!162 fix CVE-2024-12243

From: @xuraoqing 
Reviewed-by: @zcfsite 
Signed-off-by: @zcfsite

backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch

@@ -1,209 +0,0 @@
-From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001                                                                                                                 
-From: Daiki Ueno <ueno@gnu.org>
-Date: Mon, 23 Oct 2023 09:26:57 +0900
-Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
-
-This removes branching that depends on secret data, porting changes
-for regular RSA key exchange from
-4804febddc2ed958e5ae774de2a8f85edeeff538 and
-80a6ce8ddb02477cd724cd5b2944791aaddb702a.  This also removes the
-allow_wrong_pms as it was used sorely to control debug output
-depending on the branching.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
-
-Conflict::rsa_psk.c
-
----
- lib/auth/rsa.c     |  2 +-
- lib/auth/rsa_psk.c | 90 ++++++++++++++++++----------------------------
- lib/gnutls_int.h   |  4 ---
- lib/priority.c     |  1 -
- 4 files changed, 35 insertions(+), 62 deletions(-)
-
-diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
-index 492ec11..dd0fea1 100644
---- a/lib/auth/rsa.c
-+++ b/lib/auth/rsa.c
-@@ -206,7 +206,7 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, size_t _data_size)
- 				     session->key.key.size);
- 	/* After this point, any conditional on failure that cause differences
- 	 * in execution may create a timing or cache access pattern side
--	 * channel that can be used as an oracle, so treat very carefully */
-+	 * channel that can be used as an oracle, so tread carefully */
- 
- 	/* Error handling logic:
- 	 * In case decryption fails then don't inform the peer. Just use the
-diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
-index c1e9ac4..289ecbd 100644
---- a/lib/auth/rsa_psk.c
-+++ b/lib/auth/rsa_psk.c
-@@ -255,14 +255,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
- {
- 	gnutls_datum_t username;
- 	psk_auth_info_t info;
--	gnutls_datum_t plaintext;
- 	gnutls_datum_t ciphertext;
- 	gnutls_datum_t pwd_psk = { NULL, 0 };
- 	int ret, dsize;
--	int randomize_key = 0;
- 	ssize_t data_size = _data_size;
- 	gnutls_psk_server_credentials_t cred;
- 	gnutls_datum_t premaster_secret = { NULL, 0 };
-+	volatile uint8_t ver_maj, ver_min;
- 
- 	cred = (gnutls_psk_server_credentials_t)
- 	    _gnutls_get_cred(session, GNUTLS_CRD_PSK);
-@@ -320,68 +319,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
- 	}
- 	ciphertext.size = dsize;
- 
--	ret =
--	    gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
--					&ciphertext, &plaintext);
--	if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
--		/* In case decryption fails then don't inform
--		 * the peer. Just use a random key. (in order to avoid
--		 * attack against pkcs-1 formatting).
--		 */
-+	ver_maj = _gnutls_get_adv_version_major(session);
-+	ver_min = _gnutls_get_adv_version_minor(session);
-+
-+	premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
-+	if (premaster_secret.data == NULL) {
- 		gnutls_assert();
--		_gnutls_debug_log
--		    ("auth_rsa_psk: Possible PKCS #1 format attack\n");
--		if (ret >= 0) {
--			gnutls_free(plaintext.data);
--		}
--		randomize_key = 1;
--	} else {
--		/* If the secret was properly formatted, then
--		 * check the version number.
--		 */
--		if (_gnutls_get_adv_version_major(session) != plaintext.data[0]
--		    || (session->internals.allow_wrong_pms == 0
--			&& _gnutls_get_adv_version_minor(session) !=
--			plaintext.data[1])) {
--			/* No error is returned here, if the version number check
--			 * fails. We proceed normally.
--			 * That is to defend against the attack described in the paper
--			 * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
--			 * Ondej Pokorny and Tomas Rosa.
--			 */
--			gnutls_assert();
--			_gnutls_debug_log
--			    ("auth_rsa: Possible PKCS #1 version check format attack\n");
--		}
-+		return GNUTLS_E_MEMORY_ERROR;
- 	}
-+	premaster_secret.size = GNUTLS_MASTER_SIZE;
- 
--	if (randomize_key != 0) {
--		premaster_secret.size = GNUTLS_MASTER_SIZE;
--		premaster_secret.data = gnutls_malloc(premaster_secret.size);
--		if (premaster_secret.data == NULL) {
--			gnutls_assert();
--			return GNUTLS_E_MEMORY_ERROR;
--		}
--
--		/* we do not need strong random numbers here.
--		 */
--		ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
--				 premaster_secret.size);
--		if (ret < 0) {
--			gnutls_assert();
--			goto cleanup;
--		}
--	} else {
--		premaster_secret.data = plaintext.data;
--		premaster_secret.size = plaintext.size;
-+	/* Fallback value when decryption fails. Needs to be unpredictable. */
-+	ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
-+			 premaster_secret.size);
-+	if (ret < 0) {
-+		gnutls_assert();
-+		goto cleanup;
- 	}
- 
-+	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
-+				     &ciphertext, premaster_secret.data,
-+				     premaster_secret.size);
-+	/* After this point, any conditional on failure that cause differences
-+	 * in execution may create a timing or cache access pattern side
-+	 * channel that can be used as an oracle, so tread carefully */
-+
-+	/* Error handling logic:
-+	 * In case decryption fails then don't inform the peer. Just use the
-+	 * random key previously generated. (in order to avoid attack against
-+	 * pkcs-1 formatting).
-+	 *
-+	 * If we get version mismatches no error is returned either. We
-+	 * proceed normally. This is to defend against the attack described
-+	 * in the paper "Attacking RSA-based sessions in SSL/TLS" by
-+	 * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
-+	 */
-+
- 	/* This is here to avoid the version check attack
- 	 * discussed above.
- 	 */
--
--	premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
--	premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
-+	premaster_secret.data[0] = ver_maj;
-+	premaster_secret.data[1] = ver_min;
- 
- 	/* find the key of this username
- 	 */
-diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
-index 969454b..034059a 100644
---- a/lib/gnutls_int.h
-+++ b/lib/gnutls_int.h
-@@ -977,7 +977,6 @@ struct gnutls_priority_st {
- 	bool _no_etm;
- 	bool _no_ext_master_secret;
- 	bool _allow_key_usage_violation;
--	bool _allow_wrong_pms;
- 	bool _dumbfw;
- 	unsigned int _dh_prime_bits;	/* old (deprecated) variable */
- 
-@@ -995,7 +994,6 @@ struct gnutls_priority_st {
- 	      (x)->no_etm = 1; \
- 	      (x)->no_ext_master_secret = 1; \
- 	      (x)->allow_key_usage_violation = 1; \
--	      (x)->allow_wrong_pms = 1; \
- 	      (x)->dumbfw = 1
- 
- # define ENABLE_PRIO_COMPAT(x) \
-@@ -1004,7 +1002,6 @@ struct gnutls_priority_st {
- 	      (x)->_no_etm = 1; \
- 	      (x)->_no_ext_master_secret = 1; \
- 	      (x)->_allow_key_usage_violation = 1; \
--	      (x)->_allow_wrong_pms = 1; \
- 	      (x)->_dumbfw = 1
- 
- /* DH and RSA parameters types.
-@@ -1129,7 +1126,6 @@ typedef struct {
- 	bool no_etm;
- 	bool no_ext_master_secret;
- 	bool allow_key_usage_violation;
--	bool allow_wrong_pms;
- 	bool dumbfw;
- 
- 	/* old (deprecated) variable. This is used for both srp_prime_bits
-diff --git a/lib/priority.c b/lib/priority.c
-index 154929e..8dd9c42 100644
---- a/lib/priority.c
-+++ b/lib/priority.c
-@@ -725,7 +725,6 @@ int gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority)
- 	COPY_TO_INTERNALS(no_etm);
- 	COPY_TO_INTERNALS(no_ext_master_secret);
- 	COPY_TO_INTERNALS(allow_key_usage_violation);
--	COPY_TO_INTERNALS(allow_wrong_pms);
- 	COPY_TO_INTERNALS(dumbfw);
- 	COPY_TO_INTERNALS(dh_prime_bits);
- 
--- 
-2.33.0
-

backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch

@@ -10,24 +10,25 @@ decryption.  This also avoids an extra memcpy to session->key.key.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 
 Reference: https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e
-Conflicts: lib/auth/rsa_psk.c
+Conflicts: NA
+
 ---
- lib/auth/rsa_psk.c | 70 ++++++++++++++++++++++++----------------------
- 1 file changed, 36 insertions(+), 34 deletions(-)
+ lib/auth/rsa_psk.c | 69 ++++++++++++++++++++++++----------------------
+ 1 file changed, 36 insertions(+), 33 deletions(-)
 
 diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
-index 289ecbd..4043a64 100644
+index 99f908460..399fb4da1 100644
 --- a/lib/auth/rsa_psk.c
 +++ b/lib/auth/rsa_psk.c
-@@ -260,7 +260,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+@@ -256,7 +256,6 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
  	int ret, dsize;
  	ssize_t data_size = _data_size;
  	gnutls_psk_server_credentials_t cred;
 -	gnutls_datum_t premaster_secret = { NULL, 0 };
  	volatile uint8_t ver_maj, ver_min;
  
- 	cred = (gnutls_psk_server_credentials_t)
-@@ -322,24 +321,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	cred = (gnutls_psk_server_credentials_t)_gnutls_get_cred(
+@@ -318,24 +317,49 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
  	ver_maj = _gnutls_get_adv_version_major(session);
  	ver_min = _gnutls_get_adv_version_minor(session);
  
@@ -37,7 +38,8 @@ index 289ecbd..4043a64 100644
 +	 * filled in if the key is not found.
 +	 */
 +	ret = _gnutls_psk_pwd_find_entry(session, info->username,
-+					 strlen(info->username), &pwd_psk);
++					 strlen(info->username), &pwd_psk,
++					 NULL);
 +	if (ret < 0)
 +		return gnutls_assert_val(ret);
 +
@@ -84,7 +86,7 @@ index 289ecbd..4043a64 100644
  	/* After this point, any conditional on failure that cause differences
  	 * in execution may create a timing or cache access pattern side
  	 * channel that can be used as an oracle, so tread carefully */
-@@ -358,31 +381,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+@@ -354,31 +378,10 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
  	/* This is here to avoid the version check attack
  	 * discussed above.
  	 */
@@ -93,14 +95,16 @@ index 289ecbd..4043a64 100644
 -
 -	/* find the key of this username
 -	 */
--	ret =
--	    _gnutls_psk_pwd_find_entry(session, info->username,
--				       strlen(info->username), &pwd_psk);
+-	ret = _gnutls_psk_pwd_find_entry(session, info->username,
+-					 strlen(info->username), &pwd_psk,
+-					 NULL);
 -	if (ret < 0) {
 -		gnutls_assert();
 -		goto cleanup;
 -	}
--
++	session->key.key.data[2] = ver_maj;
++	session->key.key.data[3] = ver_min;
+ 
 -	ret = set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
 -	if (ret < 0) {
 -		gnutls_assert();
@@ -108,18 +112,15 @@ index 289ecbd..4043a64 100644
 -	}
 -
 -	ret = 0;
-- cleanup:
+-cleanup:
 -	_gnutls_free_key_datum(&pwd_psk);
 -	_gnutls_free_temp_key_datum(&premaster_secret);
 -
 -	return ret;
-+	session->key.key.data[2] = ver_maj;
-+	session->key.key.data[3] = ver_min;
-+	
 +	return 0;
  }
  
- static int
+ static int _gnutls_proc_rsa_psk_server_kx(gnutls_session_t session,
 -- 
 2.33.0
 

backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch

@@ -17,18 +17,18 @@ manner.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 
 Reference: https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405
-Conflict:  tests/test-chains.h
+Conflict:  NA
 
 ---
  lib/x509/common.c   |   4 ++
- tests/test-chains.h | 124 ++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 128 insertions(+)
+ tests/test-chains.h | 125 ++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 129 insertions(+)
 
 diff --git a/lib/x509/common.c b/lib/x509/common.c
-index 2cc95c9..44317ba 100644
+index 861cace4c..d749a062c 100644
 --- a/lib/x509/common.c
 +++ b/lib/x509/common.c
-@@ -1771,6 +1771,10 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t * clist,
+@@ -1741,6 +1741,10 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
  			break;
  		}
  
@@ -40,10 +40,10 @@ index 2cc95c9..44317ba 100644
  		insorted[prev] = 1;
  	}
 diff --git a/tests/test-chains.h b/tests/test-chains.h
-index 6355f28..c11a097 100644
+index 9ce23764d..3e559fecd 100644
 --- a/tests/test-chains.h
 +++ b/tests/test-chains.h
-@@ -4263,6 +4263,129 @@ static const char *rsa_sha1_not_in_trusted_ca[] = {
+@@ -4260,6 +4260,129 @@ static const char *rsa_sha1_not_in_trusted_ca[] = {
  	NULL
  };
  
@@ -171,14 +171,15 @@ index 6355f28..c11a097 100644
 +};
 +
  #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
- #  pragma GCC diagnostic push
- #  pragma GCC diagnostic ignored "-Wunused-variable"
-@@ -4442,6 +4565,7 @@ static struct
-     rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
-     GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
-     GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
-+  { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0, 1704955300},
-   { NULL, NULL, NULL, 0, 0}
+ #pragma GCC diagnostic push
+ #pragma GCC diagnostic ignored "-Wunused-variable"
+@@ -4571,6 +4694,8 @@ static struct {
+ 	  GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
+ 	  GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL,
+ 	  1620118136, 1 },
++	{ "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0,
++	  1704955300 },
+ 	{ NULL, NULL, NULL, 0, 0 }
  };
  
 -- 

backport-fix-CVE-2024-28834-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch

@@ -0,0 +1,422 @@
+From 1c4701ffc342259fc5965d5a0de90d87f780e3e5 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 12 Jan 2024 17:56:58 +0900
+Subject: [PATCH] nettle: avoid normalization of mpz_t in deterministic ECDSA
+
+This removes function calls that potentially leak bit-length of a
+private key used to calculate a nonce in deterministic ECDSA.  Namely:
+
+- _gnutls_dsa_compute_k has been rewritten to work on always
+  zero-padded mp_limb_t arrays instead of mpz_t
+- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
+  by a byte array instead of an mpz_t value
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Reference: https://gitlab.com/gnutls/gnutls/-/commit/1c4701ffc342259fc5965d5a0de90d87f780e3e5
+Conflict: NA
+
+---
+ lib/nettle/int/dsa-compute-k.c    | 70 +++++++++++++++++++++----------
+ lib/nettle/int/dsa-compute-k.h    | 23 +++++++++-
+ lib/nettle/int/ecdsa-compute-k.c  | 28 +++----------
+ lib/nettle/int/ecdsa-compute-k.h  |  4 +-
+ lib/nettle/pk.c                   | 65 +++++++++++++++++++++-------
+ tests/sign-verify-deterministic.c |  2 +-
+ 6 files changed, 127 insertions(+), 65 deletions(-)
+
+diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
+index 8ff5739c2..2fcb2bb80 100644
+--- a/lib/nettle/int/dsa-compute-k.c
++++ b/lib/nettle/int/dsa-compute-k.c
+@@ -31,19 +31,30 @@
+ #include "mpn-base256.h"
+ #include <string.h>
+ 
+-#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
++/* For mini-gmp */
++#ifndef GMP_LIMB_BITS
++#define GMP_LIMB_BITS GMP_NUMB_BITS
++#endif
+ 
+-/* The maximum size of q, chosen from the fact that we support
+- * 521-bit elliptic curve generator and 512-bit DSA subgroup at
+- * maximum. */
+-#define MAX_Q_BITS 521
+-#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
+-#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
++static inline int is_zero_limb(mp_limb_t x)
++{
++	x |= (x << 1);
++	return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1);
++}
++
++static int sec_zero_p(const mp_limb_t *ap, mp_size_t n)
++{
++	volatile mp_limb_t w;
++	mp_size_t i;
+ 
+-#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
+-#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
++	for (i = 0, w = 0; i < n; i++)
++		w |= ap[i];
+ 
+-int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
++	return is_zero_limb(w);
++}
++
++int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
++			  mp_size_t qn, mp_bitcnt_t q_bits,
+ 			  gnutls_mac_algorithm_t mac, const uint8_t *digest,
+ 			  size_t length)
+ {
+@@ -51,9 +62,6 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
+ 	uint8_t K[MAX_HASH_SIZE];
+ 	uint8_t xp[MAX_Q_SIZE];
+ 	uint8_t tp[MAX_Q_SIZE];
+-	mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
+-	mp_bitcnt_t q_bits = mpz_sizeinbase(q, 2);
+-	mp_size_t qn = mpz_size(q);
+ 	mp_bitcnt_t h_bits = length * 8;
+ 	mp_size_t hn = BITS_TO_LIMBS(h_bits);
+ 	size_t nbytes = (q_bits + 7) / 8;
+@@ -62,6 +70,7 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
+ 	mp_limb_t cy;
+ 	gnutls_hmac_hd_t hd;
+ 	int ret = 0;
++	mp_limb_t scratch[MAX_Q_LIMBS];
+ 
+ 	if (unlikely(q_bits > MAX_Q_BITS))
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -69,7 +78,7 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ 
+ 	/* int2octets(x) */
+-	mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
++	mpn_get_base256(xp, nbytes, x, qn);
+ 
+ 	/* bits2octets(h) */
+ 	mpn_set_base256(h, hn, digest, length);
+@@ -93,12 +102,12 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
+ 			mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
+ 	}
+ 
+-	cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
++	cy = mpn_sub_n(h, h, q, qn);
+ 	/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
+ #ifdef mpn_cnd_add_n
+-	mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
++	mpn_cnd_add_n(cy, h, h, q, qn);
+ #else
+-	mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
++	mpn_addmul_1(h, q, qn, cy != 0);
+ #endif
+ 	mpn_get_base256(tp, nbytes, h, qn);
+ 
+@@ -174,12 +183,8 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
+ 		if (tlen * 8 > q_bits)
+ 			mpn_rshift(h, h, qn, tlen * 8 - q_bits);
+ 		/* Check if k is in [1,q-1] */
+-		if (!mpn_zero_p(h, qn) &&
+-		    mpn_cmp(h, mpz_limbs_read(q), qn) < 0) {
+-			mpn_copyi(mpz_limbs_write(k, qn), h, qn);
+-			mpz_limbs_finish(k, qn);
++		if (!sec_zero_p(h, qn) && mpn_sub_n(scratch, h, q, qn))
+ 			break;
+-		}
+ 
+ 		ret = gnutls_hmac_init(&hd, mac, K, length);
+ 		if (ret < 0)
+@@ -203,3 +208,24 @@ out:
+ 
+ 	return ret;
+ }
++
++/* cancel-out dsa_sign's addition of 1 to random data */
++void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				  mp_size_t n)
++{
++	/* Fall back to sub_1, if nettle is linked with mini-gmp. */
++#ifdef mpn_sec_sub_1
++	mp_limb_t t[MAX_Q_LIMBS];
++
++	mpn_sec_sub_1(h, h, n, 1, t);
++#else
++	mpn_sub_1(h, h, n, 1);
++#endif
++	mpn_get_base256(k, nbytes, h, n);
++}
++
++void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				    mp_size_t n)
++{
++	mpn_get_base256(k, nbytes, h, n);
++}
+diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
+index 49d243acb..2f0667a01 100644
+--- a/lib/nettle/int/dsa-compute-k.h
++++ b/lib/nettle/int/dsa-compute-k.h
+@@ -26,8 +26,29 @@
+ #include <gnutls/gnutls.h>
+ #include <nettle/bignum.h> /* includes gmp.h */
+ 
+-int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
++#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
++
++/* The maximum size of q, chosen from the fact that we support
++ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
++ * maximum. */
++#define MAX_Q_BITS 521
++#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
++#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
++
++#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
++#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
++
++#define DSA_COMPUTE_K_ITCH MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)
++
++int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
++			  mp_size_t qn, mp_bitcnt_t q_bits,
+ 			  gnutls_mac_algorithm_t mac, const uint8_t *digest,
+ 			  size_t length);
+ 
++void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				  mp_size_t n);
++
++void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				    mp_size_t n);
++
+ #endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
+diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
+index 3b7f88616..4e25235c4 100644
+--- a/lib/nettle/int/ecdsa-compute-k.c
++++ b/lib/nettle/int/ecdsa-compute-k.c
+@@ -29,38 +29,38 @@
+ #include "dsa-compute-k.h"
+ #include "gnutls_int.h"
+ 
+-static inline int _gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
++int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve)
+ {
+ 	switch (curve) {
+ #ifdef ENABLE_NON_SUITEB_CURVES
+ 	case GNUTLS_ECC_CURVE_SECP192R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
+ 				 "146BC9B1B4D22831",
+ 				 16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP224R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
+ 				 "E0B8F03E13DD29455C5C2A3D",
+ 				 16);
+ 		return 0;
+ #endif
+ 	case GNUTLS_ECC_CURVE_SECP256R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
+ 				 "BCE6FAADA7179E84F3B9CAC2FC632551",
+ 				 16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP384R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ 				 "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
+ 				 "581A0DB248B0A77AECEC196ACCC52973",
+ 				 16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP521R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ 				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ 				 "FFA51868783BF2F966B7FCC0148F709A"
+@@ -73,19 +73,3 @@ static inline int _gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
+ 			GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+ 	}
+ }
+-
+-int _gnutls_ecdsa_compute_k(mpz_t k, gnutls_ecc_curve_t curve, const mpz_t x,
+-			    gnutls_mac_algorithm_t mac, const uint8_t *digest,
+-			    size_t length)
+-{
+-	mpz_t q;
+-	int ret;
+-
+-	ret = _gnutls_ecc_curve_to_dsa_q(&q, curve);
+-	if (ret < 0)
+-		return gnutls_assert_val(ret);
+-
+-	ret = _gnutls_dsa_compute_k(k, q, x, mac, digest, length);
+-	mpz_clear(q);
+-	return ret;
+-}
+diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h
+index be8beddb5..207685763 100644
+--- a/lib/nettle/int/ecdsa-compute-k.h
++++ b/lib/nettle/int/ecdsa-compute-k.h
+@@ -26,8 +26,6 @@
+ #include <gnutls/gnutls.h>
+ #include <nettle/bignum.h> /* includes gmp.h */
+ 
+-int _gnutls_ecdsa_compute_k(mpz_t k, gnutls_ecc_curve_t curve, const mpz_t x,
+-			    gnutls_mac_algorithm_t mac, const uint8_t *digest,
+-			    size_t length);
++int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve);
+ 
+ #endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 305548f4d..dd6b9936a 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -103,10 +103,16 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t *data)
+ 	}
+ }
+ 
+-static void rnd_mpz_func(void *_ctx, size_t length, uint8_t *data)
++static void rnd_datum_func(void *ctx, size_t length, uint8_t *data)
+ {
+-	mpz_t *k = _ctx;
+-	nettle_mpz_get_str_256(length, data, *k);
++	gnutls_datum_t *d = ctx;
++
++	if (length > d->size) {
++		memset(data, 0, length - d->size);
++		memcpy(data + (length - d->size), d->data, d->size);
++	} else {
++		memcpy(data, d->data, length);
++	}
+ }
+ 
+ static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t *data)
+@@ -1403,7 +1409,10 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 		struct dsa_signature sig;
+ 		int curve_id = pk_params->curve;
+ 		const struct ecc_curve *curve;
+-		mpz_t k;
++		mpz_t q;
++		/* 521-bit elliptic curve generator at maximum */
++		uint8_t buf[(521 + 7) / 8];
++		gnutls_datum_t k = { NULL, 0 };
+ 		void *random_ctx;
+ 		nettle_random_func *random_func;
+ 
+@@ -1447,17 +1456,32 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 			not_approved = true;
+ 		}
+ 
+-		mpz_init(k);
++		mpz_init(q);
++
+ 		if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
+ 		    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
+-			ret = _gnutls_ecdsa_compute_k(
+-				k, curve_id, pk_params->params[ECC_K],
++			mp_limb_t h[DSA_COMPUTE_K_ITCH];
++
++			ret = _gnutls_ecc_curve_to_dsa_q(q, curve_id);
++			if (ret < 0)
++				goto ecdsa_cleanup;
++
++			ret = _gnutls_dsa_compute_k(
++				h, mpz_limbs_read(q), priv.p,
++				ecc_size(priv.ecc), ecc_bit_size(priv.ecc),
+ 				DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
+ 				vdata->size);
+ 			if (ret < 0)
+ 				goto ecdsa_cleanup;
++
++			k.data = buf;
++			k.size = (ecc_bit_size(priv.ecc) + 7) / 8;
++
++			_gnutls_ecdsa_compute_k_finish(k.data, k.size, h,
++						       ecc_size(priv.ecc));
++
+ 			random_ctx = &k;
+-			random_func = rnd_mpz_func;
++			random_func = rnd_datum_func;
+ 		} else {
+ 			random_ctx = NULL;
+ 			random_func = rnd_nonce_func;
+@@ -1476,7 +1500,7 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 	ecdsa_cleanup:
+ 		dsa_signature_clear(&sig);
+ 		ecc_scalar_zclear(&priv);
+-		mpz_clear(k);
++		mpz_clear(q);
+ 
+ 		if (ret < 0) {
+ 			gnutls_assert();
+@@ -1488,7 +1512,9 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 		struct dsa_params pub;
+ 		bigint_t priv;
+ 		struct dsa_signature sig;
+-		mpz_t k;
++		/* 512-bit DSA subgroup at maximum */
++		uint8_t buf[(512 + 7) / 8];
++		gnutls_datum_t k = { NULL, 0 };
+ 		void *random_ctx;
+ 		nettle_random_func *random_func;
+ 
+@@ -1515,19 +1541,27 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 			hash_len = vdata->size;
+ 		}
+ 
+-		mpz_init(k);
+ 		if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
+ 		    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
++			mp_limb_t h[DSA_COMPUTE_K_ITCH];
++
+ 			ret = _gnutls_dsa_compute_k(
+-				k, pub.q, TOMPZ(priv),
++				h, mpz_limbs_read(pub.q),
++				mpz_limbs_read(TOMPZ(priv)), mpz_size(pub.q),
++				mpz_sizeinbase(pub.q, 2),
+ 				DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
+ 				vdata->size);
+ 			if (ret < 0)
+ 				goto dsa_fail;
+-			/* cancel-out dsa_sign's addition of 1 to random data */
+-			mpz_sub_ui(k, k, 1);
++
++			k.data = buf;
++			k.size = (mpz_sizeinbase(pub.q, 2) + 7) / 8;
++
++			_gnutls_dsa_compute_k_finish(k.data, k.size, h,
++						     mpz_size(pub.q));
++
+ 			random_ctx = &k;
+-			random_func = rnd_mpz_func;
++			random_func = rnd_datum_func;
+ 		} else {
+ 			random_ctx = NULL;
+ 			random_func = rnd_nonce_func;
+@@ -1544,7 +1578,6 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 
+ 	dsa_fail:
+ 		dsa_signature_clear(&sig);
+-		mpz_clear(k);
+ 
+ 		if (ret < 0) {
+ 			gnutls_assert();
+diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
+index 6969b57a1..bdd5a49c7 100644
+--- a/tests/sign-verify-deterministic.c
++++ b/tests/sign-verify-deterministic.c
+@@ -198,7 +198,7 @@ void doit(void)
+ 						 &tests[i].msg, &signature);
+ 		if (ret < 0)
+ 			testfail("gnutls_pubkey_verify_data2\n");
+-		success(" - pass");
++		success(" - pass\n");
+ 
+ 	next:
+ 		gnutls_free(signature.data);
+-- 
+2.33.0
+

backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch

@@ -0,0 +1,414 @@
+From e369e67a62f44561d417cb233acc566cc696d82d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 29 Jan 2024 13:52:46 +0900
+Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: remove length limit of
+ input
+
+Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
+chain verification logic crashed with assertion failure.  This patch
+removes the restriction while keeping the maximum number of
+retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Reference: https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d
+Conflict: NA
+
+---
+ lib/gnutls_int.h       |   5 +-
+ lib/x509/common.c      |  10 +-
+ lib/x509/verify-high.c |  51 ++++++----
+ tests/test-chains.h    | 211 ++++++++++++++++++++++++++++++++++++++++-
+ 4 files changed, 258 insertions(+), 19 deletions(-)
+
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index d8561ebe3..8cf9a8715 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -232,7 +232,10 @@ typedef enum record_send_state_t {
+ 
+ #define MAX_PK_PARAM_SIZE 2048
+ 
+-/* defaults for verification functions
++/* Defaults for verification functions.
++ *
++ * update many_icas in tests/test-chains.h when increasing
++ * DEFAULT_MAX_VERIFY_DEPTH.
+  */
+ #define DEFAULT_MAX_VERIFY_DEPTH 16
+ #define DEFAULT_MAX_VERIFY_BITS (MAX_PK_PARAM_SIZE * 8)
+diff --git a/lib/x509/common.c b/lib/x509/common.c
+index 2cc83c915..705aa868b 100644
+--- a/lib/x509/common.c
++++ b/lib/x509/common.c
+@@ -1725,7 +1725,15 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
+ 	bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */
+ 	gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
+ 
+-	assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH);
++	/* Limit the number of certificates in the chain, to avoid DoS
++	 * because of the O(n^2) sorting below.  FIXME: Switch to a
++	 * topological sort algorithm which should be linear to the
++	 * number of certificates and subject-issuer relationships.
++	 */
++	if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) {
++		_gnutls_debug_log("too many certificates; skipping sorting\n");
++		return 1;
++	}
+ 
+ 	for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) {
+ 		issuer[i] = -1;
+diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
+index 4e7361eb6..aacc24a7d 100644
+--- a/lib/x509/verify-high.c
++++ b/lib/x509/verify-high.c
+@@ -25,7 +25,7 @@
+ #include "errors.h"
+ #include <libtasn1.h>
+ #include "global.h"
+-#include "num.h" /* MAX */
++#include "num.h" /* MIN */
+ #include "tls-sig.h"
+ #include "str.h"
+ #include "datum.h"
+@@ -1361,7 +1361,8 @@ int gnutls_x509_trust_list_verify_crt2(
+ 	int ret = 0;
+ 	unsigned int i;
+ 	size_t hash;
+-	gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
++	gnutls_x509_crt_t *cert_list_copy = NULL;
++	unsigned int cert_list_max_size = 0;
+ 	gnutls_x509_crt_t retrieved[DEFAULT_MAX_VERIFY_DEPTH];
+ 	unsigned int retrieved_size = 0;
+ 	const char *hostname = NULL, *purpose = NULL, *email = NULL;
+@@ -1421,16 +1422,28 @@ int gnutls_x509_trust_list_verify_crt2(
+ 		}
+ 	}
+ 
+-	memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
+-	cert_list = sorted;
++	/* Allocate extra for retrieved certificates. */
++	if (!INT_ADD_OK(cert_list_size, DEFAULT_MAX_VERIFY_DEPTH,
++			&cert_list_max_size))
++		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++
++	cert_list_copy = _gnutls_reallocarray(NULL, cert_list_max_size,
++					      sizeof(gnutls_x509_crt_t));
++	if (!cert_list_copy)
++		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++
++	memcpy(cert_list_copy, cert_list,
++	       cert_list_size * sizeof(gnutls_x509_crt_t));
++	cert_list = cert_list_copy;
+ 
+ 	records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq,
+ 					  cert_hashcode, NULL, false);
+-	if (records == NULL)
+-		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++	if (records == NULL) {
++		ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++		goto cleanup;
++	}
+ 
+-	for (i = 0; i < cert_list_size &&
+-		    cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH;) {
++	for (i = 0; i < cert_list_size;) {
+ 		unsigned int sorted_size = 1;
+ 		unsigned int j, k;
+ 		gnutls_x509_crt_t issuer;
+@@ -1442,8 +1455,7 @@ int gnutls_x509_trust_list_verify_crt2(
+ 
+ 		assert(sorted_size > 0);
+ 
+-		/* Remove duplicates. Start with index 1, as the first element
+-		 * may be re-checked after issuer retrieval. */
++		/* Remove duplicates. */
+ 		for (j = 0; j < sorted_size; j++) {
+ 			if (gl_list_search(records, cert_list[i + j])) {
+ 				if (i + j < cert_list_size - 1) {
+@@ -1495,13 +1507,15 @@ int gnutls_x509_trust_list_verify_crt2(
+ 
+ 		ret = retrieve_issuers(
+ 			list, cert_list[i - 1], &retrieved[retrieved_size],
+-			DEFAULT_MAX_VERIFY_DEPTH -
+-				MAX(retrieved_size, cert_list_size));
++			MIN(DEFAULT_MAX_VERIFY_DEPTH - retrieved_size,
++			    cert_list_max_size - cert_list_size));
+ 		if (ret < 0) {
+ 			break;
+ 		} else if (ret > 0) {
+ 			assert((unsigned int)ret <=
+-			       DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
++			       DEFAULT_MAX_VERIFY_DEPTH - retrieved_size);
++			assert((unsigned int)ret <=
++			       cert_list_max_size - cert_list_size);
+ 			memmove(&cert_list[i + ret], &cert_list[i],
+ 				(cert_list_size - i) *
+ 					sizeof(gnutls_x509_crt_t));
+@@ -1517,8 +1531,10 @@ int gnutls_x509_trust_list_verify_crt2(
+ 	}
+ 
+ 	cert_list_size = shorten_clist(list, cert_list, cert_list_size);
+-	if (cert_list_size <= 0)
+-		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++	if (cert_list_size <= 0) {
++		ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++		goto cleanup;
++	}
+ 
+ 	hash = hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.data,
+ 			     cert_list[cert_list_size - 1]->raw_issuer_dn.size);
+@@ -1661,10 +1677,13 @@ int gnutls_x509_trust_list_verify_crt2(
+ 	}
+ 
+ cleanup:
++	gnutls_free(cert_list_copy);
+ 	for (i = 0; i < retrieved_size; i++) {
+ 		gnutls_x509_crt_deinit(retrieved[i]);
+ 	}
+-	gl_list_free(records);
++	if (records) {
++		gl_list_free(records);
++	}
+ 	return ret;
+ }
+ 
+diff --git a/tests/test-chains.h b/tests/test-chains.h
+index 3e559fecd..a7fe1cdec 100644
+--- a/tests/test-chains.h
++++ b/tests/test-chains.h
+@@ -23,7 +23,7 @@
+ #ifndef GNUTLS_TESTS_TEST_CHAINS_H
+ #define GNUTLS_TESTS_TEST_CHAINS_H
+ 
+-#define MAX_CHAIN 10
++#define MAX_CHAIN 17
+ 
+ static const char *chain_with_no_subject_id_in_ca_ok[] = {
+ 	"-----BEGIN CERTIFICATE-----\n"
+@@ -4383,6 +4383,213 @@ static const char *cross_signed_ca[] = {
+ 	NULL
+ };
+ 
++/* This assumes DEFAULT_MAX_VERIFY_DEPTH to be 16 */
++static const char *many_icas[] = {
++	/* Server */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBqzCCAV2gAwIBAgIUIK3+SD3GmqJlRLZ/ESyhTzkSDL8wBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYD\n"
++	"VQQDEw90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQAWGjx45NIJiKFsNBxxRRjm\n"
++	"NxUT5KYK7xXr5HPVywwgLaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGC\n"
++	"D3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8E\n"
++	"BAMCB4AwHQYDVR0OBBYEFKgNAQWZPx76/vXqQOdIi5mTftsaMB8GA1UdIwQYMBaA\n"
++	"FDaPsY6WAGuRtrhYJE6Gk/bg5qbdMAUGAytlcANBAMIDh8aGcIIFDTUrzfV7tnkX\n"
++	"hHrxyFKBH/cApf6xcJQTfDXm23po627Ibp+WgLaWMY08Fn9Y2V6Ev8ADfqXNbQ8=\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA16 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUSnE0PKdm/dsnZSWBh5Ct4pS6DcwwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAxq9SI8vp0QH1dDBBuZW+t+bLLROppQbjSQ4O1BEonDOjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2j7GOlgBrkba4\n"
++	"WCROhpP24Oam3TAfBgNVHSMEGDAWgBRvdUKX0aw3nfUIdvivXGSfRO7zyjAFBgMr\n"
++	"ZXADQQBsI2Hc7X5hXoHTvk01qMc5a1I27QHAFRARJnvIQ15wxNS2LVLzGk+AUmwr\n"
++	"sOhBKAcVfS55uWtYdjoWQ80h238H\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA15 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUQk4XkgQVImnp6OPZas7ctwgBza4wBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAs3yVKLJd3sKbNVmj6Bxy2j1x025rksyQpZZWnCx5a+CjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRvdUKX0aw3nfUI\n"
++	"dvivXGSfRO7zyjAfBgNVHSMEGDAWgBRhGfUXYPh4YQsdtTWYUozLphGgfzAFBgMr\n"
++	"ZXADQQBXTtm56x6/pHXdW8dTvZLc/8RufNQrMlc23TCgX0apUnrZdTsNAb7OE4Uu\n"
++	"9PBuxK+CC9NL/BL2hXsKvAT+NWME\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA14 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUKfwz7UUYRvYlvqwmnLJlTOS9o1AwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAXbUetQ08t+F4+IcKL++HpeclqTxXZ7cG4mwqvHmTUEWjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRhGfUXYPh4YQsd\n"
++	"tTWYUozLphGgfzAfBgNVHSMEGDAWgBQYRQqO+V1kefF7QvNnFU1fX5H9+jAFBgMr\n"
++	"ZXADQQAiSHNMTLPFP3oa6q13Dj8jSxF9trQDJGM1ArWffFcPZUt2U4/ODHdcMTHx\n"
++	"kGwhIj+ghBlu6ykgu6J2wewCUooC\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA13 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUUKOs59gyCPAZzoC7zMZQSh6AnQgwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAmvqhj5GYqsXIpsr1BXBfD+2mTP/m/TEpKIYSZHM62dijYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQYRQqO+V1kefF7\n"
++	"QvNnFU1fX5H9+jAfBgNVHSMEGDAWgBQ27HzvP5hl2xR+LOzRcPfmY5ndXjAFBgMr\n"
++	"ZXADQQBrB3NkrYC7EQ74qgeesVOE71rW012dPOOKPAV0laR+JLEgsv9sfus+AdBF\n"
++	"WBNwR3KeYBTi/MFDuecxBHU2m5gD\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA12 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUUQooGfH21+sR7/pSgCWm13gg2H4wBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAK2of/B4wMpk6k/KdugC5dMS+jo2fseUM7/PvXkE6HASjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ27HzvP5hl2xR+\n"
++	"LOzRcPfmY5ndXjAfBgNVHSMEGDAWgBSJDHU0Mj1Xr0e8ErCnRK24w7XwTTAFBgMr\n"
++	"ZXADQQDY8d2bAZpj7oGhdl2dBsCE48jEWj49da0PbgN12koAj3gf4hjMPd8G7p5z\n"
++	"8RsURAwQmCkE8ShvdNw/Qr2tDL0E\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA11 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUW9Dw0hU2pfjXhb5Stip+mk9SndIwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAn5ISjLVV6RBWsnxDWHDicpye7SjFwGOTwzF01/psiJ2jYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSJDHU0Mj1Xr0e8\n"
++	"ErCnRK24w7XwTTAfBgNVHSMEGDAWgBSR9UU27RI0XohiEgHDxNo/9HP4djAFBgMr\n"
++	"ZXADQQCfQg6MDHk71vhyrEo4/5PcLb2Li5F/FKURyux7snv2TbkSdInloAqca9UR\n"
++	"DtqHSLCNLXCNdSPr5QwIt5p29rsE\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA10 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUR4uTedG8e6MibKViQ3eX7QzXG1swBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAnslX04kSVOL5LAf1e+Ze3ggNnDJcEAxLDk8I/IhyjTyjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSR9UU27RI0Xohi\n"
++	"EgHDxNo/9HP4djAfBgNVHSMEGDAWgBRC7US5gJYnvd5F7EN+C4anMgd2NzAFBgMr\n"
++	"ZXADQQDo+jHt07Tvz3T5Lbz6apBrSln8xKYfJk2W1wP85XAnf7sZT9apM1bS4EyD\n"
++	"Kckw+KG+9x7myOZz6AXJgZB5OGAO\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA9 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUSIIIRjrNpE+kEPkiJMOqaNAazvQwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAZKy7p1Gn4W/reRxKJN99+QkHt2q9aELktCKe5PqrX5ejYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRC7US5gJYnvd5F\n"
++	"7EN+C4anMgd2NzAfBgNVHSMEGDAWgBSOhR7Ornis2x8g0J+bvTTwMnW60zAFBgMr\n"
++	"ZXADQQA0MEcC4FgKZEAfalVpApU2to0G158MVz/WTNcSc7fnl8ifJ/g56dVHL1jr\n"
++	"REvC/S28dn/CGAlbVXUAgxnHAbgE\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA8 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUGGFSgD95vOTSj7iFxfXA5vq6vsYwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAg3W/bTdW0fR32NeZEVMXICpa30d7rSdddLOYDvqqUO+jYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSOhR7Ornis2x8g\n"
++	"0J+bvTTwMnW60zAfBgNVHSMEGDAWgBT3zK8Hbn9aVTAOOFY6RSxJ2o5x2jAFBgMr\n"
++	"ZXADQQBl4gnzE463iMFg57gPvjHdVzA39sJBpiu0kUGfRcLnoRI/VOaLcx7WnJ9+\n"
++	"c3KxPZBec76EdIoQDkTmI6m2FIAM\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA7 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUGktMGXhNuaMhKyAlecymmLD+/GIwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEA/Z1oc76hOQ0Hi+2hePaGIntnMIDqBlb7RDMjRpYONP2jYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT3zK8Hbn9aVTAO\n"
++	"OFY6RSxJ2o5x2jAfBgNVHSMEGDAWgBSPae3JUN3jP0NgUJqDV3eYxcaM3DAFBgMr\n"
++	"ZXADQQBMkwKaUZlvG/hax8rv3nnDv8kJOr6KVHBnxSx3hZ+8HIBT7GFm1+YDeYOB\n"
++	"jhNg66kyeFPGXXBCe+mvNQFFjCEE\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA6 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUKn3gz5lAUpKqWlHKLKYDbOJ4rygwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAZ/eD4eTe91ddvHusm7YlLPxU4ByGFc6suAmlP1CxXkWjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSPae3JUN3jP0Ng\n"
++	"UJqDV3eYxcaM3DAfBgNVHSMEGDAWgBT9f/qSI/jhxvGI7aMtkpraDcjBnjAFBgMr\n"
++	"ZXADQQAMRnkmRhnLGdmJaY8B42gfyaAsqCMyds/Tw4OHYy+N48XuAxRjKkhf3szC\n"
++	"0lY71oU043mNP1yx/dzAuCTrVSgI\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA5 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUEgEYbBXXEyGv3vOq10JQv1SBiUUwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAs2xEDPw8RVal53nX9GVwUd1blq1wjtVFC8S1V7up7MWjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT9f/qSI/jhxvGI\n"
++	"7aMtkpraDcjBnjAfBgNVHSMEGDAWgBRBVkLu9BmCKz7HNI8md4vPpoE/7jAFBgMr\n"
++	"ZXADQQCCufAyLijtzzmeCuO3K50rBSbGvB3FQfep7g6kVsQKM3bw/olWK5/Ji0dD\n"
++	"ubJ0cFl1FmfAda7aVxLBtJOvO6MI\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA4 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIULj8GkaHw+92HuOTnXnXlxCy3VrEwBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAiedxh4dvtwDellMAHc/pZH0MAOXobRenTUgF1yj5l12jYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRBVkLu9BmCKz7H\n"
++	"NI8md4vPpoE/7jAfBgNVHSMEGDAWgBSDtNRgQ36KwW/ASaMyr6WeDt0STDAFBgMr\n"
++	"ZXADQQDL8U2ckzur7CktdrVUNvfLhVCOz33d/62F28vQFHUa8h/4h+Mi1MMbXOKT\n"
++	"1bL2TvpFpU7Fx/vcIPXDielVqr4C\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA3 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUQXl74TDDw6MQRMbQUSPa6Qrvba8wBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEA7l0jQ0f4fJRw7Qja/Hz2qn8y91SI7CokxhSf+FT+9M6jYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSDtNRgQ36KwW/A\n"
++	"SaMyr6WeDt0STDAfBgNVHSMEGDAWgBQ2inEK4KH6ATftmybxKE1dZUzOozAFBgMr\n"
++	"ZXADQQCnP7Oqx1epGnFnO7TrTJwcUukXDEYsINve2GeUsi8HEIeKKlMcLZ2Cnaj7\n"
++	"5v9NGuWh3QJpmmSGpEemiv8dJc4A\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA2 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBYTCCAROgAwIBAgIUP7Nmof8H2F1LyDkjqlYIUpGdXE8wBQYDK2VwMB0xGzAZ\n"
++	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
++	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
++	"K2VwAyEAkW9Rod3CXAnha6nlaHkDbCOegq94lgmjqclA9sOIt3yjYzBhMA8GA1Ud\n"
++	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2inEK4KH6ATft\n"
++	"mybxKE1dZUzOozAfBgNVHSMEGDAWgBRPq/CQlK/zuXkjZvTCibu+vejD+jAFBgMr\n"
++	"ZXADQQBU+A+uF0yrtO/yv9cRUdCoL3Y1NKM35INg8BQDnkv724cW9zk1x0q9Fuou\n"
++	"zvfSVb8S3vT8fF5ZDOxarQs6ZH0C\n"
++	"-----END CERTIFICATE-----\n",
++	/* ICA1 */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBXTCCAQ+gAwIBAgIUfUWP+AQHpdFTRKTf21mMzjaJsp0wBQYDK2VwMBkxFzAV\n"
++	"BgNVBAMTDkdudVRMUyB0ZXN0IENBMCAXDTI0MDMxMjIyNTMzOVoYDzk5OTkxMjMx\n"
++	"MjM1OTU5WjAdMRswGQYDVQQDDBJHbnVUTFMgdGVzdCBJQ0EgJGkwKjAFBgMrZXAD\n"
++	"IQAVmfBAvLbT+pTD24pQrr6S0jEIFIV/qOv93yYvAUzpzKNjMGEwDwYDVR0TAQH/\n"
++	"BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFE+r8JCUr/O5eSNm9MKJ\n"
++	"u7696MP6MB8GA1UdIwQYMBaAFAFpt5wrFsqCtHc4PpluPDvwcxQLMAUGAytlcANB\n"
++	"AC6+XZnthjlUD0TbBKRF3qT5if3Pp29Bgvutw8859unzUZW8FkHg5KeDBj9ncgJc\n"
++	"O2tFnNH2hV6LDPJzU0rtLQc=\n"
++	"-----END CERTIFICATE-----\n",
++	NULL
++};
++
++static const char *many_icas_ca[] = {
++	/* CA (self-signed) */
++	"-----BEGIN CERTIFICATE-----\n"
++	"MIIBNzCB6qADAgECAhRjaokcQwcrtW8tjuVFz3A33F8POjAFBgMrZXAwGTEXMBUG\n"
++	"A1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjQwMzEyMjI1MzM5WhgPOTk5OTEyMzEy\n"
++	"MzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMCowBQYDK2VwAyEAvoxP\n"
++	"TNdbWktxA8qQNNH+25Cx9rzP+DxLGeI/7ODwrQGjQjBAMA8GA1UdEwEB/wQFMAMB\n"
++	"Af8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQBabecKxbKgrR3OD6Zbjw78HMU\n"
++	"CzAFBgMrZXADQQCP5IUD74M7WrUx20uqzrzuj+s2jnBVmLQfWf/Ucetx+oTRFeq4\n"
++	"xZB/adWhycSeJUAB1zKqYUV9hgT8FWHbnHII\n"
++	"-----END CERTIFICATE-----\n",
++	NULL
++};
++
+ #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
+ #pragma GCC diagnostic push
+ #pragma GCC diagnostic ignored "-Wunused-variable"
+@@ -4696,6 +4903,8 @@ static struct {
+ 	  1620118136, 1 },
+ 	{ "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0,
+ 	  1704955300 },
++	{ "many intermediates - ok", many_icas, many_icas_ca, 0, 0, 0,
++	  1710284400 },
+ 	{ NULL, NULL, NULL, 0, 0 }
+ };
+ 
+-- 
+2.33.0
+

fix-ipv6-handshake-failed.patch

@@ -6,31 +6,32 @@ Subject: [PATCH] fix ipv6 handshake failed
 reason: fix ipv6 handshake failed
 
 Signed-off-by: lvying <lvying6@huawei.com>
+
 ---
- lib/ext/server_name.c      |   4 +++-
- lib/str.h                  |  10 ++++++++++
+ lib/ext/server_name.c |  4 +++-
+ lib/str.h             | 10 ++++++++++
  2 files changed, 13 insertions(+), 1 deletion(-)
 
 diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
-index 259dc99..f61c1f2 100644
+index a7329d0..7be1ca1 100644
 --- a/lib/ext/server_name.c
 +++ b/lib/ext/server_name.c
-@@ -112,7 +112,9 @@ _gnutls_server_name_recv_params(gnutls_session_t session,
+@@ -108,7 +108,9 @@ static int _gnutls_server_name_recv_params(gnutls_session_t session,
  			DECR_LEN(data_size, len);
  
- 			if (type == 0) {	/* NAME_DNS */
+ 			if (type == 0) { /* NAME_DNS */
 -				if (!_gnutls_dnsname_is_valid((char *)p, len)) {
-+                                _gnutls_debug_log("HSK[%p]: recieve server name: '%.*s'\n", session, len, p);
-+                                /* fix ipv6 format server name invaild problem */
-+                                if (!_gnutls_dnsname_is_valid((char*)p, len) && !_gnutls_ipv6_is_valid((char*)p, len)) {
- 					_gnutls_handshake_log
- 					    ("HSK[%p]: Server name is not acceptable: '%.*s'\n",
- 					     session, (int)len, p);
++				_gnutls_debug_log("HSK[%p]: recieve server name: '%.*s'\n", session, len, p);
++				/* fix ipv6 format server name invaild problem */
++				if (!_gnutls_dnsname_is_valid((char*)p, len) && !_gnutls_ipv6_is_valid((char*)p, len)) {
+ 					_gnutls_handshake_log(
+ 						"HSK[%p]: Server name is not acceptable: '%.*s'\n",
+ 						session, (int)len, p);
 diff --git a/lib/str.h b/lib/str.h
-index 9f0e7d6..e0bca4b 100644
+index 1f670cd..aa4b5b2 100644
 --- a/lib/str.h
 +++ b/lib/str.h
-@@ -60,6 +60,16 @@ inline static unsigned _gnutls_str_is_print(const char *str, unsigned size)
+@@ -64,6 +64,16 @@ inline static unsigned _gnutls_str_is_print(const char *str, unsigned size)
  	return 1;
  }
  
@@ -48,5 +49,5 @@ index 9f0e7d6..e0bca4b 100644
  {
  	unsigned i;
 -- 
-2.19.1
+2.33.0
 

gnutls.spec

@@ -1,6 +1,6 @@
 Name: gnutls
-Version: 3.8.0
-Release: 3
+Version: 3.8.2
+Release: 5
 Summary: The GNU Secure Communication Protocol Library
 
 License: LGPLv2.1+ and GPLv3+
@@ -9,9 +9,11 @@ Source0: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz
 Source1: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz.sig
 
 Patch0: fix-ipv6-handshake-failed.patch
-Patch1: backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch
-Patch2: backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
-Patch3: backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch
+Patch1: backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
+Patch2: backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch
+Patch3: backport-fix-CVE-2024-28834-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch
+Patch4: backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch 
+Patch5: backport-CVE-2024-12243-x509-optimize-name-constraints-processing.patch
 
 %bcond_without dane
 %bcond_with guile
@@ -37,12 +39,8 @@ Requires: crypto-policies, p11-kit-trust, libtasn1, nettle
 Recommends: trousers >= 0.3.11.2
 
 Provides: bundled(gnulib) = 20130424
-Provides: gnutls-utils = %{version}-%{release}
 Provides: gnutls-c++ = %{version}-%{release}
-Provides: gnutls-dane = %{version}-%{release}
-Obsoletes: gnutls-utils < %{version}-%{release} 
-Obsoletes: gnutls-c++ < %{version}-%{release} 
-Obsoletes: gnutls-dane < %{version}-%{release}
+Obsoletes: gnutls-c++ < %{version}-%{release}
 
 %description
 GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
@@ -58,11 +56,47 @@ of application code.
 %package devel
 Summary: Development files for %{name}
 Requires: %{name}%{?_isa} = %{version}-%{release}
+%if %{with dane}
+Requires: %{name}-dane%{?_isa} = %{version}-%{release}
+%endif
 Requires: pkgconf
 
 %description devel
 This package contains files needed for developing applications with %{name}.
 
+%package utils
+License: GPL-3.0-or-later
+Summary: Command line tools for TLS protocol
+Requires: %{name}%{?_isa} = %{version}-%{release}
+%if %{with dane}
+Requires: %{name}-dane%{?_isa} = %{version}-%{release}
+%endif
+
+%description utils
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
+protocols and technologies around them. It provides a simple C language
+application programming interface (API) to access the secure communications
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
+other required structures.
+This package contains command line TLS client and server and certificate
+manipulation tools.
+
+%if %{with dane}
+%package dane
+Summary: A DANE protocol implementation for GnuTLS
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description dane
+GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
+protocols and technologies around them. It provides a simple C language
+application programming interface (API) to access the secure communications
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
+other required structures.
+This package contains library that implements the DANE protocol for verifying
+TLS certificates through DNSSEC.
+
+%endif
+
 %package_help
 
 %if %{with guile}
@@ -90,8 +124,10 @@ echo "SYSTEM=NORMAL" >> tests/system.prio
 # via the crypto policies
 
 %build
+%if "%toolchain" != "clang"
 CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
 export CCASFLAGS
+%endif
 
 # These should be checked by m4/guile.m4 instead of configure.ac
 # taking into account of _guile_suffix
@@ -159,22 +195,31 @@ make check %{?_smp_mflags}
 %defattr(-,root,root)
 %doc README.md AUTHORS
 %license LICENSE doc/COPYING doc/COPYING.LESSER
-%{_bindir}/certtool
-%{_bindir}/tpmtool
-%{_bindir}/ocsptool
-%{_bindir}/psktool
-%{_bindir}/p11tool
-%{_bindir}/gnutls*
-%if %{with dane}
-%{_bindir}/danetool
-%{_libdir}/libgnutls-dane.so.*
-%endif
 %{_libdir}/libgnutls.so.30*
 %{_libdir}/libgnutlsxx.so.*
 %if %{with fips}
 %{_libdir}/.libgnutls.so.*.hmac
 %endif
 
+%files utils
+%{_bindir}/certtool
+%{_bindir}/tpmtool
+%{_bindir}/ocsptool
+%{_bindir}/psktool
+%{_bindir}/p11tool
+%if %{with dane}
+%{_bindir}/danetool
+%endif
+%{_bindir}/gnutls*
+%{_mandir}/man1/*
+%doc doc/certtool.cfg
+
+%if %{with dane}
+%files dane
+%{_libdir}/libgnutls-dane.so.*
+%endif
+
+
 %files devel
 %defattr(-,root,root)
 %{_libdir}/pkgconfig/*.pc
@@ -201,6 +246,34 @@ make check %{?_smp_mflags}
 %endif
 
 %changelog
+* Thu Feb 13 2025 xuraoqing <xuraoqing@huawei.com> - 3.8.2-5
+- fix CVE-2024-12243
+
+* Fri Mar 22 2024 wangyaoyong <yaoyong.oerv@isrc.iscas.ac.cn> - 3.8.2-4
+- support change CC to compile with clang
+
+* Fri Mar 22 2024 xuraoqing <xuraoqing@huawei.com> - 3.8.2-3
+- fix CVE-2024-28834 and CVE-2024-28835
+
+* Wed Feb 28 2024 duyiwei <duyiwei@kylinos.cn> - 3.8.2-2
+- detach the sub package gnutls-utils and gnutls-dane from gnutls
+
+* Mon Jan 29 2024 xuraoqing <xuraoqing@huawei.com> - 3.8.2-1
+- update to 3.8.2
+- some API and ABI modifications, see NEWS for details
+- New option --attime to specify current time
+- libgnutls: Add a mechanism to control whether to enforce extended master secret (RFC 7627)
+- libgnutls: Add additional PBKDF limit checks in FIPS mode as defined in SP 800-132
+- libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to %GNUTLS_NO_DEFAULT_EXTENSIONS.
+- libgnutls: Add support for RFC 9258 external PSK importer.
+- libgnutls: ClientHello extensions are randomized by default,
+             To make fingerprinting harder, TLS extensions in ClientHello messages are shuffled.
+- gnutls-cli: New option --starttls-name.
+- libgnutls: transparent KTLS support is extended to FreeBSD kernel.
+- libgnutls: Added support for AES-GCM-SIV ciphers (RFC 8452).
+- libgnutls: Add API functions to perform ECDH and DH key agreement.
+- libgnutls: Fix timing side-channel inside RSA-PSK key exchange(CVE-2023-5981).
+
 * Wed Jan 17 2024 xuraoqing <xuraoqing@huawei.com> - 3.8.0-3
 - fix CVE-2024-0553 and CVE-2024-0567