Package: gnutls28 / 3.7.9-2+deb12u5

Metadata

Package: gnutls28
Version: 3.7.9-2+deb12u5
Patches format: 3.0 (quilt)

Patch series

Each entry lists the patch file, its per-file delta (lines changed, insertions, deletions, modifications), and the patch description.
14_version_gettextcat.diff

configure.ac | 3 3 + 0 - 0 !
lib/global.c | 2 1 + 1 - 0 !
lib/str.h | 2 1 + 1 - 0 !
libdane/errors.c | 2 1 + 1 - 0 !
po/Makevars | 2 1 + 1 - 0 !
5 files changed, 7 insertions(+), 4 deletions(-)

 version filename of locale data (gnutls30.mo instead of
 gnutls.mo) This is necessary to make e.g. libgnutls26 and libgnutls28
 co-installable.
30_guile snarf.diff

guile/src/Makefile.am | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 work around guile-snarf hardcoding the at-build default compiler
 which breaks when it changes in Debian.
40_srptest_doubletimeout.diff

tests/srp.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 increase timeout for srp test, fixing build error on mipsel
50_Fix removal of duplicate certs during verification.patch

lib/x509/verify-high.c | 101 20 + 81 - 0 !
tests/Makefile.am | 2 1 + 1 - 0 !
tests/x509-verify-duplicate.c | 181 181 + 0 - 0 !
3 files changed, 202 insertions(+), 82 deletions(-)

 [PATCH] Fix removal of duplicate certs during verification

Co-authored-by: Daiki Ueno <ueno@gnu.org>
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

51_add gnulib linkedhash list module.diff

gl/Makefile.am | 13 13 + 0 - 0 !
gl/gl_anyhash1.h | 31 31 + 0 - 0 !
gl/gl_anyhash2.h | 82 82 + 0 - 0 !
gl/gl_anyhash_primes.h | 87 87 + 0 - 0 !
gl/gl_anylinked_list1.h | 48 48 + 0 - 0 !
gl/gl_anylinked_list2.h | 1215 1215 + 0 - 0 !
gl/gl_linkedhash_list.c | 114 114 + 0 - 0 !
gl/gl_linkedhash_list.h | 34 34 + 0 - 0 !
gl/gl_list.c | 3 3 + 0 - 0 !
gl/gl_list.h | 914 914 + 0 - 0 !
m4/gnulib-comp.m4 | 11 11 + 0 - 0 !
11 files changed, 2552 insertions(+)

 result of rebootstrapping with linkedhash-list module
 Needed for 50_Fix-removal-of-duplicate-certs-during-verification.patch

 Add linkedhash-list to gnulib_modules= in bootstrap.conf and run
 ./bootstrap
53 fips fix checking on hash algorithm used in ECDSA.patch

lib/crypto-backend.h | 12 7 + 5 - 0 !
lib/nettle/pk.c | 33 17 + 16 - 0 !
lib/pubkey.c | 5 4 + 1 - 0 !
tests/fips-test.c | 86 83 + 3 - 0 !
4 files changed, 111 insertions(+), 25 deletions(-)

 [PATCH 08/29] fips: fix checking on hash algorithm used in ECDSA

Previously we checked against the "preferred" hash algorithm based on
the curve, instead of the one actually used.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

54 fips mark composite signature API not approved.patch

lib/privkey.c | 42 30 + 12 - 0 !
tests/fips-test.c | 64 64 + 0 - 0 !
2 files changed, 94 insertions(+), 12 deletions(-)

 [PATCH 09/29] fips: mark composite signature API not-approved

This makes the FIPS service indicator transition to not-approved when
gnutls_privkey_sign_hash* is used.  In FIPS, the single-shot
API (gnutls_privkey_sign_data*) is preferred over the composite API.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

60 auth rsa_psk side step potential side channel.patch

lib/auth/rsa.c | 2 1 + 1 - 0 !
lib/auth/rsa_psk.c | 95 35 + 60 - 0 !
lib/gnutls_int.h | 4 0 + 4 - 0 !
lib/priority.c | 1 0 + 1 - 0 !
4 files changed, 36 insertions(+), 66 deletions(-)

 [PATCH 11/29] auth/rsa_psk: side-step potential side-channel

This removes branching that depends on secret data, porting changes
for regular RSA key exchange from
4804febddc2ed958e5ae774de2a8f85edeeff538 and
80a6ce8ddb02477cd724cd5b2944791aaddb702a.  This also removes
allow_wrong_pms as it was used solely to control debug output
depending on the branching.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

61 x509 detect loop in certificate chain.patch

lib/x509/common.c | 4 4 + 0 - 0 !
tests/test-chains.h | 124 124 + 0 - 0 !
2 files changed, 128 insertions(+)

 [PATCH 12/29] x509: detect loop in certificate chain

There can be a loop in a certificate chain, when multiple CA
certificates are cross-signed with each other, such as A → B, B → C,
and C → A.  Previously, the verification logic was not capable of
handling this scenario while sorting the certificates in the chain in
_gnutls_sort_clist, resulting in an assertion failure.  This patch
properly detects such a loop and aborts further processing in a graceful
manner.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

62 rsa psk minimize branching after decryption.patch

lib/auth/rsa_psk.c | 70 36 + 34 - 0 !
1 file changed, 36 insertions(+), 34 deletions(-)

 [PATCH 13/29] rsa-psk: minimize branching after decryption

This moves any non-trivial code between gnutls_privkey_decrypt_data2
and the function return in _gnutls_proc_rsa_psk_client_kx up until the
decryption.  This also avoids an extra memcpy to session->key.key.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

63_01 gnutls_x509_trust_list_verify_crt2 remove length lim.patch

lib/gnutls_int.h | 5 4 + 1 - 0 !
lib/x509/common.c | 10 9 + 1 - 0 !
lib/x509/verify-high.c | 73 46 + 27 - 0 !
tests/test-chains.h | 212 209 + 3 - 0 !
4 files changed, 268 insertions(+), 32 deletions(-)

 [PATCH 1/5] gnutls_x509_trust_list_verify_crt2: remove length limit
 of input

Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
chain verification logic crashed with an assertion failure.  This patch
removes the restriction while keeping the maximum number of
retrieved certificates at DEFAULT_MAX_VERIFY_DEPTH.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

63_02 nettle avoid normalization of mpz_t in deterministic.patch

lib/nettle/int/dsa-compute-k.c | 82 52 + 30 - 0 !
lib/nettle/int/dsa-compute-k.h | 31 24 + 7 - 0 !
lib/nettle/int/ecdsa-compute-k.c | 33 6 + 27 - 0 !
lib/nettle/int/ecdsa-compute-k.h | 8 1 + 7 - 0 !
lib/nettle/pk.c | 79 54 + 25 - 0 !
tests/sign-verify-deterministic.c | 2 1 + 1 - 0 !
6 files changed, 138 insertions(+), 97 deletions(-)

 [PATCH 2/5] nettle: avoid normalization of mpz_t in deterministic
 ECDSA

This removes function calls that potentially leak the bit-length of a
private key used to calculate a nonce in deterministic ECDSA.  Namely:

- _gnutls_dsa_compute_k has been rewritten to work on always
  zero-padded mp_limb_t arrays instead of mpz_t
- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
  by a byte array instead of an mpz_t value

Signed-off-by: Daiki Ueno <ueno@gnu.org>

63_03 serv fix memleak when a connected client disappears.patch

src/serv.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [PATCH 3/5] serv: fix memleak when a connected client disappears

Reported by Hubert Kario.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

63_04 lib fix a segfault in _gnutls13_recv_end_of_early_da.patch

lib/tls13/early_data.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [PATCH 4/5] lib: fix a segfault in _gnutls13_recv_end_of_early_data

A crash occurs in my app that uses gnutls13 early data; stack trace:

  #0  free (libc.so.6 + 0x97bf0)
  #1  _gnutls_buffer_clear (libgnutls.so.30 + 0x77c8c)
  #2  _gnutls13_recv_end_of_early_data (libgnutls.so.30 + 0xaf308)
  #3  _gnutls13_handshake_server (libgnutls.so.30 + 0x42d6c)
  #4  handshake_server (libgnutls.so.30 + 0x4ff6c)

The root cause is that _gnutls_buffer_clear() was trying to free
'buf', which is not initialized or set if the GNUTLS_NO_END_OF_EARLY_DATA
flag is set on the server side.

This patch fixes it by simply initializing buf at the beginning of
_gnutls13_recv_end_of_early_data().

Signed-off-by: Xin Long <lucien.xin@gmail.com>

63_05 lib fix a potential segfault in _gnutls13_recv_finis.patch

lib/tls13/finished.c | 6 2 + 4 - 0 !
1 file changed, 2 insertions(+), 4 deletions(-)

 [PATCH 5/5] lib: fix a potential segfault in _gnutls13_recv_finished

In _gnutls13_recv_finished(), 'buf' is not initialized or set when
_gnutls13_compute_finished() returns an error, and goto cleanup may
cause a segfault crash as it frees the uninitialized buf.allocd in
_gnutls_buffer_clear().

So fix it by returning if _gnutls13_compute_finished() returns an error
in _gnutls13_recv_finished().

Signed-off-by: Xin Long <lucien.xin@gmail.com>

65 x509 optimize name constraints processing.patch

lib/datum.c | 7 6 + 1 - 0 !
lib/x509/name_constraints.c | 663 386 + 277 - 0 !
lib/x509/x509_ext.c | 93 41 + 52 - 0 !
lib/x509/x509_ext_int.h | 5 5 + 0 - 0 !
lib/x509/x509_int.h | 21 7 + 14 - 0 !
5 files changed, 445 insertions(+), 344 deletions(-)

 [PATCH] x509: optimize name constraints processing

This switches the representation of name constraints from linked lists to
array lists to optimize the lookup performance from O(n) to O(1), and also
enforces a limit on name constraint checks against subject alternative
names.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

67_lib x509 x509_ext.c Add gnutls_free to avoid memory .patch

lib/x509/x509_ext.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [PATCH] lib/x509/x509_ext.c: add gnutls_free() to avoid memory leak

Add gnutls_free() to free ooc if subject_alt_names_set() fails, to avoid a memory leak.

Fixes: 2bd323f72 ("Added new API to handle X.509 extensions.")
Signed-off-by: JiashengJiang <jiasheng@purdue.edu>

68_lib hello_ext.c Add gnutls_free to avoid memory leak.patch

lib/hello_ext.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [PATCH] lib/hello_ext.c: add gnutls_free() to avoid memory leak

Add gnutls_free() to free tmp_mod.name in the error handling, to avoid a memory leak.

Fixes: 5bba569b4 ("gnutls_session_ext_register: keep track of extension name")
Signed-off-by: JiashengJiang <jiasheng@purdue.edu>

69_0001 x509 fix read buffer overrun in SCT timestamps.patch

lib/x509/x509_ext.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [PATCH 1/6] x509: fix read buffer overrun in SCT timestamps

Prevent reading beyond the heap buffer in the call to _gnutls_parse_ct_sct
when processing X.509 Signed Certificate Timestamps with certain
malformed data. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42530513

Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Signed-off-by: Daiki Ueno <ueno@gnu.org>

69_0002 psk fix read buffer overrun in the pre_shared_key ex.patch

lib/ext/pre_shared_key.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [PATCH 2/6] psk: fix read buffer overrun in the "pre_shared_key"
 extension

While processing the "pre_shared_key" extension in TLS 1.3, if there
is certain malformed data in the extension headers, then the code may
read uninitialized memory (2 bytes) beyond the received TLS extension
buffer. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42513990

Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Signed-off-by: Daiki Ueno <ueno@gnu.org>

69_0003 x509 reject zero length version in certificate reque.patch

lib/x509/crq.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 [PATCH 3/6] x509: reject zero-length version in certificate request

Ensure zero-size ASN.1 values are considered invalid in
gnutls_x509_crq_get_version; this ensures the crq version is not used
uninitialized. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42536706

Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Signed-off-by: Daiki Ueno <ueno@gnu.org>

69_0004 x509 avoid double free when exporting othernames in .patch

lib/x509/extensions.c | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 [PATCH 4/6] x509: avoid double free when exporting othernames in SAN

Previously, the _gnutls_write_new_othername function, called by
gnutls_x509_ext_export_subject_alt_names to export "otherName" in a
certificate's SAN extension, freed the caller-allocated ASN.1
structure upon error, resulting in a potential double-free.

Reported by OpenAI Security Research Team.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

69_0005 certtool avoid 1 byte write buffer overrun when pars.patch

src/certtool-cfg.c | 4 2 + 2 - 0 !
tests/cert-tests/Makefile.am | 3 2 + 1 - 0 !
tests/cert-tests/template-test.sh | 13 13 + 0 - 0 !
tests/cert-tests/templates/template-too-many-othernames.tmpl | 2003 2003 + 0 - 0 !
4 files changed, 2020 insertions(+), 3 deletions(-)

 [PATCH 5/6] certtool: avoid 1-byte write buffer overrun when parsing
 template

Previously, when parsing a template file with a number of key-value
pairs, certtool could write a NUL byte after the heap buffer, causing
memory corruption. This fixes the issue by allocating room for the NUL byte.
Reported by David Aitel.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

69_0006 handshake clear HSK_PSK_SELECTED is when resetting b.patch

lib/handshake.c | 25 22 + 3 - 0 !
lib/state.c | 4 3 + 1 - 0 !
tests/Makefile.am | 2 2 + 0 - 0 !
tests/tls13/hello_retry_request_psk.c | 173 173 + 0 - 0 !
4 files changed, 200 insertions(+), 4 deletions(-)

 [PATCH 6/6] handshake: clear HSK_PSK_SELECTED is when resetting
 binders

When a TLS 1.3 handshake involves HRR and resumption or PSK, and the
second Client Hello omits PSK, the server would hit a NULL
pointer dereference as the PSK binder information is cleared while the
HSK_PSK_SELECTED flag is still set. This makes sure that the
HSK_PSK_SELECTED flag is always cleared when the PSK binders are
reset. This also makes it clear that the HSK_PSK_SELECTED flag is valid
only during a handshake; after that, whether PSK is used can be
checked with gnutls_auth_client_get_type.

Reported by Stefan Bühler.

Signed-off-by: Daiki Ueno <ueno@gnu.org>