diff --git a/SOURCES/ghmac-gnutls.patch b/SOURCES/ghmac-gnutls.patch
index 6ba3313..3ed717f 100644
--- a/SOURCES/ghmac-gnutls.patch
+++ b/SOURCES/ghmac-gnutls.patch
@@ -1,7 +1,7 @@
-From 440a178c5aad19050a3d5b5d76881931138af680 Mon Sep 17 00:00:00 2001
+From 7ab93b8205093b4d176e63947039981515af1932 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 7 Jun 2019 18:44:43 +0000
-Subject: [PATCH 1/2] ghmac: Split off wrapper functions into ghmac-utils.c
+Subject: [PATCH 1/3] ghmac: Split off wrapper functions into ghmac-utils.c
Prep for adding a GnuTLS HMAC implementation; these are just
utility functions that call the "core" API.
@@ -14,7 +14,7 @@ utility functions that call the "core" API.
create mode 100644 glib/ghmac-utils.c
diff --git a/glib/Makefile.am b/glib/Makefile.am
-index 8da549c7f..c367b09ad 100644
+index c0c3b92f0..43fa17051 100644
--- a/glib/Makefile.am
+++ b/glib/Makefile.am
@@ -126,6 +126,7 @@ libglib_2_0_la_SOURCES = \
@@ -297,7 +297,7 @@ index 9b58fd81c..7db38e34a 100644
- (const guchar *) str, length);
-}
diff --git a/glib/meson.build b/glib/meson.build
-index 9df77b6f9..c7f28b5b6 100644
+index c81e99f9c..306a67f13 100644
--- a/glib/meson.build
+++ b/glib/meson.build
@@ -138,6 +138,7 @@ glib_sources = files(
@@ -309,13 +309,12 @@ index 9df77b6f9..c7f28b5b6 100644
'ghostutils.c',
'giochannel.c',
--
-2.21.0
+2.31.1
-
-From 423355787ba9133b310c0b72708024b1428d7d14 Mon Sep 17 00:00:00 2001
+From 1cc432d6e9080621e1f2822a14589b258f1f813c Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 7 Jun 2019 19:36:54 +0000
-Subject: [PATCH 2/2] Add a gnutls backend for GHmac
+Subject: [PATCH 2/3] Add a gnutls backend for GHmac
For RHEL we want apps to use FIPS-certified crypto libraries,
and HMAC apparently counts as "keyed" and hence needs to
@@ -329,26 +328,53 @@ Most distributors ship glib-networking built with GnuTLS, and
most apps use glib-networking, so this isn't a net-new library
in most cases.
-However, a fun wrinkle is that the GnuTLS HMAC API doesn't expose
-the necessary bits to implement `g_hmac_copy()`; OpenSSL does.
-I chose to just make that abort for now since I didn't find
-apps using it.
+=======================================================================
+
+mcatanzaro note:
+
+I've updated Colin's original patch with several enhancements:
+
+Implement g_hmac_copy() using gnutls_hmac_copy(), which didn't exist
+when Colin developed this patch.
+
+Removed use of GSlice
+
+Better error checking in g_hmac_new(). It is possible for
+gnutls_hmac_init() to fail if running in FIPS mode and an MD5 digest is
+requested. In this case, we should return NULL rather than returning a
+broken GHmac with a NULL gnutls_hmac_hd_t. This was leading to a later
+null pointer dereference inside gnutls_hmac_update(). Applications are
+responsible for checking to ensure the return value of g_hmac_new() is
+not NULL since it is annotated as nullable. Added documentation to
+indicate this possibility.
+
+Properly handle length -1 in g_hmac_update(). This means we've been
+given a NUL-terminated string and should use strlen(). GnuTLS doesn't
+accept -1, so let's call strlen() ourselves.
+
+Crash the application with g_error() if gnutls_hmac() fails for any
+reason. This is necessary because g_hmac_update() is not fallible, so we
+have no way to indicate error. Crashing seems better than returning the
+wrong result later when g_hmac_get_string() or g_hmac_get_digest() is
+later called. (Those functions are also not fallible.) Fortunately, I
+don't think this error should actually be hit in practice.
+
+https://gitlab.gnome.org/GNOME/glib/-/merge_requests/903
---
- glib/Makefile.am | 9 ++-
- glib/gchecksum.c | 9 +--
- glib/gchecksumprivate.h | 32 +++++++++
- glib/ghmac-gnutls.c | 151 ++++++++++++++++++++++++++++++++++++++++
- glib/ghmac.c | 1 +
+ glib/Makefile.am | 8 +-
+ glib/gchecksum.c | 9 +-
+ glib/gchecksumprivate.h | 32 +++++++
+ glib/ghmac-gnutls.c | 182 ++++++++++++++++++++++++++++++++++++++++
+ glib/ghmac.c | 13 +++
glib/meson.build | 10 ++-
- glib/tests/hmac.c | 6 ++
meson.build | 7 ++
meson_options.txt | 5 ++
- 9 files changed, 221 insertions(+), 9 deletions(-)
+ 8 files changed, 258 insertions(+), 8 deletions(-)
create mode 100644 glib/gchecksumprivate.h
create mode 100644 glib/ghmac-gnutls.c
diff --git a/glib/Makefile.am b/glib/Makefile.am
-index c367b09ad..b0a721ad0 100644
+index 43fa17051..1175bbe40 100644
--- a/glib/Makefile.am
+++ b/glib/Makefile.am
@@ -125,7 +125,7 @@ libglib_2_0_la_SOURCES = \
@@ -360,7 +386,7 @@ index c367b09ad..b0a721ad0 100644
ghmac-utils.c \
ghook.c \
ghostutils.c \
-@@ -352,11 +352,14 @@ pcre_lib = pcre/libpcre.la
+@@ -352,11 +352,15 @@ pcre_lib = pcre/libpcre.la
pcre_inc =
endif
@@ -372,8 +398,8 @@ index c367b09ad..b0a721ad0 100644
libglib_2_0_la_LIBADD = libcharset/libcharset.la $(printf_la) @GIO@ @GSPAWN@ @PLATFORMDEP@ @ICONV_LIBS@ @G_LIBS_EXTRA@ $(pcre_lib) $(G_THREAD_LIBS_EXTRA) $(G_THREAD_LIBS_FOR_GTHREAD) $(LIBSYSTEMD_LIBS)
libglib_2_0_la_DEPENDENCIES = libcharset/libcharset.la $(printf_la) @GIO@ @GSPAWN@ @PLATFORMDEP@ $(glib_win32_res) $(glib_def)
--libglib_2_0_la_LDFLAGS = $(GLIB_LINK_FLAGS) \
-+libglib_2_0_la_LDFLAGS = $(GLIB_LINK_FLAGS) $(gnutls_libs) \
+ libglib_2_0_la_LDFLAGS = $(GLIB_LINK_FLAGS) \
++ $(gnutls_libs) \
$(glib_win32_res_ldflag) \
-version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) \
-export-dynamic $(no_undefined)
@@ -452,10 +478,10 @@ index 000000000..86c7a3b61
\ No newline at end of file
diff --git a/glib/ghmac-gnutls.c b/glib/ghmac-gnutls.c
new file mode 100644
-index 000000000..3b4dfb872
+index 000000000..522b9b302
--- /dev/null
+++ b/glib/ghmac-gnutls.c
-@@ -0,0 +1,160 @@
+@@ -0,0 +1,182 @@
+/* ghmac.h - data hashing functions
+ *
+ * Copyright (C) 2011 Collabora Ltd.
@@ -506,9 +532,11 @@ index 000000000..3b4dfb872
+ gsize key_len)
+{
+ gnutls_mac_algorithm_t algo;
-+ GHmac *hmac = g_slice_new0 (GHmac);
++ GHmac *hmac = g_new0 (GHmac, 1);
++ int ret;
++
+ hmac->ref_count = 1;
-+ hmac->digest_type = digest_type;
++ hmac->digest_type = digest_type;
+
+ switch (digest_type)
+ {
@@ -531,7 +559,15 @@ index 000000000..3b4dfb872
+ g_return_val_if_reached (NULL);
+ }
+
-+ gnutls_hmac_init (&hmac->hmac, algo, key, key_len);
++ ret = gnutls_hmac_init (&hmac->hmac, algo, key, key_len);
++ if (ret != 0)
++ {
++ /* There is no way to report an error here, but one possible cause of
++ * failure is that the requested digest may be disabled by FIPS mode.
++ */
++ g_free (hmac->hmac);
++ return NULL;
++ }
+
+ return hmac;
+}
@@ -543,11 +579,15 @@ index 000000000..3b4dfb872
+
+ g_return_val_if_fail (hmac != NULL, NULL);
+
-+ copy = g_slice_new0 (GHmac);
++ copy = g_new0 (GHmac, 1);
+ copy->ref_count = 1;
+ copy->digest_type = hmac->digest_type;
+ copy->hmac = gnutls_hmac_copy (hmac->hmac);
+
++ /* g_hmac_copy is not allowed to fail, so we'll have to crash on error. */
++ if (!copy->hmac)
++ g_error ("gnutls_hmac_copy failed");
++
+ return copy;
+}
+
@@ -570,7 +610,7 @@ index 000000000..3b4dfb872
+ {
+ gnutls_hmac_deinit (hmac->hmac, NULL);
+ g_free (hmac->digest_str);
-+ g_slice_free (GHmac, hmac);
++ g_free (hmac);
+ }
+}
+
@@ -580,10 +620,18 @@ index 000000000..3b4dfb872
+ const guchar *data,
+ gssize length)
+{
++ int ret;
++
+ g_return_if_fail (hmac != NULL);
+ g_return_if_fail (length == 0 || data != NULL);
+
-+ gnutls_hmac (hmac->hmac, data, length);
++ if (length == -1)
++ length = strlen ((const char *)data);
++
++ /* g_hmac_update is not allowed to fail, so we'll have to crash on error. */
++ ret = gnutls_hmac (hmac->hmac, data, length);
++ if (ret != 0)
++ g_error ("gnutls_hmac failed: %s", gnutls_strerror (ret));
+}
+
+const gchar *
@@ -617,7 +665,7 @@ index 000000000..3b4dfb872
+ *digest_len = g_checksum_type_get_length (hmac->digest_type);
+}
diff --git a/glib/ghmac.c b/glib/ghmac.c
-index 7db38e34a..b12eb07c4 100644
+index 7db38e34a..b03a5aea7 100644
--- a/glib/ghmac.c
+++ b/glib/ghmac.c
@@ -33,6 +33,7 @@
@@ -628,11 +676,38 @@ index 7db38e34a..b12eb07c4 100644
/**
* SECTION:hmac
+@@ -84,6 +85,18 @@ struct _GHmac
+ * Support for digests of type %G_CHECKSUM_SHA512 has been added in GLib 2.42.
+ * Support for %G_CHECKSUM_SHA384 was added in GLib 2.52.
+ *
++ * Note that #GHmac creation may fail, in which case this function will
++ * return %NULL. Since there is no error parameter, it is not possible
++ * to indicate why.
++ *
++ * In Fedora, CentOS Stream, and Red Hat Enterprise Linux, GLib is
++ * configured to use GnuTLS to implement #GHmac in order to support FIPS
++ * compliance. This introduces additional failure possibilities that are
++ * not present in upstream GLib. For example, the creation of a #GHmac
++ * will fail if @digest_type is %G_CHECKSUM_MD5 and the system is
++ * running in FIPS mode. #GHmac creation may also fail if GLib is unable
++ * to load GnuTLS.
++ *
+ * Returns: the newly created #GHmac, or %NULL.
+ * Use g_hmac_unref() to free the memory allocated by it.
+ *
diff --git a/glib/meson.build b/glib/meson.build
-index c7f28b5b6..a2f9da81c 100644
+index 306a67f13..07d41456d 100644
--- a/glib/meson.build
+++ b/glib/meson.build
-@@ -137,7 +137,6 @@ glib_sources = files(
+@@ -127,6 +127,7 @@ glib_sources = files(
+ 'gbytes.c',
+ 'gcharset.c',
+ 'gchecksum.c',
++ 'gchecksumprivate.h',
+ 'gconvert.c',
+ 'gdataset.c',
+ 'gdate.c',
+@@ -137,7 +138,6 @@ glib_sources = files(
'gfileutils.c',
'ggettext.c',
'ghash.c',
@@ -640,15 +715,7 @@ index c7f28b5b6..a2f9da81c 100644
'ghmac-utils.c',
'ghook.c',
'ghostutils.c',
-@@ -185,6 +184,7 @@ glib_sources = files(
- 'gunidecomp.c',
- 'gurifuncs.c',
- 'gutils.c',
-+ 'gchecksumprivate.h',
- 'guuid.c',
- 'gvariant.c',
- 'gvariant-core.c',
-@@ -222,6 +222,12 @@ else
+@@ -223,6 +223,12 @@ else
glib_dtrace_hdr = []
endif
@@ -661,17 +728,17 @@ index c7f28b5b6..a2f9da81c 100644
pcre_static_args = []
if use_pcre_static_flag
-@@ -238,7 +244,7 @@ libglib = library('glib-2.0',
+@@ -239,7 +245,7 @@ libglib = library('glib-2.0',
link_args : platform_ldflags + noseh_link_args,
include_directories : configinc,
link_with : [charset_lib, gnulib_lib],
- dependencies : [pcre, thread_dep, libintl, librt] + libiconv + platform_deps,
-+ dependencies : [pcre, thread_dep, libintl, librt] + libiconv + platform_deps + libgnutls_dep,
++ dependencies : [pcre, thread_dep, libintl, librt] + libgnutls_dep + libiconv + platform_deps,
c_args : ['-DG_LOG_DOMAIN="GLib"', '-DGLIB_COMPILATION'] + pcre_static_args + glib_hidden_visibility_args
)
diff --git a/meson.build b/meson.build
-index 0cefee51d..81b16b004 100644
+index 0cefee51d..eaf8d3900 100644
--- a/meson.build
+++ b/meson.build
@@ -1596,6 +1596,13 @@ if host_system == 'linux' and get_option('libmount')
@@ -705,5 +772,209 @@ index 4504c6858..d18c42a36 100644
type : 'boolean',
value : false,
--
-2.21.0
+2.31.1
+
+From 20e550351e9914e78a73b4ca0e9866f1a39dca51 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Wed, 16 Jun 2021 20:46:24 -0500
+Subject: [PATCH 3/3] Add test for GHmac in FIPS mode
+
+This will test a few problems that we hit recently:
+
+g_hmac_copy() is broken, https://bugzilla.redhat.com/show_bug.cgi?id=1786538
+
+Crash in g_hmac_update() in FIPS mode, https://bugzilla.redhat.com/show_bug.cgi?id=1971533
+
+Crash when passing -1 length to g_hmac_update() (discovered in #1971533)
+
+We'll also test to ensure MD5 fails, and stop compiling the other MD5
+tests.
+---
+ glib/tests/hmac.c | 139 +++++++++++-----------------------------------
+ 1 file changed, 32 insertions(+), 107 deletions(-)
+
+diff --git a/glib/tests/hmac.c b/glib/tests/hmac.c
+index 3ac3206df..31a1c77d3 100644
+--- a/glib/tests/hmac.c
++++ b/glib/tests/hmac.c
+@@ -1,87 +1,9 @@
++#include "config.h"
++
+ #include <glib.h>
+ #include <string.h>
+ #include <stdlib.h>
+
+-/* HMAC-MD5 test vectors as per RFC 2202 */
+-
+-/* Test 1 */
+-guint8 key_md5_test1[] = {
+- 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+- 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
+-guint8 result_md5_test1[] = {
+- 0x92, 0x94, 0x72, 0x7a, 0x36, 0x38, 0xbb, 0x1c, 0x13, 0xf4,
+- 0x8e, 0xf8, 0x15, 0x8b, 0xfc, 0x9d };
+-
+-/* Test 2 */
+-guint8 result_md5_test2[] = {
+- 0x75, 0x0c, 0x78, 0x3e, 0x6a, 0xb0, 0xb5, 0x03, 0xea, 0xa8,
+- 0x6e, 0x31, 0x0a, 0x5d, 0xb7, 0x38 };
+-
+-/* Test 3 */
+-guint8 key_md5_test3[] = {
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa };
+-guint8 data_md5_test3[] = {
+- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd };
+-guint8 result_md5_test3[] = {
+- 0x56, 0xbe, 0x34, 0x52, 0x1d, 0x14, 0x4c, 0x88, 0xdb, 0xb8,
+- 0xc7, 0x33, 0xf0, 0xe8, 0xb3, 0xf6 };
+-
+-/* Test 4 */
+-guint8 key_md5_test4[] = {
+- 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+- 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14,
+- 0x15, 0x16, 0x17, 0x18, 0x19 };
+-guint8 data_md5_test4[] = {
+- 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+- 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+- 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+- 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+- 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd };
+-guint8 result_md5_test4[] = {
+- 0x69, 0x7e, 0xaf, 0x0a, 0xca, 0x3a, 0x3a, 0xea, 0x3a, 0x75,
+- 0x16, 0x47, 0x46, 0xff, 0xaa, 0x79 };
+-
+-/* Test 5 */
+-guint8 key_md5_test5[] = {
+- 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+- 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c};
+-guint8 result_md5_test5[] = {
+- 0x56, 0x46, 0x1e, 0xf2, 0x34, 0x2e, 0xdc, 0x00, 0xf9, 0xba,
+- 0xb9, 0x95, 0x69, 0x0e, 0xfd, 0x4c };
+-
+-/* Test 6 */
+-guint8 key_md5_test6[] = {
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa };
+-guint8 result_md5_test6[] = {
+- 0x6b, 0x1a, 0xb7, 0xfe, 0x4b, 0xd7, 0xbf, 0x8f, 0x0b, 0x62,
+- 0xe6, 0xce, 0x61, 0xb9, 0xd0, 0xcd };
+-
+-/* Test 6 */
+-guint8 key_md5_test7[] = {
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa };
+-guint8 result_md5_test7[] = {
+- 0x6f, 0x63, 0x0f, 0xad, 0x67, 0xcd, 0xa0, 0xee, 0x1f, 0xb1,
+- 0xf5, 0x62, 0xdb, 0x3a, 0xa5, 0x3e };
+-
+ /* HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512 test vectors
+ * as per RFCs 2202 and 4868.
+ *
+@@ -299,25 +221,6 @@ typedef struct {
+ gconstpointer result;
+ } HmacCase;
+
+-HmacCase hmac_md5_tests[] = {
+- { G_CHECKSUM_MD5, key_md5_test1, 16, "Hi There", 8, result_md5_test1 },
+- { G_CHECKSUM_MD5, "Jefe", 4, "what do ya want for nothing?", 28,
+- result_md5_test2 },
+- { G_CHECKSUM_MD5, key_md5_test3, 16, data_md5_test3, 50,
+- result_md5_test3 },
+- { G_CHECKSUM_MD5, key_md5_test4, 25, data_md5_test4, 50,
+- result_md5_test4 },
+- { G_CHECKSUM_MD5, key_md5_test5, 16, "Test With Truncation", 20,
+- result_md5_test5 },
+- { G_CHECKSUM_MD5, key_md5_test6, 80,
+- "Test Using Larger Than Block-Size Key - Hash Key First", 54,
+- result_md5_test6 },
+- { G_CHECKSUM_MD5, key_md5_test7, 80,
+- "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data",
+- 73, result_md5_test7 },
+- { -1, NULL, 0, NULL, 0, NULL },
+-};
+-
+ HmacCase hmac_sha1_tests[] = {
+ { G_CHECKSUM_SHA1, key_sha_test1, 20, "Hi There", 8, result_sha1_test1 },
+ { G_CHECKSUM_SHA1, "Jefe", 4, "what do ya want for nothing?", 28,
+@@ -493,11 +396,40 @@ test_hmac_for_bytes (void)
+ g_bytes_unref (data);
+ }
+
++static void
++test_gnutls_fips_mode (void)
++{
++ GHmac *hmac;
++ GHmac *copy;
++
++ /* No MD5 in FIPS mode. */
++ hmac = g_hmac_new (G_CHECKSUM_MD5, "abc123", sizeof ("abc123"));
++ g_assert_null (hmac);
++
++ /* SHA-256 should be good. */
++ hmac = g_hmac_new (G_CHECKSUM_SHA256, "abc123", sizeof ("abc123"));
++ g_assert_nonnull (hmac);
++
++ /* Ensure g_hmac_update() does not crash when called with -1. */
++ g_hmac_update (hmac, "You win again, gravity!", -1);
++
++ /* Ensure g_hmac_copy() does not crash. */
++ copy = g_hmac_copy (hmac);
++ g_assert_nonnull (hmac);
++ g_hmac_unref (hmac);
++
++ g_assert_cmpstr (g_hmac_get_string (copy), ==, "795ba6900bcb22e8ce65c2ec02db4e85697da921deb960ee3143bf88a4a60f83");
++ g_hmac_unref (copy);
++}
++
+ int
+ main (int argc,
+ char **argv)
+ {
+ int i;
++
++ g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", FALSE);
++
+ g_test_init (&argc, &argv, NULL);
+
+ for (i = 0 ; hmac_sha1_tests[i].key_len > 0 ; i++)
+@@ -532,19 +464,12 @@ main (int argc,
+ g_free (name);
+ }
+
+- for (i = 0 ; hmac_md5_tests[i].key_len > 0 ; i++)
+- {
+- gchar *name = g_strdup_printf ("/hmac/md5-%d", i + 1);
+- g_test_add_data_func (name, hmac_md5_tests + i,
+- (void (*)(const void *)) test_hmac);
+- g_free (name);
+- }
+-
+ g_test_add_func ("/hmac/ref-unref", test_hmac_ref_unref);
+ g_test_add_func ("/hmac/copy", test_hmac_copy);
+ g_test_add_func ("/hmac/for-data", test_hmac_for_data);
+ g_test_add_func ("/hmac/for-string", test_hmac_for_string);
+ g_test_add_func ("/hmac/for-bytes", test_hmac_for_bytes);
++ g_test_add_func ("/hmac/gnutls-fips-mode", test_gnutls_fips_mode);
+
+ return g_test_run ();
+ }
+--
+2.31.1
diff --git a/SPECS/glib2.spec b/SPECS/glib2.spec
index 081ea1b..201dfdc 100644
--- a/SPECS/glib2.spec
+++ b/SPECS/glib2.spec
@@ -5,7 +5,7 @@
Name: glib2
Version: 2.56.4
-Release: 13%{?dist}
+Release: 14%{?dist}
Summary: A library of handy utility functions
License: LGPLv2+
@@ -300,6 +300,10 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
%{_datadir}/installed-tests
%changelog
+* Wed Jun 23 2021 Michael Catanzaro <mcatanzaro@redhat.com> - 2.56.4-14
+- Refresh GHmac patchset
+- Resolves: #1971533
+
* Thu May 20 2021 Michael Catanzaro <mcatanzaro@redhat.com> - 2.56.4-13
- Rename and consolidate existing patches for better maintainability
- Refresh CVE-2021-27219 patcheset, using better-targeted fixes