commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2024-07-24 15:29:19 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.1869 (New) Package is "libgcrypt" Wed Jul 24 15:29:19 2024 rev:103 rq:1183830 version:1.11.0 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2024-01-29 22:25:50.142528789 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1869/libgcrypt.changes 2024-07-25 11:55:32.197478957 +0200 @@ -1,0 +2,94 @@ +Thu Jun 20 08:11:07 UTC 2024 - Pedro Monreal + +- Update to 1.11.0: + * New and extended interfaces: +- Add an API for Key Encapsulation Mechanism (KEM). [T6755] +- Add Streamlined NTRU Prime sntrup761 algorithm. [rCcf9923e1a5] +- Add Kyber algorithm according to FIPS 203 ipd 2023-08-24. [rC18e5c0d268] +- Add Classic McEliece algorithm. [rC003367b912] +- Add One-Step KDF with hash and MAC. [T5964] +- Add KDF algorithm HKDF of RFC-5869. [T5964] +- Add KDF algorithm X963KDF for use in CMS. [rC3abac420b3] +- Add GMAC-SM4 and Poly1305-SM4. [rCd1ccc409d4] +- Add ARIA block cipher algorithm. [rC316c6d7715] +- Add explicit FIPS indicators for MD and MAC algorithms. [T6376] +- Add support for SHAKE as MGF in RSA. [T6557] +- Add gcry_md_read support for SHAKE algorithms. [T6539] +- Add gcry_md_hash_buffers_ext function. [T7035] +- Add cSHAKE hash algorithm. [rC065b3f4e02] +- Support internal generation of IV for AEAD cipher mode. [T4873] + * Performance: +- Add SM3 ARMv8/AArch64/CE assembly implementation. [rCfe891ff4a3] +- Add SM4 ARMv8/AArch64 assembly implementation. [rCd8825601f1] +- Add SM4 GFNI/AVX2 and GFI/AVX512 implementation. [rC5095d60af4,rCeaed633c16] +- Add SM4 ARMv9 SVE CE assembly implementation. [rC2dc2654006] +- Add PowerPC vector implementation of SM4. [rC0b2da804ee] +- Optimize ChaCha20 and Poly1305 for PPC P10 LE. [T6006] +- Add CTR32LE bulk acceleration for AES on PPC. [rC84f2e2d0b5] +- Add generic bulk acceleration for CTR32LE mode (GCM-SIV) for SM4 + and Camellia. [rCcf956793af] +- Add GFNI/AVX2 implementation of Camellia. [rC4e6896eb9f] +- Add AVX2 and AVX512 accelerated implementations for GHASH (GCM) + and POLYVAL (GCM-SIV). [rCd857e85cb4, rCe6f3600193] +- Add AVX512 implementation for SHA512. [rC089223aa3b] +- Add AVX512 implementation for Serpent. [rCce95b6ec35] +- Add AVX512 implementation for Poly1305 and ChaCha20. [rCcd3ed49770, rC9a63cfd617] +- Add AVX512 accelerated implementation for SHA3 and Blake2. [rCbeaad75f46,rC909daa700e] +- Add VAES/AVX2 accelerated i386 implementation for AES. [rC4a42a042bc] +- Add bulk processing for XTS mode of Camellia and SM4. [rC32b18cdb87, rCaad3381e93] +- Accelerate XTS and ECB modes for Twofish and Serpent. [rCd078a928f5,rC8a1fe5f78f] +- Add AArch64 crypto/SHA512 extension implementation for SHA512. [rCe51d3b8330] +- Add AArch64 crypto-extension implementation for Camellia. [rC898c857206] +- Accelerate OCB authentication on AMD with AVX2. [rC6b47e85d65] + * Bug fixes: +- For PowerPC check for missing optimization level for vector register usage. [T5785] +- Fix EdDSA secret key check. [T6511] +- Fix decoding of PKCS#1-v1.5 and OAEP padding. [rC34c2042792] +- Allow use of PKCS#1-v1.5 with SHA3 algorithms. [T6976] +- Fix AESWRAP padding length check. [T7130] + * Other: +- Allow empty password for Argon2 KDF. [rCa20700c55f] +- Various constant time operation imporvements. +- Add "bp256", "bp384", "bp512" aliases for Brainpool curves. +- Support for the random server has been removed. [T5811] +- The control code GCRYCTL_ENABLE_M_GUARD is deprecated and not + supported any more. Please use valgrind or other tools. [T5822] +- Logging is now done via the libgpg-error logging functions. [rCab0bdc72c7] + * Remove patches fixed upstream: +- libgcrypt-no-deprecated-grep-alias.patch +- libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch +- libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch + * Rebase patches: +- libgcrypt-FIPS-jitter-errorcodes.patch +- libgcrypt-FIPS-jitter-whole-entropy.patch + +--- +Wed Mar 20 20:31:40 UTC 2024 - Pedro Monreal + +- FIPS: Make sure that Libgcrypt makes use of the built-in Jitter RNG + for the whole length entropy buffer in FIPS mode. [bsc#1220893] + * Add libgcrypt-FIPS-jitter-whole-entropy.patch + +--- +Wed Mar 20 15:13:04 UTC 2024 - Pedro Monreal + +- FIPS: Set the FSM into error state if Jitter RNG i
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2024-01-29 22:25:48 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.1815 (New) Package is "libgcrypt" Mon Jan 29 22:25:48 2024 rev:102 rq:1141963 version:1.10.3 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-11-23 21:38:33.266864091 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1815/libgcrypt.changes 2024-01-29 22:25:50.142528789 +0100 @@ -1,0 +2,5 @@ +Sat Jan 27 13:37:34 UTC 2024 - Dirk Müller + +- add libgcrypt-no-deprecated-grep-alias.patch + +--- New: libgcrypt-no-deprecated-grep-alias.patch BETA DEBUG BEGIN: New: - add libgcrypt-no-deprecated-grep-alias.patch BETA DEBUG END: Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.7LkTrl/_old 2024-01-29 22:25:52.390610272 +0100 +++ /var/tmp/diff_new_pack.7LkTrl/_new 2024-01-29 22:25:52.390610272 +0100 @@ -1,7 +1,7 @@ # # spec file for package libgcrypt # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -37,6 +37,8 @@ Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch #PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run Patch2: libgcrypt-nobetasuffix.patch +# https://dev.gnupg.org/T6964 +Patch3: libgcrypt-no-deprecated-grep-alias.patch # FIPS patches: #PATCH-FIX-SUSE bsc#1190700 FIPS: Provide a service-level indicator for PK Patch100: libgcrypt-FIPS-SLI-pk.patch ++ libgcrypt-no-deprecated-grep-alias.patch ++ --- libgcrypt-1.10.3.orig/acinclude.m4 +++ libgcrypt-1.10.3/acinclude.m4 @@ -130,10 +130,10 @@ EOF ac_nlist=conftest.nm if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \| cut -d \' \' -f 2 \> $ac_nlist) && test -s "$ac_nlist"; then # See whether the symbols have a leading underscore. - if egrep '^_nm_test_func' "$ac_nlist" >/dev/null; then + if grep -E '^_nm_test_func' "$ac_nlist" >/dev/null; then ac_cv_sys_symbol_underscore=yes else -if egrep '^nm_test_func ' "$ac_nlist" >/dev/null; then +if grep -E '^nm_test_func ' "$ac_nlist" >/dev/null; then : else echo "configure: cannot find nm_test_func in $ac_nlist" >&AS_MESSAGE_LOG_FD --- libgcrypt-1.10.3.orig/src/libgcrypt-config.in +++ libgcrypt-1.10.3/src/libgcrypt-config.in @@ -154,7 +154,7 @@ if test "$echo_cflags" = "yes"; then tmp="" for i in $includes $cflags_final; do - if echo "$tmp" | fgrep -v -- "$i" >/dev/null; then + if echo "$tmp" | @GREP@ -F -v -- "$i" >/dev/null; then tmp="$tmp $i" fi done @@ -175,7 +175,7 @@ if test "$echo_libs" = "yes"; then tmp="" for i in $libdirs $libs_final; do - if echo "$tmp" | fgrep -v -- "$i" >/dev/null; then + if echo "$tmp" | @GREP@ -F -v -- "$i" >/dev/null; then tmp="$tmp $i" fi done
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2023-11-23 21:38:31
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.25432 (New)
Package is "libgcrypt"
Thu Nov 23 21:38:31 2023 rev:101 rq:1127966 version:1.10.3
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-11-17
20:47:58.881614933 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.25432/libgcrypt.changes
2023-11-23 21:38:33.266864091 +0100
@@ -1,0 +2,6 @@
+Tue Nov 21 10:36:09 UTC 2023 - Otto Hollmann
+
+- Re-create HMAC checksum after RPM build strips the library
+ (bsc#1217058)
+
+---
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.xG18jt/_old 2023-11-23 21:38:34.046892826 +0100
+++ /var/tmp/diff_new_pack.xG18jt/_new 2023-11-23 21:38:34.050892974 +0100
@@ -131,11 +131,27 @@
# run the regression tests also in FIPS mode
LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true
-# Install the FIPS hmac file
-cp src/.libgcrypt.so.%{libsover}.hmac %{buildroot}%{_libdir}/
-
%install
%make_install
+
+# this is a hack that re-defines the __spec_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+
+%define libpath %{buildroot}%{_libdir}/libgcrypt.so.%{libsover}.?.?
+%define __spec_install_post \
+%{?__debug_package:%{__debug_install_post}} \
+%{__arch_install_post} \
+%{__os_install_post} \
+cd src \
+sed -i -e 's|FILE=.*|FILE=\\\$1|' gen-note-integrity.sh \
+READELF=readelf AWK=awk ECHO_N="-n" bash gen-note-integrity.sh %{libpath}
> %{libpath}.hmac \
+objcopy --update-section .note.fdo.integrity=%{libpath}.hmac %{libpath}
%{libpath}.new \
+mv -f %{libpath}.new %{libpath} \
+rm -f %{libpath}.hmac \
+%{nil}
+
rm %{buildroot}%{_libdir}/%{name}.la
# Create /etc/gcrypt directory and install random.conf
@@ -153,7 +169,6 @@
%dir %{_sysconfdir}/gcrypt
%config(noreplace) %{_sysconfdir}/gcrypt/random.conf
%config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny
-%{_libdir}/.libgcrypt.so.*.hmac
%files devel
%license COPYING COPYING.LIB LICENSES
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2023-11-23 21:38:31
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.25432 (New)
Package is "libgcrypt"
Thu Nov 23 21:38:31 2023 rev:101 rq:1127966 version:1.10.3
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-11-17
20:47:58.881614933 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.25432/libgcrypt.changes
2023-11-23 21:38:33.266864091 +0100
@@ -1,0 +2,6 @@
+Tue Nov 21 10:36:09 UTC 2023 - Otto Hollmann
+
+- Re-create HMAC checksum after RPM build strips the library
+ (bsc#1217058)
+
+---
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.xG18jt/_old 2023-11-23 21:38:34.046892826 +0100
+++ /var/tmp/diff_new_pack.xG18jt/_new 2023-11-23 21:38:34.050892974 +0100
@@ -131,11 +131,27 @@
# run the regression tests also in FIPS mode
LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true
-# Install the FIPS hmac file
-cp src/.libgcrypt.so.%{libsover}.hmac %{buildroot}%{_libdir}/
-
%install
%make_install
+
+# this is a hack that re-defines the __spec_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+
+%define libpath %{buildroot}%{_libdir}/libgcrypt.so.%{libsover}.?.?
+%define __spec_install_post \
+%{?__debug_package:%{__debug_install_post}} \
+%{__arch_install_post} \
+%{__os_install_post} \
+cd src \
+sed -i -e 's|FILE=.*|FILE=\\\$1|' gen-note-integrity.sh \
+READELF=readelf AWK=awk ECHO_N="-n" bash gen-note-integrity.sh %{libpath}
> %{libpath}.hmac \
+objcopy --update-section .note.fdo.integrity=%{libpath}.hmac %{libpath}
%{libpath}.new \
+mv -f %{libpath}.new %{libpath} \
+rm -f %{libpath}.hmac \
+%{nil}
+
rm %{buildroot}%{_libdir}/%{name}.la
# Create /etc/gcrypt directory and install random.conf
@@ -153,7 +169,6 @@
%dir %{_sysconfdir}/gcrypt
%config(noreplace) %{_sysconfdir}/gcrypt/random.conf
%config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny
-%{_libdir}/.libgcrypt.so.*.hmac
%files devel
%license COPYING COPYING.LIB LICENSES
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2023-11-23 21:38:31
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.25432 (New)
Package is "libgcrypt"
Thu Nov 23 21:38:31 2023 rev:101 rq:1127966 version:1.10.3
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-11-17
20:47:58.881614933 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.25432/libgcrypt.changes
2023-11-23 21:38:33.266864091 +0100
@@ -1,0 +2,6 @@
+Tue Nov 21 10:36:09 UTC 2023 - Otto Hollmann
+
+- Re-create HMAC checksum after RPM build strips the library
+ (bsc#1217058)
+
+---
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.xG18jt/_old 2023-11-23 21:38:34.046892826 +0100
+++ /var/tmp/diff_new_pack.xG18jt/_new 2023-11-23 21:38:34.050892974 +0100
@@ -131,11 +131,27 @@
# run the regression tests also in FIPS mode
LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true
-# Install the FIPS hmac file
-cp src/.libgcrypt.so.%{libsover}.hmac %{buildroot}%{_libdir}/
-
%install
%make_install
+
+# this is a hack that re-defines the __spec_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+
+%define libpath %{buildroot}%{_libdir}/libgcrypt.so.%{libsover}.?.?
+%define __spec_install_post \
+%{?__debug_package:%{__debug_install_post}} \
+%{__arch_install_post} \
+%{__os_install_post} \
+cd src \
+sed -i -e 's|FILE=.*|FILE=\\\$1|' gen-note-integrity.sh \
+READELF=readelf AWK=awk ECHO_N="-n" bash gen-note-integrity.sh %{libpath}
> %{libpath}.hmac \
+objcopy --update-section .note.fdo.integrity=%{libpath}.hmac %{libpath}
%{libpath}.new \
+mv -f %{libpath}.new %{libpath} \
+rm -f %{libpath}.hmac \
+%{nil}
+
rm %{buildroot}%{_libdir}/%{name}.la
# Create /etc/gcrypt directory and install random.conf
@@ -153,7 +169,6 @@
%dir %{_sysconfdir}/gcrypt
%config(noreplace) %{_sysconfdir}/gcrypt/random.conf
%config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny
-%{_libdir}/.libgcrypt.so.*.hmac
%files devel
%license COPYING COPYING.LIB LICENSES
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2023-11-23 21:38:31
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.25432 (New)
Package is "libgcrypt"
Thu Nov 23 21:38:31 2023 rev:101 rq:1127966 version:1.10.3
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-11-17
20:47:58.881614933 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.25432/libgcrypt.changes
2023-11-23 21:38:33.266864091 +0100
@@ -1,0 +2,6 @@
+Tue Nov 21 10:36:09 UTC 2023 - Otto Hollmann
+
+- Re-create HMAC checksum after RPM build strips the library
+ (bsc#1217058)
+
+---
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.xG18jt/_old 2023-11-23 21:38:34.046892826 +0100
+++ /var/tmp/diff_new_pack.xG18jt/_new 2023-11-23 21:38:34.050892974 +0100
@@ -131,11 +131,27 @@
# run the regression tests also in FIPS mode
LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true
-# Install the FIPS hmac file
-cp src/.libgcrypt.so.%{libsover}.hmac %{buildroot}%{_libdir}/
-
%install
%make_install
+
+# this is a hack that re-defines the __spec_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+
+%define libpath %{buildroot}%{_libdir}/libgcrypt.so.%{libsover}.?.?
+%define __spec_install_post \
+%{?__debug_package:%{__debug_install_post}} \
+%{__arch_install_post} \
+%{__os_install_post} \
+cd src \
+sed -i -e 's|FILE=.*|FILE=\\\$1|' gen-note-integrity.sh \
+READELF=readelf AWK=awk ECHO_N="-n" bash gen-note-integrity.sh %{libpath}
> %{libpath}.hmac \
+objcopy --update-section .note.fdo.integrity=%{libpath}.hmac %{libpath}
%{libpath}.new \
+mv -f %{libpath}.new %{libpath} \
+rm -f %{libpath}.hmac \
+%{nil}
+
rm %{buildroot}%{_libdir}/%{name}.la
# Create /etc/gcrypt directory and install random.conf
@@ -153,7 +169,6 @@
%dir %{_sysconfdir}/gcrypt
%config(noreplace) %{_sysconfdir}/gcrypt/random.conf
%config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny
-%{_libdir}/.libgcrypt.so.*.hmac
%files devel
%license COPYING COPYING.LIB LICENSES
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2023-10-20 23:15:32
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.1945 (New)
Package is "libgcrypt"
Fri Oct 20 23:15:32 2023 rev:99 rq:1118833 version:1.10.2
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-10-13
23:14:13.890058680 +0200
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1945/libgcrypt.changes
2023-10-20 23:15:36.487982838 +0200
@@ -1,0 +2,7 @@
+Tue Oct 17 10:27:15 UTC 2023 - Pedro Monreal
+
+- Do not pull revision info from GIT when autoconf is run. This
+ removes the -unknown suffix after the version number.
+ * Add libgcrypt-nobetasuffix.patch [bsc#1216334]
+
+---
New:
libgcrypt-nobetasuffix.patch
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.4kjbkJ/_old 2023-10-20 23:15:37.216009401 +0200
+++ /var/tmp/diff_new_pack.4kjbkJ/_new 2023-10-20 23:15:37.220009547 +0200
@@ -37,6 +37,8 @@
Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch
#PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode
while typing Tab key to Auto-Completion
Patch2: libgcrypt-1.10.0-out-of-core-handler.patch
+#PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run
+Patch3: libgcrypt-nobetasuffix.patch
# FIPS patches:
#PATCH-FIX-SUSE bsc#1190700 FIPS: Provide a service-level indicator for PK
Patch100: libgcrypt-FIPS-SLI-pk.patch
++ libgcrypt-nobetasuffix.patch ++
Index: libgcrypt-1.10.2/autogen.sh
===
--- libgcrypt-1.10.2.orig/autogen.sh
+++ libgcrypt-1.10.2/autogen.sh
@@ -249,7 +249,7 @@ if [ "$myhost" = "find-version" ]; then
fi
beta=no
-if [ -e .git ]; then
+if false; then
ingit=yes
tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null)
tmp=$(echo "$tmp" | sed s/^"$package"//)
@@ -265,8 +265,8 @@ if [ "$myhost" = "find-version" ]; then
rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null)))
else
ingit=no
- beta=yes
- tmp="-unknown"
+ beta=no
+ tmp=""
rev="000"
rvd="0"
fi
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2023-10-13 23:13:57
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.20540 (New)
Package is "libgcrypt"
Fri Oct 13 23:13:57 2023 rev:98 rq:1116820 version:1.10.2
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-05-28
19:22:01.296668951 +0200
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.20540/libgcrypt.changes
2023-10-13 23:14:13.890058680 +0200
@@ -1,0 +2,13 @@
+Tue Oct 3 12:58:41 UTC 2023 - Pedro Monreal
+
+- POWER: performance enhancements for cryptography [jsc#PED-5088]
+ * Optimize Chacha20 and Poly1305 for PPC P10 LE: [T6006]
+- Chacha20/poly1305: Optimized chacha20/poly1305 for
+ P10 operation [rC88fe7ac33eb4]
+- ppc: enable P10 assembly with ENABLE_FORCE_SOFT_HWFEATURES
+ on arch-3.00 [rC2c5e5ab6843d]
+ * Add patches:
+- libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
+- libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch
+
+---
New:
libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.XeNXXx/_old 2023-10-13 23:14:14.506081023 +0200
+++ /var/tmp/diff_new_pack.XeNXXx/_new 2023-10-13 23:14:14.506081023 +0200
@@ -48,6 +48,9 @@
Patch103: libgcrypt-jitterentropy-3.4.0.patch
#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
Patch104: libgcrypt-FIPS-rndjent_poll.patch
+# POWER patches [jsc#PED-5088] POWER performance enhancements for cryptography
+Patch200: libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
+Patch201: libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch
BuildRequires: automake >= 1.14
BuildRequires: libgpg-error-devel >= 1.27
BuildRequires: libtool
++ libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch ++
1994 lines (skipped)
++ libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch ++
commit 2c5e5ab6843d747c4b877d2c6f47226f61e9ff14
Author: Jussi Kivilinna
Date: Sun Jun 12 21:51:34 2022 +0300
ppc enable P10 assembly with ENABLE_FORCE_SOFT_HWFEATURES on arch 3.00
* cipher/chacha20.c (chacha20_do_setkey) [USE_PPC_VEC]: Enable
P10 assembly for HWF_PPC_ARCH_3_00 if ENABLE_FORCE_SOFT_HWFEATURES is
defined.
* cipher/poly1305.c (poly1305_init) [POLY1305_USE_PPC_VEC]: Likewise.
* cipher/rijndael.c (do_setkey) [USE_PPC_CRYPTO_WITH_PPC9LE]: Likewise.
---
This change allows testing P10 implementations with P9 and with QEMU-PPC.
GnuPG-bug-id: 6006
Signed-off-by: Jussi Kivilinna
Index: libgcrypt-1.10.2/cipher/chacha20.c
===
--- libgcrypt-1.10.2.orig/cipher/chacha20.c
+++ libgcrypt-1.10.2/cipher/chacha20.c
@@ -484,6 +484,11 @@ chacha20_do_setkey (CHACHA20_context_t *
ctx->use_ppc = (features & HWF_PPC_ARCH_2_07) != 0;
# ifndef WORDS_BIGENDIAN
ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0;
+# ifdef ENABLE_FORCE_SOFT_HWFEATURES
+ /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10.
+ * Actual implementation works with HWF_PPC_ARCH_3_00 also. */
+ ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0;
+# endif
# endif
#endif
#ifdef USE_S390X_VX
Index: libgcrypt-1.10.2/cipher/poly1305.c
===
--- libgcrypt-1.10.2.orig/cipher/poly1305.c
+++ libgcrypt-1.10.2/cipher/poly1305.c
@@ -90,11 +90,19 @@ static void poly1305_init (poly1305_cont
const byte key[POLY1305_KEYLEN])
{
POLY1305_STATE *st = &ctx->state;
+ unsigned int features = _gcry_get_hw_features ();
#ifdef POLY1305_USE_PPC_VEC
- ctx->use_p10 = (_gcry_get_hw_features () & HWF_PPC_ARCH_3_10) != 0;
+ ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0;
+# ifdef ENABLE_FORCE_SOFT_HWFEATURES
+ /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10.
+ * Actual implementation works with HWF_PPC_ARCH_3_00 also. */
+ ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0;
+# endif
#endif
+ (void)features;
+
ctx->leftover = 0;
st->h[0] = 0;
Index: libgcrypt-1.10.2/cipher/rijndael.c
===
--- libgcrypt-1.10.2.orig/cipher/rijndael.c
+++ libgcrypt-1.10.2/cipher/rijndael.c
@@ -605,6 +605,12 @@ do_setkey (RIJNDAEL_context *ctx, const
bulk_ops->xts_c
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2023-05-28 19:21:50
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.1533 (New)
Package is "libgcrypt"
Sun May 28 19:21:50 2023 rev:97 rq:1089003 version:1.10.2
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-04-14
13:12:03.075211508 +0200
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1533/libgcrypt.changes
2023-05-28 19:22:01.296668951 +0200
@@ -1,0 +2,7 @@
+Mon May 22 11:32:53 UTC 2023 - Pedro Monreal
+
+- FIPS: Merge the libgcrypt20-hmac package into the library and
+ remove the "module is complete" trigger file .fips [bsc#1185116]
+ * Remove libgcrypt-1.10.0-use-fipscheck.patch
+
+---
Old:
libgcrypt-1.10.0-use-fipscheck.patch
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.BXNKVA/_old 2023-05-28 19:22:01.932672736 +0200
+++ /var/tmp/diff_new_pack.BXNKVA/_new 2023-05-28 19:22:01.936672760 +0200
@@ -16,7 +16,6 @@
#
-%define build_hmac256 1
%define libsover 20
%define libsoname %{name}%{libsover}
%define hmac_key orboDeJITITejsirpADONivirpUkvarP
@@ -49,8 +48,6 @@
Patch103: libgcrypt-jitterentropy-3.4.0.patch
#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
Patch104: libgcrypt-FIPS-rndjent_poll.patch
-#PATCH-FIX-SUSE Check the FIPS "module is complete" trigger file .fips
-Patch105: libgcrypt-1.10.0-use-fipscheck.patch
BuildRequires: automake >= 1.14
BuildRequires: libgpg-error-devel >= 1.27
BuildRequires: libtool
@@ -68,23 +65,13 @@
Summary:The GNU Crypto Library
License:GPL-2.0-or-later AND LGPL-2.1-or-later
Group: System/Libraries
-Suggests: %{libsoname}-hmac = %{version}-%{release}
+Provides: %{libsoname}-hmac = %{version}-%{release}
+Obsoletes: %{libsoname}-hmac < %{version}-%{release}
%description -n %{libsoname}
Libgcrypt is a general purpose crypto library based on the code used in
GnuPG (alpha version).
-%package -n %{libsoname}-hmac
-Summary:HMAC checksums for the GNU Crypto Library
-License:GPL-2.0-or-later AND LGPL-2.1-or-later
-Group: System/Libraries
-Requires: %{libsoname} = %{version}-%{release}
-
-%description -n %{libsoname}-hmac
-Libgcrypt is a general purpose crypto library based on the code used in
-GnuPG (alpha version). This package contains the HMAC checksum files
-for integrity checking the library, as required by FIPS 140-2.
-
%package devel
Summary:The GNU Crypto Library
License:GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND
MIT
@@ -109,8 +96,6 @@
sed -i "s/libgcrypt\.so\.hmac/\.libgcrypt\.so\.%{libsover}\.hmac/g"
src/Makefile.am src/Makefile.in
%build
-echo building with build_hmac256 set to %{build_hmac256}
-
export PUBKEYS="dsa elgamal rsa ecc"
export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed
camellia idea salsa20 gost28147 chacha20 sm4"
export DIGESTS="crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger
whirlpool stribog blake2 sm3"
@@ -139,18 +124,13 @@
%make_build
%check
-%make_build check
+make -k check
# run the regression tests also in FIPS mode
-LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check VERBOSE=1 || true
+LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true
# Install the FIPS hmac file
cp src/.libgcrypt.so.%{libsover}.hmac %{buildroot}%{_libdir}/
-# create the FIPS "module is complete" trigger file
-%if 0%{?build_hmac256}
-touch %{buildroot}%{_libdir}/.%{name}.so.%{libsover}.fips
-%endif
-
%install
%make_install
rm %{buildroot}%{_libdir}/%{name}.la
@@ -170,12 +150,7 @@
%dir %{_sysconfdir}/gcrypt
%config(noreplace) %{_sysconfdir}/gcrypt/random.conf
%config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny
-
-%files -n %{libsoname}-hmac
%{_libdir}/.libgcrypt.so.*.hmac
-%if 0%{?build_hmac256}
-%{_libdir}/.libgcrypt.so.*.fips
-%endif
%files devel
%license COPYING COPYING.LIB LICENSES
++ baselibs.conf ++
--- /var/tmp/diff_new_pack.BXNKVA/_old 2023-05-28 19:22:01.972672974 +0200
+++ /var/tmp/diff_new_pack.BXNKVA/_new 2023-05-28 19:22:01.976672998 +0200
@@ -1,8 +1,9 @@
libgcrypt20
- obsoletes "libgcrypt- <= "
provides "libgcrypt- = "
-libgcrypt20-hmac
+ obsoletes "libgcrypt- <= "
+ provides "libgcrypt20-hmac- = -%release"
+ obsoletes "libgcrypt20-hmac- < -%release"
libgcrypt-devel
- requires -libgcrypt-
- requires "libgcrypt20- = "
+ requires -libgcrypt-
+ requires "libgcrypt20- = "
++ hwf.deny ++
--- /var/tmp/diff_new_pack.BXNKVA/_
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2023-04-14 13:12:01
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.19717 (New)
Package is "libgcrypt"
Fri Apr 14 13:12:01 2023 rev:96 rq:1078615 version:1.10.2
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-03-12
16:22:14.580235539 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.19717/libgcrypt.changes
2023-04-14 13:12:03.075211508 +0200
@@ -1,0 +2,43 @@
+Tue Apr 11 14:08:24 UTC 2023 - Pedro Monreal
+
+- Update to 1.10.2:
+ * Bug fixes:
+- Fix Argon2 for the case output > 64. [rC13b5454d26]
+- Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44]
+- Fix RSA key generation failure in forced FIPS mode. [T5919]
+- Fix gcry_pk_hash_verify for explicit hash. [T6066]
+- Fix a wrong result of gcry_mpi_invm. [T5970]
+- Allow building with --disable-asm for HPPA. [T5976]
+- Allow building with -Oz. [T6432]
+- Enable the fast path to ChaCha20 only when supported. [T6384]
+- Use size_t to avoid counter overflow in Keccak when directly
+ feeding more than 4GiB. [T6217]
+ * Other:
+- Do not use secure memory for a DRBG instance. [T5933]
+- Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918]
+- Fix the behaviour for child process re-seeding in the DRBG.
[rC019a40c990]
+- Allow verification of small RSA signatures in FIPS mode. [T5975]
+- Allow the use of a shorter salt for KDFs in FIPS mode. [T6039]
+- Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165]
+- Add function-name based FIPS indicator function.
+ GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered
+ an ABI changes because the new FIPS features were not yet
+ approved. [rC822ee57f07]
+- Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397]
+- Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9]
+- Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a]
+- Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219]
+- Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba]
+- Prefer gpgrt-config when available. [T5034]
+- Mark AESWRAP as approved FIPS algorithm. [T5512]
+- Prevent usage of long salt for PSS in FIPS mode. [rCfdd2a8b332]
+- Prevent usage of X9.31 keygen in FIPS mode. [rC392e0ccd25]
+- Remove GCM mode from the allowed FIPS indicators. [rC1540698389]
+- Add explicit FIPS indicators for hash and MAC algorithms. [T6376]
+ * Release-info: https://dev.gnupg.org/T5905
+ * Rebase FIPS patches:
+- libgcrypt-FIPS-SLI-hash-mac.patch
+- libgcrypt-FIPS-SLI-kdf-leylength.patch
+- libgcrypt-FIPS-SLI-pk.patch
+
+---
Old:
libgcrypt-1.10.1.tar.bz2
libgcrypt-1.10.1.tar.bz2.sig
New:
libgcrypt-1.10.2.tar.bz2
libgcrypt-1.10.2.tar.bz2.sig
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.AHOGvs/_old 2023-04-14 13:12:03.835215854 +0200
+++ /var/tmp/diff_new_pack.AHOGvs/_new 2023-04-14 13:12:03.839215877 +0200
@@ -21,7 +21,7 @@
%define libsoname %{name}%{libsover}
%define hmac_key orboDeJITITejsirpADONivirpUkvarP
Name: libgcrypt
-Version:1.10.1
+Version:1.10.2
Release:0
Summary:The GNU Crypto Library
License:GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -36,20 +36,21 @@
Source5:libgcrypt.keyring
Source99: libgcrypt.changes
Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch
-#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK
-Patch2: libgcrypt-FIPS-SLI-pk.patch
-#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
-Patch3: libgcrypt-FIPS-SLI-hash-mac.patch
-#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf()
-Patch4: libgcrypt-FIPS-SLI-kdf-leylength.patch
#PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode
while typing Tab key to Auto-Completion
-Patch5: libgcrypt-1.10.0-out-of-core-handler.patch
-#PATCH-FIX-UPSTREAM bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use
jitterentropy
-Patch6: libgcrypt-jitterentropy-3.4.0.patch
+Patch2: libgcrypt-1.10.0-out-of-core-handler.patch
+# FIPS patches:
+#PATCH-FIX-SUSE bsc#1190700 FIPS: Provide a service-level indicator for PK
+Patch100: libgcrypt-FIPS-SLI-pk.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf()
+Patch101: libgcrypt-FIPS-SLI-kdf-leylength
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2023-03-12 16:22:13
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.31432 (New)
Package is "libgcrypt"
Sun Mar 12 16:22:13 2023 rev:95 rq:1070246 version:1.10.1
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2022-11-27
12:52:54.187163065 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.31432/libgcrypt.changes
2023-03-12 16:22:14.580235539 +0100
@@ -1,0 +2,5 @@
+Wed Mar 8 10:34:34 UTC 2023 - Martin Pluskal
+
+- Build AVX2 enabled hwcaps library for x86_64-v3
+
+---
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.WG3u7f/_old 2023-03-12 16:22:16.004241810 +0100
+++ /var/tmp/diff_new_pack.WG3u7f/_new 2023-03-12 16:22:16.012241845 +0100
@@ -1,7 +1,7 @@
#
# spec file for package libgcrypt
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -55,6 +55,7 @@
BuildRequires: libtool
BuildRequires: makeinfo
BuildRequires: pkgconfig
+%{?suse_build_hwcaps_libs}
%description
Libgcrypt is a general purpose library of cryptographic building
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2022-11-27 12:52:48 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.1597 (New) Package is "libgcrypt" Sun Nov 27 12:52:48 2022 rev:94 rq:1038228 version:1.10.1 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2022-09-19 16:02:45.978058930 +0200 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1597/libgcrypt.changes 2022-11-27 12:52:54.187163065 +0100 @@ -1,0 +2,135 @@ +Wed Oct 19 14:01:24 UTC 2022 - Pedro Monreal + +- Update to 1.10.1: + * Bug fixes: +- Fix minor memory leaks in FIPS mode. +- Build fixes for MUSL libc. + * Other: +- More portable integrity check in FIPS mode. +- Add X9.62 OIDs to sha256 and sha512 modules. + * Add the hardware optimizations config file hwf.deny to +the /etc/gcrypt/ directory. This file can be used to globally +disable the use of hardware based optimizations. + * Remove not needed separate_hmac256_binary hmac256 package + +--- +Wed Sep 14 13:34:13 UTC 2022 - Pedro Monreal + +- Update to 1.10.0: + * New and extended interfaces: +- New control codes to check for FIPS 140-3 approved algorithms. +- New control code to switch into non-FIPS mode. +- New cipher modes SIV and GCM-SIV as specified by RFC-5297. +- Extended cipher mode AESWRAP with padding as specified by + RFC-5649. +- New set of KDF functions. +- New KDF modes Argon2 and Balloon. +- New functions for combining hashing and signing/verification. + * Performance: +- Improved support for PowerPC architectures. +- Improved ECC performance on zSeries/s390x by using accelerated + scalar multiplication. +- Many more assembler performance improvements for several + architectures. + * Bug fixes: +- Fix Elgamal encryption for other implementations. + [bsc#1190239, CVE-2021-40528] +- Check the input length of the point in ECDH. +- Fix an abort in gcry_pk_get_param for "Curve25519". + * Other features: +- The control code GCRYCTL_SET_ENFORCED_FIPS_FLAG is ignored + because it is useless with the FIPS 140-3 related changes. +- Update of the jitter entropy RNG code. +- Simplification of the entropy gatherer when using the getentropy + system call. + * Interface changes relative to the 1.10.0 release: +- GCRYCTL_SET_DECRYPTION_TAGNEW control code. +- GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER NEW control code. +- GCRYCTL_FIPS_SERVICE_INDICATOR_KDFNEW control code. +- GCRYCTL_NO_FIPS_MODE = 83 NEW control code. +- GCRY_CIPHER_MODE_SIV NEW mode. +- GCRY_CIPHER_MODE_GCM_SIV NEW mode. +- GCRY_CIPHER_EXTENDED NEW flag. +- GCRY_SIV_BLOCK_LENNEW macro. +- gcry_cipher_set_decryption_tagNEW macro. +- GCRY_KDF_ARGON2 NEW constant. +- GCRY_KDF_BALLOON NEW constant. +- GCRY_KDF_ARGON2D NEW constant. +- GCRY_KDF_ARGON2I NEW constant. +- GCRY_KDF_ARGON2ID NEW constant. +- gcry_kdf_hd_t NEW type. +- gcry_kdf_job_fn_t NEW type. +- gcry_kdf_dispatch_job_fn_tNEW type. +- gcry_kdf_wait_all_jobs_fn_t NEW type. +- struct gcry_kdf_thread_opsNEW struct. +- gcry_kdf_open NEW function. +- gcry_kdf_compute NEW function. +- gcry_kdf_finalNEW function. +- gcry_kdf_closeNEW function. +- gcry_pk_hash_sign NEW function. +- gcry_pk_hash_verify NEW function. +- gcry_pk_random_override_new NEW function. + * Rebase libgcrypt-1.8.4-allow_FSM_same_state.patch and rename +to libgcrypt-1.10.0-allow_FSM_same_state.patch + * Remove unused CAVS tests and related patches: +- cavs_driver.pl cavs-test.sh +- libgcrypt-1.6.1-fips-cavs.patch +- drbg_test.patch + * Remove DSA sign/verify patches for the FIPS CAVS test since DSA +has been disabled in FIPS mode: +- libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch +- libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch + * Rebase libgcrypt-FIPS-SLI-pk.patch + * Rebase libgcrypt_indicators_changes.patch and +libgcrypt-indicate-shake.patch and merge both into +libgcrypt-FIPS-SLI-hash-mac.patch + * Rebase libgcrypt-FIPS-kdf-leylength.patch and rename to +libgcrypt-FIPS-SLI-kdf-leylength.patch + * Rebase libg
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2022-09-19 16:02:44
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.2083 (New)
Package is "libgcrypt"
Mon Sep 19 16:02:44 2022 rev:93 rq:1004197 version:1.9.4
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2022-09-07
11:05:09.888273563 +0200
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.2083/libgcrypt.changes
2022-09-19 16:02:45.978058930 +0200
@@ -1,0 +2,20 @@
+Thu Sep 8 10:34:53 UTC 2022 - Pedro Monreal
+
+- FIPS: Get most of the entropy from rndjent_poll [bsc#1202117]
+ * Add libgcrypt-FIPS-rndjent_poll.patch
+ * Rebase libgcrypt-jitterentropy-3.4.0.patch
+
+---
+Wed Sep 7 22:03:51 UTC 2022 - Pedro Monreal
+
+- FIPS: Check keylength in gcry_fips_indicator_kdf() [bsc#1190700]
+ * Consider approved keylength greater or equal to 112 bits.
+ * Add libgcrypt-FIPS-kdf-leylength.patch
+
+---
+Wed Sep 7 12:53:14 UTC 2022 - Pedro Monreal
+
+- FIPS: Zeroize buffer and digest in check_binary_integrity()
+ * Add libgcrypt-FIPS-Zeroize-hmac.patch [bsc#1191020]
+
+---
New:
libgcrypt-FIPS-Zeroize-hmac.patch
libgcrypt-FIPS-kdf-leylength.patch
libgcrypt-FIPS-rndjent_poll.patch
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.zgXpFt/_old 2022-09-19 16:02:47.010061687 +0200
+++ /var/tmp/diff_new_pack.zgXpFt/_new 2022-09-19 16:02:47.018061708 +0200
@@ -107,6 +107,12 @@
Patch46:libgcrypt-jitterentropy-3.4.0.patch
#PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode
while typing Tab key to Auto-Completion
Patch47:libgcrypt-out-of-core-handler.patch
+#PATCH-FIX-SUSE bsc#1191020 FIPS: Zeroize buffer and digest in
check_binary_integrity()
+Patch48:libgcrypt-FIPS-Zeroize-hmac.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf()
+Patch49:libgcrypt-FIPS-kdf-leylength.patch
+#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
+Patch50:libgcrypt-FIPS-rndjent_poll.patch
BuildRequires: automake >= 1.14
BuildRequires: fipscheck
BuildRequires: libgpg-error-devel >= 1.27
++ libgcrypt-FIPS-Zeroize-hmac.patch ++
Index: libgcrypt-1.9.4/src/fips.c
===
--- libgcrypt-1.9.4.orig/src/fips.c
+++ libgcrypt-1.9.4/src/fips.c
@@ -905,6 +905,10 @@ check_binary_integrity (void)
char *fname = NULL;
const char key[] = "orboDeJITITejsirpADONivirpUkvarP";
+ /* A buffer of 64 bytes plus one for a LF and one to
+ * detect garbage. */
+ unsigned char buffer[64+1+1];
+
if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath,
sizeof(libpath)))
err = gpg_error_from_syserror ();
else
@@ -927,9 +931,6 @@ check_binary_integrity (void)
err = gpg_error_from_syserror ();
else
{
- /* A buffer of 64 bytes plus one for a LF and one to
- detect garbage. */
- unsigned char buffer[64+1+1];
const unsigned char *s;
int n;
@@ -957,6 +958,9 @@ check_binary_integrity (void)
}
}
}
+ /* Zeroize digest and buffer */
+ memset (digest, 0, sizeof(digest));
+ memset (buffer, 0, sizeof(buffer));
reporter ("binary", 0, fname, err? gpg_strerror (err):NULL);
#ifdef HAVE_SYSLOG
if (err)
++ libgcrypt-FIPS-kdf-leylength.patch ++
Index: libgcrypt-1.9.4/src/fips.c
===
--- libgcrypt-1.9.4.orig/src/fips.c
+++ libgcrypt-1.9.4/src/fips.c
@@ -475,10 +475,15 @@ int
_gcry_fips_indicator_kdf (va_list arg_ptr)
{
enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
+ unsigned int keylen = 0;
switch (alg)
{
case GCRY_KDF_PBKDF2:
+ keylen = va_arg (arg_ptr, unsigned int);
+ if (keylen < 112) {
+return GPG_ERR_NOT_SUPPORTED;
+ }
return GPG_ERR_NO_ERROR;
default:
return GPG_ERR_NOT_SUPPORTED;
Index: libgcrypt-1.9.4/doc/gcrypt.texi
===
--- libgcrypt-1.9.4.orig/doc/gcrypt.texi
+++ libgcrypt-1.9.4/doc/gcrypt.texi
@@ -983,10 +983,12 @@ algorithm supports different key sizes).
this function returns @code{GPS_ERR_NO_ERROR}. Otherwise
@code{GPG_ERR_NOT_SUPPORTED}
is returned
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2022-09-07 11:05:09
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.2083 (New)
Package is "libgcrypt"
Wed Sep 7 11:05:09 2022 rev:92 rq:1001249 version:1.9.4
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2022-08-04
13:22:45.636379017 +0200
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.2083/libgcrypt.changes
2022-09-07 11:05:09.888273563 +0200
@@ -1,0 +2,16 @@
+Tue Aug 23 09:19:00 UTC 2022 - Pedro Monreal
+
+- FIPS: gpg/gpg2 gets out of core handler in FIPS mode while
+ typing Tab key to Auto-Completion. [bsc#1182983]
+ * Add libgcrypt-out-of-core-handler.patch
+
+---
+Mon Aug 8 11:33:03 UTC 2022 - Pedro Monreal
+
+- FIPS: Port libgcrypt to use jitterentropy [bsc#1202117, jsc#SLE-24941]
+ * Enable the jitter based entropy generator by default in random.conf
+- Add libgcrypt-jitterentropy-3.3.0.patch
+ * Update the internal jitterentropy to version 3.4.0
+- Add libgcrypt-jitterentropy-3.4.0.patch
+
+---
@@ -6,0 +23,25 @@
+
+---
+Thu Apr 14 12:30:36 UTC 2022 - Dennis Knorr
+
+- FIPS: extend the service indicator [bsc#1190700]
+ * introduced a pk indicator function
+ * adapted the approved and non approved ciphersuites
+ * Add libgcrypt_indicators_changes.patch
+ * Add libgcrypt-indicate-shake.patch
+
+---
+Tue Mar 22 12:32:09 UTC 2022 - Pedro Monreal
+
+- FIPS: Implement a service indicator for asymmetric ciphers [bsc#1190700]
+ * Mark RSA public key encryption and private key decryption with
+padding (e.g. OAEP, PKCS) as non-approved since RSA-OAEP lacks
+peer key assurance validation requirements per SP800-56Brev2.
+ * Mark ECC as approved only for NIST curves P-224, P-256, P-384
+and P-521 with check for common NIST names and aliases.
+ * Mark DSA, ELG, EDDSA, ECDSA and ECDH as non-approved.
+ * Add libgcrypt-FIPS-SLI-pk.patch
+ * Rebase libgcrypt-FIPS-service-indicators.patch
+- Run the regression tests also in FIPS mode.
+ * Disable tests for non-FIPS approved algos.
+ * Rebase: libgcrypt-FIPS-verify-unsupported-KDF-test.patch
New:
libgcrypt-FIPS-SLI-pk.patch
libgcrypt-indicate-shake.patch
libgcrypt-jitterentropy-3.3.0.patch
libgcrypt-jitterentropy-3.4.0.patch
libgcrypt-out-of-core-handler.patch
libgcrypt_indicators_changes.patch
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.SWckUY/_old 2022-09-07 11:05:12.156279327 +0200
+++ /var/tmp/diff_new_pack.SWckUY/_new 2022-09-07 11:05:12.160279338 +0200
@@ -96,6 +96,17 @@
Patch40:libgcrypt-FIPS-service-indicators.patch
#PATCH-FIX-UPSTREAM bsc#1195385 FIPS: Disable DSA in FIPS mode
Patch41:libgcrypt-FIPS-disable-DSA.patch
+#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK
+Patch42:libgcrypt-FIPS-SLI-pk.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
+Patch43:libgcrypt_indicators_changes.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS allow shake
+Patch44:libgcrypt-indicate-shake.patch
+#PATCH-FIX-UPSTREAM bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use
jitterentropy
+Patch45:libgcrypt-jitterentropy-3.3.0.patch
+Patch46:libgcrypt-jitterentropy-3.4.0.patch
+#PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode
while typing Tab key to Auto-Completion
+Patch47:libgcrypt-out-of-core-handler.patch
BuildRequires: automake >= 1.14
BuildRequires: fipscheck
BuildRequires: libgpg-error-devel >= 1.27
@@ -213,6 +224,9 @@
fipshmac src/.libs/libgcrypt.so.??
%make_build check
+# run the regression tests also in FIPS mode
+LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check VERBOSE=1 || true
+
%install
%make_install
rm %{buildroot}%{_libdir}/%{name}.la
++ libgcrypt-FIPS-SLI-pk.patch ++
Index: libgcrypt-1.9.4/src/fips.c
===
--- libgcrypt-1.9.4.orig/src/fips.c
+++ libgcrypt-1.9.4/src/fips.c
@@ -32,6 +32,7 @@
#include "g10lib.h"
#include "cipher-proto.h"
+#include "cipher.h"
#include "hmac256.h"
@@ -482,6 +483,78 @@ _gcry_fips_indicator_kdf (va_list arg_pt
default:
return GPG_ERR_NOT_SUPPORTED;
}
+}
+
+
+/* FIPS approved curves, extracted from:
+ * cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */
+static const struct
+{
+ const char
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2022-08-04 13:22:40
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.1521 (New)
Package is "libgcrypt"
Thu Aug 4 13:22:40 2022 rev:91 rq:991962 version:1.9.4
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2022-02-05
23:22:56.704022419 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1521/libgcrypt.changes
2022-08-04 13:22:45.636379017 +0200
@@ -1,0 +2,7 @@
+Mon Aug 1 07:27:35 UTC 2022 - Stephan Kulow
+
+- Fix reproducible build problems:
+ - Do not use %release in binaries (but use SOURCE_DATE_EPOCH)
+ - Fix date call messed up by spec-cleaner
+
+---
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.oqs9sf/_old 2022-08-04 13:22:46.680381979 +0200
+++ /var/tmp/diff_new_pack.oqs9sf/_new 2022-08-04 13:22:46.684381991 +0200
@@ -179,11 +179,11 @@
%build
echo building with build_hmac256 set to %{build_hmac256}
autoreconf -fi
-date=$(date -u +%{Y}-%{m}-%{dT}%{H}:%{M}+ -r %{SOURCE99})
+date=$(date -u '+%%Y-%%m-%%dT%%H:%%M+' -r %{SOURCE99})
sed -e "s,BUILD_TIMESTAMP=.*,BUILD_TIMESTAMP=$date," -i configure
export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
%configure \
- --with-fips-module-version="Libgcrypt version
%{version}-%{release}" \
+ --with-fips-module-version="Libgcrypt version
%{version}-$SOURCE_DATE_EPOCH" \
--enable-noexecstack \
--disable-static \
--enable-m-guard \
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2022-02-05 23:22:53 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.1898 (New) Package is "libgcrypt" Sat Feb 5 23:22:53 2022 rev:90 rq:950434 version:1.9.4 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2021-12-18 20:30:30.790251445 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1898/libgcrypt.changes 2022-02-05 23:22:56.704022419 +0100 @@ -1,0 +2,18 @@ +Tue Feb 1 11:28:51 UTC 2022 - Pedro Monreal + +- FIPS: Disable DSA in FIPS mode [bsc#1195385] + * Upstream task: https://dev.gnupg.org/T5710 + * Add libgcrypt-FIPS-disable-DSA.patch + +--- +Wed Jan 19 08:36:58 UTC 2022 - Pedro Monreal + +- FIPS: Service level indicator [bsc#1190700] + * Provide an indicator to check wether the service utilizes an +approved cryptographic algorithm or not. + * Add patches: +- libgcrypt-FIPS-service-indicators.patch +- libgcrypt-FIPS-verify-unsupported-KDF-test.patch +- libgcrypt-FIPS-HMAC-short-keylen.patch + +--- @@ -6,0 +25,56 @@ + +--- +Tue Nov 30 09:42:23 UTC 2021 - Pedro Monreal + +- FIPS: Define an entropy source SP800-90B compliant [bsc#1185140] + * Disable jitter entropy by default in random.conf + * Disable only-urandom option by default in random.conf + +--- +Fri Nov 26 13:10:29 UTC 2021 - Pedro Monreal + +- FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192240] + * rsa: Check RSA keylen constraints for key operations. + * rsa: Fix regression in not returning an error for prime generation. + * tests: Add 2k RSA key working in FIPS mode. + * tests: pubkey: Replace RSA key to one of 2k. + * tests: pkcs1v2: Skip tests with small keys in FIPS. + * Add patches: +- libgcrypt-FIPS-RSA-keylen.patch +- libgcrypt-FIPS-RSA-keylen-tests.patch + +--- +Mon Nov 8 10:21:39 UTC 2021 - Pedro Monreal + +- FIPS: Disable 3DES/Triple-DES in FIPS mode [bsc#1185138] + * Add libgcrypt-FIPS-disable-3DES.patch + +--- +Tue Nov 2 11:31:19 UTC 2021 - Pedro Monreal + +- FIPS: PBKDF requirements [bsc#1185137] + * The PBKDF2 selftests were introduced in libgcrypt version +1.9.1 in the function selftest_pbkdf2() + * Upstream task: https://dev.gnupg.org/T5182 + +--- +Thu Oct 28 19:48:06 UTC 2021 - Pedro Monreal + +- FIPS: Fix regression tests in FIPS mode [bsc#1192131] + * Add libgcrypt-FIPS-fix-regression-tests.patch + * Upstream task: https://dev.gnupg.org/T5520 + +--- +Thu Sep 21 11:25:06 UTC 2021 - Pedro Monreal + +- FIPS: Provide a module name/identifier and version that can be + mapped to the validation records. [bsc#1190706] + * Add libgcrypt-FIPS-module-version.patch + * Upstream task: https://dev.gnupg.org/T5600 + +--- +Thu Sep 21 10:23:44 UTC 2021 - Pedro Monreal + +- FIPS: Enable hardware support also in FIPS mode [bsc#1187110] + * Add libgcrypt-FIPS-hw-optimizations.patch + * Upstream task: https://dev.gnupg.org/T5508 New: libgcrypt-FIPS-HMAC-short-keylen.patch libgcrypt-FIPS-RSA-keylen-tests.patch libgcrypt-FIPS-RSA-keylen.patch libgcrypt-FIPS-disable-3DES.patch libgcrypt-FIPS-disable-DSA.patch libgcrypt-FIPS-fix-regression-tests.patch libgcrypt-FIPS-hw-optimizations.patch libgcrypt-FIPS-module-version.patch libgcrypt-FIPS-service-indicators.patch libgcrypt-FIPS-verify-unsupported-KDF-test.patch Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.eMt3ZZ/_old 2022-02-05 23:22:57.576016454 +0100 +++ /var/tmp/diff_new_pack.eMt3ZZ/_new 2022-02-05 23:22:57.580016427 +0100 @@ -1,7 +1,7 @@ # # spec file for package libgcrypt # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,7 +27,7 @@ Summary:The GNU Crypto Library License:GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later Group: Development/Libraries/C and C++ -URL:https://directory.fsf.org/wiki/Libgc
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2021-12-18 20:29:55
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.2520 (New)
Package is "libgcrypt"
Sat Dec 18 20:29:55 2021 rev:89 rq:940475 version:1.9.4
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2021-08-28
22:31:06.146104274 +0200
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.2520/libgcrypt.changes
2021-12-18 20:30:30.790251445 +0100
@@ -1,0 +2,7 @@
+Tue Dec 7 09:41:01 UTC 2021 - Pedro Monreal
+
+- FIPS: Fix gcry_mpi_sub_ui subtraction [bsc#1193480]
+ * gcry_mpi_sub_ui: fix subtracting from negative value
+ * Add libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch
+
+---
New:
libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.cg4EAO/_old 2021-12-18 20:30:31.650251922 +0100
+++ /var/tmp/diff_new_pack.cg4EAO/_new 2021-12-18 20:30:31.654251925 +0100
@@ -77,6 +77,8 @@
Patch29:libgcrypt-fips_selftest_trigger_file.patch
#PATCH-FIX-SUSE bsc#1189745 The t-lock test is not build with phtread in gcc7,
works in gcc11
Patch30:libgcrypt-pthread-in-t-lock-test.patch
+#PATCH-FIX-UPSTREAM bsc#1193480 FIPS: gcry_mpi_sub_ui: fix subtracting from
negative value
+Patch31:libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch
BuildRequires: automake >= 1.14
BuildRequires: fipscheck
BuildRequires: libgpg-error-devel >= 1.27
++ libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch ++
>From d5bf106468e6c6b0f33b193abf04590e4e9fc011 Mon Sep 17 00:00:00 2001
From: Jussi Kivilinna
Date: Tue, 30 Nov 2021 22:04:16 +0200
Subject: gcry_mpi_sub_ui: fix subtracting from negative value
* mpi/mpi-add.c (_gcry_mpi_sub_ui): Set output sign bit when 'u'
is negative.
* tests/mpitests.c (test_add): Additional tests for mpi_add_ui; Check
test output and fail if output does not match expected.
(test_sub): Additional tests for mpi_sub_ui; Check test output and fail
if output does not match expected.
(test_mul): Additional tests for mpi_mul_ui; Check test output and fail
if output does not match expected.
--
Reported-by: Guido Vranken
Signed-off-by: Jussi Kivilinna
---
mpi/mpi-add.c| 1 +
tests/mpitests.c | 119 ---
2 files changed, 113 insertions(+), 7 deletions(-)
diff --git a/mpi/mpi-add.c b/mpi/mpi-add.c
index 53f476e0..38dd352f 100644
--- a/mpi/mpi-add.c
+++ b/mpi/mpi-add.c
@@ -191,6 +191,7 @@ _gcry_mpi_sub_ui(gcry_mpi_t w, gcry_mpi_t u, unsigned long
v )
cy = _gcry_mpih_add_1(wp, up, usize, v);
wp[usize] = cy;
wsize = usize + cy;
+ wsign = 1;
}
else { /* The signs are different. Need exact comparison to determine
* which operand to subtract from which. */
diff --git a/tests/mpitests.c b/tests/mpitests.c
index 96e01551..48ea18b2 100644
--- a/tests/mpitests.c
+++ b/tests/mpitests.c
@@ -378,7 +378,8 @@ test_add (void)
gcry_mpi_t two;
gcry_mpi_t ff;
gcry_mpi_t result;
- unsigned char* pc;
+ gcry_mpi_t minusfive;
+ char *pc;
gcry_mpi_scan(&one, GCRYMPI_FMT_USG, ones, sizeof(ones), NULL);
gcry_mpi_scan(&two, GCRYMPI_FMT_USG, twos, sizeof(twos), NULL);
@@ -386,21 +387,47 @@ test_add (void)
result = gcry_mpi_new(0);
gcry_mpi_add(result, one, two);
- gcry_mpi_aprint(GCRYMPI_FMT_HEX, &pc, NULL, result);
+ gcry_mpi_aprint(GCRYMPI_FMT_HEX, (unsigned char **)&pc, NULL, result);
if (debug)
gcry_log_debug ("Result of one plus two:\n%s\n", pc);
+ if (strcmp (pc, "030303030303030303030303030303030303030303030303"
+ "030303030303030303030303030303030303030303030303") != 0)
+fail ("mpi_add failed at line %d", __LINE__);
gcry_free(pc);
gcry_mpi_add(result, ff, one);
- gcry_mpi_aprint(GCRYMPI_FMT_HEX, &pc, NULL, result);
+ gcry_mpi_aprint(GCRYMPI_FMT_HEX, (unsigned char **)&pc, NULL, result);
if (debug)
gcry_log_debug ("Result of ff plus one:\n%s\n", pc);
+ if (strcmp (pc, "010101010101010101010101010101010101010101010101"
+ "01010101010101010101010101010101010101010101010100") != 0)
+fail ("mpi_add failed at line %d", __LINE__);
+ gcry_free(pc);
+
+ gcry_mpi_scan(&minusfive, GCRYMPI_FMT_HEX, "-5", 0, NULL);
+ gcry_mpi_add_ui (result, minusfive, 2);
+
+ gcry_mpi_aprint(GCRYMPI_FMT_HEX, (unsigned char **)&pc, NULL, result);
+ if (debug)
+gcry_log_debug ("Result of minus five plus two:\n%s\n", pc);
+ if (strcmp (pc, "-03") != 0)
+fail ("mpi_add_ui failed at line %d", __LINE__);
+ gcry_free(pc);
+
+ gcry_mpi_a
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2021-08-28 22:31:04
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.1899 (New)
Package is "libgcrypt"
Sat Aug 28 22:31:04 2021 rev:88 rq:913986 version:1.9.4
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2021-06-18
10:13:18.329956114 +0200
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1899/libgcrypt.changes
2021-08-28 22:31:06.146104274 +0200
@@ -1,0 +2,25 @@
+Mon Aug 23 12:08:24 UTC 2021 - Pedro Monreal
+
+- Update to 1.9.4:
+ * Bug fixes:
+- Fix Elgamal encryption for other implementations. [CVE-2021-33560]
+- Fix alignment problem on macOS.
+- Check the input length of the point in ECDH.
+- Fix an abort in gcry_pk_get_param for "Curve25519".
+ * Other features:
+- Add GCM and CCM to OID mapping table for AES.
+ * Upstream libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
+
+---
+Mon Aug 23 10:11:55 UTC 2021 - Pedro Monreal
+
+- Remove not needed patch libgcrypt-sparcv9.diff
+
+---
+Thu Jul 15 12:53:45 UTC 2021 - Pedro Monreal
+
+- Fix building test t-lock with pthread. [bsc#1189745]
+ * Explicitly add -lpthread to compile the t-lock test.
+ * Add libgcrypt-pthread-in-t-lock-test.patch
+
+---
Old:
libgcrypt-1.9.3.tar.bz2
libgcrypt-1.9.3.tar.bz2.sig
libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
libgcrypt-sparcv9.diff
New:
libgcrypt-1.9.4.tar.bz2
libgcrypt-1.9.4.tar.bz2.sig
libgcrypt-pthread-in-t-lock-test.patch
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.mtClYx/_old 2021-08-28 22:31:07.750106057 +0200
+++ /var/tmp/diff_new_pack.mtClYx/_new 2021-08-28 22:31:07.750106057 +0200
@@ -22,7 +22,7 @@
%define libsoname %{name}%{libsover}
%define cavs_dir %{_libexecdir}/%{name}/cavs
Name: libgcrypt
-Version:1.9.3
+Version:1.9.4
Release:0
Summary:The GNU Crypto Library
License:GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -39,7 +39,6 @@
Source6:cavs_driver.pl
Source99: libgcrypt.changes
Patch1: libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch
-Patch2: libgcrypt-sparcv9.diff
Patch3: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
Patch4: libgcrypt-1.6.1-use-fipscheck.patch
Patch5: libgcrypt-1.6.1-fips-cavs.patch
@@ -76,8 +75,8 @@
Patch27:libgcrypt-PCT-DSA.patch
Patch28:libgcrypt-PCT-ECC.patch
Patch29:libgcrypt-fips_selftest_trigger_file.patch
-#PATCH-FIX-UPSTREAM bsc#1187212 CVE-2021-33560 ElGamal encryption lacks
exponent blinding
-Patch30:libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
+#PATCH-FIX-SUSE bsc#1189745 The t-lock test is not build with phtread in gcc7,
works in gcc11
+Patch30:libgcrypt-pthread-in-t-lock-test.patch
BuildRequires: automake >= 1.14
BuildRequires: fipscheck
BuildRequires: libgpg-error-devel >= 1.27
++ libgcrypt-1.9.3.tar.bz2 -> libgcrypt-1.9.4.tar.bz2 ++
3163 lines of diff (skipped)
++ libgcrypt-pthread-in-t-lock-test.patch ++
Index: libgcrypt-1.9.3/tests/Makefile.am
===
--- libgcrypt-1.9.3.orig/tests/Makefile.am
+++ libgcrypt-1.9.3/tests/Makefile.am
@@ -74,7 +74,7 @@ prime_LDADD = $(standard_ldadd) @LDADD_F
t_mpi_bit_LDADD = $(standard_ldadd) @LDADD_FOR_TESTS_KLUDGE@
t_secmem_LDADD = $(standard_ldadd) @LDADD_FOR_TESTS_KLUDGE@
testapi_LDADD = $(standard_ldadd) @LDADD_FOR_TESTS_KLUDGE@
-t_lock_LDADD = $(standard_ldadd) $(GPG_ERROR_MT_LIBS) @LDADD_FOR_TESTS_KLUDGE@
+t_lock_LDADD = $(standard_ldadd) $(GPG_ERROR_MT_LIBS) -lpthread
@LDADD_FOR_TESTS_KLUDGE@
t_lock_CFLAGS = $(GPG_ERROR_MT_CFLAGS)
testdrv_LDADD = $(LDADD_FOR_TESTS_KLUDGE)
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2021-06-18 10:13:11
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.2625 (New)
Package is "libgcrypt"
Fri Jun 18 10:13:11 2021 rev:87 rq:900114 version:1.9.3
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2021-04-26
16:38:13.701942305 +0200
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.2625/libgcrypt.changes
2021-06-18 10:13:18.329956114 +0200
@@ -1,0 +2,9 @@
+Fri Jun 11 13:17:54 UTC 2021 - Pedro Monreal
+
+- Security fix: [bsc#1187212, CVE-2021-33560]
+ * cipher: Fix ElGamal encryption for other implementations.
+ * Exponent blinding was added in version 1.9.3. This patch
+fixes ElGamal encryption, see: https://dev.gnupg.org/T5328
+- Add libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
+
+---
New:
libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.J2oKMi/_old 2021-06-18 10:13:19.005957008 +0200
+++ /var/tmp/diff_new_pack.J2oKMi/_new 2021-06-18 10:13:19.009957013 +0200
@@ -31,16 +31,15 @@
Source:
https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2
Source1:
https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig
Source2:baselibs.conf
+Source3:random.conf
# https://www.gnupg.org/signature_key.en.html
Source4:libgcrypt.keyring
# cavs test framework
Source5:cavs-test.sh
Source6:cavs_driver.pl
-Source7:random.conf
Source99: libgcrypt.changes
Patch1: libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch
Patch2: libgcrypt-sparcv9.diff
-#PATCH-FIX-SUSE: N/A
Patch3: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
Patch4: libgcrypt-1.6.1-use-fipscheck.patch
Patch5: libgcrypt-1.6.1-fips-cavs.patch
@@ -77,6 +76,8 @@
Patch27:libgcrypt-PCT-DSA.patch
Patch28:libgcrypt-PCT-ECC.patch
Patch29:libgcrypt-fips_selftest_trigger_file.patch
+#PATCH-FIX-UPSTREAM bsc#1187212 CVE-2021-33560 ElGamal encryption lacks
exponent blinding
+Patch30:libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
BuildRequires: automake >= 1.14
BuildRequires: fipscheck
BuildRequires: libgpg-error-devel >= 1.27
@@ -150,7 +151,6 @@
blocks. It is originally based on code used by GnuPG. It does not
provide any implementation of OpenPGP or other protocols. Thorough
understanding of applied cryptography is required to use Libgcrypt.
-
%endif
%prep
@@ -211,7 +211,7 @@
# Create /etc/gcrypt directory and install random.conf
mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt
-install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/gcrypt/random.conf
+install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/gcrypt/random.conf
%post -n %{libsoname} -p /sbin/ldconfig
%postun -n %{libsoname} -p /sbin/ldconfig
++ libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch ++
From: NIIBE Yutaka
Date: Fri, 21 May 2021 02:15:07 + (+0900)
Subject: cipher: Fix ElGamal encryption for other implementations.
X-Git-Url:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff_plain;h=632d80ef30e13de6926d503aa697f92b5dbfbc5e
cipher: Fix ElGamal encryption for other implementations.
* cipher/elgamal.c (gen_k): Remove support of smaller K.
(do_encrypt): Never use smaller K.
(sign): Folllow the change of gen_k.
--
This change basically reverts encryption changes in two commits:
74386120dad6b3da62db37f7044267c8ef34689b
78531373a342aeb847950f404343a05e36022065
Use of smaller K for ephemeral key in ElGamal encryption is only good,
when we can guarantee that recipient's key is generated by our
implementation (or compatible).
For detail, please see:
Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
"On the (in)security of ElGamal in OpenPGP";
in the proceedings of CCS'2021.
CVE-id: CVE-2021-33560
GnuPG-bug-id: 5328
Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
Signed-off-by: NIIBE Yutaka
---
diff --git a/cipher/elgamal.c b/cipher/elgamal.c
index 9835122f..eead4502 100644
--- a/cipher/elgamal.c
+++ b/cipher/elgamal.c
@@ -66,7 +66,7 @@ static const char *elg_names[] =
static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
+static gcry_mpi_t gen_k (gcry_mpi_t p);
static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
gcry_mpi_t **factors);
static int check_secret
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2021-04-26 16:38:12
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.12324 (New)
Package is "libgcrypt"
Mon Apr 26 16:38:12 2021 rev:86 rq:887034 version:1.9.3
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2021-02-23
20:20:12.935645661 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.12324/libgcrypt.changes
2021-04-26 16:38:13.701942305 +0200
@@ -1,0 +2,20 @@
+Tue Apr 20 08:46:11 UTC 2021 - Paolo Stivanin
+
+- libgcrypt 1.9.3:
+ * Bug fixes:
+- Fix build problems on i386 using gcc-4.7.
+- Fix checksum calculation in OCB decryption for AES on s390.
+- Fix a regression in gcry_mpi_ec_add related to certain usages
+ of curve 25519.
+- Fix a symbol not found problem on Apple M1.
+- Fix for Apple iOS getentropy peculiarity.
+- Make keygrip computation work for compressed points.
+ * Performance:
+- Add x86_64 VAES/AVX2 accelerated implementation of Camellia.
+- Add x86_64 VAES/AVX2 accelerated implementation of AES.
+- Add VPMSUMD acceleration for GCM mode on PPC.
+ * Internal changes.
+- Harden MPI conditional code against EM leakage.
+- Harden Elgamal by introducing exponent blinding.
+
+---
Old:
libgcrypt-1.9.2.tar.bz2
libgcrypt-1.9.2.tar.bz2.sig
New:
libgcrypt-1.9.3.tar.bz2
libgcrypt-1.9.3.tar.bz2.sig
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.20tTlU/_old 2021-04-26 16:38:14.649943815 +0200
+++ /var/tmp/diff_new_pack.20tTlU/_new 2021-04-26 16:38:14.649943815 +0200
@@ -22,7 +22,7 @@
%define libsoname %{name}%{libsover}
%define cavs_dir %{_libexecdir}/%{name}/cavs
Name: libgcrypt
-Version:1.9.2
+Version:1.9.3
Release:0
Summary:The GNU Crypto Library
License:GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
++ libgcrypt-1.9.2.tar.bz2 -> libgcrypt-1.9.3.tar.bz2 ++
12505 lines of diff (skipped)
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2021-02-23 20:18:45
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.2378 (New)
Package is "libgcrypt"
Tue Feb 23 20:18:45 2021 rev:85 rq:873072 version:1.9.2
Changes:
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2021-02-08
11:47:05.589677498 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.2378/libgcrypt.changes
2021-02-23 20:20:12.935645661 +0100
@@ -1,0 +2,12 @@
+Wed Feb 17 09:49:55 UTC 2021 - Andreas Stieger
+
+- libgcrypt 1.9.2:
+ * Fix building with --disable-asm on x86
+ * Check public key for ECDSA verify operation
+ * Make sure gcry_get_config (NULL) returns a nul-terminated
+string
+ * Fix a memory leak in the ECDH code
+ * Fix a reading beyond end of input buffer in SHA2-avx2
+- remove obsolete texinfo packaging macros
+
+---
Old:
libgcrypt-1.9.1.tar.bz2
libgcrypt-1.9.1.tar.bz2.sig
New:
libgcrypt-1.9.2.tar.bz2
libgcrypt-1.9.2.tar.bz2.sig
Other differences:
--
++ libgcrypt.spec ++
--- /var/tmp/diff_new_pack.BZK32r/_old 2021-02-23 20:20:14.527647068 +0100
+++ /var/tmp/diff_new_pack.BZK32r/_new 2021-02-23 20:20:14.531647072 +0100
@@ -22,7 +22,7 @@
%define libsoname %{name}%{libsover}
%define cavs_dir %{_libexecdir}/%{name}/cavs
Name: libgcrypt
-Version:1.9.1
+Version:1.9.2
Release:0
Summary:The GNU Crypto Library
License:GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -117,7 +117,6 @@
Requires: %{libsoname} = %{version}
Requires: glibc-devel
Requires: libgpg-error-devel >= 1.27
-Requires(post): %{install_info_prereq}
%description devel
Libgcrypt is a general purpose library of cryptographic building
@@ -145,7 +144,6 @@
Group: Development/Libraries/C and C++
Requires: %{libsoname} = %{version}
Requires: libgpg-error-devel >= 1.27
-Requires(post): %{install_info_prereq}
%description hmac256
Libgcrypt is a general purpose library of cryptographic building
@@ -217,11 +215,6 @@
%post -n %{libsoname} -p /sbin/ldconfig
%postun -n %{libsoname} -p /sbin/ldconfig
-%post devel
-%install_info --info-dir=%{_infodir} %{_infodir}/gcrypt.info.gz
-
-%preun devel
-%install_info_delete --info-dir=%{_infodir} %{_infodir}/gcrypt.info.gz
%files -n %{libsoname}
%license COPYING.LIB
++ libgcrypt-1.9.1.tar.bz2 -> libgcrypt-1.9.2.tar.bz2 ++
2110 lines of diff (skipped)
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2021-02-08 11:47:03 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.28504 (New) Package is "libgcrypt" Mon Feb 8 11:47:03 2021 rev:84 rq:868946 version:1.9.1 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2020-10-29 09:21:26.554638072 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.28504/libgcrypt.changes 2021-02-08 11:47:05.589677498 +0100 @@ -1,0 +2,89 @@ +Tue Feb 2 01:06:47 UTC 2021 - Pedro Monreal + +- Update to 1.9.1 + * *Fix exploitable bug* in hash functions introduced with + 1.9.0. [bsc#1181632, CVE-2021-3345] + * Return an error if a negative MPI is used with sexp scan + functions. + * Check for operational FIPS in the random and KDF functions. + * Fix compile error on ARMv7 with NEON disabled. + * Fix self-test in KDF module. + * Improve assembler checks for better LTO support. + * Fix 32-bit cross build on x86. + * Fix non-NEON ARM assembly implementation for SHA512. + * Fix build problems with the cipher_bulk_ops_t typedef. + * Fix Ed25519 private key handling for preceding ZEROs. + * Fix overflow in modular inverse implementation. + * Fix register access for AVX/AVX2 implementations of Blake2. + * Add optimized cipher and hash functions for s390x/zSeries. + * Use hardware bit counting functionx when available. + * Update DSA functions to match FIPS 186-3. + * New self-tests for CMACs and KDFs. + * Add bulk cipher functions for OFB and GCM modes. +- Update libgpg-error required version + +--- +Tue Feb 1 12:03:31 UTC 2021 - Pedro Monreal + +- Use the suffix variable correctly in get_hmac_path() +- Rebase libgcrypt-fips_selftest_trigger_file.patch + +--- +Mon Jan 25 12:38:35 UTC 2021 - Pedro Monreal + +- Add the global config file /etc/gcrypt/random.conf + * This file can be used to globally change parameters of the random +generator with the options: only-urandom and disable-jent. + +--- +Thu Jan 21 15:42:15 UTC 2021 - Pedro Monreal + +- Update to 1.9.0: + New stable branch of Libgcrypt with full API and ABI compatibility + to the 1.8 series. Release-info: https://dev.gnupg.org/T4294 + * New and extended interfaces: +- New curves Ed448, X448, and SM2. +- New cipher mode EAX. +- New cipher algo SM4. +- New hash algo SM3. +- New hash algo variants SHA512/224 and SHA512/256. +- New MAC algos for Blake-2 algorithms, the new SHA512 variants, + SM3, SM4 and for a GOST variant. +- New convenience function gcry_mpi_get_ui. +- gcry_sexp_extract_param understands new format specifiers to + directly store to integers and strings. +- New function gcry_ecc_mul_point and curve constants for Curve448 + and Curve25519. +- New function gcry_ecc_get_algo_keylen. +- New control code GCRYCTL_AUTO_EXPAND_SECMEM to allow growing the + secure memory area. + * Performance optimizations and bug fixes: See Release-info. + * Other features: +- Add OIDs from RFC-8410 as aliases for Ed25519 and Curve25519. +- Add mitigation against ECC timing attack CVE-2019-13627. +- Internal cleanup of the ECC implementation. +- Support reading EC point in compressed format for some curves. +- Rebase patches: + * libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch + * libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff + * libgcrypt-1.6.1-use-fipscheck.patch + * drbg_test.patch + * libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch + * libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch + * libgcrypt-1.8.4-fips-keygen.patch + * libgcrypt-1.8.4-getrandom.patch + * libgcrypt-fix-tests-fipsmode.patch + * libgcrypt-global_init-constructor.patch + * libgcrypt-ecc-ecdsa-no-blinding.patch + * libgcrypt-PCT-RSA.patch + * libgcrypt-PCT-ECC.patch +- Remove patches: + * libgcrypt-unresolved-dladdr.patch + * libgcrypt-CVE-2019-12904-GCM-Prefetch.patch + * libgcrypt-CVE-2019-12904-GCM.patch + * libgcrypt-CVE-2019-12904-AES.patch + * libgcrypt-CMAC-AES-TDES-selftest.patch + * libgcrypt-1.6.1-fips-cfgrandom.patch + * libgcrypt-fips_rsa_no_enforced_mode.patch + +--- Old: libgcrypt-1.6.1-fips-cfgrandom.patch libgcrypt-1.8.7.tar.bz2 libgcrypt-1.8.7.tar.bz2.sig libgcrypt-CMAC-AES-TDES-selftest.patch libgcrypt-CVE-2019-12904-AES.patch libgcrypt-CVE-2019-12904-GCM-Prefetch.patch libgcrypt-CVE-2019-12904-GCM.patch libgcrypt-fips_rsa_no_enforced_mode
