.mailmap

+Andreas Metzler <ametzler@debian.org> <ametzler@bebt.de>
+Andreas Metzler <ametzler@debian.org> <ametzler@downhill.at.eu.org>
+Andreas Metzler <ametzler@debian.org> <gitlab@bebt.de>
+Daiki Ueno <ueno@gnu.org> <dueno@redhat.com>
+Daiki Ueno <ueno@gnu.org> <ueno@redhat.com>
+Daiki Ueno <ueno@gnu.org> <ueno@unixuser.org>
+David Woodhouse <dwmw2@infradead.org> <david.woodhouse@intel.com>
+František Krenželok <krenzelok.frantisek@gmail.com>
+Giuseppe Scrivano <gscrivano@gnu.org> <giuseppe@southpole.se>
+Ludovic Courtès <ludo@gnu.org>
+Ludovic Courtès <ludo@gnu.org> <ludo@chbouib.org>
+Nikos Mavrogiannopoulos <nmav@gnutls.org> <nikos@esat.kuleuven.be>
+Nikos Mavrogiannopoulos <nmav@gnutls.org> <nikos@thingfish.esat.kuleuven.be>
+Nikos Mavrogiannopoulos <nmav@gnutls.org> <nmav@crystal.(none)>
+Nikos Mavrogiannopoulos <nmav@gnutls.org> <nmav@redhat.com>
+Nikos Mavrogiannopoulos <nmav@gnutls.org> <n.mavrogiannopoulos@gmail.com>
+Nikos Mavrogiannopoulos <nmav@gnutls.org> <nmav@turtle.(none)>
+Simon Josefsson <jas@josefsson.org> <jas@mocca.josefsson.org>
+Simon Josefsson <jas@josefsson.org> <simon@josefsson.org>
+Stefan Berger <stefanb@linux.ibm.com> <stefanb@linux.vnet.ibm.com>
+Stef Walter <stefw@redhat.com> <stefw@collabora.co.uk>
+Tim Rühsen <tim.ruehsen@gmx.de> Tim Ruehsen <tim.ruehsen@gmx.de>
+Tom Vrancken <dev@tomvrancken.nl> <email@tomvrancken.nl>
+Dmitry Baryshkov <dbaryshkov@gmail.com>

AUTHORS

@@ -8,30 +8,33 @@ Tim Rühsen <tim.ruehsen at gmx.de>
 Ludovic Courtès <ludo at gnu.org>
 Timo Schulz <twoaday at gnutls.org>
 Jonathan Bastien-Filiatrault <joe at x2a.org>
-Alon Bar-Lev <alon.barlev at gmail.com>
 Andreas Metzler <ametzler at debian.org>
+Alon Bar-Lev <alon.barlev at gmail.com>
+Alexander Sosedkin <asosedkin at redhat.com>
+Daniel Kahn Gillmor <dkg at fifthhorseman.net>
 Tom Vrancken <dev at tomvrancken.nl>
+Zoltan Fridrich <zfridric at redhat.com>
 Martin Storsjo <martin at martin.st>
 Tim Kosse <tim.kosse at filezilla-project.org>
 Simo Sorce <simo at redhat.com>
-Daniel Kahn Gillmor <dkg at fifthhorseman.net>
 Fabian Keil <fk at fabiankeil.de>
 Fabio Fiorina <fiorinaf at gnutls.org>
 Stef Walter <stefw at redhat.com>
 Anderson Toshiyuki Sasaki <ansasaki at redhat.com>
 Armin Burgmeier <armin at arbur.net>
+František Krenželok <krenzelok.frantisek at gmail.com>
 Andrew McDonald <admcd at gnutls.org>
-Alex Gaynor <alex.gaynor at gmail.com>
 Fiona Klute <fiona.klute at gmx.de>
+Alex Gaynor <alex.gaynor at gmail.com>
+Ander Juaristi <a at juaristi.eus>
 Martin Ukrop <mukrop at redhat.com>
 Jaak Ristioja <jaak.ristioja at cyber.ee>
 Attila Molnar <attilamolnar at hush.com>
 Hugo Beauzée-Luyssen <hugo at beauzee.fr>
 Stefan Berger <stefanb at linux.ibm.com>
+Steve Lhomme <robux4 at ycbcr.xyz>
 Jakub Jelen <jjelen at redhat.com>
 Martin Sucha <anty.sk+git at gmail.com>
-Steve Lhomme <robux4 at ycbcr.xyz>
-Ander Juaristi <a at juaristi.eus>
 David Woodhouse <dwmw2 at infradead.org>
 Jan Vcelak <jan.vcelak at nic.cz>
 Kevin Cernekee <cernekee at gmail.com>
@@ -41,69 +44,80 @@ Michael Catanzaro <mcatanzaro at gnome.org>
 Daniel Lenski <dlenski at gmail.com>
 JonasZhou <JonasZhou at zhaoxin.com>
 Stefan Sørensen <stefan.sorensen at spectralink.com>
+Tobias Heider <tobias.heider at canonical.com>
 Adam Sampson <ats at offog.org>
 Alfredo Pironti <alfredo at pironti.eu>
 Brad Hards <bradh at frogmouth.net>
 Dimitri John Ledkov <xnox at ubuntu.com>
+Hubert Kario <hkario at redhat.com>
 Michael Weiser <michael.weiser at gmx.de>
 Patrick Pelletier <code at funwithsoftware.org>
 Rolf Eike Beer <eike at sf-mail.de>
+Ruslan N. Marchenko <me at ruff.mobi>
 Sjoerd Simons <sjoerd.simons at collabora.co.uk>
 Stefan Bühler <stbuehler at web.de>
 Thomas Klute <thomas2.klute at uni-dortmund.de>
 Wolfgang Meyer zu Bergsten <w.bergsten at sirrix.com>
-Andreas Metzler <gitlab at bebt.de>
 Christian Grothoff <christian at grothoff.org>
 Daniel P. Berrange <berrange at redhat.com>
+Evgeny Grin <k2k at narod.ru>
 Gustavo Zacarias <gustavo at zacarias.com.ar>
 James Bottomley <James.Bottomley at HansenPartnership.com>
 Jiří Klimeš <jklimes at redhat.com>
 Karsten Ohme <k_o_ at users.sourceforge.net>
 Kurt Roeckx <kurt at roeckx.be>
 Peter Wu <peter at lekensteyn.nl>
+Stanislav Zidek <szidek at redhat.com>
+Stephan Mueller <smueller at chronox.de>
 Thierry Quemerais <tquemerais at awox.com>
 Tom Carroll <incentivedesign at gmail.com>
 Vitezslav Cizek <vcizek at suse.com>
 Alessandro Ghedini <alessandro at ghedini.me>
 Alex Monk <krenair at gmail.com>
+Benjamin Herrenschmidt <benh at kernel.crashing.org>
 Bernhard M. Wiedemann <bwiedemann at suse.de>
+Craig Gallek <cgallek at gmail.com>
 David Caldwell <david at porkrind.org>
 Diego Elio Pettenò <flameeyes at flameeyes.eu>
 Elta Koepp <alexi_2019 at protonmail.com>
 Fabrice Fontaine <fontaine.fabrice at gmail.com>
 Giuseppe Scrivano <gscrivano at gnu.org>
-Hubert Kario <hkario at redhat.com>
 Ilya Tumaykin <itumaykin at gmail.com>
 Karl Tarbe <karl.tarbe at cyber.ee>
 Ke Zhao <kzhao at redhat.com>
+Leonardo Bras <leobras.c at gmail.com>
 Mark Brand <mabrand at mabrand.nl>
 Matthias-Christian Ott <ott at mirix.org>
 Maya Rashish <coypu at sdf.org>
 Michael Catanzaro <mcatanzaro at igalia.com>
 Michał Górny <mgorny at gentoo.org>
+Miroslav Lichvar <mlichvar at redhat.com>
+Pedro Monreal <pmgdeb at gmail.com>
+Pedro Monreal <pmonrealgonzalez at suse.de>
 Petr Písař <petr.pisar at atlas.cz>
 Pierre Ossman <ossman at cendio.se>
 Roman Bogorodskiy <bogorodskiy at gmail.com>
+Sam James <sam at gentoo.org>
+Simon South <simon at simonsouth.net>
 Steffen Jaeckel <jaeckel-floss at eyet-services.de>
-Stephan Mueller <smueller at chronox.de>
 Steve Dispensa <dispensa at phonefactor.com>
 nia <nia at NetBSD.org>
 raspa0 <raspa0 at protonmail.com>
-Airtower <fiona.klute at gmx.de>
 Alban Crequy <alban.crequy at collabora.co.uk>
 Albrecht Dreß <albrecht.dress at arcor.de>
 Aleksei Nikiforov <darktemplar at basealt.ru>
 Alexander Kanavin <alex.kanavin at gmail.com>
-Alexander Sosedkin <asosedkin at redhat.com>
 Alexandre Bique <bique.alexandre at gmail.com>
-Anderson Sasaki <ansasaki at redhat.com>
 Andreas Schneider <asn at samba.org>
 Andreas Schwab <schwab at suse.de>
+Asad Mehmood <asad78611 at googlemail.com>
 Avinash Sonawane <rootkea at gmail.com>
 Bas van Schaik <gitlab.com at s.traiectum.net>
 Bjoern Jacke <bjacke at samba.org>
 Björn Jacke <bjacke at samba.org>
 Bjørn Christensen <bhc at insight.dk>
+Brad Smith <brad at comstyle.com>
+Brian Wickman <bwickman97 at outlook.com>
 Carolin Latze <latze at angry-red-pla.net>
 Chen Hongzhi <hongzhi.chen at me.com>
 Chris Barry <chris at barry.im>
@@ -112,17 +126,21 @@ Dan Fandrich <dan at coneharvesters.com>
 Daniel Schaefer <git at danielschaefer.me>
 David Walker <david.walker at vcatechnology.com>
 David Weber <dave at veryflatcat.com>
+Dimitris Apostolou <dimitris.apostolou at icloud.com>
 Dmitriy Tsvettsikh <dmitrycvet at gmail.com>
 Dosenpfand <m at sad.bz>
+Doug Nazar <nazard at nazar.ca>
 Edward Stangler <estangler at bradmark.com>
 Elias Pipping <pipping at exherbo.org>
 Elta Koepp <elta_koepp at gmail.com>
-Evgeny Grin <k2k at narod.ru>
 Frank Morgner <morgner at informatik.hu-berlin.de>
+Gregor Jasny <gjasny at googlemail.com>
 Günther Deschner <gd at samba.org>
 Hani Benhabiles <kroosec at gmail.com>
+Hannes Reinecke <hare at suse.de>
 Hans Leidekker <hans at codeweavers.com>
 Ilya V. Matveychikov <i.matveychikov at securitycode.ru>
+Jan Palus <jpalus at fastmail.com>
 Jared Wong <jaredlwong at gmail.com>
 Jason Spafford <nullprogrammer at gmail.com>
 Jay Foad <jay.foad at gmail.com>
@@ -130,7 +148,6 @@ Jeffrey Walton <noloader at gmail.com>
 Jens Lechtenboerger <jens.lechtenboerger at fsfe.org>
 Jussi Kukkonen <jussi.kukkonen at intel.com>
 Kenneth J. Miller <ken at miller.ec>
-KrenzelokFrantisek <krenzelok.frantisek at gmail.com>
 Lei Maohui <leimaohui at cn.fujitsu.com>
 Lili Quan <13132239506 at 163.com>
 Lucas Fisher <lucas.fisher at gmail.com>
@@ -144,11 +161,13 @@ Marcus Meissner <meissner at suse.de>
 Marga Manterola <marga at google.com>
 Marius Bakke <mbakke at fastmail.com>
 Marti Raudsepp <marti at juffo.org>
+Marvin Scholz <epirat07 at gmail.com>
 Matt Turner <mattst88 at gmail.com>
 Matt Whitlock <matt at whitlock.name>
 Micah Anderson <micah at riseup.net>
-Miroslav Lichvar <mlichvar at redhat.com>
+Michael Catanzaro <mcatanzaro at redhat.com>
 Nick Alcock <nick.alcock at oracle.com>
+Nick Child <nick.child at ibm.com>
 Nicolas Dufresne <nicolas.dufresne at collabora.com>
 Nils Maier <maierman at web.de>
 Norbert Pocs <npocs at redhat.com>
@@ -162,6 +181,7 @@ Raj Raman <rajramanca at gmail.com>
 Remi Olivier <remi_8 at hotmail.com>
 Rical Jasan <ricaljasan at pacific.net>
 Ricardo M. Correia <rcorreia at wizy.org>
+Richard Costa <richard.costa at suse.com>
 Rickard Bellgrim <rickard at opendnssec.org>
 Robert Scheck <robert at fedoraproject.org>
 Roberto Newmon <robertonewmon at fake-box.com>
@@ -169,11 +189,11 @@ Ross Nicholson <phunkyfish at gmail.com>
 Rowan Thorpe <rowan at rowanthorpe.com>
 SUMIT AGGARWAL <aggarwal.s at samsung.com>
 Sadie Powell <sadie at witchery.services>
-Sahana Prasad <sahana.prasad07 at gmail.com>
 Saurav Babu <saurav.babu at samsung.com>
 Sebastian Dröge <sebastian at centricular.com>
+Seppo Yli-Olli <seppo.yliolli at gmail.com>
 Simon Arlott <sa.me.uk>
-Stanislav Zidek <szidek at redhat.com>
+Tatsuhiro Tsujikawa <tatsuhiro.t at gmail.com>
 Thomas Klausner <wiz at NetBSD.org>
 Tobias Polzer <tobias.polzer at fau.de>
 Tomas Hoger <thoger at redhat.com>
@@ -191,17 +211,19 @@ The translators list is autogenerated from po file history
 
 Anders Jonsson 
 Benno Schulenberg 
+Cristian Othón Martínez Vera 
 Felipe Castro 
-Francisco Javier Serrador 
 Jakub Bogusz 
 Jorma Karvonen 
+Mario Blättermann 
 Milo Casagrande 
 Mingye Wang (Arthur2e5) 
 Petr Pisar 
 Rafael Fontenelle 
-Roland Illig 
+Remus-Gabriel Chelu 
 Sharuzzaman Ahmat Raslan 
 Stéphane Aulery 
+Temuri Doghonadze 
 Trần Ngọc Quân 
 Yuri Chornoivan 
 Мирослав Николић 

CONTRIBUTING.md

@@ -157,8 +157,25 @@ As such, some questions to answer before adding a new API:
    13.0 is made available? Would it harm the addition of a new protocol?
 
 
-The make rule 'abi-check' verifies that the ABI remained compatible since
-the last tagged release. It relies on the git tree and abi-compliance-checker.
+The make rule 'abi-check' verifies that the ABI remained compatible
+since the last tagged release, which is maintained in a separate
+[abi-dump](https://gitlab.com/gnutls/abi-dump) repository. This
+repository shall be updated upon each release if any changes are
+introduced in the ABI.
+
+To add new API during development cycle, follow the steps below:
+
+0. If there is no section in [lib/libgnutls.map](lib/libgnutls.map),
+   corresponding to the next release, add it, deriving from the
+   previous interface
+1. Add new symbols in that section
+2. Run `make abi-check-latest`; this will report differences as
+   errors.  Edit the last section of
+   [devel/libgnutls.abignore](devel/libgnutls.abignore) to suppress
+   them.
+
+When a new version is released and the abi-dump repository is updated,
+the section will be cleared.
 
 The above do not apply to the C++ library; this library's ABI should not
 be considered stable.
@@ -403,6 +420,12 @@ or adding new command line options to tools you need to run 'make
 files-update', review the output (when feasible) and commit it separately,
 e.g., with a message: "auto-generated files update".
 
+ The 'files-update' rule also regenerates the ABI dump files (.abi), used by
+the 'abi-check' rule to ensure library ABI compatibility. To make it easier
+to track actual changes to be made in those files, a git external diff
+driver is provided as `devel/git-abidiff-gnutls`. See the comment in the
+file for the instruction.
+
 
 # Guile bindings:
 

GNUmakefile

@@ -5,7 +5,7 @@
 # It is necessary if you want to build targets usually of interest
 # only to the maintainer.
 
-# Copyright (C) 2001, 2003, 2006-2020 Free Software Foundation, Inc.
+# Copyright (C) 2001, 2003, 2006-2021 Free Software Foundation, Inc.
 
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

INSTALL.md

@@ -31,9 +31,10 @@ by running './configure --help'.
     sudo make install
 ```
 
-The commands above build and install the static archive (libgnutls.a),
-the shared object (libgnutls.so), and additional binaries such as certtool 
-and gnutls-cli.
+The commands above build and install the shared object (libgnutls.so),
+and additional binaries such as certtool and gnutls-cli. To build the
+static archive (libgnutls.a), add --enable-static to the `./configure`
+command.
 
 The library depends on libnettle and gmplib. 
 * gmplib: for big number arithmetic, https://gmplib.org/

Makefile.am

@@ -57,18 +57,20 @@ if ENABLE_DOC
 SUBDIRS += doc
 endif
 
-ACLOCAL_AMFLAGS = -I m4 -I src/libopts/m4 -I src/gl/m4 -I lib/unistring/m4 --install
+ACLOCAL_AMFLAGS = -I m4 -I src/gl/m4 -I lib/unistring/m4 --install
 
 EXTRA_DIST = cfg.mk maint.mk CONTRIBUTING.md README.md LICENSE AUTHORS NEWS \
-	ChangeLog THANKS INSTALL.md RELEASES.md
+	ChangeLog THANKS INSTALL.md RELEASES.md .mailmap
 
 DISTCLEANFILES = AUTHORS
 
-AUTHORS:
-	@echo -e "The authors list is autogenerated from the git history; sorted by number of commits\n" >AUTHORS
-	@git shortlog -sen| cut -f 2 | sed 's/@/ at /g' >> AUTHORS
-	@echo -e "\n\nThe translators list is autogenerated from po file history\n" >>AUTHORS
-	@sed -n 's/.*Last-Translator: *\(.*\) *<.*/\1/p' po/*.po | sort -u >>AUTHORS
+AUTHORS: Makefile.am .mailmap
+	$(AM_V_GEN) { \
+		echo -e "The authors list is autogenerated from the git history; sorted by number of commits\n"; \
+		git shortlog -sen --no-merges --group author --group trailer:co-authored-by | cut -f 2 | sed 's/@/ at /g'; \
+		echo -e "\n\nThe translators list is autogenerated from po file history\n"; \
+		sed -n 's/.*Last-Translator: *\(.*\) *<.*/\1/p' po/*.po | sort -u; \
+	} > $@-t && mv $@-t $@
 
 pic-check:
 	@echo "Checking for position dependent code"
@@ -77,18 +79,18 @@ pic-check:
 	false; \
 	fi
 
-ABIDW_COMMON = --no-show-locs --no-corpus-path
+ABIDW_COMMON = --drop-private-types --no-show-locs --no-corpus-path
 ABIGNORE_FILE = "$(top_srcdir)/devel/libgnutls.abignore"
 SYMBOLS_LAST_FILE = "$(top_srcdir)/devel/symbols.last"
-LIBGNUTLS_ABI_LAST_FILE = "$(top_srcdir)/devel/libgnutls-latest-$$(uname -m).abi"
-LIBDANE_ABI_LAST_FILE = "$(top_srcdir)/devel/libdane-latest-$$(uname -m).abi"
+LIBGNUTLS_ABI_LAST_FILE = "$(top_srcdir)/devel/abi-dump/libgnutls-latest-$$(uname -m).abi"
+LIBDANE_ABI_LAST_FILE = "$(top_srcdir)/devel/abi-dump/libdane-latest-$$(uname -m).abi"
 
 abi-dump-versioned: lib/libgnutls.la libdane/libgnutls-dane.la
 	@echo "**************************************************************************"
 	@echo "Generating versioned ABI files of current gnutls and gnutls-dane libraries"
 	@echo "**************************************************************************"
-	@abidw lib/.libs/libgnutls.so $(ABIDW_COMMON) --suppressions $(ABIGNORE_FILE) --out-file "$(srcdir)/devel/libgnutls-$(VERSION)-$$(uname -m).abi"
-	@abidw libdane/.libs/libgnutls-dane.so $(ABIDW_COMMON) --out-file "$(srcdir)/devel/libdane-$(VERSION)-$$(uname -m).abi"
+	@abidw lib/.libs/libgnutls.so $(ABIDW_COMMON) --suppressions $(ABIGNORE_FILE) --out-file "$(srcdir)/devel/abi-dump/libgnutls-$(VERSION)-$$(uname -m).abi"
+	@abidw libdane/.libs/libgnutls-dane.so $(ABIDW_COMMON) --out-file "$(srcdir)/devel/abi-dump/libdane-$(VERSION)-$$(uname -m).abi"
 
 abi-dump-latest: lib/libgnutls.la libdane/libgnutls-dane.la
 	@echo "****************************************************************"
@@ -121,7 +123,7 @@ abi-check-latest: lib/libgnutls.la libdane/libgnutls-dane.la
 
 ABICHECK_COMMON = --no-added-syms
 abi-check: lib/libgnutls.la libdane/libgnutls-dane.la
-	@for file in $$(echo $(srcdir)/devel/libgnutls-*-$$(uname -m).abi);do \
+	@for file in $$(echo $(srcdir)/devel/abi-dump/libgnutls-*-$$(uname -m).abi);do \
 		echo "Comparing libgnutls with $$file"; \
 		abidiff $${file} lib/.libs/libgnutls.so $(ABICHECK_COMMON) --suppressions $(ABIGNORE_FILE) --hd2 "$(srcdir)/lib/includes/gnutls/" --hd2 $(builddir)/lib/includes/gnutls/; \
 		if test $$? != 0;then \
@@ -131,7 +133,7 @@ abi-check: lib/libgnutls.la libdane/libgnutls-dane.la
 			exit 1; \
 		fi; \
 	done
-	@for file in $$(echo $(srcdir)/devel/libdane-*-$$(uname -m).abi);do \
+	@for file in $$(echo $(srcdir)/devel/abi-dump/libdane-*-$$(uname -m).abi);do \
 		echo "Comparing libgnutls-dane with $$file"; \
 		abidiff $${file} libdane/.libs/libgnutls-dane.so $(ABICHECK_COMMON) --hd2 "$(srcdir)/libdane/includes/gnutls/" --hd2 $(builddir)/lib/includes/gnutls/; \
 		if test $$? != 0;then \
@@ -178,14 +180,7 @@ distclean-local: code-coverage-dist-clean
 local-code-coverage-output: code-coverage-capture
 	cat GnuTLS-$(VERSION)-coverage/index.html|grep headerCovTableEntry|grep '%'|head -1|sed 's/^.*>\([0-9]\+\.[0-9]\+\s*%\)<.*$$/ coverage lines: \1/' || true
 
-libopts-check:
-	@echo "*****************************************************************"
-	@echo "Checking whether included libopts matches the system's. If the"
-	@echo "check fails upgrade the included libopts."
-	@echo "*****************************************************************"
-	test "`autoopts-config libsrc|awk -F '-' '{print $$NF}'|sed 's/.tar.gz//'`" = "`cat $(srcdir)/src/libopts/autoopts/options.h |grep OPTIONS_VERSION_STRING|cut -d '"' -f 2|sed 's/:/./g'`"
-
-files-update: libopts-check abi-dump-latest
+files-update:
 	$(MAKE) -C doc/ compare-makefile || mv doc/tmp-compare-makefile $(srcdir)/doc/Makefile.am
 	$(MAKE) -C doc/manpages compare-makefile || mv doc/manpages/tmp-compare-makefile $(srcdir)/doc/manpages/Makefile.am
 	$(MAKE) -C . symbol-check || mv symbols.last.tmp $(SYMBOLS_LAST_FILE)
@@ -193,7 +188,7 @@ files-update: libopts-check abi-dump-latest
 	@echo "updated auto-generated files; please use git diff to verify the correctness of the changes"
 	@echo "******************************************************************************************"
 
-dist-hook: libopts-check
+dist-hook:
 	$(PKG_CONFIG) --atleast-version=2.2.0 guile-2.2
 	if test -d "$(top_srcdir)/devel";then \
 		$(MAKE) -C $(top_srcdir) symbol-check && \
@@ -206,4 +201,7 @@ dist-hook: libopts-check
 	mv ChangeLog $(distdir)
 	touch -c $(distdir)/doc/*.html $(distdir)/doc/*.pdf $(distdir)/doc/*.info
 
-.PHONY: abi-check abi-dump-versioned abi-dump-latest pic-check symbol-check local-code-coverage-output files-update libopts-check AUTHORS
+.PHONY: abi-check abi-dump-versioned abi-dump-latest pic-check symbol-check local-code-coverage-output files-update AUTHORS
+
+include $(top_srcdir)/cligen/cligen.mk
+noinst_PYTHON = $(cligen_sources)

NEWS

@@ -5,6 +5,302 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
 Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
 See the end for copying conditions.
 
+* Version 3.7.9 (released 2023-02-09)
+
+** libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange.
+   Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin.
+   [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361]
+
+** API and ABI modifications:
+No changes since last version.
+
+* Version 3.7.8 (released 2022-09-27)
+
+** libgnutls: In FIPS140 mode, RSA signature verification is an approved
+   operation if the key has modulus with known sizes (1024, 1280,
+   1536, and 1792 bits), in addition to any modulus sizes larger than
+   2048 bits, according to SP800-131A rev2.
+
+** libgnutls: gnutls_session_channel_binding performs additional checks when
+   GNUTLS_CB_TLS_EXPORTER is requested. According to RFC9622 4.2, the
+   "tls-exporter" channel binding is only usable when the handshake is
+   bound to a unique master secret (i.e., either TLS 1.3 or extended
+   master secret extension is negotiated). Otherwise the function now
+   returns error.
+
+** libgnutls: usage of the following functions, which are designed to
+   loosen restrictions imposed by allowlisting mode of configuration,
+   has been additionally restricted. Invoking them is now only allowed
+   if system-wide TLS priority string has not been initialized yet:
+gnutls_digest_set_secure
+gnutls_sign_set_secure
+gnutls_sign_set_secure_for_certs
+gnutls_protocol_set_enabled
+
+** API and ABI modifications:
+No changes since last version.
+
+* Version 3.7.7 (released 2022-07-28)
+
+** libgnutls: Fixed double free during verification of pkcs7 signatures.
+   Reported by Jaak Ristioja (#1383). [GNUTLS-SA-2022-07-07, CVSS: medium]
+   [CVE-2022-2509]
+
+** libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument less than or
+   equal to 255 times hash digest size, to comply with RFC 5869 2.3.
+
+** libgnutls: Length limit for TLS PSK usernames has been increased
+   from 128 to 65535 characters (#1323).
+
+** libgnutls: AES-GCM encryption function now limits plaintext
+   length to 2^39-256 bits, according to SP800-38D 5.2.1.1.
+
+** libgnutls: New block cipher functions have been added to transparently
+   handle padding.  gnutls_cipher_encrypt3 and gnutls_cipher_decrypt3 can be
+   used in combination of GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically
+   add/remove padding if the length of the original plaintext is not a multiple
+   of the block size.
+
+** libgnutls: New function for manual FIPS self-testing.
+
+** API and ABI modifications:
+gnutls_fips140_run_self_tests: New function
+gnutls_cipher_encrypt3: New function
+gnutls_cipher_decrypt3: New function
+gnutls_cipher_padding_flags_t: New enum
+
+** guile: Guile 1.8 is no longer supported
+
+** guile: Session record port treats premature termination as EOF
+   Previously, a ‘gnutls-error’ exception with the
+   ‘error/premature-termination’ value would be thrown while reading from a
+   session record port when the underlying session was terminated
+   prematurely.  This was inconvenient since users of the port may not be
+   prepared to handle such an exception.
+   Reading from the session record port now returns the end-of-file object
+   instead of throwing an exception, just like it would for a proper
+   session termination.
+
+** guile: Session record ports can have a ‘close’ procedure.
+   The ‘session-record-port’ procedure now takes an optional second
+   parameter, and a new ‘set-session-record-port-close!’ procedure is
+   provided to specify a ‘close’ procedure for a session record port.
+   This ‘close’ procedure lets users specify cleanup operations for when
+   the port is closed, such as closing the file descriptor or port that
+   backs the underlying session.
+
+* Version 3.7.6 (released 2022-05-27)
+
+** libgnutls: Fixed invalid write when gnutls_realloc_zero()
+   is called with new_size < old_size. This bug caused heap
+   corruption when gnutls_realloc_zero() has been set as gmp
+   reallocfunc (!1592, #1367, #1368, #1369).
+
+** API and ABI modifications:
+No changes since last version.
+
+* Version 3.7.5 (released 2022-05-15)
+
+** libgnutls: The GNUTLS_NO_TICKETS_TLS12 flag and %NO_TICKETS_TLS12 priority
+   modifier have been added to disable session ticket usage in TLS 1.2 because
+   it does not provide forward secrecy (#477).  On the other hand, since session
+   tickets in TLS 1.3 do provide forward secrecy, the PFS priority string now
+   only disables session tickets in TLS 1.2.  Future backward incompatibility:
+   in the next major release of GnuTLS, we plan to remove those flag and
+   modifier, and make GNUTLS_NO_TICKETS and %NO_TICKETS only affect TLS 1.2.
+
+** gnutls-cli, gnutls-serv: Channel binding for printing information
+   has been changed from tls-unique to tls-exporter as tls-unique is
+   not supported in TLS 1.3.
+
+** libgnutls: Certificate sanity checks has been enhanced to make
+   gnutls more RFC 5280 compliant (!1583).
+   Following changes were included:
+   - critical extensions are parsed when loading x509
+     certificate to prohibit any random octet strings.
+     Requires strict-x509 configure option to be enabled
+   - garbage bits in Key Usage extension are prohibited
+   - empty DirectoryStrings in Distinguished name structures
+     of Issuer and Subject name are prohibited
+
+** libgnutls: Removed 3DES from FIPS approved algorithms (#1353).
+   According to the section 2 of SP800-131A Rev.2, 3DES algorithm
+   will be disallowed for encryption after December 31, 2023:
+   https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
+
+** libgnutls: Optimized support for AES-SIV-CMAC algorithms (#1217, #1312).
+   The existing AEAD API that works in a scatter-gather fashion
+   (gnutls_aead_cipher_encryptv2) has been extended to support AES-SIV-CMAC.
+   For further optimization, new function (gnutls_aead_cipher_set_key) has been
+   added to set key on the existing AEAD handle without re-allocation.
+
+** libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode
+   when used in TLS (#1311).
+
+** The configure arguments for Brotli and Zstandard (zstd) support
+   have changed to reflect the previous help text: they are now
+   --with-brotli/--with-zstd respectively (#1342).
+
+** Detecting the Zstandard (zstd) library in configure has been
+   fixed (#1343).
+
+** API and ABI modifications:
+GNUTLS_NO_TICKETS_TLS12: New flag
+gnutls_aead_cipher_set_key: New function
+
+* Version 3.7.4 (released 2022-03-17)
+
+** libgnutls: Added support for certificate compression as defined in RFC8879
+   (#1301). New API functions (gnutls_compress_certificate_get_selected_method
+   and gnutls_compress_certificate_set_methods) allow client and server to set
+   their preferences.
+
+** certtool: Added option --compress-cert that allows user to specify
+   compression methods for certificate compression.
+
+** libgnutls: GnuTLS can now be compiled with --enable-strict-x509 configure
+   option to enforce stricter certificate sanity checks that are compliant with
+   RFC5280.
+
+** libgnutls: Removed IA5String type from DirectoryString within issuer
+   and subject name to make DirectoryString RFC5280 compliant.
+
+** libgnutls: Added function (gnutls_record_send_file) to send file content from
+   open file descriptor (!1486). The implementation is optimized if KTLS (kernel
+   TLS) is enabled.
+
+** libgnutls: Added function (gnutls_ciphersuite_get) to retrieve the name of
+   current ciphersuite from TLS session (#1291).
+
+** libgnutls: The run-time dependency on tpm2-tss is now re-implemented using
+   dlopen, so GnuTLS does not indirectly link to other crypto libraries until
+   TPM2 functionality is utilized (!1544).
+
+** API and ABI modifications:
+GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
+GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
+gnutls_compress_certificate_get_selected_method: Added
+gnutls_compress_certificate_set_methods: Added
+gnutls_ciphersuite_get: New function
+gnutls_record_send_file: New function
+libgnutlsxx: Soname bumped due to ABI breakage introduced in 3.7.1
+
+* Version 3.7.3 (released 2022-01-17)
+
+** libgnutls: The allowlisting configuration mode has been added to the system-wide
+   settings. In this mode, all the algorithms are initially marked as insecure
+   or disabled, while the applications can re-enable them either through the
+   [overrides] section of the configuration file or the new API (#1172).
+
+** The build infrastructure no longer depends on GNU AutoGen for generating
+   command-line option handling, template file parsing in certtool, and
+   documentation generation (#773, #774). This change also removes run-time or
+   bundled dependency on the libopts library, and requires Python 3.6 or later
+   to regenerate the distribution tarball.
+
+   Note that this brings in known backward incompatibility in command-line
+   tools, such as long options are now case sensitive, while previously they
+   were treated in a case insensitive manner: for example --RSA is no longer a
+   valid option of certtool. The existing scripts using GnuTLS tools may need
+   adjustment for this change.
+
+** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and
+   used as a gnutls_privkey_t (#594). The code was originally written for the
+   OpenConnect VPN project by David Woodhouse. To generate such blobs, use the
+   tpm2tss-genkey tool from tpm2-tss-engine:
+   https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
+   or the tpm2_encodeobject tool from unreleased tpm2-tools.
+
+** libgnutls: The library now transparently enables Linux KTLS
+   (kernel TLS) when the feature is compiled in with --enable-ktls configuration
+   option (#1113). If the KTLS initialization fails it automatically falls back
+   to the user space implementation.
+
+** certtool: The certtool command can now read the Certificate Transparency
+   (RFC 6962) SCT extension (#232).  New API functions are also provided to
+   access and manipulate the extension values.
+
+** certtool: The certtool command can now generate, manipulate, and evaluate
+   x25519 and x448 public keys, private keys, and certificates.
+
+** libgnutls: Disabling a hashing algorithm through "insecure-hash"
+   configuration directive now also disables TLS ciphersuites that use it as a
+   PRF algorithm.
+
+** libgnutls: PKCS#12 files are now created with modern algorithms by default
+   (!1499).  Previously certtool used PKCS12-3DES-SHA1 for key derivation and
+   HMAC-SHA1 as an integity measure in PKCS#12.  Now it uses AES-128-CBC with
+   PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
+   default PBKDF2 iteration count has been increased to 600000.
+
+** libgnutls: PKCS#12 keys derived using GOST algorithm now uses
+   HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to
+   conform with the latest TC-26 requirements (#1225).
+
+** libgnutls: The library now provides a means to report the status of approved
+   cryptographic operations (!1465). To adhere to the FIPS140-3 IG 2.4.C., this
+   complements the existing mechanism to prohibit the use of unapproved
+   algorithms by making the library unusable state.
+
+** gnutls-cli: The gnutls-cli command now provides a --list-config option to
+   print the library configuration (!1508).
+
+** libgnutls: Fixed possible race condition in
+   gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared
+   among multiple threads (#1277). [GNUTLS-SA-2022-01-17, CVSS: low]
+
+** API and ABI modifications:
+GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
+GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
+gnutls_ecc_curve_set_enabled: Added.
+gnutls_sign_set_secure: Added.
+gnutls_sign_set_secure_for_certs: Added.
+gnutls_digest_set_secure: Added.
+gnutls_protocol_set_enabled: Added.
+gnutls_fips140_context_init: New function
+gnutls_fips140_context_deinit: New function
+gnutls_fips140_push_context: New function
+gnutls_fips140_pop_context: New function
+gnutls_fips140_get_operation_state: New function
+gnutls_fips140_operation_state_t: New enum
+gnutls_transport_is_ktls_enabled: New function
+gnutls_get_library_configuration: New function
+
+* Version 3.7.2 (released 2021-05-29)
+
+** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added
+   to disable TLS 1.3 middlebox compatibility mode
+
+** libgnutls: The Linux kernel AF_ALG based acceleration has been added.
+   This can be enabled with --enable-afalg configure option, when libkcapi
+   package is installed (#308).
+
+** libgnutls: Fixed timing of early data exchange. Previously, the client was
+   sending early data after receiving Server Hello, which not only negates the
+   benefit of 0-RTT, but also works under certain assumptions hold (e.g., the
+   same ciphersuite is selected in initial and resumption handshake) (#1146).
+
+** certtool: When signing a CSR, CRL distribution point (CDP) is no longer
+   copied from the signing CA by default (#1126).
+
+** libgnutls: The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to
+   GNUTLS_NO_IMPLICIT_INIT to reflect the purpose (#1178). The former is now
+   deprecated and will be removed in the future releases.
+
+** certtool: When producing certificates and certificate requests, subject DN
+   components that are provided individually will now be ordered by
+   assumed scale (e.g. Country before State, Organization before
+   OrganizationalUnit).  This change also affects the order in which
+   certtool prompts interactively.  Please rely on the template
+   mechanism for automated use of certtool! (#1243)
+
+** API and ABI modifications:
+gnutls_early_cipher_get: Added
+gnutls_early_prf_hash_get: Added
+
+** guile: Writes to a session record port no longer throw an exception upon
+   GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED.
+
 * Version 3.7.1 (released 2021-03-10)
 
 ** libgnutls: Fixed potential use-after-free in sending "key_share"

aminclude_static.am

 
 # aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Wed Mar 10 12:51:43 CET 2021
+# from AX_AM_MACROS_STATIC on Thu Feb  9 15:04:43 CET 2023
 
 
 # Code coverage
@@ -60,7 +60,7 @@ CODE_COVERAGE_GENHTML_OPTIONS_DEFAULT ?=$(if $(CODE_COVERAGE_BRANCH_COVERAGE),--
 CODE_COVERAGE_GENHTML_OPTIONS ?= $(CODE_COVERAGE_GENHTML_OPTIONS_DEFAULT)
 CODE_COVERAGE_IGNORE_PATTERN ?=
 
-GITIGNOREFILES = $(GITIGNOREFILES) $(CODE_COVERAGE_OUTPUT_FILE) $(CODE_COVERAGE_OUTPUT_DIRECTORY)
+GITIGNOREFILES := $(GITIGNOREFILES) $(CODE_COVERAGE_OUTPUT_FILE) $(CODE_COVERAGE_OUTPUT_DIRECTORY)
 code_coverage_v_lcov_cap = $(code_coverage_v_lcov_cap_$(V))
 code_coverage_v_lcov_cap_ = $(code_coverage_v_lcov_cap_$(AM_DEFAULT_VERBOSITY))
 code_coverage_v_lcov_cap_0 = @echo "  LCOV   --capture" $(CODE_COVERAGE_OUTPUT_FILE);
@@ -97,7 +97,7 @@ code-coverage-clean:
 
 code-coverage-dist-clean:
 
-AM_DISTCHECK_CONFIGURE_FLAGS = $(AM_DISTCHECK_CONFIGURE_FLAGS) --disable-code-coverage
+AM_DISTCHECK_CONFIGURE_FLAGS := $(AM_DISTCHECK_CONFIGURE_FLAGS) --disable-code-coverage
  else # ifneq ($(abs_builddir), $(abs_top_builddir))
 check-code-coverage:
 

build-aux/ar-lib

@@ -4,7 +4,7 @@
 me=ar-lib
 scriptversion=2019-07-04.01; # UTC
 
-# Copyright (C) 2010-2020 Free Software Foundation, Inc.
+# Copyright (C) 2010-2021 Free Software Foundation, Inc.
 # Written by Peter Rosin <peda@lysator.liu.se>.
 #
 # This program is free software; you can redistribute it and/or modify