import gnutls-3.7.3-9.el9

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/gnutls-3.7.3.tar.xz
+SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg

.gnutls.metadata

@@ -0,0 +1,2 @@
+552c337be97d2379ae7233ebf55e949010ef7837 SOURCES/gnutls-3.7.3.tar.xz
+648ec46f9539fe756fb90131b85ae4759ed2ed21 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg

SOURCES/gnutls-3.2.7-rpath.patch

@@ -0,0 +1,12 @@
+diff -ur gnutls-3.2.7.orig/configure gnutls-3.2.7/configure
+--- gnutls-3.2.7.orig/configure	2013-11-23 11:09:49.000000000 +0100
++++ gnutls-3.2.7/configure	2013-11-25 16:53:05.559440656 +0100
+@@ -39652,7 +39652,7 @@
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+ 

SOURCES/gnutls-3.6.7-no-now-guile.patch

@@ -0,0 +1,11 @@
+--- a/guile/src/Makefile.in	2019-03-27 11:51:55.984398001 +0100
++++ b/guile/src/Makefile.in	2019-03-27 11:52:27.259626076 +0100
+@@ -1472,7 +1472,7 @@
+ # Use '-module' to build a "dlopenable module", in Libtool terms.
+ # Use '-undefined' to placate Libtool on Windows; see
+ # <https://lists.gnutls.org/pipermail/gnutls-devel/2014-December/007294.html>.
+-guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined
++guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined -Wl,-z,lazy
+ 
+ # Linking against GnuTLS.
+ GNUTLS_CORE_LIBS = $(top_builddir)/lib/libgnutls.la

SOURCES/gnutls-3.7.2-no-explicit-init.patch

@@ -0,0 +1,32 @@
+From 36a92d984020df16296784a7ad613c9693469d23 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Tue, 21 Dec 2021 16:28:09 +0100
+Subject: [PATCH 1/2] Remove GNUTLS_NO_EXPLICIT_INIT compatibility
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ lib/global.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/lib/global.c b/lib/global.c
+index 3731418..1384045 100644
+--- a/lib/global.c
++++ b/lib/global.c
+@@ -500,14 +500,6 @@ static void _CONSTRUCTOR lib_init(void)
+ 			return;
+ 	}
+ 
+-	e = secure_getenv("GNUTLS_NO_EXPLICIT_INIT");
+-	if (e != NULL) {
+-		_gnutls_debug_log("GNUTLS_NO_EXPLICIT_INIT is deprecated; use GNUTLS_NO_IMPLICIT_INIT\n");
+-		ret = atoi(e);
+-		if (ret == 1)
+-			return;
+-	}
+-
+ 	ret = _gnutls_global_init(1);
+ 	if (ret < 0) {
+ 		fprintf(stderr, "Error in GnuTLS initialization: %s\n", gnutls_strerror(ret));
+-- 
+2.31.1
+

SOURCES/gnutls-3.7.3-disable-config-reload.patch

@@ -0,0 +1,26 @@
+diff --git a/lib/priority.c b/lib/priority.c
+index 9feec47fe2..40511710fd 100644
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -2001,13 +2001,14 @@ char *_gnutls_resolve_priorities(const char* priorities)
+ 		additional++;
+ 	}
+ 
+-	/* Always try to refresh the cached data, to allow it to be
+-	 * updated without restarting all applications.
+-	 */
+-	ret = _gnutls_update_system_priorities(false /* defer_system_wide */);
+-	if (ret < 0) {
+-		_gnutls_debug_log("failed to update system priorities: %s\n",
+-				  gnutls_strerror(ret));
++	/* If priority string is not constructed yet, construct and finalize */
++	if (!system_wide_config.priority_string) {
++		ret = _gnutls_update_system_priorities(false
++		                                       /* defer_system_wide */);
++		if (ret < 0) {
++			_gnutls_debug_log("failed to update system priorities: "
++			                  " %s\n", gnutls_strerror(ret));
++		}
+ 	}
+ 
+ 	do {

SOURCES/gnutls-3.7.3-fips-pkcs12.patch

@@ -0,0 +1,471 @@
+From 7d8d8feb502ddb20a0d115fa3f63403c849a7168 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 10 Feb 2022 16:43:08 +0100
+Subject: [PATCH 1/2] pkcs12: mark MAC generation and verification as FIPS
+ non-approved
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/x509/pkcs12.c     | 39 +++++++++++++++++++++++++---
+ tests/pkcs12_encode.c | 59 +++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 94 insertions(+), 4 deletions(-)
+
+diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
+index a8f7d8f956..11b9da3ac9 100644
+--- a/lib/x509/pkcs12.c
++++ b/lib/x509/pkcs12.c
+@@ -286,13 +286,26 @@ gnutls_pkcs12_export(gnutls_pkcs12_t pkcs12,
+ 		     gnutls_x509_crt_fmt_t format, void *output_data,
+ 		     size_t * output_data_size)
+ {
++	int ret;
++
+ 	if (pkcs12 == NULL) {
+ 		gnutls_assert();
+ 		return GNUTLS_E_INVALID_REQUEST;
+ 	}
+ 
+-	return _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12,
+-				       output_data, output_data_size);
++	ret = _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12,
++				      output_data, output_data_size);
++
++	if (ret < 0) {
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++	} else {
++		/* PKCS#12 export is always non-approved, because the MAC
++		 * calculation involves non-approved KDF (PKCS#12 KDF) and
++		 * without MAC the protection is insufficient.
++		 */
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
++	}
++	return ret;
+ }
+ 
+ /**
+@@ -317,13 +330,25 @@ int
+ gnutls_pkcs12_export2(gnutls_pkcs12_t pkcs12,
+ 		      gnutls_x509_crt_fmt_t format, gnutls_datum_t * out)
+ {
++	int ret;
++
+ 	if (pkcs12 == NULL) {
+ 		gnutls_assert();
+ 		return GNUTLS_E_INVALID_REQUEST;
+ 	}
+ 
+-	return _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12,
+-					out);
++	ret = _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12,
++				       out);
++	if (ret < 0) {
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++	} else {
++		/* PKCS#12 export is always non-approved, because the MAC
++		 * calculation involves non-approved KDF (PKCS#12 KDF) and
++		 * without MAC the protection is insufficient.
++		 */
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
++	}
++	return ret;
+ }
+ 
+ static int oid2bag(const char *oid)
+@@ -1025,9 +1050,12 @@ int gnutls_pkcs12_generate_mac2(gnutls_pkcs12_t pkcs12, gnutls_mac_algorithm_t m
+ 		goto cleanup;
+ 	}
+ 
++	/* _gnutls_pkcs12_string_to_key is not a FIPS approved operation */
++	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
+ 	return 0;
+ 
+       cleanup:
++	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+ 	_gnutls_free_datum(&tmp);
+ 	return result;
+ }
+@@ -1203,8 +1231,11 @@ pkcs12_try_gost:
+ 		goto cleanup;
+ 	}
+ 
++	/* _gnutls_pkcs12_string_to_key is not a FIPS approved operation */
++	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
+ 	result = 0;
+  cleanup:
++	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+ 	_gnutls_free_datum(&tmp);
+ 	_gnutls_free_datum(&salt);
+ 	return result;
+diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
+index 3b0e84ef13..b8f7d17267 100644
+--- a/tests/pkcs12_encode.c
++++ b/tests/pkcs12_encode.c
+@@ -70,6 +70,29 @@ static void tls_log_func(int level, const char *str)
+ 	fprintf(stderr, "|<%d>| %s", level, str);
+ }
+ 
++#define FIPS_PUSH_CONTEXT() do {					\
++	if (gnutls_fips140_mode_enabled()) {				\
++		ret = gnutls_fips140_push_context(fips_context);	\
++		if (ret < 0) {						\
++			fail("gnutls_fips140_push_context failed\n");	\
++		}							\
++	}								\
++} while (0)
++
++#define FIPS_POP_CONTEXT(state) do {					\
++	if (gnutls_fips140_mode_enabled()) {				\
++		ret = gnutls_fips140_pop_context();			\
++		if (ret < 0) {						\
++			fail("gnutls_fips140_context_pop failed\n");	\
++		}							\
++		fips_state = gnutls_fips140_get_operation_state(fips_context); \
++		if (fips_state != GNUTLS_FIPS140_OP_ ## state) {	\
++			fail("operation state is not " # state " (%d)\n", \
++			     fips_state);				\
++		}							\
++	}								\
++} while (0)
++
+ void doit(void)
+ {
+ 	gnutls_pkcs12_t pkcs12;
+@@ -82,6 +105,8 @@ void doit(void)
+ 	char outbuf[10240];
+ 	size_t size;
+ 	unsigned tests, i;
++	gnutls_fips140_context_t fips_context;
++	gnutls_fips140_operation_state_t fips_state;
+ 
+ 	ret = global_init();
+ 	if (ret < 0) {
+@@ -93,6 +118,11 @@ void doit(void)
+ 	if (debug)
+ 		gnutls_global_set_log_level(4711);
+ 
++	ret = gnutls_fips140_context_init(&fips_context);
++	if (ret < 0) {
++		fail("Cannot initialize FIPS context\n");
++	}
++
+ 	/* Read certs. */
+ 	ret = gnutls_x509_crt_init(&client);
+ 	if (ret < 0) {
+@@ -196,6 +226,8 @@ void doit(void)
+ 		gnutls_pkcs12_bag_deinit(bag);
+ 	}
+ 
++	FIPS_PUSH_CONTEXT();
++
+ 	/* MAC the structure, export and print. */
+ 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA1, "pass");
+ 	if (ret < 0) {
+@@ -203,36 +235,60 @@ void doit(void)
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	FIPS_PUSH_CONTEXT();
++
+ 	ret = gnutls_pkcs12_verify_mac(pkcs12, "pass");
+ 	if (ret < 0) {
+ 		fprintf(stderr, "verify_mac: %s (%d)\n", gnutls_strerror(ret), ret);
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	FIPS_PUSH_CONTEXT();
++
+ 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA256, "passwd");
+ 	if (ret < 0) {
+ 		fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	FIPS_PUSH_CONTEXT();
++
+ 	ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd");
+ 	if (ret < 0) {
+ 		fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	FIPS_PUSH_CONTEXT();
++
+ 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA512, "passwd1");
+ 	if (ret < 0) {
+ 		fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	FIPS_PUSH_CONTEXT();
++
+ 	ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd1");
+ 	if (ret < 0) {
+ 		fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	FIPS_PUSH_CONTEXT();
++
+ 	size = sizeof(outbuf);
+ 	ret =
+ 	    gnutls_pkcs12_export(pkcs12, GNUTLS_X509_FMT_PEM, outbuf,
+@@ -242,10 +298,13 @@ void doit(void)
+ 		exit(1);
+ 	}
+ 
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
+ 	if (debug)
+ 		fwrite(outbuf, size, 1, stdout);
+ 
+ 	/* Cleanup. */
++	gnutls_fips140_context_deinit(fips_context);
+ 	gnutls_pkcs12_deinit(pkcs12);
+ 	gnutls_x509_crt_deinit(client);
+ 	gnutls_x509_crt_deinit(ca);
+-- 
+2.34.1
+
+
+From e7f9267342bc2231149a640163c82b63c86f1dfd Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 10 Feb 2022 17:35:13 +0100
+Subject: [PATCH 2/2] _gnutls_pkcs_raw_{decrypt,encrypt}_data: use public
+ crypto API
+
+These functions previously used the internal crypto
+API (_gnutls_cipher_*) which does not have algorithm checks for FIPS.
+
+This change switches the code to use the public crypto
+API (gnutls_cipher_*) to trigger proper state transitions under FIPS
+mode.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/x509/pkcs7-crypt.c | 36 +++++++++++-----------------
+ tests/pkcs12_encode.c  | 54 +++++++++++++++++++++++++++---------------
+ 2 files changed, 49 insertions(+), 41 deletions(-)
+
+diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
+index 4cce52ecf0..2dc5bc4df0 100644
+--- a/lib/x509/pkcs7-crypt.c
++++ b/lib/x509/pkcs7-crypt.c
+@@ -1130,8 +1130,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
+ 	gnutls_datum_t enc = { NULL, 0 };
+ 	uint8_t *key = NULL;
+ 	gnutls_datum_t dkey, d_iv;
+-	cipher_hd_st ch;
+-	int ch_init = 0;
++	gnutls_cipher_hd_t ch = NULL;
+ 	int key_size, ret;
+ 	unsigned int pass_len = 0;
+ 	const struct pkcs_cipher_schema_st *p;
+@@ -1237,8 +1236,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
+ 	d_iv.data = (uint8_t *) enc_params->iv;
+ 	d_iv.size = enc_params->iv_size;
+ 
+-	ret =
+-	    _gnutls_cipher_init(&ch, ce, &dkey, &d_iv, 0);
++	ret = gnutls_cipher_init(&ch, ce->id, &dkey, &d_iv);
+ 
+ 	gnutls_free(key);
+ 
+@@ -1247,9 +1245,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
+ 		goto error;
+ 	}
+ 
+-	ch_init = 1;
+-
+-	ret = _gnutls_cipher_decrypt(&ch, enc.data, enc.size);
++	ret = gnutls_cipher_decrypt(ch, enc.data, enc.size);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+ 		ret = GNUTLS_E_DECRYPTION_FAILED;
+@@ -1281,7 +1277,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
+ 		decrypted_data->size = enc.size;
+ 	}
+ 
+-	_gnutls_cipher_deinit(&ch);
++	gnutls_cipher_deinit(ch);
+ 
+ 	ret = 0;
+ 
+@@ -1294,8 +1290,9 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
+ 	gnutls_free(password);
+ 	gnutls_free(enc.data);
+ 	gnutls_free(key);
+-	if (ch_init != 0)
+-		_gnutls_cipher_deinit(&ch);
++	if (ch) {
++		gnutls_cipher_deinit(ch);
++	}
+ 	return ret;
+ }
+ 
+@@ -1725,8 +1722,7 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
+ 	int data_size;
+ 	uint8_t *data = NULL;
+ 	gnutls_datum_t d_iv;
+-	cipher_hd_st ch;
+-	int ch_init = 0;
++	gnutls_cipher_hd_t ch = NULL;
+ 	uint8_t pad, pad_size;
+ 	const cipher_entry_st *ce;
+ 
+@@ -1756,18 +1752,13 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
+ 
+ 	d_iv.data = (uint8_t *) enc_params->iv;
+ 	d_iv.size = enc_params->iv_size;
+-	result =
+-	    _gnutls_cipher_init(&ch, cipher_to_entry(enc_params->cipher),
+-				key, &d_iv, 1);
+-
++	result = gnutls_cipher_init(&ch, enc_params->cipher, key, &d_iv);
+ 	if (result < 0) {
+ 		gnutls_assert();
+ 		goto error;
+ 	}
+ 
+-	ch_init = 1;
+-
+-	result = _gnutls_cipher_encrypt(&ch, data, data_size);
++	result = gnutls_cipher_encrypt(ch, data, data_size);
+ 	if (result < 0) {
+ 		gnutls_assert();
+ 		goto error;
+@@ -1776,13 +1767,14 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
+ 	encrypted->data = data;
+ 	encrypted->size = data_size;
+ 
+-	_gnutls_cipher_deinit(&ch);
++	gnutls_cipher_deinit(ch);
+ 
+ 	return 0;
+ 
+  error:
+ 	gnutls_free(data);
+-	if (ch_init != 0)
+-		_gnutls_cipher_deinit(&ch);
++	if (ch) {
++		gnutls_cipher_deinit(ch);
++	}
+ 	return result;
+ }
+diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
+index b8f7d17267..78f6f41b48 100644
+--- a/tests/pkcs12_encode.c
++++ b/tests/pkcs12_encode.c
+@@ -104,9 +104,17 @@ void doit(void)
+ 	int ret, indx;
+ 	char outbuf[10240];
+ 	size_t size;
+-	unsigned tests, i;
++	unsigned i;
+ 	gnutls_fips140_context_t fips_context;
+ 	gnutls_fips140_operation_state_t fips_state;
++	size_t n_tests = 0;
++	struct tests {
++		const char *name;
++		gnutls_x509_crt_t crt;
++		const char *friendly_name;
++		unsigned bag_encrypt_flags;
++		int bag_encrypt_expected;
++	} tests[2];
+ 
+ 	ret = global_init();
+ 	if (ret < 0) {
+@@ -157,21 +165,34 @@ void doit(void)
+ 		exit(1);
+ 	}
+ 
+-	/* Generate and add PKCS#12 cert bags. */
+-	if (!gnutls_fips140_mode_enabled()) {
+-		tests = 2; /* include RC2 */
++	tests[n_tests].name = "3DES";
++	tests[n_tests].crt = client;
++	tests[n_tests].friendly_name = "client";
++	tests[n_tests].bag_encrypt_flags = GNUTLS_PKCS8_USE_PKCS12_3DES;
++	tests[n_tests].bag_encrypt_expected = 0;
++	n_tests++;
++
++	tests[n_tests].name = "RC2-40";
++	tests[n_tests].crt = ca;
++	tests[n_tests].friendly_name = "ca";
++	tests[n_tests].bag_encrypt_flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
++	if (gnutls_fips140_mode_enabled()) {
++		tests[n_tests].bag_encrypt_expected =
++			GNUTLS_E_UNWANTED_ALGORITHM;
+ 	} else {
+-		tests = 1;
++		tests[n_tests].bag_encrypt_expected = 0;
+ 	}
++	n_tests++;
+ 
+-	for (i = 0; i < tests; i++) {
++	/* Generate and add PKCS#12 cert bags. */
++	for (i = 0; i < n_tests; i++) {
+ 		ret = gnutls_pkcs12_bag_init(&bag);
+ 		if (ret < 0) {
+ 			fprintf(stderr, "bag_init: %s (%d)\n", gnutls_strerror(ret), ret);
+ 			exit(1);
+ 		}
+ 
+-		ret = gnutls_pkcs12_bag_set_crt(bag, i == 0 ? client : ca);
++		ret = gnutls_pkcs12_bag_set_crt(bag, tests[i].crt);
+ 		if (ret < 0) {
+ 			fprintf(stderr, "set_crt: %s (%d)\n", gnutls_strerror(ret), ret);
+ 			exit(1);
+@@ -180,16 +201,14 @@ void doit(void)
+ 		indx = ret;
+ 
+ 		ret = gnutls_pkcs12_bag_set_friendly_name(bag, indx,
+-							  i ==
+-							  0 ? "client" :
+-							  "ca");
++							  tests[i].friendly_name);
+ 		if (ret < 0) {
+ 			fprintf(stderr, "set_friendly_name: %s (%d)\n", gnutls_strerror(ret), ret);
+ 			exit(1);
+ 		}
+ 
+ 		size = sizeof(key_id_buf);
+-		ret = gnutls_x509_crt_get_key_id(i == 0 ? client : ca, 0,
++		ret = gnutls_x509_crt_get_key_id(tests[i].crt, 0,
+ 						 key_id_buf, &size);
+ 		if (ret < 0) {
+ 			fprintf(stderr, "get_key_id: %s (%d)\n", gnutls_strerror(ret), ret);
+@@ -206,14 +225,11 @@ void doit(void)
+ 		}
+ 
+ 		ret = gnutls_pkcs12_bag_encrypt(bag, "pass",
+-						i ==
+-						0 ?
+-						GNUTLS_PKCS8_USE_PKCS12_3DES
+-						:
+-						GNUTLS_PKCS_USE_PKCS12_RC2_40);
+-		if (ret < 0) {
+-			fprintf(stderr, "bag_encrypt: %d: %s", ret,
+-				i == 0 ? "3DES" : "RC2-40");
++						tests[i].bag_encrypt_flags);
++		if (ret != tests[i].bag_encrypt_expected) {
++			fprintf(stderr, "bag_encrypt: returned %d, expected %d: %s", ret,
++				tests[i].bag_encrypt_expected,
++				tests[i].name);
+ 			exit(1);
+ 		}
+ 
+-- 
+2.34.1
+

SOURCES/gnutls-3.7.3-fips-rsa-keygen.patch

@@ -0,0 +1,182 @@
+From 9f5a60c1fe576f82bcd5c7998b2ca2b0d60e8e4f Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 27 Jan 2022 18:17:43 +0100
+Subject: [PATCH 1/2] rsa_generate_fips186_4_keypair: accept a few more modulus
+ sizes
+
+While _rsa_generate_fips186_4_keypair was modified to accept modulus
+sizes other than 2048 and 3076, rsa_generate_fips186_4_keypair, which
+calls that function, was not updated to accept such modulus sizes.
+
+Spotted by Alexander Sosedkin.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/int/rsa-keygen-fips186.c | 67 ++++++++++++++++-------------
+ 1 file changed, 36 insertions(+), 31 deletions(-)
+
+diff --git a/lib/nettle/int/rsa-keygen-fips186.c b/lib/nettle/int/rsa-keygen-fips186.c
+index 5b221a030a..c6f7e675af 100644
+--- a/lib/nettle/int/rsa-keygen-fips186.c
++++ b/lib/nettle/int/rsa-keygen-fips186.c
+@@ -27,6 +27,7 @@
+ #include "config.h"
+ #endif
+ 
++#include <assert.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -248,6 +249,33 @@ cleanup:
+ 	return ret;
+ }
+ 
++/* Return the pre-defined seed length for modulus size, or 0 when the
++ * modulus size is unsupported.
++ */
++static inline unsigned
++seed_length_for_modulus_size(unsigned modulus_size)
++{
++	switch (modulus_size) {
++	case 2048:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
++		return 14 * 2;
++	case 3072:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
++		return 16 * 2;
++	case 4096:      /* SP 800-56B rev 2 Appendix D */
++		return 19 * 2;
++	case 6144:      /* SP 800-56B rev 2 Appendix D */
++		return 22 * 2;
++	case 7680:      /* FIPS 140-2 IG 7.5 */
++		return 24 * 2;
++	case 8192:      /* SP 800-56B rev 2 Appendix D */
++		return 25 * 2;
++	case 15360:     /* FIPS 140-2 IG 7.5 */
++		return 32 * 2;
++	default:
++		return 0;
++	}
++
++}
++
+ /* This generates p,q params using the B.3.2.2 algorithm in FIPS 186-4.
+  * 
+  * The hash function used is SHA384.
+@@ -266,33 +294,15 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
+ 	int ret;
+ 	struct dss_params_validation_seeds cert;
+ 	unsigned l = n_size / 2;
++	unsigned s = seed_length_for_modulus_size(n_size);
+ 
+-	switch (n_size) {
+-	case 2048:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
+-		FIPS_RULE(seed_length != 14 * 2, 0, "seed length other than 28 bytes\n");
+-		break;
+-	case 3072:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
+-		FIPS_RULE(seed_length != 16 * 2, 0, "seed length other than 32 bytes\n");
+-		break;
+-	case 4096:      /* SP 800-56B rev 2 Appendix D */
+-		FIPS_RULE(seed_length != 19 * 2, 0, "seed length other than 38 bytes\n");
+-		break;
+-	case 6144:      /* SP 800-56B rev 2 Appendix D */
+-		FIPS_RULE(seed_length != 22 * 2, 0, "seed length other than 44 bytes\n");
+-		break;
+-	case 7680:      /* FIPS 140-2 IG 7.5 */
+-		FIPS_RULE(seed_length != 24 * 2, 0, "seed length other than 48 bytes\n");
+-		break;
+-	case 8192:      /* SP 800-56B rev 2 Appendix D */
+-		FIPS_RULE(seed_length != 25 * 2, 0, "seed length other than 50 bytes\n");
+-		break;
+-	case 15360:     /* FIPS 140-2 IG 7.5 */
+-		FIPS_RULE(seed_length != 32 * 2, 0, "seed length other than 64 bytes\n");
+-		break;
+-	default:
++	if (!s) {
+ 		FIPS_RULE(false, 0, "unsupported modulus size\n");
+ 	}
+ 
++	FIPS_RULE(seed_length != s, 0,
++		  "seed length other than %u bytes\n", s);
++
+ 	if (!mpz_tstbit(pub->e, 0)) {
+ 		_gnutls_debug_log("Unacceptable e (it is even)\n");
+ 		return 0;
+@@ -405,10 +415,6 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
+ 	return ret;
+ }
+ 
+-/* Not entirely accurate but a good precision
+- */
+-#define SEED_LENGTH(bits) (_gnutls_pk_bits_to_subgroup_bits(bits)/8)
+-
+ /* This generates p,q params using the B.3.2.2 algorithm in FIPS 186-4.
+  * 
+  * The hash function used is SHA384.
+@@ -429,11 +435,10 @@ rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
+ 	unsigned seed_length;
+ 	int ret;
+ 
+-	FIPS_RULE(n_size != 2048 && n_size != 3072, 0, "size of prime of other than 2048 or 3072\n");
++	seed_length = seed_length_for_modulus_size(n_size);
++	FIPS_RULE(!seed_length, 0, "unsupported modulus size\n");
+ 
+-	seed_length = SEED_LENGTH(n_size);
+-	if (seed_length > sizeof(seed))
+-		return 0;
++	assert(seed_length <= sizeof(seed));
+ 
+ 	random(random_ctx, seed_length, seed);
+ 
+-- 
+2.34.1
+
+
+From 46ae6160489151034bca19aa6c40ba0df6b53bcc Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 1 Feb 2022 15:19:52 +0100
+Subject: [PATCH 2/2] certtool --generate-privkey: update warnings on RSA key
+ sizes
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ src/certtool.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/certtool.c b/src/certtool.c
+index c128500614..71d4aff13e 100644
+--- a/src/certtool.c
++++ b/src/certtool.c
+@@ -206,8 +206,12 @@ generate_private_key_int(common_info_st * cinfo)
+ 			"Note that DSA keys with size over 1024 may cause incompatibility problems when used with earlier than TLS 1.2 versions.\n\n");
+ 
+ 	if ((HAVE_OPT(SEED) || provable) && GNUTLS_PK_IS_RSA(key_type)) {
+-		if (bits != 2048 && bits != 3072) {
+-			fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to 2048 and 3072 bits\n");
++		/* Keep in sync with seed_length_for_modulus_size in
++		 * lib/nettle/int/rsa-keygen-fips186.c. */
++		if (bits != 2048 && bits != 3072 && bits != 4096 &&
++		    bits != 6144 && bits != 7680 && bits != 8192 &&
++		    bits != 15360) {
++			fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to be of known lengths (2048, 3072, etc)\n");
+ 		}
+ 	}
+ 
+@@ -225,7 +229,15 @@ generate_private_key_int(common_info_st * cinfo)
+ 		kdata[kdata_size++].size = cinfo->seed_size;
+ 
+ 		if (GNUTLS_PK_IS_RSA(key_type)) {
+-			if ((bits == 3072 && cinfo->seed_size != 32) || (bits == 2048 && cinfo->seed_size != 28)) {
++			/* Keep in sync with seed_length_for_modulus_size in
++			 * lib/nettle/int/rsa-keygen-fips186.c. */
++			if ((bits == 2048 && cinfo->seed_size != 28) ||
++			    (bits == 3072 && cinfo->seed_size != 32) ||
++			    (bits == 4096 && cinfo->seed_size != 38) ||
++			    (bits == 6144 && cinfo->seed_size != 44) ||
++			    (bits == 7680 && cinfo->seed_size != 48) ||
++			    (bits == 8192 && cinfo->seed_size != 50) ||
++			    (bits == 15360 && cinfo->seed_size != 64)) {
+ 				fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)cinfo->seed_size);
+ 			}
+ 		} else if (key_type == GNUTLS_PK_DSA) {
+-- 
+2.34.1
+

SOURCES/gnutls-3.7.3-fix-tests-in-fips.patch

@@ -0,0 +1,70 @@
+From 2c33761787f6530cf3984310a5f3b7dd05a7b375 Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Thu, 17 Feb 2022 11:46:29 +0100
+Subject: [PATCH] Disable some tests in fips mode
+
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+---
+ tests/pkcs11/pkcs11-eddsa-privkey-test.c | 5 +++++
+ tests/pkcs11/tls-neg-pkcs11-key.c        | 8 +++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/tests/pkcs11/pkcs11-eddsa-privkey-test.c b/tests/pkcs11/pkcs11-eddsa-privkey-test.c
+index 44515da3f..ebbfe5278 100644
+--- a/tests/pkcs11/pkcs11-eddsa-privkey-test.c
++++ b/tests/pkcs11/pkcs11-eddsa-privkey-test.c
+@@ -107,6 +107,11 @@ void doit(void)
+ 		fail("%d: %s\n", ret, gnutls_strerror(ret));
+ 	}
+ 
++	if (gnutls_fips140_mode_enabled()) {
++		gnutls_global_deinit();
++		return;
++	}
++
+ 	gnutls_pkcs11_set_pin_function(pin_func, NULL);
+ 	gnutls_global_set_log_function(tls_log_func);
+ 	if (debug)
+diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
+index fc7c3dc4e..5cc1ae6e2 100644
+--- a/tests/pkcs11/tls-neg-pkcs11-key.c
++++ b/tests/pkcs11/tls-neg-pkcs11-key.c
+@@ -268,6 +268,7 @@ typedef struct test_st {
+ 	int exp_serv_err;
+ 	int needs_eddsa;
+ 	int needs_decryption;
++	int nofips;
+ 	unsigned requires_pkcs11_pss;
+ } test_st;
+ 
+@@ -340,6 +341,7 @@ static const test_st tests[] = {
+ 	 .cert = &server_ca3_eddsa_cert,
+ 	 .key = &server_ca3_eddsa_key,
+ 	 .exp_kx = GNUTLS_KX_ECDHE_RSA,
++	 .nofips = 1
+ 	},
+ 	{.name = "tls1.3: ecc key",
+ 	 .pk = GNUTLS_PK_ECDSA,
+@@ -392,7 +394,8 @@ static const test_st tests[] = {
+ 	 .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
+ 	 .cert = &server_ca3_eddsa_cert,
+ 	 .key = &server_ca3_eddsa_key,
+-	 .exp_kx = GNUTLS_KX_ECDHE_RSA
++	 .exp_kx = GNUTLS_KX_ECDHE_RSA,
++	 .nofips = 1
+ 	}
+ };
+ 
+@@ -448,6 +451,9 @@ void doit(void)
+ 	have_eddsa = verify_eddsa_presence();
+ 
+ 	for (i=0;i<sizeof(tests)/sizeof(tests[0]);i++) {
++		if (tests[i].nofips && gnutls_fips140_mode_enabled())
++			continue;
++
+ 		if (tests[i].needs_eddsa && !have_eddsa)
+ 			continue;
+ 
+-- 
+2.35.1
+

SOURCES/gnutls-3.7.3-gost-ifdef.patch

@@ -0,0 +1,259 @@
+From 85a881cbca6f8e8578af7a026163ac3075ea267c Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 21 Feb 2022 16:28:49 +0100
+Subject: [PATCH] priority: compile out GOST algorithms IDs if they are
+ disabled
+
+When compiled with --disable-gost, gnutls-cli --priority NORMAL --list
+still prints GOST algorithms for ciphers, MACs, and signatures.  This
+change adds compile time checks to suppress them.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/priority.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/priority.c b/lib/priority.c
+index 54d7b1bb45..0c7ac65d7b 100644
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -309,7 +309,9 @@ static const int _kx_priority_secure[] = {
+ static const int* kx_priority_secure = _kx_priority_secure;
+ 
+ static const int _kx_priority_gost[] = {
++#ifdef ENABLE_GOST
+ 	GNUTLS_KX_VKO_GOST_12,
++#endif
+ 	0,
+ };
+ static const int* kx_priority_gost = _kx_priority_gost;
+@@ -507,9 +509,10 @@ static const int _sign_priority_secure192[] = {
+ static const int* sign_priority_secure192 = _sign_priority_secure192;
+ 
+ static const int _sign_priority_gost[] = {
++#ifdef ENABLE_GOST
+ 	GNUTLS_SIGN_GOST_256,
+ 	GNUTLS_SIGN_GOST_512,
+-
++#endif
+ 	0
+ };
+ static const int* sign_priority_gost = _sign_priority_gost;
+@@ -531,13 +534,17 @@ static const int *cipher_priority_normal = _cipher_priority_normal_default;
+ static const int *mac_priority_normal = mac_priority_normal_default;
+ 
+ static const int _cipher_priority_gost[] = {
++#ifdef ENABLE_GOST
+ 	GNUTLS_CIPHER_GOST28147_TC26Z_CNT,
++#endif
+ 	0
+ };
+ static const int *cipher_priority_gost = _cipher_priority_gost;
+ 
+ static const int _mac_priority_gost[] = {
++#ifdef ENABLE_GOST
+ 	GNUTLS_MAC_GOST28147_TC26Z_IMIT,
++#endif
+ 	0
+ };
+ static const int *mac_priority_gost = _mac_priority_gost;
+-- 
+2.34.1
+
+From f2bb30f68922d72f8bed29cc8b2a065087a0969f Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 22 Feb 2022 17:09:46 +0100
+Subject: [PATCH] algorithms: ensure _list() exclude non-existing algorithms
+
+This aligns the behavior of _list() function for sign/pk to the one
+for cipher/mac: the former previously returned all the algorithms
+defined, while the latter returns only algorithms compiled in.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/algorithms/publickey.c |  8 +++-
+ lib/algorithms/sign.c      |  4 +-
+ lib/crypto-backend.h       |  2 +
+ lib/nettle/pk.c            | 86 ++++++++++++++++++++++++++++++++++++++
+ lib/pk.h                   |  2 +
+ 5 files changed, 99 insertions(+), 3 deletions(-)
+
+diff --git a/lib/algorithms/publickey.c b/lib/algorithms/publickey.c
+index b4cd6b1df0..caf53972ab 100644
+--- a/lib/algorithms/publickey.c
++++ b/lib/algorithms/publickey.c
+@@ -24,6 +24,7 @@
+ #include <algorithms.h>
+ #include "errors.h"
+ #include <x509/common.h>
++#include "pk.h"
+ 
+ 
+ /* KX mappings to PK algorithms */
+@@ -203,8 +204,11 @@ const gnutls_pk_algorithm_t *gnutls_pk_list(void)
+ 		int i = 0;
+ 
+ 		GNUTLS_PK_LOOP(
+-			if (p->id != GNUTLS_PK_UNKNOWN && supported_pks[i > 0 ? (i - 1) : 0] != p->id)
+-				supported_pks[i++] = p->id
++			if (p->id != GNUTLS_PK_UNKNOWN &&
++			    supported_pks[i > 0 ? (i - 1) : 0] != p->id &&
++			    _gnutls_pk_exists(p->id)) {
++				supported_pks[i++] = p->id;
++			}
+ 		);
+ 		supported_pks[i++] = 0;
+ 	}
+diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c
+index 06abdb4cf8..4a5aaa75e1 100644
+--- a/lib/algorithms/sign.c
++++ b/lib/algorithms/sign.c
+@@ -27,6 +27,7 @@
+ #include <x509/common.h>
+ #include <assert.h>
+ #include "c-strcase.h"
++#include "pk.h"
+ 
+ /* signature algorithms;
+  */
+@@ -631,7 +632,8 @@ const gnutls_sign_algorithm_t *gnutls_sign_list(void)
+ 
+ 		GNUTLS_SIGN_LOOP(
+ 			/* list all algorithms, but not duplicates */
+-			if (supported_sign[i] != p->id) {
++			if (supported_sign[i] != p->id &&
++			    _gnutls_pk_sign_exists(p->id)) {
+ 				assert(i+1 < MAX_ALGOS);
+ 				supported_sign[i++] = p->id;
+ 				supported_sign[i+1] = 0;
+diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
+index 9874033221..f0f68c337e 100644
+--- a/lib/crypto-backend.h
++++ b/lib/crypto-backend.h
+@@ -418,6 +418,8 @@ typedef struct gnutls_crypto_pk {
+ 		       unsigned int flags);
+ 
+ 	int (*curve_exists) (gnutls_ecc_curve_t);	/* true/false */
++	int (*pk_exists) (gnutls_pk_algorithm_t);	/* true/false */
++	int (*sign_exists) (gnutls_sign_algorithm_t);	/* true/false */
+ } gnutls_crypto_pk_st;
+ 
+ /* priority: infinity for backend algorithms, 90 for kernel
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index a146568266..eba246f0b3 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -1883,6 +1883,90 @@ static int _wrap_nettle_pk_curve_exists(gnutls_ecc_curve_t curve)
+ 	}
+ }
+ 
++static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk)
++{
++	switch (pk) {
++	case GNUTLS_PK_RSA:
++	case GNUTLS_PK_DSA:
++	case GNUTLS_PK_DH:
++	case GNUTLS_PK_ECDSA:
++	case GNUTLS_PK_ECDH_X25519:
++	case GNUTLS_PK_RSA_PSS:
++	case GNUTLS_PK_EDDSA_ED25519:
++#if ENABLE_GOST
++	case GNUTLS_PK_GOST_01:
++	case GNUTLS_PK_GOST_12_256:
++	case GNUTLS_PK_GOST_12_512:
++#endif
++	case GNUTLS_PK_ECDH_X448:
++	case GNUTLS_PK_EDDSA_ED448:
++		return 1;
++	default:
++		return 0;
++	}
++}
++
++static int _wrap_nettle_pk_sign_exists(gnutls_sign_algorithm_t sign)
++{
++	switch (sign) {
++	case GNUTLS_SIGN_RSA_SHA1:
++	case GNUTLS_SIGN_DSA_SHA1:
++	case GNUTLS_SIGN_RSA_MD5:
++	case GNUTLS_SIGN_RSA_MD2:
++	case GNUTLS_SIGN_RSA_RMD160:
++	case GNUTLS_SIGN_RSA_SHA256:
++	case GNUTLS_SIGN_RSA_SHA384:
++	case GNUTLS_SIGN_RSA_SHA512:
++	case GNUTLS_SIGN_RSA_SHA224:
++	case GNUTLS_SIGN_DSA_SHA224:
++	case GNUTLS_SIGN_DSA_SHA256:
++	case GNUTLS_SIGN_ECDSA_SHA1:
++	case GNUTLS_SIGN_ECDSA_SHA224:
++	case GNUTLS_SIGN_ECDSA_SHA256:
++	case GNUTLS_SIGN_ECDSA_SHA384:
++	case GNUTLS_SIGN_ECDSA_SHA512:
++	case GNUTLS_SIGN_DSA_SHA384:
++	case GNUTLS_SIGN_DSA_SHA512:
++	case GNUTLS_SIGN_ECDSA_SHA3_224:
++	case GNUTLS_SIGN_ECDSA_SHA3_256:
++	case GNUTLS_SIGN_ECDSA_SHA3_384:
++	case GNUTLS_SIGN_ECDSA_SHA3_512:
++
++	case GNUTLS_SIGN_DSA_SHA3_224:
++	case GNUTLS_SIGN_DSA_SHA3_256:
++	case GNUTLS_SIGN_DSA_SHA3_384:
++	case GNUTLS_SIGN_DSA_SHA3_512:
++	case GNUTLS_SIGN_RSA_SHA3_224:
++	case GNUTLS_SIGN_RSA_SHA3_256:
++	case GNUTLS_SIGN_RSA_SHA3_384:
++	case GNUTLS_SIGN_RSA_SHA3_512:
++
++	case GNUTLS_SIGN_RSA_PSS_SHA256:
++	case GNUTLS_SIGN_RSA_PSS_SHA384:
++	case GNUTLS_SIGN_RSA_PSS_SHA512:
++	case GNUTLS_SIGN_EDDSA_ED25519:
++	case GNUTLS_SIGN_RSA_RAW:
++
++	case GNUTLS_SIGN_ECDSA_SECP256R1_SHA256:
++	case GNUTLS_SIGN_ECDSA_SECP384R1_SHA384:
++	case GNUTLS_SIGN_ECDSA_SECP521R1_SHA512:
++
++	case GNUTLS_SIGN_RSA_PSS_RSAE_SHA256:
++	case GNUTLS_SIGN_RSA_PSS_RSAE_SHA384:
++	case GNUTLS_SIGN_RSA_PSS_RSAE_SHA512:
++
++#if ENABLE_GOST
++	case GNUTLS_SIGN_GOST_94:
++	case GNUTLS_SIGN_GOST_256:
++	case GNUTLS_SIGN_GOST_512:
++#endif
++	case GNUTLS_SIGN_EDDSA_ED448:
++		return 1;
++	default:
++		return 0;
++	}
++}
++
+ /* Generates algorithm's parameters. That is:
+  *  For DSA: p, q, and g are generated.
+  *  For RSA: nothing
+@@ -3872,4 +3956,6 @@ gnutls_crypto_pk_st _gnutls_pk_ops = {
+ 	.pk_fixup_private_params = wrap_nettle_pk_fixup,
+ 	.derive = _wrap_nettle_pk_derive,
+ 	.curve_exists = _wrap_nettle_pk_curve_exists,
++	.pk_exists = _wrap_nettle_pk_exists,
++	.sign_exists = _wrap_nettle_pk_sign_exists
+ };
+diff --git a/lib/pk.h b/lib/pk.h
+index cc61e08cef..7f3c9995da 100644
+--- a/lib/pk.h
++++ b/lib/pk.h
+@@ -40,6 +40,8 @@ extern gnutls_crypto_pk_st _gnutls_pk_ops;
+ #define _gnutls_pk_generate_params( algo, bits, priv) _gnutls_pk_ops.generate_params( algo, bits, priv)
+ #define _gnutls_pk_hash_algorithm( pk, sig, params, hash) _gnutls_pk_ops.hash_algorithm(pk, sig, params, hash)
+ #define _gnutls_pk_curve_exists( curve) _gnutls_pk_ops.curve_exists(curve)
++#define _gnutls_pk_exists(algo) _gnutls_pk_ops.pk_exists(algo)
++#define _gnutls_pk_sign_exists(algo) _gnutls_pk_ops.sign_exists(algo)
+ 
+ inline static int
+ _gnutls_pk_fixup(gnutls_pk_algorithm_t algo, gnutls_direction_t direction,
+-- 
+2.34.1
+

SOURCES/gnutls-3.7.3-ktls-stub.patch

@@ -0,0 +1,33 @@
+From a97a93e23483aafc3508adee8e6399a2302e0fbc Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 15 Feb 2022 17:38:20 +0100
+Subject: [PATCH] gnutls_transport_is_ktls_enabled: fix return value of stub
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/system/ktls.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/lib/system/ktls.c b/lib/system/ktls.c
+index 7e3cb875ed..f156f08ab2 100644
+--- a/lib/system/ktls.c
++++ b/lib/system/ktls.c
+@@ -422,12 +422,11 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
+ 
+ #else //ENABLE_KTLS
+ gnutls_transport_ktls_enable_flags_t
+-gnutls_transport_is_ktls_enabled(gnutls_session_t session){
+-	return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
++gnutls_transport_is_ktls_enabled(gnutls_session_t session) {
++	return 0;
+ }
+ 
+-void _gnutls_ktls_enable(gnutls_session_t session){
+-	return;
++void _gnutls_ktls_enable(gnutls_session_t session) {
+ }
+ 
+ int _gnutls_ktls_set_keys(gnutls_session_t session) {
+-- 
+2.34.1
+

SOURCES/gnutls-3.7.3-libtss2-dlopen.patch

@@ -0,0 +1,719 @@
+From f5e5ab910b8b1d69f962ca033d1295c3e1e1e131 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 23 Feb 2022 19:48:52 +0100
+Subject: [PATCH] tpm2: dynamically load tss2 libraries as needed
+
+libtss2-esys links to OpenSSL or mbed TLS for cryptography, which may
+cause packaging issues.  This instead dlopen's tss2 libraries as
+needed so non-TPM applications continue working without loading
+multiple crypto libraries.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ configure.ac        |  11 +-
+ lib/Makefile.am     |   6 +-
+ lib/tpm2.c          |   2 +-
+ lib/tpm2.h          |   2 +-
+ lib/tpm2_esys.c     | 273 ++++++++++++++++++++++++++++++++++++--------
+ tests/Makefile.am   |   3 +-
+ tests/sanity-lib.sh |  40 +++++++
+ tests/tpm2.sh       |  14 ++-
+ 8 files changed, 296 insertions(+), 55 deletions(-)
+ create mode 100644 tests/sanity-lib.sh
+
+diff --git a/configure.ac b/configure.ac
+index 53c3aefca1..721ff208f0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -882,6 +882,8 @@ AM_CONDITIONAL(P11KIT_0_23_11_API, $PKG_CONFIG --atleast-version=0.23.11 p11-kit
+ 
+ AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
+ 
++need_ltlibdl=no
++
+ AC_ARG_WITH(tpm2,
+ 	AS_HELP_STRING([--without-tpm2],
+ 		[Disable TPM2 support.]),
+@@ -892,6 +894,7 @@ if test "$with_tpm2" != "no"; then
+ 	if test "$have_tpm2" = "yes"; then
+ 		tss2lib="tss2-esys tss2-mu tss2-tctildr"
+ 		AC_DEFINE([HAVE_TSS2], 1, [Have TSS2])
++		need_ltlibdl=yes
+ 	elif test "$with_tpm2" = "yes"; then
+ 		AC_MSG_ERROR([[
+ ***
+@@ -920,7 +923,8 @@ if test "$with_tpm" != "no"; then
+ 		   AC_SUBST([TSS_LIBS], [-ltspi])
+ 		   AC_SUBST([TSS_CFLAGS], [])
+ 		   AC_DEFINE([HAVE_TROUSERS], 1, [Enable TPM])
+-		   with_tpm=yes],
++		   with_tpm=yes,
++		   need_ltlibdl=yes],
+ 		  [AC_MSG_RESULT(no)
+ 		   AC_MSG_WARN([[
+ *** 
+@@ -957,6 +961,9 @@ fi
+ AC_DEFINE_UNQUOTED([TROUSERS_LIB], ["$ac_trousers_lib"], [the location of the trousers library])
+ AC_SUBST(TROUSERS_LIB)
+ 
++
++AM_CONDITIONAL(NEED_LTLIBDL, test "$need_ltlibdl" = yes)
++
+ # For minitasn1.
+ AC_CHECK_SIZEOF(unsigned long int, 4)
+ AC_CHECK_SIZEOF(unsigned int, 4)
+@@ -1312,7 +1319,7 @@ AC_MSG_NOTICE([External hardware support:
+   Random gen. variant:  $rnd_variant
+   PKCS#11 support:      $with_p11_kit
+   TPM support:          $with_tpm
+-  TPM2 support:         $have_tpm2
++  TPM2 support:         $with_tpm2
+   KTLS support:         $enable_ktls
+ ])
+ 
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index 35df35ee8d..e61ee1b6ae 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -44,7 +44,7 @@ AM_CPPFLAGS = \
+ 	-I$(srcdir)/x509			\
+ 	$(LIBTASN1_CFLAGS)			\
+ 	$(P11_KIT_CFLAGS)			\
+-	$(TPM2_CFLAGS)
++	$(TSS2_CFLAGS)
+ 
+ if !HAVE_LIBUNISTRING
+ SUBDIRS += unistring
+@@ -156,7 +156,7 @@ libgnutls_la_LIBADD = ../gl/libgnu.la x509/libgnutls_x509.la \
+ 	auth/libgnutls_auth.la algorithms/libgnutls_alg.la \
+ 	extras/libgnutls_extras.la
+ thirdparty_libadd = $(LTLIBZ) $(LTLIBINTL) $(LIBSOCKET) $(LTLIBNSL) \
+-	$(P11_KIT_LIBS) $(LIB_SELECT) $(TSS2_LIBS) $(GNUTLS_LIBS_PRIVATE)
++	$(P11_KIT_LIBS) $(LIB_SELECT) $(GNUTLS_LIBS_PRIVATE)
+ 
+ if HAVE_LIBIDN2
+ thirdparty_libadd += $(LIBIDN2_LIBS)
+@@ -203,7 +203,7 @@ all-local: $(hmac_files)
+ CLEANFILES = $(hmac_files)
+ endif
+ 
+-if ENABLE_TROUSERS
++if NEED_LTLIBDL
+ thirdparty_libadd += $(LTLIBDL)
+ endif
+ 
+diff --git a/lib/tpm2.c b/lib/tpm2.c
+index 076cc7f407..750eadc777 100644
+--- a/lib/tpm2.c
++++ b/lib/tpm2.c
+@@ -297,5 +297,5 @@ int _gnutls_load_tpm2_key(gnutls_privkey_t pkey, const gnutls_datum_t *fdata)
+ 
+ void _gnutls_tpm2_deinit(void)
+ {
+-	tpm2_tcti_deinit();
++	tpm2_esys_deinit();
+ }
+diff --git a/lib/tpm2.h b/lib/tpm2.h
+index e40dc01df7..7966e2d811 100644
+--- a/lib/tpm2.h
++++ b/lib/tpm2.h
+@@ -37,7 +37,7 @@ struct tpm2_info_st;
+ 
+ struct tpm2_info_st *tpm2_info_init(struct pin_info_st *pin);
+ 
+-void tpm2_tcti_deinit(void);
++void tpm2_esys_deinit(void);
+ 
+ void release_tpm2_ctx(struct tpm2_info_st *info);
+ 
+diff --git a/lib/tpm2_esys.c b/lib/tpm2_esys.c
+index 93e54413ba..4000c1b76e 100644
+--- a/lib/tpm2_esys.c
++++ b/lib/tpm2_esys.c
+@@ -72,6 +72,170 @@
+ #include <tss2/tss2_esys.h>
+ #include <tss2/tss2_tctildr.h>
+ 
++#include <dlfcn.h>
++
++/* We don't want to link to libtss2-esys, as it brings in other
++ * crypto libraries.  Instead, only dlopen it as needed.
++ */
++
++static void *_gnutls_tss2_esys_dlhandle;
++static void *_gnutls_tss2_mu_dlhandle;
++static void *_gnutls_tss2_tctildr_dlhandle;
++
++static TSS2_RC
++(*_gnutls_tss2_Esys_GetCapability)(ESYS_CONTEXT *esysContext,
++				   ESYS_TR shandle1,
++				   ESYS_TR shandle2,
++				   ESYS_TR shandle3,
++				   TPM2_CAP capability,
++				   UINT32 property,
++				   UINT32 propertyCount,
++				   TPMI_YES_NO *moreData,
++				   TPMS_CAPABILITY_DATA **capabilityData);
++static void (*_gnutls_tss2_Esys_Free)(void *__ptr);
++static TSS2_RC (*_gnutls_tss2_Esys_TR_SetAuth)(ESYS_CONTEXT *esysContext,
++					       ESYS_TR handle,
++					       TPM2B_AUTH const *authValue);
++static TSS2_RC
++(*_gnutls_tss2_Esys_CreatePrimary)(ESYS_CONTEXT *esysContext,
++				   ESYS_TR primaryHandle,
++				   ESYS_TR shandle1,
++				   ESYS_TR shandle2,
++				   ESYS_TR shandle3,
++				   const TPM2B_SENSITIVE_CREATE *inSensitive,
++				   const TPM2B_PUBLIC *inPublic,
++				   const TPM2B_DATA *outsideInfo,
++				   const TPML_PCR_SELECTION *creationPCR,
++				   ESYS_TR *objectHandle,
++				   TPM2B_PUBLIC **outPublic,
++				   TPM2B_CREATION_DATA **creationData,
++				   TPM2B_DIGEST **creationHash,
++				   TPMT_TK_CREATION **creationTicket);
++static TSS2_RC (*_gnutls_tss2_Esys_Initialize)(ESYS_CONTEXT **esys_context,
++					       TSS2_TCTI_CONTEXT *tcti,
++					       TSS2_ABI_VERSION *abiVersion);
++static TSS2_RC (*_gnutls_tss2_Esys_Startup)(ESYS_CONTEXT *esysContext,
++					    TPM2_SU startupType);
++static TSS2_RC (*_gnutls_tss2_Esys_TR_FromTPMPublic)(ESYS_CONTEXT *esysContext,
++						     TPM2_HANDLE tpm_handle,
++						     ESYS_TR optionalSession1,
++						     ESYS_TR optionalSession2,
++						     ESYS_TR optionalSession3,
++						     ESYS_TR *object);
++static TSS2_RC (*_gnutls_tss2_Esys_ReadPublic)(ESYS_CONTEXT *esysContext,
++					       ESYS_TR objectHandle,
++					       ESYS_TR shandle1,
++					       ESYS_TR shandle2,
++					       ESYS_TR shandle3,
++					       TPM2B_PUBLIC **outPublic,
++					       TPM2B_NAME **name,
++					       TPM2B_NAME **qualifiedName);
++static TSS2_RC (*_gnutls_tss2_Esys_Load)(ESYS_CONTEXT *esysContext,
++					 ESYS_TR parentHandle,
++					 ESYS_TR shandle1,
++					 ESYS_TR shandle2,
++					 ESYS_TR shandle3,
++					 const TPM2B_PRIVATE *inPrivate,
++					 const TPM2B_PUBLIC *inPublic,
++					 ESYS_TR *objectHandle);
++static TSS2_RC (*_gnutls_tss2_Esys_FlushContext)(ESYS_CONTEXT *esysContext,
++						 ESYS_TR flushHandle);
++static void (*_gnutls_tss2_Esys_Finalize)(ESYS_CONTEXT **context);
++static TSS2_RC
++(*_gnutls_tss2_Esys_RSA_Decrypt)(ESYS_CONTEXT *esysContext,
++				 ESYS_TR keyHandle,
++				 ESYS_TR shandle1,
++				 ESYS_TR shandle2,
++				 ESYS_TR shandle3,
++				 const TPM2B_PUBLIC_KEY_RSA *cipherText,
++				 const TPMT_RSA_DECRYPT *inScheme,
++				 const TPM2B_DATA *label,
++				 TPM2B_PUBLIC_KEY_RSA **message);
++static TSS2_RC (*_gnutls_tss2_Esys_Sign)(ESYS_CONTEXT *esysContext,
++					 ESYS_TR keyHandle,
++					 ESYS_TR shandle1,
++					 ESYS_TR shandle2,
++					 ESYS_TR shandle3,
++					 const TPM2B_DIGEST *digest,
++					 const TPMT_SIG_SCHEME *inScheme,
++					 const TPMT_TK_HASHCHECK *validation,
++					 TPMT_SIGNATURE **signature);
++
++static TSS2_RC
++(*_gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal)(uint8_t const buffer[],
++						size_t buffer_size,
++						size_t *offset,
++						TPM2B_PRIVATE *dest);
++static TSS2_RC
++(*_gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal)(uint8_t const buffer[],
++					       size_t buffer_size,
++					       size_t *offset,
++					       TPM2B_PUBLIC *dest);
++
++static TSS2_RC
++(*_gnutls_tss2_Tss2_TctiLdr_Initialize)(const char *nameConf,
++					TSS2_TCTI_CONTEXT **context);
++static void (*_gnutls_tss2_Tss2_TctiLdr_Finalize)(TSS2_TCTI_CONTEXT **context);
++
++#define DLSYM_TSS2(sys, sym)						\
++	_gnutls_tss2_##sym = dlsym(_gnutls_tss2_##sys##_dlhandle, #sym); \
++	if (!_gnutls_tss2_##sym) {					\
++		return -1;						\
++	}
++
++static int
++init_tss2_funcs(void)
++{
++	if (!_gnutls_tss2_esys_dlhandle) {
++		_gnutls_tss2_esys_dlhandle =
++			dlopen("libtss2-esys.so.0", RTLD_NOW | RTLD_GLOBAL);
++		if (!_gnutls_tss2_esys_dlhandle) {
++			_gnutls_debug_log("tpm2: unable to dlopen libtss2-esys\n");
++			return -1;
++		}
++	}
++
++	DLSYM_TSS2(esys, Esys_GetCapability)
++	DLSYM_TSS2(esys, Esys_Free)
++	DLSYM_TSS2(esys, Esys_TR_SetAuth)
++	DLSYM_TSS2(esys, Esys_CreatePrimary)
++	DLSYM_TSS2(esys, Esys_Initialize)
++	DLSYM_TSS2(esys, Esys_Startup)
++	DLSYM_TSS2(esys, Esys_TR_FromTPMPublic)
++	DLSYM_TSS2(esys, Esys_ReadPublic)
++	DLSYM_TSS2(esys, Esys_Load)
++	DLSYM_TSS2(esys, Esys_FlushContext)
++	DLSYM_TSS2(esys, Esys_Finalize)
++	DLSYM_TSS2(esys, Esys_RSA_Decrypt)
++	DLSYM_TSS2(esys, Esys_Sign)
++
++	if (!_gnutls_tss2_mu_dlhandle) {
++		_gnutls_tss2_mu_dlhandle =
++			dlopen("libtss2-mu.so.0", RTLD_NOW | RTLD_GLOBAL);
++		if (!_gnutls_tss2_mu_dlhandle) {
++			_gnutls_debug_log("tpm2: unable to dlopen libtss2-mu\n");
++			return -1;
++		}
++	}
++
++	DLSYM_TSS2(mu, Tss2_MU_TPM2B_PRIVATE_Unmarshal)
++	DLSYM_TSS2(mu, Tss2_MU_TPM2B_PUBLIC_Unmarshal)
++
++	if (!_gnutls_tss2_tctildr_dlhandle) {
++		_gnutls_tss2_tctildr_dlhandle =
++			dlopen("libtss2-tctildr.so.0", RTLD_NOW | RTLD_GLOBAL);
++		if (!_gnutls_tss2_tctildr_dlhandle) {
++			_gnutls_debug_log("tpm2: unable to dlopen libtss2-tctildr\n");
++			return -1;
++		}
++	}
++
++	DLSYM_TSS2(tctildr, Tss2_TctiLdr_Initialize)
++	DLSYM_TSS2(tctildr, Tss2_TctiLdr_Finalize)
++
++	return 0;
++}
++
+ struct tpm2_info_st {
+ 	TPM2B_PUBLIC pub;
+ 	TPM2B_PRIVATE priv;
+@@ -227,10 +391,10 @@ get_primary_template(ESYS_CONTEXT *ctx)
+ 	UINT32 i;
+ 	TSS2_RC rc;
+ 
+-	rc = Esys_GetCapability (ctx,
+-				 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+-				 TPM2_CAP_ALGS, 0, TPM2_MAX_CAP_ALGS,
+-				 NULL, &capability_data);
++	rc = _gnutls_tss2_Esys_GetCapability(ctx,
++				ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
++				TPM2_CAP_ALGS, 0, TPM2_MAX_CAP_ALGS,
++				NULL, &capability_data);
+ 	if (rc) {
+ 		_gnutls_debug_log("tpm2: Esys_GetCapability failed: 0x%x\n", rc);
+ 		return NULL;
+@@ -239,7 +403,7 @@ get_primary_template(ESYS_CONTEXT *ctx)
+ 	for (i = 0; i < capability_data->data.algorithms.count; i++) {
+ 		if (capability_data->data.algorithms.algProperties[i].alg ==
+ 		    TPM2_ALG_ECC) {
+-			Esys_Free(capability_data);
++			_gnutls_tss2_Esys_Free(capability_data);
+ 			return &primary_template_ecc;
+ 		}
+ 	}
+@@ -247,12 +411,12 @@ get_primary_template(ESYS_CONTEXT *ctx)
+ 	for (i = 0; i < capability_data->data.algorithms.count; i++) {
+ 		if (capability_data->data.algorithms.algProperties[i].alg ==
+ 		    TPM2_ALG_RSA) {
+-			Esys_Free(capability_data);
++			_gnutls_tss2_Esys_Free(capability_data);
+ 			return &primary_template_rsa;
+ 		}
+         }
+ 
+-	Esys_Free(capability_data);
++	_gnutls_tss2_Esys_Free(capability_data);
+ 	_gnutls_debug_log("tpm2: unable to find primary template\n");
+ 	return NULL;
+ }
+@@ -320,7 +484,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info,
+ 		install_tpm_passphrase(&info->ownerauth, pass);
+ 		info->need_ownerauth = false;
+ 	}
+-	rc = Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth);
++	rc = _gnutls_tss2_Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth);
+ 	if (rc) {
+ 		_gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc);
+ 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
+@@ -329,7 +493,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info,
+ 	if (!primary_template) {
+ 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
+ 	}
+-	rc = Esys_CreatePrimary(ctx, hierarchy,
++	rc = _gnutls_tss2_Esys_CreatePrimary(ctx, hierarchy,
+ 				ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
+ 				&primary_sensitive,
+ 				primary_template,
+@@ -359,14 +523,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+ 
+ 	_gnutls_debug_log("tpm2: establishing connection with TPM\n");
+ 
+-	rc = Esys_Initialize(ctx, tcti_ctx, NULL);
++	rc = _gnutls_tss2_Esys_Initialize(ctx, tcti_ctx, NULL);
+ 	if (rc) {
+ 		gnutls_assert();
+ 		_gnutls_debug_log("tpm2: Esys_Initialize failed: 0x%x\n", rc);
+ 		goto error;
+ 	}
+ 
+-	rc = Esys_Startup(*ctx, TPM2_SU_CLEAR);
++	rc = _gnutls_tss2_Esys_Startup(*ctx, TPM2_SU_CLEAR);
+ 	if (rc == TPM2_RC_INITIALIZE) {
+ 		_gnutls_debug_log("tpm2: was already started up thus false positive failing in tpm2tss log\n");
+ 	} else if (rc) {
+@@ -381,7 +545,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+ 			goto error;
+ 		}
+ 	} else {
+-		rc = Esys_TR_FromTPMPublic(*ctx, info->parent,
++		rc = _gnutls_tss2_Esys_TR_FromTPMPublic(*ctx, info->parent,
+ 					   ESYS_TR_NONE,
+ 					   ESYS_TR_NONE,
+ 					   ESYS_TR_NONE,
+@@ -399,7 +563,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+ 		if (!info->did_ownerauth && !info->ownerauth.size) {
+ 			TPM2B_PUBLIC *pub = NULL;
+ 
+-			rc = Esys_ReadPublic(*ctx, parent_handle,
++			rc = _gnutls_tss2_Esys_ReadPublic(*ctx, parent_handle,
+ 					     ESYS_TR_NONE,
+ 					     ESYS_TR_NONE,
+ 					     ESYS_TR_NONE,
+@@ -408,7 +572,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+ 			    !(pub->publicArea.objectAttributes & TPMA_OBJECT_NODA)) {
+ 				info->need_ownerauth = true;
+ 			}
+-			Esys_Free(pub);
++			_gnutls_tss2_Esys_Free(pub);
+ 		}
+ 	reauth:
+ 		if (info->need_ownerauth) {
+@@ -420,7 +584,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+ 			install_tpm_passphrase(&info->ownerauth, pass);
+ 			info->need_ownerauth = false;
+ 		}
+-		rc = Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth);
++		rc = _gnutls_tss2_Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth);
+ 		if (rc) {
+ 			gnutls_assert();
+ 			_gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n",
+@@ -432,7 +596,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+ 	_gnutls_debug_log("tpm2: loading TPM2 key blob, parent handle 0x%x\n",
+ 			  parent_handle);
+ 
+-	rc = Esys_Load(*ctx, parent_handle,
++	rc = _gnutls_tss2_Esys_Load(*ctx, parent_handle,
+ 		       ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
+ 		       &info->priv, &info->pub,
+ 		       key_handle);
+@@ -450,7 +614,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+ 	info->did_ownerauth = true;
+ 
+ 	if (parent_is_generated(info->parent)) {
+-		rc = Esys_FlushContext(*ctx, parent_handle);
++		rc = _gnutls_tss2_Esys_FlushContext(*ctx, parent_handle);
+ 		if (rc) {
+ 			_gnutls_debug_log("tpm2: Esys_FlushContext for generated primary failed: 0x%x\n",
+ 					  rc);
+@@ -461,14 +625,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+ 	return 0;
+  error:
+ 	if (parent_is_generated(info->parent) && parent_handle != ESYS_TR_NONE) {
+-		Esys_FlushContext(*ctx, parent_handle);
++		_gnutls_tss2_Esys_FlushContext(*ctx, parent_handle);
+ 	}
+ 	if (*key_handle != ESYS_TR_NONE) {
+-		Esys_FlushContext(*ctx, *key_handle);
++		_gnutls_tss2_Esys_FlushContext(*ctx, *key_handle);
+ 	}
+ 	*key_handle = ESYS_TR_NONE;
+ 
+-	Esys_Finalize(ctx);
++	_gnutls_tss2_Esys_Finalize(ctx);
+ 	return GNUTLS_E_TPM_ERROR;
+ }
+ 
+@@ -488,7 +652,7 @@ auth_tpm2_key(struct tpm2_info_st *info, ESYS_CONTEXT *ctx, ESYS_TR key_handle)
+ 		info->need_userauth = false;
+ 	}
+ 
+-	rc = Esys_TR_SetAuth(ctx, key_handle, &info->userauth);
++	rc = _gnutls_tss2_Esys_TR_SetAuth(ctx, key_handle, &info->userauth);
+ 	if (rc) {
+ 		_gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc);
+ 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
+@@ -574,7 +738,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+ 		goto out;
+ 	}
+ 
+-	rc = Esys_RSA_Decrypt(ectx, key_handle,
++	rc = _gnutls_tss2_Esys_RSA_Decrypt(ectx, key_handle,
+ 			      ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
+ 			      &digest, &in_scheme, &label, &tsig);
+ 	if (rc_is_key_auth_failed(rc)) {
+@@ -591,14 +755,14 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+ 
+ 	ret = _gnutls_set_datum(sig, tsig->buffer, tsig->size);
+  out:
+-	Esys_Free(tsig);
++	_gnutls_tss2_Esys_Free(tsig);
+ 
+ 	if (key_handle != ESYS_TR_NONE) {
+-		Esys_FlushContext(ectx, key_handle);
++		_gnutls_tss2_Esys_FlushContext(ectx, key_handle);
+ 	}
+ 
+ 	if (ectx) {
+-		Esys_Finalize(&ectx);
++		_gnutls_tss2_Esys_Finalize(&ectx);
+ 	}
+ 
+ 	return ret;
+@@ -661,7 +825,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+ 		goto out;
+ 	}
+ 
+-	rc = Esys_Sign(ectx, key_handle,
++	rc = _gnutls_tss2_Esys_Sign(ectx, key_handle,
+ 		       ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
+ 		       &digest, &in_scheme, &validation,
+ 		       &tsig);
+@@ -682,31 +846,23 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+ 
+ 	ret = gnutls_encode_rs_value(sig, &sig_r, &sig_s);
+  out:
+-	Esys_Free(tsig);
++	_gnutls_tss2_Esys_Free(tsig);
+ 
+ 	if (key_handle != ESYS_TR_NONE) {
+-		Esys_FlushContext(ectx, key_handle);
++		_gnutls_tss2_Esys_FlushContext(ectx, key_handle);
+ 	}
+ 
+ 	if (ectx) {
+-		Esys_Finalize(&ectx);
++		_gnutls_tss2_Esys_Finalize(&ectx);
+ 	}
+ 
+ 	return ret;
+ }
+ 
+-GNUTLS_ONCE(tcti_once);
+-
+-void
+-tpm2_tcti_deinit(void)
+-{
+-	if (tcti_ctx) {
+-		Tss2_TctiLdr_Finalize(&tcti_ctx);
+-	}
+-}
++GNUTLS_ONCE(tpm2_esys_once);
+ 
+ static void
+-tcti_once_init(void)
++tpm2_esys_once_init(void)
+ {
+ 	const char *tcti;
+ 	const char * const tcti_vars[] = {
+@@ -718,6 +874,11 @@ tcti_once_init(void)
+ 	size_t i;
+ 	TSS2_RC rc;
+ 
++	if (init_tss2_funcs() < 0) {
++		_gnutls_debug_log("tpm2: unable to initialize TSS2 functions\n");
++		return;
++	}
++
+ 	for (i = 0; i < sizeof(tcti_vars) / sizeof(tcti_vars[0]); i++) {
+ 		tcti = secure_getenv(tcti_vars[i]);
+ 		if (tcti && *tcti != '\0') {
+@@ -727,7 +888,7 @@ tcti_once_init(void)
+ 		}
+ 	}
+ 	if (tcti && *tcti != '\0') {
+-		rc = Tss2_TctiLdr_Initialize(tcti, &tcti_ctx);
++		rc = _gnutls_tss2_Tss2_TctiLdr_Initialize(tcti, &tcti_ctx);
+ 		if (rc) {
+ 			_gnutls_debug_log("tpm2: TSS2_TctiLdr_Initialize failed: 0x%x\n",
+ 					  rc);
+@@ -735,13 +896,35 @@ tcti_once_init(void)
+ 	}
+ }
+ 
++/* called by the global destructor through _gnutls_tpm2_deinit */
++void
++tpm2_esys_deinit(void)
++{
++	if (tcti_ctx) {
++		_gnutls_tss2_Tss2_TctiLdr_Finalize(&tcti_ctx);
++		tcti_ctx = NULL;
++	}
++	if (_gnutls_tss2_esys_dlhandle) {
++		dlclose(_gnutls_tss2_esys_dlhandle);
++		_gnutls_tss2_esys_dlhandle = NULL;
++	}
++	if (_gnutls_tss2_mu_dlhandle) {
++		dlclose(_gnutls_tss2_mu_dlhandle);
++		_gnutls_tss2_mu_dlhandle = NULL;
++	}
++	if (_gnutls_tss2_tctildr_dlhandle) {
++		dlclose(_gnutls_tss2_tctildr_dlhandle);
++		_gnutls_tss2_tctildr_dlhandle = NULL;
++	}
++}
++
+ int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey,
+ 		     unsigned int parent, bool emptyauth,
+ 		     gnutls_datum_t *privdata, gnutls_datum_t *pubdata)
+ {
+ 	TSS2_RC rc;
+ 
+-	(void)gnutls_once(&tcti_once, tcti_once_init);
++	(void)gnutls_once(&tpm2_esys_once, tpm2_esys_once_init);
+ 
+ 	if (!tcti_ctx) {
+ 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
+@@ -757,16 +940,16 @@ int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey,
+ 
+ 	info->parent = parent;
+ 
+-	rc = Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL,
+-					     &info->priv);
++	rc = _gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL,
++							     &info->priv);
+ 	if (rc) {
+ 		_gnutls_debug_log("tpm2: failed to import private key data: 0x%x\n",
+ 				  rc);
+ 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
+ 	}
+ 
+-	rc = Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL,
+-					    &info->pub);
++	rc = _gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL,
++							    &info->pub);
+ 	if (rc) {
+ 		_gnutls_debug_log("tpm2: failed to import public key data: 0x%x\n",
+ 				  rc);
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 529f1cc077..64ce470a02 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -515,7 +515,8 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start
+ 	psktool.sh ocsp-tests/ocsp-load-chain.sh gnutls-cli-save-data.sh gnutls-cli-debug.sh \
+ 	sni-resume.sh ocsp-tests/ocsptool.sh cert-reencoding.sh pkcs7-cat.sh long-crl.sh \
+ 	serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh \
+-	server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh
++	server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh \
++	sanity-lib.sh
+ 
+ if !DISABLE_SYSTEM_CONFIG
+ dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \
+diff --git a/tests/sanity-lib.sh b/tests/sanity-lib.sh
+new file mode 100644
+index 0000000000..1e3612781b
+--- /dev/null
++++ b/tests/sanity-lib.sh
+@@ -0,0 +1,40 @@
++#!/bin/sh
++
++# Copyright (C) 2022 Red Hat, Inc.
++#
++# Author: Daiki Ueno
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with this program.  If not, see <https://www.gnu.org/licenses/>
++
++: ${top_builddir=..}
++: ${CLI_DEBUG=../src/gnutls-cli-debug${EXEEXT}}
++: ${LDD=ldd}
++: ${LIBTOOL=libtool}
++
++if ! test -x "${CLI_DEBUG}"; then
++	exit 77
++fi
++
++# ldd.sh doesn't check recursive dependencies
++${LDD} --version >/dev/null || exit 77
++
++# We use gnutls-cli-debug, as it has the fewest dependencies among our
++# commands (e.g., gnutls-cli pulls in OpenSSL through libunbound).
++if ${LIBTOOL} --mode=execute ${LDD} ${CLI_DEBUG} | \
++    grep '^[[:space:]]*\(libcrypto\.\|libssl\.\|libgcrypt\.\)'; then
++    echo "gnutls-cli-debug links to other crypto library"
++    exit 1
++fi
+diff --git a/tests/tpm2.sh b/tests/tpm2.sh
+index 854986c552..6f8e44c64b 100755
+--- a/tests/tpm2.sh
++++ b/tests/tpm2.sh
+@@ -21,8 +21,6 @@
+ # along with GnuTLS; if not, write to the Free Software Foundation,
+ # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ 
+-set +e
+-
+ : ${srcdir=.}
+ : ${CERTTOOL=../src/certtool${EXEEXT}}
+ KEYPEMFILE=tpmkey.$$.key.pem
+@@ -192,6 +190,10 @@ run_tests()
+ 
+ 	echo " - Generating ${KEYPEMFILE}"
+ 	tpm2tss-genkey -a ${kalg} -o ${OPASS} ${KEYPEMFILE}
++	if [ $? -ne 0 ]; then
++		echo "unable to generate key"
++		return 1
++	fi
+ 	cat ${KEYPEMFILE}
+ 
+ 	echo " - Generating certificate based on key"
+@@ -200,6 +202,10 @@ run_tests()
+ 	"${CERTTOOL}" --generate-self-signed -d 3 \
+ 		--load-privkey "${KEYPEMFILE}" \
+ 		--template "${srcdir}/cert-tests/templates/template-test.tmpl"
++	if [ $? -ne 0 ]; then
++		echo "unable to generate certificate"
++		return 1
++	fi
+ 
+ 	if test "${kalg}" = "rsa";then
+ 		echo " - Generating RSA-PSS certificate based on key"
+@@ -207,6 +213,10 @@ run_tests()
+ 			--load-privkey "${KEYPEMFILE}" \
+ 			--sign-params rsa-pss \
+ 			--template "${srcdir}/cert-tests/templates/template-test.tmpl"
++		if [ $? -ne 0 ]; then
++			echo "unable to generate certificate"
++			return 1
++		fi
+ 	fi
+ 
+ 	stop_swtpm
+-- 
+2.34.1
+

SOURCES/gnutls-3.7.3-max-algos.patch

@@ -0,0 +1,44 @@
+From b5a2cbce49d94a04a68acbbc31caaa0c5d7b3321 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Fri, 18 Feb 2022 11:05:15 +0100
+Subject: [PATCH] bump GNUTLS_MAX_ALGORITHM_NUM / MAX_ALGOS
+
+Fedora 36 LEGACY crypto-policy uses allowlisting format
+and is long enough to blow past the 64 priority string
+elements mark, causing, effectively, priority string truncation.
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+---
+ lib/includes/gnutls/gnutls.h.in | 2 +-
+ lib/priority.c                  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
+index 6359a0edb6..16140c8787 100644
+--- a/lib/includes/gnutls/gnutls.h.in
++++ b/lib/includes/gnutls/gnutls.h.in
+@@ -408,7 +408,7 @@ typedef enum {
+   /* exported for other gnutls headers. This is the maximum number of
+    * algorithms (ciphers, kx or macs).
+    */
+-#define GNUTLS_MAX_ALGORITHM_NUM 64
++#define GNUTLS_MAX_ALGORITHM_NUM 128
+ #define GNUTLS_MAX_SESSION_ID_SIZE 32
+ 
+ 
+diff --git a/lib/priority.c b/lib/priority.c
+index 54d7b1bb45..e7698ba7eb 100644
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -43,7 +43,7 @@
+ #include "profiles.h"
+ #include "name_val_array.h"
+ 
+-#define MAX_ELEMENTS 64
++#define MAX_ELEMENTS GNUTLS_MAX_ALGORITHM_NUM
+ 
+ #define ENABLE_PROFILE(c, profile) do { \
+ 	c->additional_verify_flags &= 0x00ffffff; \
+-- 
+2.34.1
+