Update to 3.6.14-1.

.gitignore

@@ -124,3 +124,6 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 /gnutls-3.6.13.tar.xz.sig
 /gnutls-3.6.13.tar.xz
+/gnutls-3.6.14.tar.xz
+/gnutls-3.6.14.tar.xz.sig
+/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg

gnutls-3.6.13-bump-linked-libs-soname-f33.patch

@@ -1,13 +0,0 @@
---- a/lib/fips.c	2020-01-01 21:10:19.000000000 +0100
-+++ b/lib/fips.c	2020-05-13 17:29:43.098868100 +0200
-@@ -136,8 +136,8 @@
- }
- 
- #define GNUTLS_LIBRARY_NAME "libgnutls.so.30"
--#define NETTLE_LIBRARY_NAME "libnettle.so.6"
--#define HOGWEED_LIBRARY_NAME "libhogweed.so.4"
-+#define NETTLE_LIBRARY_NAME "libnettle.so.8"
-+#define HOGWEED_LIBRARY_NAME "libhogweed.so.6"
- #define GMP_LIBRARY_NAME "libgmp.so.10"
- 
- #define HMAC_SUFFIX ".hmac"

gnutls-3.6.13-cli-wait-resumption.patch

@@ -1,87 +0,0 @@
-From f27358ecba654ef931c0a761a540dc9e2d2e67f0 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Fri, 20 Mar 2020 16:37:33 +0100
-Subject: [PATCH] gnutls-cli: Add option to wait for resumption data
-
-This introduces the --waitresumption command line option which makes the
-client to wait for the resumption data until a ticket is received under
-TLS1.3.  The client will block if no ticket is received.  The new option
-has no effect if the option --resume is not provided.
-
-This is useful to force the client to wait for the resumption data when
-the server takes long to send the ticket, allowing the session
-resumption to be tested.  This is a common scenario in CI systems where
-the testing machines have limited resources.
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
----
- src/cli-args.def |  6 ++++++
- src/cli.c        | 21 +++++++++++++++------
- 2 files changed, 21 insertions(+), 6 deletions(-)
-
-diff --git a/src/cli-args.def b/src/cli-args.def
-index a8760fab9..56ae77b07 100644
---- a/src/cli-args.def
-+++ b/src/cli-args.def
-@@ -471,6 +471,12 @@ flag = {
-     doc      = "";
- };
- 
-+flag = {
-+    name     = waitresumption;
-+    descrip  = "Block waiting for the resumption data under TLS1.3";
-+    doc      = "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided.";
-+};
-+
- doc-section = {
-   ds-type   = 'SEE ALSO'; // or anything else
-   ds-format = 'texi';      // or texi or mdoc format
-diff --git a/src/cli.c b/src/cli.c
-index db072b930..c3d074f08 100644
---- a/src/cli.c
-+++ b/src/cli.c
-@@ -78,7 +78,7 @@
- 
- /* global stuff here */
- int resume, starttls, insecure, ranges, rehandshake, udp, mtu,
--    inline_commands;
-+    inline_commands, waitresumption;
- unsigned int global_vflags = 0;
- char *hostname = NULL;
- char service[32]="";
-@@ -992,11 +992,19 @@ static int try_resume(socket_st * hd)
- 	gnutls_datum_t edata = {NULL, 0};
- 
- 	if (gnutls_session_is_resumed(hd->session) == 0) {
--		/* not resumed - obtain the session data */
--		ret = gnutls_session_get_data2(hd->session, &rdata);
--		if (ret < 0) {
--			rdata.data = NULL;
--		}
-+		do {
-+			/* not resumed - obtain the session data */
-+			ret = gnutls_session_get_data2(hd->session, &rdata);
-+			if (ret < 0) {
-+				rdata.data = NULL;
-+			}
-+
-+			if ((gnutls_protocol_get_version(hd->session) != GNUTLS_TLS1_3) ||
-+					((gnutls_session_get_flags(hd->session) &
-+					 GNUTLS_SFLAGS_SESSION_TICKET))) {
-+				break;
-+			}
-+		} while (waitresumption);
- 	} else {
- 		/* resumed - try to reuse the previous session data */
- 		rdata.data = hd->rdata.data;
-@@ -1688,6 +1696,7 @@ static void cmd_parser(int argc, char **argv)
- 	rehandshake = HAVE_OPT(REHANDSHAKE);
- 	insecure = HAVE_OPT(INSECURE);
- 	ranges = HAVE_OPT(RANGES);
-+	waitresumption = HAVE_OPT(WAITRESUMPTION);
- 
- 	if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
- 		global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
--- 
-2.25.4
-

gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch

@@ -1,124 +0,0 @@
-From 8f8615c4ef0b92b95e7bcb3bd1400124a203eef3 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Fri, 16 Aug 2019 17:01:05 +0200
-Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests
-
-Nettle's RSA signing, encryption and decryption functions still
-require randomness for blinding, so fallback to use a fixed buffer in
-selftests where entropy might not be available.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++----
- 1 file changed, 33 insertions(+), 4 deletions(-)
-
-diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
-index 15ad4b4e9..ccf403b00 100644
---- a/lib/nettle/pk.c
-+++ b/lib/nettle/pk.c
-@@ -107,6 +107,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
- 	nettle_mpz_get_str_256 (length, data, *k);
- }
- 
-+static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
-+{
-+	if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) {
-+		_gnutls_switch_lib_state(LIB_STATE_ERROR);
-+	}
-+
-+	memset(data, 0xAA, length);
-+}
-+
- static void
- ecc_scalar_zclear (struct ecc_scalar *s)
- {
-@@ -526,6 +535,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
- 	case GNUTLS_PK_RSA:
- 		{
- 			struct rsa_public_key pub;
-+			nettle_random_func *random_func;
- 
- 			ret = _rsa_params_to_pubkey(pk_params, &pub);
- 			if (ret < 0) {
-@@ -533,8 +543,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
- 				goto cleanup;
- 			}
- 
-+			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
-+				random_func = rnd_nonce_func_fallback;
-+			else
-+				random_func = rnd_nonce_func;
- 			ret =
--			    rsa_encrypt(&pub, NULL, rnd_nonce_func,
-+			    rsa_encrypt(&pub, NULL, random_func,
- 					plaintext->size, plaintext->data,
- 					p);
- 			if (ret == 0 || HAVE_LIB_ERROR()) {
-@@ -587,6 +601,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
- 			struct rsa_public_key pub;
- 			size_t length;
- 			bigint_t c;
-+			nettle_random_func *random_func;
- 
- 			_rsa_params_to_privkey(pk_params, &priv);
- 			ret = _rsa_params_to_pubkey(pk_params, &pub);
-@@ -617,8 +632,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
- 				goto cleanup;
- 			}
- 
-+			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
-+				random_func = rnd_nonce_func_fallback;
-+			else
-+				random_func = rnd_nonce_func;
- 			ret =
--			    rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func,
-+			    rsa_decrypt_tr(&pub, &priv, NULL, random_func,
- 					   &length, plaintext->data,
- 					   TOMPZ(c));
- 			_gnutls_mpi_release(&c);
-@@ -664,6 +683,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
- 	bigint_t c;
- 	uint32_t is_err;
- 	int ret;
-+	nettle_random_func *random_func;
- 
- 	if (algo != GNUTLS_PK_RSA || plaintext == NULL) {
- 		gnutls_assert();
-@@ -683,7 +703,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
- 		return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED);
- 	}
- 
--	ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func,
-+	if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
-+		random_func = rnd_nonce_func_fallback;
-+	else
-+		random_func = rnd_nonce_func;
-+	ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func,
- 			     plaintext_size, plaintext, TOMPZ(c));
- 	/* after this point, any conditional on failure that cause differences
- 	 * in execution may create a timing or cache access pattern side
-@@ -1072,6 +1096,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
- 		{
- 			struct rsa_private_key priv;
- 			struct rsa_public_key pub;
-+			nettle_random_func *random_func;
- 			mpz_t s;
- 
- 			_rsa_params_to_privkey(pk_params, &priv);
-@@ -1082,8 +1107,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
- 
- 			mpz_init(s);
- 
-+			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
-+				random_func = rnd_nonce_func_fallback;
-+			else
-+				random_func = rnd_nonce_func;
- 			ret =
--			    rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func,
-+			    rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func,
- 					      vdata->size, vdata->data, s);
- 			if (ret == 0 || HAVE_LIB_ERROR()) {
- 				gnutls_assert();
--- 
-2.25.4
-

gnutls-3.6.13-superseding-chain.patch

@@ -1,391 +0,0 @@
-From 299bd4f113d0bd39fa1577a671a04ed7899eff3c Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Sun, 31 May 2020 12:39:14 +0200
-Subject: [PATCH 1/3] _gnutls_pkcs11_verify_crt_status: check validity against
- system cert
-
-To verify a certificate chain, this function replaces known
-certificates with the ones in the system trust store if possible.
-
-However, if it is found, the function checks the validity of the
-original certificate rather than the certificate found in the trust
-store.  That reveals a problem in a scenario that (1) a certificate is
-signed by multiple issuers and (2) one of the issuers' certificate has
-expired and included in the input chain.
-
-This patch makes it a little robuster by actually retrieving the
-certificate from the trust store and perform check against it.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/pkcs11.c      | 98 +++++++++++++++++++++++++++++++++--------------
- lib/pkcs11_int.h  |  5 +++
- lib/x509/verify.c |  7 +++-
- 3 files changed, 80 insertions(+), 30 deletions(-)
-
-diff --git a/lib/pkcs11.c b/lib/pkcs11.c
-index fad16aaf4..d8d4a6511 100644
---- a/lib/pkcs11.c
-+++ b/lib/pkcs11.c
-@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
- 	return ret;
- }
- 
--/**
-- * gnutls_pkcs11_crt_is_known:
-- * @url: A PKCS 11 url identifying a token
-- * @cert: is the certificate to find issuer for
-- * @issuer: Will hold the issuer if any in an allocated buffer.
-- * @fmt: The format of the exported issuer.
-- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
-- *
-- * This function will check whether the provided certificate is stored
-- * in the specified token. This is useful in combination with 
-- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
-- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
-- * to check whether a CA is present or a certificate is blacklisted in
-- * a trust PKCS #11 module.
-- *
-- * This function can be used with a @url of "pkcs11:", and in that case all modules
-- * will be searched. To restrict the modules to the marked as trusted in p11-kit
-- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
-- *
-- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
-- * specific to p11-kit trust modules.
-- *
-- * Returns: If the certificate exists non-zero is returned, otherwise zero.
-- *
-- * Since: 3.3.0
-- **/
--unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
--				 unsigned int flags)
-+unsigned
-+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-+			    unsigned int flags,
-+			    gnutls_x509_crt_t *trusted_cert)
- {
- 	int ret;
- 	struct find_cert_st priv;
-@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
- 
- 	memset(&priv, 0, sizeof(priv));
- 
-+	if (trusted_cert) {
-+		ret = gnutls_pkcs11_obj_init(&priv.obj);
-+		if (ret < 0) {
-+			gnutls_assert();
-+			goto cleanup;
-+		}
-+		priv.need_import = 1;
-+	}
-+
- 	if (url == NULL || url[0] == 0) {
- 		url = "pkcs11:";
- 	}
-@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
- 		_gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n");
- 		/* attempt searching with the subject DN only */
- 		gnutls_assert();
-+		if (priv.obj)
-+			gnutls_pkcs11_obj_deinit(priv.obj);
- 		gnutls_free(priv.serial.data);
- 		memset(&priv, 0, sizeof(priv));
-+		if (trusted_cert) {
-+			ret = gnutls_pkcs11_obj_init(&priv.obj);
-+			if (ret < 0) {
-+				gnutls_assert();
-+				goto cleanup;
-+			}
-+			priv.need_import = 1;
-+		}
- 		priv.crt = cert;
- 		priv.flags = flags;
- 
-@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
- 		goto cleanup;
- 	}
- 
-+	if (trusted_cert) {
-+		ret = gnutls_x509_crt_init(trusted_cert);
-+		if (ret < 0) {
-+			gnutls_assert();
-+			ret = 0;
-+			goto cleanup;
-+		}
-+		ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj);
-+		if (ret < 0) {
-+			gnutls_assert();
-+			gnutls_x509_crt_deinit(*trusted_cert);
-+			ret = 0;
-+			goto cleanup;
-+		}
-+	}
- 	ret = 1;
- 
-       cleanup:
-+	if (priv.obj)
-+		gnutls_pkcs11_obj_deinit(priv.obj);
- 	if (info)
- 		p11_kit_uri_free(info);
- 	gnutls_free(priv.serial.data);
-@@ -4660,6 +4672,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
- 	return ret;
- }
- 
-+/**
-+ * gnutls_pkcs11_crt_is_known:
-+ * @url: A PKCS 11 url identifying a token
-+ * @cert: is the certificate to find issuer for
-+ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
-+ *
-+ * This function will check whether the provided certificate is stored
-+ * in the specified token. This is useful in combination with 
-+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
-+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
-+ * to check whether a CA is present or a certificate is blacklisted in
-+ * a trust PKCS #11 module.
-+ *
-+ * This function can be used with a @url of "pkcs11:", and in that case all modules
-+ * will be searched. To restrict the modules to the marked as trusted in p11-kit
-+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
-+ *
-+ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
-+ * specific to p11-kit trust modules.
-+ *
-+ * Returns: If the certificate exists non-zero is returned, otherwise zero.
-+ *
-+ * Since: 3.3.0
-+ **/
-+unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-+				 unsigned int flags)
-+{
-+	return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL);
-+}
-+
- /**
-  * gnutls_pkcs11_obj_get_flags:
-  * @obj: The pkcs11 object
-diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
-index 9d8880709..86cce0dee 100644
---- a/lib/pkcs11_int.h
-+++ b/lib/pkcs11_int.h
-@@ -460,6 +460,11 @@ inline static bool is_pkcs11_url_object(const char *url)
- 	return 0;
- }
- 
-+unsigned
-+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
-+			    unsigned int flags,
-+			    gnutls_x509_crt_t *trusted_cert);
-+
- #endif				/* ENABLE_PKCS11 */
- 
- #endif /* GNUTLS_LIB_PKCS11_INT_H */
-diff --git a/lib/x509/verify.c b/lib/x509/verify.c
-index d20267019..fd7c6a164 100644
---- a/lib/x509/verify.c
-+++ b/lib/x509/verify.c
-@@ -34,6 +34,7 @@
- #include <tls-sig.h>
- #include <str.h>
- #include <datum.h>
-+#include <pkcs11_int.h>
- #include <x509_int.h>
- #include <common.h>
- #include <pk.h>
-@@ -1188,6 +1189,7 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
- 
- 	for (; i < clist_size; i++) {
- 		unsigned vflags;
-+		gnutls_x509_crt_t trusted_cert;
- 
- 		if (i == 0) /* in the end certificate do full comparison */
- 			vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
-@@ -1196,9 +1198,10 @@ _gnutls_pkcs11_verify_crt_status(const char* url,
- 			vflags = GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
- 				GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED;
- 
--		if (gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags) != 0) {
-+		if (_gnutls_pkcs11_crt_is_known (url, certificate_list[i], vflags, &trusted_cert) != 0) {
- 
--			status |= check_ca_sanity(certificate_list[i], now, flags);
-+			status |= check_ca_sanity(trusted_cert, now, flags);
-+			gnutls_x509_crt_deinit(trusted_cert);
- 
- 			if (func)
- 				func(certificate_list[i],
--- 
-2.26.2
-
-
-From cdf075e7f54cb77f046ef3e7c2147f159941faca Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Sun, 31 May 2020 13:59:53 +0200
-Subject: [PATCH 2/3] x509: trigger fallback verification path when cert is
- expired
-
-gnutls_x509_trust_list_verify_crt2 use the macro SIGNER_OLD_OR_UNKNOWN
-to trigger the fallback verification path if the signer of the last
-certificate is not in the trust store.  Previously, it doesn't take
-into account of the condition where the certificate is expired.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/x509/verify-high.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
-index b1421ef17..40638ad3a 100644
---- a/lib/x509/verify-high.c
-+++ b/lib/x509/verify-high.c
-@@ -1192,11 +1192,13 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
- 
- #define LAST_DN cert_list[cert_list_size-1]->raw_dn
- #define LAST_IDN cert_list[cert_list_size-1]->raw_issuer_dn
--/* This macro is introduced to detect a verification output
-- * which indicates an unknown signer, or a signer which uses
-- * an insecure algorithm (e.g., sha1), something that indicates
-- * a superseded signer */
--#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || (output & GNUTLS_CERT_INSECURE_ALGORITHM))
-+/* This macro is introduced to detect a verification output which
-+ * indicates an unknown signer, a signer which uses an insecure
-+ * algorithm (e.g., sha1), a signer has expired, or something that
-+ * indicates a superseded signer */
-+#define SIGNER_OLD_OR_UNKNOWN(output) ((output & GNUTLS_CERT_SIGNER_NOT_FOUND) || \
-+				       (output & GNUTLS_CERT_EXPIRED) || \
-+				       (output & GNUTLS_CERT_INSECURE_ALGORITHM))
- #define SIGNER_WAS_KNOWN(output) (!(output & GNUTLS_CERT_SIGNER_NOT_FOUND))
- 
- /**
--- 
-2.26.2
-
-
-From 9067bcbee8ff18badff1e829d22e63590dbd7a5c Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Sun, 31 May 2020 14:28:48 +0200
-Subject: [PATCH 3/3] tests: add test case for certificate chain superseding
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- tests/test-chains.h | 97 +++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 97 insertions(+)
-
-diff --git a/tests/test-chains.h b/tests/test-chains.h
-index dd19e6a81..9b06b85f5 100644
---- a/tests/test-chains.h
-+++ b/tests/test-chains.h
-@@ -4010,6 +4010,102 @@ static const char *ed448[] = {
- 	NULL
- };
- 
-+/* This contains an expired intermediate CA, which should be superseded. */
-+static const char *superseding[] = {
-+	"-----BEGIN CERTIFICATE-----"
-+	"MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL"
-+	"BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw"
-+	"MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu"
-+	"dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI"
-+	"hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9"
-+	"yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa"
-+	"w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B"
-+	"TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz"
-+	"fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB"
-+	"oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw"
-+	"DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l"
-+	"BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq"
-+	"Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw"
-+	"DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I"
-+	"DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99"
-+	"/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR"
-+	"CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb"
-+	"KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E"
-+	"fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l"
-+	"X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU="
-+	"-----END CERTIFICATE-----",
-+	"-----BEGIN CERTIFICATE-----"
-+	"MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL"
-+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN"
-+	"MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh"
-+	"dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K"
-+	"sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W"
-+	"yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc"
-+	"lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7"
-+	"oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy"
-+	"rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+"
-+	"G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh"
-+	"KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE"
-+	"ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj"
-+	"bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF"
-+	"Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc"
-+	"mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs"
-+	"I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv"
-+	"5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9"
-+	"COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1"
-+	"5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH"
-+	"iJwOKIk="
-+	"-----END CERTIFICATE-----",
-+	NULL
-+};
-+
-+static const char *superseding_ca[] = {
-+	"-----BEGIN CERTIFICATE-----"
-+	"MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL"
-+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP"
-+	"OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk"
-+	"aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/"
-+	"HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8"
-+	"vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI"
-+	"hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl"
-+	"WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp"
-+	"kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl"
-+	"zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2"
-+	"N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD"
-+	"BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe"
-+	"dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW"
-+	"aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA"
-+	"ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7"
-+	"9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE"
-+	"Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP"
-+	"SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi"
-+	"hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9"
-+	"izchzb9eow=="
-+	"-----END CERTIFICATE-----",
-+	"-----BEGIN CERTIFICATE-----"
-+	"MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL"
-+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP"
-+	"OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN"
-+	"BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C"
-+	"qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ"
-+	"U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8"
-+	"vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW"
-+	"PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG"
-+	"VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7"
-+	"FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB"
-+	"o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE"
-+	"FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy"
-+	"FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4"
-+	"Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S"
-+	"WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8"
-+	"w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw"
-+	"IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2"
-+	"p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt"
-+	"eh1COrLsOJo+"
-+	"-----END CERTIFICATE-----",
-+	NULL
-+};
-+
- #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
- #  pragma GCC diagnostic push
- #  pragma GCC diagnostic ignored "-Wunused-variable"
-@@ -4178,6 +4274,7 @@ static struct
-     GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1},
-   { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
-     0, NULL, 1584352960, 1},
-+  { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 },
-   { NULL, NULL, NULL, 0, 0}
- };
- 
--- 
-2.26.2
-

gnutls.spec

@@ -1,12 +1,8 @@
 # This spec file has been automatically updated
-Version:	3.6.13
-Release: 6%{?dist}
+Version:	3.6.14
+Release: 1%{?dist}
 Patch1:	gnutls-3.6.7-no-now-guile.patch
 Patch2:	gnutls-3.2.7-rpath.patch
-Patch3:	gnutls-3.6.13-bump-linked-libs-soname-f33.patch
-Patch4:	gnutls-3.6.13-nettle-disable-RSA-blinding-in-FIPS-selftests.patch
-Patch5:	gnutls-3.6.13-cli-wait-resumption.patch
-Patch6:	gnutls-3.6.13-superseding-chain.patch
 %bcond_without dane
 %if 0%{?rhel}
 %bcond_with guile
@@ -51,7 +47,7 @@ BuildRequires: guile22-devel
 URL: http://www.gnutls.org/
 Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
 Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
-Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
 
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
@@ -147,7 +143,6 @@ This package contains Guile bindings for the library.
 gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
 
 %autosetup -p1
-autoreconf
 
 sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
 rm -f lib/minitasn1/*.c lib/minitasn1/*.h

sources

@@ -1,2 +1,3 @@
-SHA512 (gnutls-3.6.13.tar.xz.sig) = 130d6ee78da87087de0070a5a5ecb62dd0a2919c838796b3e4273d74b10c4c537b72e017f55b69df69ee7cc11257ebe392e3bd0ff25b35484ed78bb9bf9d3856
-SHA512 (gnutls-3.6.13.tar.xz) = 23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c
+SHA512 (gnutls-3.6.14.tar.xz) = b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604
+SHA512 (gnutls-3.6.14.tar.xz.sig) = 88e31d484ab2e2e9a6a080d1bb0e2219aa0ec85af9ea4abe8292bc8ae2d6784273414227142a2ebe0142b907a5ac6aa4d407388357f13d96b96eca8f8c61103a
+SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173