import gnutls-3.6.14-5.el8

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/gnutls-3.6.14.tar.xz
+SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg

.gnutls.metadata

@@ -0,0 +1,2 @@
+bea1b5abcb691acf014e592f41d0a9580a41216a SOURCES/gnutls-3.6.14.tar.xz
+648ec46f9539fe756fb90131b85ae4759ed2ed21 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg

SOURCES/gnutls-3.2.7-rpath.patch

@@ -0,0 +1,12 @@
+diff -ur gnutls-3.2.7.orig/configure gnutls-3.2.7/configure
+--- gnutls-3.2.7.orig/configure	2013-11-23 11:09:49.000000000 +0100
++++ gnutls-3.2.7/configure	2013-11-25 16:53:05.559440656 +0100
+@@ -39652,7 +39652,7 @@
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+ 

SOURCES/gnutls-3.6.14-autogen-int.patch

@@ -0,0 +1,36 @@
+From cf1de82bedd01c01e70921699c84a473b08d0dab Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 1 Jun 2020 17:23:59 +0200
+Subject: [PATCH] serv: omit upper bound of --maxearlydata option definition
+
+It turned out that AutoGen treats numbers that exceed INT_MAX in a
+platform dependent way.  In this case, 4294967295 (UINT_MAX) is
+treated as is on 64-bit platforms, while it is interpreted as "-1" on
+32-bit platforms.  This causes a problem when the program
+documentation is compiled under multilib environment.
+
+Reported by Ivan Molodetskikh in:
+https://bugzilla.redhat.com/show_bug.cgi?id=1841844
+and the cause was identified by Anderson Toshiyuki Sasaki.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ src/serv-args.def | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/serv-args.def b/src/serv-args.def
+index 996fbe36b..a584085e2 100644
+--- a/src/serv-args.def
++++ b/src/serv-args.def
+@@ -51,7 +51,7 @@ flag = {
+ flag = {
+     name      = maxearlydata;
+     arg-type  = number;
+-    arg-range = "1->4294967295";
++    arg-range = "1->";
+     descrip   = "The maximum early data size to accept";
+     doc      = "";
+ };
+-- 
+2.26.2
+

SOURCES/gnutls-3.6.14-fips-dh-check.patch

@@ -0,0 +1,676 @@
+From bea53f1b46a64d6dcf5bbe4794740c4d4459f9bf Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 10 Jul 2020 09:35:49 +0200
+Subject: [PATCH 1/5] dh: check validity of Z before export
+
+SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the
+calculated shared secret is verified before the data is returned to the
+caller.  This patch adds the validation check.
+
+Suggested by Stephan Mueller.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/pk.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 57a8560ed..08c7d4860 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -288,7 +288,7 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
+ 	switch (algo) {
+ 	case GNUTLS_PK_DH: {
+ 		bigint_t f, x, q, prime;
+-		bigint_t k = NULL, ff = NULL, r = NULL;
++		bigint_t k = NULL, primesub1 = NULL, r = NULL;
+ 		unsigned int bits;
+ 
+ 		if (nonce != NULL)
+@@ -299,21 +299,20 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
+ 		q = priv->params[DH_Q];
+ 		prime = priv->params[DH_P];
+ 
+-		ret = _gnutls_mpi_init_multi(&k, &ff, &r, NULL);
++		ret = _gnutls_mpi_init_multi(&k, &primesub1, &r, NULL);
+ 		if (ret < 0)
+ 			return gnutls_assert_val(ret);
+ 
+-		ret = _gnutls_mpi_add_ui(ff, f, 1);
++		ret = _gnutls_mpi_sub_ui(primesub1, prime, 1);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+ 			goto dh_cleanup;
+ 		}
+ 
+-		/* check if f==0,1, or f >= p-1.
+-		 * or (ff=f+1) equivalently ff==1,2, ff >= p */
+-		if ((_gnutls_mpi_cmp_ui(ff, 2) == 0)
+-		    || (_gnutls_mpi_cmp_ui(ff, 1) == 0)
+-		    || (_gnutls_mpi_cmp(ff, prime) >= 0)) {
++		/* check if f==0,1, or f >= p-1 */
++		if ((_gnutls_mpi_cmp_ui(f, 1) == 0)
++		    || (_gnutls_mpi_cmp_ui(f, 0) == 0)
++		    || (_gnutls_mpi_cmp(f, primesub1) >= 0)) {
+ 			gnutls_assert();
+ 			ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ 			goto dh_cleanup;
+@@ -354,6 +353,15 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
+ 			goto dh_cleanup;
+ 		}
+ 
++		/* check if k==0,1, or k = p-1 */
++		if ((_gnutls_mpi_cmp_ui(k, 1) == 0)
++		    || (_gnutls_mpi_cmp_ui(k, 0) == 0)
++		    || (_gnutls_mpi_cmp(k, primesub1) == 0)) {
++			gnutls_assert();
++			ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
++			goto dh_cleanup;
++		}
++
+ 		if (flags & PK_DERIVE_TLS13) {
+ 			ret =
+ 			    _gnutls_mpi_dprint_size(k, out,
+@@ -370,7 +378,7 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
+ 		ret = 0;
+ dh_cleanup:
+ 		_gnutls_mpi_release(&r);
+-		_gnutls_mpi_release(&ff);
++		_gnutls_mpi_release(&primesub1);
+ 		zrelease_temp_mpi_key(&k);
+ 		if (ret < 0)
+ 			goto cleanup;
+-- 
+2.26.2
+
+
+From 13202600d3e42258d8758b05ff45a3e3d0f07e4e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 10 Jul 2020 09:42:30 +0200
+Subject: [PATCH 2/5] ecdh: check validity of P before export
+
+SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of
+the calculated shared secret is verified before the data is returned
+to the caller.  This patch adds the validation check.
+
+Suggested by Stephan Mueller.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/pk.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 08c7d4860..7f0fa8e03 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -229,25 +229,38 @@ _gost_params_to_pubkey(const gnutls_pk_params_st * pk_params,
+ }
+ #endif
+ 
+-static void
++static int
+ ecc_shared_secret(struct ecc_scalar *private_key,
+ 		  struct ecc_point *public_key, void *out, unsigned size)
+ {
+ 	struct ecc_point r;
+-	mpz_t x;
++	mpz_t x, y;
++	int ret = 0;
+ 
+ 	mpz_init(x);
++	mpz_init(y);
+ 	ecc_point_init(&r, public_key->ecc);
+ 
+ 	ecc_point_mul(&r, private_key, public_key);
+ 
+-	ecc_point_get(&r, x, NULL);
++	ecc_point_get(&r, x, y);
++
++	/* Check if the point is not an identity element.  Note that this cannot
++	 * happen in nettle implementation, because it cannot represent an
++	 * infinity point. */
++	if (mpz_cmp_ui(x, 0) == 0 && mpz_cmp_ui(y, 0) == 0) {
++		ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
++		goto cleanup;
++	}
++
+ 	nettle_mpz_get_str_256(size, out, x);
+ 
++ cleanup:
+ 	mpz_clear(x);
++	mpz_clear(y);
+ 	ecc_point_clear(&r);
+ 
+-	return;
++	return ret;
+ }
+ 
+ #define MAX_DH_BITS DEFAULT_MAX_VERIFY_BITS
+@@ -423,8 +436,10 @@ dh_cleanup:
+ 				goto ecc_cleanup;
+ 			}
+ 
+-			ecc_shared_secret(&ecc_priv, &ecc_pub, out->data,
+-					  out->size);
++			ret = ecc_shared_secret(&ecc_priv, &ecc_pub, out->data,
++						out->size);
++			if (ret < 0)
++				gnutls_free(out->data);
+ 
+ 		      ecc_cleanup:
+ 			ecc_point_clear(&ecc_pub);
+-- 
+2.26.2
+
+
+From 245fb622e82bfa7b80d2cec7cafdbc65014ca3cb Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 17 Jul 2020 17:45:17 +0200
+Subject: [PATCH 3/5] dh-primes: make the FIPS approved check return Q value
+
+This is necessary for full public key validation in
+SP800-56A (revision 3), section 5.6.2.3.1.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/auth/dh_common.c |  2 +-
+ lib/dh-primes.c      | 38 +++++++++++++++++++++++---------------
+ lib/dh.h             | 10 ++++++----
+ 3 files changed, 30 insertions(+), 20 deletions(-)
+
+diff --git a/lib/auth/dh_common.c b/lib/auth/dh_common.c
+index 252eea0cb..fcd696d4d 100644
+--- a/lib/auth/dh_common.c
++++ b/lib/auth/dh_common.c
+@@ -259,7 +259,7 @@ _gnutls_proc_dh_common_server_kx(gnutls_session_t session,
+ 
+ #ifdef ENABLE_FIPS140
+ 	if (gnutls_fips140_mode_enabled() &&
+-	    !_gnutls_dh_prime_is_fips_approved(data_p, n_p, data_g, n_g)) {
++	    !_gnutls_dh_prime_match_fips_approved(data_p, n_p, data_g, n_g, NULL, NULL)) {
+ 		gnutls_assert();
+ 		return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ 	}
+diff --git a/lib/dh-primes.c b/lib/dh-primes.c
+index a43a8e5de..a440b5b98 100644
+--- a/lib/dh-primes.c
++++ b/lib/dh-primes.c
+@@ -1894,25 +1894,28 @@ const gnutls_datum_t gnutls_modp_8192_group_generator = {
+ const unsigned int gnutls_modp_8192_key_bits = 512;
+ 
+ unsigned
+-_gnutls_dh_prime_is_fips_approved(const uint8_t *prime,
+-				  size_t prime_size,
+-				  const uint8_t *generator,
+-				  size_t generator_size)
++_gnutls_dh_prime_match_fips_approved(const uint8_t *prime,
++				     size_t prime_size,
++				     const uint8_t *generator,
++				     size_t generator_size,
++				     uint8_t **q,
++				     size_t *q_size)
+ {
+ 	static const struct {
+ 		const gnutls_datum_t *prime;
+ 		const gnutls_datum_t *generator;
++		const gnutls_datum_t *q;
+ 	} primes[] = {
+-		{ &gnutls_ffdhe_8192_group_prime, &gnutls_ffdhe_8192_group_generator },
+-		{ &gnutls_ffdhe_6144_group_prime, &gnutls_ffdhe_6144_group_generator },
+-		{ &gnutls_ffdhe_4096_group_prime, &gnutls_ffdhe_4096_group_generator },
+-		{ &gnutls_ffdhe_3072_group_prime, &gnutls_ffdhe_3072_group_generator },
+-		{ &gnutls_ffdhe_2048_group_prime, &gnutls_ffdhe_2048_group_generator },
+-		{ &gnutls_modp_8192_group_prime, &gnutls_modp_8192_group_generator },
+-		{ &gnutls_modp_6144_group_prime, &gnutls_modp_6144_group_generator },
+-		{ &gnutls_modp_4096_group_prime, &gnutls_modp_4096_group_generator },
+-		{ &gnutls_modp_3072_group_prime, &gnutls_modp_3072_group_generator },
+-		{ &gnutls_modp_2048_group_prime, &gnutls_modp_2048_group_generator },
++		{ &gnutls_ffdhe_8192_group_prime, &gnutls_ffdhe_8192_group_generator, &gnutls_ffdhe_8192_group_q },
++		{ &gnutls_ffdhe_6144_group_prime, &gnutls_ffdhe_6144_group_generator, &gnutls_ffdhe_6144_group_q },
++		{ &gnutls_ffdhe_4096_group_prime, &gnutls_ffdhe_4096_group_generator, &gnutls_ffdhe_4096_group_q },
++		{ &gnutls_ffdhe_3072_group_prime, &gnutls_ffdhe_3072_group_generator, &gnutls_ffdhe_3072_group_q },
++		{ &gnutls_ffdhe_2048_group_prime, &gnutls_ffdhe_2048_group_generator, &gnutls_ffdhe_2048_group_q },
++		{ &gnutls_modp_8192_group_prime, &gnutls_modp_8192_group_generator, &gnutls_modp_8192_group_q },
++		{ &gnutls_modp_6144_group_prime, &gnutls_modp_6144_group_generator, &gnutls_modp_6144_group_q },
++		{ &gnutls_modp_4096_group_prime, &gnutls_modp_4096_group_generator, &gnutls_modp_4096_group_q },
++		{ &gnutls_modp_3072_group_prime, &gnutls_modp_3072_group_generator, &gnutls_modp_3072_group_q },
++		{ &gnutls_modp_2048_group_prime, &gnutls_modp_2048_group_generator, &gnutls_modp_2048_group_q },
+ 	};
+ 	size_t i;
+ 
+@@ -1920,8 +1923,13 @@ _gnutls_dh_prime_is_fips_approved(const uint8_t *prime,
+ 		if (primes[i].prime->size == prime_size &&
+ 		    memcmp(primes[i].prime->data, prime, primes[i].prime->size) == 0 &&
+ 		    primes[i].generator->size == generator_size &&
+-		    memcmp(primes[i].generator->data, generator, primes[i].generator->size) == 0)
++		    memcmp(primes[i].generator->data, generator, primes[i].generator->size) == 0) {
++			if (q) {
++				*q = primes[i].q->data;
++				*q_size = primes[i].q->size;
++			}
+ 			return 1;
++		}
+ 	}
+ 
+ 	return 0;
+diff --git a/lib/dh.h b/lib/dh.h
+index 672451947..f5c2c0924 100644
+--- a/lib/dh.h
++++ b/lib/dh.h
+@@ -61,9 +61,11 @@ extern const gnutls_datum_t gnutls_modp_2048_group_generator;
+ extern const unsigned int gnutls_modp_2048_key_bits;
+ 
+ unsigned
+-_gnutls_dh_prime_is_fips_approved(const uint8_t *prime,
+-				  size_t prime_size,
+-				  const uint8_t *generator,
+-				  size_t generator_size);
++_gnutls_dh_prime_match_fips_approved(const uint8_t *prime,
++				     size_t prime_size,
++				     const uint8_t *generator,
++				     size_t generator_size,
++				     uint8_t **q,
++				     size_t *q_size);
+ 
+ #endif /* GNUTLS_LIB_DH_H */
+-- 
+2.26.2
+
+
+From 8b575625614fbe5a22b68dc8d1877efb1d44dd37 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 17 Jul 2020 17:47:06 +0200
+Subject: [PATCH 4/5] dh: perform SP800-56A rev3 full pubkey validation on
+ keygen
+
+This implements full public key validation required in SP800-56A rev3,
+section 5.6.2.3.1.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/pk.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 90 insertions(+)
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 7f0fa8e03..057836bc2 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -71,6 +71,7 @@
+ #include "int/dsa-compute-k.h"
+ #include <gnettle.h>
+ #include <fips.h>
++#include "dh.h"
+ 
+ static inline const struct ecc_curve *get_supported_nist_curve(int curve);
+ static inline const struct ecc_curve *get_supported_gost_curve(int curve);
+@@ -2131,6 +2132,53 @@ edwards_curve_mul_g(gnutls_pk_algorithm_t algo,
+ 	}
+ }
+ 
++static inline int
++dh_find_q(const gnutls_pk_params_st *pk_params, mpz_t q)
++{
++	gnutls_datum_t prime = { NULL, 0 };
++	gnutls_datum_t generator = { NULL, 0 };
++	uint8_t *data_q;
++	size_t n_q;
++	bigint_t _q;
++	int ret = 0;
++
++	ret = _gnutls_mpi_dprint(pk_params->params[DSA_P], &prime);
++	if (ret < 0) {
++		gnutls_assert();
++		goto cleanup;
++	}
++
++	ret = _gnutls_mpi_dprint(pk_params->params[DSA_G], &generator);
++	if (ret < 0) {
++		gnutls_assert();
++		goto cleanup;
++	}
++
++	if (!_gnutls_dh_prime_match_fips_approved(prime.data,
++						  prime.size,
++						  generator.data,
++						  generator.size,
++						  &data_q,
++						  &n_q)) {
++		ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++		goto cleanup;
++	}
++
++	if (_gnutls_mpi_init_scan_nz(&_q, data_q, n_q) != 0) {
++		ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
++		goto cleanup;
++	}
++
++	mpz_set(q, TOMPZ(_q));
++	_gnutls_mpi_release(&_q);
++
++ cleanup:
++	gnutls_free(prime.data);
++	gnutls_free(generator.data);
++
++	return ret;
++}
++
+ /* To generate a DH key either q must be set in the params or
+  * level should be set to the number of required bits.
+  */
+@@ -2212,6 +2260,9 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
+ 			mpz_t x, y;
+ 			int max_tries;
+ 			unsigned have_q = 0;
++			mpz_t q;
++			mpz_t primesub1;
++			mpz_t ypowq;
+ 
+ 			if (algo != params->algo)
+ 				return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -2229,6 +2280,10 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
+ 			mpz_init(x);
+ 			mpz_init(y);
+ 
++			mpz_init(q);
++			mpz_init(primesub1);
++			mpz_init(ypowq);
++
+ 			max_tries = 3;
+ 			do {
+ 				if (have_q) {
+@@ -2260,8 +2315,40 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
+ 					ret = GNUTLS_E_LIB_IN_ERROR_STATE;
+ 					goto dh_fail;
+ 				}
++
+ 			} while(mpz_cmp_ui(y, 1) == 0);
+ 
++#ifdef ENABLE_FIPS140
++			if (_gnutls_fips_mode_enabled()) {
++				/* Perform FFC full public key validation checks
++				 * according to SP800-56A (revision 3), 5.6.2.3.1.
++				 */
++
++				/* Step 1: 2 <= y <= p - 2 */
++				mpz_sub_ui(primesub1, pub.p, 1);
++
++				if (mpz_cmp_ui(y, 2) < 0 || mpz_cmp(y, primesub1) >= 0) {
++					ret = gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
++					goto dh_fail;
++				}
++
++				/* Step 2: 1 = y^q mod p */
++				if (have_q)
++					mpz_set(q, pub.q);
++				else {
++					ret = dh_find_q(params, q);
++					if (ret < 0)
++						goto dh_fail;
++				}
++
++				mpz_powm(ypowq, y, q, pub.p);
++				if (mpz_cmp_ui(ypowq, 1) != 0) {
++					ret = gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
++					goto dh_fail;
++				}
++			}
++#endif
++
+ 			ret = _gnutls_mpi_init_multi(&params->params[DSA_Y], &params->params[DSA_X], NULL);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+@@ -2278,6 +2365,9 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
+ 			mpz_clear(r);
+ 			mpz_clear(x);
+ 			mpz_clear(y);
++			mpz_clear(q);
++			mpz_clear(primesub1);
++			mpz_clear(ypowq);
+ 
+ 			if (ret < 0)
+ 				goto fail;
+-- 
+2.26.2
+
+
+From 23756c8580dff99d0856adca49dd22a55352ad62 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sat, 18 Jul 2020 08:26:48 +0200
+Subject: [PATCH 5/5] ecdh: perform SP800-56A rev3 full pubkey validation on
+ keygen
+
+This implements full public key validation required in
+SP800-56A rev3, section 5.6.2.3.3.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/pk.c | 182 +++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 180 insertions(+), 2 deletions(-)
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 057836bc2..588e9df50 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -1552,6 +1552,80 @@ static inline const struct ecc_curve *get_supported_nist_curve(int curve)
+ 	}
+ }
+ 
++static inline const char *get_supported_nist_curve_order(int curve)
++{
++	static const struct {
++		int curve;
++		const char *order;
++	} orders[] = {
++#ifdef ENABLE_NON_SUITEB_CURVES
++		{ GNUTLS_ECC_CURVE_SECP192R1,
++		  "ffffffffffffffffffffffff99def836"
++		  "146bc9b1b4d22831" },
++		{ GNUTLS_ECC_CURVE_SECP224R1,
++		  "ffffffffffffffffffffffffffff16a2"
++		  "e0b8f03e13dd29455c5c2a3d" },
++#endif
++		{ GNUTLS_ECC_CURVE_SECP256R1,
++		  "ffffffff00000000ffffffffffffffff"
++		  "bce6faada7179e84f3b9cac2fc632551" },
++		{ GNUTLS_ECC_CURVE_SECP384R1,
++		  "ffffffffffffffffffffffffffffffff"
++		  "ffffffffffffffffc7634d81f4372ddf"
++		  "581a0db248b0a77aecec196accc52973" },
++		{ GNUTLS_ECC_CURVE_SECP521R1,
++		  "1fffffffffffffffffffffffffffffff"
++		  "ffffffffffffffffffffffffffffffff"
++		  "ffa51868783bf2f966b7fcc0148f709a"
++		  "5d03bb5c9b8899c47aebb6fb71e91386"
++		  "409" },
++	};
++	size_t i;
++
++	for (i = 0; i < sizeof(orders)/sizeof(orders[0]); i++) {
++		if (orders[i].curve == curve)
++			return orders[i].order;
++	}
++	return NULL;
++}
++
++static inline const char *get_supported_nist_curve_modulus(int curve)
++{
++	static const struct {
++		int curve;
++		const char *order;
++	} orders[] = {
++#ifdef ENABLE_NON_SUITEB_CURVES
++		{ GNUTLS_ECC_CURVE_SECP192R1,
++		  "fffffffffffffffffffffffffffffffe"
++		  "ffffffffffffffff" },
++		{ GNUTLS_ECC_CURVE_SECP224R1,
++		  "ffffffffffffffffffffffffffffffff"
++		  "000000000000000000000001" },
++#endif
++		{ GNUTLS_ECC_CURVE_SECP256R1,
++		  "ffffffff000000010000000000000000"
++		  "00000000ffffffffffffffffffffffff" },
++		{ GNUTLS_ECC_CURVE_SECP384R1,
++		  "ffffffffffffffffffffffffffffffff"
++		  "fffffffffffffffffffffffffffffffe"
++		  "ffffffff0000000000000000ffffffff" },
++		{ GNUTLS_ECC_CURVE_SECP521R1,
++		  "1ff"
++		  "ffffffffffffffffffffffffffffffff"
++		  "ffffffffffffffffffffffffffffffff"
++		  "ffffffffffffffffffffffffffffffff"
++		  "ffffffffffffffffffffffffffffffff" },
++	};
++	size_t i;
++
++	for (i = 0; i < sizeof(orders)/sizeof(orders[0]); i++) {
++		if (orders[i].curve == curve)
++			return orders[i].order;
++	}
++	return NULL;
++}
++
+ static inline const struct ecc_curve *get_supported_gost_curve(int curve)
+ {
+ 	switch (curve) {
+@@ -2507,6 +2581,10 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
+ 			struct ecc_scalar key;
+ 			struct ecc_point pub;
+ 			const struct ecc_curve *curve;
++			struct ecc_scalar n;
++			struct ecc_scalar m;
++			struct ecc_point r;
++			mpz_t x, y, xx, yy, nn, mm;
+ 
+ 			curve = get_supported_nist_curve(level);
+ 			if (curve == NULL)
+@@ -2514,8 +2592,18 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
+ 				    gnutls_assert_val
+ 				    (GNUTLS_E_ECC_UNSUPPORTED_CURVE);
+ 
++			mpz_init(x);
++			mpz_init(y);
++			mpz_init(xx);
++			mpz_init(yy);
++			mpz_init(nn);
++			mpz_init(mm);
++
+ 			ecc_scalar_init(&key, curve);
+ 			ecc_point_init(&pub, curve);
++			ecc_scalar_init(&n, curve);
++			ecc_scalar_init(&m, curve);
++			ecc_point_init(&r, curve);
+ 
+ 			ecdsa_generate_keypair(&pub, &key, NULL, rnd_func);
+ 			if (HAVE_LIB_ERROR()) {
+@@ -2533,15 +2621,105 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
+ 			params->curve = level;
+ 			params->params_nr = ECC_PRIVATE_PARAMS;
+ 
+-			ecc_point_get(&pub, TOMPZ(params->params[ECC_X]),
+-				      TOMPZ(params->params[ECC_Y]));
++			ecc_point_get(&pub, x, y);
++
++#ifdef ENABLE_FIPS140
++			if (_gnutls_fips_mode_enabled()) {
++				/* Perform ECC full public key validation checks
++				 * according to SP800-56A (revision 3), 5.6.2.3.3.
++				 */
++
++				const char *order, *modulus;
++
++				/* Step 1: verify that Q is not an identity
++				 * element (an infinity point).  Note that this
++				 * cannot happen in the nettle implementation,
++				 * because it cannot represent an infinity point
++				 * on curves. */
++				if (mpz_cmp_ui(x, 0) == 0 && mpz_cmp_ui(y, 0) == 0) {
++					ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
++					goto ecc_fail;
++				}
++
++				/* Step 2: verify that both coordinates of Q are
++				 * in the range [0, p - 1].
++				 *
++				 * Step 3: verify that Q lie on the curve
++				 *
++				 * Both checks are performed in nettle.  */
++				if (!ecc_point_set(&r, x, y)) {
++					ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
++					goto ecc_fail;
++				}
++
++				/* Step 4: verify that n * Q, where n is the
++				 * curve order, result in an identity element
++				 *
++				 * Since nettle internally cannot represent an
++				 * identity element on curves, we validate this
++				 * instead:
++				 *
++				 *   (n - 1) * Q = -Q
++				 *
++				 * That effectively means: n * Q = -Q + Q = O
++				 */
++				order = get_supported_nist_curve_order(level);
++				if (unlikely(order == NULL)) {
++					ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++					goto ecc_fail;
++				}
++
++				ret = mpz_set_str(nn, order, 16);
++				if (unlikely(ret < 0)) {
++					ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
++					goto ecc_fail;
++				}
++
++				modulus = get_supported_nist_curve_modulus(level);
++				if (unlikely(modulus == NULL)) {
++					ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++					goto ecc_fail;
++				}
++
++				ret = mpz_set_str(mm, modulus, 16);
++				if (unlikely(ret < 0)) {
++					ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED);
++					goto ecc_fail;
++				}
++
++				/* (n - 1) * Q = -Q */
++				mpz_sub_ui (nn, nn, 1);
++				ecc_scalar_set(&n, nn);
++				ecc_point_mul(&r, &n, &r);
++				ecc_point_get(&r, xx, yy);
++				mpz_sub (mm, mm, y);
++
++				if (mpz_cmp(xx, x) != 0 || mpz_cmp(yy, mm) != 0) {
++					ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
++					goto ecc_fail;
++				}
++			}
++#endif
++
++			mpz_set(TOMPZ(params->params[ECC_X]), x);
++			mpz_set(TOMPZ(params->params[ECC_Y]), y);
++
+ 			ecc_scalar_get(&key, TOMPZ(params->params[ECC_K]));
+ 
+ 			ret = 0;
+ 
+ 		      ecc_fail:
++			mpz_clear(x);
++			mpz_clear(y);
++			mpz_clear(xx);
++			mpz_clear(yy);
++			mpz_clear(nn);
++			mpz_clear(mm);
+ 			ecc_point_clear(&pub);
+ 			ecc_scalar_clear(&key);
++			ecc_point_clear(&r);
++			ecc_scalar_clear(&n);
++			ecc_scalar_clear(&m);
+ 
+ 			if (ret < 0)
+ 				goto fail;
+-- 
+2.26.2
+

SOURCES/gnutls-3.6.14-fips-mode-check.patch

@@ -0,0 +1,42 @@
+From d1dc655cd2c8ae417381e5f966941c75cfe287ee Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 4 Jun 2020 16:42:07 +0200
+Subject: [PATCH] _gnutls_fips_mode_enabled: treat selftest failure as FIPS
+ disabled
+
+Previously gnutls_fips140_mode_enabled() returned true, even after
+selftests have failed and the library state has switched to error.
+While later calls to crypto operations fails, it would be more
+convenient to have a function to detect that state.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/fips.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/fips.c b/lib/fips.c
+index acdd2ec23..f8b10f750 100644
+--- a/lib/fips.c
++++ b/lib/fips.c
+@@ -491,8 +491,17 @@ unsigned gnutls_fips140_mode_enabled(void)
+ #ifdef ENABLE_FIPS140
+ 	unsigned ret = _gnutls_fips_mode_enabled();
+ 
+-	if (ret > GNUTLS_FIPS140_DISABLED)
++	if (ret > GNUTLS_FIPS140_DISABLED) {
++		/* If the previous run of selftests has failed, return as if
++		 * the FIPS mode is disabled. We could use HAVE_LIB_ERROR, if
++		 * we can assume that all the selftests run atomically from
++		 * the ELF constructor.
++		 */
++		if (_gnutls_get_lib_state() == LIB_STATE_ERROR)
++			return 0;
++
+ 		return ret;
++	}
+ #endif
+ 	return 0;
+ }
+-- 
+2.26.2
+

SOURCES/gnutls-3.6.14-memcmp.patch

@@ -0,0 +1,131 @@
+From 9acc0f68320db4c7c6dadacb974e77c7fbca72a7 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sun, 21 Jun 2020 16:03:54 +0200
+Subject: [PATCH] safe_memcmp: remove in favor of gnutls_memcmp
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/accelerated/x86/aes-xts-x86-aesni.c | 2 +-
+ lib/ext/pre_shared_key.c                | 2 +-
+ lib/mem.h                               | 9 ---------
+ lib/nettle/cipher.c                     | 8 ++++----
+ lib/tls13/finished.c                    | 2 +-
+ lib/x509/x509.c                         | 3 ++-
+ 6 files changed, 9 insertions(+), 17 deletions(-)
+
+diff --git a/lib/accelerated/x86/aes-xts-x86-aesni.c b/lib/accelerated/x86/aes-xts-x86-aesni.c
+index 3371d0812..b904cbf00 100644
+--- a/lib/accelerated/x86/aes-xts-x86-aesni.c
++++ b/lib/accelerated/x86/aes-xts-x86-aesni.c
+@@ -72,7 +72,7 @@ x86_aes_xts_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
+ 
+ 	/* Check key block according to FIPS-140-2 IG A.9 */
+ 	if (_gnutls_fips_mode_enabled()){
+-		if (safe_memcmp(key, key + (keysize / 2), keysize / 2) == 0) {
++		if (gnutls_memcmp(key, key + (keysize / 2), keysize / 2) == 0) {
+ 			_gnutls_switch_lib_state(LIB_STATE_ERROR);
+ 			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ 		}
+diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
+index fef67d341..240be2162 100644
+--- a/lib/ext/pre_shared_key.c
++++ b/lib/ext/pre_shared_key.c
+@@ -650,7 +650,7 @@ static int server_recv_params(gnutls_session_t session,
+ 	}
+ 
+ 	if (_gnutls_mac_get_algo_len(prf) != binder_recvd.size ||
+-	    safe_memcmp(binder_value, binder_recvd.data, binder_recvd.size)) {
++	    gnutls_memcmp(binder_value, binder_recvd.data, binder_recvd.size)) {
+ 		gnutls_assert();
+ 		ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ 		goto fail;
+diff --git a/lib/mem.h b/lib/mem.h
+index dc838a2b4..d3eea97a4 100644
+--- a/lib/mem.h
++++ b/lib/mem.h
+@@ -35,15 +35,6 @@ char *_gnutls_strdup(const char *);
+ 
+ unsigned _gnutls_mem_is_zero(const uint8_t *ptr, unsigned size);
+ 
+-/* To avoid undefined behavior when s1 or s2 are null and n = 0 */
+-inline static
+-int safe_memcmp(const void *s1, const void *s2, size_t n)
+-{
+-	if (n == 0)
+-		return 0;
+-	return memcmp(s1, s2, n);
+-}
+-
+ #define zrelease_mpi_key(mpi) if (*mpi!=NULL) { \
+ 		_gnutls_mpi_clear(*mpi); \
+ 		_gnutls_mpi_release(mpi); \
+diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c
+index b0a52deb5..ec0c1ab04 100644
+--- a/lib/nettle/cipher.c
++++ b/lib/nettle/cipher.c
+@@ -482,7 +482,7 @@ _xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key,
+ 			    const uint8_t *key)
+ {
+ 	if (_gnutls_fips_mode_enabled() &&
+-	    safe_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0)
++	    gnutls_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0)
+ 		_gnutls_switch_lib_state(LIB_STATE_ERROR);
+ 
+ 	xts_aes128_set_encrypt_key(xts_key, key);
+@@ -493,7 +493,7 @@ _xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key,
+ 			    const uint8_t *key)
+ {
+ 	if (_gnutls_fips_mode_enabled() &&
+-	    safe_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0)
++	    gnutls_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0)
+ 		_gnutls_switch_lib_state(LIB_STATE_ERROR);
+ 
+ 	xts_aes128_set_decrypt_key(xts_key, key);
+@@ -504,7 +504,7 @@ _xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key,
+ 			    const uint8_t *key)
+ {
+ 	if (_gnutls_fips_mode_enabled() &&
+-	    safe_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0)
++	    gnutls_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0)
+ 		_gnutls_switch_lib_state(LIB_STATE_ERROR);
+ 
+ 	xts_aes256_set_encrypt_key(xts_key, key);
+@@ -515,7 +515,7 @@ _xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key,
+ 			    const uint8_t *key)
+ {
+ 	if (_gnutls_fips_mode_enabled() &&
+-	    safe_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0)
++	    gnutls_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0)
+ 		_gnutls_switch_lib_state(LIB_STATE_ERROR);
+ 
+ 	xts_aes256_set_decrypt_key(xts_key, key);
+diff --git a/lib/tls13/finished.c b/lib/tls13/finished.c
+index 68eab993e..ec646e673 100644
+--- a/lib/tls13/finished.c
++++ b/lib/tls13/finished.c
+@@ -112,7 +112,7 @@ int _gnutls13_recv_finished(gnutls_session_t session)
+ #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
+ # warning This is unsafe for production builds
+ #else
+-	if (safe_memcmp(verifier, buf.data, buf.length) != 0) {
++	if (gnutls_memcmp(verifier, buf.data, buf.length) != 0) {
+ 		gnutls_assert();
+ 		ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
+ 		goto cleanup;
+diff --git a/lib/x509/x509.c b/lib/x509/x509.c
+index 2091f3ae6..2b68fe440 100644
+--- a/lib/x509/x509.c
++++ b/lib/x509/x509.c
+@@ -360,7 +360,8 @@ static int compare_sig_algorithm(gnutls_x509_crt_t cert)
+ 	}
+ 
+ 	if (empty1 != empty2 ||
+-	    sp1.size != sp2.size || safe_memcmp(sp1.data, sp2.data, sp1.size) != 0) {
++	    sp1.size != sp2.size ||
++	    (sp1.size > 0 && memcmp(sp1.data, sp2.data, sp1.size) != 0)) {
+ 		gnutls_assert();
+ 		ret = GNUTLS_E_CERTIFICATE_ERROR;
+ 		goto cleanup;
+-- 
+2.26.2
+

SOURCES/gnutls-3.6.4-no-now-guile.patch

@@ -0,0 +1,13 @@
+diff --git a/guile/src/Makefile.in b/guile/src/Makefile.in
+index 95e1e9c..1dfc88e 100644
+--- a/guile/src/Makefile.in
++++ b/guile/src/Makefile.in
+@@ -1483,7 +1483,7 @@ guileextension_LTLIBRARIES = guile-gnutls-v-2.la
+ # Use '-module' to build a "dlopenable module", in Libtool terms.
+ # Use '-undefined' to placate Libtool on Windows; see
+ # <https://lists.gnutls.org/pipermail/gnutls-devel/2014-December/007294.html>.
+-guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined
++guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined -Wl,-z,lazy
+ 
+ # Linking against GnuTLS.
+ GNUTLS_CORE_LIBS = $(top_builddir)/lib/libgnutls.la