GnuTLS NEWS -- History of user-visible changes. -*- outline -*- Copyright (C) 2000-2016 Free Software Foundation, Inc. Copyright (C) 2013-2016 Nikos Mavrogiannopoulos See the end for copying conditions. * Version 3.4.17 (released 2016-12-8) ** libgnutls: Introduced time and constraints checks in the end certificate in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct() functions. ** libgnutls: Set limits on the maximum number of alerts handled. That is, applications using gnutls could be tricked into an busy loop if the peer sends continuously alert messages. Applications which set a maximum handshake time (via gnutls_handshake_set_timeout) will eventually recover but others may remain in a busy loops indefinitely. This is related but not identical to CVE-2016-8610, due to the difference in alert handling of the libraries (gnutls delegates that handling to applications). ** libgnutls: Enhanced the PKCS#7 parser to allow decoding old (pre-rfc5652) structures with arbitrary encapsulated content. ** libgnutls: Backported cipher priorities order from 3.5.x branch. That adds CHACHA20-POLY1305 ciphersuite to SECURE priority strings. ** certtool: When exporting a CRQ in DER format ensure no text data are intermixed. Patch by Dmitry Eremin-Solenikov. ** API and ABI modifications: gnutls_pkcs7_get_embedded_data_oid: Added * Version 3.4.16 (released 2016-10-09) ** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key() failures due to key mismatch. This prevents leaks or double freeing on such failures. ** libgnutls: Increased the maximum size of the handshake message hash. This will allow the library to cope better with larger packets, as the ones offered by current TLS 1.3 drafts. ** libgnutls: Allow to use client certificates despite them containing disallowed algorithms for a session. That allows for example a client to use DSA-SHA1 due to his old DSA certificate, without requiring him to enable DSA-SHA1 (and thus make it acceptable for the server's certificate). ** guile: Backported all improvements from 3.5.x branch. ** guile: Update code to the I/O port API of Guile >= 2.1.4 This makes sure the GnuTLS bindings will work with the forthcoming 2.2 stable series of Guile, of which 2.1 is a preview. ** API and ABI modifications: No changes since last version. * Version 3.4.15 (released 2016-09-08) ** libgnutls: Corrected the comparison of the serial size in OCSP response. Previously the OCSP certificate check wouldn't verify the serial length and could succeed in cases it shouldn't (GNUTLS-SA-2016-3). Reported by Stefan Buehler. ** libgnutls: Fixes in gnutls_x509_crt_list_import2, which was ignoring flags if all certificates in the list fit within the initially allocated memory. ** libgnutls: Corrected issue which made gnutls_certificate_get_x509_crt() to return invalid pointers when returned more than a single certificate. Report and fix by Stefan Sørensen. ** libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the complete chain. Report and fix by Stefan Sørensen. ** libgnutls: Added support for decrypting PKCS#8 files which use the HMAC-SHA256 as PRF. ** libgnutls: Addressed issue with PKCS#11 signature generation on ECDSA keys. The signature is now written as unsigned integers into the DSASignatureValue structure. Previously signed integers could be written depending on what the underlying module would produce. Addresses #122. ** API and ABI modifications: No changes since last version. * Version 3.4.14 (released 2016-07-06) ** libgnutls: Address issue when utilizing the p11-kit trust store for certificate verification (GNUTLS-SA-2016-2). ** libgnutls: Fixed DTLS handshake packet reconstruction. Reported by Guillaume Roguez. ** libgnutls: Fixed issues with PKCS#11 reading of sensitive objects from SafeNet Network HSM. Reported by Anthony Alba. ** libgnutls: Corrected the writing of PKCS#11 CKA_SERIAL_NUMBER. Report and fix by Stanislav Židek. ** API and ABI modifications: No changes since last version. * Version 3.4.13 (released 2016-06-06) ** libgnutls: Consider the SSLKEYLOGFILE environment to be compatible with NSS instead of using a separate variable; in addition append any keys to the file instead of overwriting it. ** libgnutls: use secure_getenv() where available to obtain environment variables. Addresses GNUTLS-SA-2016-1. ** API and ABI modifications: No changes since last version. * Version 3.4.12 (released 2016-05-20) ** libgnutls: The CHACHA20-POLY1305 ciphersuite is enabled by default. This cipher is prioritized after AES-GCM. ** libgnutls: Fixes in gnutls_privkey_import_ecc_raw(). ** libgnutls: Fixed gnutls_pkcs11_get_raw_issuer() usage with the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag. Previously that operation could fail on certain PKCS#11 modules. ** libgnutls: gnutls_pkcs11_obj_import_url() and gnutls_x509_crt_import_url() can accept the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag. ** libgnutls: gnutls_certificate_set_key() was enhanced to import the DNS name of the certificates if the provided names are NULL. ** libgnutls: when receiving SNI names, only save and expose to application the supported DNS names. ** libgnutls: when importing the certificate names at the gnutls_certificate_set* functions, only consider the CN as a fallback if DNS names are provided via the alternative name extension. ** gnutls-cli: on OCSP verification do not fail if we have a single valid reply. Report and reproducer by Thomas Klute. ** libgnutls: The GNUTLS_KEYLOGFILE environment variable can be used to log session keys in client side. These session keys are compatible with the NSS Key Log Format and can be used to decrypt the session for debugging using wireshark. ** API and ABI modifications: No changes since last version. * Version 3.4.11 (released 2016-04-11) ** libgnutls: Fixes in gnutls_record_get/set_state() with DTLS. Reported by Fridolin Pokorny. ** libgnutls: Fixes in DSA key generation under PKCS #11. Report and patches by Jan Vcelak. ** libgnutls: Corrected behavior of ALPN extension parsing during session resumption. Report and patches by Yuriy M. Kaminskiy. ** libgnutls: Corrected regression (since 3.4.0) in gnutls_server_name_set() which caused it not to accept non-null-terminated hostnames. Reported by Tim Ruehsen. ** libgnutls: Corrected printing of the IP Adress name constraints. ** ocsptool: use HTTP/1.0 for requests. This avoids issue with servers serving chunk encoding which ocsptool doesn't support. Reported by Thomas Klute. ** certtool: do not require a CA for OCSP signing tag. This follows the recommendations in RFC6960 in 4.2.2.2 which allow a CA to delegate OCSP signing to another certificate without requiring it to be a CA. Reported by Thomas Klute. ** API and ABI modifications: No changes since last version. * Version 3.4.10 (released 2016-03-03) ** libgnutls: Eliminated issues preventing buffers more than 2^32 bytes to be used with hashing functions. ** libgnutls: Corrected leaks and other issues in gnutls_x509_crt_list_import(). ** libgnutls: Fixes in DSA key handling for PKCS #11. Report and patches by Jan Vcelak. ** libgnutls: Several fixes to prevent relying on undefined behavior of C (found with libubsan). ** API and ABI modifications: No changes since last version. * Version 3.4.9 (released 2016-02-03) ** libgnutls: Corrected ALPN protocol negotiation. Before GnuTLS would negotiate the last commonly supported protocol, rather than the first. Reported by Remi Denis-Courmont (#63). ** libgnutls: Tolerate empty DN fields in informational output functions. ** libgnutls: Corrected regression causes by incorrect fix in gnutls_x509_ext_export_key_usage() at 3.4.8 release. ** API and ABI modifications: No changes since last version. * Version 3.4.8 (released 2016-01-08) ** libgnutls: Corrected memory leak in gnutls_pubkey_import_privkey() when used with PKCS #11 keys. ** libgnutls: For DSA and ECDSA keys in PKCS #11 objects, import their public keys from either a public key object or a certificate. That is, because private keys do not contain all the required parameters for a direct import. Reported by Jan Vcelak. ** libgnutls: Fixed issue when writing ECDSA private keys in PKCS #11 tokens. ** libgnutls: Fixed out-of-bounds read in gnutls_x509_ext_export_key_usage(), report and patch by Tim Kosse. ** libgnutls: The CHACHA20-POLY1305 ciphersuites were updated to conform to draft-ietf-tls-chacha20-poly1305-02. ** libgnutls: Several fixes in PKCS #7 signing which improve compatibility with the MacOSX tools. Reported by sskaje (#59). ** libgnutls: The max-record extension not negotiated on DTLS. This resolves issue with the max-record being negotiated but ignored. ** certtool: Added the --p7-include-cert and --p7-show-data options. ** API and ABI modifications: gnutls_pkcs7_get_embedded_data: Added * Version 3.4.7 (released 2015-11-22) ** libgnutls: Properly require TLS 1.2 in all CBC-SHA256 and CBC-SHA384 ciphersuites. This solves an interoperability issue with openssl. Reported by Viktor Dukhovni. ** libgnutls: Corrected the setting of salt size in gnutls_pkcs12_mac_info(). ** libgnutls: On a rehandshake allow switching from anonymous to ECDHE and DHE ciphersuites. ** libgnutls: Corrected regression from 3.3.x which prevented ARCFOUR128 from using arbitrary key sizes. Reported by Andreas Schneider. ** libgnutls: Added GNUTLS_SKIP_GLOBAL_INIT macro to allow programs skipping the implicit global initialization. ** gnutls.pc: Don't include libtool specific options to link flags. Reported by Dan Kegel. ** tools: Better support for FTP AUTH TLS negotiation ** API and ABI modifications: gnutls_x509_crt_set_issuer_unique_id: Added gnutls_x509_crt_set_subject_unique_id: Added gnutls_certificate_set_flags: Added GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: Added * Version 3.4.6 (released 2015-10-20) ** libgnutls: Added new simple verification functions. That avoids the need to install a callback to perform certificate verification. See doc/examples/ex-client-x509.c for usage. ** libgnutls: Introduced the security parameter 'future' which is at the 256-bit level of security, and 'ultra' was aligned to its documented size at 192-bits. ** libgnutls: When writing a certificate into a PKCS #11 token, ensure that CKA_SERIAL_NUMBER and CKA_ISSUER are written. Reported by Sumit Bose. ** libgnutls: Allow the presence of legacy ciphers and key exchanges in priority strings and consider them a no-op. ** libgnutls: Handle the extended master secret as a mandatory extension. That fixes incompatibility issues with Chromium (#45). Reported by Hubert Kario. ** libgnutls: Added the ability to copy a public key into a PKCS #11 token. ** tools: Added support for LDAP and XMPP negotiation for STARTTLS. ** p11tool: Allow writing a public key into a PKCS #11 token. ** certtool: Key generation security level was switched to HIGH. That is, by default the tool generates 3072 bit keys for RSA and DSA. ** API and ABI modifications: gnutls_session_set_verify_function: Added gnutls_session_set_verify_cert: Added gnutls_session_set_verify_cert2: Added gnutls_session_get_verify_cert_status: Added gnutls_pkcs11_copy_pubkey: Added * Version 3.4.5 (released 2015-09-12) ** libgnutls: When re-importing CRLs to a trust list ensure that there no duplicate entries. ** certtool: Removed any arbitrary limits imposed on input file sizes and maximum number of certificates imported. ** certtool: Allow specifying fixed dates on CRL generation. ** gnutls-cli-debug: Added check for inappropriate fallback support (RFC7507). ** API and ABI modifications: No changes since last version. * Version 3.4.4 (released 2015-08-10) ** libgnutls: added high level API (gnutls_prf_rfc5705) to access the PRF as specified by RFC5705. Suggestion and original patch by Rick van Rein. ** libgnutls: Link to trousers (TPM library) dynamically when this functionality is requested. ** libgnutls: Fix issue with server side sending the status request extension even when not requested. Reported by Jeremy Harris. ** libgnutls: Added support for RFC7507 by introducing the %FALLBACK_SCSV priority string option. Patch by Alessandro Ghedini. ** libgnutls: gnutls_pkcs11_privkey_generate2() will store the generated public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY flag is specified. ** libgnutls: Corrected regression from 3.4.3 in loading PKCS #8 keys as fallback. Reported by Daniel Berrange. ** libgnutls: Allow the parsing of very long DNs. Also fixes double free in DN decoding [GNUTLS-SA-2015-3]. ** API and ABI modifications: gnutls_prf_rfc5705: Added gnutls_hex_encode2: Added gnutls_hex_decode2: Added * Version 3.4.3 (released 2015-07-12) ** libgnutls: Follow closely RFC5280 recommendations and use UTCTime for dates prior to 2050. ** libgnutls: Force 16-byte alignment to all input to ciphers (previously it was done only when cryptodev was enabled). ** libgnutls: Removed support for pthread_atfork() as it has undefined semantics when used with dlopen(), and may lead to a crash. ** libgnutls: corrected failure when importing plain files with gnutls_x509_privkey_import2(), and a password was provided. ** libgnutls: Don't reject certificates if a CA has the URI or IP address name constraints, and the end certificate doesn't have an IP address name or a URI set. ** libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites. ** p11tool: Added --list-token-urls option, and print the token module name in list-tokens. ** API and ABI modifications: gnutls_ecc_curve_get_oid: Added gnutls_digest_get_oid: Added gnutls_pk_get_oid: Added gnutls_sign_get_oid: Added gnutls_ecc_curve_get_id: Added gnutls_oid_to_digest: Added gnutls_oid_to_pk: Added gnutls_oid_to_sign: Added gnutls_oid_to_ecc_curve: Added gnutls_pkcs7_get_signature_count: Added * Version 3.4.2 (released 2015-06-16) ** libgnutls: DTLS blocking API is more robust against infinite blocking, and will notify of more possible timeouts. ** libgnutls: corrected regression with Camellia-256-GCM cipher. Reported by Manuel Pegourie-Gonnard. ** libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That allows to disable SIGPIPE for writes done within gnutls. ** libgnutls: Enhanced the PKCS #7 API to allow signing and verification of structures. API moved to gnutls/pkcs7.h header. ** certtool: Added options to generate PKCS #7 bundles and signed structures. ** API and ABI modifications: gnutls_x509_dn_get_str: Added gnutls_pkcs11_get_raw_issuer_by_subject_key_id: Added gnutls_x509_trust_list_get_issuer_by_subject_key_id: Added gnutls_x509_crt_verify_data2: Added gnutls_pkcs7_get_crt_raw2: Added gnutls_pkcs7_signature_info_deinit: Added gnutls_pkcs7_get_signature_info: Added gnutls_pkcs7_verify_direct: Added gnutls_pkcs7_verify: Added gnutls_pkcs7_get_crl_raw2: Added gnutls_pkcs7_sign: Added gnutls_pkcs7_attrs_deinit: Added gnutls_pkcs7_add_attr: Added gnutls_pkcs7_get_attr: Added gnutls_pkcs7_print: Added * Version 3.4.1 (released 2015-05-03) ** libgnutls: gnutls_certificate_get_ours: will return the certificate even if a callback was used to send it. ** libgnutls: Check for invalid length in the X.509 version field. Without the check certificates with invalid length would be detected as having an arbitrary version. Reported by Hanno Böck. ** libgnutls: Handle DNS name constraints with a leading dot. Patch by Fotis Loukos. ** libgnutls: Updated system-keys support for windows to compile in more versions of mingw. Patch by Tim Kosse. ** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by Karthikeyan Bhargavan [GNUTLS-SA-2015-2]. ** libgnutls: Reverted: The gnutls_handshake() process will enforce a timeout by default. That caused issues with non-blocking programs. ** certtool: It can generate SHA256 key IDs. ** gnutls-cli: fixed crash in --benchmark-ciphers. Reported by James Cloos. ** configure: re-enabled the --enable-local-libopts flag ** API and ABI modifications: gnutls_x509_crt_get_pk_ecc_raw: Added * Version 3.4.0 (released 2015-04-08) ** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251) ciphersuites. The former are enabled by default, the latter need to be explicitly enabled, since they reduce the overall security level. ** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10. That is currently provided as technology preview and is not enabled by default, since there are no assigned ciphersuite points by IETF and there is no guarrantee of compatibility between draft versions. The ciphersuite priority string to enable it is "+CHACHA20-POLY1305". ** libgnutls: Added support for encrypt-then-authenticate in CBC ciphersuites (RFC7366 -taking into account its errata text). This is enabled by default and can be disabled using the %NO_ETM priority string. ** libgnutls: Added support for the extended master secret (triple-handshake fix) following draft-ietf-tls-session-hash-02. ** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h). ** libgnutls: SSL 3.0 is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+VERS-SSL3.0". ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+ARCFOUR-128". ** libgnutls: DSA signatures and DHE-DSS are no longer included in the default priorities list. They have to be explicitly enabled, e.g., with a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The DSA ciphersuites were dropped because they had no deployment at all on the internet, to justify their inclusion. ** libgnutls: The priority string EXPORT was completely removed. The string was already defunc as support for the EXPORT ciphersuites was removed in GnuTLS 3.2.0. ** libgnutls: Added API to utilize system specific private keys in "gnutls/system-keys.h". It is currently provided as technology preview and is restricted to windows CNG keys. ** libgnutls: gnutls_x509_crt_check_hostname() and friends will use RFC6125 comparison of hostnames. That introduces a dependency on libidn. ** libgnutls: Depend on p11-kit 0.23.1 to comply with the final PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21). ** libgnutls: Depend on nettle 3.1. ** libgnutls: Use getrandom() or getentropy() when available. That avoids the complexity of file descriptor handling and issues with applications closing all open file descriptors on startup. ** libgnutls: Use pthread_atfork() to detect fork when available. ** libgnutls: If a key purpose (extended key usage) is specified for verification, it is applied into intermediate certificates. The verification result GNUTLS_CERT_PURPOSE_MISMATCH is also introduced. ** libgnutls: When gnutls_certificate_set_x509_key_file2() is used in combination with PKCS #11, or TPM URLs, it will utilize the provided password as PIN if required. That removes the requirement for the application to set a callback for PINs in that case. ** libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are restricted to the corresponding protocols only, and the VERS-ALL string is introduced to catch all possible protocols. ** libgnutls: Added helper functions to obtain information on PKCS #8 structures. ** libgnutls: Certificate chains which are provided to gnutls_certificate_credentials_t will automatically be sorted instead of failing with GNUTLS_E_CERTIFICATE_LIST_UNSORTED. ** libgnutls: Added functions to export and set the record state. That allows for gnutls_record_send() and recv() to be offloaded (to kernel, hardware or any other subsystem). ** libgnutls: Added the ability to register application specific URL types, which express certificates and keys using gnutls_register_custom_url(). ** libgnutls: Added API to override existing ciphers, digests and MACs, e.g., to override AES-GCM using a system-specific accelerator. That is, (crypto.h) gnutls_crypto_register_cipher(), gnutls_crypto_register_aead_cipher(), gnutls_crypto_register_mac(), and gnutls_crypto_register_digest(). ** libgnutls: Added gnutls_ext_register() to register custom extensions. Contributed by Thierry Quemerais. ** libgnutls: Added gnutls_supplemental_register() to register custom supplemental data handshake messages. Contributed by Thierry Quemerais. ** libgnutls-openssl: it is no longer built by default. ** certtool: Added --p8-info option, which will print PKCS #8 information even if the password is not available. ** certtool: --key-info option will print PKCS #8 encryption information when available. ** certtool: Added the --key-id and --fingerprint options. ** certtool: Added the --verify-hostname, --verify-email and --verify-purpose options to be used in certificate chain verification, to simulate verification for specific hostname and key purpose (extended key usage). ** certtool: --p12-info option will print PKCS #12 MAC and cipher information when available. ** certtool: it will print the A-label (ACE) names in addition to UTF-8. ** p11tool: added options --set-id and --set-label. ** gnutls-cli: added options --priority-list and --save-cert. ** guile: Deprecated priority API has been removed. The old priority API, which had been deprecated for some time, is now gone; use 'set-session-priorities!' instead. ** guile: Remove RSA parameters and related procedures. This API had been deprecated. ** guile: Fix compilation on MinGW. Previously only the static version of the 'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile. ** API and ABI modifications: gnutls_record_get_state: Added gnutls_record_set_state: Added gnutls_aead_cipher_init: Added gnutls_aead_cipher_decrypt: Added gnutls_aead_cipher_encrypt: Added gnutls_aead_cipher_deinit: Added gnutls_pkcs12_generate_mac2: Added gnutls_pkcs12_mac_info: Added gnutls_pkcs12_bag_enc_info: Added gnutls_pkcs8_info: Added gnutls_pkcs_schema_get_name: Added gnutls_pkcs_schema_get_oid: Added gnutls_pcert_export_x509: Added gnutls_pcert_export_openpgp: Added gnutls_pcert_import_x509_list: Added gnutls_pkcs11_privkey_cpy: Added gnutls_x509_crq_get_signature_algorithm: Added gnutls_x509_trust_list_iter_get_ca: Added gnutls_x509_trust_list_iter_deinit: Added gnutls_x509_trust_list_get_issuer_by_dn: Added gnutls_pkcs11_get_raw_issuer_by_dn: Added gnutls_certificate_get_trust_list: Added gnutls_privkey_export_x509: Added gnutls_privkey_export_pkcs11: Added gnutls_privkey_export_openpgp: Added gnutls_privkey_import_ext3: Added gnutls_certificate_get_x509_key: Added gnutls_certificate_get_x509_crt: Added gnutls_certificate_get_openpgp_key: Added gnutls_certificate_get_openpgp_crt: Added gnutls_record_discard_queued: Added gnutls_session_ext_master_secret_status: Added gnutls_priority_string_list: Added gnutls_dh_params_import_raw2: Added gnutls_memset: Added gnutls_memcmp: Added gnutls_pkcs12_bag_set_privkey: Added gnutls_ocsp_resp_get_responder_raw_id: Added gnutls_system_key_iter_deinit: Added gnutls_system_key_iter_get_info: Added gnutls_system_key_delete: Added gnutls_system_key_add_x509: Added gnutls_system_recv_timeout: Added gnutls_register_custom_url: Added gnutls_pkcs11_obj_list_import_url3: Added gnutls_pkcs11_obj_list_import_url4: Added gnutls_pkcs11_obj_set_info: Added gnutls_crypto_register_cipher: Added gnutls_crypto_register_aead_cipher: Added gnutls_crypto_register_mac: Added gnutls_crypto_register_digest: Added gnutls_ext_register: Added gnutls_supplemental_register: Added gnutls_supplemental_recv: Added gnutls_supplemental_send: Added gnutls_openpgp_crt_check_email: Added gnutls_x509_crt_check_email: Added gnutls_handshake_set_hook_function: Modified gnutls_pkcs11_privkey_generate3: Added gnutls_pkcs11_copy_x509_crt2: Added gnutls_pkcs11_copy_x509_privkey2: Added gnutls_pkcs11_obj_list_import_url: Removed gnutls_pkcs11_obj_list_import_url2: Removed gnutls_certificate_client_set_retrieve_function: Removed gnutls_certificate_server_set_retrieve_function: Removed gnutls_certificate_set_rsa_export_params: Removed gnutls_certificate_type_set_priority: Removed gnutls_cipher_set_priority: Removed gnutls_compression_set_priority: Removed gnutls_kx_set_priority: Removed gnutls_mac_set_priority: Removed gnutls_protocol_set_priority: Removed gnutls_rsa_export_get_modulus_bits: Removed gnutls_rsa_export_get_pubkey: Removed gnutls_rsa_params_cpy: Removed gnutls_rsa_params_deinit: R ...