Reinstate and update the prematurely dropped rekeying patch

Reported-by: Conor Tull <ctull@redhat.com>
Related: RHEL-125971

gnutls-3.8.10-keyupdate.patch

@@ -1,4 +1,4 @@
-From 3f5dd79d8abd40193ab3ce9b3ee9a30bf77b34ba Mon Sep 17 00:00:00 2001
+From 5376a0cabf94314316005e6bf411ffcc7628b386 Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Tue, 22 Jul 2025 10:49:33 +0900
 Subject: [PATCH 1/3] key_update: fix state transition in KTLS code path
@@ -22,10 +22,10 @@ index d37f79a550..ebc75addec 100644
  				session->internals.record_key_update_buffer.data,
  				session->internals.record_key_update_buffer
 -- 
-2.50.1
+GitLab
 
 
-From fee06c4ac19129e0f5f4b639919a4ff244bf174c Mon Sep 17 00:00:00 2001
+From 30c264b661d49d135ef342426c6c4cd853209c06 Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Thu, 31 Jul 2025 15:34:48 +0900
 Subject: [PATCH 2/3] constate: switch epoch lookup to linear search
@@ -119,10 +119,10 @@ index ca253a2bea..b091d891ff 100644
  
  	_gnutls_record_log("REC[%p]: End of epoch cleanup\n", session);
 diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
-index e9ec36d585..cc5d965593 100644
+index 539486bc7d..e083520055 100644
 --- a/lib/gnutls_int.h
 +++ b/lib/gnutls_int.h
-@@ -860,9 +860,6 @@ typedef struct {
+@@ -876,9 +876,6 @@ typedef struct {
  	/* The epoch that the next handshake will initialize. */
  	uint16_t epoch_next;
  
@@ -133,10 +133,10 @@ index e9ec36d585..cc5d965593 100644
  	 * moved here from internals in order to be restored
  	 * on resume;
 -- 
-2.50.1
+GitLab
 
 
-From 0d25525656d3bcf2d8ca9d17d5ebe7cb738ed4c2 Mon Sep 17 00:00:00 2001
+From 1d830baac2f8a08a40b13e9eecfcc64ad032e7b5 Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Sat, 19 Jul 2025 07:08:24 +0900
 Subject: [PATCH 3/3] key_update: rework the rekeying logic
@@ -158,10 +158,10 @@ Signed-off-by: Daiki Ueno <ueno@gnu.org>
  2 files changed, 47 insertions(+), 27 deletions(-)
 
 diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
-index cc5d965593..a7684f75c1 100644
+index e083520055..f3caea1170 100644
 --- a/lib/gnutls_int.h
 +++ b/lib/gnutls_int.h
-@@ -1652,7 +1652,7 @@ typedef struct {
+@@ -1672,7 +1672,7 @@ typedef struct {
  } internals_st;
  
  /* Maximum number of epochs we keep around. */
@@ -291,5 +291,5 @@ index 41243651b5..beee1dc41a 100644
  		return gnutls_assert_val(ret);
  
 -- 
-2.50.1
+GitLab
 

gnutls.spec

@@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
 }
 
 Version: 3.8.10
-Release: 1%{?dist}
+Release: 2%{?dist}
 # not upstreamed
 Patch: gnutls-3.2.7-rpath.patch
 Patch: gnutls-3.7.2-enable-intel-cet.patch
@@ -22,6 +22,11 @@ Patch: gnutls-3.7.3-disable-config-reload.patch
 Patch: gnutls-3.7.6-drbg-reseed.patch
 
 # upstreamed
+# * 5376a0cabf@3.8.11: key_update: fix state transition in KTLS code path
+# * 30c264b661@3.8.11: constate: switch epoch lookup to linear search
+# * 1d830baac2@3.8.11: key_update: rework the rekeying logic
+Patch: gnutls-3.8.10-keyupdate.patch
+# * 0992505881@3.8.11: tests: distribute ktls_utils.h
 Patch: gnutls-3.8.10-tests-ktls.patch
 
 # reverts
@@ -474,10 +479,13 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null XFAIL_TESTS="$x
 %endif
 
 %changelog
+* Wed Jan 14 2026 Alexander Sosedkin <asosedkin@redhat.com> - 3.8.10-2
+- Reinstate and update the prematurely dropped rekeying patch
+
 * Thu Nov  6 2025 Alexander Sosedkin <asosedkin@redhat.com> - 3.8.10-1
-- rebase to 3.8.10
-- revert defaulting to PBMAC1 in FIPS mode
-- revert unapproving 1024-, 1280-, 1536- and 1792-bit RSA verification
+- Rebase to 3.8.10
+- Revert defaulting to PBMAC1 in FIPS mode
+- Revert unapproving 1024-, 1280-, 1536- and 1792-bit RSA verification
 
 * Tue Aug  5 2025 Daiki Ueno <dueno@redhat.com> - 3.8.3-9
 - key_update: rework the rekeying logic (RHEL-107499)