2017-03-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am: Makefile.am: Added missing file
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-03-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2017-03-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: execute initialization stage
	unconditionally
	This step is required both in tags and commit runs.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-03-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, configure.ac, m4/hooks.m4: bumped version
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/datum.c: _gnutls_set_strdatum: always return an allocated
	string on success
	That prevents returning NULL to functions which require a string.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-03-05  Alex Gaynor <alex.gaynor@gmail.com>

	* lib/opencdk/read-packet.c, tests/cert-tests/openpgp-cert-parser:
	Enforce the max packet length for OpenPGP subpackets as well
	This addresses:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392
	Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>

2017-03-05  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-cert-auth2.texi: doc: corrected typo [ci skip]
	It was pointed out by morozov@eags.ru.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-03-04  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: NEWS: added links to GNUTLS-SA-2017-3

2017-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: run tests under a FIPS140 mode
	simulation
	That is, in FIPS140-2/Fedora/x86_64 build, run tests under a normal
	run (when library is compiled with FIPS140-2 support but not enabled
	on run time), and also run tests under a run-time that simulates
	FIPS140-2 support.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/crypto-selftests.c: crypto-self-tests: modified exported
	functions to work under fips140-2 mode
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dtls1-2-mtu-check.c, tests/key-tests/Makefile.am,
	tests/set_x509_pkcs12_key.c, tests/x509sign-verify2.c: tests: skip
	tests which cannot be run in FIPS140-2 mode
	This allows the test suite to be run in FIPS140-2 mode.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pk.c: _gnutls_pk_params_copy: copy the provable algorithm used
	This affected utilization of generated RSA keys under FIPS140-2
	mode which utilizes provable generation.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/priorities.c: tests: priorities: skip test in FIPS140-2 mode
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/session_ticket.c: gnutls_session_ticket_key_generate:
	fixed operation under FIPS140-2 mode
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2017-03-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/openpgp-cert-parser: tests: added test cases with
	invalid openpgp certs
	These certificates contain invalid secret key sub-packets.  These
	trigger invalid memory accesses:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-03-01  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/opencdk/kbnode.c, lib/opencdk/keydb.c, lib/opencdk/literal.c,
	lib/opencdk/opencdk.h, lib/opencdk/read-packet.c,
	lib/openpgp/openpgp.c, lib/openpgp/pgp.c, lib/openpgp/privkey.c:
	opencdk: do not parse any secret keys in packet when reading a
	certificate
	This reduces the attack surface on the parsers, and prevents any
	bugs in the secret key parser from being exploitable by inserting
	secret key sub-packets into an openpgp certificate.
	This addresses:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-02-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509/output: Cleanup in IDNA name printing
	That also removes the incorrect mapping to IDNA punycode when the
	input is not printable.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-28  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-cfg.c: certtool: increased buffer for reading from
	user
	This allows reading longer than 128-byte fields interactively.  The
	new limit is 512-bytes.
	Relates #179
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-27  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-cfg.c: certtool: store critical extensions even if no
	other extensions are present
	That is, fix a bug which prevented critical extensions from being
	stored if no other free-form extensions were specified.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2017-02-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp.c: gnutls_ocsp_resp_verify_direct,
	gnutls_ocsp_resp_verify: defined flags argument
	That was defined to be gnutls_certificate_verify_flags, and it
	allows passing verification flags, such as flags to allow broken
	algorithms.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify.c: is_level_acceptable: no longer checks for
	broken algorithms
	This is done at is_broken_allowed(), and in fact checking them in
	is_level_acceptable() creates a conflict when overrides like flag
	GNUTLS_VERIFY_ALLOW_BROKEN is used.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/gnutls.h.in, lib/verify-tofu.c: 
	gnutls_store_commitment: introduced flag
	GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN
	This flag allows operation of the function even with broken
	algorithms.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-24  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/verify.c: verify: is_broken_allowed: account for "new"
	flag GNUTLS_VERIFY_ALLOW_BROKEN
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2017-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/openpgp-cert-parser: tests: added test case with
	invalid openpgp cert
	This triggers an invalid memory access:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/read-packet.c: opencdk: read_attribute: account buffer
	size
	That ensures that there is no read past the end of buffer.
	Resolves the oss-fuzz found bug:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391
	Relates: #159
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/socket.c: gnutls-cli-debug: fixed protocol to port discovery
	That is, if --starttls-proto is provided the default port selected
	will be converted to host byte order as expected.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: NEWS: fix typo [ci skip]

2017-02-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, tests/Makefile.am, tests/scripts/Makefile.am,
	tests/scripts/starttls-common.sh, tests/starttls-ftp.sh,
	tests/starttls-lmtp.sh, tests/starttls-nntp.sh,
	tests/starttls-pop3.sh, tests/starttls-sieve.sh,
	tests/starttls-smtp.sh, tests/starttls.sh: tests: split starttls.sh
	into multiple scripts
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2017-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/data/aki-cert.pem,
	tests/cert-tests/data/arb-extensions.csr,
	tests/cert-tests/data/bmpstring.pem,
	tests/cert-tests/data/ca-no-pathlen.pem,
	tests/cert-tests/data/complex-cert.pem,
	tests/cert-tests/data/long-oids.pem,
	tests/cert-tests/data/multi-value-dn.pem,
	tests/cert-tests/data/name-constraints-ip2.pem,
	tests/cert-tests/data/no-ca-or-pathlen.pem,
	tests/cert-tests/data/template-tlsfeature.csr,
	tests/cert-tests/data/very-long-dn.pem,
	tests/cert-tests/data/xmpp-othername.pem: tests: updated to include
	the pin-sha256 in output
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dn2.c: tests: updated to take into account the pin-sha256
	oneline output
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509/output: print key PIN on oneline output
	That is, instead of the public key ID. The key PIN due to HPKP is
	now more widely used than hex-based key IDs.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/str.c, lib/str.h, lib/x509/output.c: x509/output: print the
	public key PIN of a certificate
	That is, print the value used by the HPKP protocol as per RFC7469.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/pkcs11/pkcs11-import-with-pin.c: tests:
	pkcs11-import-with-pin: removed invalid conditional macro

2017-02-22  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs11/pkcs11-import-with-pin.c: tests:
	added PKCS#11 test for pin input
	This introduces a test on PIN input to retrieve an object using
	pin-value and pin-source (file).
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: ubsan build: fixed artifacts path
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-02-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-cfg.c: certtool: don't warn when 'uri' is specified
	on template
	Reported at: https://bugzilla.redhat.com/show_bug.cgi?id=1425884
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/pk.c: nettle/pk: corrected memcpy of Q in DSA params
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: backported from master branch
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure: no longer use -Wframe-larger-than
	We do not require a specific stack size, and there is legacy code
	which utilizes large stack sizes. As such remove the warnings to
	allow for a warning free compilation.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-02-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/pkcs11.c: pkcs11: avoid calling memcpy with null options
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7.c: pkcs7: corrected error checking in
	write_signer_id
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/common.c: make_printable_string: allow operation with
	null input
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_int.h: gnutls_int.h: include assert.h
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2017-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/data/openpgp-invalid5.pub,
	tests/cert-tests/openpgp-cert-parser: tests: added test case with
	invalid openpgp cert
	That triggers a heap buffer overflow:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/read-packet.c: opencdk/read-packet.c: corrected typo
	in type cast
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/read-packet.c: cdk_pkt_read: enforce packet limits
	That ensures that there are no overflows in the subsequent
	calculations.
	Resolves the oss-fuzz found bug:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
	Relates: #159
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2017-02-19  Robert Scheck <robert@fedoraproject.org>

	* src/cli-args.def, src/cli-debug-args.def, src/danetool-args.def,
	src/socket.c, tests/Makefile.am, tests/starttls-lmtp.txt,
	tests/starttls-nntp.txt, tests/starttls-pop3.txt,
	tests/starttls-sieve.txt, tests/starttls.sh: Add LMTP, POP3, NNTP,
	Sieve and PostgreSQL support to gnutls-cli
	Add LMTP (RFC 2033), POP3 (RFC 2595), NNTP (RFC 4642), Sieve (RFC
	5804) and PostgreSQL support to gnutls-cli ("--starttls-proto").
	Signed-off-by: Robert Scheck <robert@fedoraproject.org>

2017-02-17  Rical Jasan <ricaljasan@pacific.net>

	* tests/scripts/common.sh: tests: Improve port-checking
	infrastructure.
	The test suite unnecessarily failed on systems without netstat
	because it was assumed to be present.  Instead of simply checking
	for its presence and indicating an unsupported test, however, the ss
	utility can be used as a drop-in replacement.  When
	netstat/net-tools is not present, the ss utility from iproute2 still
	stands a fair chance of existing, and they also have similar enough
	semantics that they can be used interchangeably in the test suite.
	The functions in tests/scripts/common.sh that used netstat
	(wait_for_port, wait_for_free_port) now use new functions,
	check_if_port_in_use and check_if_port_listening, to abstract the
	call to netstat/ss.  The eval'd variable GETPORT also used netstat,
	and has been updated accordingly.
	The new port-checking functions use another new function,
	have_port_finder, which takes care of the details of selecting ss
	(preferred) or netstat, or fails otherwise.
	Signed-off-by: Rical Jasan <ricaljasan@pacific.net>
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-12  Alon Bar-Lev <alon.barlev@gmail.com>

	* doc/Makefile.am: build: doc: install images also into htmldir
	Images are required also by the html documentation.
	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2017-02-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2017-02-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, lib/gnutls.pc.in: gnutls.pc: do not include libidn2
	in Requires.private
	The libidn2 versions available do not include libidn2.pc, thus the
	inclusion was causing problems when using pkg-config.  Instead we
	include -lidn2 in Libs.private.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-02-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/x509.c, lib/x509/x509_int.h,
	tests/certs-interesting/cert5.der.err: x509: optimize subject
	alternative name access
	That reads SAN and IAN early on import, significantly reducing the
	running time of functions which iterate over the alternative names
	of a certificate, e.g., gnutls_x509_crt_check_hostname().
	Relates #165
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-02-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2017-02-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/gnutls.h.in: gnutls.h: corrected typo

2017-01-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/Makefile.am, doc/doc.mk, doc/manpages/Makefile.am: doc:
	removed references to OpenPGP functions and enumerations
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/gnutls-guile.texi: doc: removed documentation related to
	OpenPGP and guile
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/openpgp.h: openpgp.h: all openpgp
	functionality was marked as deprecated
	This is to prevent new applications using that functionality.  As
	the OpenPGP certificate for HTTPS (or TLS in general) never got any
	traction, GnuTLS is the only implementation supporting it, and the
	quality of the OpenPGP supporting code is questionable, we deprecate
	that code with the intention to drop it completely when an
	opportunity is given.
	Relates #102
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: doc: document the intention of the priority
	string usage [ci skip]
	This documents the gnutls_set_default_priority() function, and how
	it is intended to be combined with an application that utilizes
	priority strings.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, m4/hooks.m4: bumped version

2017-02-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .travis.yml: .travis.yml: list all logs on failure
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert_verify_inv_utf8.c, tests/crq_apis.c, tests/crt_apis.c,
	tests/hostname-check-utf8.c, tests/mini-server-name.c,
	tests/set_key_utf8.c, tests/set_x509_key_utf8.c: tests: enable all
	IDNA tests when compiled with libidn2
	Keep IDNA2003-only tests on the ifdef HAVE_LIBIDN.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .travis.yml: .travis.yml: updated instructions for travis builds
	Removed unbound and other minor fixes.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/extras/hex.h: extras/hex.h: do not use strlen as variable name
	That is, do not utilize a standard C function name as variable name.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: gnutls_pkcs11_obj_list_import_url4: always return an
	initialized pointer
	When returning success, but no elements,
	gnutls_pkcs11_obj_list_import_url4, could have returned zero number
	of elements with a pointer that was uninitialized.  Ensure that an
	initialized (i.e., null in that case), pointer is always returned.
	Reported by Jeremy Harris.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-02-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: use libidn2 on windows builds
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-02-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/pkcs7: Address test suite failure due to timezone
	differences.
	Reported by Thorsten Glaser and Andreas Metzler.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/str-idna.c: _idn2_to_unicode_8z8z: do not err on mixed IDNA
	domains
	That is, allow domains of the form 'großes.xn--fa-hia.de'. The
	drawback is that we may not err early on invalid formatted names. We
	however delegate any such decisions to libidn2.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2017-01-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/Makefile.am, doc/manpages/Makefile.am, symbols.last: Updated
	auto-generated files
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/str-idna.c: str-idna: improved error handling
	In addition to detecting input with invalid characters in
	_idn2_to_unicode_8z8z(), we also add support for case insensitive
	punycode header.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/str-idna.c: str-idna: cleanups in IDNA handling
	Ensure safe operation even with broken libidn2, and make sure that
	we properly allocate memory to caller, even on complex library
	configuration.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/Makefile.am, lib/str-idna.c, lib/str-unicode.c: Move IDNA
	functionality to str-idna.c from str-unicode.c
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/str-idna.c: tests: use the exported API for IDNA testing
	In addition group together the tests which require libidn2 >= 0.14.
	This allows the tests to succeed.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/socket.c: tools: depend on gnutls_idna_map() instead of using
	directly libidn/libidn2
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/includes/gnutls/gnutls.h.in, lib/libgnutls.map,
	lib/str-unicode.c, lib/str.h, lib/x509/output.c: Exported
	gnutls_idna_map() and gnutls_idna_reverse_map()
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: added run with IDNA2003
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/str-idna.c: tests: simplified str-idna
	This separates the directions that are tested (utf-8 -> punycode and
	vice versa).
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure: added flag to force IDNA2003
	That allows compiling with libidn even if libidn2 is present, and
	can be used to check IDNA2003 support.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-21  Tim Rühsen <tim.ruehsen@gmx.de>

	* INSTALL.md, README.md, configure.ac, lib/Makefile.am,
	lib/str-unicode.c, lib/str.h, src/socket.c, tests/str-idna.c: Add
	support for libidn2 (IDNA 2008 + TR46)
	Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

2017-01-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/heartbeat.c: heartbeat extension: doc update
	Document how to calculate the total TLS data transmitted.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-20  Alon Bar-Lev <alon.barlev@gmail.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: add Fedora/x86_64/no-tools
	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2017-01-20  Alon Bar-Lev <alon.barlev@gmail.com>

	* .gitignore, configure.ac, gl/m4/valgrind-tests.m4,
	gl/override/m4/valgrind-tests.m4.diff: valgrind: support separate
	builddir for suppressions.valgrind
	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2017-01-20  Alon Bar-Lev <alon.barlev@gmail.com>

	* configure.ac: configure: remove void statement
	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2017-01-20  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/key-tests/illegal-rsa: tests: skip tests that require tools
	if tools are disabled
	Building with --disable-tools should not cause test failure.
	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2017-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/pkcs7-crypt.c: pkcs7 decryption: addressed memory leak in
	PBES1-DES-CBC-MD5 handling
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure: do not disable valgrind tests unless
	explicitly specified
	... or unless we are in release build.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-25  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testpkcs11.sh: tests: verify that a written
	certificate will inherit its ID from privkey
	That is, whether p11tool will do the right thing and figure the
	proper ID to use for a certificate object, if the public key is
	available.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/pkcs11.c: p11tool: re-use ID from corresponding objects when
	writing certificates
	That is, when writing a certificate which has a corresponding public
	key, or private key in the token, ensure that we use the same ID for
	the objects. That eases the work of someone writing objects to
	certificates, and does not require him to manually detect the object
	IDs.
	Resolves #160
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-22  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi, lib/dh.c: doc: improved documentation on DH
	parameters [ci skip]

2017-01-05  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/cert-tests/openpgp-certs, tests/danetool.sh,
	tests/fastopen.sh, tests/key-tests/dsa,
	tests/ocsp-tests/ocsp-must-staple-connection,
	tests/ocsp-tests/ocsp-tls-connection, tests/scripts/common.sh,
	tests/starttls.sh, tests/suite/eagain.sh,
	tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl, tests/suite/testdane.sh,
	tests/suite/testpkcs11.sh, tests/suite/testrng.sh,
	tests/suite/testsrn.sh: tests: remove bash usage
	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2017-01-05  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/suite/chain.sh: tests: suite: chain: support separate
	builddir
	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2017-01-05  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/cert-tests/crq, tests/cert-tests/krb5-test,
	tests/cert-tests/md5-test, tests/cert-tests/name-constraints,
	tests/cert-tests/othername-test, tests/cert-tests/pkcs1-pad,
	tests/cert-tests/pkcs7, tests/cert-tests/pkcs7-cat,
	tests/cert-tests/pkcs7-constraints,
	tests/cert-tests/pkcs7-constraints2, tests/cert-tests/sha3-test,
	tests/cert-tests/template-exts-test,
	tests/cert-tests/template-test, tests/cert-tests/tlsfeature-test,
	tests/ocsp-tests/ocsp-must-staple-connection,
	tests/ocsp-tests/ocsp-test, tests/ocsp-tests/ocsp-tls-connection,
	tests/rsa-md5-collision/rsa-md5-collision.sh,
	tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl: tests: skip tests that
	require tools if tools are disabled
	Building with --disable-tools should not cause test failure.
	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2016-12-31  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/cert-tests/aki, tests/cert-tests/certtool,
	tests/cert-tests/certtool-long-cn,
	tests/cert-tests/certtool-long-oids, tests/cert-tests/crl,
	tests/cert-tests/email, tests/cert-tests/openpgp-certs,
	tests/cert-tests/openpgp-selfsigs, tests/cert-tests/pathlen,
	tests/cert-tests/pem-decoding, tests/cert-tests/pkcs12,
	tests/cert-tests/pkcs12-utf8, tests/cert-tests/pkcs7-broken-sigs,
	tests/cert-tests/privkey-import, tests/cert-tests/provable-dh,
	tests/cert-tests/provable-dh-default,
	tests/cert-tests/provable-privkey,
	tests/cert-tests/provable-privkey-dsa2048,
	tests/cert-tests/provable-privkey-gen-default,
	tests/cert-tests/provable-privkey-rsa2048,
	tests/cert-tests/sha2-dsa-test, tests/cert-tests/sha2-test,
	tests/cert-tests/userid, tests/fastopen.sh, tests/key-tests/dsa,
	tests/key-tests/ecdsa, tests/key-tests/key-id,
	tests/key-tests/key-invalid, tests/key-tests/pkcs8,
	tests/key-tests/pkcs8-decode, tests/key-tests/pkcs8-invalid,
	tests/rfc2253-escape-test, tests/starttls.sh, tests/suite/chain.sh,
	tests/suite/crl-test, tests/suite/eagain.sh,
	tests/suite/invalid-cert.sh, tests/suite/pkcs7-cat,
	tests/suite/testdane.sh, tests/suite/testpkcs11.sh,
	tests/suite/testrandom.sh, tests/suite/testsrn.sh: tests: skip tests
	that require tools if tools are disabled
	Building with --disable-tools should not cause test failure.
	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2017-01-03  Alon Bar-Lev <alon.barlev@gmail.com>

	* tests/cert-tests/pkcs12, tests/cert-tests/pkcs12-utf8: tests:
	cert-tests: pkcs12 drop builddir usage
	sync with other tests
	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2017-01-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2017-01-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/x86-common.c: Disable AVX support when it is
	not supported by the CPU
	This mostly affects virtual systems. Reported by Frank Chen.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2017-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/Makefile.am, doc/cha-cert-auth.texi, doc/cha-functions.texi,
	doc/cha-gtls-app.texi, doc/cha-tokens.texi, doc/gnutls-pgp.eps,
	doc/latex/Makefile.am: doc: removed documentation related to OpenPGP
	Also added section explaining why OpenPGP is being deprecated.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/read-packet.c: opencdk: improved error code checking
	in the stream reading functions
	This amends 49be4f7b82eba2363bb8d4090950dad976a77a3a
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update [ci skip]

2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/key-tests/Makefile.am: tests: added missing file

2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, m4/hooks.m4: bumped version

2017-01-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update [ci skip]

2017-01-06  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2017-01-03  Alon Bar-Lev <alon.barlev@gmail.com>

	* .gitignore: gitignore: update
	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2017-01-03  Alon Bar-Lev <alon.barlev@gmail.com>

	* .gitignore: gitignore: sort()
	Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/read-packet.c: opencdk: added error checking in the
	stream reading functions
	This addresses an out of memory error. Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/data/openpgp-invalid4.pub,
	tests/cert-tests/openpgp-cert-parser: tests: added test case with
	invalid openpgp cert
	This triggers an out of memory error. Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/pubkey.c: opencdk: cdk_pk_get_keyid: fix stack
	overflow
	Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/openpgp-cert-parser: tests: added test case with
	invalid openpgp cert
	This triggers a memory error. Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/openpgp-cert-parser: tests: added test case with
	invalid openpgp cert
	This triggers a memory error. Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/read-packet.c: opencdk: read_attribute: added more
	precise checks when reading stream
	That addresses heap read overflows found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am,
	tests/cert-tests/openpgp-cert-parser: tests: added test case with
	invalid openpgp cert
	This triggers a memory error. Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/openpgp-cert-parser: tests: openpgp-cert-parser:
	simplified

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs12_encr.c: _gnutls_pkcs12_string_to_key: avoid
	division by zero when salt_size = 0
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509_ext.c: gnutls_x509_ext_import_policies: fixed memory
	leak on error path
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: added test case with invalid X.509 cert
	This triggers a memory leak. Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=294
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: added test case with invalid X.509 cert
	Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=300
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509 output: fixed memory leak in AIA extension
	printing
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/dh_common.c: proc_server_kx: eliminated leak on error
	path
	Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=272
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-tests/Makefile.am: tests: do not run key-tests under
	leak sanitizer
	The reason is that we cannot distinguish between a memory leak on
	application failure (which is followed by exit- thus should be
	ignored) and an address sanitizer issue (which should never be
	ignored).  As such we disable leak detection with asan and rely on
	valgrind.
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-tests/illegal-rsa: tests: illegal-rsa: don't hide stderr

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/common.c: _gnutls_x509_get_signature: fix memory leak on
	error path

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: added test case with invalid X.509
	certificate
	This certificate causes a memory leak while printing.  Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=280
	Relates #156

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509: address leak in print_altname - cert
	printing

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: added certificate to reproduce memory
	leak
	Found by oss-fuzz project:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=299
	Relates #156

2017-01-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/status_request.c: status_request: eliminated leak on error
	path
	Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=269
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2016-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitmodules: submodules: use the github mirror of openssl

2017-01-04  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/auth/rsa.c: auth rsa: eliminated memory leak on pkcs-1
	formatting attack path
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* gl/m4/valgrind-tests.m4, gl/override/m4/valgrind-tests.m4.diff:
	valgrind: use different exit code to signify error
	This allows the test suite to differentiate between valgrind and
	expected errors from tools.

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am: tests: cert-tests: force asan to
	return an error code other than one on failure

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey_pkcs8.c: gnutls_pkcs8_info: addressed memory leak
	on error path

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: pkcs8_info_int: fix memory leak

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/mpi.c: wrap_nettle_mpi_modm: bail on a modulus that is
	zero
	Relates #156

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-tests/Makefile.am, tests/key-tests/key-invalid: tests:
	added test for invalid private keys
	Also force asan to return an error code other than one (the normally
	expected for invalid keys).

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/key-tests/Makefile.am, tests/key-tests/pkcs8-invalid: tests:
	added test case with invalid PKCS#8 data
	Issue found using oss-fuzz:
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=363
	Relates #156

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-crypt.c: pkcs7 decrypt: require a valid IV size on
	all ciphers
	That is, do not accept the IV size present in the structure as valid
	without checking.
	Relates #156

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: don't print PKCS#8 information when
	outputting DER data

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey_pkcs8.c: pkcs8: pkcs8_key_info() will correctly
	detect non-encrypted files

2017-01-01  Alex Gaynor <alex.gaynor@gmail.com>

	* lib/opencdk/read-packet.c, tests/cert-tests/data/subpkt-leak.pub,
	tests/cert-tests/openpgp-cert-parser: Corrected a leak in OpenPGP
	sub-packet parsing.
	Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>

2016-12-30  Alex Gaynor <alex.gaynor@gmail.com>

	* lib/opencdk/read-packet.c, tests/cert-tests/openpgp-cert-parser: 
	Attempt to fix a leak in OpenPGP cert parsing.

2016-12-26  Alex Gaynor <alex.gaynor@gmail.com>

	* lib/opencdk/read-packet.c, tests/cert-tests/Makefile.am,
	tests/cert-tests/data/truncated.pub,
	tests/cert-tests/openpgp-cert-parser: Do not infinite loop if an EOF
	occurs while skipping a PGP packet
	Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/gnutls.texi: doc: fixed copyright date in gnutls.texi

2017-01-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/random.c: gnutls_rnd: document the available values of level
	[ci skip]
	This enables using the function by only checking the man page.

2016-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-main-openssl: tests: enable all the
	ciphersuite in openssl cli for DSS checks

2016-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-main-openssl: tests: don't check against
	3DES if disabled in openssl

2016-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-main-openssl: tests: do not pass the
	-dhparams to openssl 1.1.0; it doesn't work

2016-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/params.dh: tests: simplified DH params format
	Also switch to RFC7919 DH params.

2016-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-common,
	tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl: tests: added common variable
	for DH parameters

2016-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-common: tests: fixed paths in compat tests

2016-12-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl: tests: better termination
	checking in compat tests
	This ensures that the exit code of all spawned processes is checked.

2016-12-31  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: improved error reporting on file error

2016-12-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: changed buildroot to fedora25

2016-12-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/certtool.c: certtool: properly report unencrypted PKCS#8 keys
	in --p8-info

2016-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-12-21  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, lib/priority.c: configure: introduced
	--with-priority-string option
	This allows specifying the priority string to be used with
	gnutls_set_default_priority() on configure time.

2016-12-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/auto-verify.c, lib/gnutls_int.h, lib/priority.c: priorities:
	reset the profile flags when appending new flags
	That is, to avoid causing issues to applications calling
	gnutls_*priority_set() multiple times with different parameters. In
	that case if multiple profiles are used the outcome could be
	undefined. Now, the last call will prevail.

2016-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/auto-verify.c: gnutls_session_set_verify_cert: doc update

2016-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/priority.c: Revert "priorities: set the additional verify
	flags instead of appending them"
	This reverts commit aaf49747f981f6c17cdc9ea7495a8948a5015ae2.

2016-12-19  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* : commit 6c22fa8349384267e7c2ab99edea8bd43420e823 Author: Nikos
	Mavrogiannopoulos <nmav@gnutls.org> Date:   Mon Dec 19 11:09:41 2016
	+0000

2016-12-17  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* : commit 82f132aa61edf1e663b005f8305b8e82dd028fab Author: Nikos
	Mavrogiannopoulos <nmav@gnutls.org> Date:   Fri Dec 16 16:19:29 2016
	+0000

2016-12-15  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* : commit 3debe362faa62e5b381b880e3ba23aee07c85f6e Author:
	Alexander Kanavin <alex.kanavin@gmail.com> Date:   Wed Dec 14
	17:42:45 2016 +0200

2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs7-crypt.c: _gnutls_pkcs_raw_decrypt_data: merge all
	errors during decryption to GNUTLS_E_DECRYPTION_FAILED
	This makes the function's return values simpler to handle.

2016-12-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS, configure.ac: bumped version and doc update [ci skip]

2016-12-14  Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

	* configure.ac: configure.ac: remove autogen'erated files only if
	necessary
	Currently autogen'erated files will be removed on each call to
	configure. However this would break the build if one of previous
	make invocations have created corresponding stamp files.
	Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

2016-12-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs8-key-decode-encrypted.c,
	tests/pkcs8-key-decode.c: tests: added test for PKCS#8 encrypted key
	decoding
	This also verifies that the return value when attempting to decrypt
	without a password is GNUTLS_E_DECRYPTION_FAILED.

2016-12-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/privkey_pkcs8.c: pkcs8: ensure that the correct error
	code is returned on decryption failure

2016-12-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi, doc/cha-tokens.texi: doc update [ci skip]

2016-12-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool-args.def: doc: updated to documentation of certtool
	[ci skip]
	This corrects options which incorrectly mentioned they support URLs.

2016-12-09  Nikos Mavrogiannopoulos <nmav@redhat.com>

