
[whinlatter,1/4] gnutls: upgrade 3.8.10 -> 3.8.11

Message ID 20260217125830.2907750-1-vanusuri@mvista.com
State New
Series [whinlatter,1/4] gnutls: upgrade 3.8.10 -> 3.8.11

Commit Message

Vijay Anusuri Feb. 17, 2026, 12:58 p.m. UTC
Release information: [1]
Includes fix for CVE-2025-9820.

Refresh patches.

Backport commit to be able to build with gcc<11 (e.g. Debian 11).

[1] https://lists.gnupg.org/pipermail/gnutls-help/2025-November/004906.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

(From OE-Core rev: 0224dd73d5e462e3ab0958a63d631aa32e330d6c)

Dropped CVE-2025-9820.patch

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 ...ile-should-be-excuted-in-target-envi.patch |   2 +-
 ...dit-crau-fix-compilation-with-gcc-11.patch |  66 +++++
 .../gnutls/gnutls/Add-ptest-support.patch     |   6 +-
 .../gnutls/gnutls/CVE-2025-9820.patch         | 233 ------------------
 .../{gnutls_3.8.10.bb => gnutls_3.8.11.bb}    |   4 +-
 5 files changed, 72 insertions(+), 239 deletions(-)
 create mode 100644 meta/recipes-support/gnutls/gnutls/0001-audit-crau-fix-compilation-with-gcc-11.patch
 delete mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch
 rename meta/recipes-support/gnutls/{gnutls_3.8.10.bb => gnutls_3.8.11.bb} (96%)

Comments

patchtest@automation.yoctoproject.org Feb. 17, 2026, 1:15 p.m. UTC | #1
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/whinlatter-1-4-gnutls-upgrade-3.8.10---3.8.11.patch

FAIL: test CVE tag format: Missing or incorrectly formatted CVE tag in patch file. Correct or include the CVE tag in the patch with format: "CVE: CVE-YYYY-XXXX" (test_patch.TestPatch.test_cve_tag_format)

PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

Patch

diff --git a/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch b/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch
index 2dccea7859..0847dde8a9 100644
--- a/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch
+++ b/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch
@@ -14,7 +14,7 @@  diff --git a/lib/Makefile.am b/lib/Makefile.am
 index a50d311..193ea19 100644
 --- a/lib/Makefile.am
 +++ b/lib/Makefile.am
-@@ -272,8 +272,7 @@ hmac_file = .libs/.$(gnutls_so).hmac
+@@ -275,8 +275,7 @@ hmac_file = .libs/.$(gnutls_so).hmac
  
  all-local: $(hmac_file)
  
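Review bot: only the nested hunk offset moves here (`@@ -272,8 +272,7 @@` to `@@ -275,8 +275,7 @@`), so this is a pure context refresh with no change to what the patch adds; the nested `index a50d311..193ea19` line still names the pre-3.8.11 blobs, which does not affect applying the patch but would be kept in step by regenerating the patch against the new source.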
diff --git a/meta/recipes-support/gnutls/gnutls/0001-audit-crau-fix-compilation-with-gcc-11.patch b/meta/recipes-support/gnutls/gnutls/0001-audit-crau-fix-compilation-with-gcc-11.patch
new file mode 100644
index 0000000000..60960dad6f
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0001-audit-crau-fix-compilation-with-gcc-11.patch
@@ -0,0 +1,66 @@ 
+From 2bbae7644a2292410b53f98fd0035c40bf8750a5 Mon Sep 17 00:00:00 2001
+From: Julien Olivain <ju.o@free.fr>
+Date: Sun, 23 Nov 2025 18:17:19 +0100
+Subject: [PATCH] audit: crau: fix compilation with gcc < 11
+
+If the CRAU_MAYBE_UNUSED macro is unset, the crau.h file tries to
+automatically detect an appropriate value for it.
+
+This autodetection is using the cpp special operator
+`__has_c_attribute` [1], introduced in gcc 11 [2].
+
+When compiling with a gcc older than version 11, the compilation fails
+with the error:
+
+    In file included from audit.h:22,
+                     from audit.c:26:
+    crau/crau.h:255:23: error: missing binary operator before token "("
+         __has_c_attribute (__maybe_unused__)
+                           ^
+
+This has been observed, for example, in Rocky Linux 8.10, which
+contains a gcc v8.5.0.
+
+The issue happens because the test for the `__has_c_attribute`
+availability and the test for the `__maybe_unused__` attribute
+are in the same directive. Those tests should be separated in
+two different directives, following the same logic described in
+the `__has_builtin` documentation [3].
+
+This issue was found in Buildroot, after updating gnutls to
+version 3.8.11 in [4].
+
+This commit fixes the issue by splitting the test in two.
+
+[1] https://gcc.gnu.org/onlinedocs/cpp/_005f_005fhas_005fc_005fattribute.html
+[2] https://gcc.gnu.org/gcc-11/changes.html#c
+[3] https://gcc.gnu.org/onlinedocs/cpp/_005f_005fhas_005fbuiltin.html
+[4] https://gitlab.com/buildroot.org/buildroot/-/commit/81dbfe1c2ae848b4eb1f896198d13455df50e548
+
+Reported-by: Neal Frager <neal.frager@amd.com>
+Signed-off-by: Julien Olivain <ju.o@free.fr>
+
+Upstream-Status: Backport [https://github.com/gnutls/gnutls/commit/2bbae7644a2292410b53f98fd0035c40bf8750a5]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/crau/crau.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lib/crau/crau.h b/lib/crau/crau.h
+index 0d4f9f13e..53d33555b 100644
+--- a/lib/crau/crau.h
++++ b/lib/crau/crau.h
+@@ -251,9 +251,10 @@ void crau_data(struct crau_context_stack_st *stack, ...)
+ # else
+ 
+ #  ifndef CRAU_MAYBE_UNUSED
+-#   if defined(__has_c_attribute) && \
+-    __has_c_attribute (__maybe_unused__)
+-#    define CRAU_MAYBE_UNUSED [[__maybe_unused__]]
++#   if defined(__has_c_attribute)
++#    if __has_c_attribute (__maybe_unused__)
++#     define CRAU_MAYBE_UNUSED [[__maybe_unused__]]
++#    endif
+ #   elif defined(__GNUC__)
+ #    define CRAU_MAYBE_UNUSED __attribute__((__unused__))
+ #   endif
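Review bot: the split changes the fallback behaviour compared with the combined condition it replaces: when `__has_c_attribute` is defined but `__has_c_attribute (__maybe_unused__)` evaluates to 0, the preprocessor now leaves the outer `#   if defined(__has_c_attribute)` branch without reaching `#   elif defined(__GNUC__)`, so CRAU_MAYBE_UNUSED stays undefined on such a compiler unless a later default (not visible in this hunk) defines it, whereas the old form fell through to `__attribute__((__unused__))`. As this is an Upstream-Status: Backport of the named upstream commit it should stay identical to upstream, but it is worth confirming that crau.h ends with a trailing `#ifndef CRAU_MAYBE_UNUSED` default before relying on it for gcc builds. Upstream-Status and Signed-off-by are present.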
diff --git a/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch b/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch
index 339d3d2f9e..d8b5035b38 100644
--- a/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch
+++ b/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch
@@ -15,7 +15,7 @@  diff --git a/Makefile.am b/Makefile.am
 index 843193f..816b09f 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -194,6 +194,9 @@ dist-hook:
+@@ -197,6 +197,9 @@ dist-hook:
  distcheck-hook:
  	@test -d "$(top_srcdir)/po/.reference" || { echo "PO files are not downloaded; run ./bootstrap without --skip-po"; exit 1; }
  
@@ -29,7 +29,7 @@  diff --git a/configure.ac b/configure.ac
 index 1744813..efb9e34 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1491,6 +1491,8 @@ AC_SUBST(LIBGNUTLS_CFLAGS)
+@@ -1447,6 +1447,8 @@ AC_SUBST(LIBGNUTLS_CFLAGS)
  
  AM_CONDITIONAL(NEEDS_LIBRT, test "$gnutls_needs_librt" = "yes")
  
@@ -42,7 +42,7 @@  diff --git a/tests/Makefile.am b/tests/Makefile.am
 index 189d068..8430b05 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
-@@ -678,6 +678,12 @@ SH_LOG_COMPILER = $(SHELL)
+@@ -719,6 +719,12 @@ SH_LOG_COMPILER = $(SHELL)
  AM_VALGRINDFLAGS = --suppressions=$(srcdir)/suppressions.valgrind
  LOG_COMPILER = $(LOG_VALGRIND)
  
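Review bot: this hunk and the two before it adjust only the nested `@@` offsets (194 to 197, 1491 to 1447, 678 to 719) with no change to the lines the ptest patch adds, which is the expected outcome of a refresh; the configure.ac move from 1491 to 1447 is a larger shift than the others and is the one to spot-check by applying the refreshed patch against the 3.8.11 configure.ac to make sure the `AC_SUBST(LIBGNUTLS_CFLAGS)` context still lands where intended.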
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch
deleted file mode 100644
index e4f97500ee..0000000000
--- a/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch
+++ /dev/null
@@ -1,233 +0,0 @@ 
-From 19ad448d0cc3dd6857b553a47728eead3ea8f445 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Tue, 18 Nov 2025 13:17:55 +0900
-Subject: [PATCH] pkcs11: avoid stack overwrite when initializing a token
-
-If gnutls_pkcs11_token_init is called with label longer than 32
-characters, the internal storage used to blank-fill it would
-overflow. This adds a guard to prevent that.
-
-CVE: CVE-2025-9820
-Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/1d56f96f6ab5034d677136b9d50b5a75dff0faf5]
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
-Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
----
- lib/pkcs11_write.c        |   5 +-
- tests/Makefile.am         |   2 +-
- tests/pkcs11/long-label.c | 164 ++++++++++++++++++++++++++++++++++++++
- 3 files changed, 168 insertions(+), 3 deletions(-)
- create mode 100644 tests/pkcs11/long-label.c
-
-diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
-index f5e9058e0..64b85a2df 100644
---- a/lib/pkcs11_write.c
-+++ b/lib/pkcs11_write.c
-@@ -28,6 +28,7 @@
- #include "pkcs11x.h"
- #include "x509/common.h"
- #include "pk.h"
-+#include "minmax.h"
- 
- static const ck_bool_t tval = 1;
- static const ck_bool_t fval = 0;
-@@ -1172,7 +1173,7 @@ int gnutls_pkcs11_delete_url(const char *object_url, unsigned int flags)
-  * gnutls_pkcs11_token_init:
-  * @token_url: A PKCS #11 URL specifying a token
-  * @so_pin: Security Officer's PIN
-- * @label: A name to be used for the token
-+ * @label: A name to be used for the token, at most 32 characters
-  *
-  * This function will initialize (format) a token. If the token is
-  * at a factory defaults state the security officer's PIN given will be
-@@ -1210,7 +1211,7 @@ int gnutls_pkcs11_token_init(const char *token_url, const char *so_pin,
- 	/* so it seems memset has other uses than zeroing! */
- 	memset(flabel, ' ', sizeof(flabel));
- 	if (label != NULL)
--		memcpy(flabel, label, strlen(label));
-+		memcpy(flabel, label, MIN(sizeof(flabel), strlen(label)));
- 
- 	rv = pkcs11_init_token(module, slot, (uint8_t *)so_pin, strlen(so_pin),
- 			       (uint8_t *)flabel);
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index c8de4494b..f64f7b1c0 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -503,7 +503,7 @@ pathbuf_CPPFLAGS = $(AM_CPPFLAGS) \
- if ENABLE_PKCS11
- if !WINDOWS
- ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key \
--	global-init-override pkcs11/distrust-after
-+	global-init-override pkcs11/distrust-after pkcs11/long-label
- tls13_post_handshake_with_cert_pkcs11_DEPENDENCIES = libpkcs11mock2.la libutils.la
- tls13_post_handshake_with_cert_pkcs11_LDADD = $(LDADD) $(LIBDL)
- pkcs11_tls_neg_pkcs11_no_key_DEPENDENCIES = libpkcs11mock2.la libutils.la
-diff --git a/tests/pkcs11/long-label.c b/tests/pkcs11/long-label.c
-new file mode 100644
-index 000000000..a70bc9728
---- /dev/null
-+++ b/tests/pkcs11/long-label.c
-@@ -0,0 +1,164 @@
-+/*
-+ * Copyright (C) 2025 Red Hat, Inc.
-+ *
-+ * Author: Daiki Ueno
-+ *
-+ * This file is part of GnuTLS.
-+ *
-+ * GnuTLS is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * GnuTLS is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ * General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
-+ */
-+
-+#ifdef HAVE_CONFIG_H
-+#include "config.h"
-+#endif
-+
-+#include <stdbool.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+
-+#if defined(_WIN32)
-+
-+int main(void)
-+{
-+	exit(77);
-+}
-+
-+#else
-+
-+#include <string.h>
-+#include <unistd.h>
-+#include <gnutls/gnutls.h>
-+
-+#include "cert-common.h"
-+#include "pkcs11/softhsm.h"
-+#include "utils.h"
-+
-+/* This program tests that a token can be initialized with
-+ * a label longer than 32 characters.
-+ */
-+
-+static void tls_log_func(int level, const char *str)
-+{
-+	fprintf(stderr, "server|<%d>| %s", level, str);
-+}
-+
-+#define PIN "1234"
-+
-+#define CONFIG_NAME "softhsm-long-label"
-+#define CONFIG CONFIG_NAME ".config"
-+
-+static int pin_func(void *userdata, int attempt, const char *url,
-+		    const char *label, unsigned flags, char *pin,
-+		    size_t pin_max)
-+{
-+	if (attempt == 0) {
-+		strcpy(pin, PIN);
-+		return 0;
-+	}
-+	return -1;
-+}
-+
-+static void test(const char *provider)
-+{
-+	int ret;
-+	size_t i;
-+
-+	gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
-+
-+	success("test with %s\n", provider);
-+
-+	if (debug) {
-+		gnutls_global_set_log_function(tls_log_func);
-+		gnutls_global_set_log_level(4711);
-+	}
-+
-+	/* point to SoftHSM token that libpkcs11mock4.so internally uses */
-+	setenv(SOFTHSM_ENV, CONFIG, 1);
-+
-+	gnutls_pkcs11_set_pin_function(pin_func, NULL);
-+
-+	ret = gnutls_pkcs11_add_provider(provider, "trusted");
-+	if (ret != 0) {
-+		fail("gnutls_pkcs11_add_provider: %s\n", gnutls_strerror(ret));
-+	}
-+
-+	/* initialize softhsm token */
-+	ret = gnutls_pkcs11_token_init(
-+		SOFTHSM_URL, PIN,
-+		"this is a very long label whose length exceeds 32");
-+	if (ret < 0) {
-+		fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret));
-+	}
-+
-+	for (i = 0;; i++) {
-+		char *url = NULL;
-+
-+		ret = gnutls_pkcs11_token_get_url(i, 0, &url);
-+		if (ret < 0)
-+			break;
-+		if (strstr(url,
-+			   "token=this%20is%20a%20very%20long%20label%20whose"))
-+			break;
-+	}
-+	if (ret < 0)
-+		fail("gnutls_pkcs11_token_get_url: %s\n", gnutls_strerror(ret));
-+
-+	gnutls_pkcs11_deinit();
-+}
-+
-+void doit(void)
-+{
-+	const char *bin;
-+	const char *lib;
-+	char buf[128];
-+
-+	if (gnutls_fips140_mode_enabled())
-+		exit(77);
-+
-+	/* this must be called once in the program */
-+	global_init();
-+
-+	/* we call gnutls_pkcs11_init manually */
-+	gnutls_pkcs11_deinit();
-+
-+	/* check if softhsm module is loadable */
-+	lib = softhsm_lib();
-+
-+	/* initialize SoftHSM token that libpkcs11mock4.so internally uses */
-+	bin = softhsm_bin();
-+
-+	set_softhsm_conf(CONFIG);
-+	snprintf(buf, sizeof(buf),
-+		 "%s --init-token --slot 0 --label test --so-pin " PIN
-+		 " --pin " PIN,
-+		 bin);
-+	system(buf);
-+
-+	test(lib);
-+
-+	lib = getenv("P11MOCKLIB4");
-+	if (lib == NULL) {
-+		fail("P11MOCKLIB4 is not set\n");
-+	}
-+
-+	set_softhsm_conf(CONFIG);
-+	snprintf(buf, sizeof(buf),
-+		 "%s --init-token --slot 0 --label test --so-pin " PIN
-+		 " --pin " PIN,
-+		 bin);
-+	system(buf);
-+
-+	test(lib);
-+}
-+#endif /* _WIN32 */
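Review bot: deleting this file removes the only `CVE: CVE-2025-9820` tag in the series (the `-CVE: CVE-2025-9820` line above) while the commit message still names the CVE, which is presumably what the patchtest test_cve_tag_format failure in the comments is reporting; the deletion itself is correct if the fix is contained in 3.8.11, which the release information link [1] in the commit message should confirm, so either a reply to the patchtest mail explaining that the CVE is closed by the version bump or a `CVE: CVE-2025-9820` line in the commit message would settle the report. Dropping the patch also drops the regression test tests/pkcs11/long-label.c and the `MIN(sizeof(flabel), strlen(label))` bound from the recipe, so both must already be in the 3.8.11 tarball for coverage to be unchanged.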
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.10.bb b/meta/recipes-support/gnutls/gnutls_3.8.11.bb
similarity index 96%
rename from meta/recipes-support/gnutls/gnutls_3.8.10.bb
rename to meta/recipes-support/gnutls/gnutls_3.8.11.bb
index b07c166c0e..faeb1a4ede 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.10.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.11.bb
@@ -21,12 +21,12 @@  SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
            file://arm_eabi.patch \
            file://0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch \
+           file://0001-audit-crau-fix-compilation-with-gcc-11.patch \
            file://run-ptest \
            file://Add-ptest-support.patch \
-           file://CVE-2025-9820.patch \
            "
 
-SRC_URI[sha256sum] = "db7fab7cce791e7727ebbef2334301c821d79a550ec55c9ef096b610b03eb6b7"
+SRC_URI[sha256sum] = "91bd23c4a86ebc6152e81303d20cf6ceaeb97bc8f84266d0faec6e29f17baa20"
 
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc ptest
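Review bot: the new `file://0001-audit-crau-fix-compilation-with-gcc-11.patch` is inserted between the hmac patch and `file://run-ptest`, ahead of `file://Add-ptest-support.patch`; that ordering is fine since it touches only lib/crau/crau.h while the ptest patch touches Makefile.am, configure.ac and tests/Makefile.am, so the two cannot conflict. The only other recipe change is the `SRC_URI[sha256sum]` swap; PV comes from the gnutls_3.8.10.bb to gnutls_3.8.11.bb rename and SHRT_VER in the hunk header is derived from PV, so the v3.8 download path needs no edit, but the commit message does not say the new checksum was taken from the upstream release tarball referenced in [1], and stating that would help reviewers verify it.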