20 changed files with 10981 additions and 1179 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
-SOURCES/gnutls-3.6.8.tar.xz
-SOURCES/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+SOURCES/gnutls-3.6.16.tar.xz
+SOURCES/gnutls-3.6.16.tar.xz.sig
+SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
--- a/.gnutls.metadata
+++ b/.gnutls.metadata
@ -1,2 +1,3 @@
-e1243188791af409bca118d31faf3ec3d5f0a5ab SOURCES/gnutls-3.6.8.tar.xz
-e6f8a1400839ce7b4021cdd0f8d08d71b0693486 SOURCES/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+6ba8fb898dcf4b4046b60662ba97df835593e687 SOURCES/gnutls-3.6.16.tar.xz
+b41ac56ff6cca4539c8b084db2c84e8bc21d60ac SOURCES/gnutls-3.6.16.tar.xz.sig
+648ec46f9539fe756fb90131b85ae4759ed2ed21 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
--- a/SOURCES/gnutls-3.6.13-enable-intel-cet.patch
+++ b/SOURCES/gnutls-3.6.13-enable-intel-cet.patch
--- a/SOURCES/gnutls-3.6.14-fips-dh-selftests.patch
+++ b/SOURCES/gnutls-3.6.14-fips-dh-selftests.patch
@ -0,0 +1,204 @@
+From f09b7627a63defb1c55e9965fb05e0bbddb90247 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 6 Oct 2020 11:54:21 +0200
+Subject: [PATCH] fips: use larger prime for DH self-tests
+
+According to FIPS140-2 IG 7.5, the minimum key size of FFC through
+2030 is defined as 2048 bits.  This updates the relevant self-test
+using ffdhe3072 defined in RFC 7919.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/crypto-selftests-pk.c | 142 ++++++++++++++++++++++++++++++++++----
+ lib/dh-primes.c           |   4 --
+ 2 files changed, 130 insertions(+), 16 deletions(-)
+
+diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
+index 70b0f618f..9b7c692a8 100644
+--- a/lib/crypto-selftests-pk.c
+++ b/lib/crypto-selftests-pk.c
+@@ -620,32 +620,150 @@ static int test_dh(void)
+ 	gnutls_pk_params_st priv;
+ 	gnutls_pk_params_st pub;
+ 	gnutls_datum_t out = {NULL, 0};
+
+	/* FFDHE 3072 test vector provided by Stephan Mueller in:
+	 * https://gitlab.com/gnutls/gnutls/-/merge_requests/1342#note_424430996
+	 */
+ 	static const uint8_t known_dh_k[] = {
+-		0x10, 0x25, 0x04, 0xb5, 0xc6, 0xc2, 0xcb, 
+-		0x0c, 0xe9, 0xc5, 0x58, 0x0d, 0x22, 0x62};
+-	static const uint8_t test_p[] = {
+-		0x24, 0x85, 0xdd, 0x3a, 0x74, 0x42, 0xe4, 
+-		0xb3, 0xf1, 0x0b, 0x13, 0xf9, 0x17, 0x4d };
+-	static const uint8_t test_g[] = { 0x02 };
+		0xec, 0xb3, 0x85, 0x0c, 0x72, 0x55, 0x55, 0xc2, 0x98, 0x36,
+		0xbe, 0x75, 0x9e, 0xc9, 0x9d, 0x8b, 0x16, 0xa6, 0xe6, 0x84,
+		0x33, 0x12, 0x80, 0x1d, 0xac, 0xde, 0x6a, 0xd7, 0x3b, 0x1e,
+		0x15, 0xca, 0x5d, 0x26, 0xb3, 0x0a, 0x35, 0xf4, 0xbb, 0xad,
+		0x71, 0xcb, 0x03, 0x1a, 0xcb, 0xfb, 0x83, 0xf0, 0xa8, 0xde,
+		0xed, 0x5e, 0x3d, 0x98, 0xd2, 0xb0, 0xef, 0xad, 0xdf, 0x32,
+		0xa0, 0x16, 0x7d, 0x0e, 0x29, 0xd8, 0x85, 0xca, 0x12, 0x97,
+		0x56, 0xab, 0x6a, 0x26, 0xa4, 0x46, 0x3d, 0x87, 0xd7, 0xe0,
+		0xb4, 0x3e, 0x28, 0x75, 0xac, 0x59, 0xc5, 0x71, 0x3a, 0x24,
+		0x15, 0x76, 0x98, 0x72, 0x94, 0x2d, 0xd0, 0x0e, 0xbc, 0x9a,
+		0x77, 0xd4, 0xe2, 0xb2, 0x76, 0x54, 0x4a, 0x56, 0xbe, 0x0b,
+		0x43, 0xf8, 0x21, 0x6f, 0x54, 0x32, 0xde, 0xb7, 0xd5, 0xb7,
+		0x08, 0x00, 0xd2, 0x57, 0x8c, 0x0b, 0x8b, 0x02, 0x3e, 0xdb,
+		0x72, 0x54, 0x3a, 0xc0, 0x50, 0x66, 0xbc, 0xc9, 0x67, 0xf5,
+		0x22, 0x28, 0xf2, 0x3c, 0x51, 0x94, 0x61, 0x26, 0x9a, 0xc6,
+		0x42, 0x0e, 0x8b, 0x42, 0xad, 0x79, 0x40, 0xa9, 0x0b, 0xdc,
+		0x84, 0xd5, 0x71, 0x83, 0x94, 0xd9, 0x83, 0x2f, 0x08, 0x74,
+		0xbc, 0x37, 0x6a, 0x3e, 0x1e, 0xbc, 0xcc, 0x09, 0x23, 0x30,
+		0x79, 0x01, 0x39, 0xf6, 0xe3, 0xa8, 0xc0, 0xfa, 0x7e, 0xdb,
+		0x0b, 0x71, 0x3e, 0x4f, 0x1f, 0x69, 0x84, 0xa6, 0x58, 0x6c,
+		0x36, 0x2c, 0xcc, 0xb4, 0x7c, 0x94, 0xec, 0x06, 0x0b, 0x11,
+		0x53, 0x95, 0xe6, 0x05, 0x43, 0xa4, 0xe4, 0xea, 0x1d, 0x4f,
+		0xdc, 0xd0, 0x38, 0x0e, 0x32, 0xa1, 0xde, 0xd9, 0x8d, 0xd8,
+		0x20, 0xac, 0x04, 0x83, 0xf8, 0x1b, 0x55, 0x52, 0x16, 0x20,
+		0xe3, 0x2e, 0x6d, 0x11, 0x15, 0x29, 0x2f, 0x3a, 0x7c, 0x80,
+		0x0a, 0x71, 0x3d, 0x31, 0x9c, 0x1b, 0x73, 0x59, 0xe1, 0x0d,
+		0x27, 0xc5, 0xc0, 0x6a, 0x72, 0x3a, 0x5b, 0xd6, 0xf6, 0x50,
+		0xe6, 0x69, 0x48, 0x1e, 0xfd, 0xeb, 0x4a, 0x47, 0x73, 0xfb,
+		0x88, 0x14, 0xea, 0x6d, 0x36, 0xe1, 0x4c, 0x2c, 0xf9, 0x04,
+		0xc1, 0xb7, 0x29, 0xfc, 0x5d, 0x02, 0x5d, 0x1c, 0x4d, 0x31,
+		0x4a, 0x51, 0x3f, 0xa4, 0x45, 0x19, 0x29, 0xc4, 0x32, 0xa6,
+		0x45, 0xdb, 0x94, 0x3a, 0xbd, 0x76, 0x2c, 0xd6, 0x1a, 0xb1,
+		0xff, 0xe7, 0x62, 0x75, 0x16, 0xe5, 0x0b, 0xa3, 0x3a, 0x93,
+		0x84, 0xd6, 0xad, 0xc2, 0x24, 0x68, 0x3d, 0xd6, 0x07, 0xe4,
+		0xbe, 0x5a, 0x49, 0x31, 0x06, 0xad, 0x3f, 0x31, 0x4a, 0x1c,
+		0xf7, 0x58, 0xdf, 0x34, 0xcb, 0xc8, 0xa9, 0x07, 0x24, 0x42,
+		0x63, 0xa5, 0x8e, 0xdd, 0x37, 0x78, 0x92, 0x68, 0x3f, 0xd8,
+		0x2f, 0xea, 0x8c, 0xf1, 0x8e, 0xd4, 0x8b, 0xa7, 0x3f, 0xa0,
+		0xfa, 0xaf, 0xf0, 0x35,
+	};
+ 	static const uint8_t test_x[] = {
+-		0x06, 0x2c, 0x96, 0xae, 0x0e, 0x9e, 0x9b, 
+-		0xbb, 0x41, 0x51, 0x7a, 0xa7, 0xc5, 0xfe };
+		0x16, 0x5c, 0xa6, 0xe0, 0x9b, 0x87, 0xfa, 0x2d, 0xbc, 0x13,
+		0x20, 0xcd, 0xac, 0x4e, 0xcc, 0x60, 0x1e, 0x48, 0xec, 0xbe,
+		0x73, 0x0c, 0xa8, 0x6b, 0x6e, 0x2a, 0xee, 0xdd, 0xd8, 0xf3,
+		0x2d, 0x5f, 0x75, 0xf3, 0x07, 0x94, 0x88, 0x3d, 0xb1, 0x38,
+		0xcf, 0xae, 0x4a, 0xcc, 0xcb, 0x6a, 0x80, 0xbc, 0xeb, 0x3b,
+		0xaa, 0x0b, 0x18, 0x74, 0x58, 0x7c, 0x3e, 0x74, 0xef, 0xb6,
+		0xd3, 0x15, 0xee, 0x73, 0x29, 0x88, 0x7b, 0x65, 0x02, 0x39,
+		0x33, 0xec, 0x22, 0x06, 0x8c, 0x5b, 0xd6, 0x2f, 0x4c, 0xf7,
+		0xe0, 0x97, 0x6d, 0x2a, 0x90, 0x36, 0xfe, 0x1a, 0x44, 0x4d,
+		0x9d, 0x41, 0x4b, 0xcb, 0xec, 0x25, 0xf4, 0xc3, 0xa5, 0x91,
+		0xd0, 0x90, 0xc9, 0x34, 0x7b, 0xba, 0x27, 0x30, 0x5a, 0xa2,
+		0x21, 0x58, 0xce, 0x88, 0x25, 0x39, 0xaf, 0xf1, 0x17, 0x02,
+		0x12, 0xf8, 0x55, 0xdc, 0xd2, 0x08, 0x5b, 0xd3, 0xc7, 0x8e,
+		0xcf, 0x29, 0x85, 0x85, 0xdb, 0x5c, 0x08, 0xc2, 0xd7, 0xb0,
+		0x33, 0x0e, 0xe3, 0xb9, 0x2c, 0x1a, 0x1d, 0x4b, 0xe5, 0x76,
+		0x8f, 0xd3, 0x14, 0xb6, 0x8c, 0xdc, 0x9a, 0xe8, 0x15, 0x60,
+		0x60, 0x5e, 0xaa, 0xf9, 0xfa, 0xa6, 0xb2, 0x4f, 0xff, 0x46,
+		0xc1, 0x5e, 0x93, 0x50, 0x90, 0x7e, 0x4c, 0x26, 0xd7, 0xbb,
+		0x21, 0x05, 0x3d, 0x27, 0xc5, 0x9b, 0x0d, 0x46, 0x69, 0xe4,
+		0x74, 0x87, 0x74, 0x55, 0xee, 0x5f, 0xe5, 0x72, 0x04, 0x46,
+		0x1f, 0x2e, 0x55, 0xc7, 0xcc, 0x2b, 0x2b, 0x39, 0x6d, 0x90,
+		0x60, 0x31, 0x37, 0x5b, 0x44, 0xde, 0xfd, 0xf2, 0xd1, 0xc6,
+		0x9c, 0x12, 0x82, 0xcc, 0x7c, 0xb1, 0x0e, 0xa9, 0x95, 0x9d,
+		0xe0, 0xa8, 0x3e, 0xc1, 0xa3, 0x4a, 0x6a, 0x37, 0x59, 0x17,
+		0x93, 0x63, 0x1e, 0xbf, 0x04, 0xa3, 0xaa, 0xc0, 0x1d, 0xc4,
+		0x6d, 0x7a, 0xdc, 0x69, 0x9c, 0xb0, 0x22, 0x56, 0xd9, 0x76,
+		0x92, 0x2d, 0x1e, 0x62, 0xae, 0xfd, 0xd6, 0x9b, 0xfd, 0x08,
+		0x2c, 0x95, 0xec, 0xe7, 0x02, 0x43, 0x62, 0x68, 0x1a, 0xaf,
+		0x46, 0x59, 0xb7, 0xce, 0x8e, 0x42, 0x24, 0xae, 0xf7, 0x0e,
+		0x9a, 0x3b, 0xf8, 0x77, 0xdf, 0x26, 0x85, 0x9f, 0x45, 0xad,
+		0x8c, 0xa9, 0x54, 0x9c, 0x46, 0x44, 0xd5, 0x8a, 0xe9, 0xcc,
+		0x34, 0x5e, 0xc5, 0xd1, 0x42, 0x6f, 0x44, 0xf3, 0x0f, 0x90,
+		0x3a, 0x32, 0x1a, 0x9c, 0x2a, 0x63, 0xec, 0x21, 0xb4, 0xfc,
+		0xfa, 0xa5, 0xcf, 0xe7, 0x9e, 0x43, 0xc7, 0x49, 0x56, 0xbc,
+		0x50, 0xc5, 0x84, 0xf0, 0x42, 0xc8, 0x6a, 0xf1, 0x78, 0xe4,
+		0xaa, 0x06, 0x37, 0xe1, 0x30, 0xf7, 0x65, 0x97, 0xca, 0xfd,
+		0x35, 0xfa, 0xeb, 0x48, 0x6d, 0xaa, 0x45, 0x46, 0x9d, 0xbc,
+		0x1d, 0x98, 0x17, 0x45, 0xa3, 0xee, 0x21, 0xa0, 0x97, 0x38,
+		0x80, 0xc5, 0x28, 0x1f,
+	};
+ 	static const uint8_t test_y[] = { /* y=g^x mod p */
+-		0x1e, 0xca, 0x23, 0x2a, 0xfd, 0x34, 0xe1, 
+-		0x10, 0x7a, 0xff, 0xaf, 0x2d, 0xaa, 0x53 };
+		0x93, 0xeb, 0x5c, 0x37, 0x1d, 0x3c, 0x06, 0x6f, 0xbf, 0xbe,
+		0x96, 0x51, 0x26, 0x58, 0x81, 0x36, 0xc6, 0x4f, 0x9a, 0x34,
+		0xc4, 0xc5, 0xa8, 0xa3, 0x2c, 0x41, 0x76, 0xa8, 0xc6, 0xc0,
+		0xa0, 0xc8, 0x51, 0x36, 0xc4, 0x40, 0x4e, 0x2c, 0x69, 0xf7,
+		0x51, 0xbb, 0xb0, 0xd6, 0xf5, 0xdb, 0x40, 0x29, 0x50, 0x3b,
+		0x8a, 0xf9, 0xf3, 0x53, 0x78, 0xfc, 0x86, 0xe9, 0xf1, 0xe9,
+		0xac, 0x85, 0x13, 0x65, 0x62, 0x22, 0x04, 0x1b, 0x14, 0x2a,
+		0xf4, 0x8f, 0x2f, 0xf1, 0x2f, 0x81, 0xd6, 0x18, 0x0e, 0x76,
+		0x91, 0x43, 0xb2, 0xfc, 0x7c, 0x6f, 0x0c, 0x45, 0x37, 0x31,
+		0x31, 0x58, 0x5c, 0xdf, 0x42, 0x24, 0x7a, 0xba, 0x8b, 0x7f,
+		0x79, 0x06, 0x07, 0xef, 0xd6, 0x06, 0xeb, 0xcb, 0x3c, 0xbd,
+		0xbc, 0xe5, 0xff, 0xfd, 0x62, 0x15, 0x0c, 0x40, 0x46, 0x37,
+		0xef, 0xd0, 0xa1, 0xde, 0x63, 0x4f, 0x20, 0x0b, 0x45, 0x7d,
+		0x06, 0x77, 0xfd, 0x23, 0xc1, 0x32, 0x8a, 0x89, 0x65, 0x16,
+		0xe8, 0x48, 0x12, 0x1c, 0x25, 0x33, 0x2d, 0xbd, 0xd8, 0x9f,
+		0x1c, 0x9d, 0xbc, 0xe3, 0x08, 0x60, 0x87, 0x1a, 0xc6, 0x06,
+		0x36, 0xd2, 0xac, 0x09, 0x6d, 0x99, 0x02, 0x89, 0xc6, 0x12,
+		0x93, 0x8c, 0x4b, 0xd0, 0x7e, 0x36, 0x8a, 0xd6, 0xa0, 0x97,
+		0x4f, 0x97, 0x3f, 0x97, 0x0b, 0xfe, 0x05, 0xfc, 0xc8, 0xef,
+		0x21, 0x4d, 0x4a, 0x06, 0x6e, 0xb4, 0xa6, 0x4f, 0xe1, 0xdd,
+		0x44, 0x06, 0xfa, 0xd5, 0x0e, 0x54, 0xf5, 0x54, 0x3e, 0x8c,
+		0xb9, 0x85, 0x86, 0x00, 0x40, 0x98, 0xe7, 0x01, 0xdd, 0x93,
+		0x9d, 0x95, 0xea, 0xf0, 0xd3, 0x99, 0x4b, 0xeb, 0xd5, 0x79,
+		0x47, 0xa4, 0xad, 0x2a, 0xe0, 0x4d, 0x36, 0x3b, 0x46, 0x10,
+		0x96, 0xbb, 0x48, 0xe9, 0xa1, 0x78, 0x01, 0x35, 0x0a, 0x5c,
+		0x7b, 0x3f, 0xf5, 0xf7, 0xb1, 0xe3, 0x97, 0x17, 0x4d, 0x76,
+		0x10, 0x8d, 0x68, 0x4c, 0x94, 0x7d, 0xee, 0x0e, 0x20, 0x8b,
+		0xce, 0x7d, 0x0a, 0xa3, 0x51, 0xfb, 0xe6, 0xcf, 0xf0, 0x0e,
+		0x7f, 0x3c, 0xd4, 0xef, 0x56, 0x31, 0xb2, 0x95, 0xf0, 0x5f,
+		0x4b, 0x9c, 0x03, 0x9e, 0xae, 0xb1, 0xc1, 0x46, 0xd7, 0xc0,
+		0x4f, 0xb0, 0xf6, 0x6c, 0xe1, 0xe9, 0x2a, 0x97, 0xe0, 0x3f,
+		0x3a, 0x93, 0x04, 0xcd, 0x41, 0x7d, 0x45, 0x03, 0xb3, 0x40,
+		0x20, 0xe6, 0xad, 0x2d, 0xd3, 0xf7, 0x32, 0x7b, 0xcc, 0x4f,
+		0x81, 0x18, 0x4c, 0x50, 0x77, 0xc4, 0xb7, 0x6a, 0x4d, 0x05,
+		0xd8, 0x6d, 0xbf, 0x6f, 0xba, 0x1d, 0x38, 0x78, 0x87, 0xd2,
+		0x8e, 0xc2, 0x6d, 0xb6, 0xed, 0x66, 0x61, 0xa8, 0xb9, 0x19,
+		0x0e, 0x93, 0xd1, 0xcd, 0x5b, 0xbe, 0x19, 0x05, 0x52, 0x43,
+		0xd6, 0xc1, 0x07, 0x3c, 0x6a, 0x62, 0xbd, 0x33, 0x9b, 0x1b,
+		0x02, 0x42, 0x61, 0x14,
+	};
+ 
+ 	gnutls_pk_params_init(&priv);
+ 	gnutls_pk_params_init(&pub);
+ 	
+ 	priv.algo = pub.algo = GNUTLS_PK_DH;
+ 	
+-	ret = _gnutls_mpi_init_scan(&priv.params[DH_P], test_p, sizeof(test_p));
+	ret = _gnutls_mpi_init_scan(&priv.params[DH_P],
+				    gnutls_ffdhe_3072_group_prime.data,
+				    gnutls_ffdhe_3072_group_prime.size);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+ 		goto cleanup;
+ 	}
+ 
+-	ret = _gnutls_mpi_init_scan(&priv.params[DH_G], test_g, sizeof(test_g));
+	ret = _gnutls_mpi_init_scan(&priv.params[DH_G],
+				    gnutls_ffdhe_3072_group_generator.data,
+				    gnutls_ffdhe_3072_group_generator.size);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+ 		goto cleanup;
+diff --git a/lib/dh-primes.c b/lib/dh-primes.c
+index a440b5b98..94b69e345 100644
+--- a/lib/dh-primes.c
+++ b/lib/dh-primes.c
+@@ -23,8 +23,6 @@
+ #include "gnutls_int.h"
+ #include <gnutls/gnutls.h>
+ 
+-#if defined(ENABLE_DHE) || defined(ENABLE_ANON)
+-
+ #include "dh.h"
+ 
+ static const unsigned char ffdhe_generator = 0x02;
+@@ -1934,5 +1932,3 @@ _gnutls_dh_prime_match_fips_approved(const uint8_t *prime,
+ 
+ 	return 0;
+ }
+-
+-#endif
+-- 
+2.26.2
+
--- a/SOURCES/gnutls-3.6.14-fips-kdf-selftests.patch
+++ b/SOURCES/gnutls-3.6.14-fips-kdf-selftests.patch
@ -0,0 +1,713 @@
+From 93c0e3ba4d2cfee86b32f28f33303a2193c4133c Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 5 Oct 2020 16:12:46 +0200
+Subject: [PATCH 1/4] fips: add self-tests for HKDF
+
+FIPS140-2 IG D.8 mandates self-test on approved KDF algorithms.  As
+the guidance only requires running a single instance of each KDF
+mechanism, this only exercises HKDF-Extract and HKDF-Expand operations
+with HMAC-SHA-256 as the underlying MAC.
+
+Although HKDF is non-approved, it would be sensible to do that as it
+will be approved in FIPS140-3.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ devel/libgnutls-latest-x86_64.abi |   1 +
+ lib/crypto-selftests.c            | 159 ++++++++++++++++++++++++++++++
+ lib/fips.c                        |   7 ++
+ lib/includes/gnutls/self-test.h   |   1 +
+ lib/libgnutls.map                 |   1 +
+ 5 files changed, 169 insertions(+)
+
+diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c
+index 7a1c7729c..bd148b6af 100644
+--- a/lib/crypto-selftests.c
+++ b/lib/crypto-selftests.c
+@@ -2917,3 +2917,162 @@ int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest)
+ 
+ 	return 0;
+ }
+
+struct hkdf_vectors_st {
+	const uint8_t *ikm;
+	unsigned int ikm_size;
+	const uint8_t *salt;
+	unsigned int salt_size;
+	const uint8_t *prk;
+	unsigned int prk_size;
+	const uint8_t *info;
+	unsigned int info_size;
+	const uint8_t *okm;
+	unsigned int okm_size;
+};
+
+const struct hkdf_vectors_st hkdf_sha256_vectors[] = {
+	/* RFC 5869: A.1. Test Case 1: Basic test case with SHA-256 */
+	{
+		STR(ikm, ikm_size,
+		    "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+		    "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"),
+		STR(salt, salt_size,
+		    "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c"),
+		STR(prk, prk_size,
+		    "\x07\x77\x09\x36\x2c\x2e\x32\xdf\x0d\xdc\x3f\x0d\xc4\x7b"
+		    "\xba\x63\x90\xb6\xc7\x3b\xb5\x0f\x9c\x31\x22\xec\x84\x4a"
+		    "\xd7\xc2\xb3\xe5"),
+		STR(info, info_size,
+		    "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9"),
+		STR(okm, okm_size,
+		    "\x3c\xb2\x5f\x25\xfa\xac\xd5\x7a\x90\x43\x4f\x64\xd0\x36"
+		    "\x2f\x2a\x2d\x2d\x0a\x90\xcf\x1a\x5a\x4c\x5d\xb0\x2d\x56"
+		    "\xec\xc4\xc5\xbf\x34\x00\x72\x08\xd5\xb8\x87\x18\x58\x65"),
+	},
+	/* RFC 5869: A.2. Test Case 2: Test with SHA-256 and longer inputs/outputs */
+	{
+		STR(ikm, ikm_size,
+		    "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d"
+		    "\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b"
+		    "\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29"
+		    "\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37"
+		    "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45"
+		    "\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"),
+		STR(salt, salt_size,
+		    "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d"
+		    "\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b"
+		    "\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89"
+		    "\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97"
+		    "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5"
+		    "\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"),
+		STR(prk, prk_size,
+		    "\x06\xa6\xb8\x8c\x58\x53\x36\x1a\x06\x10\x4c\x9c\xeb\x35"
+		    "\xb4\x5c\xef\x76\x00\x14\x90\x46\x71\x01\x4a\x19\x3f\x40"
+		    "\xc1\x5f\xc2\x44"),
+		STR(info, info_size,
+		    "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd"
+		    "\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb"
+		    "\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9"
+		    "\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7"
+		    "\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5"
+		    "\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"),
+		STR(okm, okm_size,
+		    "\xb1\x1e\x39\x8d\xc8\x03\x27\xa1\xc8\xe7\xf7\x8c\x59\x6a"
+		    "\x49\x34\x4f\x01\x2e\xda\x2d\x4e\xfa\xd8\xa0\x50\xcc\x4c"
+		    "\x19\xaf\xa9\x7c\x59\x04\x5a\x99\xca\xc7\x82\x72\x71\xcb"
+		    "\x41\xc6\x5e\x59\x0e\x09\xda\x32\x75\x60\x0c\x2f\x09\xb8"
+		    "\x36\x77\x93\xa9\xac\xa3\xdb\x71\xcc\x30\xc5\x81\x79\xec"
+		    "\x3e\x87\xc1\x4c\x01\xd5\xc1\xf3\x43\x4f\x1d\x87"),
+	},
+};
+
+static int test_hkdf(gnutls_mac_algorithm_t mac,
+		     const struct hkdf_vectors_st *vectors,
+		     size_t vectors_size, unsigned flags)
+{
+	unsigned int i;
+
+	for (i = 0; i < vectors_size; i++) {
+		gnutls_datum_t ikm, prk, salt, info;
+		uint8_t output[4096];
+		int ret;
+
+		ikm.data = (void *) vectors[i].ikm;
+		ikm.size = vectors[i].ikm_size;
+		salt.data = (void *) vectors[i].salt;
+		salt.size = vectors[i].salt_size;
+
+		ret = gnutls_hkdf_extract(mac, &ikm, &salt, output);
+		if (ret < 0) {
+			_gnutls_debug_log("error extracting HKDF: MAC-%s\n",
+					  gnutls_mac_get_name(mac));
+			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+		}
+
+		if (memcmp(output, vectors[i].prk, vectors[i].prk_size) != 0) {
+			_gnutls_debug_log
+			    ("HKDF extract: MAC-%s test vector failed!\n",
+			     gnutls_mac_get_name(mac));
+
+			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+		}
+
+		prk.data = (void *) vectors[i].prk;
+		prk.size = vectors[i].prk_size;
+		info.data = (void *) vectors[i].info;
+		info.size = vectors[i].info_size;
+
+		ret = gnutls_hkdf_expand(mac, &prk, &info,
+					 output, vectors[i].okm_size);
+		if (ret < 0) {
+			_gnutls_debug_log("error extracting HKDF: MAC-%s\n",
+					  gnutls_mac_get_name(mac));
+			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+		}
+
+		if (memcmp(output, vectors[i].okm, vectors[i].okm_size) != 0) {
+			_gnutls_debug_log
+			    ("HKDF expand: MAC-%s test vector failed!\n",
+			     gnutls_mac_get_name(mac));
+
+			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+		}
+	}
+
+	_gnutls_debug_log
+	    ("HKDF: MAC-%s self check succeeded\n",
+	     gnutls_mac_get_name(mac));
+
+	return 0;
+}
+
+/*-
+ * gnutls_hkdf_self_test:
+ * @flags: GNUTLS_SELF_TEST_FLAG flags
+ * @mac: the message authentication algorithm to use
+ *
+ * This function will run self tests on HKDF with the provided mac.
+ *
+ * Returns: Zero or a negative error code on error.
+ *
+ * Since: 3.3.0-FIPS140
+ -*/
+int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
+{
+	int ret;
+
+	if (flags & GNUTLS_SELF_TEST_FLAG_ALL)
+		mac = GNUTLS_MAC_UNKNOWN;
+
+	switch (mac) {
+	case GNUTLS_MAC_UNKNOWN:
+		CASE(GNUTLS_MAC_SHA256, test_hkdf, hkdf_sha256_vectors);
+
+		break;
+	default:
+		return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST);
+	}
+
+	return 0;
+}
+diff --git a/lib/fips.c b/lib/fips.c
+index f8b10f750..48891ed57 100644
+--- a/lib/fips.c
+++ b/lib/fips.c
+@@ -423,6 +423,13 @@ int _gnutls_fips_perform_self_checks2(void)
+ 		goto error;
+ 	}
+ 
+	/* HKDF */
+	ret = gnutls_hkdf_self_test(0, GNUTLS_MAC_SHA256);
+	if (ret < 0) {
+		gnutls_assert();
+		goto error;
+	}
+
+ 	if (_gnutls_rnd_ops.self_test == NULL) {
+ 		gnutls_assert();
+ 		goto error;
+diff --git a/lib/includes/gnutls/self-test.h b/lib/includes/gnutls/self-test.h
+index aacbe94ca..9b7be8159 100644
+--- a/lib/includes/gnutls/self-test.h
+++ b/lib/includes/gnutls/self-test.h
+@@ -34,5 +34,6 @@ int gnutls_cipher_self_test(unsigned flags, gnutls_cipher_algorithm_t cipher);
+ int gnutls_mac_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
+ int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest);
+ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk);
+int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
+ 
+ #endif
+diff --git a/lib/libgnutls.map b/lib/libgnutls.map
+index 61276e534..386b66f83 100644
+--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
+@@ -1347,6 +1347,7 @@ GNUTLS_FIPS140_3_4 {
+ 	gnutls_pk_self_test;
+ 	gnutls_mac_self_test;
+ 	gnutls_digest_self_test;
+	gnutls_hkdf_self_test;
+ 	#for FIPS140-2 validation
+ 	drbg_aes_reseed;
+ 	drbg_aes_init;
+-- 
+2.26.2
+
+
+From 31cc94275cd267f4e0db60999cc932fd76d43d5a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 5 Oct 2020 16:59:50 +0200
+Subject: [PATCH 2/4] fips: add self-tests for PBKDF2
+
+FIPS140-2 IG D.8 mandates self-tests on approved KDF algorithms.  As
+the guidance only requires running a single instance of each KDF
+mechanism, this only exercises PBKDF2 with HMAC-SHA-256 as the
+underlying MAC algorithm.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ devel/libgnutls-latest-x86_64.abi |   1 +
+ lib/crypto-selftests.c            | 107 ++++++++++++++++++++++++++++++
+ lib/fips.c                        |   7 ++
+ lib/includes/gnutls/self-test.h   |   1 +
+ lib/libgnutls.map                 |   1 +
+ 5 files changed, 117 insertions(+)
+
+diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c
+index bd148b6af..c4b0bd207 100644
+--- a/lib/crypto-selftests.c
+++ b/lib/crypto-selftests.c
+@@ -3076,3 +3076,110 @@ int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
+ 
+ 	return 0;
+ }
+
+struct pbkdf2_vectors_st {
+	const uint8_t *key;
+	size_t key_size;
+	const uint8_t *salt;
+	size_t salt_size;
+	unsigned iter_count;
+	const uint8_t *output;
+	size_t output_size;
+};
+
+const struct pbkdf2_vectors_st pbkdf2_sha256_vectors[] = {
+	/* RFC 7914: 11. Test Vectors for PBKDF2 with HMAC-SHA-256 */
+	{
+		STR(key, key_size, "passwd"),
+		STR(salt, salt_size, "salt"),
+		.iter_count = 1,
+		STR(output, output_size,
+		    "\x55\xac\x04\x6e\x56\xe3\x08\x9f\xec\x16\x91\xc2\x25\x44"
+		    "\xb6\x05\xf9\x41\x85\x21\x6d\xde\x04\x65\xe6\x8b\x9d\x57"
+		    "\xc2\x0d\xac\xbc\x49\xca\x9c\xcc\xf1\x79\xb6\x45\x99\x16"
+		    "\x64\xb3\x9d\x77\xef\x31\x7c\x71\xb8\x45\xb1\xe3\x0b\xd5"
+		    "\x09\x11\x20\x41\xd3\xa1\x97\x83"),
+	},
+	/* RFC 7914: 11. Test Vectors for PBKDF2 with HMAC-SHA-256 */
+	{
+		STR(key, key_size, "Password"),
+		STR(salt, salt_size, "NaCl"),
+		.iter_count = 80000,
+		STR(output, output_size,
+		    "\x4d\xdc\xd8\xf6\x0b\x98\xbe\x21\x83\x0c\xee\x5e\xf2\x27"
+		    "\x01\xf9\x64\x1a\x44\x18\xd0\x4c\x04\x14\xae\xff\x08\x87"
+		    "\x6b\x34\xab\x56\xa1\xd4\x25\xa1\x22\x58\x33\x54\x9a\xdb"
+		    "\x84\x1b\x51\xc9\xb3\x17\x6a\x27\x2b\xde\xbb\xa1\xd0\x78"
+		    "\x47\x8f\x62\xb3\x97\xf3\x3c\x8d"),
+	},
+};
+
+static int test_pbkdf2(gnutls_mac_algorithm_t mac,
+		       const struct pbkdf2_vectors_st *vectors,
+		       size_t vectors_size, unsigned flags)
+{
+	unsigned int i;
+
+	for (i = 0; i < vectors_size; i++) {
+		gnutls_datum_t key, salt;
+		uint8_t output[4096];
+		int ret;
+
+		key.data = (void *) vectors[i].key;
+		key.size = vectors[i].key_size;
+		salt.data = (void *) vectors[i].salt;
+		salt.size = vectors[i].salt_size;
+
+		ret = gnutls_pbkdf2(mac, &key, &salt, vectors[i].iter_count,
+				    output, vectors[i].output_size);
+		if (ret < 0) {
+			_gnutls_debug_log("error calculating PBKDF2: MAC-%s\n",
+					  gnutls_mac_get_name(mac));
+			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+		}
+
+		if (memcmp(output, vectors[i].output, vectors[i].output_size) != 0) {
+			_gnutls_debug_log
+			    ("PBKDF2: MAC-%s test vector failed!\n",
+			     gnutls_mac_get_name(mac));
+
+			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+		}
+	}
+
+	_gnutls_debug_log
+	    ("PBKDF2: MAC-%s self check succeeded\n",
+	     gnutls_mac_get_name(mac));
+
+	return 0;
+}
+
+/*-
+ * gnutls_pbkdf2_self_test:
+ * @flags: GNUTLS_SELF_TEST_FLAG flags
+ * @mac: the message authentication algorithm to use
+ *
+ * This function will run self tests on PBKDF2 with the provided mac.
+ *
+ * Returns: Zero or a negative error code on error.
+ *
+ * Since: 3.3.0-FIPS140
+ -*/
+int gnutls_pbkdf2_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
+{
+	int ret;
+
+	if (flags & GNUTLS_SELF_TEST_FLAG_ALL)
+		mac = GNUTLS_MAC_UNKNOWN;
+
+	switch (mac) {
+	case GNUTLS_MAC_UNKNOWN:
+		CASE(GNUTLS_MAC_SHA256, test_pbkdf2, pbkdf2_sha256_vectors);
+
+		break;
+	default:
+		return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST);
+	}
+
+	return 0;
+}
+diff --git a/lib/fips.c b/lib/fips.c
+index 48891ed57..7cfab1049 100644
+--- a/lib/fips.c
+++ b/lib/fips.c
+@@ -430,6 +430,13 @@ int _gnutls_fips_perform_self_checks2(void)
+ 		goto error;
+ 	}
+ 
+	/* PBKDF2 */
+	ret = gnutls_pbkdf2_self_test(0, GNUTLS_MAC_SHA256);
+	if (ret < 0) {
+		gnutls_assert();
+		goto error;
+	}
+
+ 	if (_gnutls_rnd_ops.self_test == NULL) {
+ 		gnutls_assert();
+ 		goto error;
+diff --git a/lib/includes/gnutls/self-test.h b/lib/includes/gnutls/self-test.h
+index 9b7be8159..958c0da8f 100644
+--- a/lib/includes/gnutls/self-test.h
+++ b/lib/includes/gnutls/self-test.h
+@@ -35,5 +35,6 @@ int gnutls_mac_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
+ int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest);
+ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk);
+ int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
+int gnutls_pbkdf2_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
+ 
+ #endif
+diff --git a/lib/libgnutls.map b/lib/libgnutls.map
+index 386b66f83..f5537a386 100644
+--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
+@@ -1348,6 +1348,7 @@ GNUTLS_FIPS140_3_4 {
+ 	gnutls_mac_self_test;
+ 	gnutls_digest_self_test;
+ 	gnutls_hkdf_self_test;
+	gnutls_pbkdf2_self_test;
+ 	#for FIPS140-2 validation
+ 	drbg_aes_reseed;
+ 	drbg_aes_init;
+-- 
+2.26.2
+
+
+From d1a3235e8c829855969d00364d8b5456fce2c78c Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 5 Oct 2020 17:44:30 +0200
+Subject: [PATCH 3/4] fips: add self-tests for TLS-PRF
+
+FIPS140-2 IG D.8 mandates self-tests on approved KDF algorithms.  As
+the guidance only requires to run a single instance of each KDF
+mechanism, this only exercises TLS1.2 PRF with HMAC-SHA-256 as the
+underlying MAC algorithm.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ devel/libgnutls-latest-x86_64.abi |   1 +
+ lib/crypto-selftests.c            | 196 ++++++++++++++++++++++++++++++
+ lib/fips.c                        |   7 ++
+ lib/includes/gnutls/self-test.h   |   1 +
+ lib/libgnutls.map                 |   1 +
+ 5 files changed, 206 insertions(+)
+
+diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c
+index c4b0bd207..b740936d6 100644
+--- a/lib/crypto-selftests.c
+++ b/lib/crypto-selftests.c
+@@ -3183,3 +3183,199 @@ int gnutls_pbkdf2_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
+ 
+ 	return 0;
+ }
+
+struct tlsprf_vectors_st {
+	const uint8_t *key;
+	size_t key_size;
+	const uint8_t *label;
+	size_t label_size;
+	const uint8_t *seed;
+	size_t seed_size;
+	const uint8_t *output;
+	size_t output_size;
+};
+
+const struct tlsprf_vectors_st tls10prf_vectors[] = {
+	/* tests/tls10-prf.c: test1 */
+	{
+		STR(key, key_size,
+		    "\x26\x3b\xdb\xbb\x6f\x6d\x4c\x66\x4e\x05\x8d\x0a\xa9\xd3"
+		    "\x21\xbe"),
+		STR(label, label_size,
+		    "test label"),
+		STR(seed, seed_size,
+		    "\xb9\x20\x57\x3b\x19\x96\x01\x02\x4f\x04\xd6\xdc\x61\x96"
+		    "\x6e\x65"),
+		STR(output, output_size,
+		    "\x66\x17\x99\x37\x65\xfa\x6c\xa7\x03\xd1\x9e\xc7\x0d\xd5"
+		    "\xdd\x16\x0f\xfc\xc0\x77\x25\xfa\xfb\x71\x4a\x9f\x81\x5a"
+		    "\x2a\x30\xbf\xb7\xe3\xbb\xfb\x7e\xee\x57\x4b\x3b\x61\x3e"
+		    "\xb7\xfe\x80\xee\xc9\x69\x1d\x8c\x1b\x0e\x2d\x9b\x3c\x8b"
+		    "\x4b\x02\xb6\xb6\xd6\xdb\x88\xe2\x09\x46\x23\xef\x62\x40"
+		    "\x60\x7e\xda\x7a\xbe\x3c\x84\x6e\x82\xa3"),
+	},
+};
+
+const struct tlsprf_vectors_st tls12prf_sha256_vectors[] = {
+	/* tests/tls12-prf.c: sha256_test1 */
+	{
+		STR(key, key_size,
+		    "\x04\x50\xb0\xea\x9e\xcd\x36\x02\xee\x0d\x76\xc5\xc3\xc8"
+		    "\x6f\x4a"),
+		STR(label, label_size,
+		    "test label"),
+		STR(seed, seed_size,
+		    "\x20\x7a\xcc\x02\x54\xb8\x67\xf5\xb9\x25\xb4\x5a\x33\x60"
+		    "\x1d\x8b"),
+		STR(output, output_size,
+		    "\xae\x67\x9e\x0e\x71\x4f\x59\x75\x76\x37\x68\xb1\x66\x97"
+		    "\x9e\x1d"),
+	},
+	/* tests/tls12-prf.c: sha256_test2 */
+	{
+		STR(key, key_size,
+		    "\x34\x20\x4a\x9d\xf0\xbe\x6e\xb4\xe9\x25\xa8\x02\x7c\xf6"
+		    "\xc6\x02"),
+		STR(label, label_size,
+		    "test label"),
+		STR(seed, seed_size,
+		    "\x98\xb2\xc4\x0b\xcd\x66\x4c\x83\xbb\x92\x0c\x18\x20\x1a"
+		    "\x63\x95"),
+		STR(output, output_size,
+		    "\xaf\xa9\x31\x24\x53\xc2\x2f\xa8\x3d\x2b\x51\x1b\x37\x2d"
+		    "\x73\xa4\x02\xa2\xa6\x28\x73\x23\x9a\x51\xfa\xde\x45\x08"
+		    "\x2f\xaf\x3f\xd2\xbb\x7f\xfb\x3e\x9b\xf3\x6e\x28\xb3\x14"
+		    "\x1a\xab\xa4\x84\x00\x53\x32\xa9\xf9\xe3\x88\xa4\xd3\x29"
+		    "\xf1\x58\x7a\x4b\x31\x7d\xa0\x77\x08\xea\x1b\xa9\x5a\x53"
+		    "\xf8\x78\x67\x24\xbd\x83\xce\x4b\x03\xaf"),
+	},
+	/* tests/tls12-prf.c: sha256_test3 */
+	{
+		STR(key, key_size,
+		    "\xa3\x69\x1a\xa1\xf6\x81\x4b\x80\x59\x2b\xf1\xcf\x2a\xcf"
+		    "\x16\x97"),
+		STR(label, label_size,
+		    "test label"),
+		STR(seed, seed_size,
+		    "\x55\x23\xd4\x1e\x32\x0e\x69\x4d\x0c\x1f\xf5\x73\x4d\x83"
+		    "\x0b\x93\x3e\x46\x92\x70\x71\xc9\x26\x21"),
+		STR(output, output_size,
+		    "\x6a\xd0\x98\x4f\xa0\x6f\x78\xfe\x16\x1b\xd4\x6d\x7c\x26"
+		    "\x1d\xe4\x33\x40\xd7\x28\xdd\xdc\x3d\x0f\xf0\xdd\x7e\x0d"),
+	},
+	/* tests/tls12-prf.c: sha256_test4 */
+	{
+		STR(key, key_size,
+		    "\x21\x0e\xc9\x37\x06\x97\x07\xe5\x46\x5b\xc4\x6b\xf7\x79"
+		    "\xe1\x04\x10\x8b\x18\xfd\xb7\x93\xbe\x7b\x21\x8d\xbf\x14"
+		    "\x5c\x86\x41\xf3"),
+		STR(label, label_size,
+		    "test label"),
+		STR(seed, seed_size,
+		    "\x1e\x35\x1a\x0b\xaf\x35\xc7\x99\x45\x92\x43\x94\xb8\x81"
+		    "\xcf\xe3\x1d\xae\x8f\x1c\x1e\xd5\x4d\x3b"),
+		STR(output, output_size,
+		    "\x76\x53\xfa\x80\x9c\xde\x3b\x55\x3c\x4a\x17\xe2\xcd\xbc"
+		    "\xc9\x18\xf3\x65\x27\xf2\x22\x19\xa7\xd7\xf9\x5d\x97\x24"
+		    "\x3f\xf2\xd5\xde\xe8\x26\x5e\xf0\xaf\x03"),
+	},
+};
+
+const struct tlsprf_vectors_st tls12prf_sha384_vectors[] = {
+	/* tests/tls12-prf.c: sha384_test1
+	 * https://www.ietf.org/mail-archive/web/tls/current/msg03416.html
+	 */
+	{
+		STR(key, key_size,
+		    "\xb8\x0b\x73\x3d\x6c\xee\xfc\xdc\x71\x56\x6e\xa4\x8e\x55"
+		    "\x67\xdf"),
+		STR(label, label_size,
+		    "test label"),
+		STR(seed, seed_size,
+		    "\xcd\x66\x5c\xf6\xa8\x44\x7d\xd6\xff\x8b\x27\x55\x5e\xdb"
+		    "\x74\x65"),
+		STR(output, output_size,
+		    "\x7b\x0c\x18\xe9\xce\xd4\x10\xed\x18\x04\xf2\xcf\xa3\x4a"
+		    "\x33\x6a\x1c\x14\xdf\xfb\x49\x00\xbb\x5f\xd7\x94\x21\x07"
+		    "\xe8\x1c\x83\xcd\xe9\xca\x0f\xaa\x60\xbe\x9f\xe3\x4f\x82"
+		    "\xb1\x23\x3c\x91\x46\xa0\xe5\x34\xcb\x40\x0f\xed\x27\x00"
+		    "\x88\x4f\x9d\xc2\x36\xf8\x0e\xdd\x8b\xfa\x96\x11\x44\xc9"
+		    "\xe8\xd7\x92\xec\xa7\x22\xa7\xb3\x2f\xc3\xd4\x16\xd4\x73"
+		    "\xeb\xc2\xc5\xfd\x4a\xbf\xda\xd0\x5d\x91\x84\x25\x9b\x5b"
+		    "\xf8\xcd\x4d\x90\xfa\x0d\x31\xe2\xde\xc4\x79\xe4\xf1\xa2"
+		    "\x60\x66\xf2\xee\xa9\xa6\x92\x36\xa3\xe5\x26\x55\xc9\xe9"
+		    "\xae\xe6\x91\xc8\xf3\xa2\x68\x54\x30\x8d\x5e\xaa\x3b\xe8"
+		    "\x5e\x09\x90\x70\x3d\x73\xe5\x6f"),
+	},
+};
+
+static int test_tlsprf(gnutls_mac_algorithm_t mac,
+		       const struct tlsprf_vectors_st *vectors,
+		       size_t vectors_size, unsigned flags)
+{
+	unsigned int i;
+
+	for (i = 0; i < vectors_size; i++) {
+		char output[4096];
+		int ret;
+
+		ret = _gnutls_prf_raw(mac,
+				      vectors[i].key_size, vectors[i].key,
+				      vectors[i].label_size, (const char *)vectors[i].label,
+				      vectors[i].seed_size, vectors[i].seed,
+				      vectors[i].output_size, output);
+		if (ret < 0) {
+			_gnutls_debug_log("error calculating TLS-PRF: MAC-%s\n",
+					  gnutls_mac_get_name(mac));
+			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+		}
+
+		if (memcmp(output, vectors[i].output, vectors[i].output_size) != 0) {
+			_gnutls_debug_log
+			    ("TLS-PRF: MAC-%s test vector failed!\n",
+			     gnutls_mac_get_name(mac));
+
+			return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+		}
+	}
+
+	_gnutls_debug_log
+	    ("TLS-PRF: MAC-%s self check succeeded\n",
+	     gnutls_mac_get_name(mac));
+
+	return 0;
+}
+
+/*-
+ * gnutls_tlsprf_self_test:
+ * @flags: GNUTLS_SELF_TEST_FLAG flags
+ * @mac: the message authentication algorithm to use
+ *
+ * This function will run self tests on TLS-PRF with the provided mac.
+ *
+ * Returns: Zero or a negative error code on error.
+ *
+ * Since: 3.3.0-FIPS140
+ -*/
+int gnutls_tlsprf_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
+{
+	int ret;
+
+	if (flags & GNUTLS_SELF_TEST_FLAG_ALL)
+		mac = GNUTLS_MAC_UNKNOWN;
+
+	switch (mac) {
+	case GNUTLS_MAC_UNKNOWN:
+		NON_FIPS_CASE(GNUTLS_MAC_MD5_SHA1, test_tlsprf, tls10prf_vectors);
+		FALLTHROUGH;
+		CASE(GNUTLS_MAC_SHA256, test_tlsprf, tls12prf_sha256_vectors);
+		FALLTHROUGH;
+		CASE(GNUTLS_MAC_SHA384, test_tlsprf, tls12prf_sha384_vectors);
+
+		break;
+	default:
+		return gnutls_assert_val(GNUTLS_E_NO_SELF_TEST);
+	}
+
+	return 0;
+}
+diff --git a/lib/fips.c b/lib/fips.c
+index 7cfab1049..30d396b2c 100644
+--- a/lib/fips.c
+++ b/lib/fips.c
+@@ -437,6 +437,13 @@ int _gnutls_fips_perform_self_checks2(void)
+ 		goto error;
+ 	}
+ 
+	/* TLS-PRF */
+	ret = gnutls_tlsprf_self_test(0, GNUTLS_MAC_SHA256);
+	if (ret < 0) {
+		gnutls_assert();
+		goto error;
+	}
+
+ 	if (_gnutls_rnd_ops.self_test == NULL) {
+ 		gnutls_assert();
+ 		goto error;
+diff --git a/lib/includes/gnutls/self-test.h b/lib/includes/gnutls/self-test.h
+index 958c0da8f..88b5a8dbf 100644
+--- a/lib/includes/gnutls/self-test.h
+++ b/lib/includes/gnutls/self-test.h
+@@ -36,5 +36,6 @@ int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest);
+ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk);
+ int gnutls_hkdf_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
+ int gnutls_pbkdf2_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
+int gnutls_tlsprf_self_test(unsigned flags, gnutls_mac_algorithm_t mac);
+ 
+ #endif
+diff --git a/lib/libgnutls.map b/lib/libgnutls.map
+index f5537a386..643d400a1 100644
+--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
+@@ -1349,6 +1349,7 @@ GNUTLS_FIPS140_3_4 {
+ 	gnutls_digest_self_test;
+ 	gnutls_hkdf_self_test;
+ 	gnutls_pbkdf2_self_test;
+	gnutls_tlsprf_self_test;
+ 	#for FIPS140-2 validation
+ 	drbg_aes_reseed;
+ 	drbg_aes_init;
+-- 
+2.26.2
+
+
+From af3df0102fc377591a6de3112b034d4a492fc92c Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 5 Oct 2020 17:59:46 +0200
+Subject: [PATCH 4/4] fips: run CMAC self-tests
+
+FIPS140-2 IG D.8 mandates self-tests on CMAC.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/fips.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/fips.c b/lib/fips.c
+index 30d396b2c..51567953d 100644
+--- a/lib/fips.c
+++ b/lib/fips.c
+@@ -398,6 +398,12 @@ int _gnutls_fips_perform_self_checks2(void)
+ 		goto error;
+ 	}
+ 
+	ret = gnutls_mac_self_test(0, GNUTLS_MAC_AES_CMAC_256);
+	if (ret < 0) {
+		gnutls_assert();
+		goto error;
+	}
+
+ 	/* PK */
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
+ 	if (ret < 0) {
+-- 
+2.26.2
+
--- a/SOURCES/gnutls-3.6.16-cpuid.patch
+++ b/SOURCES/gnutls-3.6.16-cpuid.patch
@ -0,0 +1,247 @@
+From 300c6315d2e644ae81b43fa2dd7bbf68b3afb5b2 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 18 Nov 2021 19:02:03 +0100
+Subject: [PATCH 1/2] accelerated: fix CPU feature detection for Intel CPUs
+
+This fixes read_cpuid_vals to correctly read the CPUID quadruple, as
+well as to set the bit the ustream CRYPTOGAMS uses to identify Intel
+CPUs.
+
+Suggested by Rafael Gieschke in:
+https://gitlab.com/gnutls/gnutls/-/issues/1282
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/accelerated/x86/x86-common.c | 91 +++++++++++++++++++++++++-------
+ 1 file changed, 71 insertions(+), 20 deletions(-)
+
+diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
+index 3845c6b4c9..cf615ef24f 100644
+--- a/lib/accelerated/x86/x86-common.c
+++ b/lib/accelerated/x86/x86-common.c
+@@ -81,15 +81,38 @@ unsigned int _gnutls_x86_cpuid_s[4];
+ # define bit_AVX 0x10000000
+ #endif
+ 
+-#ifndef OSXSAVE_MASK
+-/* OSXSAVE|FMA|MOVBE */
+-# define OSXSAVE_MASK (0x8000000|0x1000|0x400000)
+#ifndef bit_AVX2
+# define bit_AVX2 0x00000020
+#endif
+
+#ifndef bit_AVX512F
+# define bit_AVX512F 0x00010000
+#endif
+
+#ifndef bit_AVX512IFMA
+# define bit_AVX512IFMA 0x00200000
+#endif
+
+#ifndef bit_AVX512BW
+# define bit_AVX512BW 0x40000000
+#endif
+
+#ifndef bit_AVX512VL
+# define bit_AVX512VL 0x80000000
+#endif
+
+#ifndef bit_OSXSAVE
+# define bit_OSXSAVE 0x8000000
+ #endif
+ 
+ #ifndef bit_MOVBE
+ # define bit_MOVBE 0x00400000
+ #endif
+ 
+#ifndef OSXSAVE_MASK
+# define OSXSAVE_MASK (bit_OSXSAVE|bit_MOVBE)
+#endif
+
+ #define via_bit_PADLOCK (0x3 << 6)
+ #define via_bit_PADLOCK_PHE (0x3 << 10)
+ #define via_bit_PADLOCK_PHE_SHA512 (0x3 << 25)
+@@ -127,7 +150,7 @@ static unsigned read_cpuid_vals(unsigned int vals[4])
+ 	unsigned t1, t2, t3;
+ 	vals[0] = vals[1] = vals[2] = vals[3] = 0;
+ 
+-	if (!__get_cpuid(1, &t1, &vals[0], &vals[1], &t2))
+	if (!__get_cpuid(1, &t1, &t2, &vals[1], &vals[0]))
+ 		return 0;
+ 	/* suppress AVX512; it works conditionally on certain CPUs on the original code */
+ 	vals[1] &= 0xfffff7ff;
+@@ -145,7 +168,7 @@ static unsigned check_4th_gen_intel_features(unsigned ecx)
+ {
+ 	uint32_t xcr0;
+ 
+-	if ((ecx & OSXSAVE_MASK) != OSXSAVE_MASK)
+	if ((ecx & bit_OSXSAVE) != bit_OSXSAVE)
+ 		return 0;
+ 
+ #if defined(_MSC_VER) && !defined(__clang__)
+@@ -233,10 +256,7 @@ static unsigned check_sha(void)
+ #ifdef ASM_X86_64
+ static unsigned check_avx_movbe(void)
+ {
+-	if (check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1]) == 0)
+-		return 0;
+-
+-	return ((_gnutls_x86_cpuid_s[1] & bit_AVX));
+	return (_gnutls_x86_cpuid_s[1] & bit_AVX);
+ }
+ 
+ static unsigned check_pclmul(void)
+@@ -514,33 +534,47 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ }
+ #endif
+ 
+-static unsigned check_intel_or_amd(void)
+enum x86_cpu_vendor {
+	X86_CPU_VENDOR_OTHER,
+	X86_CPU_VENDOR_INTEL,
+	X86_CPU_VENDOR_AMD,
+};
+
+static enum x86_cpu_vendor check_x86_cpu_vendor(void)
+ {
+ 	unsigned int a, b, c, d;
+ 
+-	if (!__get_cpuid(0, &a, &b, &c, &d))
+-		return 0;
+	if (!__get_cpuid(0, &a, &b, &c, &d)) {
+		return X86_CPU_VENDOR_OTHER;
+	}
+ 
+-	if ((memcmp(&b, "Genu", 4) == 0 &&
+-	     memcmp(&d, "ineI", 4) == 0 &&
+-	     memcmp(&c, "ntel", 4) == 0) ||
+-	    (memcmp(&b, "Auth", 4) == 0 &&
+-	     memcmp(&d, "enti", 4) == 0 && memcmp(&c, "cAMD", 4) == 0)) {
+-		return 1;
+	if (memcmp(&b, "Genu", 4) == 0 &&
+	    memcmp(&d, "ineI", 4) == 0 &&
+	    memcmp(&c, "ntel", 4) == 0) {
+		return X86_CPU_VENDOR_INTEL;
+ 	}
+ 
+-	return 0;
+	if (memcmp(&b, "Auth", 4) == 0 &&
+	    memcmp(&d, "enti", 4) == 0 &&
+	    memcmp(&c, "cAMD", 4) == 0) {
+		return X86_CPU_VENDOR_AMD;
+	}
+
+	return X86_CPU_VENDOR_OTHER;
+ }
+ 
+ static
+ void register_x86_intel_crypto(unsigned capabilities)
+ {
+ 	int ret;
+	enum x86_cpu_vendor vendor;
+ 
+ 	memset(_gnutls_x86_cpuid_s, 0, sizeof(_gnutls_x86_cpuid_s));
+ 
+-	if (check_intel_or_amd() == 0)
+	vendor = check_x86_cpu_vendor();
+	if (vendor == X86_CPU_VENDOR_OTHER) {
+ 		return;
+	}
+ 
+ 	if (capabilities == 0) {
+ 		if (!read_cpuid_vals(_gnutls_x86_cpuid_s))
+@@ -549,6 +583,23 @@ void register_x86_intel_crypto(unsigned capabilities)
+ 		capabilities_to_intel_cpuid(capabilities);
+ 	}
+ 
+	/* CRYPTOGAMS uses the (1 << 30) bit as an indicator of Intel CPUs */
+	if (vendor == X86_CPU_VENDOR_INTEL) {
+		_gnutls_x86_cpuid_s[0] |= 1 << 30;
+	} else {
+		_gnutls_x86_cpuid_s[0] &= ~(1 << 30);
+	}
+
+	if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) {
+		_gnutls_x86_cpuid_s[1] &= ~bit_AVX;
+
+		/* Clear AVX2 bits as well, according to what OpenSSL does.
+		 * Should we clear bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER, and
+		 * bit_AVX512CD? */
+		_gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|bit_AVX512F|bit_AVX512IFMA|
+					    bit_AVX512BW|bit_AVX512BW);
+	}
+
+ 	if (check_ssse3()) {
+ 		_gnutls_debug_log("Intel SSSE3 was detected\n");
+ 
+-- 
+2.37.3
+
+
+From cd509dac9e6d1bf76fd12c72c1fd61f1708c254a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 15 Aug 2022 09:39:18 +0900
+Subject: [PATCH 2/2] accelerated: clear AVX bits if it cannot be queried
+ through XSAVE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The algorithm to detect AVX is described in 14.3 of "Intel® 64 and IA-32
+Architectures Software Developer’s Manual".
+
+GnuTLS previously only followed that algorithm when registering the
+crypto backend, while the CRYPTOGAMS derived SHA code assembly expects
+that the extension bits are propagated to _gnutls_x86_cpuid_s.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/accelerated/x86/x86-common.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
+index cf615ef24f..655d0c65f2 100644
+--- a/lib/accelerated/x86/x86-common.c
+++ b/lib/accelerated/x86/x86-common.c
+@@ -210,7 +210,8 @@ static void capabilities_to_intel_cpuid(unsigned capabilities)
+ 	}
+ 
+ 	if (capabilities & INTEL_AVX) {
+-		if ((a[1] & bit_AVX) && check_4th_gen_intel_features(a[1])) {
+		if ((a[1] & bit_AVX) && (a[1] & bit_MOVBE) &&
+		    check_4th_gen_intel_features(a[1])) {
+ 			_gnutls_x86_cpuid_s[1] |= bit_AVX|bit_MOVBE;
+ 		} else {
+ 			_gnutls_debug_log
+@@ -256,7 +257,7 @@ static unsigned check_sha(void)
+ #ifdef ASM_X86_64
+ static unsigned check_avx_movbe(void)
+ {
+-	return (_gnutls_x86_cpuid_s[1] & bit_AVX);
+	return (_gnutls_x86_cpuid_s[1] & (bit_AVX|bit_MOVBE)) == (bit_AVX|bit_MOVBE);
+ }
+ 
+ static unsigned check_pclmul(void)
+@@ -579,6 +580,19 @@ void register_x86_intel_crypto(unsigned capabilities)
+ 	if (capabilities == 0) {
+ 		if (!read_cpuid_vals(_gnutls_x86_cpuid_s))
+ 			return;
+		if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) {
+			_gnutls_x86_cpuid_s[1] &= ~bit_AVX;
+
+			/* Clear AVX2 bits as well, according to what
+			 * OpenSSL does.  Should we clear
+			 * bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER,
+			 * and bit_AVX512CD? */
+			_gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|
+						    bit_AVX512F|
+						    bit_AVX512IFMA|
+						    bit_AVX512BW|
+						    bit_AVX512BW);
+		}
+ 	} else {
+ 		capabilities_to_intel_cpuid(capabilities);
+ 	}
+-- 
+2.37.3
+
--- a/SOURCES/gnutls-3.6.16-deterministic-ecdsa-fixes.patch
+++ b/SOURCES/gnutls-3.6.16-deterministic-ecdsa-fixes.patch
@ -0,0 +1,474 @@
+From 0d39e4120bc5ece53c86c5802c546259b8ca286a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 12 Jan 2024 17:56:58 +0900
+Subject: [PATCH] nettle: avoid normalization of mpz_t in deterministic ECDSA
+
+This removes function calls that potentially leak bit-length of a
+private key used to calculate a nonce in deterministic ECDSA.  Namely:
+
+- _gnutls_dsa_compute_k has been rewritten to work on always
+  zero-padded mp_limb_t arrays instead of mpz_t
+- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
+  by a byte array instead of an mpz_t value
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/int/dsa-compute-k.c    | 84 +++++++++++++++++++------------
+ lib/nettle/int/dsa-compute-k.h    | 31 +++++++++---
+ lib/nettle/int/ecdsa-compute-k.c  | 71 +++++++++-----------------
+ lib/nettle/int/ecdsa-compute-k.h  |  8 +--
+ lib/nettle/pk.c                   | 79 ++++++++++++++++++++---------
+ tests/sign-verify-deterministic.c |  2 +-
+ 6 files changed, 158 insertions(+), 117 deletions(-)
+
+diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
+index 17d63318c4..ddeb6f6d1e 100644
+--- a/lib/nettle/int/dsa-compute-k.c
+++ b/lib/nettle/int/dsa-compute-k.c
+@@ -31,33 +31,37 @@
+ #include "mpn-base256.h"
+ #include <string.h>
+ 
+-#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
+-
+-/* The maximum size of q, choosen from the fact that we support
+- * 521-bit elliptic curve generator and 512-bit DSA subgroup at
+- * maximum. */
+-#define MAX_Q_BITS 521
+-#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
+-#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
+-
+-#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
+-#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
+-
+-int
+-_gnutls_dsa_compute_k(mpz_t k,
+-		      const mpz_t q,
+-		      const mpz_t x,
+-		      gnutls_mac_algorithm_t mac,
+-		      const uint8_t *digest,
+-		      size_t length)
+/* For mini-gmp */
+#ifndef GMP_LIMB_BITS
+#define GMP_LIMB_BITS GMP_NUMB_BITS
+#endif
+
+static inline int is_zero_limb(mp_limb_t x)
+{
+	x |= (x << 1);
+	return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1);
+}
+
+static int sec_zero_p(const mp_limb_t *ap, mp_size_t n)
+{
+	volatile mp_limb_t w;
+	mp_size_t i;
+
+	for (i = 0, w = 0; i < n; i++)
+		w |= ap[i];
+
+	return is_zero_limb(w);
+}
+
+int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
+			  mp_size_t qn, mp_bitcnt_t q_bits,
+			  gnutls_mac_algorithm_t mac, const uint8_t *digest,
+			  size_t length)
+ {
+ 	uint8_t V[MAX_HASH_SIZE];
+ 	uint8_t K[MAX_HASH_SIZE];
+ 	uint8_t xp[MAX_Q_SIZE];
+ 	uint8_t tp[MAX_Q_SIZE];
+-	mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
+-	mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
+-	mp_size_t qn = mpz_size(q);
+ 	mp_bitcnt_t h_bits = length * 8;
+ 	mp_size_t hn = BITS_TO_LIMBS(h_bits);
+ 	size_t nbytes = (q_bits + 7) / 8;
+@@ -66,6 +70,7 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 	mp_limb_t cy;
+ 	gnutls_hmac_hd_t hd;
+ 	int ret = 0;
+	mp_limb_t scratch[MAX_Q_LIMBS];
+ 
+ 	if (unlikely(q_bits > MAX_Q_BITS))
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -73,7 +78,7 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ 
+ 	/* int2octets(x) */
+-	mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
+	mpn_get_base256(xp, nbytes, x, qn);
+ 
+ 	/* bits2octets(h) */
+ 	mpn_set_base256(h, hn, digest, length);
+@@ -97,12 +102,12 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 			mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
+ 	}
+ 
+-	cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
+	cy = mpn_sub_n(h, h, q, qn);
+ 	/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
+ #ifdef mpn_cnd_add_n
+-	mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
+	mpn_cnd_add_n(cy, h, h, q, qn);
+ #else
+-	mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
+	mpn_addmul_1(h, q, qn, cy != 0);
+ #endif
+ 	mpn_get_base256(tp, nbytes, h, qn);
+ 
+@@ -178,12 +183,8 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 		if (tlen * 8 > q_bits)
+ 			mpn_rshift (h, h, qn, tlen * 8 - q_bits);
+ 		/* Check if k is in [1,q-1] */
+-		if (!mpn_zero_p (h, qn) &&
+-		    mpn_cmp (h, mpz_limbs_read(q), qn) < 0) {
+-			mpn_copyi(mpz_limbs_write(k, qn), h, qn);
+-			mpz_limbs_finish(k, qn);
+		if (!sec_zero_p(h, qn) && mpn_sub_n(scratch, h, q, qn))
+ 			break;
+-		}
+ 
+ 		ret = gnutls_hmac_init(&hd, mac, K, length);
+ 		if (ret < 0)
+@@ -207,3 +208,24 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 
+ 	return ret;
+ }
+
+/* cancel-out dsa_sign's addition of 1 to random data */
+void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
+				  mp_size_t n)
+{
+	/* Fall back to sub_1, if nettle is linked with mini-gmp. */
+#ifdef mpn_sec_sub_1
+	mp_limb_t t[MAX_Q_LIMBS];
+
+	mpn_sec_sub_1(h, h, n, 1, t);
+#else
+	mpn_sub_1(h, h, n, 1);
+#endif
+	mpn_get_base256(k, nbytes, h, n);
+}
+
+void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
+				    mp_size_t n)
+{
+	mpn_get_base256(k, nbytes, h, n);
+}
+diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
+index 64e90e0ca2..e88fce0a6d 100644
+--- a/lib/nettle/int/dsa-compute-k.h
+++ b/lib/nettle/int/dsa-compute-k.h
+@@ -26,12 +26,29 @@
+ #include <gnutls/gnutls.h>
+ #include <nettle/bignum.h> /* includes gmp.h */
+ 
+-int
+-_gnutls_dsa_compute_k(mpz_t k,
+-		      const mpz_t q,
+-		      const mpz_t x,
+-		      gnutls_mac_algorithm_t mac,
+-		      const uint8_t *digest,
+-		      size_t length);
+#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
+
+/* The maximum size of q, chosen from the fact that we support
+ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
+ * maximum. */
+#define MAX_Q_BITS 521
+#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
+#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
+
+#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
+#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
+
+#define DSA_COMPUTE_K_ITCH MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)
+
+int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
+			  mp_size_t qn, mp_bitcnt_t q_bits,
+			  gnutls_mac_algorithm_t mac, const uint8_t *digest,
+			  size_t length);
+
+void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
+				  mp_size_t n);
+
+void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
+				    mp_size_t n);
+ 
+ #endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
+diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
+index 94914ebdfa..819302c1c7 100644
+--- a/lib/nettle/int/ecdsa-compute-k.c
+++ b/lib/nettle/int/ecdsa-compute-k.c
+@@ -29,67 +29,46 @@
+ #include "dsa-compute-k.h"
+ #include "gnutls_int.h"
+ 
+-static inline int
+-_gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
+int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve)
+ {
+ 	switch (curve) {
+ #ifdef ENABLE_NON_SUITEB_CURVES
+ 	case GNUTLS_ECC_CURVE_SECP192R1:
+-		mpz_init_set_str(*q,
+-				 "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
+-				 "146BC9B1B4D22831",
+-				 16);
+		mpz_set_str(q,
+			    "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
+			    "146BC9B1B4D22831",
+			    16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP224R1:
+-		mpz_init_set_str(*q,
+-				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
+-				 "E0B8F03E13DD29455C5C2A3D",
+-				 16);
+		mpz_set_str(q,
+			    "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
+			    "E0B8F03E13DD29455C5C2A3D",
+			    16);
+ 		return 0;
+ #endif
+ 	case GNUTLS_ECC_CURVE_SECP256R1:
+-		mpz_init_set_str(*q,
+-				 "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
+-				 "BCE6FAADA7179E84F3B9CAC2FC632551",
+-				 16);
+		mpz_set_str(q,
+			    "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
+			    "BCE6FAADA7179E84F3B9CAC2FC632551",
+			    16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP384R1:
+-		mpz_init_set_str(*q,
+-				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+-				 "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
+-				 "581A0DB248B0A77AECEC196ACCC52973",
+-				 16);
+		mpz_set_str(q,
+			    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+			    "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
+			    "581A0DB248B0A77AECEC196ACCC52973",
+			    16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP521R1:
+-		mpz_init_set_str(*q,
+-				 "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+-				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+-				 "FFA51868783BF2F966B7FCC0148F709A"
+-				 "5D03BB5C9B8899C47AEBB6FB71E91386"
+-				 "409",
+-				 16);
+		mpz_set_str(q,
+			    "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+			    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+			    "FFA51868783BF2F966B7FCC0148F709A"
+			    "5D03BB5C9B8899C47AEBB6FB71E91386"
+			    "409",
+			    16);
+ 		return 0;
+ 	default:
+ 		return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+ 	}
+ }
+-
+-int
+-_gnutls_ecdsa_compute_k (mpz_t k,
+-			 gnutls_ecc_curve_t curve,
+-			 const mpz_t x,
+-			 gnutls_mac_algorithm_t mac,
+-			 const uint8_t *digest,
+-			 size_t length)
+-{
+-	mpz_t q;
+-	int ret;
+-
+-	ret = _gnutls_ecc_curve_to_dsa_q(&q, curve);
+-	if (ret < 0)
+-		return gnutls_assert_val(ret);
+-
+-	ret = _gnutls_dsa_compute_k (k, q, x, mac, digest, length);
+-	mpz_clear(q);
+-	return ret;
+-}
+diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h
+index 7ca401d6e4..a7e612bcab 100644
+--- a/lib/nettle/int/ecdsa-compute-k.h
+++ b/lib/nettle/int/ecdsa-compute-k.h
+@@ -26,12 +26,6 @@
+ #include <gnutls/gnutls.h>
+ #include <nettle/bignum.h> /* includes gmp.h */
+ 
+-int
+-_gnutls_ecdsa_compute_k (mpz_t k,
+-			 gnutls_ecc_curve_t curve,
+-			 const mpz_t x,
+-			 gnutls_mac_algorithm_t mac,
+-			 const uint8_t *digest,
+-			 size_t length);
+int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve);
+ 
+ #endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 588e9df502..b19fe3804a 100644
+--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
+@@ -102,10 +102,16 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data)
+ 	}
+ }
+ 
+-static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
+static void rnd_datum_func(void *ctx, size_t length, uint8_t *data)
+ {
+-	mpz_t *k = _ctx;
+-	nettle_mpz_get_str_256 (length, data, *k);
+	gnutls_datum_t *d = ctx;
+
+	if (length > d->size) {
+		memset(data, 0, length - d->size);
+		memcpy(data + (length - d->size), d->data, d->size);
+	} else {
+		memcpy(data, d->data, length);
+	}
+ }
+ 
+ static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
+@@ -976,7 +982,10 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 			struct dsa_signature sig;
+ 			int curve_id = pk_params->curve;
+ 			const struct ecc_curve *curve;
+-			mpz_t k;
+			mpz_t q;
+			/* 521-bit elliptic curve generator at maximum */
+			uint8_t buf[(521 + 7) / 8];
+			gnutls_datum_t k = { NULL, 0 };
+ 			void *random_ctx;
+ 			nettle_random_func *random_func;
+ 
+@@ -1005,19 +1014,32 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 				hash_len = vdata->size;
+ 			}
+ 
+-			mpz_init(k);
+			mpz_init(q);
+
+ 			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
+ 			    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
+-				ret = _gnutls_ecdsa_compute_k(k,
+-							      curve_id,
+-							      pk_params->params[ECC_K],
+-							      DIG_TO_MAC(sign_params->dsa_dig),
+-							      vdata->data,
+-							      vdata->size);
+				mp_limb_t h[DSA_COMPUTE_K_ITCH];
+
+				ret = _gnutls_ecc_curve_to_dsa_q(q, curve_id);
+ 				if (ret < 0)
+ 					goto ecdsa_cleanup;
+
+				ret = _gnutls_dsa_compute_k(
+					h, mpz_limbs_read(q), priv.p,
+					ecc_size(priv.ecc), ecc_bit_size(priv.ecc),
+					DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
+					vdata->size);
+				if (ret < 0)
+					goto ecdsa_cleanup;
+
+				k.data = buf;
+				k.size = (ecc_bit_size(priv.ecc) + 7) / 8;
+
+				_gnutls_ecdsa_compute_k_finish(k.data, k.size, h,
+							       ecc_size(priv.ecc));
+
+ 				random_ctx = &k;
+-				random_func = rnd_mpz_func;
+				random_func = rnd_datum_func;
+ 			} else {
+ 				random_ctx = NULL;
+ 				random_func = rnd_nonce_func;
+@@ -1038,7 +1060,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+  ecdsa_cleanup:
+ 			dsa_signature_clear(&sig);
+ 			ecc_scalar_zclear(&priv);
+-			mpz_clear(k);
+			mpz_clear(q);
+ 
+ 			if (ret < 0) {
+ 				gnutls_assert();
+@@ -1051,7 +1073,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 			struct dsa_params pub;
+ 			bigint_t priv;
+ 			struct dsa_signature sig;
+-			mpz_t k;
+			/* 512-bit DSA subgroup at maximum */
+			uint8_t buf[(512 + 7) / 8];
+			gnutls_datum_t k = { NULL, 0 };
+ 			void *random_ctx;
+ 			nettle_random_func *random_func;
+ 
+@@ -1074,21 +1098,27 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 				hash_len = vdata->size;
+ 			}
+ 
+-			mpz_init(k);
+ 			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
+ 			    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
+-				ret = _gnutls_dsa_compute_k(k,
+-							    pub.q,
+-							    TOMPZ(priv),
+-							    DIG_TO_MAC(sign_params->dsa_dig),
+-							    vdata->data,
+-							    vdata->size);
+				mp_limb_t h[DSA_COMPUTE_K_ITCH];
+
+				ret = _gnutls_dsa_compute_k(
+					h, mpz_limbs_read(pub.q),
+					mpz_limbs_read(TOMPZ(priv)), mpz_size(pub.q),
+					mpz_sizeinbase(pub.q, 2),
+					DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
+					vdata->size);
+ 				if (ret < 0)
+ 					goto dsa_fail;
+-				/* cancel-out dsa_sign's addition of 1 to random data */
+-				mpz_sub_ui (k, k, 1);
+
+				k.data = buf;
+				k.size = (mpz_sizeinbase(pub.q, 2) + 7) / 8;
+
+				_gnutls_dsa_compute_k_finish(k.data, k.size, h,
+							     mpz_size(pub.q));
+
+ 				random_ctx = &k;
+-				random_func = rnd_mpz_func;
+				random_func = rnd_datum_func;
+ 			} else {
+ 				random_ctx = NULL;
+ 				random_func = rnd_nonce_func;
+@@ -1108,7 +1138,6 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 
+  dsa_fail:
+ 			dsa_signature_clear(&sig);
+-			mpz_clear(k);
+ 
+ 			if (ret < 0) {
+ 				gnutls_assert();
+diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
+index 6e907288ee..25aa553a59 100644
+--- a/tests/sign-verify-deterministic.c
+++ b/tests/sign-verify-deterministic.c
+@@ -197,7 +197,7 @@ void doit(void)
+ 					      &signature);
+ 		if (ret < 0)
+ 			testfail("gnutls_pubkey_verify_data2\n");
+-		success(" - pass");
+		success(" - pass\n");
+ 
+ 	next:
+ 		gnutls_free(signature.data);
+-- 
+2.44.0
+
--- a/SOURCES/gnutls-3.6.16-doc-p11tool-ckaid.patch
+++ b/SOURCES/gnutls-3.6.16-doc-p11tool-ckaid.patch
@ -0,0 +1,14 @@
+--- gnutls-3.7.2/doc/manpages/p11tool.1	2021-05-29 10:15:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1	2021-06-28 09:35:23.000000000 +0200
+@@ -230,8 +230,9 @@
+ .NOP \f\*[B-Font]\-\-write\f[]
+ Writes the loaded objects to a PKCS #11 token.
+ .sp
+-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
+-    one of \--load-privkey, \--load-pubkey, \--load-certificate option.
+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of \--load-privkey, \--load-pubkey, \--load-certificate option.
+.sp
+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
+ .TP
+ .NOP \f\*[B-Font]\-\-delete\f[]
+ Deletes the objects matching the given PKCS #11 URL.
--- a/SOURCES/gnutls-3.6.16-pkcs7-verify.patch
+++ b/SOURCES/gnutls-3.6.16-pkcs7-verify.patch
@ -0,0 +1,266 @@
+From e5dc27d1a457d1b3abc0582cd133910dff0fc309 Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Fri, 22 Jul 2022 12:00:11 +0200
+Subject: [PATCH] Fix double free during gnutls_pkcs7_verify
+
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+---
+ .gitignore                       |   1 +
+ lib/x509/pkcs7.c                 |   3 +-
+ tests/Makefile.am                |   3 +-
+ tests/pkcs7-verify-double-free.c | 215 +++++++++++++++++++++++++++++++
+ 4 files changed, 220 insertions(+), 2 deletions(-)
+ create mode 100644 tests/pkcs7-verify-double-free.c
+
+diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
+index 0ff55ba04b..878f867862 100644
+--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
+@@ -1318,7 +1318,8 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl,
+ 				issuer = find_verified_issuer_of(pkcs7, issuer, purpose, vflags);
+ 
+ 				if (issuer != NULL && gnutls_x509_crt_check_issuer(issuer, issuer)) {
+-					if (prev) gnutls_x509_crt_deinit(prev);
+					if (prev && prev != signer)
+						gnutls_x509_crt_deinit(prev);
+ 					prev = issuer;
+ 					break;
+ 				}
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index b04cb081b4..0563d3c754 100644
+--- a/tests/Makefile.am
+++ b/tests/Makefile.am
+@@ -220,7 +220,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
+ 	 sign-verify-newapi sign-verify-deterministic iov aead-cipher-vec \
+ 	 tls13-without-timeout-func buffer status-request-revoked \
+ 	 set_x509_ocsp_multi_cli kdf-api keylog-func \
+-	 dtls_hello_random_value tls_hello_random_value x509cert-dntypes
+	 dtls_hello_random_value tls_hello_random_value x509cert-dntypes \
+	 pkcs7-verify-double-free
+ 
+ if HAVE_SECCOMP_TESTS
+ ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
+diff --git a/tests/pkcs7-verify-double-free.c b/tests/pkcs7-verify-double-free.c
+new file mode 100644
+index 0000000000..fadf307829
+--- /dev/null
+++ b/tests/pkcs7-verify-double-free.c
+@@ -0,0 +1,215 @@
+/*
+ * Copyright (C) 2022 Red Hat, Inc.
+ *
+ * Author: Zoltan Fridrich
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <gnutls/pkcs7.h>
+#include <gnutls/x509.h>
+
+#include "utils.h"
+
+static char rca_pem[] =
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
+	"cGxlIENBMCAXDTE3MDcyMTE0NDMzNloYDzIyMjIwNzIxMTQ0MzM2WjAVMRMwEQYD\n"
+	"VQQKDApFeGFtcGxlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n"
+	"v8hnKPJ/IA0SQB/A/a0Uh+npZ67vsgIMrtTQo0r0kJkmkBz5323xO3DVuJfB3QmX\n"
+	"v9zvoeCQLuDvWar5Aixfxgm6s5Q+yPvJj9t3NebDrU+Y4+qyewBIJUF8EF/5iBPC\n"
+	"ZHONmzbfIRWvQWGGgb2CRcOHp2J7AY/QLB6LsWPaLjs/DHva28Q13JaTTHIpdu8v\n"
+	"t6vHr0nXf66DN4MvtoF3N+o+v3snJCMsfXOqASi4tbWR7gtOfCfiz9uBjh0W2Dut\n"
+	"/jclBQkJkLe6esNSM+f4YiOpctVDjmfj8yoHCp394vt0wFqhG38wsTFAyVP6qIcf\n"
+	"5zoSu9ovEt2cTkhnZHjiiwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud\n"
+	"DwEB/wQEAwIBBjAdBgNVHQ4EFgQUhjeO6Uc5imbjOl2I2ltVA27Hu9YwHwYDVR0j\n"
+	"BBgwFoAUhjeO6Uc5imbjOl2I2ltVA27Hu9YwDQYJKoZIhvcNAQELBQADggEBAD+r\n"
+	"i/7FsbG0OFKGF2+JOnth6NjJQcMfM8LiglqAuBUijrv7vltoZ0Z3FJH1Vi4OeMXn\n"
+	"l7X/9tWUve0uFl75MfjDrf0+lCEdYRY1LCba2BrUgpbbkLywVUdnbsvndehegCgS\n"
+	"jss2/zys3Hlo3ZaHlTMQ/NQ4nrxcxkjOvkZSEOqgxJTLpzm6pr7YUts4k6c6lNiB\n"
+	"FSiJiDzsJCmWR9C3fBbUlfDfTJYGN3JwqX270KchXDElo8gNoDnF7jBMpLFFSEKm\n"
+	"MyfbNLX/srh+CEfZaN/OZV4A3MQ0L8vQEp6M4CJhvRLIuMVabZ2coJ0AzystrOMU\n"
+	"LirBWjg89RoAjFQ7bTE=\n"
+	"-----END CERTIFICATE-----\n";
+
+static char ca_pem[] =
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
+	"cGxlIENBMCAXDTE3MDcyMTE0NDQzNFoYDzIyMjIwNzIxMTQ0NDM0WjAiMSAwHgYD\n"
+	"VQQKDBdFeGFtcGxlIGludGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD\n"
+	"ggEPADCCAQoCggEBAKb9ACB8u//sP6MfNU1OsVw68xz3eTPLgKxS0vpqexm6iGVg\n"
+	"ug/o9uYRLzqiEukv/eyz9WzHmY7sqlOJjOFdv92+SaNg79Jc51WHPFXgea4/qyfr\n"
+	"4y14PGs0SNxm6T44sXurUs7cXydQVUgnq2VCaWFOTUdxXoAWkV8r8GaUoPD/klVz\n"
+	"RqxSZVETmX1XBKhsMnnov41kRwVph2C+VfUspsbaUZaz/o/S1/nokhXRACzKsMBr\n"
+	"obqiGxbY35uVzsmbAW5ErhQz98AWJL3Bub1fsEMXg6OEMmPH4AtX888dTIYZNw0E\n"
+	"bUIESspz1kjJQTtVQDHTprhwz16YiSVeUonlLgMCAwEAAaNjMGEwDwYDVR0TAQH/\n"
+	"BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPBjxDWjMhjXERirKF9O\n"
+	"o/5Cllc5MB8GA1UdIwQYMBaAFIY3julHOYpm4zpdiNpbVQNux7vWMA0GCSqGSIb3\n"
+	"DQEBCwUAA4IBAQCTm+vv3hBa6lL5IT+Fw8aTxQ2Ne7mZ5oyazhvXYwwfKNMX3SML\n"
+	"W2JdPaL64ZwbxxxYvW401o5Z0CEgru3YFrsqB/hEdl0Uf8UWWJmE1rRa+miTmbjt\n"
+	"lrLNCWdrs6CiwvsPITTHg7jevB4KyZYsTSxQFcyr3N3xF+6EmOTC4IkhPPnXYXcp\n"
+	"248ih+WOavSYoRvzgB/Dip1WnPYU2mfIV3O8JReRryngA0TzWCLPLUoWR3R4jwtC\n"
+	"+1uSLoqaenz3qv3F1WEbke37az9YJuXx/5D8CqFQiZ62TUUtI6fYd8mkMBM4Qfh6\n"
+	"NW9XrCkI9wlpL5K9HllhuW0BhKeJkuPpyQ2p\n"
+	"-----END CERTIFICATE-----\n";
+
+static char ee_pem[] =
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdFeGFt\n"
+	"cGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzdaGA8yMjIyMDcyMTE0\n"
+	"NDUzN1owFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEBBQAD\n"
+	"ggEPADCCAQoCggEBAMb1uuxppBFY+WVD45iyHUq7DkIJNNOI/JRaybVJfPktWq2E\n"
+	"eNe7XhV05KKnqZTbDO2iYqNHqGhZ8pz/IstDRTZP3z/q1vXTG0P9Gx28rEy5TaUY\n"
+	"QjtD+ZoFUQm0ORMDBjd8jikqtJ87hKeuOPMH4rzdydotMaPQSm7KLzHBGBr6gg7z\n"
+	"g1IxPWkhMyHapoMqqrhjwjzoTY97UIXpZTEoIA+KpEC8f9CciBtL0i1MPBjWozB6\n"
+	"Jma9q5iEwZXuRr3cnPYeIPlK2drgDZCMuSFcYiT8ApLw5OhKqY1m2EvfZ2ox2s9R\n"
+	"68/HzYdPi3kZwiNEtlBvMlpt5yKBJAflp76d7DkCAwEAAaNuMGwwCwYDVR0PBAQD\n"
+	"AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUc+Mi\n"
+	"kr8WMCk00SQo+P2iggp/oQkwHwYDVR0jBBgwFoAU8GPENaMyGNcRGKsoX06j/kKW\n"
+	"VzkwDQYJKoZIhvcNAQELBQADggEBAKU9+CUR0Jcfybd1+8Aqgh1RH96yQygnVuyt\n"
+	"Na9rFz4fM3ij9tGXDHXrkZw8bW1dWLU9quu8zeTxKxc3aiDIw739Alz0tukttDo7\n"
+	"dW7YqIb77zsIsWB9p7G9dlxT6ieUy+5IKk69BbeK8KR0vAciAG4KVQxPhuPy/LGX\n"
+	"PzqlJIJ4h61s3UOroReHPB1keLZgpORqrvtpClOmABH9TLFRJA/WFg8Q2XYB/p0x\n"
+	"l/pWiaoBC+8wK9cDoMUK5yOwXeuCLffCb+UlAD0+z/qxJ2pisE8E9X8rRKRrWI+i\n"
+	"G7LtJCEn86EQK8KuRlJxKgj8lClZhoULB0oL4jbblBuNow9WRmM=\n"
+	"-----END CERTIFICATE-----\n";
+
+static char msg_pem[] =
+	"-----BEGIN PKCS7-----\n"
+	"MIIK2QYJKoZIhvcNAQcCoIIKyjCCCsYCAQExDTALBglghkgBZQMEAgEwCwYJKoZI\n"
+	"hvcNAQcBoIIJTzCCAwowggHyoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwFTETMBEG\n"
+	"A1UECgwKRXhhbXBsZSBDQTAgFw0xNzA3MjExNDQzMjFaGA8yMjIyMDcyMTE0NDMy\n"
+	"MVowFTETMBEGA1UECgwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n"
+	"ADCCAQoCggEBAL51eyE4j8wAKQKMGlO9HEY2iaGvsdPSJmidSdmCi1jnNK39Lx4Y\n"
+	"31h279hSHF5wtI6VM91HHfeLf1mjEZHlKrXXJQzBPLpbHWapD778drHBitOP8e56\n"
+	"fDMIfofLV4tkMk8690vPe4cJH1UHGspMyz6EQF9kPRaW80XtMV/6dalgL/9Esmaw\n"
+	"XBNPJAS1VutDuXQkJ/3/rWFLmkpYHHtGPjX782YRmT1s+VOVTsLqmKx0TEL8A381\n"
+	"bbElHPUAMjPcyWR5qqA8KWnS5Dwqk3LwI0AvuhQytCq0S7Xl4DXauvxwTRXv0UU7\n"
+	"W8r3MLAw9DnlnJiD/RFjw5rbGO3wMePk/qUCAwEAAaNjMGEwDwYDVR0TAQH/BAUw\n"
+	"AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIh2KRoKJoe2VtpOwWMkRAkR\n"
+	"mLWKMB8GA1UdIwQYMBaAFIh2KRoKJoe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEB\n"
+	"CwUAA4IBAQBovvlOjoy0MCT5U0eWfcPQQjY4Ssrn3IiPNlVkqSNo+FHX+2baTLVQ\n"
+	"5QTHxwXwzdIJiwtjFWDdGEQXqmuIvnFG+u/whGbeg6oQygfnQ5Y+q6epOxCsPgLQ\n"
+	"mKKEaF7mvh8DauUx4QSbYCNGCctOZuB1vlN9bJ3/5QbH+2pFPOfCr5CAyPDwHo6S\n"
+	"qO3yPcutRwT9xS7gXEHM9HhLp+DmdCGh4eVBPiFilyZm1d92lWxU8oxoSfXgzDT/\n"
+	"GCzlMykNZNs4JD9QmiRClP/3U0dQbOhah/Fda+N+L90xaqEgGcvwKKZa3pzo59pl\n"
+	"BbkcIP4YPyHeinwkgAn5UVJg9DOxNCS0MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG\n"
+	"9w0BAQsFADAVMRMwEQYDVQQKDApFeGFtcGxlIENBMCAXDTE3MDcyMTE0NDQxM1oY\n"
+	"DzIyMjIwNzIxMTQ0NDEzWjAiMSAwHgYDVQQKDBdFeGFtcGxlIGludGVybWVkaWF0\n"
+	"ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPFDEvDANwvhviu\n"
+	"pwXTvaKyxyX94jVu1wgAhIRyQBVRiMbrn8MEufLG8oA0vKd8s92gv/lWe1jFb2rn\n"
+	"91jMkZWsjWjiJFD6SzqFfBo+XxOGikEqO1MAf92UqavmSGlXVRG1Vy7T7dWibZP0\n"
+	"WODhHYWayR0Y6owSz5IqNfrHXzDME+lSJxHgRFI7pK+b0OgiVmvyXDKFPvyU6GrP\n"
+	"lxXDi/XbjyPvC5gpiwtTgm+s8KERwmdlfZUNjkh2PpHx1g1joijHT3wIvO/Pek1E\n"
+	"C+Xs6w3XxGgL6TTL7FDuv4AjZVX9KK66/yBhX3aN8bkqAg+hs9XNk3zzWC0XEFOS\n"
+	"Qoh2va0CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
+	"HQYDVR0OBBYEFHwi/7dUWGjkMWJctOm7MCjjQj1cMB8GA1UdIwQYMBaAFIh2KRoK\n"
+	"Joe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEBCwUAA4IBAQCF6sHCBdYRwBwvfCve\n"
+	"og9cPnmPqZrG4AtmSvtoSsMvgvKb/4z3/gG8oPtTBkeRcAHoMoEp/oA+B2ylwIAc\n"
+	"S5U7jx+lYH/Pqih0X/OcOLbaMv8uzGSGQxk+L9LuuIT6E/THfRRIPEvkDkzC+/uk\n"
+	"7vUbG17bSEWeF0o/6sjzAY2aH1jnbCDyu0UC78GXkc6bZ5QlH98uLMDMrOmqcZjS\n"
+	"JFfvuRDQyKV5yBdBkYaobsIWSQDsgYxJzf/2y8c3r+HXqT+jhrXPWJ3btgMPxpu7\n"
+	"E8KmoFgp9EM+48oYlXJ66rk08/KjaVmgN7R+Hm3e2+MFT2kme4fBKalLjcazTe3x\n"
+	"0FisMIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdF\n"
+	"eGFtcGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzBaGA8yMjIyMDcy\n"
+	"MTE0NDUzMVowFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEB\n"
+	"BQADggEPADCCAQoCggEBAMjhSqhdD5RjmOm6W3hG7zkgKBP9whRN/SipcdEMlkgc\n"
+	"F/U3QMu66qIfKwheNdWalC1JLtruLDWP92ysa6Vw+CCG8aSax1AgB//RKQB7kgPA\n"
+	"9js9hi/oCdBmCv2HJxhWSLz+MVoxgzW4C7S9FenI+btxe/99Uw4nOw7kwjsYDLKr\n"
+	"tMw8myv7aCW/63CuBYGtohiZupM3RI3kKFcZots+KRPLlZpjv+I2h9xSln8VxKNb\n"
+	"XiMrYwGfHB7iX7ghe1TvFjKatEUhsqa7AvIq7nfe/cyq97f0ODQO814njgZtk5iQ\n"
+	"JVavXHdhTVaypt1HdAFMuHX5UATylHxx9tRCgSIijUsCAwEAAaNuMGwwCwYDVR0P\n"
+	"BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQU\n"
+	"31+vHl4E/2Jpnwinbzf+d7usshcwHwYDVR0jBBgwFoAUfCL/t1RYaOQxYly06bsw\n"
+	"KONCPVwwDQYJKoZIhvcNAQELBQADggEBAAWe63DcNwmleQ3INFGDJZ/m2I/R/cBa\n"
+	"nnrxgR5Ey1ljHdA/x1z1JLTGmGVwqGExs5DNG9Q//Pmc9pZ1yPa8J4Xf8AvFcmkY\n"
+	"mWoH1HvW0xu/RF1UN5SAoD2PRQ+Vq4OSPD58IlEu/u4o1wZV7Wl91Cv6VNpiAb63\n"
+	"j9PA1YacOpOtcRqG59Vuj9HFm9f30ejHVo2+KJcpo290cR3Zg4fOm8mtjeMdt/QS\n"
+	"Atq+RqPAQ7yxqvEEv8zPIZj2kAOQm3mh/yYqBrR68lQUD/dBTP7ApIZkhUK3XK6U\n"
+	"nf9JvoF6Fn2+Cnqb//FLBgHSnoeqeQNwDLUXTsD02iYxHzJrhokSY4YxggFQMIIB\n"
+	"TAIBATAnMCIxIDAeBgNVBAoMF0V4YW1wbGUgaW50ZXJtZWRpYXRlIENBAgEBMAsG\n"
+	"CWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQATHg6wNsBcs/Ub1GQfKwTpKCk5\n"
+	"8QXuNnZ0u7b6mKgrSY2Gf47fpL2aRgaR+BAQncbctu5EH/IL38pWjaGtOhFAj/5q\n"
+	"7luVQW11kuyJN3Bd/dtLqawWOwMmAIEigw6X50l5ZHnEVzFfxt+RKTNhk4XWVtbi\n"
+	"2iIlITOplW0rnvxYAwCxKL9ocaB7etK8au7ixMxbFp75Ts4iLX8dhlAFdCuFCk8k\n"
+	"B8mi9HHuwr3QYRqMPW61hu1wBL3yB8eoZNOwPXb0gkIh6ZvgptxgQzm/cc+Iw9fP\n"
+	"QkR0fTM7ElJ5QZmSV98AUbZDHmDvpmcjcUxfSPMc3IoT8T300usRu7QHqKJi\n"
+	"-----END PKCS7-----\n";
+
+const gnutls_datum_t rca_datum = { (void *)rca_pem, sizeof(rca_pem) - 1 };
+const gnutls_datum_t ca_datum = { (void *)ca_pem, sizeof(ca_pem) - 1 };
+const gnutls_datum_t ee_datum = { (void *)ee_pem, sizeof(ee_pem) - 1 };
+const gnutls_datum_t msg_datum = { (void *)msg_pem, sizeof(msg_pem) - 1 };
+
+static void tls_log_func(int level, const char *str)
+{
+	fprintf(stderr, "%s |<%d>| %s", "err", level, str);
+}
+
+#define CHECK(X)\
+{\
+	r = X;\
+	if (r < 0)\
+		fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\
+}\
+
+void doit(void)
+{
+	int r;
+	gnutls_x509_crt_t rca_cert = NULL;
+	gnutls_x509_crt_t ca_cert = NULL;
+	gnutls_x509_crt_t ee_cert = NULL;
+	gnutls_x509_trust_list_t tlist = NULL;
+	gnutls_pkcs7_t pkcs7 = NULL;
+	gnutls_datum_t data = { (unsigned char *)"xxx", 3 };
+
+	if (debug) {
+		gnutls_global_set_log_function(tls_log_func);
+		gnutls_global_set_log_level(4711);
+	}
+
+	// Import certificates
+	CHECK(gnutls_x509_crt_init(&rca_cert));
+	CHECK(gnutls_x509_crt_import(rca_cert, &rca_datum, GNUTLS_X509_FMT_PEM));
+	CHECK(gnutls_x509_crt_init(&ca_cert));
+	CHECK(gnutls_x509_crt_import(ca_cert, &ca_datum, GNUTLS_X509_FMT_PEM));
+	CHECK(gnutls_x509_crt_init(&ee_cert));
+	CHECK(gnutls_x509_crt_import(ee_cert, &ee_datum, GNUTLS_X509_FMT_PEM));
+
+	// Setup trust store
+	CHECK(gnutls_x509_trust_list_init(&tlist, 0));
+	CHECK(gnutls_x509_trust_list_add_named_crt(tlist, rca_cert, "rca", 3, 0));
+	CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ca_cert, "ca", 2, 0));
+	CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ee_cert, "ee", 2, 0));
+
+	// Setup pkcs7 structure
+	CHECK(gnutls_pkcs7_init(&pkcs7));
+	CHECK(gnutls_pkcs7_import(pkcs7, &msg_datum, GNUTLS_X509_FMT_PEM));
+
+	// Signature verification
+	gnutls_pkcs7_verify(pkcs7, tlist, NULL, 0, 0, &data, 0);
+
+	gnutls_x509_crt_deinit(rca_cert);
+	gnutls_x509_crt_deinit(ca_cert);
+	gnutls_x509_crt_deinit(ee_cert);
+	gnutls_x509_trust_list_deinit(tlist, 0);
+	gnutls_pkcs7_deinit(pkcs7);
+}
+-- 
+2.37.2
+
--- a/SOURCES/gnutls-3.6.16-rehandshake-tickets.patch
+++ b/SOURCES/gnutls-3.6.16-rehandshake-tickets.patch
@ -0,0 +1,242 @@
+From 9b50d94bf1c8e749d7dfc593c89e689a161444ae Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 26 Jun 2023 09:30:03 +0200
+Subject: [PATCH] gnutls-3.6.16-rehandshake-tickets.patch
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ lib/ext/session_ticket.c         |   6 ++
+ lib/ext/session_ticket.h         |   1 +
+ lib/libgnutls.map                |   2 +
+ lib/state.c                      |   1 +
+ tests/Makefile.am                |   3 +-
+ tests/tls12-rehandshake-ticket.c | 152 +++++++++++++++++++++++++++++++
+ 6 files changed, 164 insertions(+), 1 deletion(-)
+ create mode 100644 tests/tls12-rehandshake-ticket.c
+
+diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
+index 8f22462..8d83a6c 100644
+--- a/lib/ext/session_ticket.c
+++ b/lib/ext/session_ticket.c
+@@ -618,6 +618,12 @@ gnutls_session_ticket_enable_server(gnutls_session_t session,
+ 	return 0;
+ }
+ 
+void
+_gnutls_session_ticket_disable_server(gnutls_session_t session)
+{
+	session->internals.flags |= GNUTLS_NO_TICKETS;
+}
+
+ /*
+  * Return zero if session tickets haven't been enabled.
+  */
+diff --git a/lib/ext/session_ticket.h b/lib/ext/session_ticket.h
+index da804ec..660c9d3 100644
+--- a/lib/ext/session_ticket.h
+++ b/lib/ext/session_ticket.h
+@@ -36,5 +36,6 @@ int _gnutls_encrypt_session_ticket(gnutls_session_t session,
+ int _gnutls_decrypt_session_ticket(gnutls_session_t session,
+ 				   const gnutls_datum_t *ticket_data,
+ 				   gnutls_datum_t *state);
+void _gnutls_session_ticket_disable_server(gnutls_session_t session);
+ 
+ #endif /* GNUTLS_LIB_EXT_SESSION_TICKET_H */
+diff --git a/lib/libgnutls.map b/lib/libgnutls.map
+index d2f7c0a..6748b3a 100644
+--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
+@@ -1432,4 +1432,6 @@ GNUTLS_PRIVATE_3_4 {
+ 	_gnutls_buffer_unescape;
+ 	_gnutls_buffer_pop_datum;
+ 	_gnutls_buffer_clear;
+	# needed by tests/tls12-rehandshake-cert-ticket
+	_gnutls_session_ticket_disable_server;
+ } GNUTLS_3_4;
+diff --git a/lib/state.c b/lib/state.c
+index 817a7b8..f1e9daa 100644
+--- a/lib/state.c
+++ b/lib/state.c
+@@ -452,6 +452,7 @@ void _gnutls_handshake_internal_state_clear(gnutls_session_t session)
+ 	session->internals.tfo.connect_addrlen = 0;
+ 	session->internals.tfo.connect_only = 0;
+ 	session->internals.early_data_received = 0;
+	session->internals.session_ticket_renew = 0;
+ }
+ 
+ /**
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 0563d3c..7c5f5c4 100644
+--- a/tests/Makefile.am
+++ b/tests/Makefile.am
+@@ -221,7 +221,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
+ 	 tls13-without-timeout-func buffer status-request-revoked \
+ 	 set_x509_ocsp_multi_cli kdf-api keylog-func \
+ 	 dtls_hello_random_value tls_hello_random_value x509cert-dntypes \
+-	 pkcs7-verify-double-free
+	 pkcs7-verify-double-free \
+	 tls12-rehandshake-ticket
+ 
+ if HAVE_SECCOMP_TESTS
+ ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
+diff --git a/tests/tls12-rehandshake-ticket.c b/tests/tls12-rehandshake-ticket.c
+new file mode 100644
+index 0000000..f96e46e
+--- /dev/null
+++ b/tests/tls12-rehandshake-ticket.c
+@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) 2022 Red Hat, Inc.
+ *
+ * Author: Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <gnutls/gnutls.h>
+#include <assert.h>
+#include "cert-common.h"
+
+#include "utils.h"
+#include "eagain-common.h"
+
+const char *side = "";
+
+static void tls_log_func(int level, const char *str)
+{
+	fprintf(stderr, "%s|<%d>| %s", side, level, str);
+}
+
+#define MAX_BUF 1024
+
+void _gnutls_session_ticket_disable_server(gnutls_session_t session);
+
+static void run(void)
+{
+	char buffer[MAX_BUF + 1];
+	/* Server stuff. */
+	gnutls_certificate_credentials_t scred;
+	gnutls_session_t server;
+	gnutls_datum_t session_ticket_key = { NULL, 0 };
+	int sret;
+	/* Client stuff. */
+	gnutls_certificate_credentials_t ccred;
+	gnutls_session_t client;
+	int cret;
+
+	/* General init. */
+	global_init();
+	gnutls_global_set_log_function(tls_log_func);
+	if (debug)
+		gnutls_global_set_log_level(9);
+
+	/* Init server */
+	assert(gnutls_certificate_allocate_credentials(&scred) >= 0);
+	assert(gnutls_certificate_set_x509_key_mem(scred,
+						   &server_ca3_localhost_cert,
+						   &server_ca3_key,
+						   GNUTLS_X509_FMT_PEM) >= 0);
+	assert(gnutls_certificate_set_x509_trust_mem(scred,
+						     &ca3_cert,
+						     GNUTLS_X509_FMT_PEM) >= 0);
+
+	assert(gnutls_init(&server, GNUTLS_SERVER) >= 0);
+	gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
+	assert(gnutls_priority_set_direct(server,
+					  "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2",
+					  NULL) >= 0);
+
+	gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
+	gnutls_transport_set_push_function(server, server_push);
+	gnutls_transport_set_pull_function(server, server_pull);
+	gnutls_transport_set_ptr(server, server);
+
+	gnutls_session_ticket_key_generate(&session_ticket_key);
+	gnutls_session_ticket_enable_server(server, &session_ticket_key);
+
+	/* Init client */
+	assert(gnutls_certificate_allocate_credentials(&ccred) >= 0);
+	assert(gnutls_certificate_set_x509_key_mem
+	       (ccred, &cli_ca3_cert_chain, &cli_ca3_key, GNUTLS_X509_FMT_PEM) >= 0);
+	assert(gnutls_certificate_set_x509_trust_mem
+	       (ccred, &ca3_cert, GNUTLS_X509_FMT_PEM) >= 0);
+
+	gnutls_init(&client, GNUTLS_CLIENT);
+	assert(gnutls_priority_set_direct(client,
+					  "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2",
+					  NULL) >= 0);
+
+	assert(gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred) >= 0);
+
+	gnutls_transport_set_push_function(client, client_push);
+	gnutls_transport_set_pull_function(client, client_pull);
+	gnutls_transport_set_ptr(client, client);
+
+	HANDSHAKE(client, server);
+
+	/* Server initiates rehandshake */
+	switch_side("server");
+	sret = gnutls_rehandshake(server);
+	if (sret < 0) {
+		fail("Error sending %d byte packet: %s\n",
+		     (int)sizeof(buffer), gnutls_strerror(sret));
+	} else if (debug)
+		success("server: starting rehandshake\n");
+
+	/* Stop sending session ticket */
+	_gnutls_session_ticket_disable_server(server);
+
+	/* Client gets notified with rehandshake */
+	switch_side("client");
+	do {
+		do {
+			cret = gnutls_record_recv(client, buffer, MAX_BUF);
+		} while (cret == GNUTLS_E_AGAIN || cret == GNUTLS_E_INTERRUPTED);
+	} while (cret > 0);
+
+	if (cret != GNUTLS_E_REHANDSHAKE) {
+		fail("client: Error receiving rehandshake: %s\n",
+		     gnutls_strerror(cret));
+	}
+
+	HANDSHAKE(client, server);
+
+	gnutls_bye(client, GNUTLS_SHUT_WR);
+	gnutls_bye(server, GNUTLS_SHUT_WR);
+
+	gnutls_deinit(client);
+	gnutls_deinit(server);
+
+	gnutls_certificate_free_credentials(scred);
+	gnutls_certificate_free_credentials(ccred);
+
+	gnutls_free(session_ticket_key.data);
+
+	gnutls_global_deinit();
+	reset_buffers();
+}
+
+void doit(void)
+{
+	run();
+}
+-- 
+2.41.0
+
--- a/SOURCES/gnutls-3.6.16-rsa-psk-timing-followup.patch
+++ b/SOURCES/gnutls-3.6.16-rsa-psk-timing-followup.patch
@ -0,0 +1,121 @@
+From fe912c5dba49dcecbd5c32bf8184e60a949af452 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 10 Jan 2024 19:13:17 +0900
+Subject: [PATCH] rsa-psk: minimize branching after decryption
+
+This moves any non-trivial code between gnutls_privkey_decrypt_data2
+and the function return in _gnutls_proc_rsa_psk_client_kx up until the
+decryption.  This also avoids an extra memcpy to session->key.key.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
+ 1 file changed, 35 insertions(+), 33 deletions(-)
+
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 93c2dc9998..8f3fe5a4bd 100644
+--- a/lib/auth/rsa_psk.c
+++ b/lib/auth/rsa_psk.c
+@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	int ret, dsize;
+ 	ssize_t data_size = _data_size;
+ 	gnutls_psk_server_credentials_t cred;
+-	gnutls_datum_t premaster_secret = { NULL, 0 };
+ 	volatile uint8_t ver_maj, ver_min;
+ 
+ 	cred = (gnutls_psk_server_credentials_t)
+@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	ver_maj = _gnutls_get_adv_version_major(session);
+ 	ver_min = _gnutls_get_adv_version_minor(session);
+ 
+-	premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+-	if (premaster_secret.data == NULL) {
+	/* Find the key of this username. A random value will be
+	 * filled in if the key is not found.
+	 */
+	ret =
+	    _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
+	if (ret < 0)
+		return gnutls_assert_val(ret);
+
+	/* Allocate memory for premaster secret, and fill in the
+	 * fields except the decryption result.
+	 */
+	session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
+	session->key.key.data = gnutls_malloc(session->key.key.size);
+	if (session->key.key.data == NULL) {
+ 		gnutls_assert();
+		_gnutls_free_key_datum(&pwd_psk);
+		/* No need to zeroize, as the secret is not copied in yet */
+		_gnutls_free_datum(&session->key.key);
+ 		return GNUTLS_E_MEMORY_ERROR;
+ 	}
+-	premaster_secret.size = GNUTLS_MASTER_SIZE;
+ 
+ 	/* Fallback value when decryption fails. Needs to be unpredictable. */
+-	ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+-			 premaster_secret.size);
+	ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
+			 GNUTLS_MASTER_SIZE);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+-		goto cleanup;
+		_gnutls_free_key_datum(&pwd_psk);
+		/* No need to zeroize, as the secret is not copied in yet */
+		_gnutls_free_datum(&session->key.key);
+		return ret;
+ 	}
+ 
+	_gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
+	_gnutls_write_uint16(pwd_psk.size,
+			     &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
+	memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2],
+	       pwd_psk.data, pwd_psk.size);
+	_gnutls_free_key_datum(&pwd_psk);
+
+ 	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+-				     &ciphertext, premaster_secret.data,
+-				     premaster_secret.size);
+				     &ciphertext, session->key.key.data + 2,
+				     GNUTLS_MASTER_SIZE);
+ 	/* After this point, any conditional on failure that cause differences
+ 	 * in execution may create a timing or cache access pattern side
+ 	 * channel that can be used as an oracle, so tread carefully */
+@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	/* This is here to avoid the version check attack
+ 	 * discussed above.
+ 	 */
+-	premaster_secret.data[0] = ver_maj;
+-	premaster_secret.data[1] = ver_min;
+-
+-	/* find the key of this username
+-	 */
+-	ret =
+-	    _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
+-	if (ret < 0) {
+-		gnutls_assert();
+-		goto cleanup;
+-	}
+-
+-	ret =
+-	    set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
+-	if (ret < 0) {
+-		gnutls_assert();
+-		goto cleanup;
+-	}
+	session->key.key.data[2] = ver_maj;
+	session->key.key.data[3] = ver_min;
+ 
+-	ret = 0;
+-      cleanup:
+-	_gnutls_free_key_datum(&pwd_psk);
+-	_gnutls_free_temp_key_datum(&premaster_secret);
+-
+-	return ret;
+	return 0;
+ }
+ 
+ static int
+-- 
+2.43.0
+
--- a/SOURCES/gnutls-3.6.16-rsa-psk-timing.patch
+++ b/SOURCES/gnutls-3.6.16-rsa-psk-timing.patch
@ -0,0 +1,202 @@
+From e007a54432c98618bde500649817d153225abf6b Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 7 Dec 2023 11:52:08 +0900
+Subject: [PATCH] gnutls-3.6.16-rsa-psk-timing.patch
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ lib/auth/rsa.c     |  2 +-
+ lib/auth/rsa_psk.c | 93 +++++++++++++++++-----------------------------
+ lib/gnutls_int.h   |  4 --
+ lib/priority.c     |  1 -
+ 4 files changed, 35 insertions(+), 65 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 858701f..02b6a34 100644
+--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
+@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 				     session->key.key.size);
+ 	/* After this point, any conditional on failure that cause differences
+ 	 * in execution may create a timing or cache access pattern side
+-	 * channel that can be used as an oracle, so treat very carefully */
+	 * channel that can be used as an oracle, so tread carefully */
+ 
+ 	/* Error handling logic:
+ 	 * In case decryption fails then don't inform the peer. Just use the
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 1a9dab5..93c2dc9 100644
+--- a/lib/auth/rsa_psk.c
+++ b/lib/auth/rsa_psk.c
+@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ {
+ 	gnutls_datum_t username;
+ 	psk_auth_info_t info;
+-	gnutls_datum_t plaintext;
+ 	gnutls_datum_t ciphertext;
+ 	gnutls_datum_t pwd_psk = { NULL, 0 };
+ 	int ret, dsize;
+-	int randomize_key = 0;
+ 	ssize_t data_size = _data_size;
+ 	gnutls_psk_server_credentials_t cred;
+ 	gnutls_datum_t premaster_secret = { NULL, 0 };
+	volatile uint8_t ver_maj, ver_min;
+ 
+ 	cred = (gnutls_psk_server_credentials_t)
+ 	    _gnutls_get_cred(session, GNUTLS_CRD_PSK);
+@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	}
+ 	ciphertext.size = dsize;
+ 
+-	ret =
+-	    gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
+-					&ciphertext, &plaintext);
+-	if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
+-		/* In case decryption fails then don't inform
+-		 * the peer. Just use a random key. (in order to avoid
+-		 * attack against pkcs-1 formatting).
+-		 */
+	ver_maj = _gnutls_get_adv_version_major(session);
+	ver_min = _gnutls_get_adv_version_minor(session);
+
+	premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+	if (premaster_secret.data == NULL) {
+ 		gnutls_assert();
+-		_gnutls_debug_log
+-		    ("auth_rsa_psk: Possible PKCS #1 format attack\n");
+-		if (ret >= 0) {
+-			gnutls_free(plaintext.data);
+-		}
+-		randomize_key = 1;
+-	} else {
+-		/* If the secret was properly formatted, then
+-		 * check the version number.
+-		 */
+-		if (_gnutls_get_adv_version_major(session) !=
+-		    plaintext.data[0]
+-		    || (session->internals.allow_wrong_pms == 0
+-			&& _gnutls_get_adv_version_minor(session) !=
+-			plaintext.data[1])) {
+-			/* No error is returned here, if the version number check
+-			 * fails. We proceed normally.
+-			 * That is to defend against the attack described in the paper
+-			 * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
+-			 * Ondej Pokorny and Tomas Rosa.
+-			 */
+-			gnutls_assert();
+-			_gnutls_debug_log
+-			    ("auth_rsa: Possible PKCS #1 version check format attack\n");
+-		}
+		return GNUTLS_E_MEMORY_ERROR;
+ 	}
+	premaster_secret.size = GNUTLS_MASTER_SIZE;
+ 
+-
+-	if (randomize_key != 0) {
+-		premaster_secret.size = GNUTLS_MASTER_SIZE;
+-		premaster_secret.data =
+-		    gnutls_malloc(premaster_secret.size);
+-		if (premaster_secret.data == NULL) {
+-			gnutls_assert();
+-			return GNUTLS_E_MEMORY_ERROR;
+-		}
+-
+-		/* we do not need strong random numbers here.
+-		 */
+-		ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+-				  premaster_secret.size);
+-		if (ret < 0) {
+-			gnutls_assert();
+-			goto cleanup;
+-		}
+-	} else {
+-		premaster_secret.data = plaintext.data;
+-		premaster_secret.size = plaintext.size;
+	/* Fallback value when decryption fails. Needs to be unpredictable. */
+	ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+			 premaster_secret.size);
+	if (ret < 0) {
+		gnutls_assert();
+		goto cleanup;
+ 	}
+ 
+	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+				     &ciphertext, premaster_secret.data,
+				     premaster_secret.size);
+	/* After this point, any conditional on failure that cause differences
+	 * in execution may create a timing or cache access pattern side
+	 * channel that can be used as an oracle, so tread carefully */
+
+	/* Error handling logic:
+	 * In case decryption fails then don't inform the peer. Just use the
+	 * random key previously generated. (in order to avoid attack against
+	 * pkcs-1 formatting).
+	 *
+	 * If we get version mismatches no error is returned either. We
+	 * proceed normally. This is to defend against the attack described
+	 * in the paper "Attacking RSA-based sessions in SSL/TLS" by
+	 * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
+	 */
+
+ 	/* This is here to avoid the version check attack
+ 	 * discussed above.
+ 	 */
+-
+-	premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
+-	premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
+	premaster_secret.data[0] = ver_maj;
+	premaster_secret.data[1] = ver_min;
+ 
+ 	/* find the key of this username
+ 	 */
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index 31cec5c..815f69b 100644
+--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
+@@ -971,7 +971,6 @@ struct gnutls_priority_st {
+ 	bool _no_etm;
+ 	bool _no_ext_master_secret;
+ 	bool _allow_key_usage_violation;
+-	bool _allow_wrong_pms;
+ 	bool _dumbfw;
+ 	unsigned int _dh_prime_bits;	/* old (deprecated) variable */
+ 
+@@ -989,7 +988,6 @@ struct gnutls_priority_st {
+ 	      (x)->no_etm = 1; \
+ 	      (x)->no_ext_master_secret = 1; \
+ 	      (x)->allow_key_usage_violation = 1; \
+-	      (x)->allow_wrong_pms = 1; \
+ 	      (x)->dumbfw = 1
+ 
+ #define ENABLE_PRIO_COMPAT(x) \
+@@ -998,7 +996,6 @@ struct gnutls_priority_st {
+ 	      (x)->_no_etm = 1; \
+ 	      (x)->_no_ext_master_secret = 1; \
+ 	      (x)->_allow_key_usage_violation = 1; \
+-	      (x)->_allow_wrong_pms = 1; \
+ 	      (x)->_dumbfw = 1
+ 
+ /* DH and RSA parameters types.
+@@ -1123,7 +1120,6 @@ typedef struct {
+ 	bool no_etm;
+ 	bool no_ext_master_secret;
+ 	bool allow_key_usage_violation;
+-	bool allow_wrong_pms;
+ 	bool dumbfw;
+ 
+ 	/* old (deprecated) variable. This is used for both srp_prime_bits
+diff --git a/lib/priority.c b/lib/priority.c
+index 0a284ae..67ec887 100644
+--- a/lib/priority.c
+++ b/lib/priority.c
+@@ -681,7 +681,6 @@ gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority)
+ 	COPY_TO_INTERNALS(no_etm);
+ 	COPY_TO_INTERNALS(no_ext_master_secret);
+ 	COPY_TO_INTERNALS(allow_key_usage_violation);
+-	COPY_TO_INTERNALS(allow_wrong_pms);
+ 	COPY_TO_INTERNALS(dumbfw);
+ 	COPY_TO_INTERNALS(dh_prime_bits);
+ 
+-- 
+2.43.0
+
--- a/SOURCES/gnutls-3.6.16-tls12-cert-type.patch
+++ b/SOURCES/gnutls-3.6.16-tls12-cert-type.patch
@ -0,0 +1,125 @@
+From 339bef12f478b3a12c59571c53645e31280baf7e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 14 May 2021 15:59:37 +0200
+Subject: [PATCH] cert auth: filter out unsupported cert types from TLS 1.2 CR
+
+When the server is advertising signature algorithms in TLS 1.2
+CertificateRequest, it shouldn't send certificate_types not backed by
+any of those algorithms.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/auth/cert.c                         | 76 +++++++++++++++++++++++--
+ tests/suite/tls-fuzzer/gnutls-cert.json | 19 +++++++
+ 2 files changed, 89 insertions(+), 6 deletions(-)
+
+diff --git a/lib/auth/cert.c b/lib/auth/cert.c
+index 3073a33d3..0b0f04b2b 100644
+--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
+@@ -64,6 +64,16 @@ typedef enum CertificateSigType { RSA_SIGN = 1, DSA_SIGN = 2, ECDSA_SIGN = 64,
+ #endif
+ } CertificateSigType;
+ 
+enum CertificateSigTypeFlags {
+	RSA_SIGN_FLAG = 1,
+	DSA_SIGN_FLAG = 1 << 1,
+	ECDSA_SIGN_FLAG = 1 << 2,
+#ifdef ENABLE_GOST
+	GOSTR34102012_256_SIGN_FLAG = 1 << 3,
+	GOSTR34102012_512_SIGN_FLAG = 1 << 4
+#endif
+};
+
+ /* Moves data from an internal certificate struct (gnutls_pcert_st) to
+  * another internal certificate struct (cert_auth_info_t), and deinitializes
+  * the former.
+@@ -1281,6 +1291,7 @@ _gnutls_gen_cert_server_cert_req(gnutls_session_t session,
+ 	uint8_t tmp_data[CERTTYPE_SIZE];
+ 	const version_entry_st *ver = get_version(session);
+ 	unsigned init_pos = data->length;
+	enum CertificateSigTypeFlags flags;
+ 
+ 	if (unlikely(ver == NULL))
+ 		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+@@ -1297,18 +1308,71 @@ _gnutls_gen_cert_server_cert_req(gnutls_session_t session,
+ 		return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
+ 	}
+ 
+-	i = 1;
+	if (_gnutls_version_has_selectable_sighash(ver)) {
+		size_t j;
+
+		flags = 0;
+		for (j = 0; j < session->internals.priorities->sigalg.size; j++) {
+			const gnutls_sign_entry_st *se =
+				session->internals.priorities->sigalg.entry[j];
+			switch (se->pk) {
+			case GNUTLS_PK_RSA:
+			case GNUTLS_PK_RSA_PSS:
+				flags |= RSA_SIGN_FLAG;
+				break;
+			case GNUTLS_PK_DSA:
+				flags |= DSA_SIGN_FLAG;
+				break;
+			case GNUTLS_PK_ECDSA:
+				flags |= ECDSA_SIGN_FLAG;
+				break;
+ #ifdef ENABLE_GOST
+-	if (_gnutls_kx_is_vko_gost(session->security_parameters.cs->kx_algorithm)) {
+-		tmp_data[i++] = GOSTR34102012_256_SIGN;
+-		tmp_data[i++] = GOSTR34102012_512_SIGN;
+-	} else
+			case GNUTLS_PK_GOST_12_256:
+				flags |= GOSTR34102012_256_SIGN_FLAG;
+				break;
+			case GNUTLS_PK_GOST_12_512:
+				flags |= GOSTR34102012_512_SIGN_FLAG;
+				break;
+#endif
+			default:
+				gnutls_assert();
+				_gnutls_debug_log(
+					"%s is unsupported for cert request\n",
+					gnutls_pk_get_name(se->pk));
+			}
+		}
+
+	} else {
+#ifdef ENABLE_GOST
+		if (_gnutls_kx_is_vko_gost(session->security_parameters.
+					   cs->kx_algorithm)) {
+			flags = GOSTR34102012_256_SIGN_FLAG |
+				GOSTR34102012_512_SIGN_FLAG;
+		} else
+ #endif
+-	{
+		{
+			flags = RSA_SIGN_FLAG | DSA_SIGN_FLAG | ECDSA_SIGN_FLAG;
+		}
+	}
+
+	i = 1;
+	if (flags & RSA_SIGN_FLAG) {
+ 		tmp_data[i++] = RSA_SIGN;
+	}
+	if (flags & DSA_SIGN_FLAG) {
+ 		tmp_data[i++] = DSA_SIGN;
+	}
+	if (flags & ECDSA_SIGN_FLAG) {
+ 		tmp_data[i++] = ECDSA_SIGN;
+ 	}
+#ifdef ENABLE_GOST
+	if (flags & GOSTR34102012_256_SIGN_FLAG) {
+		tmp_data[i++] = GOSTR34102012_256_SIGN;
+	}
+	if (flags & GOSTR34102012_512_SIGN_FLAG) {
+		tmp_data[i++] = GOSTR34102012_512_SIGN;
+	}
+#endif
+ 	tmp_data[0] = i - 1;
+ 
+ 	ret = _gnutls_buffer_append_data(data, tmp_data, i);
+-- 
+2.31.1
+
--- a/SOURCES/gnutls-3.6.16-trust-ca-sha1.patch
+++ b/SOURCES/gnutls-3.6.16-trust-ca-sha1.patch
@ -0,0 +1,283 @@
+From c2409e479df41620bceac314c76cabb1d35a4075 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 3 May 2021 16:35:43 +0200
+Subject: [PATCH] x509/verify: treat SHA-1 signed CA in the trusted set
+ differently
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Suppose there is a certificate chain ending with an intermediate CA:
+EE → ICA1 → ICA2.  If the system trust store contains a root CA
+generated with the same key as ICA2 but signed with a prohibited
+algorithm, such as SHA-1, the library previously reported a
+verification failure, though the situation is not uncommon during a
+transition period of root CA.
+
+This changes the library behavior such that the check on signature
+algorithm will be skipped when examining the trusted root CA.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/x509/verify.c   |  26 ++++---
+ tests/test-chains.h | 165 ++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 182 insertions(+), 9 deletions(-)
+
+diff --git a/lib/x509/verify.c b/lib/x509/verify.c
+index fd7c6a164..a50b5ea44 100644
+--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
+@@ -415,14 +415,19 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
+ #define CASE_SEC_PARAM(profile, level) \
+ 	case profile: \
+ 		sym_bits = gnutls_sec_param_to_symmetric_bits(level); \
+-		hash = gnutls_sign_get_hash_algorithm(sigalg); \
+-		entry = mac_to_entry(hash); \
+-		if (hash <= 0 || entry == NULL) { \
+		se = _gnutls_sign_to_entry(sigalg); \
+		if (unlikely(se == NULL)) { \
+			_gnutls_cert_log("cert", crt); \
+			_gnutls_debug_log(#level": certificate's signature algorithm is unknown\n"); \
+			return gnutls_assert_val(0); \
+		} \
+		if (unlikely(se->hash == GNUTLS_DIG_UNKNOWN)) {	\
+ 			_gnutls_cert_log("cert", crt); \
+ 			_gnutls_debug_log(#level": certificate's signature hash is unknown\n"); \
+ 			return gnutls_assert_val(0); \
+ 		} \
+-		if (_gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
+		if (!trusted && \
+		    _gnutls_sign_get_hash_strength(sigalg) < sym_bits) { \
+ 			_gnutls_cert_log("cert", crt); \
+ 			_gnutls_debug_log(#level": certificate's signature hash strength is unacceptable (is %u bits, needed %u)\n", _gnutls_sign_get_hash_strength(sigalg), sym_bits); \
+ 			return gnutls_assert_val(0); \
+@@ -449,19 +454,22 @@ unsigned _gnutls_is_broken_sig_allowed(const gnutls_sign_entry_st *se, unsigned
+  * @crt: a certificate
+  * @issuer: the certificates issuer (allowed to be NULL)
+  * @sigalg: the signature algorithm used
+ * @trusted: whether @crt is treated as trusted (e.g., present in the system
+ *           trust list); if it is true, the check on signature algorithm will
+ *           be skipped
+  * @flags: the specified verification flags
+  */
+ static unsigned is_level_acceptable(
+ 	gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
+-	gnutls_sign_algorithm_t sigalg, unsigned flags)
+	gnutls_sign_algorithm_t sigalg, bool trusted,
+	unsigned flags)
+ {
+ 	gnutls_certificate_verification_profiles_t profile = GNUTLS_VFLAGS_TO_PROFILE(flags);
+-	const mac_entry_st *entry;
+ 	int issuer_pkalg = 0, pkalg, ret;
+ 	unsigned bits = 0, issuer_bits = 0, sym_bits = 0;
+ 	gnutls_pk_params_st params;
+ 	gnutls_sec_param_t sp;
+-	int hash;
+	const gnutls_sign_entry_st *se;
+ 	gnutls_certificate_verification_profiles_t min_profile;
+ 
+ 	min_profile = _gnutls_get_system_wide_verification_profile();
+@@ -798,7 +806,7 @@ verify_crt(gnutls_x509_crt_t cert,
+ 	}
+ 
+ 	if (sigalg >= 0 && se) {
+-		if (is_level_acceptable(cert, issuer, sigalg, flags) == 0) {
+		if (is_level_acceptable(cert, issuer, sigalg, false, flags) == 0) {
+ 			MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM);
+ 		}
+ 
+@@ -893,7 +901,7 @@ unsigned check_ca_sanity(const gnutls_x509_crt_t issuer,
+ 
+ 	/* we explicitly allow CAs which we do not support their self-algorithms
+ 	 * to pass. */
+-	if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, flags)) {
+	if (ret >= 0 && !is_level_acceptable(issuer, NULL, sigalg, true, flags)) {
+ 		status |= GNUTLS_CERT_INSECURE_ALGORITHM|GNUTLS_CERT_INVALID;
+ 	}
+ 
+diff --git a/tests/test-chains.h b/tests/test-chains.h
+index 9b06b85f5..64f50fabf 100644
+--- a/tests/test-chains.h
+++ b/tests/test-chains.h
+@@ -4106,6 +4106,163 @@ static const char *superseding_ca[] = {
+ 	NULL
+ };
+ 
+static const char *rsa_sha1_in_trusted[] = {
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIID0jCCAoqgAwIBAgIUezaBB7f4TW75oc3UV57oJvXmbBYwDQYJKoZIhvcNAQEL\n"
+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyNzIxWhcN\n"
+	"MjIwNTAzMTQyNzIxWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
+	"BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
+	"AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
+	"dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
+	"Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
+	"mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
+	"+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
+	"CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
+	"ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
+	"MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
+	"ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
+	"GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
+	"AAOCATEAXs8lOV231HQerhSGEjZJz0vBuA3biKYlu3cwCTKvF6EOyYMSWOnfqqD0\n"
+	"eDhpo1pzGtUa2zYLHagb+sU2NSTe0sqP+PK1giUg8X8/tRtWKk1p/m76yK/3iaty\n"
+	"flgz+eMai4xQu2FvAJzIASFjM9R+Pgpcf/zdvkiUPv8Rdm9FieyAZnJSo9hJHLxN\n"
+	"x60tfC5yyswdbGGW0GbJ2kr+xMfVZvxgO/x6AXlOaUGQ+jZAu9eJwFQMDW5h5/S1\n"
+	"PJkIt7f7jkU33cG+BawcjhT0GzxuvDnnCG0L7/z7bR+Sw2kNKqHbHorzv91R20Oh\n"
+	"CIISJPkiiP+mYcglTp1d9gw09GwSkGbldb9ibfc0hKyxiImFfIiTqDbXJcpKH98o\n"
+	"W8hWkb20QURlY+QM5MD49znfhPKMTQ==\n"
+	"-----END CERTIFICATE-----\n",
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIID2TCCAkGgAwIBAgIUWsb4DATcefXbo0WrBfgqVMvPGawwDQYJKoZIhvcNAQEL\n"
+	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI2\n"
+	"MzVaFw0yMjA1MDMxNDI2MzVaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
+	"UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
+	"g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
+	"EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
+	"cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
+	"sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
+	"67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
+	"CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
+	"AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
+	"BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
+	"GctysPWxl+SfMA0GCSqGSIb3DQEBCwUAA4IBgQBbboeDr/rLT1tZWrdHq8FvflGm\n"
+	"EpxZIRU4DdDD/SUCWSPQvjBq0MvuKxs5FfJCKrDf2kS2qlZ1rO0AuWwREoDeTOEc\n"
+	"arjFoCry+JQ+USqS5F4gsp4XlYvli27iMp3dlnhFXEQQy7/y+gM5c9wnMi8v/LUz\n"
+	"AV6QHX0fkb4XeazeJ+Nq0EkjqiYxylN6mP+5LAEMBG/wGviAoviQ5tN9zdoQs/nT\n"
+	"3jTw3cOauuPjdcOTfo71+/MtBzhPchgNIyQo4aB40XVWsLAoruL/3CFFlTniihtd\n"
+	"zA2zA7JvbuuKx6BOv2IbWOUweb732ZpYbDgEcXp/6Cj/SIUGxidpEgdCJGqyqdC7\n"
+	"b58ujxclC6QTcicw+SX5LBox8WGLfj+x+V3uVBz9+EK608xphTj4kLh9peII9v3n\n"
+	"vBUoZRTiUTCvH4AJJgAfa3mYrSxzueuqBOwXcvZ+8OJ0J1CP21pmK5nxR7f1nm9Q\n"
+	"sYA1VHfC2dtyAYlByeF5iHl5hFR6vy1jJyzxg2M=\n"
+	"-----END CERTIFICATE-----\n",
+	NULL
+};
+
+static const char *rsa_sha1_in_trusted_ca[] = {
+	/* This CA is generated with the same key as rsa_sha1_in_trusted[1], but
+	 * self-signed using SHA-1.
+	 */
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIDYzCCAhugAwIBAgIUahO8CvYPHTAltKCC2rAIcXUiLlAwDQYJKoZIhvcNAQEF\n"
+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTAzMTQyMDM1WhcN\n"
+	"MjIwNTAzMTQyMDM1WjAZMRcwFQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCCAVIwDQYJ\n"
+	"KoZIhvcNAQEBBQADggE/ADCCAToCggExAJzkQrF9bp5f/38tnddOeF3biIP9wqlQ\n"
+	"Wk9x3GuuUhKA8IdCoj7UKDoGS3SmNnKGxrP6I2LTo3LNCp5T2HZrYxIelhIbiVPe\n"
+	"b+E0HQuDizIhOeniBqtudoWQGx6Ey/OENeA8UFhrs0CvN9Ippe328NlnCHEUPLxR\n"
+	"rPEs318Ot/jCOhauojAECKj9PFsxpkUcy+cLwoj4QlZKz5sG16AAbm+gALGMFjyQ\n"
+	"fdTPf5ceYBR+ZPf4j34t7NioNxfDDnKaahWI8Q0p7H4s+njIdfm2FSAKN+u7xlWB\n"
+	"4oFzBGQthXs5cCB2mc6RKBZWN2uyxSdNMq40PddK/FBPghDE2MxONA9KJQjKOxQP\n"
+	"UQo3jt21CKGGiHVU1BlhBh1knqMRnovRpJurvgEo/H/otI8XQ9ql7HsCAwEAAaND\n"
+	"MEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQe\n"
+	"dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQUFAAOCATEAYLm/4DfUp+mA\n"
+	"S/23a2bwybJoPCMzKZpi+veXkqoq/a/BCUkFpqnjpVjz0ujVKK121oeOPBAa/mG1\n"
+	"Y3fJYP+b3PloL/6xj/8680TveGirCr0Rp/8XWa8lt+Ge8DM3mfTGWFTWHa0lD9VK\n"
+	"gjV1oNZNLe5SKA6dJLAp/NjCxc/vuOkThQPeaoO5Iy/Z6m7CpTLO7T4syJFtDmSn\n"
+	"Pa/yFUDTgJYFlGVM+KC1r8bhZ6Ao1CAXTcT5Lcbe/aCcyk6B3J2AnYsqPMVNEVhb\n"
+	"9eMGO/WG24hMLy6eb1r/yL8uQ/uGi2rRlNJN8GTg09YR7l5fHrHxuHc/sme0jsnJ\n"
+	"wtqGLCJsrh7Ae1fKVUueO00Yx9BGuzLswMvnT5f0oYs0jrXgMrTbIWS/DjOcYIHb\n"
+	"w3SV1ZRcNg==\n"
+	"-----END CERTIFICATE-----\n",
+	NULL
+};
+
+static const char *rsa_sha1_not_in_trusted[] = {
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIID0jCCAoqgAwIBAgIUNCvPV9OvyuVMtnkC3ZAvh959h4MwDQYJKoZIhvcNAQEL\n"
+	"BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMjEwNTA0MDg0NzAzWhcN\n"
+	"MjIwNTA0MDg0NzAzWjA3MRgwFgYDVQQDEw90ZXN0LmdudXRscy5vcmcxGzAZBgNV\n"
+	"BAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCC\n"
+	"AToCggExALRrJ5glr8H/HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUEL\n"
+	"dl8jvoqf/nlLczsux0s8vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkb\n"
+	"Kk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3\n"
+	"mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm\n"
+	"+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWS\n"
+	"CAwuYcBYfJqZ4dasgzklzz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxG\n"
+	"ojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUCAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAA\n"
+	"MBoGA1UdEQQTMBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD\n"
+	"ATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0r\n"
+	"GDAfBgNVHSMEGDAWgBQedyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsF\n"
+	"AAOCATEAWs/Qa1Ebydwo4Ke2KEdy5cUTSZjnoz93XpbrP9W60MJ4d2DIQPcYUcLF\n"
+	"+glez+mRtVXDRtH5V/4yZX1EdgrPVQGeVlO5HbNiYyYw/Yj3H6kzWtUbBxdOAOE/\n"
+	"/ul8RCKKMfvYBHCBgjBMW0aFm31Q1Z8m8nanBusyJ0DG1scBHu4/3vTCZthZAxc5\n"
+	"3l3t/jjsNRS+k5t6Ay8nEY1tAZSGVqN8qufzO2NBO06sQagp09FTfDh581OBcVtF\n"
+	"X7O0cffAWHk3JoywzEWFEAhVPqFlk07wG2O+k+fYZfavsJko5q+yWkxu8RDh4wAx\n"
+	"7UzKudGOQ+NhfYJ7N7V1/RFg1z75gE3GTUX7qmGZEVDOsMyiuUeYg8znyYpBV55Q\n"
+	"4BNr0ukwmwOdvUf+ksCu6PdOGaqThA==\n"
+	"-----END CERTIFICATE-----\n",
+	/* ICA with SHA1 signature */
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIID2TCCAkGgAwIBAgIUYaKJkQft87M1TF+Jd30py3yIq4swDQYJKoZIhvcNAQEF\n"
+	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDQwODQ1\n"
+	"NDdaFw0yMjA1MDQwODQ1NDdaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIB\n"
+	"UjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduI\n"
+	"g/3CqVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6W\n"
+	"EhuJU95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcI\n"
+	"cRQ8vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AA\n"
+	"sYwWPJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo3\n"
+	"67vGVYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0ol\n"
+	"CMo7FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewID\n"
+	"AQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0O\n"
+	"BBYEFB53I21nMR+RB5uWL+z8yEb+jOEDMB8GA1UdIwQYMBaAFCApU0Q1pxZL+AW3\n"
+	"GctysPWxl+SfMA0GCSqGSIb3DQEBBQUAA4IBgQAewBcAGUGX28I5PDtuJkxoHonD\n"
+	"muHdXpYnrz1YXN4b7odNXockz++Xovgj126fo+PeWgmaaCic98ZcGnyVTi9+3oqN\n"
+	"2Bf4NNfyzSccgZZTphzbwjMcnc983HLQgsLSAOVivPHj5GEN58EWWamc9yA0VjGn\n"
+	"cuYmFN2dlFA8/ClEbVGu3UXBe6OljR5zUr+6oiSp2J+Rl7SerVSHlst07iU2tkeB\n"
+	"dlfOD5CquUGSka3SKvEfvu5SwYrCQVfYB6eMLInm7A0/ca0Jn3Oh4fMf2rIg/E3K\n"
+	"qsopxsu8BXrLoGK4MxbxPA65JpczhZgilQQi3e3RIvxrvyD2qamjaNbyG5cr8mW4\n"
+	"VOLf3vUORbkTi5sE7uRMu2B3z3N7ajsuQM8RHB17hOCB2FO/8rermq/oeJNtx57L\n"
+	"5s5NxCHYTksQ4gkpR4gfTIO/zwXJSwGa/Zi2y2wIi/1qr7lppBsKV2rDWX7QiIeA\n"
+	"PxOxyJA2eSeqCorz9vk3aHXleSpxsWGgKiJVmV0=\n"
+	"-----END CERTIFICATE-----\n",
+	NULL
+};
+
+static const char *rsa_sha1_not_in_trusted_ca[] = {
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIEDTCCAnWgAwIBAgIUd5X8NZput+aNPEd9h92r4KAu16MwDQYJKoZIhvcNAQEL\n"
+	"BQAwHjEcMBoGA1UEAxMTR251VExTIHRlc3Qgcm9vdCBDQTAeFw0yMTA1MDMxNDI1\n"
+	"MDNaFw0yMjA1MDMxNDI1MDNaMB4xHDAaBgNVBAMTE0dudVRMUyB0ZXN0IHJvb3Qg\n"
+	"Q0EwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCsFAaMb/iRN+OFqQNh\n"
+	"OkkXGZlb+eLerLuB9ELnYwyLIh4MTXh0RjFZdCQLsQHfY/YFv0C50rmoXTA/d3Ef\n"
+	"K/P243KjX0XBWjO9TBuN0zth50eq94zf69yxA/a+kmT+O5YLfhi2ELM5F3IjOUoZ\n"
+	"lL0IGlFJwauAkaNylp/Evd5nW7g5DUJvMm4A3RXNfZt9gAD4lPRwryQq9jxT48Xu\n"
+	"fB0kAPEG/l/Izbz2rYin5+nySL+a0CSNuEbITxidtMhveB747oR0QS2sMQKji1ur\n"
+	"pRJ945SHiYJIgVuFAJc9StikSyIrxZgK45kAzcQAyRWWKiMNH5PprGFYJp+ypwhm\n"
+	"1t8Bphj2RFJAG3XRRZF/9uJIYc5mEHCsZFZ/IFRaKqyN30kAUijgNt+lW5mZXVFU\n"
+	"aqzV2zHjSG8jsGdia3cfBP46Z1q2eAh5jOCucTq1F7qZdVhOFmP9jFE6Uy5Kbwgc\n"
+	"kNAnsEllQeJQL2odVa7woKkZZ4M/c72X5tpBU38Rs3krn3sCAwEAAaNDMEEwDwYD\n"
+	"VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQgKVNENacW\n"
+	"S/gFtxnLcrD1sZfknzANBgkqhkiG9w0BAQsFAAOCAYEAaZMV71mZ9FYoVdpho61h\n"
+	"WWPs5GppQLJ1w70DNtGZ+lFrk/KopeDvOu1i61QLWRzcZCZMl+npiX1KH5kjVo3v\n"
+	"C9G8kdMW6EVRk5p6qCJMPFN2U+grMMp50aY5kmw+/v+Lhk5T/VG93l63P91FkUre\n"
+	"o8qhOudJExoUnR1uB9M6HMAxVn8Lm/N1LGPiP6A6Pboo716H7mg/A7pv9zoZ6jUp\n"
+	"7x693mA/b3I/QpDx/nJcmcdqxgEuW+aRlFXgnYZRFAawxi+5M9EwCWbkSTO4OMHP\n"
+	"Qlvak3tJO+wb92b0cICOOtzIPgQ+caiLg9d0FvesALmQzDmNmtqynoO85+Ia2Ywh\n"
+	"nxKPlpeImhLN9nGl9sOeW2m4mnA5r0h1vgML4v/MWL4TQhXallc31uFNj5HyFaTh\n"
+	"6Mr0g3GeQgN0jpT+aIOiKuW9fLts54+Ntj1NN40slqi3Y+/Yd6xhj+NgmbRvybZu\n"
+	"tnYFXKC0Q+QUf38horqG2Mc3/uh8MOm0eYUXwGJOdXYD\n"
+	"-----END CERTIFICATE-----\n",
+	NULL
+};
+
+ #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
+ #  pragma GCC diagnostic push
+ #  pragma GCC diagnostic ignored "-Wunused-variable"
+@@ -4275,6 +4432,14 @@ static struct
+   { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA),
+     0, NULL, 1584352960, 1},
+   { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 },
+  { "rsa-sha1 in trusted - ok",
+    rsa_sha1_in_trusted, rsa_sha1_in_trusted_ca,
+    GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
+    0, NULL, 1620052390, 1},
+  { "rsa-sha1 not in trusted - not ok",
+    rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
+    GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
+    GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
+   { NULL, NULL, NULL, 0, 0}
+ };
+ 
+-- 
+2.31.1
+
--- a/SOURCES/gnutls-3.6.5-fix-fips-signature-post.patch
+++ b/SOURCES/gnutls-3.6.5-fix-fips-signature-post.patch
@ -1,846 +0,0 @@
-From 2c44e9f8b2e7a1ebc65caeb03f9f106d31e30822 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Wed, 3 Apr 2019 13:40:04 +0200
-Subject: [PATCH 1/7] crypto-selftests-pk.c: Move hardcoded values to the top
-
-The objective of moving these values to the top is to allow them to be
-used by other functions, in particular test_sig().
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
- lib/crypto-selftests-pk.c | 224 +++++++++++++++++++-------------------
- 1 file changed, 112 insertions(+), 112 deletions(-)
-
-diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
-index 1aa53ea29..4fadd4161 100644
--- a/lib/crypto-selftests-pk.c
-+++ b/lib/crypto-selftests-pk.c
-@@ -107,6 +107,118 @@ static const char gost12_512_key[] =
-  "KjL7CLBERDm7Yvlv\n"
-  "-----END PRIVATE KEY-----\n";
- 
-+/* A precomputed RSA-SHA256 signature using the rsa_key2048 */
-+static const char rsa_sig[] =
-+    "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb";
-+
-+/* ECDSA key and signature */
-+static const char ecdsa_secp256r1_privkey[] =
-+    "-----BEGIN EC PRIVATE KEY-----\n"
-+    "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n"
-+    "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n"
-+    "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n"
-+    "-----END EC PRIVATE KEY-----\n";
-+
-+static const char ecdsa_secp256r1_sig[] =
-+    "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35";
-+
-+#ifdef ENABLE_NON_SUITEB_CURVES
-+/* sha256 */
-+static const char ecdsa_secp192r1_privkey[] =
-+    "-----BEGIN EC PRIVATE KEY-----"
-+    "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA"
-+    "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL"
-+    "Fg==" "-----END EC PRIVATE KEY-----";
-+
-+static const char ecdsa_secp192r1_sig[] =
-+    "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c";
-+
-+static const char ecdsa_secp224r1_privkey[] =
-+    "-----BEGIN EC PRIVATE KEY-----"
-+    "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6"
-+    "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9"
-+    "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----";
-+
-+static const char ecdsa_secp224r1_sig[] =
-+    "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda";
-+#endif
-+
-+static const char ecdsa_secp384r1_privkey[] =
-+    "-----BEGIN EC PRIVATE KEY-----"
-+    "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS"
-+    "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH"
-+    "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n"
-+    "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----";
-+
-+static const char ecdsa_secp384r1_sig[] =
-+    "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad";
-+
-+static const char ecdsa_secp521r1_privkey[] =
-+    "-----BEGIN EC PRIVATE KEY-----"
-+    "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w"
-+    "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo"
-+    "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R"
-+    "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t"
-+    "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV"
-+    "-----END EC PRIVATE KEY-----";
-+
-+static const char ecdsa_secp521r1_sig[] =
-+    "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3";
-+
-+/* DSA key and signature */
-+static const char dsa_privkey[] =
-+ "-----BEGIN DSA PRIVATE KEY-----\n"
-+ "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n"
-+ "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n"
-+ "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n"
-+ "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n"
-+ "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n"
-+ "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n"
-+ "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n"
-+ "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n"
-+ "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n"
-+ "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n"
-+ "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n"
-+ "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n"
-+ "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n"
-+ "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n"
-+ "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n"
-+ "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n"
-+ "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n"
-+ "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n"
-+ "-----END DSA PRIVATE KEY-----\n";
-+
-+static const char dsa_sig[] =
-+    "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42";
-+
-+static const char gost01_privkey[] =
-+ "-----BEGIN PRIVATE KEY-----\n"
-+ "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n"
-+ "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n"
-+ "-----END PRIVATE KEY-----\n";
-+
-+static const char gost01_sig[] =
-+    "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb";
-+
-+static const char gost12_256_privkey[] =
-+ "-----BEGIN PRIVATE KEY-----\n"
-+ "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n"
-+ "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n"
-+ "-----END PRIVATE KEY-----\n";
-+
-+static const char gost12_256_sig[] =
-+    "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0";
-+
-+static const char gost12_512_privkey[] =
-+ "-----BEGIN PRIVATE KEY-----\n"
-+ "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n"
-+ "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n"
-+ "hsQ3JCCy4xnd5jWT\n"
-+ "-----END PRIVATE KEY-----\n";
-+
-+static const char gost12_512_sig[] =
-+    "\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f";
-+
- static int test_rsa_enc(gnutls_pk_algorithm_t pk,
- 			unsigned bits, gnutls_digest_algorithm_t ign)
- {
-@@ -302,118 +414,6 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- 	return ret;
- }
- 
-/* A precomputed RSA-SHA1 signature using the rsa_key2048 */
-static const char rsa_sig[] =
-    "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb";
-
-/* ECDSA key and signature */
-static const char ecdsa_secp256r1_privkey[] =
-    "-----BEGIN EC PRIVATE KEY-----\n"
-    "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n"
-    "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n"
-    "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n"
-    "-----END EC PRIVATE KEY-----\n";
-
-static const char ecdsa_secp256r1_sig[] =
-    "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35";
-
-#ifdef ENABLE_NON_SUITEB_CURVES
-/* sha256 */
-static const char ecdsa_secp192r1_privkey[] =
-    "-----BEGIN EC PRIVATE KEY-----"
-    "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA"
-    "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL"
-    "Fg==" "-----END EC PRIVATE KEY-----";
-
-static const char ecdsa_secp192r1_sig[] =
-    "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c";
-
-static const char ecdsa_secp224r1_privkey[] =
-    "-----BEGIN EC PRIVATE KEY-----"
-    "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6"
-    "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9"
-    "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----";
-
-static const char ecdsa_secp224r1_sig[] =
-    "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda";
-#endif
-
-static const char ecdsa_secp384r1_privkey[] =
-    "-----BEGIN EC PRIVATE KEY-----"
-    "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS"
-    "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH"
-    "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n"
-    "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----";
-
-static const char ecdsa_secp384r1_sig[] =
-    "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad";
-
-static const char ecdsa_secp521r1_privkey[] =
-    "-----BEGIN EC PRIVATE KEY-----"
-    "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w"
-    "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo"
-    "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R"
-    "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t"
-    "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV"
-    "-----END EC PRIVATE KEY-----";
-
-static const char ecdsa_secp521r1_sig[] =
-    "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3";
-
-/* DSA key and signature */
-static const char dsa_privkey[] =
- "-----BEGIN DSA PRIVATE KEY-----\n"
- "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n"
- "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n"
- "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n"
- "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n"
- "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n"
- "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n"
- "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n"
- "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n"
- "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n"
- "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n"
- "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n"
- "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n"
- "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n"
- "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n"
- "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n"
- "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n"
- "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n"
- "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n"
- "-----END DSA PRIVATE KEY-----\n";
-
-static const char dsa_sig[] =
-    "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42";
-
-static const char gost01_privkey[] =
- "-----BEGIN PRIVATE KEY-----\n"
- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n"
- "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n"
- "-----END PRIVATE KEY-----\n";
-
-static const char gost01_sig[] =
-    "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb";
-
-static const char gost12_256_privkey[] =
- "-----BEGIN PRIVATE KEY-----\n"
- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n"
- "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n"
- "-----END PRIVATE KEY-----\n";
-
-static const char gost12_256_sig[] =
-    "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0";
-
-static const char gost12_512_privkey[] =
- "-----BEGIN PRIVATE KEY-----\n"
- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n"
- "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n"
- "hsQ3JCCy4xnd5jWT\n"
- "-----END PRIVATE KEY-----\n";
-
-static const char gost12_512_sig[] =
-    "\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f";
-
- static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- 			  gnutls_digest_algorithm_t dig,
- 			  const void *privkey, size_t privkey_size,
-- 
-2.20.1
-
-
-From 4b04d899849ea566ae33862289276d9b297cd493 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Wed, 3 Apr 2019 13:44:56 +0200
-Subject: [PATCH 2/7] crypto-selftests-pk.c: Add a comparison with a known
- signature
-
-For RSA, compare the generated signature with a stored known value in
-test_sig().
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
- lib/crypto-selftests-pk.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
-index 4fadd4161..0233e6b9f 100644
--- a/lib/crypto-selftests-pk.c
-+++ b/lib/crypto-selftests-pk.c
-@@ -313,6 +313,7 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- {
- 	int ret;
- 	gnutls_datum_t sig = { NULL, 0 };
-+	gnutls_datum_t known_sig = { NULL, 0 };
- 	gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 };
- 	gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 };
- 	gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 };
-@@ -343,6 +344,8 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- 	}
- 
- 	if (pk == GNUTLS_PK_RSA) {
-+		known_sig.data = (void *)rsa_sig;
-+		known_sig.size = sizeof(rsa_sig) - 1;
- 		ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0);
- 	} else if (pk == GNUTLS_PK_RSA_PSS) {
- 		ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0);
-@@ -378,6 +381,16 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- 		goto cleanup;
- 	}
- 
-+	/* Compare with a stored known signature */
-+	if (known_sig.data != NULL) {
-+		if (sig.size != known_sig.size
-+			|| memcmp(sig.data, known_sig.data, sig.size) != 0) {
-+			ret = GNUTLS_E_SELF_TEST_ERROR;
-+			gnutls_assert();
-+			goto cleanup;
-+		}
-+	}
-+
- 	ret =
- 	    gnutls_pubkey_verify_data2(pub, sigalgo, 0,
- 				       &signed_data, &sig);
-- 
-2.20.1
-
-
-From 2123049ab9b963ef0ba108ed1cb180016bd672ab Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Wed, 17 Apr 2019 17:22:40 +0200
-Subject: [PATCH 3/7] nettle/pk.c: Do not call gnutls_rnd() during self tests
-
-When the library state is LIB_STATE_SELFTEST, use constant data instead
-of calling gnutls_rnd().  This prevents the library to block if there is
-insufficient entropy during FIPS self tests.
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
- lib/nettle/pk.c | 41 ++++++++++++++++++++++++++++++++++-------
- 1 file changed, 34 insertions(+), 7 deletions(-)
-
-diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
-index 08117c2d8..64633cc73 100644
--- a/lib/nettle/pk.c
-+++ b/lib/nettle/pk.c
-@@ -60,6 +60,33 @@
- static inline const struct ecc_curve *get_supported_nist_curve(int curve);
- static inline const struct ecc_curve *get_supported_gost_curve(int curve);
- 
-+/* Fill the buffer with data for testing purposes.
-+ * This should be called only during self tests.
-+ */
-+static int _pk_fill_buffer(void *buffer, size_t length)
-+{
-+	if (_gnutls_get_lib_state() != LIB_STATE_SELFTEST) {
-+		return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
-+	}
-+
-+	memset(buffer, 0xAA, length);
-+
-+	return 0;
-+}
-+
-+static int _pk_rnd(gnutls_rnd_level_t level, void *data, size_t len)
-+{
-+	int ret;
-+
-+	if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST) {
-+		ret = _pk_fill_buffer(data, len);
-+	} else {
-+		ret = gnutls_rnd(level, data, len);
-+	}
-+
-+	return ret;
-+}
-+
- /* When these callbacks are used for a nettle operation, the
-  * caller must check the macro HAVE_LIB_ERROR() after the operation
-  * is complete. If the macro is true, the operation is to be considered
-@@ -67,21 +94,21 @@ static inline const struct ecc_curve *get_supported_gost_curve(int curve);
-  */
- static void rnd_key_func(void *_ctx, size_t length, uint8_t * data)
- {
-	if (gnutls_rnd(GNUTLS_RND_KEY, data, length) < 0) {
-+	if (_pk_rnd(GNUTLS_RND_KEY, data, length) < 0) {
- 		_gnutls_switch_lib_state(LIB_STATE_ERROR);
- 	}
- }
- 
- static void rnd_tmpkey_func(void *_ctx, size_t length, uint8_t * data)
- {
-	if (gnutls_rnd(GNUTLS_RND_RANDOM, data, length) < 0) {
-+	if (_pk_rnd(GNUTLS_RND_RANDOM, data, length) < 0) {
- 		_gnutls_switch_lib_state(LIB_STATE_ERROR);
- 	}
- }
- 
- static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data)
- {
-	if (gnutls_rnd(GNUTLS_RND_NONCE, data, length) < 0) {
-+	if (_pk_rnd(GNUTLS_RND_NONCE, data, length) < 0) {
- 		_gnutls_switch_lib_state(LIB_STATE_ERROR);
- 	}
- }
-@@ -650,7 +677,7 @@ _rsa_pss_sign_digest_tr(gnutls_digest_algorithm_t dig,
- 		if (salt == NULL)
- 			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- 
-		ret = gnutls_rnd(GNUTLS_RND_NONCE, salt, salt_size);
-+		ret = _pk_rnd(GNUTLS_RND_NONCE, salt, salt_size);
- 		if (ret < 0) {
- 			gnutls_assert();
- 			goto cleanup;
-@@ -1732,7 +1759,7 @@ gnutls_x509_spki_st spki;
- 
- 		_gnutls_dsa_q_to_hash(params, &hash_len);
- 		gen_data = gnutls_malloc(hash_len);
-		gnutls_rnd(GNUTLS_RND_NONCE, gen_data, hash_len);
-+		_pk_rnd(GNUTLS_RND_NONCE, gen_data, hash_len);
- 
- 		ddata.data = (void*)gen_data;
- 		ddata.size = hash_len;
-@@ -2101,7 +2128,7 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
- 				goto fail;
- 			}
- 
-			ret = gnutls_rnd(rnd_level, params->raw_priv.data, size);
-+			ret = _pk_rnd(rnd_level, params->raw_priv.data, size);
- 			if (ret < 0) {
- 				ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- 				goto fail;
-@@ -2240,7 +2267,7 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
- 				goto fail;
- 			}
- 
-			ret = gnutls_rnd(rnd_level, params->raw_priv.data, size);
-+			ret = _pk_rnd(rnd_level, params->raw_priv.data, size);
- 			if (ret < 0) {
- 				ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- 				goto fail;
-- 
-2.20.1
-
-
-From db2b308fdbe98420b722eaf678c1a911bc51b0a5 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Thu, 18 Apr 2019 17:22:18 +0200
-Subject: [PATCH 4/7] tests: Run rng-no-onload test in FIPS mode
-
-This changes the function used in the test to override gnutls_rnd() to
-fill the given buffer with a different value each time it is called.
-This allows the test to run when FIPS mode is enabled.
-
-Previously the rng-no-onload test could get stuck if FIPS mode was
-enabled.  This happened if gnutls_rnd() function was called during
-global_init() in a loop that checks the generated value (e.g. if ECDSA
-signature generation is called during self tests).
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
- tests/rng-no-onload.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/tests/rng-no-onload.c b/tests/rng-no-onload.c
-index ac01be214..a485a440d 100644
--- a/tests/rng-no-onload.c
-+++ b/tests/rng-no-onload.c
-@@ -50,18 +50,20 @@ static int _rnd_called = 0;
- int __attribute__ ((visibility ("protected")))
- gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len)
- {
-+	static unsigned int value = 0;
-+
- 	_rnd_called = 1;
- 
-	memset(data, 0xff, len);
-+	/* Increment 'value' in each call up to 255, then start again from 0 */
-+	value = (value + 1) & 0xFF;
-+
-+	memset(data, value, len);
-+
- 	return 0;
- }
- 
- void doit(void)
- {
-	if (gnutls_fips140_mode_enabled()) {
-		exit(77);
-	}
-
- 	global_init();
- 
- 	if (_rnd_called != 0)
-- 
-2.20.1
-
-
-From fc926cd65f1de06f359315c6693c1a9c9899ba8c Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Thu, 4 Apr 2019 15:45:02 +0200
-Subject: [PATCH 5/7] crypto-selftests-pk.c: Fix test_known_sig
-
-Previously a new signature was generated only for deterministic
-algorithms (i.e. only RSA).  With this, a new signature is always
-generated (and compared with a stored signature for deterministic
-algorithms).  The signature verification is tested for both generated
-and stored signatures.
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
- lib/crypto-selftests-pk.c | 31 ++++++++++++++++++++-----------
- 1 file changed, 20 insertions(+), 11 deletions(-)
-
-diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
-index 0233e6b9f..ba8f5e376 100644
--- a/lib/crypto-selftests-pk.c
-+++ b/lib/crypto-selftests-pk.c
-@@ -475,19 +475,17 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- 		goto cleanup;
- 	}
- 
-	/* Test if the signature we generate matches the stored */
-+	ret = gnutls_privkey_sign_data(key, dig, 0, &signed_data, &sig);
-+	if (ret < 0) {
-+		gnutls_assert();
-+		goto cleanup;
-+	}
-+
-+	/* Test if the generated signature matches the stored */
- 	ssig.data = (void *) stored_sig;
- 	ssig.size = stored_sig_size;
- 
- 	if (deterministic_sigs != 0) {	/* do not compare against stored signature if not provided */
-		ret =
-		    gnutls_privkey_sign_data(key, dig, 0, &signed_data,
-					     &sig);
-		if (ret < 0) {
-			gnutls_assert();
-			goto cleanup;
-		}
-
- 		if (sig.size != ssig.size
- 		    || memcmp(sig.data, ssig.data, sig.size) != 0) {
- 			ret = GNUTLS_E_SELF_TEST_ERROR;
-@@ -507,7 +505,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- 		}
- 	}
- 
-	/* Test if we can verify the signature */
-+	/* Test if we can verify the generated signature */
- 
- 	ret = gnutls_pubkey_import_privkey(pub, key, 0, 0);
- 	if (ret < 0) {
-@@ -515,6 +513,17 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- 		goto cleanup;
- 	}
- 
-+	ret =
-+	    gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
-+				       &signed_data, &sig);
-+	if (ret < 0) {
-+		ret = GNUTLS_E_SELF_TEST_ERROR;
-+		gnutls_assert();
-+		goto cleanup;
-+	}
-+
-+	/* Test if we can verify the stored signature */
-+
- 	ret =
- 	    gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
- 				       &signed_data, &ssig);
-@@ -528,7 +537,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- 
- 	ret =
- 	    gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
-				       &bad_data, &ssig);
-+				       &bad_data, &sig);
- 
- 	if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) {
- 		ret = GNUTLS_E_SELF_TEST_ERROR;
-- 
-2.20.1
-
-
-From 7e49999db264556ac73ff498bd8f7edce401cdd1 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Thu, 4 Apr 2019 17:22:04 +0200
-Subject: [PATCH 6/7] crypto-selftests-pk.c: Fix PK_KNOWN_TEST and PK_TEST
-
-Remove the flag check from the end of the macros.  This change allows
-more than one test to run in sequence when GNUTLS_SELF_TEST_FLAG_ALL is
-not set.  Move the flags checks to run the minimal set of tests required
-for FIPS and keep the previous behaviour for GOST (run the first test
-for each algorithm).
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
- lib/crypto-selftests-pk.c | 37 ++++++++++++++++++++-----------------
- 1 file changed, 20 insertions(+), 17 deletions(-)
-
-diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
-index ba8f5e376..fc8ee2525 100644
--- a/lib/crypto-selftests-pk.c
-+++ b/lib/crypto-selftests-pk.c
-@@ -568,18 +568,14 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- 			if (ret < 0) { \
- 				gnutls_assert(); \
- 				goto cleanup; \
-			} \
-			if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \
-				return 0
-+			}
- 
- #define PK_KNOWN_TEST(pk, det, bits, dig, pkey, sig) \
- 			ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, det); \
- 			if (ret < 0) { \
- 				gnutls_assert(); \
- 				goto cleanup; \
-			} \
-			if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \
-				return 0
-+			}
- 
- 
- /* This file is also included by the test app in tests/slow/cipher-test, so in that
-@@ -812,11 +808,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- 		PK_KNOWN_TEST(GNUTLS_PK_RSA, 1, 2048, GNUTLS_DIG_SHA256,
- 			      rsa_key2048, rsa_sig);
- 		PK_TEST(GNUTLS_PK_RSA, test_rsa_enc, 2048, 0);
-		PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256);
- 
- 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- 			return 0;
- 
-+		PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256);
-+
- 		FALLTHROUGH;
- 	case GNUTLS_PK_RSA_PSS:
- 		PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256);
-@@ -828,11 +825,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- 	case GNUTLS_PK_DSA:
- 		PK_KNOWN_TEST(GNUTLS_PK_DSA, 0, 2048, GNUTLS_DIG_SHA256,
- 			      dsa_privkey, dsa_sig);
-		PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);
- 
- 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- 			return 0;
- 
-+		PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);
-+
- 		FALLTHROUGH;
- 	case GNUTLS_PK_EC:
- 		/* Test ECDH and ECDSA */
-@@ -850,13 +848,14 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- 			      (GNUTLS_ECC_CURVE_SECP256R1),
- 			      GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey,
- 			      ecdsa_secp256r1_sig);
-		PK_TEST(GNUTLS_PK_EC, test_sig,
-			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
-			GNUTLS_SIGN_ECDSA_SHA256);
- 
- 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- 			return 0;
- 
-+		PK_TEST(GNUTLS_PK_EC, test_sig,
-+			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
-+			GNUTLS_SIGN_ECDSA_SHA256);
-+
- 		PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
- 			      GNUTLS_CURVE_TO_BITS
- 			      (GNUTLS_ECC_CURVE_SECP384R1),
-@@ -900,31 +899,35 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- 	case GNUTLS_PK_GOST_01:
- 		PK_KNOWN_TEST(GNUTLS_PK_GOST_01, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_GOSTR_94,
- 			      gost01_privkey, gost01_sig);
-		PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
-			GNUTLS_SIGN_GOST_94);
- 
- 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- 			return 0;
- 
-+		PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
-+			GNUTLS_SIGN_GOST_94);
-+
- 		FALLTHROUGH;
- 	case GNUTLS_PK_GOST_12_256:
- 		PK_KNOWN_TEST(GNUTLS_PK_GOST_12_256, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_STREEBOG_256,
- 			      gost12_256_privkey, gost12_256_sig);
-		PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
-			GNUTLS_SIGN_GOST_256);
- 
- 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- 			return 0;
- 
-+		PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
-+			GNUTLS_SIGN_GOST_256);
-+
- 		FALLTHROUGH;
- 	case GNUTLS_PK_GOST_12_512:
- 		PK_KNOWN_TEST(GNUTLS_PK_GOST_12_512, 0, GNUTLS_ECC_CURVE_GOST512A, GNUTLS_DIG_STREEBOG_512,
- 			      gost12_512_privkey, gost12_512_sig);
-		PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A),
-			GNUTLS_SIGN_GOST_512);
- 
- 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- 			return 0;
-+
-+		PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A),
-+			GNUTLS_SIGN_GOST_512);
-+
- #endif
- 
- 		break;
-- 
-2.20.1
-
-
-From c2e83d2110b98d93588f1b6187bc932feb958ca4 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Mon, 8 Apr 2019 14:21:57 +0200
-Subject: [PATCH 7/7] crypto-selftests-pk.c: Cleanup self tests
-
-test_sig() always uses the same key for RSA, DSA, and ECDSA regardless
-of the value provided in the "bits" parameter.  Therefore, avoid
-printing specific information (number of bits or name of the curve).
-
-Changes test_sig() to use 2048 bits key for DSA; deleted hardcoded 512
-bits DSA key;
-
-Avoid calling test_sig() multiple times for ECDSA: the same key is
-used regardless of the curve provided in the parameters.
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
- lib/crypto-selftests-pk.c | 42 +++++++++------------------------------
- 1 file changed, 9 insertions(+), 33 deletions(-)
-
-diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
-index fc8ee2525..3d665b723 100644
--- a/lib/crypto-selftests-pk.c
-+++ b/lib/crypto-selftests-pk.c
-@@ -78,16 +78,6 @@ static const char ecc_key[] =
-  "MSHpe5vd0TQz+/GAa1zxle8mB/Cdh0JaTrA=\n"
-  "-----END EC PRIVATE KEY-----\n";
- 
-static const char dsa_key[] =
- "-----BEGIN DSA PRIVATE KEY-----\n"
- "MIH4AgEAAkEA6KUOSXfFNcInFLPdOlLlKNCe79zJrkxnsQN+lllxuk1ifZrE07r2\n"
- "3edTrc4riQNnZ2nZ372tYUAMJg+5jM6IIwIVAOa58exwZ+42Tl+p3b4Kbpyu2Ron\n"
- "AkBocj7gkiBYHtv6HMIIzooaxn4vpGR0Ns6wBfroBUGvrnSAgfT3WyiNaHkIF28e\n"
- "quWcEeOJjUgFvatcM8gcY288AkEAyKWlgzBurIYST8TM3j4PuQJDTvdHDaGoAUAa\n"
- "EfjmOw2UXKwqTmwPiT5BYKgCo2ILS87ttlTpd8vndH37pmnmVQIUQIVuKpZ8y9Bw\n"
- "VzO8qcrLCFvTOXY=\n"
- "-----END DSA PRIVATE KEY-----\n";
-
- static const char gost01_key[] =
-  "-----BEGIN PRIVATE KEY-----\n"
-  "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n"
-@@ -315,22 +305,20 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- 	gnutls_datum_t sig = { NULL, 0 };
- 	gnutls_datum_t known_sig = { NULL, 0 };
- 	gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 };
-	gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 };
-+	gnutls_datum_t raw_dsa_key = { (void*)dsa_privkey, sizeof(dsa_privkey)-1 };
- 	gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 };
- 	gnutls_datum_t raw_gost01_key = { (void*)gost01_key, sizeof(gost01_key)-1 };
- 	gnutls_datum_t raw_gost12_256_key = { (void*)gost12_256_key, sizeof(gost12_256_key)-1 };
- 	gnutls_datum_t raw_gost12_512_key = { (void*)gost12_512_key, sizeof(gost12_512_key)-1 };
- 	gnutls_privkey_t key;
- 	gnutls_pubkey_t pub = NULL;
-	char param_name[32];
-+	char param_name[32] = "";
- 
-	if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 ||
-	    pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) {
-		snprintf(param_name, sizeof(param_name), "%s",
-+	if (pk == GNUTLS_PK_GOST_01 || pk == GNUTLS_PK_GOST_12_256 ||
-+	    pk == GNUTLS_PK_GOST_12_512) {
-+		snprintf(param_name, sizeof(param_name), "-%s",
- 			 gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE
- 						   (bits)));
-	} else {
-		snprintf(param_name, sizeof(param_name), "%u", bits);
- 	}
- 
- 	ret = gnutls_privkey_init(&key);
-@@ -418,10 +406,10 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- 	gnutls_free(sig.data);
- 
- 	if (ret == 0)
-		_gnutls_debug_log("%s-%s-sig self test succeeded\n",
-+		_gnutls_debug_log("%s%s-sig self test succeeded\n",
- 				  gnutls_pk_get_name(pk), param_name);
- 	else
-		_gnutls_debug_log("%s-%s-sig self test failed\n",
-+		_gnutls_debug_log("%s%s-sig self test failed\n",
- 				  gnutls_pk_get_name(pk), param_name);
- 
- 	return ret;
-@@ -812,7 +800,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- 			return 0;
- 
-		PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256);
-+		PK_TEST(GNUTLS_PK_RSA, test_sig, 2048, GNUTLS_SIGN_RSA_SHA256);
- 
- 		FALLTHROUGH;
- 	case GNUTLS_PK_RSA_PSS:
-@@ -829,7 +817,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- 		if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- 			return 0;
- 
-		PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);
-+		PK_TEST(GNUTLS_PK_DSA, test_sig, 2048, GNUTLS_SIGN_DSA_SHA256);
- 
- 		FALLTHROUGH;
- 	case GNUTLS_PK_EC:
-@@ -861,18 +849,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- 			      (GNUTLS_ECC_CURVE_SECP384R1),
- 			      GNUTLS_DIG_SHA256, ecdsa_secp384r1_privkey,
- 			      ecdsa_secp384r1_sig);
-		PK_TEST(GNUTLS_PK_EC, test_sig,
-			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1),
-			GNUTLS_SIGN_ECDSA_SHA384);
- 
- 		PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
- 			      GNUTLS_CURVE_TO_BITS
- 			      (GNUTLS_ECC_CURVE_SECP521R1),
- 			      GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey,
- 			      ecdsa_secp521r1_sig);
-		PK_TEST(GNUTLS_PK_EC, test_sig,
-			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1),
-			GNUTLS_SIGN_ECDSA_SHA512);
- 
- #ifdef ENABLE_NON_SUITEB_CURVES
- 		PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
-@@ -880,18 +862,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- 			      (GNUTLS_ECC_CURVE_SECP192R1),
- 			      GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
- 			      ecdsa_secp192r1_sig);
-		PK_TEST(GNUTLS_PK_EC, test_sig,
-			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
-			GNUTLS_SIGN_ECDSA_SHA256);
- 
- 		PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
- 			      GNUTLS_CURVE_TO_BITS
- 			      (GNUTLS_ECC_CURVE_SECP224R1),
- 			      GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
- 			      ecdsa_secp224r1_sig);
-		PK_TEST(GNUTLS_PK_EC, test_sig,
-			GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
-			GNUTLS_SIGN_ECDSA_SHA256);
- #endif
- 
- #if ENABLE_GOST
-- 
-2.20.1
-
--- a/SOURCES/gnutls-3.6.8-fips-aes-cbc-kat.patch
+++ b/SOURCES/gnutls-3.6.8-fips-aes-cbc-kat.patch
@ -1,36 +0,0 @@
-From facea2b7659e11efce7014bda8800574d35dd05d Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Wed, 12 Jun 2019 14:02:05 +0200
-Subject: [PATCH] fips: run selftests over overridden AES-CBC algorithm
-
-Previously, we only tested nettle's AES-CBC in
-_gnutls_fips_perform_self_checks1(), which is called before the
-implementation is overridden.  This adds an AES-CBC self-test in
-_gnutls_fips_perform_self_checks2() so it can test the actual
-implementation.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
- lib/fips.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/lib/fips.c b/lib/fips.c
-index b92edbbd7..902af5674 100644
--- a/lib/fips.c
-+++ b/lib/fips.c
-@@ -317,6 +317,12 @@ int _gnutls_fips_perform_self_checks2(void)
- 		goto error;
- 	}
- 
-+	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC);
-+	if (ret < 0) {
-+		gnutls_assert();
-+		goto error;
-+	}
-+
- 	ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_GCM);
- 	if (ret < 0) {
- 		gnutls_assert();
-- 
-2.20.1
-
--- a/SOURCES/gnutls-3.6.8-multiple-key-updates.patch
+++ b/SOURCES/gnutls-3.6.8-multiple-key-updates.patch
@ -1,286 +0,0 @@
-From 6023c69c616d866e19ab1c0bb87931e5143c79d3 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Wed, 5 Jun 2019 16:48:39 +0200
-Subject: [PATCH] tls13/key_update: ignore multiple key updates instead of
- error
-
-This fixes the multiple KeyUpdate messages handling in commit
-65e2aa80d114d4bef095d129c2eda475e473244a, where illegal_parameter is
-sent even if the limit doesn't exceed.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
- .gitignore                        |   1 +
- lib/tls13/key_update.c            |   2 -
- tests/Makefile.am                 |   2 +
- tests/tls13/key_update_multiple.c | 232 ++++++++++++++++++++++++++++++
- 4 files changed, 235 insertions(+), 2 deletions(-)
- create mode 100644 tests/tls13/key_update_multiple.c
-
-diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
-index d542a214b..c6f6e0aa1 100644
--- a/lib/tls13/key_update.c
-+++ b/lib/tls13/key_update.c
-@@ -117,8 +117,6 @@ int _gnutls13_recv_key_update(gnutls_session_t session, gnutls_buffer_st *buf)
- 			session->internals.rsend_state = RECORD_SEND_KEY_UPDATE_1;
- 		else if (session->internals.rsend_state == RECORD_SEND_CORKED)
- 			session->internals.rsend_state = RECORD_SEND_CORKED_TO_KU;
-		else
-			return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
- 
- 		break;
- 	default:
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index ca0481879..4ffa69825 100644
--- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -119,6 +119,8 @@ ctests += tls13/psk-ext
- 
- ctests += tls13/key_update
- 
-+ctests += tls13/key_update_multiple
-+
- ctests += tls13/key_limits
- 
- ctests += tls13/multi-ocsp
-diff --git a/tests/tls13/key_update_multiple.c b/tests/tls13/key_update_multiple.c
-new file mode 100644
-index 000000000..8b2c2db4b
--- /dev/null
-+++ b/tests/tls13/key_update_multiple.c
-@@ -0,0 +1,232 @@
-+/*
-+ * Copyright (C) 2017-2019 Red Hat, Inc.
-+ *
-+ * Author: Daiki Ueno
-+ *
-+ * This file is part of GnuTLS.
-+ *
-+ * GnuTLS is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * GnuTLS is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ * General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
-+ */
-+
-+#ifdef HAVE_CONFIG_H
-+#include <config.h>
-+#endif
-+
-+#include <stdbool.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <errno.h>
-+#include <gnutls/gnutls.h>
-+#include <gnutls/crypto.h>
-+#include <assert.h>
-+#include "cert-common.h"
-+
-+#include "utils.h"
-+#include "virt-time.h"
-+#define RANDOMIZE
-+#include "eagain-common.h"
-+
-+const char *side = "";
-+
-+/* This program tests whether multiple key update messages are handled
-+ * properly with rate-limit. */
-+
-+static void tls_log_func(int level, const char *str)
-+{
-+	fprintf(stderr, "%s|<%d>| %s", side, level, str);
-+}
-+
-+#define MAX_BUF 1024
-+#define MSG "Hello TLS, and hi and how are you and more data here... and more... and even more and even more more data..."
-+
-+/* These must match the definitions in lib/tls13/key_update.c. */
-+#define KEY_UPDATES_WINDOW 1000
-+#define KEY_UPDATES_PER_WINDOW 8
-+
-+static unsigned key_update_msg_inc = 0;
-+static unsigned key_update_msg_out = 0;
-+
-+static int hsk_callback(gnutls_session_t session, unsigned int htype,
-+			unsigned post, unsigned int incoming, const gnutls_datum_t *msg)
-+{
-+	assert(post == GNUTLS_HOOK_PRE);
-+
-+	assert(msg->size == 1);
-+
-+	if (htype == GNUTLS_HANDSHAKE_KEY_UPDATE) {
-+		if (incoming)
-+			key_update_msg_inc++;
-+		else
-+			key_update_msg_out++;
-+	}
-+
-+	return 0;
-+}
-+
-+static void run(const char *name, bool exceed_limit)
-+{
-+	/* Server stuff. */
-+	gnutls_certificate_credentials_t ccred;
-+	gnutls_certificate_credentials_t scred;
-+	gnutls_session_t server;
-+	int sret, cret;
-+	/* Client stuff. */
-+	gnutls_session_t client;
-+	/* Need to enable anonymous KX specifically. */
-+	char buffer[MAX_BUF + 1];
-+	int ret, transferred = 0;
-+	size_t i;
-+
-+	success("%s\n", name);
-+
-+	/* General init. */
-+	global_init();
-+	gnutls_global_set_log_function(tls_log_func);
-+	if (debug)
-+		gnutls_global_set_log_level(9);
-+
-+	/* Init server */
-+	assert(gnutls_certificate_allocate_credentials(&scred) >= 0);
-+	assert(gnutls_certificate_set_x509_key_mem(scred,
-+						   &server_ca3_localhost_cert,
-+						   &server_ca3_key,
-+						   GNUTLS_X509_FMT_PEM) >= 0);
-+
-+	assert(gnutls_init(&server, GNUTLS_SERVER) >= 0);
-+	ret =
-+	    gnutls_priority_set_direct(server,
-+				       "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3",
-+				       NULL);
-+	if (ret < 0)
-+		exit(1);
-+
-+	gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
-+	gnutls_transport_set_push_function(server, server_push);
-+	gnutls_transport_set_pull_function(server, server_pull);
-+	gnutls_transport_set_ptr(server, server);
-+
-+	/* Init client */
-+	assert(gnutls_certificate_allocate_credentials(&ccred) >= 0);
-+	assert(gnutls_certificate_set_x509_trust_mem
-+	       (ccred, &ca3_cert, GNUTLS_X509_FMT_PEM) >= 0);
-+
-+	gnutls_init(&client, GNUTLS_CLIENT);
-+	ret =
-+	    gnutls_priority_set_direct(client,
-+				       "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3",
-+				       NULL);
-+	assert(ret >= 0);
-+
-+	ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred);
-+	if (ret < 0)
-+		exit(1);
-+
-+	gnutls_transport_set_push_function(client, client_push);
-+	gnutls_transport_set_pull_function(client, client_pull);
-+	gnutls_transport_set_ptr(client, client);
-+
-+
-+	HANDSHAKE(client, server);
-+	if (debug)
-+		success("Handshake established\n");
-+
-+	key_update_msg_inc = 0;
-+	key_update_msg_out = 0;
-+
-+	gnutls_handshake_set_hook_function(client, -1, GNUTLS_HOOK_PRE, hsk_callback);
-+
-+	/* schedule multiple key updates */
-+	for (i = 0; i < KEY_UPDATES_PER_WINDOW; i++) {
-+		do {
-+			ret = gnutls_session_key_update(client, 1);
-+		} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
-+		if (ret < 0)
-+			fail("error in key update: %s\n", gnutls_strerror(ret));
-+	}
-+
-+	/* server receives the client key update and sends data */
-+	TRANSFER(client, server, MSG, strlen(MSG), buffer, MAX_BUF);
-+	TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF);
-+	EMPTY_BUF(server, client, buffer, MAX_BUF);
-+
-+	if (key_update_msg_out != KEY_UPDATES_PER_WINDOW)
-+		fail("unexpected number of key updates are sent: %d\n",
-+			key_update_msg_out);
-+	else {
-+		if (debug)
-+			success("successfully sent %d key updates\n",
-+				KEY_UPDATES_PER_WINDOW);
-+	}
-+	if (key_update_msg_inc != 1)
-+		fail("unexpected number of key updates received: %d\n",
-+			key_update_msg_inc);
-+	else {
-+		if (debug)
-+			success("successfully received 1 key update\n");
-+	}
-+
-+	if (exceed_limit) {
-+		/* excessive key update in the same time window should
-+		 * be rejected by the peer */
-+		do {
-+			ret = gnutls_session_key_update(client, 1);
-+		} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
-+
-+		/* server receives the client key update and sends data */
-+		ret = record_send_loop(client, MSG, strlen(MSG), 0);
-+		assert(ret == strlen(MSG));
-+		ret = gnutls_record_recv(server, buffer, MAX_BUF);
-+		if (ret != GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS)
-+			fail("server didn't reject excessive number of key updates\n");
-+		else {
-+			if (debug)
-+				success("server rejected excessive number of key updates\n");
-+		}
-+	} else {
-+		virt_sec_sleep(KEY_UPDATES_WINDOW / 1000 + 1);
-+
-+		/* the time window should be rolled over now */
-+		do {
-+			ret = gnutls_session_key_update(client, 1);
-+		} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
-+		if (ret < 0)
-+			fail("error in key update: %s\n", gnutls_strerror(ret));
-+
-+		/* server receives the client key update and sends data */
-+		TRANSFER(client, server, MSG, strlen(MSG), buffer, MAX_BUF);
-+		TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF);
-+		EMPTY_BUF(server, client, buffer, MAX_BUF);
-+	}
-+
-+	gnutls_bye(client, GNUTLS_SHUT_WR);
-+	gnutls_bye(server, GNUTLS_SHUT_WR);
-+
-+	gnutls_deinit(client);
-+	gnutls_deinit(server);
-+
-+	gnutls_certificate_free_credentials(scred);
-+	gnutls_certificate_free_credentials(ccred);
-+
-+	gnutls_global_deinit();
-+	reset_buffers();
-+}
-+
-+void doit(void)
-+{
-+	virt_time_init();
-+
-+	run("not exceeding limit", 0);
-+	run("exceeding limit", 1);
-+}
-- 
-2.20.1
-
--- a/SOURCES/gnutls-3.6.8.tar.xz.sig
+++ b/SOURCES/gnutls-3.6.8.tar.xz.sig
--- a/SOURCES/gnutls-3.7.8-rsa-kx-timing.patch
+++ b/SOURCES/gnutls-3.7.8-rsa-kx-timing.patch
@ -0,0 +1,114 @@
+From c149dd0767f32789e391280cb1eb06b7eb7c6bce Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Tue, 9 Aug 2022 16:05:53 +0200
+Subject: [PATCH 1/2] auth/rsa: side-step potential side-channel
+
+Remove branching that depends on secret data.
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+Signed-off-by: Hubert Kario <hkario@redhat.com>
+Tested-by: Hubert Kario <hkario@redhat.com>
+---
+ lib/auth/rsa.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 8108ee841d..6b158bacb2 100644
+--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
+@@ -155,7 +155,6 @@ static int
+ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 		   size_t _data_size)
+ {
+-	const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
+ 	gnutls_datum_t ciphertext;
+ 	int ret, dsize;
+ 	ssize_t data_size = _data_size;
+@@ -235,15 +234,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 	ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+ 	        CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+ 
+-	if (ok) {
+-		/* call logging function unconditionally so all branches are
+-		 * indistinguishable for timing and cache access when debug
+-		 * logging is disabled */
+-		_gnutls_no_log("%s", attack_error);
+-	} else {
+-		_gnutls_debug_log("%s", attack_error);
+-	}
+-
+ 	/* This is here to avoid the version check attack
+ 	 * discussed above.
+ 	 */
+-- 
+2.39.1
+
+
+From 7c963102ec2119eecc1789b993aabe5edfd75f3b Mon Sep 17 00:00:00 2001
+From: Hubert Kario <hkario@redhat.com>
+Date: Wed, 8 Feb 2023 14:32:09 +0100
+Subject: [PATCH 2/2] rsa: remove dead code
+
+since the `ok` variable isn't used any more, we can remove all code
+used to calculate it
+
+Signed-off-by: Hubert Kario <hkario@redhat.com>
+---
+ lib/auth/rsa.c | 20 +++-----------------
+ 1 file changed, 3 insertions(+), 17 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 6b158bacb2..858701fe6e 100644
+--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
+@@ -159,8 +159,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 	int ret, dsize;
+ 	ssize_t data_size = _data_size;
+ 	volatile uint8_t ver_maj, ver_min;
+-	volatile uint8_t check_ver_min;
+-	volatile uint32_t ok;
+ 
+ #ifdef ENABLE_SSL3
+ 	if (get_num_version(session) == GNUTLS_SSL3) {
+@@ -186,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 
+ 	ver_maj = _gnutls_get_adv_version_major(session);
+ 	ver_min = _gnutls_get_adv_version_minor(session);
+-	check_ver_min = (session->internals.allow_wrong_pms == 0);
+ 
+ 	session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+ 	if (session->key.key.data == NULL) {
+@@ -205,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 		return ret;
+ 	}
+ 
+-	ret =
+-	    gnutls_privkey_decrypt_data2(session->internals.selected_key,
+-					 0, &ciphertext, session->key.key.data,
+-					 session->key.key.size);
+	gnutls_privkey_decrypt_data2(session->internals.selected_key,
+				     0, &ciphertext, session->key.key.data,
+				     session->key.key.size);
+ 	/* After this point, any conditional on failure that cause differences
+ 	 * in execution may create a timing or cache access pattern side
+ 	 * channel that can be used as an oracle, so treat very carefully */
+@@ -224,16 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 	 * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
+ 	 */
+ 
+-	/* ok is 0 in case of error and 1 in case of success. */
+-
+-	/* if ret < 0 */
+-	ok = CONSTCHECK_EQUAL(ret, 0);
+-	/* session->key.key.data[0] must equal ver_maj */
+-	ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
+-	/* if check_ver_min then session->key.key.data[1] must equal ver_min */
+-	ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+-	        CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+-
+ 	/* This is here to avoid the version check attack
+ 	 * discussed above.
+ 	 */
+-- 
+2.39.1
+
--- a/SPECS/gnutls.spec
+++ b/SPECS/gnutls.spec
@ -1,10 +1,20 @@
-Version:	3.6.8
-Release: 3%{?dist}
+Version:	3.6.16
+Release: 8%{?dist}.3
 Patch1:	gnutls-3.2.7-rpath.patch
 Patch2:	gnutls-3.6.4-no-now-guile.patch
-Patch3:	gnutls-3.6.5-fix-fips-signature-post.patch
-Patch4: gnutls-3.6.8-fips-aes-cbc-kat.patch
-Patch5: gnutls-3.6.8-multiple-key-updates.patch
+Patch3:	gnutls-3.6.13-enable-intel-cet.patch
+Patch10:	gnutls-3.6.14-fips-dh-selftests.patch
+Patch11:	gnutls-3.6.14-fips-kdf-selftests.patch
+Patch12:	gnutls-3.6.16-tls12-cert-type.patch
+Patch13:	gnutls-3.6.16-trust-ca-sha1.patch
+Patch14:	gnutls-3.6.16-doc-p11tool-ckaid.patch
+Patch15:	gnutls-3.6.16-pkcs7-verify.patch
+Patch16:	gnutls-3.6.16-cpuid.patch
+Patch17:	gnutls-3.7.8-rsa-kx-timing.patch
+Patch18:	gnutls-3.6.16-rehandshake-tickets.patch
+Patch19:	gnutls-3.6.16-rsa-psk-timing.patch
+Patch20:	gnutls-3.6.16-rsa-psk-timing-followup.patch
+Patch21:	gnutls-3.6.16-deterministic-ecdsa-fixes.patch
 %bcond_without dane
 %if 0%{?rhel}
 %bcond_with guile
@ -50,7 +60,7 @@ BuildRequires: guile-devel
 URL: http://www.gnutls.org/
 Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
 Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
-Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg

 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
@ -150,7 +160,7 @@ This package contains Guile bindings for the library.
 %prep
 gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}

-%autosetup -p1
+%autosetup -p1 -S git

 sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
 rm -f lib/minitasn1/*.c lib/minitasn1/*.h
@ -162,6 +172,7 @@ echo "SYSTEM=NORMAL" >> tests/system.prio
 # via the crypto policies

 %build
+autoreconf -fi
 CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
 export CCASFLAGS
 %configure --with-libtasn1-prefix=%{_prefix} \
@ -288,6 +299,109 @@ fi
 %endif

 %changelog
+* Tue Mar 26 2024 Daiki Ueno <dueno@redhat.com> - 3.6.16-8.3
+- Fix memleak with older GMP (RHEL-28957)
+
+* Mon Mar 25 2024 Daiki Ueno <dueno@redhat.com> - 3.6.16-8.2
+- Fix timing side-channel in deterministic ECDSA (RHEL-28957)
+
+* Thu Jan 18 2024 Daiki Ueno <dueno@redhat.com> - 3.6.16-8.1
+- auth/rsa-psk: minimize branching after decryption (RHEL-21586)
+
+* Wed Dec  6 2023 Daiki Ueno <dueno@redhat.com> - 3.6.16-8
+- auth/rsa_psk: side-step potential side-channel (RHEL-16753)
+
+* Mon Jun 26 2023 Daiki Ueno <dueno@redhat.com> - 3.6.16-7
+- Clear server's session ticket indication at rehandshake (#2089817)
+
+* Thu Feb 23 2023 Zoltan Fridrich <zfridric@redhat.com> - 3.6.16-6
+- Fix x86_64 CPU feature detection when AVX is not available (#2131152)
+- Fix timing side-channel in TLS RSA key exchange (#2162598)
+
+* Mon Aug 29 2022 Daiki Ueno <dueno@redhat.com> - 3.6.16-5
+- Fix double-free in gnutls_pkcs7_verify (#2109788)
+
+* Mon Jun 28 2021 Daiki Ueno <dueno@redhat.com> - 3.6.16-4
+- p11tool: Document ID reuse behavior when importing certs (#1776250)
+
+* Mon Jun  7 2021 Daiki Ueno <dueno@redhat.com> - 3.6.16-3
+- Treat SHA-1 signed CA in the trusted set differently (#1965445)
+
+* Wed May 26 2021 Daiki Ueno <dueno@redhat.com> - 3.6.16-2
+- Filter certificate_types in TLS 1.2 CR based on signature algorithms (#1942216)
+
+* Mon May 24 2021 Daiki Ueno <dueno@redhat.com> - 3.6.16-1
+- Update to upstream 3.6.16 release (#1956783)
+- Fix potential use-after-free in key_share handling (#1927597)
+- Fix potential use-after-free in pre_shared_key handling (#1927593)
+- Stop gnutls-serv relying on AI_ADDRCONFIG to decide listening address (#1908334)
+- Fix cert expiration issue in tests (#1908110)
+
+* Thu Apr  1 2021 Daiki Ueno <dueno@redhat.com> - 3.6.14-10
+- Port fixes for potential miscalculation in ecdsa_verify (#1942931)
+
+* Tue Nov 24 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-9
+- Revert the previous change
+
+* Wed Nov 11 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-8
+- Depend on specific NVR of gmp and nettle (#1812933)
+
+* Tue Nov  3 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-7
+- Increase DH key bits to >= 2048 in self-tests (#1879506)
+- Implement self-tests for KDF and CMAC (#1890870)
+- Fix CVE-2020-24659: heap buffer-overflow when "no_renegotiation" alert is received (#1873959)
+
+* Mon Aug 24 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-6
+- Fix memory leak when serializing iovec_t (#1844112)
+
+* Sat Jul 18 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-5
+- Perform validation checks on (EC)DH public keys and share secrets (#1855803)
+
+* Mon Jun 29 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-4
+- Tighten FIPS DH primes check according to SP800-56A (rev 3) (#1849079)
+
+* Fri Jun  5 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-3
+- Update gnutls-3.6.14-fips-mode-check.patch
+
+* Thu Jun  4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-2
+- Return false from gnutls_fips140_mode_enabled() if selftests failed (#1827687)
+
+* Thu Jun  4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-1
+- Update to upstream 3.6.14 release
+
+* Mon May 25 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-3
+- Add an option to gnutls-cli to wait for resumption under TLS 1.3 (#1677754)
+
+* Wed May 20 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-2
+- Enable Intel CET (#1838476)
+
+* Tue May  5 2020 Daiki Ueno <dueno@redhat.com> - 3.6.13-1
+- Update to upstream 3.6.13 release
+
+* Tue Apr 21 2020 Daiki Ueno <dueno@redhat.com> - 3.6.8-10
+- Fix CVE-2020-11501 (#1822005)
+
+* Wed Nov  6 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-9
+- Fix CFB8 decryption when repeatedly called (#1757848)
+- Fix gnutls_aead_cipher_{en,de}cryptv2 with input not multiple of block size (#1757856)
+
+* Fri Aug 16 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-8
+- Use fallback random function for RSA blinding in FIPS selftests
+
+* Fri Aug 16 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-7
+- Fix deterministic signature creation in selftests
+
+* Fri Aug 16 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-6
+- Treat login error more gracefully when enumerating PKCS#11 tokens (#1705478)
+- Use deterministic ECDSA/DSA in FIPS selftests (#1716560)
+- Add gnutls_aead_cipher_{encrypt,decrypt}v2 functions (#1684461)
+
+* Fri Aug  9 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-5
+- Avoid UB when encrypting session tickets
+
+* Tue Jul  2 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-4
+- Add RNG continuous test under FIPS
+
 * Fri Jun 14 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-3
 - Follow-up fix on multiple key updates handling (#1673975)