-rw-r--r--recipes-support/gnutls/gnutls-3.5.3/0001-_gnutls_rnd_check-call-_rnd_system_entropy_check-dir.patch105
-rw-r--r--recipes-support/gnutls/gnutls-3.5.3/0002-rng-split-initialization-in-preinit-and-init.patch261
-rw-r--r--recipes-support/gnutls/gnutls-3.5.3/0003-deprecated-_gnutls_rnd-in-favor-of-exported-gnutls_r.patch315
-rw-r--r--recipes-support/gnutls/gnutls_3.5.3.bbappend8
4 files changed, 689 insertions, 0 deletions
diff --git a/recipes-support/gnutls/gnutls-3.5.3/0001-_gnutls_rnd_check-call-_rnd_system_entropy_check-dir.patch b/recipes-support/gnutls/gnutls-3.5.3/0001-_gnutls_rnd_check-call-_rnd_system_entropy_check-dir.patch
new file mode 100644
index 0000000..91251cf
--- /dev/null
+++ b/recipes-support/gnutls/gnutls-3.5.3/0001-_gnutls_rnd_check-call-_rnd_system_entropy_check-dir.patch
@@ -0,0 +1,105 @@
+From 4d49e06e8850ed3ffb89f6856555a2435962fedd Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Mon, 31 Oct 2016 11:40:12 +0100
+Subject: [PATCH 1/3] _gnutls_rnd_check: call _rnd_system_entropy_check
+ directly
+
+Upstream-Status: Backport
+
+diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
+index 3d979d8..6f4b743 100644
+--- a/lib/crypto-backend.h
++++ b/lib/crypto-backend.h
+@@ -73,8 +73,7 @@ typedef struct {
+ } gnutls_crypto_digest_st;
+
+ typedef struct gnutls_crypto_rnd {
+- int (*init) (void **ctx);
+- int (*check) (void **ctx);
++ int (*init) (void **ctx); /* called prior to first usage of randomness */
+ int (*rnd) (void *ctx, int level, void *data, size_t datasize);
+ void (*rnd_refresh) (void *ctx);
+ void (*deinit) (void *ctx);
+diff --git a/lib/nettle/rnd-fips.c b/lib/nettle/rnd-fips.c
+index ef64649..59795a9 100644
+--- a/lib/nettle/rnd-fips.c
++++ b/lib/nettle/rnd-fips.c
+@@ -226,15 +226,6 @@ static void _rngfips_deinit(void *_ctx)
+ free(ctx);
+ }
+
+-/* This is called when gnutls_global_init() is called for second time.
+- * It must check whether any resources are still available.
+- * The particular problem it solves is to verify that the urandom fd is still
+- * open (for applications that for some reason closed all fds */
+-static int _rndfips_check(void **ctx)
+-{
+- return _rnd_system_entropy_check();
+-}
+-
+ static void _rngfips_refresh(void *_ctx)
+ {
+ /* this is predictable RNG. Don't refresh */
+@@ -260,7 +251,6 @@ static int selftest_kat(void)
+
+ gnutls_crypto_rnd_st _gnutls_fips_rnd_ops = {
+ .init = _rngfips_init,
+- .check = _rndfips_check,
+ .deinit = _rngfips_deinit,
+ .rnd = _rngfips_rnd,
+ .rnd_refresh = _rngfips_refresh,
+diff --git a/lib/nettle/rnd.c b/lib/nettle/rnd.c
+index 8a5a762..39b99e1 100644
+--- a/lib/nettle/rnd.c
++++ b/lib/nettle/rnd.c
+@@ -257,15 +257,6 @@ static int wrap_nettle_rnd_init(void **ctx)
+ return 0;
+ }
+
+-/* This is called when gnutls_global_init() is called for second time.
+- * It must check whether any resources are still available.
+- * The particular problem it solves is to verify that the urandom fd is still
+- * open (for applications that for some reason closed all fds */
+-static int wrap_nettle_rnd_check(void **ctx)
+-{
+- return _rnd_system_entropy_check();
+-}
+-
+ static int
+ wrap_nettle_rnd_nonce(void *_ctx, void *data, size_t datasize)
+ {
+@@ -373,7 +364,6 @@ int crypto_rnd_prio = INT_MAX;
+
+ gnutls_crypto_rnd_st _gnutls_rnd_ops = {
+ .init = wrap_nettle_rnd_init,
+- .check = wrap_nettle_rnd_check,
+ .deinit = wrap_nettle_rnd_deinit,
+ .rnd = wrap_nettle_rnd,
+ .rnd_refresh = wrap_nettle_rnd_refresh,
+diff --git a/lib/random.h b/lib/random.h
+index 59e3f3c..1538ec8 100644
+--- a/lib/random.h
++++ b/lib/random.h
+@@ -25,6 +25,7 @@
+
+ #include <gnutls/crypto.h>
+ #include <crypto-backend.h>
++#include "nettle/rnd-common.h"
+
+ extern int crypto_rnd_prio;
+ extern void *gnutls_rnd_ctx;
+@@ -50,10 +51,7 @@ int _gnutls_rnd_init(void);
+
+ inline static int _gnutls_rnd_check(void)
+ {
+- if (_gnutls_rnd_ops.check)
+- return _gnutls_rnd_ops.check(gnutls_rnd_ctx);
+- else
+- return 0;
++ return _rnd_system_entropy_check();
+ }
+
+ #ifndef _WIN32
+--
+2.6.6
+
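Review bot: The new comment on the `init` member in `lib/crypto-backend.h`, `/* called prior to first usage of randomness */`, describes the lazy-initialisation contract that only arrives with the second patch of this series; with just this patch applied, `init` is still invoked from `gnutls_global_init()`, so the comment is ahead of the code it documents. Dropping the `check` callback also means `_gnutls_rnd_check()` now unconditionally calls `_rnd_system_entropy_check()`, which, if I read the removed comments correctly, verifies the urandom descriptor; a backend registered through `gnutls_crypto_rnd_register()` that does not use the system entropy source is now subject to that check anyway, which seems worth a one-line comment on `_gnutls_rnd_check()`, e.g. `/* verifies the system entropy source regardless of the registered backend */`. Finally, `lib/random.h` now includes `"nettle/rnd-common.h"`, which couples the backend-neutral header to the nettle directory; presumably every consumer of `random.h` already has that path on its include search list, but it would be good to confirm for the backport.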
diff --git a/recipes-support/gnutls/gnutls-3.5.3/0002-rng-split-initialization-in-preinit-and-init.patch b/recipes-support/gnutls/gnutls-3.5.3/0002-rng-split-initialization-in-preinit-and-init.patch
new file mode 100644
index 0000000..29bcf5f
--- /dev/null
+++ b/recipes-support/gnutls/gnutls-3.5.3/0002-rng-split-initialization-in-preinit-and-init.patch
@@ -0,0 +1,261 @@
+From 834e8fc03cb27ae437a2044cfaf265752c3e6a26 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Fri, 14 Oct 2016 14:16:51 +0200
+Subject: [PATCH 2/3] rng: split initialization in preinit and init
+
+This makes gnutls to initialize its random generator on the
+first call to gnutls_rnd(). That prevents blocking due to
+getrandom() on a constructor; that change allows to use gnutls-linked
+applications even in early boot in systems where getrandom() blocks
+waiting for entropy.
+
+Upstream-Status: Backport
+
+diff --git a/configure.ac b/configure.ac
+index 0ba2230..f842e26 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -186,6 +186,7 @@ AM_SUBST_NOTMAKE([DEFINE_IOVEC_T])
+
+ dnl Need netinet/tcp.h for TCP_FASTOPEN
+ AC_CHECK_HEADERS([netinet/tcp.h])
++AC_CHECK_HEADERS([stdatomic.h])
+
+ AC_ARG_ENABLE(padlock,
+ AS_HELP_STRING([--disable-padlock], [unconditionally disable padlock acceleration]),
+diff --git a/lib/global.c b/lib/global.c
+index d75cea8..bdc3c1f 100644
+--- a/lib/global.c
++++ b/lib/global.c
+@@ -304,7 +304,7 @@ static int _gnutls_global_init(unsigned constructor)
+ }
+
+ /* Initialize the random generator */
+- ret = _gnutls_rnd_init();
++ ret = _gnutls_rnd_preinit();
+ if (ret < 0) {
+ gnutls_assert();
+ goto out;
+diff --git a/lib/locks.h b/lib/locks.h
+index 5807754..b1efbb5 100644
+--- a/lib/locks.h
++++ b/lib/locks.h
+@@ -27,6 +27,10 @@
+ #include "gnutls_int.h"
+ #include <system.h>
+
++#ifdef HAVE_STDATOMIC_H
++# include <stdatomic.h>
++#endif
++
+ extern mutex_init_func gnutls_mutex_init;
+ extern mutex_deinit_func gnutls_mutex_deinit;
+ extern mutex_lock_func gnutls_mutex_lock;
+diff --git a/lib/nettle/rnd-fips.c b/lib/nettle/rnd-fips.c
+index 59795a9..0807701 100644
+--- a/lib/nettle/rnd-fips.c
++++ b/lib/nettle/rnd-fips.c
+@@ -172,10 +172,6 @@ static int _rngfips_init(void **_ctx)
+ struct fips_ctx *ctx;
+ int ret;
+
+- ret = _rnd_system_entropy_init();
+- if (ret < 0)
+- return gnutls_assert_val(ret);
+-
+ ctx = gnutls_calloc(1, sizeof(*ctx));
+ if (ctx == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+diff --git a/lib/nettle/rnd.c b/lib/nettle/rnd.c
+index 39b99e1..c4fbc48 100644
+--- a/lib/nettle/rnd.c
++++ b/lib/nettle/rnd.c
+@@ -218,12 +218,6 @@ static int wrap_nettle_rnd_init(void **ctx)
+ return ret;
+ }
+
+- ret = _rnd_system_entropy_init();
+- if (ret < 0) {
+- gnutls_assert();
+- return ret;
+- }
+-
+ /* initialize the main RNG */
+ yarrow256_init(&rnd_ctx.yctx, SOURCES, rnd_ctx.ysources);
+
+diff --git a/lib/random.c b/lib/random.c
+index d7f18f2..977d7aa 100644
+--- a/lib/random.c
++++ b/lib/random.c
+@@ -26,30 +26,80 @@
+ #include "gnutls_int.h"
+ #include "errors.h"
+ #include <random.h>
++#include "locks.h"
+ #include <fips.h>
+
+ void *gnutls_rnd_ctx;
++GNUTLS_STATIC_MUTEX(gnutls_rnd_init_mutex);
+
+-int _gnutls_rnd_init(void)
++#ifdef HAVE_STDATOMIC_H
++static atomic_uint rnd_initialized = 0;
++
++inline static int _gnutls_rnd_init(void)
++{
++ if (unlikely(!rnd_initialized)) {
++ if (_gnutls_rnd_ops.init == NULL) {
++ rnd_initialized = 1;
++ return 0;
++ }
++
++ GNUTLS_STATIC_MUTEX_LOCK(gnutls_rnd_init_mutex);
++ if (!rnd_initialized) {
++ if (_gnutls_rnd_ops.init(&gnutls_rnd_ctx) < 0) {
++ gnutls_assert();
++ GNUTLS_STATIC_MUTEX_UNLOCK(gnutls_rnd_init_mutex);
++ return GNUTLS_E_RANDOM_FAILED;
++ }
++ rnd_initialized = 1;
++ }
++ GNUTLS_STATIC_MUTEX_UNLOCK(gnutls_rnd_init_mutex);
++ }
++ return 0;
++}
++#else
++static unsigned rnd_initialized = 0;
++
++inline static int _gnutls_rnd_init(void)
++{
++ GNUTLS_STATIC_MUTEX_LOCK(gnutls_rnd_init_mutex);
++ if (unlikely(!rnd_initialized)) {
++ if (_gnutls_rnd_ops.init == NULL) {
++ rnd_initialized = 1;
++ GNUTLS_STATIC_MUTEX_UNLOCK(gnutls_rnd_init_mutex);
++ return 0;
++ }
++
++ if (_gnutls_rnd_ops.init(&gnutls_rnd_ctx) < 0) {
++ gnutls_assert();
++ GNUTLS_STATIC_MUTEX_UNLOCK(gnutls_rnd_init_mutex);
++ return GNUTLS_E_RANDOM_FAILED;
++ }
++ rnd_initialized = 1;
++ }
++ GNUTLS_STATIC_MUTEX_UNLOCK(gnutls_rnd_init_mutex);
++ return 0;
++}
++#endif
++
++int _gnutls_rnd_preinit(void)
+ {
++ int ret;
++
+ #ifdef ENABLE_FIPS140
+ /* The FIPS140 random generator is only enabled when we are compiled
+ * with FIPS support, _and_ the system requires FIPS140.
+ */
+ if (_gnutls_fips_mode_enabled() == 1) {
+- int ret;
+-
+ ret = gnutls_crypto_rnd_register(100, &_gnutls_fips_rnd_ops);
+ if (ret < 0)
+ return ret;
+ }
+ #endif
+
+- if (_gnutls_rnd_ops.init != NULL) {
+- if (_gnutls_rnd_ops.init(&gnutls_rnd_ctx) < 0) {
+- gnutls_assert();
+- return GNUTLS_E_RANDOM_FAILED;
+- }
++ ret = _rnd_system_entropy_init();
++ if (ret < 0) {
++ gnutls_assert();
++ return GNUTLS_E_RANDOM_FAILED;
+ }
+
+ return 0;
+@@ -57,9 +107,12 @@ int _gnutls_rnd_init(void)
+
+ void _gnutls_rnd_deinit(void)
+ {
+- if (_gnutls_rnd_ops.deinit != NULL) {
++ if (rnd_initialized && _gnutls_rnd_ops.deinit != NULL) {
+ _gnutls_rnd_ops.deinit(gnutls_rnd_ctx);
+ }
++ rnd_initialized = 0;
++
++ _rnd_system_entropy_deinit();
+
+ return;
+ }
+@@ -81,8 +134,17 @@ void _gnutls_rnd_deinit(void)
+ **/
+ int gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len)
+ {
++ int ret;
+ FAIL_IF_LIB_ERROR;
+- return _gnutls_rnd(level, data, len);
++
++ if (unlikely((ret=_gnutls_rnd_init()) < 0))
++ return gnutls_assert_val(ret);
++
++ if (likely(len > 0)) {
++ return _gnutls_rnd_ops.rnd(gnutls_rnd_ctx, level, data,
++ len);
++ }
++ return 0;
+ }
+
+ /**
+@@ -98,5 +160,6 @@ int gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len)
+ **/
+ void gnutls_rnd_refresh(void)
+ {
+- _gnutls_rnd_refresh();
++ if (rnd_initialized && _gnutls_rnd_ops.rnd_refresh)
++ _gnutls_rnd_ops.rnd_refresh(gnutls_rnd_ctx);
+ }
+diff --git a/lib/random.h b/lib/random.h
+index 1538ec8..2ef7bc4 100644
+--- a/lib/random.h
++++ b/lib/random.h
+@@ -31,31 +31,15 @@ extern int crypto_rnd_prio;
+ extern void *gnutls_rnd_ctx;
+ extern gnutls_crypto_rnd_st _gnutls_rnd_ops;
+
+-inline static int
+-_gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len)
+-{
+- if (len > 0) {
+- return _gnutls_rnd_ops.rnd(gnutls_rnd_ctx, level, data,
+- len);
+- }
+- return 0;
+-}
+-
+-inline static void _gnutls_rnd_refresh(void)
+-{
+- _gnutls_rnd_ops.rnd_refresh(gnutls_rnd_ctx);
+-}
++#define _gnutls_rnd gnutls_rnd
++#define _gnutls_rnd_refresh gnutls_rnd_refresh
+
+ void _gnutls_rnd_deinit(void);
+-int _gnutls_rnd_init(void);
++int _gnutls_rnd_preinit(void);
+
+ inline static int _gnutls_rnd_check(void)
+ {
+ return _rnd_system_entropy_check();
+ }
+
+-#ifndef _WIN32
+-extern int _gnutls_urandom_fd;
+-#endif
+-
+ #endif
+--
+2.6.6
+
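Review bot: After `_gnutls_rnd_deinit()` runs, `rnd_initialized` is reset to 0 and `_rnd_system_entropy_deinit()` tears down the system entropy source, but a later `gnutls_rnd()` call will happily re-run `_gnutls_rnd_init()` and the backend's `init` without anything re-opening that source, since `_rnd_system_entropy_init()` now lives only in `_gnutls_rnd_preinit()`; given that both backends' `init` functions previously called `_rnd_system_entropy_init()` themselves (the removed lines in `rnd.c` and `rnd-fips.c`), they presumably depend on it being open. A cheap guard in both variants of `_gnutls_rnd_init()`, just before `_gnutls_rnd_ops.init(&gnutls_rnd_ctx)`, would be `if (_gnutls_rnd_check() < 0) { GNUTLS_STATIC_MUTEX_UNLOCK(gnutls_rnd_init_mutex); return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED); }`, assuming `_rnd_system_entropy_check()` reports a closed source as an error as the removed comments suggest. On style, the `HAVE_STDATOMIC_H` and fallback variants duplicate the whole init sequence and differ only in where the lock is taken; a short header comment on `_gnutls_rnd_preinit()` and `_gnutls_rnd_init()` stating the two-phase contract (preinit from the constructor: register backend and open the entropy source; init on first `gnutls_rnd()`: seed the generator under `gnutls_rnd_init_mutex`) would also help the next reader, since neither function has one. `ret=_gnutls_rnd_init()` in `gnutls_rnd()` should be spaced as `ret = _gnutls_rnd_init()` to match the rest of the file.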
diff --git a/recipes-support/gnutls/gnutls-3.5.3/0003-deprecated-_gnutls_rnd-in-favor-of-exported-gnutls_r.patch b/recipes-support/gnutls/gnutls-3.5.3/0003-deprecated-_gnutls_rnd-in-favor-of-exported-gnutls_r.patch
new file mode 100644
index 0000000..f6c4f84
--- /dev/null
+++ b/recipes-support/gnutls/gnutls-3.5.3/0003-deprecated-_gnutls_rnd-in-favor-of-exported-gnutls_r.patch
@@ -0,0 +1,315 @@
+From e146eedb13d94752609553bceb13c70cb7c05a4d Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Mon, 17 Oct 2016 14:10:08 +0200
+Subject: [PATCH 3/3] deprecated _gnutls_rnd() in favor of exported
+ gnutls_rnd()
+
+Conflict:
+code from lib/x509/privkey_pkcs8.c refactored into lib/x509/pkcs7-crypt.c
+
+Upstream-Status: Backport
+
+diff --git a/lib/auth/psk_passwd.c b/lib/auth/psk_passwd.c
+index 2ef2c9c..0412b04 100644
+--- a/lib/auth/psk_passwd.c
++++ b/lib/auth/psk_passwd.c
+@@ -94,7 +94,7 @@ static int _randomize_psk(gnutls_datum_t * psk)
+
+ psk->size = 16;
+
+- ret = _gnutls_rnd(GNUTLS_RND_NONCE, (char *) psk->data, 16);
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, (char *) psk->data, 16);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 505fbee..b54d415 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -178,7 +178,7 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+
+ /* we do not need strong random numbers here.
+ */
+- ret = _gnutls_rnd(GNUTLS_RND_NONCE, rndkey.data,
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, rndkey.data,
+ rndkey.size);
+ if (ret < 0) {
+ gnutls_assert();
+@@ -265,7 +265,7 @@ _gnutls_gen_rsa_client_kx(gnutls_session_t session,
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, session->key.key.data,
++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, session->key.key.data,
+ session->key.key.size);
+ if (ret < 0) {
+ gnutls_assert();
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index a14baa1..151e88d 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -156,7 +156,7 @@ _gnutls_gen_rsa_psk_client_kx(gnutls_session_t session,
+ }
+
+ /* Generate random */
+- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, premaster_secret.data,
++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, premaster_secret.data,
+ premaster_secret.size);
+ if (ret < 0) {
+ gnutls_assert();
+@@ -370,7 +370,7 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+
+ /* we do not need strong random numbers here.
+ */
+- ret = _gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+ premaster_secret.size);
+ if (ret < 0) {
+ gnutls_assert();
+diff --git a/lib/auth/srp_passwd.c b/lib/auth/srp_passwd.c
+index 4e00f88..8ebcdfa 100644
+--- a/lib/auth/srp_passwd.c
++++ b/lib/auth/srp_passwd.c
+@@ -400,7 +400,7 @@ static int _randomize_pwd_entry(SRP_PWD_ENTRY * entry,
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, entry->v.data, 20);
++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, entry->v.data, 20);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+diff --git a/lib/cipher.c b/lib/cipher.c
+index 50096df..73e18ad 100644
+--- a/lib/cipher.c
++++ b/lib/cipher.c
+@@ -323,9 +323,9 @@ compressed_to_ciphertext(gnutls_session_t session,
+ /* Calculate the encrypted length (padding etc.)
+ */
+ if (algo_type == CIPHER_BLOCK) {
+- /* Call _gnutls_rnd() once. Get data used for the IV
++ /* Call gnutls_rnd() once. Get data used for the IV
+ */
+- ret = _gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize);
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+diff --git a/lib/crypto-api.c b/lib/crypto-api.c
+index 7d3d5ed..71bf935 100644
+--- a/lib/crypto-api.c
++++ b/lib/crypto-api.c
+@@ -608,7 +608,7 @@ int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size)
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, key->data, key->size);
++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, key->data, key->size);
+ if (ret < 0) {
+ gnutls_assert();
+ _gnutls_free_datum(key);
+diff --git a/lib/ext/heartbeat.c b/lib/ext/heartbeat.c
+index 180d59a..26a0928 100644
+--- a/lib/ext/heartbeat.c
++++ b/lib/ext/heartbeat.c
+@@ -194,7 +194,7 @@ gnutls_heartbeat_ping(gnutls_session_t session, size_t data_size,
+ return gnutls_assert_val(ret);
+
+ ret =
+- _gnutls_rnd(GNUTLS_RND_NONCE,
++ gnutls_rnd(GNUTLS_RND_NONCE,
+ session->internals.hb_local_data.data,
+ data_size);
+ if (ret < 0)
+diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
+index 5a957f0..feb6507 100644
+--- a/lib/ext/session_ticket.c
++++ b/lib/ext/session_ticket.c
+@@ -234,7 +234,7 @@ encrypt_ticket(gnutls_session_t session, session_ticket_ext_st * priv,
+
+ t = gnutls_time(0);
+ memcpy(iv, &t, 4);
+- ret = _gnutls_rnd(GNUTLS_RND_NONCE, iv+4, IV_SIZE-4);
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, iv+4, IV_SIZE-4);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+diff --git a/lib/handshake.c b/lib/handshake.c
+index 7dccae6..f8d7b2d 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -204,7 +204,7 @@ static int create_tls_random(uint8_t * dst)
+ _gnutls_write_uint32(tim, dst);
+
+ ret =
+- _gnutls_rnd(GNUTLS_RND_NONCE, &dst[3], GNUTLS_RANDOM_SIZE - 3);
++ gnutls_rnd(GNUTLS_RND_NONCE, &dst[3], GNUTLS_RANDOM_SIZE - 3);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+@@ -3349,7 +3349,7 @@ int _gnutls_generate_session_id(uint8_t * session_id, uint8_t * len)
+ *len = GNUTLS_MAX_SESSION_ID_SIZE;
+
+ ret =
+- _gnutls_rnd(GNUTLS_RND_NONCE, session_id,
++ gnutls_rnd(GNUTLS_RND_NONCE, session_id,
+ GNUTLS_MAX_SESSION_ID_SIZE);
+ if (ret < 0) {
+ gnutls_assert();
+diff --git a/lib/mpi.c b/lib/mpi.c
+index 828a0b8..491a8ef 100644
+--- a/lib/mpi.c
++++ b/lib/mpi.c
+@@ -60,7 +60,7 @@ _gnutls_mpi_random_modp(bigint_t r, bigint_t p,
+ buf_release = 1;
+ }
+
+- ret = _gnutls_rnd(level, buf, size);
++ ret = gnutls_rnd(level, buf, size);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index b41ebfb..34688d2 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -54,7 +54,7 @@ static inline const struct ecc_curve *get_supported_nist_curve(int curve);
+
+ static void rnd_func(void *_ctx, size_t length, uint8_t * data)
+ {
+- if (_gnutls_rnd(GNUTLS_RND_RANDOM, data, length) < 0) {
++ if (gnutls_rnd(GNUTLS_RND_RANDOM, data, length) < 0) {
+ #ifdef ENABLE_FIPS140
+ _gnutls_switch_lib_state(LIB_STATE_ERROR);
+ #else
+@@ -1454,7 +1454,7 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
+ goto fail;
+ }
+
+- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, params->raw_priv.data, size);
++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, params->raw_priv.data, size);
+ if (ret < 0) {
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ goto fail;
+diff --git a/lib/opencdk/misc.c b/lib/opencdk/misc.c
+index 391bd09..7c41168 100644
+--- a/lib/opencdk/misc.c
++++ b/lib/opencdk/misc.c
+@@ -161,7 +161,7 @@ FILE *_cdk_tmpfile(void)
+ FILE *fp;
+ int fd, i;
+
+- _gnutls_rnd(GNUTLS_RND_NONCE, rnd, DIM(rnd));
++ gnutls_rnd(GNUTLS_RND_NONCE, rnd, DIM(rnd));
+ for (i = 0; i < DIM(rnd) - 1; i++) {
+ char c = letters[(unsigned char) rnd[i] % 26];
+ rnd[i] = c;
+diff --git a/lib/pkcs11_secret.c b/lib/pkcs11_secret.c
+index aa3e5ce..b9a8854 100644
+--- a/lib/pkcs11_secret.c
++++ b/lib/pkcs11_secret.c
+@@ -72,7 +72,7 @@ gnutls_pkcs11_copy_secret_key(const char *token_url, gnutls_datum_t * key,
+ }
+
+ /* generate a unique ID */
+- ret = _gnutls_rnd(GNUTLS_RND_NONCE, id, sizeof(id));
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, id, sizeof(id));
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+diff --git a/lib/random.h b/lib/random.h
+index 2ef7bc4..e89efb9 100644
+--- a/lib/random.h
++++ b/lib/random.h
+@@ -31,9 +31,6 @@ extern int crypto_rnd_prio;
+ extern void *gnutls_rnd_ctx;
+ extern gnutls_crypto_rnd_st _gnutls_rnd_ops;
+
+-#define _gnutls_rnd gnutls_rnd
+-#define _gnutls_rnd_refresh gnutls_rnd_refresh
+-
+ void _gnutls_rnd_deinit(void);
+ int _gnutls_rnd_preinit(void);
+
+diff --git a/lib/srp.c b/lib/srp.c
+index 655b4a3..6d111e5 100644
+--- a/lib/srp.c
++++ b/lib/srp.c
+@@ -532,7 +532,7 @@ gnutls_srp_allocate_server_credentials(gnutls_srp_server_credentials_t *
+ goto cleanup;
+ }
+
+- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, (*sc)->fake_salt_seed.data,
++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, (*sc)->fake_salt_seed.data,
+ DEFAULT_FAKE_SALT_SEED_SIZE);
+
+ if (ret < 0) {
+diff --git a/lib/tpm.c b/lib/tpm.c
+index 4ec9a95..5f4c851 100644
+--- a/lib/tpm.c
++++ b/lib/tpm.c
+@@ -768,7 +768,7 @@ static int randomize_uuid(TSS_UUID * uuid)
+ uint8_t raw_uuid[16];
+ int ret;
+
+- ret = _gnutls_rnd(GNUTLS_RND_NONCE, raw_uuid, sizeof(raw_uuid));
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, raw_uuid, sizeof(raw_uuid));
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+@@ -1391,7 +1391,7 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ }
+
+
+- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, buf, sizeof(buf));
++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, buf, sizeof(buf));
+ if (ret < 0) {
+ gnutls_assert();
+ goto err_cc;
+diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
+index e39dcde..b3bd287 100644
+--- a/lib/x509/pkcs12.c
++++ b/lib/x509/pkcs12.c
+@@ -880,7 +880,7 @@ int gnutls_pkcs12_generate_mac2(gnutls_pkcs12_t pkcs12, gnutls_mac_algorithm_t m
+
+ /* Generate the salt.
+ */
+- result = _gnutls_rnd(GNUTLS_RND_NONCE, salt, sizeof(salt));
++ result = gnutls_rnd(GNUTLS_RND_NONCE, salt, sizeof(salt));
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
+index f84d913..acacc91 100644
+--- a/lib/x509/privkey_pkcs8.c
++++ b/lib/x509/privkey_pkcs8.c
+@@ -2094,7 +2094,7 @@ generate_key(schema_id schema,
+ if (password)
+ pass_len = strlen(password);
+
+- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, rnd, 2);
++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, rnd, 2);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+@@ -2116,7 +2116,7 @@ generate_key(schema_id schema,
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+- ret = _gnutls_rnd(GNUTLS_RND_RANDOM, kdf_params->salt,
++ ret = gnutls_rnd(GNUTLS_RND_RANDOM, kdf_params->salt,
+ kdf_params->salt_size);
+ if (ret < 0) {
+ gnutls_assert();
+@@ -2145,7 +2145,7 @@ generate_key(schema_id schema,
+ kdf_params->key_size, key->data);
+
+ if (enc_params->iv_size) {
+- ret = _gnutls_rnd(GNUTLS_RND_NONCE,
++ ret = gnutls_rnd(GNUTLS_RND_NONCE,
+ enc_params->iv,
+ enc_params->iv_size);
+ if (ret < 0) {
+--
+2.6.6
+
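Review bot: The `_cdk_tmpfile()` hunk in `lib/opencdk/misc.c` still discards the return value of `gnutls_rnd(GNUTLS_RND_NONCE, rnd, DIM(rnd))`, and with the previous patch in this series the generator is now initialised lazily inside that call, so a failure there (`GNUTLS_E_RANDOM_FAILED`) leaves `rnd` uninitialised and the loop below derives the temporary file name from whatever is on the stack; before, an init failure would have surfaced at `gnutls_global_init()` time. Checking it, e.g. `if (gnutls_rnd(GNUTLS_RND_NONCE, rnd, DIM(rnd)) < 0) return NULL;`, closes that gap, assuming NULL is the failure return this function already uses (its body, including the `rnd` declaration, lies outside the hunk). Every other call site in this patch already tests `ret < 0`, so this is the only one where the rename changes the consequences of an unchecked call.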
diff --git a/recipes-support/gnutls/gnutls_3.5.3.bbappend b/recipes-support/gnutls/gnutls_3.5.3.bbappend
new file mode 100644
index 0000000..99ff422
--- /dev/null
+++ b/recipes-support/gnutls/gnutls_3.5.3.bbappend
@@ -0,0 +1,8 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}-${PV}:"
+
+# Backport commits in 3.5.6
+# https://bugzilla.redhat.com/show_bug.cgi?id=1387141
+SRC_URI_append = "file://0001-_gnutls_rnd_check-call-_rnd_system_entropy_check-dir.patch \
+ file://0002-rng-split-initialization-in-preinit-and-init.patch \
+ file://0003-deprecated-_gnutls_rnd-in-favor-of-exported-gnutls_r.patch \
+" \ No newline at end of file
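Review bot: `SRC_URI_append = "file://0001-...` has no leading space, so the appended text is glued onto the last entry of the recipe's `SRC_URI` unless that value happens to end in whitespace; the conventional form is `SRC_URI_append = " file://0001-_gnutls_rnd_check-call-_rnd_system_entropy_check-dir.patch \` (or `SRC_URI += "..."`). The file also ends with `" \` and no newline, leaving a line-continuation backslash dangling after the closing quote at end of file, which the parser may treat as an incomplete statement; drop the trailing ` \` and end the file with a newline. Also, `_prepend`/`_append` override syntax is correct for this release's BitBake but will need the `:` form if the layer is ever moved forward.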