Auto sync2gitlab import of gnutls-3.6.16-6.el8.src.rpm
This commit is contained in:
parent
90c90edd1c
commit
1550972a88
247
gnutls-3.6.16-cpuid.patch
Normal file
247
gnutls-3.6.16-cpuid.patch
Normal file
@ -0,0 +1,247 @@
|
|||||||
|
From 300c6315d2e644ae81b43fa2dd7bbf68b3afb5b2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <ueno@gnu.org>
|
||||||
|
Date: Thu, 18 Nov 2021 19:02:03 +0100
|
||||||
|
Subject: [PATCH 1/2] accelerated: fix CPU feature detection for Intel CPUs
|
||||||
|
|
||||||
|
This fixes read_cpuid_vals to correctly read the CPUID quadruple, as
|
||||||
|
well as to set the bit the ustream CRYPTOGAMS uses to identify Intel
|
||||||
|
CPUs.
|
||||||
|
|
||||||
|
Suggested by Rafael Gieschke in:
|
||||||
|
https://gitlab.com/gnutls/gnutls/-/issues/1282
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||||
|
---
|
||||||
|
lib/accelerated/x86/x86-common.c | 91 +++++++++++++++++++++++++-------
|
||||||
|
1 file changed, 71 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
|
||||||
|
index 3845c6b4c9..cf615ef24f 100644
|
||||||
|
--- a/lib/accelerated/x86/x86-common.c
|
||||||
|
+++ b/lib/accelerated/x86/x86-common.c
|
||||||
|
@@ -81,15 +81,38 @@ unsigned int _gnutls_x86_cpuid_s[4];
|
||||||
|
# define bit_AVX 0x10000000
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-#ifndef OSXSAVE_MASK
|
||||||
|
-/* OSXSAVE|FMA|MOVBE */
|
||||||
|
-# define OSXSAVE_MASK (0x8000000|0x1000|0x400000)
|
||||||
|
+#ifndef bit_AVX2
|
||||||
|
+# define bit_AVX2 0x00000020
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+#ifndef bit_AVX512F
|
||||||
|
+# define bit_AVX512F 0x00010000
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+#ifndef bit_AVX512IFMA
|
||||||
|
+# define bit_AVX512IFMA 0x00200000
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+#ifndef bit_AVX512BW
|
||||||
|
+# define bit_AVX512BW 0x40000000
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+#ifndef bit_AVX512VL
|
||||||
|
+# define bit_AVX512VL 0x80000000
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+#ifndef bit_OSXSAVE
|
||||||
|
+# define bit_OSXSAVE 0x8000000
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifndef bit_MOVBE
|
||||||
|
# define bit_MOVBE 0x00400000
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#ifndef OSXSAVE_MASK
|
||||||
|
+# define OSXSAVE_MASK (bit_OSXSAVE|bit_MOVBE)
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#define via_bit_PADLOCK (0x3 << 6)
|
||||||
|
#define via_bit_PADLOCK_PHE (0x3 << 10)
|
||||||
|
#define via_bit_PADLOCK_PHE_SHA512 (0x3 << 25)
|
||||||
|
@@ -127,7 +150,7 @@ static unsigned read_cpuid_vals(unsigned int vals[4])
|
||||||
|
unsigned t1, t2, t3;
|
||||||
|
vals[0] = vals[1] = vals[2] = vals[3] = 0;
|
||||||
|
|
||||||
|
- if (!__get_cpuid(1, &t1, &vals[0], &vals[1], &t2))
|
||||||
|
+ if (!__get_cpuid(1, &t1, &t2, &vals[1], &vals[0]))
|
||||||
|
return 0;
|
||||||
|
/* suppress AVX512; it works conditionally on certain CPUs on the original code */
|
||||||
|
vals[1] &= 0xfffff7ff;
|
||||||
|
@@ -145,7 +168,7 @@ static unsigned check_4th_gen_intel_features(unsigned ecx)
|
||||||
|
{
|
||||||
|
uint32_t xcr0;
|
||||||
|
|
||||||
|
- if ((ecx & OSXSAVE_MASK) != OSXSAVE_MASK)
|
||||||
|
+ if ((ecx & bit_OSXSAVE) != bit_OSXSAVE)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
#if defined(_MSC_VER) && !defined(__clang__)
|
||||||
|
@@ -233,10 +256,7 @@ static unsigned check_sha(void)
|
||||||
|
#ifdef ASM_X86_64
|
||||||
|
static unsigned check_avx_movbe(void)
|
||||||
|
{
|
||||||
|
- if (check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1]) == 0)
|
||||||
|
- return 0;
|
||||||
|
-
|
||||||
|
- return ((_gnutls_x86_cpuid_s[1] & bit_AVX));
|
||||||
|
+ return (_gnutls_x86_cpuid_s[1] & bit_AVX);
|
||||||
|
}
|
||||||
|
|
||||||
|
static unsigned check_pclmul(void)
|
||||||
|
@@ -514,33 +534,47 @@ void register_x86_padlock_crypto(unsigned capabilities)
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-static unsigned check_intel_or_amd(void)
|
||||||
|
+enum x86_cpu_vendor {
|
||||||
|
+ X86_CPU_VENDOR_OTHER,
|
||||||
|
+ X86_CPU_VENDOR_INTEL,
|
||||||
|
+ X86_CPU_VENDOR_AMD,
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static enum x86_cpu_vendor check_x86_cpu_vendor(void)
|
||||||
|
{
|
||||||
|
unsigned int a, b, c, d;
|
||||||
|
|
||||||
|
- if (!__get_cpuid(0, &a, &b, &c, &d))
|
||||||
|
- return 0;
|
||||||
|
+ if (!__get_cpuid(0, &a, &b, &c, &d)) {
|
||||||
|
+ return X86_CPU_VENDOR_OTHER;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if ((memcmp(&b, "Genu", 4) == 0 &&
|
||||||
|
- memcmp(&d, "ineI", 4) == 0 &&
|
||||||
|
- memcmp(&c, "ntel", 4) == 0) ||
|
||||||
|
- (memcmp(&b, "Auth", 4) == 0 &&
|
||||||
|
- memcmp(&d, "enti", 4) == 0 && memcmp(&c, "cAMD", 4) == 0)) {
|
||||||
|
- return 1;
|
||||||
|
+ if (memcmp(&b, "Genu", 4) == 0 &&
|
||||||
|
+ memcmp(&d, "ineI", 4) == 0 &&
|
||||||
|
+ memcmp(&c, "ntel", 4) == 0) {
|
||||||
|
+ return X86_CPU_VENDOR_INTEL;
|
||||||
|
}
|
||||||
|
|
||||||
|
- return 0;
|
||||||
|
+ if (memcmp(&b, "Auth", 4) == 0 &&
|
||||||
|
+ memcmp(&d, "enti", 4) == 0 &&
|
||||||
|
+ memcmp(&c, "cAMD", 4) == 0) {
|
||||||
|
+ return X86_CPU_VENDOR_AMD;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return X86_CPU_VENDOR_OTHER;
|
||||||
|
}
|
||||||
|
|
||||||
|
static
|
||||||
|
void register_x86_intel_crypto(unsigned capabilities)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
+ enum x86_cpu_vendor vendor;
|
||||||
|
|
||||||
|
memset(_gnutls_x86_cpuid_s, 0, sizeof(_gnutls_x86_cpuid_s));
|
||||||
|
|
||||||
|
- if (check_intel_or_amd() == 0)
|
||||||
|
+ vendor = check_x86_cpu_vendor();
|
||||||
|
+ if (vendor == X86_CPU_VENDOR_OTHER) {
|
||||||
|
return;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (capabilities == 0) {
|
||||||
|
if (!read_cpuid_vals(_gnutls_x86_cpuid_s))
|
||||||
|
@@ -549,6 +583,23 @@ void register_x86_intel_crypto(unsigned capabilities)
|
||||||
|
capabilities_to_intel_cpuid(capabilities);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* CRYPTOGAMS uses the (1 << 30) bit as an indicator of Intel CPUs */
|
||||||
|
+ if (vendor == X86_CPU_VENDOR_INTEL) {
|
||||||
|
+ _gnutls_x86_cpuid_s[0] |= 1 << 30;
|
||||||
|
+ } else {
|
||||||
|
+ _gnutls_x86_cpuid_s[0] &= ~(1 << 30);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) {
|
||||||
|
+ _gnutls_x86_cpuid_s[1] &= ~bit_AVX;
|
||||||
|
+
|
||||||
|
+ /* Clear AVX2 bits as well, according to what OpenSSL does.
|
||||||
|
+ * Should we clear bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER, and
|
||||||
|
+ * bit_AVX512CD? */
|
||||||
|
+ _gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|bit_AVX512F|bit_AVX512IFMA|
|
||||||
|
+ bit_AVX512BW|bit_AVX512BW);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (check_ssse3()) {
|
||||||
|
_gnutls_debug_log("Intel SSSE3 was detected\n");
|
||||||
|
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
||||||
|
|
||||||
|
From cd509dac9e6d1bf76fd12c72c1fd61f1708c254a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <ueno@gnu.org>
|
||||||
|
Date: Mon, 15 Aug 2022 09:39:18 +0900
|
||||||
|
Subject: [PATCH 2/2] accelerated: clear AVX bits if it cannot be queried
|
||||||
|
through XSAVE
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
The algorithm to detect AVX is described in 14.3 of "Intel® 64 and IA-32
|
||||||
|
Architectures Software Developer’s Manual".
|
||||||
|
|
||||||
|
GnuTLS previously only followed that algorithm when registering the
|
||||||
|
crypto backend, while the CRYPTOGAMS derived SHA code assembly expects
|
||||||
|
that the extension bits are propagated to _gnutls_x86_cpuid_s.
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||||
|
---
|
||||||
|
lib/accelerated/x86/x86-common.c | 18 ++++++++++++++++--
|
||||||
|
1 file changed, 16 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
|
||||||
|
index cf615ef24f..655d0c65f2 100644
|
||||||
|
--- a/lib/accelerated/x86/x86-common.c
|
||||||
|
+++ b/lib/accelerated/x86/x86-common.c
|
||||||
|
@@ -210,7 +210,8 @@ static void capabilities_to_intel_cpuid(unsigned capabilities)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (capabilities & INTEL_AVX) {
|
||||||
|
- if ((a[1] & bit_AVX) && check_4th_gen_intel_features(a[1])) {
|
||||||
|
+ if ((a[1] & bit_AVX) && (a[1] & bit_MOVBE) &&
|
||||||
|
+ check_4th_gen_intel_features(a[1])) {
|
||||||
|
_gnutls_x86_cpuid_s[1] |= bit_AVX|bit_MOVBE;
|
||||||
|
} else {
|
||||||
|
_gnutls_debug_log
|
||||||
|
@@ -256,7 +257,7 @@ static unsigned check_sha(void)
|
||||||
|
#ifdef ASM_X86_64
|
||||||
|
static unsigned check_avx_movbe(void)
|
||||||
|
{
|
||||||
|
- return (_gnutls_x86_cpuid_s[1] & bit_AVX);
|
||||||
|
+ return (_gnutls_x86_cpuid_s[1] & (bit_AVX|bit_MOVBE)) == (bit_AVX|bit_MOVBE);
|
||||||
|
}
|
||||||
|
|
||||||
|
static unsigned check_pclmul(void)
|
||||||
|
@@ -579,6 +580,19 @@ void register_x86_intel_crypto(unsigned capabilities)
|
||||||
|
if (capabilities == 0) {
|
||||||
|
if (!read_cpuid_vals(_gnutls_x86_cpuid_s))
|
||||||
|
return;
|
||||||
|
+ if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) {
|
||||||
|
+ _gnutls_x86_cpuid_s[1] &= ~bit_AVX;
|
||||||
|
+
|
||||||
|
+ /* Clear AVX2 bits as well, according to what
|
||||||
|
+ * OpenSSL does. Should we clear
|
||||||
|
+ * bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER,
|
||||||
|
+ * and bit_AVX512CD? */
|
||||||
|
+ _gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|
|
||||||
|
+ bit_AVX512F|
|
||||||
|
+ bit_AVX512IFMA|
|
||||||
|
+ bit_AVX512BW|
|
||||||
|
+ bit_AVX512BW);
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
capabilities_to_intel_cpuid(capabilities);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
@ -1,5 +1,5 @@
|
|||||||
Version: 3.6.16
|
Version: 3.6.16
|
||||||
Release: 5%{?dist}
|
Release: 6%{?dist}
|
||||||
Patch1: gnutls-3.2.7-rpath.patch
|
Patch1: gnutls-3.2.7-rpath.patch
|
||||||
Patch2: gnutls-3.6.4-no-now-guile.patch
|
Patch2: gnutls-3.6.4-no-now-guile.patch
|
||||||
Patch3: gnutls-3.6.13-enable-intel-cet.patch
|
Patch3: gnutls-3.6.13-enable-intel-cet.patch
|
||||||
@ -9,6 +9,7 @@ Patch12: gnutls-3.6.16-tls12-cert-type.patch
|
|||||||
Patch13: gnutls-3.6.16-trust-ca-sha1.patch
|
Patch13: gnutls-3.6.16-trust-ca-sha1.patch
|
||||||
Patch14: gnutls-3.6.16-doc-p11tool-ckaid.patch
|
Patch14: gnutls-3.6.16-doc-p11tool-ckaid.patch
|
||||||
Patch15: gnutls-3.6.16-pkcs7-verify.patch
|
Patch15: gnutls-3.6.16-pkcs7-verify.patch
|
||||||
|
Patch16: gnutls-3.6.16-cpuid.patch
|
||||||
%bcond_without dane
|
%bcond_without dane
|
||||||
%if 0%{?rhel}
|
%if 0%{?rhel}
|
||||||
%bcond_with guile
|
%bcond_with guile
|
||||||
@ -293,8 +294,11 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Dec 19 2022 Daiki Ueno <dueno@redhat.com> - 3.6.16-6
|
||||||
|
- Fix x86_64 CPU feature detection when AVX is not available (#2116610)
|
||||||
|
|
||||||
* Mon Aug 29 2022 Daiki Ueno <dueno@redhat.com> - 3.6.16-5
|
* Mon Aug 29 2022 Daiki Ueno <dueno@redhat.com> - 3.6.16-5
|
||||||
- Fix double-free in gnutls_pkcs7_verify (#2109787)
|
- Fix double-free in gnutls_pkcs7_verify (#2109788)
|
||||||
|
|
||||||
* Mon Jun 28 2021 Daiki Ueno <dueno@redhat.com> - 3.6.16-4
|
* Mon Jun 28 2021 Daiki Ueno <dueno@redhat.com> - 3.6.16-4
|
||||||
- p11tool: Document ID reuse behavior when importing certs (#1776250)
|
- p11tool: Document ID reuse behavior when importing certs (#1776250)
|
||||||
|
Loading…
Reference in New Issue
Block a user