Accepting request 1248196 from security:tls

OBS-URL: https://build.opensuse.org/request/show/1248196
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=160

gnutls-3.5.11-skip-trust-store-tests.patch

@@ -15,11 +15,11 @@ need ca-certificates-mozilla to run.
 
 But this would create a build cycle. Skip test.
 
-Index: gnutls-3.6.15/tests/trust-store.c
+Index: gnutls-3.8.9/tests/trust-store.c
 ===================================================================
---- gnutls-3.6.15.orig/tests/trust-store.c	2020-09-08 10:24:24.018094247 +0200
+--- gnutls-3.8.9.orig/tests/trust-store.c
-+++ gnutls-3.6.15/tests/trust-store.c	2020-09-08 10:24:25.534104346 +0200
++++ gnutls-3.8.9/tests/trust-store.c
-@@ -44,6 +44,9 @@ static void tls_log_func(int level, cons
+@@ -42,6 +42,9 @@ static void tls_log_func(int level, cons
  
  void doit(void)
  {

gnutls-3.8.9.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:69e113d802d1670c4d5ac1b99040b1f2d5c7c05daec5003813c049b5184820ed
+size 6847364

gnutls-FIPS-140-3-references.patch

@@ -1,8 +1,8 @@
-Index: gnutls-3.8.8/configure.ac
+Index: gnutls-3.8.9/configure.ac
 ===================================================================
---- gnutls-3.8.8.orig/configure.ac
+--- gnutls-3.8.9.orig/configure.ac
-+++ gnutls-3.8.8/configure.ac
++++ gnutls-3.8.9/configure.ac
-@@ -624,19 +624,19 @@ LT_INIT([disable-static,win32-dll,shared
+@@ -665,19 +665,19 @@ LT_INIT([disable-static,win32-dll,shared
  AC_LIB_HAVE_LINKFLAGS(dl,, [#include <dlfcn.h>], [dladdr (0, 0);])
  
  AC_ARG_ENABLE(fips140-mode,
@@ -25,10 +25,10 @@ Index: gnutls-3.8.8/configure.ac
  
      AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name],
                                   [specify the FIPS140 module name]),
-Index: gnutls-3.8.8/doc/cha-gtls-app.texi
+Index: gnutls-3.8.9/doc/cha-gtls-app.texi
 ===================================================================
---- gnutls-3.8.8.orig/doc/cha-gtls-app.texi
+--- gnutls-3.8.9.orig/doc/cha-gtls-app.texi
-+++ gnutls-3.8.8/doc/cha-gtls-app.texi
++++ gnutls-3.8.9/doc/cha-gtls-app.texi
 @@ -222,7 +222,7 @@ CPU. The currently available options are
  @end itemize
  
@@ -38,10 +38,10 @@ Index: gnutls-3.8.8/doc/cha-gtls-app.texi
  if set to one it will force the FIPS mode enablement.
  
  @end multitable
-Index: gnutls-3.8.8/doc/cha-internals.texi
+Index: gnutls-3.8.9/doc/cha-internals.texi
 ===================================================================
---- gnutls-3.8.8.orig/doc/cha-internals.texi
+--- gnutls-3.8.9.orig/doc/cha-internals.texi
-+++ gnutls-3.8.8/doc/cha-internals.texi
++++ gnutls-3.8.9/doc/cha-internals.texi
 @@ -14,7 +14,7 @@ happens inside the black box.
  * TLS Hello Extension Handling::
  * Cryptographic Backend::
@@ -162,11 +162,11 @@ Index: gnutls-3.8.8/doc/cha-internals.texi
  operation.  It can be attached to the current execution thread with
  @funcref{gnutls_fips140_push_context} and its internal state will be
  updated until it is detached with
-Index: gnutls-3.8.8/doc/enums.texi
+Index: gnutls-3.8.9/doc/enums.texi
 ===================================================================
---- gnutls-3.8.8.orig/doc/enums.texi
+--- gnutls-3.8.9.orig/doc/enums.texi
-+++ gnutls-3.8.8/doc/enums.texi
++++ gnutls-3.8.9/doc/enums.texi
-@@ -1210,7 +1210,7 @@ application traffic secret is installed
+@@ -1230,7 +1230,7 @@ application traffic secret is installed
  @c gnutls_fips_mode_t
  @table @code
  @item GNUTLS_@-FIPS140_@-DISABLED
@@ -175,7 +175,7 @@ Index: gnutls-3.8.8/doc/enums.texi
  @item GNUTLS_@-FIPS140_@-STRICT
  The default mode; all forbidden operations will cause an
  operation failure via error code.
-@@ -1218,8 +1218,8 @@ operation failure via error code.
+@@ -1238,8 +1238,8 @@ operation failure via error code.
  A transient state during library initialization. That state
  cannot be set or seen by applications.
  @item GNUTLS_@-FIPS140_@-LAX
@@ -186,10 +186,10 @@ Index: gnutls-3.8.8/doc/enums.texi
  application is aware of the followed security policy, and needs
  to utilize disallowed operations for other reasons (e.g., compatibility).
  @item GNUTLS_@-FIPS140_@-LOG
-Index: gnutls-3.8.8/doc/functions/gnutls_fips140_set_mode
+Index: gnutls-3.8.9/doc/functions/gnutls_fips140_set_mode
 ===================================================================
---- gnutls-3.8.8.orig/doc/functions/gnutls_fips140_set_mode
+--- gnutls-3.8.9.orig/doc/functions/gnutls_fips140_set_mode
-+++ gnutls-3.8.8/doc/functions/gnutls_fips140_set_mode
++++ gnutls-3.8.9/doc/functions/gnutls_fips140_set_mode
 @@ -3,7 +3,7 @@
  
  
@@ -215,10 +215,10 @@ Index: gnutls-3.8.8/doc/functions/gnutls_fips140_set_mode
  values for  @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS}  mode, the library
  switches to @code{GNUTLS_FIPS140_STRICT}  mode.
  
-Index: gnutls-3.8.8/doc/gnutls.html
+Index: gnutls-3.8.9/doc/gnutls.html
 ===================================================================
---- gnutls-3.8.8.orig/doc/gnutls.html
+--- gnutls-3.8.9.orig/doc/gnutls.html
-+++ gnutls-3.8.8/doc/gnutls.html
++++ gnutls-3.8.9/doc/gnutls.html
 @@ -485,7 +485,7 @@ Documentation License&rdquo;.
      <li><a id="toc-TLS-Extension-Handling" href="#TLS-Hello-Extension-Handling">11.4 TLS Extension Handling</a></li>
      <li><a id="toc-Cryptographic-Backend-1" href="#Cryptographic-Backend">11.5 Cryptographic Backend</a></li>
@@ -439,10 +439,10 @@ Index: gnutls-3.8.8/doc/gnutls.html
  <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fget_005foperation_005fstate-1"><code>gnutls_fips140_get_operation_state</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
  <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fmode_005fenabled"><code>gnutls_fips140_mode_enabled</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
  <tr><td></td><td class="printindex-index-entry"><a href="#index-gnutls_005ffips140_005fpop_005fcontext"><code>gnutls_fips140_pop_context</code></a></td><td class="printindex-index-section"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
-Index: gnutls-3.8.8/doc/gnutls.info-3
+Index: gnutls-3.8.9/doc/gnutls.info-3
 ===================================================================
---- gnutls-3.8.8.orig/doc/gnutls.info-3
+--- gnutls-3.8.9.orig/doc/gnutls.info-3
-+++ gnutls-3.8.8/doc/gnutls.info-3
++++ gnutls-3.8.9/doc/gnutls.info-3
 @@ -2108,7 +2108,7 @@ to ‘more’.  Both will exit with a st
              --inline-commands-prefix=str Change the default delimiter for inline commands
              --provider=file        Specify the PKCS #11 provider library
@@ -521,10 +521,10 @@ Index: gnutls-3.8.8/doc/gnutls.info-3
  
       FLAGS: should be zero or ‘GNUTLS_FIPS140_SET_MODE_THREAD’
  
-Index: gnutls-3.8.8/doc/invoke-gnutls-cli.texi
+Index: gnutls-3.8.9/doc/invoke-gnutls-cli.texi
 ===================================================================
---- gnutls-3.8.8.orig/doc/invoke-gnutls-cli.texi
+--- gnutls-3.8.9.orig/doc/invoke-gnutls-cli.texi
-+++ gnutls-3.8.8/doc/invoke-gnutls-cli.texi
++++ gnutls-3.8.9/doc/invoke-gnutls-cli.texi
 @@ -102,7 +102,7 @@ None:
         --inline-commands-prefix=str Change the default delimiter for inline commands
         --provider=file        Specify the PKCS #11 provider library
@@ -534,10 +534,10 @@ Index: gnutls-3.8.8/doc/invoke-gnutls-cli.texi
         --list-config          Reports the configuration of the library
         --logfile=str          Redirect informational messages to a specific file
         --keymatexport=str     Label used for exporting keying material
-Index: gnutls-3.8.8/doc/manpages/gnutls-cli.1
+Index: gnutls-3.8.9/doc/manpages/gnutls-cli.1
 ===================================================================
---- gnutls-3.8.8.orig/doc/manpages/gnutls-cli.1
+--- gnutls-3.8.9.orig/doc/manpages/gnutls-cli.1
-+++ gnutls-3.8.8/doc/manpages/gnutls-cli.1
++++ gnutls-3.8.9/doc/manpages/gnutls-cli.1
 @@ -398,7 +398,7 @@ Specify the PKCS #11 provider library.
  This will override the default options in /etc/gnutls/pkcs11.conf
  .TP
@@ -547,10 +547,10 @@ Index: gnutls-3.8.8/doc/manpages/gnutls-cli.1
  .sp
  .TP
  .NOP \f\*[B-Font]\-\-list\-config\f[]
-Index: gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
+Index: gnutls-3.8.9/doc/reference/html/gnutls-gnutls.html
 ===================================================================
---- gnutls-3.8.8.orig/doc/reference/html/gnutls-gnutls.html
+--- gnutls-3.8.9.orig/doc/reference/html/gnutls-gnutls.html
-+++ gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
++++ gnutls-3.8.9/doc/reference/html/gnutls-gnutls.html
 @@ -20874,12 +20874,12 @@ gnutls_fips140_set_mode (<em class="para
  (globally), and should be called prior to creating any threads. Its
  behavior with no flags after threads are created is undefined.</p>
@@ -575,7 +575,7 @@ Index: gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
  <td class="parameter_annotations"> </td>
  </tr>
  <tr>
-@@ -25969,7 +25969,7 @@ encryption</p>
+@@ -26035,7 +26035,7 @@ encryption</p>
  <hr>
  <div class="refsect2">
  <a name="gnutls-fips-mode-t"></a><h3>enum gnutls_fips_mode_t</h3>
@@ -584,7 +584,7 @@ Index: gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
  <div class="refsect3">
  <a name="gnutls-fips-mode-t.members"></a><h4>Members</h4>
  <div class="informaltable"><table class="informaltable" width="100%" border="0">
-@@ -25982,7 +25982,7 @@ encryption</p>
+@@ -26048,7 +26048,7 @@ encryption</p>
  <tr>
  <td class="enum_member_name"><p><a name="GNUTLS-FIPS140-DISABLED:CAPS"></a>GNUTLS_FIPS140_DISABLED</p></td>
  <td class="enum_member_description">
@@ -593,7 +593,7 @@ Index: gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
  </td>
  <td class="enum_member_annotations"> </td>
  </tr>
-@@ -26005,8 +26005,8 @@ operation failure via error code.</p>
+@@ -26071,8 +26071,8 @@ operation failure via error code.</p>
  <tr>
  <td class="enum_member_name"><p><a name="GNUTLS-FIPS140-LAX:CAPS"></a>GNUTLS_FIPS140_LAX</p></td>
  <td class="enum_member_description">
@@ -604,17 +604,17 @@ Index: gnutls-3.8.8/doc/reference/html/gnutls-gnutls.html
  application is aware of the followed security policy, and needs
  to utilize disallowed operations for other reasons (e.g., compatibility).</p>
  </td>
-@@ -27646,4 +27646,4 @@ This is used by <a class="link" href="gn
+@@ -27712,4 +27712,4 @@ This is used by <a class="link" href="gn
  <div class="footer">
  <hr>Generated by GTK-Doc V1.34.0</div>
  </body>
 -</html>
 \ No newline at end of file
 +</html>
-Index: gnutls-3.8.8/lib/fips.c
+Index: gnutls-3.8.9/lib/fips.c
 ===================================================================
---- gnutls-3.8.8.orig/lib/fips.c
+--- gnutls-3.8.9.orig/lib/fips.c
-+++ gnutls-3.8.8/lib/fips.c
++++ gnutls-3.8.9/lib/fips.c
 @@ -121,7 +121,7 @@ unsigned _gnutls_fips_mode_enabled(void)
  	}
  
@@ -633,7 +633,7 @@ Index: gnutls-3.8.8/lib/fips.c
  		ret = GNUTLS_FIPS140_SELFTESTS;
  		goto exit;
  	}
-@@ -740,7 +740,7 @@ unsigned gnutls_fips140_mode_enabled(voi
+@@ -745,7 +745,7 @@ unsigned gnutls_fips140_mode_enabled(voi
  
  /**
   * gnutls_fips140_set_mode:
@@ -642,7 +642,7 @@ Index: gnutls-3.8.8/lib/fips.c
   * @flags: should be zero or %GNUTLS_FIPS140_SET_MODE_THREAD
   *
   * That function is not thread-safe when changing the mode with no flags
-@@ -748,13 +748,13 @@ unsigned gnutls_fips140_mode_enabled(voi
+@@ -753,13 +753,13 @@ unsigned gnutls_fips140_mode_enabled(voi
   * behavior with no flags after threads are created is undefined.
   *
   * When the flag %GNUTLS_FIPS140_SET_MODE_THREAD is specified
@@ -658,7 +658,7 @@ Index: gnutls-3.8.8/lib/fips.c
   * values for @mode or to %GNUTLS_FIPS140_SELFTESTS mode, the library
   * switches to %GNUTLS_FIPS140_STRICT mode.
   *
-@@ -766,10 +766,10 @@ void gnutls_fips140_set_mode(gnutls_fips
+@@ -771,10 +771,10 @@ void gnutls_fips140_set_mode(gnutls_fips
  	gnutls_fips_mode_t prev = _gnutls_fips_mode_enabled();
  	if (prev == GNUTLS_FIPS140_DISABLED ||
  	    prev == GNUTLS_FIPS140_SELFTESTS) {
@@ -671,7 +671,7 @@ Index: gnutls-3.8.8/lib/fips.c
  		return;
  	}
  
-@@ -782,7 +782,7 @@ void gnutls_fips140_set_mode(gnutls_fips
+@@ -787,7 +787,7 @@ void gnutls_fips140_set_mode(gnutls_fips
  	case GNUTLS_FIPS140_SELFTESTS:
  		_gnutls_audit_log(
  			NULL,
@@ -680,7 +680,7 @@ Index: gnutls-3.8.8/lib/fips.c
  		mode = GNUTLS_FIPS140_STRICT;
  		break;
  	default:
-@@ -958,7 +958,7 @@ void _gnutls_switch_fips_state(gnutls_fi
+@@ -963,7 +963,7 @@ void _gnutls_switch_fips_state(gnutls_fi
  	}
  
  	if (!_tfips_context) {
@@ -689,7 +689,7 @@ Index: gnutls-3.8.8/lib/fips.c
  		return;
  	}
  
-@@ -972,7 +972,7 @@ void _gnutls_switch_fips_state(gnutls_fi
+@@ -977,7 +977,7 @@ void _gnutls_switch_fips_state(gnutls_fi
  		if (mode != GNUTLS_FIPS140_LAX) {
  			_gnutls_audit_log(
  				NULL,
@@ -698,7 +698,7 @@ Index: gnutls-3.8.8/lib/fips.c
  				operation_state_to_string(state));
  		}
  		_tfips_context->state = state;
-@@ -983,7 +983,7 @@ void _gnutls_switch_fips_state(gnutls_fi
+@@ -988,7 +988,7 @@ void _gnutls_switch_fips_state(gnutls_fi
  			if (mode != GNUTLS_FIPS140_LAX) {
  				_gnutls_audit_log(
  					NULL,
@@ -707,7 +707,7 @@ Index: gnutls-3.8.8/lib/fips.c
  					operation_state_to_string(state));
  			}
  			_tfips_context->state = state;
-@@ -995,7 +995,7 @@ void _gnutls_switch_fips_state(gnutls_fi
+@@ -1000,7 +1000,7 @@ void _gnutls_switch_fips_state(gnutls_fi
  		if (mode != GNUTLS_FIPS140_LAX) {
  			_gnutls_audit_log(
  				NULL,
@@ -716,7 +716,7 @@ Index: gnutls-3.8.8/lib/fips.c
  				operation_state_to_string(
  					_tfips_context->state),
  				operation_state_to_string(state));
-@@ -1057,7 +1057,7 @@ int gnutls_fips140_run_self_tests(void)
+@@ -1062,7 +1062,7 @@ int gnutls_fips140_run_self_tests(void)
  	    ret < 0) {
  		_gnutls_switch_lib_state(LIB_STATE_ERROR);
  		_gnutls_audit_log(NULL,
@@ -725,7 +725,7 @@ Index: gnutls-3.8.8/lib/fips.c
  	} else {
  		/* Restore the previous library state */
  		_gnutls_switch_lib_state(prev_lib_state);
-@@ -1069,7 +1069,7 @@ int gnutls_fips140_run_self_tests(void)
+@@ -1074,7 +1074,7 @@ int gnutls_fips140_run_self_tests(void)
  		if (gnutls_fips140_pop_context() < 0) {
  			_gnutls_switch_lib_state(LIB_STATE_ERROR);
  			_gnutls_audit_log(
@@ -734,10 +734,10 @@ Index: gnutls-3.8.8/lib/fips.c
  		}
  		gnutls_fips140_context_deinit(fips_context);
  	}
-Index: gnutls-3.8.8/lib/fips.h
+Index: gnutls-3.8.9/lib/fips.h
 ===================================================================
---- gnutls-3.8.8.orig/lib/fips.h
+--- gnutls-3.8.9.orig/lib/fips.h
-+++ gnutls-3.8.8/lib/fips.h
++++ gnutls-3.8.9/lib/fips.h
 @@ -163,7 +163,7 @@ is_cipher_algo_allowed_in_fips(gnutls_ci
  }
  
@@ -778,10 +778,10 @@ Index: gnutls-3.8.8/lib/fips.h
  					  gnutls_cipher_get_name(algo));
  			FALLTHROUGH;
  		case GNUTLS_FIPS140_DISABLED:
-Index: gnutls-3.8.8/lib/global.c
+Index: gnutls-3.8.9/lib/global.c
 ===================================================================
---- gnutls-3.8.8.orig/lib/global.c
+--- gnutls-3.8.9.orig/lib/global.c
-+++ gnutls-3.8.8/lib/global.c
++++ gnutls-3.8.9/lib/global.c
 @@ -339,12 +339,12 @@ static int _gnutls_global_init(unsigned
  
  #ifdef ENABLE_FIPS140
@@ -815,11 +815,11 @@ Index: gnutls-3.8.8/lib/global.c
  			if (res != 2) {
  				gnutls_assert();
  				goto out;
-Index: gnutls-3.8.8/lib/includes/gnutls/gnutls.h.in
+Index: gnutls-3.8.9/lib/includes/gnutls/gnutls.h.in
 ===================================================================
---- gnutls-3.8.8.orig/lib/includes/gnutls/gnutls.h.in
+--- gnutls-3.8.9.orig/lib/includes/gnutls/gnutls.h.in
-+++ gnutls-3.8.8/lib/includes/gnutls/gnutls.h.in
++++ gnutls-3.8.9/lib/includes/gnutls/gnutls.h.in
-@@ -3216,16 +3216,16 @@ typedef int (*gnutls_alert_read_func)(gn
+@@ -3236,16 +3236,16 @@ typedef int (*gnutls_alert_read_func)(gn
  void gnutls_alert_set_read_function(gnutls_session_t session,
  				    gnutls_alert_read_func func);
  
@@ -840,7 +840,7 @@ Index: gnutls-3.8.8/lib/includes/gnutls/gnutls.h.in
   *                      application is aware of the followed security policy, and needs
   *                      to utilize disallowed operations for other reasons (e.g., compatibility).
   * @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results
-@@ -3233,7 +3233,7 @@ unsigned gnutls_fips140_mode_enabled(voi
+@@ -3253,7 +3253,7 @@ unsigned gnutls_fips140_mode_enabled(voi
   * @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state
   *			cannot be set or seen by applications.
   *
@@ -849,10 +849,10 @@ Index: gnutls-3.8.8/lib/includes/gnutls/gnutls.h.in
   */
  typedef enum gnutls_fips_mode_t {
  	GNUTLS_FIPS140_DISABLED = 0,
-Index: gnutls-3.8.8/src/cli.c
+Index: gnutls-3.8.9/src/cli.c
 ===================================================================
---- gnutls-3.8.8.orig/src/cli.c
+--- gnutls-3.8.9.orig/src/cli.c
-+++ gnutls-3.8.8/src/cli.c
++++ gnutls-3.8.9/src/cli.c
 @@ -1635,10 +1635,10 @@ static void cmd_parser(int argc, char **
  
  	if (HAVE_OPT(FIPS140_MODE)) {
@@ -866,10 +866,10 @@ Index: gnutls-3.8.8/src/cli.c
  		exit(1);
  	}
  
-Index: gnutls-3.8.8/src/gnutls-cli-options.c
+Index: gnutls-3.8.9/src/gnutls-cli-options.c
 ===================================================================
---- gnutls-3.8.8.orig/src/gnutls-cli-options.c
+--- gnutls-3.8.9.orig/src/gnutls-cli-options.c
-+++ gnutls-3.8.8/src/gnutls-cli-options.c
++++ gnutls-3.8.9/src/gnutls-cli-options.c
 @@ -843,7 +843,7 @@ usage (FILE *out, int status)
      "       --inline-commands-prefix=str Change the default delimiter for inline commands\n"
      "       --provider=file        Specify the PKCS #11 provider library\n"
@@ -879,10 +879,10 @@ Index: gnutls-3.8.8/src/gnutls-cli-options.c
      "       --list-config          Reports the configuration of the library\n"
      "       --logfile=str          Redirect informational messages to a specific file\n"
      "       --keymatexport=str     Label used for exporting keying material\n"
-Index: gnutls-3.8.8/tests/cert-tests/gost.sh
+Index: gnutls-3.8.9/tests/cert-tests/gost.sh
 ===================================================================
---- gnutls-3.8.8.orig/tests/cert-tests/gost.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/gost.sh
-+++ gnutls-3.8.8/tests/cert-tests/gost.sh
++++ gnutls-3.8.9/tests/cert-tests/gost.sh
 @@ -38,7 +38,7 @@ if ! test -x "${CERTTOOL}"; then
  fi
  
@@ -892,10 +892,10 @@ Index: gnutls-3.8.8/tests/cert-tests/gost.sh
  	exit 77
  fi
  
-Index: gnutls-3.8.8/tests/cert-tests/pkcs12-corner-cases.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs12-corner-cases.sh
 ===================================================================
---- gnutls-3.8.8.orig/tests/cert-tests/pkcs12-corner-cases.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs12-corner-cases.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs12-corner-cases.sh
++++ gnutls-3.8.9/tests/cert-tests/pkcs12-corner-cases.sh
 @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
  fi
  
@@ -905,10 +905,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs12-corner-cases.sh
  	exit 77
  fi
  
-Index: gnutls-3.8.8/tests/cert-tests/pkcs12-encode.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs12-encode.sh
 ===================================================================
---- gnutls-3.8.8.orig/tests/cert-tests/pkcs12-encode.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs12-encode.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs12-encode.sh
++++ gnutls-3.8.9/tests/cert-tests/pkcs12-encode.sh
 @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
  fi
  
@@ -918,10 +918,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs12-encode.sh
  	exit 77
  fi
  
-Index: gnutls-3.8.8/tests/cert-tests/pkcs12-gost.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs12-gost.sh
 ===================================================================
---- gnutls-3.8.8.orig/tests/cert-tests/pkcs12-gost.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs12-gost.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs12-gost.sh
++++ gnutls-3.8.9/tests/cert-tests/pkcs12-gost.sh
 @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
  fi
  
@@ -931,10 +931,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs12-gost.sh
  	exit 77
  fi
  
-Index: gnutls-3.8.8/tests/cert-tests/pkcs12.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs12.sh
 ===================================================================
---- gnutls-3.8.8.orig/tests/cert-tests/pkcs12.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs12.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs12.sh
++++ gnutls-3.8.9/tests/cert-tests/pkcs12.sh
 @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
  fi
  
@@ -944,10 +944,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs12.sh
  	exit 77
  fi
  
-Index: gnutls-3.8.8/tests/cert-tests/pkcs8-decode.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs8-decode.sh
 ===================================================================
---- gnutls-3.8.8.orig/tests/cert-tests/pkcs8-decode.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs8-decode.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs8-decode.sh
++++ gnutls-3.8.9/tests/cert-tests/pkcs8-decode.sh
 @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
  fi
  
@@ -957,10 +957,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs8-decode.sh
  	exit 77
  fi
  
-Index: gnutls-3.8.8/tests/cert-tests/pkcs8-eddsa.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs8-eddsa.sh
 ===================================================================
---- gnutls-3.8.8.orig/tests/cert-tests/pkcs8-eddsa.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs8-eddsa.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs8-eddsa.sh
++++ gnutls-3.8.9/tests/cert-tests/pkcs8-eddsa.sh
 @@ -29,7 +29,7 @@ if ! test -x "${CERTTOOL}"; then
  fi
  
@@ -970,10 +970,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs8-eddsa.sh
  	exit 77
  fi
  
-Index: gnutls-3.8.8/tests/cert-tests/pkcs8-gost.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs8-gost.sh
 ===================================================================
---- gnutls-3.8.8.orig/tests/cert-tests/pkcs8-gost.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs8-gost.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs8-gost.sh
++++ gnutls-3.8.9/tests/cert-tests/pkcs8-gost.sh
 @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
  fi
  
@@ -983,10 +983,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs8-gost.sh
  	exit 77
  fi
  
-Index: gnutls-3.8.8/tests/cert-tests/pkcs8.sh
+Index: gnutls-3.8.9/tests/cert-tests/pkcs8.sh
 ===================================================================
---- gnutls-3.8.8.orig/tests/cert-tests/pkcs8.sh
+--- gnutls-3.8.9.orig/tests/cert-tests/pkcs8.sh
-+++ gnutls-3.8.8/tests/cert-tests/pkcs8.sh
++++ gnutls-3.8.9/tests/cert-tests/pkcs8.sh
 @@ -28,7 +28,7 @@ if ! test -x "${CERTTOOL}"; then
  fi
  
@@ -996,10 +996,10 @@ Index: gnutls-3.8.8/tests/cert-tests/pkcs8.sh
  	exit 77
  fi
  
-Index: gnutls-3.8.8/tests/cipher-listings.sh
+Index: gnutls-3.8.9/tests/cipher-listings.sh
 ===================================================================
---- gnutls-3.8.8.orig/tests/cipher-listings.sh
+--- gnutls-3.8.9.orig/tests/cipher-listings.sh
-+++ gnutls-3.8.8/tests/cipher-listings.sh
++++ gnutls-3.8.9/tests/cipher-listings.sh
 @@ -63,7 +63,7 @@ check()
  
  ${CLI} --fips140-mode
@@ -1009,10 +1009,10 @@ Index: gnutls-3.8.8/tests/cipher-listings.sh
  	exit 77
  fi
  
-Index: gnutls-3.8.8/tests/testpkcs11.sh
+Index: gnutls-3.8.9/tests/testpkcs11.sh
 ===================================================================
---- gnutls-3.8.8.orig/tests/testpkcs11.sh
+--- gnutls-3.8.9.orig/tests/testpkcs11.sh
-+++ gnutls-3.8.8/tests/testpkcs11.sh
++++ gnutls-3.8.9/tests/testpkcs11.sh
 @@ -26,7 +26,7 @@
  RETCODE=0
  
@@ -1022,10 +1022,10 @@ Index: gnutls-3.8.8/tests/testpkcs11.sh
  	exit 77
  fi
  
-Index: gnutls-3.8.8/doc/enums/gnutls_fips_mode_t
+Index: gnutls-3.8.9/doc/enums/gnutls_fips_mode_t
 ===================================================================
---- gnutls-3.8.8.orig/doc/enums/gnutls_fips_mode_t
+--- gnutls-3.8.9.orig/doc/enums/gnutls_fips_mode_t
-+++ gnutls-3.8.8/doc/enums/gnutls_fips_mode_t
++++ gnutls-3.8.9/doc/enums/gnutls_fips_mode_t
 @@ -3,7 +3,7 @@
  @c gnutls_fips_mode_t
  @table @code
@@ -1046,10 +1046,10 @@ Index: gnutls-3.8.8/doc/enums/gnutls_fips_mode_t
  application is aware of the followed security policy, and needs
  to utilize disallowed operations for other reasons (e.g., compatibility).
  @item GNUTLS_@-FIPS140_@-LOG
-Index: gnutls-3.8.8/doc/gnutls-api.texi
+Index: gnutls-3.8.9/doc/gnutls-api.texi
 ===================================================================
---- gnutls-3.8.8.orig/doc/gnutls-api.texi
+--- gnutls-3.8.9.orig/doc/gnutls-api.texi
-+++ gnutls-3.8.8/doc/gnutls-api.texi
++++ gnutls-3.8.9/doc/gnutls-api.texi
 @@ -3279,7 +3279,7 @@ unusable.  This function is not thread-s
  @subheading gnutls_fips140_set_mode
  @anchor{gnutls_fips140_set_mode}
@@ -1075,10 +1075,10 @@ Index: gnutls-3.8.8/doc/gnutls-api.texi
  values for  @code{mode} or to @code{GNUTLS_FIPS140_SELFTESTS}  mode, the library
  switches to @code{GNUTLS_FIPS140_STRICT}  mode.
  
-Index: gnutls-3.8.8/lib/ext/session_ticket.c
+Index: gnutls-3.8.9/lib/ext/session_ticket.c
 ===================================================================
---- gnutls-3.8.8.orig/lib/ext/session_ticket.c
+--- gnutls-3.8.9.orig/lib/ext/session_ticket.c
-+++ gnutls-3.8.8/lib/ext/session_ticket.c
++++ gnutls-3.8.9/lib/ext/session_ticket.c
 @@ -517,7 +517,7 @@ int gnutls_session_ticket_key_generate(g
  {
  	if (_gnutls_fips_mode_enabled()) {
@@ -1088,10 +1088,10 @@ Index: gnutls-3.8.8/lib/ext/session_ticket.c
  		 * some limits on allowed key size, thus it is not
  		 * used. These limits do not affect this function as
  		 * it does not generate a "key" but rather key material
-Index: gnutls-3.8.8/lib/libgnutls.map
+Index: gnutls-3.8.9/lib/libgnutls.map
 ===================================================================
---- gnutls-3.8.8.orig/lib/libgnutls.map
+--- gnutls-3.8.9.orig/lib/libgnutls.map
-+++ gnutls-3.8.8/lib/libgnutls.map
++++ gnutls-3.8.9/lib/libgnutls.map
 @@ -1459,7 +1459,7 @@ GNUTLS_FIPS140_3_4 {
  	gnutls_hkdf_self_test;
  	gnutls_pbkdf2_self_test;
@@ -1101,10 +1101,10 @@ Index: gnutls-3.8.8/lib/libgnutls.map
  	drbg_aes_reseed;
  	drbg_aes_init;
  	drbg_aes_generate;
-Index: gnutls-3.8.8/lib/nettle/mac.c
+Index: gnutls-3.8.9/lib/nettle/mac.c
 ===================================================================
---- gnutls-3.8.8.orig/lib/nettle/mac.c
+--- gnutls-3.8.9.orig/lib/nettle/mac.c
-+++ gnutls-3.8.8/lib/nettle/mac.c
++++ gnutls-3.8.9/lib/nettle/mac.c
 @@ -292,7 +292,7 @@ static void _wrap_gmac_digest(void *_ctx
  static int _mac_ctx_init(gnutls_mac_algorithm_t algo,
  			 struct nettle_mac_ctx *ctx)
@@ -1123,10 +1123,10 @@ Index: gnutls-3.8.8/lib/nettle/mac.c
  	 * gnutls_hash_init() and gnutls_hmac_init() */
  
  	ctx->finished = NULL;
-Index: gnutls-3.8.8/config.h.in
+Index: gnutls-3.8.9/config.h.in
 ===================================================================
---- gnutls-3.8.8.orig/config.h.in
+--- gnutls-3.8.9.orig/config.h.in
-+++ gnutls-3.8.8/config.h.in
++++ gnutls-3.8.9/config.h.in
 @@ -104,7 +104,7 @@
  /* enable DHE */
  #undef ENABLE_ECDHE
@@ -1145,11 +1145,11 @@ Index: gnutls-3.8.8/config.h.in
  #undef FIPS_KEY
  
  /* The FIPS140 module name */
-Index: gnutls-3.8.8/configure
+Index: gnutls-3.8.9/configure
 ===================================================================
---- gnutls-3.8.8.orig/configure
+--- gnutls-3.8.9.orig/configure
-+++ gnutls-3.8.8/configure
++++ gnutls-3.8.9/configure
-@@ -4455,7 +4455,7 @@ Optional Features:
+@@ -4493,7 +4493,7 @@ Optional Features:
    --enable-fast-install[=PKGS]
                            optimize for fast installation [default=yes]
    --disable-libtool-lock  avoid locking (might break parallel builds)
@@ -1158,10 +1158,10 @@ Index: gnutls-3.8.8/configure
    --enable-strict-x509    enable stricter sanity checks for x509 certificates
    --disable-non-suiteb-curves
                            disable curves not in SuiteB
-Index: gnutls-3.8.8/doc/cha-support.texi
+Index: gnutls-3.8.9/doc/cha-support.texi
 ===================================================================
---- gnutls-3.8.8.orig/doc/cha-support.texi
+--- gnutls-3.8.9.orig/doc/cha-support.texi
-+++ gnutls-3.8.8/doc/cha-support.texi
++++ gnutls-3.8.9/doc/cha-support.texi
 @@ -134,5 +134,5 @@ There are certifications from national o
  to an auditor that the crypto component follows some best practices, such
  as unit testing and reliance on well known crypto primitives.
@@ -1170,10 +1170,10 @@ Index: gnutls-3.8.8/doc/cha-support.texi
 -See @ref{FIPS140-2 mode} for more information.
 +GnuTLS has support for the FIPS 140-3 certification under Red Hat Enterprise Linux.
 +See @ref{FIPS140-3 mode} for more information.
-Index: gnutls-3.8.8/src/gnutls-cli-options.json
+Index: gnutls-3.8.9/src/gnutls-cli-options.json
 ===================================================================
---- gnutls-3.8.8.orig/src/gnutls-cli-options.json
+--- gnutls-3.8.9.orig/src/gnutls-cli-options.json
-+++ gnutls-3.8.8/src/gnutls-cli-options.json
++++ gnutls-3.8.9/src/gnutls-cli-options.json
 @@ -384,7 +384,7 @@
          },
          {
@@ -1183,10 +1183,10 @@ Index: gnutls-3.8.8/src/gnutls-cli-options.json
          },
          {
            "long-option": "list-config",
-Index: gnutls-3.8.8/tests/pkcs11-tool.sh
+Index: gnutls-3.8.9/tests/pkcs11-tool.sh
 ===================================================================
---- gnutls-3.8.8.orig/tests/pkcs11-tool.sh
+--- gnutls-3.8.9.orig/tests/pkcs11-tool.sh
-+++ gnutls-3.8.8/tests/pkcs11-tool.sh
++++ gnutls-3.8.9/tests/pkcs11-tool.sh
 @@ -30,7 +30,7 @@ set -x
  : ${DIFF=diff}
  
@@ -1196,10 +1196,10 @@ Index: gnutls-3.8.8/tests/pkcs11-tool.sh
  	exit 77
  fi
  
-Index: gnutls-3.8.8/doc/manpages/gnutls_fips140_set_mode.3
+Index: gnutls-3.8.9/doc/manpages/gnutls_fips140_set_mode.3
 ===================================================================
---- gnutls-3.8.8.orig/doc/manpages/gnutls_fips140_set_mode.3
+--- gnutls-3.8.9.orig/doc/manpages/gnutls_fips140_set_mode.3
-+++ gnutls-3.8.8/doc/manpages/gnutls_fips140_set_mode.3
++++ gnutls-3.8.9/doc/manpages/gnutls_fips140_set_mode.3
 @@ -8,7 +8,7 @@ gnutls_fips140_set_mode \- API function
  .BI "void gnutls_fips140_set_mode(gnutls_fips_mode_t " mode ", unsigned " flags ");"
  .SH ARGUMENTS
@@ -1225,16 +1225,16 @@ Index: gnutls-3.8.8/doc/manpages/gnutls_fips140_set_mode.3
  values for  \fImode\fP or to \fBGNUTLS_FIPS140_SELFTESTS\fP mode, the library
  switches to \fBGNUTLS_FIPS140_STRICT\fP mode.
  .SH "SINCE"
-Index: gnutls-3.8.8/doc/gnutls.info
+Index: gnutls-3.8.9/doc/gnutls.info
 ===================================================================
---- gnutls-3.8.8.orig/doc/gnutls.info
+--- gnutls-3.8.9.orig/doc/gnutls.info
-+++ gnutls-3.8.8/doc/gnutls.info
++++ gnutls-3.8.9/doc/gnutls.info
-@@ -619,7 +619,7 @@ Ref: fig-crypto-layers743655
+@@ -619,7 +619,7 @@ Ref: fig-crypto-layers743671
- Ref: Cryptographic Backend-Footnote-1746962
+ Ref: Cryptographic Backend-Footnote-1746978
- Ref: Cryptographic Backend-Footnote-2747047
+ Ref: Cryptographic Backend-Footnote-2747063
- Node: Random Number Generators-internals747159
+ Node: Random Number Generators-internals747175
--Node: FIPS140-2 mode754615
+-Node: FIPS140-2 mode754631
-+Node: FIPS140-3 mode754615
++Node: FIPS140-3 mode754631
- Ref: gnutls_fips_mode_t757279
+ Ref: gnutls_fips_mode_t757295
- Node: Upgrading from previous versions760947
+ Node: Upgrading from previous versions760963
- Node: Support775185
+ Node: Support775201

gnutls-FIPS-TLS_KDF_selftest.patch

@@ -1,8 +1,8 @@
-Index: gnutls-3.8.5/lib/fips.c
+Index: gnutls-3.8.9/lib/fips.c
 ===================================================================
---- gnutls-3.8.5.orig/lib/fips.c
+--- gnutls-3.8.9.orig/lib/fips.c
-+++ gnutls-3.8.5/lib/fips.c
++++ gnutls-3.8.9/lib/fips.c
-@@ -593,6 +593,26 @@ int _gnutls_fips_perform_self_checks2(vo
+@@ -621,6 +621,26 @@ int _gnutls_fips_perform_self_checks2(vo
  		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
  	}
  

gnutls-FIPS-jitterentropy.patch

@@ -1,7 +1,7 @@
-Index: gnutls-3.8.6/lib/nettle/sysrng-linux.c
+Index: gnutls-3.8.9/lib/nettle/sysrng-linux.c
 ===================================================================
---- gnutls-3.8.6.orig/lib/nettle/sysrng-linux.c
+--- gnutls-3.8.9.orig/lib/nettle/sysrng-linux.c
-+++ gnutls-3.8.6/lib/nettle/sysrng-linux.c
++++ gnutls-3.8.9/lib/nettle/sysrng-linux.c
 @@ -49,6 +49,15 @@
  get_entropy_func _rnd_get_system_entropy = NULL;
  
@@ -158,11 +158,11 @@ Index: gnutls-3.8.6/lib/nettle/sysrng-linux.c
 +#endif
  	return;
  }
-Index: gnutls-3.8.6/lib/nettle/Makefile.in
+Index: gnutls-3.8.9/lib/nettle/Makefile.in
 ===================================================================
---- gnutls-3.8.6.orig/lib/nettle/Makefile.in
+--- gnutls-3.8.9.orig/lib/nettle/Makefile.in
-+++ gnutls-3.8.6/lib/nettle/Makefile.in
++++ gnutls-3.8.9/lib/nettle/Makefile.in
-@@ -497,7 +497,7 @@ am__v_CC_1 =
+@@ -521,7 +521,7 @@ am__v_CC_1 =
  CCLD = $(CC)
  LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
  	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -171,10 +171,10 @@ Index: gnutls-3.8.6/lib/nettle/Makefile.in
  AM_V_CCLD = $(am__v_CCLD_@AM_V@)
  am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
  am__v_CCLD_0 = @echo "  CCLD    " $@;
-Index: gnutls-3.8.6/lib/nettle/Makefile.am
+Index: gnutls-3.8.9/lib/nettle/Makefile.am
 ===================================================================
---- gnutls-3.8.6.orig/lib/nettle/Makefile.am
+--- gnutls-3.8.9.orig/lib/nettle/Makefile.am
-+++ gnutls-3.8.6/lib/nettle/Makefile.am
++++ gnutls-3.8.9/lib/nettle/Makefile.am
 @@ -20,7 +20,7 @@
  
  include $(top_srcdir)/lib/common.mk
@@ -182,12 +182,12 @@ Index: gnutls-3.8.6/lib/nettle/Makefile.am
 -AM_CFLAGS += $(HOGWEED_CFLAGS) $(GMP_CFLAGS)
 +AM_CFLAGS += $(HOGWEED_CFLAGS) $(GMP_CFLAGS) -ljitterentropy
  
- AM_CPPFLAGS = \
+ AM_CPPFLAGS += \
  	-I$(srcdir)/int		\
-Index: gnutls-3.8.6/lib/nettle/rnd-fips.c
+Index: gnutls-3.8.9/lib/nettle/rnd-fips.c
 ===================================================================
---- gnutls-3.8.6.orig/lib/nettle/rnd-fips.c
+--- gnutls-3.8.9.orig/lib/nettle/rnd-fips.c
-+++ gnutls-3.8.6/lib/nettle/rnd-fips.c
++++ gnutls-3.8.9/lib/nettle/rnd-fips.c
 @@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc
  	uint8_t buffer[DRBG_AES_SEED_SIZE];
  	int ret;
@@ -210,11 +210,11 @@ Index: gnutls-3.8.6/lib/nettle/rnd-fips.c
  	ret = get_entropy(fctx, buffer, sizeof(buffer));
  	if (ret < 0) {
  		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
-Index: gnutls-3.8.6/tests/Makefile.am
+Index: gnutls-3.8.9/tests/Makefile.am
 ===================================================================
---- gnutls-3.8.6.orig/tests/Makefile.am
+--- gnutls-3.8.9.orig/tests/Makefile.am
-+++ gnutls-3.8.6/tests/Makefile.am
++++ gnutls-3.8.9/tests/Makefile.am
-@@ -209,7 +209,7 @@ ctests += mini-record-2 simple gnutls_hm
+@@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm
  	 dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \
  	 keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \
  	 tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \

gnutls-disable-flaky-test-dtls-resume.patch

@@ -1,8 +1,8 @@
-Index: gnutls-3.7.8/tests/Makefile.am
+Index: gnutls-3.8.9/tests/Makefile.am
 ===================================================================
---- gnutls-3.7.8.orig/tests/Makefile.am
+--- gnutls-3.8.9.orig/tests/Makefile.am
-+++ gnutls-3.7.8/tests/Makefile.am
++++ gnutls-3.8.9/tests/Makefile.am
-@@ -508,7 +508,7 @@ if !WINDOWS
+@@ -530,7 +530,7 @@ if !WINDOWS
  # List of tests not available/functional under windows
  #
  

gnutls-set-cligen-python-interp.patch

@@ -0,0 +1,10 @@
+Index: gnutls-3.8.9/cligen/cli-docgen.py
+===================================================================
+--- gnutls-3.8.9.orig/cligen/cli-docgen.py
++++ gnutls-3.8.9/cligen/cli-docgen.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python
++#!/usr/bin/python3
+ # Copyright (C) 2021-2022 Daiki Ueno
+ # SPDX-License-Identifier: LGPL-2.1-or-later
+ 

gnutls-skip-pqx-test.patch

@@ -0,0 +1,34 @@
+Index: gnutls-3.8.9/tests/Makefile.am
+===================================================================
+--- gnutls-3.8.9.orig/tests/Makefile.am
++++ gnutls-3.8.9/tests/Makefile.am
+@@ -603,8 +603,6 @@ ctests += win32-certopenstore
+ 
+ endif
+ 
+-dist_check_SCRIPTS += pqc-hybrid-kx.sh
+-
+ cpptests =
+ if ENABLE_CXX
+ if HAVE_CMOCKA
+Index: gnutls-3.8.9/tests/Makefile.in
+===================================================================
+--- gnutls-3.8.9.orig/tests/Makefile.in
++++ gnutls-3.8.9/tests/Makefile.in
+@@ -3236,7 +3236,7 @@ am__dist_check_SCRIPTS_DIST = rfc2253-es
+ 	gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh \
+ 	gnutls-cli-rawpk.sh dh-fips-approved.sh p11-kit-trust.sh \
+ 	testpkcs11.sh certtool-pkcs11.sh pkcs11-tool.sh \
+-	p11-kit-load.sh danetool.sh tpmtool_test.sh pqc-hybrid-kx.sh
++	p11-kit-load.sh danetool.sh tpmtool_test.sh 
+ AM_V_P = $(am__v_P_@AM_V@)
+ am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+ am__v_P_0 = false
+@@ -7106,7 +7106,6 @@ dist_check_SCRIPTS = rfc2253-escape-test
+ 	$(am__append_18) $(am__append_20) $(am__append_21) \
+ 	$(am__append_23) $(am__append_25) $(am__append_26) \
+ 	$(am__append_27) $(am__append_29) $(am__append_30) \
+-	pqc-hybrid-kx.sh
+ @WINDOWS_FALSE@dtls_stress_SOURCES = dtls/dtls-stress.c
+ @WINDOWS_FALSE@dtls_stress_LDADD = $(COMMON_GNUTLS_LDADD) \
+ @WINDOWS_FALSE@	$(COMMON_DEPS_LDADD)

gnutls-srp-test-SIGPIPE.patch

@@ -1,8 +1,8 @@
-Index: gnutls-3.8.1/tests/srp.c
+Index: gnutls-3.8.9/tests/srp.c
 ===================================================================
---- gnutls-3.8.1.orig/tests/srp.c
+--- gnutls-3.8.9.orig/tests/srp.c
-+++ gnutls-3.8.1/tests/srp.c
++++ gnutls-3.8.9/tests/srp.c
-@@ -287,7 +289,7 @@ static void start(const char *name, cons
+@@ -290,7 +290,7 @@ static void start(const char *name, cons
  	if (child) {
  		int status;
  		/* parent */
@@ -11,7 +11,7 @@ Index: gnutls-3.8.1/tests/srp.c
  		client(fd[1], prio, user, pass, exp_err);
  		if (exp_err < 0) {
  			kill(child, SIGTERM);
-@@ -297,7 +299,7 @@ static void start(const char *name, cons
+@@ -300,7 +300,7 @@ static void start(const char *name, cons
  			check_wait_status(status);
  		}
  	} else {

gnutls.changes

@@ -1,3 +1,38 @@
+-------------------------------------------------------------------
+Mon Feb 24 11:15:52 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
+
+- Update to 3.8.9 
+  - libgnutls: leancrypto was added as an interim option for PQC
+    The library can now be built with leancrypto instead of liboqs for
+    post-quantum cryptography (PQC), when configured with
+    --with-leancrypto option instead of --with-liboqs.
+  - libgnutls: Experimental support for ML-DSA signature algorithm
+    The library and certtool now support ML-DSA signature algorithm as
+    defined in FIPS 204 and based on
+    draft-ietf-lamps-dilithium-certificates-04. This feature is
+    currently marked as experimental and can only be enabled when
+    compiled with --with-leancrypto or --with-liboqs.
+    Contributed by David Dudas.
+  - libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
+    The support for ML-KEM post-quantum key encapsulation mechanisms
+    has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
+    MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
+    draft-kwiatkowski-tls-ecdhe-mlkem-03.
+  - libgnutls: Fix potential DoS in handling certificates with numerous name
+    constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
+    bundled copy of libtasn1 has also been updated to the latest 4.20.0
+    release to complete the fix.  Reported by Bing Shi (#1553).
+    [GNUTLS-SA-2025-02-07, CVSS: medium] [bsc#1236974, CVE-2024-12243
+  - Licensing information moved to REAMDE.md, COPYING, COPYING.LESSERv2
+  * Rebased gnutls-FIPS-140-3-references.patch
+  * Rebased gnutls-FIPS-TLS_KDF_selftest.patch
+  * Rebased gnutls-FIPS-jitterentropy.patch
+  * Rebased gnutls-disable-flaky-test-dtls-resume.patch
+  * Rebased gnutls-srp-test-SIGPIPE.patch
+  * Rebased gnutls-3.5.11-skip-trust-store-tests.patch
+  * Add gnutls-set-cligen-python-interp.patch
+  * Add gnutls-skip-pqx-test.patch
+
 -------------------------------------------------------------------
 Mon Nov 11 10:04:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 

gnutls.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -42,7 +42,7 @@
 %endif
 %bcond_with tpm
 Name:           gnutls
-Version:        3.8.8
+Version:        3.8.9
 Release:        0
 Summary:        The GNU Transport Layer Security Library
 License:        GPL-3.0-or-later AND LGPL-2.1-or-later
@@ -71,6 +71,8 @@ Patch102:       gnutls-FIPS-jitterentropy.patch
 #PATCH-FIX-SUSE bsc#1221242 Fix memleak in gnutls' jitterentropy collector
 Patch103:       gnutls-FIPS-jitterentropy-deinit-threads.patch
 %endif
+Patch104:       gnutls-set-cligen-python-interp.patch
+Patch105:       gnutls-skip-pqx-test.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge
@@ -318,7 +320,7 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
 
 %files -f libgnutls.lang
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
 %{_bindir}/certtool
 %{_bindir}/gnutls-cli
@@ -339,22 +341,22 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %{_mandir}/man1/*
 
 %files -n libgnutls%{gnutls_sover}
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %{_libdir}/libgnutls.so.%{gnutls_sover}*
 %{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
 
 %if %{with dane}
 %files -n libgnutls-dane%{gnutls_dane_sover}
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
 %endif
 
 %files -n libgnutlsxx%{gnutlsxx_sover}
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*
 
 %files -n libgnutls-devel
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/abstract.h
 %{_includedir}/%{name}/crypto.h
@@ -383,7 +385,7 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 
 %if %{with dane}
 %files -n libgnutls-dane-devel
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/dane.h
 %{_libdir}/pkgconfig/gnutls-dane.pc
@@ -391,7 +393,7 @@ GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=
 %endif
 
 %files -n libgnutlsxx-devel
-%license LICENSE
+%license COPYING COPYING.LESSERv2
 %{_libdir}/libgnutlsxx.so
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/gnutlsxx.h