc-nothrow.c, gl/msvc-nothrow.h,
	gl/netdb.in.h, gl/netinet_in.in.h, gl/printf-args.c,
	gl/printf-args.h, gl/printf-parse.c, gl/printf-parse.h,
	gl/read-file.c, gl/read-file.h, gl/realloc.c, gl/size_max.h,
	gl/snprintf.c, gl/stdalign.in.h, gl/stdbool.in.h, gl/stddef.in.h,
	gl/stdint.in.h, gl/stdio-impl.h, gl/stdio.in.h, gl/stdlib.in.h,
	gl/str-two-way.h, gl/strcasecmp.c, gl/string.in.h, gl/strings.in.h,
	gl/strncasecmp.c, gl/strndup.c, gl/strnlen.c, gl/strtok_r.c,
	gl/strverscmp.c, gl/sys_socket.in.h, gl/sys_stat.in.h,
	gl/sys_time.in.h, gl/sys_types.in.h, gl/sys_uio.in.h,
	gl/tests/Makefile.am, gl/tests/binary-io.h, gl/tests/fcntl.in.h,
	gl/tests/fdopen.c, gl/tests/fpucw.h, gl/tests/getpagesize.c,
	gl/tests/init.sh, gl/tests/inttypes.in.h, gl/tests/macros.h,
	gl/tests/signature.h, gl/tests/test-alloca-opt.c,
	gl/tests/test-base64.c, gl/tests/test-binary-io.c,
	gl/tests/test-byteswap.c, gl/tests/test-c-ctype.c,
	gl/tests/test-errno.c, gl/tests/test-fcntl-h.c,
	gl/tests/test-fdopen.c, gl/tests/test-fgetc.c,
	gl/tests/test-float.c, gl/tests/test-fputc.c,
	gl/tests/test-fread.c, gl/tests/test-fstat.c,
	gl/tests/test-ftell.c, gl/tests/test-ftell3.c,
	gl/tests/test-ftello.c, gl/tests/test-ftello3.c,
	gl/tests/test-ftello4.c, gl/tests/test-func.c,
	gl/tests/test-fwrite.c, gl/tests/test-getdelim.c,
	gl/tests/test-getline.c, gl/tests/test-gettimeofday.c,
	gl/tests/test-iconv.c, gl/tests/test-init.sh,
	gl/tests/test-intprops.c, gl/tests/test-inttypes.c,
	gl/tests/test-memchr.c, gl/tests/test-netdb.c,
	gl/tests/test-netinet_in.c, gl/tests/test-read-file.c,
	gl/tests/test-snprintf.c, gl/tests/test-stdalign.c,
	gl/tests/test-stdbool.c, gl/tests/test-stddef.c,
	gl/tests/test-stdint.c, gl/tests/test-stdio.c,
	gl/tests/test-stdlib.c, gl/tests/test-string.c,
	gl/tests/test-strings.c, gl/tests/test-strnlen.c,
	gl/tests/test-strverscmp.c, gl/tests/test-sys_socket.c,
	gl/tests/test-sys_stat.c, gl/tests/test-sys_time.c,
	gl/tests/test-sys_types.c, gl/tests/test-sys_uio.c,
	gl/tests/test-sys_wait.h, gl/tests/test-time.c,
	gl/tests/test-u64.c, gl/tests/test-unistd.c,
	gl/tests/test-vasnprintf.c, gl/tests/test-vasprintf.c,
	gl/tests/test-vc-list-files-cvs.sh,
	gl/tests/test-vc-list-files-git.sh, gl/tests/test-verify.c,
	gl/tests/test-vsnprintf.c, gl/tests/test-wchar.c,
	gl/tests/zerosize-ptr.h, gl/time.in.h, gl/time_r.c, gl/u64.h,
	gl/unistd.in.h, gl/vasnprintf.c, gl/vasnprintf.h, gl/vasprintf.c,
	gl/verify.h, gl/vsnprintf.c, gl/wchar.in.h, gl/xsize.h,
	src/gl/Makefile.am, src/gl/accept.c, src/gl/alloca.in.h,
	src/gl/arpa_inet.in.h, src/gl/asnprintf.c, src/gl/bind.c,
	src/gl/c-ctype.c, src/gl/c-ctype.h, src/gl/close.c,
	src/gl/connect.c, src/gl/dup2.c, src/gl/errno.in.h, src/gl/error.c,
	src/gl/error.h, src/gl/exitfail.c, src/gl/exitfail.h,
	src/gl/fd-hook.c, src/gl/fd-hook.h, src/gl/float+.h,
	src/gl/float.c, src/gl/float.in.h, src/gl/fseek.c, src/gl/fseeko.c,
	src/gl/fstat.c, src/gl/ftell.c, src/gl/ftello.c,
	src/gl/gai_strerror.c, src/gl/getaddrinfo.c, src/gl/getdelim.c,
	src/gl/getline.c, src/gl/getpass.c, src/gl/getpass.h,
	src/gl/getpeername.c, src/gl/gettext.h, src/gl/gettime.c,
	src/gl/gettimeofday.c, src/gl/inet_ntop.c, src/gl/inet_pton.c,
	src/gl/intprops.h, src/gl/itold.c, src/gl/listen.c, src/gl/lseek.c,
	src/gl/m4/00gnulib.m4, src/gl/m4/absolute-header.m4,
	src/gl/m4/alloca.m4, src/gl/m4/arpa_inet_h.m4, src/gl/m4/bison.m4,
	src/gl/m4/clock_time.m4, src/gl/m4/close.m4, src/gl/m4/dup2.m4,
	src/gl/m4/eealloc.m4, src/gl/m4/environ.m4, src/gl/m4/errno_h.m4,
	src/gl/m4/error.m4, src/gl/m4/exponentd.m4,
	src/gl/m4/extensions.m4, src/gl/m4/extern-inline.m4,
	src/gl/m4/float_h.m4, src/gl/m4/fseek.m4, src/gl/m4/fseeko.m4,
	src/gl/m4/fstat.m4, src/gl/m4/ftell.m4, src/gl/m4/ftello.m4,
	src/gl/m4/getaddrinfo.m4, src/gl/m4/getdelim.m4,
	src/gl/m4/getline.m4, src/gl/m4/getpass.m4, src/gl/m4/gettime.m4,
	src/gl/m4/gettimeofday.m4, src/gl/m4/gnulib-cache.m4,
	src/gl/m4/gnulib-common.m4, src/gl/m4/gnulib-comp.m4,
	src/gl/m4/gnulib-tool.m4, src/gl/m4/hostent.m4,
	src/gl/m4/include_next.m4, src/gl/m4/inet_ntop.m4,
	src/gl/m4/inet_pton.m4, src/gl/m4/intmax_t.m4,
	src/gl/m4/inttypes_h.m4, src/gl/m4/largefile.m4,
	src/gl/m4/longlong.m4, src/gl/m4/lseek.m4, src/gl/m4/malloc.m4,
	src/gl/m4/malloca.m4, src/gl/m4/math_h.m4, src/gl/m4/memchr.m4,
	src/gl/m4/minmax.m4, src/gl/m4/mktime.m4, src/gl/m4/mmap-anon.m4,
	src/gl/m4/msvc-inval.m4, src/gl/m4/msvc-nothrow.m4,
	src/gl/m4/multiarch.m4, src/gl/m4/netdb_h.m4,
	src/gl/m4/netinet_in_h.m4, src/gl/m4/off_t.m4,
	src/gl/m4/parse-datetime.m4, src/gl/m4/printf.m4,
	src/gl/m4/read-file.m4, src/gl/m4/realloc.m4, src/gl/m4/select.m4,
	src/gl/m4/servent.m4, src/gl/m4/setenv.m4, src/gl/m4/signal_h.m4,
	src/gl/m4/size_max.m4, src/gl/m4/snprintf.m4,
	src/gl/m4/socketlib.m4, src/gl/m4/sockets.m4, src/gl/m4/socklen.m4,
	src/gl/m4/sockpfaf.m4, src/gl/m4/ssize_t.m4, src/gl/m4/stdalign.m4,
	src/gl/m4/stdbool.m4, src/gl/m4/stddef_h.m4, src/gl/m4/stdint.m4,
	src/gl/m4/stdint_h.m4, src/gl/m4/stdio_h.m4, src/gl/m4/stdlib_h.m4,
	src/gl/m4/strdup.m4, src/gl/m4/strerror.m4, src/gl/m4/string_h.m4,
	src/gl/m4/sys_select_h.m4, src/gl/m4/sys_socket_h.m4,
	src/gl/m4/sys_stat_h.m4, src/gl/m4/sys_time_h.m4,
	src/gl/m4/sys_types_h.m4, src/gl/m4/sys_uio_h.m4,
	src/gl/m4/time_h.m4, src/gl/m4/time_r.m4, src/gl/m4/timespec.m4,
	src/gl/m4/tm_gmtoff.m4, src/gl/m4/unistd_h.m4,
	src/gl/m4/vasnprintf.m4, src/gl/m4/warn-on-use.m4,
	src/gl/m4/wchar_h.m4, src/gl/m4/wchar_t.m4, src/gl/m4/wint_t.m4,
	src/gl/m4/xalloc.m4, src/gl/m4/xsize.m4, src/gl/malloc.c,
	src/gl/malloca.c, src/gl/malloca.h, src/gl/memchr.c,
	src/gl/minmax.h, src/gl/mktime.c, src/gl/msvc-inval.c,
	src/gl/msvc-inval.h, src/gl/msvc-nothrow.c, src/gl/msvc-nothrow.h,
	src/gl/netdb.in.h, src/gl/netinet_in.in.h, src/gl/parse-datetime.h,
	src/gl/parse-datetime.y, src/gl/printf-args.c,
	src/gl/printf-args.h, src/gl/printf-parse.c, src/gl/printf-parse.h,
	src/gl/progname.c, src/gl/progname.h, src/gl/read-file.c,
	src/gl/read-file.h, src/gl/realloc.c, src/gl/recv.c,
	src/gl/recvfrom.c, src/gl/select.c, src/gl/send.c, src/gl/sendto.c,
	src/gl/setenv.c, src/gl/setsockopt.c, src/gl/shutdown.c,
	src/gl/signal.in.h, src/gl/size_max.h, src/gl/snprintf.c,
	src/gl/socket.c, src/gl/sockets.c, src/gl/sockets.h,
	src/gl/stdalign.in.h, src/gl/stdbool.in.h, src/gl/stddef.in.h,
	src/gl/stdint.in.h, src/gl/stdio-impl.h, src/gl/stdio.in.h,
	src/gl/stdlib.in.h, src/gl/strdup.c, src/gl/strerror-override.c,
	src/gl/strerror-override.h, src/gl/strerror.c, src/gl/string.in.h,
	src/gl/sys_select.in.h, src/gl/sys_socket.in.h,
	src/gl/sys_stat.in.h, src/gl/sys_time.in.h, src/gl/sys_types.in.h,
	src/gl/sys_uio.in.h, src/gl/time.in.h, src/gl/time_r.c,
	src/gl/timespec.h, src/gl/unistd.in.h, src/gl/unsetenv.c,
	src/gl/vasnprintf.c, src/gl/vasnprintf.h, src/gl/verify.h,
	src/gl/w32sock.h, src/gl/wchar.in.h, src/gl/xalloc-die.c,
	src/gl/xalloc-oversized.h, src/gl/xalloc.h, src/gl/xmalloc.c,
	src/gl/xsize.h: updated gnulib

2015-01-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-debug.c: gnutls-cli-debug: corrected the skip of ignored
	checks

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/output.c: use explicit casts in the dummy ip conversion
	functions

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi, doc/cha-intro-tls.texi,
	lib/gnutls_priority.c: ARCFOUR-128 is disabled by default

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/system-keys-win.c: system-keys-win: use LoadLibraryA to load
	ncrypt.dll

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* Makefile.am, devel/abi3.4.xml: Updated abi-compliance-checker for
	3.4 API

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* Makefile.am, symbols.last: updated export symbols list (due to ABI
	breakage)

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am: doc: updated auto-generated files

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/doc.mk, doc/manpages/Makefile.am: generate manpages for urls.h
	and system-keys.h

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/pkcs11-get-issuer.c: tests: added check for
	gnutls_x509_trust_list_get_issuer_by_dn()

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/libgnutls.map: updated libgnutls.map for new functions

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/doc.mk, doc/manpages/Makefile.am: doc:
	updated auto-generated files and added urls.h

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am, tests/cert-tests/certtool: tests:
	added checks for the new --key-id and --fingerprint certtool options

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool.c: certtool: Added
	--fingerprint and --key-id options

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: --pubkey-info will load a public key
	from stdin

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/system.h: include netinet/in.h if present to access ipv6
	related structures. Based on patch by Rumko.  https://savannah.gnu.org/support/?108713

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_priority.c: VERS-ALL adds all protocols if used with
	'+'

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi, lib/gnutls_priority.c: priority strings
	VERS-TLS-ALL and VERS-DTLS-ALL are restricted to the corresponding
	protocols. That introduces VERS-ALL which behaves as VERS-TLS-ALL previously.

2014-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/gnutls.h.in: gnutls.h: made DTLS protocol
	version numbering distinct

2014-12-30  Matthias-Christian Ott <ott@mirix.org>

	* lib/gnutls_cipher_int.c: Don't call _gnutls_cipher_encrypt2 with
	textlen = 0 in _gnutls_auth_cipher_encrypt2_tag. If the plaintext is shorter than the block size of the used cipher,
	_gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with
	textlen = 0. By definition _gnutls_cipher_encrypt2 does nothing in
	this case and thus does not need to be called.

2014-12-30  Matthias-Christian Ott <ott@mirix.org>

	* lib/accelerated/x86/aes-gcm-padlock.c,
	lib/accelerated/x86/aes-padlock.c: Handle zero length plaintext for
	VIA PadLock functions. If the plaintext is shorter than the block size of the used cipher,
	_gnutls_auth_cipher_encrypt2_tag calls _gnutls_cipher_encrypt2 with
	textlen = 0. padlock_ecb_encrypt and padlock_cbc_encrypt assume that
	the plaintext length (last parameter) is greater than zero and
	segfault otherwise. The assembler code for both functions is
	automatically generated and imported from OpenSSL, so to ease
	maintenance the length should be validated in the functions that
	call padlock_ecb_encrypt or padlock_cbc_encrypt.

2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/system.c: use backslashes in windows path

2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/openpgp-keyring.c: tests: enhanced openpgp-keyring test

2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/openpgp/output.c: openpgp: properly print names in oneline
	output as well

2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/openpgp/output.c: updates in openpgp DSA key printing

2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/openpgp/output.c: properly print openpgp names

2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/opencdk/Makefile.am: opencdk: print all warnings on
	compilation

2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/opencdk/armor.c: opencdk: eliminated warning from armor.c

2014-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/opencdk/keydb.c: removed cache support for opencdk's keydb. Its implementation looked buggy.

2014-12-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: updated guile comments

2014-12-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-debug.c, src/common.c, src/tests.c: tools: use OCSP
	functions only when OCSP is enabled

2014-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_pubkey.c: Corrected encoding and decoding of ANSI X9.62. That affects gnutls_pubkey_export_ecc_x962() and
	gnutls_pubkey_import_ecc_x962().

2014-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/p11tool-args.def: tools: document the
	available curves

2014-12-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c,
	tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c,
	tests/suite/pkcs11-privkey.c, tests/suite/softhsm.h,
	tests/suite/testpkcs11.softhsm: PKCS #11 tests: ported to softhsmv2. The C programs still rely on softhsmv1 since there are issues with
	softhsmv2 and CKA_TRUSTED.
	https://bugzilla.redhat.com/show_bug.cgi?id=1177086

2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/safe-memfuncs.c: updated documentation of gnutls_memcmp()

2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-tokens.texi, lib/x509/x509.c: use everywhere the new name
	of gnutls_x509_crt_import_pkcs11_url

2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11_privkey.c: better cleanup in
	gnutls_pkcs11_privkey_import_url and allow reuse

2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/examples/Makefile.am, src/Makefile.am, src/gl/Makefile.am,
	src/gl/m4/gnulib-cache.m4, src/gl/m4/gnulib-comp.m4: completely
	separated the two gnulibs to avoid conflicts

2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* gl/Makefile.am, gl/m4/extensions.m4, gl/m4/extern-inline.m4,
	gl/m4/gnulib-comp.m4, gl/m4/iconv.m4, gl/m4/printf.m4,
	gl/m4/stdalign.m4, gl/m4/stddef_h.m4, gl/m4/stdio_h.m4,
	gl/stdalign.in.h, gl/stddef.in.h, gl/tests/test-fcntl-h.c,
	gl/tests/test-stddef.c, gl/unistd.in.h, gl/vasnprintf.c,
	src/gl/Makefile.am, src/gl/m4/extensions.m4,
	src/gl/m4/extern-inline.m4, src/gl/m4/gnulib-comp.m4,
	src/gl/m4/printf.m4, src/gl/m4/stdalign.m4, src/gl/m4/stddef_h.m4,
	src/gl/m4/stdio_h.m4, src/gl/parse-datetime.y,
	src/gl/stdalign.in.h, src/gl/stddef.in.h, src/gl/timespec.h,
	src/gl/unistd.in.h, src/gl/vasnprintf.c: updated gnulib

2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_privkey.c, lib/pkcs11_privkey.c, lib/urls.c,
	lib/urls.h, lib/x509/x509.c: dropped the sanitize URL approach

2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_int.h,
	lib/pkcs11_privkey.c, lib/pkcs11_secret.c, lib/pkcs11_write.c: 
	Instead of sanitizing URLs, use hints to support incomplete PKCS#11
	URIs

2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/x509/x509.c: 
	gnutls_x509_crt_import_url replaces
	gnutls_x509_crt_import_pkcs11_url

2014-12-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11.c: use p11_kit_uri_get_pin_source instead of
	p11_kit_uri_get_pinfile

2014-12-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2014-12-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/examples/ex-pkcs11-list.c: ex-pkcs11-list.c: updated for new
	API

2014-12-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/pkcs11.h, lib/libgnutls.map, lib/pkcs11.c,
	lib/x509/verify-high.c, lib/x509/verify-high2.c: combined
	gnutls_pkcs11_obj_attr_t with gnutls_pkcs11_obj_flags. That was done in an API-backwards compatible way. That introduces
	gnutls_pkcs11_obj_list_import_url3() and
	gnutls_pkcs11_obj_list_import_url4().

2014-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11.c,
	lib/x509/verify-high2.c: first attempt to unify obj_attrs with
	obj_flags

2014-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/pkcs11-is-known.c: tests: pkcs11-is-known checks
	whether the import of PKCS #11 objects as trusted certs works

2014-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-combo.c,
	tests/suite/pkcs11-get-issuer.c, tests/suite/pkcs11-is-known.c,
	tests/suite/pkcs11-privkey.c, tests/suite/softhsm.h,
	tests/suite/testpkcs11.softhsm: Added softhsm.h to share code in
	softhsm detection

2014-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11_int.h, lib/x509/verify-high2.c: Directly import PKCS
	#11 object URLs as trusted certificates. That is, don't treat them as trusted modules, because they aren't a
	token URL, but rather a direct reference to specific objects.

2014-12-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_psk.c: PSK: added sanity check on PSK key size set

2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/tests.c: gnutls-cli-debug: removed ARCFOUR-40 from the ciphers
	to use. It is no longer supported.

2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_str.c: _gnutls_buffer_append_data returns zero on
	success

2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_buffers.c, lib/gnutls_record.c: corrected documentation
	for the cork/uncork functions. Reported by Jaak Ristioja.

2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_record.c: doc update

2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/protocols.c: Added more precise version check in
	_gnutls_version_lowest

2014-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_record.c: corrected documentation of gnutls_cork()

2014-12-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_str.c: Added 32-bit overflow protection in
	_gnutls_buffer_append_data()

2014-12-17  Jaak Ristioja <jaak.ristioja@cyber.ee>

	* lib/gnutls_str.c: Remove redundant condition in
	align_allocd_with_data().  At all call-sites of align_allocd_with_data() dest->data is
	non-NULL.  Signed-off-by: Jaak Ristioja <jaak.ristioja@cyber.ee>

2014-12-17  Jaak Ristioja <jaak.ristioja@cyber.ee>

	* lib/gnutls_str.c: Deduplicated some code in
	_gnutls_buffer_append_data().  Signed-off-by: Jaak Ristioja <jaak.ristioja@cyber.ee>

2014-12-17  Jaak Ristioja <jaak.ristioja@cyber.ee>

	* lib/gnutls_str.c: Explicitly marked some variables const in
	_gnutls_buffer_append_data().

	Signed-off-by: Jaak Ristioja <jaak.ristioja@cyber.ee>

2014-12-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* devel/DCO/people-dco.txt: DCO: added Jaak Ristioja

2014-12-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/cipher-test.c: test-ciphers: do not fail on processors
	which don't have the AES-NI instructions

2014-12-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_str.c: _gnutls_buffer_*: moved common operations to
	function

2014-12-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_str.c: _gnutls_buffer_append_data: moved common code
	outside the if-clause

2014-12-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-main-polarssl: tests: disable SSL 3.0
	checks with polarssl

	It seems that SSL 3.0 is disabled in Debian's polarssl.

2014-12-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testdane: testdane: removed www.vulcano.cl from good
	hosts

2014-12-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/x509cert-tl.c: tests: enhanced x509cert-tl

	Verify gnutls_x509_trust_list_verify_crt2() in combination with
	gnutls_x509_trust_list_add_named_crt().

2014-12-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify-high.c: use
	gnutls_x509_trust_list_verify_named_crt in
	gnutls_x509_trust_list_verify_crt2

2014-12-12  Ludovic Courtès <ludo@gnu.org>

	* NEWS: Update 'NEWS'.

2014-12-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/random.c: gnutls_rnd: doc update

2014-12-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/pkcs12.c: gnutls_pkcs12_simple_parse: doc update

2014-12-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* libdane/dane.c: improved documentation on dane

2014-12-11  Ludovic Courtès <ludo@gnu.org>

	* guile/tests/openpgp-keyring.scm: guile: Open binary file in binary
	mode, for the sake of MinGW.

	Reported by Eli Zaretskii <eliz@gnu.org>.

	* guile/tests/openpgp-keyring.scm: Use 'open-file' with "rb" instead
	  of 'open-input-file'.

2014-12-11  Ludovic Courtès <ludo@gnu.org>

	* guile/src/Makefile.am: guile: Link with '-no-undefined'.

	Fixes builds on MinGW.  Reported by Eli Zaretskii <eliz@gnu.org>.

	* guile/src/Makefile.am (guile_gnutls_v_2_la_LDFLAGS): Add
	  -no-undefined.

2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/pkcs11.c: p11tool: use Sleep() in windows

2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-cfg.c: certtool: ensure that default_serial_int is
	64-bits or more

2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/socket.c: use select() instead of alarm for better portability

	Based on patch by Eli Zaretskii.

2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* cross.mk: cross.mk: updated for 3.3.11

2014-12-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-backend.c: Allow a random generator with the same
	priority to re-register

	That corrects an issue where the library is deinitialized, and
	reinitialization wouldn't register the same rnd module.  Reported by
	Stanislav Zidek.

2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/x509cert.c: tests: x509cert: verify that length returned
	from gnutls_x509_crt_get_dn matches strlen

2014-12-11  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-main-openssl: testcompat: corrected usage
	of null cipher

2014-12-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/rnd-fips.c: added the .check function in FIPS140-2 code

2014-12-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/common.c: corrected typo

2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure: added option --without-idn

2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/aes-gcm-padlock.c,
	lib/accelerated/x86/aes-gcm-x86-aesni.c,
	lib/accelerated/x86/aes-gcm-x86-ssse3.c: accelerated: added required
	casts

2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi, lib/gnutls_priority.c: the priority string
	EXPORT is no more

2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/aes-ccm-x86-aesni.c: aesni-ccm: removed unused
	struct entries

2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/Makefile.am,
	lib/accelerated/x86/aes-ccm-x86-aesni.c,
	lib/accelerated/x86/aes-x86.h, lib/accelerated/x86/x86-common.c: 
	added AESNI accelerated CCM

2014-12-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/aes-gcm-padlock.c,
	lib/accelerated/x86/aes-gcm-x86-aesni.c,
	lib/accelerated/x86/aes-gcm-x86-ssse3.c: more nettle3 related
	changes

2014-12-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* libdane/dane.c: dane: use the new _gnutls_buffer_to_datum

2014-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/ocsp.c: tests: corrected the expected lengths in ocsp

2014-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_cert.c, lib/gnutls_session_pack.c, lib/gnutls_str.c,
	lib/gnutls_str.h, lib/openpgp/output.c, lib/pkcs11.c, lib/tpm.c,
	lib/x509/dn.c, lib/x509/ocsp_output.c, lib/x509/output.c: 
	_gnutls_buffer_to_datum: includes code for exporting strings

2014-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify-high.c: when the trusted list contains a non-CA
	certificate warn via the audit log

2014-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/ciphersuites.c: modified the CCM ciphersuite's name
	to match the one in the IANA registry

2014-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/ciphersuite/scan-gnutls.sh,
	tests/suite/ciphersuite/test-ciphers.js: ciphersuite test: enhanced
	check for correct ciphersuites

2014-12-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/ciphersuite/scan-gnutls.sh: ciphersuites tests: add
	missing includes

2014-12-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/ciphersuite/scan-gnutls.sh: ciphersuite tests: define
	HAVE_CONFIG_H

2014-12-04  Ludovic Courtès <ludo@gnu.org>

	* guile/src/Makefile.am: guile: Build with warnings.

	* guile/src/Makefile.am (AM_CFLAGS) [HAVE_GCC]: Add -Wall -Wextra
	  -Wno-unused-parameter.

2014-12-04  Ludovic Courtès <ludo@gnu.org>

	* guile/modules/Makefile.am, guile/modules/gnutls.in,
	guile/modules/gnutls/build/priorities.scm, guile/src/Makefile.am,
	guile/src/core.c, guile/src/make-session-priorities.scm,
	guile/tests/session-record-port.scm, guile/tests/x509-auth.scm: 
	guile: Remove the deprecated priority API.

	* guile/modules/gnutls/build/priorities.scm: Remove.
	* guile/src/make-session-priorities.scm: Remove.
	* guile/modules/Makefile.am (EXTRA_DIST): Adjust accordingly.
	* guile/src/Makefile.am (EXTRA_DIST): Likewise.
	  (GENERATED_BINDINGS): Remove 'priorities.i.c'.
	  (priorities.i.c): Remove target.
	* guile/src/core.c: Don't include it.
	  (scm_gnutls_set_default_priority_x): Remove.
	* guile/modules/gnutls.in (gnutls): Adjust export list.
	* guile/tests/session-record-port.scm: Use
	  'set-session-priorities!'.
	* guile/tests/x509-auth.scm: Likewise.

2014-12-04  Ludovic Courtès <ludo@gnu.org>

	* doc/gnutls-guile.texi, guile/modules/gnutls.in,
	guile/modules/gnutls/build/smobs.scm, guile/src/core.c,
	guile/tests/openpgp-auth.scm, guile/tests/x509-auth.scm: guile:
	Remove RSA parameters and related procedures.

	* guile/modules/gnutls/build/smobs.scm (%rsa-parameters-smob):
	  Remove.
	  (%gnutls-smobs): Remove it.
	* guile/src/core.c (scm_gnutls_make_rsa_parameters,
	  scm_gnutls_pkcs1_import_rsa_parameters,
	  scm_gnutls_pkcs1_export_rsa_parameters,
	  scm_gnutls_set_certificate_credentials_rsa_export_params_x):
	  Remove.
	* guile/modules/gnutls.in: Adjust export list.
	* guile/tests/openpgp-auth.scm (import-rsa-params): Remove.
	  Remove references to it and to
	  'set-certificate-credentials-rsa-export-parameters!'.
	* guile/tests/x509-auth.scm: Likewise.
	* doc/gnutls-guile.texi (Representation of Binary Data): Remove
	  references to RSA parameters.  Adjust example accordingly.
	  (OpenPGP Authentication Guile Example): Likewise.

2014-12-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/TODO: updated TODO list

2014-12-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/libgnutls.map: removed several of the unneeded exported
	internal symbols

2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-upgrade.texi: doc: corrected typo

2014-11-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/nettle/cipher.c: use unsigned long in gcm_cast_st

2014-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/cipher.c: corrected issue in AES-256-GCM

2014-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/slow/Makefile.am, tests/slow/test-ciphers: tests: enhanced
	cipher check to include all ciphers.

2014-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/cipher.c: simplified abstractions over nettle based on
	Niels' comments.

2014-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-api.c: API doc update

2014-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-selftests.c: Added test vectors for CCM mode

2014-11-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/cipher.c: CCM: corrected AEAD decryption

2014-11-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_priority.c: CCM mode moved to the lowest priority

2014-11-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/aes-gcm-aead.h: aes-gcm-aead.h: generalized

2014-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/benchmark-tls.c: gnutls-cli: added benchmark for CCM

2014-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/priorities.c, tests/suite/testcompat-main-polarssl: tests:
	updated for AES-128-CCM ciphersuites

2014-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_cipher.c: use the new AEAD API in gnutls_cipher.c

2014-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms/ciphers.c, lib/algorithms/ciphersuites.c,
	lib/gnutls_priority.c, lib/includes/gnutls/gnutls.h.in,
	lib/nettle/cipher.c: Added definitions for CCM ciphersuites

2014-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, doc/cha-crypto.texi, lib/accelerated/x86/Makefile.am,
	lib/accelerated/x86/aes-gcm-aead.h,
	lib/accelerated/x86/aes-gcm-padlock.c,
	lib/accelerated/x86/aes-gcm-x86-aesni.c,
	lib/accelerated/x86/aes-gcm-x86-pclmul.c,
	lib/accelerated/x86/aes-gcm-x86-ssse3.c, lib/crypto-api.c,
	lib/crypto-backend.h, lib/crypto-selftests.c,
	lib/gnutls_cipher_int.c, lib/gnutls_cipher_int.h,
	lib/includes/gnutls/crypto.h, lib/libgnutls.map,
	lib/nettle/cipher.c: Modified crypto backend to accommodate for the
	CCM ciphersuites

2014-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/int/dsa-fips.h, lib/nettle/int/dsa-keygen-fips186.c,
	lib/nettle/int/dsa-validate.c, lib/nettle/pk.c: More nettle2 updates
	(in FIPS140-2 mode)

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/aes-gcm-padlock.c,
	lib/accelerated/x86/aes-gcm-x86-aesni.c,
	lib/accelerated/x86/aes-gcm-x86-ssse3.c,
	lib/accelerated/x86/aes-padlock.c,
	lib/accelerated/x86/aes-padlock.h, lib/accelerated/x86/aes-x86.h,
	lib/accelerated/x86/sha-padlock.c,
	lib/accelerated/x86/sha-x86-ssse3.c, lib/nettle/Makefile.am,
	lib/nettle/cipher.c, lib/nettle/int/gcm-camellia.c,
	lib/nettle/int/gcm-camellia.h, lib/nettle/pk.c, m4/hooks.m4,
	tests/dsa/testdsa: ported to nettle 3.0

2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* m4/hooks.m4: reduced current soversion

2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, doc/cha-upgrade.texi, lib/libgnutls.map: documented the
	removal of deprecated functions

2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_priority.c: corrected comparison

2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/cert.c, lib/auth/cert.h, lib/gnutls_cert.c,
	lib/gnutls_priority.c, lib/gnutls_state.c,
	lib/includes/gnutls/compat.h: removed the old gnutls_retr_st
	compatibility functions

2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, lib/Makefile.am, lib/gnutls_rsa_export.c,
	lib/gnutls_ui.c, lib/includes/gnutls/compat.h, m4/hooks.m4: Removed
	binary compatibility with RSA-EXPORT using applications

2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_priority.c, lib/includes/gnutls/compat.h: removed the
	old priority functions

	That is: gnutls_cipher_set_priority, gnutls_mac_set_priority,
	gnutls_compression_set_priority, gnutls_kx_set_priority,
	gnutls_protocol_set_priority, gnutls_certificate_type_set_priority

2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/compat.h, lib/x509/x509.c: removed
	gnutls_x509_crt_verify_hash() and gnutls_x509_crt_verify_data()

2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_cert.c, lib/gnutls_int.h, lib/gnutls_sig.c,
	lib/includes/gnutls/compat.h: gnutls_sign_callback_set() and
	gnutls_sign_callback_get() were removed

2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/gnutls.h.in: renumbered fields in gnutls.h

2014-12-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/libgnutls.map, m4/hooks.m4: increased gnutls' soversion

2014-12-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/random.h: if the rnd structure doesn't provide check,
	_gnutls_rnd_check() will succeed

2014-11-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/x509-verify-with-crl.c: tests: Added
	check for verification using CRLs

2014-11-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/x509.c: Reorganized, and eliminated memory leak in
	_gnutls_x509_crt_check_revocation()

	Reported by Tim Rühsen.

2014-11-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/systemkey.c: systemkey: updated for new
	gnutls_system_key_iter_get_info

2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/system-keys.h, lib/system-keys-dummy.c,
	lib/system-keys-win.c: gnutls_system_key_iter_get_info() allows
	restricting results to a specific certificate type

2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_x509.c: removed unneeded variable

2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/gnutls.h.in, lib/includes/gnutls/pkcs11.h: doc
	update

2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: doc: added recommendation to use the higher
	level functions to load keys

2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-cfg.c: certtool: avoid gcc warnings

2014-11-25  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added
	check for whether %NO_EXTENSIONS is required

2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_ui.c: gnutls_session_get_desc: allow proper printing of
	the NULL KX

2014-11-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_ui.c: gnutls_session_get_desc will return NULL if
	initial negotiation is not complete

2014-11-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2014-11-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-chain-unsorted.c: tests: small fix in
	mini-chain-unsorted

2014-11-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_pcert.c, lib/gnutls_x509.c, lib/x509/common.c,
	lib/x509/common.h, lib/x509/x509.c: 
	GNUTLS_E_CERTIFICATE_LIST_UNSORTED can be returned from
	gnutls_pcert_import_x509_list

	That is when it cannot sort the list and GNUTLS_X509_CRT_LIST_SORT
	is specified.

2014-11-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_pcert.c: gnutls_pcert_import_x509_list: only sort the
	lists it can sort

2014-11-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2014-11-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system-keys-win.c: simplified windows URLs

2014-11-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system-keys-win.c: system-keys-win: include urls.h

2014-11-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/mini-cert-status.c,
	tests/mini-chain-unsorted.c: tests: added mini-chain-unsorted

2014-11-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_pcert.c, lib/gnutls_x509.c,
	lib/includes/gnutls/abstract.h, lib/includes/gnutls/x509.h,
	lib/libgnutls.map, lib/x509/common.c, lib/x509/common.h,
	lib/x509/verify-high.c, lib/x509/x509.c: Added flag
	GNUTLS_X509_CRT_LIST_SORT for gnutls_x509_crt_list_import*

	That also allows automatically sorting input chains to the
	gnutls_certificate_credentials_t structure.

2014-11-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/set_x509_key_file.c: tests: Added check
	for memory leaks when a file cannot be loaded.

2014-11-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_x509.c: gnutls_certificate_set_x509_key_*: eliminated
	memory leak when certificate could not be parsed

	Reported by Georg Richter.

2014-11-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* libdane/dane.c: libdane: undef gnutls_assert() before redefining
	it

2014-11-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/socket.c: gnutls-cli-debug: do not print error on unknown
	protocols

2014-11-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/set_x509_key_mem.c: tests: added leak
	check for gnutls_set_x509_key_mem2()

2014-11-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_x509.c: documented the limitations of the loading
	functions

2014-11-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_x509.c: corrected memleak in read_key_mem()

	Patch by Georg Richter.

2014-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: Added
	check for sorted certificate chain

2014-11-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_db.c: do not allow the resumption of a session which
	switches the state of ext_master_secret

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/rfc2253-escape-test: tests: run rfc2253-escape-test under
	valgrind

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/custom-urls.c: tests: enhanced custom-url check

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_privkey.c, lib/gnutls_x509.c: sanitize URLs at the
	proper place

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/x509.c: corrected freeing of custom URL

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-tokens.texi, lib/includes/gnutls/urls.h: doc update

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/suppressions.valgrind, tests/suppressions.valgrind: 
	Added memxor_different_alignment into suppressions

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-tokens.texi, lib/gnutls_x509.c,
	lib/includes/gnutls/urls.h, lib/urls.c, lib/urls.h: Allow the
	construction of chains with custom URLs

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitignore: updated ignored files

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/Makefile.am, src/{systemkey-tool.c => systemkey.c}: renamed
	systemkey-tool to systemkey, and don't install it by default

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/custom-urls.c: tests: added check for
	registration of custom URLs

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/urls.h, lib/libgnutls.map, lib/urls.c: export
	gnutls_register_custom_url

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_x509.c: correctly handle non-pkcs11 URLs in
	read_cert_url

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitignore: more files to ignore

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/Makefile.am, doc/cha-tokens.texi, lib/gnutls_privkey.c,
	lib/gnutls_pubkey.c, lib/gnutls_x509.c, lib/gnutls_x509.h,
	lib/includes/Makefile.am, lib/includes/gnutls/urls.h,
	lib/system-keys-win.c, lib/urls.c, lib/urls.h, lib/x509/x509.c: 
	Added the ability to register application specific URLs for keys and
	certs

2014-11-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/system-keys-win.c: system-keys-win: use macros for the URL

2014-11-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_handshake.c: doc update

2014-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/mini-rehandshake-2.c: tests: added test
	for GNUTLS_E_GOT_APPLICATION_DATA on rehandshake

2014-11-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_handshake.c, lib/gnutls_record.c: treat
	GNUTLS_E_GOT_APPLICATION_DATA as non-fatal if initial negotiation is
	complete

	This corrects a regression introduced in
	b5a0de2e6da98866cafb770c3141b7353d030ab2

	Reported by Dan Winship.
	https://savannah.gnu.org/support/?108690

2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: removed old news

2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/algorithms.h, lib/algorithms/protocols.c,
	lib/gnutls_handshake.c, lib/gnutls_int.h, lib/gnutls_priority.c: The
	record version in the client Hello will be set to the lowest
	supported protocol

	There should have been no harm in keeping it SSL 3.0 but
	unfortunately in draft-thomson-sslv3-diediedie-00 it has been marked
	as MUST NOT do that. That will be fixed in a later revision but
	since then there are servers not accepting SSL 3.0 as a valid record
	version (note that this is about the record version, which describes
	the format of the packet, nothing to do with the negotiated
	version).

2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_priority.c: Revert "The priority modifier
	%LATEST_RECORD_VERSION is now the default"

	This reverts commit 66c419cc6336ea9a2747574588ffee77458b838f.

2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp.c: deinitialize the OCSP response der data

	That also makes sure that reinitialization of ASN1 structures is
	done only when it is required.

2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/Makefile.am, lib/gnutls_priority.c,
	lib/includes/gnutls/gnutls.h.in, src/cli.c: 
	gnutls_priority_string_list: allow printing the special keywords as
	well.

2014-11-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/rnd-common.c: simplified code involving getrandom() and
	getentropy()

2014-11-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac: configure: detect android system and define a
	variable

2014-11-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/Makefile.am, lib/system-keys-dummy.c, lib/{system-keys.c =>
	system-keys-win.c}: separated system-keys implementations

2014-11-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/libgnutls.map: removed redundant local

2014-11-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testpkcs11: tests: added check for the abbreviated
	URLs which don't contain object information

2014-11-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/gnutls_x509.c, lib/pkcs11_privkey.c,
	lib/urls.c, lib/urls.h, lib/x509/x509.c: prior to importing objects
	with URLs sanitize them

	That allows to use out of band information to complete missing parts
	in URLs (e.g., object-type=cert, when there is a certificate).

2014-11-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/system-keys.c: compilation fixes

2014-11-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2014-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/Makefile.am, lib/gnutls_errors.c, lib/gnutls_global.c,
	lib/gnutls_privkey.c, lib/gnutls_sig.c, lib/gnutls_sig.h,
	lib/gnutls_str.c, lib/gnutls_str.h, lib/gnutls_x509.c,
	lib/includes/gnutls/abstract.h, lib/includes/gnutls/gnutls.h.in,
	lib/includes/gnutls/pkcs11.h, lib/includes/gnutls/system-keys.h,
	lib/includes/gnutls/x509.h, lib/libgnutls.map, lib/pkcs11.c,
	lib/pkcs11_int.h, lib/system-keys.c, lib/system-keys.h,
	lib/x509/Makefile.am, lib/x509/x509.c, src/Makefile.am,
	src/systemkey-args.def, src/systemkey-tool.c: Added API to
	read/write/delete key-cert pairs (limited to windows for now)

2014-11-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_priority.c: NORMAL priority: prioritize the less than
	256-bits curves at the lowest level

2014-11-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def, src/certtool-cfg.c, src/certtool-cfg.h,
	src/certtool.c: certtool: Allow to set the nonRepudiation,
	keyAgreement and dataEncipherment flags

2014-11-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool-args.def: list the OIDs in the certtool cfg file
	documentation

2014-11-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/fips.c, lib/fips.h, lib/gnutls_global.c: properly reset the
	zombie mode in FIPS mode

	This amends 9158f590f4a18c84fc9eb41877b29d73b30af879

2014-11-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/TODO: doc update

2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_x509.c: partially reverted
	999d221fd2241ff73f884bf33d8cbe6eb8299184

	That change allows to use the intermediate certificates in chains as
	OCSP anchors.

2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: print message when the system trust is
	used

2014-11-14  David Weber <dave@veryflatcat.com>

	* src/cli.c, src/serv.c: Fixed SRTP profile configuration in cli.c
	and serv.c.

	I have tested the fix in 3.3.10. This commit is UNTESTED as I am
	unable to compile gnutls (./configure complains about gl_INIT and
	ggl_INIT).

	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/ocsp.c: tests: ocsp: added the signature in check

2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/ocsp_output.c: only print about additional certificates
	if they are present

2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp.c: ocsp: fix DN decoding in
	gnutls_ocsp_resp_get_responder_raw_id

2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/ocsp.c: tests: ocsp: added check with a long response

2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp.c: use the original DER/BER data when verifying an
	OCSP response

2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_pubkey.c: _pkcs1_rsa_verify_sig() simplify hashing

2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp.c: ocsp: eliminated duplicate code

2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def: clarified the multiple paths printing of
	the verify options

2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c: gnutls-cli: allow printing the certificates in OCSP
	responses when --print-cert is specified

2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_x509.c, lib/x509/ocsp.c: updated OCSP verification code
	to better use the trust list, and the KeyHash

2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp_output.c: OCSP printing: Add header in front of
	certificates

2014-11-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/includes/gnutls/x509.h,
	lib/pkcs11.c, lib/x509/verify-high.c: added
	gnutls_pkcs11_get_raw_issuer_by_dn and
	gnutls_x509_trust_list_get_issuer_by_dn

2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/cli-debug.c, src/tests.c, src/tests.h: gnutls-cli-debug: check
	for OCSP status response

2014-11-14  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/crq: corrected crq test case; reported by Andreas
	Metzler

2014-11-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11.c: set the GNUTLS_PIN_CONTEXT_SPECIFIC flag on PIN
	callback

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/ocsp.h, lib/libgnutls.map, lib/x509/ocsp.c,
	lib/x509/ocsp_output.c, tests/ocsp.c: replaced
	gnutls_ocsp_resp_get_responder_by_key with
	gnutls_ocsp_resp_get_responder_raw_id

	In addition reverted gnutls_ocsp_resp_get_responder() to the old
	buggy behavior of returning 0 if the element was missing.

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: make sure that GNUTLS_PKCS_PLAIN is set
	when no password should be asked

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey.c: gnutls_x509_privkey_import2: will not use a
	callback if GNUTLS_PKCS_PLAIN is specified

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/fips.c: the FIPS140-2 testing mode is disabled after
	self-checks

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/ocsp.c: updated OCSP tests to account for the new key ID

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp.c: doc update and gnutls_ocsp_resp_get_responder()
	will always initialize output data

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/rnd-common.c: _rnd_get_event: use memset to avoid
	valgrind complaints

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c: gnutls-cli: print the OCSP response in verbose mode

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp.c: corrected documentation of OCSP response
	verification

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/ocsp.h, lib/libgnutls.map, lib/x509/ocsp.c,
	lib/x509/ocsp_output.c: Added
	gnutls_ocsp_resp_get_responder_by_key()

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/dn.c: dn parsing: return
	GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when DN is not available

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-args.def, src/cli.c, src/common.c: gnutls-cli: added
	option to save the OCSP response

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/abstract_int.h, lib/gnutls_privkey.c, lib/gnutls_sig.c,
	lib/includes/gnutls/abstract.h: added the notion of preferred sign
	algorithm in a private key

	This can be set for keys imported with gnutls_privkey_import_ext3()
	with the info callback. It is only considered for client side keys
	in TLS sessions.

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi, lib/ext/ext_master_secret.c,
	lib/gnutls_int.h, lib/gnutls_priority.c, lib/priority_options.gperf: 
	Added priority string %NO_SESSION_HASH to prevent advertising the
	extended master secret extension

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/status_request.c: certificate status request response
	is optional according to RFC6066

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_ui.c, lib/includes/gnutls/gnutls.h.in, src/common.c: 
	Added flag GNUTLS_OCSP_SR_IS_AVAIL for
	gnutls_ocsp_status_request_is_checked

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/rnd-common.h: rnd: removed the packed attribute from
	event_st

	That prevents a SIGBUS on solaris sparc systems.  Reported by Thomas
	Thorberger.

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_priority.c: The priority modifier
	%LATEST_RECORD_VERSION is now the default

	This works around an issue with servers that forbid the SSL 3.0
	version number from the first packet of the record protocol.

2014-11-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c, src/tests.c, src/tests.h: added check for servers
	that disallow the SSL 3.0 record version

2014-11-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/common.c: gnutls-cli: print whether status request has been
	checked

2014-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_x509.c: doc update

2014-11-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_privkey.c, lib/includes/gnutls/x509.h,
	lib/libgnutls.map, lib/pin.c, lib/pin.h, lib/pkcs11.c, lib/tpm.c,
	lib/x509/privkey.c, lib/x509/x509_int.h: Enable PIN support to
	gnutls_x509_privkey_t

2014-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system.c, lib/system.h, lib/x509/common.c,
	lib/x509/x509_ext.c: _gnutls_ucs2_to_utf8() can handle little endian
	strings.

2014-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2014-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/Makefile.am, lib/crypto-api.c, lib/ext/session_ticket.c,
	lib/gnutls_cipher.c, lib/includes/gnutls/gnutls.h.in,
	lib/libgnutls.map, lib/{safe-memset.c => safe-memfuncs.c}: Added
	gnutls_memcmp() and exported it.

2014-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/abstract.h: indentation fix

2014-11-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2014-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs12.h, lib/libgnutls.map,
	lib/x509/pkcs12_bag.c: added gnutls_pkcs12_bag_set_privkey(). Conflicts: lib/libgnutls.map

2014-11-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/abstract_int.h, lib/gnutls_privkey.c,
	lib/includes/gnutls/abstract.h: dropped unused copy_func

2014-11-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/gnutls-idna.h: silence warning

2014-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* configure.ac, tests/cert-tests/Makefile.am, tests/cert-tests/crq: 
	Added check with the invalid crq sent by Sean Burford

2014-10-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_ecc.c: when exporting curve coordinates to X9.63
	format, perform additional sanity checks on input. Reported by Sean Burford.

2014-11-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2014-11-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-intro-tls.texi: doc update

2014-11-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, lib/ext/session_ticket.c, lib/gnutls_mem.h,
	lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map: exported
	gnutls_memset()

2014-11-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi, doc/cha-intro-tls.texi: doc: updated text
	on session tickets

2014-11-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/socket.c: tools: include arpa/inet.h in socket.c

2014-11-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/examples/ex-serv-dtls.c: doc: use the same port for DTLS
	client and server

2014-11-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11.c: pkcs11: pass the correct user type to protected
	authentication login

2014-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: doc: corrected values for INSECURE level

2014-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_write.c: 
	pkcs11: support the CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE flags

2014-11-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/pkcs11.h, lib/pkcs11.c, lib/pkcs11_write.c: 
	pkcs11: added the flag GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH

2014-11-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11_privkey.c: pkcs11: perform reauth at the appropriate
	state

2014-11-07  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* pkcs11_login: set the correct user type on reauthentication

	-----

	Copyright (C) 2005-2012 Free Software Foundation, Inc.

	Copying and distribution of this file, with or without
	modification, are permitted provided the copyright notice
	and this notice are preserved.
