import gnutls-3.7.6-12.el9_0

.gitignore

@@ -1,2 +1,3 @@
-SOURCES/gnutls-3.7.3.tar.xz
-SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
+SOURCES/gmp-6.2.1.tar.xz
+SOURCES/gnutls-3.7.6.tar.xz
+SOURCES/gnutls-release-keyring.gpg

.gnutls.metadata

@@ -1,2 +1,3 @@
-552c337be97d2379ae7233ebf55e949010ef7837 SOURCES/gnutls-3.7.3.tar.xz
-648ec46f9539fe756fb90131b85ae4759ed2ed21 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
+0578d48607ec0e272177d175fd1807c30b00fdf2 SOURCES/gmp-6.2.1.tar.xz
+47591374259451fe2cd86c5fe7c345e769a6c79b SOURCES/gnutls-3.7.6.tar.xz
+befcf25b9dcd1d36b8bdb754c80c639eca45baa0 SOURCES/gnutls-release-keyring.gpg

SOURCES/gnutls-3.7.3-fips-dsa-post.patch

@@ -0,0 +1,29 @@
+From 0a29639ad24072afbd79b2ceede9976e51b9e2af Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Fri, 1 Jul 2022 16:46:07 +0900
+Subject: [PATCH] fips: don't run POST for DSA
+
+Signed-off-by: rpm-build <<rpm-build>>
+---
+ lib/fips.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/lib/fips.c b/lib/fips.c
+index 656d43e..c776690 100644
+--- a/lib/fips.c
++++ b/lib/fips.c
+@@ -523,11 +523,6 @@ int _gnutls_fips_perform_self_checks2(void)
+ 		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+-	ret = gnutls_pk_self_test(0, GNUTLS_PK_DSA);
+-	if (ret < 0) {
+-		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+-	}
+-
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_EC);
+ 	if (ret < 0) {
+ 		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+-- 
+2.36.1
+

SOURCES/gnutls-3.7.3-fips-pkcs12.patch

@@ -1,471 +0,0 @@
-From 7d8d8feb502ddb20a0d115fa3f63403c849a7168 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Thu, 10 Feb 2022 16:43:08 +0100
-Subject: [PATCH 1/2] pkcs12: mark MAC generation and verification as FIPS
- non-approved
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/x509/pkcs12.c     | 39 +++++++++++++++++++++++++---
- tests/pkcs12_encode.c | 59 +++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 94 insertions(+), 4 deletions(-)
-
-diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
-index a8f7d8f956..11b9da3ac9 100644
---- a/lib/x509/pkcs12.c
-+++ b/lib/x509/pkcs12.c
-@@ -286,13 +286,26 @@ gnutls_pkcs12_export(gnutls_pkcs12_t pkcs12,
- 		     gnutls_x509_crt_fmt_t format, void *output_data,
- 		     size_t * output_data_size)
- {
-+	int ret;
-+
- 	if (pkcs12 == NULL) {
- 		gnutls_assert();
- 		return GNUTLS_E_INVALID_REQUEST;
- 	}
- 
--	return _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12,
--				       output_data, output_data_size);
-+	ret = _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12,
-+				      output_data, output_data_size);
-+
-+	if (ret < 0) {
-+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
-+	} else {
-+		/* PKCS#12 export is always non-approved, because the MAC
-+		 * calculation involves non-approved KDF (PKCS#12 KDF) and
-+		 * without MAC the protection is insufficient.
-+		 */
-+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
-+	}
-+	return ret;
- }
- 
- /**
-@@ -317,13 +330,25 @@ int
- gnutls_pkcs12_export2(gnutls_pkcs12_t pkcs12,
- 		      gnutls_x509_crt_fmt_t format, gnutls_datum_t * out)
- {
-+	int ret;
-+
- 	if (pkcs12 == NULL) {
- 		gnutls_assert();
- 		return GNUTLS_E_INVALID_REQUEST;
- 	}
- 
--	return _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12,
--					out);
-+	ret = _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12,
-+				       out);
-+	if (ret < 0) {
-+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
-+	} else {
-+		/* PKCS#12 export is always non-approved, because the MAC
-+		 * calculation involves non-approved KDF (PKCS#12 KDF) and
-+		 * without MAC the protection is insufficient.
-+		 */
-+		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
-+	}
-+	return ret;
- }
- 
- static int oid2bag(const char *oid)
-@@ -1025,9 +1050,12 @@ int gnutls_pkcs12_generate_mac2(gnutls_pkcs12_t pkcs12, gnutls_mac_algorithm_t m
- 		goto cleanup;
- 	}
- 
-+	/* _gnutls_pkcs12_string_to_key is not a FIPS approved operation */
-+	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
- 	return 0;
- 
-       cleanup:
-+	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
- 	_gnutls_free_datum(&tmp);
- 	return result;
- }
-@@ -1203,8 +1231,11 @@ pkcs12_try_gost:
- 		goto cleanup;
- 	}
- 
-+	/* _gnutls_pkcs12_string_to_key is not a FIPS approved operation */
-+	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
- 	result = 0;
-  cleanup:
-+	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
- 	_gnutls_free_datum(&tmp);
- 	_gnutls_free_datum(&salt);
- 	return result;
-diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
-index 3b0e84ef13..b8f7d17267 100644
---- a/tests/pkcs12_encode.c
-+++ b/tests/pkcs12_encode.c
-@@ -70,6 +70,29 @@ static void tls_log_func(int level, const char *str)
- 	fprintf(stderr, "|<%d>| %s", level, str);
- }
- 
-+#define FIPS_PUSH_CONTEXT() do {					\
-+	if (gnutls_fips140_mode_enabled()) {				\
-+		ret = gnutls_fips140_push_context(fips_context);	\
-+		if (ret < 0) {						\
-+			fail("gnutls_fips140_push_context failed\n");	\
-+		}							\
-+	}								\
-+} while (0)
-+
-+#define FIPS_POP_CONTEXT(state) do {					\
-+	if (gnutls_fips140_mode_enabled()) {				\
-+		ret = gnutls_fips140_pop_context();			\
-+		if (ret < 0) {						\
-+			fail("gnutls_fips140_context_pop failed\n");	\
-+		}							\
-+		fips_state = gnutls_fips140_get_operation_state(fips_context); \
-+		if (fips_state != GNUTLS_FIPS140_OP_ ## state) {	\
-+			fail("operation state is not " # state " (%d)\n", \
-+			     fips_state);				\
-+		}							\
-+	}								\
-+} while (0)
-+
- void doit(void)
- {
- 	gnutls_pkcs12_t pkcs12;
-@@ -82,6 +105,8 @@ void doit(void)
- 	char outbuf[10240];
- 	size_t size;
- 	unsigned tests, i;
-+	gnutls_fips140_context_t fips_context;
-+	gnutls_fips140_operation_state_t fips_state;
- 
- 	ret = global_init();
- 	if (ret < 0) {
-@@ -93,6 +118,11 @@ void doit(void)
- 	if (debug)
- 		gnutls_global_set_log_level(4711);
- 
-+	ret = gnutls_fips140_context_init(&fips_context);
-+	if (ret < 0) {
-+		fail("Cannot initialize FIPS context\n");
-+	}
-+
- 	/* Read certs. */
- 	ret = gnutls_x509_crt_init(&client);
- 	if (ret < 0) {
-@@ -196,6 +226,8 @@ void doit(void)
- 		gnutls_pkcs12_bag_deinit(bag);
- 	}
- 
-+	FIPS_PUSH_CONTEXT();
-+
- 	/* MAC the structure, export and print. */
- 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA1, "pass");
- 	if (ret < 0) {
-@@ -203,36 +235,60 @@ void doit(void)
- 		exit(1);
- 	}
- 
-+	FIPS_POP_CONTEXT(NOT_APPROVED);
-+
-+	FIPS_PUSH_CONTEXT();
-+
- 	ret = gnutls_pkcs12_verify_mac(pkcs12, "pass");
- 	if (ret < 0) {
- 		fprintf(stderr, "verify_mac: %s (%d)\n", gnutls_strerror(ret), ret);
- 		exit(1);
- 	}
- 
-+	FIPS_POP_CONTEXT(NOT_APPROVED);
-+
-+	FIPS_PUSH_CONTEXT();
-+
- 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA256, "passwd");
- 	if (ret < 0) {
- 		fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
- 		exit(1);
- 	}
- 
-+	FIPS_POP_CONTEXT(NOT_APPROVED);
-+
-+	FIPS_PUSH_CONTEXT();
-+
- 	ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd");
- 	if (ret < 0) {
- 		fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
- 		exit(1);
- 	}
- 
-+	FIPS_POP_CONTEXT(NOT_APPROVED);
-+
-+	FIPS_PUSH_CONTEXT();
-+
- 	ret = gnutls_pkcs12_generate_mac2(pkcs12, GNUTLS_MAC_SHA512, "passwd1");
- 	if (ret < 0) {
- 		fprintf(stderr, "generate_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
- 		exit(1);
- 	}
- 
-+	FIPS_POP_CONTEXT(NOT_APPROVED);
-+
-+	FIPS_PUSH_CONTEXT();
-+
- 	ret = gnutls_pkcs12_verify_mac(pkcs12, "passwd1");
- 	if (ret < 0) {
- 		fprintf(stderr, "verify_mac2: %s (%d)\n", gnutls_strerror(ret), ret);
- 		exit(1);
- 	}
- 
-+	FIPS_POP_CONTEXT(NOT_APPROVED);
-+
-+	FIPS_PUSH_CONTEXT();
-+
- 	size = sizeof(outbuf);
- 	ret =
- 	    gnutls_pkcs12_export(pkcs12, GNUTLS_X509_FMT_PEM, outbuf,
-@@ -242,10 +298,13 @@ void doit(void)
- 		exit(1);
- 	}
- 
-+	FIPS_POP_CONTEXT(NOT_APPROVED);
-+
- 	if (debug)
- 		fwrite(outbuf, size, 1, stdout);
- 
- 	/* Cleanup. */
-+	gnutls_fips140_context_deinit(fips_context);
- 	gnutls_pkcs12_deinit(pkcs12);
- 	gnutls_x509_crt_deinit(client);
- 	gnutls_x509_crt_deinit(ca);
--- 
-2.34.1
-
-
-From e7f9267342bc2231149a640163c82b63c86f1dfd Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Thu, 10 Feb 2022 17:35:13 +0100
-Subject: [PATCH 2/2] _gnutls_pkcs_raw_{decrypt,encrypt}_data: use public
- crypto API
-
-These functions previously used the internal crypto
-API (_gnutls_cipher_*) which does not have algorithm checks for FIPS.
-
-This change switches the code to use the public crypto
-API (gnutls_cipher_*) to trigger proper state transitions under FIPS
-mode.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/x509/pkcs7-crypt.c | 36 +++++++++++-----------------
- tests/pkcs12_encode.c  | 54 +++++++++++++++++++++++++++---------------
- 2 files changed, 49 insertions(+), 41 deletions(-)
-
-diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
-index 4cce52ecf0..2dc5bc4df0 100644
---- a/lib/x509/pkcs7-crypt.c
-+++ b/lib/x509/pkcs7-crypt.c
-@@ -1130,8 +1130,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
- 	gnutls_datum_t enc = { NULL, 0 };
- 	uint8_t *key = NULL;
- 	gnutls_datum_t dkey, d_iv;
--	cipher_hd_st ch;
--	int ch_init = 0;
-+	gnutls_cipher_hd_t ch = NULL;
- 	int key_size, ret;
- 	unsigned int pass_len = 0;
- 	const struct pkcs_cipher_schema_st *p;
-@@ -1237,8 +1236,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
- 	d_iv.data = (uint8_t *) enc_params->iv;
- 	d_iv.size = enc_params->iv_size;
- 
--	ret =
--	    _gnutls_cipher_init(&ch, ce, &dkey, &d_iv, 0);
-+	ret = gnutls_cipher_init(&ch, ce->id, &dkey, &d_iv);
- 
- 	gnutls_free(key);
- 
-@@ -1247,9 +1245,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
- 		goto error;
- 	}
- 
--	ch_init = 1;
--
--	ret = _gnutls_cipher_decrypt(&ch, enc.data, enc.size);
-+	ret = gnutls_cipher_decrypt(ch, enc.data, enc.size);
- 	if (ret < 0) {
- 		gnutls_assert();
- 		ret = GNUTLS_E_DECRYPTION_FAILED;
-@@ -1281,7 +1277,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
- 		decrypted_data->size = enc.size;
- 	}
- 
--	_gnutls_cipher_deinit(&ch);
-+	gnutls_cipher_deinit(ch);
- 
- 	ret = 0;
- 
-@@ -1294,8 +1290,9 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
- 	gnutls_free(password);
- 	gnutls_free(enc.data);
- 	gnutls_free(key);
--	if (ch_init != 0)
--		_gnutls_cipher_deinit(&ch);
-+	if (ch) {
-+		gnutls_cipher_deinit(ch);
-+	}
- 	return ret;
- }
- 
-@@ -1725,8 +1722,7 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
- 	int data_size;
- 	uint8_t *data = NULL;
- 	gnutls_datum_t d_iv;
--	cipher_hd_st ch;
--	int ch_init = 0;
-+	gnutls_cipher_hd_t ch = NULL;
- 	uint8_t pad, pad_size;
- 	const cipher_entry_st *ce;
- 
-@@ -1756,18 +1752,13 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
- 
- 	d_iv.data = (uint8_t *) enc_params->iv;
- 	d_iv.size = enc_params->iv_size;
--	result =
--	    _gnutls_cipher_init(&ch, cipher_to_entry(enc_params->cipher),
--				key, &d_iv, 1);
--
-+	result = gnutls_cipher_init(&ch, enc_params->cipher, key, &d_iv);
- 	if (result < 0) {
- 		gnutls_assert();
- 		goto error;
- 	}
- 
--	ch_init = 1;
--
--	result = _gnutls_cipher_encrypt(&ch, data, data_size);
-+	result = gnutls_cipher_encrypt(ch, data, data_size);
- 	if (result < 0) {
- 		gnutls_assert();
- 		goto error;
-@@ -1776,13 +1767,14 @@ _gnutls_pkcs_raw_encrypt_data(const gnutls_datum_t * plain,
- 	encrypted->data = data;
- 	encrypted->size = data_size;
- 
--	_gnutls_cipher_deinit(&ch);
-+	gnutls_cipher_deinit(ch);
- 
- 	return 0;
- 
-  error:
- 	gnutls_free(data);
--	if (ch_init != 0)
--		_gnutls_cipher_deinit(&ch);
-+	if (ch) {
-+		gnutls_cipher_deinit(ch);
-+	}
- 	return result;
- }
-diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
-index b8f7d17267..78f6f41b48 100644
---- a/tests/pkcs12_encode.c
-+++ b/tests/pkcs12_encode.c
-@@ -104,9 +104,17 @@ void doit(void)
- 	int ret, indx;
- 	char outbuf[10240];
- 	size_t size;
--	unsigned tests, i;
-+	unsigned i;
- 	gnutls_fips140_context_t fips_context;
- 	gnutls_fips140_operation_state_t fips_state;
-+	size_t n_tests = 0;
-+	struct tests {
-+		const char *name;
-+		gnutls_x509_crt_t crt;
-+		const char *friendly_name;
-+		unsigned bag_encrypt_flags;
-+		int bag_encrypt_expected;
-+	} tests[2];
- 
- 	ret = global_init();
- 	if (ret < 0) {
-@@ -157,21 +165,34 @@ void doit(void)
- 		exit(1);
- 	}
- 
--	/* Generate and add PKCS#12 cert bags. */
--	if (!gnutls_fips140_mode_enabled()) {
--		tests = 2; /* include RC2 */
-+	tests[n_tests].name = "3DES";
-+	tests[n_tests].crt = client;
-+	tests[n_tests].friendly_name = "client";
-+	tests[n_tests].bag_encrypt_flags = GNUTLS_PKCS8_USE_PKCS12_3DES;
-+	tests[n_tests].bag_encrypt_expected = 0;
-+	n_tests++;
-+
-+	tests[n_tests].name = "RC2-40";
-+	tests[n_tests].crt = ca;
-+	tests[n_tests].friendly_name = "ca";
-+	tests[n_tests].bag_encrypt_flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
-+	if (gnutls_fips140_mode_enabled()) {
-+		tests[n_tests].bag_encrypt_expected =
-+			GNUTLS_E_UNWANTED_ALGORITHM;
- 	} else {
--		tests = 1;
-+		tests[n_tests].bag_encrypt_expected = 0;
- 	}
-+	n_tests++;
- 
--	for (i = 0; i < tests; i++) {
-+	/* Generate and add PKCS#12 cert bags. */
-+	for (i = 0; i < n_tests; i++) {
- 		ret = gnutls_pkcs12_bag_init(&bag);
- 		if (ret < 0) {
- 			fprintf(stderr, "bag_init: %s (%d)\n", gnutls_strerror(ret), ret);
- 			exit(1);
- 		}
- 
--		ret = gnutls_pkcs12_bag_set_crt(bag, i == 0 ? client : ca);
-+		ret = gnutls_pkcs12_bag_set_crt(bag, tests[i].crt);
- 		if (ret < 0) {
- 			fprintf(stderr, "set_crt: %s (%d)\n", gnutls_strerror(ret), ret);
- 			exit(1);
-@@ -180,16 +201,14 @@ void doit(void)
- 		indx = ret;
- 
- 		ret = gnutls_pkcs12_bag_set_friendly_name(bag, indx,
--							  i ==
--							  0 ? "client" :
--							  "ca");
-+							  tests[i].friendly_name);
- 		if (ret < 0) {
- 			fprintf(stderr, "set_friendly_name: %s (%d)\n", gnutls_strerror(ret), ret);
- 			exit(1);
- 		}
- 
- 		size = sizeof(key_id_buf);
--		ret = gnutls_x509_crt_get_key_id(i == 0 ? client : ca, 0,
-+		ret = gnutls_x509_crt_get_key_id(tests[i].crt, 0,
- 						 key_id_buf, &size);
- 		if (ret < 0) {
- 			fprintf(stderr, "get_key_id: %s (%d)\n", gnutls_strerror(ret), ret);
-@@ -206,14 +225,11 @@ void doit(void)
- 		}
- 
- 		ret = gnutls_pkcs12_bag_encrypt(bag, "pass",
--						i ==
--						0 ?
--						GNUTLS_PKCS8_USE_PKCS12_3DES
--						:
--						GNUTLS_PKCS_USE_PKCS12_RC2_40);
--		if (ret < 0) {
--			fprintf(stderr, "bag_encrypt: %d: %s", ret,
--				i == 0 ? "3DES" : "RC2-40");
-+						tests[i].bag_encrypt_flags);
-+		if (ret != tests[i].bag_encrypt_expected) {
-+			fprintf(stderr, "bag_encrypt: returned %d, expected %d: %s", ret,
-+				tests[i].bag_encrypt_expected,
-+				tests[i].name);
- 			exit(1);
- 		}
- 
--- 
-2.34.1
-

SOURCES/gnutls-3.7.3-fips-rsa-keygen.patch

@@ -1,182 +0,0 @@
-From 9f5a60c1fe576f82bcd5c7998b2ca2b0d60e8e4f Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Thu, 27 Jan 2022 18:17:43 +0100
-Subject: [PATCH 1/2] rsa_generate_fips186_4_keypair: accept a few more modulus
- sizes
-
-While _rsa_generate_fips186_4_keypair was modified to accept modulus
-sizes other than 2048 and 3076, rsa_generate_fips186_4_keypair, which
-calls that function, was not updated to accept such modulus sizes.
-
-Spotted by Alexander Sosedkin.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/nettle/int/rsa-keygen-fips186.c | 67 ++++++++++++++++-------------
- 1 file changed, 36 insertions(+), 31 deletions(-)
-
-diff --git a/lib/nettle/int/rsa-keygen-fips186.c b/lib/nettle/int/rsa-keygen-fips186.c
-index 5b221a030a..c6f7e675af 100644
---- a/lib/nettle/int/rsa-keygen-fips186.c
-+++ b/lib/nettle/int/rsa-keygen-fips186.c
-@@ -27,6 +27,7 @@
- #include "config.h"
- #endif
- 
-+#include <assert.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <string.h>
-@@ -248,6 +249,33 @@ cleanup:
- 	return ret;
- }
- 
-+/* Return the pre-defined seed length for modulus size, or 0 when the
-+ * modulus size is unsupported.
-+ */
-+static inline unsigned
-+seed_length_for_modulus_size(unsigned modulus_size)
-+{
-+	switch (modulus_size) {
-+	case 2048:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
-+		return 14 * 2;
-+	case 3072:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
-+		return 16 * 2;
-+	case 4096:      /* SP 800-56B rev 2 Appendix D */
-+		return 19 * 2;
-+	case 6144:      /* SP 800-56B rev 2 Appendix D */
-+		return 22 * 2;
-+	case 7680:      /* FIPS 140-2 IG 7.5 */
-+		return 24 * 2;
-+	case 8192:      /* SP 800-56B rev 2 Appendix D */
-+		return 25 * 2;
-+	case 15360:     /* FIPS 140-2 IG 7.5 */
-+		return 32 * 2;
-+	default:
-+		return 0;
-+	}
-+
-+}
-+
- /* This generates p,q params using the B.3.2.2 algorithm in FIPS 186-4.
-  * 
-  * The hash function used is SHA384.
-@@ -266,33 +294,15 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
- 	int ret;
- 	struct dss_params_validation_seeds cert;
- 	unsigned l = n_size / 2;
-+	unsigned s = seed_length_for_modulus_size(n_size);
- 
--	switch (n_size) {
--	case 2048:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
--		FIPS_RULE(seed_length != 14 * 2, 0, "seed length other than 28 bytes\n");
--		break;
--	case 3072:      /* SP 800-56B rev 2 Appendix D and FIPS 140-2 IG 7.5 */
--		FIPS_RULE(seed_length != 16 * 2, 0, "seed length other than 32 bytes\n");
--		break;
--	case 4096:      /* SP 800-56B rev 2 Appendix D */
--		FIPS_RULE(seed_length != 19 * 2, 0, "seed length other than 38 bytes\n");
--		break;
--	case 6144:      /* SP 800-56B rev 2 Appendix D */
--		FIPS_RULE(seed_length != 22 * 2, 0, "seed length other than 44 bytes\n");
--		break;
--	case 7680:      /* FIPS 140-2 IG 7.5 */
--		FIPS_RULE(seed_length != 24 * 2, 0, "seed length other than 48 bytes\n");
--		break;
--	case 8192:      /* SP 800-56B rev 2 Appendix D */
--		FIPS_RULE(seed_length != 25 * 2, 0, "seed length other than 50 bytes\n");
--		break;
--	case 15360:     /* FIPS 140-2 IG 7.5 */
--		FIPS_RULE(seed_length != 32 * 2, 0, "seed length other than 64 bytes\n");
--		break;
--	default:
-+	if (!s) {
- 		FIPS_RULE(false, 0, "unsupported modulus size\n");
- 	}
- 
-+	FIPS_RULE(seed_length != s, 0,
-+		  "seed length other than %u bytes\n", s);
-+
- 	if (!mpz_tstbit(pub->e, 0)) {
- 		_gnutls_debug_log("Unacceptable e (it is even)\n");
- 		return 0;
-@@ -405,10 +415,6 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
- 	return ret;
- }
- 
--/* Not entirely accurate but a good precision
-- */
--#define SEED_LENGTH(bits) (_gnutls_pk_bits_to_subgroup_bits(bits)/8)
--
- /* This generates p,q params using the B.3.2.2 algorithm in FIPS 186-4.
-  * 
-  * The hash function used is SHA384.
-@@ -429,11 +435,10 @@ rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
- 	unsigned seed_length;
- 	int ret;
- 
--	FIPS_RULE(n_size != 2048 && n_size != 3072, 0, "size of prime of other than 2048 or 3072\n");
-+	seed_length = seed_length_for_modulus_size(n_size);
-+	FIPS_RULE(!seed_length, 0, "unsupported modulus size\n");
- 
--	seed_length = SEED_LENGTH(n_size);
--	if (seed_length > sizeof(seed))
--		return 0;
-+	assert(seed_length <= sizeof(seed));
- 
- 	random(random_ctx, seed_length, seed);
- 
--- 
-2.34.1
-
-
-From 46ae6160489151034bca19aa6c40ba0df6b53bcc Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Tue, 1 Feb 2022 15:19:52 +0100
-Subject: [PATCH 2/2] certtool --generate-privkey: update warnings on RSA key
- sizes
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- src/certtool.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/src/certtool.c b/src/certtool.c
-index c128500614..71d4aff13e 100644
---- a/src/certtool.c
-+++ b/src/certtool.c
-@@ -206,8 +206,12 @@ generate_private_key_int(common_info_st * cinfo)
- 			"Note that DSA keys with size over 1024 may cause incompatibility problems when used with earlier than TLS 1.2 versions.\n\n");
- 
- 	if ((HAVE_OPT(SEED) || provable) && GNUTLS_PK_IS_RSA(key_type)) {
--		if (bits != 2048 && bits != 3072) {
--			fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to 2048 and 3072 bits\n");
-+		/* Keep in sync with seed_length_for_modulus_size in
-+		 * lib/nettle/int/rsa-keygen-fips186.c. */
-+		if (bits != 2048 && bits != 3072 && bits != 4096 &&
-+		    bits != 6144 && bits != 7680 && bits != 8192 &&
-+		    bits != 15360) {
-+			fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to be of known lengths (2048, 3072, etc)\n");
- 		}
- 	}
- 
-@@ -225,7 +229,15 @@ generate_private_key_int(common_info_st * cinfo)
- 		kdata[kdata_size++].size = cinfo->seed_size;
- 
- 		if (GNUTLS_PK_IS_RSA(key_type)) {
--			if ((bits == 3072 && cinfo->seed_size != 32) || (bits == 2048 && cinfo->seed_size != 28)) {
-+			/* Keep in sync with seed_length_for_modulus_size in
-+			 * lib/nettle/int/rsa-keygen-fips186.c. */
-+			if ((bits == 2048 && cinfo->seed_size != 28) ||
-+			    (bits == 3072 && cinfo->seed_size != 32) ||
-+			    (bits == 4096 && cinfo->seed_size != 38) ||
-+			    (bits == 6144 && cinfo->seed_size != 44) ||
-+			    (bits == 7680 && cinfo->seed_size != 48) ||
-+			    (bits == 8192 && cinfo->seed_size != 50) ||
-+			    (bits == 15360 && cinfo->seed_size != 64)) {
- 				fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)cinfo->seed_size);
- 			}
- 		} else if (key_type == GNUTLS_PK_DSA) {
--- 
-2.34.1
-

SOURCES/gnutls-3.7.3-fix-tests-in-fips.patch

@@ -1,70 +0,0 @@
-From 2c33761787f6530cf3984310a5f3b7dd05a7b375 Mon Sep 17 00:00:00 2001
-From: Zoltan Fridrich <zfridric@redhat.com>
-Date: Thu, 17 Feb 2022 11:46:29 +0100
-Subject: [PATCH] Disable some tests in fips mode
-
-Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
----
- tests/pkcs11/pkcs11-eddsa-privkey-test.c | 5 +++++
- tests/pkcs11/tls-neg-pkcs11-key.c        | 8 +++++++-
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/tests/pkcs11/pkcs11-eddsa-privkey-test.c b/tests/pkcs11/pkcs11-eddsa-privkey-test.c
-index 44515da3f..ebbfe5278 100644
---- a/tests/pkcs11/pkcs11-eddsa-privkey-test.c
-+++ b/tests/pkcs11/pkcs11-eddsa-privkey-test.c
-@@ -107,6 +107,11 @@ void doit(void)
- 		fail("%d: %s\n", ret, gnutls_strerror(ret));
- 	}
- 
-+	if (gnutls_fips140_mode_enabled()) {
-+		gnutls_global_deinit();
-+		return;
-+	}
-+
- 	gnutls_pkcs11_set_pin_function(pin_func, NULL);
- 	gnutls_global_set_log_function(tls_log_func);
- 	if (debug)
-diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
-index fc7c3dc4e..5cc1ae6e2 100644
---- a/tests/pkcs11/tls-neg-pkcs11-key.c
-+++ b/tests/pkcs11/tls-neg-pkcs11-key.c
-@@ -268,6 +268,7 @@ typedef struct test_st {
- 	int exp_serv_err;
- 	int needs_eddsa;
- 	int needs_decryption;
-+	int nofips;
- 	unsigned requires_pkcs11_pss;
- } test_st;
- 
-@@ -340,6 +341,7 @@ static const test_st tests[] = {
- 	 .cert = &server_ca3_eddsa_cert,
- 	 .key = &server_ca3_eddsa_key,
- 	 .exp_kx = GNUTLS_KX_ECDHE_RSA,
-+	 .nofips = 1
- 	},
- 	{.name = "tls1.3: ecc key",
- 	 .pk = GNUTLS_PK_ECDSA,
-@@ -392,7 +394,8 @@ static const test_st tests[] = {
- 	 .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
- 	 .cert = &server_ca3_eddsa_cert,
- 	 .key = &server_ca3_eddsa_key,
--	 .exp_kx = GNUTLS_KX_ECDHE_RSA
-+	 .exp_kx = GNUTLS_KX_ECDHE_RSA,
-+	 .nofips = 1
- 	}
- };
- 
-@@ -448,6 +451,9 @@ void doit(void)
- 	have_eddsa = verify_eddsa_presence();
- 
- 	for (i=0;i<sizeof(tests)/sizeof(tests[0]);i++) {
-+		if (tests[i].nofips && gnutls_fips140_mode_enabled())
-+			continue;
-+
- 		if (tests[i].needs_eddsa && !have_eddsa)
- 			continue;
- 
--- 
-2.35.1
-

SOURCES/gnutls-3.7.3-gost-ifdef.patch

@@ -1,259 +0,0 @@
-From 85a881cbca6f8e8578af7a026163ac3075ea267c Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Mon, 21 Feb 2022 16:28:49 +0100
-Subject: [PATCH] priority: compile out GOST algorithms IDs if they are
- disabled
-
-When compiled with --disable-gost, gnutls-cli --priority NORMAL --list
-still prints GOST algorithms for ciphers, MACs, and signatures.  This
-change adds compile time checks to suppress them.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/priority.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/lib/priority.c b/lib/priority.c
-index 54d7b1bb45..0c7ac65d7b 100644
---- a/lib/priority.c
-+++ b/lib/priority.c
-@@ -309,7 +309,9 @@ static const int _kx_priority_secure[] = {
- static const int* kx_priority_secure = _kx_priority_secure;
- 
- static const int _kx_priority_gost[] = {
-+#ifdef ENABLE_GOST
- 	GNUTLS_KX_VKO_GOST_12,
-+#endif
- 	0,
- };
- static const int* kx_priority_gost = _kx_priority_gost;
-@@ -507,9 +509,10 @@ static const int _sign_priority_secure192[] = {
- static const int* sign_priority_secure192 = _sign_priority_secure192;
- 
- static const int _sign_priority_gost[] = {
-+#ifdef ENABLE_GOST
- 	GNUTLS_SIGN_GOST_256,
- 	GNUTLS_SIGN_GOST_512,
--
-+#endif
- 	0
- };
- static const int* sign_priority_gost = _sign_priority_gost;
-@@ -531,13 +534,17 @@ static const int *cipher_priority_normal = _cipher_priority_normal_default;
- static const int *mac_priority_normal = mac_priority_normal_default;
- 
- static const int _cipher_priority_gost[] = {
-+#ifdef ENABLE_GOST
- 	GNUTLS_CIPHER_GOST28147_TC26Z_CNT,
-+#endif
- 	0
- };
- static const int *cipher_priority_gost = _cipher_priority_gost;
- 
- static const int _mac_priority_gost[] = {
-+#ifdef ENABLE_GOST
- 	GNUTLS_MAC_GOST28147_TC26Z_IMIT,
-+#endif
- 	0
- };
- static const int *mac_priority_gost = _mac_priority_gost;
--- 
-2.34.1
-
-From f2bb30f68922d72f8bed29cc8b2a065087a0969f Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Tue, 22 Feb 2022 17:09:46 +0100
-Subject: [PATCH] algorithms: ensure _list() exclude non-existing algorithms
-
-This aligns the behavior of _list() function for sign/pk to the one
-for cipher/mac: the former previously returned all the algorithms
-defined, while the latter returns only algorithms compiled in.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/algorithms/publickey.c |  8 +++-
- lib/algorithms/sign.c      |  4 +-
- lib/crypto-backend.h       |  2 +
- lib/nettle/pk.c            | 86 ++++++++++++++++++++++++++++++++++++++
- lib/pk.h                   |  2 +
- 5 files changed, 99 insertions(+), 3 deletions(-)
-
-diff --git a/lib/algorithms/publickey.c b/lib/algorithms/publickey.c
-index b4cd6b1df0..caf53972ab 100644
---- a/lib/algorithms/publickey.c
-+++ b/lib/algorithms/publickey.c
-@@ -24,6 +24,7 @@
- #include <algorithms.h>
- #include "errors.h"
- #include <x509/common.h>
-+#include "pk.h"
- 
- 
- /* KX mappings to PK algorithms */
-@@ -203,8 +204,11 @@ const gnutls_pk_algorithm_t *gnutls_pk_list(void)
- 		int i = 0;
- 
- 		GNUTLS_PK_LOOP(
--			if (p->id != GNUTLS_PK_UNKNOWN && supported_pks[i > 0 ? (i - 1) : 0] != p->id)
--				supported_pks[i++] = p->id
-+			if (p->id != GNUTLS_PK_UNKNOWN &&
-+			    supported_pks[i > 0 ? (i - 1) : 0] != p->id &&
-+			    _gnutls_pk_exists(p->id)) {
-+				supported_pks[i++] = p->id;
-+			}
- 		);
- 		supported_pks[i++] = 0;
- 	}
-diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c
-index 06abdb4cf8..4a5aaa75e1 100644
---- a/lib/algorithms/sign.c
-+++ b/lib/algorithms/sign.c
-@@ -27,6 +27,7 @@
- #include <x509/common.h>
- #include <assert.h>
- #include "c-strcase.h"
-+#include "pk.h"
- 
- /* signature algorithms;
-  */
-@@ -631,7 +632,8 @@ const gnutls_sign_algorithm_t *gnutls_sign_list(void)
- 
- 		GNUTLS_SIGN_LOOP(
- 			/* list all algorithms, but not duplicates */
--			if (supported_sign[i] != p->id) {
-+			if (supported_sign[i] != p->id &&
-+			    _gnutls_pk_sign_exists(p->id)) {
- 				assert(i+1 < MAX_ALGOS);
- 				supported_sign[i++] = p->id;
- 				supported_sign[i+1] = 0;
-diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
-index 9874033221..f0f68c337e 100644
---- a/lib/crypto-backend.h
-+++ b/lib/crypto-backend.h
-@@ -418,6 +418,8 @@ typedef struct gnutls_crypto_pk {
- 		       unsigned int flags);
- 
- 	int (*curve_exists) (gnutls_ecc_curve_t);	/* true/false */
-+	int (*pk_exists) (gnutls_pk_algorithm_t);	/* true/false */
-+	int (*sign_exists) (gnutls_sign_algorithm_t);	/* true/false */
- } gnutls_crypto_pk_st;
- 
- /* priority: infinity for backend algorithms, 90 for kernel
-diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
-index a146568266..eba246f0b3 100644
---- a/lib/nettle/pk.c
-+++ b/lib/nettle/pk.c
-@@ -1883,6 +1883,90 @@ static int _wrap_nettle_pk_curve_exists(gnutls_ecc_curve_t curve)
- 	}
- }
- 
-+static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk)
-+{
-+	switch (pk) {
-+	case GNUTLS_PK_RSA:
-+	case GNUTLS_PK_DSA:
-+	case GNUTLS_PK_DH:
-+	case GNUTLS_PK_ECDSA:
-+	case GNUTLS_PK_ECDH_X25519:
-+	case GNUTLS_PK_RSA_PSS:
-+	case GNUTLS_PK_EDDSA_ED25519:
-+#if ENABLE_GOST
-+	case GNUTLS_PK_GOST_01:
-+	case GNUTLS_PK_GOST_12_256:
-+	case GNUTLS_PK_GOST_12_512:
-+#endif
-+	case GNUTLS_PK_ECDH_X448:
-+	case GNUTLS_PK_EDDSA_ED448:
-+		return 1;
-+	default:
-+		return 0;
-+	}
-+}
-+
-+static int _wrap_nettle_pk_sign_exists(gnutls_sign_algorithm_t sign)
-+{
-+	switch (sign) {
-+	case GNUTLS_SIGN_RSA_SHA1:
-+	case GNUTLS_SIGN_DSA_SHA1:
-+	case GNUTLS_SIGN_RSA_MD5:
-+	case GNUTLS_SIGN_RSA_MD2:
-+	case GNUTLS_SIGN_RSA_RMD160:
-+	case GNUTLS_SIGN_RSA_SHA256:
-+	case GNUTLS_SIGN_RSA_SHA384:
-+	case GNUTLS_SIGN_RSA_SHA512:
-+	case GNUTLS_SIGN_RSA_SHA224:
-+	case GNUTLS_SIGN_DSA_SHA224:
-+	case GNUTLS_SIGN_DSA_SHA256:
-+	case GNUTLS_SIGN_ECDSA_SHA1:
-+	case GNUTLS_SIGN_ECDSA_SHA224:
-+	case GNUTLS_SIGN_ECDSA_SHA256:
-+	case GNUTLS_SIGN_ECDSA_SHA384:
-+	case GNUTLS_SIGN_ECDSA_SHA512:
-+	case GNUTLS_SIGN_DSA_SHA384:
-+	case GNUTLS_SIGN_DSA_SHA512:
-+	case GNUTLS_SIGN_ECDSA_SHA3_224:
-+	case GNUTLS_SIGN_ECDSA_SHA3_256:
-+	case GNUTLS_SIGN_ECDSA_SHA3_384:
-+	case GNUTLS_SIGN_ECDSA_SHA3_512:
-+
-+	case GNUTLS_SIGN_DSA_SHA3_224:
-+	case GNUTLS_SIGN_DSA_SHA3_256:
-+	case GNUTLS_SIGN_DSA_SHA3_384:
-+	case GNUTLS_SIGN_DSA_SHA3_512:
-+	case GNUTLS_SIGN_RSA_SHA3_224:
-+	case GNUTLS_SIGN_RSA_SHA3_256:
-+	case GNUTLS_SIGN_RSA_SHA3_384:
-+	case GNUTLS_SIGN_RSA_SHA3_512:
-+
-+	case GNUTLS_SIGN_RSA_PSS_SHA256:
-+	case GNUTLS_SIGN_RSA_PSS_SHA384:
-+	case GNUTLS_SIGN_RSA_PSS_SHA512:
-+	case GNUTLS_SIGN_EDDSA_ED25519:
-+	case GNUTLS_SIGN_RSA_RAW:
-+
-+	case GNUTLS_SIGN_ECDSA_SECP256R1_SHA256:
-+	case GNUTLS_SIGN_ECDSA_SECP384R1_SHA384:
-+	case GNUTLS_SIGN_ECDSA_SECP521R1_SHA512:
-+
-+	case GNUTLS_SIGN_RSA_PSS_RSAE_SHA256:
-+	case GNUTLS_SIGN_RSA_PSS_RSAE_SHA384:
-+	case GNUTLS_SIGN_RSA_PSS_RSAE_SHA512:
-+
-+#if ENABLE_GOST
-+	case GNUTLS_SIGN_GOST_94:
-+	case GNUTLS_SIGN_GOST_256:
-+	case GNUTLS_SIGN_GOST_512:
-+#endif
-+	case GNUTLS_SIGN_EDDSA_ED448:
-+		return 1;
-+	default:
-+		return 0;
-+	}
-+}
-+
- /* Generates algorithm's parameters. That is:
-  *  For DSA: p, q, and g are generated.
-  *  For RSA: nothing
-@@ -3872,4 +3956,6 @@ gnutls_crypto_pk_st _gnutls_pk_ops = {
- 	.pk_fixup_private_params = wrap_nettle_pk_fixup,
- 	.derive = _wrap_nettle_pk_derive,
- 	.curve_exists = _wrap_nettle_pk_curve_exists,
-+	.pk_exists = _wrap_nettle_pk_exists,
-+	.sign_exists = _wrap_nettle_pk_sign_exists
- };
-diff --git a/lib/pk.h b/lib/pk.h
-index cc61e08cef..7f3c9995da 100644
---- a/lib/pk.h
-+++ b/lib/pk.h
-@@ -40,6 +40,8 @@ extern gnutls_crypto_pk_st _gnutls_pk_ops;
- #define _gnutls_pk_generate_params( algo, bits, priv) _gnutls_pk_ops.generate_params( algo, bits, priv)
- #define _gnutls_pk_hash_algorithm( pk, sig, params, hash) _gnutls_pk_ops.hash_algorithm(pk, sig, params, hash)
- #define _gnutls_pk_curve_exists( curve) _gnutls_pk_ops.curve_exists(curve)
-+#define _gnutls_pk_exists(algo) _gnutls_pk_ops.pk_exists(algo)
-+#define _gnutls_pk_sign_exists(algo) _gnutls_pk_ops.sign_exists(algo)
- 
- inline static int
- _gnutls_pk_fixup(gnutls_pk_algorithm_t algo, gnutls_direction_t direction,
--- 
-2.34.1
-

SOURCES/gnutls-3.7.3-ktls-stub.patch

@@ -1,33 +0,0 @@
-From a97a93e23483aafc3508adee8e6399a2302e0fbc Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Tue, 15 Feb 2022 17:38:20 +0100
-Subject: [PATCH] gnutls_transport_is_ktls_enabled: fix return value of stub
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/system/ktls.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/lib/system/ktls.c b/lib/system/ktls.c
-index 7e3cb875ed..f156f08ab2 100644
---- a/lib/system/ktls.c
-+++ b/lib/system/ktls.c
-@@ -422,12 +422,11 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
- 
- #else //ENABLE_KTLS
- gnutls_transport_ktls_enable_flags_t
--gnutls_transport_is_ktls_enabled(gnutls_session_t session){
--	return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
-+gnutls_transport_is_ktls_enabled(gnutls_session_t session) {
-+	return 0;
- }
- 
--void _gnutls_ktls_enable(gnutls_session_t session){
--	return;
-+void _gnutls_ktls_enable(gnutls_session_t session) {
- }
- 
- int _gnutls_ktls_set_keys(gnutls_session_t session) {
--- 
-2.34.1
-

SOURCES/gnutls-3.7.3-libtss2-dlopen.patch

@@ -1,719 +0,0 @@
-From f5e5ab910b8b1d69f962ca033d1295c3e1e1e131 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Wed, 23 Feb 2022 19:48:52 +0100
-Subject: [PATCH] tpm2: dynamically load tss2 libraries as needed
-
-libtss2-esys links to OpenSSL or mbed TLS for cryptography, which may
-cause packaging issues.  This instead dlopen's tss2 libraries as
-needed so non-TPM applications continue working without loading
-multiple crypto libraries.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- configure.ac        |  11 +-
- lib/Makefile.am     |   6 +-
- lib/tpm2.c          |   2 +-
- lib/tpm2.h          |   2 +-
- lib/tpm2_esys.c     | 273 ++++++++++++++++++++++++++++++++++++--------
- tests/Makefile.am   |   3 +-
- tests/sanity-lib.sh |  40 +++++++
- tests/tpm2.sh       |  14 ++-
- 8 files changed, 296 insertions(+), 55 deletions(-)
- create mode 100644 tests/sanity-lib.sh
-
-diff --git a/configure.ac b/configure.ac
-index 53c3aefca1..721ff208f0 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -882,6 +882,8 @@ AM_CONDITIONAL(P11KIT_0_23_11_API, $PKG_CONFIG --atleast-version=0.23.11 p11-kit
- 
- AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
- 
-+need_ltlibdl=no
-+
- AC_ARG_WITH(tpm2,
- 	AS_HELP_STRING([--without-tpm2],
- 		[Disable TPM2 support.]),
-@@ -892,6 +894,7 @@ if test "$with_tpm2" != "no"; then
- 	if test "$have_tpm2" = "yes"; then
- 		tss2lib="tss2-esys tss2-mu tss2-tctildr"
- 		AC_DEFINE([HAVE_TSS2], 1, [Have TSS2])
-+		need_ltlibdl=yes
- 	elif test "$with_tpm2" = "yes"; then
- 		AC_MSG_ERROR([[
- ***
-@@ -920,7 +923,8 @@ if test "$with_tpm" != "no"; then
- 		   AC_SUBST([TSS_LIBS], [-ltspi])
- 		   AC_SUBST([TSS_CFLAGS], [])
- 		   AC_DEFINE([HAVE_TROUSERS], 1, [Enable TPM])
--		   with_tpm=yes],
-+		   with_tpm=yes,
-+		   need_ltlibdl=yes],
- 		  [AC_MSG_RESULT(no)
- 		   AC_MSG_WARN([[
- *** 
-@@ -957,6 +961,9 @@ fi
- AC_DEFINE_UNQUOTED([TROUSERS_LIB], ["$ac_trousers_lib"], [the location of the trousers library])
- AC_SUBST(TROUSERS_LIB)
- 
-+
-+AM_CONDITIONAL(NEED_LTLIBDL, test "$need_ltlibdl" = yes)
-+
- # For minitasn1.
- AC_CHECK_SIZEOF(unsigned long int, 4)
- AC_CHECK_SIZEOF(unsigned int, 4)
-@@ -1312,7 +1319,7 @@ AC_MSG_NOTICE([External hardware support:
-   Random gen. variant:  $rnd_variant
-   PKCS#11 support:      $with_p11_kit
-   TPM support:          $with_tpm
--  TPM2 support:         $have_tpm2
-+  TPM2 support:         $with_tpm2
-   KTLS support:         $enable_ktls
- ])
- 
-diff --git a/lib/Makefile.am b/lib/Makefile.am
-index 35df35ee8d..e61ee1b6ae 100644
---- a/lib/Makefile.am
-+++ b/lib/Makefile.am
-@@ -44,7 +44,7 @@ AM_CPPFLAGS = \
- 	-I$(srcdir)/x509			\
- 	$(LIBTASN1_CFLAGS)			\
- 	$(P11_KIT_CFLAGS)			\
--	$(TPM2_CFLAGS)
-+	$(TSS2_CFLAGS)
- 
- if !HAVE_LIBUNISTRING
- SUBDIRS += unistring
-@@ -156,7 +156,7 @@ libgnutls_la_LIBADD = ../gl/libgnu.la x509/libgnutls_x509.la \
- 	auth/libgnutls_auth.la algorithms/libgnutls_alg.la \
- 	extras/libgnutls_extras.la
- thirdparty_libadd = $(LTLIBZ) $(LTLIBINTL) $(LIBSOCKET) $(LTLIBNSL) \
--	$(P11_KIT_LIBS) $(LIB_SELECT) $(TSS2_LIBS) $(GNUTLS_LIBS_PRIVATE)
-+	$(P11_KIT_LIBS) $(LIB_SELECT) $(GNUTLS_LIBS_PRIVATE)
- 
- if HAVE_LIBIDN2
- thirdparty_libadd += $(LIBIDN2_LIBS)
-@@ -203,7 +203,7 @@ all-local: $(hmac_files)
- CLEANFILES = $(hmac_files)
- endif
- 
--if ENABLE_TROUSERS
-+if NEED_LTLIBDL
- thirdparty_libadd += $(LTLIBDL)
- endif
- 
-diff --git a/lib/tpm2.c b/lib/tpm2.c
-index 076cc7f407..750eadc777 100644
---- a/lib/tpm2.c
-+++ b/lib/tpm2.c
-@@ -297,5 +297,5 @@ int _gnutls_load_tpm2_key(gnutls_privkey_t pkey, const gnutls_datum_t *fdata)
- 
- void _gnutls_tpm2_deinit(void)
- {
--	tpm2_tcti_deinit();
-+	tpm2_esys_deinit();
- }
-diff --git a/lib/tpm2.h b/lib/tpm2.h
-index e40dc01df7..7966e2d811 100644
---- a/lib/tpm2.h
-+++ b/lib/tpm2.h
-@@ -37,7 +37,7 @@ struct tpm2_info_st;
- 
- struct tpm2_info_st *tpm2_info_init(struct pin_info_st *pin);
- 
--void tpm2_tcti_deinit(void);
-+void tpm2_esys_deinit(void);
- 
- void release_tpm2_ctx(struct tpm2_info_st *info);
- 
-diff --git a/lib/tpm2_esys.c b/lib/tpm2_esys.c
-index 93e54413ba..4000c1b76e 100644
---- a/lib/tpm2_esys.c
-+++ b/lib/tpm2_esys.c
-@@ -72,6 +72,170 @@
- #include <tss2/tss2_esys.h>
- #include <tss2/tss2_tctildr.h>
- 
-+#include <dlfcn.h>
-+
-+/* We don't want to link to libtss2-esys, as it brings in other
-+ * crypto libraries.  Instead, only dlopen it as needed.
-+ */
-+
-+static void *_gnutls_tss2_esys_dlhandle;
-+static void *_gnutls_tss2_mu_dlhandle;
-+static void *_gnutls_tss2_tctildr_dlhandle;
-+
-+static TSS2_RC
-+(*_gnutls_tss2_Esys_GetCapability)(ESYS_CONTEXT *esysContext,
-+				   ESYS_TR shandle1,
-+				   ESYS_TR shandle2,
-+				   ESYS_TR shandle3,
-+				   TPM2_CAP capability,
-+				   UINT32 property,
-+				   UINT32 propertyCount,
-+				   TPMI_YES_NO *moreData,
-+				   TPMS_CAPABILITY_DATA **capabilityData);
-+static void (*_gnutls_tss2_Esys_Free)(void *__ptr);
-+static TSS2_RC (*_gnutls_tss2_Esys_TR_SetAuth)(ESYS_CONTEXT *esysContext,
-+					       ESYS_TR handle,
-+					       TPM2B_AUTH const *authValue);
-+static TSS2_RC
-+(*_gnutls_tss2_Esys_CreatePrimary)(ESYS_CONTEXT *esysContext,
-+				   ESYS_TR primaryHandle,
-+				   ESYS_TR shandle1,
-+				   ESYS_TR shandle2,
-+				   ESYS_TR shandle3,
-+				   const TPM2B_SENSITIVE_CREATE *inSensitive,
-+				   const TPM2B_PUBLIC *inPublic,
-+				   const TPM2B_DATA *outsideInfo,
-+				   const TPML_PCR_SELECTION *creationPCR,
-+				   ESYS_TR *objectHandle,
-+				   TPM2B_PUBLIC **outPublic,
-+				   TPM2B_CREATION_DATA **creationData,
-+				   TPM2B_DIGEST **creationHash,
-+				   TPMT_TK_CREATION **creationTicket);
-+static TSS2_RC (*_gnutls_tss2_Esys_Initialize)(ESYS_CONTEXT **esys_context,
-+					       TSS2_TCTI_CONTEXT *tcti,
-+					       TSS2_ABI_VERSION *abiVersion);
-+static TSS2_RC (*_gnutls_tss2_Esys_Startup)(ESYS_CONTEXT *esysContext,
-+					    TPM2_SU startupType);
-+static TSS2_RC (*_gnutls_tss2_Esys_TR_FromTPMPublic)(ESYS_CONTEXT *esysContext,
-+						     TPM2_HANDLE tpm_handle,
-+						     ESYS_TR optionalSession1,
-+						     ESYS_TR optionalSession2,
-+						     ESYS_TR optionalSession3,
-+						     ESYS_TR *object);
-+static TSS2_RC (*_gnutls_tss2_Esys_ReadPublic)(ESYS_CONTEXT *esysContext,
-+					       ESYS_TR objectHandle,
-+					       ESYS_TR shandle1,
-+					       ESYS_TR shandle2,
-+					       ESYS_TR shandle3,
-+					       TPM2B_PUBLIC **outPublic,
-+					       TPM2B_NAME **name,
-+					       TPM2B_NAME **qualifiedName);
-+static TSS2_RC (*_gnutls_tss2_Esys_Load)(ESYS_CONTEXT *esysContext,
-+					 ESYS_TR parentHandle,
-+					 ESYS_TR shandle1,
-+					 ESYS_TR shandle2,
-+					 ESYS_TR shandle3,
-+					 const TPM2B_PRIVATE *inPrivate,
-+					 const TPM2B_PUBLIC *inPublic,
-+					 ESYS_TR *objectHandle);
-+static TSS2_RC (*_gnutls_tss2_Esys_FlushContext)(ESYS_CONTEXT *esysContext,
-+						 ESYS_TR flushHandle);
-+static void (*_gnutls_tss2_Esys_Finalize)(ESYS_CONTEXT **context);
-+static TSS2_RC
-+(*_gnutls_tss2_Esys_RSA_Decrypt)(ESYS_CONTEXT *esysContext,
-+				 ESYS_TR keyHandle,
-+				 ESYS_TR shandle1,
-+				 ESYS_TR shandle2,
-+				 ESYS_TR shandle3,
-+				 const TPM2B_PUBLIC_KEY_RSA *cipherText,
-+				 const TPMT_RSA_DECRYPT *inScheme,
-+				 const TPM2B_DATA *label,
-+				 TPM2B_PUBLIC_KEY_RSA **message);
-+static TSS2_RC (*_gnutls_tss2_Esys_Sign)(ESYS_CONTEXT *esysContext,
-+					 ESYS_TR keyHandle,
-+					 ESYS_TR shandle1,
-+					 ESYS_TR shandle2,
-+					 ESYS_TR shandle3,
-+					 const TPM2B_DIGEST *digest,
-+					 const TPMT_SIG_SCHEME *inScheme,
-+					 const TPMT_TK_HASHCHECK *validation,
-+					 TPMT_SIGNATURE **signature);
-+
-+static TSS2_RC
-+(*_gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal)(uint8_t const buffer[],
-+						size_t buffer_size,
-+						size_t *offset,
-+						TPM2B_PRIVATE *dest);
-+static TSS2_RC
-+(*_gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal)(uint8_t const buffer[],
-+					       size_t buffer_size,
-+					       size_t *offset,
-+					       TPM2B_PUBLIC *dest);
-+
-+static TSS2_RC
-+(*_gnutls_tss2_Tss2_TctiLdr_Initialize)(const char *nameConf,
-+					TSS2_TCTI_CONTEXT **context);
-+static void (*_gnutls_tss2_Tss2_TctiLdr_Finalize)(TSS2_TCTI_CONTEXT **context);
-+
-+#define DLSYM_TSS2(sys, sym)						\
-+	_gnutls_tss2_##sym = dlsym(_gnutls_tss2_##sys##_dlhandle, #sym); \
-+	if (!_gnutls_tss2_##sym) {					\
-+		return -1;						\
-+	}
-+
-+static int
-+init_tss2_funcs(void)
-+{
-+	if (!_gnutls_tss2_esys_dlhandle) {
-+		_gnutls_tss2_esys_dlhandle =
-+			dlopen("libtss2-esys.so.0", RTLD_NOW | RTLD_GLOBAL);
-+		if (!_gnutls_tss2_esys_dlhandle) {
-+			_gnutls_debug_log("tpm2: unable to dlopen libtss2-esys\n");
-+			return -1;
-+		}
-+	}
-+
-+	DLSYM_TSS2(esys, Esys_GetCapability)
-+	DLSYM_TSS2(esys, Esys_Free)
-+	DLSYM_TSS2(esys, Esys_TR_SetAuth)
-+	DLSYM_TSS2(esys, Esys_CreatePrimary)
-+	DLSYM_TSS2(esys, Esys_Initialize)
-+	DLSYM_TSS2(esys, Esys_Startup)
-+	DLSYM_TSS2(esys, Esys_TR_FromTPMPublic)
-+	DLSYM_TSS2(esys, Esys_ReadPublic)
-+	DLSYM_TSS2(esys, Esys_Load)
-+	DLSYM_TSS2(esys, Esys_FlushContext)
-+	DLSYM_TSS2(esys, Esys_Finalize)
-+	DLSYM_TSS2(esys, Esys_RSA_Decrypt)
-+	DLSYM_TSS2(esys, Esys_Sign)
-+
-+	if (!_gnutls_tss2_mu_dlhandle) {
-+		_gnutls_tss2_mu_dlhandle =
-+			dlopen("libtss2-mu.so.0", RTLD_NOW | RTLD_GLOBAL);
-+		if (!_gnutls_tss2_mu_dlhandle) {
-+			_gnutls_debug_log("tpm2: unable to dlopen libtss2-mu\n");
-+			return -1;
-+		}
-+	}
-+
-+	DLSYM_TSS2(mu, Tss2_MU_TPM2B_PRIVATE_Unmarshal)
-+	DLSYM_TSS2(mu, Tss2_MU_TPM2B_PUBLIC_Unmarshal)
-+
-+	if (!_gnutls_tss2_tctildr_dlhandle) {
-+		_gnutls_tss2_tctildr_dlhandle =
-+			dlopen("libtss2-tctildr.so.0", RTLD_NOW | RTLD_GLOBAL);
-+		if (!_gnutls_tss2_tctildr_dlhandle) {
-+			_gnutls_debug_log("tpm2: unable to dlopen libtss2-tctildr\n");
-+			return -1;
-+		}
-+	}
-+
-+	DLSYM_TSS2(tctildr, Tss2_TctiLdr_Initialize)
-+	DLSYM_TSS2(tctildr, Tss2_TctiLdr_Finalize)
-+
-+	return 0;
-+}
-+
- struct tpm2_info_st {
- 	TPM2B_PUBLIC pub;
- 	TPM2B_PRIVATE priv;
-@@ -227,10 +391,10 @@ get_primary_template(ESYS_CONTEXT *ctx)
- 	UINT32 i;
- 	TSS2_RC rc;
- 
--	rc = Esys_GetCapability (ctx,
--				 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
--				 TPM2_CAP_ALGS, 0, TPM2_MAX_CAP_ALGS,
--				 NULL, &capability_data);
-+	rc = _gnutls_tss2_Esys_GetCapability(ctx,
-+				ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
-+				TPM2_CAP_ALGS, 0, TPM2_MAX_CAP_ALGS,
-+				NULL, &capability_data);
- 	if (rc) {
- 		_gnutls_debug_log("tpm2: Esys_GetCapability failed: 0x%x\n", rc);
- 		return NULL;
-@@ -239,7 +403,7 @@ get_primary_template(ESYS_CONTEXT *ctx)
- 	for (i = 0; i < capability_data->data.algorithms.count; i++) {
- 		if (capability_data->data.algorithms.algProperties[i].alg ==
- 		    TPM2_ALG_ECC) {
--			Esys_Free(capability_data);
-+			_gnutls_tss2_Esys_Free(capability_data);
- 			return &primary_template_ecc;
- 		}
- 	}
-@@ -247,12 +411,12 @@ get_primary_template(ESYS_CONTEXT *ctx)
- 	for (i = 0; i < capability_data->data.algorithms.count; i++) {
- 		if (capability_data->data.algorithms.algProperties[i].alg ==
- 		    TPM2_ALG_RSA) {
--			Esys_Free(capability_data);
-+			_gnutls_tss2_Esys_Free(capability_data);
- 			return &primary_template_rsa;
- 		}
-         }
- 
--	Esys_Free(capability_data);
-+	_gnutls_tss2_Esys_Free(capability_data);
- 	_gnutls_debug_log("tpm2: unable to find primary template\n");
- 	return NULL;
- }
-@@ -320,7 +484,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info,
- 		install_tpm_passphrase(&info->ownerauth, pass);
- 		info->need_ownerauth = false;
- 	}
--	rc = Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth);
-+	rc = _gnutls_tss2_Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth);
- 	if (rc) {
- 		_gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc);
- 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
-@@ -329,7 +493,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info,
- 	if (!primary_template) {
- 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
- 	}
--	rc = Esys_CreatePrimary(ctx, hierarchy,
-+	rc = _gnutls_tss2_Esys_CreatePrimary(ctx, hierarchy,
- 				ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
- 				&primary_sensitive,
- 				primary_template,
-@@ -359,14 +523,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
- 
- 	_gnutls_debug_log("tpm2: establishing connection with TPM\n");
- 
--	rc = Esys_Initialize(ctx, tcti_ctx, NULL);
-+	rc = _gnutls_tss2_Esys_Initialize(ctx, tcti_ctx, NULL);
- 	if (rc) {
- 		gnutls_assert();
- 		_gnutls_debug_log("tpm2: Esys_Initialize failed: 0x%x\n", rc);
- 		goto error;
- 	}
- 
--	rc = Esys_Startup(*ctx, TPM2_SU_CLEAR);
-+	rc = _gnutls_tss2_Esys_Startup(*ctx, TPM2_SU_CLEAR);
- 	if (rc == TPM2_RC_INITIALIZE) {
- 		_gnutls_debug_log("tpm2: was already started up thus false positive failing in tpm2tss log\n");
- 	} else if (rc) {
-@@ -381,7 +545,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
- 			goto error;
- 		}
- 	} else {
--		rc = Esys_TR_FromTPMPublic(*ctx, info->parent,
-+		rc = _gnutls_tss2_Esys_TR_FromTPMPublic(*ctx, info->parent,
- 					   ESYS_TR_NONE,
- 					   ESYS_TR_NONE,
- 					   ESYS_TR_NONE,
-@@ -399,7 +563,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
- 		if (!info->did_ownerauth && !info->ownerauth.size) {
- 			TPM2B_PUBLIC *pub = NULL;
- 
--			rc = Esys_ReadPublic(*ctx, parent_handle,
-+			rc = _gnutls_tss2_Esys_ReadPublic(*ctx, parent_handle,
- 					     ESYS_TR_NONE,
- 					     ESYS_TR_NONE,
- 					     ESYS_TR_NONE,
-@@ -408,7 +572,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
- 			    !(pub->publicArea.objectAttributes & TPMA_OBJECT_NODA)) {
- 				info->need_ownerauth = true;
- 			}
--			Esys_Free(pub);
-+			_gnutls_tss2_Esys_Free(pub);
- 		}
- 	reauth:
- 		if (info->need_ownerauth) {
-@@ -420,7 +584,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
- 			install_tpm_passphrase(&info->ownerauth, pass);
- 			info->need_ownerauth = false;
- 		}
--		rc = Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth);
-+		rc = _gnutls_tss2_Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth);
- 		if (rc) {
- 			gnutls_assert();
- 			_gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n",
-@@ -432,7 +596,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
- 	_gnutls_debug_log("tpm2: loading TPM2 key blob, parent handle 0x%x\n",
- 			  parent_handle);
- 
--	rc = Esys_Load(*ctx, parent_handle,
-+	rc = _gnutls_tss2_Esys_Load(*ctx, parent_handle,
- 		       ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
- 		       &info->priv, &info->pub,
- 		       key_handle);
-@@ -450,7 +614,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
- 	info->did_ownerauth = true;
- 
- 	if (parent_is_generated(info->parent)) {
--		rc = Esys_FlushContext(*ctx, parent_handle);
-+		rc = _gnutls_tss2_Esys_FlushContext(*ctx, parent_handle);
- 		if (rc) {
- 			_gnutls_debug_log("tpm2: Esys_FlushContext for generated primary failed: 0x%x\n",
- 					  rc);
-@@ -461,14 +625,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
- 	return 0;
-  error:
- 	if (parent_is_generated(info->parent) && parent_handle != ESYS_TR_NONE) {
--		Esys_FlushContext(*ctx, parent_handle);
-+		_gnutls_tss2_Esys_FlushContext(*ctx, parent_handle);
- 	}
- 	if (*key_handle != ESYS_TR_NONE) {
--		Esys_FlushContext(*ctx, *key_handle);
-+		_gnutls_tss2_Esys_FlushContext(*ctx, *key_handle);
- 	}
- 	*key_handle = ESYS_TR_NONE;
- 
--	Esys_Finalize(ctx);
-+	_gnutls_tss2_Esys_Finalize(ctx);
- 	return GNUTLS_E_TPM_ERROR;
- }
- 
-@@ -488,7 +652,7 @@ auth_tpm2_key(struct tpm2_info_st *info, ESYS_CONTEXT *ctx, ESYS_TR key_handle)
- 		info->need_userauth = false;
- 	}
- 
--	rc = Esys_TR_SetAuth(ctx, key_handle, &info->userauth);
-+	rc = _gnutls_tss2_Esys_TR_SetAuth(ctx, key_handle, &info->userauth);
- 	if (rc) {
- 		_gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc);
- 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
-@@ -574,7 +738,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
- 		goto out;
- 	}
- 
--	rc = Esys_RSA_Decrypt(ectx, key_handle,
-+	rc = _gnutls_tss2_Esys_RSA_Decrypt(ectx, key_handle,
- 			      ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
- 			      &digest, &in_scheme, &label, &tsig);
- 	if (rc_is_key_auth_failed(rc)) {
-@@ -591,14 +755,14 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
- 
- 	ret = _gnutls_set_datum(sig, tsig->buffer, tsig->size);
-  out:
--	Esys_Free(tsig);
-+	_gnutls_tss2_Esys_Free(tsig);
- 
- 	if (key_handle != ESYS_TR_NONE) {
--		Esys_FlushContext(ectx, key_handle);
-+		_gnutls_tss2_Esys_FlushContext(ectx, key_handle);
- 	}
- 
- 	if (ectx) {
--		Esys_Finalize(&ectx);
-+		_gnutls_tss2_Esys_Finalize(&ectx);
- 	}
- 
- 	return ret;
-@@ -661,7 +825,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
- 		goto out;
- 	}
- 
--	rc = Esys_Sign(ectx, key_handle,
-+	rc = _gnutls_tss2_Esys_Sign(ectx, key_handle,
- 		       ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
- 		       &digest, &in_scheme, &validation,
- 		       &tsig);
-@@ -682,31 +846,23 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
- 
- 	ret = gnutls_encode_rs_value(sig, &sig_r, &sig_s);
-  out:
--	Esys_Free(tsig);
-+	_gnutls_tss2_Esys_Free(tsig);
- 
- 	if (key_handle != ESYS_TR_NONE) {
--		Esys_FlushContext(ectx, key_handle);
-+		_gnutls_tss2_Esys_FlushContext(ectx, key_handle);
- 	}
- 
- 	if (ectx) {
--		Esys_Finalize(&ectx);
-+		_gnutls_tss2_Esys_Finalize(&ectx);
- 	}
- 
- 	return ret;
- }
- 
--GNUTLS_ONCE(tcti_once);
--
--void
--tpm2_tcti_deinit(void)
--{
--	if (tcti_ctx) {
--		Tss2_TctiLdr_Finalize(&tcti_ctx);
--	}
--}
-+GNUTLS_ONCE(tpm2_esys_once);
- 
- static void
--tcti_once_init(void)
-+tpm2_esys_once_init(void)
- {
- 	const char *tcti;
- 	const char * const tcti_vars[] = {
-@@ -718,6 +874,11 @@ tcti_once_init(void)
- 	size_t i;
- 	TSS2_RC rc;
- 
-+	if (init_tss2_funcs() < 0) {
-+		_gnutls_debug_log("tpm2: unable to initialize TSS2 functions\n");
-+		return;
-+	}
-+
- 	for (i = 0; i < sizeof(tcti_vars) / sizeof(tcti_vars[0]); i++) {
- 		tcti = secure_getenv(tcti_vars[i]);
- 		if (tcti && *tcti != '\0') {
-@@ -727,7 +888,7 @@ tcti_once_init(void)
- 		}
- 	}
- 	if (tcti && *tcti != '\0') {
--		rc = Tss2_TctiLdr_Initialize(tcti, &tcti_ctx);
-+		rc = _gnutls_tss2_Tss2_TctiLdr_Initialize(tcti, &tcti_ctx);
- 		if (rc) {
- 			_gnutls_debug_log("tpm2: TSS2_TctiLdr_Initialize failed: 0x%x\n",
- 					  rc);
-@@ -735,13 +896,35 @@ tcti_once_init(void)
- 	}
- }
- 
-+/* called by the global destructor through _gnutls_tpm2_deinit */
-+void
-+tpm2_esys_deinit(void)
-+{
-+	if (tcti_ctx) {
-+		_gnutls_tss2_Tss2_TctiLdr_Finalize(&tcti_ctx);
-+		tcti_ctx = NULL;
-+	}
-+	if (_gnutls_tss2_esys_dlhandle) {
-+		dlclose(_gnutls_tss2_esys_dlhandle);
-+		_gnutls_tss2_esys_dlhandle = NULL;
-+	}
-+	if (_gnutls_tss2_mu_dlhandle) {
-+		dlclose(_gnutls_tss2_mu_dlhandle);
-+		_gnutls_tss2_mu_dlhandle = NULL;
-+	}
-+	if (_gnutls_tss2_tctildr_dlhandle) {
-+		dlclose(_gnutls_tss2_tctildr_dlhandle);
-+		_gnutls_tss2_tctildr_dlhandle = NULL;
-+	}
-+}
-+
- int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey,
- 		     unsigned int parent, bool emptyauth,
- 		     gnutls_datum_t *privdata, gnutls_datum_t *pubdata)
- {
- 	TSS2_RC rc;
- 
--	(void)gnutls_once(&tcti_once, tcti_once_init);
-+	(void)gnutls_once(&tpm2_esys_once, tpm2_esys_once_init);
- 
- 	if (!tcti_ctx) {
- 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
-@@ -757,16 +940,16 @@ int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey,
- 
- 	info->parent = parent;
- 
--	rc = Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL,
--					     &info->priv);
-+	rc = _gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL,
-+							     &info->priv);
- 	if (rc) {
- 		_gnutls_debug_log("tpm2: failed to import private key data: 0x%x\n",
- 				  rc);
- 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
- 	}
- 
--	rc = Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL,
--					    &info->pub);
-+	rc = _gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL,
-+							    &info->pub);
- 	if (rc) {
- 		_gnutls_debug_log("tpm2: failed to import public key data: 0x%x\n",
- 				  rc);
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index 529f1cc077..64ce470a02 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -515,7 +515,8 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start
- 	psktool.sh ocsp-tests/ocsp-load-chain.sh gnutls-cli-save-data.sh gnutls-cli-debug.sh \
- 	sni-resume.sh ocsp-tests/ocsptool.sh cert-reencoding.sh pkcs7-cat.sh long-crl.sh \
- 	serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh \
--	server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh
-+	server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh \
-+	sanity-lib.sh
- 
- if !DISABLE_SYSTEM_CONFIG
- dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \
-diff --git a/tests/sanity-lib.sh b/tests/sanity-lib.sh
-new file mode 100644
-index 0000000000..1e3612781b
---- /dev/null
-+++ b/tests/sanity-lib.sh
-@@ -0,0 +1,40 @@
-+#!/bin/sh
-+
-+# Copyright (C) 2022 Red Hat, Inc.
-+#
-+# Author: Daiki Ueno
-+#
-+# This file is part of GnuTLS.
-+#
-+# GnuTLS is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License as published by the
-+# Free Software Foundation; either version 3 of the License, or (at
-+# your option) any later version.
-+#
-+# GnuTLS is distributed in the hope that it will be useful, but
-+# WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+# General Public License for more details.
-+#
-+# You should have received a copy of the GNU Lesser General Public License
-+# along with this program.  If not, see <https://www.gnu.org/licenses/>
-+
-+: ${top_builddir=..}
-+: ${CLI_DEBUG=../src/gnutls-cli-debug${EXEEXT}}
-+: ${LDD=ldd}
-+: ${LIBTOOL=libtool}
-+
-+if ! test -x "${CLI_DEBUG}"; then
-+	exit 77
-+fi
-+
-+# ldd.sh doesn't check recursive dependencies
-+${LDD} --version >/dev/null || exit 77
-+
-+# We use gnutls-cli-debug, as it has the fewest dependencies among our
-+# commands (e.g., gnutls-cli pulls in OpenSSL through libunbound).
-+if ${LIBTOOL} --mode=execute ${LDD} ${CLI_DEBUG} | \
-+    grep '^[[:space:]]*\(libcrypto\.\|libssl\.\|libgcrypt\.\)'; then
-+    echo "gnutls-cli-debug links to other crypto library"
-+    exit 1
-+fi
-diff --git a/tests/tpm2.sh b/tests/tpm2.sh
-index 854986c552..6f8e44c64b 100755
---- a/tests/tpm2.sh
-+++ b/tests/tpm2.sh
-@@ -21,8 +21,6 @@
- # along with GnuTLS; if not, write to the Free Software Foundation,
- # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- 
--set +e
--
- : ${srcdir=.}
- : ${CERTTOOL=../src/certtool${EXEEXT}}
- KEYPEMFILE=tpmkey.$$.key.pem
-@@ -192,6 +190,10 @@ run_tests()
- 
- 	echo " - Generating ${KEYPEMFILE}"
- 	tpm2tss-genkey -a ${kalg} -o ${OPASS} ${KEYPEMFILE}
-+	if [ $? -ne 0 ]; then
-+		echo "unable to generate key"
-+		return 1
-+	fi
- 	cat ${KEYPEMFILE}
- 
- 	echo " - Generating certificate based on key"
-@@ -200,6 +202,10 @@ run_tests()
- 	"${CERTTOOL}" --generate-self-signed -d 3 \
- 		--load-privkey "${KEYPEMFILE}" \
- 		--template "${srcdir}/cert-tests/templates/template-test.tmpl"
-+	if [ $? -ne 0 ]; then
-+		echo "unable to generate certificate"
-+		return 1
-+	fi
- 
- 	if test "${kalg}" = "rsa";then
- 		echo " - Generating RSA-PSS certificate based on key"
-@@ -207,6 +213,10 @@ run_tests()
- 			--load-privkey "${KEYPEMFILE}" \
- 			--sign-params rsa-pss \
- 			--template "${srcdir}/cert-tests/templates/template-test.tmpl"
-+		if [ $? -ne 0 ]; then
-+			echo "unable to generate certificate"
-+			return 1
-+		fi
- 	fi
- 
- 	stop_swtpm
--- 
-2.34.1
-

SOURCES/gnutls-3.7.3-max-algos.patch

@@ -1,44 +0,0 @@
-From b5a2cbce49d94a04a68acbbc31caaa0c5d7b3321 Mon Sep 17 00:00:00 2001
-From: Alexander Sosedkin <asosedkin@redhat.com>
-Date: Fri, 18 Feb 2022 11:05:15 +0100
-Subject: [PATCH] bump GNUTLS_MAX_ALGORITHM_NUM / MAX_ALGOS
-
-Fedora 36 LEGACY crypto-policy uses allowlisting format
-and is long enough to blow past the 64 priority string
-elements mark, causing, effectively, priority string truncation.
-
-Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
----
- lib/includes/gnutls/gnutls.h.in | 2 +-
- lib/priority.c                  | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
-index 6359a0edb6..16140c8787 100644
---- a/lib/includes/gnutls/gnutls.h.in
-+++ b/lib/includes/gnutls/gnutls.h.in
-@@ -408,7 +408,7 @@ typedef enum {
-   /* exported for other gnutls headers. This is the maximum number of
-    * algorithms (ciphers, kx or macs).
-    */
--#define GNUTLS_MAX_ALGORITHM_NUM 64
-+#define GNUTLS_MAX_ALGORITHM_NUM 128
- #define GNUTLS_MAX_SESSION_ID_SIZE 32
- 
- 
-diff --git a/lib/priority.c b/lib/priority.c
-index 54d7b1bb45..e7698ba7eb 100644
---- a/lib/priority.c
-+++ b/lib/priority.c
-@@ -43,7 +43,7 @@
- #include "profiles.h"
- #include "name_val_array.h"
- 
--#define MAX_ELEMENTS 64
-+#define MAX_ELEMENTS GNUTLS_MAX_ALGORITHM_NUM
- 
- #define ENABLE_PROFILE(c, profile) do { \
- 	c->additional_verify_flags &= 0x00ffffff; \
--- 
-2.34.1
-

SOURCES/gnutls-3.7.6-aes-gcm-pt-limit.patch

@@ -0,0 +1,720 @@
+From 2f61f102169e4d6652c9b82246353cd276366809 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 27 Jun 2022 11:14:50 +0900
+Subject: [PATCH] cipher: limit plaintext length supplied to AES-GCM
+
+According to SP800-38D 5.2.1.1, input data length of AES-GCM
+encryption function must be less than or equal to 2^39-256 bits.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ NEWS                                         |  3 +
+ lib/accelerated/aarch64/aes-aarch64.h        | 15 ++++
+ lib/accelerated/aarch64/aes-gcm-aarch64.c    |  9 +++
+ lib/accelerated/x86/aes-gcm-padlock.c        | 29 ++++---
+ lib/accelerated/x86/aes-gcm-x86-aesni.c      | 30 +++++---
+ lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c |  9 +++
+ lib/accelerated/x86/aes-gcm-x86-pclmul.c     |  9 +++
+ lib/accelerated/x86/aes-gcm-x86-ssse3.c      | 30 +++++---
+ lib/accelerated/x86/aes-x86.h                | 15 ++++
+ lib/nettle/cipher.c                          | 41 ++++++++++
+ tests/slow/cipher-api-test.c                 | 79 ++++++++++++++++++++
+ 11 files changed, 240 insertions(+), 29 deletions(-)
+
+diff --git a/lib/accelerated/aarch64/aes-aarch64.h b/lib/accelerated/aarch64/aes-aarch64.h
+index 692d8620d7..0e64f4ed8d 100644
+--- a/lib/accelerated/aarch64/aes-aarch64.h
++++ b/lib/accelerated/aarch64/aes-aarch64.h
+@@ -20,6 +20,21 @@ typedef struct {
+ 	if (s != 16 && s != 24 && s != 32) \
+ 		return GNUTLS_E_INVALID_REQUEST
+ 
++#include <intprops.h>
++#define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32)
++static inline int
++record_aes_gcm_encrypt_size(size_t *counter, size_t size) {
++	size_t sum;
++
++	if (!INT_ADD_OK(*counter, size, &sum) ||
++	    sum > AES_GCM_ENCRYPT_MAX_BYTES) {
++		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++	}
++	*counter = sum;
++
++	return 0;
++}
++
+ int aes_v8_set_encrypt_key(const unsigned char *userKey, int bits, AES_KEY *key);  
+ int aes_v8_set_decrypt_key(const unsigned char *userKey, int bits, AES_KEY *key);
+ void aes_v8_cbc_encrypt(const unsigned char *in, unsigned char *out,
+diff --git a/lib/accelerated/aarch64/aes-gcm-aarch64.c b/lib/accelerated/aarch64/aes-gcm-aarch64.c
+index 901bd9f60f..be1e69c784 100644
+--- a/lib/accelerated/aarch64/aes-gcm-aarch64.c
++++ b/lib/accelerated/aarch64/aes-gcm-aarch64.c
+@@ -62,6 +62,7 @@ struct aes_gcm_ctx {
+ 	struct gcm128_context gcm;
+ 	unsigned finished;
+ 	unsigned auth_finished;
++	size_t rekey_counter;
+ };
+ 
+ void gcm_init_v8(u128 Htable[16], const uint64_t Xi[2]);
+@@ -116,6 +117,7 @@ aes_gcm_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
+ 	ctx->gcm.H.u[1] = bswap_64(ctx->gcm.H.u[1]);
+ 
+ 	gcm_init_v8(ctx->gcm.Htable, ctx->gcm.H.u);
++	ctx->rekey_counter = 0;
+ 
+ 	return 0;
+ }
+@@ -141,6 +143,7 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
+ 	ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 2;
+ 	ctx->finished = 0;
+ 	ctx->auth_finished = 0;
++	ctx->rekey_counter = 0;
+ 	return 0;
+ }
+ 
+@@ -229,6 +232,7 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
+ 	int exp_blocks = blocks * GCM_BLOCK_SIZE;
+ 	int rest = src_size - (exp_blocks);
+ 	uint32_t counter;
++	int ret;
+ 
+ 	if (unlikely(ctx->finished))
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -236,6 +240,11 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
+ 	if (unlikely(length < src_size))
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
++	ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
++	if (ret < 0) {
++		return gnutls_assert_val(ret);
++	}
++
+ 	if (blocks > 0) {
+ 		ctr32_encrypt_blocks(src, dst,
+ 				     blocks,
+diff --git a/lib/accelerated/x86/aes-gcm-padlock.c b/lib/accelerated/x86/aes-gcm-padlock.c
+index a9c7441d65..739883ab1b 100644
+--- a/lib/accelerated/x86/aes-gcm-padlock.c
++++ b/lib/accelerated/x86/aes-gcm-padlock.c
+@@ -43,7 +43,10 @@
+  * Actually padlock doesn't include GCM mode. We just use
+  * the ECB part of padlock and nettle for everything else.
+  */
+-struct gcm_padlock_aes_ctx GCM_CTX(struct padlock_ctx);
++struct gcm_padlock_aes_ctx {
++	struct GCM_CTX(struct padlock_ctx) inner;
++	size_t rekey_counter;
++};
+ 
+ static void padlock_aes_encrypt(const void *_ctx,
+ 				size_t length, uint8_t * dst,
+@@ -78,7 +81,7 @@ static void padlock_aes256_set_encrypt_key(struct padlock_ctx *_ctx,
+ 
+ static void aes_gcm_deinit(void *_ctx)
+ {
+-	struct padlock_ctx *ctx = _ctx;
++	struct gcm_padlock_aes_ctx *ctx = _ctx;
+ 
+ 	zeroize_temp_key(ctx, sizeof(*ctx));
+ 	gnutls_free(ctx);
+@@ -108,14 +111,15 @@ aes_gcm_cipher_setkey(void *_ctx, const void *key, size_t keysize)
+ 	struct gcm_padlock_aes_ctx *ctx = _ctx;
+ 
+ 	if (keysize == 16) {
+-		GCM_SET_KEY(ctx, padlock_aes128_set_encrypt_key, padlock_aes_encrypt,
++		GCM_SET_KEY(&ctx->inner, padlock_aes128_set_encrypt_key, padlock_aes_encrypt,
+ 			    key);
+ 	} else if (keysize == 32) {
+-		GCM_SET_KEY(ctx, padlock_aes256_set_encrypt_key, padlock_aes_encrypt,
++		GCM_SET_KEY(&ctx->inner, padlock_aes256_set_encrypt_key, padlock_aes_encrypt,
+ 			    key);
+ 	} else
+ 		return GNUTLS_E_INVALID_REQUEST;
+ 
++	ctx->rekey_counter = 0;
+ 	return 0;
+ }
+ 
+@@ -126,8 +130,9 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
+ 	if (iv_size != GCM_BLOCK_SIZE - 4)
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ 
+-	GCM_SET_IV(ctx, iv_size, iv);
++	GCM_SET_IV(&ctx->inner, iv_size, iv);
+ 
++	ctx->rekey_counter = 0;
+ 	return 0;
+ }
+ 
+@@ -136,11 +141,17 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
+ 		void *dst, size_t length)
+ {
+ 	struct gcm_padlock_aes_ctx *ctx = _ctx;
++	int ret;
+ 
+ 	if (unlikely(length < src_size))
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
+-	GCM_ENCRYPT(ctx, padlock_aes_encrypt, src_size, dst, src);
++	ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
++	if (ret < 0) {
++		return gnutls_assert_val(ret);
++	}
++
++	GCM_ENCRYPT(&ctx->inner, padlock_aes_encrypt, src_size, dst, src);
+ 
+ 	return 0;
+ }
+@@ -154,7 +165,7 @@ aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size,
+ 	if (unlikely(dst_size < src_size))
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
+-	GCM_DECRYPT(ctx, padlock_aes_encrypt, src_size, dst, src);
++	GCM_DECRYPT(&ctx->inner, padlock_aes_encrypt, src_size, dst, src);
+ 	return 0;
+ }
+ 
+@@ -162,7 +173,7 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size)
+ {
+ 	struct gcm_padlock_aes_ctx *ctx = _ctx;
+ 
+-	GCM_UPDATE(ctx, src_size, src);
++	GCM_UPDATE(&ctx->inner, src_size, src);
+ 
+ 	return 0;
+ }
+@@ -171,7 +182,7 @@ static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize)
+ {
+ 	struct gcm_padlock_aes_ctx *ctx = _ctx;
+ 
+-	GCM_DIGEST(ctx, padlock_aes_encrypt, tagsize, tag);
++	GCM_DIGEST(&ctx->inner, padlock_aes_encrypt, tagsize, tag);
+ }
+ 
+ #include "aes-gcm-aead.h"
+diff --git a/lib/accelerated/x86/aes-gcm-x86-aesni.c b/lib/accelerated/x86/aes-gcm-x86-aesni.c
+index b0edaebfba..3be63ddd97 100644
+--- a/lib/accelerated/x86/aes-gcm-x86-aesni.c
++++ b/lib/accelerated/x86/aes-gcm-x86-aesni.c
+@@ -36,12 +36,14 @@
+ #include <x86-common.h>
+ #include <byteswap.h>
+ #include <nettle/gcm.h>
+-#include <aes-x86.h>
+ 
+ /* GCM mode 
+  * It is used when the CPU doesn't include the PCLMUL instructions.
+  */
+-struct gcm_x86_aes_ctx GCM_CTX(AES_KEY);
++struct gcm_x86_aes_ctx {
++	struct GCM_CTX(AES_KEY) inner;
++	size_t rekey_counter;
++};
+ 
+ static void x86_aes_encrypt(const void *_ctx,
+ 				size_t length, uint8_t * dst,
+@@ -101,17 +103,18 @@ aes_gcm_cipher_setkey(void *_ctx, const void *key, size_t length)
+ 	struct gcm_x86_aes_ctx *ctx = _ctx;
+ 
+ 	if (length == 16) {
+-		GCM_SET_KEY(ctx, x86_aes128_set_encrypt_key, x86_aes_encrypt,
++		GCM_SET_KEY(&ctx->inner, x86_aes128_set_encrypt_key, x86_aes_encrypt,
+ 			    key);
+ 	} else if (length == 24) {
+-		GCM_SET_KEY(ctx, x86_aes192_set_encrypt_key, x86_aes_encrypt,
++		GCM_SET_KEY(&ctx->inner, x86_aes192_set_encrypt_key, x86_aes_encrypt,
+ 			    key);
+ 	} else if (length == 32) {
+-		GCM_SET_KEY(ctx, x86_aes256_set_encrypt_key, x86_aes_encrypt,
++		GCM_SET_KEY(&ctx->inner, x86_aes256_set_encrypt_key, x86_aes_encrypt,
+ 			    key);
+ 	} else
+ 		return GNUTLS_E_INVALID_REQUEST;
+ 
++	ctx->rekey_counter = 0;
+ 	return 0;
+ }
+ 
+@@ -122,8 +125,9 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
+ 	if (iv_size != GCM_BLOCK_SIZE - 4)
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ 
+-	GCM_SET_IV(ctx, iv_size, iv);
++	GCM_SET_IV(&ctx->inner, iv_size, iv);
+ 
++	ctx->rekey_counter = 0;
+ 	return 0;
+ }
+ 
+@@ -132,11 +136,17 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
+ 		void *dst, size_t length)
+ {
+ 	struct gcm_x86_aes_ctx *ctx = _ctx;
++	int ret;
+ 
+ 	if (unlikely(length < src_size))
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
+-	GCM_ENCRYPT(ctx, x86_aes_encrypt, src_size, dst, src);
++	ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
++	if (ret < 0) {
++		return gnutls_assert_val(ret);
++	}
++
++	GCM_ENCRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src);
+ 
+ 	return 0;
+ }
+@@ -150,7 +160,7 @@ aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size,
+ 	if (unlikely(dst_size < src_size))
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
+-	GCM_DECRYPT(ctx, x86_aes_encrypt, src_size, dst, src);
++	GCM_DECRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src);
+ 	return 0;
+ }
+ 
+@@ -158,7 +168,7 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size)
+ {
+ 	struct gcm_x86_aes_ctx *ctx = _ctx;
+ 
+-	GCM_UPDATE(ctx, src_size, src);
++	GCM_UPDATE(&ctx->inner, src_size, src);
+ 
+ 	return 0;
+ }
+@@ -167,7 +177,7 @@ static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize)
+ {
+ 	struct gcm_x86_aes_ctx *ctx = _ctx;
+ 
+-	GCM_DIGEST(ctx, x86_aes_encrypt, tagsize, tag);
++	GCM_DIGEST(&ctx->inner, x86_aes_encrypt, tagsize, tag);
+ }
+ 
+ static void aes_gcm_deinit(void *_ctx)
+diff --git a/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c b/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c
+index 21aef94440..fbefe432f4 100644
+--- a/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c
++++ b/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c
+@@ -61,6 +61,7 @@ struct aes_gcm_ctx {
+ 	struct gcm128_context gcm;
+ 	unsigned finished;
+ 	unsigned auth_finished;
++	size_t rekey_counter;
+ };
+ 
+ void gcm_init_avx(u128 Htable[16], const uint64_t Xi[2]);
+@@ -116,6 +117,7 @@ aes_gcm_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
+ 
+ 	gcm_init_avx(ctx->gcm.Htable, ctx->gcm.H.u);
+ 
++	ctx->rekey_counter = 0;
+ 	return 0;
+ }
+ 
+@@ -140,6 +142,7 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
+ 	ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 2;
+ 	ctx->finished = 0;
+ 	ctx->auth_finished = 0;
++	ctx->rekey_counter = 0;
+ 	return 0;
+ }
+ 
+@@ -184,6 +187,7 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
+ 	int exp_blocks = blocks * GCM_BLOCK_SIZE;
+ 	int rest = src_size - (exp_blocks);
+ 	uint32_t counter;
++	int ret;
+ 
+ 	if (unlikely(ctx->finished))
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -191,6 +195,11 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
+ 	if (unlikely(length < src_size))
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
++	ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
++	if (ret < 0) {
++		return gnutls_assert_val(ret);
++	}
++
+ 	if (blocks > 0) {
+ 		aesni_ctr32_encrypt_blocks(src, dst,
+ 					   blocks,
+diff --git a/lib/accelerated/x86/aes-gcm-x86-pclmul.c b/lib/accelerated/x86/aes-gcm-x86-pclmul.c
+index e6b4990cbf..5385acbb6b 100644
+--- a/lib/accelerated/x86/aes-gcm-x86-pclmul.c
++++ b/lib/accelerated/x86/aes-gcm-x86-pclmul.c
+@@ -60,6 +60,7 @@ struct aes_gcm_ctx {
+ 	struct gcm128_context gcm;
+ 	unsigned finished;
+ 	unsigned auth_finished;
++	size_t rekey_counter;
+ };
+ 
+ void gcm_init_clmul(u128 Htable[16], const uint64_t Xi[2]);
+@@ -116,6 +117,7 @@ aes_gcm_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
+ 
+ 	gcm_init_clmul(ctx->gcm.Htable, ctx->gcm.H.u);
+ 
++	ctx->rekey_counter = 0;
+ 	return 0;
+ }
+ 
+@@ -140,6 +142,7 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
+ 	ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 2;
+ 	ctx->finished = 0;
+ 	ctx->auth_finished = 0;
++	ctx->rekey_counter = 0;
+ 	return 0;
+ }
+ 
+@@ -184,6 +187,7 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
+ 	int exp_blocks = blocks * GCM_BLOCK_SIZE;
+ 	int rest = src_size - (exp_blocks);
+ 	uint32_t counter;
++	int ret;
+ 
+ 	if (unlikely(ctx->finished))
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -191,6 +195,11 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
+ 	if (unlikely(length < src_size))
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
++	ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
++	if (ret < 0) {
++		return gnutls_assert_val(ret);
++	}
++
+ 	if (blocks > 0) {
+ 		aesni_ctr32_encrypt_blocks(src, dst,
+ 					   blocks,
+diff --git a/lib/accelerated/x86/aes-gcm-x86-ssse3.c b/lib/accelerated/x86/aes-gcm-x86-ssse3.c
+index 7a2ac50869..f074cb1096 100644
+--- a/lib/accelerated/x86/aes-gcm-x86-ssse3.c
++++ b/lib/accelerated/x86/aes-gcm-x86-ssse3.c
+@@ -36,13 +36,15 @@
+ #include <x86-common.h>
+ #include <byteswap.h>
+ #include <nettle/gcm.h>
+-#include <aes-x86.h>
+ #include <assert.h>
+ 
+ /* GCM mode 
+  * It is used when the CPU doesn't include the PCLMUL instructions.
+  */
+-struct gcm_x86_aes_ctx GCM_CTX(AES_KEY);
++struct gcm_x86_aes_ctx {
++	struct GCM_CTX(AES_KEY) inner;
++	size_t rekey_counter;
++};
+ 
+ static void x86_aes_encrypt(const void *_ctx,
+ 				size_t length, uint8_t * dst,
+@@ -110,17 +112,18 @@ aes_gcm_cipher_setkey(void *_ctx, const void *key, size_t keysize)
+ 	struct gcm_x86_aes_ctx *ctx = _ctx;
+ 
+ 	if (keysize == 16) {
+-		GCM_SET_KEY(ctx, x86_aes_128_set_encrypt_key, x86_aes_encrypt,
++		GCM_SET_KEY(&ctx->inner, x86_aes_128_set_encrypt_key, x86_aes_encrypt,
+ 			    key);
+ 	} else if (keysize == 24) {
+-		GCM_SET_KEY(ctx, x86_aes_192_set_encrypt_key, x86_aes_encrypt,
++		GCM_SET_KEY(&ctx->inner, x86_aes_192_set_encrypt_key, x86_aes_encrypt,
+ 			    key);
+ 	} else if (keysize == 32) {
+-		GCM_SET_KEY(ctx, x86_aes_256_set_encrypt_key, x86_aes_encrypt,
++		GCM_SET_KEY(&ctx->inner, x86_aes_256_set_encrypt_key, x86_aes_encrypt,
+ 			    key);
+ 	} else
+ 		return GNUTLS_E_INVALID_REQUEST;
+ 
++	ctx->rekey_counter = 0;
+ 	return 0;
+ }
+ 
+@@ -131,8 +134,9 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
+ 	if (iv_size != GCM_BLOCK_SIZE - 4)
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ 
+-	GCM_SET_IV(ctx, iv_size, iv);
++	GCM_SET_IV(&ctx->inner, iv_size, iv);
+ 
++	ctx->rekey_counter = 0;
+ 	return 0;
+ }
+ 
+@@ -141,11 +145,17 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
+ 		void *dst, size_t length)
+ {
+ 	struct gcm_x86_aes_ctx *ctx = _ctx;
++	int ret;
+ 
+ 	if (unlikely(length < src_size))
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
+-	GCM_ENCRYPT(ctx, x86_aes_encrypt, src_size, dst, src);
++	ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
++	if (ret < 0) {
++		return gnutls_assert_val(ret);
++	}
++
++	GCM_ENCRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src);
+ 
+ 	return 0;
+ }
+@@ -159,7 +169,7 @@ aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size,
+ 	if (unlikely(dst_size < src_size))
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
+-	GCM_DECRYPT(ctx, x86_aes_encrypt, src_size, dst, src);
++	GCM_DECRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src);
+ 	return 0;
+ }
+ 
+@@ -167,7 +177,7 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size)
+ {
+ 	struct gcm_x86_aes_ctx *ctx = _ctx;
+ 
+-	GCM_UPDATE(ctx, src_size, src);
++	GCM_UPDATE(&ctx->inner, src_size, src);
+ 
+ 	return 0;
+ }
+@@ -176,7 +186,7 @@ static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize)
+ {
+ 	struct gcm_x86_aes_ctx *ctx = _ctx;
+ 
+-	GCM_DIGEST(ctx, x86_aes_encrypt, tagsize, tag);
++	GCM_DIGEST(&ctx->inner, x86_aes_encrypt, tagsize, tag);
+ }
+ 
+ static void aes_gcm_deinit(void *_ctx)
+diff --git a/lib/accelerated/x86/aes-x86.h b/lib/accelerated/x86/aes-x86.h
+index 023b5f7be6..349d3d5d9c 100644
+--- a/lib/accelerated/x86/aes-x86.h
++++ b/lib/accelerated/x86/aes-x86.h
+@@ -22,6 +22,21 @@ typedef struct {
+ 	if (s != 16 && s != 24 && s != 32) \
+ 		return GNUTLS_E_INVALID_REQUEST
+ 
++#include <intprops.h>
++#define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32)
++static inline int
++record_aes_gcm_encrypt_size(size_t *counter, size_t size) {
++	size_t sum;
++
++	if (!INT_ADD_OK(*counter, size, &sum) ||
++	    sum > AES_GCM_ENCRYPT_MAX_BYTES) {
++		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++	}
++	*counter = sum;
++
++	return 0;
++}
++
+ void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
+ 		       size_t len, const AES_KEY * key, int enc);
+ 
+diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c
+index ab4c46d2d0..b41862d1ea 100644
+--- a/lib/nettle/cipher.c
++++ b/lib/nettle/cipher.c
+@@ -63,6 +63,7 @@
+ #include <nettle/xts.h>
+ #include <nettle/siv-cmac.h>
+ #include <fips.h>
++#include <intprops.h>
+ 
+ struct nettle_cipher_ctx;
+ 
+@@ -120,8 +121,23 @@ struct nettle_cipher_ctx {
+ 	unsigned iv_size;
+ 
+ 	bool enc;
++	size_t rekey_counter;
+ };
+ 
++#define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32)
++static inline int
++record_aes_gcm_encrypt_size(size_t *counter, size_t size) {
++	size_t sum;
++
++	if (!INT_ADD_OK(*counter, size, &sum) ||
++	    sum > AES_GCM_ENCRYPT_MAX_BYTES) {
++		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++	}
++	*counter = sum;
++
++	return 0;
++}
++
+ static void
+ _stream_encrypt(struct nettle_cipher_ctx *ctx, size_t length, uint8_t * dst,
+ 		const uint8_t * src)
+@@ -1133,6 +1149,16 @@ wrap_nettle_cipher_setkey(void *_ctx, const void *key, size_t keysize)
+ 	else
+ 		ctx->cipher->set_decrypt_key(ctx->ctx_ptr, key);
+ 
++	switch (ctx->cipher->algo) {
++	case GNUTLS_CIPHER_AES_128_GCM:
++	case GNUTLS_CIPHER_AES_192_GCM:
++	case GNUTLS_CIPHER_AES_256_GCM:
++		ctx->rekey_counter = 0;
++		break;
++	default:
++		break;
++	}
++
+ 	return 0;
+ }
+ 
+@@ -1147,6 +1173,7 @@ wrap_nettle_cipher_setiv(void *_ctx, const void *iv, size_t iv_size)
+ 	case GNUTLS_CIPHER_AES_192_GCM:
+ 	case GNUTLS_CIPHER_AES_256_GCM:
+ 		FIPS_RULE(iv_size < GCM_IV_SIZE, GNUTLS_E_INVALID_REQUEST, "access to short GCM nonce size\n");
++		ctx->rekey_counter = 0;
+ 		break;
+ 	case GNUTLS_CIPHER_SALSA20_256:
+ 	case GNUTLS_CIPHER_ESTREAM_SALSA20_256:
+@@ -1207,10 +1234,24 @@ wrap_nettle_cipher_encrypt(void *_ctx, const void *plain, size_t plain_size,
+ 			   void *encr, size_t encr_size)
+ {
+ 	struct nettle_cipher_ctx *ctx = _ctx;
++	int ret;
+ 
+ 	if (unlikely(ctx->cipher->encrypt == NULL))
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ 
++	switch (ctx->cipher->algo) {
++	case GNUTLS_CIPHER_AES_128_GCM:
++	case GNUTLS_CIPHER_AES_192_GCM:
++	case GNUTLS_CIPHER_AES_256_GCM:
++		ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, plain_size);
++		if (ret < 0) {
++			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++		}
++		break;
++	default:
++		break;
++	}
++
+ 	ctx->cipher->encrypt(ctx, plain_size, encr, plain);
+ 
+ 	return 0;
+diff --git a/tests/slow/cipher-api-test.c b/tests/slow/cipher-api-test.c
+index fc880bcc9f..1d267ce312 100644
+--- a/tests/slow/cipher-api-test.c
++++ b/tests/slow/cipher-api-test.c
+@@ -21,6 +21,7 @@
+  */
+ 
+ #include <config.h>
++#include <limits.h>
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -48,6 +49,11 @@ int main(int argc, char **argv)
+ #include <assert.h>
+ #include <utils.h>
+ 
++#define AES_GCM_ENCRYPT_PLAINTEXT_MAX ((1ULL << 36) - 32)
++#if SIZE_MAX >= AES_GCM_ENCRYPT_PLAINTEXT_MAX
++#define TEST_AES_GCM_ENCRYPT_PLAINTEXT_SIZE 1
++#endif
++
+ static void tls_log_func(int level, const char *str)
+ {
+ 	fprintf(stderr, "<%d>| %s", level, str);
+@@ -401,6 +407,74 @@ static void test_aead_invalid_short_decrypt(int algo)
+ 	return;
+ }
+ 
++#ifdef TEST_AES_GCM_ENCRYPT_PLAINTEXT_SIZE
++/* Test whether an invalid call to gnutls_cipher_encrypt() with too
++ * long message is caught */
++static void test_aead_invalid_too_long_encrypt(int algo)
++{
++	int ret;
++	gnutls_cipher_hd_t ch;
++	uint8_t key16[64];
++	uint8_t iv16[32];
++	uint8_t data[128];
++	gnutls_datum_t key, iv;
++
++	if (algo != GNUTLS_CIPHER_AES_128_GCM &&
++	    algo != GNUTLS_CIPHER_AES_192_GCM &&
++	    algo != GNUTLS_CIPHER_AES_256_GCM) {
++		return;
++	}
++
++	key.data = key16;
++	key.size = gnutls_cipher_get_key_size(algo);
++	assert(key.size <= sizeof(key16));
++
++	iv.data = iv16;
++	iv.size = gnutls_cipher_get_iv_size(algo);
++	assert(iv.size <= sizeof(iv16));
++
++	memset(iv.data, 0xff, iv.size);
++	memset(key.data, 0xfe, key.size);
++	memset(data, 0xfa, sizeof(data));
++
++	gnutls_global_set_log_function(tls_log_func);
++	if (debug)
++		gnutls_global_set_log_level(4711);
++
++	ret = global_init();
++	if (ret < 0) {
++		fail("Cannot initialize library\n"); /*errcode 1 */
++	}
++
++	ret = gnutls_cipher_init(&ch, algo, &key, &iv);
++	if (ret < 0)
++		fail("gnutls_cipher_init failed\n"); /*errcode 1 */
++
++	/* Test exceeding AES-GCM plaintext limit */
++	ret = gnutls_cipher_encrypt(ch, data, sizeof(data));
++	if (ret < 0)
++		fail("could not encrypt data\n");
++
++	/* A few blocks larger than AES_GCM_ENCRYPT_PLAINTEXT_MAX combined with
++	 * the previous call.  Use NULL for PLAINTEXT so the access to the first
++	 * block always results in page fault (in case the limit is not
++	 * enforced).
++	 */
++	ret = gnutls_cipher_encrypt(ch, NULL, AES_GCM_ENCRYPT_PLAINTEXT_MAX);
++	if (ret >= 0)
++		fail("succeeded in encrypting too long data\n");
++	if (ret != GNUTLS_E_INVALID_REQUEST)
++		fail("wrong kind of error on encrypting too long data,"
++		     "%s instead of GNUTLS_E_INVALID_REQUEST\n",
++		     gnutls_strerror_name(ret));
++
++	gnutls_cipher_deinit(ch);
++
++	gnutls_global_deinit();
++	return;
++}
++#endif
++
+ static void check_status(int status)
+ {
+ 	if (WEXITSTATUS(status) != 0 ||
+@@ -464,6 +538,11 @@ void start(const char *name, int algo, unsigned aead)
+ 
+ 		success("trying %s: test_aead_invalid_short_decrypt\n", name);
+ 		fork_subtest(test_aead_invalid_short_decrypt, algo);
++
++#if TEST_AES_GCM_ENCRYPT_PLAINTEXT_SIZE
++		success("trying %s: test_aead_invalid_too_long_encrypt\n", name);
++		fork_subtest(test_aead_invalid_too_long_encrypt, algo);
++#endif
+ 	}
+ }
+ 
+-- 
+2.37.1
+

SOURCES/gnutls-3.7.6-cpuid-fixes.patch

@@ -0,0 +1,119 @@
+From 8ff391fa011e02c88b0d099061ca62e88ab68011 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 15 Aug 2022 09:39:18 +0900
+Subject: [PATCH] accelerated: clear AVX bits if it cannot be queried through
+ XSAVE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The algorithm to detect AVX is described in 14.3 of "Intel® 64 and IA-32
+Architectures Software Developer’s Manual".
+
+GnuTLS previously only followed that algorithm when registering the
+crypto backend, while the CRYPTOGAMS derived SHA code assembly expects
+that the extension bits are propagated to _gnutls_x86_cpuid_s.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/accelerated/x86/x86-common.c | 49 +++++++++++++++++++++++++-------
+ 1 file changed, 38 insertions(+), 11 deletions(-)
+
+diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
+index 7ddaa594e6..b7a88ddeca 100644
+--- a/lib/accelerated/x86/x86-common.c
++++ b/lib/accelerated/x86/x86-common.c
+@@ -81,6 +81,26 @@ unsigned int _gnutls_x86_cpuid_s[4];
+ # define bit_AVX 0x10000000
+ #endif
+ 
++#ifndef bit_AVX2
++# define bit_AVX2 0x00000020
++#endif
++
++#ifndef bit_AVX512F
++# define bit_AVX512F 0x00010000
++#endif
++
++#ifndef bit_AVX512IFMA
++# define bit_AVX512IFMA 0x00200000
++#endif
++
++#ifndef bit_AVX512BW
++# define bit_AVX512BW 0x40000000
++#endif
++
++#ifndef bit_AVX512VL
++# define bit_AVX512VL 0x80000000
++#endif
++
+ #ifndef bit_OSXSAVE
+ # define bit_OSXSAVE 0x8000000
+ #endif
+@@ -89,10 +109,6 @@ unsigned int _gnutls_x86_cpuid_s[4];
+ # define bit_MOVBE 0x00400000
+ #endif
+ 
+-#ifndef OSXSAVE_MASK
+-# define OSXSAVE_MASK (bit_OSXSAVE|bit_MOVBE)
+-#endif
+-
+ #define bit_PADLOCK (0x3 << 6)
+ #define bit_PADLOCK_PHE (0x3 << 10)
+ #define bit_PADLOCK_PHE_SHA512 (0x3 << 25)
+@@ -148,7 +164,7 @@ static unsigned check_4th_gen_intel_features(unsigned ecx)
+ {
+ 	uint32_t xcr0;
+ 
+-	if ((ecx & OSXSAVE_MASK) != OSXSAVE_MASK)
++	if ((ecx & bit_OSXSAVE) != bit_OSXSAVE)
+ 		return 0;
+ 
+ #if defined(_MSC_VER) && !defined(__clang__)
+@@ -190,8 +206,9 @@ static void capabilities_to_intel_cpuid(unsigned capabilities)
+ 	}
+ 
+ 	if (capabilities & INTEL_AVX) {
+-		if ((a[1] & bit_AVX) && check_4th_gen_intel_features(a[1])) {
+-			_gnutls_x86_cpuid_s[1] |= bit_AVX|OSXSAVE_MASK;
++		if ((a[1] & bit_AVX) && (a[1] & bit_MOVBE) &&
++		    check_4th_gen_intel_features(a[1])) {
++			_gnutls_x86_cpuid_s[1] |= bit_AVX|bit_MOVBE;
+ 		} else {
+ 			_gnutls_debug_log
+ 			    ("AVX acceleration requested but not available\n");
+@@ -236,10 +253,7 @@ static unsigned check_sha(void)
+ #ifdef ASM_X86_64
+ static unsigned check_avx_movbe(void)
+ {
+-	if (check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1]) == 0)
+-		return 0;
+-
+-	return ((_gnutls_x86_cpuid_s[1] & bit_AVX));
++	return (_gnutls_x86_cpuid_s[1] & (bit_AVX|bit_MOVBE)) == (bit_AVX|bit_MOVBE);
+ }
+ 
+ static unsigned check_pclmul(void)
+@@ -884,6 +898,19 @@ void register_x86_intel_crypto(unsigned capabilities)
+ 	if (capabilities == 0) {
+ 		if (!read_cpuid_vals(_gnutls_x86_cpuid_s))
+ 			return;
++		if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) {
++			_gnutls_x86_cpuid_s[1] &= ~bit_AVX;
++
++			/* Clear AVX2 bits as well, according to what
++			 * OpenSSL does.  Should we clear
++			 * bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER,
++			 * and bit_AVX512CD? */
++			_gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|
++						    bit_AVX512F|
++						    bit_AVX512IFMA|
++						    bit_AVX512BW|
++						    bit_AVX512BW);
++		}
+ 	} else {
+ 		capabilities_to_intel_cpuid(capabilities);
+ 	}
+-- 
+2.37.2
+

SOURCES/gnutls-3.7.6-drbg-reseed.patch

@@ -0,0 +1,41 @@
+From 3035e884b3abc68bcebff5adec5bd8819bbc6d7b Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Fri, 5 Aug 2022 16:16:42 +0900
+Subject: [PATCH] gnutls-3.7.6-drbg-reseed.patch
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ lib/nettle/sysrng-linux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nettle/sysrng-linux.c b/lib/nettle/sysrng-linux.c
+index 6b3971c..dae9061 100644
+--- a/lib/nettle/sysrng-linux.c
++++ b/lib/nettle/sysrng-linux.c
+@@ -31,6 +31,9 @@
+ # include <num.h>
+ # include <errno.h>
+ # include <rnd-common.h>
++# include "fips.h"
++#else
++# define _gnutls_fips_mode_enabled() 0
+ #endif
+ 
+ #include <sys/types.h>
+@@ -103,7 +106,12 @@ static int force_getrandom(void *buf, size_t buflen, unsigned int flags)
+ static int _rnd_get_system_entropy_getrandom(void* _rnd, size_t size)
+ {
+ 	int ret;
+-	ret = force_getrandom(_rnd, size, 0);
++	unsigned int flags = 0;
++
++	if (_gnutls_fips_mode_enabled()) {
++		flags |= 2/*GRND_RANDOM*/;
++	}
++	ret = force_getrandom(_rnd, size, flags);
+ 	if (ret == -1) {
+ 		int e = errno;
+ 		gnutls_assert();
+-- 
+2.37.1
+

SOURCES/gnutls-3.7.6-fips-ecdsa-hash-check.patch

@@ -0,0 +1,427 @@
+From 171b934a8c054e98b110892cae4130e1db64e656 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 29 Sep 2022 21:28:19 +0900
+Subject: [PATCH] gnutls-3.7.6-fips-ecdsa-hash-check.patch
+
+---
+ lib/crypto-backend.h |  12 ++--
+ lib/nettle/pk.c      |  33 +++++-----
+ lib/privkey.c        |  42 ++++++++----
+ lib/pubkey.c         |   5 +-
+ tests/fips-test.c    | 150 ++++++++++++++++++++++++++++++++++++++++++-
+ 5 files changed, 205 insertions(+), 37 deletions(-)
+
+diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
+index f0f68c3..4dd1ae2 100644
+--- a/lib/crypto-backend.h
++++ b/lib/crypto-backend.h
+@@ -247,11 +247,13 @@ typedef enum {
+ 	GNUTLS_PK_FLAG_RSA_PSS_FIXED_SALT_LENGTH = 4
+ } gnutls_pk_flag_t;
+ 
+-#define FIX_SIGN_PARAMS(params, flags, dig) do {		\
+-	if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) {	\
+-		(params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE;	\
+-		(params).dsa_dig = (dig);			\
+-	}							\
++#define FIX_SIGN_PARAMS(params, flags, dig) do {			\
++	if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) {		\
++		(params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE;		\
++	}								\
++	if ((params).pk == GNUTLS_PK_DSA || (params).pk == GNUTLS_PK_ECDSA) { \
++		(params).dsa_dig = (dig);				\
++	}								\
+ } while (0)
+ 
+ void gnutls_pk_params_release(gnutls_pk_params_st * p);
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index f38016b..c098e2a 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -1104,8 +1104,16 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 			me = _gnutls_dsa_q_to_hash(pk_params,
+ 						   &hash_len);
+ 
++			if (hash_len > vdata->size) {
++				gnutls_assert();
++				_gnutls_debug_log
++				    ("Security level of algorithm requires hash %s(%d) or better\n",
++				     _gnutls_mac_get_name(me), hash_len);
++				hash_len = vdata->size;
++			}
++
+ 			/* Only SHA-2 is allowed in FIPS 140-3 */
+-			switch (me->id) {
++			switch (DIG_TO_MAC(sign_params->dsa_dig)) {
+ 			case GNUTLS_MAC_SHA256:
+ 			case GNUTLS_MAC_SHA384:
+ 			case GNUTLS_MAC_SHA512:
+@@ -1115,14 +1123,6 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 				not_approved = true;
+ 			}
+ 
+-			if (hash_len > vdata->size) {
+-				gnutls_assert();
+-				_gnutls_debug_log
+-				    ("Security level of algorithm requires hash %s(%d) or better\n",
+-				     _gnutls_mac_get_name(me), hash_len);
+-				hash_len = vdata->size;
+-			}
+-
+ 			mpz_init(k);
+ 			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
+ 			    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
+@@ -1545,7 +1545,6 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+ 			struct dsa_signature sig;
+ 			int curve_id = pk_params->curve;
+ 			const struct ecc_curve *curve;
+-			const mac_entry_st *me;
+ 
+ 			curve = get_supported_nist_curve(curve_id);
+ 			if (curve == NULL) {
+@@ -1571,11 +1570,14 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+ 			memcpy(sig.r, tmp[0], SIZEOF_MPZT);
+ 			memcpy(sig.s, tmp[1], SIZEOF_MPZT);
+ 
+-			me = _gnutls_dsa_q_to_hash(pk_params, &hash_len);
++			(void)_gnutls_dsa_q_to_hash(pk_params, &hash_len);
++
++			if (hash_len > vdata->size)
++				hash_len = vdata->size;
+ 
+ 			/* SHA-1 is allowed for SigVer in FIPS 140-3 in legacy
+ 			 * mode */
+-			switch (me->id) {
++			switch (DIG_TO_MAC(sign_params->dsa_dig)) {
+ 			case GNUTLS_MAC_SHA1:
+ 			case GNUTLS_MAC_SHA256:
+ 			case GNUTLS_MAC_SHA384:
+@@ -1586,9 +1588,6 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+ 				not_approved = true;
+ 			}
+ 
+-			if (hash_len > vdata->size)
+-				hash_len = vdata->size;
+-
+ 			ret =
+ 			    ecdsa_verify(&pub, hash_len, vdata->data,
+ 					 &sig);
+@@ -2390,8 +2389,10 @@ static int pct_test(gnutls_pk_algorithm_t algo, const gnutls_pk_params_st* param
+ 
+ 	if (algo == GNUTLS_PK_DSA || algo == GNUTLS_PK_EC) {
+ 		unsigned hash_len;
++		const mac_entry_st *me;
+ 
+-		_gnutls_dsa_q_to_hash(params, &hash_len);
++		me = _gnutls_dsa_q_to_hash(params, &hash_len);
++		spki.dsa_dig = MAC_TO_DIG(me->id);
+ 		gen_data = gnutls_malloc(hash_len);
+ 		gnutls_rnd(GNUTLS_RND_NONCE, gen_data, hash_len);
+ 
+diff --git a/lib/privkey.c b/lib/privkey.c
+index 0b77443..2069fc0 100644
+--- a/lib/privkey.c
++++ b/lib/privkey.c
+@@ -1251,27 +1251,36 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer,
+ 		se = _gnutls_sign_to_entry(GNUTLS_SIGN_RSA_RAW);
+ 	} else {
+ 		se = _gnutls_sign_to_entry(algo);
+-		if (unlikely(se == NULL))
+-			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+-
++		if (unlikely(se == NULL)) {
++			ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++			goto cleanup;
++		}
+ 	}
+ 
+ 	ret = _gnutls_privkey_get_spki_params(signer, &params);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+-		return ret;
++		goto cleanup;
+ 	}
+ 
+ 	ret = _gnutls_privkey_update_spki_params(signer, se->pk, se->hash,
+ 					         flags, &params);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+-		return ret;
++		goto cleanup;
+ 	}
+ 
+ 	FIX_SIGN_PARAMS(params, flags, se->hash);
+ 
+-	return privkey_sign_prehashed(signer, se, hash_data, signature, &params);
++	ret = privkey_sign_prehashed(signer, se, hash_data, signature, &params);
++
++ cleanup:
++	if (ret < 0) {
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++	} else {
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
++	}
++	return ret;
+ }
+ 
+ int
+@@ -1366,14 +1375,14 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer,
+ 	ret = _gnutls_privkey_get_spki_params(signer, &params);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+-		return ret;
++		goto cleanup;
+ 	}
+ 
+ 	ret = _gnutls_privkey_update_spki_params(signer, signer->pk_algorithm,
+ 					       hash_algo, flags, &params);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+-		return ret;
++		goto cleanup;
+ 	}
+ 
+ 	/* legacy callers of this API could use a hash algorithm of 0 (unknown)
+@@ -1391,13 +1400,22 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer,
+ 		se = _gnutls_pk_to_sign_entry(params.pk, hash_algo);
+ 	}
+ 
+-	if (unlikely(se == NULL))
+-		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++	if (unlikely(se == NULL)) {
++		ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++		goto cleanup;
++	}
+ 
+ 	FIX_SIGN_PARAMS(params, flags, hash_algo);
+ 
+-	return privkey_sign_prehashed(signer, se,
+-				      hash_data, signature, &params);
++	ret = privkey_sign_prehashed(signer, se,
++				     hash_data, signature, &params);
++ cleanup:
++	if (ret < 0) {
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++	} else {
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
++	}
++	return ret;
+ }
+ 
+ static int
+diff --git a/lib/pubkey.c b/lib/pubkey.c
+index eba1f5b..35126f3 100644
+--- a/lib/pubkey.c
++++ b/lib/pubkey.c
+@@ -1985,7 +1985,7 @@ gnutls_pubkey_import_dsa_raw(gnutls_pubkey_t key,
+  * parameters (if any) with the signature algorithm */
+ static
+ int fixup_spki_params(const gnutls_pk_params_st *key_params, const gnutls_sign_entry_st *se,
+-		       const mac_entry_st *me, gnutls_x509_spki_st *params)
++		      const mac_entry_st *me, gnutls_x509_spki_st *params)
+ {
+ 	unsigned bits;
+ 
+@@ -2018,6 +2018,9 @@ int fixup_spki_params(const gnutls_pk_params_st *key_params, const gnutls_sign_e
+ 
+ 		if (params->rsa_pss_dig != se->hash)
+ 			return gnutls_assert_val(GNUTLS_E_CONSTRAINT_ERROR);
++	} else if (params->pk == GNUTLS_PK_DSA ||
++		   params->pk == GNUTLS_PK_ECDSA) {
++		params->dsa_dig = se->hash;
+ 	}
+ 
+ 	return 0;
+diff --git a/tests/fips-test.c b/tests/fips-test.c
+index 788f4ab..ec0f4b4 100644
+--- a/tests/fips-test.c
++++ b/tests/fips-test.c
+@@ -80,8 +80,22 @@ static const gnutls_datum_t rsa2342_sha1_sig = {
+ 	.size = sizeof(rsa2342_sha1_sig_data),
+ };
+ 
++static const uint8_t ecc256_sha1_sig_data[] = {
++	0x30, 0x45, 0x02, 0x21, 0x00, 0x9a, 0x28, 0xc9, 0xbf, 0xc8, 0x70, 0x4f, 
++	0x27, 0x2d, 0xe1, 0x66, 0xc4, 0xa5, 0xc6, 0xf2, 0xdc, 0x33, 0xb9, 0x41, 
++	0xdf, 0x78, 0x98, 0x8a, 0x22, 0x4d, 0x29, 0x37, 0xa0, 0x0f, 0x6f, 0xd4, 
++	0xed, 0x02, 0x20, 0x0b, 0x15, 0xca, 0x30, 0x09, 0x2d, 0x55, 0x44, 0xb4, 
++	0x1d, 0x3f, 0x48, 0x7a, 0xc3, 0xd1, 0x2a, 0xc1, 0x0e, 0x47, 0xfa, 0xe6, 
++	0xe9, 0x0f, 0x03, 0xe2, 0x01, 0x4e, 0xe4, 0x73, 0x37, 0xa7, 0x90, 
++};
++
++static const gnutls_datum_t ecc256_sha1_sig = {
++	.data = (unsigned char *)ecc256_sha1_sig_data,
++	.size = sizeof(ecc256_sha1_sig_data),
++};
++
+ static void
+-rsa_import_keypair(gnutls_privkey_t *privkey, gnutls_pubkey_t *pubkey,
++import_keypair(gnutls_privkey_t *privkey, gnutls_pubkey_t *pubkey,
+ 		   const char *filename)
+ {
+ 	const char *srcdir;
+@@ -274,6 +288,8 @@ void doit(void)
+ 	gnutls_datum_t signature;
+ 	unsigned int bits;
+ 	uint8_t hmac[64];
++	uint8_t hash[64];
++	gnutls_datum_t hashed_data;
+ 	uint8_t pbkdf2[64];
+ 	gnutls_datum_t temp_key = { NULL, 0 };
+ 
+@@ -473,7 +489,7 @@ void doit(void)
+ 
+ 	/* Import 2432-bit RSA key; not a security function */
+ 	FIPS_PUSH_CONTEXT();
+-	rsa_import_keypair(&privkey, &pubkey, "rsa-2432.pem");
++	import_keypair(&privkey, &pubkey, "rsa-2432.pem");
+ 	FIPS_POP_CONTEXT(INITIAL);
+ 
+ 	/* Create a signature with 2432-bit RSA and SHA256; approved */
+@@ -519,7 +535,7 @@ void doit(void)
+ 
+ 	/* Import 512-bit RSA key; not a security function */
+ 	FIPS_PUSH_CONTEXT();
+-	rsa_import_keypair(&privkey, &pubkey, "rsa-512.pem");
++	import_keypair(&privkey, &pubkey, "rsa-512.pem");
+ 	FIPS_POP_CONTEXT(INITIAL);
+ 
+ 	/* Create a signature with 512-bit RSA and SHA256; not approved */
+@@ -543,6 +559,134 @@ void doit(void)
+ 	gnutls_pubkey_deinit(pubkey);
+ 	gnutls_privkey_deinit(privkey);
+ 
++	/* Import ECDSA key; not a security function */
++	FIPS_PUSH_CONTEXT();
++	import_keypair(&privkey, &pubkey, "ecc256.pem");
++	FIPS_POP_CONTEXT(INITIAL);
++
++	/* Create a signature with ECDSA and SHA256; approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_privkey_sign_data2(privkey, GNUTLS_SIGN_ECDSA_SHA256, 0,
++					&data, &signature);
++	if (ret < 0) {
++		fail("gnutls_privkey_sign_data2 failed\n");
++	}
++	FIPS_POP_CONTEXT(APPROVED);
++
++	/* Verify a signature with ECDSA and SHA256; approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_ECDSA_SHA256, 0,
++					 &data, &signature);
++	if (ret < 0) {
++		fail("gnutls_pubkey_verify_data2 failed\n");
++	}
++	FIPS_POP_CONTEXT(APPROVED);
++	gnutls_free(signature.data);
++
++	/* Create a signature with ECDSA and SHA256 (old API); approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0,
++				       &data, &signature);
++	if (ret < 0) {
++		fail("gnutls_privkey_sign_data failed\n");
++	}
++	FIPS_POP_CONTEXT(APPROVED);
++
++	/* Create a SHA256 hashed data for 2-pass signature API; not a
++	 * crypto operation */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_hash_fast(GNUTLS_DIG_SHA256, data.data, data.size, hash);
++	if (ret < 0) {
++		fail("gnutls_hash_fast failed\n");
++	}
++	hashed_data.data = hash;
++	hashed_data.size = 32;
++	FIPS_POP_CONTEXT(INITIAL);
++
++	/* Create a signature with ECDSA and SHA256 (2-pass API); not-approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_privkey_sign_hash2(privkey, GNUTLS_SIGN_ECDSA_SHA256, 0,
++					&hashed_data, &signature);
++	if (ret < 0) {
++		fail("gnutls_privkey_sign_hash2 failed\n");
++	}
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++	gnutls_free(signature.data);
++
++	/* Create a signature with ECDSA and SHA256 (2-pass old API); not-approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_privkey_sign_hash(privkey, GNUTLS_DIG_SHA256, 0,
++					&hashed_data, &signature);
++	if (ret < 0) {
++		fail("gnutls_privkey_sign_hash failed\n");
++	}
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++	gnutls_free(signature.data);
++
++	/* Create a signature with ECDSA and SHA-1; not approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_privkey_sign_data2(privkey, GNUTLS_SIGN_ECDSA_SHA1, 0,
++					&data, &signature);
++	if (ret < 0) {
++		fail("gnutls_privkey_sign_data2 failed\n");
++	}
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	/* Verify a signature created with ECDSA and SHA-1; approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_ECDSA_SHA1,
++					 GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, &data,
++					 &ecc256_sha1_sig);
++	if (ret < 0) {
++		fail("gnutls_pubkey_verify_data2 failed\n");
++	}
++	FIPS_POP_CONTEXT(APPROVED);
++	gnutls_free(signature.data);
++
++	/* Create a signature with ECDSA and SHA-1 (old API); not approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0,
++					&data, &signature);
++	if (ret < 0) {
++		fail("gnutls_privkey_sign_data failed\n");
++	}
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++	gnutls_free(signature.data);
++
++	/* Create a SHA1 hashed data for 2-pass signature API; not a
++	 * crypto operation */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_hash_fast(GNUTLS_DIG_SHA1, data.data, data.size, hash);
++	if (ret < 0) {
++		fail("gnutls_hash_fast failed\n");
++	}
++	hashed_data.data = hash;
++	hashed_data.size = 20;
++	FIPS_POP_CONTEXT(INITIAL);
++
++	/* Create a signature with ECDSA and SHA1 (2-pass API); not-approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_privkey_sign_hash2(privkey, GNUTLS_SIGN_ECDSA_SHA1, 0,
++					&hashed_data, &signature);
++	if (ret < 0) {
++		fail("gnutls_privkey_sign_hash2 failed\n");
++	}
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++	gnutls_free(signature.data);
++
++	/* Create a signature with ECDSA and SHA1 (2-pass old API); not-approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_privkey_sign_hash(privkey, GNUTLS_DIG_SHA1, 0,
++					&hashed_data, &signature);
++	if (ret < 0) {
++		fail("gnutls_privkey_sign_hash failed\n");
++	}
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++	gnutls_free(signature.data);
++
++	gnutls_pubkey_deinit(pubkey);
++	gnutls_privkey_deinit(privkey);
++
+         /* Test RND functions */
+ 	FIPS_PUSH_CONTEXT();
+ 	ret = gnutls_rnd(GNUTLS_RND_RANDOM, key16, sizeof(key16));
+-- 
+2.37.3
+

SOURCES/gnutls-3.7.6-fips-pkcs12-des-cbc.patch

@@ -0,0 +1,58 @@
+From de09280b2a8314eb98ec9a2b84eebe3eec2f49bd Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 4 Aug 2022 16:37:51 +0900
+Subject: [PATCH] _gnutls_decrypt_pbes1_des_md5_data: use public crypto API
+
+This is a follow-up of e7f9267342bc2231149a640163c82b63c86f1dfd.  In
+the decryption code path with PBES1, algorithm checks for FIPS was not
+applied, because it used internal functions that bypass those checks.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/x509/privkey_pkcs8_pbes1.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/lib/x509/privkey_pkcs8_pbes1.c b/lib/x509/privkey_pkcs8_pbes1.c
+index c296807974..983530e46a 100644
+--- a/lib/x509/privkey_pkcs8_pbes1.c
++++ b/lib/x509/privkey_pkcs8_pbes1.c
+@@ -140,7 +140,7 @@ _gnutls_decrypt_pbes1_des_md5_data(const char *password,
+ {
+ 	int result;
+ 	gnutls_datum_t dkey, d_iv;
+-	cipher_hd_st ch;
++	gnutls_cipher_hd_t ch;
+ 	uint8_t key[16];
+ 	const unsigned block_size = 8;
+ 
+@@ -158,16 +158,14 @@ _gnutls_decrypt_pbes1_des_md5_data(const char *password,
+ 	dkey.size = 8;
+ 	d_iv.data = &key[8];
+ 	d_iv.size = 8;
+-	result =
+-	    _gnutls_cipher_init(&ch, cipher_to_entry(GNUTLS_CIPHER_DES_CBC),
+-				&dkey, &d_iv, 0);
++	result = gnutls_cipher_init(&ch, GNUTLS_CIPHER_DES_CBC, &dkey, &d_iv);
+ 	if (result < 0) {
+ 		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+ 		return gnutls_assert_val(result);
+ 	}
+ 	_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
+ 
+-	result = _gnutls_cipher_decrypt(&ch, encrypted_data->data, encrypted_data->size);
++	result = gnutls_cipher_decrypt(ch, encrypted_data->data, encrypted_data->size);
+ 	if (result < 0) {
+ 		gnutls_assert();
+ 		goto error;
+@@ -184,7 +182,7 @@ _gnutls_decrypt_pbes1_des_md5_data(const char *password,
+ 
+ 	result = 0;
+  error:
+-	_gnutls_cipher_deinit(&ch);
++	gnutls_cipher_deinit(ch);
+ 
+ 	return result;
+ }
+-- 
+2.37.1
+

SOURCES/gnutls-3.7.6-fips-rsa-key-sizes.patch

@@ -0,0 +1,476 @@
+From 237695d30c9f716333cfa077554a6e1ae0d2c589 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Sat, 20 Aug 2022 09:52:08 +0900
+Subject: [PATCH] gnutls-3.7.6-fips-rsa-key-sizes.patch
+
+---
+ lib/nettle/pk.c        |  54 ++++---
+ tests/Makefile.am      |   3 +-
+ tests/fips-rsa-sizes.c | 328 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 361 insertions(+), 24 deletions(-)
+ create mode 100644 tests/fips-rsa-sizes.c
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index eba246f..f38016b 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -1247,20 +1247,20 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 
+ 			_rsa_params_to_privkey(pk_params, &priv);
+ 
+-			/* RSA key size should be 2048-bit or larger in FIPS
+-			 * 140-3.  In addition to this, only SHA-2 is allowed
+-			 * for SigGen; it is checked in pk_prepare_hash lib/pk.c
+-			 */
+-			if (unlikely(priv.size < 256)) {
+-				not_approved = true;
+-			}
+-
+ 			ret = _rsa_params_to_pubkey(pk_params, &pub);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+ 				goto cleanup;
+ 			}
+ 
++			/* RSA modulus size should be 2048-bit or larger in FIPS
++			 * 140-3.  In addition to this, only SHA-2 is allowed
++			 * for SigGen; it is checked in pk_prepare_hash lib/pk.c
++			 */
++			if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) {
++				not_approved = true;
++			}
++
+ 			mpz_init(s);
+ 
+ 			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
+@@ -1298,22 +1298,22 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 
+ 			_rsa_params_to_privkey(pk_params, &priv);
+ 
+-			/* RSA key size should be 2048-bit or larger in FIPS
++			ret = _rsa_params_to_pubkey(pk_params, &pub);
++			if (ret < 0) {
++				gnutls_assert();
++				goto cleanup;
++			}
++
++			/* RSA modulus size should be 2048-bit or larger in FIPS
+ 			 * 140-3.  In addition to this, only SHA-2 is allowed
+ 			 * for SigGen; however, Nettle only support SHA256,
+ 			 * SHA384, and SHA512 for RSA-PSS (see
+ 			 * _rsa_pss_sign_digest_tr in this file for details).
+ 			 */
+-			if (unlikely(priv.size < 256)) {
++			if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) {
+ 				not_approved = true;
+ 			}
+ 
+-			ret = _rsa_params_to_pubkey(pk_params, &pub);
+-			if (ret < 0) {
+-				gnutls_assert();
+-				goto cleanup;
+-			}
+-
+ 			mpz_init(s);
+ 
+ 			ret =
+@@ -1643,6 +1643,7 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+ 	case GNUTLS_PK_RSA:
+ 		{
+ 			struct rsa_public_key pub;
++			size_t bits;
+ 
+ 			ret = _rsa_params_to_pubkey(pk_params, &pub);
+ 			if (ret < 0) {
+@@ -1650,12 +1651,19 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+ 				goto cleanup;
+ 			}
+ 
+-			/* RSA key size should be 2048-bit or larger in FIPS
+-			 * 140-3.  In addition to this, only SHA-1 and SHA-2 are
+-			 * allowed for SigVer; it is checked in
+-			 * _pkcs1_rsa_verify_sig in lib/pubkey.c
++			bits = mpz_sizeinbase(pub.n, 2);
++
++			/* In FIPS 140-3, RSA key size should be larger than
++			 * 2048-bit or one of the known lengths (1024, 1280,
++			 * 1536, 1792; i.e., multiple of 256-bits).
++			 *
++			 * In addition to this, only SHA-1 and SHA-2 are allowed
++			 * for SigVer; it is checked in _pkcs1_rsa_verify_sig in
++			 * lib/pubkey.c.
+ 			 */
+-			if (unlikely(pub.size < 256)) {
++			if (unlikely(bits < 2048 &&
++				     bits != 1024 && bits != 1280 &&
++				     bits != 1536 && bits != 1792)) {
+ 				not_approved = true;
+ 			}
+ 
+@@ -1701,13 +1709,13 @@ _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo,
+ 				goto cleanup;
+ 			}
+ 
+-			/* RSA key size should be 2048-bit or larger in FIPS
++			/* RSA modulus size should be 2048-bit or larger in FIPS
+ 			 * 140-3.  In addition to this, only SHA-1 and SHA-2 are
+ 			 * allowed for SigVer, while Nettle only supports
+ 			 * SHA256, SHA384, and SHA512 for RSA-PSS (see
+ 			 * _rsa_pss_verify_digest in this file for the details).
+ 			 */
+-			if (unlikely(pub.size < 256)) {
++			if (unlikely(mpz_sizeinbase(pub.n, 2) < 2048)) {
+ 				not_approved = true;
+ 			}
+ 
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 7a7a4af..dd21e45 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -233,7 +233,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
+ 	 tls13-without-timeout-func buffer status-request-revoked \
+ 	 set_x509_ocsp_multi_cli kdf-api keylog-func handshake-write \
+ 	 x509cert-dntypes id-on-xmppAddr tls13-compat-mode ciphersuite-name \
+-	 x509-upnconstraint pkcs7-verify-double-free
++	 x509-upnconstraint pkcs7-verify-double-free \
++	 fips-rsa-sizes
+ 
+ ctests += tls-channel-binding
+ 
+diff --git a/tests/fips-rsa-sizes.c b/tests/fips-rsa-sizes.c
+new file mode 100644
+index 0000000..84b9aff
+--- /dev/null
++++ b/tests/fips-rsa-sizes.c
+@@ -0,0 +1,328 @@
++/*
++ * Copyright (C) 2022 Red Hat, Inc.
++ *
++ * Author: Alexander Sosedkin
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#include <assert.h>
++#include <stdio.h>
++#include <utils.h>
++#include <gnutls/gnutls.h>
++#include <gnutls/abstract.h>
++#include <gnutls/x509.h>
++
++#define FIPS_PUSH_CONTEXT() do {				\
++	ret = gnutls_fips140_push_context(fips_context);	\
++	if (ret < 0) {						\
++		fail("gnutls_fips140_push_context failed\n");	\
++	}							\
++} while (0)
++
++#define FIPS_POP_CONTEXT(state) do {					\
++	ret = gnutls_fips140_pop_context();				\
++	if (ret < 0) {							\
++		fail("gnutls_fips140_context_pop failed\n");		\
++	}								\
++	fips_state = gnutls_fips140_get_operation_state(fips_context);	\
++	if (fips_state != GNUTLS_FIPS140_OP_ ## state) {		\
++		fail("operation state is not " # state " (%d)\n",	\
++		     fips_state);					\
++	}								\
++} while (0)
++
++
++void generate_successfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey,
++                           unsigned int size);
++void generate_unsuccessfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey,
++                             unsigned int size);
++void sign_verify_successfully(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey);
++void sign_verify_unsuccessfully(gnutls_privkey_t privkey,
++                                gnutls_pubkey_t pubkey);
++void nosign_verify(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey);
++
++
++void generate_successfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey,
++                           unsigned int size)
++{
++	int ret;
++	gnutls_x509_privkey_t xprivkey;
++	gnutls_fips140_context_t fips_context;
++	gnutls_fips140_operation_state_t fips_state;
++	assert(gnutls_fips140_context_init(&fips_context) == 0);
++
++	fprintf(stderr, "%d-bit\n", size);
++
++	/* x509 generation as well just because why not */
++	FIPS_PUSH_CONTEXT();
++	assert(gnutls_x509_privkey_init(&xprivkey) == 0);
++	ret = gnutls_x509_privkey_generate(xprivkey, GNUTLS_PK_RSA, size, 0);
++	if (ret != GNUTLS_E_SUCCESS)
++		fail("%d-bit x509_privkey_init (%d)\n", size, ret);
++	FIPS_POP_CONTEXT(APPROVED);
++	gnutls_x509_privkey_deinit(xprivkey);
++
++	FIPS_PUSH_CONTEXT();
++	assert(gnutls_privkey_init(privkey) == 0);
++	ret = gnutls_privkey_generate(*privkey, GNUTLS_PK_RSA, size, 0);
++	if (ret != GNUTLS_E_SUCCESS)
++		fail("%d-bit privkey_init (%d)\n", size, ret);
++	FIPS_POP_CONTEXT(APPROVED);
++
++	assert(gnutls_pubkey_init(pubkey) == 0);
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_pubkey_import_privkey(*pubkey, *privkey,
++					   GNUTLS_KEY_DIGITAL_SIGNATURE, 0);
++	if (ret != GNUTLS_E_SUCCESS)
++		fail("%d-bit pubkey_import_privkey (%d)\n", size, ret);
++	FIPS_POP_CONTEXT(INITIAL);
++
++	gnutls_fips140_context_deinit(fips_context);
++}
++
++
++void generate_unsuccessfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey,
++                             unsigned int size)
++{
++	int ret;
++	gnutls_x509_privkey_t xprivkey;
++	gnutls_fips140_context_t fips_context;
++	gnutls_fips140_operation_state_t fips_state;
++	assert(gnutls_fips140_context_init(&fips_context) == 0);
++
++	fprintf(stderr, "%d-bit\n", size);
++
++	/* short x509 generation: ERROR, blocked */
++	FIPS_PUSH_CONTEXT();
++	assert(gnutls_x509_privkey_init(&xprivkey) == 0);
++	ret = gnutls_x509_privkey_generate(xprivkey, GNUTLS_PK_RSA, size, 0);
++	if (ret != GNUTLS_E_PK_GENERATION_ERROR)
++		fail("%d-bit x509_privkey_init (%d)\n", size, ret);
++	FIPS_POP_CONTEXT(ERROR);
++	gnutls_x509_privkey_deinit(xprivkey);
++
++	/* short key generation: ERROR, blocked */
++	FIPS_PUSH_CONTEXT();
++	assert(gnutls_privkey_init(privkey) == 0);
++	ret = gnutls_privkey_generate(*privkey, GNUTLS_PK_RSA, size, 0);
++	if (ret != GNUTLS_E_PK_GENERATION_ERROR)
++		fail("%d-bit privkey_init (%d)\n", size, ret);
++	FIPS_POP_CONTEXT(ERROR);
++	gnutls_privkey_deinit(*privkey);
++
++	/* Disable FIPS to generate them anyway */
++	gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
++	assert(gnutls_fips140_mode_enabled() == GNUTLS_FIPS140_LAX);
++
++	assert(gnutls_x509_privkey_init(&xprivkey) == 0);
++	ret = gnutls_x509_privkey_generate(xprivkey, GNUTLS_PK_RSA, size, 0);
++	if (ret != GNUTLS_E_SUCCESS)
++		fail("%d-bit x509_privkey_init (%d)\n", size, ret);
++	gnutls_x509_privkey_deinit(xprivkey);
++
++	assert(gnutls_privkey_init(privkey) == 0);
++	ret = gnutls_privkey_generate(*privkey, GNUTLS_PK_RSA, size, 0);
++	if (ret != GNUTLS_E_SUCCESS)
++		fail("%d-bit privkey_init (%d)\n", size, ret);
++
++	assert(gnutls_pubkey_init(pubkey) == 0);
++	ret = gnutls_pubkey_import_privkey(*pubkey, *privkey,
++					   GNUTLS_KEY_DIGITAL_SIGNATURE, 0);
++	if (ret != GNUTLS_E_SUCCESS)
++		fail("%d-bit pubkey_import_privkey (%d)\n", size, ret);
++
++	gnutls_fips140_set_mode(GNUTLS_FIPS140_STRICT, 0);
++	assert(gnutls_fips140_mode_enabled());
++
++	gnutls_fips140_context_deinit(fips_context);
++}
++
++
++void sign_verify_successfully(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey) {
++	int ret;
++	gnutls_fips140_context_t fips_context;
++	gnutls_fips140_operation_state_t fips_state;
++
++	gnutls_datum_t signature;
++	gnutls_datum_t plaintext = {
++		.data = (unsigned char* const) "Hello world!",
++		.size = 12
++	};
++	assert(gnutls_fips140_context_init(&fips_context) == 0);
++
++	/* RSA sign: approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0,
++	                               &plaintext, &signature);
++	if (ret < 0)
++		fail("gnutls_privkey_sign_data failed\n");
++	FIPS_POP_CONTEXT(APPROVED);
++
++	/* RSA verify: approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA256, 0,
++	                                 &plaintext, &signature);
++	if (ret < 0)
++		fail("gnutls_pubkey_verify_data2 failed\n");
++	FIPS_POP_CONTEXT(APPROVED);
++
++	gnutls_free(signature.data);
++	gnutls_fips140_context_deinit(fips_context);
++}
++
++
++void sign_verify_unsuccessfully(gnutls_privkey_t privkey,
++                                gnutls_pubkey_t pubkey) {
++	int ret;
++	gnutls_fips140_context_t fips_context;
++	gnutls_fips140_operation_state_t fips_state;
++
++	gnutls_datum_t signature;
++	gnutls_datum_t plaintext = {
++		.data = (unsigned char* const) "Hello world!",
++		.size = 12
++	};
++	assert(gnutls_fips140_context_init(&fips_context) == 0);
++
++	/* small key RSA sign: not approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0,
++	                               &plaintext, &signature);
++	if (ret < 0)
++		fail("gnutls_privkey_sign_data failed\n");
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	/* small key RSA verify: not approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA256, 0,
++	                                 &plaintext, &signature);
++	if (ret < 0)
++		fail("gnutls_pubkey_verify_data2 failed\n");
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	gnutls_free(signature.data);
++	gnutls_pubkey_deinit(pubkey);
++	gnutls_privkey_deinit(privkey);
++	gnutls_fips140_context_deinit(fips_context);
++}
++
++
++void nosign_verify(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey) {
++	int ret;
++	gnutls_fips140_context_t fips_context;
++	gnutls_fips140_operation_state_t fips_state;
++
++	gnutls_datum_t signature;
++	gnutls_datum_t plaintext = {
++		.data = (unsigned char* const) "Hello world!",
++		.size = 12
++	};
++	assert(gnutls_fips140_context_init(&fips_context) == 0);
++
++	/* 1024, 1280, 1536, 1792 key RSA sign: not approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0,
++	                               &plaintext, &signature);
++	if (ret < 0)
++		fail("gnutls_privkey_sign_data failed\n");
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	/* Disable FIPS to sign them anyway */
++	gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
++	assert(gnutls_fips140_mode_enabled() == GNUTLS_FIPS140_LAX);
++
++	ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0,
++	                               &plaintext, &signature);
++	if (ret < 0)
++		fail("gnutls_privkey_sign_data failed\n");
++
++	gnutls_fips140_set_mode(GNUTLS_FIPS140_STRICT, 0);
++	assert(gnutls_fips140_mode_enabled());
++
++	/* 1024, 1280, 1536, 1792 key RSA verify: approved (exception) */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA256, 0,
++	                                 &plaintext, &signature);
++	if (ret < 0)
++		fail("gnutls_pubkey_verify_data2 failed\n");
++	FIPS_POP_CONTEXT(APPROVED);
++
++	gnutls_free(signature.data);
++	gnutls_pubkey_deinit(pubkey);
++	gnutls_privkey_deinit(privkey);
++	gnutls_fips140_context_deinit(fips_context);
++}
++
++
++void doit(void)
++{
++	gnutls_fips140_context_t fips_context;
++	gnutls_privkey_t privkey;
++	gnutls_pubkey_t pubkey;
++
++	if (gnutls_fips140_mode_enabled() == 0) {
++		success("We are not in FIPS140 mode\n");
++		exit(77);  /* SKIP */
++	}
++
++	assert(gnutls_fips140_context_init(&fips_context) == 0);
++
++	/* 512-bit RSA: no generate, no sign, no verify */
++	generate_unsuccessfully(&privkey, &pubkey, 512);
++	sign_verify_unsuccessfully(privkey, pubkey);
++	/* 512-bit RSA again (to be safer about going in and out of FIPS) */
++	generate_unsuccessfully(&privkey, &pubkey, 512);
++	sign_verify_unsuccessfully(privkey, pubkey);
++	/* 600-bit RSA: no generate, no sign, no verify */
++	generate_unsuccessfully(&privkey, &pubkey, 600);
++	sign_verify_unsuccessfully(privkey, pubkey);
++
++	/* 768-bit RSA not-an-exception: nogenerate, nosign, verify */
++	generate_unsuccessfully(&privkey, &pubkey, 768);
++	sign_verify_unsuccessfully(privkey, pubkey);
++	/* 1024-bit RSA exception: nogenerate, nosign, verify */
++	generate_unsuccessfully(&privkey, &pubkey, 1024);
++	nosign_verify(privkey, pubkey);
++	/* 1280-bit RSA exception: nogenerate, nosign, verify */
++	generate_unsuccessfully(&privkey, &pubkey, 1280);
++	nosign_verify(privkey, pubkey);
++	/* 1500-bit RSA not-an-exception: nogenerate, nosign, noverify */
++	generate_unsuccessfully(&privkey, &pubkey, 1500);
++	sign_verify_unsuccessfully(privkey, pubkey);
++	/* 1536-bit RSA exception: nogenerate, nosign, verify */
++	generate_unsuccessfully(&privkey, &pubkey, 1536);
++	nosign_verify(privkey, pubkey);
++	/* 1792-bit RSA exception: nogenerate, nosign, verify */
++	generate_unsuccessfully(&privkey, &pubkey, 1792);
++	nosign_verify(privkey, pubkey);
++	/* 2000-bit RSA not-an-exception: nogenerate, nosign, noverify */
++	generate_unsuccessfully(&privkey, &pubkey, 2000);
++	sign_verify_unsuccessfully(privkey, pubkey);
++
++	/* 2048-bit RSA: generate, sign, verify */
++	generate_successfully(&privkey, &pubkey, 2048);
++	sign_verify_successfully(privkey, pubkey);
++	/* 2432-bit RSA: nogenerate, sign, verify */
++	generate_unsuccessfully(&privkey, &pubkey, 2432);
++	sign_verify_successfully(privkey, pubkey);
++	/* 3072-bit RSA: generate, sign, verify */
++	generate_successfully(&privkey, &pubkey, 3072);
++	sign_verify_successfully(privkey, pubkey);
++
++	gnutls_fips140_context_deinit(fips_context);
++}
+-- 
+2.37.2
+

SOURCES/gnutls-3.7.6-fips-run-selftests.patch

@@ -0,0 +1,640 @@
+From 036fb360e5775f01ef25f5e712024a29930c462e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 3 Jun 2022 15:43:00 +0900
+Subject: [PATCH] fips: provide function to manually run FIPS self-tests
+
+FIPS140-3 IG 10.3.E Periodic Self-Testing says:
+
+  At security levels 1 and 2, acceptable means for initiating the
+  periodic self-tests include a provided service, resetting, rebooting
+  or power cycling.
+
+Neither resetting, rebooting, nor power-cycling is suitable because
+those involve operations outside of the module.  Therefore this patch
+adds a new API to manually run the substance of FIPS140 self-tests.
+
+Suggeested by Richard Costa and Stephan Mueller in:
+https://gitlab.com/gnutls/gnutls/-/issues/1364
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ NEWS                            |   5 ++
+ devel/libgnutls.abignore        |   2 +
+ devel/symbols.last              |   2 +
+ doc/Makefile.am                 |   2 +
+ doc/manpages/Makefile.am        |   1 +
+ lib/fips.c                      | 139 ++++++++++++++++----------------
+ lib/global.c                    |  14 +++-
+ lib/includes/gnutls/gnutls.h.in |   2 +
+ lib/libgnutls.map               |   8 ++
+ tests/fips-test.c               |   7 ++
+ 10 files changed, 110 insertions(+), 72 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 70dd8a12b5..389be8acaa 100644
+--- a/NEWS
++++ b/NEWS
+@@ -5,6 +5,11 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
+ Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
+ See the end for copying conditions.
+ 
++* Version 3.7.7 (unreleased)
++
++** API and ABI modifications:
++gnutls_fips140_run_self_tests: New function
++
+ * Version 3.7.6 (released 2022-05-27)
+ 
+ ** libgnutls: Fixed invalid write when gnutls_realloc_zero()
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index d20a021d97..34ef43866c 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -1096,6 +1096,8 @@ FUNCS += functions/gnutls_fips140_pop_context
+ FUNCS += functions/gnutls_fips140_pop_context.short
+ FUNCS += functions/gnutls_fips140_push_context
+ FUNCS += functions/gnutls_fips140_push_context.short
++FUNCS += functions/gnutls_fips140_run_self_tests
++FUNCS += functions/gnutls_fips140_run_self_tests.short
+ FUNCS += functions/gnutls_fips140_set_mode
+ FUNCS += functions/gnutls_fips140_set_mode.short
+ FUNCS += functions/gnutls_get_library_config
+diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
+index d8c5f2854d..90906b0574 100644
+--- a/doc/manpages/Makefile.am
++++ b/doc/manpages/Makefile.am
+@@ -380,6 +380,7 @@ APIMANS += gnutls_fips140_get_operation_state.3
+ APIMANS += gnutls_fips140_mode_enabled.3
+ APIMANS += gnutls_fips140_pop_context.3
+ APIMANS += gnutls_fips140_push_context.3
++APIMANS += gnutls_fips140_run_self_tests.3
+ APIMANS += gnutls_fips140_set_mode.3
+ APIMANS += gnutls_get_library_config.3
+ APIMANS += gnutls_get_system_config_file.3
+diff --git a/lib/fips.c b/lib/fips.c
+index e9c27f6df6..656d43e74a 100644
+--- a/lib/fips.c
++++ b/lib/fips.c
+@@ -419,8 +419,6 @@ int _gnutls_fips_perform_self_checks1(void)
+ {
+ 	int ret;
+ 
+-	_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
+-
+ 	/* Tests the FIPS algorithms used by nettle internally.
+ 	 * In our case we test AES-CBC since nettle's AES is used by
+ 	 * the DRBG-AES.
+@@ -429,193 +427,153 @@ int _gnutls_fips_perform_self_checks1(void)
+ 	/* ciphers - one test per cipher */
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_128_CBC);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	return 0;
+-
+-error:
+-	_gnutls_switch_lib_state(LIB_STATE_ERROR);
+-	_gnutls_audit_log(NULL, "FIPS140-2 self testing part1 failed\n");
+-
+-	return GNUTLS_E_SELF_TEST_ERROR;
+ }
+ 
+ int _gnutls_fips_perform_self_checks2(void)
+ {
+ 	int ret;
+ 
+-	_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
+-
+ 	/* Tests the FIPS algorithms */
+ 
+ 	/* ciphers - one test per cipher */
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_3DES_CBC);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_GCM);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_XTS);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CFB8);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* Digest tests */
+ 	ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_224);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_384);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_512);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* MAC (includes message digest test) */
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA1);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA224);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA384);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA512);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_AES_CMAC_256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* PK */
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_DSA);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_EC);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_DH);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* HKDF */
+ 	ret = gnutls_hkdf_self_test(0, GNUTLS_MAC_SHA256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* PBKDF2 */
+ 	ret = gnutls_pbkdf2_self_test(0, GNUTLS_MAC_SHA256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* TLS-PRF */
+ 	ret = gnutls_tlsprf_self_test(0, GNUTLS_MAC_SHA256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	if (_gnutls_rnd_ops.self_test == NULL) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* this does not require rng initialization */
+ 	ret = _gnutls_rnd_ops.self_test();
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	if (_skip_integrity_checks == 0) {
+ 		ret = check_binary_integrity();
+ 		if (ret < 0) {
+-			gnutls_assert();
+-			goto error;
++			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 		}
+ 	}
+ 
+ 	return 0;
+-
+-error:
+-	_gnutls_switch_lib_state(LIB_STATE_ERROR);
+-	_gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n");
+-
+-	return GNUTLS_E_SELF_TEST_ERROR;
+ }
+ #endif
+ 
+@@ -894,3 +852,48 @@ _gnutls_switch_fips_state(gnutls_fips140_operation_state_t state)
+ 	(void)state;
+ #endif
+ }
++
++/**
++ * gnutls_fips140_run_self_tests:
++ *
++ * Manually perform the second round of the FIPS140 self-tests,
++ * including:
++ *
++ * - Known answer tests (KAT) for the selected set of symmetric
++ *   cipher, MAC, public key, KDF, and DRBG
++ * - Library integrity checks
++ *
++ * Upon failure with FIPS140 mode enabled, it makes the library
++ * unusable.  This function is not thread-safe.
++ *
++ * Returns: 0 upon success, a negative error code otherwise
++ *
++ * Since: 3.7.7
++ */
++int
++gnutls_fips140_run_self_tests(void)
++{
++#ifdef ENABLE_FIPS140
++	int ret;
++	unsigned prev_lib_state;
++
++	/* Temporarily switch to LIB_STATE_SELFTEST as some of the
++	 * algorithms are implemented using special constructs in
++	 * self-tests (such as deterministic variants) */
++	prev_lib_state = _gnutls_get_lib_state();
++	_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
++
++	ret = _gnutls_fips_perform_self_checks2();
++	if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED &&
++	    ret < 0) {
++		_gnutls_switch_lib_state(LIB_STATE_ERROR);
++		_gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n");
++	} else {
++		/* Restore the previous library state */
++		_gnutls_switch_lib_state(prev_lib_state);
++	}
++	return ret;
++#else
++	return 0;
++#endif
++}
+diff --git a/lib/global.c b/lib/global.c
+index faa7f0afb2..1b372c15bd 100644
+--- a/lib/global.c
++++ b/lib/global.c
+@@ -336,9 +336,12 @@ static int _gnutls_global_init(unsigned constructor)
+ 
+ 		/* first round of self checks, these are done on the
+ 		 * nettle algorithms which are used internally */
++		_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
+ 		ret = _gnutls_fips_perform_self_checks1();
+-		if (res != 2) {
+-			if (ret < 0) {
++		if (ret < 0) {
++			_gnutls_switch_lib_state(LIB_STATE_ERROR);
++			_gnutls_audit_log(NULL, "FIPS140-2 self testing part1 failed\n");
++			if (res != 2) {
+ 				gnutls_assert();
+ 				goto out;
+ 			}
+@@ -355,9 +358,12 @@ static int _gnutls_global_init(unsigned constructor)
+ 	 * (e.g., AESNI overridden AES). They are after _gnutls_register_accel_crypto()
+ 	 * intentionally */
+ 	if (res != 0) {
++		_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
+ 		ret = _gnutls_fips_perform_self_checks2();
+-		if (res != 2) {
+-			if (ret < 0) {
++		if (ret < 0) {
++			_gnutls_switch_lib_state(LIB_STATE_ERROR);
++			_gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n");
++			if (res != 2) {
+ 				gnutls_assert();
+ 				goto out;
+ 			}
+diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
+index f7fc5d114a..5840f331e9 100644
+--- a/lib/includes/gnutls/gnutls.h.in
++++ b/lib/includes/gnutls/gnutls.h.in
+@@ -3416,6 +3416,8 @@ gnutls_fips140_get_operation_state(gnutls_fips140_context_t context);
+ int gnutls_fips140_push_context(gnutls_fips140_context_t context);
+ int gnutls_fips140_pop_context(void);
+ 
++int gnutls_fips140_run_self_tests(void);
++
+   /* Gnutls error codes. The mapping to a TLS alert is also shown in
+    * comments.
+    */
+diff --git a/lib/libgnutls.map b/lib/libgnutls.map
+index 0241946c8a..f42d5f9fae 100644
+--- a/lib/libgnutls.map
++++ b/lib/libgnutls.map
+@@ -1399,6 +1399,14 @@ GNUTLS_3_7_5
+ 	*;
+ } GNUTLS_3_7_4;
+ 
++GNUTLS_3_7_7
++{
++ global:
++	gnutls_fips140_run_self_tests;
++ local:
++	*;
++} GNUTLS_3_7_5;
++
+ GNUTLS_FIPS140_3_4 {
+   global:
+ 	gnutls_cipher_self_test;
+diff --git a/tests/fips-test.c b/tests/fips-test.c
+index a6a283fa67..31a5e26111 100644
+--- a/tests/fips-test.c
++++ b/tests/fips-test.c
+@@ -525,6 +525,13 @@ void doit(void)
+ 	}
+ 
+ 	gnutls_fips140_context_deinit(fips_context);
++
++	/* run self-tests manually */
++	ret = gnutls_fips140_run_self_tests();
++	if (ret < 0) {
++		fail("gnutls_fips140_run_self_tests failed\n");
++	}
++
+ 	gnutls_global_deinit();
+ 	return;
+ }
+-- 
+2.36.1
+
+From 354027c0c09db60d3083fa48ae791046d336957b Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Tue, 28 Jun 2022 17:22:36 +0200
+Subject: [PATCH] tests/fips-test: minor extension
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+---
+ tests/fips-test.c | 36 +++++++++++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/tests/fips-test.c b/tests/fips-test.c
+index 31a5e26111..f9bd34586a 100644
+--- a/tests/fips-test.c
++++ b/tests/fips-test.c
+@@ -427,34 +427,43 @@ void doit(void)
+ 	rsa_import_keypair(&privkey, &pubkey, "rsa-2432.pem");
+ 	FIPS_POP_CONTEXT(INITIAL);
+ 
+-	/* Create a signature with SHA256; approved */
++	/* Create a signature with 2432-bit RSA and SHA256; approved */
+ 	FIPS_PUSH_CONTEXT();
+ 	ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0,
+ 				       &data, &signature);
+ 	if (ret < 0) {
+ 		fail("gnutls_privkey_sign_data failed\n");
+ 	}
+-	gnutls_free(signature.data);
+ 	FIPS_POP_CONTEXT(APPROVED);
+ 
+-	/* Create a signature with SHA-1; not approved */
++	/* Verify a signature with 2432-bit RSA and SHA256; approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA256, 0,
++	                                 &data, &signature);
++	if (ret < 0) {
++		fail("gnutls_pubkey_verify_data2 failed\n");
++	}
++	FIPS_POP_CONTEXT(APPROVED);
++	gnutls_free(signature.data);
++
++	/* Create a signature with 2432-bit RSA and SHA-1; not approved */
+ 	FIPS_PUSH_CONTEXT();
+ 	ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0,
+ 				       &data, &signature);
+ 	if (ret < 0) {
+ 		fail("gnutls_privkey_sign_data failed\n");
+ 	}
+-	gnutls_free(signature.data);
+ 	FIPS_POP_CONTEXT(NOT_APPROVED);
+ 
+-	/* Verify a signature created with SHA-1; approved */
++	/* Verify a signature created with 2432-bit RSA and SHA-1; approved */
+ 	FIPS_PUSH_CONTEXT();
+-	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0, &data,
+-					 &rsa2342_sha1_sig);
++	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0,
++	                                 &data, &rsa2342_sha1_sig);
+ 	if (ret < 0) {
+ 		fail("gnutls_pubkey_verify_data2 failed\n");
+ 	}
+ 	FIPS_POP_CONTEXT(APPROVED);
++	gnutls_free(signature.data);
+ 	gnutls_pubkey_deinit(pubkey);
+ 	gnutls_privkey_deinit(privkey);
+ 
+@@ -463,15 +472,24 @@ void doit(void)
+ 	rsa_import_keypair(&privkey, &pubkey, "rsa-512.pem");
+ 	FIPS_POP_CONTEXT(INITIAL);
+ 
+-	/* Create a signature; not approved */
++	/* Create a signature with 512-bit RSA and SHA256; not approved */
+ 	FIPS_PUSH_CONTEXT();
+ 	ret = gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA256, 0,
+ 				       &data, &signature);
+ 	if (ret < 0) {
+ 		fail("gnutls_privkey_sign_data failed\n");
+ 	}
+-	gnutls_free(signature.data);
+ 	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	/* Verify a signature with 512-bit RSA and SHA256; not approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA256, 0,
++	                                 &data, &signature);
++	if (ret < 0) {
++		fail("gnutls_pubkey_verify_data2 failed\n");
++	}
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++	gnutls_free(signature.data);
+ 	gnutls_pubkey_deinit(pubkey);
+ 	gnutls_privkey_deinit(privkey);
+ 
+-- 
+2.37.3
+
+From 5a745120148861d873f47c1428c8c6dcadcf109b Mon Sep 17 00:00:00 2001
+From: Richard Costa <richard.costa@suse.com>
+Date: Sat, 9 Jul 2022 00:50:21 +0000
+Subject: [PATCH] Add self-test code inside a FIPS context
+
+Self-test code exercise lots of different FIPS-related code with
+side-effects. So, in order to prevent it from losing information when
+executing inside another context, we create an appropriated one.
+
+If the self-test fails, then the library is placed in error state, so it
+doesn't matter for other contexts.
+
+Signed-off-by: Richard Maciel Costa <richard.costa@suse.com>
+---
+ lib/fips.c        | 19 +++++++++++++++++++
+ tests/fips-test.c | 20 ++++++++++++--------
+ 2 files changed, 31 insertions(+), 8 deletions(-)
+
+diff --git a/lib/fips.c b/lib/fips.c
+index 31a52a990f..7d143e608e 100644
+--- a/lib/fips.c
++++ b/lib/fips.c
+@@ -902,6 +902,16 @@ gnutls_fips140_run_self_tests(void)
+ #ifdef ENABLE_FIPS140
+ 	int ret;
+ 	unsigned prev_lib_state;
++	gnutls_fips140_context_t fips_context = NULL;
++
++	/* Save the FIPS context, because self tests change it */
++	if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED) {
++		if (gnutls_fips140_context_init(&fips_context) < 0 ||
++		    gnutls_fips140_push_context(fips_context) < 0) {
++			gnutls_fips140_context_deinit(fips_context);
++			fips_context = NULL;
++		}
++	}
+ 
+ 	/* Temporarily switch to LIB_STATE_SELFTEST as some of the
+ 	 * algorithms are implemented using special constructs in
+@@ -918,6 +928,15 @@ gnutls_fips140_run_self_tests(void)
+ 		/* Restore the previous library state */
+ 		_gnutls_switch_lib_state(prev_lib_state);
+ 	}
++
++	/* Restore the previous FIPS context */
++	if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED && fips_context) {
++		if (gnutls_fips140_pop_context() < 0) {
++			_gnutls_switch_lib_state(LIB_STATE_ERROR);
++			_gnutls_audit_log(NULL, "FIPS140-2 context restoration failed\n");
++		}
++		gnutls_fips140_context_deinit(fips_context);
++	}
+ 	return ret;
+ #else
+ 	return 0;
+diff --git a/tests/fips-test.c b/tests/fips-test.c
+index f9bd34586a..475b739197 100644
+--- a/tests/fips-test.c
++++ b/tests/fips-test.c
+@@ -457,8 +457,9 @@ void doit(void)
+ 
+ 	/* Verify a signature created with 2432-bit RSA and SHA-1; approved */
+ 	FIPS_PUSH_CONTEXT();
+-	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1, 0,
+-	                                 &data, &rsa2342_sha1_sig);
++	ret = gnutls_pubkey_verify_data2(pubkey, GNUTLS_SIGN_RSA_SHA1,
++					 GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, &data,
++					 &rsa2342_sha1_sig);
+ 	if (ret < 0) {
+ 		fail("gnutls_pubkey_verify_data2 failed\n");
+ 	}
+@@ -501,6 +502,15 @@ void doit(void)
+ 	}
+ 	FIPS_POP_CONTEXT(APPROVED);
+ 
++        /* run self-tests manually */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_rnd(GNUTLS_RND_RANDOM, key16, sizeof(key16));
++	ret = gnutls_fips140_run_self_tests();
++	if (ret < 0) {
++		fail("gnutls_fips140_run_self_tests failed\n");
++	}
++	FIPS_POP_CONTEXT(APPROVED);
++
+ 	/* Test when FIPS140 is set to error state */
+ 	_gnutls_lib_simulate_error();
+ 
+@@ -544,12 +554,6 @@ void doit(void)
+ 
+ 	gnutls_fips140_context_deinit(fips_context);
+ 
+-	/* run self-tests manually */
+-	ret = gnutls_fips140_run_self_tests();
+-	if (ret < 0) {
+-		fail("gnutls_fips140_run_self_tests failed\n");
+-	}
+-
+ 	gnutls_global_deinit();
+ 	return;
+ }
+-- 
+2.37.3
+

SOURCES/gnutls-3.7.6-fips-symkey-limit.patch

@@ -0,0 +1,310 @@
+From f8a8961cfa176fc74c153cb6e1e68aff5e2d42f2 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Tue, 27 Sep 2022 10:52:19 +0900
+Subject: [PATCH] gnutls-3.7.6-fips-symkey-limit.patch
+
+---
+ lib/crypto-api.c  | 26 ++++++++++++++++++++++---
+ tests/fips-test.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++
+ tests/kdf-api.c   |  9 ++++++++-
+ 3 files changed, 80 insertions(+), 4 deletions(-)
+
+diff --git a/lib/crypto-api.c b/lib/crypto-api.c
+index b3e1eec..35200fb 100644
+--- a/lib/crypto-api.c
++++ b/lib/crypto-api.c
+@@ -896,6 +896,7 @@ gnutls_hash_hd_t gnutls_hash_copy(gnutls_hash_hd_t handle)
+ int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size)
+ {
+ 	int ret;
++	bool not_approved = false;
+ 
+ 	FAIL_IF_LIB_ERROR;
+ 
+@@ -912,17 +913,31 @@ int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size)
+ 	key->data = gnutls_malloc(key->size);
+ 	if (!key->data) {
+ 		gnutls_assert();
+-		return GNUTLS_E_MEMORY_ERROR;
++		ret = GNUTLS_E_MEMORY_ERROR;
++		goto error;
++	}
++
++	/* Key lengths of less than 112 bits are not approved */
++	if (key_size < 14) {
++		not_approved = true;
+ 	}
+ 
+ 	ret = gnutls_rnd(GNUTLS_RND_RANDOM, key->data, key->size);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+ 		_gnutls_free_datum(key);
+-		return ret;
++		goto error;
+ 	}
+ 
+-	return 0;
++ error:
++	if (ret < 0) {
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++	} else if (not_approved) {
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_NOT_APPROVED);
++	} else {
++		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_APPROVED);
++	}
++	return ret;
+ }
+ 
+ /* AEAD API */
+@@ -2058,6 +2073,11 @@ gnutls_pbkdf2(gnutls_mac_algorithm_t mac,
+ 		not_approved = true;
+ 	}
+ 
++	/* Key lengths and output sizes of less than 112 bits are not approved */
++	if (key->size < 14 || length < 14) {
++		not_approved = true;
++	}
++
+ 	ret = _gnutls_kdf_ops.pbkdf2(mac, key->data, key->size,
+ 				     salt->data, salt->size, iter_count,
+ 				     output, length);
+diff --git a/tests/fips-test.c b/tests/fips-test.c
+index 31a5e26..27da414 100644
+--- a/tests/fips-test.c
++++ b/tests/fips-test.c
+@@ -274,6 +274,8 @@ void doit(void)
+ 	gnutls_datum_t signature;
+ 	unsigned int bits;
+ 	uint8_t hmac[64];
++	uint8_t pbkdf2[64];
++	gnutls_datum_t temp_key = { NULL, 0 };
+ 
+ 	fprintf(stderr,
+ 		"Please note that if in FIPS140 mode, you need to assure the library's integrity prior to running this test\n");
+@@ -371,11 +373,58 @@ void doit(void)
+ 	}
+ 	FIPS_POP_CONTEXT(NOT_APPROVED);
+ 
++	/* PBKDF2 with key equal to or longer than 112 bits: approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100,
++			    &pbkdf2, sizeof(pbkdf2));
++	if (ret < 0) {
++		fail("gnutls_pbkdf2 failed\n");
++	}
++	FIPS_POP_CONTEXT(APPROVED);
++
++	/* PBKDF2 with key shorter than 112 bits: not approved */
++	FIPS_PUSH_CONTEXT();
++	key.size = 13;
++	ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100,
++			    &pbkdf2, sizeof(pbkdf2));
++	if (ret < 0) {
++		fail("gnutls_pbkdf2 failed\n");
++	}
++	key.size = sizeof(key16);
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
++	/* PBKDF2 with output shorter than 112 bits: not approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_pbkdf2(GNUTLS_MAC_SHA256, &key, &iv, 100,
++			    &pbkdf2, 13);
++	if (ret < 0) {
++		fail("gnutls_pbkdf2 failed\n");
++	}
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
+ 	ret = gnutls_rnd(GNUTLS_RND_NONCE, key16, sizeof(key16));
+ 	if (ret < 0) {
+ 		fail("gnutls_rnd failed\n");
+ 	}
+ 
++	/* Symmetric key generation equal to or longer than 112 bits: approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_key_generate(&temp_key, 14);
++	if (ret < 0) {
++		fail("gnutls_key_generate failed\n");
++	}
++	gnutls_free(temp_key.data);
++	FIPS_POP_CONTEXT(APPROVED);
++
++	/* Symmetric key generation shorter than 112 bits: not approved */
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_key_generate(&temp_key, 13);
++	if (ret < 0) {
++		fail("gnutls_key_generate failed\n");
++	}
++	gnutls_free(temp_key.data);
++	FIPS_POP_CONTEXT(NOT_APPROVED);
++
+ 	ret = gnutls_pubkey_init(&pubkey);
+ 	if (ret < 0) {
+ 		fail("gnutls_pubkey_init failed\n");
+diff --git a/tests/kdf-api.c b/tests/kdf-api.c
+index 25fbc6a..8a4677c 100644
+--- a/tests/kdf-api.c
++++ b/tests/kdf-api.c
+@@ -89,6 +89,7 @@ test_hkdf(gnutls_mac_algorithm_t mac,
+ 
+ 	FIPS_PUSH_CONTEXT();
+ 	assert(gnutls_hkdf_extract(mac, &ikm, &salt, buf) >= 0);
++	/* HKDF outside of TLS usage is not approved */
+ 	FIPS_POP_CONTEXT(NOT_APPROVED);
+ 	gnutls_free(ikm.data);
+ 	gnutls_free(salt.data);
+@@ -110,6 +111,7 @@ test_hkdf(gnutls_mac_algorithm_t mac,
+ 
+ 	FIPS_PUSH_CONTEXT();
+ 	assert(gnutls_hkdf_expand(mac, &prk, &info, buf, length) >= 0);
++	/* HKDF outside of TLS usage is not approved */
+ 	FIPS_POP_CONTEXT(NOT_APPROVED);
+ 	gnutls_free(info.data);
+ 
+@@ -151,7 +153,12 @@ test_pbkdf2(gnutls_mac_algorithm_t mac,
+ 
+ 	FIPS_PUSH_CONTEXT();
+ 	assert(gnutls_pbkdf2(mac, &ikm, &salt, iter_count, buf, length) >= 0);
+-	FIPS_POP_CONTEXT(APPROVED);
++	/* Key sizes and output sizes less than 112-bit are not approved.  */
++	if (ikm.size < 14 || length < 14) {
++		FIPS_POP_CONTEXT(NOT_APPROVED);
++	} else {
++		FIPS_POP_CONTEXT(APPROVED);
++	}
+ 	gnutls_free(ikm.data);
+ 	gnutls_free(salt.data);
+ 
+-- 
+2.37.3
+
+From 86eded166f77612c70201c0d85d3abe711edd77d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 29 Sep 2022 21:19:26 +0900
+Subject: [PATCH] fips: only mark HMAC as approved in PBKDF2
+
+As ACVP only allows HMAC used with PBKDF2[1], this change marks other
+hash algorithms not-approved.
+
+1. https://pages.nist.gov/ACVP/draft-celi-acvp-pbkdf.html
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/crypto-api.c |  5 ++++-
+ lib/fips.h       | 16 +++++++++++++++-
+ tests/kdf-api.c  | 30 +++++++++++++++++++++++++++++-
+ 3 files changed, 48 insertions(+), 3 deletions(-)
+
+diff --git a/lib/crypto-api.c b/lib/crypto-api.c
+index d3e601ab3a..9f7e18db11 100644
+--- a/lib/crypto-api.c
++++ b/lib/crypto-api.c
+@@ -2229,7 +2229,10 @@ gnutls_pbkdf2(gnutls_mac_algorithm_t mac,
+ 	if (!is_mac_algo_allowed(mac)) {
+ 		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+ 		return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
+-	} else if (!is_mac_algo_approved_in_fips(mac)) {
++	} else if (!is_mac_algo_hmac_approved_in_fips(mac)) {
++		/* ACVP only allows HMAC used with PBKDF2:
++		 * https://pages.nist.gov/ACVP/draft-celi-acvp-pbkdf.html
++		 */
+ 		not_approved = true;
+ 	}
+ 
+diff --git a/lib/fips.h b/lib/fips.h
+index 3a74f254e7..bf61b36741 100644
+--- a/lib/fips.h
++++ b/lib/fips.h
+@@ -76,7 +76,7 @@ void _gnutls_lib_simulate_error(void);
+ void _gnutls_lib_force_operational(void);
+ 
+ inline static bool
+-is_mac_algo_approved_in_fips(gnutls_mac_algorithm_t algo)
++is_mac_algo_hmac_approved_in_fips(gnutls_mac_algorithm_t algo)
+ {
+ 	switch (algo) {
+ 	case GNUTLS_MAC_SHA1:
+@@ -88,6 +88,20 @@ is_mac_algo_approved_in_fips(gnutls_mac_algorithm_t algo)
+ 	case GNUTLS_MAC_SHA3_256:
+ 	case GNUTLS_MAC_SHA3_384:
+ 	case GNUTLS_MAC_SHA3_512:
++		return true;
++	default:
++		return false;
++	}
++}
++
++inline static bool
++is_mac_algo_approved_in_fips(gnutls_mac_algorithm_t algo)
++{
++	if (is_mac_algo_hmac_approved_in_fips(algo)) {
++		return true;
++	}
++
++	switch (algo) {
+ 	case GNUTLS_MAC_AES_CMAC_128:
+ 	case GNUTLS_MAC_AES_CMAC_256:
+ 	case GNUTLS_MAC_AES_GMAC_128:
+diff --git a/tests/kdf-api.c b/tests/kdf-api.c
+index 577cbf7a17..4feb22688b 100644
+--- a/tests/kdf-api.c
++++ b/tests/kdf-api.c
+@@ -26,6 +26,7 @@
+ #include <gnutls/crypto.h>
+ 
+ #include <assert.h>
++#include <stdbool.h>
+ #include <stdint.h>
+ 
+ #include "utils.h"
+@@ -133,6 +134,25 @@ test_hkdf(gnutls_mac_algorithm_t mac,
+ 	gnutls_free(hex.data);
+ }
+ 
++inline static bool
++is_mac_algo_hmac_approved_in_fips(gnutls_mac_algorithm_t algo)
++{
++	switch (algo) {
++	case GNUTLS_MAC_SHA1:
++	case GNUTLS_MAC_SHA256:
++	case GNUTLS_MAC_SHA384:
++	case GNUTLS_MAC_SHA512:
++	case GNUTLS_MAC_SHA224:
++	case GNUTLS_MAC_SHA3_224:
++	case GNUTLS_MAC_SHA3_256:
++	case GNUTLS_MAC_SHA3_384:
++	case GNUTLS_MAC_SHA3_512:
++		return true;
++	default:
++		return false;
++	}
++}
++
+ static void
+ test_pbkdf2(gnutls_mac_algorithm_t mac,
+ 	    const char *ikm_hex,
+@@ -161,7 +181,8 @@ test_pbkdf2(gnutls_mac_algorithm_t mac,
+ 	FIPS_PUSH_CONTEXT();
+ 	assert(gnutls_pbkdf2(mac, &ikm, &salt, iter_count, buf, length) >= 0);
+ 	/* Key sizes and output sizes less than 112-bit are not approved.  */
+-	if (ikm.size < 14 || length < 14) {
++	if (ikm.size < 14 || length < 14 ||
++	    !is_mac_algo_hmac_approved_in_fips(mac)) {
+ 		FIPS_POP_CONTEXT(NOT_APPROVED);
+ 	} else {
+ 		FIPS_POP_CONTEXT(APPROVED);
+@@ -208,5 +229,12 @@ doit(void)
+ 		    20,
+ 		    "4b007901b765489abead49d926f721d065a429c1");
+ 
++	test_pbkdf2(GNUTLS_MAC_AES_CMAC_128,
++		    "70617373776f726470617373776f7264", /* "passwordpassword" */
++		    "73616c74",		/* "salt" */
++		    4096,
++		    20,
++		    "c4c112c6e1e3b8757640603dec78825ff87605a7");
++
+ 	gnutls_fips140_context_deinit(fips_context);
+ }
+-- 
+2.37.3
+

SOURCES/gnutls-3.7.6-gmp-static.patch

@@ -0,0 +1,159 @@
+From 88808f0b8906bdc32579c144a2c44401ee97798a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 19 Aug 2022 12:32:27 +0900
+Subject: [PATCH] build: allow GMP to be statically linked
+
+Even though we set the custom allocator[1] to zeroize sensitive data,
+it can be easily invalidated if the application sets its own custom
+allocator.  An approach to prevent that is to link against a static
+library of GMP, so the use of GMP is privatized and the custom
+allocator configuration is not shared with other applications.
+
+This patch allows libgnutls to be linked with the static library of
+GMP.  Note that, to this work libgmp.a needs to be compiled with -fPIC
+and libhogweed in Nettle is also linked to the static library of GMP.
+
+1. https://gitlab.com/gnutls/gnutls/-/merge_requests/1554
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ configure.ac   | 14 +++++++++++++-
+ lib/fips.c     | 10 ++++++++++
+ lib/fipshmac.c |  5 ++++-
+ lib/global.c   |  2 ++
+ 4 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 96894b0be3..e4cf5eab81 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -742,6 +742,8 @@ AC_CHECK_FUNCS(nettle_cmac_kuznyechik_update)
+ LIBS=$save_LIBS
+ 
+ # Check sonames of the linked libraries needed for FIPS selftests.
++save_CFLAGS=$CFLAGS
++CFLAGS="$CFLAGS $GMP_CFLAGS"
+ save_LIBS=$LIBS
+ LIBS="$LIBS $GMP_LIBS"
+ AC_MSG_CHECKING([gmp soname])
+@@ -755,9 +757,14 @@ if test -z "$gmp_so"; then
+ 	gmp_so=none
+ fi
+ AC_MSG_RESULT($gmp_so)
+-AC_DEFINE_UNQUOTED([GMP_LIBRARY_SONAME], ["$gmp_so"], [The soname of gmp library])
++if test "$gmp_so" != none; then
++	AC_DEFINE_UNQUOTED([GMP_LIBRARY_SONAME], ["$gmp_so"], [The soname of gmp library])
++fi
+ LIBS=$save_LIBS
++CFLAGS=$save_CFLAGS
+ 
++save_CFLAGS=$CFLAGS
++CFLAGS="$CFLAGS $NETTLE_CFLAGS"
+ save_LIBS=$LIBS
+ LIBS="$LIBS $NETTLE_LIBS"
+ AC_MSG_CHECKING([nettle soname])
+@@ -773,7 +780,11 @@ fi
+ AC_MSG_RESULT($nettle_so)
+ AC_DEFINE_UNQUOTED([NETTLE_LIBRARY_SONAME], ["$nettle_so"], [The soname of nettle library])
+ LIBS=$save_LIBS
++CFLAGS=$save_CFLAGS
+ 
++save_CFLAGS=$CFLAGS
++# <nettle/bignum.h> includes <gmp.h>
++CFLAGS="$CFLAGS $HOGWEED_CFLAGS $GMP_CFLAGS"
+ save_LIBS=$LIBS
+ LIBS="$LIBS $HOGWEED_LIBS"
+ AC_MSG_CHECKING([hogweed soname])
+@@ -789,6 +800,7 @@ fi
+ AC_MSG_RESULT($hogweed_so)
+ AC_DEFINE_UNQUOTED([HOGWEED_LIBRARY_SONAME], ["$hogweed_so"], [The soname of hogweed library])
+ LIBS=$save_LIBS
++CFLAGS=$save_CFLAGS
+ 
+ gnutls_so=libgnutls.so.`expr "$LT_CURRENT" - "$LT_AGE"`
+ AC_DEFINE_UNQUOTED([GNUTLS_LIBRARY_SONAME], ["$gnutls_so"], [The soname of gnutls library])
+diff --git a/lib/fips.c b/lib/fips.c
+index 54eb4a37d4..42124ecf4e 100644
+--- a/lib/fips.c
++++ b/lib/fips.c
+@@ -149,7 +149,11 @@ void _gnutls_fips_mode_reset_zombie(void)
+ #define GNUTLS_LIBRARY_NAME GNUTLS_LIBRARY_SONAME
+ #define NETTLE_LIBRARY_NAME NETTLE_LIBRARY_SONAME
+ #define HOGWEED_LIBRARY_NAME HOGWEED_LIBRARY_SONAME
++
++/* GMP can be statically linked. */
++#ifdef GMP_LIBRARY_SONAME
+ #define GMP_LIBRARY_NAME GMP_LIBRARY_SONAME
++#endif
+ 
+ #define HMAC_SIZE 32
+ #define HMAC_ALGO GNUTLS_MAC_SHA256
+@@ -168,7 +172,9 @@ typedef struct
+ 	struct hmac_entry gnutls;
+ 	struct hmac_entry nettle;
+ 	struct hmac_entry hogweed;
++#ifdef GMP_LIBRARY_SONAME
+ 	struct hmac_entry gmp;
++#endif
+ } hmac_file;
+ 
+ static int get_library_path(const char* lib, const char* symbol, char* path, size_t path_size)
+@@ -259,8 +265,10 @@ static int handler(void *user, const char *section, const char *name, const char
+ 		return lib_handler(&p->nettle, section, name, value);
+ 	} else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) {
+ 		return lib_handler(&p->hogweed, section, name, value);
++#ifdef GMP_LIBRARY_SONAME
+ 	} else if (!strcmp(section, GMP_LIBRARY_NAME)) {
+ 		return lib_handler(&p->gmp, section, name, value);
++#endif
+ 	} else {
+ 		return 0;
+ 	}
+@@ -408,9 +416,11 @@ static int check_binary_integrity(void)
+ 	ret = check_lib_hmac(&file.hogweed, HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u");
+ 	if (ret < 0)
+ 		return ret;
++#ifdef GMP_LIBRARY_SONAME
+ 	ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init");
+ 	if (ret < 0)
+ 		return ret;
++#endif
+ 
+ 	return 0;
+ }
+diff --git a/lib/fipshmac.c b/lib/fipshmac.c
+index b091572bdf..363077f3e2 100644
+--- a/lib/fipshmac.c
++++ b/lib/fipshmac.c
+@@ -159,10 +159,13 @@ int main(int argc, char **argv)
+ 	ret = print_lib_dl(HOGWEED_LIBRARY_SONAME, "nettle_mpz_sizeinbase_256_u");
+ 	if (ret < 0)
+ 		return EXIT_FAILURE;
+-	
++
++	/* GMP can be statically linked. */
++#ifdef GMP_LIBRARY_SONAME
+ 	ret = print_lib_dl(GMP_LIBRARY_SONAME, "__gmpz_init");
+ 	if (ret < 0)
+ 		return EXIT_FAILURE;
++#endif
+ 
+ 	return EXIT_SUCCESS;
+ }
+diff --git a/lib/global.c b/lib/global.c
+index 1b372c15bd..9f3c7b22bd 100644
+--- a/lib/global.c
++++ b/lib/global.c
+@@ -548,7 +548,9 @@ static const struct gnutls_library_config_st _gnutls_library_config[] = {
+ 	{ "libgnutls-soname", GNUTLS_LIBRARY_SONAME },
+ 	{ "libnettle-soname", NETTLE_LIBRARY_SONAME },
+ 	{ "libhogweed-soname", HOGWEED_LIBRARY_SONAME },
++#ifdef GMP_LIBRARY_SONAME
+ 	{ "libgmp-soname", GMP_LIBRARY_SONAME },
++#endif
+ 	{ "hardware-features", HW_FEATURES },
+ 	{ "tls-features", TLS_FEATURES },
+ 	{ NULL, NULL }
+-- 
+2.37.1
+

SOURCES/gnutls-3.7.6-ktls-disable-by-default.patch

@@ -0,0 +1,124 @@
+From f41151c8a218f255af08362b74cd6ee0dfd45c00 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Franti=C5=A1ek=20Kren=C5=BEelok?=
+ <krenzelok.frantisek@gmail.com>
+Date: Tue, 14 Jun 2022 16:16:11 +0200
+Subject: [PATCH] KTLS: disable by default enable by config
+
+KTLS will be disabled by default when build with `--enable-ktls` to
+enable it, use config file option `ktls = true` in [global] section.
+
+Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
+---
+ doc/cha-config.texi | 18 ++++++++----------
+ lib/gnutls_int.h    |  2 +-
+ lib/handshake.c     |  2 +-
+ lib/priority.c      | 12 ++++++------
+ 4 files changed, 16 insertions(+), 18 deletions(-)
+
+diff --git a/doc/cha-config.texi b/doc/cha-config.texi
+index e550f2e4b1..eaab7fd799 100644
+--- a/doc/cha-config.texi
++++ b/doc/cha-config.texi
+@@ -26,7 +26,7 @@ used can be queried using @funcref{gnutls_get_system_config_file}.
+ * Querying for disabled algorithms and protocols::
+ * Overriding the parameter verification profile::
+ * Overriding the default priority string::
+-* Disabling system/acceleration protocols::
++* Enabling/Disabling system/acceleration protocols::
+ @end menu
+ 
+ @node Application-specific priority strings
+@@ -253,16 +253,14 @@ default-priority-string = SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3
+ @end example
+ 
+ 
+-@node Disabling system/acceleration protocols
+-@section Disabling system/acceleration protocols
+-When system/acceleration protocol is enabled during build, it is usually
+-enabled by default. The following options can overwrite this behavior
+-system-wide.
++@node Enabling/Disabling system/acceleration protocols
++@section Enabling/Disabling system/acceleration protocols
++The following options can overwrite default behavior of protocols system-wide.
+ @example
+ [global]
+-ktls = false
++ktls = true
+ 
+ @end example
+-@subsection Disabling KTLS
+-When GnuTLS is build with -–enable-ktls configuration, it uses KTLS by default.
+-This can be overwritten by setting @code{ktls = false} in @code{[global]} section.
++@subsection Enabling KTLS
++When GnuTLS is build with -–enable-ktls configuration, KTLS is disabled by default.
++This can be enabled by setting @code{ktls = true} in @code{[global]} section.
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index 872188696b..8c7bdaa1db 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -1649,6 +1649,6 @@ get_certificate_type(gnutls_session_t session,
+ 
+ extern unsigned int _gnutls_global_version;
+ 
+-bool _gnutls_config_is_ktls_disabled(void);
++bool _gnutls_config_is_ktls_enabled(void);
+ 
+ #endif /* GNUTLS_LIB_GNUTLS_INT_H */
+diff --git a/lib/handshake.c b/lib/handshake.c
+index f3edbbdacb..4dd457bf22 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2815,7 +2815,7 @@ int gnutls_handshake(gnutls_session_t session)
+ 
+ 	session->internals.ktls_enabled = 0;
+ #ifdef ENABLE_KTLS
+-	if (_gnutls_config_is_ktls_disabled() == false)
++	if (_gnutls_config_is_ktls_enabled() == true)
+ 		_gnutls_ktls_enable(session);
+ #endif
+ 
+diff --git a/lib/priority.c b/lib/priority.c
+index 7279c03c88..d163d8169f 100644
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -1027,7 +1027,7 @@ static void dummy_func(gnutls_priority_t c)
+ 
+ struct cfg {
+ 	bool allowlisting;
+-	bool ktls_disabled;
++	bool ktls_enabled;
+ 
+ 	name_val_array_t priority_strings;
+ 	char *priority_string;
+@@ -1140,7 +1140,7 @@ cfg_steal(struct cfg *dst, struct cfg *src)
+ 	src->default_priority_string = NULL;
+ 
+ 	dst->allowlisting = src->allowlisting;
+-	dst->ktls_disabled = src->ktls_disabled;
++	dst->ktls_enabled = src->ktls_enabled;
+ 	memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers));
+ 	memcpy(dst->macs, src->macs, sizeof(src->macs));
+ 	memcpy(dst->groups, src->groups, sizeof(src->groups));
+@@ -1268,8 +1268,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name,
+ 			}
+ 		} else if (c_strcasecmp(name, "ktls") == 0) {
+ 			p = clear_spaces(value, str);
+-			if (c_strcasecmp(p, "false") == 0) {
+-				cfg->ktls_disabled = true;
++			if (c_strcasecmp(p, "true") == 0) {
++				cfg->ktls_enabled = true;
+ 			} else {
+ 				_gnutls_debug_log("cfg: unknown ktls mode %s\n",
+ 					p);
+@@ -3490,6 +3490,6 @@ gnutls_priority_string_list(unsigned iter, unsigned int flags)
+ 	return NULL;
+ }
+ 
+-bool _gnutls_config_is_ktls_disabled(void){
+-	return system_wide_config.ktls_disabled;
++bool _gnutls_config_is_ktls_enabled(void){
++	return system_wide_config.ktls_enabled;
+ }
+-- 
+2.36.1
+

SOURCES/gnutls-3.7.6-ktls-fixes.patch

@@ -0,0 +1,348 @@
+From 7b700dbcd5907944a7dd2f74cd26ad8586cd4bac Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 28 Jun 2022 09:37:22 +0900
+Subject: [PATCH 1/3] tests: enable KTLS config while running gnutls_ktls test
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ tests/Makefile.am   |  9 +++++----
+ tests/gnutls_ktls.c |  4 ++--
+ tests/ktls.sh       | 46 +++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 53 insertions(+), 6 deletions(-)
+ create mode 100755 tests/ktls.sh
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 4deeb6462b..cba67e8db8 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -441,10 +441,6 @@ ctests += x509self x509dn anonself pskself pskself2 dhepskself	\
+ 	resume-with-record-size-limit
+ endif
+ 
+-if ENABLE_KTLS
+-ctests += gnutls_ktls
+-endif
+-
+ ctests += record-sendfile
+ 
+ gc_CPPFLAGS = $(AM_CPPFLAGS) \
+@@ -500,6 +496,11 @@ if ENABLE_TPM2
+ dist_check_SCRIPTS += tpm2.sh
+ endif
+ 
++if ENABLE_KTLS
++indirect_tests += gnutls_ktls
++dist_check_SCRIPTS += ktls.sh
++endif
++
+ if !WINDOWS
+ 
+ #
+diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c
+index 3966e2b10a..8f9c5fa36e 100644
+--- a/tests/gnutls_ktls.c
++++ b/tests/gnutls_ktls.c
+@@ -84,7 +84,7 @@ static void client(int fd, const char *prio)
+ 
+ 	ret = gnutls_transport_is_ktls_enabled(session);
+ 	if (!(ret & GNUTLS_KTLS_RECV)){
+-		fail("client: KTLS was not properly inicialized\n");
++		fail("client: KTLS was not properly initialized\n");
+ 		goto end;
+ 	}
+ 
+@@ -208,7 +208,7 @@ static void server(int fd, const char *prio)
+ 
+ 	ret = gnutls_transport_is_ktls_enabled(session);
+ 	if (!(ret & GNUTLS_KTLS_SEND)){
+-		fail("server: KTLS was not properly inicialized\n");
++		fail("server: KTLS was not properly initialized\n");
+ 		goto end;
+ 	}
+ 	do {
+diff --git a/tests/ktls.sh b/tests/ktls.sh
+new file mode 100755
+index 0000000000..ba52bd5775
+--- /dev/null
++++ b/tests/ktls.sh
+@@ -0,0 +1,46 @@
++#!/bin/sh
++
++# Copyright (C) 2022 Red Hat, Inc.
++#
++# Author: Daiki Ueno
++#
++# This file is part of GnuTLS.
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++: ${builddir=.}
++
++. "$srcdir/scripts/common.sh"
++
++if ! grep '^tls ' /proc/modules 2>1 >& /dev/null; then
++    exit 77
++fi
++
++testdir=`create_testdir ktls`
++
++cfg="$testdir/config"
++
++cat <<EOF > "$cfg"
++[global]
++ktls = true
++EOF
++
++GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \
++GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \
++"$builddir/gnutls_ktls" "$@"
++rc=$?
++
++rm -rf "$testdir"
++exit $rc
+-- 
+2.36.1
+
+
+From 4a492462535a7f3a831685d3cf420b50ef219511 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 28 Jun 2022 10:23:33 +0900
+Subject: [PATCH 2/3] handshake: do not reset KTLS enablement in
+ gnutls_handshake
+
+As gnutls_handshake can be repeatedly called upon non-blocking setup,
+we shouldn't try to call setsockopt for KTLS upon every call.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/handshake.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/handshake.c b/lib/handshake.c
+index 4dd457bf22..3886306eb4 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2813,12 +2813,6 @@ int gnutls_handshake(gnutls_session_t session)
+ 	const version_entry_st *vers = get_version(session);
+ 	int ret;
+ 
+-	session->internals.ktls_enabled = 0;
+-#ifdef ENABLE_KTLS
+-	if (_gnutls_config_is_ktls_enabled() == true)
+-		_gnutls_ktls_enable(session);
+-#endif
+-
+ 	if (unlikely(session->internals.initial_negotiation_completed)) {
+ 		if (vers->tls13_sem) {
+ 			if (session->security_parameters.entity == GNUTLS_CLIENT) {
+@@ -2864,6 +2858,12 @@ int gnutls_handshake(gnutls_session_t session)
+ 			end->tv_nsec =
+ 				(start->tv_nsec + tmo_ms * 1000000LL) % 1000000000LL;
+ 		}
++
++#ifdef ENABLE_KTLS
++		if (_gnutls_config_is_ktls_enabled()) {
++			_gnutls_ktls_enable(session);
++		}
++#endif
+ 	}
+ 
+ 	if (session->internals.recv_state == RECV_STATE_FALSE_START) {
+-- 
+2.36.1
+
+
+From ce13208e13b5dec73993c583d4c64ab7714e4a7a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 28 Jun 2022 10:53:55 +0900
+Subject: [PATCH 3/3] ktls: _gnutls_ktls_enable: fix GNUTLS_KTLS_SEND
+ calculation
+
+Previously, if the first setsockopt for GNUTLS_KTLS_RECV fails and the
+same socket is used for both sending and receiving, GNUTLS_KTLS_SEND
+was unconditionally set.  This fixes the conditions and also adds more
+logging.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/system/ktls.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/lib/system/ktls.c b/lib/system/ktls.c
+index b9f7a73fb5..ddf27fac76 100644
+--- a/lib/system/ktls.c
++++ b/lib/system/ktls.c
+@@ -47,7 +47,7 @@
+ gnutls_transport_ktls_enable_flags_t
+ gnutls_transport_is_ktls_enabled(gnutls_session_t session){
+ 	if (unlikely(!session->internals.initial_negotiation_completed)){
+-		_gnutls_debug_log("Initial negotiation is not yet complete");
++		_gnutls_debug_log("Initial negotiation is not yet complete\n");
+ 		return 0;
+ 	}
+ 
+@@ -57,16 +57,27 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session){
+ void _gnutls_ktls_enable(gnutls_session_t session)
+ {
+ 	int sockin, sockout;
++
+ 	gnutls_transport_get_int2(session, &sockin, &sockout);
+ 
+-	if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0)
++	if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) {
+ 		session->internals.ktls_enabled |= GNUTLS_KTLS_RECV;
++		if (sockin == sockout) {
++			session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
++		}
++	} else {
++		_gnutls_record_log("Unable to set TCP_ULP for read socket: %d\n",
++				   errno);
++	}
+ 
+ 	if (sockin != sockout) {
+-		if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0)
++		if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) {
+ 			session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
+-	} else
+-		session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
++		} else {
++			_gnutls_record_log("Unable to set TCP_ULP for write socket: %d\n",
++					   errno);
++		}
++	}
+ }
+ 
+ int _gnutls_ktls_set_keys(gnutls_session_t session)
+-- 
+2.36.1
+
+From 2d3cba6bb21acb40141180298f3924c73c7de8f8 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 26 Jul 2022 11:38:41 +0900
+Subject: [PATCH 1/2] handshake: do not enable KTLS if custom pull/push
+ functions are set
+
+If gnutls_transport_set_pull_function or
+gnutls_transport_set_push_function is used, we can't assume the
+underlying transport handle is an FD.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/handshake.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/handshake.c b/lib/handshake.c
+index 3886306eb4..cf025a84f6 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2861,7 +2861,14 @@ int gnutls_handshake(gnutls_session_t session)
+ 
+ #ifdef ENABLE_KTLS
+ 		if (_gnutls_config_is_ktls_enabled()) {
+-			_gnutls_ktls_enable(session);
++			if (session->internals.pull_func ||
++			    session->internals.push_func) {
++				_gnutls_audit_log(session,
++						  "Not enabling KTLS with "
++						  "custom pull/push function\n");
++			} else {
++				_gnutls_ktls_enable(session);
++			}
+ 		}
+ #endif
+ 	}
+-- 
+2.37.1
+
+
+From f7160e4fb970b4ba6f96e85e21f8395eae735d95 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 26 Jul 2022 11:39:57 +0900
+Subject: [PATCH 2/2] socket: only set pull/push functions when --save-*-trace
+ is used
+
+This allows gnutls-cli to use KTLS for the transport, unless either
+--save-client-trace or --save-server-trace is used.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ src/socket.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/socket.c b/src/socket.c
+index 39f18dbe18..36ac292700 100644
+--- a/src/socket.c
++++ b/src/socket.c
+@@ -586,16 +586,16 @@ socket_open2(socket_st * hd, const char *hostname, const char *service,
+ 				gnutls_session_set_data(hd->session, hd->rdata.data, hd->rdata.size);
+ 			}
+ 
+-			if (server_trace)
++			if (client_trace || server_trace) {
+ 				hd->server_trace = server_trace;
+-
+-			if (client_trace)
+ 				hd->client_trace = client_trace;
+-
+-			gnutls_transport_set_push_function(hd->session, wrap_push);
+-			gnutls_transport_set_pull_function(hd->session, wrap_pull);
+-			gnutls_transport_set_pull_timeout_function(hd->session, wrap_pull_timeout_func);
+-			gnutls_transport_set_ptr(hd->session, hd);
++				gnutls_transport_set_push_function(hd->session, wrap_push);
++				gnutls_transport_set_pull_function(hd->session, wrap_pull);
++				gnutls_transport_set_pull_timeout_function(hd->session, wrap_pull_timeout_func);
++				gnutls_transport_set_ptr(hd->session, hd);
++			} else {
++				gnutls_transport_set_int(hd->session, hd->fd);
++			}
+ 		}
+ 
+ 		if (!(flags & SOCKET_FLAG_RAW) && !(flags & SOCKET_FLAG_SKIP_INIT)) {
+-- 
+2.37.1
+
+From a5b671fc9105cb5dbe6e6a1c0f39fa787d862076 Mon Sep 17 00:00:00 2001
+From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
+Date: Fri, 29 Jul 2022 10:38:42 +0200
+Subject: [PATCH] KTLS: hotfix
+
+session->internals.pull_func is set to system_read during gnutls_init()
+so check for user set pull/push function added in commit mentioned
+bellow will never pass.
+
+source: 2d3cba6bb21acb40141180298f3924c73c7de8f8
+
+Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
+---
+ lib/handshake.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/handshake.c b/lib/handshake.c
+index cf025a84f6..21edc5ece9 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2861,7 +2861,8 @@ int gnutls_handshake(gnutls_session_t session)
+ 
+ #ifdef ENABLE_KTLS
+ 		if (_gnutls_config_is_ktls_enabled()) {
+-			if (session->internals.pull_func ||
++			if ((session->internals.pull_func &&
++				session->internals.pull_func != system_read) ||
+ 			    session->internals.push_func) {
+ 				_gnutls_audit_log(session,
+ 						  "Not enabling KTLS with "
+-- 
+2.37.1
+

SOURCES/gnutls-3.7.6-pkcs7-verify.patch

@@ -0,0 +1,263 @@
+From 57afc290cd3ce2e9752a0ce5cba41ecc78fdc1bd Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Sun, 31 Jul 2022 10:39:53 +0900
+Subject: [PATCH] gnutls-3.7.6-pkcs7-verify.patch
+
+---
+ lib/x509/pkcs7.c                 |   3 +-
+ tests/Makefile.am                |   2 +-
+ tests/pkcs7-verify-double-free.c | 215 +++++++++++++++++++++++++++++++
+ 3 files changed, 218 insertions(+), 2 deletions(-)
+ create mode 100644 tests/pkcs7-verify-double-free.c
+
+diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
+index 1f35fab..d5be7f4 100644
+--- a/lib/x509/pkcs7.c
++++ b/lib/x509/pkcs7.c
+@@ -1318,7 +1318,8 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl,
+ 				issuer = find_verified_issuer_of(pkcs7, issuer, purpose, vflags);
+ 
+ 				if (issuer != NULL && gnutls_x509_crt_check_issuer(issuer, issuer)) {
+-					if (prev) gnutls_x509_crt_deinit(prev);
++					if (prev && prev != signer)
++						gnutls_x509_crt_deinit(prev);
+ 					prev = issuer;
+ 					break;
+ 				}
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 26e39fb..7a7a4af 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -233,7 +233,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
+ 	 tls13-without-timeout-func buffer status-request-revoked \
+ 	 set_x509_ocsp_multi_cli kdf-api keylog-func handshake-write \
+ 	 x509cert-dntypes id-on-xmppAddr tls13-compat-mode ciphersuite-name \
+-	 x509-upnconstraint
++	 x509-upnconstraint pkcs7-verify-double-free
+ 
+ ctests += tls-channel-binding
+ 
+diff --git a/tests/pkcs7-verify-double-free.c b/tests/pkcs7-verify-double-free.c
+new file mode 100644
+index 0000000..fadf307
+--- /dev/null
++++ b/tests/pkcs7-verify-double-free.c
+@@ -0,0 +1,215 @@
++/*
++ * Copyright (C) 2022 Red Hat, Inc.
++ *
++ * Author: Zoltan Fridrich
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdio.h>
++#include <gnutls/pkcs7.h>
++#include <gnutls/x509.h>
++
++#include "utils.h"
++
++static char rca_pem[] =
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
++	"cGxlIENBMCAXDTE3MDcyMTE0NDMzNloYDzIyMjIwNzIxMTQ0MzM2WjAVMRMwEQYD\n"
++	"VQQKDApFeGFtcGxlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n"
++	"v8hnKPJ/IA0SQB/A/a0Uh+npZ67vsgIMrtTQo0r0kJkmkBz5323xO3DVuJfB3QmX\n"
++	"v9zvoeCQLuDvWar5Aixfxgm6s5Q+yPvJj9t3NebDrU+Y4+qyewBIJUF8EF/5iBPC\n"
++	"ZHONmzbfIRWvQWGGgb2CRcOHp2J7AY/QLB6LsWPaLjs/DHva28Q13JaTTHIpdu8v\n"
++	"t6vHr0nXf66DN4MvtoF3N+o+v3snJCMsfXOqASi4tbWR7gtOfCfiz9uBjh0W2Dut\n"
++	"/jclBQkJkLe6esNSM+f4YiOpctVDjmfj8yoHCp394vt0wFqhG38wsTFAyVP6qIcf\n"
++	"5zoSu9ovEt2cTkhnZHjiiwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud\n"
++	"DwEB/wQEAwIBBjAdBgNVHQ4EFgQUhjeO6Uc5imbjOl2I2ltVA27Hu9YwHwYDVR0j\n"
++	"BBgwFoAUhjeO6Uc5imbjOl2I2ltVA27Hu9YwDQYJKoZIhvcNAQELBQADggEBAD+r\n"
++	"i/7FsbG0OFKGF2+JOnth6NjJQcMfM8LiglqAuBUijrv7vltoZ0Z3FJH1Vi4OeMXn\n"
++	"l7X/9tWUve0uFl75MfjDrf0+lCEdYRY1LCba2BrUgpbbkLywVUdnbsvndehegCgS\n"
++	"jss2/zys3Hlo3ZaHlTMQ/NQ4nrxcxkjOvkZSEOqgxJTLpzm6pr7YUts4k6c6lNiB\n"
++	"FSiJiDzsJCmWR9C3fBbUlfDfTJYGN3JwqX270KchXDElo8gNoDnF7jBMpLFFSEKm\n"
++	"MyfbNLX/srh+CEfZaN/OZV4A3MQ0L8vQEp6M4CJhvRLIuMVabZ2coJ0AzystrOMU\n"
++	"LirBWjg89RoAjFQ7bTE=\n"
++	"-----END CERTIFICATE-----\n";
++
++static char ca_pem[] =
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
++	"cGxlIENBMCAXDTE3MDcyMTE0NDQzNFoYDzIyMjIwNzIxMTQ0NDM0WjAiMSAwHgYD\n"
++	"VQQKDBdFeGFtcGxlIGludGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD\n"
++	"ggEPADCCAQoCggEBAKb9ACB8u//sP6MfNU1OsVw68xz3eTPLgKxS0vpqexm6iGVg\n"
++	"ug/o9uYRLzqiEukv/eyz9WzHmY7sqlOJjOFdv92+SaNg79Jc51WHPFXgea4/qyfr\n"
++	"4y14PGs0SNxm6T44sXurUs7cXydQVUgnq2VCaWFOTUdxXoAWkV8r8GaUoPD/klVz\n"
++	"RqxSZVETmX1XBKhsMnnov41kRwVph2C+VfUspsbaUZaz/o/S1/nokhXRACzKsMBr\n"
++	"obqiGxbY35uVzsmbAW5ErhQz98AWJL3Bub1fsEMXg6OEMmPH4AtX888dTIYZNw0E\n"
++	"bUIESspz1kjJQTtVQDHTprhwz16YiSVeUonlLgMCAwEAAaNjMGEwDwYDVR0TAQH/\n"
++	"BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPBjxDWjMhjXERirKF9O\n"
++	"o/5Cllc5MB8GA1UdIwQYMBaAFIY3julHOYpm4zpdiNpbVQNux7vWMA0GCSqGSIb3\n"
++	"DQEBCwUAA4IBAQCTm+vv3hBa6lL5IT+Fw8aTxQ2Ne7mZ5oyazhvXYwwfKNMX3SML\n"
++	"W2JdPaL64ZwbxxxYvW401o5Z0CEgru3YFrsqB/hEdl0Uf8UWWJmE1rRa+miTmbjt\n"
++	"lrLNCWdrs6CiwvsPITTHg7jevB4KyZYsTSxQFcyr3N3xF+6EmOTC4IkhPPnXYXcp\n"
++	"248ih+WOavSYoRvzgB/Dip1WnPYU2mfIV3O8JReRryngA0TzWCLPLUoWR3R4jwtC\n"
++	"+1uSLoqaenz3qv3F1WEbke37az9YJuXx/5D8CqFQiZ62TUUtI6fYd8mkMBM4Qfh6\n"
++	"NW9XrCkI9wlpL5K9HllhuW0BhKeJkuPpyQ2p\n"
++	"-----END CERTIFICATE-----\n";
++
++static char ee_pem[] =
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdFeGFt\n"
++	"cGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzdaGA8yMjIyMDcyMTE0\n"
++	"NDUzN1owFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEBBQAD\n"
++	"ggEPADCCAQoCggEBAMb1uuxppBFY+WVD45iyHUq7DkIJNNOI/JRaybVJfPktWq2E\n"
++	"eNe7XhV05KKnqZTbDO2iYqNHqGhZ8pz/IstDRTZP3z/q1vXTG0P9Gx28rEy5TaUY\n"
++	"QjtD+ZoFUQm0ORMDBjd8jikqtJ87hKeuOPMH4rzdydotMaPQSm7KLzHBGBr6gg7z\n"
++	"g1IxPWkhMyHapoMqqrhjwjzoTY97UIXpZTEoIA+KpEC8f9CciBtL0i1MPBjWozB6\n"
++	"Jma9q5iEwZXuRr3cnPYeIPlK2drgDZCMuSFcYiT8ApLw5OhKqY1m2EvfZ2ox2s9R\n"
++	"68/HzYdPi3kZwiNEtlBvMlpt5yKBJAflp76d7DkCAwEAAaNuMGwwCwYDVR0PBAQD\n"
++	"AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUc+Mi\n"
++	"kr8WMCk00SQo+P2iggp/oQkwHwYDVR0jBBgwFoAU8GPENaMyGNcRGKsoX06j/kKW\n"
++	"VzkwDQYJKoZIhvcNAQELBQADggEBAKU9+CUR0Jcfybd1+8Aqgh1RH96yQygnVuyt\n"
++	"Na9rFz4fM3ij9tGXDHXrkZw8bW1dWLU9quu8zeTxKxc3aiDIw739Alz0tukttDo7\n"
++	"dW7YqIb77zsIsWB9p7G9dlxT6ieUy+5IKk69BbeK8KR0vAciAG4KVQxPhuPy/LGX\n"
++	"PzqlJIJ4h61s3UOroReHPB1keLZgpORqrvtpClOmABH9TLFRJA/WFg8Q2XYB/p0x\n"
++	"l/pWiaoBC+8wK9cDoMUK5yOwXeuCLffCb+UlAD0+z/qxJ2pisE8E9X8rRKRrWI+i\n"
++	"G7LtJCEn86EQK8KuRlJxKgj8lClZhoULB0oL4jbblBuNow9WRmM=\n"
++	"-----END CERTIFICATE-----\n";
++
++static char msg_pem[] =
++	"-----BEGIN PKCS7-----\n"
++	"MIIK2QYJKoZIhvcNAQcCoIIKyjCCCsYCAQExDTALBglghkgBZQMEAgEwCwYJKoZI\n"
++	"hvcNAQcBoIIJTzCCAwowggHyoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwFTETMBEG\n"
++	"A1UECgwKRXhhbXBsZSBDQTAgFw0xNzA3MjExNDQzMjFaGA8yMjIyMDcyMTE0NDMy\n"
++	"MVowFTETMBEGA1UECgwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n"
++	"ADCCAQoCggEBAL51eyE4j8wAKQKMGlO9HEY2iaGvsdPSJmidSdmCi1jnNK39Lx4Y\n"
++	"31h279hSHF5wtI6VM91HHfeLf1mjEZHlKrXXJQzBPLpbHWapD778drHBitOP8e56\n"
++	"fDMIfofLV4tkMk8690vPe4cJH1UHGspMyz6EQF9kPRaW80XtMV/6dalgL/9Esmaw\n"
++	"XBNPJAS1VutDuXQkJ/3/rWFLmkpYHHtGPjX782YRmT1s+VOVTsLqmKx0TEL8A381\n"
++	"bbElHPUAMjPcyWR5qqA8KWnS5Dwqk3LwI0AvuhQytCq0S7Xl4DXauvxwTRXv0UU7\n"
++	"W8r3MLAw9DnlnJiD/RFjw5rbGO3wMePk/qUCAwEAAaNjMGEwDwYDVR0TAQH/BAUw\n"
++	"AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIh2KRoKJoe2VtpOwWMkRAkR\n"
++	"mLWKMB8GA1UdIwQYMBaAFIh2KRoKJoe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEB\n"
++	"CwUAA4IBAQBovvlOjoy0MCT5U0eWfcPQQjY4Ssrn3IiPNlVkqSNo+FHX+2baTLVQ\n"
++	"5QTHxwXwzdIJiwtjFWDdGEQXqmuIvnFG+u/whGbeg6oQygfnQ5Y+q6epOxCsPgLQ\n"
++	"mKKEaF7mvh8DauUx4QSbYCNGCctOZuB1vlN9bJ3/5QbH+2pFPOfCr5CAyPDwHo6S\n"
++	"qO3yPcutRwT9xS7gXEHM9HhLp+DmdCGh4eVBPiFilyZm1d92lWxU8oxoSfXgzDT/\n"
++	"GCzlMykNZNs4JD9QmiRClP/3U0dQbOhah/Fda+N+L90xaqEgGcvwKKZa3pzo59pl\n"
++	"BbkcIP4YPyHeinwkgAn5UVJg9DOxNCS0MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG\n"
++	"9w0BAQsFADAVMRMwEQYDVQQKDApFeGFtcGxlIENBMCAXDTE3MDcyMTE0NDQxM1oY\n"
++	"DzIyMjIwNzIxMTQ0NDEzWjAiMSAwHgYDVQQKDBdFeGFtcGxlIGludGVybWVkaWF0\n"
++	"ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPFDEvDANwvhviu\n"
++	"pwXTvaKyxyX94jVu1wgAhIRyQBVRiMbrn8MEufLG8oA0vKd8s92gv/lWe1jFb2rn\n"
++	"91jMkZWsjWjiJFD6SzqFfBo+XxOGikEqO1MAf92UqavmSGlXVRG1Vy7T7dWibZP0\n"
++	"WODhHYWayR0Y6owSz5IqNfrHXzDME+lSJxHgRFI7pK+b0OgiVmvyXDKFPvyU6GrP\n"
++	"lxXDi/XbjyPvC5gpiwtTgm+s8KERwmdlfZUNjkh2PpHx1g1joijHT3wIvO/Pek1E\n"
++	"C+Xs6w3XxGgL6TTL7FDuv4AjZVX9KK66/yBhX3aN8bkqAg+hs9XNk3zzWC0XEFOS\n"
++	"Qoh2va0CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
++	"HQYDVR0OBBYEFHwi/7dUWGjkMWJctOm7MCjjQj1cMB8GA1UdIwQYMBaAFIh2KRoK\n"
++	"Joe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEBCwUAA4IBAQCF6sHCBdYRwBwvfCve\n"
++	"og9cPnmPqZrG4AtmSvtoSsMvgvKb/4z3/gG8oPtTBkeRcAHoMoEp/oA+B2ylwIAc\n"
++	"S5U7jx+lYH/Pqih0X/OcOLbaMv8uzGSGQxk+L9LuuIT6E/THfRRIPEvkDkzC+/uk\n"
++	"7vUbG17bSEWeF0o/6sjzAY2aH1jnbCDyu0UC78GXkc6bZ5QlH98uLMDMrOmqcZjS\n"
++	"JFfvuRDQyKV5yBdBkYaobsIWSQDsgYxJzf/2y8c3r+HXqT+jhrXPWJ3btgMPxpu7\n"
++	"E8KmoFgp9EM+48oYlXJ66rk08/KjaVmgN7R+Hm3e2+MFT2kme4fBKalLjcazTe3x\n"
++	"0FisMIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdF\n"
++	"eGFtcGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzBaGA8yMjIyMDcy\n"
++	"MTE0NDUzMVowFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEB\n"
++	"BQADggEPADCCAQoCggEBAMjhSqhdD5RjmOm6W3hG7zkgKBP9whRN/SipcdEMlkgc\n"
++	"F/U3QMu66qIfKwheNdWalC1JLtruLDWP92ysa6Vw+CCG8aSax1AgB//RKQB7kgPA\n"
++	"9js9hi/oCdBmCv2HJxhWSLz+MVoxgzW4C7S9FenI+btxe/99Uw4nOw7kwjsYDLKr\n"
++	"tMw8myv7aCW/63CuBYGtohiZupM3RI3kKFcZots+KRPLlZpjv+I2h9xSln8VxKNb\n"
++	"XiMrYwGfHB7iX7ghe1TvFjKatEUhsqa7AvIq7nfe/cyq97f0ODQO814njgZtk5iQ\n"
++	"JVavXHdhTVaypt1HdAFMuHX5UATylHxx9tRCgSIijUsCAwEAAaNuMGwwCwYDVR0P\n"
++	"BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQU\n"
++	"31+vHl4E/2Jpnwinbzf+d7usshcwHwYDVR0jBBgwFoAUfCL/t1RYaOQxYly06bsw\n"
++	"KONCPVwwDQYJKoZIhvcNAQELBQADggEBAAWe63DcNwmleQ3INFGDJZ/m2I/R/cBa\n"
++	"nnrxgR5Ey1ljHdA/x1z1JLTGmGVwqGExs5DNG9Q//Pmc9pZ1yPa8J4Xf8AvFcmkY\n"
++	"mWoH1HvW0xu/RF1UN5SAoD2PRQ+Vq4OSPD58IlEu/u4o1wZV7Wl91Cv6VNpiAb63\n"
++	"j9PA1YacOpOtcRqG59Vuj9HFm9f30ejHVo2+KJcpo290cR3Zg4fOm8mtjeMdt/QS\n"
++	"Atq+RqPAQ7yxqvEEv8zPIZj2kAOQm3mh/yYqBrR68lQUD/dBTP7ApIZkhUK3XK6U\n"
++	"nf9JvoF6Fn2+Cnqb//FLBgHSnoeqeQNwDLUXTsD02iYxHzJrhokSY4YxggFQMIIB\n"
++	"TAIBATAnMCIxIDAeBgNVBAoMF0V4YW1wbGUgaW50ZXJtZWRpYXRlIENBAgEBMAsG\n"
++	"CWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQATHg6wNsBcs/Ub1GQfKwTpKCk5\n"
++	"8QXuNnZ0u7b6mKgrSY2Gf47fpL2aRgaR+BAQncbctu5EH/IL38pWjaGtOhFAj/5q\n"
++	"7luVQW11kuyJN3Bd/dtLqawWOwMmAIEigw6X50l5ZHnEVzFfxt+RKTNhk4XWVtbi\n"
++	"2iIlITOplW0rnvxYAwCxKL9ocaB7etK8au7ixMxbFp75Ts4iLX8dhlAFdCuFCk8k\n"
++	"B8mi9HHuwr3QYRqMPW61hu1wBL3yB8eoZNOwPXb0gkIh6ZvgptxgQzm/cc+Iw9fP\n"
++	"QkR0fTM7ElJ5QZmSV98AUbZDHmDvpmcjcUxfSPMc3IoT8T300usRu7QHqKJi\n"
++	"-----END PKCS7-----\n";
++
++const gnutls_datum_t rca_datum = { (void *)rca_pem, sizeof(rca_pem) - 1 };
++const gnutls_datum_t ca_datum = { (void *)ca_pem, sizeof(ca_pem) - 1 };
++const gnutls_datum_t ee_datum = { (void *)ee_pem, sizeof(ee_pem) - 1 };
++const gnutls_datum_t msg_datum = { (void *)msg_pem, sizeof(msg_pem) - 1 };
++
++static void tls_log_func(int level, const char *str)
++{
++	fprintf(stderr, "%s |<%d>| %s", "err", level, str);
++}
++
++#define CHECK(X)\
++{\
++	r = X;\
++	if (r < 0)\
++		fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\
++}\
++
++void doit(void)
++{
++	int r;
++	gnutls_x509_crt_t rca_cert = NULL;
++	gnutls_x509_crt_t ca_cert = NULL;
++	gnutls_x509_crt_t ee_cert = NULL;
++	gnutls_x509_trust_list_t tlist = NULL;
++	gnutls_pkcs7_t pkcs7 = NULL;
++	gnutls_datum_t data = { (unsigned char *)"xxx", 3 };
++
++	if (debug) {
++		gnutls_global_set_log_function(tls_log_func);
++		gnutls_global_set_log_level(4711);
++	}
++
++	// Import certificates
++	CHECK(gnutls_x509_crt_init(&rca_cert));
++	CHECK(gnutls_x509_crt_import(rca_cert, &rca_datum, GNUTLS_X509_FMT_PEM));
++	CHECK(gnutls_x509_crt_init(&ca_cert));
++	CHECK(gnutls_x509_crt_import(ca_cert, &ca_datum, GNUTLS_X509_FMT_PEM));
++	CHECK(gnutls_x509_crt_init(&ee_cert));
++	CHECK(gnutls_x509_crt_import(ee_cert, &ee_datum, GNUTLS_X509_FMT_PEM));
++
++	// Setup trust store
++	CHECK(gnutls_x509_trust_list_init(&tlist, 0));
++	CHECK(gnutls_x509_trust_list_add_named_crt(tlist, rca_cert, "rca", 3, 0));
++	CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ca_cert, "ca", 2, 0));
++	CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ee_cert, "ee", 2, 0));
++
++	// Setup pkcs7 structure
++	CHECK(gnutls_pkcs7_init(&pkcs7));
++	CHECK(gnutls_pkcs7_import(pkcs7, &msg_datum, GNUTLS_X509_FMT_PEM));
++
++	// Signature verification
++	gnutls_pkcs7_verify(pkcs7, tlist, NULL, 0, 0, &data, 0);
++
++	gnutls_x509_crt_deinit(rca_cert);
++	gnutls_x509_crt_deinit(ca_cert);
++	gnutls_x509_crt_deinit(ee_cert);
++	gnutls_x509_trust_list_deinit(tlist, 0);
++	gnutls_pkcs7_deinit(pkcs7);
++}
+-- 
+2.37.1
+

SPECS/gnutls.spec

@@ -12,23 +12,31 @@ sha256sum:close()
 print(string.sub(hash, 0, 16))
 }
 
-Version: 3.7.3
-Release: 9%{?dist}
-Patch1:	gnutls-3.6.7-no-now-guile.patch
-Patch2:	gnutls-3.2.7-rpath.patch
-Patch3:	gnutls-3.7.2-enable-intel-cet.patch
-Patch4: gnutls-3.7.2-no-explicit-init.patch
-Patch5: gnutls-3.7.3-fips-rsa-keygen.patch
-Patch6: gnutls-3.7.3-ktls-stub.patch
-Patch7: gnutls-3.7.3-fips-pkcs12.patch
-Patch8: gnutls-3.7.3-fix-tests-in-fips.patch
-Patch9: gnutls-3.7.3-gost-ifdef.patch
-Patch10: gnutls-3.7.3-max-algos.patch
-Patch11: gnutls-3.7.3-allowlist-api.patch
-Patch12: gnutls-3.7.3-libtss2-dlopen.patch
+Version: 3.7.6
+Release: 12%{?dist}
+# not upstreamed
+Patch: gnutls-3.6.7-no-now-guile.patch
+Patch: gnutls-3.2.7-rpath.patch
+Patch: gnutls-3.7.2-enable-intel-cet.patch
+Patch: gnutls-3.7.2-no-explicit-init.patch
+
+# upstreamed
+Patch: gnutls-3.7.6-fips-run-selftests.patch
+Patch: gnutls-3.7.6-ktls-disable-by-default.patch
+Patch: gnutls-3.7.6-ktls-fixes.patch
+Patch: gnutls-3.7.6-aes-gcm-pt-limit.patch
+Patch: gnutls-3.7.6-pkcs7-verify.patch
+Patch: gnutls-3.7.6-fips-pkcs12-des-cbc.patch
+Patch: gnutls-3.7.6-fips-rsa-key-sizes.patch
+Patch: gnutls-3.7.6-fips-symkey-limit.patch
+Patch: gnutls-3.7.6-fips-ecdsa-hash-check.patch
 
 # not upstreamed
-Patch100: gnutls-3.7.3-disable-config-reload.patch
+Patch: gnutls-3.7.3-disable-config-reload.patch
+Patch: gnutls-3.7.3-fips-dsa-post.patch
+Patch: gnutls-3.7.6-drbg-reseed.patch
+Patch: gnutls-3.7.6-cpuid-fixes.patch
+Patch: gnutls-3.7.6-gmp-static.patch
 
 %bcond_without bootstrap
 %bcond_without dane
@@ -42,13 +50,18 @@ Patch100: gnutls-3.7.3-disable-config-reload.patch
 %bcond_with tpm12
 %bcond_without tpm2
 %bcond_with gost
+%bcond_with certificate_compression
+%bcond_without tests
 
 Summary: A TLS protocol implementation
 Name: gnutls
 # The libraries are LGPLv2.1+, utilities are GPLv3+
 License: GPLv3+ and LGPLv2+
 BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel
-BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3
+BuildRequires: readline-devel, libtasn1-devel >= 4.3
+%if %{with certificate_compression}
+BuildRequires: zlib-devel, brotli-devel, libzstd-devel
+%endif
 %if %{with bootstrap}
 BuildRequires: automake, autoconf, gperf, libtool
 %endif
@@ -64,9 +77,7 @@ BuildRequires: libidn2-devel
 BuildRequires: libunistring-devel
 BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++
 BuildRequires: gnupg2
-%if %{with fips}
-BuildRequires: fipscheck
-%endif
+BuildRequires: git-core
 
 # for a sanity check on cert loading
 BuildRequires: p11-kit-trust, ca-certificates
@@ -88,7 +99,11 @@ BuildRequires: make
 URL: http://www.gnutls.org/
 Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz
 Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig
-Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
+Source2: gnutls-release-keyring.gpg
+
+Source100:	gmp-6.2.1.tar.xz
+# Taken from the main gmp package
+Source101:	gmp-6.2.1-intel-cet.patch
 
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
@@ -181,11 +196,38 @@ This package contains Guile bindings for the library.
 %endif
 
 %prep
-%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+# Workaround: to allow building the package under FIPS, do not treat
+# errors in the GPG check as fatal, where EdDSA signature verification
+# is not allowed:
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' || :
+
+%autosetup -p1 -S git
+
+%if %{with fips}
+mkdir -p bundled_gmp
+pushd bundled_gmp
+tar --strip-components=1 -xf %{SOURCE100}
+patch -p1 < %{SOURCE101}
+popd
+%endif
+
+%build
+%ifarch aarch64 ppc64le
+%define _lto_cflags %{nil}
+%endif
+
+%if %{with fips}
+pushd bundled_gmp
+autoreconf -ifv
+%configure --disable-cxx --disable-shared --enable-fat --with-pic
+%make_build
+popd
+
+export GMP_CFLAGS="-I$PWD/bundled_gmp"
+export GMP_LIBS="$PWD/bundled_gmp/.libs/libgmp.a"
+%endif
 
-%autosetup -p1
 %if %{with bootstrap}
-rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h
 autoreconf -fi
 %endif
 
@@ -194,14 +236,6 @@ rm -f lib/minitasn1/*.c lib/minitasn1/*.h
 
 echo "SYSTEM=NORMAL" >> tests/system.prio
 
-# Note that we explicitly enable SHA1, as SHA1 deprecation is handled
-# via the crypto policies
-
-%build
-%ifarch aarch64 ppc64le
-%define _lto_cflags %{nil}
-%endif
-
 %if %{with guile}
 # These should be checked by m4/guile.m4 instead of configure.ac
 # taking into account of _guile_suffix
@@ -213,7 +247,7 @@ export GUILD
 
 %if %{with fips}
 eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release)
-export FIPS_MODULE_NAME="$OS_NAME $OS_VERSION_ID %name"
+export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
 %endif
 
 %configure \
@@ -243,6 +277,7 @@ export FIPS_MODULE_NAME="$OS_NAME $OS_VERSION_ID %name"
 %else
            --without-tpm2 \
 %endif
+           --enable-ktls \
            --htmldir=%{_docdir}/manual \
 %if %{with guile}
            --enable-guile \
@@ -255,26 +290,31 @@ export FIPS_MODULE_NAME="$OS_NAME $OS_VERSION_ID %name"
            --enable-libdane \
 %else
            --disable-libdane \
+%endif
+%if %{with certificate_compression}
+	   --with-zlib --with-brotli --with-zstd \
+%else
+	   --without-zlib --without-brotli --without-zstd \
 %endif
            --disable-rpath \
            --with-default-priority-string="@SYSTEM"
 
-make %{?_smp_mflags} V=1
-
-%if %{with fips}
-%define __spec_install_post \
-	%{?__debug_package:%{__debug_install_post}} \
-	%{__arch_install_post} \
-	%{__os_install_post} \
-	rm -f $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.*.hmac \
-	fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \
-	file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \
-%{nil}
-%endif
+# build libgnutlsxx.so with older SONAME
+make %{?_smp_mflags} V=1 CXX_LT_CURRENT=29 CXX_LT_REVISION=0 CXX_LT_AGE=1
 
 %install
 make install DESTDIR=$RPM_BUILD_ROOT
+
+# build libgnutlsxx.so with newer SONAME
+pushd lib
+rm -f libgnutlsxx.la
+make %{?_smp_mflags} V=1
+make install DESTDIR=$RPM_BUILD_ROOT
+popd
+touch doc/examples/ex-cxx
+
 make -C doc install-html DESTDIR=$RPM_BUILD_ROOT
+
 rm -f $RPM_BUILD_ROOT%{_infodir}/dir
 rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.a
@@ -283,15 +323,33 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.la
 rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
 %endif
 
+%if %{with fips}
+# doing it twice should be a no-op the second time,
+# and this way we avoid redefining it and missing a future change
+%{__spec_install_post}
+./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac
+sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac
+%endif
+
+%if %{with fips}
+%define __spec_install_post \
+	%{?__debug_package:%{__debug_install_post}} \
+	%{__arch_install_post} \
+	%{__os_install_post} \
+%{nil}
+%endif
+
 %find_lang gnutls
 
 %check
+%if %{with tests}
 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
+%endif
 
 %files -f gnutls.lang
 %{_libdir}/libgnutls.so.30*
 %if %{with fips}
-%{_libdir}/.libgnutls.so.30*.hmac
+%{_libdir}/.gnutls.hmac
 %endif
 %doc README.md AUTHORS NEWS THANKS
 %license LICENSE doc/COPYING doc/COPYING.LESSER
@@ -302,10 +360,6 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %files devel
 %{_includedir}/*
 %{_libdir}/libgnutls*.so
-%if %{with fips}
-%{_libdir}/.libgnutls.so.*.hmac
-%endif
-
 %{_libdir}/pkgconfig/*.pc
 %{_mandir}/man3/*
 %{_infodir}/gnutls*
@@ -343,6 +397,56 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 
 %changelog
+* Tue Sep 27 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-12
+- fips: mark PBKDF2 with short key and output sizes non-approved
+- fips: only mark HMAC as approved in PBKDF2
+- fips: mark gnutls_key_generate with short key sizes non-approved
+- fips: fix checking on hash algorithm used in ECDSA
+- fips: preserve operation context around FIPS selftests API
+
+* Fri Aug 26 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-11
+- Supply --with{,out}-{zlib,brotli,zstd} explicitly
+
+* Thu Aug 25 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-10
+- Revert nettle version pinning as it doesn't work well in side-tag
+
+* Thu Aug 25 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-9
+- Pin nettle version in Requires when compiled with FIPS
+
+* Tue Aug 23 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-8
+- Bundle GMP to privatize memory functions
+- Disable certificate compression support by default
+
+* Tue Aug 23 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-7
+- Update gnutls-3.7.6-cpuid-fixes.patch
+
+* Sat Aug 20 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-6
+- Mark RSA SigVer operation approved for known modulus sizes (#2119770)
+- accelerated: clear AVX bits if it cannot be queried through XSAVE
+
+* Thu Aug  4 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-5
+- Block DES-CBC usage in decrypting PKCS#12 bag under FIPS (#2115314)
+- sysrng: reseed source DRBG for prediction resistance
+
+* Fri Jul 29 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-4
+- Make gnutls-cli work with KTLS for testing
+- Fix double-free in gnutls_pkcs7_verify (#2109789)
+
+* Mon Jul 25 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-3
+- Limit input size for AES-GCM according to SP800-38D (#2108635)
+- Do not treat GPG verification errors as fatal
+- Remove gnutls-3.7.6-libgnutlsxx-const.patch
+
+* Tue Jul 19 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-2
+- Allow enabling KTLS with config file (#2108532)
+
+* Fri Jul  1 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-1
+- Update to gnutls 3.7.6 (#2102591)
+
+* Thu Mar 31 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-10
+- Use only the first component of VERSION from /etc/os-release (#2076626)
+- Don't run power-on self-tests on DSA (#2076627)
+
 * Fri Feb 25 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-9
 - Stop using typeof keyword for tss2 function prototypes (#2057490)
 - Ensure allowlist API is called before priority string construction (#1975421)