.gitignore

@@ -1,2 +1,2 @@
 SOURCES/gmp-6.2.1.tar.xz
-SOURCES/nettle-3.8-hobbled.tar.xz
+SOURCES/nettle-3.10-hobbled.tar.xz

.nettle.metadata

@@ -1,2 +1,2 @@
 0578d48607ec0e272177d175fd1807c30b00fdf2 SOURCES/gmp-6.2.1.tar.xz
-c809f048a71b322453c18e30986a18e600306d77 SOURCES/nettle-3.8-hobbled.tar.xz
+762cc3c0a8cf735353927607a147d7bb802b5aad SOURCES/nettle-3.10-hobbled.tar.xz

SOURCES/nettle-3.4-annocheck.patch

@@ -1,13 +0,0 @@
-Index: nettle-3.7/Makefile.in
-===================================================================
---- nettle-3.7.orig/Makefile.in
-+++ nettle-3.7/Makefile.in
-@@ -291,7 +291,7 @@ libhogweed.a: $(hogweed_OBJS)
- 
- %.$(OBJEXT): %.asm $(srcdir)/m4-utils.m4 $(srcdir)/asm.m4 config.m4 machine.m4
- 	$(M4) $(srcdir)/m4-utils.m4 $(srcdir)/asm.m4 config.m4 machine.m4 $< >$*.s
--	$(COMPILE) -c $*.s
-+	$(COMPILE) -c -Wa,--generate-missing-build-notes=yes $*.s
- 
- %.$(OBJEXT): %.c
- 	$(COMPILE) -c $< \

SOURCES/nettle-3.8-zeroize-stack.patch

@@ -1,4 +1,4 @@
-From 894b22e6d851512776bd62e85e749d6950ce16fc Mon Sep 17 00:00:00 2001
+From 24a4cb910a51f35dff89842e8cce27f88e8e78c3 Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <dueno@redhat.com>
 Date: Wed, 24 Aug 2022 17:19:57 +0900
 Subject: [PATCH] Clear any intermediate data allocate on stack
@@ -212,10 +212,10 @@ index 892c0742..a7e0c21d 100644
 +  TMP_CLEAR (k, size + ECC_GOSTDSA_SIGN_ITCH (size));
  }
 diff --git a/hmac.c b/hmac.c
-index 6ac5e11a..0ac33bed 100644
+index ea356970..6a55551b 100644
 --- a/hmac.c
 +++ b/hmac.c
-@@ -55,6 +55,8 @@ hmac_set_key(void *outer, void *inner, void *state,
+@@ -53,6 +53,8 @@ hmac_set_key(void *outer, void *inner, void *state,
  {
    TMP_DECL(pad, uint8_t, NETTLE_MAX_HASH_BLOCK_SIZE);
    TMP_ALLOC(pad, hash->block_size);
@@ -224,7 +224,7 @@ index 6ac5e11a..0ac33bed 100644
    
    hash->init(outer);
    hash->init(inner);
-@@ -64,9 +66,6 @@ hmac_set_key(void *outer, void *inner, void *state,
+@@ -62,9 +64,6 @@ hmac_set_key(void *outer, void *inner, void *state,
        /* Reduce key to the algorithm's hash size. Use the area pointed
         * to by state for the temporary state. */
  
@@ -234,7 +234,7 @@ index 6ac5e11a..0ac33bed 100644
        hash->init(state);
        hash->update(state, key_length, key);
        hash->digest(state, hash->digest_size, digest);
-@@ -88,6 +87,9 @@ hmac_set_key(void *outer, void *inner, void *state,
+@@ -86,6 +85,9 @@ hmac_set_key(void *outer, void *inner, void *state,
    hash->update(inner, hash->block_size, pad);
  
    memcpy(state, inner, hash->context_size);
@@ -244,7 +244,7 @@ index 6ac5e11a..0ac33bed 100644
  }
  
  void
-@@ -114,4 +116,6 @@ hmac_digest(const void *outer, const void *inner, void *state,
+@@ -112,4 +114,6 @@ hmac_digest(const void *outer, const void *inner, void *state,
    hash->digest(state, length, dst);
  
    memcpy(state, inner, hash->context_size);
@@ -252,10 +252,10 @@ index 6ac5e11a..0ac33bed 100644
 +  TMP_CLEAR(digest, hash->digest_size);
  }
 diff --git a/nettle-internal.h b/nettle-internal.h
-index ddc483de..9fc55514 100644
+index c41f3ee0..62b89e11 100644
 --- a/nettle-internal.h
 +++ b/nettle-internal.h
-@@ -72,6 +72,11 @@
+@@ -76,6 +76,11 @@
    do { assert((size_t)(size) <= (sizeof(name))); } while (0)
  #endif 
  
@@ -264,8 +264,8 @@ index ddc483de..9fc55514 100644
 +#define TMP_CLEAR(name, size) (explicit_bzero (name, sizeof (*name) * (size)))
 +#define TMP_CLEAR_ALIGN(name, size) (explicit_bzero (name, size))
 +
- /* Arbitrary limits which apply to systems that don't have alloca */
- #define NETTLE_MAX_HASH_BLOCK_SIZE 128
+ /* Limits that apply to systems that don't have alloca */
+ #define NETTLE_MAX_HASH_BLOCK_SIZE 144  /* For sha3_224*/
  #define NETTLE_MAX_HASH_DIGEST_SIZE 64
 diff --git a/pbkdf2.c b/pbkdf2.c
 index 291d138a..a8ecba5b 100644
@@ -330,5 +330,5 @@ index d28e7b13..8106ebf2 100644
    return ret;
  }
 -- 
-2.37.2
+2.41.0
 

SPECS/nettle.spec

@@ -1,3 +1,13 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.5)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+    release_number = 1;
+    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+    print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
 # Recent so-version, so we do not bump accidentally.
 %global nettle_so_ver 8
 %global hogweed_so_ver 6
@@ -11,14 +21,25 @@
 %global hogweed_so_ver_old 5
 %endif
 
-%bcond_without fips
+%if %{defined rhel}
+# * RHEL 9 and later include nettle in the gnutls module boundary,
+#   and HMAC is calculated there with its own tool.
+# * RHEL 9 and later statically links to gmp to ensure zeroization of CSP.
+%if 0%{?rhel} < 9
+%bcond_without fipshmac
+%bcond_with bundle_gmp
+%else
+%bcond_with fipshmac
+%bcond_without bundle_gmp
+%endif
+%endif
 
 Name:           nettle
-Version:        3.8
-Release:        3%{?dist}
+Version:        3.10
+Release:        %{?autorelease}%{!?autorelease:1%{?dist}}
 Summary:        A low-level cryptographic library
 
-License:        LGPLv3+ or GPLv2+
+License:        LGPL-3.0-or-later OR GPL-2.0-or-later
 URL:            http://www.lysator.liu.se/~nisse/nettle/
 Source0:	%{name}-%{version}-hobbled.tar.xz
 #Source0:        http://www.lysator.liu.se/~nisse/archive/%%{name}-%%{version}.tar.gz
@@ -26,7 +47,6 @@ Source0:	%{name}-%{version}-hobbled.tar.xz
 Source1:	%{name}-%{version_old}-hobbled.tar.xz
 Source2:	nettle-3.5-remove-ecc-testsuite.patch
 %endif
-Patch:		nettle-3.4-annocheck.patch
 Patch:		nettle-3.8-zeroize-stack.patch
 
 Source100:	gmp-6.2.1.tar.xz
@@ -36,12 +56,12 @@ Source102:	gmp-6.2.1-zeroize-allocator.patch
 
 BuildRequires: make
 BuildRequires:  gcc
-%if !%{with fips}
+%if !%{with bundle_gmp}
 BuildRequires:  gmp-devel
 %endif
 BuildRequires:  m4
 BuildRequires:	libtool, automake, autoconf, gettext-devel
-%if %{with fips}
+%if %{with fipshmac}
 BuildRequires:  fipscheck
 %endif
 
@@ -67,7 +87,7 @@ applications with nettle.
 %prep
 %autosetup -Tb 0 -p1
 
-%if %{with fips}
+%if %{with bundle_gmp}
 mkdir -p bundled_gmp
 pushd bundled_gmp
 tar --strip-components=1 -xf %{SOURCE100}
@@ -98,7 +118,7 @@ sed 's/ecc-secp192r1.c//g' -i Makefile.in
 sed 's/ecc-secp224r1.c//g' -i Makefile.in
 
 %build
-%if %{with fips}
+%if %{with bundle_gmp}
 pushd bundled_gmp
 autoreconf -ifv
 %configure --disable-cxx --disable-shared --enable-fat --with-pic
@@ -107,13 +127,13 @@ popd
 %endif
 
 autoreconf -ifv
-
+# For annocheck
+export ASM_FLAGS="-Wa,--generate-missing-build-notes=yes"
 %configure --enable-shared --enable-fat \
-%if %{with fips}
+%if %{with bundle_gmp}
 --with-include-path=$PWD/bundled_gmp --with-lib-path=$PWD/bundled_gmp/.libs \
 %endif
 %{nil}
-
 %make_build
 
 %if 0%{?bootstrap}
@@ -124,7 +144,7 @@ autoconf
 popd
 %endif
 
-%if %{with fips}
+%if %{with fipshmac}
 %define fipshmac() \
 	fipshmac -d $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libdir}/%1.* \
 	file=`basename $RPM_BUILD_ROOT%{_libdir}/%1.*.hmac` && \
@@ -188,7 +208,7 @@ make check
 %{_libdir}/libhogweed.so.%{hogweed_so_ver_old}
 %{_libdir}/libhogweed.so.%{hogweed_so_ver_old}.*
 %endif
-%if %{with fips}
+%if %{with fipshmac}
 %{_libdir}/.libhogweed.so.*.hmac
 %{_libdir}/.libnettle.so.*.hmac
 %endif
@@ -205,25 +225,57 @@ make check
 
 
 %changelog
-* Thu Aug 25 2022 Daiki Ueno <dueno@redhat.com> - 3.8-3
-- Rebuild in new side-tag
+## START: Generated by rpmautospec
+* Fri Jul 26 2024 Daiki Ueno <dueno@redhat.com> - 3.10-1
+- Update to nettle 3.10
 
-* Thu Aug 18 2022 Daiki Ueno <dueno@redhat.com> - 3.8-2
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.9.1-11
+- Bump release for June 2024 mass rebuild
+
+* Thu Jun 20 2024 Daiki Ueno <dueno@redhat.com> - 3.9.1-10
+- Split "fips" bcond into "fipshmac" and "bundle_gmp"
+
+* Tue Jun 18 2024 Daiki Ueno <dueno@redhat.com> - 3.9.1-9
+- Update hobble-nettle to disable SM4 again
+
+* Fri Jun 07 2024 Daiki Ueno <dueno@redhat.com> - 3.9.1-8
 - Bundle GMP to privatize memory functions
-- Zeroize stack allocated intermediate data
 
-* Tue Jun 28 2022 Daiki Ueno <dueno@redhat.com> - 3.8-1
-- Update to nettle 3.8 (#2100350)
+* Thu Feb 15 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 3.9.1-7
+- Disable HMAC in RHEL 9+
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.9.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.7.3-2
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.9.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
-* Wed Jul 28 2021 Daiki Ueno <dueno@redhat.com> - 3.7.3-1
-- Update to nettle 3.7.3 (#1986712)
+* Thu Aug 24 2023 Daiki Ueno <dueno@redhat.com> - 3.9.1-4
+- Migrate License field to SPDX license identifier
 
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.7.2-2
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.9.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Mon Jun  5 2023 Daiki Ueno <dueno@redhat.com> - 3.9.1-1
+- Update to nettle 3.9.1
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Fri Jun  3 2022 Daiki Ueno <dueno@redhat.com> - 3.8-1
+- Update to nettle 3.8
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon Jun  7 2021 Daiki Ueno <dueno@redhat.com> - 3.7.3-1
+- Update to nettle 3.7.3
 
 * Sun Mar 21 2021 Daiki Ueno <dueno@redhat.com> - 3.7.2-1
 - Update to nettle 3.7.2
@@ -408,3 +460,5 @@ make check
 
 * Fri Feb 08 2008 Ian Weller <ianweller@gmail.com> 1.15-1
 - First package build.
+
+## END: Generated by rpmautospec