From f0bb07790fb8355794b4a7bd7a2d875bbbd2c473 Mon Sep 17 00:00:00 2001 From: Alexander Sosedkin Date: Wed, 14 Jan 2026 14:19:11 +0100 Subject: [PATCH] Reinstate and update the prematurely dropped rekeying patch Reported-by: Conor Tull Related: RHEL-125971 --- ...ate.patch => gnutls-3.8.10-keyupdate.patch | 20 +++++++++---------- gnutls.spec | 16 +++++++++++---- 2 files changed, 22 insertions(+), 14 deletions(-) rename gnutls-3.8.3-keyupdate.patch => gnutls-3.8.10-keyupdate.patch (96%) diff --git a/gnutls-3.8.3-keyupdate.patch b/gnutls-3.8.10-keyupdate.patch similarity index 96% rename from gnutls-3.8.3-keyupdate.patch rename to gnutls-3.8.10-keyupdate.patch index 6cc5176..b882686 100644 --- a/gnutls-3.8.3-keyupdate.patch +++ b/gnutls-3.8.10-keyupdate.patch @@ -1,4 +1,4 @@ -From 3f5dd79d8abd40193ab3ce9b3ee9a30bf77b34ba Mon Sep 17 00:00:00 2001 +From 5376a0cabf94314316005e6bf411ffcc7628b386 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 22 Jul 2025 10:49:33 +0900 Subject: [PATCH 1/3] key_update: fix state transition in KTLS code path @@ -22,10 +22,10 @@ index d37f79a550..ebc75addec 100644 session->internals.record_key_update_buffer.data, session->internals.record_key_update_buffer -- -2.50.1 +GitLab -From fee06c4ac19129e0f5f4b639919a4ff244bf174c Mon Sep 17 00:00:00 2001 +From 30c264b661d49d135ef342426c6c4cd853209c06 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 31 Jul 2025 15:34:48 +0900 Subject: [PATCH 2/3] constate: switch epoch lookup to linear search @@ -119,10 +119,10 @@ index ca253a2bea..b091d891ff 100644 _gnutls_record_log("REC[%p]: End of epoch cleanup\n", session); diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h -index e9ec36d585..cc5d965593 100644 +index 539486bc7d..e083520055 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h -@@ -860,9 +860,6 @@ typedef struct { +@@ -876,9 +876,6 @@ typedef struct { /* The epoch that the next handshake will initialize. */ uint16_t epoch_next; 
@@ -133,10 +133,10 @@ index e9ec36d585..cc5d965593 100644 * moved here from internals in order to be restored * on resume; -- -2.50.1 +GitLab -From 0d25525656d3bcf2d8ca9d17d5ebe7cb738ed4c2 Mon Sep 17 00:00:00 2001 +From 1d830baac2f8a08a40b13e9eecfcc64ad032e7b5 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sat, 19 Jul 2025 07:08:24 +0900 Subject: [PATCH 3/3] key_update: rework the rekeying logic @@ -158,10 +158,10 @@ Signed-off-by: Daiki Ueno 2 files changed, 47 insertions(+), 27 deletions(-) diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h -index cc5d965593..a7684f75c1 100644 +index e083520055..f3caea1170 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h -@@ -1652,7 +1652,7 @@ typedef struct { +@@ -1672,7 +1672,7 @@ typedef struct { } internals_st; /* Maximum number of epochs we keep around. */ @@ -291,5 +291,5 @@ index 41243651b5..beee1dc41a 100644 return gnutls_assert_val(ret); -- -2.50.1 +GitLab diff --git a/gnutls.spec b/gnutls.spec index d51fee8..a7ee9cd 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16)) } Version: 3.8.10 -Release: 1%{?dist} +Release: 2%{?dist} # not upstreamed Patch: gnutls-3.2.7-rpath.patch Patch: gnutls-3.7.2-enable-intel-cet.patch @@ -22,6 +22,11 @@ Patch: gnutls-3.7.3-disable-config-reload.patch Patch: gnutls-3.7.6-drbg-reseed.patch # upstreamed +# * 5376a0cabf@3.8.11: key_update: fix state transition in KTLS code path +# * 30c264b661@3.8.11: constate: switch epoch lookup to linear search +# * 1d830baac2@3.8.11: key_update: rework the rekeying logic +Patch: gnutls-3.8.10-keyupdate.patch +# * 0992505881@3.8.11: tests: distribute ktls_utils.h Patch: gnutls-3.8.10-tests-ktls.patch # reverts 
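Review bot: Nothing in the added `Patch: gnutls-3.8.10-keyupdate.patch` stanza would stop a later rebase from dropping the three key_update/constate fixes again, which appears to be how 3.8.10-1 shipped without them. The `hash@3.8.11` annotations are a useful record, but I would state the drop condition above the `Patch:` line, e.g. `# keep until the rebase reaches >= 3.8.11; verify the three commits are in the tarball before dropping`. From the visible diffstat, PATCH 3/3 changes `lib/gnutls_int.h` and one other file, so the patch does not seem to carry a regression test of its own. It is worth confirming that `make check` in `%check` exercises TLS 1.3 key update on both the KTLS and non-KTLS paths, and that no such test is listed in `XFAIL_TESTS`, so a missing rekeying fix fails the build instead of surfacing as a field report.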
@@ -474,10 +479,13 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null XFAIL_TESTS="$x %endif %changelog +* Wed Jan 14 2026 Alexander Sosedkin - 3.8.10-2 +- Reinstate and update the prematurely dropped rekeying patch + * Thu Nov 6 2025 Alexander Sosedkin - 3.8.10-1 -- rebase to 3.8.10 -- revert defaulting to PBMAC1 in FIPS mode -- revert unapproving 1024-, 1280-, 1536- and 1792-bit RSA verification +- Rebase to 3.8.10 +- Revert defaulting to PBMAC1 in FIPS mode +- Revert unapproving 1024-, 1280-, 1536- and 1792-bit RSA verification * Tue Aug 5 2025 Daiki Ueno - 3.8.3-9 - key_update: rework the rekeying logic (RHEL-107499)