gnutls package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>

SOURCES/gnutls-3.1.11-nosrp.patch

@@ -0,0 +1,12 @@
+diff -up gnutls-3.1.10/tests/srp/mini-srp.c.noecc gnutls-3.1.10/tests/srp/mini-srp.c
+--- gnutls-3.1.10/tests/srp/mini-srp.c.noecc	2013-03-21 21:42:28.000000000 +0100
++++ gnutls-3.1.10/tests/srp/mini-srp.c	2013-03-25 13:42:20.753422209 +0100
+@@ -27,7 +27,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ 
+-#if defined(_WIN32)
++#if defined(_WIN32) || !defined(ENABLE_SRP)
+ 
+ int main()
+ {

SOURCES/gnutls-3.2.7-rpath.patch

@@ -0,0 +1,12 @@
+diff -ur gnutls-3.2.7.orig/configure gnutls-3.2.7/configure
+--- gnutls-3.2.7.orig/configure	2013-11-23 11:09:49.000000000 +0100
++++ gnutls-3.2.7/configure	2013-11-25 16:53:05.559440656 +0100
+@@ -39652,7 +39652,7 @@
+ shlibpath_overrides_runpath=unknown
+ version_type=none
+ dynamic_linker="$host_os ld.so"
+-sys_lib_dlsearch_path_spec="/lib /usr/lib"
++sys_lib_dlsearch_path_spec="/lib /usr/lib /lib64 /usr/lib64"
+ need_lib_prefix=unknown
+ hardcode_into_libs=no
+ 

SOURCES/gnutls-3.3.22-eapp-data.patch

@@ -0,0 +1,27 @@
+diff --git b/lib/gnutls_handshake.c a/lib/gnutls_handshake.c
+index 5930941..e904f2e 100644
+--- b/lib/gnutls_handshake.c
++++ a/lib/gnutls_handshake.c
+@@ -2510,7 +2510,8 @@ static int _gnutls_recv_supplemental(gnutls_session_t session)
+  * are non fatal errors, only in the specific case of a rehandshake.
+  * Their meaning is that the client rejected the rehandshake request or
+  * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it could also mean that
+- * some data were pending.
++ * some data were pending. A client may receive that error code if
++ * it initiates the handshake and the server doesn't agreed.
+  *
+  * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
+  **/
+diff --git b/lib/gnutls_record.c a/lib/gnutls_record.c
+index 157d12a..40c20fe 100644
+--- b/lib/gnutls_record.c
++++ a/lib/gnutls_record.c
+@@ -837,7 +837,7 @@ record_add_to_buffers(gnutls_session_t session,
+ 			 * reasons). Otherwise it is an unexpected packet
+ 			 */
+ 			if (type == GNUTLS_ALERT
+-			    || (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO
++			    || ((htype == GNUTLS_HANDSHAKE_SERVER_HELLO || htype == GNUTLS_HANDSHAKE_CLIENT_HELLO)
+ 				&& type == GNUTLS_HANDSHAKE)) {
+ 				/* even if data is unexpected put it into the buffer */
+ 				_gnutls_record_buffer_put(session, recv->type,

SOURCES/gnutls-3.3.26-cve-2017-7869.patch

@@ -0,0 +1,235 @@
+diff --git a/lib/opencdk/kbnode.c b/lib/opencdk/kbnode.c
+index c28cb34..f865b16 100644
+--- a/lib/opencdk/kbnode.c
++++ b/lib/opencdk/kbnode.c
+@@ -369,12 +369,14 @@ cdk_packet_t cdk_kbnode_get_packet(cdk_kbnode_t node)
+  * @armor: whether base64 or not
+  * @buf: the buffer which stores the key sequence
+  * @buflen: the length of the buffer
++ * @public: non-zero if reading a public key
+  *
+  * Tries to read a key node from the memory buffer @buf.
+  **/
+ cdk_error_t
+ cdk_kbnode_read_from_mem(cdk_kbnode_t * ret_node,
+-			 int armor, const byte * buf, size_t buflen)
++			 int armor, const byte * buf, size_t buflen,
++			 unsigned public)
+ {
+ 	cdk_stream_t inp;
+ 	cdk_error_t rc;
+@@ -393,7 +395,7 @@ cdk_kbnode_read_from_mem(cdk_kbnode_t * ret_node,
+ 	if (armor)
+ 		cdk_stream_set_armor_flag(inp, 0);
+ 
+-	rc = cdk_keydb_get_keyblock(inp, ret_node);
++	rc = cdk_keydb_get_keyblock(inp, ret_node, public);
+ 	if (rc)
+ 		gnutls_assert();
+ 	cdk_stream_close(inp);
+diff --git a/lib/opencdk/keydb.c b/lib/opencdk/keydb.c
+index 64eebf0..9112d9a 100644
+--- a/lib/opencdk/keydb.c
++++ b/lib/opencdk/keydb.c
+@@ -108,7 +108,7 @@ static cdk_error_t keydb_idx_build(const char *file)
+ 	while (!cdk_stream_eof(inp)) {
+ 		off_t pos = cdk_stream_tell(inp);
+ 
+-		rc = cdk_pkt_read(inp, pkt);
++		rc = cdk_pkt_read(inp, pkt, 1);
+ 		if (rc) {
+ 			_cdk_log_debug
+ 			    ("index build failed packet off=%lu\n",
+@@ -816,7 +816,7 @@ cdk_keydb_search(cdk_keydb_search_t st, cdk_keydb_hd_t hd,
+ 
+ 		pos = cdk_stream_tell(kr);
+ 
+-		rc = cdk_keydb_get_keyblock(kr, &knode);
++		rc = cdk_keydb_get_keyblock(kr, &knode, 1);
+ 
+ 		if (rc) {
+ 			if (rc == CDK_EOF)
+@@ -1679,7 +1679,7 @@ add_key_usage(cdk_kbnode_t knode, u32 keyid[2], unsigned int usage)
+ }
+ 
+ cdk_error_t
+-cdk_keydb_get_keyblock(cdk_stream_t inp, cdk_kbnode_t * r_knode)
++cdk_keydb_get_keyblock(cdk_stream_t inp, cdk_kbnode_t * r_knode, unsigned public)
+ {
+ 	cdk_packet_t pkt;
+ 	cdk_kbnode_t knode, node;
+@@ -1706,7 +1706,7 @@ cdk_keydb_get_keyblock(cdk_stream_t inp, cdk_kbnode_t * r_knode)
+ 	while (!cdk_stream_eof(inp)) {
+ 		cdk_pkt_new(&pkt);
+ 		old_off = cdk_stream_tell(inp);
+-		rc = cdk_pkt_read(inp, pkt);
++		rc = cdk_pkt_read(inp, pkt, public);
+ 		if (rc) {
+ 			cdk_pkt_release(pkt);
+ 			if (rc == CDK_EOF)
+@@ -2126,7 +2126,7 @@ cdk_error_t cdk_keydb_check_sk(cdk_keydb_hd_t hd, u32 * keyid)
+ 		return rc;
+ 	}
+ 	cdk_pkt_new(&pkt);
+-	while (!cdk_pkt_read(db, pkt)) {
++	while (!cdk_pkt_read(db, pkt, 0)) {
+ 		if (pkt->pkttype != CDK_PKT_SECRET_KEY &&
+ 		    pkt->pkttype != CDK_PKT_SECRET_SUBKEY) {
+ 			cdk_pkt_free(pkt);
+@@ -2241,14 +2241,14 @@ cdk_error_t cdk_listkey_next(cdk_listkey_t ctx, cdk_kbnode_t * ret_key)
+ 	}
+ 
+ 	if (ctx->type && ctx->u.patt[0] == '*')
+-		return cdk_keydb_get_keyblock(ctx->inp, ret_key);
++		return cdk_keydb_get_keyblock(ctx->inp, ret_key, 1);
+ 	else if (ctx->type) {
+ 		cdk_kbnode_t node;
+ 		struct cdk_keydb_search_s ks;
+ 		cdk_error_t rc;
+ 
+ 		for (;;) {
+-			rc = cdk_keydb_get_keyblock(ctx->inp, &node);
++			rc = cdk_keydb_get_keyblock(ctx->inp, &node, 1);
+ 			if (rc) {
+ 				gnutls_assert();
+ 				return rc;
+diff --git a/lib/opencdk/literal.c b/lib/opencdk/literal.c
+index 7b4baec..6996774 100644
+--- a/lib/opencdk/literal.c
++++ b/lib/opencdk/literal.c
+@@ -67,7 +67,7 @@ static cdk_error_t literal_decode(void *data, FILE * in, FILE * out)
+ 		return rc;
+ 
+ 	cdk_pkt_new(&pkt);
+-	rc = cdk_pkt_read(si, pkt);
++	rc = cdk_pkt_read(si, pkt, 1);
+ 	if (rc || pkt->pkttype != CDK_PKT_LITERAL) {
+ 		cdk_pkt_release(pkt);
+ 		cdk_stream_close(si);
+diff --git a/lib/opencdk/opencdk.h b/lib/opencdk/opencdk.h
+index c06b749..d95cc32 100644
+--- a/lib/opencdk/opencdk.h
++++ b/lib/opencdk/opencdk.h
+@@ -553,7 +553,7 @@ extern "C" {
+ 	void cdk_pkt_release(cdk_packet_t pkt);
+ 
+ /* Read or write the given output from or to the stream. */
+-	cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt);
++	cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt, unsigned public);
+ 	cdk_error_t cdk_pkt_write(cdk_stream_t out, cdk_packet_t pkt);
+ 
+ /* Sub packet routines */
+@@ -814,7 +814,8 @@ extern "C" {
+ /* Try to read the next key block from the given input stream.
+    The key will be returned in @RET_KEY on success. */
+ 	cdk_error_t cdk_keydb_get_keyblock(cdk_stream_t inp,
+-					   cdk_kbnode_t * ret_key);
++					   cdk_kbnode_t * ret_key,
++					   unsigned public);
+ 
+ /* Rebuild the key db index if possible. */
+ 	cdk_error_t cdk_keydb_idx_rebuild(cdk_keydb_hd_t db,
+@@ -848,7 +849,7 @@ extern "C" {
+ 	cdk_error_t cdk_kbnode_read_from_mem(cdk_kbnode_t * ret_node,
+ 					     int armor,
+ 					     const unsigned char *buf,
+-					     size_t buflen);
++					     size_t buflen, unsigned public);
+ 	cdk_error_t cdk_kbnode_write_to_mem(cdk_kbnode_t node,
+ 					    unsigned char *buf,
+ 					    size_t * r_nbytes);
+diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c
+index 7a474ff..72624d0 100644
+--- a/lib/opencdk/read-packet.c
++++ b/lib/opencdk/read-packet.c
+@@ -571,6 +571,9 @@ read_user_id(cdk_stream_t inp, size_t pktlen, cdk_pkt_userid_t user_id)
+ }
+ 
+ 
++#define MAX_PACKET_LEN (1<<24)
++
++
+ static cdk_error_t
+ read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes)
+ {
+@@ -610,6 +613,10 @@ read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes)
+ 	else
+ 		return CDK_Inv_Packet;
+ 
++	if (size >= MAX_PACKET_LEN) {
++		return CDK_Inv_Packet;
++	}
++
+ 	node = cdk_subpkt_new(size);
+ 	if (!node)
+ 		return CDK_Out_Of_Core;
+@@ -958,7 +965,7 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen)
+  *
+  * Parse the next packet on the @inp stream and return its contents in @pkt.
+  **/
+-cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
++cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt, unsigned public)
+ {
+ 	int ctb, is_newctb;
+ 	int pkttype;
+@@ -1058,6 +1065,10 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
+ 		break;
+ 
+ 	case CDK_PKT_SECRET_KEY:
++		if (public) {
++			/* read secret key when expecting public */
++			return gnutls_assert_val(CDK_Inv_Packet);
++		}
+ 		pkt->pkt.secret_key =
+ 		    cdk_calloc(1, sizeof *pkt->pkt.secret_key);
+ 		if (!pkt->pkt.secret_key)
+@@ -1073,6 +1084,10 @@ cdk_error_t cdk_pkt_read(cdk_stream_t inp, cdk_packet_t pkt)
+ 		break;
+ 
+ 	case CDK_PKT_SECRET_SUBKEY:
++		if (public) {
++			/* read secret key when expecting public */
++			return gnutls_assert_val(CDK_Inv_Packet);
++		}
+ 		pkt->pkt.secret_key =
+ 		    cdk_calloc(1, sizeof *pkt->pkt.secret_key);
+ 		if (!pkt->pkt.secret_key)
+diff --git a/lib/openpgp/gnutls_openpgp.c b/lib/openpgp/gnutls_openpgp.c
+index 7c05e1f..192737f 100644
+--- a/lib/openpgp/gnutls_openpgp.c
++++ b/lib/openpgp/gnutls_openpgp.c
+@@ -479,7 +479,7 @@ int gnutls_openpgp_count_key_names(const gnutls_datum_t * cert)
+ 		return 0;
+ 	}
+ 
+-	if (cdk_kbnode_read_from_mem(&knode, 0, cert->data, cert->size)) {
++	if (cdk_kbnode_read_from_mem(&knode, 0, cert->data, cert->size, 1)) {
+ 		gnutls_assert();
+ 		return 0;
+ 	}
+diff --git a/lib/openpgp/pgp.c b/lib/openpgp/pgp.c
+index d5ef272..77e57ab 100644
+--- a/lib/openpgp/pgp.c
++++ b/lib/openpgp/pgp.c
+@@ -99,7 +99,7 @@ gnutls_openpgp_crt_import(gnutls_openpgp_crt_t key,
+ 		armor = 1;
+ 
+ 	rc = cdk_kbnode_read_from_mem(&key->knode, armor, data->data,
+-				      data->size);
++				      data->size, 1);
+ 	if (rc) {
+ 		rc = _gnutls_map_cdk_rc(rc);
+ 		gnutls_assert();
+diff --git a/lib/openpgp/privkey.c b/lib/openpgp/privkey.c
+index 6aa6fb5..81ec3ab 100644
+--- a/lib/openpgp/privkey.c
++++ b/lib/openpgp/privkey.c
+@@ -186,7 +186,7 @@ gnutls_openpgp_privkey_import(gnutls_openpgp_privkey_t key,
+ 		armor = 1;
+ 
+ 	rc = cdk_kbnode_read_from_mem(&key->knode, armor, data->data,
+-				      data->size);
++				      data->size, 0);
+ 	if (rc != 0) {
+ 		rc = _gnutls_map_cdk_rc(rc);
+ 		gnutls_assert();

SOURCES/gnutls-3.3.26-dh-params-1024.patch

@@ -0,0 +1,31 @@
+diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
+index c5998ab..ffefce1 100644
+--- a/lib/gnutls_priority.c
++++ b/lib/gnutls_priority.c
+@@ -684,7 +684,7 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
+ 		func(&priority_cache->supported_ecc, supported_ecc_normal);
+ 
+ 		SET_PROFILE(GNUTLS_PROFILE_LOW); /* set certificate level */
+-		SET_LEVEL(GNUTLS_SEC_PARAM_WEAK); /* set DH params level */
++		SET_LEVEL(GNUTLS_SEC_PARAM_LOW); /* set DH params level */
+ 		return 1;
+ 	} else if (strcasecmp(level, LEVEL_NORMAL) == 0) {
+ 		func(&priority_cache->cipher, cipher_priority_normal);
+@@ -694,7 +694,7 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
+ 		func(&priority_cache->supported_ecc, supported_ecc_normal);
+ 
+ 		SET_PROFILE(GNUTLS_PROFILE_LOW);
+-		SET_LEVEL(GNUTLS_SEC_PARAM_WEAK);
++		SET_LEVEL(GNUTLS_SEC_PARAM_LOW);
+ 		return 1;
+ 	} else if (strcasecmp(level, LEVEL_PFS) == 0) {
+ 		func(&priority_cache->cipher, cipher_priority_normal);
+@@ -704,7 +704,7 @@ int check_level(const char *level, gnutls_priority_t priority_cache,
+ 		func(&priority_cache->supported_ecc, supported_ecc_normal);
+ 
+ 		SET_PROFILE(GNUTLS_PROFILE_LOW);
+-		SET_LEVEL(GNUTLS_SEC_PARAM_WEAK);
++		SET_LEVEL(GNUTLS_SEC_PARAM_LOW);
+ 		return 1;
+ 	} else if (strcasecmp(level, LEVEL_SECURE256) == 0
+ 		   || strcasecmp(level, LEVEL_SECURE192) == 0) {

SOURCES/gnutls-3.3.26-fips-rsa-keygen.patch

@@ -0,0 +1,56 @@
+diff --git a/lib/nettle/int/rsa-keygen-fips186.c b/lib/nettle/int/rsa-keygen-fips186.c
+index 624aa36..b064b45 100644
+--- a/lib/nettle/int/rsa-keygen-fips186.c
++++ b/lib/nettle/int/rsa-keygen-fips186.c
+@@ -27,7 +27,6 @@
+ #include "config.h"
+ #endif
+ 
+-#include <assert.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -337,10 +336,16 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
+ 
+ 	mpz_mul(pub->n, key->p, key->q);
+ 
+-	assert(mpz_sizeinbase(pub->n, 2) == n_size);
++	if (mpz_sizeinbase(pub->n, 2) != n_size) {
++		ret = 0;
++		goto cleanup;
++	}
+ 
+ 	/* c = q^{-1} (mod p) */
+-	assert(mpz_invert(key->c, key->q, key->p) != 0);
++	if (mpz_invert(key->c, key->q, key->p) == 0) {
++		ret = 0;
++		goto cleanup;
++	}
+ 
+ 	mpz_sub_ui(p1, key->p, 1);
+ 	mpz_sub_ui(q1, key->q, 1);
+@@ -352,6 +357,12 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
+ 		goto cleanup;
+ 	}
+ 
++	/* check whether d > 2^(nlen/2) -- FIPS186-4 5.3.1 */
++	if (mpz_sizeinbase(key->d, 2) < n_size/2) {
++		ret = 0;
++		goto cleanup;
++	}
++
+ 	/* Done! Almost, we must compute the auxillary private values. */
+ 	/* a = d % (p-1) */
+ 	mpz_fdiv_r(key->a, key->d, p1);
+@@ -362,7 +373,10 @@ _rsa_generate_fips186_4_keypair(struct rsa_public_key *pub,
+ 	/* c was computed earlier */
+ 
+ 	pub->size = key->size = (n_size + 7) / 8;
+-	assert(pub->size >= RSA_MINIMUM_N_OCTETS);
++	if (pub->size < RSA_MINIMUM_N_OCTETS) {
++		ret = 0;
++		goto cleanup;
++	}
+ 
+ 	ret = 1;
+  cleanup:

SOURCES/gnutls-3.3.26-fix-coverity-issues.patch

@@ -0,0 +1,15 @@
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 56c0163..368598b 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -2021,7 +2021,9 @@ static int wrap_nettle_hash_algorithm(gnutls_pk_algorithm_t pk,
+ 			break;
+ 		}
+ 
+-		_rsa_params_to_pubkey(issuer_params, &pub);
++		ret = _rsa_params_to_pubkey(issuer_params, &pub);
++		if (ret < 0)
++			return gnutls_assert_val(ret);
+ 
+ 		digest_size = sizeof(digest);
+ 

SOURCES/gnutls-3.3.26-fix-uninitialized.patch

@@ -0,0 +1,12 @@
+diff --git a/lib/pkcs11.c b/lib/pkcs11.c
+index d99dedf..f5cf99d 100644
+--- a/lib/pkcs11.c
++++ b/lib/pkcs11.c
+@@ -3019,6 +3019,7 @@ gnutls_pkcs11_obj_list_import_url2(gnutls_pkcs11_obj_t ** p_list,
+ 	if (ret < 0) {
+ 		gnutls_assert();
+ 		if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
++			*p_list = NULL;
+ 			*n_list = 0;
+ 			ret = 0;
+ 		}

SOURCES/gnutls-3.3.26-pin-value.patch

@@ -0,0 +1,662 @@
+diff --git a/configure.ac b/configure.ac
+index 0840042..c9c9fdc 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -447,6 +447,9 @@ if test "$with_p11_kit" != "no"; then
+ 		if ! $PKG_CONFIG --atleast-version=0.22.0 p11-kit-1; then
+ 			with_buggy_p11_kit=yes
+ 		fi
++		if $PKG_CONFIG --atleast-version=0.23.1 p11-kit-1; then
++			AC_DEFINE([P11_KIT_HAS_PIN_VALUE], 1, [p11-kit supports p11_kit_uri_get_pin_value()])
++		fi
+ 	else
+ 	        with_p11_kit=no
+ 	        AC_MSG_WARN([[
+diff --git a/lib/pkcs11.c b/lib/pkcs11.c
+index f5cf99d..26d88e5 100644
+--- a/lib/pkcs11.c
++++ b/lib/pkcs11.c
+@@ -2367,6 +2367,25 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
+ 
+ 	*pin = NULL;
+ 
++#ifdef P11_KIT_HAS_PIN_VALUE
++	/* First check for pin-value field */
++	pinfile = p11_kit_uri_get_pin_value(info);
++	if (pinfile != NULL) {
++		_gnutls_debug_log("p11: Using pin-value to retrieve PIN\n");
++		*pin = p11_kit_pin_new_for_string(pinfile);
++		if (*pin != NULL)
++			ret = 0;
++	} else { /* try pin-source */
++		/* Check if a pinfile is specified, and use that if possible */
++		pinfile = p11_kit_uri_get_pin_source(info);
++		if (pinfile != NULL) {
++			_gnutls_debug_log("p11: Using pin-source to retrieve PIN\n");
++			ret =
++			    retrieve_pin_from_source(pinfile, token_info, attempts,
++						     user_type, pin);
++		}
++	}
++#else
+ 	/* Check if a pinfile is specified, and use that if possible */
+ 	pinfile = p11_kit_uri_get_pinfile(info);
+ 	if (pinfile != NULL) {
+@@ -2375,6 +2394,7 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
+ 		    retrieve_pin_from_source(pinfile, token_info, attempts,
+ 					     user_type, pin);
+ 	}
++#endif
+ 
+ 	/* The global gnutls pin callback */
+ 	if (ret < 0)
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 5b60899..20ed79c 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -36,7 +36,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h test-chains.h \
+ 	certs/cert-rsa-2432.pem certs/ecc384.pem certs/ecc.pem \
+ 	certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \
+ 	certs/ecc521.pem certs/rsa-2432.pem x509cert-dir/ca.pem \
+-	cert-common.h pkcs11/softhsm.h
++	cert-common.h pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c
+ 
+ AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
+ AM_CPPFLAGS = \
+@@ -113,7 +113,8 @@ pkcs11_import_url_privkey_LDADD = $(LDADD) $(LIBDL)
+ 
+ ctests += pkcs11-cert-import-url-exts pkcs11-get-exts pkcs11-get-raw-issuer-exts \
+ 	pkcs11/pkcs11-chainverify pkcs11/pkcs11-get-issuer pkcs11/pkcs11-is-known \
+-	pkcs11/pkcs11-combo pkcs11-import-url-privkey
++	pkcs11/pkcs11-combo pkcs11-import-url-privkey pkcs11/pkcs11-pubkey-import-rsa \
++	pkcs11/pkcs11-import-with-pin
+ 
+ endif
+ endif
+diff --git a/tests/pkcs11/pkcs11-import-with-pin.c b/tests/pkcs11/pkcs11-import-with-pin.c
+new file mode 100644
+index 0000000..e435919
+--- /dev/null
++++ b/tests/pkcs11/pkcs11-import-with-pin.c
+@@ -0,0 +1,198 @@
++/*
++ * Copyright (C) 2017 Red Hat, Inc.
++ *
++ * Author: Nikos Mavrogiannopoulos
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <assert.h>
++#include <unistd.h>
++
++#include <gnutls/gnutls.h>
++#include <gnutls/x509.h>
++#include <gnutls/abstract.h>
++
++#include "../utils.h"
++#include "softhsm.h"
++
++/* Tests whether a protected object is imported with PIN obtained using
++ * pin-value or pin-source. */
++
++#define CONFIG_NAME "softhsm-import-with-pin"
++#define CONFIG CONFIG_NAME".config"
++
++#include "../cert-common.h"
++
++#define PIN "1234"
++
++static const gnutls_datum_t testdata = {(void*)"test test", 9};
++
++static void tls_log_func(int level, const char *str)
++{
++	fprintf(stderr, "|<%d>| %s", level, str);
++}
++
++static
++int pin_func(void* userdata, int attempt, const char* url, const char *label,
++		unsigned flags, char *pin, size_t pin_max)
++{
++	if (attempt == 0) {
++		strcpy(pin, PIN);
++		return 0;
++	}
++	return -1;
++}
++
++static void write_pin(const char *file, const char *pin)
++{
++	FILE *fp = fopen(file, "w");
++	assert(fp != NULL);
++	fputs(pin, fp);
++	fclose(fp);
++}
++
++void doit()
++{
++	char buf[512];
++	int ret, pk;
++	const char *lib, *bin;
++	gnutls_x509_privkey_t key;
++	gnutls_datum_t tmp, sig;
++	gnutls_privkey_t pkey;
++	char file[TMPNAME_SIZE];
++
++#ifndef P11_KIT_HAS_PIN_VALUE
++	exit(77);
++#endif
++
++	bin = softhsm_bin();
++
++	lib = softhsm_lib();
++
++	ret = global_init();
++	if (ret != 0) {
++		fail("%d: %s\n", ret, gnutls_strerror(ret));
++		exit(1);
++	}
++
++	gnutls_pkcs11_set_pin_function(pin_func, NULL);
++	gnutls_global_set_log_function(tls_log_func);
++	if (debug)
++		gnutls_global_set_log_level(4711);
++
++	set_softhsm_conf(CONFIG);
++	snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin);
++	system(buf);
++
++	ret = gnutls_pkcs11_add_provider(lib, "trusted");
++	if (ret < 0) {
++		fprintf(stderr, "add_provider: %s\n",
++			gnutls_strerror(ret));
++		exit(1);
++	}
++
++	ret = gnutls_x509_privkey_init(&key);
++	if (ret < 0) {
++		fprintf(stderr,
++			"gnutls_x509_privkey_init: %s\n",
++			gnutls_strerror(ret));
++		exit(1);
++	}
++
++	ret =
++	    gnutls_x509_privkey_import(key, &server_key,
++				   GNUTLS_X509_FMT_PEM);
++	if (ret < 0) {
++		fprintf(stderr,
++			"gnutls_x509_privkey_import: %s\n",
++			gnutls_strerror(ret));
++			exit(1);
++	}
++
++	/* initialize softhsm token */
++	ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test");
++	if (ret < 0) {
++		fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret));
++		exit(1);
++	}
++
++	ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, GNUTLS_PIN_USER);
++	if (ret < 0) {
++		fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret));
++		exit(1);
++	}
++
++	ret = gnutls_pkcs11_copy_x509_privkey(SOFTHSM_URL, key, "cert", GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT,
++					      GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE|GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE|GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
++	if (ret < 0) {
++		fail("gnutls_pkcs11_copy_x509_privkey: %s\n", gnutls_strerror(ret));
++		exit(1);
++	}
++
++	gnutls_x509_privkey_deinit(key);
++	gnutls_pkcs11_set_pin_function(NULL, NULL);
++
++	assert(gnutls_privkey_init(&pkey) == 0);
++
++	/* Test 1
++	 * Try importing with pin-value */
++	ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN);
++	if (ret < 0) {
++		fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret));
++		exit(1);
++	}
++
++	/* check whether privkey is operational by signing */
++	assert(gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA256, 0, &testdata, &sig) == 0);
++	gnutls_free(sig.data);
++	gnutls_privkey_deinit(pkey);
++
++	/* Test 2
++	 * Try importing with pin-source */
++	track_temp_files();
++	get_tmpname(file);
++
++	write_pin(file, PIN);
++
++
++	assert(gnutls_privkey_init(&pkey) == 0);
++	snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file);
++	ret = gnutls_privkey_import_pkcs11_url(pkey, buf);
++	if (ret < 0) {
++		fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret));
++		exit(1);
++	}
++
++	/* check whether privkey is operational by signing */
++	assert(gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA256, 0, &testdata, &sig) == 0);
++	gnutls_free(sig.data);
++	gnutls_privkey_deinit(pkey);
++
++	gnutls_global_deinit();
++	delete_temp_files();
++
++	remove(CONFIG);
++}
++
+diff --git a/tests/pkcs11/pkcs11-pubkey-import-rsa.c b/tests/pkcs11/pkcs11-pubkey-import-rsa.c
+new file mode 100644
+index 0000000..d304c4f
+--- /dev/null
++++ b/tests/pkcs11/pkcs11-pubkey-import-rsa.c
+@@ -0,0 +1,41 @@
++/*
++ * Copyright (C) 2015 Nikos Mavrogiannopoulos
++ *
++ * Author: Nikos Mavrogiannopoulos
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++
++#define CONFIG_NAME "softhsm-pubkey-import-rsa"
++#define CONFIG CONFIG_NAME".config"
++
++#include "pkcs11-pubkey-import.c"
++
++void doit(void)
++{
++	success("Testing RSA key\n");
++	try(1);
++}
+diff --git a/tests/pkcs11/pkcs11-pubkey-import.c b/tests/pkcs11/pkcs11-pubkey-import.c
+new file mode 100644
+index 0000000..7513aad
+--- /dev/null
++++ b/tests/pkcs11/pkcs11-pubkey-import.c
+@@ -0,0 +1,220 @@
++/*
++ * Copyright (C) 2015 Nikos Mavrogiannopoulos
++ *
++ * Author: Nikos Mavrogiannopoulos
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <assert.h>
++#include <unistd.h>
++
++#include <gnutls/gnutls.h>
++#include <gnutls/x509.h>
++#include <gnutls/abstract.h>
++
++#include "../utils.h"
++#include "softhsm.h"
++
++/* Tests whether gnutls_pubkey_import_privkey works well for 
++ * RSA keys under PKCS #11 */
++
++
++#include "../cert-common.h"
++
++#define PIN "1234"
++
++static const gnutls_datum_t testdata = {(void*)"test test", 9};
++
++static void tls_log_func(int level, const char *str)
++{
++	fprintf(stderr, "|<%d>| %s", level, str);
++}
++
++static
++int pin_func(void* userdata, int attempt, const char* url, const char *label,
++		unsigned flags, char *pin, size_t pin_max)
++{
++	if (attempt == 0) {
++		strcpy(pin, PIN);
++		return 0;
++	}
++	return -1;
++}
++
++static void try(int rsa)
++{
++	char buf[128];
++	int ret, pk;
++	const char *lib, *bin;
++	gnutls_x509_crt_t crt;
++	gnutls_x509_privkey_t key;
++	gnutls_datum_t tmp, sig;
++	gnutls_privkey_t pkey;
++	gnutls_pubkey_t pubkey;
++	gnutls_pubkey_t pubkey2;
++
++#ifndef P11_KIT_HAS_PIN_VALUE
++	exit(77);
++#endif
++
++	bin = softhsm_bin();
++
++	lib = softhsm_lib();
++
++	ret = global_init();
++	if (ret != 0) {
++		fail("%d: %s\n", ret, gnutls_strerror(ret));
++		exit(1);
++	}
++
++	gnutls_pkcs11_set_pin_function(pin_func, NULL);
++	gnutls_global_set_log_function(tls_log_func);
++	if (debug)
++		gnutls_global_set_log_level(4711);
++
++	set_softhsm_conf(CONFIG);
++	snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin);
++	system(buf);
++
++	ret = gnutls_pkcs11_add_provider(lib, "trusted");
++	if (ret < 0) {
++		fprintf(stderr, "gnutls_x509_crt_init: %s\n",
++			gnutls_strerror(ret));
++		exit(1);
++	}
++
++	ret = gnutls_x509_crt_init(&crt);
++	if (ret < 0) {
++		fprintf(stderr,
++			"gnutls_x509_crt_init: %s\n",
++			gnutls_strerror(ret));
++		exit(1);
++	}
++
++	ret =
++	    gnutls_x509_crt_import(crt, rsa?&server_cert:&server_ecc_cert,
++				   GNUTLS_X509_FMT_PEM);
++	if (ret < 0) {
++		fprintf(stderr,
++			"gnutls_x509_crt_import: %s\n",
++			gnutls_strerror(ret));
++			exit(1);
++	}
++
++	if (debug) {
++		gnutls_x509_crt_print(crt,
++			      GNUTLS_CRT_PRINT_ONELINE,
++			      &tmp);
++
++		printf("\tCertificate: %.*s\n",
++		       tmp.size, tmp.data);
++		gnutls_free(tmp.data);
++	}
++
++	ret = gnutls_x509_privkey_init(&key);
++	if (ret < 0) {
++		fprintf(stderr,
++			"gnutls_x509_privkey_init: %s\n",
++			gnutls_strerror(ret));
++		exit(1);
++	}
++
++	ret =
++	    gnutls_x509_privkey_import(key, rsa?&server_key:&server_ecc_key,
++				   GNUTLS_X509_FMT_PEM);
++	if (ret < 0) {
++		fprintf(stderr,
++			"gnutls_x509_privkey_import: %s\n",
++			gnutls_strerror(ret));
++			exit(1);
++	}
++
++	/* initialize softhsm token */
++	ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test");
++	if (ret < 0) {
++		fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret));
++		exit(1);
++	}
++
++	ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, GNUTLS_PIN_USER);
++	if (ret < 0) {
++		fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret));
++		exit(1);
++	}
++
++	ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, crt, "cert",
++					  GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE|GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
++	if (ret < 0) {
++		fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret));
++		exit(1);
++	}
++
++	ret = gnutls_pkcs11_copy_x509_privkey(SOFTHSM_URL, key, "cert", GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT,
++					      GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE|GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE|GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
++	if (ret < 0) {
++		fail("gnutls_pkcs11_copy_x509_privkey: %s\n", gnutls_strerror(ret));
++		exit(1);
++	}
++
++	gnutls_x509_crt_deinit(crt);
++	gnutls_x509_privkey_deinit(key);
++	gnutls_pkcs11_set_pin_function(NULL, NULL);
++
++	assert(gnutls_privkey_init(&pkey) == 0);
++
++	ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN);
++	if (ret < 0) {
++		fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret));
++		exit(1);
++	}
++
++	assert(gnutls_pubkey_init(&pubkey) == 0);
++	assert(gnutls_pubkey_import_privkey(pubkey, pkey, 0, 0) == 0);
++
++	pk = gnutls_pubkey_get_pk_algorithm(pubkey, NULL);
++
++	/* check whether privkey and pubkey are operational
++	 * by signing and verifying */
++	assert(gnutls_privkey_sign_data(pkey, GNUTLS_DIG_SHA256, 0, &testdata, &sig) == 0);
++
++	/* verify against the raw pubkey */
++	assert(gnutls_pubkey_init(&pubkey2) == 0);
++	assert(gnutls_pubkey_import_x509_raw(pubkey2, rsa?&server_cert:&server_ecc_cert, GNUTLS_X509_FMT_PEM, 0) == 0);
++	assert(gnutls_pubkey_verify_data2(pubkey2, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA256), 0, &testdata, &sig) >= 0);
++
++	/* verify against the pubkey in PKCS #11 */
++	assert(gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(pk, GNUTLS_DIG_SHA256), 0, &testdata, &sig) >= 0);
++
++	gnutls_free(sig.data);
++
++	gnutls_pubkey_deinit(pubkey2);
++	gnutls_pubkey_deinit(pubkey);
++	gnutls_privkey_deinit(pkey);
++
++	gnutls_global_deinit();
++
++	remove(CONFIG);
++}
++
+diff --git a/tests/utils.c b/tests/utils.c
+index 65ceafd..37345a6 100644
+--- a/tests/utils.c
++++ b/tests/utils.c
+@@ -30,6 +30,7 @@
+ #include <time.h>
+ #include <unistd.h>
+ #include <errno.h>
++#include <assert.h>
+ #ifndef _WIN32
+ # include <netinet/in.h>
+ # include <sys/socket.h>
+@@ -39,6 +40,8 @@
+ # include <winbase.h>  
+ #endif
+ #endif
++#include <gnutls/gnutls.h>
++#include <gnutls/crypto.h>
+ 
+ #include "utils.h"
+ 
+@@ -183,3 +186,74 @@ int main(int argc, char *argv[])
+ 
+ 	return error_count ? 1 : 0;
+ }
++
++struct tmp_file_st {
++	char file[TMPNAME_SIZE];
++	struct tmp_file_st *next;
++};
++
++static struct tmp_file_st *temp_files = (void*)-1;
++
++static void append(const char *file)
++{
++	struct tmp_file_st *p;
++
++	if (temp_files == (void*)-1)
++		return;
++
++	p = calloc(1, sizeof(*p));
++
++	assert(p != NULL);
++	strcpy(p->file, file);
++	p->next = temp_files;
++	temp_files = p;
++}
++
++char *get_tmpname(char s[TMPNAME_SIZE])
++{
++	unsigned char rnd[6];
++	static char _s[TMPNAME_SIZE];
++	int ret;
++	char *p;
++	const char *path;
++
++	ret = gnutls_rnd(GNUTLS_RND_NONCE, rnd, sizeof(rnd));
++	if (ret < 0)
++		return NULL;
++
++	path = getenv("builddir");
++	if (path == NULL)
++		path = ".";
++
++	if (s == NULL)
++		p = _s;
++	else
++		p = s;
++
++	snprintf(p, TMPNAME_SIZE, "%s/tmpfile-%02x%02x%02x%02x%02x%02x.tmp", path, (unsigned)rnd[0], (unsigned)rnd[1],
++		(unsigned)rnd[2], (unsigned)rnd[3], (unsigned)rnd[4], (unsigned)rnd[5]);
++
++	append(p);
++
++	return p;
++}
++
++void track_temp_files(void)
++{
++	temp_files = NULL;
++}
++
++void delete_temp_files(void)
++{
++	struct tmp_file_st *p = temp_files;
++	struct tmp_file_st *next;
++
++	if (p == (void*)-1)
++		return;
++
++	while(p != NULL) {
++		next = p->next;
++		free(p);
++		p = next;
++	}
++}
+diff --git a/tests/utils.h b/tests/utils.h
+index 8f3ac3f..5c0afe7 100644
+--- a/tests/utils.h
++++ b/tests/utils.h
+@@ -61,4 +61,9 @@ extern void binprint(const void *str, size_t len);
+ extern void doit(void);
+ void sec_sleep(int sec);
+ 
++#define TMPNAME_SIZE 128
++char *get_tmpname(char s[TMPNAME_SIZE]);
++void track_temp_files(void);
++void delete_temp_files(void);
++
+ #endif				/* UTILS_H */

SOURCES/gnutls-3.3.26-remove-status-req-ext-parsing.patch

@@ -0,0 +1,110 @@
+diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
+index 8cefc61..c7c065e 100644
+--- a/lib/ext/status_request.c
++++ b/lib/ext/status_request.c
+@@ -1,5 +1,6 @@
+ /*
+- * Copyright (C) 2012 Free Software Foundation, Inc.
++ * Copyright (C) 2012-2017 Free Software Foundation, Inc.
++ * Copyright (C) 2017 Red Hat, Inc.
+  *
+  * Author: Simon Josefsson, Nikos Mavrogiannopoulos
+  *
+@@ -66,18 +67,6 @@ typedef struct {
+       opaque Extensions<0..2^16-1>;
+ */
+ 
+-static void deinit_responder_id(status_request_ext_st *priv)
+-{
+-unsigned i;
+-
+-	for (i = 0; i < priv->responder_id_size; i++)
+-		gnutls_free(priv->responder_id[i].data);
+-
+-	gnutls_free(priv->responder_id);
+-	priv->responder_id = NULL;
+-	priv->responder_id_size = 0;
+-}
+-
+ 
+ static int
+ client_send(gnutls_session_t session,
+@@ -132,8 +121,8 @@ server_recv(gnutls_session_t session,
+ 	    status_request_ext_st * priv,
+ 	    const uint8_t * data, size_t size)
+ {
+-	size_t i;
+ 	ssize_t data_size = size;
++	unsigned rid_bytes = 0;
+ 
+ 	/* minimum message is type (1) + responder_id_list (2) +
+ 	   request_extension (2) = 5 */
+@@ -152,43 +141,17 @@ server_recv(gnutls_session_t session,
+ 	DECR_LEN(data_size, 1);
+ 	data++;
+ 
+-	priv->responder_id_size = _gnutls_read_uint16(data);
++	rid_bytes = _gnutls_read_uint16(data);
+ 
+ 	DECR_LEN(data_size, 2);
+-	data += 2;
++	/*data += 2;*/
+ 
+-	if (data_size <= (ssize_t) (priv->responder_id_size * 2))
++	/* sanity check only, we don't use any of the data below */
++
++	if (data_size < (ssize_t)rid_bytes)
+ 		return
+ 		    gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ 
+-	if (priv->responder_id != NULL)
+-		deinit_responder_id(priv);
+-
+-	priv->responder_id = gnutls_calloc(1, priv->responder_id_size
+-					   * sizeof(*priv->responder_id));
+-	if (priv->responder_id == NULL)
+-		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+-
+-	for (i = 0; i < priv->responder_id_size; i++) {
+-		size_t l;
+-
+-		DECR_LEN(data_size, 2);
+-
+-		l = _gnutls_read_uint16(data);
+-		data += 2;
+-
+-		DECR_LEN(data_size, l);
+-
+-		priv->responder_id[i].data = gnutls_malloc(l);
+-		if (priv->responder_id[i].data == NULL)
+-			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+-
+-		memcpy(priv->responder_id[i].data, data, l);
+-		priv->responder_id[i].size = l;
+-
+-		data += l;
+-	}
+-
+ 	return 0;
+ }
+ 
+@@ -472,11 +435,18 @@ gnutls_certificate_set_ocsp_status_request_file
+ static void _gnutls_status_request_deinit_data(extension_priv_data_t epriv)
+ {
+ 	status_request_ext_st *priv = epriv.ptr;
++	unsigned i;
+ 
+ 	if (priv == NULL)
+ 		return;
+ 
+-	deinit_responder_id(priv);
++	if (priv->responder_id != NULL) {
++		for (i = 0; i < priv->responder_id_size; i++)
++			gnutls_free(priv->responder_id[i].data);
++
++		gnutls_free(priv->responder_id);
++	}
++
+ 	gnutls_free(priv->request_extensions.data);
+ 	gnutls_free(priv->response.data);
+ 	gnutls_free(priv);

SOURCES/gnutls-3.3.26-set-unique-id-tests.patch

@@ -0,0 +1,316 @@
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 20ed79c..0d72707 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -88,7 +88,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid	\
+ 	 long-session-id mini-x509-callbacks-intr \
+ 	 crlverify init_fds mini-rehandshake-2 sign-md5-rep global-init-override \
+ 	 version-checks mini-server-name naked-alerts multi-alerts \
+-	 pkcs8-key-decode-encrypted pkcs8-key-decode
++	 pkcs8-key-decode-encrypted pkcs8-key-decode crt_apis
+ 
+ if ENABLE_PKCS11
+ if !HAVE_BUGGY_P11_KIT
+diff --git a/tests/crt_apis.c b/tests/crt_apis.c
+new file mode 100644
+index 0000000..ad183d7
+--- /dev/null
++++ b/tests/crt_apis.c
+@@ -0,0 +1,297 @@
++/*
++ * Copyright (C) 2008-2016 Free Software Foundation, Inc.
++ * Copyright (C) 2016 Red Hat, Inc.
++ *
++ * Author: Nikos Mavrogiannopoulos
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdlib.h>
++#include <stdio.h>
++#include <time.h>
++#include <string.h>
++#include <gnutls/gnutls.h>
++#include <gnutls/x509.h>
++#include <assert.h>
++
++#include "utils.h"
++
++#include "cert-common.h"
++
++static unsigned char saved_crt_pem[] =
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIICMTCCAZqgAwIBAgIDChEAMA0GCSqGSIb3DQEBCwUAMCsxDjAMBgNVBAMTBW5p\n"
++	"a29zMRkwFwYDVQQKExBub25lIHRvLCBtZW50aW9uMCAXDTA4MDMzMTIyMDAwMFoY\n"
++	"Dzk5OTkxMjMxMjM1OTU5WjArMQ4wDAYDVQQDEwVuaWtvczEZMBcGA1UEChMQbm9u\n"
++	"ZSB0bywgbWVudGlvbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu2ZD9fLF\n"
++	"17aMzMXf9Yg7sclLag6hrSBQQAiAoU9co9D4bM/mPPfsBHYTF4tkiSJbwN1TfDvt\n"
++	"fAS7gLkovo6bxo6gpRLL9Vceoue7tzNJn+O7Sq5qTWj/yRHiMo3OPYALjXXv2ACB\n"
++	"jygEA6AijWEEB/q2N30hB0nSCWFpmJCjWKkCAwEAAYEFAAABAgOCBQAEAwIBo1Mw\n"
++	"UTAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAwDgYDVR0RBAcwBYIDYXBh\n"
++	"MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsF\n"
++	"AAOBgQAFhjKULYgLWW9TmfqIdyKf+kr5zFaQnIlF0tuUcE9lq4am9NKUVuxn4yo2\n"
++	"AFePiZWksrLN8PvujOK+duJ5nljF3xXwF0Z/J83NzNa1buMafuBonTJTFQQQkoGK\n"
++	"6sN+hxb6qWBjZcyQflMeG5eMJC2b57Lao4IDLSHx+mo91fvKuw==\n"
++	"-----END CERTIFICATE-----\n";
++
++const gnutls_datum_t saved_crt = { saved_crt_pem, sizeof(saved_crt_pem)-1 };
++
++static void tls_log_func(int level, const char *str)
++{
++	fprintf(stderr, "|<%d>| %s", level, str);
++}
++
++static time_t mytime(time_t * t)
++{
++	time_t then = 1207000800;
++
++	if (t)
++		*t = then;
++
++	return then;
++}
++
++void doit(void)
++{
++	gnutls_x509_privkey_t pkey;
++	gnutls_x509_crt_t crt;
++	gnutls_x509_crt_t crt2;
++	const char *err = NULL;
++	unsigned char buf[64];
++	gnutls_datum_t out;
++	size_t s = 0;
++	int ret;
++
++	ret = global_init();
++	if (ret < 0)
++		fail("global_init\n");
++
++	gnutls_global_set_time_function(mytime);
++	gnutls_global_set_log_function(tls_log_func);
++	if (debug)
++		gnutls_global_set_log_level(4711);
++
++	ret = gnutls_x509_crt_init(&crt);
++	if (ret != 0)
++		fail("gnutls_x509_crt_init\n");
++
++	ret = gnutls_x509_crt_init(&crt2);
++	if (ret != 0)
++		fail("gnutls_x509_crt_init\n");
++
++	ret = gnutls_x509_crt_import(crt2, &server_ecc_cert, GNUTLS_X509_FMT_PEM);
++	if (ret != 0)
++		fail("gnutls_x509_crt_import\n");
++
++	ret = gnutls_x509_privkey_init(&pkey);
++	if (ret != 0)
++		fail("gnutls_x509_privkey_init\n");
++
++	ret = gnutls_x509_privkey_import(pkey, &key_dat, GNUTLS_X509_FMT_PEM);
++	if (ret != 0)
++		fail("gnutls_x509_privkey_import\n");
++
++	/* Setup CRT */
++
++	ret = gnutls_x509_crt_set_version(crt, 3);
++	if (ret != 0)
++		fail("gnutls_x509_crt_set_version\n");
++
++	ret = gnutls_x509_crt_set_serial(crt, "\x0a\x11\x00", 3);
++	if (ret != 0)
++		fail("gnutls_x509_crt_set_serial\n");
++
++	ret = gnutls_x509_crt_set_expiration_time(crt, -1);
++	if (ret != 0)
++		fail("error\n");
++
++	ret = gnutls_x509_crt_set_activation_time(crt, mytime(0));
++	if (ret != 0)
++		fail("error\n");
++
++	ret = gnutls_x509_crt_set_key(crt, pkey);
++	if (ret != 0)
++		fail("gnutls_x509_crt_set_key\n");
++
++	ret = gnutls_x509_crt_set_basic_constraints(crt, 0, -1);
++	if (ret < 0) {
++		fail("error\n");
++	}
++
++	ret = gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE);
++	if (ret != 0)
++		fail("gnutls_x509_crt_set_key_usage %d\n", ret);
++
++	ret = gnutls_x509_crt_set_dn(crt, "cn = nikos,o = none to\\, mention", &err);
++	if (ret < 0) {
++		fail("gnutls_x509_crt_set_dn: %s, %s\n", gnutls_strerror(ret), err);
++	}
++
++
++	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
++						   "foo", 3, 1);
++	if (ret != 0)
++		fail("gnutls_x509_crt_set_subject_alt_name\n");
++
++	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME,
++						   "foo@bar.org", strlen("foo@bar.org"), 1);
++	if (ret != 0)
++		fail("gnutls_x509_crt_set_subject_alt_name\n");
++
++	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS,
++						   "\xc1\x5c\x96\x3", 4, 1);
++	if (ret != 0)
++		fail("gnutls_x509_crt_set_subject_alt_name\n");
++
++	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS,
++						   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16, 1);
++	if (ret != 0)
++		fail("gnutls_x509_crt_set_subject_alt_name\n");
++
++	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
++						   "apa", 3, 0);
++	if (ret != 0)
++		fail("gnutls_x509_crt_set_subject_alt_name\n");
++
++	s = 0;
++	ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL);
++	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++		fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret);
++
++	s = 0;
++	ret =
++	    gnutls_x509_crt_set_key_purpose_oid(crt,
++						GNUTLS_KP_TLS_WWW_SERVER,
++						0);
++	if (ret != 0)
++		fail("gnutls_x509_crt_set_key_purpose_oid %d\n", ret);
++
++	s = 0;
++	ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL);
++	if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
++		fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret);
++
++	s = 0;
++	ret =
++	    gnutls_x509_crt_set_key_purpose_oid(crt,
++						GNUTLS_KP_TLS_WWW_CLIENT,
++						1);
++	if (ret != 0)
++		fail("gnutls_x509_crt_set_key_purpose_oid2 %d\n", ret);
++
++	/* in the end this will be ignored as the issuer will be set
++	 * by gnutls_x509_crt_sign2() */
++	ret = gnutls_x509_crt_set_issuer_dn(crt, "o = big\\, and one, cn = my CA", &err);
++	if (ret < 0) {
++		fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n", gnutls_strerror(ret), err);
++	}
++
++#define ISSUER_UNIQUE_ID "\x00\x01\x02\x03"
++#define SUBJECT_UNIQUE_ID "\x04\x03\x02\x01"
++	ret = gnutls_x509_crt_set_issuer_unique_id(crt, ISSUER_UNIQUE_ID, sizeof(ISSUER_UNIQUE_ID)-1);
++	if (ret < 0)
++		fail("error: %s\n", gnutls_strerror(ret));
++
++	ret = gnutls_x509_crt_set_subject_unique_id(crt, SUBJECT_UNIQUE_ID, sizeof(SUBJECT_UNIQUE_ID)-1);
++	if (ret < 0)
++		fail("error: %s\n", gnutls_strerror(ret));
++
++	/* Sign and finalize the certificate */
++	ret = gnutls_x509_crt_sign2(crt, crt, pkey, GNUTLS_DIG_SHA256, 0);
++	if (ret < 0)
++		fail("gnutls_x509_crt_sign2: %s\n", gnutls_strerror(ret));
++
++
++	ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out);
++	if (ret != 0)
++		fail("gnutls_x509_crt_print\n");
++	if (debug)
++		printf("crt: %.*s\n", out.size, out.data);
++	gnutls_free(out.data);
++
++	/* Verify whether selected input is present */
++	s = 0;
++	ret = gnutls_x509_crt_get_extension_info(crt, 0, NULL, &s, NULL);
++	if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
++		fail("gnutls_x509_crt_get_extension_info2: %s\n", strerror(ret));
++
++	s = 0;
++	ret = gnutls_x509_crt_get_extension_data(crt, 0, NULL, &s);
++	if (ret != 0)
++		fail("gnutls_x509_crt_get_extension_data: %s\n", strerror(ret));
++
++	ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &out);
++	if (ret < 0 || out.size == 0)
++		fail("gnutls_x509_crt_get_raw_issuer_dn: %s\n", gnutls_strerror(ret));
++
++	if (out.size != 45 ||
++	    memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) {
++		hexprint(out.data, out.size);
++		fail("issuer DN comparison failed\n");
++	}
++	gnutls_free(out.data);
++
++	s = sizeof(buf);
++	ret = gnutls_x509_crt_get_issuer_unique_id(crt, (void*)buf, &s);
++	if (ret < 0)
++		fail("error: %s\n", gnutls_strerror(ret));
++
++	if (s != sizeof(ISSUER_UNIQUE_ID)-1 ||
++		memcmp(buf, ISSUER_UNIQUE_ID, s) != 0) {
++		fail("issuer unique id comparison failed\n");
++	}
++
++	s = sizeof(buf);
++	ret = gnutls_x509_crt_get_subject_unique_id(crt, (void*)buf, &s);
++	if (ret < 0)
++		fail("error: %s\n", gnutls_strerror(ret));
++
++	if (s != sizeof(SUBJECT_UNIQUE_ID)-1 ||
++		memcmp(buf, SUBJECT_UNIQUE_ID, s) != 0) {
++		fail("subject unique id comparison failed\n");
++	}
++
++	ret = gnutls_x509_crt_get_raw_dn(crt, &out);
++	if (ret < 0 || out.size == 0)
++		fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret));
++
++	if (out.size != 45 ||
++	    memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) {
++		fail("DN comparison failed\n");
++	}
++	gnutls_free(out.data);
++
++	assert(gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_PEM, &out) >= 0);
++
++	if (debug)
++		fprintf(stderr, "%s\n", out.data);
++	assert(out.size == saved_crt.size);
++	assert(memcmp(out.data, saved_crt.data, out.size)==0);
++
++	gnutls_free(out.data);
++
++	gnutls_x509_crt_deinit(crt);
++	gnutls_x509_crt_deinit(crt2);
++	gnutls_x509_privkey_deinit(pkey);
++
++	gnutls_global_deinit();
++}

SOURCES/gnutls-3.3.8-fips-key.patch

@@ -0,0 +1,12 @@
+diff -ur gnutls-3.3.8b1.orig/lib/fips.c gnutls-3.3.8b1/lib/fips.c
+--- gnutls-3.3.8b1.orig/lib/fips.c	2014-09-03 16:53:13.000000000 +0200
++++ gnutls-3.3.8b1/lib/fips.c	2014-09-04 17:11:26.825733730 +0200
+@@ -97,7 +97,7 @@
+ #define HOGWEED_LIBRARY_NAME "libhogweed.so.2"
+ #define GMP_LIBRARY_NAME "libgmp.so.10"
+ 
+-static const char fips_key[] = "I'd rather be skiing";
++static const char fips_key[] = "orboDeJITITejsirpADONivirpUkvarP";
+ 
+ #define HMAC_SUFFIX ".hmac"
+ #define HMAC_SIZE 32

SOURCES/gnutls-3.3.8-padlock-disable.patch

@@ -0,0 +1,22 @@
+diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
+index cc67b08..e730ba0 100644
+--- a/lib/accelerated/x86/x86-common.c
++++ b/lib/accelerated/x86/x86-common.c
+@@ -37,6 +37,7 @@
+ # include <sha-padlock.h>
+ #endif
+ #include <aes-padlock.h>
++#include <fips.h>
+ 
+ /* ebx, ecx, edx 
+  * This is a format compatible with openssl's CPUID detection.
+@@ -581,7 +582,8 @@ void register_x86_crypto(void)
+ 	
+ 	register_x86_intel_crypto(capabilities);
+ #ifdef ENABLE_PADLOCK
+-	register_x86_padlock_crypto(capabilities);
++	if (_gnutls_fips_mode_enabled() != 1)
++		register_x86_padlock_crypto(capabilities);
+ #endif
+ }
+ 

SOURCES/hobble-gnutls

@@ -0,0 +1,15 @@
+#!/bin/sh
+set -x
+
+if [ "$1" = "-e" ] ; then
+    CMD="cat < /dev/null >"
+else
+    CMD="rm -f"
+fi
+
+# SRP
+for f in auth/srp_sb64.c auth/srp_passwd.c auth/srp_rsa.c \
+    gnutls_srp.c auth/srp.c ext/srp.c ; do
+    eval "$CMD lib/$f"
+done
+

SOURCES/libgnutls-config

@@ -0,0 +1,91 @@
+#!/bin/sh
+
+prefix=/usr
+exec_prefix=/usr
+exec_prefix_set=no
+
+name=`basename $0`
+name=${name#lib}
+name=${name%-config}
+
+libs=`pkg-config --libs $name`
+cflags=`pkg-config --cflags $name`
+version=`pkg-config --modversion $name`
+
+usage()
+{
+
+echo Usage: lib$name-config [OPTIONS]
+	cat <<EOF
+Options:
+	[--prefix[=DIR]]
+	[--exec-prefix[=DIR]]
+	[--version]
+	[--libs]
+	[--cflags]
+EOF
+	exit $1
+}
+
+if test $# -eq 0; then
+	usage 1 1>&2
+fi
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      if test $exec_prefix_set = no ; then
+	exec_prefix=$optarg
+      fi
+      ;;
+    --prefix)
+      echo_prefix=yes
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      exec_prefix_set=yes
+      ;;
+    --exec-prefix)
+      echo_exec_prefix=yes
+      ;;
+    --version)
+      echo $version
+      exit 0
+      ;;
+    --cflags)
+      echo_cflags=yes
+      ;;
+    --libs)
+      echo_libs=yes
+      ;;
+    --help)
+      usage 0
+      ;;
+    *)
+      usage 1 1>&2
+      ;;
+  esac
+  shift
+done
+
+if test "$echo_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$echo_cflags" = "yes"; then
+    echo $cflags
+fi
+
+if test "$echo_libs" = "yes"; then
+    echo $libs
+fi

SPECS/gnutls.spec

@@ -0,0 +1,790 @@
+%bcond_without dane
+%bcond_with guile
+Summary: A TLS protocol implementation
+Name: gnutls
+Version: 3.3.26
+Release: 9%{?dist}
+# The libraries are LGPLv2.1+, utilities are GPLv3+
+License: GPLv3+ and LGPLv2+
+Group: System Environment/Libraries
+BuildRequires: p11-kit-devel >= 0.23.1, gettext
+BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 3.8
+BuildRequires: libtool, automake, autoconf, texinfo
+BuildRequires: autogen-libopts-devel >= 5.18 autogen gettext-devel
+BuildRequires: nettle-devel >= 2.7.1
+BuildRequires: trousers-devel >= 0.3.11.2
+BuildRequires: libidn-devel
+BuildRequires: gperf
+BuildRequires: fipscheck
+BuildRequires: softhsm, net-tools
+Requires: p11-kit-trust
+# The automatic dependency on libtasn1 and p11-kit is insufficient,
+Requires: libtasn1 >= 3.9
+Requires: p11-kit >= 0.23.1
+Requires: trousers >= 0.3.11.2
+%if %{with dane}
+BuildRequires: unbound-devel unbound-libs
+%endif
+%if %{with guile}
+BuildRequires: guile-devel
+%endif
+URL: http://www.gnutls.org/
+#Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/%{name}-%{version}.tar.xz
+#Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/%{name}-%{version}.tar.xz.sig
+# XXX patent tainted code removed.
+Source0: %{name}-%{version}-hobbled.tar.xz
+Source1: libgnutls-config
+Source2: hobble-gnutls
+Patch1: gnutls-3.2.7-rpath.patch
+Patch2: gnutls-3.1.11-nosrp.patch
+Patch4: gnutls-3.3.8-fips-key.patch
+Patch5: gnutls-3.3.8-padlock-disable.patch
+# In 3.3.8 we were shipping an early backport of a fix in GNUTLS_E_APPLICATION_DATA
+# behavior, which was using 3.4.0 semantics. We continue shipping to support
+# any applications depending on that.
+Patch6: gnutls-3.3.22-eapp-data.patch
+Patch7: gnutls-3.3.26-dh-params-1024.patch
+# Reported on the gnutls ML affecting Fedora 25 (potentially RHEL7 as well)
+Patch8: gnutls-3.3.26-fix-uninitialized.patch
+Patch9: gnutls-3.3.26-fix-coverity-issues.patch
+Patch10: gnutls-3.3.26-pin-value.patch
+Patch11: gnutls-3.3.26-set-unique-id-tests.patch
+Patch12: gnutls-3.3.26-fips-rsa-keygen.patch
+Patch13: gnutls-3.3.26-cve-2017-7869.patch
+Patch14: gnutls-3.3.26-remove-status-req-ext-parsing.patch
+# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
+Provides: bundled(gnulib) = 20130424
+
+%package c++
+Summary: The C++ interface to GnuTLS
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%package devel
+Summary: Development files for the %{name} package
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: %{name}-c++%{?_isa} = %{version}-%{release}
+%if %{with dane}
+Requires: %{name}-dane%{?_isa} = %{version}-%{release}
+%endif
+Requires: pkgconfig
+Requires(post): /sbin/install-info
+Requires(preun): /sbin/install-info
+
+%package utils
+License: GPLv3+
+Summary: Command line tools for TLS protocol
+Group: Applications/System
+Requires: %{name}%{?_isa} = %{version}-%{release}
+%if %{with dane}
+Requires: %{name}-dane%{?_isa} = %{version}-%{release}
+%endif
+
+%if %{with dane}
+%package dane
+Summary: A DANE protocol implementation for GnuTLS
+Requires: %{name}%{?_isa} = %{version}-%{release}
+%endif
+
+%if %{with guile}
+%package guile
+Summary: Guile bindings for the GNUTLS library
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: guile
+%endif
+
+%description
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
+
+%description c++
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
+This package contains the C++ interface for the GnuTLS library.
+
+%description devel
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
+This package contains files needed for developing applications with
+the GnuTLS library.
+
+%description utils
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
+This package contains command line TLS client and server and certificate
+manipulation tools.
+
+%if %{with dane}
+%description dane
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
+This package contains library that implements the DANE protocol for verifying
+TLS certificates through DNSSEC.
+%endif
+
+%if %{with guile}
+%description guile
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS 
+protocols and technologies around them. It provides a simple C language 
+application programming interface (API) to access the secure communications 
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and 
+other required structures. 
+This package contains Guile bindings for the library.
+%endif
+
+%prep
+%setup -q
+
+%patch1 -p1 -b .rpath
+%patch2 -p1 -b .nosrp
+%patch4 -p1 -b .fips-key
+%patch5 -p1 -b .padlock-disable
+%patch6 -p1 -b .eapp-data
+%patch7 -p1 -b .dh-1024
+%patch8 -p1 -b .fix-uninit
+%patch9 -p1 -b .fix-coverity
+%patch10 -p1 -b .pin-value
+%patch11 -p1 -b .unique-id
+%patch12 -p1 -b .rsa-keygen
+%patch13 -p1 -b .openpgp-fixes
+%patch14 -p1 -b .ocsp-ext-parse
+
+sed 's/gnutls_srp.c//g' -i lib/Makefile.in
+sed 's/gnutls_srp.lo//g' -i lib/Makefile.in
+rm -f lib/minitasn1/*.c lib/minitasn1/*.h
+rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h 
+
+%{SOURCE2} -e
+autoreconf -if
+
+%build
+export LDFLAGS="-Wl,--no-add-needed"
+
+%configure --with-libtasn1-prefix=%{_prefix} \
+	   --with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit" \
+           --with-included-libcfg \
+	   --with-arcfour128 \
+	   --with-ssl3 \
+           --disable-static \
+           --disable-openssl-compatibility \
+           --disable-srp-authentication \
+	   --disable-non-suiteb-curves \
+	   --with-trousers-lib=%{_libdir}/libtspi.so.1 \
+	   --enable-fips140-mode \
+%if %{with guile}
+           --enable-guile \
+%ifarch %{arm}
+           --disable-largefile \
+%endif
+%else
+           --disable-guile \
+%endif
+%if %{with dane}
+	   --with-unbound-root-key-file=/var/lib/unbound/root.key \
+           --enable-dane \
+%else
+           --disable-dane \
+%endif
+           --disable-rpath
+# Note that the arm hack above is not quite right and the proper thing would
+# be to compile guile with largefile support.
+make %{?_smp_mflags}
+
+%define __spec_install_post \
+	%{?__debug_package:%{__debug_install_post}} \
+	%{__arch_install_post} \
+	%{__os_install_post} \
+	fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.28.*.* \
+	file=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.28.*.hmac` && mv $RPM_BUILD_ROOT%{_libdir}/$file $RPM_BUILD_ROOT%{_libdir}/.$file && ln -s .$file $RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.28.hmac \
+%{nil}
+
+%install
+make install DESTDIR=$RPM_BUILD_ROOT
+rm -f $RPM_BUILD_ROOT%{_bindir}/srptool
+rm -f $RPM_BUILD_ROOT%{_bindir}/gnutls-srpcrypt
+cp -f %{SOURCE1} $RPM_BUILD_ROOT%{_bindir}/libgnutls-config
+rm -f $RPM_BUILD_ROOT%{_mandir}/man1/srptool.1
+rm -f $RPM_BUILD_ROOT%{_mandir}/man3/*srp*
+rm -f $RPM_BUILD_ROOT%{_infodir}/dir
+rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
+rm -f $RPM_BUILD_ROOT%{_libdir}/libguile*.a
+%if %{without dane}
+rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
+%endif
+
+%find_lang gnutls
+
+%check
+make check %{?_smp_mflags}
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%post c++ -p /sbin/ldconfig
+
+%postun c++ -p /sbin/ldconfig
+
+%post devel
+if [ -f %{_infodir}/gnutls.info.gz ]; then
+    /sbin/install-info %{_infodir}/gnutls.info.gz %{_infodir}/dir || :
+fi
+
+%preun devel
+if [ $1 = 0 -a -f %{_infodir}/gnutls.info.gz ]; then
+   /sbin/install-info --delete %{_infodir}/gnutls.info.gz %{_infodir}/dir || :
+fi
+
+%if %{with dane}
+%post dane -p /sbin/ldconfig
+
+%postun dane -p /sbin/ldconfig
+%endif
+
+%if %{with guile}
+%post guile -p /sbin/ldconfig
+
+%postun guile -p /sbin/ldconfig
+%endif
+
+%files -f gnutls.lang
+%defattr(-,root,root,-)
+%{_libdir}/libgnutls.so.28*
+%{_libdir}/.libgnutls.so.28*.hmac
+%doc COPYING COPYING.LESSER README AUTHORS NEWS THANKS
+
+%files c++
+%{_libdir}/libgnutlsxx.so.*
+
+%files devel
+%defattr(-,root,root,-)
+%{_bindir}/libgnutls*-config
+%{_includedir}/*
+%{_libdir}/libgnutls*.so
+%{_libdir}/.libgnutls.so.*.hmac
+%{_libdir}/pkgconfig/*.pc
+%{_mandir}/man3/*
+%{_infodir}/gnutls*
+%{_infodir}/pkcs11-vision*
+
+%files utils
+%defattr(-,root,root,-)
+%{_bindir}/certtool
+%{_bindir}/tpmtool
+%{_bindir}/ocsptool
+%{_bindir}/psktool
+%{_bindir}/p11tool
+%{_bindir}/crywrap
+%if %{with dane}
+%{_bindir}/danetool
+%endif
+%{_bindir}/gnutls*
+%{_mandir}/man1/*
+%doc doc/certtool.cfg
+
+%if %{with dane}
+%files dane
+%defattr(-,root,root,-)
+%{_libdir}/libgnutls-dane.so.*
+%endif
+
+%if %{with guile}
+%files guile
+%defattr(-,root,root,-)
+%{_libdir}/libguile*.so*
+%{_datadir}/guile/site/gnutls
+%{_datadir}/guile/site/gnutls.scm
+%endif
+
+%changelog
+* Fri May 26 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.26-9
+- Address crash in OCSP status request extension, by eliminating the
+  unneeded parsing (CVE-2017-7507, #1455828)
+
+* Wed Apr 26 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.26-7
+- Address interoperability issue with 3.5.x (#1388932)
+- Reject CAs which are both trusted and blacklisted in trust module (#1375303)
+- Added new functions to set issuer and subject ID in certificates (#1378373)
+- Reject connections with less than 1024-bit DH parameters (#1335931)
+- Fix issue that made GnuTLS parse only the first 32 extensions (#1383748)
+- Mention limitations of certtool in manpage (#1375463)
+- Read PKCS#8 files with HMAC-SHA256 -as generated by openssl 1.1 (#1380642)
+- Do not link directly to trousers but instead use dlopen (#1379739)
+- Fix incorrect OCSP validation (#1377569)
+- Added support for pin-value in PKCS#11 URIs (#1379283)
+- Added the --id option to p11tool (#1399232)
+- Improved sanity checks in RSA key generation (#1444780)
+- Addressed CVE-2017-5334, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337,
+  CVE-2017-7869
+
+* Tue Jul 12 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.24-1
+- Addressed issue with DSA public keys smaller than 2^1024 (#1238279)
+- Addressed two-byte buffer overflow in the DTLS-0.9 protocol (#1209365)
+- When writing certificates to smart cards write the CKA_ISSUER and
+  CKA_SERIAL_NUMBER fields to allow NSS reading them (#1272179)
+- Use the shared system certificate store (#1110750)
+- Address MD5 transcript collision attacks in TLS key exchange (#1289888, 
+  CVE-2015-7575)
+- Allow hashing data over 2^32 bytes (#1306953)
+- Ensure written PKCS#11 public keys are not marked as private (#1339453)
+- Ensure secure_getenv() is called on all uses of environment variables
+  (#1344591).
+- Fix issues related to PKCS #11 private key listing on certain HSMs
+  (#1351389)
+
+* Fri Jun  5 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-13
+- Corrected reseed and respect of max_number_of_bits_per_request in 
+  FIPS140-2 mode. Also enhanced the initial tests. (#1228199)
+
+* Mon Jan  5 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-12
+- corrected fix of handshake buffer resets (#1153106)
+
+* Thu Dec 11 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-11
+- Applied fix for urandom FD in FIPS140 mode (#1165047)
+- Applied fix for FIPS140-2 related regression (#1110696)
+
+* Tue Dec  2 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-10
+- Amended fix for urandom FD to avoid regression in FIPS140 mode (#1165047)
+
+* Tue Nov 18 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-9
+- Amended fix for FIPS enforcement issue (#1163848)
+- Fixed issue with applications that close all file descriptors (#1165047)
+
+* Thu Nov 13 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-8
+- Applied fix for FIPS enforcement issue when only /etc/system-fips
+  existed (#1163848)
+
+* Fri Nov  7 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-7
+- Applied fix for CVE-2014-8564 (#1161473)
+
+* Wed Oct 29 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-6
+- when generating test DH keys, enforce the q_bits.
+
+* Tue Oct 21 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-5
+- do not enforce FIPS140-2 policies in non-FIPS140 mode (#1154774)
+
+* Thu Oct 16 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-4
+- reverted change to use the p11-kit certificate storage (#1110750)
+- added functions to test DH/ECDH in FIPS-140-2 mode and fixed
+  RSA key generation (#1110696)
+- added manual dependencies on libtasn1 3.8 as well as p11-kit 0.20.7
+- fixed SHA224 in SSSE3 optimized code
+- fixed issue with handshake buffer resets (#1153106)
+- fixed issue in RSA key generation with specific seeds in FIPS140-2 mode
+
+* Wed Oct 01 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-3
+- added dependency on libtasn1 3.8 (#1110696)
+
+* Thu Sep 18 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-2
+- disabled padlock CPU support in FIPS140-2 mode
+
+* Thu Sep 18 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-1
+- updated to latest stable release
+
+* Fri Sep 05 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8-1.b2
+- updated with latest bug fixes for 3.3.x branch
+- delete bundled files
+
+* Thu Sep 04 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.8b1-1
+- updated with latest bug fixes for 3.3.x branch
+
+* Fri Aug 22 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.7-1
+- new upstream release (#1110696)
+- allow DSA/DH key generation with 1024 when not in FIPS140-2 mode (#1132705)
+
+* Fri Aug 15 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.7b1-1
+- updated with latest bug fixes for 3.3.x branch
+- utilize the p11-kit trust store (#1110750)
+
+* Tue Jul 29 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.6-2
+- correct path of fipscheck links
+
+* Wed Jul 23 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.3.6-1
+- rebased to 3.3.6 and enabled fips mode (#1110696)
+
+* Wed May 28 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.18-9
+- fix session ID length check (#1102027)
+- fixes null pointer dereference (#1101727)
+
+* Tue Feb 25 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.18-8
+- fixes CVE-2014-0092 (#1071815)
+
+* Fri Feb 14 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.18-7
+- fixes CVE-2014-1959
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.1.18-6
+- Mass rebuild 2014-01-24
+
+* Tue Jan 14 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.18-5
+- Fixed issue with gnutls.info not being available (#1053487)
+
+* Tue Jan 14 2014 Tomáš Mráz <tmraz@redhat.com> 3.1.18-4
+- build the crywrap tool
+
+* Thu Jan 02 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 3.1.18-3
+- fixes crash in gnutls_global_deinit (#1047037)
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.1.18-2
+- Mass rebuild 2013-12-27
+
+* Mon Dec 23 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.1.18-1
+- new upstream release (#1040886)
+- Use the correct root key for unbound
+
+* Tue Nov  5 2013 Tomáš Mráz <tmraz@redhat.com> 3.1.16-1
+- new upstream release
+- fixes CVE-2013-4466 off-by-one in dane_query_tlsa()
+
+* Tue Oct 29 2013 Tomáš Mráz <tmraz@redhat.com> 3.1.15-1
+- new upstream release
+- fixes CVE-2013-4466 buffer overflow in handling DANE entries
+
+* Mon Jul 15 2013 Tomáš Mráz <tmraz@redhat.com> 3.1.13-1
+- new upstream release
+
+* Thu May 23 2013 Tomáš Mráz <tmraz@redhat.com> 3.1.11-1
+- new upstream release
+- enable ECC NIST Suite B curves
+
+* Mon Mar 25 2013 Tomas Mraz <tmraz@redhat.com> 3.1.10-1
+- new upstream release
+- license of the library is back to LGPLv2.1+
+
+* Fri Mar 15 2013 Tomas Mraz <tmraz@redhat.com> 3.1.9-1
+- new upstream release
+
+* Thu Mar  7 2013 Tomas Mraz <tmraz@redhat.com> 3.1.8-3
+- drop the temporary old library
+
+* Tue Feb 26 2013 Tomas Mraz <tmraz@redhat.com> 3.1.8-2
+- don't send ECC algos as supported (#913797)
+
+* Thu Feb 21 2013 Tomas Mraz <tmraz@redhat.com> 3.1.8-1
+- new upstream version
+
+* Wed Feb  6 2013 Tomas Mraz <tmraz@redhat.com> 3.1.7-1
+- new upstream version, requires rebuild of dependencies
+- this release temporarily includes old compatibility .so
+
+* Tue Feb  5 2013 Tomas Mraz <tmraz@redhat.com> 2.12.22-2
+- rebuilt with new libtasn1
+- make guile bindings optional - breaks i686 build and there is
+  no dependent package
+
+* Tue Jan  8 2013 Tomas Mraz <tmraz@redhat.com> 2.12.22-1
+- new upstream version
+
+* Wed Nov 28 2012 Tomas Mraz <tmraz@redhat.com> 2.12.21-2
+- use RSA bit sizes supported by libgcrypt in FIPS mode for security
+  levels (#879643)
+
+* Fri Nov  9 2012 Tomas Mraz <tmraz@redhat.com> 2.12.21-1
+- new upstream version
+
+* Thu Nov  1 2012 Tomas Mraz <tmraz@redhat.com> 2.12.20-4
+- negotiate only FIPS approved algorithms in the FIPS mode (#871826)
+
+* Wed Aug  8 2012 Tomas Mraz <tmraz@redhat.com> 2.12.20-3
+- fix the gnutls-cli-debug manpage - patch by Peter Schiffer
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.12.20-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jun 18 2012 Tomas Mraz <tmraz@redhat.com> 2.12.20-1
+- new upstream version
+
+* Fri May 18 2012 Tomas Mraz <tmraz@redhat.com> 2.12.19-1
+- new upstream version
+
+* Thu Mar 29 2012 Tomas Mraz <tmraz@redhat.com> 2.12.18-1
+- new upstream version
+
+* Thu Mar  8 2012 Tomas Mraz <tmraz@redhat.com> 2.12.17-1
+- new upstream version
+- fix leaks in key generation (#796302)
+
+* Fri Feb 03 2012 Kevin Fenzi <kevin@scrye.com> - 2.12.14-3
+- Disable largefile on arm arch. (#787287)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.12.14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Nov  8 2011 Tomas Mraz <tmraz@redhat.com> 2.12.14-1
+- new upstream version
+
+* Mon Oct 24 2011 Tomas Mraz <tmraz@redhat.com> 2.12.12-1
+- new upstream version
+
+* Thu Sep 29 2011 Tomas Mraz <tmraz@redhat.com> 2.12.11-1
+- new upstream version
+
+* Fri Aug 26 2011 Tomas Mraz <tmraz@redhat.com> 2.12.9-1
+- new upstream version
+
+* Tue Aug 16 2011 Tomas Mraz <tmraz@redhat.com> 2.12.8-1
+- new upstream version
+
+* Mon Jul 25 2011 Tomas Mraz <tmraz@redhat.com> 2.12.7-2
+- fix problem when using new libgcrypt
+- split libgnutlsxx to a subpackage (#455146)
+- drop libgnutls-openssl (#460310)
+
+* Tue Jun 21 2011 Tomas Mraz <tmraz@redhat.com> 2.12.7-1
+- new upstream version
+
+* Mon May  9 2011 Tomas Mraz <tmraz@redhat.com> 2.12.4-1
+- new upstream version
+
+* Tue Apr 26 2011 Tomas Mraz <tmraz@redhat.com> 2.12.3-1
+- new upstream version
+
+* Mon Apr 18 2011 Tomas Mraz <tmraz@redhat.com> 2.12.2-1
+- new upstream version
+
+* Thu Mar  3 2011 Tomas Mraz <tmraz@redhat.com> 2.10.5-1
+- new upstream version
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.10.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Dec  8 2010 Tomas Mraz <tmraz@redhat.com> 2.10.4-1
+- new upstream version
+
+* Thu Dec  2 2010 Tomas Mraz <tmraz@redhat.com> 2.10.3-2
+- fix buffer overflow in gnutls-serv (#659259)
+
+* Fri Nov 19 2010 Tomas Mraz <tmraz@redhat.com> 2.10.3-1
+- new upstream version
+
+* Thu Sep 30 2010 Tomas Mraz <tmraz@redhat.com> 2.10.2-1
+- new upstream version
+
+* Wed Sep 29 2010 jkeating - 2.10.1-4
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 23 2010 Tomas Mraz <tmraz@redhat.com> 2.10.1-3
+- more patching for internal errors regression (#629858)
+  patch by Vivek Dasmohapatra
+
+* Tue Sep 21 2010 Tomas Mraz <tmraz@redhat.com> 2.10.1-2
+- backported patch from upstream git hopefully fixing internal errors
+  (#629858)
+
+* Wed Aug  4 2010 Tomas Mraz <tmraz@redhat.com> 2.10.1-1
+- new upstream version
+
+* Wed Jun  2 2010 Tomas Mraz <tmraz@redhat.com> 2.8.6-2
+- add support for safe renegotiation CVE-2009-3555 (#533125)
+
+* Wed May 12 2010 Tomas Mraz <tmraz@redhat.com> 2.8.6-1
+- upgrade to a new upstream version
+
+* Mon Feb 15 2010 Rex Dieter <rdieter@fedoraproject.org> 2.8.5-4
+- FTBFS gnutls-2.8.5-3.fc13: ImplicitDSOLinking (#564624)
+
+* Thu Jan 28 2010 Tomas Mraz <tmraz@redhat.com> 2.8.5-3
+- drop superfluous rpath from binaries
+- do not call autoreconf during build
+- specify the license on utils subpackage
+
+* Mon Jan 18 2010 Tomas Mraz <tmraz@redhat.com> 2.8.5-2
+- do not create static libraries (#556052)
+
+* Mon Nov  2 2009 Tomas Mraz <tmraz@redhat.com> 2.8.5-1
+- upgrade to a new upstream version
+
+* Wed Sep 23 2009 Tomas Mraz <tmraz@redhat.com> 2.8.4-1
+- upgrade to a new upstream version
+
+* Fri Aug 14 2009 Tomas Mraz <tmraz@redhat.com> 2.8.3-1
+- upgrade to a new upstream version
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.8.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jun 10 2009 Tomas Mraz <tmraz@redhat.com> 2.8.1-1
+- upgrade to a new upstream version
+
+* Wed Jun  3 2009 Tomas Mraz <tmraz@redhat.com> 2.8.0-1
+- upgrade to a new upstream version
+
+* Mon May  4 2009 Tomas Mraz <tmraz@redhat.com> 2.6.6-1
+- upgrade to a new upstream version - security fixes
+
+* Tue Apr 14 2009 Tomas Mraz <tmraz@redhat.com> 2.6.5-1
+- upgrade to a new upstream version, minor bugfixes only
+
+* Fri Mar  6 2009 Tomas Mraz <tmraz@redhat.com> 2.6.4-1
+- upgrade to a new upstream version
+
+* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.6.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Dec 15 2008 Tomas Mraz <tmraz@redhat.com> 2.6.3-1
+- upgrade to a new upstream version
+
+* Thu Dec  4 2008 Tomas Mraz <tmraz@redhat.com> 2.6.2-1
+- upgrade to a new upstream version
+
+* Tue Nov 11 2008 Tomas Mraz <tmraz@redhat.com> 2.4.2-3
+- fix chain verification issue CVE-2008-4989 (#470079)
+
+* Thu Sep 25 2008 Tomas Mraz <tmraz@redhat.com> 2.4.2-2
+- add guile subpackage (#463735)
+- force new libtool through autoreconf to drop unnecessary rpaths
+
+* Tue Sep 23 2008 Tomas Mraz <tmraz@redhat.com> 2.4.2-1
+- new upstream version
+
+* Tue Jul  1 2008 Tomas Mraz <tmraz@redhat.com> 2.4.1-1
+- new upstream version
+- correct the license tag
+- explicit --with-included-opencdk not needed
+- use external lzo library, internal not included anymore
+
+* Tue Jun 24 2008 Tomas Mraz <tmraz@redhat.com> 2.4.0-1
+- upgrade to latest upstream
+
+* Tue May 20 2008 Tomas Mraz <tmraz@redhat.com> 2.0.4-3
+- fix three security issues in gnutls handshake - GNUTLS-SA-2008-1
+  (#447461, #447462, #447463)
+
+* Mon Feb  4 2008 Joe Orton <jorton@redhat.com> 2.0.4-2
+- use system libtasn1
+
+* Tue Dec  4 2007 Tomas Mraz <tmraz@redhat.com> 2.0.4-1
+- upgrade to latest upstream
+
+* Tue Aug 21 2007 Tomas Mraz <tmraz@redhat.com> 1.6.3-2
+- license tag fix
+
+* Wed Jun  6 2007 Tomas Mraz <tmraz@redhat.com> 1.6.3-1
+- upgrade to latest upstream (#232445)
+
+* Tue Apr 10 2007 Tomas Mraz <tmraz@redhat.com> 1.4.5-2
+- properly require install-info (patch by Ville Skyttä)
+- standard buildroot and use dist tag
+- add COPYING and README to doc
+
+* Wed Feb  7 2007 Tomas Mraz <tmraz@redhat.com> 1.4.5-1
+- new upstream version
+- drop libtermcap-devel from buildrequires
+
+* Thu Sep 14 2006 Tomas Mraz <tmraz@redhat.com> 1.4.1-2
+- detect forged signatures - CVE-2006-4790 (#206411), patch
+  from upstream
+
+* Tue Jul 18 2006 Tomas Mraz <tmraz@redhat.com> - 1.4.1-1
+- upgrade to new upstream version, only minor changes
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.4.0-1.1
+- rebuild
+
+* Wed Jun 14 2006 Tomas Mraz <tmraz@redhat.com> - 1.4.0-1
+- upgrade to new upstream version (#192070), rebuild
+  of dependent packages required
+
+* Tue May 16 2006 Tomas Mraz <tmraz@redhat.com> - 1.2.10-2
+- added missing buildrequires
+
+* Mon Feb 13 2006 Tomas Mraz <tmraz@redhat.com> - 1.2.10-1
+- updated to new version (fixes CVE-2006-0645)
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.2.9-3.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.2.9-3.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Tue Jan  3 2006 Jesse Keating <jkeating@redhat.com> 1.2.9-3
+- rebuilt
+
+* Fri Dec  9 2005 Tomas Mraz <tmraz@redhat.com> 1.2.9-2
+- replaced *-config scripts with calls to pkg-config to
+  solve multilib conflicts
+
+* Wed Nov 23 2005 Tomas Mraz <tmraz@redhat.com> 1.2.9-1
+- upgrade to newest upstream
+- removed .la files (#172635)
+
+* Sun Aug  7 2005 Tomas Mraz <tmraz@redhat.com> 1.2.6-1
+- upgrade to newest upstream (rebuild of dependencies necessary)
+
+* Mon Jul  4 2005 Tomas Mraz <tmraz@redhat.com> 1.0.25-2
+- split the command line tools to utils subpackage
+
+* Sat Apr 30 2005 Tomas Mraz <tmraz@redhat.com> 1.0.25-1
+- new upstream version fixes potential DOS attack
+
+* Sat Apr 23 2005 Tomas Mraz <tmraz@redhat.com> 1.0.24-2
+- readd the version script dropped by upstream
+
+* Fri Apr 22 2005 Tomas Mraz <tmraz@redhat.com> 1.0.24-1
+- update to the latest upstream version on the 1.0 branch
+
+* Wed Mar  2 2005 Warren Togami <wtogami@redhat.com> 1.0.20-6
+- gcc4 rebuild
+
+* Tue Jan  4 2005 Ivana Varekova <varekova@redhat.com> 1.0.20-5
+- add gnutls Requires zlib-devel (#144069)
+
+* Mon Nov 08 2004 Colin Walters <walters@redhat.com> 1.0.20-4
+- Make gnutls-devel Require libgcrypt-devel
+
+* Tue Sep 21 2004 Jeff Johnson <jbj@redhat.com> 1.0.20-3
+- rebuild with release++, otherwise unchanged.
+
+* Tue Sep  7 2004 Jeff Johnson <jbj@redhat.com> 1.0.20-2
+- patent tainted SRP code removed.
+
+* Sun Sep  5 2004 Jeff Johnson <jbj@redhat.com> 1.0.20-1
+- update to 1.0.20.
+- add --with-included-opencdk --with-included-libtasn1
+- add --with-included-libcfg --with-included-lzo
+- add --disable-srp-authentication.
+- do "make check" after build.
+
+* Fri Mar 21 2003 Jeff Johnson <jbj@redhat.com> 0.9.2-1
+- upgrade to 0.9.2
+
+* Tue Jun 25 2002 Jeff Johnson <jbj@redhat.com> 0.4.4-1
+- update to 0.4.4.
+
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Sat May 25 2002 Jeff Johnson <jbj@redhat.com> 0.4.3-1
+- update to 0.4.3.
+
+* Tue May 21 2002 Jeff Johnson <jbj@redhat.com> 0.4.2-1
+- update to 0.4.2.
+- change license to LGPL.
+- include splint annotations patch.
+
+* Tue Apr  2 2002 Nalin Dahyabhai <nalin@redhat.com> 0.4.0-1
+- update to 0.4.0
+
+* Thu Jan 17 2002 Nalin Dahyabhai <nalin@redhat.com> 0.3.2-1
+- update to 0.3.2
+
+* Thu Jan 10 2002 Nalin Dahyabhai <nalin@redhat.com> 0.3.0-1
+- add a URL
+
+* Thu Dec 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- initial package