Merge commit '744169a4a5421f3d0be72c70e63e7de479606ced'

# Conflicts:
#	devel/import-ecc-from-nettle.sh
#	src/list.h
#	tests/suite/tls-fuzzer/tlsfuzzer

.gitignore

@@ -287,7 +287,8 @@ src/danetool
 src/danetool-args.c
 src/danetool-args.h
 src/gaa.skel
-src/gl
+src/gl/*
+!src/gl/override
 src/gnutls-cli
 src/gnutls-cli-debug
 src/gnutls-serv

.gitlab-ci.yml

@@ -7,7 +7,7 @@ stages:
 # name to allow expiration of old caches.
 
 cache:
-  key: "$CI_JOB_NAME-ver16"
+  key: "$CI_JOB_NAME-ver18"
   paths:
     - cache/
 
@@ -35,13 +35,13 @@ after_script:
 
 variables:
   BUILD_IMAGES_PROJECT: gnutls/build-images
-  DEBIAN_BUILD: buildenv-debian
-  DEBIAN_CROSS_BUILD: buildenv-debian-cross
+  DEBIAN_BUILD: buildenv-debian-testing
+  DEBIAN_CROSS_BUILD: buildenv-debian-cross-testing
   DEBIAN_X86_CROSS_BUILD: buildenv-debian-x86-cross
   FEDORA28_BUILD: buildenv-f28
-  FEDORA_BUILD: buildenv-fedora31
-  MINGW_BUILD: buildenv-mingw
-  ALPINE_BASE_BUILD: buildenv-alpine-base
+  FEDORA_BUILD: buildenv-fedora33
+  MINGW_BUILD: buildenv-mingw-fedora33
+  ALPINE_BASE_BUILD: buildenv-alpine-base-nettle36
   CPPCHECK_OPTIONS: "--enable=warning --enable=style --enable=performance --enable=portability --std=c99 --suppressions-list=devel/cppcheck.suppressions --template='{id}:{file}:{line},{severity},{message}'"
   GET_SOURCES_ATTEMPTS: "3"
 
@@ -175,8 +175,9 @@ minimal.Fedora.x86_64:
 # with openssl 1.1.0, which include legacy algorithms like DSA.
 SSL-3.0.Fedora.x86_64:
   stage: stage1-testing
-  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA28_BUILD
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
   script:
+  - update-crypto-policies --set LEGACY
   - ./bootstrap
   - mkdir -p build
   - cd build
@@ -211,7 +212,10 @@ FIPS140-2.Fedora.x86_64:
   - make -j$BUILDJOBS
   - make -j$CHECKJOBS check
   - mkdir -p lib/.libs/fipscheck
-  - fipshmac -d lib/.libs/fipscheck/ -s .hmac lib/.libs/libgnutls.so*
+  - |
+    for i in lib/.libs/libgnutls.so*; do
+      openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP -hex $i | cut -f 2 -d ' ' > lib/.libs/fipscheck/$(basename $i).hmac
+    done
   - GNUTLS_FORCE_FIPS_MODE=1 make -j$CHECKJOBS check
   - cd ..
   tags:
@@ -316,6 +320,9 @@ MinGW32.DLLs:
   - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
   - ./bootstrap
   - export CC="ccache i686-w64-mingw32-gcc"
+  - export CFLAGS="-fstack-protector"
+  - export CXXFLAGS="-fstack-protector"
+  - export LDFLAGS="-fstack-protector"
   - export WINEPATH=/usr/i686-w64-mingw32/sys-root/mingw/bin
   - dash ./configure --disable-gcc-warnings --host=i686-w64-mingw32 --target=i686-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-nls --disable-guile --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
   - mingw32-make -j$BUILDJOBS
@@ -357,6 +364,55 @@ MinGW64.DLLs:
   - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
   - ./bootstrap
   - export CC="ccache x86_64-w64-mingw32-gcc"
+  - export CFLAGS="-fstack-protector"
+  - export CXXFLAGS="-fstack-protector"
+  - export LDFLAGS="-fstack-protector"
+  - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
+  - dash ./configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
+  - mingw64-make -j$BUILDJOBS
+  - mingw64-make -j$BUILDJOBS -C tests check
+# Combine generated apps and DLLs.
+#libwinpthread is required by libgcc
+#libffi is required by libp11-kit
+  - mkdir -p win64-build/bin win64-build/lib/includes
+  - cp lib/.libs/*.dll src/.libs/*.exe win64-build/bin
+  - x86_64-w64-mingw32-strip --strip-unneeded win64-build/bin/*.dll
+  - x86_64-w64-mingw32-strip win64-build/bin/*.exe
+  - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win64-build/bin
+  - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win64-build/bin
+  - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win64-build/bin
+  - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win64-build/bin
+  - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win64-build/bin
+  - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win64-build/bin
+  - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win64-build/bin
+  - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win64-build/bin
+  - cp lib/.libs/*.a lib/*.def lib/gnutls.pc win64-build/lib
+  - cp lib/includes/gnutls/*.h win64-build/lib/includes
+  tags:
+  - shared
+  - docker
+  - linux
+  only:
+  - tags
+  artifacts:
+    name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}"
+    paths:
+      - win64-build/
+  retry: 1
+
+MinGW64.DLLs.Vista+:
+  stage: stage1-testing
+  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+  script:
+  - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
+  - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
+  - ./bootstrap
+  - export CC="ccache x86_64-w64-mingw32-gcc"
+  - export CFLAGS="-fstack-protector"
+  - export CXXFLAGS="-fstack-protector"
+  - export LDFLAGS="-fstack-protector"
+ # Target Vista instead of XP, currently the default in mingw
+  - export CPPFLAGS="-D_WIN32_WINNT=0x600"
   - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
   - dash ./configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
   - mingw64-make -j$BUILDJOBS
@@ -439,6 +495,9 @@ MinGW64.Vista+:
   script:
   - ./bootstrap
   - export CC="ccache x86_64-w64-mingw32-gcc"
+  - export CFLAGS="-fstack-protector"
+  - export CXXFLAGS="-fstack-protector"
+  - export LDFLAGS="-fstack-protector"
  # Target Vista instead of XP, currently the default in mingw
   - export CPPFLAGS="-D_WIN32_WINNT=0x600"
   - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
@@ -475,6 +534,9 @@ MinGW64:
   script:
   - ./bootstrap
   - export CC="ccache x86_64-w64-mingw32-gcc"
+  - export CFLAGS="-fstack-protector"
+  - export CXXFLAGS="-fstack-protector"
+  - export LDFLAGS="-fstack-protector"
   - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
   - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
   - echo ':DOSWin:M::MZ::/usr/bin/wine64:' > /proc/sys/fs/binfmt_misc/register
@@ -509,6 +571,9 @@ MinGW32:
   script:
   - ./bootstrap
   - export CC="ccache i686-w64-mingw32-gcc"
+  - export CFLAGS="-fstack-protector"
+  - export CXXFLAGS="-fstack-protector"
+  - export LDFLAGS="-fstack-protector"
   - export WINEPATH=/usr/i686-w64-mingw32/sys-root/mingw/bin
   - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
   - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
@@ -540,12 +605,22 @@ FreeBSD.x86_64:
   image:
   script:
   - export CC="ccache clang"
+  - git clone --depth 1 --branch master https://gitlab.com/gnutls/nettle.git nettle-git
+  - export NETTLE_DIR=${PWD}/nettle
+  - cd nettle-git
+  - ./.bootstrap
+  - ./configure --enable-mini-gmp --disable-documentation --disable-openssl --prefix=$NETTLE_DIR
+  - gmake
+  - gmake install
+  - cd -
   - ./bootstrap
-  - export LDFLAGS="-L/usr/local/lib"
-  - ./configure --disable-full-test-suite
-    --cache-file cache/config.cache --disable-gcc-warnings --disable-guile --disable-doc
-  - gmake -j$(sysctl hw.ncpu | awk '{print $2}')
-  - gmake check -j$(sysctl hw.ncpu | awk '{print $2}')
+  - export LDFLAGS="-Wl,-rpath,$NETTLE_DIR/lib -L$NETTLE_DIR/lib -L/usr/local/lib"
+  - export PKG_CONFIG_PATH=$NETTLE_DIR/lib/pkgconfig
+  - export CPPFLAGS=`pkg-config hogweed --cflags-only-I`
+  - export LD_LIBRARY_PATH=$NETTLE_DIR/lib
+  - ./configure --disable-full-test-suite --cache-file cache/config.cache --disable-gcc-warnings --disable-guile --disable-doc --with-nettle-mini
+  - gmake V=1 2>&1 | tee make.log
+  - gmake check
   tags:
   - freebsd
   only:
@@ -686,7 +761,7 @@ Debian.cross.i686-linux-gnu:
   - export CC_FOR_BUILD="ccache gcc"
   - export CC="ccache $host-gcc"
   - ./bootstrap
-  - sed -i '/errno.==.EINVAL/d' gl/tests/test-strerror.c
+  - sed -i '/errno.==.EINVAL/d' src/gl/tests/test-strerror.c
   - mkdir -p build
   - cd build
   # Debian's softhsm package is not multiarch yet. Missing softhsm libraries
@@ -718,11 +793,9 @@ Debian.cross.i686-linux-gnu:
 Debian.cross.arm-linux-gnueabihf:
   <<: *Debian_cross_template
 
-Debian.cross.mips-linux-gnu:
-  <<: *Debian_cross_template
-
 Debian.cross.aarch64-linux-gnu:
   <<: *Debian_cross_template
+  allow_failure: true
 
 nettle-master.Fedora:
   stage: stage1-testing

.lgtm.yml

@@ -4,7 +4,14 @@ extraction:
       command:
       - sed 's/--with-tests/--without-tests/g' -i bootstrap.conf
       - "./bootstrap --no-git --skip-po --no-bootstrap-sync --gnulib-srcdir=gnulib"
-      - "./configure --disable-tests --disable-doc --disable-gtk-doc --disable-dependency-tracking"
-    index:
-      build_command:
+      - "wget -O nettle-master.zip https://git.lysator.liu.se/nettle/nettle/-/archive/master/nettle-master.zip?foo=`date +%Y%m%d`"
+      - "unzip nettle-master.zip"
+      - "mv nettle-master nettle"
+      - "cd nettle"
+      - "bash .bootstrap"
+      - "./configure --enable-mini-gmp --disable-documentation"
       - "make -j4"
+      - "cd .."
+      - "PKG_CONFIG_PATH=\"`pwd`/nettle\" LDFLAGS=\"-L`pwd`/nettle\" ./configure --disable-tests --disable-doc --disable-gtk-doc --disable-dependency-tracking"
+    index:
+      build_command: "LD_LIBRARY_PATH=\"`pwd`/nettle/.lib\" make -j4"

NEWS

@@ -5,6 +5,56 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
 Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
 See the end for copying conditions.
 
+* Version 3.7.0 (released 2020-12-02)
+
+** libgnutls: Depend on nettle 3.6 (!1322).
+
+** libgnutls: Added a new API that provides a callback function to
+   retrieve missing certificates from incomplete certificate chains
+   (#202, #968, #1100).
+
+** libgnutls: Added a new API that provides a callback function to
+   output the complete path to the trusted root during certificate
+   chain verification (#1012).
+
+** libgnutls: OIDs exposed as gnutls_datum_t no longer account for the
+   terminating null bytes, while the data field is null terminated.
+   The affected API functions are: gnutls_ocsp_req_get_extension,
+   gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
+   (#805).
+
+** libgnutls: Added a new set of API to enable QUIC implementation (#826, #849,
+   #850).
+
+** libgnutls: The crypto implementation override APIs deprecated in 3.6.9 are
+   now no-op (#790).
+
+** libgnutls: Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161).
+
+** libgnutls: Support for padlock has been fixed to make it work with Zhaoxin
+   CPU (#1079).
+
+** libgnutls: The maximum PIN length for PKCS #11 has been increased from 31
+   bytes to 255 bytes (#932).
+
+** API and ABI modifications:
+gnutls_x509_trust_list_set_getissuer_function: Added
+gnutls_x509_trust_list_get_ptr: Added
+gnutls_x509_trust_list_set_ptr: Added
+gnutls_session_set_verify_output_function: Added
+gnutls_record_encryption_level_t: New enum
+gnutls_handshake_read_func: New callback type
+gnutls_handshake_set_read_function: New function
+gnutls_handshake_write: New function
+gnutls_handshake_secret_func: New callback type
+gnutls_handshake_set_secret_function: New function
+gnutls_alert_read_func: New callback type
+gnutls_alert_set_read_function: New function
+gnutls_crypto_register_cipher: Deprecated; no-op
+gnutls_crypto_register_aead_cipher: Deprecated; no-op
+gnutls_crypto_register_mac: Deprecated; no-op
+gnutls_crypto_register_digest: Deprecated; no-op
+
 * Version 3.6.15 (releases 2020-09-04)
 
 ** libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing.
@@ -77,6 +127,8 @@ No changes since last version.
 GNUTLS_CIPHER_AES_128_SIV: Added
 GNUTLS_CIPHER_AES_256_SIV: Added
 GNUTLS_CIPHER_AES_192_GCM: Added
+GNUTLS_NO_AUTO_SEND_TICKET: Added
+gnutls_ext_get_name2: Added
 gnutls_pkcs7_print_signature_info: Added
 
 * Version 3.6.13 (released 2020-03-31)

RELEASES.md

@@ -14,31 +14,5 @@ cases change the API.
 
 |Branch|Version|Release interval|
 |:----:|:-----:|:--------------:|
-|stable|3.6.x  |bi-monthly      |
-|next  |-      |                |
-
-
-# Release process
-
- 0. Create a new 'milestone' for the next release and move all issues present in the
-    current release milestone.
- 1. Verification of release notes: ensure that release notes ([NEWS](NEWS)) exist
-    for this release, and include all significant changes since last release.
- 2. Update of release date in [NEWS](NEWS), and bump of version number in
-    [configure.ac](configure.ac) as well as soname numbers in [m4/hooks.m4](m4/hooks.m4).
- 3. make distcheck
- 4. git tag -s $(VERSION). The 3.6.12 was including both the 3.6.12 and
-    gnutls_3_6_12 tags, but it may make sense to only use the version from
-    now on.
- 5. git push && git push --tags
- 6. make dist && gpg --sign --detach gnutls-$(VERSION).tar.xz
- 7. scp gnutls-$(VERSION).tar.xz* trithemius.gnupg.org:/home/ftp/gcrypt/v3.6/
- 8. Create and send announcement email based on previously sent email to the list and
-    [NEWS](NEWS) file.
- 9. Create a NEWS entry at [web-pages repository](https://gitlab.com/gnutls/web-pages/-/tree/master/news-entries),
-    and/or [a security advisory entry](https://gitlab.com/gnutls/web-pages/-/tree/master/security-entries)
-    if necessary. The NEWS entry is usually pointing to the announcement email.
-    A commit auto-generates the [gnutls web site](https://gnutls.gitlab.io/web-pages/)
-    which is mirrored twice a day by www.gnutls.org.
-10. Use the @GnuTLS twitter account to announce the release.
-11. Close the current release milestone.
+|stable|3.6.x  |as needed       |
+|next  |3.7.x  |bi-monthly      |

bootstrap.conf

@@ -19,24 +19,26 @@ source_base=gl
 tests_base=gl/tests
 m4_base=m4
 gnulib_name=libgnu
-gnulib_tool_option_extras="--with-tests --avoid=alignof-tests --avoid=lock-tests --avoid=lseek-tests --lgpl=2"
+gnulib_tool_option_extras="--without-tests --avoid=alignof-tests --avoid=lock-tests --avoid=lseek-tests --lgpl=2"
 use_libtool=1
 checkout_only_file=
 local_gl_dir=gl/override/
 required_submodules="tests/suite/tls-fuzzer/python-ecdsa tests/suite/tls-fuzzer/tlsfuzzer tests/suite/tls-fuzzer/tlslite-ng devel/nettle devel/libtasn1"
 
-# Reproduce by: gnulib-tool --import --local-dir=gl/override --lib=libgnu --source-base=gl --m4-base=gl/m4 --doc-base=doc --tests-base=gl/tests --aux-dir=build-aux --with-tests --avoid=alignof-tests --avoid=lock-tests --avoid=lseek-tests --lgpl=2 --no-conditional-dependencies --libtool --macro-prefix=gl --no-vc-files alloca attribute byteswap c-ctype extensions fopen-gnu func gendocs getline gettext-h gettimeofday hash-pjw-bare havelib intprops ldd lib-msvc-compat lib-symbol-versions maintainer-makefile manywarnings memmem-simple minmax netdb netinet_in pmccabe2html read-file secure_getenv snprintf stdint strcase strndup strtok_r strverscmp sys_socket sys_stat threadlib time_r unistd vasprintf verify vsnprintf warnings
-
+# Those modules are common to lib/ and src/.
+common_modules="
+alloca attribute byteswap c-ctype c-strcase fopen-gnu func getline gettext-h gettimeofday hash hash-pjw-bare arpa_inet inet_ntop inet_pton intprops memmem-simple minmax netdb netinet_in read-file secure_getenv setsockopt snprintf stdint stpcpy strcase strdup-posix strndup strtok_r strverscmp sys_socket sys_stat sys_types threadlib time_r unistd valgrind-tests vasprintf verify vsnprintf
+"
 gnulib_modules="
-alloca attribute byteswap c-ctype c-strcase extensions fopen-gnu func gendocs getline gettext-h gettimeofday hash hash-pjw-bare havelib arpa_inet inet_ntop inet_pton intprops ldd lib-msvc-compat lib-symbol-versions maintainer-makefile manywarnings memmem-simple minmax netdb netinet_in pmccabe2html read-file secure_getenv setsockopt snprintf stdint strcase strdup-posix strndup strtok_r strverscmp sys_socket sys_stat sys_types threadlib time_r unistd valgrind-tests vasprintf verify vsnprintf warnings
+$common_modules extensions gendocs havelib ldd lib-msvc-compat lib-symbol-versions maintainer-makefile manywarnings pmccabe2html warnings
 "
 
 unistring_modules="
 unictype/category-all unictype/property-default-ignorable-code-point unictype/property-join-control unictype/property-not-a-character uninorm/nfc uninorm/nfkc uninorm/u16-normalize uninorm/u32-normalize uninorm/u8-normalize unistr/u16-to-u8 unistr/u32-to-u8 unistr/u8-check unistr/u8-to-u16 unistr/u8-to-u32
 "
 
 src_modules="
-accept bind close connect getaddrinfo getpass gettext-h arpa_inet inet_ntop inet_pton listen minmax parse-datetime progname read-file recv recvfrom select send sendto servent setsockopt shutdown socket sockets socklen inttypes
+$common_modules accept bind close close-stream connect getaddrinfo getpass inttypes listen linked-list parse-datetime progname read-file recv recvfrom select send sendto servent setsockopt shutdown socket sockets socklen xalloc xlist xsize
 "
 
 # Build prerequisites
@@ -95,14 +97,13 @@ bootstrap_post_import_hook ()
 
   ${GNULIB_SRCDIR}/gnulib-tool --import --local-dir=lib/unistring/override --lib=libunistring --source-base=lib/unistring --m4-base=lib/unistring/m4 --doc-base=doc --aux-dir=build-aux --lgpl=3orGPLv2 --no-conditional-dependencies --libtool --without-tests --macro-prefix=unistring ${unistring_modules}
 
-  ${GNULIB_SRCDIR}/gnulib-tool --import --local-dir=src/gl/override --lib=libgnu_gpl --source-base=src/gl --m4-base=src/gl/m4 --doc-base=doc --aux-dir=build-aux --no-conditional-dependencies --libtool --macro-prefix=ggl --without-tests --no-vc-files ${src_modules}
+  ${GNULIB_SRCDIR}/gnulib-tool --import --local-dir=src/gl/override --lib=libgnu_gpl --source-base=src/gl --m4-base=src/gl/m4 --doc-base=doc --tests-base=src/gl/tests --aux-dir=build-aux --no-conditional-dependencies --libtool --macro-prefix=ggl --with-tests --no-vc-files ${src_modules}
 
 #  git -C ${GNULIB_SRCDIR} reset --hard
 
   # Automake requires that ChangeLog exist.
   touch ChangeLog || return 1
 
-  devel/import-ecc-from-nettle.sh
   devel/import-from-nettle.sh
   devel/import-minitasn1.sh
 }