Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libgcrypt for openSUSE:Factory
checked in at 2024-07-24 15:29:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old)
and /work/SRC/openSUSE:Factory/.libgcrypt.new.1869 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libgcrypt"
Wed Jul 24 15:29:19 2024 rev:103 rq:1183830 version:1.11.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2024-01-29
22:25:50.142528789 +0100
+++ /work/SRC/openSUSE:Factory/.libgcrypt.new.1869/libgcrypt.changes
2024-07-25 11:55:32.197478957 +0200
@@ -1,0 +2,94 @@
+Thu Jun 20 08:11:07 UTC 2024 - Pedro Monreal <pmonr...@suse.com>
+
+- Update to 1.11.0:
+ * New and extended interfaces:
+ - Add an API for Key Encapsulation Mechanism (KEM). [T6755]
+ - Add Streamlined NTRU Prime sntrup761 algorithm. [rCcf9923e1a5]
+ - Add Kyber algorithm according to FIPS 203 ipd 2023-08-24. [rC18e5c0d268]
+ - Add Classic McEliece algorithm. [rC003367b912]
+ - Add One-Step KDF with hash and MAC. [T5964]
+ - Add KDF algorithm HKDF of RFC-5869. [T5964]
+ - Add KDF algorithm X963KDF for use in CMS. [rC3abac420b3]
+ - Add GMAC-SM4 and Poly1305-SM4. [rCd1ccc409d4]
+ - Add ARIA block cipher algorithm. [rC316c6d7715]
+ - Add explicit FIPS indicators for MD and MAC algorithms. [T6376]
+ - Add support for SHAKE as MGF in RSA. [T6557]
+ - Add gcry_md_read support for SHAKE algorithms. [T6539]
+ - Add gcry_md_hash_buffers_ext function. [T7035]
+ - Add cSHAKE hash algorithm. [rC065b3f4e02]
+ - Support internal generation of IV for AEAD cipher mode. [T4873]
+ * Performance:
+ - Add SM3 ARMv8/AArch64/CE assembly implementation. [rCfe891ff4a3]
+ - Add SM4 ARMv8/AArch64 assembly implementation. [rCd8825601f1]
+ - Add SM4 GFNI/AVX2 and GFI/AVX512 implementation.
[rC5095d60af4,rCeaed633c16]
+ - Add SM4 ARMv9 SVE CE assembly implementation. [rC2dc2654006]
+ - Add PowerPC vector implementation of SM4. [rC0b2da804ee]
+ - Optimize ChaCha20 and Poly1305 for PPC P10 LE. [T6006]
+ - Add CTR32LE bulk acceleration for AES on PPC. [rC84f2e2d0b5]
+ - Add generic bulk acceleration for CTR32LE mode (GCM-SIV) for SM4
+ and Camellia. [rCcf956793af]
+ - Add GFNI/AVX2 implementation of Camellia. [rC4e6896eb9f]
+ - Add AVX2 and AVX512 accelerated implementations for GHASH (GCM)
+ and POLYVAL (GCM-SIV). [rCd857e85cb4, rCe6f3600193]
+ - Add AVX512 implementation for SHA512. [rC089223aa3b]
+ - Add AVX512 implementation for Serpent. [rCce95b6ec35]
+ - Add AVX512 implementation for Poly1305 and ChaCha20. [rCcd3ed49770,
rC9a63cfd617]
+ - Add AVX512 accelerated implementation for SHA3 and Blake2.
[rCbeaad75f46,rC909daa700e]
+ - Add VAES/AVX2 accelerated i386 implementation for AES. [rC4a42a042bc]
+ - Add bulk processing for XTS mode of Camellia and SM4. [rC32b18cdb87,
rCaad3381e93]
+ - Accelerate XTS and ECB modes for Twofish and Serpent.
[rCd078a928f5,rC8a1fe5f78f]
+ - Add AArch64 crypto/SHA512 extension implementation for SHA512.
[rCe51d3b8330]
+ - Add AArch64 crypto-extension implementation for Camellia. [rC898c857206]
+ - Accelerate OCB authentication on AMD with AVX2. [rC6b47e85d65]
+ * Bug fixes:
+ - For PowerPC check for missing optimization level for vector register
usage. [T5785]
+ - Fix EdDSA secret key check. [T6511]
+ - Fix decoding of PKCS#1-v1.5 and OAEP padding. [rC34c2042792]
+ - Allow use of PKCS#1-v1.5 with SHA3 algorithms. [T6976]
+ - Fix AESWRAP padding length check. [T7130]
+ * Other:
+ - Allow empty password for Argon2 KDF. [rCa20700c55f]
+ - Various constant time operation imporvements.
+ - Add "bp256", "bp384", "bp512" aliases for Brainpool curves.
+ - Support for the random server has been removed. [T5811]
+ - The control code GCRYCTL_ENABLE_M_GUARD is deprecated and not
+ supported any more. Please use valgrind or other tools. [T5822]
+ - Logging is now done via the libgpg-error logging functions.
[rCab0bdc72c7]
+ * Remove patches fixed upstream:
+ - libgcrypt-no-deprecated-grep-alias.patch
+ - libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
+ - libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch
+ * Rebase patches:
+ - libgcrypt-FIPS-jitter-errorcodes.patch
+ - libgcrypt-FIPS-jitter-whole-entropy.patch
+
+-------------------------------------------------------------------
+Wed Mar 20 20:31:40 UTC 2024 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: Make sure that Libgcrypt makes use of the built-in Jitter RNG
+ for the whole length entropy buffer in FIPS mode. [bsc#1220893]
+ * Add libgcrypt-FIPS-jitter-whole-entropy.patch
+
+-------------------------------------------------------------------
+Wed Mar 20 15:13:04 UTC 2024 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: Set the FSM into error state if Jitter RNG is returning an
+ error code to the caller when an health test error occurs when
+ random bytes are requested through the jent_read_entropy_safe()
+ function. [bsc#1220895]
+ * Add libgcrypt-FIPS-jitter-errorcodes.patch
+
+-------------------------------------------------------------------
+Mon Mar 11 16:02:55 UTC 2024 - Pedro Monreal <pmonr...@suse.com>
+
+- FIPS: Replace the built-in jitter rng with standalone version
+ * Remove the internal jitterentropy copy [bsc#1220896]
+ * Add libgcrypt-FIPS-jitter-standalone.patch
+ * Remove not needed libgcrypt-jitterentropy-3.4.0.patch
+
+-------------------------------------------------------------------
+Mon Feb 26 12:13:56 UTC 2024 - Pedro Monreal <pmonr...@suse.com>
+
+- Update upstream libgcrypt.keyring
+
+-------------------------------------------------------------------
Old:
----
libgcrypt-1.10.3.tar.bz2
libgcrypt-1.10.3.tar.bz2.sig
libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
libgcrypt-jitterentropy-3.4.0.patch
libgcrypt-no-deprecated-grep-alias.patch
libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch
New:
----
libgcrypt-1.11.0.tar.bz2
libgcrypt-1.11.0.tar.bz2.sig
libgcrypt-FIPS-jitter-errorcodes.patch
libgcrypt-FIPS-jitter-standalone.patch
libgcrypt-FIPS-jitter-whole-entropy.patch
BETA DEBUG BEGIN:
Old: - libgcrypt-no-deprecated-grep-alias.patch
- libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
- libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch
Old: * Add libgcrypt-FIPS-jitter-standalone.patch
* Remove not needed libgcrypt-jitterentropy-3.4.0.patch
Old: * Remove patches fixed upstream:
- libgcrypt-no-deprecated-grep-alias.patch
- libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
Old: - libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
- libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch
* Rebase patches:
BETA DEBUG END:
BETA DEBUG BEGIN:
New: * Rebase patches:
- libgcrypt-FIPS-jitter-errorcodes.patch
- libgcrypt-FIPS-jitter-whole-entropy.patch
New: * Remove the internal jitterentropy copy [bsc#1220896]
* Add libgcrypt-FIPS-jitter-standalone.patch
* Remove not needed libgcrypt-jitterentropy-3.4.0.patch
New: - libgcrypt-FIPS-jitter-errorcodes.patch
- libgcrypt-FIPS-jitter-whole-entropy.patch
BETA DEBUG END:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libgcrypt.spec ++++++
--- /var/tmp/diff_new_pack.LVTANq/_old 2024-07-25 11:55:33.241521089 +0200
+++ /var/tmp/diff_new_pack.LVTANq/_new 2024-07-25 11:55:33.245521251 +0200
@@ -20,7 +20,7 @@
%define libsoname %{name}%{libsover}
%define hmac_key orboDeJITITejsirpADONivirpUkvarP
Name: libgcrypt
-Version: 1.10.3
+Version: 1.11.0
Release: 0
Summary: The GNU Crypto Library
License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -31,14 +31,12 @@
Source2: baselibs.conf
Source3: random.conf
Source4: hwf.deny
-# https://gnupg.org/signature_key.asc
-Source5: libgcrypt.keyring
+# https://www.gnupg.org/signature_key.html
+Source5: https://gnupg.org/signature_key.asc#/%{name}.keyring
Source99: libgcrypt.changes
Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch
#PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run
Patch2: libgcrypt-nobetasuffix.patch
-# https://dev.gnupg.org/T6964
-Patch3: libgcrypt-no-deprecated-grep-alias.patch
# FIPS patches:
#PATCH-FIX-SUSE bsc#1190700 FIPS: Provide a service-level indicator for PK
Patch100: libgcrypt-FIPS-SLI-pk.patch
@@ -46,15 +44,16 @@
Patch101: libgcrypt-FIPS-SLI-kdf-leylength.patch
#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
Patch102: libgcrypt-FIPS-SLI-hash-mac.patch
-#PATCH-FIX-SUSE bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use
jitterentropy
-Patch103: libgcrypt-jitterentropy-3.4.0.patch
#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
Patch104: libgcrypt-FIPS-rndjent_poll.patch
-# POWER patches [jsc#PED-5088] POWER performance enhancements for cryptography
-Patch200: libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
-Patch201: libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch
+#PATCH-FIX-SUSE bsc#1220896 FIPS: Replace the built-in jitter rng with
standalone version
+Patch105: libgcrypt-FIPS-jitter-standalone.patch
+#PATCH-FIX-SUSE bsc#1220895 FIPS: Enforce the interpretation and use of jitter
rng
+Patch106: libgcrypt-FIPS-jitter-errorcodes.patch
+#PATCH-FIX-SUSE bsc#1220893 FIPS: Use Jitter RNG for the whole length entropy
buffer
+Patch107: libgcrypt-FIPS-jitter-whole-entropy.patch
BuildRequires: automake >= 1.14
-BuildRequires: libgpg-error-devel >= 1.27
+BuildRequires: libgpg-error-devel >= 1.49
BuildRequires: libtool
BuildRequires: makeinfo
BuildRequires: pkgconfig
@@ -70,6 +69,8 @@
Summary: The GNU Crypto Library
License: GPL-2.0-or-later AND LGPL-2.1-or-later
Group: System/Libraries
+BuildRequires: jitterentropy-devel >= 3.4.0
+Requires: libjitterentropy3 >= 3.4.0
Provides: %{libsoname}-hmac = %{version}-%{release}
Obsoletes: %{libsoname}-hmac < %{version}-%{release}
@@ -83,7 +84,8 @@
Group: Development/Libraries/C and C++
Requires: %{libsoname} = %{version}
Requires: glibc-devel
-Requires: libgpg-error-devel >= 1.27
+Requires: jitterentropy-devel >= 3.4.0
+Requires: libgpg-error-devel >= 1.49
%description devel
Libgcrypt is a general purpose library of cryptographic building
@@ -100,9 +102,12 @@
# Rename the internal .hmac file to include the so library version
sed -i "s/libgcrypt\.so\.hmac/\.libgcrypt\.so\.%{libsover}\.hmac/g"
src/Makefile.am src/Makefile.in
+# Replace the built-in jitter rng with the standalone version [bsc#1220896]
+find . -type f -name "jitterentropy*" -print -delete
+
%build
export PUBKEYS="dsa elgamal rsa ecc"
-export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed
camellia idea salsa20 gost28147 chacha20 sm4"
+export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed
camellia idea salsa20 gost28147 chacha20 sm4 aria"
export DIGESTS="crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger
whirlpool stribog blake2 sm3"
export KDFS="s2k pkdf2 scrypt"
@@ -124,6 +129,7 @@
--disable-asm \
%endif
--enable-random=getentropy \
+ --enable-jent-support \
%{nil}
%make_build
@@ -140,7 +146,6 @@
# for a simple reason: the macro strips the binaries and thereby
# invalidates a HMAC that may have been created earlier.
# solution: create the hashes _after_ the macro runs.
-
%define libpath %{buildroot}%{_libdir}/libgcrypt.so.%{libsover}.?.?
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
++++++ libgcrypt-1.10.3.tar.bz2 -> libgcrypt-1.11.0.tar.bz2 ++++++
++++ 96190 lines of diff (skipped)
++++++ libgcrypt-FIPS-SLI-hash-mac.patch ++++++
--- /var/tmp/diff_new_pack.LVTANq/_old 2024-07-25 11:55:34.637577428 +0200
+++ /var/tmp/diff_new_pack.LVTANq/_new 2024-07-25 11:55:34.641577589 +0200
@@ -1,8 +1,8 @@
-Index: libgcrypt-1.10.2/doc/gcrypt.texi
+Index: libgcrypt-1.11.0/doc/gcrypt.texi
===================================================================
---- libgcrypt-1.10.2.orig/doc/gcrypt.texi
-+++ libgcrypt-1.10.2/doc/gcrypt.texi
-@@ -985,13 +985,21 @@ certification. If the function is approv
+--- libgcrypt-1.11.0.orig/doc/gcrypt.texi
++++ libgcrypt-1.11.0/doc/gcrypt.texi
+@@ -998,13 +998,21 @@ certification. If the function is approv
@code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
@@ -28,11 +28,11 @@
@item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos
Check if the given message digest algorithm is approved under the current
-Index: libgcrypt-1.10.2/src/fips.c
+Index: libgcrypt-1.11.0/src/fips.c
===================================================================
---- libgcrypt-1.10.2.orig/src/fips.c
-+++ libgcrypt-1.10.2/src/fips.c
-@@ -377,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg
+--- libgcrypt-1.11.0.orig/src/fips.c
++++ libgcrypt-1.11.0/src/fips.c
+@@ -378,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg
}
}
@@ -64,7 +64,7 @@
/* FIPS approved curves, extracted from:
* cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */
static const struct
-@@ -598,6 +574,62 @@ _gcry_fips_indicator_pk_flags (va_list a
+@@ -602,6 +577,62 @@ _gcry_fips_indicator_pk_flags (va_list a
return GPG_ERR_NOT_SUPPORTED;
}
@@ -127,11 +127,11 @@
/* This is a test on whether the library is in the error or
operational state. */
-Index: libgcrypt-1.10.2/src/g10lib.h
+Index: libgcrypt-1.11.0/src/g10lib.h
===================================================================
---- libgcrypt-1.10.2.orig/src/g10lib.h
-+++ libgcrypt-1.10.2/src/g10lib.h
-@@ -456,6 +456,7 @@ void _gcry_fips_signal_error (const char
+--- libgcrypt-1.11.0.orig/src/g10lib.h
++++ libgcrypt-1.11.0/src/g10lib.h
+@@ -469,6 +469,7 @@ void _gcry_fips_signal_error (const char
#endif
int _gcry_fips_indicator_cipher (va_list arg_ptr);
@@ -139,25 +139,25 @@
int _gcry_fips_indicator_mac (va_list arg_ptr);
int _gcry_fips_indicator_md (va_list arg_ptr);
int _gcry_fips_indicator_kdf (va_list arg_ptr);
-Index: libgcrypt-1.10.2/src/gcrypt.h.in
+Index: libgcrypt-1.11.0/src/gcrypt.h.in
===================================================================
---- libgcrypt-1.10.2.orig/src/gcrypt.h.in
-+++ libgcrypt-1.10.2/src/gcrypt.h.in
-@@ -335,7 +335,8 @@ enum gcry_ctl_cmds
- GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
+--- libgcrypt-1.11.0.orig/src/gcrypt.h.in
++++ libgcrypt-1.11.0/src/gcrypt.h.in
+@@ -336,7 +336,8 @@ enum gcry_ctl_cmds
GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
-- GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88
-+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88,
-+ GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 89
+ GCRYCTL_MD_CUSTOMIZE = 88,
+- GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 89
++ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 89,
++ GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 90
};
/* Perform various operations defined by CMD. */
-Index: libgcrypt-1.10.2/src/global.c
+Index: libgcrypt-1.11.0/src/global.c
===================================================================
---- libgcrypt-1.10.2.orig/src/global.c
-+++ libgcrypt-1.10.2/src/global.c
-@@ -791,6 +791,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+--- libgcrypt-1.11.0.orig/src/global.c
++++ libgcrypt-1.11.0/src/global.c
+@@ -794,6 +794,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
rc = _gcry_fips_indicator_cipher (arg_ptr);
break;
++++++ libgcrypt-FIPS-SLI-pk.patch ++++++
--- /var/tmp/diff_new_pack.LVTANq/_old 2024-07-25 11:55:34.653578073 +0200
+++ /var/tmp/diff_new_pack.LVTANq/_new 2024-07-25 11:55:34.657578234 +0200
@@ -1,7 +1,7 @@
-Index: libgcrypt-1.10.2/src/fips.c
+Index: libgcrypt-1.11.0/src/fips.c
===================================================================
---- libgcrypt-1.10.2.orig/src/fips.c
-+++ libgcrypt-1.10.2/src/fips.c
+--- libgcrypt-1.11.0.orig/src/fips.c
++++ libgcrypt-1.11.0/src/fips.c
@@ -38,6 +38,7 @@
#include "g10lib.h"
@@ -10,7 +10,7 @@
#include "../random/random.h"
/* The states of the finite state machine used in fips mode. */
-@@ -399,6 +400,94 @@ _gcry_fips_indicator_mac (va_list arg_pt
+@@ -400,6 +401,94 @@ _gcry_fips_indicator_mac (va_list arg_pt
default:
return GPG_ERR_NOT_SUPPORTED;
}
@@ -105,25 +105,25 @@
}
int
-Index: libgcrypt-1.10.2/src/gcrypt.h.in
+Index: libgcrypt-1.11.0/src/gcrypt.h.in
===================================================================
---- libgcrypt-1.10.2.orig/src/gcrypt.h.in
-+++ libgcrypt-1.10.2/src/gcrypt.h.in
-@@ -334,7 +334,8 @@ enum gcry_ctl_cmds
- GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
+--- libgcrypt-1.11.0.orig/src/gcrypt.h.in
++++ libgcrypt-1.11.0/src/gcrypt.h.in
+@@ -335,7 +335,8 @@ enum gcry_ctl_cmds
GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
-- GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87
-+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
-+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88
+ GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
+- GCRYCTL_MD_CUSTOMIZE = 88
++ GCRYCTL_MD_CUSTOMIZE = 88,
++ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 89
};
/* Perform various operations defined by CMD. */
-Index: libgcrypt-1.10.2/doc/gcrypt.texi
+Index: libgcrypt-1.11.0/doc/gcrypt.texi
===================================================================
---- libgcrypt-1.10.2.orig/doc/gcrypt.texi
-+++ libgcrypt-1.10.2/doc/gcrypt.texi
-@@ -997,6 +997,19 @@ Check if the given message digest algori
+--- libgcrypt-1.11.0.orig/doc/gcrypt.texi
++++ libgcrypt-1.11.0/doc/gcrypt.texi
+@@ -1010,6 +1010,19 @@ Check if the given message digest algori
FIPS 140-3 certification. If the algorithm is approved, this function returns
@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
@@ -143,11 +143,11 @@
@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char *
Check if the given public key operation flag or s-expression object name is
-Index: libgcrypt-1.10.2/src/g10lib.h
+Index: libgcrypt-1.11.0/src/g10lib.h
===================================================================
---- libgcrypt-1.10.2.orig/src/g10lib.h
-+++ libgcrypt-1.10.2/src/g10lib.h
-@@ -460,6 +460,7 @@ int _gcry_fips_indicator_mac (va_list ar
+--- libgcrypt-1.11.0.orig/src/g10lib.h
++++ libgcrypt-1.11.0/src/g10lib.h
+@@ -473,6 +473,7 @@ int _gcry_fips_indicator_mac (va_list ar
int _gcry_fips_indicator_md (va_list arg_ptr);
int _gcry_fips_indicator_kdf (va_list arg_ptr);
int _gcry_fips_indicator_function (va_list arg_ptr);
@@ -155,11 +155,11 @@
int _gcry_fips_indicator_pk_flags (va_list arg_ptr);
int _gcry_fips_is_operational (void);
-Index: libgcrypt-1.10.2/src/global.c
+Index: libgcrypt-1.11.0/src/global.c
===================================================================
---- libgcrypt-1.10.2.orig/src/global.c
-+++ libgcrypt-1.10.2/src/global.c
-@@ -825,6 +834,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+--- libgcrypt-1.11.0.orig/src/global.c
++++ libgcrypt-1.11.0/src/global.c
+@@ -828,6 +828,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
rc = _gcry_fips_indicator_pk_flags (arg_ptr);
break;
++++++ libgcrypt-FIPS-jitter-errorcodes.patch ++++++
Index: libgcrypt-1.10.3/random/rndjent.c
===================================================================
--- libgcrypt-1.10.3.orig/random/rndjent.c
+++ libgcrypt-1.10.3/random/rndjent.c
@@ -319,7 +319,10 @@ _gcry_rndjent_poll (void (*add)(const vo
jent_rng_totalcalls++;
rc = jent_read_entropy_safe (&jent_rng_collector, buffer, n);
if (rc < 0)
- break;
+ {
+ fips_signal_error ("jitter entropy failed");
+ break;
+ }
/* We need to hash the output to conform to the BSI
* NTG.1 specs. */
_gcry_md_hash_buffer (GCRY_MD_SHA256, buffer, buffer, rc);
++++++ libgcrypt-FIPS-jitter-standalone.patch ++++++
Index: libgcrypt-1.10.3/random/Makefile.am
===================================================================
--- libgcrypt-1.10.3.orig/random/Makefile.am
+++ libgcrypt-1.10.3/random/Makefile.am
@@ -21,7 +21,7 @@
# Need to include ../src in addition to top_srcdir because gcrypt.h is
# a built header.
AM_CPPFLAGS = -I../src -I$(top_srcdir)/src
-AM_CFLAGS = $(GPG_ERROR_CFLAGS)
+AM_CFLAGS = $(GPG_ERROR_CFLAGS) -ljitterentropy
noinst_LTLIBRARIES = librandom.la
@@ -45,14 +45,7 @@ rndoldlinux.c \
rndegd.c \
rndunix.c \
rndw32.c \
-rndw32ce.c \
-jitterentropy-gcd.c jitterentropy-gcd.h \
-jitterentropy-health.c jitterentropy-health.h \
-jitterentropy-noise.c jitterentropy-noise.h \
-jitterentropy-sha3.c jitterentropy-sha3.h \
-jitterentropy-timer.c jitterentropy-timer.h \
-jitterentropy-base.h \
-jitterentropy-base.c jitterentropy.h jitterentropy-base-user.h
+rndw32ce.c
# The rndjent module needs to be compiled without optimization. */
if ENABLE_O_FLAG_MUNGING
@@ -61,20 +54,8 @@ else
o_flag_munging = cat
endif
-rndjent.o: $(srcdir)/rndjent.c jitterentropy-base-user.h \
- $(srcdir)/jitterentropy-gcd.c $(srcdir)/jitterentropy-gcd.h \
- $(srcdir)/jitterentropy-health.c $(srcdir)/jitterentropy-health.h \
- $(srcdir)/jitterentropy-noise.c $(srcdir)/jitterentropy-noise.h \
- $(srcdir)/jitterentropy-sha3.c $(srcdir)/jitterentropy-sha3.h \
- $(srcdir)/jitterentropy-timer.c $(srcdir)/jitterentropy-timer.h \
- $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h
+rndjent.o: $(srcdir)/rndjent.c
`echo $(COMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) `
-rndjent.lo: $(srcdir)/rndjent.c jitterentropy-base-user.h \
- $(srcdir)/jitterentropy-gcd.c $(srcdir)/jitterentropy-gcd.h \
- $(srcdir)/jitterentropy-health.c $(srcdir)/jitterentropy-health.h \
- $(srcdir)/jitterentropy-noise.c $(srcdir)/jitterentropy-noise.h \
- $(srcdir)/jitterentropy-sha3.c $(srcdir)/jitterentropy-sha3.h \
- $(srcdir)/jitterentropy-timer.c $(srcdir)/jitterentropy-timer.h \
- $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h
+rndjent.lo: $(srcdir)/rndjent.c
`echo $(LTCOMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) `
Index: libgcrypt-1.10.3/random/rndjent.c
===================================================================
--- libgcrypt-1.10.3.orig/random/rndjent.c
+++ libgcrypt-1.10.3/random/rndjent.c
@@ -94,17 +94,12 @@
* jitterentropy-user-base.h file. */
/* Tell jitterentropy* that all functions shall be static. */
-#define JENT_PRIVATE_COMPILE 1
+#undef JENT_PRIVATE_COMPILE
-#include "jitterentropy-base.c"
#ifdef JENT_CONF_ENABLE_INTERNAL_TIMER
#include <pthread.h>
#endif /* JENT_CONF_ENABLE_INTERNAL_TIMER */
-#include "jitterentropy-gcd.c"
-#include "jitterentropy-health.c"
-#include "jitterentropy-noise.c"
-#include "jitterentropy-sha3.c"
-#include "jitterentropy-timer.c"
+#include <jitterentropy.h>
/* This is the lock we use to serialize access to this RNG. The extra
* integer variable is only used to check the locking state; that is,
Index: libgcrypt-1.10.3/random/Makefile.in
===================================================================
--- libgcrypt-1.10.3.orig/random/Makefile.in
+++ libgcrypt-1.10.3/random/Makefile.in
@@ -147,12 +147,7 @@ am__v_at_1 =
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
am__maybe_remake_depfiles = depfiles
-am__depfiles_remade = ./$(DEPDIR)/jitterentropy-base.Plo \
- ./$(DEPDIR)/jitterentropy-gcd.Plo \
- ./$(DEPDIR)/jitterentropy-health.Plo \
- ./$(DEPDIR)/jitterentropy-noise.Plo \
- ./$(DEPDIR)/jitterentropy-sha3.Plo \
- ./$(DEPDIR)/jitterentropy-timer.Plo \
+am__depfiles_remade = \
./$(DEPDIR)/random-csprng.Plo ./$(DEPDIR)/random-drbg.Plo \
./$(DEPDIR)/random-system.Plo ./$(DEPDIR)/random.Plo \
./$(DEPDIR)/rndegd.Plo ./$(DEPDIR)/rndgetentropy.Plo \
@@ -378,7 +373,7 @@ top_srcdir = @top_srcdir@
# Need to include ../src in addition to top_srcdir because gcrypt.h is
# a built header.
AM_CPPFLAGS = -I../src -I$(top_srcdir)/src
-AM_CFLAGS = $(GPG_ERROR_CFLAGS)
+AM_CFLAGS = $(GPG_ERROR_CFLAGS) -ljitterentropy
noinst_LTLIBRARIES = librandom.la
GCRYPT_MODULES = @GCRYPT_RANDOM@
librandom_la_DEPENDENCIES = $(GCRYPT_MODULES)
@@ -398,14 +393,7 @@ rndoldlinux.c \
rndegd.c \
rndunix.c \
rndw32.c \
-rndw32ce.c \
-jitterentropy-gcd.c jitterentropy-gcd.h \
-jitterentropy-health.c jitterentropy-health.h \
-jitterentropy-noise.c jitterentropy-noise.h \
-jitterentropy-sha3.c jitterentropy-sha3.h \
-jitterentropy-timer.c jitterentropy-timer.h \
-jitterentropy-base.h \
-jitterentropy-base.c jitterentropy.h jitterentropy-base-user.h
+rndw32ce.c
@ENABLE_O_FLAG_MUNGING_FALSE@o_flag_munging = cat
@@ -465,12 +453,6 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@
@am__quote@./$(DEPDIR)/jitterentropy-base.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@
@am__quote@./$(DEPDIR)/jitterentropy-gcd.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@
@am__quote@./$(DEPDIR)/jitterentropy-health.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@
@am__quote@./$(DEPDIR)/jitterentropy-noise.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@
@am__quote@./$(DEPDIR)/jitterentropy-sha3.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@
@am__quote@./$(DEPDIR)/jitterentropy-timer.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-csprng.Plo@am__quote@
# am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-drbg.Plo@am__quote@ #
am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-system.Plo@am__quote@
# am--include-marker
@@ -641,12 +623,6 @@ clean-am: clean-generic clean-libtool cl
mostlyclean-am
distclean: distclean-am
- -rm -f ./$(DEPDIR)/jitterentropy-base.Plo
- -rm -f ./$(DEPDIR)/jitterentropy-gcd.Plo
- -rm -f ./$(DEPDIR)/jitterentropy-health.Plo
- -rm -f ./$(DEPDIR)/jitterentropy-noise.Plo
- -rm -f ./$(DEPDIR)/jitterentropy-sha3.Plo
- -rm -f ./$(DEPDIR)/jitterentropy-timer.Plo
-rm -f ./$(DEPDIR)/random-csprng.Plo
-rm -f ./$(DEPDIR)/random-drbg.Plo
-rm -f ./$(DEPDIR)/random-system.Plo
@@ -704,12 +680,6 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
- -rm -f ./$(DEPDIR)/jitterentropy-base.Plo
- -rm -f ./$(DEPDIR)/jitterentropy-gcd.Plo
- -rm -f ./$(DEPDIR)/jitterentropy-health.Plo
- -rm -f ./$(DEPDIR)/jitterentropy-noise.Plo
- -rm -f ./$(DEPDIR)/jitterentropy-sha3.Plo
- -rm -f ./$(DEPDIR)/jitterentropy-timer.Plo
-rm -f ./$(DEPDIR)/random-csprng.Plo
-rm -f ./$(DEPDIR)/random-drbg.Plo
-rm -f ./$(DEPDIR)/random-system.Plo
@@ -759,22 +729,10 @@ uninstall-am:
.PRECIOUS: Makefile
-rndjent.o: $(srcdir)/rndjent.c jitterentropy-base-user.h \
- $(srcdir)/jitterentropy-gcd.c $(srcdir)/jitterentropy-gcd.h \
- $(srcdir)/jitterentropy-health.c $(srcdir)/jitterentropy-health.h \
- $(srcdir)/jitterentropy-noise.c $(srcdir)/jitterentropy-noise.h \
- $(srcdir)/jitterentropy-sha3.c $(srcdir)/jitterentropy-sha3.h \
- $(srcdir)/jitterentropy-timer.c $(srcdir)/jitterentropy-timer.h \
- $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h
+rndjent.o: $(srcdir)/rndjent.c
`echo $(COMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) `
-rndjent.lo: $(srcdir)/rndjent.c jitterentropy-base-user.h \
- $(srcdir)/jitterentropy-gcd.c $(srcdir)/jitterentropy-gcd.h \
- $(srcdir)/jitterentropy-health.c $(srcdir)/jitterentropy-health.h \
- $(srcdir)/jitterentropy-noise.c $(srcdir)/jitterentropy-noise.h \
- $(srcdir)/jitterentropy-sha3.c $(srcdir)/jitterentropy-sha3.h \
- $(srcdir)/jitterentropy-timer.c $(srcdir)/jitterentropy-timer.h \
- $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h
+rndjent.lo: $(srcdir)/rndjent.c
`echo $(LTCOMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) `
# Tell versions [3.59,3.63) of GNU make to not export all variables.
++++++ libgcrypt-FIPS-jitter-whole-entropy.patch ++++++
Index: libgcrypt-1.10.3/random/rndgetentropy.c
===================================================================
--- libgcrypt-1.10.3.orig/random/rndgetentropy.c
+++ libgcrypt-1.10.3/random/rndgetentropy.c
@@ -53,16 +53,30 @@ _gcry_rndgetentropy_gather_random (void
/* When using a blocking random generator try to get some entropy
* from the jitter based RNG. In this case we take up to 50% of the
- * remaining requested bytes. */
+ * remaining requested bytes. In FIPS mode, we get all the entropy
+ * from the jitter RNG. */
if (level >= GCRY_VERY_STRONG_RANDOM)
{
size_t n;
- n = _gcry_rndjent_poll (add, origin, length/2);
- if (n > length/2)
- n = length/2;
- if (length > 1)
- length -= n;
+ /* In FIPS mode, use the whole length of the entropy buffer from
+ * Jitter RNG */
+ if (fips_mode ())
+ {
+ n = _gcry_rndjent_poll (add, origin, length);
+ if (n != length)
+ fips_signal_error ("jitter entropy failed");
+ else
+ length = 0;
+ }
+ else
+ {
+ n = _gcry_rndjent_poll (add, origin, length/2);
+ if (n > length/2)
+ n = length/2;
+ if (length > 1)
+ length -= n;
+ }
}
/* Enter the loop. */
