bsc#1258083 Allow to define the HMAC in the PSK binder

gnutls-CVE-2025-9820.patch

@@ -0,0 +1,248 @@
+From 1d56f96f6ab5034d677136b9d50b5a75dff0faf5 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 18 Nov 2025 13:17:55 +0900
+Subject: [PATCH] pkcs11: avoid stack overwrite when initializing a token
+
+If gnutls_pkcs11_token_init is called with label longer than 32
+characters, the internal storage used to blank-fill it would
+overflow. This adds a guard to prevent that.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ .gitignore                |   2 +
+ NEWS                      |   4 +
+ lib/pkcs11_write.c        |   5 +-
+ tests/Makefile.am         |   2 +-
+ tests/pkcs11/long-label.c | 164 ++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 174 insertions(+), 3 deletions(-)
+ create mode 100644 tests/pkcs11/long-label.c
+
+Index: gnutls-3.8.10/NEWS
+===================================================================
+--- gnutls-3.8.10.orig/NEWS
++++ gnutls-3.8.10/NEWS
+@@ -5,6 +5,12 @@ Copyright (C) 2000-2016 Free Software Fo
+ Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
+ See the end for copying conditions.
+ 
++ * Version 3.8.11 (unreleased)
++ 
++** libgnutls: Fix stack overwrite in gnutls_pkcs11_token_init
++   Reported by Luigino Camastra from Aisle Research. [GNUTLS-SA-2025-11-18,
++   CVSS: low] [CVE-2025-9820]
++
+ * Version 3.8.10 (released 2025-07-08)
+ 
+ ** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
+Index: gnutls-3.8.10/lib/pkcs11_write.c
+===================================================================
+--- gnutls-3.8.10.orig/lib/pkcs11_write.c
++++ gnutls-3.8.10/lib/pkcs11_write.c
+@@ -28,6 +28,7 @@
+ #include "pkcs11x.h"
+ #include "x509/common.h"
+ #include "pk.h"
++#include "minmax.h"
+ 
+ static const ck_bool_t tval = 1;
+ static const ck_bool_t fval = 0;
+@@ -1172,7 +1173,7 @@ int gnutls_pkcs11_delete_url(const char
+  * gnutls_pkcs11_token_init:
+  * @token_url: A PKCS #11 URL specifying a token
+  * @so_pin: Security Officer's PIN
+- * @label: A name to be used for the token
++ * @label: A name to be used for the token, at most 32 characters
+  *
+  * This function will initialize (format) a token. If the token is
+  * at a factory defaults state the security officer's PIN given will be
+@@ -1210,7 +1211,7 @@ int gnutls_pkcs11_token_init(const char
+ 	/* so it seems memset has other uses than zeroing! */
+ 	memset(flabel, ' ', sizeof(flabel));
+ 	if (label != NULL)
+-		memcpy(flabel, label, strlen(label));
++		memcpy(flabel, label, MIN(sizeof(flabel), strlen(label)));
+ 
+ 	rv = pkcs11_init_token(module, slot, (uint8_t *)so_pin, strlen(so_pin),
+ 			       (uint8_t *)flabel);
+Index: gnutls-3.8.10/tests/Makefile.am
+===================================================================
+--- gnutls-3.8.10.orig/tests/Makefile.am
++++ gnutls-3.8.10/tests/Makefile.am
+@@ -503,7 +503,7 @@ pathbuf_CPPFLAGS = $(AM_CPPFLAGS) \
+ if ENABLE_PKCS11
+ if !WINDOWS
+ ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key \
+-	global-init-override pkcs11/distrust-after
++	global-init-override pkcs11/distrust-after pkcs11/long-label
+ tls13_post_handshake_with_cert_pkcs11_DEPENDENCIES = libpkcs11mock2.la libutils.la
+ tls13_post_handshake_with_cert_pkcs11_LDADD = $(LDADD) $(LIBDL)
+ pkcs11_tls_neg_pkcs11_no_key_DEPENDENCIES = libpkcs11mock2.la libutils.la
+Index: gnutls-3.8.10/tests/pkcs11/long-label.c
+===================================================================
+--- /dev/null
++++ gnutls-3.8.10/tests/pkcs11/long-label.c
+@@ -0,0 +1,164 @@
++/*
++ * Copyright (C) 2025 Red Hat, Inc.
++ *
++ * Author: Daiki Ueno
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <https://www.gnu.org/licenses/>
++ */
++
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++
++#if defined(_WIN32)
++
++int main(void)
++{
++	exit(77);
++}
++
++#else
++
++#include <string.h>
++#include <unistd.h>
++#include <gnutls/gnutls.h>
++
++#include "cert-common.h"
++#include "pkcs11/softhsm.h"
++#include "utils.h"
++
++/* This program tests that a token can be initialized with
++ * a label longer than 32 characters.
++ */
++
++static void tls_log_func(int level, const char *str)
++{
++	fprintf(stderr, "server|<%d>| %s", level, str);
++}
++
++#define PIN "1234"
++
++#define CONFIG_NAME "softhsm-long-label"
++#define CONFIG CONFIG_NAME ".config"
++
++static int pin_func(void *userdata, int attempt, const char *url,
++		    const char *label, unsigned flags, char *pin,
++		    size_t pin_max)
++{
++	if (attempt == 0) {
++		strcpy(pin, PIN);
++		return 0;
++	}
++	return -1;
++}
++
++static void test(const char *provider)
++{
++	int ret;
++	size_t i;
++
++	gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
++
++	success("test with %s\n", provider);
++
++	if (debug) {
++		gnutls_global_set_log_function(tls_log_func);
++		gnutls_global_set_log_level(4711);
++	}
++
++	/* point to SoftHSM token that libpkcs11mock4.so internally uses */
++	setenv(SOFTHSM_ENV, CONFIG, 1);
++
++	gnutls_pkcs11_set_pin_function(pin_func, NULL);
++
++	ret = gnutls_pkcs11_add_provider(provider, "trusted");
++	if (ret != 0) {
++		fail("gnutls_pkcs11_add_provider: %s\n", gnutls_strerror(ret));
++	}
++
++	/* initialize softhsm token */
++	ret = gnutls_pkcs11_token_init(
++		SOFTHSM_URL, PIN,
++		"this is a very long label whose length exceeds 32");
++	if (ret < 0) {
++		fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret));
++	}
++
++	for (i = 0;; i++) {
++		char *url = NULL;
++
++		ret = gnutls_pkcs11_token_get_url(i, 0, &url);
++		if (ret < 0)
++			break;
++		if (strstr(url,
++			   "token=this%20is%20a%20very%20long%20label%20whose"))
++			break;
++	}
++	if (ret < 0)
++		fail("gnutls_pkcs11_token_get_url: %s\n", gnutls_strerror(ret));
++
++	gnutls_pkcs11_deinit();
++}
++
++void doit(void)
++{
++	const char *bin;
++	const char *lib;
++	char buf[128];
++
++	if (gnutls_fips140_mode_enabled())
++		exit(77);
++
++	/* this must be called once in the program */
++	global_init();
++
++	/* we call gnutls_pkcs11_init manually */
++	gnutls_pkcs11_deinit();
++
++	/* check if softhsm module is loadable */
++	lib = softhsm_lib();
++
++	/* initialize SoftHSM token that libpkcs11mock4.so internally uses */
++	bin = softhsm_bin();
++
++	set_softhsm_conf(CONFIG);
++	snprintf(buf, sizeof(buf),
++		 "%s --init-token --slot 0 --label test --so-pin " PIN
++		 " --pin " PIN,
++		 bin);
++	system(buf);
++
++	test(lib);
++
++	lib = getenv("P11MOCKLIB4");
++	if (lib == NULL) {
++		fail("P11MOCKLIB4 is not set\n");
++	}
++
++	set_softhsm_conf(CONFIG);
++	snprintf(buf, sizeof(buf),
++		 "%s --init-token --slot 0 --label test --so-pin " PIN
++		 " --pin " PIN,
++		 bin);
++	system(buf);
++
++	test(lib);
++}
++#endif /* _WIN32 */

gnutls-PSK-hash-NULL-check-pskcred.patch

@@ -0,0 +1,24 @@
+From acf67a4a68bc6d9ab7b882469c67f6cf28db56a0 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Thu, 29 Jan 2026 17:38:01 +0100
+Subject: [PATCH 699/713] pre_shared_key: add null check on pskcred
+
+Fixes: #1790
+Fixes: GNUTLS-SA-2026-02-09-1
+Fixes: CVE-2026-1584
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Index: gnutls-3.8.3/lib/ext/pre_shared_key.c
+===================================================================
+--- gnutls-3.8.3.orig/lib/ext/pre_shared_key.c
++++ gnutls-3.8.3/lib/ext/pre_shared_key.c
+@@ -983,7 +983,8 @@ retry_binder:
+ 		 * even for SHA384 PSKs, so we need to retry with SHA256
+ 		 * to calculate the correct binder value for those.
+ 		 */
+-		if (pskcred->binder_algo == NULL && mac == GNUTLS_MAC_SHA384) {
++		if (pskcred && pskcred->binder_algo == NULL &&
++		    mac == GNUTLS_MAC_SHA384) {
+ 			mac = GNUTLS_MAC_SHA256;
+ 			goto retry_binder;
+ 		}

gnutls-PSK-hash-NULL-check.patch

@@ -0,0 +1,67 @@
+From 33034a91c2c1f38bad19e747d3021885d54bfb44 Mon Sep 17 00:00:00 2001
+From: Wilfred Mallawa <wilfred.mallawa@wdc.com>
+Date: Mon, 18 Aug 2025 12:40:57 +1000
+Subject: [PATCH 2886/3000] lib/psk: add null check for binder algo
+
+Currently, `pskcred->binder_algo` is used without checking first if it
+is valid. This can lead to a NULL pointer dereference in cases such as
+[1]. This patch adds NULL check `pskcred->binder_algo` before using it.
+
+This also makes it more explicit in
+gnutls_psk_allocate_server_credentials2() that `pskcred->binder_algo
+== NULL` indicates auto-detection, while avoiding the linear lookup
+for a NULL entry.
+
+[1] https://gitlab.com/gnutls/gnutls/-/issues/1729
+
+Fix Suggested by: Daiki Ueno <ueno@gnu.org>
+Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
+
+diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
+index d709efa74..82a16e02c 100644
+--- a/lib/ext/pre_shared_key.c
++++ b/lib/ext/pre_shared_key.c
+@@ -886,9 +886,9 @@ retry_binder:
+ 			gnutls_psk_key_flags flags;
+ 			uint8_t ipsk[MAX_HASH_SIZE];
+ 
+-			prf = pskcred->binder_algo;
+-			if (prf->id == GNUTLS_MAC_UNKNOWN)
+-				prf = _gnutls_mac_to_entry(mac);
++			prf = pskcred->binder_algo == NULL ?
++				      _gnutls_mac_to_entry(mac) :
++				      pskcred->binder_algo;
+ 
+ 			/* this fails only on configuration errors; as such we always
+ 			 * return its error code in that case */
+@@ -983,7 +983,7 @@ retry_binder:
+ 		 * even for SHA384 PSKs, so we need to retry with SHA256
+ 		 * to calculate the correct binder value for those.
+ 		 */
+-		if (prf->id == GNUTLS_MAC_UNKNOWN && mac == GNUTLS_MAC_SHA384) {
++		if (pskcred->binder_algo == NULL && mac == GNUTLS_MAC_SHA384) {
+ 			mac = GNUTLS_MAC_SHA256;
+ 			goto retry_binder;
+ 		}
+diff --git a/lib/psk.c b/lib/psk.c
+index 06cf5b03d..f851b3d44 100644
+--- a/lib/psk.c
++++ b/lib/psk.c
+@@ -256,8 +256,12 @@ int gnutls_psk_allocate_server_credentials2(gnutls_psk_server_credentials_t *sc,
+ 
+ 	if (*sc == NULL)
+ 		return GNUTLS_E_MEMORY_ERROR;
+-
+-	(*sc)->binder_algo = _gnutls_mac_to_entry(mac);
++	/*
++	 * For GNUTLS_MAC_UNKNOWN, setting binder_algo to NULL allows
++	 * for auto-detction.
++	 */
++	(*sc)->binder_algo =
++		(mac == GNUTLS_MAC_UNKNOWN ? NULL : _gnutls_mac_to_entry(mac));
+ 	return 0;
+ }
+ 
+-- 
+2.53.0
+

gnutls-PSK-hash-fix-memleak.patch

@@ -0,0 +1,57 @@
+From a29aa9cda32d3ab0de137d3815536db4b4289599 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 21 Aug 2025 07:03:38 +0900
+Subject: [PATCH 601/713] pre_shared_key: fix memleak when retrying with
+ different binder algo
+
+As the PSK entry is reallocated, free it upon retry. Also use
+_gnutls_free_key_datum instead of _gnutls_free_temp_key_datum
+consistently.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Index: gnutls-3.8.3/lib/ext/pre_shared_key.c
+===================================================================
+--- gnutls-3.8.3.orig/lib/ext/pre_shared_key.c
++++ gnutls-3.8.3/lib/ext/pre_shared_key.c
+@@ -785,8 +785,8 @@ cleanup:
+ 	if (free_username)
+ 		_gnutls_free_datum(&username);
+ 
+-	_gnutls_free_temp_key_datum(&user_key);
+-	_gnutls_free_temp_key_datum(&rkey);
++	_gnutls_free_key_datum(&user_key);
++	_gnutls_free_key_datum(&rkey);
+ 
+ 	return ret;
+ }
+@@ -926,11 +926,11 @@ retry_binder:
+ 
+ 				ret = derive_ipsk(prf, &psk.identity, &key,
+ 						  ipsk);
+-				_gnutls_free_temp_key_datum(&key);
+ 				if (ret < 0) {
+ 					gnutls_assert();
+ 					goto fail;
+ 				}
++				_gnutls_free_key_datum(&key);
+ 				ret = _gnutls_set_datum(&key, ipsk,
+ 							prf->output_size);
+ 				zeroize_key(ipsk, sizeof(ipsk));
+@@ -986,6 +986,7 @@ retry_binder:
+ 		if (pskcred && pskcred->binder_algo == NULL &&
+ 		    mac == GNUTLS_MAC_SHA384) {
+ 			mac = GNUTLS_MAC_SHA256;
++			_gnutls_free_key_datum(&key);
+ 			goto retry_binder;
+ 		}
+ 		gnutls_assert();
+@@ -1086,7 +1087,7 @@ retry_binder:
+ 	}
+ 
+ fail:
+-	_gnutls_free_datum(&key);
++	_gnutls_free_key_datum(&key);
+ 	return ret;
+ }
+ 

gnutls-PSK-hash-tests.patch

@@ -0,0 +1,131 @@
+From bbce45d7b7fb94de46db9504b56800d70b1822d7 Mon Sep 17 00:00:00 2001
+From: Wilfred Mallawa <wilfred.mallawa@wdc.com>
+Date: Tue, 19 Aug 2025 14:59:21 +1000
+Subject: [PATCH] tests/psk-file: Add testing for _credentials2 functions
+
+Adds testing for gnutls_psk_allocate_X_credentials2() functions for
+server and client.
+
+Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
+Modified-by: Daiki Ueno <ueno@gnu.org>
+---
+ tests/psk-file.c | 49 ++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 41 insertions(+), 8 deletions(-)
+
+diff --git a/tests/psk-file.c b/tests/psk-file.c
+index 248928b8ea..f3a7121204 100644
+--- a/tests/psk-file.c
++++ b/tests/psk-file.c
+@@ -99,7 +99,8 @@ static void tls_log_func(int level, const char *str)
+ 
+ static void client(int sd, const char *prio, const gnutls_datum_t *user,
+ 		   const gnutls_datum_t *key, unsigned expect_hint,
+-		   int expect_fail, int exp_kx, unsigned binary_user)
++		   int expect_fail, int exp_kx, unsigned binary_user,
++		   gnutls_mac_algorithm_t mac)
+ {
+ 	int ret, ii, kx;
+ 	gnutls_session_t session;
+@@ -114,7 +115,12 @@ static void client(int sd, const char *prio, const gnutls_datum_t *user,
+ 
+ 	side = "client";
+ 
+-	gnutls_psk_allocate_client_credentials(&pskcred);
++	/* gnutls_psk_allocate_client_credentials calls _credentials2
++	 * with GNUTLS_MAC_SHA256 */
++	if (mac != GNUTLS_MAC_SHA256)
++		gnutls_psk_allocate_client_credentials2(&pskcred, mac);
++	else
++		gnutls_psk_allocate_client_credentials(&pskcred);
+ 
+ 	if (binary_user) {
+ 		gnutls_psk_set_client_credentials2(pskcred, user, key,
+@@ -214,7 +220,7 @@ end:
+ 
+ static void server(int sd, const char *prio, const gnutls_datum_t *user,
+ 		   bool no_cred, int expect_fail, int exp_kx,
+-		   unsigned binary_user)
++		   unsigned binary_user, gnutls_mac_algorithm_t mac)
+ {
+ 	gnutls_psk_server_credentials_t server_pskcred;
+ 	int ret, kx;
+@@ -237,7 +243,13 @@ static void server(int sd, const char *prio, const gnutls_datum_t *user,
+ 	if (psk_file == NULL)
+ 		psk_file = (char *)"psk.passwd";
+ 
+-	gnutls_psk_allocate_server_credentials(&server_pskcred);
++	/* gnutls_psk_allocate_server_credentials calls _credentials2
++	 * with GNUTLS_MAC_SHA256 */
++	if (mac != GNUTLS_MAC_SHA256)
++		gnutls_psk_allocate_server_credentials2(&server_pskcred, mac);
++	else
++		gnutls_psk_allocate_server_credentials(&server_pskcred);
++
+ 	gnutls_psk_set_server_credentials_hint(server_pskcred, "hint");
+ 	ret = gnutls_psk_set_server_credentials_file(server_pskcred, psk_file);
+ 	if (ret < 0) {
+@@ -378,11 +390,12 @@ static void print_user(const char *caption, const char *prio,
+ 			(const char *)user->data);
+ }
+ 
+-static void run_test3(const char *prio, const char *sprio,
++static void run_test4(const char *prio, const char *sprio,
+ 		      const gnutls_datum_t *user, const gnutls_datum_t *key,
+ 		      bool no_cred, unsigned expect_hint, int exp_kx,
+ 		      int expect_fail_cli, int expect_fail_serv,
+-		      unsigned binary_user)
++		      unsigned binary_user, gnutls_mac_algorithm_t mac_cli,
++		      gnutls_mac_algorithm_t mac_serv)
+ {
+ 	pid_t child;
+ 	int err;
+@@ -414,17 +427,28 @@ static void run_test3(const char *prio, const char *sprio,
+ 		int status;
+ 		/* parent */
+ 		server(sockets[0], sprio ? sprio : prio, user, no_cred,
+-		       expect_fail_serv, exp_kx, binary_user);
++		       expect_fail_serv, exp_kx, binary_user, mac_serv);
+ 		wait(&status);
+ 		check_wait_status(status);
+ 	} else {
+ 		close(sockets[0]);
+ 		client(sockets[1], prio, user, key, expect_hint,
+-		       expect_fail_cli, exp_kx, binary_user);
++		       expect_fail_cli, exp_kx, binary_user, mac_cli);
+ 		exit(0);
+ 	}
+ }
+ 
++static void run_test3(const char *prio, const char *sprio,
++		      const gnutls_datum_t *user, const gnutls_datum_t *key,
++		      bool no_cred, unsigned expect_hint, int exp_kx,
++		      int expect_fail_cli, int expect_fail_serv,
++		      unsigned binary_user)
++{
++	run_test4(prio, sprio, user, key, no_cred, expect_hint, exp_kx,
++		  expect_fail_cli, expect_fail_serv, binary_user,
++		  GNUTLS_MAC_SHA256, GNUTLS_MAC_SHA256);
++}
++
+ static void run_test2(const char *prio, const char *sprio,
+ 		      const gnutls_datum_t *user, const gnutls_datum_t *key,
+ 		      unsigned expect_hint, int exp_kx, int expect_fail_cli,
+@@ -714,6 +738,15 @@ void doit(void)
+ 	run_test3("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL,
+ 		  &user_null_2, &key, 1, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED,
+ 		  GNUTLS_E_INSUFFICIENT_CREDENTIALS, 1);
++
++	/* try with different PSK binder algorithms, where the server
++	 * should auto-detect */
++	run_test4("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK", NULL, &user_jas, &key,
++		  0, 0, GNUTLS_KX_PSK, 0, 0, 0, GNUTLS_MAC_SHA256,
++		  GNUTLS_MAC_UNKNOWN);
++	run_test4("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK", NULL, &user_jas, &key,
++		  0, 0, GNUTLS_KX_PSK, 0, 0, 0, GNUTLS_MAC_SHA384,
++		  GNUTLS_MAC_UNKNOWN);
+ }
+ 
+ #endif /* _WIN32 */
+-- 
+GitLab
+

gnutls-PSK-hash.patch

@@ -0,0 +1,217 @@
+From e73b6bac7396db058ff408e6ae7e0b27cb432317 Mon Sep 17 00:00:00 2001
+From: Hannes Reinecke <hare@suse.de>
+Date: Fri, 14 Mar 2025 12:31:13 +0100
+Subject: [PATCH] lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2
+
+Add new functions gnutls_psk_allocate_client_credentials2() and
+gnutls_psk_allocate_server_credentials2() which allow to specify
+the hash algorithm for the PSK. This fixes a bug in the current
+implementation where the binder is always calculated with SHA256.
+
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ doc/Makefile.am                 |  4 +++
+ doc/manpages/Makefile.am        |  2 ++
+ lib/ext/pre_shared_key.c        | 13 ++++++++
+ lib/includes/gnutls/gnutls.h.in |  5 +++
+ lib/libgnutls.map               |  9 ++++++
+ lib/psk.c                       | 56 ++++++++++++++++++++++++++++++---
+
+Index: gnutls-3.8.10/doc/Makefile.am
+===================================================================
+--- gnutls-3.8.10.orig/doc/Makefile.am
++++ gnutls-3.8.10/doc/Makefile.am
+@@ -1779,8 +1779,12 @@ FUNCS += functions/gnutls_protocol_set_e
+ FUNCS += functions/gnutls_protocol_set_enabled.short
+ FUNCS += functions/gnutls_psk_allocate_client_credentials
+ FUNCS += functions/gnutls_psk_allocate_client_credentials.short
++FUNCS += functions/gnutls_psk_allocate_client_credentials2
++FUNCS += functions/gnutls_psk_allocate_client_credentials2.short
+ FUNCS += functions/gnutls_psk_allocate_server_credentials
+ FUNCS += functions/gnutls_psk_allocate_server_credentials.short
++FUNCS += functions/gnutls_psk_allocate_server_credentials2
++FUNCS += functions/gnutls_psk_allocate_server_credentials2.short
+ FUNCS += functions/gnutls_psk_client_get_hint
+ FUNCS += functions/gnutls_psk_client_get_hint.short
+ FUNCS += functions/gnutls_psk_format_imported_identity
+Index: gnutls-3.8.10/doc/manpages/Makefile.am
+===================================================================
+--- gnutls-3.8.10.orig/doc/manpages/Makefile.am
++++ gnutls-3.8.10/doc/manpages/Makefile.am
+@@ -735,7 +735,9 @@ APIMANS += gnutls_protocol_get_version.3
+ APIMANS += gnutls_protocol_list.3
+ APIMANS += gnutls_protocol_set_enabled.3
+ APIMANS += gnutls_psk_allocate_client_credentials.3
++APIMANS += gnutls_psk_allocate_client_credentials2.3
+ APIMANS += gnutls_psk_allocate_server_credentials.3
++APIMANS += gnutls_psk_allocate_server_credentials2.3
+ APIMANS += gnutls_psk_client_get_hint.3
+ APIMANS += gnutls_psk_format_imported_identity.3
+ APIMANS += gnutls_psk_free_client_credentials.3
+Index: gnutls-3.8.10/lib/ext/pre_shared_key.c
+===================================================================
+--- gnutls-3.8.10.orig/lib/ext/pre_shared_key.c
++++ gnutls-3.8.10/lib/ext/pre_shared_key.c
+@@ -827,7 +827,9 @@ static int server_recv_params(gnutls_ses
+ 	struct timespec ticket_creation_time = { 0, 0 };
+ 	enum binder_type binder_type;
+ 	bool refuse_early_data = false;
++	gnutls_mac_algorithm_t mac = GNUTLS_MAC_SHA384;
+ 
++retry_binder:
+ 	ret = _gnutls13_psk_ext_parser_init(&psk_parser, data, len);
+ 	if (ret < 0) {
+ 		/* No PSKs advertised by client */
+@@ -885,6 +887,8 @@ static int server_recv_params(gnutls_ses
+ 			uint8_t ipsk[MAX_HASH_SIZE];
+ 
+ 			prf = pskcred->binder_algo;
++			if (prf->id == GNUTLS_MAC_UNKNOWN)
++				prf = _gnutls_mac_to_entry(mac);
+ 
+ 			/* this fails only on configuration errors; as such we always
+ 			 * return its error code in that case */
+@@ -974,6 +978,15 @@ static int server_recv_params(gnutls_ses
+ 
+ 	if (_gnutls_mac_get_algo_len(prf) != binder_recvd.size ||
+ 	    gnutls_memcmp(binder_value, binder_recvd.data, binder_recvd.size)) {
++		/*
++		 * Older clients will always use SHA256 as binder algorithm
++		 * even for SHA384 PSKs, so we need to retry with SHA256
++		 * to calculate the correct binder value for those.
++		 */
++		if (prf->id == GNUTLS_MAC_UNKNOWN && mac == GNUTLS_MAC_SHA384) {
++			mac = GNUTLS_MAC_SHA256;
++			goto retry_binder;
++		}
+ 		gnutls_assert();
+ 		ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ 		goto fail;
+Index: gnutls-3.8.10/lib/includes/gnutls/gnutls.h.in
+===================================================================
+--- gnutls-3.8.10.orig/lib/includes/gnutls/gnutls.h.in
++++ gnutls-3.8.10/lib/includes/gnutls/gnutls.h.in
+@@ -2589,6 +2589,9 @@ typedef enum gnutls_psk_key_flags {
+ 
+ void gnutls_psk_free_client_credentials(gnutls_psk_client_credentials_t sc);
+ int gnutls_psk_allocate_client_credentials(gnutls_psk_client_credentials_t *sc);
++int gnutls_psk_allocate_client_credentials2(gnutls_psk_client_credentials_t *sc,
++					    gnutls_mac_algorithm_t mac);
++
+ int gnutls_psk_set_client_credentials(gnutls_psk_client_credentials_t res,
+ 				      const char *username,
+ 				      const gnutls_datum_t *key,
+@@ -2600,6 +2603,8 @@ int gnutls_psk_set_client_credentials2(g
+ 
+ void gnutls_psk_free_server_credentials(gnutls_psk_server_credentials_t sc);
+ int gnutls_psk_allocate_server_credentials(gnutls_psk_server_credentials_t *sc);
++int gnutls_psk_allocate_server_credentials2(gnutls_psk_server_credentials_t *sc,
++					    gnutls_mac_algorithm_t mac);
+ int gnutls_psk_set_server_credentials_file(gnutls_psk_server_credentials_t res,
+ 					   const char *password_file);
+ 
+Index: gnutls-3.8.10/lib/libgnutls.map
+===================================================================
+--- gnutls-3.8.10.orig/lib/libgnutls.map
++++ gnutls-3.8.10/lib/libgnutls.map
+@@ -1450,6 +1450,15 @@ GNUTLS_3_8_6
+ 	*;
+ } GNUTLS_3_8_4;
+ 
++GNUTLS_3_8_11
++{
++ global:
++	gnutls_psk_allocate_client_credentials2;
++	gnutls_psk_allocate_server_credentials2;
++ local:
++	*;
++} GNUTLS_3_8_2;
++
+ GNUTLS_FIPS140_3_4 {
+   global:
+ 	gnutls_cipher_self_test;
+Index: gnutls-3.8.10/lib/psk.c
+===================================================================
+--- gnutls-3.8.10.orig/lib/psk.c
++++ gnutls-3.8.10/lib/psk.c
+@@ -61,13 +61,34 @@ void gnutls_psk_free_client_credentials(
+  **/
+ int gnutls_psk_allocate_client_credentials(gnutls_psk_client_credentials_t *sc)
+ {
++	/* TLS 1.3 - Default binder HMAC algorithm is SHA-256 */
++	return gnutls_psk_allocate_client_credentials2(sc, GNUTLS_MAC_SHA256);
++}
++
++/**
++ * gnutls_psk_allocate_client_credentials2:
++ * @sc: is a pointer to a #gnutls_psk_client_credentials_t type.
++ * @mac: encryption algorithm to use
++ *
++ * Allocate a gnutls_psk_client_credentials_t structure and initializes
++ * the HMAC binder algorithm to @mac.
++ *
++ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
++ *   an error code is returned.
++ **/
++int gnutls_psk_allocate_client_credentials2(gnutls_psk_client_credentials_t *sc,
++					    gnutls_mac_algorithm_t mac)
++{
++	/* TLS 1.3 - Only SHA-256 and SHA-384 are allowed */
++	if (mac != GNUTLS_MAC_SHA256 && mac != GNUTLS_MAC_SHA384)
++		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++
+ 	*sc = gnutls_calloc(1, sizeof(psk_client_credentials_st));
+ 
+ 	if (*sc == NULL)
+ 		return GNUTLS_E_MEMORY_ERROR;
+ 
+-	/* TLS 1.3 - Default binder HMAC algorithm is SHA-256 */
+-	(*sc)->binder_algo = _gnutls_mac_to_entry(GNUTLS_MAC_SHA256);
++	(*sc)->binder_algo = _gnutls_mac_to_entry(mac);
+ 	return 0;
+ }
+ 
+@@ -203,13 +224,40 @@ void gnutls_psk_free_server_credentials(
+  **/
+ int gnutls_psk_allocate_server_credentials(gnutls_psk_server_credentials_t *sc)
+ {
++	/* TLS 1.3 - Default binder HMAC algorithm is SHA-256 */
++	return gnutls_psk_allocate_server_credentials2(sc, GNUTLS_MAC_SHA256);
++}
++
++/**
++ * gnutls_psk_allocate_server_credentials2:
++ * @sc: is a pointer to a #gnutls_psk_server_credentials_t type.
++ * @mac: encryption algorithm to use
++ *
++ * Allocate a gnutls_psk_server_credentials_t structure and initializes
++ * the HMAC binder algorithm to @mac. If @mac is set to GNUTLS_MAC_UNKNOWN
++ * both possible algorithms SHA384 and SHA256 are applied to find a matching
++ * binder value.
++ *
++ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
++ *   an error code is returned.
++ **/
++int gnutls_psk_allocate_server_credentials2(gnutls_psk_server_credentials_t *sc,
++					    gnutls_mac_algorithm_t mac)
++{
++	/*
++	 * TLS 1.3 - Only SHA-256 and SHA-384 are allowed;
++	 * additionally allow GNUTLS_MAC_UNKNOWN for autodetection.
++	 */
++	if (mac != GNUTLS_MAC_SHA256 && mac != GNUTLS_MAC_SHA384 &&
++	    mac != GNUTLS_MAC_UNKNOWN)
++		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++
+ 	*sc = gnutls_calloc(1, sizeof(psk_server_cred_st));
+ 
+ 	if (*sc == NULL)
+ 		return GNUTLS_E_MEMORY_ERROR;
+ 
+-	/* TLS 1.3 - Default binder HMAC algorithm is SHA-256 */
+-	(*sc)->binder_algo = _gnutls_mac_to_entry(GNUTLS_MAC_SHA256);
++	(*sc)->binder_algo = _gnutls_mac_to_entry(mac);
+ 	return 0;
+ }
+ 

gnutls.changes

@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Tue Feb 24 14:30:27 UTC 2026 - Pedro Monreal <pmonreal@suse.com>
+
+- Add the functionality to allow to specify the hash algorithm for
+  the PSK. This fixes a bug in the current implementation where the
+  binder is always calculated with SHA256.
+  * (bsc#1258083, jsc#PED-15752, jsc#PED-15753)
+  * lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2
+  * tests/psk-file: Add testing for _credentials2 functions
+  * lib/psk: add null check for binder algo
+  * pre_shared_key: fix memleak when retrying with different binder algo
+  * pre_shared_key: add null check on pskcred
+  * Add patches:
+    - gnutls-PSK-hash.patch
+    - gnutls-PSK-hash-tests.patch
+    - gnutls-PSK-hash-NULL-check.patch
+    - gnutls-PSK-hash-NULL-check-pskcred.patch
+    - gnutls-PSK-hash-fix-memleak.patch
+
+-------------------------------------------------------------------
+Tue Feb 10 12:07:34 UTC 2026 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix:
+  * CVE-2025-14831: DoS via excessive resource consumption during
+    certificate verification (bsc#1257960)
+  * Add gnutls-CVE-2025-14831.patch
+
+-------------------------------------------------------------------
+Mon Nov 24 10:23:30 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
+
+- Security fix bsc#1254132 CVE-2025-9820
+  * Fix buffer overflow in gnutls_pkcs11_token_init 
+  * Added gnutls-CVE-2025-9820.patch
+
 -------------------------------------------------------------------
 Tue Jul 15 08:12:29 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
 

gnutls.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package gnutls
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC
 # Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
@@ -81,6 +81,16 @@ Patch107:       gnutls-FIPS-disable-mac-sha1.patch
 Patch108:       gnutls-FIPS-HMAC-x86_64-v3-opt.patch
 # PATCH-FIX-SUSE Disable test
 Patch109:       gnutls-3.8.10-disable-ktls_test.patch
+# PATCH-FIX-UPSTREAM bsc#1254132 CVE-2025-9820 buffer overflow in gnutls_pkcs11_token_init
+Patch110:	gnutls-CVE-2025-9820.patch
+# PATCH-FIX-UPSTREAM bsc#1257960 CVE-2025-14831: DoS via excessive resource consumption during certificate verification
+Patch111:       gnutls-CVE-2025-14831.patch
+# PATCH-FIX-UPSTREAM bsc#1258083 lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2
+Patch112:       gnutls-PSK-hash.patch
+Patch113:       gnutls-PSK-hash-tests.patch
+Patch114:       gnutls-PSK-hash-NULL-check.patch
+Patch115:       gnutls-PSK-hash-NULL-check-pskcred.patch
+Patch116:       gnutls-PSK-hash-fix-memleak.patch
 BuildRequires:  autogen
 BuildRequires:  automake
 BuildRequires:  datefudge