Update to gnutls 3.7.6

Resolves: #2097327
Signed-off-by: Daiki Ueno <dueno@redhat.com>

.gitignore

@@ -137,3 +137,5 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gnutls-3.7.2.tar.xz.sig
 /gnutls-3.7.3.tar.xz
 /gnutls-3.7.3.tar.xz.sig
+/gnutls-3.7.6.tar.xz
+/gnutls-3.7.6.tar.xz.sig

gnutls-3.7.3-fips-dsa-post.patch

@@ -1,30 +1,29 @@
-From fcef3404733e0839cc0f8d1fcdc5bc0f8edc7e76 Mon Sep 17 00:00:00 2001
+From 0a29639ad24072afbd79b2ceede9976e51b9e2af Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
-Date: Thu, 31 Mar 2022 11:20:28 +0200
+Date: Fri, 1 Jul 2022 16:46:07 +0900
 Subject: [PATCH] fips: don't run POST for DSA
 
-Signed-off-by: rpm-build <rpm-build>
+Signed-off-by: rpm-build <<rpm-build>>
 ---
- lib/fips.c | 6 ------
- 1 file changed, 6 deletions(-)
+ lib/fips.c | 5 -----
+ 1 file changed, 5 deletions(-)
 
 diff --git a/lib/fips.c b/lib/fips.c
-index 457a8c0..074e8e1 100644
+index 656d43e..c776690 100644
 --- a/lib/fips.c
 +++ b/lib/fips.c
-@@ -419,12 +419,6 @@ int _gnutls_fips_perform_self_checks2(void)
- 		goto error;
+@@ -523,11 +523,6 @@ int _gnutls_fips_perform_self_checks2(void)
+ 		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
  	}
  
 -	ret = gnutls_pk_self_test(0, GNUTLS_PK_DSA);
 -	if (ret < 0) {
--		gnutls_assert();
--		goto error;
+-		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 -	}
 -
  	ret = gnutls_pk_self_test(0, GNUTLS_PK_EC);
  	if (ret < 0) {
- 		gnutls_assert();
+ 		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 -- 
-2.34.1
+2.36.1
 

gnutls-3.7.6-fips-run-selftests.patch

@@ -0,0 +1,442 @@
+From 036fb360e5775f01ef25f5e712024a29930c462e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 3 Jun 2022 15:43:00 +0900
+Subject: [PATCH] fips: provide function to manually run FIPS self-tests
+
+FIPS140-3 IG 10.3.E Periodic Self-Testing says:
+
+  At security levels 1 and 2, acceptable means for initiating the
+  periodic self-tests include a provided service, resetting, rebooting
+  or power cycling.
+
+Neither resetting, rebooting, nor power-cycling is suitable because
+those involve operations outside of the module.  Therefore this patch
+adds a new API to manually run the substance of FIPS140 self-tests.
+
+Suggeested by Richard Costa and Stephan Mueller in:
+https://gitlab.com/gnutls/gnutls/-/issues/1364
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ NEWS                            |   5 ++
+ devel/libgnutls.abignore        |   2 +
+ devel/symbols.last              |   2 +
+ doc/Makefile.am                 |   2 +
+ doc/manpages/Makefile.am        |   1 +
+ lib/fips.c                      | 139 ++++++++++++++++----------------
+ lib/global.c                    |  14 +++-
+ lib/includes/gnutls/gnutls.h.in |   2 +
+ lib/libgnutls.map               |   8 ++
+ tests/fips-test.c               |   7 ++
+ 10 files changed, 110 insertions(+), 72 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 70dd8a12b5..389be8acaa 100644
+--- a/NEWS
++++ b/NEWS
+@@ -5,6 +5,11 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
+ Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
+ See the end for copying conditions.
+ 
++* Version 3.7.7 (unreleased)
++
++** API and ABI modifications:
++gnutls_fips140_run_self_tests: New function
++
+ * Version 3.7.6 (released 2022-05-27)
+ 
+ ** libgnutls: Fixed invalid write when gnutls_realloc_zero()
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index d20a021d97..34ef43866c 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -1096,6 +1096,8 @@ FUNCS += functions/gnutls_fips140_pop_context
+ FUNCS += functions/gnutls_fips140_pop_context.short
+ FUNCS += functions/gnutls_fips140_push_context
+ FUNCS += functions/gnutls_fips140_push_context.short
++FUNCS += functions/gnutls_fips140_run_self_tests
++FUNCS += functions/gnutls_fips140_run_self_tests.short
+ FUNCS += functions/gnutls_fips140_set_mode
+ FUNCS += functions/gnutls_fips140_set_mode.short
+ FUNCS += functions/gnutls_get_library_config
+diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
+index d8c5f2854d..90906b0574 100644
+--- a/doc/manpages/Makefile.am
++++ b/doc/manpages/Makefile.am
+@@ -380,6 +380,7 @@ APIMANS += gnutls_fips140_get_operation_state.3
+ APIMANS += gnutls_fips140_mode_enabled.3
+ APIMANS += gnutls_fips140_pop_context.3
+ APIMANS += gnutls_fips140_push_context.3
++APIMANS += gnutls_fips140_run_self_tests.3
+ APIMANS += gnutls_fips140_set_mode.3
+ APIMANS += gnutls_get_library_config.3
+ APIMANS += gnutls_get_system_config_file.3
+diff --git a/lib/fips.c b/lib/fips.c
+index e9c27f6df6..656d43e74a 100644
+--- a/lib/fips.c
++++ b/lib/fips.c
+@@ -419,8 +419,6 @@ int _gnutls_fips_perform_self_checks1(void)
+ {
+ 	int ret;
+ 
+-	_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
+-
+ 	/* Tests the FIPS algorithms used by nettle internally.
+ 	 * In our case we test AES-CBC since nettle's AES is used by
+ 	 * the DRBG-AES.
+@@ -429,193 +427,153 @@ int _gnutls_fips_perform_self_checks1(void)
+ 	/* ciphers - one test per cipher */
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_128_CBC);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	return 0;
+-
+-error:
+-	_gnutls_switch_lib_state(LIB_STATE_ERROR);
+-	_gnutls_audit_log(NULL, "FIPS140-2 self testing part1 failed\n");
+-
+-	return GNUTLS_E_SELF_TEST_ERROR;
+ }
+ 
+ int _gnutls_fips_perform_self_checks2(void)
+ {
+ 	int ret;
+ 
+-	_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
+-
+ 	/* Tests the FIPS algorithms */
+ 
+ 	/* ciphers - one test per cipher */
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_3DES_CBC);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_GCM);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_XTS);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CFB8);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* Digest tests */
+ 	ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_224);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_384);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_digest_self_test(0, GNUTLS_DIG_SHA3_512);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* MAC (includes message digest test) */
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA1);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA224);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA384);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_SHA512);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_mac_self_test(0, GNUTLS_MAC_AES_CMAC_256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* PK */
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_DSA);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_EC);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_DH);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* HKDF */
+ 	ret = gnutls_hkdf_self_test(0, GNUTLS_MAC_SHA256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* PBKDF2 */
+ 	ret = gnutls_pbkdf2_self_test(0, GNUTLS_MAC_SHA256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* TLS-PRF */
+ 	ret = gnutls_tlsprf_self_test(0, GNUTLS_MAC_SHA256);
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	if (_gnutls_rnd_ops.self_test == NULL) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	/* this does not require rng initialization */
+ 	ret = _gnutls_rnd_ops.self_test();
+ 	if (ret < 0) {
+-		gnutls_assert();
+-		goto error;
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
+ 	if (_skip_integrity_checks == 0) {
+ 		ret = check_binary_integrity();
+ 		if (ret < 0) {
+-			gnutls_assert();
+-			goto error;
++			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 		}
+ 	}
+ 
+ 	return 0;
+-
+-error:
+-	_gnutls_switch_lib_state(LIB_STATE_ERROR);
+-	_gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n");
+-
+-	return GNUTLS_E_SELF_TEST_ERROR;
+ }
+ #endif
+ 
+@@ -894,3 +852,48 @@ _gnutls_switch_fips_state(gnutls_fips140_operation_state_t state)
+ 	(void)state;
+ #endif
+ }
++
++/**
++ * gnutls_fips140_run_self_tests:
++ *
++ * Manually perform the second round of the FIPS140 self-tests,
++ * including:
++ *
++ * - Known answer tests (KAT) for the selected set of symmetric
++ *   cipher, MAC, public key, KDF, and DRBG
++ * - Library integrity checks
++ *
++ * Upon failure with FIPS140 mode enabled, it makes the library
++ * unusable.  This function is not thread-safe.
++ *
++ * Returns: 0 upon success, a negative error code otherwise
++ *
++ * Since: 3.7.7
++ */
++int
++gnutls_fips140_run_self_tests(void)
++{
++#ifdef ENABLE_FIPS140
++	int ret;
++	unsigned prev_lib_state;
++
++	/* Temporarily switch to LIB_STATE_SELFTEST as some of the
++	 * algorithms are implemented using special constructs in
++	 * self-tests (such as deterministic variants) */
++	prev_lib_state = _gnutls_get_lib_state();
++	_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
++
++	ret = _gnutls_fips_perform_self_checks2();
++	if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_DISABLED &&
++	    ret < 0) {
++		_gnutls_switch_lib_state(LIB_STATE_ERROR);
++		_gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n");
++	} else {
++		/* Restore the previous library state */
++		_gnutls_switch_lib_state(prev_lib_state);
++	}
++	return ret;
++#else
++	return 0;
++#endif
++}
+diff --git a/lib/global.c b/lib/global.c
+index faa7f0afb2..1b372c15bd 100644
+--- a/lib/global.c
++++ b/lib/global.c
+@@ -336,9 +336,12 @@ static int _gnutls_global_init(unsigned constructor)
+ 
+ 		/* first round of self checks, these are done on the
+ 		 * nettle algorithms which are used internally */
++		_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
+ 		ret = _gnutls_fips_perform_self_checks1();
+-		if (res != 2) {
+-			if (ret < 0) {
++		if (ret < 0) {
++			_gnutls_switch_lib_state(LIB_STATE_ERROR);
++			_gnutls_audit_log(NULL, "FIPS140-2 self testing part1 failed\n");
++			if (res != 2) {
+ 				gnutls_assert();
+ 				goto out;
+ 			}
+@@ -355,9 +358,12 @@ static int _gnutls_global_init(unsigned constructor)
+ 	 * (e.g., AESNI overridden AES). They are after _gnutls_register_accel_crypto()
+ 	 * intentionally */
+ 	if (res != 0) {
++		_gnutls_switch_lib_state(LIB_STATE_SELFTEST);
+ 		ret = _gnutls_fips_perform_self_checks2();
+-		if (res != 2) {
+-			if (ret < 0) {
++		if (ret < 0) {
++			_gnutls_switch_lib_state(LIB_STATE_ERROR);
++			_gnutls_audit_log(NULL, "FIPS140-2 self testing part 2 failed\n");
++			if (res != 2) {
+ 				gnutls_assert();
+ 				goto out;
+ 			}
+diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
+index f7fc5d114a..5840f331e9 100644
+--- a/lib/includes/gnutls/gnutls.h.in
++++ b/lib/includes/gnutls/gnutls.h.in
+@@ -3416,6 +3416,8 @@ gnutls_fips140_get_operation_state(gnutls_fips140_context_t context);
+ int gnutls_fips140_push_context(gnutls_fips140_context_t context);
+ int gnutls_fips140_pop_context(void);
+ 
++int gnutls_fips140_run_self_tests(void);
++
+   /* Gnutls error codes. The mapping to a TLS alert is also shown in
+    * comments.
+    */
+diff --git a/lib/libgnutls.map b/lib/libgnutls.map
+index 0241946c8a..f42d5f9fae 100644
+--- a/lib/libgnutls.map
++++ b/lib/libgnutls.map
+@@ -1399,6 +1399,14 @@ GNUTLS_3_7_5
+ 	*;
+ } GNUTLS_3_7_4;
+ 
++GNUTLS_3_7_7
++{
++ global:
++	gnutls_fips140_run_self_tests;
++ local:
++	*;
++} GNUTLS_3_7_5;
++
+ GNUTLS_FIPS140_3_4 {
+   global:
+ 	gnutls_cipher_self_test;
+diff --git a/tests/fips-test.c b/tests/fips-test.c
+index a6a283fa67..31a5e26111 100644
+--- a/tests/fips-test.c
++++ b/tests/fips-test.c
+@@ -525,6 +525,13 @@ void doit(void)
+ 	}
+ 
+ 	gnutls_fips140_context_deinit(fips_context);
++
++	/* run self-tests manually */
++	ret = gnutls_fips140_run_self_tests();
++	if (ret < 0) {
++		fail("gnutls_fips140_run_self_tests failed\n");
++	}
++
+ 	gnutls_global_deinit();
+ 	return;
+ }
+-- 
+2.36.1
+

gnutls-3.7.6-libgnutlsxx-const.patch

@@ -0,0 +1,105 @@
+From 4a64e35cdc5ad438ab3bd256e7a4f5e8f7d6f21f Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 4 Jul 2022 09:49:09 +0900
+Subject: [PATCH] libgnutlsxx: revert ABI incompatible change
+
+This reverts 67cab96c1d59fec2e2b85ee054ec0015195cc35c.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/gnutlsxx.cpp               |  4 ++--
+ lib/includes/gnutls/gnutlsxx.h | 14 +++++++-------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/lib/gnutlsxx.cpp b/lib/gnutlsxx.cpp
+index f87490d371..3613502aba 100644
+--- a/lib/gnutlsxx.cpp
++++ b/lib/gnutlsxx.cpp
+@@ -397,7 +397,7 @@ namespace gnutls
+     gnutls_db_remove_session (s);
+   }
+ 
+-  bool server_session::db_check_entry (const gnutls_datum_t & session_data) const
++  bool server_session::db_check_entry (gnutls_datum_t & session_data) const
+   {
+     int ret = gnutls_db_check_entry (s, session_data);
+ 
+@@ -416,7 +416,7 @@ namespace gnutls
+     gnutls_credentials_clear (s);
+   }
+ 
+-  void session::set_credentials (const credentials & cred)
++  void session::set_credentials (credentials & cred)
+   {
+     RETWRAP (gnutls_credentials_set (s, cred.get_type (), cred.ptr ()));
+   }
+diff --git a/lib/includes/gnutls/gnutlsxx.h b/lib/includes/gnutls/gnutlsxx.h
+index 23bbd4ea36..eeefb798a3 100644
+--- a/lib/includes/gnutls/gnutlsxx.h
++++ b/lib/includes/gnutls/gnutlsxx.h
+@@ -42,7 +42,7 @@ namespace gnutls {
+ 
+ 	class exception:public std::exception {
+ 	      public:
+-		explicit exception(int x);
++		exception(int x);
+ 		const char *what() const throw();
+ 		int get_code();
+ 	      protected:
+@@ -104,7 +104,7 @@ namespace gnutls {
+ 	      protected:
+ 		gnutls_session_t s;
+ 	      public:
+-		explicit session(unsigned int);
++		session(unsigned int);
+ 		 virtual ~ session();
+ 
+ 		gnutls_session_t ptr();
+@@ -173,7 +173,7 @@ namespace gnutls {
+ 		void set_max_handshake_packet_length(size_t max);
+ 
+ 		void clear_credentials();
+-		void set_credentials(const class credentials & cred);
++		void set_credentials(class credentials & cred);
+ 
+ 		void set_transport_ptr(gnutls_transport_ptr_t ptr);
+ 		void set_transport_ptr(gnutls_transport_ptr_t recv_ptr,
+@@ -239,7 +239,7 @@ namespace gnutls {
+ 	class server_session:public session {
+ 	      public:
+ 		server_session();
+-		explicit server_session(int flags);
++		server_session(int flags);
+ 		~server_session();
+ 		void db_remove() const;
+ 
+@@ -247,7 +247,7 @@ namespace gnutls {
+ 		void set_db(const DB & db);
+ 
+ 		// returns true if session is expired
+-		bool db_check_entry(const gnutls_datum_t & session_data) const;
++		bool db_check_entry(gnutls_datum_t & session_data) const;
+ 
+ 		// server side only
+ 		const char *get_srp_username() const;
+@@ -264,7 +264,7 @@ namespace gnutls {
+ 	class client_session:public session {
+ 	      public:
+ 		client_session();
+-		explicit client_session(int flags);
++		client_session(int flags);
+ 		~client_session();
+ 
+ 		void set_verify_cert(const char *hostname, unsigned flags);
+@@ -281,7 +281,7 @@ namespace gnutls {
+ 		} gnutls_credentials_type_t get_type() const;
+ 	      protected:
+ 		friend class session;
+-		explicit credentials(gnutls_credentials_type_t t);
++		credentials(gnutls_credentials_type_t t);
+ 		void *ptr() const;
+ 		void set_ptr(void *ptr);
+ 		gnutls_credentials_type_t type;
+-- 
+2.36.1
+

gnutls.spec

@@ -12,24 +12,23 @@ sha256sum:close()
 print(string.sub(hash, 0, 16))
 }
 
-Version: 3.7.3
-Release: 10%{?dist}
-Patch1:	gnutls-3.6.7-no-now-guile.patch
-Patch2:	gnutls-3.2.7-rpath.patch
-Patch3:	gnutls-3.7.2-enable-intel-cet.patch
-Patch4: gnutls-3.7.2-no-explicit-init.patch
-Patch5: gnutls-3.7.3-fips-rsa-keygen.patch
-Patch6: gnutls-3.7.3-ktls-stub.patch
-Patch7: gnutls-3.7.3-fips-pkcs12.patch
-Patch8: gnutls-3.7.3-fix-tests-in-fips.patch
-Patch9: gnutls-3.7.3-gost-ifdef.patch
-Patch10: gnutls-3.7.3-max-algos.patch
-Patch11: gnutls-3.7.3-allowlist-api.patch
-Patch12: gnutls-3.7.3-libtss2-dlopen.patch
+Version: 3.7.6
+Release: 1%{?dist}
+# not upstreamed
+Patch: gnutls-3.6.7-no-now-guile.patch
+Patch: gnutls-3.2.7-rpath.patch
+Patch: gnutls-3.7.2-enable-intel-cet.patch
+Patch: gnutls-3.7.2-no-explicit-init.patch
+
+# upstreamed
+Patch: gnutls-3.7.6-fips-run-selftests.patch
 
 # not upstreamed
-Patch100: gnutls-3.7.3-disable-config-reload.patch
-Patch101: gnutls-3.7.3-fips-dsa-post.patch
+Patch: gnutls-3.7.3-disable-config-reload.patch
+Patch: gnutls-3.7.3-fips-dsa-post.patch
+
+# to prevent ABI break; will be reverted in %%install
+Patch: gnutls-3.7.6-libgnutlsxx-const.patch
 
 %bcond_without bootstrap
 %bcond_without dane
@@ -43,6 +42,7 @@ Patch101: gnutls-3.7.3-fips-dsa-post.patch
 %bcond_with tpm12
 %bcond_without tpm2
 %bcond_with gost
+%bcond_without tests
 
 Summary: A TLS protocol implementation
 Name: gnutls
@@ -65,9 +65,7 @@ BuildRequires: libidn2-devel
 BuildRequires: libunistring-devel
 BuildRequires: net-tools, datefudge, softhsm, gcc, gcc-c++
 BuildRequires: gnupg2
-%if %{with fips}
-BuildRequires: fipscheck
-%endif
+BuildRequires: git-core
 
 # for a sanity check on cert loading
 BuildRequires: p11-kit-trust, ca-certificates
@@ -89,7 +87,7 @@ BuildRequires: make
 URL: http://www.gnutls.org/
 Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz
 Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/%{name}-%{version}.tar.xz.sig
-Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
+Source2: gnutls-release-keyring.gpg
 
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
@@ -184,9 +182,8 @@ This package contains Guile bindings for the library.
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 
-%autosetup -p1
+%autosetup -p1 -S git
 %if %{with bootstrap}
-rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h
 autoreconf -fi
 %endif
 
@@ -260,22 +257,23 @@ export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
            --disable-rpath \
            --with-default-priority-string="@SYSTEM"
 
-make %{?_smp_mflags} V=1
-
-%if %{with fips}
-%define __spec_install_post \
-	%{?__debug_package:%{__debug_install_post}} \
-	%{__arch_install_post} \
-	%{__os_install_post} \
-	rm -f $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.*.hmac \
-	fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.* \
-	file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac \
-%{nil}
-%endif
+# build libgnutlsxx.so with older SONAME
+make %{?_smp_mflags} V=1 CXX_LT_CURRENT=29 CXX_LT_REVISION=0 CXX_LT_AGE=1
 
 %install
 make install DESTDIR=$RPM_BUILD_ROOT
+
+# build libgnutlsxx.so with newer SONAME
+git show | patch -p1 -R
+pushd lib
+rm -f libgnutlsxx.la
+make %{?_smp_mflags} V=1 CXX_LT_CURRENT=30 CXX_LT_REVISION=0 CXX_LT_AGE=0
+make install DESTDIR=$RPM_BUILD_ROOT
+popd
+touch doc/examples/ex-cxx
+
 make -C doc install-html DESTDIR=$RPM_BUILD_ROOT
+
 rm -f $RPM_BUILD_ROOT%{_infodir}/dir
 rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.a
@@ -284,15 +282,33 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.la
 rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
 %endif
 
+%if %{with fips}
+# doing it twice should be a no-op the second time,
+# and this way we avoid redefining it and missing a future change
+%{__spec_install_post}
+./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac
+sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac
+%endif
+
+%if %{with fips}
+%define __spec_install_post \
+	%{?__debug_package:%{__debug_install_post}} \
+	%{__arch_install_post} \
+	%{__os_install_post} \
+%{nil}
+%endif
+
 %find_lang gnutls
 
 %check
+%if %{with tests}
 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
+%endif
 
 %files -f gnutls.lang
 %{_libdir}/libgnutls.so.30*
 %if %{with fips}
-%{_libdir}/.libgnutls.so.30*.hmac
+%{_libdir}/.gnutls.hmac
 %endif
 %doc README.md AUTHORS NEWS THANKS
 %license LICENSE doc/COPYING doc/COPYING.LESSER
@@ -303,10 +319,6 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %files devel
 %{_includedir}/*
 %{_libdir}/libgnutls*.so
-%if %{with fips}
-%{_libdir}/.libgnutls.so.*.hmac
-%endif
-
 %{_libdir}/pkgconfig/*.pc
 %{_mandir}/man3/*
 %{_infodir}/gnutls*
@@ -344,6 +356,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 
 %changelog
+* Fri Jul  1 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-1
+- Update to gnutls 3.7.6 (#2097327)
+
 * Thu Mar 31 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-10
 - Use only the first component of VERSION from /etc/os-release (#2070249)
 - Don't run power-on self-tests on DSA (#2061325)

sources

@@ -1,3 +1,2 @@
-SHA512 (gnutls-3.7.3.tar.xz) = 3ace744affe23e284342658d6d2d2de49dd50065489cbc8be18fc7d38187253e5268ca54027ce5cd517056c249ac039a7481e4548cec04325de37ae85617d077
-SHA512 (gnutls-3.7.3.tar.xz.sig) = 93e62730570a6f65ec98538e812ed9c0bd35c25f0906b22f2ae3e762981b0e01bfb7ffcb747c64b42c586d6f0d5c90a7c3abfdc39088cc05f9975b865c309d50
-SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173
+SHA512 (gnutls-3.7.6.tar.xz) = f872339df80ec31d292821ff00eaafbe50e0bd4cdbb86e21e4f78541cd0a26d843596d5e69c91de4db8ce7d027fc639ae6462b57d89fb116162ae63c5a97486a
+SHA512 (gnutls-3.7.6.tar.xz.sig) = c969da9a938b9d29a70cea3b00cce337f9a4c4304aae7f501ef6263894f81a420395ddbe1b005f35dff2e900d3fac75e288f10bbfde0ebea034f7e257bb16d0e