Auto sync2gitlab import of gnutls-3.6.16-4.el8.src.rpm

2022-05-26 07:51:32 -04:00 · 2022-05-26 07:51:32 -04:00 · f1f19751c5
commit f1f19751c5
parent f115cb50da
12 changed files with 10281 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
 /gnutls-3.6.16.tar.xz
 /gnutls-3.6.16.tar.xz.sig
 /gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
--- a/1
+++ b/1
@ -1 +0,0 @@
--- a/gnutls-3.2.7-rpath.patch
+++ b/gnutls-3.2.7-rpath.patch
@ -0,0 +1,12 @@
 diff -ur gnutls-3.2.7.orig/configure gnutls-3.2.7/configure
 --- gnutls-3.2.7.orig/configure	2013-11-23 11:09:49.000000000 +0100
 +++ gnutls-3.2.7/configure	2013-11-25 16:53:05.559440656 +0100
@@ -39652,7 +39652,7 @@
 shlibpath_overrides_runpath=unknown
 version_type=none
 dynamic_linker="$host_os ld.so"
 -sys_lib_dlsearch_path_spec="/lib /usr/lib"
 +sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
 need_lib_prefix=unknown
 hardcode_into_libs=no
--- a/gnutls-3.6.13-enable-intel-cet.patch
+++ b/gnutls-3.6.13-enable-intel-cet.patch
--- a/gnutls-3.6.14-fips-dh-selftests.patch
+++ b/gnutls-3.6.14-fips-dh-selftests.patch
@ -0,0 +1,204 @@
 From f09b7627a63defb1c55e9965fb05e0bbddb90247 Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Tue, 6 Oct 2020 11:54:21 +0200
 Subject: [PATCH] fips: use larger prime for DH self-tests
 According to FIPS140-2 IG 7.5, the minimum key size of FFC through
 2030 is defined as 2048 bits.  This updates the relevant self-test
 using ffdhe3072 defined in RFC 7919.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 ---
 lib/crypto-selftests-pk.c | 142 ++++++++++++++++++++++++++++++++++----
 lib/dh-primes.c           |   4 --
 2 files changed, 130 insertions(+), 16 deletions(-)
 diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
 index 70b0f618f..9b7c692a8 100644
 --- a/lib/crypto-selftests-pk.c
 +++ b/lib/crypto-selftests-pk.c
@@ -620,32 +620,150 @@ static int test_dh(void)
 	gnutls_pk_params_st priv;
 	gnutls_pk_params_st pub;
 	gnutls_datum_t out = {NULL, 0};
 +
 +	/* FFDHE 3072 test vector provided by Stephan Mueller in:
 +	 * https://gitlab.com/gnutls/gnutls/-/merge_requests/1342#note_424430996
 +	 */
 	static const uint8_t known_dh_k[] = {
 -		0x10, 0x25, 0x04, 0xb5, 0xc6, 0xc2, 0xcb, 
 -		0x0c, 0xe9, 0xc5, 0x58, 0x0d, 0x22, 0x62};
 -	static const uint8_t test_p[] = {
 -		0x24, 0x85, 0xdd, 0x3a, 0x74, 0x42, 0xe4, 
 -		0xb3, 0xf1, 0x0b, 0x13, 0xf9, 0x17, 0x4d };
 -	static const uint8_t test_g[] = { 0x02 };
 +		0xec, 0xb3, 0x85, 0x0c, 0x72, 0x55, 0x55, 0xc2, 0x98, 0x36,
 +		0xbe, 0x75, 0x9e, 0xc9, 0x9d, 0x8b, 0x16, 0xa6, 0xe6, 0x84,
 +		0x33, 0x12, 0x80, 0x1d, 0xac, 0xde, 0x6a, 0xd7, 0x3b, 0x1e,
 +		0x15, 0xca, 0x5d, 0x26, 0xb3, 0x0a, 0x35, 0xf4, 0xbb, 0xad,
 +		0x71, 0xcb, 0x03, 0x1a, 0xcb, 0xfb, 0x83, 0xf0, 0xa8, 0xde,
 +		0xed, 0x5e, 0x3d, 0x98, 0xd2, 0xb0, 0xef, 0xad, 0xdf, 0x32,
 +		0xa0, 0x16, 0x7d, 0x0e, 0x29, 0xd8, 0x85, 0xca, 0x12, 0x97,
 +		0x56, 0xab, 0x6a, 0x26, 0xa4, 0x46, 0x3d, 0x87, 0xd7, 0xe0,
 +		0xb4, 0x3e, 0x28, 0x75, 0xac, 0x59, 0xc5, 0x71, 0x3a, 0x24,
 +		0x15, 0x76, 0x98, 0x72, 0x94, 0x2d, 0xd0, 0x0e, 0xbc, 0x9a,
 +		0x77, 0xd4, 0xe2, 0xb2, 0x76, 0x54, 0x4a, 0x56, 0xbe, 0x0b,
 +		0x43, 0xf8, 0x21, 0x6f, 0x54, 0x32, 0xde, 0xb7, 0xd5, 0xb7,
 +		0x08, 0x00, 0xd2, 0x57, 0x8c, 0x0b, 0x8b, 0x02, 0x3e, 0xdb,
 +		0x72, 0x54, 0x3a, 0xc0, 0x50, 0x66, 0xbc, 0xc9, 0x67, 0xf5,
 +		0x22, 0x28, 0xf2, 0x3c, 0x51, 0x94, 0x61, 0x26, 0x9a, 0xc6,
 +		0x42, 0x0e, 0x8b, 0x42, 0xad, 0x79, 0x40, 0xa9, 0x0b, 0xdc,
 +		0x84, 0xd5, 0x71, 0x83, 0x94, 0xd9, 0x83, 0x2f, 0x08, 0x74,
 +		0xbc, 0x37, 0x6a, 0x3e, 0x1e, 0xbc, 0xcc, 0x09, 0x23, 0x30,
 +		0x79, 0x01, 0x39, 0xf6, 0xe3, 0xa8, 0xc0, 0xfa, 0x7e, 0xdb,
 +		0x0b, 0x71, 0x3e, 0x4f, 0x1f, 0x69, 0x84, 0xa6, 0x58, 0x6c,
 +		0x36, 0x2c, 0xcc, 0xb4, 0x7c, 0x94, 0xec, 0x06, 0x0b, 0x11,
 +		0x53, 0x95, 0xe6, 0x05, 0x43, 0xa4, 0xe4, 0xea, 0x1d, 0x4f,
 +		0xdc, 0xd0, 0x38, 0x0e, 0x32, 0xa1, 0xde, 0xd9, 0x8d, 0xd8,
 +		0x20, 0xac, 0x04, 0x83, 0xf8, 0x1b, 0x55, 0x52, 0x16, 0x20,
 +		0xe3, 0x2e, 0x6d, 0x11, 0x15, 0x29, 0x2f, 0x3a, 0x7c, 0x80,
 +		0x0a, 0x71, 0x3d, 0x31, 0x9c, 0x1b, 0x73, 0x59, 0xe1, 0x0d,
 +		0x27, 0xc5, 0xc0, 0x6a, 0x72, 0x3a, 0x5b, 0xd6, 0xf6, 0x50,
 +		0xe6, 0x69, 0x48, 0x1e, 0xfd, 0xeb, 0x4a, 0x47, 0x73, 0xfb,
 +		0x88, 0x14, 0xea, 0x6d, 0x36, 0xe1, 0x4c, 0x2c, 0xf9, 0x04,
 +		0xc1, 0xb7, 0x29, 0xfc, 0x5d, 0x02, 0x5d, 0x1c, 0x4d, 0x31,
 +		0x4a, 0x51, 0x3f, 0xa4, 0x45, 0x19, 0x29, 0xc4, 0x32, 0xa6,
 +		0x45, 0xdb, 0x94, 0x3a, 0xbd, 0x76, 0x2c, 0xd6, 0x1a, 0xb1,
 +		0xff, 0xe7, 0x62, 0x75, 0x16, 0xe5, 0x0b, 0xa3, 0x3a, 0x93,
 +		0x84, 0xd6, 0xad, 0xc2, 0x24, 0x68, 0x3d, 0xd6, 0x07, 0xe4,
 +		0xbe, 0x5a, 0x49, 0x31, 0x06, 0xad, 0x3f, 0x31, 0x4a, 0x1c,
 +		0xf7, 0x58, 0xdf, 0x34, 0xcb, 0xc8, 0xa9, 0x07, 0x24, 0x42,
 +		0x63, 0xa5, 0x8e, 0xdd, 0x37, 0x78, 0x92, 0x68, 0x3f, 0xd8,
 +		0x2f, 0xea, 0x8c, 0xf1, 0x8e, 0xd4, 0x8b, 0xa7, 0x3f, 0xa0,
 +		0xfa, 0xaf, 0xf0, 0x35,
 +	};
 	static const uint8_t test_x[] = {
 -		0x06, 0x2c, 0x96, 0xae, 0x0e, 0x9e, 0x9b, 
 -		0xbb, 0x41, 0x51, 0x7a, 0xa7, 0xc5, 0xfe };
 +		0x16, 0x5c, 0xa6, 0xe0, 0x9b, 0x87, 0xfa, 0x2d, 0xbc, 0x13,
 +		0x20, 0xcd, 0xac, 0x4e, 0xcc, 0x60, 0x1e, 0x48, 0xec, 0xbe,
 +		0x73, 0x0c, 0xa8, 0x6b, 0x6e, 0x2a, 0xee, 0xdd, 0xd8, 0xf3,
 +		0x2d, 0x5f, 0x75, 0xf3, 0x07, 0x94, 0x88, 0x3d, 0xb1, 0x38,
 +		0xcf, 0xae, 0x4a, 0xcc, 0xcb, 0x6a, 0x80, 0xbc, 0xeb, 0x3b,
 +		0xaa, 0x0b, 0x18, 0x74, 0x58, 0x7c, 0x3e, 0x74, 0xef, 0xb6,
 +		0xd3, 0x15, 0xee, 0x73, 0x29, 0x88, 0x7b, 0x65, 0x02, 0x39,
 +		0x33, 0xec, 0x22, 0x06, 0x8c, 0x5b, 0xd6, 0x2f, 0x4c, 0xf7,
 +		0xe0, 0x97, 0x6d, 0x2a, 0x90, 0x36, 0xfe, 0x1a, 0x44, 0x4d,
 +		0x9d, 0x41, 0x4b, 0xcb, 0xec, 0x25, 0xf4, 0xc3, 0xa5, 0x91,
 +		0xd0, 0x90, 0xc9, 0x34, 0x7b, 0xba, 0x27, 0x30, 0x5a, 0xa2,
 +		0x21, 0x58, 0xce, 0x88, 0x25, 0x39, 0xaf, 0xf1, 0x17, 0x02,
 +		0x12, 0xf8, 0x55, 0xdc, 0xd2, 0x08, 0x5b, 0xd3, 0xc7, 0x8e,
 +		0xcf, 0x29, 0x85, 0x85, 0xdb, 0x5c, 0x08, 0xc2, 0xd7, 0xb0,
 +		0x33, 0x0e, 0xe3, 0xb9, 0x2c, 0x1a, 0x1d, 0x4b, 0xe5, 0x76,
 +		0x8f, 0xd3, 0x14, 0xb6, 0x8c, 0xdc, 0x9a, 0xe8, 0x15, 0x60,
 +		0x60, 0x5e, 0xaa, 0xf9, 0xfa, 0xa6, 0xb2, 0x4f, 0xff, 0x46,
 +		0xc1, 0x5e, 0x93, 0x50, 0x90, 0x7e, 0x4c, 0x26, 0xd7, 0xbb,
 +		0x21, 0x05, 0x3d, 0x27, 0xc5, 0x9b, 0x0d, 0x46, 0x69, 0xe4,
 +		0x74, 0x87, 0x74, 0x55, 0xee, 0x5f, 0xe5, 0x72, 0x04, 0x46,
 +		0x1f, 0x2e, 0x55, 0xc7, 0xcc, 0x2b, 0x2b, 0x39, 0x6d, 0x90,
 +		0x60, 0x31, 0x37, 0x5b, 0x44, 0xde, 0xfd, 0xf2, 0xd1, 0xc6,
 +		0x9c, 0x12, 0x82, 0xcc, 0x7c, 0xb1, 0x0e, 0xa9, 0x95, 0x9d,
 +		0xe0, 0xa8, 0x3e, 0xc1, 0xa3, 0x4a, 0x6a, 0x37, 0x59, 0x17,
 +		0x93, 0x63, 0x1e, 0xbf, 0x04, 0xa3, 0xaa, 0xc0, 0x1d, 0xc4,
 +		0x6d, 0x7a, 0xdc, 0x69, 0x9c, 0xb0, 0x22, 0x56, 0xd9, 0x76,
 +		0x92, 0x2d, 0x1e, 0x62, 0xae, 0xfd, 0xd6, 0x9b, 0xfd, 0x08,
 +		0x2c, 0x95, 0xec, 0xe7, 0x02, 0x43, 0x62, 0x68, 0x1a, 0xaf,
 +		0x46, 0x59, 0xb7, 0xce, 0x8e, 0x42, 0x24, 0xae, 0xf7, 0x0e,
 +		0x9a, 0x3b, 0xf8, 0x77, 0xdf, 0x26, 0x85, 0x9f, 0x45, 0xad,
 +		0x8c, 0xa9, 0x54, 0x9c, 0x46, 0x44, 0xd5, 0x8a, 0xe9, 0xcc,
 +		0x34, 0x5e, 0xc5, 0xd1, 0x42, 0x6f, 0x44, 0xf3, 0x0f, 0x90,
 +		0x3a, 0x32, 0x1a, 0x9c, 0x2a, 0x63, 0xec, 0x21, 0xb4, 0xfc,
 +		0xfa, 0xa5, 0xcf, 0xe7, 0x9e, 0x43, 0xc7, 0x49, 0x56, 0xbc,
 +		0x50, 0xc5, 0x84, 0xf0, 0x42, 0xc8, 0x6a, 0xf1, 0x78, 0xe4,
 +		0xaa, 0x06, 0x37, 0xe1, 0x30, 0xf7, 0x65, 0x97, 0xca, 0xfd,
 +		0x35, 0xfa, 0xeb, 0x48, 0x6d, 0xaa, 0x45, 0x46, 0x9d, 0xbc,
 +		0x1d, 0x98, 0x17, 0x45, 0xa3, 0xee, 0x21, 0xa0, 0x97, 0x38,
 +		0x80, 0xc5, 0x28, 0x1f,
 +	};
 	static const uint8_t test_y[] = { /* y=g^x mod p */
 -		0x1e, 0xca, 0x23, 0x2a, 0xfd, 0x34, 0xe1, 
 -		0x10, 0x7a, 0xff, 0xaf, 0x2d, 0xaa, 0x53 };
 +		0x93, 0xeb, 0x5c, 0x37, 0x1d, 0x3c, 0x06, 0x6f, 0xbf, 0xbe,
 +		0x96, 0x51, 0x26, 0x58, 0x81, 0x36, 0xc6, 0x4f, 0x9a, 0x34,
 +		0xc4, 0xc5, 0xa8, 0xa3, 0x2c, 0x41, 0x76, 0xa8, 0xc6, 0xc0,
 +		0xa0, 0xc8, 0x51, 0x36, 0xc4, 0x40, 0x4e, 0x2c, 0x69, 0xf7,
 +		0x51, 0xbb, 0xb0, 0xd6, 0xf5, 0xdb, 0x40, 0x29, 0x50, 0x3b,
 +		0x8a, 0xf9, 0xf3, 0x53, 0x78, 0xfc, 0x86, 0xe9, 0xf1, 0xe9,
 +		0xac, 0x85, 0x13, 0x65, 0x62, 0x22, 0x04, 0x1b, 0x14, 0x2a,
 +		0xf4, 0x8f, 0x2f, 0xf1, 0x2f, 0x81, 0xd6, 0x18, 0x0e, 0x76,
 +		0x91, 0x43, 0xb2, 0xfc, 0x7c, 0x6f, 0x0c, 0x45, 0x37, 0x31,
 +		0x31, 0x58, 0x5c, 0xdf, 0x42, 0x24, 0x7a, 0xba, 0x8b, 0x7f,
 +		0x79, 0x06, 0x07, 0xef, 0xd6, 0x06, 0xeb, 0xcb, 0x3c, 0xbd,
 +		0xbc, 0xe5, 0xff, 0xfd, 0x62, 0x15, 0x0c, 0x40, 0x46, 0x37,
 +		0xef, 0xd0, 0xa1, 0xde, 0x63, 0x4f, 0x20, 0x0b, 0x45, 0x7d,
 +		0x06, 0x77, 0xfd, 0x23, 0xc1, 0x32, 0x8a, 0x89, 0x65, 0x16,
 +		0xe8, 0x48, 0x12, 0x1c, 0x25, 0x33, 0x2d, 0xbd, 0xd8, 0x9f,
 +		0x1c, 0x9d, 0xbc, 0xe3, 0x08, 0x60, 0x87, 0x1a, 0xc6, 0x06,
 +		0x36, 0xd2, 0xac, 0x09, 0x6d, 0x99, 0x02, 0x89, 0xc6, 0x12,
 +		0x93, 0x8c, 0x4b, 0xd0, 0x7e, 0x36, 0x8a, 0xd6, 0xa0, 0x97,
 +		0x4f, 0x97, 0x3f, 0x97, 0x0b, 0xfe, 0x05, 0xfc, 0xc8, 0xef,
 +		0x21, 0x4d, 0x4a, 0x06, 0x6e, 0xb4, 0xa6, 0x4f, 0xe1, 0xdd,
 +		0x44, 0x06, 0xfa, 0xd5, 0x0e, 0x54, 0xf5, 0x54, 0x3e, 0x8c,
 +		0xb9, 0x85, 0x86, 0x00, 0x40, 0x98, 0xe7, 0x01, 0xdd, 0x93,
 +		0x9d, 0x95, 0xea, 0xf0, 0xd3, 0x99, 0x4b, 0xeb, 0xd5, 0x79,
 +		0x47, 0xa4, 0xad, 0x2a, 0xe0, 0x4d, 0x36, 0x3b, 0x46, 0x10,
 +		0x96, 0xbb, 0x48, 0xe9, 0xa1, 0x78, 0x01, 0x35, 0x0a, 0x5c,
 +		0x7b, 0x3f, 0xf5, 0xf7, 0xb1, 0xe3, 0x97, 0x17, 0x4d, 0x76,
 +		0x10, 0x8d, 0x68, 0x4c, 0x94, 0x7d, 0xee, 0x0e, 0x20, 0x8b,
 +		0xce, 0x7d, 0x0a, 0xa3, 0x51, 0xfb, 0xe6, 0xcf, 0xf0, 0x0e,
 +		0x7f, 0x3c, 0xd4, 0xef, 0x56, 0x31, 0xb2, 0x95, 0xf0, 0x5f,
 +		0x4b, 0x9c, 0x03, 0x9e, 0xae, 0xb1, 0xc1, 0x46, 0xd7, 0xc0,
 +		0x4f, 0xb0, 0xf6, 0x6c, 0xe1, 0xe9, 0x2a, 0x97, 0xe0, 0x3f,
 +		0x3a, 0x93, 0x04, 0xcd, 0x41, 0x7d, 0x45, 0x03, 0xb3, 0x40,
 +		0x20, 0xe6, 0xad, 0x2d, 0xd3, 0xf7, 0x32, 0x7b, 0xcc, 0x4f,
 +		0x81, 0x18, 0x4c, 0x50, 0x77, 0xc4, 0xb7, 0x6a, 0x4d, 0x05,
 +		0xd8, 0x6d, 0xbf, 0x6f, 0xba, 0x1d, 0x38, 0x78, 0x87, 0xd2,
 +		0x8e, 0xc2, 0x6d, 0xb6, 0xed, 0x66, 0x61, 0xa8, 0xb9, 0x19,
 +		0x0e, 0x93, 0xd1, 0xcd, 0x5b, 0xbe, 0x19, 0x05, 0x52, 0x43,
 +		0xd6, 0xc1, 0x07, 0x3c, 0x6a, 0x62, 0xbd, 0x33, 0x9b, 0x1b,
 +		0x02, 0x42, 0x61, 0x14,
 +	};
 	gnutls_pk_params_init(&priv);
 	gnutls_pk_params_init(&pub);
 	priv.algo = pub.algo = GNUTLS_PK_DH;
 -	ret = _gnutls_mpi_init_scan(&priv.params[DH_P], test_p, sizeof(test_p));
 +	ret = _gnutls_mpi_init_scan(&priv.params[DH_P],
 +				    gnutls_ffdhe_3072_group_prime.data,
 +				    gnutls_ffdhe_3072_group_prime.size);
 	if (ret < 0) {
 		gnutls_assert();
 		goto cleanup;
 	}
 -	ret = _gnutls_mpi_init_scan(&priv.params[DH_G], test_g, sizeof(test_g));
 +	ret = _gnutls_mpi_init_scan(&priv.params[DH_G],
 +				    gnutls_ffdhe_3072_group_generator.data,
 +				    gnutls_ffdhe_3072_group_generator.size);
 	if (ret < 0) {
 		gnutls_assert();
 		goto cleanup;
 diff --git a/lib/dh-primes.c b/lib/dh-primes.c
 index a440b5b98..94b69e345 100644
 --- a/lib/dh-primes.c
 +++ b/lib/dh-primes.c
@@ -23,8 +23,6 @@
 #include "gnutls_int.h"
 #include <gnutls/gnutls.h>
 -#if defined(ENABLE_DHE) || defined(ENABLE_ANON)
 -
 #include "dh.h"
 static const unsigned char ffdhe_generator = 0x02;
@@ -1934,5 +1932,3 @@ _gnutls_dh_prime_match_fips_approved(const uint8_t *prime,
 	return 0;
 }
 -
 -#endif
 -- 
 2.26.2
--- a/gnutls-3.6.14-fips-kdf-selftests.patch
+++ b/gnutls-3.6.14-fips-kdf-selftests.patch
@ -0,0 +1,713 @@
 From 93c0e3ba4d2cfee86b32f28f33303a2193c4133c Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Mon, 5 Oct 2020 16:12:46 +0200
 Subject: [PATCH 1/4] fips: add self-tests for HKDF
 FIPS140-2 IG D.8 mandates self-test on approved KDF algorithms.  As
 the guidance only requires running a single instance of each KDF
 mechanism, this only exercises HKDF-Extract and HKDF-Expand operations
 with HMAC-SHA-256 as the underlying MAC.
 Although HKDF is non-approved, it would be sensible to do that as it
 will be approved in FIPS140-3.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 ---
 devel/libgnutls-latest-x86_64.abi |   1 +
 lib/crypto-selftests.c            | 159 ++++++++++++++++++++++++++++++
 lib/fips.c                        |   7 ++
 lib/includes/gnutls/self-test.h   |   1 +
 lib/libgnutls.map                 |   1 +
 5 files changed, 169 insertions(+)
 diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c
 index 7a1c7729c..bd148b6af 100644
 --- a/lib/crypto-selftests.c
 +++ b/lib/crypto-selftests.c
@@ -2917,3 +2917,162 @@ int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest)
 	return 0;
 }
 +
 +struct hkdf_vectors_st {
 +	const uint8_t *ikm;
 +	unsigned int ikm_size;
 +	const uint8_t *salt;
 +	unsigned int salt_size;
 +	const uint8_t *prk;
 +	unsigned int prk_size;
 +	const uint8_t *info;
 +	unsigned int info_size;
 +	const uint8_t *okm;
 +	unsigned int okm_size;
 +};
 +
 +const struct hkdf_vectors_st hkdf_sha256_vectors[] = {
 +	/* RFC 5869: A.1. Test Case 1: Basic test case with SHA-256 */
 +	{
 +		STR(ikm, ikm_size,
 +		    "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
 +		    "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"),
 +		STR(salt, salt_size,
 +		    "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c"),
 +		STR(prk, prk_size,
 +		    "\x07\x77\x09\x36\x2c\x2e\x32\xdf\x0d\xdc\x3f\x0d\xc4\x7b"
 +		    "\xba\x63\x90\xb6\xc7\x3b\xb5\x0f\x9c\x31\x22\xec\x84\x4a"
 +		    "\xd7\xc2\xb3\xe5"),
 +		STR(info, info_size,
 +		    "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9"),
 +		STR(okm, okm_size,
 +		    "\x3c\xb2\x5f\x25\xfa\xac\xd5\x7a\x90\x43\x4f\x64\xd0\x36"
 +		    "\x2f\x2a\x2d\x2d\x0a\x90\xcf\x1a\x5a\x4c\x5d\xb0\x2d\x56"
 +		    "\xec\xc4\xc5\xbf\x34\x00\x72\x08\xd5\xb8\x87\x18\x58\x65"),
 +	},
 +	/* RFC 5869: A.2. Test Case 2: Test with SHA-256 and longer inputs/outputs */
 +	{
 +		STR(ikm, ikm_size,
 +		    "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d"
 +		    "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b"
 +		    "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29"
 +		    "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37"
 +		    "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45"
 +		    "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"),
 +		STR(salt, salt_size,
 +		    "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d"
 +		    "\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b"
 +		    "\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89"
 +		    "\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97"
 +		    "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5"
 +		    "\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"),
 +		STR(prk, prk_size,
 +		    "\x06\xa6\xb8\x8c\x58\x53\x36\x1a\x06\x10\x4c\x9c\xeb\x35"
 +		    "\xb4\x5c\xef\x76\x00\x14\x90\x46\x71\x01\x4a\x19\x3f\x40"
 +		    "\xc1\x5f\xc2\x44"),
 +		STR(info, info_size,
 +		    "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd"
 +		    "\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb"
 +		    "\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9"
 +		    "\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7"
 +		    "\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5"
 +		    "\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"),
 +		STR(okm, okm_size,
 +		    "\xb1\x1e\x39\x8d\xc8\x03\x27\xa1\xc8\xe7\xf7\x8c\x59\x6a"
 +		    "\x49\x34\x4f\x01\x2e\xda\x2d\x4e\xfa\xd8\xa0\x50\xcc\x4c"
 +		    "\x19\xaf\xa9\x7c\x59\x04\x5a\x99\xca\xc7\x82\x72\x71\xcb"
 +		    "\x41\xc6\x5e\x59\x0e\x09\xda\x32\x75\x60\x0c\x2f\x09\xb8"
 +		    "\x36\x77\x93\xa9\xac\xa3\xdb\x71\xcc\x30\xc5\x81\x79\xec"
 +		    "\x3e\x87\xc1\x4c\x01\xd5\xc1\xf3\x43\x4f\x1d\x87"),
 +	},
 +};
 +
 +static int test_hkdf(gnutls_mac_algorithm_t mac,
 +		     const struct hkdf_vectors_st *vectors,
 +		     size_t vectors_size, unsigned flags)
 +{
 +	unsigned int i;
 +
 +	for (i = 0; i < vectors_size; i++) {
 +		gnutls_datum_t ikm, prk, salt, info;
 +		uint8_t output[4096];
 +		int ret;
 +
 +		ikm.data = (void *) vectors[i].ikm;
 +		ikm.size = vectors[i].ikm_size;
 +		salt.data = (void *) vectors[i].salt;
 +		salt.size = vectors[i].salt_size;
 +
 +		ret = gnutls_hkdf_extract(mac, &ikm, &salt, output);
 +		if (ret < 0) {
 +			_gnutls_debug_log("error extracting HKDF: MAC-%s\n",
 +					  gnutls_mac_get_name(mac));
 +			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 +		}
 +
 +		if (memcmp(output, vectors[i].prk, vectors[i].prk_size) != 0) {
 +			_gnutls_debug_log
 +			    ("HKDF extract: MAC-%s test vector failed!\n",
 +			     gnutls_mac_get_name(mac));
 +
 +			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 +		}
 +
 +		prk.data = (void *) vectors[i].prk;
 +		prk.size = vectors[i].prk_size;
 +		info.data = (void *) vectors[i].info;
 +		info.size = vectors[i].info_size;
 +
 +		ret = gnutls_hkdf_expand(mac, &prk, &info,
 +					 output, vectors[i].okm_size);
 +		if (ret < 0) {
 +			_gnutls_debug_log("error extracting HKDF: MAC-%s\n",
 +					  gnutls_mac_get_name(mac));
 +			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 +		}
 +
 +		if (memcmp(output, vectors[i].okm, vectors[i].okm_size) != 0) {
 +			_gnutls_debug_log
 +			    ("HKDF expand: MAC-%s test vector failed!\n",
 +			     gnutls_mac_get_name(mac));
 +
 +			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 +		}
 +	}
 +
 +	_gnutls_debug_log
 +	    ("HKDF: MAC-%s self check succeeded\n",
 +	     gnutls_mac_get_name(mac));
 +
 +	return 0;
 +}
 +
 +/*-
 + * gnutls_hkdf_self_test:
 + * @flags: GNUTLS_SELF_TEST_FLAG flags
 + * @mac: the message authentication algorithm to use
 + *
 + * This function will run self tests on HKDF with the provided mac.
 + *
 + * Returns: Zero or a negative error code on error.
 + *
 + * Since: 3.3.0-FIPS140
 + -*/
 +int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
 +{
 +	int ret;
 +
 +	if (flags & GNUTLS_SELF_TEST_FLAG_ALL)
 +		mac = GNUTLS_MAC_UNKNOWN;
 +
 +	switch (mac) {
 +	case GNUTLS_MAC_UNKNOWN:
 +		CASE(GNUTLS_MAC_SHA256, test_hkdf, hkdf_sha256_vectors);
 +
 +		break;
 +	default:
 +		return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST);
 +	}
 +
 +	return 0;
 +}
 diff --git a/lib/fips.c b/lib/fips.c
 index f8b10f750..48891ed57 100644
 --- a/lib/fips.c
 +++ b/lib/fips.c
@@ -423,6 +423,13 @@ int _gnutls_fips_perform_self_checks2(void)
 		goto error;
 	}
 +	/* HKDF */
 +	ret = gnutls_hkdf_self_test(0, GNUTLS_MAC_SHA256);
 +	if (ret < 0) {
 +		gnutls_assert();
 +		goto error;
 +	}
 +
 	if (_gnutls_rnd_ops.self_test == NULL) {
 		gnutls_assert();
 		goto error;
 diff --git a/lib/includes/gnutls/self-test.h b/lib/includes/gnutls/self-test.h
 index aacbe94ca..9b7be8159 100644
 --- a/lib/includes/gnutls/self-test.h
 +++ b/lib/includes/gnutls/self-test.h
@@ -34,5 +34,6 @@ int gnutls_cipher_self_test(unsigned flags, gnutls_cipher_algorithm_t cipher);
 int gnutls_mac_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
 int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest);
 int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk);
 +int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
 #endif
 diff --git a/lib/libgnutls.map b/lib/libgnutls.map
 index 61276e534..386b66f83 100644
 --- a/lib/libgnutls.map
 +++ b/lib/libgnutls.map
@@ -1347,6 +1347,7 @@ GNUTLS_FIPS140_3_4 {
 	gnutls_pk_self_test;
 	gnutls_mac_self_test;
 	gnutls_digest_self_test;
 +	gnutls_hkdf_self_test;
 	#for FIPS140-2 validation
 	drbg_aes_reseed;
 	drbg_aes_init;
 -- 
 2.26.2
 From 31cc94275cd267f4e0db60999cc932fd76d43d5a Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Mon, 5 Oct 2020 16:59:50 +0200
 Subject: [PATCH 2/4] fips: add self-tests for PBKDF2
 FIPS140-2 IG D.8 mandates self-tests on approved KDF algorithms.  As
 the guidance only requires running a single instance of each KDF
 mechanism, this only exercises PBKDF2 with HMAC-SHA-256 as the
 underlying MAC algorithm.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 ---
 devel/libgnutls-latest-x86_64.abi |   1 +
 lib/crypto-selftests.c            | 107 ++++++++++++++++++++++++++++++
 lib/fips.c                        |   7 ++
 lib/includes/gnutls/self-test.h   |   1 +
 lib/libgnutls.map                 |   1 +
 5 files changed, 117 insertions(+)
 diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c
 index bd148b6af..c4b0bd207 100644
 --- a/lib/crypto-selftests.c
 +++ b/lib/crypto-selftests.c
@@ -3076,3 +3076,110 @@ int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
 	return 0;
 }
 +
 +struct pbkdf2_vectors_st {
 +	const uint8_t *key;
 +	size_t key_size;
 +	const uint8_t *salt;
 +	size_t salt_size;
 +	unsigned iter_count;
 +	const uint8_t *output;
 +	size_t output_size;
 +};
 +
 +const struct pbkdf2_vectors_st pbkdf2_sha256_vectors[] = {
 +	/* RFC 7914: 11. Test Vectors for PBKDF2 with HMAC-SHA-256 */
 +	{
 +		STR(key, key_size, "passwd"),
 +		STR(salt, salt_size, "salt"),
 +		.iter_count = 1,
 +		STR(output, output_size,
 +		    "\x55\xac\x04\x6e\x56\xe3\x08\x9f\xec\x16\x91\xc2\x25\x44"
 +		    "\xb6\x05\xf9\x41\x85\x21\x6d\xde\x04\x65\xe6\x8b\x9d\x57"
 +		    "\xc2\x0d\xac\xbc\x49\xca\x9c\xcc\xf1\x79\xb6\x45\x99\x16"
 +		    "\x64\xb3\x9d\x77\xef\x31\x7c\x71\xb8\x45\xb1\xe3\x0b\xd5"
 +		    "\x09\x11\x20\x41\xd3\xa1\x97\x83"),
 +	},
 +	/* RFC 7914: 11. Test Vectors for PBKDF2 with HMAC-SHA-256 */
 +	{
 +		STR(key, key_size, "Password"),
 +		STR(salt, salt_size, "NaCl"),
 +		.iter_count = 80000,
 +		STR(output, output_size,
 +		    "\x4d\xdc\xd8\xf6\x0b\x98\xbe\x21\x83\x0c\xee\x5e\xf2\x27"
 +		    "\x01\xf9\x64\x1a\x44\x18\xd0\x4c\x04\x14\xae\xff\x08\x87"
 +		    "\x6b\x34\xab\x56\xa1\xd4\x25\xa1\x22\x58\x33\x54\x9a\xdb"
 +		    "\x84\x1b\x51\xc9\xb3\x17\x6a\x27\x2b\xde\xbb\xa1\xd0\x78"
 +		    "\x47\x8f\x62\xb3\x97\xf3\x3c\x8d"),
 +	},
 +};
 +
 +static int test_pbkdf2(gnutls_mac_algorithm_t mac,
 +		       const struct pbkdf2_vectors_st *vectors,
 +		       size_t vectors_size, unsigned flags)
 +{
 +	unsigned int i;
 +
 +	for (i = 0; i < vectors_size; i++) {
 +		gnutls_datum_t key, salt;
 +		uint8_t output[4096];
 +		int ret;
 +
 +		key.data = (void *) vectors[i].key;
 +		key.size = vectors[i].key_size;
 +		salt.data = (void *) vectors[i].salt;
 +		salt.size = vectors[i].salt_size;
 +
 +		ret = gnutls_pbkdf2(mac, &key, &salt, vectors[i].iter_count,
 +				    output, vectors[i].output_size);
 +		if (ret < 0) {
 +			_gnutls_debug_log("error calculating PBKDF2: MAC-%s\n",
 +					  gnutls_mac_get_name(mac));
 +			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 +		}
 +
 +		if (memcmp(output, vectors[i].output, vectors[i].output_size) != 0) {
 +			_gnutls_debug_log
 +			    ("PBKDF2: MAC-%s test vector failed!\n",
 +			     gnutls_mac_get_name(mac));
 +
 +			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 +		}
 +	}
 +
 +	_gnutls_debug_log
 +	    ("PBKDF2: MAC-%s self check succeeded\n",
 +	     gnutls_mac_get_name(mac));
 +
 +	return 0;
 +}
 +
 +/*-
 + * gnutls_pbkdf2_self_test:
 + * @flags: GNUTLS_SELF_TEST_FLAG flags
 + * @mac: the message authentication algorithm to use
 + *
 + * This function will run self tests on PBKDF2 with the provided mac.
 + *
 + * Returns: Zero or a negative error code on error.
 + *
 + * Since: 3.3.0-FIPS140
 + -*/
 +int gnutls_pbkdf2_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
 +{
 +	int ret;
 +
 +	if (flags & GNUTLS_SELF_TEST_FLAG_ALL)
 +		mac = GNUTLS_MAC_UNKNOWN;
 +
 +	switch (mac) {
 +	case GNUTLS_MAC_UNKNOWN:
 +		CASE(GNUTLS_MAC_SHA256, test_pbkdf2, pbkdf2_sha256_vectors);
 +
 +		break;
 +	default:
 +		return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST);
 +	}
 +
 +	return 0;
 +}
 diff --git a/lib/fips.c b/lib/fips.c
 index 48891ed57..7cfab1049 100644
 --- a/lib/fips.c
 +++ b/lib/fips.c
@@ -430,6 +430,13 @@ int _gnutls_fips_perform_self_checks2(void)
 		goto error;
 	}
 +	/* PBKDF2 */
 +	ret = gnutls_pbkdf2_self_test(0, GNUTLS_MAC_SHA256);
 +	if (ret < 0) {
 +		gnutls_assert();
 +		goto error;
 +	}
 +
 	if (_gnutls_rnd_ops.self_test == NULL) {
 		gnutls_assert();
 		goto error;
 diff --git a/lib/includes/gnutls/self-test.h b/lib/includes/gnutls/self-test.h
 index 9b7be8159..958c0da8f 100644
 --- a/lib/includes/gnutls/self-test.h
 +++ b/lib/includes/gnutls/self-test.h
@@ -35,5 +35,6 @@ int gnutls_mac_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
 int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest);
 int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk);
 int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
 +int gnutls_pbkdf2_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
 #endif
 diff --git a/lib/libgnutls.map b/lib/libgnutls.map
 index 386b66f83..f5537a386 100644
 --- a/lib/libgnutls.map
 +++ b/lib/libgnutls.map
@@ -1348,6 +1348,7 @@ GNUTLS_FIPS140_3_4 {
 	gnutls_mac_self_test;
 	gnutls_digest_self_test;
 	gnutls_hkdf_self_test;
 +	gnutls_pbkdf2_self_test;
 	#for FIPS140-2 validation
 	drbg_aes_reseed;
 	drbg_aes_init;
 -- 
 2.26.2
 From d1a3235e8c829855969d00364d8b5456fce2c78c Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Mon, 5 Oct 2020 17:44:30 +0200
 Subject: [PATCH 3/4] fips: add self-tests for TLS-PRF
 FIPS140-2 IG D.8 mandates self-tests on approved KDF algorithms.  As
 the guidance only requires to run a single instance of each KDF
 mechanism, this only exercises TLS1.2 PRF with HMAC-SHA-256 as the
 underlying MAC algorithm.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 ---
 devel/libgnutls-latest-x86_64.abi |   1 +
 lib/crypto-selftests.c            | 196 ++++++++++++++++++++++++++++++
 lib/fips.c                        |   7 ++
 lib/includes/gnutls/self-test.h   |   1 +
 lib/libgnutls.map                 |   1 +
 5 files changed, 206 insertions(+)
 diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c
 index c4b0bd207..b740936d6 100644
 --- a/lib/crypto-selftests.c
 +++ b/lib/crypto-selftests.c
@@ -3183,3 +3183,199 @@ int gnutls_pbkdf2_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
 	return 0;
 }
 +
 +struct tlsprf_vectors_st {
 +	const uint8_t *key;
 +	size_t key_size;
 +	const uint8_t *label;
 +	size_t label_size;
 +	const uint8_t *seed;
 +	size_t seed_size;
 +	const uint8_t *output;
 +	size_t output_size;
 +};
 +
 +const struct tlsprf_vectors_st tls10prf_vectors[] = {
 +	/* tests/tls10-prf.c: test1 */
 +	{
 +		STR(key, key_size,
 +		    "\x26\x3b\xdb\xbb\x6f\x6d\x4c\x66\x4e\x05\x8d\x0a\xa9\xd3"
 +		    "\x21\xbe"),
 +		STR(label, label_size,
 +		    "test label"),
 +		STR(seed, seed_size,
 +		    "\xb9\x20\x57\x3b\x19\x96\x01\x02\x4f\x04\xd6\xdc\x61\x96"
 +		    "\x6e\x65"),
 +		STR(output, output_size,
 +		    "\x66\x17\x99\x37\x65\xfa\x6c\xa7\x03\xd1\x9e\xc7\x0d\xd5"
 +		    "\xdd\x16\x0f\xfc\xc0\x77\x25\xfa\xfb\x71\x4a\x9f\x81\x5a"
 +		    "\x2a\x30\xbf\xb7\xe3\xbb\xfb\x7e\xee\x57\x4b\x3b\x61\x3e"
 +		    "\xb7\xfe\x80\xee\xc9\x69\x1d\x8c\x1b\x0e\x2d\x9b\x3c\x8b"
 +		    "\x4b\x02\xb6\xb6\xd6\xdb\x88\xe2\x09\x46\x23\xef\x62\x40"
 +		    "\x60\x7e\xda\x7a\xbe\x3c\x84\x6e\x82\xa3"),
 +	},
 +};
 +
 +const struct tlsprf_vectors_st tls12prf_sha256_vectors[] = {
 +	/* tests/tls12-prf.c: sha256_test1 */
 +	{
 +		STR(key, key_size,
 +		    "\x04\x50\xb0\xea\x9e\xcd\x36\x02\xee\x0d\x76\xc5\xc3\xc8"
 +		    "\x6f\x4a"),
 +		STR(label, label_size,
 +		    "test label"),
 +		STR(seed, seed_size,
 +		    "\x20\x7a\xcc\x02\x54\xb8\x67\xf5\xb9\x25\xb4\x5a\x33\x60"
 +		    "\x1d\x8b"),
 +		STR(output, output_size,
 +		    "\xae\x67\x9e\x0e\x71\x4f\x59\x75\x76\x37\x68\xb1\x66\x97"
 +		    "\x9e\x1d"),
 +	},
 +	/* tests/tls12-prf.c: sha256_test2 */
 +	{
 +		STR(key, key_size,
 +		    "\x34\x20\x4a\x9d\xf0\xbe\x6e\xb4\xe9\x25\xa8\x02\x7c\xf6"
 +		    "\xc6\x02"),
 +		STR(label, label_size,
 +		    "test label"),
 +		STR(seed, seed_size,
 +		    "\x98\xb2\xc4\x0b\xcd\x66\x4c\x83\xbb\x92\x0c\x18\x20\x1a"
 +		    "\x63\x95"),
 +		STR(output, output_size,
 +		    "\xaf\xa9\x31\x24\x53\xc2\x2f\xa8\x3d\x2b\x51\x1b\x37\x2d"
 +		    "\x73\xa4\x02\xa2\xa6\x28\x73\x23\x9a\x51\xfa\xde\x45\x08"
 +		    "\x2f\xaf\x3f\xd2\xbb\x7f\xfb\x3e\x9b\xf3\x6e\x28\xb3\x14"
 +		    "\x1a\xab\xa4\x84\x00\x53\x32\xa9\xf9\xe3\x88\xa4\xd3\x29"
 +		    "\xf1\x58\x7a\x4b\x31\x7d\xa0\x77\x08\xea\x1b\xa9\x5a\x53"
 +		    "\xf8\x78\x67\x24\xbd\x83\xce\x4b\x03\xaf"),
 +	},
 +	/* tests/tls12-prf.c: sha256_test3 */
 +	{
 +		STR(key, key_size,
 +		    "\xa3\x69\x1a\xa1\xf6\x81\x4b\x80\x59\x2b\xf1\xcf\x2a\xcf"
 +		    "\x16\x97"),
 +		STR(label, label_size,
 +		    "test label"),
 +		STR(seed, seed_size,
 +		    "\x55\x23\xd4\x1e\x32\x0e\x69\x4d\x0c\x1f\xf5\x73\x4d\x83"
 +		    "\x0b\x93\x3e\x46\x92\x70\x71\xc9\x26\x21"),
 +		STR(output, output_size,
 +		    "\x6a\xd0\x98\x4f\xa0\x6f\x78\xfe\x16\x1b\xd4\x6d\x7c\x26"
 +		    "\x1d\xe4\x33\x40\xd7\x28\xdd\xdc\x3d\x0f\xf0\xdd\x7e\x0d"),
 +	},
 +	/* tests/tls12-prf.c: sha256_test4 */
 +	{
 +		STR(key, key_size,
 +		    "\x21\x0e\xc9\x37\x06\x97\x07\xe5\x46\x5b\xc4\x6b\xf7\x79"
 +		    "\xe1\x04\x10\x8b\x18\xfd\xb7\x93\xbe\x7b\x21\x8d\xbf\x14"
 +		    "\x5c\x86\x41\xf3"),
 +		STR(label, label_size,
 +		    "test label"),
 +		STR(seed, seed_size,
 +		    "\x1e\x35\x1a\x0b\xaf\x35\xc7\x99\x45\x92\x43\x94\xb8\x81"
 +		    "\xcf\xe3\x1d\xae\x8f\x1c\x1e\xd5\x4d\x3b"),
 +		STR(output, output_size,
 +		    "\x76\x53\xfa\x80\x9c\xde\x3b\x55\x3c\x4a\x17\xe2\xcd\xbc"
 +		    "\xc9\x18\xf3\x65\x27\xf2\x22\x19\xa7\xd7\xf9\x5d\x97\x24"
 +		    "\x3f\xf2\xd5\xde\xe8\x26\x5e\xf0\xaf\x03"),
 +	},
 +};
 +
 +const struct tlsprf_vectors_st tls12prf_sha384_vectors[] = {
 +	/* tests/tls12-prf.c: sha384_test1
 +	 * https://www.ietf.org/mail-archive/web/tls/current/msg03416.html
 +	 */
 +	{
 +		STR(key, key_size,
 +		    "\xb8\x0b\x73\x3d\x6c\xee\xfc\xdc\x71\x56\x6e\xa4\x8e\x55"
 +		    "\x67\xdf"),
 +		STR(label, label_size,
 +		    "test label"),
 +		STR(seed, seed_size,
 +		    "\xcd\x66\x5c\xf6\xa8\x44\x7d\xd6\xff\x8b\x27\x55\x5e\xdb"
 +		    "\x74\x65"),
 +		STR(output, output_size,
 +		    "\x7b\x0c\x18\xe9\xce\xd4\x10\xed\x18\x04\xf2\xcf\xa3\x4a"
 +		    "\x33\x6a\x1c\x14\xdf\xfb\x49\x00\xbb\x5f\xd7\x94\x21\x07"
 +		    "\xe8\x1c\x83\xcd\xe9\xca\x0f\xaa\x60\xbe\x9f\xe3\x4f\x82"
 +		    "\xb1\x23\x3c\x91\x46\xa0\xe5\x34\xcb\x40\x0f\xed\x27\x00"
 +		    "\x88\x4f\x9d\xc2\x36\xf8\x0e\xdd\x8b\xfa\x96\x11\x44\xc9"
 +		    "\xe8\xd7\x92\xec\xa7\x22\xa7\xb3\x2f\xc3\xd4\x16\xd4\x73"
 +		    "\xeb\xc2\xc5\xfd\x4a\xbf\xda\xd0\x5d\x91\x84\x25\x9b\x5b"
 +		    "\xf8\xcd\x4d\x90\xfa\x0d\x31\xe2\xde\xc4\x79\xe4\xf1\xa2"
 +		    "\x60\x66\xf2\xee\xa9\xa6\x92\x36\xa3\xe5\x26\x55\xc9\xe9"
 +		    "\xae\xe6\x91\xc8\xf3\xa2\x68\x54\x30\x8d\x5e\xaa\x3b\xe8"
 +		    "\x5e\x09\x90\x70\x3d\x73\xe5\x6f"),
 +	},
 +};
 +
 +static int test_tlsprf(gnutls_mac_algorithm_t mac,
 +		       const struct tlsprf_vectors_st *vectors,
 +		       size_t vectors_size, unsigned flags)
 +{
 +	unsigned int i;
 +
 +	for (i = 0; i < vectors_size; i++) {
 +		char output[4096];
 +		int ret;
 +
 +		ret = _gnutls_prf_raw(mac,
 +				      vectors[i].key_size, vectors[i].key,
 +				      vectors[i].label_size, (const char *)vectors[i].label,
 +				      vectors[i].seed_size, vectors[i].seed,
 +				      vectors[i].output_size, output);
 +		if (ret < 0) {
 +			_gnutls_debug_log("error calculating TLS-PRF: MAC-%s\n",
 +					  gnutls_mac_get_name(mac));
 +			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 +		}
 +
 +		if (memcmp(output, vectors[i].output, vectors[i].output_size) != 0) {
 +			_gnutls_debug_log
 +			    ("TLS-PRF: MAC-%s test vector failed!\n",
 +			     gnutls_mac_get_name(mac));
 +
 +			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 +		}
 +	}
 +
 +	_gnutls_debug_log
 +	    ("TLS-PRF: MAC-%s self check succeeded\n",
 +	     gnutls_mac_get_name(mac));
 +
 +	return 0;
 +}
 +
 +/*-
 + * gnutls_tlsprf_self_test:
 + * @flags: GNUTLS_SELF_TEST_FLAG flags
 + * @mac: the message authentication algorithm to use
 + *
 + * This function will run self tests on TLS-PRF with the provided mac.
 + *
 + * Returns: Zero or a negative error code on error.
 + *
 + * Since: 3.3.0-FIPS140
 + -*/
 +int gnutls_tlsprf_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
 +{
 +	int ret;
 +
 +	if (flags & GNUTLS_SELF_TEST_FLAG_ALL)
 +		mac = GNUTLS_MAC_UNKNOWN;
 +
 +	switch (mac) {
 +	case GNUTLS_MAC_UNKNOWN:
 +		NON_FIPS_CASE(GNUTLS_MAC_MD5_SHA1, test_tlsprf, tls10prf_vectors);
 +		FALLTHROUGH;
 +		CASE(GNUTLS_MAC_SHA256, test_tlsprf, tls12prf_sha256_vectors);
 +		FALLTHROUGH;
 +		CASE(GNUTLS_MAC_SHA384, test_tlsprf, tls12prf_sha384_vectors);
 +
 +		break;
 +	default:
 +		return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST);
 +	}
 +
 +	return 0;
 +}
 diff --git a/lib/fips.c b/lib/fips.c
 index 7cfab1049..30d396b2c 100644
 --- a/lib/fips.c
 +++ b/lib/fips.c
@@ -437,6 +437,13 @@ int _gnutls_fips_perform_self_checks2(void)
 		goto error;
 	}
 +	/* TLS-PRF */
 +	ret = gnutls_tlsprf_self_test(0, GNUTLS_MAC_SHA256);
 +	if (ret < 0) {
 +		gnutls_assert();
 +		goto error;
 +	}
 +
 	if (_gnutls_rnd_ops.self_test == NULL) {
 		gnutls_assert();
 		goto error;
 diff --git a/lib/includes/gnutls/self-test.h b/lib/includes/gnutls/self-test.h
 index 958c0da8f..88b5a8dbf 100644
 --- a/lib/includes/gnutls/self-test.h
 +++ b/lib/includes/gnutls/self-test.h
@@ -36,5 +36,6 @@ int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest);
 int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk);
 int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
 int gnutls_pbkdf2_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
 +int gnutls_tlsprf_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
 #endif
 diff --git a/lib/libgnutls.map b/lib/libgnutls.map
 index f5537a386..643d400a1 100644
 --- a/lib/libgnutls.map
 +++ b/lib/libgnutls.map
@@ -1349,6 +1349,7 @@ GNUTLS_FIPS140_3_4 {
 	gnutls_digest_self_test;
 	gnutls_hkdf_self_test;
 	gnutls_pbkdf2_self_test;
 +	gnutls_tlsprf_self_test;
 	#for FIPS140-2 validation
 	drbg_aes_reseed;
 	drbg_aes_init;
 -- 
 2.26.2
 From af3df0102fc377591a6de3112b034d4a492fc92c Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Mon, 5 Oct 2020 17:59:46 +0200
 Subject: [PATCH 4/4] fips: run CMAC self-tests
 FIPS140-2 IG D.8 mandates self-tests on CMAC.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 ---
 lib/fips.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/lib/fips.c b/lib/fips.c
 index 30d396b2c..51567953d 100644
 --- a/lib/fips.c
 +++ b/lib/fips.c
@@ -398,6 +398,12 @@ int _gnutls_fips_perform_self_checks2(void)
 		goto error;
 	}
 +	ret = gnutls_mac_self_test(0, GNUTLS_MAC_AES_CMAC_256);
 +	if (ret < 0) {
 +		gnutls_assert();
 +		goto error;
 +	}
 +
 	/* PK */
 	ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
 	if (ret < 0) {
 -- 
 2.26.2
--- a/gnutls-3.6.16-doc-p11tool-ckaid.patch
+++ b/gnutls-3.6.16-doc-p11tool-ckaid.patch
@ -0,0 +1,14 @@
 --- gnutls-3.7.2/doc/manpages/p11tool.1	2021-05-29 10:15:22.000000000 +0200
 +++ gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1	2021-06-28 09:35:23.000000000 +0200
@@ -230,8 +230,9 @@
 .NOP \f\*[B-Font]\-\-write\f[]
 Writes the loaded objects to a PKCS #11 token.
 .sp
 -It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
 -    one of \--load-privkey, \--load-pubkey, \--load-certificate option.
 +It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of \--load-privkey, \--load-pubkey, \--load-certificate option.
 +.sp
 +When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
 .TP
 .NOP \f\*[B-Font]\-\-delete\f[]
 Deletes the objects matching the given PKCS #11 URL.
--- a/gnutls-3.6.16-tls12-cert-type.patch
+++ b/gnutls-3.6.16-tls12-cert-type.patch
@ -0,0 +1,125 @@
 From 339bef12f478b3a12c59571c53645e31280baf7e Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Fri, 14 May 2021 15:59:37 +0200
 Subject: [PATCH] cert auth: filter out unsupported cert types from TLS 1.2 CR
 When the server is advertising signature algorithms in TLS 1.2
 CertificateRequest, it shouldn't send certificate_types not backed by
 any of those algorithms.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 ---
 lib/auth/cert.c                         | 76 +++++++++++++++++++++++--
 tests/suite/tls-fuzzer/gnutls-cert.json | 19 +++++++
 2 files changed, 89 insertions(+), 6 deletions(-)
 diff --git a/lib/auth/cert.c b/lib/auth/cert.c
 index 3073a33d3..0b0f04b2b 100644
 --- a/lib/auth/cert.c
 +++ b/lib/auth/cert.c
@@ -64,6 +64,16 @@ typedef enum CertificateSigType { RSA_SIGN = 1, DSA_SIGN = 2, ECDSA_SIGN = 64,
 #endif
 } CertificateSigType;
 +enum CertificateSigTypeFlags {
 +	RSA_SIGN_FLAG = 1,
 +	DSA_SIGN_FLAG = 1 << 1,
 +	ECDSA_SIGN_FLAG = 1 << 2,
 +#ifdef ENABLE_GOST
 +	GOSTR34102012_256_SIGN_FLAG = 1 << 3,
 +	GOSTR34102012_512_SIGN_FLAG = 1 << 4
 +#endif
 +};
 +
 /* Moves data from an internal certificate struct (gnutls_pcert_st) to
  * another internal certificate struct (cert_auth_info_t), and deinitializes
  * the former.
@@ -1281,6 +1291,7 @@ _gnutls_gen_cert_server_cert_req(gnutls_session_t session,
 	uint8_t tmp_data[CERTTYPE_SIZE];
 	const version_entry_st *ver = get_version(session);
 	unsigned init_pos = data->length;
 +	enum CertificateSigTypeFlags flags;
 	if (unlikely(ver == NULL))
 		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
@@ -1297,18 +1308,71 @@ _gnutls_gen_cert_server_cert_req(gnutls_session_t session,
 		return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
 	}
 -	i = 1;
 +	if (_gnutls_version_has_selectable_sighash(ver)) {
 +		size_t j;
 +
 +		flags = 0;
 +		for (j = 0; j < session->internals.priorities->sigalg.size; j++) {
 +			const gnutls_sign_entry_st *se =
 +				session->internals.priorities->sigalg.entry[j];
 +			switch (se->pk) {
 +			case GNUTLS_PK_RSA:
 +			case GNUTLS_PK_RSA_PSS:
 +				flags |= RSA_SIGN_FLAG;
 +				break;
 +			case GNUTLS_PK_DSA:
 +				flags |= DSA_SIGN_FLAG;
 +				break;
 +			case GNUTLS_PK_ECDSA:
 +				flags |= ECDSA_SIGN_FLAG;
 +				break;
 #ifdef ENABLE_GOST
 -	if (_gnutls_kx_is_vko_gost(session->security_parameters.cs->kx_algorithm)) {
 -		tmp_data[i++] = GOSTR34102012_256_SIGN;
 -		tmp_data[i++] = GOSTR34102012_512_SIGN;
 -	} else
 +			case GNUTLS_PK_GOST_12_256:
 +				flags |= GOSTR34102012_256_SIGN_FLAG;
 +				break;
 +			case GNUTLS_PK_GOST_12_512:
 +				flags |= GOSTR34102012_512_SIGN_FLAG;
 +				break;
 +#endif
 +			default:
 +				gnutls_assert();
 +				_gnutls_debug_log(
 +					"%s is unsupported for cert request\n",
 +					gnutls_pk_get_name(se->pk));
 +			}
 +		}
 +
 +	} else {
 +#ifdef ENABLE_GOST
 +		if (_gnutls_kx_is_vko_gost(session->security_parameters.
 +					   cs->kx_algorithm)) {
 +			flags = GOSTR34102012_256_SIGN_FLAG |
 +				GOSTR34102012_512_SIGN_FLAG;
 +		} else
 #endif
 -	{
 +		{
 +			flags = RSA_SIGN_FLAG | DSA_SIGN_FLAG | ECDSA_SIGN_FLAG;
 +		}
 +	}
 +
 +	i = 1;
 +	if (flags & RSA_SIGN_FLAG) {
 		tmp_data[i++] = RSA_SIGN;
 +	}
 +	if (flags & DSA_SIGN_FLAG) {
 		tmp_data[i++] = DSA_SIGN;
 +	}
 +	if (flags & ECDSA_SIGN_FLAG) {
 		tmp_data[i++] = ECDSA_SIGN;
 	}
 +#ifdef ENABLE_GOST
 +	if (flags & GOSTR34102012_256_SIGN_FLAG) {
 +		tmp_data[i++] = GOSTR34102012_256_SIGN;
 +	}
 +	if (flags & GOSTR34102012_512_SIGN_FLAG) {
 +		tmp_data[i++] = GOSTR34102012_512_SIGN;
 +	}
 +#endif
 	tmp_data[0] = i - 1;
 	ret = _gnutls_buffer_append_data(data, tmp_data, i);
 -- 
 2.31.1
--- a/gnutls-3.6.16-trust-ca-sha1.patch
+++ b/gnutls-3.6.16-trust-ca-sha1.patch
@ -0,0 +1,283 @@
 From c2409e479df41620bceac314c76cabb1d35a4075 Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Mon, 3 May 2021 16:35:43 +0200
 Subject: [PATCH] x509/verify: treat SHA-1 signed CA in the trusted set
 differently
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Suppose there is a certificate chain ending with an intermediate CA:
 EE → ICA1 → ICA2.  If the system trust store contains a root CA
 generated with the same key as ICA2 but signed with a prohibited
 algorithm, such as SHA-1, the library previously reported a
 verification failure, though the situation is not uncommon during a
 transition period of root CA.
 This changes the library behavior such that the check on signature
 algorithm will be skipped when examining the trusted root CA.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 ---
 lib/x509/verify.c   |  26 ++++---
 tests/test-chains.h | 165 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 182 insertions(+), 9 deletions(-)
 diff --git a/lib/x509/verify.c b/lib/x509/verify.c
 index fd7c6a164..a50b5ea44 100644
 --- a/lib/x509/verify.c
 +++ b/lib/x509/verify.c
@@ -415,14 +415,19 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
 #define CASE_SEC_PARAM(profile, level) \
 	case profile: \
 		sym_bits = gnutls_sec_param_to_symmetric_bits(level); \
 -		hash = gnutls_sign_get_hash_algorithm(sigalg); \
 -		entry = mac_to_entry(hash); \
 -		if (hash <= 0 || entry == NULL) { \
 +		se = _gnutls_sign_to_entry(sigalg); \
 +		if (unlikely(se == NULL)) { \
 +			_gnutls_cert_log("cert", crt); \
 +			_gnutls_debug_log(#level": certificate's signature algorithm is unknown\n"); \
 +			return gnutls_assert_val(0); \
 +		} \
 +		if (unlikely(se->hash == GNUTLS_DIG_UNKNOWN)) {	\
 			_gnutls_cert_log("cert", crt); \
 			_gnutls_debug_log(#level": certificate's signature hash is unknown\n"); \
 			return gnutls_assert_val(0); \
 		} \
 -		if (_gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
 +		if (!trusted && \
 +		    _gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
 			_gnutls_cert_log("cert", crt); \
 			_gnutls_debug_log(#level": certificate's signature hash strength is unacceptable (is %u bits, needed %u)\n", _gnutls_sign_get_hash_strength(sigalg), sym_bits); \
 			return gnutls_assert_val(0); \
@@ -449,19 +454,22 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
  * @crt: a certificate
  * @issuer: the certificates issuer (allowed to be NULL)
  * @sigalg: the signature algorithm used
 + * @trusted: whether @crt is treated as trusted (e.g., present in the system
 + *           trust list); if it is true, the check on signature algorithm will
 + *           be skipped
  * @flags: the specified verification flags
  */
 static unsigned is_level_acceptable(
 	gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
 -	gnutls_sign_algorithm_t sigalg, unsigned flags)
 +	gnutls_sign_algorithm_t sigalg, bool trusted,
 +	unsigned flags)
 {
 	gnutls_certificate_verification_profiles_t profile = GNUTLS_VFLAGS_TO_PROFILE(flags);
 -	const mac_entry_st *entry;
 	int issuer_pkalg = 0, pkalg, ret;
 	unsigned bits = 0, issuer_bits = 0, sym_bits = 0;
 	gnutls_pk_params_st params;
 	gnutls_sec_param_t sp;
 -	int hash;
 +	const gnutls_sign_entry_st *se;
 	gnutls_certificate_verification_profiles_t min_profile;
 	min_profile = _gnutls_get_system_wide_verification_profile();
@@ -798,7 +806,7 @@ verify_crt(gnutls_x509_crt_t cert,
 	}
 	if (sigalg >= 0 && se) {
 -		if (is_level_acceptable(cert, issuer, sigalg, flags) == 0) {
 +		if (is_level_acceptable(cert, issuer, sigalg, false, flags) == 0) {
 			MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM);
 		}
@@ -893,7 +901,7 @@ unsigned check_ca_sanity(const gnutls_x509_crt_t issuer,
 	/* we explicitly allow CAs which we do not support their self-algorithms
 	 * to pass. */
 -	if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, flags)) {
 +	if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, true, flags)) {
 		status |= GNUTLS_CERT_INSECURE_ALGORITHM|GNUTLS_CERT_INVALID;
 	}
 diff --git a/tests/test-chains.h b/tests/test-chains.h
 index 9b06b85f5..64f50fabf 100644
 --- a/tests/test-chains.h
 +++ b/tests/test-chains.h
@@ -4106,6 +4106,163 @@ static const char *superseding_ca[] = {
 	NULL
 };
 +static const char *rsa_sha1_in_trusted[] = {
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIID0jCCAoqgAwIBAgIUezaBB7f4TW75oc3UV57oJvXmbBYwDQYJKoZIhvcNAQEL\n"
 +	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyNzIxWhcN\n"
 +	"MjIwNTAzMTQyNzIxWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
 +	"BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
 +	"AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
 +	"dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
 +	"Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
 +	"mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
 +	"+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
 +	"CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
 +	"ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
 +	"MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
 +	"ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
 +	"GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
 +	"AAOCATEAXs8lOV231HQerhSGEjZJz0vBuA3biKYlu3cwCTKvF6EOyYMSWOnfqqD0\n"
 +	"eDhpo1pzGtUa2zYLHagb+sU2NSTe0sqP+PK1giUg8X8/tRtWKk1p/m76yK/3iaty\n"
 +	"flgz+eMai4xQu2FvAJzIASFjM9R+Pgpcf/zdvkiUPv8Rdm9FieyAZnJSo9hJHLxN\n"
 +	"x60tfC5yyswdbGGW0GbJ2kr+xMfVZvxgO/x6AXlOaUGQ+jZAu9eJwFQMDW5h5/S1\n"
 +	"PJkIt7f7jkU33cG+BawcjhT0GzxuvDnnCG0L7/z7bR+Sw2kNKqHbHorzv91R20Oh\n"
 +	"CIISJPkiiP+mYcglTp1d9gw09GwSkGbldb9ibfc0hKyxiImFfIiTqDbXJcpKH98o\n"
 +	"W8hWkb20QURlY+QM5MD49znfhPKMTQ==\n"
 +	"-----END CERTIFICATE-----\n",
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIID2TCCAkGgAwIBAgIUWsb4DATcefXbo0WrBfgqVMvPGawwDQYJKoZIhvcNAQEL\n"
 +	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI2\n"
 +	"MzVaFw0yMjA1MDMxNDI2MzVaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
 +	"UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
 +	"g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
 +	"EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
 +	"cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
 +	"sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
 +	"67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
 +	"CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
 +	"AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
 +	"BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
 +	"GctysPWxl+SfMA0GCSqGSIb3DQEBCwUAA4IBgQBbboeDr/rLT1tZWrdHq8FvflGm\n"
 +	"EpxZIRU4DdDD/SUCWSPQvjBq0MvuKxs5FfJCKrDf2kS2qlZ1rO0AuWwREoDeTOEc\n"
 +	"arjFoCry+JQ+USqS5F4gsp4XlYvli27iMp3dlnhFXEQQy7/y+gM5c9wnMi8v/LUz\n"
 +	"AV6QHX0fkb4XeazeJ+Nq0EkjqiYxylN6mP+5LAEMBG/wGviAoviQ5tN9zdoQs/nT\n"
 +	"3jTw3cOauuPjdcOTfo71+/MtBzhPchgNIyQo4aB40XVWsLAoruL/3CFFlTniihtd\n"
 +	"zA2zA7JvbuuKx6BOv2IbWOUweb732ZpYbDgEcXp/6Cj/SIUGxidpEgdCJGqyqdC7\n"
 +	"b58ujxclC6QTcicw+SX5LBox8WGLfj+x+V3uVBz9+EK608xphTj4kLh9peII9v3n\n"
 +	"vBUoZRTiUTCvH4AJJgAfa3mYrSxzueuqBOwXcvZ+8OJ0J1CP21pmK5nxR7f1nm9Q\n"
 +	"sYA1VHfC2dtyAYlByeF5iHl5hFR6vy1jJyzxg2M=\n"
 +	"-----END CERTIFICATE-----\n",
 +	NULL
 +};
 +
 +static const char *rsa_sha1_in_trusted_ca[] = {
 +	/* This CA is generated with the same key as rsa_sha1_in_trusted[1], but
 +	 * self-signed using SHA-1.
 +	 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIDYzCCAhugAwIBAgIUahO8CvYPHTAltKCC2rAIcXUiLlAwDQYJKoZIhvcNAQEF\n"
 +	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyMDM1WhcN\n"
 +	"MjIwNTAzMTQyMDM1WjAZMRcwFQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCCAVIwDQYJ\n"
 +	"KoZIhvcNAQEBBQADggE/ADCCAToCggExAJzkQrF9bp5f/38tnddOeF3biIP9wqlQ\n"
 +	"Wk9x3GuuUhKA8IdCoj7UKDoGS3SmNnKGxrP6I2LTo3LNCp5T2HZrYxIelhIbiVPe\n"
 +	"b+E0HQuDizIhOeniBqtudoWQGx6Ey/OENeA8UFhrs0CvN9Ippe328NlnCHEUPLxR\n"
 +	"rPEs318Ot/jCOhauojAECKj9PFsxpkUcy+cLwoj4QlZKz5sG16AAbm+gALGMFjyQ\n"
 +	"fdTPf5ceYBR+ZPf4j34t7NioNxfDDnKaahWI8Q0p7H4s+njIdfm2FSAKN+u7xlWB\n"
 +	"4oFzBGQthXs5cCB2mc6RKBZWN2uyxSdNMq40PddK/FBPghDE2MxONA9KJQjKOxQP\n"
 +	"UQo3jt21CKGGiHVU1BlhBh1knqMRnovRpJurvgEo/H/otI8XQ9ql7HsCAwEAAaND\n"
 +	"MEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQe\n"
 +	"dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQUFAAOCATEAYLm/4DfUp+mA\n"
 +	"S/23a2bwybJoPCMzKZpi+veXkqoq/a/BCUkFpqnjpVjz0ujVKK121oeOPBAa/mG1\n"
 +	"Y3fJYP+b3PloL/6xj/8680TveGirCr0Rp/8XWa8lt+Ge8DM3mfTGWFTWHa0lD9VK\n"
 +	"gjV1oNZNLe5SKA6dJLAp/NjCxc/vuOkThQPeaoO5Iy/Z6m7CpTLO7T4syJFtDmSn\n"
 +	"Pa/yFUDTgJYFlGVM+KC1r8bhZ6Ao1CAXTcT5Lcbe/aCcyk6B3J2AnYsqPMVNEVhb\n"
 +	"9eMGO/WG24hMLy6eb1r/yL8uQ/uGi2rRlNJN8GTg09YR7l5fHrHxuHc/sme0jsnJ\n"
 +	"wtqGLCJsrh7Ae1fKVUueO00Yx9BGuzLswMvnT5f0oYs0jrXgMrTbIWS/DjOcYIHb\n"
 +	"w3SV1ZRcNg==\n"
 +	"-----END CERTIFICATE-----\n",
 +	NULL
 +};
 +
 +static const char *rsa_sha1_not_in_trusted[] = {
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIID0jCCAoqgAwIBAgIUNCvPV9OvyuVMtnkC3ZAvh959h4MwDQYJKoZIhvcNAQEL\n"
 +	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTA0MDg0NzAzWhcN\n"
 +	"MjIwNTA0MDg0NzAzWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
 +	"BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
 +	"AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
 +	"dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
 +	"Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
 +	"mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
 +	"+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
 +	"CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
 +	"ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
 +	"MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
 +	"ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
 +	"GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
 +	"AAOCATEAWs/Qa1Ebydwo4Ke2KEdy5cUTSZjnoz93XpbrP9W60MJ4d2DIQPcYUcLF\n"
 +	"+glez+mRtVXDRtH5V/4yZX1EdgrPVQGeVlO5HbNiYyYw/Yj3H6kzWtUbBxdOAOE/\n"
 +	"/ul8RCKKMfvYBHCBgjBMW0aFm31Q1Z8m8nanBusyJ0DG1scBHu4/3vTCZthZAxc5\n"
 +	"3l3t/jjsNRS+k5t6Ay8nEY1tAZSGVqN8qufzO2NBO06sQagp09FTfDh581OBcVtF\n"
 +	"X7O0cffAWHk3JoywzEWFEAhVPqFlk07wG2O+k+fYZfavsJko5q+yWkxu8RDh4wAx\n"
 +	"7UzKudGOQ+NhfYJ7N7V1/RFg1z75gE3GTUX7qmGZEVDOsMyiuUeYg8znyYpBV55Q\n"
 +	"4BNr0ukwmwOdvUf+ksCu6PdOGaqThA==\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA with SHA1 signature */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIID2TCCAkGgAwIBAgIUYaKJkQft87M1TF+Jd30py3yIq4swDQYJKoZIhvcNAQEF\n"
 +	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDQwODQ1\n"
 +	"NDdaFw0yMjA1MDQwODQ1NDdaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
 +	"UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
 +	"g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
 +	"EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
 +	"cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
 +	"sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
 +	"67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
 +	"CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
 +	"AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
 +	"BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
 +	"GctysPWxl+SfMA0GCSqGSIb3DQEBBQUAA4IBgQAewBcAGUGX28I5PDtuJkxoHonD\n"
 +	"muHdXpYnrz1YXN4b7odNXockz++Xovgj126fo+PeWgmaaCic98ZcGnyVTi9+3oqN\n"
 +	"2Bf4NNfyzSccgZZTphzbwjMcnc983HLQgsLSAOVivPHj5GEN58EWWamc9yA0VjGn\n"
 +	"cuYmFN2dlFA8/ClEbVGu3UXBe6OljR5zUr+6oiSp2J+Rl7SerVSHlst07iU2tkeB\n"
 +	"dlfOD5CquUGSka3SKvEfvu5SwYrCQVfYB6eMLInm7A0/ca0Jn3Oh4fMf2rIg/E3K\n"
 +	"qsopxsu8BXrLoGK4MxbxPA65JpczhZgilQQi3e3RIvxrvyD2qamjaNbyG5cr8mW4\n"
 +	"VOLf3vUORbkTi5sE7uRMu2B3z3N7ajsuQM8RHB17hOCB2FO/8rermq/oeJNtx57L\n"
 +	"5s5NxCHYTksQ4gkpR4gfTIO/zwXJSwGa/Zi2y2wIi/1qr7lppBsKV2rDWX7QiIeA\n"
 +	"PxOxyJA2eSeqCorz9vk3aHXleSpxsWGgKiJVmV0=\n"
 +	"-----END CERTIFICATE-----\n",
 +	NULL
 +};
 +
 +static const char *rsa_sha1_not_in_trusted_ca[] = {
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIEDTCCAnWgAwIBAgIUd5X8NZput+aNPEd9h92r4KAu16MwDQYJKoZIhvcNAQEL\n"
 +	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI1\n"
 +	"MDNaFw0yMjA1MDMxNDI1MDNaMB4xHDAaBgNVBAMTE0dudVRMUyB0ZXN0IHJvb3Qg\n"
 +	"Q0EwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCsFAaMb/iRN+OFqQNh\n"
 +	"OkkXGZlb+eLerLuB9ELnYwyLIh4MTXh0RjFZdCQLsQHfY/YFv0C50rmoXTA/d3Ef\n"
 +	"K/P243KjX0XBWjO9TBuN0zth50eq94zf69yxA/a+kmT+O5YLfhi2ELM5F3IjOUoZ\n"
 +	"lL0IGlFJwauAkaNylp/Evd5nW7g5DUJvMm4A3RXNfZt9gAD4lPRwryQq9jxT48Xu\n"
 +	"fB0kAPEG/l/Izbz2rYin5+nySL+a0CSNuEbITxidtMhveB747oR0QS2sMQKji1ur\n"
 +	"pRJ945SHiYJIgVuFAJc9StikSyIrxZgK45kAzcQAyRWWKiMNH5PprGFYJp+ypwhm\n"
 +	"1t8Bphj2RFJAG3XRRZF/9uJIYc5mEHCsZFZ/IFRaKqyN30kAUijgNt+lW5mZXVFU\n"
 +	"aqzV2zHjSG8jsGdia3cfBP46Z1q2eAh5jOCucTq1F7qZdVhOFmP9jFE6Uy5Kbwgc\n"
 +	"kNAnsEllQeJQL2odVa7woKkZZ4M/c72X5tpBU38Rs3krn3sCAwEAAaNDMEEwDwYD\n"
 +	"VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQgKVNENacW\n"
 +	"S/gFtxnLcrD1sZfknzANBgkqhkiG9w0BAQsFAAOCAYEAaZMV71mZ9FYoVdpho61h\n"
 +	"WWPs5GppQLJ1w70DNtGZ+lFrk/KopeDvOu1i61QLWRzcZCZMl+npiX1KH5kjVo3v\n"
 +	"C9G8kdMW6EVRk5p6qCJMPFN2U+grMMp50aY5kmw+/v+Lhk5T/VG93l63P91FkUre\n"
 +	"o8qhOudJExoUnR1uB9M6HMAxVn8Lm/N1LGPiP6A6Pboo716H7mg/A7pv9zoZ6jUp\n"
 +	"7x693mA/b3I/QpDx/nJcmcdqxgEuW+aRlFXgnYZRFAawxi+5M9EwCWbkSTO4OMHP\n"
 +	"Qlvak3tJO+wb92b0cICOOtzIPgQ+caiLg9d0FvesALmQzDmNmtqynoO85+Ia2Ywh\n"
 +	"nxKPlpeImhLN9nGl9sOeW2m4mnA5r0h1vgML4v/MWL4TQhXallc31uFNj5HyFaTh\n"
 +	"6Mr0g3GeQgN0jpT+aIOiKuW9fLts54+Ntj1NN40slqi3Y+/Yd6xhj+NgmbRvybZu\n"
 +	"tnYFXKC0Q+QUf38horqG2Mc3/uh8MOm0eYUXwGJOdXYD\n"
 +	"-----END CERTIFICATE-----\n",
 +	NULL
 +};
 +
 #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
 #  pragma GCC diagnostic push
 #  pragma GCC diagnostic ignored "-Wunused-variable"
@@ -4275,6 +4432,14 @@ static struct
   { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
     0, NULL, 1584352960, 1},
   { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 },
 +  { "rsa-sha1 in trusted - ok",
 +    rsa_sha1_in_trusted, rsa_sha1_in_trusted_ca,
 +    GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
 +    0, NULL, 1620052390, 1},
 +  { "rsa-sha1 not in trusted - not ok",
 +    rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
 +    GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
 +    GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
   { NULL, NULL, NULL, 0, 0}
 };
 -- 
 2.31.1
--- a/gnutls-3.6.4-no-now-guile.patch
+++ b/gnutls-3.6.4-no-now-guile.patch
@ -0,0 +1,13 @@
 diff --git a/guile/src/Makefile.in b/guile/src/Makefile.in
 index 95e1e9c..1dfc88e 100644
 --- a/guile/src/Makefile.in
 +++ b/guile/src/Makefile.in
@@ -1483,7 +1483,7 @@ guileextension_LTLIBRARIES = guile-gnutls-v-2.la
 # Use '-module' to build a "dlopenable module", in Libtool terms.
 # Use '-undefined' to placate Libtool on Windows; see
 # <https://lists.gnutls.org/pipermail/gnutls-devel/2014-December/007294.html>.
 -guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined
 +guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined -Wl,-z,lazy
 # Linking against GnuTLS.
 GNUTLS_CORE_LIBS = $(top_builddir)/lib/libgnutls.la
--- a/gnutls.spec
+++ b/gnutls.spec
--- a/3
+++ b/3
@ -0,0 +1,3 @@
 SHA512 (gnutls-3.6.16.tar.xz) = 72c78d7fcb024393c1d15f2a1856608ae4460ba43cc5bbbb4c29b80508cae6cb822df4638029de2363437d110187e0a3cc19a7288c3b2f44b2f648399a028438
 SHA512 (gnutls-3.6.16.tar.xz.sig) = 1345c94efd8cbcc5df334ba685d0e5f9b87287888f392d14698c8eadbc07a57cc2f34f82e9298e9539636dde6f2cb25fca414972e5f5090e553808ba4d7c9c23
 SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173