(cherry picked from commit 52bacaca)

(cherry picked from commit 0ad0b5df)

Improves consistency with _rsa_sec_compute_root, and fixes zero-input bug.

(cherry picked from commit 485b5e28)

(cherry picked from commit 0a714543)

* pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message
length is valid, for given key size.
* testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for
calls to rsa_sec_decrypt specifying a too large message length.

(cherry picked from commit 7616541e)

nettle-benchmark: avoid -Wmaybe-uninitialized warnings

See merge request nettle/nettle!22

Otherwise GCC 11 prints the following warning:

  nettle-benchmark.c: In function ‘time_umac’:
  ../umac.h:42:25: warning: ‘key’ may be used uninitialized [-Wmaybe-uninitialized]
     42 | #define umac32_set_key  nettle_umac32_set_key
  nettle-benchmark.c:395:3: note: in expansion of macro ‘umac32_set_key’
    395 |   umac32_set_key (&ctx32, key);
        |   ^~~~~~~~~~~~~~

Although this should be harmless as it's in the benchmarking code and
the content of the key doesn't matter, it wouldn't hurt to explicitly
initialize it.  This patch also uses predefined constants for key
sizes.

And enable remote/s390x job only when needed variables are set.

(cherry picked from commit 7a5f8632)

* gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to
compute the scalar used for ecc multiplication.

* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
reduced. Two of the three call sites need that.

* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
to compute the scalars used for ecc multiplication.

* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
canonical range.

* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
to compute the scalars used for ecc multiplication.
* testsuite/ecdsa-verify-test.c (test_main): Add test case that
triggers an assert on 64-bit platforms, without above fix.
* testsuite/ecdsa-sign-test.c (test_main): Test case generating
the same signature.

* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.

* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
New functions.
* ecc-internal.h: Declare and document new functions.
* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
* ecc-j-to-a.c (ecc_j_to_a): Likewise.
* ecc-mul-m.c (ecc_mul_m): Likewise.

* configure.ac: Bump package version, to 3.7.1.
(LIBNETTLE_MINOR): Bump minor number, to 8.2.
(LIBHOGWEED_MINOR): Bump minor number, to 6.2.