Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon May 24 09:20:58 2021 +0200

    Release 3.6.16
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon May 24 09:37:30 2021 +0200

    devel: regenerate abidw dump files
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri May 14 08:26:37 2021 +0200

    serv: stop setting AI_ADDRCONFIG on getaddrinfo
    
    AI_ADDRCONFIG is only useful when the NODE argument is given in the
    getaddrinfo call, as described in RFC 3493 6.1.  Suggested by Andreas
    Metzler in:
    https://gitlab.com/gnutls/gnutls/-/issues/1007#note_356637206
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Apr 2 16:01:21 2021 +0200

    nettle: port upstream hardening of EC point multiplication
    
    Some internal functions used in point multiplications are known to
    misbehave if the scalar is out-of-range.  This performs canonical
    reduction on scalars, before point multiplication.
    
    This ports the fixes from Nettle upstream to the bundled EC code.
    See the Nettle 3.7.2 release announcement for details:
    https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009458.html
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Mar 10 16:12:23 2021 +0100

    str: suppress -Wunused-function if AGGRESSIVE_REALLOC is defined
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Mar 10 16:11:29 2021 +0100

    _gnutls_buffer_resize: account for unused area if AGGRESSIVE_REALLOC
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jan 29 14:06:50 2021 +0100

    pre_shared_key: avoid use-after-free around realloc
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jan 29 14:06:32 2021 +0100

    key_share: avoid use-after-free around realloc
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Mar 9 13:41:59 2021 +0100

    _gnutls_buffer_resize: add option to use simpler allocation logic
    
    This helps detect common mistakes[1] in realloc usage with valgrind,
    where the caller assumes that the original ptr is always returned.
    
    1. https://bugzilla.mozilla.org/show_bug.cgi?id=1377618
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
    Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>
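
As an added illustration of the realloc-misuse detection this commit describes (example code written here, not GnuTLS's own; `struct buf`, `buf_resize`, `append_with_len_prefix` and the `aggressive` flag are hypothetical stand-ins for the AGGRESSIVE_REALLOC option): the aggressive mode always moves the block, so a caller that cached a pointer across a resize would touch freed memory and be reported by valgrind or ASan, while the offset-based caller shown stays correct in both modes.

```c
/* Added example, not GnuTLS code; all names are hypothetical.  Growable
 * buffer with a normal (realloc) and an "aggressive" (always move) mode. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct buf {
	uint8_t *data;
	size_t length;    /* bytes in use */
	size_t max;       /* bytes allocated */
	bool aggressive;  /* always move the block on resize (test aid) */
	unsigned moves;   /* resizes that changed the address */
};

static void buf_clear(struct buf *b)
{
	if (b->data) {
		memset(b->data, 0, b->max);  /* wipe before release */
		free(b->data);
	}
	memset(b, 0, sizeof *b);
}

/* Make room for `needed` more bytes after b->length.  Returns 0 or -1; on
 * failure the buffer is untouched and still owned by `b`. */
static int buf_resize(struct buf *b, size_t needed)
{
	uint8_t *old = b->data, *fresh;
	uintptr_t before = (uintptr_t)old;
	size_t want, newmax;

	if (needed > SIZE_MAX / 2 - b->length) return -1;
	want = b->length + needed;
	if (b->aggressive) {
		/* Exact-size block, allocated while the old one is still live, so
		 * the addresses necessarily differ and no slack hides bugs. */
		fresh = malloc(want ? want : 1);
		if (!fresh) return -1;
		if (old) {
			memcpy(fresh, old, b->length);
			memset(old, 0xAA, b->max);  /* poison stale reads */
			free(old);
			b->moves++;
		}
		b->data = fresh; b->max = want;
		return 0;
	}
	if (want <= b->max) return 0;  /* enough slack, address unchanged */
	for (newmax = b->max ? b->max : 64; newmax < want; newmax *= 2)
		;  /* cannot overflow: want <= SIZE_MAX / 2 */
	fresh = realloc(old, newmax);
	if (!fresh) return -1;
	if (old && (uintptr_t)fresh != before) b->moves++;
	b->data = fresh; b->max = newmax;
	return 0;
}

static int buf_append(struct buf *b, const void *p, size_t len)
{
	if (buf_resize(b, len) < 0) return -1;
	memcpy(b->data + b->length, p, len);
	b->length += len;
	return 0;
}

/* Append a TLS-style 16-bit length prefix plus body.  The prefix slot is
 * kept as an OFFSET and re-derived after the body append, which may move
 * b->data; caching `b->data + pos` across it is the realloc mistake. */
static int append_with_len_prefix(struct buf *b, const void *body, size_t len)
{
	size_t pos = b->length;
	const uint8_t zero[2] = { 0, 0 };

	if (len > 0xffff) return -1;
	if (buf_append(b, zero, 2) < 0 || buf_append(b, body, len) < 0)
		return -1;
	b->data[pos] = (uint8_t)(len >> 8);
	b->data[pos + 1] = (uint8_t)(len & 0xff);
	return 0;
}

/* Build two prefixed records (constructed input) in the given mode, verify
 * the bytes and return how many resizes moved the block, or -1 on error. */
static int demo(bool aggressive)
{
	static const uint8_t expect[] =
		{ 0, 5, 'h', 'e', 'l', 'l', 'o', 0, 3, 'a', 'b', 'c' };
	struct buf b = { 0 };
	int moves = -1;

	b.aggressive = aggressive;
	if (append_with_len_prefix(&b, "hello", 5) == 0 &&
	    append_with_len_prefix(&b, "abc", 3) == 0 &&
	    b.length == sizeof expect && memcmp(b.data, expect, sizeof expect) == 0)
		moves = (int)b.moves;
	buf_clear(&b);
	return moves;
}
```

Under valgrind or -fsanitize=address, `demo(true)` moves the block on every append, so any caller that had cached `b->data` across an append would be reported as an invalid access; `demo(false)` grows once to 64 bytes and never moves.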

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Mar 9 13:07:26 2021 +0100

    gnutls_buffer_append_data: remove duplicated code
    
    The function shared the same logic as in _gnutls_buffer_resize.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Apr 3 06:27:50 2021 +0200

    gnulib: parse-datetime: port build fixes from upstream gnulib
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Fiona Klute <fiona.klute@gmx.de>
Date:   Thu Jan 7 20:29:54 2021 +0100

    Update year of copyright notices in doc/gnutls.texi
    
    Static analysis in CI checks if this is up to date, and fails if
    not. This fixes the failure.
    
    Signed-off-by: Fiona Klute <fiona.klute@gmx.de>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Dec 28 16:16:53 2020 +0100

    testpkcs11: use datefudge to trick certificate expiry
    
    The certificates stored in tests/testpkcs11-certs expired on
    2020-12-13.  To avoid verification failure due to that, use datefudge
    to set a custom date when calling gnutls-cli, gnutls-serv, and certtool.
    
    Based on the patch by Andreas Metzler:
    https://gitlab.com/gnutls/gnutls/-/issues/1135#note_469682121
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Stefan Berger <stefanb@linux.ibm.com>
Date:   Mon Dec 21 09:36:47 2020 -0500

    tests: Fix tpmtool_test due to changes in trousers
    
    Recent changes to trousers now require an ownership of root:tss for
    the tcsd config file, older ones require tss:tss. So, start tcsd
    using trial and error with either one of these ownership configurations
    until one works.
    
    Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Sep 4 08:39:00 2020 +0200

    Release 3.6.15
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Aug 22 17:19:39 2020 +0200

    handshake: reject no_renegotiation alert if handshake is incomplete
    
    If the initial handshake is incomplete and the server sends a
    no_renegotiation alert, the client should treat it as a fatal error
    even if its level is warning.  Otherwise the same handshake
    state (e.g., DHE parameters) is reused in the next gnutls_handshake
    call, if it is called in the loop idiom:
    
      do {
              ret = gnutls_handshake(session);
      } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Sep 3 09:51:16 2020 +0200

    NEWS: Mention 3.6.15 changes
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Aug 16 11:43:35 2020 +0200

    handshake: check TLS version against modified server priorities
    
    The server needs to take into account multiple factors when
    determining the TLS protocol version actually being used:
    - the legacy version
    - "supported_versions" extension
    - user_hello_func that may modify the server's priorities
    
    Only after that can it check whether the TLS version is enabled in the
    server's priorities.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Aug 13 18:17:08 2020 +0200

    gnutls_aead_cipher_decrypt: check output buffer size before writing
    
    While the documentation of gnutls_aead_cipher_decrypt indicates that
    the inout argument ptext_len initially holds the size that
    sufficiently fits the expected output size, there was no runtime check
    on that.  This makes the interface more robust against misuses.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Aug 16 18:23:24 2020 +0200

    gnutls_x509_crt_export2: return 0 instead of the length
    
    This aligns the behavior to the documentation.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Aug 13 15:56:20 2020 +0200

    minitasn1: move WARN_CFLAGS setting to configure.ac
    
    Some compilers don't support -Wno-type-limits, while they support
    -Wtype-limits.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Jun 4 16:42:07 2020 +0200

    _gnutls_fips_mode_enabled: treat selftest failure as FIPS disabled
    
    Previously gnutls_fips140_mode_enabled() returned true, even after
    selftests have failed and the library state has switched to error.
    While later calls to crypto operations fail, it would be more
    convenient to have a function to detect that state.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Aug 12 08:10:51 2020 +0200

    doc: assorted typo fixes
    
    Spotted by codespell.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Aug 12 07:29:30 2020 +0200

    serv, cli: ensure that invalid flag is always set
    
    According to the documentation, the GNUTLS_CERT_INVALID flag must
    always be set in case of verification failure, together with the flag
    indicating the actual error cause.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Aug 12 07:27:17 2020 +0200

    cert-session: fail hard if mandatory stapling is not honored
    
    According to the documentation, the GNUTLS_CERT_INVALID flag must
    always be set in case of verification failure, together with the flag
    indicating the actual error cause.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Steve Lhomme <robux4@ycbcr.xyz>
Date:   Wed Jul 15 09:34:19 2020 +0200

    mangle gnutls-built ecc_scalar_random
    
    GNUTLS builds ecc-random.c but ecc_scalar_random() is a public API. So we
    mangle the internal version we build.
    
    ecc_mod_random is unaffected as it's an internal API that is mangled by GNUTLS.
    
    Fixes #1016
    
    Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>

Author: Petr Pavlu <petr.pavlu@suse.com>
Date:   Wed Jul 8 10:12:30 2020 +0200

    pubkey: avoid spurious audit messages from _gnutls_pubkey_compatible_with_sig()
    
    When checking in _gnutls_pubkey_compatible_with_sig() whether a public
    key is compatible with a signature algorithm, run first
    pubkey_supports_sig() before performing weaker checks that can accept
    the given algorithm but with an audit-log warning. This avoids an issue
    when a weaker check would log an audit message for some signature
    algorithm that would then be determined as incompatible by the
    pubkey_supports_sig() check anyway.
    
    For instance, a GnuTLS server might have a certificate with a SECP384R1
    public key and a client can report that it supports
    ECDSA-SECP256R1-SHA256 and ECDSA-SECP384R1-SHA384. In such a case, the
    GnuTLS server will eventually find that it must use
    ECDSA-SECP384R1-SHA384 with this public key. However, the code would
    first run _gnutls_pubkey_compatible_with_sig() to check if SECP384R1 is
    compatible with ECDSA-SECP256R1-SHA256. The function would report the
    audit warning "The hash size used in signature (32) is less than the
    expected (48)" but then reject the signature algorithm in
    pubkey_supports_sig() as incompatible because it has a different curve.
    Since the algorithm gets rejected it is not necessary to inform about
    its hash size difference in the audit log.
    
    Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Jul 18 08:26:48 2020 +0200

    ecdh: perform SP800-56A rev3 full pubkey validation on keygen
    
    This implements full public key validation required in
    SP800-56A rev3, section 5.6.2.3.3.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jul 17 17:47:06 2020 +0200

    dh: perform SP800-56A rev3 full pubkey validation on keygen
    
    This implements full public key validation required in SP800-56A rev3,
    section 5.6.2.3.1.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jul 17 17:45:17 2020 +0200

    dh-primes: make the FIPS approved check return Q value
    
    This is necessary for full public key validation in
    SP800-56A (revision 3), section 5.6.2.3.1.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jul 10 09:42:30 2020 +0200

    ecdh: check validity of P before export
    
    SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of
    the calculated shared secret is verified before the data is returned
    to the caller.  This patch adds the validation check.
    
    Suggested by Stephan Mueller.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jul 10 09:35:49 2020 +0200

    dh: check validity of Z before export
    
    SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the
    calculated shared secret is verified before the data is returned to the
    caller.  This patch adds the validation check.
    
    Suggested by Stephan Mueller.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: James Bottomley <James.Bottomley@HansenPartnership.com>
Date:   Sun Jun 28 21:33:09 2020 +0200

    build: use $(LIBPTHREAD) rather than non-existent $(LTLIBPTHREAD)
    
    On a very recent openSUSE build, libgnutls is getting built without
    libpthread. This caused a thread related error when trying to load a
    pkcs11 module that uses threading. The reason is rather convoluted:
    glibc actually controls all the pthread_ function calls, but it
    returns success without doing anything unless -lpthread is in the link
    list. What's happening is that gnutls_system_mutex_init() is being
    called on _gnutls_pkcs11_mutex before library pthreading is
    initialized, so the pthread_mutex_init ends up being a nop. Then, when
    the pkcs11 module is loaded, pthreads get initialized and the call to
    pthread_mutex_lock is real, but errors out on the uninitialized mutex.
    
    The problem seems to be that nothing in the gnulib macros gnutls
    relies on for threading support detection actually sets LTLIBPTHREAD;
    they only set LIBPTHREAD. The fix is to use LIBPTHREAD in
    lib/Makefile.in.
    
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Sun Jun 14 23:31:27 2020 +0300

    .gitlab-ci: disable config.cache for nettle-master builds
    
    Disable usage of config.cache for nettle-master builds. Such
    config.cache files can easily become stale, thus resulting in build
    failures.
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Fri Jul 3 14:54:17 2020 +0200

    tests: split up system-override-sig-hash.sh
    
    Split up system-override-sig-hash.sh
    so that the errors won't get swallowed or conflated.
    Also correct unused `srcdir` to `builddir`,
    which I believe was meant to be set there.
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Steve Lhomme <robux4@ycbcr.xyz>
Date:   Mon Jun 22 09:09:05 2020 +0200

    fix connectx not available on older macOS SDK
    
    Fixes this compilation error:
    system/fastopen.c:134:9: error: 'connectx' is only available on macOS 10.11 or newer [-Werror,-Wunguarded-availability]
                    ret = connectx(fd, &endpoints, SAE_ASSOCID_ANY, CONNECT_RESUME_ON_READ_WRITE | CONNECT_DATA_IDEMPOTENT, NULL, 0, NULL, NULL);
                          ^~~~~~~~
    /Applications/Xcode9.2.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/usr/include/sys/socket.h:713:5: note: 'connectx' has been marked as being introduced in macOS 10.11 here, but the deployment target is macOS 10.7.0
    
    The detection is the same as found in curl [1].
    
    If HAVE_BUILTIN_AVAILABLE is not available we fall back to the code without
    TCP_FASTOPEN_OSX.
    
    The OS values match exactly the values found in
    https://opensource.apple.com/source/xnu/xnu-4570.41.2/bsd/sys/socket.h
    
    [1] https://github.com/curl/curl/commit/870d849d48a26b8eeb0d4bb1f4655367a4a191ca
    
    Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun Jun 21 16:03:54 2020 +0200

    safe_memcmp: remove in favor of gnutls_memcmp
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jun 26 10:21:26 2020 +0200

    dhe: check if DH params in SKE match the FIPS approved algorithms
    
    SP800-56A rev. 3 restricts the FIPS compliant clients to use only
    approved DH parameters, defined in RFC 7919 and RFC 3526.  This adds a
    check in the handling of ServerKeyExchange if DHE is negotiated.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jun 26 09:43:02 2020 +0200

    dh-primes: add MODP primes from RFC 3526
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Fiona Klute <fiona.klute@gmx.de>
Date:   Sun Jun 14 12:52:46 2020 +0200

    Wipe session ticket keys before releasing the session structure
    
    This includes both a copy of the master key and one or two derived
    keys, all of which could be used to decrypt session tickets if
    stolen. The derived keys could only be used for tickets issued within
    a certain time frame (by default several hours).
    
    The documentation for gnutls_session_ticket_enable_server() already
    states that the master key should be wiped before releasing it, and
    the same should apply to internal copies.
    
    Signed-off-by: Fiona Klute <fiona.klute@gmx.de>

Author: Lei Maohui <leimaohui@cn.fujitsu.com>
Date:   Mon Jun 8 16:15:07 2020 +0900

    Modified the license to GPLv2.1+ to keep with LICENSE file.
    
    Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>

Author: Fiona Klute <fiona.klute@gmx.de>
Date:   Tue Jun 16 21:23:14 2020 +0200

    Update tlsfuzzer to get Python interpreter detection
    
    Tlsfuzzer also assumed the Python interpreter would be called
    "python"; this update is necessary to get a fixed version (see
    https://github.com/tomato42/tlsfuzzer/pull/671).
    
    Signed-off-by: Fiona Klute <fiona.klute@gmx.de>

Author: Fiona Klute <fiona.klute@gmx.de>
Date:   Tue Jun 16 20:48:44 2020 +0200

    Detect Python interpreter instead of assuming "python"
    
    This makes the extended test suite work on Debian(-ish) systems
    without Python 2, where the Python 3 interpreter is called "python3".
    
    Signed-off-by: Fiona Klute <fiona.klute@gmx.de>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jun 12 16:50:14 2020 +0200

    .gitlab-ci.yml: bump configure cache version
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jun 12 11:34:38 2020 +0200

    .gitignore: ignore more files
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jun 12 11:32:58 2020 +0200

    build: avoid -Wenum-conversion warnings with GCC 10
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daniel Lenski <dlenski@gmail.com>
Date:   Sun May 17 14:50:47 2020 -0700

    refine tests for ancient servers which support both SSL 3.0 and TLS 1.0, but both only with %NO_EXTENSIONS
    
    This is a follow-up to !1221.
    
    See #958 and https://gitlab.com/openconnect/openconnect/-/issues/145 for a
    real-world example of ancient Cisco servers with these deficiencies.
    
    With !1221 only, gnutls-cli-debug reports that these ancient servers only support
    SSL 3.0 (but without extensions). Information after this point is
    largely erroneous:
    
        $ gnutls-cli-debug ***vpn.***.com
        GnuTLS debug client 3.6.12
        Checking ***vpn.***.com:443
        whether the server accepts default record size (512 bytes)... no
                          whether %ALLOW_SMALL_RECORDS is required... no
                                     for SSL 3.0 (RFC6101) support... yes
                                       for SSL 3.0 with extensions... no
    
    With this additional change, gnutls-cli-debug correctly reports that such a
    server also supports TLS 1.0 (but again with extensions disabled). Below
    I've marked some of the significant fields that have changed:
    
        $ gnutls-cli-debug ***vpn.***.com
        GnuTLS debug client 3.6.12
        Checking ***vpn.***.com:443
        whether the server accepts default record size (512 bytes)... no
                          whether %ALLOW_SMALL_RECORDS is required... no
                                     for SSL 3.0 (RFC6101) support... yes
                                       for SSL 3.0 with extensions... no
                                whether we need to disable TLS 1.2... yes
                                whether we need to disable TLS 1.1... yes
        # This is now correct:
                                whether we need to disable TLS 1.0... no
        # This is now correct:
                                whether %NO_EXTENSIONS is required... yes
        # This is now correct:
                                     for TLS 1.0 (RFC2246) support... yes
                                     for TLS 1.1 (RFC4346) support... no
                                          fallback from TLS 1.1 to... failed
                                     for TLS 1.2 (RFC5246) support... no
        # This is now correct:
                            for known TLS or SSL protocols support... yes
                               TLS1.2 neg fallback from TLS 1.6 to... failed (server requires fallback dance)
                      for inappropriate fallback (RFC7507) support... no
                                             for HTTPS server name... ******
                                       for certificate chain order... sorted
                             for Safe renegotiation support (SCSV)... no
                               for version rollback bug in RSA PMS... no
                          for version rollback bug in Client Hello... no
                    whether the server ignores the RSA PMS version... no
        whether small records (512 bytes) are tolerated on handshake... yes
            whether cipher suites not in SSL 3.0 spec are accepted... yes
        whether a bogus TLS record version in the client hello is accepted... yes
                 whether the server understands TLS closure alerts... partially
                    whether the server supports session resumption... yes
                              for anonymous authentication support... no
                              for ephemeral Diffie-Hellman support... no
                                for RFC7919 Diffie-Hellman support... no
                              for AES-GCM cipher (RFC5288) support... no
                              for AES-CCM cipher (RFC6655) support... no
                            for AES-CCM-8 cipher (RFC6655) support... no
                              for AES-CBC cipher (RFC3268) support... no
                         for CAMELLIA-GCM cipher (RFC6367) support... no
                         for CAMELLIA-CBC cipher (RFC5932) support... no
        # This is now correct:
                             for 3DES-CBC cipher (RFC2246) support... yes
        # This is now correct:
                          for ARCFOUR 128 cipher (RFC2246) support... yes
                    for CHACHA20-POLY1305 cipher (RFC7905) support... no
        for GOST28147-CNT cipher (draft-smyshlyaev-tls12-gost-suites) support... no
                                               for MD5 MAC support... yes
                                              for SHA1 MAC support... yes
                                            for SHA256 MAC support... no
        for GOST28147-IMIT MAC (draft-smyshlyaev-tls12-gost-suites) support... no
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jun 9 10:44:57 2020 +0200

    tests/cert-test/invalid-sig: use datefudge to test expired certs
    
    Suggested by Andreas Metzler in:
    https://gitlab.com/gnutls/gnutls/-/issues/1021
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jun 9 10:41:18 2020 +0200

    tests: check_for_datefudge: don't exit the test programs
    
    This makes check_for_datefudge not immediately exit the program,
    but return non-zero to allow the tests themselves to control the
    behavior when "datefudge" is not found.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jun 8 06:45:24 2020 +0200

    configure.ac: prefer the latest version of build infrastructure
    
    AM_GNU_GETTEXT_REQUIRE_VERSION tells autopoint to copy the latest
    possible build infrastructure installed on the system, rather than the
    fixed version from the archive.dir.tar.xz.  This makes the
    bootstrapping slightly faster and allows us not to stick with the
    ancient gettext version.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Vitezslav Cizek <vcizek@suse.com>
Date:   Tue Jun 9 13:54:04 2020 +0200

    configure: improve nettle, gmp, and hogweed soname detection
    
    Some linkers might optimize away the libraries passed on the
    command line if they aren't actually needed, such as gnu ld with
    --as-needed.
    The ldd output then won't list the shared libraries and the
    detection will fail.
    Make sure nettle and others are really used.
    
    Signed-off-by: Vitezslav Cizek <vcizek@suse.com>

Author: KrenzelokFrantisek <krenzelok.frantisek@gmail.com>
Date:   Thu Jun 4 16:59:33 2020 +0200

    tests: updated tlsfuzzer tests to latest version
    excluded some tests from test-certificate-malformed.py
    
    Signed-off-by: KrenzelokFrantisek <krenzelok.frantisek@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jun 2 05:38:28 2020 +0200

    gnutls_cipher_init: fix potential memleak
    
    Upon failure this function returns without freeing memory allocated
    internally.  This makes sure that it is released and does not touch the
    output handle argument.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jun 2 05:34:29 2020 +0200

    gnutls_aead_cipher_init: fix potential memleak
    
    When _gnutls_aead_cipher_init() fails, the function returns without
    freeing the allocated handle.  This was once fixed in commit
    502be130493e8ce802cdf60fffdbb5f1885352a5 but regressed after a code
    reorganization in commit 2eef509ce5f2d250f8dcaeffa46444dd2b694e91.
    
    Reported by Miroslav Lichvar.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jun 1 17:23:59 2020 +0200

    serv: omit upper bound of --maxearlydata option definition
    
    It turned out that AutoGen treats numbers that exceed INT_MAX in a
    platform dependent way.  In this case, 4294967295 (UINT_MAX) is
    treated as is on 64-bit platforms, while it is interpreted as "-1" on
    32-bit platforms.  This causes a problem when the program
    documentation is compiled in a multilib environment.
    
    Reported by Ivan Molodetskikh in:
    https://bugzilla.redhat.com/show_bug.cgi?id=1841844
    and the cause was identified by Anderson Toshiyuki Sasaki.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Steve Lhomme <robux4@ycbcr.xyz>
Date:   Mon Jun 15 13:42:50 2020 +0000

    CI: fix typo in the Vista target
    
    This resulted in the MinGW64.Vista+ target doing the same thing as the MinGW64
    target.
    
    Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jun 5 16:26:33 2020 +0200

    crypto-api: always allocate memory when serializing iovec_t
    
    The AEAD iov interface falls back to serializing the input buffers if
    the low-level cipher doesn't support scatter/gather encryption.
    However, there was a bug in the functions used for the serialization,
    which causes memory leaks under a certain condition (i.e. the number
    of input buffers is 1).
    
    This patch makes the logic of the functions simpler, by removing a
    micro-optimization that tries to minimize the number of calls to
    malloc/free.
    
    The original problem was reported by Marius Steffen in:
    https://bugzilla.samba.org/show_bug.cgi?id=14399
    and the cause was investigated by Alexander Haase in:
    https://gitlab.com/gnutls/gnutls/-/merge_requests/1277
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Steve Lhomme <robux4@ycbcr.xyz>
Date:   Sat Jun 6 14:05:16 2020 +0200

    Merge the extra libraries to link dynamically in GNUTLS_LIBS_PRIVATE
    
    This should fix #1020 where bcrypt is missing from thirdparty_libadd.
    
    Ultimately it would be good to add libraries that always need to be linked in
    one variable that is shared between the Makefile and the pkg-config file.
    
    Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jun 1 14:18:03 2020 +0200

    Release 3.6.14 [ci skip]
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jun 2 21:45:17 2020 +0200

    valgrind: check if session ticket key is used without initialization
    
    This adds a valgrind client request for
    session->key.session_ticket_key to make sure that it is not used
    without initialization.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jun 2 20:53:11 2020 +0200

    stek: differentiate initial state from valid time window of TOTP
    
    There was a confusion in the TOTP implementation in stek.c.  When the
    mechanism is initialized for the first time, it records the timestamp
    but doesn't initialize the key.  This removes the timestamp recording
    at the initialization phase, so the key is properly set later.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun May 31 14:28:48 2020 +0200

    tests: add test case for certificate chain superseding
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun May 31 13:59:53 2020 +0200

    x509: trigger fallback verification path when cert is expired
    
    gnutls_x509_trust_list_verify_crt2 uses the macro SIGNER_OLD_OR_UNKNOWN
    to trigger the fallback verification path if the signer of the last
    certificate is not in the trust store.  Previously, it didn't take
    into account the condition where the certificate is expired.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sun May 31 12:39:14 2020 +0200

    _gnutls_pkcs11_verify_crt_status: check validity against system cert
    
    To verify a certificate chain, this function replaces known
    certificates with the ones in the system trust store if possible.
    
    However, if it is found, the function checks the validity of the
    original certificate rather than the certificate found in the trust
    store.  That reveals a problem in a scenario that (1) a certificate is
    signed by multiple issuers and (2) one of the issuers' certificate has
    expired and included in the input chain.
    
    This patch makes it a little more robust by actually retrieving the
    certificate from the trust store and performing the check against it.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat May 30 11:06:57 2020 +0200

    build: write "FILE *fp" instead of "FILE *fd"
    
    This makes it clear that "fd" is not a file descriptor but a FILE
    pointer.  Suggested by Tim Rühsen.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon May 25 15:33:49 2020 +0200

    gnutls_load_file: document limitation regarding partial failure
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon May 25 11:21:38 2020 +0200

    cert-cred: clear private key data loaded from file
    
    This makes use of the RF_SENSITIVE flag newly added to read_file
    function when reading potentially sensitive information from a file.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon May 25 10:09:28 2020 +0200

    lib: avoid file descriptor leak when application forks
    
    This makes use of the "e" flag of fopen, provided by Gnulib's
    fopen-gnu module.
    
    Reported by Remi Denis-Courmont in:
    https://gitlab.com/gnutls/gnutls/-/issues/985
    and fix suggested by Tim Rühsen.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon May 25 18:37:51 2020 +0200

    gnulib: update git submodule
    
    This brings in the new fopen-gnu module and the RF_SENSITIVE flag for
    fread_file and read_file.  This also adds the following changes to be
    consistent with the latest changes in Gnulib:
    - the callers of fread_file and read_file to be adjusted for the FLAGS
      argument
    - "attribute.h" needs to be used extensively
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Steve Lhomme <robux4@ycbcr.xyz>
Date:   Wed Apr 29 10:32:08 2020 +0200

    win32: use bcrypt instead of CryptoAPI on Vista+ for random numbers
    
    CryptoAPI is a deprecated API [1] that is forbidden in UWP builds.
    
    Rewrite the CryptoAPI calls in bcrypt.
    
    bcrypt is used instead of CryptoAPI when targeting Windows Vista and above.
    
    https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptdecrypt
    
    Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Thu May 28 03:15:55 2020 +0300

    .travis.yml: use several different OSX versions
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: Steve Lhomme <robux4@ycbcr.xyz>
Date:   Wed May 27 21:14:50 2020 +0000

    win32: move the NCRYPT key import into a function
    
    No functional change. The code has simply been moved.
    
    Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>

Author: Steve Lhomme <robux4@ycbcr.xyz>
Date:   Wed May 27 21:13:43 2020 +0000

    configure.ac: determine if the Vista APIs can be linked statically
    
    If _WIN32_WINNT is higher than or equal to 0x0600, Vista APIs are allowed during
    the build. We can assume that the minimum platform the code will run on is
    Vista [1]
    
    In that case there's no need to call APIs (ncrypt) dynamically when it can be
    done statically.
    
    [1] https://docs.microsoft.com/en-us/cpp/porting/modifying-winver-and-win32-winnt
    
    Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Wed May 27 00:34:02 2020 +0300

    lib: add support for AES-192-GCM
    
    Add support for AES-192 in GCM mode.
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Tue May 26 16:19:59 2020 +0300

    configure: check that -no_weak_links works with FD_SET
    
    Several Xcode/SDK versions provide FD_SET implementation that does not
    work with -no_weak_links. Check that this option does not break FD_SET
    usage.
    
    Fixes #966
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Tue May 26 13:12:24 2020 +0300

    tests: build datefudge-check during make all
    
    Most of the tests depend on datefudge-check. Let's make it during the 'make
    all' stage to allow running individual tests without requiring it to be built
    separately.
    
    Fixes #920
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Tue May 26 13:06:03 2020 +0300

    configure.ac: add -fno-builtin-strcmp if valgrind is enabled
    
    Recent GCC provides strcmp which makes Valgrind assume that it accesses
    uninitialized data. Disable this optimization if Valgrind tests are
    enabled.
    
    Fixes #944
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: rrivers2 <5981058-rrivers2@users.noreply.gitlab.com>
Date:   Sun May 24 23:11:01 2020 +0000

    Update session_ticket.c to add support for zero length session tickets returned from the server
    
    check that ticket_len > 0 prior to calling gnutls_realloc_fast
    
    Signed-off-by: Rod Rivers <5981058-rrivers2@users.noreply.gitlab.com>
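
    The reason the check matters is that realloc() with a size of zero is
    implementation-defined: glibc frees the old block and returns NULL, which
    an unguarded caller reads as an allocation failure while its pointer now
    dangles. The following is an added example, not GnuTLS's session_ticket.c,
    that puts the unguarded shape next to the guarded one; the ticket_store_t
    type, the function names, the constructed 4-byte ticket and the decision to
    treat a zero-length ticket as "drop the stored ticket" are all assumptions
    made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed client-side ticket store for this example. */
typedef struct {
    uint8_t *data;
    size_t size;
} ticket_store_t;

/* Unguarded shape: unconditionally realloc() to ticket_len. With
 * ticket_len == 0 the result is implementation-defined; glibc frees
 * store->data and returns NULL, so this reports failure and leaves
 * store->data pointing at freed memory. */
int store_ticket_unchecked(ticket_store_t *store, const uint8_t *ticket, size_t ticket_len)
{
    uint8_t *p = realloc(store->data, ticket_len);
    if (p == NULL)
        return -1;          /* false failure, and store->data now dangles */
    memcpy(p, ticket, ticket_len);
    store->data = p;
    store->size = ticket_len;
    return 0;
}

/* Guarded shape: never hand a size of zero to realloc(). A zero-length
 * ticket is treated as "no ticket" (an assumption for this example) and the
 * old buffer is released explicitly so store->data stays consistent. */
int store_ticket_checked(ticket_store_t *store, const uint8_t *ticket, size_t ticket_len)
{
    if (ticket_len == 0) {
        free(store->data);
        store->data = NULL;
        store->size = 0;
        return 0;
    }
    uint8_t *p = realloc(store->data, ticket_len);
    if (p == NULL)
        return -1;          /* genuine failure; store->data is still valid */
    memcpy(p, ticket, ticket_len);
    store->data = p;
    store->size = ticket_len;
    return 0;
}

/* Feed a constructed 4-byte ticket and then an empty one, as a server that
 * issues a ticket and later returns none would. Returns the result of the
 * second (zero-length) store. */
int run_ticket_sequence(int use_checked)
{
    static const uint8_t sample[4] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed */
    ticket_store_t store = { NULL, 0 };
    int (*store_fn)(ticket_store_t *, const uint8_t *, size_t) =
        use_checked ? store_ticket_checked : store_ticket_unchecked;

    if (store_fn(&store, sample, sizeof sample) != 0)
        return -2;
    int rc = store_fn(&store, sample, 0);
    if (use_checked || rc == 0)
        free(store.data);   /* NULL or a valid block in these cases */
    /* when the unchecked path returned -1, realloc() may already have freed
     * store.data: touching it would be a use-after-free */
    return rc;
}

int main(void)
{
    printf("unchecked: zero-length ticket -> rc=%d (implementation-defined)\n",
           run_ticket_sequence(0));
    printf("checked:   zero-length ticket -> rc=%d\n", run_ticket_sequence(1));
    return 0;
}
```

    Only the guarded path has a defined outcome on every libc; on glibc the
    unguarded path returns -1 for a ticket the server legitimately sent.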

Author: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date:   Thu May 14 05:54:58 2020 +0300

    build: vendor in libtasn1 code
    
    Instead of keeping the minitasn1 source in Git, vendor in it during
    bootstrap as we do with Nettle code. This also upgrades included
    minitasn1 to latest version (4.16.0).
    
    Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>

Author: Steve Lhomme <robux4@ycbcr.xyz>
Date:   Tue May 19 16:23:40 2020 +0200

    win32: link with crypt32
    
    Since 5d03564cccd2c10c41252ea468d4a098bd08e9c1 we use CertOpenStore().
    To link properly it needs to be linked with crypt32.dll.
    https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopenstore
    
    This library was missing from the pkg-config library. It exists in
    thirdparty_libadd to link gnutls as a DLL.
    
    Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue May 19 16:18:39 2020 +0200

    fips: remove FIPS_STARTUP_ONLY_TEST_CASE macro
    
    The macro was intended to avoid non-recoverable errors during library
    initialization, but the code path has been removed in commit
    3963518d067a64412bbe0aa9ce5fc33ae729c15f.
    
    Signed-off-by: Daiki Ueno <dueno@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon May 18 12:25:42 2020 +0200
