diff --git a/.gitignore b/.gitignore
index 190b97a..14960ad 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/gnutls-3.6.8.tar.xz
-SOURCES/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+SOURCES/gnutls-3.6.14.tar.xz
+SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
diff --git a/.gnutls.metadata b/.gnutls.metadata
index af466d6..b23acfd 100644
--- a/.gnutls.metadata
+++ b/.gnutls.metadata
@@ -1,2 +1,2 @@
-e1243188791af409bca118d31faf3ec3d5f0a5ab SOURCES/gnutls-3.6.8.tar.xz
-e6f8a1400839ce7b4021cdd0f8d08d71b0693486 SOURCES/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+bea1b5abcb691acf014e592f41d0a9580a41216a SOURCES/gnutls-3.6.14.tar.xz
+648ec46f9539fe756fb90131b85ae4759ed2ed21 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
diff --git a/SOURCES/gnutls-3.6.13-enable-intel-cet.patch b/SOURCES/gnutls-3.6.13-enable-intel-cet.patch
new file mode 100644
index 0000000..ca16882
--- /dev/null
+++ b/SOURCES/gnutls-3.6.13-enable-intel-cet.patch
@@ -0,0 +1,7849 @@
+From 7d969e296f4a8c39a8bdc642a3234b0957531201 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Wed, 20 May 2020 10:51:37 +0200
+Subject: [PATCH] accelerated: Enable Intel CET
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+---
+ lib/accelerated/x86/coff/aes-ssse3-x86.s | 13 +
+ lib/accelerated/x86/coff/aes-ssse3-x86_64.s | 5 +
+ lib/accelerated/x86/coff/aesni-gcm-x86_64.s | 8 +
+ lib/accelerated/x86/coff/aesni-x86.s | 22 ++
+ lib/accelerated/x86/coff/aesni-x86_64.s | 29 +-
+ lib/accelerated/x86/coff/e_padlock-x86.s | 276 +++++++++-------
+ lib/accelerated/x86/coff/e_padlock-x86_64.s | 218 ++++++++-----
+ lib/accelerated/x86/coff/ghash-x86_64.s | 6 +
+ lib/accelerated/x86/coff/sha1-ssse3-x86.s | 1 +
+ lib/accelerated/x86/coff/sha1-ssse3-x86_64.s | 2 +-
+ lib/accelerated/x86/coff/sha256-ssse3-x86.s | 1 +
+ .../x86/coff/sha256-ssse3-x86_64.s | 18 +-
+ lib/accelerated/x86/coff/sha512-ssse3-x86.s | 1 +
+ .../x86/coff/sha512-ssse3-x86_64.s | 20 +-
+ lib/accelerated/x86/elf/aes-ssse3-x86.s | 30 ++
+ lib/accelerated/x86/elf/aes-ssse3-x86_64.s | 26 ++
+ lib/accelerated/x86/elf/aesni-gcm-x86_64.s | 29 ++
+ lib/accelerated/x86/elf/aesni-x86.s | 39 +++
+ lib/accelerated/x86/elf/aesni-x86_64.s | 50 ++-
+ lib/accelerated/x86/elf/e_padlock-x86.s | 306 ++++++++++--------
+ lib/accelerated/x86/elf/e_padlock-x86_64.s | 242 +++++++++-----
+ lib/accelerated/x86/elf/ghash-x86_64.s | 27 ++
+ lib/accelerated/x86/elf/sha1-ssse3-x86.s | 18 ++
+ lib/accelerated/x86/elf/sha1-ssse3-x86_64.s | 23 +-
+ lib/accelerated/x86/elf/sha256-ssse3-x86.s | 18 ++
+ lib/accelerated/x86/elf/sha256-ssse3-x86_64.s | 51 ++-
+ lib/accelerated/x86/elf/sha512-ssse3-x86.s | 18 ++
+ lib/accelerated/x86/elf/sha512-ssse3-x86_64.s | 49 ++-
+ lib/accelerated/x86/macosx/aes-ssse3-x86.s | 13 +
+ lib/accelerated/x86/macosx/aes-ssse3-x86_64.s | 5 +
+ lib/accelerated/x86/macosx/aesni-gcm-x86_64.s | 8 +
+ lib/accelerated/x86/macosx/aesni-x86.s | 22 ++
+ lib/accelerated/x86/macosx/aesni-x86_64.s | 29 +-
+ lib/accelerated/x86/macosx/e_padlock-x86.s | 288 +++++++++--------
+ lib/accelerated/x86/macosx/e_padlock-x86_64.s | 218 ++++++++-----
+ lib/accelerated/x86/macosx/ghash-x86_64.s | 6 +
+ lib/accelerated/x86/macosx/sha1-ssse3-x86.s | 1 +
+ .../x86/macosx/sha1-ssse3-x86_64.s | 2 +-
+ lib/accelerated/x86/macosx/sha256-ssse3-x86.s | 1 +
+ .../x86/macosx/sha256-ssse3-x86_64.s | 30 +-
+ lib/accelerated/x86/macosx/sha512-ssse3-x86.s | 1 +
+ .../x86/macosx/sha512-ssse3-x86_64.s | 28 +-
+ 42 files changed, 1541 insertions(+), 657 deletions(-)
+
+diff --git a/lib/accelerated/x86/coff/aes-ssse3-x86.s b/lib/accelerated/x86/coff/aes-ssse3-x86.s
+index c58ea2359..1dced3b2a 100644
+--- a/lib/accelerated/x86/coff/aes-ssse3-x86.s
++++ b/lib/accelerated/x86/coff/aes-ssse3-x86.s
+@@ -71,6 +71,7 @@
+ .def __vpaes_preheat; .scl 3; .type 32; .endef
+ .align 16
+ __vpaes_preheat:
++.byte 243,15,30,251
+ addl (%esp),%ebp
+ movdqa -48(%ebp),%xmm7
+ movdqa -16(%ebp),%xmm6
+@@ -78,6 +79,7 @@ __vpaes_preheat:
+ .def __vpaes_encrypt_core; .scl 3; .type 32; .endef
+ .align 16
+ __vpaes_encrypt_core:
++.byte 243,15,30,251
+ movl $16,%ecx
+ movl 240(%edx),%eax
+ movdqa %xmm6,%xmm1
+@@ -154,6 +156,7 @@ __vpaes_encrypt_core:
+ .def __vpaes_decrypt_core; .scl 3; .type 32; .endef
+ .align 16
+ __vpaes_decrypt_core:
++.byte 243,15,30,251
+ leal 608(%ebp),%ebx
+ movl 240(%edx),%eax
+ movdqa %xmm6,%xmm1
+@@ -241,6 +244,7 @@ __vpaes_decrypt_core:
+ .def __vpaes_schedule_core; .scl 3; .type 32; .endef
+ .align 16
+ __vpaes_schedule_core:
++.byte 243,15,30,251
+ addl (%esp),%ebp
+ movdqu (%esi),%xmm0
+ movdqa 320(%ebp),%xmm2
+@@ -334,6 +338,7 @@ __vpaes_schedule_core:
+ .def __vpaes_schedule_192_smear; .scl 3; .type 32; .endef
+ .align 16
+ __vpaes_schedule_192_smear:
++.byte 243,15,30,251
+ pshufd $128,%xmm6,%xmm1
+ pshufd $254,%xmm7,%xmm0
+ pxor %xmm1,%xmm6
+@@ -345,6 +350,7 @@ __vpaes_schedule_192_smear:
+ .def __vpaes_schedule_round; .scl 3; .type 32; .endef
+ .align 16
+ __vpaes_schedule_round:
++.byte 243,15,30,251
+ movdqa 8(%esp),%xmm2
+ pxor %xmm1,%xmm1
+ .byte 102,15,58,15,202,15
+@@ -393,6 +399,7 @@ __vpaes_schedule_round:
+ .def __vpaes_schedule_transform; .scl 3; .type 32; .endef
+ .align 16
+ __vpaes_schedule_transform:
++.byte 243,15,30,251
+ movdqa -16(%ebp),%xmm2
+ movdqa %xmm2,%xmm1
+ pandn %xmm0,%xmm1
+@@ -407,6 +414,7 @@ __vpaes_schedule_transform:
+ .def __vpaes_schedule_mangle; .scl 3; .type 32; .endef
+ .align 16
+ __vpaes_schedule_mangle:
++.byte 243,15,30,251
+ movdqa %xmm0,%xmm4
+ movdqa 128(%ebp),%xmm5
+ testl %edi,%edi
+@@ -467,6 +475,7 @@ __vpaes_schedule_mangle:
+ .align 16
+ _vpaes_set_encrypt_key:
+ .L_vpaes_set_encrypt_key_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -499,6 +508,7 @@ _vpaes_set_encrypt_key:
+ .align 16
+ _vpaes_set_decrypt_key:
+ .L_vpaes_set_decrypt_key_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -536,6 +546,7 @@ _vpaes_set_decrypt_key:
+ .align 16
+ _vpaes_encrypt:
+ .L_vpaes_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -564,6 +575,7 @@ _vpaes_encrypt:
+ .align 16
+ _vpaes_decrypt:
+ .L_vpaes_decrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -592,6 +604,7 @@ _vpaes_decrypt:
+ .align 16
+ _vpaes_cbc_encrypt:
+ .L_vpaes_cbc_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+diff --git a/lib/accelerated/x86/coff/aes-ssse3-x86_64.s b/lib/accelerated/x86/coff/aes-ssse3-x86_64.s
+index 150c9921d..f3fee5629 100644
+--- a/lib/accelerated/x86/coff/aes-ssse3-x86_64.s
++++ b/lib/accelerated/x86/coff/aes-ssse3-x86_64.s
+@@ -643,6 +643,7 @@ vpaes_set_encrypt_key:
+ movq %r8,%rdx
+
+
++.byte 243,15,30,250
+ leaq -184(%rsp),%rsp
+ movaps %xmm6,16(%rsp)
+ movaps %xmm7,32(%rsp)
+@@ -695,6 +696,7 @@ vpaes_set_decrypt_key:
+ movq %r8,%rdx
+
+
++.byte 243,15,30,250
+ leaq -184(%rsp),%rsp
+ movaps %xmm6,16(%rsp)
+ movaps %xmm7,32(%rsp)
+@@ -752,6 +754,7 @@ vpaes_encrypt:
+ movq %r8,%rdx
+
+
++.byte 243,15,30,250
+ leaq -184(%rsp),%rsp
+ movaps %xmm6,16(%rsp)
+ movaps %xmm7,32(%rsp)
+@@ -799,6 +802,7 @@ vpaes_decrypt:
+ movq %r8,%rdx
+
+
++.byte 243,15,30,250
+ leaq -184(%rsp),%rsp
+ movaps %xmm6,16(%rsp)
+ movaps %xmm7,32(%rsp)
+@@ -848,6 +852,7 @@ vpaes_cbc_encrypt:
+ movq 48(%rsp),%r9
+
+
++.byte 243,15,30,250
+ xchgq %rcx,%rdx
+ subq $16,%rcx
+ jc .Lcbc_abort
+diff --git a/lib/accelerated/x86/coff/aesni-gcm-x86_64.s b/lib/accelerated/x86/coff/aesni-gcm-x86_64.s
+index 7988004cb..5784e4bcf 100644
+--- a/lib/accelerated/x86/coff/aesni-gcm-x86_64.s
++++ b/lib/accelerated/x86/coff/aesni-gcm-x86_64.s
+@@ -42,6 +42,8 @@
+ .def _aesni_ctr32_ghash_6x; .scl 3; .type 32; .endef
+ .p2align 5
+ _aesni_ctr32_ghash_6x:
++
++.byte 243,15,30,250
+ vmovdqu 32(%r11),%xmm2
+ subq $6,%rdx
+ vpxor %xmm4,%xmm4,%xmm4
+@@ -350,6 +352,7 @@ _aesni_ctr32_ghash_6x:
+
+ .byte 0xf3,0xc3
+
++
+ .globl aesni_gcm_decrypt
+ .def aesni_gcm_decrypt; .scl 2; .type 32; .endef
+ .p2align 5
+@@ -366,6 +369,7 @@ aesni_gcm_decrypt:
+ movq 48(%rsp),%r9
+
+
++.byte 243,15,30,250
+ xorq %r10,%r10
+ cmpq $0x60,%rdx
+ jb .Lgcm_dec_abort
+@@ -490,6 +494,8 @@ aesni_gcm_decrypt:
+ .def _aesni_ctr32_6x; .scl 3; .type 32; .endef
+ .p2align 5
+ _aesni_ctr32_6x:
++
++.byte 243,15,30,250
+ vmovdqu 0-128(%rcx),%xmm4
+ vmovdqu 32(%r11),%xmm2
+ leaq -1(%rbp),%r13
+@@ -578,6 +584,7 @@ _aesni_ctr32_6x:
+ jmp .Loop_ctr32
+
+
++
+ .globl aesni_gcm_encrypt
+ .def aesni_gcm_encrypt; .scl 2; .type 32; .endef
+ .p2align 5
+@@ -594,6 +601,7 @@ aesni_gcm_encrypt:
+ movq 48(%rsp),%r9
+
+
++.byte 243,15,30,250
+ xorq %r10,%r10
+ cmpq $288,%rdx
+ jb .Lgcm_enc_abort
+diff --git a/lib/accelerated/x86/coff/aesni-x86.s b/lib/accelerated/x86/coff/aesni-x86.s
+index c6aa1a1e2..577dc4af2 100644
+--- a/lib/accelerated/x86/coff/aesni-x86.s
++++ b/lib/accelerated/x86/coff/aesni-x86.s
+@@ -43,6 +43,7 @@
+ .align 16
+ _aesni_encrypt:
+ .L_aesni_encrypt_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%eax
+ movl 12(%esp),%edx
+ movups (%eax),%xmm2
+@@ -69,6 +70,7 @@ _aesni_encrypt:
+ .align 16
+ _aesni_decrypt:
+ .L_aesni_decrypt_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%eax
+ movl 12(%esp),%edx
+ movups (%eax),%xmm2
+@@ -93,6 +95,7 @@ _aesni_decrypt:
+ .def __aesni_encrypt2; .scl 3; .type 32; .endef
+ .align 16
+ __aesni_encrypt2:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -119,6 +122,7 @@ __aesni_encrypt2:
+ .def __aesni_decrypt2; .scl 3; .type 32; .endef
+ .align 16
+ __aesni_decrypt2:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -145,6 +149,7 @@ __aesni_decrypt2:
+ .def __aesni_encrypt3; .scl 3; .type 32; .endef
+ .align 16
+ __aesni_encrypt3:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -176,6 +181,7 @@ __aesni_encrypt3:
+ .def __aesni_decrypt3; .scl 3; .type 32; .endef
+ .align 16
+ __aesni_decrypt3:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -207,6 +213,7 @@ __aesni_decrypt3:
+ .def __aesni_encrypt4; .scl 3; .type 32; .endef
+ .align 16
+ __aesni_encrypt4:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ movups 16(%edx),%xmm1
+ shll $4,%ecx
+@@ -244,6 +251,7 @@ __aesni_encrypt4:
+ .def __aesni_decrypt4; .scl 3; .type 32; .endef
+ .align 16
+ __aesni_decrypt4:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ movups 16(%edx),%xmm1
+ shll $4,%ecx
+@@ -281,6 +289,7 @@ __aesni_decrypt4:
+ .def __aesni_encrypt6; .scl 3; .type 32; .endef
+ .align 16
+ __aesni_encrypt6:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -334,6 +343,7 @@ __aesni_encrypt6:
+ .def __aesni_decrypt6; .scl 3; .type 32; .endef
+ .align 16
+ __aesni_decrypt6:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -389,6 +399,7 @@ __aesni_decrypt6:
+ .align 16
+ _aesni_ecb_encrypt:
+ .L_aesni_ecb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -623,6 +634,7 @@ _aesni_ecb_encrypt:
+ .align 16
+ _aesni_ccm64_encrypt_blocks:
+ .L_aesni_ccm64_encrypt_blocks_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -710,6 +722,7 @@ _aesni_ccm64_encrypt_blocks:
+ .align 16
+ _aesni_ccm64_decrypt_blocks:
+ .L_aesni_ccm64_decrypt_blocks_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -832,6 +845,7 @@ _aesni_ccm64_decrypt_blocks:
+ .align 16
+ _aesni_ctr32_encrypt_blocks:
+ .L_aesni_ctr32_encrypt_blocks_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -1069,6 +1083,7 @@ _aesni_ctr32_encrypt_blocks:
+ .align 16
+ _aesni_xts_encrypt:
+ .L_aesni_xts_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -1428,6 +1443,7 @@ _aesni_xts_encrypt:
+ .align 16
+ _aesni_xts_decrypt:
+ .L_aesni_xts_decrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -1817,6 +1833,7 @@ _aesni_xts_decrypt:
+ .align 16
+ _aesni_ocb_encrypt:
+ .L_aesni_ocb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -2211,6 +2228,7 @@ _aesni_ocb_encrypt:
+ .align 16
+ _aesni_ocb_decrypt:
+ .L_aesni_ocb_decrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -2605,6 +2623,7 @@ _aesni_ocb_decrypt:
+ .align 16
+ _aesni_cbc_encrypt:
+ .L_aesni_cbc_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -2863,6 +2882,7 @@ _aesni_cbc_encrypt:
+ .def __aesni_set_encrypt_key; .scl 3; .type 32; .endef
+ .align 16
+ __aesni_set_encrypt_key:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ testl %eax,%eax
+@@ -3197,6 +3217,7 @@ __aesni_set_encrypt_key:
+ .align 16
+ _aesni_set_encrypt_key:
+ .L_aesni_set_encrypt_key_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%eax
+ movl 8(%esp),%ecx
+ movl 12(%esp),%edx
+@@ -3207,6 +3228,7 @@ _aesni_set_encrypt_key:
+ .align 16
+ _aesni_set_decrypt_key:
+ .L_aesni_set_decrypt_key_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%eax
+ movl 8(%esp),%ecx
+ movl 12(%esp),%edx
+diff --git a/lib/accelerated/x86/coff/aesni-x86_64.s b/lib/accelerated/x86/coff/aesni-x86_64.s
+index 4e8de065f..ba2992903 100644
+--- a/lib/accelerated/x86/coff/aesni-x86_64.s
++++ b/lib/accelerated/x86/coff/aesni-x86_64.s
+@@ -44,6 +44,7 @@
+ .p2align 4
+ aesni_encrypt:
+
++.byte 243,15,30,250
+ movups (%rcx),%xmm2
+ movl 240(%r8),%eax
+ movups (%r8),%xmm0
+@@ -70,6 +71,7 @@ aesni_encrypt:
+ .p2align 4
+ aesni_decrypt:
+
++.byte 243,15,30,250
+ movups (%rcx),%xmm2
+ movl 240(%r8),%eax
+ movups (%r8),%xmm0
+@@ -567,6 +569,7 @@ aesni_ecb_encrypt:
+ movq 40(%rsp),%r8
+
+
++.byte 243,15,30,250
+ leaq -88(%rsp),%rsp
+ movaps %xmm6,(%rsp)
+ movaps %xmm7,16(%rsp)
+@@ -939,6 +942,8 @@ aesni_ccm64_encrypt_blocks:
+ movq 40(%rsp),%r8
+ movq 48(%rsp),%r9
+
++
++.byte 243,15,30,250
+ leaq -88(%rsp),%rsp
+ movaps %xmm6,(%rsp)
+ movaps %xmm7,16(%rsp)
+@@ -1015,6 +1020,7 @@ aesni_ccm64_encrypt_blocks:
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_aesni_ccm64_encrypt_blocks:
+ .globl aesni_ccm64_decrypt_blocks
+ .def aesni_ccm64_decrypt_blocks; .scl 2; .type 32; .endef
+@@ -1031,6 +1037,8 @@ aesni_ccm64_decrypt_blocks:
+ movq 40(%rsp),%r8
+ movq 48(%rsp),%r9
+
++
++.byte 243,15,30,250
+ leaq -88(%rsp),%rsp
+ movaps %xmm6,(%rsp)
+ movaps %xmm7,16(%rsp)
+@@ -1141,6 +1149,7 @@ aesni_ccm64_decrypt_blocks:
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_aesni_ccm64_decrypt_blocks:
+ .globl aesni_ctr32_encrypt_blocks
+ .def aesni_ctr32_encrypt_blocks; .scl 2; .type 32; .endef
+@@ -1157,6 +1166,7 @@ aesni_ctr32_encrypt_blocks:
+ movq 40(%rsp),%r8
+
+
++.byte 243,15,30,250
+ cmpq $1,%rdx
+ jne .Lctr32_bulk
+
+@@ -1769,6 +1779,7 @@ aesni_xts_encrypt:
+ movq 48(%rsp),%r9
+
+
++.byte 243,15,30,250
+ leaq (%rsp),%r11
+
+ pushq %rbp
+@@ -2273,6 +2284,7 @@ aesni_xts_decrypt:
+ movq 48(%rsp),%r9
+
+
++.byte 243,15,30,250
+ leaq (%rsp),%r11
+
+ pushq %rbp
+@@ -2814,6 +2826,7 @@ aesni_ocb_encrypt:
+ movq 48(%rsp),%r9
+
+
++.byte 243,15,30,250
+ leaq (%rsp),%rax
+ pushq %rbx
+
+@@ -3046,6 +3059,7 @@ aesni_ocb_encrypt:
+ .def __ocb_encrypt6; .scl 3; .type 32; .endef
+ .p2align 5
+ __ocb_encrypt6:
++
+ pxor %xmm9,%xmm15
+ movdqu (%rbx,%r12,1),%xmm11
+ movdqa %xmm10,%xmm12
+@@ -3145,9 +3159,11 @@ __ocb_encrypt6:
+ .byte 0xf3,0xc3
+
+
++
+ .def __ocb_encrypt4; .scl 3; .type 32; .endef
+ .p2align 5
+ __ocb_encrypt4:
++
+ pxor %xmm9,%xmm15
+ movdqu (%rbx,%r12,1),%xmm11
+ movdqa %xmm10,%xmm12
+@@ -3214,9 +3230,11 @@ __ocb_encrypt4:
+ .byte 0xf3,0xc3
+
+
++
+ .def __ocb_encrypt1; .scl 3; .type 32; .endef
+ .p2align 5
+ __ocb_encrypt1:
++
+ pxor %xmm15,%xmm7
+ pxor %xmm9,%xmm7
+ pxor %xmm2,%xmm8
+@@ -3249,6 +3267,7 @@ __ocb_encrypt1:
+ .byte 0xf3,0xc3
+
+
++
+ .globl aesni_ocb_decrypt
+ .def aesni_ocb_decrypt; .scl 2; .type 32; .endef
+ .p2align 5
+@@ -3265,6 +3284,7 @@ aesni_ocb_decrypt:
+ movq 48(%rsp),%r9
+
+
++.byte 243,15,30,250
+ leaq (%rsp),%rax
+ pushq %rbx
+
+@@ -3519,6 +3539,7 @@ aesni_ocb_decrypt:
+ .def __ocb_decrypt6; .scl 3; .type 32; .endef
+ .p2align 5
+ __ocb_decrypt6:
++
+ pxor %xmm9,%xmm15
+ movdqu (%rbx,%r12,1),%xmm11
+ movdqa %xmm10,%xmm12
+@@ -3612,9 +3633,11 @@ __ocb_decrypt6:
+ .byte 0xf3,0xc3
+
+
++
+ .def __ocb_decrypt4; .scl 3; .type 32; .endef
+ .p2align 5
+ __ocb_decrypt4:
++
+ pxor %xmm9,%xmm15
+ movdqu (%rbx,%r12,1),%xmm11
+ movdqa %xmm10,%xmm12
+@@ -3677,9 +3700,11 @@ __ocb_decrypt4:
+ .byte 0xf3,0xc3
+
+
++
+ .def __ocb_decrypt1; .scl 3; .type 32; .endef
+ .p2align 5
+ __ocb_decrypt1:
++
+ pxor %xmm15,%xmm7
+ pxor %xmm9,%xmm7
+ pxor %xmm7,%xmm2
+@@ -3710,6 +3735,7 @@ __ocb_decrypt1:
+ .byte 102,15,56,223,215
+ .byte 0xf3,0xc3
+
++
+ .globl aesni_cbc_encrypt
+ .def aesni_cbc_encrypt; .scl 2; .type 32; .endef
+ .p2align 4
+@@ -3726,6 +3752,7 @@ aesni_cbc_encrypt:
+ movq 48(%rsp),%r9
+
+
++.byte 243,15,30,250
+ testq %rdx,%rdx
+ jz .Lcbc_ret
+
+@@ -4687,7 +4714,6 @@ __aesni_set_encrypt_key:
+ addq $8,%rsp
+
+ .byte 0xf3,0xc3
+-
+ .LSEH_end_set_encrypt_key:
+
+ .p2align 4
+@@ -4760,6 +4786,7 @@ __aesni_set_encrypt_key:
+ .byte 0xf3,0xc3
+
+
++
+ .p2align 6
+ .Lbswap_mask:
+ .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
+diff --git a/lib/accelerated/x86/coff/e_padlock-x86.s b/lib/accelerated/x86/coff/e_padlock-x86.s
+index 41f87b117..9e27b9324 100644
+--- a/lib/accelerated/x86/coff/e_padlock-x86.s
++++ b/lib/accelerated/x86/coff/e_padlock-x86.s
+@@ -1,4 +1,4 @@
+-# Copyright (c) 2011-2013, Andy Polyakov <appro@openssl.org>
++# Copyright (c) 2011-2016, Andy Polyakov <appro@openssl.org>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without
+@@ -37,13 +37,13 @@
+ #
+ # *** This file is auto-generated ***
+ #
+-.file "devel/perlasm/e_padlock-x86.s"
+ .text
+ .globl _padlock_capability
+ .def _padlock_capability; .scl 2; .type 32; .endef
+ .align 16
+ _padlock_capability:
+ .L_padlock_capability_begin:
++.byte 243,15,30,251
+ pushl %ebx
+ pushfl
+ popl %eax
+@@ -60,11 +60,20 @@ _padlock_capability:
+ .byte 0x0f,0xa2
+ xorl %eax,%eax
+ cmpl $0x746e6543,%ebx
+- jne .L000noluck
++ jne .L001zhaoxin
+ cmpl $0x48727561,%edx
+ jne .L000noluck
+ cmpl $0x736c7561,%ecx
+ jne .L000noluck
++ jmp .L002zhaoxinEnd
++.L001zhaoxin:
++ cmpl $0x68532020,%ebx
++ jne .L000noluck
++ cmpl $0x68676e61,%edx
++ jne .L000noluck
++ cmpl $0x20206961,%ecx
++ jne .L000noluck
++.L002zhaoxinEnd:
+ movl $3221225472,%eax
+ .byte 0x0f,0xa2
+ movl %eax,%edx
+@@ -94,38 +103,41 @@ _padlock_capability:
+ .align 16
+ _padlock_key_bswap:
+ .L_padlock_key_bswap_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%edx
+ movl 240(%edx),%ecx
+-.L001bswap_loop:
++.L003bswap_loop:
+ movl (%edx),%eax
+ bswap %eax
+ movl %eax,(%edx)
+ leal 4(%edx),%edx
+ subl $1,%ecx
+- jnz .L001bswap_loop
++ jnz .L003bswap_loop
+ ret
+ .globl _padlock_verify_context
+ .def _padlock_verify_context; .scl 2; .type 32; .endef
+ .align 16
+ _padlock_verify_context:
+ .L_padlock_verify_context_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%edx
+ leal .Lpadlock_saved_context,%eax
+ pushfl
+ call __padlock_verify_ctx
+-.L002verify_pic_point:
++.L004verify_pic_point:
+ leal 4(%esp),%esp
+ ret
+ .def __padlock_verify_ctx; .scl 3; .type 32; .endef
+ .align 16
+ __padlock_verify_ctx:
++.byte 243,15,30,251
+ btl $30,4(%esp)
+- jnc .L003verified
++ jnc .L005verified
+ cmpl (%eax),%edx
+- je .L003verified
++ je .L005verified
+ pushfl
+ popfl
+-.L003verified:
++.L005verified:
+ movl %edx,(%eax)
+ ret
+ .globl _padlock_reload_key
+@@ -133,6 +145,7 @@ __padlock_verify_ctx:
+ .align 16
+ _padlock_reload_key:
+ .L_padlock_reload_key_begin:
++.byte 243,15,30,251
+ pushfl
+ popfl
+ ret
+@@ -141,6 +154,7 @@ _padlock_reload_key:
+ .align 16
+ _padlock_aes_block:
+ .L_padlock_aes_block_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ pushl %ebx
+@@ -160,6 +174,7 @@ _padlock_aes_block:
+ .align 16
+ _padlock_ecb_encrypt:
+ .L_padlock_ecb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -169,25 +184,25 @@ _padlock_ecb_encrypt:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz .L004ecb_abort
++ jnz .L006ecb_abort
+ testl $15,%ecx
+- jnz .L004ecb_abort
++ jnz .L006ecb_abort
+ leal .Lpadlock_saved_context,%eax
+ pushfl
+ cld
+ call __padlock_verify_ctx
+-.L005ecb_pic_point:
++.L007ecb_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ xorl %ebx,%ebx
+ testl $32,(%edx)
+- jnz .L006ecb_aligned
++ jnz .L008ecb_aligned
+ testl $15,%edi
+ setz %al
+ testl $15,%esi
+ setz %bl
+ testl %ebx,%eax
+- jnz .L006ecb_aligned
++ jnz .L008ecb_aligned
+ negl %eax
+ movl $512,%ebx
+ notl %eax
+@@ -206,7 +221,7 @@ _padlock_ecb_encrypt:
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+ cmpl %ebx,%ecx
+- ja .L007ecb_loop
++ ja .L009ecb_loop
+ movl %esi,%eax
+ cmpl %esp,%ebp
+ cmovel %edi,%eax
+@@ -217,10 +232,10 @@ _padlock_ecb_encrypt:
+ movl $-128,%eax
+ cmovael %ebx,%eax
+ andl %eax,%ebx
+- jz .L008ecb_unaligned_tail
+- jmp .L007ecb_loop
++ jz .L010ecb_unaligned_tail
++ jmp .L009ecb_loop
+ .align 16
+-.L007ecb_loop:
++.L009ecb_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -229,13 +244,13 @@ _padlock_ecb_encrypt:
+ testl $15,%edi
+ cmovnzl %esp,%edi
+ testl $15,%esi
+- jz .L009ecb_inp_aligned
++ jz .L011ecb_inp_aligned
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+ movl %ebx,%ecx
+ movl %edi,%esi
+-.L009ecb_inp_aligned:
++.L011ecb_inp_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -243,23 +258,23 @@ _padlock_ecb_encrypt:
+ movl (%ebp),%edi
+ movl 12(%ebp),%ebx
+ testl $15,%edi
+- jz .L010ecb_out_aligned
++ jz .L012ecb_out_aligned
+ movl %ebx,%ecx
+ leal (%esp),%esi
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+-.L010ecb_out_aligned:
++.L012ecb_out_aligned:
+ movl 4(%ebp),%esi
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jz .L011ecb_break
++ jz .L013ecb_break
+ cmpl %ebx,%ecx
+- jae .L007ecb_loop
+-.L008ecb_unaligned_tail:
++ jae .L009ecb_loop
++.L010ecb_unaligned_tail:
+ xorl %eax,%eax
+ cmpl %ebp,%esp
+ cmovel %ecx,%eax
+@@ -272,24 +287,24 @@ _padlock_ecb_encrypt:
+ movl %esp,%esi
+ movl %eax,%edi
+ movl %ebx,%ecx
+- jmp .L007ecb_loop
++ jmp .L009ecb_loop
+ .align 16
+-.L011ecb_break:
++.L013ecb_break:
+ cmpl %ebp,%esp
+- je .L012ecb_done
++ je .L014ecb_done
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-.L013ecb_bzero:
++.L015ecb_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja .L013ecb_bzero
+-.L012ecb_done:
++ ja .L015ecb_bzero
++.L014ecb_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+- jmp .L014ecb_exit
++ jmp .L016ecb_exit
+ .align 16
+-.L006ecb_aligned:
++.L008ecb_aligned:
+ leal (%esi,%ecx,1),%ebp
+ negl %ebp
+ andl $4095,%ebp
+@@ -299,14 +314,14 @@ _padlock_ecb_encrypt:
+ cmovael %eax,%ebp
+ andl %ecx,%ebp
+ subl %ebp,%ecx
+- jz .L015ecb_aligned_tail
++ jz .L017ecb_aligned_tail
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+ .byte 243,15,167,200
+ testl %ebp,%ebp
+- jz .L014ecb_exit
+-.L015ecb_aligned_tail:
++ jz .L016ecb_exit
++.L017ecb_aligned_tail:
+ movl %ebp,%ecx
+ leal -24(%esp),%ebp
+ movl %ebp,%esp
+@@ -323,11 +338,11 @@ _padlock_ecb_encrypt:
+ movl %esp,%esi
+ movl %eax,%edi
+ movl %ebx,%ecx
+- jmp .L007ecb_loop
+-.L014ecb_exit:
++ jmp .L009ecb_loop
++.L016ecb_exit:
+ movl $1,%eax
+ leal 4(%esp),%esp
+-.L004ecb_abort:
++.L006ecb_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -338,6 +353,7 @@ _padlock_ecb_encrypt:
+ .align 16
+ _padlock_cbc_encrypt:
+ .L_padlock_cbc_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -347,25 +363,25 @@ _padlock_cbc_encrypt:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz .L016cbc_abort
++ jnz .L018cbc_abort
+ testl $15,%ecx
+- jnz .L016cbc_abort
++ jnz .L018cbc_abort
+ leal .Lpadlock_saved_context,%eax
+ pushfl
+ cld
+ call __padlock_verify_ctx
+-.L017cbc_pic_point:
++.L019cbc_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ xorl %ebx,%ebx
+ testl $32,(%edx)
+- jnz .L018cbc_aligned
++ jnz .L020cbc_aligned
+ testl $15,%edi
+ setz %al
+ testl $15,%esi
+ setz %bl
+ testl %ebx,%eax
+- jnz .L018cbc_aligned
++ jnz .L020cbc_aligned
+ negl %eax
+ movl $512,%ebx
+ notl %eax
+@@ -384,7 +400,7 @@ _padlock_cbc_encrypt:
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+ cmpl %ebx,%ecx
+- ja .L019cbc_loop
++ ja .L021cbc_loop
+ movl %esi,%eax
+ cmpl %esp,%ebp
+ cmovel %edi,%eax
+@@ -395,10 +411,10 @@ _padlock_cbc_encrypt:
+ movl $-64,%eax
+ cmovael %ebx,%eax
+ andl %eax,%ebx
+- jz .L020cbc_unaligned_tail
+- jmp .L019cbc_loop
++ jz .L022cbc_unaligned_tail
++ jmp .L021cbc_loop
+ .align 16
+-.L019cbc_loop:
++.L021cbc_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -407,13 +423,13 @@ _padlock_cbc_encrypt:
+ testl $15,%edi
+ cmovnzl %esp,%edi
+ testl $15,%esi
+- jz .L021cbc_inp_aligned
++ jz .L023cbc_inp_aligned
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+ movl %ebx,%ecx
+ movl %edi,%esi
+-.L021cbc_inp_aligned:
++.L023cbc_inp_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -423,23 +439,23 @@ _padlock_cbc_encrypt:
+ movl (%ebp),%edi
+ movl 12(%ebp),%ebx
+ testl $15,%edi
+- jz .L022cbc_out_aligned
++ jz .L024cbc_out_aligned
+ movl %ebx,%ecx
+ leal (%esp),%esi
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+-.L022cbc_out_aligned:
++.L024cbc_out_aligned:
+ movl 4(%ebp),%esi
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jz .L023cbc_break
++ jz .L025cbc_break
+ cmpl %ebx,%ecx
+- jae .L019cbc_loop
+-.L020cbc_unaligned_tail:
++ jae .L021cbc_loop
++.L022cbc_unaligned_tail:
+ xorl %eax,%eax
+ cmpl %ebp,%esp
+ cmovel %ecx,%eax
+@@ -452,24 +468,24 @@ _padlock_cbc_encrypt:
+ movl %esp,%esi
+ movl %eax,%edi
+ movl %ebx,%ecx
+- jmp .L019cbc_loop
++ jmp .L021cbc_loop
+ .align 16
+-.L023cbc_break:
++.L025cbc_break:
+ cmpl %ebp,%esp
+- je .L024cbc_done
++ je .L026cbc_done
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-.L025cbc_bzero:
++.L027cbc_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja .L025cbc_bzero
+-.L024cbc_done:
++ ja .L027cbc_bzero
++.L026cbc_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+- jmp .L026cbc_exit
++ jmp .L028cbc_exit
+ .align 16
+-.L018cbc_aligned:
++.L020cbc_aligned:
+ leal (%esi,%ecx,1),%ebp
+ negl %ebp
+ andl $4095,%ebp
+@@ -479,7 +495,7 @@ _padlock_cbc_encrypt:
+ cmovael %eax,%ebp
+ andl %ecx,%ebp
+ subl %ebp,%ecx
+- jz .L027cbc_aligned_tail
++ jz .L029cbc_aligned_tail
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -487,8 +503,8 @@ _padlock_cbc_encrypt:
+ movaps (%eax),%xmm0
+ movaps %xmm0,-16(%edx)
+ testl %ebp,%ebp
+- jz .L026cbc_exit
+-.L027cbc_aligned_tail:
++ jz .L028cbc_exit
++.L029cbc_aligned_tail:
+ movl %ebp,%ecx
+ leal -24(%esp),%ebp
+ movl %ebp,%esp
+@@ -505,11 +521,11 @@ _padlock_cbc_encrypt:
+ movl %esp,%esi
+ movl %eax,%edi
+ movl %ebx,%ecx
+- jmp .L019cbc_loop
+-.L026cbc_exit:
++ jmp .L021cbc_loop
++.L028cbc_exit:
+ movl $1,%eax
+ leal 4(%esp),%esp
+-.L016cbc_abort:
++.L018cbc_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -520,6 +536,7 @@ _padlock_cbc_encrypt:
+ .align 16
+ _padlock_cfb_encrypt:
+ .L_padlock_cfb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -529,25 +546,25 @@ _padlock_cfb_encrypt:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz .L028cfb_abort
++ jnz .L030cfb_abort
+ testl $15,%ecx
+- jnz .L028cfb_abort
++ jnz .L030cfb_abort
+ leal .Lpadlock_saved_context,%eax
+ pushfl
+ cld
+ call __padlock_verify_ctx
+-.L029cfb_pic_point:
++.L031cfb_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ xorl %ebx,%ebx
+ testl $32,(%edx)
+- jnz .L030cfb_aligned
++ jnz .L032cfb_aligned
+ testl $15,%edi
+ setz %al
+ testl $15,%esi
+ setz %bl
+ testl %ebx,%eax
+- jnz .L030cfb_aligned
++ jnz .L032cfb_aligned
+ negl %eax
+ movl $512,%ebx
+ notl %eax
+@@ -565,9 +582,9 @@ _padlock_cfb_encrypt:
+ andl $-16,%ebp
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+- jmp .L031cfb_loop
++ jmp .L033cfb_loop
+ .align 16
+-.L031cfb_loop:
++.L033cfb_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -576,13 +593,13 @@ _padlock_cfb_encrypt:
+ testl $15,%edi
+ cmovnzl %esp,%edi
+ testl $15,%esi
+- jz .L032cfb_inp_aligned
++ jz .L034cfb_inp_aligned
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+ movl %ebx,%ecx
+ movl %edi,%esi
+-.L032cfb_inp_aligned:
++.L034cfb_inp_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -592,45 +609,45 @@ _padlock_cfb_encrypt:
+ movl (%ebp),%edi
+ movl 12(%ebp),%ebx
+ testl $15,%edi
+- jz .L033cfb_out_aligned
++ jz .L035cfb_out_aligned
+ movl %ebx,%ecx
+ leal (%esp),%esi
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+-.L033cfb_out_aligned:
++.L035cfb_out_aligned:
+ movl 4(%ebp),%esi
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jnz .L031cfb_loop
++ jnz .L033cfb_loop
+ cmpl %ebp,%esp
+- je .L034cfb_done
++ je .L036cfb_done
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-.L035cfb_bzero:
++.L037cfb_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja .L035cfb_bzero
+-.L034cfb_done:
++ ja .L037cfb_bzero
++.L036cfb_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+- jmp .L036cfb_exit
++ jmp .L038cfb_exit
+ .align 16
+-.L030cfb_aligned:
++.L032cfb_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+ .byte 243,15,167,224
+ movaps (%eax),%xmm0
+ movaps %xmm0,-16(%edx)
+-.L036cfb_exit:
++.L038cfb_exit:
+ movl $1,%eax
+ leal 4(%esp),%esp
+-.L028cfb_abort:
++.L030cfb_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -641,6 +658,7 @@ _padlock_cfb_encrypt:
+ .align 16
+ _padlock_ofb_encrypt:
+ .L_padlock_ofb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -650,25 +668,25 @@ _padlock_ofb_encrypt:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz .L037ofb_abort
++ jnz .L039ofb_abort
+ testl $15,%ecx
+- jnz .L037ofb_abort
++ jnz .L039ofb_abort
+ leal .Lpadlock_saved_context,%eax
+ pushfl
+ cld
+ call __padlock_verify_ctx
+-.L038ofb_pic_point:
++.L040ofb_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ xorl %ebx,%ebx
+ testl $32,(%edx)
+- jnz .L039ofb_aligned
++ jnz .L041ofb_aligned
+ testl $15,%edi
+ setz %al
+ testl $15,%esi
+ setz %bl
+ testl %ebx,%eax
+- jnz .L039ofb_aligned
++ jnz .L041ofb_aligned
+ negl %eax
+ movl $512,%ebx
+ notl %eax
+@@ -686,9 +704,9 @@ _padlock_ofb_encrypt:
+ andl $-16,%ebp
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+- jmp .L040ofb_loop
++ jmp .L042ofb_loop
+ .align 16
+-.L040ofb_loop:
++.L042ofb_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -697,13 +715,13 @@ _padlock_ofb_encrypt:
+ testl $15,%edi
+ cmovnzl %esp,%edi
+ testl $15,%esi
+- jz .L041ofb_inp_aligned
++ jz .L043ofb_inp_aligned
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+ movl %ebx,%ecx
+ movl %edi,%esi
+-.L041ofb_inp_aligned:
++.L043ofb_inp_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -713,45 +731,45 @@ _padlock_ofb_encrypt:
+ movl (%ebp),%edi
+ movl 12(%ebp),%ebx
+ testl $15,%edi
+- jz .L042ofb_out_aligned
++ jz .L044ofb_out_aligned
+ movl %ebx,%ecx
+ leal (%esp),%esi
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+-.L042ofb_out_aligned:
++.L044ofb_out_aligned:
+ movl 4(%ebp),%esi
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jnz .L040ofb_loop
++ jnz .L042ofb_loop
+ cmpl %ebp,%esp
+- je .L043ofb_done
++ je .L045ofb_done
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-.L044ofb_bzero:
++.L046ofb_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja .L044ofb_bzero
+-.L043ofb_done:
++ ja .L046ofb_bzero
++.L045ofb_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+- jmp .L045ofb_exit
++ jmp .L047ofb_exit
+ .align 16
+-.L039ofb_aligned:
++.L041ofb_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+ .byte 243,15,167,232
+ movaps (%eax),%xmm0
+ movaps %xmm0,-16(%edx)
+-.L045ofb_exit:
++.L047ofb_exit:
+ movl $1,%eax
+ leal 4(%esp),%esp
+-.L037ofb_abort:
++.L039ofb_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -762,6 +780,7 @@ _padlock_ofb_encrypt:
+ .align 16
+ _padlock_ctr32_encrypt:
+ .L_padlock_ctr32_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -771,14 +790,14 @@ _padlock_ctr32_encrypt:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz .L046ctr32_abort
++ jnz .L048ctr32_abort
+ testl $15,%ecx
+- jnz .L046ctr32_abort
++ jnz .L048ctr32_abort
+ leal .Lpadlock_saved_context,%eax
+ pushfl
+ cld
+ call __padlock_verify_ctx
+-.L047ctr32_pic_point:
++.L049ctr32_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ movq -16(%edx),%mm0
+@@ -798,9 +817,9 @@ _padlock_ctr32_encrypt:
+ andl $-16,%ebp
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+- jmp .L048ctr32_loop
++ jmp .L050ctr32_loop
+ .align 16
+-.L048ctr32_loop:
++.L050ctr32_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -809,7 +828,7 @@ _padlock_ctr32_encrypt:
+ movl -4(%edx),%ecx
+ xorl %edi,%edi
+ movl -8(%edx),%eax
+-.L049ctr32_prepare:
++.L051ctr32_prepare:
+ movl %ecx,12(%esp,%edi,1)
+ bswap %ecx
+ movq %mm0,(%esp,%edi,1)
+@@ -818,7 +837,7 @@ _padlock_ctr32_encrypt:
+ bswap %ecx
+ leal 16(%edi),%edi
+ cmpl %ebx,%edi
+- jb .L049ctr32_prepare
++ jb .L051ctr32_prepare
+ movl %ecx,-4(%edx)
+ leal (%esp),%esi
+ leal (%esp),%edi
+@@ -831,33 +850,33 @@ _padlock_ctr32_encrypt:
+ movl 12(%ebp),%ebx
+ movl 4(%ebp),%esi
+ xorl %ecx,%ecx
+-.L050ctr32_xor:
++.L052ctr32_xor:
+ movups (%esi,%ecx,1),%xmm1
+ leal 16(%ecx),%ecx
+ pxor -16(%esp,%ecx,1),%xmm1
+ movups %xmm1,-16(%edi,%ecx,1)
+ cmpl %ebx,%ecx
+- jb .L050ctr32_xor
++ jb .L052ctr32_xor
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jnz .L048ctr32_loop
++ jnz .L050ctr32_loop
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-.L051ctr32_bzero:
++.L053ctr32_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja .L051ctr32_bzero
+-.L052ctr32_done:
++ ja .L053ctr32_bzero
++.L054ctr32_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+ movl $1,%eax
+ leal 4(%esp),%esp
+ emms
+-.L046ctr32_abort:
++.L048ctr32_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -868,6 +887,7 @@ _padlock_ctr32_encrypt:
+ .align 16
+ _padlock_xstore:
+ .L_padlock_xstore_begin:
++.byte 243,15,30,251
+ pushl %edi
+ movl 8(%esp),%edi
+ movl 12(%esp),%edx
+@@ -877,20 +897,22 @@ _padlock_xstore:
+ .def __win32_segv_handler; .scl 3; .type 32; .endef
+ .align 16
+ __win32_segv_handler:
++.byte 243,15,30,251
+ movl $1,%eax
+ movl 4(%esp),%edx
+ movl 12(%esp),%ecx
+ cmpl $3221225477,(%edx)
+- jne .L053ret
++ jne .L055ret
+ addl $4,184(%ecx)
+ movl $0,%eax
+-.L053ret:
++.L055ret:
+ ret
+ .globl _padlock_sha1_oneshot
+ .def _padlock_sha1_oneshot; .scl 2; .type 32; .endef
+ .align 16
+ _padlock_sha1_oneshot:
+ .L_padlock_sha1_oneshot_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ xorl %eax,%eax
+@@ -926,6 +948,7 @@ _padlock_sha1_oneshot:
+ .align 16
+ _padlock_sha1_blocks:
+ .L_padlock_sha1_blocks_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ movl 12(%esp),%edi
+@@ -955,6 +978,7 @@ _padlock_sha1_blocks:
+ .align 16
+ _padlock_sha256_oneshot:
+ .L_padlock_sha256_oneshot_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ xorl %eax,%eax
+@@ -990,6 +1014,7 @@ _padlock_sha256_oneshot:
+ .align 16
+ _padlock_sha256_blocks:
+ .L_padlock_sha256_blocks_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ movl 12(%esp),%edi
+@@ -1019,6 +1044,7 @@ _padlock_sha256_blocks:
+ .align 16
+ _padlock_sha512_blocks:
+ .L_padlock_sha512_blocks_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ movl 12(%esp),%edi
+diff --git a/lib/accelerated/x86/coff/e_padlock-x86_64.s b/lib/accelerated/x86/coff/e_padlock-x86_64.s
+index 7edee19f5..71c9e1aea 100644
+--- a/lib/accelerated/x86/coff/e_padlock-x86_64.s
++++ b/lib/accelerated/x86/coff/e_padlock-x86_64.s
+@@ -1,4 +1,4 @@
+-# Copyright (c) 2011-2013, Andy Polyakov <appro@openssl.org>
++# Copyright (c) 2011-2016, Andy Polyakov <appro@openssl.org>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without
+@@ -42,36 +42,50 @@
+ .def padlock_capability; .scl 2; .type 32; .endef
+ .p2align 4
+ padlock_capability:
++
++.byte 243,15,30,250
+ movq %rbx,%r8
+ xorl %eax,%eax
+ cpuid
+ xorl %eax,%eax
+- cmpl $1953391939,%ebx
++ cmpl $0x746e6543,%ebx
++ jne .Lzhaoxin
++ cmpl $0x48727561,%edx
++ jne .Lnoluck
++ cmpl $0x736c7561,%ecx
++ jne .Lnoluck
++ jmp .LzhaoxinEnd
++.Lzhaoxin:
++ cmpl $0x68532020,%ebx
+ jne .Lnoluck
+- cmpl $1215460705,%edx
++ cmpl $0x68676e61,%edx
+ jne .Lnoluck
+- cmpl $1936487777,%ecx
++ cmpl $0x20206961,%ecx
+ jne .Lnoluck
+- movl $3221225472,%eax
++.LzhaoxinEnd:
++ movl $0xC0000000,%eax
+ cpuid
+ movl %eax,%edx
+ xorl %eax,%eax
+- cmpl $3221225473,%edx
++ cmpl $0xC0000001,%edx
+ jb .Lnoluck
+- movl $3221225473,%eax
++ movl $0xC0000001,%eax
+ cpuid
+ movl %edx,%eax
+- andl $4294967279,%eax
+- orl $16,%eax
++ andl $0xffffffef,%eax
++ orl $0x10,%eax
+ .Lnoluck:
+ movq %r8,%rbx
+ .byte 0xf3,0xc3
+
+
++
+ .globl padlock_key_bswap
+ .def padlock_key_bswap; .scl 2; .type 32; .endef
+ .p2align 4
+ padlock_key_bswap:
++
++.byte 243,15,30,250
+ movl 240(%rcx),%edx
+ .Lbswap_loop:
+ movl (%rcx),%eax
+@@ -83,10 +97,13 @@ padlock_key_bswap:
+ .byte 0xf3,0xc3
+
+
++
+ .globl padlock_verify_context
+ .def padlock_verify_context; .scl 2; .type 32; .endef
+ .p2align 4
+ padlock_verify_context:
++
++.byte 243,15,30,250
+ movq %rcx,%rdx
+ pushf
+ leaq .Lpadlock_saved_context(%rip),%rax
+@@ -95,9 +112,12 @@ padlock_verify_context:
+ .byte 0xf3,0xc3
+
+
++
+ .def _padlock_verify_ctx; .scl 3; .type 32; .endef
+ .p2align 4
+ _padlock_verify_ctx:
++
++.byte 243,15,30,250
+ movq 8(%rsp),%r8
+ btq $30,%r8
+ jnc .Lverified
+@@ -110,15 +130,19 @@ _padlock_verify_ctx:
+ .byte 0xf3,0xc3
+
+
++
+ .globl padlock_reload_key
+ .def padlock_reload_key; .scl 2; .type 32; .endef
+ .p2align 4
+ padlock_reload_key:
++
++.byte 243,15,30,250
+ pushf
+ popf
+ .byte 0xf3,0xc3
+
+
++
+ .globl padlock_aes_block
+ .def padlock_aes_block; .scl 2; .type 32; .endef
+ .p2align 4
+@@ -131,15 +155,18 @@ padlock_aes_block:
+ movq %rdx,%rsi
+ movq %r8,%rdx
+
++
++.byte 243,15,30,250
+ movq %rbx,%r8
+ movq $1,%rcx
+ leaq 32(%rdx),%rbx
+ leaq 16(%rdx),%rdx
+-.byte 0xf3,0x0f,0xa7,0xc8
++.byte 0xf3,0x0f,0xa7,0xc8
+ movq %r8,%rbx
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_padlock_aes_block:
+
+ .globl padlock_xstore
+@@ -153,11 +180,14 @@ padlock_xstore:
+ movq %rcx,%rdi
+ movq %rdx,%rsi
+
++
++.byte 243,15,30,250
+ movl %esi,%edx
+-.byte 0x0f,0xa7,0xc0
++.byte 0x0f,0xa7,0xc0
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_padlock_xstore:
+
+ .globl padlock_sha1_oneshot
+@@ -172,6 +202,8 @@ padlock_sha1_oneshot:
+ movq %rdx,%rsi
+ movq %r8,%rdx
+
++
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -181,7 +213,7 @@ padlock_sha1_oneshot:
+ movq %rsp,%rdi
+ movl %eax,16(%rsp)
+ xorq %rax,%rax
+-.byte 0xf3,0x0f,0xa6,0xc8
++.byte 0xf3,0x0f,0xa6,0xc8
+ movaps (%rsp),%xmm0
+ movl 16(%rsp),%eax
+ addq $128+8,%rsp
+@@ -190,6 +222,7 @@ padlock_sha1_oneshot:
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_padlock_sha1_oneshot:
+
+ .globl padlock_sha1_blocks
+@@ -204,6 +237,8 @@ padlock_sha1_blocks:
+ movq %rdx,%rsi
+ movq %r8,%rdx
+
++
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -213,7 +248,7 @@ padlock_sha1_blocks:
+ movq %rsp,%rdi
+ movl %eax,16(%rsp)
+ movq $-1,%rax
+-.byte 0xf3,0x0f,0xa6,0xc8
++.byte 0xf3,0x0f,0xa6,0xc8
+ movaps (%rsp),%xmm0
+ movl 16(%rsp),%eax
+ addq $128+8,%rsp
+@@ -222,6 +257,7 @@ padlock_sha1_blocks:
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_padlock_sha1_blocks:
+
+ .globl padlock_sha256_oneshot
+@@ -236,6 +272,8 @@ padlock_sha256_oneshot:
+ movq %rdx,%rsi
+ movq %r8,%rdx
+
++
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -245,7 +283,7 @@ padlock_sha256_oneshot:
+ movq %rsp,%rdi
+ movaps %xmm1,16(%rsp)
+ xorq %rax,%rax
+-.byte 0xf3,0x0f,0xa6,0xd0
++.byte 0xf3,0x0f,0xa6,0xd0
+ movaps (%rsp),%xmm0
+ movaps 16(%rsp),%xmm1
+ addq $128+8,%rsp
+@@ -254,6 +292,7 @@ padlock_sha256_oneshot:
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_padlock_sha256_oneshot:
+
+ .globl padlock_sha256_blocks
+@@ -268,6 +307,8 @@ padlock_sha256_blocks:
+ movq %rdx,%rsi
+ movq %r8,%rdx
+
++
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -277,7 +318,7 @@ padlock_sha256_blocks:
+ movq %rsp,%rdi
+ movaps %xmm1,16(%rsp)
+ movq $-1,%rax
+-.byte 0xf3,0x0f,0xa6,0xd0
++.byte 0xf3,0x0f,0xa6,0xd0
+ movaps (%rsp),%xmm0
+ movaps 16(%rsp),%xmm1
+ addq $128+8,%rsp
+@@ -286,6 +327,7 @@ padlock_sha256_blocks:
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_padlock_sha256_blocks:
+
+ .globl padlock_sha512_blocks
+@@ -300,6 +342,8 @@ padlock_sha512_blocks:
+ movq %rdx,%rsi
+ movq %r8,%rdx
+
++
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -312,7 +356,7 @@ padlock_sha512_blocks:
+ movaps %xmm1,16(%rsp)
+ movaps %xmm2,32(%rsp)
+ movaps %xmm3,48(%rsp)
+-.byte 0xf3,0x0f,0xa6,0xe0
++.byte 0xf3,0x0f,0xa6,0xe0
+ movaps (%rsp),%xmm0
+ movaps 16(%rsp),%xmm1
+ movaps 32(%rsp),%xmm2
+@@ -325,6 +369,7 @@ padlock_sha512_blocks:
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_padlock_sha512_blocks:
+ .globl padlock_ecb_encrypt
+ .def padlock_ecb_encrypt; .scl 2; .type 32; .endef
+@@ -339,6 +384,8 @@ padlock_ecb_encrypt:
+ movq %r8,%rdx
+ movq %r9,%rcx
+
++
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -356,9 +403,9 @@ padlock_ecb_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz .Lecb_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz .Lecb_aligned
+@@ -382,7 +429,7 @@ padlock_ecb_encrypt:
+ cmoveq %rdi,%rax
+ addq %rcx,%rax
+ negq %rax
+- andq $4095,%rax
++ andq $0xfff,%rax
+ cmpq $128,%rax
+ movq $-128,%rax
+ cmovaeq %rbx,%rax
+@@ -398,12 +445,12 @@ padlock_ecb_encrypt:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz .Lecb_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -411,15 +458,15 @@ padlock_ecb_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,200
++.byte 0xf3,0x0f,0xa7,200
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz .Lecb_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ .Lecb_out_aligned:
+ movq %r9,%rsi
+@@ -440,7 +487,7 @@ padlock_ecb_encrypt:
+ subq %rax,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ movq %rsp,%rsi
+ movq %r8,%rdi
+ movq %rbx,%rcx
+@@ -466,7 +513,7 @@ padlock_ecb_encrypt:
+ .Lecb_aligned:
+ leaq (%rsi,%rcx,1),%rbp
+ negq %rbp
+- andq $4095,%rbp
++ andq $0xfff,%rbp
+ xorl %eax,%eax
+ cmpq $128,%rbp
+ movq $128-1,%rbp
+@@ -477,7 +524,7 @@ padlock_ecb_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,200
++.byte 0xf3,0x0f,0xa7,200
+ testq %rbp,%rbp
+ jz .Lecb_exit
+
+@@ -489,7 +536,7 @@ padlock_ecb_encrypt:
+ subq %rcx,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ leaq (%r8),%rdi
+ leaq (%rsp),%rsi
+ movq %rbx,%rcx
+@@ -503,6 +550,7 @@ padlock_ecb_encrypt:
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_padlock_ecb_encrypt:
+ .globl padlock_cbc_encrypt
+ .def padlock_cbc_encrypt; .scl 2; .type 32; .endef
+@@ -517,6 +565,8 @@ padlock_cbc_encrypt:
+ movq %r8,%rdx
+ movq %r9,%rcx
+
++
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -534,9 +584,9 @@ padlock_cbc_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz .Lcbc_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz .Lcbc_aligned
+@@ -560,7 +610,7 @@ padlock_cbc_encrypt:
+ cmoveq %rdi,%rax
+ addq %rcx,%rax
+ negq %rax
+- andq $4095,%rax
++ andq $0xfff,%rax
+ cmpq $64,%rax
+ movq $-64,%rax
+ cmovaeq %rbx,%rax
+@@ -576,12 +626,12 @@ padlock_cbc_encrypt:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz .Lcbc_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -589,17 +639,17 @@ padlock_cbc_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,208
++.byte 0xf3,0x0f,0xa7,208
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz .Lcbc_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ .Lcbc_out_aligned:
+ movq %r9,%rsi
+@@ -620,7 +670,7 @@ padlock_cbc_encrypt:
+ subq %rax,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ movq %rsp,%rsi
+ movq %r8,%rdi
+ movq %rbx,%rcx
+@@ -646,7 +696,7 @@ padlock_cbc_encrypt:
+ .Lcbc_aligned:
+ leaq (%rsi,%rcx,1),%rbp
+ negq %rbp
+- andq $4095,%rbp
++ andq $0xfff,%rbp
+ xorl %eax,%eax
+ cmpq $64,%rbp
+ movq $64-1,%rbp
+@@ -657,7 +707,7 @@ padlock_cbc_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,208
++.byte 0xf3,0x0f,0xa7,208
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ testq %rbp,%rbp
+@@ -671,7 +721,7 @@ padlock_cbc_encrypt:
+ subq %rcx,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ leaq (%r8),%rdi
+ leaq (%rsp),%rsi
+ movq %rbx,%rcx
+@@ -685,6 +735,7 @@ padlock_cbc_encrypt:
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_padlock_cbc_encrypt:
+ .globl padlock_cfb_encrypt
+ .def padlock_cfb_encrypt; .scl 2; .type 32; .endef
+@@ -699,6 +750,8 @@ padlock_cfb_encrypt:
+ movq %r8,%rdx
+ movq %r9,%rcx
+
++
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -716,9 +769,9 @@ padlock_cfb_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz .Lcfb_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz .Lcfb_aligned
+@@ -745,12 +798,12 @@ padlock_cfb_encrypt:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz .Lcfb_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -758,17 +811,17 @@ padlock_cfb_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,224
++.byte 0xf3,0x0f,0xa7,224
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz .Lcfb_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ .Lcfb_out_aligned:
+ movq %r9,%rsi
+@@ -798,7 +851,7 @@ padlock_cfb_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,224
++.byte 0xf3,0x0f,0xa7,224
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ .Lcfb_exit:
+@@ -810,6 +863,7 @@ padlock_cfb_encrypt:
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_padlock_cfb_encrypt:
+ .globl padlock_ofb_encrypt
+ .def padlock_ofb_encrypt; .scl 2; .type 32; .endef
+@@ -824,6 +878,8 @@ padlock_ofb_encrypt:
+ movq %r8,%rdx
+ movq %r9,%rcx
+
++
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -841,9 +897,9 @@ padlock_ofb_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz .Lofb_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz .Lofb_aligned
+@@ -870,12 +926,12 @@ padlock_ofb_encrypt:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz .Lofb_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -883,17 +939,17 @@ padlock_ofb_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,232
++.byte 0xf3,0x0f,0xa7,232
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz .Lofb_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ .Lofb_out_aligned:
+ movq %r9,%rsi
+@@ -923,7 +979,7 @@ padlock_ofb_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,232
++.byte 0xf3,0x0f,0xa7,232
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ .Lofb_exit:
+@@ -935,6 +991,7 @@ padlock_ofb_encrypt:
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_padlock_ofb_encrypt:
+ .globl padlock_ctr32_encrypt
+ .def padlock_ctr32_encrypt; .scl 2; .type 32; .endef
+@@ -949,6 +1006,8 @@ padlock_ctr32_encrypt:
+ movq %r8,%rdx
+ movq %r9,%rcx
+
++
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -966,9 +1025,9 @@ padlock_ctr32_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz .Lctr32_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz .Lctr32_aligned
+@@ -1003,7 +1062,7 @@ padlock_ctr32_encrypt:
+ cmoveq %rdi,%rax
+ addq %rcx,%rax
+ negq %rax
+- andq $4095,%rax
++ andq $0xfff,%rax
+ cmpq $32,%rax
+ movq $-32,%rax
+ cmovaeq %rbx,%rax
+@@ -1019,12 +1078,12 @@ padlock_ctr32_encrypt:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz .Lctr32_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -1032,23 +1091,23 @@ padlock_ctr32_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,216
++.byte 0xf3,0x0f,0xa7,216
+ movl -4(%rdx),%eax
+- testl $4294901760,%eax
++ testl $0xffff0000,%eax
+ jnz .Lctr32_no_carry
+ bswapl %eax
+- addl $65536,%eax
++ addl $0x10000,%eax
+ bswapl %eax
+ movl %eax,-4(%rdx)
+ .Lctr32_no_carry:
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz .Lctr32_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ .Lctr32_out_aligned:
+ movq %r9,%rsi
+@@ -1066,7 +1125,7 @@ padlock_ctr32_encrypt:
+ cmoveq %rdi,%rax
+ addq %rcx,%rax
+ negq %rax
+- andq $4095,%rax
++ andq $0xfff,%rax
+ cmpq $32,%rax
+ movq $-32,%rax
+ cmovaeq %rbx,%rax
+@@ -1081,7 +1140,7 @@ padlock_ctr32_encrypt:
+ subq %rax,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ movq %rsp,%rsi
+ movq %r8,%rdi
+ movq %rbx,%rcx
+@@ -1108,7 +1167,7 @@ padlock_ctr32_encrypt:
+ movl -4(%rdx),%eax
+ bswapl %eax
+ negl %eax
+- andl $65535,%eax
++ andl $0xffff,%eax
+ movq $1048576,%rbx
+ shll $4,%eax
+ cmovzq %rbx,%rax
+@@ -1125,11 +1184,11 @@ padlock_ctr32_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,216
++.byte 0xf3,0x0f,0xa7,216
+
+ movl -4(%rdx),%eax
+ bswapl %eax
+- addl $65536,%eax
++ addl $0x10000,%eax
+ bswapl %eax
+ movl %eax,-4(%rdx)
+
+@@ -1143,7 +1202,7 @@ padlock_ctr32_encrypt:
+ .Lctr32_aligned_skip:
+ leaq (%rsi,%rcx,1),%rbp
+ negq %rbp
+- andq $4095,%rbp
++ andq $0xfff,%rbp
+ xorl %eax,%eax
+ cmpq $32,%rbp
+ movq $32-1,%rbp
+@@ -1154,7 +1213,7 @@ padlock_ctr32_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,216
++.byte 0xf3,0x0f,0xa7,216
+ testq %rbp,%rbp
+ jz .Lctr32_exit
+
+@@ -1166,7 +1225,7 @@ padlock_ctr32_encrypt:
+ subq %rcx,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ leaq (%r8),%rdi
+ leaq (%rsp),%rsi
+ movq %rbx,%rcx
+@@ -1180,6 +1239,7 @@ padlock_ctr32_encrypt:
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_padlock_ctr32_encrypt:
+ .byte 86,73,65,32,80,97,100,108,111,99,107,32,120,56,54,95,54,52,32,109,111,100,117,108,101,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
+ .p2align 4
+diff --git a/lib/accelerated/x86/coff/ghash-x86_64.s b/lib/accelerated/x86/coff/ghash-x86_64.s
+index de207e400..cfe24252f 100644
+--- a/lib/accelerated/x86/coff/ghash-x86_64.s
++++ b/lib/accelerated/x86/coff/ghash-x86_64.s
+@@ -52,6 +52,7 @@ gcm_gmult_4bit:
+ movq %rdx,%rsi
+
+
++.byte 243,15,30,250
+ pushq %rbx
+
+ pushq %rbp
+@@ -168,6 +169,7 @@ gcm_ghash_4bit:
+ movq %r9,%rcx
+
+
++.byte 243,15,30,250
+ pushq %rbx
+
+ pushq %rbp
+@@ -918,6 +920,7 @@ gcm_init_clmul:
+ .p2align 4
+ gcm_gmult_clmul:
+
++.byte 243,15,30,250
+ .L_gmult_clmul:
+ movdqu (%rcx),%xmm0
+ movdqa .Lbswap_mask(%rip),%xmm5
+@@ -971,6 +974,7 @@ gcm_gmult_clmul:
+ .p2align 5
+ gcm_ghash_clmul:
+
++.byte 243,15,30,250
+ .L_ghash_clmul:
+ leaq -136(%rsp),%rax
+ .LSEH_begin_gcm_ghash_clmul:
+@@ -1498,6 +1502,7 @@ gcm_init_avx:
+ .p2align 5
+ gcm_gmult_avx:
+
++.byte 243,15,30,250
+ jmp .L_gmult_clmul
+
+
+@@ -1506,6 +1511,7 @@ gcm_gmult_avx:
+ .p2align 5
+ gcm_ghash_avx:
+
++.byte 243,15,30,250
+ leaq -136(%rsp),%rax
+ .LSEH_begin_gcm_ghash_avx:
+
+diff --git a/lib/accelerated/x86/coff/sha1-ssse3-x86.s b/lib/accelerated/x86/coff/sha1-ssse3-x86.s
+index 30f9ded21..34b33601e 100644
+--- a/lib/accelerated/x86/coff/sha1-ssse3-x86.s
++++ b/lib/accelerated/x86/coff/sha1-ssse3-x86.s
+@@ -43,6 +43,7 @@
+ .align 16
+ _sha1_block_data_order:
+ .L_sha1_block_data_order_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+diff --git a/lib/accelerated/x86/coff/sha1-ssse3-x86_64.s b/lib/accelerated/x86/coff/sha1-ssse3-x86_64.s
+index cdfc88254..79f841f1a 100644
+--- a/lib/accelerated/x86/coff/sha1-ssse3-x86_64.s
++++ b/lib/accelerated/x86/coff/sha1-ssse3-x86_64.s
+@@ -1490,10 +1490,10 @@ _shaext_shortcut:
+ movaps -8-16(%rax),%xmm9
+ movq %rax,%rsp
+ .Lepilogue_shaext:
+-
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_sha1_block_data_order_shaext:
+ .def sha1_block_data_order_ssse3; .scl 3; .type 32; .endef
+ .p2align 4
+diff --git a/lib/accelerated/x86/coff/sha256-ssse3-x86.s b/lib/accelerated/x86/coff/sha256-ssse3-x86.s
+index 05cd61d1b..8109c6b51 100644
+--- a/lib/accelerated/x86/coff/sha256-ssse3-x86.s
++++ b/lib/accelerated/x86/coff/sha256-ssse3-x86.s
+@@ -43,6 +43,7 @@
+ .align 16
+ _sha256_block_data_order:
+ .L_sha256_block_data_order_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+diff --git a/lib/accelerated/x86/coff/sha256-ssse3-x86_64.s b/lib/accelerated/x86/coff/sha256-ssse3-x86_64.s
+index d2fc1957e..78fae2a62 100644
+--- a/lib/accelerated/x86/coff/sha256-ssse3-x86_64.s
++++ b/lib/accelerated/x86/coff/sha256-ssse3-x86_64.s
+@@ -1832,6 +1832,7 @@ sha256_block_data_order_shaext:
+ movq %r8,%rdx
+
+ _shaext_shortcut:
++
+ leaq -88(%rsp),%rsp
+ movaps %xmm6,-8-80(%rax)
+ movaps %xmm7,-8-64(%rax)
+@@ -2050,6 +2051,7 @@ _shaext_shortcut:
+ movq 8(%rsp),%rdi
+ movq 16(%rsp),%rsi
+ .byte 0xf3,0xc3
++
+ .LSEH_end_sha256_block_data_order_shaext:
+ .def sha256_block_data_order_ssse3; .scl 3; .type 32; .endef
+ .p2align 6
+@@ -5501,6 +5503,8 @@ sha256_block_data_order_avx2:
+
+ leaq 448(%rsp),%rsp
+
++
++
+ addl 0(%rdi),%eax
+ addl 4(%rdi),%ebx
+ addl 8(%rdi),%ecx
+@@ -5526,15 +5530,17 @@ sha256_block_data_order_avx2:
+ jbe .Loop_avx2
+ leaq (%rsp),%rbp
+
++
++
++
+ .Ldone_avx2:
+- leaq (%rbp),%rsp
+- movq 88(%rsp),%rsi
++ movq 88(%rbp),%rsi
+
+ vzeroupper
+- movaps 64+32(%rsp),%xmm6
+- movaps 64+48(%rsp),%xmm7
+- movaps 64+64(%rsp),%xmm8
+- movaps 64+80(%rsp),%xmm9
++ movaps 64+32(%rbp),%xmm6
++ movaps 64+48(%rbp),%xmm7
++ movaps 64+64(%rbp),%xmm8
++ movaps 64+80(%rbp),%xmm9
+ movq -48(%rsi),%r15
+
+ movq -40(%rsi),%r14
+diff --git a/lib/accelerated/x86/coff/sha512-ssse3-x86.s b/lib/accelerated/x86/coff/sha512-ssse3-x86.s
+index 72a7f73d7..321a18541 100644
+--- a/lib/accelerated/x86/coff/sha512-ssse3-x86.s
++++ b/lib/accelerated/x86/coff/sha512-ssse3-x86.s
+@@ -43,6 +43,7 @@
+ .align 16
+ _sha512_block_data_order:
+ .L_sha512_block_data_order_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+diff --git a/lib/accelerated/x86/coff/sha512-ssse3-x86_64.s b/lib/accelerated/x86/coff/sha512-ssse3-x86_64.s
+index 419fa2a98..836e0cf66 100644
+--- a/lib/accelerated/x86/coff/sha512-ssse3-x86_64.s
++++ b/lib/accelerated/x86/coff/sha512-ssse3-x86_64.s
+@@ -5494,6 +5494,8 @@ sha512_block_data_order_avx2:
+
+ leaq 1152(%rsp),%rsp
+
++
++
+ addq 0(%rdi),%rax
+ addq 8(%rdi),%rbx
+ addq 16(%rdi),%rcx
+@@ -5519,17 +5521,19 @@ sha512_block_data_order_avx2:
+ jbe .Loop_avx2
+ leaq (%rsp),%rbp
+
++
++
++
+ .Ldone_avx2:
+- leaq (%rbp),%rsp
+- movq 152(%rsp),%rsi
++ movq 152(%rbp),%rsi
+
+ vzeroupper
+- movaps 128+32(%rsp),%xmm6
+- movaps 128+48(%rsp),%xmm7
+- movaps 128+64(%rsp),%xmm8
+- movaps 128+80(%rsp),%xmm9
+- movaps 128+96(%rsp),%xmm10
+- movaps 128+112(%rsp),%xmm11
++ movaps 128+32(%rbp),%xmm6
++ movaps 128+48(%rbp),%xmm7
++ movaps 128+64(%rbp),%xmm8
++ movaps 128+80(%rbp),%xmm9
++ movaps 128+96(%rbp),%xmm10
++ movaps 128+112(%rbp),%xmm11
+ movq -48(%rsi),%r15
+
+ movq -40(%rsi),%r14
+diff --git a/lib/accelerated/x86/elf/aes-ssse3-x86.s b/lib/accelerated/x86/elf/aes-ssse3-x86.s
+index 265e28a7e..7be53059f 100644
+--- a/lib/accelerated/x86/elf/aes-ssse3-x86.s
++++ b/lib/accelerated/x86/elf/aes-ssse3-x86.s
+@@ -71,6 +71,7 @@
+ .type _vpaes_preheat,@function
+ .align 16
+ _vpaes_preheat:
++.byte 243,15,30,251
+ addl (%esp),%ebp
+ movdqa -48(%ebp),%xmm7
+ movdqa -16(%ebp),%xmm6
+@@ -79,6 +80,7 @@ _vpaes_preheat:
+ .type _vpaes_encrypt_core,@function
+ .align 16
+ _vpaes_encrypt_core:
++.byte 243,15,30,251
+ movl $16,%ecx
+ movl 240(%edx),%eax
+ movdqa %xmm6,%xmm1
+@@ -156,6 +158,7 @@ _vpaes_encrypt_core:
+ .type _vpaes_decrypt_core,@function
+ .align 16
+ _vpaes_decrypt_core:
++.byte 243,15,30,251
+ leal 608(%ebp),%ebx
+ movl 240(%edx),%eax
+ movdqa %xmm6,%xmm1
+@@ -244,6 +247,7 @@ _vpaes_decrypt_core:
+ .type _vpaes_schedule_core,@function
+ .align 16
+ _vpaes_schedule_core:
++.byte 243,15,30,251
+ addl (%esp),%ebp
+ movdqu (%esi),%xmm0
+ movdqa 320(%ebp),%xmm2
+@@ -338,6 +342,7 @@ _vpaes_schedule_core:
+ .type _vpaes_schedule_192_smear,@function
+ .align 16
+ _vpaes_schedule_192_smear:
++.byte 243,15,30,251
+ pshufd $128,%xmm6,%xmm1
+ pshufd $254,%xmm7,%xmm0
+ pxor %xmm1,%xmm6
+@@ -350,6 +355,7 @@ _vpaes_schedule_192_smear:
+ .type _vpaes_schedule_round,@function
+ .align 16
+ _vpaes_schedule_round:
++.byte 243,15,30,251
+ movdqa 8(%esp),%xmm2
+ pxor %xmm1,%xmm1
+ .byte 102,15,58,15,202,15
+@@ -399,6 +405,7 @@ _vpaes_schedule_round:
+ .type _vpaes_schedule_transform,@function
+ .align 16
+ _vpaes_schedule_transform:
++.byte 243,15,30,251
+ movdqa -16(%ebp),%xmm2
+ movdqa %xmm2,%xmm1
+ pandn %xmm0,%xmm1
+@@ -414,6 +421,7 @@ _vpaes_schedule_transform:
+ .type _vpaes_schedule_mangle,@function
+ .align 16
+ _vpaes_schedule_mangle:
++.byte 243,15,30,251
+ movdqa %xmm0,%xmm4
+ movdqa 128(%ebp),%xmm5
+ testl %edi,%edi
+@@ -475,6 +483,7 @@ _vpaes_schedule_mangle:
+ .align 16
+ vpaes_set_encrypt_key:
+ .L_vpaes_set_encrypt_key_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -508,6 +517,7 @@ vpaes_set_encrypt_key:
+ .align 16
+ vpaes_set_decrypt_key:
+ .L_vpaes_set_decrypt_key_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -546,6 +556,7 @@ vpaes_set_decrypt_key:
+ .align 16
+ vpaes_encrypt:
+ .L_vpaes_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -575,6 +586,7 @@ vpaes_encrypt:
+ .align 16
+ vpaes_decrypt:
+ .L_vpaes_decrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -604,6 +616,7 @@ vpaes_decrypt:
+ .align 16
+ vpaes_cbc_encrypt:
+ .L_vpaes_cbc_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -671,4 +684,21 @@ vpaes_cbc_encrypt:
+ ret
+ .size vpaes_cbc_encrypt,.-.L_vpaes_cbc_encrypt_begin
+
++ .section ".note.gnu.property", "a"
++ .p2align 2
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ .asciz "GNU"
++1:
++ .p2align 2
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 2
++4:
++
+ .section .note.GNU-stack,"",%progbits
+diff --git a/lib/accelerated/x86/elf/aes-ssse3-x86_64.s b/lib/accelerated/x86/elf/aes-ssse3-x86_64.s
+index ea1216baf..5a3f336f2 100644
+--- a/lib/accelerated/x86/elf/aes-ssse3-x86_64.s
++++ b/lib/accelerated/x86/elf/aes-ssse3-x86_64.s
+@@ -635,6 +635,7 @@ _vpaes_schedule_mangle:
+ .align 16
+ vpaes_set_encrypt_key:
+ .cfi_startproc
++.byte 243,15,30,250
+ movl %esi,%eax
+ shrl $5,%eax
+ addl $5,%eax
+@@ -653,6 +654,7 @@ vpaes_set_encrypt_key:
+ .align 16
+ vpaes_set_decrypt_key:
+ .cfi_startproc
++.byte 243,15,30,250
+ movl %esi,%eax
+ shrl $5,%eax
+ addl $5,%eax
+@@ -676,6 +678,7 @@ vpaes_set_decrypt_key:
+ .align 16
+ vpaes_encrypt:
+ .cfi_startproc
++.byte 243,15,30,250
+ movdqu (%rdi),%xmm0
+ call _vpaes_preheat
+ call _vpaes_encrypt_core
+@@ -689,6 +692,7 @@ vpaes_encrypt:
+ .align 16
+ vpaes_decrypt:
+ .cfi_startproc
++.byte 243,15,30,250
+ movdqu (%rdi),%xmm0
+ call _vpaes_preheat
+ call _vpaes_decrypt_core
+@@ -701,6 +705,7 @@ vpaes_decrypt:
+ .align 16
+ vpaes_cbc_encrypt:
+ .cfi_startproc
++.byte 243,15,30,250
+ xchgq %rcx,%rdx
+ subq $16,%rcx
+ jc .Lcbc_abort
+@@ -863,5 +868,26 @@ _vpaes_consts:
+ .byte 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0
+ .align 64
+ .size _vpaes_consts,.-_vpaes_consts
++ .section ".note.gnu.property", "a"
++ .p2align 3
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ # "GNU" encoded with .byte, since .asciz isn't supported
++ # on Solaris.
++ .byte 0x47
++ .byte 0x4e
++ .byte 0x55
++ .byte 0
++1:
++ .p2align 3
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 3
++4:
+
+ .section .note.GNU-stack,"",%progbits
+diff --git a/lib/accelerated/x86/elf/aesni-gcm-x86_64.s b/lib/accelerated/x86/elf/aesni-gcm-x86_64.s
+index e26d18d69..1a11222e7 100644
+--- a/lib/accelerated/x86/elf/aesni-gcm-x86_64.s
++++ b/lib/accelerated/x86/elf/aesni-gcm-x86_64.s
+@@ -42,6 +42,8 @@
+ .type _aesni_ctr32_ghash_6x,@function
+ .align 32
+ _aesni_ctr32_ghash_6x:
++.cfi_startproc
++.byte 243,15,30,250
+ vmovdqu 32(%r11),%xmm2
+ subq $6,%rdx
+ vpxor %xmm4,%xmm4,%xmm4
+@@ -349,12 +351,14 @@ _aesni_ctr32_ghash_6x:
+ vpxor %xmm4,%xmm8,%xmm8
+
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size _aesni_ctr32_ghash_6x,.-_aesni_ctr32_ghash_6x
+ .globl aesni_gcm_decrypt
+ .type aesni_gcm_decrypt,@function
+ .align 32
+ aesni_gcm_decrypt:
+ .cfi_startproc
++.byte 243,15,30,250
+ xorq %r10,%r10
+ cmpq $0x60,%rdx
+ jb .Lgcm_dec_abort
+@@ -455,6 +459,8 @@ aesni_gcm_decrypt:
+ .type _aesni_ctr32_6x,@function
+ .align 32
+ _aesni_ctr32_6x:
++.cfi_startproc
++.byte 243,15,30,250
+ vmovdqu 0-128(%rcx),%xmm4
+ vmovdqu 32(%r11),%xmm2
+ leaq -1(%rbp),%r13
+@@ -541,6 +547,7 @@ _aesni_ctr32_6x:
+ vpshufb %xmm0,%xmm1,%xmm1
+ vpxor %xmm4,%xmm14,%xmm14
+ jmp .Loop_ctr32
++.cfi_endproc
+ .size _aesni_ctr32_6x,.-_aesni_ctr32_6x
+
+ .globl aesni_gcm_encrypt
+@@ -548,6 +555,7 @@ _aesni_ctr32_6x:
+ .align 32
+ aesni_gcm_encrypt:
+ .cfi_startproc
++.byte 243,15,30,250
+ xorq %r10,%r10
+ cmpq $288,%rdx
+ jb .Lgcm_enc_abort
+@@ -822,5 +830,26 @@ aesni_gcm_encrypt:
+ .byte 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
+ .byte 65,69,83,45,78,73,32,71,67,77,32,109,111,100,117,108,101,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
+ .align 64
++ .section ".note.gnu.property", "a"
++ .p2align 3
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ # "GNU" encoded with .byte, since .asciz isn't supported
++ # on Solaris.
++ .byte 0x47
++ .byte 0x4e
++ .byte 0x55
++ .byte 0
++1:
++ .p2align 3
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 3
++4:
+
+ .section .note.GNU-stack,"",%progbits
+diff --git a/lib/accelerated/x86/elf/aesni-x86.s b/lib/accelerated/x86/elf/aesni-x86.s
+index 6e4860209..f41d5f9ef 100644
+--- a/lib/accelerated/x86/elf/aesni-x86.s
++++ b/lib/accelerated/x86/elf/aesni-x86.s
+@@ -43,6 +43,7 @@
+ .align 16
+ aesni_encrypt:
+ .L_aesni_encrypt_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%eax
+ movl 12(%esp),%edx
+ movups (%eax),%xmm2
+@@ -70,6 +71,7 @@ aesni_encrypt:
+ .align 16
+ aesni_decrypt:
+ .L_aesni_decrypt_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%eax
+ movl 12(%esp),%edx
+ movups (%eax),%xmm2
+@@ -95,6 +97,7 @@ aesni_decrypt:
+ .type _aesni_encrypt2,@function
+ .align 16
+ _aesni_encrypt2:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -122,6 +125,7 @@ _aesni_encrypt2:
+ .type _aesni_decrypt2,@function
+ .align 16
+ _aesni_decrypt2:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -149,6 +153,7 @@ _aesni_decrypt2:
+ .type _aesni_encrypt3,@function
+ .align 16
+ _aesni_encrypt3:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -181,6 +186,7 @@ _aesni_encrypt3:
+ .type _aesni_decrypt3,@function
+ .align 16
+ _aesni_decrypt3:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -213,6 +219,7 @@ _aesni_decrypt3:
+ .type _aesni_encrypt4,@function
+ .align 16
+ _aesni_encrypt4:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ movups 16(%edx),%xmm1
+ shll $4,%ecx
+@@ -251,6 +258,7 @@ _aesni_encrypt4:
+ .type _aesni_decrypt4,@function
+ .align 16
+ _aesni_decrypt4:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ movups 16(%edx),%xmm1
+ shll $4,%ecx
+@@ -289,6 +297,7 @@ _aesni_decrypt4:
+ .type _aesni_encrypt6,@function
+ .align 16
+ _aesni_encrypt6:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -343,6 +352,7 @@ _aesni_encrypt6:
+ .type _aesni_decrypt6,@function
+ .align 16
+ _aesni_decrypt6:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -399,6 +409,7 @@ _aesni_decrypt6:
+ .align 16
+ aesni_ecb_encrypt:
+ .L_aesni_ecb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -634,6 +645,7 @@ aesni_ecb_encrypt:
+ .align 16
+ aesni_ccm64_encrypt_blocks:
+ .L_aesni_ccm64_encrypt_blocks_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -722,6 +734,7 @@ aesni_ccm64_encrypt_blocks:
+ .align 16
+ aesni_ccm64_decrypt_blocks:
+ .L_aesni_ccm64_decrypt_blocks_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -845,6 +858,7 @@ aesni_ccm64_decrypt_blocks:
+ .align 16
+ aesni_ctr32_encrypt_blocks:
+ .L_aesni_ctr32_encrypt_blocks_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -1083,6 +1097,7 @@ aesni_ctr32_encrypt_blocks:
+ .align 16
+ aesni_xts_encrypt:
+ .L_aesni_xts_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -1443,6 +1458,7 @@ aesni_xts_encrypt:
+ .align 16
+ aesni_xts_decrypt:
+ .L_aesni_xts_decrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -1833,6 +1849,7 @@ aesni_xts_decrypt:
+ .align 16
+ aesni_ocb_encrypt:
+ .L_aesni_ocb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -2228,6 +2245,7 @@ aesni_ocb_encrypt:
+ .align 16
+ aesni_ocb_decrypt:
+ .L_aesni_ocb_decrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -2623,6 +2641,7 @@ aesni_ocb_decrypt:
+ .align 16
+ aesni_cbc_encrypt:
+ .L_aesni_cbc_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -2882,6 +2901,7 @@ aesni_cbc_encrypt:
+ .type _aesni_set_encrypt_key,@function
+ .align 16
+ _aesni_set_encrypt_key:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ testl %eax,%eax
+@@ -3217,6 +3237,7 @@ _aesni_set_encrypt_key:
+ .align 16
+ aesni_set_encrypt_key:
+ .L_aesni_set_encrypt_key_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%eax
+ movl 8(%esp),%ecx
+ movl 12(%esp),%edx
+@@ -3228,6 +3249,7 @@ aesni_set_encrypt_key:
+ .align 16
+ aesni_set_decrypt_key:
+ .L_aesni_set_decrypt_key_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%eax
+ movl 8(%esp),%ecx
+ movl 12(%esp),%edx
+@@ -3275,4 +3297,21 @@ aesni_set_decrypt_key:
+ .byte 115,108,46,111,114,103,62,0
+ .comm _gnutls_x86_cpuid_s,16,4
+
++ .section ".note.gnu.property", "a"
++ .p2align 2
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ .asciz "GNU"
++1:
++ .p2align 2
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 2
++4:
++
+ .section .note.GNU-stack,"",%progbits
+diff --git a/lib/accelerated/x86/elf/aesni-x86_64.s b/lib/accelerated/x86/elf/aesni-x86_64.s
+index 43cf4e68d..e3f9d5a99 100644
+--- a/lib/accelerated/x86/elf/aesni-x86_64.s
++++ b/lib/accelerated/x86/elf/aesni-x86_64.s
+@@ -44,6 +44,7 @@
+ .align 16
+ aesni_encrypt:
+ .cfi_startproc
++.byte 243,15,30,250
+ movups (%rdi),%xmm2
+ movl 240(%rdx),%eax
+ movups (%rdx),%xmm0
+@@ -70,6 +71,7 @@ aesni_encrypt:
+ .align 16
+ aesni_decrypt:
+ .cfi_startproc
++.byte 243,15,30,250
+ movups (%rdi),%xmm2
+ movl 240(%rdx),%eax
+ movups (%rdx),%xmm0
+@@ -557,6 +559,7 @@ _aesni_decrypt8:
+ .align 16
+ aesni_ecb_encrypt:
+ .cfi_startproc
++.byte 243,15,30,250
+ andq $-16,%rdx
+ jz .Lecb_ret
+
+@@ -900,6 +903,8 @@ aesni_ecb_encrypt:
+ .type aesni_ccm64_encrypt_blocks,@function
+ .align 16
+ aesni_ccm64_encrypt_blocks:
++.cfi_startproc
++.byte 243,15,30,250
+ movl 240(%rcx),%eax
+ movdqu (%r8),%xmm6
+ movdqa .Lincrement64(%rip),%xmm9
+@@ -958,11 +963,14 @@ aesni_ccm64_encrypt_blocks:
+ pxor %xmm8,%xmm8
+ pxor %xmm6,%xmm6
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size aesni_ccm64_encrypt_blocks,.-aesni_ccm64_encrypt_blocks
+ .globl aesni_ccm64_decrypt_blocks
+ .type aesni_ccm64_decrypt_blocks,@function
+ .align 16
+ aesni_ccm64_decrypt_blocks:
++.cfi_startproc
++.byte 243,15,30,250
+ movl 240(%rcx),%eax
+ movups (%r8),%xmm6
+ movdqu (%r9),%xmm3
+@@ -1055,12 +1063,14 @@ aesni_ccm64_decrypt_blocks:
+ pxor %xmm8,%xmm8
+ pxor %xmm6,%xmm6
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size aesni_ccm64_decrypt_blocks,.-aesni_ccm64_decrypt_blocks
+ .globl aesni_ctr32_encrypt_blocks
+ .type aesni_ctr32_encrypt_blocks,@function
+ .align 16
+ aesni_ctr32_encrypt_blocks:
+ .cfi_startproc
++.byte 243,15,30,250
+ cmpq $1,%rdx
+ jne .Lctr32_bulk
+
+@@ -1639,6 +1649,7 @@ aesni_ctr32_encrypt_blocks:
+ .align 16
+ aesni_xts_encrypt:
+ .cfi_startproc
++.byte 243,15,30,250
+ leaq (%rsp),%r11
+ .cfi_def_cfa_register %r11
+ pushq %rbp
+@@ -2109,6 +2120,7 @@ aesni_xts_encrypt:
+ .align 16
+ aesni_xts_decrypt:
+ .cfi_startproc
++.byte 243,15,30,250
+ leaq (%rsp),%r11
+ .cfi_def_cfa_register %r11
+ pushq %rbp
+@@ -2616,6 +2628,7 @@ aesni_xts_decrypt:
+ .align 32
+ aesni_ocb_encrypt:
+ .cfi_startproc
++.byte 243,15,30,250
+ leaq (%rsp),%rax
+ pushq %rbx
+ .cfi_adjust_cfa_offset 8
+@@ -2829,6 +2842,7 @@ aesni_ocb_encrypt:
+ .type __ocb_encrypt6,@function
+ .align 32
+ __ocb_encrypt6:
++.cfi_startproc
+ pxor %xmm9,%xmm15
+ movdqu (%rbx,%r12,1),%xmm11
+ movdqa %xmm10,%xmm12
+@@ -2926,11 +2940,13 @@ __ocb_encrypt6:
+ .byte 102,65,15,56,221,246
+ .byte 102,65,15,56,221,255
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size __ocb_encrypt6,.-__ocb_encrypt6
+
+ .type __ocb_encrypt4,@function
+ .align 32
+ __ocb_encrypt4:
++.cfi_startproc
+ pxor %xmm9,%xmm15
+ movdqu (%rbx,%r12,1),%xmm11
+ movdqa %xmm10,%xmm12
+@@ -2995,11 +3011,13 @@ __ocb_encrypt4:
+ .byte 102,65,15,56,221,228
+ .byte 102,65,15,56,221,237
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size __ocb_encrypt4,.-__ocb_encrypt4
+
+ .type __ocb_encrypt1,@function
+ .align 32
+ __ocb_encrypt1:
++.cfi_startproc
+ pxor %xmm15,%xmm7
+ pxor %xmm9,%xmm7
+ pxor %xmm2,%xmm8
+@@ -3030,6 +3048,7 @@ __ocb_encrypt1:
+
+ .byte 102,15,56,221,215
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size __ocb_encrypt1,.-__ocb_encrypt1
+
+ .globl aesni_ocb_decrypt
+@@ -3037,6 +3056,7 @@ __ocb_encrypt1:
+ .align 32
+ aesni_ocb_decrypt:
+ .cfi_startproc
++.byte 243,15,30,250
+ leaq (%rsp),%rax
+ pushq %rbx
+ .cfi_adjust_cfa_offset 8
+@@ -3272,6 +3292,7 @@ aesni_ocb_decrypt:
+ .type __ocb_decrypt6,@function
+ .align 32
+ __ocb_decrypt6:
++.cfi_startproc
+ pxor %xmm9,%xmm15
+ movdqu (%rbx,%r12,1),%xmm11
+ movdqa %xmm10,%xmm12
+@@ -3363,11 +3384,13 @@ __ocb_decrypt6:
+ .byte 102,65,15,56,223,246
+ .byte 102,65,15,56,223,255
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size __ocb_decrypt6,.-__ocb_decrypt6
+
+ .type __ocb_decrypt4,@function
+ .align 32
+ __ocb_decrypt4:
++.cfi_startproc
+ pxor %xmm9,%xmm15
+ movdqu (%rbx,%r12,1),%xmm11
+ movdqa %xmm10,%xmm12
+@@ -3428,11 +3451,13 @@ __ocb_decrypt4:
+ .byte 102,65,15,56,223,228
+ .byte 102,65,15,56,223,237
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size __ocb_decrypt4,.-__ocb_decrypt4
+
+ .type __ocb_decrypt1,@function
+ .align 32
+ __ocb_decrypt1:
++.cfi_startproc
+ pxor %xmm15,%xmm7
+ pxor %xmm9,%xmm7
+ pxor %xmm7,%xmm2
+@@ -3462,12 +3487,14 @@ __ocb_decrypt1:
+
+ .byte 102,15,56,223,215
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size __ocb_decrypt1,.-__ocb_decrypt1
+ .globl aesni_cbc_encrypt
+ .type aesni_cbc_encrypt,@function
+ .align 16
+ aesni_cbc_encrypt:
+ .cfi_startproc
++.byte 243,15,30,250
+ testq %rdx,%rdx
+ jz .Lcbc_ret
+
+@@ -4400,7 +4427,6 @@ __aesni_set_encrypt_key:
+ addq $8,%rsp
+ .cfi_adjust_cfa_offset -8
+ .byte 0xf3,0xc3
+-.cfi_endproc
+ .LSEH_end_set_encrypt_key:
+
+ .align 16
+@@ -4471,6 +4497,7 @@ __aesni_set_encrypt_key:
+ shufps $170,%xmm1,%xmm1
+ xorps %xmm1,%xmm2
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size aesni_set_encrypt_key,.-aesni_set_encrypt_key
+ .size __aesni_set_encrypt_key,.-__aesni_set_encrypt_key
+ .align 64
+@@ -4495,5 +4522,26 @@ __aesni_set_encrypt_key:
+
+ .byte 65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69,83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
+ .align 64
++ .section ".note.gnu.property", "a"
++ .p2align 3
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ # "GNU" encoded with .byte, since .asciz isn't supported
++ # on Solaris.
++ .byte 0x47
++ .byte 0x4e
++ .byte 0x55
++ .byte 0
++1:
++ .p2align 3
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 3
++4:
+
+ .section .note.GNU-stack,"",%progbits
+diff --git a/lib/accelerated/x86/elf/e_padlock-x86.s b/lib/accelerated/x86/elf/e_padlock-x86.s
+index ed8681ee4..dd56518f6 100644
+--- a/lib/accelerated/x86/elf/e_padlock-x86.s
++++ b/lib/accelerated/x86/elf/e_padlock-x86.s
+@@ -1,4 +1,4 @@
+-# Copyright (c) 2011-2013, Andy Polyakov <appro@openssl.org>
++# Copyright (c) 2011-2016, Andy Polyakov <appro@openssl.org>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without
+@@ -37,13 +37,13 @@
+ #
+ # *** This file is auto-generated ***
+ #
+-.file "devel/perlasm/e_padlock-x86.s"
+ .text
+ .globl padlock_capability
+ .type padlock_capability,@function
+ .align 16
+ padlock_capability:
+ .L_padlock_capability_begin:
++.byte 243,15,30,251
+ pushl %ebx
+ pushfl
+ popl %eax
+@@ -60,11 +60,20 @@ padlock_capability:
+ .byte 0x0f,0xa2
+ xorl %eax,%eax
+ cmpl $0x746e6543,%ebx
+- jne .L000noluck
++ jne .L001zhaoxin
+ cmpl $0x48727561,%edx
+ jne .L000noluck
+ cmpl $0x736c7561,%ecx
+ jne .L000noluck
++ jmp .L002zhaoxinEnd
++.L001zhaoxin:
++ cmpl $0x68532020,%ebx
++ jne .L000noluck
++ cmpl $0x68676e61,%edx
++ jne .L000noluck
++ cmpl $0x20206961,%ecx
++ jne .L000noluck
++.L002zhaoxinEnd:
+ movl $3221225472,%eax
+ .byte 0x0f,0xa2
+ movl %eax,%edx
+@@ -95,15 +104,16 @@ padlock_capability:
+ .align 16
+ padlock_key_bswap:
+ .L_padlock_key_bswap_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%edx
+ movl 240(%edx),%ecx
+-.L001bswap_loop:
++.L003bswap_loop:
+ movl (%edx),%eax
+ bswap %eax
+ movl %eax,(%edx)
+ leal 4(%edx),%edx
+ subl $1,%ecx
+- jnz .L001bswap_loop
++ jnz .L003bswap_loop
+ ret
+ .size padlock_key_bswap,.-.L_padlock_key_bswap_begin
+ .globl padlock_verify_context
+@@ -111,25 +121,27 @@ padlock_key_bswap:
+ .align 16
+ padlock_verify_context:
+ .L_padlock_verify_context_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%edx
+- leal .Lpadlock_saved_context-.L002verify_pic_point,%eax
++ leal .Lpadlock_saved_context-.L004verify_pic_point,%eax
+ pushfl
+ call _padlock_verify_ctx
+-.L002verify_pic_point:
++.L004verify_pic_point:
+ leal 4(%esp),%esp
+ ret
+ .size padlock_verify_context,.-.L_padlock_verify_context_begin
+ .type _padlock_verify_ctx,@function
+ .align 16
+ _padlock_verify_ctx:
++.byte 243,15,30,251
+ addl (%esp),%eax
+ btl $30,4(%esp)
+- jnc .L003verified
++ jnc .L005verified
+ cmpl (%eax),%edx
+- je .L003verified
++ je .L005verified
+ pushfl
+ popfl
+-.L003verified:
++.L005verified:
+ movl %edx,(%eax)
+ ret
+ .size _padlock_verify_ctx,.-_padlock_verify_ctx
+@@ -138,6 +150,7 @@ _padlock_verify_ctx:
+ .align 16
+ padlock_reload_key:
+ .L_padlock_reload_key_begin:
++.byte 243,15,30,251
+ pushfl
+ popfl
+ ret
+@@ -147,6 +160,7 @@ padlock_reload_key:
+ .align 16
+ padlock_aes_block:
+ .L_padlock_aes_block_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ pushl %ebx
+@@ -167,6 +181,7 @@ padlock_aes_block:
+ .align 16
+ padlock_ecb_encrypt:
+ .L_padlock_ecb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -176,25 +191,25 @@ padlock_ecb_encrypt:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz .L004ecb_abort
++ jnz .L006ecb_abort
+ testl $15,%ecx
+- jnz .L004ecb_abort
+- leal .Lpadlock_saved_context-.L005ecb_pic_point,%eax
++ jnz .L006ecb_abort
++ leal .Lpadlock_saved_context-.L007ecb_pic_point,%eax
+ pushfl
+ cld
+ call _padlock_verify_ctx
+-.L005ecb_pic_point:
++.L007ecb_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ xorl %ebx,%ebx
+ testl $32,(%edx)
+- jnz .L006ecb_aligned
++ jnz .L008ecb_aligned
+ testl $15,%edi
+ setz %al
+ testl $15,%esi
+ setz %bl
+ testl %ebx,%eax
+- jnz .L006ecb_aligned
++ jnz .L008ecb_aligned
+ negl %eax
+ movl $512,%ebx
+ notl %eax
+@@ -213,7 +228,7 @@ padlock_ecb_encrypt:
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+ cmpl %ebx,%ecx
+- ja .L007ecb_loop
++ ja .L009ecb_loop
+ movl %esi,%eax
+ cmpl %esp,%ebp
+ cmovel %edi,%eax
+@@ -224,10 +239,10 @@ padlock_ecb_encrypt:
+ movl $-128,%eax
+ cmovael %ebx,%eax
+ andl %eax,%ebx
+- jz .L008ecb_unaligned_tail
+- jmp .L007ecb_loop
++ jz .L010ecb_unaligned_tail
++ jmp .L009ecb_loop
+ .align 16
+-.L007ecb_loop:
++.L009ecb_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -236,13 +251,13 @@ padlock_ecb_encrypt:
+ testl $15,%edi
+ cmovnzl %esp,%edi
+ testl $15,%esi
+- jz .L009ecb_inp_aligned
++ jz .L011ecb_inp_aligned
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+ movl %ebx,%ecx
+ movl %edi,%esi
+-.L009ecb_inp_aligned:
++.L011ecb_inp_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -250,23 +265,23 @@ padlock_ecb_encrypt:
+ movl (%ebp),%edi
+ movl 12(%ebp),%ebx
+ testl $15,%edi
+- jz .L010ecb_out_aligned
++ jz .L012ecb_out_aligned
+ movl %ebx,%ecx
+ leal (%esp),%esi
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+-.L010ecb_out_aligned:
++.L012ecb_out_aligned:
+ movl 4(%ebp),%esi
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jz .L011ecb_break
++ jz .L013ecb_break
+ cmpl %ebx,%ecx
+- jae .L007ecb_loop
+-.L008ecb_unaligned_tail:
++ jae .L009ecb_loop
++.L010ecb_unaligned_tail:
+ xorl %eax,%eax
+ cmpl %ebp,%esp
+ cmovel %ecx,%eax
+@@ -279,24 +294,24 @@ padlock_ecb_encrypt:
+ movl %esp,%esi
+ movl %eax,%edi
+ movl %ebx,%ecx
+- jmp .L007ecb_loop
++ jmp .L009ecb_loop
+ .align 16
+-.L011ecb_break:
++.L013ecb_break:
+ cmpl %ebp,%esp
+- je .L012ecb_done
++ je .L014ecb_done
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-.L013ecb_bzero:
++.L015ecb_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja .L013ecb_bzero
+-.L012ecb_done:
++ ja .L015ecb_bzero
++.L014ecb_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+- jmp .L014ecb_exit
++ jmp .L016ecb_exit
+ .align 16
+-.L006ecb_aligned:
++.L008ecb_aligned:
+ leal (%esi,%ecx,1),%ebp
+ negl %ebp
+ andl $4095,%ebp
+@@ -306,14 +321,14 @@ padlock_ecb_encrypt:
+ cmovael %eax,%ebp
+ andl %ecx,%ebp
+ subl %ebp,%ecx
+- jz .L015ecb_aligned_tail
++ jz .L017ecb_aligned_tail
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+ .byte 243,15,167,200
+ testl %ebp,%ebp
+- jz .L014ecb_exit
+-.L015ecb_aligned_tail:
++ jz .L016ecb_exit
++.L017ecb_aligned_tail:
+ movl %ebp,%ecx
+ leal -24(%esp),%ebp
+ movl %ebp,%esp
+@@ -330,11 +345,11 @@ padlock_ecb_encrypt:
+ movl %esp,%esi
+ movl %eax,%edi
+ movl %ebx,%ecx
+- jmp .L007ecb_loop
+-.L014ecb_exit:
++ jmp .L009ecb_loop
++.L016ecb_exit:
+ movl $1,%eax
+ leal 4(%esp),%esp
+-.L004ecb_abort:
++.L006ecb_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -346,6 +361,7 @@ padlock_ecb_encrypt:
+ .align 16
+ padlock_cbc_encrypt:
+ .L_padlock_cbc_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -355,25 +371,25 @@ padlock_cbc_encrypt:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz .L016cbc_abort
++ jnz .L018cbc_abort
+ testl $15,%ecx
+- jnz .L016cbc_abort
+- leal .Lpadlock_saved_context-.L017cbc_pic_point,%eax
++ jnz .L018cbc_abort
++ leal .Lpadlock_saved_context-.L019cbc_pic_point,%eax
+ pushfl
+ cld
+ call _padlock_verify_ctx
+-.L017cbc_pic_point:
++.L019cbc_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ xorl %ebx,%ebx
+ testl $32,(%edx)
+- jnz .L018cbc_aligned
++ jnz .L020cbc_aligned
+ testl $15,%edi
+ setz %al
+ testl $15,%esi
+ setz %bl
+ testl %ebx,%eax
+- jnz .L018cbc_aligned
++ jnz .L020cbc_aligned
+ negl %eax
+ movl $512,%ebx
+ notl %eax
+@@ -392,7 +408,7 @@ padlock_cbc_encrypt:
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+ cmpl %ebx,%ecx
+- ja .L019cbc_loop
++ ja .L021cbc_loop
+ movl %esi,%eax
+ cmpl %esp,%ebp
+ cmovel %edi,%eax
+@@ -403,10 +419,10 @@ padlock_cbc_encrypt:
+ movl $-64,%eax
+ cmovael %ebx,%eax
+ andl %eax,%ebx
+- jz .L020cbc_unaligned_tail
+- jmp .L019cbc_loop
++ jz .L022cbc_unaligned_tail
++ jmp .L021cbc_loop
+ .align 16
+-.L019cbc_loop:
++.L021cbc_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -415,13 +431,13 @@ padlock_cbc_encrypt:
+ testl $15,%edi
+ cmovnzl %esp,%edi
+ testl $15,%esi
+- jz .L021cbc_inp_aligned
++ jz .L023cbc_inp_aligned
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+ movl %ebx,%ecx
+ movl %edi,%esi
+-.L021cbc_inp_aligned:
++.L023cbc_inp_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -431,23 +447,23 @@ padlock_cbc_encrypt:
+ movl (%ebp),%edi
+ movl 12(%ebp),%ebx
+ testl $15,%edi
+- jz .L022cbc_out_aligned
++ jz .L024cbc_out_aligned
+ movl %ebx,%ecx
+ leal (%esp),%esi
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+-.L022cbc_out_aligned:
++.L024cbc_out_aligned:
+ movl 4(%ebp),%esi
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jz .L023cbc_break
++ jz .L025cbc_break
+ cmpl %ebx,%ecx
+- jae .L019cbc_loop
+-.L020cbc_unaligned_tail:
++ jae .L021cbc_loop
++.L022cbc_unaligned_tail:
+ xorl %eax,%eax
+ cmpl %ebp,%esp
+ cmovel %ecx,%eax
+@@ -460,24 +476,24 @@ padlock_cbc_encrypt:
+ movl %esp,%esi
+ movl %eax,%edi
+ movl %ebx,%ecx
+- jmp .L019cbc_loop
++ jmp .L021cbc_loop
+ .align 16
+-.L023cbc_break:
++.L025cbc_break:
+ cmpl %ebp,%esp
+- je .L024cbc_done
++ je .L026cbc_done
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-.L025cbc_bzero:
++.L027cbc_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja .L025cbc_bzero
+-.L024cbc_done:
++ ja .L027cbc_bzero
++.L026cbc_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+- jmp .L026cbc_exit
++ jmp .L028cbc_exit
+ .align 16
+-.L018cbc_aligned:
++.L020cbc_aligned:
+ leal (%esi,%ecx,1),%ebp
+ negl %ebp
+ andl $4095,%ebp
+@@ -487,7 +503,7 @@ padlock_cbc_encrypt:
+ cmovael %eax,%ebp
+ andl %ecx,%ebp
+ subl %ebp,%ecx
+- jz .L027cbc_aligned_tail
++ jz .L029cbc_aligned_tail
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -495,8 +511,8 @@ padlock_cbc_encrypt:
+ movaps (%eax),%xmm0
+ movaps %xmm0,-16(%edx)
+ testl %ebp,%ebp
+- jz .L026cbc_exit
+-.L027cbc_aligned_tail:
++ jz .L028cbc_exit
++.L029cbc_aligned_tail:
+ movl %ebp,%ecx
+ leal -24(%esp),%ebp
+ movl %ebp,%esp
+@@ -513,11 +529,11 @@ padlock_cbc_encrypt:
+ movl %esp,%esi
+ movl %eax,%edi
+ movl %ebx,%ecx
+- jmp .L019cbc_loop
+-.L026cbc_exit:
++ jmp .L021cbc_loop
++.L028cbc_exit:
+ movl $1,%eax
+ leal 4(%esp),%esp
+-.L016cbc_abort:
++.L018cbc_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -529,6 +545,7 @@ padlock_cbc_encrypt:
+ .align 16
+ padlock_cfb_encrypt:
+ .L_padlock_cfb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -538,25 +555,25 @@ padlock_cfb_encrypt:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz .L028cfb_abort
++ jnz .L030cfb_abort
+ testl $15,%ecx
+- jnz .L028cfb_abort
+- leal .Lpadlock_saved_context-.L029cfb_pic_point,%eax
++ jnz .L030cfb_abort
++ leal .Lpadlock_saved_context-.L031cfb_pic_point,%eax
+ pushfl
+ cld
+ call _padlock_verify_ctx
+-.L029cfb_pic_point:
++.L031cfb_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ xorl %ebx,%ebx
+ testl $32,(%edx)
+- jnz .L030cfb_aligned
++ jnz .L032cfb_aligned
+ testl $15,%edi
+ setz %al
+ testl $15,%esi
+ setz %bl
+ testl %ebx,%eax
+- jnz .L030cfb_aligned
++ jnz .L032cfb_aligned
+ negl %eax
+ movl $512,%ebx
+ notl %eax
+@@ -574,9 +591,9 @@ padlock_cfb_encrypt:
+ andl $-16,%ebp
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+- jmp .L031cfb_loop
++ jmp .L033cfb_loop
+ .align 16
+-.L031cfb_loop:
++.L033cfb_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -585,13 +602,13 @@ padlock_cfb_encrypt:
+ testl $15,%edi
+ cmovnzl %esp,%edi
+ testl $15,%esi
+- jz .L032cfb_inp_aligned
++ jz .L034cfb_inp_aligned
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+ movl %ebx,%ecx
+ movl %edi,%esi
+-.L032cfb_inp_aligned:
++.L034cfb_inp_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -601,45 +618,45 @@ padlock_cfb_encrypt:
+ movl (%ebp),%edi
+ movl 12(%ebp),%ebx
+ testl $15,%edi
+- jz .L033cfb_out_aligned
++ jz .L035cfb_out_aligned
+ movl %ebx,%ecx
+ leal (%esp),%esi
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+-.L033cfb_out_aligned:
++.L035cfb_out_aligned:
+ movl 4(%ebp),%esi
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jnz .L031cfb_loop
++ jnz .L033cfb_loop
+ cmpl %ebp,%esp
+- je .L034cfb_done
++ je .L036cfb_done
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-.L035cfb_bzero:
++.L037cfb_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja .L035cfb_bzero
+-.L034cfb_done:
++ ja .L037cfb_bzero
++.L036cfb_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+- jmp .L036cfb_exit
++ jmp .L038cfb_exit
+ .align 16
+-.L030cfb_aligned:
++.L032cfb_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+ .byte 243,15,167,224
+ movaps (%eax),%xmm0
+ movaps %xmm0,-16(%edx)
+-.L036cfb_exit:
++.L038cfb_exit:
+ movl $1,%eax
+ leal 4(%esp),%esp
+-.L028cfb_abort:
++.L030cfb_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -651,6 +668,7 @@ padlock_cfb_encrypt:
+ .align 16
+ padlock_ofb_encrypt:
+ .L_padlock_ofb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -660,25 +678,25 @@ padlock_ofb_encrypt:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz .L037ofb_abort
++ jnz .L039ofb_abort
+ testl $15,%ecx
+- jnz .L037ofb_abort
+- leal .Lpadlock_saved_context-.L038ofb_pic_point,%eax
++ jnz .L039ofb_abort
++ leal .Lpadlock_saved_context-.L040ofb_pic_point,%eax
+ pushfl
+ cld
+ call _padlock_verify_ctx
+-.L038ofb_pic_point:
++.L040ofb_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ xorl %ebx,%ebx
+ testl $32,(%edx)
+- jnz .L039ofb_aligned
++ jnz .L041ofb_aligned
+ testl $15,%edi
+ setz %al
+ testl $15,%esi
+ setz %bl
+ testl %ebx,%eax
+- jnz .L039ofb_aligned
++ jnz .L041ofb_aligned
+ negl %eax
+ movl $512,%ebx
+ notl %eax
+@@ -696,9 +714,9 @@ padlock_ofb_encrypt:
+ andl $-16,%ebp
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+- jmp .L040ofb_loop
++ jmp .L042ofb_loop
+ .align 16
+-.L040ofb_loop:
++.L042ofb_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -707,13 +725,13 @@ padlock_ofb_encrypt:
+ testl $15,%edi
+ cmovnzl %esp,%edi
+ testl $15,%esi
+- jz .L041ofb_inp_aligned
++ jz .L043ofb_inp_aligned
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+ movl %ebx,%ecx
+ movl %edi,%esi
+-.L041ofb_inp_aligned:
++.L043ofb_inp_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -723,45 +741,45 @@ padlock_ofb_encrypt:
+ movl (%ebp),%edi
+ movl 12(%ebp),%ebx
+ testl $15,%edi
+- jz .L042ofb_out_aligned
++ jz .L044ofb_out_aligned
+ movl %ebx,%ecx
+ leal (%esp),%esi
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+-.L042ofb_out_aligned:
++.L044ofb_out_aligned:
+ movl 4(%ebp),%esi
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jnz .L040ofb_loop
++ jnz .L042ofb_loop
+ cmpl %ebp,%esp
+- je .L043ofb_done
++ je .L045ofb_done
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-.L044ofb_bzero:
++.L046ofb_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja .L044ofb_bzero
+-.L043ofb_done:
++ ja .L046ofb_bzero
++.L045ofb_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+- jmp .L045ofb_exit
++ jmp .L047ofb_exit
+ .align 16
+-.L039ofb_aligned:
++.L041ofb_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+ .byte 243,15,167,232
+ movaps (%eax),%xmm0
+ movaps %xmm0,-16(%edx)
+-.L045ofb_exit:
++.L047ofb_exit:
+ movl $1,%eax
+ leal 4(%esp),%esp
+-.L037ofb_abort:
++.L039ofb_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -773,6 +791,7 @@ padlock_ofb_encrypt:
+ .align 16
+ padlock_ctr32_encrypt:
+ .L_padlock_ctr32_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -782,14 +801,14 @@ padlock_ctr32_encrypt:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz .L046ctr32_abort
++ jnz .L048ctr32_abort
+ testl $15,%ecx
+- jnz .L046ctr32_abort
+- leal .Lpadlock_saved_context-.L047ctr32_pic_point,%eax
++ jnz .L048ctr32_abort
++ leal .Lpadlock_saved_context-.L049ctr32_pic_point,%eax
+ pushfl
+ cld
+ call _padlock_verify_ctx
+-.L047ctr32_pic_point:
++.L049ctr32_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ movq -16(%edx),%mm0
+@@ -809,9 +828,9 @@ padlock_ctr32_encrypt:
+ andl $-16,%ebp
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+- jmp .L048ctr32_loop
++ jmp .L050ctr32_loop
+ .align 16
+-.L048ctr32_loop:
++.L050ctr32_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -820,7 +839,7 @@ padlock_ctr32_encrypt:
+ movl -4(%edx),%ecx
+ xorl %edi,%edi
+ movl -8(%edx),%eax
+-.L049ctr32_prepare:
++.L051ctr32_prepare:
+ movl %ecx,12(%esp,%edi,1)
+ bswap %ecx
+ movq %mm0,(%esp,%edi,1)
+@@ -829,7 +848,7 @@ padlock_ctr32_encrypt:
+ bswap %ecx
+ leal 16(%edi),%edi
+ cmpl %ebx,%edi
+- jb .L049ctr32_prepare
++ jb .L051ctr32_prepare
+ movl %ecx,-4(%edx)
+ leal (%esp),%esi
+ leal (%esp),%edi
+@@ -842,33 +861,33 @@ padlock_ctr32_encrypt:
+ movl 12(%ebp),%ebx
+ movl 4(%ebp),%esi
+ xorl %ecx,%ecx
+-.L050ctr32_xor:
++.L052ctr32_xor:
+ movups (%esi,%ecx,1),%xmm1
+ leal 16(%ecx),%ecx
+ pxor -16(%esp,%ecx,1),%xmm1
+ movups %xmm1,-16(%edi,%ecx,1)
+ cmpl %ebx,%ecx
+- jb .L050ctr32_xor
++ jb .L052ctr32_xor
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jnz .L048ctr32_loop
++ jnz .L050ctr32_loop
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-.L051ctr32_bzero:
++.L053ctr32_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja .L051ctr32_bzero
+-.L052ctr32_done:
++ ja .L053ctr32_bzero
++.L054ctr32_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+ movl $1,%eax
+ leal 4(%esp),%esp
+ emms
+-.L046ctr32_abort:
++.L048ctr32_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -880,6 +899,7 @@ padlock_ctr32_encrypt:
+ .align 16
+ padlock_xstore:
+ .L_padlock_xstore_begin:
++.byte 243,15,30,251
+ pushl %edi
+ movl 8(%esp),%edi
+ movl 12(%esp),%edx
+@@ -890,14 +910,15 @@ padlock_xstore:
+ .type _win32_segv_handler,@function
+ .align 16
+ _win32_segv_handler:
++.byte 243,15,30,251
+ movl $1,%eax
+ movl 4(%esp),%edx
+ movl 12(%esp),%ecx
+ cmpl $3221225477,(%edx)
+- jne .L053ret
++ jne .L055ret
+ addl $4,184(%ecx)
+ movl $0,%eax
+-.L053ret:
++.L055ret:
+ ret
+ .size _win32_segv_handler,.-_win32_segv_handler
+ .globl padlock_sha1_oneshot
+@@ -905,6 +926,7 @@ _win32_segv_handler:
+ .align 16
+ padlock_sha1_oneshot:
+ .L_padlock_sha1_oneshot_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ xorl %eax,%eax
+@@ -936,6 +958,7 @@ padlock_sha1_oneshot:
+ .align 16
+ padlock_sha1_blocks:
+ .L_padlock_sha1_blocks_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ movl 12(%esp),%edi
+@@ -966,6 +989,7 @@ padlock_sha1_blocks:
+ .align 16
+ padlock_sha256_oneshot:
+ .L_padlock_sha256_oneshot_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ xorl %eax,%eax
+@@ -997,6 +1021,7 @@ padlock_sha256_oneshot:
+ .align 16
+ padlock_sha256_blocks:
+ .L_padlock_sha256_blocks_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ movl 12(%esp),%edi
+@@ -1027,6 +1052,7 @@ padlock_sha256_blocks:
+ .align 16
+ padlock_sha512_blocks:
+ .L_padlock_sha512_blocks_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ movl 12(%esp),%edi
+@@ -1069,7 +1095,21 @@ padlock_sha512_blocks:
+ .Lpadlock_saved_context:
+ .long 0
+
++ .section ".note.gnu.property", "a"
++ .p2align 2
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ .asciz "GNU"
++1:
++ .p2align 2
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 2
++4:
+
+ .section .note.GNU-stack,"",%progbits
+-
+-
+diff --git a/lib/accelerated/x86/elf/e_padlock-x86_64.s b/lib/accelerated/x86/elf/e_padlock-x86_64.s
+index c161f0a73..f92da756c 100644
+--- a/lib/accelerated/x86/elf/e_padlock-x86_64.s
++++ b/lib/accelerated/x86/elf/e_padlock-x86_64.s
+@@ -1,4 +1,4 @@
+-# Copyright (c) 2011-2013, Andy Polyakov <appro@openssl.org>
++# Copyright (c) 2011-2016, Andy Polyakov <appro@openssl.org>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without
+@@ -42,36 +42,50 @@
+ .type padlock_capability,@function
+ .align 16
+ padlock_capability:
++.cfi_startproc
++.byte 243,15,30,250
+ movq %rbx,%r8
+ xorl %eax,%eax
+ cpuid
+ xorl %eax,%eax
+- cmpl $1953391939,%ebx
++ cmpl $0x746e6543,%ebx
++ jne .Lzhaoxin
++ cmpl $0x48727561,%edx
+ jne .Lnoluck
+- cmpl $1215460705,%edx
++ cmpl $0x736c7561,%ecx
+ jne .Lnoluck
+- cmpl $1936487777,%ecx
++ jmp .LzhaoxinEnd
++.Lzhaoxin:
++ cmpl $0x68532020,%ebx
+ jne .Lnoluck
+- movl $3221225472,%eax
++ cmpl $0x68676e61,%edx
++ jne .Lnoluck
++ cmpl $0x20206961,%ecx
++ jne .Lnoluck
++.LzhaoxinEnd:
++ movl $0xC0000000,%eax
+ cpuid
+ movl %eax,%edx
+ xorl %eax,%eax
+- cmpl $3221225473,%edx
++ cmpl $0xC0000001,%edx
+ jb .Lnoluck
+- movl $3221225473,%eax
++ movl $0xC0000001,%eax
+ cpuid
+ movl %edx,%eax
+- andl $4294967279,%eax
+- orl $16,%eax
++ andl $0xffffffef,%eax
++ orl $0x10,%eax
+ .Lnoluck:
+ movq %r8,%rbx
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_capability,.-padlock_capability
+
+ .globl padlock_key_bswap
+ .type padlock_key_bswap,@function
+ .align 16
+ padlock_key_bswap:
++.cfi_startproc
++.byte 243,15,30,250
+ movl 240(%rdi),%edx
+ .Lbswap_loop:
+ movl (%rdi),%eax
+@@ -81,23 +95,29 @@ padlock_key_bswap:
+ subl $1,%edx
+ jnz .Lbswap_loop
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_key_bswap,.-padlock_key_bswap
+
+ .globl padlock_verify_context
+ .type padlock_verify_context,@function
+ .align 16
+ padlock_verify_context:
++.cfi_startproc
++.byte 243,15,30,250
+ movq %rdi,%rdx
+ pushf
+ leaq .Lpadlock_saved_context(%rip),%rax
+ call _padlock_verify_ctx
+ leaq 8(%rsp),%rsp
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_verify_context,.-padlock_verify_context
+
+ .type _padlock_verify_ctx,@function
+ .align 16
+ _padlock_verify_ctx:
++.cfi_startproc
++.byte 243,15,30,250
+ movq 8(%rsp),%r8
+ btq $30,%r8
+ jnc .Lverified
+@@ -108,43 +128,55 @@ _padlock_verify_ctx:
+ .Lverified:
+ movq %rdx,(%rax)
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size _padlock_verify_ctx,.-_padlock_verify_ctx
+
+ .globl padlock_reload_key
+ .type padlock_reload_key,@function
+ .align 16
+ padlock_reload_key:
++.cfi_startproc
++.byte 243,15,30,250
+ pushf
+ popf
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_reload_key,.-padlock_reload_key
+
+ .globl padlock_aes_block
+ .type padlock_aes_block,@function
+ .align 16
+ padlock_aes_block:
++.cfi_startproc
++.byte 243,15,30,250
+ movq %rbx,%r8
+ movq $1,%rcx
+ leaq 32(%rdx),%rbx
+ leaq 16(%rdx),%rdx
+-.byte 0xf3,0x0f,0xa7,0xc8
++.byte 0xf3,0x0f,0xa7,0xc8
+ movq %r8,%rbx
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_aes_block,.-padlock_aes_block
+
+ .globl padlock_xstore
+ .type padlock_xstore,@function
+ .align 16
+ padlock_xstore:
++.cfi_startproc
++.byte 243,15,30,250
+ movl %esi,%edx
+-.byte 0x0f,0xa7,0xc0
++.byte 0x0f,0xa7,0xc0
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_xstore,.-padlock_xstore
+
+ .globl padlock_sha1_oneshot
+ .type padlock_sha1_oneshot,@function
+ .align 16
+ padlock_sha1_oneshot:
++.cfi_startproc
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -154,19 +186,22 @@ padlock_sha1_oneshot:
+ movq %rsp,%rdi
+ movl %eax,16(%rsp)
+ xorq %rax,%rax
+-.byte 0xf3,0x0f,0xa6,0xc8
++.byte 0xf3,0x0f,0xa6,0xc8
+ movaps (%rsp),%xmm0
+ movl 16(%rsp),%eax
+ addq $128+8,%rsp
+ movups %xmm0,(%rdx)
+ movl %eax,16(%rdx)
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_sha1_oneshot,.-padlock_sha1_oneshot
+
+ .globl padlock_sha1_blocks
+ .type padlock_sha1_blocks,@function
+ .align 16
+ padlock_sha1_blocks:
++.cfi_startproc
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -176,19 +211,22 @@ padlock_sha1_blocks:
+ movq %rsp,%rdi
+ movl %eax,16(%rsp)
+ movq $-1,%rax
+-.byte 0xf3,0x0f,0xa6,0xc8
++.byte 0xf3,0x0f,0xa6,0xc8
+ movaps (%rsp),%xmm0
+ movl 16(%rsp),%eax
+ addq $128+8,%rsp
+ movups %xmm0,(%rdx)
+ movl %eax,16(%rdx)
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_sha1_blocks,.-padlock_sha1_blocks
+
+ .globl padlock_sha256_oneshot
+ .type padlock_sha256_oneshot,@function
+ .align 16
+ padlock_sha256_oneshot:
++.cfi_startproc
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -198,19 +236,22 @@ padlock_sha256_oneshot:
+ movq %rsp,%rdi
+ movaps %xmm1,16(%rsp)
+ xorq %rax,%rax
+-.byte 0xf3,0x0f,0xa6,0xd0
++.byte 0xf3,0x0f,0xa6,0xd0
+ movaps (%rsp),%xmm0
+ movaps 16(%rsp),%xmm1
+ addq $128+8,%rsp
+ movups %xmm0,(%rdx)
+ movups %xmm1,16(%rdx)
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_sha256_oneshot,.-padlock_sha256_oneshot
+
+ .globl padlock_sha256_blocks
+ .type padlock_sha256_blocks,@function
+ .align 16
+ padlock_sha256_blocks:
++.cfi_startproc
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -220,19 +261,22 @@ padlock_sha256_blocks:
+ movq %rsp,%rdi
+ movaps %xmm1,16(%rsp)
+ movq $-1,%rax
+-.byte 0xf3,0x0f,0xa6,0xd0
++.byte 0xf3,0x0f,0xa6,0xd0
+ movaps (%rsp),%xmm0
+ movaps 16(%rsp),%xmm1
+ addq $128+8,%rsp
+ movups %xmm0,(%rdx)
+ movups %xmm1,16(%rdx)
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_sha256_blocks,.-padlock_sha256_blocks
+
+ .globl padlock_sha512_blocks
+ .type padlock_sha512_blocks,@function
+ .align 16
+ padlock_sha512_blocks:
++.cfi_startproc
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -245,7 +289,7 @@ padlock_sha512_blocks:
+ movaps %xmm1,16(%rsp)
+ movaps %xmm2,32(%rsp)
+ movaps %xmm3,48(%rsp)
+-.byte 0xf3,0x0f,0xa6,0xe0
++.byte 0xf3,0x0f,0xa6,0xe0
+ movaps (%rsp),%xmm0
+ movaps 16(%rsp),%xmm1
+ movaps 32(%rsp),%xmm2
+@@ -256,11 +300,14 @@ padlock_sha512_blocks:
+ movups %xmm2,32(%rdx)
+ movups %xmm3,48(%rdx)
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_sha512_blocks,.-padlock_sha512_blocks
+ .globl padlock_ecb_encrypt
+ .type padlock_ecb_encrypt,@function
+ .align 16
+ padlock_ecb_encrypt:
++.cfi_startproc
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -278,9 +325,9 @@ padlock_ecb_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz .Lecb_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz .Lecb_aligned
+@@ -304,7 +351,7 @@ padlock_ecb_encrypt:
+ cmoveq %rdi,%rax
+ addq %rcx,%rax
+ negq %rax
+- andq $4095,%rax
++ andq $0xfff,%rax
+ cmpq $128,%rax
+ movq $-128,%rax
+ cmovaeq %rbx,%rax
+@@ -320,12 +367,12 @@ padlock_ecb_encrypt:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz .Lecb_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -333,15 +380,15 @@ padlock_ecb_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,200
++.byte 0xf3,0x0f,0xa7,200
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz .Lecb_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ .Lecb_out_aligned:
+ movq %r9,%rsi
+@@ -362,7 +409,7 @@ padlock_ecb_encrypt:
+ subq %rax,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ movq %rsp,%rsi
+ movq %r8,%rdi
+ movq %rbx,%rcx
+@@ -388,7 +435,7 @@ padlock_ecb_encrypt:
+ .Lecb_aligned:
+ leaq (%rsi,%rcx,1),%rbp
+ negq %rbp
+- andq $4095,%rbp
++ andq $0xfff,%rbp
+ xorl %eax,%eax
+ cmpq $128,%rbp
+ movq $128-1,%rbp
+@@ -399,7 +446,7 @@ padlock_ecb_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,200
++.byte 0xf3,0x0f,0xa7,200
+ testq %rbp,%rbp
+ jz .Lecb_exit
+
+@@ -411,7 +458,7 @@ padlock_ecb_encrypt:
+ subq %rcx,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ leaq (%r8),%rdi
+ leaq (%rsp),%rsi
+ movq %rbx,%rcx
+@@ -423,11 +470,14 @@ padlock_ecb_encrypt:
+ popq %rbx
+ popq %rbp
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_ecb_encrypt,.-padlock_ecb_encrypt
+ .globl padlock_cbc_encrypt
+ .type padlock_cbc_encrypt,@function
+ .align 16
+ padlock_cbc_encrypt:
++.cfi_startproc
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -445,9 +495,9 @@ padlock_cbc_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz .Lcbc_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz .Lcbc_aligned
+@@ -471,7 +521,7 @@ padlock_cbc_encrypt:
+ cmoveq %rdi,%rax
+ addq %rcx,%rax
+ negq %rax
+- andq $4095,%rax
++ andq $0xfff,%rax
+ cmpq $64,%rax
+ movq $-64,%rax
+ cmovaeq %rbx,%rax
+@@ -487,12 +537,12 @@ padlock_cbc_encrypt:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz .Lcbc_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -500,17 +550,17 @@ padlock_cbc_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,208
++.byte 0xf3,0x0f,0xa7,208
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz .Lcbc_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ .Lcbc_out_aligned:
+ movq %r9,%rsi
+@@ -531,7 +581,7 @@ padlock_cbc_encrypt:
+ subq %rax,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ movq %rsp,%rsi
+ movq %r8,%rdi
+ movq %rbx,%rcx
+@@ -557,7 +607,7 @@ padlock_cbc_encrypt:
+ .Lcbc_aligned:
+ leaq (%rsi,%rcx,1),%rbp
+ negq %rbp
+- andq $4095,%rbp
++ andq $0xfff,%rbp
+ xorl %eax,%eax
+ cmpq $64,%rbp
+ movq $64-1,%rbp
+@@ -568,7 +618,7 @@ padlock_cbc_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,208
++.byte 0xf3,0x0f,0xa7,208
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ testq %rbp,%rbp
+@@ -582,7 +632,7 @@ padlock_cbc_encrypt:
+ subq %rcx,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ leaq (%r8),%rdi
+ leaq (%rsp),%rsi
+ movq %rbx,%rcx
+@@ -594,11 +644,14 @@ padlock_cbc_encrypt:
+ popq %rbx
+ popq %rbp
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_cbc_encrypt,.-padlock_cbc_encrypt
+ .globl padlock_cfb_encrypt
+ .type padlock_cfb_encrypt,@function
+ .align 16
+ padlock_cfb_encrypt:
++.cfi_startproc
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -616,9 +669,9 @@ padlock_cfb_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz .Lcfb_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz .Lcfb_aligned
+@@ -645,12 +698,12 @@ padlock_cfb_encrypt:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz .Lcfb_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -658,17 +711,17 @@ padlock_cfb_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,224
++.byte 0xf3,0x0f,0xa7,224
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz .Lcfb_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ .Lcfb_out_aligned:
+ movq %r9,%rsi
+@@ -698,7 +751,7 @@ padlock_cfb_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,224
++.byte 0xf3,0x0f,0xa7,224
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ .Lcfb_exit:
+@@ -708,11 +761,14 @@ padlock_cfb_encrypt:
+ popq %rbx
+ popq %rbp
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_cfb_encrypt,.-padlock_cfb_encrypt
+ .globl padlock_ofb_encrypt
+ .type padlock_ofb_encrypt,@function
+ .align 16
+ padlock_ofb_encrypt:
++.cfi_startproc
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -730,9 +786,9 @@ padlock_ofb_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz .Lofb_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz .Lofb_aligned
+@@ -759,12 +815,12 @@ padlock_ofb_encrypt:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz .Lofb_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -772,17 +828,17 @@ padlock_ofb_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,232
++.byte 0xf3,0x0f,0xa7,232
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz .Lofb_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ .Lofb_out_aligned:
+ movq %r9,%rsi
+@@ -812,7 +868,7 @@ padlock_ofb_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,232
++.byte 0xf3,0x0f,0xa7,232
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ .Lofb_exit:
+@@ -822,11 +878,14 @@ padlock_ofb_encrypt:
+ popq %rbx
+ popq %rbp
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_ofb_encrypt,.-padlock_ofb_encrypt
+ .globl padlock_ctr32_encrypt
+ .type padlock_ctr32_encrypt,@function
+ .align 16
+ padlock_ctr32_encrypt:
++.cfi_startproc
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -844,9 +903,9 @@ padlock_ctr32_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz .Lctr32_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz .Lctr32_aligned
+@@ -881,7 +940,7 @@ padlock_ctr32_encrypt:
+ cmoveq %rdi,%rax
+ addq %rcx,%rax
+ negq %rax
+- andq $4095,%rax
++ andq $0xfff,%rax
+ cmpq $32,%rax
+ movq $-32,%rax
+ cmovaeq %rbx,%rax
+@@ -897,12 +956,12 @@ padlock_ctr32_encrypt:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz .Lctr32_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -910,23 +969,23 @@ padlock_ctr32_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,216
++.byte 0xf3,0x0f,0xa7,216
+ movl -4(%rdx),%eax
+- testl $4294901760,%eax
++ testl $0xffff0000,%eax
+ jnz .Lctr32_no_carry
+ bswapl %eax
+- addl $65536,%eax
++ addl $0x10000,%eax
+ bswapl %eax
+ movl %eax,-4(%rdx)
+ .Lctr32_no_carry:
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz .Lctr32_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ .Lctr32_out_aligned:
+ movq %r9,%rsi
+@@ -944,7 +1003,7 @@ padlock_ctr32_encrypt:
+ cmoveq %rdi,%rax
+ addq %rcx,%rax
+ negq %rax
+- andq $4095,%rax
++ andq $0xfff,%rax
+ cmpq $32,%rax
+ movq $-32,%rax
+ cmovaeq %rbx,%rax
+@@ -959,7 +1018,7 @@ padlock_ctr32_encrypt:
+ subq %rax,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ movq %rsp,%rsi
+ movq %r8,%rdi
+ movq %rbx,%rcx
+@@ -986,7 +1045,7 @@ padlock_ctr32_encrypt:
+ movl -4(%rdx),%eax
+ bswapl %eax
+ negl %eax
+- andl $65535,%eax
++ andl $0xffff,%eax
+ movq $1048576,%rbx
+ shll $4,%eax
+ cmovzq %rbx,%rax
+@@ -1003,11 +1062,11 @@ padlock_ctr32_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,216
++.byte 0xf3,0x0f,0xa7,216
+
+ movl -4(%rdx),%eax
+ bswapl %eax
+- addl $65536,%eax
++ addl $0x10000,%eax
+ bswapl %eax
+ movl %eax,-4(%rdx)
+
+@@ -1021,7 +1080,7 @@ padlock_ctr32_encrypt:
+ .Lctr32_aligned_skip:
+ leaq (%rsi,%rcx,1),%rbp
+ negq %rbp
+- andq $4095,%rbp
++ andq $0xfff,%rbp
+ xorl %eax,%eax
+ cmpq $32,%rbp
+ movq $32-1,%rbp
+@@ -1032,7 +1091,7 @@ padlock_ctr32_encrypt:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,216
++.byte 0xf3,0x0f,0xa7,216
+ testq %rbp,%rbp
+ jz .Lctr32_exit
+
+@@ -1044,7 +1103,7 @@ padlock_ctr32_encrypt:
+ subq %rcx,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ leaq (%r8),%rdi
+ leaq (%rsp),%rsi
+ movq %rbx,%rcx
+@@ -1056,6 +1115,7 @@ padlock_ctr32_encrypt:
+ popq %rbx
+ popq %rbp
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size padlock_ctr32_encrypt,.-padlock_ctr32_encrypt
+ .byte 86,73,65,32,80,97,100,108,111,99,107,32,120,56,54,95,54,52,32,109,111,100,117,108,101,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
+ .align 16
+@@ -1063,8 +1123,26 @@ padlock_ctr32_encrypt:
+ .align 8
+ .Lpadlock_saved_context:
+ .quad 0
+-
++ .section ".note.gnu.property", "a"
++ .p2align 3
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ # "GNU" encoded with .byte, since .asciz isn't supported
++ # on Solaris.
++ .byte 0x47
++ .byte 0x4e
++ .byte 0x55
++ .byte 0
++1:
++ .p2align 3
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 3
++4:
+
+ .section .note.GNU-stack,"",%progbits
+-
+-
+diff --git a/lib/accelerated/x86/elf/ghash-x86_64.s b/lib/accelerated/x86/elf/ghash-x86_64.s
+index 1e4d18b34..8da3f294c 100644
+--- a/lib/accelerated/x86/elf/ghash-x86_64.s
++++ b/lib/accelerated/x86/elf/ghash-x86_64.s
+@@ -45,6 +45,7 @@
+ .align 16
+ gcm_gmult_4bit:
+ .cfi_startproc
++.byte 243,15,30,250
+ pushq %rbx
+ .cfi_adjust_cfa_offset 8
+ .cfi_offset %rbx,-16
+@@ -156,6 +157,7 @@ gcm_gmult_4bit:
+ .align 16
+ gcm_ghash_4bit:
+ .cfi_startproc
++.byte 243,15,30,250
+ pushq %rbx
+ .cfi_adjust_cfa_offset 8
+ .cfi_offset %rbx,-16
+@@ -903,6 +905,7 @@ gcm_init_clmul:
+ .align 16
+ gcm_gmult_clmul:
+ .cfi_startproc
++.byte 243,15,30,250
+ .L_gmult_clmul:
+ movdqu (%rdi),%xmm0
+ movdqa .Lbswap_mask(%rip),%xmm5
+@@ -956,6 +959,7 @@ gcm_gmult_clmul:
+ .align 32
+ gcm_ghash_clmul:
+ .cfi_startproc
++.byte 243,15,30,250
+ .L_ghash_clmul:
+ movdqa .Lbswap_mask(%rip),%xmm10
+
+@@ -1450,6 +1454,7 @@ gcm_init_avx:
+ .align 32
+ gcm_gmult_avx:
+ .cfi_startproc
++.byte 243,15,30,250
+ jmp .L_gmult_clmul
+ .cfi_endproc
+ .size gcm_gmult_avx,.-gcm_gmult_avx
+@@ -1458,6 +1463,7 @@ gcm_gmult_avx:
+ .align 32
+ gcm_ghash_avx:
+ .cfi_startproc
++.byte 243,15,30,250
+ vzeroupper
+
+ vmovdqu (%rdi),%xmm10
+@@ -1884,5 +1890,26 @@ gcm_ghash_avx:
+
+ .byte 71,72,65,83,72,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
+ .align 64
++ .section ".note.gnu.property", "a"
++ .p2align 3
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ # "GNU" encoded with .byte, since .asciz isn't supported
++ # on Solaris.
++ .byte 0x47
++ .byte 0x4e
++ .byte 0x55
++ .byte 0
++1:
++ .p2align 3
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 3
++4:
+
+ .section .note.GNU-stack,"",%progbits
+diff --git a/lib/accelerated/x86/elf/sha1-ssse3-x86.s b/lib/accelerated/x86/elf/sha1-ssse3-x86.s
+index 8bfbcb6b3..57b6ba58f 100644
+--- a/lib/accelerated/x86/elf/sha1-ssse3-x86.s
++++ b/lib/accelerated/x86/elf/sha1-ssse3-x86.s
+@@ -43,6 +43,7 @@
+ .align 16
+ sha1_block_data_order:
+ .L_sha1_block_data_order_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -1417,4 +1418,21 @@ sha1_block_data_order:
+ .byte 89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112
+ .byte 114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
+
++ .section ".note.gnu.property", "a"
++ .p2align 2
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ .asciz "GNU"
++1:
++ .p2align 2
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 2
++4:
++
+ .section .note.GNU-stack,"",%progbits
+diff --git a/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s
+index 1e6546e11..54095050c 100644
+--- a/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s
++++ b/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s
+@@ -1460,8 +1460,8 @@ _shaext_shortcut:
+ pshufd $27,%xmm1,%xmm1
+ movdqu %xmm0,(%rdi)
+ movd %xmm1,16(%rdi)
+-.cfi_endproc
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size sha1_block_data_order_shaext,.-sha1_block_data_order_shaext
+ .type sha1_block_data_order_ssse3,@function
+ .align 16
+@@ -5487,5 +5487,26 @@ K_XX_XX:
+ .byte 0xf,0xe,0xd,0xc,0xb,0xa,0x9,0x8,0x7,0x6,0x5,0x4,0x3,0x2,0x1,0x0
+ .byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
+ .align 64
++ .section ".note.gnu.property", "a"
++ .p2align 3
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ # "GNU" encoded with .byte, since .asciz isn't supported
++ # on Solaris.
++ .byte 0x47
++ .byte 0x4e
++ .byte 0x55
++ .byte 0
++1:
++ .p2align 3
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 3
++4:
+
+ .section .note.GNU-stack,"",%progbits
+diff --git a/lib/accelerated/x86/elf/sha256-ssse3-x86.s b/lib/accelerated/x86/elf/sha256-ssse3-x86.s
+index 8d9aaa4a8..6d16b9140 100644
+--- a/lib/accelerated/x86/elf/sha256-ssse3-x86.s
++++ b/lib/accelerated/x86/elf/sha256-ssse3-x86.s
+@@ -43,6 +43,7 @@
+ .align 16
+ sha256_block_data_order:
+ .L_sha256_block_data_order_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -3384,4 +3385,21 @@ sha256_block_data_order:
+ ret
+ .size sha256_block_data_order,.-.L_sha256_block_data_order_begin
+
++ .section ".note.gnu.property", "a"
++ .p2align 2
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ .asciz "GNU"
++1:
++ .p2align 2
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 2
++4:
++
+ .section .note.GNU-stack,"",%progbits
+diff --git a/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s
+index 4b08e0c85..1514ee45c 100644
+--- a/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s
++++ b/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s
+@@ -1814,6 +1814,7 @@ K256:
+ .align 64
+ sha256_block_data_order_shaext:
+ _shaext_shortcut:
++.cfi_startproc
+ leaq K256+128(%rip),%rcx
+ movdqu (%rdi),%xmm1
+ movdqu 16(%rdi),%xmm2
+@@ -2016,6 +2017,7 @@ _shaext_shortcut:
+ movdqu %xmm1,(%rdi)
+ movdqu %xmm2,16(%rdi)
+ .byte 0xf3,0xc3
++.cfi_endproc
+ .size sha256_block_data_order_shaext,.-sha256_block_data_order_shaext
+ .type sha256_block_data_order_ssse3,@function
+ .align 64
+@@ -4277,7 +4279,15 @@ sha256_block_data_order_avx2:
+ vmovdqa %ymm4,0(%rsp)
+ xorl %r14d,%r14d
+ vmovdqa %ymm5,32(%rsp)
++
++ movq 88(%rsp),%rdi
++.cfi_def_cfa %rdi,8
+ leaq -64(%rsp),%rsp
++
++
++
++ movq %rdi,-8(%rsp)
++.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08
+ movl %ebx,%edi
+ vmovdqa %ymm6,0(%rsp)
+ xorl %ecx,%edi
+@@ -4289,6 +4299,12 @@ sha256_block_data_order_avx2:
+ .align 16
+ .Lavx2_00_47:
+ leaq -64(%rsp),%rsp
++.cfi_escape 0x0f,0x05,0x77,0x38,0x06,0x23,0x08
++
++ pushq 64-8(%rsp)
++.cfi_escape 0x0f,0x05,0x77,0x00,0x06,0x23,0x08
++ leaq 8(%rsp),%rsp
++.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08
+ vpalignr $4,%ymm0,%ymm1,%ymm4
+ addl 0+128(%rsp),%r11d
+ andl %r8d,%r12d
+@@ -4544,6 +4560,12 @@ sha256_block_data_order_avx2:
+ movl %r9d,%r12d
+ vmovdqa %ymm6,32(%rsp)
+ leaq -64(%rsp),%rsp
++.cfi_escape 0x0f,0x05,0x77,0x38,0x06,0x23,0x08
++
++ pushq 64-8(%rsp)
++.cfi_escape 0x0f,0x05,0x77,0x00,0x06,0x23,0x08
++ leaq 8(%rsp),%rsp
++.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08
+ vpalignr $4,%ymm2,%ymm3,%ymm4
+ addl 0+128(%rsp),%r11d
+ andl %r8d,%r12d
+@@ -5419,6 +5441,8 @@ sha256_block_data_order_avx2:
+
+ leaq 448(%rsp),%rsp
+
++.cfi_escape 0x0f,0x06,0x77,0xd8,0x00,0x06,0x23,0x08
++
+ addl 0(%rdi),%eax
+ addl 4(%rdi),%ebx
+ addl 8(%rdi),%ecx
+@@ -5444,9 +5468,11 @@ sha256_block_data_order_avx2:
+ jbe .Loop_avx2
+ leaq (%rsp),%rbp
+
++
++.cfi_escape 0x0f,0x06,0x76,0xd8,0x00,0x06,0x23,0x08
++
+ .Ldone_avx2:
+- leaq (%rbp),%rsp
+- movq 88(%rsp),%rsi
++ movq 88(%rbp),%rsi
+ .cfi_def_cfa %rsi,8
+ vzeroupper
+ movq -48(%rsi),%r15
+@@ -5467,5 +5493,26 @@ sha256_block_data_order_avx2:
+ .byte 0xf3,0xc3
+ .cfi_endproc
+ .size sha256_block_data_order_avx2,.-sha256_block_data_order_avx2
++ .section ".note.gnu.property", "a"
++ .p2align 3
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ # "GNU" encoded with .byte, since .asciz isn't supported
++ # on Solaris.
++ .byte 0x47
++ .byte 0x4e
++ .byte 0x55
++ .byte 0
++1:
++ .p2align 3
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 3
++4:
+
+ .section .note.GNU-stack,"",%progbits
+diff --git a/lib/accelerated/x86/elf/sha512-ssse3-x86.s b/lib/accelerated/x86/elf/sha512-ssse3-x86.s
+index 481c77715..afca4eae7 100644
+--- a/lib/accelerated/x86/elf/sha512-ssse3-x86.s
++++ b/lib/accelerated/x86/elf/sha512-ssse3-x86.s
+@@ -43,6 +43,7 @@
+ .align 16
+ sha512_block_data_order:
+ .L_sha512_block_data_order_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -602,4 +603,21 @@ sha512_block_data_order:
+ .byte 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103
+ .byte 62,0
+
++ .section ".note.gnu.property", "a"
++ .p2align 2
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ .asciz "GNU"
++1:
++ .p2align 2
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 2
++4:
++
+ .section .note.GNU-stack,"",%progbits
+diff --git a/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s
+index e384d7e9e..a7be2cd44 100644
+--- a/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s
++++ b/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s
+@@ -4204,7 +4204,15 @@ sha512_block_data_order_avx2:
+ vmovdqa %ymm10,64(%rsp)
+ vpaddq 64(%rbp),%ymm6,%ymm10
+ vmovdqa %ymm11,96(%rsp)
++
++ movq 152(%rsp),%rdi
++.cfi_def_cfa %rdi,8
+ leaq -128(%rsp),%rsp
++
++
++
++ movq %rdi,-8(%rsp)
++.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08
+ vpaddq 96(%rbp),%ymm7,%ymm11
+ vmovdqa %ymm8,0(%rsp)
+ xorq %r14,%r14
+@@ -4220,6 +4228,12 @@ sha512_block_data_order_avx2:
+ .align 16
+ .Lavx2_00_47:
+ leaq -128(%rsp),%rsp
++.cfi_escape 0x0f,0x06,0x77,0xf8,0x00,0x06,0x23,0x08
++
++ pushq 128-8(%rsp)
++.cfi_escape 0x0f,0x05,0x77,0x00,0x06,0x23,0x08
++ leaq 8(%rsp),%rsp
++.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08
+ vpalignr $8,%ymm0,%ymm1,%ymm8
+ addq 0+256(%rsp),%r11
+ andq %r8,%r12
+@@ -4513,6 +4527,12 @@ sha512_block_data_order_avx2:
+ movq %r9,%r12
+ vmovdqa %ymm10,96(%rsp)
+ leaq -128(%rsp),%rsp
++.cfi_escape 0x0f,0x06,0x77,0xf8,0x00,0x06,0x23,0x08
++
++ pushq 128-8(%rsp)
++.cfi_escape 0x0f,0x05,0x77,0x00,0x06,0x23,0x08
++ leaq 8(%rsp),%rsp
++.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08
+ vpalignr $8,%ymm4,%ymm5,%ymm8
+ addq 0+256(%rsp),%r11
+ andq %r8,%r12
+@@ -5426,6 +5446,8 @@ sha512_block_data_order_avx2:
+
+ leaq 1152(%rsp),%rsp
+
++.cfi_escape 0x0f,0x06,0x77,0x98,0x01,0x06,0x23,0x08
++
+ addq 0(%rdi),%rax
+ addq 8(%rdi),%rbx
+ addq 16(%rdi),%rcx
+@@ -5451,9 +5473,11 @@ sha512_block_data_order_avx2:
+ jbe .Loop_avx2
+ leaq (%rsp),%rbp
+
++
++.cfi_escape 0x0f,0x06,0x76,0x98,0x01,0x06,0x23,0x08
++
+ .Ldone_avx2:
+- leaq (%rbp),%rsp
+- movq 152(%rsp),%rsi
++ movq 152(%rbp),%rsi
+ .cfi_def_cfa %rsi,8
+ vzeroupper
+ movq -48(%rsi),%r15
+@@ -5474,5 +5498,26 @@ sha512_block_data_order_avx2:
+ .byte 0xf3,0xc3
+ .cfi_endproc
+ .size sha512_block_data_order_avx2,.-sha512_block_data_order_avx2
++ .section ".note.gnu.property", "a"
++ .p2align 3
++ .long 1f - 0f
++ .long 4f - 1f
++ .long 5
++0:
++ # "GNU" encoded with .byte, since .asciz isn't supported
++ # on Solaris.
++ .byte 0x47
++ .byte 0x4e
++ .byte 0x55
++ .byte 0
++1:
++ .p2align 3
++ .long 0xc0000002
++ .long 3f - 2f
++2:
++ .long 3
++3:
++ .p2align 3
++4:
+
+ .section .note.GNU-stack,"",%progbits
+diff --git a/lib/accelerated/x86/macosx/aes-ssse3-x86.s b/lib/accelerated/x86/macosx/aes-ssse3-x86.s
+index 4be899281..6cc2b0390 100644
+--- a/lib/accelerated/x86/macosx/aes-ssse3-x86.s
++++ b/lib/accelerated/x86/macosx/aes-ssse3-x86.s
+@@ -70,12 +70,14 @@ L_vpaes_consts:
+ .align 6,0x90
+ .align 4
+ __vpaes_preheat:
++.byte 243,15,30,251
+ addl (%esp),%ebp
+ movdqa -48(%ebp),%xmm7
+ movdqa -16(%ebp),%xmm6
+ ret
+ .align 4
+ __vpaes_encrypt_core:
++.byte 243,15,30,251
+ movl $16,%ecx
+ movl 240(%edx),%eax
+ movdqa %xmm6,%xmm1
+@@ -151,6 +153,7 @@ L000enc_entry:
+ ret
+ .align 4
+ __vpaes_decrypt_core:
++.byte 243,15,30,251
+ leal 608(%ebp),%ebx
+ movl 240(%edx),%eax
+ movdqa %xmm6,%xmm1
+@@ -237,6 +240,7 @@ L002dec_entry:
+ ret
+ .align 4
+ __vpaes_schedule_core:
++.byte 243,15,30,251
+ addl (%esp),%ebp
+ movdqu (%esi),%xmm0
+ movdqa 320(%ebp),%xmm2
+@@ -329,6 +333,7 @@ L013schedule_mangle_last_dec:
+ ret
+ .align 4
+ __vpaes_schedule_192_smear:
++.byte 243,15,30,251
+ pshufd $128,%xmm6,%xmm1
+ pshufd $254,%xmm7,%xmm0
+ pxor %xmm1,%xmm6
+@@ -339,6 +344,7 @@ __vpaes_schedule_192_smear:
+ ret
+ .align 4
+ __vpaes_schedule_round:
++.byte 243,15,30,251
+ movdqa 8(%esp),%xmm2
+ pxor %xmm1,%xmm1
+ .byte 102,15,58,15,202,15
+@@ -386,6 +392,7 @@ L_vpaes_schedule_low_round:
+ ret
+ .align 4
+ __vpaes_schedule_transform:
++.byte 243,15,30,251
+ movdqa -16(%ebp),%xmm2
+ movdqa %xmm2,%xmm1
+ pandn %xmm0,%xmm1
+@@ -399,6 +406,7 @@ __vpaes_schedule_transform:
+ ret
+ .align 4
+ __vpaes_schedule_mangle:
++.byte 243,15,30,251
+ movdqa %xmm0,%xmm4
+ movdqa 128(%ebp),%xmm5
+ testl %edi,%edi
+@@ -458,6 +466,7 @@ L015schedule_mangle_both:
+ .align 4
+ _vpaes_set_encrypt_key:
+ L_vpaes_set_encrypt_key_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -489,6 +498,7 @@ L016pic_point:
+ .align 4
+ _vpaes_set_decrypt_key:
+ L_vpaes_set_decrypt_key_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -525,6 +535,7 @@ L017pic_point:
+ .align 4
+ _vpaes_encrypt:
+ L_vpaes_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -552,6 +563,7 @@ L018pic_point:
+ .align 4
+ _vpaes_decrypt:
+ L_vpaes_decrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -579,6 +591,7 @@ L019pic_point:
+ .align 4
+ _vpaes_cbc_encrypt:
+ L_vpaes_cbc_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+diff --git a/lib/accelerated/x86/macosx/aes-ssse3-x86_64.s b/lib/accelerated/x86/macosx/aes-ssse3-x86_64.s
+index 3d5c65226..c2e2f2e02 100644
+--- a/lib/accelerated/x86/macosx/aes-ssse3-x86_64.s
++++ b/lib/accelerated/x86/macosx/aes-ssse3-x86_64.s
+@@ -635,6 +635,7 @@ L$schedule_mangle_both:
+ .p2align 4
+ _vpaes_set_encrypt_key:
+
++.byte 243,15,30,250
+ movl %esi,%eax
+ shrl $5,%eax
+ addl $5,%eax
+@@ -653,6 +654,7 @@ _vpaes_set_encrypt_key:
+ .p2align 4
+ _vpaes_set_decrypt_key:
+
++.byte 243,15,30,250
+ movl %esi,%eax
+ shrl $5,%eax
+ addl $5,%eax
+@@ -676,6 +678,7 @@ _vpaes_set_decrypt_key:
+ .p2align 4
+ _vpaes_encrypt:
+
++.byte 243,15,30,250
+ movdqu (%rdi),%xmm0
+ call _vpaes_preheat
+ call _vpaes_encrypt_core
+@@ -689,6 +692,7 @@ _vpaes_encrypt:
+ .p2align 4
+ _vpaes_decrypt:
+
++.byte 243,15,30,250
+ movdqu (%rdi),%xmm0
+ call _vpaes_preheat
+ call _vpaes_decrypt_core
+@@ -701,6 +705,7 @@ _vpaes_decrypt:
+ .p2align 4
+ _vpaes_cbc_encrypt:
+
++.byte 243,15,30,250
+ xchgq %rcx,%rdx
+ subq $16,%rcx
+ jc L$cbc_abort
+diff --git a/lib/accelerated/x86/macosx/aesni-gcm-x86_64.s b/lib/accelerated/x86/macosx/aesni-gcm-x86_64.s
+index d540930b5..be6d885d8 100644
+--- a/lib/accelerated/x86/macosx/aesni-gcm-x86_64.s
++++ b/lib/accelerated/x86/macosx/aesni-gcm-x86_64.s
+@@ -42,6 +42,8 @@
+
+ .p2align 5
+ _aesni_ctr32_ghash_6x:
++
++.byte 243,15,30,250
+ vmovdqu 32(%r11),%xmm2
+ subq $6,%rdx
+ vpxor %xmm4,%xmm4,%xmm4
+@@ -350,11 +352,13 @@ L$6x_done:
+
+ .byte 0xf3,0xc3
+
++
+ .globl _aesni_gcm_decrypt
+
+ .p2align 5
+ _aesni_gcm_decrypt:
+
++.byte 243,15,30,250
+ xorq %r10,%r10
+ cmpq $0x60,%rdx
+ jb L$gcm_dec_abort
+@@ -455,6 +459,8 @@ L$gcm_dec_abort:
+
+ .p2align 5
+ _aesni_ctr32_6x:
++
++.byte 243,15,30,250
+ vmovdqu 0-128(%rcx),%xmm4
+ vmovdqu 32(%r11),%xmm2
+ leaq -1(%rbp),%r13
+@@ -543,11 +549,13 @@ L$handle_ctr32_2:
+ jmp L$oop_ctr32
+
+
++
+ .globl _aesni_gcm_encrypt
+
+ .p2align 5
+ _aesni_gcm_encrypt:
+
++.byte 243,15,30,250
+ xorq %r10,%r10
+ cmpq $288,%rdx
+ jb L$gcm_enc_abort
+diff --git a/lib/accelerated/x86/macosx/aesni-x86.s b/lib/accelerated/x86/macosx/aesni-x86.s
+index ee5008914..64e4e52fc 100644
+--- a/lib/accelerated/x86/macosx/aesni-x86.s
++++ b/lib/accelerated/x86/macosx/aesni-x86.s
+@@ -42,6 +42,7 @@
+ .align 4
+ _aesni_encrypt:
+ L_aesni_encrypt_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%eax
+ movl 12(%esp),%edx
+ movups (%eax),%xmm2
+@@ -67,6 +68,7 @@ L000enc1_loop_1:
+ .align 4
+ _aesni_decrypt:
+ L_aesni_decrypt_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%eax
+ movl 12(%esp),%edx
+ movups (%eax),%xmm2
+@@ -90,6 +92,7 @@ L001dec1_loop_2:
+ ret
+ .align 4
+ __aesni_encrypt2:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -115,6 +118,7 @@ L002enc2_loop:
+ ret
+ .align 4
+ __aesni_decrypt2:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -140,6 +144,7 @@ L003dec2_loop:
+ ret
+ .align 4
+ __aesni_encrypt3:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -170,6 +175,7 @@ L004enc3_loop:
+ ret
+ .align 4
+ __aesni_decrypt3:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -200,6 +206,7 @@ L005dec3_loop:
+ ret
+ .align 4
+ __aesni_encrypt4:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ movups 16(%edx),%xmm1
+ shll $4,%ecx
+@@ -236,6 +243,7 @@ L006enc4_loop:
+ ret
+ .align 4
+ __aesni_decrypt4:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ movups 16(%edx),%xmm1
+ shll $4,%ecx
+@@ -272,6 +280,7 @@ L007dec4_loop:
+ ret
+ .align 4
+ __aesni_encrypt6:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -324,6 +333,7 @@ L_aesni_encrypt6_enter:
+ ret
+ .align 4
+ __aesni_decrypt6:
++.byte 243,15,30,251
+ movups (%edx),%xmm0
+ shll $4,%ecx
+ movups 16(%edx),%xmm1
+@@ -378,6 +388,7 @@ L_aesni_decrypt6_enter:
+ .align 4
+ _aesni_ecb_encrypt:
+ L_aesni_ecb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -611,6 +622,7 @@ L012ecb_ret:
+ .align 4
+ _aesni_ccm64_encrypt_blocks:
+ L_aesni_ccm64_encrypt_blocks_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -697,6 +709,7 @@ L031ccm64_enc2_loop:
+ .align 4
+ _aesni_ccm64_decrypt_blocks:
+ L_aesni_ccm64_decrypt_blocks_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -818,6 +831,7 @@ L036enc1_loop_6:
+ .align 4
+ _aesni_ctr32_encrypt_blocks:
+ L_aesni_ctr32_encrypt_blocks_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -1054,6 +1068,7 @@ L040ctr32_ret:
+ .align 4
+ _aesni_xts_encrypt:
+ L_aesni_xts_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -1412,6 +1427,7 @@ L056xts_enc_ret:
+ .align 4
+ _aesni_xts_decrypt:
+ L_aesni_xts_decrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -1800,6 +1816,7 @@ L069xts_dec_ret:
+ .align 4
+ _aesni_ocb_encrypt:
+ L_aesni_ocb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -2193,6 +2210,7 @@ L078done:
+ .align 4
+ _aesni_ocb_decrypt:
+ L_aesni_ocb_decrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -2586,6 +2604,7 @@ L088done:
+ .align 4
+ _aesni_cbc_encrypt:
+ L_aesni_cbc_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -2843,6 +2862,7 @@ L094cbc_abort:
+ ret
+ .align 4
+ __aesni_set_encrypt_key:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ testl %eax,%eax
+@@ -3176,6 +3196,7 @@ L115bad_keybits:
+ .align 4
+ _aesni_set_encrypt_key:
+ L_aesni_set_encrypt_key_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%eax
+ movl 8(%esp),%ecx
+ movl 12(%esp),%edx
+@@ -3185,6 +3206,7 @@ L_aesni_set_encrypt_key_begin:
+ .align 4
+ _aesni_set_decrypt_key:
+ L_aesni_set_decrypt_key_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%eax
+ movl 8(%esp),%ecx
+ movl 12(%esp),%edx
+diff --git a/lib/accelerated/x86/macosx/aesni-x86_64.s b/lib/accelerated/x86/macosx/aesni-x86_64.s
+index f6145f166..484122c5e 100644
+--- a/lib/accelerated/x86/macosx/aesni-x86_64.s
++++ b/lib/accelerated/x86/macosx/aesni-x86_64.s
+@@ -44,6 +44,7 @@
+ .p2align 4
+ _aesni_encrypt:
+
++.byte 243,15,30,250
+ movups (%rdi),%xmm2
+ movl 240(%rdx),%eax
+ movups (%rdx),%xmm0
+@@ -70,6 +71,7 @@ L$oop_enc1_1:
+ .p2align 4
+ _aesni_decrypt:
+
++.byte 243,15,30,250
+ movups (%rdi),%xmm2
+ movl 240(%rdx),%eax
+ movups (%rdx),%xmm0
+@@ -557,6 +559,7 @@ L$dec_loop8_enter:
+ .p2align 4
+ _aesni_ecb_encrypt:
+
++.byte 243,15,30,250
+ andq $-16,%rdx
+ jz L$ecb_ret
+
+@@ -900,6 +903,8 @@ L$ecb_ret:
+
+ .p2align 4
+ _aesni_ccm64_encrypt_blocks:
++
++.byte 243,15,30,250
+ movl 240(%rcx),%eax
+ movdqu (%r8),%xmm6
+ movdqa L$increment64(%rip),%xmm9
+@@ -959,10 +964,13 @@ L$ccm64_enc2_loop:
+ pxor %xmm6,%xmm6
+ .byte 0xf3,0xc3
+
++
+ .globl _aesni_ccm64_decrypt_blocks
+
+ .p2align 4
+ _aesni_ccm64_decrypt_blocks:
++
++.byte 243,15,30,250
+ movl 240(%rcx),%eax
+ movups (%r8),%xmm6
+ movdqu (%r9),%xmm3
+@@ -1056,11 +1064,13 @@ L$oop_enc1_6:
+ pxor %xmm6,%xmm6
+ .byte 0xf3,0xc3
+
++
+ .globl _aesni_ctr32_encrypt_blocks
+
+ .p2align 4
+ _aesni_ctr32_encrypt_blocks:
+
++.byte 243,15,30,250
+ cmpq $1,%rdx
+ jne L$ctr32_bulk
+
+@@ -1639,6 +1649,7 @@ L$ctr32_epilogue:
+ .p2align 4
+ _aesni_xts_encrypt:
+
++.byte 243,15,30,250
+ leaq (%rsp),%r11
+
+ pushq %rbp
+@@ -2109,6 +2120,7 @@ L$xts_enc_epilogue:
+ .p2align 4
+ _aesni_xts_decrypt:
+
++.byte 243,15,30,250
+ leaq (%rsp),%r11
+
+ pushq %rbp
+@@ -2616,6 +2628,7 @@ L$xts_dec_epilogue:
+ .p2align 5
+ _aesni_ocb_encrypt:
+
++.byte 243,15,30,250
+ leaq (%rsp),%rax
+ pushq %rbx
+
+@@ -2824,6 +2837,7 @@ L$ocb_enc_epilogue:
+
+ .p2align 5
+ __ocb_encrypt6:
++
+ pxor %xmm9,%xmm15
+ movdqu (%rbx,%r12,1),%xmm11
+ movdqa %xmm10,%xmm12
+@@ -2924,8 +2938,10 @@ L$ocb_enc_loop6:
+
+
+
++
+ .p2align 5
+ __ocb_encrypt4:
++
+ pxor %xmm9,%xmm15
+ movdqu (%rbx,%r12,1),%xmm11
+ movdqa %xmm10,%xmm12
+@@ -2993,8 +3009,10 @@ L$ocb_enc_loop4:
+
+
+
++
+ .p2align 5
+ __ocb_encrypt1:
++
+ pxor %xmm15,%xmm7
+ pxor %xmm9,%xmm7
+ pxor %xmm2,%xmm8
+@@ -3027,11 +3045,13 @@ L$ocb_enc_loop1:
+ .byte 0xf3,0xc3
+
+
++
+ .globl _aesni_ocb_decrypt
+
+ .p2align 5
+ _aesni_ocb_decrypt:
+
++.byte 243,15,30,250
+ leaq (%rsp),%rax
+ pushq %rbx
+
+@@ -3262,6 +3282,7 @@ L$ocb_dec_epilogue:
+
+ .p2align 5
+ __ocb_decrypt6:
++
+ pxor %xmm9,%xmm15
+ movdqu (%rbx,%r12,1),%xmm11
+ movdqa %xmm10,%xmm12
+@@ -3356,8 +3377,10 @@ L$ocb_dec_loop6:
+
+
+
++
+ .p2align 5
+ __ocb_decrypt4:
++
+ pxor %xmm9,%xmm15
+ movdqu (%rbx,%r12,1),%xmm11
+ movdqa %xmm10,%xmm12
+@@ -3421,8 +3444,10 @@ L$ocb_dec_loop4:
+
+
+
++
+ .p2align 5
+ __ocb_decrypt1:
++
+ pxor %xmm15,%xmm7
+ pxor %xmm9,%xmm7
+ pxor %xmm7,%xmm2
+@@ -3453,11 +3478,13 @@ L$ocb_dec_loop1:
+ .byte 102,15,56,223,215
+ .byte 0xf3,0xc3
+
++
+ .globl _aesni_cbc_encrypt
+
+ .p2align 4
+ _aesni_cbc_encrypt:
+
++.byte 243,15,30,250
+ testq %rdx,%rdx
+ jz L$cbc_ret
+
+@@ -4390,7 +4417,6 @@ L$enc_key_ret:
+ addq $8,%rsp
+
+ .byte 0xf3,0xc3
+-
+ L$SEH_end_set_encrypt_key:
+
+ .p2align 4
+@@ -4463,6 +4489,7 @@ L$key_expansion_256b:
+ .byte 0xf3,0xc3
+
+
++
+ .p2align 6
+ L$bswap_mask:
+ .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
+diff --git a/lib/accelerated/x86/macosx/e_padlock-x86.s b/lib/accelerated/x86/macosx/e_padlock-x86.s
+index 367962c7c..9a72938fe 100644
+--- a/lib/accelerated/x86/macosx/e_padlock-x86.s
++++ b/lib/accelerated/x86/macosx/e_padlock-x86.s
+@@ -1,4 +1,4 @@
+-# Copyright (c) 2011-2013, Andy Polyakov <appro@openssl.org>
++# Copyright (c) 2011-2016, Andy Polyakov <appro@openssl.org>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without
+@@ -37,12 +37,12 @@
+ #
+ # *** This file is auto-generated ***
+ #
+-.file "devel/perlasm/e_padlock-x86.s"
+ .text
+ .globl _padlock_capability
+ .align 4
+ _padlock_capability:
+ L_padlock_capability_begin:
++.byte 243,15,30,251
+ pushl %ebx
+ pushfl
+ popl %eax
+@@ -59,11 +59,20 @@ L_padlock_capability_begin:
+ .byte 0x0f,0xa2
+ xorl %eax,%eax
+ cmpl $0x746e6543,%ebx
+- jne L000noluck
++ jne L001zhaoxin
+ cmpl $0x48727561,%edx
+ jne L000noluck
+ cmpl $0x736c7561,%ecx
+ jne L000noluck
++ jmp L002zhaoxinEnd
++L001zhaoxin:
++ cmpl $0x68532020,%ebx
++ jne L000noluck
++ cmpl $0x68676e61,%edx
++ jne L000noluck
++ cmpl $0x20206961,%ecx
++ jne L000noluck
++L002zhaoxinEnd:
+ movl $3221225472,%eax
+ .byte 0x0f,0xa2
+ movl %eax,%edx
+@@ -92,43 +101,47 @@ L000noluck:
+ .align 4
+ _padlock_key_bswap:
+ L_padlock_key_bswap_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%edx
+ movl 240(%edx),%ecx
+-L001bswap_loop:
++L003bswap_loop:
+ movl (%edx),%eax
+ bswap %eax
+ movl %eax,(%edx)
+ leal 4(%edx),%edx
+ subl $1,%ecx
+- jnz L001bswap_loop
++ jnz L003bswap_loop
+ ret
+ .globl _padlock_verify_context
+ .align 4
+ _padlock_verify_context:
+ L_padlock_verify_context_begin:
++.byte 243,15,30,251
+ movl 4(%esp),%edx
+- leal Lpadlock_saved_context-L002verify_pic_point,%eax
++ leal Lpadlock_saved_context-L004verify_pic_point,%eax
+ pushfl
+ call __padlock_verify_ctx
+-L002verify_pic_point:
++L004verify_pic_point:
+ leal 4(%esp),%esp
+ ret
+ .align 4
+ __padlock_verify_ctx:
++.byte 243,15,30,251
+ addl (%esp),%eax
+ btl $30,4(%esp)
+- jnc L003verified
++ jnc L005verified
+ cmpl (%eax),%edx
+- je L003verified
++ je L005verified
+ pushfl
+ popfl
+-L003verified:
++L005verified:
+ movl %edx,(%eax)
+ ret
+ .globl _padlock_reload_key
+ .align 4
+ _padlock_reload_key:
+ L_padlock_reload_key_begin:
++.byte 243,15,30,251
+ pushfl
+ popfl
+ ret
+@@ -136,6 +149,7 @@ L_padlock_reload_key_begin:
+ .align 4
+ _padlock_aes_block:
+ L_padlock_aes_block_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ pushl %ebx
+@@ -154,6 +168,7 @@ L_padlock_aes_block_begin:
+ .align 4
+ _padlock_ecb_encrypt:
+ L_padlock_ecb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -163,25 +178,25 @@ L_padlock_ecb_encrypt_begin:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz L004ecb_abort
++ jnz L006ecb_abort
+ testl $15,%ecx
+- jnz L004ecb_abort
+- leal Lpadlock_saved_context-L005ecb_pic_point,%eax
++ jnz L006ecb_abort
++ leal Lpadlock_saved_context-L007ecb_pic_point,%eax
+ pushfl
+ cld
+ call __padlock_verify_ctx
+-L005ecb_pic_point:
++L007ecb_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ xorl %ebx,%ebx
+ testl $32,(%edx)
+- jnz L006ecb_aligned
++ jnz L008ecb_aligned
+ testl $15,%edi
+ setz %al
+ testl $15,%esi
+ setz %bl
+ testl %ebx,%eax
+- jnz L006ecb_aligned
++ jnz L008ecb_aligned
+ negl %eax
+ movl $512,%ebx
+ notl %eax
+@@ -200,7 +215,7 @@ L005ecb_pic_point:
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+ cmpl %ebx,%ecx
+- ja L007ecb_loop
++ ja L009ecb_loop
+ movl %esi,%eax
+ cmpl %esp,%ebp
+ cmovel %edi,%eax
+@@ -211,10 +226,10 @@ L005ecb_pic_point:
+ movl $-128,%eax
+ cmovael %ebx,%eax
+ andl %eax,%ebx
+- jz L008ecb_unaligned_tail
+- jmp L007ecb_loop
++ jz L010ecb_unaligned_tail
++ jmp L009ecb_loop
+ .align 4,0x90
+-L007ecb_loop:
++L009ecb_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -223,13 +238,13 @@ L007ecb_loop:
+ testl $15,%edi
+ cmovnzl %esp,%edi
+ testl $15,%esi
+- jz L009ecb_inp_aligned
++ jz L011ecb_inp_aligned
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+ movl %ebx,%ecx
+ movl %edi,%esi
+-L009ecb_inp_aligned:
++L011ecb_inp_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -237,23 +252,23 @@ L009ecb_inp_aligned:
+ movl (%ebp),%edi
+ movl 12(%ebp),%ebx
+ testl $15,%edi
+- jz L010ecb_out_aligned
++ jz L012ecb_out_aligned
+ movl %ebx,%ecx
+ leal (%esp),%esi
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+-L010ecb_out_aligned:
++L012ecb_out_aligned:
+ movl 4(%ebp),%esi
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jz L011ecb_break
++ jz L013ecb_break
+ cmpl %ebx,%ecx
+- jae L007ecb_loop
+-L008ecb_unaligned_tail:
++ jae L009ecb_loop
++L010ecb_unaligned_tail:
+ xorl %eax,%eax
+ cmpl %ebp,%esp
+ cmovel %ecx,%eax
+@@ -266,24 +281,24 @@ L008ecb_unaligned_tail:
+ movl %esp,%esi
+ movl %eax,%edi
+ movl %ebx,%ecx
+- jmp L007ecb_loop
++ jmp L009ecb_loop
+ .align 4,0x90
+-L011ecb_break:
++L013ecb_break:
+ cmpl %ebp,%esp
+- je L012ecb_done
++ je L014ecb_done
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-L013ecb_bzero:
++L015ecb_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja L013ecb_bzero
+-L012ecb_done:
++ ja L015ecb_bzero
++L014ecb_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+- jmp L014ecb_exit
++ jmp L016ecb_exit
+ .align 4,0x90
+-L006ecb_aligned:
++L008ecb_aligned:
+ leal (%esi,%ecx,1),%ebp
+ negl %ebp
+ andl $4095,%ebp
+@@ -293,14 +308,14 @@ L006ecb_aligned:
+ cmovael %eax,%ebp
+ andl %ecx,%ebp
+ subl %ebp,%ecx
+- jz L015ecb_aligned_tail
++ jz L017ecb_aligned_tail
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+ .byte 243,15,167,200
+ testl %ebp,%ebp
+- jz L014ecb_exit
+-L015ecb_aligned_tail:
++ jz L016ecb_exit
++L017ecb_aligned_tail:
+ movl %ebp,%ecx
+ leal -24(%esp),%ebp
+ movl %ebp,%esp
+@@ -317,11 +332,11 @@ L015ecb_aligned_tail:
+ movl %esp,%esi
+ movl %eax,%edi
+ movl %ebx,%ecx
+- jmp L007ecb_loop
+-L014ecb_exit:
++ jmp L009ecb_loop
++L016ecb_exit:
+ movl $1,%eax
+ leal 4(%esp),%esp
+-L004ecb_abort:
++L006ecb_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -331,6 +346,7 @@ L004ecb_abort:
+ .align 4
+ _padlock_cbc_encrypt:
+ L_padlock_cbc_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -340,25 +356,25 @@ L_padlock_cbc_encrypt_begin:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz L016cbc_abort
++ jnz L018cbc_abort
+ testl $15,%ecx
+- jnz L016cbc_abort
+- leal Lpadlock_saved_context-L017cbc_pic_point,%eax
++ jnz L018cbc_abort
++ leal Lpadlock_saved_context-L019cbc_pic_point,%eax
+ pushfl
+ cld
+ call __padlock_verify_ctx
+-L017cbc_pic_point:
++L019cbc_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ xorl %ebx,%ebx
+ testl $32,(%edx)
+- jnz L018cbc_aligned
++ jnz L020cbc_aligned
+ testl $15,%edi
+ setz %al
+ testl $15,%esi
+ setz %bl
+ testl %ebx,%eax
+- jnz L018cbc_aligned
++ jnz L020cbc_aligned
+ negl %eax
+ movl $512,%ebx
+ notl %eax
+@@ -377,7 +393,7 @@ L017cbc_pic_point:
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+ cmpl %ebx,%ecx
+- ja L019cbc_loop
++ ja L021cbc_loop
+ movl %esi,%eax
+ cmpl %esp,%ebp
+ cmovel %edi,%eax
+@@ -388,10 +404,10 @@ L017cbc_pic_point:
+ movl $-64,%eax
+ cmovael %ebx,%eax
+ andl %eax,%ebx
+- jz L020cbc_unaligned_tail
+- jmp L019cbc_loop
++ jz L022cbc_unaligned_tail
++ jmp L021cbc_loop
+ .align 4,0x90
+-L019cbc_loop:
++L021cbc_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -400,13 +416,13 @@ L019cbc_loop:
+ testl $15,%edi
+ cmovnzl %esp,%edi
+ testl $15,%esi
+- jz L021cbc_inp_aligned
++ jz L023cbc_inp_aligned
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+ movl %ebx,%ecx
+ movl %edi,%esi
+-L021cbc_inp_aligned:
++L023cbc_inp_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -416,23 +432,23 @@ L021cbc_inp_aligned:
+ movl (%ebp),%edi
+ movl 12(%ebp),%ebx
+ testl $15,%edi
+- jz L022cbc_out_aligned
++ jz L024cbc_out_aligned
+ movl %ebx,%ecx
+ leal (%esp),%esi
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+-L022cbc_out_aligned:
++L024cbc_out_aligned:
+ movl 4(%ebp),%esi
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jz L023cbc_break
++ jz L025cbc_break
+ cmpl %ebx,%ecx
+- jae L019cbc_loop
+-L020cbc_unaligned_tail:
++ jae L021cbc_loop
++L022cbc_unaligned_tail:
+ xorl %eax,%eax
+ cmpl %ebp,%esp
+ cmovel %ecx,%eax
+@@ -445,24 +461,24 @@ L020cbc_unaligned_tail:
+ movl %esp,%esi
+ movl %eax,%edi
+ movl %ebx,%ecx
+- jmp L019cbc_loop
++ jmp L021cbc_loop
+ .align 4,0x90
+-L023cbc_break:
++L025cbc_break:
+ cmpl %ebp,%esp
+- je L024cbc_done
++ je L026cbc_done
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-L025cbc_bzero:
++L027cbc_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja L025cbc_bzero
+-L024cbc_done:
++ ja L027cbc_bzero
++L026cbc_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+- jmp L026cbc_exit
++ jmp L028cbc_exit
+ .align 4,0x90
+-L018cbc_aligned:
++L020cbc_aligned:
+ leal (%esi,%ecx,1),%ebp
+ negl %ebp
+ andl $4095,%ebp
+@@ -472,7 +488,7 @@ L018cbc_aligned:
+ cmovael %eax,%ebp
+ andl %ecx,%ebp
+ subl %ebp,%ecx
+- jz L027cbc_aligned_tail
++ jz L029cbc_aligned_tail
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -480,8 +496,8 @@ L018cbc_aligned:
+ movaps (%eax),%xmm0
+ movaps %xmm0,-16(%edx)
+ testl %ebp,%ebp
+- jz L026cbc_exit
+-L027cbc_aligned_tail:
++ jz L028cbc_exit
++L029cbc_aligned_tail:
+ movl %ebp,%ecx
+ leal -24(%esp),%ebp
+ movl %ebp,%esp
+@@ -498,11 +514,11 @@ L027cbc_aligned_tail:
+ movl %esp,%esi
+ movl %eax,%edi
+ movl %ebx,%ecx
+- jmp L019cbc_loop
+-L026cbc_exit:
++ jmp L021cbc_loop
++L028cbc_exit:
+ movl $1,%eax
+ leal 4(%esp),%esp
+-L016cbc_abort:
++L018cbc_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -512,6 +528,7 @@ L016cbc_abort:
+ .align 4
+ _padlock_cfb_encrypt:
+ L_padlock_cfb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -521,25 +538,25 @@ L_padlock_cfb_encrypt_begin:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz L028cfb_abort
++ jnz L030cfb_abort
+ testl $15,%ecx
+- jnz L028cfb_abort
+- leal Lpadlock_saved_context-L029cfb_pic_point,%eax
++ jnz L030cfb_abort
++ leal Lpadlock_saved_context-L031cfb_pic_point,%eax
+ pushfl
+ cld
+ call __padlock_verify_ctx
+-L029cfb_pic_point:
++L031cfb_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ xorl %ebx,%ebx
+ testl $32,(%edx)
+- jnz L030cfb_aligned
++ jnz L032cfb_aligned
+ testl $15,%edi
+ setz %al
+ testl $15,%esi
+ setz %bl
+ testl %ebx,%eax
+- jnz L030cfb_aligned
++ jnz L032cfb_aligned
+ negl %eax
+ movl $512,%ebx
+ notl %eax
+@@ -557,9 +574,9 @@ L029cfb_pic_point:
+ andl $-16,%ebp
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+- jmp L031cfb_loop
++ jmp L033cfb_loop
+ .align 4,0x90
+-L031cfb_loop:
++L033cfb_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -568,13 +585,13 @@ L031cfb_loop:
+ testl $15,%edi
+ cmovnzl %esp,%edi
+ testl $15,%esi
+- jz L032cfb_inp_aligned
++ jz L034cfb_inp_aligned
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+ movl %ebx,%ecx
+ movl %edi,%esi
+-L032cfb_inp_aligned:
++L034cfb_inp_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -584,45 +601,45 @@ L032cfb_inp_aligned:
+ movl (%ebp),%edi
+ movl 12(%ebp),%ebx
+ testl $15,%edi
+- jz L033cfb_out_aligned
++ jz L035cfb_out_aligned
+ movl %ebx,%ecx
+ leal (%esp),%esi
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+-L033cfb_out_aligned:
++L035cfb_out_aligned:
+ movl 4(%ebp),%esi
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jnz L031cfb_loop
++ jnz L033cfb_loop
+ cmpl %ebp,%esp
+- je L034cfb_done
++ je L036cfb_done
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-L035cfb_bzero:
++L037cfb_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja L035cfb_bzero
+-L034cfb_done:
++ ja L037cfb_bzero
++L036cfb_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+- jmp L036cfb_exit
++ jmp L038cfb_exit
+ .align 4,0x90
+-L030cfb_aligned:
++L032cfb_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+ .byte 243,15,167,224
+ movaps (%eax),%xmm0
+ movaps %xmm0,-16(%edx)
+-L036cfb_exit:
++L038cfb_exit:
+ movl $1,%eax
+ leal 4(%esp),%esp
+-L028cfb_abort:
++L030cfb_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -632,6 +649,7 @@ L028cfb_abort:
+ .align 4
+ _padlock_ofb_encrypt:
+ L_padlock_ofb_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -641,25 +659,25 @@ L_padlock_ofb_encrypt_begin:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz L037ofb_abort
++ jnz L039ofb_abort
+ testl $15,%ecx
+- jnz L037ofb_abort
+- leal Lpadlock_saved_context-L038ofb_pic_point,%eax
++ jnz L039ofb_abort
++ leal Lpadlock_saved_context-L040ofb_pic_point,%eax
+ pushfl
+ cld
+ call __padlock_verify_ctx
+-L038ofb_pic_point:
++L040ofb_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ xorl %ebx,%ebx
+ testl $32,(%edx)
+- jnz L039ofb_aligned
++ jnz L041ofb_aligned
+ testl $15,%edi
+ setz %al
+ testl $15,%esi
+ setz %bl
+ testl %ebx,%eax
+- jnz L039ofb_aligned
++ jnz L041ofb_aligned
+ negl %eax
+ movl $512,%ebx
+ notl %eax
+@@ -677,9 +695,9 @@ L038ofb_pic_point:
+ andl $-16,%ebp
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+- jmp L040ofb_loop
++ jmp L042ofb_loop
+ .align 4,0x90
+-L040ofb_loop:
++L042ofb_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -688,13 +706,13 @@ L040ofb_loop:
+ testl $15,%edi
+ cmovnzl %esp,%edi
+ testl $15,%esi
+- jz L041ofb_inp_aligned
++ jz L043ofb_inp_aligned
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+ movl %ebx,%ecx
+ movl %edi,%esi
+-L041ofb_inp_aligned:
++L043ofb_inp_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+@@ -704,45 +722,45 @@ L041ofb_inp_aligned:
+ movl (%ebp),%edi
+ movl 12(%ebp),%ebx
+ testl $15,%edi
+- jz L042ofb_out_aligned
++ jz L044ofb_out_aligned
+ movl %ebx,%ecx
+ leal (%esp),%esi
+ shrl $2,%ecx
+ .byte 243,165
+ subl %ebx,%edi
+-L042ofb_out_aligned:
++L044ofb_out_aligned:
+ movl 4(%ebp),%esi
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jnz L040ofb_loop
++ jnz L042ofb_loop
+ cmpl %ebp,%esp
+- je L043ofb_done
++ je L045ofb_done
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-L044ofb_bzero:
++L046ofb_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja L044ofb_bzero
+-L043ofb_done:
++ ja L046ofb_bzero
++L045ofb_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+- jmp L045ofb_exit
++ jmp L047ofb_exit
+ .align 4,0x90
+-L039ofb_aligned:
++L041ofb_aligned:
+ leal -16(%edx),%eax
+ leal 16(%edx),%ebx
+ shrl $4,%ecx
+ .byte 243,15,167,232
+ movaps (%eax),%xmm0
+ movaps %xmm0,-16(%edx)
+-L045ofb_exit:
++L047ofb_exit:
+ movl $1,%eax
+ leal 4(%esp),%esp
+-L037ofb_abort:
++L039ofb_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -752,6 +770,7 @@ L037ofb_abort:
+ .align 4
+ _padlock_ctr32_encrypt:
+ L_padlock_ctr32_encrypt_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+@@ -761,14 +780,14 @@ L_padlock_ctr32_encrypt_begin:
+ movl 28(%esp),%edx
+ movl 32(%esp),%ecx
+ testl $15,%edx
+- jnz L046ctr32_abort
++ jnz L048ctr32_abort
+ testl $15,%ecx
+- jnz L046ctr32_abort
+- leal Lpadlock_saved_context-L047ctr32_pic_point,%eax
++ jnz L048ctr32_abort
++ leal Lpadlock_saved_context-L049ctr32_pic_point,%eax
+ pushfl
+ cld
+ call __padlock_verify_ctx
+-L047ctr32_pic_point:
++L049ctr32_pic_point:
+ leal 16(%edx),%edx
+ xorl %eax,%eax
+ movq -16(%edx),%mm0
+@@ -788,9 +807,9 @@ L047ctr32_pic_point:
+ andl $-16,%ebp
+ andl $-16,%esp
+ movl %eax,16(%ebp)
+- jmp L048ctr32_loop
++ jmp L050ctr32_loop
+ .align 4,0x90
+-L048ctr32_loop:
++L050ctr32_loop:
+ movl %edi,(%ebp)
+ movl %esi,4(%ebp)
+ movl %ecx,8(%ebp)
+@@ -799,7 +818,7 @@ L048ctr32_loop:
+ movl -4(%edx),%ecx
+ xorl %edi,%edi
+ movl -8(%edx),%eax
+-L049ctr32_prepare:
++L051ctr32_prepare:
+ movl %ecx,12(%esp,%edi,1)
+ bswap %ecx
+ movq %mm0,(%esp,%edi,1)
+@@ -808,7 +827,7 @@ L049ctr32_prepare:
+ bswap %ecx
+ leal 16(%edi),%edi
+ cmpl %ebx,%edi
+- jb L049ctr32_prepare
++ jb L051ctr32_prepare
+ movl %ecx,-4(%edx)
+ leal (%esp),%esi
+ leal (%esp),%edi
+@@ -821,33 +840,33 @@ L049ctr32_prepare:
+ movl 12(%ebp),%ebx
+ movl 4(%ebp),%esi
+ xorl %ecx,%ecx
+-L050ctr32_xor:
++L052ctr32_xor:
+ movups (%esi,%ecx,1),%xmm1
+ leal 16(%ecx),%ecx
+ pxor -16(%esp,%ecx,1),%xmm1
+ movups %xmm1,-16(%edi,%ecx,1)
+ cmpl %ebx,%ecx
+- jb L050ctr32_xor
++ jb L052ctr32_xor
+ movl 8(%ebp),%ecx
+ addl %ebx,%edi
+ addl %ebx,%esi
+ subl %ebx,%ecx
+ movl $512,%ebx
+- jnz L048ctr32_loop
++ jnz L050ctr32_loop
+ pxor %xmm0,%xmm0
+ leal (%esp),%eax
+-L051ctr32_bzero:
++L053ctr32_bzero:
+ movaps %xmm0,(%eax)
+ leal 16(%eax),%eax
+ cmpl %eax,%ebp
+- ja L051ctr32_bzero
+-L052ctr32_done:
++ ja L053ctr32_bzero
++L054ctr32_done:
+ movl 16(%ebp),%ebp
+ leal 24(%ebp),%esp
+ movl $1,%eax
+ leal 4(%esp),%esp
+ emms
+-L046ctr32_abort:
++L048ctr32_abort:
+ popl %edi
+ popl %esi
+ popl %ebx
+@@ -857,6 +876,7 @@ L046ctr32_abort:
+ .align 4
+ _padlock_xstore:
+ L_padlock_xstore_begin:
++.byte 243,15,30,251
+ pushl %edi
+ movl 8(%esp),%edi
+ movl 12(%esp),%edx
+@@ -865,19 +885,21 @@ L_padlock_xstore_begin:
+ ret
+ .align 4
+ __win32_segv_handler:
++.byte 243,15,30,251
+ movl $1,%eax
+ movl 4(%esp),%edx
+ movl 12(%esp),%ecx
+ cmpl $3221225477,(%edx)
+- jne L053ret
++ jne L055ret
+ addl $4,184(%ecx)
+ movl $0,%eax
+-L053ret:
++L055ret:
+ ret
+ .globl _padlock_sha1_oneshot
+ .align 4
+ _padlock_sha1_oneshot:
+ L_padlock_sha1_oneshot_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ xorl %eax,%eax
+@@ -907,6 +929,7 @@ L_padlock_sha1_oneshot_begin:
+ .align 4
+ _padlock_sha1_blocks:
+ L_padlock_sha1_blocks_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ movl 12(%esp),%edi
+@@ -935,6 +958,7 @@ L_padlock_sha1_blocks_begin:
+ .align 4
+ _padlock_sha256_oneshot:
+ L_padlock_sha256_oneshot_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ xorl %eax,%eax
+@@ -964,6 +988,7 @@ L_padlock_sha256_oneshot_begin:
+ .align 4
+ _padlock_sha256_blocks:
+ L_padlock_sha256_blocks_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ movl 12(%esp),%edi
+@@ -992,6 +1017,7 @@ L_padlock_sha256_blocks_begin:
+ .align 4
+ _padlock_sha512_blocks:
+ L_padlock_sha512_blocks_begin:
++.byte 243,15,30,251
+ pushl %edi
+ pushl %esi
+ movl 12(%esp),%edi
+diff --git a/lib/accelerated/x86/macosx/e_padlock-x86_64.s b/lib/accelerated/x86/macosx/e_padlock-x86_64.s
+index a73d7a6c1..64aff29fe 100644
+--- a/lib/accelerated/x86/macosx/e_padlock-x86_64.s
++++ b/lib/accelerated/x86/macosx/e_padlock-x86_64.s
+@@ -1,4 +1,4 @@
+-# Copyright (c) 2011-2013, Andy Polyakov <appro@openssl.org>
++# Copyright (c) 2011-2016, Andy Polyakov <appro@openssl.org>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without
+@@ -42,36 +42,50 @@
+
+ .p2align 4
+ _padlock_capability:
++
++.byte 243,15,30,250
+ movq %rbx,%r8
+ xorl %eax,%eax
+ cpuid
+ xorl %eax,%eax
+- cmpl $1953391939,%ebx
++ cmpl $0x746e6543,%ebx
++ jne L$zhaoxin
++ cmpl $0x48727561,%edx
++ jne L$noluck
++ cmpl $0x736c7561,%ecx
++ jne L$noluck
++ jmp L$zhaoxinEnd
++L$zhaoxin:
++ cmpl $0x68532020,%ebx
+ jne L$noluck
+- cmpl $1215460705,%edx
++ cmpl $0x68676e61,%edx
+ jne L$noluck
+- cmpl $1936487777,%ecx
++ cmpl $0x20206961,%ecx
+ jne L$noluck
+- movl $3221225472,%eax
++L$zhaoxinEnd:
++ movl $0xC0000000,%eax
+ cpuid
+ movl %eax,%edx
+ xorl %eax,%eax
+- cmpl $3221225473,%edx
++ cmpl $0xC0000001,%edx
+ jb L$noluck
+- movl $3221225473,%eax
++ movl $0xC0000001,%eax
+ cpuid
+ movl %edx,%eax
+- andl $4294967279,%eax
+- orl $16,%eax
++ andl $0xffffffef,%eax
++ orl $0x10,%eax
+ L$noluck:
+ movq %r8,%rbx
+ .byte 0xf3,0xc3
+
+
++
+ .globl _padlock_key_bswap
+
+ .p2align 4
+ _padlock_key_bswap:
++
++.byte 243,15,30,250
+ movl 240(%rdi),%edx
+ L$bswap_loop:
+ movl (%rdi),%eax
+@@ -83,10 +97,13 @@ L$bswap_loop:
+ .byte 0xf3,0xc3
+
+
++
+ .globl _padlock_verify_context
+
+ .p2align 4
+ _padlock_verify_context:
++
++.byte 243,15,30,250
+ movq %rdi,%rdx
+ pushf
+ leaq L$padlock_saved_context(%rip),%rax
+@@ -96,8 +113,11 @@ _padlock_verify_context:
+
+
+
++
+ .p2align 4
+ _padlock_verify_ctx:
++
++.byte 243,15,30,250
+ movq 8(%rsp),%r8
+ btq $30,%r8
+ jnc L$verified
+@@ -110,41 +130,53 @@ L$verified:
+ .byte 0xf3,0xc3
+
+
++
+ .globl _padlock_reload_key
+
+ .p2align 4
+ _padlock_reload_key:
++
++.byte 243,15,30,250
+ pushf
+ popf
+ .byte 0xf3,0xc3
+
+
++
+ .globl _padlock_aes_block
+
+ .p2align 4
+ _padlock_aes_block:
++
++.byte 243,15,30,250
+ movq %rbx,%r8
+ movq $1,%rcx
+ leaq 32(%rdx),%rbx
+ leaq 16(%rdx),%rdx
+-.byte 0xf3,0x0f,0xa7,0xc8
++.byte 0xf3,0x0f,0xa7,0xc8
+ movq %r8,%rbx
+ .byte 0xf3,0xc3
+
+
++
+ .globl _padlock_xstore
+
+ .p2align 4
+ _padlock_xstore:
++
++.byte 243,15,30,250
+ movl %esi,%edx
+-.byte 0x0f,0xa7,0xc0
++.byte 0x0f,0xa7,0xc0
+ .byte 0xf3,0xc3
+
+
++
+ .globl _padlock_sha1_oneshot
+
+ .p2align 4
+ _padlock_sha1_oneshot:
++
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -154,7 +186,7 @@ _padlock_sha1_oneshot:
+ movq %rsp,%rdi
+ movl %eax,16(%rsp)
+ xorq %rax,%rax
+-.byte 0xf3,0x0f,0xa6,0xc8
++.byte 0xf3,0x0f,0xa6,0xc8
+ movaps (%rsp),%xmm0
+ movl 16(%rsp),%eax
+ addq $128+8,%rsp
+@@ -163,10 +195,13 @@ _padlock_sha1_oneshot:
+ .byte 0xf3,0xc3
+
+
++
+ .globl _padlock_sha1_blocks
+
+ .p2align 4
+ _padlock_sha1_blocks:
++
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -176,7 +211,7 @@ _padlock_sha1_blocks:
+ movq %rsp,%rdi
+ movl %eax,16(%rsp)
+ movq $-1,%rax
+-.byte 0xf3,0x0f,0xa6,0xc8
++.byte 0xf3,0x0f,0xa6,0xc8
+ movaps (%rsp),%xmm0
+ movl 16(%rsp),%eax
+ addq $128+8,%rsp
+@@ -185,10 +220,13 @@ _padlock_sha1_blocks:
+ .byte 0xf3,0xc3
+
+
++
+ .globl _padlock_sha256_oneshot
+
+ .p2align 4
+ _padlock_sha256_oneshot:
++
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -198,7 +236,7 @@ _padlock_sha256_oneshot:
+ movq %rsp,%rdi
+ movaps %xmm1,16(%rsp)
+ xorq %rax,%rax
+-.byte 0xf3,0x0f,0xa6,0xd0
++.byte 0xf3,0x0f,0xa6,0xd0
+ movaps (%rsp),%xmm0
+ movaps 16(%rsp),%xmm1
+ addq $128+8,%rsp
+@@ -207,10 +245,13 @@ _padlock_sha256_oneshot:
+ .byte 0xf3,0xc3
+
+
++
+ .globl _padlock_sha256_blocks
+
+ .p2align 4
+ _padlock_sha256_blocks:
++
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -220,7 +261,7 @@ _padlock_sha256_blocks:
+ movq %rsp,%rdi
+ movaps %xmm1,16(%rsp)
+ movq $-1,%rax
+-.byte 0xf3,0x0f,0xa6,0xd0
++.byte 0xf3,0x0f,0xa6,0xd0
+ movaps (%rsp),%xmm0
+ movaps 16(%rsp),%xmm1
+ addq $128+8,%rsp
+@@ -229,10 +270,13 @@ _padlock_sha256_blocks:
+ .byte 0xf3,0xc3
+
+
++
+ .globl _padlock_sha512_blocks
+
+ .p2align 4
+ _padlock_sha512_blocks:
++
++.byte 243,15,30,250
+ movq %rdx,%rcx
+ movq %rdi,%rdx
+ movups (%rdi),%xmm0
+@@ -245,7 +289,7 @@ _padlock_sha512_blocks:
+ movaps %xmm1,16(%rsp)
+ movaps %xmm2,32(%rsp)
+ movaps %xmm3,48(%rsp)
+-.byte 0xf3,0x0f,0xa6,0xe0
++.byte 0xf3,0x0f,0xa6,0xe0
+ movaps (%rsp),%xmm0
+ movaps 16(%rsp),%xmm1
+ movaps 32(%rsp),%xmm2
+@@ -257,10 +301,13 @@ _padlock_sha512_blocks:
+ movups %xmm3,48(%rdx)
+ .byte 0xf3,0xc3
+
++
+ .globl _padlock_ecb_encrypt
+
+ .p2align 4
+ _padlock_ecb_encrypt:
++
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -278,9 +325,9 @@ _padlock_ecb_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz L$ecb_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz L$ecb_aligned
+@@ -304,7 +351,7 @@ _padlock_ecb_encrypt:
+ cmoveq %rdi,%rax
+ addq %rcx,%rax
+ negq %rax
+- andq $4095,%rax
++ andq $0xfff,%rax
+ cmpq $128,%rax
+ movq $-128,%rax
+ cmovaeq %rbx,%rax
+@@ -320,12 +367,12 @@ L$ecb_loop:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz L$ecb_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -333,15 +380,15 @@ L$ecb_inp_aligned:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,200
++.byte 0xf3,0x0f,0xa7,200
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz L$ecb_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ L$ecb_out_aligned:
+ movq %r9,%rsi
+@@ -362,7 +409,7 @@ L$ecb_unaligned_tail:
+ subq %rax,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ movq %rsp,%rsi
+ movq %r8,%rdi
+ movq %rbx,%rcx
+@@ -388,7 +435,7 @@ L$ecb_done:
+ L$ecb_aligned:
+ leaq (%rsi,%rcx,1),%rbp
+ negq %rbp
+- andq $4095,%rbp
++ andq $0xfff,%rbp
+ xorl %eax,%eax
+ cmpq $128,%rbp
+ movq $128-1,%rbp
+@@ -399,7 +446,7 @@ L$ecb_aligned:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,200
++.byte 0xf3,0x0f,0xa7,200
+ testq %rbp,%rbp
+ jz L$ecb_exit
+
+@@ -411,7 +458,7 @@ L$ecb_aligned_tail:
+ subq %rcx,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ leaq (%r8),%rdi
+ leaq (%rsp),%rsi
+ movq %rbx,%rcx
+@@ -424,10 +471,13 @@ L$ecb_abort:
+ popq %rbp
+ .byte 0xf3,0xc3
+
++
+ .globl _padlock_cbc_encrypt
+
+ .p2align 4
+ _padlock_cbc_encrypt:
++
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -445,9 +495,9 @@ _padlock_cbc_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz L$cbc_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz L$cbc_aligned
+@@ -471,7 +521,7 @@ _padlock_cbc_encrypt:
+ cmoveq %rdi,%rax
+ addq %rcx,%rax
+ negq %rax
+- andq $4095,%rax
++ andq $0xfff,%rax
+ cmpq $64,%rax
+ movq $-64,%rax
+ cmovaeq %rbx,%rax
+@@ -487,12 +537,12 @@ L$cbc_loop:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz L$cbc_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -500,17 +550,17 @@ L$cbc_inp_aligned:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,208
++.byte 0xf3,0x0f,0xa7,208
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz L$cbc_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ L$cbc_out_aligned:
+ movq %r9,%rsi
+@@ -531,7 +581,7 @@ L$cbc_unaligned_tail:
+ subq %rax,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ movq %rsp,%rsi
+ movq %r8,%rdi
+ movq %rbx,%rcx
+@@ -557,7 +607,7 @@ L$cbc_done:
+ L$cbc_aligned:
+ leaq (%rsi,%rcx,1),%rbp
+ negq %rbp
+- andq $4095,%rbp
++ andq $0xfff,%rbp
+ xorl %eax,%eax
+ cmpq $64,%rbp
+ movq $64-1,%rbp
+@@ -568,7 +618,7 @@ L$cbc_aligned:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,208
++.byte 0xf3,0x0f,0xa7,208
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ testq %rbp,%rbp
+@@ -582,7 +632,7 @@ L$cbc_aligned_tail:
+ subq %rcx,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ leaq (%r8),%rdi
+ leaq (%rsp),%rsi
+ movq %rbx,%rcx
+@@ -595,10 +645,13 @@ L$cbc_abort:
+ popq %rbp
+ .byte 0xf3,0xc3
+
++
+ .globl _padlock_cfb_encrypt
+
+ .p2align 4
+ _padlock_cfb_encrypt:
++
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -616,9 +669,9 @@ _padlock_cfb_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz L$cfb_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz L$cfb_aligned
+@@ -645,12 +698,12 @@ L$cfb_loop:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz L$cfb_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -658,17 +711,17 @@ L$cfb_inp_aligned:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,224
++.byte 0xf3,0x0f,0xa7,224
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz L$cfb_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ L$cfb_out_aligned:
+ movq %r9,%rsi
+@@ -698,7 +751,7 @@ L$cfb_aligned:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,224
++.byte 0xf3,0x0f,0xa7,224
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ L$cfb_exit:
+@@ -709,10 +762,13 @@ L$cfb_abort:
+ popq %rbp
+ .byte 0xf3,0xc3
+
++
+ .globl _padlock_ofb_encrypt
+
+ .p2align 4
+ _padlock_ofb_encrypt:
++
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -730,9 +786,9 @@ _padlock_ofb_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz L$ofb_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz L$ofb_aligned
+@@ -759,12 +815,12 @@ L$ofb_loop:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz L$ofb_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -772,17 +828,17 @@ L$ofb_inp_aligned:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,232
++.byte 0xf3,0x0f,0xa7,232
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz L$ofb_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ L$ofb_out_aligned:
+ movq %r9,%rsi
+@@ -812,7 +868,7 @@ L$ofb_aligned:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,232
++.byte 0xf3,0x0f,0xa7,232
+ movdqa (%rax),%xmm0
+ movdqa %xmm0,-16(%rdx)
+ L$ofb_exit:
+@@ -823,10 +879,13 @@ L$ofb_abort:
+ popq %rbp
+ .byte 0xf3,0xc3
+
++
+ .globl _padlock_ctr32_encrypt
+
+ .p2align 4
+ _padlock_ctr32_encrypt:
++
++.byte 243,15,30,250
+ pushq %rbp
+ pushq %rbx
+
+@@ -844,9 +903,9 @@ _padlock_ctr32_encrypt:
+ xorl %ebx,%ebx
+ testl $32,(%rdx)
+ jnz L$ctr32_aligned
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ setz %al
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ setz %bl
+ testl %ebx,%eax
+ jnz L$ctr32_aligned
+@@ -881,7 +940,7 @@ L$ctr32_reenter:
+ cmoveq %rdi,%rax
+ addq %rcx,%rax
+ negq %rax
+- andq $4095,%rax
++ andq $0xfff,%rax
+ cmpq $32,%rax
+ movq $-32,%rax
+ cmovaeq %rbx,%rax
+@@ -897,12 +956,12 @@ L$ctr32_loop:
+ movq %rcx,%r10
+ movq %rbx,%rcx
+ movq %rbx,%r11
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ cmovnzq %rsp,%rdi
+- testq $15,%rsi
++ testq $0x0f,%rsi
+ jz L$ctr32_inp_aligned
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ movq %rbx,%rcx
+ movq %rdi,%rsi
+@@ -910,23 +969,23 @@ L$ctr32_inp_aligned:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,216
++.byte 0xf3,0x0f,0xa7,216
+ movl -4(%rdx),%eax
+- testl $4294901760,%eax
++ testl $0xffff0000,%eax
+ jnz L$ctr32_no_carry
+ bswapl %eax
+- addl $65536,%eax
++ addl $0x10000,%eax
+ bswapl %eax
+ movl %eax,-4(%rdx)
+ L$ctr32_no_carry:
+ movq %r8,%rdi
+ movq %r11,%rbx
+- testq $15,%rdi
++ testq $0x0f,%rdi
+ jz L$ctr32_out_aligned
+ movq %rbx,%rcx
+ leaq (%rsp),%rsi
+ shrq $3,%rcx
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ subq %rbx,%rdi
+ L$ctr32_out_aligned:
+ movq %r9,%rsi
+@@ -944,7 +1003,7 @@ L$ctr32_out_aligned:
+ cmoveq %rdi,%rax
+ addq %rcx,%rax
+ negq %rax
+- andq $4095,%rax
++ andq $0xfff,%rax
+ cmpq $32,%rax
+ movq $-32,%rax
+ cmovaeq %rbx,%rax
+@@ -959,7 +1018,7 @@ L$ctr32_unaligned_tail:
+ subq %rax,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ movq %rsp,%rsi
+ movq %r8,%rdi
+ movq %rbx,%rcx
+@@ -986,7 +1045,7 @@ L$ctr32_aligned:
+ movl -4(%rdx),%eax
+ bswapl %eax
+ negl %eax
+- andl $65535,%eax
++ andl $0xffff,%eax
+ movq $1048576,%rbx
+ shll $4,%eax
+ cmovzq %rbx,%rax
+@@ -1003,11 +1062,11 @@ L$ctr32_aligned_loop:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,216
++.byte 0xf3,0x0f,0xa7,216
+
+ movl -4(%rdx),%eax
+ bswapl %eax
+- addl $65536,%eax
++ addl $0x10000,%eax
+ bswapl %eax
+ movl %eax,-4(%rdx)
+
+@@ -1021,7 +1080,7 @@ L$ctr32_aligned_loop:
+ L$ctr32_aligned_skip:
+ leaq (%rsi,%rcx,1),%rbp
+ negq %rbp
+- andq $4095,%rbp
++ andq $0xfff,%rbp
+ xorl %eax,%eax
+ cmpq $32,%rbp
+ movq $32-1,%rbp
+@@ -1032,7 +1091,7 @@ L$ctr32_aligned_skip:
+ leaq -16(%rdx),%rax
+ leaq 16(%rdx),%rbx
+ shrq $4,%rcx
+-.byte 0xf3,0x0f,0xa7,216
++.byte 0xf3,0x0f,0xa7,216
+ testq %rbp,%rbp
+ jz L$ctr32_exit
+
+@@ -1044,7 +1103,7 @@ L$ctr32_aligned_tail:
+ subq %rcx,%rsp
+ shrq $3,%rcx
+ leaq (%rsp),%rdi
+-.byte 0xf3,0x48,0xa5
++.byte 0xf3,0x48,0xa5
+ leaq (%r8),%rdi
+ leaq (%rsp),%rsi
+ movq %rbx,%rcx
+@@ -1057,6 +1116,7 @@ L$ctr32_abort:
+ popq %rbp
+ .byte 0xf3,0xc3
+
++
+ .byte 86,73,65,32,80,97,100,108,111,99,107,32,120,56,54,95,54,52,32,109,111,100,117,108,101,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
+ .p2align 4
+ .data
+diff --git a/lib/accelerated/x86/macosx/ghash-x86_64.s b/lib/accelerated/x86/macosx/ghash-x86_64.s
+index 5fd321675..974d34dc7 100644
+--- a/lib/accelerated/x86/macosx/ghash-x86_64.s
++++ b/lib/accelerated/x86/macosx/ghash-x86_64.s
+@@ -45,6 +45,7 @@
+ .p2align 4
+ _gcm_gmult_4bit:
+
++.byte 243,15,30,250
+ pushq %rbx
+
+ pushq %rbp
+@@ -150,6 +151,7 @@ L$gmult_epilogue:
+ .p2align 4
+ _gcm_ghash_4bit:
+
++.byte 243,15,30,250
+ pushq %rbx
+
+ pushq %rbp
+@@ -891,6 +893,7 @@ L$_init_clmul:
+ .p2align 4
+ _gcm_gmult_clmul:
+
++.byte 243,15,30,250
+ L$_gmult_clmul:
+ movdqu (%rdi),%xmm0
+ movdqa L$bswap_mask(%rip),%xmm5
+@@ -944,6 +947,7 @@ L$_gmult_clmul:
+ .p2align 5
+ _gcm_ghash_clmul:
+
++.byte 243,15,30,250
+ L$_ghash_clmul:
+ movdqa L$bswap_mask(%rip),%xmm10
+
+@@ -1438,6 +1442,7 @@ L$init_start_avx:
+ .p2align 5
+ _gcm_gmult_avx:
+
++.byte 243,15,30,250
+ jmp L$_gmult_clmul
+
+
+@@ -1446,6 +1451,7 @@ _gcm_gmult_avx:
+ .p2align 5
+ _gcm_ghash_avx:
+
++.byte 243,15,30,250
+ vzeroupper
+
+ vmovdqu (%rdi),%xmm10
+diff --git a/lib/accelerated/x86/macosx/sha1-ssse3-x86.s b/lib/accelerated/x86/macosx/sha1-ssse3-x86.s
+index 985d4af8d..f51c5a318 100644
+--- a/lib/accelerated/x86/macosx/sha1-ssse3-x86.s
++++ b/lib/accelerated/x86/macosx/sha1-ssse3-x86.s
+@@ -42,6 +42,7 @@
+ .align 4
+ _sha1_block_data_order:
+ L_sha1_block_data_order_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+diff --git a/lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s b/lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s
+index a576acc25..7b5d9dfc9 100644
+--- a/lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s
++++ b/lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s
+@@ -1460,10 +1460,10 @@ L$oop_shaext:
+ pshufd $27,%xmm1,%xmm1
+ movdqu %xmm0,(%rdi)
+ movd %xmm1,16(%rdi)
+-
+ .byte 0xf3,0xc3
+
+
++
+ .p2align 4
+ sha1_block_data_order_ssse3:
+ _ssse3_shortcut:
+diff --git a/lib/accelerated/x86/macosx/sha256-ssse3-x86.s b/lib/accelerated/x86/macosx/sha256-ssse3-x86.s
+index 8d257109c..36781d480 100644
+--- a/lib/accelerated/x86/macosx/sha256-ssse3-x86.s
++++ b/lib/accelerated/x86/macosx/sha256-ssse3-x86.s
+@@ -42,6 +42,7 @@
+ .align 4
+ _sha256_block_data_order:
+ L_sha256_block_data_order_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+diff --git a/lib/accelerated/x86/macosx/sha256-ssse3-x86_64.s b/lib/accelerated/x86/macosx/sha256-ssse3-x86_64.s
+index fd0c24735..9fed36b9c 100644
+--- a/lib/accelerated/x86/macosx/sha256-ssse3-x86_64.s
++++ b/lib/accelerated/x86/macosx/sha256-ssse3-x86_64.s
+@@ -1814,6 +1814,7 @@ K256:
+ .p2align 6
+ sha256_block_data_order_shaext:
+ _shaext_shortcut:
++
+ leaq K256+128(%rip),%rcx
+ movdqu (%rdi),%xmm1
+ movdqu 16(%rdi),%xmm2
+@@ -2018,6 +2019,7 @@ L$oop_shaext:
+ .byte 0xf3,0xc3
+
+
++
+ .p2align 6
+ sha256_block_data_order_ssse3:
+
+@@ -4277,7 +4279,15 @@ L$oop_avx2:
+ vmovdqa %ymm4,0(%rsp)
+ xorl %r14d,%r14d
+ vmovdqa %ymm5,32(%rsp)
++
++ movq 88(%rsp),%rdi
++
+ leaq -64(%rsp),%rsp
++
++
++
++ movq %rdi,-8(%rsp)
++
+ movl %ebx,%edi
+ vmovdqa %ymm6,0(%rsp)
+ xorl %ecx,%edi
+@@ -4289,6 +4299,12 @@ L$oop_avx2:
+ .p2align 4
+ L$avx2_00_47:
+ leaq -64(%rsp),%rsp
++
++
++ pushq 64-8(%rsp)
++
++ leaq 8(%rsp),%rsp
++
+ vpalignr $4,%ymm0,%ymm1,%ymm4
+ addl 0+128(%rsp),%r11d
+ andl %r8d,%r12d
+@@ -4544,6 +4560,12 @@ L$avx2_00_47:
+ movl %r9d,%r12d
+ vmovdqa %ymm6,32(%rsp)
+ leaq -64(%rsp),%rsp
++
++
++ pushq 64-8(%rsp)
++
++ leaq 8(%rsp),%rsp
++
+ vpalignr $4,%ymm2,%ymm3,%ymm4
+ addl 0+128(%rsp),%r11d
+ andl %r8d,%r12d
+@@ -5419,6 +5441,8 @@ L$ower_avx2:
+
+ leaq 448(%rsp),%rsp
+
++
++
+ addl 0(%rdi),%eax
+ addl 4(%rdi),%ebx
+ addl 8(%rdi),%ecx
+@@ -5444,9 +5468,11 @@ L$ower_avx2:
+ jbe L$oop_avx2
+ leaq (%rsp),%rbp
+
++
++
++
+ L$done_avx2:
+- leaq (%rbp),%rsp
+- movq 88(%rsp),%rsi
++ movq 88(%rbp),%rsi
+
+ vzeroupper
+ movq -48(%rsi),%r15
+diff --git a/lib/accelerated/x86/macosx/sha512-ssse3-x86.s b/lib/accelerated/x86/macosx/sha512-ssse3-x86.s
+index 4e60bb45f..248a35ee1 100644
+--- a/lib/accelerated/x86/macosx/sha512-ssse3-x86.s
++++ b/lib/accelerated/x86/macosx/sha512-ssse3-x86.s
+@@ -42,6 +42,7 @@
+ .align 4
+ _sha512_block_data_order:
+ L_sha512_block_data_order_begin:
++.byte 243,15,30,251
+ pushl %ebp
+ pushl %ebx
+ pushl %esi
+diff --git a/lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s b/lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s
+index 8bf161601..e78d90f2d 100644
+--- a/lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s
++++ b/lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s
+@@ -4204,7 +4204,15 @@ L$oop_avx2:
+ vmovdqa %ymm10,64(%rsp)
+ vpaddq 64(%rbp),%ymm6,%ymm10
+ vmovdqa %ymm11,96(%rsp)
++
++ movq 152(%rsp),%rdi
++
+ leaq -128(%rsp),%rsp
++
++
++
++ movq %rdi,-8(%rsp)
++
+ vpaddq 96(%rbp),%ymm7,%ymm11
+ vmovdqa %ymm8,0(%rsp)
+ xorq %r14,%r14
+@@ -4220,6 +4228,12 @@ L$oop_avx2:
+ .p2align 4
+ L$avx2_00_47:
+ leaq -128(%rsp),%rsp
++
++
++ pushq 128-8(%rsp)
++
++ leaq 8(%rsp),%rsp
++
+ vpalignr $8,%ymm0,%ymm1,%ymm8
+ addq 0+256(%rsp),%r11
+ andq %r8,%r12
+@@ -4513,6 +4527,12 @@ L$avx2_00_47:
+ movq %r9,%r12
+ vmovdqa %ymm10,96(%rsp)
+ leaq -128(%rsp),%rsp
++
++
++ pushq 128-8(%rsp)
++
++ leaq 8(%rsp),%rsp
++
+ vpalignr $8,%ymm4,%ymm5,%ymm8
+ addq 0+256(%rsp),%r11
+ andq %r8,%r12
+@@ -5426,6 +5446,8 @@ L$ower_avx2:
+
+ leaq 1152(%rsp),%rsp
+
++
++
+ addq 0(%rdi),%rax
+ addq 8(%rdi),%rbx
+ addq 16(%rdi),%rcx
+@@ -5451,9 +5473,11 @@ L$ower_avx2:
+ jbe L$oop_avx2
+ leaq (%rsp),%rbp
+
++
++
++
+ L$done_avx2:
+- leaq (%rbp),%rsp
+- movq 152(%rsp),%rsi
++ movq 152(%rbp),%rsi
+
+ vzeroupper
+ movq -48(%rsi),%r15
+--
+2.25.4
+
diff --git a/SOURCES/gnutls-3.6.14-autogen-int.patch b/SOURCES/gnutls-3.6.14-autogen-int.patch
new file mode 100644
index 0000000..6723acb
--- /dev/null
+++ b/SOURCES/gnutls-3.6.14-autogen-int.patch
@@ -0,0 +1,36 @@
+From cf1de82bedd01c01e70921699c84a473b08d0dab Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 1 Jun 2020 17:23:59 +0200
+Subject: [PATCH] serv: omit upper bound of --maxearlydata option definition
+
+It turned out that AutoGen treats numbers that exceed INT_MAX in a
+platform dependent way. In this case, 4294967295 (UINT_MAX) is
+treated as is on 64-bit platforms, while it is interpreted as "-1" on
+32-bit platforms. This causes a problem when the program
+documentation is compiled under multilib environment.
+
+Reported by Ivan Molodetskikh in:
+https://bugzilla.redhat.com/show_bug.cgi?id=1841844
+and the cause was identified by Anderson Toshiyuki Sasaki.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ src/serv-args.def | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/serv-args.def b/src/serv-args.def
+index 996fbe36b..a584085e2 100644
+--- a/src/serv-args.def
++++ b/src/serv-args.def
+@@ -51,7 +51,7 @@ flag = {
+ flag = {
+ name = maxearlydata;
+ arg-type = number;
+- arg-range = "1->4294967295";
++ arg-range = "1->";
+ descrip = "The maximum early data size to accept";
+ doc = "";
+ };
+--
+2.26.2
+
diff --git a/SOURCES/gnutls-3.6.14-fips-mode-check.patch b/SOURCES/gnutls-3.6.14-fips-mode-check.patch
new file mode 100644
index 0000000..af9862f
--- /dev/null
+++ b/SOURCES/gnutls-3.6.14-fips-mode-check.patch
@@ -0,0 +1,42 @@
+From d1dc655cd2c8ae417381e5f966941c75cfe287ee Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 4 Jun 2020 16:42:07 +0200
+Subject: [PATCH] _gnutls_fips_mode_enabled: treat selftest failure as FIPS
+ disabled
+
+Previously gnutls_fips140_mode_enabled() returned true, even after
+selftests have failed and the library state has switched to error.
+While later calls to crypto operations fails, it would be more
+convenient to have a function to detect that state.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/fips.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/fips.c b/lib/fips.c
+index acdd2ec23..f8b10f750 100644
+--- a/lib/fips.c
++++ b/lib/fips.c
+@@ -491,8 +491,17 @@ unsigned gnutls_fips140_mode_enabled(void)
+ #ifdef ENABLE_FIPS140
+ unsigned ret = _gnutls_fips_mode_enabled();
+
+- if (ret > GNUTLS_FIPS140_DISABLED)
++ if (ret > GNUTLS_FIPS140_DISABLED) {
++ /* If the previous run of selftests has failed, return as if
++ * the FIPS mode is disabled. We could use HAVE_LIB_ERROR, if
++ * we can assume that all the selftests run atomically from
++ * the ELF constructor.
++ */
++ if (_gnutls_get_lib_state() == LIB_STATE_ERROR)
++ return 0;
++
+ return ret;
++ }
+ #endif
+ return 0;
+ }
+--
+2.26.2
+
diff --git a/SOURCES/gnutls-3.6.14.tar.xz.sig b/SOURCES/gnutls-3.6.14.tar.xz.sig
new file mode 100644
index 0000000..3e8c890
Binary files /dev/null and b/SOURCES/gnutls-3.6.14.tar.xz.sig differ
diff --git a/SOURCES/gnutls-3.6.5-fix-fips-signature-post.patch b/SOURCES/gnutls-3.6.5-fix-fips-signature-post.patch
deleted file mode 100644
index ce51cad..0000000
--- a/SOURCES/gnutls-3.6.5-fix-fips-signature-post.patch
+++ /dev/null
@@ -1,728 +0,0 @@
-From 2c44e9f8b2e7a1ebc65caeb03f9f106d31e30822 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Wed, 3 Apr 2019 13:40:04 +0200
-Subject: [PATCH 1/7] crypto-selftests-pk.c: Move hardcoded values to the top
-
-The objective of moving these values to the top is to allow them to be
-used by other functions, in particular test_sig().
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
----
- lib/crypto-selftests-pk.c | 224 +++++++++++++++++++-------------------
- 1 file changed, 112 insertions(+), 112 deletions(-)
-
-diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
-index 1aa53ea29..4fadd4161 100644
---- a/lib/crypto-selftests-pk.c
-+++ b/lib/crypto-selftests-pk.c
-@@ -107,6 +107,118 @@ static const char gost12_512_key[] =
- "KjL7CLBERDm7Yvlv\n"
- "-----END PRIVATE KEY-----\n";
-
-+/* A precomputed RSA-SHA256 signature using the rsa_key2048 */
-+static const char rsa_sig[] =
-+ "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb";
-+
-+/* ECDSA key and signature */
-+static const char ecdsa_secp256r1_privkey[] =
-+ "-----BEGIN EC PRIVATE KEY-----\n"
-+ "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n"
-+ "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n"
-+ "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n"
-+ "-----END EC PRIVATE KEY-----\n";
-+
-+static const char ecdsa_secp256r1_sig[] =
-+ "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35";
-+
-+#ifdef ENABLE_NON_SUITEB_CURVES
-+/* sha256 */
-+static const char ecdsa_secp192r1_privkey[] =
-+ "-----BEGIN EC PRIVATE KEY-----"
-+ "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA"
-+ "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL"
-+ "Fg==" "-----END EC PRIVATE KEY-----";
-+
-+static const char ecdsa_secp192r1_sig[] =
-+ "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c";
-+
-+static const char ecdsa_secp224r1_privkey[] =
-+ "-----BEGIN EC PRIVATE KEY-----"
-+ "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6"
-+ "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9"
-+ "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----";
-+
-+static const char ecdsa_secp224r1_sig[] =
-+ "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda";
-+#endif
-+
-+static const char ecdsa_secp384r1_privkey[] =
-+ "-----BEGIN EC PRIVATE KEY-----"
-+ "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS"
-+ "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH"
-+ "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n"
-+ "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----";
-+
-+static const char ecdsa_secp384r1_sig[] =
-+ "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad";
-+
-+static const char ecdsa_secp521r1_privkey[] =
-+ "-----BEGIN EC PRIVATE KEY-----"
-+ "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w"
-+ "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo"
-+ "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R"
-+ "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t"
-+ "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV"
-+ "-----END EC PRIVATE KEY-----";
-+
-+static const char ecdsa_secp521r1_sig[] =
-+ "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3";
-+
-+/* DSA key and signature */
-+static const char dsa_privkey[] =
-+ "-----BEGIN DSA PRIVATE KEY-----\n"
-+ "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n"
-+ "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n"
-+ "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n"
-+ "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n"
-+ "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n"
-+ "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n"
-+ "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n"
-+ "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n"
-+ "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n"
-+ "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n"
-+ "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n"
-+ "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n"
-+ "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n"
-+ "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n"
-+ "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n"
-+ "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n"
-+ "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n"
-+ "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n"
-+ "-----END DSA PRIVATE KEY-----\n";
-+
-+static const char dsa_sig[] =
-+ "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42";
-+
-+static const char gost01_privkey[] =
-+ "-----BEGIN PRIVATE KEY-----\n"
-+ "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n"
-+ "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n"
-+ "-----END PRIVATE KEY-----\n";
-+
-+static const char gost01_sig[] =
-+ "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb";
-+
-+static const char gost12_256_privkey[] =
-+ "-----BEGIN PRIVATE KEY-----\n"
-+ "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n"
-+ "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n"
-+ "-----END PRIVATE KEY-----\n";
-+
-+static const char gost12_256_sig[] =
-+ "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0";
-+
-+static const char gost12_512_privkey[] =
-+ "-----BEGIN PRIVATE KEY-----\n"
-+ "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n"
-+ "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n"
-+ "hsQ3JCCy4xnd5jWT\n"
-+ "-----END PRIVATE KEY-----\n";
-+
-+static const char gost12_512_sig[] =
-+ "\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f";
-+
- static int test_rsa_enc(gnutls_pk_algorithm_t pk,
- unsigned bits, gnutls_digest_algorithm_t ign)
- {
-@@ -302,118 +414,6 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- return ret;
- }
-
--/* A precomputed RSA-SHA1 signature using the rsa_key2048 */
--static const char rsa_sig[] =
-- "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb";
--
--/* ECDSA key and signature */
--static const char ecdsa_secp256r1_privkey[] =
-- "-----BEGIN EC PRIVATE KEY-----\n"
-- "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n"
-- "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n"
-- "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n"
-- "-----END EC PRIVATE KEY-----\n";
--
--static const char ecdsa_secp256r1_sig[] =
-- "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35";
--
--#ifdef ENABLE_NON_SUITEB_CURVES
--/* sha256 */
--static const char ecdsa_secp192r1_privkey[] =
-- "-----BEGIN EC PRIVATE KEY-----"
-- "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA"
-- "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL"
-- "Fg==" "-----END EC PRIVATE KEY-----";
--
--static const char ecdsa_secp192r1_sig[] =
-- "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c";
--
--static const char ecdsa_secp224r1_privkey[] =
-- "-----BEGIN EC PRIVATE KEY-----"
-- "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6"
-- "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9"
-- "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----";
--
--static const char ecdsa_secp224r1_sig[] =
-- "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda";
--#endif
--
--static const char ecdsa_secp384r1_privkey[] =
-- "-----BEGIN EC PRIVATE KEY-----"
-- "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS"
-- "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH"
-- "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n"
-- "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----";
--
--static const char ecdsa_secp384r1_sig[] =
-- "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad";
--
--static const char ecdsa_secp521r1_privkey[] =
-- "-----BEGIN EC PRIVATE KEY-----"
-- "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w"
-- "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo"
-- "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R"
-- "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t"
-- "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV"
-- "-----END EC PRIVATE KEY-----";
--
--static const char ecdsa_secp521r1_sig[] =
-- "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3";
--
--/* DSA key and signature */
--static const char dsa_privkey[] =
-- "-----BEGIN DSA PRIVATE KEY-----\n"
-- "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n"
-- "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n"
-- "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n"
-- "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n"
-- "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n"
-- "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n"
-- "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n"
-- "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n"
-- "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n"
-- "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n"
-- "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n"
-- "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n"
-- "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n"
-- "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n"
-- "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n"
-- "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n"
-- "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n"
-- "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n"
-- "-----END DSA PRIVATE KEY-----\n";
--
--static const char dsa_sig[] =
-- "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42";
--
--static const char gost01_privkey[] =
-- "-----BEGIN PRIVATE KEY-----\n"
-- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n"
-- "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n"
-- "-----END PRIVATE KEY-----\n";
--
--static const char gost01_sig[] =
-- "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb";
--
--static const char gost12_256_privkey[] =
-- "-----BEGIN PRIVATE KEY-----\n"
-- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n"
-- "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n"
-- "-----END PRIVATE KEY-----\n";
--
--static const char gost12_256_sig[] =
-- "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0";
--
--static const char gost12_512_privkey[] =
-- "-----BEGIN PRIVATE KEY-----\n"
-- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n"
-- "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n"
-- "hsQ3JCCy4xnd5jWT\n"
-- "-----END PRIVATE KEY-----\n";
--
--static const char gost12_512_sig[] =
-- "\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f";
--
- static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- gnutls_digest_algorithm_t dig,
- const void *privkey, size_t privkey_size,
---
-2.20.1
-
-
-From 4b04d899849ea566ae33862289276d9b297cd493 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Wed, 3 Apr 2019 13:44:56 +0200
-Subject: [PATCH 2/7] crypto-selftests-pk.c: Add a comparison with a known
- signature
-
-For RSA, compare the generated signature with a stored known value in
-test_sig().
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
----
- lib/crypto-selftests-pk.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
-index 4fadd4161..0233e6b9f 100644
---- a/lib/crypto-selftests-pk.c
-+++ b/lib/crypto-selftests-pk.c
-@@ -313,6 +313,7 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- {
- int ret;
- gnutls_datum_t sig = { NULL, 0 };
-+ gnutls_datum_t known_sig = { NULL, 0 };
- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 };
- gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 };
- gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 };
-@@ -343,6 +344,8 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- }
-
- if (pk == GNUTLS_PK_RSA) {
-+ known_sig.data = (void *)rsa_sig;
-+ known_sig.size = sizeof(rsa_sig) - 1;
- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0);
- } else if (pk == GNUTLS_PK_RSA_PSS) {
- ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0);
-@@ -378,6 +381,16 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- goto cleanup;
- }
-
-+ /* Compare with a stored known signature */
-+ if (known_sig.data != NULL) {
-+ if (sig.size != known_sig.size
-+ || memcmp(sig.data, known_sig.data, sig.size) != 0) {
-+ ret = GNUTLS_E_SELF_TEST_ERROR;
-+ gnutls_assert();
-+ goto cleanup;
-+ }
-+ }
-+
- ret =
- gnutls_pubkey_verify_data2(pub, sigalgo, 0,
- &signed_data, &sig);
---
-2.20.1
-
-
-From db2b308fdbe98420b722eaf678c1a911bc51b0a5 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Thu, 18 Apr 2019 17:22:18 +0200
-Subject: [PATCH 4/7] tests: Run rng-no-onload test in FIPS mode
-
-This changes the function used in the test to override gnutls_rnd() to
-fill the given buffer with a different value each time it is called.
-This allows the test to run when FIPS mode is enabled.
-
-Previously the rng-no-onload test could get stuck if FIPS mode was
-enabled. This happened if gnutls_rnd() function was called during
-global_init() in a loop that checks the generated value (e.g. if ECDSA
-signature generation is called during self tests).
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
----
- tests/rng-no-onload.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/tests/rng-no-onload.c b/tests/rng-no-onload.c
-index ac01be214..a485a440d 100644
---- a/tests/rng-no-onload.c
-+++ b/tests/rng-no-onload.c
-@@ -50,18 +50,20 @@ static int _rnd_called = 0;
- int __attribute__ ((visibility ("protected")))
- gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len)
- {
-+ static unsigned int value = 0;
-+
- _rnd_called = 1;
-
-- memset(data, 0xff, len);
-+ /* Increment 'value' in each call up to 255, then start again from 0 */
-+ value = (value + 1) & 0xFF;
-+
-+ memset(data, value, len);
-+
- return 0;
- }
-
- void doit(void)
- {
-- if (gnutls_fips140_mode_enabled()) {
-- exit(77);
-- }
--
- global_init();
-
- if (_rnd_called != 0)
---
-2.20.1
-
-
-From fc926cd65f1de06f359315c6693c1a9c9899ba8c Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Thu, 4 Apr 2019 15:45:02 +0200
-Subject: [PATCH 5/7] crypto-selftests-pk.c: Fix test_known_sig
-
-Previously a new signature was generated only for deterministic
-algorithms (i.e. only RSA). With this, a new signature is always
-generated (and compared with a stored signature for deterministic
-algorithms). The signature verification is tested for both generated
-and stored signatures.
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
----
- lib/crypto-selftests-pk.c | 31 ++++++++++++++++++++-----------
- 1 file changed, 20 insertions(+), 11 deletions(-)
-
-diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
-index 0233e6b9f..ba8f5e376 100644
---- a/lib/crypto-selftests-pk.c
-+++ b/lib/crypto-selftests-pk.c
-@@ -475,19 +475,17 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- goto cleanup;
- }
-
-- /* Test if the signature we generate matches the stored */
-+ ret = gnutls_privkey_sign_data(key, dig, 0, &signed_data, &sig);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto cleanup;
-+ }
-+
-+ /* Test if the generated signature matches the stored */
- ssig.data = (void *) stored_sig;
- ssig.size = stored_sig_size;
-
- if (deterministic_sigs != 0) { /* do not compare against stored signature if not provided */
-- ret =
-- gnutls_privkey_sign_data(key, dig, 0, &signed_data,
-- &sig);
-- if (ret < 0) {
-- gnutls_assert();
-- goto cleanup;
-- }
--
- if (sig.size != ssig.size
- || memcmp(sig.data, ssig.data, sig.size) != 0) {
- ret = GNUTLS_E_SELF_TEST_ERROR;
-@@ -507,7 +505,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- }
- }
-
-- /* Test if we can verify the signature */
-+ /* Test if we can verify the generated signature */
-
- ret = gnutls_pubkey_import_privkey(pub, key, 0, 0);
- if (ret < 0) {
-@@ -515,6 +513,17 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- goto cleanup;
- }
-
-+ ret =
-+ gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
-+ &signed_data, &sig);
-+ if (ret < 0) {
-+ ret = GNUTLS_E_SELF_TEST_ERROR;
-+ gnutls_assert();
-+ goto cleanup;
-+ }
-+
-+ /* Test if we can verify the stored signature */
-+
- ret =
- gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
- &signed_data, &ssig);
-@@ -528,7 +537,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
-
- ret =
- gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
-- &bad_data, &ssig);
-+ &bad_data, &sig);
-
- if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) {
- ret = GNUTLS_E_SELF_TEST_ERROR;
---
-2.20.1
-
-
-From 7e49999db264556ac73ff498bd8f7edce401cdd1 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Thu, 4 Apr 2019 17:22:04 +0200
-Subject: [PATCH 6/7] crypto-selftests-pk.c: Fix PK_KNOWN_TEST and PK_TEST
-
-Remove the flag check from the end of the macros. This change allows
-more than one test to run in sequence when GNUTLS_SELF_TEST_FLAG_ALL is
-not set. Move the flags checks to run the minimal set of tests required
-for FIPS and keep the previous behaviour for GOST (run the first test
-for each algorithm).
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
----
- lib/crypto-selftests-pk.c | 37 ++++++++++++++++++++-----------------
- 1 file changed, 20 insertions(+), 17 deletions(-)
-
-diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
-index ba8f5e376..fc8ee2525 100644
---- a/lib/crypto-selftests-pk.c
-+++ b/lib/crypto-selftests-pk.c
-@@ -568,18 +568,14 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- if (ret < 0) { \
- gnutls_assert(); \
- goto cleanup; \
-- } \
-- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \
-- return 0
-+ }
-
- #define PK_KNOWN_TEST(pk, det, bits, dig, pkey, sig) \
- ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, det); \
- if (ret < 0) { \
- gnutls_assert(); \
- goto cleanup; \
-- } \
-- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \
-- return 0
-+ }
-
-
- /* This file is also included by the test app in tests/slow/cipher-test, so in that
-@@ -812,11 +808,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- PK_KNOWN_TEST(GNUTLS_PK_RSA, 1, 2048, GNUTLS_DIG_SHA256,
- rsa_key2048, rsa_sig);
- PK_TEST(GNUTLS_PK_RSA, test_rsa_enc, 2048, 0);
-- PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256);
-
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-+ PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256);
-+
- FALLTHROUGH;
- case GNUTLS_PK_RSA_PSS:
- PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256);
-@@ -828,11 +825,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- case GNUTLS_PK_DSA:
- PK_KNOWN_TEST(GNUTLS_PK_DSA, 0, 2048, GNUTLS_DIG_SHA256,
- dsa_privkey, dsa_sig);
-- PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);
-
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-+ PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);
-+
- FALLTHROUGH;
- case GNUTLS_PK_EC:
- /* Test ECDH and ECDSA */
-@@ -850,13 +848,14 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- (GNUTLS_ECC_CURVE_SECP256R1),
- GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey,
- ecdsa_secp256r1_sig);
-- PK_TEST(GNUTLS_PK_EC, test_sig,
-- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
-- GNUTLS_SIGN_ECDSA_SHA256);
-
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-+ PK_TEST(GNUTLS_PK_EC, test_sig,
-+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
-+ GNUTLS_SIGN_ECDSA_SHA256);
-+
- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
- GNUTLS_CURVE_TO_BITS
- (GNUTLS_ECC_CURVE_SECP384R1),
-@@ -900,31 +899,35 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- case GNUTLS_PK_GOST_01:
- PK_KNOWN_TEST(GNUTLS_PK_GOST_01, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_GOSTR_94,
- gost01_privkey, gost01_sig);
-- PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
-- GNUTLS_SIGN_GOST_94);
-
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-+ PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
-+ GNUTLS_SIGN_GOST_94);
-+
- FALLTHROUGH;
- case GNUTLS_PK_GOST_12_256:
- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_256, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_STREEBOG_256,
- gost12_256_privkey, gost12_256_sig);
-- PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
-- GNUTLS_SIGN_GOST_256);
-
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-+ PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
-+ GNUTLS_SIGN_GOST_256);
-+
- FALLTHROUGH;
- case GNUTLS_PK_GOST_12_512:
- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_512, 0, GNUTLS_ECC_CURVE_GOST512A, GNUTLS_DIG_STREEBOG_512,
- gost12_512_privkey, gost12_512_sig);
-- PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A),
-- GNUTLS_SIGN_GOST_512);
-
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-+
-+ PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A),
-+ GNUTLS_SIGN_GOST_512);
-+
- #endif
-
- break;
---
-2.20.1
-
-
-From c2e83d2110b98d93588f1b6187bc932feb958ca4 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Mon, 8 Apr 2019 14:21:57 +0200
-Subject: [PATCH 7/7] crypto-selftests-pk.c: Cleanup self tests
-
-test_sig() always uses the same key for RSA, DSA, and ECDSA regardless
-of the value provided in the "bits" parameter. Therefore, avoid
-printing specific information (number of bits or name of the curve).
-
-Changes test_sig() to use 2048 bits key for DSA; deleted hardcoded 512
-bits DSA key;
-
-Avoid calling test_sig() multiple times for ECDSA: the same key is
-used regardless of the curve provided in the parameters.
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
----
- lib/crypto-selftests-pk.c | 42 +++++++++------------------------------
- 1 file changed, 9 insertions(+), 33 deletions(-)
-
-diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
-index fc8ee2525..3d665b723 100644
---- a/lib/crypto-selftests-pk.c
-+++ b/lib/crypto-selftests-pk.c
-@@ -78,16 +78,6 @@ static const char ecc_key[] =
- "MSHpe5vd0TQz+/GAa1zxle8mB/Cdh0JaTrA=\n"
- "-----END EC PRIVATE KEY-----\n";
-
--static const char dsa_key[] =
-- "-----BEGIN DSA PRIVATE KEY-----\n"
-- "MIH4AgEAAkEA6KUOSXfFNcInFLPdOlLlKNCe79zJrkxnsQN+lllxuk1ifZrE07r2\n"
-- "3edTrc4riQNnZ2nZ372tYUAMJg+5jM6IIwIVAOa58exwZ+42Tl+p3b4Kbpyu2Ron\n"
-- "AkBocj7gkiBYHtv6HMIIzooaxn4vpGR0Ns6wBfroBUGvrnSAgfT3WyiNaHkIF28e\n"
-- "quWcEeOJjUgFvatcM8gcY288AkEAyKWlgzBurIYST8TM3j4PuQJDTvdHDaGoAUAa\n"
-- "EfjmOw2UXKwqTmwPiT5BYKgCo2ILS87ttlTpd8vndH37pmnmVQIUQIVuKpZ8y9Bw\n"
-- "VzO8qcrLCFvTOXY=\n"
-- "-----END DSA PRIVATE KEY-----\n";
--
- static const char gost01_key[] =
- "-----BEGIN PRIVATE KEY-----\n"
- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n"
-@@ -315,22 +305,20 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- gnutls_datum_t sig = { NULL, 0 };
- gnutls_datum_t known_sig = { NULL, 0 };
- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 };
-- gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 };
-+ gnutls_datum_t raw_dsa_key = { (void*)dsa_privkey, sizeof(dsa_privkey)-1 };
- gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 };
- gnutls_datum_t raw_gost01_key = { (void*)gost01_key, sizeof(gost01_key)-1 };
- gnutls_datum_t raw_gost12_256_key = { (void*)gost12_256_key, sizeof(gost12_256_key)-1 };
- gnutls_datum_t raw_gost12_512_key = { (void*)gost12_512_key, sizeof(gost12_512_key)-1 };
- gnutls_privkey_t key;
- gnutls_pubkey_t pub = NULL;
-- char param_name[32];
-+ char param_name[32] = "";
-
-- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 ||
-- pk == GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) {
-- snprintf(param_name, sizeof(param_name), "%s",
-+ if (pk == GNUTLS_PK_GOST_01 || pk == GNUTLS_PK_GOST_12_256 ||
-+ pk == GNUTLS_PK_GOST_12_512) {
-+ snprintf(param_name, sizeof(param_name), "-%s",
- gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE
- (bits)));
-- } else {
-- snprintf(param_name, sizeof(param_name), "%u", bits);
- }
-
- ret = gnutls_privkey_init(&key);
-@@ -418,10 +406,10 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- gnutls_free(sig.data);
-
- if (ret == 0)
-- _gnutls_debug_log("%s-%s-sig self test succeeded\n",
-+ _gnutls_debug_log("%s%s-sig self test succeeded\n",
- gnutls_pk_get_name(pk), param_name);
- else
-- _gnutls_debug_log("%s-%s-sig self test failed\n",
-+ _gnutls_debug_log("%s%s-sig self test failed\n",
- gnutls_pk_get_name(pk), param_name);
-
- return ret;
-@@ -812,7 +800,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-- PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256);
-+ PK_TEST(GNUTLS_PK_RSA, test_sig, 2048, GNUTLS_SIGN_RSA_SHA256);
-
- FALLTHROUGH;
- case GNUTLS_PK_RSA_PSS:
-@@ -829,7 +817,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-- PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);
-+ PK_TEST(GNUTLS_PK_DSA, test_sig, 2048, GNUTLS_SIGN_DSA_SHA256);
-
- FALLTHROUGH;
- case GNUTLS_PK_EC:
-@@ -861,18 +849,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- (GNUTLS_ECC_CURVE_SECP384R1),
- GNUTLS_DIG_SHA256, ecdsa_secp384r1_privkey,
- ecdsa_secp384r1_sig);
-- PK_TEST(GNUTLS_PK_EC, test_sig,
-- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1),
-- GNUTLS_SIGN_ECDSA_SHA384);
-
- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
- GNUTLS_CURVE_TO_BITS
- (GNUTLS_ECC_CURVE_SECP521R1),
- GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey,
- ecdsa_secp521r1_sig);
-- PK_TEST(GNUTLS_PK_EC, test_sig,
-- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1),
-- GNUTLS_SIGN_ECDSA_SHA512);
-
- #ifdef ENABLE_NON_SUITEB_CURVES
- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
-@@ -880,18 +862,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- (GNUTLS_ECC_CURVE_SECP192R1),
- GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
- ecdsa_secp192r1_sig);
-- PK_TEST(GNUTLS_PK_EC, test_sig,
-- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
-- GNUTLS_SIGN_ECDSA_SHA256);
-
- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
- GNUTLS_CURVE_TO_BITS
- (GNUTLS_ECC_CURVE_SECP224R1),
- GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
- ecdsa_secp224r1_sig);
-- PK_TEST(GNUTLS_PK_EC, test_sig,
-- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
-- GNUTLS_SIGN_ECDSA_SHA256);
- #endif
-
- #if ENABLE_GOST
---
-2.20.1
diff --git a/SOURCES/gnutls-3.6.8-aead-cipher-encryptv2.patch b/SOURCES/gnutls-3.6.8-aead-cipher-encryptv2.patch
deleted file mode 100644
index 8ed9aa6..0000000
--- a/SOURCES/gnutls-3.6.8-aead-cipher-encryptv2.patch
+++ /dev/null
@@ -1,1296 +0,0 @@
-From 38c8dc4317296624cba5b2c8ddba6e9047048180 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Thu, 1 Aug 2019 17:41:45 +0200
-Subject: [PATCH 1/3] iov: add iterator interface for giovec_t
-
-This adds an iterator interface over giovec_t array, extracting a
-fixed sized block.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- .gitignore | 1 +
- lib/Makefile.am | 3 +-
- lib/iov.c | 120 ++++++++++++++++++++++++++++++++
- lib/iov.h | 46 +++++++++++++
- lib/libgnutls.map | 3 +
- tests/Makefile.am | 6 +-
- tests/iov.c | 170 ++++++++++++++++++++++++++++++++++++++++++++++
- 7 files changed, 347 insertions(+), 2 deletions(-)
- create mode 100644 lib/iov.c
- create mode 100644 lib/iov.h
- create mode 100644 tests/iov.c
-
-diff --git a/lib/Makefile.am b/lib/Makefile.am
-index ffc72e4c2..9fe78afbd 100644
---- a/lib/Makefile.am
-+++ b/lib/Makefile.am
-@@ -80,7 +80,8 @@ COBJECTS = range.c record.c compress.c debug.c cipher.c gthreads.h handshake-tls
- system-keys.h urls.c urls.h prf.c auto-verify.c dh-session.c \
- cert-session.c handshake-checks.c dtls-sw.c dh-primes.c openpgp_compat.c \
- crypto-selftests.c crypto-selftests-pk.c secrets.c extv.c extv.h \
-- hello_ext_lib.c hello_ext_lib.h ocsp-api.c stek.c cert-cred-rawpk.c
-+ hello_ext_lib.c hello_ext_lib.h ocsp-api.c stek.c cert-cred-rawpk.c \
-+ iov.c iov.h
-
- if WINDOWS
- COBJECTS += system/keys-win.c
-diff --git a/lib/iov.c b/lib/iov.c
-new file mode 100644
-index 000000000..5dc29c54b
---- /dev/null
-+++ b/lib/iov.c
-@@ -0,0 +1,120 @@
-+/*
-+ * Copyright (C) 2019 Red Hat, Inc.
-+ *
-+ * Author: Daiki Ueno
-+ *
-+ * This file is part of GnuTLS.
-+ *
-+ * The GnuTLS is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public License
-+ * as published by the Free Software Foundation; either version 2.1 of
-+ * the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program. If not, see <https://www.gnu.org/licenses/>
-+ *
-+ */
-+
-+#include "gnutls_int.h"
-+#include "iov.h"
-+
-+/**
-+ * _gnutls_iov_iter_init:
-+ * @iter: the iterator
-+ * @iov: the data buffers
-+ * @iov_count: the number of data buffers
-+ * @block_size: block size to iterate
-+ *
-+ * Initialize the iterator.
-+ *
-+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
-+ * an error code is returned
-+ */
-+int
-+_gnutls_iov_iter_init(struct iov_iter_st *iter,
-+ const giovec_t *iov, size_t iov_count,
-+ size_t block_size)
-+{
-+ if (unlikely(block_size > MAX_CIPHER_BLOCK_SIZE))
-+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+
-+ iter->iov = iov;
-+ iter->iov_count = iov_count;
-+ iter->iov_index = 0;
-+ iter->iov_offset = 0;
-+ iter->block_size = block_size;
-+ iter->block_offset = 0;
-+ return 0;
-+}
-+
-+/**
-+ * _gnutls_iov_iter_next:
-+ * @iter: the iterator
-+ * @data: the return location of extracted data
-+ *
-+ * Retrieve block(s) pointed by @iter and advance it to the next
-+ * position. It returns the number of consecutive blocks in @data.
-+ * At the end of iteration, 0 is returned.
-+ *
-+ * If the data stored in @iter is not multiple of the block size, the
-+ * remaining data is stored in the "block" field of @iter with the
-+ * size stored in the "block_offset" field.
-+ *
-+ * Returns: On success, a value greater than or equal to zero is
-+ * returned, otherwise a negative error code is returned
-+ */
-+ssize_t
-+_gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data)
-+{
-+ while (iter->iov_index < iter->iov_count) {
-+ const giovec_t *iov = &iter->iov[iter->iov_index];
-+ uint8_t *p = iov->iov_base;
-+ size_t len = iov->iov_len;
-+ size_t block_left;
-+
-+ if (unlikely(len < iter->iov_offset))
-+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
-+ len -= iter->iov_offset;
-+ p += iter->iov_offset;
-+
-+ /* We have at least one full block, return a whole set
-+ * of full blocks immediately. */
-+ if (iter->block_offset == 0 && len >= iter->block_size) {
-+ if ((len % iter->block_size) == 0) {
-+ iter->iov_index++;
-+ iter->iov_offset = 0;
-+ } else
-+ iter->iov_offset +=
-+ len - (len % iter->block_size);
-+
-+ /* Return the blocks. */
-+ *data = p;
-+ return len / iter->block_size;
-+ }
-+
-+ /* We can complete one full block to return. */
-+ block_left = iter->block_size - iter->block_offset;
-+ if (len >= block_left) {
-+ memcpy(iter->block + iter->block_offset, p, block_left);
-+ iter->iov_offset += block_left;
-+ iter->block_offset = 0;
-+
-+ /* Return the filled block. */
-+ *data = iter->block;
-+ return 1;
-+ }
-+
-+ /* Not enough data for a full block, store in temp
-+ * memory and continue. */
-+ memcpy(iter->block + iter->block_offset, p, len);
-+ iter->block_offset += len;
-+ iter->iov_index++;
-+ iter->iov_offset = 0;
-+ }
-+ return 0;
-+}
-diff --git a/lib/iov.h b/lib/iov.h
-new file mode 100644
-index 000000000..47fba559a
---- /dev/null
-+++ b/lib/iov.h
-@@ -0,0 +1,46 @@
-+/*
-+ * Copyright (C) 2019 Red Hat, Inc.
-+ *
-+ * Author: Daiki Ueno
-+ *
-+ * This file is part of GnuTLS.
-+ *
-+ * The GnuTLS is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public License
-+ * as published by the Free Software Foundation; either version 2.1 of
-+ * the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program. If not, see <https://www.gnu.org/licenses/>
-+ *
-+ */
-+
-+#ifndef GNUTLS_LIB_IOV_H
-+#define GNUTLS_LIB_IOV_H
-+
-+#include "gnutls_int.h"
-+
-+struct iov_iter_st {
-+ const giovec_t *iov;
-+ size_t iov_count; /* the number of iov */
-+ size_t iov_index; /* index of the current buffer */
-+ size_t iov_offset; /* byte offset in the current buffer */
-+
-+ uint8_t block[MAX_CIPHER_BLOCK_SIZE]; /* incomplete block for reading */
-+ size_t block_size; /* actual block size of the cipher */
-+ size_t block_offset; /* offset in block */
-+
-+};
-+
-+int _gnutls_iov_iter_init(struct iov_iter_st *iter,
-+ const giovec_t *iov, size_t iov_count,
-+ size_t block_size);
-+
-+ssize_t _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data);
-+
-+#endif /* GNUTLS_LIB_IOV_H */
-diff --git a/lib/libgnutls.map b/lib/libgnutls.map
-index 0f31f4aef..fc93c0857 100644
---- a/lib/libgnutls.map
-+++ b/lib/libgnutls.map
-@@ -1374,4 +1374,7 @@ GNUTLS_PRIVATE_3_4 {
- _gnutls_global_set_gettime_function;
- # Internal symbols needed by tests/tls13/anti_replay.c
- _gnutls_anti_replay_check;
-+ # needed by tests/iov:
-+ _gnutls_iov_iter_init;
-+ _gnutls_iov_iter_next;
- } GNUTLS_3_4;
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index a8c2d152e..a2883570f 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm
- null_retrieve_function tls-record-size-limit tls-crt_type-neg \
- resume-with-stek-expiration resume-with-previous-stek rawpk-api \
- tls-record-size-limit-asym dh-compute ecdh-compute \
-- sign-verify-deterministic
-+ sign-verify-deterministic iov
-
- if HAVE_SECCOMP_TESTS
- ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
-@@ -460,6 +460,10 @@ tls13_anti_replay_CPPFLAGS = $(AM_CPPFLAGS) \
- -I$(top_builddir)/gl \
- $(NETTLE_CFLAGS)
-
-+iov_CPPFLAGS = $(AM_CPPFLAGS) \
-+ -I$(top_srcdir)/gl \
-+ -I$(top_builddir)/gl
-+
- if ENABLE_PKCS11
- if !WINDOWS
- ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key
-diff --git a/tests/iov.c b/tests/iov.c
-new file mode 100644
-index 000000000..eda5583a7
---- /dev/null
-+++ b/tests/iov.c
-@@ -0,0 +1,170 @@
-+/*
-+ * Copyright (C) 2019 Red Hat, Inc.
-+ *
-+ * Author: Daiki Ueno
-+ *
-+ * This file is part of GnuTLS.
-+ *
-+ * GnuTLS is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * GnuTLS is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program. If not, see <https://www.gnu.org/licenses/>
-+ */
-+
-+#ifdef HAVE_CONFIG_H
-+#include <config.h>
-+#endif
-+
-+#include "gnutls_int.h"
-+#include "../lib/iov.h"
-+
-+#include "utils.h"
-+
-+struct exp_st {
-+ ssize_t ret;
-+ size_t iov_index;
-+ size_t iov_offset;
-+ size_t block_offset;
-+};
-+
-+struct test_st {
-+ const char *name;
-+ const giovec_t *iov;
-+ size_t iovcnt;
-+ size_t block_size;
-+ const struct exp_st *exp;
-+ size_t expcnt;
-+ size_t remaining;
-+};
-+
-+static const giovec_t iov16[] = {
-+ {(void *) "0123456789abcdef", 16},
-+ {(void *) "0123456789abcdef", 16},
-+ {(void *) "0123456789abcdef", 16},
-+ {(void *) "0123456789abcdef", 16}
-+};
-+
-+static const struct exp_st exp16_64[] = {
-+ {1, 3, 16, 0},
-+ {0, 0, 0, 0}
-+};
-+
-+static const struct exp_st exp16_32[] = {
-+ {1, 1, 16, 0},
-+ {1, 3, 16, 0},
-+ {0, 0, 0, 0}
-+};
-+
-+static const struct exp_st exp16_16[] = {
-+ {1, 1, 0, 0},
-+ {1, 2, 0, 0},
-+ {1, 3, 0, 0},
-+ {1, 4, 0, 0},
-+ {0, 0, 0, 0}
-+};
-+
-+static const struct exp_st exp16_4[] = {
-+ {4, 1, 0, 0},
-+ {4, 2, 0, 0},
-+ {4, 3, 0, 0},
-+ {4, 4, 0, 0},
-+ {0, 0, 0, 0}
-+};
-+
-+static const struct exp_st exp16_3[] = {
-+ {5, 0, 15, 0},
-+ {1, 1, 2, 0},
-+ {4, 1, 14, 0},
-+ {1, 2, 1, 0},
-+ {5, 3, 0, 0},
-+ {5, 3, 15, 0},
-+ {0, 0, 0, 1}
-+};
-+
-+static const giovec_t iov8[] = {
-+ {(void *) "01234567", 8},
-+ {(void *) "01234567", 8},
-+ {(void *) "01234567", 8},
-+ {(void *) "01234567", 8}
-+};
-+
-+static const struct exp_st exp8_64[] = {
-+ {0, 0, 0, 32}
-+};
-+
-+static const struct test_st tests[] = {
-+ { "16/64", iov16, sizeof(iov16)/sizeof(iov16[0]), 64,
-+ exp16_64, sizeof(exp16_64)/sizeof(exp16_64[0]), 0 },
-+ { "16/32", iov16, sizeof(iov16)/sizeof(iov16[0]), 32,
-+ exp16_32, sizeof(exp16_32)/sizeof(exp16_32[0]), 0 },
-+ { "16/16", iov16, sizeof(iov16)/sizeof(iov16[0]), 16,
-+ exp16_16, sizeof(exp16_16)/sizeof(exp16_16[0]), 0 },
-+ { "16/4", iov16, sizeof(iov16)/sizeof(iov16[0]), 4,
-+ exp16_4, sizeof(exp16_4)/sizeof(exp16_4[0]), 0 },
-+ { "16/3", iov16, sizeof(iov16)/sizeof(iov16[0]), 3,
-+ exp16_3, sizeof(exp16_3)/sizeof(exp16_3[0]), 1 },
-+ { "8/64", iov8, sizeof(iov8)/sizeof(iov8[0]), 64,
-+ exp8_64, sizeof(exp8_64)/sizeof(exp8_64[0]), 32 }
-+};
-+
-+void
-+doit (void)
-+{
-+ size_t i;
-+
-+ for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
-+ struct iov_iter_st iter;
-+ const struct exp_st *exp = tests[i].exp;
-+ uint8_t *data;
-+ size_t j;
-+
-+ success("%s\n", tests[i].name);
-+ assert(_gnutls_iov_iter_init(&iter,
-+ tests[i].iov, tests[i].iovcnt,
-+ tests[i].block_size) == 0);
-+ for (j = 0; j < tests[i].expcnt; j++) {
-+ ssize_t ret;
-+
-+ ret = _gnutls_iov_iter_next(&iter, &data);
-+ if (ret != exp[j].ret)
-+ fail("iov_iter_next: %d != %d\n",
-+ (int) ret, (int) exp[j].ret);
-+ else if (debug)
-+ success("iov_iter_next: %d == %d\n",
-+ (int) ret, (int) exp[j].ret);
-+ if (ret == 0)
-+ break;
-+ if (ret > 0) {
-+ if (iter.iov_index != exp[j].iov_index)
-+ fail("iter.iov_index: %u != %u\n",
-+ (unsigned) iter.iov_index, (unsigned) exp[j].iov_index);
-+ else if (debug)
-+ success("iter.iov_index: %u == %u\n",
-+ (unsigned) iter.iov_index, (unsigned) exp[j].iov_index);
-+ if (iter.iov_offset != exp[j].iov_offset)
-+ fail("iter.iov_offset: %u != %u\n",
-+ (unsigned) iter.iov_offset, (unsigned) exp[j].iov_offset);
-+ else if (debug)
-+ success("iter.iov_offset: %u == %u\n",
-+ (unsigned) iter.iov_offset, (unsigned) exp[j].iov_offset);
-+ if (iter.block_offset != exp[j].block_offset)
-+ fail("iter.block_offset: %u != %u\n",
-+ (unsigned) iter.block_offset, (unsigned) exp[j].block_offset);
-+ else if (debug)
-+ success("iter.block_offset: %u == %u\n",
-+ (unsigned) iter.block_offset, (unsigned) exp[j].block_offset);
-+ }
-+ }
-+ if (iter.block_offset != tests[i].remaining)
-+ fail("remaining: %u != %u\n",
-+ (unsigned) iter.block_offset, (unsigned) tests[i].remaining);
-+ }
-+}
---
-2.21.0
-
-
-From 9ca7a2b42168d356126e306e25211d43ea3c2e7d Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Thu, 1 Aug 2019 18:13:38 +0200
-Subject: [PATCH 2/3] crypto-api: use giovec_t iterator interface for
- aead_encryptv
-
-This replaces the macros AUTH_UPDATE and ENCRYPT used in
-gnutls_aead_cipher_encryptv() with the iov_iter interface.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/crypto-api.c | 167 ++++++++++++++++-------------------------------
- 1 file changed, 57 insertions(+), 110 deletions(-)
-
-diff --git a/lib/crypto-api.c b/lib/crypto-api.c
-index 8af3f3b7d..70107fed0 100644
---- a/lib/crypto-api.c
-+++ b/lib/crypto-api.c
-@@ -31,6 +31,7 @@
- #include <crypto.h>
- #include <fips.h>
- #include "crypto-api.h"
-+#include "iov.h"
-
- typedef struct api_cipher_hd_st {
- cipher_hd_st ctx_enc;
-@@ -916,98 +917,6 @@ static int copy_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
- }
- }
-
--#define AUTH_UPDATE_FINAL(ctx) do { \
-- if (index) { \
-- ret = _gnutls_cipher_auth(ctx, cache, index); \
-- if (unlikely(ret < 0)) \
-- return gnutls_assert_val(ret); \
-- } \
-- } while(0)
--
--#define AUTH_UPDATE(ctx, data, length) do { \
-- if (index) { \
-- ssize_t left = blocksize - index; \
-- if (length < left) { \
-- memcpy(cache+index, data, \
-- length); \
-- index += length; \
-- goto __update_done; \
-- } else { \
-- memcpy(cache+index, data, left); \
-- ret = _gnutls_cipher_auth(ctx, cache, blocksize); \
-- if (unlikely(ret < 0)) \
-- return gnutls_assert_val(ret); \
-- data += left; \
-- length -= left; \
-- } \
-- } \
-- if (length >= blocksize) { \
-- ssize_t to_proc = (length/blocksize)*blocksize; \
-- ret = _gnutls_cipher_auth(ctx, data, to_proc); \
-- if (unlikely(ret < 0)) \
-- return gnutls_assert_val(ret); \
-- data += to_proc; \
-- length -= to_proc; \
-- } \
-- if (length) \
-- memcpy(cache, data, length); \
-- index = length; \
-- __update_done: \
-- ; \
-- } while(0)
--
--#define ENCRYPT_FINAL(ctx, dst, dst_size) do { \
-- if (index) { \
-- if (unlikely(dst_size < (ssize_t)index)) \
-- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); \
-- ret = _gnutls_cipher_encrypt2(ctx, cache, index, dst, dst_size); \
-- if (unlikely(ret < 0)) \
-- return gnutls_assert_val(ret); \
-- dst += index; \
-- dst_size -= index; \
-- } \
-- } while(0)
--
--#define ENCRYPT(ctx, data, length, dst, dst_size) do { \
-- if (index) { \
-- ssize_t left = blocksize - index; \
-- if (length < left) { \
-- memcpy(cache+index, data, \
-- length); \
-- index += length; \
-- goto __encrypt_done; \
-- } else { \
-- if (unlikely(dst_size < blocksize)) \
-- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); \
-- memcpy(cache+index, data, left); \
-- ret = _gnutls_cipher_encrypt2(ctx, cache, blocksize, dst, dst_size); \
-- if (unlikely(ret < 0)) \
-- return gnutls_assert_val(ret); \
-- data += left; \
-- length -= left; \
-- dst += blocksize; \
-- dst_size -= blocksize; \
-- } \
-- } \
-- if (length >= blocksize) { \
-- ssize_t to_proc = (length/blocksize)*blocksize; \
-- if (unlikely(dst_size < to_proc)) \
-- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); \
-- ret = _gnutls_cipher_encrypt2(ctx, data, to_proc, dst, dst_size); \
-- if (unlikely(ret < 0)) \
-- return gnutls_assert_val(ret); \
-- data += to_proc; \
-- length -= to_proc; \
-- dst += to_proc; \
-- dst_size -= to_proc; \
-- } \
-- if (length) \
-- memcpy(cache, data, length); \
-- index = length; \
-- __encrypt_done: \
-- ; \
-- } while(0)
--
-
- /**
- * gnutls_aead_cipher_encryptv:
-@@ -1039,14 +948,13 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
- void *ctext, size_t *ctext_len)
- {
- api_aead_cipher_hd_st *h = handle;
-- int ret;
-+ ssize_t ret;
- uint8_t *dst;
-- ssize_t dst_size, total = 0, len;
-+ ssize_t dst_size, total = 0;
- uint8_t *p;
-- unsigned i;
-- uint8_t cache[MAX_CIPHER_BLOCK_SIZE];
-- unsigned index;
- ssize_t blocksize = handle->ctx_enc.e->blocksize;
-+ struct iov_iter_st iter;
-+ size_t blocks;
-
- /* Limitation: this function provides an optimization under the internally registered
- * AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(),
-@@ -1088,25 +996,64 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
-
-- index = 0;
-- for (i = 0; i < (unsigned)auth_iovcnt; i++) {
-- p = auth_iov[i].iov_base;
-- len = auth_iov[i].iov_len;
-- AUTH_UPDATE(&handle->ctx_enc, p, len);
-+ ret = _gnutls_iov_iter_init(&iter, auth_iov, auth_iovcnt, blocksize);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ while (1) {
-+ ret = _gnutls_iov_iter_next(&iter, &p);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ if (ret == 0)
-+ break;
-+ blocks = ret;
-+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
-+ blocksize * blocks);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+ if (iter.block_offset > 0) {
-+ ret = _gnutls_cipher_auth(&handle->ctx_enc,
-+ iter.block, iter.block_offset);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
- }
-- AUTH_UPDATE_FINAL(&handle->ctx_enc);
-
- dst = ctext;
- dst_size = *ctext_len;
-
-- index = 0;
-- for (i = 0; i < (unsigned)iovcnt; i++) {
-- p = iov[i].iov_base;
-- len = iov[i].iov_len;
-- ENCRYPT(&handle->ctx_enc, p, len, dst, dst_size);
-- total += iov[i].iov_len;
-+ ret = _gnutls_iov_iter_init(&iter, iov, iovcnt, blocksize);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ while (1) {
-+ ret = _gnutls_iov_iter_next(&iter, &p);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ if (ret == 0)
-+ break;
-+ blocks = ret;
-+ if (unlikely((size_t) dst_size < blocksize * blocks))
-+ return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
-+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p,
-+ blocksize * blocks,
-+ dst, dst_size);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ DECR_LEN(dst_size, blocksize * blocks);
-+ dst += blocksize * blocks;
-+ total += blocksize * blocks;
-+ }
-+ if (iter.block_offset > 0) {
-+ if (unlikely((size_t) dst_size < iter.block_offset))
-+ return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
-+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
-+ iter.block, iter.block_offset,
-+ dst, dst_size);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ DECR_LEN(dst_size, iter.block_offset);
-+ dst += iter.block_offset;
-+ total += iter.block_offset;
- }
-- ENCRYPT_FINAL(&handle->ctx_enc, dst, dst_size);
-
- if ((size_t)dst_size < tag_size)
- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
---
-2.21.0
-
-
-From d230011cdbbe55f429b43d818c75c8f6687cbc78 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Fri, 2 Aug 2019 07:40:44 +0200
-Subject: [PATCH 3/3] crypto-api: add gnutls_aead_cipher_{en,de}cryptv2
-
-This adds an in-place equivalent of gnutls_aead_cipher_encrypt() and
-gnutls_aead_cipher_decrypt(), that works on data buffers.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- .gitignore | 1 +
- NEWS | 7 +
- devel/libgnutls-latest-x86_64.abi | 26 +++
- devel/symbols.last | 3 +
- doc/Makefile.am | 4 +
- doc/manpages/Makefile.am | 2 +
- lib/crypto-api.c | 356 +++++++++++++++++++++++++++++-
- lib/includes/gnutls/crypto.h | 14 ++
- lib/libgnutls.map | 7 +
- tests/Makefile.am | 2 +-
- tests/aead-cipher-vec.c | 123 +++++++++++
- 11 files changed, 541 insertions(+), 4 deletions(-)
- create mode 100644 tests/aead-cipher-vec.c
-
-diff --git a/doc/Makefile.am b/doc/Makefile.am
-index 6d21d7482..add63c23d 100644
---- a/doc/Makefile.am
-+++ b/doc/Makefile.am
-@@ -635,12 +635,16 @@ FUNCS += functions/dane_verify_session_crt
- FUNCS += functions/dane_verify_session_crt.short
- FUNCS += functions/gnutls_aead_cipher_decrypt
- FUNCS += functions/gnutls_aead_cipher_decrypt.short
-+FUNCS += functions/gnutls_aead_cipher_decryptv2
-+FUNCS += functions/gnutls_aead_cipher_decryptv2.short
- FUNCS += functions/gnutls_aead_cipher_deinit
- FUNCS += functions/gnutls_aead_cipher_deinit.short
- FUNCS += functions/gnutls_aead_cipher_encrypt
- FUNCS += functions/gnutls_aead_cipher_encrypt.short
- FUNCS += functions/gnutls_aead_cipher_encryptv
- FUNCS += functions/gnutls_aead_cipher_encryptv.short
-+FUNCS += functions/gnutls_aead_cipher_encryptv2
-+FUNCS += functions/gnutls_aead_cipher_encryptv2.short
- FUNCS += functions/gnutls_aead_cipher_init
- FUNCS += functions/gnutls_aead_cipher_init.short
- FUNCS += functions/gnutls_alert_get
-diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
-index d06c18013..ee855adf3 100644
---- a/doc/manpages/Makefile.am
-+++ b/doc/manpages/Makefile.am
-@@ -119,9 +119,11 @@ APIMANS += dane_verify_crt.3
- APIMANS += dane_verify_crt_raw.3
- APIMANS += dane_verify_session_crt.3
- APIMANS += gnutls_aead_cipher_decrypt.3
-+APIMANS += gnutls_aead_cipher_decryptv2.3
- APIMANS += gnutls_aead_cipher_deinit.3
- APIMANS += gnutls_aead_cipher_encrypt.3
- APIMANS += gnutls_aead_cipher_encryptv.3
-+APIMANS += gnutls_aead_cipher_encryptv2.3
- APIMANS += gnutls_aead_cipher_init.3
- APIMANS += gnutls_alert_get.3
- APIMANS += gnutls_alert_get_name.3
-diff --git a/lib/crypto-api.c b/lib/crypto-api.c
-index 70107fed0..2834c0199 100644
---- a/lib/crypto-api.c
-+++ b/lib/crypto-api.c
-@@ -885,7 +885,26 @@ static void iov_store_free(struct iov_store_st *s)
- }
- }
-
--static int copy_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
-+static int iov_store_grow(struct iov_store_st *s, size_t length)
-+{
-+ if (s->allocated || s->data == NULL) {
-+ s->size += length;
-+ s->data = gnutls_realloc(s->data, s->size);
-+ if (s->data == NULL)
-+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-+ s->allocated = 1;
-+ } else {
-+ void *data = s->data;
-+ size_t size = s->size + length;
-+ s->data = gnutls_malloc(size);
-+ memcpy(s->data, data, s->size);
-+ s->size += length;
-+ }
-+ return 0;
-+}
-+
-+static int
-+copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
- {
- memset(dst, 0, sizeof(*dst));
- if (iovcnt == 0) {
-@@ -917,6 +936,27 @@ static int copy_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt)
- }
- }
-
-+static int
-+copy_to_iov(struct iov_store_st *src, size_t size,
-+ const giovec_t *iov, int iovcnt)
-+{
-+ size_t offset = 0;
-+ int i;
-+
-+ if (unlikely(src->size < size))
-+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+
-+ for (i = 0; i < iovcnt && size > 0; i++) {
-+ size_t to_copy = MIN(size, iov[i].iov_len);
-+ memcpy(iov[i].iov_base, (uint8_t *) src->data + offset, to_copy);
-+ offset += to_copy;
-+ size -= to_copy;
-+ }
-+ if (size > 0)
-+ return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
-+ return 0;
-+}
-+
-
- /**
- * gnutls_aead_cipher_encryptv:
-@@ -971,11 +1011,11 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
- struct iov_store_st auth;
- struct iov_store_st ptext;
-
-- ret = copy_iov(&auth, auth_iov, auth_iovcnt);
-+ ret = copy_from_iov(&auth, auth_iov, auth_iovcnt);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
-- ret = copy_iov(&ptext, iov, iovcnt);
-+ ret = copy_from_iov(&ptext, iov, iovcnt);
- if (ret < 0) {
- iov_store_free(&auth);
- return gnutls_assert_val(ret);
-@@ -1066,6 +1106,316 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
- return 0;
- }
-
-+/**
-+ * gnutls_aead_cipher_encryptv2:
-+ * @handle: is a #gnutls_aead_cipher_hd_t type.
-+ * @nonce: the nonce to set
-+ * @nonce_len: The length of the nonce
-+ * @auth_iov: additional data to be authenticated
-+ * @auth_iovcnt: The number of buffers in @auth_iov
-+ * @iov: the data to be encrypted
-+ * @iovcnt: The number of buffers in @iov
-+ * @tag: The authentication tag
-+ * @tag_size: The size of the tag to use (use zero for the default)
-+ *
-+ * This is similar to gnutls_aead_cipher_encrypt(), but it performs
-+ * in-place encryption on the provided data buffers.
-+ *
-+ * Returns: Zero or a negative error code on error.
-+ *
-+ * Since: 3.6.10
-+ **/
-+int
-+gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
-+ const void *nonce, size_t nonce_len,
-+ const giovec_t *auth_iov, int auth_iovcnt,
-+ const giovec_t *iov, int iovcnt,
-+ void *tag, size_t *tag_size)
-+{
-+ api_aead_cipher_hd_st *h = handle;
-+ ssize_t ret;
-+ uint8_t *p;
-+ ssize_t blocksize = handle->ctx_enc.e->blocksize;
-+ struct iov_iter_st iter;
-+ size_t blocks;
-+ size_t _tag_size;
-+
-+ if (tag_size == NULL || *tag_size == 0)
-+ _tag_size = _gnutls_cipher_get_tag_size(h->ctx_enc.e);
-+ else
-+ _tag_size = *tag_size;
-+
-+ if (_tag_size > (unsigned)_gnutls_cipher_get_tag_size(h->ctx_enc.e))
-+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+
-+ /* Limitation: this function provides an optimization under the internally registered
-+ * AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(),
-+ * then this becomes a convenience function as it missed the lower-level primitives
-+ * necessary for piecemeal encryption. */
-+ if (handle->ctx_enc.e->only_aead || handle->ctx_enc.encrypt == NULL) {
-+ /* ciphertext cannot be produced in a piecemeal approach */
-+ struct iov_store_st auth;
-+ struct iov_store_st ptext;
-+ size_t ptext_size;
-+
-+ ret = copy_from_iov(&auth, auth_iov, auth_iovcnt);
-+ if (ret < 0)
-+ return gnutls_assert_val(ret);
-+
-+ ret = copy_from_iov(&ptext, iov, iovcnt);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ ptext_size = ptext.size;
-+
-+ /* append space for tag */
-+ ret = iov_store_grow(&ptext, _tag_size);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ ret = gnutls_aead_cipher_encrypt(handle, nonce, nonce_len,
-+ auth.data, auth.size,
-+ _tag_size,
-+ ptext.data, ptext_size,
-+ ptext.data, &ptext.size);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ ret = copy_to_iov(&ptext, ptext_size, iov, iovcnt);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ if (tag != NULL)
-+ memcpy(tag,
-+ (uint8_t *) ptext.data + ptext_size,
-+ _tag_size);
-+ if (tag_size != NULL)
-+ *tag_size = _tag_size;
-+
-+ fallback_fail:
-+ iov_store_free(&auth);
-+ iov_store_free(&ptext);
-+
-+ return ret;
-+ }
-+
-+ ret = _gnutls_cipher_setiv(&handle->ctx_enc, nonce, nonce_len);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+
-+ ret = _gnutls_iov_iter_init(&iter, auth_iov, auth_iovcnt, blocksize);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ while (1) {
-+ ret = _gnutls_iov_iter_next(&iter, &p);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ if (ret == 0)
-+ break;
-+ blocks = ret;
-+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
-+ blocksize * blocks);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+ if (iter.block_offset > 0) {
-+ ret = _gnutls_cipher_auth(&handle->ctx_enc,
-+ iter.block, iter.block_offset);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+
-+ ret = _gnutls_iov_iter_init(&iter, iov, iovcnt, blocksize);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ while (1) {
-+ ret = _gnutls_iov_iter_next(&iter, &p);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ if (ret == 0)
-+ break;
-+ blocks = ret;
-+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
-+ p, blocksize * blocks,
-+ p, blocksize * blocks);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+ if (iter.block_offset > 0) {
-+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
-+ iter.block, iter.block_offset,
-+ iter.block, iter.block_offset);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+
-+ if (tag != NULL)
-+ _gnutls_cipher_tag(&handle->ctx_enc, tag, _tag_size);
-+ if (tag_size != NULL)
-+ *tag_size = _tag_size;
-+
-+ return 0;
-+}
-+
-+/**
-+ * gnutls_aead_cipher_decryptv2:
-+ * @handle: is a #gnutls_aead_cipher_hd_t type.
-+ * @nonce: the nonce to set
-+ * @nonce_len: The length of the nonce
-+ * @auth_iov: additional data to be authenticated
-+ * @auth_iovcnt: The number of buffers in @auth_iov
-+ * @iov: the data to decrypt
-+ * @iovcnt: The number of buffers in @iov
-+ * @tag: The authentication tag
-+ * @tag_size: The size of the tag to use (use zero for the default)
-+ *
-+ * This is similar to gnutls_aead_cipher_decrypt(), but it performs
-+ * in-place encryption on the provided data buffers.
-+ *
-+ * Returns: Zero or a negative error code on error.
-+ *
-+ * Since: 3.6.10
-+ **/
-+int
-+gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
-+ const void *nonce, size_t nonce_len,
-+ const giovec_t *auth_iov, int auth_iovcnt,
-+ const giovec_t *iov, int iovcnt,
-+ void *tag, size_t tag_size)
-+{
-+ api_aead_cipher_hd_st *h = handle;
-+ ssize_t ret;
-+ uint8_t *p;
-+ ssize_t blocksize = handle->ctx_enc.e->blocksize;
-+ struct iov_iter_st iter;
-+ size_t blocks;
-+ uint8_t _tag[MAX_HASH_SIZE];
-+
-+ if (tag_size == 0)
-+ tag_size = _gnutls_cipher_get_tag_size(h->ctx_enc.e);
-+ else if (tag_size > (unsigned)_gnutls_cipher_get_tag_size(h->ctx_enc.e))
-+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+
-+ /* Limitation: this function provides an optimization under the internally registered
-+ * AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(),
-+ * then this becomes a convenience function as it missed the lower-level primitives
-+ * necessary for piecemeal encryption. */
-+ if (handle->ctx_enc.e->only_aead || handle->ctx_enc.encrypt == NULL) {
-+ /* ciphertext cannot be produced in a piecemeal approach */
-+ struct iov_store_st auth;
-+ struct iov_store_st ctext;
-+ size_t ctext_size;
-+
-+ ret = copy_from_iov(&auth, auth_iov, auth_iovcnt);
-+ if (ret < 0)
-+ return gnutls_assert_val(ret);
-+
-+ ret = copy_from_iov(&ctext, iov, iovcnt);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ ctext_size = ctext.size;
-+
-+ /* append tag */
-+ ret = iov_store_grow(&ctext, tag_size);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+ memcpy((uint8_t *) ctext.data + ctext_size, tag, tag_size);
-+
-+ ret = gnutls_aead_cipher_decrypt(handle, nonce, nonce_len,
-+ auth.data, auth.size,
-+ tag_size,
-+ ctext.data, ctext.size,
-+ ctext.data, &ctext_size);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ ret = copy_to_iov(&ctext, ctext_size, iov, iovcnt);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ fallback_fail:
-+ iov_store_free(&auth);
-+ iov_store_free(&ctext);
-+
-+ return ret;
-+ }
-+
-+ ret = _gnutls_cipher_setiv(&handle->ctx_enc, nonce, nonce_len);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+
-+ ret = _gnutls_iov_iter_init(&iter, auth_iov, auth_iovcnt, blocksize);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ while (1) {
-+ ret = _gnutls_iov_iter_next(&iter, &p);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ if (ret == 0)
-+ break;
-+ blocks = ret;
-+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
-+ blocksize * blocks);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+ if (iter.block_offset > 0) {
-+ ret = _gnutls_cipher_auth(&handle->ctx_enc,
-+ iter.block, iter.block_offset);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+
-+ ret = _gnutls_iov_iter_init(&iter, iov, iovcnt, blocksize);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ while (1) {
-+ ret = _gnutls_iov_iter_next(&iter, &p);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ if (ret == 0)
-+ break;
-+ blocks = ret;
-+ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc,
-+ p, blocksize * blocks,
-+ p, blocksize * blocks);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+ if (iter.block_offset > 0) {
-+ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc,
-+ iter.block, iter.block_offset,
-+ iter.block, iter.block_offset);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+
-+ if (tag != NULL) {
-+ _gnutls_cipher_tag(&handle->ctx_enc, _tag, tag_size);
-+ if (gnutls_memcmp(_tag, tag, tag_size) != 0)
-+ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
-+ }
-+
-+ return 0;
-+}
-+
- /**
- * gnutls_aead_cipher_deinit:
- * @handle: is a #gnutls_aead_cipher_hd_t type.
-diff --git a/lib/includes/gnutls/crypto.h b/lib/includes/gnutls/crypto.h
-index d2b8cae8f..4d4926c86 100644
---- a/lib/includes/gnutls/crypto.h
-+++ b/lib/includes/gnutls/crypto.h
-@@ -92,6 +92,20 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
- const giovec_t *iov, int iovcnt,
- void *ctext, size_t *ctext_len);
-
-+int
-+gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
-+ const void *nonce, size_t nonce_len,
-+ const giovec_t *auth_iov, int auth_iovcnt,
-+ const giovec_t *iov, int iovcnt,
-+ void *tag, size_t *tag_size);
-+
-+int
-+gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
-+ const void *nonce, size_t nonce_len,
-+ const giovec_t *auth_iov, int auth_iovcnt,
-+ const giovec_t *iov, int iovcnt,
-+ void *tag, size_t tag_size);
-+
- void gnutls_aead_cipher_deinit(gnutls_aead_cipher_hd_t handle);
-
- /* Hash - MAC API */
-diff --git a/lib/libgnutls.map b/lib/libgnutls.map
-index fc93c0857..f83a21e9b 100644
---- a/lib/libgnutls.map
-+++ b/lib/libgnutls.map
-@@ -1286,6 +1286,13 @@ GNUTLS_3_6_8
- gnutls_ffdhe_8192_group_q;
- } GNUTLS_3_6_6;
-
-+GNUTLS_3_6_10
-+{
-+ global:
-+ gnutls_aead_cipher_encryptv2;
-+ gnutls_aead_cipher_decryptv2;
-+} GNUTLS_3_6_8;
-+
- GNUTLS_FIPS140_3_4 {
- global:
- gnutls_cipher_self_test;
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index a2883570f..075c2728f 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm
- null_retrieve_function tls-record-size-limit tls-crt_type-neg \
- resume-with-stek-expiration resume-with-previous-stek rawpk-api \
- tls-record-size-limit-asym dh-compute ecdh-compute \
-- sign-verify-deterministic iov
-+ sign-verify-deterministic iov aead-cipher-vec
-
- if HAVE_SECCOMP_TESTS
- ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
-diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c
-new file mode 100644
-index 000000000..6c2542cf1
---- /dev/null
-+++ b/tests/aead-cipher-vec.c
-@@ -0,0 +1,123 @@
-+/*
-+ * Copyright (C) 2019 Red Hat, Inc.
-+ *
-+ * Author: Daiki Ueno
-+ *
-+ * This file is part of GnuTLS.
-+ *
-+ * GnuTLS is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * GnuTLS is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program. If not, see <https://www.gnu.org/licenses/>
-+ */
-+
-+#ifdef HAVE_CONFIG_H
-+#include <config.h>
-+#endif
-+
-+#include <gnutls/crypto.h>
-+
-+#include <assert.h>
-+#include <stdint.h>
-+#include <string.h>
-+#include "utils.h"
-+
-+static void tls_log_func(int level, const char *str)
-+{
-+ fprintf(stderr, "<%d>| %s", level, str);
-+}
-+
-+/* Test whether gnutls_aead_cipher_{en,de}crypt_vec works */
-+static void start(const char *name, int algo)
-+{
-+ int ret;
-+ gnutls_aead_cipher_hd_t ch;
-+ uint8_t key16[64];
-+ uint8_t iv16[32];
-+ uint8_t auth[128];
-+ uint8_t data[128+64];
-+ gnutls_datum_t key, iv;
-+ giovec_t iov[2];
-+ giovec_t auth_iov[2];
-+ uint8_t tag[64];
-+ size_t tag_size = 0;
-+
-+ key.data = key16;
-+ key.size = gnutls_cipher_get_key_size(algo);
-+ assert(key.size <= sizeof(key16));
-+
-+ iv.data = iv16;
-+ iv.size = gnutls_cipher_get_iv_size(algo);
-+ assert(iv.size <= sizeof(iv16));
-+
-+ memset(iv.data, 0xff, iv.size);
-+ memset(key.data, 0xfe, key.size);
-+ memset(data, 0xfa, 128);
-+ memset(auth, 0xaa, sizeof(auth));
-+
-+ iov[0].iov_base = data;
-+ iov[0].iov_len = 64;
-+ iov[1].iov_base = data + 64;
-+ iov[1].iov_len = 64;
-+
-+ auth_iov[0].iov_base = auth;
-+ auth_iov[0].iov_len = 64;
-+ auth_iov[1].iov_base = auth + 64;
-+ auth_iov[1].iov_len = 64;
-+
-+ success("trying %s\n", name);
-+
-+ ret =
-+ gnutls_aead_cipher_init(&ch, algo, &key);
-+ if (ret < 0)
-+ fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret));
-+
-+ ret = gnutls_aead_cipher_encryptv2(ch,
-+ iv.data, iv.size,
-+ auth_iov, 2,
-+ iov, 2,
-+ tag, &tag_size);
-+ if (ret < 0)
-+ fail("could not encrypt data: %s\n", gnutls_strerror(ret));
-+
-+ ret = gnutls_aead_cipher_decryptv2(ch,
-+ iv.data, iv.size,
-+ auth_iov, 2,
-+ iov, 2,
-+ tag, tag_size);
-+ if (ret < 0)
-+ fail("could not decrypt data: %s\n", gnutls_strerror(ret));
-+
-+ gnutls_aead_cipher_deinit(ch);
-+}
-+
-+void
-+doit(void)
-+{
-+ int ret;
-+
-+ gnutls_global_set_log_function(tls_log_func);
-+ if (debug)
-+ gnutls_global_set_log_level(4711);
-+
-+ ret = global_init();
-+ if (ret < 0) {
-+ fail("Cannot initialize library\n"); /*errcode 1 */
-+ }
-+
-+ start("aes-128-gcm", GNUTLS_CIPHER_AES_128_GCM);
-+ start("aes-256-gcm", GNUTLS_CIPHER_AES_256_GCM);
-+ start("aes-128-ccm", GNUTLS_CIPHER_AES_128_CCM);
-+ if (!gnutls_fips140_mode_enabled())
-+ start("chacha20-poly1305", GNUTLS_CIPHER_CHACHA20_POLY1305);
-+
-+ gnutls_global_deinit();
-+}
---
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8-decr-len.patch b/SOURCES/gnutls-3.6.8-decr-len.patch
deleted file mode 100644
index 30272a1..0000000
--- a/SOURCES/gnutls-3.6.8-decr-len.patch
+++ /dev/null
@@ -1,687 +0,0 @@
-From e0fe31f1fc2ba13ada1d6bc35231847b75be4ee9 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Thu, 8 Aug 2019 18:02:08 +0200
-Subject: [PATCH 1/2] gnutls_int.h: make DECR_LEN neutral to signedness
-
-DECR_LEN was previously implemented in a way that it first decrements
-the given length and then checks whether the result is negative. This
-requires the caller to properly coerce the length argument to a signed
-integer, before invoking the macro.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/gnutls_int.h | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
-index 179d71b4a..7f7b6a7c9 100644
---- a/lib/gnutls_int.h
-+++ b/lib/gnutls_int.h
-@@ -256,14 +256,15 @@ typedef enum record_send_state_t {
-
- #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y))
-
--#define DECR_LEN(len, x) do { len-=x; if (len<0) {gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;} } while (0)
-+#define DECR_LEN(len, x) DECR_LENGTH_RET(len, x, GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
- #define DECR_LEN_FINAL(len, x) do { \
-- len-=x; \
-- if (len != 0) \
-+ if (len != x) \
- return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); \
-+ else \
-+ len = 0; \
- } while (0)
--#define DECR_LENGTH_RET(len, x, RET) do { len-=x; if (len<0) {gnutls_assert(); return RET;} } while (0)
--#define DECR_LENGTH_COM(len, x, COM) do { len-=x; if (len<0) {gnutls_assert(); COM;} } while (0)
-+#define DECR_LENGTH_RET(len, x, RET) DECR_LENGTH_COM(len, x, return RET)
-+#define DECR_LENGTH_COM(len, x, COM) do { if (len<x) {gnutls_assert(); COM;} else len-=x; } while (0)
-
- #define GNUTLS_POINTER_TO_INT(_) ((int) GNUTLS_POINTER_TO_INT_CAST (_))
- #define GNUTLS_INT_TO_POINTER(_) ((void*) GNUTLS_POINTER_TO_INT_CAST (_))
---
-2.21.0
-
-
-From 5e9b2ec29449c76b1b938a0ebf0dc9b92cae7057 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Thu, 8 Aug 2019 18:04:18 +0200
-Subject: [PATCH 2/2] lib/*: remove unnecessary cast to ssize_t
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/crypto-api.c | 10 +++++-----
- lib/ext/alpn.c | 3 +--
- lib/ext/client_cert_type.c | 9 ++++-----
- lib/ext/cookie.c | 5 ++---
- lib/ext/ec_point_formats.c | 7 +++----
- lib/ext/key_share.c | 5 ++---
- lib/ext/max_record.c | 3 +--
- lib/ext/psk_ke_modes.c | 3 +--
- lib/ext/record_size_limit.c | 3 +--
- lib/ext/safe_renegotiation.c | 3 +--
- lib/ext/server_cert_type.c | 9 ++++-----
- lib/ext/server_name.c | 3 +--
- lib/ext/session_ticket.c | 5 ++---
- lib/ext/signature.c | 3 +--
- lib/ext/srp.c | 3 +--
- lib/ext/srtp.c | 5 ++---
- lib/ext/status_request.c | 3 +--
- lib/ext/supported_groups.c | 3 +--
- lib/ext/supported_versions.c | 5 ++---
- lib/extv.c | 8 ++++----
- lib/sslv2_compat.c | 3 +--
- lib/supplemental.c | 4 ++--
- lib/tls13/certificate.c | 21 +++++++++++----------
- lib/tls13/psk_ext_parser.c | 4 +---
- lib/tls13/psk_ext_parser.h | 4 ++--
- lib/tls13/session_ticket.c | 2 +-
- 26 files changed, 58 insertions(+), 78 deletions(-)
-
-diff --git a/lib/crypto-api.c b/lib/crypto-api.c
-index 2834c0199..09b3d7bfc 100644
---- a/lib/crypto-api.c
-+++ b/lib/crypto-api.c
-@@ -990,9 +990,9 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
- api_aead_cipher_hd_st *h = handle;
- ssize_t ret;
- uint8_t *dst;
-- ssize_t dst_size, total = 0;
-+ size_t dst_size, total = 0;
- uint8_t *p;
-- ssize_t blocksize = handle->ctx_enc.e->blocksize;
-+ size_t blocksize = handle->ctx_enc.e->blocksize;
- struct iov_iter_st iter;
- size_t blocks;
-
-@@ -1071,7 +1071,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
- if (ret == 0)
- break;
- blocks = ret;
-- if (unlikely((size_t) dst_size < blocksize * blocks))
-+ if (unlikely(dst_size < blocksize * blocks))
- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p,
- blocksize * blocks,
-@@ -1083,7 +1083,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
- total += blocksize * blocks;
- }
- if (iter.block_offset > 0) {
-- if (unlikely((size_t) dst_size < iter.block_offset))
-+ if (unlikely(dst_size < iter.block_offset))
- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
- iter.block, iter.block_offset,
-@@ -1095,7 +1095,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
- total += iter.block_offset;
- }
-
-- if ((size_t)dst_size < tag_size)
-+ if (dst_size < tag_size)
- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
-
- _gnutls_cipher_tag(&handle->ctx_enc, dst, tag_size);
-diff --git a/lib/ext/alpn.c b/lib/ext/alpn.c
-index 34f6ce09d..b9991f0a1 100644
---- a/lib/ext/alpn.c
-+++ b/lib/ext/alpn.c
-@@ -51,13 +51,12 @@ const hello_ext_entry_st ext_mod_alpn = {
-
- static int
- _gnutls_alpn_recv_params(gnutls_session_t session,
-- const uint8_t * data, size_t _data_size)
-+ const uint8_t * data, size_t data_size)
- {
- unsigned int i;
- int ret;
- const uint8_t *p = data;
- unsigned len1, len;
-- ssize_t data_size = _data_size;
- alpn_ext_st *priv;
- gnutls_ext_priv_data_t epriv;
- int selected_protocol_index;
-diff --git a/lib/ext/client_cert_type.c b/lib/ext/client_cert_type.c
-index 471d42c5f..b627b71f9 100644
---- a/lib/ext/client_cert_type.c
-+++ b/lib/ext/client_cert_type.c
-@@ -73,7 +73,6 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session,
- gnutls_certificate_type_t cert_type;
-
- uint8_t i, found = 0;
-- ssize_t len = data_size;
- const uint8_t* pdata = data;
-
- /* Only activate this extension if we have cert credentials set
-@@ -86,7 +85,7 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session,
-
- /* Compare packet length with expected packet length. For the
- * client this is a single byte. */
-- if (len != 1) {
-+ if (data_size != 1) {
- return
- gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
- }
-@@ -136,8 +135,8 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session,
-
- } else { // server mode
- // Compare packet length with expected packet length.
-- DECR_LEN(len, 1);
-- if (data[0] != len) {
-+ DECR_LEN(data_size, 1);
-+ if (data[0] != data_size) {
- return
- gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
- }
-@@ -145,7 +144,7 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session,
-
- // Assign the contents of our data buffer to a gnutls_datum_t
- cert_types.data = (uint8_t*)pdata; // Need casting to get rid of 'discards const qualifier' warning
-- cert_types.size = len;
-+ cert_types.size = data_size;
-
- // Store the client certificate types in our session
- _gnutls_hello_ext_set_datum(session,
-diff --git a/lib/ext/cookie.c b/lib/ext/cookie.c
-index 1e66c3d49..0feb2f0e5 100644
---- a/lib/ext/cookie.c
-+++ b/lib/ext/cookie.c
-@@ -53,10 +53,9 @@ const hello_ext_entry_st ext_mod_cookie = {
- /* Only client sends this extension. */
- static int
- cookie_recv_params(gnutls_session_t session,
-- const uint8_t * data, size_t _data_size)
-+ const uint8_t * data, size_t data_size)
- {
-- ssize_t data_size = _data_size;
-- ssize_t csize;
-+ size_t csize;
- int ret;
- gnutls_datum_t tmp;
-
-diff --git a/lib/ext/ec_point_formats.c b/lib/ext/ec_point_formats.c
-index eb59ec139..c702d434c 100644
---- a/lib/ext/ec_point_formats.c
-+++ b/lib/ext/ec_point_formats.c
-@@ -57,11 +57,10 @@ const hello_ext_entry_st ext_mod_supported_ec_point_formats = {
- static int
- _gnutls_supported_ec_point_formats_recv_params(gnutls_session_t session,
- const uint8_t * data,
-- size_t _data_size)
-+ size_t data_size)
- {
-- int len, i;
-+ size_t len, i;
- int uncompressed = 0;
-- int data_size = _data_size;
-
- if (session->security_parameters.entity == GNUTLS_CLIENT) {
- if (data_size < 1)
-@@ -91,7 +90,7 @@ _gnutls_supported_ec_point_formats_recv_params(gnutls_session_t session,
- /* only sanity check here. We only support uncompressed points
- * and a client must support it thus nothing to check.
- */
-- if (_data_size < 1)
-+ if (data_size < 1)
- return
- gnutls_assert_val
- (GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION);
-diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
-index 599eff8fb..8f0912e69 100644
---- a/lib/ext/key_share.c
-+++ b/lib/ext/key_share.c
-@@ -504,11 +504,10 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
-
- static int
- key_share_recv_params(gnutls_session_t session,
-- const uint8_t * data, size_t _data_size)
-+ const uint8_t * data, size_t data_size)
- {
- int ret;
-- ssize_t data_size = _data_size;
-- ssize_t size;
-+ size_t size;
- unsigned gid;
- const version_entry_st *ver;
- const gnutls_group_entry_st *group;
-diff --git a/lib/ext/max_record.c b/lib/ext/max_record.c
-index dbb98cf62..3cada69be 100644
---- a/lib/ext/max_record.c
-+++ b/lib/ext/max_record.c
-@@ -65,10 +65,9 @@ const hello_ext_entry_st ext_mod_max_record_size = {
-
- static int
- _gnutls_max_record_recv_params(gnutls_session_t session,
-- const uint8_t * data, size_t _data_size)
-+ const uint8_t * data, size_t data_size)
- {
- ssize_t new_size;
-- ssize_t data_size = _data_size;
-
- if (session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_NEGOTIATED)
- return 0;
-diff --git a/lib/ext/psk_ke_modes.c b/lib/ext/psk_ke_modes.c
-index da7a55098..8d8effb43 100644
---- a/lib/ext/psk_ke_modes.c
-+++ b/lib/ext/psk_ke_modes.c
-@@ -106,10 +106,9 @@ psk_ke_modes_send_params(gnutls_session_t session,
- */
- static int
- psk_ke_modes_recv_params(gnutls_session_t session,
-- const unsigned char *data, size_t _len)
-+ const unsigned char *data, size_t len)
- {
- uint8_t ke_modes_len;
-- ssize_t len = _len;
- const version_entry_st *vers = get_version(session);
- gnutls_psk_server_credentials_t cred;
- int dhpsk_pos = MAX_POS;
-diff --git a/lib/ext/record_size_limit.c b/lib/ext/record_size_limit.c
-index e9fe6a1d8..0e94fece3 100644
---- a/lib/ext/record_size_limit.c
-+++ b/lib/ext/record_size_limit.c
-@@ -48,10 +48,9 @@ const hello_ext_entry_st ext_mod_record_size_limit = {
-
- static int
- _gnutls_record_size_limit_recv_params(gnutls_session_t session,
-- const uint8_t * data, size_t _data_size)
-+ const uint8_t * data, size_t data_size)
- {
- ssize_t new_size;
-- ssize_t data_size = _data_size;
- const version_entry_st *vers;
-
- DECR_LEN(data_size, 2);
-diff --git a/lib/ext/safe_renegotiation.c b/lib/ext/safe_renegotiation.c
-index 6424f45b5..bb4a57e45 100644
---- a/lib/ext/safe_renegotiation.c
-+++ b/lib/ext/safe_renegotiation.c
-@@ -265,10 +265,9 @@ int _gnutls_ext_sr_send_cs(gnutls_session_t session)
-
- static int
- _gnutls_sr_recv_params(gnutls_session_t session,
-- const uint8_t * data, size_t _data_size)
-+ const uint8_t * data, size_t data_size)
- {
- unsigned int len;
-- ssize_t data_size = _data_size;
- sr_ext_st *priv;
- gnutls_ext_priv_data_t epriv;
- int set = 0, ret;
-diff --git a/lib/ext/server_cert_type.c b/lib/ext/server_cert_type.c
-index dbcb3971b..864a44bbc 100644
---- a/lib/ext/server_cert_type.c
-+++ b/lib/ext/server_cert_type.c
-@@ -73,7 +73,6 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session,
- gnutls_certificate_type_t cert_type;
-
- uint8_t i, found = 0;
-- ssize_t len = data_size;
- const uint8_t* pdata = data;
-
- /* Only activate this extension if we have cert credentials set
-@@ -86,7 +85,7 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session,
-
- /* Compare packet length with expected packet length. For the
- * client this is a single byte. */
-- if (len != 1) {
-+ if (data_size != 1) {
- return
- gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
- }
-@@ -135,8 +134,8 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session,
-
- } else { // server mode
- // Compare packet length with expected packet length.
-- DECR_LEN(len, 1);
-- if (data[0] != len) {
-+ DECR_LEN(data_size, 1);
-+ if (data[0] != data_size) {
- return
- gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
- }
-@@ -144,7 +143,7 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session,
-
- // Assign the contents of our data buffer to a gnutls_datum_t
- cert_types.data = (uint8_t*)pdata; // Need casting to get rid of 'discards const qualifier' warning
-- cert_types.size = len;
-+ cert_types.size = data_size;
-
- // Store the server certificate types in our session
- _gnutls_hello_ext_set_datum(session,
-diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
-index 259dc998e..0c6331569 100644
---- a/lib/ext/server_name.c
-+++ b/lib/ext/server_name.c
-@@ -66,11 +66,10 @@ const hello_ext_entry_st ext_mod_server_name = {
- */
- static int
- _gnutls_server_name_recv_params(gnutls_session_t session,
-- const uint8_t * data, size_t _data_size)
-+ const uint8_t * data, size_t data_size)
- {
- const unsigned char *p;
- uint16_t len, type;
-- ssize_t data_size = _data_size;
- gnutls_datum_t name;
-
- if (session->security_parameters.entity == GNUTLS_SERVER) {
-diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
-index 98db39ff8..263273fa2 100644
---- a/lib/ext/session_ticket.c
-+++ b/lib/ext/session_ticket.c
-@@ -78,7 +78,7 @@ static int
- unpack_ticket(const gnutls_datum_t *ticket_data, struct ticket_st *ticket)
- {
- const uint8_t * data = ticket_data->data;
-- ssize_t data_size = ticket_data->size;
-+ size_t data_size = ticket_data->size;
- const uint8_t *encrypted_state;
-
- /* Format:
-@@ -371,11 +371,10 @@ unpack_session(gnutls_session_t session, const gnutls_datum_t *state)
-
- static int
- session_ticket_recv_params(gnutls_session_t session,
-- const uint8_t * data, size_t _data_size)
-+ const uint8_t * data, size_t data_size)
- {
- gnutls_datum_t ticket_data;
- gnutls_datum_t state;
-- ssize_t data_size = _data_size;
- int ret;
-
- if (session->internals.flags & GNUTLS_NO_TICKETS)
-diff --git a/lib/ext/signature.c b/lib/ext/signature.c
-index e734d2c7d..a90f58d53 100644
---- a/lib/ext/signature.c
-+++ b/lib/ext/signature.c
-@@ -187,9 +187,8 @@ _gnutls_sign_algorithm_parse_data(gnutls_session_t session,
- static int
- _gnutls_signature_algorithm_recv_params(gnutls_session_t session,
- const uint8_t * data,
-- size_t _data_size)
-+ size_t data_size)
- {
-- ssize_t data_size = _data_size;
- int ret;
-
- if (session->security_parameters.entity == GNUTLS_CLIENT) {
-diff --git a/lib/ext/srp.c b/lib/ext/srp.c
-index 8b58222e0..07f6e6883 100644
---- a/lib/ext/srp.c
-+++ b/lib/ext/srp.c
-@@ -59,10 +59,9 @@ const hello_ext_entry_st ext_mod_srp = {
-
- static int
- _gnutls_srp_recv_params(gnutls_session_t session, const uint8_t * data,
-- size_t _data_size)
-+ size_t data_size)
- {
- uint8_t len;
-- ssize_t data_size = _data_size;
- gnutls_ext_priv_data_t epriv;
- srp_ext_st *priv;
-
-diff --git a/lib/ext/srtp.c b/lib/ext/srtp.c
-index 3fc7ed35a..412e26d45 100644
---- a/lib/ext/srtp.c
-+++ b/lib/ext/srtp.c
-@@ -162,13 +162,12 @@ const char *gnutls_srtp_get_profile_name(gnutls_srtp_profile_t profile)
-
- static int
- _gnutls_srtp_recv_params(gnutls_session_t session,
-- const uint8_t * data, size_t _data_size)
-+ const uint8_t * data, size_t data_size)
- {
- unsigned int i;
- int ret;
- const uint8_t *p = data;
-- int len;
-- ssize_t data_size = _data_size;
-+ size_t len;
- srtp_ext_st *priv;
- gnutls_ext_priv_data_t epriv;
- uint16_t profile;
-diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
-index d8779e8cf..cf9d5bd03 100644
---- a/lib/ext/status_request.c
-+++ b/lib/ext/status_request.c
-@@ -86,9 +86,8 @@ client_send(gnutls_session_t session,
- static int
- server_recv(gnutls_session_t session,
- status_request_ext_st * priv,
-- const uint8_t * data, size_t size)
-+ const uint8_t * data, size_t data_size)
- {
-- ssize_t data_size = size;
- unsigned rid_bytes = 0;
-
- /* minimum message is type (1) + responder_id_list (2) +
-diff --git a/lib/ext/supported_groups.c b/lib/ext/supported_groups.c
-index 952d3bb0c..ef7859f73 100644
---- a/lib/ext/supported_groups.c
-+++ b/lib/ext/supported_groups.c
-@@ -93,10 +93,9 @@ static unsigned get_min_dh(gnutls_session_t session)
- */
- static int
- _gnutls_supported_groups_recv_params(gnutls_session_t session,
-- const uint8_t * data, size_t _data_size)
-+ const uint8_t * data, size_t data_size)
- {
- int i;
-- ssize_t data_size = _data_size;
- uint16_t len;
- const uint8_t *p = data;
- const gnutls_group_entry_st *group = NULL;
-diff --git a/lib/ext/supported_versions.c b/lib/ext/supported_versions.c
-index 52828ee37..8d52fad5c 100644
---- a/lib/ext/supported_versions.c
-+++ b/lib/ext/supported_versions.c
-@@ -54,12 +54,11 @@ const hello_ext_entry_st ext_mod_supported_versions = {
-
- static int
- supported_versions_recv_params(gnutls_session_t session,
-- const uint8_t * data, size_t _data_size)
-+ const uint8_t * data, size_t data_size)
- {
- const version_entry_st *vers;
-- ssize_t data_size = _data_size;
- uint8_t major, minor;
-- ssize_t bytes;
-+ size_t bytes;
- int ret;
-
- if (session->security_parameters.entity == GNUTLS_SERVER) {
-diff --git a/lib/extv.c b/lib/extv.c
-index bfdfdf974..0c0c46f32 100644
---- a/lib/extv.c
-+++ b/lib/extv.c
-@@ -105,7 +105,7 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb,
- const gnutls_datum_t *data, unsigned int flags)
- {
- if (flags & GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO) {
-- ssize_t size = data->size;
-+ size_t size = data->size;
- size_t len;
- uint8_t *p = data->data;
-
-@@ -137,12 +137,12 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb,
- DECR_LEN(size, len);
- p += len;
-
-- if (size <= 0)
-+ if (size == 0)
- return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
-
- return _gnutls_extv_parse(ctx, cb, p, size);
- } else if (flags & GNUTLS_EXT_RAW_FLAG_DTLS_CLIENT_HELLO) {
-- ssize_t size = data->size;
-+ size_t size = data->size;
- size_t len;
- uint8_t *p = data->data;
-
-@@ -181,7 +181,7 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb,
- DECR_LEN(size, len);
- p += len;
-
-- if (size <= 0)
-+ if (size == 0)
- return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
-
- return _gnutls_extv_parse(ctx, cb, p, size);
-diff --git a/lib/sslv2_compat.c b/lib/sslv2_compat.c
-index 6122d1098..9d247ba4c 100644
---- a/lib/sslv2_compat.c
-+++ b/lib/sslv2_compat.c
-@@ -87,14 +87,13 @@ _gnutls_handshake_select_v2_suite(gnutls_session_t session,
- */
- int
- _gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data,
-- unsigned int datalen)
-+ unsigned int len)
- {
- uint16_t session_id_len = 0;
- int pos = 0;
- int ret = 0, sret = 0;
- uint16_t sizeOfSuites;
- uint8_t rnd[GNUTLS_RANDOM_SIZE], major, minor;
-- int len = datalen;
- int neg_version;
- const version_entry_st *vers;
- uint16_t challenge;
-diff --git a/lib/supplemental.c b/lib/supplemental.c
-index cd90fa1fb..07b38cc93 100644
---- a/lib/supplemental.c
-+++ b/lib/supplemental.c
-@@ -192,14 +192,14 @@ _gnutls_parse_supplemental(gnutls_session_t session,
- const uint8_t * data, int datalen)
- {
- const uint8_t *p = data;
-- ssize_t dsize = datalen;
-+ size_t dsize = datalen;
- size_t total_size;
-
- DECR_LEN(dsize, 3);
- total_size = _gnutls_read_uint24(p);
- p += 3;
-
-- if (dsize != (ssize_t) total_size) {
-+ if (dsize != total_size) {
- gnutls_assert();
- return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
- }
-diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c
-index bd257237f..8a1a11872 100644
---- a/lib/tls13/certificate.c
-+++ b/lib/tls13/certificate.c
-@@ -360,11 +360,12 @@ static int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t *data
- static int
- parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size)
- {
-- int len, ret;
-+ int ret;
-+ size_t len;
- uint8_t *p = data;
- cert_auth_info_t info;
- gnutls_certificate_credentials_t cred;
-- ssize_t dsize = data_size, size;
-+ size_t size;
- int i;
- unsigned npeer_certs, npeer_ocsp, j;
- crt_cert_ctx_st ctx;
-@@ -395,31 +396,31 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size)
- if (info == NULL)
- return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
-
-- DECR_LEN(dsize, 3);
-+ DECR_LEN(data_size, 3);
- size = _gnutls_read_uint24(p);
- p += 3;
-
-- if (size != dsize)
-+ if (size != data_size)
- return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
-
- if (size == 0)
- return gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND);
-
-- i = dsize;
-+ i = data_size;
-
- while (i > 0) {
-- DECR_LEN(dsize, 3);
-+ DECR_LEN(data_size, 3);
- len = _gnutls_read_uint24(p);
- if (len == 0)
- return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
-
-- DECR_LEN(dsize, len);
-+ DECR_LEN(data_size, len);
- p += len + 3;
- i -= len + 3;
-
-- DECR_LEN(dsize, 2);
-+ DECR_LEN(data_size, 2);
- len = _gnutls_read_uint16(p);
-- DECR_LEN(dsize, len);
-+ DECR_LEN(data_size, len);
-
- i -= len + 2;
- p += len + 2;
-@@ -427,7 +428,7 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size)
- nentries++;
- }
-
-- if (dsize != 0)
-+ if (data_size != 0)
- return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
-
- /* this is unnecessary - keeping to avoid a regression due to a re-org
-diff --git a/lib/tls13/psk_ext_parser.c b/lib/tls13/psk_ext_parser.c
-index 6e3a12f90..33ebc0461 100644
---- a/lib/tls13/psk_ext_parser.c
-+++ b/lib/tls13/psk_ext_parser.c
-@@ -28,10 +28,8 @@
- * are present, or 0, on success.
- */
- int _gnutls13_psk_ext_parser_init(psk_ext_parser_st *p,
-- const unsigned char *data, size_t _len)
-+ const unsigned char *data, size_t len)
- {
-- ssize_t len = _len;
--
- if (!p || !data || !len)
- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
-
-diff --git a/lib/tls13/psk_ext_parser.h b/lib/tls13/psk_ext_parser.h
-index 30b47e904..f46b211e0 100644
---- a/lib/tls13/psk_ext_parser.h
-+++ b/lib/tls13/psk_ext_parser.h
-@@ -25,10 +25,10 @@
-
- struct psk_ext_parser_st {
- const unsigned char *identities_data;
-- ssize_t identities_len;
-+ size_t identities_len;
-
- const unsigned char *binders_data;
-- ssize_t binders_len;
-+ size_t binders_len;
- };
-
- typedef struct psk_ext_parser_st psk_ext_parser_st;
-diff --git a/lib/tls13/session_ticket.c b/lib/tls13/session_ticket.c
-index 146aee9b1..072a56d9c 100644
---- a/lib/tls13/session_ticket.c
-+++ b/lib/tls13/session_ticket.c
-@@ -105,7 +105,7 @@ unpack_ticket(gnutls_session_t session, gnutls_datum_t *packed, tls13_ticket_st
- gnutls_mac_algorithm_t kdf;
- const mac_entry_st *prf;
- uint8_t *p;
-- ssize_t len;
-+ size_t len;
- uint64_t v;
- int ret;
-
---
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8-fips-aes-cbc-kat.patch b/SOURCES/gnutls-3.6.8-fips-aes-cbc-kat.patch
deleted file mode 100644
index 016a6bf..0000000
--- a/SOURCES/gnutls-3.6.8-fips-aes-cbc-kat.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From facea2b7659e11efce7014bda8800574d35dd05d Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Wed, 12 Jun 2019 14:02:05 +0200
-Subject: [PATCH] fips: run selftests over overridden AES-CBC algorithm
-
-Previously, we only tested nettle's AES-CBC in
-_gnutls_fips_perform_self_checks1(), which is called before the
-implementation is overridden. This adds an AES-CBC self-test in
-_gnutls_fips_perform_self_checks2() so it can test the actual
-implementation.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/fips.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/lib/fips.c b/lib/fips.c
-index b92edbbd7..902af5674 100644
---- a/lib/fips.c
-+++ b/lib/fips.c
-@@ -317,6 +317,12 @@ int _gnutls_fips_perform_self_checks2(void)
- goto error;
- }
-
-+ ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto error;
-+ }
-+
- ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_GCM);
- if (ret < 0) {
- gnutls_assert();
---
-2.20.1
-
diff --git a/SOURCES/gnutls-3.6.8-fips-deterministic-ecdsa.patch b/SOURCES/gnutls-3.6.8-fips-deterministic-ecdsa.patch
deleted file mode 100644
index 5be6209..0000000
--- a/SOURCES/gnutls-3.6.8-fips-deterministic-ecdsa.patch
+++ /dev/null
@@ -1,1352 +0,0 @@
-From e94ab6b703ee50ea020565e1b8729a9b1d524d84 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Mon, 29 Jul 2019 14:00:30 +0200
-Subject: [PATCH 1/6] nettle: add functions for deterministic ECDSA/DSA
-
-This adds functions to perform deterministic ECDSA/DSA, namely
-_gnutls_{ecdsa,dsa}_compute_k(), which computes the k value according
-to RFC 6979. The retrieved k value can be given to
-nettle_{ecdsa,dsa}_sign() through a wrapper random function.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/nettle/Makefile.am | 5 +-
- lib/nettle/int/dsa-compute-k.c | 209 +++++++++++++++++++++++++++++++
- lib/nettle/int/dsa-compute-k.h | 37 ++++++
- lib/nettle/int/ecdsa-compute-k.c | 95 ++++++++++++++
- lib/nettle/int/ecdsa-compute-k.h | 37 ++++++
- lib/nettle/int/mpn-base256.c | 97 ++++++++++++++
- lib/nettle/int/mpn-base256.h | 48 +++++++
- 7 files changed, 527 insertions(+), 1 deletion(-)
- create mode 100644 lib/nettle/int/dsa-compute-k.c
- create mode 100644 lib/nettle/int/dsa-compute-k.h
- create mode 100644 lib/nettle/int/ecdsa-compute-k.c
- create mode 100644 lib/nettle/int/ecdsa-compute-k.h
- create mode 100644 lib/nettle/int/mpn-base256.c
- create mode 100644 lib/nettle/int/mpn-base256.h
-
-diff --git a/lib/nettle/Makefile.am b/lib/nettle/Makefile.am
-index 1c60d3244..bd9dd753a 100644
---- a/lib/nettle/Makefile.am
-+++ b/lib/nettle/Makefile.am
-@@ -45,7 +45,10 @@ libcrypto_la_SOURCES = pk.c mpi.c mac.c cipher.c init.c \
- backport/xts.c backport/xts.h \
- rnd.c int/rsa-fips.h int/rsa-keygen-fips186.c int/provable-prime.c \
- int/dsa-fips.h int/dsa-keygen-fips186.c int/dsa-validate.c \
-- int/tls1-prf.c int/tls1-prf.h
-+ int/tls1-prf.c int/tls1-prf.h \
-+ int/dsa-compute-k.c int/dsa-compute-k.h \
-+ int/ecdsa-compute-k.c int/ecdsa-compute-k.h \
-+ int/mpn-base256.c int/mpn-base256.h
-
- if WINDOWS
- libcrypto_la_SOURCES += sysrng-windows.c
-diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
-new file mode 100644
-index 000000000..17d63318c
---- /dev/null
-+++ b/lib/nettle/int/dsa-compute-k.c
-@@ -0,0 +1,209 @@
-+/*
-+ * Copyright (C) 2019 Red Hat, Inc.
-+ *
-+ * Author: Daiki Ueno
-+ *
-+ * This file is part of GNUTLS.
-+ *
-+ * The GNUTLS library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public License
-+ * as published by the Free Software Foundation; either version 2.1 of
-+ * the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program. If not, see <https://www.gnu.org/licenses/>
-+ *
-+ */
-+
-+#if HAVE_CONFIG_H
-+# include "config.h"
-+#endif
-+
-+#include "dsa-compute-k.h"
-+
-+#include "gnutls_int.h"
-+#include "mem.h"
-+#include "mpn-base256.h"
-+#include <string.h>
-+
-+#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
-+
-+/* The maximum size of q, choosen from the fact that we support
-+ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
-+ * maximum. */
-+#define MAX_Q_BITS 521
-+#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
-+#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
-+
-+#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
-+#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
-+
-+int
-+_gnutls_dsa_compute_k(mpz_t k,
-+ const mpz_t q,
-+ const mpz_t x,
-+ gnutls_mac_algorithm_t mac,
-+ const uint8_t *digest,
-+ size_t length)
-+{
-+ uint8_t V[MAX_HASH_SIZE];
-+ uint8_t K[MAX_HASH_SIZE];
-+ uint8_t xp[MAX_Q_SIZE];
-+ uint8_t tp[MAX_Q_SIZE];
-+ mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
-+ mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
-+ mp_size_t qn = mpz_size(q);
-+ mp_bitcnt_t h_bits = length * 8;
-+ mp_size_t hn = BITS_TO_LIMBS(h_bits);
-+ size_t nbytes = (q_bits + 7) / 8;
-+ const uint8_t c0 = 0x00;
-+ const uint8_t c1 = 0x01;
-+ mp_limb_t cy;
-+ gnutls_hmac_hd_t hd;
-+ int ret = 0;
-+
-+ if (unlikely(q_bits > MAX_Q_BITS))
-+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+ if (unlikely(length > MAX_HASH_SIZE))
-+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+
-+ /* int2octets(x) */
-+ mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
-+
-+ /* bits2octets(h) */
-+ mpn_set_base256(h, hn, digest, length);
-+
-+ if (hn < qn)
-+ /* qlen > blen: add zero bits to the left */
-+ mpn_zero(&h[hn], qn - hn);
-+ else if (h_bits > q_bits) {
-+ /* qlen < blen: keep the leftmost qlen bits. We do this in 2
-+ * steps because mpn_rshift only accepts shift count in the
-+ * range 1 to mp_bits_per_limb-1.
-+ */
-+ mp_bitcnt_t shift = h_bits - q_bits;
-+
-+ if (shift / GMP_NUMB_BITS > 0) {
-+ mpn_copyi(h, &h[shift / GMP_NUMB_BITS], qn);
-+ hn -= shift / GMP_NUMB_BITS;
-+ }
-+
-+ if (shift % GMP_NUMB_BITS > 0)
-+ mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
-+ }
-+
-+ cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
-+ /* Fall back to addmul_1, if nettle is linked with mini-gmp. */
-+#ifdef mpn_cnd_add_n
-+ mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
-+#else
-+ mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
-+#endif
-+ mpn_get_base256(tp, nbytes, h, qn);
-+
-+ /* Step b */
-+ memset(V, c1, length);
-+
-+ /* Step c */
-+ memset(K, c0, length);
-+
-+ /* Step d */
-+ ret = gnutls_hmac_init(&hd, mac, K, length);
-+ if (ret < 0)
-+ goto out;
-+ ret = gnutls_hmac(hd, V, length);
-+ if (ret < 0)
-+ goto out;
-+ ret = gnutls_hmac(hd, &c0, 1);
-+ if (ret < 0)
-+ goto out;
-+ ret = gnutls_hmac(hd, xp, nbytes);
-+ if (ret < 0)
-+ goto out;
-+ ret = gnutls_hmac(hd, tp, nbytes);
-+ if (ret < 0)
-+ goto out;
-+ gnutls_hmac_deinit(hd, K);
-+
-+ /* Step e */
-+ ret = gnutls_hmac_fast(mac, K, length, V, length, V);
-+ if (ret < 0)
-+ goto out;
-+
-+ /* Step f */
-+ ret = gnutls_hmac_init(&hd, mac, K, length);
-+ if (ret < 0)
-+ goto out;
-+ ret = gnutls_hmac(hd, V, length);
-+ if (ret < 0)
-+ goto out;
-+ ret = gnutls_hmac(hd, &c1, 1);
-+ if (ret < 0)
-+ goto out;
-+ ret = gnutls_hmac(hd, xp, nbytes);
-+ if (ret < 0)
-+ goto out;
-+ ret = gnutls_hmac(hd, tp, nbytes);
-+ if (ret < 0)
-+ goto out;
-+ gnutls_hmac_deinit(hd, K);
-+
-+ /* Step g */
-+ ret = gnutls_hmac_fast(mac, K, length, V, length, V);
-+ if (ret < 0)
-+ goto out;
-+
-+ /* Step h */
-+ for (;;) {
-+ /* Step 1 */
-+ size_t tlen = 0;
-+
-+ /* Step 2 */
-+ while (tlen < nbytes) {
-+ size_t remaining = MIN(nbytes - tlen, length);
-+ ret = gnutls_hmac_fast(mac, K, length, V, length, V);
-+ if (ret < 0)
-+ goto out;
-+ memcpy (&tp[tlen], V, remaining);
-+ tlen += remaining;
-+ }
-+
-+ /* Step 3 */
-+ mpn_set_base256 (h, qn, tp, tlen);
-+ if (tlen * 8 > q_bits)
-+ mpn_rshift (h, h, qn, tlen * 8 - q_bits);
-+ /* Check if k is in [1,q-1] */
-+ if (!mpn_zero_p (h, qn) &&
-+ mpn_cmp (h, mpz_limbs_read(q), qn) < 0) {
-+ mpn_copyi(mpz_limbs_write(k, qn), h, qn);
-+ mpz_limbs_finish(k, qn);
-+ break;
-+ }
-+
-+ ret = gnutls_hmac_init(&hd, mac, K, length);
-+ if (ret < 0)
-+ goto out;
-+ ret = gnutls_hmac(hd, V, length);
-+ if (ret < 0)
-+ goto out;
-+ ret = gnutls_hmac(hd, &c0, 1);
-+ if (ret < 0)
-+ goto out;
-+ gnutls_hmac_deinit(hd, K);
-+
-+ ret = gnutls_hmac_fast(mac, K, length, V, length, V);
-+ if (ret < 0)
-+ goto out;
-+ }
-+
-+ out:
-+ zeroize_key(xp, sizeof(xp));
-+ zeroize_key(tp, sizeof(tp));
-+
-+ return ret;
-+}
-diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
-new file mode 100644
-index 000000000..64e90e0ca
---- /dev/null
-+++ b/lib/nettle/int/dsa-compute-k.h
-@@ -0,0 +1,37 @@
-+/*
-+ * Copyright (C) 2019 Red Hat, Inc.
-+ *
-+ * Author: Daiki Ueno
-+ *
-+ * This file is part of GnuTLS.
-+ *
-+ * The GnuTLS is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public License
-+ * as published by the Free Software Foundation; either version 2.1 of
-+ * the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program. If not, see <http://www.gnu.org/licenses/>
-+ *
-+ */
-+
-+#ifndef GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H
-+#define GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H
-+
-+#include <gnutls/gnutls.h>
-+#include <nettle/bignum.h> /* includes gmp.h */
-+
-+int
-+_gnutls_dsa_compute_k(mpz_t k,
-+ const mpz_t q,
-+ const mpz_t x,
-+ gnutls_mac_algorithm_t mac,
-+ const uint8_t *digest,
-+ size_t length);
-+
-+#endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
-diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
-new file mode 100644
-index 000000000..94914ebdf
---- /dev/null
-+++ b/lib/nettle/int/ecdsa-compute-k.c
-@@ -0,0 +1,95 @@
-+/*
-+ * Copyright (C) 2019 Red Hat, Inc.
-+ *
-+ * Author: Daiki Ueno
-+ *
-+ * This file is part of GNUTLS.
-+ *
-+ * The GNUTLS library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public License
-+ * as published by the Free Software Foundation; either version 2.1 of
-+ * the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program. If not, see <https://www.gnu.org/licenses/>
-+ *
-+ */
-+
-+#if HAVE_CONFIG_H
-+# include "config.h"
-+#endif
-+
-+#include "ecdsa-compute-k.h"
-+
-+#include "dsa-compute-k.h"
-+#include "gnutls_int.h"
-+
-+static inline int
-+_gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
-+{
-+ switch (curve) {
-+#ifdef ENABLE_NON_SUITEB_CURVES
-+ case GNUTLS_ECC_CURVE_SECP192R1:
-+ mpz_init_set_str(*q,
-+ "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836"
-+ "146BC9B1B4D22831",
-+ 16);
-+ return 0;
-+ case GNUTLS_ECC_CURVE_SECP224R1:
-+ mpz_init_set_str(*q,
-+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2"
-+ "E0B8F03E13DD29455C5C2A3D",
-+ 16);
-+ return 0;
-+#endif
-+ case GNUTLS_ECC_CURVE_SECP256R1:
-+ mpz_init_set_str(*q,
-+ "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
-+ "BCE6FAADA7179E84F3B9CAC2FC632551",
-+ 16);
-+ return 0;
-+ case GNUTLS_ECC_CURVE_SECP384R1:
-+ mpz_init_set_str(*q,
-+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
-+ "FFFFFFFFFFFFFFFFC7634D81F4372DDF"
-+ "581A0DB248B0A77AECEC196ACCC52973",
-+ 16);
-+ return 0;
-+ case GNUTLS_ECC_CURVE_SECP521R1:
-+ mpz_init_set_str(*q,
-+ "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
-+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
-+ "FFA51868783BF2F966B7FCC0148F709A"
-+ "5D03BB5C9B8899C47AEBB6FB71E91386"
-+ "409",
-+ 16);
-+ return 0;
-+ default:
-+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
-+ }
-+}
-+
-+int
-+_gnutls_ecdsa_compute_k (mpz_t k,
-+ gnutls_ecc_curve_t curve,
-+ const mpz_t x,
-+ gnutls_mac_algorithm_t mac,
-+ const uint8_t *digest,
-+ size_t length)
-+{
-+ mpz_t q;
-+ int ret;
-+
-+ ret = _gnutls_ecc_curve_to_dsa_q(&q, curve);
-+ if (ret < 0)
-+ return gnutls_assert_val(ret);
-+
-+ ret = _gnutls_dsa_compute_k (k, q, x, mac, digest, length);
-+ mpz_clear(q);
-+ return ret;
-+}
-diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h
-new file mode 100644
-index 000000000..7ca401d6e
---- /dev/null
-+++ b/lib/nettle/int/ecdsa-compute-k.h
-@@ -0,0 +1,37 @@
-+/*
-+ * Copyright (C) 2019 Red Hat, Inc.
-+ *
-+ * Author: Daiki Ueno
-+ *
-+ * This file is part of GnuTLS.
-+ *
-+ * The GnuTLS is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public License
-+ * as published by the Free Software Foundation; either version 2.1 of
-+ * the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program. If not, see <http://www.gnu.org/licenses/>
-+ *
-+ */
-+
-+#ifndef GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H
-+#define GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H
-+
-+#include <gnutls/gnutls.h>
-+#include <nettle/bignum.h> /* includes gmp.h */
-+
-+int
-+_gnutls_ecdsa_compute_k (mpz_t k,
-+ gnutls_ecc_curve_t curve,
-+ const mpz_t x,
-+ gnutls_mac_algorithm_t mac,
-+ const uint8_t *digest,
-+ size_t length);
-+
-+#endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */
-diff --git a/lib/nettle/int/mpn-base256.c b/lib/nettle/int/mpn-base256.c
-new file mode 100644
-index 000000000..88dd00bd2
---- /dev/null
-+++ b/lib/nettle/int/mpn-base256.c
-@@ -0,0 +1,97 @@
-+/* gmp-glue.c
-+
-+ Copyright (C) 2013 Niels Möller
-+ Copyright (C) 2013 Red Hat
-+
-+ This file is part of GNU Nettle.
-+
-+ GNU Nettle is free software: you can redistribute it and/or
-+ modify it under the terms of either:
-+
-+ * the GNU Lesser General Public License as published by the Free
-+ Software Foundation; either version 3 of the License, or (at your
-+ option) any later version.
-+
-+ or
-+
-+ * the GNU General Public License as published by the Free
-+ Software Foundation; either version 2 of the License, or (at your
-+ option) any later version.
-+
-+ or both in parallel, as here.
-+
-+ GNU Nettle is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ General Public License for more details.
-+
-+ You should have received copies of the GNU General Public License and
-+ the GNU Lesser General Public License along with this program. If
-+ not, see http://www.gnu.org/licenses/.
-+*/
-+
-+#if HAVE_CONFIG_H
-+# include "config.h"
-+#endif
-+
-+#include "mpn-base256.h"
-+
-+void
-+mpn_set_base256 (mp_limb_t *rp, mp_size_t rn,
-+ const uint8_t *xp, size_t xn)
-+{
-+ size_t xi;
-+ mp_limb_t out;
-+ unsigned bits;
-+ for (xi = xn, out = bits = 0; xi > 0 && rn > 0; )
-+ {
-+ mp_limb_t in = xp[--xi];
-+ out |= (in << bits) & GMP_NUMB_MASK;
-+ bits += 8;
-+ if (bits >= GMP_NUMB_BITS)
-+ {
-+ *rp++ = out;
-+ rn--;
-+
-+ bits -= GMP_NUMB_BITS;
-+ out = in >> (8 - bits);
-+ }
-+ }
-+ if (rn > 0)
-+ {
-+ *rp++ = out;
-+ if (--rn > 0)
-+ mpn_zero (rp, rn);
-+ }
-+}
-+
-+void
-+mpn_get_base256 (uint8_t *rp, size_t rn,
-+ const mp_limb_t *xp, mp_size_t xn)
-+{
-+ unsigned bits;
-+ mp_limb_t in;
-+ for (bits = in = 0; xn > 0 && rn > 0; )
-+ {
-+ if (bits >= 8)
-+ {
-+ rp[--rn] = in;
-+ in >>= 8;
-+ bits -= 8;
-+ }
-+ else
-+ {
-+ uint8_t old = in;
-+ in = *xp++;
-+ xn--;
-+ rp[--rn] = old | (in << bits);
-+ in >>= (8 - bits);
-+ bits += GMP_NUMB_BITS - 8;
-+ }
-+ }
-+ while (rn > 0)
-+ {
-+ rp[--rn] = in;
-+ in >>= 8;
-+ }
-+}
-diff --git a/lib/nettle/int/mpn-base256.h b/lib/nettle/int/mpn-base256.h
-new file mode 100644
-index 000000000..b5ca4af03
---- /dev/null
-+++ b/lib/nettle/int/mpn-base256.h
-@@ -0,0 +1,48 @@
-+/* gmp-glue.h
-+
-+ Copyright (C) 2013 Niels Möller
-+ Copyright (C) 2013 Red Hat
-+
-+ This file is part of GNU Nettle.
-+
-+ GNU Nettle is free software: you can redistribute it and/or
-+ modify it under the terms of either:
-+
-+ * the GNU Lesser General Public License as published by the Free
-+ Software Foundation; either version 3 of the License, or (at your
-+ option) any later version.
-+
-+ or
-+
-+ * the GNU General Public License as published by the Free
-+ Software Foundation; either version 2 of the License, or (at your
-+ option) any later version.
-+
-+ or both in parallel, as here.
-+
-+ GNU Nettle is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ General Public License for more details.
-+
-+ You should have received copies of the GNU General Public License and
-+ the GNU Lesser General Public License along with this program. If
-+ not, see http://www.gnu.org/licenses/.
-+*/
-+
-+#ifndef NETTLE_GMP_GLUE_H_INCLUDED
-+#define NETTLE_GMP_GLUE_H_INCLUDED
-+
-+#include <nettle/bignum.h>
-+
-+/* Like mpn_set_str, but always writes rn limbs. If input is larger,
-+ higher bits are ignored. */
-+void
-+mpn_set_base256 (mp_limb_t *rp, mp_size_t rn,
-+ const uint8_t *xp, size_t xn);
-+
-+void
-+mpn_get_base256 (uint8_t *rp, size_t rn,
-+ const mp_limb_t *xp, mp_size_t xn);
-+
-+#endif /* NETTLE_GMP_GLUE_H_INCLUDED */
---
-2.21.0
-
-
-From f42d96451a654ccc3523b0a0086e18f19ba3fecc Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Mon, 29 Jul 2019 15:10:51 +0200
-Subject: [PATCH 2/6] privkey_sign_raw_data: remove unnecessary local variable
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/privkey.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/lib/privkey.c b/lib/privkey.c
-index 8e353c5e5..2fee8777a 100644
---- a/lib/privkey.c
-+++ b/lib/privkey.c
-@@ -1492,8 +1492,6 @@ privkey_sign_raw_data(gnutls_privkey_t key,
- 0,
- data, signature);
- } else if (key->key.ext.sign_hash_func) {
-- unsigned int flags = 0;
--
- if (se->pk == GNUTLS_PK_RSA) {
- se = _gnutls_sign_to_entry(GNUTLS_SIGN_RSA_RAW);
- assert(se != NULL);
-@@ -1502,7 +1500,7 @@ privkey_sign_raw_data(gnutls_privkey_t key,
- /* se may not be set here if we are doing legacy RSA */
- return key->key.ext.sign_hash_func(key, se->id,
- key->key.ext.userdata,
-- flags,
-+ 0,
- data, signature);
- } else {
- if (!PK_IS_OK_FOR_EXT2(se->pk))
---
-2.21.0
-
-
-From 3dd0df9e1a499c7b31bf7b4a315e797d2195c1ba Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Wed, 7 Aug 2019 14:37:00 +0200
-Subject: [PATCH 3/6] privkey_sign_prehashed: remove unused argument
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/privkey.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/lib/privkey.c b/lib/privkey.c
-index 2fee8777a..8683b4e20 100644
---- a/lib/privkey.c
-+++ b/lib/privkey.c
-@@ -43,7 +43,7 @@ privkey_sign_prehashed(gnutls_privkey_t signer,
- const gnutls_sign_entry_st *se,
- const gnutls_datum_t * hash_data,
- gnutls_datum_t * signature,
-- gnutls_x509_spki_st * params, unsigned flags);
-+ gnutls_x509_spki_st * params);
-
- /**
- * gnutls_privkey_get_type:
-@@ -1253,7 +1253,7 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer,
- return ret;
- }
-
-- return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms, flags);
-+ return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms);
- }
-
- int
-@@ -1377,7 +1377,7 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer,
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-
- return privkey_sign_prehashed(signer, se,
-- hash_data, signature, ¶ms, flags);
-+ hash_data, signature, ¶ms);
- }
-
- static int
-@@ -1385,8 +1385,7 @@ privkey_sign_prehashed(gnutls_privkey_t signer,
- const gnutls_sign_entry_st *se,
- const gnutls_datum_t * hash_data,
- gnutls_datum_t * signature,
-- gnutls_x509_spki_st * params,
-- unsigned flags)
-+ gnutls_x509_spki_st * params)
- {
- int ret;
- gnutls_datum_t digest;
---
-2.21.0
-
-
-From 8eb3a29336ea11f6b417ce7e25d53513509bdd87 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Mon, 29 Jul 2019 14:01:11 +0200
-Subject: [PATCH 4/6] pk: implement deterministic ECDSA/DSA
-
-This exposes the deterministic ECDSA/DSA functionality through the
-GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- .gitignore | 1 +
- NEWS | 7 ++
- lib/crypto-backend.h | 16 ++-
- lib/includes/gnutls/abstract.h | 5 +-
- lib/nettle/pk.c | 54 +++++++-
- lib/privkey.c | 8 ++
- lib/x509/crq.c | 2 +
- lib/x509/pkcs7.c | 2 +
- lib/x509/sign.c | 2 +
- tests/Makefile.am | 2 +-
- tests/sign-verify-deterministic.c | 196 ++++++++++++++++++++++++++++++
- 11 files changed, 290 insertions(+), 5 deletions(-)
- create mode 100644 tests/sign-verify-deterministic.c
-
-diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
-index 43124abaf..33eca6031 100644
---- a/lib/crypto-backend.h
-+++ b/lib/crypto-backend.h
-@@ -187,6 +187,13 @@ typedef struct gnutls_x509_spki_st {
- /* if non-zero, the legacy value for PKCS#7 signatures will be
- * written for RSA signatures. */
- unsigned int legacy;
-+
-+ /* the digest used by ECDSA/DSA */
-+ gnutls_digest_algorithm_t dsa_dig;
-+
-+ /* flags may include GNUTLS_PK_FLAG_REPRODUCIBLE for
-+ * deterministic ECDSA/DSA */
-+ unsigned int flags;
- } gnutls_x509_spki_st;
-
- #define GNUTLS_MAX_PK_PARAMS 16
-@@ -219,9 +226,16 @@ typedef struct {
- */
- typedef enum {
- GNUTLS_PK_FLAG_NONE = 0,
-- GNUTLS_PK_FLAG_PROVABLE = 1
-+ GNUTLS_PK_FLAG_PROVABLE = 1,
-+ GNUTLS_PK_FLAG_REPRODUCIBLE = 2
- } gnutls_pk_flag_t;
-
-+#define FIX_SIGN_PARAMS(params, flags, dig) do { \
-+ if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) { \
-+ (params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE; \
-+ (params).dsa_dig = (dig); \
-+ } \
-+} while (0)
-
- void gnutls_pk_params_release(gnutls_pk_params_st * p);
- void gnutls_pk_params_clear(gnutls_pk_params_st * p);
-diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
-index d4b7da68b..d8805681a 100644
---- a/lib/includes/gnutls/abstract.h
-+++ b/lib/includes/gnutls/abstract.h
-@@ -371,7 +371,10 @@ int gnutls_privkey_status(gnutls_privkey_t key);
- * gnutls_privkey_flags:
- * @GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA: Make an RSA signature on the hashed data as in the TLS protocol.
- * @GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS: Make an RSA signature on the hashed data with the PSS padding.
-- * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make an RSA-PSS signature on the hashed data with reproducible parameters (zero salt).
-+ * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make a signature on the hashed data with reproducible parameters.
-+ * For RSA-PSS, that means to use empty salt instead of random value. For ECDSA/DSA, it uses the deterministic
-+ * construction of random parameter according to RFC 6979. Note that
-+ * this only supports the NIST curves and DSA subgroup bits up to 512.
- * @GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE: When importing a private key, automatically
- * release it when the structure it was imported is released.
- * @GNUTLS_PRIVKEY_IMPORT_COPY: Copy required values during import.
-diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
-index 08117c2d8..ebd6481cf 100644
---- a/lib/nettle/pk.c
-+++ b/lib/nettle/pk.c
-@@ -54,6 +54,8 @@
- #include "gost/gostdsa.h"
- #include "gost/ecc-gost-curve.h"
- #endif
-+#include "int/ecdsa-compute-k.h"
-+#include "int/dsa-compute-k.h"
- #include <gnettle.h>
- #include <fips.h>
-
-@@ -86,6 +88,12 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data)
- }
- }
-
-+static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
-+{
-+ mpz_t *k = _ctx;
-+ nettle_mpz_get_str_256 (length, data, *k);
-+}
-+
- static void
- ecc_scalar_zclear (struct ecc_scalar *s)
- {
-@@ -782,6 +790,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
- struct dsa_signature sig;
- int curve_id = pk_params->curve;
- const struct ecc_curve *curve;
-+ mpz_t k;
-+ void *random_ctx;
-+ nettle_random_func *random_func;
-
- curve = get_supported_nist_curve(curve_id);
- if (curve == NULL)
-@@ -808,7 +819,23 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
- hash_len = vdata->size;
- }
-
-- ecdsa_sign(&priv, NULL, rnd_nonce_func, hash_len,
-+ mpz_init(k);
-+ if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
-+ ret = _gnutls_ecdsa_compute_k(k,
-+ curve_id,
-+ pk_params->params[ECC_K],
-+ sign_params->dsa_dig,
-+ vdata->data,
-+ vdata->size);
-+ if (ret < 0)
-+ goto ecdsa_cleanup;
-+ random_ctx = &k;
-+ random_func = rnd_mpz_func;
-+ } else {
-+ random_ctx = NULL;
-+ random_func = rnd_nonce_func;
-+ }
-+ ecdsa_sign(&priv, random_ctx, random_func, hash_len,
- vdata->data, &sig);
-
- /* prevent memory leaks */
-@@ -824,6 +851,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
- ecdsa_cleanup:
- dsa_signature_clear(&sig);
- ecc_scalar_zclear(&priv);
-+ mpz_clear(k);
-
- if (ret < 0) {
- gnutls_assert();
-@@ -836,6 +864,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
- struct dsa_params pub;
- bigint_t priv;
- struct dsa_signature sig;
-+ mpz_t k;
-+ void *random_ctx;
-+ nettle_random_func *random_func;
-
- memset(&priv, 0, sizeof(priv));
- memset(&pub, 0, sizeof(pub));
-@@ -856,8 +887,26 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
- hash_len = vdata->size;
- }
-
-+ mpz_init(k);
-+ if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
-+ ret = _gnutls_dsa_compute_k(k,
-+ pub.q,
-+ TOMPZ(priv),
-+ sign_params->dsa_dig,
-+ vdata->data,
-+ vdata->size);
-+ if (ret < 0)
-+ goto dsa_fail;
-+ /* cancel-out dsa_sign's addition of 1 to random data */
-+ mpz_sub_ui (k, k, 1);
-+ random_ctx = &k;
-+ random_func = rnd_mpz_func;
-+ } else {
-+ random_ctx = NULL;
-+ random_func = rnd_nonce_func;
-+ }
- ret =
-- dsa_sign(&pub, TOMPZ(priv), NULL, rnd_nonce_func,
-+ dsa_sign(&pub, TOMPZ(priv), random_ctx, random_func,
- hash_len, vdata->data, &sig);
- if (ret == 0 || HAVE_LIB_ERROR()) {
- gnutls_assert();
-@@ -871,6 +920,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
-
- dsa_fail:
- dsa_signature_clear(&sig);
-+ mpz_clear(k);
-
- if (ret < 0) {
- gnutls_assert();
-diff --git a/lib/privkey.c b/lib/privkey.c
-index 8683b4e20..4ef07c8b0 100644
---- a/lib/privkey.c
-+++ b/lib/privkey.c
-@@ -1134,6 +1134,8 @@ gnutls_privkey_sign_data(gnutls_privkey_t signer,
- return ret;
- }
-
-+ FIX_SIGN_PARAMS(params, flags, hash);
-+
- return privkey_sign_and_hash_data(signer, _gnutls_pk_to_sign_entry(params.pk, hash), data, signature, ¶ms);
- }
-
-@@ -1186,6 +1188,8 @@ gnutls_privkey_sign_data2(gnutls_privkey_t signer,
- return ret;
- }
-
-+ FIX_SIGN_PARAMS(params, flags, se->hash);
-+
- return privkey_sign_and_hash_data(signer, se, data, signature, ¶ms);
- }
-
-@@ -1253,6 +1257,8 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer,
- return ret;
- }
-
-+ FIX_SIGN_PARAMS(params, flags, se->hash);
-+
- return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms);
- }
-
-@@ -1376,6 +1382,8 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer,
- if (unlikely(se == NULL))
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-
-+ FIX_SIGN_PARAMS(params, flags, hash_algo);
-+
- return privkey_sign_prehashed(signer, se,
- hash_data, signature, ¶ms);
- }
-diff --git a/lib/x509/crq.c b/lib/x509/crq.c
-index c8899f81a..4ca67535d 100644
---- a/lib/x509/crq.c
-+++ b/lib/x509/crq.c
-@@ -2642,6 +2642,8 @@ gnutls_x509_crq_privkey_sign(gnutls_x509_crq_t crq, gnutls_privkey_t key,
- if (se == NULL)
- return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-
-+ FIX_SIGN_PARAMS(params, flags, dig);
-+
- result = privkey_sign_and_hash_data(key, se,
- &tbs, &signature, ¶ms);
- gnutls_free(tbs.data);
-diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
-index 21fff7b07..98669e887 100644
---- a/lib/x509/pkcs7.c
-+++ b/lib/x509/pkcs7.c
-@@ -2532,6 +2532,8 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
- goto cleanup;
- }
-
-+ FIX_SIGN_PARAMS(params, flags, dig);
-+
- ret = privkey_sign_and_hash_data(signer_key, se,
- &sigdata, &signature, ¶ms);
- if (ret < 0) {
-diff --git a/lib/x509/sign.c b/lib/x509/sign.c
-index 8f7a96f21..461524f5b 100644
---- a/lib/x509/sign.c
-+++ b/lib/x509/sign.c
-@@ -175,6 +175,8 @@ _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name,
- return result;
- }
-
-+ FIX_SIGN_PARAMS(params, flags, dig);
-+
- if (_gnutls_pk_is_not_prehashed(params.pk)) {
- result = privkey_sign_raw_data(issuer_key, se, &tbs, &signature, ¶ms);
- } else {
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index 7970ad6b3..a8c2d152e 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -211,7 +211,8 @@ ctests += mini-record-2 simple gnutls_hm
- tls13-server-kx-neg gnutls_ext_raw_parse_dtls key-export-pkcs8 \
- null_retrieve_function tls-record-size-limit tls-crt_type-neg \
- resume-with-stek-expiration resume-with-previous-stek rawpk-api \
-- tls-record-size-limit-asym dh-compute ecdh-compute
-+ tls-record-size-limit-asym dh-compute ecdh-compute \
-+ sign-verify-deterministic
-
- if HAVE_SECCOMP_TESTS
- ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
-diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
-new file mode 100644
-index 000000000..fe4873fc8
---- /dev/null
-+++ b/tests/sign-verify-deterministic.c
-@@ -0,0 +1,196 @@
-+/*
-+ * Copyright (C) 2017-2019 Red Hat, Inc.
-+ *
-+ * Author: Nikos Mavrogiannopoulos, Daiki Ueno
-+ *
-+ * This file is part of GnuTLS.
-+ *
-+ * GnuTLS is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * GnuTLS is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with GnuTLS; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
-+ */
-+
-+#ifdef HAVE_CONFIG_H
-+#include <config.h>
-+#endif
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <sys/types.h>
-+#ifndef _WIN32
-+# include <netinet/in.h>
-+# include <sys/socket.h>
-+# include <arpa/inet.h>
-+#endif
-+#include <unistd.h>
-+#include <gnutls/gnutls.h>
-+#include <gnutls/x509.h>
-+#include <gnutls/abstract.h>
-+#include "utils.h"
-+
-+/* verifies whether the sign-data and verify-data APIs
-+ * operate as expected with deterministic ECDSA/DSA (RFC 6979) */
-+
-+static void tls_log_func(int level, const char *str)
-+{
-+ fprintf(stderr, "<%d> %s", level, str);
-+}
-+
-+struct _key_tests_st {
-+ const char *name;
-+ gnutls_datum_t key;
-+ gnutls_datum_t msg;
-+ gnutls_datum_t sig;
-+ gnutls_pk_algorithm_t pk;
-+ gnutls_digest_algorithm_t digest;
-+ gnutls_sign_algorithm_t sigalgo;
-+ unsigned int sign_flags;
-+};
-+
-+/* Test vectors from RFC 6979 */
-+static const char dsa_privkey_rfc6979[] =
-+ "-----BEGIN DSA PRIVATE KEY-----\n"
-+ "MIIBugIBAAKBgQCG9coD3P6yJQY/+DCgx2m53Z1hU62R184n94fEMni0R+ZTO4ax\n"
-+ "i+1uiki3hKFMJSxb4Nv2C4bWOFvS8S+3Y+2Ic6v9P1ui4KjApZCC6sBWk15Sna98\n"
-+ "YQRniZx3re38hGyIGHC3sZsrWPm+BSGhcALjvda4ZoXukLPZobAreCsXeQIVAJlv\n"
-+ "ln9sjjiNnijQHiBfupV6VpixAoGAB7D5JUYVC2JRS7dx4qDAzjh/A72mxWtQUgn/\n"
-+ "Jf08Ez2Ju82X6QTgkRTZp9796t/JB46lRNLkAa7sxAu5+794/YeZWhChwny3eJtZ\n"
-+ "S6fvtcQyap/lmgcOE223cXVGStykF75dzi9A0QpGo6OUPyarf9nAOY/4x27gpWgm\n"
-+ "qKiPHb0CgYBd9eAd7THQKX4nThaRwZL+WGj++eGahHdkVLEAzxb2U5IZWji5BSPi\n"
-+ "VC7mGHHARAy4fDIvxLTS7F4efsdm4b6NTOk1Q33BHDyP1CYziTPr/nOcs0ZfTTZo\n"
-+ "xeRzUIJTseaC9ly9xPrpPC6iEjkOVJBahuIiMXC0Tqp9pd2f/Pt/OwIUQRYCyxmm\n"
-+ "zMNElNedmO8eftWvJfc=\n"
-+ "-----END DSA PRIVATE KEY-----\n";
-+
-+static const char ecdsa_secp256r1_privkey_rfc6979[] =
-+ "-----BEGIN EC PRIVATE KEY-----\n"
-+ "MHgCAQEEIQDJr6nYRbp1FmtcIVdnsdaTTlDD2zbomxJ7imIrEg9nIaAKBggqhkjO\n"
-+ "PQMBB6FEA0IABGD+1LolWp0xyWHrdMY1bWjASbiSO2H6bOZpYi5g8p+2eQP+EAi4\n"
-+ "vJmkGunpVii8ZPLxsgwtfp9Rd6PClNRGIpk=\n"
-+ "-----END EC PRIVATE KEY-----\n";
-+
-+static const char sample[] = "sample";
-+
-+static const
-+struct _key_tests_st tests[] = {
-+ {
-+ .name = "dsa key",
-+ .key = {(void *) dsa_privkey_rfc6979, sizeof(dsa_privkey_rfc6979)-1},
-+ .msg = {(void *) sample, sizeof(sample)-1},
-+ .sig = {(void *) "\x30\x2d\x02\x15\x00\x81\xf2\xf5\x85\x0b\xe5\xbc\x12\x3c\x43\xf7\x1a\x30\x33\xe9\x38\x46\x11\xc5\x45\x02\x14\x4c\xdd\x91\x4b\x65\xeb\x6c\x66\xa8\xaa\xad\x27\x29\x9b\xee\x6b\x03\x5f\x5e\x89", 47},
-+ .pk = GNUTLS_PK_DSA,
-+ .digest = GNUTLS_DIG_SHA256,
-+ .sigalgo = GNUTLS_SIGN_DSA_SHA256,
-+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
-+ },
-+ {
-+ .name = "ecdsa key",
-+ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
-+ .msg = {(void *) sample, sizeof(sample)-1},
-+ .sig = {(void *) "\x30\x46\x02\x21\x00\xef\xd4\x8b\x2a\xac\xb6\xa8\xfd\x11\x40\xdd\x9c\xd4\x5e\x81\xd6\x9d\x2c\x87\x7b\x56\xaa\xf9\x91\xc3\x4d\x0e\xa8\x4e\xaf\x37\x16\x02\x21\x00\xf7\xcb\x1c\x94\x2d\x65\x7c\x41\xd4\x36\xc7\xa1\xb6\xe2\x9f\x65\xf3\xe9\x00\xdb\xb9\xaf\xf4\x06\x4d\xc4\xab\x2f\x84\x3a\xcd\xa8", 72},
-+ .pk = GNUTLS_PK_ECDSA,
-+ .digest = GNUTLS_DIG_SHA256,
-+ .sigalgo = GNUTLS_SIGN_ECDSA_SECP256R1_SHA256,
-+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
-+ },
-+ {
-+ .name = "ecdsa key",
-+ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
-+ .msg = {(void *) sample, sizeof(sample)-1},
-+ .sig = {(void *) "\x30\x46\x02\x21\x00\xef\xd4\x8b\x2a\xac\xb6\xa8\xfd\x11\x40\xdd\x9c\xd4\x5e\x81\xd6\x9d\x2c\x87\x7b\x56\xaa\xf9\x91\xc3\x4d\x0e\xa8\x4e\xaf\x37\x16\x02\x21\x00\xf7\xcb\x1c\x94\x2d\x65\x7c\x41\xd4\x36\xc7\xa1\xb6\xe2\x9f\x65\xf3\xe9\x00\xdb\xb9\xaf\xf4\x06\x4d\xc4\xab\x2f\x84\x3a\xcd\xa8", 72},
-+ .pk = GNUTLS_PK_ECDSA,
-+ .digest = GNUTLS_DIG_SHA256,
-+ .sigalgo = GNUTLS_SIGN_ECDSA_SHA256,
-+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
-+ },
-+ {
-+ .name = "ecdsa key (q bits < h bits)",
-+ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
-+ .msg = {(void *) sample, sizeof(sample)-1},
-+ .sig = {(void *) "\x30\x44\x02\x20\x0e\xaf\xea\x03\x9b\x20\xe9\xb4\x23\x09\xfb\x1d\x89\xe2\x13\x05\x7c\xbf\x97\x3d\xc0\xcf\xc8\xf1\x29\xed\xdd\xc8\x00\xef\x77\x19\x02\x20\x48\x61\xf0\x49\x1e\x69\x98\xb9\x45\x51\x93\xe3\x4e\x7b\x0d\x28\x4d\xdd\x71\x49\xa7\x4b\x95\xb9\x26\x1f\x13\xab\xde\x94\x09\x54", 70},
-+ .pk = GNUTLS_PK_ECDSA,
-+ .digest = GNUTLS_DIG_SHA384,
-+ .sigalgo = GNUTLS_SIGN_ECDSA_SHA384,
-+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
-+ },
-+ {
-+ .name = "ecdsa key (q bits > h bits)",
-+ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1},
-+ .msg = {(void *) sample, sizeof(sample)-1},
-+ .sig = {(void *) "\x30\x45\x02\x20\x53\xb2\xff\xf5\xd1\x75\x2b\x2c\x68\x9d\xf2\x57\xc0\x4c\x40\xa5\x87\xfa\xba\xbb\x3f\x6f\xc2\x70\x2f\x13\x43\xaf\x7c\xa9\xaa\x3f\x02\x21\x00\xb9\xaf\xb6\x4f\xdc\x03\xdc\x1a\x13\x1c\x7d\x23\x86\xd1\x1e\x34\x9f\x07\x0a\xa4\x32\xa4\xac\xc9\x18\xbe\xa9\x88\xbf\x75\xc7\x4c", 71},
-+ .pk = GNUTLS_PK_ECDSA,
-+ .digest = GNUTLS_DIG_SHA224,
-+ .sigalgo = GNUTLS_SIGN_ECDSA_SHA224,
-+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE
-+ }
-+};
-+
-+#define testfail(fmt, ...) \
-+ fail("%s: "fmt, tests[i].name, ##__VA_ARGS__)
-+
-+void doit(void)
-+{
-+ gnutls_pubkey_t pubkey;
-+ gnutls_privkey_t privkey;
-+ gnutls_datum_t signature;
-+ int ret;
-+ size_t i;
-+
-+ global_init();
-+
-+ gnutls_global_set_log_function(tls_log_func);
-+ if (debug)
-+ gnutls_global_set_log_level(6);
-+
-+ for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
-+ success("testing: %s - %s\n", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo));
-+
-+ ret = gnutls_privkey_init(&privkey);
-+ if (ret < 0)
-+ testfail("gnutls_privkey_init\n");
-+
-+ ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0);
-+ if (ret < 0)
-+ testfail("gnutls_privkey_import_x509_raw\n");
-+
-+ ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags,
-+ &tests[i].msg, &signature);
-+ if (ret < 0)
-+ testfail("gnutls_privkey_sign_data\n");
-+
-+ if (signature.size != tests[i].sig.size ||
-+ memcmp(signature.data, tests[i].sig.data, signature.size) != 0)
-+ testfail("signature does not match");
-+
-+ ret = gnutls_pubkey_init(&pubkey);
-+ if (ret < 0)
-+ testfail("gnutls_pubkey_init\n");
-+
-+ ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0);
-+ if (ret < 0)
-+ testfail("gnutls_pubkey_import_privkey\n");
-+
-+ ret =
-+ gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, 0, &tests[i].msg,
-+ &signature);
-+ if (ret < 0)
-+ testfail("gnutls_pubkey_verify_data2\n");
-+
-+ gnutls_free(signature.data);
-+ gnutls_privkey_deinit(privkey);
-+ gnutls_pubkey_deinit(pubkey);
-+ }
-+
-+ gnutls_global_deinit();
-+}
---
-2.21.0
-
-
-From 1adee9e136176a8fe26bae036ebb275fe4c26f64 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Mon, 5 Aug 2019 15:21:55 +0200
-Subject: [PATCH 5/6] nettle: enable deterministic ECDSA/DSA during FIPS
- selftests
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/nettle/pk.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
-index ebd6481cf..1f8e7f931 100644
---- a/lib/nettle/pk.c
-+++ b/lib/nettle/pk.c
-@@ -820,7 +820,8 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
- }
-
- mpz_init(k);
-- if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
-+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
-+ (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
- ret = _gnutls_ecdsa_compute_k(k,
- curve_id,
- pk_params->params[ECC_K],
-@@ -888,7 +889,8 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
- }
-
- mpz_init(k);
-- if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) {
-+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST ||
-+ (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) {
- ret = _gnutls_dsa_compute_k(k,
- pub.q,
- TOMPZ(priv),
---
-2.21.0
-
-
-From 3beaa23ef5852e2d8aaa610aac9cde9b46be4f77 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Wed, 7 Aug 2019 15:55:44 +0200
-Subject: [PATCH 6/6] nettle: prohibit deterministic ECDSA/DSA under FIPS
- except selftests
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/nettle/pk.c | 8 ++++++++
- tests/sign-verify-deterministic.c | 27 ++++++++++++++++++++-------
- 2 files changed, 28 insertions(+), 7 deletions(-)
-
-diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
-index 1f8e7f931..b2d27cf74 100644
---- a/lib/nettle/pk.c
-+++ b/lib/nettle/pk.c
-@@ -703,6 +703,14 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
- return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
- }
-
-+ /* deterministic ECDSA/DSA is prohibited under FIPS except in
-+ * the selftests */
-+ if (_gnutls_fips_mode_enabled() &&
-+ _gnutls_get_lib_state() != LIB_STATE_SELFTEST &&
-+ (algo == GNUTLS_PK_DSA || algo == GNUTLS_PK_ECDSA) &&
-+ (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE))
-+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+
- switch (algo) {
- case GNUTLS_PK_EDDSA_ED25519: /* we do EdDSA */
- {
-diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c
-index fe4873fc8..6e907288e 100644
---- a/tests/sign-verify-deterministic.c
-+++ b/tests/sign-verify-deterministic.c
-@@ -154,29 +154,40 @@ void doit(void)
- gnutls_global_set_log_level(6);
-
- for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
-- success("testing: %s - %s\n", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo));
-+ success("testing: %s - %s", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo));
-+
-+ ret = gnutls_pubkey_init(&pubkey);
-+ if (ret < 0)
-+ testfail("gnutls_pubkey_init\n");
-
- ret = gnutls_privkey_init(&privkey);
- if (ret < 0)
- testfail("gnutls_privkey_init\n");
-
-+ signature.data = NULL;
-+ signature.size = 0;
-+
- ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0);
- if (ret < 0)
- testfail("gnutls_privkey_import_x509_raw\n");
-
- ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags,
- &tests[i].msg, &signature);
-- if (ret < 0)
-- testfail("gnutls_privkey_sign_data\n");
-+ if (gnutls_fips140_mode_enabled()) {
-+ /* deterministic ECDSA/DSA is prohibited under FIPS */
-+ if (ret != GNUTLS_E_INVALID_REQUEST)
-+ testfail("gnutls_privkey_sign_data unexpectedly succeeds\n");
-+ success(" - skipping\n");
-+ goto next;
-+ } else {
-+ if (ret < 0)
-+ testfail("gnutls_privkey_sign_data\n");
-+ }
-
- if (signature.size != tests[i].sig.size ||
- memcmp(signature.data, tests[i].sig.data, signature.size) != 0)
- testfail("signature does not match");
-
-- ret = gnutls_pubkey_init(&pubkey);
-- if (ret < 0)
-- testfail("gnutls_pubkey_init\n");
--
- ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0);
- if (ret < 0)
- testfail("gnutls_pubkey_import_privkey\n");
-@@ -186,7 +197,9 @@ void doit(void)
- &signature);
- if (ret < 0)
- testfail("gnutls_pubkey_verify_data2\n");
-+ success(" - pass");
-
-+ next:
- gnutls_free(signature.data);
- gnutls_privkey_deinit(privkey);
- gnutls_pubkey_deinit(pubkey);
---
-2.21.0
-
-From 6cb58f18280bedfec9d7c8ac411574b868b3d758 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Fri, 16 Aug 2019 14:59:03 +0200
-Subject: [PATCH] crypto-backend: always set sign_params.dsa_sig when ECDSA/DSA
-
-In FIPS selftests we create deterministic signature and the
-information about the digest algorithm is necessary.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/crypto-backend.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
-index 33eca6031..664ba4377 100644
---- a/lib/crypto-backend.h
-+++ b/lib/crypto-backend.h
-@@ -233,6 +233,9 @@ typedef enum {
- #define FIX_SIGN_PARAMS(params, flags, dig) do { \
- if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) { \
- (params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE; \
-+ } \
-+ if ((params).pk == GNUTLS_PK_DSA || \
-+ (params).pk == GNUTLS_PK_ECDSA) { \
- (params).dsa_dig = (dig); \
- } \
- } while (0)
---
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8-fips-rng-continuous.patch b/SOURCES/gnutls-3.6.8-fips-rng-continuous.patch
deleted file mode 100644
index 6a88e65..0000000
--- a/SOURCES/gnutls-3.6.8-fips-rng-continuous.patch
+++ /dev/null
@@ -1,203 +0,0 @@
-From c7a419e7868fd9342c1799a04d21c2ff6292c405 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Fri, 21 Jun 2019 15:49:26 +0200
-Subject: [PATCH] nettle/rnd-fips: add FIPS 140-2 continuous RNG test
-
-This adds a continuous random number generator test as defined in FIPS
-140-2 4.9.2, by iteratively fetching fixed sized block from the system
-and comparing consecutive blocks.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/nettle/rnd-fips.c | 102 +++++++++++++++++++++++++++++++++---------
- 1 file changed, 81 insertions(+), 21 deletions(-)
-
-diff --git a/lib/nettle/rnd-fips.c b/lib/nettle/rnd-fips.c
-index ee68cf68d..ccb92d25a 100644
---- a/lib/nettle/rnd-fips.c
-+++ b/lib/nettle/rnd-fips.c
-@@ -27,12 +27,13 @@
-
- #include "gnutls_int.h"
- #include "errors.h"
--#include <nettle/aes.h>
--#include <nettle/memxor.h>
--#include <locks.h>
-+#include <nettle/sha2.h>
- #include <atfork.h>
- #include <rnd-common.h>
-
-+/* The block size is chosen arbitrarily */
-+#define ENTROPY_BLOCK_SIZE SHA256_DIGEST_SIZE
-+
- /* This provides a random generator for gnutls. It uses
- * two instances of the DRBG-AES-CTR generator, one for
- * nonce level and another for the other levels of randomness.
-@@ -41,11 +42,13 @@ struct fips_ctx {
- struct drbg_aes_ctx nonce_context;
- struct drbg_aes_ctx normal_context;
- unsigned int forkid;
-+ uint8_t entropy_hash[SHA256_DIGEST_SIZE];
- };
-
- static int _rngfips_ctx_reinit(struct fips_ctx *fctx);
- static int _rngfips_ctx_init(struct fips_ctx *fctx);
--static int drbg_reseed(struct drbg_aes_ctx *ctx);
-+static int drbg_reseed(struct fips_ctx *fctx, struct drbg_aes_ctx *ctx);
-+static int get_entropy(struct fips_ctx *fctx, uint8_t *buffer, size_t length);
-
- static int get_random(struct drbg_aes_ctx *ctx, struct fips_ctx *fctx,
- void *buffer, size_t length)
-@@ -59,7 +62,7 @@ static int get_random(struct drbg_aes_ctx *ctx, struct fips_ctx *fctx,
- }
-
- if (ctx->reseed_counter > DRBG_AES_RESEED_TIME) {
-- ret = drbg_reseed(ctx);
-+ ret = drbg_reseed(fctx, ctx);
- if (ret < 0)
- return gnutls_assert_val(ret);
- }
-@@ -71,54 +74,111 @@ static int get_random(struct drbg_aes_ctx *ctx, struct fips_ctx *fctx,
- return 0;
- }
-
-+static int get_entropy(struct fips_ctx *fctx, uint8_t *buffer, size_t length)
-+{
-+ int ret;
-+ uint8_t block[ENTROPY_BLOCK_SIZE];
-+ uint8_t hash[SHA256_DIGEST_SIZE];
-+ struct sha256_ctx ctx;
-+ size_t total = 0;
-+
-+ /* For FIPS 140-2 4.9.2 continuous random number generator
-+ * test, iteratively fetch fixed sized block from the system
-+ * RNG and compare consecutive blocks.
-+ *
-+ * Note that we store the hash of the entropy block rather
-+ * than the block itself for backward secrecy.
-+ */
-+ while (total < length) {
-+ ret = _rnd_get_system_entropy(block, ENTROPY_BLOCK_SIZE);
-+ if (ret < 0)
-+ return gnutls_assert_val(ret);
-+
-+ sha256_init(&ctx);
-+ sha256_update(&ctx, sizeof(block), block);
-+ sha256_digest(&ctx, sizeof(hash), hash);
-+
-+ if (memcmp(hash, fctx->entropy_hash, sizeof(hash)) == 0) {
-+ _gnutls_switch_lib_state(LIB_STATE_ERROR);
-+ return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
-+ }
-+ memcpy(fctx->entropy_hash, hash, sizeof(hash));
-+
-+ memcpy(buffer, block, MIN(length - total, sizeof(block)));
-+ total += sizeof(block);
-+ buffer += sizeof(block);
-+ }
-+ zeroize_key(block, sizeof(block));
-+
-+ return 0;
-+}
-+
- #define PSTRING "gnutls-rng"
- #define PSTRING_SIZE (sizeof(PSTRING)-1)
--static int drbg_init(struct drbg_aes_ctx *ctx)
-+static int drbg_init(struct fips_ctx *fctx, struct drbg_aes_ctx *ctx)
- {
- uint8_t buffer[DRBG_AES_SEED_SIZE];
- int ret;
-
-- /* Get a key from the standard RNG or from the entropy source. */
-- ret = _rnd_get_system_entropy(buffer, sizeof(buffer));
-+ ret = get_entropy(fctx, buffer, sizeof(buffer));
- if (ret < 0)
- return gnutls_assert_val(ret);
-
-- ret = drbg_aes_init(ctx, sizeof(buffer), buffer, PSTRING_SIZE, (void*)PSTRING);
-+ ret = drbg_aes_init(ctx, sizeof(buffer), buffer,
-+ PSTRING_SIZE, (void*)PSTRING);
-+ zeroize_key(buffer, sizeof(buffer));
- if (ret == 0)
- return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
-
-- zeroize_key(buffer, sizeof(buffer));
--
-- return 0;
-+ return GNUTLS_E_SUCCESS;
- }
-
- /* Reseed a generator. */
--static int drbg_reseed(struct drbg_aes_ctx *ctx)
-+static int drbg_reseed(struct fips_ctx *fctx, struct drbg_aes_ctx *ctx)
- {
- uint8_t buffer[DRBG_AES_SEED_SIZE];
- int ret;
-
-- /* The other two generators are seeded from /dev/random. */
-- ret = _rnd_get_system_entropy(buffer, sizeof(buffer));
-+ ret = get_entropy(fctx, buffer, sizeof(buffer));
- if (ret < 0)
- return gnutls_assert_val(ret);
-
-- drbg_aes_reseed(ctx, sizeof(buffer), buffer, 0, NULL);
-+ ret = drbg_aes_reseed(ctx, sizeof(buffer), buffer, 0, NULL);
-+ zeroize_key(buffer, sizeof(buffer));
-+ if (ret == 0)
-+ return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
-
-- return 0;
-+ return GNUTLS_E_SUCCESS;
- }
-
- static int _rngfips_ctx_init(struct fips_ctx *fctx)
- {
-+ uint8_t block[ENTROPY_BLOCK_SIZE];
-+ struct sha256_ctx ctx;
- int ret;
-
-+ /* For FIPS 140-2 4.9.2 continuous random number generator
-+ * test, get the initial entropy from the system RNG and keep
-+ * it for comparison.
-+ *
-+ * Note that we store the hash of the entropy block rather
-+ * than the block itself for backward secrecy.
-+ */
-+ ret = _rnd_get_system_entropy(block, sizeof(block));
-+ if (ret < 0)
-+ return gnutls_assert_val(ret);
-+ sha256_init(&ctx);
-+ sha256_update(&ctx, sizeof(block), block);
-+ zeroize_key(block, sizeof(block));
-+ sha256_digest(&ctx, sizeof(fctx->entropy_hash), fctx->entropy_hash);
-+
- /* normal */
-- ret = drbg_init(&fctx->normal_context);
-+ ret = drbg_init(fctx, &fctx->normal_context);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
- /* nonce */
-- ret = drbg_init(&fctx->nonce_context);
-+ ret = drbg_init(fctx, &fctx->nonce_context);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
-@@ -132,12 +192,12 @@ static int _rngfips_ctx_reinit(struct fips_ctx *fctx)
- int ret;
-
- /* normal */
-- ret = drbg_reseed(&fctx->normal_context);
-+ ret = drbg_reseed(fctx, &fctx->normal_context);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
- /* nonce */
-- ret = drbg_reseed(&fctx->nonce_context);
-+ ret = drbg_reseed(fctx, &fctx->nonce_context);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
---
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8-fips-rsa-random-selftests.patch b/SOURCES/gnutls-3.6.8-fips-rsa-random-selftests.patch
deleted file mode 100644
index 93fdfe3..0000000
--- a/SOURCES/gnutls-3.6.8-fips-rsa-random-selftests.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From fbb6dd2a65c6fc7a2e9bd82fe66fde54f6cf2952 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Fri, 16 Aug 2019 17:01:05 +0200
-Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests
-
-Nettle's RSA signing, encryption and decryption functions still
-require randomness for blinding, so fallback to use a fixed buffer in
-selftests where entropy might not be available.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++++++----
- 1 file changed, 33 insertions(+), 4 deletions(-)
-
-diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
-index b2d27cf74..772fcdc21 100644
---- a/lib/nettle/pk.c
-+++ b/lib/nettle/pk.c
-@@ -94,6 +94,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
- nettle_mpz_get_str_256 (length, data, *k);
- }
-
-+static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
-+{
-+ if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) {
-+ _gnutls_switch_lib_state(LIB_STATE_ERROR);
-+ }
-+
-+ memset(data, 0xAA, length);
-+}
-+
- static void
- ecc_scalar_zclear (struct ecc_scalar *s)
- {
-@@ -435,6 +444,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
- case GNUTLS_PK_RSA:
- {
- struct rsa_public_key pub;
-+ nettle_random_func *random_func;
-
- ret = _rsa_params_to_pubkey(pk_params, &pub);
- if (ret < 0) {
-@@ -442,8 +452,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
- goto cleanup;
- }
-
-+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
-+ random_func = rnd_nonce_func_fallback;
-+ else
-+ random_func = rnd_nonce_func;
- ret =
-- rsa_encrypt(&pub, NULL, rnd_nonce_func,
-+ rsa_encrypt(&pub, NULL, random_func,
- plaintext->size, plaintext->data,
- p);
- if (ret == 0 || HAVE_LIB_ERROR()) {
-@@ -496,6 +510,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
- struct rsa_public_key pub;
- size_t length;
- bigint_t c;
-+ nettle_random_func *random_func;
-
- _rsa_params_to_privkey(pk_params, &priv);
- ret = _rsa_params_to_pubkey(pk_params, &pub);
-@@ -526,8 +541,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
- goto cleanup;
- }
-
-+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
-+ random_func = rnd_nonce_func_fallback;
-+ else
-+ random_func = rnd_nonce_func;
- ret =
-- rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func,
-+ rsa_decrypt_tr(&pub, &priv, NULL, random_func,
- &length, plaintext->data,
- TOMPZ(c));
- _gnutls_mpi_release(&c);
-@@ -573,6 +592,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
- bigint_t c;
- uint32_t is_err;
- int ret;
-+ nettle_random_func *random_func;
-
- if (algo != GNUTLS_PK_RSA || plaintext == NULL) {
- gnutls_assert();
-@@ -592,7 +612,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
- return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED);
- }
-
-- ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func,
-+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
-+ random_func = rnd_nonce_func_fallback;
-+ else
-+ random_func = rnd_nonce_func;
-+ ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func,
- plaintext_size, plaintext, TOMPZ(c));
- /* after this point, any conditional on failure that cause differences
- * in execution may create a timing or cache access pattern side
-@@ -942,6 +966,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
- {
- struct rsa_private_key priv;
- struct rsa_public_key pub;
-+ nettle_random_func *random_func;
- mpz_t s;
-
- _rsa_params_to_privkey(pk_params, &priv);
-@@ -952,8 +977,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
-
- mpz_init(s);
-
-+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
-+ random_func = rnd_nonce_func_fallback;
-+ else
-+ random_func = rnd_nonce_func;
- ret =
-- rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func,
-+ rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func,
- vdata->size, vdata->data, s);
- if (ret == 0 || HAVE_LIB_ERROR()) {
- gnutls_assert();
---
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8-fix-aead-cipher-encryptv2.patch b/SOURCES/gnutls-3.6.8-fix-aead-cipher-encryptv2.patch
deleted file mode 100644
index 0194c6c..0000000
--- a/SOURCES/gnutls-3.6.8-fix-aead-cipher-encryptv2.patch
+++ /dev/null
@@ -1,767 +0,0 @@
-From bbb312749780928cc10b45662c6d7eadcaa98f0b Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Thu, 3 Oct 2019 10:34:18 +0200
-Subject: [PATCH 1/3] iov: _gnutls_iov_iter_next: return bytes instead of
- blocks
-
-This eliminates the need of special handling of final block. Also
-adds more tests in exceptional cases.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/crypto-api.c | 82 +++++-------------------------
- lib/iov.c | 31 +++++++++---
- tests/iov.c | 126 ++++++++++++++++++++++++++++++++---------------
- 3 files changed, 121 insertions(+), 118 deletions(-)
-
-diff --git a/lib/crypto-api.c b/lib/crypto-api.c
-index 09b3d7bfc..41e759b74 100644
---- a/lib/crypto-api.c
-+++ b/lib/crypto-api.c
-@@ -992,9 +992,9 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
- uint8_t *dst;
- size_t dst_size, total = 0;
- uint8_t *p;
-+ size_t len;
- size_t blocksize = handle->ctx_enc.e->blocksize;
- struct iov_iter_st iter;
-- size_t blocks;
-
- /* Limitation: this function provides an optimization under the internally registered
- * AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(),
-@@ -1045,15 +1045,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
- return gnutls_assert_val(ret);
- if (ret == 0)
- break;
-- blocks = ret;
-- ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
-- blocksize * blocks);
-- if (unlikely(ret < 0))
-- return gnutls_assert_val(ret);
-- }
-- if (iter.block_offset > 0) {
-- ret = _gnutls_cipher_auth(&handle->ctx_enc,
-- iter.block, iter.block_offset);
-+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ret);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
-@@ -1070,29 +1062,15 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
- return gnutls_assert_val(ret);
- if (ret == 0)
- break;
-- blocks = ret;
-- if (unlikely(dst_size < blocksize * blocks))
-- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
-- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p,
-- blocksize * blocks,
-- dst, dst_size);
-- if (unlikely(ret < 0))
-- return gnutls_assert_val(ret);
-- DECR_LEN(dst_size, blocksize * blocks);
-- dst += blocksize * blocks;
-- total += blocksize * blocks;
-- }
-- if (iter.block_offset > 0) {
-- if (unlikely(dst_size < iter.block_offset))
-- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
-+ len = ret;
- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
-- iter.block, iter.block_offset,
-+ p, len,
- dst, dst_size);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
-- DECR_LEN(dst_size, iter.block_offset);
-- dst += iter.block_offset;
-- total += iter.block_offset;
-+ DECR_LEN(dst_size, len);
-+ dst += len;
-+ total += len;
- }
-
- if (dst_size < tag_size)
-@@ -1137,7 +1115,6 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
- uint8_t *p;
- ssize_t blocksize = handle->ctx_enc.e->blocksize;
- struct iov_iter_st iter;
-- size_t blocks;
- size_t _tag_size;
-
- if (tag_size == NULL || *tag_size == 0)
-@@ -1220,15 +1197,7 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
- return gnutls_assert_val(ret);
- if (ret == 0)
- break;
-- blocks = ret;
-- ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
-- blocksize * blocks);
-- if (unlikely(ret < 0))
-- return gnutls_assert_val(ret);
-- }
-- if (iter.block_offset > 0) {
-- ret = _gnutls_cipher_auth(&handle->ctx_enc,
-- iter.block, iter.block_offset);
-+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ret);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
-@@ -1242,17 +1211,7 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
- return gnutls_assert_val(ret);
- if (ret == 0)
- break;
-- blocks = ret;
-- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
-- p, blocksize * blocks,
-- p, blocksize * blocks);
-- if (unlikely(ret < 0))
-- return gnutls_assert_val(ret);
-- }
-- if (iter.block_offset > 0) {
-- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
-- iter.block, iter.block_offset,
-- iter.block, iter.block_offset);
-+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, ret, p, ret);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
-@@ -1296,7 +1255,6 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
- uint8_t *p;
- ssize_t blocksize = handle->ctx_enc.e->blocksize;
- struct iov_iter_st iter;
-- size_t blocks;
- uint8_t _tag[MAX_HASH_SIZE];
-
- if (tag_size == 0)
-@@ -1370,15 +1328,7 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
- return gnutls_assert_val(ret);
- if (ret == 0)
- break;
-- blocks = ret;
-- ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
-- blocksize * blocks);
-- if (unlikely(ret < 0))
-- return gnutls_assert_val(ret);
-- }
-- if (iter.block_offset > 0) {
-- ret = _gnutls_cipher_auth(&handle->ctx_enc,
-- iter.block, iter.block_offset);
-+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ret);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
-@@ -1392,17 +1342,7 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
- return gnutls_assert_val(ret);
- if (ret == 0)
- break;
-- blocks = ret;
-- ret = _gnutls_cipher_decrypt2(&handle->ctx_enc,
-- p, blocksize * blocks,
-- p, blocksize * blocks);
-- if (unlikely(ret < 0))
-- return gnutls_assert_val(ret);
-- }
-- if (iter.block_offset > 0) {
-- ret = _gnutls_cipher_decrypt2(&handle->ctx_enc,
-- iter.block, iter.block_offset,
-- iter.block, iter.block_offset);
-+ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, p, ret, p, ret);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
-diff --git a/lib/iov.c b/lib/iov.c
-index 5dc29c54b..17272886c 100644
---- a/lib/iov.c
-+++ b/lib/iov.c
-@@ -58,8 +58,8 @@ _gnutls_iov_iter_init(struct iov_iter_st *iter,
- * @data: the return location of extracted data
- *
- * Retrieve block(s) pointed by @iter and advance it to the next
-- * position. It returns the number of consecutive blocks in @data.
-- * At the end of iteration, 0 is returned.
-+ * position. It returns the number of bytes in @data. At the end of
-+ * iteration, 0 is returned.
- *
- * If the data stored in @iter is not multiple of the block size, the
- * remaining data is stored in the "block" field of @iter with the
-@@ -88,25 +88,30 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data)
- if ((len % iter->block_size) == 0) {
- iter->iov_index++;
- iter->iov_offset = 0;
-- } else
-- iter->iov_offset +=
-- len - (len % iter->block_size);
-+ } else {
-+ len -= (len % iter->block_size);
-+ iter->iov_offset += len;
-+ }
-
- /* Return the blocks. */
- *data = p;
-- return len / iter->block_size;
-+ return len;
- }
-
- /* We can complete one full block to return. */
- block_left = iter->block_size - iter->block_offset;
- if (len >= block_left) {
- memcpy(iter->block + iter->block_offset, p, block_left);
-- iter->iov_offset += block_left;
-+ if (len == block_left) {
-+ iter->iov_index++;
-+ iter->iov_offset = 0;
-+ } else
-+ iter->iov_offset += block_left;
- iter->block_offset = 0;
-
- /* Return the filled block. */
- *data = iter->block;
-- return 1;
-+ return iter->block_size;
- }
-
- /* Not enough data for a full block, store in temp
-@@ -116,5 +121,15 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data)
- iter->iov_index++;
- iter->iov_offset = 0;
- }
-+
-+ if (iter->block_offset > 0) {
-+ size_t len = iter->block_offset;
-+
-+ /* Return the incomplete block. */
-+ *data = iter->block;
-+ iter->block_offset = 0;
-+ return len;
-+ }
-+
- return 0;
- }
-diff --git a/tests/iov.c b/tests/iov.c
-index eda5583a7..3d116b471 100644
---- a/tests/iov.c
-+++ b/tests/iov.c
-@@ -32,7 +32,6 @@ struct exp_st {
- ssize_t ret;
- size_t iov_index;
- size_t iov_offset;
-- size_t block_offset;
- };
-
- struct test_st {
-@@ -42,7 +41,6 @@ struct test_st {
- size_t block_size;
- const struct exp_st *exp;
- size_t expcnt;
-- size_t remaining;
- };
-
- static const giovec_t iov16[] = {
-@@ -53,40 +51,41 @@ static const giovec_t iov16[] = {
- };
-
- static const struct exp_st exp16_64[] = {
-- {1, 3, 16, 0},
-- {0, 0, 0, 0}
-+ {64, 4, 0},
-+ {0, 0, 0}
- };
-
- static const struct exp_st exp16_32[] = {
-- {1, 1, 16, 0},
-- {1, 3, 16, 0},
-- {0, 0, 0, 0}
-+ {32, 2, 0},
-+ {32, 4, 0},
-+ {0, 0, 0}
- };
-
- static const struct exp_st exp16_16[] = {
-- {1, 1, 0, 0},
-- {1, 2, 0, 0},
-- {1, 3, 0, 0},
-- {1, 4, 0, 0},
-- {0, 0, 0, 0}
-+ {16, 1, 0},
-+ {16, 2, 0},
-+ {16, 3, 0},
-+ {16, 4, 0},
-+ {0, 0, 0}
- };
-
- static const struct exp_st exp16_4[] = {
-- {4, 1, 0, 0},
-- {4, 2, 0, 0},
-- {4, 3, 0, 0},
-- {4, 4, 0, 0},
-- {0, 0, 0, 0}
-+ {16, 1, 0},
-+ {16, 2, 0},
-+ {16, 3, 0},
-+ {16, 4, 0},
-+ {0, 0, 0}
- };
-
- static const struct exp_st exp16_3[] = {
-- {5, 0, 15, 0},
-- {1, 1, 2, 0},
-- {4, 1, 14, 0},
-- {1, 2, 1, 0},
-- {5, 3, 0, 0},
-- {5, 3, 15, 0},
-- {0, 0, 0, 1}
-+ {15, 0, 15},
-+ {3, 1, 2},
-+ {12, 1, 14},
-+ {3, 2, 1},
-+ {15, 3, 0},
-+ {15, 3, 15},
-+ {1, 4, 0},
-+ {0, 0, 0}
- };
-
- static const giovec_t iov8[] = {
-@@ -97,22 +96,74 @@ static const giovec_t iov8[] = {
- };
-
- static const struct exp_st exp8_64[] = {
-- {0, 0, 0, 32}
-+ {32, 4, 0},
-+ {0, 0, 0}
-+};
-+
-+static const giovec_t iov_odd[] = {
-+ {(void *) "0", 1},
-+ {(void *) "012", 3},
-+ {(void *) "01234", 5},
-+ {(void *) "0123456", 7},
-+ {(void *) "012345678", 9},
-+ {(void *) "01234567890", 11},
-+ {(void *) "0123456789012", 13},
-+ {(void *) "012345678901234", 15}
-+};
-+
-+static const struct exp_st exp_odd_16[] = {
-+ {16, 4, 0},
-+ {16, 5, 7},
-+ {16, 6, 12},
-+ {16, 8, 0},
-+ {0, 0, 0}
-+};
-+
-+static const giovec_t iov_skip[] = {
-+ {(void *) "0123456789012345", 16},
-+ {(void *) "01234567", 8},
-+ {(void *) "", 0},
-+ {(void *) "", 0},
-+ {(void *) "0123456789012345", 16}
-+};
-+
-+static const struct exp_st exp_skip_16[] = {
-+ {16, 1, 0},
-+ {16, 4, 8},
-+ {8, 5, 0},
-+ {0, 0, 0}
-+};
-+
-+static const giovec_t iov_empty[] = {
-+ {(void *) "", 0},
-+ {(void *) "", 0},
-+ {(void *) "", 0},
-+ {(void *) "", 0}
-+};
-+
-+static const struct exp_st exp_empty_16[] = {
-+ {0, 0, 0}
- };
-
- static const struct test_st tests[] = {
- { "16/64", iov16, sizeof(iov16)/sizeof(iov16[0]), 64,
-- exp16_64, sizeof(exp16_64)/sizeof(exp16_64[0]), 0 },
-+ exp16_64, sizeof(exp16_64)/sizeof(exp16_64[0]) },
- { "16/32", iov16, sizeof(iov16)/sizeof(iov16[0]), 32,
-- exp16_32, sizeof(exp16_32)/sizeof(exp16_32[0]), 0 },
-+ exp16_32, sizeof(exp16_32)/sizeof(exp16_32[0]) },
- { "16/16", iov16, sizeof(iov16)/sizeof(iov16[0]), 16,
-- exp16_16, sizeof(exp16_16)/sizeof(exp16_16[0]), 0 },
-+ exp16_16, sizeof(exp16_16)/sizeof(exp16_16[0]) },
- { "16/4", iov16, sizeof(iov16)/sizeof(iov16[0]), 4,
-- exp16_4, sizeof(exp16_4)/sizeof(exp16_4[0]), 0 },
-+ exp16_4, sizeof(exp16_4)/sizeof(exp16_4[0]) },
- { "16/3", iov16, sizeof(iov16)/sizeof(iov16[0]), 3,
-- exp16_3, sizeof(exp16_3)/sizeof(exp16_3[0]), 1 },
-+ exp16_3, sizeof(exp16_3)/sizeof(exp16_3[0]) },
- { "8/64", iov8, sizeof(iov8)/sizeof(iov8[0]), 64,
-- exp8_64, sizeof(exp8_64)/sizeof(exp8_64[0]), 32 }
-+ exp8_64, sizeof(exp8_64)/sizeof(exp8_64[0]) },
-+ { "odd/16", iov_odd, sizeof(iov_odd)/sizeof(iov_odd[0]), 16,
-+ exp_odd_16, sizeof(exp_odd_16)/sizeof(exp_odd_16[0]) },
-+ { "skip/16", iov_skip, sizeof(iov_skip)/sizeof(iov_skip[0]), 16,
-+ exp_skip_16, sizeof(exp_skip_16)/sizeof(exp_skip_16[0]) },
-+ { "empty/16", iov_empty, sizeof(iov_empty)/sizeof(iov_empty[0]), 16,
-+ exp_empty_16, sizeof(exp_empty_16)/sizeof(exp_empty_16[0]) },
- };
-
- void
-@@ -155,16 +206,13 @@ doit (void)
- else if (debug)
- success("iter.iov_offset: %u == %u\n",
- (unsigned) iter.iov_offset, (unsigned) exp[j].iov_offset);
-- if (iter.block_offset != exp[j].block_offset)
-- fail("iter.block_offset: %u != %u\n",
-- (unsigned) iter.block_offset, (unsigned) exp[j].block_offset);
-+ if (iter.block_offset != 0)
-+ fail("iter.block_offset: %u != 0\n",
-+ (unsigned) iter.block_offset);
- else if (debug)
-- success("iter.block_offset: %u == %u\n",
-- (unsigned) iter.block_offset, (unsigned) exp[j].block_offset);
-+ success("iter.block_offset: %u == 0\n",
-+ (unsigned) iter.block_offset);
- }
- }
-- if (iter.block_offset != tests[i].remaining)
-- fail("remaining: %u != %u\n",
-- (unsigned) iter.block_offset, (unsigned) tests[i].remaining);
- }
- }
---
-2.21.0
-
-
-From c684814cc456a9792a9183ce77d32d435f29e6b7 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Tue, 1 Oct 2019 18:14:48 +0200
-Subject: [PATCH 2/3] iov: add _gnutls_iov_iter_sync to write back cached data
- to iov
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/iov.c | 59 +++++++++++++++++++++++++++++++++++++++++++++
- lib/iov.h | 4 +++-
- lib/libgnutls.map | 1 +
- tests/iov.c | 61 +++++++++++++++++++++++++++++++++++++++++++----
- 4 files changed, 119 insertions(+), 6 deletions(-)
-
-diff --git a/lib/iov.c b/lib/iov.c
-index 17272886c..1cd8d46dd 100644
---- a/lib/iov.c
-+++ b/lib/iov.c
-@@ -133,3 +133,62 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data)
-
- return 0;
- }
-+
-+/**
-+ * _gnutls_iov_iter_sync:
-+ * @iter: the iterator
-+ * @data: data returned by _gnutls_iov_iter_next
-+ * @data_size: size of @data
-+ *
-+ * Flush the content of temp buffer (if any) to the data buffer.
-+ */
-+int
-+_gnutls_iov_iter_sync(struct iov_iter_st *iter, const uint8_t *data,
-+ size_t data_size)
-+{
-+ size_t iov_index;
-+ size_t iov_offset;
-+
-+ /* We didn't return the cached block. */
-+ if (data != iter->block)
-+ return 0;
-+
-+ iov_index = iter->iov_index;
-+ iov_offset = iter->iov_offset;
-+
-+ /* When syncing a cache block we walk backwards because we only have a
-+ * pointer to were the block ends in the iovec, walking backwards is
-+ * fine as we are always writing a full block, so the whole content
-+ * is written in the right places:
-+ * iovec: |--0--|---1---|--2--|-3-|
-+ * block: |-----------------------|
-+ * 1st write |---|
-+ * 2nd write |-----
-+ * 3rd write |-------
-+ * last write |-----
-+ */
-+ while (data_size > 0) {
-+ const giovec_t *iov;
-+ uint8_t *p;
-+ size_t to_write;
-+
-+ while (iov_offset == 0) {
-+ if (unlikely(iov_index == 0))
-+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
-+
-+ iov_index--;
-+ iov_offset = iter->iov[iov_index].iov_len;
-+ }
-+
-+ iov = &iter->iov[iov_index];
-+ p = iov->iov_base;
-+ to_write = MIN(data_size, iov_offset);
-+
-+ iov_offset -= to_write;
-+ data_size -= to_write;
-+
-+ memcpy(p + iov_offset, &iter->block[data_size], to_write);
-+ }
-+
-+ return 0;
-+}
-diff --git a/lib/iov.h b/lib/iov.h
-index 47fba559a..5b9903460 100644
---- a/lib/iov.h
-+++ b/lib/iov.h
-@@ -34,7 +34,6 @@ struct iov_iter_st {
- uint8_t block[MAX_CIPHER_BLOCK_SIZE]; /* incomplete block for reading */
- size_t block_size; /* actual block size of the cipher */
- size_t block_offset; /* offset in block */
--
- };
-
- int _gnutls_iov_iter_init(struct iov_iter_st *iter,
-@@ -43,4 +42,7 @@ int _gnutls_iov_iter_init(struct iov_iter_st *iter,
-
- ssize_t _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data);
-
-+int _gnutls_iov_iter_sync(struct iov_iter_st *iter, const uint8_t *data,
-+ size_t data_size);
-+
- #endif /* GNUTLS_LIB_IOV_H */
-diff --git a/lib/libgnutls.map b/lib/libgnutls.map
-index f83a21e9b..d6973f72e 100644
---- a/lib/libgnutls.map
-+++ b/lib/libgnutls.map
-@@ -1394,4 +1394,5 @@ GNUTLS_PRIVATE_3_4 {
- # needed by tests/iov:
- _gnutls_iov_iter_init;
- _gnutls_iov_iter_next;
-+ _gnutls_iov_iter_sync;
- } GNUTLS_3_4;
-diff --git a/tests/iov.c b/tests/iov.c
-index 3d116b471..2acd2b5f5 100644
---- a/tests/iov.c
-+++ b/tests/iov.c
-@@ -44,10 +44,10 @@ struct test_st {
- };
-
- static const giovec_t iov16[] = {
-- {(void *) "0123456789abcdef", 16},
-- {(void *) "0123456789abcdef", 16},
-- {(void *) "0123456789abcdef", 16},
-- {(void *) "0123456789abcdef", 16}
-+ {(void *) "0123456789012345", 16},
-+ {(void *) "0123456789012345", 16},
-+ {(void *) "0123456789012345", 16},
-+ {(void *) "0123456789012345", 16}
- };
-
- static const struct exp_st exp16_64[] = {
-@@ -166,20 +166,53 @@ static const struct test_st tests[] = {
- exp_empty_16, sizeof(exp_empty_16)/sizeof(exp_empty_16[0]) },
- };
-
-+static void
-+copy(giovec_t *dst, uint8_t *buffer, const giovec_t *src, size_t iovcnt)
-+{
-+ uint8_t *p = buffer;
-+ size_t i;
-+
-+ for (i = 0; i < iovcnt; i++) {
-+ dst[i].iov_base = p;
-+ dst[i].iov_len = src[i].iov_len;
-+ memcpy(dst[i].iov_base, src[i].iov_base, src[i].iov_len);
-+ p += src[i].iov_len;
-+ }
-+}
-+
-+static void
-+translate(uint8_t *data, size_t len)
-+{
-+ for (; len > 0; len--) {
-+ uint8_t *p = &data[len - 1];
-+ if (*p >= '0' && *p <= '9')
-+ *p = 'A' + *p - '0';
-+ else if (*p >= 'A' && *p <= 'Z')
-+ *p = '0' + *p - 'A';
-+ }
-+}
-+
-+#define MAX_BUF 1024
-+#define MAX_IOV 16
-+
- void
- doit (void)
- {
-+ uint8_t buffer[MAX_BUF];
- size_t i;
-
- for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
-+ giovec_t iov[MAX_IOV];
- struct iov_iter_st iter;
- const struct exp_st *exp = tests[i].exp;
- uint8_t *data;
- size_t j;
-
-+ copy(iov, buffer, tests[i].iov, tests[i].iovcnt);
-+
- success("%s\n", tests[i].name);
- assert(_gnutls_iov_iter_init(&iter,
-- tests[i].iov, tests[i].iovcnt,
-+ iov, tests[i].iovcnt,
- tests[i].block_size) == 0);
- for (j = 0; j < tests[i].expcnt; j++) {
- ssize_t ret;
-@@ -212,7 +245,25 @@ doit (void)
- else if (debug)
- success("iter.block_offset: %u == 0\n",
- (unsigned) iter.block_offset);
-+
-+ translate(data, ret);
-+
-+ ret = _gnutls_iov_iter_sync(&iter, data, ret);
-+ if (ret < 0)
-+ fail("sync failed\n");
- }
- }
-+
-+ for (j = 0; j < tests[i].iovcnt; j++) {
-+ translate(iov[j].iov_base, iov[j].iov_len);
-+
-+ if (memcmp(iov[j].iov_base, tests[i].iov[j].iov_base,
-+ iov[j].iov_len) != 0)
-+ fail("iov doesn't match: %*s != %*s\n",
-+ (int)iov[j].iov_len,
-+ (char *)iov[j].iov_base,
-+ (int)tests[i].iov[j].iov_len,
-+ (char *)tests[i].iov[j].iov_len);
-+ }
- }
- }
---
-2.21.0
-
-
-From 6df0cf1c0ec727fc237a9b429684c8f2ef5d34b7 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Tue, 1 Oct 2019 18:15:19 +0200
-Subject: [PATCH 3/3] gnutls_aead_cipher_{en,de}cryptv2: write back cached data
- to buffers
-
-Previously, those functions failed to write the output to the buffers
-if the buffer length is not multiple of cipher block size. This makes
-sure that the cached data is always flushed.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/crypto-api.c | 18 ++++++++++++++++--
- tests/aead-cipher-vec.c | 14 ++++++++------
- 2 files changed, 24 insertions(+), 8 deletions(-)
-
-diff --git a/lib/crypto-api.c b/lib/crypto-api.c
-index 41e759b74..7308d7e7b 100644
---- a/lib/crypto-api.c
-+++ b/lib/crypto-api.c
-@@ -1113,6 +1113,7 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
- api_aead_cipher_hd_st *h = handle;
- ssize_t ret;
- uint8_t *p;
-+ size_t len;
- ssize_t blocksize = handle->ctx_enc.e->blocksize;
- struct iov_iter_st iter;
- size_t _tag_size;
-@@ -1211,7 +1212,13 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
- return gnutls_assert_val(ret);
- if (ret == 0)
- break;
-- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, ret, p, ret);
-+
-+ len = ret;
-+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, len, p, len);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+
-+ ret = _gnutls_iov_iter_sync(&iter, p, len);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
-@@ -1253,6 +1260,7 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
- api_aead_cipher_hd_st *h = handle;
- ssize_t ret;
- uint8_t *p;
-+ size_t len;
- ssize_t blocksize = handle->ctx_enc.e->blocksize;
- struct iov_iter_st iter;
- uint8_t _tag[MAX_HASH_SIZE];
-@@ -1342,7 +1350,13 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
- return gnutls_assert_val(ret);
- if (ret == 0)
- break;
-- ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, p, ret, p, ret);
-+
-+ len = ret;
-+ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, p, len, p, len);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+
-+ ret = _gnutls_iov_iter_sync(&iter, p, len);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
-diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c
-index 6c2542cf1..10e3db862 100644
---- a/tests/aead-cipher-vec.c
-+++ b/tests/aead-cipher-vec.c
-@@ -43,9 +43,9 @@ static void start(const char *name, int algo)
- uint8_t key16[64];
- uint8_t iv16[32];
- uint8_t auth[128];
-- uint8_t data[128+64];
-+ uint8_t data[64+56+36];
- gnutls_datum_t key, iv;
-- giovec_t iov[2];
-+ giovec_t iov[3];
- giovec_t auth_iov[2];
- uint8_t tag[64];
- size_t tag_size = 0;
-@@ -60,13 +60,15 @@ static void start(const char *name, int algo)
-
- memset(iv.data, 0xff, iv.size);
- memset(key.data, 0xfe, key.size);
-- memset(data, 0xfa, 128);
-+ memset(data, 0xfa, sizeof(data));
- memset(auth, 0xaa, sizeof(auth));
-
- iov[0].iov_base = data;
- iov[0].iov_len = 64;
- iov[1].iov_base = data + 64;
-- iov[1].iov_len = 64;
-+ iov[1].iov_len = 56;
-+ iov[2].iov_base = data + 64 + 56;
-+ iov[2].iov_len = 36;
-
- auth_iov[0].iov_base = auth;
- auth_iov[0].iov_len = 64;
-@@ -83,7 +85,7 @@ static void start(const char *name, int algo)
- ret = gnutls_aead_cipher_encryptv2(ch,
- iv.data, iv.size,
- auth_iov, 2,
-- iov, 2,
-+ iov, 3,
- tag, &tag_size);
- if (ret < 0)
- fail("could not encrypt data: %s\n", gnutls_strerror(ret));
-@@ -91,7 +93,7 @@ static void start(const char *name, int algo)
- ret = gnutls_aead_cipher_decryptv2(ch,
- iv.data, iv.size,
- auth_iov, 2,
-- iov, 2,
-+ iov, 3,
- tag, tag_size);
- if (ret < 0)
- fail("could not decrypt data: %s\n", gnutls_strerror(ret));
---
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8-fix-cfb8-decrypt.patch b/SOURCES/gnutls-3.6.8-fix-cfb8-decrypt.patch
deleted file mode 100644
index 738069b..0000000
--- a/SOURCES/gnutls-3.6.8-fix-cfb8-decrypt.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-From 1c2135506825ae80966fe2797613806916b7e3c0 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Wed, 6 Nov 2019 12:07:24 +0100
-Subject: [PATCH 1/2] nettle: backport fixes to cfb8_decrypt
-
-cfb8: don't truncate output IV if input is shorter than block size:
-https://git.lysator.liu.se/nettle/nettle/commit/f4a9c842621baf5d71aa9cc3989851f44dc46861
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/nettle/backport/cfb8.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/lib/nettle/backport/cfb8.c b/lib/nettle/backport/cfb8.c
-index e9816feb7..1762192f4 100644
---- a/lib/nettle/backport/cfb8.c
-+++ b/lib/nettle/backport/cfb8.c
-@@ -110,10 +110,12 @@ cfb8_decrypt(const void *ctx, nettle_cipher_func *f,
- src += i;
- dst += i;
-
-- memcpy(buffer, buffer + block_size, block_size);
-- memcpy(buffer + block_size, src,
-- length < block_size ? length : block_size);
--
-+ if (i == block_size)
-+ {
-+ memcpy(buffer, buffer + block_size, block_size);
-+ memcpy(buffer + block_size, src,
-+ length < block_size ? length : block_size);
-+ }
- }
-
- memcpy(iv, buffer + i, block_size);
---
-2.21.0
-
-
-From cc01347302678719f0bcfb4f3383fe0f1e905ed8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 6 Nov 2019 13:17:57 +0100
-Subject: [PATCH 2/2] crypto-selftests: test CFB8 ciphers with different
- chunksizes
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/crypto-selftests.c | 124 +++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 118 insertions(+), 6 deletions(-)
-
-diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c
-index 6caf817e8..5f0a4ec8b 100644
---- a/lib/crypto-selftests.c
-+++ b/lib/crypto-selftests.c
-@@ -710,6 +710,107 @@ static int test_cipher(gnutls_cipher_algorithm_t cipher,
- return 0;
- }
-
-+static int test_cipher_all_block_sizes(gnutls_cipher_algorithm_t cipher,
-+ const struct cipher_vectors_st *vectors,
-+ size_t vectors_size, unsigned flags)
-+{
-+ gnutls_cipher_hd_t hd;
-+ int ret;
-+ unsigned int i;
-+ uint8_t tmp[384];
-+ gnutls_datum_t key, iv = {NULL, 0};
-+ size_t block;
-+ size_t offset;
-+
-+ for (i = 0; i < vectors_size; i++) {
-+ for (block = 1; block <= vectors[i].plaintext_size; block++) {
-+ key.data = (void *) vectors[i].key;
-+ key.size = vectors[i].key_size;
-+
-+ iv.data = (void *) vectors[i].iv;
-+ iv.size = gnutls_cipher_get_iv_size(cipher);
-+
-+ if (iv.size != vectors[i].iv_size)
-+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
-+
-+ ret = gnutls_cipher_init(&hd, cipher, &key, &iv);
-+ if (ret < 0) {
-+ _gnutls_debug_log("error initializing: %s\n",
-+ gnutls_cipher_get_name(cipher));
-+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
-+ }
-+
-+ for (offset = 0;
-+ offset < vectors[i].plaintext_size;
-+ offset += block) {
-+ ret =
-+ gnutls_cipher_encrypt2(hd,
-+ vectors[i].plaintext + offset,
-+ MIN(block, vectors[i].plaintext_size - offset),
-+ tmp + offset,
-+ sizeof(tmp) - offset);
-+ if (ret < 0)
-+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
-+ }
-+
-+ if (memcmp
-+ (tmp, vectors[i].ciphertext,
-+ vectors[i].plaintext_size) != 0) {
-+ _gnutls_debug_log("%s encryption of test vector %d failed with block size %d/%d!\n",
-+ gnutls_cipher_get_name(cipher),
-+ i, (int)block, (int)vectors[i].plaintext_size);
-+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
-+ }
-+
-+ gnutls_cipher_deinit(hd);
-+ }
-+ }
-+
-+ for (i = 0; i < vectors_size; i++) {
-+ for (block = 1; block <= vectors[i].plaintext_size; block++) {
-+ key.data = (void *) vectors[i].key;
-+ key.size = vectors[i].key_size;
-+
-+ iv.data = (void *) vectors[i].iv;
-+ iv.size = gnutls_cipher_get_iv_size(cipher);
-+
-+ ret = gnutls_cipher_init(&hd, cipher, &key, &iv);
-+ if (ret < 0)
-+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
-+
-+ for (offset = 0;
-+ offset + block <= vectors[i].plaintext_size;
-+ offset += block) {
-+ ret =
-+ gnutls_cipher_decrypt2(hd,
-+ vectors[i].ciphertext + offset,
-+ MIN(block, vectors[i].plaintext_size - offset),
-+ tmp + offset,
-+ sizeof(tmp) - offset);
-+ if (ret < 0)
-+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
-+ }
-+
-+ if (memcmp
-+ (tmp, vectors[i].plaintext,
-+ vectors[i].plaintext_size) != 0) {
-+ _gnutls_debug_log("%s decryption of test vector %d failed with block size %d!\n",
-+ gnutls_cipher_get_name(cipher),
-+ i, (int)block);
-+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
-+ }
-+
-+ gnutls_cipher_deinit(hd);
-+ }
-+ }
-+
-+ _gnutls_debug_log
-+ ("%s self check succeeded\n",
-+ gnutls_cipher_get_name(cipher));
-+
-+ return 0;
-+}
-+
- /* AEAD modes (compat APIs) */
- static int test_cipher_aead_compat(gnutls_cipher_algorithm_t cipher,
- const struct cipher_aead_vectors_st *vectors,
-@@ -1721,6 +1822,14 @@ static int test_mac(gnutls_mac_algorithm_t mac,
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL) || ret < 0) \
- return ret
-
-+#define CASE2(x, func, func2, vectors) case x: \
-+ ret = func(x, V(vectors), flags); \
-+ if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL) || ret < 0) \
-+ return ret; \
-+ ret = func2(x, V(vectors), flags); \
-+ if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL) || ret < 0) \
-+ return ret
-+
- #define NON_FIPS_CASE(x, func, vectors) case x: \
- if (_gnutls_fips_mode_enabled() == 0) { \
- ret = func(x, V(vectors), flags); \
-@@ -1786,14 +1895,17 @@ int gnutls_cipher_self_test(unsigned flags, gnutls_cipher_algorithm_t cipher)
- NON_FIPS_CASE(GNUTLS_CIPHER_CHACHA20_POLY1305, test_cipher_aead,
- chacha_poly1305_vectors);
- FALLTHROUGH;
-- CASE(GNUTLS_CIPHER_AES_128_CFB8, test_cipher,
-- aes128_cfb8_vectors);
-+ CASE2(GNUTLS_CIPHER_AES_128_CFB8, test_cipher,
-+ test_cipher_all_block_sizes,
-+ aes128_cfb8_vectors);
- FALLTHROUGH;
-- CASE(GNUTLS_CIPHER_AES_192_CFB8, test_cipher,
-- aes192_cfb8_vectors);
-+ CASE2(GNUTLS_CIPHER_AES_192_CFB8, test_cipher,
-+ test_cipher_all_block_sizes,
-+ aes192_cfb8_vectors);
- FALLTHROUGH;
-- CASE(GNUTLS_CIPHER_AES_256_CFB8, test_cipher,
-- aes256_cfb8_vectors);
-+ CASE2(GNUTLS_CIPHER_AES_256_CFB8, test_cipher,
-+ test_cipher_all_block_sizes,
-+ aes256_cfb8_vectors);
- FALLTHROUGH;
- CASE(GNUTLS_CIPHER_AES_128_XTS, test_cipher,
- aes128_xts_vectors);
---
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8-multiple-key-updates.patch b/SOURCES/gnutls-3.6.8-multiple-key-updates.patch
deleted file mode 100644
index 720ada3..0000000
--- a/SOURCES/gnutls-3.6.8-multiple-key-updates.patch
+++ /dev/null
@@ -1,286 +0,0 @@
-From 6023c69c616d866e19ab1c0bb87931e5143c79d3 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Wed, 5 Jun 2019 16:48:39 +0200
-Subject: [PATCH] tls13/key_update: ignore multiple key updates instead of
- error
-
-This fixes the multiple KeyUpdate messages handling in commit
-65e2aa80d114d4bef095d129c2eda475e473244a, where illegal_parameter is
-sent even if the limit doesn't exceed.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- .gitignore | 1 +
- lib/tls13/key_update.c | 2 -
- tests/Makefile.am | 2 +
- tests/tls13/key_update_multiple.c | 232 ++++++++++++++++++++++++++++++
- 4 files changed, 235 insertions(+), 2 deletions(-)
- create mode 100644 tests/tls13/key_update_multiple.c
-
-diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
-index d542a214b..c6f6e0aa1 100644
---- a/lib/tls13/key_update.c
-+++ b/lib/tls13/key_update.c
-@@ -117,8 +117,6 @@ int _gnutls13_recv_key_update(gnutls_session_t session, gnutls_buffer_st *buf)
- session->internals.rsend_state = RECORD_SEND_KEY_UPDATE_1;
- else if (session->internals.rsend_state == RECORD_SEND_CORKED)
- session->internals.rsend_state = RECORD_SEND_CORKED_TO_KU;
-- else
-- return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
-
- break;
- default:
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index ca0481879..4ffa69825 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -119,6 +119,8 @@ ctests += tls13/psk-ext
-
- ctests += tls13/key_update
-
-+ctests += tls13/key_update_multiple
-+
- ctests += tls13/key_limits
-
- ctests += tls13/multi-ocsp
-diff --git a/tests/tls13/key_update_multiple.c b/tests/tls13/key_update_multiple.c
-new file mode 100644
-index 000000000..8b2c2db4b
---- /dev/null
-+++ b/tests/tls13/key_update_multiple.c
-@@ -0,0 +1,232 @@
-+/*
-+ * Copyright (C) 2017-2019 Red Hat, Inc.
-+ *
-+ * Author: Daiki Ueno
-+ *
-+ * This file is part of GnuTLS.
-+ *
-+ * GnuTLS is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * GnuTLS is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program. If not, see <https://www.gnu.org/licenses/>
-+ */
-+
-+#ifdef HAVE_CONFIG_H
-+#include <config.h>
-+#endif
-+
-+#include <stdbool.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <errno.h>
-+#include <gnutls/gnutls.h>
-+#include <gnutls/crypto.h>
-+#include <assert.h>
-+#include "cert-common.h"
-+
-+#include "utils.h"
-+#include "virt-time.h"
-+#define RANDOMIZE
-+#include "eagain-common.h"
-+
-+const char *side = "";
-+
-+/* This program tests whether multiple key update messages are handled
-+ * properly with rate-limit. */
-+
-+static void tls_log_func(int level, const char *str)
-+{
-+ fprintf(stderr, "%s|<%d>| %s", side, level, str);
-+}
-+
-+#define MAX_BUF 1024
-+#define MSG "Hello TLS, and hi and how are you and more data here... and more... and even more and even more more data..."
-+
-+/* These must match the definitions in lib/tls13/key_update.c. */
-+#define KEY_UPDATES_WINDOW 1000
-+#define KEY_UPDATES_PER_WINDOW 8
-+
-+static unsigned key_update_msg_inc = 0;
-+static unsigned key_update_msg_out = 0;
-+
-+static int hsk_callback(gnutls_session_t session, unsigned int htype,
-+ unsigned post, unsigned int incoming, const gnutls_datum_t *msg)
-+{
-+ assert(post == GNUTLS_HOOK_PRE);
-+
-+ assert(msg->size == 1);
-+
-+ if (htype == GNUTLS_HANDSHAKE_KEY_UPDATE) {
-+ if (incoming)
-+ key_update_msg_inc++;
-+ else
-+ key_update_msg_out++;
-+ }
-+
-+ return 0;
-+}
-+
-+static void run(const char *name, bool exceed_limit)
-+{
-+ /* Server stuff. */
-+ gnutls_certificate_credentials_t ccred;
-+ gnutls_certificate_credentials_t scred;
-+ gnutls_session_t server;
-+ int sret, cret;
-+ /* Client stuff. */
-+ gnutls_session_t client;
-+ /* Need to enable anonymous KX specifically. */
-+ char buffer[MAX_BUF + 1];
-+ int ret, transferred = 0;
-+ size_t i;
-+
-+ success("%s\n", name);
-+
-+ /* General init. */
-+ global_init();
-+ gnutls_global_set_log_function(tls_log_func);
-+ if (debug)
-+ gnutls_global_set_log_level(9);
-+
-+ /* Init server */
-+ assert(gnutls_certificate_allocate_credentials(&scred) >= 0);
-+ assert(gnutls_certificate_set_x509_key_mem(scred,
-+ &server_ca3_localhost_cert,
-+ &server_ca3_key,
-+ GNUTLS_X509_FMT_PEM) >= 0);
-+
-+ assert(gnutls_init(&server, GNUTLS_SERVER) >= 0);
-+ ret =
-+ gnutls_priority_set_direct(server,
-+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3",
-+ NULL);
-+ if (ret < 0)
-+ exit(1);
-+
-+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
-+ gnutls_transport_set_push_function(server, server_push);
-+ gnutls_transport_set_pull_function(server, server_pull);
-+ gnutls_transport_set_ptr(server, server);
-+
-+ /* Init client */
-+ assert(gnutls_certificate_allocate_credentials(&ccred) >= 0);
-+ assert(gnutls_certificate_set_x509_trust_mem
-+ (ccred, &ca3_cert, GNUTLS_X509_FMT_PEM) >= 0);
-+
-+ gnutls_init(&client, GNUTLS_CLIENT);
-+ ret =
-+ gnutls_priority_set_direct(client,
-+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3",
-+ NULL);
-+ assert(ret >= 0);
-+
-+ ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred);
-+ if (ret < 0)
-+ exit(1);
-+
-+ gnutls_transport_set_push_function(client, client_push);
-+ gnutls_transport_set_pull_function(client, client_pull);
-+ gnutls_transport_set_ptr(client, client);
-+
-+
-+ HANDSHAKE(client, server);
-+ if (debug)
-+ success("Handshake established\n");
-+
-+ key_update_msg_inc = 0;
-+ key_update_msg_out = 0;
-+
-+ gnutls_handshake_set_hook_function(client, -1, GNUTLS_HOOK_PRE, hsk_callback);
-+
-+ /* schedule multiple key updates */
-+ for (i = 0; i < KEY_UPDATES_PER_WINDOW; i++) {
-+ do {
-+ ret = gnutls_session_key_update(client, 1);
-+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
-+ if (ret < 0)
-+ fail("error in key update: %s\n", gnutls_strerror(ret));
-+ }
-+
-+ /* server receives the client key update and sends data */
-+ TRANSFER(client, server, MSG, strlen(MSG), buffer, MAX_BUF);
-+ TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF);
-+ EMPTY_BUF(server, client, buffer, MAX_BUF);
-+
-+ if (key_update_msg_out != KEY_UPDATES_PER_WINDOW)
-+ fail("unexpected number of key updates are sent: %d\n",
-+ key_update_msg_out);
-+ else {
-+ if (debug)
-+ success("successfully sent %d key updates\n",
-+ KEY_UPDATES_PER_WINDOW);
-+ }
-+ if (key_update_msg_inc != 1)
-+ fail("unexpected number of key updates received: %d\n",
-+ key_update_msg_inc);
-+ else {
-+ if (debug)
-+ success("successfully received 1 key update\n");
-+ }
-+
-+ if (exceed_limit) {
-+ /* excessive key update in the same time window should
-+ * be rejected by the peer */
-+ do {
-+ ret = gnutls_session_key_update(client, 1);
-+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
-+
-+ /* server receives the client key update and sends data */
-+ ret = record_send_loop(client, MSG, strlen(MSG), 0);
-+ assert(ret == strlen(MSG));
-+ ret = gnutls_record_recv(server, buffer, MAX_BUF);
-+ if (ret != GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS)
-+ fail("server didn't reject excessive number of key updates\n");
-+ else {
-+ if (debug)
-+ success("server rejected excessive number of key updates\n");
-+ }
-+ } else {
-+ virt_sec_sleep(KEY_UPDATES_WINDOW / 1000 + 1);
-+
-+ /* the time window should be rolled over now */
-+ do {
-+ ret = gnutls_session_key_update(client, 1);
-+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
-+ if (ret < 0)
-+ fail("error in key update: %s\n", gnutls_strerror(ret));
-+
-+ /* server receives the client key update and sends data */
-+ TRANSFER(client, server, MSG, strlen(MSG), buffer, MAX_BUF);
-+ TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF);
-+ EMPTY_BUF(server, client, buffer, MAX_BUF);
-+ }
-+
-+ gnutls_bye(client, GNUTLS_SHUT_WR);
-+ gnutls_bye(server, GNUTLS_SHUT_WR);
-+
-+ gnutls_deinit(client);
-+ gnutls_deinit(server);
-+
-+ gnutls_certificate_free_credentials(scred);
-+ gnutls_certificate_free_credentials(ccred);
-+
-+ gnutls_global_deinit();
-+ reset_buffers();
-+}
-+
-+void doit(void)
-+{
-+ virt_time_init();
-+
-+ run("not exceeding limit", 0);
-+ run("exceeding limit", 1);
-+}
---
-2.20.1
-
diff --git a/SOURCES/gnutls-3.6.8-pkcs11-login-error.patch b/SOURCES/gnutls-3.6.8-pkcs11-login-error.patch
deleted file mode 100644
index 6135dca..0000000
--- a/SOURCES/gnutls-3.6.8-pkcs11-login-error.patch
+++ /dev/null
@@ -1,265 +0,0 @@
-From fa5147c86941512921282b84819b896a0d4f29bb Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Wed, 19 Jun 2019 17:21:16 +0200
-Subject: [PATCH] pkcs11: ignore login error when traversing tokens
-
-If a token is a general access device, it is expected that login
-attempt to that token returns error:
-https://github.com/p11-glue/p11-kit/blob/master/trust/module.c#L852
-
-On the other hand, _pkcs11_traverse_tokens treats the error as fatal
-and stops iteration. This behavior prevents object search without
-token specifier if such tokens are registered in the system.
-
-Reported by Stanislav Zidek in
-https://bugzilla.redhat.com/show_bug.cgi?id=1705478
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- .gitignore | 1 +
- lib/pkcs11.c | 8 +-
- tests/Makefile.am | 2 +-
- tests/p11-kit-load.sh | 23 ++++++
- tests/pkcs11/list-objects.c | 150 ++++++++++++++++++++++++++++++++++++
- 5 files changed, 182 insertions(+), 2 deletions(-)
- create mode 100644 tests/pkcs11/list-objects.c
-
-diff --git a/lib/pkcs11.c b/lib/pkcs11.c
-index de5309b29..2ef0e3e02 100644
---- a/lib/pkcs11.c
-+++ b/lib/pkcs11.c
-@@ -1617,7 +1617,13 @@ _pkcs11_traverse_tokens(find_func_t find_func, void *input,
- info, flags);
- if (ret < 0) {
- gnutls_assert();
-- return ret;
-+ pkcs11_close_session(&sinfo);
-+
-+ /* treat the error as fatal only if
-+ * the token requires login */
-+ if (l_tinfo.flags & CKF_LOGIN_REQUIRED)
-+ return ret;
-+ continue;
- }
-
- ret =
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index a67f1549c..7fe954f63 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -496,7 +496,7 @@ dist_check_SCRIPTS += p11-kit-trust.sh testpkcs11.sh certtool-pkcs11.sh
- if HAVE_PKCS11_TRUST_STORE
- if P11KIT_0_23_11_API
- dist_check_SCRIPTS += p11-kit-load.sh
--indirect_tests += pkcs11/list-tokens
-+indirect_tests += pkcs11/list-tokens pkcs11/list-objects
- endif
- endif
-
-diff --git a/tests/p11-kit-load.sh b/tests/p11-kit-load.sh
-index 3201a2c5f..419900f6a 100755
---- a/tests/p11-kit-load.sh
-+++ b/tests/p11-kit-load.sh
-@@ -22,6 +22,7 @@
- srcdir="${srcdir:-.}"
- builddir="${builddir:-.}"
- CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
-+P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}"
- DIFF="${DIFF:-diff}"
- PKGCONFIG="${PKG_CONFIG:-$(which pkg-config)}"
- TMP_SOFTHSM_DIR="./softhsm-load.$$.tmp"
-@@ -90,6 +91,12 @@ if test $? != 0; then
- exit 1
- fi
-
-+GNUTLS_PIN="${PIN}" ${P11TOOL} --login --label GnuTLS-Test-RSA --generate-privkey rsa --provider "${SOFTHSM_MODULE}" pkcs11: --outfile /dev/null
-+if test $? != 0; then
-+ echo "failed to generate privkey"
-+ exit 1
-+fi
-+
- FILTERTOKEN="sed s/token=.*//g"
-
- # Check whether both are listed
-@@ -175,6 +182,22 @@ if test "$nr" != 2;then
- exit 1
- fi
-
-+# Check whether public key and privkey are listed.
-+nr=$(GNUTLS_PIN="${PIN}" ${builddir}/pkcs11/list-objects -o ${P11DIR} -t all pkcs11:token=GnuTLS-Test|sort -u|wc -l)
-+if test "$nr" != 2;then
-+ echo "Error in test 8: did not find all objects"
-+ ${builddir}/pkcs11/list-objects -o ${P11DIR} -t all pkcs11:token=GnuTLS-Test
-+ exit 1
-+fi
-+
-+# Check whether all privkeys are listed even if trust module is registered.
-+nr=$(GNUTLS_PIN="${PIN}" ${builddir}/pkcs11/list-objects -o ${P11DIR} -t privkey pkcs11:|sort -u|wc -l)
-+if test "$nr" != 1;then
-+ echo "Error in test 9: did not find privkey objects"
-+ ${builddir}/pkcs11/list-objects -o ${P11DIR} -t privkey pkcs11:
-+ exit 1
-+fi
-+
- rm -f ${P11DIR}/*
- rm -rf ${TMP_SOFTHSM_DIR}
-
-diff --git a/tests/pkcs11/list-objects.c b/tests/pkcs11/list-objects.c
-new file mode 100644
-index 000000000..ab30cd568
---- /dev/null
-+++ b/tests/pkcs11/list-objects.c
-@@ -0,0 +1,150 @@
-+/*
-+ * Copyright (C) 2016-2017 Red Hat, Inc.
-+ *
-+ * Author: Nikos Mavrogiannopoulos
-+ *
-+ * This file is part of GnuTLS.
-+ *
-+ * GnuTLS is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * GnuTLS is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program. If not, see <https://www.gnu.org/licenses/>
-+ */
-+
-+#ifdef HAVE_CONFIG_H
-+#include <config.h>
-+#endif
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <unistd.h>
-+#include <sys/types.h>
-+#include <sys/wait.h>
-+
-+#include <gnutls/gnutls.h>
-+#include <gnutls/x509.h>
-+#include <gnutls/abstract.h>
-+#include <getopt.h>
-+#define P11_KIT_FUTURE_UNSTABLE_API
-+#include <p11-kit/p11-kit.h>
-+#include "cert-common.h"
-+
-+/* lists the registered PKCS#11 modules by p11-kit.
-+ */
-+
-+static void tls_log_func(int level, const char *str)
-+{
-+ fprintf(stderr, "|<%d>| %s", level, str);
-+}
-+
-+static const char *opt_pin;
-+
-+static
-+int pin_func(void* userdata, int attempt, const char* url, const char *label,
-+ unsigned flags, char *pin, size_t pin_max)
-+{
-+ if (attempt == 0) {
-+ strcpy(pin, opt_pin);
-+ return 0;
-+ }
-+ return -1;
-+}
-+
-+int main(int argc, char **argv)
-+{
-+ int ret;
-+ unsigned i;
-+ int opt;
-+ char *url, *mod;
-+ unsigned flags;
-+ unsigned obj_flags = 0;
-+ int attrs = GNUTLS_PKCS11_OBJ_ATTR_ALL;
-+ gnutls_pkcs11_obj_t *crt_list;
-+ unsigned int crt_list_size = 0;
-+ const char *envvar;
-+
-+ ret = gnutls_global_init();
-+ if (ret != 0) {
-+ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret));
-+ exit(1);
-+ }
-+
-+ gnutls_global_set_log_function(tls_log_func);
-+
-+ while((opt = getopt(argc, argv, "o:t:")) != -1) {
-+ switch(opt) {
-+ case 'o':
-+ mod = strdup(optarg);
-+ p11_kit_override_system_files(NULL, NULL, mod, mod, NULL);
-+ break;
-+ case 't':
-+ /* specify the object type to list */
-+ if (strcmp(optarg, "all") == 0)
-+ attrs = GNUTLS_PKCS11_OBJ_ATTR_ALL;
-+ else if (strcmp(optarg, "privkey") == 0)
-+ attrs = GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY;
-+ else {
-+ fprintf(stderr, "Unknown object type %s\n", optarg);
-+ exit(1);
-+ }
-+ break;
-+ default:
-+ fprintf(stderr, "Unknown option %c\n", (char)opt);
-+ exit(1);
-+ }
-+ }
-+
-+ if (optind == argc) {
-+ fprintf(stderr, "specify URL\n");
-+ exit(1);
-+ }
-+ url = argv[optind];
-+
-+ envvar = getenv("GNUTLS_PIN");
-+ if (envvar && *envvar != '\0') {
-+ opt_pin = envvar;
-+ obj_flags |= GNUTLS_PKCS11_OBJ_FLAG_LOGIN;
-+ gnutls_pkcs11_set_pin_function(pin_func, NULL);
-+ }
-+
-+ ret = gnutls_pkcs11_token_get_flags(url, &flags);
-+ if (ret < 0) {
-+ flags = 0;
-+ }
-+
-+ ret =
-+ gnutls_pkcs11_obj_list_import_url2(&crt_list, &crt_list_size,
-+ url, attrs, obj_flags);
-+ if (ret != 0) {
-+ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret));
-+ exit(1);
-+ }
-+
-+ for (i = 0; i < crt_list_size; i++) {
-+ char *output;
-+
-+ ret =
-+ gnutls_pkcs11_obj_export_url(crt_list[i], 0,
-+ &output);
-+ if (ret != 0) {
-+ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret));
-+ exit(1);
-+ }
-+
-+ fprintf(stdout, "%s\n", output);
-+ gnutls_free(output);
-+ gnutls_pkcs11_obj_deinit(crt_list[i]);
-+ }
-+ gnutls_free(crt_list);
-+
-+ gnutls_global_deinit();
-+}
---
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8-session-ticket-ub.patch b/SOURCES/gnutls-3.6.8-session-ticket-ub.patch
deleted file mode 100644
index 96e11f7..0000000
--- a/SOURCES/gnutls-3.6.8-session-ticket-ub.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 1f6bbceeeeb613cf4d790874bdd1e917a7071159 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Mon, 8 Jul 2019 16:54:56 +0200
-Subject: [PATCH] ext/session_ticket: avoid calling memcpy on overlapping
- memory areas
-
-In _gnutls_encrypt_session_ticket, ticket.encrypted_state is allocated
-from ticket_data->data, thus those memory areas may overlap. Using
-memcpy here leads to undefined behavior.
-
-Spotted by valgrind run on ppc64le.
-
-==95231== Source and destination overlap in memcpy(0x47ce3a2, 0x47ce3a2, 160)
-==95231== at 0x408A840: memcpy (vg_replace_strmem.c:1023)
-==95231== by 0x424EE9F: pack_ticket (session_ticket.c:139)
-==95231== by 0x424FA4F: _gnutls_encrypt_session_ticket (session_ticket.c:335)
-==95231== by 0x4199E3B: generate_session_ticket (session_ticket.c:249)
-==95231== by 0x419A333: _gnutls13_send_session_ticket (session_ticket.c:307)
-==95231== by 0x40F8817: _gnutls13_handshake_server (handshake-tls13.c:511)
-==95231== by 0x4110DEB: handshake_server (handshake.c:3331)
-==95231== by 0x410C70B: gnutls_handshake (handshake.c:2727)
-==95231== by 0x10009EBF: retry_handshake (serv.c:1306)
-==95231== by 0x1000AB67: tcp_server (serv.c:1500)
-==95231== by 0x10009E5B: main (serv.c:1297)
-==95231==
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/ext/session_ticket.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
-index 09e240c2d..98db39ff8 100644
---- a/lib/ext/session_ticket.c
-+++ b/lib/ext/session_ticket.c
-@@ -136,7 +136,11 @@ pack_ticket(const struct ticket_st *ticket, gnutls_datum_t *ticket_data)
- _gnutls_write_uint16(ticket->encrypted_state_len, p);
- p += 2;
-
-- memcpy(p, ticket->encrypted_state, ticket->encrypted_state_len);
-+ /* We use memmove instead of memcpy here because
-+ * ticket->encrypted_state is allocated from
-+ * ticket_data->data, and thus both memory areas may overlap.
-+ */
-+ memmove(p, ticket->encrypted_state, ticket->encrypted_state_len);
- p += ticket->encrypted_state_len;
-
- memcpy(p, ticket->mac, TICKET_MAC_SIZE);
---
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8.tar.xz.sig b/SOURCES/gnutls-3.6.8.tar.xz.sig
deleted file mode 100644
index d2f3862..0000000
Binary files a/SOURCES/gnutls-3.6.8.tar.xz.sig and /dev/null differ
diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec
index 007d302..d4caf4b 100644
--- a/SPECS/gnutls.spec
+++ b/SPECS/gnutls.spec
@@ -1,19 +1,10 @@
-Version: 3.6.8
-Release: 9%{?dist}
+Version: 3.6.14
+Release: 3%{?dist}
Patch1: gnutls-3.2.7-rpath.patch
Patch2: gnutls-3.6.4-no-now-guile.patch
-Patch3: gnutls-3.6.5-fix-fips-signature-post.patch
-Patch4: gnutls-3.6.8-fips-aes-cbc-kat.patch
-Patch5: gnutls-3.6.8-multiple-key-updates.patch
-Patch6: gnutls-3.6.8-fips-rng-continuous.patch
-Patch7: gnutls-3.6.8-session-ticket-ub.patch
-Patch8: gnutls-3.6.8-pkcs11-login-error.patch
-Patch9: gnutls-3.6.8-fips-deterministic-ecdsa.patch
-Patch10: gnutls-3.6.8-aead-cipher-encryptv2.patch
-Patch11: gnutls-3.6.8-fips-rsa-random-selftests.patch
-Patch12: gnutls-3.6.8-decr-len.patch
-Patch13: gnutls-3.6.8-fix-aead-cipher-encryptv2.patch
-Patch14: gnutls-3.6.8-fix-cfb8-decrypt.patch
+Patch3: gnutls-3.6.13-enable-intel-cet.patch
+Patch4: gnutls-3.6.14-autogen-int.patch
+Patch5: gnutls-3.6.14-fips-mode-check.patch
%bcond_without dane
%if 0%{?rhel}
%bcond_with guile
@@ -59,7 +50,7 @@ BuildRequires: guile-devel
URL: http://www.gnutls.org/
Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
-Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
# Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
Provides: bundled(gnulib) = 20130424
@@ -297,6 +288,27 @@ fi
%endif
%changelog
+* Fri Jun 5 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-3
+- Update gnutls-3.6.14-fips-mode-check.patch
+
+* Thu Jun 4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-2
+- Return false from gnutls_fips140_mode_enabled() if selftests failed (#1827687)
+
+* Thu Jun 4 2020 Daiki Ueno <dueno@redhat.com> - 3.6.14-1
+- Update to upstream 3.6.14 release
+
+* Mon May 25 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-3
+- Add an option to gnutls-cli to wait for resumption under TLS 1.3 (#1677754)
+
+* Wed May 20 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.6.13-2
+- Enable Intel CET (#1838476)
+
+* Tue May 5 2020 Daiki Ueno <dueno@redhat.com> - 3.6.13-1
+- Update to upstream 3.6.13 release
+
+* Tue Apr 21 2020 Daiki Ueno <dueno@redhat.com> - 3.6.8-10
+- Fix CVE-2020-11501 (#1822005)
+
* Wed Nov 6 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-9
- Fix CFB8 decryption when repeatedly called (#1757848)
- Fix gnutls_aead_cipher_{en,de}cryptv2 with input not multiple of block size (#1757856)