diff --git a/SOURCES/gnutls-3.7.6-fips-ccm-taglen.patch b/SOURCES/gnutls-3.7.6-fips-ccm-taglen.patch
new file mode 100644
index 0000000..2ec015b
--- /dev/null
+++ b/SOURCES/gnutls-3.7.6-fips-ccm-taglen.patch
@@ -0,0 +1,331 @@
+From 26b2caef673aba8bfd10db3b1b8117f941c18e58 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 21 Oct 2022 15:48:39 +0900
+Subject: [PATCH] cipher: add restriction on CCM tag length under FIPS mode
+
+This change prohibits any use of tag length other than 4, 6, 8, 10,
+12, 14, and 16 bytes in CCM used under FIPS mode, in accordance with
+SP800-38C A.1.  While use of tag lengths smaller than 8 bytes is not
+recommended, we simply allow 4 and 6 bytes tags for now.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/accelerated/aarch64/aes-ccm-aarch64.c | 39 ++++++++++
+ lib/accelerated/x86/aes-ccm-x86-aesni.c   | 39 ++++++++++
+ lib/nettle/cipher.c                       | 55 ++++++++++++++
+ tests/fips-test.c                         | 87 ++++++++++++++++++++++-
+ 4 files changed, 218 insertions(+), 2 deletions(-)
+
+diff --git a/lib/accelerated/aarch64/aes-ccm-aarch64.c b/lib/accelerated/aarch64/aes-ccm-aarch64.c
+index a2ba259e99..b415d4ddfb 100644
+--- a/lib/accelerated/aarch64/aes-ccm-aarch64.c
++++ b/lib/accelerated/aarch64/aes-ccm-aarch64.c
+@@ -36,6 +36,7 @@
+ #include <byteswap.h>
+ #include <nettle/ccm.h>
+ #include <aes-aarch64.h>
++#include <fips.h>
+ 
+ typedef struct ccm_aarch64_aes_ctx {
+ 	AES_KEY key;
+@@ -103,6 +104,25 @@ aes_ccm_aead_encrypt(void *_ctx,
+ 	if (unlikely(encr_size < plain_size + tag_size))
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
++	/* SP800-38C A.1 says Tlen must be a multiple of 16 between 32
++	 * and 128.
++	 */
++	switch (tag_size) {
++	case 4: case 6:
++		/* SP800-38C B.2 says Tlen smaller than 64 should not be used
++		 * under sufficient restriction. We simply allow those for now.
++		 */
++		FALLTHROUGH;
++	case 8: case 10: case 12: case 14: case 16:
++		break;
++	default:
++		if (_gnutls_fips_mode_enabled()) {
++			_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++		}
++		break;
++	}
++
+ 	ccm_encrypt_message(&ctx->key, aarch64_aes_encrypt,
+ 			    nonce_size, nonce,
+ 			    auth_size, auth,
+@@ -129,6 +149,25 @@ aes_ccm_aead_decrypt(void *_ctx,
+ 	if (unlikely(plain_size < encr_size - tag_size))
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
++	/* SP800-38C A.1 says Tlen must be a multiple of 16 between 32
++	 * and 128.
++	 */
++	switch (tag_size) {
++	case 4: case 6:
++		/* SP800-38C B.2 says Tlen smaller than 64 should not be used
++		 * under sufficient restriction. We simply allow those for now.
++		 */
++		FALLTHROUGH;
++	case 8: case 10: case 12: case 14: case 16:
++		break;
++	default:
++		if (_gnutls_fips_mode_enabled()) {
++			_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++		}
++		break;
++	}
++
+ 	ret = ccm_decrypt_message(&ctx->key, aarch64_aes_encrypt,
+ 				  nonce_size, nonce,
+ 				  auth_size, auth,
+diff --git a/lib/accelerated/x86/aes-ccm-x86-aesni.c b/lib/accelerated/x86/aes-ccm-x86-aesni.c
+index 701c0f992a..9ebbdd7b2a 100644
+--- a/lib/accelerated/x86/aes-ccm-x86-aesni.c
++++ b/lib/accelerated/x86/aes-ccm-x86-aesni.c
+@@ -37,6 +37,7 @@
+ #include <byteswap.h>
+ #include <nettle/ccm.h>
+ #include <aes-x86.h>
++#include <fips.h>
+ 
+ typedef struct ccm_x86_aes_ctx {
+ 	AES_KEY key;
+@@ -95,6 +96,25 @@ aes_ccm_aead_encrypt(void *_ctx,
+ 	if (unlikely(encr_size < plain_size + tag_size))
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
++	/* SP800-38C A.1 says Tlen must be a multiple of 16 between 32
++	 * and 128.
++	 */
++	switch (tag_size) {
++	case 4: case 6:
++		/* SP800-38C B.2 says Tlen smaller than 64 should not be used
++		 * under sufficient restriction. We simply allow those for now.
++		 */
++		FALLTHROUGH;
++	case 8: case 10: case 12: case 14: case 16:
++		break;
++	default:
++		if (_gnutls_fips_mode_enabled()) {
++			_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++		}
++		break;
++	}
++
+ 	ccm_encrypt_message(&ctx->key, x86_aes_encrypt,
+ 			    nonce_size, nonce,
+ 			    auth_size, auth,
+@@ -121,6 +141,25 @@ aes_ccm_aead_decrypt(void *_ctx,
+ 	if (unlikely(plain_size < encr_size - tag_size))
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
++	/* SP800-38C A.1 says Tlen must be a multiple of 16 between 32
++	 * and 128.
++	 */
++	switch (tag_size) {
++	case 4: case 6:
++		/* SP800-38C B.2 says Tlen smaller than 64 should not be used
++		 * under sufficient restriction. We simply allow those for now.
++		 */
++		FALLTHROUGH;
++	case 8: case 10: case 12: case 14: case 16:
++		break;
++	default:
++		if (_gnutls_fips_mode_enabled()) {
++			_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++		}
++		break;
++	}
++
+ 	ret = ccm_decrypt_message(&ctx->key, x86_aes_encrypt,
+ 				  nonce_size, nonce,
+ 				  auth_size, auth,
+diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c
+index 9c2ce19e7e..8c23d11252 100644
+--- a/lib/nettle/cipher.c
++++ b/lib/nettle/cipher.c
+@@ -1253,6 +1253,34 @@ wrap_nettle_cipher_aead_encrypt(void *_ctx,
+ 		ctx->cipher->tag(ctx->ctx_ptr, tag_size, ((uint8_t*)encr) + plain_size);
+ 	} else {
+ 		/* CCM-style cipher */
++
++		switch (ctx->cipher->algo) {
++		case GNUTLS_CIPHER_AES_128_CCM:
++		case GNUTLS_CIPHER_AES_256_CCM:
++			/* SP800-38C A.1 says Tlen must be a multiple of 16
++			 * between 32 and 128.
++			 */
++			switch (tag_size) {
++			case 4: case 6:
++				/* SP800-38C B.2 says Tlen smaller than 64
++				 * should not be used under sufficient
++				 * restriction. We simply allow those for now.
++				 */
++				FALLTHROUGH;
++			case 8: case 10: case 12: case 14: case 16:
++				break;
++			default:
++				if (_gnutls_fips_mode_enabled()) {
++					_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++					return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++				}
++				break;
++			}
++			break;
++		default:
++			break;
++		}
++
+ 		ctx->cipher->aead_encrypt(ctx,
+ 					  nonce_size, nonce,
+ 					  auth_size, auth,
+@@ -1302,6 +1330,33 @@ wrap_nettle_cipher_aead_decrypt(void *_ctx,
+ 		if (unlikely(plain_size < encr_size))
+ 			return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
++		switch (ctx->cipher->algo) {
++		case GNUTLS_CIPHER_AES_128_CCM:
++		case GNUTLS_CIPHER_AES_256_CCM:
++			/* SP800-38C A.1 says Tlen must be a multiple of 16
++			 * between 32 and 128.
++			 */
++			switch (tag_size) {
++			case 4: case 6:
++				/* SP800-38C B.2 says Tlen smaller than 64
++				 * should not be used under sufficient
++				 * restriction. We simply allow those for now.
++				 */
++				FALLTHROUGH;
++			case 8: case 10: case 12: case 14: case 16:
++				break;
++			default:
++				if (_gnutls_fips_mode_enabled()) {
++					_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++					return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++				}
++				break;
++			}
++			break;
++		default:
++			break;
++		}
++
+ 		ret = ctx->cipher->aead_decrypt(ctx,
+ 						nonce_size, nonce,
+ 						auth_size, auth,
+diff --git a/tests/fips-test.c b/tests/fips-test.c
+index f7556d7bbb..c43503fba0 100644
+--- a/tests/fips-test.c
++++ b/tests/fips-test.c
+@@ -1,4 +1,5 @@
+ #include <config.h>
++#include <stdbool.h>
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -213,14 +214,96 @@ test_cipher_disallowed(gnutls_cipher_algorithm_t cipher)
+ 	FIPS_POP_CONTEXT(ERROR);
+ }
+ 
++static void
++test_ccm_cipher(gnutls_cipher_algorithm_t cipher, size_t tag_length,
++		bool expect_encryption_fail,
++		gnutls_fips140_operation_state_t expected_state)
++{
++	int ret;
++	unsigned key_size = gnutls_cipher_get_key_size(cipher);
++	gnutls_aead_cipher_hd_t h;
++	gnutls_datum_t key = { key_data, key_size };
++	unsigned char buffer[256];
++	size_t length;
++	gnutls_memset(key_data, 0, key_size);
++
++	FIPS_PUSH_CONTEXT();
++	ret = gnutls_aead_cipher_init(&h, cipher, &key);
++	if (ret < 0) {
++		fail("gnutls_aead_cipher_init failed for %s\n",
++		     gnutls_cipher_get_name(cipher));
++	}
++	FIPS_POP_CONTEXT(APPROVED);
++
++	fips_push_context(fips_context);
++	memset(buffer, 0, sizeof(buffer));
++	length = sizeof(buffer);
++	ret = gnutls_aead_cipher_encrypt(h, iv_data,
++					 gnutls_cipher_get_iv_size(cipher),
++					 NULL, 0, tag_length,
++					 buffer, length - tag_length,
++					 buffer, &length);
++	if (expect_encryption_fail) {
++		if (ret != GNUTLS_E_INVALID_REQUEST) {
++			fail("gnutls_aead_cipher_encrypt(%s) returned %d "
++			     "while %d is expected\n",
++			     gnutls_cipher_get_name(cipher),
++			     ret, GNUTLS_E_INVALID_REQUEST);
++		}
++	} else if (ret < 0) {
++		fail("gnutls_aead_cipher_encrypt failed for %s\n",
++		     gnutls_cipher_get_name(cipher));
++	}
++	fips_pop_context(fips_context, expected_state);
++
++	fips_push_context(fips_context);
++	length = sizeof(buffer);
++	ret = gnutls_aead_cipher_decrypt(h, iv_data,
++					 gnutls_cipher_get_iv_size(cipher),
++					 NULL, 0, tag_length,
++					 buffer, length,
++					 buffer, &length);
++	if (expect_encryption_fail) {
++		if (ret != GNUTLS_E_INVALID_REQUEST) {
++			fail("gnutls_aead_cipher_decrypt(%s) returned %d "
++			     "while %d is expected\n",
++			     gnutls_cipher_get_name(cipher),
++			     ret, GNUTLS_E_INVALID_REQUEST);
++		}
++	} else if (ret < 0) {
++		fail("gnutls_aead_cipher_decrypt failed for %s\n",
++		     gnutls_cipher_get_name(cipher));
++	}
++	fips_pop_context(fips_context, expected_state);
++
++	gnutls_aead_cipher_deinit(h);
++}
++
+ static inline void
+ test_ciphers(void)
+ {
++	size_t i;
++
+ 	test_cipher_approved(GNUTLS_CIPHER_AES_128_CBC);
+ 	test_cipher_approved(GNUTLS_CIPHER_AES_192_CBC);
+ 	test_cipher_approved(GNUTLS_CIPHER_AES_256_CBC);
+-	test_aead_cipher_approved(GNUTLS_CIPHER_AES_128_CCM);
+-	test_aead_cipher_approved(GNUTLS_CIPHER_AES_256_CCM);
++
++	/* Check for all allowed Tlen */
++	for (i = 4; i <= 16; i += 2) {
++		test_ccm_cipher(GNUTLS_CIPHER_AES_128_CCM, i,
++				false, GNUTLS_FIPS140_OP_APPROVED);
++		test_ccm_cipher(GNUTLS_CIPHER_AES_256_CCM, i,
++				false, GNUTLS_FIPS140_OP_APPROVED);
++	}
++	test_ccm_cipher(GNUTLS_CIPHER_AES_128_CCM, 3,
++			true, GNUTLS_FIPS140_OP_ERROR);
++	test_ccm_cipher(GNUTLS_CIPHER_AES_256_CCM, 3,
++			true, GNUTLS_FIPS140_OP_ERROR);
++	test_ccm_cipher(GNUTLS_CIPHER_AES_128_CCM, 5,
++			true, GNUTLS_FIPS140_OP_ERROR);
++	test_ccm_cipher(GNUTLS_CIPHER_AES_256_CCM, 5,
++			true, GNUTLS_FIPS140_OP_ERROR);
++
+ 	test_aead_cipher_approved(GNUTLS_CIPHER_AES_128_CCM_8);
+ 	test_aead_cipher_approved(GNUTLS_CIPHER_AES_256_CCM_8);
+ 	test_cipher_approved(GNUTLS_CIPHER_AES_128_CFB8);
+-- 
+2.38.1
+
diff --git a/SOURCES/gnutls-3.7.6-fips-rsa-pss-saltlen.patch b/SOURCES/gnutls-3.7.6-fips-rsa-pss-saltlen.patch
new file mode 100644
index 0000000..a6af4d5
--- /dev/null
+++ b/SOURCES/gnutls-3.7.6-fips-rsa-pss-saltlen.patch
@@ -0,0 +1,163 @@
+From 3bd42dc88ff062bf9ede2b593e1ad1afa6f68f62 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 16 Nov 2022 23:02:13 +0900
+Subject: [PATCH] nettle: mark non-compliant RSA-PSS salt length to be
+ not-approved
+
+According to FIPS 186-5 5.4, the salt length must be in the range
+between 0 and the hash length inclusive.  While the use of those salt
+lengths is still allowed for compatibility, it is reported as
+non-approved operation through FIPS service indicator.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/pk.c     |  9 ++++++++
+ tests/rsa-rsa-pss.c | 54 ++++++++++++++++++++++++++++++++++++---------
+ 2 files changed, 53 insertions(+), 10 deletions(-)
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index c098e2aa45..7732e90542 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -1316,6 +1316,15 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 
+ 			mpz_init(s);
+ 
++			me = hash_to_entry(sign_params->rsa_pss_dig);
++
++			/* According to FIPS 186-5 5.4, the salt length must be
++			 * in the range between 0 and the hash length inclusive.
++			 */
++			if (sign_params->salt_size > _gnutls_mac_get_algo_len(me)) {
++				not_approved = true;
++			}
++
+ 			ret =
+ 			    _rsa_pss_sign_digest_tr(sign_params->rsa_pss_dig,
+ 						    &pub, &priv,
+diff --git a/tests/rsa-rsa-pss.c b/tests/rsa-rsa-pss.c
+index 19a175b722..d7799c1961 100644
+--- a/tests/rsa-rsa-pss.c
++++ b/tests/rsa-rsa-pss.c
+@@ -46,6 +46,8 @@ const gnutls_datum_t raw_data = {
+ 	11
+ };
+ 
++static gnutls_fips140_context_t fips_context;
++
+ static void inv_sign_check(unsigned sigalgo,
+ 			   gnutls_privkey_t privkey, int exp_error)
+ {
+@@ -86,13 +88,16 @@ static void inv_encryption_check(gnutls_pk_algorithm_t algorithm,
+ 
+ static void sign_verify_data(unsigned sigalgo, gnutls_privkey_t privkey,
+ 			     unsigned int sign_flags, unsigned int verify_flags,
+-			     int sign_exp_error, int verify_exp_error)
++			     int sign_exp_error, int verify_exp_error,
++			     gnutls_fips140_operation_state_t sign_exp_state)
+ {
+ 	int ret;
+ 	gnutls_datum_t signature = { NULL, 0 };
+ 
++	fips_push_context(fips_context);
+ 	ret = gnutls_privkey_sign_data2(privkey, sigalgo, sign_flags,
+ 					&raw_data, &signature);
++	fips_pop_context(fips_context, sign_exp_state);
+ 	if (ret != sign_exp_error)
+ 		fail("gnutls_x509_privkey_sign_data returned unexpected error: %s\n",
+ 		     gnutls_strerror(ret));
+@@ -180,11 +185,16 @@ void doit(void)
+ 	if (debug)
+ 		gnutls_global_set_log_level(4711);
+ 
++	assert(gnutls_fips140_context_init(&fips_context) >= 0);
++
+ 	prepare_keys(&pkey_rsa_pss, &pkey_rsa, GNUTLS_DIG_SHA256, 32);
+ 
+-	sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa_pss, 0, 0, 0, 0);
+-	sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa, 0, 0, 0, 0);
+-	sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa, 0, 0, 0, 0);
++	sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa_pss, 0, 0, 0, 0,
++			 GNUTLS_FIPS140_OP_APPROVED);
++	sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa, 0, 0, 0, 0,
++			 GNUTLS_FIPS140_OP_APPROVED);
++	sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa, 0, 0, 0, 0,
++			 GNUTLS_FIPS140_OP_APPROVED);
+ 
+ 	if (debug)
+ 		success("success signing with RSA-PSS-SHA256\n");
+@@ -213,41 +223,65 @@ void doit(void)
+ 	gnutls_privkey_deinit(pkey_rsa_pss);
+ 	gnutls_privkey_deinit(pkey_rsa);
+ 
++	/* Restrict key to use salt length larger than hash output
++	 * length (not approved in FIPS).
++	 */
++	prepare_keys(&pkey_rsa_pss, &pkey_rsa, GNUTLS_DIG_SHA256, 33);
++
++	sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa_pss, 0, 0, 0, 0,
++			 GNUTLS_FIPS140_OP_NOT_APPROVED);
++
++	gnutls_privkey_deinit(pkey_rsa_pss);
++	gnutls_privkey_deinit(pkey_rsa);
++
+ 	/* Use the mismatched salt length with the digest length */
+ 	prepare_keys(&pkey_rsa_pss, &pkey_rsa, GNUTLS_DIG_SHA256, 48);
+ 
+ 	sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa_pss,
+-			 0, 0, 0, 0);
++			 0, 0, 0, 0, GNUTLS_FIPS140_OP_NOT_APPROVED);
+ 	sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa_pss,
+ 			 GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH,
+ 			 0,
+ 			 GNUTLS_E_CONSTRAINT_ERROR,
+-			 0);
++			 0,
++			 /* The error is caught before calling the actual
++			  * signing operation.
++			  */
++			 GNUTLS_FIPS140_OP_INITIAL);
+ 	sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa_pss,
+ 			 0,
+ 			 GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH,
+ 			 0,
+-			 GNUTLS_E_PK_SIG_VERIFY_FAILED);
++			 GNUTLS_E_PK_SIG_VERIFY_FAILED,
++			 GNUTLS_FIPS140_OP_NOT_APPROVED);
+ 
+ 	assert(gnutls_x509_spki_init(&spki)>=0);
+ 	gnutls_x509_spki_set_rsa_pss_params(spki, GNUTLS_DIG_SHA256, 48);
+ 	assert(gnutls_privkey_set_spki(pkey_rsa, spki, 0)>=0);
+ 
+-	sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa, 0, 0, 0, 0);
++	sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa, 0, 0, 0, 0,
++			 GNUTLS_FIPS140_OP_NOT_APPROVED);
+ 	sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa,
+ 			 GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH,
+ 			 0,
+ 			 GNUTLS_E_CONSTRAINT_ERROR,
+-			 0);
++			 0,
++			 /* The error is caught before calling the actual
++			  * signing operation.
++			  */
++			 GNUTLS_FIPS140_OP_INITIAL);
+ 	sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa,
+ 			 0,
+ 			 GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH,
+ 			 0,
+-			 GNUTLS_E_PK_SIG_VERIFY_FAILED);
++			 GNUTLS_E_PK_SIG_VERIFY_FAILED,
++			 GNUTLS_FIPS140_OP_NOT_APPROVED);
+ 
+ 	gnutls_privkey_deinit(pkey_rsa_pss);
+ 	gnutls_privkey_deinit(pkey_rsa);
+ 	gnutls_x509_spki_deinit(spki);
+ 
++	gnutls_fips140_context_deinit(fips_context);
++
+ 	gnutls_global_deinit();
+ }
+-- 
+2.38.1
+
diff --git a/SOURCES/gnutls-3.7.6-fips-service-indicator-test-functions.patch b/SOURCES/gnutls-3.7.6-fips-service-indicator-test-functions.patch
new file mode 100644
index 0000000..99bd913
--- /dev/null
+++ b/SOURCES/gnutls-3.7.6-fips-service-indicator-test-functions.patch
@@ -0,0 +1,407 @@
+From e8b35d31817d207d8b4b87ccf104d3b93aa446e0 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 17 Oct 2022 11:11:43 +0900
+Subject: [PATCH] tests: move FIPS service indicator functions to common file
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ tests/dh-compute.c     | 36 +++++---------------------
+ tests/fips-rsa-sizes.c | 24 -----------------
+ tests/fips-test.c      | 27 +++-----------------
+ tests/kdf-api.c        | 27 +-------------------
+ tests/pkcs12_encode.c  | 24 -----------------
+ tests/privkey-keygen.c | 24 -----------------
+ tests/utils.h          | 58 ++++++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 69 insertions(+), 151 deletions(-)
+
+diff --git a/tests/dh-compute.c b/tests/dh-compute.c
+index 828fb05e9c..6c1d5328f6 100644
+--- a/tests/dh-compute.c
++++ b/tests/dh-compute.c
+@@ -156,34 +156,10 @@ void doit(void)
+ 		{ NULL }
+ 	};
+ 
+-#define FIPS_PUSH_CONTEXT() do {					\
+-	if (gnutls_fips140_mode_enabled()) {				\
+-		ret = gnutls_fips140_push_context(fips_context);	\
+-		if (ret < 0) {						\
+-			fail("gnutls_fips140_push_context failed\n");	\
+-		}							\
+-	}								\
+-} while (0)
+-
+-#define FIPS_POP_CONTEXT(state) do {					\
+-	if (gnutls_fips140_mode_enabled()) {				\
+-		ret = gnutls_fips140_pop_context();			\
+-		if (ret < 0) {						\
+-			fail("gnutls_fips140_context_pop failed\n");	\
+-		}							\
+-		fips_state = gnutls_fips140_get_operation_state(fips_context); \
+-		if (fips_state != state) {				\
+-			fail("operation state is not %d (%d)\n",	\
+-			     state, fips_state);			\
+-		}							\
+-	}								\
+-} while (0)
+-
+ 	for (int i = 0; test_data[i].name != NULL; i++) {
+ 		gnutls_datum_t priv_key, pub_key;
+ 		gnutls_dh_params_t dh_params;
+ 		gnutls_fips140_context_t fips_context;
+-		gnutls_fips140_operation_state_t fips_state;
+ 		int ret;
+ 
+ 		if (gnutls_fips140_mode_enabled()) {
+@@ -193,24 +169,24 @@ void doit(void)
+ 			}
+ 		}
+ 
+-		FIPS_PUSH_CONTEXT();
++		fips_push_context(fips_context);
+ 		params(&dh_params, &test_data[i].prime, &test_data[i].q,
+ 		       &test_data[i].generator);
+-		FIPS_POP_CONTEXT(GNUTLS_FIPS140_OP_INITIAL);
++		fips_pop_context(fips_context, GNUTLS_FIPS140_OP_INITIAL);
+ 
+ 		success("%s genkey\n", test_data[i].name);
+ 
+-		FIPS_PUSH_CONTEXT();
++		fips_push_context(fips_context);
+ 		genkey(dh_params, &priv_key, &pub_key);
+-		FIPS_POP_CONTEXT(test_data[i].fips_state_genkey);
++		fips_pop_context(fips_context, test_data[i].fips_state_genkey);
+ 
+ 		success("%s compute_key\n", test_data[i].name);
+ 		
+-		FIPS_PUSH_CONTEXT();
++		fips_push_context(fips_context);
+ 		compute_key(test_data[i].name, dh_params, &priv_key,
+ 			    &pub_key, &test_data[i].peer_key,
+ 			    test_data[i].expected_error, NULL, 0);
+-		FIPS_POP_CONTEXT(test_data[i].fips_state_compute_key);
++		fips_pop_context(fips_context, test_data[i].fips_state_compute_key);
+ 
+ 		gnutls_dh_params_deinit(dh_params);
+ 		gnutls_free(priv_key.data);
+diff --git a/tests/fips-rsa-sizes.c b/tests/fips-rsa-sizes.c
+index 84b9affabb..5feb284503 100644
+--- a/tests/fips-rsa-sizes.c
++++ b/tests/fips-rsa-sizes.c
+@@ -27,25 +27,6 @@
+ #include <gnutls/abstract.h>
+ #include <gnutls/x509.h>
+ 
+-#define FIPS_PUSH_CONTEXT() do {				\
+-	ret = gnutls_fips140_push_context(fips_context);	\
+-	if (ret < 0) {						\
+-		fail("gnutls_fips140_push_context failed\n");	\
+-	}							\
+-} while (0)
+-
+-#define FIPS_POP_CONTEXT(state) do {					\
+-	ret = gnutls_fips140_pop_context();				\
+-	if (ret < 0) {							\
+-		fail("gnutls_fips140_context_pop failed\n");		\
+-	}								\
+-	fips_state = gnutls_fips140_get_operation_state(fips_context);	\
+-	if (fips_state != GNUTLS_FIPS140_OP_ ## state) {		\
+-		fail("operation state is not " # state " (%d)\n",	\
+-		     fips_state);					\
+-	}								\
+-} while (0)
+-
+ 
+ void generate_successfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey,
+                            unsigned int size);
+@@ -63,7 +44,6 @@ void generate_successfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey,
+ 	int ret;
+ 	gnutls_x509_privkey_t xprivkey;
+ 	gnutls_fips140_context_t fips_context;
+-	gnutls_fips140_operation_state_t fips_state;
+ 	assert(gnutls_fips140_context_init(&fips_context) == 0);
+ 
+ 	fprintf(stderr, "%d-bit\n", size);
+@@ -102,7 +82,6 @@ void generate_unsuccessfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey,
+ 	int ret;
+ 	gnutls_x509_privkey_t xprivkey;
+ 	gnutls_fips140_context_t fips_context;
+-	gnutls_fips140_operation_state_t fips_state;
+ 	assert(gnutls_fips140_context_init(&fips_context) == 0);
+ 
+ 	fprintf(stderr, "%d-bit\n", size);
+@@ -156,7 +135,6 @@ void generate_unsuccessfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey,
+ void sign_verify_successfully(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey) {
+ 	int ret;
+ 	gnutls_fips140_context_t fips_context;
+-	gnutls_fips140_operation_state_t fips_state;
+ 
+ 	gnutls_datum_t signature;
+ 	gnutls_datum_t plaintext = {
+@@ -190,7 +168,6 @@ void sign_verify_unsuccessfully(gnutls_privkey_t privkey,
+                                 gnutls_pubkey_t pubkey) {
+ 	int ret;
+ 	gnutls_fips140_context_t fips_context;
+-	gnutls_fips140_operation_state_t fips_state;
+ 
+ 	gnutls_datum_t signature;
+ 	gnutls_datum_t plaintext = {
+@@ -225,7 +202,6 @@ void sign_verify_unsuccessfully(gnutls_privkey_t privkey,
+ void nosign_verify(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey) {
+ 	int ret;
+ 	gnutls_fips140_context_t fips_context;
+-	gnutls_fips140_operation_state_t fips_state;
+ 
+ 	gnutls_datum_t signature;
+ 	gnutls_datum_t plaintext = {
+diff --git a/tests/fips-test.c b/tests/fips-test.c
+index f789afb107..b0bae4ef9f 100644
+--- a/tests/fips-test.c
++++ b/tests/fips-test.c
+@@ -12,25 +12,6 @@
+ /* This does check the FIPS140 support.
+  */
+ 
+-#define FIPS_PUSH_CONTEXT() do {				\
+-	ret = gnutls_fips140_push_context(fips_context);	\
+-	if (ret < 0) {						\
+-		fail("gnutls_fips140_push_context failed\n");	\
+-	}							\
+-} while (0)
+-
+-#define FIPS_POP_CONTEXT(state) do {					\
+-	ret = gnutls_fips140_pop_context();				\
+-	if (ret < 0) {							\
+-		fail("gnutls_fips140_context_pop failed\n");		\
+-	}								\
+-	fips_state = gnutls_fips140_get_operation_state(fips_context);	\
+-	if (fips_state != GNUTLS_FIPS140_OP_ ## state) {		\
+-		fail("operation state is not " # state " (%d)\n",	\
+-		     fips_state);					\
+-	}								\
+-} while (0)
+-
+ void _gnutls_lib_simulate_error(void);
+ 
+ static void tls_log_func(int level, const char *str)
+@@ -40,10 +21,9 @@ static void tls_log_func(int level, const char *str)
+ 
+ static uint8_t key16[16];
+ static uint8_t iv16[16];
+-uint8_t key_data[64];
+-uint8_t iv_data[16];
+-gnutls_fips140_context_t fips_context;
+-gnutls_fips140_operation_state_t fips_state;
++static uint8_t key_data[64];
++static uint8_t iv_data[16];
++static gnutls_fips140_context_t fips_context;
+ 
+ static const gnutls_datum_t data = { .data = (unsigned char *)"foo", 3 };
+ static const uint8_t rsa2342_sha1_sig_data[] = {
+@@ -276,6 +256,7 @@ test_ciphers(void)
+ void doit(void)
+ {
+ 	int ret;
++	gnutls_fips140_operation_state_t fips_state;
+ 	unsigned int mode;
+ 	gnutls_cipher_hd_t ch;
+ 	gnutls_hmac_hd_t mh;
+diff --git a/tests/kdf-api.c b/tests/kdf-api.c
+index 9724502005..a28ce82a62 100644
+--- a/tests/kdf-api.c
++++ b/tests/kdf-api.c
+@@ -33,30 +33,7 @@
+ #define MAX_BUF 1024
+ 
+ static gnutls_fips140_context_t fips_context;
+-static gnutls_fips140_operation_state_t fips_state;
+-
+-#define FIPS_PUSH_CONTEXT() do {					\
+-	if (gnutls_fips140_mode_enabled()) {				\
+-		ret = gnutls_fips140_push_context(fips_context);	\
+-		if (ret < 0) {						\
+-			fail("gnutls_fips140_push_context failed\n");	\
+-		}							\
+-	}								\
+-} while (0)
+-
+-#define FIPS_POP_CONTEXT(state) do {					\
+-	if (gnutls_fips140_mode_enabled()) {				\
+-		ret = gnutls_fips140_pop_context();			\
+-		if (ret < 0) {						\
+-			fail("gnutls_fips140_context_pop failed\n");	\
+-		}							\
+-		fips_state = gnutls_fips140_get_operation_state(fips_context); \
+-		if (fips_state != GNUTLS_FIPS140_OP_ ## state) {	\
+-			fail("operation state is not " # state " (%d)\n", \
+-			     fips_state);				\
+-		}							\
+-	}								\
+-} while (0)
++
+ 
+ static void
+ test_hkdf(gnutls_mac_algorithm_t mac,
+@@ -74,7 +51,6 @@ test_hkdf(gnutls_mac_algorithm_t mac,
+ 	gnutls_datum_t prk;
+ 	gnutls_datum_t okm;
+ 	uint8_t buf[MAX_BUF];
+-	int ret;
+ 
+ 	success("HKDF test with %s\n", gnutls_mac_get_name(mac));
+ 
+@@ -144,7 +120,6 @@ test_pbkdf2(gnutls_mac_algorithm_t mac,
+ 	gnutls_datum_t salt;
+ 	gnutls_datum_t okm;
+ 	uint8_t buf[MAX_BUF];
+-	int ret;
+ 
+ 	success("PBKDF2 test with %s\n", gnutls_mac_get_name(mac));
+ 
+diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
+index ea39f3d69e..dc55daccde 100644
+--- a/tests/pkcs12_encode.c
++++ b/tests/pkcs12_encode.c
+@@ -70,29 +70,6 @@ static void tls_log_func(int level, const char *str)
+ 	fprintf(stderr, "|<%d>| %s", level, str);
+ }
+ 
+-#define FIPS_PUSH_CONTEXT() do {					\
+-	if (gnutls_fips140_mode_enabled()) {				\
+-		ret = gnutls_fips140_push_context(fips_context);	\
+-		if (ret < 0) {						\
+-			fail("gnutls_fips140_push_context failed\n");	\
+-		}							\
+-	}								\
+-} while (0)
+-
+-#define FIPS_POP_CONTEXT(state) do {					\
+-	if (gnutls_fips140_mode_enabled()) {				\
+-		ret = gnutls_fips140_pop_context();			\
+-		if (ret < 0) {						\
+-			fail("gnutls_fips140_context_pop failed\n");	\
+-		}							\
+-		fips_state = gnutls_fips140_get_operation_state(fips_context); \
+-		if (fips_state != GNUTLS_FIPS140_OP_ ## state) {	\
+-			fail("operation state is not " # state " (%d)\n", \
+-			     fips_state);				\
+-		}							\
+-	}								\
+-} while (0)
+-
+ void doit(void)
+ {
+ 	gnutls_pkcs12_t pkcs12;
+@@ -106,7 +83,6 @@ void doit(void)
+ 	size_t size;
+ 	unsigned i;
+ 	gnutls_fips140_context_t fips_context;
+-	gnutls_fips140_operation_state_t fips_state;
+ 	size_t n_tests = 0;
+ 	struct tests {
+ 		const char *name;
+diff --git a/tests/privkey-keygen.c b/tests/privkey-keygen.c
+index 2766afee08..2531906d71 100644
+--- a/tests/privkey-keygen.c
++++ b/tests/privkey-keygen.c
+@@ -119,30 +119,6 @@ void doit(void)
+ 	gnutls_x509_privkey_t pkey, dst;
+ 	int ret, algorithm, i;
+ 	gnutls_fips140_context_t fips_context;
+-	gnutls_fips140_operation_state_t fips_state;
+-
+-#define FIPS_PUSH_CONTEXT() do {					\
+-	if (gnutls_fips140_mode_enabled()) {				\
+-		ret = gnutls_fips140_push_context(fips_context);	\
+-		if (ret < 0) {						\
+-			fail("gnutls_fips140_push_context failed\n");	\
+-		}							\
+-	}								\
+-} while (0)
+-
+-#define FIPS_POP_CONTEXT(state) do {					\
+-	if (gnutls_fips140_mode_enabled()) {				\
+-		ret = gnutls_fips140_pop_context();			\
+-		if (ret < 0) {						\
+-			fail("gnutls_fips140_context_pop failed\n");	\
+-		}							\
+-		fips_state = gnutls_fips140_get_operation_state(fips_context); \
+-		if (fips_state != GNUTLS_FIPS140_OP_ ## state) {	\
+-			fail("operation state is not " # state " (%d)\n", \
+-			     fips_state);				\
+-		}							\
+-	}								\
+-} while (0)
+ 
+ 	ret = global_init();
+ 	if (ret < 0)
+diff --git a/tests/utils.h b/tests/utils.h
+index d3a2ba8d16..4433a07057 100644
+--- a/tests/utils.h
++++ b/tests/utils.h
+@@ -210,4 +210,62 @@ inline static unsigned int get_dtls_retransmit_timeout(void) {
+ 	return (unsigned int) ul;
+ }
+ 
++static inline const char *
++fips_operation_state_to_string(gnutls_fips140_operation_state_t state)
++{
++	switch (state) {
++	case GNUTLS_FIPS140_OP_INITIAL:
++		return "INITIAL";
++	case GNUTLS_FIPS140_OP_APPROVED:
++		return "APPROVED";
++	case GNUTLS_FIPS140_OP_NOT_APPROVED:
++		return "NOT_APPROVED";
++	case GNUTLS_FIPS140_OP_ERROR:
++		return "ERROR";
++	default:
++		/*NOTREACHED*/
++		assert(0);
++		return NULL;
++	}
++}
++
++static inline void
++fips_push_context(gnutls_fips140_context_t context)
++{
++	if (gnutls_fips140_mode_enabled()) {
++		int ret;
++
++		ret = gnutls_fips140_push_context(context);
++		if (ret < 0) {
++			fail("gnutls_fips140_push_context failed\n");
++		}
++	}
++}
++
++static inline void
++fips_pop_context(gnutls_fips140_context_t context,
++		 gnutls_fips140_operation_state_t expected_state)
++{
++	gnutls_fips140_operation_state_t state;
++
++	if (gnutls_fips140_mode_enabled()) {
++		int ret;
++
++		ret = gnutls_fips140_pop_context();
++		if (ret < 0) {
++			fail("gnutls_fips140_context_pop failed\n");
++		}
++		state = gnutls_fips140_get_operation_state(context);
++		if (state != expected_state) {
++			fail("operation state is not %s (%s)\n",
++			     fips_operation_state_to_string(expected_state),
++			     fips_operation_state_to_string(state));
++		}
++	}
++}
++
++/* To use those convenient macros, define fips_context variable. */
++#define FIPS_PUSH_CONTEXT() fips_push_context(fips_context)
++#define FIPS_POP_CONTEXT(state) fips_pop_context(fips_context, GNUTLS_FIPS140_OP_ ## state)
++
+ #endif /* GNUTLS_TESTS_UTILS_H */
+-- 
+2.38.1
+
diff --git a/SOURCES/gnutls-3.7.6-gmp-static.patch b/SOURCES/gnutls-3.7.6-gmp-static.patch
index 6d4bba4..df74247 100644
--- a/SOURCES/gnutls-3.7.6-gmp-static.patch
+++ b/SOURCES/gnutls-3.7.6-gmp-static.patch
@@ -1,4 +1,3 @@
-From 88808f0b8906bdc32579c144a2c44401ee97798a Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Fri, 19 Aug 2022 12:32:27 +0900
 Subject: [PATCH] build: allow GMP to be statically linked
@@ -17,17 +16,10 @@ and libhogweed in Nettle is also linked to the static library of GMP.
 
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 ---
- configure.ac   | 14 +++++++++++++-
- lib/fips.c     | 10 ++++++++++
- lib/fipshmac.c |  5 ++++-
- lib/global.c   |  2 ++
- 4 files changed, 29 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 96894b0be3..e4cf5eab81 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -742,6 +742,8 @@ AC_CHECK_FUNCS(nettle_cmac_kuznyechik_update)
+diff --color -ruNp a/configure.ac b/configure.ac
+--- a/configure.ac	2022-12-15 11:06:16.782726043 +0100
++++ b/configure.ac	2022-12-15 11:08:35.603451427 +0100
+@@ -744,6 +744,8 @@ AC_CHECK_FUNCS(nettle_cmac_kuznyechik_up
  LIBS=$save_LIBS
  
  # Check sonames of the linked libraries needed for FIPS selftests.
@@ -36,7 +28,7 @@ index 96894b0be3..e4cf5eab81 100644
  save_LIBS=$LIBS
  LIBS="$LIBS $GMP_LIBS"
  AC_MSG_CHECKING([gmp soname])
-@@ -755,9 +757,14 @@ if test -z "$gmp_so"; then
+@@ -757,9 +759,14 @@ if test -z "$gmp_so"; then
  	gmp_so=none
  fi
  AC_MSG_RESULT($gmp_so)
@@ -52,7 +44,7 @@ index 96894b0be3..e4cf5eab81 100644
  save_LIBS=$LIBS
  LIBS="$LIBS $NETTLE_LIBS"
  AC_MSG_CHECKING([nettle soname])
-@@ -773,7 +780,11 @@ fi
+@@ -775,7 +782,11 @@ fi
  AC_MSG_RESULT($nettle_so)
  AC_DEFINE_UNQUOTED([NETTLE_LIBRARY_SONAME], ["$nettle_so"], [The soname of nettle library])
  LIBS=$save_LIBS
@@ -64,7 +56,7 @@ index 96894b0be3..e4cf5eab81 100644
  save_LIBS=$LIBS
  LIBS="$LIBS $HOGWEED_LIBS"
  AC_MSG_CHECKING([hogweed soname])
-@@ -789,6 +800,7 @@ fi
+@@ -791,6 +802,7 @@ fi
  AC_MSG_RESULT($hogweed_so)
  AC_DEFINE_UNQUOTED([HOGWEED_LIBRARY_SONAME], ["$hogweed_so"], [The soname of hogweed library])
  LIBS=$save_LIBS
@@ -72,33 +64,42 @@ index 96894b0be3..e4cf5eab81 100644
  
  gnutls_so=libgnutls.so.`expr "$LT_CURRENT" - "$LT_AGE"`
  AC_DEFINE_UNQUOTED([GNUTLS_LIBRARY_SONAME], ["$gnutls_so"], [The soname of gnutls library])
-diff --git a/lib/fips.c b/lib/fips.c
-index 54eb4a37d4..42124ecf4e 100644
---- a/lib/fips.c
-+++ b/lib/fips.c
-@@ -149,7 +149,11 @@ void _gnutls_fips_mode_reset_zombie(void)
+diff --color -ruNp a/lib/fips.c b/lib/fips.c
+--- a/lib/fips.c	2022-12-15 11:06:16.868727731 +0100
++++ b/lib/fips.c	2022-12-15 11:12:42.744303409 +0100
+@@ -155,7 +155,11 @@ void _gnutls_fips_mode_reset_zombie(void
  #define GNUTLS_LIBRARY_NAME GNUTLS_LIBRARY_SONAME
  #define NETTLE_LIBRARY_NAME NETTLE_LIBRARY_SONAME
  #define HOGWEED_LIBRARY_NAME HOGWEED_LIBRARY_SONAME
 +
-+/* GMP can be statically linked. */
++/* GMP can be statically linked */
 +#ifdef GMP_LIBRARY_SONAME
  #define GMP_LIBRARY_NAME GMP_LIBRARY_SONAME
 +#endif
  
  #define HMAC_SIZE 32
  #define HMAC_ALGO GNUTLS_MAC_SHA256
-@@ -168,7 +172,9 @@ typedef struct
+@@ -173,7 +177,9 @@ struct hmac_file
  	struct hmac_entry gnutls;
  	struct hmac_entry nettle;
  	struct hmac_entry hogweed;
 +#ifdef GMP_LIBRARY_SONAME
  	struct hmac_entry gmp;
 +#endif
- } hmac_file;
+ };
+ 
+ struct lib_paths
+@@ -181,7 +187,9 @@ struct lib_paths
+ 	char gnutls[GNUTLS_PATH_MAX];
+ 	char nettle[GNUTLS_PATH_MAX];
+ 	char hogweed[GNUTLS_PATH_MAX];
++#ifdef GMP_LIBRARY_SONAME
+ 	char gmp[GNUTLS_PATH_MAX];
++#endif
+ };
  
- static int get_library_path(const char* lib, const char* symbol, char* path, size_t path_size)
-@@ -259,8 +265,10 @@ static int handler(void *user, const char *section, const char *name, const char
+ /*
+@@ -245,8 +253,10 @@ static int handler(void *user, const cha
  		return lib_handler(&p->nettle, section, name, value);
  	} else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) {
  		return lib_handler(&p->hogweed, section, name, value);
@@ -109,42 +110,60 @@ index 54eb4a37d4..42124ecf4e 100644
  	} else {
  		return 0;
  	}
-@@ -408,9 +416,11 @@ static int check_binary_integrity(void)
- 	ret = check_lib_hmac(&file.hogweed, HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u");
+@@ -389,8 +399,10 @@ static int callback(struct dl_phdr_info
+ 		_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
+ 	else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+ 		_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
++#ifdef GMP_LIBRARY_SONAME
+ 	else if (!strcmp(soname, GMP_LIBRARY_SONAME))
+ 		_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
++#endif
+ 	return 0;
+ }
+ 
+@@ -411,10 +423,12 @@ static int load_lib_paths(struct lib_pat
+ 		_gnutls_debug_log("Hogweed library path was not found\n");
+ 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+ 	}
++#ifdef GMP_LIBRARY_SONAME
+ 	if (paths->gmp[0] == '\0') {
+ 		_gnutls_debug_log("Gmp library path was not found\n");
+ 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+ 	}
++#endif
+ 
+ 	return GNUTLS_E_SUCCESS;
+ }
+@@ -467,9 +481,11 @@ static int check_binary_integrity(void)
+ 	ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
  	if (ret < 0)
  		return ret;
 +#ifdef GMP_LIBRARY_SONAME
- 	ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init");
+ 	ret = check_lib_hmac(&hmac.gmp, paths.gmp);
  	if (ret < 0)
  		return ret;
 +#endif
  
  	return 0;
  }
-diff --git a/lib/fipshmac.c b/lib/fipshmac.c
-index b091572bdf..363077f3e2 100644
---- a/lib/fipshmac.c
-+++ b/lib/fipshmac.c
-@@ -159,10 +159,13 @@ int main(int argc, char **argv)
- 	ret = print_lib_dl(HOGWEED_LIBRARY_SONAME, "nettle_mpz_sizeinbase_256_u");
- 	if (ret < 0)
- 		return EXIT_FAILURE;
--	
-+
-+	/* GMP can be statically linked. */
+diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c
+--- a/lib/fipshmac.c	2022-12-15 11:06:16.785726102 +0100
++++ b/lib/fipshmac.c	2022-12-15 11:13:34.533320156 +0100
+@@ -107,8 +107,10 @@ static int callback(struct dl_phdr_info
+ 		return print_lib(path, soname);
+ 	if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+ 		return print_lib(path, soname);
 +#ifdef GMP_LIBRARY_SONAME
- 	ret = print_lib_dl(GMP_LIBRARY_SONAME, "__gmpz_init");
- 	if (ret < 0)
- 		return EXIT_FAILURE;
+ 	if (!strcmp(soname, GMP_LIBRARY_SONAME))
+ 		return print_lib(path, soname);
 +#endif
- 
- 	return EXIT_SUCCESS;
+         return 0;
  }
-diff --git a/lib/global.c b/lib/global.c
-index 1b372c15bd..9f3c7b22bd 100644
---- a/lib/global.c
-+++ b/lib/global.c
-@@ -548,7 +548,9 @@ static const struct gnutls_library_config_st _gnutls_library_config[] = {
+ 
+diff --color -ruNp a/lib/global.c b/lib/global.c
+--- a/lib/global.c	2022-12-15 11:06:16.061711888 +0100
++++ b/lib/global.c	2022-12-15 11:08:35.604451446 +0100
+@@ -540,7 +540,9 @@ static const struct gnutls_library_confi
  	{ "libgnutls-soname", GNUTLS_LIBRARY_SONAME },
  	{ "libnettle-soname", NETTLE_LIBRARY_SONAME },
  	{ "libhogweed-soname", HOGWEED_LIBRARY_SONAME },
@@ -154,6 +173,3 @@ index 1b372c15bd..9f3c7b22bd 100644
  	{ "hardware-features", HW_FEATURES },
  	{ "tls-features", TLS_FEATURES },
  	{ NULL, NULL }
--- 
-2.37.1
-
diff --git a/SOURCES/gnutls-3.7.8-fips-pct-dh.patch b/SOURCES/gnutls-3.7.8-fips-pct-dh.patch
new file mode 100644
index 0000000..c38132e
--- /dev/null
+++ b/SOURCES/gnutls-3.7.8-fips-pct-dh.patch
@@ -0,0 +1,58 @@
+From 51b721b69fd08ef1c4c4989f5e12b643e170ff56 Mon Sep 17 00:00:00 2001
+From: Pedro Monreal <pmgdeb@gmail.com>
+Date: Thu, 16 Feb 2023 17:02:38 +0100
+Subject: [PATCH] pk: extend pair-wise consistency to cover DH key generation
+
+Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance of Pair-wise
+Consistency check, even if we only support ephemeral DH, as it is
+required by FIPS 140-3 IG 10.3.A.
+
+Signed-off-by: Pedro Monreal <pmgdeb@gmail.com>
+Co-authored-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/pk.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index d30bca594f..bd9c1b4c74 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -2642,6 +2642,35 @@ static int pct_test(gnutls_pk_algorithm_t algo,
+ 		}
+ 		break;
+ 	case GNUTLS_PK_DH:
++		{
++			mpz_t y;
++
++			/* Perform SP800 56A (rev 3) 5.6.2.1.4 Owner Assurance
++			 * of Pair-wise Consistency check, even if we only
++			 * support ephemeral DH, as it is required by FIPS
++			 * 140-3 IG 10.3.A.
++			 *
++			 * Use the private key, x, along with the generator g
++			 * and prime modulus p included in the domain
++			 * parameters associated with the key pair to compute
++			 * g^x mod p. Compare the result to the public key, y.
++			 */
++			mpz_init(y);
++			mpz_powm(y,
++				 TOMPZ(params->params[DSA_G]),
++				 TOMPZ(params->params[DSA_X]),
++				 TOMPZ(params->params[DSA_P]));
++			if (unlikely
++			    (mpz_cmp(y, TOMPZ(params->params[DSA_Y])) != 0)) {
++				ret =
++				    gnutls_assert_val
++				    (GNUTLS_E_PK_GENERATION_ERROR);
++				mpz_clear(y);
++				goto cleanup;
++			}
++			mpz_clear(y);
++			break;
++		}
+ 	case GNUTLS_PK_ECDH_X25519:
+ 	case GNUTLS_PK_ECDH_X448:
+ 		ret = 0;
+-- 
+2.39.2
+
diff --git a/SOURCES/gnutls-3.7.8-integrity-check.patch b/SOURCES/gnutls-3.7.8-integrity-check.patch
new file mode 100644
index 0000000..8ff5fb0
--- /dev/null
+++ b/SOURCES/gnutls-3.7.8-integrity-check.patch
@@ -0,0 +1,54 @@
+diff --color -ruNp a/lib/fips.c b/lib/fips.c
+--- a/lib/fips.c	2022-11-15 16:10:56.183185457 +0100
++++ b/lib/fips.c	2022-11-15 16:10:23.488530716 +0100
+@@ -360,11 +360,6 @@ static int check_lib_hmac(struct hmac_en
+ 		return gnutls_assert_val(ret);
+ 	}
+ 
+-	if (strncmp(entry->path, path, GNUTLS_PATH_MAX)) {
+-		_gnutls_debug_log("Library path for %s does not match with HMAC file\n", lib);
+-		return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+-	}
+-
+ 	_gnutls_debug_log("Loading: %s\n", path);
+ 	ret = gnutls_load_file(path, &data);
+ 	if (ret < 0) {
+diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c
+--- a/lib/fipshmac.c	2022-11-15 16:10:56.183185457 +0100
++++ b/lib/fipshmac.c	2022-11-15 16:10:23.489530737 +0100
+@@ -102,20 +102,30 @@ static int get_hmac(const char *path, ch
+ static int print_lib_path(const char *path)
+ {
+ 	int ret;
++	char *real_path = NULL;
+ 	char hmac[HMAC_STR_SIZE];
+ 
+-	ret = get_hmac(path, hmac, sizeof(hmac));
++	real_path = canonicalize_file_name(path);
++	if (real_path == NULL) {
++		fprintf(stderr, "Could not get realpath from %s\n", path);
++		ret = GNUTLS_E_FILE_ERROR;
++		goto cleanup;
++	}
++
++	ret = get_hmac(real_path, hmac, sizeof(hmac));
+ 	if (ret < 0) {
+ 		fprintf(stderr, "Could not calculate HMAC for %s: %s\n",
+-                        last_component(path), gnutls_strerror(ret));
+-		return ret;
++                        last_component(real_path), gnutls_strerror(ret));
++		goto cleanup;
+ 	}
+ 
+ 	printf("[%s]\n", last_component(path));
+-	printf("path = %s\n", path);
++	printf("path = %s\n", real_path);
+ 	printf("hmac = %s\n", hmac);
+ 
+-	return 0;
++cleanup:
++	free(real_path);
++	return ret;
+ }
+ 
+ static int print_lib_dl(const char *lib, const char *sym)
diff --git a/SOURCES/gnutls-3.7.8-revert-hmac-name.patch b/SOURCES/gnutls-3.7.8-revert-hmac-name.patch
new file mode 100644
index 0000000..fa1a672
--- /dev/null
+++ b/SOURCES/gnutls-3.7.8-revert-hmac-name.patch
@@ -0,0 +1,534 @@
+diff --color -ruNp a/configure.ac b/configure.ac
+--- a/configure.ac	2022-05-27 09:17:26.000000000 +0200
++++ b/configure.ac	2022-12-15 11:00:18.830698584 +0100
+@@ -619,6 +619,8 @@ if [ test "$enable_fips" = "yes" ];then
+     if test "x$fips_module_version" != xnone; then
+        AC_DEFINE_UNQUOTED([FIPS_MODULE_VERSION], ["$fips_module_version"], [The FIPS140 module version])
+     fi
++
++    AC_CHECK_FUNCS(dl_iterate_phdr)
+   else
+     enable_fips=no
+     AC_MSG_WARN([[
+diff --color -ruNp a/lib/fips.c b/lib/fips.c
+--- a/lib/fips.c	2022-12-15 10:59:57.460279029 +0100
++++ b/lib/fips.c	2022-12-15 11:00:18.831698604 +0100
+@@ -23,9 +23,11 @@
+ #include <gnutls/gnutls.h>
+ #include <gnutls/crypto.h>
+ #include <unistd.h>
++#include "dirname.h"
+ #include "errors.h"
+ #include "file.h"
+ #include "inih/ini.h"
++#include "str.h"
+ #include <fips.h>
+ #include <gnutls/self-test.h>
+ #include <stdio.h>
+@@ -34,6 +36,10 @@
+ 
+ #include "gthreads.h"
+ 
++#ifdef HAVE_DL_ITERATE_PHDR
++#include <link.h>
++#endif
++
+ unsigned int _gnutls_lib_state = LIB_STATE_POWERON;
+ 
+ struct gnutls_fips140_context_st {
+@@ -153,7 +159,6 @@ void _gnutls_fips_mode_reset_zombie(void
+ 
+ #define HMAC_SIZE 32
+ #define HMAC_ALGO GNUTLS_MAC_SHA256
+-#define HMAC_FILE_NAME ".gnutls.hmac"
+ #define HMAC_FORMAT_VERSION 1
+ 
+ struct hmac_entry
+@@ -162,51 +167,32 @@ struct hmac_entry
+ 	uint8_t hmac[HMAC_SIZE];
+ };
+ 
+-typedef struct
++struct hmac_file
+ {
+ 	int version;
+ 	struct hmac_entry gnutls;
+ 	struct hmac_entry nettle;
+ 	struct hmac_entry hogweed;
+ 	struct hmac_entry gmp;
+-} hmac_file;
++};
+ 
+-static int get_library_path(const char* lib, const char* symbol, char* path, size_t path_size)
++struct lib_paths
+ {
+-	int ret;
+-	void *dl, *sym;
+-	Dl_info info;
+-
+-	dl = dlopen(lib, RTLD_LAZY);
+-	if (dl == NULL)
+-		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+-
+-	sym = dlsym(dl, symbol);
+-	if (sym == NULL) {
+-		ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+-		goto cleanup;
+-	}
+-
+-	ret = dladdr(sym, &info);
+-	if (ret == 0) {
+-		ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+-		goto cleanup;
+-	}
+-
+-	ret = snprintf(path, path_size, "%s", info.dli_fname);
+-	if ((size_t)ret >= path_size) {
+-		ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+-		goto cleanup;
+-	}
+-
+-	ret = 0;
+-cleanup:
+-	dlclose(dl);
+-	return ret;
+-}
++	char gnutls[GNUTLS_PATH_MAX];
++	char nettle[GNUTLS_PATH_MAX];
++	char hogweed[GNUTLS_PATH_MAX];
++	char gmp[GNUTLS_PATH_MAX];
++};
+ 
+-/* Parses hmac data and copies hex value into dest.
++/*
++ * get_hmac:
++ * @dest: buffer for the hex value
++ * @value: hmac value
++ *
++ * Parses hmac data and copies hex value into dest.
+  * dest must point to at least HMAC_SIZE amount of memory
++ *
++ * Returns: 0 on success, a negative error code otherwise
+  */
+ static int get_hmac(uint8_t *dest, const char *value)
+ {
+@@ -245,7 +231,7 @@ lib_handler(struct hmac_entry *entry,
+ 
+ static int handler(void *user, const char *section, const char *name, const char *value)
+ {
+-	hmac_file *p = (hmac_file *)user;
++	struct hmac_file *p = (struct hmac_file *)user;
+ 
+ 	if (!strcmp(section, "global")) {
+ 		if (!strcmp(name, "format-version")) {
+@@ -267,24 +253,29 @@ static int handler(void *user, const cha
+ 	return 1;
+ }
+ 
+-static int get_hmac_path(char *mac_file, size_t mac_file_size)
++/*
++ * get_hmac_path:
++ * @mac_file: buffer where the hmac file path will be written to
++ * @mac_file_size: size of the mac_file buffer
++ * @gnutls_path: path to the gnutls library, used to deduce hmac file path
++ * 
++ * Deduces hmac file path from the gnutls library path.
++ *
++ * Returns: 0 on success, a negative error code otherwise
++ */
++static int get_hmac_path(char *mac_file, size_t mac_file_size, const char *gnutls_path)
+ {
+ 	int ret;
+ 	char *p;
+-	char file[GNUTLS_PATH_MAX];
+ 
+-	ret = get_library_path(GNUTLS_LIBRARY_NAME, "gnutls_global_init",
+-			       file, sizeof(file));
+-	if (ret < 0)
+-		return ret;
+-
+-	p = strrchr(file, '/');
++	p = strrchr(gnutls_path, '/');
+ 
+ 	if (p == NULL)
+-		ret = snprintf(mac_file, mac_file_size, HMAC_FILE_NAME);
++		ret = snprintf(mac_file, mac_file_size, ".%s.hmac", gnutls_path);
+ 	else
+-		ret = snprintf(mac_file, mac_file_size,
+-			       "%.*s/"HMAC_FILE_NAME, (int)(p - file), file);
++		ret = snprintf(mac_file, mac_file_size, "%.*s/.%s.hmac",
++			       (int)(p - gnutls_path), gnutls_path, p + 1);
++
+ 	if ((size_t)ret >= mac_file_size)
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
+@@ -293,10 +284,11 @@ static int get_hmac_path(char *mac_file,
+ 		return GNUTLS_E_SUCCESS;
+ 
+ 	if (p == NULL)
+-		ret = snprintf(mac_file, mac_file_size, "fipscheck/"HMAC_FILE_NAME);
++		ret = snprintf(mac_file, mac_file_size, "fipscheck/.%s.hmac", gnutls_path);
+ 	else
+-		ret = snprintf(mac_file, mac_file_size,
+-			       "%.*s/fipscheck/"HMAC_FILE_NAME, (int)(p - file), file);
++		ret = snprintf(mac_file, mac_file_size, "%.*s/fipscheck/.%s.hmac",
++			       (int)(p - gnutls_path), gnutls_path, p + 1);
++
+ 	if ((size_t)ret >= mac_file_size)
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
+@@ -307,51 +299,52 @@ static int get_hmac_path(char *mac_file,
+ 	return GNUTLS_E_FILE_ERROR;
+ }
+ 
+-static int load_hmac_file(hmac_file *p)
++/*
++ * load_hmac_file:
++ * @hmac_file: hmac file structure
++ * @hmac_path: path to the hmac file
++ *
++ * Loads the hmac file into the hmac file structure.
++ *
++ * Returns: 0 on success, a negative error code otherwise
++ */
++static int load_hmac_file(struct hmac_file *hmac_file, const char *hmac_path)
+ {
+ 	int ret;
+ 	FILE *stream;
+-	char hmac_path[GNUTLS_PATH_MAX];
+-
+-	ret = get_hmac_path(hmac_path, sizeof(hmac_path));
+-	if (ret < 0)
+-		return gnutls_assert_val(ret);
+ 
+ 	stream = fopen(hmac_path, "r");
+ 	if (stream == NULL)
+ 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+ 
+-	gnutls_memset(p, 0, sizeof(*p));
+-	ret = ini_parse_file(stream, handler, p);
++	gnutls_memset(hmac_file, 0, sizeof(*hmac_file));
++	ret = ini_parse_file(stream, handler, hmac_file);
+ 	fclose(stream);
+ 	if (ret < 0)
+ 		return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+ 
+-	if (p->version != HMAC_FORMAT_VERSION)
++	if (hmac_file->version != HMAC_FORMAT_VERSION)
+ 		return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+ 
+ 	return 0;
+ }
+ 
+-/* Run an HMAC using the key above on the library binary data.
+- * Returns 0 on success and negative value on error.
++/*
++ * check_lib_hmac:
++ * @entry: hmac file entry
++ * @path: path to the library which hmac should be compared
++ *
++ * Verify that HMAC from hmac file entry matches HMAC of given library.
++ *
++ * Returns: 0 on successful HMAC verification, a negative error code otherwise
+  */
+-static int check_lib_hmac(struct hmac_entry *entry,
+-			  const char *lib, const char *sym)
++static int check_lib_hmac(struct hmac_entry *entry, const char *path)
+ {
+ 	int ret;
+ 	unsigned prev;
+-	char path[GNUTLS_PATH_MAX];
+ 	uint8_t hmac[HMAC_SIZE];
+ 	gnutls_datum_t data;
+ 
+-	ret = get_library_path(lib, sym, path, sizeof(path));
+-	if (ret < 0) {
+-		_gnutls_debug_log("Could not get lib path for %s: %s\n",
+-				  lib, gnutls_strerror(ret));
+-		return gnutls_assert_val(ret);
+-	}
+-
+ 	_gnutls_debug_log("Loading: %s\n", path);
+ 	ret = gnutls_load_file(path, &data);
+ 	if (ret < 0) {
+@@ -382,28 +375,99 @@ static int check_lib_hmac(struct hmac_en
+ 	return 0;
+ }
+ 
++#ifdef HAVE_DL_ITERATE_PHDR
++
++static int callback(struct dl_phdr_info *info, size_t size, void *data)
++{
++	const char *path = info->dlpi_name;
++	const char *soname = last_component(path);
++	struct lib_paths *paths = (struct lib_paths *)data;
++
++	if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
++		_gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
++	else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
++		_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
++	else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
++		_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
++	else if (!strcmp(soname, GMP_LIBRARY_SONAME))
++		_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
++	return 0;
++}
++
++static int load_lib_paths(struct lib_paths *paths)
++{
++	memset(paths, 0, sizeof(*paths));
++	dl_iterate_phdr(callback, paths);
++	
++	if (paths->gnutls[0] == '\0') {
++		_gnutls_debug_log("Gnutls library path was not found\n");
++		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
++	}
++	if (paths->nettle[0] == '\0') {
++		_gnutls_debug_log("Nettle library path was not found\n");
++		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
++	}
++	if (paths->hogweed[0] == '\0') {
++		_gnutls_debug_log("Hogweed library path was not found\n");
++		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
++	}
++	if (paths->gmp[0] == '\0') {
++		_gnutls_debug_log("Gmp library path was not found\n");
++		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
++	}
++
++	return GNUTLS_E_SUCCESS;
++}
++
++#else
++
++static int load_lib_paths(struct lib_paths *paths)
++{
++	(void)paths;
++	_gnutls_debug_log("Function dl_iterate_phdr is missing\n");
++	return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++}
++
++#endif /* HAVE_DL_ITERATE_PHDR */
++
+ static int check_binary_integrity(void)
+ {
+ 	int ret;
+-	hmac_file file;
++	struct lib_paths paths;
++	struct hmac_file hmac;
++	char hmac_path[GNUTLS_PATH_MAX];
++
++	ret = load_lib_paths(&paths);
++	if (ret < 0) {
++		_gnutls_debug_log("Could not load library paths: %s\n",
++				  gnutls_strerror(ret));
++		return ret;
++	}
++
++	ret = get_hmac_path(hmac_path, sizeof(hmac_path), paths.gnutls);
++	if (ret < 0) {
++		_gnutls_debug_log("Could not get hmac file path: %s\n",
++				  gnutls_strerror(ret));
++		return ret;
++	}
+ 
+-	ret = load_hmac_file(&file);
++	ret = load_hmac_file(&hmac, hmac_path);
+ 	if (ret < 0) {
+ 		_gnutls_debug_log("Could not load hmac file: %s\n",
+ 				  gnutls_strerror(ret));
+ 		return ret;
+ 	}
+ 
+-	ret = check_lib_hmac(&file.gnutls, GNUTLS_LIBRARY_NAME, "gnutls_global_init");
++	ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
+ 	if (ret < 0)
+ 		return ret;
+-	ret = check_lib_hmac(&file.nettle, NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key");
++	ret = check_lib_hmac(&hmac.nettle, paths.nettle);
+ 	if (ret < 0)
+ 		return ret;
+-	ret = check_lib_hmac(&file.hogweed, HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u");
++	ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
+ 	if (ret < 0)
+ 		return ret;
+-	ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init");
++	ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+ 	if (ret < 0)
+ 		return ret;
+ 
+diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c
+--- a/lib/fipshmac.c	2022-12-15 10:59:57.461279049 +0100
++++ b/lib/fipshmac.c	2022-12-15 11:00:18.832698623 +0100
+@@ -22,12 +22,14 @@
+ 
+ #include "config.h"
+ 
+-#include <gnutls/gnutls.h>
+-#include <gnutls/crypto.h>
+-#include <dlfcn.h>
+-#include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++
++#ifdef HAVE_DL_ITERATE_PHDR
++
++#include <gnutls/gnutls.h>
++#include <gnutls/crypto.h>
++#include <link.h>
+ #include "dirname.h"
+ #include "errors.h"
+ 
+@@ -36,40 +38,6 @@
+ #define HMAC_ALGO GNUTLS_MAC_SHA256
+ #define HMAC_STR_SIZE (2 * HMAC_SIZE + 1)
+ 
+-static int get_path(const char *lib, const char *symbol, char *path, size_t path_size)
+-{
+-	int ret;
+-	void *dl, *sym;
+-	Dl_info info;
+-
+-	dl = dlopen(lib, RTLD_LAZY);
+-	if (dl == NULL)
+-		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+-
+-	sym = dlsym(dl, symbol);
+-	if (sym == NULL) {
+-		ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+-		goto cleanup;
+-	}
+-
+-	ret = dladdr(sym, &info);
+-	if (ret == 0) {
+-		ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+-		goto cleanup;
+-	}
+-
+-	ret = snprintf(path, path_size, "%s", info.dli_fname);
+-	if ((size_t)ret >= path_size) {
+-		ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+-		goto cleanup;
+-	}
+-
+-	ret = 0;
+-cleanup:
+-	dlclose(dl);
+-	return ret;
+-}
+-
+ static int get_hmac(const char *path, char *hmac, size_t hmac_size)
+ {
+ 	int ret;
+@@ -99,7 +67,7 @@ static int get_hmac(const char *path, ch
+ 	return 0;
+ }
+ 
+-static int print_lib_path(const char *path)
++static int print_lib(const char *path, const char *soname)
+ {
+ 	int ret;
+ 	char *real_path = NULL;
+@@ -119,7 +87,7 @@ static int print_lib_path(const char *pa
+ 		goto cleanup;
+ 	}
+ 
+-	printf("[%s]\n", last_component(path));
++	printf("[%s]\n", soname);
+ 	printf("path = %s\n", real_path);
+ 	printf("hmac = %s\n", hmac);
+ 
+@@ -128,25 +96,24 @@ cleanup:
+ 	return ret;
+ }
+ 
+-static int print_lib_dl(const char *lib, const char *sym)
++static int callback(struct dl_phdr_info *info, size_t size, void *data)
+ {
+-	int ret;
+-	char path[GNUTLS_PATH_MAX];
+-
+-	ret = get_path(lib, sym, path, sizeof(path));
+-	if (ret < 0) {
+-		fprintf(stderr, "Could not get lib path for %s: %s\n",
+-                        lib, gnutls_strerror(ret));
+-		return ret;
+-	}
++	const char *path = info->dlpi_name;
++	const char *soname = last_component(path);
+ 
+-	return print_lib_path(path);
++	if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
++		return print_lib(data ? data : path, soname);
++	if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
++		return print_lib(path, soname);
++	if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
++		return print_lib(path, soname);
++	if (!strcmp(soname, GMP_LIBRARY_SONAME))
++		return print_lib(path, soname);
++        return 0;
+ }
+ 
+ int main(int argc, char **argv)
+ {
+-	int ret;
+-
+ 	if (argc != 1 && argc != 2) {
+ 		fprintf(stderr, "Usage: %s [gnutls_so_path]\n", last_component(argv[0]));
+ 		return EXIT_FAILURE;
+@@ -155,24 +122,15 @@ int main(int argc, char **argv)
+ 	printf("[global]\n");
+ 	printf("format-version = %d\n", FORMAT_VERSION);
+ 
+-	if (argc == 2)
+-		ret = print_lib_path(argv[1]);
+-	else
+-		ret = print_lib_dl(GNUTLS_LIBRARY_SONAME, "gnutls_global_init");
+-	if (ret < 0)
+-		return EXIT_FAILURE;
++	return dl_iterate_phdr(callback, argc == 2 ? argv[1] : NULL);
++}
+ 
+-	ret = print_lib_dl(NETTLE_LIBRARY_SONAME, "nettle_aes_set_encrypt_key");
+-	if (ret < 0)
+-		return EXIT_FAILURE;
+-	
+-	ret = print_lib_dl(HOGWEED_LIBRARY_SONAME, "nettle_mpz_sizeinbase_256_u");
+-	if (ret < 0)
+-		return EXIT_FAILURE;
+-	
+-	ret = print_lib_dl(GMP_LIBRARY_SONAME, "__gmpz_init");
+-	if (ret < 0)
+-		return EXIT_FAILURE;
++#else
+ 
+-	return EXIT_SUCCESS;
++int main(void)
++{
++	fprintf(stderr, "Function dl_iterate_phdr is missing\n");
++	return EXIT_FAILURE;
+ }
++
++#endif /* HAVE_DL_ITERATE_PHDR */
+diff --color -ruNp a/lib/Makefile.am b/lib/Makefile.am
+--- a/lib/Makefile.am	2022-05-18 16:46:00.000000000 +0200
++++ b/lib/Makefile.am	2022-12-15 11:00:18.789697779 +0100
+@@ -202,14 +202,14 @@ noinst_PROGRAMS = fipshmac
+ fipshmac_SOURCES = fipshmac.c
+ fipshmac_LDADD = libgnutls.la ../gl/libgnu.la
+ 
+-hmac_files = .libs/.gnutls.hmac
++hmac_file = .libs/.$(gnutls_so).hmac
+ 
+-all-local: $(hmac_files)
++all-local: $(hmac_file)
+ 
+-.libs/.gnutls.hmac: libgnutls.la fipshmac
++$(hmac_file): libgnutls.la fipshmac
+ 	$(AM_V_GEN) $(builddir)/fipshmac > $@-t && mv $@-t $@
+ 
+-CLEANFILES = $(hmac_files)
++CLEANFILES = $(hmac_file)
+ endif
+ 
+ if NEED_LTLIBDL
diff --git a/SOURCES/gnutls-3.7.8-rsa-kx-timing.patch b/SOURCES/gnutls-3.7.8-rsa-kx-timing.patch
new file mode 100644
index 0000000..9107321
--- /dev/null
+++ b/SOURCES/gnutls-3.7.8-rsa-kx-timing.patch
@@ -0,0 +1,114 @@
+From c149dd0767f32789e391280cb1eb06b7eb7c6bce Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Tue, 9 Aug 2022 16:05:53 +0200
+Subject: [PATCH 1/2] auth/rsa: side-step potential side-channel
+
+Remove branching that depends on secret data.
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+Signed-off-by: Hubert Kario <hkario@redhat.com>
+Tested-by: Hubert Kario <hkario@redhat.com>
+---
+ lib/auth/rsa.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 8108ee841d..6b158bacb2 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -155,7 +155,6 @@ static int
+ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 		   size_t _data_size)
+ {
+-	const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
+ 	gnutls_datum_t ciphertext;
+ 	int ret, dsize;
+ 	ssize_t data_size = _data_size;
+@@ -235,15 +234,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 	ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+ 	        CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+ 
+-	if (ok) {
+-		/* call logging function unconditionally so all branches are
+-		 * indistinguishable for timing and cache access when debug
+-		 * logging is disabled */
+-		_gnutls_no_log("%s", attack_error);
+-	} else {
+-		_gnutls_debug_log("%s", attack_error);
+-	}
+-
+ 	/* This is here to avoid the version check attack
+ 	 * discussed above.
+ 	 */
+-- 
+2.39.1
+
+
+From 7c963102ec2119eecc1789b993aabe5edfd75f3b Mon Sep 17 00:00:00 2001
+From: Hubert Kario <hkario@redhat.com>
+Date: Wed, 8 Feb 2023 14:32:09 +0100
+Subject: [PATCH 2/2] rsa: remove dead code
+
+since the `ok` variable isn't used any more, we can remove all code
+used to calculate it
+
+Signed-off-by: Hubert Kario <hkario@redhat.com>
+---
+ lib/auth/rsa.c | 20 +++-----------------
+ 1 file changed, 3 insertions(+), 17 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 6b158bacb2..858701fe6e 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -159,8 +159,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 	int ret, dsize;
+ 	ssize_t data_size = _data_size;
+ 	volatile uint8_t ver_maj, ver_min;
+-	volatile uint8_t check_ver_min;
+-	volatile uint32_t ok;
+ 
+ #ifdef ENABLE_SSL3
+ 	if (get_num_version(session) == GNUTLS_SSL3) {
+@@ -186,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 
+ 	ver_maj = _gnutls_get_adv_version_major(session);
+ 	ver_min = _gnutls_get_adv_version_minor(session);
+-	check_ver_min = (session->internals.allow_wrong_pms == 0);
+ 
+ 	session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+ 	if (session->key.key.data == NULL) {
+@@ -205,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 		return ret;
+ 	}
+ 
+-	ret =
+-	    gnutls_privkey_decrypt_data2(session->internals.selected_key,
+-					 0, &ciphertext, session->key.key.data,
+-					 session->key.key.size);
++	gnutls_privkey_decrypt_data2(session->internals.selected_key,
++				     0, &ciphertext, session->key.key.data,
++				     session->key.key.size);
+ 	/* After this point, any conditional on failure that cause differences
+ 	 * in execution may create a timing or cache access pattern side
+ 	 * channel that can be used as an oracle, so treat very carefully */
+@@ -224,16 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 	 * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
+ 	 */
+ 
+-	/* ok is 0 in case of error and 1 in case of success. */
+-
+-	/* if ret < 0 */
+-	ok = CONSTCHECK_EQUAL(ret, 0);
+-	/* session->key.key.data[0] must equal ver_maj */
+-	ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
+-	/* if check_ver_min then session->key.key.data[1] must equal ver_min */
+-	ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+-	        CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+-
+ 	/* This is here to avoid the version check attack
+ 	 * discussed above.
+ 	 */
+-- 
+2.39.1
+
diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec
index e6fab98..b20da97 100644
--- a/SPECS/gnutls.spec
+++ b/SPECS/gnutls.spec
@@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
 }
 
 Version: 3.7.6
-Release: 12%{?dist}
+Release: 18%{?dist}
 # not upstreamed
 Patch: gnutls-3.6.7-no-now-guile.patch
 Patch: gnutls-3.2.7-rpath.patch
@@ -30,6 +30,13 @@ Patch: gnutls-3.7.6-fips-pkcs12-des-cbc.patch
 Patch: gnutls-3.7.6-fips-rsa-key-sizes.patch
 Patch: gnutls-3.7.6-fips-symkey-limit.patch
 Patch: gnutls-3.7.6-fips-ecdsa-hash-check.patch
+Patch: gnutls-3.7.6-fips-service-indicator-test-functions.patch
+Patch: gnutls-3.7.6-fips-ccm-taglen.patch
+Patch: gnutls-3.7.6-fips-rsa-pss-saltlen.patch
+Patch: gnutls-3.7.8-integrity-check.patch
+Patch: gnutls-3.7.8-revert-hmac-name.patch
+Patch: gnutls-3.7.8-rsa-kx-timing.patch
+Patch: gnutls-3.7.8-fips-pct-dh.patch
 
 # not upstreamed
 Patch: gnutls-3.7.3-disable-config-reload.patch
@@ -327,8 +334,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
 # doing it twice should be a no-op the second time,
 # and this way we avoid redefining it and missing a future change
 %{__spec_install_post}
-./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac
-sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac
+fname=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.*`
+./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
+sed -i "s^$RPM_BUILD_ROOT/usr^^" "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
+ln -s ".$fname.hmac" "$RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac"
 %endif
 
 %if %{with fips}
@@ -349,7 +358,7 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %files -f gnutls.lang
 %{_libdir}/libgnutls.so.30*
 %if %{with fips}
-%{_libdir}/.gnutls.hmac
+%{_libdir}/.libgnutls.so.30*.hmac
 %endif
 %doc README.md AUTHORS NEWS THANKS
 %license LICENSE doc/COPYING doc/COPYING.LESSER
@@ -397,6 +406,23 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 
 %changelog
+* Tue Feb 28 2023 Daiki Ueno <dueno@redhat.com> - 3.7.6-18
+- Update gnutls-3.7.8-fips-pct-dh.patch to the upstream version (#2168610)
+
+* Fri Feb 10 2023 Daiki Ueno <dueno@redhat.com> - 3.7.6-17
+- Fix timing side-channel in TLS RSA key exchange (#2162600)
+
+* Fri Feb 10 2023 Daiki Ueno <dueno@redhat.com> - 3.7.6-16
+- fips: extend PCT to DH key generation (#2168610)
+
+* Thu Dec 15 2022 Zoltan Fridrich <zfridric@redhat.com> - 3.7.6-14
+- fips: remove library path checking from FIPS integrity check (#2149638)
+- fips: rename hmac file to its previous name (#2149640)
+
+* Tue Nov 22 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-13
+- cipher: add restriction on CCM tag length under FIPS mode (#2144535)
+- nettle: mark non-compliant RSA-PSS salt length to be not-approved (#2144537)
+
 * Tue Sep 27 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-12
 - fips: mark PBKDF2 with short key and output sizes non-approved
 - fips: only mark HMAC as approved in PBKDF2
@@ -421,31 +447,31 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 - Update gnutls-3.7.6-cpuid-fixes.patch
 
 * Sat Aug 20 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-6
-- Mark RSA SigVer operation approved for known modulus sizes (#2119770)
+- Mark RSA SigVer operation approved for known modulus sizes (#2091903)
 - accelerated: clear AVX bits if it cannot be queried through XSAVE
 
 * Thu Aug  4 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-5
-- Block DES-CBC usage in decrypting PKCS#12 bag under FIPS (#2115314)
+- Block DES-CBC usage in decrypting PKCS#12 bag under FIPS (#2115244)
 - sysrng: reseed source DRBG for prediction resistance
 
 * Fri Jul 29 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-4
 - Make gnutls-cli work with KTLS for testing
-- Fix double-free in gnutls_pkcs7_verify (#2109789)
+- Fix double-free in gnutls_pkcs7_verify (#2109790)
 
 * Mon Jul 25 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-3
-- Limit input size for AES-GCM according to SP800-38D (#2108635)
+- Limit input size for AES-GCM according to SP800-38D (#2095251)
 - Do not treat GPG verification errors as fatal
 - Remove gnutls-3.7.6-libgnutlsxx-const.patch
 
 * Tue Jul 19 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-2
-- Allow enabling KTLS with config file (#2108532)
+- Allow enabling KTLS with config file (#2042009)
 
 * Fri Jul  1 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-1
-- Update to gnutls 3.7.6 (#2102591)
+- Update to gnutls 3.7.6 (#2097327)
 
 * Thu Mar 31 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-10
-- Use only the first component of VERSION from /etc/os-release (#2076626)
-- Don't run power-on self-tests on DSA (#2076627)
+- Use only the first component of VERSION from /etc/os-release (#2070249)
+- Don't run power-on self-tests on DSA (#2061325)
 
 * Fri Feb 25 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-9
 - Stop using typeof keyword for tss2 function prototypes (#2057490)