Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat May 29 07:18:17 2021 +0200

    Release 3.7.2
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat May 29 07:09:07 2021 +0200

    release-steps: remove unnecessary steps
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat May 29 06:56:57 2021 +0200

    AUTHORS: take Co-authored-by: into account
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat May 29 06:52:42 2021 +0200

    .mailmap: update
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Tue May 18 16:32:55 2021 -0400

    certtool: order DN components by scale.
    
    DN components are expected to be ordered by scale, with the wire format
    representing larger-scale components (like country or organization) before
    smaller-scale components (like state or organizationalUnit).
    
    The bulk of the changes here of course are changes to the target
    certificates in the test suite.
    
    Note that a change was necessary in tests/cert-tests/crq.sh because it
    tests the "interactive" mode of certtool.  If any user is scripting
    certtool in this way, this change will cause a backwards-incompatible
    break.  However, I think this is OK -- the supported scripted/batch
    mode for certtool should use a template file, and I don't think it's
    important to maintain a strict api on the interactive mode.
    
    The main change here is to order the DN from least-specific-to-most,
    in particular:
    
        country, state, locality, org, orgunit, cn, uid
    
    But I've also made an additional arbitrary choice, which is that DC
    (domain component) comes *after* uid.  This was already the case in
    certificate generation, but in *request* generation, it was the other
    way around.  I've changed request generation to match this ordering
    from certificate generation.
    
    Closes: #1243
    
    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu May 27 10:00:22 2021 +0200

    build: fix interface version dependencies in libgnutls.map
    
    Previously, the predecessor of GNUTLS_3_7_0 was mistakenly set to
    GNUTLS_3_4 instead of GNUTLS_3_6_14.  This fix shouldn't have any
    impact on ABI, given that the dynamic loader doesn't take the
    ordering of versions into account.  See also the first paragraph on:
    https://www.akkadia.org/drepper/dsohowto.pdf#page=38
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu May 27 09:34:50 2021 +0200

    build: require libkcapi 1.3.0 or later if --enable-afalg
    
    libkcapi 1.3.0 brings a couple of changes needed for GnuTLS:
    
     * fix: remove prctl PR_SET_DUMPABLE to allow library to be debugged
     * fix: ensure that sendmsg is always used as fallback when vmsplice cannot be used
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 28 17:05:56 2021 +0200

    tlsfuzzer: update git submodules
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 28 08:51:27 2021 +0200

    nettle: update git submodule to 3.7.2 release
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 28 08:50:19 2021 +0200

    gnulib: update git submodule
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu May 27 08:10:30 2021 +0200

    devel: update libtasn1 submodule
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Leonardo Bras <leobras.c@gmail.com>
Date:   Fri May 21 03:40:03 2021 -0300

    guile: Fix implicit conversion warning
    
    When building, the following warning may be printed:
    
      CC       guile_gnutls_v_2_la-utils.lo
    core.c: In function 'scm_gnutls_set_server_session_certificate_request_x':
    core.c:545:13: warning: implicit conversion from 'gnutls_certificate_request_t' to 'gnutls_certificate_status_t' [-Wenum-conversion]
      545 |   c_request = scm_to_gnutls_certificate_request (request, 2, FUNC_NAME);
          |             ^
    core.c:547:53: warning: implicit conversion from 'gnutls_certificate_status_t' to 'gnutls_certificate_request_t' [-Wenum-conversion]
      547 |   gnutls_certificate_server_set_request (c_session, c_request);
          |
    
    Fix this warning by changing c_request type to gnutls_certificate_request_t.
    
    Signed-off-by: Leonardo Bras <leobras.c@gmail.com>

Author: Leonardo Bras <leobras.c@gmail.com>
Date:   Fri May 21 03:11:29 2021 -0300

    ASN1: Remove warnings related to old libtasn1 names
    
    While compiling gnutls, some warnings related to deprecated names can be
    printed, such as:
    
    ./../x509/x509_int.h:392:13: warning: 'ASN1_TYPE' macro is deprecated, use 'asn1_node' instead.
      392 | int _gnutls_x509_write_key_int_le(ASN1_TYPE node, const char *value,
          |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    To avoid that, rename types as shown in devel/libtasn1/NEWS (release 3.1):
    
    ASN1_DATA_NODE -> asn1_data_node_st
    ASN1_ARRAY_TYPE -> asn1_static_node (was asn1_static_node_t)
    ASN1_TYPE -> asn1_node
    ASN1_TYPE_EMPTY -> NULL
    static_struct_asn -> asn1_static_node_st
    node_asn_struct -> asn1_node_st
    node_asn -> asn1_node_st
    
    Signed-off-by: Leonardo Bras <leobras.c@gmail.com>

Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Mon May 17 13:33:28 2021 -0400

    git: Do not ignore certtool templates.
    
    This effectively reverts part of
    dc85966364994006f9337e4749d1487e4b8e16a1 in order to ensure that
    tests/cert-tests/templates/*.tmpl are not ignored by git.
    
    Closes: #1242
    
    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Mon May 17 13:20:26 2021 -0400

    tests/cert-tests: test a policy without any policyQualifiers.
    
    Ensure that a policy without policyQualifiers gets created with an
    omitted sequence of qualifiers, rather than an empty sequence of
    qualifiers.
    
    We use NIST's test policy OID for this test.
    
    This tests the fix for #1238.
    
    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Fri May 14 17:57:54 2021 -0400

    x509: Omit empty sequences of policyQualifiers.
    
    When a certificate has a policy attached but no policyQualifiers,
    `certtool` should omit the policyQualifiers sequence entirely, rather
    than emitting an empty sequence.
    
    Closes: #1238
    
    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 14 15:59:37 2021 +0200

    cert auth: filter out unsupported cert types from TLS 1.2 CR
    
    When the server is advertising signature algorithms in TLS 1.2
    CertificateRequest, it shouldn't send certificate_types not backed by
    any of those algorithms.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon May 17 07:58:43 2021 +0200

    pre_shared_key: limit 0-RTT to resumption connections
    
    While RFC 8446 allows 0-RTT data in a non-resumption connection
    established with external PSK, it requires a mechanism to associate
    encryption parameters with PSK.  Until we provide a new API for that,
    let's limit the 0-RTT use to resumption connections only.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed May 12 20:49:20 2021 -0400

    x509: Write keyUsage extension with minimal BIT STRING
    
    Avoid embedding trailing cleared bits in the BIT STRING for the
    keyUsage extension.
    
    The overwhelming majority of this changeset is correcting the
    artifacts in the test suite, most of which had keyUsage with a
    non-minimal encoding.  The only functional code change is in
    lib/x509/x509_ext.c.
    
    Closes: #1236
    
    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
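The minimal BIT STRING encoding this commit moves certtool to, as an added example that is not GnuTLS's own code: a DER encoder for the keyUsage extension that drops trailing cleared octets and counts the trailing cleared bits in the unused-bits octet, plus a checker that flags non-minimal encodings such as the ones the test suite previously carried. The KU_* bit names and the function names are this example's own, not GnuTLS's GNUTLS_KEY_* API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* X.509 KeyUsage bit positions (RFC 5280 4.2.1.3).  Bit 0 is the most
 * significant bit of the first content octet of the DER BIT STRING.
 * These names are this example's own, not GnuTLS's GNUTLS_KEY_* flags. */
enum {
    KU_DIGITAL_SIGNATURE = 0,
    KU_NON_REPUDIATION   = 1,
    KU_KEY_ENCIPHERMENT  = 2,
    KU_DATA_ENCIPHERMENT = 3,
    KU_KEY_AGREEMENT     = 4,
    KU_KEY_CERT_SIGN     = 5,
    KU_CRL_SIGN          = 6,
    KU_ENCIPHER_ONLY     = 7,
    KU_DECIPHER_ONLY     = 8,
    KU_BIT_COUNT         = 9
};

/* Encode a KeyUsage mask (OR of 1u << KU_x) as a DER BIT STRING with the
 * minimal encoding DER requires (X.690 11.2.2): trailing all-zero content
 * octets are dropped and the unused-bits octet counts the trailing cleared
 * bits of the last content octet.  Returns the encoded length, or 0 if
 * `out` is too small. */
size_t encode_key_usage_der(unsigned usage_mask, uint8_t *out, size_t out_len)
{
    uint8_t content[2] = { 0, 0 };  /* nine named bits fit in two octets */
    size_t used = 0;                /* content octets actually needed */
    uint8_t unused = 0;             /* trailing cleared bits in last octet */
    int bit;

    for (bit = 0; bit < KU_BIT_COUNT; bit++) {
        if (usage_mask & (1u << bit)) {
            content[bit / 8] |= (uint8_t)(0x80u >> (bit % 8));
            used = (size_t)(bit / 8) + 1;
        }
    }
    if (used > 0) {
        uint8_t last = content[used - 1];  /* non-zero by construction */
        while ((last & 1u) == 0) {
            last >>= 1;
            unused++;
        }
    }
    if (out_len < 3 + used)
        return 0;
    out[0] = 0x03;                  /* BIT STRING tag */
    out[1] = (uint8_t)(1 + used);   /* length: unused-bits octet + content */
    out[2] = unused;
    memcpy(out + 3, content, used);
    return 3 + used;
}

/* Check that a short-form DER BIT STRING is minimally encoded: no trailing
 * all-zero content octet, and an unused-bits octet equal to the number of
 * trailing cleared bits of the last content octet.  For example
 * 03 02 00 A0 (unused-bits 0 although five cleared bits trail) fails.
 * Returns 1 if minimal, 0 otherwise (including malformed input). */
int bitstring_is_minimal(const uint8_t *der, size_t len)
{
    size_t content_len;
    uint8_t unused, last, trailing = 0;

    if (len < 3 || der[0] != 0x03 || (der[1] & 0x80) || der[1] + 2u != len)
        return 0;
    content_len = der[1] - 1u;
    unused = der[2];
    if (unused > 7)
        return 0;
    if (content_len == 0)
        return unused == 0;         /* the empty BIT STRING is 03 01 00 */
    last = der[len - 1];
    if (last == 0)
        return 0;                   /* trailing cleared octet */
    while ((last & 1u) == 0) {
        last >>= 1;
        trailing++;
    }
    return trailing == unused;
}

/* Helper: encode `usage_mask` and compare the result with an upper-case
 * hex string such as "030205A0".  Returns 1 on match. */
int key_usage_encodes_to(unsigned usage_mask, const char *expected_hex)
{
    uint8_t der[8];
    char hex[2 * sizeof(der) + 1];
    size_t n = encode_key_usage_der(usage_mask, der, sizeof(der));
    size_t i;

    if (n == 0)
        return 0;
    for (i = 0; i < n; i++)
        snprintf(hex + 2 * i, 3, "%02X", der[i]);
    return strcmp(hex, expected_hex) == 0;
}
```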

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 14 08:48:24 2021 +0200

    .gitlab-ci.yml: add bootstrap stage
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 14 08:26:37 2021 +0200

    serv: stop setting AI_ADDRCONFIG on getaddrinfo
    
    AI_ADDRCONFIG is only useful when the NODE argument is given in the
    getaddrinfo call, as described in RFC 3493 6.1.  Suggested by Andreas
    Metzler in:
    https://gitlab.com/gnutls/gnutls/-/issues/1007#note_356637206
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu May 13 15:03:10 2021 +0200

    configure.ac: specify -ladvapi32 in mingw builds
    
    This library needs to be linked for CryptAcquireContextW, used in
    lib/system/keys-win.c.  Suggested by Tim Kosse in:
    https://gitlab.com/gnutls/gnutls/-/issues/1232
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 11 09:50:22 2021 +0200

    tests: don't install crypt32.dll and ncrypt.dll replacement
    
    Reported by Tim Kosse in:
    https://gitlab.com/gnutls/gnutls/-/issues/1232
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Apr 29 18:44:28 2021 +0200

    gnutls_early_{cipher,prf_hash}_get: new functions
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Apr 29 11:50:00 2021 +0200

    tests: rework tls13-early-data to check key scheduling
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Apr 29 18:25:55 2021 +0200

    tests: tls13-early-data: use TLS_CHACHA20_POLY1305_SHA256
    
    When resuming in TLS 1.3, the negotiated PRF hash must match the one
    used in the initial handshake.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Apr 29 18:09:01 2021 +0200

    tests: remove shell-script wrapper for tls13/prf-early
    
    The wrapper (tls13/prf-early.sh) was merely for running
    tls13/prf-early under datefudge.  The same thing can now be done with
    virt_time_init_at.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Apr 29 17:56:37 2021 +0200

    tests: virt-time: add virt_time_init_at
    
    This allows the tests to set the current time to an arbitrary point,
    instead of the actual current time; useful for tests that check
    traces, such as tls13/prf-early.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Apr 29 08:35:02 2021 +0200

    gnutls_init: add flag to omit EndOfEarlyData messages
    
    The message is prohibited in QUIC:
    https://tools.ietf.org/html/draft-ietf-quic-tls-34#section-8.3
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Apr 29 08:26:46 2021 +0200

    gnutls_init: redefine GNUTLS_ENABLE_EARLY_DATA flag for client
    
    The flag was only for the server, but it turned out to be useful for
    the client to explicitly indicate early data when 0-RTT is handled
    out-of-band, as in QUIC.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Apr 29 08:23:15 2021 +0200

    state: call secret_func on early write key change as well
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu May 13 08:38:20 2021 +0200

    .gitlab-ci.yml: doc-dist.Fedora: invoke "texconfig rehash"
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu May 13 08:01:27 2021 +0200

    systemkey: remove unused --inder and --infile options
    
    While those options have no effect, the command previously tried to
    open a file for reading and leaked a file descriptor.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed May 12 16:55:37 2021 +0200

    keylog: suppress -Wanalyzer-file-leak warnings
    
    This works around the following warnings from the gcc analyzer:
    
      kx.c:156:69: error: leak of FILE '<unknown>' [CWE-775] [-Werror=analyzer-file-leak]
        156 |                         _gnutls_bin2hex(session->security_parameters.
            |                                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        157 |                                         client_random, GNUTLS_RANDOM_SIZE,
            |                                         ~~~~~~~~~~~~~
    
    This should be harmless because the keylog file pointer is closed in
    the ELF destructor.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed May 12 14:46:56 2021 +0200

    .gitlab-ci.yml: update build images to Fedora 34 and Alpine 3.13
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed May 12 14:44:37 2021 +0200

    devel: regenerate abidw dump files
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 11 15:29:03 2021 +0200

    .gitlab-ci.yml: bump cache version
    
    This should fix the nettle_streebog512_update detection.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 11 14:25:38 2021 +0200

    srptool: add missing fclose on error path
    
    Spotted by gcc analyzer:
      srptool.c:113:32: warning: leak of FILE 'fp' [CWE-775] [-Wanalyzer-file-leak]
        113 |                         return -1;
            |                                ^
    also:
      srptool.c:560:32: warning: leak of FILE 'fp' [CWE-775] [-Wanalyzer-file-leak]
        560 |                         return -1;
            |                                ^
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu May 13 08:40:59 2021 +0200

    tests: _check_wait_status: use only async-thread-safe function
    
    As this function shall be called in a signal handler, it shouldn't use
    'exit' as it's not async-thread-safe.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 11 14:23:45 2021 +0200

    gnutls-serv: use only async-signal-safe functions in signal handler
    
    Spotted by gcc analyzer:
      serv.c:1138:9: warning: call to 'exit' from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler]
       1138 |         exit(1);
            |         ^~~~~~~
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 11 14:13:45 2021 +0200

    certtool: tighten allocation check
    
    Spotted by gcc analyzer:
      certtool-cfg.c:856:24: warning: use of possibly-NULL 'copy' where non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
        856 |                 while (strcmp(pass, copy) != 0
            |                        ^~~~~~~~~~~~~~~~~~
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 11 14:08:33 2021 +0200

    psktool: tighten allocation check
    
    Spotted by gcc analyzer:
      psk.c:275:21: warning: use of possibly-NULL '_username.data' where non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
        275 |                 if (strncmp(p, (const char *) _username.data,
            |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 11 13:16:51 2021 +0200

    .gitignore: ignore more files
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 11 11:08:59 2021 +0200

    _tls13_{derive,expand}_secret2: fix array parameter mismatch
    
    This suppresses the warning with -Warray-parameter:
      secrets.c:85:40: warning: argument 6 of type 'const uint8_t[64]' {aka 'const unsigned char[64]'} with mismatched bound [-Warray-parameter=]
         85 |                          const uint8_t secret[MAX_HASH_SIZE],
            |                          ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
      In file included from secrets.c:28:
      secrets.h:43:41: note: previously declared as 'const uint8_t[32]' {aka 'const unsigned char[32]'}
         43 |                           const uint8_t secret[MAX_CIPHER_KEY_SIZE],
            |                           ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 11 11:04:54 2021 +0200

    _gnutls_retrieve_pin: remove array declarator in function argument
    
    This was originally to eliminate the warnings with -Warray-parameter:
    
      pin.c:70:27: warning: argument 5 of type 'char[256]' with mismatched bound [-Warray-parameter=]
         70 |                      char pin[GNUTLS_PKCS11_MAX_PIN_LEN], unsigned pin_size)
            |                      ~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      In file included from pin.c:23:
      ./pin.h:9:48: note: previously declared as 'char *'
          9 |                      unsigned pin_flags, char *pin, unsigned pin_size);
            |                                          ~~~~~~^~~
    
    though it turned out to be unnecessary because the function merely
    delegates the call to the user-supplied callbacks.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed May 5 18:05:29 2021 -0400

    spelling: The possessive pronoun "its" has no apostrophe.
    
    "it's" is for contractions like "it is" or "it has".  "its" is a
    possessive pronoun, like "his" or "hers" or "theirs", none of which
    have an apostrophe in them either.
    
    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Tue May 4 15:08:08 2021 -0400

    certtool: Align warning about --provable with actual code
    
    If I try to generate an ed25519 key, it is *not* an ECDSA key.  But I
    see this warning:
    
        0 dkg@host:~$ certtool --generate-privkey --provable --key-type ed25519
        Generating a 256 bit EdDSA (Ed25519) private key ...
        The --provable parameter cannot be used with ECDSA keys.
        1 dkg@host:~$
    
    Looking at the code and documentation, it's clear that --provable only
    works for RSA and DSA.  This fix aligns the warning message with the
    underlying mechanism.
    
    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon May 3 16:35:43 2021 +0200

    x509/verify: treat SHA-1 signed CA in the trusted set differently
    
    Suppose there is a certificate chain ending with an intermediate CA:
    EE → ICA1 → ICA2.  If the system trust store contains a root CA
    generated with the same key as ICA2 but signed with a prohibited
    algorithm, such as SHA-1, the library previously reported a
    verification failure, though the situation is not uncommon during a
    root CA transition period.
    
    This changes the library behavior such that the check on signature
    algorithm will be skipped when examining the trusted root CA.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon May 3 17:27:56 2021 +0200

    global: rename GNUTLS_NO_EXPLICIT_INIT to GNUTLS_NO_IMPLICIT_INIT
    
    The old envvar still has effect but has been marked as deprecated.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon May 3 14:19:22 2021 +0200

    certtool: fix parsing of --verify-profile option
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Ruslan N. Marchenko <me@ruff.mobi>
Date:   Sun May 2 23:29:39 2021 +0200

    Add tests for call gnutls_session_channel_binding
    
    Add a test unit which executes positive and negative test scenarios
    using the standard gnutls testing framework.
    
    Signed-off-by: Ruslan N. Marchenko <me@ruff.mobi>

Author: Ruslan N. Marchenko <me@ruff.mobi>
Date:   Sat May 1 23:05:54 2021 +0200

    Add tls-server-end-point tls channel binding implementation.
    
    Add the server-end-point tls channel binding to the
    gnutls_session_channel_binding method. The implementation extracts the
    session's certificate and its signature algorithm, and calculates a
    digest of the extracted certificate using the hash function derived
    from the extracted algorithm, as per RFC 5929.
    
    Signed-off-by: Ruslan N. Marchenko <me@ruff.mobi>

Author: Ruslan N. Marchenko <me@ruff.mobi>
Date:   Sat May 1 10:16:37 2021 +0200

    Restructure gnutls_session_channel_binding and add tls-exporter
    
    The restructuring removes the explicit pre-check for supported binding
    type(s) and instead relies on a catch-all return which returns
    UNIMPLEMENTED_FEATURE if no type was handled. In addition to that,
    it returns UNIMPLEMENTED_FEATURE for a tls-unique request on a TLSv1.3
    session, since that is not supposed to work and hence requires an
    explicit error. Finally, an implementation of the new binding type
    tls-exporter is added.
    
    Signed-off-by: Ruslan N. Marchenko <me@ruff.mobi>

Author: Ruslan N. Marchenko <me@ruff.mobi>
Date:   Sat May 1 10:22:14 2021 +0200

    Introduce new tls channel binding types into gnutls_channel_binding_t
    
    This commit adds two new tls channel binding types into enum
    gnutls_channel_binding_t:
    * tls-server-end-point
    * tls-exporter
    
    Signed-off-by: Ruslan N. Marchenko <me@ruff.mobi>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Apr 28 11:04:20 2021 +0200

    certtool: don't copy CRL distribution point from CA cert
    
    Suggested by Thomas Karlsson in:
    https://gitlab.com/gnutls/gnutls/-/issues/1126
    
    While this changes the default behavior, CDP can always be set through
    the template or interactive input.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Apr 25 17:04:46 2021 +0200

    gnutls_x509_crt_get_dn: clarify null-termination of the output
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Apr 25 10:48:09 2021 +0200

    build: do not install .hmac files
    
    It turned out that a distro's package building process might perform
    post-processing (e.g., strip) of the shared libraries after install,
    and that may cause inconsistency with the installed .hmac files.
    
    Let's not try too hard on this but defer the final hmac calculation to
    distributions.  It is still useful to keep our own fipshmac as it
    makes it easier to run FIPS tests.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Apr 25 06:51:20 2021 +0200

    tests: fix test script file name in distribution
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Apr 25 06:50:03 2021 +0200

    .gitignore: ignore ctags, etags, and GNU global files
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Apr 23 15:36:37 2021 +0200

    handshake: fix timing of sending early data
    
    Previously, the client was sending early data after receiving a Server
    Hello message, which not only negates the benefit of 0-RTT, but was
    also a logic error, as the data can only be decrypted by the server
    when the initial handshake and the resuming handshake agree on the
    same ciphersuites.  This fixes that behavior in the following ways:
    
    - extend the session data format to include the selected ciphersuites,
      even in TLS 1.3
    - set up the epoch for early data right before the client sends
      early data (and right after the server decides to accept early
      data).
    - extend the test case to use different ciphersuites in the initial
      and resuming handshakes
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Ludovic Courtès <ludo@gnu.org>
Date:   Fri Apr 23 09:44:20 2021 +0200

    guile: Tests show their PID upon uncaught exceptions.
    
    * guile/modules/gnutls/build/tests.scm (run-test): Display the PID when
    throwing an exception.
    
    Signed-off-by: Ludovic Courtès <ludo@gnu.org>

Author: Ludovic Courtès <ludo@gnu.org>
Date:   Fri Feb 5 12:28:35 2021 +0100

    guile: Avoid the deprecated 'scm_t_uint8' type.
    
    * guile/src/core.c: Use 'uint8_t' instead of 'scm_t_uint8', which is
    deprecated in Guile 3.0.
    
    Signed-off-by: Ludovic Courtès <ludo@gnu.org>

Author: Ludovic Courtès <ludo@gnu.org>
Date:   Tue Dec 22 10:30:43 2020 +0100

    guile: Avoid potentially missed reference.
    
    There's one case where 'register_weak_reference' is called several times
    on the same object, in 'set-certificate-credentials-x509-keys!', where
    PRIVKEY could have been GC'd before CRED.
    
    * guile/src/core.c (register_weak_reference): Add TO to the weak
    references of FROM instead of overriding them.
    
    Signed-off-by: Ludovic Courtès <ludo@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Apr 23 10:28:03 2021 +0200

    afalg: use pkg-config to detect libkcapi
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Apr 23 10:03:47 2021 +0200

    afalg: support AES-XTS algorithms
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Apr 23 09:56:40 2021 +0200

    afalg: cleanup header inclusion
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Ludovic Courtès <ludo@gnu.org>
Date:   Mon Dec 21 18:22:14 2020 +0100

    guile: Remove leftover comment about allocation routines.
    
    This is a followup to 872409857351f28b1e3c21526bfa6606c918b176.
    
    * guile/src/core.c (scm_init_gnutls): Remove leftover comment.
    
    Signed-off-by: Ludovic Courtès <ludo@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Apr 23 09:50:16 2021 +0200

    afalg: remove unnecessary initialization
    
    That would make it easier to spot any uninitialized memory access with
    valgrind.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Apr 23 09:45:51 2021 +0200

    afalg: assert IV size returned from the kernel is in the range
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Apr 23 09:42:03 2021 +0200

    NEWS: mention AF_ALG support
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Apr 14 17:27:43 2021 +0200

    crypto-selftests: tolerate errors of gnutls_{hash,hmac}_copy
    
    Some hardware accelerated implementations, such as afalg, cannot
    support the copy operation.  This patch turns it into a soft error, as
    the code below already checks that the copy is non-NULL before
    performing any operation on it.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Apr 22 16:42:01 2021 +0200

    handshake: don't regenerate legacy_session_id in second CH after HRR
    
    According to RFC 8446 4.1.2, the client must send the same Client
    Hello after Hello Retry Request, except for certain extensions,
    and thus legacy_session_id must be preserved.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Apr 14 16:50:28 2021 +0200

    _gnutls_cipher_init: fallback if setiv is not implemented for AEAD
    
    The _gnutls_cipher_init function currently assumes that all the cipher
    implementations have a .setiv method.  This is not the case for
    AEAD-only implementations such as afalg.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Stephan Mueller <smueller@chronox.de>
Date:   Sat Oct 14 20:46:09 2017 +0200

    Add AF_ALG acceleration
    
    The patch set adds the backend implementation to use the Linux kernel
    crypto API via the AF_ALG interface. The GnuTLS AF_ALG extension uses
    libkcapi [1] as the backend library which implements the actual kernel
    communication.
    
    [1] http://www.chronox.de/libkcapi.html
    
    The symmetric cipher support, the hashing and the MAC support are
    validated to work correctly using NIST CAVS test vectors.
    
    The AEAD cipher support was tested by connecting to a remote host using
    gnutls-cli (the following log strips out unrelated information):
    
    Processed 143 CA certificate(s).
    ...
    - Certificate type: X.509
    - Got a certificate list of 1 certificates.
    - Certificate[0] info:
    ...
    - Description: (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA512)-(AES-256-GCM)
    - Session ID: 9E:5E:FC:09:2A:4E:2A:3D:22:44:68:42:C3:F6:2D:AB:F9:67:08:CE:6D:EE:E4:A2:EF:80:43:FE:3B:D9:1E:FE
    - Ephemeral EC Diffie-Hellman parameters
     - Using curve: SECP384R1
     - Curve size: 384 bits
    - Version: TLS1.2
    - Key Exchange: ECDHE-RSA
    - Server Signature: RSA-SHA512
    - Cipher: AES-256-GCM
    - MAC: AEAD
    - Options: extended master secret, safe renegotiation,
    - Handshake was completed
    
    - Simple Client Mode:
    
    Signed-off-by: Stephan Mueller <smueller@chronox.de>
    
    Co-authored-by: Daiki Ueno <ueno@gnu.org>
    Co-authored-by: Hedgehog5040 <krenzelok.frantisek@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Apr 16 13:56:40 2021 +0200

    priority: add option to disable TLS 1.3 middlebox compatibility mode
    
    This adds a new option %DISABLE_TLS13_COMPAT_MODE to disable TLS 1.3
    compatibility mode at run-time.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Mar 30 13:39:46 2021 +0200

    _gnutls_calloc: remove unused function
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Mar 29 14:09:51 2021 +0200

    keys-win: free certificate context in gnutls_system_key_iter_deinit
    
    Suggested by Bjørn Christensen in:
    https://gitlab.com/gnutls/gnutls/-/issues/1197
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Mar 29 11:06:37 2021 +0200

    build: avoid integer overflow in additions
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Feb 21 08:43:26 2021 +0100

    build: avoid potential integer overflow in array allocation
    
    This relies on _gnutls_reallocarray for all occasions of array
    allocations, so that they can benefit from the built-in overflow
    checks.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Mar 29 13:08:23 2021 +0200

    pkcs11x: find_ext_cb: fix error propagation
    
    Use explicit error value, as rv is not set in this code path.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Feb 21 08:42:23 2021 +0100

    mem: add _gnutls_reallocarray and _gnutls_reallocarray_fast
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Feb 21 08:34:13 2021 +0100

    bootstrap: pull in 'xalloc-oversized' module from Gnulib
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
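The overflow check that the three commits above (array allocations routed through _gnutls_reallocarray, the new _gnutls_reallocarray helpers, and the Gnulib xalloc-oversized module) rely on, as an added example that is not GnuTLS's or Gnulib's code: the naive `nmemb * size` beside a reallocarray-style wrapper that refuses a wrapping product. The names alloc_oversized, naive_array_bytes, safe_reallocarray and grow_and_check are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* The same test Gnulib's xalloc-oversized module performs: does the
 * product nmemb * size fail to fit in a size_t?  (Name is this example's.) */
int alloc_oversized(size_t nmemb, size_t size)
{
    return nmemb != 0 && size > SIZE_MAX / nmemb;
}

/* What an unchecked `nmemb * size` actually hands to malloc(): the product
 * silently wraps modulo SIZE_MAX + 1, so an attacker-influenced element
 * count can yield a tiny buffer that the later element writes overrun. */
size_t naive_array_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Hypothetical stand-in for a reallocarray-style helper: realloc() an
 * array of nmemb elements of `size` bytes each, failing with ENOMEM
 * instead of wrapping.  A zero-byte request is rounded up to one byte so
 * the result is never the implementation-defined realloc(ptr, 0). */
void *safe_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    size_t bytes;

    if (alloc_oversized(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    bytes = nmemb * size;
    return realloc(ptr, bytes ? bytes : 1);
}

/* Grow a uint32_t array from `from` to `to` elements through
 * safe_reallocarray(), verifying the old contents survived.  Returns 1 on
 * success, 0 if the growth was refused (overflow or out of memory). */
int grow_and_check(size_t from, size_t to)
{
    uint32_t *arr = safe_reallocarray(NULL, from, sizeof(*arr));
    uint32_t *bigger;
    size_t i;
    int ok = 1;

    if (arr == NULL)
        return 0;
    for (i = 0; i < from; i++)
        arr[i] = (uint32_t)i;
    bigger = safe_reallocarray(arr, to, sizeof(*arr));
    if (bigger == NULL) {
        free(arr);              /* on failure the old block is still valid */
        return 0;
    }
    for (i = 0; i < from && i < to; i++) {
        if (bigger[i] != (uint32_t)i)
            ok = 0;
    }
    free(bigger);
    return ok;
}
```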

Author: Andreas Metzler <ametzler@debian.org>
Date:   Sat Mar 20 13:52:25 2021 +0100

    build: doc: install missing image file gnutls-crypto-layers.png
    
    Signed-off-by: Andreas Metzler <ametzler@bebt.de>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Mar 15 11:03:44 2021 +0100

    examples: avoid memory leak in ex-verify
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Mar 15 11:03:22 2021 +0100

    examples: avoid memory leak in tlsproxy
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Mar 15 10:56:46 2021 +0100

    src: avoid file descriptor leak in socket_open2
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Mar 15 10:48:49 2021 +0100

    gnutls-cli-debug: avoid resource leak in saving DHE params
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Mar 15 10:47:50 2021 +0100

    srptool: avoid FILE pointer leak on error
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Mar 15 09:55:20 2021 +0100

    gnulib: update git submodule
    
    This brings in the fix for parse-datetime test failures on NetBSD:
    https://lists.gnu.org/archive/html/bug-gnulib/2021-03/msg00069.html
    https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=35f8ff2e1162bf3ee60d99b6812f2ae10f3f2898
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Mar 10 16:12:23 2021 +0100

    str: suppress -Wunused-function if AGGRESSIVE_REALLOC is defined
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Mar 10 16:11:29 2021 +0100

    _gnutls_buffer_resize: account for unused area if AGGRESSIVE_REALLOC
    
