.gitignore

@@ -1,2 +1,3 @@
 SOURCES/gnutls-3.6.16.tar.xz
+SOURCES/gnutls-3.6.16.tar.xz.sig
 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg

.gnutls.metadata

@@ -1,2 +1,3 @@
 6ba8fb898dcf4b4046b60662ba97df835593e687 SOURCES/gnutls-3.6.16.tar.xz
+b41ac56ff6cca4539c8b084db2c84e8bc21d60ac SOURCES/gnutls-3.6.16.tar.xz.sig
 648ec46f9539fe756fb90131b85ae4759ed2ed21 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg

SOURCES/gnutls-3.6.16-cpuid.patch

@@ -0,0 +1,247 @@
+From 300c6315d2e644ae81b43fa2dd7bbf68b3afb5b2 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 18 Nov 2021 19:02:03 +0100
+Subject: [PATCH 1/2] accelerated: fix CPU feature detection for Intel CPUs
+
+This fixes read_cpuid_vals to correctly read the CPUID quadruple, as
+well as to set the bit the ustream CRYPTOGAMS uses to identify Intel
+CPUs.
+
+Suggested by Rafael Gieschke in:
+https://gitlab.com/gnutls/gnutls/-/issues/1282
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/accelerated/x86/x86-common.c | 91 +++++++++++++++++++++++++-------
+ 1 file changed, 71 insertions(+), 20 deletions(-)
+
+diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
+index 3845c6b4c9..cf615ef24f 100644
+--- a/lib/accelerated/x86/x86-common.c
++++ b/lib/accelerated/x86/x86-common.c
+@@ -81,15 +81,38 @@ unsigned int _gnutls_x86_cpuid_s[4];
+ # define bit_AVX 0x10000000
+ #endif
+ 
+-#ifndef OSXSAVE_MASK
+-/* OSXSAVE|FMA|MOVBE */
+-# define OSXSAVE_MASK (0x8000000|0x1000|0x400000)
++#ifndef bit_AVX2
++# define bit_AVX2 0x00000020
++#endif
++
++#ifndef bit_AVX512F
++# define bit_AVX512F 0x00010000
++#endif
++
++#ifndef bit_AVX512IFMA
++# define bit_AVX512IFMA 0x00200000
++#endif
++
++#ifndef bit_AVX512BW
++# define bit_AVX512BW 0x40000000
++#endif
++
++#ifndef bit_AVX512VL
++# define bit_AVX512VL 0x80000000
++#endif
++
++#ifndef bit_OSXSAVE
++# define bit_OSXSAVE 0x8000000
+ #endif
+ 
+ #ifndef bit_MOVBE
+ # define bit_MOVBE 0x00400000
+ #endif
+ 
++#ifndef OSXSAVE_MASK
++# define OSXSAVE_MASK (bit_OSXSAVE|bit_MOVBE)
++#endif
++
+ #define via_bit_PADLOCK (0x3 << 6)
+ #define via_bit_PADLOCK_PHE (0x3 << 10)
+ #define via_bit_PADLOCK_PHE_SHA512 (0x3 << 25)
+@@ -127,7 +150,7 @@ static unsigned read_cpuid_vals(unsigned int vals[4])
+ 	unsigned t1, t2, t3;
+ 	vals[0] = vals[1] = vals[2] = vals[3] = 0;
+ 
+-	if (!__get_cpuid(1, &t1, &vals[0], &vals[1], &t2))
++	if (!__get_cpuid(1, &t1, &t2, &vals[1], &vals[0]))
+ 		return 0;
+ 	/* suppress AVX512; it works conditionally on certain CPUs on the original code */
+ 	vals[1] &= 0xfffff7ff;
+@@ -145,7 +168,7 @@ static unsigned check_4th_gen_intel_features(unsigned ecx)
+ {
+ 	uint32_t xcr0;
+ 
+-	if ((ecx & OSXSAVE_MASK) != OSXSAVE_MASK)
++	if ((ecx & bit_OSXSAVE) != bit_OSXSAVE)
+ 		return 0;
+ 
+ #if defined(_MSC_VER) && !defined(__clang__)
+@@ -233,10 +256,7 @@ static unsigned check_sha(void)
+ #ifdef ASM_X86_64
+ static unsigned check_avx_movbe(void)
+ {
+-	if (check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1]) == 0)
+-		return 0;
+-
+-	return ((_gnutls_x86_cpuid_s[1] & bit_AVX));
++	return (_gnutls_x86_cpuid_s[1] & bit_AVX);
+ }
+ 
+ static unsigned check_pclmul(void)
+@@ -514,33 +534,47 @@ void register_x86_padlock_crypto(unsigned capabilities)
+ }
+ #endif
+ 
+-static unsigned check_intel_or_amd(void)
++enum x86_cpu_vendor {
++	X86_CPU_VENDOR_OTHER,
++	X86_CPU_VENDOR_INTEL,
++	X86_CPU_VENDOR_AMD,
++};
++
++static enum x86_cpu_vendor check_x86_cpu_vendor(void)
+ {
+ 	unsigned int a, b, c, d;
+ 
+-	if (!__get_cpuid(0, &a, &b, &c, &d))
+-		return 0;
++	if (!__get_cpuid(0, &a, &b, &c, &d)) {
++		return X86_CPU_VENDOR_OTHER;
++	}
+ 
+-	if ((memcmp(&b, "Genu", 4) == 0 &&
+-	     memcmp(&d, "ineI", 4) == 0 &&
+-	     memcmp(&c, "ntel", 4) == 0) ||
+-	    (memcmp(&b, "Auth", 4) == 0 &&
+-	     memcmp(&d, "enti", 4) == 0 && memcmp(&c, "cAMD", 4) == 0)) {
+-		return 1;
++	if (memcmp(&b, "Genu", 4) == 0 &&
++	    memcmp(&d, "ineI", 4) == 0 &&
++	    memcmp(&c, "ntel", 4) == 0) {
++		return X86_CPU_VENDOR_INTEL;
+ 	}
+ 
+-	return 0;
++	if (memcmp(&b, "Auth", 4) == 0 &&
++	    memcmp(&d, "enti", 4) == 0 &&
++	    memcmp(&c, "cAMD", 4) == 0) {
++		return X86_CPU_VENDOR_AMD;
++	}
++
++	return X86_CPU_VENDOR_OTHER;
+ }
+ 
+ static
+ void register_x86_intel_crypto(unsigned capabilities)
+ {
+ 	int ret;
++	enum x86_cpu_vendor vendor;
+ 
+ 	memset(_gnutls_x86_cpuid_s, 0, sizeof(_gnutls_x86_cpuid_s));
+ 
+-	if (check_intel_or_amd() == 0)
++	vendor = check_x86_cpu_vendor();
++	if (vendor == X86_CPU_VENDOR_OTHER) {
+ 		return;
++	}
+ 
+ 	if (capabilities == 0) {
+ 		if (!read_cpuid_vals(_gnutls_x86_cpuid_s))
+@@ -549,6 +583,23 @@ void register_x86_intel_crypto(unsigned capabilities)
+ 		capabilities_to_intel_cpuid(capabilities);
+ 	}
+ 
++	/* CRYPTOGAMS uses the (1 << 30) bit as an indicator of Intel CPUs */
++	if (vendor == X86_CPU_VENDOR_INTEL) {
++		_gnutls_x86_cpuid_s[0] |= 1 << 30;
++	} else {
++		_gnutls_x86_cpuid_s[0] &= ~(1 << 30);
++	}
++
++	if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) {
++		_gnutls_x86_cpuid_s[1] &= ~bit_AVX;
++
++		/* Clear AVX2 bits as well, according to what OpenSSL does.
++		 * Should we clear bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER, and
++		 * bit_AVX512CD? */
++		_gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|bit_AVX512F|bit_AVX512IFMA|
++					    bit_AVX512BW|bit_AVX512BW);
++	}
++
+ 	if (check_ssse3()) {
+ 		_gnutls_debug_log("Intel SSSE3 was detected\n");
+ 
+-- 
+2.37.3
+
+
+From cd509dac9e6d1bf76fd12c72c1fd61f1708c254a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 15 Aug 2022 09:39:18 +0900
+Subject: [PATCH 2/2] accelerated: clear AVX bits if it cannot be queried
+ through XSAVE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The algorithm to detect AVX is described in 14.3 of "Intel® 64 and IA-32
+Architectures Software Developer’s Manual".
+
+GnuTLS previously only followed that algorithm when registering the
+crypto backend, while the CRYPTOGAMS derived SHA code assembly expects
+that the extension bits are propagated to _gnutls_x86_cpuid_s.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/accelerated/x86/x86-common.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
+index cf615ef24f..655d0c65f2 100644
+--- a/lib/accelerated/x86/x86-common.c
++++ b/lib/accelerated/x86/x86-common.c
+@@ -210,7 +210,8 @@ static void capabilities_to_intel_cpuid(unsigned capabilities)
+ 	}
+ 
+ 	if (capabilities & INTEL_AVX) {
+-		if ((a[1] & bit_AVX) && check_4th_gen_intel_features(a[1])) {
++		if ((a[1] & bit_AVX) && (a[1] & bit_MOVBE) &&
++		    check_4th_gen_intel_features(a[1])) {
+ 			_gnutls_x86_cpuid_s[1] |= bit_AVX|bit_MOVBE;
+ 		} else {
+ 			_gnutls_debug_log
+@@ -256,7 +257,7 @@ static unsigned check_sha(void)
+ #ifdef ASM_X86_64
+ static unsigned check_avx_movbe(void)
+ {
+-	return (_gnutls_x86_cpuid_s[1] & bit_AVX);
++	return (_gnutls_x86_cpuid_s[1] & (bit_AVX|bit_MOVBE)) == (bit_AVX|bit_MOVBE);
+ }
+ 
+ static unsigned check_pclmul(void)
+@@ -579,6 +580,19 @@ void register_x86_intel_crypto(unsigned capabilities)
+ 	if (capabilities == 0) {
+ 		if (!read_cpuid_vals(_gnutls_x86_cpuid_s))
+ 			return;
++		if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) {
++			_gnutls_x86_cpuid_s[1] &= ~bit_AVX;
++
++			/* Clear AVX2 bits as well, according to what
++			 * OpenSSL does.  Should we clear
++			 * bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER,
++			 * and bit_AVX512CD? */
++			_gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|
++						    bit_AVX512F|
++						    bit_AVX512IFMA|
++						    bit_AVX512BW|
++						    bit_AVX512BW);
++		}
+ 	} else {
+ 		capabilities_to_intel_cpuid(capabilities);
+ 	}
+-- 
+2.37.3
+

SOURCES/gnutls-3.6.16-deterministic-ecdsa-fixes.patch

@@ -0,0 +1,474 @@
+From 0d39e4120bc5ece53c86c5802c546259b8ca286a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 12 Jan 2024 17:56:58 +0900
+Subject: [PATCH] nettle: avoid normalization of mpz_t in deterministic ECDSA
+
+This removes function calls that potentially leak bit-length of a
+private key used to calculate a nonce in deterministic ECDSA.  Namely:
+
+- _gnutls_dsa_compute_k has been rewritten to work on always
+  zero-padded mp_limb_t arrays instead of mpz_t
+- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
+  by a byte array instead of an mpz_t value
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/int/dsa-compute-k.c    | 84 +++++++++++++++++++------------
+ lib/nettle/int/dsa-compute-k.h    | 31 +++++++++---
+ lib/nettle/int/ecdsa-compute-k.c  | 71 +++++++++-----------------
+ lib/nettle/int/ecdsa-compute-k.h  |  8 +--
+ lib/nettle/pk.c                   | 79 ++++++++++++++++++++---------
+ tests/sign-verify-deterministic.c |  2 +-
+ 6 files changed, 158 insertions(+), 117 deletions(-)
+
+diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
+index 17d63318c4..ddeb6f6d1e 100644
+--- a/lib/nettle/int/dsa-compute-k.c
++++ b/lib/nettle/int/dsa-compute-k.c
+@@ -31,33 +31,37 @@
+ #include "mpn-base256.h"
+ #include <string.h>
+ 
+-#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
+-
+-/* The maximum size of q, choosen from the fact that we support
+- * 521-bit elliptic curve generator and 512-bit DSA subgroup at
+- * maximum. */
+-#define MAX_Q_BITS 521
+-#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
+-#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
+-
+-#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
+-#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
+-
+-int
+-_gnutls_dsa_compute_k(mpz_t k,
+-		      const mpz_t q,
+-		      const mpz_t x,
+-		      gnutls_mac_algorithm_t mac,
+-		      const uint8_t *digest,
+-		      size_t length)
++/* For mini-gmp */
++#ifndef GMP_LIMB_BITS
++#define GMP_LIMB_BITS GMP_NUMB_BITS
++#endif
++
++static inline int is_zero_limb(mp_limb_t x)
++{
++	x |= (x << 1);
++	return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1);
++}
++
++static int sec_zero_p(const mp_limb_t *ap, mp_size_t n)
++{
++	volatile mp_limb_t w;
++	mp_size_t i;
++
++	for (i = 0, w = 0; i < n; i++)
++		w |= ap[i];
++
++	return is_zero_limb(w);
++}
++
++int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
++			  mp_size_t qn, mp_bitcnt_t q_bits,
++			  gnutls_mac_algorithm_t mac, const uint8_t *digest,
++			  size_t length)
+ {
+ 	uint8_t V[MAX_HASH_SIZE];
+ 	uint8_t K[MAX_HASH_SIZE];
+ 	uint8_t xp[MAX_Q_SIZE];
+ 	uint8_t tp[MAX_Q_SIZE];
+-	mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
+-	mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
+-	mp_size_t qn = mpz_size(q);
+ 	mp_bitcnt_t h_bits = length * 8;
+ 	mp_size_t hn = BITS_TO_LIMBS(h_bits);
+ 	size_t nbytes = (q_bits + 7) / 8;
+@@ -66,6 +70,7 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 	mp_limb_t cy;
+ 	gnutls_hmac_hd_t hd;
+ 	int ret = 0;
++	mp_limb_t scratch[MAX_Q_LIMBS];
+ 
+ 	if (unlikely(q_bits > MAX_Q_BITS))
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -73,7 +78,7 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ 
+ 	/* int2octets(x) */
+-	mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
++	mpn_get_base256(xp, nbytes, x, qn);
+ 
+ 	/* bits2octets(h) */
+ 	mpn_set_base256(h, hn, digest, length);
+@@ -97,12 +102,12 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 			mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
+ 	}
+ 
+-	cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
++	cy = mpn_sub_n(h, h, q, qn);
+ 	/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
+ #ifdef mpn_cnd_add_n
+-	mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
++	mpn_cnd_add_n(cy, h, h, q, qn);
+ #else
+-	mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
++	mpn_addmul_1(h, q, qn, cy != 0);
+ #endif
+ 	mpn_get_base256(tp, nbytes, h, qn);
+ 
+@@ -178,12 +183,8 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 		if (tlen * 8 > q_bits)
+ 			mpn_rshift (h, h, qn, tlen * 8 - q_bits);
+ 		/* Check if k is in [1,q-1] */
+-		if (!mpn_zero_p (h, qn) &&
+-		    mpn_cmp (h, mpz_limbs_read(q), qn) < 0) {
+-			mpn_copyi(mpz_limbs_write(k, qn), h, qn);
+-			mpz_limbs_finish(k, qn);
++		if (!sec_zero_p(h, qn) && mpn_sub_n(scratch, h, q, qn))
+ 			break;
+-		}
+ 
+ 		ret = gnutls_hmac_init(&hd, mac, K, length);
+ 		if (ret < 0)
+@@ -207,3 +208,24 @@ _gnutls_dsa_compute_k(mpz_t k,
+ 
+ 	return ret;
+ }
++
++/* cancel-out dsa_sign's addition of 1 to random data */
++void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				  mp_size_t n)
++{
++	/* Fall back to sub_1, if nettle is linked with mini-gmp. */
++#ifdef mpn_sec_sub_1
++	mp_limb_t t[MAX_Q_LIMBS];
++
++	mpn_sec_sub_1(h, h, n, 1, t);
++#else
++	mpn_sub_1(h, h, n, 1);
++#endif
++	mpn_get_base256(k, nbytes, h, n);
++}
++
++void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				    mp_size_t n)
++{
++	mpn_get_base256(k, nbytes, h, n);
++}
+diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
+index 64e90e0ca2..e88fce0a6d 100644
+--- a/lib/nettle/int/dsa-compute-k.h
++++ b/lib/nettle/int/dsa-compute-k.h
+@@ -26,12 +26,29 @@
+ #include <gnutls/gnutls.h>
+ #include <nettle/bignum.h> /* includes gmp.h */
+ 
+-int
+-_gnutls_dsa_compute_k(mpz_t k,
+-		      const mpz_t q,
+-		      const mpz_t x,
+-		      gnutls_mac_algorithm_t mac,
+-		      const uint8_t *digest,
+-		      size_t length);
++#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
++
++/* The maximum size of q, chosen from the fact that we support
++ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
++ * maximum. */
++#define MAX_Q_BITS 521
++#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
++#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
++
++#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
++#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
++
++#define DSA_COMPUTE_K_ITCH MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)
++
++int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
++			  mp_size_t qn, mp_bitcnt_t q_bits,
++			  gnutls_mac_algorithm_t mac, const uint8_t *digest,
++			  size_t length);
++
++void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				  mp_size_t n);
++
++void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
++				    mp_size_t n);
+ 
+ #endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
+diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
+index 94914ebdfa..819302c1c7 100644
+--- a/lib/nettle/int/ecdsa-compute-k.c
++++ b/lib/nettle/int/ecdsa-compute-k.c
+@@ -29,67 +29,46 @@
+ #include "dsa-compute-k.h"
+ #include "gnutls_int.h"
+ 
+-static inline int
+-_gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
++int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve)
+ {
+ 	switch (curve) {
+ #ifdef ENABLE_NON_SUITEB_CURVES
+ 	case GNUTLS_ECC_CURVE_SECP192R1:
+-		mpz_init_set_str(*q,
+-				 "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
+-				 "146BC9B1B4D22831",
+-				 16);
++		mpz_set_str(q,
++			    "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
++			    "146BC9B1B4D22831",
++			    16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP224R1:
+-		mpz_init_set_str(*q,
+-				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
+-				 "E0B8F03E13DD29455C5C2A3D",
+-				 16);
++		mpz_set_str(q,
++			    "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
++			    "E0B8F03E13DD29455C5C2A3D",
++			    16);
+ 		return 0;
+ #endif
+ 	case GNUTLS_ECC_CURVE_SECP256R1:
+-		mpz_init_set_str(*q,
+-				 "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
+-				 "BCE6FAADA7179E84F3B9CAC2FC632551",
+-				 16);
++		mpz_set_str(q,
++			    "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
++			    "BCE6FAADA7179E84F3B9CAC2FC632551",
++			    16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP384R1:
+-		mpz_init_set_str(*q,
+-				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+-				 "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
+-				 "581A0DB248B0A77AECEC196ACCC52973",
+-				 16);
++		mpz_set_str(q,
++			    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
++			    "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
++			    "581A0DB248B0A77AECEC196ACCC52973",
++			    16);
+ 		return 0;
+ 	case GNUTLS_ECC_CURVE_SECP521R1:
+-		mpz_init_set_str(*q,
+-				 "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+-				 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+-				 "FFA51868783BF2F966B7FCC0148F709A"
+-				 "5D03BB5C9B8899C47AEBB6FB71E91386"
+-				 "409",
+-				 16);
++		mpz_set_str(q,
++			    "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
++			    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
++			    "FFA51868783BF2F966B7FCC0148F709A"
++			    "5D03BB5C9B8899C47AEBB6FB71E91386"
++			    "409",
++			    16);
+ 		return 0;
+ 	default:
+ 		return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+ 	}
+ }
+-
+-int
+-_gnutls_ecdsa_compute_k (mpz_t k,
+-			 gnutls_ecc_curve_t curve,
+-			 const mpz_t x,
+-			 gnutls_mac_algorithm_t mac,
+-			 const uint8_t *digest,
+-			 size_t length)
+-{
+-	mpz_t q;
+-	int ret;
+-
+-	ret = _gnutls_ecc_curve_to_dsa_q(&q, curve);
+-	if (ret < 0)
+-		return gnutls_assert_val(ret);
+-
+-	ret = _gnutls_dsa_compute_k (k, q, x, mac, digest, length);
+-	mpz_clear(q);
+-	return ret;
+-}
+diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h
+index 7ca401d6e4..a7e612bcab 100644
+--- a/lib/nettle/int/ecdsa-compute-k.h
++++ b/lib/nettle/int/ecdsa-compute-k.h
+@@ -26,12 +26,6 @@
+ #include <gnutls/gnutls.h>
+ #include <nettle/bignum.h> /* includes gmp.h */
+ 
+-int
+-_gnutls_ecdsa_compute_k (mpz_t k,
+-			 gnutls_ecc_curve_t curve,
+-			 const mpz_t x,
+-			 gnutls_mac_algorithm_t mac,
+-			 const uint8_t *digest,
+-			 size_t length);
++int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve);
+ 
+ #endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 588e9df502..b19fe3804a 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -102,10 +102,16 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data)
+ 	}
+ }
+ 
+-static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
++static void rnd_datum_func(void *ctx, size_t length, uint8_t *data)
+ {
+-	mpz_t *k = _ctx;
+-	nettle_mpz_get_str_256 (length, data, *k);
++	gnutls_datum_t *d = ctx;
++
++	if (length > d->size) {
++		memset(data, 0, length - d->size);
++		memcpy(data + (length - d->size), d->data, d->size);
++	} else {
++		memcpy(data, d->data, length);
++	}
+ }
+ 
+ static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
+@@ -976,7 +982,10 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 			struct dsa_signature sig;
+ 			int curve_id = pk_params->curve;
+ 			const struct ecc_curve *curve;
+-			mpz_t k;
++			mpz_t q;
++			/* 521-bit elliptic curve generator at maximum */
++			uint8_t buf[(521 + 7) / 8];
++			gnutls_datum_t k = { NULL, 0 };
+ 			void *random_ctx;
+ 			nettle_random_func *random_func;
+ 
+@@ -1005,19 +1014,32 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 				hash_len = vdata->size;
+ 			}
+ 
+-			mpz_init(k);
++			mpz_init(q);
++
+ 			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
+ 			    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
+-				ret = _gnutls_ecdsa_compute_k(k,
+-							      curve_id,
+-							      pk_params->params[ECC_K],
+-							      DIG_TO_MAC(sign_params->dsa_dig),
+-							      vdata->data,
+-							      vdata->size);
++				mp_limb_t h[DSA_COMPUTE_K_ITCH];
++
++				ret = _gnutls_ecc_curve_to_dsa_q(q, curve_id);
+ 				if (ret < 0)
+ 					goto ecdsa_cleanup;
++
++				ret = _gnutls_dsa_compute_k(
++					h, mpz_limbs_read(q), priv.p,
++					ecc_size(priv.ecc), ecc_bit_size(priv.ecc),
++					DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
++					vdata->size);
++				if (ret < 0)
++					goto ecdsa_cleanup;
++
++				k.data = buf;
++				k.size = (ecc_bit_size(priv.ecc) + 7) / 8;
++
++				_gnutls_ecdsa_compute_k_finish(k.data, k.size, h,
++							       ecc_size(priv.ecc));
++
+ 				random_ctx = &k;
+-				random_func = rnd_mpz_func;
++				random_func = rnd_datum_func;
+ 			} else {
+ 				random_ctx = NULL;
+ 				random_func = rnd_nonce_func;
+@@ -1038,7 +1060,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+  ecdsa_cleanup:
+ 			dsa_signature_clear(&sig);
+ 			ecc_scalar_zclear(&priv);
+-			mpz_clear(k);
++			mpz_clear(q);
+ 
+ 			if (ret < 0) {
+ 				gnutls_assert();
+@@ -1051,7 +1073,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 			struct dsa_params pub;
+ 			bigint_t priv;
+ 			struct dsa_signature sig;
+-			mpz_t k;
++			/* 512-bit DSA subgroup at maximum */
++			uint8_t buf[(512 + 7) / 8];
++			gnutls_datum_t k = { NULL, 0 };
+ 			void *random_ctx;
+ 			nettle_random_func *random_func;
+ 
+@@ -1074,21 +1098,27 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 				hash_len = vdata->size;
+ 			}
+ 
+-			mpz_init(k);
+ 			if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
+ 			    (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
+-				ret = _gnutls_dsa_compute_k(k,
+-							    pub.q,
+-							    TOMPZ(priv),
+-							    DIG_TO_MAC(sign_params->dsa_dig),
+-							    vdata->data,
+-							    vdata->size);
++				mp_limb_t h[DSA_COMPUTE_K_ITCH];
++
++				ret = _gnutls_dsa_compute_k(
++					h, mpz_limbs_read(pub.q),
++					mpz_limbs_read(TOMPZ(priv)), mpz_size(pub.q),
++					mpz_sizeinbase(pub.q, 2),
++					DIG_TO_MAC(sign_params->dsa_dig), vdata->data,
++					vdata->size);
+ 				if (ret < 0)
+ 					goto dsa_fail;
+-				/* cancel-out dsa_sign's addition of 1 to random data */
+-				mpz_sub_ui (k, k, 1);
++
++				k.data = buf;
++				k.size = (mpz_sizeinbase(pub.q, 2) + 7) / 8;
++
++				_gnutls_dsa_compute_k_finish(k.data, k.size, h,
++							     mpz_size(pub.q));
++
+ 				random_ctx = &k;
+-				random_func = rnd_mpz_func;
++				random_func = rnd_datum_func;
+ 			} else {
+ 				random_ctx = NULL;
+ 				random_func = rnd_nonce_func;
+@@ -1108,7 +1138,6 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
+ 
+  dsa_fail:
+ 			dsa_signature_clear(&sig);
+-			mpz_clear(k);
+ 
+ 			if (ret < 0) {
+ 				gnutls_assert();
+diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
+index 6e907288ee..25aa553a59 100644
+--- a/tests/sign-verify-deterministic.c
++++ b/tests/sign-verify-deterministic.c
+@@ -197,7 +197,7 @@ void doit(void)
+ 					      &signature);
+ 		if (ret < 0)
+ 			testfail("gnutls_pubkey_verify_data2\n");
+-		success(" - pass");
++		success(" - pass\n");
+ 
+ 	next:
+ 		gnutls_free(signature.data);
+-- 
+2.44.0
+

SOURCES/gnutls-3.6.16-rehandshake-tickets.patch

@@ -0,0 +1,242 @@
+From 9b50d94bf1c8e749d7dfc593c89e689a161444ae Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 26 Jun 2023 09:30:03 +0200
+Subject: [PATCH] gnutls-3.6.16-rehandshake-tickets.patch
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ lib/ext/session_ticket.c         |   6 ++
+ lib/ext/session_ticket.h         |   1 +
+ lib/libgnutls.map                |   2 +
+ lib/state.c                      |   1 +
+ tests/Makefile.am                |   3 +-
+ tests/tls12-rehandshake-ticket.c | 152 +++++++++++++++++++++++++++++++
+ 6 files changed, 164 insertions(+), 1 deletion(-)
+ create mode 100644 tests/tls12-rehandshake-ticket.c
+
+diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
+index 8f22462..8d83a6c 100644
+--- a/lib/ext/session_ticket.c
++++ b/lib/ext/session_ticket.c
+@@ -618,6 +618,12 @@ gnutls_session_ticket_enable_server(gnutls_session_t session,
+ 	return 0;
+ }
+ 
++void
++_gnutls_session_ticket_disable_server(gnutls_session_t session)
++{
++	session->internals.flags |= GNUTLS_NO_TICKETS;
++}
++
+ /*
+  * Return zero if session tickets haven't been enabled.
+  */
+diff --git a/lib/ext/session_ticket.h b/lib/ext/session_ticket.h
+index da804ec..660c9d3 100644
+--- a/lib/ext/session_ticket.h
++++ b/lib/ext/session_ticket.h
+@@ -36,5 +36,6 @@ int _gnutls_encrypt_session_ticket(gnutls_session_t session,
+ int _gnutls_decrypt_session_ticket(gnutls_session_t session,
+ 				   const gnutls_datum_t *ticket_data,
+ 				   gnutls_datum_t *state);
++void _gnutls_session_ticket_disable_server(gnutls_session_t session);
+ 
+ #endif /* GNUTLS_LIB_EXT_SESSION_TICKET_H */
+diff --git a/lib/libgnutls.map b/lib/libgnutls.map
+index d2f7c0a..6748b3a 100644
+--- a/lib/libgnutls.map
++++ b/lib/libgnutls.map
+@@ -1432,4 +1432,6 @@ GNUTLS_PRIVATE_3_4 {
+ 	_gnutls_buffer_unescape;
+ 	_gnutls_buffer_pop_datum;
+ 	_gnutls_buffer_clear;
++	# needed by tests/tls12-rehandshake-cert-ticket
++	_gnutls_session_ticket_disable_server;
+ } GNUTLS_3_4;
+diff --git a/lib/state.c b/lib/state.c
+index 817a7b8..f1e9daa 100644
+--- a/lib/state.c
++++ b/lib/state.c
+@@ -452,6 +452,7 @@ void _gnutls_handshake_internal_state_clear(gnutls_session_t session)
+ 	session->internals.tfo.connect_addrlen = 0;
+ 	session->internals.tfo.connect_only = 0;
+ 	session->internals.early_data_received = 0;
++	session->internals.session_ticket_renew = 0;
+ }
+ 
+ /**
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 0563d3c..7c5f5c4 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -221,7 +221,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
+ 	 tls13-without-timeout-func buffer status-request-revoked \
+ 	 set_x509_ocsp_multi_cli kdf-api keylog-func \
+ 	 dtls_hello_random_value tls_hello_random_value x509cert-dntypes \
+-	 pkcs7-verify-double-free
++	 pkcs7-verify-double-free \
++	 tls12-rehandshake-ticket
+ 
+ if HAVE_SECCOMP_TESTS
+ ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
+diff --git a/tests/tls12-rehandshake-ticket.c b/tests/tls12-rehandshake-ticket.c
+new file mode 100644
+index 0000000..f96e46e
+--- /dev/null
++++ b/tests/tls12-rehandshake-ticket.c
+@@ -0,0 +1,152 @@
++/*
++ * Copyright (C) 2022 Red Hat, Inc.
++ *
++ * Author: Daiki Ueno
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <https://www.gnu.org/licenses/>
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <gnutls/gnutls.h>
++#include <assert.h>
++#include "cert-common.h"
++
++#include "utils.h"
++#include "eagain-common.h"
++
++const char *side = "";
++
++static void tls_log_func(int level, const char *str)
++{
++	fprintf(stderr, "%s|<%d>| %s", side, level, str);
++}
++
++#define MAX_BUF 1024
++
++void _gnutls_session_ticket_disable_server(gnutls_session_t session);
++
++static void run(void)
++{
++	char buffer[MAX_BUF + 1];
++	/* Server stuff. */
++	gnutls_certificate_credentials_t scred;
++	gnutls_session_t server;
++	gnutls_datum_t session_ticket_key = { NULL, 0 };
++	int sret;
++	/* Client stuff. */
++	gnutls_certificate_credentials_t ccred;
++	gnutls_session_t client;
++	int cret;
++
++	/* General init. */
++	global_init();
++	gnutls_global_set_log_function(tls_log_func);
++	if (debug)
++		gnutls_global_set_log_level(9);
++
++	/* Init server */
++	assert(gnutls_certificate_allocate_credentials(&scred) >= 0);
++	assert(gnutls_certificate_set_x509_key_mem(scred,
++						   &server_ca3_localhost_cert,
++						   &server_ca3_key,
++						   GNUTLS_X509_FMT_PEM) >= 0);
++	assert(gnutls_certificate_set_x509_trust_mem(scred,
++						     &ca3_cert,
++						     GNUTLS_X509_FMT_PEM) >= 0);
++
++	assert(gnutls_init(&server, GNUTLS_SERVER) >= 0);
++	gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
++	assert(gnutls_priority_set_direct(server,
++					  "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2",
++					  NULL) >= 0);
++
++	gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
++	gnutls_transport_set_push_function(server, server_push);
++	gnutls_transport_set_pull_function(server, server_pull);
++	gnutls_transport_set_ptr(server, server);
++
++	gnutls_session_ticket_key_generate(&session_ticket_key);
++	gnutls_session_ticket_enable_server(server, &session_ticket_key);
++
++	/* Init client */
++	assert(gnutls_certificate_allocate_credentials(&ccred) >= 0);
++	assert(gnutls_certificate_set_x509_key_mem
++	       (ccred, &cli_ca3_cert_chain, &cli_ca3_key, GNUTLS_X509_FMT_PEM) >= 0);
++	assert(gnutls_certificate_set_x509_trust_mem
++	       (ccred, &ca3_cert, GNUTLS_X509_FMT_PEM) >= 0);
++
++	gnutls_init(&client, GNUTLS_CLIENT);
++	assert(gnutls_priority_set_direct(client,
++					  "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2",
++					  NULL) >= 0);
++
++	assert(gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred) >= 0);
++
++	gnutls_transport_set_push_function(client, client_push);
++	gnutls_transport_set_pull_function(client, client_pull);
++	gnutls_transport_set_ptr(client, client);
++
++	HANDSHAKE(client, server);
++
++	/* Server initiates rehandshake */
++	switch_side("server");
++	sret = gnutls_rehandshake(server);
++	if (sret < 0) {
++		fail("Error sending %d byte packet: %s\n",
++		     (int)sizeof(buffer), gnutls_strerror(sret));
++	} else if (debug)
++		success("server: starting rehandshake\n");
++
++	/* Stop sending session ticket */
++	_gnutls_session_ticket_disable_server(server);
++
++	/* Client gets notified with rehandshake */
++	switch_side("client");
++	do {
++		do {
++			cret = gnutls_record_recv(client, buffer, MAX_BUF);
++		} while (cret == GNUTLS_E_AGAIN || cret == GNUTLS_E_INTERRUPTED);
++	} while (cret > 0);
++
++	if (cret != GNUTLS_E_REHANDSHAKE) {
++		fail("client: Error receiving rehandshake: %s\n",
++		     gnutls_strerror(cret));
++	}
++
++	HANDSHAKE(client, server);
++
++	gnutls_bye(client, GNUTLS_SHUT_WR);
++	gnutls_bye(server, GNUTLS_SHUT_WR);
++
++	gnutls_deinit(client);
++	gnutls_deinit(server);
++
++	gnutls_certificate_free_credentials(scred);
++	gnutls_certificate_free_credentials(ccred);
++
++	gnutls_free(session_ticket_key.data);
++
++	gnutls_global_deinit();
++	reset_buffers();
++}
++
++void doit(void)
++{
++	run();
++}
+-- 
+2.41.0
+

SOURCES/gnutls-3.6.16-rsa-psk-timing-followup.patch

@@ -0,0 +1,121 @@
+From fe912c5dba49dcecbd5c32bf8184e60a949af452 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 10 Jan 2024 19:13:17 +0900
+Subject: [PATCH] rsa-psk: minimize branching after decryption
+
+This moves any non-trivial code between gnutls_privkey_decrypt_data2
+and the function return in _gnutls_proc_rsa_psk_client_kx up until the
+decryption.  This also avoids an extra memcpy to session->key.key.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
+ 1 file changed, 35 insertions(+), 33 deletions(-)
+
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 93c2dc9998..8f3fe5a4bd 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	int ret, dsize;
+ 	ssize_t data_size = _data_size;
+ 	gnutls_psk_server_credentials_t cred;
+-	gnutls_datum_t premaster_secret = { NULL, 0 };
+ 	volatile uint8_t ver_maj, ver_min;
+ 
+ 	cred = (gnutls_psk_server_credentials_t)
+@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	ver_maj = _gnutls_get_adv_version_major(session);
+ 	ver_min = _gnutls_get_adv_version_minor(session);
+ 
+-	premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+-	if (premaster_secret.data == NULL) {
++	/* Find the key of this username. A random value will be
++	 * filled in if the key is not found.
++	 */
++	ret =
++	    _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
++	if (ret < 0)
++		return gnutls_assert_val(ret);
++
++	/* Allocate memory for premaster secret, and fill in the
++	 * fields except the decryption result.
++	 */
++	session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
++	session->key.key.data = gnutls_malloc(session->key.key.size);
++	if (session->key.key.data == NULL) {
+ 		gnutls_assert();
++		_gnutls_free_key_datum(&pwd_psk);
++		/* No need to zeroize, as the secret is not copied in yet */
++		_gnutls_free_datum(&session->key.key);
+ 		return GNUTLS_E_MEMORY_ERROR;
+ 	}
+-	premaster_secret.size = GNUTLS_MASTER_SIZE;
+ 
+ 	/* Fallback value when decryption fails. Needs to be unpredictable. */
+-	ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+-			 premaster_secret.size);
++	ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
++			 GNUTLS_MASTER_SIZE);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+-		goto cleanup;
++		_gnutls_free_key_datum(&pwd_psk);
++		/* No need to zeroize, as the secret is not copied in yet */
++		_gnutls_free_datum(&session->key.key);
++		return ret;
+ 	}
+ 
++	_gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
++	_gnutls_write_uint16(pwd_psk.size,
++			     &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
++	memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2],
++	       pwd_psk.data, pwd_psk.size);
++	_gnutls_free_key_datum(&pwd_psk);
++
+ 	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+-				     &ciphertext, premaster_secret.data,
+-				     premaster_secret.size);
++				     &ciphertext, session->key.key.data + 2,
++				     GNUTLS_MASTER_SIZE);
+ 	/* After this point, any conditional on failure that cause differences
+ 	 * in execution may create a timing or cache access pattern side
+ 	 * channel that can be used as an oracle, so tread carefully */
+@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	/* This is here to avoid the version check attack
+ 	 * discussed above.
+ 	 */
+-	premaster_secret.data[0] = ver_maj;
+-	premaster_secret.data[1] = ver_min;
+-
+-	/* find the key of this username
+-	 */
+-	ret =
+-	    _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
+-	if (ret < 0) {
+-		gnutls_assert();
+-		goto cleanup;
+-	}
+-
+-	ret =
+-	    set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
+-	if (ret < 0) {
+-		gnutls_assert();
+-		goto cleanup;
+-	}
++	session->key.key.data[2] = ver_maj;
++	session->key.key.data[3] = ver_min;
+ 
+-	ret = 0;
+-      cleanup:
+-	_gnutls_free_key_datum(&pwd_psk);
+-	_gnutls_free_temp_key_datum(&premaster_secret);
+-
+-	return ret;
++	return 0;
+ }
+ 
+ static int
+-- 
+2.43.0
+

SOURCES/gnutls-3.6.16-rsa-psk-timing.patch

@@ -0,0 +1,202 @@
+From e007a54432c98618bde500649817d153225abf6b Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 7 Dec 2023 11:52:08 +0900
+Subject: [PATCH] gnutls-3.6.16-rsa-psk-timing.patch
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ lib/auth/rsa.c     |  2 +-
+ lib/auth/rsa_psk.c | 93 +++++++++++++++++-----------------------------
+ lib/gnutls_int.h   |  4 --
+ lib/priority.c     |  1 -
+ 4 files changed, 35 insertions(+), 65 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 858701f..02b6a34 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 				     session->key.key.size);
+ 	/* After this point, any conditional on failure that cause differences
+ 	 * in execution may create a timing or cache access pattern side
+-	 * channel that can be used as an oracle, so treat very carefully */
++	 * channel that can be used as an oracle, so tread carefully */
+ 
+ 	/* Error handling logic:
+ 	 * In case decryption fails then don't inform the peer. Just use the
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 1a9dab5..93c2dc9 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ {
+ 	gnutls_datum_t username;
+ 	psk_auth_info_t info;
+-	gnutls_datum_t plaintext;
+ 	gnutls_datum_t ciphertext;
+ 	gnutls_datum_t pwd_psk = { NULL, 0 };
+ 	int ret, dsize;
+-	int randomize_key = 0;
+ 	ssize_t data_size = _data_size;
+ 	gnutls_psk_server_credentials_t cred;
+ 	gnutls_datum_t premaster_secret = { NULL, 0 };
++	volatile uint8_t ver_maj, ver_min;
+ 
+ 	cred = (gnutls_psk_server_credentials_t)
+ 	    _gnutls_get_cred(session, GNUTLS_CRD_PSK);
+@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	}
+ 	ciphertext.size = dsize;
+ 
+-	ret =
+-	    gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
+-					&ciphertext, &plaintext);
+-	if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
+-		/* In case decryption fails then don't inform
+-		 * the peer. Just use a random key. (in order to avoid
+-		 * attack against pkcs-1 formatting).
+-		 */
++	ver_maj = _gnutls_get_adv_version_major(session);
++	ver_min = _gnutls_get_adv_version_minor(session);
++
++	premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
++	if (premaster_secret.data == NULL) {
+ 		gnutls_assert();
+-		_gnutls_debug_log
+-		    ("auth_rsa_psk: Possible PKCS #1 format attack\n");
+-		if (ret >= 0) {
+-			gnutls_free(plaintext.data);
+-		}
+-		randomize_key = 1;
+-	} else {
+-		/* If the secret was properly formatted, then
+-		 * check the version number.
+-		 */
+-		if (_gnutls_get_adv_version_major(session) !=
+-		    plaintext.data[0]
+-		    || (session->internals.allow_wrong_pms == 0
+-			&& _gnutls_get_adv_version_minor(session) !=
+-			plaintext.data[1])) {
+-			/* No error is returned here, if the version number check
+-			 * fails. We proceed normally.
+-			 * That is to defend against the attack described in the paper
+-			 * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
+-			 * Ondej Pokorny and Tomas Rosa.
+-			 */
+-			gnutls_assert();
+-			_gnutls_debug_log
+-			    ("auth_rsa: Possible PKCS #1 version check format attack\n");
+-		}
++		return GNUTLS_E_MEMORY_ERROR;
+ 	}
++	premaster_secret.size = GNUTLS_MASTER_SIZE;
+ 
+-
+-	if (randomize_key != 0) {
+-		premaster_secret.size = GNUTLS_MASTER_SIZE;
+-		premaster_secret.data =
+-		    gnutls_malloc(premaster_secret.size);
+-		if (premaster_secret.data == NULL) {
+-			gnutls_assert();
+-			return GNUTLS_E_MEMORY_ERROR;
+-		}
+-
+-		/* we do not need strong random numbers here.
+-		 */
+-		ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+-				  premaster_secret.size);
+-		if (ret < 0) {
+-			gnutls_assert();
+-			goto cleanup;
+-		}
+-	} else {
+-		premaster_secret.data = plaintext.data;
+-		premaster_secret.size = plaintext.size;
++	/* Fallback value when decryption fails. Needs to be unpredictable. */
++	ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
++			 premaster_secret.size);
++	if (ret < 0) {
++		gnutls_assert();
++		goto cleanup;
+ 	}
+ 
++	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
++				     &ciphertext, premaster_secret.data,
++				     premaster_secret.size);
++	/* After this point, any conditional on failure that cause differences
++	 * in execution may create a timing or cache access pattern side
++	 * channel that can be used as an oracle, so tread carefully */
++
++	/* Error handling logic:
++	 * In case decryption fails then don't inform the peer. Just use the
++	 * random key previously generated. (in order to avoid attack against
++	 * pkcs-1 formatting).
++	 *
++	 * If we get version mismatches no error is returned either. We
++	 * proceed normally. This is to defend against the attack described
++	 * in the paper "Attacking RSA-based sessions in SSL/TLS" by
++	 * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
++	 */
++
+ 	/* This is here to avoid the version check attack
+ 	 * discussed above.
+ 	 */
+-
+-	premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
+-	premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
++	premaster_secret.data[0] = ver_maj;
++	premaster_secret.data[1] = ver_min;
+ 
+ 	/* find the key of this username
+ 	 */
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index 31cec5c..815f69b 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -971,7 +971,6 @@ struct gnutls_priority_st {
+ 	bool _no_etm;
+ 	bool _no_ext_master_secret;
+ 	bool _allow_key_usage_violation;
+-	bool _allow_wrong_pms;
+ 	bool _dumbfw;
+ 	unsigned int _dh_prime_bits;	/* old (deprecated) variable */
+ 
+@@ -989,7 +988,6 @@ struct gnutls_priority_st {
+ 	      (x)->no_etm = 1; \
+ 	      (x)->no_ext_master_secret = 1; \
+ 	      (x)->allow_key_usage_violation = 1; \
+-	      (x)->allow_wrong_pms = 1; \
+ 	      (x)->dumbfw = 1
+ 
+ #define ENABLE_PRIO_COMPAT(x) \
+@@ -998,7 +996,6 @@ struct gnutls_priority_st {
+ 	      (x)->_no_etm = 1; \
+ 	      (x)->_no_ext_master_secret = 1; \
+ 	      (x)->_allow_key_usage_violation = 1; \
+-	      (x)->_allow_wrong_pms = 1; \
+ 	      (x)->_dumbfw = 1
+ 
+ /* DH and RSA parameters types.
+@@ -1123,7 +1120,6 @@ typedef struct {
+ 	bool no_etm;
+ 	bool no_ext_master_secret;
+ 	bool allow_key_usage_violation;
+-	bool allow_wrong_pms;
+ 	bool dumbfw;
+ 
+ 	/* old (deprecated) variable. This is used for both srp_prime_bits
+diff --git a/lib/priority.c b/lib/priority.c
+index 0a284ae..67ec887 100644
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -681,7 +681,6 @@ gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority)
+ 	COPY_TO_INTERNALS(no_etm);
+ 	COPY_TO_INTERNALS(no_ext_master_secret);
+ 	COPY_TO_INTERNALS(allow_key_usage_violation);
+-	COPY_TO_INTERNALS(allow_wrong_pms);
+ 	COPY_TO_INTERNALS(dumbfw);
+ 	COPY_TO_INTERNALS(dh_prime_bits);
+ 
+-- 
+2.43.0
+

SOURCES/gnutls-3.7.8-rsa-kx-timing.patch

@@ -0,0 +1,114 @@
+From c149dd0767f32789e391280cb1eb06b7eb7c6bce Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Tue, 9 Aug 2022 16:05:53 +0200
+Subject: [PATCH 1/2] auth/rsa: side-step potential side-channel
+
+Remove branching that depends on secret data.
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+Signed-off-by: Hubert Kario <hkario@redhat.com>
+Tested-by: Hubert Kario <hkario@redhat.com>
+---
+ lib/auth/rsa.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 8108ee841d..6b158bacb2 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -155,7 +155,6 @@ static int
+ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 		   size_t _data_size)
+ {
+-	const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
+ 	gnutls_datum_t ciphertext;
+ 	int ret, dsize;
+ 	ssize_t data_size = _data_size;
+@@ -235,15 +234,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 	ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+ 	        CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+ 
+-	if (ok) {
+-		/* call logging function unconditionally so all branches are
+-		 * indistinguishable for timing and cache access when debug
+-		 * logging is disabled */
+-		_gnutls_no_log("%s", attack_error);
+-	} else {
+-		_gnutls_debug_log("%s", attack_error);
+-	}
+-
+ 	/* This is here to avoid the version check attack
+ 	 * discussed above.
+ 	 */
+-- 
+2.39.1
+
+
+From 7c963102ec2119eecc1789b993aabe5edfd75f3b Mon Sep 17 00:00:00 2001
+From: Hubert Kario <hkario@redhat.com>
+Date: Wed, 8 Feb 2023 14:32:09 +0100
+Subject: [PATCH 2/2] rsa: remove dead code
+
+since the `ok` variable isn't used any more, we can remove all code
+used to calculate it
+
+Signed-off-by: Hubert Kario <hkario@redhat.com>
+---
+ lib/auth/rsa.c | 20 +++-----------------
+ 1 file changed, 3 insertions(+), 17 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 6b158bacb2..858701fe6e 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -159,8 +159,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 	int ret, dsize;
+ 	ssize_t data_size = _data_size;
+ 	volatile uint8_t ver_maj, ver_min;
+-	volatile uint8_t check_ver_min;
+-	volatile uint32_t ok;
+ 
+ #ifdef ENABLE_SSL3
+ 	if (get_num_version(session) == GNUTLS_SSL3) {
+@@ -186,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 
+ 	ver_maj = _gnutls_get_adv_version_major(session);
+ 	ver_min = _gnutls_get_adv_version_minor(session);
+-	check_ver_min = (session->internals.allow_wrong_pms == 0);
+ 
+ 	session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+ 	if (session->key.key.data == NULL) {
+@@ -205,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 		return ret;
+ 	}
+ 
+-	ret =
+-	    gnutls_privkey_decrypt_data2(session->internals.selected_key,
+-					 0, &ciphertext, session->key.key.data,
+-					 session->key.key.size);
++	gnutls_privkey_decrypt_data2(session->internals.selected_key,
++				     0, &ciphertext, session->key.key.data,
++				     session->key.key.size);
+ 	/* After this point, any conditional on failure that cause differences
+ 	 * in execution may create a timing or cache access pattern side
+ 	 * channel that can be used as an oracle, so treat very carefully */
+@@ -224,16 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ 	 * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
+ 	 */
+ 
+-	/* ok is 0 in case of error and 1 in case of success. */
+-
+-	/* if ret < 0 */
+-	ok = CONSTCHECK_EQUAL(ret, 0);
+-	/* session->key.key.data[0] must equal ver_maj */
+-	ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
+-	/* if check_ver_min then session->key.key.data[1] must equal ver_min */
+-	ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+-	        CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+-
+ 	/* This is here to avoid the version check attack
+ 	 * discussed above.
+ 	 */
+-- 
+2.39.1
+

SPECS/gnutls.spec

@@ -1,5 +1,5 @@
 Version:	3.6.16
-Release: 5%{?dist}
+Release: 8%{?dist}.3
 Patch1:	gnutls-3.2.7-rpath.patch
 Patch2:	gnutls-3.6.4-no-now-guile.patch
 Patch3:	gnutls-3.6.13-enable-intel-cet.patch
@@ -9,6 +9,12 @@ Patch12:	gnutls-3.6.16-tls12-cert-type.patch
 Patch13:	gnutls-3.6.16-trust-ca-sha1.patch
 Patch14:	gnutls-3.6.16-doc-p11tool-ckaid.patch
 Patch15:	gnutls-3.6.16-pkcs7-verify.patch
+Patch16:	gnutls-3.6.16-cpuid.patch
+Patch17:	gnutls-3.7.8-rsa-kx-timing.patch
+Patch18:	gnutls-3.6.16-rehandshake-tickets.patch
+Patch19:	gnutls-3.6.16-rsa-psk-timing.patch
+Patch20:	gnutls-3.6.16-rsa-psk-timing-followup.patch
+Patch21:	gnutls-3.6.16-deterministic-ecdsa-fixes.patch
 %bcond_without dane
 %if 0%{?rhel}
 %bcond_with guile
@@ -154,7 +160,7 @@ This package contains Guile bindings for the library.
 %prep
 gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
 
-%autosetup -p1
+%autosetup -p1 -S git
 
 sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
 rm -f lib/minitasn1/*.c lib/minitasn1/*.h
@@ -293,8 +299,27 @@ fi
 %endif
 
 %changelog
+* Tue Mar 26 2024 Daiki Ueno <dueno@redhat.com> - 3.6.16-8.3
+- Fix memleak with older GMP (RHEL-28957)
+
+* Mon Mar 25 2024 Daiki Ueno <dueno@redhat.com> - 3.6.16-8.2
+- Fix timing side-channel in deterministic ECDSA (RHEL-28957)
+
+* Thu Jan 18 2024 Daiki Ueno <dueno@redhat.com> - 3.6.16-8.1
+- auth/rsa-psk: minimize branching after decryption (RHEL-21586)
+
+* Wed Dec  6 2023 Daiki Ueno <dueno@redhat.com> - 3.6.16-8
+- auth/rsa_psk: side-step potential side-channel (RHEL-16753)
+
+* Mon Jun 26 2023 Daiki Ueno <dueno@redhat.com> - 3.6.16-7
+- Clear server's session ticket indication at rehandshake (#2089817)
+
+* Thu Feb 23 2023 Zoltan Fridrich <zfridric@redhat.com> - 3.6.16-6
+- Fix x86_64 CPU feature detection when AVX is not available (#2131152)
+- Fix timing side-channel in TLS RSA key exchange (#2162598)
+
 * Mon Aug 29 2022 Daiki Ueno <dueno@redhat.com> - 3.6.16-5
-- Fix double-free in gnutls_pkcs7_verify (#2109787)
+- Fix double-free in gnutls_pkcs7_verify (#2109788)
 
 * Mon Jun 28 2021 Daiki Ueno <dueno@redhat.com> - 3.6.16-4
 - p11tool: Document ID reuse behavior when importing certs (#1776250)