Sync from SUSE:SLFO:1.1 gnutls revision 317a5dfe2310cddaae305cbb43987782

gnutls-3.5.11-skip-trust-store-tests.patch

@@ -15,11 +15,11 @@ need ca-certificates-mozilla to run.
 
 But this would create a build cycle. Skip test.
 
-Index: gnutls-3.8.9/tests/trust-store.c
+Index: gnutls-3.6.15/tests/trust-store.c
 ===================================================================
---- gnutls-3.8.9.orig/tests/trust-store.c
-+++ gnutls-3.8.9/tests/trust-store.c
-@@ -42,6 +42,9 @@ static void tls_log_func(int level, cons
+--- gnutls-3.6.15.orig/tests/trust-store.c	2020-09-08 10:24:24.018094247 +0200
++++ gnutls-3.6.15/tests/trust-store.c	2020-09-08 10:24:25.534104346 +0200
+@@ -44,6 +44,9 @@ static void tls_log_func(int level, cons
  
  void doit(void)
  {

gnutls-3.8.10-disable-ktls_test.patch

@@ -1,24 +0,0 @@
-Index: gnutls-3.8.10/tests/Makefile.am
-===================================================================
---- gnutls-3.8.10.orig/tests/Makefile.am
-+++ gnutls-3.8.10/tests/Makefile.am
-@@ -527,13 +527,13 @@ if !WINDOWS
- #
- 
- if ENABLE_KTLS
--indirect_tests += gnutls_ktls
--dist_check_SCRIPTS += ktls.sh
-+#indirect_tests += gnutls_ktls
-+#dist_check_SCRIPTS += ktls.sh
- 
--indirect_tests += ktls_keyupdate
--ktls_keyupdate_SOURCES = tls13/key_update.c
--ktls_keyupdate_CFLAGS = -DUSE_KTLS
--dist_check_SCRIPTS += ktls_keyupdate.sh
-+#indirect_tests += ktls_keyupdate
-+#ktls_keyupdate_SOURCES = tls13/key_update.c
-+#ktls_keyupdate_CFLAGS = -DUSE_KTLS
-+#dist_check_SCRIPTS += ktls_keyupdate.sh
- endif
- 
- dist_check_SCRIPTS += dtls/dtls.sh #dtls/dtls-resume.sh #dtls/dtls-nb

gnutls-CVE-2024-28834.patch

@@ -0,0 +1,418 @@
+From 1c4701ffc342259fc5965d5a0de90d87f780e3e5 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 12 Jan 2024 17:56:58 +0900
+Subject: [PATCH] nettle: avoid normalization of mpz_t in deterministic ECDSA
+
+This removes function calls that potentially leak bit-length of a
+private key used to calculate a nonce in deterministic ECDSA.  Namely:
+
+- _gnutls_dsa_compute_k has been rewritten to work on always
+  zero-padded mp_limb_t arrays instead of mpz_t
+- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
+  by a byte array instead of an mpz_t value
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/int/dsa-compute-k.c    | 70 +++++++++++++++++++++----------
+ lib/nettle/int/dsa-compute-k.h    | 23 +++++++++-
+ lib/nettle/int/ecdsa-compute-k.c  | 28 +++----------
+ lib/nettle/int/ecdsa-compute-k.h  |  4 +-
+ lib/nettle/pk.c                   | 65 +++++++++++++++++++++-------
+ tests/sign-verify-deterministic.c |  2 +-
+ 6 files changed, 127 insertions(+), 65 deletions(-)
+
+diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
+index 8ff5739c2b..2fcb2bb80e 100644
+--- a/lib/nettle/int/dsa-compute-k.c
++++ b/lib/nettle/int/dsa-compute-k.c
+@@ -31,19 +31,30 @@
+ #include "mpn-base256.h"
+ #include <string.h>
+ 
+-#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
++/* For mini-gmp */
++#ifndef GMP_LIMB_BITS
++#define GMP_LIMB_BITS GMP_NUMB_BITS
++#endif
+ 
+-/* The maximum size of q, chosen from the fact that we support
+- * 521-bit elliptic curve generator and 512-bit DSA subgroup at
+- * maximum. */
+-#define MAX_Q_BITS 521
+-#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
+-#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
++static inline int is_zero_limb(mp_limb_t x)
++{
++	x |= (x << 1);
++	return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1);
++}
++
++static int sec_zero_p(const mp_limb_t *ap, mp_size_t n)
++{
++	volatile mp_limb_t w;
++	mp_size_t i;
+ 
+-#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
+-#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
++	for (i = 0, w = 0; i < n; i++)
++		w |= ap[i];
+ 
+-int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
++	return is_zero_limb(w);
++}
++
++int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
++			  mp_size_t qn, mp_bitcnt_t q_bits,
+ 			  gnutls_mac_algorithm_t mac, const uint8_t *digest,
+ 			  size_t length)
+ {
+@@ -51,9 +62,6 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
+ 	uint8_t K[MAX_HASH_SIZE];
+ 	uint8_t xp[MAX_Q_SIZE];
+ 	uint8_t tp[MAX_Q_SIZE];
+-	mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
+-	mp_bitcnt_t q_bits = mpz_sizeinbase(q, 2);
+-	mp_size_t qn = mpz_size(q);
+ 	mp_bitcnt_t h_bits = length * 8;
+ 	mp_size_t hn = BITS_TO_LIMBS(h_bits);
+ 	size_t nbytes = (q_bits + 7) / 8;
+@@ -62,6 +70,7 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
+ 	mp_limb_t cy;
+ 	gnutls_hmac_hd_t hd;
+ 	int ret = 0;
++	mp_limb_t scratch[MAX_Q_LIMBS];
+ 
+ 	if (unlikely(q_bits > MAX_Q_BITS))
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -69,7 +78,7 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ 
+ 	/* int2octets(x) */
+-	mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
++	mpn_get_base256(xp, nbytes, x, qn);
+ 
+ 	/* bits2octets(h) */
+ 	mpn_set_base256(h, hn, digest, length);
+@@ -93,12 +102,12 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
+ 			mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
+ 	}
+ 
+-	cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
++	cy = mpn_sub_n(h, h, q, qn);
+ 	/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
+ #ifdef mpn_cnd_add_n
+-	mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
++	mpn_cnd_add_n(cy, h, h, q, qn);
+ #else
+-	mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
++	mpn_addmul_1(h, q, qn, cy != 0);
+ #endif
+ 	mpn_get_base256(tp, nbytes, h, qn);
+ 
+@@ -174,12 +183,8 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
+ 		if (tlen * 8 > q_bits)
+ 			mpn_rshift(h, h, qn, tlen * 8 - q_bits);
+ 		/* Check if k is in [1,q-1] */
+-		if (!mpn_zero_p(h, qn) &&
+-		    mpn_cmp(h, mpz_limbs_read(q), qn) < 0) {
+-			mpn_copyi(mpz_limbs_write(k, qn), h, qn);
+-			mpz_limbs_finish(k, qn);
++		if (!sec_zero_p(h, qn) && mpn_sub_n(scratch, h, q, qn))
+ 			break;
+-		}
+ 
+ 		ret = gnutls_hmac_init(&hd, mac, K, length);
+ 		if (ret < 0)
+@@ -203,3 +208,24 @@ out:
+ 
+ 	return ret;
+ }
++
++/* cancel-out dsa_sign's addition of 1 to random data */
++void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				  mp_size_t n)
++{
++	/* Fall back to sub_1, if nettle is linked with mini-gmp. */
++#ifdef mpn_sec_sub_1
++	mp_limb_t t[MAX_Q_LIMBS];
++
++	mpn_sec_sub_1(h, h, n, 1, t);
++#else
++	mpn_sub_1(h, h, n, 1);
++#endif
++	mpn_get_base256(k, nbytes, h, n);
++}
++
++void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				    mp_size_t n)
++{
++	mpn_get_base256(k, nbytes, h, n);
++}
+diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
+index 49d243acb4..2f0667a01e 100644
+--- a/lib/nettle/int/dsa-compute-k.h
++++ b/lib/nettle/int/dsa-compute-k.h
+@@ -26,8 +26,29 @@
+ #include <gnutls/gnutls.h>
+ #include <nettle/bignum.h> /* includes gmp.h */
+ 
+-int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
++#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
++
++/* The maximum size of q, chosen from the fact that we support
++ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
++ * maximum. */
++#define MAX_Q_BITS 521
++#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
++#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
++
++#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
++#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
++
++#define DSA_COMPUTE_K_ITCH MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)
++
++int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
++			  mp_size_t qn, mp_bitcnt_t q_bits,
+ 			  gnutls_mac_algorithm_t mac, const uint8_t *digest,
+ 			  size_t length);
+ 
++void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				  mp_size_t n);
++
++void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				    mp_size_t n);
++
+ #endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
+diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
+index 3b7f886160..4e25235c40 100644
+--- a/lib/nettle/int/ecdsa-compute-k.c
++++ b/lib/nettle/int/ecdsa-compute-k.c
+@@ -29,38 +29,38 @@
+ #include "dsa-compute-k.h"
+ #include "gnutls_int.h"
+ 
+-static inline int _gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
++int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve)
+ {
+ 	switch (curve) {
+ #ifdef ENABLE_NON_SUITEB_CURVES
+ 	case GNUTLS_ECC_CURVE_SECP192R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
+ 				 "146BC9B1B4D22831",
+ 				 16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP224R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
+ 				 "E0B8F03E13DD29455C5C2A3D",
+ 				 16);
+ 		return 0;
+ #endif
+ 	case GNUTLS_ECC_CURVE_SECP256R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
+ 				 "BCE6FAADA7179E84F3B9CAC2FC632551",
+ 				 16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP384R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ 				 "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
+ 				 "581A0DB248B0A77AECEC196ACCC52973",
+ 				 16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP521R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ 				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ 				 "FFA51868783BF2F966B7FCC0148F709A"
+@@ -73,19 +73,3 @@ static inline int _gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
+ 			GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+ 	}
+ }
+-
+-int _gnutls_ecdsa_compute_k(mpz_t k, gnutls_ecc_curve_t curve, const mpz_t x,
+-			    gnutls_mac_algorithm_t mac, const uint8_t *digest,
+-			    size_t length)
+-{
+-	mpz_t q;
+-	int ret;
+-
+-	ret = _gnutls_ecc_curve_to_dsa_q(&q, curve);
+-	if (ret < 0)
+-		return gnutls_assert_val(ret);
+-
+-	ret = _gnutls_dsa_compute_k(k, q, x, mac, digest, length);
+-	mpz_clear(q);
+-	return ret;
+-}
+diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h
+index be8beddb5d..207685763f 100644
+--- a/lib/nettle/int/ecdsa-compute-k.h
++++ b/lib/nettle/int/ecdsa-compute-k.h
+@@ -26,8 +26,6 @@
+ #include <gnutls/gnutls.h>
+ #include <nettle/bignum.h> /* includes gmp.h */
+ 
+-int _gnutls_ecdsa_compute_k(mpz_t k, gnutls_ecc_curve_t curve, const mpz_t x,
+-			    gnutls_mac_algorithm_t mac, const uint8_t *digest,
+-			    size_t length);
++int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve);
+ 
+ #endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 305548f4d1..dd6b9936a8 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -103,10 +103,16 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t *data)
+ 	}
+ }
+ 
+-static void rnd_mpz_func(void *_ctx, size_t length, uint8_t *data)
++static void rnd_datum_func(void *ctx, size_t length, uint8_t *data)
+ {
+-	mpz_t *k = _ctx;
+-	nettle_mpz_get_str_256(length, data, *k);
++	gnutls_datum_t *d = ctx;
++
++	if (length > d->size) {
++		memset(data, 0, length - d->size);
++		memcpy(data + (length - d->size), d->data, d->size);
++	} else {
++		memcpy(data, d->data, length);
++	}
+ }
+ 
+ static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t *data)
+@@ -1403,7 +1409,10 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 		struct dsa_signature sig;
+ 		int curve_id = pk_params->curve;
+ 		const struct ecc_curve *curve;
+-		mpz_t k;
++		mpz_t q;
++		/* 521-bit elliptic curve generator at maximum */
++		uint8_t buf[(521 + 7) / 8];
++		gnutls_datum_t k = { NULL, 0 };
+ 		void *random_ctx;
+ 		nettle_random_func *random_func;
+ 
+@@ -1447,17 +1456,32 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 			not_approved = true;
+ 		}
+ 
+-		mpz_init(k);
++		mpz_init(q);
++
+ 		if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
+ 		    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
+-			ret = _gnutls_ecdsa_compute_k(
+-				k, curve_id, pk_params->params[ECC_K],
++			mp_limb_t h[DSA_COMPUTE_K_ITCH];
++
++			ret = _gnutls_ecc_curve_to_dsa_q(q, curve_id);
++			if (ret < 0)
++				goto ecdsa_cleanup;
++
++			ret = _gnutls_dsa_compute_k(
++				h, mpz_limbs_read(q), priv.p,
++				ecc_size(priv.ecc), ecc_bit_size(priv.ecc),
+ 				DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
+ 				vdata->size);
+ 			if (ret < 0)
+ 				goto ecdsa_cleanup;
++
++			k.data = buf;
++			k.size = (ecc_bit_size(priv.ecc) + 7) / 8;
++
++			_gnutls_ecdsa_compute_k_finish(k.data, k.size, h,
++						       ecc_size(priv.ecc));
++
+ 			random_ctx = &k;
+-			random_func = rnd_mpz_func;
++			random_func = rnd_datum_func;
+ 		} else {
+ 			random_ctx = NULL;
+ 			random_func = rnd_nonce_func;
+@@ -1476,7 +1500,7 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 	ecdsa_cleanup:
+ 		dsa_signature_clear(&sig);
+ 		ecc_scalar_zclear(&priv);
+-		mpz_clear(k);
++		mpz_clear(q);
+ 
+ 		if (ret < 0) {
+ 			gnutls_assert();
+@@ -1488,7 +1512,9 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 		struct dsa_params pub;
+ 		bigint_t priv;
+ 		struct dsa_signature sig;
+-		mpz_t k;
++		/* 512-bit DSA subgroup at maximum */
++		uint8_t buf[(512 + 7) / 8];
++		gnutls_datum_t k = { NULL, 0 };
+ 		void *random_ctx;
+ 		nettle_random_func *random_func;
+ 
+@@ -1515,19 +1541,27 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 			hash_len = vdata->size;
+ 		}
+ 
+-		mpz_init(k);
+ 		if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
+ 		    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
++			mp_limb_t h[DSA_COMPUTE_K_ITCH];
++
+ 			ret = _gnutls_dsa_compute_k(
+-				k, pub.q, TOMPZ(priv),
++				h, mpz_limbs_read(pub.q),
++				mpz_limbs_read(TOMPZ(priv)), mpz_size(pub.q),
++				mpz_sizeinbase(pub.q, 2),
+ 				DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
+ 				vdata->size);
+ 			if (ret < 0)
+ 				goto dsa_fail;
+-			/* cancel-out dsa_sign's addition of 1 to random data */
+-			mpz_sub_ui(k, k, 1);
++
++			k.data = buf;
++			k.size = (mpz_sizeinbase(pub.q, 2) + 7) / 8;
++
++			_gnutls_dsa_compute_k_finish(k.data, k.size, h,
++						     mpz_size(pub.q));
++
+ 			random_ctx = &k;
+-			random_func = rnd_mpz_func;
++			random_func = rnd_datum_func;
+ 		} else {
+ 			random_ctx = NULL;
+ 			random_func = rnd_nonce_func;
+@@ -1544,7 +1578,6 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 
+ 	dsa_fail:
+ 		dsa_signature_clear(&sig);
+-		mpz_clear(k);
+ 
+ 		if (ret < 0) {
+ 			gnutls_assert();
+diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
+index 6969b57a11..bdd5a49c7d 100644
+--- a/tests/sign-verify-deterministic.c
++++ b/tests/sign-verify-deterministic.c
+@@ -198,7 +198,7 @@ void doit(void)
+ 						 &tests[i].msg, &signature);
+ 		if (ret < 0)
+ 			testfail("gnutls_pubkey_verify_data2\n");
+-		success(" - pass");
++		success(" - pass\n");
+ 
+ 	next:
+ 		gnutls_free(signature.data);
+-- 
+GitLab
+

gnutls-CVE-2024-28835.patch

@@ -0,0 +1,410 @@
+From e369e67a62f44561d417cb233acc566cc696d82d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 29 Jan 2024 13:52:46 +0900
+Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: remove length limit of
+ input
+
+Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
+chain verification logic crashed with assertion failure.  This patch
+removes the restriction while keeping the maximum number of
+retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/gnutls_int.h       |   5 +-
+ lib/x509/common.c      |  10 +-
+ lib/x509/verify-high.c |  51 ++++++----
+ tests/test-chains.h    | 211 ++++++++++++++++++++++++++++++++++++++++-
+ 4 files changed, 258 insertions(+), 19 deletions(-)
+
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index d8561ebe3a..8cf9a87157 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -232,7 +232,10 @@ typedef enum record_send_state_t {
+ 
+ #define MAX_PK_PARAM_SIZE 2048
+ 
+-/* defaults for verification functions
++/* Defaults for verification functions.
++ *
++ * update many_icas in tests/test-chains.h when increasing
++ * DEFAULT_MAX_VERIFY_DEPTH.
+  */
+ #define DEFAULT_MAX_VERIFY_DEPTH 16
+ #define DEFAULT_MAX_VERIFY_BITS (MAX_PK_PARAM_SIZE * 8)
+diff --git a/lib/x509/common.c b/lib/x509/common.c
+index 2cc83c9155..705aa868bc 100644
+--- a/lib/x509/common.c
++++ b/lib/x509/common.c
+@@ -1725,7 +1725,15 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
+ 	bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */
+ 	gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
+ 
+-	assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH);
++	/* Limit the number of certificates in the chain, to avoid DoS
++	 * because of the O(n^2) sorting below.  FIXME: Switch to a
++	 * topological sort algorithm which should be linear to the
++	 * number of certificates and subject-issuer relationships.
++	 */
++	if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) {
++		_gnutls_debug_log("too many certificates; skipping sorting\n");
++		return 1;
++	}
+ 
+ 	for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) {
+ 		issuer[i] = -1;
+diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
+index 4e7361eb63..aacc24a7d8 100644
+--- a/lib/x509/verify-high.c
++++ b/lib/x509/verify-high.c
+@@ -25,7 +25,7 @@
+ #include "errors.h"
+ #include <libtasn1.h>
+ #include "global.h"
+-#include "num.h" /* MAX */
++#include "num.h" /* MIN */
+ #include "tls-sig.h"
+ #include "str.h"
+ #include "datum.h"
+@@ -1361,7 +1361,8 @@ int gnutls_x509_trust_list_verify_crt2(
+ 	int ret = 0;
+ 	unsigned int i;
+ 	size_t hash;
+-	gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
++	gnutls_x509_crt_t *cert_list_copy = NULL;
++	unsigned int cert_list_max_size = 0;
+ 	gnutls_x509_crt_t retrieved[DEFAULT_MAX_VERIFY_DEPTH];
+ 	unsigned int retrieved_size = 0;
+ 	const char *hostname = NULL, *purpose = NULL, *email = NULL;
+@@ -1421,16 +1422,28 @@ int gnutls_x509_trust_list_verify_crt2(
+ 		}
+ 	}
+ 
+-	memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
+-	cert_list = sorted;
++	/* Allocate extra for retrieved certificates. */
++	if (!INT_ADD_OK(cert_list_size, DEFAULT_MAX_VERIFY_DEPTH,
++			&cert_list_max_size))
++		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++
++	cert_list_copy = _gnutls_reallocarray(NULL, cert_list_max_size,
++					      sizeof(gnutls_x509_crt_t));
++	if (!cert_list_copy)
++		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++
++	memcpy(cert_list_copy, cert_list,
++	       cert_list_size * sizeof(gnutls_x509_crt_t));
++	cert_list = cert_list_copy;
+ 
+ 	records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq,
+ 					  cert_hashcode, NULL, false);
+-	if (records == NULL)
+-		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++	if (records == NULL) {
++		ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++		goto cleanup;
++	}
+ 
+-	for (i = 0; i < cert_list_size &&
+-		    cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH;) {
++	for (i = 0; i < cert_list_size;) {
+ 		unsigned int sorted_size = 1;
+ 		unsigned int j, k;
+ 		gnutls_x509_crt_t issuer;
+@@ -1442,8 +1455,7 @@ int gnutls_x509_trust_list_verify_crt2(
+ 
+ 		assert(sorted_size > 0);
+ 
+-		/* Remove duplicates. Start with index 1, as the first element
+-		 * may be re-checked after issuer retrieval. */
++		/* Remove duplicates. */
+ 		for (j = 0; j < sorted_size; j++) {
+ 			if (gl_list_search(records, cert_list[i + j])) {
+ 				if (i + j < cert_list_size - 1) {
+@@ -1495,13 +1507,15 @@ int gnutls_x509_trust_list_verify_crt2(
+ 
+ 		ret = retrieve_issuers(
+ 			list, cert_list[i - 1], &retrieved[retrieved_size],
+-			DEFAULT_MAX_VERIFY_DEPTH -
+-				MAX(retrieved_size, cert_list_size));
++			MIN(DEFAULT_MAX_VERIFY_DEPTH - retrieved_size,
++			    cert_list_max_size - cert_list_size));
+ 		if (ret < 0) {
+ 			break;
+ 		} else if (ret > 0) {
+ 			assert((unsigned int)ret <=
+-			       DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
++			       DEFAULT_MAX_VERIFY_DEPTH - retrieved_size);
++			assert((unsigned int)ret <=
++			       cert_list_max_size - cert_list_size);
+ 			memmove(&cert_list[i + ret], &cert_list[i],
+ 				(cert_list_size - i) *
+ 					sizeof(gnutls_x509_crt_t));
+@@ -1517,8 +1531,10 @@ int gnutls_x509_trust_list_verify_crt2(
+ 	}
+ 
+ 	cert_list_size = shorten_clist(list, cert_list, cert_list_size);
+-	if (cert_list_size <= 0)
+-		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++	if (cert_list_size <= 0) {
++		ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++		goto cleanup;
++	}
+ 
+ 	hash = hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.data,
+ 			     cert_list[cert_list_size - 1]->raw_issuer_dn.size);
+@@ -1661,10 +1677,13 @@ int gnutls_x509_trust_list_verify_crt2(
+ 	}
+ 
+ cleanup:
++	gnutls_free(cert_list_copy);
+ 	for (i = 0; i < retrieved_size; i++) {
+ 		gnutls_x509_crt_deinit(retrieved[i]);
+ 	}
+-	gl_list_free(records);
++	if (records) {
++		gl_list_free(records);
++	}
+ 	return ret;
+ }
+ 
+diff --git a/tests/test-chains.h b/tests/test-chains.h
+index 3e559fecd5..a7fe1cdecc 100644
+--- a/tests/test-chains.h
++++ b/tests/test-chains.h
+@@ -23,7 +23,7 @@
+ #ifndef GNUTLS_TESTS_TEST_CHAINS_H
+ #define GNUTLS_TESTS_TEST_CHAINS_H
+ 
+-#define MAX_CHAIN 10
++#define MAX_CHAIN 17
+ 
+ static const char *chain_with_no_subject_id_in_ca_ok[] = {
+ 	"-----BEGIN CERTIFICATE-----\n"
+@@ -4383,6 +4383,213 @@ static const char *cross_signed_ca[] = {
+ 	NULL
+ };
+ 
++/* This assumes DEFAULT_MAX_VERIFY_DEPTH to be 16 */
++static const char *many_icas[] = {
++	/* Server */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBqzCCAV2gAwIBAgIUIK3+SD3GmqJlRLZ/ESyhTzkSDL8wBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYD\n"
++	"VQQDEw90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQAWGjx45NIJiKFsNBxxRRjm\n"
++	"NxUT5KYK7xXr5HPVywwgLaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGC\n"
++	"D3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8E\n"
++	"BAMCB4AwHQYDVR0OBBYEFKgNAQWZPx76/vXqQOdIi5mTftsaMB8GA1UdIwQYMBaA\n"
++	"FDaPsY6WAGuRtrhYJE6Gk/bg5qbdMAUGAytlcANBAMIDh8aGcIIFDTUrzfV7tnkX\n"
++	"hHrxyFKBH/cApf6xcJQTfDXm23po627Ibp+WgLaWMY08Fn9Y2V6Ev8ADfqXNbQ8=\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA16 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUSnE0PKdm/dsnZSWBh5Ct4pS6DcwwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAxq9SI8vp0QH1dDBBuZW+t+bLLROppQbjSQ4O1BEonDOjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2j7GOlgBrkba4\n"
++	"WCROhpP24Oam3TAfBgNVHSMEGDAWgBRvdUKX0aw3nfUIdvivXGSfRO7zyjAFBgMr\n"
++	"ZXADQQBsI2Hc7X5hXoHTvk01qMc5a1I27QHAFRARJnvIQ15wxNS2LVLzGk+AUmwr\n"
++	"sOhBKAcVfS55uWtYdjoWQ80h238H\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA15 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUQk4XkgQVImnp6OPZas7ctwgBza4wBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAs3yVKLJd3sKbNVmj6Bxy2j1x025rksyQpZZWnCx5a+CjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRvdUKX0aw3nfUI\n"
++	"dvivXGSfRO7zyjAfBgNVHSMEGDAWgBRhGfUXYPh4YQsdtTWYUozLphGgfzAFBgMr\n"
++	"ZXADQQBXTtm56x6/pHXdW8dTvZLc/8RufNQrMlc23TCgX0apUnrZdTsNAb7OE4Uu\n"
++	"9PBuxK+CC9NL/BL2hXsKvAT+NWME\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA14 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUKfwz7UUYRvYlvqwmnLJlTOS9o1AwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAXbUetQ08t+F4+IcKL++HpeclqTxXZ7cG4mwqvHmTUEWjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRhGfUXYPh4YQsd\n"
++	"tTWYUozLphGgfzAfBgNVHSMEGDAWgBQYRQqO+V1kefF7QvNnFU1fX5H9+jAFBgMr\n"
++	"ZXADQQAiSHNMTLPFP3oa6q13Dj8jSxF9trQDJGM1ArWffFcPZUt2U4/ODHdcMTHx\n"
++	"kGwhIj+ghBlu6ykgu6J2wewCUooC\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA13 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUUKOs59gyCPAZzoC7zMZQSh6AnQgwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAmvqhj5GYqsXIpsr1BXBfD+2mTP/m/TEpKIYSZHM62dijYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQYRQqO+V1kefF7\n"
++	"QvNnFU1fX5H9+jAfBgNVHSMEGDAWgBQ27HzvP5hl2xR+LOzRcPfmY5ndXjAFBgMr\n"
++	"ZXADQQBrB3NkrYC7EQ74qgeesVOE71rW012dPOOKPAV0laR+JLEgsv9sfus+AdBF\n"
++	"WBNwR3KeYBTi/MFDuecxBHU2m5gD\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA12 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUUQooGfH21+sR7/pSgCWm13gg2H4wBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAK2of/B4wMpk6k/KdugC5dMS+jo2fseUM7/PvXkE6HASjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ27HzvP5hl2xR+\n"
++	"LOzRcPfmY5ndXjAfBgNVHSMEGDAWgBSJDHU0Mj1Xr0e8ErCnRK24w7XwTTAFBgMr\n"
++	"ZXADQQDY8d2bAZpj7oGhdl2dBsCE48jEWj49da0PbgN12koAj3gf4hjMPd8G7p5z\n"
++	"8RsURAwQmCkE8ShvdNw/Qr2tDL0E\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA11 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUW9Dw0hU2pfjXhb5Stip+mk9SndIwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAn5ISjLVV6RBWsnxDWHDicpye7SjFwGOTwzF01/psiJ2jYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSJDHU0Mj1Xr0e8\n"
++	"ErCnRK24w7XwTTAfBgNVHSMEGDAWgBSR9UU27RI0XohiEgHDxNo/9HP4djAFBgMr\n"
++	"ZXADQQCfQg6MDHk71vhyrEo4/5PcLb2Li5F/FKURyux7snv2TbkSdInloAqca9UR\n"
++	"DtqHSLCNLXCNdSPr5QwIt5p29rsE\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA10 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUR4uTedG8e6MibKViQ3eX7QzXG1swBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAnslX04kSVOL5LAf1e+Ze3ggNnDJcEAxLDk8I/IhyjTyjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSR9UU27RI0Xohi\n"
++	"EgHDxNo/9HP4djAfBgNVHSMEGDAWgBRC7US5gJYnvd5F7EN+C4anMgd2NzAFBgMr\n"
++	"ZXADQQDo+jHt07Tvz3T5Lbz6apBrSln8xKYfJk2W1wP85XAnf7sZT9apM1bS4EyD\n"
++	"Kckw+KG+9x7myOZz6AXJgZB5OGAO\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA9 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUSIIIRjrNpE+kEPkiJMOqaNAazvQwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAZKy7p1Gn4W/reRxKJN99+QkHt2q9aELktCKe5PqrX5ejYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRC7US5gJYnvd5F\n"
++	"7EN+C4anMgd2NzAfBgNVHSMEGDAWgBSOhR7Ornis2x8g0J+bvTTwMnW60zAFBgMr\n"
++	"ZXADQQA0MEcC4FgKZEAfalVpApU2to0G158MVz/WTNcSc7fnl8ifJ/g56dVHL1jr\n"
++	"REvC/S28dn/CGAlbVXUAgxnHAbgE\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA8 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUGGFSgD95vOTSj7iFxfXA5vq6vsYwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAg3W/bTdW0fR32NeZEVMXICpa30d7rSdddLOYDvqqUO+jYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSOhR7Ornis2x8g\n"
++	"0J+bvTTwMnW60zAfBgNVHSMEGDAWgBT3zK8Hbn9aVTAOOFY6RSxJ2o5x2jAFBgMr\n"
++	"ZXADQQBl4gnzE463iMFg57gPvjHdVzA39sJBpiu0kUGfRcLnoRI/VOaLcx7WnJ9+\n"
++	"c3KxPZBec76EdIoQDkTmI6m2FIAM\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA7 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUGktMGXhNuaMhKyAlecymmLD+/GIwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEA/Z1oc76hOQ0Hi+2hePaGIntnMIDqBlb7RDMjRpYONP2jYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT3zK8Hbn9aVTAO\n"
++	"OFY6RSxJ2o5x2jAfBgNVHSMEGDAWgBSPae3JUN3jP0NgUJqDV3eYxcaM3DAFBgMr\n"
++	"ZXADQQBMkwKaUZlvG/hax8rv3nnDv8kJOr6KVHBnxSx3hZ+8HIBT7GFm1+YDeYOB\n"
++	"jhNg66kyeFPGXXBCe+mvNQFFjCEE\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA6 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUKn3gz5lAUpKqWlHKLKYDbOJ4rygwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAZ/eD4eTe91ddvHusm7YlLPxU4ByGFc6suAmlP1CxXkWjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSPae3JUN3jP0Ng\n"
++	"UJqDV3eYxcaM3DAfBgNVHSMEGDAWgBT9f/qSI/jhxvGI7aMtkpraDcjBnjAFBgMr\n"
++	"ZXADQQAMRnkmRhnLGdmJaY8B42gfyaAsqCMyds/Tw4OHYy+N48XuAxRjKkhf3szC\n"
++	"0lY71oU043mNP1yx/dzAuCTrVSgI\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA5 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUEgEYbBXXEyGv3vOq10JQv1SBiUUwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAs2xEDPw8RVal53nX9GVwUd1blq1wjtVFC8S1V7up7MWjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT9f/qSI/jhxvGI\n"
++	"7aMtkpraDcjBnjAfBgNVHSMEGDAWgBRBVkLu9BmCKz7HNI8md4vPpoE/7jAFBgMr\n"
++	"ZXADQQCCufAyLijtzzmeCuO3K50rBSbGvB3FQfep7g6kVsQKM3bw/olWK5/Ji0dD\n"
++	"ubJ0cFl1FmfAda7aVxLBtJOvO6MI\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA4 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIULj8GkaHw+92HuOTnXnXlxCy3VrEwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAiedxh4dvtwDellMAHc/pZH0MAOXobRenTUgF1yj5l12jYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRBVkLu9BmCKz7H\n"
++	"NI8md4vPpoE/7jAfBgNVHSMEGDAWgBSDtNRgQ36KwW/ASaMyr6WeDt0STDAFBgMr\n"
++	"ZXADQQDL8U2ckzur7CktdrVUNvfLhVCOz33d/62F28vQFHUa8h/4h+Mi1MMbXOKT\n"
++	"1bL2TvpFpU7Fx/vcIPXDielVqr4C\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA3 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUQXl74TDDw6MQRMbQUSPa6Qrvba8wBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEA7l0jQ0f4fJRw7Qja/Hz2qn8y91SI7CokxhSf+FT+9M6jYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSDtNRgQ36KwW/A\n"
++	"SaMyr6WeDt0STDAfBgNVHSMEGDAWgBQ2inEK4KH6ATftmybxKE1dZUzOozAFBgMr\n"
++	"ZXADQQCnP7Oqx1epGnFnO7TrTJwcUukXDEYsINve2GeUsi8HEIeKKlMcLZ2Cnaj7\n"
++	"5v9NGuWh3QJpmmSGpEemiv8dJc4A\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA2 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUP7Nmof8H2F1LyDkjqlYIUpGdXE8wBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAkW9Rod3CXAnha6nlaHkDbCOegq94lgmjqclA9sOIt3yjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2inEK4KH6ATft\n"
++	"mybxKE1dZUzOozAfBgNVHSMEGDAWgBRPq/CQlK/zuXkjZvTCibu+vejD+jAFBgMr\n"
++	"ZXADQQBU+A+uF0yrtO/yv9cRUdCoL3Y1NKM35INg8BQDnkv724cW9zk1x0q9Fuou\n"
++	"zvfSVb8S3vT8fF5ZDOxarQs6ZH0C\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA1 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBXTCCAQ+gAwIBAgIUfUWP+AQHpdFTRKTf21mMzjaJsp0wBQYDK2VwMBkxFzAV\n"
++	"BgNVBAMTDkdudVRMUyB0ZXN0IENBMCAXDTI0MDMxMjIyNTMzOVoYDzk5OTkxMjMx\n"
++	"MjM1OTU5WjAdMRswGQYDVQQDDBJHbnVUTFMgdGVzdCBJQ0EgJGkwKjAFBgMrZXAD\n"
++	"IQAVmfBAvLbT+pTD24pQrr6S0jEIFIV/qOv93yYvAUzpzKNjMGEwDwYDVR0TAQH/\n"
++	"BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFE+r8JCUr/O5eSNm9MKJ\n"
++	"u7696MP6MB8GA1UdIwQYMBaAFAFpt5wrFsqCtHc4PpluPDvwcxQLMAUGAytlcANB\n"
++	"AC6+XZnthjlUD0TbBKRF3qT5if3Pp29Bgvutw8859unzUZW8FkHg5KeDBj9ncgJc\n"
++	"O2tFnNH2hV6LDPJzU0rtLQc=\n"
++	"-----END CERTIFICATE-----\n",
++	NULL
++};
++
++static const char *many_icas_ca[] = {
++	/* CA (self-signed) */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBNzCB6qADAgECAhRjaokcQwcrtW8tjuVFz3A33F8POjAFBgMrZXAwGTEXMBUG\n"
++	"A1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjQwMzEyMjI1MzM5WhgPOTk5OTEyMzEy\n"
++	"MzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMCowBQYDK2VwAyEAvoxP\n"
++	"TNdbWktxA8qQNNH+25Cx9rzP+DxLGeI/7ODwrQGjQjBAMA8GA1UdEwEB/wQFMAMB\n"
++	"Af8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQBabecKxbKgrR3OD6Zbjw78HMU\n"
++	"CzAFBgMrZXADQQCP5IUD74M7WrUx20uqzrzuj+s2jnBVmLQfWf/Ucetx+oTRFeq4\n"
++	"xZB/adWhycSeJUAB1zKqYUV9hgT8FWHbnHII\n"
++	"-----END CERTIFICATE-----\n",
++	NULL
++};
++
+ #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
+ #pragma GCC diagnostic push
+ #pragma GCC diagnostic ignored "-Wunused-variable"
+@@ -4696,6 +4903,8 @@ static struct {
+ 	  1620118136, 1 },
+ 	{ "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0,
+ 	  1704955300 },
++	{ "many intermediates - ok", many_icas, many_icas_ca, 0, 0, 0,
++	  1710284400 },
+ 	{ NULL, NULL, NULL, 0, 0 }
+ };
+ 
+-- 
+GitLab
+

gnutls-CVE-2025-32988.patch

@@ -0,0 +1,41 @@
+From 608829769cbc247679ffe98841109fc73875e573 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 7 Jul 2025 10:44:12 +0900
+Subject: [PATCH] x509: avoid double free when exporting othernames in SAN
+
+Previously, the _gnutls_write_new_othername function, called by
+gnutls_x509_ext_export_subject_alt_names to export "otherName" in a
+certificate's SAN extension, freed the caller allocated ASN.1
+structure upon error, resulting in a potential double-free.
+
+Reported by OpenAI Security Research Team.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ NEWS                  | 5 +++++
+ lib/x509/extensions.c | 2 --
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c
+index 6c2da8fd10..e8be12eaf5 100644
+--- a/lib/x509/extensions.c
++++ b/lib/x509/extensions.c
+@@ -754,7 +754,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name,
+ 	result = asn1_write_value(ext, name2, oid, 1);
+ 	if (result != ASN1_SUCCESS) {
+ 		gnutls_assert();
+-		asn1_delete_structure(&ext);
+ 		return _gnutls_asn2err(result);
+ 	}
+ 
+@@ -763,7 +762,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name,
+ 	result = asn1_write_value(ext, name2, data, data_size);
+ 	if (result != ASN1_SUCCESS) {
+ 		gnutls_assert();
+-		asn1_delete_structure(&ext);
+ 		return _gnutls_asn2err(result);
+ 	}
+ 
+-- 
+GitLab
+

gnutls-CVE-2025-32989.patch

@@ -0,0 +1,35 @@
+From 8e5ca951257202089246fa37e93a99d210ee5ca2 Mon Sep 17 00:00:00 2001
+From: Andrew Hamilton <adhamilt@gmail.com>
+Date: Mon, 7 Jul 2025 10:23:59 +0900
+Subject: [PATCH] x509: fix read buffer overrun in SCT timestamps
+
+Prevent reading beyond heap buffer in call to _gnutls_parse_ct_sct
+when processing x509 Signed Certificate Timestamps with certain
+malformed data. Spotted by oss-fuzz at:
+https://issues.oss-fuzz.com/issues/42530513
+
+Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ NEWS                                             |   6 +++++-
+ .../04939b75417cc95b7372c6f208c4bda4579bdc34     | Bin 0 -> 1782 bytes
+ lib/x509/x509_ext.c                              |   2 +-
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+ create mode 100644 fuzz/gnutls_x509_parser_fuzzer.repro/04939b75417cc95b7372c6f208c4bda4579bdc34
+
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index 0301a594c2..4b3e552536 100644
+--- a/lib/x509/x509_ext.c
++++ b/lib/x509/x509_ext.c
+@@ -3760,7 +3760,7 @@ int gnutls_x509_ext_ct_import_scts(const gnutls_datum_t *ext,
+ 	}
+ 
+ 	length = _gnutls_read_uint16(scts_content.data);
+-	if (length < 4) {
++	if (length < 4 || length > scts_content.size) {
+ 		gnutls_free(scts_content.data);
+ 		return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ 	}
+-- 
+GitLab
+

gnutls-CVE-2025-6395.patch

@@ -0,0 +1,279 @@
+From 23135619773e6ec087ff2abc65405bd4d5676bad Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 7 Jul 2025 11:15:45 +0900
+Subject: [PATCH] handshake: clear HSK_PSK_SELECTED is when resetting binders
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When a TLS 1.3 handshake involves HRR and resumption or PSK, and the
+second Client Hello omits PSK, the server would result in a NULL
+pointer dereference as the PSK binder information is cleared while the
+HSK_PSK_SELECTED flag is still set. This makes sure that
+HSK_PSK_SELECTED flag is always cleared when the PSK binders are
+reset. This also makes it clear the HSK_PSK_SELECTED flag is valid
+only during a handshake; after that, whether PSK is used can be
+checked with gnutls_auth_client_get_type.
+
+Reported by Stefan Bühler.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ .gitignore                            |   1 +
+ NEWS                                  |   4 +
+ lib/handshake.c                       |  25 +++-
+ lib/state.c                           |   4 +-
+ tests/Makefile.am                     |   2 +
+ tests/tls13/hello_retry_request_psk.c | 173 ++++++++++++++++++++++++++
+ 6 files changed, 205 insertions(+), 4 deletions(-)
+ create mode 100644 tests/tls13/hello_retry_request_psk.c
+
+Index: gnutls-3.8.3/lib/handshake.c
+===================================================================
+--- gnutls-3.8.3.orig/lib/handshake.c
++++ gnutls-3.8.3/lib/handshake.c
+@@ -589,9 +589,28 @@ static int set_auth_types(gnutls_session
+ 		/* Under TLS1.3 this returns a KX which matches the negotiated
+ 		 * groups from the key shares; if we are resuming then the KX seen
+ 		 * here doesn't match the original session. */
+-		if (!session->internals.resumed)
+-			kx = gnutls_kx_get(session);
+-		else
++		if (!session->internals.resumed) {
++			const gnutls_group_entry_st *group = get_group(session);
++
++			if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
++				if (group) {
++					kx = group->pk == GNUTLS_PK_DH ?
++						     GNUTLS_KX_DHE_PSK :
++						     GNUTLS_KX_ECDHE_PSK;
++				} else {
++					kx = GNUTLS_KX_PSK;
++				}
++			} else if (group) {
++				/* Not necessarily be RSA, but just to
++				 * make _gnutls_map_kx_get_cred below
++				 * work.
++				 */
++				kx = group->pk == GNUTLS_PK_DH ?
++					     GNUTLS_KX_DHE_RSA :
++					     GNUTLS_KX_ECDHE_RSA;
++			} else
++				kx = GNUTLS_KX_UNKNOWN;
++		} else
+ 			kx = GNUTLS_KX_UNKNOWN;
+ 	} else {
+ 		/* TLS1.2 or earlier, kx is associated with ciphersuite */
+Index: gnutls-3.8.3/lib/state.c
+===================================================================
+--- gnutls-3.8.3.orig/lib/state.c
++++ gnutls-3.8.3/lib/state.c
+@@ -202,7 +202,8 @@ gnutls_kx_algorithm_t gnutls_kx_get(gnut
+ 		const gnutls_group_entry_st *group = get_group(session);
+ 
+ 		if (ver->tls13_sem) {
+-			if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
++			if (gnutls_auth_client_get_type(session) ==
++			    GNUTLS_CRD_PSK) {
+ 				if (group) {
+ 					if (group->pk == GNUTLS_PK_DH)
+ 						return GNUTLS_KX_DHE_PSK;
+@@ -349,6 +350,7 @@ void reset_binders(gnutls_session_t sess
+ 	_gnutls_free_temp_key_datum(&session->key.binders[0].psk);
+ 	_gnutls_free_temp_key_datum(&session->key.binders[1].psk);
+ 	memset(session->key.binders, 0, sizeof(session->key.binders));
++	session->internals.hsk_flags &= ~HSK_PSK_SELECTED;
+ }
+ 
+ /* Check whether certificate credentials of type @cert_type are set
+Index: gnutls-3.8.3/tests/Makefile.am
+===================================================================
+--- gnutls-3.8.3.orig/tests/Makefile.am
++++ gnutls-3.8.3/tests/Makefile.am
+@@ -128,6 +128,8 @@ ctests += tls13/hello_retry_request
+ 
+ ctests += tls13/hello_retry_request_resume
+ 
++ctests += tls13/hello_retry_request_psk
++
+ ctests += tls13/psk-ext
+ 
+ ctests += tls13/key_update
+Index: gnutls-3.8.3/tests/tls13/hello_retry_request_psk.c
+===================================================================
+--- /dev/null
++++ gnutls-3.8.3/tests/tls13/hello_retry_request_psk.c
+@@ -0,0 +1,173 @@
++/*
++ * Copyright (C) 2017-2025 Red Hat, Inc.
++ *
++ * Author: Nikos Mavrogiannopoulos, Daiki Ueno
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <https://www.gnu.org/licenses/>
++ */
++
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <stdint.h>
++
++#include <string.h>
++#include <gnutls/gnutls.h>
++#include <assert.h>
++
++#include "cert-common.h"
++#include "utils.h"
++#include "tls13/ext-parse.h"
++#include "eagain-common.h"
++
++/* This program exercises the case where a TLS 1.3 handshake ends up
++ * with HRR, and the first CH includes PSK while the 2nd CH omits
++ * it */
++
++const char *testname = "hello entry request";
++
++const char *side = "";
++
++#define myfail(fmt, ...) fail("%s: " fmt, testname, ##__VA_ARGS__)
++
++static void tls_log_func(int level, const char *str)
++{
++	fprintf(stderr, "%s|<%d>| %s", side, level, str);
++}
++
++struct ctx_st {
++	unsigned hrr_seen;
++	unsigned hello_counter;
++};
++
++static int pskfunc(gnutls_session_t session, const char *username,
++		   gnutls_datum_t *key)
++{
++	if (debug)
++		printf("psk: username %s\n", username);
++	key->data = gnutls_malloc(4);
++	key->data[0] = 0xDE;
++	key->data[1] = 0xAD;
++	key->data[2] = 0xBE;
++	key->data[3] = 0xEF;
++	key->size = 4;
++	return 0;
++}
++
++static int hello_callback(gnutls_session_t session, unsigned int htype,
++			  unsigned post, unsigned int incoming,
++			  const gnutls_datum_t *msg)
++{
++	struct ctx_st *ctx = gnutls_session_get_ptr(session);
++	assert(ctx != NULL);
++
++	if (htype == GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST)
++		ctx->hrr_seen = 1;
++
++	if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO) {
++		if (post == GNUTLS_HOOK_POST)
++			ctx->hello_counter++;
++		else {
++			/* Unset the PSK credential to omit the extension */
++			gnutls_credentials_set(session, GNUTLS_CRD_PSK, NULL);
++		}
++	}
++
++	return 0;
++}
++
++void doit(void)
++{
++	int sret, cret;
++	gnutls_psk_server_credentials_t scred;
++	gnutls_psk_client_credentials_t ccred;
++	gnutls_certificate_credentials_t ccred2;
++	gnutls_session_t server, client;
++	/* Need to enable anonymous KX specifically. */
++	const gnutls_datum_t key = { (void *)"DEADBEEF", 8 };
++
++	struct ctx_st ctx;
++	memset(&ctx, 0, sizeof(ctx));
++
++	global_init();
++
++	gnutls_global_set_log_function(tls_log_func);
++	if (debug)
++		gnutls_global_set_log_level(9);
++
++	/* Init server */
++	assert(gnutls_psk_allocate_server_credentials(&scred) >= 0);
++	gnutls_psk_set_server_credentials_function(scred, pskfunc);
++
++	gnutls_init(&server, GNUTLS_SERVER);
++
++	assert(gnutls_priority_set_direct(
++		       server,
++		       "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+DHE-PSK",
++		       NULL) >= 0);
++
++	gnutls_credentials_set(server, GNUTLS_CRD_PSK, scred);
++	gnutls_transport_set_push_function(server, server_push);
++	gnutls_transport_set_pull_function(server, server_pull);
++	gnutls_transport_set_ptr(server, server);
++
++	/* Init client */
++	assert(gnutls_psk_allocate_client_credentials(&ccred) >= 0);
++	gnutls_psk_set_client_credentials(ccred, "test", &key,
++					  GNUTLS_PSK_KEY_HEX);
++	assert(gnutls_certificate_allocate_credentials(&ccred2) >= 0);
++
++	assert(gnutls_init(&client, GNUTLS_CLIENT | GNUTLS_KEY_SHARE_TOP) >= 0);
++
++	gnutls_session_set_ptr(client, &ctx);
++
++	cret = gnutls_priority_set_direct(
++		client,
++		"NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-X25519:+DHE-PSK",
++		NULL);
++	if (cret < 0)
++		myfail("cannot set TLS 1.3 priorities\n");
++
++	gnutls_credentials_set(client, GNUTLS_CRD_PSK, ccred);
++	gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred2);
++	gnutls_transport_set_push_function(client, client_push);
++	gnutls_transport_set_pull_function(client, client_pull);
++	gnutls_transport_set_ptr(client, client);
++
++	gnutls_handshake_set_hook_function(client, GNUTLS_HANDSHAKE_ANY,
++					   GNUTLS_HOOK_BOTH, hello_callback);
++
++	HANDSHAKE_EXPECT(client, server, GNUTLS_E_AGAIN,
++			 GNUTLS_E_INSUFFICIENT_CREDENTIALS);
++
++	assert(ctx.hrr_seen != 0);
++
++	gnutls_bye(client, GNUTLS_SHUT_WR);
++	gnutls_bye(server, GNUTLS_SHUT_WR);
++
++	gnutls_deinit(client);
++	gnutls_deinit(server);
++
++	gnutls_psk_free_server_credentials(scred);
++	gnutls_psk_free_client_credentials(ccred);
++	gnutls_certificate_free_credentials(ccred2);
++
++	gnutls_global_deinit();
++	reset_buffers();
++}

gnutls-CVE-2025-9820.patch

@@ -0,0 +1,231 @@
+From 1d56f96f6ab5034d677136b9d50b5a75dff0faf5 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 18 Nov 2025 13:17:55 +0900
+Subject: [PATCH] pkcs11: avoid stack overwrite when initializing a token
+
+If gnutls_pkcs11_token_init is called with label longer than 32
+characters, the internal storage used to blank-fill it would
+overflow. This adds a guard to prevent that.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ .gitignore                |   2 +
+ NEWS                      |   4 +
+ lib/pkcs11_write.c        |   5 +-
+ tests/Makefile.am         |   2 +-
+ tests/pkcs11/long-label.c | 164 ++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 174 insertions(+), 3 deletions(-)
+ create mode 100644 tests/pkcs11/long-label.c
+
+Index: gnutls-3.8.3/lib/pkcs11_write.c
+===================================================================
+--- gnutls-3.8.3.orig/lib/pkcs11_write.c
++++ gnutls-3.8.3/lib/pkcs11_write.c
+@@ -28,6 +28,7 @@
+ #include "pkcs11x.h"
+ #include "x509/common.h"
+ #include "pk.h"
++#include "minmax.h"
+ 
+ static const ck_bool_t tval = 1;
+ static const ck_bool_t fval = 0;
+@@ -1170,7 +1171,7 @@ int gnutls_pkcs11_delete_url(const char
+  * gnutls_pkcs11_token_init:
+  * @token_url: A PKCS #11 URL specifying a token
+  * @so_pin: Security Officer's PIN
+- * @label: A name to be used for the token
++ * @label: A name to be used for the token, at most 32 characters
+  *
+  * This function will initialize (format) a token. If the token is
+  * at a factory defaults state the security officer's PIN given will be
+@@ -1208,7 +1209,7 @@ int gnutls_pkcs11_token_init(const char
+ 	/* so it seems memset has other uses than zeroing! */
+ 	memset(flabel, ' ', sizeof(flabel));
+ 	if (label != NULL)
+-		memcpy(flabel, label, strlen(label));
++		memcpy(flabel, label, MIN(sizeof(flabel), strlen(label)));
+ 
+ 	rv = pkcs11_init_token(module, slot, (uint8_t *)so_pin, strlen(so_pin),
+ 			       (uint8_t *)flabel);
+Index: gnutls-3.8.3/tests/Makefile.am
+===================================================================
+--- gnutls-3.8.3.orig/tests/Makefile.am
++++ gnutls-3.8.3/tests/Makefile.am
+@@ -495,7 +495,7 @@ pathbuf_CPPFLAGS = $(AM_CPPFLAGS) \
+ if ENABLE_PKCS11
+ if !WINDOWS
+ ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key \
+-	global-init-override pkcs11/distrust-after
++	global-init-override pkcs11/distrust-after pkcs11/long-label
+ tls13_post_handshake_with_cert_pkcs11_DEPENDENCIES = libpkcs11mock2.la libutils.la
+ tls13_post_handshake_with_cert_pkcs11_LDADD = $(LDADD) $(LIBDL)
+ pkcs11_tls_neg_pkcs11_no_key_DEPENDENCIES = libpkcs11mock2.la libutils.la
+Index: gnutls-3.8.3/tests/pkcs11/long-label.c
+===================================================================
+--- /dev/null
++++ gnutls-3.8.3/tests/pkcs11/long-label.c
+@@ -0,0 +1,164 @@
++/*
++ * Copyright (C) 2025 Red Hat, Inc.
++ *
++ * Author: Daiki Ueno
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <https://www.gnu.org/licenses/>
++ */
++
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++
++#if defined(_WIN32)
++
++int main(void)
++{
++	exit(77);
++}
++
++#else
++
++#include <string.h>
++#include <unistd.h>
++#include <gnutls/gnutls.h>
++
++#include "cert-common.h"
++#include "pkcs11/softhsm.h"
++#include "utils.h"
++
++/* This program tests that a token can be initialized with
++ * a label longer than 32 characters.
++ */
++
++static void tls_log_func(int level, const char *str)
++{
++	fprintf(stderr, "server|<%d>| %s", level, str);
++}
++
++#define PIN "1234"
++
++#define CONFIG_NAME "softhsm-long-label"
++#define CONFIG CONFIG_NAME ".config"
++
++static int pin_func(void *userdata, int attempt, const char *url,
++		    const char *label, unsigned flags, char *pin,
++		    size_t pin_max)
++{
++	if (attempt == 0) {
++		strcpy(pin, PIN);
++		return 0;
++	}
++	return -1;
++}
++
++static void test(const char *provider)
++{
++	int ret;
++	size_t i;
++
++	gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
++
++	success("test with %s\n", provider);
++
++	if (debug) {
++		gnutls_global_set_log_function(tls_log_func);
++		gnutls_global_set_log_level(4711);
++	}
++
++	/* point to SoftHSM token that libpkcs11mock4.so internally uses */
++	setenv(SOFTHSM_ENV, CONFIG, 1);
++
++	gnutls_pkcs11_set_pin_function(pin_func, NULL);
++
++	ret = gnutls_pkcs11_add_provider(provider, "trusted");
++	if (ret != 0) {
++		fail("gnutls_pkcs11_add_provider: %s\n", gnutls_strerror(ret));
++	}
++
++	/* initialize softhsm token */
++	ret = gnutls_pkcs11_token_init(
++		SOFTHSM_URL, PIN,
++		"this is a very long label whose length exceeds 32");
++	if (ret < 0) {
++		fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret));
++	}
++
++	for (i = 0;; i++) {
++		char *url = NULL;
++
++		ret = gnutls_pkcs11_token_get_url(i, 0, &url);
++		if (ret < 0)
++			break;
++		if (strstr(url,
++			   "token=this%20is%20a%20very%20long%20label%20whose"))
++			break;
++	}
++	if (ret < 0)
++		fail("gnutls_pkcs11_token_get_url: %s\n", gnutls_strerror(ret));
++
++	gnutls_pkcs11_deinit();
++}
++
++void doit(void)
++{
++	const char *bin;
++	const char *lib;
++	char buf[128];
++
++	if (gnutls_fips140_mode_enabled())
++		exit(77);
++
++	/* this must be called once in the program */
++	global_init();
++
++	/* we call gnutls_pkcs11_init manually */
++	gnutls_pkcs11_deinit();
++
++	/* check if softhsm module is loadable */
++	lib = softhsm_lib();
++
++	/* initialize SoftHSM token that libpkcs11mock4.so internally uses */
++	bin = softhsm_bin();
++
++	set_softhsm_conf(CONFIG);
++	snprintf(buf, sizeof(buf),
++		 "%s --init-token --slot 0 --label test --so-pin " PIN
++		 " --pin " PIN,
++		 bin);
++	system(buf);
++
++	test(lib);
++
++	lib = getenv("P11MOCKLIB4");
++	if (lib == NULL) {
++		fail("P11MOCKLIB4 is not set\n");
++	}
++
++	set_softhsm_conf(CONFIG);
++	snprintf(buf, sizeof(buf),
++		 "%s --init-token --slot 0 --label test --so-pin " PIN
++		 " --pin " PIN,
++		 bin);
++	system(buf);
++
++	test(lib);
++}
++#endif /* _WIN32 */

gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch

@@ -1,120 +1,112 @@
-Index: gnutls-3.8.8/lib/fips.c
+Index: gnutls-3.8.0/lib/fips.c
 ===================================================================
---- gnutls-3.8.8.orig/lib/fips.c
-+++ gnutls-3.8.8/lib/fips.c
-@@ -349,11 +349,90 @@ static int load_hmac_file(struct hmac_fi
- }
+--- gnutls-3.8.0.orig/lib/fips.c
++++ gnutls-3.8.0/lib/fips.c
+@@ -171,16 +171,28 @@ struct hmac_entry {
+ struct hmac_file {
+ 	int version;
+ 	struct hmac_entry gnutls;
++#if 0
++	/* Disable nettle, hogweed and gpm HMAC verification as
++	 * they are calculated during build of the respective
++	 * packages and can differ from the ones listed here.
++	 */
+ 	struct hmac_entry nettle;
+ 	struct hmac_entry hogweed;
+ 	struct hmac_entry gmp;
++#endif
+ };
+ 
+ struct lib_paths {
+ 	char gnutls[GNUTLS_PATH_MAX];
++#if 0
++	/* Disable nettle, hogweed and gpm HMAC verification as
++	 * they are calculated during build of the respective
++	 * packages and can differ from the ones listed here.
++	 */
+ 	char nettle[GNUTLS_PATH_MAX];
+ 	char hogweed[GNUTLS_PATH_MAX];
+ 	char gmp[GNUTLS_PATH_MAX];
++#endif
+ };
  
  /*
-+ * check_dep_lib_hmac:
-+ * @path: path to the library which hmac should be compared
-+ *
-+ * Verify that HMAC of a given library matches the hmac in the file
-+ * provided by the library, named: .<libname>.so.<soname>.hmac.
-+ *
-+ * Returns: 0 on successful HMAC verification, a negative error code otherwise
-+ */
-+static int check_dep_lib_hmac(const char *path)
-+{
-+	int ret;
-+	unsigned prev;
-+	uint8_t hmac[HMAC_SIZE];
-+	gnutls_datum_t data;
-+	char hmac_path[GNUTLS_PATH_MAX];
-+	uint8_t lib_hmac[HMAC_SIZE];
-+	size_t lib_hmac_size;
-+
-+	_gnutls_debug_log("Loading: %s\n", path);
-+	ret = gnutls_load_file(path, &data);
-+	if (ret < 0) {
-+		_gnutls_debug_log("Could not load %s: %s\n", path,
-+				  gnutls_strerror(ret));
-+		return gnutls_assert_val(ret);
-+	}
-+
-+	prev = _gnutls_get_lib_state();
-+	_gnutls_switch_lib_state(LIB_STATE_OPERATIONAL);
-+	ret = gnutls_hmac_fast(HMAC_ALGO, FIPS_KEY, sizeof(FIPS_KEY) - 1,
-+			       data.data, data.size, hmac);
-+	_gnutls_switch_lib_state(prev);
-+
-+	gnutls_free(data.data);
-+	if (ret < 0) {
-+		_gnutls_debug_log("Could not calculate HMAC for %s: %s\n", path,
-+				  gnutls_strerror(ret));
-+		return gnutls_assert_val(ret);
-+	}
-+
-+	/* Check now the integrity of the hmac provided by the library */
-+	ret = get_hmac_path(hmac_path, sizeof(hmac_path), path);
-+	if (ret < 0) {
-+		_gnutls_debug_log("Could not get hmac file path: %s\n",
-+							gnutls_strerror(ret));
-+		return ret;
-+	}
-+	_gnutls_debug_log("Loading: %s\n", hmac_path);
-+	ret = gnutls_load_file(hmac_path, &data);
-+	if (ret < 0) {
-+		_gnutls_debug_log("Could not load %s: %s\n", hmac_path,
-+							gnutls_strerror(ret));
-+		return gnutls_assert_val(ret);
-+	}
-+	lib_hmac_size = hex_data_size(data.size);
-+	/* trim eventual newlines from the end of the data read from file */
-+	while ((data.size > 0) && (data.data[data.size - 1] == '\n')) {
-+		data.data[data.size - 1] = 0;
-+		data.size--;
-+	}
-+	ret = gnutls_hex_decode(&data, lib_hmac, &lib_hmac_size);
-+	gnutls_free(data.data);
-+	if (ret < 0) {
-+		_gnutls_debug_log("Could not hex decode hmac\n");
-+		return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
-+	}
-+	ret = gnutls_memcmp(lib_hmac, hmac, HMAC_SIZE);
-+	if (ret){
-+		_gnutls_debug_log("Calculated MAC for %s does not match\n",
-+							path);
-+		gnutls_memset(hmac, 0, HMAC_SIZE);
-+		gnutls_memset(lib_hmac, 0, HMAC_SIZE);
-+		return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
-+	}
-+	_gnutls_debug_log("Successfully verified MAC for %s\n", path);
-+	gnutls_memset(hmac, 0, HMAC_SIZE);
-+	return 0;
-+}
-+
-+/*
-  * check_lib_hmac:
-  * @entry: hmac file entry
-  * @path: path to the library which hmac should be compared
-  *
-- * Verify that HMAC from hmac file entry matches HMAC of given library.
-+ * Verify that HMAC from hmac file entry matches HMAC of gnutls library.
-  *
-  * Returns: 0 on successful HMAC verification, a negative error code otherwise
-  */
-@@ -496,17 +575,20 @@ static int check_binary_integrity(void)
+@@ -241,12 +253,18 @@ static int handler(void *user, const cha
+ 		}
+ 	} else if (!strcmp(section, GNUTLS_LIBRARY_NAME)) {
+ 		return lib_handler(&p->gnutls, section, name, value);
++#if 0
++	/* Disable nettle, hogweed and gpm HMAC verification as
++	 * they are calculated during build of the respective
++	 * packages and can differ from the ones listed here.
++	 */
+ 	} else if (!strcmp(section, NETTLE_LIBRARY_NAME)) {
+ 		return lib_handler(&p->nettle, section, name, value);
+ 	} else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) {
+ 		return lib_handler(&p->hogweed, section, name, value);
+ 	} else if (!strcmp(section, GMP_LIBRARY_NAME)) {
+ 		return lib_handler(&p->gmp, section, name, value);
++#endif
+ 	} else {
+ 		return 0;
+ 	}
+@@ -391,12 +409,18 @@ static int callback(struct dl_phdr_info
+ 
+ 	if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
+ 		_gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
++#if 0
++	/* Disable nettle, hogweed and gpm HMAC verification as
++	 * they are calculated during build of the respective
++	 * packages and can differ from the ones listed here.
++	 */
+ 	else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
+ 		_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
+ 	else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+ 		_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
+ 	else if (!strcmp(soname, GMP_LIBRARY_SONAME))
+ 		_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
++#endif
+ 	return 0;
+ }
+ 
+@@ -409,6 +433,11 @@ static int load_lib_paths(struct lib_pat
+ 		_gnutls_debug_log("Gnutls library path was not found\n");
+ 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+ 	}
++#if 0
++	/* Disable nettle, hogweed and gpm HMAC verification as
++	 * they are calculated during build of the respective
++	 * packages and can differ from the ones listed here.
++	 */
+ 	if (paths->nettle[0] == '\0') {
+ 		_gnutls_debug_log("Nettle library path was not found\n");
+ 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+@@ -421,7 +450,7 @@ static int load_lib_paths(struct lib_pat
+ 		_gnutls_debug_log("Gmp library path was not found\n");
+ 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+ 	}
+-
++#endif
+ 	return GNUTLS_E_SUCCESS;
+ }
+ 
+@@ -467,6 +496,11 @@ static int check_binary_integrity(void)
+ 	ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
  	if (ret < 0)
  		return ret;
- #ifdef NETTLE_LIBRARY_SONAME
--	ret = check_lib_hmac(&hmac.nettle, paths.nettle);
-+	//ret = check_lib_hmac(&hmac.nettle, paths.nettle);
-+	ret = check_dep_lib_hmac(paths.nettle);
++# if 0
++	/* Disable nettle, hogweed and gpm HMAC verification as
++	 * they are calculated during build of the respective
++	 * packages and can differ from the ones listed here.
++	 */
+ 	ret = check_lib_hmac(&hmac.nettle, paths.nettle);
  	if (ret < 0)
  		return ret;
- #endif
- #ifdef HOGWEED_LIBRARY_SONAME
--	ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
-+	//ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
-+	ret = check_dep_lib_hmac(paths.hogweed);
+@@ -476,6 +510,7 @@ static int check_binary_integrity(void)
+ 	ret = check_lib_hmac(&hmac.gmp, paths.gmp);
  	if (ret < 0)
  		return ret;
- #endif
- #ifdef GMP_LIBRARY_SONAME
--	ret = check_lib_hmac(&hmac.gmp, paths.gmp);
-+	//ret = check_lib_hmac(&hmac.gmp, paths.gmp);
-+	ret = check_dep_lib_hmac(paths.gmp);
- 	if (ret < 0)
- 		return ret;
- #endif
++# endif
+ 
+ 	return 0;
+ }

gnutls-FIPS-HMAC-x86_64-v3-opt.patch

@@ -1,47 +0,0 @@
-Index: gnutls-3.8.9/lib/fips.c
-===================================================================
---- gnutls-3.8.9.orig/lib/fips.c
-+++ gnutls-3.8.9/lib/fips.c
-@@ -268,6 +268,28 @@ static int handler(void *user, const cha
- 	return 1;
- }
- 
-+
-+/* In case of x86_64-v3 optmizations, names might differ in version numbers.
-+ * @mac_file: buffer where the hmac file path will be written to
-+ * @lib_path: path to the dependent library, used to deduce hmac file path
-+ * @file_name: The file name of the library
-+ */
-+ static void get_hwcaps_lib_hmac_path(char *mac_file, const char *lib_path, char *file_name) {
-+	// Cut name short if more than SOVER is present 
-+	char *soname = strstr(file_name, ".so.");
-+	char correct_ext[256];
-+	memset(correct_ext, 0x0, 256);
-+	soname += strlen(".so.");
-+	for (uint32_t i = 0; i < strlen(soname); i++) {
-+		if (soname[i] == '.') {
-+			int proper_len = soname - file_name + i;
-+			strncpy(correct_ext, file_name, proper_len);
-+			snprintf(mac_file, 256, "%.*s/.%.*s.hmac",  (int)(file_name-lib_path),lib_path,proper_len,correct_ext);
-+			break;	
-+		}
-+	}
-+}
-+
- /*
-  * get_hmac_path:
-  * @mac_file: buffer where the hmac file path will be written to
-@@ -300,6 +322,13 @@ static int get_hmac_path(char *mac_file,
- 	if (ret == 0)
- 		return GNUTLS_E_SUCCESS;
- 
-+	if (strstr(gnutls_path, "glibc-hwcaps")) {
-+		get_hwcaps_lib_hmac_path(mac_file, gnutls_path, p + 1);
-+		ret = _gnutls_file_exists(mac_file);
-+		if (ret == 0)
-+			return GNUTLS_E_SUCCESS;
-+	}
-+		
- 	if (p == NULL)
- 		ret = snprintf(mac_file, mac_file_size, "fipscheck/.%s.hmac",
- 			       gnutls_path);

gnutls-FIPS-TLS_KDF_selftest.patch

@@ -1,8 +1,8 @@
-Index: gnutls-3.8.9/lib/fips.c
+Index: gnutls-3.7.7/lib/fips.c
 ===================================================================
---- gnutls-3.8.9.orig/lib/fips.c
-+++ gnutls-3.8.9/lib/fips.c
-@@ -621,6 +621,26 @@ int _gnutls_fips_perform_self_checks2(vo
+--- gnutls-3.7.7.orig/lib/fips.c
++++ gnutls-3.7.7/lib/fips.c
+@@ -517,6 +517,26 @@ int _gnutls_fips_perform_self_checks2(vo
  		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
  	}
  
@@ -27,5 +27,5 @@ Index: gnutls-3.8.9/lib/fips.c
 +	}
 +
  	/* PK */
- 	if (_gnutls_config_is_rsa_pkcs1_encrypt_allowed()) {
- 		ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
+ 	if (ret < 0) {

gnutls-FIPS-disable-mac-sha1.patch

@@ -1,181 +0,0 @@
-commit c4eba74d4745e3a97b443abae1431658a826d2eb
-Author: Angel Yankov <angel.yankov@suse.com>
-Date:   Thu Nov 28 11:02:07 2024 +0200
-
-    SHA-1 is not allowed in FIPS-140-3 anymore after 2030. Mark it as
-    unapproved
-    
-    Signed-off-by: Angel Yankov <angel.yankov@suse.com>
-
-Index: gnutls-3.8.10/lib/crypto-api.c
-===================================================================
---- gnutls-3.8.10.orig/lib/crypto-api.c
-+++ gnutls-3.8.10/lib/crypto-api.c
-@@ -33,6 +33,7 @@
- #include "crypto-api.h"
- #include "iov.h"
- #include "intprops.h"
-+#include <gnutls/gnutls.h>
- 
- typedef struct api_cipher_hd_st {
- 	cipher_hd_st ctx_enc;
-@@ -597,7 +598,9 @@ int gnutls_hmac_init(gnutls_hmac_hd_t *d
- 	bool not_approved = false;
- 
- 	/* MD5 is only allowed internally for TLS */
--	if (!is_mac_algo_allowed(algorithm)) {
-+	if (algorithm == GNUTLS_MAC_SHA1) 
-+		not_approved = true;
-+	else if (!is_mac_algo_allowed(algorithm)) {
- 		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
- 		return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
- 	} else if (!is_mac_algo_approved_in_fips(algorithm)) {
-@@ -757,8 +760,9 @@ int gnutls_hmac_fast(gnutls_mac_algorith
- {
- 	int ret;
- 	bool not_approved = false;
--
--	if (!is_mac_algo_allowed(algorithm)) {
-+	if (algorithm == GNUTLS_MAC_SHA1) 
-+		not_approved = true;
-+	else if (!is_mac_algo_allowed(algorithm)) {
- 		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
- 		return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
- 	} else if (!is_mac_algo_approved_in_fips(algorithm)) {
-@@ -839,8 +843,9 @@ int gnutls_hash_init(gnutls_hash_hd_t *d
- {
- 	int ret;
- 	bool not_approved = false;
--
--	if (!is_mac_algo_allowed(DIG_TO_MAC(algorithm))) {
-+	if (algorithm == GNUTLS_MAC_SHA1) 
-+		not_approved = true;
-+	else if (!is_mac_algo_allowed(DIG_TO_MAC(algorithm))) {
- 		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
- 		return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
- 	} else if (!is_mac_algo_approved_in_fips(DIG_TO_MAC(algorithm))) {
-@@ -957,8 +962,9 @@ int gnutls_hash_fast(gnutls_digest_algor
- {
- 	int ret;
- 	bool not_approved = false;
--
--	if (!is_mac_algo_allowed(DIG_TO_MAC(algorithm))) {
-+	if (algorithm == GNUTLS_MAC_SHA1) 
-+		not_approved = true;
-+	else if (!is_mac_algo_allowed(DIG_TO_MAC(algorithm))) {
- 		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
- 		return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
- 	} else if (!is_mac_algo_approved_in_fips(DIG_TO_MAC(algorithm))) {
-@@ -2173,7 +2179,9 @@ int gnutls_pbkdf2(gnutls_mac_algorithm_t
- 	bool not_approved = false;
- 
- 	/* MD5 is only allowed internally for TLS */
--	if (!is_mac_algo_allowed(mac)) {
-+	if (mac == GNUTLS_MAC_SHA1) 
-+		not_approved = true;
-+	else if (!is_mac_algo_allowed(mac)) {
- 		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
- 		return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
- 	} else if (!is_mac_algo_hmac_approved_in_fips(mac)) {
-Index: gnutls-3.8.10/lib/crypto-selftests.c
-===================================================================
---- gnutls-3.8.10.orig/lib/crypto-selftests.c
-+++ gnutls-3.8.10/lib/crypto-selftests.c
-@@ -2891,7 +2891,7 @@ int gnutls_mac_self_test(unsigned flags,
- 	case GNUTLS_MAC_UNKNOWN:
- 		NON_FIPS_CASE(GNUTLS_MAC_MD5, test_mac, hmac_md5_vectors);
- 		FALLTHROUGH;
--		CASE(GNUTLS_MAC_SHA1, test_mac, hmac_sha1_vectors);
-+		NON_FIPS_CASE(GNUTLS_MAC_SHA1, test_mac, hmac_sha1_vectors);
- 		FALLTHROUGH;
- 		CASE(GNUTLS_MAC_SHA224, test_mac, hmac_sha224_vectors);
- 		FALLTHROUGH;
-Index: gnutls-3.8.10/lib/fips.h
-===================================================================
---- gnutls-3.8.10.orig/lib/fips.h
-+++ gnutls-3.8.10/lib/fips.h
-@@ -79,7 +79,6 @@ inline static bool
- is_mac_algo_hmac_approved_in_fips(gnutls_mac_algorithm_t algo)
- {
- 	switch (algo) {
--	case GNUTLS_MAC_SHA1:
- 	case GNUTLS_MAC_SHA256:
- 	case GNUTLS_MAC_SHA384:
- 	case GNUTLS_MAC_SHA512:
-Index: gnutls-3.8.10/tests/fips-test.c
-===================================================================
---- gnutls-3.8.10.orig/tests/fips-test.c
-+++ gnutls-3.8.10/tests/fips-test.c
-@@ -397,11 +397,12 @@ void doit(void)
- 	}
- 	FIPS_POP_CONTEXT(ERROR);
- 
-+	FIPS_PUSH_CONTEXT();
- 	ret = gnutls_hmac_init(&mh, GNUTLS_MAC_SHA1, key.data, key.size);
- 	if (ret < 0) {
--		fail("gnutls_hmac_init failed\n");
-+		fail("gnutls_hmac_init failed for sha1\n");
- 	}
--	gnutls_hmac_deinit(mh, NULL);
-+	FIPS_POP_CONTEXT(NOT_APPROVED);
- 
- 	ret = gnutls_hmac_init(&mh, GNUTLS_MAC_MD5, key.data, key.size);
- 	if (ret != GNUTLS_E_UNWANTED_ALGORITHM) {
-@@ -736,7 +737,7 @@ void doit(void)
- 	}
- 	hashed_data.data = hash;
- 	hashed_data.size = 20;
--	FIPS_POP_CONTEXT(APPROVED);
-+	FIPS_POP_CONTEXT(NOT_APPROVED);
- 
- 	/* Create a signature with ECDSA and SHA1 (2-pass API); not-approved */
- 	FIPS_PUSH_CONTEXT();
-Index: gnutls-3.8.10/tests/gnutls_hmac_fast.c
-===================================================================
---- gnutls-3.8.10.orig/tests/gnutls_hmac_fast.c
-+++ gnutls-3.8.10/tests/gnutls_hmac_fast.c
-@@ -42,6 +42,11 @@ void doit(void)
- 	if (debug)
- 		gnutls_global_set_log_level(4711);
- 
-+	/* enable MD5 and SHA1 usage  */
-+	if (gnutls_fips140_mode_enabled()) {
-+		gnutls_fips140_set_mode(GNUTLS_FIPS140_LOG, 0);
-+	}
-+
- 	err = gnutls_hmac_fast(GNUTLS_MAC_SHA1, "keykeykey", 9, "abcdefgh", 8,
- 			       digest);
- 	if (err < 0)
-@@ -59,11 +64,6 @@ void doit(void)
- 		}
- 	}
- 
--	/* enable MD5 usage */
--	if (gnutls_fips140_mode_enabled()) {
--		gnutls_fips140_set_mode(GNUTLS_FIPS140_LOG, 0);
--	}
--
- 	err = gnutls_hmac_fast(GNUTLS_MAC_MD5, "keykeykey", 9, "abcdefgh", 8,
- 			       digest);
- 	if (err < 0)
-Index: gnutls-3.8.10/tests/kdf-api.c
-===================================================================
---- gnutls-3.8.10.orig/tests/kdf-api.c
-+++ gnutls-3.8.10/tests/kdf-api.c
-@@ -108,7 +108,6 @@ inline static bool
- is_mac_algo_hmac_approved_in_fips(gnutls_mac_algorithm_t algo)
- {
- 	switch (algo) {
--	case GNUTLS_MAC_SHA1:
- 	case GNUTLS_MAC_SHA256:
- 	case GNUTLS_MAC_SHA384:
- 	case GNUTLS_MAC_SHA512:
-@@ -145,7 +144,7 @@ static void test_pbkdf2(gnutls_mac_algor
- 	assert(gnutls_hex_decode2(&hex, &salt) >= 0);
- 
- 	fips_push_context(fips_context);
--	assert(gnutls_pbkdf2(mac, &ikm, &salt, iter_count, buf, length) >= 0);
-+	gnutls_pbkdf2(mac, &ikm, &salt, iter_count, buf, length);
- 	fips_pop_context(fips_context, expected_state);
- 	gnutls_free(ikm.data);
- 	gnutls_free(salt.data);

gnutls-FIPS-jitterentropy-deinit-threads.patch

@@ -1,8 +1,8 @@
-Index: gnutls-3.8.4/lib/state.c
+Index: gnutls-3.7.3/lib/state.c
 ===================================================================
---- gnutls-3.8.4.orig/lib/state.c
-+++ gnutls-3.8.4/lib/state.c
-@@ -830,6 +830,12 @@ void gnutls_deinit(gnutls_session_t sess
+--- gnutls-3.7.3.orig/lib/state.c
++++ gnutls-3.7.3/lib/state.c
+@@ -794,6 +794,12 @@ void gnutls_deinit(gnutls_session_t sess
  	gnutls_mutex_deinit(&session->internals.post_negotiation_lock);
  	gnutls_mutex_deinit(&session->internals.epoch_lock);
  
@@ -15,11 +15,11 @@ Index: gnutls-3.8.4/lib/state.c
  	gnutls_free(session);
  }
  
-Index: gnutls-3.8.4/lib/nettle/rnd.c
+Index: gnutls-3.7.3/lib/nettle/rnd.c
 ===================================================================
---- gnutls-3.8.4.orig/lib/nettle/rnd.c
-+++ gnutls-3.8.4/lib/nettle/rnd.c
-@@ -79,6 +79,12 @@ struct generators_ctx_st {
+--- gnutls-3.7.3.orig/lib/nettle/rnd.c
++++ gnutls-3.7.3/lib/nettle/rnd.c
+@@ -75,6 +75,12 @@ struct generators_ctx_st {
  
  static void wrap_nettle_rnd_deinit(void *_ctx)
  {

gnutls-FIPS-jitterentropy.patch

@@ -1,7 +1,7 @@
-Index: gnutls-3.8.9/lib/nettle/sysrng-linux.c
+Index: gnutls-3.8.1/lib/nettle/sysrng-linux.c
 ===================================================================
---- gnutls-3.8.9.orig/lib/nettle/sysrng-linux.c
-+++ gnutls-3.8.9/lib/nettle/sysrng-linux.c
+--- gnutls-3.8.1.orig/lib/nettle/sysrng-linux.c
++++ gnutls-3.8.1/lib/nettle/sysrng-linux.c
 @@ -49,6 +49,15 @@
  get_entropy_func _rnd_get_system_entropy = NULL;
  
@@ -158,11 +158,11 @@ Index: gnutls-3.8.9/lib/nettle/sysrng-linux.c
 +#endif
  	return;
  }
-Index: gnutls-3.8.9/lib/nettle/Makefile.in
+Index: gnutls-3.8.1/lib/nettle/Makefile.in
 ===================================================================
---- gnutls-3.8.9.orig/lib/nettle/Makefile.in
-+++ gnutls-3.8.9/lib/nettle/Makefile.in
-@@ -521,7 +521,7 @@ am__v_CC_1 =
+--- gnutls-3.8.1.orig/lib/nettle/Makefile.in
++++ gnutls-3.8.1/lib/nettle/Makefile.in
+@@ -402,7 +402,7 @@ am__v_CC_1 =
  CCLD = $(CC)
  LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
  	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -171,10 +171,10 @@ Index: gnutls-3.8.9/lib/nettle/Makefile.in
  AM_V_CCLD = $(am__v_CCLD_@AM_V@)
  am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
  am__v_CCLD_0 = @echo "  CCLD    " $@;
-Index: gnutls-3.8.9/lib/nettle/Makefile.am
+Index: gnutls-3.8.1/lib/nettle/Makefile.am
 ===================================================================
---- gnutls-3.8.9.orig/lib/nettle/Makefile.am
-+++ gnutls-3.8.9/lib/nettle/Makefile.am
+--- gnutls-3.8.1.orig/lib/nettle/Makefile.am
++++ gnutls-3.8.1/lib/nettle/Makefile.am
 @@ -20,7 +20,7 @@
  
  include $(top_srcdir)/lib/common.mk
@@ -182,12 +182,12 @@ Index: gnutls-3.8.9/lib/nettle/Makefile.am
 -AM_CFLAGS += $(HOGWEED_CFLAGS) $(GMP_CFLAGS)
 +AM_CFLAGS += $(HOGWEED_CFLAGS) $(GMP_CFLAGS) -ljitterentropy
  
- AM_CPPFLAGS += \
+ AM_CPPFLAGS = \
  	-I$(srcdir)/int		\
-Index: gnutls-3.8.9/lib/nettle/rnd-fips.c
+Index: gnutls-3.8.1/lib/nettle/rnd-fips.c
 ===================================================================
---- gnutls-3.8.9.orig/lib/nettle/rnd-fips.c
-+++ gnutls-3.8.9/lib/nettle/rnd-fips.c
+--- gnutls-3.8.1.orig/lib/nettle/rnd-fips.c
++++ gnutls-3.8.1/lib/nettle/rnd-fips.c
 @@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc
  	uint8_t buffer[DRBG_AES_SEED_SIZE];
  	int ret;
@@ -210,16 +210,16 @@ Index: gnutls-3.8.9/lib/nettle/rnd-fips.c
  	ret = get_entropy(fctx, buffer, sizeof(buffer));
  	if (ret < 0) {
  		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
-Index: gnutls-3.8.9/tests/Makefile.am
+Index: gnutls-3.8.1/tests/Makefile.am
 ===================================================================
---- gnutls-3.8.9.orig/tests/Makefile.am
-+++ gnutls-3.8.9/tests/Makefile.am
-@@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm
+--- gnutls-3.8.1.orig/tests/Makefile.am
++++ gnutls-3.8.1/tests/Makefile.am
+@@ -208,7 +208,7 @@ ctests += mini-record-2 simple gnutls_hm
  	 dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \
  	 keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \
  	 tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \
--	 set_x509_key_file_ocsp client-fastopen rng-sigint srp \
-+	 set_x509_key_file_ocsp client-fastopen srp \
+-	 set_x509_key_file_ocsp client-fastopen rng-sigint srp rng-pthread \
++	 set_x509_key_file_ocsp client-fastopen srp rng-pthread \
  	 safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
  	 safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
  	 rsa-illegal-import set_x509_ocsp_multi_invalid set_key set_x509_key_file_ocsp_multi2 \

gnutls-PSK-hash-NULL-check-pskcred.patch

@@ -0,0 +1,24 @@
+From acf67a4a68bc6d9ab7b882469c67f6cf28db56a0 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Thu, 29 Jan 2026 17:38:01 +0100
+Subject: [PATCH 699/713] pre_shared_key: add null check on pskcred
+
+Fixes: #1790
+Fixes: GNUTLS-SA-2026-02-09-1
+Fixes: CVE-2026-1584
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Index: gnutls-3.8.3/lib/ext/pre_shared_key.c
+===================================================================
+--- gnutls-3.8.3.orig/lib/ext/pre_shared_key.c
++++ gnutls-3.8.3/lib/ext/pre_shared_key.c
+@@ -983,7 +983,8 @@ retry_binder:
+ 		 * even for SHA384 PSKs, so we need to retry with SHA256
+ 		 * to calculate the correct binder value for those.
+ 		 */
+-		if (pskcred->binder_algo == NULL && mac == GNUTLS_MAC_SHA384) {
++		if (pskcred && pskcred->binder_algo == NULL &&
++		    mac == GNUTLS_MAC_SHA384) {
+ 			mac = GNUTLS_MAC_SHA256;
+ 			goto retry_binder;
+ 		}

gnutls-PSK-hash-NULL-check.patch

@@ -0,0 +1,67 @@
+From 33034a91c2c1f38bad19e747d3021885d54bfb44 Mon Sep 17 00:00:00 2001
+From: Wilfred Mallawa <wilfred.mallawa@wdc.com>
+Date: Mon, 18 Aug 2025 12:40:57 +1000
+Subject: [PATCH 2886/3000] lib/psk: add null check for binder algo
+
+Currently, `pskcred->binder_algo` is used without checking first if it
+is valid. This can lead to a NULL pointer dereference in cases such as
+[1]. This patch adds NULL check `pskcred->binder_algo` before using it.
+
+This also makes it more explicit in
+gnutls_psk_allocate_server_credentials2() that `pskcred->binder_algo
+== NULL` indicates auto-detection, while avoiding the linear lookup
+for a NULL entry.
+
+[1] https://gitlab.com/gnutls/gnutls/-/issues/1729
+
+Fix Suggested by: Daiki Ueno <ueno@gnu.org>
+Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
+
+diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
+index d709efa74..82a16e02c 100644
+--- a/lib/ext/pre_shared_key.c
++++ b/lib/ext/pre_shared_key.c
+@@ -886,9 +886,9 @@ retry_binder:
+ 			gnutls_psk_key_flags flags;
+ 			uint8_t ipsk[MAX_HASH_SIZE];
+ 
+-			prf = pskcred->binder_algo;
+-			if (prf->id == GNUTLS_MAC_UNKNOWN)
+-				prf = _gnutls_mac_to_entry(mac);
++			prf = pskcred->binder_algo == NULL ?
++				      _gnutls_mac_to_entry(mac) :
++				      pskcred->binder_algo;
+ 
+ 			/* this fails only on configuration errors; as such we always
+ 			 * return its error code in that case */
+@@ -983,7 +983,7 @@ retry_binder:
+ 		 * even for SHA384 PSKs, so we need to retry with SHA256
+ 		 * to calculate the correct binder value for those.
+ 		 */
+-		if (prf->id == GNUTLS_MAC_UNKNOWN && mac == GNUTLS_MAC_SHA384) {
++		if (pskcred->binder_algo == NULL && mac == GNUTLS_MAC_SHA384) {
+ 			mac = GNUTLS_MAC_SHA256;
+ 			goto retry_binder;
+ 		}
+diff --git a/lib/psk.c b/lib/psk.c
+index 06cf5b03d..f851b3d44 100644
+--- a/lib/psk.c
++++ b/lib/psk.c
+@@ -256,8 +256,12 @@ int gnutls_psk_allocate_server_credentials2(gnutls_psk_server_credentials_t *sc,
+ 
+ 	if (*sc == NULL)
+ 		return GNUTLS_E_MEMORY_ERROR;
+-
+-	(*sc)->binder_algo = _gnutls_mac_to_entry(mac);
++	/*
++	 * For GNUTLS_MAC_UNKNOWN, setting binder_algo to NULL allows
++	 * for auto-detction.
++	 */
++	(*sc)->binder_algo =
++		(mac == GNUTLS_MAC_UNKNOWN ? NULL : _gnutls_mac_to_entry(mac));
+ 	return 0;
+ }
+ 
+-- 
+2.53.0
+

gnutls-PSK-hash-fix-memleak.patch

@@ -0,0 +1,57 @@
+From a29aa9cda32d3ab0de137d3815536db4b4289599 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 21 Aug 2025 07:03:38 +0900
+Subject: [PATCH 601/713] pre_shared_key: fix memleak when retrying with
+ different binder algo
+
+As the PSK entry is reallocated, free it upon retry. Also use
+_gnutls_free_key_datum instead of _gnutls_free_temp_key_datum
+consistently.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Index: gnutls-3.8.3/lib/ext/pre_shared_key.c
+===================================================================
+--- gnutls-3.8.3.orig/lib/ext/pre_shared_key.c
++++ gnutls-3.8.3/lib/ext/pre_shared_key.c
+@@ -785,8 +785,8 @@ cleanup:
+ 	if (free_username)
+ 		_gnutls_free_datum(&username);
+ 
+-	_gnutls_free_temp_key_datum(&user_key);
+-	_gnutls_free_temp_key_datum(&rkey);
++	_gnutls_free_key_datum(&user_key);
++	_gnutls_free_key_datum(&rkey);
+ 
+ 	return ret;
+ }
+@@ -926,11 +926,11 @@ retry_binder:
+ 
+ 				ret = derive_ipsk(prf, &psk.identity, &key,
+ 						  ipsk);
+-				_gnutls_free_temp_key_datum(&key);
+ 				if (ret < 0) {
+ 					gnutls_assert();
+ 					goto fail;
+ 				}
++				_gnutls_free_key_datum(&key);
+ 				ret = _gnutls_set_datum(&key, ipsk,
+ 							prf->output_size);
+ 				zeroize_key(ipsk, sizeof(ipsk));
+@@ -986,6 +986,7 @@ retry_binder:
+ 		if (pskcred && pskcred->binder_algo == NULL &&
+ 		    mac == GNUTLS_MAC_SHA384) {
+ 			mac = GNUTLS_MAC_SHA256;
++			_gnutls_free_key_datum(&key);
+ 			goto retry_binder;
+ 		}
+ 		gnutls_assert();
+@@ -1086,7 +1087,7 @@ retry_binder:
+ 	}
+ 
+ fail:
+-	_gnutls_free_datum(&key);
++	_gnutls_free_key_datum(&key);
+ 	return ret;
+ }
+ 

gnutls-PSK-hash-tests.patch

@@ -0,0 +1,131 @@
+From bbce45d7b7fb94de46db9504b56800d70b1822d7 Mon Sep 17 00:00:00 2001
+From: Wilfred Mallawa <wilfred.mallawa@wdc.com>
+Date: Tue, 19 Aug 2025 14:59:21 +1000
+Subject: [PATCH] tests/psk-file: Add testing for _credentials2 functions
+
+Adds testing for gnutls_psk_allocate_X_credentials2() functions for
+server and client.
+
+Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
+Modified-by: Daiki Ueno <ueno@gnu.org>
+---
+ tests/psk-file.c | 49 ++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 41 insertions(+), 8 deletions(-)
+
+diff --git a/tests/psk-file.c b/tests/psk-file.c
+index 248928b8ea..f3a7121204 100644
+--- a/tests/psk-file.c
++++ b/tests/psk-file.c
+@@ -99,7 +99,8 @@ static void tls_log_func(int level, const char *str)
+ 
+ static void client(int sd, const char *prio, const gnutls_datum_t *user,
+ 		   const gnutls_datum_t *key, unsigned expect_hint,
+-		   int expect_fail, int exp_kx, unsigned binary_user)
++		   int expect_fail, int exp_kx, unsigned binary_user,
++		   gnutls_mac_algorithm_t mac)
+ {
+ 	int ret, ii, kx;
+ 	gnutls_session_t session;
+@@ -114,7 +115,12 @@ static void client(int sd, const char *prio, const gnutls_datum_t *user,
+ 
+ 	side = "client";
+ 
+-	gnutls_psk_allocate_client_credentials(&pskcred);
++	/* gnutls_psk_allocate_client_credentials calls _credentials2
++	 * with GNUTLS_MAC_SHA256 */
++	if (mac != GNUTLS_MAC_SHA256)
++		gnutls_psk_allocate_client_credentials2(&pskcred, mac);
++	else
++		gnutls_psk_allocate_client_credentials(&pskcred);
+ 
+ 	if (binary_user) {
+ 		gnutls_psk_set_client_credentials2(pskcred, user, key,
+@@ -214,7 +220,7 @@ end:
+ 
+ static void server(int sd, const char *prio, const gnutls_datum_t *user,
+ 		   bool no_cred, int expect_fail, int exp_kx,
+-		   unsigned binary_user)
++		   unsigned binary_user, gnutls_mac_algorithm_t mac)
+ {
+ 	gnutls_psk_server_credentials_t server_pskcred;
+ 	int ret, kx;
+@@ -237,7 +243,13 @@ static void server(int sd, const char *prio, const gnutls_datum_t *user,
+ 	if (psk_file == NULL)
+ 		psk_file = (char *)"psk.passwd";
+ 
+-	gnutls_psk_allocate_server_credentials(&server_pskcred);
++	/* gnutls_psk_allocate_server_credentials calls _credentials2
++	 * with GNUTLS_MAC_SHA256 */
++	if (mac != GNUTLS_MAC_SHA256)
++		gnutls_psk_allocate_server_credentials2(&server_pskcred, mac);
++	else
++		gnutls_psk_allocate_server_credentials(&server_pskcred);
++
+ 	gnutls_psk_set_server_credentials_hint(server_pskcred, "hint");
+ 	ret = gnutls_psk_set_server_credentials_file(server_pskcred, psk_file);
+ 	if (ret < 0) {
+@@ -378,11 +390,12 @@ static void print_user(const char *caption, const char *prio,
+ 			(const char *)user->data);
+ }
+ 
+-static void run_test3(const char *prio, const char *sprio,
++static void run_test4(const char *prio, const char *sprio,
+ 		      const gnutls_datum_t *user, const gnutls_datum_t *key,
+ 		      bool no_cred, unsigned expect_hint, int exp_kx,
+ 		      int expect_fail_cli, int expect_fail_serv,
+-		      unsigned binary_user)
++		      unsigned binary_user, gnutls_mac_algorithm_t mac_cli,
++		      gnutls_mac_algorithm_t mac_serv)
+ {
+ 	pid_t child;
+ 	int err;
+@@ -414,17 +427,28 @@ static void run_test3(const char *prio, const char *sprio,
+ 		int status;
+ 		/* parent */
+ 		server(sockets[0], sprio ? sprio : prio, user, no_cred,
+-		       expect_fail_serv, exp_kx, binary_user);
++		       expect_fail_serv, exp_kx, binary_user, mac_serv);
+ 		wait(&status);
+ 		check_wait_status(status);
+ 	} else {
+ 		close(sockets[0]);
+ 		client(sockets[1], prio, user, key, expect_hint,
+-		       expect_fail_cli, exp_kx, binary_user);
++		       expect_fail_cli, exp_kx, binary_user, mac_cli);
+ 		exit(0);
+ 	}
+ }
+ 
++static void run_test3(const char *prio, const char *sprio,
++		      const gnutls_datum_t *user, const gnutls_datum_t *key,
++		      bool no_cred, unsigned expect_hint, int exp_kx,
++		      int expect_fail_cli, int expect_fail_serv,
++		      unsigned binary_user)
++{
++	run_test4(prio, sprio, user, key, no_cred, expect_hint, exp_kx,
++		  expect_fail_cli, expect_fail_serv, binary_user,
++		  GNUTLS_MAC_SHA256, GNUTLS_MAC_SHA256);
++}
++
+ static void run_test2(const char *prio, const char *sprio,
+ 		      const gnutls_datum_t *user, const gnutls_datum_t *key,
+ 		      unsigned expect_hint, int exp_kx, int expect_fail_cli,
+@@ -714,6 +738,15 @@ void doit(void)
+ 	run_test3("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL,
+ 		  &user_null_2, &key, 1, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED,
+ 		  GNUTLS_E_INSUFFICIENT_CREDENTIALS, 1);
++
++	/* try with different PSK binder algorithms, where the server
++	 * should auto-detect */
++	run_test4("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK", NULL, &user_jas, &key,
++		  0, 0, GNUTLS_KX_PSK, 0, 0, 0, GNUTLS_MAC_SHA256,
++		  GNUTLS_MAC_UNKNOWN);
++	run_test4("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK", NULL, &user_jas, &key,
++		  0, 0, GNUTLS_KX_PSK, 0, 0, 0, GNUTLS_MAC_SHA384,
++		  GNUTLS_MAC_UNKNOWN);
+ }
+ 
+ #endif /* _WIN32 */
+-- 
+GitLab
+

gnutls-PSK-hash.patch

@@ -0,0 +1,217 @@
+From e73b6bac7396db058ff408e6ae7e0b27cb432317 Mon Sep 17 00:00:00 2001
+From: Hannes Reinecke <hare@suse.de>
+Date: Fri, 14 Mar 2025 12:31:13 +0100
+Subject: [PATCH] lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2
+
+Add new functions gnutls_psk_allocate_client_credentials2() and
+gnutls_psk_allocate_server_credentials2() which allow to specify
+the hash algorithm for the PSK. This fixes a bug in the current
+implementation where the binder is always calculated with SHA256.
+
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ doc/Makefile.am                 |  4 +++
+ doc/manpages/Makefile.am        |  2 ++
+ lib/ext/pre_shared_key.c        | 13 ++++++++
+ lib/includes/gnutls/gnutls.h.in |  5 +++
+ lib/libgnutls.map               |  9 ++++++
+ lib/psk.c                       | 56 ++++++++++++++++++++++++++++++---
+
+Index: gnutls-3.8.3/doc/Makefile.am
+===================================================================
+--- gnutls-3.8.3.orig/doc/Makefile.am
++++ gnutls-3.8.3/doc/Makefile.am
+@@ -1774,8 +1774,12 @@ FUNCS += functions/gnutls_protocol_set_e
+ FUNCS += functions/gnutls_protocol_set_enabled.short
+ FUNCS += functions/gnutls_psk_allocate_client_credentials
+ FUNCS += functions/gnutls_psk_allocate_client_credentials.short
++FUNCS += functions/gnutls_psk_allocate_client_credentials2
++FUNCS += functions/gnutls_psk_allocate_client_credentials2.short
+ FUNCS += functions/gnutls_psk_allocate_server_credentials
+ FUNCS += functions/gnutls_psk_allocate_server_credentials.short
++FUNCS += functions/gnutls_psk_allocate_server_credentials2
++FUNCS += functions/gnutls_psk_allocate_server_credentials2.short
+ FUNCS += functions/gnutls_psk_client_get_hint
+ FUNCS += functions/gnutls_psk_client_get_hint.short
+ FUNCS += functions/gnutls_psk_format_imported_identity
+Index: gnutls-3.8.3/doc/manpages/Makefile.am
+===================================================================
+--- gnutls-3.8.3.orig/doc/manpages/Makefile.am
++++ gnutls-3.8.3/doc/manpages/Makefile.am
+@@ -733,7 +733,9 @@ APIMANS += gnutls_protocol_get_version.3
+ APIMANS += gnutls_protocol_list.3
+ APIMANS += gnutls_protocol_set_enabled.3
+ APIMANS += gnutls_psk_allocate_client_credentials.3
++APIMANS += gnutls_psk_allocate_client_credentials2.3
+ APIMANS += gnutls_psk_allocate_server_credentials.3
++APIMANS += gnutls_psk_allocate_server_credentials2.3
+ APIMANS += gnutls_psk_client_get_hint.3
+ APIMANS += gnutls_psk_format_imported_identity.3
+ APIMANS += gnutls_psk_free_client_credentials.3
+Index: gnutls-3.8.3/lib/ext/pre_shared_key.c
+===================================================================
+--- gnutls-3.8.3.orig/lib/ext/pre_shared_key.c
++++ gnutls-3.8.3/lib/ext/pre_shared_key.c
+@@ -827,7 +827,9 @@ static int server_recv_params(gnutls_ses
+ 	struct timespec ticket_creation_time = { 0, 0 };
+ 	enum binder_type binder_type;
+ 	bool refuse_early_data = false;
++	gnutls_mac_algorithm_t mac = GNUTLS_MAC_SHA384;
+ 
++retry_binder:
+ 	ret = _gnutls13_psk_ext_parser_init(&psk_parser, data, len);
+ 	if (ret < 0) {
+ 		/* No PSKs advertised by client */
+@@ -885,6 +887,8 @@ static int server_recv_params(gnutls_ses
+ 			uint8_t ipsk[MAX_HASH_SIZE];
+ 
+ 			prf = pskcred->binder_algo;
++			if (prf->id == GNUTLS_MAC_UNKNOWN)
++				prf = _gnutls_mac_to_entry(mac);
+ 
+ 			/* this fails only on configuration errors; as such we always
+ 			 * return its error code in that case */
+@@ -974,6 +978,15 @@ static int server_recv_params(gnutls_ses
+ 
+ 	if (_gnutls_mac_get_algo_len(prf) != binder_recvd.size ||
+ 	    gnutls_memcmp(binder_value, binder_recvd.data, binder_recvd.size)) {
++		/*
++		 * Older clients will always use SHA256 as binder algorithm
++		 * even for SHA384 PSKs, so we need to retry with SHA256
++		 * to calculate the correct binder value for those.
++		 */
++		if (prf->id == GNUTLS_MAC_UNKNOWN && mac == GNUTLS_MAC_SHA384) {
++			mac = GNUTLS_MAC_SHA256;
++			goto retry_binder;
++		}
+ 		gnutls_assert();
+ 		ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ 		goto fail;
+Index: gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in
+===================================================================
+--- gnutls-3.8.3.orig/lib/includes/gnutls/gnutls.h.in
++++ gnutls-3.8.3/lib/includes/gnutls/gnutls.h.in
+@@ -2552,6 +2552,9 @@ typedef enum gnutls_psk_key_flags {
+ 
+ void gnutls_psk_free_client_credentials(gnutls_psk_client_credentials_t sc);
+ int gnutls_psk_allocate_client_credentials(gnutls_psk_client_credentials_t *sc);
++int gnutls_psk_allocate_client_credentials2(gnutls_psk_client_credentials_t *sc,
++					    gnutls_mac_algorithm_t mac);
++
+ int gnutls_psk_set_client_credentials(gnutls_psk_client_credentials_t res,
+ 				      const char *username,
+ 				      const gnutls_datum_t *key,
+@@ -2563,6 +2566,8 @@ int gnutls_psk_set_client_credentials2(g
+ 
+ void gnutls_psk_free_server_credentials(gnutls_psk_server_credentials_t sc);
+ int gnutls_psk_allocate_server_credentials(gnutls_psk_server_credentials_t *sc);
++int gnutls_psk_allocate_server_credentials2(gnutls_psk_server_credentials_t *sc,
++					    gnutls_mac_algorithm_t mac);
+ int gnutls_psk_set_server_credentials_file(gnutls_psk_server_credentials_t res,
+ 					   const char *password_file);
+ 
+Index: gnutls-3.8.3/lib/libgnutls.map
+===================================================================
+--- gnutls-3.8.3.orig/lib/libgnutls.map
++++ gnutls-3.8.3/lib/libgnutls.map
+@@ -1432,6 +1432,15 @@ GNUTLS_3_8_2
+ 	*;
+ } GNUTLS_3_8_1;
+ 
++GNUTLS_3_8_11
++{
++ global:
++	gnutls_psk_allocate_client_credentials2;
++	gnutls_psk_allocate_server_credentials2;
++ local:
++	*;
++} GNUTLS_3_8_2;
++
+ GNUTLS_FIPS140_3_4 {
+   global:
+ 	gnutls_cipher_self_test;
+Index: gnutls-3.8.3/lib/psk.c
+===================================================================
+--- gnutls-3.8.3.orig/lib/psk.c
++++ gnutls-3.8.3/lib/psk.c
+@@ -61,13 +61,34 @@ void gnutls_psk_free_client_credentials(
+  **/
+ int gnutls_psk_allocate_client_credentials(gnutls_psk_client_credentials_t *sc)
+ {
++	/* TLS 1.3 - Default binder HMAC algorithm is SHA-256 */
++	return gnutls_psk_allocate_client_credentials2(sc, GNUTLS_MAC_SHA256);
++}
++
++/**
++ * gnutls_psk_allocate_client_credentials2:
++ * @sc: is a pointer to a #gnutls_psk_client_credentials_t type.
++ * @mac: encryption algorithm to use
++ *
++ * Allocate a gnutls_psk_client_credentials_t structure and initializes
++ * the HMAC binder algorithm to @mac.
++ *
++ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
++ *   an error code is returned.
++ **/
++int gnutls_psk_allocate_client_credentials2(gnutls_psk_client_credentials_t *sc,
++					    gnutls_mac_algorithm_t mac)
++{
++	/* TLS 1.3 - Only SHA-256 and SHA-384 are allowed */
++	if (mac != GNUTLS_MAC_SHA256 && mac != GNUTLS_MAC_SHA384)
++		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++
+ 	*sc = gnutls_calloc(1, sizeof(psk_client_credentials_st));
+ 
+ 	if (*sc == NULL)
+ 		return GNUTLS_E_MEMORY_ERROR;
+ 
+-	/* TLS 1.3 - Default binder HMAC algorithm is SHA-256 */
+-	(*sc)->binder_algo = _gnutls_mac_to_entry(GNUTLS_MAC_SHA256);
++	(*sc)->binder_algo = _gnutls_mac_to_entry(mac);
+ 	return 0;
+ }
+ 
+@@ -203,13 +224,40 @@ void gnutls_psk_free_server_credentials(
+  **/
+ int gnutls_psk_allocate_server_credentials(gnutls_psk_server_credentials_t *sc)
+ {
++	/* TLS 1.3 - Default binder HMAC algorithm is SHA-256 */
++	return gnutls_psk_allocate_server_credentials2(sc, GNUTLS_MAC_SHA256);
++}
++
++/**
++ * gnutls_psk_allocate_server_credentials2:
++ * @sc: is a pointer to a #gnutls_psk_server_credentials_t type.
++ * @mac: encryption algorithm to use
++ *
++ * Allocate a gnutls_psk_server_credentials_t structure and initializes
++ * the HMAC binder algorithm to @mac. If @mac is set to GNUTLS_MAC_UNKNOWN
++ * both possible algorithms SHA384 and SHA256 are applied to find a matching
++ * binder value.
++ *
++ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
++ *   an error code is returned.
++ **/
++int gnutls_psk_allocate_server_credentials2(gnutls_psk_server_credentials_t *sc,
++					    gnutls_mac_algorithm_t mac)
++{
++	/*
++	 * TLS 1.3 - Only SHA-256 and SHA-384 are allowed;
++	 * additionally allow GNUTLS_MAC_UNKNOWN for autodetection.
++	 */
++	if (mac != GNUTLS_MAC_SHA256 && mac != GNUTLS_MAC_SHA384 &&
++	    mac != GNUTLS_MAC_UNKNOWN)
++		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++
+ 	*sc = gnutls_calloc(1, sizeof(psk_server_cred_st));
+ 
+ 	if (*sc == NULL)
+ 		return GNUTLS_E_MEMORY_ERROR;
+ 
+-	/* TLS 1.3 - Default binder HMAC algorithm is SHA-256 */
+-	(*sc)->binder_algo = _gnutls_mac_to_entry(GNUTLS_MAC_SHA256);
++	(*sc)->binder_algo = _gnutls_mac_to_entry(mac);
+ 	return 0;
+ }
+ 

gnutls-disable-flaky-test-dtls-resume.patch

@@ -1,10 +1,10 @@
-Index: gnutls-3.8.10/tests/Makefile.am
+Index: gnutls-3.7.8/tests/Makefile.am
 ===================================================================
---- gnutls-3.8.10.orig/tests/Makefile.am
-+++ gnutls-3.8.10/tests/Makefile.am
-@@ -536,7 +536,7 @@ ktls_keyupdate_CFLAGS = -DUSE_KTLS
- dist_check_SCRIPTS += ktls_keyupdate.sh
- endif
+--- gnutls-3.7.8.orig/tests/Makefile.am
++++ gnutls-3.7.8/tests/Makefile.am
+@@ -508,7 +508,7 @@ if !WINDOWS
+ # List of tests not available/functional under windows
+ #
  
 -dist_check_SCRIPTS += dtls/dtls.sh dtls/dtls-resume.sh #dtls/dtls-nb
 +dist_check_SCRIPTS += dtls/dtls.sh #dtls/dtls-resume.sh #dtls/dtls-nb

gnutls-fips-sonames-check.patch

@@ -1,27 +0,0 @@
-Index: gnutls-3.8.9/lib/fips.c
-===================================================================
---- gnutls-3.8.9.orig/lib/fips.c
-+++ gnutls-3.8.9/lib/fips.c
-@@ -484,18 +484,18 @@ static int callback(struct dl_phdr_info
- 	const char *soname = last_component(path);
- 	struct lib_paths *paths = (struct lib_paths *)data;
- 
--	if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
-+	if (!strncmp(soname, GNUTLS_LIBRARY_SONAME, strlen(GNUTLS_LIBRARY_SONAME)))
- 		_gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
- #ifdef NETTLE_LIBRARY_SONAME
--	else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
-+	else if (!strncmp(soname, NETTLE_LIBRARY_SONAME, strlen(NETTLE_LIBRARY_SONAME)))
- 		_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
- #endif
- #ifdef HOGWEED_LIBRARY_SONAME
--	else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
-+	else if (!strncmp(soname, HOGWEED_LIBRARY_SONAME, strlen(HOGWEED_LIBRARY_SONAME)))
- 		_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
- #endif
- #ifdef GMP_LIBRARY_SONAME
--	else if (!strcmp(soname, GMP_LIBRARY_SONAME))
-+	else if (!strncmp(soname, GMP_LIBRARY_SONAME, strlen(GMP_LIBRARY_SONAME)))
- 		_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
- #endif
- 	return 0;

gnutls-set-cligen-python-interp.patch

@@ -1,10 +0,0 @@
-Index: gnutls-3.8.9/cligen/cli-docgen.py
-===================================================================
---- gnutls-3.8.9.orig/cligen/cli-docgen.py
-+++ gnutls-3.8.9/cligen/cli-docgen.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- # Copyright (C) 2021-2022 Daiki Ueno
- # SPDX-License-Identifier: LGPL-2.1-or-later
- 

gnutls-skip-pqx-test.patch

@@ -1,34 +0,0 @@
-Index: gnutls-3.8.10/tests/Makefile.am
-===================================================================
---- gnutls-3.8.10.orig/tests/Makefile.am
-+++ gnutls-3.8.10/tests/Makefile.am
-@@ -628,8 +628,6 @@ ctests += win32-certopenstore
- 
- endif
- 
--dist_check_SCRIPTS += pqc-hybrid-kx.sh
--
- cpptests =
- if ENABLE_CXX
- if HAVE_CMOCKA
-Index: gnutls-3.8.10/tests/Makefile.in
-===================================================================
---- gnutls-3.8.10.orig/tests/Makefile.in
-+++ gnutls-3.8.10/tests/Makefile.in
-@@ -3293,7 +3293,7 @@ am__dist_check_SCRIPTS_DIST = rfc2253-es
- 	gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh \
- 	gnutls-cli-rawpk.sh dh-fips-approved.sh p11-kit-trust.sh \
- 	testpkcs11.sh certtool-pkcs11.sh pkcs11-tool.sh \
--	p11-kit-load.sh danetool.sh tpmtool_test.sh pqc-hybrid-kx.sh
-+	p11-kit-load.sh danetool.sh tpmtool_test.sh 
- AM_V_P = $(am__v_P_@AM_V@)
- am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
- am__v_P_0 = false
-@@ -7178,7 +7178,6 @@ dist_check_SCRIPTS = rfc2253-escape-test
- 	$(am__append_18) $(am__append_20) $(am__append_21) \
- 	$(am__append_23) $(am__append_25) $(am__append_26) \
- 	$(am__append_27) $(am__append_29) $(am__append_30) \
--	pqc-hybrid-kx.sh
- @ENABLE_KTLS_TRUE@@WINDOWS_FALSE@ktls_keyupdate_SOURCES = tls13/key_update.c
- @ENABLE_KTLS_TRUE@@WINDOWS_FALSE@ktls_keyupdate_CFLAGS = -DUSE_KTLS
- @WINDOWS_FALSE@dtls_stress_SOURCES = dtls/dtls-stress.c

gnutls-srp-test-SIGPIPE.patch

@@ -1,8 +1,8 @@
-Index: gnutls-3.8.9/tests/srp.c
+Index: gnutls-3.8.1/tests/srp.c
 ===================================================================
---- gnutls-3.8.9.orig/tests/srp.c
-+++ gnutls-3.8.9/tests/srp.c
-@@ -290,7 +290,7 @@ static void start(const char *name, cons
+--- gnutls-3.8.1.orig/tests/srp.c
++++ gnutls-3.8.1/tests/srp.c
+@@ -287,7 +289,7 @@ static void start(const char *name, cons
  	if (child) {
  		int status;
  		/* parent */
@@ -11,7 +11,7 @@ Index: gnutls-3.8.9/tests/srp.c
  		client(fd[1], prio, user, pass, exp_err);
  		if (exp_err < 0) {
  			kill(child, SIGTERM);
-@@ -300,7 +300,7 @@ static void start(const char *name, cons
+@@ -297,7 +299,7 @@ static void start(const char *name, cons
  			check_wait_status(status);
  		}
  	} else {

gnutls.spec

@@ -1,8 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2025 SUSE LLC
-# Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -40,10 +39,8 @@
 %bcond_with kcapi
 %endif
 %bcond_with tpm
-%bcond_without tpm2
-%bcond_without leancrypto
 Name:           gnutls
-Version:        3.8.10
+Version:        3.8.3
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -72,15 +69,30 @@ Patch102:       gnutls-FIPS-jitterentropy.patch
 #PATCH-FIX-SUSE bsc#1221242 Fix memleak in gnutls' jitterentropy collector
 Patch103:       gnutls-FIPS-jitterentropy-deinit-threads.patch
 %endif
-Patch104:       gnutls-set-cligen-python-interp.patch
-Patch105:       gnutls-skip-pqx-test.patch
-Patch106:       gnutls-fips-sonames-check.patch
-# PATCH-FIX-SUSE jsc#jsc#PED-12224 FIPS: Mark SHA1 as unapproved in the SLI
-Patch107:       gnutls-FIPS-disable-mac-sha1.patch
-# PATCH-FIX-SUSE bsc#1237101 GNUTLS FIPS selfcheck is failing again on tumbleweed
-Patch108:       gnutls-FIPS-HMAC-x86_64-v3-opt.patch
-# PATCH-FIX-SUSE Disable test
-Patch109:       gnutls-3.8.10-disable-ktls_test.patch
+#PATCH-FIX-UPSTREAM bsc#1221746 CVE-2024-28834: gnutls: side-channel in the deterministic ECDSA
+Patch200:       gnutls-CVE-2024-28834.patch
+#PATCH-FIX-UPSTREAM bsc#1221747 CVE-2024-28835: gnutls: certtool crash when verifying a certificate chain
+Patch201:       gnutls-CVE-2024-28835.patch
+#PATCH-FIX-UPSTREAM bsc#1236974 CVE-2024-12243: gnutls: inefficient DER Decoding in libtasn1 could lead to remote DoS
+Patch202:     	gnutls-CVE-2024-12243.patch
+#PATCH-FIX-UPSTREAM: Fix heap buffer overread when handling the CT SCT extension during X.509 certificate parsing [bsc#1246233, CVE-2025-32989]
+Patch203:       gnutls-CVE-2025-32989.patch
+#PATCH-FIX-UPSTREAM: Fix double-free due to incorrect ownership handling in the export logic of SAN entries containing an otherName [bsc#1246232, CVE-2025-32988]
+Patch204:       gnutls-CVE-2025-32988.patch
+#PATCH-FIX-UPSTREAM: Fix 1-byte heap buffer overflow when parsing templates with certtool [bsc#1246267, CVE-2025-32990]
+Patch205:       gnutls-CVE-2025-32990.patch
+#PATCH-FIX-UPSTREAM: Fix NULL pointer dereference when 2nd Client Hello omits PSK [bsc#1246299, CVE-2025-6395]
+Patch206:       gnutls-CVE-2025-6395.patch
+# PATCH-FIX-UPSTREAM bsc#1254132 CVE-2025-9820 buffer overflow in gnutls_pkcs11_token_init
+Patch207:	gnutls-CVE-2025-9820.patch
+# PATCH-FIX-UPSTREAM bsc#1257960 CVE-2025-14831: DoS via excessive resource consumption during certificate verification
+Patch208:       gnutls-CVE-2025-14831.patch
+# PATCH-FIX-UPSTREAM bsc#1258083 lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2
+Patch216:       gnutls-PSK-hash.patch
+Patch217:       gnutls-PSK-hash-tests.patch
+Patch218:       gnutls-PSK-hash-NULL-check.patch
+Patch219:       gnutls-PSK-hash-NULL-check-pskcred.patch
+Patch220:       gnutls-PSK-hash-fix-memleak.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -99,16 +111,10 @@ BuildRequires:  p11-kit-devel >= 0.23.1
 BuildRequires:  pkgconfig
 BuildRequires:  xz
 BuildRequires:  pkgconfig(autoopts)
-BuildRequires:  pkgconfig(libbrotlidec)
-BuildRequires:  pkgconfig(libbrotlienc)
-BuildRequires:  pkgconfig(libzstd)
 BuildRequires:  pkgconfig(zlib)
 %if %{with kcapi}
 BuildRequires:  pkgconfig(libkcapi)
 %endif
-%if %{with leancrypto}
-BuildRequires:  pkgconfig(leancrypto)
-%endif
 %if 0%{?suse_version} <= 1320
 BuildRequires:  net-tools
 %else
@@ -117,9 +123,6 @@ BuildRequires:  net-tools-deprecated
 %if %{with tpm}
 BuildRequires:  trousers-devel
 %endif
-%if %{with tpm2}
-BuildRequires:  tpm2-0-tss-devel >= 3.0.3
-%endif
 %if %{with dane}
 Requires:       libgnutls-dane%{gnutls_dane_sover} = %{version}
 %if 0%{?suse_version} <= 1320
@@ -130,13 +133,10 @@ BuildRequires:  libunbound-devel
 %endif
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 BuildRequires:  crypto-policies
-BuildRequires:  jitterentropy-devel >= 3.4.0
 Requires:       crypto-policies
+BuildRequires:  jitterentropy-devel >= 3.4.0
 Requires:       libjitterentropy3 >= 3.4.0
 %endif
-%if %{with tpm}
-Recommends:     trousers
-%endif
 
 %description
 The GnuTLS library provides a secure layer over a reliable transport
@@ -158,6 +158,7 @@ The GnuTLS library provides a secure layer over a reliable transport
 layer. Currently the GnuTLS library implements the proposed standards
 of the IETF's TLS working group.
 
+%if %{with dane}
 %package -n libgnutls-dane%{gnutls_dane_sover}
 Summary:        DANE support for the GNU Transport Layer Security Library
 License:        LGPL-2.1-or-later
@@ -167,6 +168,7 @@ Group:          System/Libraries
 The GnuTLS project aims to develop a library that provides a secure
 layer over a reliable transport layer.
 This package contains the "DANE" part of gnutls.
+%endif
 
 %package -n libgnutlsxx%{gnutlsxx_sover}
 Summary:        C++ API for the GNU Transport Layer Security Library
@@ -196,6 +198,7 @@ Requires:       crypto-policies
 %description -n libgnutls-devel
 Files needed for software development using gnutls.
 
+%if %{with dane}
 %package -n libgnutls-dane-devel
 Summary:        Development package for GnuTLS DANE component
 License:        LGPL-2.1-or-later
@@ -204,14 +207,7 @@ Requires:       libgnutls-dane%{gnutls_dane_sover} = %{version}
 
 %description -n libgnutls-dane-devel
 Files needed for software development using gnutls.
-
-%package -n libgnutls-devel-doc
-Summary:        Manual and Info pages for libgnutls
-License:        LGPL-2.1-or-later
-BuildArch:      noarch
-
-%description -n libgnutls-devel-doc
-Manpages (troff) and GNU Info pages for libgnutls.
+%endif
 
 %package -n libgnutlsxx-devel
 Summary:        Development package for the GnuTLS C++ API
@@ -251,11 +247,6 @@ autoreconf -fiv
 %if %{without tpm}
         --without-tpm \
 %endif
-%if %{with tpm2}
-        --with-tpm2 \
-%else
-        --without-tpm2 \
-%endif
 %if %{with dane}
         --with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \
 %else
@@ -264,11 +255,6 @@ autoreconf -fiv
 %if %{with srp}
         --enable-srp-authentication \
 %endif
-%if %{with leancrypto}
-        --with-leancrypto \
-%else
-        --without-leancrypto \
-%endif
 %ifarch %{ix86} %{arm}
         --disable-year2038 \
 %endif
@@ -276,7 +262,6 @@ autoreconf -fiv
         --enable-fips140-mode \
         --with-fips140-module-name="GnuTLS version" \
         --with-fips140-module-version="%{version}-%{release}" \
-        --enable-ktls \
         %{nil}
 
 %make_build
@@ -337,12 +322,19 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 }
 %endif
 
-%ldconfig_scriptlets -n libgnutls%{gnutls_sover}
-%ldconfig_scriptlets -n libgnutls-dane%{gnutls_dane_sover}
-%ldconfig_scriptlets -n libgnutlsxx%{gnutlsxx_sover}
+%post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
+%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
+
+%if %{with dane}
+%post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
+%postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
+%endif
+
+%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
+%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
 
 %files -f libgnutls.lang
-%license COPYING COPYING.LESSERv2
+%license LICENSE
 %doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
 %{_bindir}/certtool
 %{_bindir}/gnutls-cli
@@ -363,22 +355,22 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %{_mandir}/man1/*
 
 %files -n libgnutls%{gnutls_sover}
-%license COPYING COPYING.LESSERv2
+%license LICENSE
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
 
 %if %{with dane}
 %files -n libgnutls-dane%{gnutls_dane_sover}
-%license COPYING COPYING.LESSERv2
+%license LICENSE
 %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
 %endif
 
 %files -n libgnutlsxx%{gnutlsxx_sover}
-%license COPYING COPYING.LESSERv2
+%license LICENSE
 %{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*
 
 %files -n libgnutls-devel
-%license COPYING COPYING.LESSERv2
+%license LICENSE
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/abstract.h
 %{_includedir}/%{name}/crypto.h
@@ -399,15 +391,13 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %{_includedir}/%{name}/urls.h
 %{_libdir}/libgnutls.so
 %{_libdir}/pkgconfig/gnutls.pc
-
-%files -n libgnutls-devel-doc
 %{_mandir}/man3/*
 %{_infodir}/*%{ext_info}
-%{_docdir}/libgnutls-devel
+%doc %{_docdir}/libgnutls-devel
 
 %if %{with dane}
 %files -n libgnutls-dane-devel
-%license COPYING COPYING.LESSERv2
+%license LICENSE
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/dane.h
 %{_libdir}/pkgconfig/gnutls-dane.pc
@@ -415,7 +405,7 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %endif
 
 %files -n libgnutlsxx-devel
-%license COPYING COPYING.LESSERv2
+%license LICENSE
 %{_libdir}/libgnutlsxx.so
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/gnutlsxx.h