Changes in release 0.32.2:
* Fix auth handling for request-target of "*" (regressed since 0.31.x)

Changes in release 0.32.1:
* Fix configure CFLAGS handling in Kerberos detection.
* Various spelling fixes.

Changes in release 0.32.0:
* Interface changes:
 - API and ABI backwards-compatible with 0.27.x and later
 - NE_AUTH_DIGEST now only enables RFC 2617/7616 auth by default;
   to enable weaker RFC 2069 Digest, use NE_AUTH_LEGACY_DIGEST
   (treated as a security enhancement, not an API/ABI break)
* Interface clarifications:
 - ne_auth.h: use of non-ASCII usernames with the ne_auth_creds
   callback type is now rejected for Digest auth since the
   encoding is not specified. ne_add_auth() can be used instead.
 - ne_request.h: the ne_create_request_fn callback is passed the
   request-target using RFC 7230 terminology
* New interfaces and features:
 - ne_string.h: added ne_strhash(), ne_vstrhash(), ne_strparam()
 - ne_auth.h: added RFC 7616 (Digest authentication) support,
   including userhash=, username*= and SHA-2 algorithms
   (SHA-2 requires GnuTLS/OpenSSL). added NE_AUTH_LEGACY_DIGEST
 - ne_auth.h: added ne_add_auth() unified auth callback interface,
   accepts (only) UTF-8 usernames, uses a larger password buffer,
   and has different/improved attempt counter semantics.
 - RFC 7617 scoping rules are now applied for Basic authentication.
 - ne_ssl.h: added ne_ssl_cert_hdigest()
 - ne_socket.h: added ne_sock_shutdown()
 - sendmsg()/send() are used with the MSG_NOSIGNAL flag to write to
   sockets on Unix, rather than write()/writev(), avoiding SIGPIPE
 - explicit_bzero() is used where available to clear credentials
* Bug fixes:
 - fixed TLS connection shutdown handling for OpenSSL 3
 - fix various Coverity and cppcheck warnings (Sebastian Reschke)
 - Kerberos library detection uses pkg-config where possible.
 - fix some configure checks on Win32 (Christopher Degawa)
 - fix some configure errors on MacOS (Ryan Schmidt)

Changes in release 0.31.2:
* Fix ne_md5_read_ctx() with OpenSSL on big-endian architectures.
* Fix GCC 10 warning in PKCS#11 build.
* Fix OpenSSL build w/o deprecated APIs (Rosen Penev).
* Fix unnecessary MD5 test for non-Digest auth (Sebastian Reschke).
* Fix hang on SSL connection close with IIS (issue #11).
* Fix ar, ranlib detection when cross-compiling (Sergei Trofimovich).

Changes in release 0.31.1:
* ADMIN: The neon website has moved to https://notroj.github.io/neon/
* Restore ne_md5_read_ctx() in OpenSSL build.
* Fix gcc warnings on Ubuntu (Jan-Marek Glogowski).
* Fix various spelling mistakes in docs and headers (thanks to FOSSIES).
* Fix ne_asctime_parse() (Eugenij-W).
* Fix build with LibreSSL (Juan RP).

Changes in release 0.31.0:
* Interface changes:
 - none, API and ABI backwards-compatible with 0.27.x and later
* New interfaces and features:
 - add more gcc "nonnull" attributes to ne_request_* functions.
 - for OpenSSL builds, ne_md5 code uses the OpenSSL implementation
 - add NE_SESSFLAG_SHAREPOINT session flag which enables workarounds
   for RFC non-compliance issues in Sharepoint (thanks to
   Jan-Marek Glogowski and Giuseppe Castagno)
 - ne_uri.h: add ne_path_escapef() in support of above
 - ne_207.h: add ne_207_set_flags() likewise in support of above
* API clarification:
 - ne_version_match() behaviour now matches actual 0.27+ ABI history
* Bug fixes:
 - fixes for OpenSSL 1.1.1 and TLSv1.3 support
 - fix crash with GnuTLS in client cert support (Henrik Holst)
 - fix possible crash in ne_set_request_flag()
 - fix build with libxml2 2.9.10 and later
 - fix handling lock timeouts >LONG_MAX (Giuseppe Castagno)

Changes in release 0.30.2:
* Add support for OpenSSL 1.1.x (Kurt Roeckx).
* Fix PKCS#11 support under GnuTLS 3.x.
 - PKCS#11 API no longer supported with GnuTLS 2.x

Changes in release 0.30.1:
* Fix memory leak with GnuTLS (Werner Baumann, Patrick Ohly).
* Fix possible crash after DNS lookup errors on Windows (Olivier Goffart).
* Don't fail if the SSL cert changes between connections with OpenSSL,
  behaviour now matches that with GnuTLS.
* Fix PKCS#11 support under OpenSSL with TLS 1.2.
* Fix static linking with pkg-config file (Alan H).

Changes in release 0.30.0:
* Interface changes:
 - none, API and ABI backwards-compatible with 0.27.x and later
* New interfaces and features:
 - ne_ssl.h: added ne_ssl_clicert_import, ne_ssl_context_get_flag
 - ne_session.h: added ne_set_addrlist2
 - ne_socket.h: added ne_addr_canonical
 - ne_auth.h: added NE_AUTH_GSSAPI_ONLY, NE_AUTH_SSPI (Nathanael Rensen)
 - ne_basic.h: added NE_CAP_EXT_MKCOL options test
 - ne_request.h: support chunked bodies with negative length passed to
   ne_set_request_body_provider (Julien Reichel)
* Bug fixes:
 - ne_path_escape: fix excessive memory allocation (Pierre Crokaert)
 - SSPI auth: use canonical server hostname, clear SSPI context after
   successful auth (Nathanael Rensen)
 - build fixes for Open Watcom compiler (NormW)
 - fix Win32 error code handling for local ne_sock_prebind bind failure
 - Win32: support LFS, thread-safe OpenSSL (Diego Santa Cruz)
 - GnuTLS: fix GnuTLS 3.x support (Matthias Petschick, Bartosz Brachaczek)

Changes in release 0.29.6:
* Don't abort SSL handshake with GnuTLS if a client cert is requested
  but none is configured/available (thanks to Patrick Ohly)
* Fix the method string passed to create_request hooks to have the same
  lifetime as the request object (Patrick Ohly)
* Docs updates.

Changes in release 0.29.5:
* Fix GnuTLS handshake failures with 'TLS warning alert' (Bryan Cain)
* Further fix for SSPI support on Win32 (Danil Shopyrin)

Changes in release 0.29.4:
* Fix SNI support (Tobias Gruetzmacher)
* Fix possible Solaris linker errors if building static library
* Win32: Fix Kerberos authentication support with SSPI (Danil Shopyrin)
* Fix error handling when pulling a request body from a file
  (thanks to Lou Montulli)
* Fix ne_request_dispatch() return value for SOCKS proxy failure cases
* Tighten SSL cert ID checks to deny a wildcard match against an IP address

Changes in release 0.29.3:
* Change ne_sock_close() to no longer wait for SSL closure alert:
 - fixes possible hang with IIS servers when closing SSL connection
 - this reverts the behaviour with OpenSSL to match 0.28.x, and
   changes the behaviour with GnuTLS to match that with OpenSSL
* Fix memory leak with GnuTLS
* API clarification in ne_sock_close():
 - SSL closure handling now documented
 - return value semantics fixed to describe the implementation

Changes in release 0.29.2:
* Fix spurious 'certificate verify failed' errors with OpenSSL (Tom C)
* Fix unnecessary re-authentication with SSPI (Danil Shopyrin)

Changes in release 0.29.1:
* Fixes for (Unix) NTLM implementation:
 - fix handling of session timeout (Kai Sommerfeld)
 - fix possible crash (basic@mozdev.org)
* Fix unnecessary re-authentication with SSPI (Danil Shopyrin)
* Build fixes for Win32:
 - fix use of socklen_t with recent SDKs (Stefan Kung)
 - fix USE_GETADDRINFO on Win2K (Kai Sommerfeld)
* Fix build with versions of GnuTLS older than 2.8.0.

Changes in release 0.29.0:
* Interface changes:
 - none, API and ABI backwards-compatible with 0.28.x and 0.27.x
* New interfaces and features:
 - added NTLM auth support for Unix builds (Kai Sommerfeld, Daniel Stenberg)
 - ne_auth.h: added NE_AUTH_GSSAPI and NE_AUTH_NTLM auth protocol codes
 - added ne_acl3744.h, updated WebDAV ACL support (Henrik Holst)
 - added built-in SOCKS v4/v4a/v5 support: ne_socket.h:ne_sock_proxy(),
   and ne_session.h:ne_session_socks_proxy()
 - added support for system-default proxies: ne_session_system_proxy(),
   implemented using libproxy where available
 - ne_session.h: added NE_SESSFLAG_EXPECT100 session flag, SSL verification
   failure bits extended by NE_SSL_BADCHAIN and NE_SSL_REVOKED, better
   handling of failures within the cert chain (thanks to Ludwig Nussel)
 - ne_utils.h: added feature code NE_FEATURE_SYSPROXY
 - ne_socket.h: ne_sock_writev() (Julien Reichel), ne_sock_set_error(),
   ne_iaddr_raw(), ne_iaddr_parse()
 - ne_string.h: ne_buffer_qappend(), ne_strnqdup()
* Deprecated interfaces:
 - ne_acl.h is obsoleted by ne_acl3744.h (but is still present)
 - obsolete feature "NE_FEATURE_SOCKS" now never marked present
* Other changes:
 - fix handling of "stale" flag in RFC2069-style Digest auth challenge
 - ne_free() implemented as a function on Win32 (thanks to Helge Hess)
 - symbol versioning used for new symbols, where supported
 - ensure SSL connections are closed cleanly with OpenSSL
 - fix build with OpenSSL 1.0 beta
 - updated Polish (pl) translation (Arfrever Frehtes Taifersar Arahesis)

Changes in release 0.28.6:
* SECURITY (CVE-2009-2473): Fix "billion laughs" attack against expat;
  could allow a Denial of Service attack by a malicious server.
* SECURITY (CVE-2009-2474): Fix handling of an embedded NUL byte in
  a certificate subject name with OpenSSL; could allow an undetected
  MITM attack against an SSL server if a trusted CA issues such a cert.

Changes in release 0.28.5:
* Enable support for X.509v1 CA certificates in GnuTLS.
* Fix handling of EINTR in connect() calls.
* Fix use of builds with SOCK_CLOEXEC support on older Linux kernels.

Changes in release 0.28.4:
* Fix ne_forget_auth (Kai Sommerfeld)
* GnuTLS support fixes:
 - fix handling of PKCS#12 client certs with multiple certs or keys
 - fix crash with OpenPGP certificate
 - use pkg-config data in configure, in preference to libgnutls-config
* Add PKCS#11 support for OpenSSL builds (where pakchois is available)
* Fix small memory leak in PKCS#11 code.
* Fix build on Haiku (scott mc)

Changes in release 0.28.3:
* SECURITY (CVE-2008-3746): Fix potential NULL pointer dereference in
  Digest domain parameter support; could allow a DoS by a malicious server
* Fix parsing of *-Authenticate response header with LWS after quoted value
* Fix ne_set_progress(, NULL, ) to match pre-0.27 behaviour (and not crash)
* Fix to disable Nagle on Win32 with newer toolchain (thanks to Stefan Küng)
* Fix build on Netware (Guenter Knauf)
* Document existing ne_uri_parse() API postcondition and ne_uri_resolve()
  pre/postconditions regarding the ->path field in ne_uri structures
* Mark ne_{,buffer_}concat with sentinel attribute for GCC >= 4.
* Distinguish the error message for an SSL handshake which fails after a
  client cert was requested.
* Compile with PIC flags by default even for static library builds

Changes in release 0.28.2:
* Support "Proxy-Connection: Keep-Alive" for compatibility with HTTP/1.0
  proxies which require persistent connections for NTLM authentication
* Fix an fd leak in ne_ssl_{,cli}cert_read (GnuTLS only)
* Enable fast initialization in GnuTLS.

Changes in release 0.28.1:
* Fix Win32 build
* Fix build on SCO OpenServer 5.0.x (thanks to Nico Kadel-Garcia)
* Fix handling of Digest domain parameter values without a trailing slash
* Fix build against apr-util's bundled libexpat.la in Subversion
* Add --without-pakchois to configure (Arfrever Frehtes Taifersar Arahesis)
* zh message catalog renamed to zh_CN, translation updated (Dongsheng Song)

Changes in release 0.28.0:
* Interface changes:
 - none, API and ABI backwards-compatible with 0.27.x
* New interfaces:
 - ne_pkcs11.h: added basic PKCS#11 support (requires GnuTLS and pakchois)
 - ne_auth.h: added NE_AUTH_ALL and NE_AUTH_DEFAULT constants
 - ne_socket.h: added ne_sock_peer(), ne_sock_prebind(), ne_sock_cipher()
 - ne_session.h: NE_SESSFLAG_TLSSNI flag added; TLS SNI support is enabled
   by default, where supported; ne_set_localaddr() added
 - ne_request.h: added close_conn hooks (Robert J. van der Boon)
 - ne_basic.h: added ne_options2()
* Other changes:
 - add Polish (pl) translation (Arfrever Frehtes Taifersar Arahesis)
 - add support for the 'domain' parameter in Digest authentication
 - fix fd leak in ne_sock_connect() error path (Andrew Teirney)
 - the FD_CLOEXEC flag is set on socket fds
 - fix timezone handling in ne_dates for more platforms (Alessandro Vesely)
 - fix ne_simple_propfind() to print XML namespaces in flat property values
 - fix ne_get_range() for unspecified end-range case (Henrik Holst)
 - fix ne_strclean() to be locale-independent and avoid possible Win32 crash
 - fix ne_get_error() to not "clean" localized error strings
 - fix ne_ssl_clicert_read() to fail for client certs missing cert or key
 - Win32: fix build with VS 2008 (Stefan Kueng)
 - Win32: fix neon.mak to not double-quote $(MAKE) (Henrik Holst)
 - improve strength of Digest cnonces in GnuTLS builds

Changes in release 0.27.2:
* Fix crash in GSSAPI Negotiate response header verification (regression
  since 0.26.x)

Changes in release 0.27.1:
* Fix regression in response progress counter for notifier/progress callbacks
* Fix interface description for ne_set_notifier() callback; sr.total
  is set to -1 not 0 for an indeterminate response length

Changes in release 0.27.0:
* New interfaces:
 - ne_session.h: ne_fill_proxy_uri() retrieves configured proxy,
   ne_hook_post_headers() adds a hook after response headers are read,
   ne_set_connect_timeout() sets session connection timeout,
   NE_SESSFLAG_RFC4918, NE_SESSFLAG_CONNAUTH flags added
 - ne_socket.h: ne_sock_connect_timeout() sets connection timeout,
   ne_iaddr_reverse() performs reverse DNS lookup
 - ne_string.h: ne_buffer_snprintf() prints to a buffer object
 - ne_xml.h: ne_xml_resolve_nspace() resolves namespace prefixes
* Interface changes:
 - ne_set_notifier() replaces ne_set_status(); finer-grained and type-safe
   connection status information now provided; obsoletes ne_set_progress()
 - ne_xml_dispatch_request() now only invokes the XML parser for
   response entities with an XML content-type, following RFC 3023 rules
 - ne_acl_set() now takes a "const" entries array
 - LFS compatibility functions *64 removed: all functions taking an
   off_t now take an ne_off_t which is off64_t for LFS builds
* GnuTLS support now mostly feature-complete with OpenSSL support:
 - greatly improved SSL distinguished name handling with GnuTLS >= 1.7.8
* Other changes:
 - descriptive error messages for authentication failures
 - SSPI support uses canonical DNS server name (Yves Martin)
 - fixes for handling of "stale" parameter in Digest authentication
 - added support for URIs in SSL server certificate subjectAltName field
 - fix compiler warnings with expat 2.x
 - fix handling of "Transfer-Encoding: identity" responses from privoxy

Changes in release 0.26.4:
* Fix Negotiate Authentication-Info response header verification with GSSAPI
* Fix multiple handlers with ne_add_{server,proxy}_auth (Werner Baumann)
* Fix SSPI build with some versions of MinGW (Gisle Vanem)
* Fix for SSPI segfault in response header verification (Mike DiCuccio)
* Fix error strings for CONNECT SSL proxy tunnel request failure
* Fix install-nls for VPATH builds (Hans Meine)
* Fix use of unencrypted client certs with GnuTLS
* Fix ne_lock* If: header insertion to use CRLF-terminated headers
* Fix test suite failures on QNX by working around send() length limit
* Fix handling of POSIX strerror_r failure case in ne_strerror
* Fix alignment issues in test suite MD5 code

Changes in release 0.26.3:
* Fix buffer under-read in URI parser (Laszlo Boszormenyi, CVE-2007-0157)
* Fix regression in handling of "attempt" argument passed to auth callbacks;
  ensure the value only increments for each invocation of the callback
* Fix handling of "nextnonce" parameter in Digest authentication

Changes in release 0.26.2:
* Fix error reported for LOCK responses lacking a Lock-Token header.
* Use Libs.private in neon.pc for newer versions of pkg-config.
* Build fix for platforms without libintl.h.
* Build fixes for MinGW. (Matthias Miller)
* Build fix for h_errno detection on HP-UX 10. (Albert Chin)
* Win32: enable debugging; build fixes with some SDKs. (Kiyo Kelvin Lee)

Changes in release 0.26.1:
* Build fixes for Win32 (D.J. Heap) and OS X.
* Add Simplified Chinese translation (Dongsheng Song).

Changes in release 0.26.0:
* Added internationalization support:
 - ne_i18n.h exposes ne_i18n_init(), a process-global initializer
   which may be required for some applications
 - (partial) message catalogs for cs, de, fr, ja, nn, ru and tr
 - NE_FEATURE_I18N feature code added to indicate support
* Added support for GnuTLS (thanks to Aleix Conchillo Flaque):
 - pass --with-ssl=gnutls to configure; GnuTLS >= 1.0.22 required
 - use --with-ca-bundle to specify a default SSL CA root bundle
 - some remaining issues with PKCS#12 certs in current GnuTLS releases,
   distinguished name handling is sub-standard relative to OpenSSL
* Changes and additions to URI support:
 - ne_uri structure: add query, fragment fields; authinfo renamed
   to userinfo
 - ne_uri_parse() now takes a URI-reference as input rather than
   the previous pseudo-URI syntax; the query and fragment components
   are now parsed out. Many malformed URIs are now rejected
 - ne_uri_unparse() changed to respect the new fields
 - ne_uri_resolve(): new function; resolves relative URI references
 - ne_uri_copy(): new function, copies a URI structure
* Changed results callbacks for ne_lock_discover, PROPFIND interfaces:
 - take URI as parsed ne_uri * structure rather than char *
* Added functions which give control over authentication protocol use:
 - ne_add_server_auth(), ne_add_proxy_auth()
* Added ne_unhook_* functions to remove hooks
* Added ne_set_session_flags()/ne_get_session_flags() functions:
 - flags to disable persistent connection support, enable "ICY"
   protocol support, and to disable SSLv2 protocol support.
 - replaces ne_set_persist()
* Added ne_set_request_flags()/ne_get_request_flags() functions:
 - flags to enable 100-continue support, mark requests as non-idempotent
 - replaces ne_set_request_expect100()
* Change ne_md5.h interface to make struct ne_md5_ctx opaque:
 - added ne_md5_create_ctx(), ne_md5_destroy_ctx(), ne_md5_reset_ctx(),
   ne_md5_finish_ascii(); removed ne_md5_init_ctx()
 - fix alignment issues which could cause crashes in Digest code
* Fixed ne_get_range(), added ne_get_range64() (thanks to Lennart Poettering)
* Removed NE_FREE() macro from ne_alloc.h
* Added ne_strcasecmp(), ne_strncasecmp(), ne_tolower() functions
  to ne_string.h - locale-independent string comparison
* Changed ne_sock_init()/ne_sock_exit() such that ne_sock_exit()
  only has effect once called an equal number of times to _init().
* Added "--enable-threadsafe-ssl=posix" configure flag, to enable
  thread-safe SSL support using POSIX threads in OpenSSL/GnuTLS
 - NE_FEATURE_TS_SSL feature code added to indicate support
* The manual is now licensed under the GPL rather than the GFDL

Changes in release 0.25.5:
* ne_ssl_clicert_decrypt(): catch and fail to load a client cert
  with mismatched key/cert pair.
* Fix build issue on AIX 5.1.
* Fix warnings if built against OpenSSL >= 0.9.8.
* Win32: fix issues in SSPI implementation (Stefan Küng).

Changes in release 0.25.4:
* GSSAPI fixes for non-MIT implementations (Mikhail Teterin).
* Fix ne_print_request_header() et al to use 8K buffer size on all
  platforms (fixes issue with long Destination: URLs on Win32).
* Win32 build fix for !USE_GETADDRINFO configuration.
* Documentation updates.

Changes in release 0.25.3:
* ne_lock() and ne_unlock(): fix cases where NE_ERROR would be returned
  instead of e.g. NE_AUTH on auth failure.
* Prevent use of poll() on Darwin.
* Fix gethostbyname-based resolver on LP64 platforms (Matthew Sanderson).

Changes in release 0.25.2:
* Really fix the Win32 build.

Changes in release 0.25.1:
* ne_get_content_type(): fix cases where the charset field was not set
  to NULL after successful return (Johannes Schneider)
* Compressed response handling fixes:
 - fix double invocation of reader callback with len=0
 - fix cases where the reader callback return value was ignored
* Cache the new SSL session if the old one was expired (Robert Eiglmaier)
* Win32: fix build issues.

Changes in release 0.25.0:
* New interfaces:
 - ne_get_response_header() replaces ne_add_response_header_handler
 - ne_read_response_to_fd() and ne_discard_response() for use with
   ne_begin_request/ne_end_request style response handling
 - ne_xmlreq.h: ne_xml_parse_response() and ne_xml_dispatch_request()
 - ne_has_support() for feature detection, replaces ne_support_ssl()
 - ne_set_addrlist() can be used to bypass normal DNS hostname resolver
 - ne_buffer_czappend(), convenience wrapper for ne_buffer_append.
 - ne_iaddr_typeof() returns type of a socket object
 - ne_get_content_type() replaces ne_content_type_handler()
 - ne_set_request_expect100() replaces ne_set_expect100()
* New interfaces on LFS systems for large file support:
 - ne_set_request_body_fd64() call for using an fd opened using O_LARGEFILE
 - ne_set_request_body_provider64(), takes an off64_t length argument
* Interface changes:
 - ne_set_request_body_fd takes offset and length arguments and returns void
 - ne_set_request_body_provider takes length as off_t rather than size_t;
   provider callbacks now MUST set session error string if returning an error
 - response body reader callback returns an integer and can abort the response
 - ne_decompress_destroy() returns void; errors are caught earlier
 - ne_xml_failed() replaces ne_xml_valid(), with different return value logic
 - ne_xml_parse() can return an error; ne_xml_parse_v() aborts the response if
   the parse either fails or is aborted by a handler returning NE_XML_ABORT
 - ne_path_escape() now escapes all but unreserved characters
 - ne_ssl_clicert_name() and ne_ssl_cert_identity() clarified to return UTF-8
 - ne_ssl_clicert_name() clicert object argument is now const
 - ne_uri_parse()/ne_uri_free() memory handling clarified
 - removed the buffer length requirement for ne_read_response_block()
* Bug fixes:
 - properly handle multiple Authentication challenges per request
 - fixes and improvements to the Negotiate auth implementation
 - handle proxies which send a 401 auth challenge to a CONNECT request
 - XML: handle the UTF-8 BOM even if the underlying parser does not
 - Win32: Fix timezone handling (Jiang Lei)
 - ne_lock_refresh() works and will update timeout of passed-in lock
 - persistent connection timeout handling fixes for CygWin et al
 - impose hard limit of 1024 props per resource in ne_props.h response parsing
* New platform-specific features:
 - Win32: Negotiate/NTLM support using SSPI (Vladimir Berezniker)
 - Win32: Add IPv6 support using ENABLE_IPV6 neon.mak flag (Kai Sommerfeld)
* Removed features:
 - the cookies interface has been removed
 - removed functions: ne_service_lookup(), ne_put_if_unmodified()
 - "qop=auth-int" support removed from Digest auth implementation
* Default XML parser search changed to check for expat before libxml2.

Changes in release 0.24.7:
* Compression interface fixes:
 - fix issues handling content decoding and request retries from
   authentication challenges (Justin Erenkrantz)
 - fix places where reader callback would receive spurious size=0 calls
 - fix to pass user-supplied userdata to user-supplied acceptance callback
* Fix for RFC2617-style digest authentication (Hideaki Takahashi).
* Fix to pick up gethostbyname() on QNX 6.2.

Changes in release 0.24.6:
* SECURITY (CVE CAN-2004-0398): Fix sscanf overflow in ne_rfc1036_parse,
  thanks to Stefan Esser.
* Link libneon against libexpat during Subversion build using bundled neon.
* Win32 build script update (Jon Foster).

Changes in release 0.24.5:
* SECURITY (CVE CAN-2004-0179): Fix format string vulnerabilities in
  XML/207 response handling, reported by greuff@void.at.
* Performance fix: avoid seeding the SSL PRNG if not creating an SSL socket.
* ne_ssl_readable_dname() is now defined to return UTF-8 strings.
* Fix case where gssapi/gssapi_generic.h was included but not present.
* Fix ne_utils.c build on platforms where zlib does "#define const".
* Fix use of ne_proppatch_operation with some C++ compilers.
* Update libtool for fix to --enable-shared on Darwin.
* BeOS: check for gethostbyname in -lbind (David Reid).

Changes in release 0.24.4:
* Ignore unclean SSL closure when response body is delimited by EOF
  ("Could not read response body: Secure connection truncated" errors
  with some buggy SSL servers).
* Fix test/ssl.c syntax errors with C89 compilers (Radu Greab).

Changes in release 0.24.3:
* Respect configure's --datadir argument (Max Bowsher).
* Fix build on Windows when OpenSSL is not used.
* Fix use of SSLv2 (spurious "Server did not present certificate" error).
* When using SSL via a proxy, prevent leaking server auth credentials
  to the proxy, or proxy auth credentials to the server.

Changes in release 0.24.2:
* Fix name resolver with some old versions of glibc.
* Fix problems with configure's "time_t format string" detection.
* Fix problems when a broken Kerberos installation is found.
* When verifying SSL certificates, check iPaddress names in the
  subjectAltName extension.

Changes in release 0.24.1:
* Add support for "GSS-Negotiate" Kerberos authentication scheme (from
  Risko Gergely and Burjan Gabor).
* Disable Nagle to improve performance of small requests (thanks to
  Jim Whitehead and Teng Xu).
* Fix compatibility with OpenSSL 0.9.6 (broken in 0.24.0).
* Fix prototype mismatch in ne_207.c.
* Define ssize_t from ne_request.h for Win32.
* Prevent segfault on zlib initialization failures.
* ne_sock_init does not fail if PRNG could not be seeded.
* Fix segfault in cookies code (Markus Mueller).
* Documentation updates.

Changes in release 0.24.0:
* Major changes to XML interface:
 - have the start-element callback either accept, decline, abort,
   or return a state integer.
 - remove 'struct ne_xml_elm'; callbacks are passed {nspace, name}
   strings along with a state integer.
 - dropped "collect", "strip-leading-whitespace" modes
 - push responsibility for accumulating cdata onto caller; drop 'cdata'
   argument from end-element callback.
 - don't abort if no handler accepts a particular element, just ignore
   that branch of the tree.
 - dropped support for libxml 1.x and expat < 1.95.0.
 - guarantee that start_element callback is not passed attrs=NULL
 - add ne_xml_doc_encoding() to retrieve encoding of parsed XML document.
* Major changes to SSL interface:
 - rewrite of interfaces for handling server and client certificates;
   ne_ssl.h: many new functions available.
 - only PKCS#12-encoded client certs are supported.
 - changes to most names of SSL-related functions operating on an
   ne_session, e.g. ne_ssl_load_cert->ne_ssl_trust_cert.
 - client cert provider callback is passed the set of acceptable CA
   names sent by the server
 - the entire chain of certs presented by server is now accessible
* Remove unused ne_register_progress() from socket layer.
* Changes to resolver interface: ne_addr_first and _next return const;
  ne_addr_print renamed to ne_iaddr_print; ne_iaddr_make and ne_iaddr_free
  have been added.
* ne_request_create() now duplicates the method string passed in.
* ne_redirect_location() will now return NULL in some cases.
* Split socket creation to ne_sock_create() from ne_sock_connect:
 - should report connect() error messages properly on Win32.
* Fix several memory leaks in error handling paths.
* Add a pkg-config file, neon.pc.in.

Changes in release 0.23.9:
* Fix inability to connect on AIX 4.3.
* neon-config exports includes needed for OpenSSL given by pkg-config.
* ne_redirect_location will return NULL if redirect hooks have not
  been registered for the session (Ralf Mattes <rm@fabula.de>).

Changes in release 0.23.8:
* SECURITY: Prevent control characters from being included in the
  reason_phrase field filled in by ne_parse_statusline(), and in
  the session error string.
* Disable getaddrinfo() support on HP-UX; fix resolver for HP-UX 11.11.
* Fix digest auth response verification for >9 responses in session
  (bug manifests as "Server was not authenticated correctly" error).
* On Linux, skip slow lookup for IPv6 addresses when IPv6 support is
  not loaded in kernel (thanks to Daniel Stenberg for this technique).
* Update to autoconf 2.57 and libtool 1.4.3.

Changes in release 0.23.7:
* Fix for handling EINTR during write() call (Sergey N Ushakov).
* When available, use pkg-config to determine compiler flags needed to
  use OpenSSL headers and libraries.

Changes in release 0.23.6:
* Fixes for error handling in socket layer on Win32 from Johan Lindh
  and Sergey N Ushakov <ushakov@int.com.ru>:
 - meaningful error messages rather than "No error"
 - handle persistent connection timeouts properly
* Fix to use RFC2617-style digest auth when possible (had reverted to
  only using RFC2068-style in 0.16.1).
* Fix NULL pointer dereference on certain ill-formed PROPFIND responses.
* Allow ne_sock_init to re-initialize after ne_sock_finish has been called
  (Sergey N Ushakov).

Changes in release 0.23.5:
* Fix rejection of SSL server certificates which had commonName as
  the least specific attribute in the subject name.
* Fix to dereference entities (e.g. "&amp;") in attribute values with libxml.
* Fix ne_socket.c build on HP-UX 10.20 (thanks to Branko Čibej)
* Remove misguided insistence on "secure" versions of zlib/OpenSSL;
  no checks for zlib version are now performed, only OpenSSL 0.9.6 is
  required. --with-force-ssl, --with-force-zlib option removed.
* Add --with-egd[=PATH] option, conditionally enable EGD support; either
  using EGD socket at PATH, or fall back on system defaults. $EGDSOCKET
  and $HOME/.entropy are no longer used.
* Add support for `--la-file' argument to neon-config, which prints the
  full path of the installed libneon.la file.

Changes in release 0.23.4:
* Ignore an unclean SSL shutdown on persistent connection timeout
  (fixing spurious "Secure connection truncated" errors).
* Fix a segfault on second and subsequent requests using a given
  session, when the first fails with NE_LOOKUP.
* Fix configure for gcc installations which produce warnings by default
  (such as gcc on hppa2.0n-hp-hpux11.00 using native as)

Changes in release 0.23.3:
* Further build fixes for Win32 (Blair Zajac).
* Another fix for use of SSL against Tomcat 3.2.

Changes in release 0.23.2:
* Build fix for Win32 (Blair Zajac).

Changes in release 0.23.1:
* Identify as correct version, not 0.22.

Changes in release 0.23.0:
* Improved address resolver (ne_addr_*) replacing ne_name_lookup():
 - use getaddrinfo() if found; include support for IPv6 (based on work
   by Noriaki Takamiya <takamiya@po.ntts.co.jp>)
* For a hostname with multiple addresses, each address is tried in turn
  until a connection is made.
* Support for seeding OpenSSL's PRNG via $EGDSOCKET or $HOME/.entropy,
  to enable SSL on platforms which lack a /dev/random device.
* RFC2818 compliance for certificate identity checks in SSL:
 - use `dNSname' values in subjectAltName extension if present
 - hostname comparison fixed to not be case-sensitive
* Fix interop with buggy SSL implementation in Tomcat 3.2.
* Added NE_DBG_SSL debug channel.
* ne_strerror changed to return the passed-in buffer.
* Added ne_strnzcpy macro to ne_string.h.
* Win32 build fixes, improvements, and documentation updates, from
  Blair Zajac <blair@orcaware.com>.
* Fix ne_sock_init so SIGPIPE signals are ignored even if SSL library
  initialization fails (e.g. platforms without /dev/random).
* Added reference documentation:
 - ne_sock_init, ne_addr_*.

Changes in release 0.22.0:
* Remove the const qualifier from the reason_phrase field in ne_status.
 - ne_parse_statusline() now strdup's the reason_phrase
* Remove the status_line argument from ne_207_end_propstat and _end_response
* Change ne_session_create, ne_session_proxy, ne_sock_connect, and the
  'port' field of the ne_uri structure to use an unsigned int for port numbers
* ne_uri_defaultport returns unsigned and '0' on an unknown port (not -1).
* Changes to hooks interface:
 - pass an ne_request pointer to per-request hooks
 - replace "accessor" hooks with ne_{get,set}_{request,session}_private
* Authentication changes:
 - the hooks changes fix a segfault if auth is enabled for an SSL session
   through a proxy server
 - fix ne_forget_auth segfault if either proxy or server auth are not used
* Improvements to persistent connection retry logic and error handling
  in request code; fixing some cases where some errors were incorrectly
  treated as a persistent connection timeout
 - a TCP RST at the appropriate time is now treated as a persistent
   connection timeout.
 - handle persistent connection timeouts on SSL connections
* Changes to SSL support:
 - improved error handling
 - OpenSSL 0.9.6f or later is required for security fixes and functional
   correctness; 0.9.6 or later required for functional correctness
 - use --with-force-ssl to override OpenSSL version check
 - fix for proxy CONNECT tunnelling with some proxies (e.g. Traffic-Server)
 - fix potential segfault if client cert. provider callback is used
 - fix to use supplied password callback for PEM-encoded client certificates
   (Daniel Berlin <dberlin@dberlin.org>)
* strerror_r is used if available for thread-safe error handling.
* Remove ne_read_file().
* ne_version_match replaces ne_version_minimum (semantics changed slightly).
* XML request bodies use a content-type of "application/xml" now;
  applications can use NE_XML_MEDIA_TYPE from ne_xml.h
* Fix decompress code on big-endian or 64-bit platforms.
* Fix to build on Darwin 6 (aka Mac OS X 10.2) (Wilfredo Sánchez,
  <wsanchez@mit.edu>)
* Win32 changes:
 - remove conflict between OpenSSL's X509_NAME and recent versions of
   the Platform SDK (Branko Čibej)
 - fix inverted debug/non-debug build logic (Branko Čibej)
 - add NODAV and OPENSSL_STATIC flags to neon.mak (Gerald Richter)

Changes in release 0.21.3:
* Fix segfault if using proxy server with SSL session and server
  certificate verification fails.
* Fix leak of proxy hostname once per session (if a proxy is used).
* Add --with-libs configure argument; e.g. --with-libs=/usr/local picks
  up any support libraries in /usr/local/{lib,include}

Changes in release 0.21.2:
* Fix 'make install' for VPATH builds.
* Use $(mandir) for installing man pages (Rodney Dawes).
* Follow some simple (yet illegal) relativeURI redirects.
* Always build ne_compress.obj in Win32 build (Branko Čibej).
* Fix decompression logic bug (Justin Erenkrantz <jerenkrantz@apache.org>)
  (could give a decompress failure for particular responses)
* Fix ne_proppatch() to submit lock tokens for available locks.
* More optimisation of ne_sock_readline.

Changes in release 0.21.1:
* Don't include default SSL port in Host request header, which can
  help interoperability with misbehaving servers (thanks to Rodney Dawes
  <dobey@ximian.com>).
* Don't give a "truncated response" error from ne_decompress_destroy if
  the acceptance function returns non-zero.
* Fix for Win32 build (Sander Striker <striker@apache.org>).
* Fix for cookie name/value being free()d (thanks to Dan Mullen).
* Optimisation of ne_sock_readline.

Changes in release 0.21.0:
* Socket layer implements read buffering; efficiency and performance
  improvement.
  Based on work by Jeff Johnson <jbj@redhat.com>
* Cleanup of socket interface:
 - renamed everything, s/sock_/ne_sock_/, s/SOCK_/NE_SOCK_/
 - removed unused and inappropriate interfaces.
 - renaming done by Olof Oberg <mill@pedgr571.sn.umu.se>
 - see src/ChangeLog for the gory details.
* Fix typoed 'ne_destroy_fn' typedef (Olof Oberg).
* Support OpenSSL/ENGINE branch.
* Bogus ne_utf8_encode/decode functions removed.
* ne_base64() moved to ne_string.[ch].
* ne_token drops 'quotes' parameter; ne_qtoken added.
* ne_buffer_create_sized renamed to ne_buffer_ncreate.
* ne_xml_get_attr takes extra arguments and can resolve namespaces.
* ne_accept_response function type takes const ne_status pointer.
* Drop support for automatically following redirects:
 - ne_redirect_register just takes a session pointer
 - ne_redirect_location returns an ne_uri pointer
* configure changes: --with-ssl and --with-socks no longer take a directory
  argument. To use SOCKS or SSL libraries/headers in non-system locations,
  use ./configure CPPFLAGS=-I/... LDFLAGS=-L/...
* Reference documentation included for most of ne_alloc.h and ne_string.h,
  and parts of ne_session.h and ne_request.h.
 - see installed man pages, HTML documentation.

Changes in release 0.20.0:
* Major changes to DAV lock handling interface (ne_locks.h):
 - struct ne_lock uses a full URI structure to identify locked resource
 - ne_lock() requires that owner/token fields are malloc-allocated (or NULL)
   on entry
 - introduce a "lock store" type, ne_lock_store, to replace the lock session;
   accessor functions all renamed to ne_lockstore_*.
 - ne_lock_iterate replaced with a first/next "cursor"-style interface
 - If: headers use an absoluteURI (RFC2518 compliance fix).
 - fix for handling shared locks on DAV servers which return many active locks
   in the LOCK response (thanks to Keith Wannamaker)
* Moved URI/path manipulation functions under ne_* namespace (ne_uri.h):
 - path handling functions renamed to ne_path_*
 - URI structure handling to ne_uri_*; struct uri becomes ne_uri.
 - ne_uri_parse doesn't take a 'defaults' parameter any more
 - if URI port is unspecified, ne_uri_parse sets port to 0 not -1.
 - added ne_uri_unparse and ne_uri_defaultport functions.
* New 'ne_fill_server_uri' function to initialize a URI structure with
  the server details for a given session (useful with locks interface).
* ne_decompress_{reader,destroy} are defined as passthrough-functions
  if zlib support is not enabled.
* API change: ne_ssl_provide_fn returns void not int.
* Added NE_SSL_FAILMASK for verify failure sanity check.
* Removed return codes NE_SERVERAUTH and NE_AUTHPROXY; correct
  documentation, NE_PROXYAUTH is given for proxy auth failure.
* Require zlib >= 1.1.4 to avoid possible vulnerability in earlier versions.
  See http://www.gzip.org/zlib/advisory-2002-03-11.txt for more details.
  (version check can be skipped by passing --with-force-zlib to configure)
* New 'ne_ssl_readable_dname' function to create a human-readable string
  from an X509 distinguished name.
* Fix support for newer versions of libxml2 (thanks to Jon Trowbridge
  <trow@gnu.org>).
* Fix corruption of reason_phrase in status object returned by
  ne_propset_status.
* More lenient handling of whitespace in response headers.
* ne_content_type_handler will give a charset of "ISO-8859-1" if no charset
  parameter is specified for a text/* media type (as per RFC2616).
* Miscellaneous cleanups and fixes (Jeff Johnson <jbj@redhat.com>).

Changes in release 0.19.4:
* Support bundled build of expat 1.95.x (Branko Čibej).

Changes in release 0.19.3:
* For platforms lacking snprintf or vsnprintf in libc, require trio.
* Add NE_FMT_OFF_T to fix Win32 build (Dan Berlin, Branko Čibej).
* Fix SSL support in Win32 build (Branko Čibej).

Changes in release 0.19.2:
* Fix non-SSL build broken in 0.19.1.
* Working SOCKSv5 support (thanks to Torsten Kalix <torsten.kalix@bredex.de>)

Changes in release 0.19.1:
* Add missing stubs for ne_ssl_* functions for non-SSL build.
* Fix some error messages in new SSL code.

Changes in release 0.19.0:
* Major API change: ne_session_create now takes (scheme, hostname, port)
  arguments: a session is clarified to be "a group of requests to a
  certain server".
 - removal of ne_session_server, ne_set_secure, and ne_set_proxy_decider
 - ne_session_proxy returns void.
 - DNS lookups are delayed until request dispatch time.
* Significant improvements to TLS/SSL support:
 - SSL is enabled if scheme passed to ne_session_create is "https"
 - new interfaces to load CA certs and to load SSL library's bundled CA certs
 - add server cert verification callback. An SSL connection to a server
   with an unknown CA will now fail unless a verification callback is used.
 - enable SSL session caching (performance improvement)
 - support for wildcard server certs where commonName is "*.example.com".
 - thanks to Tommi Komulainen for the contribution of code from mutt's
   IMAP/SSL implementation under the LGPL, from which bits of this were derived.
* Improved SSL client certificate support:
 - far simpler interface, all done at ne_session.h level.
 - supports PKCS#12 and PEM-encoded certificates.
 - optional callback for only providing client when demanded by server.
* Support for TLS upgrade is removed, since it isn't useful.
* If NEON_SSL is defined, API extensions are available to:
 - allow access to the SSL_CTX * to adjust session SSL options
 - retrieve the server certificate (X509 *)
* Decompress fixes:
 - fix potential segfault in ne_decompress_destroy
 - check the CRC of the deflated output (and fail if it doesn't match)
 - fail appropriately on truncated responses, and trailing bytes in response.
* Added ne_set_read_timeout to use configurable timeout on socket reads.
* Malformed response headers will be ignored rather than failing the request.
* ne_set_error takes printf-style vararg.
* Fixes for ne_get_range and improve error handling.
* Functions which append to an ne_buffer do not return a success value,
  but they do use ne_realloc/ne_malloc under the hood now, so an OOM callback
  will be used (with the usual caveats).
* XML interface does not strip leading whitespace from cdata by default,
  the NE_XML_STRIPWS flag is available to restore this feature if required.
* Upgraded to libtool 1.4.2:
 - should fix --enable-shared on Mac OS X 10.1
* Test suite now contains over one hundred tests.

Changes in release 0.18.5:
* Removed old neon.dsp, neon.dsw.
* Update Win32 build to add OpenSSL and zlib support (Branko Čibej).
* Fix ne_compress.c to compile on Win32 (Branko Čibej).

Changes in release 0.18.4:
* Fixes for Content-Type parsing using ne_content_type_handler (Greg Stein)
 - also now parses the charset parameter from header value.
* Removed ne_concat() function, which didn't work and wasn't used.

Changes in release 0.18.3:
* Fix parsing lock timeout from server (Arun Garg).
* Send Timeout headers in LOCK and refresh LOCK requests (Arun Garg).
* Updated neon.mak and config.hw.in for Win32 build (patch from
  Branko Čibej <brane@xbc.nu>).
* Define XML_BYTE_ORDER for bundled expat build in support macro
  NEON_XML_PARSER().

Changes in release 0.18.2:
* Fix --with-neon=PATH in support macros.
* Support DESTDIR in Makefile install targets (patch by
  Pawel Golaszewski <blues@blysk.ds.pg.gda.pl>).
* Portability fixes:
 - fix configure check for time_t on some platforms (e.g. Solaris 2.6).
 - remove expect100_works bitfield in ne_session structure (thanks to
   Yan Periard <yperiard@ems.net>).

Changes in release 0.18.1:
* Minor fix for authentication: "attempt" counter was not reset correctly
  after authentication failed, so subsequent requests would not authenticate
  correctly either.
* API change: ne_session_destroy returns void (there was no error case).
* Portability fixes (non-GCC compilers, 64-bit platforms, UnixWare 7)
* Optimisations in string manipulation routines.
* config.hw is included in the release tarball again.
* Improvements in the autoconf support macros:
 - check for neon-config in PATH if --with-neon is not given
 - stop if --with-neon is used, and the check for external neon fails
 - added NEON_WITHOUT_ACL to prevent build of ne_acl.o

Changes in release 0.18.0:
* API change: authentication callback is passed fixed-size username/password
  buffers, and an 'attempt' counter. Authentication is retried *forever*
  until either it succeeds, or the callback returns non-zero.
* API clarifications:
 - ne_propname may have a NULL nspace field, indicating the property has no
   namespace. This holds for properties returned by the propfind interfaces.
 - added NE_ELM_PROPS_UNUSED as the lowest element number which should
   be used with handlers added to the XML parser returned by
   ne_propfind_get_parser.
* Fixes and cleanups of lock discovery interface.
* Fix for short write handling in ne_get() (thanks to rado <dzusto@yahoo.com>).
* Fix for XML namespace prefix handling where a prefix could be mapped to an
  incorrect URI (e.g.
  in PROPFINDs against mod_dav with >10 namespaces used)
* Add '--support <feature>' option to neon-config; the script exits with
  success if given feature is supported. Known features are ssl, dav, zlib.
* Support for SSL, DAV, zlib is exported by neon.m4 as shell variable
  NEON_SUPPORTS_{SSL,DAV,ZLIB}={yes,no} for bundled and external builds.
* `neon-config --cflags` won't include -I/usr/include for SSL build.
* Fix to call progress callbacks while sending request bodies again.
* Test changes:
 - portability fixes, auth interface and progress tests.

Changes in release 0.17.2:
* Accept Status-Lines with no reason phrase (Jeremy Elson).
* Fix handling of persistent connection timeout, and better error
  handling if sending a request fails.
* Fix crashes in locking code.
* Return parse error on XML namespace prefix declaration with
  an empty value. Thanks to Julian Reschke.
* Allow passing property names with NULL namespace to ne_proppatch.
* Fix for cross-compilation (Mo DeJong).
* Moved ne_propname definition from ne_207.h to ne_props.h.
* Test changes:
 - updated for Status-Line parsing changes (Jeremy Elson)
 - better persistent connection tests
 - fixed for --disable-webdav build

Changes in release 0.17.1:
* Add support for ACL method (Arun Garg <arung@pspl.co.in>),
  see ne_acl.h.
* Fixes and clean up of libraries exported via `neon-config --libs'
* Fix timezone handling when parsing dates (on some platforms).
* Upgrade to autoconf 2.52 and libtool 1.4 (thanks to Mo DeJong).
* Cleanup/simplification of request dispatching:
 - better handling of error cases, including fix for a possible
   infinite loop when the server closes the connection prematurely.
* Add '--without-zlib' configure option.
* Test changes:
 - prettify output; imitate Perl test suite output.
 - add tests for interim 1xx responses, persistent connections, more
   unbounded operations.

Changes in release 0.17.0:
* Add support for decoding gzip Content-Encoding: see ne_compress.h.
 - built if zlib is found; `neon-config --cflags' will define NEON_ZLIB if so.
* Rewrite hooks interface to register individual callbacks.
 - inspired by the Apache 2.0/APR hooks interface
* Register cookies hooks using ne_cookie_register().
* Clean up configure scripts to enable use of autoconf 2.5x (Mo DeJong).
* Use new endianness configure macro to allow cross-compiling (Mo DeJong).
* Fix invalid C code in sock_init() in Win32 build (Mo DeJong).
* Fix use of signal() on Win32 (Mo DeJong).
* Workaround libxml 1.x string handling not being UTF-8.
* Test changes:
 - add tests for decompression interface.

Changes in release 0.16.1:
* Also handle write errors in ne_get_range.
* Dump request body blocks in debugging mode.
* Fix ne_shave() causing memory corruption when the result should
  have been the empty string.
* Refactor auth header parsing code; more efficient now.
 - fixes digest auth RFC2617-style broken in 0.16.0

Changes in release 0.16.0:
* API change: ne_copy takes a depth parameter (thanks to Arun Garg, Medha Atre)
* API change: validate callback to ne_xml also takes a userdata arg.
* Added 'ne_lock_refresh' for performing lock refresh (Arun Garg).
* Add SSL support to Win32 build (Peter Boos <PediB@colorfullife.com>)
  (see INSTALL.win32 for details). Compile with USE_DAV_LOCKS also.
* Remove Server header parser for 100-continue support in ne_options.
  (and remove broken_expect100 from ne_server_capabilities).
* Set SIGPIPE disposition to "ignored" in sock_init().
* On platforms with setvbuf(), turn off buffering for the debug log
  stream.
* Ignore repeated calls to sock_init().
* Fixes to error handling in ne_get_range.
* Minor improvements to memory handling in auth code.
* Fix for start_propstat callback being called with NULL response
  argument when given invalid XML, causing a segfault in propfind code.
* Test changes:
 - add regression test for the propfind segfault.
 - handle segfaults better (reap the child, flush the debug log).

Changes in release 0.15.3:
* Fix --with-expat=DIR build.

Changes in release 0.15.2:
* Fix Win32 for XML parser changes (Gerald Richter).
* Substitute versions into config.hw at distribution time.
* Add date parser for ISO8601-formatted dates as defined by RFC2518, e.g.
  the creationdate property (Taisuke Yamada <tai@iij.ad.jp>).
* Fix Y2K bug in RFC1036 date parsing algorithm.
* Test changes:
 - add tests for date parsing functions.

Changes in release 0.15.1:
* Win32 update from Gerald Richter <richter@ecos.de>
 - new files neon.mak, INSTALL.win32
* Fix for ne_socket.h includes (Mo DeJong).
* More improvements for XML parser selection logic:
 - if parser is required, be sure to fail configure if none is found.
 - added --with-included-expat for bundled expat logic.
* Rename --enable-debugging to --enable-debug (Mo DeJong).
 - added NEON_DEBUG macro to exported autoconf macros.
* Call progress callbacks for request bodies.
* Test changes:
 - check that reading response headers is a bounded operation.
 - use a pipe between child and parent to avoid race condition and
   tedious sleep().

Changes in release 0.15.0:
* Major API renaming to use ne_/NE_ namespace:
 - http_ to ne_, HTTP_ to NE_, dav_ to ne_, DAV_ to NE_, neon_ to ne_
 - hip_xml_ to ne_xml_, HIP_ELM_ to NE_ELM_, HIP_XML_ -> NE_XML_
 - sbuffer_ to ne_buffer_
 - DEBUG() to NE_DEBUG(), DEBUG_ to NE_DBG_
* Type renames:
 - http_req to ne_request
 - sbuffer to 'ne_buffer *'
* Note, 'ne_buffer' is not an implicit pointer type, you must
  specify the '*' now, e.g. 'ne_buffer *buf = ne_buffer_create();'.
* ne_buffer is no longer opaque.
 - ne_buffer_data() removed: use buf->data instead.
 - ne_buffer_size() is a macro.
* Header renames and additions:
 - http_request.h -> ne_request.h
 - Session code split into ne_session.h
 - hip_xml.h -> ne_xml.h, nsocket.h -> ne_socket.h, http_utils.h -> ne_utils.h
 - neon_md5.h -> ne_md5.h, dav_207.h -> ne_207.h
 - http_basic.h and dav_basic.h merged into ne_basic.h
* New functions:
 - ne_token and ne_shave, to obsolete split_string, shave_string.
* Removed: ne_get_request_headers().
* autoconf changes:
 - disable building shared neon library by default.
 - option --enable-libxml is replaced by --with-libxml1 and
   --with-libxml2 to force use of a particular parser.
* Fix auth code to only take MD5 digests of response body blocks when
  necessary (thanks to Kai Sommerfeld).
* Fix alignment bug in MD5 code which could cause SIGBUS on Sparc
  architectures (Kai Sommerfeld).
* Rewrite of request body handling:
 - ne_set_request_body_fd replaces _stream, using an int fd rather than
   a FILE *.
 - added ne_set_request_body_provider to give a callback which is called
   to provide request body blocks.
 - removal of 'use_body' hook in favour of 'ne_pull_request_body' function
   to allow hooks to manually read the request body.
 - ne_{put,get,post,put_if_unmodified} all take an integer fd rather than a
   FILE * stream.
* Test changes:
 - added framework for testing "over the wire" (fork a server process)
 - added tests for response message length handling, chunked responses,
   header folding, sending request bodies.
 - start at listing RFC2616 requirements and whether they are met
   or not in test/STATUS.
 - test for MD5 alignment bug on Sparc (thanks to Kai Sommerfeld).

Changes in release 0.14.0:
* Add C++ inclusion safety to http_auth.h (Kai Sommerfeld).
* Define ssize_t on Win32.
  (Kai Sommerfeld).
* Add C++ inclusion safety to dav_locks.h and ne_alloc.h (thanks to
  Gregor Bornemann <Gregor.Bornemann@germany.sun.com>).
* Significant API change to properties code, to allow use of allprop
  and complex properties:
 - dav_propfind_set_complex and _set_flat are removed.
 - add parameter to dav_propfind_named to take the list of property names
   to be fetched.
 - new function dav_propfind_set_private to set private callback.
 - all properties not handled by caller are stored as flat properties.
* Untested: add basic SOCKSv5 support: configure --with-socks.
 - please report success/failure to neon@webdav.org
* Win32/MSVC build files from Magnus Sirwiö <sirwio@hotmail.com>.
* Fix for expat detection from Shane Mayer <shanemayer42@yahoo.com>.
* Namespace-protect md5 code and more.
 - md5_* -> ne_md5_*
 - ascii_to_md5 -> ne_ascii_to_md5 (and moved to neon_md5.h)
* Parse authinfo segment in URIs (Johan Lindh <johan@link-Data.com>).
 - added 'authinfo' field to struct uri.
* New API: hip_xml_get_attr to retrieve attributes.
* Store language for properties, access with dav_propset_lang.
 - only if property is defined on the property element itself.
* Started a simple test suite (test/*).
 - includes some simple HTTP server tests.
* Remove "Content-Length: 0" header for request with no body, fixing
  interop with Squid 2.3-STABLE1 (thanks to Kai Sommerfeld).
* http_parse_statusline skips leading whitespace. (Johan Lindh).
* Partial fix for timezone/date parsing problems.

Changes in release 0.13.0:
* Fix ne_strndup allocating one byte less than it should (Kai Sommerfeld)
 - if you use uri_parse, this bug may have caused subtle memory corruption
   in your application.
* Revert API changes in 0.12: property values are not UTF-8 encoded/decoded
  internally.
  (thanks to Greg Stein)
* Add another optional argument to NEON_BUNDLED macros, actions to
  be run if bundled build is *not* selected.
* API change: added argument to http_add_hooks to register cleanup function
  for the cookie.
* Removed dav_lock_unregister in favour of automatic cleanup when session
  is destroyed.
* Fixed leaks in redirect code (Kai Sommerfeld).
* Fixed crashes in hip_xml_destroy (Kai Sommerfeld).
* Redirects to a different hostname/port/scheme are never followed: the request
  will fail with HTTP_REDIRECT instead. Redirect notification callback is
  only called for *followed* redirects.
  New API: http_redirect_location() for retrieving location of last redirect.
* Authentication is now implemented as a hook, independently of http_request.c:
 - API change: removed 'hostname' argument from auth callbacks.
 - API change: you must now include http_auth.h from your application.
 - Also fixes case of using server and proxy authentication simultaneously
* Added 'http_forget_auth' to clear authentication session.
* New API: http_session_hook_private for retrieving private per-session cookie
  for hooks.
* API change: http_set_request_body_stream has a return error value.
* API change: http_set_request_body_buffer now takes the buffer length too.
* New API: caller-pulls interface for reading response body:
  http_begin_request, http_end_request, http_read_response_block.
  An alternative to using the (much simpler) http_request_dispatch.
* Make --disable-webdav build work.
* New API: dav_propnames for retrieving property names.
* New API: dav_propfind_get_request to access request object of handler.
* API change: progress and connection status callbacks implemented at
  http_request.h level. Socket-level status callbacks removed, progress
  callbacks made per-socket.
* Supports new expat (Sam TH <sam@uchicago.edu>)
* Supports libxml2 (in preference to libxml1).
* API change: added namespace protection to base64 and dates functions:
  all have ne_ prefix now.
* Fixed ranged GETs where a specific range is requested (Johan Lindh
  <johan@linkdata.se>).
* Limit number of response header fields to 100.
* Allow requests for the '*' URI even if a proxy server is in use.
* libxml: Get useful error messages for parse errors.

Changes in release 0.12.0:
* Portability fixes to http_request.c and http_auth.c.
 - fixes digest auth on big-endian architectures.
* Fix warnings from stray tokens after #endif's in uri.h and string_utils.h.
* Add C++ inclusion safety to http_redirect.h (Kai Sommerfeld
  <kai.sommerfeld@germany.sun.com>).
* Make redirects to a different host work (Kai Sommerfeld).
* Fix reading response bodies when non-chunked and no Content-Length
  (Kai Sommerfeld).
* API change: 'http_add_hooks' takes a 'const' request object.
* Fixed memory leaks in session hooks (thanks to Kai Sommerfeld).
* Fix passing NULL props argument to dav_simple_propfind, to support
  allprop requests.
**** MAJOR INTERFACE CHANGE ****
 - URIs passed to http_request_create() are NOT escaped by neon. You
   MUST do this yourself to remain HTTP compliant, using e.g.
   uri_abspath_escape. (Kai Sommerfeld)
* Added --disable-webdav flag to configure, to disable DAV support in
  the library. This allows building neon without an XML parser.
* Corresponding NEON_WITHOUT_WEBDAV macro for use in bundled builds.
* Fix Makefile dependencies.
* A bundled neon directory builds or doesn't build automatically
  (i.e. you recurse into it unconditionally).
* API clarification:
 - dav_propset_status may return NULL if the server does not return
   a response for the given property (issue is open for debate).
* API change up for debate:
 - Property values to dav_proppatch are UTF-8 encoded internally.
 - Property values in dav_propfind_* are UTF-8 decoded internally.
* API additions: ne_realloc, ne_utf8_encode.

Changes in release 0.11.0:
* Added SSL client certificate support with 'sock_set_client_cert'.
 - Supports certs in PEM-encoded files.
 - Specify a callback for prompting the user for the password with
   sock_set_key_prompt.
* Added 'ne_oom_callback', to register a callback which is used if
  malloc() returns NULL. (Mike Rosellini <m@icopyright.com>)
* Register appropriate callback with libxml to handle <![CDATA blocks
  as normal character data (fixes PROPFINDs against sharemation.com).
* Added 'NEON_REQUIRE' macro to declare that you require a neon library
  of a given minimum version, e.g. NEON_REQUIRE(0,10) means "I need
  neon 0.11 or later". The _BUNDLED macros will fall back on the bundled
  copy if an external library is found which is not of a new enough version.
* Added neon_version_minimum() function call for run-time version detection.
* neon_config.h has been removed.
* Use closesocket() to close sockets on Win32 (Markus Fleck <fleck@isoc.de>).

Changes in release 0.10.1:
* Default expect-100 to OFF.

Changes in release 0.10.0:
* hip_xml API changes:
 - The search for a handler for a new child element begins at the
   handler of the parent element, and carries on up the stack.
   (previously, it always started from the base of the stack)
 - Documentation written: doc/parsing-xml.txt
* Remove memory leaks and tidy debugging output in new properties code.
* API changes to DAV locking interface:
 - New function: dav_lock_copy to copy a lock object.
 - Re-ordered arguments to callback of dav_lock_discover, and made the
   lock object passed back const.
 - Fix leaks and crashes due to vague interface definitions.
* API change to dav_propfind_set_complex: use a callback to return the
  'private' structure.
* NEON_NORMAL_BUILD and NEON_LIBTOOL_BUILD macros defined for setting
  up neon's Makefile in a bundled build: see macros/neon.m4.
* NEON_VPATH_BUNDLED macro added which takes separate srcdir and
  builddir arguments for supporting VPATH builds (thanks to Peter Moulder
  <pjm@bofh.asn.au>).
* Added optional final argument to NEON_(VPATH_)BUNDLED, which gives
  a set of actions to be run if the bundled build is chosen.
* NEON_SSL checks for OpenSSL in /usr too.
* API change: when using http_session_decide_proxy, it MUST be called
  before using http_session_server to prevent the DNS lookup on the origin
  server being optimised out. The real scheme in use is passed to the
  callback now.
* New function, dav_207_ignore_unknown, to ignore any unknown XML fragments
  in the 207 response. Used by properties layer.

Changes in release 0.9.2:
* Fix using both dav_propfind_set_complex and dav_propfind_set_flat with the
  same propfind_handler.

Changes in release 0.9.1:
* dav_propfind interface
 - Guarantee that the 'private' structure will be initialized to zero on
   creation.
 - Make it the *caller's* responsibility to free() the private structure.
* Fix a few arguments/variables which mirrored globally declared symbols.

Changes in release 0.9.0:
* Removed old dav_propfind_* interface, replaced with a better, more
  powerful, and easier to use interface:
 - 'dav_simple_propfind' interface for just fetching "flat" (byte-string)
   properties.
 - 'dav_propfind_*' interface for fetching flat and/or "complex" (structured
   XML) properties.
 - Lets you retrieve the 'status' information, to see what happened if
   fetching the property failed (e.g. 404 Not Found).
* Fixes to doc/using-neon.txt (thanks to Greg Stein).
* Allow building when srcdir != builddir (Mo DeJong <mdejong@cygnus.com>)

Changes in release 0.8.1:
* Fix segfault in PROPFIND code.

Changes in release 0.8.0:
* Fix for using COPY/MOVE over SSL (thanks to David Sloat).
* Fix for using a proxy server and SSL.
* Added 'http_get_scheme' API call.
* Added 'http_redirect.h' to list of installed headers (thanks to everyone ;).
* Changes for building on Windows (Peter Boos <PediB@colorfullife.com>)
* Fixes for building on BeOS (Sam TH <sam@uchicago.edu> and David Reid
  <dreid@jetnet.co.uk>).
* Add buffering to socket code for pre-BONE BeOS systems (David Reid).
* Interface changes for hip_xml:
 - Renamed hip_xml_add_(mixed_)handler to hip_xml_push_(mixed_)handler
 - Documentation updates.
 - Added HIP_ELM_UNUSED for lowest element id which should be used.
*** MAJOR INTERFACE CHANGE ***
 - Removed 'http_status *' pointer from http_request_dispatch.
 - Added http_get_status(req) to retrieve the response-status information
   instead. You don't have to declare an http_status object yourself now.
* Similarly, added DAV_ELM_207_UNUSED for lowest element id which should
  be used by users of dav_207_* code (incl. use of dav_propfind_*
  code).
* New NEON_* autoconf macro interface:
 - Use NEON_BUNDLED if sources are bundled, otherwise NEON_LIBRARY.
 - The NEON_XML_PARSER macro is NOT called automatically. You must
   call this yourself if using NEON_BUNDLED; see doc/using-neon.txt
   for details.
* Fix use of 'socket' in nsocket.h function prototypes (Greg Stein).
* Remove extra backslash at line 69 of src/Makefile.incl (Dirk Bergstrom).
* Examples directory is now a separate package.

Changes in release 0.7.7:
* Another fix for linking against a libtool-built expat (Greg Stein).

Changes in release 0.7.6:
* Better check for closed SSL connection after doing SSL_peek.
  (thanks to Jeff Costlow <j.costlow@f5.com>).
* Attempt at correct sock_block() implementation for SSL.
* sock_peek() will return SOCK_CLOSED correctly.

Changes in release 0.7.5:
* Fixed workaround for linking against a libtool-built expat (Greg Stein).

Changes in release 0.7.4:
* Fix for fd leak on connect failure (David Sloat <d.sloat@f5.com>).
* Fix for Digest auth against IIS5 (David Sloat).
* Workaround for linking against a libtool-built libexpat.la (Greg Stein).

Changes in release 0.7.3:
* Check for -lsocket and -linet in configure.
* Workaround for SSL problems.

Changes in release 0.7.2:
* Define SHELL in Makefile (thanks to Eric Mumpower <nocturne@arepa.com>).
* Added 'all' target to Makefile (Greg Stein <gstein@lyra.org>)
* Added '--with-expat' argument to configure (Greg Stein)
* Added 'dav_propfind_destroy' function.

Changes in release 0.7.1:
* Don't register response body/header authentication callbacks if no
  credentials-supplying callback has been registered (speed optimisation).

Changes in release 0.7.0:
* Deprecated use of 'NULL' to http_add_response_header_handler.
  New interface, http_add_response_header_catcher, to register
  a callback which is passed ALL response headers regardless of name.
* Speed optimisation (~10%?): storing response-header handlers in a
  hash table for faster look.
* New SBUFFER_CAST() macro for getting to the 'char *' of an sbuffer
  as fast as possible.

Changes in release 0.6.1:
* Fix for retrying request if connection is closed by server.
* Make redirect hook work for >1 request per session.

Changes in release 0.6.0:
* New interface to allow following HTTP redirects (301/302 responses).
  A callback must be given to get user confirmation if the request method
  is not GET, HEAD, or PROPFIND.
* New interface to determine whether the proxy server should be used
  for a given request: http_session_decide_proxy.
* Fix nget build again. Support automatic redirects in 'nget'.
* Add --with-extra-includes and --with-extra-libs configure parameters
  to point configure at

Changes in release 0.5.1:
* Prevent segfault if USE_DAV_LOCKS is defined, and a locking session
  is not registered (thanks to David Sloat).

Changes in release 0.5.0:
* Rename xmalloc, xstrdup etc to ne_malloc, ne_strdup etc.
* Some speed optimisation in response-header reading.
* Use 'off_t' rather than 'size_t' in sock_progress callback,
  sock_readfile_blocked, and sock_transfer.

Changes in release 0.4.2:
* Fix for sending request bodies after getting 100-continue response.

Changes in release 0.4.1:
* Fix nget build.

Changes in release 0.4.0:
* Install library headers into .../include/neon not .../include/libneon
* Install all necessary library headers.
* Compile support for WebDAV locking throughout the library
* Rename md5.h to neon_md5.h (avoids conflict with md5.h in OpenSSL)
* Rename socket.h to nsocket.h (avoids possible conflict with C library)
* Update licensing notice on macros/neon*.m4: note that these files are
  NOT under the LGPL, and can be used in other packages regardless of
  the license the package uses.
* Update NEON_LIBRARY m4 function to allow optional specification of
  names of bundled neon/expat source directories.
* Increase socket read timeout to 60 seconds.
* Added a POST method: from Sander Alberink <sander.alberink@cmg.nl>.
* Added 'http_get_request_headers' to return the sbuffer containing
  all request headers.
* Allow passing NULL as name to http_add_response_header_handler:
  the handler callback is passed the entire header string, of ALL
  response headers.

Changes in release 0.3.1:
* Compile fix for dav_locks.c (thanks to Paul D'Anna)

Changes in release 0.3.0:
* Rewrite of socket handling layer. All sock_* functions changed.
* Added basic SSL support: --with-ssl (requires OpenSSL).
  NOTE: Certificates are NOT presented for verification.
* 'nget' accepts URLs using the 'https' scheme.
* New example program, 'nserver', to display the Server: string,
  e.g. 'nserver https://www.eu.c2.net/'
* Fixed request re-send when persistent connection times out.
* "Hooks" support: allow external hooks into the HTTP request/
  response dispatch loop.
* New printf-style interface for adding request headers.
* Make symbols used in header files C++-safe (Tom Bednarz).
* WebDAV locking support: lock discovery, LOCK (exclusive/shared)
  UNLOCK. "If:" headers are sent as appropriate. Simple interface
  for implementors of new methods to indicate which locks are
  required for the method.
* Primitive HTTP cookies support.
* Primitive hack at a GNOME-based GUI example program "nbrowse".
  Enable build with --enable-gnome-examples. It crashes, and
  not much else. Requires GNOME and POSIX threads. Example usage:
  'nbrowse dav.ics.uci.edu /msdav/'
  Many thanks to Lee Mallabone for Gtk help, and showing how to
  use Gtk and threads.

Changes in release 0.2.0:
* Use libtool: new configure options to select whether to build
  shared and/or static libraries. Should build shared libraries
  portably now.
* Complete rewrite of the hip_xml interface to use opaque pointers.
  New functions: hip_xml_create, hip_xml_destroy: create parser.
  hip_xml_{set,get}_error: Access to error string.
  hip_xml_add_handler: Register callbacks for a set of elements.
  hip_xml_valid: Returns whether the parse was valid or not.
  Removed functions: hip_xml_init, hip_xml_finish.
* Removed functions made redundant by above changes in dav_207.
* Don't include config.h in header files
* Fix PROPFIND allprop request body (Michael Sobolev)
* Added C++ safety macros around header files.
* Added neon-config script for getting correct CFLAGS and LIBS
  values for using libneon in applications.

Changes in release 0.1.1:
* Fix for short writes in GET

Changes in release 0.1.0:
* Initial release.