gnutls:gnutls.git
Nikos Mavrogiannopoulos [Fri, 24 Oct 2014 13:28:14 +0000 (15:28 +0200)]
Added support for RFC7366 (encrypt then authenticate)

It is not interoperable with public servers as it seems they
are implementing the protocol wrongly. That seems to be
noticed by NSS too: https://bugzilla.mozilla.org/show_bug.cgi?id=972145

Nikos Mavrogiannopoulos [Fri, 24 Oct 2014 12:45:15 +0000 (14:45 +0200)]
eliminate IV size usage in TLS encryption/decryption; it was a remnant of salsa20

Nikos Mavrogiannopoulos [Fri, 24 Oct 2014 09:12:10 +0000 (11:12 +0200)]
corrected likely macro usage

Spotted by Manuel Pégourié-Gonnard.

Nikos Mavrogiannopoulos [Fri, 24 Oct 2014 08:41:04 +0000 (10:41 +0200)]
removed support for SALSA20 and for stream ciphers with IV

The proposal was not adopted by the TLS WG, and the AEAD path
will be used.

Nikos Mavrogiannopoulos [Fri, 24 Oct 2014 08:27:20 +0000 (10:27 +0200)]
Added priority string %NO_TICKETS that disables session ticket support

This is implied by the priority string PFS.

Nikos Mavrogiannopoulos [Thu, 23 Oct 2014 21:42:45 +0000 (23:42 +0200)]
do not negotiate nor use the 'extended master secret' in SSL 3.0

According to Alfredo Pironti support for that protocol will be dropped
from the draft.

Nikos Mavrogiannopoulos [Wed, 22 Oct 2014 20:18:10 +0000 (22:18 +0200)]
compile 3.3.9 by default

Nikos Mavrogiannopoulos [Thu, 23 Oct 2014 08:44:23 +0000 (10:44 +0200)]
always send the mandatory extensions (even in SSL 3.0)

The only way to force no extensions and usage of SCSVs is the
%NO_EXTENSIONS priority string.

Nikos Mavrogiannopoulos [Thu, 23 Oct 2014 08:40:42 +0000 (10:40 +0200)]
EXT MASTER SECRET moved to mandatory extensions

Nikos Mavrogiannopoulos [Thu, 23 Oct 2014 07:52:36 +0000 (09:52 +0200)]
check and use libnsl (used in solaris)

Nikos Mavrogiannopoulos [Thu, 23 Oct 2014 07:41:36 +0000 (09:41 +0200)]
updated asm sources

Nikos Mavrogiannopoulos [Thu, 23 Oct 2014 07:40:31 +0000 (09:40 +0200)]
updated perl asm sources

Nikos Mavrogiannopoulos [Thu, 23 Oct 2014 07:36:05 +0000 (09:36 +0200)]
use the GNU-stack note in linux systems

Nikos Mavrogiannopoulos [Thu, 23 Oct 2014 07:18:23 +0000 (09:18 +0200)]
updated gnulib

Nikos Mavrogiannopoulos [Thu, 23 Oct 2014 06:49:20 +0000 (08:49 +0200)]
tests: check the issuer value validity of gnutls_x509_trust_list_get_issuer

Nikos Mavrogiannopoulos [Thu, 23 Oct 2014 06:47:27 +0000 (08:47 +0200)]
corrected bug in gnutls_x509_trust_list_get_issuer() when used without the GNUTLS_TL_GET_COPY flag

Nikos Mavrogiannopoulos [Wed, 22 Oct 2014 20:15:30 +0000 (22:15 +0200)]
tests: include minitasn1 when needed

Nikos Mavrogiannopoulos [Wed, 22 Oct 2014 20:05:16 +0000 (22:05 +0200)]
use HAVE_DANE ifdef for unused functions

Nikos Mavrogiannopoulos [Wed, 22 Oct 2014 19:44:23 +0000 (21:44 +0200)]
exported gnutls_fd_in_use

Nikos Mavrogiannopoulos [Wed, 22 Oct 2014 14:35:42 +0000 (16:35 +0200)]
document gnutls_fd_in_use()

Nikos Mavrogiannopoulos [Wed, 22 Oct 2014 14:31:49 +0000 (16:31 +0200)]
gnutls_fd_in_use: mention version

Nikos Mavrogiannopoulos [Wed, 22 Oct 2014 14:31:20 +0000 (16:31 +0200)]
corrected FIND_OBJECT loop when the token func is used

Nikos Mavrogiannopoulos [Wed, 22 Oct 2014 10:19:25 +0000 (12:19 +0200)]
added gnutls_fd_in_use() to check whether a file descriptor is in use

Nikos Mavrogiannopoulos [Tue, 21 Oct 2014 18:02:23 +0000 (20:02 +0200)]
added prototype to avoid compiler warning

Nikos Mavrogiannopoulos [Tue, 21 Oct 2014 18:00:54 +0000 (20:00 +0200)]
fips140-2: limit the FIPS code in fips mode

Nikos Mavrogiannopoulos [Tue, 21 Oct 2014 06:50:29 +0000 (08:50 +0200)]
fips140-2: use the FIPS algorithms only when in FIPS140-2 mode

Nikos Mavrogiannopoulos [Mon, 20 Oct 2014 13:02:03 +0000 (15:02 +0200)]
dtls-stress: reindented code

Nikos Mavrogiannopoulos [Mon, 20 Oct 2014 12:55:52 +0000 (14:55 +0200)]
tests: dtls-stress: only replay when send succeeds

Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 12:11:26 +0000 (14:11 +0200)]
testsrn: do not assume that SSL 3.0 is enabled by default

Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 11:46:10 +0000 (13:46 +0200)]
gnutls-cli-debug: added test that checks the fallback from TLS 1.6

Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 11:45:40 +0000 (13:45 +0200)]
added _gnutls_hello_set_default_version() which allows to override the clienthello version

Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 11:20:30 +0000 (13:20 +0200)]
gnutls-cli: prevent the combination of the -p and --list options

As -p may be mistaken for --priority that would prevent wrong outputs.

Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 10:11:02 +0000 (12:11 +0200)]
avoid d from getting out of scope

Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 10:05:56 +0000 (12:05 +0200)]
gnutls-serv: avoid possible buffer overrun

Nikos Mavrogiannopoulos [Fri, 17 Oct 2014 07:45:07 +0000 (09:45 +0200)]
avoid memory leak on gnutls_x509_privkey_generate() failure

Nikos Mavrogiannopoulos [Thu, 16 Oct 2014 11:55:12 +0000 (13:55 +0200)]
doc update

Nikos Mavrogiannopoulos [Thu, 16 Oct 2014 11:54:42 +0000 (13:54 +0200)]
gnutls-cli: added option --priority-list

Nikos Mavrogiannopoulos [Thu, 16 Oct 2014 11:54:24 +0000 (13:54 +0200)]
added gnutls_priority_string_list(), a function to iterate all priority strings

Nikos Mavrogiannopoulos [Thu, 16 Oct 2014 11:39:50 +0000 (13:39 +0200)]
put all priority strings into a table

Nikos Mavrogiannopoulos [Wed, 15 Oct 2014 13:21:27 +0000 (15:21 +0200)]
updated documentation for SSL 3.0 removal

Nikos Mavrogiannopoulos [Wed, 15 Oct 2014 13:18:25 +0000 (15:18 +0200)]
doc update

Nikos Mavrogiannopoulos [Wed, 15 Oct 2014 13:17:22 +0000 (15:17 +0200)]
SSL 3.0 is no longer on the default priorities list

Nikos Mavrogiannopoulos [Wed, 15 Oct 2014 12:20:40 +0000 (14:20 +0200)]
in FIPS140-2 mode only disable 1024-bit DSA parameters when generating

Ludovic Courtès [Tue, 14 Oct 2014 20:33:10 +0000 (22:33 +0200)]
guile: Remove trailing zero in 'gnutls_server_name_set' call.

In GnuTLS 3.2.19 (and possibly 3.3.9 and 3.1.17),
'set-session-server-name!' would pass a trailing nul character on the
wire after the server name, which would thus be rejected by servers.

Nikos Mavrogiannopoulos [Tue, 14 Oct 2014 19:05:34 +0000 (21:05 +0200)]
corrected libopt's Makefile.am

reported by Marius Schamschula.

Nikos Mavrogiannopoulos [Tue, 14 Oct 2014 14:29:23 +0000 (16:29 +0200)]
use _gnutls_hash_fast() in DSA/ECDSA verification

Nikos Mavrogiannopoulos [Tue, 14 Oct 2014 11:57:33 +0000 (13:57 +0200)]
FIPS140-2 RSA key generation changes to account for seed starting with null byte

Nikos Mavrogiannopoulos [Tue, 14 Oct 2014 09:05:20 +0000 (11:05 +0200)]
corrected the SSSE3 optimized SHA224

Nikos Mavrogiannopoulos [Tue, 14 Oct 2014 07:21:14 +0000 (09:21 +0200)]
simplified getrusage code; the failure check code wasn't needed

Nikos Mavrogiannopoulos [Fri, 10 Oct 2014 11:29:43 +0000 (13:29 +0200)]
use lcm(p-1,q-1) instead of phi(n) for RSA key generation in FIPS-140-2 mode

Nikos Mavrogiannopoulos [Mon, 13 Oct 2014 13:12:21 +0000 (15:12 +0200)]
tests: added check for import failure of v1 certificate with extensions

Nikos Mavrogiannopoulos [Mon, 13 Oct 2014 13:05:47 +0000 (15:05 +0200)]
do not allow importing X.509 certificates with version < 3 and extensions present

Nikos Mavrogiannopoulos [Mon, 13 Oct 2014 07:02:02 +0000 (09:02 +0200)]
update the guile manual along the C one

Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 21:04:04 +0000 (23:04 +0200)]
updated to libopts 5.18.4

Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 17:42:56 +0000 (19:42 +0200)]
place all rusage variables into HAVE_GETRUSAGE block

Nikos Mavrogiannopoulos [Sat, 11 Oct 2014 12:34:02 +0000 (14:34 +0200)]
rnd: if RUSAGE_THREAD fails try RUSAGE_SELF

Nikos Mavrogiannopoulos [Fri, 10 Oct 2014 07:30:57 +0000 (09:30 +0200)]
tests: removed last remnants of GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE

Nikos Mavrogiannopoulos [Fri, 10 Oct 2014 07:29:58 +0000 (09:29 +0200)]
tests: pkcs11-combo: use unique db file

Nikos Mavrogiannopoulos [Thu, 25 Sep 2014 10:04:32 +0000 (12:04 +0200)]
forbid heartbeat messages during a handshake

Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 16:15:01 +0000 (18:15 +0200)]
added internal variable to track handshake status

Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 13:56:41 +0000 (15:56 +0200)]
ocsptool: avoid shadowing a global variable

Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 13:53:47 +0000 (15:53 +0200)]
removed flag GNUTLS_VERIFY_KEY_PURPOSE_ON_INTERMEDIATE

Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 12:22:56 +0000 (14:22 +0200)]
more files to ignore

Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 12:09:01 +0000 (14:09 +0200)]
tests: updated time in pkcs11-is-known

Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 11:16:32 +0000 (13:16 +0200)]
pkcs11: handle errors from override_cert_exts as fatal

Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 10:34:46 +0000 (12:34 +0200)]
tests: allow running specific chainverify tests on fixed dates

Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 10:28:34 +0000 (12:28 +0200)]
_gnutls_check_valid_key_id: corrected activation/expiration check

Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 10:09:52 +0000 (12:09 +0200)]
pkcs11: simplified and optimized loop

Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 09:35:10 +0000 (11:35 +0200)]
mention nettle as the recommended crypto backend

Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 09:10:15 +0000 (11:10 +0200)]
tests: Added check to ensure that trust list combination with extra certificates works

Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 08:41:57 +0000 (10:41 +0200)]
when both a trust module and additional CAs are present account the latter as well

That solves an issue in openconnect which used the system trust module,
plus additional certificates.

Nikos Mavrogiannopoulos [Thu, 9 Oct 2014 08:13:48 +0000 (10:13 +0200)]
simplify the handling of trust_list_get_issuer() when GNUTLS_TL_GET_COPY is not given

Nikos Mavrogiannopoulos [Wed, 8 Oct 2014 21:17:14 +0000 (23:17 +0200)]
doc update

Nikos Mavrogiannopoulos [Wed, 8 Oct 2014 12:41:08 +0000 (14:41 +0200)]
doc update

Nikos Mavrogiannopoulos [Mon, 29 Sep 2014 14:02:42 +0000 (16:02 +0200)]
tools: print the status of safe renegotiation and extended master secret

Nikos Mavrogiannopoulos [Mon, 29 Sep 2014 14:00:16 +0000 (16:00 +0200)]
tests: check whether the extended master secret is negotiated by default

Nikos Mavrogiannopoulos [Wed, 8 Oct 2014 12:09:30 +0000 (14:09 +0200)]
Added support for the extended master secret calculation

That is performed implicitly unless GNUTLS_NO_EXTENSIONS is specified.
The implementation follows draft-ietf-tls-session-hash-02.

Nikos Mavrogiannopoulos [Wed, 8 Oct 2014 09:47:49 +0000 (11:47 +0200)]
corrected assignment

Nikos Mavrogiannopoulos [Wed, 8 Oct 2014 08:22:04 +0000 (10:22 +0200)]
corrected the name of exported function

Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 16:25:09 +0000 (18:25 +0200)]
doc update

Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 16:24:29 +0000 (18:24 +0200)]
tests: added check for gnutls_record_discard_queued()

Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 16:03:25 +0000 (18:03 +0200)]
Added gnutls_record_discard_queued()

That function allows to discard queued data in DTLS.

Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 14:50:05 +0000 (16:50 +0200)]
tests: corrected test for v1 cert signing (removed bogus authorityIdentifier)

Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 14:44:26 +0000 (16:44 +0200)]
certtool: only set the authority key identifier, if there is a corresponding subject key identifier

Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 14:28:19 +0000 (16:28 +0200)]
pkcs11: do not shortcut checks when GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY is specified

Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 14:20:18 +0000 (16:20 +0200)]
pkcs11: always check for a valid subjectKeyIdentifier match

That way, expired certificates can co-exist with their replacements.

Armin Burgmeier [Mon, 6 Oct 2014 21:28:46 +0000 (17:28 -0400)]
Add a test for PKCS11 CA iteration

Signed-off-by: Armin Burgmeier <armin@arbur.net>
Armin Burgmeier [Mon, 6 Oct 2014 21:24:11 +0000 (17:24 -0400)]
Also iterate over the CA certificates in a PKCS11 token

Signed-off-by: Armin Burgmeier <armin@arbur.net>
Armin Burgmeier [Mon, 6 Oct 2014 21:22:28 +0000 (17:22 -0400)]
Return an error if multiple PKCS11 URLs are added to a trust list

Before, the new URL would overwrite the old URL, and the memory of the old URL
would be leaked. It is documented that only one URL can be used, so it should
be safe to reject any attempt to add another one.

Signed-off-by: Armin Burgmeier <armin@arbur.net>
Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 13:14:34 +0000 (15:14 +0200)]
pkcs11: when no CKA_ID can be relied on fallback on checking the SubjectKeyIdentifier

Patch by David Woodhouse.

Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 11:40:50 +0000 (13:40 +0200)]
added FIPS140-2 ECDH verification functions

Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 09:19:39 +0000 (11:19 +0200)]
removed unused definition

Nikos Mavrogiannopoulos [Tue, 7 Oct 2014 08:02:56 +0000 (10:02 +0200)]
added FIPS140-2 DH verification functions

Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 22:12:37 +0000 (00:12 +0200)]
tests: corrected check with gnutls_x509_trust_list_get_issuer

Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 21:22:45 +0000 (23:22 +0200)]
corrected remove_pkcs11_url()

Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 17:50:39 +0000 (19:50 +0200)]
address memory leak in gnutls_pkcs11_crt_is_known()

Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 21:18:08 +0000 (23:18 +0200)]
tests: check gnutls_pkcs11_crt_is_known() when multiple same DNs are present

Nikos Mavrogiannopoulos [Mon, 6 Oct 2014 21:17:29 +0000 (23:17 +0200)]
pkcs11: when checking for presence do not give up on the first mismatch

Nikos Mavrogiannopoulos [Sun, 5 Oct 2014 08:09:22 +0000 (10:09 +0200)]
doc update: clarifications in gnutls_x509_trust_list_add_trust_file

Nikos Mavrogiannopoulos [Thu, 2 Oct 2014 14:24:41 +0000 (16:24 +0200)]
corrected compilation for non-pkcs11; reported by David Woodhouse.