Accepting request 1248196 from security:tls

OBS-URL: https://build.opensuse.org/request/show/1248196 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=160
2025-02-25 15:40:09 +00:00 · 2025-02-25 15:40:09 +00:00 · f7915feb05
commit f7915feb05
parent 1c06047e0c 67ef93e3e1
14 changed files with 274 additions and 193 deletions
--- a/gnutls-3.5.11-skip-trust-store-tests.patch
+++ b/gnutls-3.5.11-skip-trust-store-tests.patch
@ -15,11 +15,11 @@ need ca-certificates-mozilla to run.

 But this would create a build cycle. Skip test.

-Index: gnutls-3.6.15/tests/trust-store.c
+Index: gnutls-3.8.9/tests/trust-store.c
 ===================================================================
--- gnutls-3.6.15.orig/tests/trust-store.c	2020-09-08 10:24:24.018094247 +0200
-+++ gnutls-3.6.15/tests/trust-store.c	2020-09-08 10:24:25.534104346 +0200
-@@ -44,6 +44,9 @@ static void tls_log_func(int level, cons
+--- gnutls-3.8.9.orig/tests/trust-store.c
+++ gnutls-3.8.9/tests/trust-store.c
+@@ -42,6 +42,9 @@ static void tls_log_func(int level, cons
 
 void doit(void)
 {
--- a/gnutls-3.8.8.tar.xz
+++ b/gnutls-3.8.8.tar.xz
--- a/gnutls-3.8.8.tar.xz.sig
+++ b/gnutls-3.8.8.tar.xz.sig
--- a/gnutls-3.8.9.tar.xz
+++ b/gnutls-3.8.9.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:69e113d802d1670c4d5ac1b99040b1f2d5c7c05daec5003813c049b5184820ed
+size 6847364
--- a/gnutls-3.8.9.tar.xz.sig
+++ b/gnutls-3.8.9.tar.xz.sig
--- a/gnutls-FIPS-140-3-references.patch
+++ b/gnutls-FIPS-140-3-references.patch
@ -1,8 +1,8 @@
-Index: gnutls-3.8.8/configure.ac
+Index: gnutls-3.8.9/configure.ac
 ===================================================================
--- gnutls-3.8.8.orig/configure.ac
-+++ gnutls-3.8.8/configure.ac
-@@ -624,19 +624,19 @@ LT_INIT([disable-static,win32-dll,shared
+--- gnutls-3.8.9.orig/configure.ac
+++ gnutls-3.8.9/configure.ac
+@@ -665,19 +665,19 @@ LT_INIT([disable-static,win32-dll,shared
 AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);])
 
 AC_ARG_ENABLE(fips140-mode,
@ -25,10 +25,10 @@ Index: gnutls-3.8.8/configure.ac
 
     AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name],
                                  [specify the FIPS140 module name]),
-Index: gnutls-3.8.8/doc/cha-gtls-app.texi
+Index: gnutls-3.8.9/doc/cha-gtls-app.texi
 ===================================================================
--- gnutls-3.8.8.orig/doc/cha-gtls-app.texi
-+++ gnutls-3.8.8/doc/cha-gtls-app.texi
+--- gnutls-3.8.9.orig/doc/cha-gtls-app.texi
+++ gnutls-3.8.9/doc/cha-gtls-app.texi
@@ -222,7 +222,7 @@ CPU. The currently available options are
 @end itemize
 
@ -38,10 +38,10 @@ Index: gnutls-3.8.8/doc/cha-gtls-app.texi
 if set to one it will force the FIPS mode enablement.
 
 @end multitable
-Index: gnutls-3.8.8/doc/cha-internals.texi
+Index: gnutls-3.8.9/doc/cha-internals.texi
 ===================================================================
--- gnutls-3.8.8.orig/doc/cha-internals.texi
-+++ gnutls-3.8.8/doc/cha-internals.texi
+--- gnutls-3.8.9.orig/doc/cha-internals.texi
+++ gnutls-3.8.9/doc/cha-internals.texi
@@ -14,7 +14,7 @@ happens inside the black box.
 * TLS Hello Extension Handling::
 * Cryptographic Backend::
@ -162,11 +162,11 @@ Index: gnutls-3.8.8/doc/cha-internals.texi
 operation.  It can be attached to the current execution thread with
 @funcref{gnutls_fips140_push_context} and its internal state will be
 updated until it is detached with
-Index: gnutls-3.8.8/doc/enums.texi
+Index: gnutls-3.8.9/doc/enums.texi
 ===================================================================
--- gnutls-3.8.8.orig/doc/enums.texi
-+++ gnutls-3.8.8/doc/enums.texi
-@@ -1210,7 +1210,7 @@ application traffic secret is installed
+--- gnutls-3.8.9.orig/doc/enums.texi
+++ gnutls-3.8.9/doc/enums.texi
+@@ -1230,7 +1230,7 @@ application traffic secret is installed
 @c gnutls_fips_mode_t
 @table @code
 @item GNUTLS_@-FIPS140_@-DISABLED
@ -175,7 +175,7 @@ Index: gnutls-3.8.8/doc/enums.texi
 @item GNUTLS_@-FIPS140_@-STRICT
 The default mode; all forbidden operations will cause an
 operation failure via error code.
-@@ -1218,8 +1218,8 @@ operation failure via error code.
+@@ -1238,8 +1238,8 @@ operation failure via error code.
 A transient state during library initialization. That state
 cannot be set or seen by applications.
 @item GNUTLS_@-FIPS140_@-LAX
@ -186,10 +186,10 @@ Index: gnutls-3.8.8/doc/enums.texi
 application is aware of the followed security policy, and needs
 to utilize disallowed operations for other reasons (e.g., compatibility).
 @item GNUTLS_@-FIPS140_@-LOG
-Index: gnutls-3.8.8/doc/functions/gnutls_fips140_set_mode
+Index: gnutls-3.8.9/doc/functions/gnutls_fips140_set_mode
 ===================================================================
--- gnutls-3.8.8.orig/doc/functions/gnutls_fips140_set_mode
-+++ gnutls-3.8.8/doc/functions/gnutls_fips140_set_mode
+--- gnutls-3.8.9.orig/doc/functions/gnutls_fips140_set_mode
+++ gnutls-3.8.9/doc/functions/gnutls_fips140_set_mode
@@ -3,7 +3,7 @@
 
 
@ -215,10 +215,10 @@ Index: gnutls-3.8.8/doc/functions/gnutls_fips140_set_mode
 values for  @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS}  mode, the library
 switches to @code{GNUTLS_FIPS140_STRICT}  mode.
 
-Index: gnutls-3.8.8/doc/gnutls.html
+Index: gnutls-3.8.9/doc/gnutls.html
 ===================================================================
--- gnutls-3.8.8.orig/doc/gnutls.html
-+++ gnutls-3.8.8/doc/gnutls.html
+--- gnutls-3.8.9.orig/doc/gnutls.html
+++ gnutls-3.8.9/doc/gnutls.html
@@ -485,7 +485,7 @@ Documentation License&rdquo;.
     <li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li>
     <li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li>
@ -439,10 +439,10 @@ Index: gnutls-3.8.8/doc/gnutls.html
 <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
 <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
 <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
-Index: gnutls-3.8.8/doc/gnutls.info-3
+Index: gnutls-3.8.9/doc/gnutls.info-3
 ===================================================================
--- gnutls-3.8.8.orig/doc/gnutls.info-3
-+++ gnutls-3.8.8/doc/gnutls.info-3
+--- gnutls-3.8.9.orig/doc/gnutls.info-3
+++ gnutls-3.8.9/doc/gnutls.info-3
@@ -2108,7 +2108,7 @@ to ‘more’.  Both will exit with a st
             --inline-commands-prefix=str Change the default delimiter for inline commands
             --provider=file        Specify the PKCS #11 provider library
@ -521,10 +521,10 @@ Index: gnutls-3.8.8/doc/gnutls.info-3
 
      FLAGS: should be zero or ‘GNUTLS_FIPS140_SET_MODE_THREAD’
 
-Index: gnutls-3.8.8/doc/invoke-gnutls-cli.texi
+Index: gnutls-3.8.9/doc/invoke-gnutls-cli.texi
 ===================================================================
--- gnutls-3.8.8.orig/doc/invoke-gnutls-cli.texi
-+++ gnutls-3.8.8/doc/invoke-gnutls-cli.texi
+--- gnutls-3.8.9.orig/doc/invoke-gnutls-cli.texi
+++ gnutls-3.8.9/doc/invoke-gnutls-cli.texi
@@ -102,7 +102,7 @@ None:
        --inline-commands-prefix=str Change the default delimiter for inline commands
        --provider=file        Specify the PKCS #11 provider library
@ -534,10 +534,10 @@ Index: gnutls-3.8.8/doc/invoke-gnutls-cli.texi
        --list-config          Reports the configuration of the library
        --logfile=str          Redirect informational messages to a specific file
        --keymatexport=str     Label used for exporting keying material
-Index: gnutls-3.8.8/doc/manpages/gnutls-cli.1
+Index: gnutls-3.8.9/doc/manpages/gnutls-cli.1
 ===================================================================
--- gnutls-3.8.8.orig/doc/manpages/gnutls-cli.1
-+++ gnutls-3.8.8/doc/manpages/gnutls-cli.1
+--- gnutls-3.8.9.orig/doc/manpages/gnutls-cli.1
+++ gnutls-3.8.9/doc/manpages/gnutls-cli.1
@@ -398,7 +398,7 @@ Specify the PKCS #11 provider library.
 This will override the default options in /etc/gnutls/pkcs11.conf
 .TP
@ -547,10 +547,10 @@ Index: gnutls-3.8.8/doc/manpages/gnutls-cli.1
 .sp
 .TP
 .NOP \f\*[B-Font]\-\-list\-config\f[]
-Index: gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
+Index: gnutls-3.8.9/doc/reference/html/gnutls-gnutls.html
 ===================================================================
--- gnutls-3.8.8.orig/doc/reference/html/gnutls-gnutls.html
-+++ gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
+--- gnutls-3.8.9.orig/doc/reference/html/gnutls-gnutls.html
+++ gnutls-3.8.9/doc/reference/html/gnutls-gnutls.html
@@ -20874,12 +20874,12 @@ gnutls_fips140_set_mode (<em class="para
 (globally), and should be called prior to creating any threads. Its
 behavior with no flags after threads are created is undefined.</p>
@ -575,7 +575,7 @@ Index: gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
 <td class="parameter_annotations"> </td>
 </tr>
 <tr>
-@@ -25969,7 +25969,7 @@ encryption</p>
+@@ -26035,7 +26035,7 @@ encryption</p>
 <hr>
 <div class="refsect2">
 <a name="gnutls-fips-mode-t"></a><h3>enum gnutls_fips_mode_t</h3>
@ -584,7 +584,7 @@ Index: gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
 <div class="refsect3">
 <a name="gnutls-fips-mode-t.members"></a><h4>Members</h4>
 <div class="informaltable"><table class="informaltable" width="100%" border="0">
-@@ -25982,7 +25982,7 @@ encryption</p>
+@@ -26048,7 +26048,7 @@ encryption</p>
 <tr>
 <td class="enum_member_name"><p><a name="GNUTLS-FIPS140-DISABLED:CAPS"></a>GNUTLS_FIPS140_DISABLED</p></td>
 <td class="enum_member_description">
@ -593,7 +593,7 @@ Index: gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
 </td>
 <td class="enum_member_annotations"> </td>
 </tr>
-@@ -26005,8 +26005,8 @@ operation failure via error code.</p>
+@@ -26071,8 +26071,8 @@ operation failure via error code.</p>
 <tr>
 <td class="enum_member_name"><p><a name="GNUTLS-FIPS140-LAX:CAPS"></a>GNUTLS_FIPS140_LAX</p></td>
 <td class="enum_member_description">
@ -604,17 +604,17 @@ Index: gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
 application is aware of the followed security policy, and needs
 to utilize disallowed operations for other reasons (e.g., compatibility).</p>
 </td>
-@@ -27646,4 +27646,4 @@ This is used by <a class="link" href="gn
+@@ -27712,4 +27712,4 @@ This is used by <a class="link" href="gn
 <div class="footer">
 <hr>Generated by GTK-Doc V1.34.0</div>
 </body>
 -</html>
 \ No newline at end of file
 +</html>
-Index: gnutls-3.8.8/lib/fips.c
+Index: gnutls-3.8.9/lib/fips.c
 ===================================================================
--- gnutls-3.8.8.orig/lib/fips.c
-+++ gnutls-3.8.8/lib/fips.c
+--- gnutls-3.8.9.orig/lib/fips.c
+++ gnutls-3.8.9/lib/fips.c
@@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void)
 	}
 
@ -633,7 +633,7 @@ Index: gnutls-3.8.8/lib/fips.c
 		ret = GNUTLS_FIPS140_SELFTESTS;
 		goto exit;
 	}
-@@ -740,7 +740,7 @@ unsigned gnutls_fips140_mode_enabled(voi
+@@ -745,7 +745,7 @@ unsigned gnutls_fips140_mode_enabled(voi
 
 /**
  * gnutls_fips140_set_mode:
@ -642,7 +642,7 @@ Index: gnutls-3.8.8/lib/fips.c
  * @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD
  *
  * That function is not thread-safe when changing the mode with no flags
-@@ -748,13 +748,13 @@ unsigned gnutls_fips140_mode_enabled(voi
+@@ -753,13 +753,13 @@ unsigned gnutls_fips140_mode_enabled(voi
  * behavior with no flags after threads are created is undefined.
  *
  * When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified
@ -658,7 +658,7 @@ Index: gnutls-3.8.8/lib/fips.c
  * values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library
  * switches to %GNUTLS_FIPS140_STRICT mode.
  *
-@@ -766,10 +766,10 @@ void gnutls_fips140_set_mode(gnutls_fips
+@@ -771,10 +771,10 @@ void gnutls_fips140_set_mode(gnutls_fips
 	gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled();
 	if (prev == GNUTLS_FIPS140_DISABLED ||
 	    prev == GNUTLS_FIPS140_SELFTESTS) {
@ -671,7 +671,7 @@ Index: gnutls-3.8.8/lib/fips.c
 		return;
 	}
 
-@@ -782,7 +782,7 @@ void gnutls_fips140_set_mode(gnutls_fips
+@@ -787,7 +787,7 @@ void gnutls_fips140_set_mode(gnutls_fips
 	case GNUTLS_FIPS140_SELFTESTS:
 		_gnutls_audit_log(
 			NULL,
@ -680,7 +680,7 @@ Index: gnutls-3.8.8/lib/fips.c
 		mode = GNUTLS_FIPS140_STRICT;
 		break;
 	default:
-@@ -958,7 +958,7 @@ void _gnutls_switch_fips_state(gnutls_fi
+@@ -963,7 +963,7 @@ void _gnutls_switch_fips_state(gnutls_fi
 	}
 
 	if (!_tfips_context) {
@ -689,7 +689,7 @@ Index: gnutls-3.8.8/lib/fips.c
 		return;
 	}
 
-@@ -972,7 +972,7 @@ void _gnutls_switch_fips_state(gnutls_fi
+@@ -977,7 +977,7 @@ void _gnutls_switch_fips_state(gnutls_fi
 		if (mode != GNUTLS_FIPS140_LAX) {
 			_gnutls_audit_log(
 				NULL,
@ -698,7 +698,7 @@ Index: gnutls-3.8.8/lib/fips.c
 				operation_state_to_string(state));
 		}
 		_tfips_context->state = state;
-@@ -983,7 +983,7 @@ void _gnutls_switch_fips_state(gnutls_fi
+@@ -988,7 +988,7 @@ void _gnutls_switch_fips_state(gnutls_fi
 			if (mode != GNUTLS_FIPS140_LAX) {
 				_gnutls_audit_log(
 					NULL,
@ -707,7 +707,7 @@ Index: gnutls-3.8.8/lib/fips.c
 					operation_state_to_string(state));
 			}
 			_tfips_context->state = state;
-@@ -995,7 +995,7 @@ void _gnutls_switch_fips_state(gnutls_fi
+@@ -1000,7 +1000,7 @@ void _gnutls_switch_fips_state(gnutls_fi
 		if (mode != GNUTLS_FIPS140_LAX) {
 			_gnutls_audit_log(
 				NULL,
@ -716,7 +716,7 @@ Index: gnutls-3.8.8/lib/fips.c
 				operation_state_to_string(
 					_tfips_context->state),
 				operation_state_to_string(state));
-@@ -1057,7 +1057,7 @@ int gnutls_fips140_run_self_tests(void)
+@@ -1062,7 +1062,7 @@ int gnutls_fips140_run_self_tests(void)
 	    ret < 0) {
 		_gnutls_switch_lib_state(LIB_STATE_ERROR);
 		_gnutls_audit_log(NULL,
@ -725,7 +725,7 @@ Index: gnutls-3.8.8/lib/fips.c
 	} else {
 		/* Restore the previous library state */
 		_gnutls_switch_lib_state(prev_lib_state);
-@@ -1069,7 +1069,7 @@ int gnutls_fips140_run_self_tests(void)
+@@ -1074,7 +1074,7 @@ int gnutls_fips140_run_self_tests(void)
 		if (gnutls_fips140_pop_context() < 0) {
 			_gnutls_switch_lib_state(LIB_STATE_ERROR);
 			_gnutls_audit_log(
@ -734,10 +734,10 @@ Index: gnutls-3.8.8/lib/fips.c
 		}
 		gnutls_fips140_context_deinit(fips_context);
 	}
-Index: gnutls-3.8.8/lib/fips.h
+Index: gnutls-3.8.9/lib/fips.h
 ===================================================================
--- gnutls-3.8.8.orig/lib/fips.h
-+++ gnutls-3.8.8/lib/fips.h
+--- gnutls-3.8.9.orig/lib/fips.h
+++ gnutls-3.8.9/lib/fips.h
@@ -163,7 +163,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
 }
 
@ -778,10 +778,10 @@ Index: gnutls-3.8.8/lib/fips.h
 					  gnutls_cipher_get_name(algo));
 			FALLTHROUGH;
 		case GNUTLS_FIPS140_DISABLED:
-Index: gnutls-3.8.8/lib/global.c
+Index: gnutls-3.8.9/lib/global.c
 ===================================================================
--- gnutls-3.8.8.orig/lib/global.c
-+++ gnutls-3.8.8/lib/global.c
+--- gnutls-3.8.9.orig/lib/global.c
+++ gnutls-3.8.9/lib/global.c
@@ -339,12 +339,12 @@ static int _gnutls_global_init(unsigned
 
 #ifdef ENABLE_FIPS140
@ -815,11 +815,11 @@ Index: gnutls-3.8.8/lib/global.c
 			if (res != 2) {
 				gnutls_assert();
 				goto out;
-Index: gnutls-3.8.8/lib/includes/gnutls/gnutls.h.in
+Index: gnutls-3.8.9/lib/includes/gnutls/gnutls.h.in
 ===================================================================
--- gnutls-3.8.8.orig/lib/includes/gnutls/gnutls.h.in
-+++ gnutls-3.8.8/lib/includes/gnutls/gnutls.h.in
-@@ -3216,16 +3216,16 @@ typedef int (*gnutls_alert_read_func)(gn
+--- gnutls-3.8.9.orig/lib/includes/gnutls/gnutls.h.in
+++ gnutls-3.8.9/lib/includes/gnutls/gnutls.h.in
+@@ -3236,16 +3236,16 @@ typedef int (*gnutls_alert_read_func)(gn
 void gnutls_alert_set_read_function(gnutls_session_t session,
 				    gnutls_alert_read_func func);
 
@ -840,7 +840,7 @@ Index: gnutls-3.8.8/lib/includes/gnutls/gnutls.h.in
  *                      application is aware of the followed security policy, and needs
  *                      to utilize disallowed operations for other reasons (e.g., compatibility).
  * @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results
-@@ -3233,7 +3233,7 @@ unsigned gnutls_fips140_mode_enabled(voi
+@@ -3253,7 +3253,7 @@ unsigned gnutls_fips140_mode_enabled(voi
  * @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state
  *			cannot be set or seen by applications.
  *
@ -849,10 +849,10 @@ Index: gnutls-3.8.8/lib/includes/gnutls/gnutls.h.in
  */
 typedef enum gnutls_fips_mode_t {
 	GNUTLS_FIPS140_DISABLED = 0,
-Index: gnutls-3.8.8/src/cli.c
+Index: gnutls-3.8.9/src/cli.c
 ===================================================================
--- gnutls-3.8.8.orig/src/cli.c
-+++ gnutls-3.8.8/src/cli.c
+--- gnutls-3.8.9.orig/src/cli.c
+++ gnutls-3.8.9/src/cli.c
@@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char **
 
 	if (HAVE_OPT(FIPS140_MODE)) {
@ -866,10 +866,10 @@ Index: gnutls-3.8.8/src/cli.c
 		exit(1);
 	}
 
-Index: gnutls-3.8.8/src/gnutls-cli-options.c
+Index: gnutls-3.8.9/src/gnutls-cli-options.c
 ===================================================================
--- gnutls-3.8.8.orig/src/gnutls-cli-options.c
-+++ gnutls-3.8.8/src/gnutls-cli-options.c
+--- gnutls-3.8.9.orig/src/gnutls-cli-options.c
+++ gnutls-3.8.9/src/gnutls-cli-options.c
@@ -843,7 +843,7 @@ usage (FILE *out, int status)
     "       --inline-commands-prefix=str Change the default delimiter for inline commands\n"
     "       --provider=file        Specify the PKCS #11 provider library\n"
@ -879,10 +879,10 @@ Index: gnutls-3.8.8/src/gnutls-cli-options.c
     "       --list-config          Reports the configuration of the library\n"
     "       --logfile=str          Redirect informational messages to a specific file\n"
     "       --keymatexport=str     Label used for exporting keying material\n"
-Index: gnutls-3.8.8/tests/cert-tests/gost.sh
+Index: gnutls-3.8.9/tests/cert-tests/gost.sh
 ===================================================================
--- gnutls-3.8.8.orig/tests/cert-tests/gost.sh
-+++ gnutls-3.8.8/tests/cert-tests/gost.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/gost.sh
+++ gnutls-3.8.9/tests/cert-tests/gost.sh
@@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then
 fi
 
@ -892,10 +892,10 @@ Index: gnutls-3.8.8/tests/cert-tests/gost.sh
 	exit 77
 fi
 
-Index: gnutls-3.8.8/tests/cert-tests/pkcs12-corner-cases.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs12-corner-cases.sh
 ===================================================================
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs12-corner-cases.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs12-corner-cases.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs12-corner-cases.sh
+++ gnutls-3.8.9/tests/cert-tests/pkcs12-corner-cases.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
 fi
 
@ -905,10 +905,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs12-corner-cases.sh
 	exit 77
 fi
 
-Index: gnutls-3.8.8/tests/cert-tests/pkcs12-encode.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs12-encode.sh
 ===================================================================
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs12-encode.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs12-encode.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs12-encode.sh
+++ gnutls-3.8.9/tests/cert-tests/pkcs12-encode.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
 fi
 
@ -918,10 +918,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs12-encode.sh
 	exit 77
 fi
 
-Index: gnutls-3.8.8/tests/cert-tests/pkcs12-gost.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs12-gost.sh
 ===================================================================
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs12-gost.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs12-gost.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs12-gost.sh
+++ gnutls-3.8.9/tests/cert-tests/pkcs12-gost.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
 fi
 
@ -931,10 +931,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs12-gost.sh
 	exit 77
 fi
 
-Index: gnutls-3.8.8/tests/cert-tests/pkcs12.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs12.sh
 ===================================================================
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs12.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs12.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs12.sh
+++ gnutls-3.8.9/tests/cert-tests/pkcs12.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
 fi
 
@ -944,10 +944,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs12.sh
 	exit 77
 fi
 
-Index: gnutls-3.8.8/tests/cert-tests/pkcs8-decode.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs8-decode.sh
 ===================================================================
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs8-decode.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs8-decode.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs8-decode.sh
+++ gnutls-3.8.9/tests/cert-tests/pkcs8-decode.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
 fi
 
@ -957,10 +957,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs8-decode.sh
 	exit 77
 fi
 
-Index: gnutls-3.8.8/tests/cert-tests/pkcs8-eddsa.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs8-eddsa.sh
 ===================================================================
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs8-eddsa.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs8-eddsa.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs8-eddsa.sh
+++ gnutls-3.8.9/tests/cert-tests/pkcs8-eddsa.sh
@@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
 fi
 
@ -970,10 +970,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs8-eddsa.sh
 	exit 77
 fi
 
-Index: gnutls-3.8.8/tests/cert-tests/pkcs8-gost.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs8-gost.sh
 ===================================================================
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs8-gost.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs8-gost.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs8-gost.sh
+++ gnutls-3.8.9/tests/cert-tests/pkcs8-gost.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
 fi
 
@ -983,10 +983,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs8-gost.sh
 	exit 77
 fi
 
-Index: gnutls-3.8.8/tests/cert-tests/pkcs8.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs8.sh
 ===================================================================
--- gnutls-3.8.8.orig/tests/cert-tests/pkcs8.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs8.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs8.sh
+++ gnutls-3.8.9/tests/cert-tests/pkcs8.sh
@@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
 fi
 
@ -996,10 +996,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs8.sh
 	exit 77
 fi
 
-Index: gnutls-3.8.8/tests/cipher-listings.sh
+Index: gnutls-3.8.9/tests/cipher-listings.sh
 ===================================================================
--- gnutls-3.8.8.orig/tests/cipher-listings.sh
-+++ gnutls-3.8.8/tests/cipher-listings.sh
+--- gnutls-3.8.9.orig/tests/cipher-listings.sh
+++ gnutls-3.8.9/tests/cipher-listings.sh
@@ -63,7 +63,7 @@ check()
 
 ${CLI} --fips140-mode
@ -1009,10 +1009,10 @@ Index: gnutls-3.8.8/tests/cipher-listings.sh
 	exit 77
 fi
 
-Index: gnutls-3.8.8/tests/testpkcs11.sh
+Index: gnutls-3.8.9/tests/testpkcs11.sh
 ===================================================================
--- gnutls-3.8.8.orig/tests/testpkcs11.sh
-+++ gnutls-3.8.8/tests/testpkcs11.sh
+--- gnutls-3.8.9.orig/tests/testpkcs11.sh
+++ gnutls-3.8.9/tests/testpkcs11.sh
@@ -26,7 +26,7 @@
 RETCODE=0
 
@ -1022,10 +1022,10 @@ Index: gnutls-3.8.8/tests/testpkcs11.sh
 	exit 77
 fi
 
-Index: gnutls-3.8.8/doc/enums/gnutls_fips_mode_t
+Index: gnutls-3.8.9/doc/enums/gnutls_fips_mode_t
 ===================================================================
--- gnutls-3.8.8.orig/doc/enums/gnutls_fips_mode_t
-+++ gnutls-3.8.8/doc/enums/gnutls_fips_mode_t
+--- gnutls-3.8.9.orig/doc/enums/gnutls_fips_mode_t
+++ gnutls-3.8.9/doc/enums/gnutls_fips_mode_t
@@ -3,7 +3,7 @@
 @c gnutls_fips_mode_t
 @table @code
@ -1046,10 +1046,10 @@ Index: gnutls-3.8.8/doc/enums/gnutls_fips_mode_t
 application is aware of the followed security policy, and needs
 to utilize disallowed operations for other reasons (e.g., compatibility).
 @item GNUTLS_@-FIPS140_@-LOG
-Index: gnutls-3.8.8/doc/gnutls-api.texi
+Index: gnutls-3.8.9/doc/gnutls-api.texi
 ===================================================================
--- gnutls-3.8.8.orig/doc/gnutls-api.texi
-+++ gnutls-3.8.8/doc/gnutls-api.texi
+--- gnutls-3.8.9.orig/doc/gnutls-api.texi
+++ gnutls-3.8.9/doc/gnutls-api.texi
@@ -3279,7 +3279,7 @@ unusable.  This function is not thread-s
 @subheading gnutls_fips140_set_mode
 @anchor{gnutls_fips140_set_mode}
@ -1075,10 +1075,10 @@ Index: gnutls-3.8.8/doc/gnutls-api.texi
 values for  @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS}  mode, the library
 switches to @code{GNUTLS_FIPS140_STRICT}  mode.
 
-Index: gnutls-3.8.8/lib/ext/session_ticket.c
+Index: gnutls-3.8.9/lib/ext/session_ticket.c
 ===================================================================
--- gnutls-3.8.8.orig/lib/ext/session_ticket.c
-+++ gnutls-3.8.8/lib/ext/session_ticket.c
+--- gnutls-3.8.9.orig/lib/ext/session_ticket.c
+++ gnutls-3.8.9/lib/ext/session_ticket.c
@@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g
 {
 	if (_gnutls_fips_mode_enabled()) {
@ -1088,10 +1088,10 @@ Index: gnutls-3.8.8/lib/ext/session_ticket.c
 		 * some limits on allowed key size, thus it is not
 		 * used. These limits do not affect this function as
 		 * it does not generate a "key" but rather key material
-Index: gnutls-3.8.8/lib/libgnutls.map
+Index: gnutls-3.8.9/lib/libgnutls.map
 ===================================================================
--- gnutls-3.8.8.orig/lib/libgnutls.map
-+++ gnutls-3.8.8/lib/libgnutls.map
+--- gnutls-3.8.9.orig/lib/libgnutls.map
+++ gnutls-3.8.9/lib/libgnutls.map
@@ -1459,7 +1459,7 @@ GNUTLS_FIPS140_3_4 {
 	gnutls_hkdf_self_test;
 	gnutls_pbkdf2_self_test;
@ -1101,10 +1101,10 @@ Index: gnutls-3.8.8/lib/libgnutls.map
 	drbg_aes_reseed;
 	drbg_aes_init;
 	drbg_aes_generate;
-Index: gnutls-3.8.8/lib/nettle/mac.c
+Index: gnutls-3.8.9/lib/nettle/mac.c
 ===================================================================
--- gnutls-3.8.8.orig/lib/nettle/mac.c
-+++ gnutls-3.8.8/lib/nettle/mac.c
+--- gnutls-3.8.9.orig/lib/nettle/mac.c
+++ gnutls-3.8.9/lib/nettle/mac.c
@@ -292,7 +292,7 @@ static void _wrap_gmac_digest(void *_ctx
 static int _mac_ctx_init(gnutls_mac_algorithm_t algo,
 			 struct nettle_mac_ctx *ctx)
@ -1123,10 +1123,10 @@ Index: gnutls-3.8.8/lib/nettle/mac.c
 	 * gnutls_hash_init() and gnutls_hmac_init() */
 
 	ctx->finished = NULL;
-Index: gnutls-3.8.8/config.h.in
+Index: gnutls-3.8.9/config.h.in
 ===================================================================
--- gnutls-3.8.8.orig/config.h.in
-+++ gnutls-3.8.8/config.h.in
+--- gnutls-3.8.9.orig/config.h.in
+++ gnutls-3.8.9/config.h.in
@@ -104,7 +104,7 @@
 /* enable DHE */
 #undef ENABLE_ECDHE
@ -1145,11 +1145,11 @@ Index: gnutls-3.8.8/config.h.in
 #undef FIPS_KEY
 
 /* The FIPS140 module name */
-Index: gnutls-3.8.8/configure
+Index: gnutls-3.8.9/configure
 ===================================================================
--- gnutls-3.8.8.orig/configure
-+++ gnutls-3.8.8/configure
-@@ -4455,7 +4455,7 @@ Optional Features:
+--- gnutls-3.8.9.orig/configure
+++ gnutls-3.8.9/configure
+@@ -4493,7 +4493,7 @@ Optional Features:
   --enable-fast-install[=PKGS]
                           optimize for fast installation [default=yes]
   --disable-libtool-lock  avoid locking (might break parallel builds)
@ -1158,10 +1158,10 @@ Index: gnutls-3.8.8/configure
   --enable-strict-x509    enable stricter sanity checks for x509 certificates
   --disable-non-suiteb-curves
                           disable curves not in SuiteB
-Index: gnutls-3.8.8/doc/cha-support.texi
+Index: gnutls-3.8.9/doc/cha-support.texi
 ===================================================================
--- gnutls-3.8.8.orig/doc/cha-support.texi
-+++ gnutls-3.8.8/doc/cha-support.texi
+--- gnutls-3.8.9.orig/doc/cha-support.texi
+++ gnutls-3.8.9/doc/cha-support.texi
@@ -134,5 +134,5 @@ There are certifications from national o
 to an auditor that the crypto component follows some best practices, such
 as unit testing and reliance on well known crypto primitives.
@ -1170,10 +1170,10 @@ Index: gnutls-3.8.8/doc/cha-support.texi
 -See @ref{FIPS140-2 mode} for more information.
 +GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux.
 +See @ref{FIPS140-3 mode} for more information.
-Index: gnutls-3.8.8/src/gnutls-cli-options.json
+Index: gnutls-3.8.9/src/gnutls-cli-options.json
 ===================================================================
--- gnutls-3.8.8.orig/src/gnutls-cli-options.json
-+++ gnutls-3.8.8/src/gnutls-cli-options.json
+--- gnutls-3.8.9.orig/src/gnutls-cli-options.json
+++ gnutls-3.8.9/src/gnutls-cli-options.json
@@ -384,7 +384,7 @@
         },
         {
@ -1183,10 +1183,10 @@ Index: gnutls-3.8.8/src/gnutls-cli-options.json
         },
         {
           "long-option": "list-config",
-Index: gnutls-3.8.8/tests/pkcs11-tool.sh
+Index: gnutls-3.8.9/tests/pkcs11-tool.sh
 ===================================================================
--- gnutls-3.8.8.orig/tests/pkcs11-tool.sh
-+++ gnutls-3.8.8/tests/pkcs11-tool.sh
+--- gnutls-3.8.9.orig/tests/pkcs11-tool.sh
+++ gnutls-3.8.9/tests/pkcs11-tool.sh
@@ -30,7 +30,7 @@ set -x
 : ${DIFF=diff}
 
@ -1196,10 +1196,10 @@ Index: gnutls-3.8.8/tests/pkcs11-tool.sh
 	exit 77
 fi
 
-Index: gnutls-3.8.8/doc/manpages/gnutls_fips140_set_mode.3
+Index: gnutls-3.8.9/doc/manpages/gnutls_fips140_set_mode.3
 ===================================================================
--- gnutls-3.8.8.orig/doc/manpages/gnutls_fips140_set_mode.3
-+++ gnutls-3.8.8/doc/manpages/gnutls_fips140_set_mode.3
+--- gnutls-3.8.9.orig/doc/manpages/gnutls_fips140_set_mode.3
+++ gnutls-3.8.9/doc/manpages/gnutls_fips140_set_mode.3
@@ -8,7 +8,7 @@ gnutls_fips140_set_mode \- API function
 .BI "void gnutls_fips140_set_mode(gnutls_fips_mode_t " mode ", unsigned " flags ");"
 .SH ARGUMENTS
@ -1225,16 +1225,16 @@ Index: gnutls-3.8.8/doc/manpages/gnutls_fips140_set_mode.3
 values for  \fImode\fP or to \fBGNUTLS_FIPS140_SELFTESTS\fP mode, the library
 switches to \fBGNUTLS_FIPS140_STRICT\fP mode.
 .SH "SINCE"
-Index: gnutls-3.8.8/doc/gnutls.info
+Index: gnutls-3.8.9/doc/gnutls.info
 ===================================================================
--- gnutls-3.8.8.orig/doc/gnutls.info
-+++ gnutls-3.8.8/doc/gnutls.info
-@@ -619,7 +619,7 @@ Ref: fig-crypto-layers743655
- Ref: Cryptographic Backend-Footnote-1746962
- Ref: Cryptographic Backend-Footnote-2747047
- Node: Random Number Generators-internals747159
-Node: FIPS140-2 mode754615
-+Node: FIPS140-3 mode754615
- Ref: gnutls_fips_mode_t757279
- Node: Upgrading from previous versions760947
- Node: Support775185
+--- gnutls-3.8.9.orig/doc/gnutls.info
+++ gnutls-3.8.9/doc/gnutls.info
+@@ -619,7 +619,7 @@ Ref: fig-crypto-layers743671
+ Ref: Cryptographic Backend-Footnote-1746978
+ Ref: Cryptographic Backend-Footnote-2747063
+ Node: Random Number Generators-internals747175
+-Node: FIPS140-2 mode754631
+Node: FIPS140-3 mode754631
+ Ref: gnutls_fips_mode_t757295
+ Node: Upgrading from previous versions760963
+ Node: Support775201
--- a/gnutls-FIPS-TLS_KDF_selftest.patch
+++ b/gnutls-FIPS-TLS_KDF_selftest.patch
@ -1,8 +1,8 @@
-Index: gnutls-3.8.5/lib/fips.c
+Index: gnutls-3.8.9/lib/fips.c
 ===================================================================
--- gnutls-3.8.5.orig/lib/fips.c
-+++ gnutls-3.8.5/lib/fips.c
-@@ -593,6 +593,26 @@ int _gnutls_fips_perform_self_checks2(vo
+--- gnutls-3.8.9.orig/lib/fips.c
+++ gnutls-3.8.9/lib/fips.c
+@@ -621,6 +621,26 @@ int _gnutls_fips_perform_self_checks2(vo
 		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
 	}
 
--- a/gnutls-FIPS-jitterentropy.patch
+++ b/gnutls-FIPS-jitterentropy.patch
@ -1,7 +1,7 @@
-Index: gnutls-3.8.6/lib/nettle/sysrng-linux.c
+Index: gnutls-3.8.9/lib/nettle/sysrng-linux.c
 ===================================================================
--- gnutls-3.8.6.orig/lib/nettle/sysrng-linux.c
-+++ gnutls-3.8.6/lib/nettle/sysrng-linux.c
+--- gnutls-3.8.9.orig/lib/nettle/sysrng-linux.c
+++ gnutls-3.8.9/lib/nettle/sysrng-linux.c
@@ -49,6 +49,15 @@
 get_entropy_func _rnd_get_system_entropy = NULL;
 
@ -158,11 +158,11 @@ Index: gnutls-3.8.6/lib/nettle/sysrng-linux.c
 +#endif
 	return;
 }
-Index: gnutls-3.8.6/lib/nettle/Makefile.in
+Index: gnutls-3.8.9/lib/nettle/Makefile.in
 ===================================================================
--- gnutls-3.8.6.orig/lib/nettle/Makefile.in
-+++ gnutls-3.8.6/lib/nettle/Makefile.in
-@@ -497,7 +497,7 @@ am__v_CC_1 =
+--- gnutls-3.8.9.orig/lib/nettle/Makefile.in
+++ gnutls-3.8.9/lib/nettle/Makefile.in
+@@ -521,7 +521,7 @@ am__v_CC_1 =
 CCLD = $(CC)
 LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@ -171,10 +171,10 @@ Index: gnutls-3.8.6/lib/nettle/Makefile.in
 AM_V_CCLD = $(am__v_CCLD_@AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
-Index: gnutls-3.8.6/lib/nettle/Makefile.am
+Index: gnutls-3.8.9/lib/nettle/Makefile.am
 ===================================================================
--- gnutls-3.8.6.orig/lib/nettle/Makefile.am
-+++ gnutls-3.8.6/lib/nettle/Makefile.am
+--- gnutls-3.8.9.orig/lib/nettle/Makefile.am
+++ gnutls-3.8.9/lib/nettle/Makefile.am
@@ -20,7 +20,7 @@
 
 include $(top_srcdir)/lib/common.mk
@ -182,12 +182,12 @@ Index: gnutls-3.8.6/lib/nettle/Makefile.am
 -AM_CFLAGS += $(HOGWEED_CFLAGS) $(GMP_CFLAGS)
 +AM_CFLAGS += $(HOGWEED_CFLAGS) $(GMP_CFLAGS) -ljitterentropy
 
- AM_CPPFLAGS = \
+ AM_CPPFLAGS += \
 	-I$(srcdir)/int		\
-Index: gnutls-3.8.6/lib/nettle/rnd-fips.c
+Index: gnutls-3.8.9/lib/nettle/rnd-fips.c
 ===================================================================
--- gnutls-3.8.6.orig/lib/nettle/rnd-fips.c
-+++ gnutls-3.8.6/lib/nettle/rnd-fips.c
+--- gnutls-3.8.9.orig/lib/nettle/rnd-fips.c
+++ gnutls-3.8.9/lib/nettle/rnd-fips.c
@@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc
 	uint8_t buffer[DRBG_AES_SEED_SIZE];
 	int ret;
@ -210,11 +210,11 @@ Index: gnutls-3.8.6/lib/nettle/rnd-fips.c
 	ret = get_entropy(fctx, buffer, sizeof(buffer));
 	if (ret < 0) {
 		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
-Index: gnutls-3.8.6/tests/Makefile.am
+Index: gnutls-3.8.9/tests/Makefile.am
 ===================================================================
--- gnutls-3.8.6.orig/tests/Makefile.am
-+++ gnutls-3.8.6/tests/Makefile.am
-@@ -209,7 +209,7 @@ ctests += mini-record-2 simple gnutls_hm
+--- gnutls-3.8.9.orig/tests/Makefile.am
+++ gnutls-3.8.9/tests/Makefile.am
+@@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm
 	 dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \
 	 keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \
 	 tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \
--- a/gnutls-disable-flaky-test-dtls-resume.patch
+++ b/gnutls-disable-flaky-test-dtls-resume.patch
@ -1,8 +1,8 @@
-Index: gnutls-3.7.8/tests/Makefile.am
+Index: gnutls-3.8.9/tests/Makefile.am
 ===================================================================
--- gnutls-3.7.8.orig/tests/Makefile.am
-+++ gnutls-3.7.8/tests/Makefile.am
-@@ -508,7 +508,7 @@ if !WINDOWS
+--- gnutls-3.8.9.orig/tests/Makefile.am
+++ gnutls-3.8.9/tests/Makefile.am
+@@ -530,7 +530,7 @@ if !WINDOWS
 # List of tests not available/functional under windows
 #
 
--- a/gnutls-set-cligen-python-interp.patch
+++ b/gnutls-set-cligen-python-interp.patch
@ -0,0 +1,10 @@
+Index: gnutls-3.8.9/cligen/cli-docgen.py
+===================================================================
+--- gnutls-3.8.9.orig/cligen/cli-docgen.py
+++ gnutls-3.8.9/cligen/cli-docgen.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python
+#!/usr/bin/python3
+ # Copyright (C) 2021-2022 Daiki Ueno
+ # SPDX-License-Identifier: LGPL-2.1-or-later
+ 
--- a/gnutls-skip-pqx-test.patch
+++ b/gnutls-skip-pqx-test.patch
@ -0,0 +1,34 @@
+Index: gnutls-3.8.9/tests/Makefile.am
+===================================================================
+--- gnutls-3.8.9.orig/tests/Makefile.am
+++ gnutls-3.8.9/tests/Makefile.am
+@@ -603,8 +603,6 @@ ctests += win32-certopenstore
+ 
+ endif
+ 
+-dist_check_SCRIPTS += pqc-hybrid-kx.sh
+-
+ cpptests =
+ if ENABLE_CXX
+ if HAVE_CMOCKA
+Index: gnutls-3.8.9/tests/Makefile.in
+===================================================================
+--- gnutls-3.8.9.orig/tests/Makefile.in
+++ gnutls-3.8.9/tests/Makefile.in
+@@ -3236,7 +3236,7 @@ am__dist_check_SCRIPTS_DIST = rfc2253-es
+ 	gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh \
+ 	gnutls-cli-rawpk.sh dh-fips-approved.sh p11-kit-trust.sh \
+ 	testpkcs11.sh certtool-pkcs11.sh pkcs11-tool.sh \
+-	p11-kit-load.sh danetool.sh tpmtool_test.sh pqc-hybrid-kx.sh
+	p11-kit-load.sh danetool.sh tpmtool_test.sh 
+ AM_V_P = $(am__v_P_@AM_V@)
+ am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+ am__v_P_0 = false
+@@ -7106,7 +7106,6 @@ dist_check_SCRIPTS = rfc2253-escape-test
+ 	$(am__append_18) $(am__append_20) $(am__append_21) \
+ 	$(am__append_23) $(am__append_25) $(am__append_26) \
+ 	$(am__append_27) $(am__append_29) $(am__append_30) \
+-	pqc-hybrid-kx.sh
+ @WINDOWS_FALSE@dtls_stress_SOURCES = dtls/dtls-stress.c
+ @WINDOWS_FALSE@dtls_stress_LDADD = $(COMMON_GNUTLS_LDADD) \
+ @WINDOWS_FALSE@	$(COMMON_DEPS_LDADD)
--- a/gnutls-srp-test-SIGPIPE.patch
+++ b/gnutls-srp-test-SIGPIPE.patch
@ -1,8 +1,8 @@
-Index: gnutls-3.8.1/tests/srp.c
+Index: gnutls-3.8.9/tests/srp.c
 ===================================================================
--- gnutls-3.8.1.orig/tests/srp.c
-+++ gnutls-3.8.1/tests/srp.c
-@@ -287,7 +289,7 @@ static void start(const char *name, cons
+--- gnutls-3.8.9.orig/tests/srp.c
+++ gnutls-3.8.9/tests/srp.c
+@@ -290,7 +290,7 @@ static void start(const char *name, cons
 	if (child) {
 		int status;
 		/* parent */
@ -11,7 +11,7 @@ Index: gnutls-3.8.1/tests/srp.c
 		client(fd[1], prio, user, pass, exp_err);
 		if (exp_err < 0) {
 			kill(child, SIGTERM);
-@@ -297,7 +299,7 @@ static void start(const char *name, cons
+@@ -300,7 +300,7 @@ static void start(const char *name, cons
 			check_wait_status(status);
 		}
 	} else {
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,3 +1,38 @@
+-------------------------------------------------------------------
+Mon Feb 24 11:15:52 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
+
+- Update to 3.8.9 
+  - libgnutls: leancrypto was added as an interim option for PQC
+    The library can now be built with leancrypto instead of liboqs for
+    post-quantum cryptography (PQC), when configured with
+    --with-leancrypto option instead of --with-liboqs.
+  - libgnutls: Experimental support for ML-DSA signature algorithm
+    The library and certtool now support ML-DSA signature algorithm as
+    defined in FIPS 204 and based on
+    draft-ietf-lamps-dilithium-certificates-04. This feature is
+    currently marked as experimental and can only be enabled when
+    compiled with --with-leancrypto or --with-liboqs.
+    Contributed by David Dudas.
+  - libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
+    The support for ML-KEM post-quantum key encapsulation mechanisms
+    has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
+    MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
+    draft-kwiatkowski-tls-ecdhe-mlkem-03.
+  - libgnutls: Fix potential DoS in handling certificates with numerous name
+    constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
+    bundled copy of libtasn1 has also been updated to the latest 4.20.0
+    release to complete the fix.  Reported by Bing Shi (#1553).
+    [GNUTLS-SA-2025-02-07, CVSS: medium] [bsc#1236974, CVE-2024-12243
+  - Licensing information moved to REAMDE.md, COPYING, COPYING.LESSERv2
+  * Rebased gnutls-FIPS-140-3-references.patch
+  * Rebased gnutls-FIPS-TLS_KDF_selftest.patch
+  * Rebased gnutls-FIPS-jitterentropy.patch
+  * Rebased gnutls-disable-flaky-test-dtls-resume.patch
+  * Rebased gnutls-srp-test-SIGPIPE.patch
+  * Rebased gnutls-3.5.11-skip-trust-store-tests.patch
+  * Add gnutls-set-cligen-python-interp.patch
+  * Add gnutls-skip-pqx-test.patch
+
 -------------------------------------------------------------------
 Mon Nov 11 10:04:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>

--- a/gnutls.spec
+++ b/gnutls.spec
@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -42,7 +42,7 @@
 %endif
 %bcond_with tpm
 Name:           gnutls
-Version:        3.8.8
+Version:        3.8.9
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        GPL-3.0-or-later AND LGPL-2.1-or-later
@ -71,6 +71,8 @@ Patch102:       gnutls-FIPS-jitterentropy.patch
 #PATCH-FIX-SUSE bsc#1221242 Fix memleak in gnutls' jitterentropy collector
 Patch103:       gnutls-FIPS-jitterentropy-deinit-threads.patch
 %endif
+Patch104:       gnutls-set-cligen-python-interp.patch
+Patch105:       gnutls-skip-pqx-test.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@ -318,7 +320,7 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig

 %files -f libgnutls.lang
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
 %{_bindir}/certtool
 %{_bindir}/gnutls-cli
@ -339,22 +341,22 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %{_mandir}/man1/*

 %files -n libgnutls%{gnutls_sover}
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac

 %if %{with dane}
 %files -n libgnutls-dane%{gnutls_dane_sover}
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
 %endif

 %files -n libgnutlsxx%{gnutlsxx_sover}
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*

 %files -n libgnutls-devel
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/abstract.h
 %{_includedir}/%{name}/crypto.h
@ -383,7 +385,7 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=

 %if %{with dane}
 %files -n libgnutls-dane-devel
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/dane.h
 %{_libdir}/pkgconfig/gnutls-dane.pc
@ -391,7 +393,7 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %endif

 %files -n libgnutlsxx-devel
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %{_libdir}/libgnutlsxx.so
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/gnutlsxx.h