Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Feb 1 23:02:55 2020 +0100

    NEWS: fixed issue number for 448
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Feb 1 22:54:13 2020 +0100

    NEWS: refactored for release
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Feb 1 22:44:41 2020 +0100

    hooks.m4: bumped so-version
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Wed Jan 29 20:00:53 2020 +0300

    nettle/gost: support use GOST DSA support from master branch
    
    Use GOST DSA and GOST curves provided by Nettle's master branch.
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Tue Jan 28 13:05:14 2020 +0300

    pkcs12: do not go try calculating pbkdf2 with 0 iterations
    
    Nettle will abort on a call to pbkdf2 if iterations is 0. Add check to
    GnuTLS PKCS12 GOST code to check that iter is not 0.
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: Bjoern Jacke <bjacke@samba.org>
Date:   Mon Jan 27 19:40:53 2020 +0100

    add support for local threads with studio and ibm compilers
    
    Signed-off-by: Bjoern Jacke <bjacke@samba.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sun Jan 26 21:45:29 2020 +0100

    tlsfuzzer: optimized tests for CI and enabled x448
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sun Jan 26 21:32:18 2020 +0100

    tlsfuzzer: fix test-tls13-large-number-of-extensions.py
    
    This test requires a TLS-1.3-only server as its tests clash with
    extensions supported by a TLS-1.2 server. Ensure that the extensions
    that overlap with TLS-1.2 are not manipulated as we don't have
    a pure TLS-1.3-only implementation.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Andreas Metzler <ametzler@debian.org>
Date:   Sun Jan 26 18:39:18 2020 +0100

    Avoid pushd/popd bashism in testsuite
    
    Signed-off-by: Andreas Metzler <ametzler@bebt.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Mon Jan 20 11:48:50 2020 +0100

    tests/key-material-dtls.c: Try again on GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED
    
    This fixes issues on the CI cross-runners with 'make -jN', N > 1.
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Sat Jan 4 14:37:46 2020 +0100

    Use make with crafted -j for CI builds and tests
    
    This speeds up the Gitlab CI runners. E.g. measured timings of the
    Debian.x86_64 runner show ~40% speedup (down from 38 to 23 minutes).
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Jan 25 22:28:32 2020 +0100

    tests: updated tlsfuzzer tests to latest version
    
    This adds new tests, reduces running time, and removes test-tls13-obsolete-curves.py.
    The latter introduced too pendantic tests on curves we don't implement,
    and requires significant changes to passing with limited benefit. For example
    it requires the server to error on mismatching entries (and we simply ignore
    them). As its value is low (we do not target to be a reference implementation
    for testing broken clients), it was removed.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Jan 25 22:02:48 2020 +0100

    key shares: avoid using internal errors
    
    On unknown curves or illegal parameters, make sure we return the
    right error code which will translate to the appropriate alert.
    
    Resolves: #907
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 24 23:12:07 2020 +0100

    fuzz: fixed Ed448 fuzzer traces
    
    The fuzzer files for ed448 were the reverse for client and server.
    Enhanced the fuzzer tools to run a single fuzzer, and added more
    clear documentation on how to generate and manually test the fuzzer
    outputs.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 24 23:11:34 2020 +0100

    README-adding-traces.md: updated with more precise information
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 24 22:57:49 2020 +0100

    fuzzers: added ed448 keys
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Sat Jan 25 11:18:09 2020 +0100

    Create files in gl/ licenced lgpl2+ instead of lgpl3+
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 24 22:53:50 2020 +0100

    fuzzers: when provided with a parameter they will run on a single file
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Fri Jan 24 22:04:41 2020 +0300

    .gitlab-ci.yml: remove --disable-gost from nettle-master test
    
    Remove --disable-gost switch from the test using Nettle's master branch
    as GnuTLS is now compatible again with nettle/master.
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Thu Jan 23 13:07:23 2020 +0300

    lib/nettle/gost: restore compatibility with nettle master
    
    Use newer format of ecc curve data if curve448 support is detected.
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 24 16:38:15 2020 +0100

    .gitlab-ci.yml: force running jobs on linux runners
    
    There are shared windows runners in gitlab, that will fail
    running our jobs.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Jan 23 16:25:43 2020 +0100

    fuzz: import key, certificate, and traces using Ed448
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jan 22 05:25:19 2020 +0100

    tlsfuzzer: enable tests for X448
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 20 11:17:51 2020 +0100

    .gitlab-ci.yml: set WINEPATH to allow eccdata run under Wine
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Jan 19 12:13:48 2020 +0100

    .gitlab-ci.yml: export LDFLAGS throughout the FreeBSD build
    
    Otherwise the build process wouldn't be able to find -lgmp.
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 13 11:35:15 2020 +0100

    .gitlab-ci.yml: add target to build against nettle master
    
    This is similar to the build/gnutls target in nettle's own gitlab CI.
    The only difference is that this will build/test all branches of
    GnuTLS against the master branch of nettle.
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Apr 22 08:27:43 2019 +0200

    algorithms: implement X448 key exchange and Ed448 signature scheme
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Apr 21 21:13:30 2019 +0200

    nettle: vendor in Curve448 and Ed448 implementation
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Wed Jan 15 11:05:31 2020 +0100

    tls13: request OCSP responses as a server
    
    The TLS1.3 protocol requires the server to advertise an empty
    OCSP status request extension on its certificate verify message
    for an OCSP response to be sent by the client. We now always
    send this extension to allow clients attaching those responses.
    
    Resolves: #876
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Mon Jan 20 15:08:04 2020 +0300

    x509: add OGRNIP DN entry definition used by qualified GOST certificates
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Wed Nov 6 15:14:48 2019 +0300

    x509: include digestParamSet into GOST 512-bit curves A and B params
    
    Old implementations do not understand PublicKeyParams with omitted
    digestParamSet. So include the field for old 512-bit curves to improve
    compatibility with old implementations.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Mon Jan 20 03:16:56 2020 +0300

    fuzz in gost pkcs7/8/12 files
    
    Add several examples of PKCS#7/#8/#12 files using GOST keys, ciphers and
    digest functions.
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Mon Jan 20 03:11:08 2020 +0300

    pkcs12: use correct key length when using STREEBOG-512
    
    PKCS#12 files using GOST HMAC (GOST R 34.11-94 and Streebog) use special
    function to generate MAC key. Pass correct key length (fixed to be 32)
    when generating PKCS#12 files protected with Streebog (currently it
    incorrectly uses 64 there).
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 17 21:34:45 2020 +0100

    gnutls-cli-debug: ignore tests when algorithms are unavailable
    
    When gnutls-cli-debug is run on systems where a particular algorithm
    is disabled, ensure that we don't stop the testing; in that case
    we ignore the test.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Wed Jan 15 14:44:22 2020 +0100

    doc update [ci skip]
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Wed Jan 15 09:46:38 2020 +0100

    tls13: do not send OCSP responses as client without server requesting
    
    In client side ensure we see a request for OCSP from servers before
    sending one.
    
    Relates: #876
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Dimitri John Ledkov <xnox@ubuntu.com>
Date:   Tue Jan 7 11:32:37 2020 +0000

    libgnutls: Add system-wide default-priority-string override.
    
    Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Mon Jan 13 01:20:28 2020 +0300

    lib: fix _kx_priority_gost termination item
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Sun Jan 12 19:24:51 2020 +0300

    tests/priorities: add tests for GOST ciphersuites enablement
    
    Add test counting GOST ciphersuites and ciphers available.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Fiona Klute <fiona.klute@gmx.de>
Date:   Sat Jan 11 21:16:50 2020 +0100

    gnutls-cli: Log all stapled OCSP responses when running with --verbose
    
    Signed-off-by: Fiona Klute <fiona.klute@gmx.de>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Fri Jan 10 14:17:44 2020 +0300

    pk: set generated key algo before calling pct_test
    
    In wrap_nettle_pk_generate_keys() set params->algo before calling
    pct_test() as GOST sign/verify use that field.
    
    Reported-by: Daiki Ueno
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Fri Jan 10 14:16:56 2020 +0300

    CI: FIPS140-2 run make check without enforcing FIPS mode
    
    Some distributions might enable --enable-fips140-mode, without actually
    enabling/enforcing FIPS at runtime. Catch issues in such configurations
    (reported by Daiki Ueno).
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jan 7 11:24:01 2020 +0100

    tests: add test for revoked OCSP response
    
    This adds a test that exercises a failed handshake upon receipt of an
    OCSP response with the "revoked" status.
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jan 8 16:01:38 2020 +0100

    ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation
    
    This makes the OCSP based certificate verification adhere to the
    convention used throughout the library: "The 'GNUTLS_CERT_INVALID'
    flag is always set on a verification error and more detailed flags
    will also be set when appropriate."
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Wed Jan 8 22:17:55 2020 +0300

    NEWS: expand documentation for GOST priority strings
    
    Use +GOST-ALL shortcut to enable GOST ciphersuites. Also document newly
    added GOST shortcuts.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Wed Jan 8 22:11:51 2020 +0300

    priority: make priority matching less error-prone
    
    To remove possibility of using wrong length or using strncasecmp()
    instead of c_strncasecmp() define PRIO_MATCH(name) macro taking care
    about all details.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Wed Jan 8 22:07:19 2020 +0300

    priority: add new GOST-ALL shortcut
    
    Add GOST-ALL as an alias for CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL,
    SIGN-GOST-ALL and GROUP-GOST-ALL.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Wed Jan 8 22:03:44 2020 +0300

    priority: add more GOST shortcuts
    
    Add shortcuts for GOST ciphers, MACs and KXes. For now they contain only
    one item, but this list will be expanded as support for GOST-CTR-ACPKM
    ciphersuites will be added.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Wed Jan 8 21:10:55 2020 +0300

    lib/priority: add SIGN-GOST-ALL keyword
    
    Add SIGN-GOST-ALL keyword containing all defined GOST signature
    algorithms.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Thu Jan 9 13:03:10 2020 +0100

    doc: clarify thread safeness in gnutls_global_init()
    
    This documents and clarifies the thread safeness of gnutls_global_init()
    and its constraints.
    
    Resolves: #900
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Wed Jan 8 20:22:11 2020 +0300

    lib/priority: use c_strncasecmp() for string comparison
    
    Use c_strncasecmp() instead of just strncasecmp() which can be affected
    by locale.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Wed Jan 8 21:31:32 2020 +0300

    doc: document GOST priority options
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Wed Jan 8 21:37:28 2020 +0300

    doc: document GOST cipher and MAC algorithms
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Wed Jan 8 22:08:14 2020 +0300

    priority: fix GROUP-GOST-ALL comparison length
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Jan 4 13:38:01 2020 +0100

    tests: replace invalid extension OIDs with valid ones
    
    libtasn1 4.15.0 or earlier allow encoding and decoding
    of invalid OIDs, but more recent versions may stop
    accepting them. Ensure that our test suite includes
    OIDs which can be decoded by all versions of libtasn1.
    
    Relates:
    https://gitlab.com/gnutls/libtasn1/issues/25
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Dimitri John Ledkov <xnox@ubuntu.com>
Date:   Mon Jan 6 09:41:27 2020 +0000

    tests/Makefile.am: use absolute top_srcdir for GNUTLS_PRIORITY_FILE
    
    Some tests, e.g. in suite/tls-fuzzer execute scripts from
    sub-directories, making the relative path to system.prio in the
    environment pointing to a non-existent file. Export system.prio
    testsuite file as an absolute path to avoid this issue.
    
    Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 3 20:21:07 2020 +0100

    doc: updated epub.texi from gnutls.texi
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 3 16:58:04 2020 +0100

    .gitlab-ci.yml: identify on runtime to db2epub directory
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Fri Jan 3 13:17:28 2020 +0100

    Remove && command concatenation in .gitlab-ci.yml
    
    As it turns out, `set -e` doesn't work if one of the commands fail,
    maybe except the last command.
    Seen, tested and reproduced on Fedora28 image.
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 3 13:55:09 2020 +0100

    .gitlab-ci.yml: merged ASAN and UBSAN runs
    
    This in addition to merging the two CI runs, it also attempts
    to run the fuzz code under SHANI for CI.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Edward Stangler <estangler@bradmark.com>
Date:   Fri Jan 3 10:36:21 2020 +0000

    Fixes dummy getrandom() when errno = EAGAIN.
    
    Fixes #892.
    
    Signed-off-by: Edward Stangler <estangler@bradmark.com>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Thu Jan 2 16:15:15 2020 +0100

    Fix '-Werror=unused-const-variable=' in fuzz/
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Sun Dec 22 13:20:03 2019 +0100

    Fix NULL ptr access in _gnutls_iov_iter_next()
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Sat Dec 21 19:21:55 2019 +0100

    Use check_for_datefudge in tests
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Fri Dec 20 11:00:53 2019 +0100

    Fix "left shift cannot be represented in type 'int'" in hello_ext.[ch]
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Thu Dec 19 12:33:34 2019 +0100

    Fix 2x -Wunused-function in tests/
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Thu Dec 19 12:23:34 2019 +0100

    certtool-cfg.c: Silence -Wunused-variable if HAVE_IPV6 not set
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Thu Dec 19 11:48:47 2019 +0100

    status_request.c: Silence -Wsign-compare
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Thu Dec 19 11:46:23 2019 +0100

    rnd-fuzzer.c: Suppress shift sanitization check
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Thu Dec 19 11:17:43 2019 +0100

    handshake.c: Suppress warning in fuzzing build
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Wed Dec 18 19:44:10 2019 +0100

    Fix implicit value change in verify-high.c
    
    verify-high.c:284:7: runtime error: implicit conversion from type 'size_t'
    (aka 'unsigned long') of value 15421545260338 418178 (64-bit, unsigned) to
    type 'uint32_t' (aka 'unsigned int') changed the value to 437555714 (32-bit,
    unsigned)
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Wed Dec 18 16:39:38 2019 +0100

    UBSAN: Fail tests if UB detected
    
    Suppressions are in devel/ubsan.supp.
    Suppressions only work on recoverable checks.
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sun Dec 29 21:53:32 2019 +0100

    gnutls_x509_crt_get_extension_info: optimize when critical equals NULL
    
    That is, do not perform the look ups necessary to calculate the value
    when it will not be used.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Mon Dec 30 05:35:45 2019 +0100

    fuzz: import certificate with and without sanity checks
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sun Dec 29 22:33:07 2019 +0100

    x509: reject certificates having duplicate extensions
    
    According to RFC5280 a certificate must not include more than
    one instance of a particular extension. We were previously printing
    warnings when such extensions were found, but that is insufficient
    to flag such certificates. Instead, refuse to import them.
    
    Resolves: #887
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 3 08:53:55 2020 +0100

    tests/suite: do not include scripts into dist
    
    This part of the test suite is only run on CI.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Thu Jan 2 14:09:50 2020 +0100

    ecore cli: updated and rewritten to use libev
    
    That removes a lot of code that was not necessary in the gnutls test
    suite.
    
    Resolves: #884
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Thu Jan 2 22:32:43 2020 +0100

    .gitlab-ci.yml: use separate images for mingw and fedora builds
    
    This should result to faster image loading for CI builds.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Thu Jan 2 14:55:11 2020 +0100

    tests: use newer nettle APIs in cipher-override.c
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Wed Jan 1 21:37:01 2020 +0100

    doc: updated copyrights for 2020
    
    This updates the copyright year for documentation
    and excludes gnulib files from the copyright check.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Sun Dec 29 12:52:21 2019 +0300

    cli: fix building with GOST disabled
    
    Fix building gnutls-cli (benchmark part) with GOST keys support being
    disabled.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Sun Dec 29 12:49:16 2019 +0300

    cli: support building with OCSP and ANON disabled
    
    Support gnutls-cli when building GnuTLS with OCSP and ANON
    authentication API disabled.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Sun Dec 29 12:49:16 2019 +0300

    serv: support building with OCSP disabled
    
    Support gnutls-serv when building GnuTLS with OCSP API disabled.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Sat Nov 9 02:29:19 2019 +0300

    tls12-server-kx-neg: add tests without GOST signature algorithms
    
    Add tests mimicking SChannel clients which are unable to send proper
    SignatureAlgorithms extension.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Sat Nov 9 02:01:22 2019 +0300

    SignatureAlgorithms: force-enable GOST signatures for GOST KX
    
    SChannel-based clients can not send GOST identifiers as a part of
    SignatureAlgorithms extension. To mitigate this forcefully enable GOST
    signature algorithms if client sends GOST ciphersuite.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Tue Dec 24 16:26:27 2019 +0300

    benchmark: enable benchmarking of GOST CNT ciphersuite/KX
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Tue Dec 24 02:33:26 2019 +0300

    benchmark: support benchmarking GOST ciphers/MACs
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Tue Dec 24 02:32:17 2019 +0300

    benchmark: use mac key size instead of block size
    
    Use newly added gnutls_hmac_get_key_size() to get key size instead of
    assuming that key size = block size (incorrect for GOST 28147 IMIT).
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Tue Dec 24 02:31:30 2019 +0300

    crypto-api: add gnutls_hmac_get_key_size() function
    
    Add gnutls_hmac_get_key_size() to retrieve MAC key size.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Tue Dec 24 01:20:24 2019 +0300

    nettle/gost: remove gost28147_imit_init
    
    Rewrite gost28147 imit code to clean up state and index on key setup to
    be sure that imit context is properly cleaned.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Ludovic Courtès <ludo@gnu.org>
Date:   Wed Nov 20 16:10:11 2019 +0100

    guile: Arrange to make 'gnutls.scm' architecture-independent.
    
    Fixes #838.
    Reported by Andreas Metzler.
    
    * configure.ac: Define and substitute 'maybe_guileextensiondir'.
    * guile/Makefile.am (.in.scm): Substitute 'maybe_guileextensiondir'.
    * guile/modules/gnutls.in <top level>: Use @maybe_guileextensiondir@.
    Check if %LIBDIR is true.
    
    Signed-off-by: Ludovic Courtès <ludo@gnu.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Mon Dec 23 20:20:58 2019 +0100

    x509: do not tolerate invalid DER time
    
    This effectively reverts !400 and ensures that we no longer tolerate
    invalid DER time. This complements the previous commit by Lili Quan
    and ensures we provide the --disable-strict-der-time backwards compatibility
    option.
    
    Resolves: #207
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Dec 14 10:51:48 2019 +0100

    certtool: always set extensions from template
    
    Previously we would only set these extensions specific with add_extension
    when generating using --generate-certificate. The change makes sure these
    options are considered even when generating an extension from a certificate
    request. Issue reported on the mailing list.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Dec 14 10:44:16 2019 +0100

    tests: check certificate generation from certificate request
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Dec 20 20:37:32 2019 +0100

    tests: ensure test suite does not apply global config
    
    When running the test suite we do not apply the global
    gnutls configration as it may change options that are
    tested.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Thu Dec 5 11:40:31 2019 +0100

    gnutls-cli: improved output of --benchmark-tls-kx
    
    It is now printed in a way that separates the tests. Example:
    ```
    (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
     - 179.19 transactions/sec
     - avg. handshake time: 5.57 ms
     - standard deviation: 0.57
    
    (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
     - 182.24 transactions/sec
     - avg. handshake time: 5.48 ms
     - standard deviation: 0.64
    ```
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Wed Dec 4 13:58:21 2019 +0100

    gnutls-cli: benchmark-tls-kx can work with sub-ms accuracy
    
    This allows micro and nanoseconds to be reported if necessary,
    and it changes reporting of sample variance to standard deviation
    giving a possibly better overview as it is in the same units as
    the average.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Thu Jul 19 15:40:46 2018 +0300

    gnutls-cli-debug: add GOST_CNT-related KX/cipher/MAC tests
    
    Add test for VKO-GOST-12, GOST28147-TC26Z-CNT and GOST28147-TC26Z-IMIT
    support by the server.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Thu Dec 19 21:13:15 2019 +0100

    README.md: updated to list fuzz coverage results [ci skip]
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Dimitri John Ledkov <xnox@ubuntu.com>
Date:   Sun Dec 15 20:32:02 2019 +0000

    doc: update reference to the default configuration file
    
    Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Thu Dec 19 20:28:50 2019 +0100

    updated auto-generated files
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Thu Dec 19 09:37:34 2019 +0100

    _gnutls_verify_crt_status: apply algorithm checks to trusted CAs
    
    If a CA is found in the trusted list, check in addition to
    time validity, whether the algorithms comply to the expected
    level. This addresses the problem of accepting CAs which would
    have been marked as insecure otherwise.
    
    Resolves: #877
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Wed Dec 18 14:38:32 2019 +0100

    certtool: added option to apply a certificate verification profile
    
    This applies to the --verify and --verify-chain commands.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Wed Dec 18 14:29:21 2019 +0100

    Export profile ID/name handling functions
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Wed Dec 18 14:04:35 2019 +0100

    is_level_acceptable: apply the system-wide profile in all verifications
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Lili Quan <13132239506@163.com>
Date:   Thu Dec 19 17:14:20 2019 +0100

    Introduced check to reject certificates with non-digits in time field
    
    According to RFC5280 we should reject such certificates.
    
    Resolves: #870
    
    Signed-off-by: Lili Quan <13132239506@163.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Wed Nov 13 23:47:16 2019 +0300

    abi-check: fix include paths
    
    If GnuTLS is built outside of source tree, abicheck will miss gnutls.h
    header which is generated in the build tree. Expand arguments to include
    it.
