import gnutls-3.7.2-4.el9

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/gnutls-3.7.2.tar.xz
+SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg

.gnutls.metadata

@@ -0,0 +1,2 @@
+02e12259680b6ad3ec973e0df6bf2cf0c5ef1100 SOURCES/gnutls-3.7.2.tar.xz
+648ec46f9539fe756fb90131b85ae4759ed2ed21 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg

SOURCES/gnutls-3.2.7-rpath.patch

@@ -0,0 +1,12 @@
+diff -ur gnutls-3.2.7.orig/configure gnutls-3.2.7/configure
+--- gnutls-3.2.7.orig/configure	2013-11-23 11:09:49.000000000 +0100
++++ gnutls-3.2.7/configure	2013-11-25 16:53:05.559440656 +0100
+@@ -39652,7 +39652,7 @@
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+ 

SOURCES/gnutls-3.6.7-no-now-guile.patch

@@ -0,0 +1,11 @@
+--- a/guile/src/Makefile.in	2019-03-27 11:51:55.984398001 +0100
++++ b/guile/src/Makefile.in	2019-03-27 11:52:27.259626076 +0100
+@@ -1472,7 +1472,7 @@
+ # Use '-module' to build a "dlopenable module", in Libtool terms.
+ # Use '-undefined' to placate Libtool on Windows; see
+ # <https://lists.gnutls.org/pipermail/gnutls-devel/2014-December/007294.html>.
+-guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined
++guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined -Wl,-z,lazy
+ 
+ # Linking against GnuTLS.
+ GNUTLS_CORE_LIBS = $(top_builddir)/lib/libgnutls.la

SOURCES/gnutls-3.7.2-key-share-ecdhx.patch

@@ -0,0 +1,92 @@
+From c9e072236c4e1c290f38aee819ecaff8398e2a16 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 25 Jun 2021 08:39:12 +0200
+Subject: [PATCH] key_share: treat X25519 and X448 as same PK type when
+ advertising
+
+Previously, if both X25519 and X448 groups were enabled in the
+priority string, the client sent both algorithms in a key_share
+extension, while it was only capable of handling one algorithm from
+the same (Edwards curve) category.  This adds an extra check so the
+client should send either X25519 or X448.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/ext/key_share.c     | 24 +++++++++++++++++++++---
+ tests/tls13/key_share.c |  3 +++
+ 2 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
+index a8c4bb5cf..a4db3af95 100644
+--- a/lib/ext/key_share.c
++++ b/lib/ext/key_share.c
+@@ -656,6 +656,18 @@ key_share_recv_params(gnutls_session_t session,
+ 	return 0;
+ }
+ 
++static inline bool
++pk_type_is_ecdhx(gnutls_pk_algorithm_t pk)
++{
++	return pk == GNUTLS_PK_ECDH_X25519 || pk == GNUTLS_PK_ECDH_X448;
++}
++
++static inline bool
++pk_type_equal(gnutls_pk_algorithm_t a, gnutls_pk_algorithm_t b)
++{
++	return a == b || (pk_type_is_ecdhx(a) && pk_type_is_ecdhx(b));
++}
++
+ /* returns data_size or a negative number on failure
+  */
+ static int
+@@ -710,12 +722,18 @@ key_share_send_params(gnutls_session_t session,
+ 			/* generate key shares for out top-(max_groups) groups
+ 			 * if they are of different PK type. */
+ 			for (i = 0; i < session->internals.priorities->groups.size; i++) {
++				unsigned int j;
++
+ 				group = session->internals.priorities->groups.entry[i];
+ 
+-				if (generated == 1 && group->pk == selected_groups[0])
+-					continue;
+-				else if (generated == 2 && (group->pk == selected_groups[1] || group->pk == selected_groups[0]))
++				for (j = 0; j < generated; j++) {
++					if (pk_type_equal(group->pk, selected_groups[j])) {
++						break;
++					}
++				}
++				if (j < generated) {
+ 					continue;
++				}
+ 
+ 				selected_groups[generated] = group->pk;
+ 
+diff --git a/tests/tls13/key_share.c b/tests/tls13/key_share.c
+index 7f8f6295c..816a7d9b5 100644
+--- a/tests/tls13/key_share.c
++++ b/tests/tls13/key_share.c
+@@ -124,6 +124,7 @@ unsigned int tls_id_to_group[] = {
+ 	[23] = GNUTLS_GROUP_SECP256R1,
+ 	[24] = GNUTLS_GROUP_SECP384R1,
+ 	[29] = GNUTLS_GROUP_X25519,
++	[30] = GNUTLS_GROUP_X448,
+ 	[0x100] = GNUTLS_GROUP_FFDHE2048,
+ 	[0x101] = GNUTLS_GROUP_FFDHE3072
+ };
+@@ -315,11 +316,13 @@ void doit(void)
+ 	start("two groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
+ 	start("two groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
+ 	start("two groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X25519, 2);
++	start("two groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X448, 2);
+ 	start("two groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_FFDHE2048, 2);
+ 
+ 	start("three groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
+ 	start("three groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
+ 	start("three groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X25519, 3);
++	start("three groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X448, 3);
+ 	start("three groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_FFDHE2048, 3);
+ 
+ 	/* test default behavior */
+-- 
+2.31.1
+