Package: gnutls28 / 3.7.1-5+deb11u5

Metadata

Package   Version          Patches format
gnutls28  3.7.1-5+deb11u5  3.0 (quilt)

Patch series

Patch File delta Description
14_version_gettextcat.diff

configure.ac | 3 3 + 0 - 0 !
lib/global.c | 2 1 + 1 - 0 !
lib/str.h | 2 1 + 1 - 0 !
libdane/errors.c | 2 1 + 1 - 0 !
po/Makevars | 2 1 + 1 - 0 !
5 files changed, 7 insertions(+), 4 deletions(-)

 version filename of locale data (gnutls30.mo instead of
 gnutls.mo). This is necessary to make e.g. libgnutls26 and libgnutls28
 co-installable.
30_guile snarf.diff

guile/src/Makefile.am | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 work around guile-snarf hardcoding the at-build default compiler
 which breaks when it changes on Debian.
55_01 _gnutls_buffer_resize account for unused area if AGG.patch

lib/str.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch 1/2] _gnutls_buffer_resize: account for unused area if
 AGGRESSIVE_REALLOC

Signed-off-by: Daiki Ueno <ueno@gnu.org>

55_02 str suppress Wunused function if AGGRESSIVE_REALLOC .patch

lib/str.c | 18 9 + 9 - 0 !
1 file changed, 9 insertions(+), 9 deletions(-)

 [patch 2/2] str: suppress -Wunused-function if AGGRESSIVE_REALLOC is
 defined

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_01 srptool avoid FILE pointer leak on error.patch

src/srptool.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch 1/5] srptool: avoid FILE pointer leak on error

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_02 gnutls cli debug avoid resource leak in saving DHE p.patch

src/tests.c | 15 12 + 3 - 0 !
1 file changed, 12 insertions(+), 3 deletions(-)

 [patch 2/5] gnutls-cli-debug: avoid resource leak in saving DHE
 params

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_03 src avoid file descriptor leak in socket_open2.patch

src/socket.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch 3/5] src: avoid file descriptor leak in socket_open2

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_04 examples avoid memory leak in tlsproxy.patch

doc/examples/tlsproxy/tlsproxy.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 [patch 4/5] examples: avoid memory leak in tlsproxy

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_05 examples avoid memory leak in ex verify.patch

doc/examples/ex-verify.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 [patch 5/5] examples: avoid memory leak in ex-verify

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_10 build doc install missing image file gnutls crypto l.patch

doc/Makefile.am | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] build: doc: install missing image file
 gnutls-crypto-layers.png

Signed-off-by: Andreas Metzler <ametzler@bebt.de>

56_15 mem add _gnutls_reallocarray and _gnutls_reallocarra.patch

lib/mem.c | 24 24 + 0 - 0 !
lib/mem.h | 7 5 + 2 - 0 !
2 files changed, 29 insertions(+), 2 deletions(-)

 [patch 1/5] mem: add _gnutls_reallocarray and
 _gnutls_reallocarray_fast

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_16 pkcs11x find_ext_cb fix error propagation.patch

lib/pkcs11x.c | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 [patch 2/5] pkcs11x: find_ext_cb: fix error propagation

Use explicit error value, as rv is not set in this code path.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_17 build avoid potential integer overflow in array allo.patch

lib/cert-cred-x509.c | 23 15 + 8 - 0 !
lib/cert-cred.c | 18 10 + 8 - 0 !
lib/hello_ext.c | 4 3 + 1 - 0 !
lib/pcert.c | 3 2 + 1 - 0 !
lib/pkcs11.c | 11 7 + 4 - 0 !
lib/pkcs11x.c | 5 4 + 1 - 0 !
lib/supplemental.c | 4 2 + 2 - 0 !
lib/x509/crl.c | 7 3 + 4 - 0 !
lib/x509/ocsp.c | 11 6 + 5 - 0 !
lib/x509/pkcs12.c | 15 6 + 9 - 0 !
lib/x509/verify-high.c | 43 18 + 25 - 0 !
lib/x509/verify-high2.c | 6 4 + 2 - 0 !
lib/x509/x509.c | 9 4 + 5 - 0 !
lib/x509/x509_ext.c | 12 6 + 6 - 0 !
14 files changed, 90 insertions(+), 81 deletions(-)

 [patch 3/5] build: avoid potential integer overflow in array
 allocation

This relies on _gnutls_reallocarray for all occasions of array
allocations, so that they can benefit from the built-in overflow
checks.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_18 build avoid integer overflow in additions.patch

lib/cert-cred.c | 5 5 + 0 - 0 !
lib/hello_ext.c | 5 5 + 0 - 0 !
lib/pkcs11.c | 6 6 + 0 - 0 !
lib/pkcs11x.c | 6 6 + 0 - 0 !
lib/supplemental.c | 5 5 + 0 - 0 !
lib/x509/ocsp.c | 11 11 + 0 - 0 !
lib/x509/pkcs12.c | 10 10 + 0 - 0 !
lib/x509/verify-high.c | 40 35 + 5 - 0 !
lib/x509/x509_ext.c | 16 16 + 0 - 0 !
9 files changed, 99 insertions(+), 5 deletions(-)

 [patch 4/5] build: avoid integer overflow in additions

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_19 _gnutls_calloc remove unused function.patch

lib/mem.c | 11 0 + 11 - 0 !
lib/mem.h | 1 0 + 1 - 0 !
2 files changed, 12 deletions(-)

 [patch 5/5] _gnutls_calloc: remove unused function

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_20 priority add option to disable TLS 1.3 middlebox com.patch

NEWS | 5 5 + 0 - 0 !
doc/cha-gtls-app.texi | 4 4 + 0 - 0 !
lib/gnutls_int.h | 1 1 + 0 - 0 !
lib/handshake-tls13.c | 23 14 + 9 - 0 !
lib/handshake.c | 4 3 + 1 - 0 !
lib/priority.c | 9 9 + 0 - 0 !
lib/priority_options.gperf | 1 1 + 0 - 0 !
tests/Makefile.am | 2 1 + 1 - 0 !
tests/tls13-compat-mode.c | 140 140 + 0 - 0 !
9 files changed, 178 insertions(+), 11 deletions(-)

 [patch] priority: add option to disable TLS 1.3 middlebox
 compatibility mode

This adds a new option %DISABLE_TLS13_COMPAT_MODE to disable TLS 1.3
compatibility mode at run-time.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_24 handshake don t regenerate legacy_session_id in seco.patch

lib/handshake.c | 20 11 + 9 - 0 !
tests/tls13/hello_retry_request.c | 20 20 + 0 - 0 !
2 files changed, 31 insertions(+), 9 deletions(-)

 [patch] handshake: don't regenerate legacy_session_id in second CH
 after HRR

According to RFC 8446 4.1.2, the client must send the same Client
Hello after Hello Retry Request, except for certain extensions,
and thus legacy_session_id must be preserved.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_28 handshake fix timing of sending early data.patch

NEWS | 5 5 + 0 - 0 !
lib/cipher.c | 6 5 + 1 - 0 !
lib/constate.c | 46 39 + 7 - 0 !
lib/handshake-tls13.c | 92 33 + 59 - 0 !
lib/handshake.c | 70 70 + 0 - 0 !
lib/record.c | 2 1 + 1 - 0 !
lib/session_pack.c | 14 7 + 7 - 0 !
tests/tls13-early-data.c | 16 12 + 4 - 0 !
tests/tls13/prf-early.c | 8 4 + 4 - 0 !
9 files changed, 176 insertions(+), 83 deletions(-)

 [patch] handshake: fix timing of sending early data

Previously, the client was sending early data after receiving a Server
Hello message, which not only negates the benefit of 0-RTT, but also
was a logic error as it can only be decrypted by the server when the
initial handshake and the resuming handshake agree on the same
ciphersuites.  This fixes that behavior in the following ways:

- extend the session data format to include the selected ciphersuites,
  even in TLS 1.3
- set up the epoch for early data, right before the client sends
  early data (also right after the server decides to accept early
  data).
56_30 x509 verify treat SHA 1 signed CA in the trusted set.patch

lib/x509/verify.c | 26 17 + 9 - 0 !
tests/test-chains.h | 165 165 + 0 - 0 !
2 files changed, 182 insertions(+), 9 deletions(-)

 [patch 47/94] x509/verify: treat SHA-1 signed CA in the trusted set
56_33 serv stop setting AI_ADDRCONFIG on getaddrinfo.patch

src/serv.c | 6 1 + 5 - 0 !
1 file changed, 1 insertion(+), 5 deletions(-)

 [patch 74/94] serv: stop setting AI_ADDRCONFIG on getaddrinfo

AI_ADDRCONFIG is only useful when the NODE argument is given in the
getaddrinfo call, as described in RFC 3493 6.1.  Suggested by Andreas
Metzler in:
https://gitlab.com/gnutls/gnutls/-/issues/1007#note_356637206

Signed-off-by: Daiki Ueno <ueno@gnu.org>

56_40 fix SSSE3 SHA384 to work more than once.patch

lib/accelerated/x86/sha-x86-ssse3.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] fix SSSE3 SHA384 to work more than once

The output function called sha512_digest() instead of sha384_digest(),
which caused the hash context to be reinitialized for SHA512 instead of
SHA384 and all following digests using the hash handle were wrong.

Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>

56_45 wrap_nettle_hash_fast avoid calling _update with zer.patch

lib/nettle/mac.c | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 [patch] wrap_nettle_hash_fast: avoid calling _update with zero-length
 input

As Nettle's hash update functions internally call memcpy, providing
zero-length input may cause undefined behavior.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

60 Fix double free during gnutls_pkcs7_verify.patch

lib/x509/pkcs7.c | 3 2 + 1 - 0 !
tests/Makefile.am | 2 1 + 1 - 0 !
tests/pkcs7-verify-double-free.c | 215 215 + 0 - 0 !
3 files changed, 218 insertions(+), 2 deletions(-)

 fix double free during gnutls_pkcs7_verify
61_01 auth rsa side step potential side channel.patc

lib/auth/rsa.c | 10 0 + 10 - 0 !
1 file changed, 10 deletions(-)

 [patch 1/3] auth/rsa: side-step potential side-channel

Remove branching that depends on secret data.

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Signed-off-by: Hubert Kario <hkario@redhat.com>
Tested-by: Hubert Kario <hkario@redhat.com>

61_02 rsa remove dead code.patch

lib/auth/rsa.c | 20 3 + 17 - 0 !
1 file changed, 3 insertions(+), 17 deletions(-)

 [patch 2/3] rsa: remove dead code

Since the `ok` variable isn't used any more, we can remove all code
used to calculate it.

Signed-off-by: Hubert Kario <hkario@redhat.com>

62 auth rsa_psk side step potential side channel.patch

lib/auth/rsa.c | 2 1 + 1 - 0 !
lib/auth/rsa_psk.c | 95 36 + 59 - 0 !
lib/gnutls_int.h | 4 0 + 4 - 0 !
lib/priority.c | 1 0 + 1 - 0 !
4 files changed, 37 insertions(+), 65 deletions(-)

 [patch] auth/rsa_psk: side-step potential side-channel

This removes branching that depends on secret data, porting changes
for regular RSA key exchange from
4804febddc2ed958e5ae774de2a8f85edeeff538 and
80a6ce8ddb02477cd724cd5b2944791aaddb702a.  This also removes the
allow_wrong_pms as it was used solely to control debug output
depending on the branching.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

63 x509 detect loop in certificate chain.patch

lib/x509/common.c | 4 4 + 0 - 0 !
tests/test-chains.h | 125 125 + 0 - 0 !
2 files changed, 129 insertions(+)

 [patch 1/2] x509: detect loop in certificate chain

There can be a loop in a certificate chain, when multiple CA
certificates are cross-signed with each other, such as A → B, B → C,
and C → A.  Previously, the verification logic was not capable of
handling this scenario while sorting the certificates in the chain in
_gnutls_sort_clist, resulting in an assertion failure.  This patch
properly detects such a loop and aborts further processing in a graceful
manner.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

64 rsa psk minimize branching after decryption.patch

lib/auth/rsa_psk.c | 69 35 + 34 - 0 !
1 file changed, 35 insertions(+), 34 deletions(-)

 [patch 2/2] rsa-psk: minimize branching after decryption

This moves any non-trivial code between gnutls_privkey_decrypt_data2
and the function return in _gnutls_proc_rsa_psk_client_kx up until the
decryption.  This also avoids an extra memcpy to session->key.key.

Signed-off-by: Daiki Ueno <ueno@gnu.org>