From 8e77a600bec98da1ae0524bad220e6375910a751 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 16 Feb 2018 12:58:33 +0100
Subject: [PATCH] Update to 3.6.2-1

- Update to upstream 3.6.2 release
---
 .gitignore | 3 +
 gnutls-3.6.1-disable-pss-tests.patch | 20 ++
 gnutls-3.6.1-pkcs11-loading.patch | 284 -----------------
 gnutls-3.6.1-pkcs11-loading2.patch | 289 ------------------
 gnutls-3.6.1-pkcs11-tests.patch | 69 -----
 gnutls.spec | 13 +-
 ...42418905D8206AA754CCDC29EE58B996865171.gpg | Bin 56226 -> 58697 bytes
 sources | 6 +-
 8 files changed, 32 insertions(+), 652 deletions(-)
 create mode 100644 gnutls-3.6.1-disable-pss-tests.patch
 delete mode 100644 gnutls-3.6.1-pkcs11-loading.patch
 delete mode 100644 gnutls-3.6.1-pkcs11-loading2.patch
 delete mode 100644 gnutls-3.6.1-pkcs11-tests.patch

diff --git a/.gitignore b/.gitignore
index c9a0673..acb937a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -89,3 +89,6 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 /gnutls-3.6.1.tar.xz.sig
 /gnutls-3.6.1.tar.xz
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/gnutls-3.6.2.tar.xz.sig
+/gnutls-3.6.2.tar.xz
diff --git a/gnutls-3.6.1-disable-pss-tests.patch b/gnutls-3.6.1-disable-pss-tests.patch
new file mode 100644
index 0000000..2f3fc42
--- /dev/null
+++ b/gnutls-3.6.1-disable-pss-tests.patch
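Review bot: The added `+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg` line duplicates the identical entry already listed as context at the top of this same hunk, so the new entries should be only the two 3.6.2 tarball lines. Git tolerates the duplicate, but a second copy is the kind of drift that makes later cleanups of this file error-prone.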
@@ -0,0 +1,20 @@
+diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
+index c85d878..614fcea 100644
+--- a/tests/pkcs11/tls-neg-pkcs11-key.c
++++ b/tests/pkcs11/tls-neg-pkcs11-key.c
+@@ -261,6 +261,7 @@ static const test_st tests[] = {
+ .key = &server_ca3_key,
+ .exp_kx = GNUTLS_KX_ECDHE_RSA
+ },
++#if 0
+ {.name = "tls1.2: rsa-sign key with rsa-pss sigs prioritized",
+ .pk = GNUTLS_PK_RSA,
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:-VERS-TLS-ALL:+VERS-TLS1.2",
+@@ -292,6 +293,7 @@ static const test_st tests[] = {
+ .exp_kx = GNUTLS_KX_ECDHE_RSA,
+ .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
+ },
++#endif
+ {.name = "tls1.2: ed25519 cert, ed25519 key", /* we cannot import that key */
+ .pk = GNUTLS_PK_EDDSA_ED25519,
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
diff --git a/gnutls-3.6.1-pkcs11-loading.patch b/gnutls-3.6.1-pkcs11-loading.patch
deleted file mode 100644
index ede3c2a..0000000
--- a/gnutls-3.6.1-pkcs11-loading.patch
+++ /dev/null
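Review bot: The `#if 0`/`#endif` pair that the new gnutls-3.6.1-disable-pss-tests.patch wraps around the rsa-pss entries of `tests[]` records no reason for the exclusion, so a later reader cannot tell whether this is a known upstream failure, a limitation of the test's PKCS#11 backend, or a packaging choice, nor when it may be re-enabled. Put the reason on the directive itself, e.g. `#if 0 /* Fedora: disabled because <reason>; re-enable once <condition> */`, and, if the 3.6.2 table still carries the `.requires_pkcs11_pss` field that the deleted gnutls-3.6.1-pkcs11-tests.patch used, a runtime skip through that field is preferable to removing the entries from compilation, since it keeps them building. The file is also named for 3.6.1 although it is introduced for and applied to 3.6.2, which makes the "was this merged upstream?" check harder on the next rebase. The `tests[]` initializer starts before and continues after both inner hunks.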
@@ -1,284 +0,0 @@
-diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
-index c3db2181a..52f7898b4 100644
---- a/lib/includes/gnutls/pkcs11.h
-+++ b/lib/includes/gnutls/pkcs11.h
-@@ -65,6 +65,7 @@ typedef struct gnutls_pkcs11_obj_st *gnutls_pkcs11_obj_t;
-
- #define GNUTLS_PKCS11_FLAG_MANUAL 0 /* Manual loading of libraries */
- #define GNUTLS_PKCS11_FLAG_AUTO 1 /* Automatically load libraries by reading /etc/gnutls/pkcs11.conf */
-+#define GNUTLS_PKCS11_FLAG_AUTO_TRUSTED (1<<1) /* Automatically load trusted libraries by reading /etc/gnutls/pkcs11.conf */
-
- /* pkcs11.conf format:
- * load = /lib/xxx-pkcs11.so
-diff --git a/lib/libgnutls.map b/lib/libgnutls.map
-index 43a6b1321..16c582c6f 100644
---- a/lib/libgnutls.map
-+++ b/lib/libgnutls.map
-@@ -1241,6 +1241,7 @@ GNUTLS_PRIVATE_3_4 {
- _gnutls_mpi_log;
- _gnutls_mpi_release;
- # Internal symbols needed by tests/:
-+ _gnutls_pkcs11_token_get_url;
- _gnutls_pkcs12_string_to_key;
- _gnutls_bin2hex;
- _gnutls_mac_to_entry;
-diff --git a/lib/pkcs11.c b/lib/pkcs11.c
-index e014a6b5f..e6e37c60c 100644
---- a/lib/pkcs11.c
-+++ b/lib/pkcs11.c
-@@ -108,7 +108,8 @@ struct find_cert_st {
-
- static struct gnutls_pkcs11_provider_st providers[MAX_PROVIDERS];
- static unsigned int active_providers = 0;
--static unsigned int providers_initialized = 0;
-+
-+static init_level_t providers_initialized = PROV_UNINITIALIZED;
- static unsigned int pkcs11_forkid = 0;
-
- static int _gnutls_pkcs11_reinit(void);
-@@ -116,6 +117,8 @@ static int _gnutls_pkcs11_reinit(void);
- gnutls_pkcs11_token_callback_t _gnutls_token_func;
- void *_gnutls_token_data;
-
-+static int auto_load(unsigned trusted);
-+
- int pkcs11_rv_to_err(ck_rv_t rv)
- {
- switch (rv) {
-@@ -232,7 +235,8 @@ pkcs11_add_module(const char* name, struct ck_function_list *module, unsigned cu
- /* initially check if this module is a duplicate */
- for (i = 0; i < active_providers; i++) {
- /* already loaded, skip the rest */
-- if (module == providers[i].module) {
-+ if (module == providers[i].module ||
-+ memcmp(&info, &providers[i].info, sizeof(info)) == 0) {
- _gnutls_debug_log("p11: module %s is already loaded.\n", name);
- return GNUTLS_E_INT_RET_0;
- }
-@@ -261,7 +265,7 @@ pkcs11_add_module(const char* name, struct ck_function_list *module, unsigned cu
- * The output value of the callback will be returned if it is
- * a negative one (indicating failure).
- */
--int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb)
-+int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_function cb)
- {
- int ret;
-
-@@ -269,7 +273,7 @@ int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb)
- if (ret != 0)
- return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR);
-
-- if (providers_initialized != 0) {
-+ if (providers_initialized >= req_level) {
- ret = 0;
-
- if (_gnutls_detect_fork(pkcs11_forkid)) {
-@@ -288,10 +292,16 @@ int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb)
-
- gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
- return ret;
-- }
-+ } else if (providers_initialized < req_level &&
-+ (req_level == PROV_INIT_TRUSTED)) {
-+ _gnutls_debug_log("Initializing needed PKCS #11 modules\n");
-+ ret = auto_load(1);
-
-- _gnutls_debug_log("Initializing PKCS #11 modules\n");
-- ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
-+ providers_initialized = PROV_INIT_TRUSTED;
-+ } else {
-+ _gnutls_debug_log("Initializing all PKCS #11 modules\n");
-+ ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
-+ }
-
- gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
-
-@@ -742,13 +752,13 @@ static void compat_load(const char *configfile)
- return;
- }
-
--static int auto_load(void)
-+static int auto_load(unsigned trusted)
- {
- struct ck_function_list **modules;
- int i, ret;
- char* name;
-
-- modules = p11_kit_modules_load_and_initialize(0);
-+ modules = p11_kit_modules_load_and_initialize(trusted?P11_KIT_MODULE_TRUSTED:0);
- if (modules == NULL) {
- gnutls_assert();
- _gnutls_debug_log
-@@ -817,15 +827,21 @@ gnutls_pkcs11_init(unsigned int flags, const char *deprecated_config_file)
- if (flags == GNUTLS_PKCS11_FLAG_MANUAL) {
- /* if manual configuration is requested then don't
- * bother loading any other providers */
-- providers_initialized = 1;
-+ providers_initialized = PROV_INIT_MANUAL;
- return 0;
- } else if (flags & GNUTLS_PKCS11_FLAG_AUTO) {
- if (deprecated_config_file == NULL)
-- ret = auto_load();
-+ ret = auto_load(0);
-
- compat_load(deprecated_config_file);
-
-- providers_initialized = 1;
-+ providers_initialized = PROV_INIT_ALL;
-+
-+ return ret;
-+ } else if (flags & GNUTLS_PKCS11_FLAG_AUTO_TRUSTED) {
-+ ret = auto_load(1);
-+
-+ providers_initialized = PROV_INIT_TRUSTED;
-
- return ret;
- }
-@@ -918,7 +934,7 @@ void gnutls_pkcs11_deinit(void)
- p11_kit_module_release(providers[i].module);
- }
- active_providers = 0;
-- providers_initialized = 0;
-+ providers_initialized = PROV_UNINITIALIZED;
-
- gnutls_pkcs11_set_pin_function(NULL, NULL);
- gnutls_pkcs11_set_token_function(NULL, NULL);
-@@ -2177,11 +2193,18 @@ find_token_modname_cb(struct ck_function_list *module, struct pkcs11_session_inf
- return 0;
- }
-
-+/* Internal symbol used by tests */
-+int
-+_gnutls_pkcs11_token_get_url(unsigned int seq,
-+ gnutls_pkcs11_url_type_t detailed, char **url,
-+ unsigned flags);
-+
- /**
-- * gnutls_pkcs11_token_get_url:
-+ * _gnutls_pkcs11_token_get_url:
- * @seq: sequence number starting from 0
- * @detailed: non zero if a detailed URL is required
- * @url: will contain an allocated url
-+ * @flags: zero or 1. When 1 no initialization is performed.
- *
- * This function will return the URL for each token available
- * in system. The url has to be released using gnutls_free()
-@@ -2190,16 +2213,18 @@ find_token_modname_cb(struct ck_function_list *module, struct pkcs11_session_inf
- * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the sequence number
- * exceeds the available tokens, otherwise a negative error value.
- *
-- * Since: 2.12.0
- **/
- int
--gnutls_pkcs11_token_get_url(unsigned int seq,
-- gnutls_pkcs11_url_type_t detailed, char **url)
-+_gnutls_pkcs11_token_get_url(unsigned int seq,
-+ gnutls_pkcs11_url_type_t detailed, char **url,
-+ unsigned flags)
- {
- int ret;
- struct find_token_num tn;
-
-- PKCS11_CHECK_INIT;
-+ if (!(flags & 1)) {
-+ PKCS11_CHECK_INIT;
-+ }
-
- memset(&tn, 0, sizeof(tn));
- tn.seq = seq;
-@@ -2224,6 +2249,28 @@ gnutls_pkcs11_token_get_url(unsigned int seq,
- }
-
- /**
-+ * gnutls_pkcs11_token_get_url:
-+ * @seq: sequence number starting from 0
-+ * @detailed: non zero if a detailed URL is required
-+ * @url: will contain an allocated url
-+ *
-+ * This function will return the URL for each token available
-+ * in system. The url has to be released using gnutls_free()
-+ *
-+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
-+ * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if the sequence number
-+ * exceeds the available tokens, otherwise a negative error value.
-+ *
-+ * Since: 2.12.0
-+ **/
-+int
-+gnutls_pkcs11_token_get_url(unsigned int seq,
-+ gnutls_pkcs11_url_type_t detailed, char **url)
-+{
-+ return _gnutls_pkcs11_token_get_url(seq, detailed, url, 0);
-+}
-+
-+/**
- * gnutls_pkcs11_token_get_info:
- * @url: should contain a PKCS 11 URL
- * @ttype: Denotes the type of information requested
-@@ -3173,7 +3220,11 @@ gnutls_pkcs11_obj_list_import_url4(gnutls_pkcs11_obj_t ** p_list,
- int ret;
- struct find_obj_data_st priv;
-
-- PKCS11_CHECK_INIT;
-+ if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED) {
-+ PKCS11_CHECK_INIT_TRUSTED;
-+ } else {
-+ PKCS11_CHECK_INIT;
-+ }
-
- memset(&priv, 0, sizeof(priv));
-
-diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
-index 2c2de3463..de9afbdee 100644
---- a/lib/pkcs11_int.h
-+++ b/lib/pkcs11_int.h
-@@ -82,7 +82,15 @@ struct gnutls_pkcs11_privkey_st {
- * directly. It can be provided a callback function to run when a reinitialization
- * occurs. */
- typedef int (*pkcs11_reinit_function)(void *priv);
--int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb);
-+
-+typedef enum init_level_t {
-+ PROV_UNINITIALIZED = 0,
-+ PROV_INIT_MANUAL,
-+ PROV_INIT_TRUSTED,
-+ PROV_INIT_ALL
-+} init_level_t;
-+
-+int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_function cb);
-
- #define FIX_KEY_USAGE(pk, usage) \
- if (usage == 0) { \
-@@ -93,12 +101,17 @@ int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb);
- }
-
- #define PKCS11_CHECK_INIT \
-- ret = _gnutls_pkcs11_check_init(NULL, NULL); \
-+ ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, NULL, NULL); \
-+ if (ret < 0) \
-+ return gnutls_assert_val(ret)
-+
-+#define PKCS11_CHECK_INIT_TRUSTED \
-+ ret = _gnutls_pkcs11_check_init(PROV_INIT_TRUSTED, NULL, NULL); \
- if (ret < 0) \
- return gnutls_assert_val(ret)
-
- #define PKCS11_CHECK_INIT_RET(x) \
-- ret = _gnutls_pkcs11_check_init(NULL, NULL); \
-+ ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, NULL, NULL); \
- if (ret < 0) \
- return gnutls_assert_val(x)
-
-diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
-index 34fe47a38..afe831ee9 100644
---- a/lib/pkcs11_privkey.c
-+++ b/lib/pkcs11_privkey.c
-@@ -36,7 +36,7 @@
- /* In case of a fork, it will invalidate the open session
- * in the privkey and start another */
- #define PKCS11_CHECK_INIT_PRIVKEY(k) \
-- ret = _gnutls_pkcs11_check_init(k, reopen_privkey_session); \
-+ ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, k, reopen_privkey_session); \
- if (ret < 0) \
- return gnutls_assert_val(ret)
-
diff --git a/gnutls-3.6.1-pkcs11-loading2.patch b/gnutls-3.6.1-pkcs11-loading2.patch
deleted file mode 100644
index bc45834..0000000
--- a/gnutls-3.6.1-pkcs11-loading2.patch
+++ /dev/null
@@ -1,289 +0,0 @@
-diff --git a/lib/pkcs11.c b/lib/pkcs11.c
-index e6e37c60c..e1aa64f19 100644
---- a/lib/pkcs11.c
-+++ b/lib/pkcs11.c
-@@ -267,20 +267,20 @@ pkcs11_add_module(const char* name, struct ck_function_list *module, unsigned cu
- */
- int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_function cb)
- {
-- int ret;
-+ int ret, sret = 0;
-
- ret = gnutls_mutex_lock(&_gnutls_pkcs11_mutex);
- if (ret != 0)
- return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR);
-
-- if (providers_initialized >= req_level) {
-+ if (providers_initialized > PROV_UNINITIALIZED) {
- ret = 0;
-
- if (_gnutls_detect_fork(pkcs11_forkid)) {
- /* if we are initialized but a fork is detected */
- ret = _gnutls_pkcs11_reinit();
- if (ret == 0) {
-- ret = 1;
-+ sret = 1;
- if (cb) {
- int ret2 = cb(priv);
- if (ret2 < 0)
-@@ -290,25 +290,60 @@ int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_
- }
- }
-
-- gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
-- return ret;
-- } else if (providers_initialized < req_level &&
-- (req_level == PROV_INIT_TRUSTED)) {
-- _gnutls_debug_log("Initializing needed PKCS #11 modules\n");
-- ret = auto_load(1);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto cleanup;
-+ }
-+ }
-
-- providers_initialized = PROV_INIT_TRUSTED;
-- } else {
-- _gnutls_debug_log("Initializing all PKCS #11 modules\n");
-- ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
-+ /* Possible Transitions: PROV_UNINITIALIZED -> PROV_INIT_MANUAL -> PROV_INIT_MANUAL_TRUSTED
-+ * PROV_UNINITIALIZED -> PROV_INIT_TRUSTED -> PROV_INIT_ALL
-+ *
-+ * request for PROV_INIT_TRUSTED may result to PROV_INIT_MANUAL_TRUSTED
-+ * request for PROV_INIT_ALL may result to PROV_INIT_MANUAL or PROV_INIT_MANUAL_TRUSTED
-+ */
-+ switch(req_level) {
-+ case PROV_UNINITIALIZED:
-+ case PROV_INIT_MANUAL:
-+ break;
-+ case PROV_INIT_TRUSTED:
-+ case PROV_INIT_MANUAL_TRUSTED:
-+ if (providers_initialized < PROV_INIT_MANUAL_TRUSTED) {
-+ _gnutls_debug_log("Initializing needed PKCS #11 modules\n");
-+ ret = auto_load(1);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ }
-+
-+ if (providers_initialized == PROV_INIT_MANUAL)
-+ providers_initialized = PROV_INIT_MANUAL_TRUSTED;
-+ else
-+ providers_initialized = PROV_INIT_TRUSTED;
-+
-+ goto cleanup;
-+ }
-+ break;
-+ case PROV_INIT_ALL:
-+ if (providers_initialized == PROV_INIT_TRUSTED ||
-+ providers_initialized == PROV_UNINITIALIZED) {
-+ _gnutls_debug_log("Initializing all PKCS #11 modules\n");
-+ ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ }
-+
-+ providers_initialized = PROV_INIT_ALL;
-+ goto cleanup;
-+ }
-+ break;
- }
-
-- gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
-+ ret = sret;
-
-- if (ret < 0)
-- return gnutls_assert_val(ret);
-+ cleanup:
-+ gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
-
-- return 0;
-+ return ret;
- }
-
-
-@@ -3220,11 +3255,7 @@ gnutls_pkcs11_obj_list_import_url4(gnutls_pkcs11_obj_t ** p_list,
- int ret;
- struct find_obj_data_st priv;
-
-- if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED) {
-- PKCS11_CHECK_INIT_TRUSTED;
-- } else {
-- PKCS11_CHECK_INIT;
-- }
-+ PKCS11_CHECK_INIT_FLAGS(flags);
-
- memset(&priv, 0, sizeof(priv));
-
-@@ -3965,7 +3996,7 @@ int gnutls_pkcs11_get_raw_issuer(const char *url, gnutls_x509_crt_t cert,
- size_t id_size;
- struct p11_kit_uri *info = NULL;
-
-- PKCS11_CHECK_INIT;
-+ PKCS11_CHECK_INIT_FLAGS(flags);
-
- memset(&priv, 0, sizeof(priv));
-
-@@ -4057,7 +4088,7 @@ int gnutls_pkcs11_get_raw_issuer_by_dn (const char *url, const gn
utls_datum_t *d
- struct find_cert_st priv;
- struct p11_kit_uri *info = NULL;
-
-- PKCS11_CHECK_INIT;
-+ PKCS11_CHECK_INIT_FLAGS(flags);
-
- memset(&priv, 0, sizeof(priv));
-
-@@ -4144,7 +4175,7 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
- struct find_cert_st priv;
- struct p11_kit_uri *info = NULL;
-
-- PKCS11_CHECK_INIT;
-+ PKCS11_CHECK_INIT_FLAGS(flags);
-
- memset(&priv, 0, sizeof(priv));
-
-@@ -4238,7 +4269,7 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
- size_t serial_size;
- struct p11_kit_uri *info = NULL;
-
-- PKCS11_CHECK_INIT_RET(0);
-+ PKCS11_CHECK_INIT_FLAGS_RET(flags, 0);
-
- memset(&priv, 0, sizeof(priv));
-
-diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
-index de9afbdee..3ba9c5501 100644
---- a/lib/pkcs11_int.h
-+++ b/lib/pkcs11_int.h
-@@ -86,10 +86,14 @@ typedef int (*pkcs11_reinit_function)(void *priv);
- typedef enum init_level_t {
- PROV_UNINITIALIZED = 0,
- PROV_INIT_MANUAL,
-+ PROV_INIT_MANUAL_TRUSTED,
- PROV_INIT_TRUSTED,
- PROV_INIT_ALL
- } init_level_t;
-
-+/* See _gnutls_pkcs11_check_init() for possible Transitions.
-+ */
-+
- int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_function cb);
-
- #define FIX_KEY_USAGE(pk, usage) \
-@@ -101,20 +105,26 @@ int _gnutls_pkcs11_check_init(init_level_t req_level, void *priv, pkcs11_reinit_
- }
-
- #define PKCS11_CHECK_INIT \
-- ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, NULL, NULL); \
-+ ret = _gnutls_pkcs11_check_init(PROV_INIT_ALL, NULL, NULL); \
- if (ret < 0) \
- return gnutls_assert_val(ret)
-
--#define PKCS11_CHECK_INIT_TRUSTED \
-- ret = _gnutls_pkcs11_check_init(PROV_INIT_TRUSTED, NULL, NULL); \
-+#define PKCS11_CHECK_INIT_RET(x) \
-+ ret = _gnutls_pkcs11_check_init(PROV_INIT_ALL, NULL, NULL); \
-+ if (ret < 0) \
-+ return gnutls_assert_val(x)
-+
-+#define PKCS11_CHECK_INIT_FLAGS(f) \
-+ ret = _gnutls_pkcs11_check_init((f & GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE)?PROV_INIT_TRUSTED:PROV_INIT_ALL, NULL, NULL); \
- if (ret < 0) \
- return gnutls_assert_val(ret)
-
--#define PKCS11_CHECK_INIT_RET(x) \
-- ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, NULL, NULL); \
-+#define PKCS11_CHECK_INIT_FLAGS_RET(f, x) \
-+ ret = _gnutls_pkcs11_check_init((f & GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE)?PROV_INIT_TRUSTED:PROV_INIT_ALL, NULL, NULL); \
- if (ret < 0) \
- return gnutls_assert_val(x)
-
-+
- /* thus function is called for every token in the traverse_tokens
- * function. Once everything is traversed it is called with NULL tinfo.
- * It should return 0 if found what it was looking for.
-diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
-index afe831ee9..fd1997c8c 100644
---- a/lib/pkcs11_privkey.c
-+++ b/lib/pkcs11_privkey.c
-@@ -36,7 +36,7 @@
- /* In case of a fork, it will invalidate the open session
- * in the privkey and start another */
- #define PKCS11_CHECK_INIT_PRIVKEY(k) \
-- ret = _gnutls_pkcs11_check_init(PROV_INIT_MANUAL, k, reopen_privkey_session); \
-+ ret = _gnutls_pkcs11_check_init(PROV_INIT_ALL, k, reopen_privkey_session); \
- if (ret < 0) \
- return gnutls_assert_val(ret)
-
-diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
-index 69fc0f2e6..7b375d61f 100644
---- a/lib/x509/verify-high.c
-+++ b/lib/x509/verify-high.c
-@@ -367,7 +367,7 @@ advance_iter(gnutls_x509_trust_list_t list,
- if (list->pkcs11_token != NULL) {
- if (iter->pkcs11_list == NULL) {
- ret = gnutls_pkcs11_obj_list_import_url2(&iter->pkcs11_list, &iter->pkcs11_size,
-- list->pkcs11_token, (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), 0);
-+ list->pkcs11_token, (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), 0);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
-@@ -972,7 +972,7 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
- gnutls_datum_t der = {NULL, 0};
- /* use the token for verification */
- ret = gnutls_pkcs11_get_raw_issuer(list->pkcs11_token, cert, &der,
-- GNUTLS_X509_FMT_DER, 0);
-+ GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
- if (ret < 0) {
- gnutls_assert();
- return ret;
-@@ -1044,7 +1044,7 @@ int gnutls_x509_trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
- gnutls_datum_t der = {NULL, 0};
- /* use the token for verification */
- ret = gnutls_pkcs11_get_raw_issuer_by_dn(list->pkcs11_token, dn, &der,
-- GNUTLS_X509_FMT_DER, 0);
-+ GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
- if (ret < 0) {
- gnutls_assert();
- return ret;
-@@ -1105,7 +1105,7 @@ int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t
- gnutls_datum_t der = {NULL, 0};
- /* use the token for verification */
- ret = gnutls_pkcs11_get_raw_issuer_by_subject_key_id(list->pkcs11_token, dn, spki, &der,
-- GNUTLS_X509_FMT_DER, 0);
-+ GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
- if (ret < 0) {
- gnutls_assert();
- return ret;
-diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
-index fb9f9ce10..8c75b2641 100644
---- a/lib/x509/verify-high2.c
-+++ b/lib/x509/verify-high2.c
-@@ -188,6 +188,10 @@ int add_trust_list_pkcs11_object_url(gnutls_x509_trust_list_t list, const char *
- gnutls_pkcs11_obj_t *pcrt_list = NULL;
- unsigned int pcrt_list_size = 0, i;
- int ret;
-+
-+ /* here we don't use the flag GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE,
-+ * as we want to explicitly load from any module available in the system.
-+ */
- ret =
- gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size,
- url,
-@@ -323,7 +327,7 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
- */
- if (is_pkcs11_url_object(ca_file) != 0) {
- return add_trust_list_pkcs11_object_url(list, ca_file, tl_flags);
-- } else { /* token */
-+ } else { /* trusted token */
- if (list->pkcs11_token != NULL)
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- list->pkcs11_token = gnutls_strdup(ca_file);
-@@ -331,7 +335,7 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
- /* enumerate the certificates */
- ret = gnutls_pkcs11_obj_list_import_url(NULL, &pcrt_list_size,
- ca_file,
-- (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED),
-+ (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED),
- 0);
- if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
- return gnutls_assert_val(ret);
diff --git a/gnutls-3.6.1-pkcs11-tests.patch b/gnutls-3.6.1-pkcs11-tests.patch
deleted file mode 100644
index bcbe6d3..0000000
--- a/gnutls-3.6.1-pkcs11-tests.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
-index ca16600130..c85d8789df 100644
---- a/tests/pkcs11/tls-neg-pkcs11-key.c
-+++ b/tests/pkcs11/tls-neg-pkcs11-key.c
-@@ -247,45 +247,52 @@ typedef struct test_st {
- } test_st;
-
- static const test_st tests[] = {
-- {.name = "ecc key",
-+ {.name = "tls1.2: ecc key",
- .pk = GNUTLS_PK_ECDSA,
-- .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA",
-+ .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
- .cert = &server_ca3_localhost_ecc_cert,
- .key = &server_ca3_ecc_key,
- .exp_kx = GNUTLS_KX_ECDHE_ECDSA
- },
-- {.name = "rsa-sign key",
-+ {.name = "tls1.2: rsa-sign key",
- .pk = GNUTLS_PK_RSA,
-- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
-+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
- .cert = &server_ca3_localhost_cert,
- .key = &server_ca3_key,
- .exp_kx = GNUTLS_KX_ECDHE_RSA
- },
-- {.name = "rsa-sign key with rsa-pss sigs prioritized",
-+ {.name = "tls1.2: rsa-sign key with rsa-pss sigs prioritized",
- .pk = GNUTLS_PK_RSA,
-- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512",
-+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:-VERS-TLS-ALL:+VERS-TLS1.2",
- .cert = &server_ca3_localhost_cert,
- .key = &server_ca3_key,
- .exp_kx = GNUTLS_KX_ECDHE_RSA
- },
-- {.name = "rsa-pss-sign key",
-+ {.name = "tls1.2: rsa-pss-sign key",
- .pk = GNUTLS_PK_RSA_PSS,
-- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
-+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
- .cert = &server_ca3_rsa_pss2_cert,
- .key = &server_ca3_rsa_pss2_key,
- .exp_kx = GNUTLS_KX_ECDHE_RSA,
- .requires_pkcs11_pss = 1,
-- .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
- },
-- {.name = "rsa-pss cert, rsa-sign key", /* we expect the server to refuse negotiating */
-+ {.name = "tls1.2: rsa-pss cert, rsa-sign key",
- .pk = GNUTLS_PK_RSA,
-- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
-+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",
-+ .cert = &server_ca3_rsa_pss_cert,
-+ .key = &server_ca3_rsa_pss_key,
-+ .exp_kx = GNUTLS_KX_ECDHE_RSA,
-+ .requires_pkcs11_pss = 1,
-+ },
-+ {.name = "tls1.2: rsa-pss cert, rsa-sign key no PSS signatures",
-+ .pk = GNUTLS_PK_RSA,
-+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512",
- .cert = &server_ca3_rsa_pss_cert,
- .key = &server_ca3_rsa_pss_key,
- .exp_kx = GNUTLS_KX_ECDHE_RSA,
- .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES
- },
-- {.name = "ed25519 cert, ed25519 key", /* we cannot import that key */
-+ {.name = "tls1.2: ed25519 cert, ed25519 key", /* we cannot import that key */
- .pk = GNUTLS_PK_EDDSA_ED25519,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
- .cert = &server_ca3_eddsa_cert,
diff --git a/gnutls.spec b/gnutls.spec
index 70664c9..f8dbac5 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,11 +1,9 @@
 # This spec file has been automatically updated
-Version: 3.6.1
-Release: 5%{?dist}
+Version: 3.6.2
+Release: 1%{?dist}
 Patch1: gnutls-3.2.7-rpath.patch
 Patch2: gnutls-3.4.2-no-now-guile.patch
-Patch3: gnutls-3.6.1-pkcs11-loading.patch
-Patch4: gnutls-3.6.1-pkcs11-loading2.patch
-Patch5: gnutls-3.6.1-pkcs11-tests.patch
+Patch3: gnutls-3.6.1-disable-pss-tests.patch
 %bcond_without dane
 %bcond_without guile
 Summary: A TLS protocol implementation
@@ -142,8 +140,6 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-%patch4 -p1
-%patch5 -p1
 sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
 rm -f lib/minitasn1/*.c lib/minitasn1/*.h
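Review bot: The first gnutls.spec hunk re-points `Patch3` from gnutls-3.6.1-pkcs11-loading.patch to gnutls-3.6.1-disable-pss-tests.patch and drops `Patch4`/`Patch5`, but nothing in the spec or in the changelog entry records why the three pkcs11 patches go away (merged into upstream 3.6.2, presumably, though the commit does not say so) or why PSS test cases now have to be disabled. A comment above the new line, e.g. `# 3.6.2 supersedes the 3.6.1 pkcs11-loading/tests patches (<upstream ref>); PSS pkcs11 test cases disabled because <reason>`, would let the next rebase decide whether the patch can be dropped. The same commit also replaces the keyring that `gpgv2 --keyring %{SOURCE2}` on the second hunk's header line verifies the tarball signature against, with a new SHA512 recorded in `sources`; since that changes which signing keys the build trusts, it deserves its own changelog line rather than being folded into "Update to upstream 3.6.2 release". The `%prep` section containing the second hunk starts before it.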
@@ -274,6 +270,9 @@ fi
 %endif
 %changelog
+* Fri Feb 16 2018 Nikos Mavrogiannopoulos - 3.6.2-1
+- Update to upstream 3.6.2 release
+
 * Wed Feb 07 2018 Fedora Release Engineering - 3.6.1-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
diff --git a/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg b/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg index 1f9a40cc96ea43f54ea9dc0f1873971a85535c2f..b1ee43c60379c783e5f3457c480d6a7ecc2447c5 100644 GIT binary patch delta 2201 zcmai!c{~%0AIGFw&m~CPK1&IdwEJkRr%`N7)EU|mEgMP-ZFkmY94 zkl^ERd1;%H=i1`~G?OmyuGEiHXHX5aLRG4EmHiWmT;`K8Z{Bb+{y4PdJ)eE*;CGgs z6nR6~N`nYA|p5#ilWx!s`lH~C96Qml8Wp3=nX>WYI zB>9j7fOd$g$jDdOw?hfa;kG_>MUvC^lu|aKsXc3)dNp6gE2pOC_<-lR^;2$Tp=j}h zFymZ-rc2lFwCwkZ4v*WdqdLt{Bv=S8(AiiVT~PaUCePpG`{pS2@9cf*?K{9m#h40f zZZ1B9@mN^(^rs5r=eZp)sf^xeyje?|l$Tf>odS}N-vqHRXZo*dt`GHj0luZ0JJ&P& z*!hNl47{)S0hJ>9cdla$r2U)N<+AcrdgG>X!8xUGXj3E*iU{NYyT%%?16cs|A7Xf~ z=2E63f<%Y-Lmh<)<^gbt)<8HrEKMOaH-At^y5wbRp6ji4(0!&V1kdqV+qWV{Rs25H z`2)BhyS$WS`f~J|otjDvTBopKR%Ol8ia={fCCl8}x1Z$WQo+gW!nr#|`AHphOni?q zbQlr-m4MQ~%DNc12|PwF!MseU3`PFV6BPV#DuOag3xHVHd{plz+J@8gLb&|)bl7KC z1vq;Bo0;U2iCUxn*k3Hv%$yFgIt zZRI<6CZSN1zFt%o{3Ug??3u9_Mx{$jopE;+1^Z}x0uF~K%`zMg69GIx05Bc&?bmKu z0CECSU7$fMvzCfZNMpoWo1_02QmHSWBaYqs?{0oKt zLS0Up+$#5RRS^3N5mRDTsk;G%e!o!w8!Pvp3rg!I^N(|hN)8|}cK*o0N{_Ft=(Oat zmlP!?4}T46m$E6ux5FwfMZm?D_#1W-aV<3XR#dHfOdJmHE5#g{!P2b z0;#EyDArz7j;JGwVtRjWErNHLt^9MtT;_Zucc0hU(}^pYhCga_mc3^xq7a^A37APY zlze9uyt<@0U|Hx@3;ahnlM@LkbQ+Q!lwTqpt0n=Ag2kU?6ecXxL*G19qV@};*_cwZ z9l&=s7le`%=j8<_oNa(gYO4>%h<1p)EO!1_c&IWiOLyMa3dBa$_x22)Bt9Uh(sI<357JZ5zB8evT%%r^i#wX05OWT^B3WdBsnvvbZ&3DSWZaaPvgQsOZktPTpXb0kg^3KnW>k{F?ZN1aHQx?kGPC| zypw^;tMTgtp4+eksW7NO4(p9Ew(Qks1&U*;$Dc+V>8a94#s=~pwd${#BT3YLoiGR{ zJ0s#K_VkP%K6pIib^65LR~UM@@apZ!CmqTb_HN#@d!bGP9cYnbYo;h}dy!{SjH8O4 zuUpcbvah%{EG6lAEbt&Ng}2Q#AC24(harkx3$)W8R{Hj*s9VIev|N~ymu zJ|?YzYY$W{>&b)8YQ&80?~y2{Pi&EEQ+rh5eui2yb4V9+0|#w3edi_*^q(Drg_Aw1 zN93ZTd=6#J`5I{=%KBY|Lh86IJhC9d$$-=FOYQCcWt5p z@7Y=|aK&s)g-`e$DwbK2_3%-gGBPdHP~-$#3VvZ@6)c`siZA;%;DpMY^OEY5R{wx* zH)mZLil3}o&GH*0n6lcb4A`P2m6Y)*Nm!RiR+X^1T zY=Pjqc>#33*acif)`ZR|ai|}2(f{Ix=`=TLQuYW-mZ}olr>&J^^WPHqNlU_*w9TqB z>|&}vyQ#vqDB`Nfcv-po*>V=cq)EFBFDcP!gQG+Hez6V;wE0HL#+iy{cE-C}-PcSD 
zT9MuYuC_l|IUsRZ>+6Pno0cYxlPNr$MVa=0p{uV<>@z7>m8n!BZIbytyPv&^;(ZXc zcDCfHT&X8XiskZP_a*@nF`%y)GjM=LC(!bZ1*xd zYxovZ=01D4HtNp(76P#2{|do`4I~QrErkEx`;QRJS0Um`QOddo5owE9tQy&GI{H^# zS%Kk~tPa>VKEInp$;meD(EW&h=%XEkn9~DZiLJ2y)OQ|49%ZIa7c2$M;!L>pvl`Q9 za>^7%-#_5K(N=2XsrN4IQAa6T&1$_#ai^c^|D5nfoM{guTzgxyOU3}Q*UWV;y2Q@{ z>&b`1vkMA0Esl4Ayj8DX(josslq!<1Ks4ez=kluYIphq0ZayIwHlh3qkT3aOq5k z*gS0gDLJNK7xCd9-PQ$JGkDppj}1n(00x;#Cs%9GK6-A@mPHII-dn#EC-h{!QWLFj zVGJ3(HnDoof+E~LGSLN!BO-`cBSy$AubH2w)!Mg9oB=P)b?N0-_qfLd;qW=I7JHJ7 zQ`?M-*7*m4!N*$?TG~OX+c}U% zo#YgLRxnbkP&}Gn$|9kludslbHBT`Okmc-Sy&Bi`S$PPMfGZBRofgl71d?VBj|2}t NHP}L{11QR2{{nR^3U&Yh
delta 14
WcmX?kih0p?<_*toY~FZ#4-)`B(Fk4u
diff --git a/sources b/sources
index 964528d..622c52d 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 7eccc70fb763cf8a6525228230c1f537224809cf553efb3ad6bc88ad96f01122c30a5cd9d8328fa3a97b242d59e00bc9966589a24b1e65dd4a27eb71393f097c
-SHA512 (gnutls-3.6.1.tar.xz.sig) = 6639c1a43202786345a0ac0daa47c5b0fb5c49c25d0d853a718d22dc4234c31201b5052508af7203751792426d949d7b3617064665bd2bd3b6a132c2cec36878
-SHA512 (gnutls-3.6.1.tar.xz) = 1f2bd3203ea96844c531be700b44623b79f46743143edf97011aab07895ca18d62f1659c7fafc5e1c4b0686fde490836f00358bdd60d6ac0b842526db002da23
+SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad
+SHA512 (gnutls-3.6.2.tar.xz.sig) = a1fc8acd0b48d046eda505b774e5e1a85dce8c8b2122069e6d257a50436e989cfdbc68aa294d14f98e3fec1ade129e8bd9b67b1d02f93a7a3fde5f5acb4b70d3
+SHA512 (gnutls-3.6.2.tar.xz) = 6a574d355226bdff6198ab3f70633ff2a3cff4b5d06793bdaf19d007063bd4dd515d1bd3f331a9eb1a9ad01f83007801cfa55e5fd16c1cd3461ac33d1813fb06