!141 update patch to remove function declare in header file

From: @xuraoqing 
Reviewed-by: @zcfsite 
Signed-off-by: @zcfsite

backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch

@@ -0,0 +1,125 @@
+From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 10 Jan 2024 19:13:17 +0900
+Subject: [PATCH] rsa-psk: minimize branching after decryption
+
+This moves any non-trivial code between gnutls_privkey_decrypt_data2
+and the function return in _gnutls_proc_rsa_psk_client_kx up until the
+decryption.  This also avoids an extra memcpy to session->key.key.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Reference: https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e
+Conflicts: lib/auth/rsa_psk.c
+
+---
+ lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
+ 1 file changed, 35 insertions(+), 33 deletions(-)
+
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 93c2dc9..a77aeb6 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	int ret, dsize;
+ 	ssize_t data_size = _data_size;
+ 	gnutls_psk_server_credentials_t cred;
+-	gnutls_datum_t premaster_secret = { NULL, 0 };
+ 	volatile uint8_t ver_maj, ver_min;
+ 
+ 	cred = (gnutls_psk_server_credentials_t)
+@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	ver_maj = _gnutls_get_adv_version_major(session);
+ 	ver_min = _gnutls_get_adv_version_minor(session);
+ 
+-	premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+-	if (premaster_secret.data == NULL) {
++	/* Find the key of this username. A random value will be
++	 * filled in if the key is not found.
++	 */
++	ret = _gnutls_psk_pwd_find_entry(session, info->username,
++					 strlen(info->username), &pwd_psk);
++	if (ret < 0)
++		return gnutls_assert_val(ret);
++
++	/* Allocate memory for premaster secret, and fill in the
++	 * fields except the decryption result.
++	 */
++	session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
++	session->key.key.data = gnutls_malloc(session->key.key.size);
++	if (session->key.key.data == NULL) {
+ 		gnutls_assert();
++		_gnutls_free_key_datum(&pwd_psk);
++		/* No need to zeroize, as the secret is not copied in yet */
++		_gnutls_free_datum(&session->key.key);
+ 		return GNUTLS_E_MEMORY_ERROR;
+ 	}
+-	premaster_secret.size = GNUTLS_MASTER_SIZE;
+ 
+ 	/* Fallback value when decryption fails. Needs to be unpredictable. */
+-	ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+-			 premaster_secret.size);
++	ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
++			 GNUTLS_MASTER_SIZE);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+-		goto cleanup;
++		_gnutls_free_key_datum(&pwd_psk);
++		/* No need to zeroize, as the secret is not copied in yet */
++		_gnutls_free_datum(&session->key.key);
++		return ret;
+ 	}
+ 
++	_gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
++	_gnutls_write_uint16(pwd_psk.size,
++			     &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
++	memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
++	       pwd_psk.size);
++	_gnutls_free_key_datum(&pwd_psk);
++
+ 	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+-				     &ciphertext, premaster_secret.data,
+-				     premaster_secret.size);
++				     &ciphertext, session->key.key.data + 2,
++				     GNUTLS_MASTER_SIZE);
+ 	/* After this point, any conditional on failure that cause differences
+ 	 * in execution may create a timing or cache access pattern side
+ 	 * channel that can be used as an oracle, so tread carefully */
+@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	/* This is here to avoid the version check attack
+ 	 * discussed above.
+ 	 */
+-	premaster_secret.data[0] = ver_maj;
+-	premaster_secret.data[1] = ver_min;
++	session->key.key.data[2] = ver_maj;
++	session->key.key.data[3] = ver_min;
+ 
+-	/* find the key of this username
+-	 */
+-	ret =
+-	    _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
+-	if (ret < 0) {
+-		gnutls_assert();
+-		goto cleanup;
+-	}
+-
+-	ret =
+-	    set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
+-	if (ret < 0) {
+-		gnutls_assert();
+-		goto cleanup;
+-	}
+-
+-	ret = 0;
+-      cleanup:
+-	_gnutls_free_key_datum(&pwd_psk);
+-	_gnutls_free_temp_key_datum(&premaster_secret);
+-
+-	return ret;
++	return 0;
+ }
+ 
+ static int
+-- 
+2.33.0
+

backport-fix-CVE-2024-28834-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch

@@ -0,0 +1,456 @@
+From 1c4701ffc342259fc5965d5a0de90d87f780e3e5 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 12 Jan 2024 17:56:58 +0900
+Subject: [PATCH] nettle: avoid normalization of mpz_t in deterministic ECDSA
+
+This removes function calls that potentially leak bit-length of a
+private key used to calculate a nonce in deterministic ECDSA.  Namely:
+
+- _gnutls_dsa_compute_k has been rewritten to work on always
+  zero-padded mp_limb_t arrays instead of mpz_t
+- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
+  by a byte array instead of an mpz_t value
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Reference: https://gitlab.com/gnutls/gnutls/-/commit/1c4701ffc342259fc5965d5a0de90d87f780e3e5
+Conflict: lib/nettle/pk.c,
+          lib/nettle/int/ecdsa-compute-k.c,lib/nettle/int/ecdsa-compute-k.h,
+          lib/nettle/int/dsa-compute-k.c,lib/nettle/int/dsa-compute-k.h
+
+---
+ lib/nettle/int/dsa-compute-k.c    | 82 ++++++++++++++++++++-----------
+ lib/nettle/int/dsa-compute-k.h    | 31 +++++++++---
+ lib/nettle/int/ecdsa-compute-k.c  | 33 +++----------
+ lib/nettle/int/ecdsa-compute-k.h  |  8 +--
+ lib/nettle/pk.c                   | 79 +++++++++++++++++++----------
+ tests/sign-verify-deterministic.c |  2 +-
+ 6 files changed, 138 insertions(+), 97 deletions(-)
+
+diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
+index 17d6331..649a194 100644
+--- a/lib/nettle/int/dsa-compute-k.c
++++ b/lib/nettle/int/dsa-compute-k.c
+@@ -31,33 +31,37 @@
+ #include "mpn-base256.h"
+ #include <string.h>
+ 
+-#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
+-
+-/* The maximum size of q, choosen from the fact that we support
+- * 521-bit elliptic curve generator and 512-bit DSA subgroup at
+- * maximum. */
+-#define MAX_Q_BITS 521
+-#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
+-#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
+-
+-#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
+-#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
+-
+-int
+-_gnutls_dsa_compute_k(mpz_t k,
+-		      const mpz_t q,
+-		      const mpz_t x,
+-		      gnutls_mac_algorithm_t mac,
+-		      const uint8_t *digest,
++/* For mini-gmp */
++#ifndef GMP_LIMB_BITS
++#define GMP_LIMB_BITS GMP_NUMB_BITS
++#endif
++
++static inline int is_zero_limb(mp_limb_t x)
++{
++	x |= (x << 1);
++	return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1);
++}
++
++static int sec_zero_p(const mp_limb_t *ap, mp_size_t n)
++{
++	volatile mp_limb_t w;
++	mp_size_t i;
++
++	for (i = 0, w = 0; i < n; i++)
++		w |= ap[i];
++
++	return is_zero_limb(w);
++}
++
++int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
++			  mp_size_t qn, mp_bitcnt_t q_bits,
++		      gnutls_mac_algorithm_t mac, const uint8_t *digest,
+ 		      size_t length)
+ {
+ 	uint8_t V[MAX_HASH_SIZE];
+ 	uint8_t K[MAX_HASH_SIZE];
+ 	uint8_t xp[MAX_Q_SIZE];
+ 	uint8_t tp[MAX_Q_SIZE];
+-	mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
+-	mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
+-	mp_size_t qn = mpz_size(q);
+ 	mp_bitcnt_t h_bits = length * 8;
+ 	mp_size_t hn = BITS_TO_LIMBS(h_bits);
+ 	size_t nbytes = (q_bits + 7) / 8;
+@@ -66,6 +70,7 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 	mp_limb_t cy;
+ 	gnutls_hmac_hd_t hd;
+ 	int ret = 0;
++	mp_limb_t scratch[MAX_Q_LIMBS];
+ 
+ 	if (unlikely(q_bits > MAX_Q_BITS))
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -73,7 +78,7 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ 
+ 	/* int2octets(x) */
+-	mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
++	mpn_get_base256(xp, nbytes, x, qn);
+ 
+ 	/* bits2octets(h) */
+ 	mpn_set_base256(h, hn, digest, length);
+@@ -97,12 +102,12 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 			mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
+ 	}
+ 
+-	cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
++	cy = mpn_sub_n(h, h, q, qn);
+ 	/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
+ #ifdef mpn_cnd_add_n
+-	mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
++	mpn_cnd_add_n(cy, h, h, q, qn);
+ #else
+-	mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
++	mpn_addmul_1(h, q, qn, cy != 0);
+ #endif
+ 	mpn_get_base256(tp, nbytes, h, qn);
+ 
+@@ -178,12 +183,8 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 		if (tlen * 8 > q_bits)
+ 			mpn_rshift (h, h, qn, tlen * 8 - q_bits);
+ 		/* Check if k is in [1,q-1] */
+-		if (!mpn_zero_p (h, qn) &&
+-		    mpn_cmp (h, mpz_limbs_read(q), qn) < 0) {
+-			mpn_copyi(mpz_limbs_write(k, qn), h, qn);
+-			mpz_limbs_finish(k, qn);
++		if (!sec_zero_p(h, qn) && mpn_sub_n(scratch, h, q, qn))
+ 			break;
+-		}
+ 
+ 		ret = gnutls_hmac_init(&hd, mac, K, length);
+ 		if (ret < 0)
+@@ -207,3 +208,24 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 
+ 	return ret;
+ }
++
++/* cancel-out dsa_sign's addition of 1 to random data */
++void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				  mp_size_t n)
++{
++	/* Fall back to sub_1, if nettle is linked with mini-gmp. */
++#ifdef mpn_sec_sub_1
++	mp_limb_t t[MAX_Q_LIMBS];
++
++	mpn_sec_sub_1(h, h, n, 1, t);
++#else
++	mpn_sub_1(h, h, n, 1);
++#endif
++	mpn_get_base256(k, nbytes, h, n);
++}
++
++void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				    mp_size_t n)
++{
++	mpn_get_base256(k, nbytes, h, n);
++}
+diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
+index 64e90e0..12dc7d0 100644
+--- a/lib/nettle/int/dsa-compute-k.h
++++ b/lib/nettle/int/dsa-compute-k.h
+@@ -26,12 +26,29 @@
+ #include <gnutls/gnutls.h>
+ #include <nettle/bignum.h> /* includes gmp.h */
+ 
+-int
+-_gnutls_dsa_compute_k(mpz_t k,
+-		      const mpz_t q,
+-		      const mpz_t x,
+-		      gnutls_mac_algorithm_t mac,
+-		      const uint8_t *digest,
+-		      size_t length);
++#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
++
++/* The maximum size of q, chosen from the fact that we support
++ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
++ * maximum. */
++#define MAX_Q_BITS 521
++#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
++#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
++
++#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
++#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
++
++#define DSA_COMPUTE_K_ITCH MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)
++
++int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
++						  mp_size_t qn, mp_bitcnt_t q_bits,
++						  gnutls_mac_algorithm_t mac, const uint8_t *digest,
++						  size_t length);
++
++void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++								  mp_size_t n);
++
++void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++									mp_size_t n);
+ 
+ #endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
+diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
+index 94914eb..d98f246 100644
+--- a/lib/nettle/int/ecdsa-compute-k.c
++++ b/lib/nettle/int/ecdsa-compute-k.c
+@@ -29,39 +29,38 @@
+ #include "dsa-compute-k.h"
+ #include "gnutls_int.h"
+ 
+-static inline int
+-_gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
++int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve)
+ {
+ 	switch (curve) {
+ #ifdef ENABLE_NON_SUITEB_CURVES
+ 	case GNUTLS_ECC_CURVE_SECP192R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
+ 				 "146BC9B1B4D22831",
+ 				 16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP224R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
+ 				 "E0B8F03E13DD29455C5C2A3D",
+ 				 16);
+ 		return 0;
+ #endif
+ 	case GNUTLS_ECC_CURVE_SECP256R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
+ 				 "BCE6FAADA7179E84F3B9CAC2FC632551",
+ 				 16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP384R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ 				 "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
+ 				 "581A0DB248B0A77AECEC196ACCC52973",
+ 				 16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP521R1:
+-		mpz_init_set_str(*q,
++		mpz_init_set_str(q,
+ 				 "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ 				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ 				 "FFA51868783BF2F966B7FCC0148F709A"
+@@ -73,23 +72,3 @@ _gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
+ 		return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+ 	}
+ }
+-
+-int
+-_gnutls_ecdsa_compute_k (mpz_t k,
+-			 gnutls_ecc_curve_t curve,
+-			 const mpz_t x,
+-			 gnutls_mac_algorithm_t mac,
+-			 const uint8_t *digest,
+-			 size_t length)
+-{
+-	mpz_t q;
+-	int ret;
+-
+-	ret = _gnutls_ecc_curve_to_dsa_q(&q, curve);
+-	if (ret < 0)
+-		return gnutls_assert_val(ret);
+-
+-	ret = _gnutls_dsa_compute_k (k, q, x, mac, digest, length);
+-	mpz_clear(q);
+-	return ret;
+-}
+diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h
+index 7ca401d..a7e612b 100644
+--- a/lib/nettle/int/ecdsa-compute-k.h
++++ b/lib/nettle/int/ecdsa-compute-k.h
+@@ -26,12 +26,6 @@
+ #include <gnutls/gnutls.h>
+ #include <nettle/bignum.h> /* includes gmp.h */
+ 
+-int
+-_gnutls_ecdsa_compute_k (mpz_t k,
+-			 gnutls_ecc_curve_t curve,
+-			 const mpz_t x,
+-			 gnutls_mac_algorithm_t mac,
+-			 const uint8_t *digest,
+-			 size_t length);
++int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve);
+ 
+ #endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index ccf403b..9cadf39 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -101,10 +101,16 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data)
+ 	}
+ }
+ 
+-static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
++static void rnd_datum_func(void *ctx, size_t length, uint8_t *data)
+ {
+-	mpz_t *k = _ctx;
+-	nettle_mpz_get_str_256 (length, data, *k);
++	gnutls_datum_t *d = ctx;
++
++	if (length > d->size) {
++		memset(data, 0, length - d->size);
++		memcpy(data + (length - d->size), d->data, d->size);
++	} else {
++		memcpy(data, d->data, length);
++	}
+ }
+ 
+ static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
+@@ -952,7 +958,10 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 			struct dsa_signature sig;
+ 			int curve_id = pk_params->curve;
+ 			const struct ecc_curve *curve;
+-			mpz_t k;
++			mpz_t q;
++			/* 521-bit elliptic curve generator at maximum */
++			uint8_t buf[(521 + 7) / 8];
++			gnutls_datum_t k = { NULL, 0 };
+ 			void *random_ctx;
+ 			nettle_random_func *random_func;
+ 
+@@ -981,19 +990,32 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 				hash_len = vdata->size;
+ 			}
+ 
+-			mpz_init(k);
++			mpz_init(q);
++
+ 			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
+ 			    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
+-				ret = _gnutls_ecdsa_compute_k(k,
+-							      curve_id,
+-							      pk_params->params[ECC_K],
+-							      sign_params->dsa_dig,
+-							      vdata->data,
+-							      vdata->size);
++				mp_limb_t h[DSA_COMPUTE_K_ITCH];
++
++				ret = _gnutls_ecc_curve_to_dsa_q(q, curve_id);
++				if (ret < 0)
++					goto ecdsa_cleanup;
++
++				ret = _gnutls_dsa_compute_k(
++					h, mpz_limbs_read(q), priv.p,
++					ecc_size(priv.ecc), ecc_bit_size(priv.ecc),
++					sign_params->dsa_dig, vdata->data,
++					vdata->size);
+ 				if (ret < 0)
+ 					goto ecdsa_cleanup;
++
++				k.data = buf;
++				k.size = (ecc_bit_size(priv.ecc) + 7) / 8;
++
++				_gnutls_ecdsa_compute_k_finish(k.data, k.size, h,
++								ecc_size(priv.ecc));
++
+ 				random_ctx = &k;
+-				random_func = rnd_mpz_func;
++				random_func = rnd_datum_func;
+ 			} else {
+ 				random_ctx = NULL;
+ 				random_func = rnd_nonce_func;
+@@ -1014,7 +1036,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+  ecdsa_cleanup:
+ 			dsa_signature_clear(&sig);
+ 			ecc_scalar_zclear(&priv);
+-			mpz_clear(k);
++			mpz_clear(q);
+ 
+ 			if (ret < 0) {
+ 				gnutls_assert();
+@@ -1027,7 +1049,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 			struct dsa_params pub;
+ 			bigint_t priv;
+ 			struct dsa_signature sig;
+-			mpz_t k;
++			/* 512-bit DSA subgroup at maximum */
++			uint8_t buf[(512 + 7) / 8];
++			gnutls_datum_t k = { NULL, 0 };
+ 			void *random_ctx;
+ 			nettle_random_func *random_func;
+ 
+@@ -1050,21 +1074,27 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 				hash_len = vdata->size;
+ 			}
+ 
+-			mpz_init(k);
+ 			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
+ 			    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
+-				ret = _gnutls_dsa_compute_k(k,
+-							    pub.q,
+-							    TOMPZ(priv),
+-							    sign_params->dsa_dig,
+-							    vdata->data,
+-							    vdata->size);
++				mp_limb_t h[DSA_COMPUTE_K_ITCH];
++
++				ret = _gnutls_dsa_compute_k(
++								h, mpz_limbs_read(pub.q),
++								mpz_limbs_read(TOMPZ(priv)), mpz_size(pub.q),
++								mpz_sizeinbase(pub.q, 2),
++								sign_params->dsa_dig, vdata->data,
++								vdata->size);
+ 				if (ret < 0)
+ 					goto dsa_fail;
+-				/* cancel-out dsa_sign's addition of 1 to random data */
+-				mpz_sub_ui (k, k, 1);
++
++				k.data = buf;
++				k.size = (mpz_sizeinbase(pub.q, 2) + 7) / 8;
++
++				_gnutls_dsa_compute_k_finish(k.data, k.size, h,
++								mpz_size(pub.q));
++
+ 				random_ctx = &k;
+-				random_func = rnd_mpz_func;
++				random_func = rnd_datum_func;
+ 			} else {
+ 				random_ctx = NULL;
+ 				random_func = rnd_nonce_func;
+@@ -1084,7 +1114,6 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 
+  dsa_fail:
+ 			dsa_signature_clear(&sig);
+-			mpz_clear(k);
+ 
+ 			if (ret < 0) {
+ 				gnutls_assert();
+diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
+index 6e90728..25aa553 100644
+--- a/tests/sign-verify-deterministic.c
++++ b/tests/sign-verify-deterministic.c
+@@ -197,7 +197,7 @@ void doit(void)
+ 					      &signature);
+ 		if (ret < 0)
+ 			testfail("gnutls_pubkey_verify_data2\n");
+-		success(" - pass");
++		success(" - pass\n");
+ 
+ 	next:
+ 		gnutls_free(signature.data);
+-- 
+2.33.0
+

backport-x86-add-detection-of-instruction-set-on-Zhaoxin-CPU.patch

@@ -0,0 +1,660 @@
+From 2c5ca0a8c771ed952c432dd5ba271719896d0d54 Mon Sep 17 00:00:00 2001
+From: JonasZhou <JonasZhou@zhaoxin.com>
+Date: Tue, 15 Sep 2020 16:36:57 +0800
+Subject: [PATCH] x86:add detection of instruction set on Zhaoxin CPU
+
+Add detection of extended instruction set on Zhaoxin cpu,e.g:ssse3,sha,
+etc. Set the priority of the algorithm according to the benchmark
+test result on Zhaoxin cpu.
+
+Signed-off-by: JonasZhou <JonasZhou@zhaoxin.com>
+---
+ lib/accelerated/x86/hmac-padlock.c |   2 +-
+ lib/accelerated/x86/sha-padlock.c  |   2 +-
+ lib/accelerated/x86/sha-padlock.h  |   4 +-
+ lib/accelerated/x86/x86-common.c   | 406 +++++++++++++++++++++++++----
+ 4 files changed, 361 insertions(+), 53 deletions(-)
+
+diff --git a/lib/accelerated/x86/hmac-padlock.c b/lib/accelerated/x86/hmac-padlock.c
+index be6c55bc3..fd81f5c5f 100644
+--- a/lib/accelerated/x86/hmac-padlock.c
++++ b/lib/accelerated/x86/hmac-padlock.c
+@@ -357,7 +357,7 @@ const gnutls_crypto_mac_st _gnutls_hmac_sha_padlock = {
+ 	.fast = wrap_padlock_hmac_fast
+ };
+ 
+-const gnutls_crypto_mac_st _gnutls_hmac_sha_padlock_nano = {
++const gnutls_crypto_mac_st _gnutls_hmac_sha_padlock_enhance = {
+ 	.init = wrap_padlock_hmac_init,
+ 	.setkey = wrap_padlock_hmac_setkey,
+ 	.setnonce = NULL,
+diff --git a/lib/accelerated/x86/sha-padlock.c b/lib/accelerated/x86/sha-padlock.c
+index 1030d4f63..c40a3e805 100644
+--- a/lib/accelerated/x86/sha-padlock.c
++++ b/lib/accelerated/x86/sha-padlock.c
+@@ -383,7 +383,7 @@ const gnutls_crypto_digest_st _gnutls_sha_padlock = {
+ 	.fast = wrap_padlock_hash_fast
+ };
+ 
+-const gnutls_crypto_digest_st _gnutls_sha_padlock_nano = {
++const gnutls_crypto_digest_st _gnutls_sha_padlock_enhance = {
+ 	.init = wrap_padlock_hash_init,
+ 	.hash = wrap_padlock_hash_update,
+ 	.output = wrap_padlock_hash_output,
+diff --git a/lib/accelerated/x86/sha-padlock.h b/lib/accelerated/x86/sha-padlock.h
+index af67a07dd..f626f17e1 100644
+--- a/lib/accelerated/x86/sha-padlock.h
++++ b/lib/accelerated/x86/sha-padlock.h
+@@ -30,7 +30,7 @@ extern const struct nettle_hash padlock_sha256;
+ extern const struct nettle_hash padlock_sha384;
+ extern const struct nettle_hash padlock_sha512;
+ 
+-extern const gnutls_crypto_mac_st _gnutls_hmac_sha_padlock_nano;
+-extern const gnutls_crypto_digest_st _gnutls_sha_padlock_nano;
++extern const gnutls_crypto_mac_st _gnutls_hmac_sha_padlock_enhance;
++extern const gnutls_crypto_digest_st _gnutls_sha_padlock_enhance;
+ 
+ #endif /* GNUTLS_LIB_ACCELERATED_X86_SHA_PADLOCK_H */
+diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
+index 29410e51f..33fa40d4a 100644
+--- a/lib/accelerated/x86/x86-common.c
++++ b/lib/accelerated/x86/x86-common.c
+@@ -90,9 +90,9 @@ unsigned int _gnutls_x86_cpuid_s[4];
+ # define bit_MOVBE 0x00400000
+ #endif
+ 
+-#define via_bit_PADLOCK (0x3 << 6)
+-#define via_bit_PADLOCK_PHE (0x3 << 10)
+-#define via_bit_PADLOCK_PHE_SHA512 (0x3 << 25)
++#define bit_PADLOCK (0x3 << 6)
++#define bit_PADLOCK_PHE (0x3 << 10)
++#define bit_PADLOCK_PHE_SHA512 (0x3 << 25)
+ 
+ /* Our internal bit-string for cpu capabilities. Should be set
+  * in GNUTLS_CPUID_OVERRIDE */
+@@ -102,9 +102,9 @@ unsigned int _gnutls_x86_cpuid_s[4];
+ #define INTEL_PCLMUL (1<<3)
+ #define INTEL_AVX (1<<4)
+ #define INTEL_SHA (1<<5)
+-#define VIA_PADLOCK (1<<20)
+-#define VIA_PADLOCK_PHE (1<<21)
+-#define VIA_PADLOCK_PHE_SHA512 (1<<22)
++#define PADLOCK (1<<20)
++#define PADLOCK_PHE (1<<21)
++#define PADLOCK_PHE_SHA512 (1<<22)
+ 
+ #ifndef HAVE_GET_CPUID_COUNT
+ static inline void
+@@ -246,39 +246,37 @@ static unsigned check_pclmul(void)
+ #endif
+ 
+ #ifdef ENABLE_PADLOCK
+-static unsigned capabilities_to_via_edx(unsigned capabilities)
++static unsigned capabilities_to_zhaoxin_edx(unsigned capabilities)
+ {
+ 	unsigned a,b,c,t;
+ 
+-	memset(_gnutls_x86_cpuid_s, 0, sizeof(_gnutls_x86_cpuid_s));
+-
+ 	if (capabilities & EMPTY_SET) {
+ 		return 0;
+ 	}
+ 
+ 	if (!__get_cpuid(1, &t, &a, &b, &c))
+ 		return 0;
+-	if (capabilities & VIA_PADLOCK) {
+-		if (c & via_bit_PADLOCK) {
+-			_gnutls_x86_cpuid_s[2] |= via_bit_PADLOCK;
++	if (capabilities & PADLOCK) {
++		if (c & bit_PADLOCK) {
++			_gnutls_x86_cpuid_s[2] |= bit_PADLOCK;
+ 		} else {
+ 			_gnutls_debug_log
+ 			    ("Padlock acceleration requested but not available\n");
+ 		}
+ 	}
+ 
+-	if (capabilities & VIA_PADLOCK_PHE) {
+-		if (c & via_bit_PADLOCK_PHE) {
+-			_gnutls_x86_cpuid_s[2] |= via_bit_PADLOCK_PHE;
++	if (capabilities & PADLOCK_PHE) {
++		if (c & bit_PADLOCK_PHE) {
++			_gnutls_x86_cpuid_s[2] |= bit_PADLOCK_PHE;
+ 		} else {
+ 			_gnutls_debug_log
+ 			    ("Padlock-PHE acceleration requested but not available\n");
+ 		}
+ 	}
+ 
+-	if (capabilities & VIA_PADLOCK_PHE_SHA512) {
+-		if (c & via_bit_PADLOCK_PHE_SHA512) {
+-			_gnutls_x86_cpuid_s[2] |= via_bit_PADLOCK_PHE_SHA512;
++	if (capabilities & PADLOCK_PHE_SHA512) {
++		if (c & bit_PADLOCK_PHE_SHA512) {
++			_gnutls_x86_cpuid_s[2] |= bit_PADLOCK_PHE_SHA512;
+ 		} else {
+ 			_gnutls_debug_log
+ 			    ("Padlock-PHE-SHA512 acceleration requested but not available\n");
+@@ -290,18 +288,36 @@ static unsigned capabilities_to_via_edx(unsigned capabilities)
+ 
+ static int check_padlock(unsigned edx)
+ {
+-	return ((edx & via_bit_PADLOCK) == via_bit_PADLOCK);
++	return ((edx & bit_PADLOCK) == bit_PADLOCK);
+ }
+ 
+ static int check_phe(unsigned edx)
+ {
+-	return ((edx & via_bit_PADLOCK_PHE) == via_bit_PADLOCK_PHE);
++	return ((edx & bit_PADLOCK_PHE) == bit_PADLOCK_PHE);
+ }
+ 
+ /* We are actually checking for SHA512 */
+ static int check_phe_sha512(unsigned edx)
+ {
+-	return ((edx & via_bit_PADLOCK_PHE_SHA512) == via_bit_PADLOCK_PHE_SHA512);
++	return ((edx & bit_PADLOCK_PHE_SHA512) == bit_PADLOCK_PHE_SHA512);
++}
++
++/* On some of the Zhaoxin CPUs, pclmul has a faster acceleration effect */
++static int check_fast_pclmul(void)
++{
++	unsigned int a,b,c,d;
++	a = b = c = d = 0;
++	if (__get_cpuid(1, &a, &b, &c, &d))
++		return 0;
++
++	unsigned int family = ((a >> 8) & 0x0F);
++	unsigned int model = ((a >> 4) & 0x0F) + ((a >> 12) & 0xF0);
++
++	if(((family == 0x6) && (model == 0xf || model == 0x19)) ||
++		((family == 0x7) && (model == 0x1B || model == 0x3B)))
++		return 1;
++	else
++		return 0;
+ }
+ 
+ static int check_phe_partial(void)
+@@ -326,7 +342,7 @@ static int check_phe_partial(void)
+ 		return 0;
+ }
+ 
+-static unsigned check_via(void)
++static unsigned check_zhaoxin(void)
+ {
+ 	unsigned int a, b, c, d;
+ 
+@@ -334,7 +350,10 @@ static unsigned check_via(void)
+ 		return 0;
+ 
+ 	if ((memcmp(&b, "Cent", 4) == 0 &&
+-	     memcmp(&d, "aurH", 4) == 0 && memcmp(&c, "auls", 4) == 0)) {
++	     memcmp(&d, "aurH", 4) == 0 &&
++         memcmp(&c, "auls", 4) == 0) ||
++        (memcmp(&b, "  Sh", 4) == 0 &&
++         memcmp(&d, "angh", 4) == 0 && memcmp(&c, "ai  ", 4) == 0)) {
+ 		return 1;
+ 	}
+ 
+@@ -347,13 +366,301 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ 	int ret, phe;
+ 	unsigned edx;
+ 
+-	if (check_via() == 0)
++	memset(_gnutls_x86_cpuid_s, 0, sizeof(_gnutls_x86_cpuid_s));
++	if (check_zhaoxin() == 0)
+ 		return;
+ 
+-	if (capabilities == 0)
++	if (capabilities == 0){
++        if(!read_cpuid_vals(_gnutls_x86_cpuid_s))
++            return;
+ 		edx = padlock_capability();
+-	else
+-		edx = capabilities_to_via_edx(capabilities);
++	} else{
++		capabilities_to_intel_cpuid(capabilities);
++		edx = capabilities_to_zhaoxin_edx(capabilities);
++	}
++
++	if (check_ssse3()) {
++		_gnutls_debug_log("Zhaoxin SSSE3 was detected\n");
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_128_GCM, 90,
++		     &_gnutls_aes_gcm_x86_ssse3, 0);
++			if (ret < 0) {
++				gnutls_assert();
++			}
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_192_GCM, 90,
++		     &_gnutls_aes_gcm_x86_ssse3, 0);
++			if (ret < 0) {
++				gnutls_assert();
++			}
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_256_GCM, 90,
++		     &_gnutls_aes_gcm_x86_ssse3, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_128_CBC, 90, &_gnutls_aes_ssse3, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_192_CBC, 90, &_gnutls_aes_ssse3, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_256_CBC, 90, &_gnutls_aes_ssse3, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++	}
++
++	if (check_sha() || check_ssse3()) {
++		if (check_sha())
++			_gnutls_debug_log("Zhaoxin SHA was detected\n");
++
++		ret =
++		    gnutls_crypto_single_digest_register(GNUTLS_DIG_SHA1,
++							 80,
++							 &_gnutls_sha_x86_ssse3, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++		ret =
++		    gnutls_crypto_single_digest_register(GNUTLS_DIG_SHA224,
++							 80,
++							 &_gnutls_sha_x86_ssse3, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++		ret =
++		    gnutls_crypto_single_digest_register(GNUTLS_DIG_SHA256,
++							 80,
++							 &_gnutls_sha_x86_ssse3, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++
++		ret =
++		    gnutls_crypto_single_mac_register(GNUTLS_MAC_SHA1,
++							 80,
++							 &_gnutls_hmac_sha_x86_ssse3, 0);
++		if (ret < 0)
++			gnutls_assert();
++
++		ret =
++		    gnutls_crypto_single_mac_register(GNUTLS_MAC_SHA224,
++							 80,
++							 &_gnutls_hmac_sha_x86_ssse3, 0);
++		if (ret < 0)
++			gnutls_assert();
++
++		ret =
++		    gnutls_crypto_single_mac_register(GNUTLS_MAC_SHA256,
++							 80,
++							 &_gnutls_hmac_sha_x86_ssse3, 0);
++		if (ret < 0)
++			gnutls_assert();
++
++		ret =
++		    gnutls_crypto_single_digest_register(GNUTLS_DIG_SHA384,
++							 80,
++							 &_gnutls_sha_x86_ssse3, 0);
++		if (ret < 0)
++			gnutls_assert();
++
++		ret =
++		    gnutls_crypto_single_digest_register(GNUTLS_DIG_SHA512,
++							 80,
++							 &_gnutls_sha_x86_ssse3, 0);
++		if (ret < 0)
++			gnutls_assert();
++		ret =
++		    gnutls_crypto_single_mac_register(GNUTLS_MAC_SHA384,
++							 80,
++							 &_gnutls_hmac_sha_x86_ssse3, 0);
++		if (ret < 0)
++			gnutls_assert();
++
++		ret =
++		    gnutls_crypto_single_mac_register(GNUTLS_MAC_SHA512,
++							 80,
++							 &_gnutls_hmac_sha_x86_ssse3, 0);
++		if (ret < 0)
++			gnutls_assert();
++	}
++
++	if (check_optimized_aes()) {
++		_gnutls_debug_log("Zhaoxin AES accelerator was detected\n");
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_128_CBC, 80, &_gnutls_aesni_x86, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_192_CBC, 80, &_gnutls_aesni_x86, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_256_CBC, 80, &_gnutls_aesni_x86, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_128_CCM, 80,
++		     &_gnutls_aes_ccm_x86_aesni, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_256_CCM, 80,
++		     &_gnutls_aes_ccm_x86_aesni, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_128_CCM_8, 80,
++		     &_gnutls_aes_ccm_x86_aesni, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_256_CCM_8, 80,
++		     &_gnutls_aes_ccm_x86_aesni, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_128_XTS, 80,
++		     &_gnutls_aes_xts_x86_aesni, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++		ret =
++		    gnutls_crypto_single_cipher_register
++		    (GNUTLS_CIPHER_AES_256_XTS, 80,
++		     &_gnutls_aes_xts_x86_aesni, 0);
++		if (ret < 0) {
++			gnutls_assert();
++		}
++
++#ifdef ASM_X86_64
++		if (check_pclmul()) {
++			/* register GCM ciphers */
++			_gnutls_debug_log
++				("Zhaoxin GCM accelerator was detected\n");
++			if (check_avx_movbe() && !check_fast_pclmul()) {
++				_gnutls_debug_log
++				    ("Zhaoxin GCM accelerator (AVX) was detected\n");
++				ret =
++				    gnutls_crypto_single_cipher_register
++				    (GNUTLS_CIPHER_AES_128_GCM, 80,
++				     &_gnutls_aes_gcm_pclmul_avx, 0);
++				if (ret < 0) {
++					gnutls_assert();
++				}
++
++				ret =
++				    gnutls_crypto_single_cipher_register
++				    (GNUTLS_CIPHER_AES_192_GCM, 80,
++				     &_gnutls_aes_gcm_pclmul_avx, 0);
++				if (ret < 0) {
++					gnutls_assert();
++				}
++
++				ret =
++				    gnutls_crypto_single_cipher_register
++				    (GNUTLS_CIPHER_AES_256_GCM, 80,
++				     &_gnutls_aes_gcm_pclmul_avx, 0);
++				if (ret < 0) {
++					gnutls_assert();
++				}
++			} else {
++				ret =
++					gnutls_crypto_single_cipher_register
++					(GNUTLS_CIPHER_AES_128_GCM, 80,
++					&_gnutls_aes_gcm_pclmul, 0);
++				if (ret < 0) {
++					gnutls_assert();
++				}
++
++				ret =
++					gnutls_crypto_single_cipher_register
++					(GNUTLS_CIPHER_AES_192_GCM, 80,
++					&_gnutls_aes_gcm_pclmul, 0);
++				if (ret < 0) {
++					gnutls_assert();
++				}
++
++				ret =
++					gnutls_crypto_single_cipher_register
++					(GNUTLS_CIPHER_AES_256_GCM, 80,
++					&_gnutls_aes_gcm_pclmul, 0);
++				if (ret < 0) {
++					gnutls_assert();
++				}
++			}
++		} else
++#endif
++		{
++			ret =
++			    gnutls_crypto_single_cipher_register
++			    (GNUTLS_CIPHER_AES_128_GCM, 80,
++			     &_gnutls_aes_gcm_x86_aesni, 0);
++			if (ret < 0) {
++				gnutls_assert();
++			}
++
++			ret =
++			    gnutls_crypto_single_cipher_register
++			    (GNUTLS_CIPHER_AES_192_GCM, 80,
++			     &_gnutls_aes_gcm_x86_aesni, 0);
++			if (ret < 0) {
++				gnutls_assert();
++			}
++
++			ret =
++			    gnutls_crypto_single_cipher_register
++			    (GNUTLS_CIPHER_AES_256_GCM, 80,
++			     &_gnutls_aes_gcm_x86_aesni, 0);
++			if (ret < 0) {
++				gnutls_assert();
++			}
++		}
++	}
+ 
+ 	if (check_padlock(edx)) {
+ 		_gnutls_debug_log
+@@ -368,7 +675,7 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ 		/* register GCM ciphers */
+ 		ret =
+ 		    gnutls_crypto_single_cipher_register
+-		    (GNUTLS_CIPHER_AES_128_GCM, 80,
++		    (GNUTLS_CIPHER_AES_128_GCM, 90,
+ 		     &_gnutls_aes_gcm_padlock, 0);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+@@ -383,15 +690,16 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ 
+ 		ret =
+ 		    gnutls_crypto_single_cipher_register
+-		    (GNUTLS_CIPHER_AES_256_GCM, 80,
++		    (GNUTLS_CIPHER_AES_256_GCM, 90,
+ 		     &_gnutls_aes_gcm_padlock, 0);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+ 		}
+-	} else {
+-		_gnutls_priority_update_non_aesni();
+ 	}
+ 
++	if(!check_optimized_aes() && !check_padlock(edx))
++		_gnutls_priority_update_non_aesni();
++
+ #ifdef HAVE_LIBNETTLE
+ 	phe = check_phe(edx);
+ 
+@@ -404,7 +712,7 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ 			ret =
+ 			    gnutls_crypto_single_digest_register
+ 			    (GNUTLS_DIG_SHA384, 80,
+-			     &_gnutls_sha_padlock_nano, 0);
++			     &_gnutls_sha_padlock_enhance, 0);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+ 			}
+@@ -412,7 +720,7 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ 			ret =
+ 			    gnutls_crypto_single_digest_register
+ 			    (GNUTLS_DIG_SHA512, 80,
+-			     &_gnutls_sha_padlock_nano, 0);
++			     &_gnutls_sha_padlock_enhance, 0);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+ 			}
+@@ -420,7 +728,7 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ 			ret =
+ 			    gnutls_crypto_single_mac_register
+ 			    (GNUTLS_MAC_SHA384, 80,
+-			     &_gnutls_hmac_sha_padlock_nano, 0);
++			     &_gnutls_hmac_sha_padlock_enhance, 0);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+ 			}
+@@ -428,7 +736,7 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ 			ret =
+ 			    gnutls_crypto_single_mac_register
+ 			    (GNUTLS_MAC_SHA512, 80,
+-			     &_gnutls_hmac_sha_padlock_nano, 0);
++			     &_gnutls_hmac_sha_padlock_enhance, 0);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+ 			}
+@@ -436,32 +744,32 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ 
+ 		ret =
+ 		    gnutls_crypto_single_digest_register(GNUTLS_DIG_SHA1,
+-							 80,
+-							 &_gnutls_sha_padlock_nano, 0);
++							 90,
++							 &_gnutls_sha_padlock_enhance, 0);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+ 		}
+ 
+ 		ret =
+ 		    gnutls_crypto_single_digest_register(GNUTLS_DIG_SHA224,
+-							 80,
+-							 &_gnutls_sha_padlock_nano, 0);
++							 90,
++							 &_gnutls_sha_padlock_enhance, 0);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+ 		}
+ 
+ 		ret =
+ 		    gnutls_crypto_single_digest_register(GNUTLS_DIG_SHA256,
+-							 80,
+-							 &_gnutls_sha_padlock_nano, 0);
++							 90,
++							 &_gnutls_sha_padlock_enhance, 0);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+ 		}
+ 
+ 		ret =
+ 		    gnutls_crypto_single_mac_register(GNUTLS_MAC_SHA1,
+-						      80,
+-						      &_gnutls_hmac_sha_padlock_nano, 0);
++						      90,
++						      &_gnutls_hmac_sha_padlock_enhance, 0);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+ 		}
+@@ -470,8 +778,8 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ 
+ 		ret =
+ 		    gnutls_crypto_single_mac_register(GNUTLS_MAC_SHA256,
+-						      80,
+-						      &_gnutls_hmac_sha_padlock_nano, 0);
++						      90,
++						      &_gnutls_hmac_sha_padlock_enhance, 0);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+ 		}
+@@ -482,7 +790,7 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ 		    ("Padlock SHA1 and SHA256 accelerator was detected\n");
+ 		ret =
+ 		    gnutls_crypto_single_digest_register(GNUTLS_DIG_SHA1,
+-							 80,
++							 90,
+ 							 &_gnutls_sha_padlock, 0);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+@@ -490,7 +798,7 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ 
+ 		ret =
+ 		    gnutls_crypto_single_digest_register(GNUTLS_DIG_SHA256,
+-							 80,
++							 90,
+ 							 &_gnutls_sha_padlock, 0);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+@@ -498,7 +806,7 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ 
+ 		ret =
+ 		    gnutls_crypto_single_mac_register(GNUTLS_MAC_SHA1,
+-						      80,
++						      90,
+ 						      &_gnutls_hmac_sha_padlock, 0);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+@@ -506,7 +814,7 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ 
+ 		ret =
+ 		    gnutls_crypto_single_mac_register(GNUTLS_MAC_SHA256,
+-						      80,
++						      90,
+ 						      &_gnutls_hmac_sha_padlock, 0);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+-- 
+2.27.0
+

gnutls.spec

@@ -1,6 +1,6 @@
 Name: gnutls
 Version: 3.6.14
-Release: 11
+Release: 16
 Summary: The GNU Secure Communication Protocol Library
 
 License: LGPLv2.1+ and GPLv3+
@@ -20,6 +20,9 @@ Patch9: backport-CVE-2021-4209.patch
 Patch10: backport-01-CVE-2023-0361.patch
 Patch11: backport-02-CVE-2023-0361.patch
 Patch12: backport-CVE-2023-5981-auth-rsa_psk-side-step-potential-side-channel.patch
+Patch13: backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
+Patch14: backport-x86-add-detection-of-instruction-set-on-Zhaoxin-CPU.patch
+Patch15: backport-fix-CVE-2024-28834-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch
 
 %bcond_without dane
 %bcond_with guile
@@ -45,10 +48,8 @@ Requires: crypto-policies, p11-kit-trust, libtasn1, nettle
 Recommends: trousers >= 0.3.11.2
 
 Provides: bundled(gnulib) = 20130424
-Provides: gnutls-utils = %{version}-%{release}
 Provides: gnutls-c++ = %{version}-%{release}
 Provides: gnutls-dane = %{version}-%{release}
-Obsoletes: gnutls-utils < %{version}-%{release} 
 Obsoletes: gnutls-c++ < %{version}-%{release} 
 Obsoletes: gnutls-dane < %{version}-%{release}
 
@@ -71,6 +72,19 @@ Requires: pkgconf
 %description devel
 This package contains files needed for developing applications with %{name}.
 
+%package utils
+License: GPLv3+
+Summary: Command line tools for TLS protocol
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Provides: gnutls-utils
+Obsoletes:gnutls-utils
+
+%description utils
+GnuTLS is a secure communications library implementing the SSL,TLS and DTLS protocols and technologies around them. 
+It provides a simple C language application programming interface(API) to access the secure communications protocols 
+as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures.
+This package contains command line TLS clinet and server and certificate manipulation tools.
+
 %package_help
 
 %if %{with guile}
@@ -167,15 +181,7 @@ make check %{?_smp_mflags}
 %defattr(-,root,root)
 %doc README.md AUTHORS
 %license LICENSE doc/COPYING doc/COPYING.LESSER
-%{_bindir}/certtool
-%{_bindir}/tpmtool
-%{_bindir}/ocsptool
-%{_bindir}/psktool
-%{_bindir}/p11tool
-%{_bindir}/srptool
-%{_bindir}/gnutls*
 %if %{with dane}
-%{_bindir}/danetool
 %{_libdir}/libgnutls-dane.so.*
 %endif
 %{_libdir}/libgnutls.so.30*
@@ -190,6 +196,18 @@ make check %{?_smp_mflags}
 %{_libdir}/libgnutls*.so
 %{_includedir}/*
 
+%files utils
+%{_bindir}/certtool
+%{_bindir}/tpmtool
+%{_bindir}/ocsptool
+%{_bindir}/psktool
+%{_bindir}/p11tool
+%{_bindir}/srptool
+%{_bindir}/gnutls*
+%if %{with dane}
+%{_bindir}/danetool
+%endif
+
 %files help
 %defattr(-,root,root)
 %doc NEWS THANKS doc/certtool.cfg
@@ -210,6 +228,21 @@ make check %{?_smp_mflags}
 %endif
 
 %changelog
+* Tue Mar 26 2024 xuraoqing <xuraoqing@huawei.com> - 3.6.14-16
+- update patch to remove function declare in header file
+
+* Sat Mar 23 2024 xuraoqing <xuraoqing@huawei.com> - 3.6.14-15
+- fix CVE-2024-28834
+
+* Thu Jan 25 2024 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 3.6.14-14
+- x86 add detection of instruction set on Zhaoxin CPU
+
+* Thu Jan 25 2024 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 3.6.14-13
+- Detach the sub package gnutls-utils from gnutls
+
+* Wed Jan 17 2024 xuraoqing <xuraoqing@huawei.com> - 3.6.14-12
+- fix CVE-2024-0553
+
 * Mon Nov 20 2023 xuraoqing <xuraoqing@huawei.com> - 3.6.14-11
 - fix CVE-2023-5981