Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Tue Jul 2 16:00:40 2024 +0200

    Release 3.8.6
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Tue Jul 2 17:13:21 2024 +0200

    Make asm-sources
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Thu Jun 20 09:00:49 2024 -0500

    aarch64: no lint asm block
    
    For clang-format, have it ignore the asm block in the header.
    
    Fixes:
    clang-format --dry-run lib/accelerated/aarch64/aarch64-common.h
    lib/accelerated/aarch64/aarch64-common.h:109:13: warning: code should be clang-formatted [-Wclang-format-violations]
    .pushsection .note.gnu.property, "a";
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Jun 19 14:40:23 2024 +0200

    test/cert-tests: use --attime in more tests
    
    With this change, building should be fine until 2049
    on platforms with 64-bit time_t.
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Jun 19 14:39:53 2024 +0200

    tests: use --attime in more tests
    
    With this change, builds should work fine until 2039
    on platforms with 64-bit time_t.
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Jun 20 14:37:01 2024 +0200

    tests/Makefile: expose ac_cv_sizeof_time_t
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Stanislav Zidek <szidek@redhat.com>
Date:   Tue Jun 11 17:23:11 2024 +0200

    tls-interoperability: workaround for openssl CCM8
    
    CCM8 moved to SECLEVEL=0 in openssl
    
    Signed-off-by: Stanislav Zidek <szidek@redhat.com>

Author: Stanislav Zidek <szidek@redhat.com>
Date:   Fri May 31 10:50:42 2024 +0200

    remove obsolete testcompat-openssl-* tests
    
    These tests are superseded by tls-interoperability/ test suite
    with the exception of 0-RTT (--earlydata) tests.
    
    Signed-off-by: Stanislav Zidek <szidek@redhat.com>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Mon Jun 10 12:16:53 2024 -0500

    lib/accelerated: add CFLAGS to aarch64/elf
    
    When building with certain cflags, like -mbranch-protection=standard,
    the assembly generation needs to get the CFLAGS to enable assembler
    level features. Without this, closing PAC/BTI feature support will not
    be completed.
    
    Example:
    export CFLAGS='-mbranch-protection=standard'
    export CPPFLAGS='-mbranch-protection=standard'
    # not needed, just for error reporting
    export LDFLAGS='-Wl,-zforce-bti,--fatal-warnings'
    ./bootstrap
    ./configure --with-included-libtasn1 --with-included-unistring
    make asm-sources
    make -j4
    readelf -n ./lib/.libs/libgnutls.so
    
    Displaying notes found in: .note.gnu.property
      Owner                Data size        Description
      GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
          Properties: AArch64 feature: BTI, PAC
    <snip>
    
    readelf -n ./lib/.libs/libgnutlsxx.so
    
    Displaying notes found in: .note.gnu.property
      Owner                Data size        Description
      GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
          Properties: AArch64 feature: BTI, PAC
    <snip>
    
    Related to: #1517
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Mon Jun 10 12:46:09 2024 -0500

    lib/accelerated: add missing space on pushsection
    
    Missing a space between pushsection and the section name.
    
    Results in this error:
    lib/accelerated/aarch64/aarch64-common.h:109: Error: unknown pseudo-op: `.pushsection.note.gnu.property'
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Jun 6 10:51:56 2024 +0900

    tls-fuzzer: move SSL3 specific tests to gnutls-nocert-ssl3.json
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Jun 6 09:30:13 2024 +0900

    tests: skip pthreads tests when cross compiling
    
    These tests hang under qemu-user-static on Fedora 40.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jun 5 16:33:16 2024 +0900

    tests: testcompat-openssl-tls13: explicitly allow CCM8 ciphersuites
    
    Since OpenSSL 3.2, CCM8 is only allowed in security level 0. This
    tweaks test scripts to explicitly enable this level but only enable
    TLS 1.3 to exclude any TLS 1.2 ciphersuites.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jun 5 10:48:38 2024 +0900

    build: indent code using Clang 18
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jun 5 10:43:02 2024 +0900

    tests: dtls/dtls-stress: silence -Wcalloc-transposed-args warning
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jun 5 10:39:38 2024 +0900

    tests: mini-global-init: include <stdlib.h> for exit on Windows
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jun 5 06:50:27 2024 +0900

    .gitlab-ci.yml: switch to using Fedora 40
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jun 4 09:31:31 2024 +0900

    tests: add missing global_init/gnutls_global_deinit for MinGW
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jun 4 11:29:50 2024 +0900

    .gitlab-ci.yml: restore MinGW tweaks
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jun 4 10:37:40 2024 +0900

    .gitlab-ci.yml: bump cache version
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Fri Feb 2 14:05:55 2024 -0600

    lib/accelerated: update asm and enable PAC/BTI
    
    Update the asm sources generated from devel/openssl which have the BTI
    and PAC support. Add the -mbranch-protection=standard build flag to the
    generated sources. On older machines that don't have support, the
    options are in the NOP space and will be NOP'd; on architectures with
    support the instructions are executed as expected.
    
    Note that this updates the ELF GNU NOTES section to indicate that BTI
    and PAC are enabled. For BTI this must be in all the ELF files loaded
    and linked or the feature is disabled as all execution segments need it.
    
    After updating the asm sources via make asm-sources, you can build and
    get a PAC/BTI enabled binary and test via the testsuite to verify.
    
    readelf -n ./lib/.libs/libgnutls.so
    
    Displaying notes found in: .note.gnu.property
      Owner                Data size        Description
      GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
          Properties: AArch64 feature: BTI, PAC
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Fri Feb 2 14:04:29 2024 -0600

    cfg.mk: add common headers used for asm gen
    
    The common headers are needed when generating the assembly, so make them
    dependencies of the build target.
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Fri Feb 2 12:39:25 2024 -0600

    openssl: update 3.2.1
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Tue Feb 6 08:11:33 2024 -0600

    ci: ignore parse errors from gcovr
    
    The documentation for gcovr suggests this as a workaround to a bug in gcovr
    that causes negative hit values, which is impossible, and is not accepted by
    default and will cause the CI to fail:
      -  https://gcovr.com/en/stable/guide/gcov_parser.html
    
    To correct this, add option:
      -gcov-ignore-parse-errors=negative_hits.warn_once_per_file
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Jun 2 16:50:06 2024 +0900

    nettle: add a way to reset hash context
    
    This makes gnutls_hash_output just reset the hash context without
    calling out Nettle's hash digest function if DIGEST argument is NULL.
    That is particularly useful when used with SHAKE, as its _shake_output
    function marks ctx->index in a special way indicating incremental
    output is in progress.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 1 12:51:38 2024 +0900

    .gitlab-ci.yml: switch to using Fedora 39
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 15 09:02:47 2024 +0900

    .gitlab-ci.yml: temporarily disable implicit library init on MinGW64
    
    This doesn't seem to work on the latest Wine 8.19.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 1 12:57:55 2024 +0900

    .gitlab-ci.yml: indent code using Clang 17
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Jan 14 16:57:11 2024 +0900

    tests: update tlslite-ng submodule for Python asyncore deprecation
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Jun 2 09:12:15 2024 +0900

    nettle: avoid symbol clash in sha3-shake.h
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed May 29 17:41:36 2024 +0900

    algorithms: expose SHAKE from public API
    
    This adds a new function gnutls_hash_squeeze, which works similarly to
    gnutls_hash_output but enables retrieving output of arbitrary length.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed May 29 17:40:55 2024 +0900

    nettle: vendor-in SHAKE implementation
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed May 29 10:13:53 2024 +0900

    devel: update nettle submodule
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 17 10:34:46 2024 +0900

    shuffle_exts: avoid theoretical wrap around of unsigned integer
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Apr 30 22:28:29 2024 +0900

    load_dir_certs: avoid memleak
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed May 15 10:17:41 2024 +0900

    nettle: utilize nettle_cbc_aes*_encrypt for performance
    
    While CBC encryption is inherently slow for lack of parallelism,
    Nettle >= 3.8 provides specialized AES-CBC encryption functions to
    improve performance by avoiding multiple calls to block cipher
    initialization. This patch makes GnuTLS use those functions if
    available.
    
    Here are the results of benchmark:
    
    * GNUTLS_CPUID_OVERRIDE=0x1, without nettle_cbc_aes*_encrypt:
    
      Checking cipher-MAC combinations, payload size: 16384
              AES-128-CBC-SHA1 0.90 GB/sec
              AES-128-CBC-SHA256 0.88 GB/sec
    
      Checking ciphers, payload size: 16384
                   AES-128-CBC 1.56 GB/sec
    
    * GNUTLS_CPUID_OVERRIDE=0x1, with nettle_cbc_aes*_encrypt:
    
      Checking cipher-MAC combinations, payload size: 16384
              AES-128-CBC-SHA1 1.08 GB/sec
              AES-128-CBC-SHA256 1.05 GB/sec
    
      Checking ciphers, payload size: 16384
                   AES-128-CBC 2.16 GB/sec
    
    * GNUTLS_CPUID_OVERRIDE unset:
    
      Checking cipher-MAC combinations, payload size: 16384
              AES-128-CBC-SHA1 1.13 GB/sec
              AES-128-CBC-SHA256 1.05 GB/sec
    
      Checking ciphers, payload size: 16384
                   AES-128-CBC 2.24 GB/sec
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Apr 30 10:17:37 2024 +0900

    Support PBMAC1 usage in PKCS#12
    
    This allows usage of PBMAC1 as the MAC to verify a PKCS#12 structure,
    following draft-ietf-lamps-pkcs12-pbmac1[1]. While the MAC
    verification is transparent, the generation requires a new API
    gnutls_pkcs12_generate_mac3 to be used with the
    GNUTLS_PKCS12_USE_PBMAC1 flag.
    
    certtool has also been extended with the --pbmac1 option, which can be
    used in combination with --to-p12.
    
    1. https://datatracker.ietf.org/doc/draft-ietf-lamps-pkcs12-pbmac1/
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 14 12:40:38 2024 +0900

    gnutls_pkcs12_generate_mac2: factor out mac generation logic
    
    This would allow us to easily implement PBMAC1 usage in PKCS#12.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 14 11:09:21 2024 +0900

    pkcs7-crypt: output keyLength in PBKDF2 only if it is greater than 0
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 14 10:48:43 2024 +0900

    pkcs7-crypt: use _gnutls_x509_write_uint32 as possible
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 14 10:24:03 2024 +0900

    _gnutls_x509_read_uint: accept values greater than 0x7FFFFFFF
    
    _gnutls_x509_read_uint previously only accepted integer values encoded
    in 4 bytes without checking if the first byte indicates a negative
    integer in 2's complement format.  This adds the check and also avoids
    unnecessary memory allocation.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
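As an added illustration of the check this commit describes (example code written for this page, not GnuTLS's own `_gnutls_x509_read_uint`): a reader for the content octets of a DER INTEGER that accepts the five-byte, zero-padded form needed for values above 0x7FFFFFFF while rejecting negative values and non-minimal encodings. The function names, result codes and sample byte strings are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result codes of this toy reader (not GnuTLS's own error codes). */
enum {
    READ_UINT_OK = 0,
    READ_UINT_BAD_LENGTH = -1,  /* zero content bytes, or more than five */
    READ_UINT_NEGATIVE = -2,    /* sign bit of the first byte is set */
    READ_UINT_NOT_MINIMAL = -3, /* redundant leading 0x00, forbidden by DER */
    READ_UINT_OVERFLOW = -4     /* non-negative but wider than 32 bits */
};

/*
 * Decode the content octets of a DER INTEGER into a uint32_t.
 *
 * DER INTEGER is two's complement, so any value with bit 31 set
 * (0x80000000..0xFFFFFFFF) must be encoded in five bytes with a leading 0x00.
 * A reader that only accepts four bytes rejects exactly those values; a reader
 * that accepts four bytes without checking the sign bit turns a negative
 * INTEGER into a large positive one. This reader does neither.
 */
static int der_read_uint32(const uint8_t *data, size_t len, uint32_t *out)
{
    size_t i = 0;
    uint32_t value = 0;

    if (len == 0 || len > 5)
        return READ_UINT_BAD_LENGTH;

    if (data[0] & 0x80)
        return READ_UINT_NEGATIVE;

    /* A leading 0x00 is only allowed when the next byte has its top bit set. */
    if (len > 1 && data[0] == 0x00 && !(data[1] & 0x80))
        return READ_UINT_NOT_MINIMAL;

    if (len == 5) {
        /* Five bytes fit in 32 bits only as 0x00 followed by four bytes. */
        if (data[0] != 0x00)
            return READ_UINT_OVERFLOW;
        i = 1;
    }

    for (; i < len; i++)
        value = (value << 8) | data[i];

    *out = value;
    return READ_UINT_OK;
}

/* Convenience wrapper: the decoded value (0..0xFFFFFFFF) or a negative code. */
static int64_t der_uint32_or_error(const uint8_t *data, size_t len)
{
    uint32_t value;
    int rc = der_read_uint32(data, len, &value);
    return rc == READ_UINT_OK ? (int64_t)value : (int64_t)rc;
}

int main(void)
{
    /* Constructed content octets of DER INTEGERs. */
    static const uint8_t max_signed[] = { 0x7F, 0xFF, 0xFF, 0xFF };      /* 2147483647 */
    static const uint8_t needs_pad[] = { 0x00, 0x80, 0x00, 0x00, 0x00 }; /* 2147483648 */
    static const uint8_t negative[] = { 0xFF, 0xFF, 0xFF, 0xFF };        /* -1, not 4294967295 */

    printf("%lld\n", (long long)der_uint32_or_error(max_signed, sizeof max_signed));
    printf("%lld\n", (long long)der_uint32_or_error(needs_pad, sizeof needs_pad));
    printf("%lld\n", (long long)der_uint32_or_error(negative, sizeof negative));
    return 0;
}
```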

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 10 14:57:32 2024 +0900

    .gitlab-ci.yml: run fedora-threadsan/build without ASLR
    
    ThreadSanitizer doesn't cope well with newer kernels (>= 6.6.x) when
    ASLR is enabled:
    https://github.com/google/sanitizers/issues/1716
    
    This disables ASLR locally around the fedora-threadsan tasks.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 10 09:05:01 2024 +0900

    .gitlab-ci.yml: Bump cache version
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu May 9 23:29:30 2024 +0900

    .gitlab-ci.yml: use correct tag for GitLab 1.70 deployment
    
    The "shared", "linux", and "docker" tags we use to select shared CI
    runners are consolidated into "saas-linux-small-amd64" in GitLab 1.70:
    https://docs.gitlab.com/ee/update/deprecations.html#removal-of-tags-from-small-saas-runners-on-linux
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon May 6 07:46:29 2024 +0900

    build: fix confusions between libtasn1 and GnuTLS error codes
    
    libtasn1 error codes returned from asn1_{read,write}_value are always
    positive. Check against ASN1_SUCCESS instead.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Kai Pastor <dg0yt@darc.de>
Date:   Wed Apr 24 07:36:22 2024 +0200

    Fix configuration with multi-word GMP_LIBS.
    
    Signed-off-by: Kai Pastor <dg0yt@darc.de>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Thu Apr 11 17:53:06 2024 +0200

    Prevent GCOVR from returning NegativeHits exception
    
    see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68080
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Wed Apr 10 12:51:33 2024 +0200

    Fix RSAES-PKCS1-v1_5 system-wide configuration
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Wed Apr 3 13:03:21 2024 +0200

    Release 3.8.5
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Tue Mar 26 11:48:58 2024 +0100

    Add option to disable RSAES-PKCS1-v1_5
    
    A new option `allow-rsa-pkcs1-encrypt` has been added to the
    system-wide library configuration which allows enabling/disabling
    RSAES-PKCS1-v1_5. Currently, RSAES-PKCS1-v1_5 is enabled
    by default.
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Alyssa Ross <hi@alyssa.is>
Date:   Mon Mar 25 10:17:29 2024 +0000

    Mangle/hide GNUTLS-built nettle_rsa_compute_root_tr()
    
    Since bfb326f6e ("nettle: plumb RSA-OAEP in the Nettle crypto backend"),
    building gnutls statically fails due to a duplicate definition of
    nettle_rsa_compute_root_tr (which comes from "rsa_compute_root_tr" being
    replaced by a preprocessor macro).
    
    This patch fixes this by renaming the GNUTLS version by redefining the
    value of the rsa_compute_root_tr macro.
    
    Signed-off-by: Alyssa Ross <hi@alyssa.is>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Mar 22 12:47:00 2024 +0900

    x509: support PBES1-DES-SHA1
    
    PBES1 with single DES backed by the SHA-1 hash is used to parse legacy
    PKCS#8 files in GCR.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Mar 26 20:18:08 2024 +0900

    nettle: avoid potential memleak with GMP older than 6.2.0
    
    As GMP 6.1.0 or earlier eagerly allocates memory at mpz_init_set_str,
    if the operand is already initialized, it will cause a small leak.
    
    See also: https://gmplib.org/repo/gmp/rev/f049e75390fc
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Mar 25 06:45:39 2024 +0900

    gnutls_privkey_decrypt_data: don't free plaintext on failure
    
    As _wrap_nettle_pk_decrypt uses a locally allocated buffer for the
    plaintext, it doesn't need to free the plaintext given by the caller.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Mar 22 10:48:02 2024 +0900

    nettle: plumb RIPEMD160
    
    RIPEMD160 is still used by GnuTLS to calculate the fingerprint of an
    OpenPGP key when displaying it:
    
    - https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=g10/keyid.c;h=7e4c50b59de8c25756c5ce890deecab233f19b53;hb=refs/heads/master#l800
    - https://gitlab.gnome.org/GNOME/gcr/-/blob/f3c95db45099dff288986aa367007da1e855a3d0/gcr/gcr-openpgp.c#L268
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Mon Mar 18 12:48:32 2024 +0100

    Release 3.8.4
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jan 12 17:56:58 2024 +0900

    nettle: avoid normalization of mpz_t in deterministic ECDSA
    
    This removes function calls that potentially leak bit-length of a
    private key used to calculate a nonce in deterministic ECDSA.  Namely:
    
    - _gnutls_dsa_compute_k has been rewritten to work on always
      zero-padded mp_limb_t arrays instead of mpz_t
    - rnd_mpz_func has been replaced with rnd_datum_func, which is backed
      by a byte array instead of an mpz_t value
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 29 13:52:46 2024 +0900

    gnutls_x509_trust_list_verify_crt2: remove length limit of input
    
    Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
    chain verification logic crashed with an assertion failure.  This patch
    removes the restriction while keeping the maximum number of
    retrieved certificates at DEFAULT_MAX_VERIFY_DEPTH.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
Date:   Sat Mar 16 13:48:01 2024 +0100

    Fix a few typos found by codespell
    
    Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>

Author: Stanislav Zidek <szidek@redhat.com>
Date:   Thu Mar 14 12:57:25 2024 +0100

    TLS interoperability: updated tests
    
    Signed-off-by: Stanislav Zidek <szidek@redhat.com>

Author: Stanislav Zidek <szidek@redhat.com>
Date:   Wed Mar 6 14:06:05 2024 +0100

    TLS interoperability: test actual compiled master
    
    Previously, system (fedora) version of GnuTLS was used in TLS
    interoperability tests.
    
    fedora-ktls/build was repurposed for native (as similar as possible)
    fedora build and both unit- and interop- tests are running with
    this build.
    
    Signed-off-by: Stanislav Zidek <szidek@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Mar 14 09:01:52 2024 +0900

    NEWS: Mention RSA-OAEP support [ci skip]
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Mar 10 06:58:46 2024 +0900

    x509: fix reading of MGF-1 OID
    
    asn1_read_value may return an error code as a positive integer, thus the
    previous code could lead to an access to an uninitialized value.  This is
    a regression in the RSA-OAEP support.  Spotted by oss-fuzz:
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67300
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Mar 8 12:48:09 2024 +0900

    tests: add test for RSA-OAEP cert generation with certtool
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Mon Mar 4 13:41:22 2024 +0100

    Fix mingw build on fedora
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Ramesh Adhikari <adhikari.resume@gmail.com>
Date:   Mon Mar 4 01:48:06 2024 +0000

    Fix typo in fallback _gnutls_no_log macro alias in errors.h
    
    Previously, when C99_MACROS is not defined, _gnutls_no_log was
    expanded to _gnutle_null_log and thus caused a compilation error.
    
    Reported by Andrew Lilley Brinker in:
    https://gitlab.com/gnutls/gnutls/-/issues/1530
    
    Signed-off-by: Ramesh <adhikari.resume@gmail.com>

Author: Sahil Siddiq <icegambit91@gmail.com>
Date:   Mon Mar 4 02:03:09 2024 +0530

    Remove duplicate line in eagain-common.h
    
    HANDSHAKE(c, s) has already been defined on line
    64. Hence, the macro on line 96 can be removed.
    
    Signed-off-by: Sahil Siddiq <icegambit91@gmail.com>

Author: Sahil Siddiq <icegambit91@gmail.com>
Date:   Mon Mar 4 01:46:37 2024 +0530

    tests: rewrite 'hello_retry_request' as single process
    
    Part of issue #1472.
    https://gitlab.com/gnutls/gnutls/-/issues/1472
    
    Signed-off-by: Sahil Siddiq <icegambit91@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Feb 18 07:10:53 2024 +0900

    crypto-selftests-pk: add test case for RSA-OAEP
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 20:32:53 2024 +0900

    tests: add basic test for RSA-OAEP encryption
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 18:40:00 2024 +0900

    certtool: support generating RSA-OAEP private key
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 18:39:41 2024 +0900

    abstract: plumb RSA-OAEP in the abstract key types API
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 18:39:23 2024 +0900

    x509: plumb RSA-OAEP in X.509 interface
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Feb 16 17:03:33 2024 +0900

    _gnutls_x509_decode_string: tolerate empty strings
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 18:38:44 2024 +0900

    nettle: plumb RSA-OAEP in the Nettle crypto backend
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Feb 23 09:03:46 2024 +0900

    tests: support KAT in (EC)DH tests
    
    While the logic existed, known answer tests were omitted in
    tests/dh-compute, tests/dh-compute2, tests/ecdh-compute, and
    tests/ecdh-compute2.  This enables the support for it as well as fixes
    a couple of issues in the logic: avoid using `success` variable as it
    shadows the helper function with the same name defined in
    tests/utils.h, invert the memcmp condition, and properly use peer_x
    and peer_y in place of x and y in ecdh-compute2.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 15:32:37 2024 +0900

    spki: support RSA-OAEP parameters
    
    This adds a new API gnutls_x509_spki_{get,set}_rsa_oaep_params to
    retrieve and store RSA-OAEP parameters embedded in
    SubjectPublicKeyInfo.
    
    As RSA-OAEP labels are allocated, this also adds copy and clear methods
    on the gnutls_x509_spki_st struct and uses them extensively instead of
    memcpy and memset.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 17:07:39 2024 +0900

    algorithms: register RSA-OAEP
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Feb 8 20:38:33 2024 +0900

    nettle: vendor-in RSA-OAEP implementation
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Aug 19 12:32:27 2022 +0900

    build: allow GMP to be statically linked
    
    Even though we set the custom allocator[1] to zeroize sensitive data,
    it can be easily invalidated if the application sets its own custom
    allocator.  An approach to prevent that is to link against a static
    library of GMP, so the use of GMP is privatized and the custom
    allocator configuration is not shared with other applications.
    
    This patch allows libgnutls to be linked with the static library of
    GMP.  Note that, for this to work, libgmp.a needs to be compiled with -fPIC
    and libhogweed in Nettle also needs to be linked to the static library of GMP.
    
    1. https://gitlab.com/gnutls/gnutls/-/merge_requests/1554
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Feb 15 13:29:46 2024 +0100

    tests: rename testdir of pkcs11-tool.sh
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Feb 14 12:25:25 2024 +0100

    tests: skip pkcs11-tool.sh in FIPS mode
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Xin Long <lucien.xin@gmail.com>
Date:   Thu Feb 1 17:21:05 2024 -0500

    lib: fix a potential segfault in _gnutls13_recv_finished
    
    In _gnutls13_recv_finished(), 'buf' is not initialized or set when
    _gnutls13_compute_finished() returns an error, and goto cleanup may
    cause a segfault crash as it frees the uninitialized buf.allocd in
    _gnutls_buffer_clear().
    
    So fix it by returning if _gnutls13_compute_finished() returns an error
    in _gnutls13_recv_finished().
    
    Signed-off-by: Xin Long <lucien.xin@gmail.com>

Author: Xin Long <lucien.xin@gmail.com>
Date:   Thu Feb 1 16:50:22 2024 -0500

    lib: fix a segfault in _gnutls13_recv_end_of_early_data
    
    A crash occurred in my app that uses gnutls13 early data, stack trace:
    
      #0  free (libc.so.6 + 0x97bf0)
      #1  _gnutls_buffer_clear (libgnutls.so.30 + 0x77c8c)
      #2  _gnutls13_recv_end_of_early_data (libgnutls.so.30 + 0xaf308)
      #3  _gnutls13_handshake_server (libgnutls.so.30 + 0x42d6c)
      #4  handshake_server (libgnutls.so.30 + 0x4ff6c)
    
    The root cause is that _gnutls_buffer_clear() was trying to free
    'buf' that is not initialized or set if GNUTLS_NO_END_OF_EARLY_DATA
    flag is set on server side.
    
    This patch fixes it by simply initializing buf at the beginning of
    _gnutls13_recv_end_of_early_data().
    
    Signed-off-by: Xin Long <lucien.xin@gmail.com>

Author: Avinash Sonawane <rootkea@gmail.com>
Date:   Tue Feb 13 22:39:49 2024 +0530

    lib/x509/x509.c: add missing argument to macro invocation
    
    Signed-off-by: Avinash Sonawane <rootkea@gmail.com>

Author: Avinash Sonawane <rootkea@gmail.com>
Date:   Tue Feb 13 15:07:32 2024 +0530

    lib/mpi.c: extract flag correctly
    
    Signed-off-by: Avinash Sonawane <rootkea@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Jan 27 11:09:18 2024 +0900

    serv: fix memleak when a connected client disappears
    
    Reported by Hubert Kario.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jan 23 11:54:32 2024 +0900

    ktls: fix kernel version checking using utsname
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Fri Jan 19 14:22:35 2024 +0100

    Make compression libraries dynamically loadable
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jan 16 14:51:36 2024 +0900

    Release 3.8.3
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jan 10 19:13:17 2024 +0900

    rsa-psk: minimize branching after decryption
    
    This moves any non-trivial code between gnutls_privkey_decrypt_data2
    and the function return in _gnutls_proc_rsa_psk_client_kx up until the
    decryption.  This also avoids an extra memcpy to session->key.key.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Jan 11 15:45:11 2024 +0900

    x509: detect loop in certificate chain
    
    There can be a loop in a certificate chain, when multiple CA
    certificates are cross-signed with each other, such as A → B, B → C,
    and C → A.  Previously, the verification logic was not capable of
    handling this scenario while sorting the certificates in the chain in
    _gnutls_sort_clist, resulting in an assertion failure.  This patch
    properly detects such loop and aborts further processing in a graceful
    manner.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
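Added example, not GnuTLS code: a minimal chain-ordering walk of the kind `_gnutls_sort_clist` performs, with the loop check this commit describes, run on the cross-signed A → B → C → A scenario from the message. The `cert` stand-in (subject and issuer names only), `sort_chain`, the `CHAIN_*` codes and the sample chains are constructed for this illustration and do not reflect GnuTLS's internal data structures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a certificate: only the fields chain ordering needs. */
struct cert {
    const char *subject;
    const char *issuer;
};

#define MAX_CHAIN 16

enum {
    CHAIN_EMPTY = -1,    /* no certificates supplied */
    CHAIN_TOO_LONG = -2, /* more than MAX_CHAIN certificates */
    CHAIN_LOOP = -3      /* issuer relation cycles back to a placed certificate */
};

static int find_by_subject(const struct cert *certs, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(certs[i].subject, name) == 0)
            return (int)i;
    return -1;
}

/*
 * Walk from the end-entity certificate certs[0] to its issuer, then to the
 * issuer's issuer, and so on, recording the visiting order in sorted[].
 * Returns the number of certificates placed, or a negative CHAIN_* code.
 *
 * Cross-signed CAs (A issued by B, B by C, C by A) make the issuer relation
 * cyclic. Without the placed[] check the walk would revisit A forever, or,
 * with a fixed-size output, run off the end of sorted[].
 */
static int sort_chain(const struct cert *certs, size_t n, size_t sorted[MAX_CHAIN])
{
    bool placed[MAX_CHAIN] = { false };
    size_t count = 0;
    size_t cur = 0;

    if (n == 0)
        return CHAIN_EMPTY;
    if (n > MAX_CHAIN)
        return CHAIN_TOO_LONG;

    for (;;) {
        sorted[count++] = cur;
        placed[cur] = true;

        /* A self-signed certificate ends the chain. */
        if (strcmp(certs[cur].subject, certs[cur].issuer) == 0)
            break;

        int next = find_by_subject(certs, n, certs[cur].issuer);
        if (next < 0)
            break; /* issuer not supplied; the trust list must resolve it */
        if (placed[next])
            return CHAIN_LOOP; /* the loop the commit describes: abort gracefully */
        cur = (size_t)next;
    }
    return (int)count;
}

/* Constructed sample: leaf -> B -> C, with C self-signed (given out of order). */
static int demo_valid_chain(void)
{
    const struct cert chain[] = {
        { "leaf", "B" }, { "C", "C" }, { "B", "C" },
    };
    size_t sorted[MAX_CHAIN];
    return sort_chain(chain, 3, sorted);
}

/* Constructed sample from the commit message: leaf -> A -> B -> C -> A. */
static int demo_cross_signed_loop(void)
{
    const struct cert chain[] = {
        { "leaf", "A" }, { "A", "B" }, { "B", "C" }, { "C", "A" },
    };
    size_t sorted[MAX_CHAIN];
    return sort_chain(chain, 4, sorted);
}

int main(void)
{
    printf("valid chain: %d certificates ordered\n", demo_valid_chain());
    printf("cross-signed loop: %d (CHAIN_LOOP is %d)\n",
           demo_cross_signed_loop(), CHAIN_LOOP);
    return 0;
}
```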

Author: Clemens Lang <cllang@redhat.com>
Date:   Fri Jan 12 11:12:14 2024 +0100

    fips: Zeroize temporary values
    
    The standard says "temporary value(s) generated during the integrity
    test of the module's software […] shall be zeroised from the module upon
    completion of the integrity test".
    
    That includes the computed HMAC value, which is currently not zeroized
    after the test. Add explicit calls to gnutls_memset() to fix that.
    
    Signed-off-by: Clemens Lang <cllang@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 15 10:42:26 2024 +0900

    .gitlab-ci.yml: bump cache version
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Clemens Lang <cllang@redhat.com>
Date:   Fri Jan 12 11:32:22 2024 +0100

    .gitlab-ci.yml: Adjust to Alpine Linux' clang-format path change
    
    According to Alpine Linux' package database search functionality, the
    clang16-extra-tools package now installs clang-format in
    /usr/lib/llvm16/bin/clang-format.
    
    /usr/bin/clang-format is provided by clang17-extra-tools instead, but
    requires changes in formatting. Add /usr/lib/llvm16/bin to PATH for the
    formatting script to continue using the previous version.
    
    Signed-off-by: Clemens Lang <cllang@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Jan 14 16:53:15 2024 +0900

    tests: suppress leaks in libsofthsm2
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 1 14:26:08 2024 +0900

    tests/pkcs11-tool.sh: skip if neither p11tool nor certtool is built
    
    When compiled with --disable-tools, we can't assume p11tool and
    certtool are available.  This also switches to using create_testdir and
    locates any intermediate files under a temporary directory which is
    cleaned up at exit.
    
