Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Mon Mar 18 12:48:32 2024 +0100

    Release 3.8.4
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jan 12 17:56:58 2024 +0900

    nettle: avoid normalization of mpz_t in deterministic ECDSA
    
    This removes function calls that potentially leak the bit length of the
    private key used to calculate a nonce in deterministic ECDSA.  Namely:
    
    - _gnutls_dsa_compute_k has been rewritten to work on always
      zero-padded mp_limb_t arrays instead of mpz_t
    - rnd_mpz_func has been replaced with rnd_datum_func, which is backed
      by a byte array instead of an mpz_t value
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 29 13:52:46 2024 +0900

    gnutls_x509_trust_list_verify_crt2: remove length limit of input
    
    Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
    chain verification logic crashed with assertion failure.  This patch
    removes the restriction while keeping the maximum number of
    retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
Date:   Sat Mar 16 13:48:01 2024 +0100

    Fix a few typos found by codespell
    
    Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>

Author: Stanislav Zidek <szidek@redhat.com>
Date:   Thu Mar 14 12:57:25 2024 +0100

    TLS interoperability: updated tests
    
    Signed-off-by: Stanislav Zidek <szidek@redhat.com>

Author: Stanislav Zidek <szidek@redhat.com>
Date:   Wed Mar 6 14:06:05 2024 +0100

    TLS interoperability: test actual compiled master
    
    Previously, system (fedora) version of GnuTLS was used in TLS
    interoperability tests.
    
    fedora-ktls/build was repurposed for native (as similar as possible)
    fedora build and both unit- and interop- tests are running with
    this build.
    
    Signed-off-by: Stanislav Zidek <szidek@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Mar 14 09:01:52 2024 +0900

    NEWS: Mention RSA-OAEP support [ci skip]
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Mar 10 06:58:46 2024 +0900

    x509: fix reading of MGF-1 OID
    
    asn1_read_value may return an error code as a positive integer, thus the
    previous code could lead to an access to an uninitialized value.  This is
    a regression in the RSA-OAEP support.  Spotted by oss-fuzz:
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67300
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Mar 8 12:48:09 2024 +0900

    tests: add test for RSA-OAEP cert generation with certtool
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Mon Mar 4 13:41:22 2024 +0100

    Fix mingw build on fedora
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Ramesh Adhikari <adhikari.resume@gmail.com>
Date:   Mon Mar 4 01:48:06 2024 +0000

    Fix typo in fallback _gnutls_no_log macro alias in errors.h
    
    Previously, when C99_MACROS is not defined, _gnutls_no_log was
    expanded to _gnutle_null_log and thus caused a compilation error.
    
    Reported by Andrew Lilley Brinker in:
    https://gitlab.com/gnutls/gnutls/-/issues/1530
    
    Signed-off-by: Ramesh <adhikari.resume@gmail.com>

Author: Sahil Siddiq <icegambit91@gmail.com>
Date:   Mon Mar 4 02:03:09 2024 +0530

    Remove duplicate line in eagain-common.h
    
    HANDSHAKE(c, s) has already been defined on line
    64. Hence, the macro on line 96 can be removed.
    
    Signed-off-by: Sahil Siddiq <icegambit91@gmail.com>

Author: Sahil Siddiq <icegambit91@gmail.com>
Date:   Mon Mar 4 01:46:37 2024 +0530

    tests: rewrite 'hello_retry_request' as single process
    
    Part of issue #1472.
    https://gitlab.com/gnutls/gnutls/-/issues/1472
    
    Signed-off-by: Sahil Siddiq <icegambit91@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Feb 18 07:10:53 2024 +0900

    crypto-selftests-pk: add test case for RSA-OAEP
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 20:32:53 2024 +0900

    tests: add basic test for RSA-OAEP encryption
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 18:40:00 2024 +0900

    certtool: support generating RSA-OAEP private key
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 18:39:41 2024 +0900

    abstract: plumb RSA-OAEP in the abstract key types API
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 18:39:23 2024 +0900

    x509: plumb RSA-OAEP in X.509 interface
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Feb 16 17:03:33 2024 +0900

    _gnutls_x509_decode_string: tolerate empty strings
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 18:38:44 2024 +0900

    nettle: plumb RSA-OAEP in the Nettle crypto backend
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Feb 23 09:03:46 2024 +0900

    tests: support KAT in (EC)DH tests
    
    While the logic existed, known answer tests were omitted in
    tests/dh-compute, tests/dh-compute2, tests/ecdh-compute, and
    tests/ecdh-compute2.  This enables the support for it as well as fixes
    a couple of issues in the logic: avoid using `success` variable as it
    shadows the helper function with the same name defined in
    tests/utils.h, invert the memcmp condition, and properly use peer_x
    and peer_y in place of x and y in ecdh-compute2.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 15:32:37 2024 +0900

    spki: support RSA-OAEP parameters
    
    This adds a new API gnutls_x509_spki_{get,set}_rsa_oaep_params to
    retrieve and store RSA-OAEP parameters embedded in
    SubjectPublicKeyInfo.
    
    As RSA-OAEP labels are allocated, this also adds copy and clear methods
    on the gnutls_x509_spki_st struct and uses them extensively instead of
    memcpy and memset.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 17:07:39 2024 +0900

    algorithms: register RSA-OAEP
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 20:38:33 2024 +0900

    nettle: vendor-in RSA-OAEP implementation
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Aug 19 12:32:27 2022 +0900

    build: allow GMP to be statically linked
    
    Even though we set the custom allocator[1] to zeroize sensitive data,
    it can be easily invalidated if the application sets its own custom
    allocator.  An approach to prevent that is to link against a static
    library of GMP, so the use of GMP is privatized and the custom
    allocator configuration is not shared with other applications.
    
    This patch allows libgnutls to be linked with the static library of
    GMP.  Note that, for this to work, libgmp.a needs to be compiled with
    -fPIC and libhogweed in Nettle also needs to be linked to the static
    library of GMP.
    
    1. https://gitlab.com/gnutls/gnutls/-/merge_requests/1554
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Feb 15 13:29:46 2024 +0100

    tests: rename testdir of pkcs11-tool.sh
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Feb 14 12:25:25 2024 +0100

    tests: skip pkcs11-tool.sh in FIPS mode
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Xin Long <lucien.xin@gmail.com>
Date:   Thu Feb 1 17:21:05 2024 -0500

    lib: fix a potential segfault in _gnutls13_recv_finished
    
    In _gnutls13_recv_finished(), 'buf' is not initialized or set when
    _gnutls13_compute_finished() returns an err, and goto cleanup may
    cause a segfault crash as it frees the uninitialized buf.allocd in
    _gnutls_buffer_clear().
    
    So fix it by returning if _gnutls13_compute_finished() returns an err
    in _gnutls13_recv_finished().
    
    Signed-off-by: Xin Long <lucien.xin@gmail.com>

Author: Xin Long <lucien.xin@gmail.com>
Date:   Thu Feb 1 16:50:22 2024 -0500

    lib: fix a segfault in _gnutls13_recv_end_of_early_data
    
    A crash occurred in my app that uses gnutls13 early data, stack trace:
    
      #0  free (libc.so.6 + 0x97bf0)
      #1  _gnutls_buffer_clear (libgnutls.so.30 + 0x77c8c)
      #2  _gnutls13_recv_end_of_early_data (libgnutls.so.30 + 0xaf308)
      #3  _gnutls13_handshake_server (libgnutls.so.30 + 0x42d6c)
      #4  handshake_server (libgnutls.so.30 + 0x4ff6c)
    
    The root cause is that _gnutls_buffer_clear() was trying to free
    'buf' that is not initialized or set if GNUTLS_NO_END_OF_EARLY_DATA
    flag is set on server side.
    
    This patch fixes it by simply initializing buf at the beginning of
    _gnutls13_recv_end_of_early_data().
    
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
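
The two fixes above share one pattern: a handler declares a buffer, has paths that reach a `cleanup:` label before the buffer was ever written, and the cleanup frees whatever garbage is in the struct. The example below is an added illustration, not GnuTLS code: a small buffer type modelled loosely on the idea of `_gnutls_buffer_clear`, a handler that initializes the buffer before any `goto cleanup`, and an early return on a failure that happens before the buffer is populated. The type and function names, the error codes, the fake "compute finished" step and the `skip` flag (standing in for something like GNUTLS_NO_END_OF_EARLY_DATA) are all assumptions for illustration.

```c
/* Added example (not GnuTLS code): initialize owned resources before any
 * path that can reach the cleanup label, so clearing them is always safe.
 * Names, error codes and the fake compute step are assumptions. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

enum { E_SUCCESS = 0, E_INTERNAL = -1, E_BAD_VERIFY = -2 };

typedef struct {
    unsigned char *allocd;  /* owned allocation, released by buffer_clear() */
    unsigned char *data;
    size_t length;
} buffer_st;

static void buffer_init(buffer_st *b) { memset(b, 0, sizeof *b); }

static void buffer_clear(buffer_st *b)
{
    free(b->allocd);        /* fine on NULL, a crash on an uninitialized pointer */
    buffer_init(b);
}

static int buffer_append(buffer_st *b, const unsigned char *p, size_t n)
{
    unsigned char *np = realloc(b->allocd, b->length + n);
    if (np == NULL)
        return E_INTERNAL;
    b->allocd = b->data = np;
    memcpy(np + b->length, p, n);
    b->length += n;
    return E_SUCCESS;
}

/* Stand-in for a "compute expected verify data" step that can fail. */
static int compute_finished(int fail, unsigned char out[4])
{
    if (fail)
        return E_INTERNAL;
    memcpy(out, "\x01\x02\x03\x04", 4);
    return E_SUCCESS;
}

/* Receive-and-verify handler.  `skip` mirrors a flag that jumps straight
 * to cleanup without ever touching the buffer. */
static int recv_finished(int compute_fails, int skip,
                         const unsigned char *peer, size_t peer_len)
{
    buffer_st buf;
    unsigned char verify[4];
    int ret;

    buffer_init(&buf);          /* fix 2: always initialized before any goto cleanup */

    if (skip) {
        ret = E_SUCCESS;
        goto cleanup;           /* buffer_clear() now sees a NULL allocd */
    }

    ret = compute_finished(compute_fails, verify);
    if (ret < 0)
        return ret;             /* fix 1: nothing allocated yet, return directly
                                 * (goto cleanup would also be safe now) */

    ret = buffer_append(&buf, peer, peer_len);
    if (ret < 0)
        goto cleanup;

    if (buf.length != sizeof verify || memcmp(buf.data, verify, sizeof verify) != 0)
        ret = E_BAD_VERIFY;
    else
        ret = E_SUCCESS;

cleanup:
    buffer_clear(&buf);
    return ret;
}

int main(void)
{
    const unsigned char good[4] = { 1, 2, 3, 4 };
    printf("compute fails: %d\n", recv_finished(1, 0, good, 4));
    printf("skipped:       %d\n", recv_finished(0, 1, NULL, 0));
    printf("good verify:   %d\n", recv_finished(0, 0, good, 4));
    return 0;
}
```

The `buffer_init` call costs one memset and removes an entire class of error-path crashes; the early return is the second belt-and-braces measure from the first fix and is correct only because nothing was allocated before it.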

Author: Avinash Sonawane <rootkea@gmail.com>
Date:   Tue Feb 13 22:39:49 2024 +0530

    lib/x509/x509.c: add missing argument to macro invocation
    
    Signed-off-by: Avinash Sonawane <rootkea@gmail.com>

Author: Avinash Sonawane <rootkea@gmail.com>
Date:   Tue Feb 13 15:07:32 2024 +0530

    lib/mpi.c: extract flag correctly
    
    Signed-off-by: Avinash Sonawane <rootkea@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Jan 27 11:09:18 2024 +0900

    serv: fix memleak when a connected client disappears
    
    Reported by Hubert Kario.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jan 23 11:54:32 2024 +0900

    ktls: fix kernel version checking using utsname
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Fri Jan 19 14:22:35 2024 +0100

    Make compression libraries dynamically loadable
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jan 16 14:51:36 2024 +0900

    Release 3.8.3
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jan 10 19:13:17 2024 +0900

    rsa-psk: minimize branching after decryption
    
    This moves any non-trivial code between gnutls_privkey_decrypt_data2
    and the function return in _gnutls_proc_rsa_psk_client_kx up until the
    decryption.  This also avoids an extra memcpy to session->key.key.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Jan 11 15:45:11 2024 +0900

    x509: detect loop in certificate chain
    
    There can be a loop in a certificate chain, when multiple CA
    certificates are cross-signed with each other, such as A → B, B → C,
    and C → A.  Previously, the verification logic was not capable of
    handling this scenario while sorting the certificates in the chain in
    _gnutls_sort_clist, resulting in an assertion failure.  This patch
    properly detects such a loop and aborts further processing in a
    graceful manner.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
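
The loop-detection commit above and the gnutls_x509_trust_list_verify_crt2 change near the top of this log describe two failure modes of the same chain-sorting step: cross-signed CAs that cycle (A → B, B → C, C → A) and an input list longer than the maximum verification depth, both of which used to end in an assertion failure. The code below is an added example, not GnuTLS's `_gnutls_sort_clist`: certificates are reduced to (subject, issuer) name pairs, the chain is walked from the leaf by matching issuer to subject, a revisit of an already-used certificate is reported as an error, and the retrieved chain is capped at a depth constant while the input may be longer. The `cert_t` representation, the `MAX_VERIFY_DEPTH` value of 16 and the sample names are assumptions.

```c
/* Added example (not GnuTLS code): building a leaf-to-root chain from an
 * unsorted certificate list, refusing issuer loops gracefully and capping
 * the retrieved chain at MAX_VERIFY_DEPTH even for longer input lists.
 * The name-pair representation and the depth value are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_VERIFY_DEPTH 16            /* assumed; stands in for DEFAULT_MAX_VERIFY_DEPTH */
#define MAX_INPUT 256

enum { CHAIN_OK = 0, CHAIN_ERR_LOOP = -1, CHAIN_ERR_INPUT = -2 };

typedef struct {
    const char *subject;
    const char *issuer;
} cert_t;

/* out[0] = in[0] (the leaf); out[i+1] is the issuer of out[i].  Walking
 * stops at a self-signed certificate, when the issuer is not in the list,
 * or once MAX_VERIFY_DEPTH certificates have been collected.  Returns
 * CHAIN_OK and sets *out_len, or CHAIN_ERR_LOOP if the issuer links cycle. */
static int sort_chain(const cert_t *in, size_t n, const cert_t **out, size_t *out_len)
{
    unsigned char used[MAX_INPUT] = {0};   /* input indices already in the chain */
    size_t len = 0, cur = 0;

    if (n == 0 || n > MAX_INPUT)
        return CHAIN_ERR_INPUT;

    while (len < MAX_VERIFY_DEPTH) {
        size_t next = n, i;

        out[len++] = &in[cur];
        used[cur] = 1;
        if (strcmp(in[cur].subject, in[cur].issuer) == 0)
            break;                         /* self-signed: end of chain */
        for (i = 0; i < n; i++)
            if (strcmp(in[i].subject, in[cur].issuer) == 0) { next = i; break; }
        if (next == n)
            break;                         /* issuer not supplied; caller consults the trust list */
        if (used[next])
            return CHAIN_ERR_LOOP;         /* A -> B -> C -> A: refuse instead of asserting */
        cur = next;
    }
    *out_len = len;
    return CHAIN_OK;
}

/* Three constructed scenarios returning values a test can check. */
static int demo_unsorted_chain(void)      /* expect 3 */
{
    const cert_t in[] = { {"leaf", "intermediate"}, {"root", "root"}, {"intermediate", "root"} };
    const cert_t *out[MAX_VERIFY_DEPTH];
    size_t len = 0;
    if (sort_chain(in, 3, out, &len) != CHAIN_OK)
        return -1;
    if (strcmp(out[1]->subject, "intermediate") != 0 || strcmp(out[2]->subject, "root") != 0)
        return -1;
    return (int)len;
}

static int demo_cross_signed_loop(void)   /* expect CHAIN_ERR_LOOP */
{
    const cert_t in[] = { {"A", "B"}, {"B", "C"}, {"C", "A"} };
    const cert_t *out[MAX_VERIFY_DEPTH];
    size_t len = 0;
    return sort_chain(in, 3, out, &len);
}

static int demo_oversized_input(void)     /* expect MAX_VERIFY_DEPTH, not an error */
{
    enum { N = MAX_VERIFY_DEPTH + 4 };
    char names[N][8];
    cert_t in[N];
    const cert_t *out[MAX_VERIFY_DEPTH];
    size_t len = 0;
    int i;
    for (i = 0; i < N; i++)
        snprintf(names[i], sizeof names[i], "c%d", i);
    for (i = 0; i < N; i++) {               /* c0 -> c1 -> ... -> c19 (self-signed) */
        in[i].subject = names[i];
        in[i].issuer = names[i + 1 < N ? i + 1 : i];
    }
    if (sort_chain(in, N, out, &len) != CHAIN_OK)
        return -1;
    return (int)len;
}

int main(void)
{
    printf("unsorted chain length: %d\n", demo_unsorted_chain());
    printf("cross-signed loop: %d (expect %d)\n", demo_cross_signed_loop(), CHAIN_ERR_LOOP);
    printf("oversized input: %d certificates retrieved\n", demo_oversized_input());
    return 0;
}
```

A loop and an over-long input are both attacker-controllable via the peer's certificate message, so neither may reach an assert; the sort returns an error or a truncated chain and leaves the decision to the verifier.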

Author: Clemens Lang <cllang@redhat.com>
Date:   Fri Jan 12 11:12:14 2024 +0100

    fips: Zeroize temporary values
    
    The standard says "temporary value(s) generated during the integrity
    test of the module's software […] shall be zeroised from the module upon
    completion of the integrity test".
    
    That includes the computed HMAC value, which is currently not zeroized
    after the test. Add explicit calls to gnutls_memset() to fix that.
    
    Signed-off-by: Clemens Lang <cllang@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 15 10:42:26 2024 +0900

    .gitlab-ci.yml: bump cache version
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Clemens Lang <cllang@redhat.com>
Date:   Fri Jan 12 11:32:22 2024 +0100

    .gitlab-ci.yml: Adjust to Alpine Linux' clang-format path change
    
    According to Alpine Linux' package database search functionality, the
    clang16-extra-tools package now installs clang-format in
    /usr/lib/llvm16/bin/clang-format.
    
    /usr/bin/clang-format is provided by clang17-extra-tools instead, but
    requires changes in formatting. Add /usr/lib/llvm16/bin to PATH for the
    formatting script to continue using the previous version.
    
    Signed-off-by: Clemens Lang <cllang@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Jan 14 16:53:15 2024 +0900

    tests: suppress leaks in libsofthsm2
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 1 14:26:08 2024 +0900

    tests/pkcs11-tool.sh: skip if neither p11tool nor certtool is built
    
    When compiled with --disable-tools, we can't assume p11tool and
    certtool are available.  This also switches to using create_testdir and
    locate any intermediate files under a temporary directory which is
    cleaned up at exit.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 1 12:51:16 2024 +0900

    Update year of copyright notices in doc/gnutls.texi
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Jakub Jelen <jjelen@redhat.com>
Date:   Fri Dec 1 18:16:05 2023 +0100

    tests: Reproducer for regression in parent (requires opensc installed)
    
    Signed-off-by: Jakub Jelen <jjelen@redhat.com>

Author: Jakub Jelen <jjelen@redhat.com>
Date:   Thu Nov 30 11:30:30 2023 +0100

    pkcs11: Unbreak importing EdDSA keys with curve name in parameters
    
    Fixes: #1515
    
    Signed-off-by: Jakub Jelen <jjelen@redhat.com>

Author: Mark Harfouche <mark.harfouche@gmail.com>
Date:   Mon Nov 27 12:20:23 2023 +0000

    specify osstatus_error takes in an OSStatus as its first argument
    
    Signed-off-by: Mark Harfouche <mark.harfouche@gmail.com>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Fri Oct 20 13:43:46 2023 +0200

    Release 3.8.2
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Oct 23 09:26:57 2023 +0900

    auth/rsa_psk: side-step potential side-channel
    
    This removes branching that depends on secret data, porting changes
    for regular RSA key exchange from
    4804febddc2ed958e5ae774de2a8f85edeeff538 and
    80a6ce8ddb02477cd724cd5b2944791aaddb702a.  This also removes the
    allow_wrong_pms as it was used solely to control debug output
    depending on the branching.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
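
This commit and the "rsa-psk: minimize branching after decryption" commit earlier in the log both remove code that branches on the outcome of an RSA decryption, the classic Bleichenbacher-style timing oracle. The example below is an added illustration of the technique, not GnuTLS code: the padding-check result is converted into a byte mask, and the premaster secret is chosen between the decrypted bytes and a pre-generated random fallback with a constant-time select, so success and failure execute the same instruction sequence. The decryption stub (a two-byte tag check standing in for real RSA and PKCS#1 v1.5 decoding), the 48-byte secret length and the sample inputs are assumptions.

```c
/* Added example (not GnuTLS code): branch-free selection between the
 * decrypted premaster secret and a random fallback, driven by a mask
 * derived from the padding check rather than by an if/else on it.
 * The decryption stub and the sample inputs are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PMS_LEN 48

/* 0xFF if v != 0, else 0x00, with no data-dependent branch. */
static uint8_t ct_mask_nonzero(uint32_t v)
{
    return (uint8_t)(0 - (uint8_t)((v | (0u - v)) >> 31));  /* top bit set iff v != 0 */
}

/* dst[i] = mask ? a[i] : b[i], evaluated identically for both outcomes. */
static void ct_select(uint8_t *dst, const uint8_t *a, const uint8_t *b,
                      size_t n, uint8_t mask)
{
    size_t i;
    for (i = 0; i < n; i++)
        dst[i] = (uint8_t)((a[i] & mask) | (b[i] & (uint8_t)~mask));
}

/* Constant-time inequality: 0 when equal, non-zero otherwise. */
static uint32_t ct_memneq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    size_t i;
    for (i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return acc;
}

/* Stand-in for "RSA-decrypt, then check PKCS#1 v1.5 padding".  The payload
 * is copied unconditionally; the non-zero "bad" flag must be consumed by
 * the caller without branching on it. */
static uint32_t fake_decrypt(const uint8_t ct[PMS_LEN + 2], uint8_t out[PMS_LEN])
{
    uint32_t bad = (uint32_t)(ct[0] ^ 0x00) | (uint32_t)(ct[1] ^ 0x02);
    memcpy(out, ct + 2, PMS_LEN);
    return bad;
}

/* Server-side derivation: `fallback` is random material generated before
 * the decryption; which buffer ends up in `pms` is decided by the mask. */
static void derive_pms(const uint8_t ct[PMS_LEN + 2], const uint8_t fallback[PMS_LEN],
                       uint8_t pms[PMS_LEN])
{
    uint8_t decrypted[PMS_LEN];
    uint32_t bad = fake_decrypt(ct, decrypted);
    uint8_t use_fallback = ct_mask_nonzero(bad);
    ct_select(pms, fallback, decrypted, PMS_LEN, use_fallback);
}

/* Constructed inputs: a valid message carrying 0xAA bytes, or the same
 * message with a corrupted tag.  Returns 1 if pms is filled with `expect`. */
static int demo(int corrupt_tag, uint8_t expect)
{
    uint8_t ct[PMS_LEN + 2], fallback[PMS_LEN], pms[PMS_LEN], want[PMS_LEN];
    ct[0] = 0x00;
    ct[1] = corrupt_tag ? 0x01 : 0x02;
    memset(ct + 2, 0xAA, PMS_LEN);
    memset(fallback, 0x55, PMS_LEN);   /* would be fresh random bytes in practice */
    memset(want, expect, PMS_LEN);
    derive_pms(ct, fallback, pms);
    return ct_memneq(pms, want, PMS_LEN) == 0;
}

int main(void)
{
    printf("valid padding -> decrypted secret used: %d\n", demo(0, 0xAA));
    printf("bad padding   -> random fallback used:  %d\n", demo(1, 0x55));
    return 0;
}
```

Two caveats a practitioner should keep in mind: a compiler is free to turn a masked select back into a branch, so production code guards the pattern with barriers (volatile accesses or inline asm) and checks the generated code, and any logging or debug output that depends on the decryption result, like the removed allow_wrong_pms path, reintroduces exactly the branch being eliminated.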

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Nov 10 15:54:01 2023 +0900

    tests: ktls.sh: skip if kernel version is older than 5.11
    
    The test assumes that CHACHA20-POLY1305 ciphersuites are available,
    though they were added in 5.11.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Nov 10 15:49:53 2023 +0900

    ktls: check Linux kernel version at run time
    
    When a GnuTLS application runs in a container guest and the host
    kernel is older than expected, it fails at initializing KTLS.  This
    adds a check at run time, using uname.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
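
The run-time check described in this commit (and the later "ktls: fix kernel version checking using utsname" fix) exists because a compile-time kernel header version says nothing about the kernel actually running: inside a container the kernel is the host's. The code below is an added example, not GnuTLS's KTLS code: it parses the `release` string from `struct utsname` into major, minor and patch numbers, compares it against a minimum, and fails closed when the string cannot be parsed. The 5.11 threshold is taken from the ktls.sh test commit in this log (CHACHA20-POLY1305 ciphersuites); the function names and sample release strings are assumptions.

```c
/* Added example (not GnuTLS code): run-time kernel version gate based on
 * uname(2).  Parsing tolerates distro suffixes such as "-200.fc38.x86_64"
 * and treats an unparseable string as "too old".  Names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

typedef struct { unsigned major, minor, patch; } kver_t;

/* Parse "5.11.0-rc3+", "6.5.7-200.fc38.x86_64" or "4.19".  A missing patch
 * level is zero.  Returns 0 on success, -1 if there is no major.minor. */
static int kver_parse(const char *release, kver_t *v)
{
    unsigned long parts[3] = {0, 0, 0};
    const char *p = release;
    char *end;
    int i;

    for (i = 0; i < 3; i++) {
        if (*p < '0' || *p > '9')
            break;                          /* component missing */
        parts[i] = strtoul(p, &end, 10);
        p = end;
        if (*p != '.') {
            i++;                            /* this component counts, then stop */
            break;
        }
        p++;
    }
    if (i < 2)
        return -1;
    v->major = (unsigned)parts[0];
    v->minor = (unsigned)parts[1];
    v->patch = (unsigned)parts[2];
    return 0;
}

/* Lexicographic compare: <0, 0 or >0. */
static int kver_cmp(const kver_t *a, const kver_t *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* 1 if `release` is at least major.minor, else 0.  Unparseable input
 * fails closed: the kernel feature is simply not enabled. */
static int kernel_at_least(const char *release, unsigned major, unsigned minor)
{
    kver_t have, want = { major, minor, 0 };
    if (kver_parse(release, &have) < 0)
        return 0;
    return kver_cmp(&have, &want) >= 0;
}

/* The actual run-time check against the running (possibly host) kernel. */
static int running_kernel_at_least(unsigned major, unsigned minor)
{
    struct utsname u;
    if (uname(&u) != 0)
        return 0;
    return kernel_at_least(u.release, major, minor);
}

int main(void)
{
    struct utsname u;
    if (uname(&u) == 0)
        printf("running %s: CHACHA20-POLY1305 kTLS %s\n", u.release,
               running_kernel_at_least(5, 11) ? "possible" : "unavailable (need >= 5.11)");
    return 0;
}
```

A version gate is a necessary but not sufficient check: distributions backport features and some kernels are built without the relevant options, so the authoritative test is still whether enabling the feature on a socket succeeds, with the version check only preventing known-bad kernels from being tried at all.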

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Nov 9 17:17:36 2023 +0900

    x509: clarify the calling convention of AIA callbacks
    
    This updates the documentation of
    gnutls_x509_trust_list_set_getissuer_function to explicitly mention
    that the callback shall initialize the output arguments upon
    successful call, even if the result is empty.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Nov 9 13:33:13 2023 +0900

    cli: fix --ca-auto-retrieve crash when no caIssuer is present in AIA
    
    Previously, when the caIssuer URI is not present in the certificate's AIA
    extension, the callback successfully returned 0, but didn't initialize
    the output arguments, resulting in a segmentation fault in the caller.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Ajit Singh <ajeetsinghchahar2@gmail.com>
Date:   Mon Nov 6 15:45:10 2023 +0530

    handshake.c: Fixed a missing goto statement
    
    Signed-off-by: Ajit Singh <ajeetsinghchahar2@gmail.com>

Author: Frediano Ziglio <freddy77@gmail.com>
Date:   Sun Nov 5 17:47:44 2023 +0000

    lib: Use correct transport getting error number
    
    For write we need to use transport_send_ptr, not transport_recv_ptr.
    
    Signed-off-by: Frediano Ziglio <freddy77@gmail.com>

Author: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
Date:   Thu Oct 26 00:17:33 2023 +0200

    .lgtm.yml: remove LGTM.com configuration file
    
    LGTM.com has been deprecated and replaced by GitHub code analysis:
    https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/
    
    Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Oct 18 08:21:05 2023 +0900

    NEWS: mention KTLS support in FreeBSD [ci skip]
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Clemens Lang <cllang@redhat.com>
Date:   Wed Oct 18 10:50:08 2023 +0200

    CONTRIBUTING.md: Fix file name in reviewer checklist
    
    The coding guidelines are in CONTRIBUTING.md, not CONTRIBUTION.md (which
    does not exist).
    
    Signed-off-by: Clemens Lang <cllang@redhat.com>

Author: xuraoqing <xuraoqing@huawei.com>
Date:   Wed Aug 23 11:56:03 2023 +0800

    srptool: rework entry parsing without indexing
    
    This simplifies the loop matching and parsing an SRP entry,
    considering the buffer read with fgets is always NUL-terminated.
    
    Signed-off-by: xuraoqing <xuraoqing@huawei.com>
    Modified-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Oct 18 05:24:33 2023 +0900

    .gitlab-ci.yml: disable p11-kit for MinGW builds
    
    Currently, tests are failing with a page fault in MinGW64 builds if
    p11-kit is enabled.  This temporarily disables it.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Oct 13 17:36:57 2023 +0900

    cli: add --starttls-name option
    
    Some deployments of application protocols, such as XMPP, require a
    different hostname than the host being connected.  This adds a new
    option, --starttls-name, to gnutls-cli to specify it separately.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Oct 7 17:25:45 2023 +0900

    .gitlab-ci.yml: hook devel/check-headers.sh in .pre target
    
    This adds devel/check-headers.sh in the .pre target phase so any
    inconsistent header inclusion would be detected early in the CI.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Oct 7 17:24:02 2023 +0900

    devel: make local header inclusion consistent
    
    This is the result of running devel/check-headers.sh --format on all
    .c and .h files under lib.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Oct 7 17:17:39 2023 +0900

    devel: add script to fix header inclusion
    
    This adds check-headers.sh script which scans .c files and checks that
    local header files under lib/ are consistently included with #include
    "foo.h" instead of #include <foo.h>.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Yongye Zhu <zyy1102000@gmail.com>
Date:   Wed Oct 4 09:26:14 2023 +0000

    ktls: add support for FreeBSD
    
    This extends the KTLS support to FreeBSD, with the AES-GCM-128, AES-GCM-256, and ChaCha20-Poly1305 ciphersuites.
    
    Signed-off-by: Yongye Zhu <zyy1102000@gmail.com>
    Reviewed-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Sep 28 11:38:36 2023 +0900

    pkcs11: support Ed448 keys
    
    This adds support for Ed448 keys backed by PKCS#11.  To differentiate
    Ed448 keys from Ed25519 keys, this requires extra logic to check
    CKA_EC_PARAMS when reading public keys.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Sep 28 11:37:15 2023 +0900

    tests: refactor pkcs11-privkey-generate
    
    This factors out key generation logic into a separate function so we
    can easily extend the test to cover more key types.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Sep 23 15:37:03 2023 +0900

    pkcs11: fix key pair generation for EdDSA
    
    Previously we used the CKM_EDDSA mechanism to generate key pair, though
    the mechanism can only be used for signing and verification as
    specified in PKCS#11 3.1 section 6.3.  For key generation, the
    CKM_EC_EDWARDS_KEY_PAIR_GEN mechanism (or
    CKM_EC_MONTGOMERY_KEY_PAIR_GEN, if the point is represented in the
    Montgomery form) needs to be used.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
Date:   Sun Sep 17 16:29:38 2023 +0200

    doc: fix typos found by codespell
    
    Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Sep 11 13:59:45 2023 +0900

    gnutls_privkey_generate2: allow missing Q for DH
    
    As the Q parameter is optional in the gnutls_dh_params_t, this allows
    generating Diffie-Hellman private key without that parameter.
    
    While it is mandatory in FIPS mode, it is ensured when generating the
    DH parameters or importing through gnutls_dh_params_import_raw3.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Sep 10 20:19:13 2023 +0900

    abstract: add gnutls_pubkey_export_dh_raw
    
    This adds gnutls_pubkey_export_dh_raw, a public key counterpart of
    gnutls_privkey_export_dh_raw.  This also replaces the P, Q, G
    parameters with gnutls_dh_params_t in the function signatures to avoid
    unnecessary serialization of bignums.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Miroslav Lichvar <mlichvar@redhat.com>
Date:   Mon Sep 11 10:45:39 2023 +0200

    cipher: fix AES-SIV-GCM key lengths
    
    Fix provided key lengths of AES-SIV-GCM ciphers, which have halved keys
    when compared to AES-SIV-CMAC.
    
    Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Sep 11 07:23:51 2023 +0900

    gnutls_pubkey_import_privkey: support GNUTLS_PK_DH
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Sep 6 14:55:10 2023 +0900

    NEWS: mention AES-GCM-SIV support
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Sep 6 14:02:43 2023 +0900

    nettle: expose SIV-GCM through the AEAD interface
    
    This adds a couple of new cipher algorithms GNUTLS_CIPHER_AES_128_SIV_GCM
    and GNUTLS_CIPHER_AES_256_SIV_GCM, exposing nettle_siv_gcm_aes{128,256}*
    functions.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Sep 6 13:34:27 2023 +0900

    nettle: vendor-in SIV-GCM implementation
    
    This imports SIV-GCM implementation from Nettle 3.9.1, while still
    assuming Nettle 3.6 as the baseline.  As such, only non-optimized
    implementation is imported.  Performance critical applications are
    advised to build GnuTLS with Nettle 3.9.1 or later.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Sep 5 09:39:28 2023 +0900

    devel: update nettle submodule
    
    This updates nettle submodule to the 3.9.1 release.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Apr 12 08:17:44 2022 +0200

    gnutls_privkey_derive_secret: new function
    
    This adds a new function gnutls_privkey_derive_secret, which can be
    used in conjunction with the other key import or key generation API to
    calculate shared secret.
    
    Key import can be done with gnutls_{pubkey,privkey}_import_ecc_raw for
    ECDH and gnutls_{pubkey,privkey}_import_dh_raw for FFDH, while key
    generation could be done with gnutls_privkey_generate2 with respective
    algorithms (e.g., GNUTLS_PK_ECDH_X25519) and key generation parameters
    in gnutls_keygen_data_st format.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Aug 31 13:55:58 2023 +0900

    abstract, x509: add functions to import and export DH keys
    
    This adds a couple of functions to import and export Diffie-Hellman
    private keys.  While it shares the structure with DSA, it differs in the q
    parameter which is optional in Diffie-Hellman and the algorithm
    ID: GNUTLS_PK_DH vs GNUTLS_PK_DSA.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Sep 3 10:20:37 2023 +0900

    abstract, x509: refactor raw DSA key import logic
    
    This switches to using DSA_{P,Q,G,X,Y} instead of magic number, and
    adds check for required parameters.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Sep 3 10:36:13 2023 +0900

    mpi: remove unnecessary integer size conversion
    
    The following pattern:
    
    ```c
    size_t siz = prime->size;
    if (_gnutls_mpi_init_scan_nz(&tmp_prime, prime->data, siz)) {
      ...
    }
    ```
    
    was previously written as:
    
    ```c
    size_t siz = prime->size;
    if (_gnutls_mpi_scan_nz (&tmp_prime, prime->data, &siz))
      ...
    }
    ```
    
    Now that _gnutls_mpi_init_scan_nz takes an immediate integer instead
    of a pointer, we don't need to account for the integer size and thus
    no conversion should be necessary.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Aug 31 09:21:23 2023 +0900

    gnutls_privkey_generate2: accept DH parameters
    
    This adds a new GNUTLS_KEYGEN_DH type for gnutls_keygen_data_st, so
    gnutls_privkey_generate2 can use pre-generated DH parameters instead
    of newly generated ones.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Apr 12 08:28:22 2022 +0200

    gnutls_privkey_import_ecc_raw: allow X25519/X448 curves
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Apr 12 08:21:12 2022 +0200

    gnutls_pubkey_import_ecc_raw: allow X25519/X448 curves
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Aug 28 15:47:04 2023 +0900

    tests: ignore SIGPIPE in forking tests if the parent is TLS client
    
    If the tests are forking and the parent process is a client, care must
    be taken to handle SIGPIPE reported by the child process (server) when
    the client closes the connection.
    
    This hadn't been exposed until commit
    dd79ac9bcf90012e090726adf7c1940bcce8333f, thanks to the fact that the
    parent process kept the other pipe end which effectively prevented a
    "broken pipe".
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Aug 23 10:43:54 2023 +0900

    benchmark: use fallback gettime provided by Gnulib's timespec module
    
    If CLOCK_PROCESS_CPUTIME_ID is not defined, a fallback gettime
    function was defined as an inline function.  Given that "timespec.h"
    from Gnulib already defines such a fallback function with the same
    name, it's not necessary to redefine it.  This should fix the build
    issue with Clang:
    
      In file included from ../../gnutls-3.8.1/src/cli.c:65:
      ../../gnutls-3.8.1/src/benchmark.h:38:20: error: static declaration of 'gettime' follows non-static declaration
      inline static void gettime(struct timespec *ts)
                         ^
      ../../gnutls-3.8.1/src/gl/timespec.h:93:6: note: previous declaration is here
      void gettime (struct timespec *) _GL_ARG_NONNULL ((1));
           ^
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Aug 22 10:43:38 2023 +0900

    .gitlab-ci.yml: bundle libssp-0.dll in the Windows archive
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Sam James <sam@gentoo.org>
Date:   Mon Aug 7 08:23:50 2023 +0100

    configure.ac: Avoid noise when faketime is not available
    
    We already checked for whether faketime is installed, so don't try to call it
    if we couldn't find a path to it.
    
    This avoids noise like:
    ```
    checking for faketime... no
    checking for datefudge... no
    checking whether faketime program works... 1691391464
    /var/tmp/portage/net-libs/gnutls-3.8.1/work/gnutls-3.8.1/configure: line 11540: 2006-09-23 00:00:00: command not found
    /var/tmp/portage/net-libs/gnutls-3.8.1/work/gnutls-3.8.1/configure: line 11540: test: =: unary operator expected
    no
    ```
    
    Bug: https://bugs.gentoo.org/911833
    Signed-off-by: Sam James <sam@gentoo.org>

Author: Adrian Bunk <bunk@debian.org>
Date:   Sun Aug 6 22:46:22 2023 +0300

    Move the GNUTLS_NO_EXTENSIONS compatibility #define to gnutls.h
    
    Signed-off-by: Adrian Bunk <bunk@debian.org>

Author: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date:   Sun Aug 6 20:37:31 2023 +0200

    Fix build on GNU/Hurd
    
    GNU/Hurd does not define an arbitrary PATH_MAX limitation, so pathbuf
    can define its own arbitrary limitation.
    
    Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Thu Aug 3 11:52:04 2023 +0200

    Release 3.8.1
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Thu Aug 3 14:09:33 2023 +0200

    Safeguard against overflow inside pkcs11_find_objects
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Tue Jul 25 16:23:49 2023 +0200

    Refactor pkcs11_find_objects to use p11-kit iterator
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 31 23:46:19 2023 +0900

    tests: propagate $CFLAGS in pkgconfig.sh
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 31 11:54:27 2023 +0900

    .gitlab-ci.yml: re-enable i686 cross build
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 31 17:38:02 2023 +0900

    doc: fix C++ example compilation on MinGW
    
    The examples under doc/examples/ are compiled with Gnulib, which
    overrides write if it's not available, as a macro.  This conflicts
    with the usage of std::iostream::write in ex-cxx.cpp.  To avoid the
    build issue, use a custom namespace to hide it, as suggested in:
    https://www.gnu.org/software/gnulib/manual/html_node/A-C_002b_002b-namespace-for-gnulib.html
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Thu Jul 27 10:36:48 2023 +0200

    Reduce the number of objects received per iteration in pkcs11_find_objects
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 24 09:14:20 2023 +0200

    .gitlab-ci.yml: drop use of Debian cross images
    
    Due to licensing concerns, we had to remove the Debian-based CI images
    for cross compilation.  Some of them are already covered by the
    Fedora-based CI images, though it would be nice if the following are
    added back:
    
    - x86 (32-bit): maybe we could just use -m32 on Fedora image,
      similarly to mingw targets
    - Arm (32-bit)
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Jul 23 08:17:32 2023 +0200

    .gitlab-ci.yml: enable use of Fedora cross toolchain
