Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Aug 15 09:45:04 2024 +0900

    Release 3.8.7
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Aug 15 10:01:10 2024 +0900

    doc: fix menu entry for RSAES-PKCS1-v1_5 system wide configuration
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Aug 15 09:43:41 2024 +0900

    liboqs: avoid uninitialized value in pk_ops.verify_priv_params
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Aug 14 09:12:58 2024 +0900

    build: change Nettle library link order to support static linking
    
    As libhogweed uses libnettle functions such as nettle_cnd_memcpy,
    libhogweed should come before libnettle in $(LIBADD), when linked
    statically.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Aug 14 01:17:29 2024 +0900

    compress-cert: don't send bad_certificate alert manually
    
    The library API is not designed to proactively send alerts by itself,
    but it is rather a responsibility of the application to decide
    which alert to send and when.  This removes the manual call to
    gnutls_alert_send in the code handling TLS 1.3 Certificate message
    when a decompression error happens.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Andreas Metzler <ametzler@debian.org>
Date:   Sun Aug 11 15:43:45 2024 +0200

    Use openssl's -attime option instead of faketime/datefudge
    
    Signed-off-by: Andreas Metzler <ametzler@bebt.de>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Aug 12 05:54:07 2024 +0900

    tests: testdane.sh: ignore torproject.org for now
    
    danetool --check returns an error when tested against the host.  This
    temporarily disables it.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Aug 9 07:07:05 2024 +0900

    .gitlab-ci.yml: add fedora-no-liboqs/test
    
    The new fedora-no-liboqs/test exercises fedora/test without liboqs. In
    that case the hybrid-pqc-kx.sh test should be safely skipped.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Aug 9 07:04:25 2024 +0900

    dlwrap: don't assume dlopen/dlsym sets errno
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Aug 1 20:17:15 2024 +0900

    pkcs12: enable PBMAC1 by default in FIPS mode
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Aug 1 20:15:31 2024 +0900

    pkcs12: use gnutls_hmac API for MAC calculation
    
    Instead of the internal _gnutls_mac API, this switches to using
    gnutls_hmac API, which has checks on whether the algorithm is FIPS
    approved.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Aug 1 20:11:00 2024 +0900

    pkcs12: don't switch FIPS indicator upon export
    
    Now that we have a FIPS compliant MAC calculation using PBMAC1.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jul 31 09:40:44 2024 +0900

    gnutls_group_list: take public key algorithms into account
    
    Previously the function only checked if the ECC curves are
    supported. Now that hybrid key exchange with KEM is supported, it
    should also check public key systems.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 23 09:01:01 2024 +0900

    tpm2: switch to using dlwrap for loading TSS2 libraries
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jul 26 11:25:22 2024 +0900

    NEWS: mention 3.8.7 changes
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 30 07:53:18 2024 +0900

    .github/workflows: use macos-latest runner
    
    This also does:
    - update checkout action to v4
    - manually supply CFLAGS and LDFLAGS of GMP
    - point to the homebrew version of bison executable
    - supply CFLAGS and LDFLAGS of libunistring
    - install coreutils for "timeout"
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 30 15:15:30 2024 +0900

    tests: gnutls-cli-debug.sh: make timeout program configurable
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 30 13:51:55 2024 +0900

    tests: pkgconfig.sh: respect LDFLAGS
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 30 09:19:28 2024 +0900

    build: set CFLAGS as necessary
    
    When header files of optional libraries are installed in non-default
    locations, e.g., with homebrew, CFLAGS must be set so the compiler can
    find them at build time for the definition of data types and macros.
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 29 14:13:36 2024 +0900

    .gitlab-ci.yml: bump cache version
    
    To update the Debian CI image from bullseye to bookworm.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jul 26 21:48:23 2024 +0900

    .gitlab-ci.yml: use Python implementation of gnulib-tool
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 29 09:01:21 2024 +0900

    dlwrap: regenerate zlib wrapper
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 29 08:40:34 2024 +0900

    liboqs: check whether Kyber768 is compiled in
    
    In the default build configuration of liboqs 0.10.1, Kyber768 is
    disabled. This adds a guard against it and skips tests if not
    available.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jul 26 11:30:03 2024 +0900

    gnulib: update gnulib submodule
    
    Also make sure to include "config.h"; otherwise overriding headers
    from Gnulib will complain:
     In file included from inih/ini.c:14:
     ./../gl/stdio.h:71:3: error: #error "Please include config.h first."
        71 |  #error "Please include config.h first."
           |   ^~~~~
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Jul 27 09:15:10 2024 +0900

    build: ignore -Wmissing-variable-declarations for now
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jul 26 23:08:06 2024 +0900

    randomart: avoid using u_int
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jul 26 22:35:35 2024 +0900

    tests: sanity-cpp: don't use <minmax.h> from Gnulib
    
    Adding Gnulib include directory causes some conflict through indirect
    include of <pthread.h>. As sanity-cpp.cpp only uses MIN macro, we can
    simply define it by ourselves instead of including <minmax.h>.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jul 26 09:33:03 2024 +0900

    build: do not print liboqs enablement status
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jul 24 12:55:58 2024 +0900

    build: update cligen submodule
    
    This is to respect SOURCE_DATE_EPOCH and to stop using the "error"
    function from <error.h>.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 23 20:48:26 2024 +0900

    liboqs: defer loading of liboqs at run-time
    
    Instead of loading liboqs at startup, this defers it until the liboqs
    functions are actually used.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jul 24 14:42:02 2024 +0900

    nettle: run pairwise consistency test only in FIPS mode
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 23 16:08:16 2024 +0900

    build: avoid multiple definition of mpn_cnd_add_n
    
    When Nettle is built with mini-gmp, mpn_cnd_add_n is always defined in
    libhogweed and thus causes a symbol clash when linking with both
    libgnutls and the latest libgmp.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 23 16:04:56 2024 +0900

    build: link against libhogweed when checking nettle_rsa_oaep_*
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 22 14:07:28 2024 +0900

    tests: pkcs12-pbmac1: exercise extended/truncated MAC values
    
    This adds a couple of new test vectors embedding
    PFX.macData.mac.digest with extended/truncated MAC values, both of
    which should fail MAC verification.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
    Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 23 09:50:04 2024 +0900

    tests: pqc-hybrid-kx: use key and certificate in distribution
    
    The Ed25519 key and certificate in doc/credentials/x509/ are currently
    not included in the distribution.  Use the ECDSA ones in the test to
    make the test work.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 23 15:12:11 2024 +0900

    liboqs: manually load liboqs.so at startup
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 23 11:25:18 2024 +0900

    dlwrap: use different macro for library soname in generated code
    
    As GnuTLS opts in for manual initialization of dlopen'ed libraries,
    config.h shouldn't define the SONAME macro used in the generated code.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 22 10:30:11 2024 +0900

    tests: hash-large: exercise gnutls_hash_output(..., NULL)
    
    This adds a call to gnutls_hash_output with DIGEST argument as NULL to
    exercise the context reset behavior added in commit
    eced4c0c2b3d3ee6a35dab99616a25910b623f79.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 22 10:16:31 2024 +0900

    crypto-selftests-pk: only define dsa_2048_privkey if DSA is enabled
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 22 10:33:11 2024 +0900

    tests: assign unique names to temporary directories
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jul 17 12:15:06 2024 +0900

    tests: iov: fix printing of error
    
    This fixes an incorrect usage of a printf format specifier and adds
    extra length check before calling memcmp.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jul 17 12:14:24 2024 +0900

    privkey_openssl: avoid deinitializing cipher context on error path
    
    When gnutls_cipher_init returns error, the cipher handle is not
    initialized and thus shouldn't be deinitialized.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 8 15:46:13 2024 +0900

    .gitlab-ci.yml: use --with-liboqs in fedora/build
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Jun 2 07:19:14 2024 +0900

    key_share: support X25519Kyber768Draft00
    
    This implements X25519Kyber768Draft00 hybrid post-quantum key exchange
    in TLS 1.3, based on the draft:
    https://datatracker.ietf.org/doc/draft-tls-westerbaan-xyber768d00/
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 31 09:18:27 2024 +0900

    build: plumb liboqs as an optional dependency
    
    This exposes OQS functions necessary to implement Kyber768 through
    dlopen with stub implementation for lower-level cryptographic
    primitives, such as SHA3 and DRBG.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Mon Jul 8 16:13:40 2024 +0200

    Add configuration option to disable/enable DSA signing and verification
    
    DSA signing and verification is enabled by default
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 2 07:53:02 2024 +0900

    .gitlab-ci.yml: don't disable compression support in fedora/build
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Jun 29 13:36:58 2024 +0900

    build: switch to using dlwrap for loading compression libraries
    
    This switches the logic to load compression libraries from the
    hand-written code to the automatically generated code by the dlwrap
    tool[1], which enables selecting whether to use dlopen or link to the
    library at build time.
    
    1. https://crates.io/crates/dlwrap
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Jun 29 13:34:36 2024 +0900

    build: detect SONAME for compression libraries at configure
    
    Instead of hard-coding the SONAMEs for zlib, libzstd, libbrotlienc,
    and libbrotlidec, this checks the actual SONAMEs at configure time, so
    the first argument of dlopen is more accurate when a SONAME is bumped.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Jul 6 11:59:08 2024 +0900

    build: check if dlopen(SONAME) works in configure
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Jun 29 09:52:55 2024 +0900

    m4: factor out soname check into a separate macro
    
    This moves the SONAME detection from configure.ac to m4/hooks.m4 as
    the LIBGNUTLS_CHECK_SONAME macro. The new macro doesn't implicitly
    set *_LIBRARY_SONAME to "none", so the callers need to adjust
    themselves depending on whether the macro is defined.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Tue Jul 2 16:00:40 2024 +0200

    Release 3.8.6
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Tue Jul 2 17:13:21 2024 +0200

    Make asm-sources
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Thu Jun 20 09:00:49 2024 -0500

    aarch64: no lint asm block
    
    For clang-format, have it ignore the asm block in the header.
    
    Fixes:
    clang-format --dry-run lib/accelerated/aarch64/aarch64-common.h
    lib/accelerated/aarch64/aarch64-common.h:109:13: warning: code should be clang-formatted [-Wclang-format-violations]
    .pushsection .note.gnu.property, "a";
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Jun 19 14:40:23 2024 +0200

    test/cert-tests: use --attime in more tests
    
    With this change, building should be fine until 2049
    on platforms with 64-bit time_t.
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Jun 19 14:39:53 2024 +0200

    tests: use --attime in more tests
    
    With this change, building should build fine until 2039
    on platforms with 64-bit time_t.
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Jun 20 14:37:01 2024 +0200

    tests/Makefile: expose ac_cv_sizeof_time_t
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Stanislav Zidek <szidek@redhat.com>
Date:   Tue Jun 11 17:23:11 2024 +0200

    tls-interoperability: workaround for openssl CCM8
    
    CCM8 moved to SECLEVEL=0 in openssl
    
    Signed-off-by: Stanislav Zidek <szidek@redhat.com>

Author: Stanislav Zidek <szidek@redhat.com>
Date:   Fri May 31 10:50:42 2024 +0200

    remove obsolete testcompat-openssl-* tests
    
    These tests are superseded by tls-interoperability/ test suite
    with the exception of 0-RTT (--earlydata) tests.
    
    Signed-off-by: Stanislav Zidek <szidek@redhat.com>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Mon Jun 10 12:16:53 2024 -0500

    lib/accelerated: add CFLAGS to aarch64/elf
    
    When building with certain cflags, like -mbranch-protection=standard,
    the assembly generation needs to get the CFLAGS to enable assembler
    level features. Without this, closing PAC/BTI feature support will not
    be completed.
    
    Example:
    export CFLAGS='-mbranch-protection=standard'
    export CPPFLAGS='-mbranch-protection=standard'
    # not needed, just for error reporting
    export LDFLAGS='-Wl,-zforce-bti,--fatal-warnings'
    ./bootstrap
    ./configure --with-included-libtasn1 --with-included-unistring
    make asm-sources
    make -j4
    readelf -n ./lib/.libs/libgnutls.so
    
    Displaying notes found in: .note.gnu.property
      Owner                Data size        Description
      GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
          Properties: AArch64 feature: BTI, PAC
    <snip>
    
    readelf -n ./lib/.libs/libgnutlsxx.so
    
    Displaying notes found in: .note.gnu.property
      Owner                Data size        Description
      GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
          Properties: AArch64 feature: BTI, PAC
    <snip>
    
    Related to: #1517
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Mon Jun 10 12:46:09 2024 -0500

    lib/accelerated: add missing space on pushsection
    
    Missing a space between pushsection and the section name.
    
    Results in this error:
    lib/accelerated/aarch64/aarch64-common.h:109: Error: unknown pseudo-op: `.pushsection.note.gnu.property'
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Jun 6 10:51:56 2024 +0900

    tls-fuzzer: move SSL3 specific tests to gnutls-nocert-ssl3.json
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Jun 6 09:30:13 2024 +0900

    tests: skip pthreads tests when cross compiling
    
    These tests hang under qemu-user-static on Fedora 40.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jun 5 16:33:16 2024 +0900

    tests: testcompat-openssl-tls13: explicitly allow CCM8 ciphersuites
    
    Since OpenSSL 3.2, CCM8 is only allowed in security level 0. This
    tweaks test scripts to explicitly enable this level but only enable
    TLS 1.3 to exclude any TLS 1.2 ciphersuites.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jun 5 10:48:38 2024 +0900

    build: indent code using Clang 18
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jun 5 10:43:02 2024 +0900

    tests: dtls/dtls-stress: silence -Wcalloc-transposed-args warning
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jun 5 10:39:38 2024 +0900

    tests: mini-global-init: include <stdlib.h> for exit on Windows
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jun 5 06:50:27 2024 +0900

    .gitlab-ci.yml: switch to using Fedora 40
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jun 4 09:31:31 2024 +0900

    tests: add missing global_init/gnutls_global_deinit for MinGW
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jun 4 11:29:50 2024 +0900

    .gitlab-ci.yml: restore MinGW tweaks
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jun 4 10:37:40 2024 +0900

    .gitlab-ci.yml: bump cache version
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Fri Feb 2 14:05:55 2024 -0600

    lib/accelerated: update asm and enable PAC/BTI
    
    Update the asm sources generated from devel/openssl which have the BTI
    and PAC support. Add the -mbranch-protection=standard build flag to the
    generated sources. On older machines that don't have support, the
    options are in the NOP space and will be NOP'd; on architectures with
    support the instructions are executed as expected.
    
    Note that this updates the ELF GNU NOTES section to indicate that BTI
    and PAC are enabled. For BTI this must be in all the ELF files loaded
    and linked or the feature is disabled as all execution segments need it.
    
    After updating the asm sources via make asm-sources, you can build and
    get a PAC/BTI enabled binary and test via the testsuite to verify.
    
    readelf -n ./lib/.libs/libgnutls.so
    
    Displaying notes found in: .note.gnu.property
      Owner                Data size        Description
      GNU                  0x00000010       NT_GNU_PROPERTY_TYPE_0
          Properties: AArch64 feature: BTI, PAC
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Fri Feb 2 14:04:29 2024 -0600

    cfg.mk: add common headers used for asm gen
    
    The common headers are needed when generating the assembly, so make them
    dependencies of the build target.
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Fri Feb 2 12:39:25 2024 -0600

    openssl: update 3.2.1
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Bill Roberts <bill.roberts@arm.com>
Date:   Tue Feb 6 08:11:33 2024 -0600

    ci: ignore parse errors from gcovr
    
    The documentation for gcovr suggests this as a workaround to a bug in gcovr
    that causes negative hit values, which is impossible, and is not accepted by
    default and will cause the CI to fail:
      -  https://gcovr.com/en/stable/guide/gcov_parser.html
    
    To correct this, add option:
      -gcov-ignore-parse-errors=negative_hits.warn_once_per_file
    
    Signed-off-by: Bill Roberts <bill.roberts@arm.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Jun 2 16:50:06 2024 +0900

    nettle: add a way to reset hash context
    
    This makes gnutls_hash_output just reset the hash context without
    calling out Nettle's hash digest function if DIGEST argument is NULL.
    That is particularly useful when used with SHAKE, as its _shake_output
    function marks ctx->index in a special way indicating incremental
    output is in progress.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 1 12:51:38 2024 +0900

    .gitlab-ci.yml: switch to using Fedora 39
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 15 09:02:47 2024 +0900

    .gitlab-ci.yml: temporarily disable implicit library init on MinGW64
    
    This doesn't seem to work on the latest Wine 8.19.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 1 12:57:55 2024 +0900

    .gitlab-ci.yml: indent code using Clang 17
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Jan 14 16:57:11 2024 +0900

    tests: update tlslite-ng submodule for Python asyncore deprecation
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Jun 2 09:12:15 2024 +0900

    nettle: avoid symbol clash in sha3-shake.h
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed May 29 17:41:36 2024 +0900

    algorithms: expose SHAKE from public API
    
    This adds a new function gnutls_hash_squeeze, which works similarly to
    gnutls_hash_output but enables retrieving output of arbitrary length.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed May 29 17:40:55 2024 +0900

    nettle: vendor-in SHAKE implementation
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed May 29 10:13:53 2024 +0900

    devel: update nettle submodule
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 17 10:34:46 2024 +0900

    shuffle_exts: avoid theoretical wrap around of unsigned integer
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Apr 30 22:28:29 2024 +0900

    load_dir_certs: avoid memleak
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed May 15 10:17:41 2024 +0900

    nettle: utilize nettle_cbc_aes*_encrypt for performance
    
    While CBC encryption is inherently slow for lack of parallelism,
    Nettle >= 3.8 provides specialized AES-CBC encryption functions to
    improve performance by avoiding multiple calls to block cipher
    initialization. This patch makes GnuTLS use those functions if
    available.
    
    Here are the results of benchmark:
    
    * GNUTLS_CPUID_OVERRIDE=0x1, without nettle_cbc_aes*_encrypt:
    
      Checking cipher-MAC combinations, payload size: 16384
              AES-128-CBC-SHA1 0.90 GB/sec
              AES-128-CBC-SHA256 0.88 GB/sec
    
      Checking ciphers, payload size: 16384
                   AES-128-CBC 1.56 GB/sec
    
    * GNUTLS_CPUID_OVERRIDE=0x1, with nettle_cbc_aes*_encrypt:
    
      Checking cipher-MAC combinations, payload size: 16384
              AES-128-CBC-SHA1 1.08 GB/sec
              AES-128-CBC-SHA256 1.05 GB/sec
    
      Checking ciphers, payload size: 16384
                   AES-128-CBC 2.16 GB/sec
    
    * GNUTLS_CPUID_OVERRIDE unset:
    
      Checking cipher-MAC combinations, payload size: 16384
              AES-128-CBC-SHA1 1.13 GB/sec
              AES-128-CBC-SHA256 1.05 GB/sec
    
      Checking ciphers, payload size: 16384
                   AES-128-CBC 2.24 GB/sec
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Apr 30 10:17:37 2024 +0900

    Support PBMAC1 usage in PKCS#12
    
    This allows usage of PBMAC1 as the MAC to verify a PKCS#12 structure,
    following draft-ietf-lamps-pkcs12-pbmac1[1]. While the MAC
    verification is transparent, the generation requires a new API
    gnutls_pkcs12_generate_mac3 to be used with the
    GNUTLS_PKCS12_USE_PBMAC1 flag.
    
    certtool has also been extended with the --pbmac1 option, which can be
    used in combination with --to-p12.
    
    1. https://datatracker.ietf.org/doc/draft-ietf-lamps-pkcs12-pbmac1/
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 14 12:40:38 2024 +0900

    gnutls_pkcs12_generate_mac2: factor out mac generation logic
    
    This would allow us to easily implement PBMAC1 usage in PKCS#12.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 14 11:09:21 2024 +0900

    pkcs7-crypt: output keyLength in PBKDF2 only if it is greater than 0
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 14 10:48:43 2024 +0900

    pkcs7-crypt: use _gnutls_x509_write_uint32 where possible
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 14 10:24:03 2024 +0900

    _gnutls_x509_read_uint: accept values greater than 0x7FFFFFFF
    
    _gnutls_x509_read_uint previously only accepted integer values encoded
    in 4 bytes without checking if the first byte indicates a negative
    integer in 2's complement format.  This adds the check and also avoids
    unnecessary memory allocation.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 10 14:57:32 2024 +0900

    .gitlab-ci.yml: run fedora-threadsan/build without ASLR
    
    ThreadSanitizer doesn't cope well with newer kernel (>= 6.6.x) when
    ASLR is enabled:
    https://github.com/google/sanitizers/issues/1716
    
    This disables ASLR locally around the fedora-threadsan tasks.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 10 09:05:01 2024 +0900

    .gitlab-ci.yml: Bump cache version
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu May 9 23:29:30 2024 +0900

    .gitlab-ci.yml: use correct tag for GitLab 1.70 deployment
    
    The "shared", "linux", and "docker" tags we use to select shared CI
    runners are consolidated into "saas-linux-small-amd64" in GitLab 1.70:
    https://docs.gitlab.com/ee/update/deprecations.html#removal-of-tags-from-small-saas-runners-on-linux
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon May 6 07:46:29 2024 +0900

    build: fix confusions between libtasn1 and GnuTLS error codes
    
    libtasn1 error codes returned from asn1_{read,write}_value are always
    positive. Check against ASN1_SUCCESS instead.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Kai Pastor <dg0yt@darc.de>
Date:   Wed Apr 24 07:36:22 2024 +0200

    Fix configuration with multi-word GMP_LIBS.
    
    Signed-off-by: Kai Pastor <dg0yt@darc.de>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Thu Apr 11 17:53:06 2024 +0200

    Prevent GCOVR from returning NegativeHits exception
    
    see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68080
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Wed Apr 10 12:51:33 2024 +0200

    Fix RSAES-PKCS1-v1_5 system-wide configuration
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Wed Apr 3 13:03:21 2024 +0200

    Release 3.8.5
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Zoltan Fridrich <zfridric@redhat.com>
Date:   Tue Mar 26 11:48:58 2024 +0100

    Add option to disable RSAES-PKCS1-v1_5
    
    A new option `allow-rsa-pkcs1-encrypt` has been added into the
    system-wide library configuration which allows enabling/disabling
    RSAES-PKCS1-v1_5. Currently, RSAES-PKCS1-v1_5 is enabled
    by default.
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Alyssa Ross <hi@alyssa.is>
Date:   Mon Mar 25 10:17:29 2024 +0000

    Mangle/hide GNUTLS-built nettle_rsa_compute_root_tr()
    
