commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2024-07-24 15:29:19 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.1869 (New) Package is "libgcrypt" Wed Jul 24 15:29:19 2024 rev:103 rq:1183830 version:1.11.0 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2024-01-29 22:25:50.142528789 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1869/libgcrypt.changes 2024-07-25 11:55:32.197478957 +0200 
@@ -1,0 +2,94 @@ +Thu Jun 20 08:11:07 UTC 2024 - Pedro Monreal + +- Update to 1.11.0: + * New and extended interfaces: +- Add an API for Key Encapsulation Mechanism (KEM). [T6755] +- Add Streamlined NTRU Prime sntrup761 algorithm. [rCcf9923e1a5] +- Add Kyber algorithm according to FIPS 203 ipd 2023-08-24. [rC18e5c0d268] +- Add Classic McEliece algorithm. [rC003367b912] +- Add One-Step KDF with hash and MAC. [T5964] +- Add KDF algorithm HKDF of RFC-5869. [T5964] +- Add KDF algorithm X963KDF for use in CMS. [rC3abac420b3] +- Add GMAC-SM4 and Poly1305-SM4. [rCd1ccc409d4] +- Add ARIA block cipher algorithm. [rC316c6d7715] +- Add explicit FIPS indicators for MD and MAC algorithms. [T6376] +- Add support for SHAKE as MGF in RSA. [T6557] +- Add gcry_md_read support for SHAKE algorithms. [T6539] +- Add gcry_md_hash_buffers_ext function. [T7035] +- Add cSHAKE hash algorithm. [rC065b3f4e02] +- Support internal generation of IV for AEAD cipher mode. [T4873] + * Performance: +- Add SM3 ARMv8/AArch64/CE assembly implementation. [rCfe891ff4a3] +- Add SM4 ARMv8/AArch64 assembly implementation. [rCd8825601f1] +- Add SM4 GFNI/AVX2 and GFI/AVX512 implementation. [rC5095d60af4,rCeaed633c16] +- Add SM4 ARMv9 SVE CE assembly implementation. [rC2dc2654006] +- Add PowerPC vector implementation of SM4. [rC0b2da804ee] +- Optimize ChaCha20 and Poly1305 for PPC P10 LE. [T6006] +- Add CTR32LE bulk acceleration for AES on PPC. [rC84f2e2d0b5] +- Add generic bulk acceleration for CTR32LE mode (GCM-SIV) for SM4 + and Camellia. [rCcf956793af] +- Add GFNI/AVX2 implementation of Camellia. [rC4e6896eb9f] +- Add AVX2 and AVX512 accelerated implementations for GHASH (GCM) + and POLYVAL (GCM-SIV). [rCd857e85cb4, rCe6f3600193] +- Add AVX512 implementation for SHA512. [rC089223aa3b] +- Add AVX512 implementation for Serpent. [rCce95b6ec35] +- Add AVX512 implementation for Poly1305 and ChaCha20. [rCcd3ed49770, rC9a63cfd617] +- Add AVX512 accelerated implementation for SHA3 and Blake2. 
[rCbeaad75f46,rC909daa700e] +- Add VAES/AVX2 accelerated i386 implementation for AES. [rC4a42a042bc] +- Add bulk processing for XTS mode of Camellia and SM4. [rC32b18cdb87, rCaad3381e93] +- Accelerate XTS and ECB modes for Twofish and Serpent. [rCd078a928f5,rC8a1fe5f78f] +- Add AArch64 crypto/SHA512 extension implementation for SHA512. [rCe51d3b8330] +- Add AArch64 crypto-extension implementation for Camellia. [rC898c857206] +- Accelerate OCB authentication on AMD with AVX2. [rC6b47e85d65] + * Bug fixes: +- For PowerPC check for missing optimization level for vector register usage. [T5785] +- Fix EdDSA secret key check. [T6511] +- Fix decoding of PKCS#1-v1.5 and OAEP padding. [rC34c2042792] +- Allow use of PKCS#1-v1.5 with SHA3 algorithms. [T6976] +- Fix AESWRAP padding length check. [T7130] + * Other: +- Allow empty password for Argon2 KDF. [rCa20700c55f] +- Various constant time operation imporvements. +- Add "bp256", "bp384", "bp512" aliases for Brainpool curves. +- Support for the random server has been removed. [T5811] +- The control code GCRYCTL_ENABLE_M_GUARD is deprecated and not + supported any more. Please use valgrind or other tools. [T5822] +- Logging is now done via the libgpg-error logging functions. [rCab0bdc72c7] + * Remove patches fixed upstream: +- libgcrypt-no-deprecated-grep-alias.patch +- libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch +- libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch + * Rebase patches: +- libgcrypt-FIPS-jitter-errorcodes.patch +- libgcrypt-FIPS-jitter-whole-entropy.patch + +--- +Wed Mar 20 20:31:40 UTC 2024 - Pedro Monreal + +- FIPS: Make sure that Libgcrypt makes use of the built-in Jitter RNG + for the whole length entropy buffer in FIPS mode. [bsc#1220893] + * Add libgcrypt-FIPS-jitter-whole-entropy.patch + +--- +Wed Mar 20 15:13:04 UTC 2024 - Pedro Monreal + +- FIPS: Set the FSM into error state if Jitter RNG i
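Review bot: the Kyber entry under "New and extended interfaces" says the algorithm follows "FIPS 203 ipd 2023-08-24", which is a draft revision rather than a final standard, and the changelog gives users no hint of that. A short remark that this KEM tracks the draft would help anyone deciding whether to depend on it. Two spelling points in the same hunk: "imporvements" in the "Other" list, and "GFI/AVX512" in the SM4 entry, where the same line already has "GFNI/AVX2".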
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2024-01-29 22:25:48 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.1815 (New) Package is "libgcrypt" Mon Jan 29 22:25:48 2024 rev:102 rq:1141963 version:1.10.3 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-11-23 21:38:33.266864091 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1815/libgcrypt.changes 2024-01-29 22:25:50.142528789 +0100 @@ -1,0 +2,5 @@ +Sat Jan 27 13:37:34 UTC 2024 - Dirk Müller + +- add libgcrypt-no-deprecated-grep-alias.patch + +--- New: libgcrypt-no-deprecated-grep-alias.patch BETA DEBUG BEGIN: New: - add libgcrypt-no-deprecated-grep-alias.patch BETA DEBUG END: Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.7LkTrl/_old 2024-01-29 22:25:52.390610272 +0100 +++ /var/tmp/diff_new_pack.7LkTrl/_new 2024-01-29 22:25:52.390610272 +0100 @@ -1,7 +1,7 @@ # # spec file for package libgcrypt # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -37,6 +37,8 @@ Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch #PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run Patch2: libgcrypt-nobetasuffix.patch +# https://dev.gnupg.org/T6964 +Patch3: libgcrypt-no-deprecated-grep-alias.patch # FIPS patches: #PATCH-FIX-SUSE bsc#1190700 FIPS: Provide a service-level indicator for PK Patch100: libgcrypt-FIPS-SLI-pk.patch ++ libgcrypt-no-deprecated-grep-alias.patch ++ --- libgcrypt-1.10.3.orig/acinclude.m4 +++ libgcrypt-1.10.3/acinclude.m4 
@@ -130,10 +130,10 @@ EOF ac_nlist=conftest.nm if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \| cut -d \' \' -f 2 \> $ac_nlist) && test -s "$ac_nlist"; then # See whether the symbols have a leading underscore. - if egrep '^_nm_test_func' "$ac_nlist" >/dev/null; then + if grep -E '^_nm_test_func' "$ac_nlist" >/dev/null; then ac_cv_sys_symbol_underscore=yes else -if egrep '^nm_test_func ' "$ac_nlist" >/dev/null; then +if grep -E '^nm_test_func ' "$ac_nlist" >/dev/null; then : else echo "configure: cannot find nm_test_func in $ac_nlist" >&AS_MESSAGE_LOG_FD --- libgcrypt-1.10.3.orig/src/libgcrypt-config.in +++ libgcrypt-1.10.3/src/libgcrypt-config.in @@ -154,7 +154,7 @@ if test "$echo_cflags" = "yes"; then tmp="" for i in $includes $cflags_final; do - if echo "$tmp" | fgrep -v -- "$i" >/dev/null; then + if echo "$tmp" | @GREP@ -F -v -- "$i" >/dev/null; then tmp="$tmp $i" fi done @@ -175,7 +175,7 @@ if test "$echo_libs" = "yes"; then tmp="" for i in $libdirs $libs_final; do - if echo "$tmp" | fgrep -v -- "$i" >/dev/null; then + if echo "$tmp" | @GREP@ -F -v -- "$i" >/dev/null; then tmp="$tmp $i" fi done
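Review bot: the two files are patched inconsistently: acinclude.m4 now calls a bare `grep -E`, while both hunks in src/libgcrypt-config.in use `@GREP@ -F`. `@GREP@` is filled in at configure time, so the installed libgcrypt-config script will carry whatever grep path the build host resolved. Please confirm that configure really substitutes GREP (otherwise the script ships with a literal `@GREP@`) and that the resulting path is valid on the systems where the script runs. Using one form in both places would be easier to reason about. In the spec hunk, the new Patch3 line has only a URL comment and no PATCH-FIX tag like the Patch2 entry above it.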
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2023-11-23 21:38:31 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.25432 (New) Package is "libgcrypt" Thu Nov 23 21:38:31 2023 rev:101 rq:1127966 version:1.10.3 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-11-17 20:47:58.881614933 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.25432/libgcrypt.changes 2023-11-23 21:38:33.266864091 +0100 @@ -1,0 +2,6 @@ +Tue Nov 21 10:36:09 UTC 2023 - Otto Hollmann + +- Re-create HMAC checksum after RPM build strips the library + (bsc#1217058) + +--- Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.xG18jt/_old 2023-11-23 21:38:34.046892826 +0100 +++ /var/tmp/diff_new_pack.xG18jt/_new 2023-11-23 21:38:34.050892974 +0100 
@@ -131,11 +131,27 @@ # run the regression tests also in FIPS mode LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true -# Install the FIPS hmac file -cp src/.libgcrypt.so.%{libsover}.hmac %{buildroot}%{_libdir}/ - %install %make_install + +# this is a hack that re-defines the __spec_install_post macro +# for a simple reason: the macro strips the binaries and thereby +# invalidates a HMAC that may have been created earlier. +# solution: create the hashes _after_ the macro runs. + +%define libpath %{buildroot}%{_libdir}/libgcrypt.so.%{libsover}.?.? +%define __spec_install_post \ +%{?__debug_package:%{__debug_install_post}} \ +%{__arch_install_post} \ +%{__os_install_post} \ +cd src \ +sed -i -e 's|FILE=.*|FILE=\\\$1|' gen-note-integrity.sh \ +READELF=readelf AWK=awk ECHO_N="-n" bash gen-note-integrity.sh %{libpath} > %{libpath}.hmac \ +objcopy --update-section .note.fdo.integrity=%{libpath}.hmac %{libpath} %{libpath}.new \ +mv -f %{libpath}.new %{libpath} \ +rm -f %{libpath}.hmac \ +%{nil} + rm %{buildroot}%{_libdir}/%{name}.la # Create /etc/gcrypt directory and install random.conf @@ -153,7 +169,6 @@ %dir %{_sysconfdir}/gcrypt %config(noreplace) %{_sysconfdir}/gcrypt/random.conf %config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny -%{_libdir}/.libgcrypt.so.*.hmac %files devel %license COPYING COPYING.LIB LICENSES
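Review bot: `%define libpath` ends in `.?.?`, a shell glob, and the redefined `__spec_install_post` reuses it with `.hmac` and `.new` appended as a redirect target and as the objcopy output, where no file exists yet to match. That only works because an unmatched pattern is kept literally, and the base pattern stops matching as soon as the minor or patch number has two digits, or becomes ambiguous if a second file fits it. Resolving the real library file name once into a shell variable at the top of the macro and deriving the temporary names from it would make this robust. A final check that the `.note.fdo.integrity` section was actually updated, failing the build otherwise, is also worth adding, since a stale HMAC is exactly what this hunk is meant to prevent.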
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2023-10-20 23:15:32 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.1945 (New) Package is "libgcrypt" Fri Oct 20 23:15:32 2023 rev:99 rq:1118833 version:1.10.2 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-10-13 23:14:13.890058680 +0200 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1945/libgcrypt.changes 2023-10-20 23:15:36.487982838 +0200 @@ -1,0 +2,7 @@ +Tue Oct 17 10:27:15 UTC 2023 - Pedro Monreal + +- Do not pull revision info from GIT when autoconf is run. This + removes the -unknown suffix after the version number. + * Add libgcrypt-nobetasuffix.patch [bsc#1216334] + +--- New: libgcrypt-nobetasuffix.patch Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.4kjbkJ/_old 2023-10-20 23:15:37.216009401 +0200 +++ /var/tmp/diff_new_pack.4kjbkJ/_new 2023-10-20 23:15:37.220009547 +0200 @@ -37,6 +37,8 @@ Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch #PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode while typing Tab key to Auto-Completion Patch2: libgcrypt-1.10.0-out-of-core-handler.patch +#PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run +Patch3: libgcrypt-nobetasuffix.patch # FIPS patches: #PATCH-FIX-SUSE bsc#1190700 FIPS: Provide a service-level indicator for PK Patch100: libgcrypt-FIPS-SLI-pk.patch ++ libgcrypt-nobetasuffix.patch ++ Index: libgcrypt-1.10.2/autogen.sh === --- libgcrypt-1.10.2.orig/autogen.sh +++ libgcrypt-1.10.2/autogen.sh @@ -249,7 +249,7 @@ if [ "$myhost" = "find-version" ]; then fi beta=no -if [ -e .git ]; then +if false; then ingit=yes tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null) tmp=$(echo "$tmp" | sed s/^"$package"//) 
@@ -265,8 +265,8 @@ if [ "$myhost" = "find-version" ]; then rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null))) else ingit=no - beta=yes - tmp="-unknown" + beta=no + tmp="" rev="000" rvd="0" fi
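Review bot: in the second autogen.sh hunk the fallback branch now sets `beta=no` and `tmp=""` unconditionally, and the first hunk turns the git branch into `if false; then`, so every build from this tree is labelled as a release no matter what the source actually is. If the goal is only to drop the "-unknown" suffix, consider leaving the `beta` value alone and clearing just `tmp`, and delete the now unreachable git branch instead of leaving it behind `if false`.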
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2023-10-13 23:13:57 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.20540 (New) Package is "libgcrypt" Fri Oct 13 23:13:57 2023 rev:98 rq:1116820 version:1.10.2 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-05-28 19:22:01.296668951 +0200 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.20540/libgcrypt.changes 2023-10-13 23:14:13.890058680 +0200 @@ -1,0 +2,13 @@ +Tue Oct 3 12:58:41 UTC 2023 - Pedro Monreal + +- POWER: performance enhancements for cryptography [jsc#PED-5088] + * Optimize Chacha20 and Poly1305 for PPC P10 LE: [T6006] +- Chacha20/poly1305: Optimized chacha20/poly1305 for + P10 operation [rC88fe7ac33eb4] +- ppc: enable P10 assembly with ENABLE_FORCE_SOFT_HWFEATURES + on arch-3.00 [rC2c5e5ab6843d] + * Add patches: +- libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch +- libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch + +--- New: libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.XeNXXx/_old 2023-10-13 23:14:14.506081023 +0200 +++ /var/tmp/diff_new_pack.XeNXXx/_new 2023-10-13 23:14:14.506081023 +0200 
@@ -48,6 +48,9 @@ Patch103: libgcrypt-jitterentropy-3.4.0.patch #PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll Patch104: libgcrypt-FIPS-rndjent_poll.patch +# POWER patches [jsc#PED-5088] POWER performance enhancements for cryptography +Patch200: libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch +Patch201: libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch BuildRequires: automake >= 1.14 BuildRequires: libgpg-error-devel >= 1.27 BuildRequires: libtool ++ libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch ++ 1994 lines (skipped) ++ libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch ++ commit 2c5e5ab6843d747c4b877d2c6f47226f61e9ff14 Author: Jussi Kivilinna Date: Sun Jun 12 21:51:34 2022 +0300 ppc enable P10 assembly with ENABLE_FORCE_SOFT_HWFEATURES on arch 3.00 * cipher/chacha20.c (chacha20_do_setkey) [USE_PPC_VEC]: Enable P10 assembly for HWF_PPC_ARCH_3_00 if ENABLE_FORCE_SOFT_HWFEATURES is defined. * cipher/poly1305.c (poly1305_init) [POLY1305_USE_PPC_VEC]: Likewise. * cipher/rijndael.c (do_setkey) [USE_PPC_CRYPTO_WITH_PPC9LE]: Likewise. --- This change allows testing P10 implementations with P9 and with QEMU-PPC. GnuPG-bug-id: 6006 Signed-off-by: Jussi Kivilinna Index: libgcrypt-1.10.2/cipher/chacha20.c === --- libgcrypt-1.10.2.orig/cipher/chacha20.c +++ libgcrypt-1.10.2/cipher/chacha20.c @@ -484,6 +484,11 @@ chacha20_do_setkey (CHACHA20_context_t * ctx->use_ppc = (features & HWF_PPC_ARCH_2_07) != 0; # ifndef WORDS_BIGENDIAN ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0; +# ifdef ENABLE_FORCE_SOFT_HWFEATURES + /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10. + * Actual implementation works with HWF_PPC_ARCH_3_00 also. */ + ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0; +# endif # endif #endif #ifdef USE_S390X_VX Index: libgcrypt-1.10.2/cipher/poly1305.c === --- libgcrypt-1.10.2.orig/cipher/poly1305.c +++ libgcrypt-1.10.2/cipher/poly1305.c 
@@ -90,11 +90,19 @@ static void poly1305_init (poly1305_cont const byte key[POLY1305_KEYLEN]) { POLY1305_STATE *st = &ctx->state; + unsigned int features = _gcry_get_hw_features (); #ifdef POLY1305_USE_PPC_VEC - ctx->use_p10 = (_gcry_get_hw_features () & HWF_PPC_ARCH_3_10) != 0; + ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0; +# ifdef ENABLE_FORCE_SOFT_HWFEATURES + /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10. + * Actual implementation works with HWF_PPC_ARCH_3_00 also. */ + ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0; +# endif #endif + (void)features; + ctx->leftover = 0; st->h[0] = 0; Index: libgcrypt-1.10.2/cipher/rijndael.c === --- libgcrypt-1.10.2.orig/cipher/rijndael.c +++ libgcrypt-1.10.2/cipher/rijndael.c @@ -605,6 +605,12 @@ do_setkey (RIJNDAEL_context *ctx, const bulk_ops->xts_c
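Review bot: in the poly1305_init hunk, `features` is now fetched unconditionally and then silenced with `(void)features;` for builds without POLY1305_USE_PPC_VEC. Placing the declaration inside the `#ifdef POLY1305_USE_PPC_VEC` block would avoid both the cast and the extra `_gcry_get_hw_features ()` call on other architectures. On the packaging side, the spec comment for Patch201 should say whether ENABLE_FORCE_SOFT_HWFEATURES is defined in the distribution build, because the added `ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0;` lines only take effect with it. The 1994-line Chacha20/Poly1305 patch is skipped in this mail and the rijndael.c hunk is cut off, so neither can be reviewed from here.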
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2023-05-28 19:21:50 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.1533 (New) Package is "libgcrypt" Sun May 28 19:21:50 2023 rev:97 rq:1089003 version:1.10.2 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-04-14 13:12:03.075211508 +0200 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1533/libgcrypt.changes 2023-05-28 19:22:01.296668951 +0200 @@ -1,0 +2,7 @@ +Mon May 22 11:32:53 UTC 2023 - Pedro Monreal + +- FIPS: Merge the libgcrypt20-hmac package into the library and + remove the "module is complete" trigger file .fips [bsc#1185116] + * Remove libgcrypt-1.10.0-use-fipscheck.patch + +--- Old: libgcrypt-1.10.0-use-fipscheck.patch Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.BXNKVA/_old 2023-05-28 19:22:01.932672736 +0200 +++ /var/tmp/diff_new_pack.BXNKVA/_new 2023-05-28 19:22:01.936672760 +0200 @@ -16,7 +16,6 @@ # -%define build_hmac256 1 %define libsover 20 %define libsoname %{name}%{libsover} %define hmac_key orboDeJITITejsirpADONivirpUkvarP @@ -49,8 +48,6 @@ Patch103: libgcrypt-jitterentropy-3.4.0.patch #PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll Patch104: libgcrypt-FIPS-rndjent_poll.patch -#PATCH-FIX-SUSE Check the FIPS "module is complete" trigger file .fips -Patch105: libgcrypt-1.10.0-use-fipscheck.patch BuildRequires: automake >= 1.14 BuildRequires: libgpg-error-devel >= 1.27 BuildRequires: libtool 
@@ -68,23 +65,13 @@ Summary:The GNU Crypto Library License:GPL-2.0-or-later AND LGPL-2.1-or-later Group: System/Libraries -Suggests: %{libsoname}-hmac = %{version}-%{release} +Provides: %{libsoname}-hmac = %{version}-%{release} +Obsoletes: %{libsoname}-hmac < %{version}-%{release} %description -n %{libsoname} Libgcrypt is a general purpose crypto library based on the code used in GnuPG (alpha version). -%package -n %{libsoname}-hmac -Summary:HMAC checksums for the GNU Crypto Library -License:GPL-2.0-or-later AND LGPL-2.1-or-later -Group: System/Libraries -Requires: %{libsoname} = %{version}-%{release} - -%description -n %{libsoname}-hmac -Libgcrypt is a general purpose crypto library based on the code used in -GnuPG (alpha version). This package contains the HMAC checksum files -for integrity checking the library, as required by FIPS 140-2. - %package devel Summary:The GNU Crypto Library License:GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT @@ -109,8 +96,6 @@ sed -i "s/libgcrypt\.so\.hmac/\.libgcrypt\.so\.%{libsover}\.hmac/g" src/Makefile.am src/Makefile.in %build -echo building with build_hmac256 set to %{build_hmac256} - export PUBKEYS="dsa elgamal rsa ecc" export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20 sm4" export DIGESTS="crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2 sm3" @@ -139,18 +124,13 @@ %make_build %check -%make_build check +make -k check # run the regression tests also in FIPS mode -LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check VERBOSE=1 || true +LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true # Install the FIPS hmac file cp src/.libgcrypt.so.%{libsover}.hmac %{buildroot}%{_libdir}/ -# create the FIPS "module is complete" trigger file -%if 0%{?build_hmac256} -touch %{buildroot}%{_libdir}/.%{name}.so.%{libsover}.fips -%endif - %install %make_install rm %{buildroot}%{_libdir}/%{name}.la 
@@ -170,12 +150,7 @@ %dir %{_sysconfdir}/gcrypt %config(noreplace) %{_sysconfdir}/gcrypt/random.conf %config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny - -%files -n %{libsoname}-hmac %{_libdir}/.libgcrypt.so.*.hmac -%if 0%{?build_hmac256} -%{_libdir}/.libgcrypt.so.*.fips -%endif %files devel %license COPYING COPYING.LIB LICENSES ++ baselibs.conf ++ --- /var/tmp/diff_new_pack.BXNKVA/_old 2023-05-28 19:22:01.972672974 +0200 +++ /var/tmp/diff_new_pack.BXNKVA/_new 2023-05-28 19:22:01.976672998 +0200 @@ -1,8 +1,9 @@ libgcrypt20 - obsoletes "libgcrypt- <= " provides "libgcrypt- = " -libgcrypt20-hmac + obsoletes "libgcrypt- <= " + provides "libgcrypt20-hmac- = -%release" + obsoletes "libgcrypt20-hmac- < -%release" libgcrypt-devel - requires -libgcrypt- - requires "libgcrypt20- = " + requires -libgcrypt- + requires "libgcrypt20- = " ++ hwf.deny ++ --- /var/tmp/diff_new_pack.BXNKVA/_
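Review bot: with `%{_libdir}/.libgcrypt.so.*.hmac` now listed in the main package's %files, the `cp src/.libgcrypt.so.%{libsover}.hmac %{buildroot}%{_libdir}/` step still sits in %check, so a build that skips the check stage would not install a file the package now requires. Move the copy into %install. In the same %check hunk the FIPS-mode run keeps `|| true` and loses `VERBOSE=1`, so failures there neither stop the build nor leave detailed output in the log; keeping the verbose flag would at least make them visible.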
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2023-04-14 13:12:01 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.19717 (New) Package is "libgcrypt" Fri Apr 14 13:12:01 2023 rev:96 rq:1078615 version:1.10.2 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2023-03-12 16:22:14.580235539 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.19717/libgcrypt.changes 2023-04-14 13:12:03.075211508 +0200 
@@ -1,0 +2,43 @@ +Tue Apr 11 14:08:24 UTC 2023 - Pedro Monreal + +- Update to 1.10.2: + * Bug fixes: +- Fix Argon2 for the case output > 64. [rC13b5454d26] +- Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44] +- Fix RSA key generation failure in forced FIPS mode. [T5919] +- Fix gcry_pk_hash_verify for explicit hash. [T6066] +- Fix a wrong result of gcry_mpi_invm. [T5970] +- Allow building with --disable-asm for HPPA. [T5976] +- Allow building with -Oz. [T6432] +- Enable the fast path to ChaCha20 only when supported. [T6384] +- Use size_t to avoid counter overflow in Keccak when directly + feeding more than 4GiB. [T6217] + * Other: +- Do not use secure memory for a DRBG instance. [T5933] +- Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918] +- Fix the behaviour for child process re-seeding in the DRBG. [rC019a40c990] +- Allow verification of small RSA signatures in FIPS mode. [T5975] +- Allow the use of a shorter salt for KDFs in FIPS mode. [T6039] +- Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165] +- Add function-name based FIPS indicator function. + GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered + an ABI changes because the new FIPS features were not yet + approved. [rC822ee57f07] +- Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397] +- Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9] +- Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a] +- Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219] +- Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba] +- Prefer gpgrt-config when available. [T5034] +- Mark AESWRAP as approved FIPS algorithm. [T5512] +- Prevent usage of long salt for PSS in FIPS mode. [rCfdd2a8b332] +- Prevent usage of X9.31 keygen in FIPS mode. [rC392e0ccd25] +- Remove GCM mode from the allowed FIPS indicators. [rC1540698389] +- Add explicit FIPS indicators for hash and MAC algorithms. 
[T6376] + * Release-info: https://dev.gnupg.org/T5905 + * Rebase FIPS patches: +- libgcrypt-FIPS-SLI-hash-mac.patch +- libgcrypt-FIPS-SLI-kdf-leylength.patch +- libgcrypt-FIPS-SLI-pk.patch + +--- Old: libgcrypt-1.10.1.tar.bz2 libgcrypt-1.10.1.tar.bz2.sig New: libgcrypt-1.10.2.tar.bz2 libgcrypt-1.10.2.tar.bz2.sig Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.AHOGvs/_old 2023-04-14 13:12:03.835215854 +0200 +++ /var/tmp/diff_new_pack.AHOGvs/_new 2023-04-14 13:12:03.839215877 +0200 @@ -21,7 +21,7 @@ %define libsoname %{name}%{libsover} %define hmac_key orboDeJITITejsirpADONivirpUkvarP Name: libgcrypt -Version:1.10.1 +Version:1.10.2 Release:0 Summary:The GNU Crypto Library License:GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later @@ -36,20 +36,21 @@ Source5:libgcrypt.keyring Source99: libgcrypt.changes Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch -#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK -Patch2: libgcrypt-FIPS-SLI-pk.patch -#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators -Patch3: libgcrypt-FIPS-SLI-hash-mac.patch -#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf() -Patch4: libgcrypt-FIPS-SLI-kdf-leylength.patch #PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode while typing Tab key to Auto-Completion -Patch5: libgcrypt-1.10.0-out-of-core-handler.patch -#PATCH-FIX-UPSTREAM bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use jitterentropy -Patch6: libgcrypt-jitterentropy-3.4.0.patch +Patch2: libgcrypt-1.10.0-out-of-core-handler.patch +# FIPS patches: +#PATCH-FIX-SUSE bsc#1190700 FIPS: Provide a service-level indicator for PK +Patch100: libgcrypt-FIPS-SLI-pk.patch +#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf() +Patch101: libgcrypt-FIPS-SLI-kdf-leylength
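Review bot: in the spec hunk, libgcrypt-FIPS-SLI-pk.patch moves from Patch2 to Patch100 and its tag changes from PATCH-FIX-UPSTREAM to PATCH-FIX-SUSE, but the changelog only says the FIPS patches were rebased. Please mention the renumbering and say why the upstream tag was dropped, so later readers can tell whether the patch still corresponds to an upstream change.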
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2023-03-12 16:22:13 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.31432 (New) Package is "libgcrypt" Sun Mar 12 16:22:13 2023 rev:95 rq:1070246 version:1.10.1 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2022-11-27 12:52:54.187163065 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.31432/libgcrypt.changes 2023-03-12 16:22:14.580235539 +0100 @@ -1,0 +2,5 @@ +Wed Mar 8 10:34:34 UTC 2023 - Martin Pluskal + +- Build AVX2 enabled hwcaps library for x86_64-v3 + +--- Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.WG3u7f/_old 2023-03-12 16:22:16.004241810 +0100 +++ /var/tmp/diff_new_pack.WG3u7f/_new 2023-03-12 16:22:16.012241845 +0100 @@ -1,7 +1,7 @@ # # spec file for package libgcrypt # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -55,6 +55,7 @@ BuildRequires: libtool BuildRequires: makeinfo BuildRequires: pkgconfig +%{?suse_build_hwcaps_libs} %description Libgcrypt is a general purpose library of cryptographic building
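Review bot: the added `%{?suse_build_hwcaps_libs}` line sits between the BuildRequires block and %description with no comment. Because the `%{?...}` form expands to nothing when the macro is undefined, the spec then gives no hint that a second library build was intended. A one-line comment naming the x86_64-v3 variant from the changelog entry would fix that.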
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2022-11-27 12:52:48 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.1597 (New) Package is "libgcrypt" Sun Nov 27 12:52:48 2022 rev:94 rq:1038228 version:1.10.1 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2022-09-19 16:02:45.978058930 +0200 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1597/libgcrypt.changes 2022-11-27 12:52:54.187163065 +0100 
@@ -1,0 +2,135 @@ +Wed Oct 19 14:01:24 UTC 2022 - Pedro Monreal + +- Update to 1.10.1: + * Bug fixes: +- Fix minor memory leaks in FIPS mode. +- Build fixes for MUSL libc. + * Other: +- More portable integrity check in FIPS mode. +- Add X9.62 OIDs to sha256 and sha512 modules. + * Add the hardware optimizations config file hwf.deny to +the /etc/gcrypt/ directory. This file can be used to globally +disable the use of hardware based optimizations. + * Remove not needed separate_hmac256_binary hmac256 package + +--- +Wed Sep 14 13:34:13 UTC 2022 - Pedro Monreal + +- Update to 1.10.0: + * New and extended interfaces: +- New control codes to check for FIPS 140-3 approved algorithms. +- New control code to switch into non-FIPS mode. +- New cipher modes SIV and GCM-SIV as specified by RFC-5297. +- Extended cipher mode AESWRAP with padding as specified by + RFC-5649. +- New set of KDF functions. +- New KDF modes Argon2 and Balloon. +- New functions for combining hashing and signing/verification. + * Performance: +- Improved support for PowerPC architectures. +- Improved ECC performance on zSeries/s390x by using accelerated + scalar multiplication. +- Many more assembler performance improvements for several + architectures. + * Bug fixes: +- Fix Elgamal encryption for other implementations. + [bsc#1190239, CVE-2021-40528] +- Check the input length of the point in ECDH. +- Fix an abort in gcry_pk_get_param for "Curve25519". + * Other features: +- The control code GCRYCTL_SET_ENFORCED_FIPS_FLAG is ignored + because it is useless with the FIPS 140-3 related changes. +- Update of the jitter entropy RNG code. +- Simplification of the entropy gatherer when using the getentropy + system call. + * Interface changes relative to the 1.10.0 release: +- GCRYCTL_SET_DECRYPTION_TAGNEW control code. +- GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER NEW control code. +- GCRYCTL_FIPS_SERVICE_INDICATOR_KDFNEW control code. +- GCRYCTL_NO_FIPS_MODE = 83 NEW control code. 
+- GCRY_CIPHER_MODE_SIV NEW mode. +- GCRY_CIPHER_MODE_GCM_SIV NEW mode. +- GCRY_CIPHER_EXTENDED NEW flag. +- GCRY_SIV_BLOCK_LENNEW macro. +- gcry_cipher_set_decryption_tagNEW macro. +- GCRY_KDF_ARGON2 NEW constant. +- GCRY_KDF_BALLOON NEW constant. +- GCRY_KDF_ARGON2D NEW constant. +- GCRY_KDF_ARGON2I NEW constant. +- GCRY_KDF_ARGON2ID NEW constant. +- gcry_kdf_hd_t NEW type. +- gcry_kdf_job_fn_t NEW type. +- gcry_kdf_dispatch_job_fn_tNEW type. +- gcry_kdf_wait_all_jobs_fn_t NEW type. +- struct gcry_kdf_thread_opsNEW struct. +- gcry_kdf_open NEW function. +- gcry_kdf_compute NEW function. +- gcry_kdf_finalNEW function. +- gcry_kdf_closeNEW function. +- gcry_pk_hash_sign NEW function. +- gcry_pk_hash_verify NEW function. +- gcry_pk_random_override_new NEW function. + * Rebase libgcrypt-1.8.4-allow_FSM_same_state.patch and rename +to libgcrypt-1.10.0-allow_FSM_same_state.patch + * Remove unused CAVS tests and related patches: +- cavs_driver.pl cavs-test.sh +- libgcrypt-1.6.1-fips-cavs.patch +- drbg_test.patch + * Remove DSA sign/verify patches for the FIPS CAVS test since DSA +has been disabled in FIPS mode: +- libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch +- libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch + * Rebase libgcrypt-FIPS-SLI-pk.patch + * Rebase libgcrypt_indicators_changes.patch and +libgcrypt-indicate-shake.patch and merge both into +libgcrypt-FIPS-SLI-hash-mac.patch + * Rebase libgcrypt-FIPS-kdf-leylength.patch and rename to +libgcrypt-FIPS-SLI-kdf-leylength.patch + * Rebase libg
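Review bot: In the "Update to 1.10.0" entry of the libgcrypt.changes hunk, the heading "Interface changes relative to the 1.10.0 release" cannot describe the 1.10.0 update itself; it should name the release the list is compared against. The same entry tags "Fix Elgamal encryption for other implementations" with bsc#1190239 and CVE-2021-40528, while the 1.9.4 entry of this package's changelog attaches CVE-2021-33560 to the identical line, so confirm which identifier belongs to which fix before this is used for tracking.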
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2022-09-19 16:02:44 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.2083 (New) Package is "libgcrypt" Mon Sep 19 16:02:44 2022 rev:93 rq:1004197 version:1.9.4 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2022-09-07 11:05:09.888273563 +0200 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.2083/libgcrypt.changes 2022-09-19 16:02:45.978058930 +0200 @@ -1,0 +2,20 @@ +Thu Sep 8 10:34:53 UTC 2022 - Pedro Monreal + +- FIPS: Get most of the entropy from rndjent_poll [bsc#1202117] + * Add libgcrypt-FIPS-rndjent_poll.patch + * Rebase libgcrypt-jitterentropy-3.4.0.patch + +--- +Wed Sep 7 22:03:51 UTC 2022 - Pedro Monreal + +- FIPS: Check keylength in gcry_fips_indicator_kdf() [bsc#1190700] + * Consider approved keylength greater or equal to 112 bits. + * Add libgcrypt-FIPS-kdf-leylength.patch + +--- +Wed Sep 7 12:53:14 UTC 2022 - Pedro Monreal + +- FIPS: Zeroize buffer and digest in check_binary_integrity() + * Add libgcrypt-FIPS-Zeroize-hmac.patch [bsc#1191020] + +--- New: libgcrypt-FIPS-Zeroize-hmac.patch libgcrypt-FIPS-kdf-leylength.patch libgcrypt-FIPS-rndjent_poll.patch Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.zgXpFt/_old 2022-09-19 16:02:47.010061687 +0200 +++ /var/tmp/diff_new_pack.zgXpFt/_new 2022-09-19 16:02:47.018061708 +0200 
@@ -107,6 +107,12 @@ Patch46:libgcrypt-jitterentropy-3.4.0.patch #PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode while typing Tab key to Auto-Completion Patch47:libgcrypt-out-of-core-handler.patch +#PATCH-FIX-SUSE bsc#1191020 FIPS: Zeroize buffer and digest in check_binary_integrity() +Patch48:libgcrypt-FIPS-Zeroize-hmac.patch +#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf() +Patch49:libgcrypt-FIPS-kdf-leylength.patch +#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll +Patch50:libgcrypt-FIPS-rndjent_poll.patch BuildRequires: automake >= 1.14 BuildRequires: fipscheck BuildRequires: libgpg-error-devel >= 1.27 ++ libgcrypt-FIPS-Zeroize-hmac.patch ++ Index: libgcrypt-1.9.4/src/fips.c === --- libgcrypt-1.9.4.orig/src/fips.c +++ libgcrypt-1.9.4/src/fips.c @@ -905,6 +905,10 @@ check_binary_integrity (void) char *fname = NULL; const char key[] = "orboDeJITITejsirpADONivirpUkvarP"; + /* A buffer of 64 bytes plus one for a LF and one to + * detect garbage. */ + unsigned char buffer[64+1+1]; + if (get_library_path ("libgcrypt.so.20", "gcry_check_version", libpath, sizeof(libpath))) err = gpg_error_from_syserror (); else @@ -927,9 +931,6 @@ check_binary_integrity (void) err = gpg_error_from_syserror (); else { - /* A buffer of 64 bytes plus one for a LF and one to - detect garbage. */ - unsigned char buffer[64+1+1]; const unsigned char *s; int n; @@ -957,6 +958,9 @@ check_binary_integrity (void) } } } + /* Zeroize digest and buffer */ + memset (digest, 0, sizeof(digest)); + memset (buffer, 0, sizeof(buffer)); reporter ("binary", 0, fname, err? gpg_strerror (err):NULL); #ifdef HAVE_SYSLOG if (err) ++ libgcrypt-FIPS-kdf-leylength.patch ++ Index: libgcrypt-1.9.4/src/fips.c === --- libgcrypt-1.9.4.orig/src/fips.c +++ libgcrypt-1.9.4/src/fips.c 
@@ -475,10 +475,15 @@ int _gcry_fips_indicator_kdf (va_list arg_ptr) { enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos); + unsigned int keylen = 0; switch (alg) { case GCRY_KDF_PBKDF2: + keylen = va_arg (arg_ptr, unsigned int); + if (keylen < 112) { +return GPG_ERR_NOT_SUPPORTED; + } return GPG_ERR_NO_ERROR; default: return GPG_ERR_NOT_SUPPORTED; Index: libgcrypt-1.9.4/doc/gcrypt.texi === --- libgcrypt-1.9.4.orig/doc/gcrypt.texi +++ libgcrypt-1.9.4/doc/gcrypt.texi @@ -983,10 +983,12 @@ algorithm supports different key sizes). this function returns @code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned
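Review bot: In libgcrypt-FIPS-Zeroize-hmac.patch, the two plain memset calls added before reporter() in check_binary_integrity() are dead stores from the compiler's point of view, because neither digest nor buffer is read afterwards, so an optimizing build may drop them and leave the HMAC material on the stack. Use a wipe that cannot be elided, for example libgcrypt's wipememory macro from g10lib.h (which fips.c includes) or explicit_bzero. Hoisting buffer to function scope is required for the wipe and is fine as done.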
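Review bot: In libgcrypt-FIPS-kdf-leylength.patch, the GCRY_KDF_PBKDF2 case of _gcry_fips_indicator_kdf() now reads a second unsigned int from the va_list unconditionally, so a caller that still passes only the algorithm triggers a read of a missing variadic argument, which is undefined behaviour rather than a clean GPG_ERR_NOT_SUPPORTED. The extra argument has to be documented as mandatory for PBKDF2 together with its unit: the changelog speaks of 112 bits, but the code compares a bare number against 112, so a caller passing a length in bytes would have a 14-byte (112-bit) key rejected. The gcrypt.texi hunk is cut off here, so check that it states both points; its context line also spells the success code GPS_ERR_NO_ERROR where GPG_ERR_NO_ERROR is meant.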
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2022-09-07 11:05:09 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.2083 (New) Package is "libgcrypt" Wed Sep 7 11:05:09 2022 rev:92 rq:1001249 version:1.9.4 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2022-08-04 13:22:45.636379017 +0200 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.2083/libgcrypt.changes 2022-09-07 11:05:09.888273563 +0200 @@ -1,0 +2,16 @@ +Tue Aug 23 09:19:00 UTC 2022 - Pedro Monreal + +- FIPS: gpg/gpg2 gets out of core handler in FIPS mode while + typing Tab key to Auto-Completion. [bsc#1182983] + * Add libgcrypt-out-of-core-handler.patch + +--- +Mon Aug 8 11:33:03 UTC 2022 - Pedro Monreal + +- FIPS: Port libgcrypt to use jitterentropy [bsc#1202117, jsc#SLE-24941] + * Enable the jitter based entropy generator by default in random.conf +- Add libgcrypt-jitterentropy-3.3.0.patch + * Update the internal jitterentropy to version 3.4.0 +- Add libgcrypt-jitterentropy-3.4.0.patch + +--- 
@@ -6,0 +23,25 @@ + +--- +Thu Apr 14 12:30:36 UTC 2022 - Dennis Knorr + +- FIPS: extend the service indicator [bsc#1190700] + * introduced a pk indicator function + * adapted the approved and non approved ciphersuites + * Add libgcrypt_indicators_changes.patch + * Add libgcrypt-indicate-shake.patch + +--- +Tue Mar 22 12:32:09 UTC 2022 - Pedro Monreal + +- FIPS: Implement a service indicator for asymmetric ciphers [bsc#1190700] + * Mark RSA public key encryption and private key decryption with +padding (e.g. OAEP, PKCS) as non-approved since RSA-OAEP lacks +peer key assurance validation requirements per SP800-56Brev2. + * Mark ECC as approved only for NIST curves P-224, P-256, P-384 +and P-521 with check for common NIST names and aliases. + * Mark DSA, ELG, EDDSA, ECDSA and ECDH as non-approved. + * Add libgcrypt-FIPS-SLI-pk.patch + * Rebase libgcrypt-FIPS-service-indicators.patch +- Run the regression tests also in FIPS mode. + * Disable tests for non-FIPS approved algos. + * Rebase: libgcrypt-FIPS-verify-unsupported-KDF-test.patch New: libgcrypt-FIPS-SLI-pk.patch libgcrypt-indicate-shake.patch libgcrypt-jitterentropy-3.3.0.patch libgcrypt-jitterentropy-3.4.0.patch libgcrypt-out-of-core-handler.patch libgcrypt_indicators_changes.patch Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.SWckUY/_old 2022-09-07 11:05:12.156279327 +0200 +++ /var/tmp/diff_new_pack.SWckUY/_new 2022-09-07 11:05:12.160279338 +0200 
@@ -96,6 +96,17 @@ Patch40:libgcrypt-FIPS-service-indicators.patch #PATCH-FIX-UPSTREAM bsc#1195385 FIPS: Disable DSA in FIPS mode Patch41:libgcrypt-FIPS-disable-DSA.patch +#PATCH-FIX-UPSTREAM bsc#1190700 FIPS: Provide a service-level indicator for PK +Patch42:libgcrypt-FIPS-SLI-pk.patch +#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators +Patch43:libgcrypt_indicators_changes.patch +#PATCH-FIX-SUSE bsc#1190700 FIPS allow shake +Patch44:libgcrypt-indicate-shake.patch +#PATCH-FIX-UPSTREAM bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use jitterentropy +Patch45:libgcrypt-jitterentropy-3.3.0.patch +Patch46:libgcrypt-jitterentropy-3.4.0.patch +#PATCH-FIX-SUSE bsc#1182983 gpg: out of core handler ignored in FIPS mode while typing Tab key to Auto-Completion +Patch47:libgcrypt-out-of-core-handler.patch BuildRequires: automake >= 1.14 BuildRequires: fipscheck BuildRequires: libgpg-error-devel >= 1.27 @@ -213,6 +224,9 @@ fipshmac src/.libs/libgcrypt.so.?? %make_build check +# run the regression tests also in FIPS mode +LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check VERBOSE=1 || true + %install %make_install rm %{buildroot}%{_libdir}/%{name}.la ++ libgcrypt-FIPS-SLI-pk.patch ++ Index: libgcrypt-1.9.4/src/fips.c === --- libgcrypt-1.9.4.orig/src/fips.c +++ libgcrypt-1.9.4/src/fips.c @@ -32,6 +32,7 @@ #include "g10lib.h" #include "cipher-proto.h" +#include "cipher.h" #include "hmac256.h" @@ -482,6 +483,78 @@ _gcry_fips_indicator_kdf (va_list arg_pt default: return GPG_ERR_NOT_SUPPORTED; } +} + + +/* FIPS approved curves, extracted from: + * cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */ +static const struct +{ + const char
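Review bot: In the libgcrypt.spec hunk at -213,6 +224,9, the added line "LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check VERBOSE=1 || true" can never fail the build, so a regression in FIPS mode is visible only to someone reading the build log. The changelog says the tests for non-approved algorithms are disabled, which should leave a FIPS run that is expected to pass; drop the "|| true" so that it gates the build, or add a comment naming the tests that are still known to fail. In the patch list hunk above it, Patch46 (libgcrypt-jitterentropy-3.4.0.patch) has no PATCH-FIX tag line of its own and relies on the one written for Patch45.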
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2022-08-04 13:22:40 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.1521 (New) Package is "libgcrypt" Thu Aug 4 13:22:40 2022 rev:91 rq:991962 version:1.9.4 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2022-02-05 23:22:56.704022419 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1521/libgcrypt.changes 2022-08-04 13:22:45.636379017 +0200 @@ -1,0 +2,7 @@ +Mon Aug 1 07:27:35 UTC 2022 - Stephan Kulow + +- Fix reproducible build problems: + - Do not use %release in binaries (but use SOURCE_DATE_EPOCH) + - Fix date call messed up by spec-cleaner + +--- Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.oqs9sf/_old 2022-08-04 13:22:46.680381979 +0200 +++ /var/tmp/diff_new_pack.oqs9sf/_new 2022-08-04 13:22:46.684381991 +0200 @@ -179,11 +179,11 @@ %build echo building with build_hmac256 set to %{build_hmac256} autoreconf -fi -date=$(date -u +%{Y}-%{m}-%{dT}%{H}:%{M}+ -r %{SOURCE99}) +date=$(date -u '+%%Y-%%m-%%dT%%H:%%M+' -r %{SOURCE99}) sed -e "s,BUILD_TIMESTAMP=.*,BUILD_TIMESTAMP=$date," -i configure export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)" %configure \ - --with-fips-module-version="Libgcrypt version %{version}-%{release}" \ + --with-fips-module-version="Libgcrypt version %{version}-$SOURCE_DATE_EPOCH" \ --enable-noexecstack \ --disable-static \ --enable-m-guard \
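Review bot: In the %configure call of the %build hunk, --with-fips-module-version now ends in $SOURCE_DATE_EPOCH, which the shell expands at build time, so a build environment that does not export the variable produces the module version "Libgcrypt version %{version}-" with a dangling hyphen and no error. Add a check that the variable is non-empty before configure runs. The changelog for this package describes the module version as the string that is mapped to the validation records, so it is also worth confirming that an epoch timestamp in place of %{release} still satisfies that mapping.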
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2022-02-05 23:22:53 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.1898 (New) Package is "libgcrypt" Sat Feb 5 23:22:53 2022 rev:90 rq:950434 version:1.9.4 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2021-12-18 20:30:30.790251445 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1898/libgcrypt.changes 2022-02-05 23:22:56.704022419 +0100 @@ -1,0 +2,18 @@ +Tue Feb 1 11:28:51 UTC 2022 - Pedro Monreal + +- FIPS: Disable DSA in FIPS mode [bsc#1195385] + * Upstream task: https://dev.gnupg.org/T5710 + * Add libgcrypt-FIPS-disable-DSA.patch + +--- +Wed Jan 19 08:36:58 UTC 2022 - Pedro Monreal + +- FIPS: Service level indicator [bsc#1190700] + * Provide an indicator to check wether the service utilizes an +approved cryptographic algorithm or not. + * Add patches: +- libgcrypt-FIPS-service-indicators.patch +- libgcrypt-FIPS-verify-unsupported-KDF-test.patch +- libgcrypt-FIPS-HMAC-short-keylen.patch + +--- 
@@ -6,0 +25,56 @@ + +--- +Tue Nov 30 09:42:23 UTC 2021 - Pedro Monreal + +- FIPS: Define an entropy source SP800-90B compliant [bsc#1185140] + * Disable jitter entropy by default in random.conf + * Disable only-urandom option by default in random.conf + +--- +Fri Nov 26 13:10:29 UTC 2021 - Pedro Monreal + +- FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192240] + * rsa: Check RSA keylen constraints for key operations. + * rsa: Fix regression in not returning an error for prime generation. + * tests: Add 2k RSA key working in FIPS mode. + * tests: pubkey: Replace RSA key to one of 2k. + * tests: pkcs1v2: Skip tests with small keys in FIPS. + * Add patches: +- libgcrypt-FIPS-RSA-keylen.patch +- libgcrypt-FIPS-RSA-keylen-tests.patch + +--- +Mon Nov 8 10:21:39 UTC 2021 - Pedro Monreal + +- FIPS: Disable 3DES/Triple-DES in FIPS mode [bsc#1185138] + * Add libgcrypt-FIPS-disable-3DES.patch + +--- +Tue Nov 2 11:31:19 UTC 2021 - Pedro Monreal + +- FIPS: PBKDF requirements [bsc#1185137] + * The PBKDF2 selftests were introduced in libgcrypt version +1.9.1 in the function selftest_pbkdf2() + * Upstream task: https://dev.gnupg.org/T5182 + +--- +Thu Oct 28 19:48:06 UTC 2021 - Pedro Monreal + +- FIPS: Fix regression tests in FIPS mode [bsc#1192131] + * Add libgcrypt-FIPS-fix-regression-tests.patch + * Upstream task: https://dev.gnupg.org/T5520 + +--- +Thu Sep 21 11:25:06 UTC 2021 - Pedro Monreal + +- FIPS: Provide a module name/identifier and version that can be + mapped to the validation records. 
[bsc#1190706] + * Add libgcrypt-FIPS-module-version.patch + * Upstream task: https://dev.gnupg.org/T5600 + +--- +Thu Sep 21 10:23:44 UTC 2021 - Pedro Monreal + +- FIPS: Enable hardware support also in FIPS mode [bsc#1187110] + * Add libgcrypt-FIPS-hw-optimizations.patch + * Upstream task: https://dev.gnupg.org/T5508 New: libgcrypt-FIPS-HMAC-short-keylen.patch libgcrypt-FIPS-RSA-keylen-tests.patch libgcrypt-FIPS-RSA-keylen.patch libgcrypt-FIPS-disable-3DES.patch libgcrypt-FIPS-disable-DSA.patch libgcrypt-FIPS-fix-regression-tests.patch libgcrypt-FIPS-hw-optimizations.patch libgcrypt-FIPS-module-version.patch libgcrypt-FIPS-service-indicators.patch libgcrypt-FIPS-verify-unsupported-KDF-test.patch Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.eMt3ZZ/_old 2022-02-05 23:22:57.576016454 +0100 +++ /var/tmp/diff_new_pack.eMt3ZZ/_new 2022-02-05 23:22:57.580016427 +0100 @@ -1,7 +1,7 @@ # # spec file for package libgcrypt # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,7 +27,7 @@ Summary:The GNU Crypto Library License:GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later Group: Development/Libraries/C and C++ -URL:https://directory.fsf.org/wiki/Libgc
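Review bot: In the second libgcrypt.changes hunk (-6,0 +25,56), the two entries dated "Thu Sep 21 ... UTC 2021" carry a weekday that does not match the date, since 21 September 2021 was a Tuesday; correct the date lines so changelog checkers do not flag them. In the first hunk, "wether" in the service level indicator entry should read "whether".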
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2021-12-18 20:29:55 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.2520 (New) Package is "libgcrypt" Sat Dec 18 20:29:55 2021 rev:89 rq:940475 version:1.9.4 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2021-08-28 22:31:06.146104274 +0200 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.2520/libgcrypt.changes 2021-12-18 20:30:30.790251445 +0100 @@ -1,0 +2,7 @@ +Tue Dec 7 09:41:01 UTC 2021 - Pedro Monreal + +- FIPS: Fix gcry_mpi_sub_ui subtraction [bsc#1193480] + * gcry_mpi_sub_ui: fix subtracting from negative value + * Add libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch + +--- New: libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.cg4EAO/_old 2021-12-18 20:30:31.650251922 +0100 +++ /var/tmp/diff_new_pack.cg4EAO/_new 2021-12-18 20:30:31.654251925 +0100 @@ -77,6 +77,8 @@ Patch29:libgcrypt-fips_selftest_trigger_file.patch #PATCH-FIX-SUSE bsc#1189745 The t-lock test is not build with phtread in gcc7, works in gcc11 Patch30:libgcrypt-pthread-in-t-lock-test.patch +#PATCH-FIX-UPSTREAM bsc#1193480 FIPS: gcry_mpi_sub_ui: fix subtracting from negative value +Patch31:libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch BuildRequires: automake >= 1.14 BuildRequires: fipscheck BuildRequires: libgpg-error-devel >= 1.27 ++ libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch ++ >From d5bf106468e6c6b0f33b193abf04590e4e9fc011 Mon Sep 17 00:00:00 2001 
From: Jussi Kivilinna Date: Tue, 30 Nov 2021 22:04:16 +0200 Subject: gcry_mpi_sub_ui: fix subtracting from negative value * mpi/mpi-add.c (_gcry_mpi_sub_ui): Set output sign bit when 'u' is negative. * tests/mpitests.c (test_add): Additional tests for mpi_add_ui; Check test output and fail if output does not match expected. (test_sub): Additional tests for mpi_sub_ui; Check test output and fail if output does not match expected. (test_mul): Additional tests for mpi_mul_ui; Check test output and fail if output does not match expected. -- Reported-by: Guido Vranken Signed-off-by: Jussi Kivilinna --- mpi/mpi-add.c| 1 + tests/mpitests.c | 119 --- 2 files changed, 113 insertions(+), 7 deletions(-) diff --git a/mpi/mpi-add.c b/mpi/mpi-add.c index 53f476e0..38dd352f 100644 --- a/mpi/mpi-add.c +++ b/mpi/mpi-add.c @@ -191,6 +191,7 @@ _gcry_mpi_sub_ui(gcry_mpi_t w, gcry_mpi_t u, unsigned long v ) cy = _gcry_mpih_add_1(wp, up, usize, v); wp[usize] = cy; wsize = usize + cy; + wsign = 1; } else { /* The signs are different. Need exact comparison to determine * which operand to subtract from which. */ diff --git a/tests/mpitests.c b/tests/mpitests.c index 96e01551..48ea18b2 100644 --- a/tests/mpitests.c +++ b/tests/mpitests.c @@ -378,7 +378,8 @@ test_add (void) gcry_mpi_t two; gcry_mpi_t ff; gcry_mpi_t result; - unsigned char* pc; + gcry_mpi_t minusfive; + char *pc; gcry_mpi_scan(&one, GCRYMPI_FMT_USG, ones, sizeof(ones), NULL); gcry_mpi_scan(&two, GCRYMPI_FMT_USG, twos, sizeof(twos), NULL); 
@@ -386,21 +387,47 @@ test_add (void) result = gcry_mpi_new(0); gcry_mpi_add(result, one, two); - gcry_mpi_aprint(GCRYMPI_FMT_HEX, &pc, NULL, result); + gcry_mpi_aprint(GCRYMPI_FMT_HEX, (unsigned char **)&pc, NULL, result); if (debug) gcry_log_debug ("Result of one plus two:\n%s\n", pc); + if (strcmp (pc, "030303030303030303030303030303030303030303030303" + "030303030303030303030303030303030303030303030303") != 0) +fail ("mpi_add failed at line %d", __LINE__); gcry_free(pc); gcry_mpi_add(result, ff, one); - gcry_mpi_aprint(GCRYMPI_FMT_HEX, &pc, NULL, result); + gcry_mpi_aprint(GCRYMPI_FMT_HEX, (unsigned char **)&pc, NULL, result); if (debug) gcry_log_debug ("Result of ff plus one:\n%s\n", pc); + if (strcmp (pc, "010101010101010101010101010101010101010101010101" + "01010101010101010101010101010101010101010101010100") != 0) +fail ("mpi_add failed at line %d", __LINE__); + gcry_free(pc); + + gcry_mpi_scan(&minusfive, GCRYMPI_FMT_HEX, "-5", 0, NULL); + gcry_mpi_add_ui (result, minusfive, 2); + + gcry_mpi_aprint(GCRYMPI_FMT_HEX, (unsigned char **)&pc, NULL, result); + if (debug) +gcry_log_debug ("Result of minus five plus two:\n%s\n", pc); + if (strcmp (pc, "-03") != 0) +fail ("mpi_add_ui failed at line %d", __LINE__); + gcry_free(pc); + + gcry_mpi_a
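Review bot: In the mpi/mpi-add.c hunk, the added "wsign = 1;" is the whole fix and has no comment, while the else branch right after it explains its sign handling. A one-line comment saying that u is negative in this branch, so the result -(|u| + v) must stay negative, would keep a later cleanup from removing the assignment. In tests/mpitests.c, the new gcry_mpi_scan call for "-5" in test_add ignores its return value like the existing calls do; checking it would make a parse failure show up as such instead of as a string mismatch.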
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2021-08-28 22:31:04 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.1899 (New) Package is "libgcrypt" Sat Aug 28 22:31:04 2021 rev:88 rq:913986 version:1.9.4 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2021-06-18 10:13:18.329956114 +0200 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1899/libgcrypt.changes 2021-08-28 22:31:06.146104274 +0200 @@ -1,0 +2,25 @@ +Mon Aug 23 12:08:24 UTC 2021 - Pedro Monreal + +- Update to 1.9.4: + * Bug fixes: +- Fix Elgamal encryption for other implementations. [CVE-2021-33560] +- Fix alignment problem on macOS. +- Check the input length of the point in ECDH. +- Fix an abort in gcry_pk_get_param for "Curve25519". + * Other features: +- Add GCM and CCM to OID mapping table for AES. + * Upstream libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch + +--- +Mon Aug 23 10:11:55 UTC 2021 - Pedro Monreal + +- Remove not needed patch libgcrypt-sparcv9.diff + +--- +Thu Jul 15 12:53:45 UTC 2021 - Pedro Monreal + +- Fix building test t-lock with pthread. [bsc#1189745] + * Explicitly add -lpthread to compile the t-lock test. + * Add libgcrypt-pthread-in-t-lock-test.patch + +--- Old: libgcrypt-1.9.3.tar.bz2 libgcrypt-1.9.3.tar.bz2.sig libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch libgcrypt-sparcv9.diff New: libgcrypt-1.9.4.tar.bz2 libgcrypt-1.9.4.tar.bz2.sig libgcrypt-pthread-in-t-lock-test.patch Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.mtClYx/_old 2021-08-28 22:31:07.750106057 +0200 +++ /var/tmp/diff_new_pack.mtClYx/_new 2021-08-28 22:31:07.750106057 +0200 @@ -22,7 +22,7 @@ %define libsoname %{name}%{libsover} %define cavs_dir %{_libexecdir}/%{name}/cavs Name: libgcrypt -Version:1.9.3 +Version:1.9.4 Release:0 Summary:The GNU Crypto Library License:GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later 
@@ -39,7 +39,6 @@ Source6:cavs_driver.pl Source99: libgcrypt.changes Patch1: libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch -Patch2: libgcrypt-sparcv9.diff Patch3: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff Patch4: libgcrypt-1.6.1-use-fipscheck.patch Patch5: libgcrypt-1.6.1-fips-cavs.patch @@ -76,8 +75,8 @@ Patch27:libgcrypt-PCT-DSA.patch Patch28:libgcrypt-PCT-ECC.patch Patch29:libgcrypt-fips_selftest_trigger_file.patch -#PATCH-FIX-UPSTREAM bsc#1187212 CVE-2021-33560 ElGamal encryption lacks exponent blinding -Patch30:libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch +#PATCH-FIX-SUSE bsc#1189745 The t-lock test is not build with phtread in gcc7, works in gcc11 +Patch30:libgcrypt-pthread-in-t-lock-test.patch BuildRequires: automake >= 1.14 BuildRequires: fipscheck BuildRequires: libgpg-error-devel >= 1.27 ++ libgcrypt-1.9.3.tar.bz2 -> libgcrypt-1.9.4.tar.bz2 ++ 3163 lines of diff (skipped) ++ libgcrypt-pthread-in-t-lock-test.patch ++ Index: libgcrypt-1.9.3/tests/Makefile.am === --- libgcrypt-1.9.3.orig/tests/Makefile.am +++ libgcrypt-1.9.3/tests/Makefile.am @@ -74,7 +74,7 @@ prime_LDADD = $(standard_ldadd) @LDADD_F t_mpi_bit_LDADD = $(standard_ldadd) @LDADD_FOR_TESTS_KLUDGE@ t_secmem_LDADD = $(standard_ldadd) @LDADD_FOR_TESTS_KLUDGE@ testapi_LDADD = $(standard_ldadd) @LDADD_FOR_TESTS_KLUDGE@ -t_lock_LDADD = $(standard_ldadd) $(GPG_ERROR_MT_LIBS) @LDADD_FOR_TESTS_KLUDGE@ +t_lock_LDADD = $(standard_ldadd) $(GPG_ERROR_MT_LIBS) -lpthread @LDADD_FOR_TESTS_KLUDGE@ t_lock_CFLAGS = $(GPG_ERROR_MT_CFLAGS) testdrv_LDADD = $(LDADD_FOR_TESTS_KLUDGE)
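Review bot: In libgcrypt-pthread-in-t-lock-test.patch, -lpthread is hard-coded into t_lock_LDADD directly after $(GPG_ERROR_MT_LIBS), the variable that is meant to supply the threading library. The spec comment says the failure occurs with gcc7 and not with gcc11, so the patch should either be conditional on the affected toolchain or fix what GPG_ERROR_MT_LIBS expands to, and the comment should say which. The patch is also still generated against libgcrypt-1.9.3 paths although it ships with the 1.9.4 update, and its tag line has the typos "not build" and "phtread".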
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2021-06-18 10:13:11 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.2625 (New) Package is "libgcrypt" Fri Jun 18 10:13:11 2021 rev:87 rq:900114 version:1.9.3 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2021-04-26 16:38:13.701942305 +0200 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.2625/libgcrypt.changes 2021-06-18 10:13:18.329956114 +0200 @@ -1,0 +2,9 @@ +Fri Jun 11 13:17:54 UTC 2021 - Pedro Monreal + +- Security fix: [bsc#1187212, CVE-2021-33560] + * cipher: Fix ElGamal encryption for other implementations. + * Exponent blinding was added in version 1.9.3. This patch +fixes ElGamal encryption, see: https://dev.gnupg.org/T5328 +- Add libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch + +--- New: libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.J2oKMi/_old 2021-06-18 10:13:19.005957008 +0200 +++ /var/tmp/diff_new_pack.J2oKMi/_new 2021-06-18 10:13:19.009957013 +0200 @@ -31,16 +31,15 @@ Source: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2 Source1: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig Source2:baselibs.conf +Source3:random.conf # https://www.gnupg.org/signature_key.en.html Source4:libgcrypt.keyring # cavs test framework Source5:cavs-test.sh Source6:cavs_driver.pl -Source7:random.conf Source99: libgcrypt.changes Patch1: libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch Patch2: libgcrypt-sparcv9.diff -#PATCH-FIX-SUSE: N/A Patch3: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff Patch4: libgcrypt-1.6.1-use-fipscheck.patch Patch5: libgcrypt-1.6.1-fips-cavs.patch 
@@ -77,6 +76,8 @@ Patch27:libgcrypt-PCT-DSA.patch Patch28:libgcrypt-PCT-ECC.patch Patch29:libgcrypt-fips_selftest_trigger_file.patch +#PATCH-FIX-UPSTREAM bsc#1187212 CVE-2021-33560 ElGamal encryption lacks exponent blinding +Patch30:libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch BuildRequires: automake >= 1.14 BuildRequires: fipscheck BuildRequires: libgpg-error-devel >= 1.27 @@ -150,7 +151,6 @@ blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. - %endif %prep @@ -211,7 +211,7 @@ # Create /etc/gcrypt directory and install random.conf mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt -install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/gcrypt/random.conf +install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/gcrypt/random.conf %post -n %{libsoname} -p /sbin/ldconfig %postun -n %{libsoname} -p /sbin/ldconfig ++ libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch ++ 
From: NIIBE Yutaka Date: Fri, 21 May 2021 02:15:07 + (+0900) Subject: cipher: Fix ElGamal encryption for other implementations. X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff_plain;h=632d80ef30e13de6926d503aa697f92b5dbfbc5e cipher: Fix ElGamal encryption for other implementations. * cipher/elgamal.c (gen_k): Remove support of smaller K. (do_encrypt): Never use smaller K. (sign): Folllow the change of gen_k. -- This change basically reverts encryption changes in two commits: 74386120dad6b3da62db37f7044267c8ef34689b 78531373a342aeb847950f404343a05e36022065 Use of smaller K for ephemeral key in ElGamal encryption is only good, when we can guarantee that recipient's key is generated by our implementation (or compatible). For detail, please see: Luca De Feo, Bertram Poettering, Alessandro Sorniotti, "On the (in)security of ElGamal in OpenPGP"; in the proceedings of CCS'2021. CVE-id: CVE-2021-33560 GnuPG-bug-id: 5328 Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti Signed-off-by: NIIBE Yutaka --- diff --git a/cipher/elgamal.c b/cipher/elgamal.c index 9835122f..eead4502 100644 --- a/cipher/elgamal.c +++ b/cipher/elgamal.c @@ -66,7 +66,7 @@ static const char *elg_names[] = static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie); -static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k); +static gcry_mpi_t gen_k (gcry_mpi_t p); static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits, gcry_mpi_t **factors); static int check_secret
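Review bot: In the libgcrypt.spec hunk at -77,6 +76,8, the tag line for Patch30 describes the problem as "ElGamal encryption lacks exponent blinding", but the changelog entry states that exponent blinding was already added in 1.9.3, and the patch itself removes the small_k parameter from gen_k so that do_encrypt never uses a smaller K. Reword the tag line to match what the patch does, for example "ElGamal: never use smaller K for the ephemeral key", so that the spec, the changelog and the upstream commit message agree on what CVE-2021-33560 is being fixed by.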
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2021-04-26 16:38:12 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.12324 (New) Package is "libgcrypt" Mon Apr 26 16:38:12 2021 rev:86 rq:887034 version:1.9.3 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2021-02-23 20:20:12.935645661 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.12324/libgcrypt.changes 2021-04-26 16:38:13.701942305 +0200 @@ -1,0 +2,20 @@ +Tue Apr 20 08:46:11 UTC 2021 - Paolo Stivanin + +- libgcrypt 1.9.3: + * Bug fixes: +- Fix build problems on i386 using gcc-4.7. +- Fix checksum calculation in OCB decryption for AES on s390. +- Fix a regression in gcry_mpi_ec_add related to certain usages + of curve 25519. +- Fix a symbol not found problem on Apple M1. +- Fix for Apple iOS getentropy peculiarity. +- Make keygrip computation work for compressed points. + * Performance: +- Add x86_64 VAES/AVX2 accelerated implementation of Camellia. +- Add x86_64 VAES/AVX2 accelerated implementation of AES. +- Add VPMSUMD acceleration for GCM mode on PPC. + * Internal changes. +- Harden MPI conditional code against EM leakage. +- Harden Elgamal by introducing exponent blinding. + +--- Old: libgcrypt-1.9.2.tar.bz2 libgcrypt-1.9.2.tar.bz2.sig New: libgcrypt-1.9.3.tar.bz2 libgcrypt-1.9.3.tar.bz2.sig Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.20tTlU/_old 2021-04-26 16:38:14.649943815 +0200 +++ /var/tmp/diff_new_pack.20tTlU/_new 2021-04-26 16:38:14.649943815 +0200 @@ -22,7 +22,7 @@ %define libsoname %{name}%{libsover} %define cavs_dir %{_libexecdir}/%{name}/cavs Name: libgcrypt -Version:1.9.2 +Version:1.9.3 Release:0 Summary:The GNU Crypto Library License:GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later ++ libgcrypt-1.9.2.tar.bz2 -> libgcrypt-1.9.3.tar.bz2 ++ 12505 lines of diff (skipped)
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2021-02-23 20:18:45 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.2378 (New) Package is "libgcrypt" Tue Feb 23 20:18:45 2021 rev:85 rq:873072 version:1.9.2 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2021-02-08 11:47:05.589677498 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.2378/libgcrypt.changes 2021-02-23 20:20:12.935645661 +0100 @@ -1,0 +2,12 @@ +Wed Feb 17 09:49:55 UTC 2021 - Andreas Stieger + +- libgcrypt 1.9.2: + * Fix building with --disable-asm on x86 + * Check public key for ECDSA verify operation + * Make sure gcry_get_config (NULL) returns a nul-terminated +string + * Fix a memory leak in the ECDH code + * Fix a reading beyond end of input buffer in SHA2-avx2 +- remove obsolete texinfo packaging macros + +--- Old: libgcrypt-1.9.1.tar.bz2 libgcrypt-1.9.1.tar.bz2.sig New: libgcrypt-1.9.2.tar.bz2 libgcrypt-1.9.2.tar.bz2.sig Other differences: -- ++ libgcrypt.spec ++ --- /var/tmp/diff_new_pack.BZK32r/_old 2021-02-23 20:20:14.527647068 +0100 +++ /var/tmp/diff_new_pack.BZK32r/_new 2021-02-23 20:20:14.531647072 +0100 @@ -22,7 +22,7 @@ %define libsoname %{name}%{libsover} %define cavs_dir %{_libexecdir}/%{name}/cavs Name: libgcrypt -Version:1.9.1 +Version:1.9.2 Release:0 Summary:The GNU Crypto Library License:GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later @@ -117,7 +117,6 @@ Requires: %{libsoname} = %{version} Requires: glibc-devel Requires: libgpg-error-devel >= 1.27 -Requires(post): %{install_info_prereq} %description devel Libgcrypt is a general purpose library of cryptographic building 
@@ -145,7 +144,6 @@ Group: Development/Libraries/C and C++ Requires: %{libsoname} = %{version} Requires: libgpg-error-devel >= 1.27 -Requires(post): %{install_info_prereq} %description hmac256 Libgcrypt is a general purpose library of cryptographic building @@ -217,11 +215,6 @@ %post -n %{libsoname} -p /sbin/ldconfig %postun -n %{libsoname} -p /sbin/ldconfig -%post devel -%install_info --info-dir=%{_infodir} %{_infodir}/gcrypt.info.gz - -%preun devel -%install_info_delete --info-dir=%{_infodir} %{_infodir}/gcrypt.info.gz %files -n %{libsoname} %license COPYING.LIB ++ libgcrypt-1.9.1.tar.bz2 -> libgcrypt-1.9.2.tar.bz2 ++ 2110 lines of diff (skipped)
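Review bot: in the libgcrypt.changes hunk, "Check public key for ECDSA verify operation" and "Fix a reading beyond end of input buffer in SHA2-avx2" read as security-relevant fixes but have no bsc# or CVE reference. Add the tracker ids if they exist so that downstream maintainers can decide whether to backport. The continuation line "string" of the gcry_get_config entry also appears unindented, unlike the other wrapped bullets in this file.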
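Review bot: with the %post devel and %preun devel scriptlets removed at @@ -217,11 +215,6 @@, nothing in the spec registers gcrypt.info.gz any more. The changelog line "remove obsolete texinfo packaging macros" does not say from which release the macros are obsolete, so confirm that every build target of this spec updates the info directory without them. The "Requires(post): %{install_info_prereq}" dropped from the hmac256 subpackage had no matching scriptlet in the visible hunks, so that removal looks like cleanup of a dangling dependency and is fine.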
commit libgcrypt for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2021-02-08 11:47:03 Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.28504 (New) Package is "libgcrypt" Mon Feb 8 11:47:03 2021 rev:84 rq:868946 version:1.9.1 Changes: --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2020-10-29 09:21:26.554638072 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.28504/libgcrypt.changes 2021-02-08 11:47:05.589677498 +0100 
@@ -1,0 +2,89 @@ +Tue Feb 2 01:06:47 UTC 2021 - Pedro Monreal + +- Update to 1.9.1 + * *Fix exploitable bug* in hash functions introduced with + 1.9.0. [bsc#1181632, CVE-2021-3345] + * Return an error if a negative MPI is used with sexp scan + functions. + * Check for operational FIPS in the random and KDF functions. + * Fix compile error on ARMv7 with NEON disabled. + * Fix self-test in KDF module. + * Improve assembler checks for better LTO support. + * Fix 32-bit cross build on x86. + * Fix non-NEON ARM assembly implementation for SHA512. + * Fix build problems with the cipher_bulk_ops_t typedef. + * Fix Ed25519 private key handling for preceding ZEROs. + * Fix overflow in modular inverse implementation. + * Fix register access for AVX/AVX2 implementations of Blake2. + * Add optimized cipher and hash functions for s390x/zSeries. + * Use hardware bit counting functionx when available. + * Update DSA functions to match FIPS 186-3. + * New self-tests for CMACs and KDFs. + * Add bulk cipher functions for OFB and GCM modes. +- Update libgpg-error required version + +--- +Tue Feb 1 12:03:31 UTC 2021 - Pedro Monreal + +- Use the suffix variable correctly in get_hmac_path() +- Rebase libgcrypt-fips_selftest_trigger_file.patch + +--- +Mon Jan 25 12:38:35 UTC 2021 - Pedro Monreal + +- Add the global config file /etc/gcrypt/random.conf + * This file can be used to globally change parameters of the random +generator with the options: only-urandom and disable-jent. + +--- +Thu Jan 21 15:42:15 UTC 2021 - Pedro Monreal + +- Update to 1.9.0: + New stable branch of Libgcrypt with full API and ABI compatibility + to the 1.8 series. Release-info: https://dev.gnupg.org/T4294 + * New and extended interfaces: +- New curves Ed448, X448, and SM2. +- New cipher mode EAX. +- New cipher algo SM4. +- New hash algo SM3. +- New hash algo variants SHA512/224 and SHA512/256. +- New MAC algos for Blake-2 algorithms, the new SHA512 variants, + SM3, SM4 and for a GOST variant. 
+- New convenience function gcry_mpi_get_ui. +- gcry_sexp_extract_param understands new format specifiers to + directly store to integers and strings. +- New function gcry_ecc_mul_point and curve constants for Curve448 + and Curve25519. +- New function gcry_ecc_get_algo_keylen. +- New control code GCRYCTL_AUTO_EXPAND_SECMEM to allow growing the + secure memory area. + * Performance optimizations and bug fixes: See Release-info. + * Other features: +- Add OIDs from RFC-8410 as aliases for Ed25519 and Curve25519. +- Add mitigation against ECC timing attack CVE-2019-13627. +- Internal cleanup of the ECC implementation. +- Support reading EC point in compressed format for some curves. +- Rebase patches: + * libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch + * libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff + * libgcrypt-1.6.1-use-fipscheck.patch + * drbg_test.patch + * libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch + * libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch + * libgcrypt-1.8.4-fips-keygen.patch + * libgcrypt-1.8.4-getrandom.patch + * libgcrypt-fix-tests-fipsmode.patch + * libgcrypt-global_init-constructor.patch + * libgcrypt-ecc-ecdsa-no-blinding.patch + * libgcrypt-PCT-RSA.patch + * libgcrypt-PCT-ECC.patch +- Remove patches: + * libgcrypt-unresolved-dladdr.patch + * libgcrypt-CVE-2019-12904-GCM-Prefetch.patch + * libgcrypt-CVE-2019-12904-GCM.patch + * libgcrypt-CVE-2019-12904-AES.patch + * libgcrypt-CMAC-AES-TDES-selftest.patch + * libgcrypt-1.6.1-fips-cfgrandom.patch + * libgcrypt-fips_rsa_no_enforced_mode.patch + +--- Old: libgcrypt-1.6.1-fips-cfgrandom.patch libgcrypt-1.8.7.tar.bz2 libgcrypt-1.8.7.tar.bz2.sig libgcrypt-CMAC-AES-TDES-selftest.patch libgcrypt-CVE-2019-12904-AES.patch libgcrypt-CVE-2019-12904-GCM-Prefetch.patch libgcrypt-CVE-2019-12904-GCM.patch libgcrypt-fips_rsa_no_enforced_mode
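Review bot: the "Remove patches:" list in the libgcrypt.changes hunk drops libgcrypt-CVE-2019-12904-AES.patch, libgcrypt-CVE-2019-12904-GCM.patch and libgcrypt-CVE-2019-12904-GCM-Prefetch.patch without saying that the fixes are included upstream in 1.9.0. State that next to each removed patch, otherwise the entry reads as if a CVE fix was dropped. Two smaller points in the same hunk: the header "Tue Feb 1 12:03:31 UTC 2021" has a weekday that does not match its date (1 February 2021 was a Monday), and "Use hardware bit counting functionx when available" has a typo in "functions".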