9 files changed, 582 insertions, 84 deletions

diff --git a/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch b/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch
new file mode 100644
index 0000000000..d13bfee8ef
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch
@@ -0,0 +1,26 @@
+From 7be8ec59a53e93c2bd453b3ba2d63d1b300ef11f Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@fujitsu.com>
+Date: Mon, 23 May 2022 10:44:43 +0900
+Subject: [PATCH] Creating .hmac file should be excuted in target environment,
+ so deleted it from build process.
+
+Upstream-Status: Inappropriate [https://gitlab.com/gnutls/gnutls/-/issues/1373]
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
+---
+ lib/Makefile.am | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index a50d311..193ea19 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -198,8 +198,7 @@ hmac_file = .libs/.$(gnutls_so).hmac
+ 
+ all-local: $(hmac_file)
+ 
+-$(hmac_file): libgnutls.la fipshmac
+-       $(AM_V_GEN) $(builddir)/fipshmac > $@-t && mv $@-t $@
++.libs/.$(gnutls_so).hmac:
+ 
+ CLEANFILES = $(hmac_file)
+ endif
diff --git a/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch b/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch
new file mode 100644
index 0000000000..cc39f5c9a5
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch
@@ -0,0 +1,269 @@
+From 2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Wed, 10 Apr 2024 12:51:33 +0200
+Subject: [PATCH] Fix RSAES-PKCS1-v1_5 system-wide configuration
+
+Upstream-Status: Backport [expected for  3.8.6 https://gitlab.com/gnutls/gnutls/-/merge_requests/1830?commit_id=2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d]
+
+Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+---
+ lib/priority.c                                | 125 +++++++++++-------
+ ...system-override-allow-rsa-pkcs1-encrypt.sh |  27 +++-
+ 2 files changed, 96 insertions(+), 56 deletions(-)
+
+diff --git a/lib/priority.c b/lib/priority.c
+index 8abe00d1ff..3434619aad 100644
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -1018,6 +1018,12 @@ struct cfg {
+        bool force_ext_master_secret_set;
+ };
+ 
++static inline void cfg_init(struct cfg *cfg)
++{
++       memset(cfg, 0, sizeof(*cfg));
++       cfg->allow_rsa_pkcs1_encrypt = true;
++}
++
+ static inline void cfg_deinit(struct cfg *cfg)
+ {
+        if (cfg->priority_strings) {
+@@ -1095,6 +1101,12 @@ struct ini_ctx {
+        size_t curves_size;
+ };
+ 
++static inline void ini_ctx_init(struct ini_ctx *ctx)
++{
++       memset(ctx, 0, sizeof(*ctx));
++       cfg_init(&ctx->cfg);
++}
++
+ static inline void ini_ctx_deinit(struct ini_ctx *ctx)
+ {
+        cfg_deinit(&ctx->cfg);
+@@ -1423,9 +1435,6 @@ static inline int cfg_apply(struct cfg *cfg, struct ini_ctx *ctx)
+                _gnutls_default_priority_string = cfg->default_priority_string;
+        }
+ 
+-       /* enable RSA-PKCS1-V1_5 by default */
+-       cfg->allow_rsa_pkcs1_encrypt = true;
+-
+        if (cfg->allowlisting) {
+                /* also updates `flags` of global `hash_algorithms[]` */
+                ret = cfg_hashes_set_array(cfg, ctx->hashes, ctx->hashes_size);
+@@ -2217,22 +2226,73 @@ update_system_wide_priority_string(void)
+        return 0;
+ }
+ 
++/* Returns false on parse error, otherwise true.
++ * The system_wide_config must be locked for writing.
++ */
++static inline bool load_system_priority_file(void)
++{
++       int err;
++       FILE *fp;
++       struct ini_ctx ctx;
++
++       cfg_init(&system_wide_config);
++
++       fp = fopen(system_priority_file, "re");
++       if (fp == NULL) {
++               _gnutls_debug_log("cfg: unable to open: %s: %d\n",
++                                 system_priority_file, errno);
++               return true;
++       }
++
++       /* Parsing the configuration file needs to be done in 2 phases:
++        * first parsing the [global] section
++        * and then the other sections,
++        * because the [global] section modifies the parsing behavior.
++        */
++       ini_ctx_init(&ctx);
++       err = ini_parse_file(fp, global_ini_handler, &ctx);
++       if (!err) {
++               if (fseek(fp, 0L, SEEK_SET) < 0) {
++                       _gnutls_debug_log("cfg: unable to rewind: %s\n",
++                                         system_priority_file);
++                       if (fail_on_invalid_config)
++                               exit(1);
++               }
++               err = ini_parse_file(fp, cfg_ini_handler, &ctx);
++       }
++       fclose(fp);
++       if (err) {
++               ini_ctx_deinit(&ctx);
++               _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
++                                 system_priority_file, err);
++               return false;
++       }
++       cfg_apply(&system_wide_config, &ctx);
++       ini_ctx_deinit(&ctx);
++       return true;
++}
++
+ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ {
+-       int ret, err = 0;
++       int ret;
++       bool config_parse_error = false;
+        struct stat sb;
+-       FILE *fp;
+        gnutls_buffer_st buf;
+-       struct ini_ctx ctx;
+ 
+        ret = gnutls_rwlock_rdlock(&system_wide_config_rwlock);
+-       if (ret < 0) {
++       if (ret < 0)
+                return gnutls_assert_val(ret);
+-       }
+ 
+        if (stat(system_priority_file, &sb) < 0) {
+                _gnutls_debug_log("cfg: unable to access: %s: %d\n",
+                                  system_priority_file, errno);
++
++               (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
++               ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
++               if (ret < 0)
++                       goto out;
++               /* If system-wide config is unavailable, apply the defaults */
++               cfg_init(&system_wide_config);
+                goto out;
+        }
+ 
+@@ -2240,63 +2300,27 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+            system_priority_last_mod == sb.st_mtime) {
+                _gnutls_debug_log("cfg: system priority %s has not changed\n",
+                                  system_priority_file);
+-               if (system_wide_config.priority_string) {
++               if (system_wide_config.priority_string)
+                        goto out; /* nothing to do */
+-               }
+        }
+ 
+        (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+ 
+        ret = gnutls_rwlock_wrlock(&system_wide_config_rwlock);
+-       if (ret < 0) {
++       if (ret < 0)
+                return gnutls_assert_val(ret);
+-       }
+ 
+        /* Another thread could have successfully re-read system-wide config,
+         * skip re-reading if the mtime it has used is exactly the same.
+         */
+-       if (system_priority_file_loaded) {
++       if (system_priority_file_loaded)
+                system_priority_file_loaded =
+                        (system_priority_last_mod == sb.st_mtime);
+-       }
+ 
+        if (!system_priority_file_loaded) {
+-               _name_val_array_clear(&system_wide_config.priority_strings);
+-
+-               gnutls_free(system_wide_config.priority_string);
+-               system_wide_config.priority_string = NULL;
+-
+-               fp = fopen(system_priority_file, "re");
+-               if (fp == NULL) {
+-                       _gnutls_debug_log("cfg: unable to open: %s: %d\n",
+-                                         system_priority_file, errno);
++               config_parse_error = !load_system_priority_file();
++               if (config_parse_error)
+                        goto out;
+-               }
+-               /* Parsing the configuration file needs to be done in 2 phases:
+-                * first parsing the [global] section
+-                * and then the other sections,
+-                * because the [global] section modifies the parsing behavior.
+-                */
+-               memset(&ctx, 0, sizeof(ctx));
+-               err = ini_parse_file(fp, global_ini_handler, &ctx);
+-               if (!err) {
+-                       if (fseek(fp, 0L, SEEK_SET) < 0) {
+-                               _gnutls_debug_log("cfg: unable to rewind: %s\n",
+-                                                 system_priority_file);
+-                               if (fail_on_invalid_config)
+-                                       exit(1);
+-                       }
+-                       err = ini_parse_file(fp, cfg_ini_handler, &ctx);
+-               }
+-               fclose(fp);
+-               if (err) {
+-                       ini_ctx_deinit(&ctx);
+-                       _gnutls_debug_log("cfg: unable to parse: %s: %d\n",
+-                                         system_priority_file, err);
+-                       goto out;
+-               }
+-               cfg_apply(&system_wide_config, &ctx);
+-               ini_ctx_deinit(&ctx);
+                _gnutls_debug_log("cfg: loaded system config %s mtime %lld\n",
+                                  system_priority_file,
+                                  (unsigned long long)sb.st_mtime);
+@@ -2332,9 +2356,8 @@ static int _gnutls_update_system_priorities(bool defer_system_wide)
+ out:
+        (void)gnutls_rwlock_unlock(&system_wide_config_rwlock);
+ 
+-       if (err && fail_on_invalid_config) {
++       if (config_parse_error && fail_on_invalid_config)
+                exit(1);
+-       }
+ 
+        return ret;
+ }
+diff --git a/tests/system-override-allow-rsa-pkcs1-encrypt.sh b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+index b7d477c96e..714d0af946 100755
+--- a/tests/system-override-allow-rsa-pkcs1-encrypt.sh
++++ b/tests/system-override-allow-rsa-pkcs1-encrypt.sh
+@@ -19,9 +19,8 @@
+ # You should have received a copy of the GNU Lesser General Public License
+ # along with this program.  If not, see <https://www.gnu.org/licenses/>
+ 
+-: ${srcdir=.}
+-TEST=${srcdir}/rsaes-pkcs1-v1_5
+-CONF=${srcdir}/config.$$.tmp
++TEST=${builddir}/rsaes-pkcs1-v1_5
++CONF=config.$$.tmp
+ export GNUTLS_SYSTEM_PRIORITY_FILE=${CONF}
+ export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+ 
+@@ -38,15 +37,33 @@ cat <<_EOF_ > ${CONF}
+ allow-rsa-pkcs1-encrypt = true
+ _EOF_
+ 
+-${TEST} && fail "RSAES-PKCS1-v1_5 expected to succeed"
++${TEST}
++if [ $? != 0 ]; then
++       echo "${TEST} expected to succeed"
++       exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled"
+ 
+ cat <<_EOF_ > ${CONF}
+ [overrides]
+ allow-rsa-pkcs1-encrypt = false
+ _EOF_
+ 
+-${TEST} || fail "RSAES-PKCS1-v1_5 expected to fail"
++${TEST}
++if [ $? = 0 ]; then
++       echo "${TEST} expected to fail"
++       exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully disabled"
+ 
+ unset GNUTLS_SYSTEM_PRIORITY_FILE
+ unset GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID
++
++${TEST}
++if [ $? != 0 ]; then
++       echo "${TEST} expected to succeed by default"
++       exit 1
++fi
++echo "RSAES-PKCS1-v1_5 successfully enabled by default"
++
+ exit 0
+-- 
+GitLab
+
+
diff --git a/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch b/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch
new file mode 100644
index 0000000000..8edd31d6b9
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch
@@ -0,0 +1,57 @@
+From bfa70adcbda4e505cf2e597907852e78e0439ee2 Mon Sep 17 00:00:00 2001
+From: Ravineet Singh <ravineet.a.singh@est.tech>
+Date: Tue, 10 Jan 2023 16:11:10 +0100
+Subject: [PATCH] gnutls: add ptest support
+
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Ravineet Singh <ravineet.a.singh@est.tech>
+---
+ Makefile.am       | 3 +++
+ configure.ac      | 2 ++
+ tests/Makefile.am | 6 ++++++
+ 3 files changed, 11 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index 843193f..816b09f 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -191,6 +191,9 @@ dist-hook:
+        mv ChangeLog $(distdir)
+        touch -c $(distdir)/doc/*.html $(distdir)/doc/*.pdf $(distdir)/doc/*.info
+ 
++install-ptest:
++        $(MAKE) -C tests DESTDIR=$(DESTDIR)/tests $@
++
+ .PHONY: abi-check abi-dump-versioned abi-dump-latest pic-check symbol-check local-code-coverage-output files-update AUTHORS
+ 
+ include $(top_srcdir)/cligen/cligen.mk
+diff --git a/configure.ac b/configure.ac
+index 934377e..4406eae 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1213,6 +1213,8 @@ AC_SUBST(LIBGNUTLS_CFLAGS)
+ 
+ AM_CONDITIONAL(NEEDS_LIBRT, test "$gnutls_needs_librt" = "yes")
+ 
++AM_EXTRA_RECURSIVE_TARGETS([buildtest-TESTS])
++
+ AC_DEFINE([GNUTLS_INTERNAL_BUILD], 1, [We allow temporarily usage of deprecated functions - until they are removed.])
+ 
+ hw_features=
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index e39a3b3..861dd63 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -663,6 +663,12 @@ SH_LOG_COMPILER = $(SHELL)
+ AM_VALGRINDFLAGS = --suppressions=$(srcdir)/suppressions.valgrind
+ LOG_COMPILER = $(LOG_VALGRIND)
+ 
++install-ptest: $(check_PROGRAMS)
++       @$(INSTALL) -d $(DESTDIR)
++       @for file in $^; do \
++               $(INSTALL_PROGRAM) $$file $(DESTDIR) ; \
++       done
++
+ distclean-local:
+        rm -rf softhsm-*.db softhsm-*.config *.tmp tmp-* x509-crt-list-import-url.config.db port.lock.d
+ 
diff --git a/meta/recipes-support/gnutls/gnutls/arm_eabi.patch b/meta/recipes-support/gnutls/gnutls/arm_eabi.patch
index 6eb1edbdb1..883d0123db 100644
--- a/meta/recipes-support/gnutls/gnutls/arm_eabi.patch
+++ b/meta/recipes-support/gnutls/gnutls/arm_eabi.patch
@@ -1,4 +1,4 @@
-From 8a5c96057cf305bbeac0d6e0e59ee24fbb9497fe Mon Sep 17 00:00:00 2001
+From d17ae0ef31c3c186766a338e8c40c87d1b98820e Mon Sep 17 00:00:00 2001
 From: Joe Slater <jslater@windriver.com>
 Date: Wed, 25 Jan 2017 13:52:59 -0800
 Subject: [PATCH] gnutls: account for ARM_EABI
@@ -9,16 +9,15 @@ reference to them.
 Upstream-Status: Pending
 
 Signed-off-by: Joe Slater <jslater@windriver.com>
-
 ---
  tests/seccomp.c | 2 ++
  1 file changed, 2 insertions(+)
 
 diff --git a/tests/seccomp.c b/tests/seccomp.c
-index ed14d00..3c5b726 100644
+index 881f0bb..5f9204a 100644
 --- a/tests/seccomp.c
 +++ b/tests/seccomp.c
-@@ -53,7 +53,9 @@ int disable_system_calls(void)
+@@ -55,7 +55,9 @@ int disable_system_calls(void)
  
         ADD_SYSCALL(nanosleep, 0);
         ADD_SYSCALL(clock_nanosleep, 0);
diff --git a/meta/recipes-support/gnutls/gnutls/run-ptest b/meta/recipes-support/gnutls/gnutls/run-ptest
new file mode 100644
index 0000000000..17e26eae70
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/run-ptest
@@ -0,0 +1,100 @@
+#!/bin/sh
+
+rjob() {
+    local job=$1
+    local log=$2
+
+    # TODO: Output will be garbled
+    ./${job} >> ${log} 2>&1
+
+    ret=$?
+    case $ret in
+    0)
+        echo "PASS: $t" >> ${log}
+        echo "PASS: $t"
+        ;;
+    77)
+        echo "SKIP: $t" >> ${log}
+        echo "SKIP: $t"
+        ;;
+    *)
+        echo "FAIL: $t" >> ${log}
+        echo "FAIL: $t"
+        ;;
+    esac
+}
+
+is_disallowed() {
+    local key=$1
+    $(echo ${test_disallowlist} | grep -w -q ${key})
+    return $?
+}
+
+# TODO
+# This list should probably be in a external file
+# Testcases defined here either take very long time (dtls-stress)
+# or are dependent on local files (certs, etc) in local file system
+# currently not exported to target.
+
+test_disallowlist=""
+test_disallowlist="${test_disallowlist} dtls-stress"
+test_disallowlist="${test_disallowlist} handshake-large-cert"
+test_disallowlist="${test_disallowlist} id-on-xmppAddr"
+test_disallowlist="${test_disallowlist} mini-x509-cas"
+test_disallowlist="${test_disallowlist} pkcs12_simple"
+test_disallowlist="${test_disallowlist} protocol-set-allowlist"
+test_disallowlist="${test_disallowlist} psk-file"
+test_disallowlist="${test_disallowlist} rawpk-api"
+test_disallowlist="${test_disallowlist} set_pkcs12_cred"
+test_disallowlist="${test_disallowlist} system-override-curves-allowlist"
+test_disallowlist="${test_disallowlist} system-override-hash"
+test_disallowlist="${test_disallowlist} system-override-sig"
+test_disallowlist="${test_disallowlist} system-override-sig-tls"
+test_disallowlist="${test_disallowlist} system-prio-file"
+test_disallowlist="${test_disallowlist} x509cert-tl"
+
+LOG=${PWD}/tests.log
+cd tests
+max_njobs=$(grep -c ^processor /proc/cpuinfo)
+njobs=0
+
+set +e
+
+for t in *; do
+    [ -x $t ] || continue
+    [ -f $t ] || continue
+
+    is_disallowed ${t}
+    [ $? -eq 0 ] && continue
+
+    rjob ${t} ${LOG} &
+    one=1
+    njobs=$(expr ${njobs} + ${one})
+    if [ ${njobs} -eq ${max_njobs} ]; then
+        wait
+        njobs=0
+    fi
+done
+wait
+
+skipped=$(grep -c SKIP ${LOG})
+passed=$(grep -c PASS ${LOG})
+failed=$(grep -c FAIL ${LOG})
+total=$(expr ${passed} + ${failed} + ${skipped})
+
+if [ ${failed} -ne 0 ]; then
+    echo
+    echo "Tests failed for gnutls, log is:"
+    echo "--------------------"
+    cat ${LOG}
+    echo
+fi
+
+echo
+echo "gnutls test summary:"
+echo "--------------------"
+echo "total: ${total}"
+echo "pass : ${passed}"
+echo "fail : ${failed}"
+echo "skip : ${skipped}"
+echo
diff --git a/meta/recipes-support/gnutls/gnutls_3.7.0.bb b/meta/recipes-support/gnutls/gnutls_3.7.0.bb
deleted file mode 100644
index e3ca86b933..0000000000
--- a/meta/recipes-support/gnutls/gnutls_3.7.0.bb
+++ /dev/null
@@ -1,67 +0,0 @@
-SUMMARY = "GNU Transport Layer Security Library"
-HOMEPAGE = "http://www.gnu.org/software/gnutls/"
-BUGTRACKER = "https://savannah.gnu.org/support/?group=gnutls"
-
-LICENSE = "GPLv3+ & LGPLv2.1+"
-LICENSE_${PN} = "LGPLv2.1+"
-LICENSE_${PN}-xx = "LGPLv2.1+"
-LICENSE_${PN}-bin = "GPLv3+"
-LICENSE_${PN}-openssl = "GPLv3+"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \
-                    file://doc/COPYING;md5=c678957b0c8e964aa6c70fd77641a71e \
-                    file://doc/COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-DEPENDS = "nettle gmp virtual/libiconv libunistring"
-DEPENDS_append_libc-musl = " argp-standalone"
-
-SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
-
-SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
-           file://arm_eabi.patch \
-           "
-
-SRC_URI[sha256sum] = "49e2a22691d252c9f24a9829b293a8f359095bc5a818351f05f1c0a5188a1df8"
-
-inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
-
-PACKAGECONFIG ??= "libidn"
-
-# You must also have CONFIG_SECCOMP enabled in the kernel for
-# seccomp to work.
-PACKAGECONFIG[seccomp] = "ac_cv_libseccomp=yes,ac_cv_libseccomp=no,libseccomp"
-PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
-PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
-PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
-PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
-
-EXTRA_OECONF = " \
-    --enable-doc \
-    --disable-libdane \
-    --disable-guile \
-    --disable-rpath \
-    --enable-local-libopts \
-    --enable-openssl-compatibility \
-    --with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \
-    --with-librt-prefix=${STAGING_DIR_HOST}${prefix} \
-    --with-default-trust-store-file=${sysconfdir}/ssl/certs/ca-certificates.crt \
-"
-
-# Otherwise the tools try and use HOSTTOOLS_DIR/bash as a shell.
-export POSIX_SHELL="${base_bindir}/sh"
-
-LDFLAGS_append_libc-musl = " -largp"
-
-do_configure_prepend() {
-        for dir in . lib; do
-                rm -f ${dir}/aclocal.m4 ${dir}/m4/libtool.m4 ${dir}/m4/lt*.m4
-        done
-}
-
-PACKAGES =+ "${PN}-openssl ${PN}-xx"
-
-FILES_${PN}-dev += "${bindir}/gnutls-cli-debug"
-FILES_${PN}-openssl = "${libdir}/libgnutls-openssl.so.*"
-FILES_${PN}-xx = "${libdir}/libgnutlsxx.so.*"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.5.bb b/meta/recipes-support/gnutls/gnutls_3.8.5.bb
new file mode 100644
index 0000000000..52a1c00c4a
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls_3.8.5.bb
@@ -0,0 +1,101 @@
+SUMMARY = "GNU Transport Layer Security Library"
+DESCRIPTION = "a secure communications library implementing the SSL, \
+TLS and DTLS protocols and technologies around them."
+HOMEPAGE = "https://gnutls.org/"
+BUGTRACKER = "https://savannah.gnu.org/support/?group=gnutls"
+
+LICENSE = "GPL-3.0-or-later & LGPL-2.1-or-later"
+LICENSE:${PN} = "LGPL-2.1-or-later"
+LICENSE:${PN}-xx = "LGPL-2.1-or-later"
+LICENSE:${PN}-bin = "GPL-3.0-or-later"
+LICENSE:${PN}-openssl = "GPL-3.0-or-later"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \
+                    file://doc/COPYING;md5=1ebbd3e34237af26da5dc08a4e440464 \
+                    file://doc/COPYING.LESSER;md5=4fbd65380cdd255951079008b364516c"
+
+DEPENDS = "nettle gmp virtual/libiconv libunistring"
+
+SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
+
+SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
+           file://arm_eabi.patch \
+           file://0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch \
+           file://0001-Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch \
+           file://run-ptest \
+           file://Add-ptest-support.patch \
+           "
+
+SRC_URI[sha256sum] = "66269a2cfe0e1c2dabec87bdbbd8ab656f396edd9a40dd006978e003cfa52bfc"
+
+inherit autotools texinfo pkgconfig gettext lib_package gtk-doc ptest
+
+PACKAGECONFIG ??= "libidn libtasn1 ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)}"
+
+# You must also have CONFIG_SECCOMP enabled in the kernel for
+# seccomp to work.
+PACKAGECONFIG[seccomp] = "--with-libseccomp-prefix=${STAGING_EXECPREFIXDIR},ac_cv_libseccomp=no,libseccomp"
+PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
+PACKAGECONFIG[libtasn1] = "--without-included-libtasn1,--with-included-libtasn1,libtasn1"
+PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
+PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
+PACKAGECONFIG[fips] = "--enable-fips140-mode --with-libdl-prefix=${STAGING_BASELIBDIR}"
+PACKAGECONFIG[dane] = "--enable-libdane,--disable-libdane,unbound"
+# Certificate compression
+PACKAGECONFIG[brotli] = "--with-brotli,--without-brotli,brotli"
+PACKAGECONFIG[zlib] = "--with-zlib,--without-zlib,zlib"
+PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd"
+
+EXTRA_OECONF = " \
+    --enable-doc \
+    --disable-rpath \
+    --enable-openssl-compatibility \
+    --with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \
+    --with-librt-prefix=${STAGING_DIR_HOST}${prefix} \
+    --with-default-trust-store-file=${sysconfdir}/ssl/certs/ca-certificates.crt \
+"
+
+# Otherwise the tools try and use HOSTTOOLS_DIR/bash as a shell.
+export POSIX_SHELL="${base_bindir}/sh"
+
+do_configure:prepend() {
+        for dir in . lib; do
+                rm -f ${dir}/aclocal.m4 ${dir}/m4/libtool.m4 ${dir}/m4/lt*.m4
+        done
+}
+
+do_compile_ptest() {
+    oe_runmake -C tests buildtest-TESTS
+}
+
+do_install:append:class-target() {
+        if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+          install -d ${D}${bindir}/bin
+          install -m 0755 ${B}/lib/.libs/fipshmac ${D}/${bindir}/
+        fi
+}
+
+PACKAGES =+ "${PN}-dane ${PN}-openssl ${PN}-xx ${PN}-fips"
+
+FILES:${PN}-dev += "${bindir}/gnutls-cli-debug"
+
+FILES:${PN}-dane = "${libdir}/libgnutls-dane.so.*"
+FILES:${PN}-openssl = "${libdir}/libgnutls-openssl.so.*"
+FILES:${PN}-xx = "${libdir}/libgnutlsxx.so.*"
+FILES:${PN}-fips = "${bindir}/fipshmac"
+
+RDEPENDS:${PN}-ptest += "python3"
+
+BBCLASSEXTEND = "native nativesdk"
+
+pkg_postinst_ontarget:${PN}-fips () {
+    if test -x ${bindir}/fipshmac
+    then
+        mkdir ${sysconfdir}/gnutls
+        touch ${sysconfdir}/gnutls/config
+        ${bindir}/fipshmac ${libdir}/libgnutls.so.30.*.* > ${libdir}/.libgnutls.so.30.hmac
+        ${bindir}/fipshmac ${libdir}/libnettle.so.8.* > ${libdir}/.libnettle.so.8.hmac
+        ${bindir}/fipshmac ${libdir}/libgmp.so.10.*.* > ${libdir}/.libgmp.so.10.hmac
+        ${bindir}/fipshmac ${libdir}/libhogweed.so.6.* > ${libdir}/.libhogweed.so.6.hmac
+    fi
+}
diff --git a/meta/recipes-support/gnutls/libtasn1/dont-depend-on-help2man.patch b/meta/recipes-support/gnutls/libtasn1/dont-depend-on-help2man.patch
index 2ac89f3b32..216d636793 100644
--- a/meta/recipes-support/gnutls/libtasn1/dont-depend-on-help2man.patch
+++ b/meta/recipes-support/gnutls/libtasn1/dont-depend-on-help2man.patch
@@ -1,14 +1,26 @@
+From 629fc6427710e48b78f8b1f300dd698fe898cfd4 Mon Sep 17 00:00:00 2001
+From: Marko Lindqvist <cazfi74@gmail.com>
+Date: Mon, 7 Jan 2013 01:49:40 +0200
+Subject: [PATCH] libtasn1: remove help2man dependency
+
 Upstream-Status: Inappropriate
 
 Signed-off-by: Marko Lindqvist <cazfi74@gmail.com>
-diff -Nurd libtasn1-2.14/doc/Makefile.am libtasn1-2.14/doc/Makefile.am
---- libtasn1-2.14/doc/Makefile.am       2012-09-24 15:08:42.000000000 +0300
-+++ libtasn1-2.14/doc/Makefile.am       2013-01-03 07:35:26.702763403 +0200
-@@ -31,7 +31,7 @@
- AM_MAKEINFOHTMLFLAGS = $(AM_MAKEINFOFLAGS) \
-        --no-split --number-sections --css-include=texinfo.css
 
+---
+ doc/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index a0171a5..8aa4d3d 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -28,7 +28,7 @@ libtasn1_TEXINFOS += asn1Coding-help.texi asn1Decoding-help.texi asn1Parser-help
+ 
+ AM_MAKEINFOHTMLFLAGS = --no-split $(AM_MAKEINFOFLAGS)
+ 
 -dist_man_MANS = $(gdoc_MANS) asn1Parser.1 asn1Coding.1 asn1Decoding.1
 +dist_man_MANS = $(gdoc_MANS)
-
+ 
  HELP2MAN_OPTS = --info-page libtasn1
+ 
diff --git a/meta/recipes-support/gnutls/libtasn1_4.16.0.bb b/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
index 18dae6d0c9..5fb8b54c06 100644
--- a/meta/recipes-support/gnutls/libtasn1_4.16.0.bb
+++ b/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
@@ -1,12 +1,14 @@
 SUMMARY = "Library for ASN.1 and DER manipulation"
+DESCRIPTION = "A highly portable C library that encodes and decodes \
+DER/BER data following an ASN.1 schema. "
 HOMEPAGE = "http://www.gnu.org/software/libtasn1/"
 
-LICENSE = "GPLv3+ & LGPLv2.1+"
-LICENSE_${PN}-bin = "GPLv3+"
-LICENSE_${PN} = "LGPLv2.1+"
+LICENSE = "GPL-3.0-or-later & LGPL-2.1-or-later"
+LICENSE:${PN}-bin = "GPL-3.0-or-later"
+LICENSE:${PN} = "LGPL-2.1-or-later"
 LIC_FILES_CHKSUM = "file://doc/COPYING;md5=d32239bcb673463ab874e80d47fae504 \
                     file://doc/COPYING.LESSER;md5=4fbd65380cdd255951079008b364516c \
-                    file://LICENSE;md5=75ac100ec923f959898182307970c360"
+                    file://COPYING;md5=75ac100ec923f959898182307970c360"
 
 SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \
            file://dont-depend-on-help2man.patch \
@@ -14,8 +16,7 @@ SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \
 
 DEPENDS = "bison-native"
 
-SRC_URI[md5sum] = "531208de3729d42e2af0a32890f08736"
-SRC_URI[sha256sum] = "0e0fb0903839117cb6e3b56e68222771bebf22ad7fc2295a0ed7d576e8d4329d"
+SRC_URI[sha256sum] = "1613f0ac1cf484d6ec0ce3b8c06d56263cc7242f1c23b30d82d23de345a63f7a"
 
 inherit autotools texinfo lib_package gtk-doc