Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Nov 20 08:52:53 2025 +0900

    build: update symbols.last to include gnutls_audit_* functions
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Nov 18 09:05:29 2025 +0900

    Release 3.8.11
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Nov 18 13:17:55 2025 +0900

    pkcs11: avoid stack overwrite when initializing a token
    
    If gnutls_pkcs11_token_init is called with label longer than 32
    characters, the internal storage used to blank-fill it would
    overflow. This adds a guard to prevent that.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Nov 18 09:28:26 2025 +0900

    build: bump Nettle version requirement from 3.6 to 3.10
    
    Given Nettle 3.10 is ABI compatible with 3.6 and includes several
    security relevant fixes, this updates the library's minimum
    requirement of Nettle to 3.10. The bundled code will stay for the
    next couple of release cycles in case any downstream issues are found,
    as suggested in:
    https://lists.gnupg.org/pipermail/gnutls-help/2025-November/004905.html
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daniel P. Berrangé <berrange@redhat.com>
Date:   Wed Oct 29 13:29:34 2025 +0000

    lib: clarify docs for gnutls_credentials_set
    
    Make it explicit that only a single credentials object of a given
    type may be set against a session. Any further attempts to set
    credentials for a type will replace previously set credentials.
    The act of replacement also allows the previously set credentials
    to be freed by the caller.
    
    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Author: Alistair Francis <alistair.francis@wdc.com>
Date:   Thu Oct 9 14:57:08 2025 +1000

    lib/kx: Only report file open error if there is an error
    
    Previously all attempts to open a `SSLKEYLOGFILE` would result in an
    "unable to open keylog file" regardless of if the file was opened or
    not. Instead let's only report the issue if the file fails to open.
    
    Signed-off-by: Alistair Francis <alistair.francis@wdc.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Wed Nov 19 11:02:53 2025 +0100

    .gitlab-ci.yml: run all the jobs untagged...
    
    ... to let them use either self-hosted runners
    or saas-linux-small-amd64 GitLab-hosted runners.
    
    Also revert `except: [tags]` resource preservation measure.
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Nov 6 12:38:30 2025 +0100

    .gitlab-ci.yml: move fedora-docdist to a doc image
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Tue Nov 11 20:53:06 2025 +0100

    .gitlab-ci.yml: register binfmt handlers only if missing
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Nov 6 10:58:52 2025 +0100

    .gitlab-ci.yml: remove bz2049401 workaround
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Nov 6 10:57:43 2025 +0100

    .gitlab-ci.yml: enable binfmt for mingw
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Nov 6 10:52:40 2025 +0100

    tests/suite/tls-interoperability: update submodule
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Nov 6 11:38:26 2025 +0100

    .gitlab-ci.yml: GIT_STRATEGY: clone for commit-check
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Nov 6 11:35:42 2025 +0100

    devel/check_if_signed: fix a condition
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Nov 18 08:57:43 2025 +0900

    tests/pkcs11-provider: match token with --provider when initializing
    
    Even if the "module-path" query attribute is given in the PKCS#11 URI,
    p11tool does not filter tokens based on that when called with
    --initialize. As this is not part of the pkcs11-provider
    functionality, use --provider option to specify the token.
    
    Also defer the settings of GNUTLS_SYSTEM_PRIORITY_FILE and
    GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID after the token initialization.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Alexander Sosedkin <asosedkin@redhat.com>
Date:   Thu Nov 6 19:06:55 2025 +0100

    lib/Makefile: remove audit_int.h reference
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Author: Karthik Das <kartheekdasari1998@gmail.com>
Date:   Sun Nov 16 08:31:29 2025 +0000

    Add missing parameter documentation in lib/audit.c
    
    Signed-off-by: Karthik Das <kartheekdasari1998@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Oct 29 12:45:00 2025 +0900

    build: ignore new functions at "make abi-check-latest"
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Oct 31 13:08:20 2025 +0900

    build: pacify GCC analyzer false-positive in src/ocsptool.c
    
    Without the guard (chain_size - 1), GCC analyzer spews the warning
    below, which should be a false-positive:
    
    ocsptool.c:532:32: warning: use of uninitialized value 'chain[1]' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
      532 |                         signer = chain[1];
          |                         ~~~~~~~^~~~~~~~~~
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Samuel Zeter <samuelzeter@gmail.com>
Date:   Tue Oct 14 18:00:26 2025 +0200

    lib: Fix Wunterminated-string-initialization warnings
    
    Building on a newer gcc version (15) results in the following warnings:
    
    status_request.c: In function 'client_send':
    status_request.c:71:33: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (6 chars into 5 available) [-Wunterminated-string-initialization]
       71 |         const uint8_t data[5] = "\x01\x00\x00\x00\x00";
          |                                 ^~~~~~~~~~~~~~~~~~~~~~
    x86-common.c: In function 'check_phe_partial':
    x86-common.c:342:31: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (65 chars into 64 available) [-Wunterminated-string-initialization]
      342 |         const char text[64] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
          |                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Signed-off-by: Samuel Zeter <samuelzeter@gmail.com>
    Modified-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Oct 31 11:16:28 2025 +0900

    build: exclude duplicate entries in src/mech-list.h
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Oct 30 14:12:54 2025 +0900

    build: derive the location of default config file from $sysconfdir
    
    Previously we hard-coded "/etc" as part of the path of the default
    configuration file. It is more palatable to respect the --sysconfdir
    configure option and locate the file there.
    
    Per recommendation at [1], the path is expanded at "make" time, not at
    "configure" time.
    
    1. https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.72/html_node/Installation-Directory-Variables.html
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Oct 24 15:33:45 2025 +0900

    build: fix compiler warnings with -Wstrict-prototypes
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Oct 20 16:42:36 2025 +0900

    x509: encode ECDSA private key in fixed length
    
    RFC 5915 section 3 says that the privateKey field of ECPrivateKey
    structure should be fixed length, though the library encoded it in
    variable length, depending on the leading byte. This patch enforces
    that the field is always encoded in fixed length, as well as
    consolidates the code paths for EdDSA and X25519/X448 keys.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Oct 14 14:32:33 2025 +0900

    audit: wrap crau interface and expose it partly as public API
    
    This adds 3 new functions: gnutls_audit_push_context,
    gnutls_audit_pop_context, and gnutls_audit_current_context, which
    would be useful when the applications define their own crypto-auditing
    probe points.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Oct 14 14:57:00 2025 +0900

    configure: disable crypto-auditing support by default
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Oct 9 09:21:29 2025 +0900

    configure: fix faketime detection
    
    This fixes the cache variable name (gnutls_cv_prog_faketime_works, not
    gnutls_cv_faketime_works), and avoids extraneous output from the
    configure.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Oct 9 09:11:06 2025 +0900

    po: ignore new files introduced by gettext
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Oct 9 09:09:59 2025 +0900

    m4/hooks.m4: check <sys/sdt.h> defines DTrace compatible macros
    
    On macOS, <sys/sdt.h> defines a different interface than on
    GNU/Linux. Check if DTRACE_PROBE* macros are actually usable.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Samuel Zeter <samuelzeter@gmail.com>
Date:   Fri Oct 3 01:20:58 2025 +1000

    x509: Remove misleading comments
    
    These comments were originally from an old function called
    check_schema() which has since been removed.
    
    Signed-off-by: Samuel Zeter <samuelzeter@gmail.com>

Author: Samuel Zeter <samuelzeter@gmail.com>
Date:   Fri Oct 3 01:06:30 2025 +1000

    x509: Remove extraneous asn1_delete
    
    No need for deletion given we already call asn1_delete_structure2.
    
    Signed-off-by: Samuel Zeter <samuelzeter@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Oct 2 14:11:42 2025 +0900

    tls-sig: instrument crypto-auditing probes
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Oct 2 17:56:37 2025 +0900

    _gnutls_handshake_sign_data: resolve signing algorithm only once
    
    This avoids unnecessary look up of algorithm entry.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Sep 24 13:23:09 2025 +0900

    key_share: instrument crypto-auditing probes
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Sep 24 10:38:07 2025 +0900

    handshake: instrument crypto-auditing probes
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Sep 2 17:45:27 2025 +0900

    pk: instrument crypto-auditing probes
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Oct 25 16:27:16 2022 +0900

    build: bundle crypto-auditing helper library as copylib
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>
    Co-authored-by: Zoltan Fridrich <zfridric@redhat.com>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Tue Aug 19 18:49:14 2025 +0000

    lib/nettle/int/drbg-aes-self-test: Replace free() with gnutls_free()
    
    Replace free() with gnutls_free() for consistent memory deallocation.
    
    Fixes: 1421e31ff ("Added DRBG submitted to nettle in gnutls.")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Alistair Francis <alistair.francis@wdc.com>
Date:   Mon May 26 14:41:46 2025 +1000

    tls13/key_update: Expose a manual KeyUpdate function
    
    As part of supporting KeyUpdate in ktls-utils and NVMe-OF we need to
    trigger an update of the local keys after the kernel has received a
    KeyUpdate message.
    
    This patch creates a new gnutls_handshake_update_receiving_key() function
    that allows updating the local keys without sending any KeyUpdate
    requests.
    
    Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
    Modified-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Sep 18 14:21:52 2025 +0900

    NEWS: mention configuration change of PKCS#11 provider
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Sep 16 18:45:45 2025 +0900

    tests: make pkcs11-provider test self-contained
    
    Use p11tool exclusively to avoid pkcs11-tool dependency.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Sep 16 17:57:24 2025 +0900

    pkcs11: use the same initialization code for provider
    
    This makes the pkcs11-provider code use the thread-safe module
    initialization code introduced in commit
    aa5f15a872e62e54abe58624ee393e68d1faf689. As the mechanism works over
    p11-kit managed modules, this switches the "path" config option to
    using PKCS#11 URI, through the "url" keyword.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Sep 16 15:15:23 2025 +0900

    pkcs11: use CRYPTOKI_GNU interface in the provider code
    
    This mass-rewrites the pkcs11-provider code to match the rest of
    PKCS#11 support in the library, to be able to share the same module
    initialization code everywhere.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Sep 2 06:53:34 2025 +0900

    pkcs11: try to initialize modules in thread-safe mode
    
    When modules are initialized without CKF_OS_LOCKING_OK nor custom
    locking functions, they may skip their internal locking assuming that
    the applications will take care of thread-safety, which is costly and
    GnuTLS currently doesn't do that.
    
    To mitigate this, this patch changes the module initialization code to
    tell the modules to guarantee thread-safety by themselves. If they are
    unable to do that, this falls back to the normal initialization
    without C_Initialize parameters. This also omits the custom_init flag,
    which indicated whether the module is initialized with
    p11_kit_module_initialize or a direct call to C_Initialize, now that
    modules are always initialized with C_Initialize.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Sep 9 15:22:43 2025 +0900

    build: unconditionally use zeroize_key/zrelease_mpi_key
    
    Since 39aaa63a1a4cb8432e090887f38241afb2b264a6, zeroize_temp_key is an
    alias to zeroize_key, and zrelease_temp_mpi_key is an alias to
    zrelease_mpi_key. Use the latter directly and also remove
    _gnutls_free_temp_key_datum.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Aug 21 07:03:38 2025 +0900

    pre_shared_key: fix memleak when retrying with different binder algo
    
    As the PSK entry is reallocated, free it upon retry. Also use
    _gnutls_free_key_datum instead of _gnutls_free_temp_key_datum
    consistently.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Wilfred Mallawa <wilfred.mallawa@wdc.com>
Date:   Tue Aug 19 14:59:21 2025 +1000

    tests/psk-file: Add testing for _credentials2 functions
    
    Adds testing for gnutls_psk_allocate_X_credentials2() functions for
    server and client.
    
    Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
    Modified-by: Daiki Ueno <ueno@gnu.org>

Author: Wilfred Mallawa <wilfred.mallawa@wdc.com>
Date:   Mon Aug 18 12:40:57 2025 +1000

    lib/psk: add null check for binder algo
    
    Currently, `pskcred->binder_algo` is used without checking first if it
    is valid. This can lead to a NULL pointer dereference in cases such as
    [1]. This patch adds NULL check `pskcred->binder_algo` before using it.
    
    This also makes it more explicit in
    gnutls_psk_allocate_server_credentials2() that `pskcred->binder_algo
    == NULL` indicates auto-detection, while avoiding the linear lookup
    for a NULL entry.
    
    [1] https://gitlab.com/gnutls/gnutls/-/issues/1729
    
    Fix Suggested by: Daiki Ueno <ueno@gnu.org>
    Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Dec 17 17:55:22 2024 +0900

    crypto-selftests-pk: skip negative tests by default
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Dec 17 17:54:54 2024 +0900

    fips: skip compat API tests in AES self-tests
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Dec 17 10:03:26 2024 +0900

    fips: only run the first test vector for each symmetric algorithm
    
    FIPS 140-3 doesn't require to run multiple test vectors for a single
    algorithm, and one of the test vectors for PBKDF2, with an 80000
    iteration count is known to be too costly.  Therefore, this patch
    changes gnutls_*_self_test to pick only the first test from the test
    vectors, unless GNUTLS_SELF_TEST_FLAG_ALL is specified.  The existing
    test vectors have been reviewed and modified for the first element to
    use the sane parameters, namely: aes128_gcm_vectors to use non-zero
    key and non-empty AAD, aes256_gcm_vectors to use non-empty AAD, and
    pbkdf2_sha256_vectors to use iteration count greater than 1.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Dec 13 18:42:03 2024 +0900

    fips: run AES-256 self-tests with only a single mode
    
    Previously we ran FIPS power-on self-tests for AES-256-CBC,
    AES-256-GCM, AES-256-XTS, and AES-256-CFB8, though only one mode per
    key size suffices according to FIPS 140-3 IG. This omits AES-256-CBC,
    AES-256-XTS, and AES-256-CFB8, keeping AES-256-GCM for performance.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: chenjianhu <chenjianhu@kylinos.cn>
Date:   Fri Aug 1 17:18:23 2025 +0800

    x509: fix incorrect handling in name constraints merging
    
    As mentioned in commit ca573d65 ("x509: Fix asymmetry in name
    constraints intersection", 2016-07-29), the
    _gnutls_name_constraints_intersect function exhibited an
    asymmetry in name constraints intersection behavior, specifically
    manifested as:
    1. Nodes of unique types in PERMITTED (absent in PERMITTED2) were
       preserved
    2. Nodes of unique types in PERMITTED2 (absent in PERMITTED) were
       discarded
    
    A 'used' flag was introduced, where if a node from PERMITTED2 was
    not used for the intersection, it would be copied to PERMITTED.
    
    However, an unresolved edge case persisted:
    - When 'removed.size > 0', the 'used' flag was unconditionally set
      to 1
    - This prevented copying of PERMITTED2 nodes with unique types
    
    Signed-off-by: chenjianhu <chenjianhu@kylinos.cn>
    Modified-by: Daiki Ueno <ueno@gnu.org>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Tue Aug 5 14:21:19 2025 +0000

    tests/key-usage-ecdhe-rsa.c: Add gnutls_free() to avoid memory leak
    
    Add gnutls_free() to free p if error occurs to avoid memory leak.
    
    Fixes: b167cc373 ("tests: added checks on signature key usage violations")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Tue Aug 5 14:12:38 2025 +0000

    Add check for memory allocation APIs to avoid NULL pointer dereference
    
    Add check for the return value of memory allocation APIs to avoid NULL
    pointer dereference.
    
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
    Modified-by: Daiki Ueno <ueno@gnu.org>

Author: Wilfred Mallawa <wilfred.mallawa@wdc.com>
Date:   Mon Jul 7 13:21:58 2025 +1000

    ext/max_record: add function to get max send size
    
    Adds a new function to max_record library to extract
    the endpoint's maximum record send size, which may have been negotiated
    through the record_size_limit or the max_fragment_length extensions.
    
    Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
    Modified-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Aug 4 20:22:39 2025 +0900

    .gitlab-ci.yml: bump cache version
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Sat Aug 2 23:10:32 2025 +0000

    tests/psk-importer.c: Add check for gnutls_malloc to avoid potential NULL pointer dereference
    
    Add check for the return value of gnutls_malloc() to avoid potential NULL pointer dereference.
    
    Fixes: 4fe788cc1 ("psk: Add basic support for RFC 9258 external PSK importer interface")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Mon Aug 4 00:17:10 2025 +0000

    src/pkcs11.c: Add check for gnutls_malloc and gnutls_strdup
    
    Add check for the return value of gnutls_malloc() and gnutls_strdup() to avoid potential NULL pointer dereference.
    Fixes: 44541d17 ("p11tool: copy vendor query attributes when listing privkeys")
    
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Mon Aug 4 00:46:52 2025 +0000

    tests/suite/mini-record-timing.c: Add check for gnutls_malloc
    
    Add check for the return value of gnutls_malloc() to avoid potential NULL pointer dereference.
    
    Fixes: 75363e1f ("cbc-record-check.sh: introduced")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Sat Aug 2 16:07:59 2025 +0000

    lib/pkcs11_privkey.c: Add check for gnutls_malloc
    
    Add check for the return value of gnutls_malloc() to avoid potential NULL pointer dereference.
    
    Fixes: be560a813 ("Added gnutls_pkcs11_privkey_t and gnutls_privkey_t types. Those are an abstract private key type that can be used to sign/encrypt any private key of pkcs11,x509 or openpgp types. Added support for PKCS11 in gnutls-cli/gnutls-serv.")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Sat Aug 2 15:50:49 2025 +0000

    lib/x509/x509_dn.c: Add check for gnutls_calloc
    
    Add check for the return value of gnutls_calloc() to avoid potential NULL pointer dereference.
    
    Fixes: 6c9dadf6c ("Moved the gnutls_x509_dn API functions to x509_dn.c")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Sat Aug 2 15:38:40 2025 +0000

    lib/anon_cred.c: Add check for gnutls_calloc
    
    According to the comment above, add check for the return value of gnutls_calloc() and return an error code if it fails.
    
    Fixes: 23efd9990 ("The Diffie Hellman parameters are now stored in the credentials structures. This will allow precomputation of signatures (for DHE cipher suites).")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Jul 19 07:08:24 2025 +0900

    key_update: rework the rekeying logic
    
    While RFC 8446 4.6.3 says that the sender of a KeyUpdate message
    should only update its sending key, the previous implementation
    updated both the sending and receiving keys, preventing any
    interleaved application data from being decrypted.
    
    This splits the key update logic into 2 phases: when sending a
    KeyUpdate, only update the sending key, and when receiving a
    KeyUpdate, only update the receiving key.  In both cases, KeyUpdate
    messages are encrypted/decrypted with the old keys.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Jul 31 15:34:48 2025 +0900

    constate: switch epoch lookup to linear search
    
    The previous logic of epoch lookup was utilizing the fact that epoch
    numbers are monotonically increasing and there are no gaps in between
    after garbage collection. That is, however, no longer true when a TLS
    1.3 key update is happening in only one direction.
    
    This patch switches to using linear search instead, at the cost of
    approx MAX_EPOCH_INDEX * 2 (= 8) comparison.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 22 10:49:33 2025 +0900

    key_update: fix state transition in KTLS code path
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Karthik Das <kartheekdasari1998@gmail.com>
Date:   Wed Jul 30 12:42:14 2025 +0000

    build: check if Esys_SetCryptoCallbacks is available
    
    Signed-off-by: Karthik Das <kartheekdasari1998@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Feb 10 15:57:39 2025 +0900

    tests: do not assume RSAES-PKCS1-v1_5 is enabled in system config
    
    Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jan 27 16:36:41 2025 +0900

    fips: perform both PCTs for unrestricted RSA key
    
    As PKCS#1 v1.5-padding is no longer allowed, exercise PCT with both
    RSA-PSS and RSA-OAEP for unrestricted RSA keys. Note that, it is no
    longer possible to create 512-bit RSA key under FIPS mode, because
    there is a restriction of message size in RSA-OAEP based on the key
    size, i.e., mLen > k - 2hLen - 2.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Feb 12 12:13:47 2025 +0900

    pk: exercise decrypt2 in PCT
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Feb 12 07:23:59 2025 +0900

    pk: sprinkle SPKI over encryption functions
    
    Similarly to signing, the encrypt/decrypt/decrypt2 functions defined
    in gnutls_crypto_pk_st now take SPKI as an additional parameter, so
    the encryption/decryption behavior can be overridden.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Dec 17 16:55:47 2024 +0900

    fips: perform RSA self-tests using RSA-PSS instead of PKCS#1 v1.5
    
    Previously the RSA self-tests were using PKCS#1 v1.5, for both
    signature generation and encryption/decryption, which turned a bit
    problematic as GnuTLS now has a run-time option to disable that
    scheme.
    
    According to FIPS 140-3 IG 10.3.A, for each FIPS 186-4 and FIPS 186-5
    public key digital signature algorithm, a CAST shall be performed
    using at least one of the schemes approved for use in the approved
    mode. Similarly, the IG annex D.G mentions that if the RSA signature
    generation algorithm and RSA un-encapsulation scheme use the same
    implementation, only test for signature generation suffices.
    
    Therefore, this switches to using RSA-PSS only and drops the
    RSA encryption/decryption self-tests.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Dec 18 01:11:50 2024 +0900

    pk: use deterministic RNG for RSA-PSS in self-tests
    
    This ports the logic to use a specialized RNG with deterministic
    behavior from RSA PKCS#1 v1.5 signature creation.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: fundawang <fundawang@yeah.net>
Date:   Sun Jul 13 08:59:59 2025 +0000

    tests: only do sanity-lib test when tpm-tss is dlopened
    
    Signed-off-by: Funda Wang <fundawang@yeah.net>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 28 17:20:52 2025 +0900

    .gitlab-ci.yml: manual trigger fedora-cross/bootstrap
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Jul 10 05:58:52 2025 +0900

    tests: skip system-override-compress-cert.sh for missing libs
    
    The tls13/compress-cert-conf.c requires brotli and the test needs one
    other algorithm; assume zstd and skip if any of those are missing.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Jul 10 05:54:32 2025 +0900

    tests: distribute ktls_utils.h
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Jul 10 05:53:32 2025 +0900

    tests: make cert-tests/mldsa.sh work in VPATH build
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Maxim Cournoyer <maxim@guixotic.coop>
Date:   Fri Jul 18 12:05:31 2025 +0900

    tests: Remove dependency on `which' command.
    
    A POSIX equivalent (command) works just as well.
    
    * tests/pkcs11-tool.sh: Replace 'which' invocations with 'command'.
    * tests/tpm2.sh: Likewise.
    * tests/tpmtool_test.sh: Likewise.
    
    Signed-off-by: Maxim Cournoyer <maxim@guixotic.coop>

Author: Maxim Cournoyer <maxim@guixotic.coop>
Date:   Fri Jul 18 12:05:22 2025 +0900

    tests: Lookup softhsm tools from PATH.
    
    This is more portable, e.g. on non-FHS systems.
    
    * tests/testpkcs11.softhsm (init_card): Use POSIX's 'command' to test
    if softhsm2-util or softhsm is available from PATH.
    tests: Check softhsm2-util from PATH.
    * tests/pkcs11/softhsm.h (softhsm_bin): Check from PATH.
    
    Signed-off-by: Maxim Cournoyer <maxim@guixotic.coop>

Author: Maxim Cournoyer <maxim@guixotic.coop>
Date:   Fri Jul 18 12:05:15 2025 +0900

    Makefile.am: Hint at libdane requirement for distcheck target.
    
    Signed-off-by: Maxim Cournoyer <maxim@guixotic.coop>

Author: Maxim Cournoyer <maxim@guixotic.coop>
Date:   Fri Jul 18 12:05:00 2025 +0900

    scripts: Use /usr/bin/env for more portable shebangs.
    
    Lookup perl from PATH instead of from its fixed expected location,
    which may not exist on non-FHS systems like Guix System and NixOS.
    
    * doc/scripts/gdoc: Adjust shebang to use /usr/bin/env.
    * doc/scripts/getfuncs.pl: Likewise.
    
    Signed-off-by: Maxim Cournoyer <maxim@guixotic.coop>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 28 10:23:27 2025 +0900

    .gitlab-ci.yml: remove "texconfig rehash" invocation
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 28 10:14:20 2025 +0900

    .gitlab-ci.yml: exercise heartbeat and SRP support
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Mon Jul 28 10:11:46 2025 +0900

    .gitlab-ci.yml: reduce fedora/test matrix
    
    As PQC has nothing to do with KTLS, skip the pqc + ktls combination.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Sun Jul 20 21:11:46 2025 +0000

    Replace with statically allocated buffer
    
    Replace with statically allocated buffer to avoid potential NULL pointer
    dereference.
    
    Fixes: 1fb6d1b5 ("fips140-2: moved PCT-test in wrap_nettle_generate_keys")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Fri Jul 11 22:24:41 2025 +0000

    lib/hello_ext.c: Add check for gnutls_strdup()
    
    Add check for the return value of gnutls_strdup() to avoid potential NULL pointer dereference.
    
    Fixes: 5bba569b4 ("gnutls_session_ext_register: keep track of extension name")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Fri Jul 11 20:12:55 2025 +0000

    lib/file.c: Add check for gnutls_malloc()
    
    Add check for the return value of gnutls_malloc() to avoid potential NULL pointer dereference.
    
    Fixes: d1428c0f9 ("helper.c -> file.c")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Thu Jul 10 19:53:19 2025 +0000

    lib/ext/srp.c: Add gnutls_free() to avoid memory leak
    
    Add gnutls_free() to free priv->username if the allocation of priv->password fails to avoid memory leak.
    Moreover, replace "return" with "goto" to avoid memory leak.
    
    Fixes: a1a15422 ("Fixes and memory leak elimination in SRP authentication.")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Fri Jul 11 20:04:39 2025 +0000

    lib/ext/srp.c: Add gnutls_free() in the error path
    
    Add gnutls_free() in the error path to avoid potential memory leak if BUFFER_POP_DATUM fails.
    
    Fixes: 8b038ab97 ("The auth_ and ext_ files were moved to respective directories.")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Fri Jul 11 19:18:15 2025 +0000

    lib/cert-cred-rawpk.c: Add gnutls_free() and gnutls_pcert_deinit() in the error paths
    
    Add gnutls_free() and gnutls_pcert_deinit() in the error paths to avoid potential memory leak.
    
    Fixes: 565efaeac ("Implemented support for raw public-key functionality (RFC7250).")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Fri Jul 11 18:51:35 2025 +0000

    fuzz/gnutls_srp_server_fuzzer.c: Add check for gnutls_malloc()
    
    Add check for the return value of gnutls_malloc() to avoid potential NULL pointer dereference.
    
    Fixes: 5bb8a18b0 ("fuzzer: Initial check in for improved fuzzing")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Fri Jul 25 07:47:09 2025 +0900

    .gitlab-ci.yml: point to the gnulib checkout
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Hannes Reinecke <hare@suse.de>
Date:   Fri Mar 14 12:31:13 2025 +0100

    lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2
    
    Add new functions gnutls_psk_allocate_client_credentials2() and
    gnutls_psk_allocate_server_credentials2() which allow to specify
    the hash algorithm for the PSK. This fixes a bug in the current
    implementation where the binder is always calculated with SHA256.
    
    Signed-off-by: Hannes Reinecke <hare@suse.de>
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Thu Jul 24 15:33:45 2025 +0900

    tests: skip tlsfuzzer tests in FIPS mode
    
    Those tests are not expected to run in FIPS mode and may return
    different results than in non-FIPS mode.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Wed Jul 23 19:56:32 2025 +0900

    .gitlab-ci.yml: remove mingw-vista pipelines
    
    The Vista build is now the default in mingw, the build will result in
    the equivalent artifacts to non-Vista.
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Author: Daiki Ueno <ueno@gnu.org>
Date:   Tue Jul 22 18:36:57 2025 +0900

    .gitlab-ci.yml: bump cache version
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

