!153 fix CVE-2024-28835

From: @fangxiuning Reviewed-by: @zhujianwei001 Signed-off-by: @zhujianwei001
fix
2024-04-19 01:33:53 +00:00 · 2024-04-18 19:05:41 +08:00 · 2024-04-18 19:01:51 +08:00 · 2024-03-27 07:29:44 +00:00 · 2024-03-26 19:29:48 +08:00 · 2024-03-26 06:40:09 +00:00
10 changed files with 4698 additions and 1 deletions
--- a/backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch
+++ b/backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch
@ -0,0 +1,212 @@
 From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001                                                                                                                 
 From: Daiki Ueno <ueno@gnu.org>
 Date: Mon, 23 Oct 2023 09:26:57 +0900
 Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
 This removes branching that depends on secret data, porting changes
 for regular RSA key exchange from
 4804febddc2ed958e5ae774de2a8f85edeeff538 and
 80a6ce8ddb02477cd724cd5b2944791aaddb702a.  This also removes the
 allow_wrong_pms as it was used sorely to control debug output
 depending on the branching.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 Conflict::rsa.c,rsa_psk.c,gnutls_int.h
 ---
 lib/auth/rsa.c     |  2 +-
 lib/auth/rsa_psk.c | 93 +++++++++++++++++-----------------------------
 lib/gnutls_int.h   |  4 --
 lib/priority.c     |  1 -
 4 files changed, 35 insertions(+), 65 deletions(-)
 diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
 index d9635a9..8c87e66 100644
 --- a/lib/auth/rsa.c
 +++ b/lib/auth/rsa.c
@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
 			 session->key.key.size);
 	/* After this point, any conditional on failure that cause differences
 	 * in execution may create a timing or cache access pattern side
 -	 * channel that can be used as an oracle, so treat very carefully */
 +	 * channel that can be used as an oracle, so tread carefully */
 	/* Error handling logic:
 	 * In case decryption fails then don't inform the peer. Just use the
 diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
 index 1a9dab5..93c2dc9 100644
 --- a/lib/auth/rsa_psk.c
 +++ b/lib/auth/rsa_psk.c
@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
 {
 	gnutls_datum_t username;
 	psk_auth_info_t info;
 -	gnutls_datum_t plaintext;
 	gnutls_datum_t ciphertext;
 	gnutls_datum_t pwd_psk = { NULL, 0 };
 	int ret, dsize;
 -	int randomize_key = 0;
 	ssize_t data_size = _data_size;
 	gnutls_psk_server_credentials_t cred;
 	gnutls_datum_t premaster_secret = { NULL, 0 };
 +	volatile uint8_t ver_maj, ver_min;
 	cred = (gnutls_psk_server_credentials_t)
 	    _gnutls_get_cred(session, GNUTLS_CRD_PSK);
@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
 	}
 	ciphertext.size = dsize;
 -	ret =
 -	    gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
 -					&ciphertext, &plaintext);
 -	if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
 -		/* In case decryption fails then don't inform
 -		 * the peer. Just use a random key. (in order to avoid
 -		 * attack against pkcs-1 formatting).
 -		 */
 +	ver_maj = _gnutls_get_adv_version_major(session);
 +	ver_min = _gnutls_get_adv_version_minor(session);
 +
 +	premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
 +	if (premaster_secret.data == NULL) {
 		gnutls_assert();
 -		_gnutls_debug_log
 -		    ("auth_rsa_psk: Possible PKCS #1 format attack\n");
 -		if (ret >= 0) {
 -			gnutls_free(plaintext.data);
 -		}
 -		randomize_key = 1;
 -	} else {
 -		/* If the secret was properly formatted, then
 -		 * check the version number.
 -		 */
 -		if (_gnutls_get_adv_version_major(session) !=
 -		    plaintext.data[0]
 -		    || (session->internals.allow_wrong_pms == 0
 -			&& _gnutls_get_adv_version_minor(session) !=
 -			plaintext.data[1])) {
 -			/* No error is returned here, if the version number check
 -			 * fails. We proceed normally.
 -			 * That is to defend against the attack described in the paper
 -			 * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
 -			 * Ondej Pokorny and Tomas Rosa.
 -			 */
 -			gnutls_assert();
 -			_gnutls_debug_log
 -			    ("auth_rsa: Possible PKCS #1 version check format attack\n");
 -		}
 +		return GNUTLS_E_MEMORY_ERROR;
 	}
 +	premaster_secret.size = GNUTLS_MASTER_SIZE;
 -
 -	if (randomize_key != 0) {
 -		premaster_secret.size = GNUTLS_MASTER_SIZE;
 -		premaster_secret.data =
 -		    gnutls_malloc(premaster_secret.size);
 -		if (premaster_secret.data == NULL) {
 -			gnutls_assert();
 -			return GNUTLS_E_MEMORY_ERROR;
 -		}
 -
 -		/* we do not need strong random numbers here.
 -		 */
 -		ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
 -				  premaster_secret.size);
 -		if (ret < 0) {
 -			gnutls_assert();
 -			goto cleanup;
 -		}
 -	} else {
 -		premaster_secret.data = plaintext.data;
 -		premaster_secret.size = plaintext.size;
 +	/* Fallback value when decryption fails. Needs to be unpredictable. */
 +	ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
 +			 premaster_secret.size);
 +	if (ret < 0) {
 +		gnutls_assert();
 +		goto cleanup;
 	}
 +	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
 +				     &ciphertext, premaster_secret.data,
 +				     premaster_secret.size);
 +	/* After this point, any conditional on failure that cause differences
 +	 * in execution may create a timing or cache access pattern side
 +	 * channel that can be used as an oracle, so tread carefully */
 +
 +	/* Error handling logic:
 +	 * In case decryption fails then don't inform the peer. Just use the
 +	 * random key previously generated. (in order to avoid attack against
 +	 * pkcs-1 formatting).
 +	 *
 +	 * If we get version mismatches no error is returned either. We
 +	 * proceed normally. This is to defend against the attack described
 +	 * in the paper "Attacking RSA-based sessions in SSL/TLS" by
 +	 * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
 +	 */
 +
 	/* This is here to avoid the version check attack
 	 * discussed above.
 	 */
 -
 -	premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
 -	premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
 +	premaster_secret.data[0] = ver_maj;
 +	premaster_secret.data[1] = ver_min;
 	/* find the key of this username
 	 */
 diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
 index b9eace5..2eafc18 100644
 --- a/lib/gnutls_int.h
 +++ b/lib/gnutls_int.h
@@ -971,7 +971,6 @@ struct gnutls_priority_st {
 	bool _no_etm;
 	bool _no_ext_master_secret;
 	bool _allow_key_usage_violation;
 -	bool _allow_wrong_pms;
 	bool _dumbfw;
 	unsigned int _dh_prime_bits;	/* old (deprecated) variable */
@@ -989,7 +988,6 @@ struct gnutls_priority_st {
 	      (x)->no_etm = 1; \
 	      (x)->no_ext_master_secret = 1; \
 	      (x)->allow_key_usage_violation = 1; \
 -	      (x)->allow_wrong_pms = 1; \
 	      (x)->dumbfw = 1
 #define ENABLE_PRIO_COMPAT(x) \
@@ -998,7 +996,6 @@ struct gnutls_priority_st {
 	      (x)->_no_etm = 1; \
 	      (x)->_no_ext_master_secret = 1; \
 	      (x)->_allow_key_usage_violation = 1; \
 -	      (x)->_allow_wrong_pms = 1; \
 	      (x)->_dumbfw = 1
 /* DH and RSA parameters types.
@@ -1123,7 +1120,6 @@ typedef struct {
 	bool no_etm;
 	bool no_ext_master_secret;
 	bool allow_key_usage_violation;
 -	bool allow_wrong_pms;
 	bool dumbfw;
 	/* old (deprecated) variable. This is used for both srp_prime_bits
 diff --git a/lib/priority.c b/lib/priority.c
 index 0a284ae..67ec887 100644
 --- a/lib/priority.c
 +++ b/lib/priority.c
@@ -681,7 +681,6 @@ gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority)
 	COPY_TO_INTERNALS(no_etm);
 	COPY_TO_INTERNALS(no_ext_master_secret);
 	COPY_TO_INTERNALS(allow_key_usage_violation);
 -	COPY_TO_INTERNALS(allow_wrong_pms);
 	COPY_TO_INTERNALS(dumbfw);
 	COPY_TO_INTERNALS(dh_prime_bits);
 -- 
 2.33.0
--- a/backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
+++ b/backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
@ -0,0 +1,125 @@
 From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Wed, 10 Jan 2024 19:13:17 +0900
 Subject: [PATCH] rsa-psk: minimize branching after decryption
 This moves any non-trivial code between gnutls_privkey_decrypt_data2
 and the function return in _gnutls_proc_rsa_psk_client_kx up until the
 decryption.  This also avoids an extra memcpy to session->key.key.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 Reference: https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e
 Conflicts: lib/auth/rsa_psk.c
 ---
 lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
 1 file changed, 35 insertions(+), 33 deletions(-)
 diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
 index 93c2dc9..a77aeb6 100644
 --- a/lib/auth/rsa_psk.c
 +++ b/lib/auth/rsa_psk.c
@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
 	int ret, dsize;
 	ssize_t data_size = _data_size;
 	gnutls_psk_server_credentials_t cred;
 -	gnutls_datum_t premaster_secret = { NULL, 0 };
 	volatile uint8_t ver_maj, ver_min;
 	cred = (gnutls_psk_server_credentials_t)
@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
 	ver_maj = _gnutls_get_adv_version_major(session);
 	ver_min = _gnutls_get_adv_version_minor(session);
 -	premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
 -	if (premaster_secret.data == NULL) {
 +	/* Find the key of this username. A random value will be
 +	 * filled in if the key is not found.
 +	 */
 +	ret = _gnutls_psk_pwd_find_entry(session, info->username,
 +					 strlen(info->username), &pwd_psk);
 +	if (ret < 0)
 +		return gnutls_assert_val(ret);
 +
 +	/* Allocate memory for premaster secret, and fill in the
 +	 * fields except the decryption result.
 +	 */
 +	session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
 +	session->key.key.data = gnutls_malloc(session->key.key.size);
 +	if (session->key.key.data == NULL) {
 		gnutls_assert();
 +		_gnutls_free_key_datum(&pwd_psk);
 +		/* No need to zeroize, as the secret is not copied in yet */
 +		_gnutls_free_datum(&session->key.key);
 		return GNUTLS_E_MEMORY_ERROR;
 	}
 -	premaster_secret.size = GNUTLS_MASTER_SIZE;
 	/* Fallback value when decryption fails. Needs to be unpredictable. */
 -	ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
 -			 premaster_secret.size);
 +	ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
 +			 GNUTLS_MASTER_SIZE);
 	if (ret < 0) {
 		gnutls_assert();
 -		goto cleanup;
 +		_gnutls_free_key_datum(&pwd_psk);
 +		/* No need to zeroize, as the secret is not copied in yet */
 +		_gnutls_free_datum(&session->key.key);
 +		return ret;
 	}
 +	_gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
 +	_gnutls_write_uint16(pwd_psk.size,
 +			     &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
 +	memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
 +	       pwd_psk.size);
 +	_gnutls_free_key_datum(&pwd_psk);
 +
 	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
 -				     &ciphertext, premaster_secret.data,
 -				     premaster_secret.size);
 +				     &ciphertext, session->key.key.data + 2,
 +				     GNUTLS_MASTER_SIZE);
 	/* After this point, any conditional on failure that cause differences
 	 * in execution may create a timing or cache access pattern side
 	 * channel that can be used as an oracle, so tread carefully */
@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
 	/* This is here to avoid the version check attack
 	 * discussed above.
 	 */
 -	premaster_secret.data[0] = ver_maj;
 -	premaster_secret.data[1] = ver_min;
 +	session->key.key.data[2] = ver_maj;
 +	session->key.key.data[3] = ver_min;
 -	/* find the key of this username
 -	 */
 -	ret =
 -	    _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
 -	if (ret < 0) {
 -		gnutls_assert();
 -		goto cleanup;
 -	}
 -
 -	ret =
 -	    set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
 -	if (ret < 0) {
 -		gnutls_assert();
 -		goto cleanup;
 -	}
 -
 -	ret = 0;
 -      cleanup:
 -	_gnutls_free_key_datum(&pwd_psk);
 -	_gnutls_free_temp_key_datum(&premaster_secret);
 -
 -	return ret;
 +	return 0;
 }
 static int
 -- 
 2.33.0
--- a/backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch
+++ b/backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch
@ -0,0 +1,186 @@
 From 9edbdaa84e38b1bfb53a7d72c1de44f8de373405 Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Thu, 11 Jan 2024 15:45:11 +0900
 Subject: [PATCH] x509: detect loop in certificate chain
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 There can be a loop in a certificate chain, when multiple CA
 certificates are cross-signed with each other, such as A → B, B → C,
 and C → A.  Previously, the verification logic was not capable of
 handling this scenario while sorting the certificates in the chain in
 _gnutls_sort_clist, resulting in an assertion failure.  This patch
 properly detects such loop and aborts further processing in a graceful
 manner.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 Reference: https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405
 Conflicts: tests/test-chains.h
 ---
 lib/x509/common.c   |   4 ++
 tests/test-chains.h | 124 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 128 insertions(+)
 diff --git a/lib/x509/common.c b/lib/x509/common.c
 index c156bd9..96e7e7c 100644
 --- a/lib/x509/common.c
 +++ b/lib/x509/common.c
@@ -1787,6 +1787,10 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
 			break;
 		}
 +		if (insorted[prev]) { /* loop detected */
 +			break;
 +		}
 +
 		sorted[i] = clist[prev];
 		insorted[prev] = 1;
 	}
 diff --git a/tests/test-chains.h b/tests/test-chains.h
 index c3c499a..07e90bb 100644
 --- a/tests/test-chains.h
 +++ b/tests/test-chains.h
@@ -4263,6 +4263,129 @@ static const char *rsa_sha1_not_in_trusted_ca[] = {
 	NULL
 };
 +static const char *cross_signed[] = {
 +	/* server (signed by A1) */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBqDCCAVqgAwIBAgIUejlil+8DBffazcnMNwyOOP6yCCowBQYDK2VwMBoxGDAW\n"
 +	"BgNVBAMTD0ludGVybWVkaWF0ZSBBMTAgFw0yNDAxMTEwNjI3MjJaGA85OTk5MTIz\n"
 +	"MTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYDVQQD\n"
 +	"Ew90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQA1ZVS0PcNeTPQMZ+FuVz82AHrj\n"
 +	"qL5hWEpCDgpG4M4fxaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCD3Rl\n"
 +	"c3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMC\n"
 +	"B4AwHQYDVR0OBBYEFGtEUv+JSt+zPoO3lu0IiObZVoiNMB8GA1UdIwQYMBaAFPnY\n"
 +	"v6Pw0IvKSqIlb6ewHyEAmTA3MAUGAytlcANBAAS2lyc87kH/aOvNKzPjqDwUYxPA\n"
 +	"CfYjyaKea2d0DZLBM5+Bjnj/4aWwTKgVTJzWhLJcLtaSdVHrXqjr9NhEhQ0=\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* A1 (signed by A) */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBUjCCAQSgAwIBAgIUe/R+NVp04e74ySw2qgI6KZgFR20wBQYDK2VwMBExDzAN\n"
 +	"BgNVBAMTBlJvb3QgQTAgFw0yNDAxMTEwNjI1MDFaGA85OTk5MTIzMTIzNTk1OVow\n"
 +	"GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEExMCowBQYDK2VwAyEAlkTNqwz973sy\n"
 +	"u3whMjSiUMs77CZu5YA7Gi5KcakExrKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
 +	"VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT52L+j8NCLykqiJW+nsB8hAJkwNzAfBgNV\n"
 +	"HSMEGDAWgBRbYgOkRGsd3Z74+CauX4htzLg0lzAFBgMrZXADQQBM0NBaFVPd3cTJ\n"
 +	"DSaZNT34fsHuJk4eagpn8mBxKQpghq4s8Ap+nYtp2KiXjcizss53PeLXVnkfyLi0\n"
 +	"TLVBHvUJ\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* A (signed by B) */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBSDCB+6ADAgECAhQtdJpg+qlPcLoRW8iiztJUD4xNvDAFBgMrZXAwETEPMA0G\n"
 +	"A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MTk1OVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
 +	"MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n"
 +	"WbnINkmOSNmOiZlGHKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
 +	"AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMB8GA1UdIwQYMBaAFJFA\n"
 +	"s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBAPv674p9ek5GjRcRfVQhgN+kQlHU\n"
 +	"u774wL3Vx3fWA1E7+WchdMzcHrPoa5OKtKmxjIKUTO4SeDZL/AVpvulrWwk=\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* A (signed by C) */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n"
 +	"A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
 +	"MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
 +	"3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
 +	"AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n"
 +	"XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n"
 +	"BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* B1 (signed by B) */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBUjCCAQSgAwIBAgIUfpmrVDc1XBA5/7QYMyGBuB9mTtUwBQYDK2VwMBExDzAN\n"
 +	"BgNVBAMTBlJvb3QgQjAgFw0yNDAxMTEwNjI1MjdaGA85OTk5MTIzMTIzNTk1OVow\n"
 +	"GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEIxMCowBQYDK2VwAyEAh6ZTuJWsweVB\n"
 +	"a5fsye5iq89kWDC2Y/Hlc0htLmjzMP+jYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
 +	"VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBTMQu37PKyLjKfPODZgxYCaayff+jAfBgNV\n"
 +	"HSMEGDAWgBSRQLNq4Oo/MPQCiLUZzjjoxthRujAFBgMrZXADQQBblmguY+lnYvOK\n"
 +	"rAZJnqpEUGfm1tIFyu3rnlE7WOVcXRXMIoNApLH2iHIipQjlvNWuSBFBTC1qdewh\n"
 +	"/e+0cgQB\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* B (signed by A) */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBSDCB+6ADAgECAhRpEm+dWNX6DMZh/nottkFfFFrXXDAFBgMrZXAwETEPMA0G\n"
 +	"A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTcyNloYDzk5OTkxMjMxMjM1OTU5WjAR\n"
 +	"MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
 +	"3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
 +	"AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFFti\n"
 +	"A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAFvmcK3Ida5ViVYDzxKVLPcPsCHe\n"
 +	"3hxz99lBrerJC9iJSvRYTJoPBvjTxDYnBn5EFrQYMrUED+6i71lmGXNU9gs=\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* B (signed by C) */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBSDCB+6ADAgECAhReNpCiVn7eFDUox3mvM5qE942AVzAFBgMrZXAwETEPMA0G\n"
 +	"A1UEAxMGUm9vdCBDMCAXDTI0MDExMTA2MjEyMVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
 +	"MQ8wDQYDVQQDEwZSb290IEIwKjAFBgMrZXADIQAYX92hS97OGKbMzwrD7ReVifwM\n"
 +	"3iz5tnfQHWQSkvvYMKNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
 +	"AgQwHQYDVR0OBBYEFJFAs2rg6j8w9AKItRnOOOjG2FG6MB8GA1UdIwQYMBaAFEh/\n"
 +	"XKjIuMeEavX5QVoy39Q+GhnwMAUGAytlcANBAIwghH3gelXty8qtoTGIEJb0+EBv\n"
 +	"BH4YOUh7TamxjxkjvvIhDA7ZdheofFb7NrklJco7KBcTATUSOvxakYRP9Q8=\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* C1 (signed by C) */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBUjCCAQSgAwIBAgIUSKsfY1wD3eD2VmaaK1wt5naPckMwBQYDK2VwMBExDzAN\n"
 +	"BgNVBAMTBlJvb3QgQzAgFw0yNDAxMTEwNjI1NDdaGA85OTk5MTIzMTIzNTk1OVow\n"
 +	"GjEYMBYGA1UEAxMPSW50ZXJtZWRpYXRlIEMxMCowBQYDK2VwAyEA/t7i1chZlKkV\n"
 +	"qxJOrmmyATn8XnpK+nV/iT4OMHSHfAyjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYD\n"
 +	"VR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRmpF3JjoP3NiBzE5J5ANT0bvfRmjAfBgNV\n"
 +	"HSMEGDAWgBRIf1yoyLjHhGr1+UFaMt/UPhoZ8DAFBgMrZXADQQAeRBXv6WCTOp0G\n"
 +	"3wgd8bbEGrrILfpi+qH7aj/MywgkPIlppDYRQ3jL6ASd+So/408dlE0DV9DXKBi0\n"
 +	"725XUUYO\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* C (signed by A) */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBSDCB+6ADAgECAhRvbZv3SRTjDOiAbyFWHH4y0yMZkjAFBgMrZXAwETEPMA0G\n"
 +	"A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTg1MVoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
 +	"MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n"
 +	"8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
 +	"AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFFti\n"
 +	"A6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAPl+SyiOfXJnjSWx8hFMhJ7w92mn\n"
 +	"tkGifCFHBpUhYcBIMeMtLw0RBLXqaaN0EKlTFimiEkLClsU7DKYrpEEJegs=\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* C (signed by B) */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBSDCB+6ADAgECAhQU1OJWRVOLrGrgJiLwexd1/MwKkTAFBgMrZXAwETEPMA0G\n"
 +	"A1UEAxMGUm9vdCBCMCAXDTI0MDExMTA2MjAzMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
 +	"MQ8wDQYDVQQDEwZSb290IEMwKjAFBgMrZXADIQDxm6Ubhsa0gSa1vBCIO5e+qZEH\n"
 +	"8Oocz+buNHfIJbh5NaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
 +	"AgQwHQYDVR0OBBYEFEh/XKjIuMeEavX5QVoy39Q+GhnwMB8GA1UdIwQYMBaAFJFA\n"
 +	"s2rg6j8w9AKItRnOOOjG2FG6MAUGAytlcANBALXeyuj8vj6Q8j4l17VzZwmJl0gN\n"
 +	"bCGoKMl0J/0NiN/fQRIsdbwQDh0RUN/RN3I6DTtB20ER6f3VdnzAh8nXkQ4=\n"
 +	"-----END CERTIFICATE-----\n",
 +	NULL
 +};
 +
 +static const char *cross_signed_ca[] = {
 +	/* A (self-signed) */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBJzCB2qADAgECAhQs1Ur+gzPs1ISxs3Tbs700q0CZcjAFBgMrZXAwETEPMA0G\n"
 +	"A1UEAxMGUm9vdCBBMCAXDTI0MDExMTA2MTYwMFoYDzk5OTkxMjMxMjM1OTU5WjAR\n"
 +	"MQ8wDQYDVQQDEwZSb290IEEwKjAFBgMrZXADIQA0vDYyg3tgotSETL1Wq2hBs32p\n"
 +	"WbnINkmOSNmOiZlGHKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
 +	"AgQwHQYDVR0OBBYEFFtiA6REax3dnvj4Jq5fiG3MuDSXMAUGAytlcANBAHrVv7E9\n"
 +	"5scuOVCH9gNRRm8Z9SUoLakRHAPnySdg6z/kI3vOgA/OM7reArpnW8l1H2FapgpL\n"
 +	"bDeZ2XJH+BdVFwg=\n"
 +	"-----END CERTIFICATE-----\n",
 +	NULL
 +};
 +
 #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
 #  pragma GCC diagnostic push
 #  pragma GCC diagnostic ignored "-Wunused-variable"
@@ -4442,6 +4565,7 @@ static struct
     rsa_sha1_not_in_trusted, rsa_sha1_not_in_trusted_ca,
     GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
     GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
 +  { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0, 1704955300},
   { NULL, NULL, NULL, 0, 0}
 };
 -- 
 2.33.0
--- a/backport-Fix-removal-of-duplicate-certs-during-verification.patch
+++ b/backport-Fix-removal-of-duplicate-certs-during-verification.patch
@ -0,0 +1,387 @@
 From e89378d5853d9bd0136b95aade37e23762ad9290 Mon Sep 17 00:00:00 2001                                                                   
 From: Zoltan Fridrich <zfridric@redhat.com>
 Date: Mon, 17 Oct 2022 15:27:37 +0200
 Subject: [PATCH] Fix removal of duplicate certs during verification
 Co-authored-by: Daiki Ueno <ueno@gnu.org>
 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
 Reference: https://gitlab.com/gnutls/gnutls/-/commit/e89378d5853d9bd0136b95aade37e23762ad9290
 Conflict: .gitignore
 ---
 lib/x509/verify-high.c        | 101 ++++---------------
 tests/Makefile.am             |   2 +-
 tests/x509-verify-duplicate.c | 181 ++++++++++++++++++++++++++++++++++
 3 files changed, 202 insertions(+), 82 deletions(-)
 create mode 100644 tests/x509-verify-duplicate.c
 diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
 index 5698d4f..2c070b0 100644
 --- a/lib/x509/verify-high.c
 +++ b/lib/x509/verify-high.c
@@ -35,6 +35,8 @@
 #include <gnutls/x509-ext.h>
 #include "verify-high.h"
 #include "intprops.h"
 +#include "gl_linkedhash_list.h"
 +#include "gl_list.h"
 struct named_cert_st {
 	gnutls_x509_crt_t cert;
@@ -68,82 +70,19 @@ struct gnutls_x509_trust_list_iter {
 #define DEFAULT_SIZE 127
 -struct cert_set_node_st {
 -	gnutls_x509_crt_t *certs;
 -	unsigned int size;
 -};
 -
 -struct cert_set_st {
 -	struct cert_set_node_st *node;
 -	unsigned int size;
 -};
 -
 -static int
 -cert_set_init(struct cert_set_st *set, unsigned int size)
 -{
 -	memset(set, 0, sizeof(*set));
 -
 -	set->size = size;
 -	set->node = gnutls_calloc(size, sizeof(*set->node));
 -	if (!set->node) {
 -		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 -	}
 -
 -	return 0;
 -}
 -
 -static void
 -cert_set_deinit(struct cert_set_st *set)
 -{
 -	size_t i;
 -
 -	for (i = 0; i < set->size; i++) {
 -		gnutls_free(set->node[i].certs);
 -	}
 -
 -	gnutls_free(set->node);
 -}
 -
 static bool
 -cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
 +cert_eq(const void *cert1, const void *cert2)
 {
 -	size_t hash, i;
 -
 -	hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
 -	hash %= set->size;
 -
 -	for (i = 0; i < set->node[hash].size; i++) {
 -		if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
 -			return true;
 -		}
 -	}
 -
 -	return false;
 +	const gnutls_x509_crt_t c1 = (const gnutls_x509_crt_t)cert1;
 +	const gnutls_x509_crt_t c2 = (const gnutls_x509_crt_t)cert2;
 +	return gnutls_x509_crt_equals(c1, c2);
 }
 -static int
 -cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
 +static size_t
 +cert_hashcode(const void *cert)
 {
 -	size_t hash;
 -
 -	hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
 -	hash %= set->size;
 -
 -	if (unlikely(INT_ADD_OVERFLOW(set->node[hash].size, 1))) {
 -		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 -	}
 -
 -	set->node[hash].certs =
 -		_gnutls_reallocarray_fast(set->node[hash].certs,
 -					  set->node[hash].size + 1,
 -					  sizeof(*set->node[hash].certs));
 -	if (!set->node[hash].certs) {
 -		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 -	}
 -	set->node[hash].certs[set->node[hash].size] = cert;
 -	set->node[hash].size++;
 -
 -	return 0;
 +	const gnutls_x509_crt_t c = (const gnutls_x509_crt_t)cert;
 +	return hash_pjw_bare(c->raw_dn.data, c->raw_dn.size) % DEFAULT_MAX_VERIFY_DEPTH;
 }
 /**
@@ -1426,7 +1365,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 	unsigned have_set_name = 0;
 	unsigned saved_output;
 	gnutls_datum_t ip = {NULL, 0};
 -	struct cert_set_st cert_set = { NULL, 0 };
 +	gl_list_t records;
 	if (cert_list == NULL || cert_list_size < 1)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -1475,10 +1414,9 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 	memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
 	cert_list = sorted;
 -	ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
 -	if (ret < 0) {
 -		return ret;
 -	}
 +	records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false);
 +	if (records == NULL)
 +		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 	for (i = 0; i < cert_list_size &&
 		     cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
@@ -1493,8 +1431,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 		/* Remove duplicates. Start with index 1, as the first element
 		 * may be re-checked after issuer retrieval. */
 -		for (j = 1; j < sorted_size; j++) {
 -			if (cert_set_contains(&cert_set, cert_list[i + j])) {
 +		for (j = 0; j < sorted_size; j++) {
 +			if (gl_list_search(records, cert_list[i + j])) {
 				if (i + j < cert_list_size - 1) {
 					memmove(&cert_list[i + j],
 						&cert_list[i + j + 1],
@@ -1511,8 +1449,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 		/* Record the certificates seen. */
 		for (j = 0; j < sorted_size; j++, i++) {
 -			ret = cert_set_add(&cert_set, cert_list[i]);
 -			if (ret < 0) {
 +			if (!gl_list_nx_add_last(records, cert_list[i])) {
 +				ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 				goto cleanup;
 			}
 		}
@@ -1559,6 +1497,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 			/* Start again from the end of the previous segment. */
 			i--;
 +			gl_list_remove(records, cert_list[i]);
 		}
 	}
@@ -1718,7 +1657,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 	for (i = 0; i < retrieved_size; i++) {
 		gnutls_x509_crt_deinit(retrieved[i]);
 	}
 -	cert_set_deinit(&cert_set);
 +	gl_list_free(records);
 	return ret;
 }
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index b65fb65..f92a130 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -172,7 +172,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
 	 crlverify mini-dtls-discard mini-record-failure openconnect-dtls12 \
 	 tls12-rehandshake-cert-2 custom-urls set_x509_key_mem set_x509_key_file \
 	 tls12-rehandshake-cert-auto tls12-rehandshake-set-prio \
 -	 mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
 +	 mini-chain-unsorted x509-verify-duplicate x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \
 	 mini-dtls-record-asym key-import-export priority-set priority-set2 \
 	 pubkey-import-export sign-is-secure spki spki-abstract rsa-rsa-pss \
 	 mini-dtls-fork dtls-pthread mini-key-material x509cert-invalid \
 diff --git a/tests/x509-verify-duplicate.c b/tests/x509-verify-duplicate.c
 new file mode 100644
 index 0000000..f47a8b2
 --- /dev/null
 +++ b/tests/x509-verify-duplicate.c
@@ -0,0 +1,181 @@
 +/*
 + * Copyright (C) 2022 Red Hat, Inc.
 + *
 + * Author: Zoltan Fridrich
 + *
 + * This file is part of GnuTLS.
 + *
 + * GnuTLS is free software: you can redistribute it and/or modify it
 + * under the terms of the GNU General Public License as published by
 + * the Free Software Foundation, either version 3 of the License, or
 + * (at your option) any later version.
 + *
 + * GnuTLS is distributed in the hope that it will be useful, but
 + * WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 + * General Public License for more details.
 + *
 + * You should have received a copy of the GNU General Public License
 + * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
 + */
 +
 +#ifdef HAVE_CONFIG_H
 +#include <config.h>
 +#endif
 +
 +#include <gnutls/x509.h>
 +
 +#include "utils.h"
 +
 +#define CHECK(X)\
 +{\
 +	r = X;\
 +	if (r < 0)\
 +		fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\
 +}\
 +
 +static char cert_pem[] =
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIFLzCCBBegAwIBAgISAycvItcPAZ5yClzMOYYcod4cMA0GCSqGSIb3DQEBCwUA\n"
 +	"MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n"
 +	"EwJSMzAeFw0yMjA4MjMwNjMzMjlaFw0yMjExMjEwNjMzMjhaMBcxFTATBgNVBAMT\n"
 +	"DHZvaWRwb2ludC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSt\n"
 +	"AazUWttuU/swyEdt70bpod6knYDJavnFUwicpT4ZfPh84Y2ci9Ay9oTVR8LzVq+o\n"
 +	"3FIGxXlBFhCtoGA5k5Soao/JB40+gsY+O8LgcNAdejU78m5W4e2qXq4eu/4tFUCw\n"
 +	"GkcRmqitnc5Jy0bEM+wCZKa42Lx0+WAhNRd/70yWIbzXOrXDnLgGc221JeYJ4it0\n"
 +	"ajYcf3AZuSHhL3qsTLLzuYorPqWmDy27psUiDDJOIjxVbBCRL+AY40TsQm7CZZhZ\n"
 +	"8sCkZU7rIvuDv7nf3QpUsF9Zqk9B3F4tTg0vsVuYeL1XCHGwpVeUS83MsZiLP8Zj\n"
 +	"XGQTM6GiWuOAZ9JJjrsCAwEAAaOCAlgwggJUMA4GA1UdDwEB/wQEAwIFoDAdBgNV\n"
 +	"HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E\n"
 +	"FgQUlw1h3ZwSMKRwkrQ+F4XT3QV/tn8wHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA\n"
 +	"5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu\n"
 +	"by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w\n"
 +	"JwYDVR0RBCAwHoIOKi52b2lkcG9pbnQuaW+CDHZvaWRwb2ludC5pbzBMBgNVHSAE\n"
 +	"RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw\n"
 +	"Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2\n"
 +	"AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgsme4hAAAAQDAEcw\n"
 +	"RQIhAP6sPHv1PJez/VRMw5xmAAkNU/q9ydq1mTgp7j5uBB9AAiAxm+teG9utZCLP\n"
 +	"TTTv89FHwFV9omfZzDNAiNgg8METHwB3ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4\n"
 +	"+U1dJlwlXceEAAABgsme4gUAAAQDAEgwRgIhAPKWJ7WeuBUSnDqabTAVLKU+PpzA\n"
 +	"bJJ9sehaCKW9AicZAiEAqphpC0lF4/iz2Gkxgd/DEkl9SyyAmR/lEJ7cWDMFhz8w\n"
 +	"DQYJKoZIhvcNAQELBQADggEBAC0aCscObAdTerzGUrDsuQR5FuCTAmvdk3Isqjw1\n"
 +	"dG3WuiwW1Z4ecpqCdvDSIv3toQDWVk6g/oa3fHDnY0/tu//vCwdneDdjK3gCM6cj\n"
 +	"/q0cwj+rGFx/bEVz8PR5kc3DOHGKkmHPN1BNxeLBVpk4jxziXryAVbIvxq9JrGTE\n"
 +	"SfWbWcMkHHw/QzpUfyD3B/GI8qw6XhdaNNkLDEDNV0sCPCuZYc5FBZzU4ExB2vMG\n"
 +	"QVnPfxzKWmxHs10uxXyRZJlOrrbTGU8gi0vnOQZK290dtLzEyU2sdkic1ZSn+fCo\n"
 +	"k++37mNDkiTnIQa3olRqHkypWqGfj8OyqU4XBV2Mmu4UATc=\n"
 +	"-----END CERTIFICATE-----\n"
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIFLzCCBBegAwIBAgISAycvItcPAZ5yClzMOYYcod4cMA0GCSqGSIb3DQEBCwUA\n"
 +	"MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n"
 +	"EwJSMzAeFw0yMjA4MjMwNjMzMjlaFw0yMjExMjEwNjMzMjhaMBcxFTATBgNVBAMT\n"
 +	"DHZvaWRwb2ludC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSt\n"
 +	"AazUWttuU/swyEdt70bpod6knYDJavnFUwicpT4ZfPh84Y2ci9Ay9oTVR8LzVq+o\n"
 +	"3FIGxXlBFhCtoGA5k5Soao/JB40+gsY+O8LgcNAdejU78m5W4e2qXq4eu/4tFUCw\n"
 +	"GkcRmqitnc5Jy0bEM+wCZKa42Lx0+WAhNRd/70yWIbzXOrXDnLgGc221JeYJ4it0\n"
 +	"ajYcf3AZuSHhL3qsTLLzuYorPqWmDy27psUiDDJOIjxVbBCRL+AY40TsQm7CZZhZ\n"
 +	"8sCkZU7rIvuDv7nf3QpUsF9Zqk9B3F4tTg0vsVuYeL1XCHGwpVeUS83MsZiLP8Zj\n"
 +	"XGQTM6GiWuOAZ9JJjrsCAwEAAaOCAlgwggJUMA4GA1UdDwEB/wQEAwIFoDAdBgNV\n"
 +	"HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E\n"
 +	"FgQUlw1h3ZwSMKRwkrQ+F4XT3QV/tn8wHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA\n"
 +	"5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu\n"
 +	"by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w\n"
 +	"JwYDVR0RBCAwHoIOKi52b2lkcG9pbnQuaW+CDHZvaWRwb2ludC5pbzBMBgNVHSAE\n"
 +	"RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw\n"
 +	"Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2\n"
 +	"AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgsme4hAAAAQDAEcw\n"
 +	"RQIhAP6sPHv1PJez/VRMw5xmAAkNU/q9ydq1mTgp7j5uBB9AAiAxm+teG9utZCLP\n"
 +	"TTTv89FHwFV9omfZzDNAiNgg8METHwB3ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4\n"
 +	"+U1dJlwlXceEAAABgsme4gUAAAQDAEgwRgIhAPKWJ7WeuBUSnDqabTAVLKU+PpzA\n"
 +	"bJJ9sehaCKW9AicZAiEAqphpC0lF4/iz2Gkxgd/DEkl9SyyAmR/lEJ7cWDMFhz8w\n"
 +	"DQYJKoZIhvcNAQELBQADggEBAC0aCscObAdTerzGUrDsuQR5FuCTAmvdk3Isqjw1\n"
 +	"dG3WuiwW1Z4ecpqCdvDSIv3toQDWVk6g/oa3fHDnY0/tu//vCwdneDdjK3gCM6cj\n"
 +	"/q0cwj+rGFx/bEVz8PR5kc3DOHGKkmHPN1BNxeLBVpk4jxziXryAVbIvxq9JrGTE\n"
 +	"SfWbWcMkHHw/QzpUfyD3B/GI8qw6XhdaNNkLDEDNV0sCPCuZYc5FBZzU4ExB2vMG\n"
 +	"QVnPfxzKWmxHs10uxXyRZJlOrrbTGU8gi0vnOQZK290dtLzEyU2sdkic1ZSn+fCo\n"
 +	"k++37mNDkiTnIQa3olRqHkypWqGfj8OyqU4XBV2Mmu4UATc=\n"
 +	"-----END CERTIFICATE-----\n"
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\n"
 +	"TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
 +	"cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\n"
 +	"WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\n"
 +	"RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
 +	"AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\n"
 +	"R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\n"
 +	"sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\n"
 +	"NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\n"
 +	"Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n"
 +	"/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\n"
 +	"AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\n"
 +	"Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\n"
 +	"FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\n"
 +	"AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\n"
 +	"Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\n"
 +	"gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\n"
 +	"PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\n"
 +	"ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\n"
 +	"CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\n"
 +	"lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\n"
 +	"avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\n"
 +	"yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\n"
 +	"yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\n"
 +	"hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\n"
 +	"HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\n"
 +	"MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\n"
 +	"nLRbwHOoq7hHwg==\n"
 +	"-----END CERTIFICATE-----\n"
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\n"
 +	"MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n"
 +	"DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\n"
 +	"TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
 +	"cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\n"
 +	"AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\n"
 +	"ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\n"
 +	"wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\n"
 +	"LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n"
 +	"4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\n"
 +	"bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\n"
 +	"sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\n"
 +	"Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\n"
 +	"FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\n"
 +	"SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\n"
 +	"PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\n"
 +	"TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
 +	"SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\n"
 +	"c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n"
 +	"+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\n"
 +	"ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\n"
 +	"b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\n"
 +	"U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\n"
 +	"MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n"
 +	"5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n"
 +	"9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\n"
 +	"WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\n"
 +	"he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\n"
 +	"Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n"
 +	"-----END CERTIFICATE-----\n";
 +
 +void doit(void)
 +{
 +	int r;
 +	unsigned i, certs_size, out;
 +	unsigned flags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME | GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
 +	gnutls_x509_trust_list_t tl;
 +	gnutls_x509_crt_t *certs = NULL;
 +	gnutls_datum_t cert = { (unsigned char *)cert_pem, sizeof(cert_pem) - 1 };
 +
 +	CHECK(gnutls_x509_crt_list_import2(&certs, &certs_size, &cert, GNUTLS_X509_FMT_PEM, 0));
 +	CHECK(gnutls_x509_trust_list_init(&tl, 0));
 +	CHECK(gnutls_x509_trust_list_add_cas(tl, certs + certs_size - 1, 1, 0));
 +	CHECK(gnutls_x509_trust_list_verify_crt(tl, certs, certs_size, flags, &out, NULL));
 +
 +	if (out)
 +		fail("Not verified\n");
 +
 +	gnutls_x509_trust_list_deinit(tl, 0);
 +	for (i = 0; i < certs_size; ++i)
 +		gnutls_x509_crt_deinit(certs[i]);
 +	gnutls_free(certs);
 +}
 -- 
 2.33.0
--- a/backport-add-gnulib-files.patch
+++ b/backport-add-gnulib-files.patch
--- a/backport-fix-CVE-2024-28834-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch
+++ b/backport-fix-CVE-2024-28834-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch
@ -0,0 +1,456 @@
 From 1c4701ffc342259fc5965d5a0de90d87f780e3e5 Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Fri, 12 Jan 2024 17:56:58 +0900
 Subject: [PATCH] nettle: avoid normalization of mpz_t in deterministic ECDSA
 This removes function calls that potentially leak bit-length of a
 private key used to calculate a nonce in deterministic ECDSA.  Namely:
 - _gnutls_dsa_compute_k has been rewritten to work on always
  zero-padded mp_limb_t arrays instead of mpz_t
 - rnd_mpz_func has been replaced with rnd_datum_func, which is backed
  by a byte array instead of an mpz_t value
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 Reference: https://gitlab.com/gnutls/gnutls/-/commit/1c4701ffc342259fc5965d5a0de90d87f780e3e5
 Conflict: lib/nettle/pk.c,
          lib/nettle/int/ecdsa-compute-k.c,lib/nettle/int/ecdsa-compute-k.h,
          lib/nettle/int/dsa-compute-k.c,lib/nettle/int/dsa-compute-k.h
 ---
 lib/nettle/int/dsa-compute-k.c    | 82 ++++++++++++++++++++-----------
 lib/nettle/int/dsa-compute-k.h    | 31 +++++++++---
 lib/nettle/int/ecdsa-compute-k.c  | 33 +++----------
 lib/nettle/int/ecdsa-compute-k.h  |  8 +--
 lib/nettle/pk.c                   | 79 +++++++++++++++++++----------
 tests/sign-verify-deterministic.c |  2 +-
 6 files changed, 138 insertions(+), 97 deletions(-)
 diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
 index 17d6331..649a194 100644
 --- a/lib/nettle/int/dsa-compute-k.c
 +++ b/lib/nettle/int/dsa-compute-k.c
@@ -31,33 +31,37 @@
 #include "mpn-base256.h"
 #include <string.h>
 -#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
 -
 -/* The maximum size of q, choosen from the fact that we support
 - * 521-bit elliptic curve generator and 512-bit DSA subgroup at
 - * maximum. */
 -#define MAX_Q_BITS 521
 -#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
 -#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
 -
 -#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
 -#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
 -
 -int
 -_gnutls_dsa_compute_k(mpz_t k,
 -		      const mpz_t q,
 -		      const mpz_t x,
 -		      gnutls_mac_algorithm_t mac,
 -		      const uint8_t *digest,
 +/* For mini-gmp */
 +#ifndef GMP_LIMB_BITS
 +#define GMP_LIMB_BITS GMP_NUMB_BITS
 +#endif
 +
 +static inline int is_zero_limb(mp_limb_t x)
 +{
 +	x |= (x << 1);
 +	return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1);
 +}
 +
 +static int sec_zero_p(const mp_limb_t *ap, mp_size_t n)
 +{
 +	volatile mp_limb_t w;
 +	mp_size_t i;
 +
 +	for (i = 0, w = 0; i < n; i++)
 +		w |= ap[i];
 +
 +	return is_zero_limb(w);
 +}
 +
 +int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
 +			  mp_size_t qn, mp_bitcnt_t q_bits,
 +		      gnutls_mac_algorithm_t mac, const uint8_t *digest,
 		      size_t length)
 {
 	uint8_t V[MAX_HASH_SIZE];
 	uint8_t K[MAX_HASH_SIZE];
 	uint8_t xp[MAX_Q_SIZE];
 	uint8_t tp[MAX_Q_SIZE];
 -	mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
 -	mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
 -	mp_size_t qn = mpz_size(q);
 	mp_bitcnt_t h_bits = length * 8;
 	mp_size_t hn = BITS_TO_LIMBS(h_bits);
 	size_t nbytes = (q_bits + 7) / 8;
@@ -66,6 +70,7 @@ _gnutls_dsa_compute_k(mpz_t k,
 	mp_limb_t cy;
 	gnutls_hmac_hd_t hd;
 	int ret = 0;
 +	mp_limb_t scratch[MAX_Q_LIMBS];
 	if (unlikely(q_bits > MAX_Q_BITS))
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -73,7 +78,7 @@ _gnutls_dsa_compute_k(mpz_t k,
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 	/* int2octets(x) */
 -	mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
 +	mpn_get_base256(xp, nbytes, x, qn);
 	/* bits2octets(h) */
 	mpn_set_base256(h, hn, digest, length);
@@ -97,12 +102,12 @@ _gnutls_dsa_compute_k(mpz_t k,
 			mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
 	}
 -	cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
 +	cy = mpn_sub_n(h, h, q, qn);
 	/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
 #ifdef mpn_cnd_add_n
 -	mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
 +	mpn_cnd_add_n(cy, h, h, q, qn);
 #else
 -	mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
 +	mpn_addmul_1(h, q, qn, cy != 0);
 #endif
 	mpn_get_base256(tp, nbytes, h, qn);
@@ -178,12 +183,8 @@ _gnutls_dsa_compute_k(mpz_t k,
 		if (tlen * 8 > q_bits)
 			mpn_rshift (h, h, qn, tlen * 8 - q_bits);
 		/* Check if k is in [1,q-1] */
 -		if (!mpn_zero_p (h, qn) &&
 -		    mpn_cmp (h, mpz_limbs_read(q), qn) < 0) {
 -			mpn_copyi(mpz_limbs_write(k, qn), h, qn);
 -			mpz_limbs_finish(k, qn);
 +		if (!sec_zero_p(h, qn) && mpn_sub_n(scratch, h, q, qn))
 			break;
 -		}
 		ret = gnutls_hmac_init(&hd, mac, K, length);
 		if (ret < 0)
@@ -207,3 +208,24 @@ _gnutls_dsa_compute_k(mpz_t k,
 	return ret;
 }
 +
 +/* cancel-out dsa_sign's addition of 1 to random data */
 +void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
 +				  mp_size_t n)
 +{
 +	/* Fall back to sub_1, if nettle is linked with mini-gmp. */
 +#ifdef mpn_sec_sub_1
 +	mp_limb_t t[MAX_Q_LIMBS];
 +
 +	mpn_sec_sub_1(h, h, n, 1, t);
 +#else
 +	mpn_sub_1(h, h, n, 1);
 +#endif
 +	mpn_get_base256(k, nbytes, h, n);
 +}
 +
 +void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
 +				    mp_size_t n)
 +{
 +	mpn_get_base256(k, nbytes, h, n);
 +}
 diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
 index 64e90e0..12dc7d0 100644
 --- a/lib/nettle/int/dsa-compute-k.h
 +++ b/lib/nettle/int/dsa-compute-k.h
@@ -26,12 +26,29 @@
 #include <gnutls/gnutls.h>
 #include <nettle/bignum.h> /* includes gmp.h */
 -int
 -_gnutls_dsa_compute_k(mpz_t k,
 -		      const mpz_t q,
 -		      const mpz_t x,
 -		      gnutls_mac_algorithm_t mac,
 -		      const uint8_t *digest,
 -		      size_t length);
 +#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
 +
 +/* The maximum size of q, chosen from the fact that we support
 + * 521-bit elliptic curve generator and 512-bit DSA subgroup at
 + * maximum. */
 +#define MAX_Q_BITS 521
 +#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
 +#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
 +
 +#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
 +#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
 +
 +#define DSA_COMPUTE_K_ITCH MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)
 +
 +int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
 +						  mp_size_t qn, mp_bitcnt_t q_bits,
 +						  gnutls_mac_algorithm_t mac, const uint8_t *digest,
 +						  size_t length);
 +
 +void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
 +								  mp_size_t n);
 +
 +void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
 +									mp_size_t n);
 #endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
 diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
 index 94914eb..d98f246 100644
 --- a/lib/nettle/int/ecdsa-compute-k.c
 +++ b/lib/nettle/int/ecdsa-compute-k.c
@@ -29,39 +29,38 @@
 #include "dsa-compute-k.h"
 #include "gnutls_int.h"
 -static inline int
 -_gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
 +int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve)
 {
 	switch (curve) {
 #ifdef ENABLE_NON_SUITEB_CURVES
 	case GNUTLS_ECC_CURVE_SECP192R1:
 -		mpz_init_set_str(*q,
 +		mpz_init_set_str(q,
 				 "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
 				 "146BC9B1B4D22831",
 				 16);
 		return 0;
 	case GNUTLS_ECC_CURVE_SECP224R1:
 -		mpz_init_set_str(*q,
 +		mpz_init_set_str(q,
 				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
 				 "E0B8F03E13DD29455C5C2A3D",
 				 16);
 		return 0;
 #endif
 	case GNUTLS_ECC_CURVE_SECP256R1:
 -		mpz_init_set_str(*q,
 +		mpz_init_set_str(q,
 				 "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
 				 "BCE6FAADA7179E84F3B9CAC2FC632551",
 				 16);
 		return 0;
 	case GNUTLS_ECC_CURVE_SECP384R1:
 -		mpz_init_set_str(*q,
 +		mpz_init_set_str(q,
 				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
 				 "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
 				 "581A0DB248B0A77AECEC196ACCC52973",
 				 16);
 		return 0;
 	case GNUTLS_ECC_CURVE_SECP521R1:
 -		mpz_init_set_str(*q,
 +		mpz_init_set_str(q,
 				 "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
 				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
 				 "FFA51868783BF2F966B7FCC0148F709A"
@@ -73,23 +72,3 @@ _gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
 		return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
 	}
 }
 -
 -int
 -_gnutls_ecdsa_compute_k (mpz_t k,
 -			 gnutls_ecc_curve_t curve,
 -			 const mpz_t x,
 -			 gnutls_mac_algorithm_t mac,
 -			 const uint8_t *digest,
 -			 size_t length)
 -{
 -	mpz_t q;
 -	int ret;
 -
 -	ret = _gnutls_ecc_curve_to_dsa_q(&q, curve);
 -	if (ret < 0)
 -		return gnutls_assert_val(ret);
 -
 -	ret = _gnutls_dsa_compute_k (k, q, x, mac, digest, length);
 -	mpz_clear(q);
 -	return ret;
 -}
 diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h
 index 7ca401d..a7e612b 100644
 --- a/lib/nettle/int/ecdsa-compute-k.h
 +++ b/lib/nettle/int/ecdsa-compute-k.h
@@ -26,12 +26,6 @@
 #include <gnutls/gnutls.h>
 #include <nettle/bignum.h> /* includes gmp.h */
 -int
 -_gnutls_ecdsa_compute_k (mpz_t k,
 -			 gnutls_ecc_curve_t curve,
 -			 const mpz_t x,
 -			 gnutls_mac_algorithm_t mac,
 -			 const uint8_t *digest,
 -			 size_t length);
 +int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve);
 #endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */
 diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
 index ff8e3d1..bb9f2a0 100644
 --- a/lib/nettle/pk.c
 +++ b/lib/nettle/pk.c
@@ -97,10 +97,16 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data)
 	}
 }
 -static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
 +static void rnd_datum_func(void *ctx, size_t length, uint8_t *data)
 {
 -	mpz_t *k = _ctx;
 -	nettle_mpz_get_str_256 (length, data, *k);
 +	gnutls_datum_t *d = ctx;
 +
 +	if (length > d->size) {
 +		memset(data, 0, length - d->size);
 +		memcpy(data + (length - d->size), d->data, d->size);
 +	} else {
 +		memcpy(data, d->data, length);
 +	}
 }
 static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
@@ -979,7 +985,10 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 			struct dsa_signature sig;
 			int curve_id = pk_params->curve;
 			const struct ecc_curve *curve;
 -			mpz_t k;
 +			mpz_t q;
 +			/* 521-bit elliptic curve generator at maximum */
 +			uint8_t buf[(521 + 7) / 8];
 +			gnutls_datum_t k = { NULL, 0 };
 			void *random_ctx;
 			nettle_random_func *random_func;
@@ -1008,19 +1017,32 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 				hash_len = vdata->size;
 			}
 -			mpz_init(k);
 +			mpz_init(q);
 +
 			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
 			    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
 -				ret = _gnutls_ecdsa_compute_k(k,
 -							      curve_id,
 -							      pk_params->params[ECC_K],
 -							      DIG_TO_MAC(sign_params->dsa_dig),
 -							      vdata->data,
 -							      vdata->size);
 +				mp_limb_t h[DSA_COMPUTE_K_ITCH];
 +
 +				ret = _gnutls_ecc_curve_to_dsa_q(q, curve_id);
 				if (ret < 0)
 					goto ecdsa_cleanup;
 +
 +				ret = _gnutls_dsa_compute_k(
 +					h, mpz_limbs_read(q), priv.p,
 +					ecc_size(priv.ecc), ecc_bit_size(priv.ecc),
 +					DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
 +					vdata->size);
 +				if (ret < 0)
 +					goto ecdsa_cleanup;
 +
 +				k.data = buf;
 +				k.size = (ecc_bit_size(priv.ecc) + 7) / 8;
 +
 +				_gnutls_ecdsa_compute_k_finish(k.data, k.size, h,
 +								ecc_size(priv.ecc));
 +
 				random_ctx = &k;
 -				random_func = rnd_mpz_func;
 +				random_func = rnd_datum_func;
 			} else {
 				random_ctx = NULL;
 				random_func = rnd_nonce_func;
@@ -1041,7 +1063,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
  ecdsa_cleanup:
 			dsa_signature_clear(&sig);
 			ecc_scalar_zclear(&priv);
 -			mpz_clear(k);
 +			mpz_clear(q);
 			if (ret < 0) {
 				gnutls_assert();
@@ -1054,7 +1076,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 			struct dsa_params pub;
 			bigint_t priv;
 			struct dsa_signature sig;
 -			mpz_t k;
 +			/* 512-bit DSA subgroup at maximum */
 +			uint8_t buf[(512 + 7) / 8];
 +			gnutls_datum_t k = { NULL, 0 };
 			void *random_ctx;
 			nettle_random_func *random_func;
@@ -1077,21 +1101,27 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
 				hash_len = vdata->size;
 			}
 -			mpz_init(k);
 			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
 			    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
 -				ret = _gnutls_dsa_compute_k(k,
 -							    pub.q,
 -							    TOMPZ(priv),
 -							    DIG_TO_MAC(sign_params->dsa_dig),
 -							    vdata->data,
 -							    vdata->size);
 +				mp_limb_t h[DSA_COMPUTE_K_ITCH];
 +
 +				ret = _gnutls_dsa_compute_k(
 +								h, mpz_limbs_read(pub.q),
 +								mpz_limbs_read(TOMPZ(priv)), mpz_size(pub.q),
 +								mpz_sizeinbase(pub.q, 2),
 +								DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
 +								vdata->size);
 				if (ret < 0)
 					goto dsa_fail;
 -				/* cancel-out dsa_sign's addition of 1 to random data */
 -				mpz_sub_ui (k, k, 1);
 +
 +				k.data = buf;
 +				k.size = (mpz_sizeinbase(pub.q, 2) + 7) / 8;
 +
 +				_gnutls_dsa_compute_k_finish(k.data, k.size, h,
 +								mpz_size(pub.q));
 +
 				random_ctx = &k;
 -				random_func = rnd_mpz_func;
 +				random_func = rnd_datum_func;
 			} else {
 				random_ctx = NULL;
 				random_func = rnd_nonce_func;
@@ -1111,7 +1141,6 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
  dsa_fail:
 			dsa_signature_clear(&sig);
 -			mpz_clear(k);
 			if (ret < 0) {
 				gnutls_assert();
 diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
 index 6e90728..25aa553 100644
 --- a/tests/sign-verify-deterministic.c
 +++ b/tests/sign-verify-deterministic.c
@@ -197,7 +197,7 @@ void doit(void)
 					      &signature);
 		if (ret < 0)
 			testfail("gnutls_pubkey_verify_data2\n");
 -		success(" - pass");
 +		success(" - pass\n");
 	next:
 		gnutls_free(signature.data);
 -- 
 2.33.0
--- a/backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch
+++ b/backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch
@ -0,0 +1,419 @@
 From e369e67a62f44561d417cb233acc566cc696d82d Mon Sep 17 00:00:00 2001                                  
 From: Daiki Ueno <ueno@gnu.org>
 Date: Mon, 29 Jan 2024 13:52:46 +0900
 Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: remove length limit
 of
 input
 Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
 chain verification logic crashed with assertion failure.  This patch
 removes the restriction while keeping the maximum number of
 retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 Reference:
 https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d
 Conflict:lib/x509/verify-high.c,tests/test-chains.h
 ---
 lib/gnutls_int.h       |   5 +-
 lib/x509/common.c      |  10 +-
 lib/x509/verify-high.c |  56 +++++++----
 tests/test-chains.h    | 210 ++++++++++++++++++++++++++++++++++++++++-
 4 files changed, 258 insertions(+), 23 deletions(-)
 diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
 index a06d123..9706db3 100644
 --- a/lib/gnutls_int.h
 +++ b/lib/gnutls_int.h
@@ -218,7 +218,10 @@ typedef enum record_send_state_t {
 #define MAX_PK_PARAM_SIZE 2048
 -/* defaults for verification functions
 +/* Defaults for verification functions.
 + *
 + * update many_icas in tests/test-chains.h when increasing
 + * DEFAULT_MAX_VERIFY_DEPTH.
  */
 #define DEFAULT_MAX_VERIFY_DEPTH 16
 #define DEFAULT_MAX_VERIFY_BITS (MAX_PK_PARAM_SIZE*8)
 diff --git a/lib/x509/common.c b/lib/x509/common.c
 index 96e7e7c..10ee9c6 100644
 --- a/lib/x509/common.c
 +++ b/lib/x509/common.c
@@ -1746,7 +1746,15 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
 	bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */
 	gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
 -	assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH);
 +	/* Limit the number of certificates in the chain, to avoid DoS
 +	 * because of the O(n^2) sorting below.  FIXME: Switch to a
 +	 * topological sort algorithm which should be linear to the
 +	 * number of certificates and subject-issuer relationships.
 +	 */
 +	if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) {
 +		_gnutls_debug_log("too many certificates; skipping sorting\n");
 +		return 1;
 +	}
 	for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) {
 		issuer[i] = -1;
 diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
 index 02d2f0f..bbfb02e 100644
 --- a/lib/x509/verify-high.c
 +++ b/lib/x509/verify-high.c
@@ -25,7 +25,7 @@
 #include "errors.h"
 #include <libtasn1.h>
 #include <global.h>
 -#include <num.h>		/* MAX */
 +#include "num.h" /* MIN */
 #include <tls-sig.h>
 #include <str.h>
 #include <datum.h>
@@ -1357,7 +1357,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 	int ret = 0;
 	unsigned int i;
 	size_t hash;
 -	gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
 +	gnutls_x509_crt_t *cert_list_copy = NULL;
 +	unsigned int cert_list_max_size = 0;
 	gnutls_x509_crt_t retrieved[DEFAULT_MAX_VERIFY_DEPTH];
 	unsigned int retrieved_size = 0;
 	const char *hostname = NULL, *purpose = NULL, *email = NULL;
@@ -1411,15 +1412,27 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 		}
 	}
 -	memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
 -	cert_list = sorted;
 +	/* Allocate extra for retrieved certificates. */
 +	if (!INT_ADD_OK(cert_list_size, DEFAULT_MAX_VERIFY_DEPTH,
 +			&cert_list_max_size))
 +		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 -	records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false);
 -	if (records == NULL)
 +	cert_list_copy = _gnutls_reallocarray(NULL, cert_list_max_size,
 +					      sizeof(gnutls_x509_crt_t));
 +	if (!cert_list_copy)
 		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 -	for (i = 0; i < cert_list_size &&
 -		     cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
 +	memcpy(cert_list_copy, cert_list,
 +	       cert_list_size * sizeof(gnutls_x509_crt_t));
 +	cert_list = cert_list_copy;
 +
 +	records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq, cert_hashcode, NULL, false);
 +	if (records == NULL) {
 +		ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 +		goto cleanup;
 +	}
 +
 +	for (i = 0; i < cert_list_size;) {
 		unsigned int sorted_size = 1;
 		unsigned int j, k;
 		gnutls_x509_crt_t issuer;
@@ -1431,8 +1444,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 		assert(sorted_size > 0);
 -		/* Remove duplicates. Start with index 1, as the first element
 -		 * may be re-checked after issuer retrieval. */
 +		/* Remove duplicates. */
 		for (j = 0; j < sorted_size; j++) {
 			if (gl_list_search(records, cert_list[i + j])) {
 				if (i + j < cert_list_size - 1) {
@@ -1483,17 +1495,16 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 			continue;
 		}
 -		ret = retrieve_issuers(list,
 -				       cert_list[i - 1],
 -				       &retrieved[retrieved_size],
 -				       DEFAULT_MAX_VERIFY_DEPTH -
 -				       MAX(retrieved_size,
 -					   cert_list_size));
 +		ret = retrieve_issuers(list, cert_list[i - 1], &retrieved[retrieved_size],
 +			MIN(DEFAULT_MAX_VERIFY_DEPTH - retrieved_size,
 +				cert_list_max_size - cert_list_size));
 		if (ret < 0) {
 			break;
 		} else if (ret > 0) {
 			assert((unsigned int)ret <=
 -			       DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
 +			       DEFAULT_MAX_VERIFY_DEPTH - retrieved_size);
 +			assert((unsigned int)ret <=
 +			       cert_list_max_size - cert_list_size);
 			memmove(&cert_list[i + ret],
 				&cert_list[i],
 				(cert_list_size - i) *
@@ -1511,8 +1522,10 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 	}
 	cert_list_size = shorten_clist(list, cert_list, cert_list_size);
 -	if (cert_list_size <= 0)
 -		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
 +	if (cert_list_size <= 0) {
 +		ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
 +		goto cleanup;
 +	}
 	hash =
 	    hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.
@@ -1663,10 +1676,13 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 	}
  cleanup:
 + 	gnutls_free(cert_list_copy);
 	for (i = 0; i < retrieved_size; i++) {
 		gnutls_x509_crt_deinit(retrieved[i]);
 	}
 -	gl_list_free(records);
 +	if (records) {
 +		gl_list_free(records);
 +	}
 	return ret;
 }
 diff --git a/tests/test-chains.h b/tests/test-chains.h
 index 07e90bb..2dbee07 100644
 --- a/tests/test-chains.h
 +++ b/tests/test-chains.h
@@ -25,7 +25,7 @@
 /* *INDENT-OFF* */
 -#define MAX_CHAIN 10
 +#define MAX_CHAIN 17
 static const char *chain_with_no_subject_id_in_ca_ok[] = {
 	"-----BEGIN CERTIFICATE-----\n"
@@ -4386,6 +4386,213 @@ static const char *cross_signed_ca[] = {
 	NULL
 };
 +/* This assumes DEFAULT_MAX_VERIFY_DEPTH to be 16 */
 +static const char *many_icas[] = {
 +	/* Server */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBqzCCAV2gAwIBAgIUIK3+SD3GmqJlRLZ/ESyhTzkSDL8wBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYD\n"
 +	"VQQDEw90ZXN0LmdudXRscy5vcmcwKjAFBgMrZXADIQAWGjx45NIJiKFsNBxxRRjm\n"
 +	"NxUT5KYK7xXr5HPVywwgLaOBkjCBjzAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGC\n"
 +	"D3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8E\n"
 +	"BAMCB4AwHQYDVR0OBBYEFKgNAQWZPx76/vXqQOdIi5mTftsaMB8GA1UdIwQYMBaA\n"
 +	"FDaPsY6WAGuRtrhYJE6Gk/bg5qbdMAUGAytlcANBAMIDh8aGcIIFDTUrzfV7tnkX\n"
 +	"hHrxyFKBH/cApf6xcJQTfDXm23po627Ibp+WgLaWMY08Fn9Y2V6Ev8ADfqXNbQ8=\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA16 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUSnE0PKdm/dsnZSWBh5Ct4pS6DcwwBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEAxq9SI8vp0QH1dDBBuZW+t+bLLROppQbjSQ4O1BEonDOjYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2j7GOlgBrkba4\n"
 +	"WCROhpP24Oam3TAfBgNVHSMEGDAWgBRvdUKX0aw3nfUIdvivXGSfRO7zyjAFBgMr\n"
 +	"ZXADQQBsI2Hc7X5hXoHTvk01qMc5a1I27QHAFRARJnvIQ15wxNS2LVLzGk+AUmwr\n"
 +	"sOhBKAcVfS55uWtYdjoWQ80h238H\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA15 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUQk4XkgQVImnp6OPZas7ctwgBza4wBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEAs3yVKLJd3sKbNVmj6Bxy2j1x025rksyQpZZWnCx5a+CjYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRvdUKX0aw3nfUI\n"
 +	"dvivXGSfRO7zyjAfBgNVHSMEGDAWgBRhGfUXYPh4YQsdtTWYUozLphGgfzAFBgMr\n"
 +	"ZXADQQBXTtm56x6/pHXdW8dTvZLc/8RufNQrMlc23TCgX0apUnrZdTsNAb7OE4Uu\n"
 +	"9PBuxK+CC9NL/BL2hXsKvAT+NWME\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA14 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUKfwz7UUYRvYlvqwmnLJlTOS9o1AwBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEAXbUetQ08t+F4+IcKL++HpeclqTxXZ7cG4mwqvHmTUEWjYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRhGfUXYPh4YQsd\n"
 +	"tTWYUozLphGgfzAfBgNVHSMEGDAWgBQYRQqO+V1kefF7QvNnFU1fX5H9+jAFBgMr\n"
 +	"ZXADQQAiSHNMTLPFP3oa6q13Dj8jSxF9trQDJGM1ArWffFcPZUt2U4/ODHdcMTHx\n"
 +	"kGwhIj+ghBlu6ykgu6J2wewCUooC\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA13 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUUKOs59gyCPAZzoC7zMZQSh6AnQgwBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEAmvqhj5GYqsXIpsr1BXBfD+2mTP/m/TEpKIYSZHM62dijYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQYRQqO+V1kefF7\n"
 +	"QvNnFU1fX5H9+jAfBgNVHSMEGDAWgBQ27HzvP5hl2xR+LOzRcPfmY5ndXjAFBgMr\n"
 +	"ZXADQQBrB3NkrYC7EQ74qgeesVOE71rW012dPOOKPAV0laR+JLEgsv9sfus+AdBF\n"
 +	"WBNwR3KeYBTi/MFDuecxBHU2m5gD\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA12 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUUQooGfH21+sR7/pSgCWm13gg2H4wBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEAK2of/B4wMpk6k/KdugC5dMS+jo2fseUM7/PvXkE6HASjYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ27HzvP5hl2xR+\n"
 +	"LOzRcPfmY5ndXjAfBgNVHSMEGDAWgBSJDHU0Mj1Xr0e8ErCnRK24w7XwTTAFBgMr\n"
 +	"ZXADQQDY8d2bAZpj7oGhdl2dBsCE48jEWj49da0PbgN12koAj3gf4hjMPd8G7p5z\n"
 +	"8RsURAwQmCkE8ShvdNw/Qr2tDL0E\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA11 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUW9Dw0hU2pfjXhb5Stip+mk9SndIwBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEAn5ISjLVV6RBWsnxDWHDicpye7SjFwGOTwzF01/psiJ2jYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSJDHU0Mj1Xr0e8\n"
 +	"ErCnRK24w7XwTTAfBgNVHSMEGDAWgBSR9UU27RI0XohiEgHDxNo/9HP4djAFBgMr\n"
 +	"ZXADQQCfQg6MDHk71vhyrEo4/5PcLb2Li5F/FKURyux7snv2TbkSdInloAqca9UR\n"
 +	"DtqHSLCNLXCNdSPr5QwIt5p29rsE\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA10 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUR4uTedG8e6MibKViQ3eX7QzXG1swBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEAnslX04kSVOL5LAf1e+Ze3ggNnDJcEAxLDk8I/IhyjTyjYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSR9UU27RI0Xohi\n"
 +	"EgHDxNo/9HP4djAfBgNVHSMEGDAWgBRC7US5gJYnvd5F7EN+C4anMgd2NzAFBgMr\n"
 +	"ZXADQQDo+jHt07Tvz3T5Lbz6apBrSln8xKYfJk2W1wP85XAnf7sZT9apM1bS4EyD\n"
 +	"Kckw+KG+9x7myOZz6AXJgZB5OGAO\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA9 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUSIIIRjrNpE+kEPkiJMOqaNAazvQwBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEAZKy7p1Gn4W/reRxKJN99+QkHt2q9aELktCKe5PqrX5ejYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRC7US5gJYnvd5F\n"
 +	"7EN+C4anMgd2NzAfBgNVHSMEGDAWgBSOhR7Ornis2x8g0J+bvTTwMnW60zAFBgMr\n"
 +	"ZXADQQA0MEcC4FgKZEAfalVpApU2to0G158MVz/WTNcSc7fnl8ifJ/g56dVHL1jr\n"
 +	"REvC/S28dn/CGAlbVXUAgxnHAbgE\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA8 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUGGFSgD95vOTSj7iFxfXA5vq6vsYwBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEAg3W/bTdW0fR32NeZEVMXICpa30d7rSdddLOYDvqqUO+jYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSOhR7Ornis2x8g\n"
 +	"0J+bvTTwMnW60zAfBgNVHSMEGDAWgBT3zK8Hbn9aVTAOOFY6RSxJ2o5x2jAFBgMr\n"
 +	"ZXADQQBl4gnzE463iMFg57gPvjHdVzA39sJBpiu0kUGfRcLnoRI/VOaLcx7WnJ9+\n"
 +	"c3KxPZBec76EdIoQDkTmI6m2FIAM\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA7 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUGktMGXhNuaMhKyAlecymmLD+/GIwBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEA/Z1oc76hOQ0Hi+2hePaGIntnMIDqBlb7RDMjRpYONP2jYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT3zK8Hbn9aVTAO\n"
 +	"OFY6RSxJ2o5x2jAfBgNVHSMEGDAWgBSPae3JUN3jP0NgUJqDV3eYxcaM3DAFBgMr\n"
 +	"ZXADQQBMkwKaUZlvG/hax8rv3nnDv8kJOr6KVHBnxSx3hZ+8HIBT7GFm1+YDeYOB\n"
 +	"jhNg66kyeFPGXXBCe+mvNQFFjCEE\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA6 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUKn3gz5lAUpKqWlHKLKYDbOJ4rygwBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEAZ/eD4eTe91ddvHusm7YlLPxU4ByGFc6suAmlP1CxXkWjYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSPae3JUN3jP0Ng\n"
 +	"UJqDV3eYxcaM3DAfBgNVHSMEGDAWgBT9f/qSI/jhxvGI7aMtkpraDcjBnjAFBgMr\n"
 +	"ZXADQQAMRnkmRhnLGdmJaY8B42gfyaAsqCMyds/Tw4OHYy+N48XuAxRjKkhf3szC\n"
 +	"0lY71oU043mNP1yx/dzAuCTrVSgI\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA5 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUEgEYbBXXEyGv3vOq10JQv1SBiUUwBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEAs2xEDPw8RVal53nX9GVwUd1blq1wjtVFC8S1V7up7MWjYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBT9f/qSI/jhxvGI\n"
 +	"7aMtkpraDcjBnjAfBgNVHSMEGDAWgBRBVkLu9BmCKz7HNI8md4vPpoE/7jAFBgMr\n"
 +	"ZXADQQCCufAyLijtzzmeCuO3K50rBSbGvB3FQfep7g6kVsQKM3bw/olWK5/Ji0dD\n"
 +	"ubJ0cFl1FmfAda7aVxLBtJOvO6MI\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA4 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIULj8GkaHw+92HuOTnXnXlxCy3VrEwBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEAiedxh4dvtwDellMAHc/pZH0MAOXobRenTUgF1yj5l12jYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBRBVkLu9BmCKz7H\n"
 +	"NI8md4vPpoE/7jAfBgNVHSMEGDAWgBSDtNRgQ36KwW/ASaMyr6WeDt0STDAFBgMr\n"
 +	"ZXADQQDL8U2ckzur7CktdrVUNvfLhVCOz33d/62F28vQFHUa8h/4h+Mi1MMbXOKT\n"
 +	"1bL2TvpFpU7Fx/vcIPXDielVqr4C\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA3 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUQXl74TDDw6MQRMbQUSPa6Qrvba8wBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEA7l0jQ0f4fJRw7Qja/Hz2qn8y91SI7CokxhSf+FT+9M6jYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBSDtNRgQ36KwW/A\n"
 +	"SaMyr6WeDt0STDAfBgNVHSMEGDAWgBQ2inEK4KH6ATftmybxKE1dZUzOozAFBgMr\n"
 +	"ZXADQQCnP7Oqx1epGnFnO7TrTJwcUukXDEYsINve2GeUsi8HEIeKKlMcLZ2Cnaj7\n"
 +	"5v9NGuWh3QJpmmSGpEemiv8dJc4A\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA2 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBYTCCAROgAwIBAgIUP7Nmof8H2F1LyDkjqlYIUpGdXE8wBQYDK2VwMB0xGzAZ\n"
 +	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
 +	"MTIzMTIzNTk1OVowHTEbMBkGA1UEAwwSR251VExTIHRlc3QgSUNBICRpMCowBQYD\n"
 +	"K2VwAyEAkW9Rod3CXAnha6nlaHkDbCOegq94lgmjqclA9sOIt3yjYzBhMA8GA1Ud\n"
 +	"EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQ2inEK4KH6ATft\n"
 +	"mybxKE1dZUzOozAfBgNVHSMEGDAWgBRPq/CQlK/zuXkjZvTCibu+vejD+jAFBgMr\n"
 +	"ZXADQQBU+A+uF0yrtO/yv9cRUdCoL3Y1NKM35INg8BQDnkv724cW9zk1x0q9Fuou\n"
 +	"zvfSVb8S3vT8fF5ZDOxarQs6ZH0C\n"
 +	"-----END CERTIFICATE-----\n",
 +	/* ICA1 */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBXTCCAQ+gAwIBAgIUfUWP+AQHpdFTRKTf21mMzjaJsp0wBQYDK2VwMBkxFzAV\n"
 +	"BgNVBAMTDkdudVRMUyB0ZXN0IENBMCAXDTI0MDMxMjIyNTMzOVoYDzk5OTkxMjMx\n"
 +	"MjM1OTU5WjAdMRswGQYDVQQDDBJHbnVUTFMgdGVzdCBJQ0EgJGkwKjAFBgMrZXAD\n"
 +	"IQAVmfBAvLbT+pTD24pQrr6S0jEIFIV/qOv93yYvAUzpzKNjMGEwDwYDVR0TAQH/\n"
 +	"BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFE+r8JCUr/O5eSNm9MKJ\n"
 +	"u7696MP6MB8GA1UdIwQYMBaAFAFpt5wrFsqCtHc4PpluPDvwcxQLMAUGAytlcANB\n"
 +	"AC6+XZnthjlUD0TbBKRF3qT5if3Pp29Bgvutw8859unzUZW8FkHg5KeDBj9ncgJc\n"
 +	"O2tFnNH2hV6LDPJzU0rtLQc=\n"
 +	"-----END CERTIFICATE-----\n",
 +	NULL
 +};
 +
 +static const char *many_icas_ca[] = {
 +	/* CA (self-signed) */
 +	"-----BEGIN CERTIFICATE-----\n"
 +	"MIIBNzCB6qADAgECAhRjaokcQwcrtW8tjuVFz3A33F8POjAFBgMrZXAwGTEXMBUG\n"
 +	"A1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjQwMzEyMjI1MzM5WhgPOTk5OTEyMzEy\n"
 +	"MzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMCowBQYDK2VwAyEAvoxP\n"
 +	"TNdbWktxA8qQNNH+25Cx9rzP+DxLGeI/7ODwrQGjQjBAMA8GA1UdEwEB/wQFMAMB\n"
 +	"Af8wDgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBQBabecKxbKgrR3OD6Zbjw78HMU\n"
 +	"CzAFBgMrZXADQQCP5IUD74M7WrUx20uqzrzuj+s2jnBVmLQfWf/Ucetx+oTRFeq4\n"
 +	"xZB/adWhycSeJUAB1zKqYUV9hgT8FWHbnHII\n"
 +	"-----END CERTIFICATE-----\n",
 +	NULL
 +};
 +
 #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
 #  pragma GCC diagnostic push
 #  pragma GCC diagnostic ignored "-Wunused-variable"
@@ -4566,6 +4773,7 @@ static struct
     GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM),
     GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1620118136, 1},
   { "cross signed - ok", cross_signed, cross_signed_ca, 0, 0, 0, 1704955300},
 +  { "many intermediates - ok", many_icas, many_icas_ca, 0, 0, 0, 1710284400},
   { NULL, NULL, NULL, 0, 0}
 };
 -- 
 2.33.0
--- a/backport-lib-suppress-false-positive-Wanalyzer-out-of-bounds.patch
+++ b/backport-lib-suppress-false-positive-Wanalyzer-out-of-bounds.patch
@ -0,0 +1,70 @@
 From 7e7b8ed89c93b5f95367eeab1b4f06fc2ac83581 Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Wed, 7 Jun 2023 16:44:00 +0200
 Subject: [PATCH] lib: suppress false-positive -Wanalyzer-out-of-bounds
 GCC analyzer from GCC 13 reports this:
  verify-high.c:1471:21: error: stack-based buffer over-read [CWE-126] [-Werror=analyzer-out-of-bounds]
   1471 |                 if (gnutls_x509_trust_list_get_issuer(
        |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   1472 |                             list, cert_list[i - 1], &issuer,
 This is false-positive, as i is always in a range 0 < i < cert_list_size.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 Reference: https://gitlab.com/gnutls/gnutls/-/commit/7e7b8ed89c93b5f95367eeab1b4f06fc2ac83581
 Conflict: NA
 ---
 lib/x509/verify-high.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
 diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
 index 2c070b0..02d2f0f 100644
 --- a/lib/x509/verify-high.c
 +++ b/lib/x509/verify-high.c
@@ -1421,7 +1421,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 	for (i = 0; i < cert_list_size &&
 		     cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
 		unsigned int sorted_size = 1;
 -		unsigned int j;
 +		unsigned int j, k;
 		gnutls_x509_crt_t issuer;
 		if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
@@ -1429,6 +1429,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 							 cert_list_size - i);
 		}
 +		assert(sorted_size > 0);
 +
 		/* Remove duplicates. Start with index 1, as the first element
 		 * may be re-checked after issuer retrieval. */
 		for (j = 0; j < sorted_size; j++) {
@@ -1448,13 +1450,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 		}
 		/* Record the certificates seen. */
 -		for (j = 0; j < sorted_size; j++, i++) {
 +		for (k = 0; k < sorted_size; k++, i++) {
 			if (!gl_list_nx_add_last(records, cert_list[i])) {
 				ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 				goto cleanup;
 			}
 		}
 +		/* Pacify GCC analyzer: the condition always holds
 +		 * true as sorted_size > 0 is checked above, and the
 +		 * following loop should iterate at least once so i++
 +		 * is called.
 +		 */
 +		assert(i > 0);
 +
 		/* If the issuer of the certificate is known, no need
 		 * for further processing. */
 		if (gnutls_x509_trust_list_get_issuer(list,
 -- 
 2.33.0
--- a/backport-x509-fix-thread-safety-in-gnutls_x509_trust_list_ver.patch
+++ b/backport-x509-fix-thread-safety-in-gnutls_x509_trust_list_ver.patch
@ -0,0 +1,49 @@
 From 22f837ba0bc7d13c3d738a8583566368fc12aee1 Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Sat, 30 Oct 2021 08:56:07 +0200
 Subject: [PATCH] x509: fix thread-safety in gnutls_x509_trust_list_verify_crt2
 This function previously used gnutls_x509_trust_list_get_issuer
 without GNUTLS_TL_GET_COPY flag, which is required when the function
 is called from multi-threaded application and PKCS #11 trust store is
 in use.
 Reported and the change suggested by Remi Gacogne in:
 https://gitlab.com/gnutls/gnutls/-/issues/1277
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 Reference: https://gitlab.com/gnutls/gnutls/-/commit/22f837ba0bc7d13c3d738a8583566368fc12aee1
 Conflict: NA
 ---
 lib/x509/verify-high.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
 index ab8e006ca..5698d4f37 100644
 --- a/lib/x509/verify-high.c
 +++ b/lib/x509/verify-high.c
@@ -1102,7 +1102,8 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
  * gnutls_x509_trust_list_get_issuer:
  * @list: The list
  * @cert: is the certificate to find issuer for
 - * @issuer: Will hold the issuer if any. Should be treated as constant.
 + * @issuer: Will hold the issuer if any. Should be treated as constant
 + *   unless %GNUTLS_TL_GET_COPY is set in @flags.
  * @flags: flags from %gnutls_trust_list_flags_t (%GNUTLS_TL_GET_COPY is applicable)
  *
  * This function will find the issuer of the given certificate.
@@ -1521,7 +1522,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 		if (gnutls_x509_trust_list_get_issuer(list,
 						      cert_list[i - 1],
 						      &issuer,
 -						      0) == 0) {
 +						      GNUTLS_TL_GET_COPY) == 0) {
 +			gnutls_x509_crt_deinit(issuer);
 			cert_list_size = i;
 			break;
 		}
 -- 
 2.33.0
--- a/gnutls.spec
+++ b/gnutls.spec
@ -1,6 +1,6 @@
 Name: gnutls
 Version: 3.7.2
-Release: 9
+Release: 15
 Summary: The GNU Secure Communication Protocol Library
 License: LGPLv2.1+ and GPLv3+
@ -14,6 +14,15 @@ Patch3: backport-CVE-2021-4209.patch
 Patch4: gnutls-3.7.2-sw.patch
 Patch5: backport-01-CVE-2023-0361.patch
 Patch6: backport-02-CVE-2023-0361.patch
 Patch7: backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch 
 Patch8: backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
 Patch9: backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch
 Patch10: backport-fix-CVE-2024-28834-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch
 Patch11: backport-add-gnulib-files.patch
 Patch12: backport-x509-fix-thread-safety-in-gnutls_x509_trust_list_ver.patch
 Patch13: backport-Fix-removal-of-duplicate-certs-during-verification.patch
 Patch14: backport-lib-suppress-false-positive-Wanalyzer-out-of-bounds.patch
 Patch15: backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch
 %bcond_without dane
 %bcond_with guile
@ -220,6 +229,24 @@ make check %{?_smp_mflags}
 %endif
 %changelog
 * Thu Apr 18 2024 fangxiuning <fangxiuning@huawei.com> - 3.7.2-15
 - fix CVE-2024-28835
 * Thu Apr 18 2024 fangxiuning <fangxiuning@huawei.com> - 3.7.2-14
 - fix CVE-2024-28835
 * Tue Mar 26 2024 xuraoqing <xuraoqing@huawei.com> - 3.7.2-13
 - update patch to remove function declare in header file
 * Sat Mar 23 2024 xuraoqing <xuraoqing@huawei.com> - 3.7.2-12
 - fix CVE-2024-28834
 * Wed Jan 17 2024 xuraoqing <xuraoqing@huawei.com> - 3.7.2-11
 - fix CVE-2024-0553 and CVE-2024-0567
 * Mon Nov 20 2023 xuraoqing <xuraoqing@huawei.com> - 3.7.2-10
 - fix CVE-2023-5981
 * Thu Jun 29 2023 xuraoqing <609179072@qq.com> - 3.7.2-9
 - add nettle version restriction
Author	SHA1	Message	Date
openeuler-ci-bot	b67b69edf0	!153 fix CVE-2024-28835 From: @fangxiuning Reviewed-by: @zhujianwei001 Signed-off-by: @zhujianwei001	2024-04-19 01:33:53 +00:00
fangxiuning	eb5245a0a9	fix	2024-04-18 19:05:41 +08:00
fangxiuning	7f0c36aac1	fix	2024-04-18 19:01:51 +08:00
openeuler-ci-bot	1276eea055	!146 update patch to remove function declare in header file From: @xuraoqing Reviewed-by: @zcfsite Signed-off-by: @zcfsite	2024-03-27 07:29:44 +00:00
xuraoqing	09bc14916a	update patch to remove function declare in header file Signed-off-by: xuraoqing <xuraoqing@huawei.com>	2024-03-26 19:29:48 +08:00
openeuler-ci-bot	d09afe28be	!136 fix CVE-2024-28834 From: @xuraoqing Reviewed-by: @zcfsite Signed-off-by: @zcfsite	2024-03-26 06:40:09 +00:00
xuraoqing	a4089ce740	fix CVE-2024-28834 Signed-off-by: xuraoqing <xuraoqing@huawei.com>	2024-03-25 11:13:33 +08:00
openeuler-ci-bot	2eb4441d6c	!115 fix CVE-2024-0553 and CVE-2024-0567 From: @xuraoqing Reviewed-by: @zcfsite Signed-off-by: @zcfsite	2024-01-22 13:08:19 +00:00
xuraoqing	0365224fe2	fix CVE-2024-0553 and CVE-2024-0567 Signed-off-by: xuraoqing <xuraoqing@huawei.com>	2024-01-22 19:40:13 +08:00
openeuler-ci-bot	c35dc90605	!103 fix CVE-2023-5981 From: @xuraoqing Reviewed-by: @zcfsite Signed-off-by: @zcfsite	2023-11-22 07:02:41 +00:00
xuraoqing	49862a6024	fix CVE-2023-5981 Signed-off-by: xuraoqing <xuraoqing@huawei.com>	2023-11-20 15:12:51 +08:00