Initialize for libnettle

.gitignore

@@ -0,0 +1 @@
+nettle-3.8.1.tar.gz

.libnettle.metadata

@@ -0,0 +1 @@
+87fa5e15984973ea6125b258edf9ec4bdc8fbf003325e1a8484c7f3a48023bbd nettle-3.8.1.tar.gz

baselibs.conf

@@ -0,0 +1,3 @@
+libnettle8
+libnettle-devel
+libhogweed6

libnettle-PowerPC-Implement-Poly1305-single-block-update-based.patch

@@ -0,0 +1,537 @@
+From c4856c14c510afc2800d55deeba2a4537943906f Mon Sep 17 00:00:00 2001
+From: Maamoun TK <maamoun.tk@googlemail.com>
+Date: Sun, 29 May 2022 03:34:44 +0200
+Subject: [PATCH 0929/1000] [PowerPC] Implement Poly1305 single block update
+ based on radix 2^64
+
+---
+ Makefile.in                           |   2 +-
+ configure.ac                          |  15 +-
+ fat-ppc.c                             |  54 ++++++
+ fat-setup.h                           |   6 +
+ poly1305-internal.c                   |  22 +++
+ powerpc64/fat/poly1305-internal-2.asm |  39 +++++
+ powerpc64/p9/poly1305-internal.asm    | 238 ++++++++++++++++++++++++++
+ 7 files changed, 373 insertions(+), 3 deletions(-)
+ create mode 100644 powerpc64/fat/poly1305-internal-2.asm
+ create mode 100644 powerpc64/p9/poly1305-internal.asm
+
+diff --git a/Makefile.in b/Makefile.in
+index 65911e2a..11c88114 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -607,7 +607,7 @@ distdir: $(DISTFILES)
+ 		x86_64 x86_64/aesni x86_64/sha_ni x86_64/pclmul x86_64/fat \
+ 		arm arm/neon arm/v6 arm/fat \
+ 		arm64 arm64/crypto arm64/fat \
+-		powerpc64 powerpc64/p7 powerpc64/p8 powerpc64/fat \
++		powerpc64 powerpc64/p7 powerpc64/p8 powerpc64/p9 powerpc64/fat \
+ 		s390x s390x/vf s390x/msa s390x/msa_x1 s390x/msa_x2 s390x/msa_x4 s390x/fat ; do \
+ 	  mkdir "$(distdir)/$$d" ; \
+ 	  find "$(srcdir)/$$d" -maxdepth 1 '(' -name '*.asm' -o -name '*.m4' -o -name README ')' \
+diff --git a/configure.ac b/configure.ac
+index 73c6fc21..b68b9e23 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -105,6 +105,10 @@ AC_ARG_ENABLE(power-altivec,
+   AC_HELP_STRING([--enable-power-altivec], [Enable POWER altivec and vsx extensions. (default=no)]),,
+   [enable_altivec=no])
+ 
++AC_ARG_ENABLE(power9,
++  AC_HELP_STRING([--enable-power9], [Enable POWER ISA v3.0. (default=no)]),,
++  [enable_power9=no])
++
+ AC_ARG_ENABLE(s390x-vf,
+   AC_HELP_STRING([--enable-s390x-vf], [Enable vector facility on z/Architecture. (default=no)]),,
+   [enable_s390x_vf=no])
+@@ -539,9 +543,12 @@ if test "x$enable_assembler" = xyes ; then
+ 	if test "x$enable_fat" = xyes ; then
+ 	  asm_path="powerpc64/fat $asm_path"
+ 	  OPT_NETTLE_SOURCES="fat-ppc.c $OPT_NETTLE_SOURCES"
+-	  FAT_TEST_LIST="none crypto_ext altivec"
++	  FAT_TEST_LIST="none crypto_ext altivec power9"
+ 	else
+-	  if test "$enable_power_crypto_ext" = yes ; then
++	  if test "$enable_power9" = yes ; then
++	    asm_path="powerpc64/p9 $asm_path"
++	  fi
++    if test "$enable_power_crypto_ext" = yes ; then
+             asm_path="powerpc64/p8 $asm_path"
+ 	  fi
+ 	  if test "$enable_power_altivec" = yes ; then
+@@ -605,6 +612,7 @@ asm_nettle_optional_list="cpuid.asm cpu-facility.asm \
+   aes256-encrypt-2.asm aes256-decrypt-2.asm \
+   cbc-aes128-encrypt-2.asm cbc-aes192-encrypt-2.asm cbc-aes256-encrypt-2.asm \
+   chacha-2core.asm chacha-3core.asm chacha-4core.asm chacha-core-internal-2.asm \
++  poly1305-internal-2.asm \
+   ghash-set-key-2.asm ghash-update-2.asm \
+   salsa20-2core.asm salsa20-core-internal-2.asm \
+   sha1-compress-2.asm sha256-compress-2.asm \
+@@ -751,6 +759,9 @@ AH_VERBATIM([HAVE_NATIVE],
+ #undef HAVE_NATIVE_ecc_secp384r1_redc
+ #undef HAVE_NATIVE_ecc_secp521r1_modp
+ #undef HAVE_NATIVE_ecc_secp521r1_redc
++#undef HAVE_NATIVE_poly1305_set_key
++#undef HAVE_NATIVE_poly1305_block
++#undef HAVE_NATIVE_poly1305_digest
+ #undef HAVE_NATIVE_ghash_set_key
+ #undef HAVE_NATIVE_ghash_update
+ #undef HAVE_NATIVE_salsa20_core
+diff --git a/fat-ppc.c b/fat-ppc.c
+index bf622cf5..7569e44d 100644
+--- a/fat-ppc.c
++++ b/fat-ppc.c
+@@ -65,6 +65,7 @@
+ #include "aes-internal.h"
+ #include "chacha-internal.h"
+ #include "ghash-internal.h"
++#include "poly1305.h"
+ #include "fat-setup.h"
+ 
+ /* Defines from arch/powerpc/include/uapi/asm/cputable.h in Linux kernel */
+@@ -77,11 +78,15 @@
+ #ifndef PPC_FEATURE2_VEC_CRYPTO
+ #define PPC_FEATURE2_VEC_CRYPTO 0x02000000
+ #endif
++#ifndef PPC_FEATURE2_ARCH_3_00
++#define PPC_FEATURE2_ARCH_3_00 0x00800000
++#endif
+ 
+ struct ppc_features
+ {
+   int have_crypto_ext;
+   int have_altivec;
++  int have_power9;
+ };
+ 
+ #define MATCH(s, slen, literal, llen) \
+@@ -93,6 +98,7 @@ get_ppc_features (struct ppc_features *features)
+   const char *s;
+   features->have_crypto_ext = 0;
+   features->have_altivec = 0;
++  features->have_power9 = 0;
+ 
+   s = secure_getenv (ENV_OVERRIDE);
+   if (s)
+@@ -105,6 +111,8 @@ get_ppc_features (struct ppc_features *features)
+ 	  features->have_crypto_ext = 1;
+ 	else if (MATCH(s, length, "altivec", 7))
+ 	  features->have_altivec = 1;
++  else if (MATCH(s, length, "power9", 6))
++	  features->have_power9 = 1;
+ 	if (!sep)
+ 	  break;
+ 	s = sep + 1;
+@@ -136,6 +144,9 @@ get_ppc_features (struct ppc_features *features)
+       features->have_crypto_ext
+ 	= ((hwcap2 & PPC_FEATURE2_VEC_CRYPTO) == PPC_FEATURE2_VEC_CRYPTO);
+ 
++      features->have_power9
++	= ((hwcap2 & PPC_FEATURE2_ARCH_3_00) == PPC_FEATURE2_ARCH_3_00);
++
+       /* We also need VSX instructions, mainly for load and store. */
+       features->have_altivec
+ 	= ((hwcap & (PPC_FEATURE_HAS_ALTIVEC | PPC_FEATURE_HAS_VSX))
+@@ -172,6 +183,18 @@ DECLARE_FAT_FUNC(nettle_chacha_crypt32, chacha_crypt_func)
+ DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 1core)
+ DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 3core)
+ 
++DECLARE_FAT_FUNC(_nettle_poly1305_set_key, poly1305_set_key_func)
++DECLARE_FAT_FUNC_VAR(poly1305_set_key, poly1305_set_key_func, c)
++DECLARE_FAT_FUNC_VAR(poly1305_set_key, poly1305_set_key_func, ppc64)
++
++DECLARE_FAT_FUNC(_nettle_poly1305_block, poly1305_block_func)
++DECLARE_FAT_FUNC_VAR(poly1305_block, poly1305_block_func, c)
++DECLARE_FAT_FUNC_VAR(poly1305_block, poly1305_block_func, ppc64)
++
++DECLARE_FAT_FUNC(_nettle_poly1305_digest, poly1305_digest_func)
++DECLARE_FAT_FUNC_VAR(poly1305_digest, poly1305_digest_func, c)
++DECLARE_FAT_FUNC_VAR(poly1305_digest, poly1305_digest_func, ppc64)
++
+ static void CONSTRUCTOR
+ fat_init (void)
+ {
+@@ -220,6 +243,21 @@ fat_init (void)
+       nettle_chacha_crypt_vec = _nettle_chacha_crypt_1core;
+       nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_1core;
+     }
++
++  if (features.have_power9)
++    {
++      if (verbose)
++	fprintf (stderr, "libnettle: enabling arch 3.00 code.\n");
++      _nettle_poly1305_set_key_vec = _nettle_poly1305_set_key_ppc64;
++    _nettle_poly1305_block_vec = _nettle_poly1305_block_ppc64;
++    _nettle_poly1305_digest_vec = _nettle_poly1305_digest_ppc64;
++    }
++  else
++    {
++      _nettle_poly1305_set_key_vec = _nettle_poly1305_set_key_c;
++    _nettle_poly1305_block_vec = _nettle_poly1305_block_c;
++    _nettle_poly1305_digest_vec = _nettle_poly1305_digest_c;
++    }
+ }
+ 
+ DEFINE_FAT_FUNC(_nettle_aes_encrypt, void,
+@@ -261,3 +299,19 @@ DEFINE_FAT_FUNC(nettle_chacha_crypt32, void,
+ 		 uint8_t *dst,
+ 		 const uint8_t *src),
+ 		(ctx, length, dst, src))
++
++DEFINE_FAT_FUNC(_nettle_poly1305_set_key, void,
++		(struct poly1305_ctx *ctx,
++     const uint8_t *key),
++		(ctx, key))
++
++DEFINE_FAT_FUNC(_nettle_poly1305_block, void,
++		(struct poly1305_ctx *ctx,
++     const uint8_t *m,
++     unsigned high),
++		(ctx, m, high))
++
++DEFINE_FAT_FUNC(_nettle_poly1305_digest, void,
++		(struct poly1305_ctx *ctx,
++     union nettle_block16 *s),
++		(ctx, s))
+diff --git a/fat-setup.h b/fat-setup.h
+index e77cce02..ad3c10f0 100644
+--- a/fat-setup.h
++++ b/fat-setup.h
+@@ -196,6 +196,12 @@ typedef void chacha_crypt_func(struct chacha_ctx *ctx,
+ 			       uint8_t *dst,
+ 			       const uint8_t *src);
+ 
++struct poly1305_ctx;
++typedef void poly1305_set_key_func(struct poly1305_ctx *ctx, const uint8_t *key);
++typedef void poly1305_digest_func(struct poly1305_ctx *ctx, union nettle_block16 *s);
++typedef void poly1305_block_func(struct poly1305_ctx *ctx, const uint8_t *m,
++			     unsigned high);
++
+ struct aes128_ctx;
+ typedef void aes128_set_key_func (struct aes128_ctx *ctx, const uint8_t *key);
+ typedef void aes128_invert_key_func (struct aes128_ctx *dst, const struct aes128_ctx *src);
+diff --git a/poly1305-internal.c b/poly1305-internal.c
+index 490fdf71..380b934e 100644
+--- a/poly1305-internal.c
++++ b/poly1305-internal.c
+@@ -85,6 +85,28 @@
+ #define h3 h.h32[3]
+ #define h4 hh
+ 
++/* For fat builds */
++#if HAVE_NATIVE_poly1305_set_key
++void
++_nettle_poly1305_set_key_c(struct poly1305_ctx *ctx,
++	       const uint8_t key[16]);
++# define _nettle_poly1305_set_key _nettle_poly1305_set_key_c
++#endif
++
++#if HAVE_NATIVE_poly1305_block
++void
++_nettle_poly1305_block_c(struct poly1305_ctx *ctx, const uint8_t *m,
++	       unsigned t4);
++# define _nettle_poly1305_block _nettle_poly1305_block_c
++#endif
++
++#if HAVE_NATIVE_poly1305_digest
++void
++_nettle_poly1305_digest_c(struct poly1305_ctx *ctx,
++	       union nettle_block16 *s);
++# define _nettle_poly1305_digest _nettle_poly1305_digest_c
++#endif
++
+ void
+ _nettle_poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16])
+ {
+diff --git a/powerpc64/fat/poly1305-internal-2.asm b/powerpc64/fat/poly1305-internal-2.asm
+new file mode 100644
+index 00000000..177a4563
+--- /dev/null
++++ b/powerpc64/fat/poly1305-internal-2.asm
+@@ -0,0 +1,39 @@
++C powerpc64/fat/poly1305-internal-2.asm
++
++ifelse(`
++   Copyright (C) 2022 Mamone Tarsha
++
++   This file is part of GNU Nettle.
++
++   GNU Nettle is free software: you can redistribute it and/or
++   modify it under the terms of either:
++
++     * the GNU Lesser General Public License as published by the Free
++       Software Foundation; either version 3 of the License, or (at your
++       option) any later version.
++
++   or
++
++     * the GNU General Public License as published by the Free
++       Software Foundation; either version 2 of the License, or (at your
++       option) any later version.
++
++   or both in parallel, as here.
++
++   GNU Nettle is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   General Public License for more details.
++
++   You should have received copies of the GNU General Public License and
++   the GNU Lesser General Public License along with this program.  If
++   not, see http://www.gnu.org/licenses/.
++')
++
++dnl picked up by configure
++dnl PROLOGUE(_nettle_poly1305_set_key)
++dnl PROLOGUE(_nettle_poly1305_block)
++dnl PROLOGUE(_nettle_poly1305_digest)
++
++define(`fat_transform', `$1_ppc64')
++include_src(`powerpc64/p9/poly1305-internal.asm')
+diff --git a/powerpc64/p9/poly1305-internal.asm b/powerpc64/p9/poly1305-internal.asm
+new file mode 100644
+index 00000000..238d6397
+--- /dev/null
++++ b/powerpc64/p9/poly1305-internal.asm
+@@ -0,0 +1,238 @@
++C powerpc64/p9/poly1305-internal.asm
++
++ifelse(`
++   Copyright (C) 2013, 2022 Niels Möller
++   Copyright (C) 2022 Mamone Tarsha
++   This file is part of GNU Nettle.
++
++   GNU Nettle is free software: you can redistribute it and/or
++   modify it under the terms of either:
++
++     * the GNU Lesser General Public License as published by the Free
++       Software Foundation; either version 3 of the License, or (at your
++       option) any later version.
++
++   or
++
++     * the GNU General Public License as published by the Free
++       Software Foundation; either version 2 of the License, or (at your
++       option) any later version.
++
++   or both in parallel, as here.
++
++   GNU Nettle is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   General Public License for more details.
++
++   You should have received copies of the GNU General Public License and
++   the GNU Lesser General Public License along with this program.  If
++   not, see http://www.gnu.org/licenses/.
++')
++
++C Register usage:
++
++define(`SP', `r1')
++define(`TOCP', `r2')
++
++C Argments
++define(`CTX', `r3')
++define(`M', `r4')
++define(`M128', `r5')
++
++C Working state
++define(`H0', `r6')
++define(`H1', `r7')
++define(`H2', `r8')
++define(`T0', `r9')
++define(`T1', `r10')
++define(`T2', `r8')
++define(`T2A', `r9')
++define(`T2S', `r10')
++define(`IDX', `r6')
++define(`RZ', `r7')
++
++define(`ZERO', `v0')
++define(`F0', `v1')
++define(`F1', `v2')
++define(`F0S', `v3')
++define(`T', `v4')
++
++define(`R', `v5')
++define(`S', `v6')
++
++define(`T00', `v7')
++define(`T10', `v8')
++define(`T11', `v9')
++define(`MU0', `v10')
++define(`MU1', `v11')
++define(`TMP', `v12')
++
++.text
++
++C _poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16])
++define(`FUNC_ALIGN', `5')
++PROLOGUE(_nettle_poly1305_set_key)
++	li			r9, 0
++	addis		r5, TOCP, .key_mask@got@ha
++	ld			r5, .key_mask@got@l(r5)
++	ld			r8, 0(r5)
++	ori			r7, r8, 3
++
++	C Load R_0 and R_1
++IF_LE(`
++	ld			r5, 0(r4)
++	ld			r6, 8(r4)
++')
++IF_BE(`
++	ldbrx		r5, 0, r4
++	addi		r4, r4, 8
++	ldbrx		r6, 0, r4
++')
++	and			r5, r5, r7        C R_0 &= 0x0FFFFFFC0FFFFFFF
++	and			r6, r6, r8        C R_1 &= 0x0FFFFFFC0FFFFFFC
++
++	srdi		r10, r6, 2
++	sldi		r7, r5, 2
++	sldi		r8, r10, 2
++	add			r7, r7, r5
++	add			r8, r8, r10
++
++	C Store key
++	std			r5, 0(r3)
++	std			r6, 8(r3)
++	std			r7, 16(r3)
++	std			r8, 24(r3)
++	C Reset state
++	std			r9, 32(r3)
++	std			r9, 40(r3)
++	std			r9, 48(r3)
++
++	blr
++EPILOGUE(_nettle_poly1305_set_key)
++
++C void _nettle_poly1305_block(struct poly1305_ctx *ctx, const uint8_t *m, unsigned m128)
++define(`FUNC_ALIGN', `5')
++PROLOGUE(_nettle_poly1305_block)
++	ld			H0, 32(CTX)
++	ld			H1, 40(CTX)
++	ld			H2, 48(CTX)
++IF_LE(`
++	ld			T0, 0(M)
++	ld			T1, 8(M)
++')
++IF_BE(`
++	ldbrx		T0, 0, M
++	addi		M, M, 8
++	ldbrx		T0, 0, M
++')
++
++	addc		T0, T0, H0
++	adde		T1, T1, H1
++	adde		T2, M128, H2
++
++	mtvsrdd		VSR(T), T0, T1
++
++	li			IDX, 16
++	lxvd2x		VSR(R), 0, CTX
++	lxvd2x		VSR(S), IDX, CTX
++
++	andi.		T2A, T2, 3
++	srdi		T2S, T2, 2
++
++	li			RZ, 0
++	vxor		ZERO, ZERO, ZERO
++
++	xxpermdi	VSR(MU0), VSR(R), VSR(S), 0b01
++	xxswapd		VSR(MU1), VSR(R)
++
++	mtvsrdd		VSR(T11), 0, T2A
++	mtvsrdd		VSR(T00), T2S, RZ
++	mtvsrdd		VSR(T10), 0, T2
++
++	vmsumudm	F0, T, MU0, ZERO
++	vmsumudm	F1, T, MU1, ZERO
++	vmsumudm	TMP, T11, MU1, ZERO
++
++	vmsumudm	F0, T00, S, F0
++	vmsumudm	F1, T10, MU0, F1
++
++	xxmrgld		VSR(TMP), VSR(TMP), VSR(ZERO)
++	xxswapd		VSR(F0S), VSR(F0)
++	vadduqm		F1, F1, TMP
++	stxsd		F0S, 32(CTX)
++
++	li			IDX, 40
++	xxmrghd		VSR(F0), VSR(ZERO), VSR(F0)
++	vadduqm		F1, F1, F0
++	xxswapd		VSR(F1), VSR(F1)
++	stxvd2x		VSR(F1), IDX, CTX
++
++	blr
++EPILOGUE(_nettle_poly1305_block)
++
++C _poly1305_digest (struct poly1305_ctx *ctx, uint8_t *s)
++define(`FUNC_ALIGN', `5')
++PROLOGUE(_nettle_poly1305_digest)
++	C Load current state
++	ld			r5, 32(r3)
++	ld			r6, 40(r3)
++	ld			r7, 48(r3)
++
++	C Fold high part of H2
++	li			r10, 0
++	srdi		r9, r7, 2
++	sldi		r8, r9, 2
++	add			r8, r8, r9
++	andi.		r7, r7, 3
++	addc		r5, r5, r8
++	adde		r6, r6, r10
++	adde		r7, r7, r10
++
++	C Add 5 to state, save result if it carries
++	li			r8, 5
++	li			r9, 0
++	li			r10, -4
++	addc		r8, r8, r5
++	adde		r9, r9, r6
++	adde.		r10, r10, r7
++	iseleq		r5, r8, r5
++	iseleq		r6, r9, r6
++
++	C Load digest
++IF_LE(`
++	ld			r7, 0(r4)
++	ld			r8, 8(r4)
++')
++IF_BE(`
++	li			r10, 8
++	ldbrx		r7, 0, r4
++	ldbrx		r8, r10, r4
++')
++
++	C Add hash to digest
++	addc		r5, r5, r7
++	adde		r6, r6, r8
++
++	C Store digest
++IF_LE(`
++	std			r5, 0(r4)
++	std			r6, 8(r4)
++')
++IF_BE(`
++	stdbrx		r5, 0, r4
++	stdbrx		r6, r10, r4
++')
++	C Reset hash
++	li			r9, 0
++	std			r9, 32(r3)
++	std			r9, 40(r3)
++	std			r9, 48(r3)
++
++	blr
++EPILOGUE(_nettle_poly1305_digest)
++
++.data
++.align 3
++.key_mask:
++.quad 0x0FFFFFFC0FFFFFFC
+-- 
+2.38.0
+

libnettle-PowerPC-Use-defined-structure-constants-of-P1305-in.patch

@@ -0,0 +1,105 @@
+From 8c3c21180a9eadba6f946a193556832d1cdb6efa Mon Sep 17 00:00:00 2001
+From: Maamoun TK <maamoun.tk@googlemail.com>
+Date: Sat, 6 Aug 2022 05:09:55 +0000
+Subject: [PATCH 0957/1000] [PowerPC] Use defined structure constants of P1305
+ in asm.m4
+
+---
+ powerpc64/p9/poly1305-internal.asm | 40 +++++++++++++++---------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/powerpc64/p9/poly1305-internal.asm b/powerpc64/p9/poly1305-internal.asm
+index 238d6397..a082fed2 100644
+--- a/powerpc64/p9/poly1305-internal.asm
++++ b/powerpc64/p9/poly1305-internal.asm
+@@ -99,14 +99,14 @@ IF_BE(`
+ 	add			r8, r8, r10
+ 
+ 	C Store key
+-	std			r5, 0(r3)
+-	std			r6, 8(r3)
+-	std			r7, 16(r3)
+-	std			r8, 24(r3)
++	std			r5, P1305_R0 (r3)
++	std			r6, P1305_R1 (r3)
++	std			r7, P1305_S0 (r3)
++	std			r8, P1305_S1 (r3)
+ 	C Reset state
+-	std			r9, 32(r3)
+-	std			r9, 40(r3)
+-	std			r9, 48(r3)
++	std			r9, P1305_H0 (r3)
++	std			r9, P1305_H1 (r3)
++	std			r9, P1305_H2 (r3)
+ 
+ 	blr
+ EPILOGUE(_nettle_poly1305_set_key)
+@@ -114,9 +114,9 @@ EPILOGUE(_nettle_poly1305_set_key)
+ C void _nettle_poly1305_block(struct poly1305_ctx *ctx, const uint8_t *m, unsigned m128)
+ define(`FUNC_ALIGN', `5')
+ PROLOGUE(_nettle_poly1305_block)
+-	ld			H0, 32(CTX)
+-	ld			H1, 40(CTX)
+-	ld			H2, 48(CTX)
++	ld			H0, P1305_H0 (CTX)
++	ld			H1, P1305_H1 (CTX)
++	ld			H2, P1305_H2 (CTX)
+ IF_LE(`
+ 	ld			T0, 0(M)
+ 	ld			T1, 8(M)
+@@ -133,7 +133,7 @@ IF_BE(`
+ 
+ 	mtvsrdd		VSR(T), T0, T1
+ 
+-	li			IDX, 16
++	li			IDX, P1305_S0
+ 	lxvd2x		VSR(R), 0, CTX
+ 	lxvd2x		VSR(S), IDX, CTX
+ 
+@@ -160,9 +160,9 @@ IF_BE(`
+ 	xxmrgld		VSR(TMP), VSR(TMP), VSR(ZERO)
+ 	xxswapd		VSR(F0S), VSR(F0)
+ 	vadduqm		F1, F1, TMP
+-	stxsd		F0S, 32(CTX)
++	stxsd		F0S, P1305_H0 (CTX)
+ 
+-	li			IDX, 40
++	li			IDX, P1305_H1
+ 	xxmrghd		VSR(F0), VSR(ZERO), VSR(F0)
+ 	vadduqm		F1, F1, F0
+ 	xxswapd		VSR(F1), VSR(F1)
+@@ -175,9 +175,9 @@ C _poly1305_digest (struct poly1305_ctx *ctx, uint8_t *s)
+ define(`FUNC_ALIGN', `5')
+ PROLOGUE(_nettle_poly1305_digest)
+ 	C Load current state
+-	ld			r5, 32(r3)
+-	ld			r6, 40(r3)
+-	ld			r7, 48(r3)
++	ld			r5, P1305_H0 (r3)
++	ld			r6, P1305_H1 (r3)
++	ld			r7, P1305_H2 (r3)
+ 
+ 	C Fold high part of H2
+ 	li			r10, 0
+@@ -225,14 +225,14 @@ IF_BE(`
+ ')
+ 	C Reset hash
+ 	li			r9, 0
+-	std			r9, 32(r3)
+-	std			r9, 40(r3)
+-	std			r9, 48(r3)
++	std			r9, P1305_H0 (r3)
++	std			r9, P1305_H1 (r3)
++	std			r9, P1305_H2 (r3)
+ 
+ 	blr
+ EPILOGUE(_nettle_poly1305_digest)
+ 
+-.data
++.rodata
+ .align 3
+ .key_mask:
+ .quad 0x0FFFFFFC0FFFFFFC
+-- 
+2.38.0
+

libnettle-Workaround-for-qemu-bug-affecting-the-ppc-intruction.patch

@@ -0,0 +1,46 @@
+From d618864183ccfdcd0d1b5443111fbaf9a5934517 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sun, 14 Aug 2022 20:53:10 +0200
+Subject: [PATCH 0960/1000] Workaround for qemu bug affecting the ppc
+ intruction vmsumudm
+
+Introduce overriding environment variable NETTLE_FAT_DISABLE_POWER9
+that disables use of power9 code. This makes poly1305 tests under qemu
+pass. See https://gitlab.com/qemu-project/qemu/-/issues/1156.
+---
+ .gitlab-ci.yml | 4 ++--
+ fat-ppc.c      | 5 +++++
+ fat-setup.h    | 1 +
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fat-ppc.c b/fat-ppc.c
+index 7569e44d..b0412e5a 100644
+--- a/fat-ppc.c
++++ b/fat-ppc.c
+@@ -153,6 +153,11 @@ get_ppc_features (struct ppc_features *features)
+ 	   == (PPC_FEATURE_HAS_ALTIVEC | PPC_FEATURE_HAS_VSX));
+ #endif
+     }
++  /* NETTLE_FAT_DISABLE_POWER9 can be set to disable code that fails
++     in qemu, due to
++     https://gitlab.com/qemu-project/qemu/-/issues/1156. */
++  if (secure_getenv (ENV_DISABLE_POWER9))
++    features->have_power9 = 0;
+ }
+ 
+ DECLARE_FAT_FUNC(_nettle_aes_encrypt, aes_crypt_internal_func)
+diff --git a/fat-setup.h b/fat-setup.h
+index ad3c10f0..a35b8b8c 100644
+--- a/fat-setup.h
++++ b/fat-setup.h
+@@ -92,6 +92,7 @@
+ 
+ #define ENV_VERBOSE "NETTLE_FAT_VERBOSE"
+ #define ENV_OVERRIDE "NETTLE_FAT_OVERRIDE"
++#define ENV_DISABLE_POWER9 "NETTLE_FAT_DISABLE_POWER9"
+ 
+ struct chacha_ctx;
+ struct salsa20_ctx;
+-- 
+2.38.0
+

libnettle-rpmlintrc

@@ -0,0 +1,2 @@
+addFilter("libnettle.* hidden-file-or-dir .*hmac")
+addFilter("libhogweed.* hidden-file-or-dir .*hmac")

libnettle.changes

@@ -0,0 +1,451 @@
+* Fri Oct 21 2022 pmonreal@suse.com
+- POWER10 performance enhancements for cryptography [jsc#PED-546]
+  * Backport the P0 performance enhancements.
+  * Add patches:
+  - libnettle-PowerPC-Implement-Poly1305-single-block-update-based.patch
+  - libnettle-PowerPC-Use-defined-structure-constants-of-P1305-in.patch
+  - libnettle-Workaround-for-qemu-bug-affecting-the-ppc-intruction.patch
+* Thu Jul 28 2022 dmueller@suse.com
+- update to 3.8.1:
+  * Avoid non-posix m4 argument references in the chacha
+    implementation for arm64, powerpc64 and s390x. Reported by
+    Christian Weisgerber, fix contributed by Mamone Tarsha.
+  * Use explicit .machine pseudo-ops where needed in s390x
+    assembly files. Bug report by Andreas K. Huettel, fix
+    contributed by Mamone Tarsha.
+* Mon Jul 11 2022 dmueller@suse.com
+- update to 3.8:
+  This release includes a couple of new features, and many
+  performance improvements. It adds assembly code for two more
+  architectures: ARM64 and S390x.
+  The new version is intended to be fully source and binary
+  compatible with Nettle-3.6. The shared library names are
+  libnettle.so.8.5 and libhogweed.so.6.5, with sonames
+  libnettle.so.8 and libhogweed.so.6.
+  New features:
+  * AES keywrap (RFC 3394), contributed by Nicolas Mora.
+  * SM3 hash function, contributed by Tianjia Zhang.
+  * New functions cbc_aes128_encrypt, cbc_aes192_encrypt,
+    cbc_aes256_encrypt.
+    On processors where AES is fast enough, e.g., x86_64 with
+    aesni instructions, the overhead of using Nettle's general
+    cbc_encrypt can be significant. The new functions can be
+    implemented in assembly, to do multiple blocks with reduced
+    per-block overhead.
+    Note that there's no corresponding new decrypt functions,
+    since the general cbc_decrypt doesn't suffer from the same
+    performance problem.
+  Bug fixes:
+  * Fix fat builds for x86_64 windows, these appear to never
+    have worked.
+  Optimizations:
+  * New ARM64 implementation of AES, GCM, Chacha, SHA1 and
+    SHA256, for processors supporting crypto extensions. Great
+    speedups, and fat builds are supported. Contributed by
+    Mamone Tarsha.
+  * New s390x implementation of AES, GCM, Chacha, memxor, SHA1,
+    SHA256, SHA512 and SHA3. Great speedups, and fat builds are
+    supported. Contributed by Mamone Tarsha.
+  * New PPC64 assembly for ecc modulo/redc operations,
+    contributed by Amitay Isaacs, Martin Schwenke and Alastair
+    D´Silva.
+  * The x86_64 AES implementation using aesni instructions has
+    been reorganized with one separate function per key size,
+    each interleaving the processing of two blocks at a time
+    (when the caller processes multiple blocks with each call).
+    This gives a modest performance improvement on some
+    processors.
+  * Rewritten and faster x86_64 poly1305 assembly.
+- drop libnettle-s390x-CPACF-SHA-AES-support.patch (included in 3.8)
+* Wed Jun 15 2022 gmbr3@opensuse.org
+- Make shared libraries executable
+* Mon Aug 30 2021 pmonreal@suse.com
+- Provide s390x CPACF/SHA/AES Support for Crypto Libraries
+  * Add libnettle-s390x-CPACF-SHA-AES-support.patch [jsc#SLE-20733]
+* Wed Jul 21 2021 pmonreal@suse.com
+- Update to 3.7.3 in SLE-15-SP4: [SLE-19765, jsc#SLE-18132]
+  - Add libnettle-rpmlintrc
+  - Remove patches upstream:
+  * libnettle-CVE-2021-20305.patch
+  * libnettle-CVE-2021-3580-rsa_decrypt.patch
+  * libnettle-CVE-2021-3580-rsa_sec.patch
+  * nettle-respect-cflags.patch
+* Thu Jun 10 2021 pmonreal@suse.com
+- Security fix: [CVE-2021-3580, bsc#1187060]
+  * Remote crash in RSA decryption via manipulated ciphertext
+- Add patches:
+  * libnettle-CVE-2021-3580-rsa_sec.patch
+  * libnettle-CVE-2021-3580-rsa_decrypt.patch
+* Wed Jun  9 2021 info@paolostivanin.com
+- GNU Nettle 3.7.3: [CVE-2021-3580, bsc#1187060]
+  * Fix crash for zero input to rsa_sec_decrypt and
+    rsa_decrypt_tr. Potential denial of service vector.
+  * Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return
+    failure for out of range inputs, instead of either crashing,
+    or silently reducing input modulo n. Potential denial of
+    service vector.
+  * Ensure that rsa_decrypt returns failure for out of range
+    inputs, instead of silently reducing input modulo n.
+  * Ensure that rsa_sec_decrypt returns failure if the message
+    size is too large for the given key. Unlike the other bugs,
+    this would typically be triggered by invalid local
+    configuration, rather than by processing untrusted remote
+    data.
+* Mon Apr 19 2021 pmonreal@suse.com
+- Security fix: [bsc#1184401, CVE-2021-20305]
+  * multiply function being called with out-of-range scalars
+  * Affects ecc-ecdsa-sign(), ecc_ecdsa_verify() and _eddsa_hash().
+- Add libnettle-CVE-2021-20305.patch
+* Sun Mar 21 2021 andreas.stieger@gmx.de
+- GNU Nettle 3.7.2:
+  * fix a bug in ECDSA signature verification that could lead to a
+    denial of service attack (via an assertion failure) or possibly
+    incorrect results (CVE-2021-20305, boo#1184401)
+  * fix a few related problems where scalars are required to be
+    canonically reduced modulo the ECC group order, but in fact may
+    be slightly larger
+* Thu Feb 18 2021 andreas.stieger@gmx.de
+- GNU Nettle 3.7.1:
+  * Fix bug in chacha counter update logic (ppc64 and ppc64el)
+  * Restore support for big-endian ARM platforms
+  * Fix corner case bug in ECDSA verify, it would produce incorrect
+    result in the unlikely case of an all-zero message hash
+  * Support for pbkdf2_hmac_sha384 and pbkdf2_hmac_sha512
+  * Remove poorly performing ARM Neon code for doing single-block
+    Salsa20 and Chacha
+* Mon Jan  4 2021 andreas.stieger@gmx.de
+- GNU Nettle 3.7:
+  * add bcrypt password hashing
+  * add optimizations: PowerPC64 assembly
+- remove deprecated texinfo packaing macros
+* Sun May 10 2020 andreas.stieger@gmx.de
+- GNU Nettle 3.6:
+  * removal of internal and undocumented poly1305 functions
+  * Support for Curve448 and ED448 signatures
+  * Support for SHAKE256, SIV-CMAC, CMAC64, "CryptoPro" variant of
+    the GOST hash (as gosthash94cp), GOST DSA signatures, including
+    GOST curves gc256b and gc512a
+  * Support for Intel CET in x86 and x86_64 assembly files, if
+    enabled via CFLAGS (gcc --fcf-protection=full)
+  * A few new functions to improve support for the Chacha
+    variant with 96-bit nonce and 32-bit block counter (the
+    existing functions use nonce and counter of 64-bit each),
+    and functions to set the counter.
+  * New interface, struct nettle_mac, for MAC (message
+    authentication code) algorithms. This abstraction is only
+    for MACs that don't require a per-message nonce. For HMAC,
+    the key size is fixed, and equal the digest size of the
+    underlying hash function
+  * multiple bug fixes
+- drop nettle-respect-cflags.patch
+- silence packaging warning raised by HMAC files
+  (bsc#1152692, jsc#SLE-9518)
+* Tue Oct  1 2019 vcizek@suse.com
+- Install checksums for binary integrity verification which are
+  required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
+* Thu Aug  1 2019 andreas.stieger@gmx.de
+- update to 3.5.1:
+  * correct upstream source packaging problems
+- new in 3.5:
+  * gcm_crypt will now call the underlying block cipher to process
+    more than one block at a time
+  * Support for CFB8 (Cipher Feedback Mode, processing a single
+    octet per block cipher operation)
+  * Support for CMAC (RFC 4493)
+  * Support for XTS mode
+  * various improvements
+* Sun Mar 17 2019 jsikes@suse.de
+- Update to 3.4.1 - FATE#327114 (bsc#1129598)
+  * Fix CVE-2018-16869 (bsc#1118086)
+    libnettle-CVE-2018-16869-3.4.patch (removed)
+    All functions using RSA private keys are now side-channel
+    silent, meaning that they try hard to avoid any branches or
+    memory accesses depending on secret data. This applies both to
+    the bignum calculations, which now use GMP's mpn_sec_* family
+    of functions, and the processing of PKCS#1 padding needed for
+    RSA decryption.
+  * Changes in behavior:
+    The functions rsa_decrypt and rsa_decrypt_tr may now clobber
+    all of the provided message buffer, independent of the
+    actual message length. They are side-channel silent, in that
+    branches and memory accesses don't depend on the validity or
+    length of the message. Side-channel leakage from the
+    caller's use of length and return value may still provide an
+    oracle useable for a Bleichenbacher-style chosen ciphertext
+    attack. Which is why the new function rsa_sec_decrypt is
+    recommended.
+  * New features:
+    A new function rsa_sec_decrypt.
+  * Bug fixes:
+  - Fix bug in pkcs1-conv, missing break statements in the
+    parsing of PEM input files.
+  - Fix link error on the pss-mgf1-test test, affecting builds
+    without public key support.
+* Fri Dec 14 2018 pmonrealgonzalez@suse.com
+- Security fix: [bsc#1118086, CVE-2018-16869]
+  * Leaky data conversion exposing a manager oracle
+  * Added libnettle-CVE-2018-16869-3.4.patch
+* Thu Dec  6 2018 jengelh@inai.de
+- Adjust SRPM group.
+* Tue Dec  4 2018 pmonrealgonzalez@suse.com
+- libnettle 3.4.1rc1: [bsc#1118086, CVE-2018-16869]
+  * pkcs1-decrypt.c (pkcs1_decrypt): Rewrite as a wrapper around
+    _pkcs1_sec_decrypt_variable. Improves side-channel silence of the
+    only caller, rsa_decrypt.
+  * rsa-sec-compute-root.c (sec_mul, sec_mod_mul, sec_powm): New
+    local helper functions, with their own itch functions.
+    (_rsa_sec_compute_root_itch, _rsa_sec_compute_root): Rewrote to
+    use helpers, for clarity.
+  * rsa-decrypt-tr.c (rsa_decrypt_tr): Use NETTLE_OCTET_SIZE_TO_LIMB_SIZE.
+  * rsa-sec-compute-root.c (_rsa_sec_compute_root): Avoid calls to
+    mpz_sizeinbase, since that potentially leaks most significant bits
+    of private key parameters a and b.
+  * rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use
+    _rsa_sec_compute_root.
+  * testsuite/rsa-sec-compute-root-test.c: Add more tests for new
+    side-channel silent functions.
+  * rsa-sign.c (rsa_private_key_prepare): Check that qn + cn >= pn,
+    since that is required for one of the GMP calls in
+    _rsa_sec_compute_root.
+  * rsa-decrypt-tr.c: Switch to use side-channel silent functions.
+  * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt_variable): New private
+    function. Variable size version for backwards compatibility.
+  * testsuite/rsa-sec-decrypt-test.c: Adds more tests.
+  * rsa-sec-decrypt.c (rsa_sec_decrypt): New function.
+    Fixed length side-channel silent version of rsa-decrypt.
+  * testsuite/rsa-encrypt-test.c: add tests for the new fucntion.
+  * testsuite/pkcs1-sec-decrypt-test.c: Adds tests for _pkcs1_sec_decrypt.
+  * gmp-glue.c (mpn_get_base256): New function.
+  * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): New private function.
+    Fixed length side-channel silent version of pkcs1-decrypt.
+  * cnd-memcpy.c (cnd_memcpy): New function.
+  * testsuite/cnd-memcpy-test.c: New test case.
+  * rsa-sign-tr.c (rsa_sec_compute_root_tr): New function that uses
+    _rsa_sec_compute_root, as well as side-channel silent RSA blinding.
+    (rsa_compute_root_tr) Rewritten as a wrapper around rsa_sec_compute_root_tr.
+    (rsa_sec_blind, rsa_sec_unblind, sec_equal, rsa_sec_check_root)
+    (cnd_mpn_zero): New helper functions.
+    (rsa_sec_compute_root_tr) [NETTLE_USE_MINI_GMP]: Defined as a not
+    side-channel silent wrapper around rsa_compute_root_tr, and the
+    latter function left unchanged.
+  * rsa-sec-compute-root.c (_rsa_sec_compute_root_itch)
+    (_rsa_sec_compute_root): New file, new private functions.
+    Side-channel silent version of rsa_compute_root.
+  * rsa-internal.h: New header file with declarations.
+  * gmp-glue.h (NETTLE_OCTET_SIZE_TO_LIMB_SIZE): New macro.
+  * tools/pkcs1-conv.c (convert_file): Add missing break statements.
+  * nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper)
+    (blowfish128_set_key_wrapper): Wrapper functions, to avoid cast
+    between incompatible function types (which gcc-8 warns about).
+    Wrappers are expected to compile to a single jmp instruction.
+  * des-compat.c (des_compat_des3_decrypt): Change length argument type to size_t.
+* Thu Feb 22 2018 fvogt@suse.com
+- Use %%license (boo#1082318)
+* Sun Nov 19 2017 astieger@suse.com
+- libnettle 3.4:
+  * Fixed an improper use of GMP mpn_mul, breaking curve2559 and
+    eddsa on certain platforms
+  * Fixed memory leak when handling invalid signatures in
+    ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos.
+  * Reorganized the way certain data items are made available:
+    Nettle header files now define the symbols
+    nettle_hashes, nettle_ciphers, and nettle_aeads, as
+    preprocessor macros invoking a corresponding accessor
+    function. For backwards ABI compatibility, the symbols are
+    still present in the compiled libraries, and with the same
+    sizes as in nettle-3.3.
+  * Support for RSA-PSS signatures
+  * Support for the HKDF key derivation function, defined by RFC
+    5869
+  * Support for the Cipher Feedback Mode (CFB)
+  * New accessor functions: nettle_get_hashes,
+    nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1,
+    nettle_get_secp_224r1, nettle_get_secp_256r1,
+    nettle_get_secp_384r1, nettle_get_secp_521r1.
+    Direct access to data items is deprecated going forward.
+  * The base16 and base64 functions now use the type char * for
+    ascii data, rather than uint8_t *. This eliminates the last
+    pointer-signedness warnings when building Nettle
+  * The contents of the header file nettle/version.h is now
+    architecture independent, except in --enable-mini-gmp
+  * Prevent data sizes from leaking into the ABI
+- Fixes previously carried as patches:
+  * Fix compilation error with --enable-fat om ARM
+    Drop nettle-3.3-fix-fat-arm.patch
+* Mon Sep  4 2017 asn@cryptomilk.org
+- Add patch to fix build of fat-arm:
+  * nettle-3.3-fix-fat-arm.patch
+* Sun Sep  3 2017 asn@cryptomilk.org
+- Build nettle with AES-NI support (bsc#1056980)
+* Thu Feb  9 2017 dimstar@opensuse.org
+- Explicitly BuildRequire m4
+* Fri Oct 28 2016 astieger@suse.com
+- libnettle 3.3:
+  * Invalid private RSA keys, with an even modulo, are now
+    rejected by rsa_private_key_prepare. (Earlier versions
+    allowed such keys, even if results of using them were bogus).
+    Nettle applications are required to call
+    rsa_private_key_prepare and check the return value, before
+    using any other RSA private key functions; failing to do so
+    may result in crashes for invalid private keys.
+  * Ignore bit 255 of the x coordinate of the input point to
+    curve25519_mul, as required by RFC 7748. To differentiate at
+    compile time, curve25519.h defines the constant
+    NETTLE_CURVE25519_RFC7748.
+  * RSA and DSA now use side-channel silent modular
+    exponentiation, to defend against attacks on the private key
+    from evil processes sharing the same processor cache. This
+    attack scenario is of particular relevance when running an
+    HTTPS server on a virtual machine, where you don't know who
+    you share the cache hardware with.
+    bsc#991464 CVE-2016-6489
+  * Fix sexp-conv crashes on invalid input
+  * Fix out-of-bounds read in des_weak_p
+  * Fix a couple of formally undefined shift operations
+  * Fix compilation with c89
+  * New function memeql_sec, for side-channel silent comparison
+    of two memory areas.
+  * Building the public key support of nettle now requires GMP
+    version 5.0 or later (unless --enable-mini-gmp is used).
+* Tue Feb 23 2016 tchvatal@suse.com
+- Fix postun->preun on info packages regenerating
+* Thu Jan 28 2016 tchvatal@suse.com
+- Version update to 3.2 release bnc#964849 CVE-2015-8805 bnc#964847
+  CVE-2015-8804 bnc#964845 CVE-2015-8803:
+  * New functions for RSA private key operations, identified by
+    the "_tr" suffix, with better resistance to side channel
+    attacks and to hardware or software failures which could
+    break the CRT optimization
+  * SHA3 implementation is updated according to the FIPS 202 standard
+  * New ARM Neon implementation of the chacha stream cipher
+  * Should be compatible binary with 3.1 series
+- Add patch to fix build with cflags:
+  * nettle-respect-cflags.patch
+* Mon Jun 22 2015 tchvatal@suse.com
+- Remove off-by-one-test-suite.patch as it was fixed by upstream
+  differently
+* Sun Apr 26 2015 astieger@suse.com
+- nettle 3.1.1
+  Non-critical bugfix release, binary compatible to 3.1
+  * By accident, nettle-3.1 disabled the assembly code for the
+    secp_224r1 and secp_521r1 elliptic curves on all x86_64
+    configurations, making signature operations on those curves
+    10%%-30%% slower. This code is now re-enabled.
+  * The x86_64 assembly implementation of gcm hashing has been
+    fixed to work with the Sun/Oracle assembler.
+* Thu Apr 23 2015 vpereira@suse.com
+  added patch: off-by-one-test-suite.patch
+- Address Sanitizer, found a off-by-one error in the test suite (bnc#928328)
+* Sat Apr 11 2015 astieger@suse.com
+- nettle 3.1 (libnettle6, libhogweed4)
+- bug fixes in 3.1:
+  * Fixed a missing include of <limits.h>, which made the camellia
+    implementation fail on all 64-bit non-x86 platforms.
+  * Eliminate out-of-bounds reads in the C implementation of memxor
+  (related to valgrind's --partial-loads-ok flag). [bso#926745)
+- interface changes in 3.1:
+  * Declarations of many internal functions are moved from ecc.h to
+    ecc-internal.h.
+- interface changes in 3.0:
+  * contains developer relevant incompatible interface changes
+- Removed features:
+  * nettle_next_prime, use GMP's mpz_nextprime
+  * Deleted the RSAREF compatibility
+- New features in 3.1:
+  * Support for curve25519 and for EdDSA25519 signatures.
+  * Support for "fat builds" on x86_64 and arm (not enabled)
+  * Support for building the hogweed library (public key support)
+    using "mini-gmp" (not enabled)
+  * The shared libraries are now built with versioned symbols.
+  * Support for "URL-safe" base64 encoding and decoding
+- New features in 3.0:
+  * new DSA, AES, Camellia interfaces
+  * Support for Poly1305-AES MAC.
+  * Support for the ChaCha stream cipher and EXPERIMENTAL
+    support for the ChaCha-Poly1305 AEAD mode.
+  * Support for EAX mode.
+  * Support for CCM mode.
+  * Additional variants of SHA512 with output size of 224 and 256 bits
+  * New interface, struct nettle_aead, for mechanisms providing
+    authenticated encryption with associated data (AEAD).
+  * DSA: Support a wider range for the size of q and a wider
+    range for the digest size.
+  * New command line tool nettle-pbkdf2.
+- Optimizations in 3.1:
+  * New x86_64 implementation of AES, using the "aesni" instructions
+- Optimizations in 3.0:
+  * New x86_64 assembly for GCM and MD5. Modest speedups on the
+    order of 10%%-20%%.
+* Fri Mar 13 2015 tchvatal@suse.com
+- Add url to the spec
+* Thu Mar  5 2015 mpluskal@suse.com
+- Revert back to 2.7
+* Tue May 13 2014 tchvatal@suse.com
+- Cleanup with spec-cleaner
+- Paralelize test run
+* Thu Dec 19 2013 meissner@suse.com
+- also build baselibs for libnettle-devel (for wine 32bit development)
+* Tue Jun 25 2013 meissner@suse.com
+- Update to version 2.7.1
+  * Fixed ecc_modp_mul call, to avoid invalid overlap of arguments to
+    mpn_mul_n. Problem tracked down by Magnus Holmgren.
+  * ARM fixes.
+- reference gpg signatures and keyring. checking not enabled as to
+  avoid cycles.
+* Thu May 16 2013 idonmez@suse.com
+- Update to version 2.7
+  * Support for the GOST R 34.11-94 hash algorithm
+  * Support for SHA3
+  * Support for PKCS #5 PBKDF2
+  * Fixed a small memory leak in nettle_realloc and
+    nettle_xrealloc.
+  * x86_64 assembly for SHA256, SHA512, and SHA3
+  * ARM assembly code for several additional algorithms,
+    including AES, Salsa20, and the SHA family of hash
+    functions.
+  * Support for 12-round salsa20, "salsa20r12", as specified by
+    eSTREAM.
+  * Support for UMAC, including x86_64 and ARM assembly.
+  * Support for ECDSA signatures. Elliptic curve operations over
+    the following curves: secp192r1, secp224r1, secp256r1,
+    secp384r1 and secp521r1, including x86_64 and ARM assembly
+    for the most important primitives.
+- Depend on makeinfo for info file generation.
+- Don't disable static libs, they are needed at build time.
+* Sun Nov 25 2012 andreas.stieger@gmx.de
+- upgrade to 2.5:
+  * removed some internal undocumented functions
+  * pkcs1_signature_prefix renamed to _pkcs1_signature_prefix
+    with slightly different behavior
+  * nettle-internal.c is no longer included
+  * Support for the salsa20 block cipher
+  * Tentative interface for timing-resistant RSA functions
+  * A more general interface for PKCS#1 signatures
+  * Documentation, example programs for the base16 and base64
+  * Use an additional table to avoid GF2^8 multiplications in
+    aes_invert_key (mainly used by aes_set_decrypt_key). Also
+    tabulate round constants in aes_set_encrypt_key.
+- configure --enable-shared now default, no longer required
+* Tue Jan 31 2012 jengelh@medozas.de
+- Remove redundant tags/sections per specfile guideline suggestions
+* Sat Sep 24 2011 crrodriguez@opensuse.org
+- BuildRequire pkgconfig to fix rpmlint warning
+* Mon Sep 19 2011 crrodriguez@opensuse.org
+- Update to version 2.4 only two important changes
+  * ripemd160 was broken on all big endian machines
+  * add pkgconfig files
+* Mon Aug 29 2011 coolo@novell.com
+- use original source
+- add baselibs.conf
+- drop licenses
+* Wed Aug 17 2011 crrodriguez@opensuse.org
+- Fix licenses [bnc#712616]
+- run make check
+* Tue Aug 16 2011 crrodriguez@opensuse.org
+- Update to version 2.2, bump sonames accordingly
+- Fix build in factory
+- Fix -devel package dependencies
+- Tune up spec file in order to submit package to factory
+  as is needed for gnutls version 3.x
+* Tue Jan  5 2010 pascal.bleser@opensuse.org
+- initial package (2.0)

libnettle.keyring

@@ -0,0 +1,37 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+mQFNBFDrIWMBCgCyyYoTAD/aL6Yl90eSJ1xuFpODTcwyRZsNSUZKSmKwnqXo9LgS
+2B00yVZ2nO2OrSmWPiYikTciitv04bAqFaggSstx6hlni6n3h2PL0jXpf9EI6qOO
+oKwi2IVtbBnJAhWpfRcAce6WEqvnav6KjuBM3lr8/5GzDV8tm6+X/G/paTnBqTB9
+pBxrH7smB+iRjDt/6ykWkbYLd6uBKzIkAp4HqAZb/aZMvxI28PeWGjZJQYq2nVPf
+LroM6Ub/sNlXpv/bmHJusFQjUL368njhZD1+aVLCUfBCCDzvZc3EYt3wBkbmuCiA
+xOb9ramHgiVkNENtzXR+sbQHtKRQv/jllY1qxROM2/rWmL+HohdxL5E0VPple2bg
+U/zqX0Hg2byb8FbpzPJO5PnBD+1PME3Uirsly4N7XT80OvhXlYe4t+9X0QARAQAB
+tCROaWVscyBNw7ZsbGVyIDxuaXNzZUBseXNhdG9yLmxpdS5zZT6JAX4EEwECACgF
+AlDrIWMCGwMFCRLMAwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPNZn/go
+xnKYqm0J/A4b6TE5qPWiWj0kriUBSmpys3qUz93gR6Ft7w2f478KJuzbSadvyn0u
+PcnP26AGTOQq75RhtgCJgdYbvRocTjlMh9jOX584Hx8hi/QSrpCSYMnj6dQKbu0Y
+QIFjZx8gPeYvzG8t34FCNEzZ09RQZqy/ukRyN99LkwEuP4FWq486b7dpgv7GC+SH
+lZcMco6VW8FLOT7KMalH06cmdhFPrFSYAIHDu3CsYhC8knIQV99Xzno/KeSkEwkq
+tYDOdz0x4HWdOwHrl2S2X6Ex1q3QRXcq84EYQwHz2WEGaPR7Vd76P5J1wiHN6rwO
+4exfgsRyTvc6NDQPTFqmoCzwuPviYk6JNnHr9E5TkLT7lAnESEhMLyyIG/7Uwpgu
+5C71IMaTpOpf8DEU9NU/zuxgHoMaKBZaeYKs0S26s1zwGOlQX0T9iEYEEBECAAYF
+AlDvuDsACgkQkVrMRaj0wv1SdgCeO+ktq5mAY5lZA3lA/I6hAKIk2s4An0L5XXjR
+vdHIxY5HSVNmRnyiIt9nuQFNBFDrIWMBCgDKlONI+5Bqcu69+72fmLZPizzEUsIR
+A2Y0w2RE7+uJ5Es9/YTp5PnWANpPT7GS8JJnc6NJJeh6GkMkGGwq5Op7CDsjW9pQ
+Z0vAW90XjnyniDa9W0W+m5+X/LPOzh+nis9Zcf17P91tprLCLi+TOOb35xt396pZ
++S+PwuV0dLiIYdVYV3e6LNCV0LjhEqp53TRwTrLTNPQVnt0DPYTh/Kn1x6d5zOS0
+MK4QybKN1WJU6nYIQRXyWKkixjbs++jcgV/juck96Ve0blvn6DfqfpG8YzbmqRCu
+fLo683LtlBUZ0c+znrD1nouqX2Eb/CylG8Q8ZUHXimCJ+g6RfH9kOmtVH/208u/n
+DofVL/Q0dvAXfU5MX49c7XYy7B2rTlk+4nuNeaHM0aU2Y14+SQy+sR6zydu7eGLd
+qjzV0CX/ekgrjQARAQABiQFlBBgBAgAPBQJQ6yFjAhsMBQkSzAMAAAoJEPNZn/go
+xnKYGUcJ/j+L0/uzfwCR1aTBZ6FBT9OdNyatVjmz20ahskF3BySmkT1R06K08YOG
+J//LPajj0eKqU8WKgxMc7pWi5SG+yMFn2db5HnJDGiSmSjCXW/BzsSt1786LtO0m
+0ehatj9kl6JrxQNXazOkRJ2ww13P6/91RBaV6R08BmFTrUco2P6w+djCF4NlnkOL
+a7fM6QtNZM+yB+EzaPjSBFjZG52BVWZkcXEVN0cEjPuznuQOmx8Dny7lQikp49Nu
+mrbamaxZEilx2Bi9gSbovNaKBuncKi9XboiEiNbAarGxP40Qvlk2AuXWvq+fiBnU
+1e1nU2oV7/7nAWH7kj/Vr/JxcBeOpsNDGkW7Yrd3mkJCrhG+jMs1V2qNb9Uhr5ZL
+OA40sIz2PHfDrR+gc8THm2p5OvCWEAeukYJ22XTUIt6XoPO0ERYD
+=Skk6
+-----END PGP PUBLIC KEY BLOCK-----

libnettle.spec

@@ -0,0 +1,164 @@
+#
+# spec file for package libnettle
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+
+%define soname 8
+%define hogweed_soname 6
+Name:           libnettle
+Version:        3.8.1
+Release:        150500.2.25
+Summary:        Cryptographic Library
+License:        GPL-2.0-or-later AND LGPL-2.1-or-later
+Group:          Development/Libraries/C and C++
+URL:            https://www.lysator.liu.se/~nisse/nettle/
+Source0:        https://ftp.gnu.org/gnu/nettle/nettle-%{version}.tar.gz
+Source1:        https://ftp.gnu.org/gnu/nettle/nettle-%{version}.tar.gz.sig
+Source2:        %{name}.keyring
+Source3:        baselibs.conf
+Source4:        %{name}-rpmlintrc
+#PATCH-FIX-UPSTREAM jsc#PED-546 POWER10 performance enhancements for cryptography
+Patch0:         libnettle-PowerPC-Implement-Poly1305-single-block-update-based.patch
+Patch1:         libnettle-PowerPC-Use-defined-structure-constants-of-P1305-in.patch
+Patch2:         libnettle-Workaround-for-qemu-bug-affecting-the-ppc-intruction.patch
+BuildRequires:  autoconf
+BuildRequires:  fipscheck
+BuildRequires:  gmp-devel >= 6.1.0
+BuildRequires:  m4
+BuildRequires:  makeinfo
+BuildRequires:  pkgconfig
+
+%description
+Nettle is a cryptographic library that is designed to fit easily in more or
+less any context: In crypto toolkits for object-oriented languages (C++,
+Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space.
+
+%package -n libnettle%{soname}
+Summary:        Cryptographic Library
+License:        LGPL-2.1-or-later
+Group:          System/Libraries
+
+%description -n libnettle%{soname}
+Nettle is a cryptographic library that is designed to fit easily in more or
+less any context: In crypto toolkits for object-oriented languages (C++,
+Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space.
+
+%package -n libhogweed%{hogweed_soname}
+Summary:        Cryptographic Library for Public Key Algorithms
+License:        LGPL-2.1-or-later
+Group:          System/Libraries
+
+%description -n libhogweed%{hogweed_soname}
+Nettle is a cryptographic library that is designed to fit easily in more or
+less any context: In crypto toolkits for object-oriented languages (C++,
+Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space.
+
+The libhogweed library contains public key algorithms to use with libnettle.
+
+%package -n libnettle-devel
+Summary:        Cryptographic Library
+License:        LGPL-2.1-or-later
+Group:          Development/Libraries/C and C++
+Requires:       glibc-devel
+Requires:       gmp-devel
+Requires:       libhogweed%{hogweed_soname} = %{version}
+Requires:       libnettle%{soname} = %{version}
+
+%description -n libnettle-devel
+Nettle is a cryptographic library that is designed to fit easily in more or
+less any context: In crypto toolkits for object-oriented languages (C++,
+Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space.
+
+%package -n nettle
+Summary:        Cryptographic Tools
+License:        GPL-2.0-or-later AND LGPL-2.1-or-later
+Group:          Productivity/Security
+
+%description -n nettle
+Nettle is a cryptographic library that is designed to fit easily in more or
+less any context: In crypto toolkits for object-oriented languages (C++,
+Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space.
+
+This package contains a few command-line tools to perform cryptographic
+operations using the nettle library.
+
+%prep
+%autosetup -p1 -n nettle-%{version}
+
+%build
+autoreconf -fiv
+%configure \
+    --disable-static \
+    --enable-shared \
+    --enable-fat \
+%ifarch s390x
+    --enable-s390x-vf \
+    --enable-s390x-msa \
+%endif
+    %{nil}
+
+%make_build
+
+%install
+%make_install
+chmod 0755 %{buildroot}%{_libdir}/libnettle.so.%{soname}
+chmod 0755 %{buildroot}%{_libdir}/libhogweed.so.%{hogweed_soname}
+
+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the %%expand of
+# the macro is too late.
+# remark: This is the same as running
+#   openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
+%{expand:%%global __os_install_post {%__os_install_post
+%{_bindir}/fipshmac %{buildroot}%{_libdir}/libnettle.so.%{soname}
+%{_bindir}/fipshmac %{buildroot}%{_libdir}/libhogweed.so.%{hogweed_soname}
+}}
+
+%post   -n libnettle%{soname} -p /sbin/ldconfig
+%postun -n libnettle%{soname} -p /sbin/ldconfig
+%post   -n libhogweed%{hogweed_soname} -p /sbin/ldconfig
+%postun -n libhogweed%{hogweed_soname} -p /sbin/ldconfig
+
+%check
+%make_build check
+
+%files -n libnettle%{soname}
+%license COPYING*
+%{_libdir}/libnettle.so.%{soname}
+%{_libdir}/libnettle.so.%{soname}.*
+%{_libdir}/.libnettle.so.%{soname}.hmac
+
+%files -n libhogweed%{hogweed_soname}
+%license COPYING*
+%{_libdir}/libhogweed.so.%{hogweed_soname}
+%{_libdir}/libhogweed.so.%{hogweed_soname}.*
+%{_libdir}/.libhogweed.so.%{hogweed_soname}.hmac
+
+%files -n libnettle-devel
+%license COPYING*
+%doc AUTHORS ChangeLog NEWS README
+%{_includedir}/nettle
+%{_libdir}/libnettle.so
+%{_libdir}/libhogweed.so
+%{_infodir}/nettle.info%{?ext_info}
+%{_libdir}/pkgconfig/hogweed.pc
+%{_libdir}/pkgconfig/nettle.pc
+
+%files -n nettle
+%license COPYING*
+%doc AUTHORS ChangeLog NEWS README
+%{_bindir}/nettle-lfib-stream
+%{_bindir}/nettle-pbkdf2
+%{_bindir}/pkcs1-conv
+%{_bindir}/sexp-conv
+%{_bindir}/nettle-hash
+
+%changelog