author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-02-24 17:54:38 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-02-24 17:54:38 +0100 |
commit | 4ca034dab1e9e6323814da53d0edb4cdabbebb16 (patch) | |
tree | 919c44d3cd2942932633a835a5414dd5bb055fbc | |
parent | 786d7ec0a1c0967a671c5f9415f5a07c0cc6d787 (diff) | |
download | gnutls-4ca034dab1e9e6323814da53d0edb4cdabbebb16.tar.gz |
updated for 2.12
-rw-r--r-- | doc/announce.txt | 566 |
1 files changed, 226 insertions, 340 deletions
diff --git a/doc/announce.txt b/doc/announce.txt index 0e6b61f9ba..5a881d8062 100644 --- a/doc/announce.txt +++ b/doc/announce.txt @@ -1,7 +1,7 @@ To: help-gnutls@gnu.org, gnutls-devel@gnu.org, info-gnu@gnu.org -Subject: GnuTLS 2.10.0 released +Subject: GnuTLS 2.12.0 released <#part sign=pgpmime> -We are proud to announce a new stable GnuTLS release: Version 2.10.0. +We are proud to announce a new stable GnuTLS release: Version 2.12.0. GnuTLS is a modern C library that implements the standard network security protocol Transport Layer Security (TLS), for use by network 
@@ -22,301 +22,143 @@ The project page of the library is available at: What's New ========== -Version 2.10.0 is the first stable release on the 2.10.x branch and is -the result of 11 months of work on the experimental 2.9.x branch. The -GnuTLS 2.10.x branch replaces the GnuTLS 2.8.x branch as the supported -stable branch, although we will continue to support GnuTLS 2.8.x for +Version 2.12.0 is the first stable release on the 2.12.x branch and is +the result of 12 months of work on the experimental 2.11.x branch. The +GnuTLS 2.12.x branch replaces the GnuTLS 2.10.x branch as the supported +stable branch, although we will continue to support GnuTLS 2.10.x for some time. -** libgnutls: Time verification extended to trusted certificate list. -Unless new constant GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS flag is -specified. - -** certtool: Display postalCode and Name X.509 DN attributes correctly. -Based on patch by Pavan Konjarla. Adds new constant -GNUTLS_OID_X520_POSTALCODE and GNUTLS_OID_X520_NAME. - -** libgnutls: Added Steve Dispensa's patch for safe renegotiation (RFC 5746) -Solves the issue discussed in: -<http://www.ietf.org/mail-archive/web/tls/current/msg03928.html> and -<http://www.ietf.org/mail-archive/web/tls/current/msg03948.html>. -Note that to allow connecting to unpatched servers the full protection -is only enabled if the priority string %SAFE_RENEGOTIATION is -specified. You can check whether protection is in place by querying -gnutls_safe_renegotiation_status(). New error codes -GNUTLS_E_SAFE_RENEGOTIATION_FAILED and -GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED added. - -** libgnutls: When checking openpgp self signature also check the signatures -** of all subkeys. -Ilari Liusvaara noticed and reported the issue and provided test -vectors as well. +** libgnutls: Nettle is the default crypto back end. Use --with-libgcrypt +to use the libgcrypt back end. + +** libgnutls: Added PKCS #11 support and an API to access objects in +gnutls/pkcs11.h. 
Certificates and public keys can be +imported from tokens, and operations can be performed on private keys. + +** p11tool: Introduced. It allows manipulating pkcs 11 tokens. -** libgnutls: Added cryptodev support (/dev/crypto). -Tested with http://home.gna.org/cryptodev-linux/. Added -benchmark utility for AES. Adds new error codes -GNUTLS_E_CRYPTODEV_IOCTL_ERROR and GNUTLS_E_CRYPTODEV_DEVICE_ERROR. - -** libgnutls: Exported API to access encryption and hash algorithms. -The new API functions are gnutls_cipher_decrypt, gnutls_cipher_deinit, -gnutls_cipher_encrypt, gnutls_cipher_get_block_size, -gnutls_cipher_init, gnutls_hash, gnutls_hash_deinit, gnutls_hash_fast, -gnutls_hash_get_len, gnutls_hash_init, gnutls_hash_output, -gnutls_hmac, gnutls_hmac_deinit, gnutls_hmac_fast, -gnutls_hmac_get_len, gnutls_hmac_init, gnutls_hmac_output. New API -constants are GNUTLS_MAC_SHA224 and GNUTLS_DIG_SHA224. - -** libgnutls: Added gnutls_certificate_set_verify_function() to allow -verification of certificate upon receipt rather than waiting until the -end of the handshake. - -** libgnutls: Don't send alerts during handshake. -Instead new error code GNUTLS_E_UNKNOWN_SRP_USERNAME is added. - -** certtool: Corrected two issues that affected certificate request generation. -(1) Null padding is added on integers (found thanks to Wilankar Trupti), -(2) In optional SignatureAlgorithm parameters field for DSA keys the DSA -parameters were added. Those were rejected by Verisign. Gnutls no longer adds -those parameters there since other implementations don't do either and having -them does not seem to offer anything (anyway you need the signer's certificate -to verify thus public key will be available). Found thanks to Boyan Kasarov. -This however has the side-effect that public key IDs shown by certtool are -now different than previous gnutls releases. 
-(3) the option --pgp-certificate-info will verify self signatures - -** certtool: Allow exporting of Certificate requests on DER format. - -** certtool: New option --no-crq-extensions to avoid extensions in CSRs. - -** gnutls-cli: Handle reading binary data from server. -Reported by and tiny patch from Vitaly Mayatskikh -<v.mayatskih@gmail.com> in -<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4096>. - -** minitasn1: Upgraded to libtasn1 version 2.6. - -** doc: The GTK-DOC manual is significantly improved. - -** libgnutls: Cleanups and several bug fixes. -Found by Steve Grubb and Tomas Mraz. - -** Link libgcrypt explicitly to certtool, gnutls-cli, gnutls-serv. - -** Fix --disable-valgrind-tests. -Reported by Ingmar Vanhassel in -<https://savannah.gnu.org/support/?107029>. - -** libgnutls: Fix for memory leaks on interrupted handshake. -Reported by Tang Tong. - -** libgnutls: Addition of support for TLS 1.2 signature algorithms -** extension and certificate verify field. -This requires changes for TLS 1.2 servers and clients that use -callbacks for certificate retrieval. They are now required to check -with gnutls_sign_algorithm_get_requested() whether the certificate -they send complies with the peer's preferences in signature -algorithms. - -** libgnutls: In server side when resuming a session do not overwrite the -** initial session data with the resumed session data. - -** libgnutls: Added support for AES-128, AES-192 and AES-256 in PKCS #8 -** encryption. -This affects also PKCS #12 encoded files. This adds the following new -enums: GNUTLS_CIPHER_AES_192_CBC, GNUTLS_PKCS_USE_PBES2_AES_128, -GNUTLS_PKCS_USE_PBES2_AES_192, GNUTLS_PKCS_USE_PBES2_AES_256. - -** libgnutls: Fix PKCS#12 encoding. -The error you would get was "The OID is not supported.". Problem -introduced for the v2.8.x branch in 2.7.6. - -** certtool: Added the --pkcs-cipher option. -To explicitely specify the encryption algorithm to use. 
- -** tests: Added "pkcs12_encode" self-test to check PKCS#12 functions. - -** tests: Fix time bomb in chainverify self-test. -Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in -<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3925>. - -** tests: Fix expired cert in chainverify self-test. - -** libgnutls: TLS 1.2 server mode fixes. -Now interoperates against Opera. Contributed by Daiki Ueno. - -** libgnutlsxx: Fix link problems. -Tiny patch from Boyan Kasarov <bkasarov@gmail.com>. - -** guile: Compatibility with guile 2.x. -By Ludovic Courtes <ludovic.courtes@laas.fr>. - -** libgnutls: Enable Camellia ciphers by default. - -** libgnutls: Add new functions to extract X.509 Issuer Alternative Names. -The new functions are gnutls_x509_crt_get_issuer_alt_name2, -gnutls_x509_crt_get_issuer_alt_name, and -gnutls_x509_crt_get_issuer_alt_othername_oid. Contributed by Brad -Hards <bradh@frogmouth.net>. - -** libgnutls: Client-side TLS 1.2 and SHA-256 ciphersuites now works. -The new supported ciphersuites are AES-128/256 in CBC mode with -ANON-DH/RSA/DHE-DSS/DHE-RSA. Contributed by Daiki Ueno. Further, -SHA-256 is now the preferred default MAC (however it is only used with -TLS 1.2). - -** libgnutls: Make OpenPGP hostname checking work again. -The patch to resolve the X.509 CN/SAN issue accidentally broken -OpenPGP hostname comparison. - -** libgnutls: When printing X.509 certificates, handle XMPP SANs better. -Reported by Howard Chu <hyc@symas.com> in -<https://savannah.gnu.org/support/?106975>. - -** Fix use of deprecated types internally. -Use of deprecated types in GnuTLS from now on will lead to a compile -error, to prevent this from happening again. - -** libgnutls: Support for TLS tickets was contributed by Daiki Ueno. -The new APIs are gnutls_session_ticket_enable_client, -gnutls_session_ticket_enable_server, and -gnutls_session_ticket_key_generate. - -** gnutls-cli, gnutls-serv: New parameter --noticket to disable TLS tickets. 
- -** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields. -By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS -into 1) not printing the entire CN/SAN field value when printing a -certificate and 2) cause incorrect positive matches when matching a -hostname against a certificate. Some CAs apparently have poor -checking of CN/SAN values and issue these (arguable invalid) -certificates. Combined, this can be used by attackers to become a -MITM on server-authenticated TLS sessions. The problem is mitigated -since attackers needs to get one certificate per site they want to -attack, and the attacker reveals his tracks by applying for a -certificate at the CA. It does not apply to client authenticated TLS -sessions. Research presented independently by Dan Kaminsky and Moxie -Marlinspike at BlackHat09. Thanks to Tomas Hoger <thoger@redhat.com> -for providing one part of the patch. [GNUTLS-SA-2009-4] [CVE-2009-2730]. - -** libgnutls: Fix rare failure in gnutls_x509_crt_import. -The function may fail incorrectly when an earlier certificate was -imported to the same gnutls_x509_crt_t structure. - -** libgnutls: Fix return value of gnutls_certificate_client_get_request_status. -Before it always returned false. Reported by Peter Hendrickson -<pdh@wiredyne.com> in -<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>. - -** libgnutls: Fix off-by-one size computation error in unknown DN printing. -The error resulted in truncated strings when printing unknown OIDs in -X.509 certificate DNs. Reported by Tim Kosse -<tim.kosse@filezilla-project.org> in -<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>. - -** libgnutls: Fix PKCS#12 decryption from password. -The encryption key derived from the password was incorrect for (on -average) 1 in every 128 input for random inputs. Reported by "Kukosa, -Tomas" <tomas.kukosa@siemens-enterprise.com> in -<http://permalink.gmane.org/gmane.network.gnutls.general/1663>. 
- -** libgnutls: Return correct bit lengths of some MPIs. -gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and -gnutls_dh_get_peers_public_bits. Before the reported value was -overestimated. Reported by Peter Hendrickson <pdh@wiredyne.com> in -<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>. - -** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN. -Report and patch by Tim Kosse <tim.kosse@filezilla-project.org> in -<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671> -and -<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>. - -** libgnutls: Relax checking of required libtasn1/libgcrypt versions. -Before we required that the runtime library used the same (or more -recent) libgcrypt/libtasn1 as it was compiled with. Now we just check -that the runtime usage is above the minimum required. Reported by -Marco d'Itri <md@linux.it> via Andreas Metzler -<ametzler@downhill.at.eu.org> in <http://bugs.debian.org/540449>. - -** tests: Added new self-test pkcs12_s2k_pem to detect MPI bit length error. - -** tests: Improved test vectors in self-test pkcs12_s2k. - -** tests: Added new self-test dn2 to detect off-by-one size error. - -** tests: Fix failure in "chainverify" because a certificate have expired. - -** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle. -Forwarded by Martin von Gagern <Martin.vGagern@gmx.net> from -<http://bugs.gentoo.org/272388>. - -** Reduce stack usage for some CRQ functions. - -** Doc fixes for CRQ functions. - -TLS Renegotiation Attack -======================== - -This releases supports the new extension that hardens TLS -renegotiation, prompted by the recent discovery of a security flaw in -the protocol. 
We quote the manual which contains a discussion of the -problem and how the solution is implemented in GnuTLS: - -Some application protocols and implementations uses the TLS -renegotiation feature in a manner that enables attackers to insert -content of his choice in the beginning of a TLS session. - -The simplest example is HTTP. For HTTP one attack works by having the -attacker simulate a client and connect to a server, with server-only -authentication, and send some data intended to cause harm. When the -proper client attempts to contact the server, the attacker hijacks that -connection and uses the TLS renegotiation feature with the server and -splices in the client connection to the already established connection -between the client and server. The attacker will not be able to read -the data exchanged between the client and the server. However, some -server implementations will (incorrectly) assume that the data sent by -the attacker was sent by the now authenticated client. The result is a -prefix plain-text injection attack. - -While fixing these application protocols and implementations would be -one natural reaction, an extension to TLS has been designed that -cryptographically binds together any renegotiated handshakes with the -initial negotiation. When the extension is used, the attack is -detected and the session can be terminated. The extension is -specified in [RFC5746]. - -GnuTLS supports the safe renegotiation extension. By default, GnuTLS -clients will attempt to negotiate the safe renegotiation extension when -talking to servers. Also by default, GnuTLS servers will accept the -extension when presented by clients. However, by default GnuTLS client -and servers will not refuse renegotiation attempts when the extension -has not been negotiated, as this would break backwards compatibility -and cause too much operational problems. We will likely reconsider -these defaults in the future. 
- -To modify the default behaviour, we have introduced three new priority -strings. The priority strings can be used by applications -(gnutls_priority_set) and end users (e.g., `--priority' parameter to -`gnutls-cli' and `gnutls-serv'). - -The `%PARTIAL_RENEGOTIATION' priority string requests what is today the -default behaviour, i.e., that handshakes without the safe renegotiation -extension is permitted. To make more use of the extension, you may -provide the `%SAFE_RENEGOTIATION' priority string. In this mode, -clients and servers will require that the peer supports the extension for -the initial handshakes. To allow unsafe rengotiation the -`%UNSAFE_RENEGOTIATION' priority string is available. This will send -the extension if supported by peer but will never mandate it. -It is possible to disable use of the extension completely by using the -`%DISABLE_SAFE_RENEGOTIATION' priority string however this is -recommended against except for debugging. - -For applications we have introduced a new API related to safe -renegotiation. The gnutls_safe_renegotiation_status function is used -to check if the extension has been negotiated on a session, and can be -used both by clients and servers. - -API/ABI changes in GnuTLS 2.10 +** libgnutls: Added an abstract interface to access public keys +and private keys in gnutls/abstract.h. It allows easy handling +of private keys and public keys of all subsystems such as pkcs11, openpgp +and x509. + +** libgnutls: Added functions to ease selection of bit length in public +key algorithm key generation. Those are +gnutls_sec_param_to_pk_bits(), gnutls_pk_bits_to_sec_param(), +and gnutls_sec_param_get_name(). + +** libgnutls: Add new API gnutls_session_channel_binding. +The function is used to get the channel binding data. Currently only +the "tls-unique" (RFC 5929) channel binding type is supported, through +the GNUTLS_CB_TLS_UNIQUE type. See new section "Channel Bindings" in +the manual. 
+ +** libgnutls: Added gnutls_global_set_mutex() to allow setting +alternative locking procedures. By default the system available +locking is used. In *NIX pthreads are used and in windows the +critical section API. This follows a different approach than the +previous versions that depended on libgcrypt initialization. The +locks are now set by default in systems that support it. Programs +that used gcry_control() to set thread locks should insert it into +a block of +#if GNUTLS_VERSION_NUMBER <= 0x020b00 + gcry_control(...) +#endif + +** libgnutls: Added support for reading DN from EV-certificates. +New DN values: +jurisdictionOfIncorporationLocalityName, +jurisdictionOfIncorporationStateOrProvinceName, +jurisdictionOfIncorporationCountryName + +** gnutls-cli, gnutls-serv: Print 'tls-unique' Channel Bindings. + +** libgnutls: Added RSA_NULL_SHA1 and SHA256 ciphersuites. + +** libgnutls: Is now more liberal in the PEM decoding. That is spaces and +tabs are being skipped. + +** libgnutls: The %COMPAT flag now allows larger records that violate the +TLS spec. + +** libgnutls: Corrected signature generation and verification +in the Certificate Verify message when in TLS 1.2. Reported +by Todd A. Ouska. + +** libgnutls: gnutls_x509_privkey_import() will fallback to +gnutls_x509_privkey_import_pkcs8() without a password, if it +is unable to decode the key. + +** libgnutls: HMAC-MD5 no longer used by default. + +** libgnutls: Corrected issue in DHE-PSK ciphersuites that ignored +the PSK callback. + +** libgnutls: SRP and PSK are no longer set on the default priorities. +They have to be explicitly set. + +** libgnutls: During TLS 1.2 handshake message verification using DSS +use the hash algorithm required by it. In TLS 1.0, 1.1 and SSL 3.0 +SHA-1 is used always. + +** libgnutls: gnutls_x509_privkey_sign_hash() is deprecated. +Use gnutls_privkey_sign_hash() instead. 
+ +** libgnutls: gnutls_pubkey_verify_data, gnutls_pubkey_verify_hash, +gnutls_x509_privkey_verify_data, gnutls_x509_crt_verify_data, +gnutls_x509_crt_verify_hash return the negative error code +GNUTLS_E_PK_SIG_VERIFY_FAILED if verification fails to simplify error +checking. + +** libgnutls: Added helper functions for signature verification: +gnutls_pubkey_verify_data() and gnutls_pubkey_import_privkey(). + +** gnutls_x509_crl_privkey_sign2(), gnutls_x509_crq_sign2() +gnutls_x509_privkey_sign_hash(), gnutls_x509_privkey_sign_data(), +gnutls_x509_crt_verify_hash(), gnutls_x509_crt_verify_data(), were +deprecated for gnutls_x509_crl_privkey_sign(), +gnutls_x509_crq_privkey_sign(), gnutls_privkey_sign_hash(), +gnutls_privkey_sign_data(), gnutls_pubkey_verify_hash() +gnutls_pubkey_verify_data() respectively. + +** libgnutls: gnutls_*_export_raw() functions now add leading zero in +integers. + +** libgnutls: Added gnutls_transport_set_vec_push_function() that +can be used to specify a writev() like function. Using that gnutls +can provide more efficient writes to network layer in systems that +support it. + +** libgnutls: Record version of Client Hellos is now set by default to +SSL 3.0. To restore the previous default behavior use %LATEST_RECORD_VERSION +priority string. + +** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures. +This makes us comply with RFC3279. Reported by Michael Rommel. + +** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz. + +** libgnutls: Reverted default behavior for verification and +introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default +V1 trusted CAs are allowed, unless the new flag is specified. + +** libgnutls: Correctly add leading zero to PKCS #8 encoded DSA key. +Reported by Jeffrey Walton. + +** libgnutls: Added SIGN-ALL, CTYPE-ALL, COMP-ALL, and VERS-TLS-ALL +as priority strings. Those allow to set all the supported algorithms +at once. 
+ +** libgnutls: Added support for DSA signing/verifying with bit +length over 1024. + +** libgnutls-extra: When in FIPS mode gnutls_global_init_extra() +has to be called to register any required md5 handlers. + + + + +API/ABI changes in GnuTLS 2.12 ============================== No offically supported interfaces have been modified or removed. The 
@@ -325,56 +167,100 @@ and binary level. The following symbols have been added to the library: -gnutls_certificate_set_verify_function: ADDED. -gnutls_cipher_decrypt: ADDED. -gnutls_cipher_deinit: ADDED. -gnutls_cipher_encrypt: ADDED. -gnutls_cipher_get_block_size: ADDED. -gnutls_cipher_init: ADDED. -gnutls_hash: ADDED. -gnutls_hash_deinit: ADDED. -gnutls_hash_fast: ADDED. -gnutls_hash_get_len: ADDED. -gnutls_hash_init: ADDED. -gnutls_hash_output: ADDED. -gnutls_hmac: ADDED. -gnutls_hmac_deinit: ADDED. -gnutls_hmac_fast: ADDED. -gnutls_hmac_get_len: ADDED. -gnutls_hmac_init: ADDED. -gnutls_hmac_output: ADDED. -gnutls_safe_renegotiation_status: ADDED. -gnutls_sign_algorithm_get_requested: ADDED. - -gnutls_x509_crt_get_issuer_alt_name2: ADDED. -gnutls_x509_crt_get_issuer_alt_name: ADDED. -gnutls_x509_crt_get_issuer_alt_othername_oid: ADDED. - -gnutls_session_ticket_key_generate: ADDED. -gnutls_session_ticket_enable_client: ADDED. -gnutls_session_ticket_enable_server: ADDED. +gnutls_transport_set_push_function2: ADDED +gnutls_x509_crl_get_raw_issuer_dn: ADDED +gnutls_session_channel_binding: New function. +gnutls_channel_binding_t: New enumeration. +gnutls_pkcs11_token_init: New function +gnutls_pkcs11_token_set_pin: New function +gnutls_x509_crt_get_subject_unique_id: ADDED. +gnutls_x509_crt_get_issuer_unique_id: ADDED. 
+gnutls_x509_crt_get_preferred_hash_algorithm: ADDED +gnutls_x509_privkey_export_rsa_raw2: ADDED +gnutls_openpgp_privkey_sec_param: ADDED +gnutls_x509_privkey_sec_param: ADDED +gnutls_global_set_mutex: ADDED +gnutls_rnd: ADDED +gnutls_sec_param_to_pk_bits: ADDED +gnutls_pk_bits_to_sec_param: ADDED +gnutls_sec_param_get_name: ADDED +gnutls_certificate_set_retrieve_function: ADDED +gnutls_pkcs11_type_get_name: ADDED +gnutls_pkcs11_init: ADDED +gnutls_pkcs11_deinit: ADDED +gnutls_pkcs11_set_pin_function: ADDED +gnutls_pkcs11_set_token_function: ADDED +gnutls_pkcs11_add_provider: ADDED +gnutls_pkcs11_obj_init: ADDED +gnutls_pkcs11_obj_import_url: ADDED +gnutls_pkcs11_obj_export_url: ADDED +gnutls_pkcs11_obj_deinit: ADDED +gnutls_pkcs11_obj_export: ADDED +gnutls_pkcs11_obj_list_import_url: ADDED +gnutls_pkcs11_obj_export: ADDED +gnutls_pkcs11_obj_get_type: ADDED +gnutls_pkcs11_obj_get_info: ADDED +gnutls_pkcs11_token_get_info: ADDED +gnutls_pkcs11_token_get_url: ADDED +gnutls_pkcs11_privkey_init: ADDED +gnutls_pkcs11_privkey_deinit: ADDED +gnutls_pkcs11_privkey_get_pk_algorithm: ADDED +gnutls_pkcs11_privkey_get_info: ADDED +gnutls_pkcs11_privkey_import_url: ADDED +gnutls_pkcs11_privkey_sign_data: ADDED +gnutls_pkcs11_privkey_sign_hash: ADDED +gnutls_pkcs11_privkey_decrypt_data: ADDED +gnutls_x509_crt_import_pkcs11: ADDED +gnutls_x509_crt_list_import_pkcs11: ADDED +gnutls_x509_crt_import_pkcs11_url: ADDED +gnutls_privkey_init: ADDED +gnutls_privkey_sign_hash: ADDED +gnutls_privkey_sign_data: ADDED +gnutls_privkey_deinit: ADDED +gnutls_privkey_get_pk_algorithm: ADDED +gnutls_privkey_get_type: ADDED +gnutls_privkey_import_pkcs11: ADDED +gnutls_privkey_import_x509: ADDED +gnutls_privkey_import_openpgp: ADDED +gnutls_privkey_sign_data: ADDED +gnutls_privkey_sign_hash: ADDED +gnutls_privkey_decrypt_data: ADDED +gnutls_pkcs11_privkey_export_url: ADDED +gnutls_x509_crq_privkey_sign: ADDED +gnutls_x509_crl_privkey_sign: ADDED +gnutls_x509_crt_privkey_sign: ADDED 
+gnutls_pubkey_init: ADDED +gnutls_pubkey_import_privkey: ADDED +gnutls_pubkey_verify_data: ADDED +gnutls_pubkey_get_preferred_hash_algorithm: ADDED +gnutls_pubkey_deinit: ADDED +gnutls_pubkey_get_pk_algorithm: ADDED +gnutls_pubkey_import_x509: ADDED +gnutls_pubkey_import_openpgp: ADDED +gnutls_pubkey_get_pk_rsa_raw: ADDED +gnutls_pubkey_get_pk_dsa_raw: ADDED +gnutls_pubkey_export: ADDED +gnutls_pubkey_get_key_id: ADDED +gnutls_pubkey_get_key_usage: ADDED +gnutls_pubkey_verify_hash: ADDED +gnutls_pubkey_get_verify_algorithm: ADDED +gnutls_pkcs11_type_get_name: ADDED +gnutls_pubkey_import_pkcs11_url: ADDED +gnutls_pubkey_import: ADDED +gnutls_pubkey_import_pkcs11: ADDED +gnutls_pubkey_import_dsa_raw: ADDED +gnutls_pubkey_import_rsa_raw: ADDED +gnutls_x509_crt_set_pubkey: ADDED +gnutls_x509_crq_set_pubkey: ADDED +gnutls_pkcs11_copy_x509_crt: ADDED +gnutls_pkcs11_copy_x509_privkey: ADDED +gnutls_pkcs11_delete_url: ADDED In addition to the functions above, the following non-function definitions have been added to the header files: -GNUTLS_DIG_SHA224: ADDED. -GNUTLS_E_CRYPTODEV_DEVICE_ERROR: ADDED. -GNUTLS_E_CRYPTODEV_IOCTL_ERROR: ADDED. -GNUTLS_E_SAFE_RENEGOTIATION_FAILED: ADDED. -GNUTLS_E_UNKNOWN_SRP_USERNAME: ADDED. -GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED: ADDED. -GNUTLS_MAC_SHA224: ADDED. -GNUTLS_OID_X520_NAME: ADDED. -GNUTLS_OID_X520_POSTALCODE: ADDED. -GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS: ADDED. -GNUTLS_VERSION_MAX: ADDED. - -GNUTLS_CIPHER_AES_192_CBC: ADDED to gnutls/gnutls.h. -GNUTLS_PKCS_USE_PBES2_AES_128: ADDED to gnutls/x509.h. -GNUTLS_PKCS_USE_PBES2_AES_192: ADDED to gnutls/x509.h. -GNUTLS_PKCS_USE_PBES2_AES_256: ADDED to gnutls/x509.h. -GNUTLS_BAG_SECRET: ADDED to gnutls/pkcs12.h. -GNUTLS_DIG_UNKNOWN: ADDED to gnutls/gnutls.h. +GNUTLS_CB_TLS_UNIQUE: New gnutls_channel_binding_t enum member. +GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE: New error code. Getting the Software ==================== |
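Review bot: In the What's New hunk (@@ -22,301 +22,143 @@), the entries that change default behaviour are scattered among the feature additions and do not tell an upgrading deployment what to do. "Reverted default behavior for verification ... Thus by default V1 trusted CAs are allowed" does not say which earlier behaviour is being reverted. "HMAC-MD5 no longer used by default", "SRP and PSK are no longer set on the default priorities" and "Record version of Client Hellos is now set by default to SSL 3.0" each change what the default priorities negotiate. Suggest grouping these under one heading and stating, per entry, the flag or priority string that restores or tightens the behaviour, as the text already does with GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT and %LATEST_RECORD_VERSION. The "gnutls-serv: Corrected a buffer overflow" entry should also name the affected versions. In the combined deprecation entry, a comma is missing after gnutls_x509_crq_sign2() and after gnutls_pubkey_verify_hash(), which makes the "respectively" pairing hard to follow.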
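Review bot: In the added symbol list of the API/ABI hunk (@@ -325,56 +167,100 @@), several names are listed twice (gnutls_pkcs11_obj_export, gnutls_pkcs11_type_get_name, gnutls_privkey_sign_data, gnutls_privkey_sign_hash), and the list does not agree with the What's New text in the same file. The list adds gnutls_transport_set_push_function2 while What's New describes gnutls_transport_set_vec_push_function(). The non-function definitions list only GNUTLS_CB_TLS_UNIQUE and GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE, although What's New says GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT is introduced. Suggest deduplicating, reconciling the two sections against the exported headers, and using one marker style, since "ADDED", "ADDED.", "New function" and "New function." are mixed.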