Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Wed Mar 27 07:21:31 2019 +0100

    released 3.6.7
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Mon Mar 25 16:06:39 2019 +0100

    handshake: add missing initialization of local variable
    
    Resolves: #704
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Mon Mar 25 15:47:51 2019 +0100

    fuzz: added fuzzer for certificate verification
    
    This also adds a reproducer for CVE-2019-3829.
    
    Resolves: #694
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Tue Mar 26 16:11:42 2019 +0100

    bumped version
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date:   Tue Mar 26 11:05:06 2019 +0100

    fips140: Perform SHA-3 self tests
    
    It is required to perform the self tests to validate the SHA-3
    implementation.
    
    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sun Mar 24 08:37:05 2019 +0100

    tools: removed unused code
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Ke Zhao <kzhao@redhat.com>
Date:   Thu Mar 21 11:27:24 2019 -0400

    gnutls-cli: Fix output with option "--logfile"
    
    The X.509 connection would still print informational messages to
    stdout by default. Move that output to the logfile and add an x509
    functionality test to the test suite.
    
    Signed-off-by: Ke Zhao <kzhao@redhat.com>

Author: Alon Bar-Lev <alon.barlev@gmail.com>
Date:   Sat Mar 23 00:38:17 2019 +0200

    configure.ac: remove --with-guile-site-dir
    
    The hack of distcheck is not known and should not be the default as the
    GUILE_SITE_DIR macro is the default expected behavior.
    
    There is little value in specifying any other location of the site-dir as it
    is out of the guile configuration so best to remove.
    
    Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Wed Mar 20 11:40:15 2019 +0100

    _x509_en/decode_provable_seed: clarified purpose of functions [ci skip]
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Fri Mar 1 11:15:47 2019 +0100

    handshake: increase the default number of tickets we send to 2
    
    This makes it easier for clients which perform multiple connections
    to the server to use the tickets sent by a default server. That's
    because 2 tickets allow for 2 new connections (if one is using each
    ticket once as recommended), which in turn leads to 4 new and so on.
    
    Resolves: #596
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Feb 23 21:02:56 2019 +0100

    Improved estimation of wait in gnutls_session_get_data2
    
    Previously we would wait an arbitrary value of 50ms for the
    server to send session tickets. This change makes the client
    wait for the estimated single trip time + 60 ms for the server
    to calculate the session tickets. This improves the chance
    to obtain tickets from internet servers during the call of
    gnutls_session_get_data2().
    
    Resolves: #706
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Mar 16 19:59:07 2019 +0100

    doc update
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Ke Zhao <kzhao@redhat.com>
Date:   Wed Mar 6 13:23:24 2019 -0500

    gnutls-cli: Add option "--logfile" to redirect information message output
    
    First, add an option "--logfile" so the user can choose a specific file to
    store all the informational messages. In some cases, informational
    messages may cause unexpected results if the output is standard output.
    
    With this option, the user can redirect these messages to a specific
    file. This will be helpful in testing and tracking.
    
    Second, replace the printf() function with the log_msg() function.
    
    This log_msg() function is used when "--logfile" is enabled.
    
    Third, add a functionality test for the "--logfile" option.
    
    Add a test script to test if the "--logfile" option works as it should.
    
    Signed-off-by: Ke Zhao <kzhao@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Mar 15 17:00:17 2019 +0100

    Removed all FIXME comments in code [ci skip]
    
    We expand informational comments on limitations, but with removing
    FIXME (keyword didn't help fixing these), and remove completely unhelpful
    comments, obsolete ones, or comments about ideas.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Wed Mar 13 15:14:37 2019 +0100

    pkcs11: security officer login implies writable session
    
    According to the PKCS#11 v2.30, 6.7.1 there are no read-only Security Officer
    sessions.
    
    Resolves: #721
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Steve Lhomme <robux4@ycbcr.xyz>
Date:   Wed Mar 13 14:54:28 2019 +0000

    inet_ntop is available in Windows but not via arpa/inet.h
    
    It's found in ws2tcpip.h which is already included in gnutls_int.h
    
    arpa/inet.h doesn't exist on Windows, so add arpa_inet to the list of headers
    replaced by gnulib if not found.
    
    Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Thu Mar 7 10:16:46 2019 +0100

    Update the GNU Free Documentation License (FDL)
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Mon Feb 25 10:36:36 2019 +0100

    Fix URL of ABI compliance checker
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Mon Feb 25 10:32:24 2019 +0100

    Fix URLs of p11-kit
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Tue Feb 5 17:00:41 2019 +0100

    Use https:// in lib/, src/, and m4/
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Tue Feb 5 16:56:08 2019 +0100

    Use https:// for arbitrary files #1
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Tue Feb 5 16:44:37 2019 +0100

    Use https:// for www.iana.org
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Tue Feb 5 16:25:25 2019 +0100

    Use https:// for csrc.nist.gov
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Tue Feb 5 16:22:43 2019 +0100

    Use https:// for www.gnu.org and www.example.com
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Wed Mar 13 09:03:39 2019 +0100

    .gitlab-ci.yml: updated cache key name
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sun Mar 10 13:59:32 2019 +0100

    tests: verify that 'certtool -i --outder' does not output text
    
    A common regression in the past was certtool outputting text while
    writing raw DER data. Ensure that the certificate-info option does not
    regress.
    
    Resolves: #627
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Mar 9 21:50:46 2019 +0100

    SECURITY.md: updated to reflect the current practice [ci skip]
    
    This change updates the SECURITY guidelines to reflect the current
    practice (no special security releases), and thus refer directly
    to the upcoming or following release. Furthermore, it removes
    any mention of absolute time, as the release cadence is already
    fixed to bi-monthly.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Mar 9 21:14:39 2019 +0100

    doc: removed cyclo subdir
    
    This directory had a makefile which was intended to calculate the cyclomatic
    complexity, however that was not functional, and not related to gnutls'
    documentation.
    
    Resolves: #727
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Mar 8 20:17:49 2019 +0100

    NEWS: fix NEWS entries [ci skip]
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Mon Mar 4 17:17:47 2019 +0100

    tls13/certificate: utilize "certificate_required" alert
    
    This could make errors more distinguishable when the client sends no
    certificates or a bad certificate.
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Wed Feb 27 18:38:09 2019 +0100

    alert: recognize "certificate_required"
    
    This may be sent if the server received an empty Certificate message.
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date:   Fri Jan 18 13:17:46 2019 +0100

    .gitlab-ci.yml: Test FIPS HMAC self-test
    
    This enables the integrity self-tests in FIPS140 test build.
    
    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

Author: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date:   Fri Jan 11 11:23:21 2019 +0100

    fips140: Ignore newlines read at the end of HMAC file
    
    This makes the integrity check ignore newlines appended after the
    HMAC value.
    
    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

Author: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date:   Thu Jan 10 14:04:02 2019 +0100

    fips140: Fix the names of files used in integrity checks
    
    The names of the libraries haven't been updated when the soname versions
    were bumped.
    
    Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

Author: Bas van Schaik <gitlab.com@s.traiectum.net>
Date:   Thu Feb 28 22:15:26 2019 +0000

    Create .lgtm.yml for LGTM.com C/C++ analysis
    
    Signed-off-by: Bas van Schaik <gitlab.com@s.traiectum.net>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Mon Feb 25 14:41:24 2019 +0100

    .gitlab-ci.yml: added thread sanitizer run
    
    This checks for unsafe uses of variables in our included threaded
    tests.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Mon Feb 25 14:35:16 2019 +0100

    Protected _gnutls_epoch_get from _gnutls_epoch_gc on false start
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Mon Feb 25 15:11:19 2019 +0100

    gnutls_record_send2: try to ensure integrity of operations on false and early start
    
    This adds a double check in the sanity check of gnutls_record_send2()
    for the initial_negotiation_completed value, making sure that the
    check will be successful even in parallel operation of send/recv.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sun Feb 24 21:13:27 2019 +0100

    mini-dtls-pthread: renamed and fixed several shortcomings
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sun Feb 24 00:19:21 2019 +0100

    Make false start and early start multi-thread recv/send safe
    
    An application that is sending and receiving from different threads
    after handshake is complete cannot take advantage of false start because
    gnutls_record_send2() detects operations during the handshake process
    as invalid.
    
    Because in early start and false start the remaining handshake process needs
    only to receive data, and the sending side is already set-up, this error
    detection is bogus. With this patch we remove it.
    
    Resolves: #713
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Feb 23 18:57:09 2019 +0100

    doc: added more information on operation under multiple threads
    
    Relates: #713
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Fri Mar 1 20:13:38 2019 +0100

    Update ./bootstrap from latest gnulib
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Wed Feb 27 10:01:47 2019 +0100

    Clarifications on AEAD ciphers
    
    Relates: #716
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Wed Feb 27 09:29:04 2019 +0100

    Improve documentation for gnutls_cipher_get_iv_size
    
    This clarifies what is returned and what is to be expected on algorithms
    with variable IV sizes.
    
    Resolves: #717
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Tue Feb 26 15:42:01 2019 +0100

    pkcs11: clarify GNUTLS_PKCS11_TOKEN_MODNAME presence [ci skip]
    
    Resolves: #633
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Tue Feb 26 15:21:48 2019 +0100

    cppcheck: suppress warning on nettle code [ci skip]
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sat Feb 23 18:43:49 2019 +0100

    gnutls-cli: fix --benchmark-ciphers type overflow
    
    Signed-off-by: Andreas Metzler <ametzler@bebt.de>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Feb 23 21:19:06 2019 +0100

    _gnutls_recv_handshake: added explicit sanity checks
    
    Although this function acts on the message provided as expected and thus
    it should never call a message parsing function on unexpected
    messages, we make a more explicit sanity check. This unifies the
    sanity checks existing within the involved functions.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Tue Feb 12 15:20:23 2019 +0100

    gnutls_x509_crt_init: Fix dereference of NULL pointer
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Tue Feb 12 15:14:07 2019 +0100

    Remove redundant resets of variables after free()
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Tue Feb 12 15:09:11 2019 +0100

    Automatically NULLify after gnutls_free()
    
    This method prevents direct use-after-free and
    double-free issues.
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Tue Feb 19 13:56:35 2019 +0100

    tlsfuzzer: update to the latest upstream for downgrade protection tests
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Sat Feb 9 10:26:56 2019 +0100

    ext/supported_versions: regenerate server random
    
    This adds a call to _gnutls_gen_server_random() in handling the
    "supported_versions" extension, so that the TLS 1.3 downgrade sentinel
    is set only when the earlier versions are selected.
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>
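
The rule this commit enforces, as an added C example (not GnuTLS code; the function names are hypothetical): the sentinel bytes defined in RFC 8446 section 4.1.3 are written into the server random only once the negotiated version is final, and the client checks for them. The 32-byte random uses a constructed fill pattern in place of real randomness.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RANDOM_SIZE   32
#define SENTINEL_SIZE 8

/* Wire values of the protocol versions used below. */
enum { TLS1_1 = 0x0302, TLS1_2 = 0x0303, TLS1_3 = 0x0304 };

/* RFC 8446, section 4.1.3: "DOWNGRD" followed by 0x01 or 0x00. */
static const uint8_t SENTINEL_TLS12[SENTINEL_SIZE] =
    { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x01 };
static const uint8_t SENTINEL_TLS11[SENTINEL_SIZE] =
    { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x00 };

/* Server side (hypothetical helper): call only after version selection is
 * final, i.e. after "supported_versions" has been processed. Returns 0 if
 * the random was left alone, 1 or 2 for the sentinel that was written. */
int server_finalize_random(uint8_t srv_random[RANDOM_SIZE],
                           int server_max, int negotiated)
{
    uint8_t *tail = srv_random + RANDOM_SIZE - SENTINEL_SIZE;

    if (server_max >= TLS1_3 && negotiated == TLS1_2) {
        memcpy(tail, SENTINEL_TLS12, SENTINEL_SIZE);
        return 1;
    }
    if (server_max >= TLS1_2 && negotiated <= TLS1_1) {
        memcpy(tail, SENTINEL_TLS11, SENTINEL_SIZE);
        return 2;
    }
    return 0; /* no earlier version selected: keep all 32 bytes as generated */
}

/* Client side: returns 1 when the ServerHello random shows that the server
 * could have negotiated a newer version than the one on the wire. */
int client_detects_downgrade(const uint8_t srv_random[RANDOM_SIZE],
                             int client_max, int negotiated)
{
    const uint8_t *tail = srv_random + RANDOM_SIZE - SENTINEL_SIZE;
    int is12 = memcmp(tail, SENTINEL_TLS12, SENTINEL_SIZE) == 0;
    int is11 = memcmp(tail, SENTINEL_TLS11, SENTINEL_SIZE) == 0;

    if (client_max >= TLS1_3 && negotiated <= TLS1_2)
        return is12 || is11;
    if (client_max == TLS1_2 && negotiated <= TLS1_1)
        return is11;
    return 0;
}

/* Constructed stand-in for the 32 random bytes, so runs are repeatable. */
static void fill_constructed(uint8_t srv_random[RANDOM_SIZE])
{
    for (int i = 0; i < RANDOM_SIZE; i++)
        srv_random[i] = (uint8_t)(0xA0 + i);
}

/* Which sentinel (0 = none) a server with this maximum writes. */
int sentinel_for(int server_max, int negotiated)
{
    uint8_t r[RANDOM_SIZE];
    fill_constructed(r);
    return server_finalize_random(r, server_max, negotiated);
}

/* One handshake: the server finalizes its random, the client inspects it. */
int scenario(int server_max, int client_max, int negotiated)
{
    uint8_t r[RANDOM_SIZE];
    fill_constructed(r);
    server_finalize_random(r, server_max, negotiated);
    return client_detects_downgrade(r, client_max, negotiated);
}

int main(void)
{
    printf("1.3 server, 1.3 client, 1.3 on the wire: %d\n",
           scenario(TLS1_3, TLS1_3, TLS1_3));
    printf("1.3 server, 1.3 client, 1.2 on the wire: %d\n",
           scenario(TLS1_3, TLS1_3, TLS1_2));
    printf("1.2 server, 1.3 client, 1.2 on the wire: %d\n",
           scenario(TLS1_2, TLS1_3, TLS1_2));
    printf("1.3 server, 1.2 client, 1.1 on the wire: %d\n",
           scenario(TLS1_3, TLS1_2, TLS1_1));
    return 0;
}
```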

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Tue Feb 5 11:01:20 2019 +0100

    Update ax_code_coverage.m4 to latest release of autoconf-archive
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
Date:   Thu Feb 21 14:49:36 2019 +0100

    lib: x509: Minor directory browsing simplification
    
    Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>

Author: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
Date:   Mon Feb 18 14:41:56 2019 +0100

    Revert "Revert "verify-high2: Fix cert dir iteration on Win32""
    
    This reverts commit 681330882da19099eea360fab141cab937c45677.
    
    Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
    
    This revert also contains the fix to the original commit (invalid
    utf8->utf16 conversion) and a minor simplification of the _treaddir loop.

Author: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
Date:   Mon Feb 18 17:12:54 2019 +0100

    iconv: Allow _gnutls_utf8_to_ucs2 to output little endian
    
    Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>

Author: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
Date:   Mon Feb 18 09:37:04 2019 +0100

    lib: Provide _Thread_local on MSVC
    
    Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Mon Feb 18 21:38:38 2019 +0100

    Add test for starttls XMPP
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Wed Feb 6 11:30:06 2019 +0100

    gnutls-cli: Fix --starttls-proto=xmpp
    
    Fixes two issues with gnutls-cli --starttls-proto=xmpp:
    1. Print 'Timeout' on timeout instead of random errno message
    2. Do not wait for linefeed when using XMPP (XML)
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Mon Feb 18 15:38:56 2019 +0100

    check_if_signed: Get source branch if not set
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: R. Andrew Bailey <bailey@akamai.com>
Date:   Thu Feb 14 09:38:33 2019 -0500

    tests: wrap ADD_SYSCALL for getrandom in test for SYS_getrandom
    
    Signed-off-by: R. Andrew Bailey <bailey@akamai.com>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Fri Feb 8 14:46:33 2019 +0100

    gnutls_record_set_max_size: make it work on server side
    
    The record_size_limit extension can also be specified by the server to
    indicate the maximum plaintext.  Also add test cases for asymmetric
    settings between server and client.
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Thu Jan 31 13:39:35 2019 +0100

    tlsfuzzer: update to the latest upstream for record_size_limit test
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Fri Feb 8 13:22:13 2019 +0100

    ext/record_size_limit: account for content type octet in TLS 1.3
    
    In TLS 1.3, the protocol maximum of plaintext size is 2^14+1, while
    it is 2^14 in TLS 1.2.  To accommodate that, this introduces the
    following invariant:
    - when the maximum is set by the user with
      gnutls_record_set_max_size(), store it as is.  The value range is
      [511, 16834].
    - when the maximum is negotiated through record_size_limit extension,
      it can be [512, 16385].  In TLS 1.3, subtract by 1 to fit in [511,
      16384].
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Thu Jan 31 16:56:55 2019 +0100

    decrypt_packet_tls13: add check for max plaintext size
    
    There is a check in _gnutls_recv_in_buffers already, but for TLS 1.3 we
    need to take account of the padding.
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Fri Jan 25 17:00:44 2019 +0100

    record: reject too large plaintext after decryption
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Wed Jan 30 16:45:08 2019 +0100

    constate: reset max_record_recv_size upon renegotiation
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Wed Jan 30 10:21:07 2019 +0100

    session_pack: reset max_record_recv_size when packing
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Thu Jan 17 11:53:35 2019 +0100

    ext/record_size_limit: don't confuse with negotiated/user-supplied maximum
    
    As documented in gnutls_int.h, max_record_send_size is for tracking
    the user-supplied maximum, while max_record_recv_size for the
    protocol negotiated maximum.
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Sun Jan 20 09:18:21 2019 +0100

    ext/max_record: server shouldn't send it with record_size_limit
    
    Otherwise, the connection will be disconnected by the client, as
    suggested in RFC: A client MUST treat receipt of both
    "max_fragment_length" and "record_size_limit" as a fatal error, and it
    SHOULD generate an "illegal_parameter" alert.
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Thu Feb 7 16:28:52 2019 +0100

    _gnutls_hello_ext_is_present: don't ignore max_fragment_length
    
    The extension is assigned the internal ID 0.
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <dueno@redhat.com>
Date:   Fri Jan 25 17:04:40 2019 +0100

    .dir-locals.el: disable indent-tabs-mode in js-mode
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Thu Feb 14 13:01:34 2019 +0100

    bootstrap.conf: do not override GNULIB_SRCDIR
    
    This was not set in all of our CI platforms, and was causing
    issues in MacOSX.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Mon Feb 11 09:18:46 2019 +0100

    x509: corrected issue in the algorithm parameters comparison
    
    Each certificate has two fields to set the signature algorithm
    and parameters used for the digital signature. One of the fields is
    authenticated and the other is not. It is required by RFC5280 to
    enforce the equality of these fields, but currently due to an issue
    we wouldn't enforce the equality of the parameters fields. This
    fix corrects the issue.
    
    We also move an RSA-PSS certificate in chainverify that was relying
    on invalid parameters, to this set of invalid certificates.
    
    Resolves: #698
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Wed Feb 13 07:54:59 2019 +0000

    tests: added further checks for gnutls_pkcs11_token_get_info
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Tue Jan 29 16:10:59 2019 +0100

    Fix uninitialized warning in pkcs11.c
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Wed Feb 13 17:22:21 2019 +0100

    Cleanup lib/auth/cert.c as suggested by cppcheck
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Mon Feb 11 10:41:47 2019 +0100

    Fix 32bit overflow issue in src/serv-args.def
    
    Fixing this warning seen on 32bit architectures:
    
    serv-args.c: In function 'doOptMaxearlydata':
    serv-args.c:1431:14: warning: overflow in conversion from 'long long int' to 'long int' changes value from '4294967296' to '0' [-Woverflow]
             { 1, 4294967296 } };
                  ^~~~~~~~~~
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Fri Feb 8 13:03:30 2019 +0100

    Remove typedef'ing ssize_t in gnutls.h
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Wed Feb 6 20:54:45 2019 +0100

    Use inet_pton() from gnulib
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Sat Feb 9 10:52:29 2019 +0100

    bootstrap: refuse to bootstrap if any dependencies bring gnulib's network stack
    
    If gnulib's network stack is brought (due to a dependency) in the library
    it will make the library unusable to non-gnulib using applications. This
    prevents Windows applications, for example, from using gnutls, and so on.
    Even more, it is quite hard to catch that issue because our testsuite uses
    gnulib as well. Instead we try to catch these modules at import time.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Wed Feb 6 20:35:11 2019 +0100

    Use inet_ntop() from gnulib
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Sun Feb 3 12:18:30 2019 +0100

    _gnutls_gen_rawpk_crt: corrected the use of assert
    
    The API could return 0 or 1 matching certificates. The case of zero
    can only happen in client side.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Sun Feb 3 08:47:50 2019 +0100

    raw public keys: apply the key usage bits the same way as X.509
    
    That is, we require a signing certificate when negotiating
    TLS1.3, or when sending a client certificate (on all cases).
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Sat Feb 2 09:13:40 2019 +0100

    Fallback to TLS 1.2 when incompatible with signature certs are provided
    
    This only takes into account certificates in the credentials structure.
    If certificates are provided in a callback, these must be checked by
    the provider. For that we assume that the credentials structure is
    filled when associated with a session; if not then the fallback mechanism
    will not work and the handshake will fail.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Sat Feb 2 07:10:10 2019 +0100

    Enforce the certificate key usage restrictions on all cases
    
    That is, we require a signing certificate when negotiating
    TLS1.3, or when sending a client certificate (on all cases).
    
    Before we would not perform any checks under TLS1.3 or when client
    certificates are sent, assuming that the certificates used will always
    be signing ones. However if the user sets up incorrectly a decryption
    certificate we would use it for signing. This fix makes sure that an
    error is returned early when these scenarios are detected.
    
    Resolves: #690
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Mon Jan 21 12:54:58 2019 +0100

    Fetch OSS-Fuzz corpora much faster [skip ci]
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Mon Feb 4 15:10:19 2019 +0100

    .triage-policies.yml: added [ci skip]
    
    This adds a set of policies regarding issues and merge requests
    to be enforced by the gitlab-triage bot. That is:
     - Issues without any label for more than a month are marked
       with needs attention label
     - Issues with needinfo label are closed if they are not updated
       within a month
     - Merge requests marked as WIP with no update within 5 months
       are closed.
    
    These rules are not enforced automatically; we have to schedule
    a run of the gitlab-triage bot.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Sat Feb 2 17:47:48 2019 +0300

    build: do not generate mech-list.h if p11-kit is not available
    
    Compiling GnuTLS with no p11-kit installed will result in a series of
    warnings during build time because mech-list.h will be generated even if
    pkcs11 tool compilation is disabled. Move mech-list.h generation to
    happen only if pkcs11 is enabled, thus removing these warnings.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Sat Feb 2 17:32:01 2019 +0300

    build: pass NETTLE_LIBS together with HOGWEED_LIBS
    
    libhogweed might depend on exact non-system-wide nettle, so let's pass
    NETTLE_LIBS flags together when using HOGWEED_LIBS.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Sat Jan 26 21:44:28 2019 +0100

    Add GNUTLS_E_RECEIVED_DISALLOWED_NAME for illegal SNI names
    
    An illegal/disallowed SNI server name previously generated
    the misleading message "An illegal parameter has been received.".
    
    This commit changes it to
      "A disallowed SNI server name has been received.".
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Date:   Wed Jan 30 21:58:34 2019 +0300

    lib/nettle: replace nettle-stdint.h with just stdint.h
    
    Nettle library is going to drop nettle-stdint.h. Replace this include
    with just <stdint.h>.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Mon Jan 28 15:25:30 2019 +0100

    Fix 'make glimport' and update CONTRIBUTING.md
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Alon Bar-Lev <alon.barlev@gmail.com>
Date:   Sun Jan 27 13:59:56 2019 +0200

    .gitignore: add test files
    
    Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

Author: Alon Bar-Lev <alon.barlev@gmail.com>
Date:   Sun Jan 27 13:17:35 2019 +0200

    build: detect previous supported guile
    
    A recent change in the m4 macro of guile enforces latest guile:
    ---
    AC_DEFUN([GUILE_PROGS],
     [_guile_required_version="m4_default([$1], [$GUILE_EFFECTIVE_VERSION])"
      if test -z "$_guile_required_version"; then
        _guile_required_version=2.2
      fi
    ---
    
    The result:
    ---
    checking for guile-snarf... /usr/bin/guile-snarf
    checking for guild... /usr/bin/guild
    checking for guile-2.2... no
    checking for guile2.2... no
    checking for guile-2... no
    checking for guile2... no
    checking for guile... /usr/bin/guile
    checking for Guile version >= 2.2... configure: error: Guile 2.2 required, but 2.0.14 found
    ---
    
    Probably best to specify the supported version explicitly when calling
    GUILE_PROGS, to keep existing behavior calling the GUILE_PKG detects the
    existing packages.
    
    Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Fri Jan 25 11:51:56 2019 +0100

    Fix unused var warning in guile/src/core.c
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Fri Jan 25 12:26:46 2019 +0100

    Fix abi-check failure
    
    Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 25 08:32:17 2019 +0100

    NEWS: updated
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 25 08:24:21 2019 +0100

    src/Makefile.am: remove .bak files before autogenerating
    
    This avoids errors due to files pre-existing but not being
    writable.
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 25 08:18:01 2019 +0100

    bumped versions
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Fri Jan 25 08:13:26 2019 +0100

    Makefile.am: require guile-2.2 for release
    
    That's because guile.m4 from previous releases has issues
    with the latest version.
    
    Resolves: #631
    
    Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
