Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2026-04-23 19:22:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libgcrypt" Thu Apr 23 19:22:56 2026 rev:113 rq:1348341 version:1.12.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2026-02-24 15:38:50.963038690 +0100 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.11940/libgcrypt.changes 2026-04-23 19:22:58.746815957 +0200 @@ -1,0 +2,6 @@ +Mon Apr 20 10:01:16 UTC 2026 - Angel Yankov <[email protected]> + +- Update to 1.12.2 + * Various fixes on gcry_kem_* apis + +------------------------------------------------------------------- Old: ---- libgcrypt-1.12.1.tar.bz2 libgcrypt-1.12.1.tar.bz2.sig New: ---- libgcrypt-1.12.2.tar.bz2 libgcrypt-1.12.2.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libgcrypt.spec ++++++ --- /var/tmp/diff_new_pack.YviVlm/_old 2026-04-23 19:22:59.870862278 +0200 +++ /var/tmp/diff_new_pack.YviVlm/_new 2026-04-23 19:22:59.874862443 +0200 @@ -21,7 +21,7 @@ %define libsoname %{name}%{libsover} %define hmac_key orboDeJITITejsirpADONivirpUkvarP Name: libgcrypt -Version: 1.12.1 +Version: 1.12.2 Release: 0 Summary: The GNU Crypto Library License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later ++++++ libgcrypt-1.12.1.tar.bz2 -> libgcrypt-1.12.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/ChangeLog new/libgcrypt-1.12.2/ChangeLog --- old/libgcrypt-1.12.1/ChangeLog 2026-02-20 14:15:50.000000000 +0100 +++ new/libgcrypt-1.12.2/ChangeLog 2026-04-15 11:12:40.000000000 +0200 
@@ -1,3 +1,65 @@ +2026-04-15 NIIBE Yutaka <[email protected]> + + cipher:kem:ecc: Raise an error by validating a point on curve. + + commit f95ba3c063a5e67e895b93564164593890b5063c + * cipher/ecc-ecdh.c (_gcry_ecc_curve_mul_point): Add new argument + ENABLE_MONT_CHECK to enable check for Montgomery curve. Add point + validation. Raise GPG_ERR_INV_DATA on failure. + (_gcry_ecc_mul_point): Call _gcry_ecc_curve_mul_point with Montgomery + curve check disabled. + * cipher/kem-ecc.c (ecc_mul_point): Call _gcry_ecc_curve_mul_point + with Montgomery curve check enabled. + * src/gcrypt-int.h (_gcry_ecc_curve_mul_point): Change the proto. + + cipher:ecc: Fix decoding a point on Montgomery curve. + + commit 2d3d732c9bf87cc10729f69678dd9e6862f99fa3 + * cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix the padding + mistake and add updating RAWMPILEN. + +2026-04-13 NIIBE Yutaka <[email protected]> + Thai Duong <[email protected]> + + cipher:dilithium: Check the label length by caller. + + commit 905e00f046a71e5670517779afaf85a354952832 + * cipher/dilithium.h (dilithium_keypair, dilithium_sign) + (dilithium_verify): Return gpg_err_code_t. + * cipher/dilithium.c (dilithium_keypair): Return gpg_err_code_t. + (dilithium_sign, dilithium_verify): Ditto. Check CTXLEN. + * cipher/pubkey-dilithium.c (mldsa_generate): Follow the change. + (mldsa_sign, mldsa_verify): Likewise. + +2026-04-09 NIIBE Yutaka <[email protected]> + + cipher:dilithium: Fix the glue of libgcrypt. + + commit 5a875908cb95407e12c7d206e31c287b0e06dbca + * cipher/dilithium.h (dilithium_sign, dilithium_verify): Define the + macro correctly so that we can keep using _gcry namespace for internal + functions. + +2026-04-07 NIIBE Yutaka <[email protected]> + + tests:kem: Don't emit a message each time, but once. + + commit 460695d0538b2d9df6511e7ae686469bcecc686a + * tests/t-kem.c (test_kem_sntrup761, test_kem_mceliece6688128f) + (test_kem_mlkem512, test_kem_mlkem768, test_kem_mlkem1024): Don't emit + message here. 
+ (check_kem): But here, before the loop. + +2026-03-24 NIIBE Yutaka <[email protected]> + + cipher:rsa: Fix the dead-code of stronger_key_check. + + commit 39aca53012e098c1c049e28d759a051e173709ec + * cipher/rsa.c (check_secret_key): Rename from stronger_key_check + to be enabled with ENABLE_STRONGER_CHECK. + +2026-03-16 Werner Koch <[email protected]> + + Add the commit-id to the VERSION file. + + commit 1f85852506bd8765a00a34d90822c6be4630c587 + * compat/compat.c (_gcry_compat_identification): Also use here. + * configure.ac (mym4_commitid): New. + (BUILD_COMMITID): New ac_define. + 2026-02-20 Werner Koch <[email protected]> Release 1.12.1. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/NEWS new/libgcrypt-1.12.2/NEWS --- old/libgcrypt-1.12.1/NEWS 2026-02-20 14:00:36.000000000 +0100 +++ new/libgcrypt-1.12.2/NEWS 2026-04-15 10:46:02.000000000 +0200 @@ -1,3 +1,22 @@ +Noteworthy changes in version 1.12.2 (2026-04-15) [C27/A7/R2] +------------------------------------------------- + + * Bug fixes: + + - Fix possible ECDH buffer overwrite with zeroes. [T8211] + + - Add a missing bounds check to the Dilithium context handling. + [T8208] + + - Add point validation when using the new KEM interface. [T8212] + + * Other: + + - Fix the dead-code of stronger_key_check for RSA. [T8171] + + Release-info: https://dev.gnupg.org/T8114 + + Noteworthy changes in version 1.12.1 (2026-02-20) [C27/A7/R1] ------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/VERSION new/libgcrypt-1.12.2/VERSION --- old/libgcrypt-1.12.1/VERSION 2026-02-20 14:15:37.000000000 +0100 +++ new/libgcrypt-1.12.2/VERSION 2026-04-15 11:12:27.000000000 +0200 
@@ -1 +1,2 @@ -1.12.1 +1.12.2 +efc346430901b84f1f580a147191624d7ded0db6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/cipher/dilithium.c new/libgcrypt-1.12.2/cipher/dilithium.c --- old/libgcrypt-1.12.1/cipher/dilithium.c 2025-09-23 15:14:22.000000000 +0200 +++ new/libgcrypt-1.12.2/cipher/dilithium.c 2026-04-15 10:46:02.000000000 +0200 @@ -82,6 +82,7 @@ #include "gcrypt-int.h" #include "const-time.h" +/* With glue code, we only use the "_internal" API of Dilithium. */ #define DILITHIUM_INTERNAL_API_ONLY 1 #include "dilithium.h" @@ -120,23 +121,33 @@ const uint8_t *pre, size_t prelen, const uint8_t *pk); -int +gpg_err_code_t dilithium_keypair (int algo, uint8_t *pk, uint8_t *sk, const uint8_t seed[SEEDBYTES]) { + int r; + switch (algo) { case GCRY_MLDSA44: - return crypto_sign_keypair_internal_2 (pk, sk, seed); + r = crypto_sign_keypair_internal_2 (pk, sk, seed); + break; case GCRY_MLDSA65: default: - return crypto_sign_keypair_internal_3 (pk, sk, seed); + r = crypto_sign_keypair_internal_3 (pk, sk, seed); + break; case GCRY_MLDSA87: - return crypto_sign_keypair_internal_5 (pk, sk, seed); + r = crypto_sign_keypair_internal_5 (pk, sk, seed); + break; } + + if (r < 0) + return GPG_ERR_INTERNAL; + + return 0; } -int +gpg_err_code_t dilithium_sign (int algo, uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *ctx, size_t ctxlen, @@ -145,9 +156,17 @@ size_t i; uint8_t pre[257]; size_t prelen; + int r; - if (ctx == NULL && ctxlen == -1) - prelen = 0; + if (ctx == NULL) + { + if (ctxlen == -1) + prelen = 0; + else + return GPG_ERR_INV_DATA; + } + else if (ctxlen > 255) + return GPG_ERR_INV_DATA; else { /* Prepare pre = (0, ctxlen, ctx) */ 
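Review bot: The new bound `ctxlen > 255` in dilithium_sign is what keeps `prelen = 2 + ctxlen` inside `pre[257]`, but nothing in the code ties the two numbers together; a reader has to rediscover the relation from two hunks. I'd put the rule next to the check: `/* FIPS 204 limits ctx to 255 bytes, so pre = (0, ctxlen, ctx) fits in 2 + 255.  */`, and note that `ctxlen == -1` is the size_t sentinel (SIZE_MAX) that pubkey-dilithium.c passes for "no context", which is also why a non-NULL ctx with ctxlen -1 is rejected by the `> 255` branch rather than by an explicit test. dilithium_verify's copy of the same check (the last hunk on the following line) would take the same comment. dilithium_sign's body continues outside this hunk.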
@@ -158,28 +177,44 @@ prelen = 2 + ctxlen; } + /* + * Note that the second argument of the upstream routine is the + * pointer to output length of signature. It assumes the first + * argument (pointer to output signature) should have correct (or + * more) length, beforehand. + * + * Before calling the routine, we should check the length. + */ switch (algo) { case GCRY_MLDSA44: if (siglen != CRYPTO_BYTES_2) - return -1; - return crypto_sign_signature_internal_2 (sig, &siglen, m, mlen, - pre, prelen, rnd, sk); + return GPG_ERR_INV_DATA; + r = crypto_sign_signature_internal_2 (sig, &siglen, m, mlen, + pre, prelen, rnd, sk); + break; case GCRY_MLDSA65: default: if (siglen != CRYPTO_BYTES_3) - return -1; - return crypto_sign_signature_internal_3 (sig, &siglen, m, mlen, - pre, prelen, rnd, sk); + return GPG_ERR_INV_DATA; + r = crypto_sign_signature_internal_3 (sig, &siglen, m, mlen, + pre, prelen, rnd, sk); + break; case GCRY_MLDSA87: if (siglen != CRYPTO_BYTES_5) - return -1; - return crypto_sign_signature_internal_5 (sig, &siglen, m, mlen, - pre, prelen, rnd, sk); + return GPG_ERR_INV_DATA; + r = crypto_sign_signature_internal_5 (sig, &siglen, m, mlen, + pre, prelen, rnd, sk); + break; } + + if (r < 0) + return GPG_ERR_INTERNAL; + + return 0; } -int +gpg_err_code_t dilithium_verify (int algo, const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *ctx, size_t ctxlen, @@ -188,9 +223,17 @@ size_t i; uint8_t pre[257]; size_t prelen; + int r; - if (ctx == NULL && ctxlen == -1) - prelen = 0; + if (ctx == NULL) + { + if (ctxlen == -1) + prelen = 0; + else + return GPG_ERR_INV_DATA; + } + else if (ctxlen > 255) + return GPG_ERR_INV_DATA; else { /* Prepare pre = (0, ctxlen, ctx) */ 
@@ -204,16 +247,24 @@ switch (algo) { case GCRY_MLDSA44: - return crypto_sign_verify_internal_2 (sig, siglen, m, mlen, - pre, prelen, pk); + r = crypto_sign_verify_internal_2 (sig, siglen, m, mlen, + pre, prelen, pk); + break; case GCRY_MLDSA65: default: - return crypto_sign_verify_internal_3 (sig, siglen, m, mlen, - pre, prelen, pk); + r = crypto_sign_verify_internal_3 (sig, siglen, m, mlen, + pre, prelen, pk); + break; case GCRY_MLDSA87: - return crypto_sign_verify_internal_5 (sig, siglen, m, mlen, - pre, prelen, pk); + r = crypto_sign_verify_internal_5 (sig, siglen, m, mlen, + pre, prelen, pk); + break; } + + if (r < 0) + return GPG_ERR_BAD_SIGNATURE; + + return 0; } typedef struct { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/cipher/dilithium.h new/libgcrypt-1.12.2/cipher/dilithium.h --- old/libgcrypt-1.12.1/cipher/dilithium.h 2025-11-27 10:08:47.000000000 +0100 +++ new/libgcrypt-1.12.2/cipher/dilithium.h 2026-04-15 10:46:02.000000000 +0200 
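Review bot: dilithium_verify now maps every negative return to GPG_ERR_BAD_SIGNATURE, but unlike dilithium_sign (previous hunk) it has no `siglen != CRYPTO_BYTES_n` guard of its own before the call, so a wrong-length signature is presumably reported as a bad signature by the upstream routine rather than as GPG_ERR_INV_DATA. That asymmetry is worth stating at the switch: `/* No siglen check here: a wrong length is rejected by the upstream verify routine and surfaces as GPG_ERR_BAD_SIGNATURE.  */`. If the upstream routine does not in fact check the length, the sign-side guard should be mirrored here. The function's head is in the previous hunk.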
@@ -56,24 +56,24 @@ #ifdef _GCRYPT_IN_LIBGCRYPT /**** Start of the glue code to libgcrypt ****/ #define dilithium_keypair _gcry_mldsa_keypair -#define dilithium_encap _gcry_mldsa_encap -#define dilithium_decap _gcry_mldsa_decap +#define dilithium_sign _gcry_mldsa_sign +#define dilithium_verify _gcry_mldsa_verify /**** End of the glue code ****/ #define DILITHIUM_KEYPAIR_STACK_BURN (128 * 1024) #define DILITHIUM_SIGN_STACK_BURN (161 * 1024) #define DILITHIUM_VERIFY_STACK_BURN (122 * 1024) -int dilithium_keypair (int algo, uint8_t *pk, uint8_t *sk, - const uint8_t seed[SEEDBYTES]); -int dilithium_sign (int algo, uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *sk, const uint8_t rnd[RNDBYTES]); -int dilithium_verify (int algo, const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *ctx, size_t ctxlen, - const uint8_t *pk); +gpg_err_code_t dilithium_keypair (int algo, uint8_t *pk, uint8_t *sk, + const uint8_t seed[SEEDBYTES]); +gpg_err_code_t dilithium_sign (int algo, uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk, const uint8_t rnd[RNDBYTES]); +gpg_err_code_t dilithium_verify (int algo, const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); #endif #if defined(DILITHIUM_MODE) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/cipher/ecc-ecdh.c new/libgcrypt-1.12.2/cipher/ecc-ecdh.c --- old/libgcrypt-1.12.1/cipher/ecc-ecdh.c 2026-02-20 13:42:44.000000000 +0100 +++ new/libgcrypt-1.12.2/cipher/ecc-ecdh.c 2026-04-15 10:46:02.000000000 +0200 
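Review bot: The prototypes gain a gpg_err_code_t return but still carry no contract for the ctx/ctxlen pair, which dilithium_sign and dilithium_verify now validate (a NULL ctx is accepted only with ctxlen == (size_t)-1, a non-NULL ctx only with ctxlen <= 255, anything else is GPG_ERR_INV_DATA). Since pubkey-dilithium.c depends on that convention (`NULL, -1`), I'd document it above dilithium_sign: `/* CTX may be NULL with CTXLEN == (size_t)-1 to sign without a context string; otherwise CTXLEN must be <= 255 (FIPS 204).  Returns GPG_ERR_INV_DATA for a bad CTXLEN or SIGLEN, GPG_ERR_INTERNAL if the underlying routine fails.  */` and the equivalent above dilithium_verify (which reports GPG_ERR_BAD_SIGNATURE instead of GPG_ERR_INTERNAL). dilithium_keypair would take a one-liner noting GPG_ERR_INTERNAL on failure.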
@@ -201,7 +201,7 @@ } gpg_err_code_t -_gcry_ecc_curve_mul_point (const char *curve, +_gcry_ecc_curve_mul_point (const char *curve, int enable_mont_check, unsigned char *result, size_t result_len, const unsigned char *scalar, size_t scalar_len, const unsigned char *point, size_t point_len) @@ -263,14 +263,45 @@ point_init (&P, ec->nbits); if (ec->model == MPI_EC_WEIERSTRASS) - err = _gcry_ecc_sec_decodepoint (mpi_u, ec, &P); + { + err = _gcry_ecc_sec_decodepoint (mpi_u, ec, &P); + if (err) + { + point_free (&P); + mpi_free (mpi_u); + goto leave; + } + else if (!_gcry_mpi_ec_curve_point (&P, ec)) + { + err = GPG_ERR_INV_DATA; + point_free (&P); + mpi_free (mpi_u); + goto leave; + } + } else /* MPI_EC_MONTGOMERY */ - err = _gcry_ecc_mont_decodepoint (mpi_u, ec, &P); - mpi_free (mpi_u); - if (err) - goto leave; + { + err = _gcry_ecc_mont_decodepoint (mpi_u, ec, &P); + if (err) + { + point_free (&P); + mpi_free (mpi_u); + goto leave; + } + /* See comments in ecc.c. While our implementation has + improved to be constant-time, we keep this check to be + conservative. */ + if (_gcry_mpi_ec_bad_point (&P, ec) && enable_mont_check) + { + err = GPG_ERR_INV_DATA; + point_free (&P); + mpi_free (mpi_u); + goto leave; + } + } _gcry_mpi_ec_mul_point (&Q, mpi_k, &P, ec); point_free (&P); + mpi_free (mpi_u); } else _gcry_mpi_ec_mul_point (&Q, mpi_k, ec->G, ec); @@ -280,7 +311,12 @@ { gcry_mpi_t y = mpi_new (nbits); - _gcry_mpi_ec_get_affine (x, y, &Q, ec); + if (_gcry_mpi_ec_get_affine (x, y, &Q, ec)) + { + err = GPG_ERR_INV_DATA; + mpi_free (y); + goto leave; + } buf = _gcry_ecc_ec2os_buf (x, y, ec->p, &len); if (!buf) 
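Review bot: The decode hunk repeats the `point_free (&P); mpi_free (mpi_u); goto leave;` cleanup four times, once per failure path, and moves `mpi_free (mpi_u)` to after the multiplication even though mpi_u is not used once the point is decoded. Freeing mpi_u right after decoding (as the old code did) and funnelling both branches through one `if (err)` keeps the new on-curve and small-order checks on a single cleanup path, which is easier to keep leak-free the next time a check is added. I kept the evaluation order `_gcry_mpi_ec_bad_point (&P, ec) && enable_mont_check` exactly as in the hunk. The enclosing function continues past this hunk.
```c
      point_init (&P, ec->nbits);
      if (ec->model == MPI_EC_WEIERSTRASS)
        {
          err = _gcry_ecc_sec_decodepoint (mpi_u, ec, &P);
          if (!err && !_gcry_mpi_ec_curve_point (&P, ec))
            err = GPG_ERR_INV_DATA;
        }
      else /* MPI_EC_MONTGOMERY */
        {
          err = _gcry_ecc_mont_decodepoint (mpi_u, ec, &P);
          /* See comments in ecc.c.  While our implementation has
             improved to be constant-time, we keep this check to be
             conservative.  */
          if (!err && _gcry_mpi_ec_bad_point (&P, ec) && enable_mont_check)
            err = GPG_ERR_INV_DATA;
        }
      mpi_free (mpi_u);
      if (err)
        {
          point_free (&P);
          goto leave;
        }
      _gcry_mpi_ec_mul_point (&Q, mpi_k, &P, ec);
      point_free (&P);
```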
@@ -305,7 +341,17 @@ } else /* MPI_EC_MONTGOMERY */ { - _gcry_mpi_ec_get_affine (x, NULL, &Q, ec); + if (_gcry_mpi_ec_get_affine (x, NULL, &Q, ec) && enable_mont_check) + { + /* + * Input validation with _gcry_mpi_ec_bad_point (above) + * could be removed, when we are sure (no leak from side + * channel). This output check should be kept for our usage + * of GnuPG. See the comments in ecc.c for X25519/X448. + */ + err = GPG_ERR_INV_DATA; + goto leave; + } buf = _gcry_mpi_get_buffer (x, nbytes, &len, NULL); if (!buf) err = gpg_err_code_from_syserror (); @@ -321,9 +367,9 @@ xfree (buf); } } - mpi_free (x); leave: + mpi_free (x); point_free (&Q); mpi_free (mpi_k); _gcry_mpi_ec_free (ec); @@ -350,7 +396,8 @@ else return gpg_error (GPG_ERR_UNKNOWN_CURVE); - return _gcry_ecc_curve_mul_point (curve, result, pubkey_len, + return _gcry_ecc_curve_mul_point (curve, 0, + result, pubkey_len, scalar, seckey_len, point, pubkey_len); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/cipher/ecc-misc.c new/libgcrypt-1.12.2/cipher/ecc-misc.c --- old/libgcrypt-1.12.1/cipher/ecc-misc.c 2026-02-20 13:42:44.000000000 +0100 +++ new/libgcrypt-1.12.2/cipher/ecc-misc.c 2026-04-15 10:46:02.000000000 +0200 @@ -438,7 +438,10 @@ *--p = *buf++; if (rawmpilen < nbytes) - memset (rawmpi + nbytes - rawmpilen, 0, nbytes - rawmpilen); + { + memset (rawmpi + rawmpilen, 0, nbytes - rawmpilen); + rawmpilen = nbytes; + } } else { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/cipher/kem-ecc.c new/libgcrypt-1.12.2/cipher/kem-ecc.c --- old/libgcrypt-1.12.1/cipher/kem-ecc.c 2025-07-14 14:48:50.000000000 +0200 +++ new/libgcrypt-1.12.2/cipher/kem-ecc.c 2026-04-15 10:46:02.000000000 +0200 
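Review bot: In the Montgomery output branch the `_gcry_mpi_ec_get_affine` failure is only reported when enable_mont_check is set, so the legacy _gcry_ecc_mul_point path (which passes 0 in the last ecc-ecdh.c hunk on this line) goes on to `_gcry_mpi_get_buffer` whatever x holds after a failed affine conversion, exactly as before the change. The added comment explains why the check is kept, not that the disabled case is a deliberate compatibility choice; a line such as `/* With the check disabled (legacy API) a failed conversion is not an error and x is encoded as-is, to keep the previous output.  */` would stop the next reader from "fixing" it. Moving `mpi_free (x)` under `leave:` is right, since the new error exits jump there with x still allocated.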
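Review bot: `_gcry_ecc_curve_mul_point (curve, 0, ...)` here and `(curve, 1, ...)` in kem-ecc.c (next line) pass the new enable_mont_check flag as bare literals, so neither call site says which behaviour it selects. A named pair next to the prototype, e.g. `enum { ECC_MONT_CHECK_OFF = 0, ECC_MONT_CHECK_ON = 1 };`, or at least an `/* enable_mont_check */` argument comment at both calls, would make the legacy-vs-KEM distinction visible where it is chosen rather than only in the callee.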
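Review bot: The corrected `memset (rawmpi + rawmpilen, 0, nbytes - rawmpilen)` deserves a comment, because the old start offset `nbytes - rawmpilen` combined with a length of `nbytes - rawmpilen` ran past the end of an nbytes buffer whenever rawmpilen < nbytes / 2, which is the overwrite being fixed and is easy to reintroduce. Something like `/* Zero-fill the NBYTES - RAWMPILEN bytes not written by the copy loop above; the fill starts at RAWMPILEN, not at NBYTES - RAWMPILEN.  */`, plus a note that RAWMPILEN is widened to NBYTES so later users see the padded length, would pin that down. Whether the zeroed bytes are the high-order ones depends on where `p` starts, which is outside the hunk.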
@@ -120,7 +120,7 @@ { const char *curve = algo_to_curve (algo); - return _gcry_ecc_curve_mul_point (curve, result, result_len, + return _gcry_ecc_curve_mul_point (curve, 1, result, result_len, scalar, scalar_len, point, point_len); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/cipher/pubkey-dilithium.c new/libgcrypt-1.12.2/cipher/pubkey-dilithium.c --- old/libgcrypt-1.12.1/cipher/pubkey-dilithium.c 2025-11-27 10:08:47.000000000 +0100 +++ new/libgcrypt-1.12.2/cipher/pubkey-dilithium.c 2026-04-15 10:46:02.000000000 +0200 @@ -170,7 +170,7 @@ memcpy (seed, seed_supplied, SEEDBYTES); } - dilithium_keypair (info->algo, pk, sk, seed); + rc = dilithium_keypair (info->algo, pk, sk, seed); _gcry_burn_stack (DILITHIUM_KEYPAIR_STACK_BURN); if (!rc) @@ -206,7 +206,6 @@ size_t data_len; const unsigned char *sk; const struct mldsa_info *info = mldsa_get_info (keyparms); - int r; if (!info) return GPG_ERR_PUBKEY_ALGO; @@ -258,17 +257,14 @@ else randombytes (rnd, RNDBYTES); if (ctx.flags & PUBKEY_FLAG_NO_PREFIX) - r = dilithium_sign (info->algo, sig, info->sig_len, data, data_len, - NULL, -1, sk, rnd); + rc = dilithium_sign (info->algo, sig, info->sig_len, data, data_len, + NULL, -1, sk, rnd); else - r = dilithium_sign (info->algo, sig, info->sig_len, data, data_len, - ctx.label, ctx.labellen, sk, rnd); + rc = dilithium_sign (info->algo, sig, info->sig_len, data, data_len, + ctx.label, ctx.labellen, sk, rnd); _gcry_burn_stack (DILITHIUM_SIGN_STACK_BURN); - if (r < 0) - { - rc = GPG_ERR_INTERNAL; - goto leave; - } + if (rc) + goto leave; rc = sexp_build (r_sig, NULL, "(sig-val(%s(s%b)))", info->name, info->sig_len, sig); @@ -300,7 +296,6 @@ size_t data_len; const unsigned char *pk; const struct mldsa_info *info = mldsa_get_info (keyparms); - int r; if (!info) return GPG_ERR_PUBKEY_ALGO; 
@@ -350,17 +345,14 @@ } if (ctx.flags & PUBKEY_FLAG_NO_PREFIX) - r = dilithium_verify (info->algo, sig, info->sig_len, data, data_len, - NULL, -1, pk); + rc = dilithium_verify (info->algo, sig, info->sig_len, data, data_len, + NULL, -1, pk); else - r = dilithium_verify (info->algo, sig, info->sig_len, data, data_len, - ctx.label, ctx.labellen, pk); + rc = dilithium_verify (info->algo, sig, info->sig_len, data, data_len, + ctx.label, ctx.labellen, pk); _gcry_burn_stack (DILITHIUM_VERIFY_STACK_BURN); - if (r < 0) - { - rc = GPG_ERR_BAD_SIGNATURE; - goto leave; - } + if (rc) + goto leave; leave: _gcry_pk_util_free_encoding_ctx (&ctx); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/cipher/rsa.c new/libgcrypt-1.12.2/cipher/rsa.c --- old/libgcrypt-1.12.1/cipher/rsa.c 2025-07-14 14:48:50.000000000 +0200 +++ new/libgcrypt-1.12.2/cipher/rsa.c 2026-04-15 10:46:02.000000000 +0200 @@ -960,6 +960,9 @@ } +/* Uncomment following line to enable stronger check. */ +/* #define ENABLE_STRONGER_CHECK 1 */ +#ifndef ENABLE_STRONGER_CHECK /**************** * Test whether the secret key is valid. * Returns: true if this is a valid key. @@ -975,7 +978,7 @@ mpi_free(temp); return !rc; } - +#endif /**************** 
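Review bot: In mldsa_verify the new `if (rc) goto leave;` sits directly above the `leave:` label, so the conditional jump is a no-op and can simply be dropped, letting `_gcry_burn_stack (DILITHIUM_VERIFY_STACK_BURN);` fall into the cleanup with rc already holding the verify result. The sign-side counterpart in the previous hunk is fine since sexp_build follows it there. mldsa_verify's body starts outside this hunk.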
@@ -999,66 +1002,79 @@ mpi_powm( output, input, pkey->e, pkey->n ); } -#if 0 -static void -stronger_key_check ( RSA_secret_key *skey ) +#ifdef ENABLE_STRONGER_CHECK +/**************** + * Test whether the secret key is valid. + * Returns: true if this is a valid key. + */ +static int +check_secret_key ( RSA_secret_key *skey ) { gcry_mpi_t t = mpi_alloc_secure ( 0 ); gcry_mpi_t t1 = mpi_alloc_secure ( 0 ); gcry_mpi_t t2 = mpi_alloc_secure ( 0 ); gcry_mpi_t phi = mpi_alloc_secure ( 0 ); + int rc = 1; /* check that n == p * q */ mpi_mul( t, skey->p, skey->q); if (mpi_cmp( t, skey->n) ) - log_info ( "RSA Oops: n != p * q\n" ); + { + rc = 0; + goto leave; + } /* check that p is less than q */ if( mpi_cmp( skey->p, skey->q ) > 0 ) { - log_info ("RSA Oops: p >= q - fixed\n"); - _gcry_mpi_swap ( skey->p, skey->q); + rc = 0; + goto leave; } /* check that e divides neither p-1 nor q-1 */ mpi_sub_ui(t, skey->p, 1 ); mpi_fdiv_r(t, t, skey->e ); if ( !mpi_cmp_ui( t, 0) ) - log_info ( "RSA Oops: e divides p-1\n" ); + { + rc = 0; + goto leave; + } mpi_sub_ui(t, skey->q, 1 ); mpi_fdiv_r(t, t, skey->e ); if ( !mpi_cmp_ui( t, 0) ) - log_info ( "RSA Oops: e divides q-1\n" ); + { + rc = 0; + goto leave; + } /* check that d is correct */ mpi_sub_ui( t1, skey->p, 1 ); mpi_sub_ui( t2, skey->q, 1 ); mpi_mul( phi, t1, t2 ); - gcry_mpi_gcd(t, t1, t2); + _gcry_mpi_gcd(t, t1, t2); mpi_fdiv_q(t, phi, t); mpi_invm(t, skey->e, t ); if ( mpi_cmp(t, skey->d ) ) { - log_info ( "RSA Oops: d is wrong - fixed\n"); - mpi_set (skey->d, t); - log_printmpi (" fixed d", skey->d); + rc = 0; + goto leave; } /* check for correctness of u */ mpi_invm(t, skey->p, skey->q ); if ( mpi_cmp(t, skey->u ) ) { - log_info ( "RSA Oops: u is wrong - fixed\n"); - mpi_set (skey->u, t); - log_printmpi (" fixed u", skey->u); + rc = 0; + goto leave; } - log_info ( "RSA secret key check finished\n"); - + leave: mpi_free (t); mpi_free (t1); mpi_free (t2); mpi_free (phi); + + return rc; } #endif diff -urN '--exclude=CVS' 
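Review bot: The revived check_secret_key under ENABLE_STRONGER_CHECK recomputes `t = e^-1 mod lcm(p-1, q-1)` via `_gcry_mpi_gcd` / `mpi_fdiv_q` / `mpi_invm` and fails the key when it differs from skey->d, so a key whose d is the inverse modulo φ(n) rather than λ(n), which is equally valid and common for imported keys, is rejected where the old `#if 0` body only logged and overwrote d. Checking the congruence instead, `mpi_mulm (t1, skey->e, skey->d, t); if (mpi_cmp_ui (t1, 1)) { rc = 0; goto leave; }`, accepts both forms. Likewise the `p > q` branch used to swap the primes and now fails the key, so the function comment should say that callers must present p < q when the stronger check is enabled. The `mpi_invm` return value is still ignored; when e and the modulus are not coprime no inverse exists and the following comparison is meaningless, so `rc = 0` belongs on that path too.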
'--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/compat/compat.c new/libgcrypt-1.12.2/compat/compat.c --- old/libgcrypt-1.12.1/compat/compat.c 2025-03-13 10:47:17.000000000 +0100 +++ new/libgcrypt-1.12.2/compat/compat.c 2026-03-16 16:32:59.000000000 +0100 @@ -31,10 +31,10 @@ "\n\n" "This is Libgcrypt " PACKAGE_VERSION " - The GNU Crypto Library\n" "Copyright (C) 2000-2018 Free Software Foundation, Inc.\n" - "Copyright (C) 2012-2024 g10 Code GmbH\n" - "Copyright (C) 2013-2024 Jussi Kivilinna\n" + "Copyright (C) 2012-2026 g10 Code GmbH\n" + "Copyright (C) 2013-2026 Jussi Kivilinna\n" "\n" - "(" BUILD_REVISION " " BUILD_TIMESTAMP ")\n" + "(" BUILD_COMMITID " " BUILD_TIMESTAMP ")\n" "\n\n"; return blurb; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/config.h.in new/libgcrypt-1.12.2/config.h.in --- old/libgcrypt-1.12.1/config.h.in 2026-02-20 14:15:48.000000000 +0100 +++ new/libgcrypt-1.12.2/config.h.in 2026-04-15 10:47:13.000000000 +0200 @@ -11,7 +11,10 @@ /* Defined if --disable-asm was used to configure */ #undef ASM_DISABLED -/* GIT commit id revision used to build this package */ +/* Git full commit id used to build this package */ +#undef BUILD_COMMITID + +/* GIT shortened commit id used to build this package */ #undef BUILD_REVISION /* The time this package was configured for a build */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/configure new/libgcrypt-1.12.2/configure --- old/libgcrypt-1.12.1/configure 2026-02-20 14:15:37.000000000 +0100 +++ new/libgcrypt-1.12.2/configure 2026-04-15 11:12:28.000000000 +0200 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for libgcrypt 1.12.1. +# Generated by GNU Autoconf 2.71 for libgcrypt 1.12.2. # # Report bugs to <https://bugs.gnupg.org>. # 
@@ -622,8 +622,8 @@ # Identity of this package. PACKAGE_NAME='libgcrypt' PACKAGE_TARNAME='libgcrypt' -PACKAGE_VERSION='1.12.1' -PACKAGE_STRING='libgcrypt 1.12.1' +PACKAGE_VERSION='1.12.2' +PACKAGE_STRING='libgcrypt 1.12.2' PACKAGE_BUGREPORT='https://bugs.gnupg.org' PACKAGE_URL='' @@ -1532,7 +1532,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libgcrypt 1.12.1 to adapt to many kinds of systems. +\`configure' configures libgcrypt 1.12.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1603,7 +1603,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libgcrypt 1.12.1:";; + short | recursive ) echo "Configuration of libgcrypt 1.12.2:";; esac cat <<\_ACEOF @@ -1792,7 +1792,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libgcrypt configure 1.12.1 +libgcrypt configure 1.12.2 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2337,7 +2337,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libgcrypt $as_me 1.12.1, which was +It was created by libgcrypt $as_me 1.12.2, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3107,7 +3107,7 @@ # (No interfaces changed: REVISION++) LIBGCRYPT_LT_CURRENT=27 LIBGCRYPT_LT_AGE=7 -LIBGCRYPT_LT_REVISION=1 +LIBGCRYPT_LT_REVISION=2 ################################################ @@ -3640,7 +3640,7 @@ # Define the identity of the package. PACKAGE='libgcrypt' - VERSION='1.12.1' + VERSION='1.12.2' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -6838,7 +6838,7 @@ esac -VERSION_NUMBER=0x010c01 +VERSION_NUMBER=0x010c02 # We need to compile and run a program on the build machine. 
@@ -24193,14 +24193,18 @@ # # Provide information about the build. # -BUILD_REVISION="7e91b2a3" +BUILD_REVISION="efc34643" printf "%s\n" "#define BUILD_REVISION \"$BUILD_REVISION\"" >>confdefs.h +BUILD_COMMITID="efc346430901b84f1f580a147191624d7ded0db6" + +printf "%s\n" "#define BUILD_COMMITID \"$BUILD_COMMITID\"" >>confdefs.h + BUILD_VERSION=`echo "$PACKAGE_VERSION" | sed 's/\([0-9.]*\).*/\1./'` -BUILD_VERSION="${BUILD_VERSION}32401" +BUILD_VERSION="${BUILD_VERSION}61379" BUILD_FILEVERSION=`echo "${BUILD_VERSION}" | tr . ,` @@ -24920,7 +24924,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libgcrypt $as_me 1.12.1, which was +This file was extended by libgcrypt $as_me 1.12.2, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -24992,7 +24996,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -libgcrypt config.status 1.12.1 +libgcrypt config.status 1.12.2 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/configure.ac new/libgcrypt-1.12.2/configure.ac --- old/libgcrypt-1.12.1/configure.ac 2026-02-20 14:11:12.000000000 +0100 +++ new/libgcrypt-1.12.2/configure.ac 2026-04-15 10:46:02.000000000 +0200 @@ -31,7 +31,7 @@ m4_define([mym4_package],[libgcrypt]) m4_define([mym4_major], [1]) m4_define([mym4_minor], [12]) -m4_define([mym4_micro], [1]) +m4_define([mym4_micro], [2]) # Below is m4 magic to extract and compute the git revision number, # the decimalized short revision number, a beta version string and a 
@@ -43,7 +43,9 @@ m4_define([mym4_version], m4_argn(4, mym4_verslist)) m4_define([mym4_revision], m4_argn(7, mym4_verslist)) m4_define([mym4_revision_dec], m4_argn(8, mym4_verslist)) +m4_define([mym4_commitid], m4_argn(9, mym4_verslist)) m4_esyscmd([echo ]mym4_version[>VERSION]) +m4_esyscmd([echo ]mym4_commitid[>>VERSION]) AC_INIT([mym4_package],[mym4_version],[https://bugs.gnupg.org]) # LT Version numbers, remember to change them just *before* a release. @@ -57,7 +59,7 @@ # (No interfaces changed: REVISION++) LIBGCRYPT_LT_CURRENT=27 LIBGCRYPT_LT_AGE=7 -LIBGCRYPT_LT_REVISION=1 +LIBGCRYPT_LT_REVISION=2 ################################################ AC_SUBST(LIBGCRYPT_LT_CURRENT) @@ -4282,7 +4284,10 @@ BUILD_REVISION="mym4_revision" AC_SUBST(BUILD_REVISION) AC_DEFINE_UNQUOTED(BUILD_REVISION, "$BUILD_REVISION", - [GIT commit id revision used to build this package]) + [GIT shortened commit id used to build this package]) +BUILD_COMMITID="mym4_commitid" +AC_DEFINE_UNQUOTED(BUILD_COMMITID, "$BUILD_COMMITID", + [Git full commit id used to build this package]) changequote(,)dnl BUILD_VERSION=`echo "$PACKAGE_VERSION" | sed 's/\([0-9.]*\).*/\1./'` Binary files old/libgcrypt-1.12.1/doc/fips-fsm.pdf and new/libgcrypt-1.12.2/doc/fips-fsm.pdf differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/doc/gcrypt.info new/libgcrypt-1.12.2/doc/gcrypt.info --- old/libgcrypt-1.12.1/doc/gcrypt.info 2026-02-20 14:15:49.000000000 +0100 +++ new/libgcrypt-1.12.2/doc/gcrypt.info 2026-04-15 11:12:40.000000000 +0200 
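Review bot: `m4_esyscmd([echo ]mym4_commitid[>>VERSION])` turns VERSION into a two-line file (the VERSION hunk earlier on this page shows `1.12.2` followed by the commit id), so anything that reads the whole file as the version string now picks up the hash as well. If out-of-tree tooling or packaging scripts consume VERSION that way they will need the first line only; a comment at the source of the format, `# VERSION: first line is the version, second line the full commit id`, documents the change where it is made.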
@@ -1,6 +1,6 @@ This is gcrypt.info, produced by makeinfo version 6.8 from gcrypt.texi. -This manual is for Libgcrypt version 1.12.1 and was last updated 24 +This manual is for Libgcrypt version 1.12.2 and was last updated 24 September 2025. Libgcrypt is GNU's library of cryptographic building blocks. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/doc/gcrypt.info-1 new/libgcrypt-1.12.2/doc/gcrypt.info-1 --- old/libgcrypt-1.12.1/doc/gcrypt.info-1 2026-02-20 14:15:49.000000000 +0100 +++ new/libgcrypt-1.12.2/doc/gcrypt.info-1 2026-04-15 11:12:40.000000000 +0200 @@ -1,6 +1,6 @@ This is gcrypt.info, produced by makeinfo version 6.8 from gcrypt.texi. -This manual is for Libgcrypt version 1.12.1 and was last updated 24 +This manual is for Libgcrypt version 1.12.2 and was last updated 24 September 2025. Libgcrypt is GNU's library of cryptographic building blocks. @@ -25,7 +25,7 @@ The Libgcrypt Library ********************* -This manual is for Libgcrypt version 1.12.1 and was last updated 24 +This manual is for Libgcrypt version 1.12.2 and was last updated 24 September 2025. Libgcrypt is GNU's library of cryptographic building blocks. Binary files old/libgcrypt-1.12.1/doc/gcrypt.info-2 and new/libgcrypt-1.12.2/doc/gcrypt.info-2 differ Binary files old/libgcrypt-1.12.1/doc/libgcrypt-modules.pdf and new/libgcrypt-1.12.2/doc/libgcrypt-modules.pdf differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/doc/stamp-vti new/libgcrypt-1.12.2/doc/stamp-vti --- old/libgcrypt-1.12.1/doc/stamp-vti 2026-02-20 14:15:49.000000000 +0100 +++ new/libgcrypt-1.12.2/doc/stamp-vti 2026-04-15 11:12:40.000000000 +0200 
@@ -1,4 +1,4 @@ @set UPDATED 24 September 2025 @set UPDATED-MONTH September 2025 -@set EDITION 1.12.1 -@set VERSION 1.12.1 +@set EDITION 1.12.2 +@set VERSION 1.12.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/doc/version.texi new/libgcrypt-1.12.2/doc/version.texi --- old/libgcrypt-1.12.1/doc/version.texi 2026-02-20 14:15:49.000000000 +0100 +++ new/libgcrypt-1.12.2/doc/version.texi 2026-04-15 11:12:40.000000000 +0200 @@ -1,4 +1,4 @@ @set UPDATED 24 September 2025 @set UPDATED-MONTH September 2025 -@set EDITION 1.12.1 -@set VERSION 1.12.1 +@set EDITION 1.12.2 +@set VERSION 1.12.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/src/gcrypt-int.h new/libgcrypt-1.12.2/src/gcrypt-int.h --- old/libgcrypt-1.12.1/src/gcrypt-int.h 2025-09-23 15:14:23.000000000 +0200 +++ new/libgcrypt-1.12.2/src/gcrypt-int.h 2026-04-15 10:46:02.000000000 +0200 @@ -121,7 +121,7 @@ size_t pubkey_len, unsigned char *seckey, size_t seckey_len); -gpg_err_code_t _gcry_ecc_curve_mul_point (const char *curve, +gpg_err_code_t _gcry_ecc_curve_mul_point (const char *curve, int enable_check, unsigned char *result, size_t result_len, const unsigned char *scalar, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/src/gcrypt.h.in new/libgcrypt-1.12.2/src/gcrypt.h.in --- old/libgcrypt-1.12.1/src/gcrypt.h.in 2025-09-23 15:14:23.000000000 +0200 +++ new/libgcrypt-1.12.2/src/gcrypt.h.in 2026-04-01 12:11:53.000000000 +0200 
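Review bot: The prototype names the new parameter `enable_check` while the definition in ecc-ecdh.c calls it `enable_mont_check`, and the definition gates only the Montgomery small-order check with it (the Weierstrass on-curve check runs unconditionally). I'd rename it here to match and describe it at the declaration, since this is where callers look: `/* ENABLE_MONT_CHECK: reject small-order points on Montgomery curves; on-curve validation for Weierstrass curves is always performed.  */`.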
@@ -1,6 +1,7 @@ /* gcrypt.h - GNU Cryptographic Library Interface -*- c -*- * Copyright (C) 1998-2018 Free Software Foundation, Inc. - * Copyright (C) 2012-2024 g10 Code GmbH + * Copyright (C) 2012-2026 g10 Code GmbH + * Copyright (C) 2013-2026 Jussi Kivilinna * * This file is part of Libgcrypt. * diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgcrypt-1.12.1/tests/t-kem.c new/libgcrypt-1.12.2/tests/t-kem.c --- old/libgcrypt-1.12.1/tests/t-kem.c 2025-11-27 10:08:47.000000000 +0100 +++ new/libgcrypt-1.12.2/tests/t-kem.c 2026-04-15 10:46:02.000000000 +0200 @@ -43,8 +43,6 @@ uint8_t key1[GCRY_KEM_SNTRUP761_SHARED_LEN]; uint8_t key2[GCRY_KEM_SNTRUP761_SHARED_LEN]; - info (" Checking SNTRUP761.\n"); - err = gcry_kem_genkey (GCRY_KEM_SNTRUP761, pubkey, GCRY_KEM_SNTRUP761_PUBKEY_LEN, seckey, GCRY_KEM_SNTRUP761_SECKEY_LEN, @@ -104,8 +102,6 @@ uint8_t key1[GCRY_KEM_CM6688128F_SHARED_LEN]; uint8_t key2[GCRY_KEM_CM6688128F_SHARED_LEN]; - info (" Checking CM6688128F.\n"); - err = gcry_kem_genkey (GCRY_KEM_CM6688128F, pubkey, GCRY_KEM_CM6688128F_PUBKEY_LEN, seckey, GCRY_KEM_CM6688128F_SECKEY_LEN, @@ -166,8 +162,6 @@ uint8_t key1[GCRY_KEM_MLKEM512_SHARED_LEN]; uint8_t key2[GCRY_KEM_MLKEM512_SHARED_LEN]; - info (" Checking MLKEM512.\n"); - err = gcry_kem_genkey (GCRY_KEM_MLKEM512, pubkey, GCRY_KEM_MLKEM512_PUBKEY_LEN, seckey, GCRY_KEM_MLKEM512_SECKEY_LEN, @@ -226,8 +220,6 @@ uint8_t key1[GCRY_KEM_MLKEM768_SHARED_LEN]; uint8_t key2[GCRY_KEM_MLKEM768_SHARED_LEN]; - info (" Checking MLKEM768.\n"); - err = gcry_kem_genkey (GCRY_KEM_MLKEM768, pubkey, GCRY_KEM_MLKEM768_PUBKEY_LEN, seckey, GCRY_KEM_MLKEM768_SECKEY_LEN, @@ -286,8 +278,6 @@ uint8_t key1[GCRY_KEM_MLKEM1024_SHARED_LEN]; uint8_t key2[GCRY_KEM_MLKEM1024_SHARED_LEN]; - info (" Checking MLKEM1024.\n"); - err = gcry_kem_genkey (GCRY_KEM_MLKEM1024, pubkey, GCRY_KEM_MLKEM1024_PUBKEY_LEN, seckey, GCRY_KEM_MLKEM1024_SECKEY_LEN, 
@@ -500,6 +490,7 @@ if ((selected_algo & SELECTED_ALGO_SNTRUP761)) { + info (" Checking SNTRUP761.\n"); for (testno = 0; testno < n_loops; testno++) test_kem_sntrup761 (testno); ntests += n_loops; @@ -507,6 +498,7 @@ if ((selected_algo & SELECTED_ALGO_CM6688128F)) { + info (" Checking CM6688128F.\n"); for (testno = 0; testno < n_loops; testno++) test_kem_mceliece6688128f (testno); ntests += n_loops; @@ -515,6 +507,7 @@ #ifdef USE_KYBER if ((selected_algo & SELECTED_ALGO_MLKEM512)) { + info (" Checking MLKEM512.\n"); for (testno = 0; testno < ntests + n_loops; testno++) test_kem_mlkem512 (testno); ntests += n_loops; @@ -522,6 +515,7 @@ if ((selected_algo & SELECTED_ALGO_MLKEM768)) { + info (" Checking MLKEM768.\n"); for (testno = 0; testno < ntests + n_loops; testno++) test_kem_mlkem768 (testno); ntests += n_loops; @@ -529,6 +523,7 @@ if ((selected_algo & SELECTED_ALGO_MLKEM1024)) { + info (" Checking MLKEM1024.\n"); for (testno = 0; testno < ntests + n_loops; testno++) test_kem_mlkem1024 (testno); ntests += n_loops;
