2016-06-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, configure.ac, m4/hooks.m4: bumped versions

2016-06-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-06-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/Makefile.am, tests/cert-common.h, tests/keylog-env.c,
	tests/utils-adv.c, tests/utils.c, tests/utils.h: tests: backported
	keylog test

2016-06-06  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_global.c, lib/gnutls_global.h, lib/gnutls_kx.c: 
	keylogfile: only consider the SSLKEYLOGFILE variable

	In addition do not check the environment in the constructor but
	instead use static variables to save the key file name.  The
	GNUTLS_KEYLOGFILE environment variable is no longer used since there
	is no reason to have a separate one.

2016-05-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/pkcs12_bag.c, lib/x509/x509_ext.c: doc update [ci skip]

2016-05-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* GNUmakefile, build-aux/config.rpath, build-aux/gendocs.sh,
	build-aux/pmccabe2html, build-aux/snippet/arg-nonnull.h,
	build-aux/snippet/c++defs.h, build-aux/snippet/warn-on-use.h,
	build-aux/useless-if-before-free, build-aux/vc-list-files,
	doc/gendocs_template, gl/Makefile.am, gl/alloca.in.h,
	gl/asnprintf.c, gl/asprintf.c, gl/base64.c, gl/base64.h,
	gl/byteswap.in.h, gl/c-ctype.c, gl/c-ctype.h, gl/errno.in.h,
	gl/float+.h, gl/float.c, gl/float.in.h, gl/fstat.c, gl/ftell.c,
	gl/ftello.c, gl/getdelim.c, gl/getline.c, gl/gettext.h,
	gl/gettimeofday.c, gl/hash-pjw-bare.c, gl/hash-pjw-bare.h,
	gl/intprops.h, gl/itold.c, gl/lseek.c, gl/m4/00gnulib.m4,
	gl/m4/absolute-header.m4, gl/m4/alloca.m4, gl/m4/base64.m4,
	gl/m4/byteswap.m4, gl/m4/ctype.m4, gl/m4/errno_h.m4,
	gl/m4/exponentd.m4, gl/m4/extensions.m4, gl/m4/extern-inline.m4,
	gl/m4/fcntl-o.m4, gl/m4/fcntl_h.m4, gl/m4/fdopen.m4,
	gl/m4/float_h.m4, gl/m4/fpieee.m4, gl/m4/fseeko.m4, gl/m4/fstat.m4,
	gl/m4/ftell.m4, gl/m4/ftello.m4, gl/m4/func.m4, gl/m4/getdelim.m4,
	gl/m4/getline.m4, gl/m4/getpagesize.m4, gl/m4/gettimeofday.m4,
	gl/m4/gnulib-cache.m4, gl/m4/gnulib-common.m4,
	gl/m4/gnulib-comp.m4, gl/m4/gnulib-tool.m4, gl/m4/include_next.m4,
	gl/m4/intmax_t.m4, gl/m4/inttypes-pri.m4, gl/m4/inttypes.m4,
	gl/m4/inttypes_h.m4, gl/m4/largefile.m4, gl/m4/ld-output-def.m4,
	gl/m4/ld-version-script.m4, gl/m4/lib-ld.m4, gl/m4/lib-link.m4,
	gl/m4/lib-prefix.m4, gl/m4/longlong.m4, gl/m4/lseek.m4,
	gl/m4/malloc.m4, gl/m4/manywarnings.m4, gl/m4/math_h.m4,
	gl/m4/memchr.m4, gl/m4/memmem.m4, gl/m4/minmax.m4,
	gl/m4/mmap-anon.m4, gl/m4/msvc-inval.m4, gl/m4/msvc-nothrow.m4,
	gl/m4/multiarch.m4, gl/m4/netdb_h.m4, gl/m4/netinet_in_h.m4,
	gl/m4/off_t.m4, gl/m4/printf.m4, gl/m4/read-file.m4,
	gl/m4/realloc.m4, gl/m4/secure_getenv.m4, gl/m4/size_max.m4,
	gl/m4/snprintf.m4, gl/m4/socklen.m4, gl/m4/sockpfaf.m4,
	gl/m4/ssize_t.m4, gl/m4/stdalign.m4, gl/m4/stdbool.m4,
	gl/m4/stddef_h.m4, gl/m4/stdint.m4, gl/m4/stdint_h.m4,
	gl/m4/stdio_h.m4, gl/m4/stdlib_h.m4, gl/m4/strcase.m4,
	gl/m4/string_h.m4, gl/m4/strings_h.m4, gl/m4/strndup.m4,
	gl/m4/strnlen.m4, gl/m4/strtok_r.m4, gl/m4/strverscmp.m4,
	gl/m4/sys_socket_h.m4, gl/m4/sys_stat_h.m4, gl/m4/sys_time_h.m4,
	gl/m4/sys_types_h.m4, gl/m4/sys_uio_h.m4, gl/m4/time_h.m4,
	gl/m4/time_r.m4, gl/m4/ungetc.m4, gl/m4/unistd_h.m4,
	gl/m4/valgrind-tests.m4, gl/m4/vasnprintf.m4, gl/m4/vasprintf.m4,
	gl/m4/vsnprintf.m4, gl/m4/warn-on-use.m4, gl/m4/warnings.m4,
	gl/m4/wchar_h.m4, gl/m4/wchar_t.m4, gl/m4/wint_t.m4,
	gl/m4/xsize.m4, gl/malloc.c, gl/memchr.c, gl/memmem.c, gl/minmax.h,
	gl/msvc-inval.c, gl/msvc-inval.h, gl/msvc-nothrow.c,
	gl/msvc-nothrow.h, gl/netdb.in.h, gl/netinet_in.in.h,
	gl/printf-args.c, gl/printf-args.h, gl/printf-parse.c,
	gl/printf-parse.h, gl/read-file.c, gl/read-file.h, gl/realloc.c,
	gl/secure_getenv.c, gl/size_max.h, gl/snprintf.c, gl/stdalign.in.h,
	gl/stdbool.in.h, gl/stddef.in.h, gl/stdint.in.h, gl/stdio-impl.h,
	gl/stdio.in.h, gl/stdlib.in.h, gl/str-two-way.h, gl/strcasecmp.c,
	gl/string.in.h, gl/strings.in.h, gl/strncasecmp.c, gl/strndup.c,
	gl/strnlen.c, gl/strtok_r.c, gl/strverscmp.c, gl/sys_socket.c,
	gl/sys_socket.in.h, gl/sys_stat.in.h, gl/sys_time.in.h,
	gl/sys_types.in.h, gl/sys_uio.in.h, gl/tests/Makefile.am,
	gl/tests/binary-io.c, gl/tests/binary-io.h, gl/tests/ctype.in.h,
	gl/tests/fcntl.in.h, gl/tests/fdopen.c, gl/tests/fpucw.h,
	gl/tests/getpagesize.c, gl/tests/init.sh, gl/tests/inttypes.in.h,
	gl/tests/macros.h, gl/tests/signature.h,
	gl/tests/test-alloca-opt.c, gl/tests/test-base64.c,
	gl/tests/test-binary-io.c, gl/tests/test-byteswap.c,
	gl/tests/test-c-ctype.c, gl/tests/test-ctype.c,
	gl/tests/test-errno.c, gl/tests/test-fcntl-h.c,
	gl/tests/test-fdopen.c, gl/tests/test-fgetc.c,
	gl/tests/test-float.c, gl/tests/test-fputc.c,
	gl/tests/test-fread.c, gl/tests/test-fstat.c,
	gl/tests/test-ftell.c, gl/tests/test-ftell3.c,
	gl/tests/test-ftello.c, gl/tests/test-ftello3.c,
	gl/tests/test-ftello4.c, gl/tests/test-func.c,
	gl/tests/test-fwrite.c, gl/tests/test-getdelim.c,
	gl/tests/test-getline.c, gl/tests/test-gettimeofday.c,
	gl/tests/test-iconv.c, gl/tests/test-init.sh,
	gl/tests/test-intprops.c, gl/tests/test-inttypes.c,
	gl/tests/test-memchr.c, gl/tests/test-netdb.c,
	gl/tests/test-netinet_in.c, gl/tests/test-read-file.c,
	gl/tests/test-snprintf.c, gl/tests/test-stdalign.c,
	gl/tests/test-stdbool.c, gl/tests/test-stddef.c,
	gl/tests/test-stdint.c, gl/tests/test-stdio.c,
	gl/tests/test-stdlib.c, gl/tests/test-string.c,
	gl/tests/test-strings.c, gl/tests/test-strnlen.c,
	gl/tests/test-strverscmp.c, gl/tests/test-sys_socket.c,
	gl/tests/test-sys_stat.c, gl/tests/test-sys_time.c,
	gl/tests/test-sys_types.c, gl/tests/test-sys_uio.c,
	gl/tests/test-sys_wait.h, gl/tests/test-time.c,
	gl/tests/test-unistd.c, gl/tests/test-vasnprintf.c,
	gl/tests/test-vasprintf.c, gl/tests/test-vc-list-files-cvs.sh,
	gl/tests/test-vc-list-files-git.sh, gl/tests/test-verify.c,
	gl/tests/test-vsnprintf.c, gl/tests/test-wchar.c,
	gl/tests/zerosize-ptr.h, gl/time.in.h, gl/time_r.c, gl/unistd.c,
	gl/unistd.in.h, gl/vasnprintf.c, gl/vasnprintf.h, gl/vasprintf.c,
	gl/verify.h, gl/vsnprintf.c, gl/wchar.in.h, gl/xsize.h,
	lib/gnutls_mem.h, maint.mk: Rely on gnulib's secure_getenv()

2016-05-28  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/x86-common.c: x86-common: use secure_getenv()

2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure.ac: check for secure_getenv where
	available and always enable system extensions

2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/fips.c, lib/gnutls_global.c, lib/gnutls_mem.h, lib/system.c: 
	env: use secure_getenv when reading environment variables

2016-05-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi, lib/gnutls_global.c, lib/gnutls_global.h,
	lib/gnutls_kx.c: Append keys on keylogfile

	Also consider the SSLKEYLOGFILE variable, since the format is
	identical and we are always appending keys.

2016-05-23  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: added sanity check to find_obj_url_cb() for
	object validity

	Also avoid unnecessary recursion.

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/scripts/common.sh, tests/suite/eagain.sh,
	tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl, tests/suite/testdane.sh,
	tests/suite/testpkcs11.sh, tests/suite/testrng.sh,
	tests/suite/testsrn.sh: tests: use /bin/bash in tests which require
	common.sh

2016-05-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dsa/testdsa, tests/openpgp-certs/testcerts,
	tests/scripts/common.sh, tests/suite/eagain.sh,
	tests/suite/mini-eagain2.c, tests/suite/testcompat-main-openssl,
	tests/suite/testcompat-main-polarssl, tests/suite/testpkcs11.sh,
	tests/suite/testsrn.sh: tests: simplified server launching process

	Also attempt to use a new port on every started server and added a
	waiting period for the port to become re-usable.

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: restrict windows build checks to
	tests/ subdir

	That is because there is an issue with the gnulib self tests when
	run under windows.

2016-05-20  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am: tests: do not use pkglib to generate
	libpkcs11mock1.so

	This resulted in the test library being installed. Instead we use
	noinst for the library, but pass -rpath to LDFLAGS as a hack for
	libtool to generate the shared version.

2016-05-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* .gitlab-ci.yml: .gitlab-ci.yml: added windows DLL build for 3.4.x
	branch

2016-05-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/manpages/Makefile.am: updated auto-generated files

2016-05-20  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, configure.ac, m4/hooks.m4: released 3.4.12

2016-05-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/priorities.c: tests: priorities: account for the addition of
	CHACHA20-POLY1305

2016-01-21  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_priority.c: CHACHA20_POLY1305 was added to the default
	priority strings

	That is the NORMAL and PERFORMANCE priority strings now will enable
	CHACHA20-POLY1305 by default.

2016-05-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c, src/socket.c, src/socket.h: gnutls-cli: allow operation
	with stdin input

	That is once commands from stdin are given, they are not only sent
	to server, but we also wait for a response prior to exiting.

	Resolves #96

2016-05-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-05-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_kx.c: Write session keys into a file when
	GNUTLS_KEYLOGFILE is exported

	That is the file pointed from the variable is written to, and
	contains the session parameters in the following format (identical to
	NSS key log format):

	CLIENT_RANDOM <space> <64 bytes of hex encoded client_random>
	<space> <96 bytes of hex encoded master secret>

	and for the old RSA ciphersuites also in the format:

	RSA <space> <16 bytes of hex encoded encrypted pre master secret>
	<space> <96 bytes of hex encoded master secret>

	Resolves #64

2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-05-17  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c: gnutls-cli: corrected check for OCSP verification
	success

2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_errors.c: errors: include GNUTLS_E_IDNA_ERROR to the
	list

2016-05-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/server_name.c: server_name: only save the supported server
	names in the session

	Invalid server names with embedded nulls and unsupported types are
	not saved.

2016-05-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_pubkey.c: gnutls_pubkey_verify_data2: simplified return
	logic

2016-05-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/pkcs7-output.c: gnutls_pkcs7_print: corrected type of
	unsigned count variable

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_x509.c: cert cred: add the CN to the list of known
	hostnames only if no dns_names

	That is, follow rfc6125 and support CN as a fallback only.

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_x509.c: gnutls_certificate_set_key: import the DNS
	names of the certificates

	That is, only when no (NULL) names are provided.

2016-05-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/system.c: reset the global time func on init/deinit

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_x509.c: gnutls_certificate_set_key: duplicate the
	provided memory

	That is, do not assume that a heap allocated value is provided.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pkcs11/pkcs11-cert-import-url-exts.c,
	tests/pkcs11/pkcs11-get-exts.c,
	tests/pkcs11/pkcs11-get-raw-issuer-exts.c,
	tests/pkcs11/pkcs11-mock.c, tests/pkcs11/pkcs11-mock.h: tests: added
	a basic PKCS#11 mock module

	This is used to test gnutls_pkcs11_obj_get_exts(),
	gnutls_x509_crt_import_url(), and gnutls_pkcs11_get_raw_issuer()
	with the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: find_cert_cb: do not use C_FindObjectsInit()
	when another is already running

	While some modules implicitly terminated the previous run, this is
	not something that PKCS#11 modules are expected to typically do.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c: pkcs11: the flag
	GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be respected by
	imported certificates

	That is, certificates imported with gnutls_pkcs11_obj_import_url()
	or gnutls_x509_crt_import_url() will be able to be extracted with
	their extensions overridden. Previously that was available only on
	gnutls_pkcs11_get_raw_issuer() and friends.

2016-05-03  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11x.c: pkcs11: find_ext_cb: eliminated memory leak

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11x.c: gnutls_pkcs11_obj_get_exts: updated documentation

2016-05-02  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: gnutls_x509_crt_import_url: updated documentation
	for new function name

2016-04-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update [ci skip]

2016-04-30  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509_b64.c: doc: mention the version after which
	gnutls_pem_base64_en/decode2() are available

2016-04-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_privkey_raw.c: corrected import issue in
	gnutls_privkey_import_ecc_raw

2016-04-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/privkey.c: x509/privkey: in raw import functions set the
	parameter's algorithm type

2016-04-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/examples/ex-client-x509.c: examples: backported main client
	example [ci skip]

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/dane.c: tests: enhanced dane testing with offline
	verification checks

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* libdane/dane.c: dane: verification will not fail if a CA entry is
	encountered but cannot be verified

	That addresses the issue of verifying a single certificate against a
	list of TLSA entries that contain an entry with CA usage (cert usage
	0). With the previous behavior verification would have failed, while
	now this entry will be skipped.

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_cert.c, libdane/dane.c: doc: improved documentation on
	certificate and DANE verification functions

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* libdane/dane.c: dane: updated documentation of dane_verify_crt_raw
	[ci skip]

2016-04-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/manpages/Makefile.am: manpages: include the dane functions
	into the distributed pages

2016-04-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c: gnutls-cli-debug: enable socket verbosity when
	--verbose is given

2016-04-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/socket.c: tools: explicitly initialize socket struct to zero

	That resolves issue where verbose was enabled by default.

2016-04-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-debug.c, src/danetool.c: tools: avoid extracting the value
	of the app-proto alias

	Instead always extract the starttls-proto value, as it seems that
	libopts doesn't report any value for the former. This corrects the
	starttls capability of danetool and gnutls-cli-debug.

2016-04-19  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli-args.def, src/cli-debug-args.def, src/socket.c: tools:
	document the starttls capability

2016-04-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/pk.c: _wrap_nettle_pk_derive: reject values of public
	key that are over the prime

	That is do not canonicalise the value we get from the network, but
	rather check it for validity. This saves a modular reduction on
	handshake and performs a sanity check on the peer's (client)
	parameters.  Reported by Hubert Kario.

	Resolves #84

2016-04-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_sig.c: handshake: do not overwrite the server's
	signature algorithm

	That is, correct a bug under which a client sending a certificate
	would overwrite the server's idea about the used signature
	algorithm.  Reported by Hubert Kario.

2016-04-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: configure: corrected regression which prevented the
	build of tests/suite

	This regression was introduced at
	8b97662c40c67a6d4087ce6e1f0c6fb6ea4a8b2c

2016-04-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_record.c: gnutls_packet_get: avoid null pointer
	dereference on NULL input

	That is, still allow the function to handle a NULL packet input but
	reset the data contents.

2016-04-12  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/ocsp.c: gnutls_ocsp_resp_get_single: fail if thisUpdate
	is not available or unparsable

	That is because this field is not optional, and a failure on its
	parsing is always fatal. Reported by Yuan Jochen Kang.

2016-04-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: released 3.4.11

2016-04-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac: tests: do not enable valgrind in non-git builds

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/ocsp_output.c, lib/x509/output.c: x509 output: don't warn
	about insecure algorithm when unknown

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/Makefile.am, tests/suite/testcompat-openssl.sh: tests:
	disable unsupported curves from compatibility checks

	This allows running make check even when compiling with
	disable-suiteb-curves.

2016-03-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_state.c: dtls: added missing dtls.h to state.c

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, m4/hooks.m4: bumped version

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-04-09  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/minitasn1/coding.c, lib/minitasn1/decoding.c,
	lib/minitasn1/element.c, lib/minitasn1/element.h,
	lib/minitasn1/int.h, lib/minitasn1/libtasn1.h,
	lib/minitasn1/parser_aux.c, lib/minitasn1/parser_aux.h,
	lib/minitasn1/structure.c: minitasn1: updated to latest git version

2016-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: doc: Replace references to select with poll
	and other fixes

2016-04-08  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: doc: replace inaccurate sentence with
	reference to gnutls_record_discard_queued [ci skip]

2016-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_state.c: gnutls_record_get_direction: doc update [ci
	skip]

2016-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/x509sign-verify2.c: tests: reduce the number of loops in
	x509sign-verify2

	This enables running the test in reasonable time under valgrind.

2016-04-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkix.asn, lib/pkix_asn1_tab.c: pkix.asn: corrected byKey
	definition

	OCSP is defined in an EXPLICIT tags module, and as such we must tag
	explicitly all of its tags.

2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/name_constraints.c: name constraints: enforce the rules
	for IP constraints when adding

	This will prevent gnutls from generating badly formed certificates.

2016-04-05  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/common.c, lib/x509/common.h, lib/x509/x509.c: 
	_gnutls_parse_general_name2: allow parsing empty names

	This allows parsing empty general names such as an empty DNSname
	used in name constraints.

2016-04-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-04-02  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/ocsptool-common.c: ocsptool: use HTTP/1.0 for requests

	This avoids issue with servers serving chunk encoding which ocsptool
	doesn't support. Reported by Thomas Klute.

2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/certtool-long-cn: tests: delete outfile in
	certtool-long-cn

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/Makefile.am, tests/cert-tests/name-constraints,
	tests/cert-tests/name-constraints-ip2.pem: tests: verify the output
	of name constraints IP decoding

2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509/output: simplified cidr_to_string()

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509/output: print RFC5280 CIDRs in name
	constraints

2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-03-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_dtls.c, lib/gnutls_dtls.h, lib/gnutls_state.c: dtls:
	reset the record number sliding window on gnutls_record_set_state()

	This addresses issue where gnutls_record_set_state() was called with
	a new state but the sliding window information was not updated, thus
	blocking any incoming packets.

	Resolves #82

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_record.c: DTLS: save last valid record sequence number

	This will allow to report a valid number to
	gnutls_record_get_state() callers in case of DTLS. Reported by
	Fridolin Pokorny.

2016-03-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_state.c: gnutls_record_get_state: Allow for NULL
	parameters

2016-03-24  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/ocsptool.c: ocsptool: don't exit with error code on
	verification failures when --ignore-errors is given

2016-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/ocsptool.c: ocsptool: exit with error on verification failures

2016-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/x509/ocsp.c: ocsp: gnutls_ocsp_resp_verify_direct will skip
	additional checks for certificates matching issuer

	That eliminates issue with ocsptool rejecting OCSP responses signed
	by the same CA that signed the certificate. Reported by Thomas
	Klute.

2016-03-23  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* src/ocsptool-args.def, src/ocsptool.c: ocsptool: Allow saving
	responses even if verification fails

	In addition do not enter a spurious newline to responses.

2016-03-23  Maya Rashish <coypu@sdf.org>

	* tests/dtls/dtls-stress.c: Avoid using strerror in dtls stress test

	Using it results in build failure on NetBSD: undefined reference to
	`rpl_strerror'

2016-03-23  Maya Rashish <coypu@sdf.org>

	* tests/utils.h: Add missing header to testsuite

	This causes a problem for NetBSD+clang tests, because SIGTERM and
	kill are undefined.

	Resolves #80

	Signed-off-by: Maya Rashish <coypu@sdf.org>

2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-x509-callbacks.c: tests: verify that the
	post-client-hello callback has access to ALPN data

2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_handshake.c: handshake: parse the mandatory to parse
	extension prior to any callback call

	This relates to the change of ALPN extension to mandatory to parse,
	and allows applications to get ALPN data prior to handshake
	completion.

2016-03-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/resume.c: tests: added checks for session resumption and
	ALPN

	This checks whether the ALPN extension is re-read on resumption and
	is negotiated.

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/resume.c: tests: resume: simplified structure assignment
	using C99 syntax

2016-03-15  Yuriy M. Kaminskiy <yumkam@gmail.com>

	* lib/ext/alpn.c: alpn: ALPN state is per-connection, it should not
	be saved with session data

	In addition the extension was moved to the mandatory to parse to
	ensure it is always parsed when sessions are resumed.

	rfc7301:
	    Unlike many other TLS extensions, this extension does not
	    establish properties of the session, only of the connection.
	    When session resumption or session tickets [RFC5077] are used, the
	    previous contents of this extension are irrelevant, and only the
	    values in the new handshake messages are considered.

	Signed-off-by: Yuriy M. Kaminskiy <yumkam@gmail.com>
	Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

2016-03-16  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/accelerated/x86/x86-common.c: x86-common: CPUID override will
	only work if CPU has already the capability present

	This resolves test suite failure on CPUs with limited capabilities.
	Reported by Andreas Metzler.

2016-03-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-03-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/server_name.c: gnutls_server_name_set: accept non-null
	terminated hostnames

	The introduction of IDNA support introduced a regression and this
	function does not operate correctly when given non-null terminated
	strings. Reported by Tim Ruehsen.

	Relates #78

2016-03-16  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-server-name.c: tests: added check for non-null
	terminated server name

	This checks whether a non-null terminated server name, but with
	correct length is correctly accepted by gnutls_server_name_set().

	Relates #78

2016-03-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/template-nc.pem: tests: template-test was updated
	for OCSP key purpose reordering

2016-03-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-03-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/certtool.c: certtool: do not require a CA for OCSP signing

	This follows the recommendations in RFC6960 in 4.2.2.2 which allow a
	CA to delegate OCSP signing to another certificate without requiring
	it to be a CA.  Reported by Thomas Klute.

2016-03-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* devel/ABI-x86_64.dump, devel/abi-unchecked-symbols,
	devel/abi-unchecked-symbols.txt: abi-check: corrected type of
	gnutls_x509_crl_get_issuer_dn

	That will avoid any accidental ABI breakage on that symbol.

2016-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* .gitlab-ci.yml: .gitlab-ci.yml: added abi-checker rule

	This allows to test ABI incompatibilities as soon as possible.

2016-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* Makefile.am, devel/ABI-dane-x86_64.dump, devel/ABI-x86_64.dump,
	devel/abi-unchecked-symbols, devel/abi-unchecked-symbols.txt,
	devel/abi.xml, devel/abi3.2.xml, devel/abi3.4.xml: Makefile: made
	abi-checks self-contained

	That is, they no longer assume a given directory structure to exist
	outside git. It now includes a static dump of the symbols in 3.4.0
	for x86_64 and we compare with it.

2016-03-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/cli.c: gnutls-cli: fix invalid initialization in
	cert_verify_ocsp()

2016-03-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-03-08  Jan Vcelak <jan.vcelak@nic.cz>

	* lib/pkcs11_privkey.c: pkcs11: implement correct DSA key pair
	generating

	Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>

2016-02-25  Jan Vcelak <jan.vcelak@nic.cz>

	* lib/pkcs11_int.c, lib/pkcs11_int.h: pkcs11: add interface for
	C_GenerateKey

	Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>

2016-03-08  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/suite/testpkcs11.sh: tests: testpkcs11: the test will always
	fail in code path failures

2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-loss-time.c: tests: mini-loss-time: improved timeout
	detection

2016-02-15  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/mini-loss-time.c: tests: mini-loss-time: ensure client
	timeouts after the server is

	This addresses issue with the server detecting the client
	disconnection prior to its timeout. Reported by Steven Chamberlain,
	Andreas Metzler.

2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_ui.c: gnutls_ocsp_status_request_is_checked: document
	the version the flag was introduced at

2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/doc.mk: doc: generate manpages for all functions

	That addresses issue where certain manpages were created empty.  See
	https://bugzilla.redhat.com/show_bug.cgi?id=1306800

2016-03-07  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: doc: mention
	gnutls_certificate_set_x509_trust_dir()

	It was not mentioned in the "Client or server certificate
	verification" section.

	Resolves #76

2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/Makefile.am: tests: include test-hash-large into dist

2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-03-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* po/zh_CN.po.in: Sync with TP [ci skip]

2016-03-01  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_global.c: Disable weak symbols for
	_gnutls_global_init_skip() under windows

	That is to avoid an issue with running gnutls under windows; that
	renders GNUTLS_SKIP_GLOBAL_INIT a no-op under windows.

	Relates #74

2016-02-29  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* configure.ac, m4/hooks.m4: bumped version [ci skip]

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/ext/ecc.c: ecc: optimized extension parsing

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_state.c: timespec_sub_ms: fixed operation in 32-bit
	systems

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/pkcs11.c, lib/pkcs11_int.h: pkcs11: Fixes to prevent undefined
	behavior (found with libubsan)

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/nettle/cipher.c: cipher.c: Fixes to prevent undefined behavior
	(found with libubsan)

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/opencdk/misc.c: opencdk: Fixes to prevent undefined behavior
	(found with libubsan)

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/includes/gnutls/gnutls.h.in: gnutls.h: Fixes to prevent
	undefined behavior (found with libubsan)

2016-02-29  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_mem.h, lib/x509/x509.c: x509: Fixes to prevent
	undefined behavior (found with libubsan)

2016-02-28  Andreas Metzler <ametzler@bebt.de>

	* src/p11tool-args.def: Let p11tool --provider option accept
	filenames.

	Drop 'file-exists = yes;' to allow specifying either an absolute
	pathname or a file in P11_MODULE_PATH.

2016-02-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/pkcs11-chainverify.c, tests/suite/pkcs11-is-known.c,
	tests/suite/softhsm.h, tests/suite/testpkcs11.softhsm,
	tests/utils.c, tests/utils.h: tests: enable softhsmv2 test suite by
	default

	Also do not fatally fail with known softhsmv2 bugs.

2016-02-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update

2016-02-26  Jan Vcelak <jan.vcelak@nic.cz>

	* tests/suite/testpkcs11.sh: pkcs11: tests for RSA, ECC, DSA private
	key import

	Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>

2016-02-26  Jan Vcelak <jan.vcelak@nic.cz>

	* tests/suite/testpkcs11.sh: pkcs11: tests for DSA key generating

	Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>

2016-02-27  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* doc/cha-gtls-app.texi: added getpid() to the list of system calls
	used

2016-02-25  Jan Vcelak <jan.vcelak@nic.cz>

	* lib/x509/privkey_pkcs8.c: gnutls_x509_privkey_import: add missing
	algorithm setting for DSA keys

	The algorithm number was set only in the private key structure, not
	in the nested structure with parameters. This made certain
	operations fail (e.g., copying the key into a PKCS #11 token).

	Signed-off-by: Jan Vcelak <jan.vcelak@nic.cz>

2016-02-24  Sebastian Dröge <sebastian@centricular.com>

	* configure.ac: configure: Android is ELF too

	Without this, compiling Android for x86 or x86-64 fails because the
	assembly optimizations are not compiled in.

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/Makefile.am, tests/pcert-list.c: tests: added tests for
	gnutls_pcert_list_import_x509_raw()

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509.c: gnutls_x509_crt_list_import: corrected memory
	leak

	This was triggered if GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED was
	specified and a failure occurred.

2016-02-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/common.c: _gnutls_sort_clist: fixed issues when used with
	func option

	This function would incorrectly call func() on elements that were
	included in the list, and would not call func() if the size of the
	final chain was one.

2016-02-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/algorithms/secparams.c: DH/DSA: allow the generation of larger
	than 15360 bit parameters

2016-02-13  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/hash-large.c: tests: eliminated mem leak in hash-large

2016-02-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update [ci skip]

2016-02-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/slow/Makefile.am, tests/slow/hash-large.c,
	tests/slow/test-hash-large: tests: check whether large buffer hashes
	and MAC work as expected

2016-02-12  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/accelerated/x86/hmac-padlock.c,
	lib/accelerated/x86/hmac-x86-ssse3.c,
	lib/accelerated/x86/sha-padlock.c,
	lib/accelerated/x86/sha-padlock.h,
	lib/accelerated/x86/sha-x86-ssse3.c, lib/nettle/mac.c: nettle: use
	the correct type for hash and MAC functions

2016-02-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* src/benchmark-cipher.c: gnutls-cli: improved indentation in
	benchmark output

2016-02-10  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/set_pkcs12_cred.c: tests: set_pkcs12_cred: existing tests
	are disabled when in FIPS140-2 mode

	The tests require access to the RC4 cipher which is not available.

2016-02-09  Andreas Metzler <ametzler@bebt.de>

	* doc/cha-gtls-app.texi: improve doc on special keywords in priority
	string

	Special keywords in priority strings like %COMPAT may not be
	prefixed with +, - or !, "NORMAL:+%COMPAT" is invalid.

2016-02-06  Attila Molnar <attilamolnar@hush.com>

	* doc/cha-cert-auth.texi, doc/cha-gtls-app.texi,
	doc/cha-tokens.texi, lib/gnutls_auth.c, lib/gnutls_dtls.c,
	lib/gnutls_extensions.c, src/tpmtool-args.def: doc: Fix some typos

2016-02-06  Attila Molnar <attilamolnar@hush.com>

	* doc/cha-gtls-app.texi, src/certtool-cfg.c, src/serv-args.def: 
	Remove remaining RSA-EXPORT support leftovers from doc and messages

2016-02-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/suite/pkcs11-pubkey-import-ecdsa.c: tests:
	pkcs11-pubkey-import-ecdsa will only work under softhsmv2

2016-02-03  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS, configure.ac, m4/hooks.m4: bumped version

2016-01-31  Andreas Metzler <ametzler@bebt.de>

	* lib/gnutls_pubkey.c, lib/openpgp/gnutls_openpgp.c,
	lib/x509/pkcs12_bag.c, lib/x509/x509.c, lib/x509/x509_ext.c,
	src/certtool-cfg.c: Fix some more typos.  certifcate, funtion, withing, missmatch

2016-01-31  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update [ci skip]

2016-01-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* tests/cert-tests/template-date.pem,
	tests/cert-tests/template-dn.pem,
	tests/cert-tests/template-generalized.pem,
	tests/cert-tests/template-nc.pem,
	tests/cert-tests/template-overflow.pem,
	tests/cert-tests/template-overflow2.pem,
	tests/cert-tests/template-test.pem,
	tests/cert-tests/template-unique.pem: Revert "tests: updated to
	account for cert generation after
	2adb9b2bfb31afebbdd9f990e2b74c9a3d4e5c57 fix"

	This reverts commit 735dbde324be6c8785a3dea5f09c82b6a8ad298b.

2016-01-30  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/x509_ext.c: Revert "Fix out-of-bounds read in
	gnutls_x509_ext_export_key_usage"

	This was not really an out-of-bounds check. Added documentation to
	make that clear.

	This reverts commit ffbc9aaea7dcf29c03784d128b83f0682357858d.

2016-01-18  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/gnutls_global.c: gnutls_global_init: log gnutls' version on
	initialization

2016-01-18  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* doc/cha-gtls-app.texi: doc: corrected typo [ci skip]

2016-01-14  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* NEWS: doc update

2015-08-26  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509: tolerate missing subject or issuer fields

2016-01-13  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/gnutls_pubkey.c: gnutls_pubkey_import_x509_raw: fixed memory
	leak

2016-01-11  Nikos Mavrogiannopoulos <nmav@redhat.com>

	* lib/x509/output.c: x509: place newline when printing unsupported
	othernames

2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* NEWS: doc update [ci skip]

2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* lib/ext/alpn.c: alpn: when parsing the list of protocols return at
	the first mutually common

	That resolves an issue where the server wouldn't select the first
	mutually supported.

	Resolves #63

2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

	* tests/mini-alpn.c: tests: mini-alpn: corrected protocol selection
	order

2016-01-10  Nikos Mavrogiannopoulos <nmav@gnutls.org>

